Browse Source

bind update to 9.11

Signed-off-by: webbuilder_pel7ppc64lebuilder0 <webbuilder@powerel.org>
master
webbuilder_pel7ppc64lebuilder0 5 years ago
parent
commit
fed45eb58b
  1. 620
      SOURCES/bind-9.10-dist-native-pkcs11.patch
  2. 309
      SOURCES/bind-9.10-sdb.patch
  3. 18
      SOURCES/bind-9.10-use-of-strlcat.patch
  4. 131
      SOURCES/bind-9.11-CVE-2018-5743-atomic.patch
  5. 868
      SOURCES/bind-9.11-CVE-2018-5743.patch
  6. 48
      SOURCES/bind-9.11-CVE-2019-6471.patch
  7. 49
      SOURCES/bind-9.11-dnssec-lookaside.patch
  8. 41
      SOURCES/bind-9.11-ed448-disable.patch
  9. 39
      SOURCES/bind-9.11-export-suffix.patch
  10. 1516
      SOURCES/bind-9.11-fips-code.patch
  11. 1781
      SOURCES/bind-9.11-fips-tests.patch
  12. 100
      SOURCES/bind-9.11-host-idn-disable.patch
  13. 206
      SOURCES/bind-9.11-kyua-pkcs11.patch
  14. 303
      SOURCES/bind-9.11-libidn.patch
  15. 70
      SOURCES/bind-9.11-no-default-cookies.patch
  16. 42
      SOURCES/bind-9.11-no-default-ipv6.patch
  17. 256
      SOURCES/bind-9.11-oot-manual.patch
  18. 27
      SOURCES/bind-9.11-pk11.patch
  19. 120
      SOURCES/bind-9.11-rh1205168.patch
  20. 14
      SOURCES/bind-9.11-rh1410433.patch
  21. 288
      SOURCES/bind-9.11-rh1624100.patch
  22. 72
      SOURCES/bind-9.11-rh1685940.patch
  23. 45
      SOURCES/bind-9.11-unit-disable-random.patch
  24. 196
      SOURCES/bind-9.11-zone2ldap.patch
  25. 2
      SOURCES/bind-9.3.1rc1-sdb_tools-Makefile.in
  26. 18
      SOURCES/bind-9.3.2-redhat_doc.patch
  27. 145
      SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
  28. 107
      SOURCES/bind-9.3.2b2-sdbsrc.patch
  29. 75
      SOURCES/bind-9.5-dlz-64bit.patch
  30. 34
      SOURCES/bind-9.9.1-P2-dlz-libdb.patch
  31. 65
      SOURCES/bind-9.9.1-P2-multlib-conflict.patch
  32. 18
      SOURCES/bind-95-rh452060.patch
  33. 10
      SOURCES/bind93-rh726120.patch
  34. 41
      SOURCES/bind97-rh478718.patch
  35. 22
      SOURCES/bind99-rh640538.patch
  36. 4
      SOURCES/named-chroot-setup.service
  37. 23
      SOURCES/named-chroot.files
  38. 4
      SOURCES/named-sdb-chroot-setup.service
  39. 2
      SOURCES/named.conf
  40. 4
      SOURCES/named.conf.sample
  41. 53
      SOURCES/setup-named-chroot.sh
  42. 55
      SOURCES/setup-named-softhsm.sh
  43. 1116
      SPECS/bind.spec

620
SOURCES/bind-9.10-dist-native-pkcs11.patch

@ -0,0 +1,620 @@ @@ -0,0 +1,620 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index f0c504a..ce7a2da 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 1d0c4ce..7b7f89b 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
- dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
+TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \
+ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \
+ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \
+ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@
OBJS = dnssectool.@O@
@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-settime.@O@ ${OBJS} ${LIBS}
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
@@ -108,16 +108,14 @@ docclean manclean maintainer-clean::
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install-man8: ${MANPAGES}
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs install-man8
+install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
uninstall::
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
clean distclean::
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1d0c4ce..11538cf 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+CDEFINES = -DVERSION=\"${VERSION}\" \
@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index d92bc9a..a8c42a4 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -146,14 +144,14 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
-lwresd@EXEEXT@: named@EXEEXT@
+lwresd@EXEEXT@: named-pkcs11@EXEEXT@
rm -f lwresd@EXEEXT@
- @LN@ named@EXEEXT@ lwresd@EXEEXT@
+ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
doc man:: ${MANOBJS}
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+install:: named-pkcs11@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
- rm -f ${DESTDIR}${mandir}/man8/named.8
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index d92bc9a..6d2bfd1 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
CWARNINGS =
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index 70ee8b5..0fd8644 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${ISC_INCLUDES}
+CINCLUDES = ${ISC_PKCS11_INCLUDES}
CDEFINES =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in
index 9a1d16d..2f13059 100644
--- a/configure.in
+++ b/configure.in
@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
#
# Applications linking with libdns also need to link with these libraries.
#
AC_SUBST(DNS_CRYPTO_LIBS)
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
#
# was --with-randomdev specified?
@@ -1554,11 +1556,11 @@ fi
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
- AC_MSG_RESULT(use of native PKCS11 instead)
-fi
+# if test "yes" = "$want_native_pkcs11"
+# then
+# use_openssl="native_pkcs11"
+# AC_MSG_RESULT(use of native PKCS11 instead)
+# fi
if test "auto" = "$use_openssl"
then
@@ -1571,6 +1573,7 @@ then
fi
done
fi
+CRYPTO_PK11=""
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
@@ -1592,11 +1595,10 @@ case "$with_gost" in
;;
esac
-case "$use_openssl" in
- native_pkcs11)
- AC_MSG_RESULT(disabled because of native PKCS11)
+if test "$want_native_pkcs11" = "yes"
+then
DST_OPENSSL_INC=""
- CRYPTO="-DPKCS11CRYPTO"
+ CRYPTO_PK11="-DPKCS11CRYPTO"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1605,7 +1607,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
- ;;
+fi
+
+case "$use_openssl" in
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
@@ -1635,11 +1639,11 @@ case "$use_openssl" in
If you don't want OpenSSL, use --without-openssl])
;;
*)
- if test "yes" = "$want_native_pkcs11"
- then
- AC_MSG_RESULT()
- AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
- fi
+ # if test "yes" = "$want_native_pkcs11"
+ # then
+ # AC_MSG_RESULT()
+ # AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
+ # fi
if test "yes" = "$use_openssl"
then
# User did not specify a path - guess it
@@ -2062,6 +2066,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
@@ -2381,6 +2386,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
+AC_SUBST(CRYPTO_PK11)
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
@@ -5434,8 +5440,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
+ bin/dnssec-pkcs11/Makefile
bin/named/Makefile
bin/named/unix/Makefile
+ bin/named-pkcs11/Makefile
+ bin/named-pkcs11/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5509,6 +5518,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
+ lib/dns-pkcs11/Makefile
+ lib/dns-pkcs11/include/Makefile
+ lib/dns-pkcs11/include/dns/Makefile
+ lib/dns-pkcs11/include/dst/Makefile
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -5533,6 +5546,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
+ lib/isc-pkcs11/$arch/Makefile
+ lib/isc-pkcs11/$arch/include/Makefile
+ lib/isc-pkcs11/$arch/include/isc/Makefile
+ lib/isc-pkcs11/$thread_dir/Makefile
+ lib/isc-pkcs11/$thread_dir/include/Makefile
+ lib/isc-pkcs11/$thread_dir/include/isc/Makefile
+ lib/isc-pkcs11/Makefile
+ lib/isc-pkcs11/include/Makefile
+ lib/isc-pkcs11/include/isc/Makefile
+ lib/isc-pkcs11/include/isc/platform.h
+ lib/isc-pkcs11/include/pk11/Makefile
+ lib/isc-pkcs11/include/pkcs11/Makefile
+ lib/isc-pkcs11/tests/Makefile
+ lib/isc-pkcs11/nls/Makefile
+ lib/isc-pkcs11/unix/Makefile
+ lib/isc-pkcs11/unix/include/Makefile
+ lib/isc-pkcs11/unix/include/isc/Makefile
+ lib/isc-pkcs11/unix/include/pkcs11/Makefile
lib/isccc/Makefile
lib/isccc/include/Makefile
lib/isccc/include/isccc/Makefile
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 81270a0..bcb5312 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
-SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples
+SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 4a8549e..6a19906 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LIBS = @LIBS@
@@ -146,15 +146,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
+libdns-pkcs11.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns.la: ${OBJS}
+libdns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
include: gen
${MAKE} include/dns/enumtype.h
@@ -180,25 +180,25 @@ code.h: gen
./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
gen: gen.c
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
-timestamp: include libdns.@A@
+timestamp: include libdns-pkcs11.@A@
touch timestamp
-testdirs: libdns.@A@
+testdirs: libdns-pkcs11.@A@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
clean distclean::
- rm -f libdns.@A@ timestamp
+ rm -f libdns-pkcs11.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
index ba53ef1..d1f1771 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
-I./include \
- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+ -I${srcdir}/include ${DNS_PKCS11_INCLUDES}
+CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
CWARNINGS =
# Alphabetically
@@ -107,40 +107,40 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS}
${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
${RANLIB} $@
-libisc-nosymtbl.@SA@: ${OBJS}
+libisc-pkcs11-nosymtbl.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc.la: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${SYMTBLOBJS} ${LIBS}
-libisc-nosymtbl.la: ${OBJS}
+libisc-pkcs11-nosymtbl.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc.@A@ libisc-nosymtbl.@A@
+timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
touch timestamp
-testdirs: libisc.@A@ libisc-nosymtbl.@A@
+testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@
clean distclean::
- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
- libisc-nosymtbl.la timestamp
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
+ libisc-pkcs11-nosymtbl.la timestamp
diff --git a/make/includes.in b/make/includes.in
index fa86ad1..3cfbe9f 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
TEST_INCLUDES = \
-I${top_srcdir}/lib/tests/include
+
+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isc-pkcs11 \
+ -I${top_srcdir}/lib/isc-pkcs11/include \
+ -I${top_srcdir}/lib/isc-pkcs11/unix/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include

309
SOURCES/bind-9.10-sdb.patch

@ -0,0 +1,309 @@ @@ -0,0 +1,309 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index ce7a2da..4e6a824 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index 6d2bfd1..d3f42e8 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
#
# Add database drivers here.
#
-DBDRIVER_OBJS =
-DBDRIVER_SRCS =
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
DBDRIVER_INCLUDES =
-DBDRIVER_LIBS =
+DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-sdb@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -146,7 +146,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
+named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install-man5: named.conf.5
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+install:: ${TARGETS} installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
- rm -f ${DESTDIR}${mandir}/man8/named.8
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index bb639d9..555c4d9 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -91,6 +91,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
+#include "ldapdb.h"
+#include "pgsqldb.h"
+#include "sqlitedb.h"
+#include "dirdb.h"
#ifdef CONTRIB_DLZ
/*
@@ -1061,6 +1065,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
+ ldapdb_clear();
+ pgsqldb_clear();
+ dirdb_clear();
+ sqlitedb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
@@ -1261,6 +1270,75 @@ setup(void) {
isc_result_totext(result));
#endif
+ result = ldapdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB ldap zone database module loaded."
+ );
+
+ result = pgsqldb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded."
+ );
+
+ result = sqlitedb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded."
+ );
+
+ result = dirdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded."
+ );
+
+
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
@@ -1303,6 +1381,11 @@ cleanup(void) {
dns_name_destroy();
+ ldapdb_clear();
+ pgsqldb_clear();
+ sqlitedb_clear();
+ dirdb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 6d2bfd1..86f8587 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+ @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
+CDEFINES = @CRYPTO@
CWARNINGS =
@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
SUBDIRS = unix
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -195,7 +193,5 @@ uninstall::
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
-@DLZ_DRIVER_RULES@
-
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index c7e0868..95ab742 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
-SRCS = zone2ldap.c zonetodb.c
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
MANPAGES = zone2ldap.1
@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
+
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
@@ -60,4 +63,5 @@ installdirs:
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.in b/configure.in
index 62536a6..f571a4f 100644
--- a/configure.in
+++ b/configure.in
@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
+ bin/named-sdb/Makefile
+ bin/named-sdb/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
bin/python/isc/tests/policy_test.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile
bin/tests/headerdep_test.sh
bin/tests/optional/Makefile

18
SOURCES/bind-9.10-use-of-strlcat.patch

@ -0,0 +1,18 @@ @@ -0,0 +1,18 @@
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index d56bc56..99c3314 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
}
- strlcat (dn, tmp, sizeof (dn));
+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
}
sprintf (tmp, "dc=%s", dc_list[0]);
- strlcat (dn, tmp, sizeof (dn));
+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
fflush(NULL);
return dn;

131
SOURCES/bind-9.11-CVE-2018-5743-atomic.patch

@ -0,0 +1,131 @@ @@ -0,0 +1,131 @@
From 94e08314024c812063bf99bd191a46265a2ba49f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 24 Apr 2019 21:10:26 +0200
Subject: [PATCH] Missing atomic fix to original CVE patch

---
bin/named/client.c | 18 +++++++-----------
bin/named/include/named/interfacemgr.h | 5 +++--
bin/named/interfacemgr.c | 7 +++++--
3 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/bin/named/client.c b/bin/named/client.c
index 3ada6e9..d3bf47d 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -405,12 +405,10 @@ tcpconn_detach(ns_client_t *client) {
static void
mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
if (active && !client->tcpactive) {
- isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
} else if (!active && client->tcpactive) {
- uint32_t old =
- isc_atomic_xadd(&client->interface->ntcpactive, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
}
}
@@ -557,7 +555,7 @@ exit_check(ns_client_t *client) {
if (client->mortal && TCP_CLIENT(client) &&
client->newstate != NS_CLIENTSTATE_FREED &&
!ns_g_clienttest &&
- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
{
/* Nobody else is accepting */
client->mortal = ISC_FALSE;
@@ -3321,7 +3319,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3341,8 +3338,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
INSIST(client->naccepts == 1);
client->naccepts--;
- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
/*
* We must take ownership of the new socket before the exit
@@ -3473,8 +3469,8 @@ client_accept(ns_client_t *client) {
* quota is tcp-clients plus the number of listening
* interfaces plus 1.)
*/
- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
- (client->tcpactive ? 1 : 0));
+ exit = (isc_refcount_current(&client->interface->ntcpactive) >
+ (client->tcpactive ? 1U : 0U));
if (exit) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
(void)exit_check(client);
@@ -3532,7 +3528,7 @@ client_accept(ns_client_t *client) {
* listening for connections itself to prevent the interface
* going dead.
*/
- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
}
static void
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index d9ac90f..aa21049 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -43,6 +43,7 @@
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/socket.h>
+#include <isc/refcount.h>
#include <dns/result.h>
@@ -73,11 +74,11 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- int32_t ntcpaccepting; /*%< Number of clients
+ isc_refcount_t ntcpaccepting; /*%< Number of clients
ready to accept new
TCP connections on this
interface */
- int32_t ntcpactive; /*%< Number of clients
+ isc_refcount_t ntcpactive; /*%< Number of clients
servicing TCP queries
(whether accepting or
connected) */
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 96c080b..2ce97bb 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcpaccepting = 0;
- ifp->ntcpactive = 0;
+ isc_refcount_init(&ifp->ntcpaccepting, 0);
+ isc_refcount_init(&ifp->ntcpactive, 0);
ifp->nudpdispatch = 0;
@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
ns_interfacemgr_detach(&ifp->mgr);
+ isc_refcount_destroy(&ifp->ntcpactive);
+ isc_refcount_destroy(&ifp->ntcpaccepting);
+
ifp->magic = 0;
isc_mem_put(mctx, ifp, sizeof(*ifp));
}
--
2.20.1

