From 10d0191c590565b8681014d1918a92a1b77e76ca Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 28 2020 09:34:43 +0000 Subject: import bind-9.11.13-3.el8 --- diff --git a/.bind.metadata b/.bind.metadata index afb5fba..c07b294 100644 --- a/.bind.metadata +++ b/.bind.metadata @@ -1,3 +1,2 @@ -f01eada382fb2bd4d1fcab3f6f83bd3ebc35a9ab SOURCES/bind-9.11.4-P2.tar.gz -1dc72fe31e4c84853ea2d016e36f0419d1885fa0 SOURCES/config-18.tar.bz2 +550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data diff --git a/.gitignore b/.gitignore index 575c6ab..8008e19 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,2 @@ -SOURCES/bind-9.11.4-P2.tar.gz -SOURCES/config-18.tar.bz2 +SOURCES/bind-9.11.13.tar.gz SOURCES/random.data diff --git a/SOURCES/bind-9.10-dist-native-pkcs11.patch b/SOURCES/bind-9.10-dist-native-pkcs11.patch index 6f66dc1..e553d5f 100644 --- a/SOURCES/bind-9.10-dist-native-pkcs11.patch +++ b/SOURCES/bind-9.10-dist-native-pkcs11.patch @@ -14,25 +14,26 @@ index f0c504a..ce7a2da 100644 @BIND9_MAKE_RULES@ diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index 1d0c4ce..7b7f89b 100644 +index 4b8ca13..32f4470 100644 --- a/bin/dnssec-pkcs11/Makefile.in +++ b/bin/dnssec-pkcs11/Makefile.in -@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@ +@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ +CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} - CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ +-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ - @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" ++CDEFINES = -DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \ + @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" CWARNINGS = --DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ +-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../lib/isc/libisc.@A@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ +ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ +ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ @@ -43,7 +44,7 @@ index 1d0c4ce..7b7f89b 100644 DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} -@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ +@@ -35,10 +35,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ # Alphabetically @@ -58,7 +59,7 @@ index 1d0c4ce..7b7f89b 100644 OBJS = dnssectool.@O@ -@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} +@@ -59,15 +59,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} @BIND9_MAKE_RULES@ @@ -77,7 +78,7 @@ index 1d0c4ce..7b7f89b 100644 export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ ${FINALBUILDCMD} -@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c +@@ -75,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ -c ${srcdir}/dnssec-signzone.c @@ -86,7 +87,7 @@ index 1d0c4ce..7b7f89b 100644 export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ ${FINALBUILDCMD} -@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c +@@ -83,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ -c ${srcdir}/dnssec-verify.c @@ -110,7 +111,7 @@ index 1d0c4ce..7b7f89b 100644 ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ dnssec-importkey.@O@ ${OBJS} ${LIBS} -@@ -108,16 +108,14 @@ docclean manclean maintainer-clean:: +@@ -106,16 +106,14 @@ docclean manclean maintainer-clean:: installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} @@ -121,18 +122,18 @@ index 1d0c4ce..7b7f89b 100644 -install:: ${TARGETS} installdirs install-man8 +install:: ${TARGETS} installdirs - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done uninstall:: -- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done - for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done +- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done clean distclean:: diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in -index 1d0c4ce..11538cf 100644 +index 4b8ca13..4175996 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in -@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@ +@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ @@ -142,44 +143,46 @@ index 1d0c4ce..11538cf 100644 CWARNINGS = diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in -index d92bc9a..a8c42a4 100644 +index 3166368..a403941 100644 --- a/bin/named-pkcs11/Makefile.in +++ b/bin/named-pkcs11/Makefile.in -@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ +@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ -+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ -+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ - ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ ++ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ ++ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ + ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \ + @DST_OPENSSL_INC@ -CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ -+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ ++CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ @USE_GSSAPI@ CWARNINGS = --DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ +-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCCLIBS = ../../lib/isccc/libisccc.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ -+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ +-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ ++ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ LWRESLIBS = ../../lib/lwres/liblwres.@A@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ -DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ -ISCDEPLIBS = ../../lib/isc/libisc.@A@ -+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ -@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ +@@ -72,15 +72,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ @@ -189,16 +192,16 @@ index d92bc9a..a8c42a4 100644 NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ - ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ -+ @LIBS@ ++ @LIBS@ SUBDIRS = unix -TARGETS = named@EXEEXT@ lwresd@EXEEXT@ -+TARGETS = named-pkcs11@EXEEXT@ ++TARGETS = named-pkcs11@EXEEXT@ GEOIPLINKOBJS = geoip.@O@ - -@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ + GEOIP2LINKOBJS = geoip.@O@ +@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ zoneconf.@O@ \ lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ @@ -208,7 +211,7 @@ index d92bc9a..a8c42a4 100644 UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ -@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ +@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \ tkeyconf.c tsigconf.c update.c xfrout.c \ zoneconf.c \ lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ @@ -218,7 +221,7 @@ index d92bc9a..a8c42a4 100644 MANPAGES = named.8 lwresd.8 named.conf.5 -@@ -146,14 +144,14 @@ server.@O@: server.c +@@ -154,14 +152,14 @@ server.@O@: server.c -DPRODUCT=\"${PRODUCT}\" \ -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c @@ -236,7 +239,7 @@ index d92bc9a..a8c42a4 100644 doc man:: ${MANOBJS} -@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8 +@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8 install-man: install-man5 install-man8 @@ -257,15 +260,15 @@ index d92bc9a..a8c42a4 100644 @DLZ_DRIVER_RULES@ diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index d92bc9a..6d2bfd1 100644 +index 3166368..890574f 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in -@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ - ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ +@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ + ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \ + @DST_OPENSSL_INC@ -CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ -+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ ++CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@ CWARNINGS = @@ -290,11 +293,11 @@ index a058c91..d4b689a 100644 DEPLIBS = ${ISCDEPLIBS} -diff --git a/configure.in b/configure.in -index 849fa94..69e6373 100644 ---- a/configure.in -+++ b/configure.in -@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI) +diff --git a/configure.ac b/configure.ac +index 9b7d778..59ba20b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI) AC_SUBST(DST_GSSAPI_INC) AC_SUBST(DNS_GSSAPI_LIBS) DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" @@ -309,10 +312,10 @@ index 849fa94..69e6373 100644 # # was --with-randomdev specified? -@@ -1554,11 +1556,11 @@ fi +@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash, AC_MSG_CHECKING(for OpenSSL library) OPENSSL_WARNING= - openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" + openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw" -if test "yes" = "$want_native_pkcs11" -then - use_openssl="native_pkcs11" @@ -326,7 +329,7 @@ index 849fa94..69e6373 100644 if test "auto" = "$use_openssl" then -@@ -1571,6 +1573,7 @@ then +@@ -1511,6 +1513,7 @@ then fi done fi @@ -334,7 +337,7 @@ index 849fa94..69e6373 100644 OPENSSL_ECDSA="" OPENSSL_GOST="" OPENSSL_ED25519="" -@@ -1592,11 +1595,10 @@ case "$with_gost" in +@@ -1532,11 +1535,10 @@ case "$with_gost" in ;; esac @@ -349,7 +352,7 @@ index 849fa94..69e6373 100644 CRYPTOLIB="pkcs11" OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" -@@ -1606,7 +1608,9 @@ case "$use_openssl" in +@@ -1546,7 +1548,9 @@ case "$use_openssl" in OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" @@ -360,7 +363,7 @@ index 849fa94..69e6373 100644 no) AC_MSG_RESULT(no) DST_OPENSSL_INC="" -@@ -1638,7 +1642,7 @@ case "$use_openssl" in +@@ -1578,7 +1582,7 @@ case "$use_openssl" in If you do not want OpenSSL, use --without-openssl]) ;; *) @@ -369,7 +372,7 @@ index 849fa94..69e6373 100644 then AC_MSG_RESULT() AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) -@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519) +@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519) AC_SUBST(OPENSSL_GOST) DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" @@ -377,7 +380,7 @@ index 849fa94..69e6373 100644 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" if test "yes" = "$with_aes" -@@ -2384,6 +2389,7 @@ esac +@@ -2291,6 +2296,7 @@ esac AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKSRCS) AC_SUBST(CRYPTO) @@ -385,7 +388,7 @@ index 849fa94..69e6373 100644 AC_SUBST(PKCS11_ECDSA) AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_ED25519) -@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([ +@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -397,7 +400,7 @@ index 849fa94..69e6373 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile -@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([ +@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -408,7 +411,7 @@ index 849fa94..69e6373 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([ +@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([ lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile @@ -447,17 +450,18 @@ index 81270a0..bcb5312 100644 @BIND9_MAKE_RULES@ diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 4a8549e..6a19906 100644 +index 7f09bd6..c388d9e 100644 --- a/lib/dns-pkcs11/Makefile.in +++ b/lib/dns-pkcs11/Makefile.in -@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@ +@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ -CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ -- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ +- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \ +- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ +CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ -+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ ++ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ -CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} +CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} @@ -470,9 +474,9 @@ index 4a8549e..6a19906 100644 -ISCDEPLIBS = ../../lib/isc/libisc.@A@ +ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ - LIBS = @LIBS@ + LIBS = ${MAXMINDDB_LIBS} @LIBS@ -@@ -146,15 +146,15 @@ version.@O@: version.c +@@ -150,15 +149,15 @@ version.@O@: version.c -DLIBAGE=${LIBAGE} \ -c ${srcdir}/version.c @@ -492,13 +496,9 @@ index 4a8549e..6a19906 100644 include: gen ${MAKE} include/dns/enumtype.h -@@ -180,25 +180,25 @@ code.h: gen - ./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; } - - gen: gen.c -- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \ -+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \ - ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS} +@@ -189,22 +188,22 @@ gen: gen.c + ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ + ${BUILD_LIBS} ${LFS_LIBS} -timestamp: include libdns.@A@ +timestamp: include libdns-pkcs11.@A@ @@ -523,9 +523,9 @@ index 4a8549e..6a19906 100644 + rm -f libdns-pkcs11.@A@ timestamp rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h rm -f include/dns/rdatastruct.h - rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h + rm -f dnstap.pb-c.c dnstap.pb-c.h diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in -index ba53ef1..d1f1771 100644 +index 8ad54bb..a3ecdfb 100644 --- a/lib/isc-pkcs11/Makefile.in +++ b/lib/isc-pkcs11/Makefile.in @@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \ @@ -539,7 +539,7 @@ index ba53ef1..d1f1771 100644 CWARNINGS = # Alphabetically -@@ -107,40 +107,40 @@ version.@O@: version.c +@@ -103,40 +103,40 @@ version.@O@: version.c -DLIBAGE=${LIBAGE} \ -c ${srcdir}/version.c diff --git a/SOURCES/bind-9.10-sdb.patch b/SOURCES/bind-9.10-sdb.patch index 7874a5c..5524daa 100644 --- a/SOURCES/bind-9.10-sdb.patch +++ b/SOURCES/bind-9.10-sdb.patch @@ -14,7 +14,7 @@ index ce7a2da..4e6a824 100644 @BIND9_MAKE_RULES@ diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in -index 6d2bfd1..d3f42e8 100644 +index 03a72d5..4c1cb6d 100644 --- a/bin/named-sdb/Makefile.in +++ b/bin/named-sdb/Makefile.in @@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@ @@ -31,7 +31,7 @@ index 6d2bfd1..d3f42e8 100644 DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers -@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ +@@ -80,7 +80,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ SUBDIRS = unix @@ -39,8 +39,8 @@ index 6d2bfd1..d3f42e8 100644 +TARGETS = named-sdb@EXEEXT@ GEOIPLINKOBJS = geoip.@O@ - -@@ -146,7 +146,7 @@ server.@O@: server.c + GEOIP2LINKOBJS = geoip.@O@ +@@ -154,7 +154,7 @@ server.@O@: server.c -DPRODUCT=\"${PRODUCT}\" \ -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c @@ -49,7 +49,7 @@ index 6d2bfd1..d3f42e8 100644 export MAKE_SYMTABLE="yes"; \ export BASEOBJS="${OBJS} ${UOBJS}"; \ ${FINALBUILDCMD} -@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h +@@ -181,8 +181,6 @@ statschannel.@O@: bind9.xsl.h installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} @@ -58,7 +58,7 @@ index 6d2bfd1..d3f42e8 100644 install-man5: named.conf.5 ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5 -@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8 +@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8 install-man: install-man5 install-man8 @@ -79,10 +79,10 @@ index 6d2bfd1..d3f42e8 100644 @DLZ_DRIVER_RULES@ diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c -index bb639d9..555c4d9 100644 +index 108b8d6..a943421 100644 --- a/bin/named-sdb/main.c +++ b/bin/named-sdb/main.c -@@ -91,6 +91,10 @@ +@@ -93,6 +93,10 @@ * Include header files for database drivers here. */ /* #include "xxdb.h" */ @@ -93,7 +93,7 @@ index bb639d9..555c4d9 100644 #ifdef CONTRIB_DLZ /* -@@ -1061,6 +1065,11 @@ setup(void) { +@@ -1069,6 +1073,11 @@ setup(void) { ns_main_earlyfatal("isc_app_start() failed: %s", isc_result_totext(result)); @@ -105,7 +105,7 @@ index bb639d9..555c4d9 100644 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ISC_LOG_NOTICE, "starting %s %s%s%s ", ns_g_product, ns_g_version, -@@ -1261,6 +1270,75 @@ setup(void) { +@@ -1269,6 +1278,75 @@ setup(void) { isc_result_totext(result)); #endif @@ -181,7 +181,7 @@ index bb639d9..555c4d9 100644 ns_server_create(ns_g_mctx, &ns_g_server); #ifdef HAVE_LIBSECCOMP -@@ -1303,6 +1381,11 @@ cleanup(void) { +@@ -1311,6 +1389,11 @@ cleanup(void) { dns_name_destroy(); @@ -194,22 +194,23 @@ index bb639d9..555c4d9 100644 ISC_LOG_NOTICE, "exiting"); ns_log_shutdown(); diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index 6d2bfd1..86f8587 100644 +index 03a72d5..47cc046 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in -@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ +@@ -45,10 +45,10 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ -- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ -+ @DST_OPENSSL_INC@ +- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \ ++ ${MAXMINDDB_CFLAGS} \ + @DST_OPENSSL_INC@ --CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ -+CDEFINES = @CRYPTO@ +-CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@ ++CDEFINES = @USE_GSSAPI@ @CRYPTO@ CWARNINGS = -@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ +@@ -72,11 +72,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ @@ -223,7 +224,7 @@ index 6d2bfd1..86f8587 100644 SUBDIRS = unix -@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ +@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ zoneconf.@O@ \ lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ @@ -233,7 +234,7 @@ index 6d2bfd1..86f8587 100644 UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ -@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ +@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \ tkeyconf.c tsigconf.c update.c xfrout.c \ zoneconf.c \ lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ @@ -243,7 +244,7 @@ index 6d2bfd1..86f8587 100644 MANPAGES = named.8 lwresd.8 named.conf.5 -@@ -195,7 +193,5 @@ uninstall:: +@@ -203,7 +201,5 @@ uninstall:: rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ @@ -286,11 +287,11 @@ index c7e0868..95ab742 100644 ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 -diff --git a/configure.in b/configure.in -index 62536a6..f571a4f 100644 ---- a/configure.in -+++ b/configure.in -@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([ +diff --git a/configure.ac b/configure.ac +index eff9f05..d05ad1f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([ bin/named/unix/Makefile bin/named-pkcs11/Makefile bin/named-pkcs11/unix/Makefile @@ -299,7 +300,7 @@ index 62536a6..f571a4f 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile -@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([ +@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([ bin/python/isc/tests/dnskey_test.py bin/python/isc/tests/policy_test.py bin/rndc/Makefile diff --git a/SOURCES/bind-9.11-CVE-2018-5743-atomic.patch b/SOURCES/bind-9.11-CVE-2018-5743-atomic.patch deleted file mode 100644 index 5647ab6..0000000 --- a/SOURCES/bind-9.11-CVE-2018-5743-atomic.patch +++ /dev/null @@ -1,131 +0,0 @@ -From 94e08314024c812063bf99bd191a46265a2ba49f Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Wed, 24 Apr 2019 21:10:26 +0200 -Subject: [PATCH] Missing atomic fix to original CVE patch - ---- - bin/named/client.c | 18 +++++++----------- - bin/named/include/named/interfacemgr.h | 5 +++-- - bin/named/interfacemgr.c | 7 +++++-- - 3 files changed, 15 insertions(+), 15 deletions(-) - -diff --git a/bin/named/client.c b/bin/named/client.c -index 3ada6e9..d3bf47d 100644 ---- a/bin/named/client.c -+++ b/bin/named/client.c -@@ -405,12 +405,10 @@ tcpconn_detach(ns_client_t *client) { - static void - mark_tcp_active(ns_client_t *client, isc_boolean_t active) { - if (active && !client->tcpactive) { -- isc_atomic_xadd(&client->interface->ntcpactive, 1); -+ isc_refcount_increment0(&client->interface->ntcpactive, NULL); - client->tcpactive = active; - } else if (!active && client->tcpactive) { -- uint32_t old = -- isc_atomic_xadd(&client->interface->ntcpactive, -1); -- INSIST(old > 0); -+ isc_refcount_decrement(&client->interface->ntcpactive, NULL); - client->tcpactive = active; - } - } -@@ -557,7 +555,7 @@ exit_check(ns_client_t *client) { - if (client->mortal && TCP_CLIENT(client) && - client->newstate != NS_CLIENTSTATE_FREED && - !ns_g_clienttest && -- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) -+ isc_refcount_current(&client->interface->ntcpaccepting) == 0) - { - /* Nobody else is accepting */ - client->mortal = ISC_FALSE; -@@ -3321,7 +3319,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) { - isc_result_t result; - ns_client_t *client = event->ev_arg; - isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; -- uint32_t old; - - REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); - REQUIRE(NS_CLIENT_VALID(client)); -@@ -3341,8 +3338,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { - INSIST(client->naccepts == 1); - client->naccepts--; - -- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); -- INSIST(old > 0); -+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL); - - /* - * We must take ownership of the new socket before the exit -@@ -3473,8 +3469,8 @@ client_accept(ns_client_t *client) { - * quota is tcp-clients plus the number of listening - * interfaces plus 1.) - */ -- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > -- (client->tcpactive ? 1 : 0)); -+ exit = (isc_refcount_current(&client->interface->ntcpactive) > -+ (client->tcpactive ? 1U : 0U)); - if (exit) { - client->newstate = NS_CLIENTSTATE_INACTIVE; - (void)exit_check(client); -@@ -3532,7 +3528,7 @@ client_accept(ns_client_t *client) { - * listening for connections itself to prevent the interface - * going dead. - */ -- isc_atomic_xadd(&client->interface->ntcpaccepting, 1); -+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL); - } - - static void -diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h -index d9ac90f..aa21049 100644 ---- a/bin/named/include/named/interfacemgr.h -+++ b/bin/named/include/named/interfacemgr.h -@@ -43,6 +43,7 @@ - #include - #include - #include -+#include - - #include - -@@ -73,11 +74,11 @@ struct ns_interface { - /*%< UDP dispatchers. */ - isc_socket_t * tcpsocket; /*%< TCP socket. */ - isc_dscp_t dscp; /*%< "listen-on" DSCP value */ -- int32_t ntcpaccepting; /*%< Number of clients -+ isc_refcount_t ntcpaccepting; /*%< Number of clients - ready to accept new - TCP connections on this - interface */ -- int32_t ntcpactive; /*%< Number of clients -+ isc_refcount_t ntcpactive; /*%< Number of clients - servicing TCP queries - (whether accepting or - connected) */ -diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index 96c080b..2ce97bb 100644 ---- a/bin/named/interfacemgr.c -+++ b/bin/named/interfacemgr.c -@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, - * connections will be handled in parallel even though there is - * only one client initially. - */ -- ifp->ntcpaccepting = 0; -- ifp->ntcpactive = 0; -+ isc_refcount_init(&ifp->ntcpaccepting, 0); -+ isc_refcount_init(&ifp->ntcpactive, 0); - - ifp->nudpdispatch = 0; - -@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp) { - - ns_interfacemgr_detach(&ifp->mgr); - -+ isc_refcount_destroy(&ifp->ntcpactive); -+ isc_refcount_destroy(&ifp->ntcpaccepting); -+ - ifp->magic = 0; - isc_mem_put(mctx, ifp, sizeof(*ifp)); - } --- -2.20.1 - diff --git a/SOURCES/bind-9.11-CVE-2018-5743.patch b/SOURCES/bind-9.11-CVE-2018-5743.patch deleted file mode 100644 index 665e2b2..0000000 --- a/SOURCES/bind-9.11-CVE-2018-5743.patch +++ /dev/null @@ -1,868 +0,0 @@ -From b2929ff50a7676563177bc52a372ddcae48cb002 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Wed, 24 Apr 2019 20:09:07 +0200 -Subject: [PATCH] 5200. [security] tcp-clients settings could be - exceeded in some cases, which could lead to - exhaustion of file descriptors. (CVE-2018-5743) [GL - #615] - ---- - bin/named/client.c | 421 +++++++++++++++++++------ - bin/named/include/named/client.h | 13 +- - bin/named/include/named/interfacemgr.h | 13 +- - bin/named/interfacemgr.c | 9 +- - lib/isc/include/isc/quota.h | 7 + - lib/isc/quota.c | 33 +- - 6 files changed, 385 insertions(+), 111 deletions(-) - -diff --git a/bin/named/client.c b/bin/named/client.c -index b7d8a98..e1acaf1 100644 ---- a/bin/named/client.c -+++ b/bin/named/client.c -@@ -243,7 +243,7 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason); - static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, - dns_dispatch_t *disp, isc_boolean_t tcp); - static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, -- isc_socket_t *sock); -+ isc_socket_t *sock, ns_client_t *oldclient); - static inline isc_boolean_t - allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr, - isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl); -@@ -295,6 +295,119 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) { - } - } - -+/*% -+ * Allocate a reference-counted object that will maintain a single pointer to -+ * the (also reference-counted) TCP client quota, shared between all the -+ * clients processing queries on a single TCP connection, so that all -+ * clients sharing the one socket will together consume only one slot in -+ * the 'tcp-clients' quota. -+ */ -+static isc_result_t -+tcpconn_init(ns_client_t *client, isc_boolean_t force) { -+ isc_result_t result; -+ isc_quota_t *quota = NULL; -+ ns_tcpconn_t *tconn = NULL; -+ -+ REQUIRE(client->tcpconn == NULL); -+ -+ /* -+ * Try to attach to the quota first, so we won't pointlessly -+ * allocate memory for a tcpconn object if we can't get one. -+ */ -+ if (force) { -+ result = isc_quota_force(&ns_g_server->tcpquota, "a); -+ } else { -+ result = isc_quota_attach(&ns_g_server->tcpquota, "a); -+ } -+ if (result != ISC_R_SUCCESS) { -+ return (result); -+ } -+ -+ /* -+ * A global memory context is used for the allocation as different -+ * client structures may have different memory contexts assigned and a -+ * reference counter allocated here might need to be freed by a -+ * different client. The performance impact caused by memory context -+ * contention here is expected to be negligible, given that this code -+ * is only executed for TCP connections. -+ */ -+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn)); -+ -+ isc_refcount_init(&tconn->refs, 1); -+ tconn->tcpquota = quota; -+ quota = NULL; -+ tconn->pipelined = ISC_FALSE; -+ -+ client->tcpconn = tconn; -+ -+ return (ISC_R_SUCCESS); -+} -+ -+/*% -+ * Increase the count of client structures sharing the TCP connection -+ * that 'source' is associated with; add a pointer to the same tcpconn -+ * to 'target', thus associating it with the same TCP connection. -+ */ -+static void -+tcpconn_attach(ns_client_t *source, ns_client_t *target) { -+ int refs; -+ -+ REQUIRE(source->tcpconn != NULL); -+ REQUIRE(target->tcpconn == NULL); -+ REQUIRE(source->tcpconn->pipelined); -+ -+ isc_refcount_increment(&source->tcpconn->refs, &refs); -+ INSIST(refs > 1); -+ target->tcpconn = source->tcpconn; -+} -+ -+/*% -+ * Decrease the count of client structures sharing the TCP connection that -+ * 'client' is associated with. If this is the last client using this TCP -+ * connection, we detach from the TCP quota and free the tcpconn -+ * object. Either way, client->tcpconn is set to NULL. -+ */ -+static void -+tcpconn_detach(ns_client_t *client) { -+ ns_tcpconn_t *tconn = NULL; -+ int refs; -+ -+ REQUIRE(client->tcpconn != NULL); -+ -+ tconn = client->tcpconn; -+ client->tcpconn = NULL; -+ -+ isc_refcount_decrement(&tconn->refs, &refs); -+ if (refs == 0) { -+ isc_quota_detach(&tconn->tcpquota); -+ isc_mem_free(ns_g_mctx, tconn); -+ } -+} -+ -+/*% -+ * Mark a client as active and increment the interface's 'ntcpactive' -+ * counter, as a signal that there is at least one client servicing -+ * TCP queries for the interface. If we reach the TCP client quota at -+ * some point, this will be used to determine whether a quota overrun -+ * should be permitted. -+ * -+ * Marking the client active with the 'tcpactive' flag ensures proper -+ * accounting, by preventing us from incrementing or decrementing -+ * 'ntcpactive' more than once per client. -+ */ -+static void -+mark_tcp_active(ns_client_t *client, isc_boolean_t active) { -+ if (active && !client->tcpactive) { -+ isc_atomic_xadd(&client->interface->ntcpactive, 1); -+ client->tcpactive = active; -+ } else if (!active && client->tcpactive) { -+ uint32_t old = -+ isc_atomic_xadd(&client->interface->ntcpactive, -1); -+ INSIST(old > 0); -+ client->tcpactive = active; -+ } -+} -+ - /*% - * Check for a deactivation or shutdown request and take appropriate - * action. Returns ISC_TRUE if either is in progress; in this case -@@ -384,7 +497,8 @@ exit_check(ns_client_t *client) { - INSIST(client->recursionquota == NULL); - - if (NS_CLIENTSTATE_READING == client->newstate) { -- if (!client->pipelined) { -+ INSIST(client->tcpconn != NULL); -+ if (!client->tcpconn->pipelined) { - client_read(client); - client->newstate = NS_CLIENTSTATE_MAX; - return (ISC_TRUE); /* We're done. */ -@@ -402,10 +516,13 @@ exit_check(ns_client_t *client) { - */ - INSIST(client->recursionquota == NULL); - INSIST(client->newstate <= NS_CLIENTSTATE_READY); -- if (client->nreads > 0) -+ -+ if (client->nreads > 0) { - dns_tcpmsg_cancelread(&client->tcpmsg); -- if (client->nreads != 0) { -- /* Still waiting for read cancel completion. */ -+ } -+ -+ /* Still waiting for read cancel completion. */ -+ if (client->nreads > 0) { - return (ISC_TRUE); - } - -@@ -413,14 +530,49 @@ exit_check(ns_client_t *client) { - dns_tcpmsg_invalidate(&client->tcpmsg); - client->tcpmsg_valid = ISC_FALSE; - } -+ -+ /* -+ * Soon the client will be ready to accept a new TCP -+ * connection or UDP request, but we may have enough -+ * clients doing that already. Check whether this client -+ * needs to remain active and allow it go inactive if -+ * not. -+ * -+ * UDP clients always go inactive at this point, but a TCP -+ * client may need to stay active and return to READY -+ * state if no other clients are available to listen -+ * for TCP requests on this interface. -+ * -+ * Regardless, if we're going to FREED state, that means -+ * the system is shutting down and we don't need to -+ * retain clients. -+ */ -+ if (client->mortal && TCP_CLIENT(client) && -+ client->newstate != NS_CLIENTSTATE_FREED && -+ !ns_g_clienttest && -+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) -+ { -+ /* Nobody else is accepting */ -+ client->mortal = ISC_FALSE; -+ client->newstate = NS_CLIENTSTATE_READY; -+ } -+ -+ /* -+ * Detach from TCP connection and TCP client quota, -+ * if appropriate. If this is the last reference to -+ * the TCP connection in our pipeline group, the -+ * TCP quota slot will be released. -+ */ -+ if (client->tcpconn) { -+ tcpconn_detach(client); -+ } -+ - if (client->tcpsocket != NULL) { - CTRACE("closetcp"); - isc_socket_detach(&client->tcpsocket); -+ mark_tcp_active(client, ISC_FALSE); - } - -- if (client->tcpquota != NULL) -- isc_quota_detach(&client->tcpquota); -- - if (client->timerset) { - (void)isc_timer_reset(client->timer, - isc_timertype_inactive, -@@ -428,45 +580,26 @@ exit_check(ns_client_t *client) { - client->timerset = ISC_FALSE; - } - -- client->pipelined = ISC_FALSE; -- - client->peeraddr_valid = ISC_FALSE; - - client->state = NS_CLIENTSTATE_READY; -- INSIST(client->recursionquota == NULL); -- -- /* -- * Now the client is ready to accept a new TCP connection -- * or UDP request, but we may have enough clients doing -- * that already. Check whether this client needs to remain -- * active and force it to go inactive if not. -- * -- * UDP clients go inactive at this point, but TCP clients -- * may remain active if we have fewer active TCP client -- * objects than desired due to an earlier quota exhaustion. -- */ -- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) { -- LOCK(&client->interface->lock); -- if (client->interface->ntcpcurrent < -- client->interface->ntcptarget) -- client->mortal = ISC_FALSE; -- UNLOCK(&client->interface->lock); -- } - - /* - * We don't need the client; send it to the inactive - * queue for recycling. - */ - if (client->mortal) { -- if (client->newstate > NS_CLIENTSTATE_INACTIVE) -+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) { - client->newstate = NS_CLIENTSTATE_INACTIVE; -+ } - } - - if (NS_CLIENTSTATE_READY == client->newstate) { - if (TCP_CLIENT(client)) { - client_accept(client); -- } else -+ } else { - client_udprecv(client); -+ } - client->newstate = NS_CLIENTSTATE_MAX; - return (ISC_TRUE); - } -@@ -478,41 +611,51 @@ exit_check(ns_client_t *client) { - /* - * We are trying to enter the inactive state. - */ -- if (client->naccepts > 0) -+ if (client->naccepts > 0) { - isc_socket_cancel(client->tcplistener, client->task, - ISC_SOCKCANCEL_ACCEPT); -+ } - - /* Still waiting for accept cancel completion. */ -- if (! (client->naccepts == 0)) -+ if (client->naccepts > 0) { - return (ISC_TRUE); -+ } - - /* Accept cancel is complete. */ -- if (client->nrecvs > 0) -+ if (client->nrecvs > 0) { - isc_socket_cancel(client->udpsocket, client->task, - ISC_SOCKCANCEL_RECV); -+ } - - /* Still waiting for recv cancel completion. */ -- if (! (client->nrecvs == 0)) -+ if (client->nrecvs > 0) { - return (ISC_TRUE); -+ } - - /* Still waiting for control event to be delivered */ -- if (client->nctls > 0) -+ if (client->nctls > 0) { - return (ISC_TRUE); -- -- /* Deactivate the client. */ -- if (client->interface) -- ns_interface_detach(&client->interface); -+ } - - INSIST(client->naccepts == 0); - INSIST(client->recursionquota == NULL); -- if (client->tcplistener != NULL) -+ if (client->tcplistener != NULL) { - isc_socket_detach(&client->tcplistener); -+ mark_tcp_active(client, ISC_FALSE); -+ } - -- if (client->udpsocket != NULL) -+ if (client->udpsocket != NULL) { - isc_socket_detach(&client->udpsocket); -+ } - -- if (client->dispatch != NULL) -+ /* Deactivate the client. */ -+ if (client->interface != NULL) { -+ ns_interface_detach(&client->interface); -+ } -+ -+ if (client->dispatch != NULL) { - dns_dispatch_detach(&client->dispatch); -+ } - - client->attributes = 0; - client->mortal = ISC_FALSE; -@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) { - client->newstate = NS_CLIENTSTATE_MAX; - if (!ns_g_clienttest && manager != NULL && - !manager->exiting) -+ { - ISC_QUEUE_PUSH(manager->inactive, client, - ilink); -- if (client->needshutdown) -+ } -+ if (client->needshutdown) { - isc_task_shutdown(client->task); -+ } - return (ISC_TRUE); - } - } -@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event_t *event) { - return; - - if (TCP_CLIENT(client)) { -- if (client->pipelined) { -+ if (client->tcpconn != NULL) { - client_read(client); - } else { - client_accept(client); -@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event_t *event) { - } - } - -- - /*% - * The client's task has received a shutdown event. - */ -@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_event_t *event) { - client->nrecvs--; - } else { - INSIST(TCP_CLIENT(client)); -+ INSIST(client->tcpconn != NULL); - REQUIRE(event->ev_type == DNS_EVENT_TCPMSG); - REQUIRE(event->ev_sender == &client->tcpmsg); - buffer = &client->tcpmsg.buffer; -@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_event_t *event) { - /* - * Pipeline TCP query processing. - */ -- if (client->message->opcode != dns_opcode_query) -- client->pipelined = ISC_FALSE; -- if (TCP_CLIENT(client) && client->pipelined) { -- result = isc_quota_reserve(&ns_g_server->tcpquota); -- if (result == ISC_R_SUCCESS) -- result = ns_client_replace(client); -+ if (TCP_CLIENT(client) && -+ client->message->opcode != dns_opcode_query) -+ { -+ client->tcpconn->pipelined = ISC_FALSE; -+ } -+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) { -+ /* -+ * We're pipelining. Replace the client; the -+ * replacement can read the TCP socket looking -+ * for new messages and this one can process the -+ * current message asynchronously. -+ * -+ * There will now be at least three clients using this -+ * TCP socket - one accepting new connections, -+ * one reading an existing connection to get new -+ * messages, and one answering the message already -+ * received. -+ */ -+ result = ns_client_replace(client); - if (result != ISC_R_SUCCESS) { -- ns_client_log(client, NS_LOGCATEGORY_CLIENT, -- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, -- "no more TCP clients(read): %s", -- isc_result_totext(result)); -- client->pipelined = ISC_FALSE; -+ client->tcpconn->pipelined = ISC_FALSE; - } - } - -@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { - client->signer = NULL; - dns_name_init(&client->signername, NULL); - client->mortal = ISC_FALSE; -- client->pipelined = ISC_FALSE; -- client->tcpquota = NULL; -+ client->tcpconn = NULL; - client->recursionquota = NULL; - client->interface = NULL; - client->peeraddr_valid = ISC_FALSE; -@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { - client->filter_aaaa = dns_aaaa_ok; - #endif - client->needshutdown = ns_g_clienttest; -+ client->tcpactive = ISC_FALSE; - - ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL, - NS_EVENT_CLIENTCONTROL, client_start, client, client, -@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) { - - static void - client_newconn(isc_task_t *task, isc_event_t *event) { -+ isc_result_t result; - ns_client_t *client = event->ev_arg; - isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; -- isc_result_t result; -+ uint32_t old; - - REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); - REQUIRE(NS_CLIENT_VALID(client)); -@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_event_t *event) { - - INSIST(client->state == NS_CLIENTSTATE_READY); - -+ /* -+ * The accept() was successful and we're now establishing a new -+ * connection. We need to make note of it in the client and -+ * interface objects so client objects can do the right thing -+ * when going inactive in exit_check() (see comments in -+ * client_accept() for details). -+ */ - INSIST(client->naccepts == 1); - client->naccepts--; - -- LOCK(&client->interface->lock); -- INSIST(client->interface->ntcpcurrent > 0); -- client->interface->ntcpcurrent--; -- UNLOCK(&client->interface->lock); -+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); -+ INSIST(old > 0); - - /* - * We must take ownership of the new socket before the exit -@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { - NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), - "accept failed: %s", - isc_result_totext(nevent->result)); -+ tcpconn_detach(client); - } - - if (exit_check(client)) -@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) { - * telnetting to port 53 (once per CPU) will - * deny service to legitimate TCP clients. - */ -- client->pipelined = ISC_FALSE; -- result = isc_quota_attach(&ns_g_server->tcpquota, -- &client->tcpquota); -- if (result == ISC_R_SUCCESS) -- result = ns_client_replace(client); -- if (result != ISC_R_SUCCESS) { -- ns_client_log(client, NS_LOGCATEGORY_CLIENT, -- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, -- "no more TCP clients(accept): %s", -- isc_result_totext(result)); -- } else if (ns_g_server->keepresporder == NULL || -- !allowed(&netaddr, NULL, NULL, 0, NULL, -- ns_g_server->keepresporder)) { -- client->pipelined = ISC_TRUE; -+ result = ns_client_replace(client); -+ if (result == ISC_R_SUCCESS && -+ (ns_g_server->keepresporder == NULL || -+ !allowed(&netaddr, NULL, NULL, 0, NULL, -+ ns_g_server->keepresporder))) -+ { -+ client->tcpconn->pipelined = ISC_TRUE; - } - - client_read(client); -@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) { - - CTRACE("accept"); - -+ /* -+ * Set up a new TCP connection. This means try to attach to the -+ * TCP client quota (tcp-clients), but fail if we're over quota. -+ */ -+ result = tcpconn_init(client, ISC_FALSE); -+ if (result != ISC_R_SUCCESS) { -+ isc_boolean_t exit; -+ -+ ns_client_log(client, NS_LOGCATEGORY_CLIENT, -+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, -+ "TCP client quota reached: %s", -+ isc_result_totext(result)); -+ -+ /* -+ * We have exceeded the system-wide TCP client quota. But, -+ * we can't just block this accept in all cases, because if -+ * we did, a heavy TCP load on other interfaces might cause -+ * this interface to be starved, with no clients able to -+ * accept new connections. -+ * -+ * So, we check here to see if any other clients are -+ * already servicing TCP queries on this interface (whether -+ * accepting, reading, or processing). If we find that at -+ * least one client other than this one is active, then -+ * it's okay *not* to call accept - we can let this -+ * client go inactive and another will take over when it's -+ * done. -+ * -+ * If there aren't enough active clients on the interface, -+ * then we can be a little bit flexible about the quota. -+ * We'll allow *one* extra client through to ensure we're -+ * listening on every interface; we do this by setting the -+ * 'force' option to tcpconn_init(). -+ * -+ * (Note: In practice this means that the real TCP client -+ * quota is tcp-clients plus the number of listening -+ * interfaces plus 1.) -+ */ -+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > -+ (client->tcpactive ? 1 : 0)); -+ if (exit) { -+ client->newstate = NS_CLIENTSTATE_INACTIVE; -+ (void)exit_check(client); -+ return; -+ } -+ -+ result = tcpconn_init(client, ISC_TRUE); -+ RUNTIME_CHECK(result == ISC_R_SUCCESS); -+ } -+ -+ /* -+ * If this client was set up using get_client() or get_worker(), -+ * then TCP is already marked active. However, if it was restarted -+ * from exit_check(), it might not be, so we take care of it now. -+ */ -+ mark_tcp_active(client, ISC_TRUE); -+ - result = isc_socket_accept(client->tcplistener, client->task, - client_newconn, client); - if (result != ISC_R_SUCCESS) { -- UNEXPECTED_ERROR(__FILE__, __LINE__, -- "isc_socket_accept() failed: %s", -- isc_result_totext(result)); - /* - * XXXRTH What should we do? We're trying to accept but - * it didn't work. If we just give up, then TCP -@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) { - * - * For now, we just go idle. - */ -+ UNEXPECTED_ERROR(__FILE__, __LINE__, -+ "isc_socket_accept() failed: %s", -+ isc_result_totext(result)); -+ -+ tcpconn_detach(client); -+ mark_tcp_active(client, ISC_FALSE); - return; - } -+ -+ /* -+ * The client's 'naccepts' counter indicates that this client has -+ * called accept() and is waiting for a new connection. It should -+ * never exceed 1. -+ */ - INSIST(client->naccepts == 0); - client->naccepts++; -- LOCK(&client->interface->lock); -- client->interface->ntcpcurrent++; -- UNLOCK(&client->interface->lock); -+ -+ /* -+ * The interface's 'ntcpaccepting' counter is incremented when -+ * any client calls accept(), and decremented in client_newconn() -+ * once the connection is established. -+ * -+ * When the client object is shutting down after handling a TCP -+ * request (see exit_check()), if this value is at least one, that -+ * means another client has called accept() and is waiting to -+ * establish the next connection. That means the client may be -+ * be free to become inactive; otherwise it may need to start -+ * listening for connections itself to prevent the interface -+ * going dead. -+ */ -+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1); - } - - static void -@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) { - REQUIRE(client->manager != NULL); - - tcp = TCP_CLIENT(client); -- if (tcp && client->pipelined) { -+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) { - result = get_worker(client->manager, client->interface, -- client->tcpsocket); -+ client->tcpsocket, client); - } else { - result = get_client(client->manager, client->interface, - client->dispatch, tcp); -+ - } -- if (result != ISC_R_SUCCESS) -+ if (result != ISC_R_SUCCESS) { - return (result); -+ } - - /* - * The responsibility for listening for new requests is hereby -@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, - client->dscp = ifp->dscp; - - if (tcp) { -+ mark_tcp_active(client, ISC_TRUE); -+ - client->attributes |= NS_CLIENTATTR_TCP; - isc_socket_attach(ifp->tcpsocket, - &client->tcplistener); -+ - } else { - isc_socket_t *sock; - -@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, - } - - static isc_result_t --get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) -+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock, -+ ns_client_t *oldclient) - { - isc_result_t result = ISC_R_SUCCESS; - isc_event_t *ev; -@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) - MTRACE("get worker"); - - REQUIRE(manager != NULL); -+ REQUIRE(oldclient != NULL); - - if (manager->exiting) - return (ISC_R_SHUTTINGDOWN); -@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) - ns_interface_attach(ifp, &client->interface); - client->newstate = client->state = NS_CLIENTSTATE_WORKING; - INSIST(client->recursionquota == NULL); -- client->tcpquota = &ns_g_server->tcpquota; - - client->dscp = ifp->dscp; - - client->attributes |= NS_CLIENTATTR_TCP; -- client->pipelined = ISC_TRUE; - client->mortal = ISC_TRUE; - -+ tcpconn_attach(oldclient, client); -+ mark_tcp_active(client, ISC_TRUE); -+ - isc_socket_attach(ifp->tcpsocket, &client->tcplistener); - isc_socket_attach(sock, &client->tcpsocket); - isc_socket_setname(client->tcpsocket, "worker-tcp", NULL); -diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h -index 262b906..0f54d22 100644 ---- a/bin/named/include/named/client.h -+++ b/bin/named/include/named/client.h -@@ -9,8 +9,6 @@ - * information regarding copyright ownership. - */ - --/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */ -- - #ifndef NAMED_CLIENT_H - #define NAMED_CLIENT_H 1 - -@@ -77,6 +75,13 @@ - *** Types - ***/ - -+/*% reference-counted TCP connection object */ -+typedef struct ns_tcpconn { -+ isc_refcount_t refs; -+ isc_quota_t *tcpquota; -+ isc_boolean_t pipelined; -+} ns_tcpconn_t; -+ - /*% nameserver client structure */ - struct ns_client { - unsigned int magic; -@@ -91,6 +96,7 @@ struct ns_client { - int nupdates; - int nctls; - int references; -+ isc_boolean_t tcpactive; - isc_boolean_t needshutdown; /* - * Used by clienttest to get - * the client to go from -@@ -129,8 +135,7 @@ struct ns_client { - dns_name_t signername; /*%< [T]SIG key name */ - dns_name_t * signer; /*%< NULL if not valid sig */ - isc_boolean_t mortal; /*%< Die after handling request */ -- isc_boolean_t pipelined; /*%< TCP queries not in sequence */ -- isc_quota_t *tcpquota; -+ ns_tcpconn_t *tcpconn; - isc_quota_t *recursionquota; - ns_interface_t *interface; - -diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h -index 36870f3..d9ac90f 100644 ---- a/bin/named/include/named/interfacemgr.h -+++ b/bin/named/include/named/interfacemgr.h -@@ -9,8 +9,6 @@ - * information regarding copyright ownership. - */ - --/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */ -- - #ifndef NAMED_INTERFACEMGR_H - #define NAMED_INTERFACEMGR_H 1 - -@@ -75,9 +73,14 @@ struct ns_interface { - /*%< UDP dispatchers. */ - isc_socket_t * tcpsocket; /*%< TCP socket. */ - isc_dscp_t dscp; /*%< "listen-on" DSCP value */ -- int ntcptarget; /*%< Desired number of concurrent -- TCP accepts */ -- int ntcpcurrent; /*%< Current ditto, locked */ -+ int32_t ntcpaccepting; /*%< Number of clients -+ ready to accept new -+ TCP connections on this -+ interface */ -+ int32_t ntcpactive; /*%< Number of clients -+ servicing TCP queries -+ (whether accepting or -+ connected) */ - int nudpdispatch; /*%< Number of UDP dispatches */ - ns_clientmgr_t * clientmgr; /*%< Client manager. */ - ISC_LINK(ns_interface_t) link; -diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index d8c7188..96c080b 100644 ---- a/bin/named/interfacemgr.c -+++ b/bin/named/interfacemgr.c -@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, - * connections will be handled in parallel even though there is - * only one client initially. - */ -- ifp->ntcptarget = 1; -- ifp->ntcpcurrent = 0; -+ ifp->ntcpaccepting = 0; -+ ifp->ntcpactive = 0; -+ - ifp->nudpdispatch = 0; - - ifp->dscp = -1; -@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) { - */ - (void)isc_socket_filter(ifp->tcpsocket, "dataready"); - -- result = ns_clientmgr_createclients(ifp->clientmgr, -- ifp->ntcptarget, ifp, -- ISC_TRUE); -+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "TCP ns_clientmgr_createclients(): %s", -diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h -index b9bf598..36c5830 100644 ---- a/lib/isc/include/isc/quota.h -+++ b/lib/isc/include/isc/quota.h -@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p); - * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA). - */ - -+isc_result_t -+isc_quota_force(isc_quota_t *quota, isc_quota_t **p); -+/*%< -+ * Like isc_quota_attach, but will attach '*p' to the quota -+ * even if the hard quota has been exceeded. -+ */ -+ - void - isc_quota_detach(isc_quota_t **p); - /*%< -diff --git a/lib/isc/quota.c b/lib/isc/quota.c -index 3ddff0d..20976a4 100644 ---- a/lib/isc/quota.c -+++ b/lib/isc/quota.c -@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) { - UNLOCK("a->lock); - } - --isc_result_t --isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) --{ -+static isc_result_t -+doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) { - isc_result_t result; -- INSIST(p != NULL && *p == NULL); -+ REQUIRE(p != NULL && *p == NULL); -+ - result = isc_quota_reserve(quota); -- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) -+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) { -+ *p = quota; -+ } else if (result == ISC_R_QUOTA && force) { -+ /* attach anyway */ -+ LOCK("a->lock); -+ quota->used++; -+ UNLOCK("a->lock); -+ - *p = quota; -+ result = ISC_R_SUCCESS; -+ } -+ - return (result); - } - -+isc_result_t -+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) { -+ return (doattach(quota, p, ISC_FALSE)); -+} -+ -+isc_result_t -+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) { -+ return (doattach(quota, p, ISC_TRUE)); -+} -+ - void --isc_quota_detach(isc_quota_t **p) --{ -+isc_quota_detach(isc_quota_t **p) { - INSIST(p != NULL && *p != NULL); - isc_quota_release(*p); - *p = NULL; --- -2.20.1 - diff --git a/SOURCES/bind-9.11-CVE-2018-5744-test.patch b/SOURCES/bind-9.11-CVE-2018-5744-test.patch deleted file mode 100644 index 4aee6f1..0000000 --- a/SOURCES/bind-9.11-CVE-2018-5744-test.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 4b9bfa5c8cae6f81e94af0f582bf9686320144db Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Mon, 10 Dec 2018 13:33:54 +1100 -Subject: [PATCH] check that multiple KEY-TAG trust-anchor-telemetry options - don't leak memory - -(cherry picked from commit 4b1dc4a5445e9561f2208f9388cf9f9e2cfcbe51) -(cherry picked from commit f545e9dff1f0eadcdea5531ef7062324d232c716) -(cherry picked from commit 2bda5ac2e1635ac10a595c4ff155516ded7abec2) ---- - bin/tests/system/dnssec/tests.sh | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh -index 3156668..b1907c7 100644 ---- a/bin/tests/system/dnssec/tests.sh -+++ b/bin/tests/system/dnssec/tests.sh -@@ -3508,11 +3508,22 @@ status=`expr $status + $ret` - - echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" - ret=0 --$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1 -+$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1 - grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -+echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)" -+ret=0 -+$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1 -+grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1 -+grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1 -+(cd "$SYSTEMTESTTOP" && $PERL ./stop.pl dnssec ns1) || ret=1 -+(cd "$SYSTEMTESTTOP" && $PERL ./start.pl --noclean --restart --port ${PORT} dnssec ns1) || ret=1 -+n=`expr $n + 1` -+test "$ret" -eq 0 || echo_i "failed" -+status=`expr $status + $ret` -+ - echo_i "exit status: $status" - [ $status -eq 0 ] || exit 1 --- -2.20.1 - diff --git a/SOURCES/bind-9.11-CVE-2018-5744.patch b/SOURCES/bind-9.11-CVE-2018-5744.patch deleted file mode 100644 index e3ac8c9..0000000 --- a/SOURCES/bind-9.11-CVE-2018-5744.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a4e1db793d4971d87631276ea57808074ed2c1c7 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Thu, 21 Feb 2019 17:23:53 +0100 -Subject: [PATCH 1/3] Fix CVE-2018-5744 - -5110. [security] Named leaked memory if there were multiple Key Tag - EDNS options present. (CVE-2018-5744) [GL #772] ---- - bin/named/client.