diff options
| author | erwin <erwin@FreeBSD.org> | 2012-12-07 12:39:58 +0000 |
|---|---|---|
| committer | erwin <erwin@FreeBSD.org> | 2012-12-07 12:39:58 +0000 |
| commit | 5d8c8fc50b9836a3c4a9d975721d7682dd286965 (patch) | |
| tree | c3abb28c9e8cb3396d1d00b0af4f9a474adaf5f5 /contrib/bind9/lib | |
| parent | d4467dc03357aa391339c667b9bce1af3f0455d9 (diff) | |
| parent | 4d1484242d381404f6b827320dad3260370137c8 (diff) | |
| download | FreeBSD-src-5d8c8fc50b9836a3c4a9d975721d7682dd286965.zip FreeBSD-src-5d8c8fc50b9836a3c4a9d975721d7682dd286965.tar.gz | |
Update to 9.8.4-P1.
Security Fixes
Prevents named from aborting with a require assertion failure
on servers with DNS64 enabled. These crashes might occur as a
result of specific queries that are received.
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Feature Changes
* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get
an answer. [RT #29492]
Other critical bug fixes are included.
Approved by: delphij (mentor)
MFC after: 3 days
Security: CVE-2012-5688
Sponsored by: DK Hostmaster A/S
Diffstat (limited to 'contrib/bind9/lib')
134 files changed, 1811 insertions, 484 deletions
diff --git a/contrib/bind9/lib/Makefile.in b/contrib/bind9/lib/Makefile.in index e46aef2..e3f0bdb 100644 --- a/contrib/bind9/lib/Makefile.in +++ b/contrib/bind9/lib/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001, 2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/bind9/Makefile.in b/contrib/bind9/lib/bind9/Makefile.in index 35c4022..73285e1 100644 --- a/contrib/bind9/lib/bind9/Makefile.in +++ b/contrib/bind9/lib/bind9/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/bind9/api b/contrib/bind9/lib/bind9/api index 089e782..7e9b115 100644 --- a/contrib/bind9/lib/bind9/api +++ b/contrib/bind9/lib/bind9/api @@ -4,5 +4,5 @@ # 9.8: 80-89 # 9.9: 90-109 LIBINTERFACE = 80 -LIBREVISION = 5 +LIBREVISION = 7 LIBAGE = 0 diff --git a/contrib/bind9/lib/bind9/check.c b/contrib/bind9/lib/bind9/check.c index 26eaa1a..f765604 100644 --- a/contrib/bind9/lib/bind9/check.c +++ b/contrib/bind9/lib/bind9/check.c @@ -287,10 +287,6 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) { tresult = dns_secalg_fromtext(&alg, &r); if (tresult != ISC_R_SUCCESS) { - isc_uint8_t ui; - result = isc_parse_uint8(&ui, r.base, 10); - } - if (tresult != ISC_R_SUCCESS) { cfg_obj_log(cfg_listelt_value(element), logctx, ISC_LOG_ERROR, "invalid algorithm '%s'", r.base); @@ -1259,6 +1255,29 @@ typedef struct { } optionstable; static isc_result_t +check_nonzero(const cfg_obj_t *options, isc_log_t *logctx) { + isc_result_t result = ISC_R_SUCCESS; + const cfg_obj_t *obj = NULL; + unsigned int i; + + static const char *nonzero[] = { "max-retry-time", "min-retry-time", + "max-refresh-time", "min-refresh-time" }; + /* + * Check if value is zero. + */ + for (i = 0; i < sizeof(nonzero) / sizeof(nonzero[0]); i++) { + obj = NULL; + if (cfg_map_get(options, nonzero[i], &obj) == ISC_R_SUCCESS && + cfg_obj_asuint32(obj) == 0) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "'%s' must not be zero", nonzero[i]); + result = ISC_R_FAILURE; + } + } + return (result); +} + +static isc_result_t check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, const cfg_obj_t *config, isc_symtab_t *symtab, dns_rdataclass_t defclass, cfg_aclconfctx_t *actx, @@ -1267,7 +1286,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, const char *znamestr; const char *typestr; unsigned int ztype; - const cfg_obj_t *zoptions; + const cfg_obj_t *zoptions, *goptions = NULL; const cfg_obj_t *obj = NULL; isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult; @@ -1288,8 +1307,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, { "also-notify", MASTERZONE | SLAVEZONE }, { "dialup", MASTERZONE | SLAVEZONE | STUBZONE }, { "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE }, - { "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE }, - { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE }, + { "forward", MASTERZONE | SLAVEZONE | STUBZONE | + STATICSTUBZONE | FORWARDZONE }, + { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | + STATICSTUBZONE | FORWARDZONE }, { "maintain-ixfr-base", MASTERZONE | SLAVEZONE }, { "max-ixfr-log-size", MASTERZONE | SLAVEZONE }, { "notify-source", MASTERZONE | SLAVEZONE }, @@ -1345,10 +1366,14 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, { "passive", SLAVEZONE | STUBZONE }, }; + znamestr = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); zoptions = cfg_tuple_get(zconfig, "options"); + if (config != NULL) + cfg_map_get(config, "options", &goptions); + obj = NULL; (void)cfg_map_get(zoptions, "type", &obj); if (obj == NULL) { @@ -1430,6 +1455,12 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, } /* + * Check if value is zero. + */ + if (check_nonzero(zoptions, logctx) != ISC_R_SUCCESS) + result = ISC_R_FAILURE; + + /* * Look for inappropriate options for the given zone type. * Check that ACLs expand correctly. */ @@ -2170,6 +2201,14 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, } /* + * Check non-zero options at the global and view levels. + */ + if (options != NULL && check_nonzero(options, logctx) != ISC_R_SUCCESS) + result = ISC_R_FAILURE; + if (voptions != NULL &&check_nonzero(voptions, logctx) != ISC_R_SUCCESS) + result = ISC_R_FAILURE; + + /* * Check that dual-stack-servers is reasonable. */ if (voptions == NULL) { @@ -2196,15 +2235,15 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, tresult = isc_symtab_create(mctx, 1000, freekey, mctx, ISC_FALSE, &symtab); if (tresult != ISC_R_SUCCESS) - return (ISC_R_NOMEMORY); + goto cleanup; (void)cfg_map_get(config, "key", &keys); tresult = check_keylist(keys, symtab, mctx, logctx); if (tresult == ISC_R_EXISTS) result = ISC_R_FAILURE; else if (tresult != ISC_R_SUCCESS) { - isc_symtab_destroy(&symtab); - return (tresult); + result = tresult; + goto cleanup; } if (voptions != NULL) { @@ -2214,8 +2253,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, if (tresult == ISC_R_EXISTS) result = ISC_R_FAILURE; else if (tresult != ISC_R_SUCCESS) { - isc_symtab_destroy(&symtab); - return (tresult); + result = tresult; + goto cleanup; } } @@ -2336,7 +2375,11 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, if (tresult != ISC_R_SUCCESS) result = tresult; - cfg_aclconfctx_detach(&actx); + cleanup: + if (symtab != NULL) + isc_symtab_destroy(&symtab); + if (actx != NULL) + cfg_aclconfctx_detach(&actx); return (result); } diff --git a/contrib/bind9/lib/bind9/include/Makefile.in b/contrib/bind9/lib/bind9/include/Makefile.in index 65eecb0..0a7436c 100644 --- a/contrib/bind9/lib/bind9/include/Makefile.in +++ b/contrib/bind9/lib/bind9/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/bind9/include/bind9/Makefile.in b/contrib/bind9/lib/bind9/include/bind9/Makefile.in index 8abfaf6..11ae586 100644 --- a/contrib/bind9/lib/bind9/include/bind9/Makefile.in +++ b/contrib/bind9/lib/bind9/include/bind9/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/dns/Makefile.in b/contrib/bind9/lib/dns/Makefile.in index cfaf775..a01bb41 100644 --- a/contrib/bind9/lib/dns/Makefile.in +++ b/contrib/bind9/lib/dns/Makefile.in @@ -47,7 +47,8 @@ LIBS = @LIBS@ # Alphabetically OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \ - opensslgost_link.@O@ opensslrsa_link.@O@ + opensslecdsa_link.@O@ opensslgost_link.@O@ \ + opensslrsa_link.@O@ DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \ dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \ @@ -76,7 +77,7 @@ OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} # Alphabetically OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \ - opensslgost_link.c opensslrsa_link.c + opensslecdsa_link.c opensslgost_link.c opensslrsa_link.c DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \ dst_api.c dst_lib.c dst_parse.c \ diff --git a/contrib/bind9/lib/dns/adb.c b/contrib/bind9/lib/dns/adb.c index 1dba252..531d112 100644 --- a/contrib/bind9/lib/dns/adb.c +++ b/contrib/bind9/lib/dns/adb.c @@ -111,6 +111,7 @@ struct dns_adb { isc_taskmgr_t *taskmgr; isc_task_t *task; + isc_task_t *excl; isc_interval_t tick_interval; int next_cleanbucket; @@ -1627,10 +1628,12 @@ new_adbname(dns_adb_t *adb, dns_name_t *dnsname) { LOCK(&adb->namescntlock); adb->namescnt++; - if (!adb->grownames_sent && adb->namescnt > (adb->nnames * 8)) { + if (!adb->grownames_sent && adb->excl != NULL && + adb->namescnt > (adb->nnames * 8)) + { isc_event_t *event = &adb->grownames; inc_adb_irefcnt(adb); - isc_task_send(adb->task, &event); + isc_task_send(adb->excl, &event); adb->grownames_sent = ISC_TRUE; } UNLOCK(&adb->namescntlock); @@ -1751,8 +1754,9 @@ new_adbentry(dns_adb_t *adb) { ISC_LINK_INIT(e, plink); LOCK(&adb->entriescntlock); adb->entriescnt++; - if (!adb->growentries_sent && - adb->entriescnt > (adb->nentries * 8)) { + if (!adb->growentries_sent && adb->growentries_sent && + adb->entriescnt > (adb->nentries * 8)) + { isc_event_t *event = &adb->growentries; inc_adb_irefcnt(adb); isc_task_send(adb->task, &event); @@ -2327,6 +2331,7 @@ destroy(dns_adb_t *adb) { adb->magic = 0; isc_task_detach(&adb->task); + isc_task_detach(&adb->excl); isc_mempool_destroy(&adb->nmp); isc_mempool_destroy(&adb->nhmp); @@ -2410,6 +2415,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr, adb->aimp = NULL; adb->afmp = NULL; adb->task = NULL; + adb->excl = NULL; adb->mctx = NULL; adb->view = view; adb->taskmgr = taskmgr; @@ -2445,6 +2451,16 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr, adb, NULL, NULL); adb->grownames_sent = ISC_FALSE; + result = isc_taskmgr_excltask(adb->taskmgr, &adb->excl); + if (result != ISC_R_SUCCESS) { + DP(ISC_LOG_INFO, "adb: task-exclusive mode unavailable, " + "intializing table sizes to %u\n", + nbuckets[11]); + adb->nentries = nbuckets[11]; + adb->nnames= nbuckets[11]; + + } + isc_mem_attach(mem, &adb->mctx); result = isc_mutex_init(&adb->lock); @@ -2557,6 +2573,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr, result = isc_task_create(adb->taskmgr, 0, &adb->task); if (result != ISC_R_SUCCESS) goto fail3; + isc_task_setname(adb->task, "ADB", adb); /* @@ -3904,8 +3921,10 @@ dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr, addr->entry->srtt = new_srtt; addr->srtt = new_srtt; - isc_stdtime_get(&now); - addr->entry->expires = now + ADB_ENTRY_WINDOW; + if (addr->entry->expires == 0) { + isc_stdtime_get(&now); + addr->entry->expires = now + ADB_ENTRY_WINDOW; + } UNLOCK(&adb->entrylocks[bucket]); } @@ -3915,6 +3934,7 @@ dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int bits, unsigned int mask) { int bucket; + isc_stdtime_t now; REQUIRE(DNS_ADB_VALID(adb)); REQUIRE(DNS_ADBADDRINFO_VALID(addr)); @@ -3923,6 +3943,11 @@ dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr, LOCK(&adb->entrylocks[bucket]); addr->entry->flags = (addr->entry->flags & ~mask) | (bits & mask); + if (addr->entry->expires == 0) { + isc_stdtime_get(&now); + addr->entry->expires = now + ADB_ENTRY_WINDOW; + } + /* * Note that we do not update the other bits in addr->flags with * the most recent values from addr->entry->flags. @@ -4001,15 +4026,16 @@ dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp) { entry = addr->entry; REQUIRE(DNS_ADBENTRY_VALID(entry)); - isc_stdtime_get(&now); - *addrp = NULL; overmem = isc_mem_isovermem(adb->mctx); bucket = addr->entry->lock_bucket; LOCK(&adb->entrylocks[bucket]); - entry->expires = now + ADB_ENTRY_WINDOW; + if (entry->expires == 0) { + isc_stdtime_get(&now); + entry->expires = now + ADB_ENTRY_WINDOW; + } want_check_exit = dec_entry_refcnt(adb, overmem, entry, ISC_FALSE); diff --git a/contrib/bind9/lib/dns/api b/contrib/bind9/lib/dns/api index 9e783a5..325781a 100644 --- a/contrib/bind9/lib/dns/api +++ b/contrib/bind9/lib/dns/api @@ -3,6 +3,6 @@ # 9.7: 60-79 # 9.8: 80-89 # 9.9: 90-109 -LIBINTERFACE = 87 +LIBINTERFACE = 89 LIBREVISION = 1 -LIBAGE = 6 +LIBAGE = 1 diff --git a/contrib/bind9/lib/dns/db.c b/contrib/bind9/lib/dns/db.c index 1252c81..0cf2c27 100644 --- a/contrib/bind9/lib/dns/db.c +++ b/contrib/bind9/lib/dns/db.c @@ -952,14 +952,13 @@ dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st) (db->methods->rpz_enabled)(db, st); } -isc_result_t +void dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, dns_rdataset_t *ardataset, dns_rpz_st_t *st, dns_name_t *query_qname) { - if (db->methods->rpz_findips == NULL) - return (ISC_R_NOTIMPLEMENTED); - return ((db->methods->rpz_findips)(rpz, rpz_type, zone, db, version, - ardataset, st, query_qname)); + if (db->methods->rpz_findips != NULL) + (db->methods->rpz_findips)(rpz, rpz_type, zone, db, version, + ardataset, st, query_qname); } diff --git a/contrib/bind9/lib/dns/dnssec.c b/contrib/bind9/lib/dns/dnssec.c index b72e82d..3569ad7 100644 --- a/contrib/bind9/lib/dns/dnssec.c +++ b/contrib/bind9/lib/dns/dnssec.c @@ -44,10 +44,13 @@ #include <dns/rdataset.h> #include <dns/rdatastruct.h> #include <dns/result.h> +#include <dns/stats.h> #include <dns/tsig.h> /* for DNS_TSIG_FUDGE */ #include <dst/result.h> +LIBDNS_EXTERNAL_DATA isc_stats_t *dns_dnssec_stats; + #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR) #define RETERR(x) do { \ @@ -77,6 +80,12 @@ digest_callback(void *arg, isc_region_t *data) { return (dst_context_adddata(ctx, data)); } +static inline void +inc_stat(isc_statscounter_t counter) { + if (dns_dnssec_stats != NULL) + isc_stats_increment(dns_dnssec_stats, counter); +} + /* * Make qsort happy. */ @@ -153,7 +162,9 @@ dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx, } static isc_result_t -digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_rrsig_t *sig) { +digest_sig(dst_context_t *ctx, isc_boolean_t downcase, dns_rdata_t *sigrdata, + dns_rdata_rrsig_t *rrsig) +{ isc_region_t r; isc_result_t ret; dns_fixedname_t fname; @@ -165,11 +176,16 @@ digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_rrsig_t *sig) { ret = dst_context_adddata(ctx, &r); if (ret != ISC_R_SUCCESS) return (ret); - dns_fixedname_init(&fname); - RUNTIME_CHECK(dns_name_downcase(&sig->signer, - dns_fixedname_name(&fname), NULL) - == ISC_R_SUCCESS); - dns_name_toregion(dns_fixedname_name(&fname), &r); + if (downcase) { + dns_fixedname_init(&fname); + + RUNTIME_CHECK(dns_name_downcase(&rrsig->signer, + dns_fixedname_name(&fname), + NULL) == ISC_R_SUCCESS); + dns_name_toregion(dns_fixedname_name(&fname), &r); + } else + dns_name_toregion(&rrsig->signer, &r); + return (dst_context_adddata(ctx, &r)); } @@ -191,6 +207,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_uint32_t flags; unsigned int sigsize; dns_fixedname_t fnewname; + dns_fixedname_t fsigner; REQUIRE(name != NULL); REQUIRE(dns_name_countlabels(name) <= 255); @@ -218,8 +235,14 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, sig.common.rdtype = dns_rdatatype_rrsig; ISC_LINK_INIT(&sig.common, link); + /* + * Downcase signer. + */ dns_name_init(&sig.signer, NULL); - dns_name_clone(dst_key_name(key), &sig.signer); + dns_fixedname_init(&fsigner); + RUNTIME_CHECK(dns_name_downcase(dst_key_name(key), + dns_fixedname_name(&fsigner), NULL) == ISC_R_SUCCESS); + dns_name_clone(dns_fixedname_name(&fsigner), &sig.signer); sig.covered = set->type; sig.algorithm = dst_key_alg(key); @@ -259,7 +282,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, /* * Digest the SIG rdata. */ - ret = digest_sig(ctx, &tmpsigrdata, &sig); + ret = digest_sig(ctx, ISC_FALSE, &tmpsigrdata, &sig); if (ret != ISC_R_SUCCESS) goto cleanup_context; @@ -332,7 +355,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, memcpy(sig.signature, r.base, sig.siglen); ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass, - sig.common.rdtype, &sig, buffer); + sig.common.rdtype, &sig, buffer); cleanup_array: isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t)); @@ -363,6 +386,7 