868
SOURCES/bind-9.11-CVE-2018-5743.patch

@ -0,0 +1,868 @@ @@ -0,0 +1,868 @@
From b2929ff50a7676563177bc52a372ddcae48cb002 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 24 Apr 2019 20:09:07 +0200
Subject: [PATCH] 5200. [security] tcp-clients settings could be
exceeded in some cases, which could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL
#615]

---
bin/named/client.c | 421 +++++++++++++++++++------
bin/named/include/named/client.h | 13 +-
bin/named/include/named/interfacemgr.h | 13 +-
bin/named/interfacemgr.c | 9 +-
lib/isc/include/isc/quota.h | 7 +
lib/isc/quota.c | 33 +-
6 files changed, 385 insertions(+), 111 deletions(-)

diff --git a/bin/named/client.c b/bin/named/client.c
index b7d8a98..e1acaf1 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -243,7 +243,7 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
dns_dispatch_t *disp, isc_boolean_t tcp);
static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
- isc_socket_t *sock);
+ isc_socket_t *sock, ns_client_t *oldclient);
static inline isc_boolean_t
allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl);
@@ -295,6 +295,119 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
}
}
+/*%
+ * Allocate a reference-counted object that will maintain a single pointer to
+ * the (also reference-counted) TCP client quota, shared between all the
+ * clients processing queries on a single TCP connection, so that all
+ * clients sharing the one socket will together consume only one slot in
+ * the 'tcp-clients' quota.
+ */
+static isc_result_t
+tcpconn_init(ns_client_t *client, isc_boolean_t force) {
+ isc_result_t result;
+ isc_quota_t *quota = NULL;
+ ns_tcpconn_t *tconn = NULL;
+
+ REQUIRE(client->tcpconn == NULL);
+
+ /*
+ * Try to attach to the quota first, so we won't pointlessly
+ * allocate memory for a tcpconn object if we can't get one.
+ */
+ if (force) {
+ result = isc_quota_force(&ns_g_server->tcpquota, &quota);
+ } else {
+ result = isc_quota_attach(&ns_g_server->tcpquota, &quota);
+ }
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+
+ /*
+ * A global memory context is used for the allocation as different
+ * client structures may have different memory contexts assigned and a
+ * reference counter allocated here might need to be freed by a
+ * different client. The performance impact caused by memory context
+ * contention here is expected to be negligible, given that this code
+ * is only executed for TCP connections.
+ */
+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
+
+ isc_refcount_init(&tconn->refs, 1);
+ tconn->tcpquota = quota;
+ quota = NULL;
+ tconn->pipelined = ISC_FALSE;
+
+ client->tcpconn = tconn;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Increase the count of client structures sharing the TCP connection
+ * that 'source' is associated with; add a pointer to the same tcpconn
+ * to 'target', thus associating it with the same TCP connection.
+ */
+static void
+tcpconn_attach(ns_client_t *source, ns_client_t *target) {
+ int refs;
+
+ REQUIRE(source->tcpconn != NULL);
+ REQUIRE(target->tcpconn == NULL);
+ REQUIRE(source->tcpconn->pipelined);
+
+ isc_refcount_increment(&source->tcpconn->refs, &refs);
+ INSIST(refs > 1);
+ target->tcpconn = source->tcpconn;
+}
+
+/*%
+ * Decrease the count of client structures sharing the TCP connection that
+ * 'client' is associated with. If this is the last client using this TCP
+ * connection, we detach from the TCP quota and free the tcpconn
+ * object. Either way, client->tcpconn is set to NULL.
+ */
+static void
+tcpconn_detach(ns_client_t *client) {
+ ns_tcpconn_t *tconn = NULL;
+ int refs;
+
+ REQUIRE(client->tcpconn != NULL);
+
+ tconn = client->tcpconn;
+ client->tcpconn = NULL;
+
+ isc_refcount_decrement(&tconn->refs, &refs);
+ if (refs == 0) {
+ isc_quota_detach(&tconn->tcpquota);
+ isc_mem_free(ns_g_mctx, tconn);
+ }
+}
+
+/*%
+ * Mark a client as active and increment the interface's 'ntcpactive'
+ * counter, as a signal that there is at least one client servicing
+ * TCP queries for the interface. If we reach the TCP client quota at
+ * some point, this will be used to determine whether a quota overrun
+ * should be permitted.
+ *
+ * Marking the client active with the 'tcpactive' flag ensures proper
+ * accounting, by preventing us from incrementing or decrementing
+ * 'ntcpactive' more than once per client.
+ */
+static void
+mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
+ if (active && !client->tcpactive) {
+ isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ client->tcpactive = active;
+ } else if (!active && client->tcpactive) {
+ uint32_t old =
+ isc_atomic_xadd(&client->interface->ntcpactive, -1);
+ INSIST(old > 0);
+ client->tcpactive = active;
+ }
+}
+
/*%
* Check for a deactivation or shutdown request and take appropriate
* action. Returns ISC_TRUE if either is in progress; in this case
@@ -384,7 +497,8 @@ exit_check(ns_client_t *client) {
INSIST(client->recursionquota == NULL);
if (NS_CLIENTSTATE_READING == client->newstate) {
- if (!client->pipelined) {
+ INSIST(client->tcpconn != NULL);
+ if (!client->tcpconn->pipelined) {
client_read(client);
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE); /* We're done. */
@@ -402,10 +516,13 @@ exit_check(ns_client_t *client) {
*/
INSIST(client->recursionquota == NULL);
INSIST(client->newstate <= NS_CLIENTSTATE_READY);
- if (client->nreads > 0)
+
+ if (client->nreads > 0) {
dns_tcpmsg_cancelread(&client->tcpmsg);
- if (client->nreads != 0) {
- /* Still waiting for read cancel completion. */
+ }
+
+ /* Still waiting for read cancel completion. */
+ if (client->nreads > 0) {
return (ISC_TRUE);
}
@@ -413,14 +530,49 @@ exit_check(ns_client_t *client) {
dns_tcpmsg_invalidate(&client->tcpmsg);
client->tcpmsg_valid = ISC_FALSE;
}
+
+ /*
+ * Soon the client will be ready to accept a new TCP
+ * connection or UDP request, but we may have enough
+ * clients doing that already. Check whether this client
+ * needs to remain active and allow it go inactive if
+ * not.
+ *
+ * UDP clients always go inactive at this point, but a TCP
+ * client may need to stay active and return to READY
+ * state if no other clients are available to listen
+ * for TCP requests on this interface.
+ *
+ * Regardless, if we're going to FREED state, that means
+ * the system is shutting down and we don't need to
+ * retain clients.
+ */
+ if (client->mortal && TCP_CLIENT(client) &&
+ client->newstate != NS_CLIENTSTATE_FREED &&
+ !ns_g_clienttest &&
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ {
+ /* Nobody else is accepting */
+ client->mortal = ISC_FALSE;
+ client->newstate = NS_CLIENTSTATE_READY;
+ }
+
+ /*
+ * Detach from TCP connection and TCP client quota,
+ * if appropriate. If this is the last reference to
+ * the TCP connection in our pipeline group, the
+ * TCP quota slot will be released.
+ */
+ if (client->tcpconn) {
+ tcpconn_detach(client);
+ }
+
if (client->tcpsocket != NULL) {
CTRACE("closetcp");
isc_socket_detach(&client->tcpsocket);
+ mark_tcp_active(client, ISC_FALSE);
}
- if (client->tcpquota != NULL)
- isc_quota_detach(&client->tcpquota);
-
if (client->timerset) {
(void)isc_timer_reset(client->timer,
isc_timertype_inactive,
@@ -428,45 +580,26 @@ exit_check(ns_client_t *client) {
client->timerset = ISC_FALSE;
}
- client->pipelined = ISC_FALSE;
-
client->peeraddr_valid = ISC_FALSE;
client->state = NS_CLIENTSTATE_READY;
- INSIST(client->recursionquota == NULL);
-
- /*
- * Now the client is ready to accept a new TCP connection
- * or UDP request, but we may have enough clients doing
- * that already. Check whether this client needs to remain
- * active and force it to go inactive if not.
- *
- * UDP clients go inactive at this point, but TCP clients
- * may remain active if we have fewer active TCP client
- * objects than desired due to an earlier quota exhaustion.
- */
- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
- LOCK(&client->interface->lock);
- if (client->interface->ntcpcurrent <
- client->interface->ntcptarget)
- client->mortal = ISC_FALSE;
- UNLOCK(&client->interface->lock);
- }
/*
* We don't need the client; send it to the inactive
* queue for recycling.
*/
if (client->mortal) {
- if (client->newstate > NS_CLIENTSTATE_INACTIVE)
+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
+ }
}
if (NS_CLIENTSTATE_READY == client->newstate) {
if (TCP_CLIENT(client)) {
client_accept(client);
- } else
+ } else {
client_udprecv(client);
+ }
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE);
}
@@ -478,41 +611,51 @@ exit_check(ns_client_t *client) {
/*
* We are trying to enter the inactive state.
*/
- if (client->naccepts > 0)
+ if (client->naccepts > 0) {
isc_socket_cancel(client->tcplistener, client->task,
ISC_SOCKCANCEL_ACCEPT);
+ }
/* Still waiting for accept cancel completion. */
- if (! (client->naccepts == 0))
+ if (client->naccepts > 0) {
return (ISC_TRUE);
+ }
/* Accept cancel is complete. */
- if (client->nrecvs > 0)
+ if (client->nrecvs > 0) {
isc_socket_cancel(client->udpsocket, client->task,
ISC_SOCKCANCEL_RECV);
+ }
/* Still waiting for recv cancel completion. */
- if (! (client->nrecvs == 0))
+ if (client->nrecvs > 0) {
return (ISC_TRUE);
+ }
/* Still waiting for control event to be delivered */
- if (client->nctls > 0)
+ if (client->nctls > 0) {
return (ISC_TRUE);
-
- /* Deactivate the client. */
- if (client->interface)
- ns_interface_detach(&client->interface);
+ }
INSIST(client->naccepts == 0);
INSIST(client->recursionquota == NULL);
- if (client->tcplistener != NULL)
+ if (client->tcplistener != NULL) {
isc_socket_detach(&client->tcplistener);
+ mark_tcp_active(client, ISC_FALSE);
+ }
- if (client->udpsocket != NULL)
+ if (client->udpsocket != NULL) {
isc_socket_detach(&client->udpsocket);
+ }
- if (client->dispatch != NULL)
+ /* Deactivate the client. */
+ if (client->interface != NULL) {
+ ns_interface_detach(&client->interface);
+ }
+
+ if (client->dispatch != NULL) {
dns_dispatch_detach(&client->dispatch);
+ }
client->attributes = 0;
client->mortal = ISC_FALSE;
@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) {
client->newstate = NS_CLIENTSTATE_MAX;
if (!ns_g_clienttest && manager != NULL &&
!manager->exiting)
+ {
ISC_QUEUE_PUSH(manager->inactive, client,
ilink);
- if (client->needshutdown)
+ }
+ if (client->needshutdown) {
isc_task_shutdown(client->task);
+ }
return (ISC_TRUE);
}
}
@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event_t *event) {
return;
if (TCP_CLIENT(client)) {
- if (client->pipelined) {
+ if (client->tcpconn != NULL) {
client_read(client);
} else {
client_accept(client);
@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event_t *event) {
}
}
-
/*%
* The client's task has received a shutdown event.
*/
@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->nrecvs--;
} else {
INSIST(TCP_CLIENT(client));
+ INSIST(client->tcpconn != NULL);
REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
REQUIRE(event->ev_sender == &client->tcpmsg);
buffer = &client->tcpmsg.buffer;
@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_event_t *event) {
/*
* Pipeline TCP query processing.
*/
- if (client->message->opcode != dns_opcode_query)
- client->pipelined = ISC_FALSE;
- if (TCP_CLIENT(client) && client->pipelined) {
- result = isc_quota_reserve(&ns_g_server->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
+ if (TCP_CLIENT(client) &&
+ client->message->opcode != dns_opcode_query)
+ {
+ client->tcpconn->pipelined = ISC_FALSE;
+ }
+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
+ /*
+ * We're pipelining. Replace the client; the
+ * replacement can read the TCP socket looking
+ * for new messages and this one can process the
+ * current message asynchronously.
+ *
+ * There will now be at least three clients using this
+ * TCP socket - one accepting new connections,
+ * one reading an existing connection to get new
+ * messages, and one answering the message already
+ * received.
+ */
+ result = ns_client_replace(client);
if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(read): %s",
- isc_result_totext(result));
- client->pipelined = ISC_FALSE;
+ client->tcpconn->pipelined = ISC_FALSE;
}
}
@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
client->signer = NULL;
dns_name_init(&client->signername, NULL);
client->mortal = ISC_FALSE;
- client->pipelined = ISC_FALSE;
- client->tcpquota = NULL;
+ client->tcpconn = NULL;
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
client->filter_aaaa = dns_aaaa_ok;
#endif
client->needshutdown = ns_g_clienttest;
+ client->tcpactive = ISC_FALSE;
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) {
static void
client_newconn(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_result_t result;
+ uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
INSIST(client->state == NS_CLIENTSTATE_READY);
+ /*
+ * The accept() was successful and we're now establishing a new
+ * connection. We need to make note of it in the client and
+ * interface objects so client objects can do the right thing
+ * when going inactive in exit_check() (see comments in
+ * client_accept() for details).
+ */
INSIST(client->naccepts == 1);
client->naccepts--;
- LOCK(&client->interface->lock);
- INSIST(client->interface->ntcpcurrent > 0);
- client->interface->ntcpcurrent--;
- UNLOCK(&client->interface->lock);
+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+ INSIST(old > 0);
/*
* We must take ownership of the new socket before the exit
@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"accept failed: %s",
isc_result_totext(nevent->result));
+ tcpconn_detach(client);
}
if (exit_check(client))
@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
* telnetting to port 53 (once per CPU) will
* deny service to legitimate TCP clients.
*/
- client->pipelined = ISC_FALSE;
- result = isc_quota_attach(&ns_g_server->tcpquota,
- &client->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(accept): %s",
- isc_result_totext(result));
- } else if (ns_g_server->keepresporder == NULL ||
- !allowed(&netaddr, NULL, NULL, 0, NULL,
- ns_g_server->keepresporder)) {
- client->pipelined = ISC_TRUE;
+ result = ns_client_replace(client);
+ if (result == ISC_R_SUCCESS &&
+ (ns_g_server->keepresporder == NULL ||
+ !allowed(&netaddr, NULL, NULL, 0, NULL,
+ ns_g_server->keepresporder)))
+ {
+ client->tcpconn->pipelined = ISC_TRUE;
}
client_read(client);
@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) {
CTRACE("accept");
+ /*
+ * Set up a new TCP connection. This means try to attach to the
+ * TCP client quota (tcp-clients), but fail if we're over quota.
+ */
+ result = tcpconn_init(client, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ isc_boolean_t exit;
+
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+ "TCP client quota reached: %s",
+ isc_result_totext(result));
+
+ /*
+ * We have exceeded the system-wide TCP client quota. But,
+ * we can't just block this accept in all cases, because if
+ * we did, a heavy TCP load on other interfaces might cause
+ * this interface to be starved, with no clients able to
+ * accept new connections.
+ *
+ * So, we check here to see if any other clients are
+ * already servicing TCP queries on this interface (whether
+ * accepting, reading, or processing). If we find that at
+ * least one client other than this one is active, then
+ * it's okay *not* to call accept - we can let this
+ * client go inactive and another will take over when it's
+ * done.
+ *
+ * If there aren't enough active clients on the interface,
+ * then we can be a little bit flexible about the quota.
+ * We'll allow *one* extra client through to ensure we're
+ * listening on every interface; we do this by setting the
+ * 'force' option to tcpconn_init().
+ *
+ * (Note: In practice this means that the real TCP client
+ * quota is tcp-clients plus the number of listening
+ * interfaces plus 1.)
+ */
+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+ (client->tcpactive ? 1 : 0));
+ if (exit) {
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
+ (void)exit_check(client);
+ return;
+ }
+
+ result = tcpconn_init(client, ISC_TRUE);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+
+ /*
+ * If this client was set up using get_client() or get_worker(),
+ * then TCP is already marked active. However, if it was restarted
+ * from exit_check(), it might not be, so we take care of it now.
+ */
+ mark_tcp_active(client, ISC_TRUE);
+
result = isc_socket_accept(client->tcplistener, client->task,
client_newconn, client);
if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
/*
* XXXRTH What should we do? We're trying to accept but
* it didn't work. If we just give up, then TCP
@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) {
*
* For now, we just go idle.
*/
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socket_accept() failed: %s",
+ isc_result_totext(result));
+
+ tcpconn_detach(client);
+ mark_tcp_active(client, ISC_FALSE);
return;
}
+
+ /*
+ * The client's 'naccepts' counter indicates that this client has
+ * called accept() and is waiting for a new connection. It should
+ * never exceed 1.
+ */
INSIST(client->naccepts == 0);
client->naccepts++;
- LOCK(&client->interface->lock);
- client->interface->ntcpcurrent++;
- UNLOCK(&client->interface->lock);
+
+ /*
+ * The interface's 'ntcpaccepting' counter is incremented when
+ * any client calls accept(), and decremented in client_newconn()
+ * once the connection is established.
+ *
+ * When the client object is shutting down after handling a TCP
+ * request (see exit_check()), if this value is at least one, that
+ * means another client has called accept() and is waiting to
+ * establish the next connection. That means the client may be
+ * be free to become inactive; otherwise it may need to start
+ * listening for connections itself to prevent the interface
+ * going dead.
+ */
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
}
static void
@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) {
REQUIRE(client->manager != NULL);
tcp = TCP_CLIENT(client);
- if (tcp && client->pipelined) {
+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
result = get_worker(client->manager, client->interface,
- client->tcpsocket);
+ client->tcpsocket, client);
} else {
result = get_client(client->manager, client->interface,
client->dispatch, tcp);
+
}
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
/*
* The responsibility for listening for new requests is hereby
@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
client->dscp = ifp->dscp;
if (tcp) {
+ mark_tcp_active(client, ISC_TRUE);
+
client->attributes |= NS_CLIENTATTR_TCP;
isc_socket_attach(ifp->tcpsocket,
&client->tcplistener);
+
} else {
isc_socket_t *sock;
@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
}
static isc_result_t
-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
+ ns_client_t *oldclient)
{
isc_result_t result = ISC_R_SUCCESS;
isc_event_t *ev;
@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
MTRACE("get worker");
REQUIRE(manager != NULL);
+ REQUIRE(oldclient != NULL);
if (manager->exiting)
return (ISC_R_SHUTTINGDOWN);
@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
ns_interface_attach(ifp, &client->interface);
client->newstate = client->state = NS_CLIENTSTATE_WORKING;
INSIST(client->recursionquota == NULL);
- client->tcpquota = &ns_g_server->tcpquota;
client->dscp = ifp->dscp;
client->attributes |= NS_CLIENTATTR_TCP;
- client->pipelined = ISC_TRUE;
client->mortal = ISC_TRUE;
+ tcpconn_attach(oldclient, client);
+ mark_tcp_active(client, ISC_TRUE);
+
isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
isc_socket_attach(sock, &client->tcpsocket);
isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 262b906..0f54d22 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
-
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -77,6 +75,13 @@
*** Types
***/
+/*% reference-counted TCP connection object */
+typedef struct ns_tcpconn {
+ isc_refcount_t refs;
+ isc_quota_t *tcpquota;
+ isc_boolean_t pipelined;
+} ns_tcpconn_t;
+
/*% nameserver client structure */
struct ns_client {
unsigned int magic;
@@ -91,6 +96,7 @@ struct ns_client {
int nupdates;
int nctls;
int references;
+ isc_boolean_t tcpactive;
isc_boolean_t needshutdown; /*
* Used by clienttest to get
* the client to go from
@@ -129,8 +135,7 @@ struct ns_client {
dns_name_t signername; /*%< [T]SIG key name */
dns_name_t * signer; /*%< NULL if not valid sig */
isc_boolean_t mortal; /*%< Die after handling request */
- isc_boolean_t pipelined; /*%< TCP queries not in sequence */
- isc_quota_t *tcpquota;
+ ns_tcpconn_t *tcpconn;
isc_quota_t *recursionquota;
ns_interface_t *interface;
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index 36870f3..d9ac90f 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
-
#ifndef NAMED_INTERFACEMGR_H
#define NAMED_INTERFACEMGR_H 1
@@ -75,9 +73,14 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- int ntcptarget; /*%< Desired number of concurrent
- TCP accepts */
- int ntcpcurrent; /*%< Current ditto, locked */
+ int32_t ntcpaccepting; /*%< Number of clients
+ ready to accept new
+ TCP connections on this
+ interface */
+ int32_t ntcpactive; /*%< Number of clients
+ servicing TCP queries
+ (whether accepting or
+ connected) */
int nudpdispatch; /*%< Number of UDP dispatches */
ns_clientmgr_t * clientmgr; /*%< Client manager. */
ISC_LINK(ns_interface_t) link;
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index d8c7188..96c080b 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcptarget = 1;
- ifp->ntcpcurrent = 0;
+ ifp->ntcpaccepting = 0;
+ ifp->ntcpactive = 0;
+
ifp->nudpdispatch = 0;
ifp->dscp = -1;
@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
*/
(void)isc_socket_filter(ifp->tcpsocket, "dataready");
- result = ns_clientmgr_createclients(ifp->clientmgr,
- ifp->ntcptarget, ifp,
- ISC_TRUE);
+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"TCP ns_clientmgr_createclients(): %s",
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
index b9bf598..36c5830 100644
--- a/lib/isc/include/isc/quota.h
+++ b/lib/isc/include/isc/quota.h
@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
* quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
*/
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
+/*%<
+ * Like isc_quota_attach, but will attach '*p' to the quota
+ * even if the hard quota has been exceeded.
+ */
+
void
isc_quota_detach(isc_quota_t **p);
/*%<
diff --git a/lib/isc/quota.c b/lib/isc/quota.c
index 3ddff0d..20976a4 100644
--- a/lib/isc/quota.c
+++ b/lib/isc/quota.c
@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
UNLOCK(&quota->lock);
}
-isc_result_t
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
-{
+static isc_result_t
+doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) {
isc_result_t result;
- INSIST(p != NULL && *p == NULL);
+ REQUIRE(p != NULL && *p == NULL);
+
result = isc_quota_reserve(quota);
- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
+ *p = quota;
+ } else if (result == ISC_R_QUOTA && force) {
+ /* attach anyway */
+ LOCK(&quota->lock);
+ quota->used++;
+ UNLOCK(&quota->lock);
+
*p = quota;
+ result = ISC_R_SUCCESS;
+ }
+
return (result);
}
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_FALSE));
+}
+
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_TRUE));
+}
+
void
-isc_quota_detach(isc_quota_t **p)
-{
+isc_quota_detach(isc_quota_t **p) {
INSIST(p != NULL && *p != NULL);
isc_quota_release(*p);
*p = NULL;
--
2.20.1