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/bin/named/client.c b/bin/named/client.c -index b9ebc93..b7d8a98 100644 ---- a/bin/named/client.c -+++ b/bin/named/client.c -@@ -2112,6 +2112,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { - return (DNS_R_OPTERR); - } - -+ /* Silently drop additional keytag options. */ -+ if (client->keytag != NULL) { -+ isc_buffer_forward(buf, (unsigned int)optlen); -+ return (ISC_R_SUCCESS); -+ } -+ - client->keytag = isc_mem_get(client->mctx, optlen); - if (client->keytag != NULL) { - client->keytag_len = (isc_uint16_t)optlen; --- -2.20.1 - diff --git a/SOURCES/bind-9.11-CVE-2018-5745.patch b/SOURCES/bind-9.11-CVE-2018-5745.patch deleted file mode 100644 index 1ea50c6..0000000 --- a/SOURCES/bind-9.11-CVE-2018-5745.patch +++ /dev/null @@ -1,474 +0,0 @@ -From c705a3eac69286b47a70b851aa5dd9119d04512f Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 23 Jul 2019 16:43:55 +0200 -Subject: [PATCH] Fix CVE-2018-5745 - -Squashed commit of the following: - -commit c38e1dd10567e246bb802d889c3b2d2d286c7616 -Author: Evan Hunt -Date: Fri Dec 21 17:24:47 2018 -0800 - - use algorithm 255 for both unsupported keys - - (cherry picked from commit de8b2d4a6a97bb2ddf19024918581e70512ebc41) - -commit caf8a62270c850fbc59cfa6bb9dcedb2ef7228c2 -Author: Matthijs Mekking -Date: Wed Dec 19 18:45:43 2018 +0100 - - Add tests for mkeys with unsupported algorithm - - These tests check if a key with an unsupported algorithm in - managed-keys is ignored and when seeing an algorithm rollover to - an unsupported algorithm, the new key will be ignored too. - - (cherry picked from commit 144cb53d0ae3aa5e6e3123720b603f9ab2bd1fa9) - (cherry picked from commit 8c2a8ca50946449bf26a7e0843cc5e54e36071ae) - -commit 634655f38385595fb9a35e93ec3a72ed4c48bda6 -Author: Matthijs Mekking -Date: Wed Dec 19 18:47:43 2018 +0100 - - Update keyfetch_done compute_tag check - - If in keyfetch_done the compute_tag fails (because for example the - algorithm is not supported), don't crash, but instead ignore the - key. - - (cherry picked from commit b1d5411569ae10830b63f07560091193646cc739) - (cherry picked from commit 8f64928e2eb9395d8cdcd62183a1eaec3b1c5256) - -commit e5cb28c3f3df4c37d528665e67fb460cc1662259 -Author: Matthijs Mekking -Date: Wed Dec 12 14:06:10 2018 +0100 - - Don't free key in compute_tag in case of failure - - If `dns_dnssec_keyfromrdata` failed we don't need to call - `dst_key_free` because no `dstkey` was created. Doing so - nevertheless will result in an assertion failure. - - This can happen if the key uses an unsupported algorithm. - - (cherry picked from commit 7a1ca39b950b7d5230b605ac60f15a1cb94e3d69) - (cherry picked from commit acae423ef4274c5535da324da78ce1441628d5f6) ---- - bin/tests/system/mkeys/README | 3 + - bin/tests/system/mkeys/clean.sh | 2 + - bin/tests/system/mkeys/ns1/root.db | 20 +++---- - bin/tests/system/mkeys/ns1/sign.sh | 7 ++- - bin/tests/system/mkeys/ns1/unsupported.key | 1 + - bin/tests/system/mkeys/ns6/named.args | 1 + - bin/tests/system/mkeys/ns6/named.conf.in | 43 +++++++++++++++ - bin/tests/system/mkeys/ns6/setup.sh | 30 ++++++++++ - .../system/mkeys/ns6/unsupported-managed.key | 1 + - bin/tests/system/mkeys/ns7/named.conf.in | 50 +++++++++++++++++ - bin/tests/system/mkeys/setup.sh | 1 + - bin/tests/system/mkeys/tests.sh | 55 +++++++++++++++++++ - lib/dns/include/dst/dst.h | 3 +- - lib/dns/zone.c | 27 ++++++++- - 14 files changed, 229 insertions(+), 15 deletions(-) - create mode 100644 bin/tests/system/mkeys/ns1/unsupported.key - create mode 100644 bin/tests/system/mkeys/ns6/named.args - create mode 100644 bin/tests/system/mkeys/ns6/named.conf.in - create mode 100644 bin/tests/system/mkeys/ns6/setup.sh - create mode 100644 bin/tests/system/mkeys/ns6/unsupported-managed.key - create mode 100644 bin/tests/system/mkeys/ns7/named.conf.in - -diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README -index 700e6c21ca..257ef5406f 100644 ---- a/bin/tests/system/mkeys/README -+++ b/bin/tests/system/mkeys/README -@@ -16,3 +16,6 @@ ns3 is a validator with a broken key in managed-keys. - - ns5 is a validator which is prevented from getting a response from the - root server, causing key refresh queries to fail. -+ -+ns6 is a validator which has unsupported algorithms, one at start up, -+one because of an algorithm rollover. -diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh -index 17bd50f273..844d813eb4 100644 ---- a/bin/tests/system/mkeys/clean.sh -+++ b/bin/tests/system/mkeys/clean.sh -@@ -11,6 +11,7 @@ - - rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk - rm -f dsset-. ns1/dsset-. -+rm -f ns1/zone.key - rm -f ns*/named.lock - rm -f */managed-keys.bind* */named.secroots - rm -f */managed.conf ns1/managed.key ns1/managed.key.id -@@ -19,3 +20,4 @@ rm -f dig.out* delv.out* rndc.out* signer.out* - rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp - rm -f */named.conf - rm -f ns5/named.args -+rm -f ns7/view1.mkeys ns7/view2.mkeys -diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db -index 6ba922af09..0070f13942 100644 ---- a/bin/tests/system/mkeys/ns1/root.db -+++ b/bin/tests/system/mkeys/ns1/root.db -@@ -8,16 +8,16 @@ - ; information regarding copyright ownership. - - $TTL 20 --. IN SOA gson.nominum.com. a.root.servers.nil. ( -- 2000042100 ; serial -- 600 ; refresh -- 600 ; retry -- 1200 ; expire -- 2 ; minimum -- ) --. NS a.root-servers.nil. --a.root-servers.nil. A 10.53.0.1 -+. IN SOA gson.nominum.com. a.root.servers.nil. ( -+ 2000042100 ; serial -+ 600 ; refresh -+ 600 ; retry -+ 1200 ; expire -+ 2 ; minimum -+ ) -+. NS a.root-servers.nil. -+a.root-servers.nil. A 10.53.0.1 - - ; no delegation - --example. TXT "This is a test." -+example. TXT "This is a test." -diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh -index ccc7889ad9..e5e7ec05d6 100644 ---- a/bin/tests/system/mkeys/ns1/sign.sh -+++ b/bin/tests/system/mkeys/ns1/sign.sh -@@ -25,13 +25,18 @@ keyfile_to_managed_keys $keyname > managed.conf - cp managed.conf ../ns2/managed.conf - cp managed.conf ../ns5/managed.conf - --# Configure a trusted key statement (used by delv) -+# Configure a trusted key statement (used by delv). - keyfile_to_trusted_keys $keyname > trusted.conf - -+# Prepare an unsupported algorithm key. -+unsupportedkey=Kunknown.+255+00000 -+cp unsupported.key "${unsupportedkey}.key" -+ - # - # Save keyname and keyid for managed key id test. - # - echo "$keyname" > managed.key -+echo "$zskkeyname" > zone.key - keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'` - keyid=`expr $keyid + 0` - echo "$keyid" > managed.key.id -diff --git a/bin/tests/system/mkeys/ns1/unsupported.key b/bin/tests/system/mkeys/ns1/unsupported.key -new file mode 100644 -index 0000000000..7435d03b63 ---- /dev/null -+++ b/bin/tests/system/mkeys/ns1/unsupported.key -@@ -0,0 +1 @@ -+. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB -diff --git a/bin/tests/system/mkeys/ns6/named.args b/bin/tests/system/mkeys/ns6/named.args -new file mode 100644 -index 0000000000..02f8f670f6 ---- /dev/null -+++ b/bin/tests/system/mkeys/ns6/named.args -@@ -0,0 +1 @@ -+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20 -diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in -new file mode 100644 -index 0000000000..8d76f7f2e7 ---- /dev/null -+++ b/bin/tests/system/mkeys/ns6/named.conf.in -@@ -0,0 +1,43 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+// NS6 -+ -+options { -+ query-source address 10.53.0.6; -+ notify-source 10.53.0.6; -+ transfer-source 10.53.0.6; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.6; }; -+ listen-on-v6 { none; }; -+ recursion yes; -+ notify no; -+ dnssec-enable yes; -+ dnssec-validation yes; -+ trust-anchor-telemetry no; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+zone "." { -+ type hint; -+ file "../../common/root.hint"; -+}; -+ -+include "managed.conf"; -diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh -new file mode 100644 -index 0000000000..5ba1647da5 ---- /dev/null -+++ b/bin/tests/system/mkeys/ns6/setup.sh -@@ -0,0 +1,30 @@ -+#!/bin/sh -e -+# -+# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+# -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, You can obtain one at http://mozilla.org/MPL/2.0/. -+# -+# See the COPYRIGHT file distributed with this work for additional -+# information regarding copyright ownership. -+ -+SYSTEMTESTTOP=../.. -+. $SYSTEMTESTTOP/conf.sh -+ -+zone=. -+zonefile=root.db -+ -+# an RSA key -+rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.` -+ -+# a key with unsupported algorithm -+unsupportedkey=Kunknown.+255+00000 -+cp unsupported-managed.key "${unsupportedkey}.key" -+ -+# root key -+rootkey=`cat ../ns1/managed.key` -+cp "../ns1/${rootkey}.key" . -+ -+# Configure the resolving server with a managed trusted key. -+keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf -diff --git a/bin/tests/system/mkeys/ns6/unsupported-managed.key b/bin/tests/system/mkeys/ns6/unsupported-managed.key -new file mode 100644 -index 0000000000..be872a00f0 ---- /dev/null -+++ b/bin/tests/system/mkeys/ns6/unsupported-managed.key -@@ -0,0 +1 @@ -+unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6 -diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in -new file mode 100644 -index 0000000000..a9aba00733 ---- /dev/null -+++ b/bin/tests/system/mkeys/ns7/named.conf.in -@@ -0,0 +1,50 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+// NS7 -+ -+options { -+ query-source address 10.53.0.7; -+ notify-source 10.53.0.7; -+ transfer-source 10.53.0.7; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.7; }; -+ listen-on-v6 { none; }; -+ recursion yes; -+ notify no; -+ dnssec-enable yes; -+ dnssec-validation auto; -+ bindkeys-file "managed.conf"; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+view view1 { -+ zone "." { -+ type hint; -+ file "../../common/root.hint"; -+ }; -+}; -+ -+view view2 { -+ zone "." { -+ type hint; -+ file "../../common/root.hint"; -+ }; -+}; -diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh -index bd3169f9b6..100a86959b 100644 ---- a/bin/tests/system/mkeys/setup.sh -+++ b/bin/tests/system/mkeys/setup.sh -@@ -25,3 +25,4 @@ copy_setports ns5/named.conf.in ns5/named.conf - cp ns5/named1.args ns5/named.args - - ( cd ns1 && $SHELL sign.sh ) -+( cd ns6 && $SHELL setup.sh ) -diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh -index f65f49e98d..b8410902d7 100644 ---- a/bin/tests/system/mkeys/tests.sh -+++ b/bin/tests/system/mkeys/tests.sh -@@ -701,6 +701,8 @@ rm -f ns1/root.db.signed.jnl - nextpart ns5/named.run > /dev/null - mkeys_reconfig_on 1 - wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run -+#mkeys_secroots_on 5 -+#grep '; managed' ns5/named.secroots > /dev/null || ret=1 - # ns1 should not longer REFUSE queries from ns5, so managed keys should be - # correctly refreshed and resolving should succeed - $DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 -@@ -710,5 +712,58 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -+echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" -+ret=0 -+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6 -+rm -f ns6/managed-keys.bind* -+nextpart ns6/named.run > /dev/null -+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6 -+# log when an unsupported algorithm is encountered during startup -+wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=`expr $status + $ret` -+ -+n=`expr $n + 1` -+echo_i "skipping unsupported algorithm in managed-keys ($n)" -+ret=0 -+mkeys_status_on 6 > rndc.out.$n 2>&1 -+# there should still be only two keys listed (for . and rsasha256.) -+count=`grep -c "keyid: " rndc.out.$n` -+[ "$count" -eq 2 ] || ret=1 -+# two lines indicating trust status -+count=`grep -c "trust" rndc.out.$n` -+[ "$count" -eq 2 ] || ret=1 -+ -+n=`expr $n + 1` -+echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" -+ret=0 -+cp ns1/root.db ns1/root.db.orig -+ksk=`cat ns1/managed.key` -+zsk=`cat ns1/zone.key` -+cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db -+grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1 -+$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1 -+grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 -+cp ns1/root.db.orig ns1/root.db -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=`expr $status + $ret` -+ -+n=`expr $n + 1` -+echo_i "skipping unsupported algorithm in rollover ($n)" -+ret=0 -+mkeys_reload_on 1 -+mkeys_refresh_on 6 -+mkeys_status_on 6 > rndc.out.$n 2>&1 -+# there should still be only two keys listed (for . and rsasha256.) -+count=`grep -c "keyid: " rndc.out.$n` -+[ "$count" -eq 2 ] || ret=1 -+# two lines indicating trust status -+count=`grep -c "trust" rndc.out.$n` -+[ "$count" -eq 2 ] || ret=1 -+# log when an unsupported algorithm is encountered during rollover -+wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=`expr $status + $ret` -+ - echo_i "exit status: $status" - [ $status -eq 0 ] || exit 1 -diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index e8c1a3c287..91f4a6e300 100644 ---- a/lib/dns/include/dst/dst.h -+++ b/lib/dns/include/dst/dst.h -@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_t; - #define DST_ALG_HMACSHA512 165 /* XXXMPA */ - #define DST_ALG_INDIRECT 252 - #define DST_ALG_PRIVATE 254 --#define DST_ALG_EXPAND 255 --#define DST_MAX_ALGS 255 -+#define DST_MAX_ALGS 256 - - /*% A buffer of this size is large enough to hold any key */ - #define DST_KEY_MAXSIZE 1280 -diff --git a/lib/dns/zone.c b/lib/dns/zone.c -index 055b2417eb..96c98d585c 100644 ---- a/lib/dns/zone.c -+++ b/lib/dns/zone.c -@@ -3903,9 +3903,10 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, - dns_rdatatype_dnskey, dnskey, &buffer); - - result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey); -- if (result == ISC_R_SUCCESS) -+ if (result == ISC_R_SUCCESS) { - *tag = dst_key_id(dstkey); -- dst_key_free(&dstkey); -+ dst_key_free(&dstkey); -+ } - - return (result); - } -@@ -9364,6 +9365,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { - - dns_keydata_todnskey(&keydata, &dnskey, NULL); - result = compute_tag(keyname, &dnskey, mctx, &keytag); -+ if (result != ISC_R_SUCCESS) { -+ /* -+ * Skip if we cannot compute the key tag. -+ * This may happen if the algorithm is unsupported -+ */ -+ dns_zone_log(zone, ISC_LOG_ERROR, -+ "Cannot compute tag for key in zone %s: %s " -+ "(skipping)", -+ namebuf, dns_result_totext(result)); -+ continue; -+ } - RUNTIME_CHECK(result == ISC_R_SUCCESS); - - /* -@@ -9475,6 +9487,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { - continue; - - result = compute_tag(keyname, &dnskey, mctx, &keytag); -+ if (result != ISC_R_SUCCESS) { -+ /* -+ * Skip if we cannot compute the key tag. -+ * This may happen if the algorithm is unsupported -+ */ -+ dns_zone_log(zone, ISC_LOG_ERROR, -+ "Cannot compute tag for key in zone %s: %s " -+ "(skipping)", -+ namebuf, dns_result_totext(result)); -+ continue; -+ } - RUNTIME_CHECK(result == ISC_R_SUCCESS); - - revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE); --- -2.20.1 - diff --git a/SOURCES/bind-9.11-CVE-2019-6465.patch b/SOURCES/bind-9.11-CVE-2019-6465.patch deleted file mode 100644 index 0657aa3..0000000 --- a/SOURCES/bind-9.11-CVE-2019-6465.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 3824a600a51188c713e900115d6af129b54706df Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Wed, 6 Feb 2019 11:35:21 -0800 -Subject: [PATCH] denied axfr requests were not effective for writable DLZ - zones - -(cherry picked from commit d9077cd0038e59726e1956de18b4b7872038a283) -(cherry picked from commit 34348d9ee4db15307c6c42db294419b4df569f76) ---- - bin/named/xfrout.c | 8 ++++---- - bin/tests/system/dlzexternal/driver.c | 18 +++++++++++++++--- - bin/tests/system/dlzexternal/tests.sh | 16 ++++++++++++---- - 3 files changed, 31 insertions(+), 11 deletions(-) - -diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c -index c531e0acef..f6e57d889e 100644 ---- a/bin/named/xfrout.c -+++ b/bin/named/xfrout.c -@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { - result = dns_zt_find(client->view->zonetable, question_name, 0, NULL, - &zone); - -- if (result != ISC_R_SUCCESS) { -+ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) { - /* -- * Normal zone table does not have a match. -- * Try the DLZ database -+ * The normal zone table does not have a match, or this is -+ * marked in the zone table as a DLZ zone. Check the DLZ -+ * databases for a match. - */ -- // Temporary: only searching the first DLZ database - if (! ISC_LIST_EMPTY(client->view->dlz_searched)) { - result = dns_dlzallowzonexfr(client->view, - question_name, -diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c -index 37a62622da..dfa7847984 100644 ---- a/bin/tests/system/dlzexternal/driver.c -+++ b/bin/tests/system/dlzexternal/driver.c -@@ -542,10 +542,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, - */ - isc_result_t - dlz_allowzonexfr(void *dbdata, const char *name, const char *client) { -- UNUSED(client); -+ isc_result_t result; -+ -+ result = dlz_findzonedb(dbdata, name, NULL, NULL); -+ if (result != ISC_R_SUCCESS) { -+ return (result); -+ } - -- /* Just say yes for all our zones */ -- return (dlz_findzonedb(dbdata, name, NULL, NULL)); -+ /* -+ * Exception for 10.53.0.5 so we can test that allow-transfer -+ * is effective. -+ */ -+ if (strcmp(client, "10.53.0.5") == 0) { -+ return (ISC_R_NOPERM); -+ } -+ -+ return (ISC_R_SUCCESS); - } - - /* -diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh -index 87dd13b10e..1754aaa57c 100644 ---- a/bin/tests/system/dlzexternal/tests.sh -+++ b/bin/tests/system/dlzexternal/tests.sh -@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 - status=`expr $status + $ret` - - newtest "testing AXFR from DLZ drivers" --$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n --lines=`cat dig.out.ns1.test$n | wc -l` -+$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n -+lines=`cat dig.out.example.ns1.test$n | wc -l` - [ ${lines:-0} -eq 4 ] || ret=1 --$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n --lines=`cat dig.out.ns1.test$n | wc -l` -+$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n -+lines=`cat dig.out.alternate.ns1.test$n | wc -l` - [ ${lines:-0} -eq 5 ] || ret=1 - [ "$ret" -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` - -+newtest "testing AXFR denied from DLZ drivers" -+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n -+grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1 -+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n -+grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1 -+[ "$ret" -eq 0 ] || echo_i "failed" -+status=`expr $status + $ret` -+ - newtest "testing unsearched/unregistered DLZ zone is not found" - $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n - grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1 --- -2.20.1 - diff --git a/SOURCES/bind-9.11-CVE-2019-6471.patch b/SOURCES/bind-9.11-CVE-2019-6471.patch deleted file mode 100644 index 64f86d5..0000000 --- a/SOURCES/bind-9.11-CVE-2019-6471.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Wed, 19 Jun 2019 12:28:08 +0200 -Subject: [PATCH] Fix CVE-2019-6471 - -5244. [security] Fixed a race condition in dns_dispatch_getnext() - that could cause an assertion failure if a - significant number of incoming packets were - rejected. (CVE-2019-6471) [GL #942] ---- - lib/dns/dispatch.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c -index 321459ebcb..ae5c9c0fc7 100644 ---- a/lib/dns/dispatch.c -+++ b/lib/dns/dispatch.c -@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { - disp = resp->disp; - REQUIRE(VALID_DISPATCH(disp)); - -- REQUIRE(resp->item_out == ISC_TRUE); -- resp->item_out = ISC_FALSE; -- - ev = *sockevent; - *sockevent = NULL; - - LOCK(&disp->lock); -+ -+ REQUIRE(resp->item_out == ISC_TRUE); -+ resp->item_out = ISC_FALSE; -+ - if (ev->buffer.base != NULL) - free_buffer(disp, ev->buffer.base, ev->buffer.length); - free_devent(disp, ev); -@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, - isc_task_send(disp->task[0], &disp->ctlevent); - } - -+/* -+ * disp must be locked. -+ */ - static void - do_cancel(dns_dispatch_t *disp) { - dns_dispatchevent_t *ev; --- -2.20.1 - diff --git a/SOURCES/bind-9.11-dhcp-time-monotonic.patch b/SOURCES/bind-9.11-dhcp-time-monotonic.patch new file mode 100644 index 0000000..743c5cb --- /dev/null +++ b/SOURCES/bind-9.11-dhcp-time-monotonic.patch @@ -0,0 +1,171 @@ +diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h +index 0389efa..149cde5 100644 +--- a/lib/isc/include/isc/result.h ++++ b/lib/isc/include/isc/result.h +@@ -89,7 +89,8 @@ + #define ISC_R_DISCFULL 67 /*%< disc full */ + #define ISC_R_DEFAULT 68 /*%< default */ + #define ISC_R_IPV4PREFIX 69 /*%< IPv4 prefix */ +-#define ISC_R_NRESULTS 70 ++#define ISC_R_TIMESHIFTED 70 /*%< system time changed */ ++#define ISC_R_NRESULTS 71 + + ISC_LANG_BEGINDECLS + +diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h +index 973c348..cceeb5e 100644 +--- a/lib/isc/include/isc/util.h ++++ b/lib/isc/include/isc/util.h +@@ -289,6 +289,10 @@ extern void mock_assert(const int result, const char* const expression, + * Time + */ + #define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS) ++#ifdef CLOCK_BOOTTIME ++#define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS) ++#endif ++ + + /*% + * Alignment +diff --git a/lib/isc/result.c b/lib/isc/result.c +index a9db132..f33fc6b 100644 +--- a/lib/isc/result.c ++++ b/lib/isc/result.c +@@ -105,6 +105,7 @@ static const char *description[ISC_R_NRESULTS] = { + "disc full", /*%< 67 */ + "default", /*%< 68 */ + "IPv4 prefix", /*%< 69 */ ++ "time changed", /*%< 70 */ + }; + + static const char *identifier[ISC_R_NRESULTS] = { +@@ -178,6 +179,7 @@ static const char *identifier[ISC_R_NRESULTS] = { + "ISC_R_DISCFULL", + "ISC_R_DEFAULT", + "ISC_R_IPV4PREFIX", ++ "ISC_R_TIMESHIFTED", + }; + + #define ISC_RESULT_RESULTSET 2 +diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c +index a6e9882..286fe95 100644 +--- a/lib/isc/unix/app.c ++++ b/lib/isc/unix/app.c +@@ -442,15 +442,47 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task, + static isc_result_t + evloop(isc__appctx_t *ctx) { + isc_result_t result; ++ isc_time_t now; ++#ifdef CLOCK_BOOTTIME ++ isc_time_t monotonic; ++ isc_uint64_t diff = 0; ++#else ++ isc_time_t prev; ++ TIME_NOW(&prev); ++#endif + + while (!ctx->want_shutdown) { + int n; +- isc_time_t when, now; ++ isc_time_t when; + struct timeval tv, *tvp; + isc_socketwait_t *swait; + bool readytasks; + bool call_timer_dispatch = false; + ++ uint64_t us; ++ ++#ifdef CLOCK_BOOTTIME ++ // TBD macros for following three lines ++ TIME_NOW(&now); ++ TIME_MONOTONIC(&monotonic); ++ INSIST(now.seconds > monotonic.seconds) ++ us = isc_time_microdiff (&now, &monotonic); ++ if (us < diff){ ++ us = diff - us; ++ if (us > 1000000){ // ignoring shifts less than one second ++ return ISC_R_TIMESHIFTED; ++ }; ++ diff = isc_time_microdiff (&now, &monotonic); ++ } else { ++ diff = isc_time_microdiff (&now, &monotonic); ++ // not implemented ++ } ++#else ++ TIME_NOW(&now); ++ if (isc_time_compare (&now, &prev) < 0) ++ return ISC_R_TIMESHIFTED; ++ TIME_NOW(&prev); ++#endif + /* + * Check the reload (or suspend) case first for exiting the + * loop as fast as possible in case: +@@ -475,7 +507,6 @@ evloop(isc__appctx_t *ctx) { + if (result != ISC_R_SUCCESS) + tvp = NULL; + else { +- uint64_t us; + + TIME_NOW(&now); + us = isc_time_microdiff(&when, &now); +diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h +index b864c29..5dd43c9 100644 +--- a/lib/isc/unix/include/isc/time.h ++++ b/lib/isc/unix/include/isc/time.h +@@ -132,6 +132,26 @@ isc_time_isepoch(const isc_time_t *t); + *\li 't' is a valid pointer. + */ + ++#ifdef CLOCK_BOOTTIME ++isc_result_t ++isc_time_boottime(isc_time_t *t); ++/*%< ++ * Set 't' to monotonic time from previous boot ++ * it's not affected by system time change. It also ++ * includes the time system was suspended ++ * ++ * Requires: ++ *\li 't' is a valid pointer. ++ * ++ * Returns: ++ * ++ *\li Success ++ *\li Unexpected error ++ * Getting the time from the system failed. ++ */ ++#endif /* CLOCK_BOOTTIME */ ++ ++ + isc_result_t + isc_time_now(isc_time_t *t); + /*%< +diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c +index 8edc9df..fe0bb91 100644 +--- a/lib/isc/unix/time.c ++++ b/lib/isc/unix/time.c +@@ -498,3 +498,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) { + t->nanoseconds / NS_PER_MS); + } + } ++ ++ ++#ifdef CLOCK_BOOTTIME ++isc_result_t ++isc_time_boottime(isc_time_t *t) { ++ struct timespec ts; ++ ++ char strbuf[ISC_STRERRORSIZE]; ++ ++ if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){ ++ isc__strerror(errno, strbuf, sizeof(strbuf)); ++ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf); ++ return (ISC_R_UNEXPECTED); ++ } ++ ++ t->seconds = ts.tv_sec; ++ t->nanoseconds = ts.tv_nsec; ++ ++ return (ISC_R_SUCCESS); ++ ++}; ++#endif diff --git a/SOURCES/bind-9.11-engine-pkcs11.patch b/SOURCES/bind-9.11-engine-pkcs11.patch new file mode 100644 index 0000000..4a6290d --- /dev/null +++ b/SOURCES/bind-9.11-engine-pkcs11.patch @@ -0,0 +1,27 @@ +From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 27 Aug 2019 20:39:59 +0200 +Subject: [PATCH] Do not set engine for native PKCS11 + +It resets already set lib_path to pkcs11, which is invalid in native +pkcs11 crypto. Engine has to be path to PKCS#11 module. +--- + bin/named/include/named/globals.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h +index eda2214..2a611d5 100644 +--- a/bin/named/include/named/globals.h ++++ b/bin/named/include/named/globals.h +@@ -160,7 +160,7 @@ EXTERN const char * ns_g_defaultdnstap INIT(NULL); + + EXTERN const char * ns_g_username INIT(NULL); + +-#if defined(USE_PKCS11) ++#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO) + EXTERN const char * ns_g_engine INIT(PKCS11_ENGINE); + #else + EXTERN const char * ns_g_engine INIT(NULL); +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-export-suffix.patch b/SOURCES/bind-9.11-export-suffix.patch index e3ba29c..8703747 100644 --- a/SOURCES/bind-9.11-export-suffix.patch +++ b/SOURCES/bind-9.11-export-suffix.patch @@ -1,8 +1,8 @@ -diff --git a/configure.in b/configure.in -index e6cd6a4..988b0a7 100644 ---- a/configure.in -+++ b/configure.in -@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS) +diff --git a/configure.ac b/configure.ac +index c1bfd62..7c5ad51 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS) AC_SUBST(BUILD_LDFLAGS) AC_SUBST(BUILD_LIBS) @@ -12,10 +12,10 @@ index e6cd6a4..988b0a7 100644 # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody diff --git a/isc-config.sh.in b/isc-config.sh.in -index 110191a..5a64004 100644 +index b5e94ed..d2857e0 100644 --- a/isc-config.sh.in +++ b/isc-config.sh.in -@@ -12,16 +12,17 @@ prefix=@prefix@ +@@ -13,16 +13,17 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ exec_prefix_set= includedir=@includedir@ diff --git a/SOURCES/bind-9.11-fips-code.patch b/SOURCES/bind-9.11-fips-code.patch index 2dccdea..cf00104 100644 --- a/SOURCES/bind-9.11-fips-code.patch +++ b/SOURCES/bind-9.11-fips-code.patch @@ -1,11 +1,13 @@ -From fb8665aebd79ea33cb255f578544e1738f5bbb58 Mon Sep 17 00:00:00 2001 +From eff6dcb62f3cea6df0a848c2220a49bc02cb4a0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:34:45 +0200 -Subject: [PATCH 1/2] Squashed commit of the following: +Subject: [PATCH] FIPS code changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Squashed commit of the following: + commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b Author: Petr Menšík Date: Mon Jan 22 14:12:37 2018 +0100 @@ -94,39 +96,39 @@ Date: Mon Jan 22 07:21:04 2018 +0100 Add runtime detection whether MD5 is useable. --- - bin/confgen/keygen.c | 10 ++++- - bin/confgen/rndc-confgen.c | 36 +++++------------- - bin/dig/dig.c | 7 ++-- - bin/dig/dighost.c | 14 +++++-- - bin/dnssec/dnssec-keygen.c | 14 +++++++ - bin/named/config.c | 25 ++++++++++++- - bin/nsupdate/nsupdate.c | 24 +++++++----- + bin/confgen/keygen.c | 10 +++- + bin/confgen/rndc-confgen.c | 32 ++++--------- + bin/dig/dig.c | 7 +-- + bin/dig/dighost.c | 14 ++++-- + bin/dnssec/dnssec-keygen.c | 14 ++++++ + bin/named/config.c | 25 +++++++++- + bin/nsupdate/nsupdate.c | 24 ++++++---- bin/rndc/rndc.c | 3 +- - bin/tests/optional/hash_test.c | 78 ++++++++++++++++++++------------------- + bin/tests/optional/hash_test.c | 78 ++++++++++++++++--------------- bin/tests/system/tkey/keycreate.c | 3 ++ - bin/tests/system/tkey/keydelete.c | 18 ++++++--- - lib/bind9/check.c | 10 +++++ - lib/dns/dst_api.c | 23 ++++++++---- + bin/tests/system/tkey/keydelete.c | 17 ++++--- + lib/bind9/check.c | 10 ++++ + lib/dns/dst_api.c | 23 ++++++--- lib/dns/dst_internal.h | 3 +- - lib/dns/dst_parse.c | 18 +++++++-- - lib/dns/hmac_link.c | 20 +++------- + lib/dns/dst_parse.c | 18 +++++-- + lib/dns/hmac_link.c | 18 ++----- lib/dns/opensslrsa_link.c | 6 +++ - lib/dns/pkcs11rsa_link.c | 33 +++++++++++++++-- - lib/dns/rcode.c | 21 ++++++++++- - lib/dns/tests/rsa_test.c | 29 ++++++++------- + lib/dns/pkcs11rsa_link.c | 33 +++++++++++-- + lib/dns/rcode.c | 21 ++++++++- + lib/dns/tests/rsa_test.c | 4 ++ lib/dns/tests/tsig_test.c | 1 + - lib/dns/tkey.c | 9 +++++ + lib/dns/tkey.c | 9 ++++ lib/dns/tsec.c | 8 +++- - lib/dns/tsig.c | 17 +++++---- + lib/dns/tsig.c | 17 ++++--- lib/isc/include/isc/md5.h | 3 ++ - lib/isc/md5.c | 59 +++++++++++++++++++++++++++++ - lib/isc/pk11.c | 58 ++++++++++++++++++++--------- - lib/isc/tests/hash_test.c | 9 +++-- - lib/isccc/cc.c | 42 +++++++++++++-------- - 29 files changed, 424 insertions(+), 177 deletions(-) + lib/isc/md5.c | 59 +++++++++++++++++++++++ + lib/isc/pk11.c | 44 +++++++++++------ + lib/isc/tests/hash_test.c | 9 ++++ + lib/isccc/cc.c | 42 +++++++++++------ + 29 files changed, 400 insertions(+), 155 deletions(-) diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 453c641dba..11cc54dd46 100644 +index 8931ad5..5015abb 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -22,6 +22,7 @@ @@ -150,7 +152,7 @@ index 453c641dba..11cc54dd46 100644 switch (alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + fatal("unsupported algorithm %d\n", alg); + } else if (keysize < 1 || keysize > 512) { + fatal("keysize %d out of range (must be 1-512)\n", @@ -161,10 +163,10 @@ index 453c641dba..11cc54dd46 100644 case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA224: diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c -index 2925baf32f..d7d8418073 100644 +index 5ca3d76..6b7790a 100644 --- a/bin/confgen/rndc-confgen.c +++ b/bin/confgen/rndc-confgen.c -@@ -35,6 +35,7 @@ +@@ -36,6 +36,7 @@ #include #include #include @@ -172,16 +174,16 @@ index 2925baf32f..d7d8418073 100644 #include #include #include -@@ -62,7 +63,7 @@ const char *progname; +@@ -63,7 +64,7 @@ const char *progname; - isc_boolean_t verbose = ISC_FALSE; + bool verbose = false; -const char *keyfile, *keydef; +const char *keyfile, *keydef, *algdef; ISC_PLATFORM_NORETURN_PRE static void usage(int status) ISC_PLATFORM_NORETURN_POST; -@@ -70,13 +71,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; +@@ -71,13 +72,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; static void usage(int status) { @@ -196,7 +198,7 @@ index 2925baf32f..d7d8418073 100644 -b bits: from 1 through 512, default 256; total length of the secret\n\ -c keyfile: specify an alternate key file (requires -a)\n\ -k keyname: the name as it will be used in named.conf and rndc.conf\n\ -@@ -85,24 +85,7 @@ Usage:\n\ +@@ -86,24 +86,7 @@ Usage:\n\ -s addr: the address to which rndc should connect\n\ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ -u user: set the keyfile owner to \"user\" (requires -a)\n", @@ -222,31 +224,27 @@ index 2925baf32f..d7d8418073 100644 exit (status); } -@@ -138,13 +121,14 @@ main(int argc, char **argv) { +@@ -139,11 +122,12 @@ main(int argc, char **argv) { progname = program; keyname = DEFAULT_KEYNAME; -#ifndef PK11_MD5_DISABLE - alg = DST_ALG_HMACMD5; -#else -- alg = DST_ALG_HMACSHA256; --#endif - serveraddr = DEFAULT_SERVER; - port = DEFAULT_PORT; -+ alg = DST_ALG_HMACSHA256; + alg = DST_ALG_HMACSHA256; +#ifndef PK11_MD5_DISABLE + if (isc_md5_available()) + alg = DST_ALG_HMACMD5; -+#endif + #endif + algdef = alg_totext(alg); - - isc_commandline_errprint = ISC_FALSE; + serveraddr = DEFAULT_SERVER; + port = DEFAULT_PORT; diff --git a/bin/dig/dig.c b/bin/dig/dig.c -index d4808ada67..9dff7c8ecd 100644 +index 706299e..aaf22e7 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c -@@ -17,6 +17,7 @@ +@@ -20,6 +20,7 @@ #include #include @@ -254,7 +252,7 @@ index d4808ada67..9dff7c8ecd 100644 #include #include #include -@@ -1757,10 +1758,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, +@@ -1774,10 +1775,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, ptr = ptr2; ptr2 = ptr3; } else { @@ -269,10 +267,10 @@ index d4808ada67..9dff7c8ecd 100644 digestbits = 0; } diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index ecefc98453..94c428ed30 100644 +index 93e5b40..afd2700 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c -@@ -77,6 +77,7 @@ +@@ -80,6 +80,7 @@ #include #include #include @@ -280,7 +278,7 @@ index ecefc98453..94c428ed30 100644 #include #include #include -@@ -1243,9 +1244,10 @@ parse_hmac(const char *hmac) { +@@ -1246,9 +1247,10 @@ parse_hmac(const char *hmac) { digestbits = 0; #ifndef PK11_MD5_DISABLE @@ -293,7 +291,7 @@ index ecefc98453..94c428ed30 100644 hmacname = DNS_TSIG_HMACMD5_NAME; digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); } else -@@ -1365,7 +1367,13 @@ setup_file_key(void) { +@@ -1368,7 +1370,13 @@ setup_file_key(void) { switch (dst_key_alg(dstkey)) { #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: @@ -309,10 +307,10 @@ index ecefc98453..94c428ed30 100644 #endif case DST_ALG_HMACSHA1: diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c -index 6fc3ab0979..fc04356ed4 100644 +index 1476d0d..f5c9316 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c -@@ -34,6 +34,7 @@ +@@ -36,6 +36,7 @@ #include #include #include @@ -320,7 +318,7 @@ index 6fc3ab0979..fc04356ed4 100644 #include #include #include -@@ -560,6 +561,19 @@ main(int argc, char **argv) { +@@ -562,6 +563,19 @@ main(int argc, char **argv) { "\"-a RSAMD5\"\n"); INSIST(freeit == NULL); return (1); @@ -333,7 +331,7 @@ index 6fc3ab0979..fc04356ed4 100644 + return (1); + } + } else if (strcasecmp(algname, "RSAMD5") == 0 && -+ isc_md5_available() == ISC_FALSE) { ++ !isc_md5_available()) { + fprintf(stderr, "The use of RSAMD5 was disabled\n"); + INSIST(freeit == NULL); + return (1); @@ -341,10 +339,10 @@ index 6fc3ab0979..fc04356ed4 100644 alg = DST_ALG_HMACMD5; #else diff --git a/bin/named/config.c b/bin/named/config.c -index 54bc37fff7..c50f759ddd 100644 +index 32c454a..dff826b 100644 --- a/bin/named/config.c +++ b/bin/named/config.c -@@ -17,6 +17,7 @@ +@@ -18,6 +18,7 @@ #include #include @@ -352,14 +350,14 @@ index 54bc37fff7..c50f759ddd 100644 #include #include #include -@@ -966,6 +967,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, +@@ -974,6 +975,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits)); } +static inline int +algorithms_start() { +#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + int i = 0; + while (algorithms[i].str != NULL && + algorithms[i].hmac == hmacmd5) { @@ -373,9 +371,9 @@ index 54bc37fff7..c50f759ddd 100644 + isc_result_t ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, - unsigned int *typep, isc_uint16_t *digestbits) -@@ -975,7 +991,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, - isc_uint16_t bits; + unsigned int *typep, uint16_t *digestbits) +@@ -983,7 +999,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + uint16_t bits; isc_result_t result; - for (i = 0; algorithms[i].str != NULL; i++) { @@ -383,7 +381,7 @@ index 54bc37fff7..c50f759ddd 100644 len = strlen(algorithms[i].str); if (strncasecmp(algorithms[i].str, str, len) == 0 && (str[len] == '\0' || -@@ -998,7 +1014,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, +@@ -1006,7 +1022,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, if (name != NULL) { switch (algorithms[i].hmac) { #ifndef PK11_MD5_DISABLE @@ -398,18 +396,18 @@ index 54bc37fff7..c50f759ddd 100644 case hmacsha1: *name = dns_tsig_hmacsha1_name; break; case hmacsha224: *name = dns_tsig_hmacsha224_name; break; diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 6967b49754..bb5d50038f 100644 +index de60313..bbb3936 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -29,6 +29,7 @@ +@@ -31,6 +31,7 @@ #include #include #include +#include #include #include - #include -@@ -474,9 +475,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, + #include +@@ -477,9 +478,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); #ifndef PK11_MD5_DISABLE @@ -422,7 +420,7 @@ index 6967b49754..bb5d50038f 100644 *hmac = DNS_TSIG_HMACMD5_NAME; result = isc_parse_uint16(&digestbits, &buf[9], 10); if (result != ISC_R_SUCCESS || digestbits > 128) { -@@ -589,10 +591,10 @@ setup_keystr(void) { +@@ -592,10 +594,10 @@ setup_keystr(void) { exit(1); } } else { @@ -436,7 +434,7 @@ index 6967b49754..bb5d50038f 100644 #endif name = keystr; n = s; -@@ -729,7 +731,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { +@@ -732,7 +734,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { switch (dst_key_alg(dstkey)) { #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: @@ -446,7 +444,7 @@ index 6967b49754..bb5d50038f 100644 break; #endif case DST_ALG_HMACSHA1: -@@ -1604,12 +1607,13 @@ evaluate_key(char *cmdline) { +@@ -1637,12 +1640,13 @@ evaluate_key(char *cmdline) { return (STATUS_SYNTAX); } namestr = n + 1; @@ -465,10 +463,10 @@ index 6967b49754..bb5d50038f 100644 isc_buffer_init(&b, namestr, strlen(namestr)); isc_buffer_add(&b, strlen(namestr)); diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c -index 5c29caf86b..617b06b4a1 100644 +index 9eb0ce0..8083654 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c -@@ -21,6 +21,7 @@ +@@ -23,6 +23,7 @@ #include #include #include @@ -476,7 +474,7 @@ index 5c29caf86b..617b06b4a1 100644 #include #include #include -@@ -634,7 +635,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, +@@ -636,7 +637,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, algorithmstr = cfg_obj_asstring(algorithmobj); #ifndef PK11_MD5_DISABLE @@ -486,7 +484,7 @@ index 5c29caf86b..617b06b4a1 100644 else #endif diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c -index bf2891ad4c..b5f0a1c5f5 100644 +index bf2891a..b5f0a1c 100644 --- a/bin/tests/optional/hash_test.c +++ b/bin/tests/optional/hash_test.c @@ -90,43 +90,47 @@ main(int argc, char **argv) { @@ -575,7 +573,7 @@ index bf2891ad4c..b5f0a1c5f5 100644 /* diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 2a0ee94888..489f4390dc 100644 +index 5a00f86..653c951 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -20,6 +20,7 @@ @@ -590,30 +588,29 @@ index 2a0ee94888..489f4390dc 100644 static char keystr[] = "0123456789ab"; isc_event_free(&event); -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); result = ISC_R_FAILURE; if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 7057c318e4..36ee6c7d21 100644 +index bde66a4..70a40c3 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c -@@ -225,12 +225,18 @@ main(int argc, char **argv) { +@@ -225,12 +225,17 @@ main(int argc, char **argv) { result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); CHECK("dst_key_fromnamedfile", result); #ifndef PK11_MD5_DISABLE - result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - DNS_TSIG_HMACMD5_NAME, -- dstkey, ISC_TRUE, NULL, 0, 0, +- dstkey, true, NULL, 0, 0, - mctx, ring, &tsigkey); - dst_key_free(&dstkey); - CHECK("dns_tsigkey_createfromkey", result); + if (isc_md5_available()) { + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), + DNS_TSIG_HMACMD5_NAME, -+ dstkey, ISC_TRUE, -+ NULL, 0, 0, ++ dstkey, true, NULL, 0, 0, + mctx, ring, &tsigkey); + dst_key_free(&dstkey); + CHECK("dns_tsigkey_createfromkey", result); @@ -625,10 +622,10 @@ index 7057c318e4..36ee6c7d21 100644 dst_key_free(&dstkey); CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); diff --git a/lib/bind9/check.c b/lib/bind9/check.c -index 3da83a7ae2..1a3d534799 100644 +index ec0ab6d..e0803d4 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c -@@ -21,6 +21,7 @@ +@@ -23,6 +23,7 @@ #include #include #include @@ -636,13 +633,13 @@ index 3da83a7ae2..1a3d534799 100644 #include #include #include -@@ -2572,6 +2573,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { +@@ -2618,6 +2619,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { } algorithm = cfg_obj_asstring(algobj); +#ifndef PK11_MD5_DISABLE + /* Skip hmac-md5* algorithms */ -+ if (isc_md5_available() == ISC_FALSE && ++ if (!isc_md5_available() && + strncasecmp(algorithm, "hmac-md5", 8) == 0) { + cfg_obj_log(algobj, logctx, ISC_LOG_ERROR, + "disabled algorithm '%s'", algorithm); @@ -653,10 +650,10 @@ index 3da83a7ae2..1a3d534799 100644 len = strlen(algorithms[i].name); if (strncasecmp(algorithms[i].name, algorithm, len) == 0 && diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 4f3d6ac55c..dbece0ac56 100644 +index e3c47a9..320c0f8 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -190,6 +190,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -192,6 +192,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, dst_result_register(); memset(dst_t_func, 0, sizeof(dst_t_func)); @@ -669,7 +666,7 @@ index 4f3d6ac55c..dbece0ac56 100644 #ifndef PK11_MD5_DISABLE RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); #endif -@@ -199,7 +205,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -201,7 +207,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); #ifdef OPENSSL @@ -677,7 +674,7 @@ index 4f3d6ac55c..dbece0ac56 100644 #ifndef PK11_MD5_DISABLE RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], DST_ALG_RSAMD5)); -@@ -233,14 +238,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -235,14 +240,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); #endif #elif PKCS11CRYPTO @@ -703,10 +700,10 @@ index 4f3d6ac55c..dbece0ac56 100644 RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 640519a5ba..deb7ed4e13 100644 +index 6ee796c..3e55d44 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h -@@ -245,7 +245,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); +@@ -250,7 +250,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); isc_result_t dst__hmacsha512_init(struct dst_func **funcp); isc_result_t dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); @@ -717,10 +714,10 @@ index 640519a5ba..deb7ed4e13 100644 isc_result_t dst__openssldsa_init(struct dst_func **funcp); isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c -index b0e5c895c6..03f2b8ace8 100644 +index f31c33d..87023a6 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c -@@ -30,6 +30,7 @@ +@@ -33,6 +33,7 @@ #include #include #include @@ -728,7 +725,7 @@ index b0e5c895c6..03f2b8ace8 100644 #include #include #include -@@ -393,6 +394,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, +@@ -396,6 +397,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, switch (alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: @@ -739,7 +736,7 @@ index b0e5c895c6..03f2b8ace8 100644 #endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: -@@ -418,7 +423,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, +@@ -421,7 +426,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, return (check_eddsa(priv, external)); #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: @@ -751,36 +748,35 @@ index b0e5c895c6..03f2b8ace8 100644 #endif case DST_ALG_HMACSHA1: return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg)); -@@ -637,11 +645,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, +@@ -640,11 +648,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, } #ifdef PK11_MD5_DISABLE - check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, -- ISC_TRUE, external); +- true, external); + if (alg == DST_ALG_RSA) + alg = DST_ALG_RSASHA1; #else -- check = check_data(priv, alg, ISC_TRUE, external); -+ if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA) +- check = check_data(priv, alg, true, external); ++ if (!isc_md5_available() && alg == DST_ALG_RSA) + alg = DST_ALG_RSASHA1; #endif -+ check = check_data(priv, alg, ISC_TRUE, external); ++ check = check_data(priv, alg, true, external); if (check < 0) { ret = DST_R_INVALIDPRIVATEKEY; goto fail; diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c -index 59aa4705e5..21bfa44450 100644 +index 3b6579b..4bdce2f 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c -@@ -338,25 +338,17 @@ static dst_func_t hmacmd5_functions = { +@@ -340,20 +340,10 @@ static dst_func_t hmacmd5_functions = { isc_result_t dst__hmacmd5_init(dst_func_t **funcp) { -#ifdef HAVE_FIPS_MODE - /* +- /* - * Problems from OpenSSL are likely from FIPS mode -+ * Prevent use of incorrect crypto - */ +- */ - int fips_mode = FIPS_mode(); - - if (fips_mode != 0) { @@ -789,26 +785,20 @@ index 59aa4705e5..21bfa44450 100644 - "if the value is 0.\n" - "Please disable either FIPS mode or MD5.", - fips_mode); +- } +-#endif + -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { -+ /* Intentionally skip initialization */ ++ /* Intentionally skip initialization */ ++ if (!isc_md5_available()) + return (ISC_R_SUCCESS); - } - #endif - -- /* -- * Prevent use of incorrect crypto -- */ -- - RUNTIME_CHECK(isc_md5_check(ISC_FALSE)); - RUNTIME_CHECK(isc_hmacmd5_check(0)); + #if PK11_FLAVOR != PK11_UTIMACO_FLAVOR + /* diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c -index f4847bbe74..126cebca19 100644 +index ec35f50..c80fabe 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c -@@ -1801,6 +1801,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { +@@ -1812,6 +1812,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { if (*funcp == NULL) { switch (algorithm) { @@ -822,10 +812,10 @@ index f4847bbe74..126cebca19 100644 #if defined(HAVE_EVP_SHA256) || !USE_EVP *funcp = &opensslrsa_functions; diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c -index 56955203e9..af6008d4dd 100644 +index 096c1a8..6c280bf 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c -@@ -94,10 +94,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { +@@ -96,10 +96,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { #endif /* @@ -835,44 +825,44 @@ index 56955203e9..af6008d4dd 100644 switch (dctx->key->key_alg) { case DST_ALG_RSAMD5: +#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); +#endif + /* FALLTHROUGH */ case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ -@@ -634,6 +639,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { +@@ -641,6 +646,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { switch (key->key_alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); + mech.mechanism = CKM_MD5; break; #endif -@@ -790,6 +798,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { +@@ -799,6 +807,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { switch (key->key_alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); + der = md5_der; derlen = sizeof(md5_der); hashlen = ISC_MD5_DIGESTLENGTH; -@@ -1014,6 +1025,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { +@@ -1024,6 +1035,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { switch (key->key_alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); + der = md5_der; derlen = sizeof(md5_der); hashlen = ISC_MD5_DIGESTLENGTH; -@@ -2217,11 +2231,22 @@ static dst_func_t pkcs11rsa_functions = { +@@ -2231,11 +2245,22 @@ static dst_func_t pkcs11rsa_functions = { }; isc_result_t @@ -899,18 +889,18 @@ index 56955203e9..af6008d4dd 100644 } diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c -index 937d8fc1ec..d1fa8d5870 100644 +index 9c42c50..f51d548 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c -@@ -14,6 +14,7 @@ - #include +@@ -16,6 +16,7 @@ + #include #include +#include #include #include #include -@@ -347,17 +348,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { +@@ -357,17 +358,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { return (dns_mnemonic_totext(cert, target, certs)); } @@ -919,7 +909,7 @@ index 937d8fc1ec..d1fa8d5870 100644 + struct tbl *algs = secalgs; + +#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + while (algs->name != NULL && + algs->value == DNS_KEYALG_RSAMD5) + ++algs; @@ -947,87 +937,65 @@ index 937d8fc1ec..d1fa8d5870 100644 void diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c -index 224cf5b475..44040dd8b7 100644 +index f9ac6d0..241e17e 100644 --- a/lib/dns/tests/rsa_test.c +++ b/lib/dns/tests/rsa_test.c -@@ -19,6 +19,7 @@ - #include - #include +@@ -27,6 +27,7 @@ + #define UNIT_TESTING + #include +#include #include #include -@@ -225,23 +226,25 @@ ATF_TC_BODY(isc_rsa_verify, tc) { +@@ -248,6 +249,8 @@ isc_rsa_verify_test(void **state) { /* RSAMD5 */ #ifndef PK11_MD5_DISABLE -- key->key_alg = DST_ALG_RSAMD5; + if (isc_md5_available()) { -+ key->key_alg = DST_ALG_RSAMD5; - -- ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, -- ISC_FALSE, &ctx); -- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); -+ ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, -+ ISC_FALSE, &ctx); -+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); - -- r.base = d; -- r.length = 10; -- ret = dst_context_adddata(ctx, &r); -- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); -+ r.base = d; -+ r.length = 10; -+ ret = dst_context_adddata(ctx, &r); -+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); - -- r.base = sigmd5; -- r.length = 256; -- ret = dst_context_verify(ctx, &r); -- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); -+ r.base = sigmd5; -+ r.length = 256; -+ ret = dst_context_verify(ctx, &r); -+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); - -- dst_context_destroy(&ctx); -+ dst_context_destroy(&ctx); ++ /* wrong indentation is kept for diff minimization */ + key->key_alg = DST_ALG_RSAMD5; + + ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, +@@ -265,6 +268,7 @@ isc_rsa_verify_test(void **state) { + assert_int_equal(ret, ISC_R_SUCCESS); + + dst_context_destroy(&ctx); + } #endif /* RSASHA256 */ diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c -index ee025c2387..c403d9954d 100644 +index 11d011a..feb2068 100644 --- a/lib/dns/tests/tsig_test.c +++ b/lib/dns/tests/tsig_test.c -@@ -14,6 +14,7 @@ - #include - #include +@@ -25,6 +25,7 @@ + #define UNIT_TESTING + #include +#include #include #include - + #include diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c -index d9f68e50b1..a8edde47b5 100644 +index 89cfc79..d07364a 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c -@@ -242,6 +242,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, +@@ -245,6 +245,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, unsigned char digests[32]; unsigned int i; -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_NOTIMPLEMENTED); + isc_buffer_usedregion(shared, &r); /* -@@ -318,6 +321,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, +@@ -321,6 +324,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, } #ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + tkey_log("process_dhtkey: MD5 was disabled"); + tkeyout->error = dns_tsigerror_badalg; + return (ISC_R_SUCCESS); @@ -1037,7 +1005,7 @@ index d9f68e50b1..a8edde47b5 100644 tkey_log("process_dhtkey: algorithms other than " "hmac-md5 are not supported"); diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c -index a367291f23..37baad7437 100644 +index 9d8ead4..0c82f65 100644 --- a/lib/dns/tsec.c +++ b/lib/dns/tsec.c @@ -11,6 +11,7 @@ @@ -1063,10 +1031,10 @@ index a367291f23..37baad7437 100644 #endif case DST_ALG_HMACSHA1: diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c -index bdcc581bc3..70805bb709 100644 +index 58c1104..00ee1e1 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c -@@ -270,7 +270,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, +@@ -273,7 +273,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, (void)dns_name_downcase(&tkey->name, &tkey->name, NULL); #ifndef PK11_MD5_DISABLE @@ -1076,7 +1044,7 @@ index bdcc581bc3..70805bb709 100644 tkey->algorithm = DNS_TSIG_HMACMD5_NAME; if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) { ret = DNS_R_BADALG; -@@ -496,7 +497,8 @@ destroyring(dns_tsig_keyring_t *ring) { +@@ -499,7 +500,8 @@ destroyring(dns_tsig_keyring_t *ring) { static unsigned int dst_alg_fromname(dns_name_t *algorithm) { #ifndef PK11_MD5_DISABLE @@ -1086,7 +1054,7 @@ index bdcc581bc3..70805bb709 100644 return (DST_ALG_HMACMD5); } else #endif -@@ -680,7 +682,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, +@@ -683,7 +685,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, REQUIRE(secret != NULL); #ifndef PK11_MD5_DISABLE @@ -1096,7 +1064,7 @@ index bdcc581bc3..70805bb709 100644 if (secret != NULL) { isc_buffer_t b; -@@ -1280,7 +1283,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, +@@ -1291,7 +1294,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, return (ret); if ( #ifndef PK11_MD5_DISABLE @@ -1105,7 +1073,7 @@ index bdcc581bc3..70805bb709 100644 #endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -@@ -1449,7 +1452,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, +@@ -1460,7 +1463,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, if ( #ifndef PK11_MD5_DISABLE @@ -1114,7 +1082,7 @@ index bdcc581bc3..70805bb709 100644 #endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -@@ -1590,7 +1593,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { +@@ -1601,7 +1604,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { goto