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, dst_context_t *ctx = NULL; int labels = 0; isc_uint32_t flags; + isc_boolean_t downcase = ISC_FALSE; REQUIRE(name != NULL); REQUIRE(set != NULL); @@ -377,8 +401,10 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, if (set->type != sig.covered) return (DNS_R_SIGINVALID); - if (isc_serial_lt(sig.timeexpire, sig.timesigned)) + if (isc_serial_lt(sig.timeexpire, sig.timesigned)) { + inc_stat(dns_dnssecstats_fail); return (DNS_R_SIGINVALID); + } if (!ignoretime) { isc_stdtime_get(&now); @@ -386,10 +412,13 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, /* * Is SIG temporally valid? */ - if (isc_serial_lt((isc_uint32_t)now, sig.timesigned)) + if (isc_serial_lt((isc_uint32_t)now, sig.timesigned)) { + inc_stat(dns_dnssecstats_fail); return (DNS_R_SIGFUTURE); - else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now)) + } else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now)) { + inc_stat(dns_dnssecstats_fail); return (DNS_R_SIGEXPIRED); + } } /* @@ -400,16 +429,22 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, case dns_rdatatype_ns: case dns_rdatatype_soa: case dns_rdatatype_dnskey: - if (!dns_name_equal(name, &sig.signer)) + if (!dns_name_equal(name, &sig.signer)) { + inc_stat(dns_dnssecstats_fail); return (DNS_R_SIGINVALID); + } break; case dns_rdatatype_ds: - if (dns_name_equal(name, &sig.signer)) + if (dns_name_equal(name, &sig.signer)) { + inc_stat(dns_dnssecstats_fail); return (DNS_R_SIGINVALID); + } /* FALLTHROUGH */ default: - if (!dns_name_issubdomain(name, &sig.signer)) + if (!dns_name_issubdomain(name, &sig.signer)) { + inc_stat(dns_dnssecstats_fail); return (DNS_R_SIGINVALID); + } break; } @@ -417,11 +452,16 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, * Is the key allowed to sign data? */ flags = dst_key_flags(key); - if (flags & DNS_KEYTYPE_NOAUTH) + if (flags & DNS_KEYTYPE_NOAUTH) { + inc_stat(dns_dnssecstats_fail); return (DNS_R_KEYUNAUTHORIZED); - if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) + } + if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) { + inc_stat(dns_dnssecstats_fail); return (DNS_R_KEYUNAUTHORIZED); + } + again: ret = dst_context_create(key, mctx, &ctx); if (ret != ISC_R_SUCCESS) goto cleanup_struct; @@ -429,7 +469,7 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, /* * Digest the SIG rdata (not including the signature). */ - ret = digest_sig(ctx, sigrdata, &sig); + ret = digest_sig(ctx, downcase, sigrdata, &sig); if (ret != ISC_R_SUCCESS) goto cleanup_context; @@ -508,21 +548,40 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, r.base = sig.signature; r.length = sig.siglen; ret = dst_context_verify(ctx, &r); - if (ret == DST_R_VERIFYFAILURE) - ret = DNS_R_SIGINVALID; + if (ret == ISC_R_SUCCESS && downcase) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(&sig.signer, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO, + "sucessfully validated after lower casing " + "signer '%s'", namebuf); + inc_stat(dns_dnssecstats_downcase); + } else if (ret == ISC_R_SUCCESS) + inc_stat(dns_dnssecstats_asis); cleanup_array: isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t)); cleanup_context: dst_context_destroy(&ctx); + if (ret == DST_R_VERIFYFAILURE && !downcase) { + downcase = ISC_TRUE; + goto again; + } cleanup_struct: dns_rdata_freestruct(&sig); + if (ret == DST_R_VERIFYFAILURE) + ret = DNS_R_SIGINVALID; + + if (ret != ISC_R_SUCCESS) + inc_stat(dns_dnssecstats_fail); + if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) { if (wild != NULL) RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, dns_fixedname_name(&fnewname), wild, NULL) == ISC_R_SUCCESS); + inc_stat(dns_dnssecstats_wildcard); ret = DNS_R_FROMWILDCARD; } return (ret); @@ -1325,11 +1384,12 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory, * the keys in the keyset, regardless of whether they have * metadata indicating they should be deactivated or removed. */ -static void +static isc_result_t addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey, isc_boolean_t savekeys, isc_mem_t *mctx) { dns_dnsseckey_t *key; + isc_result_t result; /* Skip duplicates */ for (key = ISC_LIST_HEAD(*keylist); @@ -1357,10 +1417,12 @@ addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey, } key->source = dns_keysource_zoneapex; - return; + return (ISC_R_SUCCESS); } - dns_dnsseckey_create(mctx, newkey, &key); + result = dns_dnsseckey_create(mctx, newkey, &key); + if (result != ISC_R_SUCCESS) + return (result); if (key->legacy || savekeys) { key->force_publish = ISC_TRUE; key->force_sign = dst_key_isprivate(key->key); @@ -1368,6 +1430,7 @@ addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey, key->source = dns_keysource_zoneapex; ISC_LIST_APPEND(*keylist, key, link); *newkey = NULL; + return (ISC_R_SUCCESS); } @@ -1457,7 +1520,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin, goto skip; if (public) { - addkey(keylist, &pubkey, savekeys, mctx); + RETERR(addkey(keylist, &pubkey, savekeys, mctx)); goto skip; } @@ -1510,7 +1573,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin, } if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) { - addkey(keylist, &pubkey, savekeys, mctx); + RETERR(addkey(keylist, &pubkey, savekeys, mctx)); goto skip; } RETERR(result); @@ -1519,7 +1582,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin, if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) goto skip; - addkey(keylist, &privkey, savekeys, mctx); + RETERR(addkey(keylist, &privkey, savekeys, mctx)); skip: if (pubkey != NULL) dst_key_free(&pubkey); diff --git a/contrib/bind9/lib/dns/ds.c b/contrib/bind9/lib/dns/ds.c index 3c74d1d..e72ecbb 100644 --- a/contrib/bind9/lib/dns/ds.c +++ b/contrib/bind9/lib/dns/ds.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2002, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -52,12 +52,13 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, { dns_fixedname_t fname; dns_name_t *name; - unsigned char digest[ISC_SHA256_DIGESTLENGTH]; + unsigned char digest[ISC_SHA384_DIGESTLENGTH]; isc_region_t r; isc_buffer_t b; dns_rdata_ds_t ds; isc_sha1_t sha1; isc_sha256_t sha256; + isc_sha384_t sha384; #ifdef HAVE_OPENSSL_GOST EVP_MD_CTX ctx; const EVP_MD *md; @@ -86,17 +87,18 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, isc_sha1_update(&sha1, r.base, r.length); isc_sha1_final(&sha1, digest); break; + #ifdef HAVE_OPENSSL_GOST #define CHECK(x) \ if ((x) != 1) { \ EVP_MD_CTX_cleanup(&ctx); \ - return (DST_R_OPENSSLFAILURE); \ + return (DST_R_CRYPTOFAILURE); \ } case DNS_DSDIGEST_GOST: md = EVP_gost(); if (md == NULL) - return (DST_R_OPENSSLFAILURE); + return (DST_R_CRYPTOFAILURE); EVP_MD_CTX_init(&ctx); CHECK(EVP_DigestInit(&ctx, md)); dns_name_toregion(name, &r); @@ -111,6 +113,18 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, CHECK(EVP_DigestFinal(&ctx, digest, NULL)); break; #endif + + case DNS_DSDIGEST_SHA384: + isc_sha384_init(&sha384); + dns_name_toregion(name, &r); + isc_sha384_update(&sha384, r.base, r.length); + dns_rdata_toregion(key, &r); + INSIST(r.length >= 4); + isc_sha384_update(&sha384, r.base, r.length); + isc_sha384_final(digest, &sha384); + break; + + case DNS_DSDIGEST_SHA256: default: isc_sha256_init(&sha256); dns_name_toregion(name, &r); @@ -132,11 +146,18 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, case DNS_DSDIGEST_SHA1: ds.length = ISC_SHA1_DIGESTLENGTH; break; + #ifdef HAVE_OPENSSL_GOST case DNS_DSDIGEST_GOST: ds.length = ISC_GOST_DIGESTLENGTH; break; #endif + + case DNS_DSDIGEST_SHA384: + ds.length = ISC_SHA384_DIGESTLENGTH; + break; + + case DNS_DSDIGEST_SHA256: default: ds.length = ISC_SHA256_DIGESTLENGTH; break; @@ -152,9 +173,11 @@ dns_ds_digest_supported(unsigned int digest_type) { #ifdef HAVE_OPENSSL_GOST return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 || digest_type == DNS_DSDIGEST_SHA256 || - digest_type == DNS_DSDIGEST_GOST)); + digest_type == DNS_DSDIGEST_GOST || + digest_type == DNS_DSDIGEST_SHA384)); #else return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 || - digest_type == DNS_DSDIGEST_SHA256)); + digest_type == DNS_DSDIGEST_SHA256 || + digest_type == DNS_DSDIGEST_SHA384)); #endif } diff --git a/contrib/bind9/lib/dns/dst_api.c b/contrib/bind9/lib/dns/dst_api.c index a14b268..f5dd89a 100644 --- a/contrib/bind9/lib/dns/dst_api.c +++ b/contrib/bind9/lib/dns/dst_api.c @@ -56,6 +56,7 @@ #include <isc/string.h> #include <isc/time.h> #include <isc/util.h> +#include <isc/file.h> #include <dns/fixedname.h> #include <dns/keyvalues.h> @@ -226,6 +227,10 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, #ifdef HAVE_OPENSSL_GOST RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST])); #endif +#ifdef HAVE_OPENSSL_ECDSA + RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); + RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); +#endif #endif /* OPENSSL */ #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); @@ -1110,6 +1115,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { case DST_ALG_ECCGOST: *n = DNS_SIG_GOSTSIGSIZE; break; + case DST_ALG_ECDSA256: + *n = DNS_SIG_ECDSA256SIZE; + break; + case DST_ALG_ECDSA384: + *n = DNS_SIG_ECDSA384SIZE; + break; case DST_ALG_HMACMD5: *n = 16; break; @@ -1415,6 +1426,8 @@ issymmetric(const dst_key_t *key) { case DST_ALG_NSEC3DSA: case DST_ALG_DH: case DST_ALG_ECCGOST: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: return (ISC_FALSE); case DST_ALG_HMACMD5: case DST_ALG_GSSAPI: @@ -1691,7 +1704,8 @@ algorithm_status(unsigned int alg) { alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA || alg == DST_ALG_NSEC3RSASHA1 || alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 || - alg == DST_ALG_ECCGOST) + alg == DST_ALG_ECCGOST || + alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384) return (DST_R_NOCRYPTO); #endif return (DST_R_UNSUPPORTEDALG); diff --git a/contrib/bind9/lib/dns/dst_internal.h b/contrib/bind9/lib/dns/dst_internal.h index d9f6ac8..2f4f946 100644 --- a/contrib/bind9/lib/dns/dst_internal.h +++ b/contrib/bind9/lib/dns/dst_internal.h @@ -217,6 +217,9 @@ isc_result_t dst__gssapi_init(struct dst_func **funcp); #ifdef HAVE_OPENSSL_GOST isc_result_t dst__opensslgost_init(struct dst_func **funcp); #endif +#ifdef HAVE_OPENSSL_ECDSA +isc_result_t dst__opensslecdsa_init(struct dst_func **funcp); +#endif /*% * Destructors diff --git a/contrib/bind9/lib/dns/dst_openssl.h b/contrib/bind9/lib/dns/dst_openssl.h index 7237a5e..a30fd6a 100644 --- a/contrib/bind9/lib/dns/dst_openssl.h +++ b/contrib/bind9/lib/dns/dst_openssl.h @@ -39,6 +39,9 @@ ISC_LANG_BEGINDECLS isc_result_t dst__openssl_toresult(isc_result_t fallback); +isc_result_t +dst__openssl_toresult2(const char *funcname, isc_result_t fallback); + #ifdef USE_ENGINE ENGINE * dst__openssl_getengine(const char *engine); diff --git a/contrib/bind9/lib/dns/dst_parse.c b/contrib/bind9/lib/dns/dst_parse.c index 8e9efbd..95896c4 100644 --- a/contrib/bind9/lib/dns/dst_parse.c +++ b/contrib/bind9/lib/dns/dst_parse.c @@ -44,8 +44,10 @@ #include <isc/stdtime.h> #include <isc/string.h> #include <isc/util.h> +#include <isc/file.h> #include <dns/time.h> +#include <dns/log.h> #include "dst_internal.h" #include "dst_parse.h" @@ -106,6 +108,8 @@ static struct parse_map map[] = { {TAG_GOST_PRIVASN1, "GostAsn1:"}, + {TAG_ECDSA_PRIVATEKEY, "PrivateKey:"}, + {TAG_HMACMD5_KEY, "Key:"}, {TAG_HMACMD5_BITS, "Bits:"}, @@ -251,6 +255,15 @@ check_gost(const dst_private_t *priv) { } static int +check_ecdsa(const dst_private_t *priv) { + if (priv->nelements != ECDSA_NTAGS) + return (-1); + if (priv->elements[0].tag != TAG(DST_ALG_ECDSA256, 0)) + return (-1); + return (0); +} + +static int check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) { int i, j; @@ -302,13 +315,20 @@ check_data(const dst_private_t *priv, const unsigned int alg, switch (alg) { case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: return (check_rsa(priv)); case DST_ALG_DH: return (check_dh(priv)); case DST_ALG_DSA: + case DST_ALG_NSEC3DSA: return (check_dsa(priv)); case DST_ALG_ECCGOST: return (check_gost(priv)); + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: + return (check_ecdsa(priv)); case DST_ALG_HMACMD5: return (check_hmac_md5(priv, old)); case DST_ALG_HMACSHA1: @@ -345,7 +365,7 @@ isc_result_t dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, isc_mem_t *mctx, dst_private_t *priv) { - int n = 0, major, minor; + int n = 0, major, minor, check; isc_buffer_t b; isc_token_t token; unsigned char *data = NULL; @@ -515,8 +535,14 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, data = NULL; } done: - if (check_data(priv, alg, ISC_TRUE) < 0) + check = check_data(priv, alg, ISC_TRUE); + if (check < 0) { + ret = DST_R_INVALIDPRIVATEKEY; + goto fail; + } else if (check != ISC_R_SUCCESS) { + ret = check; goto fail; + } return (ISC_R_SUCCESS); @@ -533,7 +559,6 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, const char *directory) { FILE *fp; - int ret, i; isc_result_t result; char filename[ISC_DIR_NAMEMAX]; char buffer[MAXFIELDSIZE * 2]; @@ -543,16 +568,32 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, isc_buffer_t b; isc_region_t r; int major, minor; + mode_t mode; + int i, ret; REQUIRE(priv != NULL); - if (check_data(priv, dst_key_alg(key), ISC_FALSE) < 0) + ret = check_data(priv, dst_key_alg(key), ISC_FALSE); + if (ret < 0) return (DST_R_INVALIDPRIVATEKEY); + else if (ret != ISC_R_SUCCESS) + return (ret); isc_buffer_init(&b, filename, sizeof(filename)); - ret = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b); - if (ret != ISC_R_SUCCESS) - return (ret); + result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b); + if (result != ISC_R_SUCCESS) + return (result); + + result = isc_file_mode(filename, &mode); + if (result == ISC_R_SUCCESS && mode != 0600) { + /* File exists; warn that we are changing its permissions */ + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING, + "Permissions on the file %s " + "have changed from 0%o to 0600 as " + "a result of this operation.", + filename, (unsigned int)mode); + } if ((fp = fopen(filename, "w")) == NULL) return (DST_R_WRITEERROR); @@ -603,6 +644,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, case DST_ALG_ECCGOST: fprintf(fp, "(ECC-GOST)\n"); break; + case DST_ALG_ECDSA256: + fprintf(fp, "(ECDSAP256SHA256)\n"); + break; + case DST_ALG_ECDSA384: + fprintf(fp, "(ECDSAP384SHA384)\n"); + break; case DST_ALG_HMACMD5: fprintf(fp, "(HMAC_MD5)\n"); break; diff --git a/contrib/bind9/lib/dns/dst_parse.h b/contrib/bind9/lib/dns/dst_parse.h index 91b072f..f048bf0 100644 --- a/contrib/bind9/lib/dns/dst_parse.h +++ b/contrib/bind9/lib/dns/dst_parse.h @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -81,6 +81,9 @@ #define GOST_NTAGS 1 #define TAG_GOST_PRIVASN1 ((DST_ALG_ECCGOST << TAG_SHIFT) + 0) +#define ECDSA_NTAGS 1 +#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0) + #define OLD_HMACMD5_NTAGS 1 #define HMACMD5_NTAGS 2 #define TAG_HMACMD5_KEY ((DST_ALG_HMACMD5 << TAG_SHIFT) + 0) diff --git a/contrib/bind9/lib/dns/dst_result.c b/contrib/bind9/lib/dns/dst_result.c index 429dbb2..297e809 100644 --- a/contrib/bind9/lib/dns/dst_result.c +++ b/contrib/bind9/lib/dns/dst_result.