48
SOURCES/bind-9.11-CVE-2019-6471.patch

@ -0,0 +1,48 @@ @@ -0,0 +1,48 @@
From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 19 Jun 2019 12:28:08 +0200
Subject: [PATCH] Fix CVE-2019-6471

5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
---
lib/dns/dispatch.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 321459ebcb..ae5c9c0fc7 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
disp = resp->disp;
REQUIRE(VALID_DISPATCH(disp));
- REQUIRE(resp->item_out == ISC_TRUE);
- resp->item_out = ISC_FALSE;
-
ev = *sockevent;
*sockevent = NULL;
LOCK(&disp->lock);
+
+ REQUIRE(resp->item_out == ISC_TRUE);
+ resp->item_out = ISC_FALSE;
+
if (ev->buffer.base != NULL)
free_buffer(disp, ev->buffer.base, ev->buffer.length);
free_devent(disp, ev);
@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
isc_task_send(disp->task[0], &disp->ctlevent);
}
+/*
+ * disp must be locked.
+ */
static void
do_cancel(dns_dispatch_t *disp) {
dns_dispatchevent_t *ev;
--
2.20.1

49
SOURCES/bind-9.11-dnssec-lookaside.patch

@ -0,0 +1,49 @@ @@ -0,0 +1,49 @@
From d5ca0a8f5d31dad4e77bdb8316853f703e68b60f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 29 Jan 2019 21:26:33 +0100
Subject: [PATCH 4/5] Accept dnssec-lookaside yes;

Thread it the same way as "auto" value. Print a warning and ignore it.
---
bin/named/server.c | 3 ++-
lib/bind9/check.c | 8 +++++---
2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/bin/named/server.c b/bin/named/server.c
index 0c8939d..93f9417 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4615,7 +4615,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
/* If "no", skip; if "auto", log warning */
if (!strcasecmp(dom, "no")) {
result = ISC_R_NOTFOUND;
- } else if (!strcasecmp(dom, "auto")) {
+ } else if (!strcasecmp(dom, "auto")
+ || !strcasecmp(dom, "yes")) {
/*
* Warning logged by libbind9.
*/
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 1a3d534..f075de0 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1176,11 +1176,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (!strcasecmp(dlv, "no")) {
continue;
}
- if (!strcasecmp(dlv, "auto")) {
+ if (!strcasecmp(dlv, "auto")
+ || !strcasecmp(dlv, "yes")) {
cfg_obj_log(obj, logctx,
ISC_LOG_WARNING,
- "dnssec-lookaside 'auto' "
- "is no longer supported");
+ "dnssec-lookaside '%s' "
+ "is no longer supported",
+ dlv);
continue;
}
}
--
2.20.1

41
SOURCES/bind-9.11-ed448-disable.patch

@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
From e1da251de9647872d776b70078556f4e3e21cad8 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Feb 2019 12:36:17 +0100
Subject: [PATCH] Disable autodetected ED448 algorithm support

Implementation is broken in bind, disabled also in more recent versions.
Makes bin/tests/system/dnssec fail.
---
configure.in | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/configure.in b/configure.in
index 1397c50..475ab9e 100644
--- a/configure.in
+++ b/configure.in
@@ -1964,6 +1964,9 @@ int main() {
}
],
[AC_MSG_RESULT(yes)
+ # ED448 support is broken in BIND
+ # https://gitlab.isc.org/isc-projects/bind9/issues/225
+ # disable if autodetected, can be enabled by --with-eddsa=all
have_ed448="yes"],
[AC_MSG_RESULT(no)
have_ed448="no"],
@@ -1976,8 +1979,10 @@ int main() {
esac
case $have_ed448 in
yes)
- AC_DEFINE(HAVE_OPENSSL_ED448, 1,
- [Define if your OpenSSL version supports Ed448.])
+ # ED448 support is broken in BIND
+ # https://gitlab.isc.org/isc-projects/bind9/issues/225
+ # AC_DEFINE(HAVE_OPENSSL_ED448, 1,
+ # [Define if your OpenSSL version supports Ed448.])
;;
*)
;;
--
2.20.1

39
SOURCES/bind-9.11-export-suffix.patch

@ -0,0 +1,39 @@ @@ -0,0 +1,39 @@
diff --git a/configure.in b/configure.in
index e6cd6a4..988b0a7 100644
--- a/configure.in
+++ b/configure.in
@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
AC_SUBST(BUILD_LDFLAGS)
AC_SUBST(BUILD_LIBS)
+AC_SUBST(LIBDIR_SUFFIX)
+
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
diff --git a/isc-config.sh.in b/isc-config.sh.in
index 110191a..5a64004 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -12,16 +12,17 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
+libdir_suffix=@LIBDIR_SUFFIX@
arch=$(uname -m)
case $arch in
x86_64 | amd64 | sparc64 | s390x | ppc64)
- libdir=/usr/lib64
- sec_libdir=/usr/lib
+ libdir=/usr/lib64${libdir_suffix}
+ sec_libdir=/usr/lib${libdir_suffix}
;;
* )
- libdir=/usr/lib
- sec_libdir=/usr/lib64
+ libdir=/usr/lib${libdir_suffix}
+ sec_libdir=/usr/lib64${libdir_suffix}
;;
esac

1516
SOURCES/bind-9.11-fips-code.patch

File diff suppressed because it is too large Load Diff

1781
SOURCES/bind-9.11-fips-tests.patch

File diff suppressed because it is too large Load Diff

100
SOURCES/bind-9.11-host-idn-disable.patch

@ -0,0 +1,100 @@ @@ -0,0 +1,100 @@
From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 25 Sep 2018 18:08:46 +0200
Subject: [PATCH] Disable IDN from environment as documented

Manual page of host contained instructions to disable IDN processing
when it was built with libidn2. When refactoring IDN support however,
support for disabling IDN in host and nslookup was lost. Use also
environment variable and document it for nslookup, host and dig.

Support variable CHARSET=ASCII to disable IDN, supported in downstream
RH patch since RHEL 5.
---
bin/dig/dig.docbook | 4 +++-
bin/dig/dighost.c | 9 +++++++--
bin/dig/host.docbook | 2 +-
bin/dig/nslookup.docbook | 15 +++++++++++++++
4 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index fedd288..d5dba72 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <parameter>+noidnin</parameter> and
- <parameter>+noidnout</parameter>.
+ <parameter>+noidnout</parameter> or define
+ the <envar>IDN_DISABLE</envar> environment variable.
+
</para>
</refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 7408193..d46379d 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -822,12 +822,17 @@ make_empty_lookup(void) {
looknew->seenbadcookie = ISC_FALSE;
looknew->badcookie = ISC_TRUE;
#ifdef WITH_IDN_SUPPORT
- looknew->idnin = ISC_TRUE;
+ looknew->idnin = (getenv("IDN_DISABLE") == NULL);
+ if (looknew->idnin) {
+ const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII"))
+ looknew->idnin = ISC_FALSE;
+ }
#else
looknew->idnin = ISC_FALSE;
#endif
#ifdef WITH_IDN_OUT_SUPPORT
- looknew->idnout = ISC_TRUE;
+ looknew->idnout = looknew->idnin;
#else
looknew->idnout = ISC_FALSE;
#endif
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 9c3aeaa..42cbbf9 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -378,7 +378,7 @@
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
+ If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>host</command> runs.
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index 3aff4e9..86a09c6 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10
</para>
</refsection>
+ <refsection><info><title>IDN SUPPORT</title></info>
+
+ <para>
+ If <command>nslookup</command> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <command>nslookup</command> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, define
+ the <envar>IDN_DISABLE</envar> environment variable.
+ The IDN support is disabled if the variable is set when
+ <command>nslookup</command> runs.
+ </para>
+ </refsection>
+
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
--
2.14.4

206
SOURCES/bind-9.11-kyua-pkcs11.patch

@ -0,0 +1,206 @@ @@ -0,0 +1,206 @@
From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests

Add dns-pkcs11 tests Makefile to configure

Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
---
configure.in | 1 +
lib/Atffile | 2 ++
lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
lib/isc-pkcs11/tests/Makefile.in | 6 +++---
lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
7 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/configure.in b/configure.in
index 67b3aab..4767eeb 100644
--- a/configure.in
+++ b/configure.in
@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
+ lib/dns-pkcs11/tests/Makefile
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
diff --git a/lib/Atffile b/lib/Atffile
index 93bbb01..4db3dce 100644
--- a/lib/Atffile
+++ b/lib/Atffile
@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1"
prop: test-suite = bind9
tp: dns
+tp: dns-pkcs11
tp: irs
tp: isc
+tp: isc-pkcs11
tp: isccfg
tp: lwres
diff --git a/lib/Kyuafile b/lib/Kyuafile
index ff9fc56..eaaf0dc 100644
--- a/lib/Kyuafile
+++ b/lib/Kyuafile
@@ -2,7 +2,9 @@ syntax(2)
test_suite('bind9')
include('dns/Kyuafile')
+include('dns-pkcs11/Kyuafile')
include('irs/Kyuafile')
include('isc/Kyuafile')
+include('isc-pkcs11/Kyuafile')
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 2a6571b..f25a784 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
-ISCLIBS = ../../isc/libisc.@A@
-ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@
-DNSDEPLIBS = ../libdns.@A@
+ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 036d27a..eb6554f 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
ret = dst_key_computesecret(key, key, &buf);
ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
ret = key->func->computesecret(key, key, &buf);
- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
+ /* PKCS11 variant gives different result, accept both */
+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY);
dst_key_free(&key);
dns_test_end();
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
index f7fa538..818dae4 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../libisc.@A@
+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
+ISCDEPLIBS = ../libisc-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
index 5b8a374..c1891c2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
@@ -74,7 +74,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
- const int len;
+ const unsigned len;
} hash_test_key_t;
/* non-hmac tests */
@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA1_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA1_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
+ isc_hmacsha1_init(&hmacsha1, buffer, len);
isc_hmacsha1_update(&hmacsha1,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA224_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA224_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
+ isc_hmacsha224_init(&hmacsha224, buffer, len);
isc_hmacsha224_update(&hmacsha224,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA256_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA256_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
+ isc_hmacsha256_init(&hmacsha256, buffer, len);
isc_hmacsha256_update(&hmacsha256,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA384_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA384_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
+ isc_hmacsha384_init(&hmacsha384, buffer, len);
isc_hmacsha384_update(&hmacsha384,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA512_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA512_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
+ isc_hmacsha512_init(&hmacsha512, buffer, len);
isc_hmacsha512_update(&hmacsha512,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_MD5_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_MD5_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
+ isc_hmacmd5_init(&hmacmd5, buffer, len);
isc_hmacmd5_update(&hmacmd5,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
--
2.14.3

303
SOURCES/bind-9.11-libidn.patch

@ -0,0 +1,303 @@ @@ -0,0 +1,303 @@
From fb4271f5881a83c2cfb639587597b9a80c536a6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 29 Jan 2019 20:59:57 +0100
Subject: [PATCH] Replace libidn2 support with libidn

They should be more or less compatible. Try to maintain original
behaviour of old 9.11 libidn patch, ignore any in output filter.
---
bin/dig/Makefile.in | 6 ++---
bin/dig/dighost.c | 64 ++++++++++++++++++++++++++++++---------------
config.h.in | 4 +--
configure.in | 56 +++++++++++++++++++--------------------
4 files changed, 76 insertions(+), 54 deletions(-)

diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 3edd951..75441b0 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -19,7 +19,7 @@ READLINE_LIB = @READLINE_LIB@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \
${BIND9_INCLUDES} ${ISC_INCLUDES} \
- ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @DST_OPENSSL_INC@
+ ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN_CFLAGS@ @DST_OPENSSL_INC@
CDEFINES = -DVERSION=\"${VERSION}\" @CRYPTO@
CWARNINGS =
@@ -41,10 +41,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${LWRESDEPLIBS}
LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
- ${ISCLIBS} @IDNKIT_LIBS@ @LIBIDN2_LIBS@ @LIBS@
+ ${ISCLIBS} @IDNKIT_LIBS@ @LIBIDN_LIBS@ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
- ${ISCNOSYMLIBS} @IDNKIT_LIBS@ @LIBIDN2_LIBS@ @LIBS@
+ ${ISCNOSYMLIBS} @IDNKIT_LIBS@ @LIBIDN_LIBS@ @LIBS@
SUBDIRS =
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index ffc16c4..a345a21 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -38,8 +38,9 @@
#include <idn/api.h>
#endif
-#ifdef WITH_LIBIDN2
-#include <idn2.h>
+#ifdef WITH_LIBIDN
+#include <stringprep.h>
+#include <idna.h>
#endif
#endif /* WITH_IDN_SUPPORT */
@@ -4761,7 +4762,7 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) {
}
#endif /* WITH_IDNKIT */
-#ifdef WITH_LIBIDN2
+#ifdef WITH_LIBIDN
static void
idn_initialize(void) {
}
@@ -4769,16 +4770,25 @@ idn_initialize(void) {
static isc_result_t
idn_locale_to_ace(const char *from, char *to, size_t tolen) {
int res;
+ char *utf8_str;
char *tmp_str = NULL;
- res = idn2_to_ascii_lz(from, &tmp_str, IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT);
- if (res == IDN2_DISALLOWED) {
- res = idn2_to_ascii_lz(from, &tmp_str, IDN2_TRANSITIONAL|IDN2_NFC_INPUT);
+ debug ("libidn_locale_to_utf8");
+ utf8_str = stringprep_locale_to_utf8 (from);
+ if (utf8_str == NULL) {
+ debug ("libidn stringprep_locale_to_utf8 failure");
+ return ISC_R_FAILURE;
}
- if (res == IDN2_OK) {
+ int iresult;
+
+ debug ("libidn_utf8_to_ascii");
+ res = idna_to_ascii_8z (utf8_str, &tmp_str, 0);
+ free (utf8_str);
+
+ if (res == IDNA_SUCCESS) {
/*
- * idn2_to_ascii_lz() normalizes all strings to lowerl case,
+ * idna_to_ascii_8z() normalizes all strings to lowerl case,
* but we generally don't want to lowercase all input strings;
* make sure to return the original case if the two strings
* differ only in case
@@ -4786,26 +4796,26 @@ idn_locale_to_ace(const char *from, char *to, size_t tolen) {
if (!strcasecmp(from, tmp_str)) {
if (strlen(from) >= tolen) {
debug("from string is too long");
- idn2_free(tmp_str);
+ free(tmp_str);
return ISC_R_NOSPACE;
}
- idn2_free(tmp_str);
+ free(tmp_str);
(void) strlcpy(to, from, tolen);
return ISC_R_SUCCESS;
}
/* check the length */
if (strlen(tmp_str) >= tolen) {
debug("ACE string is too long");
- idn2_free(tmp_str);
+ free(tmp_str);
return ISC_R_NOSPACE;
}
(void) strlcpy(to, tmp_str, tolen);
- idn2_free(tmp_str);
+ free(tmp_str);
return ISC_R_SUCCESS;
}
- fatal("'%s' is not a legal IDN name (%s), use +noidnin", from, idn2_strerror(res));
+ fatal("'%s' is not a legal IDN name (%s), use +noidnin", from, idna_strerror (res));
return ISC_R_FAILURE;
}
@@ -4813,29 +4823,41 @@ idn_locale_to_ace(const char *from, char *to, size_t tolen) {
static isc_result_t
idn_ace_to_locale(const char *from, char *to, size_t tolen) {
int res;
+ char *tmp2 = NULL;
char *tmp_str = NULL;
- res = idn2_to_unicode_8zlz(from, &tmp_str,
- IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT);
+ res = idna_to_unicode_8z8z (from, &tmp2, 0);
+ if (res != IDNA_SUCCESS) {
+ debug ("output_filter: %s", idna_strerror (res));
+ return ISC_R_SUCCESS;
+ }
+
+ tmp_str = stringprep_utf8_to_locale (tmp2);
+ if (tmp_str == NULL) {
+ debug ("output_filter: stringprep_utf8_to_locale failed");
+ res = idna_to_ascii_8z(tmp2, &tmp_str, 0);
+ }
+
+ free(tmp2);
- if (res == IDN2_OK) {
+ if (res == IDNA_SUCCESS) {
/* check the length */
if (strlen(tmp_str) >= tolen) {
debug("encoded ASC string is too long");
- idn2_free(tmp_str);
+ free(tmp_str);
return ISC_R_FAILURE;
}
(void) strlcpy(to, tmp_str, tolen);
- idn2_free(tmp_str);
+ free(tmp_str);
return ISC_R_SUCCESS;
}
-
- fatal("'%s' is not a legal IDN name (%s), use +noidnout", from, idn2_strerror(res));
+ // fatal("'%s' is not a legal IDN name (%s), use +noidnout", from, idna_strerror(res));
+ free(tmp_str);
return ISC_R_FAILURE;
}
#endif /* WITH_IDN_OUT_SUPPORT */
-#endif /* WITH_LIBIDN2 */
+#endif /* WITH_LIBIDN */
#endif /* WITH_IDN_SUPPORT */
#ifdef DIG_SIGCHASE
diff --git a/config.h.in b/config.h.in
index 1dc65cf..9eb8a16 100644
--- a/config.h.in
+++ b/config.h.in
@@ -615,8 +615,8 @@ int sigwait(const unsigned int *set, int *sig);
/* define if IDN input support is to be included. */
#undef WITH_IDN_SUPPORT
-/* define if libidn2 support is to be included. */
-#undef WITH_LIBIDN2
+/* define if libidn support is to be included. */
+#undef WITH_LIBIDN
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
diff --git a/configure.in b/configure.in
index 9a1d16d..1397c50 100644
--- a/configure.in
+++ b/configure.in
@@ -4864,36 +4864,36 @@ fi
AC_SUBST(IDNKIT_LIBS)
#
-# IDN support using libidn2
+# IDN support using libidn
#
-LIBIDN2_CFLAGS=
-LIBIDN2_LDFLAGS=
-LIBIDN2_LIBS=
-AC_ARG_WITH(libidn2,
- AS_HELP_STRING([--with-libidn2[=PATH]], [enable IDN support using GNU libidn2 [yes|no|path]]),
- use_libidn2="$withval", use_libidn2="no")
-AS_CASE([$use_libidn2],
+LIBIDN_CFLAGS=
+LIBIDN_LDFLAGS=
+LIBIDN_LIBS=
+AC_ARG_WITH(libidn,
+ AS_HELP_STRING([--with-libidn[=PATH]], [enable IDN support using GNU libidn [yes|no|path]]),
+ use_libidn="$withval", use_libidn="no")
+AS_CASE([$use_libidn],
[no],[:],
[yes],[:],
[*],[
- LIBIDN2_CFLAGS="-I$use_libidn2/include"
- LIBIDN2_LDFLAGS="-L$use_libidn2/lib"
+ LIBIDN_CFLAGS="-I$use_libidn/include"
+ LIBIDN_LDFLAGS="-L$use_libidn/lib"
])
-AS_IF([test "$use_libidn2" != "no"],
+AS_IF([test "$use_libidn" != "no"],
[save_CFLAGS="$CFLAGS"
save_LIBS="$LIBS"
save_LDFLAGS="$LDFLAGS"
- CFLAGS="$LIBIDN2_CFLAGS $CFLAGS"
- LDFLAGS="$LIBIDN2_LDFLAGS $LDFLAGS"
- AC_SEARCH_LIBS([idn2_to_ascii_8z], [idn2],
+ CFLAGS="$LIBIDN_CFLAGS $CFLAGS"
+ LDFLAGS="$LIBIDN_LDFLAGS $LDFLAGS"
+ AC_SEARCH_LIBS([idna_to_ascii_8z], [idn],
[AC_DEFINE(WITH_IDN_SUPPORT, 1, [define if IDN input support is to be included.])
- AC_DEFINE(WITH_LIBIDN2, 1, [define if libidn2 support is to be included.])
- LIBIDN2_LIBS="$LIBIDN2_LDFLAGS -lidn2"],
- [AC_MSG_ERROR([libidn2 requested, but not found])])
- AC_TRY_LINK([#include <idn2.h>],
- [idn2_to_unicode_8zlz(".", NULL, IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT);],
+ AC_DEFINE(WITH_LIBIDN, 1, [define if libidn support is to be included.])
+ LIBIDN_LIBS="$LIBIDN_LDFLAGS -lidn"],
+ [AC_MSG_ERROR([libidn requested, but not found])])
+ AC_TRY_LINK([#include <idna.h>],
+ [idna_to_unicode_8zlz(".", NULL, 0);],
[AC_MSG_RESULT(yes)
AC_DEFINE(WITH_IDN_OUT_SUPPORT, 1, [define if IDN output support is to be included.])],
[AC_MSG_RESULT([no])])
@@ -4901,21 +4901,21 @@ AS_IF([test "$use_libidn2" != "no"],
LIBS="$save_LIBS"
LDFLAGS="$save_LDFLAGS"
])
-AC_SUBST([LIBIDN2_CFLAGS])
-AC_SUBST([LIBIDN2_LIBS])
+AC_SUBST([LIBIDN_CFLAGS])
+AC_SUBST([LIBIDN_LIBS])
#
# IDN support in general
#
-# check if idnkit and libidn2 are not used at the same time
-if test "$use_idnkit" != no && test "$use_libidn2" != no; then
- AC_MSG_ERROR([idnkit and libidn2 cannot be used at the same time.])
+# check if idnkit and libidn are not used at the same time
+if test "$use_idnkit" != no && test "$use_libidn" != no; then
+ AC_MSG_ERROR([idnkit and libidn cannot be used at the same time.])
fi
# the IDN support is on
-if test "$use_idnkit" != no || test "$use_libidn2" != no; then
+if test "$use_idnkit" != no || test "$use_libidn" != no; then
AC_DEFINE(WITH_IDN_SUPPORT, 1, [define if IDN input support is to be included.])
- if test "$use_libidn2" = no || test "$use_libidn2_out" != no; then
+ if test "$use_libidn" = no || test "$use_libidn_out" != no; then
AC_DEFINE(WITH_IDN_OUT_SUPPORT, 1, [define if IDN output support is to be included.])
fi
fi
@@ -5618,7 +5618,7 @@ report() {
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
test "X$ZLIB" = "X" || echo " HTTP zlib compression (--with-zlib)"
test "X$NZD_TOOLS" = "X" || echo " LMDB database to store configuration for 'addzone' zones (--with-lmdb)"
- test "no" = "$use_libidn2" || echo " IDN support (--with-libidn2)"
+ test "no" = "$use_libidn" || echo " IDN support (--with-libidn)"
fi
if test "no" != "$use_pkcs11"; then
@@ -5716,7 +5716,7 @@ report() {
test "X$JSONSTATS" = "X" && echo " JSON statistics (--with-libjson)"
test "X$ZLIB" = "X" && echo " HTTP zlib compression (--with-zlib)"
test "X$NZD_TOOLS" = "X" && echo " LMDB database to store configuration for 'addzone' zones (--with-lmdb)"
- test "no" = "$use_libidn2" && echo " IDN support (--with-libidn2)"
+ test "no" = "$use_libidn" && echo " IDN support (--with-libidn)"
echo "-------------------------------------------------------------------------------"
echo "Configured paths:"
--
2.20.1

70
SOURCES/bind-9.11-no-default-cookies.patch

@ -0,0 +1,70 @@ @@ -0,0 +1,70 @@
From 8963e300f7e465b3c96e859ba81e128fa508cefd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 21 Jan 2019 19:15:40 +0100
Subject: [PATCH 1/5] Turn off sending cookies by default