cleanup_querystruct; if ( #ifndef PK11_MD5_DISABLE @@ -1123,7 +1091,7 @@ index bdcc581bc3..70805bb709 100644 #endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || -@@ -1769,7 +1772,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { +@@ -1780,7 +1783,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { goto cleanup_context; if ( #ifndef PK11_MD5_DISABLE @@ -1133,24 +1101,24 @@ index bdcc581bc3..70805bb709 100644 alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h -index e5f46dd9c7..9d11f9f8b6 100644 +index 4d29398..e3f5cec 100644 --- a/lib/isc/include/isc/md5.h +++ b/lib/isc/include/isc/md5.h -@@ -89,6 +89,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); - isc_boolean_t - isc_md5_check(isc_boolean_t testing); +@@ -91,6 +91,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); + bool + isc_md5_check(bool testing); -+isc_boolean_t ++bool +isc_md5_available(void); + ISC_LANG_ENDDECLS #endif /* !PK11_MD5_DISABLE */ diff --git a/lib/isc/md5.c b/lib/isc/md5.c -index 740d863b1b..aefd16478f 100644 +index 249f3da..628a414 100644 --- a/lib/isc/md5.c +++ b/lib/isc/md5.c -@@ -35,6 +35,7 @@ +@@ -37,6 +37,7 @@ #include #include @@ -1158,17 +1126,17 @@ index 740d863b1b..aefd16478f 100644 #include #include #include -@@ -53,6 +54,9 @@ +@@ -54,6 +55,9 @@ #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) #endif +static isc_once_t available_once = ISC_ONCE_INIT; -+static isc_boolean_t available = ISC_FALSE; ++static bool available = false; + void isc_md5_init(isc_md5_t *ctx) { ctx->ctx = EVP_MD_CTX_new(); -@@ -84,8 +88,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +@@ -85,8 +89,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { ctx->ctx = NULL; } @@ -1180,14 +1148,14 @@ index 740d863b1b..aefd16478f 100644 + + ctx->ctx = EVP_MD_CTX_new(); + RUNTIME_CHECK(ctx->ctx != NULL); -+ available = ISC_TF(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); ++ available = (EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); + if (available) + (void)EVP_DigestFinal(ctx->ctx, digest, NULL); + EVP_MD_CTX_free(ctx->ctx); + ctx->ctx = NULL; +} + -+isc_boolean_t ++bool +isc_md5_available() { + RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) + == ISC_R_SUCCESS); @@ -1197,12 +1165,12 @@ index 740d863b1b..aefd16478f 100644 #elif PKCS11CRYPTO +static isc_once_t available_once = ISC_ONCE_INIT; -+static isc_boolean_t available = ISC_FALSE; ++static bool available = false; + void isc_md5_init(isc_md5_t *ctx) { CK_RV rv; -@@ -128,6 +157,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +@@ -129,6 +158,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { pk11_return_session(ctx); } @@ -1213,18 +1181,18 @@ index 740d863b1b..aefd16478f 100644 + CK_RV rv; + CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; + -+ if (pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS) ++ if (pk11_get_session(ctx, OP_DIGEST, true, false, ++ false, NULL, 0) == ISC_R_SUCCESS) + { + rv = pkcs_C_DigestInit(ctx->session, &mech); + isc_md5_invalidate(ctx); -+ available = (ISC_TF(rv == CKR_OK)); ++ available = (rv == CKR_OK); + } else { -+ available = ISC_FALSE; ++ available = false; + } +} + -+isc_boolean_t ++bool +isc_md5_available() { + RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) + == ISC_R_SUCCESS); @@ -1234,74 +1202,49 @@ index 740d863b1b..aefd16478f 100644 #else static void -@@ -337,6 +391,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +@@ -338,6 +392,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { memmove(digest, ctx->buf, 16); isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */ } + -+isc_boolean_t ++bool +isc_md5_available() { -+ return ISC_TRUE; ++ return true; +} #endif /* diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index fc75a46154..48e1031974 100644 +index 0d5b009..7809e7b 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c -@@ -191,13 +191,12 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { - LOCK(&alloclock); - if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) - isc_mem_attach(mctx, &pk11_mctx); -+ UNLOCK(&alloclock); -+ -+ LOCK(&sessionlock); +@@ -197,8 +197,6 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + UNLOCK(&alloclock); if (initialized) { -- UNLOCK(&alloclock); -- return (ISC_R_SUCCESS); + goto unlock; - } else { -- LOCK(&sessionlock); -- initialized = ISC_TRUE; -- UNLOCK(&alloclock); -+ result = ISC_R_SUCCESS; -+ goto unlock; +- initialized = true; } ISC_LIST_INIT(tokens); -@@ -237,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { +@@ -238,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { } #endif #endif /* PKCS11CRYPTO */ -+ initialized = ISC_TRUE; - result = ISC_R_SUCCESS; ++ initialized = true; unlock: UNLOCK(&sessionlock); -@@ -273,9 +273,14 @@ pk11_finalize(void) { - pk11_mem_put(token, sizeof(*token)); - token = next; - } -+ LOCK(&alloclock); - if (pk11_mctx != NULL) - isc_mem_detach(&pk11_mctx); -+ UNLOCK(&alloclock); -+ -+ LOCK(&sessionlock); - initialized = ISC_FALSE; -+ UNLOCK(&sessionlock); - return (ret); - } - -@@ -589,6 +594,8 @@ scan_slots(void) { + return (result); +@@ -589,6 +588,8 @@ scan_slots(void) { pk11_token_t *token; unsigned int i; - isc_boolean_t bad; + bool bad; + unsigned int best_rsa_algorithms = 0; + unsigned int best_digest_algorithms = 0; slotCount = 0; PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); -@@ -601,6 +608,8 @@ scan_slots(void) { +@@ -601,6 +602,8 @@ scan_slots(void) { PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount)); for (i = 0; i < slotCount; i++) { @@ -1310,12 +1253,12 @@ index fc75a46154..48e1031974 100644 slot = slotList[i]; PK11_TRACE2("slot#%u=0x%lx\n", i, slot); -@@ -640,11 +649,12 @@ scan_slots(void) { +@@ -640,11 +643,12 @@ scan_slots(void) { if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || ((mechInfo.flags & CKF_VERIFY) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) -- bad = ISC_TRUE; +- bad = true; -#endif PK11_TRACEM(CKM_MD5_RSA_PKCS); } @@ -1326,28 +1269,28 @@ index fc75a46154..48e1031974 100644 rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, &mechInfo); if ((rv != CKR_OK) || -@@ -687,8 +697,14 @@ scan_slots(void) { +@@ -687,8 +691,14 @@ scan_slots(void) { if (bad) goto try_dsa; token->operations |= 1 << OP_RSA; - if (best_rsa_token == NULL) + if (best_rsa_token == NULL) { -+ best_rsa_token = token; + best_rsa_token = token; + best_rsa_algorithms = rsa_algorithms; + } else if (rsa_algorithms > best_rsa_algorithms) { + pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token)); - best_rsa_token = token; ++ best_rsa_token = token; + best_rsa_algorithms = rsa_algorithms; + } try_dsa: - bad = ISC_FALSE; -@@ -756,11 +772,12 @@ scan_slots(void) { - bad = ISC_FALSE; + bad = false; +@@ -756,11 +766,12 @@ scan_slots(void) { + bad = false; rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { -#ifndef PK11_MD5_DISABLE -- bad = ISC_TRUE; +- bad = true; -#endif PK11_TRACEM(CKM_MD5); } @@ -1357,13 +1300,13 @@ index fc75a46154..48e1031974 100644 +#endif rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; -@@ -788,11 +805,12 @@ scan_slots(void) { + bad = true; +@@ -788,11 +799,12 @@ scan_slots(void) { } rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) -- bad = ISC_TRUE; +- bad = true; -#endif PK11_TRACEM(CKM_MD5_HMAC); } @@ -1374,61 +1317,61 @@ index fc75a46154..48e1031974 100644 rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { #ifndef PK11_SHA_1_HMAC_REPLACE -@@ -830,8 +848,14 @@ scan_slots(void) { +@@ -830,8 +842,14 @@ scan_slots(void) { } if (!bad) { token->operations |= 1 << OP_DIGEST; - if (digest_token == NULL) + if (digest_token == NULL) { -+ digest_token = token; + digest_token = token; + best_digest_algorithms = digest_algorithms; + } else if (digest_algorithms > best_digest_algorithms) { + pk11_mem_put(digest_token, sizeof(*digest_token)); - digest_token = token; ++ digest_token = token; + best_digest_algorithms = digest_algorithms; + } } /* ECDSA requires digest */ diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c -index 18759903be..6bc45b1ad3 100644 +index 31ced94..421131e 100644 --- a/lib/isc/tests/hash_test.c +++ b/lib/isc/tests/hash_test.c -@@ -2008,7 +2008,8 @@ ATF_TP_ADD_TCS(tp) { - * various cryptographic hashes. - */ - #ifndef PK11_MD5_DISABLE -- ATF_TP_ADD_TC(tp, md5_check); -+ if (isc_md5_available()) -+ ATF_TP_ADD_TC(tp, md5_check); - #endif - ATF_TP_ADD_TC(tp, sha1_check); +@@ -775,6 +775,9 @@ isc_md5_test(void **state) { + + UNUSED(state); + ++ if (!isc_md5_available()) ++ return; ++ + /* + * These are the various test vectors. All of these are passed + * through the hash function and the results are compared to the +@@ -1630,6 +1633,9 @@ isc_hmacmd5_test(void **state) { + + UNUSED(state); + ++ if (!isc_md5_available()) ++ return; ++ + /* + * These are the various test vectors. All of these are passed + * through the hash function and the results are compared to the +@@ -1940,6 +1946,9 @@ static void + md5_check_test(void **state) { + UNUSED(state); + ++ if (!isc_md5_available()) ++ return; ++ + assert_true(isc_md5_check(false)); + assert_false(isc_md5_check(true)); -@@ -2016,7 +2017,8 @@ ATF_TP_ADD_TCS(tp) { - ATF_TP_ADD_TC(tp, isc_hash_function_reverse); - ATF_TP_ADD_TC(tp, isc_hash_initializer); - #ifndef PK11_MD5_DISABLE -- ATF_TP_ADD_TC(tp, isc_hmacmd5); -+ if (isc_md5_available()) -+ ATF_TP_ADD_TC(tp, isc_hmacmd5); - #endif - ATF_TP_ADD_TC(tp, isc_hmacsha1); - ATF_TP_ADD_TC(tp, isc_hmacsha224); -@@ -2024,7 +2026,8 @@ ATF_TP_ADD_TCS(tp) { - ATF_TP_ADD_TC(tp, isc_hmacsha384); - ATF_TP_ADD_TC(tp, isc_hmacsha512); - #ifndef PK11_MD5_DISABLE -- ATF_TP_ADD_TC(tp, isc_md5); -+ if (isc_md5_available()) -+ ATF_TP_ADD_TC(tp, isc_md5); - #endif - ATF_TP_ADD_TC(tp, isc_sha1); - ATF_TP_ADD_TC(tp, isc_sha224); diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c -index 7225ab4a37..42b30466be 100644 +index c2740cb..c314d76 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c -@@ -270,11 +270,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, +@@ -272,11 +272,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, switch (algorithm) { #ifndef PK11_MD5_DISABLE case ISCCC_ALG_HMACMD5: @@ -1449,14 +1392,14 @@ index 7225ab4a37..42b30466be 100644 break; #endif -@@ -348,14 +352,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, +@@ -350,14 +354,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, { unsigned int hmac_base, signed_base; isc_result_t result; -+ const isc_boolean_t md5 = ISC_TF(algorithm == ISCCC_ALG_HMACMD5); ++ const bool md5 = (algorithm == ISCCC_ALG_HMACMD5); #ifndef PK11_MD5_DISABLE -+ if (md5 && isc_md5_available() == ISC_FALSE) ++ if (md5 && !isc_md5_available()) + return (ISC_R_NOTIMPLEMENTED); + result = isc_buffer_reserve(buffer, @@ -1470,7 +1413,7 @@ index 7225ab4a37..42b30466be 100644 return (ISC_R_NOTIMPLEMENTED); result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha)); #endif -@@ -374,7 +382,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, +@@ -376,7 +384,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, * we know what it is. */ #ifndef PK11_MD5_DISABLE @@ -1479,7 +1422,7 @@ index 7225ab4a37..42b30466be 100644 hmac_base = (*buffer)->used + HMD5_OFFSET; isc_buffer_putmem(*buffer, auth_hmd5, sizeof(auth_hmd5)); -@@ -440,7 +448,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, +@@ -442,7 +450,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, if (!isccc_alist_alistp(_auth)) return (ISC_R_FAILURE); #ifndef PK11_MD5_DISABLE @@ -1488,7 +1431,7 @@ index 7225ab4a37..42b30466be 100644 hmac = isccc_alist_lookup(_auth, "hmd5"); else #endif -@@ -455,12 +463,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, +@@ -457,12 +465,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, switch (algorithm) { #ifndef PK11_MD5_DISABLE case ISCCC_ALG_HMACMD5: @@ -1512,5 +1455,5 @@ index 7225ab4a37..42b30466be 100644 case ISCCC_ALG_HMACSHA1: -- -2.14.4 +2.20.1 diff --git a/SOURCES/bind-9.11-fips-disable.patch b/SOURCES/bind-9.11-fips-disable.patch index 4ba1d2e..afe9564 100644 --- a/SOURCES/bind-9.11-fips-disable.patch +++ b/SOURCES/bind-9.11-fips-disable.patch @@ -1,4 +1,4 @@ -From 38ae0949251e7bd228858120d8eaa2a697f84f1a Mon Sep 17 00:00:00 2001 +From 83b889c238282b210f874a3ad81bb56299767495 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Mon, 5 Aug 2019 11:54:03 +0200 Subject: [PATCH] Allow explicit disabling of autodisabled MD5 @@ -15,16 +15,16 @@ other usage. 3 files changed, 21 insertions(+), 20 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c -index 1afb461226..8116cab0cb 100644 +index 5b57371..51702ab 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -1530,12 +1530,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { +@@ -1547,12 +1547,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { r.length = strlen(r.base); result = dns_secalg_fromtext(&alg, &r); - if (result != ISC_R_SUCCESS) { + if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { - isc_uint8_t ui; + uint8_t ui; result = isc_parse_uint8(&ui, r.base, 10); alg = ui; } @@ -34,10 +34,10 @@ index 1afb461226..8116cab0cb 100644 ns_g_lctx, ISC_LOG_ERROR, "invalid algorithm"); diff --git a/lib/bind9/check.c b/lib/bind9/check.c -index 1a3d534799..545e3c6a5e 100644 +index e0803d4..8023784 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c -@@ -298,6 +298,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) { +@@ -302,6 +302,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) { r.length = strlen(r.base); tresult = dns_secalg_fromtext(&alg, &r); @@ -49,10 +49,10 @@ index 1a3d534799..545e3c6a5e 100644 cfg_obj_log(cfg_listelt_value(element), logctx, ISC_LOG_ERROR, "invalid algorithm '%s'", diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c -index d1fa8d5870..d57a798e29 100644 +index f51d548..c49b8d1 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c -@@ -124,7 +124,6 @@ +@@ -126,7 +126,6 @@ #endif #define SECALGNAMES \ @@ -60,7 +60,7 @@ index d1fa8d5870..d57a798e29 100644 DH_SECALGNAMES \ DSA_SECALGNAMES \ { DNS_KEYALG_ECC, "ECC", 0 }, \ -@@ -176,6 +175,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES }; +@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES }; static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES }; static struct tbl certs[] = { CERTNAMES }; static struct tbl secalgs[] = { SECALGNAMES }; @@ -68,7 +68,7 @@ index d1fa8d5870..d57a798e29 100644 static struct tbl secprotos[] = { SECPROTONAMES }; static struct tbl hashalgs[] = { HASHALGNAMES }; static struct tbl dsdigests[] = { DSDIGESTNAMES }; -@@ -348,33 +348,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { +@@ -358,33 +358,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { return (dns_mnemonic_totext(cert, target, certs)); } @@ -77,7 +77,7 @@ index d1fa8d5870..d57a798e29 100644 - struct tbl *algs = secalgs; - -#ifndef PK11_MD5_DISABLE -- if (isc_md5_available() == ISC_FALSE) { +- if (!isc_md5_available()) { - while (algs->name != NULL && - algs->value == DNS_KEYALG_RSAMD5) - ++algs; @@ -97,7 +97,7 @@ index d1fa8d5870..d57a798e29 100644 + secalgs, 0xff); + if (result != ISC_R_SUCCESS) { + result = dns_mnemonic_fromtext(&value, source, -+ md5_secalgs, 0xff); ++ md5_secalgs, 0xff); + if (result != ISC_R_SUCCESS) { + return (result); + } else if (!isc_md5_available()) { diff --git a/SOURCES/bind-9.11-fips-tests.patch b/SOURCES/bind-9.11-fips-tests.patch index f7a998d..29dda07 100644 --- a/SOURCES/bind-9.11-fips-tests.patch +++ b/SOURCES/bind-9.11-fips-tests.patch @@ -1,11 +1,13 @@ -From 35b53607724ec4b5d4060385218c39ccd0d78a4d Mon Sep 17 00:00:00 2001 +From c23daf334d5487fa53fef88c82312e439a2d8523 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 -Subject: [PATCH 2/2] Squashed commit of the following: +Subject: [PATCH] FIPS tests changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Squashed commit of the following: + commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa Author: Petr Menšík Date: Wed Mar 7 20:35:13 2018 +0100 @@ -56,59 +58,56 @@ Date: Wed Mar 7 10:44:23 2018 +0100 Use hmac-sha256 instead of default hmac-md5 for allow-query --- - bin/tests/system/acl/ns2/named1.conf.in | 4 +- - bin/tests/system/acl/ns2/named2.conf.in | 4 +- - bin/tests/system/acl/ns2/named3.conf.in | 6 +-- - bin/tests/system/acl/ns2/named4.conf.in | 4 +- - bin/tests/system/acl/ns2/named5.conf.in | 4 +- - bin/tests/system/acl/tests.sh | 32 +++++------ - bin/tests/system/allow-query/ns2/named10.conf.in | 2 +- - bin/tests/system/allow-query/ns2/named11.conf.in | 4 +- - bin/tests/system/allow-query/ns2/named12.conf.in | 2 +- - bin/tests/system/allow-query/ns2/named30.conf.in | 2 +- - bin/tests/system/allow-query/ns2/named31.conf.in | 4 +- - bin/tests/system/allow-query/ns2/named32.conf.in | 2 +- - bin/tests/system/allow-query/ns2/named40.conf.in | 4 +- - bin/tests/system/allow-query/tests.sh | 18 +++---- - bin/tests/system/catz/ns1/named.conf.in | 2 +- - bin/tests/system/catz/ns2/named.conf.in | 2 +- - bin/tests/system/checkconf/bad-tsig.conf | 2 +- - bin/tests/system/checkconf/good.conf | 2 +- - bin/tests/system/digdelv/ns2/example.db | 15 +++--- - bin/tests/system/digdelv/tests.sh | 28 +++++----- - bin/tests/system/dlv/ns1/sign.sh | 4 +- - bin/tests/system/dlv/ns2/sign.sh | 4 +- - bin/tests/system/dlv/ns3/sign.sh | 69 ++++++++++++------------ - bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++++----------- - bin/tests/system/dnssec/ns1/sign.sh | 4 +- - bin/tests/system/dnssec/ns2/sign.sh | 12 ++--- - bin/tests/system/dnssec/ns3/sign.sh | 20 +++---- - bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +- - bin/tests/system/dnssec/tests.sh | 8 +-- - bin/tests/system/feature-test.c | 14 +++++ - bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +- - bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +- - bin/tests/system/notify/ns5/named.conf.in | 6 +-- - bin/tests/system/notify/tests.sh | 6 +-- - bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- - bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- - bin/tests/system/nsupdate/setup.sh | 7 ++- - bin/tests/system/nsupdate/tests.sh | 11 +++- - bin/tests/system/rndc/setup.sh | 2 +- - bin/tests/system/rndc/tests.sh | 23 ++++---- - bin/tests/system/tsig/clean.sh | 1 + - bin/tests/system/tsig/ns1/named.conf.in | 10 +--- - bin/tests/system/tsig/ns1/rndc5.conf.in | 11 ++++ - bin/tests/system/tsig/setup.sh | 4 ++ - bin/tests/system/tsig/tests.sh | 67 ++++++++++++++--------- - bin/tests/system/tsiggss/setup.sh | 2 +- - bin/tests/system/upforwd/ns1/named.conf.in | 2 +- - bin/tests/system/upforwd/tests.sh | 2 +- - 48 files changed, 287 insertions(+), 225 deletions(-) + bin/tests/system/acl/ns2/named1.conf.in | 4 +- + bin/tests/system/acl/ns2/named2.conf.in | 4 +- + bin/tests/system/acl/ns2/named3.conf.in | 6 +- + bin/tests/system/acl/ns2/named4.conf.in | 4 +- + bin/tests/system/acl/ns2/named5.conf.in | 4 +- + bin/tests/system/acl/tests.sh | 32 ++++----- + .../system/allow-query/ns2/named10.conf.in | 2 +- + .../system/allow-query/ns2/named11.conf.in | 4 +- + .../system/allow-query/ns2/named12.conf.in | 2 +- + .../system/allow-query/ns2/named30.conf.in | 2 +- + .../system/allow-query/ns2/named31.conf.in | 4 +- + .../system/allow-query/ns2/named32.conf.in | 2 +- + .../system/allow-query/ns2/named40.conf.in | 4 +- + bin/tests/system/allow-query/tests.sh | 18 ++--- + bin/tests/system/catz/ns1/named.conf.in | 2 +- + bin/tests/system/catz/ns2/named.conf.in | 2 +- + bin/tests/system/checkconf/bad-tsig.conf | 2 +- + bin/tests/system/checkconf/good.conf | 2 +- + bin/tests/system/digdelv/ns2/example.db | 15 +++-- + bin/tests/system/digdelv/tests.sh | 20 +++--- + bin/tests/system/dlv/ns1/sign.sh | 4 +- + bin/tests/system/dlv/ns2/sign.sh | 4 +- + bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++--------- + bin/tests/system/dnssec/ns2/sign.sh | 8 +-- + bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +- + bin/tests/system/dnssec/tests.sh | 4 +- + bin/tests/system/feature-test.c | 14 ++++ + bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +- + bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +- + bin/tests/system/notify/ns5/named.conf.in | 6 +- + bin/tests/system/notify/tests.sh | 6 +- + bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- + bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- + bin/tests/system/nsupdate/setup.sh | 7 +- + bin/tests/system/nsupdate/tests.sh | 11 ++- + bin/tests/system/rndc/setup.sh | 2 +- + bin/tests/system/rndc/tests.sh | 23 ++++--- + bin/tests/system/tsig/clean.sh | 1 + + bin/tests/system/tsig/ns1/named.conf.in | 10 +-- + bin/tests/system/tsig/setup.sh | 5 ++ + bin/tests/system/tsig/tests.sh | 67 ++++++++++++------- + bin/tests/system/tsiggss/setup.sh | 2 +- + bin/tests/system/upforwd/ns1/named.conf.in | 2 +- + bin/tests/system/upforwd/tests.sh | 2 +- + bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ + 45 files changed, 232 insertions(+), 171 deletions(-) create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 0ea6502708..026db3f134 100644 +index 0ea6502..026db3f 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -33,12 +33,12 @@ options { @@ -127,7 +126,7 @@ index 0ea6502708..026db3f134 100644 }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index b877880554..d8f50be255 100644 +index b877880..d8f50be 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -33,12 +33,12 @@ options { @@ -146,7 +145,7 @@ index b877880554..d8f50be255 100644 }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 0a950622a2..aa54088138 100644 +index 0a95062..aa54088 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -33,17 +33,17 @@ options { @@ -171,7 +170,7 @@ index 0a950622a2..aa54088138 100644 }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 7cdcb6e341..606a3452d8 100644 +index 7cdcb6e..606a345 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -33,12 +33,12 @@ options { @@ -190,7 +189,7 @@ index 7cdcb6e341..606a3452d8 100644 }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 4b4e05027a..0e679a821d 100644 +index 4b4e050..0e679a8 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -34,12 +34,12 @@ options { @@ -209,7 +208,7 @@ index 4b4e05027a..0e679a821d 100644 }; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index 09f31f2bb9..f88f0d4430 100644 +index 09f31f2..f88f0d4 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" @@ -335,7 +334,7 @@ index 09f31f2bb9..f88f0d4430 100644 echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 1569913b37..e9c5c2d574 100644 +index 1569913..e9c5c2d 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -12,7 +12,7 @@ @@ -348,7 +347,7 @@ index 1569913b37..e9c5c2d574 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 18ac91c6e7..2b1c8739d8 100644 +index 18ac91c..2b1c873 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -12,12 +12,12 @@ @@ -367,7 +366,7 @@ index 18ac91c6e7..2b1c8739d8 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index b8248444dd..dd48945bf8 100644 +index b824844..dd48945 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -12,7 +12,7 @@ @@ -380,7 +379,7 @@ index b8248444dd..dd48945bf8 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index aeb1540e95..bfce58bddd 100644 +index aeb1540..bfce58b 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -12,7 +12,7 @@ @@ -393,7 +392,7 @@ index aeb1540e95..bfce58bddd 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index d4b743281a..e0f52526ba 100644 +index d4b7432..e0f5252 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -12,12 +12,12 @@ @@ -412,7 +411,7 @@ index d4b743281a..e0f52526ba 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index c0259387e7..87afb3fa3a 100644 +index c025938..87afb3f 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -12,7 +12,7 @@ @@ -425,7 +424,7 @@ index c0259387e7..87afb3fa3a 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index d83b376cfd..d726b9480b 100644 +index d83b376..d726b94 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; @@ -444,7 +443,7 @@ index d83b376cfd..d726b9480b 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index fb6059d5b8..f9601564a2 100644 +index fb6059d..f960156 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh @@ -190,7 +190,7 @@ rndc_reload @@ -529,7 +528,7 @@ index fb6059d5b8..f9601564a2 100644 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 74b7d371b7..c35376640d 100644 +index 74b7d37..c353766 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -61,5 +61,5 @@ zone "catalog4.example" { @@ -540,7 +539,7 @@ index 74b7d371b7..c35376640d 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index ee83efbee4..35ced08842 100644 +index ee83efb..35ced08 100644 --- a/bin/tests/system/catz/ns2/named.conf.in +++ b/bin/tests/system/catz/ns2/named.conf.in @@ -70,5 +70,5 @@ zone "catalog4.example" { @@ -551,7 +550,7 @@ index ee83efbee4..35ced08842 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 21be03e9d2..e57c30875c 100644 +index 21be03e..e57c308 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf @@ -11,7 +11,7 @@ @@ -564,7 +563,7 @@ index 21be03e9d2..e57c30875c 100644 }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 9ab35b38a5..486551ae64 100644 +index 9ab35b3..486551a 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -153,6 +153,6 @@ dyndb "name" "library.so" { @@ -576,7 +575,7 @@ index 9ab35b38a5..486551ae64 100644 secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db -index f4e30f51e5..9f53e31c97 100644 +index f4e30f5..9f53e31 100644 --- a/bin/tests/system/digdelv/ns2/example.db +++ b/bin/tests/system/digdelv/ns2/example.db @@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 @@ -602,37 +601,19 @@ index f4e30f51e5..9f53e31c97 100644 ; TTL of 3 weeks weeks 1814400 A 10.53.0.2 diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh -index 1b25c4ddfc..5dbf20a3e1 100644 +index ade45ce..d3aff24 100644 --- a/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh -@@ -62,7 +62,7 @@ if [ -x ${DIG} ] ; then - echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -70,7 +70,7 @@ if [ -x ${DIG} ] ; then - echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -78,7 +78,7 @@ if [ -x ${DIG} ] ; then +@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +rrcomments works for DNSKEY($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 - grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1 + grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 + check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` - -@@ -86,7 +86,7 @@ if [ -x ${DIG} ] ; then +@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -641,7 +622,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -94,7 +94,7 @@ if [ -x ${DIG} ] ; then +@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +short +nosplit works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -650,7 +631,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -102,7 +102,7 @@ if [ -x ${DIG} ] ; then +@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +short +rrcomments works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -659,7 +640,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -118,7 +118,7 @@ if [ -x ${DIG} ] ; then +@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +short +rrcomments works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -668,34 +649,16 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -543,7 +543,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -551,7 +551,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -559,7 +559,7 @@ if [ -x ${DELV} ] ; then +@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +rrcomments works for DNSKEY($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 - grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1 + grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1 + check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` - -@@ -567,7 +567,7 @@ if [ -x ${DELV} ] ; then +@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -704,7 +667,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -575,7 +575,7 @@ if [ -x ${DELV} ] ; then +@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -713,7 +676,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -583,7 +583,7 @@ if [ -x ${DELV} ] ; then +@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -722,7 +685,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi f=`awk '{print NF}' < delv.out.test$n` test "${f:-0}" -eq 14 || ret=1 -@@ -594,7 +594,7 @@ if [ -x ${DELV} ] ; then +@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit +norrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -732,22 +695,22 @@ index 1b25c4ddfc..5dbf20a3e1 100644 f=`awk '{print NF}' < delv.out.test$n` test "${f:-0}" -eq 4 || ret=1 diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh -index b8151620cc..2a62e583b8 100755 +index 606e7cc..a3a0d60 100755 --- a/bin/tests/system/dlv/ns1/sign.sh +++ b/bin/tests/system/dlv/ns1/sign.sh @@ -23,8 +23,8 @@ infile=root.db.in zonefile=root.db outfile=root.signed --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh -index 6f84d7a525..e128303a22 100755 +index 9825c57..202c978 100755 --- a/bin/tests/system/dlv/ns2/sign.sh +++ b/bin/tests/system/dlv/ns2/sign.sh @@ -24,8 +24,8 @@ zonefile=druz.db @@ -761,207 +724,8 @@ index 6f84d7a525..e128303a22 100755 cat $infile $keyname1.key $keyname2.key >$zonefile -diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh -index bcc9922e26..846dbcc0df 100755 ---- a/bin/tests/system/dlv/ns3/sign.sh -+++ b/bin/tests/system/dlv/ns3/sign.sh -@@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh" - dlvzone=dlv.utld. - dlvsets= - dssets= -+bits=1024 - - zone=child1.utld. - infile=child.db.in -@@ -26,8 +27,8 @@ zonefile=child1.utld.db - outfile=child1.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -42,8 +43,8 @@ zonefile=child3.utld.db - outfile=child3.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -58,8 +59,8 @@ zonefile=child4.utld.db - outfile=child4.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -73,8 +74,8 @@ zonefile=child5.utld.db - outfile=child5.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -88,8 +89,8 @@ infile=child.db.in - zonefile=child7.utld.db - outfile=child7.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -103,8 +104,8 @@ infile=child.db.in - zonefile=child8.utld.db - outfile=child8.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -118,8 +119,8 @@ zonefile=child9.utld.db - outfile=child9.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -132,8 +133,8 @@ zonefile=child10.utld.db - outfile=child10.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -147,8 +148,8 @@ outfile=child1.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -164,8 +165,8 @@ outfile=child3.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -181,8 +182,8 @@ outfile=child4.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -197,8 +198,8 @@ outfile=child5.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -213,8 +214,8 @@ zonefile=child7.druz.db - outfile=child7.druz.signed - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -228,8 +229,8 @@ infile=child.db.in - zonefile=child8.druz.db - outfile=child8.druz.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -243,8 +244,8 @@ zonefile=child9.druz.db - outfile=child9.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -258,8 +259,8 @@ outfile=child10.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -272,8 +273,8 @@ infile=dlv.db.in - zonefile=dlv.utld.db - outfile=dlv.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile - diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh -index 1e398625f1..4ed19acd1f 100755 +index 1e39862..4ed19ac 100755 --- a/bin/tests/system/dlv/ns6/sign.sh +++ b/bin/tests/system/dlv/ns6/sign.sh @@ -16,13 +16,15 @@ SYSTESTDIR=dlv @@ -1147,43 +911,11 @@ index 1e398625f1..4ed19acd1f 100755 cat $infile $keyname1.key $keyname2.key >$zonefile -diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh -index 198d60ae15..d89a539ffd 100644 ---- a/bin/tests/system/dnssec/ns1/sign.sh -+++ b/bin/tests/system/dnssec/ns1/sign.sh -@@ -27,7 +27,7 @@ cp ../ns2/dsset-in-addr.arpa$TP . - grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP - cp ../ns6/dsset-optout-tld$TP . - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` - - cat $infile $keyname.key > $zonefile - -@@ -48,6 +48,6 @@ cp managed.conf ../ns4/managed.conf - # - # Save keyid for managed key id test. - # --keyid=`expr $keyname : 'K.+001+\(.*\)'` -+keyid=`expr $keyname : 'K.+008+\([0-9]*\)'` - keyid=`expr $keyid + 0` - echo "$keyid" > managed.key.id diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh -index 9078459ac8..9dcd028eb5 100644 +index 13fb924..1ffa279 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh -@@ -29,8 +29,8 @@ do - cp ../ns3/dsset-$subdomain.example$TP . - done - --keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` --keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` -+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` -+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -89,8 +89,8 @@ zone=in-addr.arpa. +@@ -126,8 +126,8 @@ zone=in-addr.arpa. infile=in-addr.arpa.db.in zonefile=in-addr.arpa.db @@ -1194,7 +926,7 @@ index 9078459ac8..9dcd028eb5 100644 cat $infile $keyname1.key $keyname2.key >$zonefile $SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null -@@ -101,7 +101,7 @@ privzone=private.secure.example. +@@ -138,7 +138,7 @@ privzone=private.secure.example privinfile=private.secure.example.db.in privzonefile=private.secure.example.db @@ -1203,104 +935,17 @@ index 9078459ac8..9dcd028eb5 100644 cat $privinfile $privkeyname.key >$privzonefile -@@ -115,7 +115,7 @@ dlvinfile=dlv.db.in +@@ -152,7 +152,7 @@ dlvinfile=dlv.db.in dlvzonefile=dlv.db - dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP + dlvsetfile=dlvset-${privzone}${TP} -dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone` +dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone` cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile -diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh -index 330abf7feb..f95a6b7ea8 100644 ---- a/bin/tests/system/dnssec/ns3/sign.sh -+++ b/bin/tests/system/dnssec/ns3/sign.sh -@@ -28,7 +28,7 @@ zone=bogus.example. - infile=bogus.example.db.in - zonefile=bogus.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -38,8 +38,8 @@ zone=dynamic.example. - infile=dynamic.example.db.in - zonefile=dynamic.example.db - --keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` --keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone` -+keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` -+keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -49,7 +49,7 @@ zone=keyless.example. - infile=generic.example.db.in - zonefile=keyless.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -69,7 +69,7 @@ zone=secure.nsec3.example. - infile=secure.nsec3.example.db.in - zonefile=secure.nsec3.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -82,7 +82,7 @@ zone=nsec3.nsec3.example. - infile=nsec3.nsec3.example.db.in - zonefile=nsec3.nsec3.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -95,7 +95,7 @@ zone=optout.nsec3.example. - infile=optout.nsec3.example.db.in - zonefile=optout.nsec3.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -108,7 +108,7 @@ zone=nsec3.example. - infile=nsec3.example.db.in - zonefile=nsec3.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -121,7 +121,7 @@ zone=secure.optout.example. - infile=secure.optout.example.db.in - zonefile=secure.optout.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -498,7 +498,7 @@ zone=badds.example. - infile=bogus.example.db.in - zonefile=badds.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad -index ed30460bda..e6b112630e 100644 +index ed30460..e6b1126 100644 --- a/bin/tests/system/dnssec/ns5/trusted.conf.bad +++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad @@ -10,5 +10,5 @@ @@ -1311,28 +956,10 @@ index ed30460bda..e6b112630e 100644 + "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; }; diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh -index bb2315fbf3..315666825e 100644 +index b31c1b4..a5e237b 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh -@@ -1690,7 +1690,7 @@ ret=0 - $RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i - keyid=`cat ns1/managed.key.id` - cp ns4/named.secroots named.secroots.test$n --linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l` -+linecount=`grep "./RSASHA256/$keyid ; trusted" named.secroots.test$n | wc -l` - [ "$linecount" -eq 1 ] || ret=1 - linecount=`cat named.secroots.test$n | wc -l` - [ "$linecount" -eq 10 ] || ret=1 -@@ -3018,7 +3018,7 @@ echo_i "check dig's +nocrypto flag ($n)" - ret=0 - $DIG $DIGOPTS +norec +nocrypto DNSKEY . \ - @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 --grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 -+grep '256 3 8 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 - grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +norec +nocrypto DS example \ - @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 -@@ -3130,8 +3130,8 @@ do +@@ -3235,8 +3235,8 @@ do alg=`expr $alg + 1` continue;; 3) size="-b 512";; @@ -1344,7 +971,7 @@ index bb2315fbf3..315666825e 100644 8) size="-b 512";; 10) size="-b 1024";; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 9612450ab4..5eee6aa4f8 100644 +index c1249ed..20a3139 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -19,6 +19,7 @@ @@ -1355,15 +982,15 @@ index 9612450ab4..5eee6aa4f8 100644 #include #ifdef WIN32 -@@ -45,6 +46,7 @@ usage() { - fprintf(stderr, " --have-geoip\n"); +@@ -47,6 +48,7 @@ usage() { + fprintf(stderr, " --have-geoip2\n"); fprintf(stderr, " --have-libxml2\n"); fprintf(stderr, " --ipv6only=no\n"); + fprintf(stderr, " --md5\n"); fprintf(stderr, " --rpz-nsdname\n"); fprintf(stderr, " --rpz-nsip\n"); fprintf(stderr, " --with-idn\n"); -@@ -136,6 +138,18 @@ main(int argc, char **argv) { +@@ -155,6 +157,18 @@ main(int argc, char **argv) { #endif } @@ -1383,7 +1010,7 @@ index 9612450ab4..5eee6aa4f8 100644 #ifdef ENABLE_RPZ_NSIP return (0); diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh -index f7555810a0..4a7d89004a 100755 +index f755581..4a7d890 100755 --- a/bin/tests/system/filter-aaaa/ns1/sign.sh +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh @@ -21,8 +21,8 @@ infile=signed.db.in @@ -1398,7 +1025,7 @@ index f7555810a0..4a7d89004a 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh -index f7555810a0..4a7d89004a 100755 +index f755581..4a7d890 100755 --- a/bin/tests/system/filter-aaaa/ns4/sign.sh +++ b/bin/tests/system/filter-aaaa/ns4/sign.sh @@ -21,8 +21,8 @@ infile=signed.db.in @@ -1413,7 +1040,7 @@ index f7555810a0..4a7d89004a 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index cfcfe8fa2f..0a1614d527 100644 +index cfcfe8f..0a1614d 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in @@ -10,17 +10,17 @@ @@ -1438,10 +1065,10 @@ index cfcfe8fa2f..0a1614d527 100644 }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index ad20e3eaca..5a9ce4688a 100644 +index 1f6e6d0..c08bd25 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh -@@ -186,16 +186,16 @@ ret=0 +@@ -212,16 +212,16 @@ ret=0 $NSUPDATE << EOF server 10.53.0.5 ${PORT} zone x21 @@ -1462,7 +1089,7 @@ index ad20e3eaca..5a9ce4688a 100644 grep "test string" dig.out.b.ns5.test$n > /dev/null && grep "test string" dig.out.c.ns5.test$n > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 1d999adc39..26b6b7c9ab 100644 +index 1d999ad..26b6b7c 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -32,7 +32,7 @@ controls { @@ -1475,10 +1102,10 @@ index 1d999adc39..26b6b7c9ab 100644 }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index b4ecf96668..1adb33eb0b 100644 +index 4549184..cb7dccd 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in -@@ -24,7 +24,7 @@ options { +@@ -33,7 +33,7 @@ controls { }; key altkey { @@ -1488,10 +1115,10 @@ index b4ecf96668..1adb33eb0b 100644 }; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index 32674eb382..2331b30b00 100644 +index 21805c5..0d3d85c 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh -@@ -59,7 +59,12 @@ EOF +@@ -58,7 +58,12 @@ EOF $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key @@ -1506,10 +1133,10 @@ index 32674eb382..2331b30b00 100644 $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 2a01d1e46d..e8659587c3 100755 +index 4da4849..b3bc807 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh -@@ -680,7 +680,14 @@ fi +@@ -708,7 +708,14 @@ fi n=`expr $n + 1` ret=0 echo_i "check TSIG key algorithms ($n)" @@ -1525,7 +1152,7 @@ index 2a01d1e46d..e8659587c3 100755 $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -688,7 +695,7 @@ send +@@ -716,7 +723,7 @@ send END done sleep 2 @@ -1535,7 +1162,7 @@ index 2a01d1e46d..e8659587c3 100755 done if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index 850c4d2744..09a3e0f9ad 100644 +index 343869e..c30efb0 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh @@ -37,7 +37,7 @@ make_key () { @@ -1548,10 +1175,10 @@ index 850c4d2744..09a3e0f9ad 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index d364e6fea0..dbf3bc6780 100644 +index 57e066d..186a723 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh -@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` n=`expr $n + 1` @@ -1582,7 +1209,7 @@ index d364e6fea0..dbf3bc6780 100644 n=`expr $n + 1` echo_i "testing rndc with hmac-sha1 ($n)" diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh -index 576ec70f76..cb7a852189 100644 +index 576ec70..cb7a852 100644 --- a/bin/tests/system/tsig/clean.sh +++ b/bin/tests/system/tsig/clean.sh @@ -20,3 +20,4 @@ rm -f */named.run @@ -1591,7 +1218,7 @@ index 576ec70f76..cb7a852189 100644 rm -f keygen.out? +rm -f ns1/named.conf diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index fbf30c6dc4..f61657d7cf 100644 +index fbf30c6..f61657d 100644 --- a/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in @@ -21,10 +21,7 @@ options { @@ -1618,37 +1245,21 @@ index fbf30c6dc4..f61657d7cf 100644 key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in -new file mode 100644 -index 0000000000..4117830adb ---- /dev/null -+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in -@@ -0,0 +1,11 @@ -+ -+key "md5" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5; -+}; -+ -+key "md5-trunc" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5-80; -+}; -+ diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index 656e9bbcd8..628c5bbac1 100644 +index 4dd4a25..aa0f966 100644 --- a/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh -@@ -17,3 +17,7 @@ $SHELL clean.sh +@@ -17,3 +17,8 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf - test -r $RANDFILE || $GENRANDOM 400 $RANDFILE + test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE ++ +if $FEATURETEST --md5 +then + cat ns1/rndc5.conf.in >> ns1/named.conf +fi diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index f731fa604c..cade35bc1d 100644 +index f731fa6..cade35b 100644 --- a/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh @@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f @@ -1740,10 +1351,10 @@ index f731fa604c..cade35bc1d 100644 echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh -index 5da33cfde0..fb108b02bd 100644 +index 0d21c7b..dbcb7b4 100644 --- a/bin/tests/system/tsiggss/setup.sh +++ b/bin/tests/system/tsiggss/setup.sh -@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE +@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE copy_setports ns1/named.conf.in ns1/named.conf @@ -1751,7 +1362,7 @@ index 5da33cfde0..fb108b02bd 100644 +key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index e0a30cda15..6a77b1ce52 100644 +index e0a30cd..6a77b1c 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -10,7 +10,7 @@ @@ -1764,7 +1375,7 @@ index e0a30cda15..6a77b1ce52 100644 }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index b0694bbd5c..9adae8228e 100644 +index b0694bb..9adae82 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh @@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi @@ -1776,6 +1387,22 @@ index b0694bbd5c..9adae8228e 100644 server 10.53.0.3 ${PORT} update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 TXT Foo +diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in +new file mode 100644 +index 0000000..0682194 +--- /dev/null ++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in +@@ -0,0 +1,10 @@ ++# Conditionally included when support for MD5 is available ++key "md5" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5; ++}; ++ ++key "md5-trunc" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5-80; ++}; -- -2.14.4 +2.20.1 diff --git a/SOURCES/bind-9.11-host-idn-disable.patch b/SOURCES/bind-9.11-host-idn-disable.patch index 434c596..7f02b4c 100644 --- a/SOURCES/bind-9.11-host-idn-disable.patch +++ b/SOURCES/bind-9.11-host-idn-disable.patch @@ -1,4 +1,4 @@ -From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001 +From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 25 Sep 2018 18:08:46 +0200 Subject: [PATCH] Disable IDN from environment as documented @@ -12,16 +12,16 @@ Support variable CHARSET=ASCII to disable IDN, supported in downstream RH patch since RHEL 5. --- bin/dig/dig.docbook | 4 +++- - bin/dig/dighost.c | 9 +++++++-- + bin/dig/dighost.c | 5 +++++ bin/dig/host.docbook | 2 +- bin/dig/nslookup.docbook | 15 +++++++++++++++ - 4 files changed, 26 insertions(+), 4 deletions(-) + 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook -index fedd288..d5dba72 100644 +index 5d19301..933af79 100644 --- a/bin/dig/dig.docbook +++ b/bin/dig/dig.docbook -@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr +@@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr reply from the server. If you'd like to turn off the IDN support for some reason, use parameters +noidnin and @@ -33,34 +33,26 @@ index fedd288..d5dba72 100644 diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index 7408193..d46379d 100644 +index 5eabc1f..73aaab8 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c -@@ -822,12 +822,17 @@ make_empty_lookup(void) { - looknew->seenbadcookie = ISC_FALSE; - looknew->badcookie = ISC_TRUE; +@@ -826,6 +826,11 @@ make_empty_lookup(void) { + looknew->badcookie = true; #ifdef WITH_IDN_SUPPORT -- looknew->idnin = ISC_TRUE; -+ looknew->idnin = (getenv("IDN_DISABLE") == NULL); + looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false; + if (looknew->idnin) { + const char *charset = getenv("CHARSET"); + if (charset && !strcmp(charset, "ASCII")) -+ looknew->idnin = ISC_FALSE; ++ looknew->idnin = false; + } #else - looknew->idnin = ISC_FALSE; - #endif - #ifdef WITH_IDN_OUT_SUPPORT -- looknew->idnout = ISC_TRUE; -+ looknew->idnout = looknew->idnin; - #else - looknew->idnout = ISC_FALSE; + looknew->idnin = false; #endif diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook -index 9c3aeaa..42cbbf9 100644 +index da0f8fb..9689b5a 100644 --- a/bin/dig/host.docbook +++ b/bin/dig/host.docbook -@@ -378,7 +378,7 @@ +@@ -379,7 +379,7 @@ host appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. @@ -70,10 +62,10 @@ index 9c3aeaa..42cbbf9 100644 The IDN support is disabled if the variable is set when host runs. diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook -index 3aff4e9..86a09c6 100644 +index d46fc2d..6d7d181 100644 --- a/bin/dig/nslookup.docbook +++ b/bin/dig/nslookup.docbook -@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10 +@@ -495,6 +495,21 @@ nslookup -query=hinfo -timeout=10 @@ -96,5 +88,5 @@ index 3aff4e9..86a09c6 100644 /etc/resolv.conf -- -2.14.4 +2.20.1 diff --git a/SOURCES/bind-9.11-json-c.patch b/SOURCES/bind-9.11-json-c.patch new file mode 100644 index 0000000..95e5597 --- /dev/null +++ b/SOURCES/bind-9.11-json-c.patch @@ -0,0 +1,50 @@ +From cb6d2019766a6c8c5516fd8859cedf0052f03293 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 25 Jul 2019 11:37:57 +0200 +Subject: [PATCH] Skip support of jsoncpp + +Bind cannot be compiled when jsoncpp-devel is installed. Remove support +for jsoncpp, use only json-c-devel. Bind 9.15 has already support for +--with-json-c, do not yet introduce it. +--- + configure.ac | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 6d05337..5ce83b5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2594,15 +2594,7 @@ case "$use_libjson" in + auto|yes) + for d in /usr /usr/local /opt/local + do +- if test -f "${d}/include/json/json.h" +- then +- if test ${d} != /usr +- then +- libjson_cflags="-I ${d}/include" +- LIBS="$LIBS -L${d}/lib" +- fi +- have_libjson="yes" +- elif test -f "${d}/include/json-c/json.h" ++ if test -f "${d}/include/json-c/json.h" + then + if test ${d} != /usr + then +@@ -2615,12 +2607,7 @@ case "$use_libjson" in + done + ;; + *) +- if test -f "${use_libjson}/include/json/json.h" +- then +- libjson_cflags="-I${use_libjson}/include" +- LIBS="$LIBS -L${use_libjson}/lib" +- have_libjson="yes" +- elif test -f "${use_libjson}/include/json-c/json.h" ++ if test -f "${use_libjson}/include/json-c/json.h" + then + libjson_cflags="-I${use_libjson}/include" + LIBS="$LIBS -L${use_libjson}/lib" +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-kyua-pkcs11.patch b/SOURCES/bind-9.11-kyua-pkcs11.patch index ab21828..ac15d22 100644 --- a/SOURCES/bind-9.11-kyua-pkcs11.patch +++ b/SOURCES/bind-9.11-kyua-pkcs11.patch @@ -1,4 +1,4 @@ -From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001 +From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 2 Jan 2018 18:13:07 +0100 Subject: [PATCH] Fix pkcs11 variants atf tests @@ -7,20 +7,19 @@ Add dns-pkcs11 tests Makefile to configure Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode --- - configure.in | 1 + - lib/Atffile | 2 ++ + configure.ac | 1 + lib/Kyuafile | 2 ++ lib/dns-pkcs11/tests/Makefile.in | 10 +++++----- lib/dns-pkcs11/tests/dh_test.c | 3 ++- lib/isc-pkcs11/tests/Makefile.in | 6 +++--- lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++------- - 7 files changed, 40 insertions(+), 16 deletions(-) + 6 files changed, 38 insertions(+), 16 deletions(-) -diff --git a/configure.in b/configure.in -index 67b3aab..4767eeb 100644 ---- a/configure.in -+++ b/configure.in -@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([ +diff --git a/configure.ac b/configure.ac +index 0532feb..a83ddd5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([ lib/dns-pkcs11/include/Makefile lib/dns-pkcs11/include/dns/Makefile lib/dns-pkcs11/include/dst/Makefile @@ -28,25 +27,11 @@ index 67b3aab..4767eeb 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -diff --git a/lib/Atffile b/lib/Atffile -index 93bbb01..4db3dce 100644 ---- a/lib/Atffile -+++ b/lib/Atffile -@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1" - prop: test-suite = bind9 - - tp: dns -+tp: dns-pkcs11 - tp: irs - tp: isc -+tp: isc-pkcs11 - tp: isccfg - tp: lwres diff --git a/lib/Kyuafile b/lib/Kyuafile -index ff9fc56..eaaf0dc 100644 +index 7c8bab0..eec9564 100644 --- a/lib/Kyuafile +++ b/lib/Kyuafile -@@ -2,7 +2,9 @@ syntax(2) +@@ -2,8 +2,10 @@ syntax(2) test_suite('bind9') include('dns/Kyuafile') @@ -54,67 +39,68 @@ index ff9fc56..eaaf0dc 100644 include('irs/Kyuafile') include('isc/Kyuafile') +include('isc-pkcs11/Kyuafile') + include('isccc/Kyuafile') include('isccfg/Kyuafile') include('lwres/Kyuafile') diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index 2a6571b..f25a784 100644 +index 7671e1d..e237d5c 100644 --- a/lib/dns-pkcs11/tests/Makefile.in +++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ +@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@ CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ @DST_OPENSSL_INC@ -CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" -+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" ++CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" -ISCLIBS = ../../isc/libisc.@A@ -ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@ +-DNSLIBS = ../libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ -DNSDEPLIBS = ../libdns.@A@ +ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ +ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ -+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ ++DNSLIBS = ../libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ +DNSDEPLIBS = ../libdns-pkcs11.