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -30,7 +30,7 @@ static const char *text[DST_R_NRESULTS] = { "algorithm is unsupported", /*%< 0 */ - "openssl failure", /*%< 1 */ + "crypto failure", /*%< 1 */ "built with no crypto support", /*%< 2 */ "illegal operation for a null key", /*%< 3 */ "public key is invalid", /*%< 4 */ diff --git a/contrib/bind9/lib/dns/include/Makefile.in b/contrib/bind9/lib/dns/include/Makefile.in index b52cb98..10d798d 100644 --- a/contrib/bind9/lib/dns/include/Makefile.in +++ b/contrib/bind9/lib/dns/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/dns/include/dns/db.h b/contrib/bind9/lib/dns/include/dns/db.h index 6aa02d2..fe268f4 100644 --- a/contrib/bind9/lib/dns/include/dns/db.h +++ b/contrib/bind9/lib/dns/include/dns/db.h @@ -172,7 +172,7 @@ typedef struct dns_dbmethods { isc_boolean_t (*isdnssec)(dns_db_t *db); dns_stats_t *(*getrrsetstats)(dns_db_t *db); void (*rpz_enabled)(dns_db_t *db, dns_rpz_st_t *st); - isc_result_t (*rpz_findips)(dns_rpz_zone_t *rpz, + void (*rpz_findips)(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, @@ -1507,7 +1507,7 @@ dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st); * DNS_RPZ_TYPE_NSDNAME records. */ -isc_result_t +void dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, dns_rdataset_t *ardataset, dns_rpz_st_t *st, @@ -1524,10 +1524,6 @@ dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, * \li 'ardataset' is an A or AAAA rdataset of addresses to check * \li 'found' specifies the previous best match if any or * or NULL, an empty name, 0, DNS_RPZ_POLICY_MISS, and 0 - * - * Returns: - * \li #ISC_R_SUCCESS - * \li #ISC_R_UNEXPECTED */ ISC_LANG_ENDDECLS diff --git a/contrib/bind9/lib/dns/include/dns/dnssec.h b/contrib/bind9/lib/dns/include/dns/dnssec.h index b87fd5c..e986d40 100644 --- a/contrib/bind9/lib/dns/include/dns/dnssec.h +++ b/contrib/bind9/lib/dns/include/dns/dnssec.h @@ -24,6 +24,7 @@ #include <isc/lang.h> #include <isc/stdtime.h> +#include <isc/stats.h> #include <dns/diff.h> #include <dns/types.h> @@ -32,6 +33,8 @@ ISC_LANG_BEGINDECLS +LIBDNS_EXTERNAL_DATA extern isc_stats_t *dns_dnssec_stats; + /*%< Maximum number of keys supported in a zone. */ #define DNS_MAXZONEKEYS 32 @@ -96,8 +99,8 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_stdtime_t *inception, isc_stdtime_t *expire, isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata); /*%< - * Generates a SIG record covering this rdataset. This has no effect - * on existing SIG records. + * Generates a RRSIG record covering this rdataset. This has no effect + * on existing RRSIG records. * * Requires: *\li 'name' (the owner name of the record) is a valid name @@ -130,9 +133,9 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_boolean_t ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild); /*%< - * Verifies the SIG record covering this rdataset signed by a specific - * key. This does not determine if the key's owner is authorized to - * sign this record, as this requires a resolver or database. + * Verifies the RRSIG record covering this rdataset signed by a specific + * key. This does not determine if the key's owner is authorized to sign + * this record, as this requires a resolver or database. * If 'ignoretime' is ISC_TRUE, temporal validity will not be checked. * * Requires: diff --git a/contrib/bind9/lib/dns/include/dns/ds.h b/contrib/bind9/lib/dns/include/dns/ds.h index b20b408..03ab0ed 100644 --- a/contrib/bind9/lib/dns/include/dns/ds.h +++ b/contrib/bind9/lib/dns/include/dns/ds.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -27,15 +27,16 @@ #define DNS_DSDIGEST_SHA1 (1) #define DNS_DSDIGEST_SHA256 (2) #define DNS_DSDIGEST_GOST (3) +#define DNS_DSDIGEST_SHA384 (4) /* should not be here... */ #define ISC_GOST_DIGESTLENGTH 32U /* - * Assuming SHA-256 digest type. + * Assuming SHA-384 digest type. */ -#define DNS_DS_BUFFERSIZE (36) +#define DNS_DS_BUFFERSIZE (52) ISC_LANG_BEGINDECLS diff --git a/contrib/bind9/lib/dns/include/dns/iptable.h b/contrib/bind9/lib/dns/include/dns/iptable.h index d7eb140..2ce8e18 100644 --- a/contrib/bind9/lib/dns/include/dns/iptable.h +++ b/contrib/bind9/lib/dns/include/dns/iptable.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -23,6 +23,8 @@ #include <isc/magic.h> #include <isc/radix.h> +#include <dns/types.h> + struct dns_iptable { unsigned int magic; isc_mem_t *mctx; diff --git a/contrib/bind9/lib/dns/include/dns/keyvalues.h b/contrib/bind9/lib/dns/include/dns/keyvalues.h index 55c0b8f..0c392ca 100644 --- a/contrib/bind9/lib/dns/include/dns/keyvalues.h +++ b/contrib/bind9/lib/dns/include/dns/keyvalues.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -71,6 +71,8 @@ #define DNS_KEYALG_RSASHA256 8 #define DNS_KEYALG_RSASHA512 10 #define DNS_KEYALG_ECCGOST 12 +#define DNS_KEYALG_ECDSA256 13 +#define DNS_KEYALG_ECDSA384 14 #define DNS_KEYALG_INDIRECT 252 #define DNS_KEYALG_PRIVATEDNS 253 #define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */ @@ -101,4 +103,10 @@ #define DNS_SIG_GOSTSIGSIZE 64 +#define DNS_SIG_ECDSA256SIZE 64 +#define DNS_SIG_ECDSA384SIZE 96 + +#define DNS_KEY_ECDSA256SIZE 64 +#define DNS_KEY_ECDSA384SIZE 96 + #endif /* DNS_KEYVALUES_H */ diff --git a/contrib/bind9/lib/dns/include/dns/log.h b/contrib/bind9/lib/dns/include/dns/log.h index b73b17f..689b148 100644 --- a/contrib/bind9/lib/dns/include/dns/log.h +++ b/contrib/bind9/lib/dns/include/dns/log.h @@ -75,6 +75,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[]; #define DNS_LOGMODULE_ACACHE (&dns_modules[25]) #define DNS_LOGMODULE_DLZ (&dns_modules[26]) #define DNS_LOGMODULE_DNSSEC (&dns_modules[27]) +#define DNS_LOGMODULE_CRYPTO (&dns_modules[28]) ISC_LANG_BEGINDECLS diff --git a/contrib/bind9/lib/dns/include/dns/rdataset.h b/contrib/bind9/lib/dns/include/dns/rdataset.h index 7918551..b2b8370 100644 --- a/contrib/bind9/lib/dns/include/dns/rdataset.h +++ b/contrib/bind9/lib/dns/include/dns/rdataset.h @@ -56,6 +56,7 @@ #include <isc/stdtime.h> #include <dns/types.h> +#include <dns/rdatastruct.h> ISC_LANG_BEGINDECLS @@ -651,6 +652,25 @@ dns_rdataset_expire(dns_rdataset_t *rdataset); * Mark the rdataset to be expired in the backing database. */ +void +dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, + dns_rdata_rrsig_t *rrsig, isc_stdtime_t now, + isc_boolean_t acceptexpired); +/*%< + * Trim the ttl of 'rdataset' and 'sigrdataset' so that they will expire + * at or before 'rrsig->expiretime'. If 'acceptexpired' is true and the + * signature has expired or will expire in the next 120 seconds, limit + * the ttl to be no more than 120 seconds. + * + * The ttl is further limited by the original ttl as stored in 'rrsig' + * and the original ttl values of 'rdataset' and 'sigrdataset'. + * + * Requires: + * \li 'rdataset' is a valid rdataset. + * \li 'sigrdataset' is a valid rdataset. + * \li 'rrsig' is non NULL. + */ + const char * dns_trust_totext(dns_trust_t trust); /* diff --git a/contrib/bind9/lib/dns/include/dns/rpz.h b/contrib/bind9/lib/dns/include/dns/rpz.h index 59d4f87..4227dd4 100644 --- a/contrib/bind9/lib/dns/include/dns/rpz.h +++ b/contrib/bind9/lib/dns/include/dns/rpz.h @@ -30,6 +30,7 @@ ISC_LANG_BEGINDECLS #define DNS_RPZ_IP_ZONE "rpz-ip" #define DNS_RPZ_NSIP_ZONE "rpz-nsip" #define DNS_RPZ_NSDNAME_ZONE "rpz-nsdname" +#define DNS_RPZ_PASSTHRU_ZONE "rpz-passthru" typedef isc_uint8_t dns_rpz_cidr_bits_t; @@ -66,11 +67,14 @@ typedef struct dns_rpz_zone dns_rpz_zone_t; struct dns_rpz_zone { ISC_LINK(dns_rpz_zone_t) link; - int num; + int num; /* ordinal in list of policy zones */ dns_name_t origin; /* Policy zone name */ dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ - dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ + dns_name_t passthru;/* DNS_RPZ_PASSTHRU_ZONE. */ dns_name_t cname; /* override value for ..._CNAME */ + dns_ttl_t max_policy_ttl; + dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ + isc_boolean_t recursive_only; }; /* @@ -143,6 +147,7 @@ typedef struct { } dns_rpz_st_t; #define DNS_RPZ_TTL_DEFAULT 5 +#define DNS_RPZ_MAX_TTL_DEFAULT DNS_RPZ_TTL_DEFAULT /* * So various response policy zone messages can be turned up or down. @@ -152,6 +157,7 @@ typedef struct { #define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1) #define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2) #define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3) +#define DNS_RPZ_DEBUG_QUIET (DNS_RPZ_DEBUG_LEVEL3+1) const char * dns_rpz_type2str(dns_rpz_type_t type); @@ -192,7 +198,8 @@ dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr, dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix); dns_rpz_policy_t -dns_rpz_decode_cname(dns_rdataset_t *, dns_name_t *selfname); +dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, + dns_name_t *selfname); ISC_LANG_ENDDECLS diff --git a/contrib/bind9/lib/dns/include/dns/stats.h b/contrib/bind9/lib/dns/include/dns/stats.h index bc77d1e..5364267 100644 --- a/contrib/bind9/lib/dns/include/dns/stats.h +++ b/contrib/bind9/lib/dns/include/dns/stats.h @@ -64,6 +64,16 @@ enum { dns_resstatscounter_max = 30, + /* + * DNSSEC stats. + */ + dns_dnssecstats_asis = 0, + dns_dnssecstats_downcase = 1, + dns_dnssecstats_wildcard = 2, + dns_dnssecstats_fail = 3, + + dns_dnssecstats_max = 4, + /*% * Zone statistics counters. */ diff --git a/contrib/bind9/lib/dns/include/dns/view.h b/contrib/bind9/lib/dns/include/dns/view.h index 7db600b..4a04867 100644 --- a/contrib/bind9/lib/dns/include/dns/view.h +++ b/contrib/bind9/lib/dns/include/dns/view.h @@ -162,6 +162,8 @@ struct dns_view { dns_dns64list_t dns64; unsigned int dns64cnt; ISC_LIST(dns_rpz_zone_t) rpz_zones; + isc_boolean_t rpz_recursive_only; + isc_boolean_t rpz_break_dnssec; /* * Configurable data for server use only, diff --git a/contrib/bind9/lib/dns/include/dns/zone.h b/contrib/bind9/lib/dns/include/dns/zone.h index 9eada59..9db825c 100644 --- a/contrib/bind9/lib/dns/include/dns/zone.h +++ b/contrib/bind9/lib/dns/include/dns/zone.h @@ -1815,7 +1815,7 @@ dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures); isc_result_t dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, - isc_uint16_t keyid, isc_boolean_t delete); + isc_uint16_t keyid, isc_boolean_t deleteit); /*%< * Initiate/resume signing of the entire zone with the zone DNSKEY(s) * that match the given algorithm and keyid. diff --git a/contrib/bind9/lib/dns/include/dst/Makefile.in b/contrib/bind9/lib/dns/include/dst/Makefile.in index 4ed4ec0..cece67d 100644 --- a/contrib/bind9/lib/dns/include/dst/Makefile.in +++ b/contrib/bind9/lib/dns/include/dst/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/dns/include/dst/dst.h b/contrib/bind9/lib/dns/include/dst/dst.h index bf314f3..b0fa690 100644 --- a/contrib/bind9/lib/dns/include/dst/dst.h +++ b/contrib/bind9/lib/dns/include/dst/dst.h @@ -59,6 +59,8 @@ typedef struct dst_context dst_context_t; #define DST_ALG_RSASHA256 8 #define DST_ALG_RSASHA512 10 #define DST_ALG_ECCGOST 12 +#define DST_ALG_ECDSA256 13 +#define DST_ALG_ECDSA384 14 #define DST_ALG_HMACMD5 157 #define DST_ALG_GSSAPI 160 #define DST_ALG_HMACSHA1 161 /* XXXMPA */ diff --git a/contrib/bind9/lib/dns/include/dst/result.h b/contrib/bind9/lib/dns/include/dst/result.h index d77b72e..00640a1 100644 --- a/contrib/bind9/lib/dns/include/dst/result.h +++ b/contrib/bind9/lib/dns/include/dst/result.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -34,7 +34,9 @@ #include <isc/result.h> /* Contractual promise. */ #define DST_R_UNSUPPORTEDALG (ISC_RESULTCLASS_DST + 0) -#define DST_R_OPENSSLFAILURE (ISC_RESULTCLASS_DST + 1) +#define DST_R_CRYPTOFAILURE (ISC_RESULTCLASS_DST + 1) +/* compat */ +#define DST_R_OPENSSLFAILURE DST_R_CRYPTOFAILURE #define DST_R_NOCRYPTO (ISC_RESULTCLASS_DST + 2) #define DST_R_NULLKEY (ISC_RESULTCLASS_DST + 3) #define DST_R_INVALIDPUBLICKEY (ISC_RESULTCLASS_DST + 4) diff --git a/contrib/bind9/lib/dns/log.c b/contrib/bind9/lib/dns/log.c index 8f3774f..d286d10 100644 --- a/contrib/bind9/lib/dns/log.c +++ b/contrib/bind9/lib/dns/log.c @@ -81,6 +81,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = { { "dns/acache", 0 }, { "dns/dlz", 0 }, { "dns/dnssec", 0 }, + { "dns/crypto", 0 }, { NULL, 0 } }; diff --git a/contrib/bind9/lib/dns/master.c b/contrib/bind9/lib/dns/master.c index 7f6cf58..8304507 100644 --- a/contrib/bind9/lib/dns/master.c +++ b/contrib/bind9/lib/dns/master.c @@ -2076,19 +2076,21 @@ load_raw(dns_loadctx_t *lctx) { unsigned int loop_cnt = 0; dns_rdatacallbacks_t *callbacks; unsigned char namebuf[DNS_NAME_MAXWIRE]; - isc_region_t r; - dns_name_t name; + dns_fixedname_t fixed; + dns_name_t *name; rdatalist_head_t head, dummy; dns_rdatalist_t rdatalist; isc_mem_t *mctx = lctx->mctx; dns_rdata_t *rdata = NULL; unsigned int rdata_size = 0; int target_size = TSIZ; - isc_buffer_t target; + isc_buffer_t target, buf; unsigned char *target_mem = NULL; + dns_decompress_t dctx; REQUIRE(DNS_LCTX_VALID(lctx)); callbacks = lctx->callbacks; + dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE); if (lctx->first) { dns_masterrawheader_t header; @@ -2145,6 +2147,9 @@ load_raw(dns_loadctx_t *lctx) { } isc_buffer_init(&target, target_mem, target_size); + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + /* * In the following loop, we regard any error fatal regardless of * whether "MANYERRORS" is set in the context option. This is because @@ -2156,7 +2161,7 @@ load_raw(dns_loadctx_t *lctx) { for (loop_cnt = 0; (lctx->loop_cnt == 0 || loop_cnt < lctx->loop_cnt); loop_cnt++) { - unsigned int i, rdcount, consumed_name; + unsigned int i, rdcount; isc_uint16_t namelen; isc_uint32_t totallen; size_t minlen, readlen; @@ -2246,12 +2251,11 @@ load_raw(dns_loadctx_t *lctx) { lctx->f); if (result != ISC_R_SUCCESS) goto cleanup; + isc_buffer_setactive(&target, (unsigned int)namelen); - isc_buffer_activeregion(&target, &r); - dns_name_init(&name, NULL); - dns_name_fromregion(&name, &r); - isc_buffer_forward(&target, (unsigned int)namelen); - consumed_name = isc_buffer_consumedlength(&target); + result = dns_name_fromwire(name, &target, &dctx, 0, NULL); + if (result != ISC_R_SUCCESS) + goto cleanup; /* Rdata contents. */ if (rdcount > rdata_size) { @@ -2282,7 +2286,7 @@ load_raw(dns_loadctx_t *lctx) { /* Partial Commit. */ ISC_LIST_APPEND(head, &rdatalist, link); - result = commit(callbacks, lctx, &head, &name, + result = commit(callbacks, lctx, &head, name, NULL, 0); for (j = 0; j < i; j++) { ISC_LIST_UNLINK(rdatalist.rdata, @@ -2294,8 +2298,6 @@ load_raw(dns_loadctx_t *lctx) { /* Rewind the buffer and continue */ isc_buffer_clear(&target); - isc_buffer_add(&target, consumed_name); - isc_buffer_forward(&target, consumed_name); rdcount -= i; @@ -2315,11 +2317,20 @@ load_raw(dns_loadctx_t *lctx) { if (result != ISC_R_SUCCESS) goto cleanup; isc_buffer_setactive(&target, (unsigned int)rdlen); - isc_buffer_activeregion(&target, &r); - isc_buffer_forward(&target, (unsigned int)rdlen); - dns_rdata_fromregion(&rdata[i], rdatalist.rdclass, - rdatalist.type, &r); - + /* + * It is safe to have the source active region and + * the target available region be the same if + * decompression is disabled (see dctx above) and we + * are not downcasing names (options == 0). + */ + isc_buffer_init(&buf, isc_buffer_current(&target), + (unsigned int)rdlen); + result = dns_rdata_fromwire(&rdata[i], + rdatalist.rdclass, + rdatalist.type, &target, + &dctx, 0, &buf); + if (result != ISC_R_SUCCESS) + goto cleanup; ISC_LIST_APPEND(rdatalist.rdata, &rdata[i], link); } @@ -2336,7 +2347,7 @@ load_raw(dns_loadctx_t *lctx) { ISC_LIST_APPEND(head, &rdatalist, link); /* Commit this RRset. rdatalist will be unlinked. */ - result = commit(callbacks, lctx, &head, &name, NULL, 0); + result = commit(callbacks, lctx, &head, name, NULL, 0); for (i = 0; i < rdcount; i++) { ISC_LIST_UNLINK(rdatalist.rdata, &rdata[i], link); diff --git a/contrib/bind9/lib/dns/masterdump.c b/contrib/bind9/lib/dns/masterdump.c index 0c17c1a..a10e6f2 100644 --- a/contrib/bind9/lib/dns/masterdump.c +++ b/contrib/bind9/lib/dns/masterdump.c @@ -1545,7 +1545,8 @@ dns_master_dumptostream2(isc_mem_t *mctx, dns_db_t *db, } static isc_result_t -opentmp(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { +opentmp(isc_mem_t *mctx, dns_masterformat_t format, const char *file, + char **tempp, FILE **fp) { FILE *f = NULL; isc_result_t result; char *tempname = NULL; @@ -1560,7 +1561,10 @@ opentmp(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { if (result != ISC_R_SUCCESS) goto cleanup; - result = isc_file_openunique(tempname, &f); + if (format == dns_masterformat_text) + result = isc_file_openunique(tempname, &f); + else + result = isc_file_bopenunique(tempname, &f); if (result != ISC_R_SUCCESS) { isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR, @@ -1604,7 +1608,7 @@ dns_master_dumpinc2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version, if (file == NULL) return (ISC_R_NOMEMORY); - result = opentmp(mctx, filename, &tempname, &f); + result = opentmp(mctx, format, filename, &tempname, &f); if (result != ISC_R_SUCCESS) goto cleanup; @@ -1658,7 +1662,7 @@ dns_master_dump2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version, char *tempname; dns_dumpctx_t *dctx = NULL; - result = opentmp(mctx, filename, &tempname, &f); + result = opentmp(mctx, format, filename, &tempname, &f); if (result != ISC_R_SUCCESS) return (result); diff --git a/contrib/bind9/lib/dns/openssl_link.c b/contrib/bind9/lib/dns/openssl_link.c index 59626f2..d186761 100644 --- a/contrib/bind9/lib/dns/openssl_link.c +++ b/contrib/bind9/lib/dns/openssl_link.c @@ -45,6 +45,8 @@ #include <isc/thread.h> #include <isc/util.h> +#include <dns/log.h> + #include <dst/result.h> #include "dst_internal.h" @@ -172,6 +174,8 @@ dst__openssl_init(const char *engine) { CRYPTO_set_locking_callback(lock_callback); CRYPTO_set_id_callback(id_callback); + ERR_load_crypto_strings(); + rm = mem_alloc(sizeof(RAND_METHOD)); if (rm == NULL) { result = ISC_R_NOMEMORY; @@ -285,7 +289,7 @@ dst__openssl_destroy() { isc_result_t dst__openssl_toresult(isc_result_t fallback) { isc_result_t result = fallback; - int err = ERR_get_error(); + unsigned long err = ERR_get_error(); switch (ERR_GET_REASON(err)) { case ERR_R_MALLOC_FAILURE: @@ -298,6 +302,40 @@ dst__openssl_toresult(isc_result_t fallback) { return (result); } +isc_result_t +dst__openssl_toresult2(const char *funcname, isc_result_t fallback) { + isc_result_t result = fallback; + unsigned long err = ERR_peek_error(); + const char *file, *data; + int line, flags; + char buf[256]; + + switch (ERR_GET_REASON(err)) { + case ERR_R_MALLOC_FAILURE: + result = ISC_R_NOMEMORY; + goto done; + default: + break; + } + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING, + "%s failed", funcname); + for (;;) { + err = ERR_get_error_line_data(&file, &line, &data, &flags); + if (err == 0U) + goto done; + ERR_error_string_n(err, buf, sizeof(buf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO, + "%s:%s:%d:%s", buf, file, line, + (flags & ERR_TXT_STRING) ? data : ""); + } + + done: + ERR_clear_error(); + return (result); +} + #if defined(USE_ENGINE) ENGINE * dst__openssl_getengine(const char *engine) { diff --git a/contrib/bind9/lib/dns/openssldh_link.c b/contrib/bind9/lib/dns/openssldh_link.c index 71b4b12..9fe9bb5 100644 --- a/contrib/bind9/lib/dns/openssldh_link.c +++ b/contrib/bind9/lib/dns/openssldh_link.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -94,7 +94,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, return (ISC_R_NOSPACE); ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv); if (ret == 0) - return (dst__openssl_toresult(DST_R_COMPUTESECRETFAILURE)); + return (dst__openssl_toresult2("DH_compute_key", + DST_R_COMPUTESECRETFAILURE)); isc_buffer_add(secret, len); return (ISC_R_SUCCESS); } @@ -204,7 +205,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { #if OPENSSL_VERSION_NUMBER > 0x00908000L dh = DH_new(); if (dh == NULL) - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult(ISC_R_NOMEMORY)); if (callback == NULL) { BN_GENCB_set_old(&cb, NULL, NULL); @@ -216,7 +217,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { if (!DH_generate_parameters_ex(dh, key->key_size, generator, &cb)) { DH_free(dh); - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult2( + "DH_generate_parameters_ex", + DST_R_OPENSSLFAILURE)); } #else dh = DH_generate_parameters(key->key_size, generator, @@ -225,11 +228,13 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { } if (dh == NULL) - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult2("DH_generate_parameters", + DST_R_OPENSSLFAILURE)); if (DH_generate_key(dh) == 0) { DH_free(dh); - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult2("DH_generate_key", + DST_R_OPENSSLFAILURE)); } dh->flags &= ~DH_FLAG_CACHE_MONT_P; @@ -460,6 +465,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { dh = key->keydata.dh; + memset(bufs, 0, sizeof(bufs)); for (i = 0; i < 4; i++) { bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p)); if (bufs[i] == NULL) { diff --git a/contrib/bind9/lib/dns/openssldsa_link.c b/contrib/bind9/lib/dns/openssldsa_link.c index 39c0615..e2cf8cd 100644 --- a/contrib/bind9/lib/dns/openssldsa_link.c +++ b/contrib/bind9/lib/dns/openssldsa_link.c @@ -168,7 +168,8 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) { EVP_PKEY_free(pkey); free(sigbuf); - return (ISC_R_FAILURE); + return (dst__openssl_toresult2("EVP_SignFinal", + ISC_R_FAILURE)); } INSIST(EVP_PKEY_size(pkey) >= (int) siglen); EVP_PKEY_free(pkey); @@ -181,23 +182,26 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { sb = sigbuf; if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) { free(sigbuf); - return (ISC_R_FAILURE); + return (dst__openssl_toresult2("d2i_DSA_SIG", ISC_R_FAILURE)); } free(sigbuf); #elif 0 /* Only use EVP for the Digest */ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) { - return (ISC_R_FAILURE); + return (dst__openssl_toresult2("EVP_DigestFinal_ex", + ISC_R_FAILURE)); } dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa); if (dsasig == NULL) - return (dst__openssl_toresult(DST_R_SIGNFAILURE)); + return (dst__openssl_toresult2("DSA_do_sign", + DST_R_SIGNFAILURE)); #else isc_sha1_final(sha1ctx, digest); dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa); if (dsasig == NULL) - return (dst__openssl_toresult(DST_R_SIGNFAILURE)); + return (dst__openssl_toresult2("DSA_do_sign", + DST_R_SIGNFAILURE)); #endif *r.base++ = (key->key_size - 512)/64; BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); @@ -276,10 +280,15 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) { status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa); #endif DSA_SIG_free(dsasig); - if (status != 1) + switch (status) { + case 1: + return (ISC_R_SUCCESS); + case 0: return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); - - return (ISC_R_SUCCESS); + default: + return (dst__openssl_toresult2("DSA_do_verify", + DST_R_VERIFYFAILURE)); + } } static isc_boolean_t @@ -370,19 +379,22 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { &cb)) { DSA_free(dsa); - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult2("DSA_generate_parameters_ex", + DST_R_OPENSSLFAILURE)); } #else dsa = DSA_generate_parameters(key->key_size, rand_array, ISC_SHA1_DIGESTLENGTH, NULL, NULL, NULL, NULL); if (dsa == NULL) - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult2("DSA_generate_parameters", + DST_R_OPENSSLFAILURE)); #endif if (DSA_generate_key(dsa) == 0) { DSA_free(dsa); - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult2("DSA_generate_key", + DST_R_OPENSSLFAILURE)); } dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; diff --git a/contrib/bind9/lib/dns/opensslecdsa_link.c b/contrib/bind9/lib/dns/opensslecdsa_link.c new file mode 100644 index 0000000..e6c9b67 --- /dev/null +++ b/contrib/bind9/lib/dns/opensslecdsa_link.c @@ -0,0 +1,596 @@ +/* + * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id$ */ + +#include <config.h> + +#ifdef HAVE_OPENSSL_ECDSA + +#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384) +#error "ECDSA without EVP for SHA2?" +#endif + +#include <isc/entropy.h> +#include <isc/mem.h> +#include <isc/sha2.h> +#include <isc/string.h> +#include <isc/util.h> + +#include <dns/keyvalues.h> +#include <dst/result.h> + +#include "dst_internal.h" +#include "dst_openssl.h" +#include "dst_parse.h" + +#include <openssl/err.h> +#include <openssl/objects.h> +#include <openssl/ecdsa.h> +#include <openssl/bn.h> + +#ifndef NID_X9_62_prime256v1 +#error "P-256 group is not known (NID_X9_62_prime256v1)" +#endif +#ifndef NID_secp384r1 +#error "P-384 group is not known (NID_secp384r1)" +#endif + +#define DST_RET(a) {ret = a; goto err;} + +static isc_result_t opensslecdsa_todns(const dst_key_t *key, + isc_buffer_t *data); + +static isc_result_t +opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { + EVP_MD_CTX *evp_md_ctx; + const EVP_MD *type = NULL; + + UNUSED(key); + REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || + dctx->key->key_alg == DST_ALG_ECDSA384); + + evp_md_ctx = EVP_MD_CTX_create(); + if (evp_md_ctx == NULL) + return (ISC_R_NOMEMORY); + if (dctx->key->key_alg == DST_ALG_ECDSA256) + type = EVP_sha256(); + else + type = EVP_sha384(); + + if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) { + EVP_MD_CTX_destroy(evp_md_ctx); + return (dst__openssl_toresult2("EVP_DigestInit_ex", + ISC_R_FAILURE)); + } + + dctx->ctxdata.evp_md_ctx = evp_md_ctx; + + return (ISC_R_SUCCESS); +} + +static void +opensslecdsa_destroyctx(dst_context_t *dctx) { + EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; + + REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || + dctx->key->key_alg == DST_ALG_ECDSA384); + + if (evp_md_ctx != NULL) { + EVP_MD_CTX_destroy(evp_md_ctx); + dctx->ctxdata.evp_md_ctx = NULL; + } +} + +static isc_result_t +opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) { + EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; + + REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || + dctx->key->key_alg == DST_ALG_ECDSA384); + + if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) + return (dst__openssl_toresult2("EVP_DigestUpdate", + ISC_R_FAILURE)); + + return (ISC_R_SUCCESS); +} + +static int +BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) { + int bytes = size - BN_num_bytes(bn); + + while (bytes-- > 0) + *buf++ = 0; + BN_bn2bin(bn, buf); + return (size); +} + +static isc_result_t +opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { + isc_result_t ret; + dst_key_t *key = dctx->key; + isc_region_t r; + ECDSA_SIG *ecdsasig; + EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; + EVP_PKEY *pkey = key->keydata.pkey; + EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey); + unsigned int dgstlen, siglen; + unsigned char digest[EVP_MAX_MD_SIZE]; + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); + + if (eckey == NULL) + return (ISC_R_FAILURE); + + if (key->key_alg == DST_ALG_ECDSA256) + siglen = DNS_SIG_ECDSA256SIZE; + else + siglen = DNS_SIG_ECDSA384SIZE; + + isc_buffer_availableregion(sig, &r); + if (r.length < siglen) + DST_RET(ISC_R_NOSPACE); + + if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen)) + DST_RET(dst__openssl_toresult2("EVP_DigestFinal", + ISC_R_FAILURE)); + + ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey); + if (ecdsasig == NULL) + DST_RET(dst__openssl_toresult2("ECDSA_do_sign", + DST_R_SIGNFAILURE)); + BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2); + r.base += siglen / 2; + BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2); + r.base += siglen / 2; + ECDSA_SIG_free(ecdsasig); + isc_buffer_add(sig, siglen); + ret = ISC_R_SUCCESS; + + err: + if (eckey != NULL) + EC_KEY_free(eckey); + return (ret); +} + +static isc_result_t +opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + isc_result_t ret; + dst_key_t *key = dctx->key; + int status; + unsigned char *cp = sig->base; + ECDSA_SIG *ecdsasig = NULL; + EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; + EVP_PKEY *pkey = key->keydata.pkey; + EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey); + unsigned int dgstlen, siglen; + unsigned char digest[EVP_MAX_MD_SIZE]; + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); + + if (eckey == NULL) + return (ISC_R_FAILURE); + + if (key->key_alg == DST_ALG_ECDSA256) + siglen = DNS_SIG_ECDSA256SIZE; + else + siglen = DNS_SIG_ECDSA384SIZE; + + if (sig->length != siglen) + return (DST_R_VERIFYFAILURE); + + if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) + DST_RET (dst__openssl_toresult2("EVP_DigestFinal_ex", + ISC_R_FAILURE)); + + ecdsasig = ECDSA_SIG_new(); + if (ecdsasig == NULL) + DST_RET (ISC_R_NOMEMORY); + ecdsasig->r = BN_bin2bn(cp, siglen / 2, NULL); + cp += siglen / 2; + ecdsasig->s = BN_bin2bn(cp, siglen / 2, NULL); + /* cp += siglen / 2; */ + + status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey); + switch (status) { + case 1: + ret = ISC_R_SUCCESS; + break; + case 0: + ret = dst__openssl_toresult(DST_R_VERIFYFAILURE); + break; + default: + ret = dst__openssl_toresult2("ECDSA_do_verify", + DST_R_VERIFYFAILURE); + break; + } + + err: + if (ecdsasig != NULL) + ECDSA_SIG_free(ecdsasig); + if (eckey != NULL) + EC_KEY_free(eckey); + return (ret); +} + +static isc_boolean_t +opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + isc_boolean_t ret; + int status; + EVP_PKEY *pkey1 = key1->keydata.pkey; + EVP_PKEY *pkey2 = key2->keydata.pkey; + EC_KEY *eckey1 = NULL; + EC_KEY *eckey2 = NULL; + const BIGNUM *priv1, *priv2; + + if (pkey1 == NULL && pkey2 == NULL) + return (ISC_TRUE); + else if (pkey1 == NULL || pkey2 == NULL) + return (ISC_FALSE); + + eckey1 = EVP_PKEY_get1_EC_KEY(pkey1); + eckey2 = EVP_PKEY_get1_EC_KEY(pkey2); + if (eckey1 == NULL && eckey2 == NULL) { + DST_RET (ISC_TRUE); + } else if (eckey1 == NULL || eckey2 == NULL) + DST_RET (ISC_FALSE); + + status = EVP_PKEY_cmp(pkey1, pkey2); + if (status != 1) + DST_RET (ISC_FALSE); + + priv1 = EC_KEY_get0_private_key(eckey1); + priv2 = EC_KEY_get0_private_key(eckey2); + if (priv1 != NULL || priv2 != NULL) { + if (priv1 == NULL || priv2 == NULL) + DST_RET (ISC_FALSE); + if (BN_cmp(priv1, priv2) != 0) + DST_RET (ISC_FALSE); + } + ret = ISC_TRUE; + + err: + if (eckey1 != NULL) + EC_KEY_free(eckey1); + if (eckey2 != NULL) + EC_KEY_free(eckey2); + return (ret); +} + +static isc_result_t +opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { + isc_result_t ret; + EVP_PKEY *pkey; + EC_KEY *eckey = NULL; + int group_nid; + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); + UNUSED(unused); + UNUSED(callback); + + if (key->key_alg == DST_ALG_ECDSA256) + group_nid = NID_X9_62_prime256v1; + else + group_nid = NID_secp384r1; + + eckey = EC_KEY_new_by_curve_name(group_nid); + if (eckey == NULL) + return (dst__openssl_toresult2("EC_KEY_new_by_curve_name", + DST_R_OPENSSLFAILURE)); + + if (EC_KEY_generate_key(eckey) != 1) + DST_RET (dst__openssl_toresult2("EC_KEY_generate_key", + DST_R_OPENSSLFAILURE)); + + pkey = EVP_PKEY_new(); + if (pkey == NULL) + DST_RET (ISC_R_NOMEMORY); + if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) { + EVP_PKEY_free(pkey); + DST_RET (ISC_R_FAILURE); + } + key->keydata.pkey = pkey; + ret = ISC_R_SUCCESS; + + err: + if (eckey != NULL) + EC_KEY_free(eckey); + return (ret); +} + +static isc_boolean_t +opensslecdsa_isprivate(const dst_key_t *key) { + isc_boolean_t ret; + EVP_PKEY *pkey = key->keydata.pkey; + EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey); + + ret = ISC_TF(eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL); + if (eckey != NULL) + EC_KEY_free(eckey); + return (ret); +} + +static void +opensslecdsa_destroy(dst_key_t *key) { + EVP_PKEY *pkey = key->keydata.pkey; + + EVP_PKEY_free(pkey); + key->keydata.pkey = NULL; +} + +static isc_result_t +opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret; + EVP_PKEY *pkey; + EC_KEY *eckey = NULL; + isc_region_t r; + int len; + unsigned char *cp; + unsigned char buf[DNS_KEY_ECDSA384SIZE + 1]; + + REQUIRE(key->keydata.pkey != NULL); + + pkey = key->keydata.pkey; + eckey = EVP_PKEY_get1_EC_KEY(pkey); + if (eckey == NULL) + return (dst__openssl_toresult(ISC_R_FAILURE)); + len = i2o_ECPublicKey(eckey, NULL); + /* skip form */ + len--; + + isc_buffer_availableregion(data, &r); + if (r.length < (unsigned int) len) + DST_RET (ISC_R_NOSPACE); + cp = buf; + if (!i2o_ECPublicKey(eckey, &cp)) + DST_RET (dst__openssl_toresult(ISC_R_FAILURE)); + memcpy(r.base, buf + 1, len); + isc_buffer_add(data, len); + ret = ISC_R_SUCCESS; + + err: + if (eckey != NULL) + EC_KEY_free(eckey); + return (ret); +} + +static isc_result_t +opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret; + EVP_PKEY *pkey; + EC_KEY *eckey = NULL; + isc_region_t r; + int group_nid; + unsigned int len; + const unsigned char *cp; + unsigned char buf[DNS_KEY_ECDSA384SIZE + 1]; + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); + + if (key->key_alg == DST_ALG_ECDSA256) { + len = DNS_KEY_ECDSA256SIZE; + group_nid = NID_X9_62_prime256v1; + } else { + len = DNS_KEY_ECDSA384SIZE; + group_nid = NID_secp384r1; + } + + isc_buffer_remainingregion(data, &r); + if (r.length == 0) + return (ISC_R_SUCCESS); + if (r.length < len) + return (DST_R_INVALIDPUBLICKEY); + + eckey = EC_KEY_new_by_curve_name(group_nid); + if (eckey == NULL) + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + + buf[0] = POINT_CONVERSION_UNCOMPRESSED; + memcpy(buf + 1, r.base, len); + cp = buf; + if (o2i_ECPublicKey(&eckey, + (const unsigned char **) &cp, + (long) len + 1) == NULL) + DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY)); + if (EC_KEY_check_key(eckey) != 1) + DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY)); + + pkey = EVP_PKEY_new(); + if (pkey == NULL) + DST_RET (ISC_R_NOMEMORY); + if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) { + EVP_PKEY_free(pkey); + DST_RET (dst__openssl_toresult(ISC_R_FAILURE)); + } + + isc_buffer_forward(data, len); + key->keydata.pkey = pkey; + ret = ISC_R_SUCCESS; + + err: + if (eckey != NULL) + EC_KEY_free(eckey); + return (ret); +} + +static isc_result_t +opensslecdsa_tofile(const dst_key_t *key, const char *directory) { + isc_result_t ret; + EVP_PKEY *pkey; + EC_KEY *eckey = NULL; + const BIGNUM *privkey; + dst_private_t priv; + unsigned char *buf = NULL; + + if (key->keydata.pkey == NULL) + return (DST_R_NULLKEY); + + pkey = key->keydata.pkey; + eckey = EVP_PKEY_get1_EC_KEY(pkey); + if (eckey == NULL) + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + privkey = EC_KEY_get0_private_key(eckey); + if (privkey == NULL) + DST_RET (ISC_R_FAILURE); + + buf = isc_mem_get(key->mctx, BN_num_bytes(privkey)); + if (buf == NULL) + DST_RET (ISC_R_NOMEMORY); + + priv.elements[0].tag = TAG_ECDSA_PRIVATEKEY; + priv.elements[0].length = BN_num_bytes(privkey); + BN_bn2bin(privkey, buf); + priv.elements[0].data = buf; + priv.nelements = ECDSA_NTAGS; + ret = dst__privstruct_writefile(key, &priv, directory); + + err: + if (eckey != NULL) + EC_KEY_free(eckey); + if (buf != NULL) + isc_mem_put(key->mctx, buf, BN_num_bytes(privkey)); + return (ret); +} + +static isc_result_t +ecdsa_check(EC_KEY *eckey, dst_key_t *pub) +{ + isc_result_t ret = ISC_R_FAILURE; + EVP_PKEY *pkey; + EC_KEY *pubeckey = NULL; + const EC_POINT *pubkey; + + if (pub == NULL) + return (ISC_R_SUCCESS); + pkey = pub->keydata.pkey; + if (pkey == NULL) + return (ISC_R_SUCCESS); + pubeckey = EVP_PKEY_get1_EC_KEY(pkey); + if (pubeckey == NULL) + return (ISC_R_SUCCESS); + pubkey = EC_KEY_get0_public_key(pubeckey); + if (pubkey == NULL) + DST_RET (ISC_R_SUCCESS); + if (EC_KEY_set_public_key(eckey, pubkey) != 1) + DST_RET (ISC_R_SUCCESS); + if (EC_KEY_check_key(eckey) == 1) + DST_RET (ISC_R_SUCCESS); + + err: + if (pubeckey != NULL) + EC_KEY_free(pubeckey); + return (ret); +} + +static isc_result_t +opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + EVP_PKEY *pkey; + EC_KEY *eckey = NULL; + BIGNUM *privkey; + int group_nid; + isc_mem_t *mctx = key->mctx; + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); + + if (key->key_alg == DST_ALG_ECDSA256) + group_nid = NID_X9_62_prime256v1; + else + group_nid = NID_secp384r1; + + eckey = EC_KEY_new_by_curve_name(group_nid); + if (eckey == NULL) + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + + /* read private key file */ + ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv); + if (ret != ISC_R_SUCCESS) + goto err; + + privkey = BN_bin2bn(priv.elements[0].data, + priv.elements[0].length, NULL); + if (privkey == NULL) + DST_RET(ISC_R_NOMEMORY); + if (!EC_KEY_set_private_key(eckey, privkey)) + DST_RET(ISC_R_NOMEMORY); + if (ecdsa_check(eckey, pub) != ISC_R_SUCCESS) + DST_RET(DST_R_INVALIDPRIVATEKEY); + dst__privstruct_free(&priv, mctx); + memset(&priv, 0, sizeof(priv)); + + pkey = EVP_PKEY_new(); + if (pkey == NULL) + DST_RET (ISC_R_NOMEMORY); + if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) { + EVP_PKEY_free(pkey); + DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } + key->keydata.pkey = pkey; + ret = ISC_R_SUCCESS; + + err: + if (eckey != NULL) + EC_KEY_free(eckey); + dst__privstruct_free(&priv, mctx); + memset(&priv, 0, sizeof(priv)); + return (ret); +} + +static dst_func_t opensslecdsa_functions = { + opensslecdsa_createctx, + opensslecdsa_destroyctx, + opensslecdsa_adddata, + opensslecdsa_sign, + opensslecdsa_verify, + NULL, /*%< computesecret */ + opensslecdsa_compare, + NULL, /*%< paramcompare */ + opensslecdsa_generate, + opensslecdsa_isprivate, + opensslecdsa_destroy, + opensslecdsa_todns, + opensslecdsa_fromdns, + opensslecdsa_tofile, + opensslecdsa_parse, + NULL, /*%< cleanup */ + NULL, /*%< fromlabel */ + NULL, /*%< dump */ + NULL, /*%< restore */ +}; + +isc_result_t +dst__opensslecdsa_init(dst_func_t **funcp) { + REQUIRE(funcp != NULL); + if (*funcp == NULL) + *funcp = &opensslecdsa_functions; + return (ISC_R_SUCCESS); +} + +#else /* HAVE_OPENSSL_ECDSA */ + +#include <isc/util.h> + +EMPTY_TRANSLATION_UNIT + +#endif /* HAVE_OPENSSL_ECDSA */ +/*! \file */ diff --git a/contrib/bind9/lib/dns/opensslgost_link.c b/contrib/bind9/lib/dns/opensslgost_link.c index e92d50f..8a55a6b 100644 --- a/contrib/bind9/lib/dns/opensslgost_link.c +++ b/contrib/bind9/lib/dns/opensslgost_link.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2010-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -121,10 +121,15 @@ opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) { EVP_PKEY *pkey = key->keydata.pkey; status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey); - if (status != 1) + switch (status) { + case 1: + return (ISC_R_SUCCESS); + case 0: return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); - - return (ISC_R_SUCCESS); + default: + return (dst__openssl_toresult2("EVP_VerifyFinal", + DST_R_VERIFYFAILURE)); + } } static isc_boolean_t @@ -168,22 +173,27 @@ opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) { void (*fptr)(int); } u; EVP_PKEY *pkey = NULL; + isc_result_t ret; UNUSED(unused); ctx = EVP_PKEY_CTX_new_id(NID_id_GostR3410_2001, NULL); if (ctx == NULL) - goto err; + DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_id", + DST_R_OPENSSLFAILURE)); if (callback != NULL) { u.fptr = callback; EVP_PKEY_CTX_set_app_data(ctx, u.dptr); EVP_PKEY_CTX_set_cb(ctx, &progress_cb); } if (EVP_PKEY_keygen_init(ctx) <= 0) - goto err; + DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init", + DST_R_OPENSSLFAILURE)); if (EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) - goto err; + DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_ctrl_str", + DST_R_OPENSSLFAILURE)); if (EVP_PKEY_keygen(ctx, &pkey) <= 0) - goto err; + DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", + DST_R_OPENSSLFAILURE)); key->keydata.pkey = pkey; EVP_PKEY_CTX_free(ctx); return (ISC_R_SUCCESS); @@ -193,7 +203,7 @@ err: EVP_PKEY_free(pkey); if (ctx != NULL) EVP_PKEY_CTX_free(ctx); - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (ret); } static isc_boolean_t @@ -267,7 +277,8 @@ opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) { p = der; if (d2i_PUBKEY(&pkey, &p, (long) sizeof(der)) == NULL) - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult2("d2i_PUBKEY", + DST_R_OPENSSLFAILURE)); key->keydata.pkey = pkey; return (ISC_R_SUCCESS); @@ -293,7 +304,8 @@ opensslgost_tofile(const dst_key_t *key, const char *directory) { p = der; if (i2d_PrivateKey(pkey, &p) != len) { - result = dst__openssl_toresult(DST_R_OPENSSLFAILURE); + result = dst__openssl_toresult2("i2d_PrivateKey", + DST_R_OPENSSLFAILURE); goto fail; } @@ -328,7 +340,8 @@ opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { p = priv.elements[0].data; if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p, (long) priv.elements[0].length) == NULL) - DST_RET(DST_R_INVALIDPRIVATEKEY); + DST_RET(dst__openssl_toresult2("d2i_PrivateKey", + DST_R_INVALIDPRIVATEKEY)); key->keydata.pkey = pkey; key->key_size = EVP_PKEY_bits(pkey); dst__privstruct_free(&priv, mctx); @@ -377,35 +390,47 @@ static dst_func_t opensslgost_functions = { isc_result_t dst__opensslgost_init(dst_func_t **funcp) { + isc_result_t ret; + REQUIRE(funcp != NULL); /* check if the gost engine works properly */ e = ENGINE_by_id("gost"); if (e == NULL) - return (DST_R_OPENSSLFAILURE); + return (dst__openssl_toresult2("ENGINE_by_id", + DST_R_OPENSSLFAILURE)); if (ENGINE_init(e) <= 0) { ENGINE_free(e); e = NULL; - return (DST_R_OPENSSLFAILURE); + return (dst__openssl_toresult2("ENGINE_init", + DST_R_OPENSSLFAILURE)); } /* better than to rely on digest_gost symbol */ opensslgost_digest = ENGINE_get_digest(e, NID_id_GostR3411_94); + if (opensslgost_digest == NULL) + DST_RET(dst__openssl_toresult2("ENGINE_get_digest", + DST_R_OPENSSLFAILURE)); /* from openssl.cnf */ - if ((opensslgost_digest == NULL) || - (ENGINE_register_pkey_asn1_meths(e) <= 0) || - (ENGINE_ctrl_cmd_string(e, - "CRYPT_PARAMS", - "id-Gost28147-89-CryptoPro-A-ParamSet", - 0) <= 0)) { - ENGINE_finish(e); - ENGINE_free(e); - e = NULL; - return (DST_R_OPENSSLFAILURE); - } + if (ENGINE_register_pkey_asn1_meths(e) <= 0) + DST_RET(dst__openssl_toresult2( + "ENGINE_register_pkey_asn1_meths", + DST_R_OPENSSLFAILURE)); + if (ENGINE_ctrl_cmd_string(e, + "CRYPT_PARAMS", + "id-Gost28147-89-CryptoPro-A-ParamSet", + 0) <= 0) + DST_RET(dst__openssl_toresult2("ENGINE_ctrl_cmd_string", + DST_R_OPENSSLFAILURE)); if (*funcp == NULL) *funcp = &opensslgost_functions; return (ISC_R_SUCCESS); + + err: + ENGINE_finish(e); + ENGINE_free(e); + e = NULL; + return (ret); } #else /* HAVE_OPENSSL_GOST */ diff --git a/contrib/bind9/lib/dns/opensslrsa_link.c b/contrib/bind9/lib/dns/opensslrsa_link.c index a245618..80c3f57 100644 --- a/contrib/bind9/lib/dns/opensslrsa_link.c +++ b/contrib/bind9/lib/dns/opensslrsa_link.c @@ -156,7 +156,8 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) { EVP_MD_CTX_destroy(evp_md_ctx); - return (ISC_R_FAILURE); + return (dst__openssl_toresult2("EVP_DigestInit_ex", + ISC_R_FAILURE)); } dctx->ctxdata.evp_md_ctx = evp_md_ctx; #else @@ -304,7 +305,8 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) { #if USE_EVP if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) { - return (ISC_R_FAILURE); + return (dst__openssl_toresult2("EVP_DigestUpdate", + ISC_R_FAILURE)); } #else switch (dctx->key->key_alg) { @@ -374,10 +376,6 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { int status; int type = 0; unsigned int digestlen = 0; - char *message; - unsigned long err; - const char* file; - int line; #if OPENSSL_VERSION_NUMBER < 0x00908000L unsigned int prefixlen = 0; const unsigned char *prefix = NULL; @@ -397,7 +395,8 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { return (ISC_R_NOSPACE); if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) { - return (ISC_R_FAILURE); + return (dst__openssl_toresult2("EVP_SignFinal", + ISC_R_FAILURE)); } #else if (r.length < (unsigned int) RSA_size(rsa)) @@ -489,13 +488,9 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { INSIST(type != 0); status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa); #endif - if (status == 0) { - err = ERR_peek_error_line(&file, &line); - if (err != 0U) { - message = ERR_error_string(err, NULL); - } - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } + if (status == 0) + return (dst__openssl_toresult2("RSA_sign", + DST_R_OPENSSLFAILURE)); #endif isc_buffer_add(sig, siglen); @@ -615,7 +610,9 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) { original, rsa, RSA_PKCS1_PADDING); if (status <= 0) - return (DST_R_VERIFYFAILURE); + return (dst__openssl_toresult2( + "RSA_public_decrypt", + DST_R_VERIFYFAILURE)); if (status != (int)(prefixlen + digestlen)) return (DST_R_VERIFYFAILURE); if (memcmp(original, prefix, prefixlen)) @@ -636,7 +633,8 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) { #endif #endif if (status != 1) - return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); + return (dst__openssl_toresult2("RSA_verify", + DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS); } @@ -727,6 +725,7 @@ progress_cb(int p, int n, BN_GENCB *cb) static isc_result_t opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { #if OPENSSL_VERSION_NUMBER > 0x00908000L + isc_result_t ret = DST_R_OPENSSLFAILURE; BN_GENCB cb; union { void *dptr; @@ -776,6 +775,8 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { #endif return (ISC_R_SUCCESS); } + ret = dst__openssl_toresult2("RSA_generate_key_ex", + DST_R_OPENSSLFAILURE); err: #if USE_EVP @@ -786,7 +787,7 @@ err: BN_free(e); if (rsa != NULL) RSA_free(rsa); - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult(ret)); #else RSA *rsa; unsigned long e; @@ -810,7 +811,8 @@ err: #if USE_EVP EVP_PKEY_free(pkey); #endif - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + return (dst__openssl_toresult2("RSA_generate_key", + DST_R_OPENSSLFAILURE)); } SET_FLAGS(rsa); #if USE_EVP @@ -1009,6 +1011,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { rsa = key->keydata.rsa; #endif + memset(bufs, 0, sizeof(bufs)); for (i = 0; i < 8; i++) { bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n)); if (bufs[i] == NULL) { @@ -1162,7 +1165,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { /* read private key file */ ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); if (ret != ISC_R_SUCCESS) - return (ret); + goto err; for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { @@ -1188,10 +1191,10 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { if (e == NULL) DST_RET(DST_R_NOENGINE); pkey = ENGINE_load_private_key(e, label, NULL, NULL); - if (pkey == NULL) { - /* ERR_print_errors_fp(stderr); */ - DST_RET(ISC_R_NOTFOUND); - } + if (pkey == NULL) + DST_RET(dst__openssl_toresult2( + "ENGINE_load_private_key", + ISC_R_NOTFOUND)); key->engine = isc_mem_strdup(key->mctx, engine); if (key->engine == NULL) DST_RET(ISC_R_NOMEMORY); @@ -1336,7 +1339,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, } pkey = ENGINE_load_private_key(e, label, NULL, NULL); if (pkey == NULL) - DST_RET(ISC_R_NOTFOUND); + DST_RET(dst__openssl_toresult2("ENGINE_load_private_key", + ISC_R_NOTFOUND)); if (engine != NULL) { key->engine = isc_mem_strdup(key->mctx, engine); if (key->engine == NULL) diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c index a2523ba..ef721b8 100644 --- a/contrib/bind9/lib/dns/rbtdb.c +++ b/contrib/bind9/lib/dns/rbtdb.c @@ -113,6 +113,8 @@ typedef isc_uint32_t rbtdb_rdatatype_t; RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname) #define RBTDB_RDATATYPE_SIGDNAME \ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname) +#define RBTDB_RDATATYPE_SIGDDS \ + RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds) #define RBTDB_RDATATYPE_NCACHEANY \ RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any) @@ -4572,7 +4574,7 @@ get_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st) * configured