Upstream has default sending cookies on by default. For compatiblity
with bind 9.9.4, require inclusion of send-cookie in configuration or
dig +cookie parameter to send cookie. Would not send EDNS extension in
non-DNSSEC query by default.
---
bin/dig/dig.c | 4 ++--
bin/dig/dig.docbook | 4 ++--
bin/named/config.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index c577e31..8b23676 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1429,7 +1429,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
lookup->section_authority = ISC_TRUE;
lookup->section_question = ISC_FALSE;
lookup->dnssec = ISC_TRUE;
- lookup->sendcookie = ISC_TRUE;
+ lookup->sendcookie = ISC_FALSE;
usesearch = ISC_FALSE;
}
break;
@@ -1883,7 +1883,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
default_lookup = make_empty_lookup();
default_lookup->adflag = ISC_TRUE;
default_lookup->edns = 0;
- default_lookup->sendcookie = ISC_TRUE;
+ default_lookup->sendcookie = ISC_FALSE;
#ifndef NOPOSIX
/*
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index d5dba72..575a308 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -617,10 +617,10 @@
Send a COOKIE EDNS option, with optional
value. Replaying a COOKIE from a previous response will
allow the server to identify a previous client. The
- default is <option>+cookie</option>.
+ default is <option>+nocookie</option>.
</para>
<para>
- <command>+cookie</command> is also set when +trace
+ <command>+nocookie</command> is also set when +trace
is set to better emulate the default queries from a
nameserver.
</para>
diff --git a/bin/named/config.c b/bin/named/config.c
index c50f759..7d97029 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -102,7 +102,7 @@ options {\n\
resolver-query-timeout 10;\n\
rrset-order { order random; };\n\
secroots-file \"named.secroots\";\n\
- send-cookie true;\n\
+ send-cookie false;\n\
# serial-queries <obsolete>;\n\
serial-query-rate 20;\n\
server-id none;\n\
--
2.20.1

42
SOURCES/bind-9.11-no-default-ipv6.patch

@ -0,0 +1,42 @@ @@ -0,0 +1,42 @@
From 9fea3896c84d027271c2315af098dad319a444da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 21 Jan 2019 19:23:10 +0100
Subject: [PATCH 2/5] Turn off listening on IPv6 by default

To maintain behaviour of BIND 9.9, turn off listening on IPv6 by
default. To enable listening like upstream defaults, include
listen-on-v6 { any; }; in options.
---
bin/named/config.c | 2 +-
doc/arm/Bv9ARM-book.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/named/config.c b/bin/named/config.c
index 7d97029..1d7aaa1 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -77,7 +77,7 @@ options {\n\
interface-interval 60;\n\
# keep-response-order {none;};\n\
listen-on {any;};\n\
- listen-on-v6 {any;};\n\
+ listen-on-v6 {none;};\n\
# lock-file \"" NS_LOCALSTATEDIR "/run/named/named.lock\";\n\
match-mapped-addresses no;\n\
max-rsa-exponent-size 0; /* no limit */\n\
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index a5d9e2e..5e7d015 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -7473,7 +7473,7 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
The <command>listen-on-v6</command> option is used to
specify the interfaces and the ports on which the server will
listen for incoming queries sent using IPv6. If not specified,
- the server will listen on port 53 on all IPv6 interfaces.
+ the server will not listen on port 53 on any IPv6 interfaces.
</para>
<para>
--
2.20.1

256
SOURCES/bind-9.11-oot-manual.patch

@ -0,0 +1,256 @@ @@ -0,0 +1,256 @@
From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 25 Jul 2018 12:24:16 +0200
Subject: [PATCH] Use make automatic variables to install updated manuals

Make will choose modified manual from build directory or original from source
directory automagically. Take advantage of install tool feature.
Install all files in single command instead of iterating on each of them.
---
bin/check/Makefile.in | 8 +++++---
bin/confgen/Makefile.in | 9 +++++----
bin/delv/Makefile.in | 6 ++++--
bin/dig/Makefile.in | 8 ++++----
bin/dnssec/Makefile.in | 6 ++++--
bin/named/Makefile.in | 13 +++++++++----
bin/pkcs11/Makefile.in | 9 ++++-----
bin/python/Makefile.in | 8 ++++----
bin/tools/Makefile.in | 25 +++++++++++++++----------
9 files changed, 54 insertions(+), 38 deletions(-)

diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 12f48d2d23..d8eac4c714 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -83,12 +83,14 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+ (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
+
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
- (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 87f13dda4b..7865c0c73e 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -95,13 +95,14 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+install-man8: rndc-confgen.8 ddns-confgen.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+ (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
- (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
index e2d2802262..19361a83ea 100644
--- a/bin/delv/Makefile.in
+++ b/bin/delv/Makefile.in
@@ -63,10 +63,12 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-install:: delv@EXEEXT@ installdirs
+install-man1: delv.1
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+install:: delv@EXEEXT@ installdirs install-man1
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
delv@EXEEXT@ ${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1
uninstall::
rm -f ${DESTDIR}${mandir}/man1/delv.1
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 773ac46395..3edd951e7e 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -91,16 +91,16 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
+install-man1: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs install-man1
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
dig@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
host@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir}
- for m in ${MANPAGES}; do \
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
- done
uninstall::
for m in ${MANPAGES}; do \
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1be1d5ffc6..1d0c4ce5c1 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -110,9 +110,11 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
uninstall::
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 1c413973d0..03e4cb849b 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -172,12 +172,17 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
+install-man5: named.conf.5
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
+
+install-man8: named.8 lwresd.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install-man: install-man5 install-man8
+
+install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index ae9061626c..a058c91214 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -71,7 +71,10 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \
@@ -80,10 +83,6 @@ install:: ${TARGETS} installdirs
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \
${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8
uninstall::
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
index aa678d47ab..064c404e2f 100644
--- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in
@@ -47,13 +47,13 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir}
${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir}
${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8
if test -n "${PYTHON}" ; then \
if test -n "${DESTDIR}" ; then \
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index 7bf2af4cea..c395bc7462 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -119,17 +119,27 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-nzd:
+nzd-man: named-nzd2nzf.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+nzd: nzd-man
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \
${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/named-nzd2nzf.8 ${DESTDIR}${mandir}/man8
-dnstap:
+dnstap-man: dnstap-read.1
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+dnstap: dnstap-man
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \
${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/dnstap-read.1 ${DESTDIR}${mandir}/man1
-install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
+install-man1: arpaname.1 named-rrchecker.1 mdig.1
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+install-man8: named-journalprint.8 nsec3hash.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ install-man1 install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \
${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \
@@ -144,13 +154,8 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \
${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1
- ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1
uninstall::
rm -f ${DESTDIR}${mandir}/man1/mdig.1
--
2.14.4

27
SOURCES/bind-9.11-pk11.patch

@ -0,0 +1,27 @@ @@ -0,0 +1,27 @@
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 640519a..fc40472 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -59,6 +59,9 @@
#include <openssl/objects.h>
#include <openssl/rsa.h>
#endif
+#if PKCS11CRYPTO
+#include <pk11/pk11.h>
+#endif
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
index aa8907a..603712a 100644
--- a/lib/isc/include/pk11/internal.h
+++ b/lib/isc/include/pk11/internal.h
@@ -13,6 +13,8 @@
#ifndef PK11_INTERNAL_H
#define PK11_INTERNAL_H 1
+#include <pk11/pk11.h>
+
/*! \file pk11/internal.h */
ISC_LANG_BEGINDECLS

120
SOURCES/bind-9.11-rh1205168.patch

@ -0,0 +1,120 @@ @@ -0,0 +1,120 @@
From 90416594843a56550e40b11561807786219ce1c4 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 11 Sep 2017 15:01:36 -0700
Subject: [PATCH] remap getaddrinfo() to irs_getgetaddrinfo()

The libirs version of getaddrinfo() cannot be called from within BIND9.

fix prototypes
---
lib/irs/include/irs/netdb.h.in | 94 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 94 insertions(+)

diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in
index 23dcd37..f36113d 100644
--- a/lib/irs/include/irs/netdb.h.in
+++ b/lib/irs/include/irs/netdb.h.in
@@ -150,6 +150,100 @@ struct addrinfo {
#define NI_DGRAM 0x00000010
/*
+ * Define to map into irs_ namespace.
+ */
+
+#define IRS_NAMESPACE
+
+#ifdef IRS_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo irs_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo irs_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo irs_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror irs_gai_strerror
+
+#endif
+
+extern int getaddrinfo (const char *name,
+ const char *service,
+ const struct addrinfo *req,
+ struct addrinfo **pai);
+extern int getnameinfo (const struct sockaddr *sa,
+ socklen_t salen, char *host,
+ socklen_t hostlen, char *serv,
+ socklen_t servlen, int flags);
+extern void freeaddrinfo (struct addrinfo *ai);
+extern const char *gai_strerror (int ecode);
+
+/*
+ * Define to map into irs_ namespace.
+ */
+
+#define IRS_NAMESPACE
+
+#ifdef IRS_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo irs_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo irs_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo irs_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror irs_gai_strerror
+
+int
+getaddrinfo(const char *hostname, const char *servname,
+ const struct addrinfo *hints, struct addrinfo **res);
+
+int
+getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
+ char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen,
+ char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen,
+ IRS_GETNAMEINFO_FLAGS_T flags);
+
+void freeaddrinfo (struct addrinfo *ai);
+
+IRS_GAISTRERROR_RETURN_T
+gai_strerror(int ecode);
+
+#endif
+
+/*
* Tell Emacs to use C mode on this file.
* Local variables:
* mode: c
--
2.9.5

14
SOURCES/bind-9.11-rh1410433.patch

@ -0,0 +1,14 @@ @@ -0,0 +1,14 @@
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
index 0ce5e42..556d920 100644
--- a/lib/dns/dyndb.c
+++ b/lib/dns/dyndb.c
@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
instname, filename);
flags = RTLD_NOW|RTLD_LOCAL;
-#ifdef RTLD_DEEPBIND
- flags |= RTLD_DEEPBIND;
-#endif
handle = dlopen(filename, flags);
if (handle == NULL)

288
SOURCES/bind-9.11-rh1624100.patch

@ -0,0 +1,288 @@ @@ -0,0 +1,288 @@
From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts

(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)

Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()

(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)

Fix the isc_safe_memwipe() usage with (NULL, >0)

(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
---
bin/dnssec/dnssec-signzone.c | 2 +-
lib/dns/nsec3.c | 4 +--
lib/dns/spnego.c | 4 +--
lib/isc/Makefile.in | 8 ++---
lib/isc/include/isc/safe.h | 18 ++++------
lib/isc/safe.c | 81 --------------------------------------------
lib/isc/tests/safe_test.c | 20 -----------
7 files changed, 13 insertions(+), 124 deletions(-)
delete mode 100644 lib/isc/safe.c

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 53be1f5c60..351296a356 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
- return (isc_safe_memcompare(a, b, hash_length + 1));
+ return (memcmp(a, b, hash_length + 1));
}
static void
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index d364308aaf..37b6a8a7fe 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
* Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0).
*/
- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
+ scope = memcmp(owner, nsec3.next, nsec3.next_length);
/*
* Prepare to compute all the hashes.
@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
return (ISC_R_IGNORE);
}
- order = isc_safe_memcompare(hash, owner, length);
+ order = memcmp(hash, owner, length);
if (first && order == 0) {
/*
* The hashes are the same.
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index ce3e42d650..079d4c1b4a 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
/* mod_auth_kerb.c */
-static int
+static isc_boolean_t
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
{
unsigned char *p;
@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
if (((OM_uint32) *p++) != gssoid->length)
return (GSS_S_DEFECTIVE_TOKEN);
- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length));
}
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index ba53ef1091..98acffffc9 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
rwlock.@O@ \
- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
tm.@O@ timer.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
netaddr.c netscope.c pool.c ondestroy.c \
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c version.c
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
@BIND9_MAKE_RULES@
-safe.@O@: safe.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
- -c ${srcdir}/safe.c
-
version.@O@: version.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
index f29f00bac6..b8a0b2290c 100644
--- a/lib/isc/include/isc/safe.h
+++ b/lib/isc/include/isc/safe.h
@@ -15,27 +15,21 @@
/*! \file isc/safe.h */
-#include <isc/types.h>
-#include <stdlib.h>
+#include <isc/boolean.h>
+#include <isc/lang.h>
+
+#include <openssl/crypto.h>
ISC_LANG_BEGINDECLS
-isc_boolean_t
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n))
/*%<
* Returns ISC_TRUE iff. two blocks of memory are equal, otherwise
* ISC_FALSE.
*
*/
-int
-isc_safe_memcompare(const void *b1, const void *b2, size_t len);
-/*%<
- * Clone of libc memcmp() which is safe to differential timing attacks.
- */
-
-void
-isc_safe_memwipe(void *ptr, size_t len);
+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
/*%<
* Clear the memory of length `len` pointed to by `ptr`.
*
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
deleted file mode 100644
index 5c9e1e2d13..0000000000
--- a/lib/isc/safe.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#ifdef WIN32
-#include <windows.h>
-#endif
-
-#ifdef _MSC_VER
-#pragma optimize("", off)
-#endif
-
-isc_boolean_t
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
- isc_uint8_t acc = 0;
-
- if (n != 0U) {
- const isc_uint8_t *p1 = s1, *p2 = s2;
-
- do {
- acc |= *p1++ ^ *p2++;
- } while (--n != 0U);
- }
- return (ISC_TF(acc == 0));
-}
-
-
-int
-isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
- const unsigned char *p1 = b1, *p2 = b2;
- size_t i;
- int res = 0, done = 0;
-
- for (i = 0; i < len; i++) {
- /* lt is -1 if p1[i] < p2[i]; else 0. */
- int lt = (p1[i] - p2[i]) >> CHAR_BIT;
-
- /* gt is -1 if p1[i] > p2[i]; else 0. */
- int gt = (p2[i] - p1[i]) >> CHAR_BIT;
-
- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
- int cmp = lt - gt;
-
- /* set res = cmp if !done. */
- res |= cmp & ~done;
-
- /* set done if p1[i] != p2[i]. */
- done |= lt | gt;
- }
-
- return (res);
-}
-
-void
-isc_safe_memwipe(void *ptr, size_t len) {
- if (ISC_UNLIKELY(ptr == NULL || len == 0))
- return;
-
-#ifdef WIN32
- SecureZeroMemory(ptr, len);
-#elif HAVE_EXPLICIT_BZERO
- explicit_bzero(ptr, len);
-#else
- memset(ptr, 0, len);
-#endif
-}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
index f721cd1096..ea3e61f98d 100644
--- a/lib/isc/tests/safe_test.c
+++ b/lib/isc/tests/safe_test.c
@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) {
"\x00\x00\x00\x00", 4));
}
-ATF_TC(isc_safe_memcompare);
-ATF_TC_HEAD(isc_safe_memcompare, tc) {
- atf_tc_set_md_var(tc, "descr", "safe memcompare()");
-}
-ATF_TC_BODY(isc_safe_memcompare, tc) {
- UNUSED(tc);
-
- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x00", 4) == 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x01", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
- "\x00\x00\x00\x00", 4) > 0);
-}
-
ATF_TC(isc_safe_memwipe);
ATF_TC_HEAD(isc_safe_memwipe, tc) {
atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()");
@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
/* These should pass. */
isc_safe_memwipe(NULL, 0);
isc_safe_memwipe((void *) -1, 0);
- isc_safe_memwipe(NULL, 42);
/*
* isc_safe_memwipe(ptr, size) should function same as
@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
*/
ATF_TP_ADD_TCS(tp) {
ATF_TP_ADD_TC(tp, isc_safe_memequal);
- ATF_TP_ADD_TC(tp, isc_safe_memcompare);
ATF_TP_ADD_TC(tp, isc_safe_memwipe);
return (atf_no_error());
}
--
2.14.4

72
SOURCES/bind-9.11-rh1685940.patch

@ -0,0 +1,72 @@ @@ -0,0 +1,72 @@
From 9fcd066217e8b6f52b601bdd8a0cb6455f98b88c Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 7 Mar 2019 14:33:28 +0100
Subject: [PATCH] Do not replace random generator on single thread

DHCP builds fails to initialize dst library entropy generator. It does
not require it for anything. Instead of initializing it, skip replacing
custom random generator in single thread builds. Should use OpenSSL
default random generator in case of SSL.