@A@ - LIBS = @LIBS@ @ATFLIBS@ - + LIBS = @LIBS@ @CMOCKA_LIBS@ + CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@ diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c -index 036d27a..eb6554f 100644 +index 4dbfd82..a383b8e 100644 --- a/lib/dns-pkcs11/tests/dh_test.c +++ b/lib/dns-pkcs11/tests/dh_test.c -@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { - ret = dst_key_computesecret(key, key, &buf); - ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY); - ret = key->func->computesecret(key, key, &buf); -- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE); +@@ -86,7 +86,8 @@ dh_computesecret(void **state) { + result = dst_key_computesecret(key, key, &buf); + assert_int_equal(result, DST_R_NOTPRIVATEKEY); + result = key->func->computesecret(key, key, &buf); +- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE); + /* PKCS11 variant gives different result, accept both */ -+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY); ++ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY); dst_key_free(&key); - dns_test_end(); + } diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in -index f7fa538..818dae4 100644 +index 2fdee0b..a263b35 100644 --- a/lib/isc-pkcs11/tests/Makefile.in +++ b/lib/isc-pkcs11/tests/Makefile.in -@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@ +@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@ -CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\"" -+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\"" ++CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\"" -ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCDEPLIBS = ../libisc.@A@ +ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ +ISCDEPLIBS = ../libisc-pkcs11.@A@ - LIBS = @LIBS@ @ATFLIBS@ - + LIBS = @LIBS@ @CMOCKA_LIBS@ + CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@ diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c -index 5b8a374..c1891c2 100644 +index 9c4d299..d9deba2 100644 --- a/lib/isc-pkcs11/tests/hash_test.c +++ b/lib/isc-pkcs11/tests/hash_test.c -@@ -74,7 +74,7 @@ typedef struct hash_testcase { +@@ -85,7 +85,7 @@ typedef struct hash_testcase { typedef struct hash_test_key { const char *key; @@ -123,7 +109,7 @@ index 5b8a374..c1891c2 100644 } hash_test_key_t; /* non-hmac tests */ -@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { +@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -134,9 +120,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha1_init(&hmacsha1, buffer, test_key->len); + isc_hmacsha1_init(&hmacsha1, buffer, len); isc_hmacsha1_update(&hmacsha1, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { +@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -147,9 +133,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha224_init(&hmacsha224, buffer, test_key->len); + isc_hmacsha224_init(&hmacsha224, buffer, len); isc_hmacsha224_update(&hmacsha224, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { +@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -160,9 +146,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha256_init(&hmacsha256, buffer, test_key->len); + isc_hmacsha256_init(&hmacsha256, buffer, len); isc_hmacsha256_update(&hmacsha256, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { +@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -173,9 +159,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha384_init(&hmacsha384, buffer, test_key->len); + isc_hmacsha384_init(&hmacsha384, buffer, len); isc_hmacsha384_update(&hmacsha384, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { +@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -186,9 +172,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha512_init(&hmacsha512, buffer, test_key->len); + isc_hmacsha512_init(&hmacsha512, buffer, len); isc_hmacsha512_update(&hmacsha512, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { +@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -199,8 +185,8 @@ index 5b8a374..c1891c2 100644 - isc_hmacmd5_init(&hmacmd5, buffer, test_key->len); + isc_hmacmd5_init(&hmacmd5, buffer, len); isc_hmacmd5_update(&hmacmd5, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -- -2.14.3 +2.20.1 diff --git a/SOURCES/bind-9.11-oot-manual.patch b/SOURCES/bind-9.11-oot-manual.patch index b090b9f..84e9d25 100644 --- a/SOURCES/bind-9.11-oot-manual.patch +++ b/SOURCES/bind-9.11-oot-manual.patch @@ -1,4 +1,4 @@ -From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001 +From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Jul 2018 12:24:16 +0200 Subject: [PATCH] Use make automatic variables to install updated manuals @@ -19,7 +19,7 @@ Install all files in single command instead of iterating on each of them. 9 files changed, 54 insertions(+), 38 deletions(-) diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in -index 12f48d2d23..d8eac4c714 100644 +index c124e80..1174f8d 100644 --- a/bin/check/Makefile.in +++ b/bin/check/Makefile.in @@ -83,12 +83,14 @@ installdirs: @@ -35,13 +35,13 @@ index 12f48d2d23..d8eac4c714 100644 ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} (cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) -- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done - (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) uninstall:: rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8 diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index 87f13dda4b..7865c0c73e 100644 +index 87f13dd..7865c0c 100644 --- a/bin/confgen/Makefile.in +++ b/bin/confgen/Makefile.in @@ -95,13 +95,14 @@ installdirs: @@ -64,7 +64,7 @@ index 87f13dda4b..7865c0c73e 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8 diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in -index e2d2802262..19361a83ea 100644 +index e2d2802..19361a8 100644 --- a/bin/delv/Makefile.in +++ b/bin/delv/Makefile.in @@ -63,10 +63,12 @@ installdirs: @@ -83,7 +83,7 @@ index e2d2802262..19361a83ea 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man1/delv.1 diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in -index 773ac46395..3edd951e7e 100644 +index a9830a9..d7ac0b6 100644 --- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -91,16 +91,16 @@ installdirs: @@ -102,13 +102,13 @@ index 773ac46395..3edd951e7e 100644 ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ nslookup@EXEEXT@ ${DESTDIR}${bindir} - for m in ${MANPAGES}; do \ -- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ -- done +- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \ +- done uninstall:: for m in ${MANPAGES}; do \ diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in -index 1be1d5ffc6..1d0c4ce5c1 100644 +index 2239ad1..ce0a177 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -110,9 +110,11 @@ installdirs: @@ -120,16 +120,16 @@ index 1be1d5ffc6..1d0c4ce5c1 100644 + ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 + +install:: ${TARGETS} installdirs install-man8 - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done -- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done uninstall:: - for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done + for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index 1c413973d0..03e4cb849b 100644 +index e1f85a9..d92bc9a 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in -@@ -172,12 +172,17 @@ installdirs: +@@ -176,12 +176,17 @@ installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 @@ -152,7 +152,7 @@ index 1c413973d0..03e4cb849b 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man5/named.conf.5 diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in -index ae9061626c..a058c91214 100644 +index ae90616..a058c91 100644 --- a/bin/pkcs11/Makefile.in +++ b/bin/pkcs11/Makefile.in @@ -71,7 +71,10 @@ installdirs: @@ -179,7 +179,7 @@ index ae9061626c..a058c91214 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8 diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in -index aa678d47ab..064c404e2f 100644 +index aa678d4..064c404 100644 --- a/bin/python/Makefile.in +++ b/bin/python/Makefile.in @@ -47,13 +47,13 @@ installdirs: @@ -201,7 +201,7 @@ index aa678d47ab..064c404e2f 100644 if test -n "${DESTDIR}" ; then \ ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \ diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in -index 7bf2af4cea..c395bc7462 100644 +index 7bf2af4..c395bc7 100644 --- a/bin/tools/Makefile.in +++ b/bin/tools/Makefile.in @@ -119,17 +119,27 @@ installdirs: diff --git a/SOURCES/bind-9.11-rh1410433.patch b/SOURCES/bind-9.11-rh1410433.patch index b7fdc48..d307620 100644 --- a/SOURCES/bind-9.11-rh1410433.patch +++ b/SOURCES/bind-9.11-rh1410433.patch @@ -1,14 +1,16 @@ diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c -index 0ce5e42..556d920 100644 +index 15561ce..e4449b0 100644 --- a/lib/dns/dyndb.c +++ b/lib/dns/dyndb.c -@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname, +@@ -133,8 +133,11 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname, instname, filename); flags = RTLD_NOW|RTLD_LOCAL; --#ifdef RTLD_DEEPBIND -- flags |= RTLD_DEEPBIND; --#endif ++#if 0 ++ /* Shared global namespace is required for dns-pkcs11 library */ + #if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__ + flags |= RTLD_DEEPBIND; ++#endif + #endif handle = dlopen(filename, flags); - if (handle == NULL) diff --git a/SOURCES/bind-9.11-rh1624100.patch b/SOURCES/bind-9.11-rh1624100.patch index 954661c..5764ed7 100644 --- a/SOURCES/bind-9.11-rh1624100.patch +++ b/SOURCES/bind-9.11-rh1624100.patch @@ -1,4 +1,4 @@ -From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001 +From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 25 Apr 2018 14:04:31 +0200 Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts @@ -14,20 +14,20 @@ Fix the isc_safe_memwipe() usage with (NULL, >0) (cherry picked from commit 083461d3329ff6f2410745848a926090586a9846) --- bin/dnssec/dnssec-signzone.c | 2 +- - lib/dns/nsec3.c | 4 +-- - lib/dns/spnego.c | 4 +-- - lib/isc/Makefile.in | 8 ++--- - lib/isc/include/isc/safe.h | 18 ++++------ - lib/isc/safe.c | 81 -------------------------------------------- - lib/isc/tests/safe_test.c | 20 ----------- - 7 files changed, 13 insertions(+), 124 deletions(-) + lib/dns/nsec3.c | 4 +- + lib/dns/spnego.c | 4 +- + lib/isc/Makefile.in | 8 +--- + lib/isc/include/isc/safe.h | 18 ++------ + lib/isc/safe.c | 83 ------------------------------------ + lib/isc/tests/safe_test.c | 18 -------- + 7 files changed, 11 insertions(+), 126 deletions(-) delete mode 100644 lib/isc/safe.c diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 53be1f5c60..351296a356 100644 +index 6ddaebe..d921870 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c -@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, +@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, static int hashlist_comp(const void *a, const void *b) { @@ -37,10 +37,10 @@ index 53be1f5c60..351296a356 100644 static void diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c -index d364308aaf..37b6a8a7fe 100644 +index 6ae7ca8..01426d6 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c -@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, +@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, * Work out what this NSEC3 covers. * Inside (<0) or outside (>=0). */ @@ -49,7 +49,7 @@ index d364308aaf..37b6a8a7fe 100644 /* * Prepare to compute all the hashes. -@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, +@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, return (ISC_R_IGNORE); } @@ -59,10 +59,10 @@ index d364308aaf..37b6a8a7fe 100644 /* * The hashes are the same. diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c -index ce3e42d650..079d4c1b4a 100644 +index ad77f24..670982a 100644 --- a/lib/dns/spnego.c +++ b/lib/dns/spnego.c -@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, +@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, /* mod_auth_kerb.c */ @@ -71,7 +71,7 @@ index ce3e42d650..079d4c1b4a 100644 cmp_gss_type(gss_buffer_t token, gss_OID gssoid) { unsigned char *p; -@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) +@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) if (((OM_uint32) *p++) != gssoid->length) return (GSS_S_DEFECTIVE_TOKEN); @@ -81,15 +81,15 @@ index ce3e42d650..079d4c1b4a 100644 /* accept_sec_context.c */ diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index ba53ef1091..98acffffc9 100644 +index 0fd0837..8ad54bb 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in @@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \ ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \ rwlock.@O@ \ -- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ -+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ +- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ ++ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ tm.@O@ timer.@O@ version.@O@ \ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} @@ -97,8 +97,8 @@ index ba53ef1091..98acffffc9 100644 netaddr.c netscope.c pool.c ondestroy.c \ parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ -- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ -+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ +- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ ++ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ strtoul.c symtab.c task.c taskpool.c timer.c \ tm.c version.c @@ -114,28 +114,28 @@ index ba53ef1091..98acffffc9 100644 ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h -index f29f00bac6..b8a0b2290c 100644 +index 66ed08b..88b8f47 100644 --- a/lib/isc/include/isc/safe.h +++ b/lib/isc/include/isc/safe.h -@@ -15,27 +15,21 @@ +@@ -15,29 +15,19 @@ /*! \file isc/safe.h */ +-#include +- -#include -#include -+#include +#include -+ +#include ISC_LANG_BEGINDECLS --isc_boolean_t +-bool -isc_safe_memequal(const void *s1, const void *s2, size_t n); -+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n)) ++#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n) /*%< - * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise - * ISC_FALSE. + * Returns true iff. two blocks of memory are equal, otherwise + * false. * */ @@ -153,10 +153,10 @@ index f29f00bac6..b8a0b2290c 100644 * diff --git a/lib/isc/safe.c b/lib/isc/safe.c deleted file mode 100644 -index 5c9e1e2d13..0000000000 +index 7a464b6..0000000 --- a/lib/isc/safe.c +++ /dev/null -@@ -1,81 +0,0 @@ +@@ -1,83 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * @@ -172,6 +172,8 @@ index 5c9e1e2d13..0000000000 - -#include - +-#include +- -#include -#include -#include @@ -184,18 +186,18 @@ index 5c9e1e2d13..0000000000 -#pragma optimize("", off) -#endif - --isc_boolean_t +-bool -isc_safe_memequal(const void *s1, const void *s2, size_t n) { -- isc_uint8_t acc = 0; +- uint8_t acc = 0; - - if (n != 0U) { -- const isc_uint8_t *p1 = s1, *p2 = s2; +- const uint8_t *p1 = s1, *p2 = s2; - - do { - acc |= *p1++ ^ *p2++; - } while (--n != 0U); - } -- return (ISC_TF(acc == 0)); +- return (acc == 0); -} - - @@ -239,35 +241,33 @@ index 5c9e1e2d13..0000000000 -#endif -} diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c -index f721cd1096..ea3e61f98d 100644 +index 266ac75..60e9181 100644 --- a/lib/isc/tests/safe_test.c +++ b/lib/isc/tests/safe_test.c -@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) { - "\x00\x00\x00\x00", 4)); +@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) { + "\x00\x00\x00\x00", 4)); } --ATF_TC(isc_safe_memcompare); --ATF_TC_HEAD(isc_safe_memcompare, tc) { -- atf_tc_set_md_var(tc, "descr", "safe memcompare()"); --} --ATF_TC_BODY(isc_safe_memcompare, tc) { -- UNUSED(tc); +-/* test isc_safe_memcompare() */ +-static void +-isc_safe_memcompare_test(void **state) { +- UNUSED(state); - -- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0); -- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0); -- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0); -- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", -- "\x00\x00\x00\x00", 4) == 0); -- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", -- "\x00\x00\x00\x01", 4) < 0); -- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02", -- "\x00\x00\x00\x00", 4) > 0); +- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0); +- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0); +- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0); +- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00", +- "\x00\x00\x00\x00", 4), 0); +- assert_true(isc_safe_memcompare("\x00\x00\x00\x00", +- "\x00\x00\x00\x01", 4) < 0); +- assert_true(isc_safe_memcompare("\x00\x00\x00\x02", +- "\x00\x00\x00\x00", 4) > 0); -} - - ATF_TC(isc_safe_memwipe); - ATF_TC_HEAD(isc_safe_memwipe, tc) { - atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()"); -@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { + /* test isc_safe_memwipe() */ + static void + isc_safe_memwipe_test(void **state) { +@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) { /* These should pass. */ isc_safe_memwipe(NULL, 0); isc_safe_memwipe((void *) -1, 0); @@ -275,14 +275,14 @@ index f721cd1096..ea3e61f98d 100644 /* * isc_safe_memwipe(ptr, size) should function same as -@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { - */ - ATF_TP_ADD_TCS(tp) { - ATF_TP_ADD_TC(tp, isc_safe_memequal); -- ATF_TP_ADD_TC(tp, isc_safe_memcompare); - ATF_TP_ADD_TC(tp, isc_safe_memwipe); - return (atf_no_error()); - } +@@ -108,7 +91,6 @@ main(void) { + const struct CMUnitTest tests[] = { + cmocka_unit_test(isc_safe_memequal_test), + cmocka_unit_test(isc_safe_memwipe_test), +- cmocka_unit_test(isc_safe_memcompare_test), + }; + + return (cmocka_run_group_tests(tests, NULL, NULL)); -- -2.14.4 +2.20.1 diff --git a/SOURCES/bind-9.11-rh1679307.patch b/SOURCES/bind-9.11-rh1679307.patch deleted file mode 100644 index 05c553f..0000000 --- a/SOURCES/bind-9.11-rh1679307.patch +++ /dev/null @@ -1,245 +0,0 @@ -From 88cf9dec060e8c3f1705a4e41a30e283bc3c8b1b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= -Date: Tue, 10 Jul 2018 14:34:35 +0200 -Subject: [PATCH] Improve error handling in idn_ace_to_locale() - -While idn2_to_unicode_8zlz() takes a 'flags' argument, it is ignored and -thus cannot be used to perform IDN checks on the output string. - -The bug in libidn2 versions before 2.0.5 was not that a call to -idn2_to_unicode_8zlz() with certain flags set did not cause IDN checks -to be performed. The bug was that idn2_to_unicode_8zlz() did not check -whether a conversion can be performed between UTF-8 and the current -locale's character encoding. In other words, with libidn2 version -2.0.5+, if the current locale's character encoding is ASCII, then -idn2_to_unicode_8zlz() will fail when it is passed any Punycode string -which decodes to a non-ASCII string, even if it is a valid IDNA2008 -name. - -Rework idn_ace_to_locale() so that invalid IDNA2008 names are properly -and consistently detected for all libidn2 versions and locales. - -Update the "idna" system test accordingly. Add checks for processing a -server response containing Punycode which decodes to an invalid IDNA2008 -name. Fix invalid subtest description. - -(cherry picked from commit 7fe0f00a3bf31dc26ee3dc8777e3076546b83990) -(cherry picked from commit 4fdee34a0b0ad142182914327a1bc53144b90ed1) ---- - bin/dig/dighost.c | 72 ++++++++++++++++++++++++------- - bin/tests/system/idna/tests.sh | 77 +++++++++++----------------------- - 2 files changed, 82 insertions(+), 67 deletions(-) - -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index d46379ddc2..26528af3cc 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -4812,26 +4812,70 @@ idn_locale_to_ace(const char *from, char *to, size_t tolen) { - static isc_result_t - idn_ace_to_locale(const char *from, char *to, size_t tolen) { - int res; -- char *tmp_str = NULL; -+ char *utf8_src, *tmp_str = NULL; - -- res = idn2_to_unicode_8zlz(from, &tmp_str, -- IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT); -+ /* -+ * We need to: -+ * -+ * 1) check whether 'from' is a valid IDNA2008 name, -+ * 2) if it is, output it in the current locale's character encoding. -+ * -+ * Unlike idn2_to_ascii_*(), idn2_to_unicode_*() functions are unable -+ * to perform IDNA2008 validity checks. Thus, we need to decode any -+ * Punycode in 'from', check if the resulting name is a valid IDNA2008 -+ * name, and only once we ensure it is, output that name in the current -+ * locale's character encoding. -+ * -+ * We could just use idn2_to_unicode_8zlz() + idn2_to_ascii_lz(), but -+ * then we would not be able to universally tell invalid names and -+ * character encoding errors apart (if the current locale uses ASCII -+ * for character encoding, the former function would fail even for a -+ * valid IDNA2008 name, as long as it contained any non-ASCII -+ * character). Thus, we need to take a longer route. -+ * -+ * First, convert 'from' to UTF-8, ignoring the current locale. -+ */ -+ res = idn2_to_unicode_8z8z(from, &utf8_src, 0); -+ if (res != IDN2_OK) { -+ fatal("Bad ACE string '%s' (%s), use +noidnout", -+ from, idn2_strerror(res)); -+ } - -- if (res == IDN2_OK) { -- /* check the length */ -- if (strlen(tmp_str) >= tolen) { -- debug("encoded ASC string is too long"); -- idn2_free(tmp_str); -- return ISC_R_FAILURE; -- } -+ /* -+ * Then, check whether decoded 'from' is a valid IDNA2008 name. -+ */ -+ res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_NONTRANSITIONAL); -+ if (res != IDN2_OK) { -+ fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnout", -+ from, idn2_strerror(res)); -+ } - -- (void) strlcpy(to, tmp_str, tolen); -+ /* -+ * Finally, try converting the decoded 'from' into the current locale's -+ * character encoding. -+ */ -+ res = idn2_to_unicode_8zlz(utf8_src, &tmp_str, 0); -+ if (res != IDN2_OK) { -+ fatal("Cannot represent '%s' in the current locale (%s), " -+ "use +noidnout or a different locale", -+ from, idn2_strerror(res)); -+ } -+ -+ /* -+ * Free the interim conversion result. -+ */ -+ idn2_free(utf8_src); -+ -+ /* check the length */ -+ if (strlen(tmp_str) >= tolen) { -+ debug("encoded ASC string is too long"); - idn2_free(tmp_str); -- return ISC_R_SUCCESS; -+ return (ISC_R_FAILURE); - } - -- fatal("'%s' is not a legal IDN name (%s), use +noidnout", from, idn2_strerror(res)); -- return ISC_R_FAILURE; -+ (void) strlcpy(to, tmp_str, tolen); -+ idn2_free(tmp_str); -+ return (ISC_R_SUCCESS); - } - #endif /* WITH_IDN_OUT_SUPPORT */ - #endif /* WITH_LIBIDN2 */ -diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh -index 3a9b91b442..6637bf6828 100644 ---- a/bin/tests/system/idna/tests.sh -+++ b/bin/tests/system/idna/tests.sh -@@ -136,46 +136,6 @@ idna_fail() { - status=`expr $status + $ret` - } - --# Check if current version of libidn2 is >= a given version --# --# This requires that: --# a) "pkg-config" exists on the system --# b) The libidn2 installed has an associated ".pc" file --# c) The system sort command supports "-V" --# --# $1 - Minimum version required --# --# Returns: --# 0 - Version check is OK, libidn2 at required version or greater. --# 1 - Version check was made, but libidn2 not at required version. --# 2 - Could not carry out version check -- --libidn_version_check() { -- ret=2 -- if [ -n "`command -v pkg-config`" ]; then -- version=`pkg-config --modversion --silence-errors libidn2` -- if [ -n "$version" ]; then -- # Does the sort command have a "-V" flag on this system? -- sort -V 2>&1 > /dev/null << . --. -- if [ $? -eq 0 ]; then -- # Sort -V exists. Sort the IDN version and the minimum version -- # required. If the IDN version is greater than or equal to that -- # version, it will appear last in the list. -- last_version=`printf "%s\n" $version $1 | sort -V | tail -1` -- if [ "$version" = "$last_version" ]; then -- ret=0 -- else -- ret=1 -- fi -- fi -- fi -- fi -- -- return $ret --} -- -- - # Function to check that case is preserved for an all-ASCII label. - # - # Without IDNA support, case-preservation is the expected behavior. -@@ -310,16 +270,7 @@ idna_enabled_test() { - text="Checking fake A-label" - idna_fail "$text" "" "xn--ahahah" - idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah." -- -- # Owing to issues with libdns, the next test will fail for versions of -- # libidn earlier than 2.0.5. For this reason, get the version (if -- # available) and compare with 2.0.5. -- libidn_version_check 2.0.5 -- if [ $? -ne 0 ]; then -- echo_i "Skipping fake A-label +noidnin +idnout test (libidn2 version issues)" -- else -- idna_test "$text" "+noidnin +idnout" "xn--ahahah" "xn--ahahah." -- fi -+ idna_fail "$text" "+noidnin +idnout" "xn--ahahah" - idna_fail "$text" "+idnin +noidnout" "xn--ahahah" - idna_fail "$text" "+idnin +idnout" "xn--ahahah" - -@@ -327,7 +278,7 @@ idna_enabled_test() { - # BIND rejects such labels: with +idnin - - label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj" -- text="Checking punycode label shorter than minimum valid length" -+ text="Checking punycode label longer than maximum valid length" - idna_fail "$text" "" "$label" - idna_fail "$text" "+noidnin +noidnout" "$label" - idna_fail "$text" "+noidnin +idnout" "$label" -@@ -337,7 +288,7 @@ idna_enabled_test() { - - - -- # Tests of a valid unicode string but an invalid U-label -+ # Tests of a valid unicode string but an invalid U-label (input) - # - # Symbols are not valid IDNA names. - # -@@ -347,12 +298,32 @@ idna_enabled_test() { - # - # The +[no]idnout options should not have any effect on the test. - -- text="Checking invalid U-label" -+ text="Checking invalid input U-label" - idna_fail "$text" "" "🧦.com" - idna_test "$text" "+noidnin +noidnout" "🧦.com" "\240\159\167\166.com." - idna_test "$text" "+noidnin +idnout" "🧦.com" "\240\159\167\166.com." - idna_fail "$text" "+idnin +noidnout" "🧦.com" - idna_fail "$text" "+idnin +idnout" "🧦.com" -+ -+ # Tests of a valid unicode string but an invalid U-label (output) -+ # -+ # Symbols are not valid IDNA names. -+ # -+ # Note that an invalid U-label is accepted even when +idnin is in effect -+ # because "xn--19g" is valid Punycode. -+ # -+ # +noidnout: "dig" should send the ACE string to the server and display the -+ # returned qname. -+ # +idnout: "dig" should generate an error. -+ # -+ # The +[no]idnin options should not have any effect on the test. -+ -+ text="Checking invalid output U-label" -+ idna_fail "$text" "" "xn--19g" -+ idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." -+ idna_fail "$text" "+noidnin +idnout" "xn--19g" -+ idna_test "$text" "+idnin +noidnout" "xn--19g" "xn--19g." -+ idna_fail "$text" "+idnin +idnout" "xn--19g" - } - - --- -2.20.1 - diff --git a/SOURCES/bind-9.11-rh1790879.patch b/SOURCES/bind-9.11-rh1790879.patch new file mode 100644 index 0000000..7f44fee --- /dev/null +++ b/SOURCES/bind-9.11-rh1790879.patch @@ -0,0 +1,65 @@ +From f9a37643528dc83b981156d0a1cf52e3d9a38322 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Mon, 2 Dec 2019 15:15:06 +0100 +Subject: [PATCH] Fix GeoIP2 memory leak upon reconfiguration + +Loaded GeoIP2 databases are only released when named is shut down, but +not during server reconfiguration. This causes memory to be leaked +every time "rndc reconfig" or "rndc reload" is used, as long as any +GeoIP2 database is in use. Fix by releasing any loaded GeoIP2 databases +before reloading them. Do not call dns_geoip_shutdown() until server +shutdown as that function releases the memory context used for caching +GeoIP2 lookup results. + +(cherry picked from commit 670afbe84a87e202fa795079d9d6d1639bcf391d) +(cherry picked from commit 95a5589fa2ac3956fecfef780158a2745718c860) +--- + bin/named/geoip.c | 2 -- + bin/named/server.c | 6 ++++++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/bin/named/geoip.c b/bin/named/geoip.c +index d560f8fbcf..0b11f6b803 100644 +--- a/bin/named/geoip.c ++++ b/bin/named/geoip.c +@@ -243,6 +243,4 @@ ns_geoip_shutdown(void) { + ns_g_geoip->domain = NULL; + } + #endif /* HAVE_GEOIP2 */ +- +- dns_geoip_shutdown(); + } +diff --git a/bin/named/server.c b/bin/named/server.c +index ebe7ad4702..4d7d2210ff 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -72,6 +72,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -7684,6 +7685,10 @@ load_configuration(const char *filename, ns_server_t *server, + isc__socketmgr_setreserved(ns_g_socketmgr, reserved); + + #if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2) ++ /* ++ * Release any previously opened GeoIP2 databases. ++ */ ++ ns_geoip_shutdown(); + /* + * Initialize GeoIP databases from the configured location. + * This should happen before configuring any ACLs, so that we +@@ -9030,6 +9035,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { + #endif + #if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2) + ns_geoip_shutdown(); ++ dns_geoip_shutdown(); + #endif /* HAVE_GEOIP || HAVE_GEOIP2 */ + + dns_db_detach(&server->in_roothints); +-- +2.21.1 + diff --git a/SOURCES/bind-9.11-rt31459.patch b/SOURCES/bind-9.11-rt31459.patch index 6208ef2..ea25abe 100644 --- a/SOURCES/bind-9.11-rt31459.patch +++ b/SOURCES/bind-9.11-rt31459.patch @@ -1,4 +1,4 @@ -From ae9c9ef5a5ba06cf57b5a87b5f2bbc71649ba41b Mon Sep 17 00:00:00 2001 +From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 12 Sep 2017 19:05:46 -0700 Subject: [PATCH] rebased rt31459c @@ -22,27 +22,25 @@ Include new unit test bin/dnssec/dnssec-verify.c | 8 +- bin/dnssec/dnssectool.c | 11 +- bin/named/server.c | 6 + - bin/nsupdate/nsupdate.c | 18 ++- + bin/nsupdate/nsupdate.c | 14 +- bin/tests/makejournal.c | 6 +- - bin/tests/system/pipelined/pipequeries.c | 20 ++- + bin/tests/system/pipelined/pipequeries.c | 20 +- bin/tests/system/pipelined/tests.sh | 4 +- bin/tests/system/rsabigexponent/bigkey.c | 4 + - bin/tests/system/tkey/keycreate.c | 26 +++- - bin/tests/system/tkey/keydelete.c | 26 +++- + bin/tests/system/tkey/keycreate.c | 26 ++- + bin/tests/system/tkey/keydelete.c | 26 ++- bin/tests/system/tkey/tests.sh | 8 +- bin/tools/mdig.c | 3 +- - configure | 250 ++++++++++++++++++------------- - configure.in | 77 +++++++++- - lib/dns/dst_api.c | 21 ++- + configure | 250 +++++++++++++---------- + configure.ac | 77 ++++++- + lib/dns/dst_api.c | 21 +- lib/dns/include/dst/dst.h | 8 + - lib/dns/lib.c | 17 ++- - lib/dns/openssl_link.c | 72 ++++++++- - lib/dns/pkcs11.c | 29 +++- - lib/dns/tests/Atffile | 1 + + lib/dns/lib.c | 15 +- + lib/dns/openssl_link.c | 72 ++++++- + lib/dns/pkcs11.c | 29 ++- lib/dns/tests/Kyuafile | 1 + lib/dns/tests/Makefile.in | 7 + - lib/dns/tests/dnstest.c | 14 +- - lib/dns/tests/dstrandom_test.c | 105 +++++++++++++ + lib/dns/tests/dstrandom_test.c | 115 +++++++++++ lib/dns/win32/libdns.def.in | 7 + lib/isc/entropy.c | 24 +++ lib/isc/include/isc/entropy.h | 12 ++ @@ -50,12 +48,12 @@ Include new unit test lib/isc/include/isc/types.h | 2 + lib/isc/pk11.c | 12 +- lib/isc/win32/include/isc/platform.h.in | 5 + - win32utils/Configure | 29 +++- - 38 files changed, 704 insertions(+), 184 deletions(-) + win32utils/Configure | 28 ++- + 36 files changed, 701 insertions(+), 175 deletions(-) create mode 100644 lib/dns/tests/dstrandom_test.c diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 11cc54d..fa439cc 100644 +index 5015abb..295e16f 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, @@ -66,17 +64,17 @@ index 11cc54d..fa439cc 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif DO("start entropy source", isc_entropy_usebestsource(ectx, &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c -index 94a982c..897c497 100644 +index 2c0c308..3e585af 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c -@@ -495,14 +495,14 @@ main(int argc, char **argv) { +@@ -494,14 +494,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -94,7 +92,7 @@ index 94a982c..897c497 100644 isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); -@@ -564,8 +564,8 @@ main(int argc, char **argv) { +@@ -571,8 +571,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); @@ -105,10 +103,10 @@ index 94a982c..897c497 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c -index 2edf614..840316c 100644 +index 0d1e7f8..79c4d74 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c -@@ -406,14 +406,14 @@ main(int argc, char **argv) { +@@ -407,14 +407,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -126,7 +124,7 @@ index 2edf614..840316c 100644 isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); -@@ -457,8 +457,8 @@ main(int argc, char **argv) { +@@ -458,8 +458,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); @@ -137,10 +135,10 @@ index 2edf614..840316c 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c -index 10fad0b..0b68e99 100644 +index 7d82dbf..10f9359 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c -@@ -182,14 +182,14 @@ main(int argc, char **argv) { +@@ -184,14 +184,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -158,7 +156,7 @@ index 10fad0b..0b68e99 100644 isc_entropy_stopcallbacksources(ectx); result = dst_key_fromnamedfile(filename, dir, -@@ -271,8 +271,8 @@ main(int argc, char **argv) { +@@ -273,8 +273,8 @@ main(int argc, char **argv) { cleanup: dst_key_free(&key); @@ -169,10 +167,10 @@ index 10fad0b..0b68e99 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c -index 360cdb9..b7bf171 100644 +index f355903..6a2ca59 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c -@@ -380,14 +380,14 @@ main(int argc, char **argv) { +@@ -382,14 +382,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -190,7 +188,7 @@ index 360cdb9..b7bf171 100644 isc_entropy_stopcallbacksources(ectx); if (predecessor != NULL) { -@@ -672,8 +672,8 @@ main(int argc, char **argv) { +@@ -674,8 +674,8 @@ main(int argc, char **argv) { if (prevkey != NULL) dst_key_free(&prevkey); dst_key_free(&key); @@ -201,10 +199,10 @@ index 360cdb9..b7bf171 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 1bea357..53be1f5 100644 +index c6a0313..6ddaebe 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c -@@ -3459,14 +3459,15 @@ main(int argc, char *argv[]) { +@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) { if (!pseudorandom) eflags |= ISC_ENTROPY_GOODONLY; @@ -224,7 +222,7 @@ index 1bea357..53be1f5 100644 isc_stdtime_get(&now); if (startstr != NULL) { -@@ -3878,8 +3879,8 @@ main(int argc, char *argv[]) { +@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) { dns_master_styledestroy(&dsstyle, mctx); cleanup_logging(&log); @@ -235,10 +233,10 @@ index 1bea357..53be1f5 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c -index 792510a..dc32765 100644 +index 4c293bf..3263cbc 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c -@@ -280,15 +280,15 @@ main(int argc, char *argv[]) { +@@ -281,15 +281,15 @@ main(int argc, char *argv[]) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -259,10 +257,10 @@ index 792510a..dc32765 100644 rdclass = strtoclass(classname); diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index dc32c90..4ea9eaf 100644 +index fbc7ece..31a99e7 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c -@@ -32,6 +32,7 @@ +@@ -34,6 +34,7 @@ #include #include #include @@ -270,7 +268,7 @@ index dc32c90..4ea9eaf 100644 #include #include #include -@@ -233,7 +234,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -235,7 +236,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (*ectx == NULL) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) @@ -280,7 +278,7 @@ index dc32c90..4ea9eaf 100644 ISC_LIST_INIT(sources); } -@@ -242,6 +244,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -244,6 +246,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { randomfile = NULL; } @@ -288,17 +286,17 @@ index dc32c90..4ea9eaf 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(*ectx, ISC_TRUE); ++ isc_entropy_usehook(*ectx, true); + } +#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard); diff --git a/bin/named/server.c b/bin/named/server.c -index 59a8998..ee5186c 100644 +index 7d85d3b..c782073 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -34,6 +34,7 @@ +@@ -36,6 +36,7 @@ #include #include #include @@ -306,38 +304,30 @@ index 59a8998..ee5186c 100644 #include #include #include -@@ -8083,6 +8084,10 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server, "no source of entropy found"); } else { const char *randomdev = cfg_obj_asstring(obj); +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) -+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); ++ isc_entropy_usehook(ns_g_entropy, true); +#else int level = ISC_LOG_ERROR; result = isc_entropy_createfilesource(ns_g_entropy, randomdev); -@@ -8117,6 +8122,7 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } +#endif #endif } - } + diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index bb5d500..46c7acf 100644 +index bbb3936..0286987 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -33,6 +33,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -269,7 +270,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -272,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (*ectx == NULL) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) @@ -347,7 +337,7 @@ index bb5d500..46c7acf 100644 ISC_LIST_INIT(sources); } -@@ -278,6 +280,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -281,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { randomfile = NULL; } @@ -355,13 +345,13 @@ index bb5d500..46c7acf 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(*ectx, ISC_TRUE); ++ isc_entropy_usehook(*ectx, true); + } +#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard); -@@ -948,11 +957,11 @@ setup_system(void) { +@@ -979,11 +987,11 @@ setup_system(void) { } } @@ -375,41 +365,31 @@ index bb5d500..46c7acf 100644 result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); -@@ -976,6 +985,9 @@ setup_system(void) { - check_result(result, "dst_lib_init"); - is_dst_up = ISC_TRUE; - -+ /* moved after dst_lib_init() */ -+ isc_hash_init(); -+ - attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP; - attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; - diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c -index fed59be..9f125da 100644 +index 61a41b0..acc71a1 100644 --- a/bin/tests/makejournal.c +++ b/bin/tests/makejournal.c -@@ -100,12 +100,12 @@ main(int argc, char **argv) { +@@ -102,12 +102,12 @@ main(int argc, char **argv) { CHECK(isc_mem_create(0, 0, &mctx)); CHECK(isc_entropy_create(mctx, &ectx)); - CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -- hash_active = ISC_TRUE; +- hash_active = true; - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); - dst_active = ISC_TRUE; + dst_active = true; + CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+ hash_active = ISC_TRUE; ++ hash_active = true; + CHECK(isc_log_create(mctx, &lctx, &logconfig)); isc_log_registercategories(lctx, categories); isc_log_setcontext(lctx); diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index 379b6a3..810d99e 100644 +index c6ab7f8..f0a6ff2 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c -@@ -202,6 +202,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { +@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { int main(int argc, char *argv[]) { @@ -418,9 +398,9 @@ index 379b6a3..810d99e 100644 struct in_addr inaddr; isc_result_t result; @@ -222,7 +223,7 @@ main(int argc, char *argv[]) { - UNUSED(argv); + int c; - isc_commandline_errprint = ISC_FALSE; + isc_commandline_errprint = false; - while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) { + while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) { switch (c) { @@ -436,7 +416,7 @@ index 379b6a3..810d99e 100644 case '?': fprintf(stderr, "%s: invalid argument '%c'", argv[0], c); -@@ -274,10 +278,18 @@ main(int argc, char *argv[]) { +@@ -275,10 +279,18 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); @@ -446,7 +426,7 @@ index 379b6a3..810d99e 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif + if (randomfile != NULL) @@ -457,7 +437,7 @@ index 379b6a3..810d99e 100644 taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -330,8 +342,8 @@ main(int argc, char *argv[]) { +@@ -331,8 +343,8 @@ main(int argc, char *argv[]) { isc_task_detach(&task); isc_taskmgr_destroy(&taskmgr); @@ -468,7 +448,7 @@ index 379b6a3..810d99e 100644 isc_log_destroy(&lctx); diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh -index a6720ce..9063b1f 100644 +index 61f1ff7..ed1302a 100644 --- a/bin/tests/system/pipelined/tests.sh +++ b/bin/tests/system/pipelined/tests.sh @@ -19,7 +19,7 @@ status=0 @@ -479,7 +459,7 @@ index a6720ce..9063b1f 100644 +$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1 awk '{ print $1 " " $5 }' < raw > output sort < output > output-sorted - diff ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; } + $DIFF ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; } @@ -43,7 +43,7 @@ status=`expr $status + $ret` echo_i "check keep-response-order" @@ -487,10 +467,10 @@ index a6720ce..9063b1f 100644 -$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1 +$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1 awk '{ print $1 " " $5 }' < rawb > outputb - diff refb outputb || ret=1 + $DIFF refb outputb || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c -index 4462f2e..f1230d8 100644 +index 4462f2e..f06268d 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -20,6 +20,7 @@ @@ -506,13 +486,13 @@ index 4462f2e..f1230d8 100644 CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); +#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); +#endif CHECK(isc_entropy_usebestsource(ectx, &source, "../random.data", ISC_ENTROPY_KEYBOARDNO), diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 489f439..4f2f5b4 100644 +index 653c951..fe8698e 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { @@ -555,7 +535,7 @@ index 489f439..4f2f5b4 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif + if (randomfile != NULL) @@ -581,7 +561,7 @@ index 489f439..4f2f5b4 100644 isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 36ee6c7..0975bbe 100644 +index 70a40c3..2146f9b 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { @@ -624,7 +604,7 @@ index 36ee6c7..0975bbe 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif + if (randomfile != NULL) @@ -639,7 +619,7 @@ index 36ee6c7..0975bbe 100644 taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -265,8 +285,8 @@ main(int argc, char **argv) { +@@ -264,8 +284,8 @@ main(int argc, char **argv) { isc_log_destroy(&log); @@ -690,10 +670,10 @@ index 9f90dd7..fad6c83 100644 echo "I:failed" status=`expr $status + $ret` diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c -index 1f5dd4c..4e3bfa5 100644 +index bf6dbb6..0416b21 100644 --- a/bin/tools/mdig.c +++ b/bin/tools/mdig.c -@@ -1933,12 +1933,11 @@ main(int argc, char *argv[]) { +@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); @@ -705,10 +685,10 @@ index 1f5dd4c..4e3bfa5 100644 - RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); - ISC_LIST_INIT(queries); - parse_args(ISC_FALSE, argc, argv); + parse_args(false, argc, argv); if (server == NULL) diff --git a/configure b/configure -index c83773a..ac1ea3f 100755 +index ed002e0..a578874 100755 --- a/configure +++ b/configure @@ -640,6 +640,7 @@ ac_includes_default="\ @@ -719,7 +699,7 @@ index c83773a..ac1ea3f 100755 BUILD_LIBS BUILD_LDFLAGS BUILD_CPPFLAGS -@@ -825,6 +826,7 @@ XMLSTATS +@@ -821,6 +822,7 @@ XMLSTATS NZDTARGETS NZDSRCS NZD_TOOLS @@ -727,7 +707,7 @@ index c83773a..ac1ea3f 100755 PKCS11_TEST PKCS11_ED25519 PKCS11_GOST -@@ -1037,6 +1039,7 @@ with_eddsa +@@ -1045,6 +1047,7 @@ with_eddsa with_aes enable_openssl_hash with_cc_alg @@ -735,7 +715,7 @@ index c83773a..ac1ea3f 100755 with_lmdb with_libxml2 with_libjson -@@ -1730,6 +1733,7 @@ Optional Features: +@@ -1744,6 +1747,7 @@ Optional Features: --enable-threads enable multithreading --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] --enable-openssl-hash use OpenSSL for hash functions [default=no] @@ -743,7 +723,7 @@ index c83773a..ac1ea3f 100755 --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace -@@ -16486,6 +16490,7 @@ case "$use_openssl" in +@@ -17115,6 +17119,7 @@ case "$use_openssl" in $as_echo "disabled because of native PKCS11" >&6; } DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -751,7 +731,7 @@ index c83773a..ac1ea3f 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -16500,6 +16505,7 @@ $as_echo "disabled because of native PKCS11" >&6; } +@@ -17129,6 +17134,7 @@ $as_echo "disabled because of native PKCS11" >&6; } $as_echo "no" >&6; } DST_OPENSSL_INC="" CRYPTO="" @@ -759,7 +739,7 @@ index c83773a..ac1ea3f 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -16512,6 +16518,7 @@ $as_echo "no" >&6; } +@@ -17141,6 +17147,7 @@ $as_echo "no" >&6; } auto) DST_OPENSSL_INC="" CRYPTO="" @@ -767,7 +747,7 @@ index c83773a..ac1ea3f 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -16521,7 +16528,7 @@ $as_echo "no" >&6; } +@@ -17150,7 +17157,7 @@ $as_echo "no" >&6; } OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -776,7 +756,7 @@ index c83773a..ac1ea3f 100755 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -16552,6 +16559,7 @@ $as_echo "not found" >&6; } +@@ -17181,6 +17188,7 @@ $as_echo "not found" >&6; } as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 fi CRYPTO='-DOPENSSL' @@ -784,7 +764,7 @@ index c83773a..ac1ea3f 100755 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -17213,8 +17221,6 @@ fi +@@ -17806,8 +17814,6 @@ fi # Use OpenSSL for hash functions # @@ -793,7 +773,7 @@ index c83773a..ac1ea3f 100755 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -17583,6 +17589,86 @@ if test "rt" = "$have_clock_gt"; then +@@ -18182,6 +18188,86 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -880,7 +860,7 @@ index c83773a..ac1ea3f 100755 # # was --with-lmdb specified? # -@@ -19665,9 +19751,12 @@ _ACEOF +@@ -20264,9 +20350,12 @@ _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 $as_echo "size_t for buflen; int for flags" >&6; } @@ -895,7 +875,7 @@ index c83773a..ac1ea3f 100755 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h -@@ -21032,12 +21121,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -21581,12 +21670,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -909,7 +889,7 @@ index c83773a..ac1ea3f 100755 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -@@ -21070,6 +21154,11 @@ cat >>confdefs.h <<_ACEOF +@@ -21619,6 +21703,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF @@ -921,7 +901,7 @@ index c83773a..ac1ea3f 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21078,39 +21167,6 @@ _ACEOF +@@ -21627,39 +21716,6 @@ _ACEOF fi ;; x86_64-*|amd64-*) @@ -961,7 +941,7 @@ index c83773a..ac1ea3f 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21141,6 +21197,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } +@@ -21690,6 +21746,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } $as_echo "$arch" >&6; } fi @@ -972,7 +952,7 @@ index c83773a..ac1ea3f 100755 if test "yes" = "$have_atomic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 $as_echo_n "checking compiler support for inline assembly code... " >&6; } -@@ -23428,6 +23488,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" +@@ -24244,6 +24304,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" # dlzdir='${DLZ_DRIVER_DIR}' @@ -1003,7 +983,7 @@ index c83773a..ac1ea3f 100755 # # Private autoconf macro to simplify configuring drivers: # -@@ -23758,11 +23842,11 @@ $as_echo "no" >&6; } +@@ -24574,11 +24658,11 @@ $as_echo "no" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } ;; *) @@ -1018,7 +998,7 @@ index c83773a..ac1ea3f 100755 fi CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -23847,7 +23931,7 @@ $as_echo "" >&6; } +@@ -24663,7 +24747,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). @@ -1027,13 +1007,12 @@ index c83773a..ac1ea3f 100755 # include a blank element first for d in "" $bdb_incdirs do -@@ -23872,57 +23956,9 @@ $as_echo "" >&6; } +@@ -24688,57 +24772,9 @@ $as_echo "" >&6; } bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" for d in $bdb_libnames do - if test "$dd" = "/usr" -+ if test -f "$dd/${target_lib}/lib${d}.so" - then +- then - as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5 -$as_echo_n "checking for db_create in -l$d... " >&6; } @@ -1081,13 +1060,14 @@ index c83773a..ac1ea3f 100755 - break - fi - elif test -f "$dd/lib/lib${d}.so" -- then ++ if test -f "$dd/${target_lib}/lib${d}.so" + then - dlz_bdb_libs="-L${dd}/lib -l${d}" + dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" break fi done -@@ -24081,10 +24117,10 @@ $as_echo "no" >&6; } +@@ -24897,10 +24933,10 @@ $as_echo "no" >&6; } DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" fi @@ -1101,7 +1081,7 @@ index c83773a..ac1ea3f 100755 fi -@@ -24170,11 +24206,11 @@ fi +@@ -24986,11 +25022,11 @@ fi odbcdirs="/usr /usr/local /usr/pkg" for d in $odbcdirs do @@ -1115,7 +1095,7 @@ index c83773a..ac1ea3f 100755 break fi done -@@ -24449,6 +24485,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" +@@ -25265,6 +25301,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" @@ -1124,7 +1104,7 @@ index c83773a..ac1ea3f 100755 # # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody -@@ -26839,6 +26877,8 @@ report() { +@@ -27644,6 +27682,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1133,16 +1113,16 @@ index c83773a..ac1ea3f 100755 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -26879,6 +26919,8 @@ report() { +@@ -27684,6 +27724,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" - test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" + test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" + echo " Cryptographic library for DNSSEC: $CRYPTOLIB" + echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -26926,6 +26968,8 @@ report() { +@@ -27731,6 +27773,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1151,11 +1131,11 @@ index c83773a..ac1ea3f 100755 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" -diff --git a/configure.in b/configure.in -index 9a1d16d..849fa94 100644 ---- a/configure.in -+++ b/configure.in -@@ -1597,6 +1597,7 @@ case "$use_openssl" in +diff --git a/configure.ac b/configure.ac +index 45a8126..bb1345b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1537,6 +1537,7 @@ case "$use_openssl" in AC_MSG_RESULT(disabled because of native PKCS11) DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -1163,7 +1143,7 @@ index 9a1d16d..849fa94 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1610,6 +1611,7 @@ case "$use_openssl" in +@@ -1550,6 +1551,7 @@ case "$use_openssl" in AC_MSG_RESULT(no) DST_OPENSSL_INC="" CRYPTO="" @@ -1171,7 +1151,7 @@ index 9a1d16d..849fa94 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1622,6 +1624,7 @@ case "$use_openssl" in +@@ -1562,6 +1564,7 @@ case "$use_openssl" in auto) DST_OPENSSL_INC="" CRYPTO="" @@ -1179,7 +1159,7 @@ index 9a1d16d..849fa94 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1632,7 +1635,7 @@ case "$use_openssl" in +@@ -1572,7 +1575,7 @@ case "$use_openssl" in OPENSSLLINKSRCS="" AC_MSG_ERROR( [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -1188,7 +1168,7 @@ index 9a1d16d..849fa94 100644 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -1662,6 +1665,7 @@ If you don't want OpenSSL, use --without-openssl]) +@@ -1602,6 +1605,7 @@ If you don't want OpenSSL, use --without-openssl]) AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) fi CRYPTO='-DOPENSSL' @@ -1196,7 +1176,7 @@ index 9a1d16d..849fa94 100644 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -2135,7 +2139,6 @@ fi +@@ -2037,7 +2041,6 @@ fi # Use OpenSSL for hash functions # @@ -1204,7 +1184,7 @@ index 9a1d16d..849fa94 100644 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -2402,6 +2405,67 @@ if test "rt" = "$have_clock_gt"; then +@@ -2309,6 +2312,67 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -1272,7 +1252,7 @@ index 9a1d16d..849fa94 100644 # # was --with-lmdb specified? # -@@ -4235,12 +4299,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -4105,12 +4169,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -1286,7 +1266,7 @@ index 9a1d16d..849fa94 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -4249,7 +4313,6 @@ if test "yes" = "$use_atomic"; then +@@ -4119,7 +4183,6 @@ if test "yes" = "$use_atomic"; then fi ;; x86_64-*|amd64-*) @@ -1294,7 +1274,7 @@ index 9a1d16d..849fa94 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -5613,6 +5676,8 @@ report() { +@@ -5527,6 +5590,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1303,16 +1283,16 @@ index 9a1d16d..849fa94 100644 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5653,6 +5718,8 @@ report() { +@@ -5567,6 +5632,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" - test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" + test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" + echo " Cryptographic library for DNSSEC: $CRYPTOLIB" + echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -5700,6 +5767,8 @@ report() { +@@ -5614,6 +5681,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1322,10 +1302,10 @@ index 9a1d16d..849fa94 100644 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index dbece0a..803e7b3 100644 +index ec6e00e..1614afa 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -274,6 +274,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif @@ -1335,17 +1315,17 @@ index dbece0a..803e7b3 100644 + isc_entropy_sethook(dst_random_getdata); +#endif +#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - dst_initialized = ISC_TRUE; + dst_initialized = true; return (ISC_R_SUCCESS); -@@ -293,11 +299,19 @@ dst_lib_destroy(void) { +@@ -296,11 +302,19 @@ dst_lib_destroy(void) { for (i = 0; i < DST_MAX_ALGS; i++) if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) dst_t_func[i]->cleanup(); +#if defined(OPENSSL) || defined(PKCS11CRYPTO) +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (dst_entropy_pool != NULL) { -+ isc_entropy_usehook(dst_entropy_pool, ISC_FALSE); ++ isc_entropy_usehook(dst_entropy_pool, false); + isc_entropy_sethook(NULL); + } +#endif @@ -1358,7 +1338,7 @@ index dbece0a..803e7b3 100644 if (dst__memory_pool != NULL) isc_mem_detach(&dst__memory_pool); if (dst_entropy_pool != NULL) -@@ -2000,13 +2014,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { +@@ -2002,13 +2016,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { flags &= ~ISC_ENTROPY_GOODONLY; else flags |= ISC_ENTROPY_BLOCKING; @@ -1377,7 +1357,7 @@ index dbece0a..803e7b3 100644 #ifdef GSSAPI unsigned int flags = dst_entropy_flags; isc_result_t ret; -@@ -2029,6 +2047,7 @@ dst__entropy_status(void) { +@@ -2031,6 +2049,7 @@ dst__entropy_status(void) { #endif return (isc_entropy_status(dst_entropy_pool)); #else @@ -1386,10 +1366,10 @@ index dbece0a..803e7b3 100644 #endif } diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index fcc7b47..d9b6ab6 100644 +index 1924e74..6813c96 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h -@@ -157,6 +157,14 @@ dst_lib_destroy(void); +@@ -159,6 +159,14 @@ dst_lib_destroy(void); * Releases all resources allocated by DST. */ @@ -1401,38 +1381,30 @@ index fcc7b47..d9b6ab6 100644 + * Specialization of isc_entropy_getdata(). + */ + - isc_boolean_t + bool dst_algorithm_supported(unsigned int alg); /*%< diff --git a/lib/dns/lib.c b/lib/dns/lib.c -index 53237d5..c6d83e9 100644 +index 304814b..60543c4 100644 --- a/lib/dns/lib.c +++ b/lib/dns/lib.c -@@ -9,14 +9,13 @@ - * information regarding copyright ownership. - */ - --/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */ -- - /*! \file */ - - #include - +@@ -18,6 +18,7 @@ + #include #include +#include #include #include #include -@@ -77,6 +76,7 @@ static unsigned int references = 0; +@@ -78,6 +79,7 @@ static unsigned int references = 0; static void initialize(void) { isc_result_t result; + isc_entropy_t *ectx = NULL; - REQUIRE(initialize_done == ISC_FALSE); + REQUIRE(initialize_done == false); -@@ -87,11 +87,14 @@ initialize(void) { +@@ -88,11 +90,14 @@ initialize(void) { result = dns_ecdb_register(dns_g_mctx, &dbimp); if (result != ISC_R_SUCCESS) goto cleanup_mctx; @@ -1449,14 +1421,14 @@ index 53237d5..c6d83e9 100644 if (result != ISC_R_SUCCESS) goto cleanup_hash; -@@ -99,11 +102,17 @@ initialize(void) { +@@ -100,11 +105,17 @@ initialize(void) { if (result != ISC_R_SUCCESS) goto cleanup_dst; + isc_hash_init(); + isc_entropy_detach(&ectx); + - initialize_done = ISC_TRUE; + initialize_done = true; return; cleanup_dst: @@ -1468,7 +1440,7 @@ index 53237d5..c6d83e9 100644 isc_hash_destroy(); cleanup_db: diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index ec6dc7f..c1e1bde 100644 +index d65ce26..6849732 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -31,6 +31,7 @@ @@ -1506,7 +1478,7 @@ index ec6dc7f..c1e1bde 100644 #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static void -@@ -190,7 +193,7 @@ _set_thread_id(CRYPTO_THREADID *id) +@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id) isc_result_t dst__openssl_init(const char *engine) { isc_result_t result; @@ -1515,7 +1487,7 @@ index ec6dc7f..c1e1bde 100644 ENGINE *re; #else UNUSED(engine); -@@ -220,6 +223,7 @@ dst__openssl_init(const char *engine) { +@@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) { ERR_load_crypto_strings(); #endif @@ -1523,7 +1495,7 @@ index ec6dc7f..c1e1bde 100644 rm = mem_alloc(sizeof(RAND_METHOD) FILELINE); if (rm == NULL) { result = ISC_R_NOMEMORY; -@@ -231,6 +235,7 @@ dst__openssl_init(const char *engine) { +@@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) { rm->add = entropy_add; rm->pseudorand = entropy_getpseudo; rm->status = entropy_status; @@ -1531,7 +1503,7 @@ index ec6dc7f..c1e1bde 100644 #if !defined(OPENSSL_NO_ENGINE) #if !defined(CONF_MFLAGS_DEFAULT_SECTION) -@@ -264,6 +269,7 @@ dst__openssl_init(const char *engine) { +@@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) { } } @@ -1539,7 +1511,7 @@ index ec6dc7f..c1e1bde 100644 re = ENGINE_get_default_RAND(); if (re == NULL) { re = ENGINE_new(); -@@ -276,9 +282,21 @@ dst__openssl_init(const char *engine) { +@@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) { ENGINE_free(re); } else ENGINE_finish(re); @@ -1561,7 +1533,7 @@ index ec6dc7f..c1e1bde 100644 return (ISC_R_SUCCESS); #if !defined(OPENSSL_NO_ENGINE) -@@ -286,10 +304,14 @@ dst__openssl_init(const char *engine) { +@@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) { if (e != NULL) ENGINE_free(e); e = NULL; @@ -1576,7 +1548,7 @@ index ec6dc7f..c1e1bde 100644 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); -@@ -304,14 +326,17 @@ void +@@ -306,14 +328,17 @@ void dst__openssl_destroy(void) { #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_cleanup(); @@ -1594,7 +1566,7 @@ index ec6dc7f..c1e1bde 100644 if (rm != NULL) { #if OPENSSL_VERSION_NUMBER >= 0x00907000L RAND_cleanup(); -@@ -319,6 +344,7 @@ dst__openssl_destroy(void) { +@@ -321,6 +346,7 @@ dst__openssl_destroy(void) { mem_free(rm FILELINE); rm = NULL; } @@ -1602,7 +1574,7 @@ index ec6dc7f..c1e1bde 100644 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) CONF_modules_free(); #endif -@@ -454,11 +480,45 @@ dst__openssl_getengine(const char *engine) { +@@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) { } #endif @@ -1707,35 +1679,23 @@ index 5a2c502..8eaef53 100644 #endif /* PKCS11CRYPTO */ /*! \file */ -diff --git a/lib/dns/tests/Atffile b/lib/dns/tests/Atffile -index 953082d..603c4b5 100644 ---- a/lib/dns/tests/Atffile -+++ b/lib/dns/tests/Atffile -@@ -10,6 +10,7 @@ tp: dbversion_test - tp: dh_test - tp: dispatch_test - tp: dnstap_test -+tp: dstrandom_test - tp: dst_test - tp: geoip_test - tp: gost_test diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile -index 0353a73..cb2324d 100644 +index 937b548..f3c0e38 100644 --- a/lib/dns/tests/Kyuafile +++ b/lib/dns/tests/Kyuafile -@@ -10,6 +10,7 @@ atf_test_program{name='dh_test'} - atf_test_program{name='dispatch_test'} - atf_test_program{name='dnstap_test'} - atf_test_program{name='dst_test'} -+atf_test_program{name='dstrandom_test'} - atf_test_program{name='geoip_test'} - atf_test_program{name='gost_test'} - atf_test_program{name='keytable_test'} +@@ -10,6 +10,7 @@ tap_test_program{name='dh_test'} + tap_test_program{name='dispatch_test'} + tap_test_program{name='dnstap_test'} + tap_test_program{name='dst_test'} ++tap_test_program{name='dstrandom_test'} + tap_test_program{name='geoip_test'} + tap_test_program{name='gost_test'} + tap_test_program{name='keytable_test'} diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in -index 58fa872..625e809 100644 +index 90dc3a6..7671e1d 100644 --- a/lib/dns/tests/Makefile.in +++ b/lib/dns/tests/Makefile.in -@@ -40,6 +40,7 @@ SRCS = acl_test.c \ +@@ -37,6 +37,7 @@ SRCS = acl_test.c \ dnstap_test.c \ dst_test.c \ dnstest.c \ @@ -1743,7 +1703,7 @@ index 58fa872..625e809 100644 geoip_test.c \ gost_test.c \ keytable_test.c \ -@@ -71,6 +72,7 @@ TARGETS = acl_test@EXEEXT@ \ +@@ -69,6 +70,7 @@ TARGETS = acl_test@EXEEXT@ \ dh_test@EXEEXT@ \ dispatch_test@EXEEXT@ \ dnstap_test@EXEEXT@ \ @@ -1751,9 +1711,9 @@ index 58fa872..625e809 100644 dst_test@EXEEXT@ \ geoip_test@EXEEXT@ \ gost_test@EXEEXT@ \ -@@ -255,6 +257,11 @@ tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \ - ${ISCLIBS} ${LIBS} +@@ -258,6 +260,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LDFLAGS} -o $@ zt_test.