webbuilder_pel7ppc64lebuilder0
5 years ago
43 changed files with 8269 additions and 688 deletions
@@ -0,0 +1,620 @@
|
||||
diff --git a/bin/Makefile.in b/bin/Makefile.in |
||||
index f0c504a..ce7a2da 100644 |
||||
--- a/bin/Makefile.in |
||||
+++ b/bin/Makefile.in |
||||
@@ -11,8 +11,8 @@ srcdir = @srcdir@ |
||||
VPATH = @srcdir@ |
||||
top_srcdir = @top_srcdir@ |
||||
|
||||
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \ |
||||
- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests |
||||
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ |
||||
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests |
||||
TARGETS = |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in |
||||
index 1d0c4ce..7b7f89b 100644 |
||||
--- a/bin/dnssec-pkcs11/Makefile.in |
||||
+++ b/bin/dnssec-pkcs11/Makefile.in |
||||
@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@ |
||||
|
||||
@BIND9_MAKE_INCLUDES@ |
||||
|
||||
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ |
||||
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} |
||||
|
||||
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ |
||||
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" |
||||
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" |
||||
CWARNINGS = |
||||
|
||||
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ |
||||
-ISCLIBS = ../../lib/isc/libisc.@A@ |
||||
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ |
||||
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ |
||||
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ |
||||
|
||||
-DNSDEPLIBS = ../../lib/dns/libdns.@A@ |
||||
-ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ |
||||
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
|
||||
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} |
||||
|
||||
@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ |
||||
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ |
||||
|
||||
# Alphabetically |
||||
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \ |
||||
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ |
||||
- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \ |
||||
- dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@ |
||||
+TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \ |
||||
+ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \ |
||||
+ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \ |
||||
+ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@ |
||||
|
||||
OBJS = dnssectool.@O@ |
||||
|
||||
@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
|
||||
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c |
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ |
||||
-c ${srcdir}/dnssec-signzone.c |
||||
|
||||
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c |
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ |
||||
-c ${srcdir}/dnssec-verify.c |
||||
|
||||
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ |
||||
dnssec-revoke.@O@ ${OBJS} ${LIBS} |
||||
|
||||
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ |
||||
dnssec-settime.@O@ ${OBJS} ${LIBS} |
||||
|
||||
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ |
||||
dnssec-importkey.@O@ ${OBJS} ${LIBS} |
||||
|
||||
@@ -108,16 +108,14 @@ docclean manclean maintainer-clean:: |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
install-man8: ${MANPAGES} |
||||
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 |
||||
|
||||
-install:: ${TARGETS} installdirs install-man8 |
||||
+install:: ${TARGETS} installdirs |
||||
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done |
||||
|
||||
uninstall:: |
||||
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done |
||||
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done |
||||
|
||||
clean distclean:: |
||||
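Review bot: `install-man8: ${MANPAGES}` is kept although `install::` no longer depends on it and `installdirs` no longer creates `${DESTDIR}${mandir}/man8`, so the target is unreachable from the normal flow and fails on a fresh `DESTDIR` if run by hand. Since the pkcs11 tools share their page names with `bin/dnssec`, either drop the rule or add a one-line comment above `install::` such as `# man pages are installed by bin/dnssec; the -pkcs11 tools share the same page names`, so the omission reads as deliberate rather than forgotten. The `@@ -61,15 +61,15 @@` hunk renames only the link targets while the object names (`dnssec-keygen.@O@`, `dnssectool.@O@`, ...) stay, which is fine only because this directory is a separate copy of `bin/dnssec` (both files show the same pre-image `index 1d0c4ce..`); a comment at the top of the file stating that the sources are a copy kept in sync with `bin/dnssec` would help the next person who patches one and not the other.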
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in |
||||
index 1d0c4ce..11538cf 100644 |
||||
--- a/bin/dnssec/Makefile.in |
||||
+++ b/bin/dnssec/Makefile.in |
||||
@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@ |
||||
|
||||
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ |
||||
|
||||
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ |
||||
+CDEFINES = -DVERSION=\"${VERSION}\" \ |
||||
@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" |
||||
CWARNINGS = |
||||
|
||||
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in |
||||
index d92bc9a..a8c42a4 100644 |
||||
--- a/bin/named-pkcs11/Makefile.in |
||||
+++ b/bin/named-pkcs11/Makefile.in |
||||
@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ |
||||
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ |
||||
|
||||
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ |
||||
- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ |
||||
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ |
||||
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ |
||||
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ |
||||
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ |
||||
|
||||
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ |
||||
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ |
||||
|
||||
CWARNINGS = |
||||
|
||||
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ |
||||
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ |
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ |
||||
ISCCCLIBS = ../../lib/isccc/libisccc.@A@ |
||||
-ISCLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ |
||||
LWRESLIBS = ../../lib/lwres/liblwres.@A@ |
||||
BIND9LIBS = ../../lib/bind9/libbind9.@A@ |
||||
|
||||
-DNSDEPLIBS = ../../lib/dns/libdns.@A@ |
||||
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ |
||||
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ |
||||
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ |
||||
-ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ |
||||
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ |
||||
|
||||
@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ |
||||
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ |
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
+ @LIBS@ |
||||
|
||||
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ |
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
+ @LIBS@ |
||||
|
||||
SUBDIRS = unix |
||||
|
||||
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ |
||||
+TARGETS = named-pkcs11@EXEEXT@ |
||||
|
||||
GEOIPLINKOBJS = geoip.@O@ |
||||
|
||||
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ |
||||
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ |
||||
zoneconf.@O@ \ |
||||
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ |
||||
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ |
||||
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} |
||||
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ |
||||
|
||||
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ |
||||
|
||||
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ |
||||
tkeyconf.c tsigconf.c update.c xfrout.c \ |
||||
zoneconf.c \ |
||||
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ |
||||
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ |
||||
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} |
||||
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c |
||||
|
||||
MANPAGES = named.8 lwresd.8 named.conf.5 |
||||
|
||||
@@ -146,14 +144,14 @@ server.@O@: server.c |
||||
-DPRODUCT=\"${PRODUCT}\" \ |
||||
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c |
||||
|
||||
-named@EXEEXT@: ${OBJS} ${DEPLIBS} |
||||
+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS} |
||||
export MAKE_SYMTABLE="yes"; \ |
||||
export BASEOBJS="${OBJS} ${UOBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
-lwresd@EXEEXT@: named@EXEEXT@ |
||||
+lwresd@EXEEXT@: named-pkcs11@EXEEXT@ |
||||
rm -f lwresd@EXEEXT@ |
||||
- @LN@ named@EXEEXT@ lwresd@EXEEXT@ |
||||
+ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@ |
||||
|
||||
doc man:: ${MANOBJS} |
||||
|
||||
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8 |
||||
|
||||
install-man: install-man5 install-man8 |
||||
|
||||
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} |
||||
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) |
||||
+install:: named-pkcs11@EXEEXT@ installdirs |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} |
||||
|
||||
uninstall:: |
||||
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5 |
||||
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8 |
||||
- rm -f ${DESTDIR}${mandir}/man8/named.8 |
||||
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ |
||||
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ |
||||
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ |
||||
|
||||
@DLZ_DRIVER_RULES@ |
||||
|
||||
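Review bot: `ISCNOSYMLIBS` is left at `../../lib/isc/libisc-nosymtbl.@A@` while `ISCLIBS`, `ISCDEPLIBS` and `DNSLIBS` in the same hunk are switched to the `-pkcs11` variants, so the `NOSYMLIBS` link of `named-pkcs11` mixes the OpenSSL-built libisc with `libdns-pkcs11`; the lib/isc-pkcs11 hunk later in this patch does build `libisc-pkcs11-nosymtbl.@A@`, so the line should read `ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@`. The `lwresd@EXEEXT@:` rule is kept (now depending on `named-pkcs11@EXEEXT@`) although `lwresd@EXEEXT@` was dropped from `TARGETS` and from `install::`, leaving a rule nothing builds; removing it avoids a stray `lwresd` link to the pkcs11 binary when someone invokes the target by hand. `CINCLUDES` still carries `@DST_OPENSSL_INC@` for a binary that is now meant to link the PKCS#11 libraries only, which is presumably harmless but worth a comment if it is intentional. `MANPAGES` still lists `named.8 lwresd.8 named.conf.5` although the man install was removed; a comment noting that the pages are installed by `bin/named` would make that explicit.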
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in |
||||
index d92bc9a..6d2bfd1 100644 |
||||
--- a/bin/named/Makefile.in |
||||
+++ b/bin/named/Makefile.in |
||||
@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ |
||||
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ |
||||
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ |
||||
|
||||
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ |
||||
+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ |
||||
|
||||
CWARNINGS = |
||||
|
||||
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in |
||||
index 70ee8b5..0fd8644 100644 |
||||
--- a/bin/pkcs11/Makefile.in |
||||
+++ b/bin/pkcs11/Makefile.in |
||||
@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@ |
||||
|
||||
@BIND9_MAKE_INCLUDES@ |
||||
|
||||
-CINCLUDES = ${ISC_INCLUDES} |
||||
+CINCLUDES = ${ISC_PKCS11_INCLUDES} |
||||
|
||||
CDEFINES = |
||||
|
||||
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ |
||||
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ |
||||
|
||||
-ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
|
||||
DEPLIBS = ${ISCDEPLIBS} |
||||
|
||||
diff --git a/configure.in b/configure.in |
||||
index 9a1d16d..2f13059 100644 |
||||
--- a/configure.in |
||||
+++ b/configure.in |
||||
@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI) |
||||
AC_SUBST(DST_GSSAPI_INC) |
||||
AC_SUBST(DNS_GSSAPI_LIBS) |
||||
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" |
||||
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" |
||||
|
||||
# |
||||
# Applications linking with libdns also need to link with these libraries. |
||||
# |
||||
|
||||
AC_SUBST(DNS_CRYPTO_LIBS) |
||||
+AC_SUBST(DNS_CRYPTO_PK11_LIBS) |
||||
|
||||
# |
||||
# was --with-randomdev specified? |
||||
@@ -1554,11 +1556,11 @@ fi |
||||
AC_MSG_CHECKING(for OpenSSL library) |
||||
OPENSSL_WARNING= |
||||
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" |
||||
-if test "yes" = "$want_native_pkcs11" |
||||
-then |
||||
- use_openssl="native_pkcs11" |
||||
- AC_MSG_RESULT(use of native PKCS11 instead) |
||||
-fi |
||||
+# if test "yes" = "$want_native_pkcs11" |
||||
+# then |
||||
+# use_openssl="native_pkcs11" |
||||
+# AC_MSG_RESULT(use of native PKCS11 instead) |
||||
+# fi |
||||
|
||||
if test "auto" = "$use_openssl" |
||||
then |
||||
@@ -1571,6 +1573,7 @@ then |
||||
fi |
||||
done |
||||
fi |
||||
+CRYPTO_PK11="" |
||||
OPENSSL_ECDSA="" |
||||
OPENSSL_GOST="" |
||||
OPENSSL_ED25519="" |
||||
@@ -1592,11 +1595,10 @@ case "$with_gost" in |
||||
;; |
||||
esac |
||||
|
||||
-case "$use_openssl" in |
||||
- native_pkcs11) |
||||
- AC_MSG_RESULT(disabled because of native PKCS11) |
||||
+if test "$want_native_pkcs11" = "yes" |
||||
+then |
||||
DST_OPENSSL_INC="" |
||||
- CRYPTO="-DPKCS11CRYPTO" |
||||
+ CRYPTO_PK11="-DPKCS11CRYPTO" |
||||
OPENSSLECDSALINKOBJS="" |
||||
OPENSSLECDSALINKSRCS="" |
||||
OPENSSLEDDSALINKOBJS="" |
||||
@@ -1605,7 +1607,9 @@ case "$use_openssl" in |
||||
OPENSSLGOSTLINKSRCS="" |
||||
OPENSSLLINKOBJS="" |
||||
OPENSSLLINKSRCS="" |
||||
- ;; |
||||
+fi |
||||
+ |
||||
+case "$use_openssl" in |
||||
no) |
||||
AC_MSG_RESULT(no) |
||||
DST_OPENSSL_INC="" |
||||
@@ -1635,11 +1639,11 @@ case "$use_openssl" in |
||||
If you don't want OpenSSL, use --without-openssl]) |
||||
;; |
||||
*) |
||||
- if test "yes" = "$want_native_pkcs11" |
||||
- then |
||||
- AC_MSG_RESULT() |
||||
- AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) |
||||
- fi |
||||
+ # if test "yes" = "$want_native_pkcs11" |
||||
+ # then |
||||
+ # AC_MSG_RESULT() |
||||
+ # AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) |
||||
+ # fi |
||||
if test "yes" = "$use_openssl" |
||||
then |
||||
# User did not specify a path - guess it |
||||
@@ -2062,6 +2066,7 @@ AC_SUBST(OPENSSL_ED25519) |
||||
AC_SUBST(OPENSSL_GOST) |
||||
|
||||
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" |
||||
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS" |
||||
|
||||
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" |
||||
if test "yes" = "$with_aes" |
||||
@@ -2381,6 +2386,7 @@ esac |
||||
AC_SUBST(PKCS11LINKOBJS) |
||||
AC_SUBST(PKCS11LINKSRCS) |
||||
AC_SUBST(CRYPTO) |
||||
+AC_SUBST(CRYPTO_PK11) |
||||
AC_SUBST(PKCS11_ECDSA) |
||||
AC_SUBST(PKCS11_GOST) |
||||
AC_SUBST(PKCS11_ED25519) |
||||
@@ -5434,8 +5440,11 @@ AC_CONFIG_FILES([ |
||||
bin/delv/Makefile |
||||
bin/dig/Makefile |
||||
bin/dnssec/Makefile |
||||
+ bin/dnssec-pkcs11/Makefile |
||||
bin/named/Makefile |
||||
bin/named/unix/Makefile |
||||
+ bin/named-pkcs11/Makefile |
||||
+ bin/named-pkcs11/unix/Makefile |
||||
bin/nsupdate/Makefile |
||||
bin/pkcs11/Makefile |
||||
bin/python/Makefile |
||||
@@ -5509,6 +5518,10 @@ AC_CONFIG_FILES([ |
||||
lib/dns/include/dns/Makefile |
||||
lib/dns/include/dst/Makefile |
||||
lib/dns/tests/Makefile |
||||
+ lib/dns-pkcs11/Makefile |
||||
+ lib/dns-pkcs11/include/Makefile |
||||
+ lib/dns-pkcs11/include/dns/Makefile |
||||
+ lib/dns-pkcs11/include/dst/Makefile |
||||
lib/irs/Makefile |
||||
lib/irs/include/Makefile |
||||
lib/irs/include/irs/Makefile |
||||
@@ -5533,6 +5546,24 @@ AC_CONFIG_FILES([ |
||||
lib/isc/unix/include/Makefile |
||||
lib/isc/unix/include/isc/Makefile |
||||
lib/isc/unix/include/pkcs11/Makefile |
||||
+ lib/isc-pkcs11/$arch/Makefile |
||||
+ lib/isc-pkcs11/$arch/include/Makefile |
||||
+ lib/isc-pkcs11/$arch/include/isc/Makefile |
||||
+ lib/isc-pkcs11/$thread_dir/Makefile |
||||
+ lib/isc-pkcs11/$thread_dir/include/Makefile |
||||
+ lib/isc-pkcs11/$thread_dir/include/isc/Makefile |
||||
+ lib/isc-pkcs11/Makefile |
||||
+ lib/isc-pkcs11/include/Makefile |
||||
+ lib/isc-pkcs11/include/isc/Makefile |
||||
+ lib/isc-pkcs11/include/isc/platform.h |
||||
+ lib/isc-pkcs11/include/pk11/Makefile |
||||
+ lib/isc-pkcs11/include/pkcs11/Makefile |
||||
+ lib/isc-pkcs11/tests/Makefile |
||||
+ lib/isc-pkcs11/nls/Makefile |
||||
+ lib/isc-pkcs11/unix/Makefile |
||||
+ lib/isc-pkcs11/unix/include/Makefile |
||||
+ lib/isc-pkcs11/unix/include/isc/Makefile |
||||
+ lib/isc-pkcs11/unix/include/pkcs11/Makefile |
||||
lib/isccc/Makefile |
||||
lib/isccc/include/Makefile |
||||
lib/isccc/include/isccc/Makefile |
||||
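Review bot: `DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"` in the `@@ -2062` hunk overwrites the value assembled in the `@@ -1164` hunk (`DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"`), and at that point `DNS_CRYPTO_LIBS` already includes `$DST_OPENSSL_LIBS`, so `libdns-pkcs11.la` (linked with `@DNS_CRYPTO_PK11_LIBS@` in the lib/dns-pkcs11 hunk) is linked against OpenSSL as well; if a PKCS#11-only libdns is the goal, the later assignment should be built from the GSSAPI libs without `$DST_OPENSSL_LIBS`, and if OpenSSL is needed there anyway, the earlier assignment is dead and should go. The `use_openssl="native_pkcs11"` override and the `OpenSSL and native PKCS11 cannot be used together` check are commented out rather than deleted; dead shell in configure.in is a maintenance trap and the history is in git, so remove the `# if test ...` blocks. Nothing in these hunks ties `CRYPTO_PK11` to the new subdirectories: without `--enable-native-pkcs11` it stays `""`, yet `bin/Makefile.in` and `lib/Makefile.in` now always descend into the `-pkcs11` directories, so as far as these hunks show those trees would compile with neither `-DPKCS11CRYPTO` nor the OpenSSL definitions; either substitute a variable that gates the subdirs or fail with `AC_MSG_ERROR` when the option is absent.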
diff --git a/lib/Makefile.in b/lib/Makefile.in |
||||
index 81270a0..bcb5312 100644 |
||||
--- a/lib/Makefile.in |
||||
+++ b/lib/Makefile.in |
||||
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ |
||||
# Attempt to disable parallel processing. |
||||
.NOTPARALLEL: |
||||
.NO_PARALLEL: |
||||
-SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples |
||||
+SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples |
||||
TARGETS = |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in |
||||
index 4a8549e..6a19906 100644 |
||||
--- a/lib/dns-pkcs11/Makefile.in |
||||
+++ b/lib/dns-pkcs11/Makefile.in |
||||
@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@ |
||||
|
||||
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ |
||||
|
||||
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ |
||||
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ |
||||
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ |
||||
+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ |
||||
|
||||
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} |
||||
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} |
||||
|
||||
CWARNINGS = |
||||
|
||||
-ISCLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
|
||||
-ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
|
||||
LIBS = @LIBS@ |
||||
|
||||
@@ -146,15 +146,15 @@ version.@O@: version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libdns.@SA@: ${OBJS} |
||||
+libdns-pkcs11.@SA@: ${OBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libdns.la: ${OBJS} |
||||
+libdns-pkcs11.la: ${OBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} |
||||
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} |
||||
|
||||
include: gen |
||||
${MAKE} include/dns/enumtype.h |
||||
@@ -180,25 +180,25 @@ code.h: gen |
||||
./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; } |
||||
|
||||
gen: gen.c |
||||
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \ |
||||
+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \ |
||||
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS} |
||||
|
||||
-timestamp: include libdns.@A@ |
||||
+timestamp: include libdns-pkcs11.@A@ |
||||
touch timestamp |
||||
|
||||
-testdirs: libdns.@A@ |
||||
+testdirs: libdns-pkcs11.@A@ |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} |
||||
|
||||
uninstall:: |
||||
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ |
||||
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@ |
||||
|
||||
clean distclean:: |
||||
- rm -f libdns.@A@ timestamp |
||||
+ rm -f libdns-pkcs11.@A@ timestamp |
||||
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h |
||||
rm -f include/dns/rdatastruct.h |
||||
rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h |
||||
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in |
||||
index ba53ef1..d1f1771 100644 |
||||
--- a/lib/isc-pkcs11/Makefile.in |
||||
+++ b/lib/isc-pkcs11/Makefile.in |
||||
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \ |
||||
-I${srcdir}/@ISC_THREAD_DIR@/include \ |
||||
-I${srcdir}/@ISC_ARCH_DIR@/include \ |
||||
-I./include \ |
||||
- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@ |
||||
-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" |
||||
+ -I${srcdir}/include ${DNS_PKCS11_INCLUDES} |
||||
+CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" |
||||
CWARNINGS = |
||||
|
||||
# Alphabetically |
||||
@@ -107,40 +107,40 @@ version.@O@: version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libisc.@SA@: ${OBJS} ${SYMTBLOBJS} |
||||
+libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libisc-nosymtbl.@SA@: ${OBJS} |
||||
+libisc-pkcs11-nosymtbl.@SA@: ${OBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libisc.la: ${OBJS} ${SYMTBLOBJS} |
||||
+libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} ${SYMTBLOBJS} ${LIBS} |
||||
|
||||
-libisc-nosymtbl.la: ${OBJS} |
||||
+libisc-pkcs11-nosymtbl.la: ${OBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} ${LIBS} |
||||
|
||||
-timestamp: libisc.@A@ libisc-nosymtbl.@A@ |
||||
+timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ |
||||
touch timestamp |
||||
|
||||
-testdirs: libisc.@A@ libisc-nosymtbl.@A@ |
||||
+testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir} |
||||
|
||||
uninstall:: |
||||
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@ |
||||
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@ |
||||
|
||||
clean distclean:: |
||||
- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \ |
||||
- libisc-nosymtbl.la timestamp |
||||
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \ |
||||
+ libisc-pkcs11-nosymtbl.la timestamp |
||||
diff --git a/make/includes.in b/make/includes.in |
||||
index fa86ad1..3cfbe9f 100644 |
||||
--- a/make/includes.in |
||||
+++ b/make/includes.in |
||||
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ |
||||
|
||||
TEST_INCLUDES = \ |
||||
-I${top_srcdir}/lib/tests/include |
||||
+ |
||||
+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11 \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11/include \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11/unix/include \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include |
||||
+ |
||||
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \ |
||||
+ -I${top_srcdir}/lib/dns-pkcs11/include |
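Review bot: `ISC_PKCS11_INCLUDES` starts with `@BIND9_ISC_BUILDINCLUDE@` and `DNS_PKCS11_INCLUDES` with `@BIND9_DNS_BUILDINCLUDE@`, the same substitutions the non-pkcs11 `ISC_INCLUDES`/`DNS_INCLUDES` use; if those expand to the build tree's `lib/isc/include` / `lib/dns/include` (as their names suggest — not visible here), the pkcs11 objects would find the OpenSSL variant's generated `isc/platform.h` and `dns` headers before `lib/isc-pkcs11/include`, even though configure now generates `lib/isc-pkcs11/include/isc/platform.h` separately. Either add matching substitutions for the pkcs11 build-include directories in configure.in (e.g. a new `BIND9_ISC_PKCS11_BUILDINCLUDE`) or drop the build-include prefix from these two variables. A comment above the block such as `# Include paths for the PKCS#11 variants of libisc/libdns (lib/*-pkcs11); keep in sync with ISC_INCLUDES/DNS_INCLUDES above` would document why a second set exists.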
@@ -0,0 +1,309 @@
|
||||
diff --git a/bin/Makefile.in b/bin/Makefile.in |
||||
index ce7a2da..4e6a824 100644 |
||||
--- a/bin/Makefile.in |
||||
+++ b/bin/Makefile.in |
||||
@@ -11,8 +11,8 @@ srcdir = @srcdir@ |
||||
VPATH = @srcdir@ |
||||
top_srcdir = @top_srcdir@ |
||||
|
||||
-SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ |
||||
- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests |
||||
+SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ |
||||
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests |
||||
TARGETS = |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in |
||||
index 6d2bfd1..d3f42e8 100644 |
||||
--- a/bin/named-sdb/Makefile.in |
||||
+++ b/bin/named-sdb/Makefile.in |
||||
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@ |
||||
# |
||||
# Add database drivers here. |
||||
# |
||||
-DBDRIVER_OBJS = |
||||
-DBDRIVER_SRCS = |
||||
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@ |
||||
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c |
||||
DBDRIVER_INCLUDES = |
||||
-DBDRIVER_LIBS = |
||||
+DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq |
||||
|
||||
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers |
||||
|
||||
@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
|
||||
SUBDIRS = unix |
||||
|
||||
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ |
||||
+TARGETS = named-sdb@EXEEXT@ |
||||
|
||||
GEOIPLINKOBJS = geoip.@O@ |
||||
|
||||
@@ -146,7 +146,7 @@ server.@O@: server.c |
||||
-DPRODUCT=\"${PRODUCT}\" \ |
||||
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c |
||||
|
||||
-named@EXEEXT@: ${OBJS} ${DEPLIBS} |
||||
+named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS} |
||||
export MAKE_SYMTABLE="yes"; \ |
||||
export BASEOBJS="${OBJS} ${UOBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 |
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
install-man5: named.conf.5 |
||||
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5 |
||||
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8 |
||||
|
||||
install-man: install-man5 install-man8 |
||||
|
||||
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} |
||||
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) |
||||
+install:: ${TARGETS} installdirs |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir} |
||||
|
||||
uninstall:: |
||||
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5 |
||||
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8 |
||||
- rm -f ${DESTDIR}${mandir}/man8/named.8 |
||||
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ |
||||
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ |
||||
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@ |
||||
|
||||
@DLZ_DRIVER_RULES@ |
||||
|
||||
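Review bot: `DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq` hard-codes the link libraries and `DBDRIVER_INCLUDES` stays empty, so there is no configure-time check that the LDAP, SQLite and PostgreSQL headers and libraries are present and no way to pass non-default include paths; since `bin/Makefile.in` now descends into `named-sdb` unconditionally, a host without those dev packages fails mid-build instead of at configure. Prefer `@`-substituted variables set by configure — the file already uses `@DLZ_DRIVER_LIBS@`/`@DLZ_DRIVER_INCLUDES@` for exactly this — or at least a comment naming the required packages above the assignment. `install::` depends on `${TARGETS}` but installs the literal `named-sdb@EXEEXT@`; using the same `for t in ${TARGETS}` loop as bin/dnssec-pkcs11 keeps the two in step if `TARGETS` ever grows. The `installdirs` hunk drops the `man5`/`man8` directory creation while `install-man5`/`install-man8` remain and would fail on a fresh `DESTDIR` if invoked directly, so either remove them or keep the `mkinstalldirs` lines.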
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c |
||||
index bb639d9..555c4d9 100644 |
||||
--- a/bin/named-sdb/main.c |
||||
+++ b/bin/named-sdb/main.c |
||||
@@ -91,6 +91,10 @@ |
||||
* Include header files for database drivers here. |
||||
*/ |
||||
/* #include "xxdb.h" */ |
||||
+#include "ldapdb.h" |
||||
+#include "pgsqldb.h" |
||||
+#include "sqlitedb.h" |
||||
+#include "dirdb.h" |
||||
|
||||
#ifdef CONTRIB_DLZ |
||||
/* |
||||
@@ -1061,6 +1065,11 @@ setup(void) { |
||||
ns_main_earlyfatal("isc_app_start() failed: %s", |
||||
isc_result_totext(result)); |
||||
|
||||
+ ldapdb_clear(); |
||||
+ pgsqldb_clear(); |
||||
+ dirdb_clear(); |
||||
+ sqlitedb_clear(); |
||||
+ |
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>", |
||||
ns_g_product, ns_g_version, |
||||
@@ -1261,6 +1270,75 @@ setup(void) { |
||||
isc_result_totext(result)); |
||||
#endif |
||||
|
||||
+ result = ldapdb_init(); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ { |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB ldap module initialisation failed: %s.", |
||||
+ isc_result_totext(result) |
||||
+ ); |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB ldap zone database will be unavailable." |
||||
+ ); |
||||
+ }else |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_NOTICE, "SDB ldap zone database module loaded." |
||||
+ ); |
||||
+ |
||||
+ result = pgsqldb_init(); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ { |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB pgsql module initialisation failed: %s.", |
||||
+ isc_result_totext(result) |
||||
+ ); |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB pgsql zone database will be unavailable." |
||||
+ ); |
||||
+ }else |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded." |
||||
+ ); |
||||
+ |
||||
+ result = sqlitedb_init(); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ { |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB sqlite3 module initialisation failed: %s.", |
||||
+ isc_result_totext(result) |
||||
+ ); |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB sqlite3 zone database will be unavailable." |
||||
+ ); |
||||
+ }else |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded." |
||||
+ ); |
||||
+ |
||||
+ result = dirdb_init(); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ { |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB directory DB module initialisation failed: %s.", |
||||
+ isc_result_totext(result) |
||||
+ ); |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB directory DB zone database will be unavailable." |
||||
+ ); |
||||
+ }else |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded." |
||||
+ ); |
||||
+ |
||||
+ |
||||
ns_server_create(ns_g_mctx, &ns_g_server); |
||||
|
||||
#ifdef HAVE_LIBSECCOMP |
||||
@@ -1303,6 +1381,11 @@ cleanup(void) { |
||||
|
||||
dns_name_destroy(); |
||||
|
||||
+ ldapdb_clear(); |
||||
+ pgsqldb_clear(); |
||||
+ sqlitedb_clear(); |
||||
+ dirdb_clear(); |
||||
+ |
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
ISC_LOG_NOTICE, "exiting"); |
||||
ns_log_shutdown(); |
||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in |
||||
index 6d2bfd1..86f8587 100644 |
||||
--- a/bin/named/Makefile.in |
||||
+++ b/bin/named/Makefile.in |
||||
@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ |
||||
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ |
||||
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ |
||||
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ |
||||
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ |
||||
+ @DST_OPENSSL_INC@ |
||||
|
||||
-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ |
||||
+CDEFINES = @CRYPTO@ |
||||
|
||||
CWARNINGS = |
||||
|
||||
@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ |
||||
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ |
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
+ @LIBS@ |
||||
|
||||
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ |
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
+ @LIBS@ |
||||
|
||||
SUBDIRS = unix |
||||
|
||||
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ |
||||
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ |
||||
zoneconf.@O@ \ |
||||
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ |
||||
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ |
||||
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} |
||||
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ |
||||
|
||||
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ |
||||
|
||||
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ |
||||
tkeyconf.c tsigconf.c update.c xfrout.c \ |
||||
zoneconf.c \ |
||||
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ |
||||
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ |
||||
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} |
||||
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c |
||||
|
||||
MANPAGES = named.8 lwresd.8 named.conf.5 |
||||
|
||||
@@ -195,7 +193,5 @@ uninstall:: |
||||
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ |
||||
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ |
||||
|
||||
-@DLZ_DRIVER_RULES@ |
||||
- |
||||
named-symtbl.@O@: named-symtbl.c |
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c |
||||
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in |
||||
index c7e0868..95ab742 100644 |
||||
--- a/bin/sdb_tools/Makefile.in |
||||
+++ b/bin/sdb_tools/Makefile.in |
||||
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ |
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
|
||||
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ |
||||
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ |
||||
|
||||
-OBJS = zone2ldap.@O@ zonetodb.@O@ |
||||
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ |
||||
|
||||
-SRCS = zone2ldap.c zonetodb.c |
||||
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c |
||||
|
||||
MANPAGES = zone2ldap.1 |
||||
|
||||
@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS} |
||||
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} |
||||
|
||||
+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} |
||||
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} |
||||
+ |
||||
clean distclean manclean maintainer-clean:: |
||||
rm -f ${TARGETS} ${OBJS} |
||||
|
||||
@@ -60,4 +63,5 @@ installdirs: |
||||
install:: ${TARGETS} installdirs |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 |
||||
diff --git a/configure.in b/configure.in |
||||
index 62536a6..f571a4f 100644 |
||||
--- a/configure.in |
||||
+++ b/configure.in |
||||
@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([ |
||||
bin/named/unix/Makefile |
||||
bin/named-pkcs11/Makefile |
||||
bin/named-pkcs11/unix/Makefile |
||||
+ bin/named-sdb/Makefile |
||||
+ bin/named-sdb/unix/Makefile |
||||
bin/nsupdate/Makefile |
||||
bin/pkcs11/Makefile |
||||
bin/python/Makefile |
||||
@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([ |
||||
bin/python/isc/tests/dnskey_test.py |
||||
bin/python/isc/tests/policy_test.py |
||||
bin/rndc/Makefile |
||||
+ bin/sdb_tools/Makefile |
||||
bin/tests/Makefile |
||||
bin/tests/headerdep_test.sh |
||||
bin/tests/optional/Makefile |
@@ -0,0 +1,18 @@
||||
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c |
||||
index d56bc56..99c3314 100644 |
||||
--- a/bin/sdb_tools/zone2ldap.c |
||||
+++ b/bin/sdb_tools/zone2ldap.c |
||||
@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone) |
||||
} |
||||
|
||||
|
||||
- strlcat (dn, tmp, sizeof (dn)); |
||||
+ strncat (dn, tmp, sizeof (dn) - strlen (dn)); |
||||
} |
||||
|
||||
sprintf (tmp, "dc=%s", dc_list[0]); |
||||
- strlcat (dn, tmp, sizeof (dn)); |
||||
+ strncat (dn, tmp, sizeof (dn) - strlen (dn)); |
||||
|
||||
fflush(NULL); |
||||
return dn; |
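Review bot: Both `strncat` replacements in `build_dn_from_dc_list` leave room for a one-byte overflow: `strncat(dst, src, n)` copies up to n bytes and then always writes a terminating NUL, so the bound has to reserve that byte — `strncat (dn, tmp, sizeof (dn) - strlen (dn) - 1);` on both changed lines. The `strlcat` calls being removed truncated safely within `sizeof (dn)`, so as written the patch trades a bounded call for one that can write past the buffer when the assembled DN fills it; if the reason for the swap is a libc without `strlcat`, I believe BIND's own `isc/string.h` already supplies a fallback, which would avoid the change entirely. This assumes `dn` is a fixed-size array declared in this function (otherwise `sizeof (dn)` is a pointer size); the function's declaration and the rest of its body are outside the hunk, so that could not be confirmed here. The adjacent unbounded `sprintf (tmp, "dc=%s", dc_list[0])` is pre-existing and not touched by this change.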
@@ -0,0 +1,131 @@
||||
From 94e08314024c812063bf99bd191a46265a2ba49f Mon Sep 17 00:00:00 2001 |
||||
From: Petr Mensik <pemensik@redhat.com> |
||||
Date: Wed, 24 Apr 2019 21:10:26 +0200 |
||||
Subject: [PATCH] Missing atomic fix to original CVE patch |
||||
|
||||
--- |
||||
bin/named/client.c | 18 +++++++----------- |
||||
bin/named/include/named/interfacemgr.h | 5 +++-- |
||||
bin/named/interfacemgr.c | 7 +++++-- |
||||
3 files changed, 15 insertions(+), 15 deletions(-) |
||||
|
||||
diff --git a/bin/named/client.c b/bin/named/client.c |
||||
index 3ada6e9..d3bf47d 100644 |
||||
--- a/bin/named/client.c |
||||
+++ b/bin/named/client.c |
||||
@@ -405,12 +405,10 @@ tcpconn_detach(ns_client_t *client) { |
||||
static void |
||||
mark_tcp_active(ns_client_t *client, isc_boolean_t active) { |
||||
if (active && !client->tcpactive) { |
||||
- isc_atomic_xadd(&client->interface->ntcpactive, 1); |
||||
+ isc_refcount_increment0(&client->interface->ntcpactive, NULL); |
||||
client->tcpactive = active; |
||||
} else if (!active && client->tcpactive) { |
||||
- uint32_t old = |
||||
- isc_atomic_xadd(&client->interface->ntcpactive, -1); |
||||
- INSIST(old > 0); |
||||
+ isc_refcount_decrement(&client->interface->ntcpactive, NULL); |
||||
client->tcpactive = active; |
||||
} |
||||
} |
||||
@@ -557,7 +555,7 @@ exit_check(ns_client_t *client) { |
||||
if (client->mortal && TCP_CLIENT(client) && |
||||
client->newstate != NS_CLIENTSTATE_FREED && |
||||
!ns_g_clienttest && |
||||
- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) |
||||
+ isc_refcount_current(&client->interface->ntcpaccepting) == 0) |
||||
{ |
||||
/* Nobody else is accepting */ |
||||
client->mortal = ISC_FALSE; |
||||
@@ -3321,7 +3319,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) { |
||||
isc_result_t result; |
||||
ns_client_t *client = event->ev_arg; |
||||
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; |
||||
- uint32_t old; |
||||
|
||||
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); |
||||
REQUIRE(NS_CLIENT_VALID(client)); |
||||
@@ -3341,8 +3338,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { |
||||
INSIST(client->naccepts == 1); |
||||
client->naccepts--; |
||||
|
||||
- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); |
||||
- INSIST(old > 0); |
||||
+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL); |
||||
|
||||
/* |
||||
* We must take ownership of the new socket before the exit |
||||
@@ -3473,8 +3469,8 @@ client_accept(ns_client_t *client) { |
||||
* quota is tcp-clients plus the number of listening |
||||
* interfaces plus 1.) |
||||
*/ |
||||
- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > |
||||
- (client->tcpactive ? 1 : 0)); |
||||
+ exit = (isc_refcount_current(&client->interface->ntcpactive) > |
||||
+ (client->tcpactive ? 1U : 0U)); |
||||
if (exit) { |
||||
client->newstate = NS_CLIENTSTATE_INACTIVE; |
||||
(void)exit_check(client); |
||||
@@ -3532,7 +3528,7 @@ client_accept(ns_client_t *client) { |
||||
* listening for connections itself to prevent the interface |
||||
* going dead. |
||||
*/ |
||||
- isc_atomic_xadd(&client->interface->ntcpaccepting, 1); |
||||
+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL); |
||||
} |
||||
|
||||
static void |
||||
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h |
||||
index d9ac90f..aa21049 100644 |
||||
--- a/bin/named/include/named/interfacemgr.h |
||||
+++ b/bin/named/include/named/interfacemgr.h |
||||
@@ -43,6 +43,7 @@ |
||||
#include <isc/magic.h> |
||||
#include <isc/mem.h> |
||||
#include <isc/socket.h> |
||||
+#include <isc/refcount.h> |
||||
|
||||
#include <dns/result.h> |
||||
|
||||
@@ -73,11 +74,11 @@ struct ns_interface { |
||||
/*%< UDP dispatchers. */ |
||||
isc_socket_t * tcpsocket; /*%< TCP socket. */ |
||||
isc_dscp_t dscp; /*%< "listen-on" DSCP value */ |
||||
- int32_t ntcpaccepting; /*%< Number of clients |
||||
+ isc_refcount_t ntcpaccepting; /*%< Number of clients |
||||
ready to accept new |
||||
TCP connections on this |
||||
interface */ |
||||
- int32_t ntcpactive; /*%< Number of clients |
||||
+ isc_refcount_t ntcpactive; /*%< Number of clients |
||||
servicing TCP queries |
||||
(whether accepting or |
||||
connected) */ |
||||
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c |
||||
index 96c080b..2ce97bb 100644 |
||||
--- a/bin/named/interfacemgr.c |
||||
+++ b/bin/named/interfacemgr.c |
||||
@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, |
||||
* connections will be handled in parallel even though there is |
||||
* only one client initially. |
||||
*/ |
||||
- ifp->ntcpaccepting = 0; |
||||
- ifp->ntcpactive = 0; |
||||
+ isc_refcount_init(&ifp->ntcpaccepting, 0); |
||||
+ isc_refcount_init(&ifp->ntcpactive, 0); |
||||
|
||||
ifp->nudpdispatch = 0; |
||||
|
||||
@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp) { |
||||
|
||||
ns_interfacemgr_detach(&ifp->mgr); |
||||
|
||||
+ isc_refcount_destroy(&ifp->ntcpactive); |
||||
+ isc_refcount_destroy(&ifp->ntcpaccepting); |
||||
+ |
||||
ifp->magic = 0; |
||||
isc_mem_put(mctx, ifp, sizeof(*ifp)); |
||||
} |
||||
-- |
||||
2.20.1 |
||||
|
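Review bot: The decrements in `mark_tcp_active` and `client_newconn` drop the explicit `INSIST(old > 0)` underflow check that accompanied the `isc_atomic_xadd` versions; whether an underflow of `ntcpactive`/`ntcpaccepting` is still caught now depends on `isc_refcount_decrement` asserting on a zero prior count, which I believe the 9.11 implementation does but which is no longer visible at the call site. A one-line comment at the first decrement, `/* isc_refcount_decrement() REQUIREs a non-zero prior count; replaces INSIST(old > 0) */`, would keep that invariant documented once confirmed against isc/refcount.h. The new `isc_refcount_destroy()` calls in `ns_interface_destroy` likewise (I believe) require the count to be zero, so an interface torn down while a client still has `tcpactive` set will now abort named instead of silently leaking a counter — a reasonable hardening of the CVE-2018-5743 accounting, but worth stating in the patch description. Minor: the added `#include <isc/refcount.h>` in interfacemgr.h breaks the alphabetical order of the neighbouring includes and belongs before `<isc/socket.h>`.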
@@ -0,0 +1,868 @@
||||
From b2929ff50a7676563177bc52a372ddcae48cb002 Mon Sep 17 00:00:00 2001 |
||||
From: Petr Mensik <pemensik@redhat.com> |
||||
Date: Wed, 24 Apr 2019 20:09:07 +0200 |
||||
Subject: [PATCH] 5200. [security] tcp-clients settings could be |
||||
exceeded in some cases, which could lead to |
||||
exhaustion of file descriptors. (CVE-2018-5743) [GL |
||||
#615] |
||||
|
||||
--- |
||||
bin/named/client.c | 421 +++++++++++++++++++------ |
||||
bin/named/include/named/client.h | 13 +- |
||||
bin/named/include/named/interfacemgr.h | 13 +- |
||||
bin/named/interfacemgr.c | 9 +- |
||||
lib/isc/include/isc/quota.h | 7 + |
||||
lib/isc/quota.c | 33 +- |
||||
6 files changed, 385 insertions(+), 111 deletions(-) |
||||
|
||||
diff --git a/bin/named/client.c b/bin/named/client.c |
||||
index b7d8a98..e1acaf1 100644 |
||||
--- a/bin/named/client.c |
||||
+++ b/bin/named/client.c |
||||
@@ -243,7 +243,7 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason); |
||||
static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, |
||||
dns_dispatch_t *disp, isc_boolean_t tcp); |
||||
static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, |
||||
- isc_socket_t *sock); |
||||
+ isc_socket_t *sock, ns_client_t *oldclient); |
||||
static inline isc_boolean_t |
||||
allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr, |
||||
isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl); |
||||
@@ -295,6 +295,119 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) { |
||||
} |
||||
} |
||||
|
||||
+/*% |
||||
+ * Allocate a reference-counted object that will maintain a single pointer to |
||||
+ * the (also reference-counted) TCP client quota, shared between all the |
||||
+ * clients processing queries on a single TCP connection, so that all |
||||
+ * clients sharing the one socket will together consume only one slot in |
||||
+ * the 'tcp-clients' quota. |
||||
+ */ |
||||
+static isc_result_t |
||||
+tcpconn_init(ns_client_t *client, isc_boolean_t force) { |
||||
+ isc_result_t result; |
||||
+ isc_quota_t *quota = NULL; |
||||
+ ns_tcpconn_t *tconn = NULL; |
||||
+ |
||||
+ REQUIRE(client->tcpconn == NULL); |
||||
+ |
||||
+ /* |
||||
+ * Try to attach to the quota first, so we won't pointlessly |
||||
+ * allocate memory for a tcpconn object if we can't get one. |
||||
+ */ |
||||
+ if (force) { |
||||
+ result = isc_quota_force(&ns_g_server->tcpquota, "a); |
||||
+ } else { |
||||
+ result = isc_quota_attach(&ns_g_server->tcpquota, "a); |
||||
+ } |
||||
+ if (result != ISC_R_SUCCESS) { |
||||
+ return (result); |
||||
+ } |
||||
+ |
||||
+ /* |
||||
+ * A global memory context is used for the allocation as different |
||||
+ * client structures may have different memory contexts assigned and a |
||||
+ * reference counter allocated here might need to be freed by a |
||||
+ * different client. The performance impact caused by memory context |
||||
+ * contention here is expected to be negligible, given that this code |
||||
+ * is only executed for TCP connections. |
||||
+ */ |
||||
+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn)); |
||||
+ |
||||
+ isc_refcount_init(&tconn->refs, 1); |
||||
+ tconn->tcpquota = quota; |
||||
+ quota = NULL; |
||||
+ tconn->pipelined = ISC_FALSE; |
||||
+ |
||||
+ client->tcpconn = tconn; |
||||
+ |
||||
+ return (ISC_R_SUCCESS); |
||||
+} |
||||
+ |
||||
+/*% |
||||
+ * Increase the count of client structures sharing the TCP connection |
||||
+ * that 'source' is associated with; add a pointer to the same tcpconn |
||||
+ * to 'target', thus associating it with the same TCP connection. |
||||
+ */ |
||||
+static void |
||||
+tcpconn_attach(ns_client_t *source, ns_client_t *target) { |
||||
+ int refs; |
||||
+ |
||||
+ REQUIRE(source->tcpconn != NULL); |
||||
+ REQUIRE(target->tcpconn == NULL); |
||||
+ REQUIRE(source->tcpconn->pipelined); |
||||
+ |
||||
+ isc_refcount_increment(&source->tcpconn->refs, &refs); |
||||
+ INSIST(refs > 1); |
||||
+ target->tcpconn = source->tcpconn; |
||||
+} |
||||
+ |
||||
+/*% |
||||
+ * Decrease the count of client structures sharing the TCP connection that |
||||
+ * 'client' is associated with. If this is the last client using this TCP |
||||
+ * connection, we detach from the TCP quota and free the tcpconn |
||||
+ * object. Either way, client->tcpconn is set to NULL. |
||||
+ */ |
||||
+static void |
||||
+tcpconn_detach(ns_client_t *client) { |
||||
+ ns_tcpconn_t *tconn = NULL; |
||||
+ int refs; |
||||
+ |
||||
+ REQUIRE(client->tcpconn != NULL); |
||||
+ |
||||
+ tconn = client->tcpconn; |
||||
+ client->tcpconn = NULL; |
||||
+ |
||||
+ isc_refcount_decrement(&tconn->refs, &refs); |
||||
+ if (refs == 0) { |
||||
+ isc_quota_detach(&tconn->tcpquota); |
||||
+ isc_mem_free(ns_g_mctx, tconn); |
||||
+ } |
||||
+} |
||||
+ |
||||
+/*% |
||||
+ * Mark a client as active and increment the interface's 'ntcpactive' |
||||
+ * counter, as a signal that there is at least one client servicing |
||||
+ * TCP queries for the interface. If we reach the TCP client quota at |
||||
+ * some point, this will be used to determine whether a quota overrun |
||||
+ * should be permitted. |
||||
+ * |
||||
+ * Marking the client active with the 'tcpactive' flag ensures proper |
||||
+ * accounting, by preventing us from incrementing or decrementing |
||||
+ * 'ntcpactive' more than once per client. |
||||
+ */ |
||||
+static void |
||||
+mark_tcp_active(ns_client_t *client, isc_boolean_t active) { |
||||
+ if (active && !client->tcpactive) { |
||||
+ isc_atomic_xadd(&client->interface->ntcpactive, 1); |
||||
+ client->tcpactive = active; |
||||
+ } else if (!active && client->tcpactive) { |
||||
+ uint32_t old = |
||||
+ isc_atomic_xadd(&client->interface->ntcpactive, -1); |
||||
+ INSIST(old > 0); |
||||
+ client->tcpactive = active; |
||||
+ } |
||||
+} |
||||
+ |
||||
/*% |
||||
* Check for a deactivation or shutdown request and take appropriate |
||||
* action. Returns ISC_TRUE if either is in progress; in this case |
||||
@@ -384,7 +497,8 @@ exit_check(ns_client_t *client) { |
||||
INSIST(client->recursionquota == NULL); |
||||
|
||||
if (NS_CLIENTSTATE_READING == client->newstate) { |
||||
- if (!client->pipelined) { |
||||
+ INSIST(client->tcpconn != NULL); |
||||
+ if (!client->tcpconn->pipelined) { |
||||
client_read(client); |
||||
client->newstate = NS_CLIENTSTATE_MAX; |
||||
return (ISC_TRUE); /* We're done. */ |
||||
@@ -402,10 +516,13 @@ exit_check(ns_client_t *client) { |
||||
*/ |
||||
INSIST(client->recursionquota == NULL); |
||||
INSIST(client->newstate <= NS_CLIENTSTATE_READY); |
||||
- if (client->nreads > 0) |
||||
+ |
||||
+ if (client->nreads > 0) { |
||||
dns_tcpmsg_cancelread(&client->tcpmsg); |
||||
- if (client->nreads != 0) { |
||||
- /* Still waiting for read cancel completion. */ |
||||
+ } |
||||
+ |
||||
+ /* Still waiting for read cancel completion. */ |
||||
+ if (client->nreads > 0) { |
||||
return (ISC_TRUE); |
||||
} |
||||
|
||||
@@ -413,14 +530,49 @@ exit_check(ns_client_t *client) { |
||||
dns_tcpmsg_invalidate(&client->tcpmsg); |
||||
client->tcpmsg_valid = ISC_FALSE; |
||||
} |
||||
+ |
||||
+ /* |
||||
+ * Soon the client will be ready to accept a new TCP |
||||
+ * connection or UDP request, but we may have enough |
||||
+ * clients doing that already. Check whether this client |
||||
+ * needs to remain active and allow it go inactive if |
||||
+ * not. |
||||
+ * |
||||
+ * UDP clients always go inactive at this point, but a TCP |
||||
+ * client may need to stay active and return to READY |
||||
+ * state if no other clients are available to listen |
||||
+ * for TCP requests on this interface. |
||||
+ * |
||||
+ * Regardless, if we're going to FREED state, that means |
||||
+ * the system is shutting down and we don't need to |
||||
+ * retain clients. |
||||
+ */ |
||||
+ if (client->mortal && TCP_CLIENT(client) && |
||||
+ client->newstate != NS_CLIENTSTATE_FREED && |
||||
+ !ns_g_clienttest && |
||||
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) |
||||
+ { |
||||
+ /* Nobody else is accepting */ |
||||
+ client->mortal = ISC_FALSE; |
||||
+ client->newstate = NS_CLIENTSTATE_READY; |
||||
+ } |
||||
+ |
||||
+ /* |
||||
+ * Detach from TCP connection and TCP client quota, |
||||
+ * if appropriate. If this is the last reference to |
||||
+ * the TCP connection in our pipeline group, the |
||||
+ * TCP quota slot will be released. |
||||
+ */ |
||||
+ if (client->tcpconn) { |
||||
+ tcpconn_detach(client); |
||||
+ } |
||||
+ |
||||
if (client->tcpsocket != NULL) { |
||||
CTRACE("closetcp"); |
||||
isc_socket_detach(&client->tcpsocket); |
||||
+ mark_tcp_active(client, ISC_FALSE); |
||||
} |
||||
|
||||
- if (client->tcpquota != NULL) |
||||
- isc_quota_detach(&client->tcpquota); |
||||
- |
||||
if (client->timerset) { |
||||
(void)isc_timer_reset(client->timer, |
||||
isc_timertype_inactive, |
||||
@@ -428,45 +580,26 @@ exit_check(ns_client_t *client) { |
||||
client->timerset = ISC_FALSE; |
||||
} |
||||
|
||||
- client->pipelined = ISC_FALSE; |
||||
- |
||||
client->peeraddr_valid = ISC_FALSE; |
||||
|
||||
client->state = NS_CLIENTSTATE_READY; |
||||
- INSIST(client->recursionquota == NULL); |
||||
- |
||||
- /* |
||||
- * Now the client is ready to accept a new TCP connection |
||||
- * or UDP request, but we may have enough clients doing |
||||
- * that already. Check whether this client needs to remain |
||||
- * active and force it to go inactive if not. |
||||
- * |
||||
- * UDP clients go inactive at this point, but TCP clients |
||||
- * may remain active if we have fewer active TCP client |
||||
- * objects than desired due to an earlier quota exhaustion. |
||||
- */ |
||||
- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) { |
||||
- LOCK(&client->interface->lock); |
||||
- if (client->interface->ntcpcurrent < |
||||
- client->interface->ntcptarget) |
||||
- client->mortal = ISC_FALSE; |
||||
- UNLOCK(&client->interface->lock); |
||||
- } |
||||
|
||||
/* |
||||
* We don't need the client; send it to the inactive |
||||
* queue for recycling. |
||||
*/ |
||||
if (client->mortal) { |
||||
- if (client->newstate > NS_CLIENTSTATE_INACTIVE) |
||||
+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) { |
||||
client->newstate = NS_CLIENTSTATE_INACTIVE; |
||||
+ } |
||||
} |
||||
|
||||
if (NS_CLIENTSTATE_READY == client->newstate) { |
||||
if (TCP_CLIENT(client)) { |
||||
client_accept(client); |
||||
- } else |
||||
+ } else { |
||||
client_udprecv(client); |
||||
+ } |
||||
client->newstate = NS_CLIENTSTATE_MAX; |
||||
return (ISC_TRUE); |
||||
} |
||||
@@ -478,41 +611,51 @@ exit_check(ns_client_t *client) { |
||||
/* |
||||
* We are trying to enter the inactive state. |
||||
*/ |
||||
- if (client->naccepts > 0) |
||||
+ if (client->naccepts > 0) { |
||||
isc_socket_cancel(client->tcplistener, client->task, |
||||
ISC_SOCKCANCEL_ACCEPT); |
||||
+ } |
||||
|
||||
/* Still waiting for accept cancel completion. */ |
||||
- if (! (client->naccepts == 0)) |
||||
+ if (client->naccepts > 0) { |
||||
return (ISC_TRUE); |
||||
+ } |
||||
|
||||
/* Accept cancel is complete. */ |
||||
- if (client->nrecvs > 0) |
||||
+ if (client->nrecvs > 0) { |
||||
isc_socket_cancel(client->udpsocket, client->task, |
||||
ISC_SOCKCANCEL_RECV); |
||||
+ } |
||||
|
||||
/* Still waiting for recv cancel completion. */ |
||||
- if (! (client->nrecvs == 0)) |
||||
+ if (client->nrecvs > 0) { |
||||
return (ISC_TRUE); |
||||
+ } |
||||
|
||||
/* Still waiting for control event to be delivered */ |
||||
- if (client->nctls > 0) |
||||
+ if (client->nctls > 0) { |
||||
return (ISC_TRUE); |
||||
- |
||||
- /* Deactivate the client. */ |
||||
- if (client->interface) |
||||
- ns_interface_detach(&client->interface); |
||||
+ } |
||||
|
||||
INSIST(client->naccepts == 0); |
||||
INSIST(client->recursionquota == NULL); |
||||
- if (client->tcplistener != NULL) |
||||
+ if (client->tcplistener != NULL) { |
||||
isc_socket_detach(&client->tcplistener); |
||||
+ mark_tcp_active(client, ISC_FALSE); |
||||
+ } |
||||
|
||||
- if (client->udpsocket != NULL) |
||||
+ if (client->udpsocket != NULL) { |
||||
isc_socket_detach(&client->udpsocket); |
||||
+ } |
||||
|
||||
- if (client->dispatch != NULL) |
||||
+ /* Deactivate the client. */ |
||||
+ if (client->interface != NULL) { |
||||
+ ns_interface_detach(&client->interface); |
||||
+ } |
||||
+ |
||||
+ if (client->dispatch != NULL) { |
||||
dns_dispatch_detach(&client->dispatch); |
||||
+ } |
||||
|
||||
client->attributes = 0; |
||||
client->mortal = ISC_FALSE; |
||||
@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) { |
||||
client->newstate = NS_CLIENTSTATE_MAX; |
||||
if (!ns_g_clienttest && manager != NULL && |
||||
!manager->exiting) |
||||
+ { |
||||
ISC_QUEUE_PUSH(manager->inactive, client, |
||||
ilink); |
||||
- if (client->needshutdown) |
||||
+ } |
||||
+ if (client->needshutdown) { |
||||
isc_task_shutdown(client->task); |
||||
+ } |
||||
return (ISC_TRUE); |
||||
} |
||||
} |
||||
@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event_t *event) { |
||||
return; |
||||
|
||||
if (TCP_CLIENT(client)) { |
||||
- if (client->pipelined) { |
||||
+ if (client->tcpconn != NULL) { |
||||
client_read(client); |
||||
} else { |
||||
client_accept(client); |
||||
@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event_t *event) { |
||||
} |
||||
} |
||||
|
||||
- |
||||
/*% |
||||
* The client's task has received a shutdown event. |
||||
*/ |
||||
@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_event_t *event) { |
||||
client->nrecvs--; |
||||
} else { |
||||
INSIST(TCP_CLIENT(client)); |
||||
+ INSIST(client->tcpconn != NULL); |
||||
REQUIRE(event->ev_type == DNS_EVENT_TCPMSG); |
||||
REQUIRE(event->ev_sender == &client->tcpmsg); |
||||
buffer = &client->tcpmsg.buffer; |
||||
@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_event_t *event) { |
||||
/* |
||||
* Pipeline TCP query processing. |
||||
*/ |
||||
- if (client->message->opcode != dns_opcode_query) |
||||
- client->pipelined = ISC_FALSE; |
||||
- if (TCP_CLIENT(client) && client->pipelined) { |
||||
- result = isc_quota_reserve(&ns_g_server->tcpquota); |
||||
- if (result == ISC_R_SUCCESS) |
||||
- result = ns_client_replace(client); |
||||
+ if (TCP_CLIENT(client) && |
||||
+ client->message->opcode != dns_opcode_query) |
||||
+ { |
||||
+ client->tcpconn->pipelined = ISC_FALSE; |
||||
+ } |
||||
+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) { |
||||
+ /* |
||||
+ * We're pipelining. Replace the client; the |
||||
+ * replacement can read the TCP socket looking |
||||
+ * for new messages and this one can process the |
||||
+ * current message asynchronously. |
||||
+ * |
||||
+ * There will now be at least three clients using this |
||||
+ * TCP socket - one accepting new connections, |
||||
+ * one reading an existing connection to get new |
||||
+ * messages, and one answering the message already |
||||
+ * received. |
||||
+ */ |
||||
+ result = ns_client_replace(client); |
||||
if (result != ISC_R_SUCCESS) { |
||||
- ns_client_log(client, NS_LOGCATEGORY_CLIENT, |
||||
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, |
||||
- "no more TCP clients(read): %s", |
||||
- isc_result_totext(result)); |
||||
- client->pipelined = ISC_FALSE; |
||||
+ client->tcpconn->pipelined = ISC_FALSE; |
||||
} |
||||
} |
||||
|
||||
@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { |
||||
client->signer = NULL; |
||||
dns_name_init(&client->signername, NULL); |
||||
client->mortal = ISC_FALSE; |
||||
- client->pipelined = ISC_FALSE; |
||||
- client->tcpquota = NULL; |
||||
+ client->tcpconn = NULL; |
||||
client->recursionquota = NULL; |
||||
client->interface = NULL; |
||||
client->peeraddr_valid = ISC_FALSE; |
||||
@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { |
||||
client->filter_aaaa = dns_aaaa_ok; |
||||
#endif |
||||
client->needshutdown = ns_g_clienttest; |
||||
+ client->tcpactive = ISC_FALSE; |
||||
|
||||
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL, |
||||
NS_EVENT_CLIENTCONTROL, client_start, client, client, |
||||
@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) { |
||||
|
||||
static void |
||||
client_newconn(isc_task_t *task, isc_event_t *event) { |
||||
+ isc_result_t result; |
||||
ns_client_t *client = event->ev_arg; |
||||
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; |
||||
- isc_result_t result; |
||||
+ uint32_t old; |
||||
|
||||
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); |
||||
REQUIRE(NS_CLIENT_VALID(client)); |
||||
@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_event_t *event) { |
||||
|
||||
INSIST(client->state == NS_CLIENTSTATE_READY); |
||||
|
||||
+ /* |
||||
+ * The accept() was successful and we're now establishing a new |
||||
+ * connection. We need to make note of it in the client and |
||||
+ * interface objects so client objects can do the right thing |
||||
+ * when going inactive in exit_check() (see comments in |
||||
+ * client_accept() for details). |
||||
+ */ |
||||
INSIST(client->naccepts == 1); |
||||
client->naccepts--; |
||||
|
||||
- LOCK(&client->interface->lock); |
||||
- INSIST(client->interface->ntcpcurrent > 0); |
||||
- client->interface->ntcpcurrent--; |
||||
- UNLOCK(&client->interface->lock); |
||||
+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); |
||||
+ INSIST(old > 0); |
||||
|
||||
/* |
||||
* We must take ownership of the new socket before the exit |
||||
@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { |
||||
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), |
||||
"accept failed: %s", |
||||
isc_result_totext(nevent->result)); |
||||
+ tcpconn_detach(client); |
||||
} |
||||
|
||||
if (exit_check(client)) |
||||
@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) { |
||||
* telnetting to port 53 (once per CPU) will |
||||
* deny service to legitimate TCP clients. |
||||
*/ |
||||
- client->pipelined = ISC_FALSE; |
||||
- result = isc_quota_attach(&ns_g_server->tcpquota, |
||||
- &client->tcpquota); |
||||
- if (result == ISC_R_SUCCESS) |
||||
- result = ns_client_replace(client); |
||||
- if (result != ISC_R_SUCCESS) { |
||||
- ns_client_log(client, NS_LOGCATEGORY_CLIENT, |
||||
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, |
||||
- "no more TCP clients(accept): %s", |
||||
- isc_result_totext(result)); |
||||
- } else if (ns_g_server->keepresporder == NULL || |
||||
- !allowed(&netaddr, NULL, NULL, 0, NULL, |
||||
- ns_g_server->keepresporder)) { |
||||
- client->pipelined = ISC_TRUE; |
||||
+ result = ns_client_replace(client); |
||||
+ if (result == ISC_R_SUCCESS && |
||||
+ (ns_g_server->keepresporder == NULL || |
||||
+ !allowed(&netaddr, NULL, NULL, 0, NULL, |
||||
+ ns_g_server->keepresporder))) |
||||
+ { |
||||
+ client->tcpconn->pipelined = ISC_TRUE; |
||||
} |
||||
|
||||
client_read(client); |
||||
@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) { |
||||
|
||||
CTRACE("accept"); |
||||
|
||||
+ /* |
||||
+ * Set up a new TCP connection. This means try to attach to the |
||||
+ * TCP client quota (tcp-clients), but fail if we're over quota. |
||||
+ */ |
||||
+ result = tcpconn_init(client, ISC_FALSE); |
||||
+ if (result != ISC_R_SUCCESS) { |
||||
+ isc_boolean_t exit; |
||||
+ |
||||
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT, |
||||
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, |
||||
+ "TCP client quota reached: %s", |
||||
+ isc_result_totext(result)); |
||||
+ |
||||
+ /* |
||||
+ * We have exceeded the system-wide TCP client quota. But, |
||||
+ * we can't just block this accept in all cases, because if |
||||
+ * we did, a heavy TCP load on other interfaces might cause |
||||
+ * this interface to be starved, with no clients able to |
||||
+ * accept new connections. |
||||
+ * |
||||
+ * So, we check here to see if any other clients are |
||||
+ * already servicing TCP queries on this interface (whether |
||||
+ * accepting, reading, or processing). If we find that at |
||||
+ * least one client other than this one is active, then |
||||
+ * it's okay *not* to call accept - we can let this |
||||
+ * client go inactive and another will take over when it's |
||||
+ * done. |
||||
+ * |
||||
+ * If there aren't enough active clients on the interface, |
||||
+ * then we can be a little bit flexible about the quota. |
||||
+ * We'll allow *one* extra client through to ensure we're |
||||
+ * listening on every interface; we do this by setting the |
||||
+ * 'force' option to tcpconn_init(). |
||||
+ * |
||||
+ * (Note: In practice this means that the real TCP client |
||||
+ * quota is tcp-clients plus the number of listening |
||||
+ * interfaces plus 1.) |
||||
+ */ |
||||
+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > |
||||
+ (client->tcpactive ? 1 : 0)); |
||||
+ if (exit) { |
||||
+ client->newstate = NS_CLIENTSTATE_INACTIVE; |
||||
+ (void)exit_check(client); |
||||
+ return; |
||||
+ } |
||||
+ |
||||
+ result = tcpconn_init(client, ISC_TRUE); |
||||
+ RUNTIME_CHECK(result == ISC_R_SUCCESS); |
||||
+ } |
||||
+ |
||||
+ /* |
||||
+ * If this client was set up using get_client() or get_worker(), |
||||
+ * then TCP is already marked active. However, if it was restarted |
||||
+ * from exit_check(), it might not be, so we take care of it now. |
||||
+ */ |
||||
+ mark_tcp_active(client, ISC_TRUE); |
||||
+ |
||||
result = isc_socket_accept(client->tcplistener, client->task, |
||||
client_newconn, client); |
||||
if (result != ISC_R_SUCCESS) { |
||||
- UNEXPECTED_ERROR(__FILE__, __LINE__, |
||||
- "isc_socket_accept() failed: %s", |
||||
- isc_result_totext(result)); |
||||
/* |
||||
* XXXRTH What should we do? We're trying to accept but |
||||
* it didn't work. If we just give up, then TCP |
||||
@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) { |
||||
* |
||||
* For now, we just go idle. |
||||
*/ |
||||
+ UNEXPECTED_ERROR(__FILE__, __LINE__, |
||||
+ "isc_socket_accept() failed: %s", |
||||
+ isc_result_totext(result)); |
||||
+ |
||||
+ tcpconn_detach(client); |
||||
+ mark_tcp_active(client, ISC_FALSE); |
||||
return; |
||||
} |
||||
+ |
||||
+ /* |
||||
+ * The client's 'naccepts' counter indicates that this client has |
||||
+ * called accept() and is waiting for a new connection. It should |
||||
+ * never exceed 1. |
||||
+ */ |
||||
INSIST(client->naccepts == 0); |
||||
client->naccepts++; |
||||
- LOCK(&client->interface->lock); |
||||
- client->interface->ntcpcurrent++; |
||||
- UNLOCK(&client->interface->lock); |
||||
+ |
||||
+ /* |
||||
+ * The interface's 'ntcpaccepting' counter is incremented when |
||||
+ * any client calls accept(), and decremented in client_newconn() |
||||
+ * once the connection is established. |
||||
+ * |
||||
+ * When the client object is shutting down after handling a TCP |
||||
+ * request (see exit_check()), if this value is at least one, that |
||||
+ * means another client has called accept() and is waiting to |
||||
+ * establish the next connection. That means the client may be |
||||
+ * be free to become inactive; otherwise it may need to start |
||||
+ * listening for connections itself to prevent the interface |
||||
+ * going dead. |
||||
+ */ |
||||
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1); |
||||
} |
||||
|
||||
static void |
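Review bot: The added comment describing ntcpaccepting has a duplicated word, `That means the client may be be free to become inactive`, and it names the decrement site in client_newconn() without saying that the increment is skipped on the accept-failure path a few lines above, where the function returns right after tcpconn_detach() and mark_tcp_active(client, ISC_FALSE). I would fix the typo and add one sentence to the comment: `It is not incremented when isc_socket_accept() fails, since that path returns before reaching this point.` The enclosing client_accept() begins outside this hunk.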
||||
@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) { |
||||
REQUIRE(client->manager != NULL); |
||||
|
||||
tcp = TCP_CLIENT(client); |
||||
- if (tcp && client->pipelined) { |
||||
+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) { |
||||
result = get_worker(client->manager, client->interface, |
||||
- client->tcpsocket); |
||||
+ client->tcpsocket, client); |
||||
} else { |
||||
result = get_client(client->manager, client->interface, |
||||
client->dispatch, tcp); |
||||
+ |
||||
} |
||||
- if (result != ISC_R_SUCCESS) |
||||
+ if (result != ISC_R_SUCCESS) { |
||||
return (result); |
||||
+ } |
||||
|
||||
/* |
||||
* The responsibility for listening for new requests is hereby |
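Review bot: The else branch now carries a stray empty line after the get_client() call, which is noise in what is otherwise a brace-style touch-up of this hunk; the same stray blank appears in the get_client() hunk below, after the isc_socket_attach() call. I would drop both so the branch reads `result = get_client(manager, client->interface, client->dispatch, tcp);` followed directly by `}`. The new condition `client->tcpconn != NULL && client->tcpconn->pipelined` is fine as written, since `&&` short-circuits before the dereference. ns_client_replace() continues past this hunk.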
||||
@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, |
||||
client->dscp = ifp->dscp; |
||||
|
||||
if (tcp) { |
||||
+ mark_tcp_active(client, ISC_TRUE); |
||||
+ |
||||
client->attributes |= NS_CLIENTATTR_TCP; |
||||
isc_socket_attach(ifp->tcpsocket, |
||||
&client->tcplistener); |
||||
+ |
||||
} else { |
||||
isc_socket_t *sock; |
||||
|
||||
@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, |
||||
} |
||||
|
||||
static isc_result_t |
||||
-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) |
||||
+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock, |
||||
+ ns_client_t *oldclient) |
||||
{ |
||||
isc_result_t result = ISC_R_SUCCESS; |
||||
isc_event_t *ev; |
||||
@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) |
||||
MTRACE("get worker"); |
||||
|
||||
REQUIRE(manager != NULL); |
||||
+ REQUIRE(oldclient != NULL); |
||||
|
||||
if (manager->exiting) |
||||
return (ISC_R_SHUTTINGDOWN); |
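Review bot: `REQUIRE(oldclient != NULL)` checks the pointer but not that oldclient actually carries a TCP connection, which the later `tcpconn_attach(oldclient, client)` in this same function appears to need; the only caller visible here, ns_client_replace(), guards on `client->tcpconn != NULL` before calling get_worker(). If tcpconn_attach() does not assert this itself (its body is not in the patch), tightening the precondition at the entry point to `REQUIRE(oldclient != NULL && oldclient->tcpconn != NULL);` documents the contract where callers will look for it. get_worker() continues past this hunk.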
||||
@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) |
||||
ns_interface_attach(ifp, &client->interface); |
||||
client->newstate = client->state = NS_CLIENTSTATE_WORKING; |
||||
INSIST(client->recursionquota == NULL); |
||||
- client->tcpquota = &ns_g_server->tcpquota; |
||||
|
||||
client->dscp = ifp->dscp; |
||||
|
||||
client->attributes |= NS_CLIENTATTR_TCP; |
||||
- client->pipelined = ISC_TRUE; |
||||
client->mortal = ISC_TRUE; |
||||
|
||||
+ tcpconn_attach(oldclient, client); |
||||
+ mark_tcp_active(client, ISC_TRUE); |
||||
+ |
||||
isc_socket_attach(ifp->tcpsocket, &client->tcplistener); |
||||
isc_socket_attach(sock, &client->tcpsocket); |
||||
isc_socket_setname(client->tcpsocket, "worker-tcp", NULL); |
||||
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h |
||||
index 262b906..0f54d22 100644 |
||||
--- a/bin/named/include/named/client.h |
||||
+++ b/bin/named/include/named/client.h |
||||
@@ -9,8 +9,6 @@ |
||||
* information regarding copyright ownership. |
||||
*/ |
||||
|
||||
-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */ |
||||
- |
||||
#ifndef NAMED_CLIENT_H |
||||
#define NAMED_CLIENT_H 1 |
||||
|
||||
@@ -77,6 +75,13 @@ |
||||
*** Types |
||||
***/ |
||||
|
||||
+/*% reference-counted TCP connection object */ |
||||
+typedef struct ns_tcpconn { |
||||
+ isc_refcount_t refs; |
||||
+ isc_quota_t *tcpquota; |
||||
+ isc_boolean_t pipelined; |
||||
+} ns_tcpconn_t; |
||||
+ |
||||
/*% nameserver client structure */ |
||||
struct ns_client { |
||||
unsigned int magic; |
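Review bot: The new ns_tcpconn struct has no per-field comments, although its neighbours in this header annotate every member with `/*%< ... */` and the `pipelined` flag it replaces was documented as `TCP queries not in sequence`. I would carry that text over and annotate the other two: `isc_refcount_t refs; /*%< clients attached to this connection */`, `isc_quota_t *tcpquota; /*%< tcp-clients quota slot held for this connection */`, `isc_boolean_t pipelined; /*%< TCP queries not in sequence */`. That the quota slot is released when the last reference goes away is what the refcount suggests, but the tcpconn_attach()/tcpconn_detach() bodies are not in this view, so confirm before stating it in the comment.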
||||
@@ -91,6 +96,7 @@ struct ns_client { |
||||
int nupdates; |
||||
int nctls; |
||||
int references; |
||||
+ isc_boolean_t tcpactive; |
||||
isc_boolean_t needshutdown; /* |
||||
* Used by clienttest to get |
||||
* the client to go from |
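Review bot: `tcpactive` is added without a comment while the fields around it are annotated; from client_accept() it is the per-client flag paired with the interface's ntcpactive counter (the quota check there subtracts `client->tcpactive ? 1 : 0`), so I would document it as `isc_boolean_t tcpactive; /*%< counted in interface->ntcpactive */`. mark_tcp_active(), which presumably maintains it, is not in this patch, so verify the wording against it.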
||||
@@ -129,8 +135,7 @@ struct ns_client { |
||||
dns_name_t signername; /*%< [T]SIG key name */ |
||||
dns_name_t * signer; /*%< NULL if not valid sig */ |
||||
isc_boolean_t mortal; /*%< Die after handling request */ |
||||
- isc_boolean_t pipelined; /*%< TCP queries not in sequence */ |
||||
- isc_quota_t *tcpquota; |
||||
+ ns_tcpconn_t *tcpconn; |
||||
isc_quota_t *recursionquota; |
||||
ns_interface_t *interface; |
||||
|
||||
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h |
||||
index 36870f3..d9ac90f 100644 |
||||
--- a/bin/named/include/named/interfacemgr.h |
||||
+++ b/bin/named/include/named/interfacemgr.h |
||||
@@ -9,8 +9,6 @@ |
||||
* information regarding copyright ownership. |
||||
*/ |
||||
|
||||
-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */ |
||||
- |
||||
#ifndef NAMED_INTERFACEMGR_H |
||||
#define NAMED_INTERFACEMGR_H 1 |
||||
|
||||
@@ -75,9 +73,14 @@ struct ns_interface { |
||||
/*%< UDP dispatchers. */ |
||||
isc_socket_t * tcpsocket; /*%< TCP socket. */ |
||||
isc_dscp_t dscp; /*%< "listen-on" DSCP value */ |
||||
- int ntcptarget; /*%< Desired number of concurrent |
||||
- TCP accepts */ |
||||
- int ntcpcurrent; /*%< Current ditto, locked */ |
||||
+ int32_t ntcpaccepting; /*%< Number of clients |
||||
+ ready to accept new |
||||
+ TCP connections on this |
||||
+ interface */ |
||||
+ int32_t ntcpactive; /*%< Number of clients |
||||
+ servicing TCP queries |
||||
+ (whether accepting or |
||||
+ connected) */ |
||||
int nudpdispatch; /*%< Number of UDP dispatches */ |
||||
ns_clientmgr_t * clientmgr; /*%< Client manager. */ |
||||
ISC_LINK(ns_interface_t) link; |
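Review bot: The comments on the new `ntcpaccepting` and `ntcpactive` fields say what they count but not how they are synchronised, which matters because the removed `ntcpcurrent` was documented as `locked` and updated under `interface->lock`, whereas client.c now reads and updates these with isc_atomic_xadd() without taking the lock. I would add that to each comment, e.g. `/*%< ... updated with isc_atomic_xadd(), not under ifp->lock */`, so nobody later reintroduces a locked `++` on one side and an atomic on the other.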
||||
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c |
||||
index d8c7188..96c080b 100644 |
||||
--- a/bin/named/interfacemgr.c |
||||
+++ b/bin/named/interfacemgr.c |
||||
@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, |
||||
* connections will be handled in parallel even though there is |
||||
* only one client initially. |
||||
*/ |
||||
- ifp->ntcptarget = 1; |
||||
- ifp->ntcpcurrent = 0; |
||||
+ ifp->ntcpaccepting = 0; |
||||
+ ifp->ntcpactive = 0; |
||||
+ |
||||
ifp->nudpdispatch = 0; |
||||
|
||||
ifp->dscp = -1; |
||||
@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) { |
||||
*/ |
||||
(void)isc_socket_filter(ifp->tcpsocket, "dataready"); |
||||
|
||||
- result = ns_clientmgr_createclients(ifp->clientmgr, |
||||
- ifp->ntcptarget, ifp, |
||||
- ISC_TRUE); |
||||
+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE); |
||||
if (result != ISC_R_SUCCESS) { |
||||
UNEXPECTED_ERROR(__FILE__, __LINE__, |
||||
"TCP ns_clientmgr_createclients(): %s", |
||||
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h |
||||
index b9bf598..36c5830 100644 |
||||
--- a/lib/isc/include/isc/quota.h |
||||
+++ b/lib/isc/include/isc/quota.h |
||||
@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p); |
||||
* quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA). |
||||
*/ |
||||
|
||||
+isc_result_t |
||||
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p); |
||||
+/*%< |
||||
+ * Like isc_quota_attach, but will attach '*p' to the quota |
||||
+ * even if the hard quota has been exceeded. |
||||
+ */ |
||||
+ |
||||
void |
||||
isc_quota_detach(isc_quota_t **p); |
||||
/*%< |
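Review bot: The isc_quota_force() comment should tell callers two things the implementation in quota.c fixes: the forced attach is still counted in `quota->used` and must be paired with isc_quota_detach() exactly like a normal attach, and it returns ISC_R_SUCCESS rather than ISC_R_SOFTQUOTA or ISC_R_QUOTA, so the caller cannot learn that it was granted an over-quota slot. I would extend the block to: `Like isc_quota_attach(), but attaches '*p' even if the hard quota has been exceeded; the attachment still counts against the quota and must be released with isc_quota_detach(). Returns ISC_R_SUCCESS in the forced case.`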
||||
diff --git a/lib/isc/quota.c b/lib/isc/quota.c |
||||
index 3ddff0d..20976a4 100644 |
||||
--- a/lib/isc/quota.c |
||||
+++ b/lib/isc/quota.c |
||||
@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) { |
||||
UNLOCK("a->lock); |
||||
} |
||||
|
||||
-isc_result_t |
||||
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) |
||||
-{ |
||||
+static isc_result_t |
||||
+doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) { |
||||
isc_result_t result; |
||||
- INSIST(p != NULL && *p == NULL); |
||||
+ REQUIRE(p != NULL && *p == NULL); |
||||
+ |
||||
result = isc_quota_reserve(quota); |
||||
- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) |
||||
+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) { |
||||
+ *p = quota; |
||||
+ } else if (result == ISC_R_QUOTA && force) { |
||||
+ /* attach anyway */ |
||||
+ LOCK("a->lock); |
||||
+ quota->used++; |
||||
+ UNLOCK("a->lock); |
||||
+ |
||||
*p = quota; |
||||
+ result = ISC_R_SUCCESS; |
||||
+ } |
||||
+ |
||||
return (result); |
||||
} |
||||
|
||||
+isc_result_t |
||||
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) { |
||||
+ return (doattach(quota, p, ISC_FALSE)); |
||||
+} |
||||
+ |
||||
+isc_result_t |
||||
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) { |
||||
+ return (doattach(quota, p, ISC_TRUE)); |
||||
+} |
||||
+ |
||||
void |
||||
-isc_quota_detach(isc_quota_t **p) |
||||
-{ |
||||
+isc_quota_detach(isc_quota_t **p) { |
||||
INSIST(p != NULL && *p != NULL); |
||||
isc_quota_release(*p); |
||||
*p = NULL; |
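Review bot: In doattach() the forced branch turns ISC_R_QUOTA into ISC_R_SUCCESS, so a caller of isc_quota_force() gets no signal that it was granted a slot beyond the hard limit, and only ISC_R_QUOTA is overridden, so any other failure from isc_quota_reserve() (its result set is not visible here) still propagates with `*p` left NULL; both are defensible but deserve a comment on the `/* attach anyway */` line, e.g. `/* over hard quota: count it anyway; the caller sees ISC_R_SUCCESS */`. The same hunk changes the precondition in doattach() from INSIST to REQUIRE but leaves isc_quota_detach() on `INSIST(p != NULL && *p != NULL);`; for consistency I would change that to `REQUIRE(p != NULL && *p != NULL);` as well.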
||||
-- |
||||
2.20.1 |
||||
|
@@ -0,0 +1,48 @@
|
||||
From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001 |
||||
From: Petr Mensik <pemensik@redhat.com> |
||||
Date: Wed, 19 Jun 2019 12:28:08 +0200 |
||||
Subject: [PATCH] Fix CVE-2019-6471 |
||||
|
||||
5244. [security] Fixed a race condition in dns_dispatch_getnext() |
||||
that could cause an assertion failure if a |
||||
significant number of incoming packets were |
||||
rejected. (CVE-2019-6471) [GL #942] |
||||
--- |
||||
lib/dns/dispatch.c | 10 +++++++--- |
||||
1 file changed, 7 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c |
||||
index 321459ebcb..ae5c9c0fc7 100644 |
||||
--- a/lib/dns/dispatch.c |
||||
+++ b/lib/dns/dispatch.c |
||||
@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { |
||||
disp = resp->disp; |
||||
REQUIRE(VALID_DISPATCH(disp)); |
||||
|
||||
- REQUIRE(resp->item_out == ISC_TRUE); |
||||
- resp->item_out = ISC_FALSE; |
||||
- |
||||
ev = *sockevent; |
||||
*sockevent = NULL; |
||||
|
||||
LOCK(&disp->lock); |
||||
+ |
||||
+ REQUIRE(resp->item_out == ISC_TRUE); |
||||
+ resp->item_out = ISC_FALSE; |
||||
+ |
||||
if (ev->buffer.base != NULL) |
||||
free_buffer(disp, ev->buffer.base, ev->buffer.length); |
||||
free_devent(disp, ev); |
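Review bot: Moving `REQUIRE(resp->item_out == ISC_TRUE)` and the reset under disp->lock is the fix, but nothing in the code records that item_out is lock-protected, so a later reader could hoist it back out to shorten the critical section. I would add a comment above the moved pair: `/* item_out is protected by disp->lock; check and clear it only while locked (CVE-2019-6471). */`. Note that `ev = *sockevent; *sockevent = NULL;` now runs before the REQUIRE; since REQUIRE aborts the process, that ordering has no practical effect. dns_dispatch_getnext() continues past this hunk.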
||||
@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, |
||||
isc_task_send(disp->task[0], &disp->ctlevent); |
||||
} |
||||
|
||||
+/* |
||||
+ * disp must be locked. |
||||
+ */ |
||||
static void |
||||
do_cancel(dns_dispatch_t *disp) { |
||||
dns_dispatchevent_t *ev; |
||||
-- |
||||
2.20.1 |
||||
|
@@ -0,0 +1,49 @@
|
||||
From d5ca0a8f5d31dad4e77bdb8316853f703e68b60f Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Tue, 29 Jan 2019 21:26:33 +0100 |
||||
Subject: [PATCH 4/5] Accept dnssec-lookaside yes; |
||||
|
||||
Treat it the same way as the "auto" value: print a warning and ignore it. |
||||
--- |
||||
bin/named/server.c | 3 ++- |
||||
lib/bind9/check.c | 8 +++++--- |
||||
2 files changed, 7 insertions(+), 4 deletions(-) |
||||
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c |
||||
index 0c8939d..93f9417 100644 |
||||
--- a/bin/named/server.c |
||||
+++ b/bin/named/server.c |
||||
@@ -4615,7 +4615,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, |
||||
/* If "no", skip; if "auto", log warning */ |
||||
if (!strcasecmp(dom, "no")) { |
||||
result = ISC_R_NOTFOUND; |
||||
- } else if (!strcasecmp(dom, "auto")) { |
||||
+ } else if (!strcasecmp(dom, "auto") |
||||
+ || !strcasecmp(dom, "yes")) { |
||||
/* |
||||
* Warning logged by libbind9. |
||||
*/ |
||||
diff --git a/lib/bind9/check.c b/lib/bind9/check.c |
||||
index 1a3d534..f075de0 100644 |
||||
--- a/lib/bind9/check.c |
||||
+++ b/lib/bind9/check.c |
||||
@@ -1176,11 +1176,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, |
||||
if (!strcasecmp(dlv, "no")) { |
||||
continue; |
||||
} |
||||
- if (!strcasecmp(dlv, "auto")) { |
||||
+ if (!strcasecmp(dlv, "auto") |
||||
+ || !strcasecmp(dlv, "yes")) { |
||||
cfg_obj_log(obj, logctx, |
||||
ISC_LOG_WARNING, |
||||
- "dnssec-lookaside 'auto' " |
||||
- "is no longer supported"); |
||||
+ "dnssec-lookaside '%s' " |
||||
+ "is no longer supported", |
||||
+ dlv); |
||||
continue; |
||||
} |
||||
} |
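Review bot: The warning still says only `is no longer supported`, which does not tell an operator who wrote `dnssec-lookaside yes;` that the directive is ignored and no lookaside validation is performed; since the `continue` skips all further checking of the value, I would make that explicit: `"dnssec-lookaside '%s' is no longer supported and is ignored"`. Also, the surrounding BIND code puts `||` at the end of the continued line rather than at the start of the next one, so `if (!strcasecmp(dlv, "auto") ||` / `!strcasecmp(dlv, "yes")) {` matches the file's style; the same applies to the server.c hunk above.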
||||
-- |
||||
2.20.1 |
||||
|
@@ -0,0 +1,41 @@
|
||||
From e1da251de9647872d776b70078556f4e3e21cad8 Mon Sep 17 00:00:00 2001 |
||||
From: Petr Mensik <pemensik@redhat.com> |
||||
Date: Thu, 21 Feb 2019 12:36:17 +0100 |
||||
Subject: [PATCH] Disable autodetected ED448 algorithm support |
||||
|
||||
Implementation is broken in bind, disabled also in more recent versions. |
||||
Makes bin/tests/system/dnssec fail. |
||||
--- |
||||
configure.in | 9 +++++++-- |
||||
1 file changed, 7 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/configure.in b/configure.in |
||||
index 1397c50..475ab9e 100644 |
||||
--- a/configure.in |
||||
+++ b/configure.in |
||||
@@ -1964,6 +1964,9 @@ int main() { |
||||
} |
||||
], |
||||
[AC_MSG_RESULT(yes) |
||||
+ # ED448 support is broken in BIND |
||||
+ # https://gitlab.isc.org/isc-projects/bind9/issues/225 |
||||
+ # disable if autodetected, can be enabled by --with-eddsa=all |
||||
have_ed448="yes"], |
||||
[AC_MSG_RESULT(no) |
||||
have_ed448="no"], |
||||
@@ -1976,8 +1979,10 @@ int main() { |
||||
esac |
||||
case $have_ed448 in |
||||
yes) |
||||
- AC_DEFINE(HAVE_OPENSSL_ED448, 1, |
||||
- [Define if your OpenSSL version supports Ed448.]) |
||||
+ # ED448 support is broken in BIND |
||||
+ # https://gitlab.isc.org/isc-projects/bind9/issues/225 |
||||
+ # AC_DEFINE(HAVE_OPENSSL_ED448, 1, |
||||
+ # [Define if your OpenSSL version supports Ed448.]) |
||||
;; |
||||
*) |
||||
;; |
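Review bot: Commenting out the AC_DEFINE leaves `have_ed448` set to `yes` while the `yes)` case now does nothing, so any later use of the variable (a configure summary line, for instance, which would be outside this hunk) would report Ed448 as enabled when it is not. Clearing the variable in the detection branch of the first hunk, `have_ed448="no"` in place of `have_ed448="yes"`, keeps a single source of truth and makes this case body unnecessary; if the intent is that `--with-eddsa=all` can still force it on, as the comment claims, that path should set the variable explicitly rather than rely on autodetection.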
||||
-- |
||||
2.20.1 |
||||
|
@@ -0,0 +1,39 @@
|
||||
diff --git a/configure.in b/configure.in |
||||
index e6cd6a4..988b0a7 100644 |
||||
--- a/configure.in |
||||
+++ b/configure.in |
||||
@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS) |
||||
AC_SUBST(BUILD_LDFLAGS) |
||||
AC_SUBST(BUILD_LIBS) |
||||
|
||||
+AC_SUBST(LIBDIR_SUFFIX) |
||||
+ |
||||
# |
||||
# Commands to run at the end of config.status. |
||||
# Don't just put these into configure, it won't work right if somebody |
||||
diff --git a/isc-config.sh.in b/isc-config.sh.in |
||||
index 110191a..5a64004 100644 |
||||
--- a/isc-config.sh.in |
||||
+++ b/isc-config.sh.in |
||||
@@ -12,16 +12,17 @@ prefix=@prefix@ |
||||
exec_prefix=@exec_prefix@ |
||||
exec_prefix_set= |
||||
includedir=@includedir@ |
||||
+libdir_suffix=@LIBDIR_SUFFIX@ |
||||
arch=$(uname -m) |
||||
|
||||
case $arch in |
||||
x86_64 | amd64 | sparc64 | s390x | ppc64) |
||||
- libdir=/usr/lib64 |
||||
- sec_libdir=/usr/lib |
||||
+ libdir=/usr/lib64${libdir_suffix} |
||||
+ sec_libdir=/usr/lib${libdir_suffix} |
||||
;; |
||||
* ) |
||||
- libdir=/usr/lib |
||||
- sec_libdir=/usr/lib64 |
||||
+ libdir=/usr/lib${libdir_suffix} |
||||
+ sec_libdir=/usr/lib64${libdir_suffix} |
||||
;; |
||||
esac |
||||
|
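Review bot: The new `libdir=/usr/lib64${libdir_suffix}` lines keep `/usr` hard-coded and the lib/lib64 choice keyed off `uname -m` at run time, even though this script already has `exec_prefix=@exec_prefix@` substituted by configure, so a relocated or cross-compiled install still gets a wrong `-L` path. Using the configure value, `libdir=@libdir@`, and keeping the suffix only for the secondary directory would remove the guess. If the runtime detection is intentionally kept for multilib packaging, a comment above the `case` saying so would help the next reader.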
@@ -0,0 +1,100 @@
|
||||
From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Tue, 25 Sep 2018 18:08:46 +0200 |
||||
Subject: [PATCH] Disable IDN from environment as documented |
||||
|
||||
Manual page of host contained instructions to disable IDN processing |
||||
when it was built with libidn2. When refactoring IDN support however, |
||||
support for disabling IDN in host and nslookup was lost. Use also |
||||
environment variable and document it for nslookup, host and dig. |
||||
|
||||
Support variable CHARSET=ASCII to disable IDN, supported in downstream |
||||
RH patch since RHEL 5. |
||||
--- |
||||
bin/dig/dig.docbook | 4 +++- |
||||
bin/dig/dighost.c | 9 +++++++-- |
||||
bin/dig/host.docbook | 2 +- |
||||
bin/dig/nslookup.docbook | 15 +++++++++++++++ |
||||
4 files changed, 26 insertions(+), 4 deletions(-) |
||||
|
||||
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook |
||||
index fedd288..d5dba72 100644 |
||||
--- a/bin/dig/dig.docbook |
||||
+++ b/bin/dig/dig.docbook |
||||
@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr |
||||
reply from the server. |
||||
If you'd like to turn off the IDN support for some reason, use |
||||
parameters <parameter>+noidnin</parameter> and |
||||
- <parameter>+noidnout</parameter>. |
||||
+ <parameter>+noidnout</parameter> or define |
||||
+ the <envar>IDN_DISABLE</envar> environment variable. |
||||
+ |
||||
</para> |
||||
</refsection> |
||||
|
||||
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c |
||||
index 7408193..d46379d 100644 |
||||
--- a/bin/dig/dighost.c |
||||
+++ b/bin/dig/dighost.c |
||||
@@ -822,12 +822,17 @@ make_empty_lookup(void) { |
||||
looknew->seenbadcookie = ISC_FALSE; |
||||
looknew->badcookie = ISC_TRUE; |
||||
#ifdef WITH_IDN_SUPPORT |
||||
- looknew->idnin = ISC_TRUE; |
||||
+ looknew->idnin = (getenv("IDN_DISABLE") == NULL); |
||||
+ if (looknew->idnin) { |
||||
+ const char *charset = getenv("CHARSET"); |
||||
+ if (charset && !strcmp(charset, "ASCII")) |
||||
+ looknew->idnin = ISC_FALSE; |
||||
+ } |
||||
#else |
||||
looknew->idnin = ISC_FALSE; |
||||
#endif |
||||
#ifdef WITH_IDN_OUT_SUPPORT |
||||
- looknew->idnout = ISC_TRUE; |
||||
+ looknew->idnout = looknew->idnin; |
||||
#else |
||||
looknew->idnout = ISC_FALSE; |
||||
#endif |
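Review bot: The `CHARSET` check is case-sensitive (`!strcmp(charset, "ASCII")`), so `CHARSET=ascii` leaves IDN processing on, and none of the three docbook hunks mentions CHARSET at all even though the commit message presents it as a supported knob. I would use `!strcasecmp(charset, "ASCII")`, which dighost.c already uses elsewhere, and add a sentence to the IDN SUPPORT sections: `Setting CHARSET=ASCII in the environment also disables IDN processing.` Note also that `idnout` now follows `idnin`, so IDN_DISABLE turns off both directions; the host/nslookup text says as much, but the dig page only lists the variable next to `+noidnin` and `+noidnout`. make_empty_lookup() continues past this hunk.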
||||
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook |
||||
index 9c3aeaa..42cbbf9 100644 |
||||
--- a/bin/dig/host.docbook |
||||
+++ b/bin/dig/host.docbook |
||||
@@ -378,7 +378,7 @@ |
||||
<command>host</command> appropriately converts character encoding of |
||||
domain name before sending a request to DNS server or displaying a |
||||
reply from the server. |
||||
- If you'd like to turn off the IDN support for some reason, defines |
||||
+ If you'd like to turn off the IDN support for some reason, define |
||||
the <envar>IDN_DISABLE</envar> environment variable. |
||||
The IDN support is disabled if the variable is set when |
||||
<command>host</command> runs. |
||||
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook |
||||
index 3aff4e9..86a09c6 100644 |
||||
--- a/bin/dig/nslookup.docbook |
||||
+++ b/bin/dig/nslookup.docbook |
||||
@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10 |
||||
</para> |
||||
</refsection> |
||||
|
||||
+ <refsection><info><title>IDN SUPPORT</title></info> |
||||
+ |
||||
+ <para> |
||||
+ If <command>nslookup</command> has been built with IDN (internationalized |
||||
+ domain name) support, it can accept and display non-ASCII domain names. |
||||
+ <command>nslookup</command> appropriately converts character encoding of |
||||
+ domain name before sending a request to DNS server or displaying a |
||||
+ reply from the server. |
||||
+ If you'd like to turn off the IDN support for some reason, define |
||||
+ the <envar>IDN_DISABLE</envar> environment variable. |
||||
+ The IDN support is disabled if the variable is set when |
||||
+ <command>nslookup</command> runs. |
||||
+ </para> |
||||
+ </refsection> |
||||
+ |
||||
<refsection><info><title>FILES</title></info> |
||||
|
||||
<para><filename>/etc/resolv.conf</filename> |
||||
-- |
||||
2.14.4 |
||||
|
@@ -0,0 +1,206 @@
|
||||
From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Tue, 2 Jan 2018 18:13:07 +0100 |
||||
Subject: [PATCH] Fix pkcs11 variants atf tests |
||||
|
||||
Add dns-pkcs11 tests Makefile to configure |
||||
|
||||
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode |
||||
--- |
||||
configure.in | 1 + |
||||
lib/Atffile | 2 ++ |
||||
lib/Kyuafile | 2 ++ |
||||
lib/dns-pkcs11/tests/Makefile.in | 10 +++++----- |
||||
lib/dns-pkcs11/tests/dh_test.c | 3 ++- |
||||
lib/isc-pkcs11/tests/Makefile.in | 6 +++--- |
||||
lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++------- |
||||
7 files changed, 40 insertions(+), 16 deletions(-) |
||||
|
||||
diff --git a/configure.in b/configure.in |
||||
index 67b3aab..4767eeb 100644 |
||||
--- a/configure.in |
||||
+++ b/configure.in |
||||
@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([ |
||||
lib/dns-pkcs11/include/Makefile |
||||
lib/dns-pkcs11/include/dns/Makefile |
||||
lib/dns-pkcs11/include/dst/Makefile |
||||
+ lib/dns-pkcs11/tests/Makefile |
||||
lib/irs/Makefile |
||||
lib/irs/include/Makefile |
||||
lib/irs/include/irs/Makefile |
||||
diff --git a/lib/Atffile b/lib/Atffile |
||||
index 93bbb01..4db3dce 100644 |
||||
--- a/lib/Atffile |
||||
+++ b/lib/Atffile |
||||
@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1" |
||||
prop: test-suite = bind9 |
||||
|
||||
tp: dns |
||||
+tp: dns-pkcs11 |
||||
tp: irs |
||||
tp: isc |
||||
+tp: isc-pkcs11 |
||||
tp: isccfg |
||||
tp: lwres |
||||
diff --git a/lib/Kyuafile b/lib/Kyuafile |
||||
index ff9fc56..eaaf0dc 100644 |
||||
--- a/lib/Kyuafile |
||||
+++ b/lib/Kyuafile |
||||
@@ -2,7 +2,9 @@ syntax(2) |
||||
test_suite('bind9') |
||||
|
||||
include('dns/Kyuafile') |
||||
+include('dns-pkcs11/Kyuafile') |
||||
include('irs/Kyuafile') |
||||
include('isc/Kyuafile') |
||||
+include('isc-pkcs11/Kyuafile') |
||||
include('isccfg/Kyuafile') |
||||
include('lwres/Kyuafile') |
||||
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in |
||||
index 2a6571b..f25a784 100644 |
||||
--- a/lib/dns-pkcs11/tests/Makefile.in |
||||
+++ b/lib/dns-pkcs11/tests/Makefile.in |
||||
@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ |
||||
|
||||
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ |
||||
@DST_OPENSSL_INC@ |
||||
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" |
||||
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" |
||||
|
||||
-ISCLIBS = ../../isc/libisc.@A@ |
||||
-ISCDEPLIBS = ../../isc/libisc.@A@ |
||||
-DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@ |
||||
-DNSDEPLIBS = ../libdns.@A@ |
||||
+ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ |
||||
+ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ |
||||
+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ |
||||
+DNSDEPLIBS = ../libdns-pkcs11.@A@ |
||||
|
||||
LIBS = @LIBS@ @ATFLIBS@ |
||||
|
||||
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c |
||||
index 036d27a..eb6554f 100644 |
||||
--- a/lib/dns-pkcs11/tests/dh_test.c |
||||
+++ b/lib/dns-pkcs11/tests/dh_test.c |
||||
@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { |
||||
ret = dst_key_computesecret(key, key, &buf); |
||||
ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY); |
||||
ret = key->func->computesecret(key, key, &buf); |
||||
- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE); |
||||
+ /* PKCS11 variant gives different result, accept both */ |
||||
+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY); |
||||
|
||||
dst_key_free(&key); |
||||
dns_test_end(); |
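Review bot: Accepting either DST_R_COMPUTESECRETFAILURE or DST_R_INVALIDPRIVATEKEY in both build variants weakens the OpenSSL-backed test as well, since a regression that flips the OpenSSL result to the other code would now pass. If the PKCS#11 build defines a distinguishing macro (none is visible in this patch), selecting the expected value with `#ifdef` keeps each variant exact; otherwise the comment should state which backend returns which code so the next reader knows the disjunction is deliberate rather than a loosened expectation.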
||||
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in |
||||
index f7fa538..818dae4 100644 |
||||
--- a/lib/isc-pkcs11/tests/Makefile.in |
||||
+++ b/lib/isc-pkcs11/tests/Makefile.in |
||||
@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@ |
||||
@BIND9_MAKE_INCLUDES@ |
||||
|
||||
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@ |
||||
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\"" |
||||
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\"" |
||||
|
||||
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@ |
||||
-ISCDEPLIBS = ../libisc.@A@ |
||||
+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ |
||||
+ISCDEPLIBS = ../libisc-pkcs11.@A@ |
||||
|
||||
LIBS = @LIBS@ @ATFLIBS@ |
||||
|
||||
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c |
||||
index 5b8a374..c1891c2 100644 |
||||
--- a/lib/isc-pkcs11/tests/hash_test.c |
||||
+++ b/lib/isc-pkcs11/tests/hash_test.c |
||||
@@ -74,7 +74,7 @@ typedef struct hash_testcase { |
||||
|
||||
typedef struct hash_test_key { |
||||
const char *key; |
||||
- const int len; |
||||
+ const unsigned len; |
||||
} hash_test_key_t; |
||||
|
||||
/* non-hmac tests */ |
||||
@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { |
||||
hash_test_key_t *test_key = test_keys; |
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) { |
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA1_DIGESTLENGTH); |
||||
+ |
||||
+ memset(buffer, 0, ISC_SHA1_DIGESTLENGTH); |
||||
memmove(buffer, test_key->key, test_key->len); |
||||
- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len); |
||||
+ isc_hmacsha1_init(&hmacsha1, buffer, len); |
||||
isc_hmacsha1_update(&hmacsha1, |
||||
(const isc_uint8_t *) testcase->input, |
||||
testcase->input_len); |
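Review bot: Zero-padding short keys up to the digest length is correct for HMAC, which zero-extends any key shorter than the block size anyway, so the published test vectors still apply, but the reason for doing it is not recorded and a reader will assume the vectors changed. I would put a comment above the `int len = ISC_MAX(...)` line: `/* HMAC zero-pads keys shorter than the block size, so padding to the digest length keeps the vector valid; presumably needed because the PKCS#11 provider rejects shorter keys. */`. Also `len` is declared `int` while `test_key->len` was just changed to `unsigned`, so `unsigned int len` matches the field it is derived from. The same pattern repeats in the five following hunks.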
||||
@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { |
||||
hash_test_key_t *test_key = test_keys; |
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) { |
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA224_DIGESTLENGTH); |
||||
+ |
||||
+ memset(buffer, 0, ISC_SHA224_DIGESTLENGTH); |
||||
memmove(buffer, test_key->key, test_key->len); |
||||
- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len); |
||||
+ isc_hmacsha224_init(&hmacsha224, buffer, len); |
||||
isc_hmacsha224_update(&hmacsha224, |
||||
(const isc_uint8_t *) testcase->input, |
||||
testcase->input_len); |
||||
@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { |
||||
hash_test_key_t *test_key = test_keys; |
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) { |
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA256_DIGESTLENGTH); |
||||
+ |
||||
+ memset(buffer, 0, ISC_SHA256_DIGESTLENGTH); |
||||
memmove(buffer, test_key->key, test_key->len); |
||||
- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len); |
||||
+ isc_hmacsha256_init(&hmacsha256, buffer, len); |
||||
isc_hmacsha256_update(&hmacsha256, |
||||
(const isc_uint8_t *) testcase->input, |
||||
testcase->input_len); |
||||
@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { |
||||
hash_test_key_t *test_key = test_keys; |
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) { |
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA384_DIGESTLENGTH); |
||||
+ |
||||
+ memset(buffer, 0, ISC_SHA384_DIGESTLENGTH); |
||||
memmove(buffer, test_key->key, test_key->len); |
||||
- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len); |
||||
+ isc_hmacsha384_init(&hmacsha384, buffer, len); |
||||
isc_hmacsha384_update(&hmacsha384, |
||||
(const isc_uint8_t *) testcase->input, |
||||
testcase->input_len); |
||||
@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { |
||||
hash_test_key_t *test_key = test_keys; |
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) { |
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA512_DIGESTLENGTH); |
||||
+ |
||||
+ memset(buffer, 0, ISC_SHA512_DIGESTLENGTH); |
||||
memmove(buffer, test_key->key, test_key->len); |
||||
- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len); |
||||
+ isc_hmacsha512_init(&hmacsha512, buffer, len); |
||||
isc_hmacsha512_update(&hmacsha512, |
||||
(const isc_uint8_t *) testcase->input, |
||||
testcase->input_len); |
||||
@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { |
||||
hash_test_key_t *test_key = test_keys; |
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) { |
||||
+ int len = ISC_MAX(test_key->len, ISC_MD5_DIGESTLENGTH); |
||||
+ |
||||
+ memset(buffer, 0, ISC_MD5_DIGESTLENGTH); |
||||
memmove(buffer, test_key->key, test_key->len); |
||||
- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len); |
||||
+ isc_hmacmd5_init(&hmacmd5, buffer, len); |
||||
isc_hmacmd5_update(&hmacmd5, |
||||
(const isc_uint8_t *) testcase->input, |
||||
testcase->input_len); |
||||
-- |
||||
2.14.3 |
||||
|
@@ -0,0 +1,303 @@
|
||||
From fb4271f5881a83c2cfb639587597b9a80c536a6d Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Tue, 29 Jan 2019 20:59:57 +0100 |
||||
Subject: [PATCH] Replace libidn2 support with libidn |
||||
|
||||
They should be more or less compatible. Try to maintain original |
||||
behaviour of old 9.11 libidn patch, ignore any in output filter. |
||||
--- |
||||
bin/dig/Makefile.in | 6 ++--- |
||||
bin/dig/dighost.c | 64 ++++++++++++++++++++++++++++++--------------- |
||||
config.h.in | 4 +-- |
||||
configure.in | 56 +++++++++++++++++++-------------------- |
||||
4 files changed, 76 insertions(+), 54 deletions(-) |
||||
|
||||
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in |
||||
index 3edd951..75441b0 100644 |
||||
--- a/bin/dig/Makefile.in |
||||
+++ b/bin/dig/Makefile.in |
||||
@@ -19,7 +19,7 @@ READLINE_LIB = @READLINE_LIB@ |
||||
|
||||
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \ |
||||
${BIND9_INCLUDES} ${ISC_INCLUDES} \ |
||||
- ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @DST_OPENSSL_INC@ |
||||
+ ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN_CFLAGS@ @DST_OPENSSL_INC@ |
||||
|
||||
CDEFINES = -DVERSION=\"${VERSION}\" @CRYPTO@ |
||||
CWARNINGS = |
||||
@@ -41,10 +41,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \ |
||||
${ISCCFGDEPLIBS} ${LWRESDEPLIBS} |
||||
|
||||
LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ |
||||
- ${ISCLIBS} @IDNKIT_LIBS@ @LIBIDN2_LIBS@ @LIBS@ |
||||
+ ${ISCLIBS} @IDNKIT_LIBS@ @LIBIDN_LIBS@ @LIBS@ |
||||
|
||||
NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ |
||||
- ${ISCNOSYMLIBS} @IDNKIT_LIBS@ @LIBIDN2_LIBS@ @LIBS@ |
||||
+ ${ISCNOSYMLIBS} @IDNKIT_LIBS@ @LIBIDN_LIBS@ @LIBS@ |
||||
|
||||
SUBDIRS = |
||||
|
||||
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c |
||||
index ffc16c4..a345a21 100644 |
||||
--- a/bin/dig/dighost.c |
||||
+++ b/bin/dig/dighost.c |
||||
@@ -38,8 +38,9 @@ |
||||
#include <idn/api.h> |
||||
#endif |
||||
|
||||
-#ifdef WITH_LIBIDN2 |
||||
-#include <idn2.h> |
||||
+#ifdef WITH_LIBIDN |
||||
+#include <stringprep.h> |
||||
+#include <idna.h> |
||||
#endif |
||||
#endif /* WITH_IDN_SUPPORT */ |
||||
|
||||
@@ -4761,7 +4762,7 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) { |
||||
} |
||||
#endif /* WITH_IDNKIT */ |
||||
|
||||
-#ifdef WITH_LIBIDN2 |
||||
+#ifdef WITH_LIBIDN |
||||
static void |
||||
idn_initialize(void) { |
||||
} |
||||
@@ -4769,16 +4770,25 @@ idn_initialize(void) { |
||||
static isc_result_t |
||||
idn_locale_to_ace(const char *from, char *to, size_t tolen) { |
||||
int res; |
||||
+ char *utf8_str; |
||||
char *tmp_str = NULL; |
||||
|
||||
- res = idn2_to_ascii_lz(from, &tmp_str, IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT); |
||||
- if (res == IDN2_DISALLOWED) { |
||||
- res = idn2_to_ascii_lz(from, &tmp_str, IDN2_TRANSITIONAL|IDN2_NFC_INPUT); |
||||
+ debug ("libidn_locale_to_utf8"); |
||||
+ utf8_str = stringprep_locale_to_utf8 (from); |
||||
+ if (utf8_str == NULL) { |
||||
+ debug ("libidn stringprep_locale_to_utf8 failure"); |
||||
+ return ISC_R_FAILURE; |
||||
} |
||||
|
||||
- if (res == IDN2_OK) { |
||||
+ int iresult; |
||||
+ |
||||
+ debug ("libidn_utf8_to_ascii"); |
||||
+ res = idna_to_ascii_8z (utf8_str, &tmp_str, 0); |
||||
+ free (utf8_str); |
||||
+ |
||||
+ if (res == IDNA_SUCCESS) { |
||||
/* |
||||
- * idn2_to_ascii_lz() normalizes all strings to lowerl case, |
||||
+ * idna_to_ascii_8z() normalizes all strings to lowerl case, |
||||
* but we generally don't want to lowercase all input strings; |
||||
* make sure to return the original case if the two strings |
||||
* differ only in case |
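Review bot: `int iresult;` is declared after the `utf8_str` checks in idn_locale_to_ace() and is never used; it is a mid-block declaration in a function otherwise written C89-style and will draw an unused-variable warning, so delete the line. The new `stringprep_locale_to_utf8()` failure path quietly returns ISC_R_FAILURE, whereas an IDN that libidn rejects a few lines further down (next hunk) still aborts dig through fatal(); if that asymmetry is intended it deserves `/* locale conversion failed: report failure; an invalid IDN below is still fatal */` so the next maintainer does not "fix" it one way or the other. The function's tail is in the following hunk.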
||||
@@ -4786,26 +4796,26 @@ idn_locale_to_ace(const char *from, char *to, size_t tolen) { |
||||
if (!strcasecmp(from, tmp_str)) { |
||||
if (strlen(from) >= tolen) { |
||||
debug("from string is too long"); |
||||
- idn2_free(tmp_str); |
||||
+ free(tmp_str); |
||||
return ISC_R_NOSPACE; |
||||
} |
||||
- idn2_free(tmp_str); |
||||
+ free(tmp_str); |
||||
(void) strlcpy(to, from, tolen); |
||||
return ISC_R_SUCCESS; |
||||
} |
||||
/* check the length */ |
||||
if (strlen(tmp_str) >= tolen) { |
||||
debug("ACE string is too long"); |
||||
- idn2_free(tmp_str); |
||||
+ free(tmp_str); |
||||
return ISC_R_NOSPACE; |
||||
} |
||||
|
||||
(void) strlcpy(to, tmp_str, tolen); |
||||
- idn2_free(tmp_str); |
||||
+ free(tmp_str); |
||||
return ISC_R_SUCCESS; |
||||
} |
||||
|
||||
- fatal("'%s' is not a legal IDN name (%s), use +noidnin", from, idn2_strerror(res)); |
||||
+ fatal("'%s' is not a legal IDN name (%s), use +noidnin", from, idna_strerror (res)); |
||||
return ISC_R_FAILURE; |
||||
} |
||||
|
||||
@@ -4813,29 +4823,41 @@ idn_locale_to_ace(const char *from, char *to, size_t tolen) { |
||||
static isc_result_t |
||||
idn_ace_to_locale(const char *from, char *to, size_t tolen) { |
||||
int res; |
||||
+ char *tmp2 = NULL; |
||||
char *tmp_str = NULL; |
||||
|
||||
- res = idn2_to_unicode_8zlz(from, &tmp_str, |
||||
- IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT); |
||||
+ res = idna_to_unicode_8z8z (from, &tmp2, 0); |
||||
+ if (res != IDNA_SUCCESS) { |
||||
+ debug ("output_filter: %s", idna_strerror (res)); |
||||
+ return ISC_R_SUCCESS; |
||||
+ } |
||||
+ |
||||
+ tmp_str = stringprep_utf8_to_locale (tmp2); |
||||
+ if (tmp_str == NULL) { |
||||
+ debug ("output_filter: stringprep_utf8_to_locale failed"); |
||||
+ res = idna_to_ascii_8z(tmp2, &tmp_str, 0); |
||||
+ } |
||||
+ |
||||
+ free(tmp2); |
||||
|
||||
- if (res == IDN2_OK) { |
||||
+ if (res == IDNA_SUCCESS) { |
||||
/* check the length */ |
||||
if (strlen(tmp_str) >= tolen) { |
||||
debug("encoded ASC string is too long"); |
||||
- idn2_free(tmp_str); |
||||
+ free(tmp_str); |
||||
return ISC_R_FAILURE; |
||||
} |
||||
|
||||
(void) strlcpy(to, tmp_str, tolen); |
||||
- idn2_free(tmp_str); |
||||
+ free(tmp_str); |
||||
return ISC_R_SUCCESS; |
||||
} |
||||
- |
||||
- fatal("'%s' is not a legal IDN name (%s), use +noidnout", from, idn2_strerror(res)); |
||||
+ // fatal("'%s' is not a legal IDN name (%s), use +noidnout", from, idna_strerror(res)); |
||||
+ free(tmp_str); |
||||
return ISC_R_FAILURE; |
||||
} |
||||
#endif /* WITH_IDN_OUT_SUPPORT */ |
||||
-#endif /* WITH_LIBIDN2 */ |
||||
+#endif /* WITH_LIBIDN */ |
||||
#endif /* WITH_IDN_SUPPORT */ |
||||
|
||||
#ifdef DIG_SIGCHASE |
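Review bot: When `idna_to_unicode_8z8z()` fails, idn_ace_to_locale() now returns ISC_R_SUCCESS without writing anything into `to`, so a caller that prints `to` on success (the caller is outside the hunk) would emit whatever the buffer already held; the replaced libidn2 code reached fatal() on that path instead. Because the name being decoded comes from a DNS response, aborting is not desirable either, so the safest outcome is to hand back the ACE form: replace the early return with `if (strlen(from) >= tolen) return ISC_R_NOSPACE;` followed by `(void) strlcpy(to, from, tolen); return ISC_R_SUCCESS;`, or return ISC_R_FAILURE as the tail of the function does. The `// fatal(...)` line should be deleted rather than left as commented-out code, and as a `//` comment in a file that otherwise uses `/* */`. The final `free(tmp_str)` is safe because tmp_str starts NULL, but it is only reached when the `idna_to_ascii_8z()` fallback also failed, which a short comment above it should say.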
||||
diff --git a/config.h.in b/config.h.in |
||||
index 1dc65cf..9eb8a16 100644 |
||||
--- a/config.h.in |
||||
+++ b/config.h.in |
||||
@@ -615,8 +615,8 @@ int sigwait(const unsigned int *set, int *sig); |
||||
/* define if IDN input support is to be included. */ |
||||
#undef WITH_IDN_SUPPORT |
||||
|
||||
-/* define if libidn2 support is to be included. */ |
||||
-#undef WITH_LIBIDN2 |
||||
+/* define if libidn support is to be included. */ |
||||
+#undef WITH_LIBIDN |
||||
|
||||
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most |
||||
significant byte first (like Motorola and SPARC, unlike Intel). */ |
||||
diff --git a/configure.in b/configure.in |
||||
index 9a1d16d..1397c50 100644 |
||||
--- a/configure.in |
||||
+++ b/configure.in |
||||
@@ -4864,36 +4864,36 @@ fi |
||||
AC_SUBST(IDNKIT_LIBS) |
||||
|
||||
# |
||||
-# IDN support using libidn2 |
||||
+# IDN support using libidn |
||||
# |
||||
|
||||
-LIBIDN2_CFLAGS= |
||||
-LIBIDN2_LDFLAGS= |
||||
-LIBIDN2_LIBS= |
||||
-AC_ARG_WITH(libidn2, |
||||
- AS_HELP_STRING([--with-libidn2[=PATH]], [enable IDN support using GNU libidn2 [yes|no|path]]), |
||||
- use_libidn2="$withval", use_libidn2="no") |
||||
-AS_CASE([$use_libidn2], |
||||
+LIBIDN_CFLAGS= |
||||
+LIBIDN_LDFLAGS= |
||||
+LIBIDN_LIBS= |
||||
+AC_ARG_WITH(libidn, |
||||
+ AS_HELP_STRING([--with-libidn[=PATH]], [enable IDN support using GNU libidn [yes|no|path]]), |
||||
+ use_libidn="$withval", use_libidn="no") |
||||
+AS_CASE([$use_libidn], |
||||
[no],[:], |
||||
[yes],[:], |
||||
[*],[ |
||||
- LIBIDN2_CFLAGS="-I$use_libidn2/include" |
||||
- LIBIDN2_LDFLAGS="-L$use_libidn2/lib" |
||||
+ LIBIDN_CFLAGS="-I$use_libidn/include" |
||||
+ LIBIDN_LDFLAGS="-L$use_libidn/lib" |
||||
]) |
||||
|
||||
-AS_IF([test "$use_libidn2" != "no"], |
||||
+AS_IF([test "$use_libidn" != "no"], |
||||
[save_CFLAGS="$CFLAGS" |
||||
save_LIBS="$LIBS" |
||||
save_LDFLAGS="$LDFLAGS" |
||||
- CFLAGS="$LIBIDN2_CFLAGS $CFLAGS" |
||||
- LDFLAGS="$LIBIDN2_LDFLAGS $LDFLAGS" |
||||
- AC_SEARCH_LIBS([idn2_to_ascii_8z], [idn2], |
||||
+ CFLAGS="$LIBIDN_CFLAGS $CFLAGS" |
||||
+ LDFLAGS="$LIBIDN_LDFLAGS $LDFLAGS" |
||||
+ AC_SEARCH_LIBS([idna_to_ascii_8z], [idn], |
||||
[AC_DEFINE(WITH_IDN_SUPPORT, 1, [define if IDN input support is to be included.]) |
||||
- AC_DEFINE(WITH_LIBIDN2, 1, [define if libidn2 support is to be included.]) |
||||
- LIBIDN2_LIBS="$LIBIDN2_LDFLAGS -lidn2"], |
||||
- [AC_MSG_ERROR([libidn2 requested, but not found])]) |
||||
- AC_TRY_LINK([#include <idn2.h>], |
||||
- [idn2_to_unicode_8zlz(".", NULL, IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT);], |
||||
+ AC_DEFINE(WITH_LIBIDN, 1, [define if libidn support is to be included.]) |
||||
+ LIBIDN_LIBS="$LIBIDN_LDFLAGS -lidn"], |
||||
+ [AC_MSG_ERROR([libidn requested, but not found])]) |
||||
+ AC_TRY_LINK([#include <idna.h>], |
||||
+ [idna_to_unicode_8zlz(".", NULL, 0);], |
||||
[AC_MSG_RESULT(yes) |
||||
AC_DEFINE(WITH_IDN_OUT_SUPPORT, 1, [define if IDN output support is to be included.])], |
||||
[AC_MSG_RESULT([no])]) |
||||
@@ -4901,21 +4901,21 @@ AS_IF([test "$use_libidn2" != "no"], |
||||
LIBS="$save_LIBS" |
||||
LDFLAGS="$save_LDFLAGS" |
||||
]) |
||||
-AC_SUBST([LIBIDN2_CFLAGS]) |
||||
-AC_SUBST([LIBIDN2_LIBS]) |
||||
+AC_SUBST([LIBIDN_CFLAGS]) |
||||
+AC_SUBST([LIBIDN_LIBS]) |
||||
|
||||
# |
||||
# IDN support in general |
||||
# |
||||
|
||||
-# check if idnkit and libidn2 are not used at the same time |
||||
-if test "$use_idnkit" != no && test "$use_libidn2" != no; then |
||||
- AC_MSG_ERROR([idnkit and libidn2 cannot be used at the same time.]) |
||||
+# check if idnkit and libidn are not used at the same time |
||||
+if test "$use_idnkit" != no && test "$use_libidn" != no; then |
||||
+ AC_MSG_ERROR([idnkit and libidn cannot be used at the same time.]) |
||||
fi |
||||
# the IDN support is on |
||||
-if test "$use_idnkit" != no || test "$use_libidn2" != no; then |
||||
+if test "$use_idnkit" != no || test "$use_libidn" != no; then |
||||
AC_DEFINE(WITH_IDN_SUPPORT, 1, [define if IDN input support is to be included.]) |
||||
- if test "$use_libidn2" = no || test "$use_libidn2_out" != no; then |
||||
+ if test "$use_libidn" = no || test "$use_libidn_out" != no; then |
||||
AC_DEFINE(WITH_IDN_OUT_SUPPORT, 1, [define if IDN output support is to be included.]) |
||||
fi |
||||
fi |
||||
@@ -5618,7 +5618,7 @@ report() { |
||||
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" |
||||
test "X$ZLIB" = "X" || echo " HTTP zlib compression (--with-zlib)" |
||||
test "X$NZD_TOOLS" = "X" || echo " LMDB database to store configuration for 'addzone' zones (--with-lmdb)" |
||||
- test "no" = "$use_libidn2" || echo " IDN support (--with-libidn2)" |
||||
+ test "no" = "$use_libidn" || echo " IDN support (--with-libidn)" |
||||
fi |
||||
|
||||
if test "no" != "$use_pkcs11"; then |
||||
@@ -5716,7 +5716,7 @@ report() { |
||||
test "X$JSONSTATS" = "X" && echo " JSON statistics (--with-libjson)" |
||||
test "X$ZLIB" = "X" && echo " HTTP zlib compression (--with-zlib)" |
||||
test "X$NZD_TOOLS" = "X" && echo " LMDB database to store configuration for 'addzone' zones (--with-lmdb)" |
||||
- test "no" = "$use_libidn2" && echo " IDN support (--with-libidn2)" |
||||
+ test "no" = "$use_libidn" && echo " IDN support (--with-libidn)" |
||||
|
||||
echo "-------------------------------------------------------------------------------" |
||||
echo "Configured paths:" |
||||
-- |
||||
2.20.1 |
||||
|
@@ -0,0 +1,70 @@
|
||||
From 8963e300f7e465b3c96e859ba81e128fa508cefd Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Mon, 21 Jan 2019 19:15:40 +0100 |
||||
Subject: [PATCH 1/5] Turn off sending cookies by default |
||||
|
||||
Upstream sends DNS COOKIE options by default. For compatibility |
||||
with bind 9.9.4, require inclusion of send-cookie in configuration or |
||||
dig +cookie parameter to send cookie. Would not send EDNS extension in |
||||
non-DNSSEC query by default. |
||||
--- |
||||
bin/dig/dig.c | 4 ++-- |
||||
bin/dig/dig.docbook | 4 ++-- |
||||
bin/named/config.c | 2 +- |
||||
3 files changed, 5 insertions(+), 5 deletions(-) |
||||
|
||||
diff --git a/bin/dig/dig.c b/bin/dig/dig.c |
||||
index c577e31..8b23676 100644 |
||||
--- a/bin/dig/dig.c |
||||
+++ b/bin/dig/dig.c |
||||
@@ -1429,7 +1429,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile, |
||||
lookup->section_authority = ISC_TRUE; |
||||
lookup->section_question = ISC_FALSE; |
||||
lookup->dnssec = ISC_TRUE; |
||||
- lookup->sendcookie = ISC_TRUE; |
||||
+ lookup->sendcookie = ISC_FALSE; |
||||
usesearch = ISC_FALSE; |
||||
} |
||||
break; |
||||
@@ -1883,7 +1883,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, |
||||
default_lookup = make_empty_lookup(); |
||||
default_lookup->adflag = ISC_TRUE; |
||||
default_lookup->edns = 0; |
||||
- default_lookup->sendcookie = ISC_TRUE; |
||||
+ default_lookup->sendcookie = ISC_FALSE; |
||||
|
||||
#ifndef NOPOSIX |
||||
/* |
||||
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook |
||||
index d5dba72..575a308 100644 |
||||
--- a/bin/dig/dig.docbook |
||||
+++ b/bin/dig/dig.docbook |
||||
@@ -617,10 +617,10 @@ |
||||
Send a COOKIE EDNS option, with optional |
||||
value. Replaying a COOKIE from a previous response will |
||||
allow the server to identify a previous client. The |
||||
- default is <option>+cookie</option>. |
||||
+ default is <option>+nocookie</option>. |
||||
</para> |
||||
<para> |
||||
- <command>+cookie</command> is also set when +trace |
||||
+ <command>+nocookie</command> is also set when +trace |
||||
is set to better emulate the default queries from a |
||||
nameserver. |
||||
</para> |
||||
diff --git a/bin/named/config.c b/bin/named/config.c |
||||
index c50f759..7d97029 100644 |
||||
--- a/bin/named/config.c |
||||
+++ b/bin/named/config.c |
||||
@@ -102,7 +102,7 @@ options {\n\ |
||||
resolver-query-timeout 10;\n\ |
||||
rrset-order { order random; };\n\ |
||||
secroots-file \"named.secroots\";\n\ |
||||
- send-cookie true;\n\ |
||||
+ send-cookie false;\n\ |
||||
# serial-queries <obsolete>;\n\ |
||||
serial-query-rate 20;\n\ |
||||
server-id none;\n\ |
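Review bot: `send-cookie false;` as the built-in default switches off the RFC 7873 DNS COOKIE option on named's outgoing queries, which is the mechanism that lets a cooperating authoritative server tell this resolver apart from an off-path spoofer; the commit message justifies this solely by BIND 9.9.4 compatibility, so the security trade-off should be written down where operators will see it. The diffstat lists only bin/dig/dig.docbook on the documentation side, so the ARM text for `send-cookie` presumably still describes the upstream default of `yes` and should be changed in the same patch. In the defaults block itself a one-line `/* downstream: off for 9.9 compatibility; resolvers should set send-cookie yes */` would keep the deviation from being lost in a later upstream sync.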
||||
-- |
||||
2.20.1 |
||||
|
@@ -0,0 +1,42 @@
|
||||
From 9fea3896c84d027271c2315af098dad319a444da Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Mon, 21 Jan 2019 19:23:10 +0100 |
||||
Subject: [PATCH 2/5] Turn off listening on IPv6 by default |
||||
|
||||
To maintain behaviour of BIND 9.9, turn off listening on IPv6 by |
||||
default. To enable listening like upstream defaults, include |
||||
listen-on-v6 { any; }; in options. |
||||
--- |
||||
bin/named/config.c | 2 +- |
||||
doc/arm/Bv9ARM-book.xml | 2 +- |
||||
2 files changed, 2 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/bin/named/config.c b/bin/named/config.c |
||||
index 7d97029..1d7aaa1 100644 |
||||
--- a/bin/named/config.c |
||||
+++ b/bin/named/config.c |
||||
@@ -77,7 +77,7 @@ options {\n\ |
||||
interface-interval 60;\n\ |
||||
# keep-response-order {none;};\n\ |
||||
listen-on {any;};\n\ |
||||
- listen-on-v6 {any;};\n\ |
||||
+ listen-on-v6 {none;};\n\ |
||||
# lock-file \"" NS_LOCALSTATEDIR "/run/named/named.lock\";\n\ |
||||
match-mapped-addresses no;\n\ |
||||
max-rsa-exponent-size 0; /* no limit */\n\ |
||||
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml |
||||
index a5d9e2e..5e7d015 100644 |
||||
--- a/doc/arm/Bv9ARM-book.xml |
||||
+++ b/doc/arm/Bv9ARM-book.xml |
||||
@@ -7473,7 +7473,7 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; }; |
||||
The <command>listen-on-v6</command> option is used to |
||||
specify the interfaces and the ports on which the server will |
||||
listen for incoming queries sent using IPv6. If not specified, |
||||
- the server will listen on port 53 on all IPv6 interfaces. |
||||
+ the server will not listen on port 53 on any IPv6 interfaces. |
||||
</para> |
||||
|
||||
<para> |
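Review bot: The new ARM sentence `the server will not listen on port 53 on any IPv6 interfaces` reads as though only port 53 is affected, while the default `listen-on-v6 {none;}` set in config.c disables IPv6 listening altogether; suggest `the server will not listen on any IPv6 interface (equivalent to listen-on-v6 { none; };)`. It is also worth stating in the same paragraph that this default deliberately differs from upstream BIND, as the commit message says, because operators reading upstream documentation will expect IPv6 to be on.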
||||
-- |
||||
2.20.1 |
||||
|
@@ -0,0 +1,256 @@
|
||||
From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Wed, 25 Jul 2018 12:24:16 +0200 |
||||
Subject: [PATCH] Use make automatic variables to install updated manuals |
||||
|
||||
Make will choose modified manual from build directory or original from source |
||||
directory automagically. Take advantage of install tool feature. |
||||
Install all files in single command instead of iterating on each of them. |
||||
--- |
||||
bin/check/Makefile.in | 8 +++++--- |
||||
bin/confgen/Makefile.in | 9 +++++---- |
||||
bin/delv/Makefile.in | 6 ++++-- |
||||
bin/dig/Makefile.in | 8 ++++---- |
||||
bin/dnssec/Makefile.in | 6 ++++-- |
||||
bin/named/Makefile.in | 13 +++++++++---- |
||||
bin/pkcs11/Makefile.in | 9 ++++----- |
||||
bin/python/Makefile.in | 8 ++++---- |
||||
bin/tools/Makefile.in | 25 +++++++++++++++---------- |
||||
9 files changed, 54 insertions(+), 38 deletions(-) |
||||
|
||||
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in |
||||
index 12f48d2d23..d8eac4c714 100644 |
||||
--- a/bin/check/Makefile.in |
||||
+++ b/bin/check/Makefile.in |
||||
@@ -83,12 +83,14 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs |
||||
+install-man8: ${MANPAGES} |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 |
||||
+ (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) |
||||
+ |
||||
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs install-man8 |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} |
||||
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) |
||||
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done |
||||
- (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) |
||||
|
||||
uninstall:: |
||||
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8 |
||||
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in |
||||
index 87f13dda4b..7865c0c73e 100644 |
||||
--- a/bin/confgen/Makefile.in |
||||
+++ b/bin/confgen/Makefile.in |
||||
@@ -95,13 +95,14 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
-install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs |
||||
+install-man8: rndc-confgen.8 ddns-confgen.8 |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 |
||||
+ (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8) |
||||
+ |
||||
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs install-man8 |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir} |
||||
- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8 |
||||
(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@) |
||||
- (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8) |
||||
|
||||
uninstall:: |
||||
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8 |
||||
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in |
||||
index e2d2802262..19361a83ea 100644 |
||||
--- a/bin/delv/Makefile.in |
||||
+++ b/bin/delv/Makefile.in |
||||
@@ -63,10 +63,12 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 |
||||
|
||||
-install:: delv@EXEEXT@ installdirs |
||||
+install-man1: delv.1 |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 |
||||
+ |
||||
+install:: delv@EXEEXT@ installdirs install-man1 |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ |
||||
delv@EXEEXT@ ${DESTDIR}${bindir} |
||||
- ${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1 |
||||
|
||||
uninstall:: |
||||
rm -f ${DESTDIR}${mandir}/man1/delv.1 |
||||
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in |
||||
index 773ac46395..3edd951e7e 100644 |
||||
--- a/bin/dig/Makefile.in |
||||
+++ b/bin/dig/Makefile.in |
||||
@@ -91,16 +91,16 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 |
||||
|
||||
-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs |
||||
+install-man1: ${MANPAGES} |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 |
||||
+ |
||||
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs install-man1 |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ |
||||
dig@EXEEXT@ ${DESTDIR}${bindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ |
||||
host@EXEEXT@ ${DESTDIR}${bindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ |
||||
nslookup@EXEEXT@ ${DESTDIR}${bindir} |
||||
- for m in ${MANPAGES}; do \ |
||||
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ |
||||
- done |
||||
|
||||
uninstall:: |
||||
for m in ${MANPAGES}; do \ |
||||
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in |
||||
index 1be1d5ffc6..1d0c4ce5c1 100644 |
||||
--- a/bin/dnssec/Makefile.in |
||||
+++ b/bin/dnssec/Makefile.in |
||||
@@ -110,9 +110,11 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
-install:: ${TARGETS} installdirs |
||||
+install-man8: ${MANPAGES} |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 |
||||
+ |
||||
+install:: ${TARGETS} installdirs install-man8 |
||||
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done |
||||
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done |
||||
|
||||
uninstall:: |
||||
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done |
||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in |
||||
index 1c413973d0..03e4cb849b 100644 |
||||
--- a/bin/named/Makefile.in |
||||
+++ b/bin/named/Makefile.in |
||||
@@ -172,12 +172,17 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs |
||||
+install-man5: named.conf.5 |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5 |
||||
+ |
||||
+install-man8: named.8 lwresd.8 |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 |
||||
+ |
||||
+install-man: install-man5 install-man8 |
||||
+ |
||||
+install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} |
||||
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) |
||||
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 |
||||
|
||||
uninstall:: |
||||
rm -f ${DESTDIR}${mandir}/man5/named.conf.5 |
||||
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in |
||||
index ae9061626c..a058c91214 100644 |
||||
--- a/bin/pkcs11/Makefile.in |
||||
+++ b/bin/pkcs11/Makefile.in |
||||
@@ -71,7 +71,10 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
-install:: ${TARGETS} installdirs |
||||
+install-man8: ${MANPAGES} |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 |
||||
+ |
||||
+install:: ${TARGETS} installdirs install-man8 |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \ |
||||
${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \ |
||||
@@ -80,10 +83,6 @@ install:: ${TARGETS} installdirs |
||||
${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \ |
||||
${DESTDIR}${sbindir} |
||||
- ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8 |
||||
|
||||
uninstall:: |
||||
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8 |
||||
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in |
||||
index aa678d47ab..064c404e2f 100644 |
||||
--- a/bin/python/Makefile.in |
||||
+++ b/bin/python/Makefile.in |
||||
@@ -47,13 +47,13 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
-install:: ${TARGETS} installdirs |
||||
+install-man8: ${MANPAGES} |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 |
||||
+ |
||||
+install:: ${TARGETS} installdirs install-man8 |
||||
${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir} |
||||
${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir} |
||||
${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir} |
||||
- ${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8 |
||||
if test -n "${PYTHON}" ; then \ |
||||
if test -n "${DESTDIR}" ; then \ |
||||
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \ |
||||
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in |
||||
index 7bf2af4cea..c395bc7462 100644 |
||||
--- a/bin/tools/Makefile.in |
||||
+++ b/bin/tools/Makefile.in |
||||
@@ -119,17 +119,27 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
-nzd: |
||||
+nzd-man: named-nzd2nzf.8 |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 |
||||
+ |
||||
+nzd: nzd-man |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \ |
||||
${DESTDIR}${sbindir} |
||||
- ${INSTALL_DATA} ${srcdir}/named-nzd2nzf.8 ${DESTDIR}${mandir}/man8 |
||||
|
||||
-dnstap: |
||||
+dnstap-man: dnstap-read.1 |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 |
||||
+ |
||||
+dnstap: dnstap-man |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \ |
||||
${DESTDIR}${bindir} |
||||
- ${INSTALL_DATA} ${srcdir}/dnstap-read.1 ${DESTDIR}${mandir}/man1 |
||||
|
||||
-install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ |
||||
+install-man1: arpaname.1 named-rrchecker.1 mdig.1 |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 |
||||
+ |
||||
+install-man8: named-journalprint.8 nsec3hash.8 |
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 |
||||
+ |
||||
+install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ install-man1 install-man8 |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \ |
||||
${DESTDIR}${bindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \ |
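Review bot: The new `install-man1`, `install-man8`, `nzd-man` and `dnstap-man` targets (and the `install-man` aggregate in bin/named/Makefile.in) are command targets with no file of that name, yet none is declared phony, so a stray file called e.g. `install-man8` in the build directory would make them appear up to date and silently skip installing the manual pages; the pre-existing `nzd` and `dnstap` targets have the same gap. Add `.PHONY: install-man1 install-man8 nzd-man dnstap-man` beside the targets in each Makefile.in, trimming the list to the names that file defines. Using `$^` is sound here: with VPATH make picks the build-directory copy of each manual when one exists and the source copy otherwise, which is exactly the stated intent, and that deserves a one-line comment above the rule. The `install::` recipe continues past the end of the hunk.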
||||
@@ -144,13 +154,8 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ |
||||
${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \ |
||||
${DESTDIR}${bindir} |
||||
- ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1 |
||||
${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1 |
||||
- ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8 |
||||
${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1 |
||||
|
||||
uninstall:: |
||||
rm -f ${DESTDIR}${mandir}/man1/mdig.1 |
||||
-- |
||||
2.14.4 |
||||
|
@@ -0,0 +1,27 @@
|
||||
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h |
||||
index 640519a..fc40472 100644 |
||||
--- a/lib/dns/dst_internal.h |
||||
+++ b/lib/dns/dst_internal.h |
||||
@@ -59,6 +59,9 @@ |
||||
#include <openssl/objects.h> |
||||
#include <openssl/rsa.h> |
||||
#endif |
||||
+#if PKCS11CRYPTO |
||||
+#include <pk11/pk11.h> |
||||
+#endif |
||||
|
||||
ISC_LANG_BEGINDECLS |
||||
|
||||
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h |
||||
index aa8907a..603712a 100644 |
||||
--- a/lib/isc/include/pk11/internal.h |
||||
+++ b/lib/isc/include/pk11/internal.h |
||||
@@ -13,6 +13,8 @@ |
||||
#ifndef PK11_INTERNAL_H |
||||
#define PK11_INTERNAL_H 1 |
||||
|
||||
+#include <pk11/pk11.h> |
||||
+ |
||||
/*! \file pk11/internal.h */ |
||||
|
||||
ISC_LANG_BEGINDECLS |
@@ -0,0 +1,120 @@
|
||||
From 90416594843a56550e40b11561807786219ce1c4 Mon Sep 17 00:00:00 2001 |
||||
From: Evan Hunt <each@isc.org> |
||||
Date: Mon, 11 Sep 2017 15:01:36 -0700 |
||||
Subject: [PATCH] remap getaddrinfo() to irs_getgetaddrinfo() |
||||
|
||||
The libirs version of getaddrinfo() cannot be called from within BIND9. |
||||
|
||||
fix prototypes |
||||
--- |
||||
lib/irs/include/irs/netdb.h.in | 94 ++++++++++++++++++++++++++++++++++++++++++ |
||||
1 file changed, 94 insertions(+) |
||||
|
||||
diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in |
||||
index 23dcd37..f36113d 100644 |
||||
--- a/lib/irs/include/irs/netdb.h.in |
||||
+++ b/lib/irs/include/irs/netdb.h.in |
||||
@@ -150,6 +150,100 @@ struct addrinfo { |
||||
#define NI_DGRAM 0x00000010 |
||||
|
||||
/* |
||||
+ * Define to map into irs_ namespace. |
||||
+ */ |
||||
+ |
||||
+#define IRS_NAMESPACE |
||||
+ |
||||
+#ifdef IRS_NAMESPACE |
||||
+ |
||||
+/* |
||||
+ * Use our versions not the ones from the C library. |
||||
+ */ |
||||
+ |
||||
+#ifdef getnameinfo |
||||
+#undef getnameinfo |
||||
+#endif |
||||
+#define getnameinfo irs_getnameinfo |
||||
+ |
||||
+#ifdef getaddrinfo |
||||
+#undef getaddrinfo |
||||
+#endif |
||||
+#define getaddrinfo irs_getaddrinfo |
||||
+ |
||||
+#ifdef freeaddrinfo |
||||
+#undef freeaddrinfo |
||||
+#endif |
||||
+#define freeaddrinfo irs_freeaddrinfo |
||||
+ |
||||
+#ifdef gai_strerror |
||||
+#undef gai_strerror |
||||
+#endif |
||||
+#define gai_strerror irs_gai_strerror |
||||
+ |
||||
+#endif |
||||
+ |
||||
+extern int getaddrinfo (const char *name, |
||||
+ const char *service, |
||||
+ const struct addrinfo *req, |
||||
+ struct addrinfo **pai); |
||||
+extern int getnameinfo (const struct sockaddr *sa, |
||||
+ socklen_t salen, char *host, |
||||
+ socklen_t hostlen, char *serv, |
||||
+ socklen_t servlen, int flags); |
||||
+extern void freeaddrinfo (struct addrinfo *ai); |
||||
+extern const char *gai_strerror (int ecode); |
||||
+ |
||||
+/* |
||||
+ * Define to map into irs_ namespace. |
||||
+ */ |
||||
+ |
||||
+#define IRS_NAMESPACE |
||||
+ |
||||
+#ifdef IRS_NAMESPACE |
||||
+ |
||||
+/* |
||||
+ * Use our versions not the ones from the C library. |
||||
+ */ |
||||
+ |
||||
+#ifdef getnameinfo |
||||
+#undef getnameinfo |
||||
+#endif |
||||
+#define getnameinfo irs_getnameinfo |
||||
+ |
||||
+#ifdef getaddrinfo |
||||
+#undef getaddrinfo |
||||
+#endif |
||||
+#define getaddrinfo irs_getaddrinfo |
||||
+ |
||||
+#ifdef freeaddrinfo |
||||
+#undef freeaddrinfo |
||||
+#endif |
||||
+#define freeaddrinfo irs_freeaddrinfo |
||||
+ |
||||
+#ifdef gai_strerror |
||||
+#undef gai_strerror |
||||
+#endif |
||||
+#define gai_strerror irs_gai_strerror |
||||
+ |
||||
+int |
||||
+getaddrinfo(const char *hostname, const char *servname, |
||||
+ const struct addrinfo *hints, struct addrinfo **res); |
||||
+ |
||||
+int |
||||
+getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen, |
||||
+ char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen, |
||||
+ char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen, |
||||
+ IRS_GETNAMEINFO_FLAGS_T flags); |
||||
+ |
||||
+void freeaddrinfo (struct addrinfo *ai); |
||||
+ |
||||
+IRS_GAISTRERROR_RETURN_T |
||||
+gai_strerror(int ecode); |
||||
+ |
||||
+#endif |
||||
+ |
||||
+/* |
||||
* Tell Emacs to use C mode on this file. |
||||
* Local variables: |
||||
* mode: c |
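Review bot: The IRS_NAMESPACE remapping block is added twice in this hunk: `#define IRS_NAMESPACE`, the four `#undef`/`#define` pairs and the prototypes appear once at the top of the addition and again after the first `#endif`, with differing signatures (`socklen_t salen` and `const char *gai_strerror` in the first copy versus `IRS_GETNAMEINFO_SOCKLEN_T` and `IRS_GAISTRERROR_RETURN_T` in the second). If those macros expand to anything other than `socklen_t` and `const char *` on some platform the compiler sees conflicting declarations of irs_getnameinfo() and irs_gai_strerror(); even when they agree, the duplicate is dead weight that will confuse the next merge. Keep only the second copy, which uses the header's own IRS_* type macros, and delete the first block from its `Define to map into irs_ namespace` comment through `extern const char *gai_strerror (int ecode);`.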
||||
-- |
||||
2.9.5 |
||||
|
@@ -0,0 +1,14 @@
|
||||
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c |
||||
index 0ce5e42..556d920 100644 |
||||
--- a/lib/dns/dyndb.c |
||||
+++ b/lib/dns/dyndb.c |
||||
@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname, |
||||
instname, filename); |
||||
|
||||
flags = RTLD_NOW|RTLD_LOCAL; |
||||
-#ifdef RTLD_DEEPBIND |
||||
- flags |= RTLD_DEEPBIND; |
||||
-#endif |
||||
|
||||
handle = dlopen(filename, flags); |
||||
if (handle == NULL) |
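Review bot: Dropping `RTLD_DEEPBIND` from the dlopen() flags changes how a dyndb plugin's undefined symbols resolve: without it a plugin that carries or links its own copy of a library named also exports (libisc, libdns, OpenSSL) binds to named's copy rather than its own, which may well be what this platform needs, but nothing in the hunk or a commit message says why. Put a comment where the removed block was, e.g. `/* RTLD_DEEPBIND deliberately omitted: plugins must resolve libisc/libdns symbols from named itself (see <reason/bug>) */`, with the real reason filled in, so an upstream sync does not quietly reintroduce the flag. load_library() continues outside the hunk.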
@@ -0,0 +1,288 @@
|
||||
From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org> |
||||
Date: Wed, 25 Apr 2018 14:04:31 +0200 |
||||
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts |
||||
|
||||
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d) |
||||
|
||||
Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp() |
||||
|
||||
(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c) |
||||
|
||||
Fix the isc_safe_memwipe() usage with (NULL, >0) |
||||
|
||||
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846) |
||||
--- |
||||
bin/dnssec/dnssec-signzone.c | 2 +- |
||||
lib/dns/nsec3.c | 4 +-- |
||||
lib/dns/spnego.c | 4 +-- |
||||
lib/isc/Makefile.in | 8 ++--- |
||||
lib/isc/include/isc/safe.h | 18 ++++------ |
||||
lib/isc/safe.c | 81 -------------------------------------------- |
||||
lib/isc/tests/safe_test.c | 20 ----------- |
||||
7 files changed, 13 insertions(+), 124 deletions(-) |
||||
delete mode 100644 lib/isc/safe.c |
||||
|
||||
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c |
||||
index 53be1f5c60..351296a356 100644 |
||||
--- a/bin/dnssec/dnssec-signzone.c |
||||
+++ b/bin/dnssec/dnssec-signzone.c |
||||
@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, |
||||
|
||||
static int |
||||
hashlist_comp(const void *a, const void *b) { |
||||
- return (isc_safe_memcompare(a, b, hash_length + 1)); |
||||
+ return (memcmp(a, b, hash_length + 1)); |
||||
} |
||||
|
||||
static void |
||||
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c |
||||
index d364308aaf..37b6a8a7fe 100644 |
||||
--- a/lib/dns/nsec3.c |
||||
+++ b/lib/dns/nsec3.c |
||||
@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, |
||||
* Work out what this NSEC3 covers. |
||||
* Inside (<0) or outside (>=0). |
||||
*/ |
||||
- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length); |
||||
+ scope = memcmp(owner, nsec3.next, nsec3.next_length); |
||||
|
||||
/* |
||||
* Prepare to compute all the hashes. |
||||
@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, |
||||
return (ISC_R_IGNORE); |
||||
} |
||||
|
||||
- order = isc_safe_memcompare(hash, owner, length); |
||||
+ order = memcmp(hash, owner, length); |
||||
if (first && order == 0) { |
||||
/* |
||||
* The hashes are the same. |
||||
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c |
||||
index ce3e42d650..079d4c1b4a 100644 |
||||
--- a/lib/dns/spnego.c |
||||
+++ b/lib/dns/spnego.c |
||||
@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, |
||||
|
||||
/* mod_auth_kerb.c */ |
||||
|
||||
-static int |
||||
+static isc_boolean_t |
||||
cmp_gss_type(gss_buffer_t token, gss_OID gssoid) |
||||
{ |
||||
unsigned char *p; |
||||
@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) |
||||
if (((OM_uint32) *p++) != gssoid->length) |
||||
return (GSS_S_DEFECTIVE_TOKEN); |
||||
|
||||
- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length)); |
||||
+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length)); |
||||
} |
||||
|
||||
/* accept_sec_context.c */ |
||||
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in |
||||
index ba53ef1091..98acffffc9 100644 |
||||
--- a/lib/isc/Makefile.in |
||||
+++ b/lib/isc/Makefile.in |
||||
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ |
||||
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \ |
||||
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \ |
||||
rwlock.@O@ \ |
||||
- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ |
||||
+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ |
||||
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ |
||||
tm.@O@ timer.@O@ version.@O@ \ |
||||
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} |
||||
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ |
||||
netaddr.c netscope.c pool.c ondestroy.c \ |
||||
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ |
||||
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ |
||||
- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ |
||||
+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ |
||||
strtoul.c symtab.c task.c taskpool.c timer.c \ |
||||
tm.c version.c |
||||
|
||||
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@ |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
|
||||
-safe.@O@: safe.c |
||||
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \ |
||||
- -c ${srcdir}/safe.c |
||||
- |
||||
version.@O@: version.c |
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ |
||||
-DVERSION=\"${VERSION}\" \ |
||||
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h |
||||
index f29f00bac6..b8a0b2290c 100644 |
||||
--- a/lib/isc/include/isc/safe.h |
||||
+++ b/lib/isc/include/isc/safe.h |
||||
@@ -15,27 +15,21 @@ |
||||
|
||||
/*! \file isc/safe.h */ |
||||
|
||||
-#include <isc/types.h> |
||||
-#include <stdlib.h> |
||||
+#include <isc/boolean.h> |
||||
+#include <isc/lang.h> |
||||
+ |
||||
+#include <openssl/crypto.h> |
||||
|
||||
ISC_LANG_BEGINDECLS |
||||
|
||||
-isc_boolean_t |
||||
-isc_safe_memequal(const void *s1, const void *s2, size_t n); |
||||
+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n)) |
||||
/*%< |
||||
* Returns ISC_TRUE iff. two blocks of memory are equal, otherwise |
||||
* ISC_FALSE. |
||||
* |
||||
*/ |
||||
|
||||
-int |
||||
-isc_safe_memcompare(const void *b1, const void *b2, size_t len); |
||||
-/*%< |
||||
- * Clone of libc memcmp() which is safe to differential timing attacks. |
||||
- */ |
||||
- |
||||
-void |
||||
-isc_safe_memwipe(void *ptr, size_t len); |
||||
+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len) |
||||
/*%< |
||||
* Clear the memory of length `len` pointed to by `ptr`. |
||||
* |
||||
diff --git a/lib/isc/safe.c b/lib/isc/safe.c |
||||
deleted file mode 100644 |
||||
index 5c9e1e2d13..0000000000 |
||||
--- a/lib/isc/safe.c |
||||
+++ /dev/null |
||||
@@ -1,81 +0,0 @@ |
||||
-/* |
||||
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC") |
||||
- * |
||||
- * This Source Code Form is subject to the terms of the Mozilla Public |
||||
- * License, v. 2.0. If a copy of the MPL was not distributed with this |
||||
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
- * |
||||
- * See the COPYRIGHT file distributed with this work for additional |
||||
- * information regarding copyright ownership. |
||||
- */ |
||||
- |
||||
-/*! \file */ |
||||
- |
||||
-#include <config.h> |
||||
- |
||||
-#include <isc/safe.h> |
||||
-#include <isc/string.h> |
||||
-#include <isc/util.h> |
||||
- |
||||
-#ifdef WIN32 |
||||
-#include <windows.h> |
||||
-#endif |
||||
- |
||||
-#ifdef _MSC_VER |
||||
-#pragma optimize("", off) |
||||
-#endif |
||||
- |
||||
-isc_boolean_t |
||||
-isc_safe_memequal(const void *s1, const void *s2, size_t n) { |
||||
- isc_uint8_t acc = 0; |
||||
- |
||||
- if (n != 0U) { |
||||
- const isc_uint8_t *p1 = s1, *p2 = s2; |
||||
- |
||||
- do { |
||||
- acc |= *p1++ ^ *p2++; |
||||
- } while (--n != 0U); |
||||
- } |
||||
- return (ISC_TF(acc == 0)); |
||||
-} |
||||
- |
||||
- |
||||
-int |
||||
-isc_safe_memcompare(const void *b1, const void *b2, size_t len) { |
||||
- const unsigned char *p1 = b1, *p2 = b2; |
||||
- size_t i; |
||||
- int res = 0, done = 0; |
||||
- |
||||
- for (i = 0; i < len; i++) { |
||||
- /* lt is -1 if p1[i] < p2[i]; else 0. */ |
||||
- int lt = (p1[i] - p2[i]) >> CHAR_BIT; |
||||
- |
||||
- /* gt is -1 if p1[i] > p2[i]; else 0. */ |
||||
- int gt = (p2[i] - p1[i]) >> CHAR_BIT; |
||||
- |
||||
- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */ |
||||
- int cmp = lt - gt; |
||||
- |
||||
- /* set res = cmp if !done. */ |
||||
- res |= cmp & ~done; |
||||
- |
||||
- /* set done if p1[i] != p2[i]. */ |
||||
- done |= lt | gt; |
||||
- } |
||||
- |
||||
- return (res); |
||||
-} |
||||
- |
||||
-void |
||||
-isc_safe_memwipe(void *ptr, size_t len) { |
||||
- if (ISC_UNLIKELY(ptr == NULL || len == 0)) |
||||
- return; |
||||
- |
||||
-#ifdef WIN32 |
||||
- SecureZeroMemory(ptr, len); |
||||
-#elif HAVE_EXPLICIT_BZERO |
||||
- explicit_bzero(ptr, len); |
||||
-#else |
||||
- memset(ptr, 0, len); |
||||
-#endif |
||||
-} |
||||
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c |
||||
index f721cd1096..ea3e61f98d 100644 |
||||
--- a/lib/isc/tests/safe_test.c |
||||
+++ b/lib/isc/tests/safe_test.c |
||||
@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) { |
||||
"\x00\x00\x00\x00", 4)); |
||||
} |
||||
|
||||
-ATF_TC(isc_safe_memcompare); |
||||
-ATF_TC_HEAD(isc_safe_memcompare, tc) { |
||||
- atf_tc_set_md_var(tc, "descr", "safe memcompare()"); |
||||
-} |
||||
-ATF_TC_BODY(isc_safe_memcompare, tc) { |
||||
- UNUSED(tc); |
||||
- |
||||
- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0); |
||||
- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0); |
||||
- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0); |
||||
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", |
||||
- "\x00\x00\x00\x00", 4) == 0); |
||||
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", |
||||
- "\x00\x00\x00\x01", 4) < 0); |
||||
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02", |
||||
- "\x00\x00\x00\x00", 4) > 0); |
||||
-} |
||||
- |
||||
ATF_TC(isc_safe_memwipe); |
||||
ATF_TC_HEAD(isc_safe_memwipe, tc) { |
||||
atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()"); |
||||
@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { |
||||
/* These should pass. */ |
||||
isc_safe_memwipe(NULL, 0); |
||||
isc_safe_memwipe((void *) -1, 0); |
||||
- isc_safe_memwipe(NULL, 42); |
||||
|
||||
/* |
||||
* isc_safe_memwipe(ptr, size) should function same as |
||||
@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { |
||||
*/ |
||||
ATF_TP_ADD_TCS(tp) { |
||||
ATF_TP_ADD_TC(tp, isc_safe_memequal); |
||||
- ATF_TP_ADD_TC(tp, isc_safe_memcompare); |
||||
ATF_TP_ADD_TC(tp, isc_safe_memwipe); |
||||
return (atf_no_error()); |
||||
} |
||||
-- |
||||
2.14.4 |
||||
|
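Review bot: In the spnego.c hunk, `cmp_gss_type` is retyped to return `isc_boolean_t`, yet the path two lines above the changed return still does `return (GSS_S_DEFECTIVE_TOKEN);`, stuffing an OM_uint32 status code into a two-valued enum; callers that only test for non-zero keep working, but the declared type is now misleading. Either keep `static int`, or make the defective-token paths `return (ISC_TRUE);` and say in a comment that the function yields "mismatch", not a GSS status. In safe.h, the new `isc_safe_memwipe` macro forwards straight to `OPENSSL_cleanse`, which drops the former NULL/zero-length guard — the `(NULL, 42)` test case is removed to match, so a one-line warning above the macro, `/* Unlike the former function, a NULL ptr with len > 0 is not tolerated. */`, would keep remaining callers honest. Note also that the header now pulls in `<openssl/crypto.h>` for every includer, which presumably matters for the pkcs11 library variants built from the same sources — worth confirming they still build.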
@ -0,0 +1,72 @@
@@ -0,0 +1,72 @@
|
||||
From 9fcd066217e8b6f52b601bdd8a0cb6455f98b88c Mon Sep 17 00:00:00 2001 |
||||
From: Petr Mensik <pemensik@redhat.com> |
||||
Date: Thu, 7 Mar 2019 14:33:28 +0100 |
||||
Subject: [PATCH] Do not replace random generator on single thread |
||||
|
||||
DHCP builds fails to initialize dst library entropy generator. It does |
||||
not require it for anything. Instead of initializing it, skip replacing |
||||
custom random generator in single thread builds. Should use OpenSSL |
||||
default random generator in case of SSL. |
||||
|
||||
Related: rhbz#1685940 |
||||
--- |
||||
lib/dns/openssl_link.c | 8 +++++++- |
||||
1 file changed, 7 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c |
||||
index ec6dc7f..ca3ffbc 100644 |
||||
--- a/lib/dns/openssl_link.c |
||||
+++ b/lib/dns/openssl_link.c |
||||
@@ -31,6 +31,7 @@ |
||||
#include <isc/mem.h> |
||||
#include <isc/mutex.h> |
||||
#include <isc/mutexblock.h> |
||||
+#include <isc/platform.h> |
||||
#include <isc/string.h> |
||||
#include <isc/thread.h> |
||||
#include <isc/util.h> |
||||
@@ -220,6 +221,7 @@ dst__openssl_init(const char *engine) { |
||||
ERR_load_crypto_strings(); |
||||
#endif |
||||
|
||||
+#ifdef ISC_PLATFORM_USETHREADS |
||||
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE); |
||||
if (rm == NULL) { |
||||
result = ISC_R_NOMEMORY; |
||||
@@ -231,6 +233,7 @@ dst__openssl_init(const char *engine) { |
||||
rm->add = entropy_add; |
||||
rm->pseudorand = entropy_getpseudo; |
||||
rm->status = entropy_status; |
||||
+#endif |
||||
|
||||
#if !defined(OPENSSL_NO_ENGINE) |
||||
#if !defined(CONF_MFLAGS_DEFAULT_SECTION) |
||||
@@ -264,6 +267,7 @@ dst__openssl_init(const char *engine) { |
||||
} |
||||
} |
||||
|
||||
+#ifdef ISC_PLATFORM_USETHREADS |
||||
re = ENGINE_get_default_RAND(); |
||||
if (re == NULL) { |
||||
re = ENGINE_new(); |
||||
@@ -276,6 +280,7 @@ dst__openssl_init(const char *engine) { |
||||
ENGINE_free(re); |
||||
} else |
||||
ENGINE_finish(re); |
||||
+#endif |
||||
#else |
||||
RAND_set_rand_method(rm); |
||||
#endif /* !defined(OPENSSL_NO_ENGINE) */ |
||||
@@ -286,7 +291,8 @@ dst__openssl_init(const char *engine) { |
||||
if (e != NULL) |
||||
ENGINE_free(e); |
||||
e = NULL; |
||||
- mem_free(rm FILELINE); |
||||
+ if (rm != NULL) |
||||
+ mem_free(rm FILELINE); |
||||
rm = NULL; |
||||
#endif |
||||
cleanup_mutexinit: |
||||
-- |
||||
2.20.1 |
||||
|
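Review bot: The `RAND_set_rand_method(rm);` call in the `#else` branch of `!defined(OPENSSL_NO_ENGINE)` is left outside the new `ISC_PLATFORM_USETHREADS` guards, so a single-thread build compiled without engine support still installs `rm` even though the block that allocates and fills it is now skipped. It should be guarded the same way as the engine path: `#ifdef ISC_PLATFORM_USETHREADS` / `RAND_set_rand_method(rm);` / `#endif`. The added `if (rm != NULL)` in the cleanup path is only correct if `rm` is initialised to NULL at its declaration, which is outside the hunk — confirm that. dst__openssl_init() starts and ends outside these hunks.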
@ -0,0 +1,45 @@
@@ -0,0 +1,45 @@
|
||||
From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001 |
||||
From: Petr Mensik <pemensik@redhat.com> |
||||
Date: Thu, 21 Feb 2019 22:42:27 +0100 |
||||
Subject: [PATCH] Disable random_test |
||||
|
||||
It fails too often on some architecture, failing the whole build along. |
||||
Because it runs two times for pkcs11 and normal build and any of |
||||
subtests can occasionally fail, stop it. |
||||
|
||||
It can be used again by defining 'unstable' variable in Kyuafile. |
||||
--- |
||||
lib/isc/tests/Atffile | 3 ++- |
||||
lib/isc/tests/Kyuafile | 2 +- |
||||
2 files changed, 3 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile |
||||
index 8681844..74a4a77 100644 |
||||
--- a/lib/isc/tests/Atffile |
||||
+++ b/lib/isc/tests/Atffile |
||||
@@ -20,7 +20,8 @@ tp: pool_test |
||||
tp: print_test |
||||
tp: queue_test |
||||
tp: radix_test |
||||
-tp: random_test |
||||
+# random test fails too often |
||||
+#tp: random_test |
||||
tp: regex_test |
||||
tp: result_test |
||||
tp: safe_test |
||||
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile |
||||
index 1c510c1..a86824a 100644 |
||||
--- a/lib/isc/tests/Kyuafile |
||||
+++ b/lib/isc/tests/Kyuafile |
||||
@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'} |
||||
atf_test_program{name='print_test'} |
||||
atf_test_program{name='queue_test'} |
||||
atf_test_program{name='radix_test'} |
||||
-atf_test_program{name='random_test'} |
||||
+atf_test_program{name='random_test', required_configs='unstable'} |
||||
atf_test_program{name='regex_test'} |
||||
atf_test_program{name='result_test'} |
||||
atf_test_program{name='safe_test'} |
||||
-- |
||||
2.20.1 |
||||
|
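Review bot: The two files disable random_test in different ways: the Kyuafile keeps it runnable behind `required_configs='unstable'`, as the message describes, while the Atffile simply comments out `tp: random_test` with no equivalent switch, so ATF-driven runs lose the test entirely. Since this is the test that exercises the random/entropy sources, it would be better to gate it consistently, or at least to point the reader to the supported path in the Atffile comment, e.g. `# random test fails too often; run it via the Kyuafile with config 'unstable'`.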
@ -0,0 +1,196 @@
@@ -0,0 +1,196 @@
|
||||
From 738d12594972ad816e8cff9821f760aa0682fd08 Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Tue, 18 Dec 2018 16:06:26 +0100 |
||||
Subject: [PATCH] Make absolute hostname by dns API instead of strings |
||||
|
||||
Duplicate all strings in dc_list. Free allocated memory on each record. |
||||
--- |
||||
bin/sdb_tools/zone2ldap.c | 72 +++++++++++++++++++++++++++++------------------ |
||||
1 file changed, 45 insertions(+), 27 deletions(-) |
||||
|
||||
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c |
||||
index acf160b..cc482dc 100644 |
||||
--- a/bin/sdb_tools/zone2ldap.c |
||||
+++ b/bin/sdb_tools/zone2ldap.c |
||||
@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp); |
||||
/* Get a DN */ |
||||
char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone); |
||||
|
||||
+/* Free a DN list */ |
||||
+static void |
||||
+free_dc_list(char **dc_list); |
||||
+ |
||||
/* Add to RR list */ |
||||
void add_to_rr_list (char *dn, char *name, char *type, char *data, |
||||
unsigned int ttl, unsigned int flags); |
||||
@@ -123,6 +127,7 @@ static char dNSTTL []="dNSTTL"; |
||||
static char zoneName []="zoneName"; |
||||
static char dc []="dc"; |
||||
static char sameZone []="@"; |
||||
+static char dot []="."; |
||||
/* LDAPMod mod_values: */ |
||||
static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL }; |
||||
static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL }; |
||||
@@ -396,6 +401,8 @@ main (int argc, char **argv) |
||||
} |
||||
|
||||
} |
||||
+ |
||||
+ free_dc_list(dc_list); |
||||
} |
||||
else |
||||
{ |
||||
@@ -451,12 +458,17 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) |
||||
char data[2048]; |
||||
char **dc_list; |
||||
char *dn; |
||||
+ size_t argzone_len; |
||||
+ isc_boolean_t omit_dot; |
||||
|
||||
isc_buffer_t buff; |
||||
isc_result_t result; |
||||
|
||||
isc_buffer_init (&buff, name, sizeof (name)); |
||||
- result = dns_name_totext (dnsname, ISC_TRUE, &buff); |
||||
+ argzone_len = strlen(argzone); |
||||
+ /* If argzone is absolute, output absolute name too */ |
||||
+ omit_dot = ISC_TF(!(argzone_len > 0 && argzone[argzone_len-1] == '.')); |
||||
+ result = dns_name_totext (dnsname, omit_dot, &buff); |
||||
isc_result_check (result, "dns_name_totext"); |
||||
name[isc_buffer_usedlength (&buff)] = 0; |
||||
|
||||
@@ -478,6 +490,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) |
||||
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data); |
||||
|
||||
add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT); |
||||
+ free_dc_list(dc_list); |
||||
} |
||||
|
||||
|
||||
@@ -538,12 +551,9 @@ add_to_rr_list (char *dn, char *name, char *type, |
||||
if (tmp->attrs == (LDAPMod **) NULL) |
||||
fatal("calloc"); |
||||
|
||||
- for (i = 0; i < (int)flags; i++) |
||||
- { |
||||
- tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); |
||||
- if (tmp->attrs[i] == (LDAPMod *) NULL) |
||||
- fatal("malloc"); |
||||
- } |
||||
+ tmp->attrs[0] = (LDAPMod *) malloc (sizeof (LDAPMod)); |
||||
+ if (tmp->attrs[0] == (LDAPMod *) NULL) |
||||
+ fatal("malloc"); |
||||
tmp->attrs[0]->mod_op = LDAP_MOD_ADD; |
||||
tmp->attrs[0]->mod_type = objectClass; |
||||
|
||||
@@ -559,9 +569,18 @@ add_to_rr_list (char *dn, char *name, char *type, |
||||
return; |
||||
} |
||||
|
||||
+ for (i = 1; i < (int)flags-1; i++) |
||||
+ { |
||||
+ tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); |
||||
+ if (tmp->attrs[i] == (LDAPMod *) NULL) |
||||
+ fatal("malloc"); |
||||
+ } |
||||
+ tmp->attrs[i] = NULL; |
||||
+ |
||||
+ |
||||
tmp->attrs[1]->mod_op = LDAP_MOD_ADD; |
||||
tmp->attrs[1]->mod_type = relativeDomainName; |
||||
- tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); |
||||
+ tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 3); |
||||
|
||||
if (tmp->attrs[1]->mod_values == (char **)NULL) |
||||
fatal("calloc"); |
||||
@@ -705,25 +724,16 @@ char ** |
||||
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) |
||||
{ |
||||
char *tmp; |
||||
- int i = 0; |
||||
+ int i = 0, j = 0; |
||||
char *hname=0L, *last=0L; |
||||
int hlen=strlen(hostname), zlen=(strlen(zone)); |
||||
|
||||
/* printf("hostname: %s zone: %s\n",hostname, zone); */ |
||||
- hname=0L; |
||||
if(flags == DNS_OBJECT) |
||||
{ |
||||
- if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') ) |
||||
- { |
||||
- hname=(char*)malloc(hlen + 1); |
||||
- hlen += 1; |
||||
- sprintf(hname, "%s.", hostname); |
||||
- hostname = hname; |
||||
- } |
||||
if(strcmp(hostname, zone) == 0) |
||||
{ |
||||
- if( hname == 0 ) |
||||
- hname=strdup(hostname); |
||||
+ hname=strdup(hostname); |
||||
last = strdup(sameZone); |
||||
}else |
||||
{ |
||||
@@ -731,8 +741,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) |
||||
||( strcmp( hostname + (hlen - zlen), zone ) != 0) |
||||
) |
||||
{ |
||||
- if( hname != 0 ) |
||||
- free(hname); |
||||
hname=(char*)malloc( hlen + zlen + 1); |
||||
if( *zone == '.' ) |
||||
sprintf(hname, "%s%s", hostname, zone); |
||||
@@ -740,8 +748,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) |
||||
sprintf(hname,"%s",zone); |
||||
}else |
||||
{ |
||||
- if( hname == 0 ) |
||||
- hname = strdup(hostname); |
||||
+ hname = strdup(hostname); |
||||
} |
||||
last = hname; |
||||
} |
||||
@@ -754,18 +761,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) |
||||
for (tmp = strrchr (hname, '.'); tmp != (char *) 0; |
||||
tmp = strrchr (hname, '.')) |
||||
{ |
||||
- if( *( tmp + 1 ) != '\0' ) |
||||
+ tmp[0] = '\0'; |
||||
+ if( tmp[1] != '\0' ) |
||||
{ |
||||
- *tmp = '\0'; |
||||
dn_buffer[i++] = ++tmp; |
||||
}else |
||||
{ /* trailing '.' ! */ |
||||
- dn_buffer[i++] = strdup("."); |
||||
- *tmp = '\0'; |
||||
+ dn_buffer[i++] = dot; |
||||
if( tmp == hname ) |
||||
break; |
||||
} |
||||
} |
||||
+ for (j=0; j<i; j++) |
||||
+ { |
||||
+ dn_buffer[j] = strdup(dn_buffer[j]); |
||||
+ } |
||||
if( ( last != hname ) && (tmp != hname) ) |
||||
dn_buffer[i++] = hname; |
||||
dn_buffer[i++] = last; |
||||
@@ -825,6 +835,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone) |
||||
return dn; |
||||
} |
||||
|
||||
+static void |
||||
+free_dc_list(char **dc_list) |
||||
+{ |
||||
+ for (; *dc_list; dc_list++) { |
||||
+ free(*dc_list); |
||||
+ *dc_list=NULL; |
||||
+ } |
||||
+} |
||||
|
||||
/* Initialize LDAP Conn */ |
||||
void |
||||
-- |
||||
2.14.5 |
||||
|
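Review bot: The new `strdup()` calls in hostname_to_dn_list (`hname=strdup(hostname);` and the `dn_buffer[j] = strdup(dn_buffer[j]);` loop) are not checked for NULL, whereas the surrounding code aborts with `fatal("malloc")`/`fatal("calloc")` on allocation failure; a NULL entry in dn_buffer would also silently terminate the list early for free_dc_list. Each should be followed by a check such as `if (dn_buffer[j] == NULL) fatal("strdup");`. In generate_ldap, `dc_list[len]` is passed to add_to_rr_list as `name` and `free_dc_list(dc_list)` runs immediately afterwards, which is only safe if add_to_rr_list copies `name` into `mod_values` rather than storing the pointer — that assignment is outside the hunk, so confirm it duplicates the string. free_dc_list also relies on dn_buffer being NULL-terminated after the final `dn_buffer[i++] = last;`, which is not visible here either.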
@ -0,0 +1,23 @@
@@ -0,0 +1,23 @@
|
||||
# Configuration of files used in chroot |
||||
# Following files are made available after named-chroot.service start |
||||
# if they are missing or empty in target directory. |
||||
/etc/localtime |
||||
/etc/named.root.key |
||||
/etc/named.conf |
||||
/etc/named.rfc1912.zones |
||||
/etc/rndc.conf |
||||
/etc/rndc.key |
||||
/etc/named.iscdlv.key |
||||
/etc/crypto-policies/back-ends/bind.config |
||||
/etc/protocols |
||||
/etc/services |
||||
/etc/named.dnssec.keys |
||||
/etc/pki/dnssec-keys |
||||
/etc/named |
||||
/usr/lib64/bind |
||||
/usr/lib/bind |
||||
/run/named |
||||
# Warning: the order is important |
||||
# If a directory containing $ROOTDIR is listed here, |
||||
# it MUST be listed last. (/var/named contains /var/named/chroot) |
||||
/var/named |
@ -0,0 +1,55 @@
@@ -0,0 +1,55 @@
|
||||
#!/bin/sh |
||||
# |
||||
# This script will initialise token storage of softhsm PKCS11 provider |
||||
# in custom location. Is useful to store tokens in non-standard location. |
||||
|
||||
SOFTHSM2_CONF="$1" |
||||
TOKENPATH="$2" |
||||
GROUPNAME="$3" |
||||
# Do not use this script for real keys worth protection |
||||
# This is intended for crypto accelerators using PKCS11 interface. |
||||
# Uninitialized token would fail any crypto operation. |
||||
PIN=1234 |
||||
|
||||
set -e |
||||
|
||||
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then |
||||
echo "Usage: $0 <config file> <token directory> [group]" >&2 |
||||
exit 1 |
||||
fi |
||||
|
||||
if ! [ -f "$SOFTHSM2_CONF" ]; then |
||||
cat << SED > "$SOFTHSM2_CONF" |
||||
# SoftHSM v2 configuration file |
||||
|
||||
directories.tokendir = ${TOKENPATH} |
||||
objectstore.backend = file |
||||
|
||||
# ERROR, WARNING, INFO, DEBUG |
||||
log.level = ERROR |
||||
|
||||
# If CKF_REMOVABLE_DEVICE flag should be set |
||||
slots.removable = false |
||||
SED |
||||
else |
||||
echo "Config file $SOFTHSM2_CONF already exists" >&2 |
||||
fi |
||||
|
||||
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH" |
||||
|
||||
export SOFTHSM2_CONF |
||||
|
||||
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null |
||||
then |
||||
echo "Token in ${TOKENPATH} is already initialized" >&2 |
||||
else |
||||
echo "Initializing tokens to ${TOKENPATH}..." |
||||
softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN |
||||
|
||||
if [ -n "$GROUPNAME" ]; then |
||||
chgrp -R -- "$GROUPNAME" "$TOKENPATH" |
||||
chmod -R -- g=rX,o= "$TOKENPATH" |
||||
fi |
||||
fi |
||||
|
||||
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\"" |
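Review bot: The token directory created by `mkdir -p "$TOKENPATH"` and populated by `softhsm2-util --init-token` keeps whatever the caller's umask allows, because `chmod -R -- g=rX,o= "$TOKENPATH"` only runs when a group name is supplied; with the PIN fixed at 1234, directory permissions are the only thing keeping other local users away from the token store. Apply the world-access restriction unconditionally and set the group only when given, e.g. `chmod -R -- o= "$TOKENPATH"` after the init call, outside the `if [ -n "$GROUPNAME" ]` block. The heredoc-written config file has the same exposure; a `umask 027` near the top, before the config file and directory are created, covers both.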