Related: rhbz#1685940
---
lib/dns/openssl_link.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index ec6dc7f..ca3ffbc 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -31,6 +31,7 @@
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/mutexblock.h>
+#include <isc/platform.h>
#include <isc/string.h>
#include <isc/thread.h>
#include <isc/util.h>
@@ -220,6 +221,7 @@ dst__openssl_init(const char *engine) {
ERR_load_crypto_strings();
#endif
+#ifdef ISC_PLATFORM_USETHREADS
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
if (rm == NULL) {
result = ISC_R_NOMEMORY;
@@ -231,6 +233,7 @@ dst__openssl_init(const char *engine) {
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
+#endif
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
@@ -264,6 +267,7 @@ dst__openssl_init(const char *engine) {
}
}
+#ifdef ISC_PLATFORM_USETHREADS
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
@@ -276,6 +280,7 @@ dst__openssl_init(const char *engine) {
ENGINE_free(re);
} else
ENGINE_finish(re);
+#endif
#else
RAND_set_rand_method(rm);
#endif /* !defined(OPENSSL_NO_ENGINE) */
@@ -286,7 +291,8 @@ dst__openssl_init(const char *engine) {
if (e != NULL)
ENGINE_free(e);
e = NULL;
- mem_free(rm FILELINE);
+ if (rm != NULL)
+ mem_free(rm FILELINE);
rm = NULL;
#endif
cleanup_mutexinit:
--
2.20.1

45
SOURCES/bind-9.11-unit-disable-random.patch

@ -0,0 +1,45 @@ @@ -0,0 +1,45 @@
From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Feb 2019 22:42:27 +0100
Subject: [PATCH] Disable random_test

It fails too often on some architecture, failing the whole build along.
Because it runs two times for pkcs11 and normal build and any of
subtests can occasionally fail, stop it.

It can be used again by defining 'unstable' variable in Kyuafile.
---
lib/isc/tests/Atffile | 3 ++-
lib/isc/tests/Kyuafile | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile
index 8681844..74a4a77 100644
--- a/lib/isc/tests/Atffile
+++ b/lib/isc/tests/Atffile
@@ -20,7 +20,8 @@ tp: pool_test
tp: print_test
tp: queue_test
tp: radix_test
-tp: random_test
+# random test fails too often
+#tp: random_test
tp: regex_test
tp: result_test
tp: safe_test
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
index 1c510c1..a86824a 100644
--- a/lib/isc/tests/Kyuafile
+++ b/lib/isc/tests/Kyuafile
@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'}
atf_test_program{name='print_test'}
atf_test_program{name='queue_test'}
atf_test_program{name='radix_test'}
-atf_test_program{name='random_test'}
+atf_test_program{name='random_test', required_configs='unstable'}
atf_test_program{name='regex_test'}
atf_test_program{name='result_test'}
atf_test_program{name='safe_test'}
--
2.20.1

196
SOURCES/bind-9.11-zone2ldap.patch

@ -0,0 +1,196 @@ @@ -0,0 +1,196 @@
From 738d12594972ad816e8cff9821f760aa0682fd08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 18 Dec 2018 16:06:26 +0100
Subject: [PATCH] Make absolute hostname by dns API instead of strings

Duplicate all strings in dc_list. Free allocated memory on each record.
---
bin/sdb_tools/zone2ldap.c | 72 +++++++++++++++++++++++++++++------------------
1 file changed, 45 insertions(+), 27 deletions(-)

diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index acf160b..cc482dc 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp);
/* Get a DN */
char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
+/* Free a DN list */
+static void
+free_dc_list(char **dc_list);
+
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
unsigned int ttl, unsigned int flags);
@@ -123,6 +127,7 @@ static char dNSTTL []="dNSTTL";
static char zoneName []="zoneName";
static char dc []="dc";
static char sameZone []="@";
+static char dot []=".";
/* LDAPMod mod_values: */
static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
@@ -396,6 +401,8 @@ main (int argc, char **argv)
}
}
+
+ free_dc_list(dc_list);
}
else
{
@@ -451,12 +458,17 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
char data[2048];
char **dc_list;
char *dn;
+ size_t argzone_len;
+ isc_boolean_t omit_dot;
isc_buffer_t buff;
isc_result_t result;
isc_buffer_init (&buff, name, sizeof (name));
- result = dns_name_totext (dnsname, ISC_TRUE, &buff);
+ argzone_len = strlen(argzone);
+ /* If argzone is absolute, output absolute name too */
+ omit_dot = ISC_TF(!(argzone_len > 0 && argzone[argzone_len-1] == '.'));
+ result = dns_name_totext (dnsname, omit_dot, &buff);
isc_result_check (result, "dns_name_totext");
name[isc_buffer_usedlength (&buff)] = 0;
@@ -478,6 +490,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
+ free_dc_list(dc_list);
}
@@ -538,12 +551,9 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs == (LDAPMod **) NULL)
fatal("calloc");
- for (i = 0; i < (int)flags; i++)
- {
- tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
- if (tmp->attrs[i] == (LDAPMod *) NULL)
- fatal("malloc");
- }
+ tmp->attrs[0] = (LDAPMod *) malloc (sizeof (LDAPMod));
+ if (tmp->attrs[0] == (LDAPMod *) NULL)
+ fatal("malloc");
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
tmp->attrs[0]->mod_type = objectClass;
@@ -559,9 +569,18 @@ add_to_rr_list (char *dn, char *name, char *type,
return;
}
+ for (i = 1; i < (int)flags-1; i++)
+ {
+ tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
+ if (tmp->attrs[i] == (LDAPMod *) NULL)
+ fatal("malloc");
+ }
+ tmp->attrs[i] = NULL;
+
+
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
tmp->attrs[1]->mod_type = relativeDomainName;
- tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
+ tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 3);
if (tmp->attrs[1]->mod_values == (char **)NULL)
fatal("calloc");
@@ -705,25 +724,16 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
- int i = 0;
+ int i = 0, j = 0;
char *hname=0L, *last=0L;
int hlen=strlen(hostname), zlen=(strlen(zone));
/* printf("hostname: %s zone: %s\n",hostname, zone); */
- hname=0L;
if(flags == DNS_OBJECT)
{
- if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') )
- {
- hname=(char*)malloc(hlen + 1);
- hlen += 1;
- sprintf(hname, "%s.", hostname);
- hostname = hname;
- }
if(strcmp(hostname, zone) == 0)
{
- if( hname == 0 )
- hname=strdup(hostname);
+ hname=strdup(hostname);
last = strdup(sameZone);
}else
{
@@ -731,8 +741,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
||( strcmp( hostname + (hlen - zlen), zone ) != 0)
)
{
- if( hname != 0 )
- free(hname);
hname=(char*)malloc( hlen + zlen + 1);
if( *zone == '.' )
sprintf(hname, "%s%s", hostname, zone);
@@ -740,8 +748,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
sprintf(hname,"%s",zone);
}else
{
- if( hname == 0 )
- hname = strdup(hostname);
+ hname = strdup(hostname);
}
last = hname;
}
@@ -754,18 +761,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
tmp = strrchr (hname, '.'))
{
- if( *( tmp + 1 ) != '\0' )
+ tmp[0] = '\0';
+ if( tmp[1] != '\0' )
{
- *tmp = '\0';
dn_buffer[i++] = ++tmp;
}else
{ /* trailing '.' ! */
- dn_buffer[i++] = strdup(".");
- *tmp = '\0';
+ dn_buffer[i++] = dot;
if( tmp == hname )
break;
}
}
+ for (j=0; j<i; j++)
+ {
+ dn_buffer[j] = strdup(dn_buffer[j]);
+ }
if( ( last != hname ) && (tmp != hname) )
dn_buffer[i++] = hname;
dn_buffer[i++] = last;
@@ -825,6 +835,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
return dn;
}
+static void
+free_dc_list(char **dc_list)
+{
+ for (; *dc_list; dc_list++) {
+ free(*dc_list);
+ *dc_list=NULL;
+ }
+}
/* Initialize LDAP Conn */
void
--
2.14.5

2
SOURCES/bind-9.3.1rc1-sdb_tools-Makefile.in

@ -2,7 +2,7 @@ srcdir = @srcdir@ @@ -2,7 +2,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@

@BIND9_VERSION@
VERSION=@BIND9_VERSION@

@BIND9_MAKE_INCLUDES@


18
SOURCES/bind-9.3.2-redhat_doc.patch

@ -1,9 +1,11 @@ @@ -1,9 +1,11 @@
--- bind-9.4.0/bin/named/named.8.redhat_doc 2007-01-30 01:23:44.000000000 +0100
+++ bind-9.4.0/bin/named/named.8 2007-03-12 15:39:19.000000000 +0100
@@ -205,6 +205,57 @@
\fI/var/run/named/named.pid\fR
diff --git a/bin/named/named.8 b/bin/named/named.8
index cd990a9..890be36 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -358,6 +358,57 @@ The default configuration file\&.
/var/run/named/named\&.pid
.RS 4
The default process\-id file.
The default process\-id file\&.
+.PP
+.SH "NOTES"
+.PP
@ -27,8 +29,8 @@ @@ -27,8 +29,8 @@
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+.PP
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+.PP
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context named_zone_t .
@ -40,7 +42,7 @@ @@ -40,7 +42,7 @@
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
+/var/named/data. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in
+slave or DDNS updateable zone files and database / statistics dump files in
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the 'named_cache_t'
+file context, which SELinux allows named to write.

145
SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch

@ -1,24 +1,25 @@ @@ -1,24 +1,25 @@
diff -up bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap bind-9.5.1b1/bin/sdb_tools/Makefile.in
--- bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap 2008-07-21 12:14:00.000000000 +0200
+++ bind-9.5.1b1/bin/sdb_tools/Makefile.in 2008-07-21 12:17:51.000000000 +0200
@@ -30,11 +30,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS}
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index 95ab742..6069f09 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
-SRCS = zone2ldap.c zonetodb.c
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
MANPAGES = zone2ldap.1
@@ -48,6 +48,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLI
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
@ -26,25 +27,19 @@ diff -up bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -26,25 +27,19 @@ diff -up bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap bind-9.5.1b1/bin/sd
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
@@ -57,5 +60,6 @@ installdirs:
@@ -62,6 +65,7 @@ installdirs:
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sdb_tools/zone2ldap.c
--- bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap 2008-07-21 12:14:00.000000000 +0200
+++ bind-9.5.1b1/bin/sdb_tools/zone2ldap.c 2008-07-21 12:14:00.000000000 +0200
@@ -24,6 +24,7 @@
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/print.h>
+#include <isc/hash.h>
#include <isc/result.h>
#include <dns/db.h>
@@ -61,6 +62,9 @@ ldap_info;
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index 23dd873..d56bc56 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -65,6 +66,9 @@ ldap_info;
/* usage Info */
void usage (void);
@ -54,7 +49,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -54,7 +49,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
/* Add to the ldap dit */
void add_ldap_values (ldap_info * ldinfo);
@@ -77,7 +81,7 @@ char **hostname_to_dn_list (char *hostna
@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
int get_attr_list_size (char **tmp);
/* Get a DN */
@ -63,7 +58,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -63,7 +58,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
@@ -99,11 +103,27 @@ void
@@ -103,11 +107,27 @@ void
init_ldap_conn ();
void usage();
@ -96,7 +91,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -96,7 +91,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
LDAP *conn;
unsigned int debug = 0;
@@ -119,12 +139,12 @@ main (int argc, char **argv)
@@ -131,12 +151,12 @@ main (int argc, char **argv)
isc_result_t result;
char *basedn;
ldap_info *tmp;
@ -112,38 +107,35 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -112,38 +107,35 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
dns_fixedname_t fixedzone, fixedname;
dns_rdataset_t rdataset;
char **dc_list;
@@ -137,7 +157,7 @@ main (int argc, char **argv)
@@ -149,7 +169,7 @@ main (int argc, char **argv)
extern char *optarg;
extern int optind, opterr, optopt;
int create_base = 0;
- int topt;
+ int topt, dcn, zdn, znlen;
if ((int) argc < 2)
if (argc < 2)
{
@@ -145,7 +165,7 @@ main (int argc, char **argv)
@@ -157,7 +177,7 @@ main (int argc, char **argv)
exit (-1);
}
- while ((topt = getopt ((int) argc, argv, "D:w:b:z:f:h:?dcv")) != -1)
+ while ((topt = getopt ((int) argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1)
- while ((topt = getopt (argc, argv, "D:w:b:z:f:h:?dcv")) != -1)
+ while ((topt = getopt (argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1)
{
switch (topt)
{
@@ -164,8 +184,11 @@ main (int argc, char **argv)
case 'w':
bindpw = strdup (optarg);
@@ -180,6 +200,9 @@ main (int argc, char **argv)
if (bindpw == NULL)
fatal("strdup");
break;
+ case 'W':
+ bindpw = getpass("Enter LDAP Password: ");
+ break;
case 'b':
- ldapbase = strdup (optarg);
+ ldapbase = strdup (optarg);
break;
case 'z':
argzone = strdup (optarg);
@@ -277,27 +300,62 @@ main (int argc, char **argv)
ldapbase = strdup (optarg);
if (ldapbase == NULL)
@@ -301,27 +324,62 @@ main (int argc, char **argv)
{
if (debug)
printf ("Creating base zone DN %s\n", argzone);
@ -216,7 +208,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -216,7 +208,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
}
else
{
@@ -306,8 +364,13 @@ main (int argc, char **argv)
@@ -330,8 +388,13 @@ main (int argc, char **argv)
else
sprintf (fullbasedn, "%s", ctmp);
}
@ -230,7 +222,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -230,7 +222,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
}
}
@@ -383,14 +446,14 @@ generate_ldap (dns_name_t * dnsname, dns
@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
isc_result_check (result, "dns_rdata_totext");
data[isc_buffer_usedlength (&buff)] = 0;
@ -248,7 +240,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -248,7 +240,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
}
@@ -430,7 +493,8 @@ add_to_rr_list (char *dn, char *name, ch
@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type,
int attrlist;
char ldap_type_buffer[128];
char charttl[64];
@ -258,8 +250,8 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -258,8 +250,8 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
if ((tmp = locate_by_dn (dn)) == NULL)
{
@@ -465,13 +529,13 @@ add_to_rr_list (char *dn, char *name, ch
}
@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[0]->mod_type = (char*)"objectClass";
@ -275,7 +267,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -275,7 +267,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
@@ -480,7 +544,7 @@ add_to_rr_list (char *dn, char *name, ch
@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
@ -284,8 +276,8 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -284,8 +276,8 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -502,7 +566,7 @@ add_to_rr_list (char *dn, char *name, ch
tmp->attrs[2]->mod_values[1] = NULL;
@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[3]->mod_type = (char*)"dNSTTL";
@ -293,9 +285,9 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -293,9 +285,9 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -512,10 +576,21 @@ add_to_rr_list (char *dn, char *name, ch
tmp->attrs[3]->mod_values[0] = strdup (charttl);
tmp->attrs[3]->mod_values[1] = NULL;
@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs[3]->mod_values[0] == NULL)
fatal("strdup");
+ znlen=strlen(gbl_zone);
+ if ( *(gbl_zone + (znlen-1)) == '.' )
@ -312,12 +304,16 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -312,12 +304,16 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
- tmp->attrs[4]->mod_type = (char*)"zoneName";
+ tmp->attrs[4]->mod_type = zoneName;
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
if (tmp->attrs[4]->mod_values == (char **)NULL)
fatal("calloc");
- tmp->attrs[4]->mod_values[0] = gbl_zone;
+ tmp->attrs[4]->mod_values[0] = zn;
tmp->attrs[4]->mod_values[1] = NULL;
tmp->attrs[5] = NULL;
@@ -526,7 +601,7 @@ add_to_rr_list (char *dn, char *name, ch
@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type,
else
{
@ -326,7 +322,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -326,7 +322,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
{
sprintf (ldap_type_buffer, "%sRecord", type);
if (!strncmp
@@ -595,69 +670,105 @@ char **
@@ -632,44 +707,70 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
@ -336,17 +332,19 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -336,17 +332,19 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
- char *hnamebuff;
-
- zname = strdup (hostname);
- if (zname == NULL)
- fatal("strdup");
-
- if (flags == DNS_OBJECT)
- {
+ char *hname=0L, *last=0L;
+ int hlen=strlen(hostname), zlen=(strlen(zone));
-
- if (strlen (zname) != strlen (zone))
- {
- tmp = &zname[strlen (zname) - strlen (zone)];
- *--tmp = '\0';
- hnamebuff = strdup (zname);
- if (hnamebuff == NULL)
- fatal("strdup");
- zname = ++tmp;
- }
- else
@ -366,6 +364,9 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -366,6 +364,9 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
- }
- dn_buffer[i++] = zname;
- dn_buffer[i++] = hnamebuff;
+ char *hname=0L, *last=0L;
+ int hlen=strlen(hostname), zlen=(strlen(zone));
+
+/* printf("hostname: %s zone: %s\n",hostname, zone); */
+ hname=0L;
+ if(flags == DNS_OBJECT)
@ -427,13 +428,9 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -427,13 +428,9 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
+ dn_buffer[i++] = hname;
+ dn_buffer[i++] = last;
dn_buffer[i] = NULL;
-
return dn_buffer;
}
-
/* build an sdb compatible LDAP DN from a "dc_list" (char **).
* will append dNSTTL information to each RR Record, with the
return dn_buffer;
@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
* exception of "@"/SOA. */
char *
@ -470,7 +467,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -470,7 +467,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
else
sprintf(tmp,"dc=%s,", dc_list[x]);
}
@@ -683,6 +794,7 @@ void
@@ -724,6 +833,7 @@ void
init_ldap_conn ()
{
int result;
@ -478,7 +475,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -478,7 +475,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
conn = ldap_open (ldapsystem, LDAP_PORT);
if (conn == NULL)
{
@@ -692,7 +804,7 @@ init_ldap_conn ()
@@ -733,7 +843,7 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
@ -487,7 +484,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -487,7 +484,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
}
/* Like isc_result_check, only for LDAP */
@@ -709,8 +821,6 @@ ldap_result_check (const char *msg, char
@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err)
}
}
@ -496,7 +493,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -496,7 +493,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
/* For running the ldap_info run queue. */
void
add_ldap_values (ldap_info * ldinfo)
@@ -718,14 +828,14 @@ add_ldap_values (ldap_info * ldinfo)
@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo)
int result;
char dnbuffer[1024];
@ -513,12 +510,10 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd @@ -513,12 +510,10 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd
}
@@ -736,7 +846,7 @@ void
@@ -777,5 +885,5 @@ void
usage ()
{
fprintf (stderr,
- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n"
+ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n"
"\t[-c Create LDAP Base structure][-d Debug Output (lots !)]\n "
);
}
- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
+ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
"[-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");}