@O@ dnstest.@O@ \ + ${DNSLIBS} ${ISCLIBS} ${LIBS} +dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ @@ -1763,80 +1723,42 @@ index 58fa872..625e809 100644 unit:: sh ${top_builddir}/unit/unittest.sh -diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c -index fb9ef53..344a7c2 100644 ---- a/lib/dns/tests/dnstest.c -+++ b/lib/dns/tests/dnstest.c -@@ -120,12 +120,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { - CHECK(isc_mem_create(0, 0, &mctx)); - CHECK(isc_entropy_create(mctx, &ectx)); - -- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -- hash_active = ISC_TRUE; -- - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); - dst_active = ISC_TRUE; - -+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+ hash_active = ISC_TRUE; -+ - if (logfile != NULL) { - isc_logdestination_t destination; - isc_logconfig_t *logconfig = NULL; -@@ -169,14 +169,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { - - void - dns_test_end(void) { -- if (dst_active) { -- dst_lib_destroy(); -- dst_active = ISC_FALSE; -- } - if (hash_active) { - isc_hash_destroy(); - hash_active = ISC_FALSE; - } -+ if (dst_active) { -+ dst_lib_destroy(); -+ dst_active = ISC_FALSE; -+ } - if (ectx != NULL) - isc_entropy_detach(&ectx); - diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c new file mode 100644 -index 0000000..d2c72e7 +index 0000000..bd3d164 --- /dev/null +++ b/lib/dns/tests/dstrandom_test.c -@@ -0,0 +1,105 @@ +@@ -0,0 +1,115 @@ +/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. + */ + -+/* $Id$ */ -+ -+/*! \file */ -+ +#include + -+#include ++#if HAVE_CMOCKA ++ ++#include ++#include ++#include + ++#include +#include +#include ++#include ++ ++#define UNIT_TESTING ++#include + +#include +#include ++#include +#include +#include + @@ -1846,78 +1768,87 @@ index 0000000..d2c72e7 +isc_entropy_t *ectx = NULL; +unsigned char buffer[128]; + -+ATF_TC(isc_entropy_getdata); -+ATF_TC_HEAD(isc_entropy_getdata, tc) { -+ atf_tc_set_md_var(tc, "descr", -+ "isc_entropy_getdata() examples"); -+ atf_tc_set_md_var(tc, "X-randomfile", -+ "testdata/dstrandom/random.data"); -+} -+ATF_TC_BODY(isc_entropy_getdata, tc) { ++/* isc_entropy_getdata() examples */ ++static void ++isc_entropy_getdata_test(void **state) { + isc_result_t result; + unsigned int returned, status; ++ const char *randomfile = "testdata/dstrandom/random.data"; + int ret; -+ const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile"); ++ ++ UNUSED(state); + + isc_mem_debugging |= ISC_MEM_DEBUGRECORD; + result = isc_mem_create(0, 0, &mctx); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ assert_int_equal(result, ISC_R_SUCCESS); + result = isc_entropy_create(mctx, &ectx); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ assert_int_equal(result, ISC_R_SUCCESS); + result = dst_lib_init(mctx, ectx, 0); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ assert_int_equal(result, ISC_R_SUCCESS); + +#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + + returned = 0; + result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), + &returned, 0); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ ATF_REQUIRE(returned == sizeof(buffer)); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ assert_int_equal(returned, sizeof(buffer)); + + status = isc_entropy_status(ectx); -+ ATF_REQUIRE_EQ(status, 0); ++ assert_int_equal(status, 0); + -+ isc_entropy_usehook(ectx, ISC_FALSE); ++ isc_entropy_usehook(ectx, false); +#endif + + ret = chdir(TESTS); -+ ATF_REQUIRE_EQ(ret, 0); ++ assert_int_equal(ret, 0); + + result = isc_entropy_createfilesource(ectx, randomfile); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ assert_int_equal(result, ISC_R_SUCCESS); + + returned = 0; + result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), + &returned, 0); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ ATF_REQUIRE(returned == sizeof(buffer)); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ assert_int_equal(returned, sizeof(buffer)); + + status = isc_entropy_status(ectx); -+ ATF_REQUIRE(status > 0); ++ assert_true(status > 0); + + dst_lib_destroy(); + isc_entropy_detach(&ectx); -+ ATF_REQUIRE(ectx == NULL); ++ assert_null(ectx); ++ + isc_mem_destroy(&mctx); -+ ATF_REQUIRE(mctx == NULL); ++ assert_null(mctx); +} + -+/* -+ * Main -+ */ -+ATF_TP_ADD_TCS(tp) { -+ ATF_TP_ADD_TC(tp, isc_entropy_getdata); ++int ++main(void) { ++ const struct CMUnitTest tests[] = { ++ cmocka_unit_test(isc_entropy_getdata_test), ++ }; + -+ return (atf_no_error()); ++ return (cmocka_run_group_tests(tests, NULL, NULL)); +} + ++#else /* HAVE_CMOCKA */ ++ ++#include ++ ++int ++main(void) { ++ printf("1..0 # Skipped: cmocka not available\n"); ++ return (0); ++} ++ ++#endif diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in -index d48eeb2..213e9d9 100644 +index 5c45d59..34b660c 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in -@@ -1480,6 +1480,13 @@ dst_lib_destroy +@@ -1484,6 +1484,13 @@ dst_lib_destroy dst_lib_init dst_lib_init2 dst_lib_initmsgcat @@ -1932,14 +1863,14 @@ index d48eeb2..213e9d9 100644 dst_region_computerid dst_result_register diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c -index 232094a..a85650b 100644 +index ab2f617..ed05ed6 100644 --- a/lib/isc/entropy.c +++ b/lib/isc/entropy.c -@@ -103,11 +103,15 @@ struct isc_entropy { - isc_uint32_t initialized; - isc_uint32_t initcount; +@@ -104,11 +104,15 @@ struct isc_entropy { + uint32_t initialized; + uint32_t initcount; isc_entropypool_t pool; -+ isc_boolean_t usehook; ++ bool usehook; unsigned int nsources; isc_entropysource_t *nextsource; ISC_LIST(isc_entropysource_t) sources; @@ -1950,8 +1881,8 @@ index 232094a..a85650b 100644 + /*% Sample Queue */ typedef struct { - isc_uint32_t last_time; /*%< last time recorded */ -@@ -556,6 +560,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, + uint32_t last_time; /*%< last time recorded */ +@@ -557,6 +561,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, LOCK(&ent->lock); @@ -1963,11 +1894,11 @@ index 232094a..a85650b 100644 remain = length; buf = data; total = 0; -@@ -707,6 +716,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { +@@ -708,6 +717,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { ent->refcnt = 1; ent->initialized = 0; ent->initcount = 0; -+ ent->usehook = ISC_FALSE; ++ ent->usehook = false; ent->magic = ENTROPY_MAGIC; isc_entropypool_init(&ent->pool); @@ -1977,7 +1908,7 @@ index 232094a..a85650b 100644 } + +void -+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) { ++isc_entropy_usehook(isc_entropy_t *ectx, bool onoff) { + REQUIRE(VALID_ENTROPY(ectx)); + + LOCK(&ectx->lock); @@ -1990,15 +1921,15 @@ index 232094a..a85650b 100644 + hook = myhook; +} diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index d52c43e..d9deb8a 100644 +index 4bba8e1..632166a 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h -@@ -303,6 +303,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, +@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, * isc_entropy_createcallbacksource(). */ +void -+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); ++isc_entropy_usehook(isc_entropy_t *ectx, bool onoff); +/*!< + * \brief Mark/unmark the given entropy structure as being hooked. + */ @@ -2013,10 +1944,10 @@ index d52c43e..d9deb8a 100644 #endif /* ISC_ENTROPY_H */ diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index d7a5bec..0166b79 100644 +index 9c7c342..ee8dc3e 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in -@@ -344,6 +344,11 @@ +@@ -341,6 +341,11 @@ */ @ISC_PLATFORM_HAVESTRINGSH@ @@ -2029,7 +1960,7 @@ index d7a5bec..0166b79 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h -index f161faf..dec577e 100644 +index 42ff7e0..8d87c44 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h @@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ @@ -2042,10 +1973,10 @@ index f161faf..dec577e 100644 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index 48e1031..74566c9 100644 +index 8e6ed93..ceb5a2c 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c -@@ -327,14 +327,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { +@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { ret = isc_stdio_open(randomfile, "r", &stream); if (ret != ISC_R_SUCCESS) goto cleanup; @@ -2068,10 +1999,10 @@ index 48e1031..74566c9 100644 cleanup: if (stream != NULL) diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in -index de6a434..2c32782 100644 +index 5b8a2c9..913a2ce 100644 --- a/lib/isc/win32/include/isc/platform.h.in +++ b/lib/isc/win32/include/isc/platform.h.in -@@ -74,6 +74,11 @@ +@@ -69,6 +69,11 @@ #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) #define ISC_PLATFORM_NORETURN_POST @@ -2084,10 +2015,10 @@ index de6a434..2c32782 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure -index e9f4680..79bb178 100644 +index ccaf067..240fb80 100644 --- a/win32utils/Configure +++ b/win32utils/Configure -@@ -381,6 +381,7 @@ my @substdefh = ("AES_CC", +@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", my %configdefp; my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", @@ -2095,7 +2026,7 @@ index e9f4680..79bb178 100644 "ISC_PLATFORM_HAVEATOMICSTORE", "ISC_PLATFORM_HAVEATOMICSTOREQ", "ISC_PLATFORM_HAVECMPXCHG", -@@ -509,7 +510,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); +@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); # enable-xxx/disable-xxx @@ -2105,7 +2036,7 @@ index e9f4680..79bb178 100644 "fixed-rrset", "intrinsics", "isc-spnego", -@@ -571,6 +573,7 @@ my @help = ( +@@ -581,6 +583,7 @@ my @help = ( "\nOptional Features:\n", " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", @@ -2113,7 +2044,7 @@ index e9f4680..79bb178 100644 " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", -@@ -614,7 +617,9 @@ my $want_clean = "no"; +@@ -630,7 +633,9 @@ my $want_clean = "no"; my $want_unknown = "no"; my $unknown_value; my $enable_intrinsics = "yes"; @@ -2123,7 +2054,7 @@ index e9f4680..79bb178 100644 my $enable_openssl_hash = "auto"; my $enable_filter_aaaa = "yes"; my $enable_isc_spnego = "yes"; -@@ -823,6 +828,10 @@ sub myenable { +@@ -850,6 +855,10 @@ sub myenable { if ($val =~ /^yes$/i) { $enable_native_pkcs11 = "yes"; } @@ -2134,7 +2065,7 @@ index e9f4680..79bb178 100644 } elsif ($key =~ /^openssl-hash$/i) { if ($val =~ /^yes$/i) { $enable_openssl_hash = "yes"; -@@ -1106,6 +1115,11 @@ if ($verbose) { +@@ -1158,6 +1167,11 @@ if ($verbose) { } else { print "native-pkcs11: disabled\n"; } @@ -2146,7 +2077,7 @@ index e9f4680..79bb178 100644 if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { -@@ -1449,6 +1463,7 @@ if ($enable_intrinsics eq "yes") { +@@ -1516,6 +1530,7 @@ if ($enable_intrinsics eq "yes") { # enable-native-pkcs11 if ($enable_native_pkcs11 eq "yes") { @@ -2154,7 +2085,7 @@ index e9f4680..79bb178 100644 if ($use_openssl eq "auto") { $use_openssl = "no"; } -@@ -1658,6 +1673,7 @@ if ($use_openssl eq "yes") { +@@ -1725,6 +1740,7 @@ if ($use_openssl eq "yes") { $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); } @@ -2162,10 +2093,10 @@ index e9f4680..79bb178 100644 $configcond{"OPENSSL"} = 1; $configdefd{"CRYPTO"} = "OPENSSL"; $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ -2209,6 +2225,15 @@ if ($cookie_algorithm eq "sha1") { - die "Unrecognized cookie algorithm: $cookie_algorithm\n"; +@@ -2296,6 +2312,15 @@ if ($use_aes eq "yes") { } + +# enable-crypto-rand +if ($enable_crypto_rand eq "yes") { + if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) { @@ -2178,7 +2109,7 @@ index e9f4680..79bb178 100644 # enable-openssl-hash if ($enable_openssl_hash eq "yes") { if ($use_openssl eq "no") { -@@ -3531,6 +3556,7 @@ exit 0; +@@ -3671,6 +3696,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported @@ -2186,14 +2117,6 @@ index e9f4680..79bb178 100644 # --enable-openssl-version-check included without a way to disable it # --enable-openssl-hash supported # --enable-threads included without a way to disable it -@@ -3556,6 +3582,7 @@ exit 0; - # --with-gost supported - # --with-aes supported - # --with-cc-alg supported -+# --with-randomdev not supported on WIN32 (makes no sense) - # --with-geoip supported - # --with-gssapi supported with MIT (K)erberos (f)or (W)indows - # --with-lmdb no supported on WIN32 (port is not reliable) -- -2.14.4 +2.20.1 diff --git a/SOURCES/bind-9.11-rt46047-2.patch b/SOURCES/bind-9.11-rt46047-2.patch deleted file mode 100644 index f3b1710..0000000 --- a/SOURCES/bind-9.11-rt46047-2.patch +++ /dev/null @@ -1,91 +0,0 @@ -From c79ff443ba029eaf7da8781aef0b1ddbed467781 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 14 Jun 2019 12:30:01 +0200 -Subject: [PATCH] Fix OpenSSL random generator warnings Squashed commit of the - following: - -commit 70492c6361e55309dae0e48ae031e295f0a46a5e -Author: Evan Hunt -Date: Sat Sep 16 21:01:06 2017 -0700 - - [master] silence compiler warning - - (cherry picked from commit 6e5ae91479408540f04337c9dc27c3f3fffae6c7) - -commit 4d8c2767b584d993eb898d2210c85ffce214d1dc -Author: Mark Andrews -Date: Fri Dec 22 08:48:38 2017 +1100 - - add POST(argc); - - (cherry picked from commit be5a0eaa7adafc454658e09672d865eb453baeab) - (cherry picked from commit 0163c3b8130cbed705c3267948ab49eebe26286d) - -commit c64b5b10a3a175482b89eddbe63d8b5107a2fbf3 -Author: Petr Mensik -Date: Thu Jun 13 22:23:14 2019 +0200 - - fixup! completed and corrected the crypto-random change ---- - bin/named/server.c | 3 +++ - bin/tests/system/tkey/keydelete.c | 1 + - lib/dns/tests/dstrandom_test.c | 3 +-- - 3 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/bin/named/server.c b/bin/named/server.c -index db0270900f..1afb461226 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -8100,6 +8100,8 @@ load_configuration(const char *filename, ns_server_t *server, - } - #endif - } else { -+ result = isc_entropy_createfilesource(ns_g_entropy, -+ randomdev); - #ifdef PATH_RANDOMDEV - if (ns_g_fallbackentropy != NULL) { - level = ISC_LOG_INFO; -@@ -8893,6 +8895,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { - server->in_roothints = NULL; - server->blackholeacl = NULL; - server->keepresporder = NULL; -+ server->rngctx = NULL; - - /* Must be first. */ - CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, -diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 3d5ac74486..55ebb66a60 100644 ---- a/bin/tests/system/tkey/keydelete.c -+++ b/bin/tests/system/tkey/keydelete.c -@@ -172,6 +172,7 @@ main(int argc, char **argv) { - randomfile = argv[2]; - argv += 2; - argc -= 2; -+ POST(argc); - } - keyname = argv[1]; - -diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c -index d2c72e7685..56738d14a4 100644 ---- a/lib/dns/tests/dstrandom_test.c -+++ b/lib/dns/tests/dstrandom_test.c -@@ -14,8 +14,6 @@ - * PERFORMANCE OF THIS SOFTWARE. - */ - --/* $Id$ */ -- - /*! \file */ - - #include -@@ -24,6 +22,7 @@ - - #include - #include -+#include - - #include - #include --- -2.20.1 - diff --git a/SOURCES/bind-9.11-rt46047.patch b/SOURCES/bind-9.11-rt46047.patch index 2444cbd..8f413f6 100644 --- a/SOURCES/bind-9.11-rt46047.patch +++ b/SOURCES/bind-9.11-rt46047.patch @@ -1,4 +1,4 @@ -From dc861636b6bcb4a028b2392347a57a61bb5ece6e Mon Sep 17 00:00:00 2001 +From 5a465424f5249ceaf0547ab90361a16eb08f7a2b Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 28 Sep 2017 10:09:22 -0700 Subject: [PATCH] completed and corrected the crypto-random change @@ -33,23 +33,25 @@ Subject: [PATCH] completed and corrected the crypto-random change bin/named/include/named/server.h | 2 + bin/named/interfacemgr.c | 1 + bin/named/query.c | 1 + - bin/named/server.c | 52 +++++++++++++--------- + bin/named/server.c | 52 ++++++++++++++-------- bin/nsupdate/nsupdate.c | 4 +- bin/tests/system/pipelined/pipequeries.c | 4 +- bin/tests/system/tkey/keycreate.c | 4 +- - bin/tests/system/tkey/keydelete.c | 4 +- + bin/tests/system/tkey/keydelete.c | 5 +-- doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++------- - doc/arm/notes.xml | 23 +++++++++- - lib/dns/dst_api.c | 7 ++- + doc/arm/notes-rh-changes.xml | 43 ++++++++++++++++++ + doc/arm/notes.xml | 1 + + lib/dns/dst_api.c | 4 +- lib/dns/include/dst/dst.h | 14 +++++- lib/dns/openssl_link.c | 3 +- lib/isc/include/isc/entropy.h | 50 +++++++++++++++------ lib/isc/include/isc/random.h | 28 +++++++----- lib/isccfg/namedconf.c | 2 +- - 22 files changed, 218 insertions(+), 110 deletions(-) + 23 files changed, 241 insertions(+), 106 deletions(-) + create mode 100644 doc/arm/notes-rh-changes.xml diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index fa439cc..a7ad417 100644 +index 295e16f..0f79aa8 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, @@ -65,7 +67,7 @@ index fa439cc..a7ad417 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif + if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { @@ -76,10 +78,10 @@ index fa439cc..a7ad417 100644 &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook -index 96dfef6..1c84b06 100644 +index 0ae6b41..4562430 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook -@@ -349,15 +349,23 @@ +@@ -348,15 +348,23 @@ -r randomdev @@ -112,16 +114,16 @@ index 96dfef6..1c84b06 100644 diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index 4ea9eaf..5dd9475 100644 +index 31a99e7..38c83ed 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c -@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { ISC_LIST_INIT(sources); } +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (randomfile == NULL) { -+ isc_entropy_usehook(*ectx, ISC_TRUE); ++ isc_entropy_usehook(*ectx, true); + } +#endif if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { @@ -133,17 +135,17 @@ index 4ea9eaf..5dd9475 100644 - if (randomfile != NULL && - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; -- isc_entropy_usehook(*ectx, ISC_TRUE); +- isc_entropy_usehook(*ectx, true); - } -#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard); diff --git a/bin/named/client.c b/bin/named/client.c -index b7d8a98..56d475c 100644 +index 50fa2cd..524d9a3 100644 --- a/bin/named/client.c +++ b/bin/named/client.c -@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, +@@ -1762,7 +1762,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_stdtime_get(&now); @@ -154,10 +156,10 @@ index b7d8a98..56d475c 100644 compute_cookie(client, now, nonce, ns_g_server->secret, &buf); diff --git a/bin/named/config.c b/bin/named/config.c -index c50f759..c1e72ef 100644 +index dbdff64..63da4b0 100644 --- a/bin/named/config.c +++ b/bin/named/config.c -@@ -92,7 +92,9 @@ options {\n\ +@@ -98,7 +98,9 @@ options {\n\ # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ port 53;\n\ prefetch 2 9;\n" @@ -169,10 +171,10 @@ index c50f759..c1e72ef 100644 #endif " recursing-file \"named.recursing\";\n\ diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c -index 237e8dc..b905475 100644 +index d955c2f..40621f2 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c -@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { +@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { static void control_recvmessage(isc_task_t *task, isc_event_t *event) { @@ -185,8 +187,8 @@ index 237e8dc..b905475 100644 + controlkey_t *key = NULL; isccc_sexpr_t *request = NULL; isccc_sexpr_t *response = NULL; - isc_uint32_t algorithm; -@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + uint32_t algorithm; +@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { isc_buffer_t *text; isc_result_t result; isc_result_t eresult; @@ -194,7 +196,7 @@ index 237e8dc..b905475 100644 + isccc_sexpr_t *_ctrl = NULL; isccc_time_t sent; isccc_time_t exp; - isc_uint32_t nonce; + uint32_t nonce; - isccc_sexpr_t *data; + isccc_sexpr_t *data = NULL; @@ -206,25 +208,25 @@ index 237e8dc..b905475 100644 algorithm = DST_ALG_UNKNOWN; secret.rstart = NULL; text = NULL; -@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { +@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { * Establish nonce. */ if (conn->nonce == 0) { - while (conn->nonce == 0) - isc_random_get(&conn->nonce); + while (conn->nonce == 0) { -+ isc_uint16_t r1 = isc_rng_random(server->rngctx); -+ isc_uint16_t r2 = isc_rng_random(server->rngctx); ++ uint16_t r1 = isc_rng_random(server->rngctx); ++ uint16_t r2 = isc_rng_random(server->rngctx); + conn->nonce = (r1 << 16) | r2; + } eresult = ISC_R_SUCCESS; } else eresult = ns_control_docommand(request, listener->readonly, &text); diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h -index d8179a6..e03d24d 100644 +index 7ee8f66..8982d26 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h -@@ -17,6 +17,7 @@ +@@ -20,6 +20,7 @@ #include #include #include @@ -232,19 +234,19 @@ index d8179a6..e03d24d 100644 #include #include #include -@@ -131,6 +132,7 @@ struct ns_server { +@@ -134,6 +135,7 @@ struct ns_server { char * lockfile; - isc_uint16_t transfer_tcp_message_size; + uint16_t transfer_tcp_message_size; + isc_rng_t * rngctx; }; struct ns_altsecret { diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index d8c7188..50f924e 100644 +index 9dea7c1..272d300 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c -@@ -15,6 +15,7 @@ +@@ -17,6 +17,7 @@ #include #include @@ -253,10 +255,10 @@ index d8c7188..50f924e 100644 #include #include diff --git a/bin/named/query.c b/bin/named/query.c -index accbf3b..d89622d 100644 +index c9e5469..0940714 100644 --- a/bin/named/query.c +++ b/bin/named/query.c -@@ -18,6 +18,7 @@ +@@ -19,6 +19,7 @@ #include #include #include @@ -265,10 +267,10 @@ index accbf3b..d89622d 100644 #include #include diff --git a/bin/named/server.c b/bin/named/server.c -index ca789e5..db02709 100644 +index 36fc047..3c1eec0 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8208,21 +8208,32 @@ load_configuration(const char *filename, ns_server_t *server, * Open the source of entropy. */ if (first_time) { @@ -277,11 +279,6 @@ index ca789e5..db02709 100644 obj = NULL; result = ns_config_get(maps, "random-device", &obj); - if (result != ISC_R_SUCCESS) { -- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, -- NS_LOGMODULE_SERVER, ISC_LOG_INFO, -- "no source of entropy found"); -- } else { -- const char *randomdev = cfg_obj_asstring(obj); + if (result == ISC_R_SUCCESS) { + if (!cfg_obj_isvoid(obj)) { + level = ISC_LOG_INFO; @@ -289,28 +286,33 @@ index ca789e5..db02709 100644 + } + } + if (randomdev == NULL) { - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) -- isc_entropy_usehook(ns_g_entropy, ISC_TRUE); -+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); - #else -- int level = ISC_LOG_ERROR; -- result = isc_entropy_createfilesource(ns_g_entropy, -- randomdev); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ isc_entropy_usehook(ns_g_entropy, true); ++#else + if ((obj != NULL) && !cfg_obj_isvoid(obj)) + level = ISC_LOG_INFO; -+ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL, + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, +- NS_LOGMODULE_SERVER, ISC_LOG_INFO, + NS_LOGMODULE_SERVER, level, -+ "no source of entropy found"); + "no source of entropy found"); + if ((obj == NULL) || cfg_obj_isvoid(obj)) { + CHECK(ISC_R_FAILURE); + } +#endif -+ } else { + } else { +- const char *randomdev = cfg_obj_asstring(obj); +-#ifdef ISC_PLATFORM_CRYPTORANDOM +- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) +- isc_entropy_usehook(ns_g_entropy, true); +-#else +- int level = ISC_LOG_ERROR; + result = isc_entropy_createfilesource(ns_g_entropy, +- randomdev); ++ randomdev); #ifdef PATH_RANDOMDEV if (ns_g_fallbackentropy != NULL) { level = ISC_LOG_INFO; -@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8233,8 +8244,8 @@ load_configuration(const char *filename, ns_server_t *server, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, level, @@ -321,24 +323,33 @@ index ca789e5..db02709 100644 randomdev, isc_result_totext(result)); } -@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8254,7 +8265,6 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } -#endif #endif } - } -@@ -8911,6 +8919,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { + +@@ -9022,6 +9032,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { + server->in_roothints = NULL; + server->blackholeacl = NULL; + server->keepresporder = NULL; ++ server->rngctx = NULL; + + /* Must be first. */ + CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, +@@ -9048,6 +9059,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), "creating TKEY context"); ++ server->rngctx = NULL; + CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx), + "creating random numbers context"); /* * Setup the server task, which is responsible for coordinating -@@ -9117,7 +9127,8 @@ ns_server_destroy(ns_server_t **serverp) { +@@ -9254,7 +9268,8 @@ ns_server_destroy(ns_server_t **serverp) { if (server->zonemgr != NULL) dns_zonemgr_detach(&server->zonemgr); @@ -348,7 +359,7 @@ index ca789e5..db02709 100644 if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); -@@ -13018,10 +13029,10 @@ newzone_cfgctx_destroy(void **cfgp) { +@@ -13230,10 +13245,10 @@ newzone_cfgctx_destroy(void **cfgp) { static isc_result_t generate_salt(unsigned char *salt, size_t saltlen) { @@ -356,19 +367,19 @@ index ca789e5..db02709 100644 + size_t i, n; union { unsigned char rnd[256]; -- isc_uint32_t rnd32[64]; -+ isc_uint16_t rnd16[128]; +- uint32_t rnd32[64]; ++ uint16_t rnd16[128]; } rnd; unsigned char text[512 + 1]; isc_region_t r; -@@ -13031,9 +13042,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { +@@ -13243,9 +13258,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { if (saltlen > 256U) return (ISC_R_RANGE); -- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t); +- n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t); - for (i = 0; i < n; i++) - isc_random_get(&rnd.rnd32[i]); -+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t); ++ n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t); + for (i = 0; i < n; i++) { + rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx); + } @@ -376,10 +387,10 @@ index ca789e5..db02709 100644 memmove(salt, rnd.rnd, saltlen); diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 46c7acf..a0d0278 100644 +index 0286987..0376377 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { } #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -387,14 +398,14 @@ index 46c7acf..a0d0278 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(*ectx, ISC_TRUE); + isc_entropy_usehook(*ectx, true); } #endif diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index 810d99e..d7d10e2 100644 +index f0a6ff2..55064f6 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c -@@ -279,9 +279,7 @@ main(int argc, char *argv[]) { +@@ -280,9 +280,7 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -402,11 +413,11 @@ index 810d99e..d7d10e2 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 4f2f5b4..0894db7 100644 +index fe8698e..937fcc3 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -255,9 +255,7 @@ main(int argc, char *argv[]) { @@ -417,14 +428,22 @@ index 4f2f5b4..0894db7 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 0975bbe..5b8a470 100644 +index 2146f9b..64b8e74 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c -@@ -182,9 +182,7 @@ main(int argc, char **argv) { +@@ -171,6 +171,7 @@ main(int argc, char **argv) { + randomfile = argv[2]; + argv += 2; + argc -= 2; ++ POST(argc); + } + keyname = argv[1]; + +@@ -182,9 +183,7 @@ main(int argc, char **argv) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -432,14 +451,14 @@ index 0975bbe..5b8a470 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index a5d9e2e..2a96f71 100644 +index 33e06e6..539973c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml -@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] +@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] random-device @@ -501,56 +520,72 @@ index a5d9e2e..2a96f71 100644 +diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml +new file mode 100644 +index 0000000..11c3a7c +--- /dev/null ++++ b/doc/arm/notes-rh-changes.xml +@@ -0,0 +1,43 @@ ++ ++ ++ ++
Red Hat Specific Changes ++ ++ ++ ++ By default, BIND now uses the random number generation functions ++ in the cryptographic library (i.e., OpenSSL or a PKCS#11 ++ provider) as a source of high-quality randomness rather than ++ /dev/random. This is suitable for virtual ++ machine environments, which may have limited entropy pools and ++ lack hardware random number generators. ++ ++ ++ This can be overridden by specifying another entropy source via ++ the random-device option in ++ named.conf, or via the -r ++ command line option. However, for functions requiring full ++ cryptographic strength, such as DNSSEC key generation, this ++ cannot be overridden. In particular, the ++ -r command line option no longer has any ++ effect on dnssec-keygen. ++ ++ ++ This can be disabled by building with ++ configure --disable-crypto-rand, in which ++ case /dev/random will be the default ++ entropy source. [RT #31459] [RT #46047] ++ ++ ++ ++
++ diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index d3fdb5e..fbc78a0 100644 +index b16dab6..763ff7e 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml -@@ -115,7 +115,28 @@ - - - -- None. -+ By default, BIND now uses the random number generation functions -+ in the cryptographic library (i.e., OpenSSL or a PKCS#11 -+ provider) as a source of high-quality randomness rather than -+ /dev/random. This is suitable for virtual -+ machine environments, which may have limited entropy pools and -+ lack hardware random number generators. -+ -+ -+ This can be overridden by specifying another entropy source via -+ the random-device option in -+ named.conf, or via the -r -+ command line option. However, for functions requiring full -+ cryptographic strength, such as DNSSEC key generation, this -+ cannot be overridden. In particular, the -+ -r command line option no longer has any -+ effect on dnssec-keygen. -+ -+ -+ This can be disabled by building with -+ configure --disable-crypto-rand, in which -+ case /dev/random will be the default -+ entropy source. [RT #31459] [RT #46047] - - - +@@ -36,6 +36,7 @@ + + + ++ + + + diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 803e7b3..29a4fef 100644 +index 1614afa..0f52df9 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, - #endif - #if defined(OPENSSL) || defined(PKCS11CRYPTO) - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (dst_entropy_pool != NULL) -+ if (dst_entropy_pool != NULL) { - isc_entropy_sethook(dst_random_getdata); -+ } - #endif - #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - dst_initialized = ISC_TRUE; -@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { +@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { else flags |= ISC_ENTROPY_BLOCKING; #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -565,10 +600,10 @@ index 803e7b3..29a4fef 100644 } diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index d9b6ab6..e8c1a3c 100644 +index 6813c96..665574d 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h -@@ -161,8 +161,18 @@ isc_result_t +@@ -163,8 +163,18 @@ isc_result_t dst_random_getdata(void *data, unsigned int length, unsigned int *returned, unsigned int flags); /*%< @@ -588,12 +623,12 @@ index d9b6ab6..e8c1a3c 100644 + * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error */ - isc_boolean_t + bool diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index c1e1bde..91e87d0 100644 +index 6849732..e00a0e4 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c -@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) { +@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) { isc_result_t dst_random_getdata(void *data, unsigned int length, @@ -604,7 +639,7 @@ index c1e1bde..91e87d0 100644 #ifndef DONT_REQUIRE_DST_LIB_INIT INSIST(dst__memory_pool != NULL); diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index d9deb8a..2d37363 100644 +index 632166a..c7cb17d 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h @@ -9,8 +9,6 @@ @@ -616,7 +651,7 @@ index d9deb8a..2d37363 100644 #ifndef ISC_ENTROPY_H #define ISC_ENTROPY_H 1 -@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, +@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, /*!< * \brief Create an entropy source that is polled via a callback. * @@ -628,7 +663,7 @@ index d9deb8a..2d37363 100644 * * Samples are added via isc_entropy_addcallbacksample(), below. * _addcallbacksample() is the only function which may be called from -@@ -233,15 +230,32 @@ isc_result_t +@@ -234,15 +231,32 @@ isc_result_t isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, unsigned int *returned, unsigned int flags); /*!< @@ -668,9 +703,9 @@ index d9deb8a..2d37363 100644 */ void -@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, +@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, void - isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); + isc_entropy_usehook(isc_entropy_t *ectx, bool onoff); /*!< - * \brief Mark/unmark the given entropy structure as being hooked. + * \brief Configure entropy context 'ectx' to use the hook function @@ -693,7 +728,7 @@ index d9deb8a..2d37363 100644 ISC_LANG_ENDDECLS diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h -index ba53ebf..b575728 100644 +index f8aed34..17c551b 100644 --- a/lib/isc/include/isc/random.h +++ b/lib/isc/include/isc/random.h @@ -9,8 +9,6 @@ @@ -736,8 +771,8 @@ index ba53ebf..b575728 100644 ISC_LANG_BEGINDECLS @@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx); - isc_uint16_t - isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound); + uint16_t + isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound); /*%< - * Returns a uniformly distributed pseudo random 16-bit unsigned - * integer. @@ -747,10 +782,10 @@ index ba53ebf..b575728 100644 ISC_LANG_ENDDECLS diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index 8d496ff..dd08187 100644 +index 03890a3..7bad989 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c -@@ -1106,7 +1106,7 @@ options_clauses[] = { +@@ -1109,7 +1109,7 @@ options_clauses[] = { { "pid-file", &cfg_type_qstringornone, 0 }, { "port", &cfg_type_uint32, 0 }, { "querylog", &cfg_type_boolean, 0 }, diff --git a/SOURCES/bind-9.11-serve-stale.patch b/SOURCES/bind-9.11-serve-stale.patch new file mode 100644 index 0000000..350fe62 --- /dev/null +++ b/SOURCES/bind-9.11-serve-stale.patch @@ -0,0 +1,3858 @@ +From 2bdcb7159b1ac097355e95864e979b4f68bc1a4e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 7 Nov 2019 14:31:03 +0100 +Subject: [PATCH] Implement serve-stale in 9.11 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Squashed commit of the following: + +commit 32f47f36e545223b2a4757588d7bd4af8c5f5760 +Author: Petr Menšík +Date: Tue Sep 3 18:45:54 2019 +0200 + + convert serve_stale to db_test + + Manual checkout from commit e8f61dd315c5d1c88915bb79361182241e42e47a. + Use test modified for cmocka, including serve-stale tests. + +commit 071eb1fb0786f6d614955813d99c3caabff33383 +Author: Michał Kępień +Date: Fri Apr 27 09:13:26 2018 +0200 + + Detect recursion loops during query processing + + Interrupt query processing when query_recurse() attempts to ask the same + name servers for the same QNAME/QTYPE tuple for two times in a row as + this indicates that query processing may be stuck for an indeterminate + period of time, e.g. due to interactions between features able to + restart query_lookup(). + + (cherry picked from commit 46bb4dd124ed031d4c219d1e37a3c6322092e30c) + +commit c12090bc361c7fa4522ace73899e778e44e9b295 +Author: Petr Menšík +Date: Mon Sep 2 11:12:32 2019 +0200 + + Fix test name used in whole test-suite + + Correct name is serve-stale + +commit ff4d826f295d268a248ca06941d65c903e1b405c +Author: Petr Menšík +Date: Fri Aug 30 17:43:28 2019 +0200 + + Clean files in more generic rules + +commit 8d81ed15eda9a2a11e1433d1fdddacfc772708b6 +Author: Petr Menšík +Date: Thu Aug 29 21:27:57 2019 +0200 + + [rt46602] Pass port numbers to tests via environment variables + + Manually applied commit f5d8f079008b648d2e343543e66dd728054c6101 + +commit 94fafa477891576286def8c4041ad127734af2d1 +Author: Tony Finch +Date: Tue Apr 10 16:17:57 2018 +0100 + + Move serve-stale logging to its own category, so that its verbosity can be curtailed. + + (cherry picked from commit 4b442c309dfb2c8880b19af4133047655bb734df) + +commit e0c884bee98c3d2533dfaa667f58c6a80d8a3a00 +Author: Michał Kępień +Date: Fri Apr 27 09:13:26 2018 +0200 + + Prevent check_stale_header() from leaking rdataset headers + + check_stale_header() fails to update the pointer to the previous header + while processing rdataset headers eligible for serve-stale, thus + enabling rdataset headers to be leaked (i.e. disassociated from a node + and left on the relevant TTL heap) while iterating through a node. This + can lead to several different assertion failures. Add the missing + pointer update. + + (cherry picked from commit 391fac1fc8d2e470287b5cc4344b3adb90c6f54a) + +commit d724cc1d80ee8d46113eaf82549d49636739b67c +Author: Matthijs Mekking +Date: Thu Jan 24 10:24:44 2019 +0100 + + Print in dump-file stale ttl + + This change makes rndc dumpdb correctly print the "; stale" line. + It also provides extra information on how long this data may still + be served to clients (in other words how long the stale RRset may + still be used). + + (cherry picked from commit 924ebc605db798e2a383ee5eaaebad739e7c789c) + +commit 625da4bd4590ac6108bb30eddd23ceffb245ae49 +Author: Michał Kępień +Date: Mon Oct 22 15:26:45 2018 +0200 + + Check serve-stale behavior with a cold cache + + Ensure that serve-stale works as expected when returning stale answers + is enabled, the authoritative server does not respond, and there is no + cached answer available. + + (cherry picked from commit 27cfe83a388147edfa0451b28c06c746912ea684) + +commit d67ae10461c409fdafdbbe64f857db2552b71059 +Author: Michał Kępień +Date: Mon Oct 22 15:26:45 2018 +0200 + + Check TTL of stale answers + + Make sure that stale answers returned when the serve-stale feature is + enabled have a TTL matching the value of the stale-answer-ttl setting. + + (cherry picked from commit 893ab37ce78c658215bd3a019f25afe795b37d5a) + +commit 50459107805e68e4a63a8e497bf58ef3ce013ddb +Author: Michał Kępień +Date: Mon Jul 9 14:35:12 2018 +0200 + + Do not use Net::DNS::Nameserver in the "serve-stale" system test + + Net::DNS versions older than 0.67 respond to queries sent to a + Net::DNS::Nameserver even if its ReplyHandler returns undef. This makes + the "serve-stale" system test fail as it takes advantage of the newer + behavior. Since the latest Net::DNS version available with stock + RHEL/CentOS 6 packages is 0.65 and we officially support that operating + system, bin/tests/system/serve-stale/ans2/ans.pl should behave + consistently for various Net::DNS versions. Ensure that by reworking it + so that it does not use Net::DNS::Nameserver. + + (cherry picked from commit c4209418a50c09142375f7edadca731c526f3d3a) + +commit 4b5befc714bb386bd245b1c14ce3bce5ae6fb5fa +Author: Petr Menšík +Date: Tue Jun 5 21:38:29 2018 +0200 + + Fix server-stale requirement, skip without Time::HiRes + + (cherry picked from commit 7a0c7bf9c8e6a724e52635eed213ad25b9504e66) + +commit 5ce51a3a7e5ef3087c4d022e3fca42fb2fd0c996 +Author: Ondřej Surý +Date: Wed Oct 18 13:01:14 2017 +0200 + + [rt46602] Update server-stale test to run on port passed from run.sh script + + (cherry picked from commit f83ebd34b9555a5a834c58146035173bcbd01dda) + +commit 3954a9bf3437f6fab050294a7f2f954a23d161ec +Author: Ondřej Surý +Date: Wed Oct 18 14:18:59 2017 +0200 + + [rt46602] Add serve-stale working files to .gitignore + + (cherry picked from commit cba162e70e7fac43435a606106841a69ce468526) + +commit 112aa21f5fa875494820e4d1eb70e41e10e1aae7 +Author: Mark Andrews +Date: Thu Oct 12 15:33:47 2017 +1100 + + test for Net::DNS::Nameserver + + (cherry picked from commit 5b60d0608ac2852753180b762d1917163f9dc315) + +commit 9d610e46af8a636f44914cee4cf8b2016054db1e +Author: Mark Andrews +Date: Thu Oct 12 15:19:45 2017 +1100 + + add Net::DNS prerequiste test + + (cherry picked from commit fa644181f51559da3e3913acd72dbc3f6d916e71) + +commit e4ea7ba88d9a9a0c79579400c68a5dabe03e8572 +Author: Mark Andrews +Date: Wed Sep 6 19:26:10 2017 +1000 + + add quotes arount $send_response + + (cherry picked from commit 023ab19634b287543169e9b7b5259f3126cd60ff) + +commit 0af0c5d33c2de34da164571288b650282c6be10a +Author: Mark Andrews +Date: Thu Nov 23 16:11:49 2017 +1100 + + initalise serve_stale_ttl + + (cherry picked from commit 2f4e0e5a81278f59037bf06ae99ff52245cd57e9) + +commit fbadd90ee81863d617c4c319d5f0079b877fe102 +Author: Evan Hunt +Date: Thu Sep 14 11:48:21 2017 -0700 + + [master] add thanks to APNIC and add missing note for serve-stale + +commit deb8adaa59955970b9d2f2fe58060a3cbf08312b +Author: Mark Andrews +Date: Wed Sep 6 12:16:10 2017 +1000 + + silence 'staleanswersok' may be used uninitialized in this function warning. [RT #14147 + +commit 0e2d03823768dc545015e6ce309777210f4a9f85 +Author: Petr Menšík +Date: Thu Aug 29 19:57:58 2019 +0200 + + More fixes to merge + +commit 360e25ffe7623ea0a2eec49395001f4940967776 +Author: Mark Andrews +Date: Wed Sep 6 09:58:29 2017 +1000 + + 4700. [func] Serving of stale answers is now supported. This + allows named to provide stale cached answers when + the authoritative server is under attack. + See max-stale-ttl, stale-answer-enable, + stale-answer-ttl. [RT #44790] + +Signed-off-by: Petr Menšík +--- + bin/named/config.c | 9 +- + bin/named/control.c | 2 + + bin/named/include/named/control.h | 1 + + bin/named/include/named/log.h | 1 + + bin/named/include/named/query.h | 15 + + bin/named/include/named/server.h | 13 +- + bin/named/log.c | 1 + + bin/named/query.c | 164 +++++- + bin/named/server.c | 177 +++++- + bin/named/statschannel.c | 6 + + bin/rndc/rndc.c | 2 + + bin/rndc/rndc.docbook | 19 + + bin/tests/system/chain/prereq.sh | 7 + + bin/tests/system/conf.sh.in | 2 +- + bin/tests/system/dyndb/driver/db.c | 2 + + bin/tests/system/serve-stale/.gitignore | 11 + + bin/tests/system/serve-stale/ans2/ans.pl.in | 178 ++++++ + bin/tests/system/serve-stale/clean.sh | 15 + + .../system/serve-stale/ns1/named1.conf.in | 35 ++ + .../system/serve-stale/ns1/named2.conf.in | 35 ++ + bin/tests/system/serve-stale/ns1/root.db | 5 + + .../system/serve-stale/ns3/named.conf.in | 35 ++ + bin/tests/system/serve-stale/prereq.sh | 38 ++ + bin/tests/system/serve-stale/setup.sh | 13 + + bin/tests/system/serve-stale/tests.sh | 536 ++++++++++++++++++ + doc/arm/Bv9ARM-book.xml | 69 ++- + doc/arm/logging-categories.xml | 11 + + doc/arm/notes-rh-changes.xml | 14 +- + doc/misc/options | 10 + + lib/bind9/check.c | 78 ++- + lib/dns/cache.c | 38 +- + lib/dns/db.c | 22 + + lib/dns/ecdb.c | 4 +- + lib/dns/include/dns/cache.h | 21 + + lib/dns/include/dns/db.h | 35 ++ + lib/dns/include/dns/rdataset.h | 11 + + lib/dns/include/dns/resolver.h | 43 +- + lib/dns/include/dns/types.h | 6 + + lib/dns/include/dns/view.h | 3 + + lib/dns/master.c | 14 +- + lib/dns/masterdump.c | 23 + + lib/dns/rbtdb.c | 207 ++++++- + lib/dns/resolver.c | 78 ++- + lib/dns/sdb.c | 4 +- + lib/dns/sdlz.c | 4 +- + lib/dns/tests/db_test.c | 198 ++++++- + lib/dns/view.c | 3 + + lib/isccfg/namedconf.c | 5 + + 48 files changed, 2121 insertions(+), 102 deletions(-) + create mode 100644 bin/tests/system/serve-stale/.gitignore + create mode 100644 bin/tests/system/serve-stale/ans2/ans.pl.in + create mode 100644 bin/tests/system/serve-stale/clean.sh + create mode 100644 bin/tests/system/serve-stale/ns1/named1.conf.in + create mode 100644 bin/tests/system/serve-stale/ns1/named2.conf.in + create mode 100644 bin/tests/system/serve-stale/ns1/root.db + create mode 100644 bin/tests/system/serve-stale/ns3/named.conf.in + create mode 100644 bin/tests/system/serve-stale/prereq.sh + create mode 100644 bin/tests/system/serve-stale/setup.sh + create mode 100755 bin/tests/system/serve-stale/tests.sh + +diff --git a/bin/named/config.c b/bin/named/config.c +index 63da4b0..b598f9b 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -182,13 +182,14 @@ options {\n\ + #ifdef HAVE_LMDB + " lmdb-mapsize 32M;\n" + #endif +-" max-acache-size 16M;\n\ +- max-cache-size 90%;\n\ ++" max-cache-size 90%;\n\ ++ max-acache-size 16M;\n\ + max-cache-ttl 604800; /* 1 week */\n\ + max-clients-per-query 100;\n\ + max-ncache-ttl 10800; /* 3 hours */\n\ + max-recursion-depth 7;\n\ + max-recursion-queries 75;\n\ ++ max-stale-ttl 604800; /* 1 week */\n\ + message-compression yes;\n\ + # min-roots ;\n\ + minimal-any false;\n\ +@@ -203,10 +204,14 @@ options {\n\ + request-expire true;\n\ + request-ixfr true;\n\ + require-server-cookie no;\n\ ++ resolver-nonbackoff-tries 3;\n\ ++ resolver-retry-interval 800; /* in milliseconds */\n\ + # rfc2308-type1 ;\n\ + root-key-sentinel yes;\n\ + servfail-ttl 1;\n\ + # sortlist \n\ ++ stale-answer-enable false;\n\ ++ stale-answer-ttl 1; /* 1 second */\n\ + # topology \n\ + transfer-format many-answers;\n\ + v6-bias 50;\n\ +diff --git a/bin/named/control.c b/bin/named/control.c +index df23c26..8b79850 100644 +--- a/bin/named/control.c ++++ b/bin/named/control.c +@@ -282,6 +282,8 @@ ns_control_docommand(isccc_sexpr_t *message, bool readonly, + result = ns_server_validation(ns_g_server, lex, text); + } else if (command_compare(command, NS_COMMAND_ZONESTATUS)) { + result = ns_server_zonestatus(ns_g_server, lex, text); ++ } else if (command_compare(command, NS_COMMAND_SERVESTALE)) { ++ result = ns_server_servestale(ns_g_server, lex, text); + } else { + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_CONTROL, ISC_LOG_WARNING, +diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h +index 8705fdd..1634154 100644 +--- a/bin/named/include/named/control.h ++++ b/bin/named/include/named/control.h +@@ -69,6 +69,7 @@ + #define NS_COMMAND_MKEYS "managed-keys" + #define NS_COMMAND_DNSTAPREOPEN "dnstap-reopen" + #define NS_COMMAND_DNSTAP "dnstap" ++#define NS_COMMAND_SERVESTALE "serve-stale" + + isc_result_t + ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp); +diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h +index 56bfcd4..cd8db60 100644 +--- a/bin/named/include/named/log.h ++++ b/bin/named/include/named/log.h +@@ -32,6 +32,7 @@ + #define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_g_categories[6]) + #define NS_LOGCATEGORY_QUERY_ERRORS (&ns_g_categories[7]) + #define NS_LOGCATEGORY_TAT (&ns_g_categories[8]) ++#define NS_LOGCATEGORY_SERVE_STALE (&ns_g_categories[9]) + + /* + * Backwards compatibility. +diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h +index 9661f56..445b578 100644 +--- a/bin/named/include/named/query.h ++++ b/bin/named/include/named/query.h +@@ -35,6 +35,18 @@ typedef struct ns_dbversion { + ISC_LINK(struct ns_dbversion) link; + } ns_dbversion_t; + ++/*% ++ * nameserver recursion parameters, to uniquely identify a recursion ++ * query; this is used to detect a recursion loop ++ */ ++typedef struct ns_query_recparam { ++ dns_rdatatype_t qtype; ++ dns_name_t * qname; ++ dns_fixedname_t fqname; ++ dns_name_t * qdomain; ++ dns_fixedname_t fqdomain; ++} ns_query_recparam_t; ++ + /*% nameserver query structure */ + struct ns_query { + unsigned int attributes; +@@ -63,6 +75,7 @@ struct ns_query { + unsigned int dns64_aaaaoklen; + unsigned int dns64_options; + unsigned int dns64_ttl; ++ + struct { + dns_db_t * db; + dns_zone_t * zone; +@@ -76,6 +89,8 @@ struct ns_query { + bool authoritative; + bool is_zone; + } redirect; ++ ++ ns_query_recparam_t recparam; + dns_keytag_t root_key_sentinel_keyid; + bool root_key_sentinel_is_ta; + bool root_key_sentinel_not_ta; +diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h +index 8982d26..919ac28 100644 +--- a/bin/named/include/named/server.h ++++ b/bin/named/include/named/server.h +@@ -224,7 +224,10 @@ enum { + + dns_nsstatscounter_tcphighwater = 57, + +- dns_nsstatscounter_max = 58 ++ dns_nsstatscounter_trystale = 58, ++ dns_nsstatscounter_usedstale = 59, ++ ++ dns_nsstatscounter_max = 60 + }; + + /*% +@@ -763,4 +766,12 @@ ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text); + isc_result_t + ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text); + ++ ++/*% ++ * Control whether stale answers are served or not when configured in ++ * named.conf. ++ */ ++isc_result_t ++ns_server_servestale(ns_server_t *server, isc_lex_t *lex, ++ isc_buffer_t **text); + #endif /* NAMED_SERVER_H */ +diff --git a/bin/named/log.c b/bin/named/log.c +index 3aa25e9..12f178b 100644 +--- a/bin/named/log.c ++++ b/bin/named/log.c +@@ -38,6 +38,7 @@ static isc_logcategory_t categories[] = { + { "update-security", 0 }, + { "query-errors", 0 }, + { "trust-anchor-telemetry", 0 }, ++ { "serve-stale", 0 }, + { NULL, 0 } + }; + +diff --git a/bin/named/query.c b/bin/named/query.c +index 0940714..882d69c 100644 +--- a/bin/named/query.c ++++ b/bin/named/query.c +@@ -125,10 +125,14 @@ + #define REDIRECT(c) (((c)->query.attributes & \ + NS_QUERYATTR_REDIRECT) != 0) + +-/*% No QNAME Proof? */ ++/*% Does the rdataset 'r' have an attached 'No QNAME Proof'? */ + #define NOQNAME(r) (((r)->attributes & \ + DNS_RDATASETATTR_NOQNAME) != 0) + ++/*% Does the rdataset 'r' contain a stale answer? */ ++#define STALE(r) (((r)->attributes & \ ++ DNS_RDATASETATTR_STALE) != 0) ++ + #ifdef WANT_QUERYTRACE + static inline void + client_trace(ns_client_t *client, int level, const char *message) { +@@ -217,6 +221,10 @@ static bool + rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); + ++static void ++recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype, ++ const dns_name_t *qname, const dns_name_t *qdomain); ++ + /*% + * Increment query statistics counters. + */ +@@ -470,6 +478,7 @@ query_reset(ns_client_t *client, bool everything) { + client->query.isreferral = false; + client->query.dns64_options = 0; + client->query.dns64_ttl = UINT32_MAX; ++ recparam_update(&client->query.recparam, 0, NULL, NULL); + client->query.root_key_sentinel_keyid = 0; + client->query.root_key_sentinel_is_ta = false; + client->query.root_key_sentinel_not_ta = false; +@@ -4254,6 +4263,54 @@ query_prefetch(ns_client_t *client, dns_name_t *qname, + dns_rdataset_clearprefetch(rdataset); + } + ++/*% ++ * Check whether the recursion parameters in 'param' match the current query's ++ * recursion parameters provided in 'qtype', 'qname', and 'qdomain'. ++ */ ++static bool ++recparam_match(const ns_query_recparam_t *param, dns_rdatatype_t qtype, ++ const dns_name_t *qname, const dns_name_t *qdomain) ++{ ++ REQUIRE(param != NULL); ++ ++ return (param->qtype == qtype && ++ param->qname != NULL && qname != NULL && ++ param->qdomain != NULL && qdomain != NULL && ++ dns_name_equal(param->qname, qname) && ++ dns_name_equal(param->qdomain, qdomain)); ++} ++ ++/*% ++ * Update 'param' with current query's recursion parameters provided in ++ * 'qtype', 'qname', and 'qdomain'. ++ */ ++static void ++recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype, ++ const dns_name_t *qname, const dns_name_t *qdomain) ++{ ++ isc_result_t result; ++ ++ REQUIRE(param != NULL); ++ ++ param->qtype = qtype; ++ ++ if (qname == NULL) { ++ param->qname = NULL; ++ } else { ++ param->qname = dns_fixedname_initname(¶m->fqname); ++ result = dns_name_copy(qname, param->qname, NULL); ++ RUNTIME_CHECK(result == ISC_R_SUCCESS); ++ } ++ ++ if (qdomain == NULL) { ++ param->qdomain = NULL; ++ } else { ++ param->qdomain = dns_fixedname_initname(¶m->fqdomain); ++ result = dns_name_copy(qdomain, param->qdomain, NULL); ++ RUNTIME_CHECK(result == ISC_R_SUCCESS); ++ } ++} ++ + static isc_result_t + query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, + dns_name_t *qdomain, dns_rdataset_t *nameservers, +@@ -4263,6 +4320,19 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, + dns_rdataset_t *rdataset, *sigrdataset; + isc_sockaddr_t *peeraddr; + ++ /* ++ * Check recursion parameters from the previous query to see if they ++ * match. If not, update recursion parameters and proceed. ++ */ ++ if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) { ++ ns_client_log(client, NS_LOGCATEGORY_CLIENT, ++ NS_LOGMODULE_QUERY, ISC_LOG_INFO, ++ "recursion loop detected"); ++ return (ISC_R_FAILURE); ++ } ++ ++ recparam_update(&client->query.recparam, qtype, qname, qdomain); ++ + if (!resuming) + inc_stats(client, dns_nsstatscounter_recursion); + +@@ -6780,6 +6850,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + int line = -1; + bool dns64_exclude, dns64, rpz; + bool nxrewrite = false; ++ bool want_stale = false; + bool redirected = false; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; +@@ -7089,6 +7160,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + type = qtype; + + restart: ++ // query_start + CTRACE(ISC_LOG_DEBUG(3), "query_find: restart"); + want_restart = false; + authoritative = false; +@@ -7233,6 +7305,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + } + + db_find: ++ // query_lookup + CTRACE(ISC_LOG_DEBUG(3), "query_find: db_find"); + /* + * We'll need some resources... +@@ -7290,6 +7363,35 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + if (!is_zone) + dns_cache_updatestats(client->view->cache, result); + ++ if (want_stale) { ++ char namebuf[DNS_NAME_FORMATSIZE]; ++ bool success; ++ ++ client->query.dboptions &= ~DNS_DBFIND_STALEOK; ++ want_stale = false; ++ ++ if (dns_rdataset_isassociated(rdataset) && ++ dns_rdataset_count(rdataset) > 0 && ++ STALE(rdataset)) { ++ rdataset->ttl = client->view->staleanswerttl; ++ success = true; ++ } else { ++ success = false; ++ } ++ ++ dns_name_format(client->query.qname, ++ namebuf, sizeof(namebuf)); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_SERVE_STALE, ++ NS_LOGMODULE_QUERY, ISC_LOG_INFO, ++ "%s resolver failure, stale answer %s", ++ namebuf, success ? "used" : "unavailable"); ++ ++ if (!success) { ++ QUERY_ERROR(DNS_R_SERVFAIL); ++ goto cleanup; ++ } ++ } ++ + resume: + CTRACE(ISC_LOG_DEBUG(3), "query_find: resume"); + +@@ -7635,6 +7737,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + * The cache doesn't even have the root NS. Get them from + * the hints DB. + */ ++ // query_notfound + INSIST(!is_zone); + if (db != NULL) + dns_db_detach(&db); +@@ -7697,12 +7800,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + */ + /* FALLTHROUGH */ + case DNS_R_DELEGATION: ++ // query_delegation + authoritative = false; + if (is_zone) { + /* + * Look to see if we are authoritative for the + * child zone if the query type is DS. + */ ++ // query_zone_delegation + if (!RECURSIONOK(client) && + (options & DNS_GETDB_NOEXACT) != 0 && + qtype == dns_rdatatype_ds) { +@@ -8089,6 +8194,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + false, true); + } + } ++ // query_nxdomain + if (dns_rdataset_isassociated(rdataset)) { + /* + * If we've got a NSEC record, we need to save the +@@ -8409,7 +8515,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + /* + * If we have a zero ttl from the cache refetch it. + */ +- if (!is_zone && !resuming && rdataset->ttl == 0 && ++ // query_cname ++ if (!is_zone && !resuming && !STALE(rdataset) && rdataset->ttl == 0 && + RECURSIONOK(client)) + { + if (dns_rdataset_isassociated(rdataset)) +@@ -8627,7 +8734,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + "query_find: unexpected error after resuming: %s", + isc_result_totext(result)); + CTRACE(ISC_LOG_ERROR, errmsg); +- QUERY_ERROR(DNS_R_SERVFAIL); ++ if (resuming) { ++ want_stale = true; ++ } else { ++ QUERY_ERROR(DNS_R_SERVFAIL); ++ } + goto cleanup; + } + +@@ -8883,7 +8994,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + /* + * If we have a zero ttl from the cache refetch it. + */ +- if (!is_zone && !resuming && rdataset->ttl == 0 && ++ if (!is_zone && !resuming && !STALE(rdataset) && rdataset->ttl == 0 && + RECURSIONOK(client)) + { + if (dns_rdataset_isassociated(rdataset)) +@@ -8894,6 +9005,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + if (node != NULL) + dns_db_detachnode(db, &node); + ++ // query_respond + INSIST(!REDIRECT(client)); + result = query_recurse(client, qtype, + client->query.qname, +@@ -9174,6 +9286,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + dns_fixedname_name(&wildcardname), + true, false); + cleanup: ++ // query_done + CTRACE(ISC_LOG_DEBUG(3), "query_find: cleanup"); + /* + * General cleanup. +@@ -9230,6 +9343,49 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + goto restart; + } + ++ if (want_stale) { ++ dns_ttl_t stale_ttl = 0; ++ isc_result_t result; ++ bool staleanswersok = false; ++ ++ /* ++ * Stale answers only make sense if stale_ttl > 0 but ++ * we want rndc to be able to control returning stale ++ * answers if they are configured. ++ */ ++ dns_db_attach(client->view->cachedb, &db); ++ result = dns_db_getservestalettl(db, &stale_ttl); ++ if (result == ISC_R_SUCCESS && stale_ttl > 0) { ++ switch (client->view->staleanswersok) { ++ case dns_stale_answer_yes: ++ staleanswersok = true; ++ break; ++ case dns_stale_answer_conf: ++ staleanswersok = ++ client->view->staleanswersenable; ++ break; ++ case dns_stale_answer_no: ++ staleanswersok = false; ++ break; ++ } ++ } else { ++ staleanswersok = false; ++ } ++ ++ if (staleanswersok) { ++ client->query.dboptions |= DNS_DBFIND_STALEOK; ++ inc_stats(client, dns_nsstatscounter_trystale); ++ if (client->query.fetch != NULL) ++ dns_resolver_destroyfetch( ++ &client->query.fetch); ++ goto db_find; ++ } ++ dns_db_detach(&db); ++ want_stale = false; ++ QUERY_ERROR(DNS_R_SERVFAIL); ++ goto cleanup; ++ } ++ + if (eresult != ISC_R_SUCCESS && + (!PARTIALANSWER(client) || WANTRECURSION(client) + || eresult == DNS_R_DROP)) { +diff --git a/bin/named/server.c b/bin/named/server.c +index 0c1f08b..d195bca 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -1722,7 +1722,8 @@ static bool + cache_sharable(dns_view_t *originview, dns_view_t *view, + bool new_zero_no_soattl, + unsigned int new_cleaning_interval, +- uint64_t new_max_cache_size) ++ uint64_t new_max_cache_size, ++ uint32_t new_stale_ttl) + { + /* + * If the cache cannot even reused for the same view, it cannot be +@@ -1737,6 +1738,7 @@ cache_sharable(dns_view_t *originview, dns_view_t *view, + */ + if (dns_cache_getcleaninginterval(originview->cache) != + new_cleaning_interval || ++ dns_cache_getservestalettl(originview->cache) != new_stale_ttl || + dns_cache_getcachesize(originview->cache) != new_max_cache_size) { + return (false); + } +@@ -3292,6 +3294,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + size_t max_acache_size; + size_t max_adb_size; + uint32_t lame_ttl, fail_ttl; ++ uint32_t max_stale_ttl; + dns_tsig_keyring_t *ring = NULL; + dns_view_t *pview = NULL; /* Production view */ + isc_mem_t *cmctx = NULL, *hmctx = NULL; +@@ -3320,6 +3323,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + bool old_rpz_ok = false; + isc_dscp_t dscp4 = -1, dscp6 = -1; + dns_dyndbctx_t *dctx = NULL; ++ unsigned int resolver_param; + + REQUIRE(DNS_VIEW_VALID(view)); + +@@ -3734,6 +3738,24 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + if (view->maxncachettl > 7 * 24 * 3600) + view->maxncachettl = 7 * 24 * 3600; + ++ obj = NULL; ++ result = ns_config_get(maps, "max-stale-ttl", &obj); ++ INSIST(result == ISC_R_SUCCESS); ++ max_stale_ttl = cfg_obj_asuint32(obj); ++ ++ obj = NULL; ++ result = ns_config_get(maps, "stale-answer-enable", &obj); ++ INSIST(result == ISC_R_SUCCESS); ++ view->staleanswersenable = cfg_obj_asboolean(obj); ++ ++ result = dns_viewlist_find(&ns_g_server->viewlist, view->name, ++ view->rdclass, &pview); ++ if (result == ISC_R_SUCCESS) { ++ view->staleanswersok = pview->staleanswersok; ++ dns_view_detach(&pview); ++ } else ++ view->staleanswersok = dns_stale_answer_conf; ++ + /* + * Configure the view's cache. + * +@@ -3767,7 +3789,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + nsc = cachelist_find(cachelist, cachename, view->rdclass); + if (nsc != NULL) { + if (!cache_sharable(nsc->primaryview, view, zero_no_soattl, +- cleaning_interval, max_cache_size)) { ++ cleaning_interval, max_cache_size, ++ max_stale_ttl)) { + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_ERROR, + "views %s and %s can't share the cache " +@@ -3866,9 +3889,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + + dns_cache_setcleaninginterval(cache, cleaning_interval); + dns_cache_setcachesize(cache, max_cache_size); ++ dns_cache_setservestalettl(cache, max_stale_ttl); + + dns_cache_detach(&cache); + ++ obj = NULL; ++ result = ns_config_get(maps, "stale-answer-ttl", &obj); ++ INSIST(result == ISC_R_SUCCESS); ++ view->staleanswerttl = ISC_MAX(cfg_obj_asuint32(obj), 1); ++ + /* + * Resolver. + * +@@ -4057,6 +4086,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + maxbits = 4096; + view->maxbits = maxbits; + ++ /* ++ * Set resolver retry parameters. ++ */ ++ obj = NULL; ++ CHECK(ns_config_get(maps, "resolver-retry-interval", &obj)); ++ resolver_param = cfg_obj_asuint32(obj); ++ if (resolver_param > 0) ++ dns_resolver_setretryinterval(view->resolver, resolver_param); ++ ++ obj = NULL; ++ CHECK(ns_config_get(maps, "resolver-nonbackoff-tries", &obj)); ++ resolver_param = cfg_obj_asuint32(obj); ++ if (resolver_param > 0) ++ dns_resolver_setnonbackofftries(view->resolver, resolver_param); ++ + /* + * Set supported DNSSEC algorithms. + */ +@@ -14423,3 +14467,132 @@ ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) { + return (ISC_R_NOTIMPLEMENTED); + #endif + } ++ ++isc_result_t ++ns_server_servestale(ns_server_t *server, isc_lex_t *lex, ++ isc_buffer_t **text) ++{ ++ char *ptr, *classtxt, *viewtxt = NULL; ++ char msg[128]; ++ dns_rdataclass_t rdclass = dns_rdataclass_in; ++ dns_view_t *view; ++ bool found = false; ++ dns_stale_answer_t staleanswersok = dns_stale_answer_conf; ++ bool wantstatus = false; ++ isc_result_t result = ISC_R_SUCCESS; ++ ++ /* Skip the command name. */ ++ ptr = next_token(lex, text); ++ if (ptr == NULL) ++ return (ISC_R_UNEXPECTEDEND); ++ ++ ptr = next_token(lex, NULL); ++ if (ptr == NULL) ++ return (ISC_R_UNEXPECTEDEND); ++ ++ if (strcasecmp(ptr, "on") == 0 || strcasecmp(ptr, "yes") == 0) { ++ staleanswersok = dns_stale_answer_yes; ++ } else if (strcasecmp(ptr, "off") == 0 || strcasecmp(ptr, "no") == 0) { ++ staleanswersok = dns_stale_answer_no; ++ } else if (strcasecmp(ptr, "reset") == 0) { ++ staleanswersok = dns_stale_answer_conf; ++ } else if (strcasecmp(ptr, "status") == 0) { ++ wantstatus = true; ++ } else ++ return (DNS_R_SYNTAX); ++ ++ /* Look for the optional class name. */ ++ classtxt = next_token(lex, text); ++ if (classtxt != NULL) { ++ /* Look for the optional view name. */ ++ viewtxt = next_token(lex, text); ++ } ++ ++ if (classtxt != NULL) { ++ isc_textregion_t r; ++ ++ r.base = classtxt; ++ r.length = strlen(classtxt); ++ result = dns_rdataclass_fromtext(&rdclass, &r); ++ if (result != ISC_R_SUCCESS) { ++ if (viewtxt == NULL) { ++ viewtxt = classtxt; ++ classtxt = NULL; ++ result = ISC_R_SUCCESS; ++ } else { ++ snprintf(msg, sizeof(msg), ++ "unknown class '%s'", classtxt); ++ (void) putstr(text, msg); ++ goto cleanup; ++ } ++ } ++ } ++ ++ result = isc_task_beginexclusive(server->task); ++ RUNTIME_CHECK(result == ISC_R_SUCCESS); ++ ++ for (view = ISC_LIST_HEAD(server->viewlist); ++ view != NULL; ++ view = ISC_LIST_NEXT(view, link)) ++ { ++ dns_ttl_t stale_ttl = 0; ++ dns_db_t *db = NULL; ++ ++ if (classtxt != NULL && rdclass != view->rdclass) ++ continue; ++ ++ if (viewtxt != NULL && strcmp(view->name, viewtxt) != 0) ++ continue; ++ ++ if (!wantstatus) { ++ view->staleanswersok = staleanswersok; ++ found = true; ++ continue; ++ } ++ ++ db = NULL; ++ dns_db_attach(view->cachedb, &db); ++ (void)dns_db_getservestalettl(db, &stale_ttl); ++ dns_db_detach(&db); ++ if (found) ++ CHECK(putstr(text, "\n")); ++ CHECK(putstr(text, view->name)); ++ CHECK(putstr(text, ": ")); ++ switch (view->staleanswersok) { ++ case dns_stale_answer_yes: ++ if (stale_ttl > 0) ++ CHECK(putstr(text, "on (rndc)")); ++ else ++ CHECK(putstr(text, "off (not-cached)")); ++ break; ++ case dns_stale_answer_no: ++ CHECK(putstr(text, "off (rndc)")); ++ break; ++ case dns_stale_answer_conf: ++ if (view->staleanswersenable && stale_ttl > 0) ++ CHECK(putstr(text, "on")); ++ else if (view->staleanswersenable) ++ CHECK(putstr(text, "off (not-cached)")); ++ else ++ CHECK(putstr(text, "off")); ++ break; ++ } ++ if (stale_ttl > 0) { ++ snprintf(msg, sizeof(msg), ++ " (stale-answer-ttl=%u max-stale-ttl=%u)", ++ view->staleanswerttl, stale_ttl); ++ CHECK(putstr(text, msg)); ++ } ++ found = true; ++ } ++ isc_task_endexclusive(ns_g_server->task); ++ ++ if (!found) ++ result = ISC_R_NOTFOUND; ++ ++cleanup: ++ if (isc_buffer_usedlength(*text) > 0) ++ (void) putnull(text); ++ ++ return (result); ++} +diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c +index 4cdf7d6..5b413e7 100644 +--- a/bin/named/statschannel.c ++++ b/bin/named/statschannel.c +@@ -297,6 +297,12 @@ init_desc(void) { + "QryNXRedirRLookup"); + SET_NSSTATDESC(badcookie, "sent badcookie response", "QryBADCOOKIE"); + SET_NSSTATDESC(keytagopt, "Keytag option received", "KeyTagOpt"); ++ SET_NSSTATDESC(trystale, ++ "attempts to use stale cache data after lookup failure", ++ "QryTryStale"); ++ SET_NSSTATDESC(usedstale, ++ "successful uses of stale cache data after lookup failure", ++ "QryUsedStale"); + INSIST(i == dns_nsstatscounter_max); + + /* Initialize resolver statistics */ +diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c +index 8083654..d519983 100644 +--- a/bin/rndc/rndc.c ++++ b/bin/rndc/rndc.c +@@ -160,6 +160,8 @@ command is one of the following:\n\ + scan Scan available network interfaces for changes.\n\ + secroots [view ...]\n\ + Write security roots to the secroots file.\n\ ++ serve-stale ( yes | no | reset ) [class [view]]\n\ ++ Control whether stale answers are returned\n\ + showzone zone [class [view]]\n\ + Print a zone's configuration.\n\ + sign zone [class [view]]\n\ +diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook +index 06b073a..6ae8e5d 100644 +--- a/bin/rndc/rndc.docbook ++++ b/bin/rndc/rndc.docbook +@@ -688,6 +688,25 @@ + + + ++ ++ serve-stale ( on | off | reset | status) class view ++ ++ ++ Enable, disable, or reset the serving of stale answers ++ as configured in named.conf. Serving of stale answers ++ will remain disabled across named.conf ++ reloads if disabled via rndc until it is reset via rndc. ++ ++ ++ Status will report whether serving of stale answers is ++ currently enabled, disabled or not configured for a ++ view. If serving of stale records is configured then ++ the values of stale-answer-ttl and max-stale-ttl are ++ reported. ++ ++ ++ ++ + + secroots - view ... + +diff --git a/bin/tests/system/chain/prereq.sh b/bin/tests/system/chain/prereq.sh +index f3f1939..9ff3f07 100644 +--- a/bin/tests/system/chain/prereq.sh ++++ b/bin/tests/system/chain/prereq.sh +@@ -48,3 +48,10 @@ else + echo_i "This test requires the Net::DNS::Nameserver library." >&2 + exit 1 + fi ++if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null ++then ++ : ++else ++ echo "I:This test requires the Net::DNS::Nameserver library." >&2 ++ exit 1 ++fi +diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in +index f781966..d20a830 100644 +--- a/bin/tests/system/conf.sh.in ++++ b/bin/tests/system/conf.sh.in +@@ -125,7 +125,7 @@ PARALLELDIRS="dnssec rpzrecurse \ + reclimit redirect resolver rndc rootkeysentinel rpz \ + rrchecker rrl rrsetorder rsabigexponent runtime \ + sfcache smartsign sortlist \ +- spf staticstub statistics statschannel stub \ ++ spf serve-stale staticstub statistics statschannel stub \ + tcp tsig tsiggss \ + unknown upforwd verify views wildcard \ + xfer xferquota zero zonechecks" +diff --git a/bin/tests/system/dyndb/driver/db.c b/bin/tests/system/dyndb/driver/db.c +index 02aa6ab..a77c7de 100644 +--- a/bin/tests/system/dyndb/driver/db.c ++++ b/bin/tests/system/dyndb/driver/db.c +@@ -629,6 +629,8 @@ static dns_dbmethods_t sampledb_methods = { + hashsize, + NULL, + NULL, ++ NULL, ++ NULL, + }; + + /* Auxiliary driver functions. */ +diff --git a/bin/tests/system/serve-stale/.gitignore b/bin/tests/system/serve-stale/.gitignore +new file mode 100644 +index 0000000..2272eef +--- /dev/null ++++ b/bin/tests/system/serve-stale/.gitignore +@@ -0,0 +1,11 @@ ++/ans2/ans.pid ++/ans2/ans.pl ++/dig.out* ++/ns1/named.conf ++/ns3/named.conf ++/ns3/root.bk ++/rndc.out* ++named.lock ++named.pid ++named.port ++named.run +diff --git a/bin/tests/system/serve-stale/ans2/ans.pl.in b/bin/tests/system/serve-stale/ans2/ans.pl.in +new file mode 100644 +index 0000000..2b39eca +--- /dev/null ++++ b/bin/tests/system/serve-stale/ans2/ans.pl.in +@@ -0,0 +1,178 @@ ++#!/usr/bin/env perl ++# ++# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++use strict; ++use warnings; ++ ++use IO::File; ++use IO::Socket; ++use Getopt::Long; ++use Net::DNS; ++use Time::HiRes qw(usleep nanosleep); ++ ++my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; ++print $pidf "$$\n" or die "cannot write pid file: $!"; ++$pidf->close or die "cannot close pid file: $!"; ++sub rmpid { unlink "ans.pid"; exit 1; }; ++ ++$SIG{INT} = \&rmpid; ++$SIG{TERM} = \&rmpid; ++ ++my $send_response = 1; ++ ++my $localaddr = "10.53.0.2"; ++my $localport = @PORT@; ++my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr", ++ LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; ++ ++# ++# Delegation ++# ++my $SOA = "example 300 IN SOA . . 0 0 0 0 300"; ++my $NS = "example 300 IN NS ns.example"; ++my $A = "ns.example 300 IN A $localaddr"; ++# ++# Records to be TTL stretched ++# ++my $TXT = "data.example 1 IN TXT \"A text record with a 1 second ttl\""; ++my $negSOA = "example 1 IN SOA . . 0 0 0 0 300"; ++ ++sub reply_handler { ++ my ($qname, $qclass, $qtype) = @_; ++ my ($rcode, @ans, @auth, @add); ++ ++ print ("request: $qname/$qtype\n"); ++ STDOUT->flush(); ++ ++ # Control whether we send a response or not. ++ # We always respond to control commands. ++ if ($qname eq "enable" ) { ++ if ($qtype eq "TXT") { ++ $send_response = 1; ++ my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"$send_response\""); ++ push @ans, $rr; ++ } ++ $rcode = "NOERROR"; ++ return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); ++ } elsif ($qname eq "disable" ) { ++ if ($qtype eq "TXT") { ++ $send_response = 0; ++ my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"$send_response\""); ++ push @ans, $rr; ++ } ++ $rcode = "NOERROR"; ++ return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); ++ } ++ ++ # If we are not responding to queries we are done. ++ return if (!$send_response); ++ ++ # Construct the response and send it. ++ if ($qname eq "ns.example" ) { ++ if ($qtype eq "A") { ++ my $rr = new Net::DNS::RR($A); ++ push @ans, $rr; ++ } else { ++ my $rr = new Net::DNS::RR($SOA); ++ push @auth, $rr; ++ } ++ $rcode = "NOERROR"; ++ } elsif ($qname eq "example") { ++ if ($qtype eq "NS") { ++ my $rr = new Net::DNS::RR($NS); ++ push @auth, $rr; ++ $rr = new Net::DNS::RR($A); ++ push @add, $rr; ++ } elsif ($qtype eq "SOA") { ++ my $rr = new Net::DNS::RR($SOA); ++ push @ans, $rr; ++ } else { ++ my $rr = new Net::DNS::RR($SOA); ++ push @auth, $rr; ++ } ++ $rcode = "NOERROR"; ++ } elsif ($qname eq "nodata.example") { ++ my $rr = new Net::DNS::RR($negSOA); ++ push @auth, $rr; ++ $rcode = "NOERROR"; ++ } elsif ($qname eq "data.example") { ++ if ($qtype eq "TXT") { ++ my $rr = new Net::DNS::RR($TXT); ++ push @ans, $rr; ++ } else { ++ my $rr = new Net::DNS::RR($negSOA); ++ push @auth, $rr; ++ } ++ $rcode = "NOERROR"; ++ } elsif ($qname eq "nxdomain.example") { ++ my $rr = new Net::DNS::RR($negSOA); ++ push @auth, $rr; ++ $rcode = "NXDOMAIN"; ++ } else { ++ my $rr = new Net::DNS::RR($SOA); ++ push @auth, $rr; ++ $rcode = "NXDOMAIN"; ++ } ++ ++ # mark the answer as authoritive (by setting the 'aa' flag ++ return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); ++} ++ ++GetOptions( ++ 'port=i' => \$localport, ++); ++ ++my $rin; ++my $rout; ++ ++for (;;) { ++ $rin = ''; ++ vec($rin, fileno($udpsock), 1) = 1; ++ ++ select($rout = $rin, undef, undef, undef); ++ ++ if (vec($rout, fileno($udpsock), 1)) { ++ my ($buf, $request, $err); ++ $udpsock->recv($buf, 512); ++ ++ if ($Net::DNS::VERSION > 0.68) { ++ $request = new Net::DNS::Packet(\$buf, 0); ++ $@ and die $@; ++ } else { ++ my $err; ++ ($request, $err) = new Net::DNS::Packet(\$buf, 0); ++ $err and die $err; ++ } ++ ++ my @questions = $request->question; ++ my $qname = $questions[0]->qname; ++ my $qclass = $questions[0]->qclass; ++ my $qtype = $questions[0]->qtype; ++ my $id = $request->header->id; ++ ++ my ($rcode, $ans, $auth, $add, $headermask) = reply_handler($qname, $qclass, $qtype); ++ ++ if (!defined($rcode)) { ++ print " Silently ignoring query\n"; ++ next; ++ } ++ ++ my $reply = Net::DNS::Packet->new(); ++ $reply->header->qr(1); ++ $reply->header->aa(1) if $headermask->{'aa'}; ++ $reply->header->id($id); ++ $reply->header->rcode($rcode); ++ $reply->push("question", @questions); ++ $reply->push("answer", @$ans) if $ans; ++ $reply->push("authority", @$auth) if $auth; ++ $reply->push("additional", @$add) if $add; ++ ++ my $num_chars = $udpsock->send($reply->data); ++ print " Sent $num_chars bytes via UDP\n"; ++ } ++} +diff --git a/bin/tests/system/serve-stale/clean.sh b/bin/tests/system/serve-stale/clean.sh +new file mode 100644 +index 0000000..2397326 +--- /dev/null ++++ b/bin/tests/system/serve-stale/clean.sh +@@ -0,0 +1,15 @@ ++# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++rm -f test.output ++rm -f dig.out.test* ++rm -f ans2/ans.pl ++rm -f ns3/root.bk ++rm -f rndc.out.test* ++rm -f ns*/named.memstats ++rm -f ns*/managed-keys.bind ++rm -f ns*/named.conf ++rm -f ns*/named.run +diff --git a/bin/tests/system/serve-stale/ns1/named1.conf.in b/bin/tests/system/serve-stale/ns1/named1.conf.in +new file mode 100644 +index 0000000..8a75a10 +--- /dev/null ++++ b/bin/tests/system/serve-stale/ns1/named1.conf.in +@@ -0,0 +1,35 @@ ++/* ++ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ */ ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++options { ++ query-source address 10.53.0.1; ++ notify-source 10.53.0.1; ++ transfer-source 10.53.0.1; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.1; }; ++ listen-on-v6 { none; }; ++ recursion yes; ++ max-stale-ttl 3600; ++ stale-answer-ttl 1; ++ stale-answer-enable yes; ++}; ++ ++zone "." { ++ type master; ++ file "root.db"; ++}; +diff --git a/bin/tests/system/serve-stale/ns1/named2.conf.in b/bin/tests/system/serve-stale/ns1/named2.conf.in +new file mode 100644 +index 0000000..072e6ec +--- /dev/null ++++ b/bin/tests/system/serve-stale/ns1/named2.conf.in +@@ -0,0 +1,35 @@ ++/* ++ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ */ ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++options { ++ query-source address 10.53.0.1; ++ notify-source 10.53.0.1; ++ transfer-source 10.53.0.1; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.1; }; ++ listen-on-v6 { none; }; ++ recursion yes; ++ max-stale-ttl 7200; ++ stale-answer-ttl 2; ++ stale-answer-enable yes; ++}; ++ ++zone "." { ++ type master; ++ file "root.db"; ++}; +diff --git a/bin/tests/system/serve-stale/ns1/root.db b/bin/tests/system/serve-stale/ns1/root.db +new file mode 100644 +index 0000000..eb9ad3e +--- /dev/null ++++ b/bin/tests/system/serve-stale/ns1/root.db +@@ -0,0 +1,5 @@ ++. 300 SOA . . 0 0 0 0 0 ++. 300 NS ns.nil. ++ns.nil. 300 A 10.53.0.1 ++example. 300 NS ns.example. ++ns.example. 300 A 10.53.0.2 +diff --git a/bin/tests/system/serve-stale/ns3/named.conf.in b/bin/tests/system/serve-stale/ns3/named.conf.in +new file mode 100644 +index 0000000..24a3293 +--- /dev/null ++++ b/bin/tests/system/serve-stale/ns3/named.conf.in +@@ -0,0 +1,35 @@ ++/* ++ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ */ ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++options { ++ query-source address 10.53.0.3; ++ notify-source 10.53.0.3; ++ transfer-source 10.53.0.3; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.3; }; ++ listen-on-v6 { none; }; ++ recursion yes; ++ // max-stale-ttl 3600; ++ // stale-answer-ttl 3; ++}; ++ ++zone "." { ++ type slave; ++ masters { 10.53.0.1; }; ++ file "root.bk"; ++}; +diff --git a/bin/tests/system/serve-stale/prereq.sh b/bin/tests/system/serve-stale/prereq.sh +new file mode 100644 +index 0000000..a3bbef8 +--- /dev/null ++++ b/bin/tests/system/serve-stale/prereq.sh +@@ -0,0 +1,38 @@ ++#!/bin/sh ++# ++# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++SYSTEMTESTTOP=.. ++. $SYSTEMTESTTOP/conf.sh ++ ++if $PERL -e 'use Net::DNS;' 2>/dev/null ++then ++ if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null ++ then ++ : ++ else ++ echo "I:Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2 ++ exit 1 ++ fi ++else ++ echo "I:This test requires the Net::DNS library." >&2 ++ exit 1 ++fi ++if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null ++then ++ : ++else ++ echo "I:This test requires the Net::DNS::Nameserver library." >&2 ++ exit 1 ++fi ++if $PERL -e 'use Time::HiRes;' 2>/dev/null ++then ++ : ++else ++ echo "I:This test requires the Time::HiRes library." >&2 ++ exit 1 ++fi +diff --git a/bin/tests/system/serve-stale/setup.sh b/bin/tests/system/serve-stale/setup.sh +new file mode 100644 +index 0000000..690f43c +--- /dev/null ++++ b/bin/tests/system/serve-stale/setup.sh +@@ -0,0 +1,13 @@ ++#!/bin/sh ++# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++SYSTEMTESTTOP=.. ++. $SYSTEMTESTTOP/conf.sh ++ ++copy_setports ns1/named1.conf.in ns1/named.conf ++copy_setports ans2/ans.pl.in ans2/ans.pl ++copy_setports ns3/named.conf.in ns3/named.conf +diff --git a/bin/tests/system/serve-stale/tests.sh b/bin/tests/system/serve-stale/tests.sh +new file mode 100755 +index 0000000..201c996 +--- /dev/null ++++ b/bin/tests/system/serve-stale/tests.sh +@@ -0,0 +1,536 @@ ++#!/bin/sh ++# ++# Copyright (C) 2000, 2001, 2004, 2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++SYSTEMTESTTOP=.. ++. $SYSTEMTESTTOP/conf.sh ++ ++while getopts "p:c:" flag; do ++ case "$flag" in ++ p) port=$OPTARG ;; ++ c) controlport=$OPTARG ;; ++ *) exit 1 ;; ++ esac ++done ++ ++RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" ++ ++echo "RNDCCMD: ${RNDCCMD}" ++ ++status=0 ++n=0 ++ ++#echo "I:check ans.pl server ($n)" ++#$DIG -p ${PORT} @10.53.0.2 example NS ++#$DIG -p ${PORT} @10.53.0.2 example SOA ++#$DIG -p ${PORT} @10.53.0.2 ns.example A ++#$DIG -p ${PORT} @10.53.0.2 ns.example AAAA ++#$DIG -p ${PORT} @10.53.0.2 txt enable ++#$DIG -p ${PORT} @10.53.0.2 txt disable ++#$DIG -p ${PORT} @10.53.0.2 ns.example AAAA ++#$DIG -p ${PORT} @10.53.0.2 txt enable ++#$DIG -p ${PORT} @10.53.0.2 ns.example AAAA ++##$DIG -p ${PORT} @10.53.0.2 data.example TXT ++#$DIG -p ${PORT} @10.53.0.2 nodata.example TXT ++#$DIG -p ${PORT} @10.53.0.2 nxdomain.example TXT ++ ++n=`expr $n + 1` ++echo "I:prime cache data.example ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:prime cache nodata.example ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:prime cache nxdomain.example ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n ++grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:disable responses from authoritative server ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++sleep 1 ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: on (stale-answer-ttl=1 max-stale-ttl=3600)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale data.example ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nodata.example ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nxdomain.example ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n ++grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:running 'rndc serve-stale off' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale off || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: off (rndc) (stale-answer-ttl=1 max-stale-ttl=3600)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale data.example (serve-stale off) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nodata.example (serve-stale off) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nxdomain.example (serve-stale off) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:running 'rndc serve-stale on' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale on || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: on (rndc) (stale-answer-ttl=1 max-stale-ttl=3600)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale data.example (serve-stale on) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nodata.example (serve-stale on) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nxdomain.example (serve-stale on) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n ++grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:running 'rndc serve-stale no' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale no || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: off (rndc) (stale-answer-ttl=1 max-stale-ttl=3600)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale data.example (serve-stale no) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nodata.example (serve-stale no) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nxdomain.example (serve-stale no) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:running 'rndc serve-stale yes' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale yes || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: on (rndc) (stale-answer-ttl=1 max-stale-ttl=3600)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale data.example (serve-stale yes) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nodata.example (serve-stale yes) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nxdomain.example (serve-stale yes) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n ++grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:running 'rndc serve-stale off' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale off || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:running 'rndc serve-stale reset' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale reset || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: on (stale-answer-ttl=1 max-stale-ttl=3600)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale data.example (serve-stale reset) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nodata.example (serve-stale reset) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check stale nxdomain.example (serve-stale reset) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n ++grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:running 'rndc serve-stale off' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale off || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: off (rndc) (stale-answer-ttl=1 max-stale-ttl=3600)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:updating ns1/named.conf ($n)" ++ret=0 ++sed -e "s/@PORT@/${PORT}/g;s/@CONTROLPORT@/${CONTROLPORT}/g" < ns1/named2.conf.in > ns1/named.conf ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:running 'rndc reload' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 reload > rndc.out.test$n 2>&1 || ret=1 ++grep "server reload successful" rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: off (rndc) (stale-answer-ttl=2 max-stale-ttl=7200)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale > rndc.out.test$n 2>&1 && ret=1 ++grep "unexpected end of input" rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale unknown' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 serve-stale unknown > rndc.out.test$n 2>&1 && ret=1 ++grep "syntax error" rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo_i "flush cache, re-enable serve-stale and query again ($n)" ++ret=0 ++$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 ++$RNDCCMD 10.53.0.1 serve-stale on > rndc.out.test$n.2 2>&1 || ret=1 ++$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++ret=0 ++$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:prime cache data.example (max-stale-ttl default) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:prime cache nodata.example (max-stale-ttl default) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:prime cache nxdomain.example (max-stale-ttl default) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$n ++grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:disable responses from authoritative server ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++sleep 1 ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: off (stale-answer-ttl=1 max-stale-ttl=604800)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check fail of data.example (max-stale-ttl default) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check fail of nodata.example (max-stale-ttl default) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check fail of nxdomain.example (max-stale-ttl default) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$n ++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale on' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.3 serve-stale on > rndc.out.test$n 2>&1 || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check 'rndc serve-stale status' ($n)" ++ret=0 ++$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 ++grep '_default: on (rndc) (stale-answer-ttl=1 max-stale-ttl=604800)' rndc.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check data.example (max-stale-ttl default) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check nodata.example (max-stale-ttl default) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n ++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo "I:check nxdomain.example (max-stale-ttl default) ($n)" ++ret=0 ++$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$n ++grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 ++grep "example.*1.*IN" dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++echo "I:exit status: $status" ++[ $status -eq 0 ] || exit 1 +diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml +index 539973c..8528649 100644 +--- a/doc/arm/Bv9ARM-book.xml ++++ b/doc/arm/Bv9ARM-book.xml +@@ -4376,6 +4376,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] + statement in the named.conf file: +
+ ++ [ max-stale-ttl number ; ] ++ [ stale-answer-enable yes_or_no ; ] ++ [ stale-answer-ttl number ; ] + + +
<command>options</command> Statement Definition and +@@ -4469,6 +4472,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] + <command>dnssec-validation</command>, + <command>max-cache-ttl</command>, + <command>max-ncache-ttl</command>, ++ <command>max-stale-ttl</command>, + <command>max-cache-size</command>, and + <command>zero-no-soa-ttl</command>. + </para> +@@ -5480,7 +5484,6 @@ options { + </listitem> + </varlistentry> + +- + <varlistentry> + <term><command>max-zone-ttl</command></term> + <listitem> +@@ -5516,6 +5519,21 @@ options { + </listitem> + </varlistentry> + ++ <varlistentry> ++ <term><command>stale-answer-ttl</command></term> ++ <listitem> ++ <para> ++ Specifies the TTL to be returned on stale answers. ++ The default is 1 second. The minimal allowed is ++ also 1 second; a value of 0 will be updated silently ++ to 1 second. For stale answers to be returned ++ <option>max-stale-ttl</option> must be set to a ++ non zero value and they must not have been disabled ++ by <command>rndc</command>. ++ </para> ++ </listitem> ++ </varlistentry> ++ + <varlistentry> + <term><command>serial-update-method</command></term> + <listitem> +@@ -6275,6 +6293,22 @@ options { + </listitem> + </varlistentry> + ++ <varlistentry> ++ <term><command>serve-stale-enable</command></term> ++ <listitem> ++ <para> ++ Enable the returning of stale answers when the ++ nameservers for the zone are not answering. This ++ is off by default but can be enabled/disabled via ++ <command>rndc server-stale on</command> and ++ <command>rndc server-stale off</command> which ++ override the named.conf setting. <command>rndc ++ server-stale reset</command> will restore control ++ via named.conf. ++ </para> ++ </listitem> ++ </varlistentry> ++ + <varlistentry> + <term><command>nocookie-udp-size</command></term> + <listitem> +@@ -7483,14 +7517,20 @@ options { + <term><command>resolver-query-timeout</command></term> + <listitem> + <para> +- The amount of time in seconds that the resolver ++ The amount of time in milliseconds that the resolver + will spend attempting to resolve a recursive + query before failing. The default and minimum +- is <literal>10</literal> and the maximum is +- <literal>30</literal>. Setting it to ++ is <literal>10000</literal> and the maximum is ++ <literal>30000</literal>. Setting it to + <literal>0</literal> will result in the default + being used. + </para> ++ <para> ++ This value was originally specified in seconds. ++ Values less than or equal to 300 will be be treated ++ as seconds and converted to milliseconds before ++ applying the above limits. ++ </para> + </listitem> + </varlistentry> + </variablelist> +@@ -8976,6 +9016,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; + </listitem> + </varlistentry> + ++ <varlistentry> ++ <term><command>max-stale-ttl</command></term> ++ <listitem> ++ <para> ++ Sets the maximum time for which the server will ++ retain records past their normal expiry to ++ return them as stale records when the servers ++ for those records are not reachable. The default ++ is to not retain the record. ++ </para> ++ <para> ++ <command>rndc serve-stale</command> can be used ++ to disable and re-enable the serving of stale ++ records at runtime. Reloading or reconfiguring ++ <command>named</command> will not re-enable serving ++ of stale records if they have been disabled via ++ <command>rndc</command>. ++ </para> ++ </listitem> ++ </varlistentry> ++ + <varlistentry> + <term><command>min-roots</command></term> + <listitem> +diff --git a/doc/arm/logging-categories.xml b/doc/arm/logging-categories.xml +index 181def7..59f6afb 100644 +--- a/doc/arm/logging-categories.xml ++++ b/doc/arm/logging-categories.xml +@@ -311,6 +311,17 @@ + </para> + </entry> + </row> ++ <row rowsep="0"> ++ <entry colname="1"> ++ <para><command>serve-stale</command></para> ++ </entry> ++ <entry colname="2"> ++ <para> ++ Whether or not a stale answer is used ++ following a resolver failure. ++ </para> ++ </entry> ++ </row> + <row rowsep="0"> + <entry colname="1"> + <para><command>spill</command></para> +diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml +index 11c3a7c..ba3c2cc 100644 +--- a/doc/arm/notes-rh-changes.xml ++++ b/doc/arm/notes-rh-changes.xml +@@ -13,6 +13,9 @@ + <section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes + + ++ ++ This version includes some features not present in releases by ISC. ++ + + By default, BIND now uses the random number generation functions + in the cryptographic library (i.e., OpenSSL or a PKCS#11 +@@ -37,7 +40,16 @@ + case /dev/random will be the default + entropy source. [RT #31459] [RT #46047] + +- ++ ++ When acting as a recursive resolver, named ++ can now continue returning answers whose TTLs have expired ++ when the authoritative server is under attack and unable to ++ respond. This is controlled by the ++ stale-answer-enable, ++ stale-answer-ttl and ++ max-stale-ttl options. [RT #44790] ++ ++ + +
