From fed45eb58ba58e4826dbafa15e6cba4f9772f677 Mon Sep 17 00:00:00 2001 From: webbuilder_pel7ppc64lebuilder0 Date: Wed, 20 Nov 2019 15:06:35 +0100 Subject: [PATCH] bind update to 9.11 
Signed-off-by: webbuilder_pel7ppc64lebuilder0 --- SOURCES/bind-9.10-dist-native-pkcs11.patch | 620 ++++++ SOURCES/bind-9.10-sdb.patch | 309 +++ SOURCES/bind-9.10-use-of-strlcat.patch | 18 + SOURCES/bind-9.11-CVE-2018-5743-atomic.patch | 131 ++ SOURCES/bind-9.11-CVE-2018-5743.patch | 868 +++++++++ SOURCES/bind-9.11-CVE-2019-6471.patch | 48 + SOURCES/bind-9.11-dnssec-lookaside.patch | 49 + SOURCES/bind-9.11-ed448-disable.patch | 41 + SOURCES/bind-9.11-export-suffix.patch | 39 + SOURCES/bind-9.11-fips-code.patch | 1516 +++++++++++++++ SOURCES/bind-9.11-fips-tests.patch | 1781 ++++++++++++++++++ SOURCES/bind-9.11-host-idn-disable.patch | 100 + SOURCES/bind-9.11-kyua-pkcs11.patch | 206 ++ SOURCES/bind-9.11-libidn.patch | 303 +++ SOURCES/bind-9.11-no-default-cookies.patch | 70 + SOURCES/bind-9.11-no-default-ipv6.patch | 42 + SOURCES/bind-9.11-oot-manual.patch | 256 +++ SOURCES/bind-9.11-pk11.patch | 27 + SOURCES/bind-9.11-rh1205168.patch | 120 ++ SOURCES/bind-9.11-rh1410433.patch | 14 + SOURCES/bind-9.11-rh1624100.patch | 288 +++ SOURCES/bind-9.11-rh1685940.patch | 72 + SOURCES/bind-9.11-unit-disable-random.patch | 45 + SOURCES/bind-9.11-zone2ldap.patch | 196 ++ SOURCES/bind-9.3.1rc1-sdb_tools-Makefile.in | 2 +- SOURCES/bind-9.3.2-redhat_doc.patch | 18 +- SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch | 145 +- SOURCES/bind-9.3.2b2-sdbsrc.patch | 107 +- SOURCES/bind-9.5-dlz-64bit.patch | 75 +- SOURCES/bind-9.9.1-P2-dlz-libdb.patch | 34 +- SOURCES/bind-9.9.1-P2-multlib-conflict.patch | 65 +- SOURCES/bind-95-rh452060.patch | 18 +- SOURCES/bind93-rh726120.patch | 10 +- SOURCES/bind97-rh478718.patch | 41 +- SOURCES/bind99-rh640538.patch | 22 +- SOURCES/named-chroot-setup.service | 4 +- SOURCES/named-chroot.files | 23 + SOURCES/named-sdb-chroot-setup.service | 4 +- SOURCES/named.conf | 2 +- SOURCES/named.conf.sample | 4 +- SOURCES/setup-named-chroot.sh | 53 +- SOURCES/setup-named-softhsm.sh | 55 + SPECS/bind.spec | 1116 +++++++---- 43 files changed, 8269 insertions(+), 688 
deletions(-)
create mode 100644 SOURCES/bind-9.10-dist-native-pkcs11.patch
create mode 100644 SOURCES/bind-9.10-sdb.patch
create mode 100644 SOURCES/bind-9.10-use-of-strlcat.patch
create mode 100644 SOURCES/bind-9.11-CVE-2018-5743-atomic.patch
create mode 100644 SOURCES/bind-9.11-CVE-2018-5743.patch
create mode 100644 SOURCES/bind-9.11-CVE-2019-6471.patch
create mode 100644 SOURCES/bind-9.11-dnssec-lookaside.patch
create mode 100644 SOURCES/bind-9.11-ed448-disable.patch
create mode 100644 SOURCES/bind-9.11-export-suffix.patch
create mode 100644 SOURCES/bind-9.11-fips-code.patch
create mode 100644 SOURCES/bind-9.11-fips-tests.patch
create mode 100644 SOURCES/bind-9.11-host-idn-disable.patch
create mode 100644 SOURCES/bind-9.11-kyua-pkcs11.patch
create mode 100644 SOURCES/bind-9.11-libidn.patch
create mode 100644 SOURCES/bind-9.11-no-default-cookies.patch
create mode 100644 SOURCES/bind-9.11-no-default-ipv6.patch
create mode 100644 SOURCES/bind-9.11-oot-manual.patch
create mode 100644 SOURCES/bind-9.11-pk11.patch
create mode 100644 SOURCES/bind-9.11-rh1205168.patch
create mode 100644 SOURCES/bind-9.11-rh1410433.patch
create mode 100644 SOURCES/bind-9.11-rh1624100.patch
create mode 100644 SOURCES/bind-9.11-rh1685940.patch
create mode 100644 SOURCES/bind-9.11-unit-disable-random.patch
create mode 100644 SOURCES/bind-9.11-zone2ldap.patch
create mode 100644 SOURCES/named-chroot.files
create mode 100755 SOURCES/setup-named-softhsm.sh
diff --git a/SOURCES/bind-9.10-dist-native-pkcs11.patch b/SOURCES/bind-9.10-dist-native-pkcs11.patch
new file mode 100644
index 0000000..a700078
--- /dev/null
+++ b/SOURCES/bind-9.10-dist-native-pkcs11.patch
@@ -0,0 +1,620 @@ +diff --git a/bin/Makefile.in b/bin/Makefile.in +index f0c504a..ce7a2da 100644 +--- a/bin/Makefile.in ++++ b/bin/Makefile.in +@@ -11,8 +11,8 @@ srcdir = @srcdir@ + VPATH = @srcdir@ + top_srcdir = @top_srcdir@ + +-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \ +- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests ++SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ ++ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests + TARGETS = + + @BIND9_MAKE_RULES@ +diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in +index 1d0c4ce..7b7f89b 100644 +--- a/bin/dnssec-pkcs11/Makefile.in ++++ b/bin/dnssec-pkcs11/Makefile.in +@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ ++CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} + + CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ +- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" ++ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" + CWARNINGS = + +-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ +-ISCLIBS = ../../lib/isc/libisc.@A@ +-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ ++ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ +-ISCDEPLIBS = ../../lib/isc/libisc.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + + DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} + +@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ + NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ + + # Alphabetically +-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \ +- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ +- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \ +- dnssec-verify@EXEEXT@ 
dnssec-importkey@EXEEXT@ ++TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \ ++ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \ ++ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \ ++ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@ + + OBJS = dnssectool.@O@ + +@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} + + @BIND9_MAKE_RULES@ + +-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} ++dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} ++dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} ++dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ + -c ${srcdir}/dnssec-signzone.c + +-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} ++dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ + -c ${srcdir}/dnssec-verify.c + +-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} ++dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} ++dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + 
dnssec-revoke.@O@ ${OBJS} ${LIBS} + +-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} ++dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-settime.@O@ ${OBJS} ${LIBS} + +-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} ++dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-importkey.@O@ ${OBJS} ${LIBS} + +@@ -108,16 +108,14 @@ docclean manclean maintainer-clean:: + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} +- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + + install-man8: ${MANPAGES} + ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 + +-install:: ${TARGETS} installdirs install-man8 ++install:: ${TARGETS} installdirs + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done + + uninstall:: +- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done + + clean distclean:: +diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in +index 1d0c4ce..11538cf 100644 +--- a/bin/dnssec/Makefile.in ++++ b/bin/dnssec/Makefile.in +@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@ + + CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ + +-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ ++CDEFINES = -DVERSION=\"${VERSION}\" \ + @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" + CWARNINGS = + +diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in +index d92bc9a..a8c42a4 100644 +--- a/bin/named-pkcs11/Makefile.in ++++ b/bin/named-pkcs11/Makefile.in +@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ + DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ + + CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. 
\ +- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ +- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ ++ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ ++ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ + ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ + +-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ ++CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ + + CWARNINGS = + +-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ + ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCCCLIBS = ../../lib/isccc/libisccc.@A@ +-ISCLIBS = ../../lib/isc/libisc.@A@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ + LWRESLIBS = ../../lib/lwres/liblwres.@A@ + BIND9LIBS = ../../lib/bind9/libbind9.@A@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ + ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ +-ISCDEPLIBS = ../../lib/isc/libisc.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ + BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ + +@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ + + NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ + + SUBDIRS = unix + +-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ ++TARGETS = named-pkcs11@EXEEXT@ + + GEOIPLINKOBJS = geoip.@O@ + +@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ + tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ + zoneconf.@O@ \ + lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ +- lwdgnba.@O@ 
lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ +- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} ++ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ + + UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ + +@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ + tkeyconf.c tsigconf.c update.c xfrout.c \ + zoneconf.c \ + lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ +- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ +- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} ++ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c + + MANPAGES = named.8 lwresd.8 named.conf.5 + +@@ -146,14 +144,14 @@ server.@O@: server.c + -DPRODUCT=\"${PRODUCT}\" \ + -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c + +-named@EXEEXT@: ${OBJS} ${DEPLIBS} ++named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS} + export MAKE_SYMTABLE="yes"; \ + export BASEOBJS="${OBJS} ${UOBJS}"; \ + ${FINALBUILDCMD} + +-lwresd@EXEEXT@: named@EXEEXT@ ++lwresd@EXEEXT@: named-pkcs11@EXEEXT@ + rm -f lwresd@EXEEXT@ +- @LN@ named@EXEEXT@ lwresd@EXEEXT@ ++ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@ + + doc man:: ${MANOBJS} + +@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8 + + install-man: install-man5 install-man8 + +-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} +- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) ++install:: named-pkcs11@EXEEXT@ installdirs ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} + + uninstall:: +- rm -f ${DESTDIR}${mandir}/man5/named.conf.5 +- rm -f ${DESTDIR}${mandir}/man8/lwresd.8 +- rm -f ${DESTDIR}${mandir}/man8/named.8 +- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ + + @DLZ_DRIVER_RULES@ + +diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in +index d92bc9a..6d2bfd1 100644 +--- a/bin/named/Makefile.in ++++ 
b/bin/named/Makefile.in +@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ + ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ + ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ + +-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ ++CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ + + CWARNINGS = + +diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in +index 70ee8b5..0fd8644 100644 +--- a/bin/pkcs11/Makefile.in ++++ b/bin/pkcs11/Makefile.in +@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = ${ISC_INCLUDES} ++CINCLUDES = ${ISC_PKCS11_INCLUDES} + + CDEFINES = + +-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ + +-ISCDEPLIBS = ../../lib/isc/libisc.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + + DEPLIBS = ${ISCDEPLIBS} + +diff --git a/configure.in b/configure.in +index 9a1d16d..2f13059 100644 +--- a/configure.in ++++ b/configure.in +@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI) + AC_SUBST(DST_GSSAPI_INC) + AC_SUBST(DNS_GSSAPI_LIBS) + DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" ++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" + + # + # Applications linking with libdns also need to link with these libraries. + # + + AC_SUBST(DNS_CRYPTO_LIBS) ++AC_SUBST(DNS_CRYPTO_PK11_LIBS) + + # + # was --with-randomdev specified? 
+@@ -1554,11 +1556,11 @@ fi + AC_MSG_CHECKING(for OpenSSL library) + OPENSSL_WARNING= + openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" +-if test "yes" = "$want_native_pkcs11" +-then +- use_openssl="native_pkcs11" +- AC_MSG_RESULT(use of native PKCS11 instead) +-fi ++# if test "yes" = "$want_native_pkcs11" ++# then ++# use_openssl="native_pkcs11" ++# AC_MSG_RESULT(use of native PKCS11 instead) ++# fi + + if test "auto" = "$use_openssl" + then +@@ -1571,6 +1573,7 @@ then + fi + done + fi ++CRYPTO_PK11="" + OPENSSL_ECDSA="" + OPENSSL_GOST="" + OPENSSL_ED25519="" +@@ -1592,11 +1595,10 @@ case "$with_gost" in + ;; + esac + +-case "$use_openssl" in +- native_pkcs11) +- AC_MSG_RESULT(disabled because of native PKCS11) ++if test "$want_native_pkcs11" = "yes" ++then + DST_OPENSSL_INC="" +- CRYPTO="-DPKCS11CRYPTO" ++ CRYPTO_PK11="-DPKCS11CRYPTO" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -1605,7 +1607,9 @@ case "$use_openssl" in + OPENSSLGOSTLINKSRCS="" + OPENSSLLINKOBJS="" + OPENSSLLINKSRCS="" +- ;; ++fi ++ ++case "$use_openssl" in + no) + AC_MSG_RESULT(no) + DST_OPENSSL_INC="" +@@ -1635,11 +1639,11 @@ case "$use_openssl" in + If you don't want OpenSSL, use --without-openssl]) + ;; + *) +- if test "yes" = "$want_native_pkcs11" +- then +- AC_MSG_RESULT() +- AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) +- fi ++ # if test "yes" = "$want_native_pkcs11" ++ # then ++ # AC_MSG_RESULT() ++ # AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) ++ # fi + if test "yes" = "$use_openssl" + then + # User did not specify a path - guess it +@@ -2062,6 +2066,7 @@ AC_SUBST(OPENSSL_ED25519) + AC_SUBST(OPENSSL_GOST) + + DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" ++DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS" + + ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" + if test "yes" = "$with_aes" +@@ -2381,6 +2386,7 @@ esac + AC_SUBST(PKCS11LINKOBJS) + AC_SUBST(PKCS11LINKSRCS) + AC_SUBST(CRYPTO) 
++AC_SUBST(CRYPTO_PK11) + AC_SUBST(PKCS11_ECDSA) + AC_SUBST(PKCS11_GOST) + AC_SUBST(PKCS11_ED25519) +@@ -5434,8 +5440,11 @@ AC_CONFIG_FILES([ + bin/delv/Makefile + bin/dig/Makefile + bin/dnssec/Makefile ++ bin/dnssec-pkcs11/Makefile + bin/named/Makefile + bin/named/unix/Makefile ++ bin/named-pkcs11/Makefile ++ bin/named-pkcs11/unix/Makefile + bin/nsupdate/Makefile + bin/pkcs11/Makefile + bin/python/Makefile +@@ -5509,6 +5518,10 @@ AC_CONFIG_FILES([ + lib/dns/include/dns/Makefile + lib/dns/include/dst/Makefile + lib/dns/tests/Makefile ++ lib/dns-pkcs11/Makefile ++ lib/dns-pkcs11/include/Makefile ++ lib/dns-pkcs11/include/dns/Makefile ++ lib/dns-pkcs11/include/dst/Makefile + lib/irs/Makefile + lib/irs/include/Makefile + lib/irs/include/irs/Makefile +@@ -5533,6 +5546,24 @@ AC_CONFIG_FILES([ + lib/isc/unix/include/Makefile + lib/isc/unix/include/isc/Makefile + lib/isc/unix/include/pkcs11/Makefile ++ lib/isc-pkcs11/$arch/Makefile ++ lib/isc-pkcs11/$arch/include/Makefile ++ lib/isc-pkcs11/$arch/include/isc/Makefile ++ lib/isc-pkcs11/$thread_dir/Makefile ++ lib/isc-pkcs11/$thread_dir/include/Makefile ++ lib/isc-pkcs11/$thread_dir/include/isc/Makefile ++ lib/isc-pkcs11/Makefile ++ lib/isc-pkcs11/include/Makefile ++ lib/isc-pkcs11/include/isc/Makefile ++ lib/isc-pkcs11/include/isc/platform.h ++ lib/isc-pkcs11/include/pk11/Makefile ++ lib/isc-pkcs11/include/pkcs11/Makefile ++ lib/isc-pkcs11/tests/Makefile ++ lib/isc-pkcs11/nls/Makefile ++ lib/isc-pkcs11/unix/Makefile ++ lib/isc-pkcs11/unix/include/Makefile ++ lib/isc-pkcs11/unix/include/isc/Makefile ++ lib/isc-pkcs11/unix/include/pkcs11/Makefile + lib/isccc/Makefile + lib/isccc/include/Makefile + lib/isccc/include/isccc/Makefile +diff --git a/lib/Makefile.in b/lib/Makefile.in +index 81270a0..bcb5312 100644 +--- a/lib/Makefile.in ++++ b/lib/Makefile.in +@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ + # Attempt to disable parallel processing. 
+ .NOTPARALLEL: + .NO_PARALLEL: +-SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples ++SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples + TARGETS = + + @BIND9_MAKE_RULES@ +diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in +index 4a8549e..6a19906 100644 +--- a/lib/dns-pkcs11/Makefile.in ++++ b/lib/dns-pkcs11/Makefile.in +@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@ + + USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ + +-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ +- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ ++CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ ++ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ + +-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} ++CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} + + CWARNINGS = + +-ISCLIBS = ../../lib/isc/libisc.@A@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + +-ISCDEPLIBS = ../../lib/isc/libisc.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + + LIBS = @LIBS@ + +@@ -146,15 +146,15 @@ version.@O@: version.c + -DLIBAGE=${LIBAGE} \ + -c ${srcdir}/version.c + +-libdns.@SA@: ${OBJS} ++libdns-pkcs11.@SA@: ${OBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + +-libdns.la: ${OBJS} ++libdns-pkcs11.la: ${OBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ + -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ +- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} ++ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} + + include: gen + ${MAKE} include/dns/enumtype.h +@@ -180,25 +180,25 @@ code.h: gen + ./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; } + + gen: gen.c +- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \ ++ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \ + ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ 
${srcdir}/gen.c ${BUILD_LIBS} + +-timestamp: include libdns.@A@ ++timestamp: include libdns-pkcs11.@A@ + touch timestamp + +-testdirs: libdns.@A@ ++testdirs: libdns-pkcs11.@A@ + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} + + install:: timestamp installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@ + + clean distclean:: +- rm -f libdns.@A@ timestamp ++ rm -f libdns-pkcs11.@A@ timestamp + rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h + rm -f include/dns/rdatastruct.h + rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h +diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in +index ba53ef1..d1f1771 100644 +--- a/lib/isc-pkcs11/Makefile.in ++++ b/lib/isc-pkcs11/Makefile.in +@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \ + -I${srcdir}/@ISC_THREAD_DIR@/include \ + -I${srcdir}/@ISC_ARCH_DIR@/include \ + -I./include \ +- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@ +-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" ++ -I${srcdir}/include ${DNS_PKCS11_INCLUDES} ++CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" + CWARNINGS = + + # Alphabetically +@@ -107,40 +107,40 @@ version.@O@: version.c + -DLIBAGE=${LIBAGE} \ + -c ${srcdir}/version.c + +-libisc.@SA@: ${OBJS} ${SYMTBLOBJS} ++libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS} + ${RANLIB} $@ + +-libisc-nosymtbl.@SA@: ${OBJS} ++libisc-pkcs11-nosymtbl.@SA@: ${OBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + +-libisc.la: ${OBJS} ${SYMTBLOBJS} ++libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o 
libisc-pkcs11.la -rpath ${libdir} \ + -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ + ${OBJS} ${SYMTBLOBJS} ${LIBS} + +-libisc-nosymtbl.la: ${OBJS} ++libisc-pkcs11-nosymtbl.la: ${OBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \ + -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ + ${OBJS} ${LIBS} + +-timestamp: libisc.@A@ libisc-nosymtbl.@A@ ++timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ + touch timestamp + +-testdirs: libisc.@A@ libisc-nosymtbl.@A@ ++testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} + + install:: timestamp installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@ + + clean distclean:: +- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \ +- libisc-nosymtbl.la timestamp ++ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \ ++ libisc-pkcs11-nosymtbl.la timestamp +diff --git a/make/includes.in b/make/includes.in +index fa86ad1..3cfbe9f 100644 +--- a/make/includes.in ++++ b/make/includes.in +@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ + + TEST_INCLUDES = \ + -I${top_srcdir}/lib/tests/include ++ ++ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \ ++ -I${top_srcdir}/lib/isc-pkcs11 \ ++ -I${top_srcdir}/lib/isc-pkcs11/include \ ++ -I${top_srcdir}/lib/isc-pkcs11/unix/include \ ++ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \ ++ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include ++ ++DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \ ++ -I${top_srcdir}/lib/dns-pkcs11/include 
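Review bot: In the bin/named-pkcs11/Makefile.in section, `ISCLIBS` is switched to `../../lib/isc-pkcs11/libisc-pkcs11.@A@` but the untouched context line `ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@` still points at the stock libisc, so the `NOSYMLIBS` link of `named-pkcs11` mixes the PKCS11 build of libdns with the non-PKCS11 libisc, while the sibling bin/dnssec-pkcs11/Makefile.in in the same hunk does update its `ISCNOSYMLIBS`. The lib/isc-pkcs11/Makefile.in section builds `libisc-pkcs11-nosymtbl.@A@`, so the line should read `ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@`. That same Makefile also keeps `@DST_OPENSSL_INC@` in `CINCLUDES` whereas dnssec-pkcs11 drops it; presumably harmless, but worth confirming the PKCS11 named is not picking up OpenSSL headers unintentionally. In the configure.in section the "OpenSSL and native PKCS11 cannot be used together" guard is commented out rather than removed; a one-line comment such as `# both crypto back ends are built in parallel into separate *-pkcs11 libraries` would explain why the check is disabled.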
diff --git a/SOURCES/bind-9.10-sdb.patch b/SOURCES/bind-9.10-sdb.patch
new file mode 100644
index 0000000..7874a5c
--- /dev/null
+++ b/SOURCES/bind-9.10-sdb.patch
@@ -0,0 +1,309 @@ +diff --git a/bin/Makefile.in b/bin/Makefile.in +index ce7a2da..4e6a824 100644 +--- a/bin/Makefile.in ++++ b/bin/Makefile.in +@@ -11,8 +11,8 @@ srcdir = @srcdir@ + VPATH = @srcdir@ + top_srcdir = @top_srcdir@ + +-SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ +- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests ++SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ ++ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests + TARGETS = + + @BIND9_MAKE_RULES@ +diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in +index 6d2bfd1..d3f42e8 100644 +--- a/bin/named-sdb/Makefile.in ++++ b/bin/named-sdb/Makefile.in +@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@ + # + # Add database drivers here. + # +-DBDRIVER_OBJS = +-DBDRIVER_SRCS = ++DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@ ++DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c + DBDRIVER_INCLUDES = +-DBDRIVER_LIBS = ++DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq + + DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers + +@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + + SUBDIRS = unix + +-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ ++TARGETS = named-sdb@EXEEXT@ + + GEOIPLINKOBJS = geoip.@O@ + +@@ -146,7 +146,7 @@ server.@O@: server.c + -DPRODUCT=\"${PRODUCT}\" \ + -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c + +-named@EXEEXT@: ${OBJS} ${DEPLIBS} ++named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS} + export MAKE_SYMTABLE="yes"; \ + export BASEOBJS="${OBJS} ${UOBJS}"; \ + ${FINALBUILDCMD} +@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} +- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 +- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + + install-man5: named.conf.5 + ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5 +@@ -184,16 +182,11 @@ install-man8: named.8 
lwresd.8 + + install-man: install-man5 install-man8 + +-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} +- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) ++install:: ${TARGETS} installdirs ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir} + + uninstall:: +- rm -f ${DESTDIR}${mandir}/man5/named.conf.5 +- rm -f ${DESTDIR}${mandir}/man8/lwresd.8 +- rm -f ${DESTDIR}${mandir}/man8/named.8 +- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@ + + @DLZ_DRIVER_RULES@ + +diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c +index bb639d9..555c4d9 100644 +--- a/bin/named-sdb/main.c ++++ b/bin/named-sdb/main.c +@@ -91,6 +91,10 @@ + * Include header files for database drivers here. + */ + /* #include "xxdb.h" */ ++#include "ldapdb.h" ++#include "pgsqldb.h" ++#include "sqlitedb.h" ++#include "dirdb.h" + + #ifdef CONTRIB_DLZ + /* +@@ -1061,6 +1065,11 @@ setup(void) { + ns_main_earlyfatal("isc_app_start() failed: %s", + isc_result_totext(result)); + ++ ldapdb_clear(); ++ pgsqldb_clear(); ++ dirdb_clear(); ++ sqlitedb_clear(); ++ + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, + ISC_LOG_NOTICE, "starting %s %s%s%s ", + ns_g_product, ns_g_version, +@@ -1261,6 +1270,75 @@ setup(void) { + isc_result_totext(result)); + #endif + ++ result = ldapdb_init(); ++ if (result != ISC_R_SUCCESS) ++ { ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB ldap module initialisation failed: %s.", ++ isc_result_totext(result) ++ ); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB ldap zone database will be unavailable." 
++ ); ++ }else ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_NOTICE, "SDB ldap zone database module loaded." ++ ); ++ ++ result = pgsqldb_init(); ++ if (result != ISC_R_SUCCESS) ++ { ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB pgsql module initialisation failed: %s.", ++ isc_result_totext(result) ++ ); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB pgsql zone database will be unavailable." ++ ); ++ }else ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded." ++ ); ++ ++ result = sqlitedb_init(); ++ if (result != ISC_R_SUCCESS) ++ { ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB sqlite3 module initialisation failed: %s.", ++ isc_result_totext(result) ++ ); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB sqlite3 zone database will be unavailable." ++ ); ++ }else ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded." ++ ); ++ ++ result = dirdb_init(); ++ if (result != ISC_R_SUCCESS) ++ { ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB directory DB module initialisation failed: %s.", ++ isc_result_totext(result) ++ ); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB directory DB zone database will be unavailable." ++ ); ++ }else ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded." 
++ ); ++ ++ + ns_server_create(ns_g_mctx, &ns_g_server); + + #ifdef HAVE_LIBSECCOMP +@@ -1303,6 +1381,11 @@ cleanup(void) { + + dns_name_destroy(); + ++ ldapdb_clear(); ++ pgsqldb_clear(); ++ sqlitedb_clear(); ++ dirdb_clear(); ++ + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, + ISC_LOG_NOTICE, "exiting"); + ns_log_shutdown(); +diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in +index 6d2bfd1..86f8587 100644 +--- a/bin/named/Makefile.in ++++ b/bin/named/Makefile.in +@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ + CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ + ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ + ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ +- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ ++ @DST_OPENSSL_INC@ + +-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ ++CDEFINES = @CRYPTO@ + + CWARNINGS = + +@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ + + NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ + + SUBDIRS = unix + +@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ + tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ + zoneconf.@O@ \ + lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ +- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ +- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} ++ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ + + UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ + +@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ + tkeyconf.c tsigconf.c update.c xfrout.c \ + zoneconf.c \ + lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ +- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ +- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} ++ lwdgnba.c lwdgrbn.c 
lwdnoop.c lwsearch.c + + MANPAGES = named.8 lwresd.8 named.conf.5 + +@@ -195,7 +193,5 @@ uninstall:: + rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ + ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ + +-@DLZ_DRIVER_RULES@ +- + named-symtbl.@O@: named-symtbl.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c +diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in +index c7e0868..95ab742 100644 +--- a/bin/sdb_tools/Makefile.in ++++ b/bin/sdb_tools/Makefile.in +@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ + +-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ ++TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ + +-OBJS = zone2ldap.@O@ zonetodb.@O@ ++OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ + +-SRCS = zone2ldap.c zonetodb.c ++SRCS = zone2ldap.c zonetodb.c zone2sqlite.c + + MANPAGES = zone2ldap.1 + +@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS} + zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} + ++zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} ++ + clean distclean manclean maintainer-clean:: + rm -f ${TARGETS} ${OBJS} + +@@ -60,4 +63,5 @@ installdirs: + install:: ${TARGETS} installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} + ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 +diff --git a/configure.in b/configure.in +index 62536a6..f571a4f 100644 +--- a/configure.in ++++ b/configure.in +@@ -5445,6 +5445,8 @@ 
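Review bot: The new `zone2sqlite@EXEEXT@:` link rule uses `${ALL_CFLAGS}` where the adjacent `zonetodb` rule uses `${CFLAGS}`, and it hard-codes `-lsqlite3 -lssl` rather than going through the configure-substituted OpenSSL variables the rest of the tree links with (the named Makefile in this same patch uses `@DST_OPENSSL_INC@` for the include side). A literal `-lssl` picks whatever libssl the linker finds first, so the tool can end up bound to a different crypto library than named in a PKCS#11/FIPS build. Suggest aligning it with its sibling, `${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 ${LIBS}`, and adding the configure-provided OpenSSL libs variable only if zone2sqlite.c really calls into OpenSSL, which cannot be confirmed from this hunk.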
AC_CONFIG_FILES([
+ bin/named/unix/Makefile
+ bin/named-pkcs11/Makefile
+ bin/named-pkcs11/unix/Makefile
++ bin/named-sdb/Makefile
++ bin/named-sdb/unix/Makefile
+ bin/nsupdate/Makefile
+ bin/pkcs11/Makefile
+ bin/python/Makefile
+@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
+ bin/python/isc/tests/dnskey_test.py
+ bin/python/isc/tests/policy_test.py
+ bin/rndc/Makefile
++ bin/sdb_tools/Makefile
+ bin/tests/Makefile
+ bin/tests/headerdep_test.sh
+ bin/tests/optional/Makefile
diff --git a/SOURCES/bind-9.10-use-of-strlcat.patch
new file mode 100644
index 0000000..2a39916
--- /dev/null
+++ b/SOURCES/bind-9.10-use-of-strlcat.patch
@@ -0,0 +1,18 @@
+diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
+index d56bc56..99c3314 100644
+--- a/bin/sdb_tools/zone2ldap.c
++++ b/bin/sdb_tools/zone2ldap.c
+@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
+ }
+
+
+- strlcat (dn, tmp, sizeof (dn));
++ strncat (dn, tmp, sizeof (dn) - strlen (dn));
+ }
+
+ sprintf (tmp, "dc=%s", dc_list[0]);
+- strlcat (dn, tmp, sizeof (dn));
++ strncat (dn, tmp, sizeof (dn) - strlen (dn));
+
+ fflush(NULL);
+ return dn;
diff --git a/SOURCES/bind-9.11-CVE-2018-5743-atomic.patch
new file mode 100644
index 0000000..5647ab6
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2018-5743-atomic.patch
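Review bot: Both replacement lines `strncat (dn, tmp, sizeof (dn) - strlen (dn));` are off by one: strncat's size argument is the number of bytes to append not counting the terminating NUL, so when tmp does not fit it copies `sizeof(dn) - strlen(dn)` bytes and then writes the NUL one past the end of dn. The strlcat calls being removed were bounded correctly; the equivalent strncat bound is `strncat (dn, tmp, sizeof (dn) - strlen (dn) - 1);` on both lines. The `sprintf (tmp, "dc=%s", dc_list[0]);` context line is unbounded as well and takes attacker-influenced zone data, but tmp's size is not visible here, so this is only a pointer to check. build_dn_from_dc_list's body starts outside the hunk.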
@@ -0,0 +1,131 @@ +From 94e08314024c812063bf99bd191a46265a2ba49f Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Wed, 24 Apr 2019 21:10:26 +0200 +Subject: [PATCH] Missing atomic fix to original CVE patch + +--- + bin/named/client.c | 18 +++++++----------- + bin/named/include/named/interfacemgr.h | 5 +++-- + bin/named/interfacemgr.c | 7 +++++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/bin/named/client.c b/bin/named/client.c +index 3ada6e9..d3bf47d 100644 +--- a/bin/named/client.c ++++ b/bin/named/client.c +@@ -405,12 +405,10 @@ tcpconn_detach(ns_client_t *client) { + static void + mark_tcp_active(ns_client_t *client, isc_boolean_t active) { + if (active && !client->tcpactive) { +- isc_atomic_xadd(&client->interface->ntcpactive, 1); ++ isc_refcount_increment0(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } else if (!active && client->tcpactive) { +- uint32_t old = +- isc_atomic_xadd(&client->interface->ntcpactive, -1); +- INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } + } +@@ -557,7 +555,7 @@ exit_check(ns_client_t *client) { + if (client->mortal && TCP_CLIENT(client) && + client->newstate != NS_CLIENTSTATE_FREED && + !ns_g_clienttest && +- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) ++ isc_refcount_current(&client->interface->ntcpaccepting) == 0) + { + /* Nobody else is accepting */ + client->mortal = ISC_FALSE; +@@ -3321,7 +3319,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + isc_result_t result; + ns_client_t *client = event->ev_arg; + isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; +- uint32_t old; + + REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); + REQUIRE(NS_CLIENT_VALID(client)); +@@ -3341,8 +3338,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + INSIST(client->naccepts == 1); + client->naccepts--; + +- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); +- 
INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL); + + /* + * We must take ownership of the new socket before the exit +@@ -3473,8 +3469,8 @@ client_accept(ns_client_t *client) { + * quota is tcp-clients plus the number of listening + * interfaces plus 1.) + */ +- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > +- (client->tcpactive ? 1 : 0)); ++ exit = (isc_refcount_current(&client->interface->ntcpactive) > ++ (client->tcpactive ? 1U : 0U)); + if (exit) { + client->newstate = NS_CLIENTSTATE_INACTIVE; + (void)exit_check(client); +@@ -3532,7 +3528,7 @@ client_accept(ns_client_t *client) { + * listening for connections itself to prevent the interface + * going dead. + */ +- isc_atomic_xadd(&client->interface->ntcpaccepting, 1); ++ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL); + } + + static void +diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h +index d9ac90f..aa21049 100644 +--- a/bin/named/include/named/interfacemgr.h ++++ b/bin/named/include/named/interfacemgr.h +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include + +@@ -73,11 +74,11 @@ struct ns_interface { + /*%< UDP dispatchers. */ + isc_socket_t * tcpsocket; /*%< TCP socket. 
*/ + isc_dscp_t dscp; /*%< "listen-on" DSCP value */ +- int32_t ntcpaccepting; /*%< Number of clients ++ isc_refcount_t ntcpaccepting; /*%< Number of clients + ready to accept new + TCP connections on this + interface */ +- int32_t ntcpactive; /*%< Number of clients ++ isc_refcount_t ntcpactive; /*%< Number of clients + servicing TCP queries + (whether accepting or + connected) */ +diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c +index 96c080b..2ce97bb 100644 +--- a/bin/named/interfacemgr.c ++++ b/bin/named/interfacemgr.c +@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, + * connections will be handled in parallel even though there is + * only one client initially. + */ +- ifp->ntcpaccepting = 0; +- ifp->ntcpactive = 0; ++ isc_refcount_init(&ifp->ntcpaccepting, 0); ++ isc_refcount_init(&ifp->ntcpactive, 0); + + ifp->nudpdispatch = 0; + +@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp) { + + ns_interfacemgr_detach(&ifp->mgr); + ++ isc_refcount_destroy(&ifp->ntcpactive); ++ isc_refcount_destroy(&ifp->ntcpaccepting); ++ + ifp->magic = 0; + isc_mem_put(mctx, ifp, sizeof(*ifp)); + } +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-CVE-2018-5743.patch b/SOURCES/bind-9.11-CVE-2018-5743.patch new file mode 100644 index 0000000..665e2b2 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2018-5743.patch 
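Review bot: Replacing the `isc_atomic_xadd(..., -1)` calls in `mark_tcp_active()` and `client_newconn()` with `isc_refcount_decrement(..., NULL)` drops the `INSIST(old > 0)` underflow checks the base CVE patch had, so a double decrement of ntcpactive or ntcpaccepting now goes unnoticed unless isc_refcount itself asserts on a negative count, which is not visible here. These counters feed the quota-override decision in client_accept(), so a silent wrap would let an interface keep accepting past tcp-clients, the very condition CVE-2018-5743 addresses. Keep the check by capturing the result the way tcpconn_detach() does: `int refs; isc_refcount_decrement(&client->interface->ntcpactive, &refs); INSIST(refs >= 0);` (and the same for ntcpaccepting). The added `isc_refcount_destroy()` calls in ns_interface_destroy() are welcome since that is where a non-zero leftover count would surface.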
@@ -0,0 +1,868 @@ +From b2929ff50a7676563177bc52a372ddcae48cb002 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Wed, 24 Apr 2019 20:09:07 +0200 +Subject: [PATCH] 5200. [security] tcp-clients settings could be + exceeded in some cases, which could lead to + exhaustion of file descriptors. (CVE-2018-5743) [GL + #615] + +--- + bin/named/client.c | 421 +++++++++++++++++++------ + bin/named/include/named/client.h | 13 +- + bin/named/include/named/interfacemgr.h | 13 +- + bin/named/interfacemgr.c | 9 +- + lib/isc/include/isc/quota.h | 7 + + lib/isc/quota.c | 33 +- + 6 files changed, 385 insertions(+), 111 deletions(-) + +diff --git a/bin/named/client.c b/bin/named/client.c +index b7d8a98..e1acaf1 100644 +--- a/bin/named/client.c ++++ b/bin/named/client.c +@@ -243,7 +243,7 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason); + static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, + dns_dispatch_t *disp, isc_boolean_t tcp); + static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, +- isc_socket_t *sock); ++ isc_socket_t *sock, ns_client_t *oldclient); + static inline isc_boolean_t + allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr, + isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl); +@@ -295,6 +295,119 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) { + } + } + ++/*% ++ * Allocate a reference-counted object that will maintain a single pointer to ++ * the (also reference-counted) TCP client quota, shared between all the ++ * clients processing queries on a single TCP connection, so that all ++ * clients sharing the one socket will together consume only one slot in ++ * the 'tcp-clients' quota. 
++ */ ++static isc_result_t ++tcpconn_init(ns_client_t *client, isc_boolean_t force) { ++ isc_result_t result; ++ isc_quota_t *quota = NULL; ++ ns_tcpconn_t *tconn = NULL; ++ ++ REQUIRE(client->tcpconn == NULL); ++ ++ /* ++ * Try to attach to the quota first, so we won't pointlessly ++ * allocate memory for a tcpconn object if we can't get one. ++ */ ++ if (force) { ++ result = isc_quota_force(&ns_g_server->tcpquota, "a); ++ } else { ++ result = isc_quota_attach(&ns_g_server->tcpquota, "a); ++ } ++ if (result != ISC_R_SUCCESS) { ++ return (result); ++ } ++ ++ /* ++ * A global memory context is used for the allocation as different ++ * client structures may have different memory contexts assigned and a ++ * reference counter allocated here might need to be freed by a ++ * different client. The performance impact caused by memory context ++ * contention here is expected to be negligible, given that this code ++ * is only executed for TCP connections. ++ */ ++ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn)); ++ ++ isc_refcount_init(&tconn->refs, 1); ++ tconn->tcpquota = quota; ++ quota = NULL; ++ tconn->pipelined = ISC_FALSE; ++ ++ client->tcpconn = tconn; ++ ++ return (ISC_R_SUCCESS); ++} ++ ++/*% ++ * Increase the count of client structures sharing the TCP connection ++ * that 'source' is associated with; add a pointer to the same tcpconn ++ * to 'target', thus associating it with the same TCP connection. ++ */ ++static void ++tcpconn_attach(ns_client_t *source, ns_client_t *target) { ++ int refs; ++ ++ REQUIRE(source->tcpconn != NULL); ++ REQUIRE(target->tcpconn == NULL); ++ REQUIRE(source->tcpconn->pipelined); ++ ++ isc_refcount_increment(&source->tcpconn->refs, &refs); ++ INSIST(refs > 1); ++ target->tcpconn = source->tcpconn; ++} ++ ++/*% ++ * Decrease the count of client structures sharing the TCP connection that ++ * 'client' is associated with. 
If this is the last client using this TCP ++ * connection, we detach from the TCP quota and free the tcpconn ++ * object. Either way, client->tcpconn is set to NULL. ++ */ ++static void ++tcpconn_detach(ns_client_t *client) { ++ ns_tcpconn_t *tconn = NULL; ++ int refs; ++ ++ REQUIRE(client->tcpconn != NULL); ++ ++ tconn = client->tcpconn; ++ client->tcpconn = NULL; ++ ++ isc_refcount_decrement(&tconn->refs, &refs); ++ if (refs == 0) { ++ isc_quota_detach(&tconn->tcpquota); ++ isc_mem_free(ns_g_mctx, tconn); ++ } ++} ++ ++/*% ++ * Mark a client as active and increment the interface's 'ntcpactive' ++ * counter, as a signal that there is at least one client servicing ++ * TCP queries for the interface. If we reach the TCP client quota at ++ * some point, this will be used to determine whether a quota overrun ++ * should be permitted. ++ * ++ * Marking the client active with the 'tcpactive' flag ensures proper ++ * accounting, by preventing us from incrementing or decrementing ++ * 'ntcpactive' more than once per client. ++ */ ++static void ++mark_tcp_active(ns_client_t *client, isc_boolean_t active) { ++ if (active && !client->tcpactive) { ++ isc_atomic_xadd(&client->interface->ntcpactive, 1); ++ client->tcpactive = active; ++ } else if (!active && client->tcpactive) { ++ uint32_t old = ++ isc_atomic_xadd(&client->interface->ntcpactive, -1); ++ INSIST(old > 0); ++ client->tcpactive = active; ++ } ++} ++ + /*% + * Check for a deactivation or shutdown request and take appropriate + * action. Returns ISC_TRUE if either is in progress; in this case +@@ -384,7 +497,8 @@ exit_check(ns_client_t *client) { + INSIST(client->recursionquota == NULL); + + if (NS_CLIENTSTATE_READING == client->newstate) { +- if (!client->pipelined) { ++ INSIST(client->tcpconn != NULL); ++ if (!client->tcpconn->pipelined) { + client_read(client); + client->newstate = NS_CLIENTSTATE_MAX; + return (ISC_TRUE); /* We're done. 
*/ +@@ -402,10 +516,13 @@ exit_check(ns_client_t *client) { + */ + INSIST(client->recursionquota == NULL); + INSIST(client->newstate <= NS_CLIENTSTATE_READY); +- if (client->nreads > 0) ++ ++ if (client->nreads > 0) { + dns_tcpmsg_cancelread(&client->tcpmsg); +- if (client->nreads != 0) { +- /* Still waiting for read cancel completion. */ ++ } ++ ++ /* Still waiting for read cancel completion. */ ++ if (client->nreads > 0) { + return (ISC_TRUE); + } + +@@ -413,14 +530,49 @@ exit_check(ns_client_t *client) { + dns_tcpmsg_invalidate(&client->tcpmsg); + client->tcpmsg_valid = ISC_FALSE; + } ++ ++ /* ++ * Soon the client will be ready to accept a new TCP ++ * connection or UDP request, but we may have enough ++ * clients doing that already. Check whether this client ++ * needs to remain active and allow it go inactive if ++ * not. ++ * ++ * UDP clients always go inactive at this point, but a TCP ++ * client may need to stay active and return to READY ++ * state if no other clients are available to listen ++ * for TCP requests on this interface. ++ * ++ * Regardless, if we're going to FREED state, that means ++ * the system is shutting down and we don't need to ++ * retain clients. ++ */ ++ if (client->mortal && TCP_CLIENT(client) && ++ client->newstate != NS_CLIENTSTATE_FREED && ++ !ns_g_clienttest && ++ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) ++ { ++ /* Nobody else is accepting */ ++ client->mortal = ISC_FALSE; ++ client->newstate = NS_CLIENTSTATE_READY; ++ } ++ ++ /* ++ * Detach from TCP connection and TCP client quota, ++ * if appropriate. If this is the last reference to ++ * the TCP connection in our pipeline group, the ++ * TCP quota slot will be released. 
++ */ ++ if (client->tcpconn) { ++ tcpconn_detach(client); ++ } ++ + if (client->tcpsocket != NULL) { + CTRACE("closetcp"); + isc_socket_detach(&client->tcpsocket); ++ mark_tcp_active(client, ISC_FALSE); + } + +- if (client->tcpquota != NULL) +- isc_quota_detach(&client->tcpquota); +- + if (client->timerset) { + (void)isc_timer_reset(client->timer, + isc_timertype_inactive, +@@ -428,45 +580,26 @@ exit_check(ns_client_t *client) { + client->timerset = ISC_FALSE; + } + +- client->pipelined = ISC_FALSE; +- + client->peeraddr_valid = ISC_FALSE; + + client->state = NS_CLIENTSTATE_READY; +- INSIST(client->recursionquota == NULL); +- +- /* +- * Now the client is ready to accept a new TCP connection +- * or UDP request, but we may have enough clients doing +- * that already. Check whether this client needs to remain +- * active and force it to go inactive if not. +- * +- * UDP clients go inactive at this point, but TCP clients +- * may remain active if we have fewer active TCP client +- * objects than desired due to an earlier quota exhaustion. +- */ +- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) { +- LOCK(&client->interface->lock); +- if (client->interface->ntcpcurrent < +- client->interface->ntcptarget) +- client->mortal = ISC_FALSE; +- UNLOCK(&client->interface->lock); +- } + + /* + * We don't need the client; send it to the inactive + * queue for recycling. + */ + if (client->mortal) { +- if (client->newstate > NS_CLIENTSTATE_INACTIVE) ++ if (client->newstate > NS_CLIENTSTATE_INACTIVE) { + client->newstate = NS_CLIENTSTATE_INACTIVE; ++ } + } + + if (NS_CLIENTSTATE_READY == client->newstate) { + if (TCP_CLIENT(client)) { + client_accept(client); +- } else ++ } else { + client_udprecv(client); ++ } + client->newstate = NS_CLIENTSTATE_MAX; + return (ISC_TRUE); + } +@@ -478,41 +611,51 @@ exit_check(ns_client_t *client) { + /* + * We are trying to enter the inactive state. 
+ */ +- if (client->naccepts > 0) ++ if (client->naccepts > 0) { + isc_socket_cancel(client->tcplistener, client->task, + ISC_SOCKCANCEL_ACCEPT); ++ } + + /* Still waiting for accept cancel completion. */ +- if (! (client->naccepts == 0)) ++ if (client->naccepts > 0) { + return (ISC_TRUE); ++ } + + /* Accept cancel is complete. */ +- if (client->nrecvs > 0) ++ if (client->nrecvs > 0) { + isc_socket_cancel(client->udpsocket, client->task, + ISC_SOCKCANCEL_RECV); ++ } + + /* Still waiting for recv cancel completion. */ +- if (! (client->nrecvs == 0)) ++ if (client->nrecvs > 0) { + return (ISC_TRUE); ++ } + + /* Still waiting for control event to be delivered */ +- if (client->nctls > 0) ++ if (client->nctls > 0) { + return (ISC_TRUE); +- +- /* Deactivate the client. */ +- if (client->interface) +- ns_interface_detach(&client->interface); ++ } + + INSIST(client->naccepts == 0); + INSIST(client->recursionquota == NULL); +- if (client->tcplistener != NULL) ++ if (client->tcplistener != NULL) { + isc_socket_detach(&client->tcplistener); ++ mark_tcp_active(client, ISC_FALSE); ++ } + +- if (client->udpsocket != NULL) ++ if (client->udpsocket != NULL) { + isc_socket_detach(&client->udpsocket); ++ } + +- if (client->dispatch != NULL) ++ /* Deactivate the client. 
*/ ++ if (client->interface != NULL) { ++ ns_interface_detach(&client->interface); ++ } ++ ++ if (client->dispatch != NULL) { + dns_dispatch_detach(&client->dispatch); ++ } + + client->attributes = 0; + client->mortal = ISC_FALSE; +@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) { + client->newstate = NS_CLIENTSTATE_MAX; + if (!ns_g_clienttest && manager != NULL && + !manager->exiting) ++ { + ISC_QUEUE_PUSH(manager->inactive, client, + ilink); +- if (client->needshutdown) ++ } ++ if (client->needshutdown) { + isc_task_shutdown(client->task); ++ } + return (ISC_TRUE); + } + } +@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event_t *event) { + return; + + if (TCP_CLIENT(client)) { +- if (client->pipelined) { ++ if (client->tcpconn != NULL) { + client_read(client); + } else { + client_accept(client); +@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event_t *event) { + } + } + +- + /*% + * The client's task has received a shutdown event. + */ +@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_event_t *event) { + client->nrecvs--; + } else { + INSIST(TCP_CLIENT(client)); ++ INSIST(client->tcpconn != NULL); + REQUIRE(event->ev_type == DNS_EVENT_TCPMSG); + REQUIRE(event->ev_sender == &client->tcpmsg); + buffer = &client->tcpmsg.buffer; +@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_event_t *event) { + /* + * Pipeline TCP query processing. + */ +- if (client->message->opcode != dns_opcode_query) +- client->pipelined = ISC_FALSE; +- if (TCP_CLIENT(client) && client->pipelined) { +- result = isc_quota_reserve(&ns_g_server->tcpquota); +- if (result == ISC_R_SUCCESS) +- result = ns_client_replace(client); ++ if (TCP_CLIENT(client) && ++ client->message->opcode != dns_opcode_query) ++ { ++ client->tcpconn->pipelined = ISC_FALSE; ++ } ++ if (TCP_CLIENT(client) && client->tcpconn->pipelined) { ++ /* ++ * We're pipelining. 
Replace the client; the ++ * replacement can read the TCP socket looking ++ * for new messages and this one can process the ++ * current message asynchronously. ++ * ++ * There will now be at least three clients using this ++ * TCP socket - one accepting new connections, ++ * one reading an existing connection to get new ++ * messages, and one answering the message already ++ * received. ++ */ ++ result = ns_client_replace(client); + if (result != ISC_R_SUCCESS) { +- ns_client_log(client, NS_LOGCATEGORY_CLIENT, +- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, +- "no more TCP clients(read): %s", +- isc_result_totext(result)); +- client->pipelined = ISC_FALSE; ++ client->tcpconn->pipelined = ISC_FALSE; + } + } + +@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { + client->signer = NULL; + dns_name_init(&client->signername, NULL); + client->mortal = ISC_FALSE; +- client->pipelined = ISC_FALSE; +- client->tcpquota = NULL; ++ client->tcpconn = NULL; + client->recursionquota = NULL; + client->interface = NULL; + client->peeraddr_valid = ISC_FALSE; +@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { + client->filter_aaaa = dns_aaaa_ok; + #endif + client->needshutdown = ns_g_clienttest; ++ client->tcpactive = ISC_FALSE; + + ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL, + NS_EVENT_CLIENTCONTROL, client_start, client, client, +@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) { + + static void + client_newconn(isc_task_t *task, isc_event_t *event) { ++ isc_result_t result; + ns_client_t *client = event->ev_arg; + isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; +- isc_result_t result; ++ uint32_t old; + + REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); + REQUIRE(NS_CLIENT_VALID(client)); +@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + + INSIST(client->state == NS_CLIENTSTATE_READY); + ++ /* ++ * The accept() was successful and we're 
now establishing a new ++ * connection. We need to make note of it in the client and ++ * interface objects so client objects can do the right thing ++ * when going inactive in exit_check() (see comments in ++ * client_accept() for details). ++ */ + INSIST(client->naccepts == 1); + client->naccepts--; + +- LOCK(&client->interface->lock); +- INSIST(client->interface->ntcpcurrent > 0); +- client->interface->ntcpcurrent--; +- UNLOCK(&client->interface->lock); ++ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); ++ INSIST(old > 0); + + /* + * We must take ownership of the new socket before the exit +@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "accept failed: %s", + isc_result_totext(nevent->result)); ++ tcpconn_detach(client); + } + + if (exit_check(client)) +@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + * telnetting to port 53 (once per CPU) will + * deny service to legitimate TCP clients. + */ +- client->pipelined = ISC_FALSE; +- result = isc_quota_attach(&ns_g_server->tcpquota, +- &client->tcpquota); +- if (result == ISC_R_SUCCESS) +- result = ns_client_replace(client); +- if (result != ISC_R_SUCCESS) { +- ns_client_log(client, NS_LOGCATEGORY_CLIENT, +- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, +- "no more TCP clients(accept): %s", +- isc_result_totext(result)); +- } else if (ns_g_server->keepresporder == NULL || +- !allowed(&netaddr, NULL, NULL, 0, NULL, +- ns_g_server->keepresporder)) { +- client->pipelined = ISC_TRUE; ++ result = ns_client_replace(client); ++ if (result == ISC_R_SUCCESS && ++ (ns_g_server->keepresporder == NULL || ++ !allowed(&netaddr, NULL, NULL, 0, NULL, ++ ns_g_server->keepresporder))) ++ { ++ client->tcpconn->pipelined = ISC_TRUE; + } + + client_read(client); +@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) { + + CTRACE("accept"); + ++ /* ++ * Set up a new TCP connection. 
This means try to attach to the ++ * TCP client quota (tcp-clients), but fail if we're over quota. ++ */ ++ result = tcpconn_init(client, ISC_FALSE); ++ if (result != ISC_R_SUCCESS) { ++ isc_boolean_t exit; ++ ++ ns_client_log(client, NS_LOGCATEGORY_CLIENT, ++ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, ++ "TCP client quota reached: %s", ++ isc_result_totext(result)); ++ ++ /* ++ * We have exceeded the system-wide TCP client quota. But, ++ * we can't just block this accept in all cases, because if ++ * we did, a heavy TCP load on other interfaces might cause ++ * this interface to be starved, with no clients able to ++ * accept new connections. ++ * ++ * So, we check here to see if any other clients are ++ * already servicing TCP queries on this interface (whether ++ * accepting, reading, or processing). If we find that at ++ * least one client other than this one is active, then ++ * it's okay *not* to call accept - we can let this ++ * client go inactive and another will take over when it's ++ * done. ++ * ++ * If there aren't enough active clients on the interface, ++ * then we can be a little bit flexible about the quota. ++ * We'll allow *one* extra client through to ensure we're ++ * listening on every interface; we do this by setting the ++ * 'force' option to tcpconn_init(). ++ * ++ * (Note: In practice this means that the real TCP client ++ * quota is tcp-clients plus the number of listening ++ * interfaces plus 1.) ++ */ ++ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > ++ (client->tcpactive ? 1 : 0)); ++ if (exit) { ++ client->newstate = NS_CLIENTSTATE_INACTIVE; ++ (void)exit_check(client); ++ return; ++ } ++ ++ result = tcpconn_init(client, ISC_TRUE); ++ RUNTIME_CHECK(result == ISC_R_SUCCESS); ++ } ++ ++ /* ++ * If this client was set up using get_client() or get_worker(), ++ * then TCP is already marked active. However, if it was restarted ++ * from exit_check(), it might not be, so we take care of it now. 
++ */ ++ mark_tcp_active(client, ISC_TRUE); ++ + result = isc_socket_accept(client->tcplistener, client->task, + client_newconn, client); + if (result != ISC_R_SUCCESS) { +- UNEXPECTED_ERROR(__FILE__, __LINE__, +- "isc_socket_accept() failed: %s", +- isc_result_totext(result)); + /* + * XXXRTH What should we do? We're trying to accept but + * it didn't work. If we just give up, then TCP +@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) { + * + * For now, we just go idle. + */ ++ UNEXPECTED_ERROR(__FILE__, __LINE__, ++ "isc_socket_accept() failed: %s", ++ isc_result_totext(result)); ++ ++ tcpconn_detach(client); ++ mark_tcp_active(client, ISC_FALSE); + return; + } ++ ++ /* ++ * The client's 'naccepts' counter indicates that this client has ++ * called accept() and is waiting for a new connection. It should ++ * never exceed 1. ++ */ + INSIST(client->naccepts == 0); + client->naccepts++; +- LOCK(&client->interface->lock); +- client->interface->ntcpcurrent++; +- UNLOCK(&client->interface->lock); ++ ++ /* ++ * The interface's 'ntcpaccepting' counter is incremented when ++ * any client calls accept(), and decremented in client_newconn() ++ * once the connection is established. ++ * ++ * When the client object is shutting down after handling a TCP ++ * request (see exit_check()), if this value is at least one, that ++ * means another client has called accept() and is waiting to ++ * establish the next connection. That means the client may be ++ * be free to become inactive; otherwise it may need to start ++ * listening for connections itself to prevent the interface ++ * going dead. 
++ */ ++ isc_atomic_xadd(&client->interface->ntcpaccepting, 1); + } + + static void +@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) { + REQUIRE(client->manager != NULL); + + tcp = TCP_CLIENT(client); +- if (tcp && client->pipelined) { ++ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) { + result = get_worker(client->manager, client->interface, +- client->tcpsocket); ++ client->tcpsocket, client); + } else { + result = get_client(client->manager, client->interface, + client->dispatch, tcp); ++ + } +- if (result != ISC_R_SUCCESS) ++ if (result != ISC_R_SUCCESS) { + return (result); ++ } + + /* + * The responsibility for listening for new requests is hereby +@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, + client->dscp = ifp->dscp; + + if (tcp) { ++ mark_tcp_active(client, ISC_TRUE); ++ + client->attributes |= NS_CLIENTATTR_TCP; + isc_socket_attach(ifp->tcpsocket, + &client->tcplistener); ++ + } else { + isc_socket_t *sock; + +@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, + } + + static isc_result_t +-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) ++get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock, ++ ns_client_t *oldclient) + { + isc_result_t result = ISC_R_SUCCESS; + isc_event_t *ev; +@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) + MTRACE("get worker"); + + REQUIRE(manager != NULL); ++ REQUIRE(oldclient != NULL); + + if (manager->exiting) + return (ISC_R_SHUTTINGDOWN); +@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) + ns_interface_attach(ifp, &client->interface); + client->newstate = client->state = NS_CLIENTSTATE_WORKING; + INSIST(client->recursionquota == NULL); +- client->tcpquota = &ns_g_server->tcpquota; + + client->dscp = ifp->dscp; + + client->attributes |= NS_CLIENTATTR_TCP; +- client->pipelined = 
ISC_TRUE; + client->mortal = ISC_TRUE; + ++ tcpconn_attach(oldclient, client); ++ mark_tcp_active(client, ISC_TRUE); ++ + isc_socket_attach(ifp->tcpsocket, &client->tcplistener); + isc_socket_attach(sock, &client->tcpsocket); + isc_socket_setname(client->tcpsocket, "worker-tcp", NULL); +diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h +index 262b906..0f54d22 100644 +--- a/bin/named/include/named/client.h ++++ b/bin/named/include/named/client.h +@@ -9,8 +9,6 @@ + * information regarding copyright ownership. + */ + +-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */ +- + #ifndef NAMED_CLIENT_H + #define NAMED_CLIENT_H 1 + +@@ -77,6 +75,13 @@ + *** Types + ***/ + ++/*% reference-counted TCP connection object */ ++typedef struct ns_tcpconn { ++ isc_refcount_t refs; ++ isc_quota_t *tcpquota; ++ isc_boolean_t pipelined; ++} ns_tcpconn_t; ++ + /*% nameserver client structure */ + struct ns_client { + unsigned int magic; +@@ -91,6 +96,7 @@ struct ns_client { + int nupdates; + int nctls; + int references; ++ isc_boolean_t tcpactive; + isc_boolean_t needshutdown; /* + * Used by clienttest to get + * the client to go from +@@ -129,8 +135,7 @@ struct ns_client { + dns_name_t signername; /*%< [T]SIG key name */ + dns_name_t * signer; /*%< NULL if not valid sig */ + isc_boolean_t mortal; /*%< Die after handling request */ +- isc_boolean_t pipelined; /*%< TCP queries not in sequence */ +- isc_quota_t *tcpquota; ++ ns_tcpconn_t *tcpconn; + isc_quota_t *recursionquota; + ns_interface_t *interface; + +diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h +index 36870f3..d9ac90f 100644 +--- a/bin/named/include/named/interfacemgr.h ++++ b/bin/named/include/named/interfacemgr.h +@@ -9,8 +9,6 @@ + * information regarding copyright ownership. 
+ */ + +-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */ +- + #ifndef NAMED_INTERFACEMGR_H + #define NAMED_INTERFACEMGR_H 1 + +@@ -75,9 +73,14 @@ struct ns_interface { + /*%< UDP dispatchers. */ + isc_socket_t * tcpsocket; /*%< TCP socket. */ + isc_dscp_t dscp; /*%< "listen-on" DSCP value */ +- int ntcptarget; /*%< Desired number of concurrent +- TCP accepts */ +- int ntcpcurrent; /*%< Current ditto, locked */ ++ int32_t ntcpaccepting; /*%< Number of clients ++ ready to accept new ++ TCP connections on this ++ interface */ ++ int32_t ntcpactive; /*%< Number of clients ++ servicing TCP queries ++ (whether accepting or ++ connected) */ + int nudpdispatch; /*%< Number of UDP dispatches */ + ns_clientmgr_t * clientmgr; /*%< Client manager. */ + ISC_LINK(ns_interface_t) link; +diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c +index d8c7188..96c080b 100644 +--- a/bin/named/interfacemgr.c ++++ b/bin/named/interfacemgr.c +@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, + * connections will be handled in parallel even though there is + * only one client initially. 
+ */ +- ifp->ntcptarget = 1; +- ifp->ntcpcurrent = 0; ++ ifp->ntcpaccepting = 0; ++ ifp->ntcpactive = 0; ++ + ifp->nudpdispatch = 0; + + ifp->dscp = -1; +@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) { + */ + (void)isc_socket_filter(ifp->tcpsocket, "dataready"); + +- result = ns_clientmgr_createclients(ifp->clientmgr, +- ifp->ntcptarget, ifp, +- ISC_TRUE); ++ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE); + if (result != ISC_R_SUCCESS) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "TCP ns_clientmgr_createclients(): %s", +diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h +index b9bf598..36c5830 100644 +--- a/lib/isc/include/isc/quota.h ++++ b/lib/isc/include/isc/quota.h +@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p); + * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA). + */ + ++isc_result_t ++isc_quota_force(isc_quota_t *quota, isc_quota_t **p); ++/*%< ++ * Like isc_quota_attach, but will attach '*p' to the quota ++ * even if the hard quota has been exceeded. 
++ */ ++ + void + isc_quota_detach(isc_quota_t **p); + /*%< +diff --git a/lib/isc/quota.c b/lib/isc/quota.c +index 3ddff0d..20976a4 100644 +--- a/lib/isc/quota.c ++++ b/lib/isc/quota.c +@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) { + UNLOCK("a->lock); + } + +-isc_result_t +-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) +-{ ++static isc_result_t ++doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) { + isc_result_t result; +- INSIST(p != NULL && *p == NULL); ++ REQUIRE(p != NULL && *p == NULL); ++ + result = isc_quota_reserve(quota); +- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) ++ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) { ++ *p = quota; ++ } else if (result == ISC_R_QUOTA && force) { ++ /* attach anyway */ ++ LOCK("a->lock); ++ quota->used++; ++ UNLOCK("a->lock); ++ + *p = quota; ++ result = ISC_R_SUCCESS; ++ } ++ + return (result); + } + ++isc_result_t ++isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) { ++ return (doattach(quota, p, ISC_FALSE)); ++} ++ ++isc_result_t ++isc_quota_force(isc_quota_t *quota, isc_quota_t **p) { ++ return (doattach(quota, p, ISC_TRUE)); ++} ++ + void +-isc_quota_detach(isc_quota_t **p) +-{ ++isc_quota_detach(isc_quota_t **p) { + INSIST(p != NULL && *p != NULL); + isc_quota_release(*p); + *p = NULL; +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-CVE-2019-6471.patch b/SOURCES/bind-9.11-CVE-2019-6471.patch new file mode 100644 index 0000000..64f86d5 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2019-6471.patch 
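Review bot: In `tcpconn_init()` the pointer returned by `isc_mem_allocate(ns_g_mctx, sizeof(*tconn))` is dereferenced at once by `isc_refcount_init(&tconn->refs, 1)` with no NULL check; in the 9.11 memory API isc_mem_allocate() can still report exhaustion by returning NULL (unless the context is configured to abort), and at that point the function has already attached to `ns_g_server->tcpquota`, so a failed allocation both crashes on NULL and leaks a tcp-clients slot. This runs once per accepted TCP connection under exactly the resource pressure the CVE is about, so add `if (tconn == NULL) { isc_quota_detach(&quota); return (ISC_R_NOMEMORY); }` before the refcount init. The comment above the allocation explains why `ns_g_mctx` is used, but `ns_tcpconn_t` in client.h does not record it; a one-liner there, `/* allocated from ns_g_mctx; freed by whichever client drops the last ref */`, would keep a future allocator change from breaking tcpconn_detach(). Separately, the `"TCP client quota reached: %s"` message in client_accept() is logged at ISC_LOG_WARNING on every accept attempt while over quota, which under a sustained TCP flood can itself become a log-volume problem; consider ISC_LOG_DEBUG(1) or rate limiting.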
@@ -0,0 +1,48 @@ +From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Wed, 19 Jun 2019 12:28:08 +0200 +Subject: [PATCH] Fix CVE-2019-6471 + +5244. [security] Fixed a race condition in dns_dispatch_getnext() + that could cause an assertion failure if a + significant number of incoming packets were + rejected. (CVE-2019-6471) [GL #942] +--- + lib/dns/dispatch.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c +index 321459ebcb..ae5c9c0fc7 100644 +--- a/lib/dns/dispatch.c ++++ b/lib/dns/dispatch.c +@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { + disp = resp->disp; + REQUIRE(VALID_DISPATCH(disp)); + +- REQUIRE(resp->item_out == ISC_TRUE); +- resp->item_out = ISC_FALSE; +- + ev = *sockevent; + *sockevent = NULL; + + LOCK(&disp->lock); ++ ++ REQUIRE(resp->item_out == ISC_TRUE); ++ resp->item_out = ISC_FALSE; ++ + if (ev->buffer.base != NULL) + free_buffer(disp, ev->buffer.base, ev->buffer.length); + free_devent(disp, ev); +@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, + isc_task_send(disp->task[0], &disp->ctlevent); + } + ++/* ++ * disp must be locked. ++ */ + static void + do_cancel(dns_dispatch_t *disp) { + dns_dispatchevent_t *ev; +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-dnssec-lookaside.patch b/SOURCES/bind-9.11-dnssec-lookaside.patch new file mode 100644 index 0000000..8c1b316 --- /dev/null +++ b/SOURCES/bind-9.11-dnssec-lookaside.patch 
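Review bot: The REQUIRE on resp->item_out is moved under disp->lock without a comment saying why it must stay there, so a later tidy-up could hoist it back above the LOCK and reintroduce the race the patch fixes; add above it `/* item_out is written by other holders of disp->lock; check it only while locked (CVE-2019-6471). */`. The new `disp must be locked.` comment on do_cancel is welcome and would read more precisely as `/* Caller must hold disp->lock. */`, matching the precondition it describes. Both dns_dispatch_getnext and do_cancel continue outside the hunk.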
@@ -0,0 +1,49 @@ +From d5ca0a8f5d31dad4e77bdb8316853f703e68b60f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 29 Jan 2019 21:26:33 +0100 +Subject: [PATCH 4/5] Accept dnssec-lookaside yes; + +Thread it the same way as "auto" value. Print a warning and ignore it. +--- + bin/named/server.c | 3 ++- + lib/bind9/check.c | 8 +++++--- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 0c8939d..93f9417 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -4615,7 +4615,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + /* If "no", skip; if "auto", log warning */ + if (!strcasecmp(dom, "no")) { + result = ISC_R_NOTFOUND; +- } else if (!strcasecmp(dom, "auto")) { ++ } else if (!strcasecmp(dom, "auto") ++ || !strcasecmp(dom, "yes")) { + /* + * Warning logged by libbind9. + */ +diff --git a/lib/bind9/check.c b/lib/bind9/check.c +index 1a3d534..f075de0 100644 +--- a/lib/bind9/check.c ++++ b/lib/bind9/check.c +@@ -1176,11 +1176,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + if (!strcasecmp(dlv, "no")) { + continue; + } +- if (!strcasecmp(dlv, "auto")) { ++ if (!strcasecmp(dlv, "auto") ++ || !strcasecmp(dlv, "yes")) { + cfg_obj_log(obj, logctx, + ISC_LOG_WARNING, +- "dnssec-lookaside 'auto' " +- "is no longer supported"); ++ "dnssec-lookaside '%s' " ++ "is no longer supported", ++ dlv); + continue; + } + } +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-ed448-disable.patch b/SOURCES/bind-9.11-ed448-disable.patch new file mode 100644 index 0000000..f3006bf --- /dev/null +++ b/SOURCES/bind-9.11-ed448-disable.patch 
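Review bot: The continuation lines `|| !strcasecmp(dom, "yes")` in server.c and `|| !strcasecmp(dlv, "yes")` in check.c put the operator at the start of the line, whereas the surrounding BIND code puts `&&`/`||` at the end of the preceding line; write `} else if (!strcasecmp(dom, "auto") ||` followed by `!strcasecmp(dom, "yes")) {` and the same shape in check.c. The patch description reads "Thread it the same way as "auto"" where "Treat it" is presumably meant. Both enclosing functions, configure_view and check_options, continue outside the hunk.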
@@ -0,0 +1,41 @@ +From e1da251de9647872d776b70078556f4e3e21cad8 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 21 Feb 2019 12:36:17 +0100 +Subject: [PATCH] Disable autodetected ED448 algorithm support + +Implementation is broken in bind, disabled also in more recent versions. +Makes bin/tests/system/dnssec fail. +--- + configure.in | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/configure.in b/configure.in +index 1397c50..475ab9e 100644 +--- a/configure.in ++++ b/configure.in +@@ -1964,6 +1964,9 @@ int main() { + } + ], + [AC_MSG_RESULT(yes) ++ # ED448 support is broken in BIND ++ # https://gitlab.isc.org/isc-projects/bind9/issues/225 ++ # disable if autodetected, can be enabled by --with-eddsa=all + have_ed448="yes"], + [AC_MSG_RESULT(no) + have_ed448="no"], +@@ -1976,8 +1979,10 @@ int main() { + esac + case $have_ed448 in + yes) +- AC_DEFINE(HAVE_OPENSSL_ED448, 1, +- [Define if your OpenSSL version supports Ed448.]) ++ # ED448 support is broken in BIND ++ # https://gitlab.isc.org/isc-projects/bind9/issues/225 ++ # AC_DEFINE(HAVE_OPENSSL_ED448, 1, ++ # [Define if your OpenSSL version supports Ed448.]) + ;; + *) + ;; +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-export-suffix.patch b/SOURCES/bind-9.11-export-suffix.patch new file mode 100644 index 0000000..e3ba29c --- /dev/null +++ b/SOURCES/bind-9.11-export-suffix.patch 
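Review bot: Commenting out the AC_DEFINE leaves have_ed448="yes" set, so configure still reports "yes" for Ed448 detection while HAVE_OPENSSL_ED448 is never defined and the `yes)` branch is left empty; the description says `--with-eddsa=all` can re-enable it, but nothing in the hunk distinguishes autodetection from an explicit request. It would be clearer to force the result off in the autodetect branch, `have_ed448="no"` with the existing explanatory comment, and leave the `yes)` case defining the macro, so an explicit option can still take effect if the option handling outside the hunk sets have_ed448 directly. The surrounding case logic continues outside the hunk, so whether such a path exists cannot be confirmed here.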
@@ -0,0 +1,39 @@ +diff --git a/configure.in b/configure.in +index e6cd6a4..988b0a7 100644 +--- a/configure.in ++++ b/configure.in +@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS) + AC_SUBST(BUILD_LDFLAGS) + AC_SUBST(BUILD_LIBS) + ++AC_SUBST(LIBDIR_SUFFIX) ++ + # + # Commands to run at the end of config.status. + # Don't just put these into configure, it won't work right if somebody +diff --git a/isc-config.sh.in b/isc-config.sh.in +index 110191a..5a64004 100644 +--- a/isc-config.sh.in ++++ b/isc-config.sh.in +@@ -12,16 +12,17 @@ prefix=@prefix@ + exec_prefix=@exec_prefix@ + exec_prefix_set= + includedir=@includedir@ ++libdir_suffix=@LIBDIR_SUFFIX@ + arch=$(uname -m) + + case $arch in + x86_64 | amd64 | sparc64 | s390x | ppc64) +- libdir=/usr/lib64 +- sec_libdir=/usr/lib ++ libdir=/usr/lib64${libdir_suffix} ++ sec_libdir=/usr/lib${libdir_suffix} + ;; + * ) +- libdir=/usr/lib +- sec_libdir=/usr/lib64 ++ libdir=/usr/lib${libdir_suffix} ++ sec_libdir=/usr/lib64${libdir_suffix} + ;; + esac + diff --git a/SOURCES/bind-9.11-fips-code.patch b/SOURCES/bind-9.11-fips-code.patch new file mode 100644 index 0000000..2dccdea --- /dev/null +++ b/SOURCES/bind-9.11-fips-code.patch 
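Review bot: LIBDIR_SUFFIX is substituted into the installed isc-config.sh, but the configure.in hunk only AC_SUBSTs it; nothing declares or documents the variable, so it is taken silently from the build environment and is empty when unset. Declaring it with `AC_ARG_VAR([LIBDIR_SUFFIX], [suffix appended to the library directories reported by isc-config])` makes it precious and lists it in `configure --help`. Unlike the sibling patches, this file carries no header describing its purpose; a short one naming the packaging reason for the suffix would help the next maintainer.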
@@ -0,0 +1,1516 @@ +From fb8665aebd79ea33cb255f578544e1738f5bbb58 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 2 Aug 2018 23:34:45 +0200 +Subject: [PATCH 1/2] Squashed commit of the following: +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b +Author: Petr Menšík +Date: Mon Jan 22 14:12:37 2018 +0100 + + Update system tests to detect MD5 disabled at runtime + +commit 80ceffee4860c24baf70bc9a8653d92731eda2e4 +Author: Petr Menšík +Date: Thu Aug 2 14:53:54 2018 +0200 + + Avoid warning about undefined parameters + +commit e4ad4363e3d1acaac58456117579f02761f38fdc +Author: Petr Menšík +Date: Wed Jun 20 19:31:19 2018 +0200 + + Fix rndc-confgen default algorithm, report true algorithm in usage. + +commit 7e629a351010cb75e0589ec361f720085675998c +Author: Petr Menšík +Date: Fri Feb 23 21:21:30 2018 +0100 + + Cleanup only if initialization was successful + +commit 2101b948c77cbcbe07eb4a1e60f3e693b2245ec6 +Author: Petr Menšík +Date: Mon Feb 5 12:19:28 2018 +0100 + + Ensure dst backend is initialized first even before hmac algorithms. + +commit 7567c7edde7519115a9ae7e20818c835d3eb1ffe +Author: Petr Menšík +Date: Mon Feb 5 12:17:54 2018 +0100 + + Skip initialization of MD5 based algorithms if not available. + +commit 5782137df6b45a6d900d5a1c250c1257227e917a +Author: Petr Menšík +Date: Mon Feb 5 10:21:27 2018 +0100 + + Change secalgs skipping to be more safe + +commit f2d78729898182d2d19d5064de1bec9b66817159 +Author: Petr Menšík +Date: Wed Jan 31 18:26:11 2018 +0100 + + Skip MD5 algorithm also in case of NULL name + +commit 32a2ad4abc7aaca1c257730319ad3c27405d3407 +Author: Petr Menšík +Date: Wed Jan 31 11:38:12 2018 +0100 + + Make MD5 behave like unknown algorithm in TSIG. 
+ +commit 13cd3f704dce568fdf24a567be5802b58ac6007b +Author: Petr Menšík +Date: Tue Nov 28 20:14:37 2017 +0100 + + Select token with most supported functions, instead of demanding it must support all functions + + Initialize PKCS#11 always until successfully initialized + +commit a71df74abdca4fe63bcdf542b81a109cf1f495b4 +Author: Petr Menšík +Date: Mon Jan 22 16:17:44 2018 +0100 + + Handle MD5 unavailability from DST + +commit dd82cb263efa2753d3ee772972726ea08bcc639b +Author: Petr Menšík +Date: Mon Jan 22 14:11:16 2018 +0100 + + Check runtime flag from library and applications, fail gracefully. + +commit c7b2f87f07ecae75b821a908e29f08a42371e32e +Author: Petr Menšík +Date: Mon Jan 22 08:39:08 2018 +0100 + + Modify libraries to use isc_md5_available() if PK11_MD5_DISABLE is not + defined. + TODO: pk11.c should accept slot without MD5 support. + +commit 0b8e470ec636b9e350b5ec3203eb2b4091415fde +Author: Petr Menšík +Date: Mon Jan 22 07:21:04 2018 +0100 + + Add runtime detection whether MD5 is useable. 
+--- + bin/confgen/keygen.c | 10 ++++- + bin/confgen/rndc-confgen.c | 36 +++++------------- + bin/dig/dig.c | 7 ++-- + bin/dig/dighost.c | 14 +++++-- + bin/dnssec/dnssec-keygen.c | 14 +++++++ + bin/named/config.c | 25 ++++++++++++- + bin/nsupdate/nsupdate.c | 24 +++++++----- + bin/rndc/rndc.c | 3 +- + bin/tests/optional/hash_test.c | 78 ++++++++++++++++++++------------------- + bin/tests/system/tkey/keycreate.c | 3 ++ + bin/tests/system/tkey/keydelete.c | 18 ++++++--- + lib/bind9/check.c | 10 +++++ + lib/dns/dst_api.c | 23 ++++++++---- + lib/dns/dst_internal.h | 3 +- + lib/dns/dst_parse.c | 18 +++++++-- + lib/dns/hmac_link.c | 20 +++------- + lib/dns/opensslrsa_link.c | 6 +++ + lib/dns/pkcs11rsa_link.c | 33 +++++++++++++++-- + lib/dns/rcode.c | 21 ++++++++++- + lib/dns/tests/rsa_test.c | 29 ++++++++------- + lib/dns/tests/tsig_test.c | 1 + + lib/dns/tkey.c | 9 +++++ + lib/dns/tsec.c | 8 +++- + lib/dns/tsig.c | 17 +++++---- + lib/isc/include/isc/md5.h | 3 ++ + lib/isc/md5.c | 59 +++++++++++++++++++++++++++++ + lib/isc/pk11.c | 58 ++++++++++++++++++++--------- + lib/isc/tests/hash_test.c | 9 +++-- + lib/isccc/cc.c | 42 +++++++++++++-------- + 29 files changed, 424 insertions(+), 177 deletions(-) + +diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c +index 453c641dba..11cc54dd46 100644 +--- a/bin/confgen/keygen.c ++++ b/bin/confgen/keygen.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -73,7 +74,7 @@ alg_fromtext(const char *name) { + p = &name[5]; + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(p, "md5") == 0) ++ if (strcasecmp(p, "md5") == 0 && isc_md5_available()) + return DST_ALG_HMACMD5; + #endif + if (strcasecmp(p, "sha1") == 0) +@@ -132,6 +133,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, + switch (alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: ++ if (isc_md5_available() == ISC_FALSE) { ++ fatal("unsupported algorithm %d\n", alg); ++ } else if (keysize < 1 || 
keysize > 512) { ++ fatal("keysize %d out of range (must be 1-512)\n", ++ keysize); ++ } ++ break; + #endif + case DST_ALG_HMACSHA1: + case DST_ALG_HMACSHA224: +diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c +index 2925baf32f..d7d8418073 100644 +--- a/bin/confgen/rndc-confgen.c ++++ b/bin/confgen/rndc-confgen.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -62,7 +63,7 @@ const char *progname; + + isc_boolean_t verbose = ISC_FALSE; + +-const char *keyfile, *keydef; ++const char *keyfile, *keydef, *algdef; + + ISC_PLATFORM_NORETURN_PRE static void + usage(int status) ISC_PLATFORM_NORETURN_POST; +@@ -70,13 +71,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; + static void + usage(int status) { + +-#ifndef PK11_MD5_DISABLE + fprintf(stderr, "\ + Usage:\n\ + %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ + [-s addr] [-t chrootdir] [-u user]\n\ + -a: generate just the key clause and write it to keyfile (%s)\n\ +- -A alg: algorithm (default hmac-md5)\n\ ++ -A alg: algorithm (default %s)\n\ + -b bits: from 1 through 512, default 256; total length of the secret\n\ + -c keyfile: specify an alternate key file (requires -a)\n\ + -k keyname: the name as it will be used in named.conf and rndc.conf\n\ +@@ -85,24 +85,7 @@ Usage:\n\ + -s addr: the address to which rndc should connect\n\ + -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ + -u user: set the keyfile owner to \"user\" (requires -a)\n", +- progname, keydef); +-#else +- fprintf(stderr, "\ +-Usage:\n\ +- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ +-[-s addr] [-t chrootdir] [-u user]\n\ +- -a: generate just the key clause and write it to keyfile (%s)\n\ +- -A alg: algorithm (default hmac-sha256)\n\ +- -b bits: from 1 through 512, default 256; total length of the secret\n\ +- -c keyfile: specify an alternate key file (requires -a)\n\ +- -k keyname: the name as it will be 
used in named.conf and rndc.conf\n\ +- -p port: the port named will listen on and rndc will connect to\n\ +- -r randomfile: source of random data (use \"keyboard\" for key timing)\n\ +- -s addr: the address to which rndc should connect\n\ +- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ +- -u user: set the keyfile owner to \"user\" (requires -a)\n", +- progname, keydef); +-#endif ++ progname, keydef, algdef); + + exit (status); + } +@@ -138,13 +121,14 @@ main(int argc, char **argv) { + progname = program; + + keyname = DEFAULT_KEYNAME; +-#ifndef PK11_MD5_DISABLE +- alg = DST_ALG_HMACMD5; +-#else +- alg = DST_ALG_HMACSHA256; +-#endif + serveraddr = DEFAULT_SERVER; + port = DEFAULT_PORT; ++ alg = DST_ALG_HMACSHA256; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ alg = DST_ALG_HMACMD5; ++#endif ++ algdef = alg_totext(alg); + + isc_commandline_errprint = ISC_FALSE; + +diff --git a/bin/dig/dig.c b/bin/dig/dig.c +index d4808ada67..9dff7c8ecd 100644 +--- a/bin/dig/dig.c ++++ b/bin/dig/dig.c +@@ -17,6 +17,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -1757,10 +1758,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, + ptr = ptr2; + ptr2 = ptr3; + } else { +-#ifndef PK11_MD5_DISABLE +- hmacname = DNS_TSIG_HMACMD5_NAME; +-#else + hmacname = DNS_TSIG_HMACSHA256_NAME; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + #endif + digestbits = 0; + } +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index ecefc98453..94c428ed30 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -77,6 +77,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1243,9 +1244,10 @@ parse_hmac(const char *hmac) { + digestbits = 0; + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(buf, "hmac-md5") == 0) { ++ if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) { + hmacname = DNS_TSIG_HMACMD5_NAME; +- } else if (strncasecmp(buf, 
"hmac-md5-", 9) == 0) { ++ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0 && ++ isc_md5_available()) { + hmacname = DNS_TSIG_HMACMD5_NAME; + digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); + } else +@@ -1365,7 +1367,13 @@ setup_file_key(void) { + switch (dst_key_alg(dstkey)) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- hmacname = DNS_TSIG_HMACMD5_NAME; ++ if (isc_md5_available()) { ++ hmacname = DNS_TSIG_HMACMD5_NAME; ++ } else { ++ printf(";; Couldn't create key %s: bad algorithm\n", ++ keynametext); ++ goto failure; ++ } + break; + #endif + case DST_ALG_HMACSHA1: +diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c +index 6fc3ab0979..fc04356ed4 100644 +--- a/bin/dnssec/dnssec-keygen.c ++++ b/bin/dnssec/dnssec-keygen.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -560,6 +561,19 @@ main(int argc, char **argv) { + "\"-a RSAMD5\"\n"); + INSIST(freeit == NULL); + return (1); ++ } else if (strcasecmp(algname, "HMAC-MD5") == 0) { ++ if (isc_md5_available()) { ++ alg = DST_ALG_HMACMD5; ++ } else { ++ fprintf(stderr, ++ "The use of HMAC-MD5 was disabled\n"); ++ return (1); ++ } ++ } else if (strcasecmp(algname, "RSAMD5") == 0 && ++ isc_md5_available() == ISC_FALSE) { ++ fprintf(stderr, "The use of RSAMD5 was disabled\n"); ++ INSIST(freeit == NULL); ++ return (1); + } else if (strcasecmp(algname, "HMAC-MD5") == 0) { + alg = DST_ALG_HMACMD5; + #else +diff --git a/bin/named/config.c b/bin/named/config.c +index 54bc37fff7..c50f759ddd 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -17,6 +17,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -966,6 +967,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, + return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits)); + } + ++static inline int ++algorithms_start() { ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ int i = 0; ++ while 
(algorithms[i].str != NULL && ++ algorithms[i].hmac == hmacmd5) { ++ i++; ++ } ++ return i; ++ } ++#endif ++ return 0; ++} ++ + isc_result_t + ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + unsigned int *typep, isc_uint16_t *digestbits) +@@ -975,7 +991,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + isc_uint16_t bits; + isc_result_t result; + +- for (i = 0; algorithms[i].str != NULL; i++) { ++ for (i = algorithms_start(); algorithms[i].str != NULL; i++) { + len = strlen(algorithms[i].str); + if (strncasecmp(algorithms[i].str, str, len) == 0 && + (str[len] == '\0' || +@@ -998,7 +1014,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + if (name != NULL) { + switch (algorithms[i].hmac) { + #ifndef PK11_MD5_DISABLE +- case hmacmd5: *name = dns_tsig_hmacmd5_name; break; ++ case hmacmd5: ++ if (isc_md5_available()) { ++ *name = dns_tsig_hmacmd5_name; break; ++ } else { ++ return (ISC_R_NOTFOUND); ++ } + #endif + case hmacsha1: *name = dns_tsig_hmacsha1_name; break; + case hmacsha224: *name = dns_tsig_hmacsha224_name; break; +diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c +index 6967b49754..bb5d50038f 100644 +--- a/bin/nsupdate/nsupdate.c ++++ b/bin/nsupdate/nsupdate.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -474,9 +475,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, + strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(buf, "hmac-md5") == 0) { ++ if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) { + *hmac = DNS_TSIG_HMACMD5_NAME; +- } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { ++ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0 && ++ isc_md5_available()) { + *hmac = DNS_TSIG_HMACMD5_NAME; + result = isc_parse_uint16(&digestbits, &buf[9], 10); + if (result != ISC_R_SUCCESS || digestbits > 128) { +@@ -589,10 +591,10 @@ setup_keystr(void) { + exit(1); + } 
+ } else { +-#ifndef PK11_MD5_DISABLE +- hmacname = DNS_TSIG_HMACMD5_NAME; +-#else + hmacname = DNS_TSIG_HMACSHA256_NAME; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + #endif + name = keystr; + n = s; +@@ -729,7 +731,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { + switch (dst_key_alg(dstkey)) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- hmacname = DNS_TSIG_HMACMD5_NAME; ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + break; + #endif + case DST_ALG_HMACSHA1: +@@ -1604,12 +1607,13 @@ evaluate_key(char *cmdline) { + return (STATUS_SYNTAX); + } + namestr = n + 1; +- } else +-#ifndef PK11_MD5_DISABLE +- hmacname = DNS_TSIG_HMACMD5_NAME; +-#else ++ } else { + hmacname = DNS_TSIG_HMACSHA256_NAME; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + #endif ++ } + + isc_buffer_init(&b, namestr, strlen(namestr)); + isc_buffer_add(&b, strlen(namestr)); +diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c +index 5c29caf86b..617b06b4a1 100644 +--- a/bin/rndc/rndc.c ++++ b/bin/rndc/rndc.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -634,7 +635,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, + algorithmstr = cfg_obj_asstring(algorithmobj); + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(algorithmstr, "hmac-md5") == 0) ++ if (strcasecmp(algorithmstr, "hmac-md5") == 0 && isc_md5_available()) + algorithm = ISCCC_ALG_HMACMD5; + else + #endif +diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c +index bf2891ad4c..b5f0a1c5f5 100644 +--- a/bin/tests/optional/hash_test.c ++++ b/bin/tests/optional/hash_test.c +@@ -90,43 +90,47 @@ main(int argc, char **argv) { + print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4); + + #ifndef PK11_MD5_DISABLE +- s = "abc"; +- isc_md5_init(&md5); +- memmove(buffer, s, strlen(s)); +- isc_md5_update(&md5, buffer, strlen(s)); +- 
isc_md5_final(&md5, digest); +- print_digest(s, "md5", digest, 4); +- +- /* +- * The 3 HMAC-MD5 examples from RFC2104 +- */ +- s = "Hi There"; +- memset(key, 0x0b, 16); +- isc_hmacmd5_init(&hmacmd5, key, 16); +- memmove(buffer, s, strlen(s)); +- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); +- isc_hmacmd5_sign(&hmacmd5, digest); +- print_digest(s, "hmacmd5", digest, 4); +- +- s = "what do ya want for nothing?"; +- strlcpy((char *)key, "Jefe", sizeof(key)); +- isc_hmacmd5_init(&hmacmd5, key, 4); +- memmove(buffer, s, strlen(s)); +- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); +- isc_hmacmd5_sign(&hmacmd5, digest); +- print_digest(s, "hmacmd5", digest, 4); +- +- s = "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335"; +- memset(key, 0xaa, 16); +- isc_hmacmd5_init(&hmacmd5, key, 16); +- memmove(buffer, s, strlen(s)); +- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); +- isc_hmacmd5_sign(&hmacmd5, digest); +- print_digest(s, "hmacmd5", digest, 4); ++ if (isc_md5_available()) { ++ s = "abc"; ++ isc_md5_init(&md5); ++ memmove(buffer, s, strlen(s)); ++ isc_md5_update(&md5, buffer, strlen(s)); ++ isc_md5_final(&md5, digest); ++ print_digest(s, "md5", digest, 4); ++ ++ /* ++ * The 3 HMAC-MD5 examples from RFC2104 ++ */ ++ s = "Hi There"; ++ memset(key, 0x0b, 16); ++ isc_hmacmd5_init(&hmacmd5, key, 16); ++ memmove(buffer, s, strlen(s)); ++ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); ++ isc_hmacmd5_sign(&hmacmd5, digest); ++ print_digest(s, "hmacmd5", digest, 4); ++ ++ s = "what do ya want for nothing?"; ++ strlcpy((char *)key, "Jefe", sizeof(key)); ++ isc_hmacmd5_init(&hmacmd5, key, 4); ++ memmove(buffer, s, strlen(s)); ++ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); ++ isc_hmacmd5_sign(&hmacmd5, digest); ++ print_digest(s, "hmacmd5", digest, 4); ++ ++ s = 
"\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335"; ++ memset(key, 0xaa, 16); ++ isc_hmacmd5_init(&hmacmd5, key, 16); ++ memmove(buffer, s, strlen(s)); ++ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); ++ isc_hmacmd5_sign(&hmacmd5, digest); ++ print_digest(s, "hmacmd5", digest, 4); ++ } else { ++ fprintf(stderr, "Skipping disabled MD5 algorithm\n"); ++ } + #endif + + /* +diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c +index 2a0ee94888..489f4390dc 100644 +--- a/bin/tests/system/tkey/keycreate.c ++++ b/bin/tests/system/tkey/keycreate.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -142,6 +143,8 @@ sendquery(isc_task_t *task, isc_event_t *event) { + static char keystr[] = "0123456789ab"; + + isc_event_free(&event); ++ if (isc_md5_available() == ISC_FALSE) ++ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); + + result = ISC_R_FAILURE; + if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) +diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c +index 7057c318e4..36ee6c7d21 100644 +--- a/bin/tests/system/tkey/keydelete.c ++++ b/bin/tests/system/tkey/keydelete.c +@@ -225,12 +225,18 @@ main(int argc, char **argv) { + result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); + CHECK("dst_key_fromnamedfile", result); + #ifndef PK11_MD5_DISABLE +- result = dns_tsigkey_createfromkey(dst_key_name(dstkey), +- DNS_TSIG_HMACMD5_NAME, +- dstkey, ISC_TRUE, NULL, 0, 0, +- mctx, ring, &tsigkey); +- dst_key_free(&dstkey); +- CHECK("dns_tsigkey_createfromkey", result); ++ if (isc_md5_available()) { ++ result = dns_tsigkey_createfromkey(dst_key_name(dstkey), ++ DNS_TSIG_HMACMD5_NAME, ++ dstkey, ISC_TRUE, ++ NULL, 0, 0, ++ mctx, ring, &tsigkey); ++ dst_key_free(&dstkey); ++ 
CHECK("dns_tsigkey_createfromkey", result); ++ } else { ++ dst_key_free(&dstkey); ++ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); ++ } + #else + dst_key_free(&dstkey); + CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); +diff --git a/lib/bind9/check.c b/lib/bind9/check.c +index 3da83a7ae2..1a3d534799 100644 +--- a/lib/bind9/check.c ++++ b/lib/bind9/check.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2572,6 +2573,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { + } + + algorithm = cfg_obj_asstring(algobj); ++#ifndef PK11_MD5_DISABLE ++ /* Skip hmac-md5* algorithms */ ++ if (isc_md5_available() == ISC_FALSE && ++ strncasecmp(algorithm, "hmac-md5", 8) == 0) { ++ cfg_obj_log(algobj, logctx, ISC_LOG_ERROR, ++ "disabled algorithm '%s'", algorithm); ++ return (ISC_R_DISABLED); ++ } ++#endif + for (i = 0; algorithms[i].name != NULL; i++) { + len = strlen(algorithms[i].name); + if (strncasecmp(algorithms[i].name, algorithm, len) == 0 && +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index 4f3d6ac55c..dbece0ac56 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -190,6 +190,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + dst_result_register(); + + memset(dst_t_func, 0, sizeof(dst_t_func)); ++ ++#ifdef OPENSSL ++ RETERR(dst__openssl_init(engine)); ++#elif PKCS11CRYPTO ++ RETERR(dst__pkcs11_init(mctx, engine)); ++#endif + #ifndef PK11_MD5_DISABLE + RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); + #endif +@@ -199,7 +205,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); + RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); + #ifdef OPENSSL +- RETERR(dst__openssl_init(engine)); + #ifndef PK11_MD5_DISABLE + RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], + DST_ALG_RSAMD5)); +@@ -233,14 +238,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + 
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); + #endif + #elif PKCS11CRYPTO +- RETERR(dst__pkcs11_init(mctx, engine)); + #ifndef PK11_MD5_DISABLE +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5], ++ DST_ALG_RSAMD5)); + #endif +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256])); +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1], ++ DST_ALG_RSASHA1)); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1], ++ DST_ALG_NSEC3RSASHA1)); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256], ++ DST_ALG_RSASHA256)); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512], ++ DST_ALG_RSASHA512)); + #ifndef PK11_DSA_DISABLE + RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); + RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); +diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h +index 640519a5ba..deb7ed4e13 100644 +--- a/lib/dns/dst_internal.h ++++ b/lib/dns/dst_internal.h +@@ -245,7 +245,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); + isc_result_t dst__hmacsha512_init(struct dst_func **funcp); + isc_result_t dst__opensslrsa_init(struct dst_func **funcp, + unsigned char algorithm); +-isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp); ++isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp, ++ unsigned char algorithm); + #ifndef PK11_DSA_DISABLE + isc_result_t dst__openssldsa_init(struct dst_func **funcp); + isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); +diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c +index b0e5c895c6..03f2b8ace8 100644 +--- a/lib/dns/dst_parse.c ++++ b/lib/dns/dst_parse.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ 
-393,6 +394,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, + switch (alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available()) ++ return (check_rsa(priv, external)); ++ else ++ return (DST_R_UNSUPPORTEDALG); + #endif + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: +@@ -418,7 +423,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, + return (check_eddsa(priv, external)); + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- return (check_hmac_md5(priv, old)); ++ if (isc_md5_available()) ++ return (check_hmac_md5(priv, old)); ++ else ++ return (DST_R_UNSUPPORTEDALG); + #endif + case DST_ALG_HMACSHA1: + return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg)); +@@ -637,11 +645,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, + } + + #ifdef PK11_MD5_DISABLE +- check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, +- ISC_TRUE, external); ++ if (alg == DST_ALG_RSA) ++ alg = DST_ALG_RSASHA1; + #else +- check = check_data(priv, alg, ISC_TRUE, external); ++ if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA) ++ alg = DST_ALG_RSASHA1; + #endif ++ check = check_data(priv, alg, ISC_TRUE, external); + if (check < 0) { + ret = DST_R_INVALIDPRIVATEKEY; + goto fail; +diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c +index 59aa4705e5..21bfa44450 100644 +--- a/lib/dns/hmac_link.c ++++ b/lib/dns/hmac_link.c +@@ -338,25 +338,17 @@ static dst_func_t hmacmd5_functions = { + + isc_result_t + dst__hmacmd5_init(dst_func_t **funcp) { +-#ifdef HAVE_FIPS_MODE + /* +- * Problems from OpenSSL are likely from FIPS mode ++ * Prevent use of incorrect crypto + */ +- int fips_mode = FIPS_mode(); +- +- if (fips_mode != 0) { +- UNEXPECTED_ERROR(__FILE__, __LINE__, +- "FIPS mode is %d: MD5 is only supported " +- "if the value is 0.\n" +- "Please disable either FIPS mode or MD5.", +- fips_mode); ++ ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ /* 
Intentionally skip initialization */ ++ return (ISC_R_SUCCESS); + } + #endif + +- /* +- * Prevent use of incorrect crypto +- */ +- + RUNTIME_CHECK(isc_md5_check(ISC_FALSE)); + RUNTIME_CHECK(isc_hmacmd5_check(0)); + +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index f4847bbe74..126cebca19 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -1801,6 +1801,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { + + if (*funcp == NULL) { + switch (algorithm) { ++#ifndef PK11_MD5_DISABLE ++ case DST_ALG_RSAMD5: ++ if (isc_md5_available()) ++ *funcp = &opensslrsa_functions; ++ break; ++#endif + case DST_ALG_RSASHA256: + #if defined(HAVE_EVP_SHA256) || !USE_EVP + *funcp = &opensslrsa_functions; +diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c +index 56955203e9..af6008d4dd 100644 +--- a/lib/dns/pkcs11rsa_link.c ++++ b/lib/dns/pkcs11rsa_link.c +@@ -94,10 +94,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { + #endif + + /* +- * Reject incorrect RSA key lengths. ++ * Reject incorrect RSA key lengths or disabled algorithms. 
+ */ + switch (dctx->key->key_alg) { + case DST_ALG_RSAMD5: ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++#endif ++ /* FALLTHROUGH */ + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + /* From RFC 3110 */ +@@ -634,6 +639,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { + switch (key->key_alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++ + mech.mechanism = CKM_MD5; + break; + #endif +@@ -790,6 +798,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { + switch (key->key_alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++ + der = md5_der; + derlen = sizeof(md5_der); + hashlen = ISC_MD5_DIGESTLENGTH; +@@ -1014,6 +1025,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + switch (key->key_alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++ + der = md5_der; + derlen = sizeof(md5_der); + hashlen = ISC_MD5_DIGESTLENGTH; +@@ -2217,11 +2231,22 @@ static dst_func_t pkcs11rsa_functions = { + }; + + isc_result_t +-dst__pkcs11rsa_init(dst_func_t **funcp) { ++dst__pkcs11rsa_init(dst_func_t **funcp, unsigned char algorithm) { + REQUIRE(funcp != NULL); + +- if (*funcp == NULL) +- *funcp = &pkcs11rsa_functions; ++ if (*funcp == NULL) { ++ switch (algorithm) { ++#ifndef PK11_MD5_DISABLE ++ case DST_ALG_RSAMD5: ++ if (isc_md5_available()) ++ *funcp = &pkcs11rsa_functions; ++ break; ++#endif ++ default: ++ *funcp = &pkcs11rsa_functions; ++ break; ++ } ++ } + return (ISC_R_SUCCESS); + } + +diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c +index 937d8fc1ec..d1fa8d5870 100644 +--- a/lib/dns/rcode.c ++++ b/lib/dns/rcode.c +@@ -14,6 +14,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -347,17 +348,33 @@ dns_cert_totext(dns_cert_t cert, 
isc_buffer_t *target) { + return (dns_mnemonic_totext(cert, target, certs)); + } + ++static inline struct tbl * ++secalgs_tbl_start() { ++ struct tbl *algs = secalgs; ++ ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ while (algs->name != NULL && ++ algs->value == DNS_KEYALG_RSAMD5) ++ ++algs; ++ } ++#endif ++ return algs; ++} ++ + isc_result_t + dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) { + unsigned int value; +- RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff)); ++ ++ RETERR(dns_mnemonic_fromtext(&value, source, ++ secalgs_tbl_start(), 0xff)); + *secalgp = value; + return (ISC_R_SUCCESS); + } + + isc_result_t + dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) { +- return (dns_mnemonic_totext(secalg, target, secalgs)); ++ return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start())); + } + + void +diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c +index 224cf5b475..44040dd8b7 100644 +--- a/lib/dns/tests/rsa_test.c ++++ b/lib/dns/tests/rsa_test.c +@@ -19,6 +19,7 @@ + #include + #include + ++#include + #include + #include + +@@ -225,23 +226,25 @@ ATF_TC_BODY(isc_rsa_verify, tc) { + /* RSAMD5 */ + + #ifndef PK11_MD5_DISABLE +- key->key_alg = DST_ALG_RSAMD5; ++ if (isc_md5_available()) { ++ key->key_alg = DST_ALG_RSAMD5; + +- ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, +- ISC_FALSE, &ctx); +- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); ++ ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, ++ ISC_FALSE, &ctx); ++ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + +- r.base = d; +- r.length = 10; +- ret = dst_context_adddata(ctx, &r); +- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); ++ r.base = d; ++ r.length = 10; ++ ret = dst_context_adddata(ctx, &r); ++ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + +- r.base = sigmd5; +- r.length = 256; +- ret = dst_context_verify(ctx, &r); +- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); ++ r.base = sigmd5; ++ r.length = 256; ++ ret = dst_context_verify(ctx, 
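Review bot: `secalgs_tbl_start` only skips RSAMD5 entries that sit at the very head of `secalgs`, so the filtering silently stops working if the table is ever reordered or an RSAMD5 alias is listed later; the table itself is outside the hunk. A comment on the loop, `/* Assumes RSAMD5 entries are first in secalgs; keep them there. */`, makes that dependency visible. Applying the filtered table to `dns_secalg_totext` as well means a DNSKEY or RRSIG with algorithm 1 received on the wire is printed as a bare `1` instead of `RSAMD5`, which hurts diagnostics without preventing anything — I would restrict the filter to `dns_secalg_fromtext` and keep `secalgs` in totext. Minor: the definition `secalgs_tbl_start()` should take `(void)`.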
&r); ++ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + +- dst_context_destroy(&ctx); ++ dst_context_destroy(&ctx); ++ } + #endif + + /* RSASHA256 */ +diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c +index ee025c2387..c403d9954d 100644 +--- a/lib/dns/tests/tsig_test.c ++++ b/lib/dns/tests/tsig_test.c +@@ -14,6 +14,7 @@ + #include + #include + ++#include + #include + #include + +diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c +index d9f68e50b1..a8edde47b5 100644 +--- a/lib/dns/tkey.c ++++ b/lib/dns/tkey.c +@@ -242,6 +242,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, + unsigned char digests[32]; + unsigned int i; + ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_NOTIMPLEMENTED); ++ + isc_buffer_usedregion(shared, &r); + + /* +@@ -318,6 +321,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, + } + + #ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ tkey_log("process_dhtkey: MD5 was disabled"); ++ tkeyout->error = dns_tsigerror_badalg; ++ return (ISC_R_SUCCESS); ++ } ++ + if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) { + tkey_log("process_dhtkey: algorithms other than " + "hmac-md5 are not supported"); +diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c +index a367291f23..37baad7437 100644 +--- a/lib/dns/tsec.c ++++ b/lib/dns/tsec.c +@@ -11,6 +11,7 @@ + + #include + ++#include + #include + #include + +@@ -63,7 +64,12 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, + switch (dst_key_alg(key)) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- algname = dns_tsig_hmacmd5_name; ++ if (isc_md5_available()) { ++ algname = dns_tsig_hmacmd5_name; ++ } else { ++ isc_mem_put(mctx, tsec, sizeof(*tsec)); ++ return (DNS_R_BADALG); ++ } + break; + #endif + case DST_ALG_HMACSHA1: +diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c +index bdcc581bc3..70805bb709 100644 +--- a/lib/dns/tsig.c ++++ b/lib/dns/tsig.c +@@ -270,7 +270,8 @@ 
dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, + (void)dns_name_downcase(&tkey->name, &tkey->name, NULL); + + #ifndef PK11_MD5_DISABLE +- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { ++ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && ++ isc_md5_available()) { + tkey->algorithm = DNS_TSIG_HMACMD5_NAME; + if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) { + ret = DNS_R_BADALG; +@@ -496,7 +497,8 @@ destroyring(dns_tsig_keyring_t *ring) { + static unsigned int + dst_alg_fromname(dns_name_t *algorithm) { + #ifndef PK11_MD5_DISABLE +- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { ++ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && ++ isc_md5_available()) { + return (DST_ALG_HMACMD5); + } else + #endif +@@ -680,7 +682,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, + REQUIRE(secret != NULL); + + #ifndef PK11_MD5_DISABLE +- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { ++ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && ++ isc_md5_available()) { + if (secret != NULL) { + isc_buffer_t b; + +@@ -1280,7 +1283,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + return (ret); + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || +@@ -1449,7 +1452,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || +@@ -1590,7 +1593,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + goto cleanup_querystruct; + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == 
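Review bot: In `dns_tsigkey_createfromkey`, adding `&& isc_md5_available()` to the hmac-md5 test means a configured hmac-md5 key now falls through to whatever the trailing else branch of this if/else chain does, and nothing is logged about why; that branch is outside the hunk. In FIPS mode this turns every `key { algorithm hmac-md5; }` statement, and the hmac-md5 default that `dig -y name:secret` relies on (the test patch below is changing exactly those invocations), into an opaque rejection, so I would log it once where the name matches but MD5 is unavailable, e.g. `tsig_log(NULL, 2, "hmac-md5 requested but MD5 is disabled");` using whatever logging helper tsig.c already has — the process_dhtkey hunk in tkey.c does log this condition. The identical `&& isc_md5_available()` pattern is repeated in `dst_alg_fromname`, `dns_tsigkey_create` and four verify sites in this file; a single helper such as `hmacmd5_usable(algorithm)` would keep them from drifting apart.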
DST_ALG_HMACSHA224 || +@@ -1769,7 +1772,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + goto cleanup_context; + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || +diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h +index e5f46dd9c7..9d11f9f8b6 100644 +--- a/lib/isc/include/isc/md5.h ++++ b/lib/isc/include/isc/md5.h +@@ -89,6 +89,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); + isc_boolean_t + isc_md5_check(isc_boolean_t testing); + ++isc_boolean_t ++isc_md5_available(void); ++ + ISC_LANG_ENDDECLS + + #endif /* !PK11_MD5_DISABLE */ +diff --git a/lib/isc/md5.c b/lib/isc/md5.c +index 740d863b1b..aefd16478f 100644 +--- a/lib/isc/md5.c ++++ b/lib/isc/md5.c +@@ -35,6 +35,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -53,6 +54,9 @@ + #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) + #endif + ++static isc_once_t available_once = ISC_ONCE_INIT; ++static isc_boolean_t available = ISC_FALSE; ++ + void + isc_md5_init(isc_md5_t *ctx) { + ctx->ctx = EVP_MD_CTX_new(); +@@ -84,8 +88,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { + ctx->ctx = NULL; + } + ++static void ++do_detect_available() { ++ isc_md5_t local; ++ isc_md5_t *ctx = &local; ++ unsigned char digest[ISC_MD5_DIGESTLENGTH]; ++ ++ ctx->ctx = EVP_MD_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ available = ISC_TF(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); ++ if (available) ++ (void)EVP_DigestFinal(ctx->ctx, digest, NULL); ++ EVP_MD_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; ++} ++ ++isc_boolean_t ++isc_md5_available() { ++ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) ++ == ISC_R_SUCCESS); ++ return available; ++} ++ + #elif PKCS11CRYPTO + ++static isc_once_t available_once = ISC_ONCE_INIT; ++static isc_boolean_t available = ISC_FALSE; ++ + void + isc_md5_init(isc_md5_t *ctx) 
{ + CK_RV rv; +@@ -128,6 +157,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { + pk11_return_session(ctx); + } + ++static void ++do_detect_available() { ++ isc_md5_t local; ++ isc_md5_t *ctx = &local; ++ CK_RV rv; ++ CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; ++ ++ if (pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, ++ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS) ++ { ++ rv = pkcs_C_DigestInit(ctx->session, &mech); ++ isc_md5_invalidate(ctx); ++ available = (ISC_TF(rv == CKR_OK)); ++ } else { ++ available = ISC_FALSE; ++ } ++} ++ ++isc_boolean_t ++isc_md5_available() { ++ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) ++ == ISC_R_SUCCESS); ++ return available; ++} ++ + #else + + static void +@@ -337,6 +391,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { + memmove(digest, ctx->buf, 16); + isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */ + } ++ ++isc_boolean_t ++isc_md5_available() { ++ return ISC_TRUE; ++} + #endif + + /* +diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c +index fc75a46154..48e1031974 100644 +--- a/lib/isc/pk11.c ++++ b/lib/isc/pk11.c +@@ -191,13 +191,12 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + LOCK(&alloclock); + if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) + isc_mem_attach(mctx, &pk11_mctx); ++ UNLOCK(&alloclock); ++ ++ LOCK(&sessionlock); + if (initialized) { +- UNLOCK(&alloclock); +- return (ISC_R_SUCCESS); +- } else { +- LOCK(&sessionlock); +- initialized = ISC_TRUE; +- UNLOCK(&alloclock); ++ result = ISC_R_SUCCESS; ++ goto unlock; + } + + ISC_LIST_INIT(tokens); +@@ -237,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + } + #endif + #endif /* PKCS11CRYPTO */ ++ initialized = ISC_TRUE; + result = ISC_R_SUCCESS; + unlock: + UNLOCK(&sessionlock); +@@ -273,9 +273,14 @@ pk11_finalize(void) { + pk11_mem_put(token, sizeof(*token)); + token = next; + } ++ LOCK(&alloclock); + if (pk11_mctx != NULL) + isc_mem_detach(&pk11_mctx); ++ 
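Review bot: In the OpenSSL `do_detect_available`, a failed `EVP_DigestInit(ctx->ctx, EVP_md5())` — the expected outcome in FIPS mode — leaves an entry on the thread's OpenSSL error queue that nothing here clears, so the next caller that inspects `ERR_get_error()` may attribute a stale "disabled for FIPS" error to its own operation. Add `ERR_clear_error();` after the `EVP_DigestInit` call (and include openssl/err.h if this file does not already). The result is cached for the life of the process by `isc_once_do`, which is fine for a FIPS switch but means the probe must run after any library/engine initialisation that can change the set of enabled digests; a comment stating that ordering assumption would help. Minor: `do_detect_available()` and `isc_md5_available()` are defined with empty parameter lists while the header declares `isc_md5_available(void)`; use `(void)` in both definitions.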
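Review bot: In the PKCS#11 `do_detect_available`, when `pkcs_C_DigestInit` returns CKR_OK the session is left with an active digest operation and is then passed to `isc_md5_invalidate(ctx)`; unless that helper finishes or cancels the operation (its body is outside the hunk, and the neighbouring `isc_md5_final` context shows sessions go back to the pool via `pk11_return_session`), the next borrower of this session will get CKR_OPERATION_ACTIVE from its own `C_*Init`. Finish the probe before the session is returned, e.g. `if (rv == CKR_OK) { unsigned char d[ISC_MD5_DIGESTLENGTH]; CK_ULONG l = sizeof(d); (void)pkcs_C_DigestFinal(ctx->session, d, &l); }` ahead of the `isc_md5_invalidate` call. Note also that a transient `pk11_get_session` failure (no token present at startup) is cached as "MD5 unavailable" for the rest of the process; that is a reasonable fail-closed default, but deserves a comment so it is not mistaken for a bug later.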
UNLOCK(&alloclock); ++ ++ LOCK(&sessionlock); + initialized = ISC_FALSE; ++ UNLOCK(&sessionlock); + return (ret); + } + +@@ -589,6 +594,8 @@ scan_slots(void) { + pk11_token_t *token; + unsigned int i; + isc_boolean_t bad; ++ unsigned int best_rsa_algorithms = 0; ++ unsigned int best_digest_algorithms = 0; + + slotCount = 0; + PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); +@@ -601,6 +608,8 @@ scan_slots(void) { + PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount)); + + for (i = 0; i < slotCount; i++) { ++ unsigned int rsa_algorithms = 0; ++ unsigned int digest_algorithms = 0; + slot = slotList[i]; + PK11_TRACE2("slot#%u=0x%lx\n", i, slot); + +@@ -640,11 +649,12 @@ scan_slots(void) { + if ((rv != CKR_OK) || + ((mechInfo.flags & CKF_SIGN) == 0) || + ((mechInfo.flags & CKF_VERIFY) == 0)) { +-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) +- bad = ISC_TRUE; +-#endif + PK11_TRACEM(CKM_MD5_RSA_PKCS); + } ++#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) ++ else ++ ++rsa_algorithms; ++#endif + rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, + &mechInfo); + if ((rv != CKR_OK) || +@@ -687,8 +697,14 @@ scan_slots(void) { + if (bad) + goto try_dsa; + token->operations |= 1 << OP_RSA; +- if (best_rsa_token == NULL) ++ if (best_rsa_token == NULL) { ++ best_rsa_token = token; ++ best_rsa_algorithms = rsa_algorithms; ++ } else if (rsa_algorithms > best_rsa_algorithms) { ++ pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token)); + best_rsa_token = token; ++ best_rsa_algorithms = rsa_algorithms; ++ } + + try_dsa: + bad = ISC_FALSE; +@@ -756,11 +772,12 @@ scan_slots(void) { + bad = ISC_FALSE; + rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { +-#ifndef PK11_MD5_DISABLE +- bad = ISC_TRUE; +-#endif + PK11_TRACEM(CKM_MD5); + } ++#ifndef PK11_MD5_DISABLE ++ else ++ ++digest_algorithms; ++#endif + rv = pkcs_C_GetMechanismInfo(slot, 
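Review bot: The new `pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token));` in `scan_slots` frees a token struct that, as far as I can tell, is still linked into the `tokens` list and may also be referenced by `digest_token` or another best_*_token pointer recorded for an earlier slot, so it becomes a use-after-free and a double free when `pk11_finalize` (visible earlier in this patch) walks `tokens` and frees each entry. The list append is outside this hunk, so please confirm, but in upstream `scan_slots` every token is appended to `tokens` immediately after allocation. The fix is to drop the `pk11_mem_put` line and only reassign `best_rsa_token` and `best_rsa_algorithms`: the list owns the token, and a slot that is not the best for RSA is still a valid token for the other operations it advertised. The same pattern is repeated for `digest_token` in the `@@ -830,8 +848,14 @@` hunk further down and needs the same change.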
CKM_SHA_1, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { + bad = ISC_TRUE; +@@ -788,11 +805,12 @@ scan_slots(void) { + } + rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { +-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) +- bad = ISC_TRUE; +-#endif + PK11_TRACEM(CKM_MD5_HMAC); + } ++#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) ++ else ++ ++digest_algorithms; ++#endif + rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { + #ifndef PK11_SHA_1_HMAC_REPLACE +@@ -830,8 +848,14 @@ scan_slots(void) { + } + if (!bad) { + token->operations |= 1 << OP_DIGEST; +- if (digest_token == NULL) ++ if (digest_token == NULL) { ++ digest_token = token; ++ best_digest_algorithms = digest_algorithms; ++ } else if (digest_algorithms > best_digest_algorithms) { ++ pk11_mem_put(digest_token, sizeof(*digest_token)); + digest_token = token; ++ best_digest_algorithms = digest_algorithms; ++ } + } + + /* ECDSA requires digest */ +diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c +index 18759903be..6bc45b1ad3 100644 +--- a/lib/isc/tests/hash_test.c ++++ b/lib/isc/tests/hash_test.c +@@ -2008,7 +2008,8 @@ ATF_TP_ADD_TCS(tp) { + * various cryptographic hashes. 
+ */ + #ifndef PK11_MD5_DISABLE +- ATF_TP_ADD_TC(tp, md5_check); ++ if (isc_md5_available()) ++ ATF_TP_ADD_TC(tp, md5_check); + #endif + ATF_TP_ADD_TC(tp, sha1_check); + +@@ -2016,7 +2017,8 @@ ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_hash_function_reverse); + ATF_TP_ADD_TC(tp, isc_hash_initializer); + #ifndef PK11_MD5_DISABLE +- ATF_TP_ADD_TC(tp, isc_hmacmd5); ++ if (isc_md5_available()) ++ ATF_TP_ADD_TC(tp, isc_hmacmd5); + #endif + ATF_TP_ADD_TC(tp, isc_hmacsha1); + ATF_TP_ADD_TC(tp, isc_hmacsha224); +@@ -2024,7 +2026,8 @@ ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_hmacsha384); + ATF_TP_ADD_TC(tp, isc_hmacsha512); + #ifndef PK11_MD5_DISABLE +- ATF_TP_ADD_TC(tp, isc_md5); ++ if (isc_md5_available()) ++ ATF_TP_ADD_TC(tp, isc_md5); + #endif + ATF_TP_ADD_TC(tp, isc_sha1); + ATF_TP_ADD_TC(tp, isc_sha224); +diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c +index 7225ab4a37..42b30466be 100644 +--- a/lib/isccc/cc.c ++++ b/lib/isccc/cc.c +@@ -270,11 +270,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, + switch (algorithm) { + #ifndef PK11_MD5_DISABLE + case ISCCC_ALG_HMACMD5: +- isc_hmacmd5_init(&ctx.hmd5, secret->rstart, +- REGION_SIZE(*secret)); +- isc_hmacmd5_update(&ctx.hmd5, data, length); +- isc_hmacmd5_sign(&ctx.hmd5, digest); +- source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ if (isc_md5_available()) { ++ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacmd5_update(&ctx.hmd5, data, length); ++ isc_hmacmd5_sign(&ctx.hmd5, digest); ++ source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ } else { ++ return (ISC_R_FAILURE); ++ } + break; + #endif + +@@ -348,14 +352,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, + { + unsigned int hmac_base, signed_base; + isc_result_t result; ++ const isc_boolean_t md5 = ISC_TF(algorithm == ISCCC_ALG_HMACMD5); + + #ifndef PK11_MD5_DISABLE ++ if (md5 && isc_md5_available() == ISC_FALSE) ++ return (ISC_R_NOTIMPLEMENTED); ++ + result = isc_buffer_reserve(buffer, +- 
4 + ((algorithm == ISCCC_ALG_HMACMD5) ? ++ 4 + ((md5) ? + sizeof(auth_hmd5) : + sizeof(auth_hsha))); + #else +- if (algorithm == ISCCC_ALG_HMACMD5) ++ if (md5) + return (ISC_R_NOTIMPLEMENTED); + result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha)); + #endif +@@ -374,7 +382,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, + * we know what it is. + */ + #ifndef PK11_MD5_DISABLE +- if (algorithm == ISCCC_ALG_HMACMD5) { ++ if (md5) { + hmac_base = (*buffer)->used + HMD5_OFFSET; + isc_buffer_putmem(*buffer, + auth_hmd5, sizeof(auth_hmd5)); +@@ -440,7 +448,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + if (!isccc_alist_alistp(_auth)) + return (ISC_R_FAILURE); + #ifndef PK11_MD5_DISABLE +- if (algorithm == ISCCC_ALG_HMACMD5) ++ if (algorithm == ISCCC_ALG_HMACMD5 && isc_md5_available()) + hmac = isccc_alist_lookup(_auth, "hmd5"); + else + #endif +@@ -455,12 +463,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + switch (algorithm) { + #ifndef PK11_MD5_DISABLE + case ISCCC_ALG_HMACMD5: +- isc_hmacmd5_init(&ctx.hmd5, secret->rstart, +- REGION_SIZE(*secret)); +- isc_hmacmd5_update(&ctx.hmd5, data, length); +- isc_hmacmd5_sign(&ctx.hmd5, digest); +- source.rend = digest + ISC_MD5_DIGESTLENGTH; +- break; ++ if (isc_md5_available()) { ++ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacmd5_update(&ctx.hmd5, data, length); ++ isc_hmacmd5_sign(&ctx.hmd5, digest); ++ source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ break; ++ } else { ++ return (ISC_R_FAILURE); ++ } + #endif + + case ISCCC_ALG_HMACSHA1: +-- +2.14.4 + diff --git a/SOURCES/bind-9.11-fips-tests.patch b/SOURCES/bind-9.11-fips-tests.patch new file mode 100644 index 0000000..f7a998d --- /dev/null +++ b/SOURCES/bind-9.11-fips-tests.patch 
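Review bot: In `verify`, when `algorithm == ISCCC_ALG_HMACMD5` but MD5 is unavailable, the amended condition makes the code look up `"hsha"` in the `_auth` alist of a message that was declared MD5-authenticated, and only the later switch case rejects it; the message is refused either way, but the two checks disagree about what an MD5 request means, and the `break` inside the `if` with a `return` in the `else` is easy to misread. I would reject the unsupported algorithm once at the top of `verify` — `if (algorithm == ISCCC_ALG_HMACMD5 && !isc_md5_available()) return (ISC_R_NOTIMPLEMENTED);` — and leave the lookup and the switch as they were. That also aligns the result code with `isccc_cc_towire`, which returns ISC_R_NOTIMPLEMENTED for the same condition, whereas `sign()` in this file returns ISC_R_FAILURE.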
@@ -0,0 +1,1781 @@ +From 35b53607724ec4b5d4060385218c39ccd0d78a4d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 2 Aug 2018 23:46:45 +0200 +Subject: [PATCH 2/2] Squashed commit of the following: +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa +Author: Petr Menšík +Date: Wed Mar 7 20:35:13 2018 +0100 + + Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available. + +commit ab303db70082db76ecf36493d0b82ef3e8750cad +Author: Petr Menšík +Date: Wed Mar 7 18:11:10 2018 +0100 + + Changed root key to be RSASHA256 + + Change bad trusted key to be the same algorithm. + +commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8 +Author: Petr Menšík +Date: Wed Mar 7 16:56:17 2018 +0100 + + Change used key to not use hmac-md5 + + Fix upforwd test, do not use hmac-md5 + +commit aec891571626f053acfb4d0a247240cbc21a84e9 +Author: Petr Menšík +Date: Wed Mar 7 15:54:11 2018 +0100 + + Increase bitsize of DSA key to pass FIPS 140-2 mode. + +commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696 +Author: Petr Menšík +Date: Wed Mar 7 15:41:08 2018 +0100 + + Fix tsig and rndc tests for disabled md5 + + Use hmac-sha256 instead of hmac-md5. 
+ +commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67 +Author: Petr Menšík +Date: Wed Mar 7 13:21:00 2018 +0100 + + Add md5 availability detection to featuretest + +commit f389a918803e2853e4b55fed62765dc4a492e34f +Author: Petr Menšík +Date: Wed Mar 7 10:44:23 2018 +0100 + + Change tests to not use hmac-md5 algorithms if not required + + Use hmac-sha256 instead of default hmac-md5 for allow-query +--- + bin/tests/system/acl/ns2/named1.conf.in | 4 +- + bin/tests/system/acl/ns2/named2.conf.in | 4 +- + bin/tests/system/acl/ns2/named3.conf.in | 6 +-- + bin/tests/system/acl/ns2/named4.conf.in | 4 +- + bin/tests/system/acl/ns2/named5.conf.in | 4 +- + bin/tests/system/acl/tests.sh | 32 +++++------ + bin/tests/system/allow-query/ns2/named10.conf.in | 2 +- + bin/tests/system/allow-query/ns2/named11.conf.in | 4 +- + bin/tests/system/allow-query/ns2/named12.conf.in | 2 +- + bin/tests/system/allow-query/ns2/named30.conf.in | 2 +- + bin/tests/system/allow-query/ns2/named31.conf.in | 4 +- + bin/tests/system/allow-query/ns2/named32.conf.in | 2 +- + bin/tests/system/allow-query/ns2/named40.conf.in | 4 +- + bin/tests/system/allow-query/tests.sh | 18 +++---- + bin/tests/system/catz/ns1/named.conf.in | 2 +- + bin/tests/system/catz/ns2/named.conf.in | 2 +- + bin/tests/system/checkconf/bad-tsig.conf | 2 +- + bin/tests/system/checkconf/good.conf | 2 +- + bin/tests/system/digdelv/ns2/example.db | 15 +++--- + bin/tests/system/digdelv/tests.sh | 28 +++++----- + bin/tests/system/dlv/ns1/sign.sh | 4 +- + bin/tests/system/dlv/ns2/sign.sh | 4 +- + bin/tests/system/dlv/ns3/sign.sh | 69 ++++++++++++------------ + bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++++----------- + bin/tests/system/dnssec/ns1/sign.sh | 4 +- + bin/tests/system/dnssec/ns2/sign.sh | 12 ++--- + bin/tests/system/dnssec/ns3/sign.sh | 20 +++---- + bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +- + bin/tests/system/dnssec/tests.sh | 8 +-- + bin/tests/system/feature-test.c | 14 +++++ + bin/tests/system/filter-aaaa/ns1/sign.sh | 
4 +- + bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +- + bin/tests/system/notify/ns5/named.conf.in | 6 +-- + bin/tests/system/notify/tests.sh | 6 +-- + bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- + bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- + bin/tests/system/nsupdate/setup.sh | 7 ++- + bin/tests/system/nsupdate/tests.sh | 11 +++- + bin/tests/system/rndc/setup.sh | 2 +- + bin/tests/system/rndc/tests.sh | 23 ++++---- + bin/tests/system/tsig/clean.sh | 1 + + bin/tests/system/tsig/ns1/named.conf.in | 10 +--- + bin/tests/system/tsig/ns1/rndc5.conf.in | 11 ++++ + bin/tests/system/tsig/setup.sh | 4 ++ + bin/tests/system/tsig/tests.sh | 67 ++++++++++++++--------- + bin/tests/system/tsiggss/setup.sh | 2 +- + bin/tests/system/upforwd/ns1/named.conf.in | 2 +- + bin/tests/system/upforwd/tests.sh | 2 +- + 48 files changed, 287 insertions(+), 225 deletions(-) + create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + +diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in +index 0ea6502708..026db3f134 100644 +--- a/bin/tests/system/acl/ns2/named1.conf.in ++++ b/bin/tests/system/acl/ns2/named1.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in +index b877880554..d8f50be255 100644 +--- a/bin/tests/system/acl/ns2/named2.conf.in ++++ b/bin/tests/system/acl/ns2/named2.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in +index 0a950622a2..aa54088138 100644 +--- 
a/bin/tests/system/acl/ns2/named3.conf.in ++++ b/bin/tests/system/acl/ns2/named3.conf.in +@@ -33,17 +33,17 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key three { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in +index 7cdcb6e341..606a3452d8 100644 +--- a/bin/tests/system/acl/ns2/named4.conf.in ++++ b/bin/tests/system/acl/ns2/named4.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in +index 4b4e05027a..0e679a821d 100644 +--- a/bin/tests/system/acl/ns2/named5.conf.in ++++ b/bin/tests/system/acl/ns2/named5.conf.in +@@ -34,12 +34,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh +index 09f31f2bb9..f88f0d4430 100644 +--- a/bin/tests/system/acl/tests.sh ++++ b/bin/tests/system/acl/tests.sh +@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" + # key "one" should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + + # any other key should be fine + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. 
\ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + copy_setports ns2/named2.conf.in ns2/named.conf +@@ -39,18 +39,18 @@ sleep 5 + # prefix 10/8 should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # any other address should work, as long as it sends key "one" + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + echo_i "testing nested ACL processing" +@@ -62,31 +62,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. 
\ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # but only one or the other should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` +@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 + # and other values? right out + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two +@@ -108,31 +108,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. 
\ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + echo_i "testing allow-query-on ACL processing" +diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in +index 1569913b37..e9c5c2d574 100644 +--- a/bin/tests/system/allow-query/ns2/named10.conf.in ++++ b/bin/tests/system/allow-query/ns2/named10.conf.in +@@ -12,7 +12,7 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in +index 18ac91c6e7..2b1c8739d8 100644 +--- a/bin/tests/system/allow-query/ns2/named11.conf.in ++++ b/bin/tests/system/allow-query/ns2/named11.conf.in +@@ -12,12 +12,12 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- 
algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in +index b8248444dd..dd48945bf8 100644 +--- a/bin/tests/system/allow-query/ns2/named12.conf.in ++++ b/bin/tests/system/allow-query/ns2/named12.conf.in +@@ -12,7 +12,7 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in +index aeb1540e95..bfce58bddd 100644 +--- a/bin/tests/system/allow-query/ns2/named30.conf.in ++++ b/bin/tests/system/allow-query/ns2/named30.conf.in +@@ -12,7 +12,7 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in +index d4b743281a..e0f52526ba 100644 +--- a/bin/tests/system/allow-query/ns2/named31.conf.in ++++ b/bin/tests/system/allow-query/ns2/named31.conf.in +@@ -12,12 +12,12 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in +index c0259387e7..87afb3fa3a 100644 +--- a/bin/tests/system/allow-query/ns2/named32.conf.in ++++ b/bin/tests/system/allow-query/ns2/named32.conf.in +@@ -12,7 +12,7 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in +index d83b376cfd..d726b9480b 100644 +--- a/bin/tests/system/allow-query/ns2/named40.conf.in 
++++ b/bin/tests/system/allow-query/ns2/named40.conf.in +@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; + acl badaccept { 10.53.0.1; }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh +index fb6059d5b8..f9601564a2 100644 +--- a/bin/tests/system/allow-query/tests.sh ++++ b/bin/tests/system/allow-query/tests.sh +@@ -190,7 +190,7 @@ rndc_reload + + echo_i "test $n: key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -203,7 +203,7 @@ rndc_reload + + echo_i "test $n: key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -216,7 +216,7 @@ rndc_reload + + echo_i "test $n: key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ 
-349,7 +349,7 @@ rndc_reload + + echo_i "test $n: views key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -362,7 +362,7 @@ rndc_reload + + echo_i "test $n: views key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -375,7 +375,7 @@ rndc_reload + + echo_i "test $n: views key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -508,7 +508,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ 
-518,7 +518,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -528,7 +528,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in +index 74b7d371b7..c35376640d 100644 +--- a/bin/tests/system/catz/ns1/named.conf.in ++++ b/bin/tests/system/catz/ns1/named.conf.in +@@ -61,5 +61,5 @@ zone "catalog4.example" { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in +index ee83efbee4..35ced08842 100644 +--- a/bin/tests/system/catz/ns2/named.conf.in ++++ b/bin/tests/system/catz/ns2/named.conf.in +@@ -70,5 +70,5 @@ zone "catalog4.example" { + + key tsig_key. 
{
+ secret "LSAnCU+Z";
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
+index 21be03e9d2..e57c30875c 100644
+--- a/bin/tests/system/checkconf/bad-tsig.conf
++++ b/bin/tests/system/checkconf/bad-tsig.conf
+@@ -11,7 +11,7 @@
+
+ /* Bad secret */
+ key "badtsig" {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "jEdD+BPKg==";
+ };
+
+diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
+index 9ab35b38a5..486551ae64 100644
+--- a/bin/tests/system/checkconf/good.conf
++++ b/bin/tests/system/checkconf/good.conf
+@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
+ system;
+ };
+ key "mykey" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "qwertyuiopasdfgh";
+ };
+diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
+index f4e30f51e5..9f53e31c97 100644
+--- a/bin/tests/system/digdelv/ns2/example.db
++++ b/bin/tests/system/digdelv/ns2/example.db
+@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
+ ;;
+ ;; we are not testing DNSSEC behavior, so we don't care about the semantics
+ ;; of the following records.
+-dnskey 300 DNSKEY 256 3 1 ( +- AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg +- +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD +- Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R +- b9VIE5x7KNHAYTvTO5d4S8M= +- ) ++dnskey 300 DNSKEY 256 3 8 ( ++ AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo ++ EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba ++ zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R ++ qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/ ++ KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld ++ QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG ++ /idCeeQlaLU= ++ ) + + ; TTL of 3 weeks + weeks 1814400 A 10.53.0.2 +diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh +index 1b25c4ddfc..5dbf20a3e1 100644 +--- a/bin/tests/system/digdelv/tests.sh ++++ b/bin/tests/system/digdelv/tests.sh +@@ -62,7 +62,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -70,7 +70,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -78,7 +78,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +rrcomments works for DNSKEY($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY 
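Review bot: The replacement DNSKEY in example.db is the record that the `key id = 36895` and the `T9/n48T75oZLEKtSkG/idCeeQlaLU=` tail asserted in digdelv/tests.sh are derived from, but nothing in the zone file records that coupling, so the next person who swaps this key has to discover those greps by hand. A comment after the existing "we don't care about the semantics" note would make it visible, e.g. `;; digdelv/tests.sh greps for this key's key id and its last base64 chunk; update those checks if the key changes`. The key id itself depends only on the RDATA, so the note does not need to state a value.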
dnskey.example > dig.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -86,7 +86,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -94,7 +94,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +short +nosplit works($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1 ++ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -102,7 +102,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +short +rrcomments works($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1 ++ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -118,7 +118,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +short +rrcomments works($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1 ++ grep "aLU= ; ZSK; alg = RSASHA256 ; 
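Review bot: The `$` anchor added to the two positive dig +rrcomments checks here (hunks -78 and -86, `grep "; ZSK; alg = RSASHA256 ; key id = 36895$"`) is not carried over to their delv counterparts at -559 and -567, which still grep `key id = 36895` unanchored. The dig and delv cases are written as mirror images, so either both sides should be anchored or neither; the anchor is the better choice because an unanchored numeric match would also accept a longer key id. The negative checks at -62/-70 and -543/-551 are consistent with each other and can stay as they are.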
key id = 36895$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -543,7 +543,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -551,7 +551,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -559,7 +559,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +rrcomments works for DNSKEY($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -567,7 +567,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1 + if [ 
$ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -575,7 +575,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +short +rrcomments works ($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1 ++ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -583,7 +583,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +short +nosplit works ($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1 ++ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1 + if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi + f=`awk '{print NF}' < delv.out.test$n` + test "${f:-0}" -eq 14 || ret=1 +@@ -594,7 +594,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +short +nosplit +norrcomments works ($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || ret=1 ++ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1 + if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi + f=`awk '{print NF}' < delv.out.test$n` + test "${f:-0}" -eq 4 || ret=1 +diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh +index b8151620cc..2a62e583b8 100755 +--- a/bin/tests/system/dlv/ns1/sign.sh ++++ b/bin/tests/system/dlv/ns1/sign.sh +@@ -23,8 +23,8 @@ infile=root.db.in + zonefile=root.db + outfile=root.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> 
/dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh +index 6f84d7a525..e128303a22 100755 +--- a/bin/tests/system/dlv/ns2/sign.sh ++++ b/bin/tests/system/dlv/ns2/sign.sh +@@ -24,8 +24,8 @@ zonefile=druz.db + outfile=druz.pre + dlvzone=utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh +index bcc9922e26..846dbcc0df 100755 +--- a/bin/tests/system/dlv/ns3/sign.sh ++++ b/bin/tests/system/dlv/ns3/sign.sh +@@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh" + dlvzone=dlv.utld. + dlvsets= + dssets= ++bits=1024 + + zone=child1.utld. 
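Review bot: dlv/ns1/sign.sh and dlv/ns2/sign.sh hard-code `-b 1024` in both KEYGEN lines, while the ns3 and ns6 scripts in the same series introduce `bits=1024` and reference `$bits`; the four scripts set up one test and the key size should be adjustable in one place. Adding `bits=1024` beside the `zonefile=` assignment and writing `-b $bits` in both lines would match the other two scripts. The rest of each script is outside the hunk.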
+ infile=child.db.in +@@ -26,8 +27,8 @@ zonefile=child1.utld.db + outfile=child1.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -42,8 +43,8 @@ zonefile=child3.utld.db + outfile=child3.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -58,8 +59,8 @@ zonefile=child4.utld.db + outfile=child4.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -73,8 +74,8 @@ zonefile=child5.utld.db + outfile=child5.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -88,8 +89,8 @@ infile=child.db.in + zonefile=child7.utld.db + outfile=child7.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -103,8 +104,8 @@ infile=child.db.in + zonefile=child8.utld.db + outfile=child8.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -118,8 +119,8 @@ zonefile=child9.utld.db + outfile=child9.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -132,8 +133,8 @@ zonefile=child10.utld.db + outfile=child10.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n 
zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -147,8 +148,8 @@ outfile=child1.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -164,8 +165,8 @@ outfile=child3.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -181,8 +182,8 @@ outfile=child4.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f 
KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -197,8 +198,8 @@ outfile=child5.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -213,8 +214,8 @@ zonefile=child7.druz.db + outfile=child7.druz.signed + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -228,8 +229,8 @@ infile=child.db.in + zonefile=child8.druz.db + outfile=child8.druz.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -243,8 +244,8 @@ zonefile=child9.druz.db + outfile=child9.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 
2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -258,8 +259,8 @@ outfile=child10.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -272,8 +273,8 @@ infile=dlv.db.in + zonefile=dlv.utld.db + outfile=dlv.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh +index 1e398625f1..4ed19acd1f 100755 +--- a/bin/tests/system/dlv/ns6/sign.sh ++++ b/bin/tests/system/dlv/ns6/sign.sh +@@ -16,13 +16,15 @@ SYSTESTDIR=dlv + + echo_i "dlv/ns6/sign.sh" + ++bits=1024 ++ + zone=grand.child1.utld. 
+ infile=child.db.in + zonefile=grand.child1.utld.db + outfile=grand.child1.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db + outfile=grand.child3.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db + outfile=grand.child4.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db + outfile=grand.child5.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db + outfile=grand.child7.signed + dlvzone=dlv.utld. 
+ +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db + outfile=grand.child8.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db + outfile=grand.child9.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db + outfile=grand.child10.signed + dlvzone=dlv.utld. 
+ +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -138,8 +140,8 @@ infile=child.db.in + zonefile=grand.child1.druz.db + outfile=grand.child1.druz.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db + outfile=grand.child3.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db + outfile=grand.child4.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db + outfile=grand.child5.druz.signed + dlvzone=dlv.druz. 
+ +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db + outfile=grand.child7.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db + outfile=grand.child8.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db + outfile=grand.child9.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db + outfile=grand.child10.druz.signed + dlvzone=dlv.druz. 
+ +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh +index 198d60ae15..d89a539ffd 100644 +--- a/bin/tests/system/dnssec/ns1/sign.sh ++++ b/bin/tests/system/dnssec/ns1/sign.sh +@@ -27,7 +27,7 @@ cp ../ns2/dsset-in-addr.arpa$TP . + grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP + cp ../ns6/dsset-optout-tld$TP . + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` + + cat $infile $keyname.key > $zonefile + +@@ -48,6 +48,6 @@ cp managed.conf ../ns4/managed.conf + # + # Save keyid for managed key id test. + # +-keyid=`expr $keyname : 'K.+001+\(.*\)'` ++keyid=`expr $keyname : 'K.+008+\([0-9]*\)'` + keyid=`expr $keyid + 0` + echo "$keyid" > managed.key.id +diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh +index 9078459ac8..9dcd028eb5 100644 +--- a/bin/tests/system/dnssec/ns2/sign.sh ++++ b/bin/tests/system/dnssec/ns2/sign.sh +@@ -29,8 +29,8 @@ do + cp ../ns3/dsset-$subdomain.example$TP . + done + +-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` ++keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` ++keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -89,8 +89,8 @@ zone=in-addr.arpa. 
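Review bot: The example. signing keys in ns2/sign.sh are still generated with `-a DSA -b 1024`, and in a patch whose purpose is FIPS-mode testing that is the one algorithm most likely to be refused by the backend: FIPS 186-4 lists the L=1024/N=160 parameter set for legacy verification only, so a FIPS-enforcing OpenSSL may reject DSA key generation at this size, and RFC 8624 marks DSA as MUST NOT for signing. If DSA coverage here is deliberate (the zones feed the algorithm-roll checks), say so in a comment above the two `$KEYGEN` lines, e.g. `# DSA kept on purpose: exercises algorithm rolling; expect keygen to fail under strict FIPS policy`; otherwise switch to `-a RSASHA256 -b 2048` as ns3/sign.sh does in the same patch. Which behaviour the targeted FIPS provider has should be confirmed before merging.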
+ infile=in-addr.arpa.db.in + zonefile=in-addr.arpa.db + +-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` ++keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` ++keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` + + cat $infile $keyname1.key $keyname2.key >$zonefile + $SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +@@ -101,7 +101,7 @@ privzone=private.secure.example. + privinfile=private.secure.example.db.in + privzonefile=private.secure.example.db + +-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone` ++privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone` + + cat $privinfile $privkeyname.key >$privzonefile + +@@ -115,7 +115,7 @@ dlvinfile=dlv.db.in + dlvzonefile=dlv.db + dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP + +-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone` ++dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone` + + cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile + +diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh +index 330abf7feb..f95a6b7ea8 100644 +--- a/bin/tests/system/dnssec/ns3/sign.sh ++++ b/bin/tests/system/dnssec/ns3/sign.sh +@@ -28,7 +28,7 @@ zone=bogus.example. + infile=bogus.example.db.in + zonefile=bogus.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -38,8 +38,8 @@ zone=dynamic.example. 
+ infile=dynamic.example.db.in + zonefile=dynamic.example.db + +-keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +-keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone` ++keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` ++keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -49,7 +49,7 @@ zone=keyless.example. + infile=generic.example.db.in + zonefile=keyless.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -69,7 +69,7 @@ zone=secure.nsec3.example. + infile=secure.nsec3.example.db.in + zonefile=secure.nsec3.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -82,7 +82,7 @@ zone=nsec3.nsec3.example. + infile=nsec3.nsec3.example.db.in + zonefile=nsec3.nsec3.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -95,7 +95,7 @@ zone=optout.nsec3.example. + infile=optout.nsec3.example.db.in + zonefile=optout.nsec3.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -108,7 +108,7 @@ zone=nsec3.example. + infile=nsec3.example.db.in + zonefile=nsec3.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -121,7 +121,7 @@ zone=secure.optout.example. 
+ infile=secure.optout.example.db.in + zonefile=secure.optout.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -498,7 +498,7 @@ zone=badds.example. + infile=bogus.example.db.in + zonefile=badds.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad +index ed30460bda..e6b112630e 100644 +--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad ++++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad +@@ -10,5 +10,5 @@ + */ + + trusted-keys { +- "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk="; ++ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; + }; +diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh +index bb2315fbf3..315666825e 100644 +--- a/bin/tests/system/dnssec/tests.sh ++++ b/bin/tests/system/dnssec/tests.sh +@@ -1690,7 +1690,7 @@ ret=0 + $RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i + keyid=`cat ns1/managed.key.id` + cp ns4/named.secroots named.secroots.test$n +-linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l` ++linecount=`grep "./RSASHA256/$keyid ; trusted" named.secroots.test$n | wc -l` + [ "$linecount" -eq 1 ] || ret=1 + linecount=`cat named.secroots.test$n | wc -l` + [ "$linecount" -eq 10 ] || ret=1 +@@ -3018,7 +3018,7 @@ echo_i "check dig's +nocrypto flag ($n)" + ret=0 + $DIG $DIGOPTS +norec +nocrypto DNSKEY . 
\ + @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 +-grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 ++grep '256 3 8 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 + grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +norec +nocrypto DS example \ + @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 +@@ -3130,8 +3130,8 @@ do + alg=`expr $alg + 1` + continue;; + 3) size="-b 512";; +- 5) size="-b 512";; +- 6) size="-b 512";; ++ 5) size="-b 1024";; ++ 6) size="-b 1024";; + 7) size="-b 512";; + 8) size="-b 512";; + 10) size="-b 1024";; +diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c +index 9612450ab4..5eee6aa4f8 100644 +--- a/bin/tests/system/feature-test.c ++++ b/bin/tests/system/feature-test.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + + #ifdef WIN32 +@@ -45,6 +46,7 @@ usage() { + fprintf(stderr, " --have-geoip\n"); + fprintf(stderr, " --have-libxml2\n"); + fprintf(stderr, " --ipv6only=no\n"); ++ fprintf(stderr, " --md5\n"); + fprintf(stderr, " --rpz-nsdname\n"); + fprintf(stderr, " --rpz-nsip\n"); + fprintf(stderr, " --with-idn\n"); +@@ -136,6 +138,18 @@ main(int argc, char **argv) { + #endif + } + ++ if (strcmp(argv[1], "--md5") == 0) { ++#ifdef PK11_MD5_DISABLE ++ return (1); ++#else ++ if (isc_md5_available()) { ++ return (0); ++ } else { ++ return (1); ++ } ++#endif ++ } ++ + if (strcmp(argv[1], "--rpz-nsip") == 0) { + #ifdef ENABLE_RPZ_NSIP + return (0); +diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh +index f7555810a0..4a7d89004a 100755 +--- a/bin/tests/system/filter-aaaa/ns1/sign.sh ++++ b/bin/tests/system/filter-aaaa/ns1/sign.sh +@@ -21,8 +21,8 @@ infile=signed.db.in + zonefile=signed.db.signed + outfile=signed.db.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n 
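Review bot: Only algorithms 5 and 6 are raised to `-b 1024` in the key-size case list, while 7 (RSASHA1-NSEC3-SHA1) and 8 (RSASHA256) are also RSA and stay at `-b 512`, as does 3 (DSA). If the bump exists because the FIPS-mode backend refuses RSA keys below 1024 bits, the loop will still fail on cases 7 and 8 in exactly that configuration, unless an earlier hunk outside this view already skips them. Either raise them consistently, `7) size="-b 1024";;` and `8) size="-b 1024";;`, or add a comment above the case list explaining why 7 and 8 are expected to remain at 512. The loop that contains this case list starts before the hunk.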
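Review bot: The new `--md5` branch in feature-test.c has no comment saying what its exit status means, and the semantics differ from the neighbouring probes because it folds two conditions into one answer: compiled out (`PK11_MD5_DISABLE`) and disabled at runtime by the crypto backend both return 1. Add `/* Exit 0 only when MD5 is usable: compiled in and not disabled by the crypto backend (e.g. FIPS policy). */` above the branch so the shell callers' `if $FEATURETEST --md5` reads correctly. `isc_md5_available()` is presumably provided by the companion fips-code patch; the header this hunk adds has lost its name in this rendering, so I could not confirm it declares that function for non-PKCS#11 builds.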
zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh +index f7555810a0..4a7d89004a 100755 +--- a/bin/tests/system/filter-aaaa/ns4/sign.sh ++++ b/bin/tests/system/filter-aaaa/ns4/sign.sh +@@ -21,8 +21,8 @@ infile=signed.db.in + zonefile=signed.db.signed + outfile=signed.db.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in +index cfcfe8fa2f..0a1614d527 100644 +--- a/bin/tests/system/notify/ns5/named.conf.in ++++ b/bin/tests/system/notify/ns5/named.conf.in +@@ -10,17 +10,17 @@ + */ + + key "a" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "aaaaaaaaaaaaaaaaaaaa"; + }; + + key "b" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "bbbbbbbbbbbbbbbbbbbb"; + }; + + key "c" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "cccccccccccccccccccc"; + }; + +diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh +index ad20e3eaca..5a9ce4688a 100644 +--- a/bin/tests/system/notify/tests.sh ++++ b/bin/tests/system/notify/tests.sh +@@ -186,16 +186,16 @@ ret=0 + $NSUPDATE << EOF + server 10.53.0.5 ${PORT} + zone x21 +-key a aaaaaaaaaaaaaaaaaaaa ++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa + update add added.x21 0 in txt "test string" + send + EOF + + for i in 1 2 3 4 5 6 7 8 9 + do +- $DIG $DIGOPTS added.x21. 
-y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt > dig.out.b.ns5.test$n || ret=1 +- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ + txt > dig.out.c.ns5.test$n || ret=1 + grep "test string" dig.out.b.ns5.test$n > /dev/null && + grep "test string" dig.out.c.ns5.test$n > /dev/null && +diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in +index 1d999adc39..26b6b7c9ab 100644 +--- a/bin/tests/system/nsupdate/ns1/named.conf.in ++++ b/bin/tests/system/nsupdate/ns1/named.conf.in +@@ -32,7 +32,7 @@ controls { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in +index b4ecf96668..1adb33eb0b 100644 +--- a/bin/tests/system/nsupdate/ns2/named.conf.in ++++ b/bin/tests/system/nsupdate/ns2/named.conf.in +@@ -24,7 +24,7 @@ options { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh +index 32674eb382..2331b30b00 100644 +--- a/bin/tests/system/nsupdate/setup.sh ++++ b/bin/tests/system/nsupdate/setup.sh +@@ -59,7 +59,12 @@ EOF + + $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key + +-$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++if $FEATURETEST --md5; then ++ $DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++else ++ echo -n > ns1/md5.key ++fi ++ + $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key + $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key + $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > 
ns1/sha256.key +diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh +index 2a01d1e46d..e8659587c3 100755 +--- a/bin/tests/system/nsupdate/tests.sh ++++ b/bin/tests/system/nsupdate/tests.sh +@@ -680,7 +680,14 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++if $FEATURETEST --md5 ++then ++ ALGS="md5 sha1 sha224 sha256 sha384 sha512" ++else ++ ALGS="sha1 sha224 sha256 sha384 sha512" ++ echo_i "skipping disabled md5 algorithm" ++fi ++for alg in $ALGS; do + $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 + server 10.53.0.1 ${PORT} + update add ${alg}.keytests.nil. 600 A 10.10.10.3 +@@ -688,7 +695,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then +diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh +index 850c4d2744..09a3e0f9ad 100644 +--- a/bin/tests/system/rndc/setup.sh ++++ b/bin/tests/system/rndc/setup.sh +@@ -37,7 +37,7 @@ make_key () { + sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf + } + +-make_key 1 ${EXTRAPORT1} hmac-md5 ++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 + make_key 2 ${EXTRAPORT2} hmac-sha1 + make_key 3 ${EXTRAPORT3} hmac-sha224 + make_key 4 ${EXTRAPORT4} hmac-sha256 +diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh +index d364e6fea0..dbf3bc6780 100644 +--- a/bin/tests/system/rndc/tests.sh ++++ b/bin/tests/system/rndc/tests.sh +@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + n=`expr $n + 1` +-echo_i "testing rndc with hmac-md5 ($n)" +-ret=0 +-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 +-for i in 2 3 4 5 6 +-do +- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > 
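Review bot: `echo -n > ns1/md5.key` in the new else branch is non-portable: POSIX leaves `-n` implementation-defined, and under a `sh` whose echo prints it literally the placeholder file will contain the text `-n` rather than being empty. Use `: > ns1/md5.key` instead, and add a comment on the branch, `# MD5 unavailable (crypto policy): leave an empty placeholder so the key file set stays uniform`, since nothing else in the hunk tells the reader why an empty key file is created at all.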
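Review bot: `$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5` silently drops the MD5 key, and with it `ns4/key1.conf` and the matching `controls` entry, whenever the probe fails for any reason, including a missing or non-executable `$FEATURETEST`. The negative loops in rndc/tests.sh that try the other key files against each port (outside this hunk) will then "pass" on key1.conf only because rndc fails on a nonexistent config, which is accidental rather than intended. Prefer an explicit `if $FEATURETEST --md5; then make_key 1 ${EXTRAPORT1} hmac-md5; fi` with a comment `# hmac-md5 control key only when MD5 is usable; tests.sh skips its checks otherwise`, so the omission is visible to whoever reads the generated named.conf.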
/dev/null 2>&1 && ret=1 +-done +-if [ $ret != 0 ]; then echo_i "failed"; fi +-status=`expr $status + $ret` ++if $FEATURETEST --md5 ++then ++ echo_i "testing rndc with hmac-md5 ($n)" ++ ret=0 ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 ++ for i in 2 3 4 5 6 ++ do ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++ done ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=`expr $status + $ret` ++else ++ echo_i "skipping rndc with hmac-md5 ($n)" ++fi + + n=`expr $n + 1` + echo_i "testing rndc with hmac-sha1 ($n)" +diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh +index 576ec70f76..cb7a852189 100644 +--- a/bin/tests/system/tsig/clean.sh ++++ b/bin/tests/system/tsig/clean.sh +@@ -20,3 +20,4 @@ rm -f */named.run + rm -f ns*/named.lock + rm -f Kexample.net.+163+* + rm -f keygen.out? ++rm -f ns1/named.conf +diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in +index fbf30c6dc4..f61657d7cf 100644 +--- a/bin/tests/system/tsig/ns1/named.conf.in ++++ b/bin/tests/system/tsig/ns1/named.conf.in +@@ -21,10 +21,7 @@ options { + notify no; + }; + +-key "md5" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5; +-}; ++# md5 key appended by setup.sh at the end + + key "sha1" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +@@ -51,10 +48,7 @@ key "sha512" { + algorithm hmac-sha512; + }; + +-key "md5-trunc" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5-80; +-}; ++# md5-trunc key appended by setup.sh at the end + + key "sha1-trunc" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in +new file mode 100644 +index 0000000000..4117830adb +--- /dev/null ++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in +@@ -0,0 +1,11 @@ ++ ++key "md5" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5; ++}; ++ ++key "md5-trunc" { ++ 
secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5-80; ++}; ++ +diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh +index 656e9bbcd8..628c5bbac1 100644 +--- a/bin/tests/system/tsig/setup.sh ++++ b/bin/tests/system/tsig/setup.sh +@@ -17,3 +17,7 @@ $SHELL clean.sh + copy_setports ns1/named.conf.in ns1/named.conf + + test -r $RANDFILE || $GENRANDOM 400 $RANDFILE ++if $FEATURETEST --md5 ++then ++ cat ns1/rndc5.conf.in >> ns1/named.conf ++fi +diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh +index f731fa604c..cade35bc1d 100644 +--- a/bin/tests/system/tsig/tests.sh ++++ b/bin/tests/system/tsig/tests.sh +@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f + + status=0 + +-echo_i "fetching using hmac-md5 (old form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 +-fi +- +-echo_i "fetching using hmac-md5 (new form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (old form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++ ++ echo_i "fetching using hmac-md5 (new form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. 
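Review bot: The new fragment is named `rndc5.conf.in` but it holds TSIG `key` statements that setup.sh appends to ns1/named.conf; it is not an rndc configuration, and a reader searching for rndc keys will be misled. Name it after its contents, e.g. `md5-keys.conf.in`, and give it a header comment: `# hmac-md5 TSIG keys; appended to named.conf by setup.sh only when feature-test --md5 succeeds`. The fragment bypasses `copy_setports`, which is harmless today because it contains no port placeholders, but worth noting in that comment so nobody adds one later.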
-y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5" + fi + + echo_i "fetching using hmac-sha1" +@@ -87,12 +92,17 @@ fi + # Truncated TSIG + # + # +-echo_i "fetching using hmac-md5 (trunc)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 +-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (trunc)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 ++ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5 (trunc)" + fi + + echo_i "fetching using hmac-sha1 (trunc)" +@@ -141,12 +151,17 @@ fi + # Check for bad truncation. + # + # +-echo_i "fetching using hmac-md5-80 (BADTRUNC)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 +-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5-80 (BADTRUNC)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. 
-y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 ++ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5-80 (BADTRUNC)" + fi + + echo_i "fetching using hmac-sha1-80 (BADTRUNC)" +diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh +index 5da33cfde0..fb108b02bd 100644 +--- a/bin/tests/system/tsiggss/setup.sh ++++ b/bin/tests/system/tsiggss/setup.sh +@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE + + copy_setports ns1/named.conf.in ns1/named.conf + +-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.` ++key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` + cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db +diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in +index e0a30cda15..6a77b1ce52 100644 +--- a/bin/tests/system/upforwd/ns1/named.conf.in ++++ b/bin/tests/system/upforwd/ns1/named.conf.in +@@ -10,7 +10,7 @@ + */ + + key "update.example." { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + }; + +diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh +index b0694bbd5c..9adae8228e 100644 +--- a/bin/tests/system/upforwd/tests.sh ++++ b/bin/tests/system/upforwd/tests.sh +@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + + echo_i "updating zone (signed) ($n)" + ret=0 +-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < +Date: Tue, 25 Sep 2018 18:08:46 +0200 +Subject: [PATCH] Disable IDN from environment as documented + +Manual page of host contained instructions to disable IDN processing +when it was built with libidn2. 
When refactoring IDN support however, +support for disabling IDN in host and nslookup was lost. Use also +environment variable and document it for nslookup, host and dig. + +Support variable CHARSET=ASCII to disable IDN, supported in downstream +RH patch since RHEL 5. +--- + bin/dig/dig.docbook | 4 +++- + bin/dig/dighost.c | 9 +++++++-- + bin/dig/host.docbook | 2 +- + bin/dig/nslookup.docbook | 15 +++++++++++++++ + 4 files changed, 26 insertions(+), 4 deletions(-) + +diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook +index fedd288..d5dba72 100644 +--- a/bin/dig/dig.docbook ++++ b/bin/dig/dig.docbook +@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr + reply from the server. + If you'd like to turn off the IDN support for some reason, use + parameters +noidnin and +- +noidnout. ++ +noidnout or define ++ the IDN_DISABLE environment variable. ++ + + + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index 7408193..d46379d 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -822,12 +822,17 @@ make_empty_lookup(void) { + looknew->seenbadcookie = ISC_FALSE; + looknew->badcookie = ISC_TRUE; + #ifdef WITH_IDN_SUPPORT +- looknew->idnin = ISC_TRUE; ++ looknew->idnin = (getenv("IDN_DISABLE") == NULL); ++ if (looknew->idnin) { ++ const char *charset = getenv("CHARSET"); ++ if (charset && !strcmp(charset, "ASCII")) ++ looknew->idnin = ISC_FALSE; ++ } + #else + looknew->idnin = ISC_FALSE; + #endif + #ifdef WITH_IDN_OUT_SUPPORT +- looknew->idnout = ISC_TRUE; ++ looknew->idnout = looknew->idnin; + #else + looknew->idnout = ISC_FALSE; + #endif +diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook +index 9c3aeaa..42cbbf9 100644 +--- a/bin/dig/host.docbook ++++ b/bin/dig/host.docbook +@@ -378,7 +378,7 @@ + host appropriately converts character encoding of + domain name before sending a request to DNS server or displaying a + reply from the server. 
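Review bot: The `CHARSET=ASCII` opt-out added to make_empty_lookup() is documented nowhere in this patch; the dig, host and nslookup docbook hunks mention only `IDN_DISABLE`, and the comparison is case-sensitive, so `CHARSET=ascii` or glibc's `ANSI_X3.4-1968` spelling leaves IDN enabled. Either document the exact accepted value in the three docbook files or compare case-insensitively if the build's portability layer provides `strcasecmp`. A comment above the block would also help: `/* Honour IDN_DISABLE (documented) and the legacy RH CHARSET=ASCII opt-out; output conversion follows the input setting. */`. The unbraced `if` body also departs from the brace-always style of the surrounding code.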
+- If you'd like to turn off the IDN support for some reason, defines ++ If you'd like to turn off the IDN support for some reason, define + the IDN_DISABLE environment variable. + The IDN support is disabled if the variable is set when + host runs. +diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook +index 3aff4e9..86a09c6 100644 +--- a/bin/dig/nslookup.docbook ++++ b/bin/dig/nslookup.docbook +@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10 + + + ++ IDN SUPPORT ++ ++ ++ If nslookup has been built with IDN (internationalized ++ domain name) support, it can accept and display non-ASCII domain names. ++ nslookup appropriately converts character encoding of ++ domain name before sending a request to DNS server or displaying a ++ reply from the server. ++ If you'd like to turn off the IDN support for some reason, define ++ the IDN_DISABLE environment variable. ++ The IDN support is disabled if the variable is set when ++ nslookup runs. ++ ++ ++ + FILES + + /etc/resolv.conf +-- +2.14.4 + diff --git a/SOURCES/bind-9.11-kyua-pkcs11.patch b/SOURCES/bind-9.11-kyua-pkcs11.patch new file mode 100644 index 0000000..ab21828 --- /dev/null +++ b/SOURCES/bind-9.11-kyua-pkcs11.patch 
@@ -0,0 +1,206 @@ +From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 2 Jan 2018 18:13:07 +0100 +Subject: [PATCH] Fix pkcs11 variants atf tests + +Add dns-pkcs11 tests Makefile to configure + +Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode +--- + configure.in | 1 + + lib/Atffile | 2 ++ + lib/Kyuafile | 2 ++ + lib/dns-pkcs11/tests/Makefile.in | 10 +++++----- + lib/dns-pkcs11/tests/dh_test.c | 3 ++- + lib/isc-pkcs11/tests/Makefile.in | 6 +++--- + lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++------- + 7 files changed, 40 insertions(+), 16 deletions(-) + +diff --git a/configure.in b/configure.in +index 67b3aab..4767eeb 100644 +--- a/configure.in ++++ b/configure.in +@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([ + lib/dns-pkcs11/include/Makefile + lib/dns-pkcs11/include/dns/Makefile + lib/dns-pkcs11/include/dst/Makefile ++ lib/dns-pkcs11/tests/Makefile + lib/irs/Makefile + lib/irs/include/Makefile + lib/irs/include/irs/Makefile +diff --git a/lib/Atffile b/lib/Atffile +index 93bbb01..4db3dce 100644 +--- a/lib/Atffile ++++ b/lib/Atffile +@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1" + prop: test-suite = bind9 + + tp: dns ++tp: dns-pkcs11 + tp: irs + tp: isc ++tp: isc-pkcs11 + tp: isccfg + tp: lwres +diff --git a/lib/Kyuafile b/lib/Kyuafile +index ff9fc56..eaaf0dc 100644 +--- a/lib/Kyuafile ++++ b/lib/Kyuafile +@@ -2,7 +2,9 @@ syntax(2) + test_suite('bind9') + + include('dns/Kyuafile') ++include('dns-pkcs11/Kyuafile') + include('irs/Kyuafile') + include('isc/Kyuafile') ++include('isc-pkcs11/Kyuafile') + include('isccfg/Kyuafile') + include('lwres/Kyuafile') +diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in +index 2a6571b..f25a784 100644 +--- a/lib/dns-pkcs11/tests/Makefile.in ++++ b/lib/dns-pkcs11/tests/Makefile.in +@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ + + CINCLUDES = -I. 
-Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ + @DST_OPENSSL_INC@ +-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" ++CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" + +-ISCLIBS = ../../isc/libisc.@A@ +-ISCDEPLIBS = ../../isc/libisc.@A@ +-DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@ +-DNSDEPLIBS = ../libdns.@A@ ++ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ ++ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ ++DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ ++DNSDEPLIBS = ../libdns-pkcs11.@A@ + + LIBS = @LIBS@ @ATFLIBS@ + +diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c +index 036d27a..eb6554f 100644 +--- a/lib/dns-pkcs11/tests/dh_test.c ++++ b/lib/dns-pkcs11/tests/dh_test.c +@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { + ret = dst_key_computesecret(key, key, &buf); + ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY); + ret = key->func->computesecret(key, key, &buf); +- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE); ++ /* PKCS11 variant gives different result, accept both */ ++ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY); + + dst_key_free(&key); + dns_test_end(); +diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in +index f7fa538..818dae4 100644 +--- a/lib/isc-pkcs11/tests/Makefile.in ++++ b/lib/isc-pkcs11/tests/Makefile.in +@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@ + @BIND9_MAKE_INCLUDES@ + + CINCLUDES = -I. 
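Review bot: Accepting either `DST_R_COMPUTESECRETFAILURE` or `DST_R_INVALIDPRIVATEKEY` in dh_test.c loosens the assertion for the OpenSSL build as well, so a regression in the non-PKCS#11 computesecret path would now go unnoticed. Make the expected result depend on the backend being compiled instead of accepting both; the exact macro that distinguishes the PKCS#11 build should be confirmed (the same patch passes `@CRYPTO@` through CDEFINES, so a `PKCS11CRYPTO`-style define is likely available). The test body begins before the hunk.
```c
	ret = key->func->computesecret(key, key, &buf);
#ifdef PKCS11CRYPTO
	/* PKCS#11 backend reports the self-pairing as an invalid private key. */
	ATF_REQUIRE_EQ(ret, DST_R_INVALIDPRIVATEKEY);
#else
	ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
#endif
	/* … unchanged: dst_key_free, dns_test_end … */
```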
-Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@ +-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\"" ++CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\"" + +-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@ +-ISCDEPLIBS = ../libisc.@A@ ++ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ ++ISCDEPLIBS = ../libisc-pkcs11.@A@ + + LIBS = @LIBS@ @ATFLIBS@ + +diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c +index 5b8a374..c1891c2 100644 +--- a/lib/isc-pkcs11/tests/hash_test.c ++++ b/lib/isc-pkcs11/tests/hash_test.c +@@ -74,7 +74,7 @@ typedef struct hash_testcase { + + typedef struct hash_test_key { + const char *key; +- const int len; ++ const unsigned len; + } hash_test_key_t; + + /* non-hmac tests */ +@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_SHA1_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA1_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len); ++ isc_hmacsha1_init(&hmacsha1, buffer, len); + isc_hmacsha1_update(&hmacsha1, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_SHA224_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA224_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len); ++ isc_hmacsha224_init(&hmacsha224, buffer, len); + isc_hmacsha224_update(&hmacsha224, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = 
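Review bot: The zero-extension of short keys in the hmacsha1 test needs a comment, because it is correct only for a specific reason: HMAC (RFC 2104) itself right-pads any key shorter than the block size with zero bytes, so feeding `ISC_MAX(len, DIGESTLENGTH)` bytes of a zero-filled buffer produces the same MAC as the original short key and merely satisfies the PKCS#11 token's minimum HMAC key length; add `/* Zero-pad short keys: HMAC zero-extends them anyway, but PKCS#11 tokens reject keys below the digest length. */` above the memset. `len` is declared `int` while `test_key->len` is now `unsigned`, so the `ISC_MAX` result is silently narrowed; declare it `unsigned len`. The memset clears only `ISC_SHA1_DIGESTLENGTH` bytes, which suffices because `memmove` then writes the longer keys in full, but the size of `buffer` is not visible in this hunk, so I could not confirm it holds the longest test key.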
ISC_MAX(test_key->len, ISC_SHA256_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA256_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len); ++ isc_hmacsha256_init(&hmacsha256, buffer, len); + isc_hmacsha256_update(&hmacsha256, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_SHA384_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA384_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len); ++ isc_hmacsha384_init(&hmacsha384, buffer, len); + isc_hmacsha384_update(&hmacsha384, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_SHA512_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA512_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len); ++ isc_hmacsha512_init(&hmacsha512, buffer, len); + isc_hmacsha512_update(&hmacsha512, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_MD5_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_MD5_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len); ++ isc_hmacmd5_init(&hmacmd5, buffer, len); + isc_hmacmd5_update(&hmacmd5, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +-- +2.14.3 + 
diff --git a/SOURCES/bind-9.11-libidn.patch b/SOURCES/bind-9.11-libidn.patch new file mode 100644 index 0000000..5471edc --- /dev/null +++ b/SOURCES/bind-9.11-libidn.patch 
@@ -0,0 +1,303 @@ +From fb4271f5881a83c2cfb639587597b9a80c536a6d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 29 Jan 2019 20:59:57 +0100 +Subject: [PATCH] Replace libidn2 support with libidn + +They should be more or less compatible. Try to maintain original +behaviour of old 9.11 libidn patch, ignore any in output filter. +--- + bin/dig/Makefile.in | 6 ++--- + bin/dig/dighost.c | 64 ++++++++++++++++++++++++++++++--------------- + config.h.in | 4 +-- + configure.in | 56 +++++++++++++++++++-------------------- + 4 files changed, 76 insertions(+), 54 deletions(-) + +diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in +index 3edd951..75441b0 100644 +--- a/bin/dig/Makefile.in ++++ b/bin/dig/Makefile.in +@@ -19,7 +19,7 @@ READLINE_LIB = @READLINE_LIB@ + + CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \ + ${BIND9_INCLUDES} ${ISC_INCLUDES} \ +- ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @DST_OPENSSL_INC@ ++ ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN_CFLAGS@ @DST_OPENSSL_INC@ + + CDEFINES = -DVERSION=\"${VERSION}\" @CRYPTO@ + CWARNINGS = +@@ -41,10 +41,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \ + ${ISCCFGDEPLIBS} ${LWRESDEPLIBS} + + LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ +- ${ISCLIBS} @IDNKIT_LIBS@ @LIBIDN2_LIBS@ @LIBS@ ++ ${ISCLIBS} @IDNKIT_LIBS@ @LIBIDN_LIBS@ @LIBS@ + + NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ +- ${ISCNOSYMLIBS} @IDNKIT_LIBS@ @LIBIDN2_LIBS@ @LIBS@ ++ ${ISCNOSYMLIBS} @IDNKIT_LIBS@ @LIBIDN_LIBS@ @LIBS@ + + SUBDIRS = + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index ffc16c4..a345a21 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -38,8 +38,9 @@ + #include + #endif + +-#ifdef WITH_LIBIDN2 +-#include ++#ifdef WITH_LIBIDN ++#include ++#include + #endif + #endif /* WITH_IDN_SUPPORT */ + +@@ -4761,7 +4762,7 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) { + } + #endif /* WITH_IDNKIT */ + +-#ifdef WITH_LIBIDN2 ++#ifdef WITH_LIBIDN 
+ static void + idn_initialize(void) { + } +@@ -4769,16 +4770,25 @@ idn_initialize(void) { + static isc_result_t + idn_locale_to_ace(const char *from, char *to, size_t tolen) { + int res; ++ char *utf8_str; + char *tmp_str = NULL; + +- res = idn2_to_ascii_lz(from, &tmp_str, IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT); +- if (res == IDN2_DISALLOWED) { +- res = idn2_to_ascii_lz(from, &tmp_str, IDN2_TRANSITIONAL|IDN2_NFC_INPUT); ++ debug ("libidn_locale_to_utf8"); ++ utf8_str = stringprep_locale_to_utf8 (from); ++ if (utf8_str == NULL) { ++ debug ("libidn stringprep_locale_to_utf8 failure"); ++ return ISC_R_FAILURE; + } + +- if (res == IDN2_OK) { ++ int iresult; ++ ++ debug ("libidn_utf8_to_ascii"); ++ res = idna_to_ascii_8z (utf8_str, &tmp_str, 0); ++ free (utf8_str); ++ ++ if (res == IDNA_SUCCESS) { + /* +- * idn2_to_ascii_lz() normalizes all strings to lowerl case, ++ * idna_to_ascii_8z() normalizes all strings to lowerl case, + * but we generally don't want to lowercase all input strings; + * make sure to return the original case if the two strings + * differ only in case +@@ -4786,26 +4796,26 @@ idn_locale_to_ace(const char *from, char *to, size_t tolen) { + if (!strcasecmp(from, tmp_str)) { + if (strlen(from) >= tolen) { + debug("from string is too long"); +- idn2_free(tmp_str); ++ free(tmp_str); + return ISC_R_NOSPACE; + } +- idn2_free(tmp_str); ++ free(tmp_str); + (void) strlcpy(to, from, tolen); + return ISC_R_SUCCESS; + } + /* check the length */ + if (strlen(tmp_str) >= tolen) { + debug("ACE string is too long"); +- idn2_free(tmp_str); ++ free(tmp_str); + return ISC_R_NOSPACE; + } + + (void) strlcpy(to, tmp_str, tolen); +- idn2_free(tmp_str); ++ free(tmp_str); + return ISC_R_SUCCESS; + } + +- fatal("'%s' is not a legal IDN name (%s), use +noidnin", from, idn2_strerror(res)); ++ fatal("'%s' is not a legal IDN name (%s), use +noidnin", from, idna_strerror (res)); + return ISC_R_FAILURE; + } + +@@ -4813,29 +4823,41 @@ idn_locale_to_ace(const char *from, char *to, 
size_t tolen) { + static isc_result_t + idn_ace_to_locale(const char *from, char *to, size_t tolen) { + int res; ++ char *tmp2 = NULL; + char *tmp_str = NULL; + +- res = idn2_to_unicode_8zlz(from, &tmp_str, +- IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT); ++ res = idna_to_unicode_8z8z (from, &tmp2, 0); ++ if (res != IDNA_SUCCESS) { ++ debug ("output_filter: %s", idna_strerror (res)); ++ return ISC_R_SUCCESS; ++ } ++ ++ tmp_str = stringprep_utf8_to_locale (tmp2); ++ if (tmp_str == NULL) { ++ debug ("output_filter: stringprep_utf8_to_locale failed"); ++ res = idna_to_ascii_8z(tmp2, &tmp_str, 0); ++ } ++ ++ free(tmp2); + +- if (res == IDN2_OK) { ++ if (res == IDNA_SUCCESS) { + /* check the length */ + if (strlen(tmp_str) >= tolen) { + debug("encoded ASC string is too long"); +- idn2_free(tmp_str); ++ free(tmp_str); + return ISC_R_FAILURE; + } + + (void) strlcpy(to, tmp_str, tolen); +- idn2_free(tmp_str); ++ free(tmp_str); + return ISC_R_SUCCESS; + } +- +- fatal("'%s' is not a legal IDN name (%s), use +noidnout", from, idn2_strerror(res)); ++ // fatal("'%s' is not a legal IDN name (%s), use +noidnout", from, idna_strerror(res)); ++ free(tmp_str); + return ISC_R_FAILURE; + } + #endif /* WITH_IDN_OUT_SUPPORT */ +-#endif /* WITH_LIBIDN2 */ ++#endif /* WITH_LIBIDN */ + #endif /* WITH_IDN_SUPPORT */ + + #ifdef DIG_SIGCHASE +diff --git a/config.h.in b/config.h.in +index 1dc65cf..9eb8a16 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -615,8 +615,8 @@ int sigwait(const unsigned int *set, int *sig); + /* define if IDN input support is to be included. */ + #undef WITH_IDN_SUPPORT + +-/* define if libidn2 support is to be included. */ +-#undef WITH_LIBIDN2 ++/* define if libidn support is to be included. */ ++#undef WITH_LIBIDN + + /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most + significant byte first (like Motorola and SPARC, unlike Intel). 
*/ +diff --git a/configure.in b/configure.in +index 9a1d16d..1397c50 100644 +--- a/configure.in ++++ b/configure.in +@@ -4864,36 +4864,36 @@ fi + AC_SUBST(IDNKIT_LIBS) + + # +-# IDN support using libidn2 ++# IDN support using libidn + # + +-LIBIDN2_CFLAGS= +-LIBIDN2_LDFLAGS= +-LIBIDN2_LIBS= +-AC_ARG_WITH(libidn2, +- AS_HELP_STRING([--with-libidn2[=PATH]], [enable IDN support using GNU libidn2 [yes|no|path]]), +- use_libidn2="$withval", use_libidn2="no") +-AS_CASE([$use_libidn2], ++LIBIDN_CFLAGS= ++LIBIDN_LDFLAGS= ++LIBIDN_LIBS= ++AC_ARG_WITH(libidn, ++ AS_HELP_STRING([--with-libidn[=PATH]], [enable IDN support using GNU libidn [yes|no|path]]), ++ use_libidn="$withval", use_libidn="no") ++AS_CASE([$use_libidn], + [no],[:], + [yes],[:], + [*],[ +- LIBIDN2_CFLAGS="-I$use_libidn2/include" +- LIBIDN2_LDFLAGS="-L$use_libidn2/lib" ++ LIBIDN_CFLAGS="-I$use_libidn/include" ++ LIBIDN_LDFLAGS="-L$use_libidn/lib" + ]) + +-AS_IF([test "$use_libidn2" != "no"], ++AS_IF([test "$use_libidn" != "no"], + [save_CFLAGS="$CFLAGS" + save_LIBS="$LIBS" + save_LDFLAGS="$LDFLAGS" +- CFLAGS="$LIBIDN2_CFLAGS $CFLAGS" +- LDFLAGS="$LIBIDN2_LDFLAGS $LDFLAGS" +- AC_SEARCH_LIBS([idn2_to_ascii_8z], [idn2], ++ CFLAGS="$LIBIDN_CFLAGS $CFLAGS" ++ LDFLAGS="$LIBIDN_LDFLAGS $LDFLAGS" ++ AC_SEARCH_LIBS([idna_to_ascii_8z], [idn], + [AC_DEFINE(WITH_IDN_SUPPORT, 1, [define if IDN input support is to be included.]) +- AC_DEFINE(WITH_LIBIDN2, 1, [define if libidn2 support is to be included.]) +- LIBIDN2_LIBS="$LIBIDN2_LDFLAGS -lidn2"], +- [AC_MSG_ERROR([libidn2 requested, but not found])]) +- AC_TRY_LINK([#include ], +- [idn2_to_unicode_8zlz(".", NULL, IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT);], ++ AC_DEFINE(WITH_LIBIDN, 1, [define if libidn support is to be included.]) ++ LIBIDN_LIBS="$LIBIDN_LDFLAGS -lidn"], ++ [AC_MSG_ERROR([libidn requested, but not found])]) ++ AC_TRY_LINK([#include ], ++ [idna_to_unicode_8zlz(".", NULL, 0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(WITH_IDN_OUT_SUPPORT, 1, [define if IDN output 
support is to be included.])], + [AC_MSG_RESULT([no])]) +@@ -4901,21 +4901,21 @@ AS_IF([test "$use_libidn2" != "no"], + LIBS="$save_LIBS" + LDFLAGS="$save_LDFLAGS" + ]) +-AC_SUBST([LIBIDN2_CFLAGS]) +-AC_SUBST([LIBIDN2_LIBS]) ++AC_SUBST([LIBIDN_CFLAGS]) ++AC_SUBST([LIBIDN_LIBS]) + + # + # IDN support in general + # + +-# check if idnkit and libidn2 are not used at the same time +-if test "$use_idnkit" != no && test "$use_libidn2" != no; then +- AC_MSG_ERROR([idnkit and libidn2 cannot be used at the same time.]) ++# check if idnkit and libidn are not used at the same time ++if test "$use_idnkit" != no && test "$use_libidn" != no; then ++ AC_MSG_ERROR([idnkit and libidn cannot be used at the same time.]) + fi + # the IDN support is on +-if test "$use_idnkit" != no || test "$use_libidn2" != no; then ++if test "$use_idnkit" != no || test "$use_libidn" != no; then + AC_DEFINE(WITH_IDN_SUPPORT, 1, [define if IDN input support is to be included.]) +- if test "$use_libidn2" = no || test "$use_libidn2_out" != no; then ++ if test "$use_libidn" = no || test "$use_libidn_out" != no; then + AC_DEFINE(WITH_IDN_OUT_SUPPORT, 1, [define if IDN output support is to be included.]) + fi + fi +@@ -5618,7 +5618,7 @@ report() { + test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" + test "X$ZLIB" = "X" || echo " HTTP zlib compression (--with-zlib)" + test "X$NZD_TOOLS" = "X" || echo " LMDB database to store configuration for 'addzone' zones (--with-lmdb)" +- test "no" = "$use_libidn2" || echo " IDN support (--with-libidn2)" ++ test "no" = "$use_libidn" || echo " IDN support (--with-libidn)" + fi + + if test "no" != "$use_pkcs11"; then +@@ -5716,7 +5716,7 @@ report() { + test "X$JSONSTATS" = "X" && echo " JSON statistics (--with-libjson)" + test "X$ZLIB" = "X" && echo " HTTP zlib compression (--with-zlib)" + test "X$NZD_TOOLS" = "X" && echo " LMDB database to store configuration for 'addzone' zones (--with-lmdb)" +- test "no" = "$use_libidn2" && echo " IDN support 
(--with-libidn2)" ++ test "no" = "$use_libidn" && echo " IDN support (--with-libidn)" + + echo "-------------------------------------------------------------------------------" + echo "Configured paths:" +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-no-default-cookies.patch b/SOURCES/bind-9.11-no-default-cookies.patch new file mode 100644 index 0000000..20618ea --- /dev/null +++ b/SOURCES/bind-9.11-no-default-cookies.patch 
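Review bot: In the dighost.c hunk, `idn_locale_to_ace` declares `int iresult;` that is never used, and `idn_ace_to_locale` keeps the old `fatal()` call as a commented-out line instead of explaining the new behaviour; both should go. Replace the dead line with a comment stating the intent, e.g. `/* Output-side IDN decode failures are deliberately non-fatal; the caller keeps the ACE form. */`, because a `return ISC_R_SUCCESS` that leaves `to` untouched on a failed `idna_to_unicode_8z8z()` is otherwise easy to mistake for a bug (how the caller handles the untouched buffer is outside this hunk — confirm it prints the original name). It is also worth a line in the patch description that libidn implements IDNA2003/Nameprep, so names containing characters such as U+00DF map differently from the IDNA2008 non-transitional `idn2_to_ascii_lz()` call this replaces, and that `idna_to_ascii_8z(..., 0)` applies neither STD3 ASCII checks nor unassigned-code-point rejection.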
@@ -0,0 +1,70 @@ +From 8963e300f7e465b3c96e859ba81e128fa508cefd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Mon, 21 Jan 2019 19:15:40 +0100 +Subject: [PATCH 1/5] Turn off sending cookies by default + +Upstream has default sending cookies on by default. For compatiblity +with bind 9.9.4, require inclusion of send-cookie in configuration or +dig +cookie parameter to send cookie. Would not send EDNS extension in +non-DNSSEC query by default. +--- + bin/dig/dig.c | 4 ++-- + bin/dig/dig.docbook | 4 ++-- + bin/named/config.c | 2 +- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/bin/dig/dig.c b/bin/dig/dig.c +index c577e31..8b23676 100644 +--- a/bin/dig/dig.c ++++ b/bin/dig/dig.c +@@ -1429,7 +1429,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile, + lookup->section_authority = ISC_TRUE; + lookup->section_question = ISC_FALSE; + lookup->dnssec = ISC_TRUE; +- lookup->sendcookie = ISC_TRUE; ++ lookup->sendcookie = ISC_FALSE; + usesearch = ISC_FALSE; + } + break; +@@ -1883,7 +1883,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, + default_lookup = make_empty_lookup(); + default_lookup->adflag = ISC_TRUE; + default_lookup->edns = 0; +- default_lookup->sendcookie = ISC_TRUE; ++ default_lookup->sendcookie = ISC_FALSE; + + #ifndef NOPOSIX + /* +diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook +index d5dba72..575a308 100644 +--- a/bin/dig/dig.docbook ++++ b/bin/dig/dig.docbook +@@ -617,10 +617,10 @@ + Send a COOKIE EDNS option, with optional + value. Replaying a COOKIE from a previous response will + allow the server to identify a previous client. The +- default is . ++ default is . + + +- +cookie is also set when +trace ++ +nocookie is also set when +trace + is set to better emulate the default queries from a + nameserver. 
+ +diff --git a/bin/named/config.c b/bin/named/config.c +index c50f759..7d97029 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -102,7 +102,7 @@ options {\n\ + resolver-query-timeout 10;\n\ + rrset-order { order random; };\n\ + secroots-file \"named.secroots\";\n\ +- send-cookie true;\n\ ++ send-cookie false;\n\ + # serial-queries ;\n\ + serial-query-rate 20;\n\ + server-id none;\n\ +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-no-default-ipv6.patch b/SOURCES/bind-9.11-no-default-ipv6.patch new file mode 100644 index 0000000..1a3c2be --- /dev/null +++ b/SOURCES/bind-9.11-no-default-ipv6.patch 
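Review bot: Defaulting `send-cookie false;` in bin/named/config.c drops the RFC 7873 client-cookie check on the resolver's own outgoing queries, which is one of the defences against off-path spoofed responses, yet the hunk leaves no trace in the code of why this build differs from upstream. The default-options string already carries inline comments (`/* no limit */`, `# serial-queries ;`), so mark the deviation at the point of change: `send-cookie false; # distro default for 9.9.4 compatibility; upstream default is true\n\`. The dig.docbook change should likewise say that `+nocookie` being the default is specific to this build, so operators reading ISC's documentation are not misled. Since re-enabling is a one-line option, consider documenting `send-cookie yes;` as the recommended setting in the shipped sample configuration, which is outside this hunk.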
@@ -0,0 +1,42 @@ +From 9fea3896c84d027271c2315af098dad319a444da Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Mon, 21 Jan 2019 19:23:10 +0100 +Subject: [PATCH 2/5] Turn off listening on IPv6 by default + +To maintain behaviour of BIND 9.9, turn off listening on IPv6 by +default. To enable listening like upstream defaults, include +listen-on-v6 { any; }; in options. +--- + bin/named/config.c | 2 +- + doc/arm/Bv9ARM-book.xml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/bin/named/config.c b/bin/named/config.c +index 7d97029..1d7aaa1 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -77,7 +77,7 @@ options {\n\ + interface-interval 60;\n\ + # keep-response-order {none;};\n\ + listen-on {any;};\n\ +- listen-on-v6 {any;};\n\ ++ listen-on-v6 {none;};\n\ + # lock-file \"" NS_LOCALSTATEDIR "/run/named/named.lock\";\n\ + match-mapped-addresses no;\n\ + max-rsa-exponent-size 0; /* no limit */\n\ +diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml +index a5d9e2e..5e7d015 100644 +--- a/doc/arm/Bv9ARM-book.xml ++++ b/doc/arm/Bv9ARM-book.xml +@@ -7473,7 +7473,7 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; }; + The listen-on-v6 option is used to + specify the interfaces and the ports on which the server will + listen for incoming queries sent using IPv6. If not specified, +- the server will listen on port 53 on all IPv6 interfaces. ++ the server will not listen on port 53 on any IPv6 interfaces. + + + +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-oot-manual.patch b/SOURCES/bind-9.11-oot-manual.patch new file mode 100644 index 0000000..b090b9f --- /dev/null +++ b/SOURCES/bind-9.11-oot-manual.patch 
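Review bot: The new ARM sentence in doc/arm/Bv9ARM-book.xml states the `listen-on-v6` default as if it were BIND's, but `listen-on-v6 {none;}` is a distribution deviation from upstream, and a reader comparing against ISC's documentation will not know which text is authoritative. Say so and give the way back in the same sentence, e.g. `the server will not listen on any IPv6 interface in this build (upstream listens on all); use listen-on-v6 { any; }; to enable it.` The config.c line would benefit from the same inline marker the options string already uses elsewhere, `listen-on-v6 {none;}; # distro default; upstream is {any;}\n\`, so the next rebase does not silently lose the intent.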
@@ -0,0 +1,256 @@ +From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Wed, 25 Jul 2018 12:24:16 +0200 +Subject: [PATCH] Use make automatic variables to install updated manuals + +Make will choose modified manual from build directory or original from source +directory automagically. Take advantage of install tool feature. +Install all files in single command instead of iterating on each of them. +--- + bin/check/Makefile.in | 8 +++++--- + bin/confgen/Makefile.in | 9 +++++---- + bin/delv/Makefile.in | 6 ++++-- + bin/dig/Makefile.in | 8 ++++---- + bin/dnssec/Makefile.in | 6 ++++-- + bin/named/Makefile.in | 13 +++++++++---- + bin/pkcs11/Makefile.in | 9 ++++----- + bin/python/Makefile.in | 8 ++++---- + bin/tools/Makefile.in | 25 +++++++++++++++---------- + 9 files changed, 54 insertions(+), 38 deletions(-) + +diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in +index 12f48d2d23..d8eac4c714 100644 +--- a/bin/check/Makefile.in ++++ b/bin/check/Makefile.in +@@ -83,12 +83,14 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs ++install-man8: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) ++ ++install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs install-man8 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} + (cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done +- (cd ${DESTDIR}${mandir}/man8; rm -f 
named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) + + uninstall:: + rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8 +diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in +index 87f13dda4b..7865c0c73e 100644 +--- a/bin/confgen/Makefile.in ++++ b/bin/confgen/Makefile.in +@@ -95,13 +95,14 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs ++install-man8: rndc-confgen.8 ddns-confgen.8 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8) ++ ++install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs install-man8 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir} +- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8 + (cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@) +- (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8) + + uninstall:: + rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8 +diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in +index e2d2802262..19361a83ea 100644 +--- a/bin/delv/Makefile.in ++++ b/bin/delv/Makefile.in +@@ -63,10 +63,12 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 + +-install:: delv@EXEEXT@ installdirs ++install-man1: delv.1 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 ++ ++install:: delv@EXEEXT@ installdirs install-man1 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + delv@EXEEXT@ ${DESTDIR}${bindir} +- ${INSTALL_DATA} ${srcdir}/delv.1 
${DESTDIR}${mandir}/man1 + + uninstall:: + rm -f ${DESTDIR}${mandir}/man1/delv.1 +diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in +index 773ac46395..3edd951e7e 100644 +--- a/bin/dig/Makefile.in ++++ b/bin/dig/Makefile.in +@@ -91,16 +91,16 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 + +-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs ++install-man1: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 ++ ++install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs install-man1 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + dig@EXEEXT@ ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + host@EXEEXT@ ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + nslookup@EXEEXT@ ${DESTDIR}${bindir} +- for m in ${MANPAGES}; do \ +- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ +- done + + uninstall:: + for m in ${MANPAGES}; do \ +diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in +index 1be1d5ffc6..1d0c4ce5c1 100644 +--- a/bin/dnssec/Makefile.in ++++ b/bin/dnssec/Makefile.in +@@ -110,9 +110,11 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: ${TARGETS} installdirs ++install-man8: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install:: ${TARGETS} installdirs install-man8 + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done + + uninstall:: + for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done +diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in +index 1c413973d0..03e4cb849b 100644 +--- a/bin/named/Makefile.in ++++ b/bin/named/Makefile.in +@@ -172,12 +172,17 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs 
${DESTDIR}${mandir}/man5 + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs ++install-man5: named.conf.5 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5 ++ ++install-man8: named.8 lwresd.8 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install-man: install-man5 install-man8 ++ ++install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} + (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) +- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 + + uninstall:: + rm -f ${DESTDIR}${mandir}/man5/named.conf.5 +diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in +index ae9061626c..a058c91214 100644 +--- a/bin/pkcs11/Makefile.in ++++ b/bin/pkcs11/Makefile.in +@@ -71,7 +71,10 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: ${TARGETS} installdirs ++install-man8: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install:: ${TARGETS} installdirs install-man8 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \ + ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \ +@@ -80,10 +83,6 @@ install:: ${TARGETS} installdirs + ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \ + ${DESTDIR}${sbindir} +- ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8 + + uninstall:: + rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8 +diff --git 
a/bin/python/Makefile.in b/bin/python/Makefile.in +index aa678d47ab..064c404e2f 100644 +--- a/bin/python/Makefile.in ++++ b/bin/python/Makefile.in +@@ -47,13 +47,13 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: ${TARGETS} installdirs ++install-man8: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install:: ${TARGETS} installdirs install-man8 + ${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir} + ${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir} + ${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir} +- ${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8 + if test -n "${PYTHON}" ; then \ + if test -n "${DESTDIR}" ; then \ + ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \ +diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in +index 7bf2af4cea..c395bc7462 100644 +--- a/bin/tools/Makefile.in ++++ b/bin/tools/Makefile.in +@@ -119,17 +119,27 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-nzd: ++nzd-man: named-nzd2nzf.8 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++nzd: nzd-man + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \ + ${DESTDIR}${sbindir} +- ${INSTALL_DATA} ${srcdir}/named-nzd2nzf.8 ${DESTDIR}${mandir}/man8 + +-dnstap: ++dnstap-man: dnstap-read.1 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 ++ ++dnstap: dnstap-man + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \ + ${DESTDIR}${bindir} +- ${INSTALL_DATA} ${srcdir}/dnstap-read.1 ${DESTDIR}${mandir}/man1 + +-install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ ++install-man1: arpaname.1 named-rrchecker.1 mdig.1 ++ ${INSTALL_DATA} 
$^ ${DESTDIR}${mandir}/man1 ++ ++install-man8: named-journalprint.8 nsec3hash.8 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ install-man1 install-man8 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \ + ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \ +@@ -144,13 +154,8 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ + ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \ + ${DESTDIR}${bindir} +- ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1 + ${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1 +- ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8 + ${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1 + + uninstall:: + rm -f ${DESTDIR}${mandir}/man1/mdig.1 +-- +2.14.4 + diff --git a/SOURCES/bind-9.11-pk11.patch b/SOURCES/bind-9.11-pk11.patch new file mode 100644 index 0000000..d802314 --- /dev/null +++ b/SOURCES/bind-9.11-pk11.patch @@ -0,0 +1,27 @@ +diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h +index 640519a..fc40472 100644 +--- a/lib/dns/dst_internal.h ++++ b/lib/dns/dst_internal.h +@@ -59,6 +59,9 @@ + #include + #include + #endif ++#if PKCS11CRYPTO ++#include ++#endif + + ISC_LANG_BEGINDECLS + +diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h +index aa8907a..603712a 100644 +--- a/lib/isc/include/pk11/internal.h ++++ b/lib/isc/include/pk11/internal.h +@@ -13,6 +13,8 @@ + #ifndef PK11_INTERNAL_H + #define PK11_INTERNAL_H 1 + ++#include ++ + /*! \file pk11/internal.h */ + + ISC_LANG_BEGINDECLS 
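Review bot: In bin/tools/Makefile.in the rewrite moves most man pages to `install-man1`/`install-man8` installed via `$^`, but `isc-hmac-fixup.8` and `genrandom.8` are still installed with an explicit `${srcdir}/` prefix, so a regenerated copy of those two pages in the build directory would be ignored while every other page picks it up — the inconsistency defeats the stated purpose of the patch for exactly those files. Add them to the `install-man8` prerequisite list (`install-man8: named-journalprint.8 nsec3hash.8 isc-hmac-fixup.8 genrandom.8`) and drop the two remaining `${INSTALL_DATA} ${srcdir}/...` lines. The new `install-man*`, `nzd-man` and `dnstap-man` targets name no real file; unless the tree's convention is to never declare `.PHONY`, they should be, since a stray file of that name in the build tree would otherwise make the install step a silent no-op.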
diff --git a/SOURCES/bind-9.11-rh1205168.patch b/SOURCES/bind-9.11-rh1205168.patch new file mode 100644 index 0000000..181cec9 --- /dev/null +++ b/SOURCES/bind-9.11-rh1205168.patch 
@@ -0,0 +1,120 @@ +From 90416594843a56550e40b11561807786219ce1c4 Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Mon, 11 Sep 2017 15:01:36 -0700 +Subject: [PATCH] remap getaddrinfo() to irs_getgetaddrinfo() + +The libirs version of getaddrinfo() cannot be called from within BIND9. + +fix prototypes +--- + lib/irs/include/irs/netdb.h.in | 94 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 94 insertions(+) + +diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in +index 23dcd37..f36113d 100644 +--- a/lib/irs/include/irs/netdb.h.in ++++ b/lib/irs/include/irs/netdb.h.in +@@ -150,6 +150,100 @@ struct addrinfo { + #define NI_DGRAM 0x00000010 + + /* ++ * Define to map into irs_ namespace. ++ */ ++ ++#define IRS_NAMESPACE ++ ++#ifdef IRS_NAMESPACE ++ ++/* ++ * Use our versions not the ones from the C library. ++ */ ++ ++#ifdef getnameinfo ++#undef getnameinfo ++#endif ++#define getnameinfo irs_getnameinfo ++ ++#ifdef getaddrinfo ++#undef getaddrinfo ++#endif ++#define getaddrinfo irs_getaddrinfo ++ ++#ifdef freeaddrinfo ++#undef freeaddrinfo ++#endif ++#define freeaddrinfo irs_freeaddrinfo ++ ++#ifdef gai_strerror ++#undef gai_strerror ++#endif ++#define gai_strerror irs_gai_strerror ++ ++#endif ++ ++extern int getaddrinfo (const char *name, ++ const char *service, ++ const struct addrinfo *req, ++ struct addrinfo **pai); ++extern int getnameinfo (const struct sockaddr *sa, ++ socklen_t salen, char *host, ++ socklen_t hostlen, char *serv, ++ socklen_t servlen, int flags); ++extern void freeaddrinfo (struct addrinfo *ai); ++extern const char *gai_strerror (int ecode); ++ ++/* ++ * Define to map into irs_ namespace. ++ */ ++ ++#define IRS_NAMESPACE ++ ++#ifdef IRS_NAMESPACE ++ ++/* ++ * Use our versions not the ones from the C library. 
++ */ ++ ++#ifdef getnameinfo ++#undef getnameinfo ++#endif ++#define getnameinfo irs_getnameinfo ++ ++#ifdef getaddrinfo ++#undef getaddrinfo ++#endif ++#define getaddrinfo irs_getaddrinfo ++ ++#ifdef freeaddrinfo ++#undef freeaddrinfo ++#endif ++#define freeaddrinfo irs_freeaddrinfo ++ ++#ifdef gai_strerror ++#undef gai_strerror ++#endif ++#define gai_strerror irs_gai_strerror ++ ++int ++getaddrinfo(const char *hostname, const char *servname, ++ const struct addrinfo *hints, struct addrinfo **res); ++ ++int ++getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen, ++ char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen, ++ char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen, ++ IRS_GETNAMEINFO_FLAGS_T flags); ++ ++void freeaddrinfo (struct addrinfo *ai); ++ ++IRS_GAISTRERROR_RETURN_T ++gai_strerror(int ecode); ++ ++#endif ++ ++/* + * Tell Emacs to use C mode on this file. + * Local variables: + * mode: c +-- +2.9.5 + diff --git a/SOURCES/bind-9.11-rh1410433.patch b/SOURCES/bind-9.11-rh1410433.patch new file mode 100644 index 0000000..b7fdc48 --- /dev/null +++ b/SOURCES/bind-9.11-rh1410433.patch @@ -0,0 +1,14 @@ +diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c +index 0ce5e42..556d920 100644 +--- a/lib/dns/dyndb.c ++++ b/lib/dns/dyndb.c +@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname, + instname, filename); + + flags = RTLD_NOW|RTLD_LOCAL; +-#ifdef RTLD_DEEPBIND +- flags |= RTLD_DEEPBIND; +-#endif + + handle = dlopen(filename, flags); + if (handle == NULL) diff --git a/SOURCES/bind-9.11-rh1624100.patch b/SOURCES/bind-9.11-rh1624100.patch new file mode 100644 index 0000000..954661c --- /dev/null +++ b/SOURCES/bind-9.11-rh1624100.patch 
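Review bot: The netdb.h.in hunk adds the IRS_NAMESPACE remapping block twice: the first copy declares `getnameinfo` with plain `socklen_t` parameters and `gai_strerror` returning `const char *`, while the second uses the configure-substituted `IRS_GETNAMEINFO_SOCKLEN_T`, `IRS_GETNAMEINFO_BUFLEN_T` and `IRS_GAISTRERROR_RETURN_T`. On any platform where those substitutions are not exactly `socklen_t` and `const char *`, the two prototypes for the same renamed symbol conflict and the header fails to compile; where they do match, the first block is pure duplication. Keep only the second copy, which carries the substituted types, and delete the `extern int getaddrinfo (...)` through `extern const char *gai_strerror (int ecode);` group together with the `#define IRS_NAMESPACE` / `#ifdef IRS_NAMESPACE` / `#endif` wrapper that precedes it.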
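Review bot: The dyndb.c hunk removes `RTLD_DEEPBIND` from the `dlopen()` flags in `load_library` without leaving any explanation, so the next rebase onto upstream, which still sets it, will quietly reintroduce the symbol-resolution behaviour this patch works around. Put a comment where the `#ifdef RTLD_DEEPBIND` block was: `/* RTLD_DEEPBIND deliberately not set: dyndb modules must resolve shared symbols against named's own libraries (rh#1410433). */`. Note that without DEEPBIND a module that bundles its own copy of a library named also links will run named's copy instead — presumably the intent, but it changes which code a plugin executes and deserves to be stated. `load_library` begins and ends outside the hunk.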
@@ -0,0 +1,288 @@ +From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 25 Apr 2018 14:04:31 +0200 +Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts + +(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d) + +Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp() + +(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c) + +Fix the isc_safe_memwipe() usage with (NULL, >0) + +(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846) +--- + bin/dnssec/dnssec-signzone.c | 2 +- + lib/dns/nsec3.c | 4 +-- + lib/dns/spnego.c | 4 +-- + lib/isc/Makefile.in | 8 ++--- + lib/isc/include/isc/safe.h | 18 ++++------ + lib/isc/safe.c | 81 -------------------------------------------- + lib/isc/tests/safe_test.c | 20 ----------- + 7 files changed, 13 insertions(+), 124 deletions(-) + delete mode 100644 lib/isc/safe.c + +diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c +index 53be1f5c60..351296a356 100644 +--- a/bin/dnssec/dnssec-signzone.c ++++ b/bin/dnssec/dnssec-signzone.c +@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, + + static int + hashlist_comp(const void *a, const void *b) { +- return (isc_safe_memcompare(a, b, hash_length + 1)); ++ return (memcmp(a, b, hash_length + 1)); + } + + static void +diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c +index d364308aaf..37b6a8a7fe 100644 +--- a/lib/dns/nsec3.c ++++ b/lib/dns/nsec3.c +@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, + * Work out what this NSEC3 covers. + * Inside (<0) or outside (>=0). + */ +- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length); ++ scope = memcmp(owner, nsec3.next, nsec3.next_length); + + /* + * Prepare to compute all the hashes. 
+@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, + return (ISC_R_IGNORE); + } + +- order = isc_safe_memcompare(hash, owner, length); ++ order = memcmp(hash, owner, length); + if (first && order == 0) { + /* + * The hashes are the same. +diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c +index ce3e42d650..079d4c1b4a 100644 +--- a/lib/dns/spnego.c ++++ b/lib/dns/spnego.c +@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, + + /* mod_auth_kerb.c */ + +-static int ++static isc_boolean_t + cmp_gss_type(gss_buffer_t token, gss_OID gssoid) + { + unsigned char *p; +@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) + if (((OM_uint32) *p++) != gssoid->length) + return (GSS_S_DEFECTIVE_TOKEN); + +- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length)); ++ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length)); + } + + /* accept_sec_context.c */ +diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in +index ba53ef1091..98acffffc9 100644 +--- a/lib/isc/Makefile.in ++++ b/lib/isc/Makefile.in +@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ + parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \ + ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \ + rwlock.@O@ \ +- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ ++ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ + string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ + tm.@O@ timer.@O@ version.@O@ \ + ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} +@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ + netaddr.c netscope.c pool.c ondestroy.c \ + parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ + ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ +- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ ++ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ + strtoul.c symtab.c task.c taskpool.c timer.c \ + tm.c version.c + +@@ -95,10 
+95,6 @@ TESTDIRS = @UNITTESTS@ + + @BIND9_MAKE_RULES@ + +-safe.@O@: safe.c +- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \ +- -c ${srcdir}/safe.c +- + version.@O@: version.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ + -DVERSION=\"${VERSION}\" \ +diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h +index f29f00bac6..b8a0b2290c 100644 +--- a/lib/isc/include/isc/safe.h ++++ b/lib/isc/include/isc/safe.h +@@ -15,27 +15,21 @@ + + /*! \file isc/safe.h */ + +-#include +-#include ++#include ++#include ++ ++#include + + ISC_LANG_BEGINDECLS + +-isc_boolean_t +-isc_safe_memequal(const void *s1, const void *s2, size_t n); ++#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n)) + /*%< + * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise + * ISC_FALSE. + * + */ + +-int +-isc_safe_memcompare(const void *b1, const void *b2, size_t len); +-/*%< +- * Clone of libc memcmp() which is safe to differential timing attacks. +- */ +- +-void +-isc_safe_memwipe(void *ptr, size_t len); ++#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len) + /*%< + * Clear the memory of length `len` pointed to by `ptr`. + * +diff --git a/lib/isc/safe.c b/lib/isc/safe.c +deleted file mode 100644 +index 5c9e1e2d13..0000000000 +--- a/lib/isc/safe.c ++++ /dev/null +@@ -1,81 +0,0 @@ +-/* +- * Copyright (C) Internet Systems Consortium, Inc. ("ISC") +- * +- * This Source Code Form is subject to the terms of the Mozilla Public +- * License, v. 2.0. If a copy of the MPL was not distributed with this +- * file, You can obtain one at http://mozilla.org/MPL/2.0/. +- * +- * See the COPYRIGHT file distributed with this work for additional +- * information regarding copyright ownership. +- */ +- +-/*! 
\file */ +- +-#include +- +-#include +-#include +-#include +- +-#ifdef WIN32 +-#include +-#endif +- +-#ifdef _MSC_VER +-#pragma optimize("", off) +-#endif +- +-isc_boolean_t +-isc_safe_memequal(const void *s1, const void *s2, size_t n) { +- isc_uint8_t acc = 0; +- +- if (n != 0U) { +- const isc_uint8_t *p1 = s1, *p2 = s2; +- +- do { +- acc |= *p1++ ^ *p2++; +- } while (--n != 0U); +- } +- return (ISC_TF(acc == 0)); +-} +- +- +-int +-isc_safe_memcompare(const void *b1, const void *b2, size_t len) { +- const unsigned char *p1 = b1, *p2 = b2; +- size_t i; +- int res = 0, done = 0; +- +- for (i = 0; i < len; i++) { +- /* lt is -1 if p1[i] < p2[i]; else 0. */ +- int lt = (p1[i] - p2[i]) >> CHAR_BIT; +- +- /* gt is -1 if p1[i] > p2[i]; else 0. */ +- int gt = (p2[i] - p1[i]) >> CHAR_BIT; +- +- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */ +- int cmp = lt - gt; +- +- /* set res = cmp if !done. */ +- res |= cmp & ~done; +- +- /* set done if p1[i] != p2[i]. */ +- done |= lt | gt; +- } +- +- return (res); +-} +- +-void +-isc_safe_memwipe(void *ptr, size_t len) { +- if (ISC_UNLIKELY(ptr == NULL || len == 0)) +- return; +- +-#ifdef WIN32 +- SecureZeroMemory(ptr, len); +-#elif HAVE_EXPLICIT_BZERO +- explicit_bzero(ptr, len); +-#else +- memset(ptr, 0, len); +-#endif +-} +diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c +index f721cd1096..ea3e61f98d 100644 +--- a/lib/isc/tests/safe_test.c ++++ b/lib/isc/tests/safe_test.c +@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) { + "\x00\x00\x00\x00", 4)); + } + +-ATF_TC(isc_safe_memcompare); +-ATF_TC_HEAD(isc_safe_memcompare, tc) { +- atf_tc_set_md_var(tc, "descr", "safe memcompare()"); +-} +-ATF_TC_BODY(isc_safe_memcompare, tc) { +- UNUSED(tc); +- +- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0); +- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0); +- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0); +- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", +- "\x00\x00\x00\x00", 4) 
== 0); +- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", +- "\x00\x00\x00\x01", 4) < 0); +- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02", +- "\x00\x00\x00\x00", 4) > 0); +-} +- + ATF_TC(isc_safe_memwipe); + ATF_TC_HEAD(isc_safe_memwipe, tc) { + atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()"); +@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { + /* These should pass. */ + isc_safe_memwipe(NULL, 0); + isc_safe_memwipe((void *) -1, 0); +- isc_safe_memwipe(NULL, 42); + + /* + * isc_safe_memwipe(ptr, size) should function same as +@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { + */ + ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_safe_memequal); +- ATF_TP_ADD_TC(tp, isc_safe_memcompare); + ATF_TP_ADD_TC(tp, isc_safe_memwipe); + return (atf_no_error()); + } +-- +2.14.4 + diff --git a/SOURCES/bind-9.11-rh1685940.patch b/SOURCES/bind-9.11-rh1685940.patch new file mode 100644 index 0000000..6771880 --- /dev/null +++ b/SOURCES/bind-9.11-rh1685940.patch 
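Review bot: The new `isc_safe_memwipe` macro in lib/isc/include/isc/safe.h forwards straight to `OPENSSL_cleanse(ptr, len)`, dropping the `ptr == NULL || len == 0` early return that the deleted lib/isc/safe.c had, and the `isc_safe_memwipe(NULL, 42)` case is removed from safe_test.c rather than kept, so any caller still passing a NULL buffer with a non-zero length now dereferences NULL inside OpenSSL instead of being a no-op. If every caller has been audited that is acceptable, but a guarded macro costs nothing: `#define isc_safe_memwipe(ptr, len) do { if ((ptr) != NULL && (len) != 0) OPENSSL_cleanse((ptr), (len)); } while (0)`. Separately, cmp_gss_type in spnego.c is retyped to `isc_boolean_t` while its two unchanged `return (GSS_S_DEFECTIVE_TOKEN);` lines still push a GSS status code through that type; presumably callers only test for non-zero (they are outside the hunk — verify), but keeping `int` or adding a comment would make that explicit. The memcmp replacements in nsec3.c and dnssec-signzone.c only order NSEC3 hashes, which are zone data rather than secrets, so no constant-time property appears to be lost there.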
@@ -0,0 +1,72 @@
+From 9fcd066217e8b6f52b601bdd8a0cb6455f98b88c Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Thu, 7 Mar 2019 14:33:28 +0100
+Subject: [PATCH] Do not replace random generator on single thread
+
+DHCP builds fails to initialize dst library entropy generator. It does
+not require it for anything. Instead of initializing it, skip replacing
+custom random generator in single thread builds. Should use OpenSSL
+default random generator in case of SSL.
+
+Related: rhbz#1685940
+---
+ lib/dns/openssl_link.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
+index ec6dc7f..ca3ffbc 100644
+--- a/lib/dns/openssl_link.c
++++ b/lib/dns/openssl_link.c
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -220,6 +221,7 @@ dst__openssl_init(const char *engine) {
+ ERR_load_crypto_strings();
+ #endif
+ 
++#ifdef ISC_PLATFORM_USETHREADS
+ rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
+ if (rm == NULL) {
+ result = ISC_R_NOMEMORY;
+@@ -231,6 +233,7 @@ dst__openssl_init(const char *engine) {
+ rm->add = entropy_add;
+ rm->pseudorand = entropy_getpseudo;
+ rm->status = entropy_status;
++#endif
+ 
+ #if !defined(OPENSSL_NO_ENGINE)
+ #if !defined(CONF_MFLAGS_DEFAULT_SECTION)
+@@ -264,6 +267,7 @@ dst__openssl_init(const char *engine) {
+ }
+ }
+ 
++#ifdef ISC_PLATFORM_USETHREADS
+ re = ENGINE_get_default_RAND();
+ if (re == NULL) {
+ re = ENGINE_new();
+@@ -276,6 +280,7 @@ dst__openssl_init(const char *engine) {
+ ENGINE_free(re);
+ } else
+ ENGINE_finish(re);
++#endif
+ #else
+ RAND_set_rand_method(rm);
+ #endif /* !defined(OPENSSL_NO_ENGINE) */
+@@ -286,7 +291,8 @@ dst__openssl_init(const char *engine) {
+ if (e != NULL)
+ ENGINE_free(e);
+ e = NULL;
+- mem_free(rm FILELINE);
++ if (rm != NULL)
++ mem_free(rm FILELINE);
+ rm = NULL;
+ #endif
+ cleanup_mutexinit:
+-- 
+2.20.1
+
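Review bot: The `RAND_set_rand_method(rm);` call in the `#else` (OPENSSL_NO_ENGINE) branch is left outside the new `#ifdef ISC_PLATFORM_USETHREADS` guards, so a single-threaded build without engine support installs an `rm` that the guarded code above never allocated. The new `if (rm != NULL)` in the cleanup path suggests `rm` starts out NULL (its declaration is outside the hunk — please check), in which case OpenSSL reverts to its default method, which is the outcome the commit message wants but reached by accident; wrapping that call the same way makes it deliberate: `#ifdef ISC_PLATFORM_USETHREADS` / `RAND_set_rand_method(rm);` / `#endif`. It would also help to say in a comment at the first `#ifdef ISC_PLATFORM_USETHREADS` that non-threaded builds intentionally keep OpenSSL's own CSPRNG instead of the entropy-backed RAND_METHOD, since that changes which generator the dst library draws from in those builds, and to note that the non-threaded consumers (the commit mentions DHCP) have been confirmed not to need BIND's entropy source. dst__openssl_init begins before and ends after this hunk.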
diff --git a/SOURCES/bind-9.11-unit-disable-random.patch b/SOURCES/bind-9.11-unit-disable-random.patch
new file mode 100644
index 0000000..5658d12
--- /dev/null
+++ b/SOURCES/bind-9.11-unit-disable-random.patch
@@ -0,0 +1,45 @@
+From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Thu, 21 Feb 2019 22:42:27 +0100
+Subject: [PATCH] Disable random_test
+
+It fails too often on some architecture, failing the whole build along.
+Because it runs two times for pkcs11 and normal build and any of
+subtests can occasionally fail, stop it.
+
+It can be used again by defining 'unstable' variable in Kyuafile.
+---
+ lib/isc/tests/Atffile | 3 ++-
+ lib/isc/tests/Kyuafile | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile
+index 8681844..74a4a77 100644
+--- a/lib/isc/tests/Atffile
++++ b/lib/isc/tests/Atffile
+@@ -20,7 +20,8 @@ tp: pool_test
+ tp: print_test
+ tp: queue_test
+ tp: radix_test
+-tp: random_test
++# random test fails too often
++#tp: random_test
+ tp: regex_test
+ tp: result_test
+ tp: safe_test
+diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
+index 1c510c1..a86824a 100644
+--- a/lib/isc/tests/Kyuafile
++++ b/lib/isc/tests/Kyuafile
+@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'}
+ atf_test_program{name='print_test'}
+ atf_test_program{name='queue_test'}
+ atf_test_program{name='radix_test'}
+-atf_test_program{name='random_test'}
++atf_test_program{name='random_test', required_configs='unstable'}
+ atf_test_program{name='regex_test'}
+ atf_test_program{name='result_test'}
+ atf_test_program{name='safe_test'}
+-- 
+2.20.1
+
diff --git a/SOURCES/bind-9.11-zone2ldap.patch b/SOURCES/bind-9.11-zone2ldap.patch
new file mode 100644
index 0000000..e576c03
--- /dev/null
+++ b/SOURCES/bind-9.11-zone2ldap.patch
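Review bot: The two harnesses diverge: the Atffile comments random_test out entirely while the Kyuafile keeps it behind `required_configs='unstable'`, so the opt-in the commit message promises exists only for kyua runs. Either give the Atffile an equivalent conditional or say in its comment that ATF runs cannot re-enable the test. For a randomness test, "fails too often on some architecture" is itself worth recording properly — if the failures are statistical-threshold noise, name the architecture and the subtests in the Atffile comment instead of `# random test fails too often`, and if they are not, silencing the test hides a real weakness in isc_random on that platform; the patch gives no evidence either way, so a pointer to where the failures were analysed would let the next maintainer judge whether it is safe to keep disabled.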
@@ -0,0 +1,196 @@ +From 738d12594972ad816e8cff9821f760aa0682fd08 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 18 Dec 2018 16:06:26 +0100 +Subject: [PATCH] Make absolute hostname by dns API instead of strings + +Duplicate all strings in dc_list. Free allocated memory on each record. +--- + bin/sdb_tools/zone2ldap.c | 72 +++++++++++++++++++++++++++++------------------ + 1 file changed, 45 insertions(+), 27 deletions(-) + +diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c +index acf160b..cc482dc 100644 +--- a/bin/sdb_tools/zone2ldap.c ++++ b/bin/sdb_tools/zone2ldap.c +@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp); + /* Get a DN */ + char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone); + ++/* Free a DN list */ ++static void ++free_dc_list(char **dc_list); ++ + /* Add to RR list */ + void add_to_rr_list (char *dn, char *name, char *type, char *data, + unsigned int ttl, unsigned int flags); +@@ -123,6 +127,7 @@ static char dNSTTL []="dNSTTL"; + static char zoneName []="zoneName"; + static char dc []="dc"; + static char sameZone []="@"; ++static char dot []="."; + /* LDAPMod mod_values: */ + static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL }; + static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL }; +@@ -396,6 +401,8 @@ main (int argc, char **argv) + } + + } ++ ++ free_dc_list(dc_list); + } + else + { +@@ -451,12 +458,17 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) + char data[2048]; + char **dc_list; + char *dn; ++ size_t argzone_len; ++ isc_boolean_t omit_dot; + + isc_buffer_t buff; + isc_result_t result; + + isc_buffer_init (&buff, name, sizeof (name)); +- result = dns_name_totext (dnsname, ISC_TRUE, &buff); ++ argzone_len = strlen(argzone); ++ /* If argzone is absolute, output absolute name too */ ++ omit_dot = ISC_TF(!(argzone_len > 0 && argzone[argzone_len-1] == '.')); ++ 
result = dns_name_totext (dnsname, omit_dot, &buff); + isc_result_check (result, "dns_name_totext"); + name[isc_buffer_usedlength (&buff)] = 0; + +@@ -478,6 +490,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) + printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data); + + add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT); ++ free_dc_list(dc_list); + } + + +@@ -538,12 +551,9 @@ add_to_rr_list (char *dn, char *name, char *type, + if (tmp->attrs == (LDAPMod **) NULL) + fatal("calloc"); + +- for (i = 0; i < (int)flags; i++) +- { +- tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); +- if (tmp->attrs[i] == (LDAPMod *) NULL) +- fatal("malloc"); +- } ++ tmp->attrs[0] = (LDAPMod *) malloc (sizeof (LDAPMod)); ++ if (tmp->attrs[0] == (LDAPMod *) NULL) ++ fatal("malloc"); + tmp->attrs[0]->mod_op = LDAP_MOD_ADD; + tmp->attrs[0]->mod_type = objectClass; + +@@ -559,9 +569,18 @@ add_to_rr_list (char *dn, char *name, char *type, + return; + } + ++ for (i = 1; i < (int)flags-1; i++) ++ { ++ tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); ++ if (tmp->attrs[i] == (LDAPMod *) NULL) ++ fatal("malloc"); ++ } ++ tmp->attrs[i] = NULL; ++ ++ + tmp->attrs[1]->mod_op = LDAP_MOD_ADD; + tmp->attrs[1]->mod_type = relativeDomainName; +- tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); ++ tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 3); + + if (tmp->attrs[1]->mod_values == (char **)NULL) + fatal("calloc"); +@@ -705,25 +724,16 @@ char ** + hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + { + char *tmp; +- int i = 0; ++ int i = 0, j = 0; + char *hname=0L, *last=0L; + int hlen=strlen(hostname), zlen=(strlen(zone)); + + /* printf("hostname: %s zone: %s\n",hostname, zone); */ +- hname=0L; + if(flags == DNS_OBJECT) + { +- if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') ) +- { +- hname=(char*)malloc(hlen + 1); +- hlen += 1; +- sprintf(hname, "%s.", 
hostname); +- hostname = hname; +- } + if(strcmp(hostname, zone) == 0) + { +- if( hname == 0 ) +- hname=strdup(hostname); ++ hname=strdup(hostname); + last = strdup(sameZone); + }else + { +@@ -731,8 +741,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + ||( strcmp( hostname + (hlen - zlen), zone ) != 0) + ) + { +- if( hname != 0 ) +- free(hname); + hname=(char*)malloc( hlen + zlen + 1); + if( *zone == '.' ) + sprintf(hname, "%s%s", hostname, zone); +@@ -740,8 +748,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + sprintf(hname,"%s",zone); + }else + { +- if( hname == 0 ) +- hname = strdup(hostname); ++ hname = strdup(hostname); + } + last = hname; + } +@@ -754,18 +761,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + for (tmp = strrchr (hname, '.'); tmp != (char *) 0; + tmp = strrchr (hname, '.')) + { +- if( *( tmp + 1 ) != '\0' ) ++ tmp[0] = '\0'; ++ if( tmp[1] != '\0' ) + { +- *tmp = '\0'; + dn_buffer[i++] = ++tmp; + }else + { /* trailing '.' ! */ +- dn_buffer[i++] = strdup("."); +- *tmp = '\0'; ++ dn_buffer[i++] = dot; + if( tmp == hname ) + break; + } + } ++ for (j=0; j - #include - #include -+#include - #include - - #include -@@ -61,6 +62,9 @@ ldap_info; +diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c +index 23dd873..d56bc56 100644 +--- a/bin/sdb_tools/zone2ldap.c ++++ b/bin/sdb_tools/zone2ldap.c +@@ -65,6 +66,9 @@ ldap_info; /* usage Info */ void usage (void); @@ -54,7 +49,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd /* Add to the ldap dit */ void add_ldap_values (ldap_info * ldinfo); -@@ -77,7 +81,7 @@ char **hostname_to_dn_list (char *hostna +@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); int get_attr_list_size (char **tmp); /* Get a DN */ 
@@ -63,7 +58,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd /* Add to RR list */ void add_to_rr_list (char *dn, char *name, char *type, char *data, -@@ -99,11 +103,27 @@ void +@@ -103,11 +107,27 @@ void init_ldap_conn (); void usage(); @@ -96,7 +91,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd LDAP *conn; unsigned int debug = 0; -@@ -119,12 +139,12 @@ main (int argc, char **argv) +@@ -131,12 +151,12 @@ main (int argc, char **argv) isc_result_t result; char *basedn; ldap_info *tmp; 
@@ -112,38 +107,35 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd dns_fixedname_t fixedzone, fixedname; dns_rdataset_t rdataset; char **dc_list; -@@ -137,7 +157,7 @@ main (int argc, char **argv) +@@ -149,7 +169,7 @@ main (int argc, char **argv) extern char *optarg; extern int optind, opterr, optopt; int create_base = 0; - int topt; + int topt, dcn, zdn, znlen; - if ((int) argc < 2) + if (argc < 2) { -@@ -145,7 +165,7 @@ main (int argc, char **argv) +@@ -157,7 +177,7 @@ main (int argc, char **argv) exit (-1); } -- while ((topt = getopt ((int) argc, argv, "D:w:b:z:f:h:?dcv")) != -1) -+ while ((topt = getopt ((int) argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1) +- while ((topt = getopt (argc, argv, "D:w:b:z:f:h:?dcv")) != -1) ++ while ((topt = getopt (argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1) { switch (topt) { -@@ -164,8 +184,11 @@ main (int argc, char **argv) - case 'w': - bindpw = strdup (optarg); +@@ -180,6 +200,9 @@ main (int argc, char **argv) + if (bindpw == NULL) + fatal("strdup"); break; + case 'W': + bindpw = getpass("Enter LDAP Password: "); + break; case 'b': -- ldapbase = strdup (optarg); -+ ldapbase = strdup (optarg); - break; - case 'z': - argzone = strdup (optarg); -@@ -277,27 +300,62 @@ main (int argc, char **argv) + ldapbase = strdup (optarg); + if (ldapbase == NULL) +@@ -301,27 +324,62 @@ main (int argc, char **argv) { if (debug) printf ("Creating base zone DN %s\n", argzone); @@ -216,7 +208,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } else { -@@ -306,8 +364,13 @@ main (int argc, char **argv) +@@ -330,8 +388,13 @@ main (int argc, char **argv) else sprintf (fullbasedn, "%s", ctmp); } 
@@ -230,7 +222,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } } -@@ -383,14 +446,14 @@ generate_ldap (dns_name_t * dnsname, dns +@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) isc_result_check (result, "dns_rdata_totext"); data[isc_buffer_usedlength (&buff)] = 0; @@ -248,7 +240,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } -@@ -430,7 +493,8 @@ add_to_rr_list (char *dn, char *name, ch +@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type, int attrlist; char ldap_type_buffer[128]; char charttl[64]; @@ -258,8 +250,8 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd if ((tmp = locate_by_dn (dn)) == NULL) { -@@ -465,13 +529,13 @@ add_to_rr_list (char *dn, char *name, ch - } +@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type, + fatal("malloc"); } tmp->attrs[0]->mod_op = LDAP_MOD_ADD; - tmp->attrs[0]->mod_type = (char*)"objectClass"; @@ -275,7 +267,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd tmp->attrs[1] = NULL; tmp->attrcnt = 2; tmp->next = ldap_info_base; -@@ -480,7 +544,7 @@ add_to_rr_list (char *dn, char *name, ch +@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type, } tmp->attrs[1]->mod_op = LDAP_MOD_ADD; @@ -284,8 +276,8 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); if (tmp->attrs[1]->mod_values == (char **)NULL) -@@ -502,7 +566,7 @@ add_to_rr_list (char *dn, char *name, ch - tmp->attrs[2]->mod_values[1] = NULL; +@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type, + fatal("strdup"); tmp->attrs[3]->mod_op = LDAP_MOD_ADD; - tmp->attrs[3]->mod_type = (char*)"dNSTTL"; 
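Review bot: The `-w` path still leaves the LDAP bind password in argv, visible to every local user via ps for the life of the run, and the rebased context now strdup()s it without scrubbing `optarg` afterwards; `-W` with getpass() is the safer route and the usage text should say so rather than listing the two as equals. A mitigation that keeps the interface is to overwrite the argument once it has been copied: `bindpw = strdup(optarg); if (bindpw == NULL) fatal("strdup"); memset(optarg, 0, strlen(optarg));`. Note also that getpass() returns a pointer into a static buffer, so the `bindpw` obtained under `case 'W':` must not be free()d and would be clobbered by any later getpass() call — a one-line comment there would stop the next reader from adding a free() for symmetry with `-w`. main() starts before and ends after this hunk.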
@@ -293,9 +285,9 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); if (tmp->attrs[3]->mod_values == (char **)NULL) -@@ -512,10 +576,21 @@ add_to_rr_list (char *dn, char *name, ch - tmp->attrs[3]->mod_values[0] = strdup (charttl); - tmp->attrs[3]->mod_values[1] = NULL; +@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type, + if (tmp->attrs[3]->mod_values[0] == NULL) + fatal("strdup"); + znlen=strlen(gbl_zone); + if ( *(gbl_zone + (znlen-1)) == '.' ) @@ -312,12 +304,16 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd - tmp->attrs[4]->mod_type = (char*)"zoneName"; + tmp->attrs[4]->mod_type = zoneName; tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2); + + if (tmp->attrs[4]->mod_values == (char **)NULL) + fatal("calloc"); + - tmp->attrs[4]->mod_values[0] = gbl_zone; + tmp->attrs[4]->mod_values[0] = zn; tmp->attrs[4]->mod_values[1] = NULL; tmp->attrs[5] = NULL; -@@ -526,7 +601,7 @@ add_to_rr_list (char *dn, char *name, ch +@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type, else { @@ -326,7 +322,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd { sprintf (ldap_type_buffer, "%sRecord", type); if (!strncmp -@@ -595,69 +670,105 @@ char ** +@@ -632,44 +707,70 @@ char ** hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) { char *tmp; 
@@ -336,17 +332,19 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd - char *hnamebuff; - - zname = strdup (hostname); +- if (zname == NULL) +- fatal("strdup"); - - if (flags == DNS_OBJECT) - { -+ char *hname=0L, *last=0L; -+ int hlen=strlen(hostname), zlen=(strlen(zone)); - +- - if (strlen (zname) != strlen (zone)) - { - tmp = &zname[strlen (zname) - strlen (zone)]; - *--tmp = '\0'; - hnamebuff = strdup (zname); +- if (hnamebuff == NULL) +- fatal("strdup"); - zname = ++tmp; - } - else @@ -366,6 +364,9 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd - } - dn_buffer[i++] = zname; - dn_buffer[i++] = hnamebuff; ++ char *hname=0L, *last=0L; ++ int hlen=strlen(hostname), zlen=(strlen(zone)); ++ +/* printf("hostname: %s zone: %s\n",hostname, zone); */ + hname=0L; + if(flags == DNS_OBJECT) @@ -427,13 +428,9 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd + dn_buffer[i++] = hname; + dn_buffer[i++] = last; dn_buffer[i] = NULL; -- - return dn_buffer; - } -- - /* build an sdb compatible LDAP DN from a "dc_list" (char **). - * will append dNSTTL information to each RR Record, with the + return dn_buffer; +@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) * exception of "@"/SOA. */ char * @@ -470,7 +467,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd else sprintf(tmp,"dc=%s,", dc_list[x]); } -@@ -683,6 +794,7 @@ void +@@ -724,6 +833,7 @@ void init_ldap_conn () { int result; @@ -478,7 +475,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd conn = ldap_open (ldapsystem, LDAP_PORT); if (conn == NULL) { -@@ -692,7 +804,7 @@ init_ldap_conn () +@@ -733,7 +843,7 @@ init_ldap_conn () } result = ldap_simple_bind_s (conn, binddn, bindpw); 
@@ -487,7 +484,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } /* Like isc_result_check, only for LDAP */ -@@ -709,8 +821,6 @@ ldap_result_check (const char *msg, char +@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err) } } @@ -496,7 +493,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd /* For running the ldap_info run queue. */ void add_ldap_values (ldap_info * ldinfo) -@@ -718,14 +828,14 @@ add_ldap_values (ldap_info * ldinfo) +@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo) int result; char dnbuffer[1024]; @@ -513,12 +510,10 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } -@@ -736,7 +846,7 @@ void +@@ -777,5 +885,5 @@ void usage () { fprintf (stderr, -- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n" -+ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n" - "\t[-c Create LDAP Base structure][-d Debug Output (lots !)]\n " - ); - } +- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] " ++ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] " + "[-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");} diff --git a/SOURCES/bind-9.3.2b2-sdbsrc.patch b/SOURCES/bind-9.3.2b2-sdbsrc.patch index bd0ed32..46e183c 100644 --- a/SOURCES/bind-9.3.2b2-sdbsrc.patch +++ b/SOURCES/bind-9.3.2b2-sdbsrc.patch 
@@ -1,6 +1,21 @@ ---- bind-9.3.2b2/contrib/sdb/ldap/zone2ldap.c.sdbsrc 2005-08-16 00:43:03.000000000 -0400 -+++ bind-9.3.2b2/contrib/sdb/ldap/zone2ldap.c 2005-11-15 12:57:44.000000000 -0500 -@@ -59,16 +59,16 @@ +diff --git a/contrib/sdb/bdb/bdb.c b/contrib/sdb/bdb/bdb.c +index 23594bb..b3c6619 100644 +--- a/contrib/sdb/bdb/bdb.c ++++ b/contrib/sdb/bdb/bdb.c +@@ -43,7 +43,7 @@ + #include + #include + +-#include ++#include "bdb.h" + #include + #include + +diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c +index 07c89bc..23dd873 100644 +--- a/contrib/sdb/ldap/zone2ldap.c ++++ b/contrib/sdb/ldap/zone2ldap.c +@@ -63,16 +63,16 @@ typedef struct LDAP_INFO ldap_info; /* usage Info */ @@ -20,7 +35,7 @@ /* Put a hostname into a char ** array */ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); -@@ -84,7 +84,7 @@ +@@ -88,7 +88,7 @@ void add_to_rr_list (char *dn, char *name, char *type, char *data, unsigned int ttl, unsigned int flags); /* Error checking */ @@ -29,7 +44,7 @@ /* Generate LDIF Format files */ void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, -@@ -93,11 +93,17 @@ +@@ -97,11 +97,17 @@ void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, /* head pointer to the list */ ldap_info *ldap_info_base = NULL; @@ -50,16 +65,7 @@ LDAP *conn; unsigned int debug = 0; -@@ -106,7 +112,7 @@ - #endif - - int --main (int *argc, char **argv) -+main (int argc, char **argv) - { - isc_mem_t *mctx = NULL; - isc_entropy_t *ectx = NULL; -@@ -116,7 +122,7 @@ +@@ -128,7 +134,7 @@ main (int argc, char **argv) LDAPMod *base_attrs[2]; LDAPMod base; isc_buffer_t buff; @@ -68,7 +74,7 @@ char fullbasedn[1024]; char *ctmp; dns_fixedname_t fixedzone, fixedname; -@@ -280,9 +286,9 @@ +@@ -304,9 +310,9 @@ main (int argc, char **argv) if ((*ctmp == ',') || (ctmp == &basedn[0])) { base.mod_op = LDAP_MOD_ADD; 
@@ -81,7 +87,7 @@ base_attrs[1] = NULL; if (ldapbase) -@@ -337,7 +343,7 @@ +@@ -363,7 +369,7 @@ main (int argc, char **argv) * I should probably rename this function, as not to cause any * confusion with the isc* routines. Will exit on error. */ void @@ -90,17 +96,16 @@ { if (res != ISC_R_SUCCESS) { -@@ -449,7 +455,7 @@ - exit (-1); - } +@@ -470,20 +476,20 @@ add_to_rr_list (char *dn, char *name, char *type, + if (tmp->attrs == (LDAPMod **) NULL) + fatal("calloc"); - for (i = 0; i < flags; i++) + for (i = 0; i < (int)flags; i++) { tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); if (tmp->attrs[i] == (LDAPMod *) NULL) -@@ -459,13 +465,13 @@ - } + fatal("malloc"); } tmp->attrs[0]->mod_op = LDAP_MOD_ADD; - tmp->attrs[0]->mod_type = "objectClass"; @@ -116,7 +121,7 @@ tmp->attrs[1] = NULL; tmp->attrcnt = 2; tmp->next = ldap_info_base; -@@ -474,7 +480,7 @@ +@@ -492,7 +498,7 @@ add_to_rr_list (char *dn, char *name, char *type, } tmp->attrs[1]->mod_op = LDAP_MOD_ADD; @@ -125,8 +130,8 @@ tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); if (tmp->attrs[1]->mod_values == (char **)NULL) -@@ -496,7 +502,7 @@ - tmp->attrs[2]->mod_values[1] = NULL; +@@ -521,7 +527,7 @@ add_to_rr_list (char *dn, char *name, char *type, + fatal("strdup"); tmp->attrs[3]->mod_op = LDAP_MOD_ADD; - tmp->attrs[3]->mod_type = "dNSTTL"; 
@@ -134,16 +139,16 @@ tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); if (tmp->attrs[3]->mod_values == (char **)NULL) -@@ -507,7 +513,7 @@ - tmp->attrs[3]->mod_values[1] = NULL; +@@ -535,7 +541,7 @@ add_to_rr_list (char *dn, char *name, char *type, + fatal("strdup"); tmp->attrs[4]->mod_op = LDAP_MOD_ADD; - tmp->attrs[4]->mod_type = "zoneName"; + tmp->attrs[4]->mod_type = (char*)"zoneName"; tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2); - tmp->attrs[4]->mod_values[0] = gbl_zone; - tmp->attrs[4]->mod_values[1] = NULL; -@@ -607,7 +613,7 @@ + + if (tmp->attrs[4]->mod_values == (char **)NULL) +@@ -648,7 +654,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) zname = ++tmp; } else @@ -152,7 +157,7 @@ } else { -@@ -686,12 +692,12 @@ +@@ -727,12 +733,12 @@ init_ldap_conn () } result = ldap_simple_bind_s (conn, binddn, bindpw); @@ -167,30 +172,10 @@ { if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS)) { -@@ -730,5 +736,8 @@ - usage () - { - fprintf (stderr, -- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] -- [-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");} -+ "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n" -+ "\t[-c Create LDAP Base structure][-d Debug Output (lots !)]\n " -+ ); -+} -+ ---- bind-9.3.2b2/contrib/sdb/bdb/bdb.c.sdbsrc 2002-07-02 00:45:34.000000000 -0400 -+++ bind-9.3.2b2/contrib/sdb/bdb/bdb.c 2005-11-15 12:57:44.000000000 -0500 -@@ -43,7 +43,7 @@ - #include - #include - --#include -+#include "bdb.h" - #include - #include - ---- bind-9.3.2b2/contrib/sdb/pgsql/pgsqldb.c.sdbsrc 2004-03-08 04:04:22.000000000 -0500 -+++ bind-9.3.2b2/contrib/sdb/pgsql/pgsqldb.c 2005-11-15 12:57:44.000000000 -0500 +diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c +index 50d3cba..516eb9f 100644 +--- a/contrib/sdb/pgsql/pgsqldb.c ++++ b/contrib/sdb/pgsql/pgsqldb.c 
@@ -23,7 +23,7 @@ #include #include @@ -200,8 +185,10 @@ #include #include ---- bind-9.3.2b2/contrib/sdb/pgsql/zonetodb.c.sdbsrc 2005-09-05 22:12:40.000000000 -0400 -+++ bind-9.3.2b2/contrib/sdb/pgsql/zonetodb.c 2005-11-15 12:58:12.000000000 -0500 +diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c +index b8f5912..ff2d135 100644 +--- a/contrib/sdb/pgsql/zonetodb.c ++++ b/contrib/sdb/pgsql/zonetodb.c @@ -37,7 +37,7 @@ #include #include @@ -211,7 +198,7 @@ /* * Generate a PostgreSQL table from a zone. -@@ -54,6 +54,9 @@ +@@ -54,6 +54,9 @@ char *dbname, *dbtable; char str[10240]; void @@ -221,7 +208,7 @@ closeandexit(int status) { if (conn != NULL) PQfinish(conn); -@@ -61,6 +64,9 @@ +@@ -61,6 +64,9 @@ closeandexit(int status) { } void @@ -231,7 +218,7 @@ check_result(isc_result_t result, const char *message) { if (result != ISC_R_SUCCESS) { fprintf(stderr, "%s: %s\n", message, -@@ -84,7 +90,8 @@ +@@ -84,7 +90,8 @@ quotestring(const unsigned char *source, unsigned char *dest) { } *dest++ = 0; } diff --git a/SOURCES/bind-9.5-dlz-64bit.patch b/SOURCES/bind-9.5-dlz-64bit.patch index 0e726d8..ec064c6 100644 --- a/SOURCES/bind-9.5-dlz-64bit.patch +++ b/SOURCES/bind-9.5-dlz-64bit.patch @@ -1,6 +1,7 @@ -diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/config.dlz.in ---- bind-9.9.0/contrib/dlz/config.dlz.in.64bit 2011-11-05 06:14:28.000000000 +0100 -+++ bind-9.9.0/contrib/dlz/config.dlz.in 2012-04-24 14:52:08.398511143 +0200 +diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in +index 47525af..eefe3c3 100644 +--- a/contrib/dlz/config.dlz.in ++++ b/contrib/dlz/config.dlz.in @@ -17,6 +17,13 @@ # dlzdir='${DLZ_DRIVER_DIR}' 
@@ -15,33 +16,19 @@ diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/confi # # Private autoconf macro to simplify configuring drivers: # -@@ -135,9 +142,9 @@ then - then - use_dlz_mysql=$d - mysql_include=$d/include/mysql -- if test -d $d/lib/mysql -+ if test -d $d/${target_lib}/mysql - then -- mysql_lib=$d/lib/mysql -+ mysql_lib=$d/${target_lib}/mysql - else - mysql_lib=$d/lib - fi -@@ -274,11 +281,11 @@ case "$use_dlz_bdb" in - bdb_libnames="db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" - for d in $bdb_libnames - do -- if test -f "$dd/lib/lib${d}.so" -+ if test -f "$dd/${target_lib}/lib${d}.so" - then - if test "$dd" != "/usr" +@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in then -- dlz_bdb_libs="-L${dd}/lib " -+ dlz_bdb_libs="-L${dd}/${target_lib} " - else - dlz_bdb_libs="" + break fi -@@ -383,7 +390,7 @@ case "$use_dlz_ldap" in +- elif test -f "$dd/lib/lib${d}.so" ++ elif test -f "$dd/${target_lib}/lib${d}.so" + then +- dlz_bdb_libs="-L${dd}/lib -l${d}" ++ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}" + break + fi + done +@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in *) DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver, [-I$use_dlz_ldap/include], 
@@ -50,21 +37,17 @@ diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/confi AC_MSG_RESULT( [using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include]) -@@ -407,7 +414,7 @@ then - odbcdirs="/usr /usr/local /usr/pkg" - for d in $odbcdirs - do -- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a -+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a - then - use_dlz_odbc=$d - break -@@ -427,7 +434,7 @@ case "$use_dlz_odbc" in - *) - DLZ_ADD_DRIVER(ODBC, dlz_odbc_driver, - [-I$use_dlz_odbc/include], -- [-L$use_dlz_odbc/lib -lodbc]) -+ [-L$use_dlz_odbc/${target_lib} -lodbc]) - - AC_MSG_RESULT([using ODBC from $use_dlz_odbc]) - ;; +@@ -432,11 +439,11 @@ then + odbcdirs="/usr /usr/local /usr/pkg" + for d in $odbcdirs + do +- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a ++ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a + then + use_dlz_odbc=$d + dlz_odbc_include="-I$use_dlz_odbc/include" +- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc" ++ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc" + break + fi + done diff --git a/SOURCES/bind-9.9.1-P2-dlz-libdb.patch b/SOURCES/bind-9.9.1-P2-dlz-libdb.patch index 7c62d87..866ed8f 100644 --- a/SOURCES/bind-9.9.1-P2-dlz-libdb.patch +++ b/SOURCES/bind-9.9.1-P2-dlz-libdb.patch 
@@ -1,26 +1,30 @@ -diff -up bind-9.9.4/contrib/dlz/config.dlz.in.libdb bind-9.9.4/contrib/dlz/config.dlz.in ---- bind-9.9.4/contrib/dlz/config.dlz.in.libdb 2014-01-06 13:24:24.669256364 +0100 -+++ bind-9.9.4/contrib/dlz/config.dlz.in 2014-01-06 13:26:29.861420493 +0100 -@@ -257,7 +257,7 @@ case "$use_dlz_bdb" in +diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in +--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200 ++++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200 +@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in # Check other locations for includes. # Order is important (sigh). -- bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/" -+ bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb/ /db/" - for d in $bdb_incdirs +- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db" ++ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db" + # include a blank element first + for d in "" $bdb_incdirs do - if test -f "$dd/include${d}db.h" -@@ -283,13 +283,7 @@ case "$use_dlz_bdb" in +@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in + bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" + for d in $bdb_libnames do - if test -f "$dd/${target_lib}/lib${d}.so" +- if test "$dd" = "/usr" ++ if test -f "$dd/${target_lib}/lib${d}.so" then -- if test "$dd" != "/usr" +- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}") +- if test $dlz_bdb_libs != "yes" - then -- dlz_bdb_libs="-L${dd}/${target_lib} " -- else -- dlz_bdb_libs="" +- break - fi -- dlz_bdb_libs="${dlz_bdb_libs}-l${d}" +- elif test -f "$dd/${target_lib}/lib${d}.so" +- then +- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}" + dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" break fi 
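Review bot: In the rewritten inner hunk the probe and the link path disagree: `if test -f "$dd/${target_lib}/lib${d}.so"` checks directly under `${target_lib}`, while the assignment it guards emits `dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"`. If the packaged libdb-devel ships `lib${d}.so` only under the `libdb` subdirectory the branch never fires, and if the file is found under `${target_lib}` the `/libdb` suffix is not what was tested; either probe the path that is linked, `if test -f "$dd/${target_lib}/libdb/lib${d}.so"`, or put a comment above the assignment explaining why the two differ. The replacement also removes the upstream `AC_CHECK_LIB($d, db_create, …)` link test for the `/usr` case, so an unusable `.so` is no longer caught at configure time.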
diff --git a/SOURCES/bind-9.9.1-P2-multlib-conflict.patch b/SOURCES/bind-9.9.1-P2-multlib-conflict.patch index 03d5f5c..96506dd 100644 --- a/SOURCES/bind-9.9.1-P2-multlib-conflict.patch +++ b/SOURCES/bind-9.9.1-P2-multlib-conflict.patch @@ -1,8 +1,9 @@ -diff -up bind-9.9.3rc2/config.h.in.multlib-conflict bind-9.9.3rc2/config.h.in ---- bind-9.9.3rc2/config.h.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/config.h.in 2013-05-13 12:10:22.514870894 +0200 -@@ -416,7 +416,7 @@ int sigwait(const unsigned int *set, int - #undef PORT_NONBLOCK +diff --git a/config.h.in b/config.h.in +index e1364dd921..1dc65cfb21 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig); + #undef PREFER_GOSTASN1 /* The size of `void *', as computed by sizeof. */ -#undef SIZEOF_VOID_P 
@@ -10,24 +11,42 @@ diff -up bind-9.9.3rc2/config.h.in.multlib-conflict bind-9.9.3rc2/config.h.in /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS -diff -up bind-9.9.3rc2/configure.in.multlib-conflict bind-9.9.3rc2/configure.in ---- bind-9.9.3rc2/configure.in.multlib-conflict 2013-05-13 12:10:22.481870901 +0200 -+++ bind-9.9.3rc2/configure.in 2013-05-13 12:10:22.515870894 +0200 -@@ -2251,7 +2251,9 @@ int getnameinfo(const struct sockaddr *, - size_t, char *, size_t, int);], +diff --git a/configure.in b/configure.in +index 73b1c8ccbb..129fc3f311 100644 +--- a/configure.in ++++ b/configure.in +@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([ + #include + #include + int getnameinfo(const struct sockaddr *, socklen_t, char *, +- socklen_t, char *, socklen_t, unsigned int);], ++ socklen_t, char *, socklen_t, int);], [ return (0);], - [AC_MSG_RESULT(size_t for buflen; int for flags) -- AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) -+ # Changed to solve multilib conflict on Fedora -+ #AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) -+ AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) - AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)], +- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags) ++ [AC_MSG_RESULT(socklen_t for buflen; int for flags) + AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t, + [Define to the sockaddr length type used by getnameinfo(3).]) + AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t, + [Define to the buffer length type used by getnameinfo(3).]) +- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int, ++ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int, + [Define to the flags type used by getnameinfo(3).])], + [AC_TRY_COMPILE([ + #include +@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *, [AC_MSG_RESULT(not match any subspecies; assume standard definition) + AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t) AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) -diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict 
bind-9.9.3rc2/isc-config.sh.in ---- bind-9.9.3rc2/isc-config.sh.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/isc-config.sh.in 2013-05-13 12:26:40.258698745 +0200 -@@ -21,7 +21,18 @@ prefix=@prefix@ +-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])]) ++AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])]) + + # + # ...and same for gai_strerror(). +diff --git a/isc-config.sh.in b/isc-config.sh.in +index a8a0a89e88..b5e94ed13e 100644 +--- a/isc-config.sh.in ++++ b/isc-config.sh.in +@@ -13,7 +13,18 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ exec_prefix_set= includedir=@includedir@ @@ -47,9 +66,9 @@ diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-confi usage() { -@@ -133,6 +144,16 @@ if test x"$echo_libs" = x"true"; then +@@ -132,6 +143,16 @@ if test x"$echo_libs" = x"true"; then if test x"${exec_prefix_set}" = x"true"; then - includes="-L${exec_prefix}/lib" + libs="-L${exec_prefix}/lib" else + if [ ! -x $libdir/libisc.so ] ; then + if [ ! -x $sec_libdir/libisc.so ] ; then @@ -63,4 +82,4 @@ diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-confi + fi libs="-L${libdir}" fi - if test x"$liblwres" = x"true" ; then + if test x"$libirs" = x"true" ; then diff --git a/SOURCES/bind-95-rh452060.patch b/SOURCES/bind-95-rh452060.patch index 58808b0..dac3a8d 100644 --- a/SOURCES/bind-95-rh452060.patch +++ b/SOURCES/bind-95-rh452060.patch 
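Review bot: The rebased configure.in hunk changes the "assume standard definition" fallback from `AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)` to `AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)` while the probed branch above it is changed the other way (`unsigned int` to `int`), and unlike the previous revision of this patch, which carried `# Changed to solve multilib conflict on Fedora`, the new hunk gives no reason. If the intent is still that the generated config.h comes out identical on every multilib arch, restore a one-line comment saying so next to the swapped defines; without it the inversion reads like a mistake. The isc-config.sh.in hunk that follows tests `$libdir/libisc.so` and `$sec_libdir/libisc.so` unquoted; `"$libdir/libisc.so"` is the safe spelling.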
@@ -1,10 +1,12 @@ -diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost.c ---- bind-9.5.0-P2/bin/dig/dighost.c.rh452060 2008-12-01 22:30:01.000000000 +0100 -+++ bind-9.5.0-P2/bin/dig/dighost.c 2008-12-01 22:30:07.000000000 +0100 -@@ -1280,6 +1280,12 @@ clear_query(dig_query_t *query) { - - debug("clear_query(%p)", query); +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index f657c30..ff9a2d2 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) { + if (query->timer != NULL) + isc_timer_detach(&query->timer); ++ + if (query->waiting_senddone) { + debug("send_done not yet called"); + query->pending_free = ISC_TRUE; @@ -14,7 +16,7 @@ diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost. lookup = query->lookup; if (lookup->current_query == query) -@@ -1301,10 +1307,7 @@ clear_query(dig_query_t *query) { +@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) { isc_mempool_put(commctx, query->recvspace); isc_buffer_invalidate(&query->recvbuf); isc_buffer_invalidate(&query->lengthbuf); @@ -26,7 +28,7 @@ diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost. } /*% -@@ -2175,9 +2178,9 @@ send_done(isc_task_t *_task, isc_event_t +@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) { isc_event_free(&event); if (query->pending_free) diff --git a/SOURCES/bind93-rh726120.patch b/SOURCES/bind93-rh726120.patch index 5eb11ee..5b6cc05 100644 --- a/SOURCES/bind93-rh726120.patch +++ b/SOURCES/bind93-rh726120.patch @@ -1,4 +1,4 @@ -From 23c33ea76e916cc16e354faa218b6a0ca6385d00 Mon Sep 17 00:00:00 2001 +From 976b84dced599a74348834e11bcc3fec67a99387 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 5 Dec 2017 16:33:08 +0100 Subject: [PATCH] Fix bug #726120 @@ -8,11 +8,11 @@ Subject: [PATCH] Fix bug #726120 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index 42a2fe2..3a066c6 100644 +index 97ca54e71..eb66793a4 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c -@@ -3416,7 +3416,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { - return; +@@ -4107,7 +4107,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { + } } if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) || - (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse)) @@ -22,5 +22,5 @@ index 42a2fe2..3a066c6 100644 dig_query_t *next = ISC_LIST_NEXT(query, link); if (l->current_query == query) -- -2.9.5 +2.20.1 diff --git a/SOURCES/bind97-rh478718.patch b/SOURCES/bind97-rh478718.patch index c6ea596..ef44490 100644 --- a/SOURCES/bind97-rh478718.patch +++ b/SOURCES/bind97-rh478718.patch @@ -1,7 +1,8 @@ -diff -up bind-9.7.0/configure.in.rh478718 bind-9.7.0/configure.in ---- bind-9.7.0/configure.in.rh478718 2010-03-01 14:50:02.331207076 +0100 -+++ bind-9.7.0/configure.in 2010-03-01 14:50:21.501207488 +0100 -@@ -2540,6 +2540,10 @@ main() { +diff --git a/configure.in b/configure.in +index 896e81c1ce..73b1c8ccbb 100644 +--- a/configure.in ++++ b/configure.in +@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then AC_MSG_RESULT($arch) fi 
@@ -9,22 +10,42 @@ diff -up bind-9.7.0/configure.in.rh478718 bind-9.7.0/configure.in + AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!]) +fi + - if test "$have_atomic" = "yes"; then + if test "yes" = "$have_atomic"; then AC_MSG_CHECKING([compiler support for inline assembly code]) -diff -up bind-9.7.0/lib/isc/include/isc/platform.h.in.rh478718 bind-9.7.0/lib/isc/include/isc/platform.h.in ---- bind-9.7.0/lib/isc/include/isc/platform.h.in.rh478718 2010-03-01 14:50:31.421207522 +0100 -+++ bind-9.7.0/lib/isc/include/isc/platform.h.in 2010-03-01 14:50:40.313707286 +0100 -@@ -255,7 +255,11 @@ +diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in +index 2ff522342f..58df86adb3 100644 +--- a/lib/isc/include/isc/platform.h.in ++++ b/lib/isc/include/isc/platform.h.in +@@ -289,19 +289,25 @@ * If the "xaddq" operation (64bit xadd) is available on this architecture, * ISC_PLATFORM_HAVEXADDQ will be defined. */ -@ISC_PLATFORM_HAVEXADDQ@ + + /* +- * If the 32-bit "atomic swap" operation is available on this +- * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined. ++ * If the 64-bit "atomic swap" operation is available on this ++ * architecture, ISC_PLATFORM_HAVEATOMICSTOREQ" will be defined. + */ +-@ISC_PLATFORM_HAVEATOMICSTORE@ ++ +#ifdef __x86_64__ +#define ISC_PLATFORM_HAVEXADDQ 1 ++#define ISC_PLATFORM_HAVEATOMICSTOREQ 1 +#else +#undef ISC_PLATFORM_HAVEXADDQ ++#undef ISC_PLATFORM_HAVEATOMICSTOREQ +#endif /* - * If the "atomic swap" operation is available on this architecture, +- * If the 64-bit "atomic swap" operation is available on this ++ * If the 32-bit "atomic swap" operation is available on this + * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined. + */ +-@ISC_PLATFORM_HAVEATOMICSTOREQ@ ++@ISC_PLATFORM_HAVEATOMICSTORE@ + + /* + * If the "compare-and-exchange" operation is available on this architecture, diff --git a/SOURCES/bind99-rh640538.patch b/SOURCES/bind99-rh640538.patch index a8e68f2..5066a14 100644 
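Review bot: The rewritten platform.h.in block defines `ISC_PLATFORM_HAVEXADDQ` and `ISC_PLATFORM_HAVEATOMICSTOREQ` from the compiler macro `__x86_64__` instead of the configure substitutions it replaces, but nothing in the header says why, and a reader comparing it with upstream will take it for a bug. Add a comment above the `#ifdef __x86_64__`, e.g. `/* rh478718: keyed on the compiler macro rather than on configure so the installed header does not differ between arches; configure.in aborts if XADDQ is detected. */`, with the rationale confirmed against that bug. The comment the hunk leaves directly above the `#ifdef` describes only the 64-bit atomic store, while the block also defines the XADDQ macro. The configure.in hunk of this patch starts on the previous line and is not fully visible here.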
--- a/SOURCES/bind99-rh640538.patch +++ b/SOURCES/bind99-rh640538.patch @@ -1,11 +1,12 @@ -diff -up bind-9.9.2/bin/dig/dig.docbook.rh640538 bind-9.9.2/bin/dig/dig.docbook ---- bind-9.9.2/bin/dig/dig.docbook.rh640538 2012-09-27 02:35:19.000000000 +0200 -+++ bind-9.9.2/bin/dig/dig.docbook 2012-11-12 14:47:17.385334972 +0100 -@@ -961,6 +961,40 @@ dig +qr www.isc.org any -x 127.0.0.1 isc - +diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook +index 1079421..f11abd1 100644 +--- a/bin/dig/dig.docbook ++++ b/bin/dig/dig.docbook +@@ -1177,6 +1177,39 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr + + - -+ RETURN CODES ++ RETURN CODES + + Dig return codes are: + @@ -36,9 +37,8 @@ diff -up bind-9.9.2/bin/dig/dig.docbook.rh640538 bind-9.9.2/bin/dig/dig.docbook + + + -+ ++ + -+ - FILES + FILES + /etc/resolv.conf - diff --git a/SOURCES/named-chroot-setup.service b/SOURCES/named-chroot-setup.service index 9870a88..237a909 100644 --- a/SOURCES/named-chroot-setup.service +++ b/SOURCES/named-chroot-setup.service @@ -8,5 +8,5 @@ After=named-setup-rndc.service [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on -ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off +ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files +ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files diff --git a/SOURCES/named-chroot.files b/SOURCES/named-chroot.files new file mode 100644 index 0000000..b38cbe6 --- /dev/null +++ b/SOURCES/named-chroot.files 
@@ -0,0 +1,23 @@ +# Configuration of files used in chroot +# Following files are made available after named-chroot.service start +# if they are missing or empty in target directory. +/etc/localtime +/etc/named.root.key +/etc/named.conf +/etc/named.rfc1912.zones +/etc/rndc.conf +/etc/rndc.key +/etc/named.iscdlv.key +/etc/crypto-policies/back-ends/bind.config +/etc/protocols +/etc/services +/etc/named.dnssec.keys +/etc/pki/dnssec-keys +/etc/named +/usr/lib64/bind +/usr/lib/bind +/run/named +# Warning: the order is important +# If a directory containing $ROOTDIR is listed here, +# it MUST be listed last. (/var/named contains /var/named/chroot) +/var/named diff --git a/SOURCES/named-sdb-chroot-setup.service b/SOURCES/named-sdb-chroot-setup.service index 0967a60..5a3e173 100644 --- a/SOURCES/named-sdb-chroot-setup.service +++ b/SOURCES/named-sdb-chroot-setup.service @@ -8,5 +8,5 @@ After=named-setup-rndc.service [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on -ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off +ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on /etc/named-chroot.files +ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off /etc/named-chroot.files diff --git a/SOURCES/named.conf b/SOURCES/named.conf index 89338bd..193aa7c 100644 --- a/SOURCES/named.conf +++ b/SOURCES/named.conf @@ -36,7 +36,7 @@ options { dnssec-validation yes; /* Path to ISC DLV key */ - bindkeys-file "/etc/named.iscdlv.key"; + bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; diff --git a/SOURCES/named.conf.sample b/SOURCES/named.conf.sample index 6d504a8..a062cff 100644 --- a/SOURCES/named.conf.sample +++ b/SOURCES/named.conf.sample @@ -86,7 +86,7 @@ logging channel default_debug { file "data/named.run"; severity dynamic; - }; + }; }; /* 
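Review bot: In the named.conf hunk the comment above the changed line still reads `/* Path to ISC DLV key */`, but the value now points at `/etc/named.root.key`, which by its name holds the root-zone trust anchor rather than a DLV key; update it to `/* Path to the root trust anchor (bind.keys) */`. A stale comment next to a trust-anchor setting is worth fixing because this file is what administrators copy. Related: `/etc/named.iscdlv.key` is still listed in the new `named-chroot.files`, so it keeps being made available in the chroot even though the default config no longer references it.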
@@ -171,7 +171,7 @@ view "internal" allow-update { key ddns_key; }; file "dynamic/my.ddns.internal.zone.db"; // put dynamically updateable zones in the slaves/ directory so named can update them - }; + }; }; key ddns_key diff --git a/SOURCES/setup-named-chroot.sh b/SOURCES/setup-named-chroot.sh index 2326c49..49cdb47 100755 --- a/SOURCES/setup-named-chroot.sh +++ b/SOURCES/setup-named-chroot.sh @@ -3,26 +3,22 @@ # Warning: the order is important # If a directory containing $ROOTDIR is listed here, # it MUST be listed last. (/var/named contains /var/named/chroot) -ROOTDIR_MOUNT='/etc/localtime /etc/named /etc/pki/dnssec-keys /etc/named.root.key /etc/named.conf -/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key /etc/named.iscdlv.key /etc/protocols /etc/services -/usr/lib64/bind /usr/lib/bind /run/named -/var/named' +ROOTDIR="$1" +CONFIG_FILES="${3:-/etc/named-chroot.files}" usage() { echo echo 'This script setups chroot environment for BIND' - echo 'Usage: setup-named-chroot.sh ROOTDIR [on|off]' + echo 'Usage: setup-named-chroot.sh ROOTDIR [chroot.files]' } -if ! [ "$#" -eq 2 ]; then +if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then echo 'Wrong number of arguments' usage exit 1 fi -ROOTDIR="$1" - # Exit if ROOTDIR doesn't exist if ! [ -d "$ROOTDIR" ]; then echo "Root directory $ROOTDIR doesn't exist" 
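Review bot: The new usage line `echo 'Usage: setup-named-chroot.sh ROOTDIR [chroot.files]'` drops the second positional argument, yet the argument-count check two lines below still requires at least two (`"$#" -ge 2 -a "$#" -le 3`) and the third is the files list (`CONFIG_FILES="${3:-/etc/named-chroot.files}"`); the service units in this commit pass `on`/`off` in that slot. Keep it documented: `echo 'Usage: setup-named-chroot.sh ROOTDIR [on|off] [chroot.files]'`. How `$2` is consumed is outside this hunk.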
@@ -30,10 +26,47 @@ if ! [ -d "$ROOTDIR" ]; then exit 1 fi +if ! [ -r "$CONFIG_FILES" ]; then + echo "Files list $CONFIG_FILES doesn't exist" 2>&1 + usage + exit 1 +fi + +dev_create() +{ + DEVNAME="$ROOTDIR/dev/$1" + shift + if ! [ -e "$DEVNAME" ]; then + /bin/mknod -m 0664 "$DEVNAME" $@ + /bin/chgrp named "$DEVNAME" + if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then + /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || : + fi + fi +} + +dev_chroot_prep() +{ + dev_create random c 1 8 + dev_create zero c 1 5 + dev_create null c 1 3 +} + +files_comment_filter() +{ + if [ -d "$1" ]; then + grep -v '^[[:space:]]*#' "$1"/*.files + else + grep -v '^[[:space:]]*#' "$1" + fi +} + mount_chroot_conf() { if [ -n "$ROOTDIR" ]; then - for all in $ROOTDIR_MOUNT; do + # Check devices are prepared + dev_chroot_prep + files_comment_filter "$CONFIG_FILES" | while read -r all; do # Skip nonexistant files [ -e "$all" ] || continue @@ -58,7 +91,7 @@ mount_chroot_conf() umount_chroot_conf() { if [ -n "$ROOTDIR" ]; then - for all in $ROOTDIR_MOUNT; do + files_comment_filter "$CONFIG_FILES" | while read -r all; do # Check if file is mount target. Do not use /proc/mounts because detecting # of modified mounted files can fail. if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then diff --git a/SOURCES/setup-named-softhsm.sh b/SOURCES/setup-named-softhsm.sh new file mode 100755 index 0000000..7ae0a6d --- /dev/null +++ b/SOURCES/setup-named-softhsm.sh 
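Review bot: In the new `CONFIG_FILES` check, `echo "Files list $CONFIG_FILES doesn't exist" 2>&1` points stderr at stdout, the opposite of what an error message needs; write `echo "Files list $CONFIG_FILES doesn't exist" >&2`. In `dev_create`, `/bin/mknod -m 0664 "$DEVNAME" $@` should quote the remaining arguments as `"$@"`, even though the three callers in `dev_chroot_prep` only pass literals. Both `files_comment_filter "$CONFIG_FILES" | while read -r all; do` loops now run their body in a subshell, so any variable the body (which continues past this hunk) sets is lost after `done`; worth checking that `mount_chroot_conf`/`umount_chroot_conf` did not rely on that with the old `for` loop. Since every non-comment line of `$CONFIG_FILES` becomes a path made available inside the chroot, the script trusts that file completely, so it must be installed root-owned and not writable by the named user (the install step is not in this hunk).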
@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+
+set -e
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+ echo "Usage: $0 [group]" >&2
+ exit 1
+fi
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+ echo "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+ echo "Token in ${TOKENPATH} is already initialized" >&2
+else
+ echo "Initializing tokens to ${TOKENPATH}..."
+ softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
+
+ if [ -n "$GROUPNAME" ]; then
+ chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+ chmod -R -- g=rX,o= "$TOKENPATH"
+ fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 48f91b1..62616c6 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
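Review bot: `[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"` creates the token store with the caller's umask, and the `chgrp -R`/`chmod -R -- g=rX,o=` tightening runs only when a group is given and only on the first-initialisation branch, so a store created without a group, or re-run later with one, keeps whatever world access the umask allowed. Create it restrictively, `[ -d "$TOKENPATH" ] || mkdir -p -m 0750 "$TOKENPATH"`, and move the `if [ -n "$GROUPNAME" ]` block after the outer `fi` so it applies on every invocation. The usage text `echo "Usage: $0 [group]" >&2` names only the optional argument; unless the required positionals were lost in rendering, spell them out (config path, token path). The fixed `PIN=1234` is acknowledged by the comment above it, but `--pin $PIN --so-pin $PIN` also exposes it in the process listing, which is acceptable only as long as that comment's limitation holds.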
@@ -2,37 +2,73 @@ # Red Hat BIND package .spec file # -#%%global PATCHVER P2 -#%%global PREVER rc2 -#%%global VERSION %{version}%{PREVER} -%global VERSION %{version} -#%%global VERSION %{version}-%{PATCHVER} - -%{?!SDB: %global SDB 1} -%{?!test: %global test 0} +%global PATCHVER P2 +#%%global PREVER rc1 +%global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}} + +# bcond_without is built by default, unless --without X is passed +# bcond_with is built only when --with X is passed to build +%bcond_without UNITTEST +%bcond_with SYSTEMTEST +%bcond_without SDB +%bcond_without GSSTSIG +# it is not possible to build the package without PKCS11 sub-package +# due to extensive changes to Makefiles +%bcond_without PKCS11 +%bcond_without DEVEL +%bcond_with LMDB +%bcond_with DLZ +%bcond_without EXPORT_LIBS +%if 0%{?fedora} >= 17 +%bcond_without KYUA +%else +%bcond_with KYUA +%endif + %{?!bind_uid: %global bind_uid 25} %{?!bind_gid: %global bind_gid 25} -%{?!GSSTSIG: %global GSSTSIG 1} -%{?!PKCS11: %global PKCS11 1} -%{?!DEVEL: %global DEVEL 1} %global bind_dir /var/named %global chroot_prefix %{bind_dir}/chroot %global selinuxbooleans named_write_master_zones=1 -%if %{SDB} +%if %{with SDB} %global chroot_sdb_prefix %{bind_dir}/chroot_sdb %endif +## The order of libs is important. 
See lib/Makefile.in for details +%define bind_export_libs isc dns isccfg irs +%{!?_export_dir:%global _export_dir /bind9-export/} +# libisc-nosym requires to be linked with unresolved symbols +# When libisc-nosym linking is fixed, it can be defined to 1 +# Visit https://bugzilla.redhat.com/show_bug.cgi?id=1540300 +%undefine _strict_symbol_defs_build # + +# lib*.so.X versions of selected libraries +%global sover_dns 1102 +%global sover_isc 169 +%global sover_irs 160 +%global sover_isccfg 160 + +# Fix permissions on existing device files on upgrade +%define chroot_fix_devices() \ +if [ $1 -gt 1 ]; then \ + for DEV in "%{1}/dev"/{null,random,zero}; do \ + if [ -e "$DEV" ] && [ "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; \ + then \ + /bin/chmod 0664 "$DEV" \ + /bin/chgrp named "$DEV" \ + fi \ + done \ +fi + Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind -License: ISC -Version: 9.9.4 -Release: 73%{?PATCHVER}%{?PREVER}%{?dist} +License: MPLv2.0 +Version: 9.11.4 +Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ -Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Group: System Environment/Daemons # -Source: https://ftp.isc.org/isc/bind9/%{VERSION}/bind-%{VERSION}.tar.gz +Source: https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz Source1: named.sysconfig Source3: named.logrotate Source7: bind-9.3.1rc1-sdb_tools-Makefile.in @@ -40,7 +76,7 @@ Source8: dnszone.schema Source12: README.sdb_pgsql Source25: named.conf.sample Source26: named.conf -Source28: config-16.tar.bz2 +Source28: config-18.tar.bz2 # Up-to-date bind.keys from upstream # Fetch a new one from page https://www.isc.org/bind-keys Source29: bind.keys 
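Review bot: `Source: https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz` is fetched without the detached signature ISC publishes beside it, so the build has no integrity check independent of the mirror or of this repository's own history. Add the signature as a source, `SourceN: https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz.asc` (with N an unused number), ship the ISC release key as another source, and verify it in %prep (`%{gpgverify}` where the build macros provide it, gpgv otherwise); %prep is outside this hunk. In `chroot_fix_devices`, `/bin/stat --printf="%G %a"` sits inside a macro body, where `%G` and `%a` are candidates for rpm macro expansion; `%%G %%a` is the safe spelling unless you have confirmed rpm leaves them untouched.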
@@ -62,179 +98,130 @@ Source44: named-chroot-setup.service Source45: named-sdb-chroot-setup.service Source46: named-setup-rndc.service Source47: named-pkcs11.service -# added due to GeoIP functionality tests -# patch tool does not support binary patches -Source48: geoip-testing-data.tar.xz +Source48: setup-named-softhsm.sh +Source49: named-chroot.files # Common patches -Patch5: bind-nonexec.patch Patch10: bind-9.5-PIE.patch Patch16: bind-9.3.2-redhat_doc.patch Patch72: bind-9.5-dlz-64bit.patch -Patch87: bind-9.5-parallel-build.patch Patch101:bind-96-old-api.patch Patch102:bind-95-rh452060.patch Patch106:bind93-rh490837.patch Patch109:bind97-rh478718.patch -Patch110:bind97-rh570851.patch -Patch111:bind97-exportlib.patch Patch112:bind97-rh645544.patch -Patch119:bind97-rh693982.patch -Patch123:bind98-rh735103.patch Patch124:bind93-rh726120.patch -# FIXME: This disables dlzexternal, which I will enable later again -# Make tests on all architectures and disable it -Patch127:bind99-forward.patch Patch130:bind-9.9.1-P2-dlz-libdb.patch +# Make tests on all architectures and disable it Patch131:bind-9.9.1-P2-multlib-conflict.patch Patch133:bind99-rh640538.patch Patch134:bind97-rh669163.patch -Patch137:bind99-rrl.patch -# Install dns/update.h header for bind-dyndb-ldap plugin -Patch138:bind-9.9.3-include-update-h.patch -Patch139:bind99-ISC-Bugs-34738.patch -Patch140:bind99-ISC-Bugs-34870-v3.patch -Patch141:bind99-ISC-Bugs-35073.patch -Patch142:bind99-ISC-Bugs-35080.patch -Patch143:bind99-CVE-2014-0591.patch -Patch144:bind99-rh1067424.patch -Patch145:bind99-rh1072379.patch -Patch146:bind99-rh1098959.patch -Patch147:bind99-CVE-2014-8500.patch -Patch148:bind99-CVE-2015-1349.patch -Patch149:bind99-rh1215687-limits.patch -Patch154:bind99-rh1215164.patch -Patch155:bind99-rh1214827.patch -Patch156:bind99-CVE-2015-4620.patch -Patch157:bind99-CVE-2015-5477.patch -Patch158:bind-99-socket-maxevents.patch -Patch159:bind99-CVE-2015-5722.patch -Patch160:bind99-CVE-2015-8000.patch 
-Patch161:bind99-CVE-2015-8704.patch -Patch162:bind99-CVE-2016-1285-CVE-2016-1286.patch -Patch163:bind99-rh1291185.patch -Patch164:bind99-rh1259514.patch -Patch165:bind99-rh1306610.patch -Patch166:bind99-rh1220594-geoip.patch -Patch167:bind99-automatic-interface-scanning-rh1294506.patch -# commit 51bcc28543ce205f7af238ef2f3889ef020a0961 ISC 4467 -patch168:bind99-CVE-2016-2776.patch -# commit bbb7c613b3e41495db627909660334695b48e60b ISC 4489 -patch169:bind99-CVE-2016-8864.patch -# commit d372472f604d45f85b3bbae5d6f523fb561a8823 ISC 4508 -patch170:bind99-CVE-2016-9131.patch -# commit a14b7f0187315767a1fa855f116fe937a7b402e3 ISC 4510 -patch171:bind99-CVE-2016-9147.patch -# commit 69cb8ebf157183d9c36a9813f945348dd81b521f ISC 4517 -Patch172:bind99-CVE-2016-9444.patch -# commit 2c74ad28efe5710ad04562c6f9902bc48d3be0ed ISC 4530 -Patch173:bind99-rt43779.patch -# commit 062b04898be720ed0855efc192847fcbc667b3e1 ISC 4406 -Patch174:bind99-CVE-2016-2775.patch -# ISC 4557 -Patch175:bind99-CVE-2017-3135.patch -# ISC 4558 -Patch176:bind99-rt44318.patch -# commit c550e75ade4ceb4ece96f660292799519a5c3183 ISC 4567 -Patch177:bind99-rh1392362.patch -# commit 1f3ac11cb4ecfab52f517ebf78493b0f05318be2 -Patch178:bind99-coverity-fixes2.patch -# ISC 4575 -Patch179:bind99-CVE-2017-3136.patch -# ISC 4578 -Patch180:bind99-CVE-2017-3137.patch -# commit 5e746ab61ed8158f784b86111fef95581a08b7dd ISC 3905 -Patch181:bind99-rh1416304.patch -# ISC 4643 -Patch182: bind99-CVE-2017-3142+3143.patch -# commit e3894cd3a92be79a64072835008ec589b17c601a -Patch183: bind99-rh1472862.patch -# commit 2fc1b8102d4bf02162012c27ab95e98a7438bd8f ISC 4647 -Patch184: bind99-rh1476013.patch -# commit 51aed1827453f40ee56b165d45c5d58d96838d94 -Patch185: bind99-rh1470637-tests.patch -# commit 51b00c6c783ccf5dca86119ff8f4f8b994298ca4 ISC 4712 -Patch186: bind99-rh1470637.patch -# commit 6a3fa181d1253db5191139e20231512eebaddeeb ISC 3745 -Patch187: bind99-rh1464850.patch -# commit 871f3c8beeb2134b17414ec167b90a57adb8e122 ISC 3980 
-Patch188: bind99-rh1464850-2.patch -# commit 4eb998928b9aef0ceda42d7529980d658138698a ISC 3525 -Patch189: bind99-rh1501531.patch -# ISC 4858 -Patch190: bind99-CVE-2017-3145.patch -Patch191: bind99-rh1510008.patch -Patch192: bind99-nta.patch -Patch193: bind99-rh1510008-2.patch -Patch194: bind99-fips.patch -Patch195: bind99-fips-tests.patch -# commit c3fbf330bc014f0470371e8da590d14a1d62977e ISC 4377 -Patch196: bind99-rh1549130.patch -# commit cb735b3f902d4bb5f6e30328d5828d38efa63573 -Patch197: bind99-rh1549130-2.patch -Patch198: bind99-CVE-2018-5740.patch -Patch199: bind99-rh1647539.patch - -# Native PKCS#11 functionality from 9.10 -Patch150:bind-9.9-allow_external_dnskey.patch -Patch151:bind-9.9-native-pkcs11.patch -Patch152:bind-9.9-dist-native-pkcs11.patch -Patch153:bind99-coverity-fixes.patch +# Fedora specific patch to distribute native-pkcs#11 functionality +Patch136:bind-9.10-dist-native-pkcs11.patch + +# [ISC-Bugs #42525] non-portable use of strlcat in contrib/sdb/ldap/zone2ldap.c +# introduced by https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=fc9f0ac5778f78003a7acc957a23711811fec122 +Patch137:bind-9.10-use-of-strlcat.patch +Patch140:bind-9.11-rh1410433.patch +Patch145:bind-9.11-rh1205168.patch +# [ISC-Bugs #46853] commit cb616c6d5c2ece1fac37fa6e0bca2b53d4043098 ISC 4851 +Patch149:bind-9.11-kyua-pkcs11.patch +Patch153:bind-9.11-export-suffix.patch +Patch154:bind-9.11-oot-manual.patch +Patch155:bind-9.11-pk11.patch +Patch156:bind-9.11-fips-code.patch +Patch157:bind-9.11-fips-tests.patch +# commit 66ba2fdad583d962a1f4971c85d58381f0849e4d +# commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c +# commit 083461d3329ff6f2410745848a926090586a9846 +Patch158:bind-9.11-rh1624100.patch +Patch159:bind-9.11-host-idn-disable.patch +# RHEL 7 feature reset patches +# Disables sending cookies by default +Patch160:bind-9.11-no-default-cookies.patch +# Disables listening on IPv6 by default +Patch161:bind-9.11-no-default-ipv6.patch +# Accept dnssec-lookaside yes 
with a warning +Patch162:bind-9.11-dnssec-lookaside.patch +# Downgrade libidn2 usage back to libidn +Patch163:bind-9.11-libidn.patch +# https://gitlab.isc.org/isc-projects/bind9/issues/225 +Patch164:bind-9.11-ed448-disable.patch +# random_test fails too often by random, disable it +Patch165:bind-9.11-unit-disable-random.patch +Patch166:bind-9.11-rh1685940.patch +Patch167:bind-9.11-CVE-2018-5743.patch +Patch168:bind-9.11-CVE-2018-5743-atomic.patch +Patch169:bind-9.11-CVE-2019-6471.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch -Patch12: bind-9.5-sdb.patch -Patch62: bind-9.5-sdb-sqlite-bld.patch +Patch12: bind-9.10-sdb.patch # needs inpection Patch17: bind-9.3.2b1-fix_sdb_ldap.patch -Patch104: bind99-dyndb.patch - -# IDN paches -Patch73: bind-9.5-libidn.patch -Patch83: bind-9.5-libidn2.patch -Patch85: bind-9.5-libidn3.patch -Patch94: bind95-rh461409.patch -Patch135:bind99-libidn4.patch +Patch18: bind-9.11-zone2ldap.patch -# +Requires(post): systemd Requires(preun): systemd Requires(postun): systemd Requires: coreutils -Requires: systemd-units -Requires(post): grep, systemd +Requires(pre): shadow-utils Requires(post): shadow-utils Requires(post): glibc-common -Requires(pre): shadow-utils -Requires: bind-libs = %{epoch}:%{version}-%{release} +Requires(post): grep +Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Obsoletes: bind-config < 30:9.3.2-34.fc6 Provides: bind-config = 30:9.3.2-34.fc6 Obsoletes: caching-nameserver < 31:9.4.1-7.fc8 Provides: caching-nameserver = 31:9.4.1-7.fc8 Obsoletes: dnssec-conf < 1.27-2 -Provides: dnssec-conf = 1.27-1 +Provides: dnssec-conf = 1.27-2 +BuildRequires: gcc, make Requires: python-ply Provides: python-isc = %{epoch}:%{version}-%{release} Provides: python-bind = %{epoch}:%{version}-%{release} # selinux_set_booleans requires Requires(post): policycoreutils-python, libselinux-utils, selinux-policy Requires(postun): policycoreutils-python, 
libselinux-utils, selinux-policy -Requires(posttrans): policycoreutils-python, libselinux-utils, selinux-policy +# Ensures at least one selinux-policy-X is installed when post is executed. +# Needed for selinux-policy-targeted to be already installed, but not requiring it explicitly +# Should be satisfied with selinux-policy-minimum if no selinux policy is used +Requires(post): selinux-policy-base +Requires(postun): selinux-policy-base BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel BuildRequires: libidn-devel, libxml2-devel, GeoIP-devel -BuildRequires: systemd-units +BuildRequires: systemd +# needed for %%{__python} macro +BuildRequires: python-devel BuildRequires: python-ply BuildRequires: selinux-policy -%if %{SDB} -BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mysql-devel +BuildRequires: findutils sed +%if %{with SDB} +BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mariadb-devel BuildRequires: libdb-devel %endif -%if %{test} -BuildRequires: net-tools +%if %{with KYUA} +# make unit dependencies +BuildRequires: libatf-c-devel kyua +%else +# shipped atf library requires c++ +BuildRequires: gcc-c++ +%endif +%if %{with PKCS11} +BuildRequires: softhsm +%endif +%if %{with SYSTEMTEST} +# bin/tests/system dependencies +BuildRequires: net-tools perl(Net::DNS) perl(Net::DNS::Nameserver) %endif -%if %{GSSTSIG} +%if %{with GSSTSIG} BuildRequires: krb5-devel %endif +%if %{with LMDB} +BuildRequires: lmdb-devel +%endif # Needed to regenerate dig.1 manpage BuildRequires: docbook-style-xsl, libxslt 
@@ -245,13 +232,15 @@ which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. -%if %{PKCS11} +%if %{with PKCS11} %package pkcs11 Summary: Bind with native PKCS#11 functionality for crypto -Group: System Environment/Daemons -Requires: bind = %{epoch}:%{version}-%{release} -Requires: bind-libs = %{epoch}:%{version}-%{release} -Requires: bind-pkcs11-libs = %{epoch}:%{version}-%{release} +Requires: systemd +Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} +#Recommends: softhsm %description pkcs11 This is a version of BIND server built with native PKCS#11 functionality. @@ -261,8 +250,8 @@ This version of BIND binary is supported only in setup with the IPA server. %package pkcs11-utils Summary: Bind tools with native PKCS#11 for using DNSSEC -Group: System Environment/Daemons -Requires: bind-pkcs11-libs = %{epoch}:%{version}-%{release} +Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} +Obsoletes: bind-pkcs11 < 32:9.9.4-16.P2 %description pkcs11-utils This is a set of PKCS#11 utilities that when used together create rsa @@ -273,7 +262,7 @@ compiled with native PKCS#11 functionality are included. Summary: Bind libraries compiled with native PKCS#11 Group: System Environment/Daemons Requires: bind-license = %{epoch}:%{version}-%{release} -Requires: bind-libs = %{epoch}:%{version}-%{release} +Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} %description pkcs11-libs This is a set of BIND libraries (dns, isc) compiled with native PKCS#11 
@@ -282,20 +271,21 @@ functionality. %package pkcs11-devel Summary: Development files for Bind libraries compiled with native PKCS#11 Group: System Environment/Daemons -Requires: bind-pkcs11-libs = %{epoch}:%{version}-%{release} +Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-lite-devel%{?_isa} = %{epoch}:%{version}-%{release} %description pkcs11-devel This a set of development files for BIND libraries (dns, isc) compiled with native PKCS#11 functionality. %endif -%if %{SDB} +%if %{with SDB} %package sdb Summary: BIND server with database backends and DLZ support -Group: System Environment/Daemons -Requires: bind -Requires: bind-libs = %{epoch}:%{version}-%{release} -Requires: systemd-units +Requires: systemd +Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} %description sdb BIND (Berkeley Internet Name Domain) is an implementation of the DNS @@ -310,7 +300,6 @@ or in the filesystem (dirdb), in addition to the standard in-memory RBT %package libs-lite Summary: Libraries for working with the DNS protocol -Group: Applications/System Obsoletes:bind-libbind-devel < 31:9.3.3-4.fc7 Provides: bind-libbind-devel = 31:9.3.3-4.fc7 Requires: bind-license = %{epoch}:%{version}-%{release} @@ -321,8 +310,8 @@ programs to work with DNS protocol. %package libs Summary: Libraries used by the BIND DNS packages -Group: Applications/System Requires: bind-license = %{epoch}:%{version}-%{release} +Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} %description libs Contains heavyweight version of BIND suite libraries used by both named DNS @@ -330,7 +319,6 @@ server and utilities in bind-utils package. %package license Summary: License of the BIND DNS suite -Group: Applications/System BuildArch:noarch %description license 
@@ -338,8 +326,8 @@ Contains license of the BIND DNS suite. %package utils Summary: Utilities for querying DNS name servers -Group: Applications/System -Requires: bind-libs = %{epoch}:%{version}-%{release} +Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} %description utils Bind-utils contains a collection of utilities for querying DNS (Domain @@ -351,13 +339,13 @@ network addresses. You should install bind-utils if you need to get information from DNS name servers. -%if %{DEVEL} +%if %{with DEVEL} %package devel Summary: Header files and libraries needed for BIND DNS development -Group: Development/Libraries Obsoletes:bind-libbind-devel < 31:9.3.3-4.fc7 Provides: bind-libbind-devel = 31:9.3.3-4.fc7 -Requires: bind-libs = %{epoch}:%{version}-%{release} +Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-lite-devel%{?_isa} = %{epoch}:%{version}-%{release} %description devel The bind-devel package contains full version of the header files and libraries @@ -366,8 +354,7 @@ required for development with ISC BIND 9 %package lite-devel Summary: Lite version of header files and libraries needed for BIND DNS development -Group: Development/Libraries -Requires: bind-libs-lite = %{epoch}:%{version}-%{release} +Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} %description lite-devel The bind-lite-devel package contains lite version of the header 
@@ -375,24 +362,24 @@ files and libraries required for development with ISC BIND 9 %package chroot Summary: A chroot runtime environment for the ISC BIND DNS server, named(8) -Group: System Environment/Daemons Prefix: %{chroot_prefix} -Requires(post): grep -Requires(preun):grep -Requires: bind = %{epoch}:%{version}-%{release} -Requires: systemd-units +# grep is required due to setup-named-chroot.sh script +Requires: grep +Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} %description chroot This package contains a tree of files which can be used as a chroot(2) jail for the named(8) program from the BIND package. Based on the code from Jan "Yenya" Kasprzak -%if %{SDB} +%if %{with SDB} %package sdb-chroot Summary: A chroot runtime environment for the ISC BIND DNS server, named-sdb(8) +Prefix: %{chroot_sdb_prefix} Group: System Environment/Daemons -Prefix: %{chroot_prefix} -Requires: bind-sdb +# grep is required due to setup-named-chroot.sh script +Requires: grep +Requires: bind-sdb%{?_isa} = %{epoch}:%{version}-%{release} Requires: systemd-units %description sdb-chroot 
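Review bot: The sdb-chroot subpackage still carries `Requires: systemd-units` on the context line right after the new `Requires: bind-sdb%{?_isa} = %{epoch}:%{version}-%{release}`, while every other subpackage in this patch (bind, pkcs11, sdb) was moved to `Requires: systemd` and the chroot package dropped the systemd-units line altogether. `systemd-units` presumably still resolves through a compatibility Provides, so nothing breaks today, but the inconsistency will outlive the next cleanup; change it to `Requires: systemd`, or drop it to mirror bind-chroot, which relies on its bind dependency for systemd. The `Prefix: %{chroot_sdb_prefix}` correction is welcome, since the previous `%{chroot_prefix}` value pointed relocation at the wrong tree.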
@@ -402,119 +389,131 @@ Based on the code from Jan "Yenya" Kasprzak %endif +%if %{with DLZ} +%package dlz-bdb +Summary: BIND server bdb DLZ module +Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} + +%description dlz-bdb +Dynamic Loadable Zones module for BIND server. + +%package dlz-filesystem +Summary: BIND server filesystem DLZ module +Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} + +%description dlz-filesystem +Dynamic Loadable Zones module for BIND server. + +%package dlz-ldap +Summary: BIND server ldap DLZ module +Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} + +%description dlz-ldap +Dynamic Loadable Zones module for BIND server. + +%package dlz-mysql +Summary: BIND server mysql DLZ module +Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} + +%description dlz-mysql +Dynamic Loadable Zones module for BIND server. + +%package dlz-mysqldyn +Summary: BIND server mysqldyn DLZ module +Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} + +%description dlz-mysqldyn +Dynamic Loadable Zones module for BIND server. + +%package dlz-sqlite3 +Summary: BIND server sqlite3 DLZ module +Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} + +%description dlz-sqlite3 +Dynamic Loadable Zones module for BIND server. +%endif + + +%if %{with EXPORT_LIBS} +%package export-libs +Summary: ISC libs for DHCP application +%if 0%{?fedora} >= 1 +Obsoletes: bind99-libs < 9.9.11-4 +Provides: bind99-libs = 9.9.11-4 +# This subpackage will not use shared license, but distribute its own +%endif + +%description export-libs +BIND (Berkeley Internet Name Domain) is an implementation of the DNS +(Domain Name System) protocols. This package set contains only export +version of BIND libraries, that are used for building ISC DHCP. 
+ +%package export-devel +Summary: Header files and libraries needed for BIND export libraries +Requires: %{name}-export-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: openssl-devel +Requires: libcap-devel + +%if 0%{?fedora} >= 1 +Obsoletes: bind99-devel < 9.9.11-4 +# To prevent linking against wrong set of libraries, +# do not coexist with bind99-devel +Conflicts: bind99-devel +%endif + +%description export-devel +This package contains export version of the header files and libraries +required for development with ISC BIND. These headers and libraries +are used for building ISC DHCP. +%endif + %prep -%setup -q -n %{name}-%{VERSION} +%setup -q -n %{name}-%{BINDVERSION} # Common patches -%patch5 -p1 -b .nonexec %patch10 -p1 -b .PIE %patch16 -p1 -b .redhat_doc -%ifnarch alpha ia64 %patch72 -p1 -b .64bit -%endif -%patch73 -p1 -b .libidn -%patch83 -p1 -b .libidn2 -%patch85 -p1 -b .libidn3 -%patch87 -p1 -b .parallel -%patch94 -p1 -b .rh461409 - %patch102 -p1 -b .rh452060 %patch106 -p0 -b .rh490837 %patch109 -p1 -b .rh478718 -%patch110 -p1 -b .rh570851 -%patch111 -p1 -b .exportlib %patch112 -p1 -b .rh645544 -%patch119 -p1 -b .rh693982 -%patch123 -p1 -b .rh735103 %patch124 -p1 -b .rh726120 -%patch127 -p1 -b .forward %patch130 -p1 -b .libdb %patch131 -p1 -b .multlib-conflict -%patch137 -p1 -b .rrl -%patch138 -p1 -b .update -%patch139 -p1 -b .journal -%patch140 -p1 -b .send_buffers -%patch141 -p1 -b .leak_35073 -%patch142 -p1 -b .rbt_crash -%patch143 -p1 -b .CVE-2014-059 -%patch144 -p1 -b .rh1067424 -%patch145 -p1 -b .rh1072379 -%patch146 -p1 -b .rh1098959 -%patch147 -p1 -b .CVE-2014-8500 -%patch148 -p1 -b .CVE-2015-1349 -%patch149 -p1 -b .rh1215687-limits - -%patch150 -p1 -b .external_key -%patch151 -p1 -b .native_pkcs11 -# http://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/9377/ -%patch153 -p1 -b .coverity_9377 -%patch154 -p1 -b .rh1215164 -%patch155 -p1 -b .nsupdate_realm -%patch156 -p1 -b .CVE-2015-4620 -%patch157 -p1 -b .CVE-2015-5477 -%patch158 -p1 -b 
.sock-maxevents -%patch159 -p1 -b .CVE-2015-5722 -%patch160 -p1 -b .CVE-2015-8000 -%patch161 -p1 -b .CVE-2015-8704 -%patch162 -p1 -b .CVE-2016-1285-CVE-2016-1286 -%patch163 -p1 -b .rh1291185 -%patch164 -p1 -b .rh1259514 -%patch165 -p1 -b .rh1306610-caa -%patch104 -p1 -b .dyndb - -# GeoIP support -%patch166 -p1 -b .rh1220594-geoip -# extract the binary testing data -tar -xf %{SOURCE48} -C bin/tests/system/geoip/data - -%patch167 -p1 -b .rh1294506 -%patch168 -p1 -b .CVE-2016-2776 -%patch169 -p1 -b .CVE-2016-8864 -%patch170 -p1 -b .CVE-2016-9131 -%patch171 -p1 -b .CVE-2016-9147 -%patch172 -p1 -b .CVE-2016-9444 -%patch173 -p1 -b .rt43779 -%patch174 -p1 -b .CVE-2016-2775 -%patch175 -p1 -b .CVE-2017-3135 -%patch176 -p1 -b .rt44318 -%patch177 -p1 -b .rh1392362 -%patch178 -p1 -b .coverity2 -%patch179 -p1 -b .CVE-2017-3136 -%patch180 -p1 -b .CVE-2017-3137 -%patch181 -p1 -b .rh1416304 -%patch182 -p1 -b .CVE-2017-3142+3143 -%patch183 -p1 -b .rh1472862 -%patch184 -p1 -b .rh1476013 -%patch185 -p1 -b .rh1470637-tests -%patch186 -p1 -b .rh1470637 -%patch187 -p1 -b .rh1464850 -%patch188 -p1 -b .rh1464850 -%patch189 -p1 -b .rh1501531 -%patch190 -p1 -b .CVE-2017-3145 -%patch191 -p1 -b .dnssec-keymgr -%patch192 -p1 -b .rh1452091 -%patch193 -p1 -b .dnssec-keymgr-2 -%patch194 -p1 -b .fips -%patch195 -p1 -b .fips-tests -%patch196 -p1 -b .rh1549130 -%patch197 -p1 -b .rh1549130-2 -%patch198 -p1 -b .CVE-2018-5740 -%patch199 -p1 -b .rh1647539 +%patch140 -p1 -b .rh1410433 +%patch145 -p1 -b .rh1205168 +%patch153 -p1 -b .export_suffix +%patch154 -p1 -b .oot-man +%patch155 -p1 -b .pk11-internal +%patch156 -p1 -b .fips-code +%patch157 -p1 -b .fips-tests +%patch158 -p1 -b .rh1624100 +%patch159 -p1 -b .host-idn-disable +%patch160 -p1 -b .rebase +%patch161 -p1 -b .rebase +%patch162 -p1 -b .rebase +%patch163 -p1 -b .rebase +%patch164 -p1 -b .noed448 +%patch165 -p1 -b .random_test-disable +%patch166 -p1 -b .dhcp-entropy +%patch167 -p1 -b .CVE-2018-5743 +%patch168 -p1 -b .CVE-2018-5743-atomic 
+%patch169 -p1 -b .CVE-2019-6471 # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys -%if %{PKCS11} +%if %{with PKCS11} cp -r bin/named{,-pkcs11} cp -r bin/dnssec{,-pkcs11} cp -r lib/isc{,-pkcs11} cp -r lib/dns{,-pkcs11} -cp -r lib/export/isc{,-pkcs11} -cp -r lib/export/dns{,-pkcs11} -%patch152 -p1 -b .dist_pkcs11 +%patch136 -p1 -b .dist_pkcs11 +%patch149 -p1 -b .kyua-pkcs11 %endif -%if %{SDB} +%if %{with SDB} %patch101 -p1 -b .old-api mkdir bin/named-sdb cp -r bin/named/* bin/named-sdb @@ -538,16 +537,13 @@ cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools %patch12 -p1 -b .sdb -%endif -%if %{SDB} %patch17 -p1 -b .fix_sdb_ldap +%patch18 -p1 -b .fix_zone2ldap +%patch137 -p1 -b .strlcat_fix %endif -%if %{SDB} -%patch62 -p1 -b .sdb-sqlite-bld -%endif + %patch133 -p1 -b .rh640538 %patch134 -p1 -b .rh669163 -%patch135 -p1 -b .libidn4 # Sparc and s390 arches need to use -fPIE %ifarch sparcv9 sparc64 s390 s390x 
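Review bot: The four RHEL 7 feature-reset patches are all applied with the same backup suffix, `%patch160 -p1 -b .rebase` through `%patch163 -p1 -b .rebase`, so if two of them touch the same file the second `patch -b` overwrites the first's `.rebase` copy and the provenance of a rejected or misapplied hunk is lost. Every other patch in this `%prep` gets a descriptive suffix (`.noed448`, `.CVE-2018-5743`, `.CVE-2019-6471`), and these four change security-relevant defaults according to their Patch comments (cookies not sent by default, no IPv6 listening, `dnssec-lookaside` accepted, libidn2 downgraded to libidn), so they deserve the same traceability. Use one suffix per patch, e.g. `.no-default-cookies`, `.no-default-ipv6`, `.dnssec-lookaside` and `.libidn`, which also keeps the backups greppable when the backported CVE patches later need rebasing on top of them.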
@@ -555,10 +551,34 @@ for i in bin/named{,-sdb}/{,unix}/Makefile.in; do sed -i 's|fpie|fPIE|g' $i done %endif - :; + %build +## We use out of tree configure/build for export libs +%define _configure "../configure" + +# normal and pkcs11 unit tests +%define unit_prepare_build() \ + cp -uv Kyuafile Atffile "%{1}/" \ + find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \ + find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \ + find lib -name 'Atffile' -exec cp -uv '{}' "%{1}/{}" ';' \ + find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ + find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ + +%define systemtest_prepare_build() \ + cp -Tuav bin/tests "%{1}/bin/tests/" \ + cp -uv version "%{1}" \ + +%if %{with KYUA} +# Use system installed libatf-c library with kyua tool +ATF_PATH=/usr +%else +# Use bundled atf library with atf-run +ATF_PATH=yes +%endif + export CFLAGS="$CFLAGS $RPM_OPT_FLAGS" export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE" export STD_CDEFINES="$CPPFLAGS" @@ -569,7 +589,12 @@ version libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f +mkdir build +pushd build +LIBDIR_SUFFIX= +export LIBDIR_SUFFIX %configure \ + --with-python=%{__python} \ --with-libtool \ --localstatedir=/var \ --enable-threads \ @@ -579,16 +604,16 @@ libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f --enable-rrl \ --with-pic \ --disable-static \ - --disable-openssl-version-check \ - --enable-exportlib \ - --with-export-libdir=%{_libdir} \ - --with-export-includedir=%{_includedir} \ --includedir=%{_includedir}/bind9 \ -%if %{PKCS11} + --with-tuning=large \ + --with-geoip \ + --with-libidn \ + --enable-openssl-hash \ +%if %{with PKCS11} --enable-native-pkcs11 \ --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \ %endif -%if %{SDB} +%if %{with SDB} --with-dlopen=yes \ --with-dlz-ldap=yes \ --with-dlz-postgres=yes \ 
@@ -596,16 +621,32 @@ libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f --with-dlz-filesystem=yes \ --with-dlz-bdb=yes \ %endif -%if %{GSSTSIG} +%if %{with GSSTSIG} --with-gssapi=yes \ --disable-isc-spnego \ +%endif +%if %{with LMDB} + --with-lmdb=yes \ +%else + --with-lmdb=no \ +%endif +%if %{with UNITTEST} + --with-atf=${ATF_PATH} \ %endif --enable-fixed-rrset \ --with-tuning=large \ --with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \ + --enable-full-report \ ; make %{?_smp_mflags} +### FIXME hack!!! +### xsltproc doesn't find properly configured files +### and use ones from source tree +### copy generated files to the original location +cp -rv doc/* ../doc/ + + # Regenerate dig.1 manpage pushd bin/dig make man 
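Review bot: `--with-tuning=large` is now passed twice to the main `%configure` invocation: once on the new line added near `--with-geoip` and again on the unchanged ` --with-tuning=large \` kept here after `--enable-fixed-rrset`. Autoconf keeps the last occurrence so the build is unaffected, but duplicated options hide intent when someone later edits only one of them; drop the context copy so the option appears once. The `### FIXME hack!!!` block that runs `cp -rv doc/* ../doc/` also writes generated files back into the pristine source tree, which the export-libs out-of-tree configure below may then pick up as stale input; if it has to stay, a comment stating that `../doc` is no longer pristine after this point would save the next maintainer a debugging session.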
@@ -614,8 +655,139 @@ pushd bin/python make man popd -%if %{test} +%if ! %{with KYUA} +# Do not build atf again for export libs +ATF_PATH="`pwd`/unit/atf" + +# Atf libs are built. Prevent their installation +sed -i -e \ +'/^SUBDIRS =/s/atf-src//i' \ +unit/Makefile +%endif + +%if %{with DLZ} + pushd contrib/dlz + pushd bin/dlzbdb + make + popd + pushd modules + for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do + make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS" + done + popd + popd +%endif +popd # build + +%unit_prepare_build build +%systemtest_prepare_build build + +%if %{with EXPORT_LIBS} +cp isc-config.sh.1 isc-export-config.sh.1 + +## Create export libs ## +mkdir -p export-libs +pushd export-libs +LIBDIR_SUFFIX=%{_export_dir} +export LIBDIR_SUFFIX +## minimal subset of options to make clients aka dhcp working +%{configure} \ + --with-libtool \ + --disable-static \ + --disable-epoll \ + --disable-kqueue \ + --libdir=%{_libdir}%{_export_dir} \ + --includedir=%{_includedir}%{_export_dir}/ \ + --disable-threads \ + --enable-openssl-hash \ +%if %{with GSSTSIG} + --with-gssapi=yes \ + --disable-isc-spnego \ +%endif +%if %{with UNITTEST} + --with-atf=${ATF_PATH} \ +%endif + --enable-fixed-rrset \ + --disable-rpz-nsip \ + --disable-rpz-nsdname \ + --without-lmdb \ + --without-libxml2 \ + --without-libjson \ + --without-zlib \ + --without-dlopen \ + --enable-full-report + +## We don't want to build other libs than -export twice +## FIXME this should be in patch instead of SED'ing +## but do we really like/want to patch generated files? + +mv isc-config.sh isc-export-config.sh + +sed -i \ +-e '/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \ +-e 's/isc-config.sh/isc-export-config.sh/g' \ +-e 's/bind9-config/bind9-export-config/g' \ +Makefile + +sed -i -e \ +"/^SUBDIRS =/s/.*/SUBDIRS = %{bind_export_libs}/i" \ +lib/Makefile + +sed -i -e \ +'/^SUBDIRS =/s/atf-src//i' \ +unit/Makefile + +for lib in %{bind_export_libs} +do + find . 
-name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \; + sed -e "s/-l${lib}\([^[:alpha:]]\)/-l${lib}-export\1/g" \ + -e "s/lib${lib}\./lib${lib}-export\./g" \ + -i isc-export-config.sh +done; + +make %{?_smp_mflags} +popd + +# export library unit tests +%unit_prepare_build export-libs +# Do not try pkcs11 and lwres in export libs +sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d' \ + -i export-libs/lib/Kyuafile +sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \ + -i export-libs/lib/Atffile + +## End of export libs +%endif + %check +%if %{with PKCS11} + # Tests require initialization of pkcs11 token + export SOFTHSM2_CONF="`pwd`/softhsm2.conf" + sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens" +%endif + +%if %{with UNITTEST} + pushd build + make unit + e=$? + if [ "$e" -ne 0 ]; then + echo "ERROR: this build of BIND failed 'make unit'. Aborting." + exit $e; + fi; + popd + + pushd export-libs + make unit + e=$? + if [ "$e" -ne 0 ]; then + echo "ERROR: this build of BIND export-libs failed 'make unit'. Aborting." + exit $e; + fi; + popd + +%endif + +%if %{with SYSTEMTEST} if [ "`whoami`" = 'root' ]; then set -e chmod -R a+rwX . @@ -636,10 +808,9 @@ if [ "`whoami`" = 'root' ]; then else echo 'only root can run the tests (they require an ifconfig).' %endif +: %install -rm -rf ${RPM_BUILD_ROOT} - # Build directory hierarchy mkdir -p ${RPM_BUILD_ROOT}/etc/logrotate.d mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/bind 
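Review bot: The second unit-test run in `%check` does `pushd export-libs` / `make unit` under `%if %{with UNITTEST}` alone, but the `export-libs` directory is only created inside `%if %{with EXPORT_LIBS}` earlier in this hunk, so a build with unit tests enabled and export libs disabled will fail the pushd, run `make unit` in the top-level directory instead, and abort on the exit-code check with a misleading message. Wrap that second block in `%if %{with EXPORT_LIBS}` … `%endif`, matching the conditional that creates the directory. Separately, the DLZ modules are built with `make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"`, folding link flags into CFLAGS; since these modules are dlopen'd into named, it is worth confirming that the hardening link flags (`%{__global_ldflags}`) actually reach them — `$LDFLAGS` is only populated here if `%configure` exported it earlier in the same shell — and passing `LDFLAGS` explicitly to make if it is not.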
@@ -660,14 +831,11 @@ popd mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/{pki/dnssec-keys,named} mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/%{_libdir}/bind # these are required to prevent them being erased during upgrade of previous -touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/dev/null -touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/dev/random -touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/dev/zero touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf #end chroot #sdb-chroot -%if %{SDB} +%if %{with SDB} mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/{dev,etc,var,run/named} mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var/{log,named,tmp} @@ -679,14 +847,24 @@ popd mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/{pki/dnssec-keys,named} mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/%{_libdir}/bind # these are required to prevent them being erased during upgrade of previous -touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/null -touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/random -touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/zero touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/named.conf %endif #end sdb-chroot +pushd build + +make DESTDIR=${RPM_BUILD_ROOT} install +popd +%if %{with EXPORT_LIBS} +pushd export-libs make DESTDIR=${RPM_BUILD_ROOT} install +mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/ld.so.conf.d +echo "%{_libdir}/%{_export_dir}" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf +cp -fp config.h ${RPM_BUILD_ROOT}/%{_includedir}%{_export_dir} +rm -rf ${RPM_BUILD_ROOT}/%{_includedir}%{_export_dir}/pkcs11/ +rm -f ${RPM_BUILD_ROOT}/%{_includedir}%{_export_dir}/pk11/{constants,internal,pk11,result}.h +popd +%endif # Remove unwanted files rm -f ${RPM_BUILD_ROOT}/etc/bind.keys 
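Review bot: The ld.so.conf.d entry is written as `echo "%{_libdir}/%{_export_dir}"` while the export build was configured with `--libdir=%{_libdir}%{_export_dir}` (no separator) in an earlier hunk; the `--includedir=%{_includedir}%{_export_dir}/` and `rm -rf ${RPM_BUILD_ROOT}/%{_includedir}%{_export_dir}/pkcs11/` usage suggests `%{_export_dir}` already carries its leading slash, so the entry likely contains a doubled `//`. ldconfig tolerates that, but a system-wide library search path added for every process on the host should match the installed directory byte for byte, so use `echo "%{_libdir}%{_export_dir}"` or compute the path once into a shell variable shared by both places. A one-line comment on the `rm -f` of the `pk11/{constants,internal,pk11,result}.h` headers explaining why the export API must not expose the PKCS#11 internals would also help whoever next touches this list.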
@@ -698,12 +876,13 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir} -%if %{SDB} +%if %{with SDB} install -m 644 %{SOURCE39} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE40} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE45} ${RPM_BUILD_ROOT}%{_unitdir} %endif -%if %{PKCS11} + +%if %{with PKCS11} install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir} %endif 
@@ -711,28 +890,47 @@ mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir} install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh +%if %{with PKCS11} +install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh +%endif + install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named -%if %{SDB} +install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files +%if %{with SDB} mkdir -p ${RPM_BUILD_ROOT}/etc/openldap/schema install -m 644 %{SOURCE8} ${RPM_BUILD_ROOT}/etc/openldap/schema/dnszone.schema install -m 644 %{SOURCE12} contrib/sdb/pgsql/ %endif +%if %{with DLZ} + pushd contrib/dlz + pushd bin/dlzbdb + make DESTDIR=${RPM_BUILD_ROOT} install + popd + pushd modules + for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do + make -C $DIR DESTDIR=${RPM_BUILD_ROOT} libdir=%{_libdir}/bind install + done + mv mysqldyn/testing/README mysqldyn/testing/README.testing + popd + popd +%endif + # Install isc/errno2result.h header -install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/isc +install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc +pushd build # Files required to run test-suite outside of build tree: cp -fp config.h ${RPM_BUILD_ROOT}/%{_includedir}/bind9 -cp -fp lib/dns/include/dns/forward.h ${RPM_BUILD_ROOT}/%{_includedir}/dns -cp -fp lib/isc/unix/include/isc/keyboard.h ${RPM_BUILD_ROOT}/%{_includedir}/isc +popd # Remove libtool .la files: find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; # Remove -devel files out of buildroot if not needed -%if !%{DEVEL} +%if !%{with DEVEL} rm -f ${RPM_BUILD_ROOT}/%{_libdir}/bind9/*so rm -rf ${RPM_BUILD_ROOT}/%{_includedir}/bind9 rm -f ${RPM_BUILD_ROOT}/%{_mandir}/man1/isc-config.sh.1* 
@@ -741,7 +939,7 @@ rm -f ${RPM_BUILD_ROOT}/%{_bindir}/isc-config.sh %endif # SDB manpages -%if %{SDB} +%if %{with SDB} install -m 644 %{SOURCE31} ${RPM_BUILD_ROOT}%{_mandir}/man1/ldap2zone.1 install -m 644 %{SOURCE32} ${RPM_BUILD_ROOT}%{_mandir}/man8/named-sdb.8 install -m 644 %{SOURCE33} ${RPM_BUILD_ROOT}%{_mandir}/man1/zonetodb.1 @@ -749,7 +947,7 @@ install -m 644 %{SOURCE34} ${RPM_BUILD_ROOT}%{_mandir}/man1/zone2sqlite.1 %endif # PKCS11 versions manpages -%if %{PKCS11} +%if %{with PKCS11} pushd ${RPM_BUILD_ROOT}%{_mandir}/man8 ln -s named.8.gz named-pkcs11.8.gz ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz @@ -770,6 +968,7 @@ touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log # configuration files: tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28} +install -m 640 %{SOURCE26} ${RPM_BUILD_ROOT}/etc/named.conf touch ${RPM_BUILD_ROOT}/etc/rndc.key touch ${RPM_BUILD_ROOT}/etc/rndc.conf mkdir ${RPM_BUILD_ROOT}/etc/named @@ -799,7 +998,7 @@ install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named %pre if [ "$1" -eq 1 ]; then /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :; - /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :; + /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :; fi; :; 
@@ -812,11 +1011,16 @@ if [ "$1" -eq 1 ]; then [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key else - # Upgrade, use invalid shell - if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then - usermod -s /bin/false named + # Upgrade, use nologin shell again + if getent passwd named | grep ':/bin/false$' >/dev/null; then + /sbin/usermod -s /sbin/nologin named fi fi +. /etc/selinux/config +if %{_sbindir}/selinuxenabled && [ "${SELINUX}" != "disabled" ] ; then + %selinux_set_booleans -s targeted %{selinuxbooleans} + %selinux_set_booleans -s mls %{selinuxbooleans} +fi %systemd_post named.service :; @@ -828,16 +1032,14 @@ fi /sbin/ldconfig %systemd_postun_with_restart named.service # Unset on both upgrade and install. Boolean would be unset from now -# until %posttrans on upgrade. Write requests might fail during update. -(export LC_ALL=C; %{selinux_unset_booleans %{selinuxbooleans}}) - -%posttrans -# selinux-policy-targeted is required for following macro to work. -# This package should not depend on it explicitly, but anaconda ensures -# it is installed. Run after all packages are installed. -(export LC_ALL=C; %{selinux_set_booleans %{selinuxbooleans}}) +# until %%posttrans on upgrade. Write requests might fail during update. +. /etc/selinux/config +if %{_sbindir}/selinuxenabled && [ "${SELINUX}" != "disabled" ] ; then + %selinux_unset_booleans -s targeted %{selinuxbooleans} + %selinux_unset_booleans -s mls %{selinuxbooleans} +fi -%if %{SDB} +%if %{with SDB} %post sdb # Initial installation %systemd_post named-sdb.service @@ -851,7 +1053,7 @@ fi %systemd_postun_with_restart named-sdb.service %endif -%if %{PKCS11} +%if %{with PKCS11} %post pkcs11 # Initial installation %systemd_post named-pkcs11.service 
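Review bot: `. /etc/selinux/config` in `%post` executes that file as shell inside a root scriptlet instead of reading the `SELINUX=` key, and if the file is missing the dot command fails, `${SELINUX}` stays empty, and the `!= "disabled"` test passes anyway. The file is root-owned, so this is robustness rather than a privilege issue, but the scriptlet runs on every install and upgrade; read the value instead, e.g. `SELINUX=$(sed -n 's/^SELINUX=//p' /etc/selinux/config 2>/dev/null)`. Since `selinuxenabled` presumably already fails when the policy is disabled at runtime, the extra `${SELINUX}` check only covers a config that says disabled on a system not yet rebooted into that state — a comment saying so would keep the next maintainer from "simplifying" the condition away.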
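Review bot: Removing `%posttrans` while keeping an unconditional `%selinux_unset_booleans` in `%postun` likely reverts the booleans on upgrade: rpm runs the new package's `%post` (which now sets them) before the old package's `%postun`, and the `%postun` of the currently installed build still unsets them with nothing left to set them again. The retained comment `# Unset on both upgrade and install. Boolean would be unset from now until %%posttrans on upgrade.` now refers to a `%posttrans` that no longer exists. The documented pairing is `%selinux_set_booleans` in `%post` with `%selinux_unset_booleans` in `%postun` guarded by `if [ $1 -eq 0 ]; then ... fi`; that guard protects future upgrades, but the transition from the previous build still needs a `%posttrans` re-set unless the macro is verified to restore saved state rather than clear it. Either way the comment should be rewritten to match what the scriptlets actually do now.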
@@ -876,13 +1078,17 @@ fi /sbin/chkconfig --del named >/dev/null 2>&1 || : /bin/systemctl try-restart named.service >/dev/null 2>&1 || : -%post libs -p /sbin/ldconfig - -%postun libs -p /sbin/ldconfig +%ldconfig_scriptlets libs +%ldconfig_scriptlets libs-lite -%post libs-lite -p /sbin/ldconfig +%if %{with PKCS11} +%ldconfig_scriptlets pkcs11-libs +%endif -%postun libs-lite -p /sbin/ldconfig +%if %{with EXPORT_LIBS} +%post export-libs -p /sbin/ldconfig +%postun export-libs -p /sbin/ldconfig +%endif %pre chroot # updating @@ -896,28 +1102,18 @@ fi %post chroot %systemd_post named-chroot.service -if [ "$1" -gt 0 ]; then - [ -e %{chroot_prefix}/dev/random ] || \ - /bin/mknod %{chroot_prefix}/dev/random c 1 8 - [ -e %{chroot_prefix}/dev/zero ] || \ - /bin/mknod %{chroot_prefix}/dev/zero c 1 5 - [ -e %{chroot_prefix}/dev/null ] || \ - /bin/mknod %{chroot_prefix}/dev/null c 1 3 -fi; +%chroot_fix_devices %{chroot_prefix} :; %posttrans chroot if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1; fi; -:; %preun chroot -%systemd_preun named-chroot.service -if [ "$1" -eq 0 ]; then - # Package removal, not upgrade - rm -f %{chroot_prefix}/dev/{random,zero,null} -fi +# wait for stop of both named-chroot and named-chroot-setup services +# on uninstall +%systemd_preun named-chroot.service named-chroot-setup.service :; %postun chroot @@ -925,18 +1121,11 @@ fi %systemd_postun_with_restart named-chroot.service -%if %{SDB} +%if %{with SDB} %post sdb-chroot %systemd_post named-sdb-chroot.service -if [ "$1" -gt 0 ]; then - [ -e %{chroot_sdb_prefix}/dev/random ] || \ - /bin/mknod %{chroot_sdb_prefix}/dev/random c 1 8 - [ -e %{chroot_sdb_prefix}/dev/zero ] || \ - /bin/mknod %{chroot_sdb_prefix}/dev/zero c 1 5 - [ -e %{chroot_sdb_prefix}/dev/null ] || \ - /bin/mknod %{chroot_sdb_prefix}/dev/null c 1 3 -fi; +%chroot_fix_devices %{chroot_sdb_prefix} :; %posttrans sdb-chroot 
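Review bot: `%preun chroot` no longer removes `%{chroot_prefix}/dev/{random,zero,null}` on package removal (`$1 -eq 0`), and the matching `touch` placeholders were dropped from `%install` in an earlier hunk, so the device nodes created by `%chroot_fix_devices` are now unowned by any package and survive an uninstall of bind-chroot. Unless `%chroot_fix_devices` or named-chroot-setup.service cleans them up (both are defined outside this diff), keep the removal after the `%systemd_preun` line: `if [ "$1" -eq 0 ]; then rm -f %{chroot_prefix}/dev/{random,zero,null}; fi`. Stale character devices under the jail are harmless to the host but leave a half-removed chroot behind; the same applies to the sdb-chroot `%preun` in the following hunk.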
@@ -947,10 +1136,6 @@ fi; %preun sdb-chroot %systemd_preun named-sdb-chroot.service -if [ "$1" -eq 0 ]; then - # Package removal, not upgrade - rm -f %{chroot_sdb_prefix}/dev/{random,zero,null} -fi :; %postun sdb-chroot @@ -964,7 +1149,6 @@ rm -rf ${RPM_BUILD_ROOT} :; %files -%defattr(-,root,root,-) %{_libdir}/bind %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.iscdlv.key 
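Review bot: `%config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.iscdlv.key` is carried over unchanged by this hunk, but ISC shut down the DLV lookaside registry in 2017 and `dnssec-lookaside auto` is deprecated from BIND 9.11 on, so the package keeps installing a trust anchor that no longer validates anything. Consider dropping the file from %files in this 9.11 update, or at least add a changelog line telling users to remove `dnssec-lookaside auto;` from named.conf. The %files section continues past this hunk.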
@@ -973,43 +1157,60 @@ rm -rf ${RPM_BUILD_ROOT} %{_sysconfdir}/rwtab.d/named %{_unitdir}/named.service %{_unitdir}/named-setup-rndc.service -%{_sbindir}/arpaname +%{_sbindir}/named-journalprint +%{_sbindir}/named-checkconf +%{_bindir}/arpaname +%{_bindir}/named-rrchecker +%{_sbindir}/lwresd +%{_sbindir}/named +%{_sbindir}/rndc* %{_sbindir}/ddns-confgen +%{_sbindir}/tsig-keygen %{_sbindir}/genrandom -%{_sbindir}/named-journalprint %{_sbindir}/nsec3hash %{_sbindir}/dnssec* +%if %{with PKCS11} %exclude %{_sbindir}/dnssec*pkcs11 -%{_sbindir}/named-check* -%{_sbindir}/lwresd -%{_sbindir}/named -%{_sbindir}/rndc* -%{_sbindir}/named-compilezone +%endif %{_sbindir}/isc-hmac-fixup +%{_sbindir}/named-checkzone +%{_sbindir}/named-compilezone +%if %{with LMDB} +%{_sbindir}/named-nzd2nzf +%endif %{_libexecdir}/generate-rndc-key.sh -%{python_sitelib}/isc/ -%{python_sitelib}/*.egg-info %{_mandir}/man1/arpaname.1* +%{_mandir}/man1/named-rrchecker.1* %{_mandir}/man5/named.conf.5* %{_mandir}/man5/rndc.conf.5* %{_mandir}/man8/rndc.8* %{_mandir}/man8/named.8* %{_mandir}/man8/lwresd.8* -%{_mandir}/man8/dnssec*.8* %exclude %{_mandir}/man8/dnssec*-pkcs11.8* %{_mandir}/man8/named-checkconf.8* -%{_mandir}/man8/named-checkzone.8* -%{_mandir}/man8/named-compilezone.8* %{_mandir}/man8/rndc-confgen.8* +%{_mandir}/man8/named-journalprint.8* %{_mandir}/man8/ddns-confgen.8* +%{_mandir}/man8/tsig-keygen.8* %{_mandir}/man8/genrandom.8* -%{_mandir}/man8/named-journalprint.8* %{_mandir}/man8/nsec3hash.8* +%{_mandir}/man8/dnssec*.8* +%if %{with PKCS11} +%exclude %{_mandir}/man8/dnssec*-pkcs11.8* +%endif %{_mandir}/man8/isc-hmac-fixup.8* +%{_mandir}/man8/named-checkzone.8* +%{_mandir}/man8/named-compilezone.8* +%if %{with LMDB} +%{_mandir}/man8/named-nzd2nzf.8* +%endif %doc CHANGES README named.conf.default %doc doc/arm/*html doc/arm/*pdf %doc sample/ +%{python_sitelib}/*.egg-info +%{python_sitelib}/isc/ + # Hide configuration %defattr(0640,root,named,0750) %dir %{_sysconfdir}/named 
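Review bot: `%exclude %{_mandir}/man8/dnssec*-pkcs11.8*` now appears twice in %files: the pre-existing unconditional line right after `lwresd.8*` and a new copy inside `%if %{with PKCS11}`. The sbin counterpart `%exclude %{_sbindir}/dnssec*pkcs11` was made conditional in this same hunk, so drop the unconditional man-page exclude and keep only the guarded one; with PKCS11 disabled there are no such files for the unconditional pattern to match. The %files section continues past this hunk.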
@@ -1029,9 +1230,6 @@ rm -rf ${RPM_BUILD_ROOT} %config %verify(not link) %{_localstatedir}/named/named.empty %ghost %config(noreplace) %{_sysconfdir}/rndc.key # ^- rndc.key now created on first install only if it does not exist -# %%verify(not size,not md5) %%config(noreplace) %%attr(0640,root,named) /etc/rndc.conf -# ^- Let the named internal default rndc.conf be used - -# rndc.conf not required unless it differs from default. %ghost %config(noreplace) %{_sysconfdir}/rndc.conf # ^- The default rndc.conf which uses rndc.key is in named's default internal config - # so rndc.conf is not necessary. @@ -1039,9 +1237,8 @@ rm -rf ${RPM_BUILD_ROOT} %defattr(-,named,named,-) %dir /run/named -%if %{SDB} +%if %{with SDB} %files sdb -%defattr(-,root,root,-) %{_unitdir}/named-sdb.service %{_mandir}/man1/zone2ldap.1* %{_mandir}/man1/ldap2zone.1* 
@@ -1059,66 +1256,77 @@ rm -rf ${RPM_BUILD_ROOT} %endif %files libs -%defattr(-,root,root,-) -%{_libdir}/*so.* -%exclude %{_libdir}/*export.so.* +%{_libdir}/libbind9.so.160* +%{_libdir}/libisccc.so.160* +%{_libdir}/liblwres.so.160* %exclude %{_libdir}/*pkcs11.so.* -%exclude %{_libdir}/*pkcs11-export.so.* %files libs-lite -%defattr(-,root,root,-) -%{_libdir}/*export.so.* -%exclude %{_libdir}/*pkcs11-export.so.* - +%{_libdir}/libdns.so.%{sover_dns}* +%{_libdir}/libirs.so.%{sover_irs}* +%{_libdir}/libisc.so.%{sover_isc}* +%{_libdir}/libisccfg.so.%{sover_isccfg}* %files license -%defattr(-,root,root,-) -%doc COPYRIGHT +%{!?_licensedir:%global license %%doc} +%license COPYRIGHT %files utils -%defattr(-,root,root,-) %{_bindir}/dig +%{_bindir}/delv %{_bindir}/host %{_bindir}/nslookup %{_bindir}/nsupdate +%{_bindir}/mdig %{_mandir}/man1/host.1* %{_mandir}/man1/nsupdate.1* %{_mandir}/man1/dig.1* +%{_mandir}/man1/delv.1* +%{_mandir}/man1/mdig.1* %{_mandir}/man1/nslookup.1* %{_sysconfdir}/trusted-key.key -%if %{DEVEL} +%if %{with DEVEL} %files devel -%defattr(-,root,root,-) -%{_libdir}/*so -%exclude %{_libdir}/*export.so +%{_libdir}/libbind9.so +%{_libdir}/libisccc.so +%{_libdir}/liblwres.so +%{_includedir}/bind9/config.h +%{_includedir}/bind9/bind9 %exclude %{_libdir}/*pkcs11.so -%exclude %{_libdir}/*pkcs11-export.so -%{_includedir}/bind9 +%{_includedir}/bind9/isccc +%{_includedir}/bind9/lwres %exclude %{_includedir}/bind9/pkcs11 %exclude %{_includedir}/bind9/pk11 %{_mandir}/man1/isc-config.sh.1* +%{_mandir}/man1/bind9-config.1* %{_mandir}/man3/lwres* %{_bindir}/isc-config.sh +%{_bindir}/bind9-config %endif %files lite-devel -%defattr(-,root,root,-) -%{_libdir}/*export.so -%exclude %{_libdir}/*pkcs11-export.so -%{_includedir}/dns -%{_includedir}/dst -%{_includedir}/irs -%{_includedir}/isc -%{_includedir}/isccfg +%{_libdir}/libdns.so +%{_libdir}/libirs.so +%{_libdir}/libisc.so +%{_libdir}/libisccfg.so +%dir %{_includedir}/bind9 +%{_includedir}/bind9/dns 
+%{_includedir}/bind9/dst +%{_includedir}/bind9/irs +%{_includedir}/bind9/isc +%dir %{_includedir}/bind9/pk11 +%{_includedir}/bind9/pk11/site.h +%{_includedir}/bind9/isccfg %files chroot -%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/named-chroot.files %{_unitdir}/named-chroot.service %{_unitdir}/named-chroot-setup.service %{_libexecdir}/setup-named-chroot.sh -%ghost %{chroot_prefix}/dev/null -%ghost %{chroot_prefix}/dev/random -%ghost %{chroot_prefix}/dev/zero +%defattr(0664,root,named,-) +%ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null +%ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random +%ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero %defattr(0640,root,named,0750) %dir %{chroot_prefix} %dir %{chroot_prefix}/dev @@ -1142,15 +1350,16 @@ rm -rf ${RPM_BUILD_ROOT} %dir %{chroot_prefix}/run/named %{chroot_prefix}/var/run -%if %{SDB} +%if %{with SDB} %files sdb-chroot -%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/named-chroot.files %{_unitdir}/named-sdb-chroot.service %{_unitdir}/named-sdb-chroot-setup.service %{_libexecdir}/setup-named-chroot.sh -%ghost %{chroot_sdb_prefix}/dev/null -%ghost %{chroot_sdb_prefix}/dev/random -%ghost %{chroot_sdb_prefix}/dev/zero +%defattr(0664,root,named,-) +%ghost %dev(c,1,3) %verify(not mtime) %{chroot_sdb_prefix}/dev/null +%ghost %dev(c,1,8) %verify(not mtime) %{chroot_sdb_prefix}/dev/random +%ghost %dev(c,1,5) %verify(not mtime) %{chroot_sdb_prefix}/dev/zero %defattr(0640,root,named,0750) %dir %{chroot_sdb_prefix} %dir %{chroot_sdb_prefix}/dev @@ -1175,15 +1384,14 @@ rm -rf ${RPM_BUILD_ROOT} %{chroot_sdb_prefix}/var/run %endif -%if %{PKCS11} +%if %{with PKCS11} %files pkcs11 -%defattr(-,root,root,-) %{_sbindir}/named-pkcs11 %{_unitdir}/named-pkcs11.service %{_mandir}/man8/named-pkcs11.8* +%{_libexecdir}/setup-named-softhsm.sh %files pkcs11-utils -%defattr(-,root,root,-) %{_sbindir}/dnssec*pkcs11 %{_sbindir}/pkcs11-destroy %{_sbindir}/pkcs11-keygen 
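Review bot: The new %files libs list hard-codes the SONAME version as `libbind9.so.160*`, `libisccc.so.160*` and `liblwres.so.160*`, while libs-lite and the other library lists in this hunk use `%{sover_dns}`-style macros; the next rebase has to hunt for the literal `160`, and the trailing glob also matches any future `.so.160N`. Define `sover_bind9`, `sover_isccc` and `sover_lwres` next to the existing sover macros and write `%{_libdir}/libbind9.so.%{sover_bind9}*` etc. With the entries now explicit, the kept `%exclude %{_libdir}/*pkcs11.so.*` in %files libs no longer excludes anything and can go.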
@@ -1193,20 +1401,110 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man8/dnssec*-pkcs11.8* %files pkcs11-libs -%defattr(-,root,root,-) -%{_libdir}/*pkcs11.so.* -%{_libdir}/*pkcs11-export.so.* +%{_libdir}/libdns-pkcs11.so.%{sover_dns}* +%{_libdir}/libisc-pkcs11.so.%{sover_isc}* %files pkcs11-devel -%defattr(-,root,root,-) -%{_includedir}/bind9/pk11 +%{_includedir}/bind9/pk11/*.h +%exclude %{_includedir}/bind9/pk11/site.h %{_includedir}/bind9/pkcs11 -%{_libdir}/*pkcs11.so -%{_libdir}/*pkcs11-export.so +%{_libdir}/libdns-pkcs11.so +%{_libdir}/libisc-pkcs11.so +%endif +%if %{with EXPORT_LIBS} +%files export-libs +%dir %{_libdir}/%{_export_dir} +%{_libdir}/%{_export_dir}/libdns-export.so.%{sover_dns}* +%{_libdir}/%{_export_dir}/libirs-export.so.%{sover_irs}* +%{_libdir}/%{_export_dir}/libisc-export.so.%{sover_isc}* +%{_libdir}/%{_export_dir}/libisccfg-export.so.%{sover_isccfg}* +%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf +# This subpackage has to distribute its own license. 
Do not conflict with +# other subpackages of different version +%license COPYRIGHT + +%files export-devel +%{_libdir}/%{_export_dir}/libdns-export.so +%{_libdir}/%{_export_dir}/libirs-export.so +%{_libdir}/%{_export_dir}/libisc-export.so +%{_libdir}/%{_export_dir}/libisccfg-export.so +%dir %{_includedir}/%{_export_dir} +%{_includedir}/%{_export_dir}/dns +%{_includedir}/%{_export_dir}/dst +%{_includedir}/%{_export_dir}/irs +%{_includedir}/%{_export_dir}/isc +%dir %{_includedir}/%{_export_dir}/pk11 +%{_includedir}/%{_export_dir}/pk11/site.h +%{_includedir}/%{_export_dir}/isccfg +%{_includedir}/%{_export_dir}/config.h +%{_mandir}/man1/isc-export-config.sh.1* +%{_mandir}/man1/bind9-export-config.1* +%attr(0755,root,root) %{_bindir}/isc-export-config.sh +%{_bindir}/bind9-export-config %endif +%if %{with DLZ} +%files dlz-bdb +%{_sbindir}/dlzbdb +%{_libdir}/bind/dlz_bdbhpt_dynamic.so +%doc contrib/dlz/modules/bdbhpt/testing/* + +%files dlz-filesystem +%{_libdir}/bind/dlz_filesystem_dynamic.so + +%files dlz-mysql +%{_libdir}/bind/dlz_mysql_dynamic.so +%doc contrib/dlz/modules/mysql/testing/* + +%files dlz-mysqldyn +%{_libdir}/bind/dlz_mysqldyn_mod.so +%doc contrib/dlz/modules/mysqldyn/testing/* +%doc contrib/dlz/modules/mysqldyn/README + +%files dlz-ldap +%{_libdir}/bind/dlz_ldap_dynamic.so +%doc contrib/dlz/modules/ldap/testing/* + +%files dlz-sqlite3 +%{_libdir}/bind/dlz_sqlite3_dynamic.so +%doc contrib/dlz/modules/sqlite3/testing/* + +%endif + + %changelog +* Wed Jun 19 2019 Petr Menšík - 32:9.11.4-9.P2 +- Fix CVE-2019-6471 + +* Wed Jun 12 2019 Petr Menšík - 32:9.11.4-8.P2 +- Fix scriptlet errors when selinux-policy is not installed (#1647659) + +* Wed Apr 24 2019 Petr Menšík - 32:9.11.4-7.P2 +- Fix inefective limit of TCP clients (CVE-2018-5743) + +* Wed Mar 27 2019 Petr Menšík - 32:9.11.4-6.P2 +- Use /sbin/nologin again (#1676661) + +* Mon Mar 18 2019 Petr Menšík - 32:9.11.4-5.P2 +- Make sure selinux-policy is installed soon enough (#1647659) + +* Mon Mar 18 2019 Petr 
Menšík - 32:9.11.4-4.P2 +- Disable custom random generator for export libs (#1685940) + +* Tue Mar 12 2019 Petr Menšík - 32:9.11.4-3.P2 +- Fix memory handling in zone2ldap tool + +* Thu Feb 28 2019 Petr Menšík - 32:9.11.4-2.P2 +- Move dnssec utilities back to bind package +- Remove separate python-bind package + +* Tue Jan 29 2019 Petr Menšík - 32:9.11.4-1.P2 +- Rebase features patches +- Disable autodetected eddsa algorithm ED448 +- Add versioned depends to all library subpackages +- Fix multilib conflict of devel packages + * Fri Nov 23 2018 Petr Menšík - 32:9.9.4-73 - Fixes debug level comments (#1647539)