107
SOURCES/bind-9.3.2b2-sdbsrc.patch

@ -1,6 +1,21 @@ @@ -1,6 +1,21 @@
--- bind-9.3.2b2/contrib/sdb/ldap/zone2ldap.c.sdbsrc 2005-08-16 00:43:03.000000000 -0400
+++ bind-9.3.2b2/contrib/sdb/ldap/zone2ldap.c 2005-11-15 12:57:44.000000000 -0500
@@ -59,16 +59,16 @@
diff --git a/contrib/sdb/bdb/bdb.c b/contrib/sdb/bdb/bdb.c
index 23594bb..b3c6619 100644
--- a/contrib/sdb/bdb/bdb.c
+++ b/contrib/sdb/bdb/bdb.c
@@ -43,7 +43,7 @@
#include <dns/lib.h>
#include <dns/ttl.h>
-#include <named/bdb.h>
+#include "bdb.h"
#include <named/globals.h>
#include <named/config.h>
diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c
index 07c89bc..23dd873 100644
--- a/contrib/sdb/ldap/zone2ldap.c
+++ b/contrib/sdb/ldap/zone2ldap.c
@@ -63,16 +63,16 @@ typedef struct LDAP_INFO
ldap_info;
/* usage Info */
@ -20,7 +35,7 @@ @@ -20,7 +35,7 @@
/* Put a hostname into a char ** array */
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
@@ -84,7 +84,7 @@
@@ -88,7 +88,7 @@ void add_to_rr_list (char *dn, char *name, char *type, char *data,
unsigned int ttl, unsigned int flags);
/* Error checking */
@ -29,7 +44,7 @@ @@ -29,7 +44,7 @@
/* Generate LDIF Format files */
void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
@@ -93,11 +93,17 @@
@@ -97,11 +97,17 @@ void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
/* head pointer to the list */
ldap_info *ldap_info_base = NULL;
@ -50,16 +65,7 @@ @@ -50,16 +65,7 @@
LDAP *conn;
unsigned int debug = 0;
@@ -106,7 +112,7 @@
#endif
int
-main (int *argc, char **argv)
+main (int argc, char **argv)
{
isc_mem_t *mctx = NULL;
isc_entropy_t *ectx = NULL;
@@ -116,7 +122,7 @@
@@ -128,7 +134,7 @@ main (int argc, char **argv)
LDAPMod *base_attrs[2];
LDAPMod base;
isc_buffer_t buff;
@ -68,7 +74,7 @@ @@ -68,7 +74,7 @@
char fullbasedn[1024];
char *ctmp;
dns_fixedname_t fixedzone, fixedname;
@@ -280,9 +286,9 @@
@@ -304,9 +310,9 @@ main (int argc, char **argv)
if ((*ctmp == ',') || (ctmp == &basedn[0]))
{
base.mod_op = LDAP_MOD_ADD;
@ -81,7 +87,7 @@ @@ -81,7 +87,7 @@
base_attrs[1] = NULL;
if (ldapbase)
@@ -337,7 +343,7 @@
@@ -363,7 +369,7 @@ main (int argc, char **argv)
* I should probably rename this function, as not to cause any
* confusion with the isc* routines. Will exit on error. */
void
@ -90,17 +96,16 @@ @@ -90,17 +96,16 @@
{
if (res != ISC_R_SUCCESS)
{
@@ -449,7 +455,7 @@
exit (-1);
}
@@ -470,20 +476,20 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs == (LDAPMod **) NULL)
fatal("calloc");
- for (i = 0; i < flags; i++)
+ for (i = 0; i < (int)flags; i++)
{
tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
if (tmp->attrs[i] == (LDAPMod *) NULL)
@@ -459,13 +465,13 @@
}
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[0]->mod_type = "objectClass";
@ -116,7 +121,7 @@ @@ -116,7 +121,7 @@
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
@@ -474,7 +480,7 @@
@@ -492,7 +498,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
@ -125,8 +130,8 @@ @@ -125,8 +130,8 @@
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -496,7 +502,7 @@
tmp->attrs[2]->mod_values[1] = NULL;
@@ -521,7 +527,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[3]->mod_type = "dNSTTL";
@ -134,16 +139,16 @@ @@ -134,16 +139,16 @@
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -507,7 +513,7 @@
tmp->attrs[3]->mod_values[1] = NULL;
@@ -535,7 +541,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[4]->mod_type = "zoneName";
+ tmp->attrs[4]->mod_type = (char*)"zoneName";
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
tmp->attrs[4]->mod_values[0] = gbl_zone;
tmp->attrs[4]->mod_values[1] = NULL;
@@ -607,7 +613,7 @@
if (tmp->attrs[4]->mod_values == (char **)NULL)
@@ -648,7 +654,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
zname = ++tmp;
}
else
@ -152,7 +157,7 @@ @@ -152,7 +157,7 @@
}
else
{
@@ -686,12 +692,12 @@
@@ -727,12 +733,12 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
@ -167,30 +172,10 @@ @@ -167,30 +172,10 @@
{
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
{
@@ -730,5 +736,8 @@
usage ()
{
fprintf (stderr,
- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]
- [-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");}
+ "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n"
+ "\t[-c Create LDAP Base structure][-d Debug Output (lots !)]\n "
+ );
+}
+
--- bind-9.3.2b2/contrib/sdb/bdb/bdb.c.sdbsrc 2002-07-02 00:45:34.000000000 -0400
+++ bind-9.3.2b2/contrib/sdb/bdb/bdb.c 2005-11-15 12:57:44.000000000 -0500
@@ -43,7 +43,7 @@
#include <dns/lib.h>
#include <dns/ttl.h>
-#include <named/bdb.h>
+#include "bdb.h"
#include <named/globals.h>
#include <named/config.h>
--- bind-9.3.2b2/contrib/sdb/pgsql/pgsqldb.c.sdbsrc 2004-03-08 04:04:22.000000000 -0500
+++ bind-9.3.2b2/contrib/sdb/pgsql/pgsqldb.c 2005-11-15 12:57:44.000000000 -0500
diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c
index 50d3cba..516eb9f 100644
--- a/contrib/sdb/pgsql/pgsqldb.c
+++ b/contrib/sdb/pgsql/pgsqldb.c
@@ -23,7 +23,7 @@
#include <string.h>
#include <stdlib.h>
@ -200,8 +185,10 @@ @@ -200,8 +185,10 @@
#include <isc/mem.h>
#include <isc/print.h>
--- bind-9.3.2b2/contrib/sdb/pgsql/zonetodb.c.sdbsrc 2005-09-05 22:12:40.000000000 -0400
+++ bind-9.3.2b2/contrib/sdb/pgsql/zonetodb.c 2005-11-15 12:58:12.000000000 -0500
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
index b8f5912..ff2d135 100644
--- a/contrib/sdb/pgsql/zonetodb.c
+++ b/contrib/sdb/pgsql/zonetodb.c
@@ -37,7 +37,7 @@
#include <dns/rdatatype.h>
#include <dns/result.h>
@ -211,7 +198,7 @@ @@ -211,7 +198,7 @@
/*
* Generate a PostgreSQL table from a zone.
@@ -54,6 +54,9 @@
@@ -54,6 +54,9 @@ char *dbname, *dbtable;
char str[10240];
void
@ -221,7 +208,7 @@ @@ -221,7 +208,7 @@
closeandexit(int status) {
if (conn != NULL)
PQfinish(conn);
@@ -61,6 +64,9 @@
@@ -61,6 +64,9 @@ closeandexit(int status) {
}
void
@ -231,7 +218,7 @@ @@ -231,7 +218,7 @@
check_result(isc_result_t result, const char *message) {
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "%s: %s\n", message,
@@ -84,7 +90,8 @@
@@ -84,7 +90,8 @@ quotestring(const unsigned char *source, unsigned char *dest) {
}
*dest++ = 0;
}

75
SOURCES/bind-9.5-dlz-64bit.patch

@ -1,6 +1,7 @@ @@ -1,6 +1,7 @@
diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/config.dlz.in
--- bind-9.9.0/contrib/dlz/config.dlz.in.64bit 2011-11-05 06:14:28.000000000 +0100
+++ bind-9.9.0/contrib/dlz/config.dlz.in 2012-04-24 14:52:08.398511143 +0200
diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
index 47525af..eefe3c3 100644
--- a/contrib/dlz/config.dlz.in
+++ b/contrib/dlz/config.dlz.in
@@ -17,6 +17,13 @@
#
dlzdir='${DLZ_DRIVER_DIR}'
@ -15,33 +16,19 @@ diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/confi @@ -15,33 +16,19 @@ diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/confi
#
# Private autoconf macro to simplify configuring drivers:
#
@@ -135,9 +142,9 @@ then
then
use_dlz_mysql=$d
mysql_include=$d/include/mysql
- if test -d $d/lib/mysql
+ if test -d $d/${target_lib}/mysql
then
- mysql_lib=$d/lib/mysql
+ mysql_lib=$d/${target_lib}/mysql
else
mysql_lib=$d/lib
fi
@@ -274,11 +281,11 @@ case "$use_dlz_bdb" in
bdb_libnames="db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
- if test -f "$dd/lib/lib${d}.so"
+ if test -f "$dd/${target_lib}/lib${d}.so"
then
if test "$dd" != "/usr"
@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
then
- dlz_bdb_libs="-L${dd}/lib "
+ dlz_bdb_libs="-L${dd}/${target_lib} "
else
dlz_bdb_libs=""
break
fi
@@ -383,7 +390,7 @@ case "$use_dlz_ldap" in
- elif test -f "$dd/lib/lib${d}.so"
+ elif test -f "$dd/${target_lib}/lib${d}.so"
then
- dlz_bdb_libs="-L${dd}/lib -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
break
fi
done
@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
*)
DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
[-I$use_dlz_ldap/include],
@ -50,21 +37,17 @@ diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/confi @@ -50,21 +37,17 @@ diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/confi
AC_MSG_RESULT(
[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
@@ -407,7 +414,7 @@ then
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
then
use_dlz_odbc=$d
break
@@ -427,7 +434,7 @@ case "$use_dlz_odbc" in
*)
DLZ_ADD_DRIVER(ODBC, dlz_odbc_driver,
[-I$use_dlz_odbc/include],
- [-L$use_dlz_odbc/lib -lodbc])
+ [-L$use_dlz_odbc/${target_lib} -lodbc])
AC_MSG_RESULT([using ODBC from $use_dlz_odbc])
;;
@@ -432,11 +439,11 @@ then
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
then
use_dlz_odbc=$d
dlz_odbc_include="-I$use_dlz_odbc/include"
- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
break
fi
done

34
SOURCES/bind-9.9.1-P2-dlz-libdb.patch

@ -1,26 +1,30 @@ @@ -1,26 +1,30 @@
diff -up bind-9.9.4/contrib/dlz/config.dlz.in.libdb bind-9.9.4/contrib/dlz/config.dlz.in
--- bind-9.9.4/contrib/dlz/config.dlz.in.libdb 2014-01-06 13:24:24.669256364 +0100
+++ bind-9.9.4/contrib/dlz/config.dlz.in 2014-01-06 13:26:29.861420493 +0100
@@ -257,7 +257,7 @@ case "$use_dlz_bdb" in
diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
+++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
# Check other locations for includes.
# Order is important (sigh).
- bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/"
+ bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb/ /db/"
for d in $bdb_incdirs
- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
# include a blank element first
for d in "" $bdb_incdirs
do
if test -f "$dd/include${d}db.h"
@@ -283,13 +283,7 @@ case "$use_dlz_bdb" in
@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
if test -f "$dd/${target_lib}/lib${d}.so"
- if test "$dd" = "/usr"
+ if test -f "$dd/${target_lib}/lib${d}.so"
then
- if test "$dd" != "/usr"
- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
- if test $dlz_bdb_libs != "yes"
- then
- dlz_bdb_libs="-L${dd}/${target_lib} "
- else
- dlz_bdb_libs=""
- break
- fi
- dlz_bdb_libs="${dlz_bdb_libs}-l${d}"
- elif test -f "$dd/${target_lib}/lib${d}.so"
- then
- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
break
fi