+ +diff --git a/doc/misc/options b/doc/misc/options +index e11beed..fde93c7 100644 +--- a/doc/misc/options ++++ b/doc/misc/options +@@ -225,6 +225,7 @@ options { + max-refresh-time ; + max-retry-time ; + max-rsa-exponent-size ; ++ max-stale-ttl ; + max-transfer-idle-in ; + max-transfer-idle-out ; + max-transfer-time-in ; +@@ -298,7 +299,9 @@ options { + request-sit ; // obsolete + require-server-cookie ; + reserved-sockets ; ++ resolver-nonbackoff-tries ; + resolver-query-timeout ; ++ resolver-retry-interval ; + response-policy { zone [ log ] [ max-policy-ttl + ] [ policy ( cname | disabled | drop | given | no-op + | nodata | nxdomain | passthru | tcp-only ) ] [ +@@ -328,6 +331,8 @@ options { + sit-secret ; // obsolete + sortlist { ; ... }; + stacksize ( default | unlimited | ); ++ stale-answer-enable ; ++ stale-answer-ttl ; + startup-notify-rate ; + statistics-file ; + statistics-interval ; // not yet implemented +@@ -539,6 +544,7 @@ view [ ] { + max-recursion-queries ; + max-refresh-time ; + max-retry-time ; ++ max-stale-ttl ; + max-transfer-idle-in ; + max-transfer-idle-out ; + max-transfer-time-in ; +@@ -600,7 +606,9 @@ view [ ] { + request-nsid ; + request-sit ; // obsolete + require-server-cookie ; ++ resolver-nonbackoff-tries ; + resolver-query-timeout ; ++ resolver-retry-interval ; + response-policy { zone [ log ] [ max-policy-ttl + ] [ policy ( cname | disabled | drop | given | no-op + | nodata | nxdomain | passthru | tcp-only ) ] [ +@@ -655,6 +663,8 @@ view [ ] { + sig-signing-type ; + sig-validity-interval [ ]; + sortlist { ; ... }; ++ stale-answer-enable ; ++ stale-answer-ttl ; + suppress-initial-notify ; // not yet implemented + topology { ; ... }; // not implemented + transfer-format ( many-answers | one-answer ); +diff --git a/lib/bind9/check.c b/lib/bind9/check.c +index 5c057a4..7b82618 100644 +--- a/lib/bind9/check.c ++++ b/lib/bind9/check.c +@@ -99,7 +99,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "rrset-order: invalid class '%s'", + r.base); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } + } + +@@ -112,7 +113,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "rrset-order: invalid type '%s'", + r.base); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } + } + +@@ -126,7 +128,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) { + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "rrset-order: invalid name '%s'", str); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } + } + +@@ -135,14 +138,16 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) { + strcasecmp("order", cfg_obj_asstring(obj)) != 0) { + cfg_obj_log(ent, logctx, ISC_LOG_ERROR, + "rrset-order: keyword 'order' missing"); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } + + obj = cfg_tuple_get(ent, "ordering"); + if (!cfg_obj_isstring(obj)) { + cfg_obj_log(ent, logctx, ISC_LOG_ERROR, + "rrset-order: missing ordering"); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) { + #if !DNS_RDATASET_FIXED + cfg_obj_log(obj, logctx, ISC_LOG_WARNING, +@@ -154,7 +159,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "rrset-order: invalid order '%s'", + cfg_obj_asstring(obj)); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } + return (result); + } +@@ -174,7 +180,7 @@ check_order(const cfg_obj_t *options, isc_log_t *logctx) { + element = cfg_list_next(element)) + { + tresult = check_orderent(cfg_listelt_value(element), logctx); +- if (tresult != ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) + result = tresult; + } + return (result); +@@ -204,7 +210,8 @@ check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) { + if (val > UINT16_MAX) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "port '%u' out of range", val); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; + } + } + obj = cfg_tuple_get(alternates, "addresses"); +@@ -224,7 +231,8 @@ check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) { + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "bad name '%s'", str); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = tresult; + } + obj = cfg_tuple_get(value, "port"); + if (cfg_obj_isuint32(obj)) { +@@ -232,7 +240,8 @@ check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) { + if (val > UINT16_MAX) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "port '%u' out of range", val); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; + } + } + } +@@ -1267,7 +1276,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "auto-dnssec may only be activated at the " + "zone level"); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } + } + +@@ -1287,7 +1297,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + { + obj = cfg_listelt_value(element); + tresult = mustbesecure(obj, symtab, logctx, mctx); +- if (tresult != ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) + result = tresult; + } + if (symtab != NULL) +@@ -1306,7 +1316,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "%s: invalid name '%s'", + server_contact[i], str); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } + } + } +@@ -1326,7 +1337,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "disable-empty-zone: invalid name '%s'", + str); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } + } + +@@ -1340,11 +1352,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + strlen(cfg_obj_asstring(obj)) > 1024U) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "'server-id' too big (>1024 bytes)"); +- result = ISC_R_FAILURE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_FAILURE; + } + + tresult = check_dscp(options, logctx); +- if (tresult != ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) + result = tresult; + + obj = NULL; +@@ -1354,11 +1367,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + if (lifetime > 604800) { /* 7 days */ + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "'nta-lifetime' cannot exceed one week"); +- result = ISC_R_RANGE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; + } else if (lifetime == 0) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "'nta-lifetime' may not be zero"); +- result = ISC_R_RANGE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; + } + } + +@@ -1369,7 +1384,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + if (recheck > 604800) { /* 7 days */ + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "'nta-recheck' cannot exceed one week"); +- result = ISC_R_RANGE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; + } + + if (recheck > lifetime) +@@ -1387,7 +1403,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + if (strcasecmp(ccalg, "aes") == 0) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "cookie-algorithm: '%s' not supported", ccalg); +- result = ISC_R_NOTIMPLEMENTED; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_NOTIMPLEMENTED; + } + #endif + +@@ -1476,7 +1493,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "%s out of range (%u < %u)", + fstrm[i].name, value, fstrm[i].min); +- result = ISC_R_RANGE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; + } + + if (strcmp(fstrm[i].name, "fstrm-set-input-queue-size") == 0) { +@@ -1490,7 +1508,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + "%s '%u' not a power-of-2", + fstrm[i].name, + cfg_obj_asuint32(obj)); +- result = ISC_R_RANGE; ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; + } + } + } +@@ -1508,7 +1527,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + "%" PRId64 "' " + "is too small", + mapsize); +- return (ISC_R_RANGE); ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; + } else if (mapsize > (1ULL << 40)) { /* 1 terabyte */ + cfg_obj_log(obj, logctx, + ISC_LOG_ERROR, +@@ -1516,10 +1536,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, + "%" PRId64 "' " + "is too large", + mapsize); +- return (ISC_R_RANGE); ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; + } + } + ++ obj = NULL; ++ (void)cfg_map_get(options, "resolver-nonbackoff-tries", &obj); ++ if (obj != NULL && cfg_obj_asuint32(obj) == 0U) { ++ cfg_obj_log(obj, logctx, ISC_LOG_ERROR, ++ "'resolver-nonbackoff-tries' must be >= 1"); ++ if (result == ISC_R_SUCCESS) ++ result = ISC_R_RANGE; ++ } ++ + return (result); + } + +diff --git a/lib/dns/cache.c b/lib/dns/cache.c +index 4701ff8..97e427a 100644 +--- a/lib/dns/cache.c ++++ b/lib/dns/cache.c +@@ -138,6 +138,7 @@ struct dns_cache { + int db_argc; + char **db_argv; + size_t size; ++ dns_ttl_t serve_stale_ttl; + isc_stats_t *stats; + + /* Locked by 'filelock'. */ +@@ -167,9 +168,13 @@ overmem_cleaning_action(isc_task_t *task, isc_event_t *event); + + static inline isc_result_t + cache_create_db(dns_cache_t *cache, dns_db_t **db) { +- return (dns_db_create(cache->mctx, cache->db_type, dns_rootname, +- dns_dbtype_cache, cache->rdclass, +- cache->db_argc, cache->db_argv, db)); ++ isc_result_t result; ++ result = dns_db_create(cache->mctx, cache->db_type, dns_rootname, ++ dns_dbtype_cache, cache->rdclass, ++ cache->db_argc, cache->db_argv, db); ++ if (result == ISC_R_SUCCESS) ++ dns_db_setservestalettl(*db, cache->serve_stale_ttl); ++ return (result); + } + + isc_result_t +@@ -238,6 +243,7 @@ dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr, + cache->references = 1; + cache->live_tasks = 0; + cache->rdclass = rdclass; ++ cache->serve_stale_ttl = 0; + + cache->stats = NULL; + result = isc_stats_create(cmctx, &cache->stats, +@@ -1092,6 +1098,32 @@ dns_cache_getcachesize(dns_cache_t *cache) { + return (size); + } + ++void ++dns_cache_setservestalettl(dns_cache_t *cache, dns_ttl_t ttl) { ++ REQUIRE(VALID_CACHE(cache)); ++ ++ LOCK(&cache->lock); ++ cache->serve_stale_ttl = ttl; ++ UNLOCK(&cache->lock); ++ ++ (void)dns_db_setservestalettl(cache->db, ttl); ++} ++ ++dns_ttl_t ++dns_cache_getservestalettl(dns_cache_t *cache) { ++ dns_ttl_t ttl; ++ isc_result_t result; ++ ++ REQUIRE(VALID_CACHE(cache)); ++ ++ /* ++ * Could get it straight from the dns_cache_t, but use db ++ * to confirm the value that the db is really using. ++ */ ++ result = dns_db_getservestalettl(cache->db, &ttl); ++ return result == ISC_R_SUCCESS ? ttl : 0; ++} ++ + /* + * The cleaner task is shutting down; do the necessary cleanup. + */ +diff --git a/lib/dns/db.c b/lib/dns/db.c +index ee3e00d..576aa65 100644 +--- a/lib/dns/db.c ++++ b/lib/dns/db.c +@@ -1130,3 +1130,25 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) { + return (ISC_R_NOTIMPLEMENTED); + return ((db->methods->nodefullname)(db, node, name)); + } ++ ++isc_result_t ++dns_db_setservestalettl(dns_db_t *db, dns_ttl_t ttl) ++{ ++ REQUIRE(DNS_DB_VALID(db)); ++ REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0); ++ ++ if (db->methods->setservestalettl != NULL) ++ return ((db->methods->setservestalettl)(db, ttl)); ++ return (ISC_R_NOTIMPLEMENTED); ++} ++ ++isc_result_t ++dns_db_getservestalettl(dns_db_t *db, dns_ttl_t *ttl) ++{ ++ REQUIRE(DNS_DB_VALID(db)); ++ REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0); ++ ++ if (db->methods->getservestalettl != NULL) ++ return ((db->methods->getservestalettl)(db, ttl)); ++ return (ISC_R_NOTIMPLEMENTED); ++} +diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c +index 47994ea..23bfe7d 100644 +--- a/lib/dns/ecdb.c ++++ b/lib/dns/ecdb.c +@@ -588,7 +588,9 @@ static dns_dbmethods_t ecdb_methods = { + NULL, /* setcachestats */ + NULL, /* hashsize */ + NULL, /* nodefullname */ +- NULL /* getsize */ ++ NULL, /* getsize */ ++ NULL, /* setservestalettl */ ++ NULL /* getservestalettl */ + }; + + static isc_result_t +diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h +index 62797db..714b78e 100644 +--- a/lib/dns/include/dns/cache.h ++++ b/lib/dns/include/dns/cache.h +@@ -260,6 +260,27 @@ dns_cache_getcachesize(dns_cache_t *cache); + * Get the maximum cache size. + */ + ++void ++dns_cache_setservestalettl(dns_cache_t *cache, dns_ttl_t ttl); ++/*%< ++ * Sets the maximum length of time that cached answers may be retained ++ * past their normal TTL. Default value for the library is 0, disabling ++ * the use of stale data. ++ * ++ * Requires: ++ *\li 'cache' to be valid. ++ */ ++ ++dns_ttl_t ++dns_cache_getservestalettl(dns_cache_t *cache); ++/*%< ++ * Gets the maximum length of time that cached answers may be kept past ++ * normal expiry. ++ * ++ * Requires: ++ *\li 'cache' to be valid. ++ */ ++ + isc_result_t + dns_cache_flush(dns_cache_t *cache); + /*%< +diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h +index ae6ae36..5079053 100644 +--- a/lib/dns/include/dns/db.h ++++ b/lib/dns/include/dns/db.h +@@ -197,6 +197,8 @@ typedef struct dns_dbmethods { + dns_name_t *name); + isc_result_t (*getsize)(dns_db_t *db, dns_dbversion_t *version, + uint64_t *records, uint64_t *bytes); ++ isc_result_t (*setservestalettl)(dns_db_t *db, dns_ttl_t ttl); ++ isc_result_t (*getservestalettl)(dns_db_t *db, dns_ttl_t *ttl); + } dns_dbmethods_t; + + typedef isc_result_t +@@ -255,6 +257,7 @@ struct dns_dbonupdatelistener { + #define DNS_DBFIND_FORCENSEC3 0x0080 + #define DNS_DBFIND_ADDITIONALOK 0x0100 + #define DNS_DBFIND_NOZONECUT 0x0200 ++#define DNS_DBFIND_STALEOK 0x0400 + /*@}*/ + + /*@{*/ +@@ -1685,6 +1688,38 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name); + * \li 'db' is a valid database + * \li 'node' and 'name' are not NULL + */ ++ ++isc_result_t ++dns_db_setservestalettl(dns_db_t *db, dns_ttl_t ttl); ++/*%< ++ * Sets the maximum length of time that cached answers may be retained ++ * past their normal TTL. Default value for the library is 0, disabling ++ * the use of stale data. ++ * ++ * Requires: ++ * \li 'db' is a valid cache database. ++ * \li 'ttl' is the number of seconds to retain data past its normal expiry. ++ * ++ * Returns: ++ * \li #ISC_R_SUCCESS ++ * \li #ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation. ++ */ ++ ++isc_result_t ++dns_db_getservestalettl(dns_db_t *db, dns_ttl_t *ttl); ++/*%< ++ * Gets maximum length of time that cached answers may be kept past ++ * normal TTL expiration. ++ * ++ * Requires: ++ * \li 'db' is a valid cache database. ++ * \li 'ttl' is the number of seconds to retain data past its normal expiry. ++ * ++ * Returns: ++ * \li #ISC_R_SUCCESS ++ * \li #ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation. ++ */ ++ + ISC_LANG_ENDDECLS + + #endif /* DNS_DB_H */ +diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h +index 5295d8e..97071ed 100644 +--- a/lib/dns/include/dns/rdataset.h ++++ b/lib/dns/include/dns/rdataset.h +@@ -128,6 +128,7 @@ struct dns_rdataset { + unsigned int magic; /* XXX ? */ + dns_rdatasetmethods_t * methods; + ISC_LINK(dns_rdataset_t) link; ++ + /* + * XXX do we need these, or should they be retrieved by methods? + * Leaning towards the latter, since they are not frequently required +@@ -136,12 +137,19 @@ struct dns_rdataset { + dns_rdataclass_t rdclass; + dns_rdatatype_t type; + dns_ttl_t ttl; ++ /* ++ * Stale ttl is used to see how long this RRset can still be used ++ * to serve to clients, after the TTL has expired. ++ */ ++ dns_ttl_t stale_ttl; + dns_trust_t trust; + dns_rdatatype_t covers; ++ + /* + * attributes + */ + unsigned int attributes; ++ + /*% + * the counter provides the starting point in the "cyclic" order. + * The value UINT32_MAX has a special meaning of "picking up a +@@ -149,11 +157,13 @@ struct dns_rdataset { + * increment the counter. + */ + uint32_t count; ++ + /* + * This RRSIG RRset should be re-generated around this time. + * Only valid if DNS_RDATASETATTR_RESIGN is set in attributes. + */ + isc_stdtime_t resign; ++ + /*@{*/ + /*% + * These are for use by the rdataset implementation, and MUST NOT +@@ -206,6 +216,7 @@ struct dns_rdataset { + #define DNS_RDATASETATTR_OPTOUT 0x00100000 /*%< OPTOUT proof */ + #define DNS_RDATASETATTR_NEGATIVE 0x00200000 + #define DNS_RDATASETATTR_PREFETCH 0x00400000 ++#define DNS_RDATASETATTR_STALE 0x01000000 + + /*% + * _OMITDNSSEC: +diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h +index 6da41b7..7b397cb 100644 +--- a/lib/dns/include/dns/resolver.h ++++ b/lib/dns/include/dns/resolver.h +@@ -547,9 +547,12 @@ dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name); + + + void +-dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds); ++dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int timeout); + /*%< +- * Set the length of time the resolver will work on a query, in seconds. ++ * Set the length of time the resolver will work on a query, in milliseconds. ++ * ++ * 'timeout' was originally defined in seconds, and later redefined to be in ++ * milliseconds. Values less than or equal to 300 are treated as seconds. + * + * If timeout is 0, the default timeout will be applied. + * +@@ -560,7 +563,8 @@ dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds); + unsigned int + dns_resolver_gettimeout(dns_resolver_t *resolver); + /*%< +- * Get the current length of time the resolver will work on a query, in seconds. ++ * Get the current length of time the resolver will work on a query, ++ * in milliseconds. + * + * Requires: + * \li resolver to be valid. +@@ -582,6 +586,39 @@ dns_resolver_getzeronosoattl(dns_resolver_t *resolver); + void + dns_resolver_setzeronosoattl(dns_resolver_t *resolver, bool state); + ++unsigned int ++dns_resolver_getretryinterval(dns_resolver_t *resolver); ++ ++void ++dns_resolver_setretryinterval(dns_resolver_t *resolver, unsigned int interval); ++/*%< ++ * Sets the amount of time, in millseconds, that is waited for a reply ++ * to a server before another server is tried. Interacts with the ++ * value of dns_resolver_getnonbackofftries() by trying that number of times ++ * at this interval, before doing exponential backoff and doubling the interval ++ * on each subsequent try, to a maximum of 10 seconds. Defaults to 800 ms; ++ * silently capped at 2000 ms. ++ * ++ * Requires: ++ * \li resolver to be valid. ++ * \li interval > 0. ++ */ ++ ++unsigned int ++dns_resolver_getnonbackofftries(dns_resolver_t *resolver); ++ ++void ++dns_resolver_setnonbackofftries(dns_resolver_t *resolver, unsigned int tries); ++/*%< ++ * Sets the number of failures of getting a reply from remote servers for ++ * a query before backing off by doubling the retry interval for each ++ * subsequent request sent. Defaults to 3. ++ * ++ * Requires: ++ * \li resolver to be valid. ++ * \li tries > 0. ++ */ ++ + unsigned int + dns_resolver_getoptions(dns_resolver_t *resolver); + +diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h +index 567e8a8..7bf2b60 100644 +--- a/lib/dns/include/dns/types.h ++++ b/lib/dns/include/dns/types.h +@@ -385,6 +385,12 @@ typedef enum { + dns_updatemethod_date + } dns_updatemethod_t; + ++typedef enum { ++ dns_stale_answer_no, ++ dns_stale_answer_yes, ++ dns_stale_answer_conf ++} dns_stale_answer_t; ++ + /* + * Functions. + */ +diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h +index c849dec..647ca2a 100644 +--- a/lib/dns/include/dns/view.h ++++ b/lib/dns/include/dns/view.h +@@ -229,6 +229,9 @@ struct dns_view { + dns_dtenv_t *dtenv; /* Dnstap environment */ + dns_dtmsgtype_t dttypes; /* Dnstap message types + to log */ ++ dns_ttl_t staleanswerttl; ++ dns_stale_answer_t staleanswersok; /* rndc setting */ ++ bool staleanswersenable; /* named.conf setting */ + }; + + #define DNS_VIEW_MAGIC ISC_MAGIC('V','i','e','w') +diff --git a/lib/dns/master.c b/lib/dns/master.c +index 2a87bca..ac4bb19 100644 +--- a/lib/dns/master.c ++++ b/lib/dns/master.c +@@ -1948,12 +1948,18 @@ load_text(dns_loadctx_t *lctx) { + + if ((lctx->options & DNS_MASTER_AGETTL) != 0) { + /* +- * Adjust the TTL for $DATE. If the RR has already +- * expired, ignore it. ++ * Adjust the TTL for $DATE. If the RR has ++ * already expired, set its TTL to 0. This ++ * should be okay even if the TTL stretching ++ * feature is not in effect, because it will ++ * just be quickly expired by the cache, and the ++ * way this was written before the patch it ++ * could potentially add 0 TTLs anyway. + */ + if (lctx->ttl < ttl_offset) +- continue; +- lctx->ttl -= ttl_offset; ++ lctx->ttl = 0; ++ else ++ lctx->ttl -= ttl_offset; + } + + /* +diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c +index 13d1a3e..873b694 100644 +--- a/lib/dns/masterdump.c ++++ b/lib/dns/masterdump.c +@@ -81,6 +81,9 @@ struct dns_master_style { + */ + #define DNS_TOTEXT_LINEBREAK_MAXLEN 100 + ++/*% Does the rdataset 'r' contain a stale answer? */ ++#define STALE(r) (((r)->attributes & DNS_RDATASETATTR_STALE) != 0) ++ + /*% + * Context structure for a masterfile dump in progress. + */ +@@ -94,6 +97,7 @@ typedef struct dns_totext_ctx { + dns_fixedname_t origin_fixname; + uint32_t current_ttl; + bool current_ttl_valid; ++ dns_ttl_t serve_stale_ttl; + } dns_totext_ctx_t; + + LIBDNS_EXTERNAL_DATA const dns_master_style_t +@@ -382,6 +386,7 @@ totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx) { + ctx->neworigin = NULL; + ctx->current_ttl = 0; + ctx->current_ttl_valid = false; ++ ctx->serve_stale_ttl = 0; + + return (ISC_R_SUCCESS); + } +@@ -1028,6 +1033,11 @@ dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name, + (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) { + /* Omit negative cache entries */ + } else { ++ if (STALE(rds)) { ++ fprintf(f, "; stale (for %u more seconds)\n", ++ (rds->stale_ttl - ++ ctx->serve_stale_ttl)); ++ } + isc_result_t result = + dump_rdataset(mctx, name, rds, ctx, + buffer, f); +@@ -1496,6 +1506,16 @@ dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version, + dns_db_attach(db, &dctx->db); + + dctx->do_date = dns_db_iscache(dctx->db); ++ if (dctx->do_date) { ++ /* ++ * Adjust the date backwards by the serve-stale TTL, if any. ++ * This is so the TTL will be loaded correctly when next ++ * started. ++ */ ++ (void)dns_db_getservestalettl(dctx->db, ++ &dctx->tctx.serve_stale_ttl); ++ dctx->now -= dctx->tctx.serve_stale_ttl; ++ } + + if (dctx->format == dns_masterformat_text && + (dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) { +@@ -1555,6 +1575,9 @@ writeheader(dns_dumpctx_t *dctx) { + * it in the zone case. + */ + if (dctx->do_date) { ++ fprintf(dctx->f, ++ "; using a %d second stale ttl\n", ++ dctx->tctx.serve_stale_ttl); + result = dns_time32_totext(dctx->now, &buffer); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_buffer_usedregion(&buffer, &r); +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index 738aa20..5055fcb 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -488,6 +488,7 @@ typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t; + typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t; + + #define RDATASET_ATTR_NONEXISTENT 0x0001 ++/*%< May be potentially served as stale data. */ + #define RDATASET_ATTR_STALE 0x0002 + #define RDATASET_ATTR_IGNORE 0x0004 + #define RDATASET_ATTR_RETAIN 0x0008 +@@ -500,6 +501,8 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t; + #define RDATASET_ATTR_CASESET 0x0400 + #define RDATASET_ATTR_ZEROTTL 0x0800 + #define RDATASET_ATTR_CASEFULLYLOWER 0x1000 ++/*%< Ancient - awaiting cleanup. */ ++#define RDATASET_ATTR_ANCIENT 0x2000 + + typedef struct acache_cbarg { + dns_rdatasetadditional_t type; +@@ -550,6 +553,8 @@ struct acachectl { + (((header)->attributes & RDATASET_ATTR_ZEROTTL) != 0) + #define CASEFULLYLOWER(header) \ + (((header)->attributes & RDATASET_ATTR_CASEFULLYLOWER) != 0) ++#define ANCIENT(header) \ ++ (((header)->attributes & RDATASET_ATTR_ANCIENT) != 0) + + + #define ACTIVE(header, now) \ +@@ -609,6 +614,12 @@ typedef enum { + expire_flush + } expire_t; + ++typedef enum { ++ rdataset_ttl_fresh, ++ rdataset_ttl_stale, ++ rdataset_ttl_ancient ++} rdataset_ttl_t; ++ + typedef struct rbtdb_version { + /* Not locked */ + rbtdb_serial_t serial; +@@ -676,6 +687,12 @@ struct dns_rbtdb { + dns_dbnode_t *soanode; + dns_dbnode_t *nsnode; + ++ /* ++ * Maximum length of time to keep using a stale answer past its ++ * normal TTL expiry. ++ */ ++ dns_ttl_t serve_stale_ttl; ++ + /* + * This is a linked list used to implement the LRU cache. There will + * be node_lock_count linked lists here. Nodes in bucket 1 will be +@@ -719,6 +736,8 @@ struct dns_rbtdb { + #define RBTDB_ATTR_LOADED 0x01 + #define RBTDB_ATTR_LOADING 0x02 + ++#define KEEPSTALE(rbtdb) ((rbtdb)->serve_stale_ttl > 0) ++ + /*% + * Search Context + */ +@@ -1784,15 +1803,15 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) { + } + + static inline void +-mark_stale_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header) { ++mark_header_ancient(dns_rbtdb_t *rbtdb, rdatasetheader_t *header) { + + /* +- * If we are already stale there is nothing to do. ++ * If we are already ancient there is nothing to do. + */ +- if ((header->attributes & RDATASET_ATTR_STALE) != 0) ++ if (ANCIENT(header)) + return; + +- header->attributes |= RDATASET_ATTR_STALE; ++ header->attributes |= RDATASET_ATTR_ANCIENT; + header->node->dirty = 1; + + /* +@@ -1833,8 +1852,8 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { + /* + * If current is nonexistent or stale, we can clean it up. + */ +- if ((current->attributes & +- (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0) { ++ if (NONEXISTENT(current) || ANCIENT(current) || ++ (STALE(current) && ! KEEPSTALE(rbtdb))) { + if (top_prev != NULL) + top_prev->next = current->next; + else +@@ -2076,6 +2095,80 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { + } + } + ++#if 0 ++static void ++clean_now_or_later(dns_rbtnode_t *node, dns_rbtdb_t *rbtdb, ++ rdatasetheader_t *header, rdatasetheader_t **header_prevp) ++{ ++ if (dns_rbtnode_refcurrent(node) == 0) { ++ isc_mem_t *mctx; ++ ++ /* ++ * header->down can be non-NULL if the refcount has just ++ * decremented to 0 but decrement_reference() has not performed ++ * clean_cache_node(), in which case we need to purge the stale ++ * headers first. ++ */ ++ mctx = rbtdb->common.mctx; ++ clean_stale_headers(rbtdb, mctx, header); ++ if (*header_prevp != NULL) ++ (*header_prevp)->next = header->next; ++ else ++ node->data = header->next; ++ free_rdataset(rbtdb, mctx, header); ++ } else { ++ header->attributes |= RDATASET_ATTR_STALE | ++ RDATASET_ATTR_ANCIENT; ++ node->dirty = 1; ++ *header_prevp = header; ++ } ++} ++ ++static rdataset_ttl_t ++check_ttl(dns_rbtnode_t *node, rbtdb_search_t *search, ++ rdatasetheader_t *header, rdatasetheader_t **header_prevp, ++ nodelock_t *lock, isc_rwlocktype_t *locktype) ++{ ++ dns_rbtdb_t *rbtdb = search->rbtdb; ++ ++ if (header->rdh_ttl > search->now) ++ return rdataset_ttl_fresh; ++ ++ /* ++ * This rdataset is stale, but perhaps still usable. ++ */ ++ if (KEEPSTALE(rbtdb) && ++ header->rdh_ttl + rbtdb->serve_stale_ttl > search->now) { ++ header->attributes |= RDATASET_ATTR_STALE; ++ /* Doesn't set dirty because it doesn't need removal. */ ++ return rdataset_ttl_stale; ++ } ++ ++ /* ++ * This rdataset is so stale it is no longer usable, even with ++ * KEEPSTALE. If no one else is using the node, we can clean it up ++ * right now, otherwise we mark it as ancient, and the node as dirty, ++ * so it will get cleaned up later. ++ */ ++ if ((header->rdh_ttl <= search->now - RBTDB_VIRTUAL) && ++ (*locktype == isc_rwlocktype_write || ++ NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) { ++ /* ++ * We update the node's status only when we can get write ++ * access; otherwise, we leave others to this work. Periodical ++ * cleaning will eventually take the job as the last resort. ++ * We won't downgrade the lock, since other rdatasets are ++ * probably stale, too. ++ */ ++ *locktype = isc_rwlocktype_write; ++ clean_now_or_later(node, rbtdb, header, header_prevp); ++ } else ++ *header_prevp = header; ++ ++ return rdataset_ttl_ancient; ++} ++#endif ++ + /* + * Caller must be holding the node lock. + */ +@@ -3308,6 +3401,12 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, + rdataset->attributes |= DNS_RDATASETATTR_OPTOUT; + if (PREFETCH(header)) + rdataset->attributes |= DNS_RDATASETATTR_PREFETCH; ++ if (STALE(header)) { ++ rdataset->attributes |= DNS_RDATASETATTR_STALE; ++ rdataset->stale_ttl = ++ (rbtdb->serve_stale_ttl + header->rdh_ttl) - now; ++ rdataset->ttl = 0; ++ } + rdataset->private1 = rbtdb; + rdataset->private2 = node; + raw = (unsigned char *)header + sizeof(*header); +@@ -4648,6 +4747,19 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header, + #endif + + if (!ACTIVE(header, search->now)) { ++ dns_ttl_t stale = header->rdh_ttl + ++ search->rbtdb->serve_stale_ttl; ++ /* ++ * If this data is in the stale window keep it and if ++ * DNS_DBFIND_STALEOK is not set we tell the caller to ++ * skip this record. ++ */ ++ if (KEEPSTALE(search->rbtdb) && stale > search->now) { ++ header->attributes |= RDATASET_ATTR_STALE; ++ *header_prev = header; ++ return ((search->options & DNS_DBFIND_STALEOK) == 0); ++ } ++ + /* + * This rdataset is stale. If no one else is using the + * node, we can clean it up right now, otherwise we mark +@@ -4687,7 +4799,7 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header, + node->data = header->next; + free_rdataset(search->rbtdb, mctx, header); + } else { +- mark_stale_header(search->rbtdb, header); ++ mark_header_ancient(search->rbtdb, header); + *header_prev = header; + } + } else +@@ -5125,7 +5237,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, + &locktype, lock, &search, + &header_prev)) { + /* Do nothing. */ +- } else if (EXISTS(header) && (!STALE(header))) { ++ } else if (EXISTS(header) && !ANCIENT(header)) { + /* + * We now know that there is at least one active + * non-stale rdataset at this node. +@@ -5603,7 +5715,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { + * refcurrent(rbtnode) must be non-zero. This is so + * because 'node' is an argument to the function. + */ +- mark_stale_header(rbtdb, header); ++ mark_header_ancient(rbtdb, header); + if (log) + isc_log_write(dns_lctx, category, module, + level, "overmem cache: stale %s", +@@ -5611,7 +5723,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { + } else if (force_expire) { + if (! RETAIN(header)) { + set_ttl(rbtdb, header, 0); +- mark_stale_header(rbtdb, header); ++ mark_header_ancient(rbtdb, header); + } else if (log) { + isc_log_write(dns_lctx, category, module, + level, "overmem cache: " +@@ -5868,9 +5980,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + * non-zero. This is so because 'node' is an + * argument to the function. + */ +- mark_stale_header(rbtdb, header); ++ mark_header_ancient(rbtdb, header); + } +- } else if (EXISTS(header) && (!STALE(header))) { ++ } else if (EXISTS(header) && !ANCIENT(header)) { + if (header->type == matchtype) + found = header; + else if (header->type == RBTDB_RDATATYPE_NCACHEANY || +@@ -6160,7 +6272,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + topheader = topheader->next) + { + set_ttl(rbtdb, topheader, 0); +- mark_stale_header(rbtdb, topheader); ++ mark_header_ancient(rbtdb, topheader); + } + goto find_header; + } +@@ -6218,7 +6330,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + * ncache entry. + */ + set_ttl(rbtdb, topheader, 0); +- mark_stale_header(rbtdb, topheader); ++ mark_header_ancient(rbtdb, topheader); + topheader = NULL; + goto find_header; + } +@@ -6256,8 +6368,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + } + + /* +- * Trying to add an rdataset with lower trust to a cache DB +- * has no effect, provided that the cache data isn't stale. ++ * Trying to add an rdataset with lower trust to a cache ++ * DB has no effect, provided that the cache data isn't ++ * stale. If the cache data is stale, new lower trust ++ * data will supersede it below. Unclear what the best ++ * policy is here. + */ + if (rbtversion == NULL && trust < header->trust && + (ACTIVE(header, now) || header_nx)) { +@@ -6286,6 +6401,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + + if ((options & DNS_DBADD_EXACT) != 0) + flags |= DNS_RDATASLAB_EXACT; ++ /* ++ * TTL use here is irrelevant to the cache; ++ * merge is only done with zonedbs. ++ */ + if ((options & DNS_DBADD_EXACTTTL) != 0 && + newheader->rdh_ttl != header->rdh_ttl) + result = DNS_R_NOTEXACT; +@@ -6329,11 +6448,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + } + } + /* +- * Don't replace existing NS, A and AAAA RRsets +- * in the cache if they are already exist. This +- * prevents named being locked to old servers. +- * Don't lower trust of existing record if the +- * update is forced. ++ * Don't replace existing NS, A and AAAA RRsets in the ++ * cache if they are already exist. This prevents named ++ * being locked to old servers. Don't lower trust of ++ * existing record if the update is forced. Nothing ++ * special to be done w.r.t stale data; it gets replaced ++ * normally further down. + */ + if (IS_CACHE(rbtdb) && ACTIVE(header, now) && + header->type == dns_rdatatype_ns && +@@ -6508,10 +6628,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, + changed->dirty = true; + if (rbtversion == NULL) { + set_ttl(rbtdb, header, 0); +- mark_stale_header(rbtdb, header); ++ mark_header_ancient(rbtdb, header); + if (sigheader != NULL) { + set_ttl(rbtdb, sigheader, 0); +- mark_stale_header(rbtdb, sigheader); ++ mark_header_ancient(rbtdb, sigheader); + } + } + if (rbtversion != NULL && !header_nx) { +@@ -8310,6 +8430,30 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) { + return (result); + } + ++static isc_result_t ++setservestalettl(dns_db_t *db, dns_ttl_t ttl) { ++ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; ++ ++ REQUIRE(VALID_RBTDB(rbtdb)); ++ REQUIRE(IS_CACHE(rbtdb)); ++ ++ /* currently no bounds checking. 0 means disable. */ ++ rbtdb->serve_stale_ttl = ttl; ++ return ISC_R_SUCCESS; ++} ++ ++static isc_result_t ++getservestalettl(dns_db_t *db, dns_ttl_t *ttl) { ++ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; ++ ++ REQUIRE(VALID_RBTDB(rbtdb)); ++ REQUIRE(IS_CACHE(rbtdb)); ++ ++ *ttl = rbtdb->serve_stale_ttl; ++ return ISC_R_SUCCESS; ++} ++ ++ + static dns_dbmethods_t zone_methods = { + attach, + detach, +@@ -8355,7 +8499,9 @@ static dns_dbmethods_t zone_methods = { + NULL, + hashsize, + nodefullname, +- getsize ++ getsize, ++ NULL, ++ NULL + }; + + static dns_dbmethods_t cache_methods = { +@@ -8403,7 +8549,9 @@ static dns_dbmethods_t cache_methods = { + setcachestats, + hashsize, + nodefullname, +- NULL ++ NULL, ++ setservestalettl, ++ getservestalettl + }; + + isc_result_t +@@ -8674,7 +8822,7 @@ dns_rbtdb_create + rbtdb->rpzs = NULL; + rbtdb->load_rpzs = NULL; + rbtdb->rpz_num = DNS_RPZ_INVALID_NUM; +- ++ rbtdb->serve_stale_ttl = 0; + /* + * Version Initialization. + */ +@@ -9092,7 +9240,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) { + * rdatasets to work. + */ + if (NONEXISTENT(header) || +- (now != 0 && now > header->rdh_ttl)) ++ (now != 0 && now > header->rdh_ttl ++ + rbtdb->serve_stale_ttl)) + header = NULL; + break; + } else +@@ -10280,7 +10429,7 @@ static inline bool + need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) { + if ((header->attributes & + (RDATASET_ATTR_NONEXISTENT | +- RDATASET_ATTR_STALE | ++ RDATASET_ATTR_ANCIENT | + RDATASET_ATTR_ZEROTTL)) != 0) + return (false); + +@@ -10386,7 +10535,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + bool tree_locked, expire_t reason) + { + set_ttl(rbtdb, header, 0); +- mark_stale_header(rbtdb, header); ++ mark_header_ancient(rbtdb, header); + + /* + * Caller must hold the node (write) lock. +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 04a58c0..164fc01 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -141,16 +141,17 @@ + #endif /* WANT_QUERYTRACE */ + + #define US_PER_SEC 1000000U ++#define US_PER_MSEC 1000U + /* + * The maximum time we will wait for a single query. + */ +-#define MAX_SINGLE_QUERY_TIMEOUT 9U +-#define MAX_SINGLE_QUERY_TIMEOUT_US (MAX_SINGLE_QUERY_TIMEOUT*US_PER_SEC) ++#define MAX_SINGLE_QUERY_TIMEOUT 9000U ++#define MAX_SINGLE_QUERY_TIMEOUT_US (MAX_SINGLE_QUERY_TIMEOUT*US_PER_MSEC) + + /* + * We need to allow a individual query time to complete / timeout. + */ +-#define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U) ++#define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1000U) + + /* The default time in seconds for the whole query to live. */ + #ifndef DEFAULT_QUERY_TIMEOUT +@@ -159,7 +160,7 @@ + + /* The maximum time in seconds for the whole query to live. */ + #ifndef MAXIMUM_QUERY_TIMEOUT +-#define MAXIMUM_QUERY_TIMEOUT 30 ++#define MAXIMUM_QUERY_TIMEOUT 30000 + #endif + + /* The default maximum number of recursions to follow before giving up. */ +@@ -496,6 +497,10 @@ struct dns_resolver { + unsigned int maxqueries; + isc_result_t quotaresp[2]; + ++ /* Additions for serve-stale feature. */ ++ unsigned int retryinterval; /* in milliseconds */ ++ unsigned int nonbackofftries; ++ + /* Locked by lock. */ + unsigned int references; + bool exiting; +@@ -1617,14 +1622,12 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) { + unsigned int seconds; + unsigned int us; + ++ us = fctx->res->retryinterval * 1000; + /* +- * We retry every .8 seconds the first two times through the address +- * list, and then we do exponential back-off. ++ * Exponential backoff after the first few tries. + */ +- if (fctx->restarts < 3) +- us = 800000; +- else +- us = (800000 << (fctx->restarts - 2)); ++ if (fctx->restarts >= fctx->res->nonbackofftries) ++ us <<= (fctx->restarts - fctx->res->nonbackofftries - 1); + + /* + * Add a fudge factor to the expected rtt based on the current +@@ -4481,7 +4484,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, + /* + * Compute an expiration time for the entire fetch. + */ +- isc_interval_set(&interval, res->query_timeout, 0); ++ isc_interval_set(&interval, res->query_timeout / 1000, ++ res->query_timeout % 1000 * 1000000); + iresult = isc_time_nowplusinterval(&fctx->expires, &interval); + if (iresult != ISC_R_SUCCESS) { + UNEXPECTED_ERROR(__FILE__, __LINE__, +@@ -8965,6 +8969,8 @@ dns_resolver_create(dns_view_t *view, + res->spillattimer = NULL; + res->zspill = 0; + res->zero_no_soa_ttl = false; ++ res->retryinterval = 30000; ++ res->nonbackofftries = 3; + res->query_timeout = DEFAULT_QUERY_TIMEOUT; + res->maxdepth = DEFAULT_RECURSION_DEPTH; + res->maxqueries = DEFAULT_MAX_QUERIES; +@@ -10291,17 +10297,20 @@ dns_resolver_gettimeout(dns_resolver_t *resolver) { + } + + void +-dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) { ++dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int timeout) { + REQUIRE(VALID_RESOLVER(resolver)); + +- if (seconds == 0) +- seconds = DEFAULT_QUERY_TIMEOUT; +- if (seconds > MAXIMUM_QUERY_TIMEOUT) +- seconds = MAXIMUM_QUERY_TIMEOUT; +- if (seconds < MINIMUM_QUERY_TIMEOUT) +- seconds = MINIMUM_QUERY_TIMEOUT; ++ if (timeout <= 300) ++ timeout *= 1000; ++ ++ if (timeout == 0) ++ timeout = DEFAULT_QUERY_TIMEOUT; ++ if (timeout > MAXIMUM_QUERY_TIMEOUT) ++ timeout = MAXIMUM_QUERY_TIMEOUT; ++ if (timeout < MINIMUM_QUERY_TIMEOUT) ++ timeout = MINIMUM_QUERY_TIMEOUT; + +- resolver->query_timeout = seconds; ++ resolver->query_timeout = timeout; + } + + void +@@ -10398,3 +10407,34 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which) + + return (resolver->quotaresp[which]); + } ++ ++unsigned int ++dns_resolver_getretryinterval(dns_resolver_t *resolver) { ++ REQUIRE(VALID_RESOLVER(resolver)); ++ ++ return (resolver->retryinterval); ++} ++ ++void ++dns_resolver_setretryinterval(dns_resolver_t *resolver, unsigned int interval) ++{ ++ REQUIRE(VALID_RESOLVER(resolver)); ++ REQUIRE(interval > 0); ++ ++ resolver->retryinterval = ISC_MIN(interval, 2000); ++} ++ ++unsigned int ++dns_resolver_getnonbackofftries(dns_resolver_t *resolver) { ++ REQUIRE(VALID_RESOLVER(resolver)); ++ ++ return (resolver->nonbackofftries); ++} ++ ++void ++dns_resolver_setnonbackofftries(dns_resolver_t *resolver, unsigned int tries) { ++ REQUIRE(VALID_RESOLVER(resolver)); ++ REQUIRE(tries > 0); ++ ++ resolver->nonbackofftries = tries; ++} +diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c +index d4c8c67..ee9be79 100644 +--- a/lib/dns/sdb.c ++++ b/lib/dns/sdb.c +@@ -1368,7 +1368,9 @@ static dns_dbmethods_t sdb_methods = { + NULL, /* setcachestats */ + NULL, /* hashsize */ + NULL, /* nodefullname */ +- NULL /* getsize */ ++ NULL, /* getsize */ ++ NULL, /* setservestalettl */ ++ NULL /* getservestalettl */ + }; + + static isc_result_t +diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c +index 0b9620c..331992e 100644 +--- a/lib/dns/sdlz.c ++++ b/lib/dns/sdlz.c +@@ -1336,7 +1336,9 @@ static dns_dbmethods_t sdlzdb_methods = { + NULL, /* setcachestats */ + NULL, /* hashsize */ + NULL, /* nodefullname */ +- NULL /* getsize */ ++ NULL, /* getsize */ ++ NULL, /* setservestalettl */ ++ NULL /* getservestalettl */ + }; + + /* +diff --git a/lib/dns/tests/db_test.c b/lib/dns/tests/db_test.c +index 35cf21d..bf39545 100644 +--- a/lib/dns/tests/db_test.c ++++ b/lib/dns/tests/db_test.c +@@ -28,8 +28,9 @@ + + #include + #include +-#include + #include ++#include ++#include + + #include "dnstest.h" + +@@ -76,7 +77,7 @@ getoriginnode_test(void **state) { + assert_int_equal(result, ISC_R_SUCCESS); + + result = dns_db_create(mymctx, "rbt", dns_rootname, dns_dbtype_zone, +- dns_rdataclass_in, 0, NULL, &db); ++ dns_rdataclass_in, 0, NULL, &db); + assert_int_equal(result, ISC_R_SUCCESS); + + result = dns_db_getoriginnode(db, &node); +@@ -91,6 +92,197 @@ getoriginnode_test(void **state) { + isc_mem_detach(&mymctx); + } + ++/* test getservestalettl and setservestalettl */ ++static void ++getsetservestalettl_test(void **state) { ++ dns_db_t *db = NULL; ++ isc_mem_t *mymctx = NULL; ++ isc_result_t result; ++ dns_ttl_t ttl; ++ ++ UNUSED(state); ++ ++ result = isc_mem_create(0, 0, &mymctx); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ result = dns_db_create(mymctx, "rbt", dns_rootname, dns_dbtype_cache, ++ dns_rdataclass_in, 0, NULL, &db); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ ttl = 5000; ++ result = dns_db_getservestalettl(db, &ttl); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ assert_int_equal(ttl, 0); ++ ++ ttl = 6 * 3600; ++ result = dns_db_setservestalettl(db, ttl); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ ttl = 5000; ++ result = dns_db_getservestalettl(db, &ttl); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ assert_int_equal(ttl, 6 * 3600); ++ ++ dns_db_detach(&db); ++ isc_mem_detach(&mymctx); ++} ++ ++/* check DNS_DBFIND_STALEOK works */ ++static void ++dns_dbfind_staleok_test(void **state) { ++ dns_db_t *db = NULL; ++ dns_dbnode_t *node = NULL; ++ dns_fixedname_t example_fixed; ++ dns_fixedname_t found_fixed; ++ dns_name_t *example; ++ dns_name_t *found; ++ dns_rdatalist_t rdatalist; ++ dns_rdataset_t rdataset; ++ int count; ++ int pass; ++ isc_mem_t *mymctx = NULL; ++ isc_result_t result; ++ unsigned char data[] = { 0x0a, 0x00, 0x00, 0x01 }; ++ ++ UNUSED(state); ++ ++ result = isc_mem_create(0, 0, &mymctx); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ result = dns_db_create(mymctx, "rbt", dns_rootname, dns_dbtype_cache, ++ dns_rdataclass_in, 0, NULL, &db); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ example = dns_fixedname_initname(&example_fixed); ++ found = dns_fixedname_initname(&found_fixed); ++ ++ result = dns_name_fromstring(example, "example", 0, NULL); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ /* ++ * Pass 0: default; no stale processing permitted. ++ * Pass 1: stale processing for 1 second. ++ * Pass 2: stale turned off after being on. ++ */ ++ for (pass = 0; pass < 3; pass++) { ++ dns_rdata_t rdata = DNS_RDATA_INIT; ++ ++ /* 10.0.0.1 */ ++ rdata.data = data; ++ rdata.length = 4; ++ rdata.rdclass = dns_rdataclass_in; ++ rdata.type = dns_rdatatype_a; ++ ++ dns_rdatalist_init(&rdatalist); ++ rdatalist.ttl = 2; ++ rdatalist.type = dns_rdatatype_a; ++ rdatalist.rdclass = dns_rdataclass_in; ++ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); ++ ++ switch (pass) { ++ case 0: ++ /* default: stale processing off */ ++ break; ++ case 1: ++ /* turn on stale processing */ ++ result = dns_db_setservestalettl(db, 1); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ break; ++ case 2: ++ /* turn off stale processing */ ++ result = dns_db_setservestalettl(db, 0); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ break; ++ } ++ ++ dns_rdataset_init(&rdataset); ++ result = dns_rdatalist_tordataset(&rdatalist, &rdataset); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ result = dns_db_findnode(db, example, true, &node); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ result = dns_db_addrdataset(db, node, NULL, 0, &rdataset, 0, ++ NULL); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ dns_db_detachnode(db, &node); ++ dns_rdataset_disassociate(&rdataset); ++ ++ result = dns_db_find(db, example, NULL, dns_rdatatype_a, ++ 0, 0, &node, found, &rdataset, NULL); ++ assert_int_equal(result, ISC_R_SUCCESS); ++ ++ /* ++ * May loop for up to 2 seconds performing non stale lookups. ++ */ ++ count = 0; ++ do { ++ count++; ++ assert_in_range(count, 0, 20); /* loop sanity */ ++ assert_int_equal(rdataset.attributes & ++ DNS_RDATASETATTR_STALE, 0); ++ assert_true(rdataset.ttl > 0); ++ dns_db_detachnode(db, &node); ++ dns_rdataset_disassociate(&rdataset); ++ ++ usleep(100000); /* 100 ms */ ++ ++ result = dns_db_find(db, example, NULL, ++ dns_rdatatype_a, 0, 0, ++ &node, found, &rdataset, NULL); ++ } while (result == ISC_R_SUCCESS); ++ ++ assert_int_equal(result, ISC_R_NOTFOUND); ++ ++ /* ++ * Check whether we can get stale data. ++ */ ++ result = dns_db_find(db, example, NULL, dns_rdatatype_a, ++ DNS_DBFIND_STALEOK, 0, ++ &node, found, &rdataset, NULL); ++ switch (pass) { ++ case 0: ++ assert_int_equal(result, ISC_R_NOTFOUND); ++ break; ++ case 1: ++ /* ++ * Should loop for 1 second with stale lookups then ++ * stop. ++ */ ++ count = 0; ++ do { ++ count++; ++ assert_in_range(count, 0, 49); /* loop sanity */ ++ assert_int_equal(result, ISC_R_SUCCESS); ++ assert_int_equal(rdataset.ttl, 0); ++ assert_int_equal(rdataset.attributes & ++ DNS_RDATASETATTR_STALE, ++ DNS_RDATASETATTR_STALE); ++ dns_db_detachnode(db, &node); ++ dns_rdataset_disassociate(&rdataset); ++ ++ usleep(100000); /* 100 ms */ ++ ++ result = dns_db_find(db, example, NULL, ++ dns_rdatatype_a, ++ DNS_DBFIND_STALEOK, ++ 0, &node, found, ++ &rdataset, NULL); ++ } while (result == ISC_R_SUCCESS); ++ assert_in_range(count, 1, 10); ++ assert_int_equal(result, ISC_R_NOTFOUND); ++ break; ++ case 2: ++ assert_int_equal(result, ISC_R_NOTFOUND); ++ break; ++ } ++ } ++ ++ dns_db_detach(&db); ++ isc_mem_detach(&mymctx); ++} ++ + /* database class */ + static void + class_test(void **state) { +@@ -213,6 +405,8 @@ int + main(void) { + const struct CMUnitTest tests[] = { + cmocka_unit_test(getoriginnode_test), ++ cmocka_unit_test(getsetservestalettl_test), ++ cmocka_unit_test(dns_dbfind_staleok_test), + cmocka_unit_test_setup_teardown(class_test, + _setup, _teardown), + cmocka_unit_test_setup_teardown(dbtype_test, +diff --git a/lib/dns/view.c b/lib/dns/view.c +index a1a4301..abf6a4c 100644 +--- a/lib/dns/view.c ++++ b/lib/dns/view.c +@@ -229,6 +229,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, + view->flush = false; + view->dlv = NULL; + view->maxudp = 0; ++ view->staleanswerttl = 1; ++ view->staleanswersok = dns_stale_answer_conf; ++ view->staleanswersenable = false; + view->nocookieudp = 0; + view->maxbits = 0; + view->v4_aaaa = dns_aaaa_ok; +diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c +index 7bad989..bbf4b45 100644 +--- a/lib/isccfg/namedconf.c ++++ b/lib/isccfg/namedconf.c +@@ -1778,6 +1778,7 @@ view_clauses[] = { + { "max-ncache-ttl", &cfg_type_uint32, 0 }, + { "max-recursion-depth", &cfg_type_uint32, 0 }, + { "max-recursion-queries", &cfg_type_uint32, 0 }, ++ { "max-stale-ttl", &cfg_type_ttlval, 0 }, + { "max-udp-size", &cfg_type_uint32, 0 }, + { "message-compression", &cfg_type_boolean, 0 }, + { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP }, +@@ -1806,7 +1807,9 @@ view_clauses[] = { + { "request-nsid", &cfg_type_boolean, 0 }, + { "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, + { "require-server-cookie", &cfg_type_boolean, 0 }, ++ { "resolver-nonbackoff-tries", &cfg_type_uint32, 0 }, + { "resolver-query-timeout", &cfg_type_uint32, 0 }, ++ { "resolver-retry-interval", &cfg_type_uint32, 0 }, + { "response-policy", &cfg_type_rpz, 0 }, + { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI }, + { "root-delegation-only", &cfg_type_optional_exclude, 0 }, +@@ -1815,6 +1818,8 @@ view_clauses[] = { + { "send-cookie", &cfg_type_boolean, 0 }, + { "servfail-ttl", &cfg_type_ttlval, 0 }, + { "sortlist", &cfg_type_bracketed_aml, 0 }, ++ { "stale-answer-enable", &cfg_type_boolean, 0 }, ++ { "stale-answer-ttl", &cfg_type_ttlval, 0 }, + { "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI }, + { "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP }, + { "transfer-format", &cfg_type_transferformat, 0 }, +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-unit-disable-random.patch b/SOURCES/bind-9.11-unit-disable-random.patch index 5658d12..553f725 100644 --- a/SOURCES/bind-9.11-unit-disable-random.patch +++ b/SOURCES/bind-9.11-unit-disable-random.patch @@ -1,4 +1,4 @@ -From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001 +From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Thu, 21 Feb 2019 22:42:27 +0100 Subject: [PATCH] Disable random_test @@ -9,37 +9,22 @@ subtests can occasionally fail, stop it. It can be used again by defining 'unstable' variable in Kyuafile. --- - lib/isc/tests/Atffile | 3 ++- lib/isc/tests/Kyuafile | 2 +- - 2 files changed, 3 insertions(+), 2 deletions(-) + 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile -index 8681844..74a4a77 100644 ---- a/lib/isc/tests/Atffile -+++ b/lib/isc/tests/Atffile -@@ -20,7 +20,8 @@ tp: pool_test - tp: print_test - tp: queue_test - tp: radix_test --tp: random_test -+# random test fails too often -+#tp: random_test - tp: regex_test - tp: result_test - tp: safe_test diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile -index 1c510c1..a86824a 100644 +index 4cd2574..9df2340 100644 --- a/lib/isc/tests/Kyuafile +++ b/lib/isc/tests/Kyuafile -@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'} - atf_test_program{name='print_test'} - atf_test_program{name='queue_test'} - atf_test_program{name='radix_test'} --atf_test_program{name='random_test'} -+atf_test_program{name='random_test', required_configs='unstable'} - atf_test_program{name='regex_test'} - atf_test_program{name='result_test'} - atf_test_program{name='safe_test'} +@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'} + tap_test_program{name='print_test'} + tap_test_program{name='queue_test'} + tap_test_program{name='radix_test'} +-tap_test_program{name='random_test'} ++tap_test_program{name='random_test', required_configs='unstable'} + tap_test_program{name='regex_test'} + tap_test_program{name='result_test'} + tap_test_program{name='safe_test'} -- 2.20.1 diff --git a/SOURCES/bind-9.11-zone2ldap.patch b/SOURCES/bind-9.11-zone2ldap.patch index e576c03..a816240 100644 --- a/SOURCES/bind-9.11-zone2ldap.patch +++ b/SOURCES/bind-9.11-zone2ldap.patch @@ -1,15 +1,15 @@ -From 738d12594972ad816e8cff9821f760aa0682fd08 Mon Sep 17 00:00:00 2001 +From 0430b3ac66169eea7a74aaa8bfca50400d3497cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 18 Dec 2018 16:06:26 +0100 Subject: [PATCH] Make absolute hostname by dns API instead of strings Duplicate all strings in dc_list. Free allocated memory on each record. --- - bin/sdb_tools/zone2ldap.c | 72 +++++++++++++++++++++++++++++------------------ - 1 file changed, 45 insertions(+), 27 deletions(-) + bin/sdb_tools/zone2ldap.c | 71 +++++++++++++++++++++++++-------------- + 1 file changed, 45 insertions(+), 26 deletions(-) diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c -index acf160b..cc482dc 100644 +index 76186b5..28df191 100644 --- a/bin/sdb_tools/zone2ldap.c +++ b/bin/sdb_tools/zone2ldap.c @@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp); @@ -40,26 +40,26 @@ index acf160b..cc482dc 100644 } else { -@@ -451,12 +458,17 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) +@@ -451,12 +458,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) char data[2048]; char **dc_list; char *dn; + size_t argzone_len; -+ isc_boolean_t omit_dot; ++ bool omit_dot; isc_buffer_t buff; isc_result_t result; isc_buffer_init (&buff, name, sizeof (name)); -- result = dns_name_totext (dnsname, ISC_TRUE, &buff); + result = dns_name_totext (dnsname, true, &buff); + argzone_len = strlen(argzone); + /* If argzone is absolute, output absolute name too */ -+ omit_dot = ISC_TF(!(argzone_len > 0 && argzone[argzone_len-1] == '.')); ++ omit_dot = (!(argzone_len > 0 && argzone[argzone_len-1] == '.')); + result = dns_name_totext (dnsname, omit_dot, &buff); isc_result_check (result, "dns_name_totext"); name[isc_buffer_usedlength (&buff)] = 0; -@@ -478,6 +490,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) +@@ -478,6 +491,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data); add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT); @@ -67,7 +67,7 @@ index acf160b..cc482dc 100644 } -@@ -538,12 +551,9 @@ add_to_rr_list (char *dn, char *name, char *type, +@@ -538,12 +552,9 @@ add_to_rr_list (char *dn, char *name, char *type, if (tmp->attrs == (LDAPMod **) NULL) fatal("calloc"); @@ -83,7 +83,7 @@ index acf160b..cc482dc 100644 tmp->attrs[0]->mod_op = LDAP_MOD_ADD; tmp->attrs[0]->mod_type = objectClass; -@@ -559,9 +569,18 @@ add_to_rr_list (char *dn, char *name, char *type, +@@ -559,9 +570,18 @@ add_to_rr_list (char *dn, char *name, char *type, return; } @@ -103,7 +103,7 @@ index acf160b..cc482dc 100644 if (tmp->attrs[1]->mod_values == (char **)NULL) fatal("calloc"); -@@ -705,25 +724,16 @@ char ** +@@ -705,25 +725,16 @@ char ** hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) { char *tmp; @@ -131,7 +131,7 @@ index acf160b..cc482dc 100644 last = strdup(sameZone); }else { -@@ -731,8 +741,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) +@@ -731,8 +742,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) ||( strcmp( hostname + (hlen - zlen), zone ) != 0) ) { @@ -140,7 +140,7 @@ index acf160b..cc482dc 100644 hname=(char*)malloc( hlen + zlen + 1); if( *zone == '.' ) sprintf(hname, "%s%s", hostname, zone); -@@ -740,8 +748,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) +@@ -740,8 +749,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) sprintf(hname,"%s",zone); }else { @@ -150,7 +150,7 @@ index acf160b..cc482dc 100644 } last = hname; } -@@ -754,18 +761,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) +@@ -754,18 +762,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) for (tmp = strrchr (hname, '.'); tmp != (char *) 0; tmp = strrchr (hname, '.')) { @@ -176,7 +176,7 @@ index acf160b..cc482dc 100644 if( ( last != hname ) && (tmp != hname) ) dn_buffer[i++] = hname; dn_buffer[i++] = last; -@@ -825,6 +835,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone) +@@ -825,6 +836,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone) return dn; } @@ -192,5 +192,5 @@ index acf160b..cc482dc 100644 /* Initialize LDAP Conn */ void -- -2.14.5 +2.20.1 diff --git a/SOURCES/bind-9.11.13-rwlock.patch b/SOURCES/bind-9.11.13-rwlock.patch new file mode 100644 index 0000000..24dfa15 --- /dev/null +++ b/SOURCES/bind-9.11.13-rwlock.patch @@ -0,0 +1,513 @@ +From bc9a36bad14b014340244bfc35a20df6809a5568 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Thu, 27 Feb 2020 15:35:31 +0100 +Subject: [PATCH] Fix rwlock to be thread-safe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is a backport of the following commits + +commit 4cf275ba8aa1caf47ed763b51c37fa561005cb8d +Author: Ondřej Surý +Date: Wed Feb 12 09:17:55 2020 +0100 + + Replace non-loop usage of atomic_compare_exchange_weak with strong variant + +commit b43f5e023885dac9f1ffdace54720150768a333b +Author: Ondřej Surý +Date: Sat Feb 1 10:48:20 2020 +0100 + + Convert all atomic operations in isc_rwlock to release-acquire memory ordering + +commit 49462cf9747261cbc39d5fa4c691b64ac5472af4 +Author: Ondřej Surý +Date: Tue May 14 00:19:11 2019 +0700 + + Make isc_rwlock.c thread-safe + +commit 9d5df99a9d9d13c9487969b6fa3818a8b83b4ee2 +Author: Ondřej Surý +Date: Thu Aug 23 15:30:06 2018 +0200 + + Directly use return value of atomic_compare_exchange_strong_explicit insteaf of comparing expected value + +commit b5709e5531d9d45f9fc3db129c11ad474477d7b6 +Author: Ondřej Surý +Date: Fri Aug 17 19:21:12 2018 +0200 + + Explicitly load atomic values in lib/isc/rwlock.c +--- + lib/isc/rwlock.c | 275 ++++++++++++++++++----------------------------- + 1 file changed, 107 insertions(+), 168 deletions(-) + +diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c +index 9533c0f828..5591eff719 100644 +--- a/lib/isc/rwlock.c ++++ b/lib/isc/rwlock.c +@@ -46,6 +46,26 @@ + #if defined(ISC_RWLOCK_USEATOMIC) + static isc_result_t + isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type); ++ ++#ifndef ISC_RWLOCK_USESTDATOMIC ++#error non-stdatomic support removed ++#endif ++ ++#define atomic_load_acquire(o) \ ++ atomic_load_explicit((o), memory_order_acquire) ++#define atomic_store_release(o, v) \ ++ atomic_store_explicit((o), (v), memory_order_release) ++#define atomic_fetch_add_release(o, v) \ ++ atomic_fetch_add_explicit((o), (v), memory_order_release) ++#define atomic_fetch_sub_release(o, v) \ ++ atomic_fetch_sub_explicit((o), (v), memory_order_release) ++#define atomic_compare_exchange_weak_acq_rel(o, e, d) \ ++ atomic_compare_exchange_weak_explicit((o), (e), (d), \ ++ memory_order_acq_rel, \ ++ memory_order_acquire) ++#define atomic_compare_exchange_strong_acq_rel(o, e, d) \ ++ atomic_compare_exchange_strong_explicit( \ ++ (o), (e), (d), memory_order_acq_rel, memory_order_acquire) + #endif + + #ifdef ISC_RWLOCK_TRACE +@@ -108,13 +128,13 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota, + */ + rwl->magic = 0; + +- rwl->spins = 0; + #if defined(ISC_RWLOCK_USEATOMIC) +- rwl->write_requests = 0; +- rwl->write_completions = 0; +- rwl->cnt_and_flag = 0; ++ atomic_init(&rwl->spins, 0); ++ atomic_init(&rwl->write_requests, 0); ++ atomic_init(&rwl->write_completions, 0); ++ atomic_init(&rwl->cnt_and_flag, 0); + rwl->readers_waiting = 0; +- rwl->write_granted = 0; ++ atomic_init(&rwl->write_granted, 0); + if (read_quota != 0) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "read quota is not supported"); +@@ -123,6 +143,7 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota, + write_quota = RWLOCK_DEFAULT_WRITE_QUOTA; + rwl->write_quota = write_quota; + #else ++ rwl->spins = 0; + rwl->type = isc_rwlocktype_read; + rwl->original = isc_rwlocktype_none; + rwl->active = 0; +@@ -178,16 +199,9 @@ void + isc_rwlock_destroy(isc_rwlock_t *rwl) { + REQUIRE(VALID_RWLOCK(rwl)); + +-#if defined(ISC_RWLOCK_USEATOMIC) +- REQUIRE(rwl->write_requests == rwl->write_completions && +- rwl->cnt_and_flag == 0 && rwl->readers_waiting == 0); +-#else +- LOCK(&rwl->lock); +- REQUIRE(rwl->active == 0 && +- rwl->readers_waiting == 0 && +- rwl->writers_waiting == 0); +- UNLOCK(&rwl->lock); +-#endif ++ REQUIRE(atomic_load_acquire(&rwl->write_requests) == ++ atomic_load_acquire(&rwl->write_completions) && ++ atomic_load_acquire(&rwl->cnt_and_flag) == 0 && rwl->readers_waiting == 0); + + rwl->magic = 0; + (void)isc_condition_destroy(&rwl->readable); +@@ -274,10 +288,13 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + #endif + + if (type == isc_rwlocktype_read) { +- if (rwl->write_requests != rwl->write_completions) { ++ if (atomic_load_acquire(&rwl->write_requests) != ++ atomic_load_acquire(&rwl->write_completions)) ++ { + /* there is a waiting or active writer */ + LOCK(&rwl->lock); +- if (rwl->write_requests != rwl->write_completions) { ++ if (atomic_load_acquire(&rwl->write_requests) != ++ atomic_load_acquire(&rwl->write_completions)) { + rwl->readers_waiting++; + WAIT(&rwl->readable, &rwl->lock); + rwl->readers_waiting--; +@@ -285,23 +302,24 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + UNLOCK(&rwl->lock); + } + +-#if defined(ISC_RWLOCK_USESTDATOMIC) +- cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag, +- READER_INCR, +- memory_order_relaxed); +-#else +- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR); +-#endif ++ cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag, ++ READER_INCR); + POST(cntflag); + while (1) { +- if ((rwl->cnt_and_flag & WRITER_ACTIVE) == 0) ++ if ((atomic_load_acquire(&rwl->cnt_and_flag) ++ & WRITER_ACTIVE) == 0) ++ { + break; ++ } + + /* A writer is still working */ + LOCK(&rwl->lock); + rwl->readers_waiting++; +- if ((rwl->cnt_and_flag & WRITER_ACTIVE) != 0) ++ if ((atomic_load_acquire(&rwl->cnt_and_flag) ++ & WRITER_ACTIVE) != 0) ++ { + WAIT(&rwl->readable, &rwl->lock); ++ } + rwl->readers_waiting--; + UNLOCK(&rwl->lock); + +@@ -336,20 +354,19 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + * quota, reset the condition (race among readers doesn't + * matter). + */ +- rwl->write_granted = 0; ++ atomic_store_release(&rwl->write_granted, 0); + } else { + int32_t prev_writer; + + /* enter the waiting queue, and wait for our turn */ +-#if defined(ISC_RWLOCK_USESTDATOMIC) +- prev_writer = atomic_fetch_add_explicit(&rwl->write_requests, 1, +- memory_order_relaxed); +-#else +- prev_writer = isc_atomic_xadd(&rwl->write_requests, 1); +-#endif +- while (rwl->write_completions != prev_writer) { ++ prev_writer = atomic_fetch_add_release(&rwl->write_requests, 1); ++ while (atomic_load_acquire(&rwl->write_completions) ++ != prev_writer) ++ { + LOCK(&rwl->lock); +- if (rwl->write_completions != prev_writer) { ++ if (atomic_load_acquire(&rwl->write_completions) ++ != prev_writer) ++ { + WAIT(&rwl->writeable, &rwl->lock); + UNLOCK(&rwl->lock); + continue; +@@ -359,29 +376,24 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + } + + while (1) { +-#if defined(ISC_RWLOCK_USESTDATOMIC) + int_fast32_t cntflag2 = 0; +- atomic_compare_exchange_strong_explicit +- (&rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE, +- memory_order_relaxed, memory_order_relaxed); +-#else +- int32_t cntflag2; +- cntflag2 = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0, +- WRITER_ACTIVE); +-#endif +- +- if (cntflag2 == 0) ++ if (atomic_compare_exchange_weak_acq_rel( ++ &rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE)) ++ { + break; ++ } + + /* Another active reader or writer is working. */ + LOCK(&rwl->lock); +- if (rwl->cnt_and_flag != 0) ++ if (atomic_load_acquire(&rwl->cnt_and_flag) != 0) { + WAIT(&rwl->writeable, &rwl->lock); ++ } + UNLOCK(&rwl->lock); + } + +- INSIST((rwl->cnt_and_flag & WRITER_ACTIVE) != 0); +- rwl->write_granted++; ++ INSIST((atomic_load_acquire(&rwl->cnt_and_flag) ++ & WRITER_ACTIVE)); ++ atomic_fetch_add_release(&rwl->write_granted, 1); + } + + #ifdef ISC_RWLOCK_TRACE +@@ -395,12 +407,10 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + isc_result_t + isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + int32_t cnt = 0; +- int32_t max_cnt = rwl->spins * 2 + 10; ++ int32_t spins = atomic_load_acquire(&rwl->spins) * 2 + 10; ++ int32_t max_cnt = ISC_MAX(spins, RWLOCK_MAX_ADAPTIVE_COUNT); + isc_result_t result = ISC_R_SUCCESS; + +- if (max_cnt > RWLOCK_MAX_ADAPTIVE_COUNT) +- max_cnt = RWLOCK_MAX_ADAPTIVE_COUNT; +- + do { + if (cnt++ >= max_cnt) { + result = isc__rwlock_lock(rwl, type); +@@ -411,7 +421,7 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + #endif + } while (isc_rwlock_trylock(rwl, type) != ISC_R_SUCCESS); + +- rwl->spins += (cnt - rwl->spins) / 8; ++ atomic_fetch_add_release(&rwl->spins, (cnt - spins) / 8); + + return (result); + } +@@ -429,36 +439,28 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + + if (type == isc_rwlocktype_read) { + /* If a writer is waiting or working, we fail. */ +- if (rwl->write_requests != rwl->write_completions) ++ if (atomic_load_acquire(&rwl->write_requests) != ++ atomic_load_acquire(&rwl->write_completions)) + return (ISC_R_LOCKBUSY); + + /* Otherwise, be ready for reading. */ +-#if defined(ISC_RWLOCK_USESTDATOMIC) +- cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag, +- READER_INCR, +- memory_order_relaxed); +-#else +- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR); +-#endif ++ cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag, ++ READER_INCR); + if ((cntflag & WRITER_ACTIVE) != 0) { + /* + * A writer is working. We lose, and cancel the read + * request. + */ +-#if defined(ISC_RWLOCK_USESTDATOMIC) +- cntflag = atomic_fetch_sub_explicit +- (&rwl->cnt_and_flag, READER_INCR, +- memory_order_relaxed); +-#else +- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, +- -READER_INCR); +-#endif ++ cntflag = atomic_fetch_sub_release( ++ &rwl->cnt_and_flag, READER_INCR); + /* + * If no other readers are waiting and we've suspended + * new writers in this short period, wake them up. + */ + if (cntflag == READER_INCR && +- rwl->write_completions != rwl->write_requests) { ++ atomic_load_acquire(&rwl->write_completions) != ++ atomic_load_acquire(&rwl->write_requests)) ++ { + LOCK(&rwl->lock); + BROADCAST(&rwl->writeable); + UNLOCK(&rwl->lock); +@@ -468,31 +470,19 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + } + } else { + /* Try locking without entering the waiting queue. */ +-#if defined(ISC_RWLOCK_USESTDATOMIC) + int_fast32_t zero = 0; +- if (!atomic_compare_exchange_strong_explicit +- (&rwl->cnt_and_flag, &zero, WRITER_ACTIVE, +- memory_order_relaxed, memory_order_relaxed)) ++ if (!atomic_compare_exchange_strong_acq_rel( ++ &rwl->cnt_and_flag, &zero, WRITER_ACTIVE)) ++ { + return (ISC_R_LOCKBUSY); +-#else +- cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0, +- WRITER_ACTIVE); +- if (cntflag != 0) +- return (ISC_R_LOCKBUSY); +-#endif ++ } + + /* + * XXXJT: jump into the queue, possibly breaking the writer + * order. + */ +-#if defined(ISC_RWLOCK_USESTDATOMIC) +- atomic_fetch_sub_explicit(&rwl->write_completions, 1, +- memory_order_relaxed); +-#else +- (void)isc_atomic_xadd(&rwl->write_completions, -1); +-#endif +- +- rwl->write_granted++; ++ atomic_fetch_sub_release(&rwl->write_completions, 1); ++ atomic_fetch_add_release(&rwl->write_granted, 1); + } + + #ifdef ISC_RWLOCK_TRACE +@@ -507,14 +497,12 @@ isc_result_t + isc_rwlock_tryupgrade(isc_rwlock_t *rwl) { + REQUIRE(VALID_RWLOCK(rwl)); + +-#if defined(ISC_RWLOCK_USESTDATOMIC) + { + int_fast32_t reader_incr = READER_INCR; + + /* Try to acquire write access. */ +- atomic_compare_exchange_strong_explicit +- (&rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE, +- memory_order_relaxed, memory_order_relaxed); ++ atomic_compare_exchange_strong_acq_rel( ++ &rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE); + /* + * There must have been no writer, and there must have + * been at least one reader. +@@ -527,36 +515,11 @@ isc_rwlock_tryupgrade(isc_rwlock_t *rwl) { + * We are the only reader and have been upgraded. + * Now jump into the head of the writer waiting queue. + */ +- atomic_fetch_sub_explicit(&rwl->write_completions, 1, +- memory_order_relaxed); ++ atomic_fetch_sub_release(&rwl->write_completions, 1); + } else + return (ISC_R_LOCKBUSY); + + } +-#else +- { +- int32_t prevcnt; +- +- /* Try to acquire write access. */ +- prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag, +- READER_INCR, WRITER_ACTIVE); +- /* +- * There must have been no writer, and there must have +- * been at least one reader. +- */ +- INSIST((prevcnt & WRITER_ACTIVE) == 0 && +- (prevcnt & ~WRITER_ACTIVE) != 0); +- +- if (prevcnt == READER_INCR) { +- /* +- * We are the only reader and have been upgraded. +- * Now jump into the head of the writer waiting queue. +- */ +- (void)isc_atomic_xadd(&rwl->write_completions, -1); +- } else +- return (ISC_R_LOCKBUSY); +- } +-#endif + + return (ISC_R_SUCCESS); + } +@@ -567,33 +530,15 @@ isc_rwlock_downgrade(isc_rwlock_t *rwl) { + + REQUIRE(VALID_RWLOCK(rwl)); + +-#if defined(ISC_RWLOCK_USESTDATOMIC) +- { +- /* Become an active reader. */ +- prev_readers = atomic_fetch_add_explicit(&rwl->cnt_and_flag, +- READER_INCR, +- memory_order_relaxed); +- /* We must have been a writer. */ +- INSIST((prev_readers & WRITER_ACTIVE) != 0); +- +- /* Complete write */ +- atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE, +- memory_order_relaxed); +- atomic_fetch_add_explicit(&rwl->write_completions, 1, +- memory_order_relaxed); +- } +-#else +- { +- /* Become an active reader. */ +- prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR); +- /* We must have been a writer. */ +- INSIST((prev_readers & WRITER_ACTIVE) != 0); +- +- /* Complete write */ +- (void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE); +- (void)isc_atomic_xadd(&rwl->write_completions, 1); +- } +-#endif ++ /* Become an active reader. */ ++ prev_readers = atomic_fetch_add_release(&rwl->cnt_and_flag, ++ READER_INCR); ++ /* We must have been a writer. */ ++ INSIST((prev_readers & WRITER_ACTIVE) != 0); ++ ++ /* Complete write */ ++ atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE); ++ atomic_fetch_add_release(&rwl->write_completions, 1); + + /* Resume other readers */ + LOCK(&rwl->lock); +@@ -614,20 +559,16 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + #endif + + if (type == isc_rwlocktype_read) { +-#if defined(ISC_RWLOCK_USESTDATOMIC) +- prev_cnt = atomic_fetch_sub_explicit(&rwl->cnt_and_flag, +- READER_INCR, +- memory_order_relaxed); +-#else +- prev_cnt = isc_atomic_xadd(&rwl->cnt_and_flag, -READER_INCR); +-#endif ++ prev_cnt = atomic_fetch_sub_release(&rwl->cnt_and_flag, ++ READER_INCR); + /* + * If we're the last reader and any writers are waiting, wake + * them up. We need to wake up all of them to ensure the + * FIFO order. + */ + if (prev_cnt == READER_INCR && +- rwl->write_completions != rwl->write_requests) { ++ atomic_load_acquire(&rwl->write_completions) != ++ atomic_load_acquire(&rwl->write_requests)) { + LOCK(&rwl->lock); + BROADCAST(&rwl->writeable); + UNLOCK(&rwl->lock); +@@ -639,19 +580,16 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + * Reset the flag, and (implicitly) tell other writers + * we are done. + */ +-#if defined(ISC_RWLOCK_USESTDATOMIC) +- atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE, +- memory_order_relaxed); +- atomic_fetch_add_explicit(&rwl->write_completions, 1, +- memory_order_relaxed); +-#else +- (void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE); +- (void)isc_atomic_xadd(&rwl->write_completions, 1); +-#endif +- +- if (rwl->write_granted >= rwl->write_quota || +- rwl->write_requests == rwl->write_completions || +- (rwl->cnt_and_flag & ~WRITER_ACTIVE) != 0) { ++ atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE); ++ atomic_fetch_add_release(&rwl->write_completions, 1); ++ ++ if ((atomic_load_acquire(&rwl->write_granted) >= ++ rwl->write_quota) || ++ (atomic_load_acquire(&rwl->write_requests) == ++ atomic_load_acquire(&rwl->write_completions)) || ++ (atomic_load_acquire(&rwl->cnt_and_flag) ++ & ~WRITER_ACTIVE)) ++ { + /* + * We have passed the write quota, no writer is + * waiting, or some readers are almost ready, pending +@@ -668,7 +606,8 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) { + UNLOCK(&rwl->lock); + } + +- if (rwl->write_requests != rwl->write_completions && ++ if ((atomic_load_acquire(&rwl->write_requests) != ++ atomic_load_acquire(&rwl->write_completions)) && + wakeup_writers) { + LOCK(&rwl->lock); + BROADCAST(&rwl->writeable); +-- +2.21.0 + diff --git a/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch b/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch index d027bb9..35c8542 100644 --- a/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch +++ b/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch @@ -36,10 +36,10 @@ index 95ab742..6069f09 100644 ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c -index 23dd873..d56bc56 100644 +index aa2c711..76186b5 100644 --- a/bin/sdb_tools/zone2ldap.c +++ b/bin/sdb_tools/zone2ldap.c -@@ -65,6 +66,9 @@ ldap_info; +@@ -66,6 +66,9 @@ ldap_info; /* usage Info */ void usage (void); @@ -49,7 +49,7 @@ index 23dd873..d56bc56 100644 /* Add to the ldap dit */ void add_ldap_values (ldap_info * ldinfo); -@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); +@@ -82,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); int get_attr_list_size (char **tmp); /* Get a DN */ @@ -58,7 +58,7 @@ index 23dd873..d56bc56 100644 /* Add to RR list */ void add_to_rr_list (char *dn, char *name, char *type, char *data, -@@ -103,11 +107,27 @@ void +@@ -104,11 +107,27 @@ void init_ldap_conn (); void usage(); @@ -91,7 +91,7 @@ index 23dd873..d56bc56 100644 LDAP *conn; unsigned int debug = 0; -@@ -131,12 +151,12 @@ main (int argc, char **argv) +@@ -132,12 +151,12 @@ main (int argc, char **argv) isc_result_t result; char *basedn; ldap_info *tmp; @@ -107,7 +107,7 @@ index 23dd873..d56bc56 100644 dns_fixedname_t fixedzone, fixedname; dns_rdataset_t rdataset; char **dc_list; -@@ -149,7 +169,7 @@ main (int argc, char **argv) +@@ -150,7 +169,7 @@ main (int argc, char **argv) extern char *optarg; extern int optind, opterr, optopt; int create_base = 0; @@ -116,7 +116,7 @@ index 23dd873..d56bc56 100644 if (argc < 2) { -@@ -157,7 +177,7 @@ main (int argc, char **argv) +@@ -158,7 +177,7 @@ main (int argc, char **argv) exit (-1); } @@ -125,7 +125,7 @@ index 23dd873..d56bc56 100644 { switch (topt) { -@@ -180,6 +200,9 @@ main (int argc, char **argv) +@@ -181,6 +200,9 @@ main (int argc, char **argv) if (bindpw == NULL) fatal("strdup"); break; @@ -135,7 +135,7 @@ index 23dd873..d56bc56 100644 case 'b': ldapbase = strdup (optarg); if (ldapbase == NULL) -@@ -301,27 +324,62 @@ main (int argc, char **argv) +@@ -300,27 +322,62 @@ main (int argc, char **argv) { if (debug) printf ("Creating base zone DN %s\n", argzone); @@ -208,7 +208,7 @@ index 23dd873..d56bc56 100644 } else { -@@ -330,8 +388,13 @@ main (int argc, char **argv) +@@ -329,8 +386,13 @@ main (int argc, char **argv) else sprintf (fullbasedn, "%s", ctmp); } @@ -222,7 +222,7 @@ index 23dd873..d56bc56 100644 } } -@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) +@@ -408,14 +470,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) isc_result_check (result, "dns_rdata_totext"); data[isc_buffer_usedlength (&buff)] = 0; @@ -240,7 +240,7 @@ index 23dd873..d56bc56 100644 } -@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type, +@@ -455,7 +517,8 @@ add_to_rr_list (char *dn, char *name, char *type, int attrlist; char ldap_type_buffer[128]; char charttl[64]; @@ -250,7 +250,7 @@ index 23dd873..d56bc56 100644 if ((tmp = locate_by_dn (dn)) == NULL) { -@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type, +@@ -482,13 +545,13 @@ add_to_rr_list (char *dn, char *name, char *type, fatal("malloc"); } tmp->attrs[0]->mod_op = LDAP_MOD_ADD; @@ -267,7 +267,7 @@ index 23dd873..d56bc56 100644 tmp->attrs[1] = NULL; tmp->attrcnt = 2; tmp->next = ldap_info_base; -@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type, +@@ -497,7 +560,7 @@ add_to_rr_list (char *dn, char *name, char *type, } tmp->attrs[1]->mod_op = LDAP_MOD_ADD; @@ -276,7 +276,7 @@ index 23dd873..d56bc56 100644 tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); if (tmp->attrs[1]->mod_values == (char **)NULL) -@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type, +@@ -526,7 +589,7 @@ add_to_rr_list (char *dn, char *name, char *type, fatal("strdup"); tmp->attrs[3]->mod_op = LDAP_MOD_ADD; @@ -285,7 +285,7 @@ index 23dd873..d56bc56 100644 tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); if (tmp->attrs[3]->mod_values == (char **)NULL) -@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type, +@@ -539,14 +602,25 @@ add_to_rr_list (char *dn, char *name, char *type, if (tmp->attrs[3]->mod_values[0] == NULL) fatal("strdup"); @@ -313,7 +313,7 @@ index 23dd873..d56bc56 100644 tmp->attrs[4]->mod_values[1] = NULL; tmp->attrs[5] = NULL; -@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type, +@@ -557,7 +631,7 @@ add_to_rr_list (char *dn, char *name, char *type, else { @@ -322,7 +322,7 @@ index 23dd873..d56bc56 100644 { sprintf (ldap_type_buffer, "%sRecord", type); if (!strncmp -@@ -632,44 +707,70 @@ char ** +@@ -631,44 +705,70 @@ char ** hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) { char *tmp; @@ -430,7 +430,7 @@ index 23dd873..d56bc56 100644 dn_buffer[i] = NULL; return dn_buffer; -@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) +@@ -680,24 +780,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) * exception of "@"/SOA. */ char * @@ -459,7 +459,7 @@ index 23dd873..d56bc56 100644 if (flag == WI_SPEC) { if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl)) -- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl); +- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl); + sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]); else if (x == (size - 2)) - sprintf(tmp, "relativeDomainName=%s,",dc_list[x]); @@ -467,7 +467,7 @@ index 23dd873..d56bc56 100644 else sprintf(tmp,"dc=%s,", dc_list[x]); } -@@ -724,6 +833,7 @@ void +@@ -723,6 +831,7 @@ void init_ldap_conn () { int result; @@ -475,7 +475,7 @@ index 23dd873..d56bc56 100644 conn = ldap_open (ldapsystem, LDAP_PORT); if (conn == NULL) { -@@ -733,7 +843,7 @@ init_ldap_conn () +@@ -732,7 +841,7 @@ init_ldap_conn () } result = ldap_simple_bind_s (conn, binddn, bindpw); @@ -484,7 +484,7 @@ index 23dd873..d56bc56 100644 } /* Like isc_result_check, only for LDAP */ -@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err) +@@ -749,8 +858,6 @@ ldap_result_check (const char *msg, char *dn, int err) } } @@ -493,7 +493,7 @@ index 23dd873..d56bc56 100644 /* For running the ldap_info run queue. */ void add_ldap_values (ldap_info * ldinfo) -@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo) +@@ -758,14 +865,14 @@ add_ldap_values (ldap_info * ldinfo) int result; char dnbuffer[1024]; @@ -510,7 +510,7 @@ index 23dd873..d56bc56 100644 } -@@ -777,5 +885,5 @@ void +@@ -776,5 +883,5 @@ void usage () { fprintf (stderr, diff --git a/SOURCES/bind-9.9.1-P2-multlib-conflict.patch b/SOURCES/bind-9.9.1-P2-multlib-conflict.patch index 96506dd..8768b86 100644 --- a/SOURCES/bind-9.9.1-P2-multlib-conflict.patch +++ b/SOURCES/bind-9.9.1-P2-multlib-conflict.patch @@ -1,8 +1,8 @@ diff --git a/config.h.in b/config.h.in -index e1364dd921..1dc65cfb21 100644 +index 4ecaa8f..2f65ccc 100644 --- a/config.h.in +++ b/config.h.in -@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig); +@@ -600,7 +600,7 @@ int sigwait(const unsigned int *set, int *sig); #undef PREFER_GOSTASN1 /* The size of `void *', as computed by sizeof. */ @@ -11,39 +11,8 @@ index e1364dd921..1dc65cfb21 100644 /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS -diff --git a/configure.in b/configure.in -index 73b1c8ccbb..129fc3f311 100644 ---- a/configure.in -+++ b/configure.in -@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([ - #include - #include - int getnameinfo(const struct sockaddr *, socklen_t, char *, -- socklen_t, char *, socklen_t, unsigned int);], -+ socklen_t, char *, socklen_t, int);], - [ return (0);], -- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags) -+ [AC_MSG_RESULT(socklen_t for buflen; int for flags) - AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t, - [Define to the sockaddr length type used by getnameinfo(3).]) - AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t, - [Define to the buffer length type used by getnameinfo(3).]) -- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int, -+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int, - [Define to the flags type used by getnameinfo(3).])], - [AC_TRY_COMPILE([ - #include -@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *, - [AC_MSG_RESULT(not match any subspecies; assume standard definition) - AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t) - AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) --AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])]) -+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])]) - - # - # ...and same for gai_strerror(). diff --git a/isc-config.sh.in b/isc-config.sh.in -index a8a0a89e88..b5e94ed13e 100644 +index a8a0a89..b5e94ed 100644 --- a/isc-config.sh.in +++ b/isc-config.sh.in @@ -13,7 +13,18 @@ prefix=@prefix@ diff --git a/SOURCES/bind-95-rh452060.patch b/SOURCES/bind-95-rh452060.patch index dac3a8d..6f4a892 100644 --- a/SOURCES/bind-95-rh452060.patch +++ b/SOURCES/bind-95-rh452060.patch @@ -1,34 +1,34 @@ diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index f657c30..ff9a2d2 100644 +index c06c804..e75b8b7 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c -@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) { +@@ -1816,6 +1816,13 @@ clear_query(dig_query_t *query) { if (query->timer != NULL) isc_timer_detach(&query->timer); + + if (query->waiting_senddone) { + debug("send_done not yet called"); -+ query->pending_free = ISC_TRUE; ++ query->pending_free = true; + return; + } + lookup = query->lookup; if (lookup->current_query == query) -@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) { +@@ -1841,10 +1848,7 @@ clear_query(dig_query_t *query) { isc_mempool_put(commctx, query->recvspace); isc_buffer_invalidate(&query->recvbuf); isc_buffer_invalidate(&query->lengthbuf); - if (query->waiting_senddone) -- query->pending_free = ISC_TRUE; +- query->pending_free = true; - else - isc_mem_free(mctx, query); + isc_mem_free(mctx, query); } /*% -@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) { +@@ -2895,9 +2899,9 @@ send_done(isc_task_t *_task, isc_event_t *event) { isc_event_free(&event); if (query->pending_free) diff --git a/SOURCES/bind93-rh490837.patch b/SOURCES/bind93-rh490837.patch index 230d7a7..6ea55ba 100644 --- a/SOURCES/bind93-rh490837.patch +++ b/SOURCES/bind93-rh490837.patch @@ -1,13 +1,22 @@ -? patch -? lib/isc/lex.c.rh490837 -Index: lib/isc/lex.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/lex.c,v -retrieving revision 1.86 -diff -p -u -r1.86 lex.c ---- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86 -+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000 -@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne +diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h +index 1f44b5a..a3625f9 100644 +--- a/lib/isc/include/isc/stdio.h ++++ b/lib/isc/include/isc/stdio.h +@@ -69,6 +69,9 @@ isc_stdio_sync(FILE *f); + * direct counterpart in the stdio library. + */ + ++isc_result_t ++isc_stdio_fgetc(FILE *f, int *ret); ++ + ISC_LANG_ENDDECLS + + #endif /* ISC_STDIO_H */ +diff --git a/lib/isc/lex.c b/lib/isc/lex.c +index a8955bc..fc6103b 100644 +--- a/lib/isc/lex.c ++++ b/lib/isc/lex.c +@@ -434,17 +434,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) { if (source->is_file) { stream = source->input; @@ -28,34 +37,14 @@ diff -p -u -r1.86 lex.c goto done; } + - source->at_eof = ISC_TRUE; + source->at_eof = true; } } else { -Index: lib/isc/include/isc/stdio.h -=================================================================== -RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v -retrieving revision 1.13 -diff -p -u -r1.13 stdio.h ---- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13 -+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000 -@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f); - * direct counterpart in the stdio library. - */ - -+isc_result_t -+isc_stdio_fgetc(FILE *f, int *ret); -+ - ISC_LANG_ENDDECLS - - #endif /* ISC_STDIO_H */ -Index: lib/isc/unix/errno2result.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v -retrieving revision 1.17 -diff -p -u -r1.17 errno2result.c ---- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17 -+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000 -@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) { +diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c +index 2f12bcc..5bfd648 100644 +--- a/lib/isc/unix/errno2result.c ++++ b/lib/isc/unix/errno2result.c +@@ -40,6 +40,7 @@ isc___errno2result(int posixerrno, bool dolog, case EINVAL: /* XXX sometimes this is not for files */ case ENAMETOOLONG: case EBADF: @@ -63,14 +52,11 @@ diff -p -u -r1.17 errno2result.c return (ISC_R_INVALIDFILE); case ENOENT: return (ISC_R_FILENOTFOUND); -Index: lib/isc/unix/stdio.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v -retrieving revision 1.8 -diff -p -u -r1.8 stdio.c ---- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8 -+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000 -@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) { +diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c +index e60fa65..77f0b13 100644 +--- a/lib/isc/unix/stdio.c ++++ b/lib/isc/unix/stdio.c +@@ -149,3 +149,22 @@ isc_stdio_sync(FILE *f) { return (isc__errno2result(errno)); } diff --git a/SOURCES/bind97-rh478718.patch b/SOURCES/bind97-rh478718.patch index ef44490..dfc4165 100644 --- a/SOURCES/bind97-rh478718.patch +++ b/SOURCES/bind97-rh478718.patch @@ -1,8 +1,8 @@ -diff --git a/configure.in b/configure.in -index 896e81c1ce..73b1c8ccbb 100644 ---- a/configure.in -+++ b/configure.in -@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then +diff --git a/configure.ac b/configure.ac +index 26c509e..c1bfd62 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4152,6 +4152,10 @@ if test "yes" = "$use_atomic"; then AC_MSG_RESULT($arch) fi @@ -14,10 +14,10 @@ index 896e81c1ce..73b1c8ccbb 100644 AC_MSG_CHECKING([compiler support for inline assembly code]) diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index 2ff522342f..58df86adb3 100644 +index c902d46..9c7c342 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in -@@ -289,19 +289,25 @@ +@@ -284,19 +284,25 @@ * If the "xaddq" operation (64bit xadd) is available on this architecture, * ISC_PLATFORM_HAVEXADDQ will be defined. */ diff --git a/SOURCES/named-chroot.files b/SOURCES/named-chroot.files index b38cbe6..43c559a 100644 --- a/SOURCES/named-chroot.files +++ b/SOURCES/named-chroot.files @@ -16,6 +16,7 @@ /etc/named /usr/lib64/bind /usr/lib/bind +/usr/share/GeoIP /run/named # Warning: the order is important # If a directory containing $ROOTDIR is listed here, diff --git a/SOURCES/named-chroot.service b/SOURCES/named-chroot.service index 5732b1c..a49df15 100644 --- a/SOURCES/named-chroot.service +++ b/SOURCES/named-chroot.service @@ -20,7 +20,7 @@ PIDFile=/var/named/chroot/run/named/named.pid ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS -ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' +ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' diff --git a/SOURCES/named-pkcs11.service b/SOURCES/named-pkcs11.service index c1a19d1..27e0693 100644 --- a/SOURCES/named-pkcs11.service +++ b/SOURCES/named-pkcs11.service @@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS -ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' +ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' diff --git a/SOURCES/named-sdb-chroot.service b/SOURCES/named-sdb-chroot.service index 5294f47..acf88ba 100644 --- a/SOURCES/named-sdb-chroot.service +++ b/SOURCES/named-sdb-chroot.service @@ -20,7 +20,7 @@ PIDFile=/var/named/chroot_sdb/run/named/named.pid ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS -ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' +ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' diff --git a/SOURCES/named-sdb.service b/SOURCES/named-sdb.service index b80ec17..cdf3a62 100644 --- a/SOURCES/named-sdb.service +++ b/SOURCES/named-sdb.service @@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS -ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' +ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' diff --git a/SOURCES/named.empty b/SOURCES/named.empty new file mode 100644 index 0000000..8e271e7 --- /dev/null +++ b/SOURCES/named.empty @@ -0,0 +1,10 @@ +$TTL 3H +@ IN SOA @ rname.invalid. ( + 0 ; serial + 1D ; refresh + 1H ; retry + 1W ; expire + 3H ) ; minimum + NS @ + A 127.0.0.1 + AAAA ::1 diff --git a/SOURCES/named.localhost b/SOURCES/named.localhost new file mode 100644 index 0000000..6fe6a52 --- /dev/null +++ b/SOURCES/named.localhost @@ -0,0 +1,10 @@ +$TTL 1D +@ IN SOA @ rname.invalid. ( + 0 ; serial + 1D ; refresh + 1H ; retry + 1W ; expire + 3H ) ; minimum + NS @ + A 127.0.0.1 + AAAA ::1 diff --git a/SOURCES/named.loopback b/SOURCES/named.loopback new file mode 100644 index 0000000..7f3d862 --- /dev/null +++ b/SOURCES/named.loopback @@ -0,0 +1,11 @@ +$TTL 1D +@ IN SOA @ rname.invalid. ( + 0 ; serial + 1D ; refresh + 1H ; retry + 1W ; expire + 3H ) ; minimum + NS @ + A 127.0.0.1 + AAAA ::1 + PTR localhost. diff --git a/SOURCES/named.rfc1912.zones b/SOURCES/named.rfc1912.zones new file mode 100644 index 0000000..fa8caf5 --- /dev/null +++ b/SOURCES/named.rfc1912.zones @@ -0,0 +1,45 @@ +// named.rfc1912.zones: +// +// Provided by Red Hat caching-nameserver package +// +// ISC BIND named zone configuration for zones recommended by +// RFC 1912 section 4.1 : localhost TLDs and address zones +// and https://tools.ietf.org/html/rfc6303 +// (c)2007 R W Franks +// +// See /usr/share/doc/bind*/sample/ for example named configuration files. +// +// Note: empty-zones-enable yes; option is default. +// If private ranges should be forwarded, add +// disable-empty-zone "."; into options +// + +zone "localhost.localdomain" IN { + type master; + file "named.localhost"; + allow-update { none; }; +}; + +zone "localhost" IN { + type master; + file "named.localhost"; + allow-update { none; }; +}; + +zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { + type master; + file "named.loopback"; + allow-update { none; }; +}; + +zone "1.0.0.127.in-addr.arpa" IN { + type master; + file "named.loopback"; + allow-update { none; }; +}; + +zone "0.in-addr.arpa" IN { + type master; + file "named.empty"; + allow-update { none; }; +}; diff --git a/SOURCES/named.root b/SOURCES/named.root new file mode 100644 index 0000000..532d4ff --- /dev/null +++ b/SOURCES/named.root @@ -0,0 +1,61 @@ + +; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net +; (2 servers found) +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900 +;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 1472 +;; QUESTION SECTION: +;. IN NS + +;; ANSWER SECTION: +. 518400 IN NS a.root-servers.net. +. 518400 IN NS b.root-servers.net. +. 518400 IN NS c.root-servers.net. +. 518400 IN NS d.root-servers.net. +. 518400 IN NS e.root-servers.net. +. 518400 IN NS f.root-servers.net. +. 518400 IN NS g.root-servers.net. +. 518400 IN NS h.root-servers.net. +. 518400 IN NS i.root-servers.net. +. 518400 IN NS j.root-servers.net. +. 518400 IN NS k.root-servers.net. +. 518400 IN NS l.root-servers.net. +. 518400 IN NS m.root-servers.net. + +;; ADDITIONAL SECTION: +a.root-servers.net. 518400 IN A 198.41.0.4 +b.root-servers.net. 518400 IN A 199.9.14.201 +c.root-servers.net. 518400 IN A 192.33.4.12 +d.root-servers.net. 518400 IN A 199.7.91.13 +e.root-servers.net. 518400 IN A 192.203.230.10 +f.root-servers.net. 518400 IN A 192.5.5.241 +g.root-servers.net. 518400 IN A 192.112.36.4 +h.root-servers.net. 518400 IN A 198.97.190.53 +i.root-servers.net. 518400 IN A 192.36.148.17 +j.root-servers.net. 518400 IN A 192.58.128.30 +k.root-servers.net. 518400 IN A 193.0.14.129 +l.root-servers.net. 518400 IN A 199.7.83.42 +m.root-servers.net. 518400 IN A 202.12.27.33 +a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30 +b.root-servers.net. 518400 IN AAAA 2001:500:200::b +c.root-servers.net. 518400 IN AAAA 2001:500:2::c +d.root-servers.net. 518400 IN AAAA 2001:500:2d::d +e.root-servers.net. 518400 IN AAAA 2001:500:a8::e +f.root-servers.net. 518400 IN AAAA 2001:500:2f::f +g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d +h.root-servers.net. 518400 IN AAAA 2001:500:1::53 +i.root-servers.net. 518400 IN AAAA 2001:7fe::53 +j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30 +k.root-servers.net. 518400 IN AAAA 2001:7fd::1 +l.root-servers.net. 518400 IN AAAA 2001:500:9f::42 +m.root-servers.net. 518400 IN AAAA 2001:dc3::35 + +;; Query time: 24 msec +;; SERVER: 198.41.0.4#53(198.41.0.4) +;; WHEN: Thu Apr 05 15:57:34 CEST 2018 +;; MSG SIZE rcvd: 811 + diff --git a/SOURCES/named.root.key b/SOURCES/named.root.key new file mode 100644 index 0000000..48449a8 --- /dev/null +++ b/SOURCES/named.root.key @@ -0,0 +1,19 @@ +managed-keys { + # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml + # for current trust anchor information. + # + # This key (20326) was published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. + . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; +}; diff --git a/SOURCES/named.service b/SOURCES/named.service index 6a162ad..7cd6d34 100644 --- a/SOURCES/named.service +++ b/SOURCES/named.service @@ -15,8 +15,7 @@ PIDFile=/run/named/named.pid ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS - -ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' +ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 06c5ea7..3a2b8b4 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -1,14 +1,14 @@ # # Red Hat BIND package .spec file # +# vim:expandtab ts=2: -%global PATCHVER P2 +#%%global PATCHVER P1 #%%global PREVER rc1 %global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}} # bcond_without is built by default, unless --without X is passed # bcond_with is built only when --with X is passed to build -%bcond_without UNITTEST %bcond_with SYSTEMTEST %bcond_without SDB %bcond_without GSSTSIG @@ -19,12 +19,18 @@ %bcond_with LMDB %bcond_with DLZ %bcond_without EXPORT_LIBS -%if 0%{?fedora} >= 17 -%bcond_without KYUA -%bcond_without GEOIP -%else -%bcond_with KYUA +# Legacy GeoIP support %bcond_with GEOIP +%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8 +%bcond_without UNITTEST +%else +%bcond_with UNITTEST +%endif +%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8 +# New MaxMind GeoLite support +%bcond_without GEOIP2 +%else +%bcond_with GEOIP2 %endif %{?!bind_uid: %global bind_uid 25} @@ -34,6 +40,10 @@ %if %{with SDB} %global chroot_sdb_prefix %{bind_dir}/chroot_sdb %endif +%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\ + %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\ + %{_libdir}/bind %{_datadir}/GeoIP + ## The order of libs is important. See lib/Makefile.in for details %define bind_export_libs isc dns isccfg irs %{!?_export_dir:%global _export_dir /bind9-export/} @@ -44,16 +54,16 @@ # # lib*.so.X versions of selected libraries -%global sover_dns 1102 -%global sover_isc 169 -%global sover_irs 160 -%global sover_isccfg 160 +%global sover_dns 1107 +%global sover_isc 1104 +%global sover_irs 161 +%global sover_isccfg 163 Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.11.4 -Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Version: 9.11.13 +Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -63,9 +73,16 @@ Source3: named.logrotate Source7: bind-9.3.1rc1-sdb_tools-Makefile.in Source8: dnszone.schema Source12: README.sdb_pgsql +Source16: named.conf +# Refresh by command: dig @a.root-servers.net. +tcp +norec +# or from URL +Source17: https://www.internic.net/domain/named.root +Source18: named.localhost +Source19: named.loopback +Source20: named.empty +Source23: named.rfc1912.zones Source25: named.conf.sample -Source26: named.conf -Source28: config-18.tar.bz2 +Source27: named.root.key Source30: ldap2zone.c Source31: ldap2zone.1 Source32: named-sdb.8 @@ -111,6 +128,8 @@ Patch140:bind-9.11-rh1410433.patch Patch145:bind-9.11-rh1205168.patch # [ISC-Bugs #46853] commit cb616c6d5c2ece1fac37fa6e0bca2b53d4043098 ISC 4851 Patch149:bind-9.11-kyua-pkcs11.patch +# Avoid conflicts with OpenSSL PKCS11 engine +Patch150:bind-9.11-engine-pkcs11.patch Patch153:bind-9.11-export-suffix.patch Patch154:bind-9.11-oot-manual.patch Patch155:bind-9.11-pk11.patch @@ -121,10 +140,6 @@ Patch157:bind-9.11-fips-tests.patch # commit 083461d3329ff6f2410745848a926090586a9846 Patch158:bind-9.11-rh1624100.patch Patch159:bind-9.11-host-idn-disable.patch -Patch160:bind-9.11-CVE-2018-5744.patch -Patch161:bind-9.11-CVE-2018-5744-test.patch -Patch162:bind-9.11-CVE-2018-5743.patch -Patch163:bind-9.11-CVE-2018-5743-atomic.patch Patch164:bind-9.11-fips-code-includes.patch # [RT #31459] commit 06a8051d2476fb526fe6960832209392c763a9af Patch165:bind-9.11-rt31459.patch @@ -133,12 +148,13 @@ Patch166:bind-9.11-rt46047.patch Patch167:bind-9.11-rh1668682.patch # random_test fails too often by random, disable it Patch168:bind-9.11-unit-disable-random.patch -Patch169:bind-9.11-rt46047-2.patch -Patch170:bind-9.11-CVE-2019-6471.patch -Patch171:bind-9.11-rh1679307.patch -Patch172:bind-9.11-CVE-2018-5745.patch -Patch173:bind-9.11-CVE-2019-6465.patch Patch174:bind-9.11-fips-disable.patch +# Make sure jsonccp-devel does not interfere +Patch175:bind-9.11-json-c.patch +Patch177:bind-9.11-serve-stale.patch +Patch178:bind-9.11-dhcp-time-monotonic.patch +Patch179:bind-9.11-rh1790879.patch +Patch180:bind-9.11.13-rwlock.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -174,26 +190,22 @@ BuildRequires: systemd BuildRequires: python3-devel BuildRequires: python3-ply BuildRequires: findutils sed -%if %{with GEOIP} -BuildRequires: GeoIP-devel -%endif %if %{with SDB} BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mariadb-connector-c-devel BuildRequires: libdb-devel %endif -%if %{with KYUA} +%if %{with UNITTEST} # make unit dependencies -BuildRequires: libatf-c-devel kyua -%else -# shipped atf library requires c++ -BuildRequires: gcc-c++ +BuildRequires: libcmocka-devel kyua %endif %if %{with PKCS11} BuildRequires: softhsm %endif %if %{with SYSTEMTEST} # bin/tests/system dependencies -BuildRequires: net-tools perl(Net::DNS) perl(Net::DNS::Nameserver) +BuildRequires: perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long) +# manual configuration requires this tool +BuildRequires: iproute %endif %if %{with GSSTSIG} BuildRequires: krb5-devel @@ -201,6 +213,12 @@ BuildRequires: krb5-devel %if %{with LMDB} BuildRequires: lmdb-devel %endif +%if %{with GEOIP} +BuildRequires: GeoIP-devel +%endif +%if %{with GEOIP2} +BuildRequires: libmaxminddb-devel +%endif # Needed to regenerate dig.1 manpage BuildRequires: docbook-style-xsl, libxslt @@ -328,6 +346,13 @@ required for development with ISC BIND 9 %package lite-devel Summary: Lite version of header files and libraries needed for BIND DNS development Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} +Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa} +%if %{with GEOIP} +Requires: GeoIP-devel%{?_isa} +%endif +%if %{with GEOIP2} +Requires: libmaxminddb-devel%{?_isa} +%endif %description lite-devel The bind-lite-devel package contains lite version of the header @@ -459,7 +484,7 @@ are used for building ISC DHCP. %patch72 -p1 -b .64bit %endif %patch102 -p1 -b .rh452060 -%patch106 -p0 -b .rh490837 +%patch106 -p1 -b .rh490837 %patch109 -p1 -b .rh478718 %patch112 -p1 -b .rh645544 %patch130 -p1 -b .libdb @@ -473,21 +498,17 @@ are used for building ISC DHCP. %patch157 -p1 -b .fips-tests %patch158 -p1 -b .rh1624100 %patch159 -p1 -b .host-idn-disable -%patch160 -p1 -b .CVE-2018-5744 -%patch161 -p1 -b .CVE-2018-5744-test -%patch162 -p1 -b .CVE-2018-5743 -%patch163 -p1 -b .CVE-2018-5743-atomic %patch164 -p1 -b .fips-includes %patch165 -p1 -b .rt31459 %patch166 -p1 -b .rt46047 %patch167 -p1 -b .rh1668682 %patch168 -p1 -b .random_test-disable -%patch169 -p1 -b .rt46047-2 -%patch170 -p1 -b .CVE-2019-6471 -%patch171 -p1 -b .rh1679307 -%patch172 -p1 -b .CVE-2018-5745 -%patch173 -p1 -b .CVE-2019-6465 %patch174 -p1 -b .rh1737407 +%patch175 -p1 -b .json-c +%patch177 -p1 -b .serve-stale +%patch178 -p1 -b .time-monotonic +%patch179 -p1 -b .rh1790879 +%patch180 -p1 -b .rwlock mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -499,6 +520,7 @@ cp -r lib/isc{,-pkcs11} cp -r lib/dns{,-pkcs11} %patch136 -p1 -b .dist_pkcs11 %patch149 -p1 -b .kyua-pkcs11 +%patch150 -p1 -b .engine-pkcs11 %endif %if %{with SDB} @@ -548,10 +570,9 @@ done # normal and pkcs11 unit tests %define unit_prepare_build() \ - cp -uv Kyuafile Atffile "%{1}/" \ + cp -uv Kyuafile "%{1}/" \ find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \ find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \ - find lib -name 'Atffile' -exec cp -uv '{}' "%{1}/{}" ';' \ find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ @@ -559,14 +580,6 @@ done cp -Tuav bin/tests "%{1}/bin/tests/" \ cp -uv version "%{1}" \ -%if %{with KYUA} -# Use system installed libatf-c library with kyua tool -ATF_PATH=/usr -%else -# Use bundled atf library with atf-run -ATF_PATH=yes -%endif - export CFLAGS="$CFLAGS $RPM_OPT_FLAGS" export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE" export STD_CDEFINES="$CPPFLAGS" @@ -592,11 +605,14 @@ export LIBDIR_SUFFIX --disable-static \ --includedir=%{_includedir}/bind9 \ --with-tuning=large \ + --with-libidn2 \ + --enable-openssl-hash \ %if %{with GEOIP} --with-geoip \ %endif - --with-libidn2 \ - --enable-openssl-hash \ +%if %{with GEOIP2} + --with-geoip2 \ +%endif %if %{with PKCS11} --enable-native-pkcs11 \ --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \ @@ -619,7 +635,7 @@ export LIBDIR_SUFFIX --with-lmdb=no \ %endif %if %{with UNITTEST} - --with-atf=${ATF_PATH} \ + --with-cmocka \ %endif --enable-fixed-rrset \ --with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \ @@ -642,16 +658,6 @@ pushd bin/python make man popd -%if ! %{with KYUA} -# Do not build atf again for export libs -ATF_PATH="`pwd`/unit/atf" - -# Atf libs are built. Prevent their installation -sed -i -e \ -'/^SUBDIRS =/s/atf-src//i' \ -unit/Makefile -%endif - %if %{with DLZ} pushd contrib/dlz pushd bin/dlzbdb @@ -690,7 +696,7 @@ export LIBDIR_SUFFIX --disable-isc-spnego \ %endif %if %{with UNITTEST} - --with-atf=${ATF_PATH} \ + --with-cmocka \ %endif --enable-fixed-rrset \ --disable-rpz-nsip \ @@ -714,10 +720,6 @@ sed -i -e \ "/^SUBDIRS =/s/.*/SUBDIRS = %{bind_export_libs}/i" \ lib/Makefile -sed -i -e \ -'/^SUBDIRS =/s/atf-src//i' \ -unit/Makefile - for lib in %{bind_export_libs} do find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \; @@ -731,11 +733,15 @@ popd # export library unit tests %unit_prepare_build export-libs -# Do not try pkcs11 and lwres in export libs -sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d' \ - -i export-libs/lib/Kyuafile -sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \ - -i export-libs/lib/Atffile +# Test just compiled libraries +for lib in %{bind_export_libs} +do + sed -e "s,^\s*include(.*${lib}/.*,-- use &," \ + -i export-libs/lib/Kyuafile +done + +sed -e "/^\s*include(/ d" -e 's/^-- use //' \ + -i export-libs/lib/Kyuafile ## End of export libs %endif @@ -769,68 +775,73 @@ sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \ %endif %if %{with SYSTEMTEST} -if [ "`whoami`" = 'root' ]; then +# Runs system test if ip addresses are already configured +# or it is able to configure them +if perl bin/tests/system/testsock.pl +then + CONFIGURED=already +else + CONFIGURED= + sh bin/tests/system/ifconfig.sh up + perl bin/tests/system/testsock.pl && CONFIGURED=build +fi +if [ -n "$CONFIGURED" ] +then set -e - chmod -R a+rwX . - pushd bin/tests - pushd system - ./ifconfig.sh up - popd - make test + pushd build/bin/tests + chown -R ${USER} . # Can be unknown user + make test %{?_smp_mflags} 2>&1 | tee test.log e=$? - pushd system - ./ifconfig.sh down - popd popd + [ "$CONFIGURED" = build ] && sh bin/tests/system/ifconfig.sh down if [ "$e" -ne 0 ]; then echo "ERROR: this build of BIND failed 'make test'. Aborting." exit $e; fi; else - echo 'only root can run the tests (they require an ifconfig).' + echo 'SKIPPED: tests require root, CAP_NET_ADMIN or already configured test addresses.' +fi %endif : %install # Build directory hierarchy -mkdir -p ${RPM_BUILD_ROOT}/etc/logrotate.d +mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/bind -mkdir -p ${RPM_BUILD_ROOT}/var/named/{slaves,data,dynamic} +mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named/{slaves,data,dynamic} mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8} mkdir -p ${RPM_BUILD_ROOT}/run/named -mkdir -p ${RPM_BUILD_ROOT}/var/log +mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log #chroot -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/{dev,etc,var,run/named} -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/var/{log,named,tmp} -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/crypto-policies/back-ends +for D in %{chroot_create_directories} +do + mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}${D} +done # create symlink as it is on real filesystem pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var ln -s ../run run popd -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/{pki/dnssec-keys,named} -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/%{_libdir}/bind # these are required to prevent them being erased during upgrade of previous -touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf +touch ${RPM_BUILD_ROOT}/%{chroot_prefix}%{_sysconfdir}/named.conf #end chroot #sdb-chroot %if %{with SDB} -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/{dev,etc,var,run/named} -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var/{log,named,tmp} -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/crypto-policies/back-ends +for D in %{chroot_create_directories} +do + mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}${D} +done # create symlink as it is on real filesystem -pushd ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var +pushd ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}%{_localstatedir} ln -s ../run run popd -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/{pki/dnssec-keys,named} -mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/%{_libdir}/bind # these are required to prevent them being erased during upgrade of previous -touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/named.conf +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}%{_sysconfdir}/named.conf %endif #end sdb-chroot @@ -934,7 +945,6 @@ install -m 644 %{SOURCE34} ${RPM_BUILD_ROOT}%{_mandir}/man1/zone2sqlite.1 pushd ${RPM_BUILD_ROOT}%{_mandir}/man8 ln -s named.8.gz named-pkcs11.8.gz ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz -ln -s dnssec-coverage.8.gz dnssec-coverage-pkcs11.8.gz ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz @@ -949,20 +959,28 @@ popd touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log # configuration files: -tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28} -install -m 640 %{SOURCE26} ${RPM_BUILD_ROOT}/etc/named.conf -touch ${RPM_BUILD_ROOT}/etc/rndc.key -touch ${RPM_BUILD_ROOT}/etc/rndc.conf -mkdir ${RPM_BUILD_ROOT}/etc/named -install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key +install -m 640 %{SOURCE16} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf +touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf} +install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key +install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key +mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named + +# data files: +mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named +install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca +install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost +install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback +install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty +install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones # sample bind configuration files for %%doc: mkdir -p sample/etc sample/var/named/{data,slaves} install -m 644 %{SOURCE25} sample/etc/named.conf # Copy default configuration to %%doc to make it usable from system-config-bind -install -m 644 %{SOURCE26} named.conf.default -install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones -install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty} sample/var/named +install -m 644 %{SOURCE16} named.conf.default +install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones +install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20} sample/var/named +install -m 644 %{SOURCE17} sample/var/named/named.ca for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do echo '@ in soa localhost. root 1 3H 15M 1W 1D ns localhost.' > sample/var/named/$f; @@ -1210,9 +1228,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %files libs -%{_libdir}/libbind9.so.160* -%{_libdir}/libisccc.so.160* -%{_libdir}/liblwres.so.160* +%{_libdir}/libbind9.so.161* +%{_libdir}/libisccc.so.161* +%{_libdir}/liblwres.so.161* %files libs-lite %{_libdir}/libdns.so.%{sover_dns}* @@ -1310,27 +1328,28 @@ rm -rf ${RPM_BUILD_ROOT} %defattr(0640,root,named,0750) %dir %{chroot_prefix} %dir %{chroot_prefix}/dev -%dir %{chroot_prefix}/etc -%dir %{chroot_prefix}/etc/named -%dir %{chroot_prefix}/etc/pki -%dir %{chroot_prefix}/etc/pki/dnssec-keys -%dir %{chroot_prefix}/etc/crypto-policies -%dir %{chroot_prefix}/etc/crypto-policies/back-ends -%dir %{chroot_prefix}/var +%dir %{chroot_prefix}%{_sysconfdir} +%dir %{chroot_prefix}%{_sysconfdir}/named +%dir %{chroot_prefix}%{_sysconfdir}/pki +%dir %{chroot_prefix}%{_sysconfdir}/pki/dnssec-keys +%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies +%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies/back-ends +%dir %{chroot_prefix}%{_localstatedir} %dir %{chroot_prefix}/run -%ghost %config(noreplace) %{chroot_prefix}/etc/named.conf +%ghost %config(noreplace) %{chroot_prefix}%{_sysconfdir}/named.conf %defattr(-,root,root,-) %dir %{chroot_prefix}/usr %dir %{chroot_prefix}/%{_libdir} %dir %{chroot_prefix}/%{_libdir}/bind +%dir %{chroot_prefix}/%{_datadir}/GeoIP %defattr(0660,root,named,01770) -%dir %{chroot_prefix}/var/named +%dir %{chroot_prefix}%{_localstatedir}/named %defattr(0660,named,named,0770) -%dir %{chroot_prefix}/var/tmp -%dir %{chroot_prefix}/var/log +%dir %{chroot_prefix}%{_localstatedir}/tmp +%dir %{chroot_prefix}%{_localstatedir}/log %defattr(-,named,named,-) %dir %{chroot_prefix}/run/named -%{chroot_prefix}/var/run +%{chroot_prefix}%{_localstatedir}/run %if %{with SDB} %files sdb-chroot @@ -1346,27 +1365,28 @@ rm -rf ${RPM_BUILD_ROOT} %defattr(0640,root,named,0750) %dir %{chroot_sdb_prefix} %dir %{chroot_sdb_prefix}/dev -%dir %{chroot_sdb_prefix}/etc -%dir %{chroot_sdb_prefix}/etc/named -%dir %{chroot_sdb_prefix}/etc/pki -%dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys -%dir %{chroot_sdb_prefix}/etc/crypto-policies -%dir %{chroot_sdb_prefix}/etc/crypto-policies/back-ends -%dir %{chroot_sdb_prefix}/var +%dir %{chroot_sdb_prefix}%{_sysconfdir} +%dir %{chroot_sdb_prefix}%{_sysconfdir}/named +%dir %{chroot_sdb_prefix}%{_sysconfdir}/pki +%dir %{chroot_sdb_prefix}%{_sysconfdir}/pki/dnssec-keys +%dir %{chroot_sdb_prefix}%{_sysconfdir}/crypto-policies +%dir %{chroot_sdb_prefix}%{_sysconfdir}/crypto-policies/back-ends +%dir %{chroot_sdb_prefix}%{_localstatedir} %dir %{chroot_sdb_prefix}/run -%ghost %config(noreplace) %{chroot_sdb_prefix}/etc/named.conf +%ghost %config(noreplace) %{chroot_sdb_prefix}%{_sysconfdir}/named.conf %defattr(0660,root,named,01770) -%dir %{chroot_sdb_prefix}/var/named +%dir %{chroot_sdb_prefix}%{_localstatedir}/named %defattr(-,root,root,-) %dir %{chroot_sdb_prefix}/usr %dir %{chroot_sdb_prefix}/%{_libdir} %dir %{chroot_sdb_prefix}/%{_libdir}/bind +%dir %{chroot_sdb_prefix}/%{_datadir}/GeoIP %defattr(0660,named,named,0770) -%dir %{chroot_sdb_prefix}/var/tmp -%dir %{chroot_sdb_prefix}/var/log +%dir %{chroot_sdb_prefix}%{_localstatedir}/tmp +%dir %{chroot_sdb_prefix}%{_localstatedir}/log %defattr(-,named,named,-) %dir %{chroot_sdb_prefix}/run/named -%{chroot_sdb_prefix}/var/run +%{chroot_sdb_prefix}%{_localstatedir}/run %endif %if %{with PKCS11} @@ -1384,6 +1404,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_sbindir}/pkcs11-tokens %{_mandir}/man8/pkcs11*.8* %{_mandir}/man8/dnssec*-pkcs11.8* +%{_mandir}/man8/dnssec*.8* +%exclude %{_mandir}/man8/dnssec-coverage.8* +%exclude %{_mandir}/man8/dnssec-keymgr.8* %files pkcs11-libs %{_libdir}/libdns-pkcs11.so.%{sover_dns}* @@ -1463,6 +1486,42 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Thu Feb 27 2020 Miroslav Lichvar - 32:9.11.13-3 +- Fix rwlock to be thread-safe (#1740511) + +* Tue Jan 14 2020 Petr Menšík - 32:9.11.13-2 +- Release GeoIP data on reload (#1790879) + +* Tue Nov 19 2019 Petr Menšík - 32:9.11.13-1 +- Update to 9.11.13 + +* Tue Nov 19 2019 Petr Menšík - 32:9.11.12-5 +- Report failures on systemctl reload (#1739428) + +* Mon Nov 18 2019 Pavel Zhukov - 32:9.11.12-4 +- dhcp: Use monotonic time for detecting time jumps if available (#1729211) + +* Fri Nov 15 2019 Petr Menšík - 32:9.11.12-3 +- Backported serve-stale feature (#1664863) + +* Thu Nov 07 2019 Petr Menšík - 32:9.11.12-2 +- Add GeoLite2 support (#1564443) +- Add GeoIP to bind-chroot (#1497646) +- Fix wrong default GeoIP directory (#1768258) + +* Mon Oct 21 2019 Petr Menšík - 32:9.11.12-1 +- Update to 9.11.12 (#1557762) + +* Wed Sep 25 2019 Petr Menšík - 32:9.11.11-1 +- Update to 9.11.11 + +* Tue Aug 27 2019 Petr Menšík - 32:9.11.10-1 +- Update to 9.11.10 +- Share pkcs11-utils and dnssec-utils manuals instead of recommend + +* Thu Aug 08 2019 Petr Menšík - 32:9.11.7-1 +- Update to 9.11.7 + * Thu Aug 08 2019 Petr Menšík - 32:9.11.4-26.P2 - Permit explicit disabling of RSAMD5 in FIPS mode (#1737407)