65
SOURCES/bind-9.9.1-P2-multlib-conflict.patch

@ -1,8 +1,9 @@ @@ -1,8 +1,9 @@
diff -up bind-9.9.3rc2/config.h.in.multlib-conflict bind-9.9.3rc2/config.h.in
--- bind-9.9.3rc2/config.h.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/config.h.in 2013-05-13 12:10:22.514870894 +0200
@@ -416,7 +416,7 @@ int sigwait(const unsigned int *set, int
#undef PORT_NONBLOCK
diff --git a/config.h.in b/config.h.in
index e1364dd921..1dc65cfb21 100644
--- a/config.h.in
+++ b/config.h.in
@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig);
#undef PREFER_GOSTASN1
/* The size of `void *', as computed by sizeof. */
-#undef SIZEOF_VOID_P
@ -10,24 +11,42 @@ diff -up bind-9.9.3rc2/config.h.in.multlib-conflict bind-9.9.3rc2/config.h.in @@ -10,24 +11,42 @@ diff -up bind-9.9.3rc2/config.h.in.multlib-conflict bind-9.9.3rc2/config.h.in
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
diff -up bind-9.9.3rc2/configure.in.multlib-conflict bind-9.9.3rc2/configure.in
--- bind-9.9.3rc2/configure.in.multlib-conflict 2013-05-13 12:10:22.481870901 +0200
+++ bind-9.9.3rc2/configure.in 2013-05-13 12:10:22.515870894 +0200
@@ -2251,7 +2251,9 @@ int getnameinfo(const struct sockaddr *,
size_t, char *, size_t, int);],
diff --git a/configure.in b/configure.in
index 73b1c8ccbb..129fc3f311 100644
--- a/configure.in
+++ b/configure.in
@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([
#include <sys/socket.h>
#include <netdb.h>
int getnameinfo(const struct sockaddr *, socklen_t, char *,
- socklen_t, char *, socklen_t, unsigned int);],
+ socklen_t, char *, socklen_t, int);],
[ return (0);],
[AC_MSG_RESULT(size_t for buflen; int for flags)
- AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
+ # Changed to solve multilib conflict on Fedora
+ #AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
+ AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)],
- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
+ [AC_MSG_RESULT(socklen_t for buflen; int for flags)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t,
[Define to the sockaddr length type used by getnameinfo(3).])
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
[Define to the buffer length type used by getnameinfo(3).])
- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int,
[Define to the flags type used by getnameinfo(3).])],
[AC_TRY_COMPILE([
#include <sys/types.h>
@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *,
[AC_MSG_RESULT(not match any subspecies; assume standard definition)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t)
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-config.sh.in
--- bind-9.9.3rc2/isc-config.sh.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/isc-config.sh.in 2013-05-13 12:26:40.258698745 +0200
@@ -21,7 +21,18 @@ prefix=@prefix@
-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])])
+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])])
#
# ...and same for gai_strerror().
diff --git a/isc-config.sh.in b/isc-config.sh.in
index a8a0a89e88..b5e94ed13e 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -13,7 +13,18 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
@ -47,9 +66,9 @@ diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-confi @@ -47,9 +66,9 @@ diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-confi
usage()
{
@@ -133,6 +144,16 @@ if test x"$echo_libs" = x"true"; then
@@ -132,6 +143,16 @@ if test x"$echo_libs" = x"true"; then
if test x"${exec_prefix_set}" = x"true"; then
includes="-L${exec_prefix}/lib"
libs="-L${exec_prefix}/lib"
else
+ if [ ! -x $libdir/libisc.so ] ; then
+ if [ ! -x $sec_libdir/libisc.so ] ; then
@ -63,4 +82,4 @@ diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-confi @@ -63,4 +82,4 @@ diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-confi
+ fi
libs="-L${libdir}"
fi
if test x"$liblwres" = x"true" ; then
if test x"$libirs" = x"true" ; then

18
SOURCES/bind-95-rh452060.patch

@ -1,10 +1,12 @@ @@ -1,10 +1,12 @@
diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost.c
--- bind-9.5.0-P2/bin/dig/dighost.c.rh452060 2008-12-01 22:30:01.000000000 +0100
+++ bind-9.5.0-P2/bin/dig/dighost.c 2008-12-01 22:30:07.000000000 +0100
@@ -1280,6 +1280,12 @@ clear_query(dig_query_t *query) {
debug("clear_query(%p)", query);
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index f657c30..ff9a2d2 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
if (query->timer != NULL)
isc_timer_detach(&query->timer);
+
+ if (query->waiting_senddone) {
+ debug("send_done not yet called");
+ query->pending_free = ISC_TRUE;
@ -14,7 +16,7 @@ diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost. @@ -14,7 +16,7 @@ diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost.
lookup = query->lookup;
if (lookup->current_query == query)
@@ -1301,10 +1307,7 @@ clear_query(dig_query_t *query) {
@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
@ -26,7 +28,7 @@ diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost. @@ -26,7 +28,7 @@ diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost.
}
/*%
@@ -2175,9 +2178,9 @@ send_done(isc_task_t *_task, isc_event_t
@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
isc_event_free(&event);
if (query->pending_free)

10
SOURCES/bind93-rh726120.patch

@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
From 23c33ea76e916cc16e354faa218b6a0ca6385d00 Mon Sep 17 00:00:00 2001
From 976b84dced599a74348834e11bcc3fec67a99387 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 5 Dec 2017 16:33:08 +0100
Subject: [PATCH] Fix bug #726120
@ -8,11 +8,11 @@ Subject: [PATCH] Fix bug #726120 @@ -8,11 +8,11 @@ Subject: [PATCH] Fix bug #726120
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 42a2fe2..3a066c6 100644
index 97ca54e71..eb66793a4 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -3416,7 +3416,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
return;
@@ -4107,7 +4107,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
}
}
if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
- (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
@ -22,5 +22,5 @@ index 42a2fe2..3a066c6 100644 @@ -22,5 +22,5 @@ index 42a2fe2..3a066c6 100644
dig_query_t *next = ISC_LIST_NEXT(query, link);
if (l->current_query == query)
--
2.9.5
2.20.1


41
SOURCES/bind97-rh478718.patch

@ -1,7 +1,8 @@ @@ -1,7 +1,8 @@
diff -up bind-9.7.0/configure.in.rh478718 bind-9.7.0/configure.in
--- bind-9.7.0/configure.in.rh478718 2010-03-01 14:50:02.331207076 +0100
+++ bind-9.7.0/configure.in 2010-03-01 14:50:21.501207488 +0100
@@ -2540,6 +2540,10 @@ main() {
diff --git a/configure.in b/configure.in
index 896e81c1ce..73b1c8ccbb 100644
--- a/configure.in
+++ b/configure.in
@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then
AC_MSG_RESULT($arch)
fi
@ -9,22 +10,42 @@ diff -up bind-9.7.0/configure.in.rh478718 bind-9.7.0/configure.in @@ -9,22 +10,42 @@ diff -up bind-9.7.0/configure.in.rh478718 bind-9.7.0/configure.in
+ AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!])
+fi
+
if test "$have_atomic" = "yes"; then
if test "yes" = "$have_atomic"; then
AC_MSG_CHECKING([compiler support for inline assembly code])
diff -up bind-9.7.0/lib/isc/include/isc/platform.h.in.rh478718 bind-9.7.0/lib/isc/include/isc/platform.h.in
--- bind-9.7.0/lib/isc/include/isc/platform.h.in.rh478718 2010-03-01 14:50:31.421207522 +0100
+++ bind-9.7.0/lib/isc/include/isc/platform.h.in 2010-03-01 14:50:40.313707286 +0100
@@ -255,7 +255,11 @@
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index 2ff522342f..58df86adb3 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -289,19 +289,25 @@
* If the "xaddq" operation (64bit xadd) is available on this architecture,
* ISC_PLATFORM_HAVEXADDQ will be defined.
*/
-@ISC_PLATFORM_HAVEXADDQ@
/*
- * If the 32-bit "atomic swap" operation is available on this
- * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
+ * If the 64-bit "atomic swap" operation is available on this
+ * architecture, ISC_PLATFORM_HAVEATOMICSTOREQ" will be defined.
*/
-@ISC_PLATFORM_HAVEATOMICSTORE@
+
+#ifdef __x86_64__
+#define ISC_PLATFORM_HAVEXADDQ 1
+#define ISC_PLATFORM_HAVEATOMICSTOREQ 1
+#else
+#undef ISC_PLATFORM_HAVEXADDQ
+#undef ISC_PLATFORM_HAVEATOMICSTOREQ
+#endif
/*
* If the "atomic swap" operation is available on this architecture,
- * If the 64-bit "atomic swap" operation is available on this
+ * If the 32-bit "atomic swap" operation is available on this
* architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
*/
-@ISC_PLATFORM_HAVEATOMICSTOREQ@
+@ISC_PLATFORM_HAVEATOMICSTORE@
/*
* If the "compare-and-exchange" operation is available on this architecture,

22
SOURCES/bind99-rh640538.patch

@ -1,11 +1,12 @@ @@ -1,11 +1,12 @@
diff -up bind-9.9.2/bin/dig/dig.docbook.rh640538 bind-9.9.2/bin/dig/dig.docbook
--- bind-9.9.2/bin/dig/dig.docbook.rh640538 2012-09-27 02:35:19.000000000 +0200
+++ bind-9.9.2/bin/dig/dig.docbook 2012-11-12 14:47:17.385334972 +0100
@@ -961,6 +961,40 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
</refsect1>
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 1079421..f11abd1 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1177,6 +1177,39 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</para>
</refsection>
<refsect1>
+ <title>RETURN CODES</title>
+ <refsection><info><title>RETURN CODES</title></info>
+ <para>
+ <command>Dig</command> return codes are:
+ <variablelist>
@ -36,9 +37,8 @@ diff -up bind-9.9.2/bin/dig/dig.docbook.rh640538 bind-9.9.2/bin/dig/dig.docbook @@ -36,9 +37,8 @@ diff -up bind-9.9.2/bin/dig/dig.docbook.rh640538 bind-9.9.2/bin/dig/dig.docbook
+ </varlistentry>
+ </variablelist>
+ </para>
+ </refsect1>
+ </refsection>
+
+ <refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
</para>

4
SOURCES/named-chroot-setup.service

@ -8,5 +8,5 @@ After=named-setup-rndc.service @@ -8,5 +8,5 @@ After=named-setup-rndc.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files

23
SOURCES/named-chroot.files

@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
# Configuration of files used in chroot
# Following files are made available after named-chroot.service start
# if they are missing or empty in target directory.
/etc/localtime
/etc/named.root.key
/etc/named.conf
/etc/named.rfc1912.zones
/etc/rndc.conf
/etc/rndc.key
/etc/named.iscdlv.key
/etc/crypto-policies/back-ends/bind.config
/etc/protocols
/etc/services
/etc/named.dnssec.keys
/etc/pki/dnssec-keys
/etc/named
/usr/lib64/bind
/usr/lib/bind
/run/named
# Warning: the order is important
# If a directory containing $ROOTDIR is listed here,
# it MUST be listed last. (/var/named contains /var/named/chroot)
/var/named

4
SOURCES/named-sdb-chroot-setup.service

@ -8,5 +8,5 @@ After=named-setup-rndc.service @@ -8,5 +8,5 @@ After=named-setup-rndc.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on /etc/named-chroot.files
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off /etc/named-chroot.files

2
SOURCES/named.conf

@ -36,7 +36,7 @@ options { @@ -36,7 +36,7 @@ options {
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
bindkeys-file "/etc/named.root.key";

managed-keys-directory "/var/named/dynamic";


4
SOURCES/named.conf.sample

@ -86,7 +86,7 @@ logging @@ -86,7 +86,7 @@ logging
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
};

/*
@ -171,7 +171,7 @@ view "internal" @@ -171,7 +171,7 @@ view "internal"
allow-update { key ddns_key; };
file "dynamic/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so named can update them
};
};
};

key ddns_key

53
SOURCES/setup-named-chroot.sh

@ -3,26 +3,22 @@ @@ -3,26 +3,22 @@
# Warning: the order is important
# If a directory containing $ROOTDIR is listed here,
# it MUST be listed last. (/var/named contains /var/named/chroot)
ROOTDIR_MOUNT='/etc/localtime /etc/named /etc/pki/dnssec-keys /etc/named.root.key /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key /etc/named.iscdlv.key /etc/protocols /etc/services
/usr/lib64/bind /usr/lib/bind /run/named
/var/named'
ROOTDIR="$1"
CONFIG_FILES="${3:-/etc/named-chroot.files}"

usage()
{
echo
echo 'This script setups chroot environment for BIND'
echo 'Usage: setup-named-chroot.sh ROOTDIR [on|off]'
echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
}

if ! [ "$#" -eq 2 ]; then
if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
echo 'Wrong number of arguments'
usage
exit 1
fi

ROOTDIR="$1"

# Exit if ROOTDIR doesn't exist
if ! [ -d "$ROOTDIR" ]; then
echo "Root directory $ROOTDIR doesn't exist"
@ -30,10 +26,47 @@ if ! [ -d "$ROOTDIR" ]; then @@ -30,10 +26,47 @@ if ! [ -d "$ROOTDIR" ]; then
exit 1
fi

if ! [ -r "$CONFIG_FILES" ]; then
echo "Files list $CONFIG_FILES doesn't exist" 2>&1
usage
exit 1
fi

dev_create()
{
DEVNAME="$ROOTDIR/dev/$1"
shift
if ! [ -e "$DEVNAME" ]; then
/bin/mknod -m 0664 "$DEVNAME" $@
/bin/chgrp named "$DEVNAME"
if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
/usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
fi
fi
}

dev_chroot_prep()
{
dev_create random c 1 8
dev_create zero c 1 5
dev_create null c 1 3
}

files_comment_filter()
{
if [ -d "$1" ]; then
grep -v '^[[:space:]]*#' "$1"/*.files
else
grep -v '^[[:space:]]*#' "$1"
fi
}

mount_chroot_conf()
{
if [ -n "$ROOTDIR" ]; then
for all in $ROOTDIR_MOUNT; do
# Check devices are prepared
dev_chroot_prep
files_comment_filter "$CONFIG_FILES" | while read -r all; do
# Skip nonexistant files
[ -e "$all" ] || continue

@ -58,7 +91,7 @@ mount_chroot_conf() @@ -58,7 +91,7 @@ mount_chroot_conf()
umount_chroot_conf()
{
if [ -n "$ROOTDIR" ]; then
for all in $ROOTDIR_MOUNT; do
files_comment_filter "$CONFIG_FILES" | while read -r all; do
# Check if file is mount target. Do not use /proc/mounts because detecting
# of modified mounted files can fail.
if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then

55
SOURCES/setup-named-softhsm.sh

@ -0,0 +1,55 @@ @@ -0,0 +1,55 @@
#!/bin/sh
#
# This script will initialise token storage of softhsm PKCS11 provider
# in custom location. Is useful to store tokens in non-standard location.

SOFTHSM2_CONF="$1"
TOKENPATH="$2"
GROUPNAME="$3"
# Do not use this script for real keys worth protection
# This is intended for crypto accelerators using PKCS11 interface.
# Uninitialized token would fail any crypto operation.
PIN=1234

set -e

if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
echo "Usage: $0 <config file> <token directory> [group]" >&2
exit 1
fi

if ! [ -f "$SOFTHSM2_CONF" ]; then
cat << SED > "$SOFTHSM2_CONF"
# SoftHSM v2 configuration file

directories.tokendir = ${TOKENPATH}
objectstore.backend = file

# ERROR, WARNING, INFO, DEBUG
log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
SED
else
echo "Config file $SOFTHSM2_CONF already exists" >&2
fi

[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"

export SOFTHSM2_CONF

if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
then
echo "Token in ${TOKENPATH} is already initialized" >&2
else
echo "Initializing tokens to ${TOKENPATH}..."
softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN

if [ -n "$GROUPNAME" ]; then
chgrp -R -- "$GROUPNAME" "$TOKENPATH"
chmod -R -- g=rX,o= "$TOKENPATH"
fi
fi

echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""

1116
SPECS/bind.spec

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save