earlier than this policy zone and does not have a higher * precedence type. */ -static isc_result_t +static void rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, dns_rdataset_t *ardataset, dns_rpz_st_t *st, @@ -4597,7 +4599,7 @@ rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, if (rbtdb->rpz_cidr == NULL) { RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - return (ISC_R_UNEXPECTED); + return; } dns_fixedname_init(&selfnamef); @@ -4659,7 +4661,7 @@ rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, dns_name_format(qname, namebuf, sizeof(namebuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, - "rpz_findips findnode(%s): %s", + "rpz_findips findnode(%s) failed: %s", namebuf, isc_result_totext(result)); continue; } @@ -4680,7 +4682,8 @@ rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, if (zrdataset.type != dns_rdatatype_cname) { rpz_policy = DNS_RPZ_POLICY_RECORD; } else { - rpz_policy = dns_rpz_decode_cname(&zrdataset, + rpz_policy = dns_rpz_decode_cname(rpz, + &zrdataset, selfname); if (rpz_policy == DNS_RPZ_POLICY_RECORD || rpz_policy == DNS_RPZ_POLICY_WILDCNAME) @@ -4738,7 +4741,7 @@ rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, st->m.type = rpz_type; st->m.prefix = prefix; st->m.policy = rpz_policy; - st->m.ttl = ttl; + st->m.ttl = ISC_MIN(ttl, rpz->max_policy_ttl); st->m.result = result; dns_name_copy(qname, st->qname, NULL); if ((rpz_policy == DNS_RPZ_POLICY_RECORD || @@ -4755,7 +4758,6 @@ rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, } RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - return (ISC_R_SUCCESS); } #endif @@ -5914,13 +5916,12 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, negtype = 0; if (rbtversion == NULL && !newheader_nx) { rdtype = RBTDB_RDATATYPE_BASE(newheader->type); + covers = RBTDB_RDATATYPE_EXT(newheader->type); + sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, covers); if (NEGATIVE(newheader)) { /* * We're adding a negative cache entry. */ - covers = RBTDB_RDATATYPE_EXT(newheader->type); - sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, - covers); for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next) { @@ -5953,14 +5954,20 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, * We're adding something that isn't a * negative cache entry. Look for an extant * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative - * cache entry. + * cache entry. If we're adding an RRSIG, also + * check for an extant non-stale NODATA ncache + * entry which covers the same type as the RRSIG. */ for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next) { - if (topheader->type == - RBTDB_RDATATYPE_NCACHEANY) - break; + if ((topheader->type == + RBTDB_RDATATYPE_NCACHEANY) || + (newheader->type == sigtype && + topheader->type == + RBTDB_RDATATYPE_VALUE(0, covers))) { + break; + } } if (topheader != NULL && EXISTS(topheader) && topheader->rdh_ttl > now) { @@ -5983,7 +5990,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, } /* * The new rdataset is better. Expire the - * NXDOMAIN/NODATA(QTYPE=ANY). + * ncache entry. */ set_ttl(rbtdb, topheader, 0); topheader->attributes |= RDATASET_ATTR_STALE; @@ -6145,7 +6152,9 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, } if (IS_CACHE(rbtdb) && header->rdh_ttl > now && (header->type == dns_rdatatype_a || - header->type == dns_rdatatype_aaaa) && + header->type == dns_rdatatype_aaaa || + header->type == dns_rdatatype_ds || + header->type == RBTDB_RDATATYPE_SIGDDS) && !header_nx && !newheader_nx && header->trust >= newheader->trust && dns_rdataslab_equal((unsigned char *)header, diff --git a/contrib/bind9/lib/dns/rcode.c b/contrib/bind9/lib/dns/rcode.c index 09f6d83..0b7fe8c 100644 --- a/contrib/bind9/lib/dns/rcode.c +++ b/contrib/bind9/lib/dns/rcode.c @@ -108,6 +108,8 @@ { DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \ { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \ { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \ + { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \ + { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \ { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \ { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \ { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \ diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c index d200f1b..60890e0 100644 --- a/contrib/bind9/lib/dns/rdata.c +++ b/contrib/bind9/lib/dns/rdata.c @@ -436,6 +436,8 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass, REQUIRE(DNS_RDATA_INITIALIZED(rdata)); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata)); } + REQUIRE(source != NULL); + REQUIRE(target != NULL); if (type == 0) return (DNS_R_FORMERR); @@ -536,13 +538,11 @@ rdata_validate(isc_buffer_t *src, isc_buffer_t *dest, dns_rdataclass_t rdclass, dns_rdatatype_t type) { dns_decompress_t dctx; - dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE); isc_buffer_setactive(src, isc_buffer_usedlength(src)); - result = dns_rdata_fromwire(&rdata, rdclass, type, src, - &dctx, 0, dest); + result = dns_rdata_fromwire(NULL, rdclass, type, src, &dctx, 0, dest); dns_decompress_invalidate(&dctx); return (result); @@ -1167,7 +1167,8 @@ txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) { if (n > tregion.length) return (ISC_R_NOSPACE); - memcpy(tregion.base, sregion.base, n); + if (tregion.base != sregion.base) + memcpy(tregion.base, sregion.base, n); isc_buffer_forward(source, n); isc_buffer_add(target, n); return (ISC_R_SUCCESS); @@ -1341,7 +1342,8 @@ mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) { isc_buffer_availableregion(target, &tr); if (length > tr.length) return (ISC_R_NOSPACE); - memcpy(tr.base, base, length); + if (tr.base != base) + memcpy(tr.base, base, length); isc_buffer_add(target, length); return (ISC_R_SUCCESS); } diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c index f447e7c..4dbcb1e 100644 --- a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c +++ b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c @@ -84,6 +84,9 @@ fromtext_dlv(ARGS_FROMTEXT) { case DNS_DSDIGEST_GOST: length = ISC_GOST_DIGESTLENGTH; break; + case DNS_DSDIGEST_SHA384: + length = ISC_SHA384_DIGESTLENGTH; + break; default: length = -1; break; @@ -162,7 +165,9 @@ fromwire_dlv(ARGS_FROMWIRE) { (sr.base[3] == DNS_DSDIGEST_SHA256 && sr.length < 4 + ISC_SHA256_DIGESTLENGTH) || (sr.base[3] == DNS_DSDIGEST_GOST && - sr.length < 4 + ISC_GOST_DIGESTLENGTH)) + sr.length < 4 + ISC_GOST_DIGESTLENGTH) || + (sr.base[3] == DNS_DSDIGEST_SHA384 && + sr.length < 4 + ISC_SHA384_DIGESTLENGTH)) return (ISC_R_UNEXPECTEDEND); /* @@ -176,6 +181,8 @@ fromwire_dlv(ARGS_FROMWIRE) { sr.length = 4 + ISC_SHA256_DIGESTLENGTH; else if (sr.base[3] == DNS_DSDIGEST_GOST) sr.length = 4 + ISC_GOST_DIGESTLENGTH; + else if (sr.base[3] == DNS_DSDIGEST_SHA384) + sr.length = 4 + ISC_SHA384_DIGESTLENGTH; isc_buffer_forward(source, sr.length); return (mem_tobuffer(target, sr.base, sr.length)); @@ -228,6 +235,9 @@ fromstruct_dlv(ARGS_FROMSTRUCT) { case DNS_DSDIGEST_GOST: REQUIRE(dlv->length == ISC_GOST_DIGESTLENGTH); break; + case DNS_DSDIGEST_SHA384: + REQUIRE(dlv->length == ISC_SHA384_DIGESTLENGTH); + break; } UNUSED(type); diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.c b/contrib/bind9/lib/dns/rdata/generic/ds_43.c index cece442..20bac85 100644 --- a/contrib/bind9/lib/dns/rdata/generic/ds_43.c +++ b/contrib/bind9/lib/dns/rdata/generic/ds_43.c @@ -84,6 +84,9 @@ fromtext_ds(ARGS_FROMTEXT) { case DNS_DSDIGEST_GOST: length = ISC_GOST_DIGESTLENGTH; break; + case DNS_DSDIGEST_SHA384: + length = ISC_SHA384_DIGESTLENGTH; + break; default: length = -1; break; @@ -162,7 +165,9 @@ fromwire_ds(ARGS_FROMWIRE) { (sr.base[3] == DNS_DSDIGEST_SHA256 && sr.length < 4 + ISC_SHA256_DIGESTLENGTH) || (sr.base[3] == DNS_DSDIGEST_GOST && - sr.length < 4 + ISC_GOST_DIGESTLENGTH)) + sr.length < 4 + ISC_GOST_DIGESTLENGTH) || + (sr.base[3] == DNS_DSDIGEST_SHA384 && + sr.length < 4 + ISC_SHA384_DIGESTLENGTH)) return (ISC_R_UNEXPECTEDEND); /* @@ -176,6 +181,8 @@ fromwire_ds(ARGS_FROMWIRE) { sr.length = 4 + ISC_SHA256_DIGESTLENGTH; else if (sr.base[3] == DNS_DSDIGEST_GOST) sr.length = 4 + ISC_GOST_DIGESTLENGTH; + else if (sr.base[3] == DNS_DSDIGEST_SHA384) + sr.length = 4 + ISC_SHA384_DIGESTLENGTH; isc_buffer_forward(source, sr.length); return (mem_tobuffer(target, sr.base, sr.length)); @@ -228,6 +235,9 @@ fromstruct_ds(ARGS_FROMSTRUCT) { case DNS_DSDIGEST_GOST: REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH); break; + case DNS_DSDIGEST_SHA384: + REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH); + break; } UNUSED(type); diff --git a/contrib/bind9/lib/dns/rdataset.c b/contrib/bind9/lib/dns/rdataset.c index 8c86549..026d771 100644 --- a/contrib/bind9/lib/dns/rdataset.c +++ b/contrib/bind9/lib/dns/rdataset.c @@ -26,6 +26,7 @@ #include <isc/buffer.h> #include <isc/mem.h> #include <isc/random.h> +#include <isc/serial.h> #include <isc/util.h> #include <dns/name.h> @@ -772,3 +773,30 @@ dns_rdataset_expire(dns_rdataset_t *rdataset) { if (rdataset->methods->expire != NULL) (rdataset->methods->expire)(rdataset); } + +void +dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, + dns_rdata_rrsig_t *rrsig, isc_stdtime_t now, + isc_boolean_t acceptexpired) +{ + isc_uint32_t ttl = 0; + + REQUIRE(DNS_RDATASET_VALID(rdataset)); + REQUIRE(DNS_RDATASET_VALID(sigrdataset)); + REQUIRE(rrsig != NULL); + + /* + * If we accept expired RRsets keep them for no more than 120 seconds. + */ + if (acceptexpired && + (isc_serial_le(rrsig->timeexpire, ((now + 120) & 0xffffffff)) || + isc_serial_le(rrsig->timeexpire, now))) + ttl = 120; + else if (isc_serial_ge(rrsig->timeexpire, now)) + ttl = rrsig->timeexpire - now; + + ttl = ISC_MIN(ISC_MIN(rdataset->ttl, sigrdataset->ttl), + ISC_MIN(rrsig->originalttl, ttl)); + rdataset->ttl = ttl; + sigrdataset->ttl = ttl; +} diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c index 4c8b144..503f1d2 100644 --- a/contrib/bind9/lib/dns/resolver.c +++ b/contrib/bind9/lib/dns/resolver.c @@ -105,8 +105,21 @@ #define QTRACE(m) #endif +#define US_PER_SEC 1000000U +/* + * The maximum time we will wait for a single query. + */ +#define MAX_SINGLE_QUERY_TIMEOUT 9U +#define MAX_SINGLE_QUERY_TIMEOUT_US (MAX_SINGLE_QUERY_TIMEOUT*US_PER_SEC) + +/* + * We need to allow a individual query time to complete / timeout. + */ +#define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U) + +/* The default time in seconds for the whole query to live. */ #ifndef DEFAULT_QUERY_TIMEOUT -#define DEFAULT_QUERY_TIMEOUT 30 /* The default time in seconds for the whole query to live. */ +#define DEFAULT_QUERY_TIMEOUT MINIMUM_QUERY_TIMEOUT #endif #ifndef MAXIMUM_QUERY_TIMEOUT @@ -821,8 +834,8 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp, */ INSIST(no_response); rtt = query->addrinfo->srtt + 200000; - if (rtt > 10000000) - rtt = 10000000; + if (rtt > MAX_SINGLE_QUERY_TIMEOUT_US) + rtt = MAX_SINGLE_QUERY_TIMEOUT_US; /* * Replace the current RTT with our value. */ @@ -1336,12 +1349,18 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) { us = (800000 << (fctx->restarts - 2)); /* - * Double the round-trip time. + * Add a fudge factor to the expected rtt based on the current + * estimate. */ - rtt *= 2; + if (rtt < 50000) + rtt += 50000; + else if (rtt < 100000) + rtt += 100000; + else + rtt += 200000; /* - * Always wait for at least the doubled round-trip time. + * Always wait for at least the expected rtt. */ if (us < rtt) us = rtt; @@ -1349,11 +1368,11 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) { /* * But don't ever wait for more than 10 seconds. */ - if (us > 10000000) - us = 10000000; + if (us > MAX_SINGLE_QUERY_TIMEOUT_US) + us = MAX_SINGLE_QUERY_TIMEOUT_US; - seconds = us / 1000000; - us -= seconds * 1000000; + seconds = us / US_PER_SEC; + us -= seconds * US_PER_SEC; isc_interval_set(&fctx->interval, seconds, us * 1000); } @@ -1375,6 +1394,11 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, task = res->buckets[fctx->bucketnum].task; srtt = addrinfo->srtt; + + /* + * A forwarder needs to make multiple queries. Give it at least + * a second to do these in. + */ if (ISFORWARDER(addrinfo) && srtt < 1000000) srtt = 1000000; @@ -8211,8 +8235,8 @@ dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx, "timeout:%u,lame:%u,neterr:%u,badresp:%u," "adberr:%u,findfail:%u,valfail:%u]", __FILE__, fctx->exitline, fctx->info, - fctx->duration / 1000000, - fctx->duration % 1000000, + fctx->duration / US_PER_SEC, + fctx->duration % US_PER_SEC, isc_result_totext(fctx->result), isc_result_totext(fctx->vresult), domainbuf, fctx->referrals, fctx->restarts, @@ -8818,6 +8842,8 @@ dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) { seconds = DEFAULT_QUERY_TIMEOUT; if (seconds > MAXIMUM_QUERY_TIMEOUT) seconds = MAXIMUM_QUERY_TIMEOUT; + if (seconds < MINIMUM_QUERY_TIMEOUT) + seconds = MINIMUM_QUERY_TIMEOUT; resolver->query_timeout = seconds; } diff --git a/contrib/bind9/lib/dns/rpz.c b/contrib/bind9/lib/dns/rpz.c index e3f4989..7865859 100644 --- a/contrib/bind9/lib/dns/rpz.c +++ b/contrib/bind9/lib/dns/rpz.c @@ -118,9 +118,9 @@ struct dns_rpz_cidr { isc_mem_t *mctx; isc_boolean_t have_nsdname; /* zone has NSDNAME record */ dns_rpz_cidr_node_t *root; - dns_name_t ip_name; /* RPZ_IP_ZONE.LOCALHOST. */ - dns_name_t nsip_name; /* RPZ_NSIP_ZONE.LOCALHOST. */ - dns_name_t nsdname_name; /* RPZ_NSDNAME_ZONE.LOCALHOST */ + dns_name_t ip_name; /* RPZ_IP_ZONE.origin. */ + dns_name_t nsip_name; /* RPZ_NSIP_ZONE.origin. */ + dns_name_t nsdname_name; /* RPZ_NSDNAME_ZONE.origin */ }; static isc_boolean_t have_rpz_zones = ISC_FALSE; @@ -183,7 +183,7 @@ dns_rpz_policy2str(dns_rpz_policy_t policy) { str = "NODATA"; break; case DNS_RPZ_POLICY_RECORD: - str = "records"; + str = "Local-Data"; break; case DNS_RPZ_POLICY_CNAME: case DNS_RPZ_POLICY_WILDCNAME: @@ -255,6 +255,8 @@ dns_rpz_view_destroy(dns_view_t *view) { ISC_LIST_UNLINK(view->rpz_zones, zone, link); if (dns_name_dynamic(&zone->origin)) dns_name_free(&zone->origin, view->mctx); + if (dns_name_dynamic(&zone->passthru)) + dns_name_free(&zone->passthru, view->mctx); if (dns_name_dynamic(&zone->nsdname)) dns_name_free(&zone->nsdname, view->mctx); if (dns_name_dynamic(&zone->cname)) @@ -427,14 +429,16 @@ new_node(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *ip, } static void -badname(int level, dns_name_t *name, const char *comment) { +badname(int level, dns_name_t *name, const char *str1, const char *str2) { char printname[DNS_NAME_FORMATSIZE]; - if (isc_log_wouldlog(dns_lctx, level)) { + if (level < DNS_RPZ_DEBUG_QUIET + && isc_log_wouldlog(dns_lctx, level)) { dns_name_format(name, printname, sizeof(printname)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB, level, - "invalid rpz \"%s\"%s", printname, comment); + "invalid rpz IP address \"%s\"%s%s", + printname, str1, str2); } } @@ -566,11 +570,11 @@ name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, dns_rpz_type_t type, dns_rpz_cidr_key_t *tgt_ip, dns_rpz_cidr_bits_t *tgt_prefix) { - isc_buffer_t buffer; - unsigned char data[DNS_NAME_MAXWIRE+1]; + isc_result_t result; dns_fixedname_t fname; - dns_name_t *name; - const char *cp, *end; + dns_name_t *ipname; + char ipstr[DNS_NAME_FORMATSIZE]; + const char *prefix_str, *cp, *end; char *cp2; int ip_labels; dns_rpz_cidr_bits_t bits; @@ -585,37 +589,43 @@ name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, ip_labels -= dns_name_countlabels(&cidr->ip_name); ip_labels--; if (ip_labels < 1) { - badname(level, src_name, ", too short"); + badname(level, src_name, "; too short", ""); return (ISC_R_FAILURE); } /* - * Get text for the IP address without RPZ_x_ZONE.rpz.LOCALHOST. + * Get text for the IP address */ dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); + ipname = dns_fixedname_name(&fname); dns_name_split(src_name, dns_name_countlabels(&cidr->ip_name), - name, NULL); - isc_buffer_init(&buffer, data, sizeof(data)); - dns_name_totext(name, ISC_TRUE, &buffer); - isc_buffer_putuint8(&buffer, '\0'); - cp = isc_buffer_base(&buffer); - - prefix = strtoul(cp, &cp2, 10); - if (prefix < 1U || prefix > 128U || *cp2 != '.') { - badname(level, src_name, ", bad prefix length"); + ipname, NULL); + dns_name_format(ipname, ipstr, sizeof(ipstr)); + end = &ipstr[strlen(ipstr)+1]; + prefix_str = ipstr; + + prefix = strtoul(prefix_str, &cp2, 10); + if (*cp2 != '.') { + badname(level, src_name, + "; invalid leading prefix length", ""); + return (ISC_R_FAILURE); + } + *cp2 = '\0'; + if (prefix < 1U || prefix > 128U) { + badname(level, src_name, + "; invalid prefix length of ", prefix_str); return (ISC_R_FAILURE); } cp = cp2+1; - end = isc_buffer_used(&buffer); if (ip_labels == 4 && !strchr(cp, 'z')) { /* * Convert an IPv4 address * from the form "prefix.w.z.y.x" */ if (prefix > 32U) { - badname(level, src_name, "; bad IPv4 prefix length"); + badname(level, src_name, + "; invalid IPv4 prefix length of ", prefix_str); return (ISC_R_FAILURE); } prefix += 96; @@ -627,7 +637,10 @@ name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, for (i = 0; i < 32; i += 8) { l = strtoul(cp, &cp2, 10); if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) { - badname(level, src_name, "; bad IPv4 address"); + if (*cp2 == '.') + *cp2 = '\0'; + badname(level, src_name, + "; invalid IPv4 octet ", cp); return (ISC_R_FAILURE); } tgt_ip->w[3] |= l << i; @@ -654,7 +667,10 @@ name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, l = strtoul(cp, &cp2, 16); if (l > 0xffffu || (*cp2 != '.' && *cp2 != '\0')) { - badname(level, src_name, ""); + if (*cp2 == '.') + *cp2 = '\0'; + badname(level, src_name, + "; invalid IPv6 word ", cp); return (ISC_R_FAILURE); } if ((i & 1) == 0) @@ -667,7 +683,7 @@ name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, } } if (cp != end) { - badname(level, src_name, ""); + badname(level, src_name, "", ""); return (ISC_R_FAILURE); } @@ -681,7 +697,8 @@ name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, i = bits % DNS_RPZ_CIDR_WORD_BITS; aword = tgt_ip->w[bits / DNS_RPZ_CIDR_WORD_BITS]; if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) { - badname(level, src_name, "; wrong prefix length"); + badname(level, src_name, + "; too small prefix length of ", prefix_str); return (ISC_R_FAILURE); } bits -= i; @@ -689,13 +706,13 @@ name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, } /* - * Convert the IPv6 address back to a canonical policy domain name + * Convert the address back to a canonical policy domain name * to ensure that it is in canonical form. */ - if (ISC_R_SUCCESS != ip2name(cidr, tgt_ip, (dns_rpz_cidr_bits_t)prefix, - type, NULL, name) || - !dns_name_equal(src_name, name)) { - badname(level, src_name, "; not canonical"); + result = ip2name(cidr, tgt_ip, (dns_rpz_cidr_bits_t) prefix, + type, NULL, ipname); + if (result != ISC_R_SUCCESS || !dns_name_equal(src_name, ipname)) { + badname(level, src_name, "; not canonical", ""); return (ISC_R_FAILURE); } @@ -934,6 +951,7 @@ search(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip, */ void dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name) { + isc_result_t result; dns_rpz_cidr_key_t tgt_ip; dns_rpz_cidr_bits_t tgt_prefix; dns_rpz_type_t type; @@ -956,19 +974,22 @@ dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name) { case DNS_RPZ_TYPE_BAD: return; } - if (ISC_R_SUCCESS != name2ipkey(cidr, DNS_RPZ_ERROR_LEVEL, name, - type, &tgt_ip, &tgt_prefix)) + result = name2ipkey(cidr, DNS_RPZ_ERROR_LEVEL, name, + type, &tgt_ip, &tgt_prefix); + if (result != ISC_R_SUCCESS) return; - if (ISC_R_EXISTS == search(cidr, &tgt_ip, tgt_prefix, type, - ISC_TRUE, NULL) && - isc_log_wouldlog(dns_lctx, DNS_RPZ_ERROR_LEVEL)) { + result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_TRUE, NULL); + if (result == ISC_R_EXISTS && + isc_log_wouldlog(dns_lctx, DNS_RPZ_ERROR_LEVEL)) + { char printname[DNS_NAME_FORMATSIZE]; dns_name_format(name, printname, sizeof(printname)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, - "duplicate rpz name \"%s\"", printname); + "rpz add failed; \"%s\" is a duplicate name", + printname); } } @@ -978,6 +999,7 @@ dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name) { */ void dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name) { + isc_result_t result; dns_rpz_cidr_key_t tgt_ip; dns_rpz_cidr_bits_t tgt_prefix; dns_rpz_type_t type; @@ -1010,19 +1032,14 @@ dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name) { /* * Do not get excited about the deletion of interior rbt nodes. */ - if (ISC_R_SUCCESS != name2ipkey(cidr, DNS_RPZ_DEBUG_LEVEL3, name, - type, &tgt_ip, &tgt_prefix)) + result = name2ipkey(cidr, DNS_RPZ_DEBUG_QUIET, name, + type, &tgt_ip, &tgt_prefix); + if (result != ISC_R_SUCCESS) return; - if (ISC_R_SUCCESS != search(cidr, &tgt_ip, tgt_prefix, type, - ISC_FALSE, &tgt)) { - if (isc_log_wouldlog(dns_lctx, DNS_RPZ_ERROR_LEVEL)) { - char printname[DNS_NAME_FORMATSIZE]; - - dns_name_format(name, printname, sizeof(printname)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, - DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, - "missing rpz node \"%s\"", printname); - } + + result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_FALSE, &tgt); + if (result != ISC_R_SUCCESS) { + badname(DNS_RPZ_ERROR_LEVEL, name, "; missing rpz node", ""); return; } @@ -1135,7 +1152,9 @@ dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr, * Translate CNAME rdata to a QNAME response policy action. */ dns_rpz_policy_t -dns_rpz_decode_cname(dns_rdataset_t *rdataset, dns_name_t *selfname) { +dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, + dns_name_t *selfname) +{ dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_cname_t cname; isc_result_t result; @@ -1171,7 +1190,13 @@ dns_rpz_decode_cname(dns_rdataset_t *rdataset, dns_name_t *selfname) { } /* - * 128.1.0.127.rpz-ip CNAME 128.1.0.0.127. means "do not rewrite" + * CNAME PASSTHRU.origin means "do not rewrite. + */ + if (dns_name_equal(&cname.cname, &rpz->passthru)) + return (DNS_RPZ_POLICY_PASSTHRU); + + /* + * 128.1.0.127.rpz-ip CNAME 128.1.0.0.127. is obsolete PASSTHRU */ if (selfname != NULL && dns_name_equal(&cname.cname, selfname)) return (DNS_RPZ_POLICY_PASSTHRU); diff --git a/contrib/bind9/lib/dns/spnego_asn1.pl b/contrib/bind9/lib/dns/spnego_asn1.pl index 93dd676..0aaa57f 100755 --- a/contrib/bind9/lib/dns/spnego_asn1.pl +++ b/contrib/bind9/lib/dns/spnego_asn1.pl @@ -1,6 +1,6 @@ #!/bin/bin/perl -w # -# Copyright (C) 2006, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2006, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c index 3f9aae7..674675f 100644 --- a/contrib/bind9/lib/dns/validator.c +++ b/contrib/bind9/lib/dns/validator.c @@ -2075,15 +2075,13 @@ validate(dns_validator_t *val, isc_boolean_t resume) { validator_log(val, ISC_LOG_DEBUG(3), "failed to verify rdataset"); else { - isc_uint32_t ttl; isc_stdtime_t now; isc_stdtime_get(&now); - ttl = ISC_MIN(event->rdataset->ttl, - ISC_MIN(val->siginfo->originalttl, - val->siginfo->timeexpire - now)); - event->rdataset->ttl = ttl; - event->sigrdataset->ttl = ttl; + dns_rdataset_trimttl(event->rdataset, + event->sigrdataset, + val->siginfo, now, + val->view->acceptexpired); } if (val->keynode != NULL) diff --git a/contrib/bind9/lib/dns/view.c b/contrib/bind9/lib/dns/view.c index 4590693..6750058 100644 --- a/contrib/bind9/lib/dns/view.c +++ b/contrib/bind9/lib/dns/view.c @@ -193,6 +193,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, view->v4_aaaa = dns_v4_aaaa_ok; view->v4_aaaa_acl = NULL; ISC_LIST_INIT(view->rpz_zones); + view->rpz_recursive_only = ISC_TRUE; + view->rpz_break_dnssec = ISC_FALSE; dns_fixedname_init(&view->dlv_fixed); view->managed_keys = NULL; #ifdef BIND9 diff --git a/contrib/bind9/lib/dns/zone.c b/contrib/bind9/lib/dns/zone.c index efe31eb..22db239 100644 --- a/contrib/bind9/lib/dns/zone.c +++ b/contrib/bind9/lib/dns/zone.c @@ -3082,7 +3082,7 @@ zone_journal(dns_zone_t *zone, dns_diff_t *diff, const char *caller) { ISC_TRUE, &journal); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "%s:dns_journal_open -> %s\n", + "%s:dns_journal_open -> %s", caller, dns_result_totext(result)); return (result); } @@ -3091,7 +3091,7 @@ zone_journal(dns_zone_t *zone, dns_diff_t *diff, const char *caller) { dns_journal_destroy(&journal); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "%s:dns_journal_write_transaction -> %s\n", + "%s:dns_journal_write_transaction -> %s", caller, dns_result_totext(result)); return (result); } @@ -3116,7 +3116,7 @@ add_soa(dns_zone_t *zone, dns_db_t *db) { result = dns_db_newversion(db, &ver); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "add_soa:dns_db_newversion -> %s\n", + "add_soa:dns_db_newversion -> %s", dns_result_totext(result)); goto failure; } @@ -3126,7 +3126,7 @@ add_soa(dns_zone_t *zone, dns_db_t *db) { 0, 0, 0, 0, 0, buf, &rdata); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "add_soa:dns_soa_buildrdata -> %s\n", + "add_soa:dns_soa_buildrdata -> %s", dns_result_totext(result)); goto failure; } @@ -3178,7 +3178,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { result = dns_db_newversion(db, &ver); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "sync_keyzone:dns_db_newversion -> %s\n", + "sync_keyzone:dns_db_newversion -> %s", dns_result_totext(result)); goto failure; } @@ -4939,7 +4939,7 @@ zone_resigninc(dns_zone_t *zone) { result = dns_db_newversion(db, &version); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:dns_db_newversion -> %s\n", + "zone_resigninc:dns_db_newversion -> %s", dns_result_totext(result)); goto failure; } @@ -4948,7 +4948,7 @@ zone_resigninc(dns_zone_t *zone) { zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:find_zone_keys -> %s\n", + "zone_resigninc:find_zone_keys -> %s", dns_result_totext(result)); goto failure; } @@ -4972,7 +4972,7 @@ zone_resigninc(dns_zone_t *zone) { result = dns_db_getsigningtime(db, &rdataset, name); if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:dns_db_getsigningtime -> %s\n", + "zone_resigninc:dns_db_getsigningtime -> %s", dns_result_totext(result)); } @@ -4996,7 +4996,7 @@ zone_resigninc(dns_zone_t *zone) { zone_keys, nkeys, now, ISC_TRUE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:del_sigs -> %s\n", + "zone_resigninc:del_sigs -> %s", dns_result_totext(result)); break; } @@ -5006,7 +5006,7 @@ zone_resigninc(dns_zone_t *zone) { expire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:add_sigs -> %s\n", + "zone_resigninc:add_sigs -> %s", dns_result_totext(result)); break; } @@ -5018,7 +5018,7 @@ zone_resigninc(dns_zone_t *zone) { } if (result != ISC_R_SUCCESS) dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:dns_db_getsigningtime -> %s\n", + "zone_resigninc:dns_db_getsigningtime -> %s", dns_result_totext(result)); } @@ -5029,7 +5029,7 @@ zone_resigninc(dns_zone_t *zone) { &sig_diff, zone_keys, nkeys, now, ISC_TRUE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:del_sigs -> %s\n", + "zone_resigninc:del_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -5044,7 +5044,7 @@ zone_resigninc(dns_zone_t *zone) { result = increment_soa_serial(db, version, &sig_diff, zone->mctx); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:increment_soa_serial -> %s\n", + "zone_resigninc:increment_soa_serial -> %s", dns_result_totext(result)); goto failure; } @@ -5058,7 +5058,7 @@ zone_resigninc(dns_zone_t *zone) { soaexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:add_sigs -> %s\n", + "zone_resigninc:add_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -5753,7 +5753,7 @@ update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version, zone_keys, nkeys, now, ISC_FALSE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "update_sigs:del_sigs -> %s\n", + "update_sigs:del_sigs -> %s", dns_result_totext(result)); return (result); } @@ -5763,7 +5763,7 @@ update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version, expire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "update_sigs:add_sigs -> %s\n", + "update_sigs:add_sigs -> %s", dns_result_totext(result)); return (result); } @@ -5848,7 +5848,7 @@ zone_nsec3chain(dns_zone_t *zone) { result = dns_db_newversion(db, &version); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:dns_db_newversion -> %s\n", + "zone_nsec3chain:dns_db_newversion -> %s", dns_result_totext(result)); goto failure; } @@ -5857,7 +5857,7 @@ zone_nsec3chain(dns_zone_t *zone) { DNS_MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:find_zone_keys -> %s\n", + "zone_nsec3chain:find_zone_keys -> %s", dns_result_totext(result)); goto failure; } @@ -6003,7 +6003,7 @@ zone_nsec3chain(dns_zone_t *zone) { &nsec3_diff); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns_nsec3_addnsec3 -> %s\n", + "dns_nsec3_addnsec3 -> %s", dns_result_totext(result)); goto failure; } @@ -6061,7 +6061,7 @@ zone_nsec3chain(dns_zone_t *zone) { } else if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns_dbiterator_next -> %s\n", + "dns_dbiterator_next -> %s", dns_result_totext(result)); goto failure; } else if (delegation) { @@ -6119,7 +6119,7 @@ zone_nsec3chain(dns_zone_t *zone) { if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "need_nsec_chain -> %s\n", + "need_nsec_chain -> %s", dns_result_totext(result)); goto failure; } @@ -6144,7 +6144,7 @@ zone_nsec3chain(dns_zone_t *zone) { if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "fixup_nsec3param -> %s\n", + "fixup_nsec3param -> %s", dns_result_totext(result)); goto failure; } @@ -6159,7 +6159,7 @@ zone_nsec3chain(dns_zone_t *zone) { if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "deletematchingnsec3 -> %s\n", + "deletematchingnsec3 -> %s", dns_result_totext(result)); goto failure; } @@ -6260,7 +6260,7 @@ zone_nsec3chain(dns_zone_t *zone) { if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "fixup_nsec3param -> %s\n", + "fixup_nsec3param -> %s", dns_result_totext(result)); goto failure; } @@ -6268,7 +6268,7 @@ zone_nsec3chain(dns_zone_t *zone) { } else if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns_dbiterator_next -> %s\n", + "dns_dbiterator_next -> %s", dns_result_totext(result)); goto failure; } else if (delegation) { @@ -6305,7 +6305,7 @@ zone_nsec3chain(dns_zone_t *zone) { result = dns_db_allrdatasets(db, node, version, 0, &iterator); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns_db_allrdatasets -> %s\n", + "dns_db_allrdatasets -> %s", dns_result_totext(result)); goto failure; } @@ -6331,7 +6331,7 @@ zone_nsec3chain(dns_zone_t *zone) { if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "updatesecure -> %s\n", + "updatesecure -> %s", dns_result_totext(result)); goto failure; } @@ -6344,7 +6344,7 @@ zone_nsec3chain(dns_zone_t *zone) { if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns_nsec3_addnsec3s -> %s\n", + "dns_nsec3_addnsec3s -> %s", dns_result_totext(result)); goto failure; } @@ -6359,7 +6359,7 @@ zone_nsec3chain(dns_zone_t *zone) { check_ksk, keyset_kskonly, &sig_diff); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "update_sigs -> %s\n", dns_result_totext(result)); + "update_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -6372,7 +6372,7 @@ zone_nsec3chain(dns_zone_t *zone) { check_ksk, keyset_kskonly, &sig_diff); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "update_sigs -> %s\n", dns_result_totext(result)); + "update_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -6383,7 +6383,7 @@ zone_nsec3chain(dns_zone_t *zone) { zone->minimum, ISC_FALSE, &nsec_diff); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "updatesecure -> %s\n", + "updatesecure -> %s", dns_result_totext(result)); goto failure; } @@ -6394,7 +6394,7 @@ zone_nsec3chain(dns_zone_t *zone) { check_ksk, keyset_kskonly, &sig_diff); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "update_sigs -> %s\n", dns_result_totext(result)); + "update_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -6409,14 +6409,14 @@ zone_nsec3chain(dns_zone_t *zone) { &sig_diff, zone_keys, nkeys, now, ISC_FALSE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "del_sigs -> %s\n", dns_result_totext(result)); + "del_sigs -> %s", dns_result_totext(result)); goto failure; } result = increment_soa_serial(db, version, &sig_diff, zone->mctx); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "increment_soa_serial -> %s\n", + "increment_soa_serial -> %s", dns_result_totext(result)); goto failure; } @@ -6426,7 +6426,7 @@ zone_nsec3chain(dns_zone_t *zone) { soaexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "add_sigs -> %s\n", dns_result_totext(result)); + "add_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -6470,7 +6470,7 @@ zone_nsec3chain(dns_zone_t *zone) { failure: if (result != ISC_R_SUCCESS) - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s\n", + dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s", dns_result_totext(result)); /* * On error roll back the current nsec3chain. @@ -6673,7 +6673,7 @@ zone_sign(dns_zone_t *zone) { result = dns_db_newversion(db, &version); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:dns_db_newversion -> %s\n", + "zone_sign:dns_db_newversion -> %s", dns_result_totext(result)); goto failure; } @@ -6682,7 +6682,7 @@ zone_sign(dns_zone_t *zone) { DNS_MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:find_zone_keys -> %s\n", + "zone_sign:find_zone_keys -> %s", dns_result_totext(result)); goto failure; } @@ -6903,7 +6903,7 @@ zone_sign(dns_zone_t *zone) { if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "updatesecure -> %s\n", + "updatesecure -> %s", dns_result_totext(result)); goto failure; } @@ -6915,8 +6915,7 @@ zone_sign(dns_zone_t *zone) { &post_diff); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "updatesignwithkey " - "-> %s\n", + "updatesignwithkey -> %s", dns_result_totext(result)); goto failure; } @@ -6924,7 +6923,7 @@ zone_sign(dns_zone_t *zone) { goto next_signing; } else if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:dns_dbiterator_next -> %s\n", + "zone_sign:dns_dbiterator_next -> %s", dns_result_totext(result)); goto failure; } else if (delegation) { @@ -6950,7 +6949,7 @@ zone_sign(dns_zone_t *zone) { check_ksk, keyset_kskonly, &sig_diff); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:" - "update_sigs -> %s\n", + "update_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -6970,7 +6969,7 @@ zone_sign(dns_zone_t *zone) { &sig_diff, zone_keys, nkeys, now, ISC_FALSE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:del_sigs -> %s\n", + "zone_sign:del_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -6978,7 +6977,7 @@ zone_sign(dns_zone_t *zone) { result = increment_soa_serial(db, version, &sig_diff, zone->mctx); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:increment_soa_serial -> %s\n", + "zone_sign:increment_soa_serial -> %s", dns_result_totext(result)); goto failure; } @@ -6992,7 +6991,7 @@ zone_sign(dns_zone_t *zone) { soaexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:add_sigs -> %s\n", + "zone_sign:add_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -8034,7 +8033,7 @@ zone_maintenance(dns_zone_t *zone) { DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) && DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP)) { dumping = was_dumping(zone); - } else + } else dumping = ISC_TRUE; UNLOCK_ZONE(zone); if (!dumping) { @@ -14008,7 +14007,7 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "sign_apex:find_zone_keys -> %s\n", + "sign_apex:find_zone_keys -> %s", dns_result_totext(result)); return (result); } @@ -14039,7 +14038,7 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, zone_keys, nkeys, now, ISC_FALSE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "sign_apex:del_sigs -> %s\n", + "sign_apex:del_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -14049,7 +14048,7 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, keyset_kskonly); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "sign_apex:add_sigs -> %s\n", + "sign_apex:add_sigs -> %s", dns_result_totext(result)); goto failure; } @@ -14061,7 +14060,7 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "sign_apex:update_sigs -> %s\n", + "sign_apex:update_sigs -> %s", dns_result_totext(result)); goto failure; } diff --git a/contrib/bind9/lib/export/Makefile.in b/contrib/bind9/lib/export/Makefile.in index fc9d4ad..1fd7216 100644 --- a/contrib/bind9/lib/export/Makefile.in +++ b/contrib/bind9/lib/export/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/dns/Makefile.in b/contrib/bind9/lib/export/dns/Makefile.in index cd72988..6df36fe 100644 --- a/contrib/bind9/lib/export/dns/Makefile.in +++ b/contrib/bind9/lib/export/dns/Makefile.in @@ -44,7 +44,7 @@ LIBS = @LIBS@ # Alphabetically OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \ - opensslgost_link.@O@ opensslrsa_link.@O@ + opensslecdsa_link.@O@ opensslgost_link.@O@ opensslrsa_link.@O@ DSTOBJS = @OPENSSLLINKOBJS@ \ dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \ @@ -72,7 +72,7 @@ OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} ${PORTDNSOBJS} # Alphabetically OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \ - opensslgost_link.c opensslrsa_link.c + opensslecdsa_link.c opensslgost_link.c opensslrsa_link.c DSTSRCS = @OPENSSLLINKSRCS@ \ dst_api.c dst_lib.c dst_parse.c \ diff --git a/contrib/bind9/lib/export/dns/include/Makefile.in b/contrib/bind9/lib/export/dns/include/Makefile.in index 9fc0b66..6bf1205 100644 --- a/contrib/bind9/lib/export/dns/include/Makefile.in +++ b/contrib/bind9/lib/export/dns/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/dns/include/dns/Makefile.in b/contrib/bind9/lib/export/dns/include/dns/Makefile.in index 2d7f2c7..b7f51b4 100644 --- a/contrib/bind9/lib/export/dns/include/dns/Makefile.in +++ b/contrib/bind9/lib/export/dns/include/dns/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/dns/include/dst/Makefile.in b/contrib/bind9/lib/export/dns/include/dst/Makefile.in index 259e62e..f6f540a 100644 --- a/contrib/bind9/lib/export/dns/include/dst/Makefile.in +++ b/contrib/bind9/lib/export/dns/include/dst/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/irs/include/irs/Makefile.in b/contrib/bind9/lib/export/irs/include/irs/Makefile.in index c850757..530e67c 100644 --- a/contrib/bind9/lib/export/irs/include/irs/Makefile.in +++ b/contrib/bind9/lib/export/irs/include/irs/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isc/Makefile.in b/contrib/bind9/lib/export/isc/Makefile.in index a55a1f4..86726ab 100644 --- a/contrib/bind9/lib/export/isc/Makefile.in +++ b/contrib/bind9/lib/export/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isc/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/include/isc/Makefile.in index 2499185..91f538c 100644 --- a/contrib/bind9/lib/export/isc/include/isc/Makefile.in +++ b/contrib/bind9/lib/export/isc/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isc/nls/Makefile.in b/contrib/bind9/lib/export/isc/nls/Makefile.in index a9e779f..2515685 100644 --- a/contrib/bind9/lib/export/isc/nls/Makefile.in +++ b/contrib/bind9/lib/export/isc/nls/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isc/nothreads/Makefile.in b/contrib/bind9/lib/export/isc/nothreads/Makefile.in index 93b2109..994da63 100644 --- a/contrib/bind9/lib/export/isc/nothreads/Makefile.in +++ b/contrib/bind9/lib/export/isc/nothreads/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in index eb25c88..9bda987 100644 --- a/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in +++ b/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isc/pthreads/Makefile.in b/contrib/bind9/lib/export/isc/pthreads/Makefile.in index 92788ec..f08e5c6 100644 --- a/contrib/bind9/lib/export/isc/pthreads/Makefile.in +++ b/contrib/bind9/lib/export/isc/pthreads/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in index 77d5c07..4319768 100644 --- a/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in +++ b/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isc/unix/Makefile.in b/contrib/bind9/lib/export/isc/unix/Makefile.in index 5a8eed8..f5cf7e8 100644 --- a/contrib/bind9/lib/export/isc/unix/Makefile.in +++ b/contrib/bind9/lib/export/isc/unix/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in index f19b8c6..7159c76 100644 --- a/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in +++ b/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in b/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in index 5e9ea78..57a344c 100644 --- a/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in +++ b/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/samples/Makefile-postinstall.in b/contrib/bind9/lib/export/samples/Makefile-postinstall.in index 174aed6..5b1aafb 100644 --- a/contrib/bind9/lib/export/samples/Makefile-postinstall.in +++ b/contrib/bind9/lib/export/samples/Makefile-postinstall.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/export/samples/Makefile.in b/contrib/bind9/lib/export/samples/Makefile.in index c60baac..cdc66b1 100644 --- a/contrib/bind9/lib/export/samples/Makefile.in +++ b/contrib/bind9/lib/export/samples/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/irs/Makefile.in b/contrib/bind9/lib/irs/Makefile.in index ed86967..d3c47b0 100644 --- a/contrib/bind9/lib/irs/Makefile.in +++ b/contrib/bind9/lib/irs/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/irs/include/Makefile.in b/contrib/bind9/lib/irs/include/Makefile.in index eca1945..91099f1 100644 --- a/contrib/bind9/lib/irs/include/Makefile.in +++ b/contrib/bind9/lib/irs/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/irs/include/irs/Makefile.in b/contrib/bind9/lib/irs/include/irs/Makefile.in index 3c3b612..63e7fd6 100644 --- a/contrib/bind9/lib/irs/include/irs/Makefile.in +++ b/contrib/bind9/lib/irs/include/irs/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/alpha/Makefile.in b/contrib/bind9/lib/isc/alpha/Makefile.in index 324db07..9c24cdf 100644 --- a/contrib/bind9/lib/isc/alpha/Makefile.in +++ b/contrib/bind9/lib/isc/alpha/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/alpha/include/Makefile.in b/contrib/bind9/lib/isc/alpha/include/Makefile.in index f1d8bdd..e399559 100644 --- a/contrib/bind9/lib/isc/alpha/include/Makefile.in +++ b/contrib/bind9/lib/isc/alpha/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/alpha/include/isc/Makefile.in b/contrib/bind9/lib/isc/alpha/include/isc/Makefile.in index 5f116ca..4927e21 100644 --- a/contrib/bind9/lib/isc/alpha/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/alpha/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/api b/contrib/bind9/lib/isc/api index 3b91551..18de29c 100644 --- a/contrib/bind9/lib/isc/api +++ b/contrib/bind9/lib/isc/api @@ -3,6 +3,6 @@ # 9.7: 60-79 # 9.8: 80-89 # 9.9: 90-109 -LIBINTERFACE = 83 -LIBREVISION = 5 -LIBAGE = 0 +LIBINTERFACE = 85 +LIBREVISION = 0 +LIBAGE = 1 diff --git a/contrib/bind9/lib/isc/ia64/Makefile.in b/contrib/bind9/lib/isc/ia64/Makefile.in index 324db07..9c24cdf 100644 --- a/contrib/bind9/lib/isc/ia64/Makefile.in +++ b/contrib/bind9/lib/isc/ia64/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/ia64/include/Makefile.in b/contrib/bind9/lib/isc/ia64/include/Makefile.in index f1d8bdd..e399559 100644 --- a/contrib/bind9/lib/isc/ia64/include/Makefile.in +++ b/contrib/bind9/lib/isc/ia64/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/ia64/include/isc/Makefile.in b/contrib/bind9/lib/isc/ia64/include/isc/Makefile.in index 5f116ca..4927e21 100644 --- a/contrib/bind9/lib/isc/ia64/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/ia64/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/ia64/include/isc/atomic.h b/contrib/bind9/lib/isc/ia64/include/isc/atomic.h index 74df4c5..557941d 100644 --- a/contrib/bind9/lib/isc/ia64/include/isc/atomic.h +++ b/contrib/bind9/lib/isc/ia64/include/isc/atomic.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2006, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/include/Makefile.in b/contrib/bind9/lib/isc/include/Makefile.in index 04778d7..70c165e 100644 --- a/contrib/bind9/lib/isc/include/Makefile.in +++ b/contrib/bind9/lib/isc/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/include/isc/file.h b/contrib/bind9/lib/isc/include/isc/file.h index 8794065..38f78b7 100644 --- a/contrib/bind9/lib/isc/include/isc/file.h +++ b/contrib/bind9/lib/isc/include/isc/file.h @@ -25,6 +25,7 @@ #include <stdio.h> #include <isc/lang.h> +#include <isc/stat.h> #include <isc/types.h> ISC_LANG_BEGINDECLS @@ -33,6 +34,9 @@ isc_result_t isc_file_settime(const char *file, isc_time_t *time); isc_result_t +isc_file_mode(const char *file, mode_t *modep); + +isc_result_t isc_file_getmodtime(const char *file, isc_time_t *time); /*!< * \brief Get the time of last modification of a file. @@ -97,15 +101,22 @@ isc_file_mktemplate(const char *path, char *buf, size_t buflen); * of the path with the internal template string. */ - isc_result_t isc_file_openunique(char *templet, FILE **fp); isc_result_t isc_file_openuniqueprivate(char *templet, FILE **fp); isc_result_t isc_file_openuniquemode(char *templet, int mode, FILE **fp); +isc_result_t +isc_file_bopenunique(char *templet, FILE **fp); +isc_result_t +isc_file_bopenuniqueprivate(char *templet, FILE **fp); +isc_result_t +isc_file_bopenuniquemode(char *templet, int mode, FILE **fp); /*!< * \brief Create and open a file with a unique name based on 'templet'. + * isc_file_bopen*() open the file in binary mode in Windows. + * isc_file_open*() open the file in text mode in Windows. * * Notes: *\li 'template' is a reserved work in C++. If you want to complain diff --git a/contrib/bind9/lib/isc/include/isc/namespace.h b/contrib/bind9/lib/isc/include/isc/namespace.h index 158cfe5..ae1801d 100644 --- a/contrib/bind9/lib/isc/include/isc/namespace.h +++ b/contrib/bind9/lib/isc/include/isc/namespace.h @@ -146,6 +146,8 @@ #define isc_task_getcurrenttime isc__task_getcurrenttime #define isc_taskmgr_create isc__taskmgr_create #define isc_taskmgr_destroy isc__taskmgr_destroy +#define isc_taskmgr_setexcltask isc__taskmgr_setexcltask +#define isc_taskmgr_excltask isc__taskmgr_excltask #define isc_task_beginexclusive isc__task_beginexclusive #define isc_task_endexclusive isc__task_endexclusive diff --git a/contrib/bind9/lib/isc/include/isc/task.h b/contrib/bind9/lib/isc/include/isc/task.h index 36fca36..19d4783 100644 --- a/contrib/bind9/lib/isc/include/isc/task.h +++ b/contrib/bind9/lib/isc/include/isc/task.h @@ -106,6 +106,8 @@ typedef struct isc_taskmgrmethods { isc_result_t (*taskcreate)(isc_taskmgr_t *manager, unsigned int quantum, isc_task_t **taskp); + void (*setexcltask)(isc_taskmgr_t *mgr, isc_task_t *task); + isc_result_t (*excltask)(isc_taskmgr_t *mgr, isc_task_t **taskp); } isc_taskmgrmethods_t; typedef struct isc_taskmethods { @@ -697,6 +699,31 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp); * have been freed. */ +void +isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task); +/*%< + * Set a task which will be used for all task-exclusive operations. + * + * Requires: + *\li 'manager' is a valid task manager. + * + *\li 'task' is a valid task. + */ + +isc_result_t +isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp); +/*%< + * Attach '*taskp' to the task set by isc_taskmgr_getexcltask(). + * This task should be used whenever running in task-exclusive mode, + * so as to prevent deadlock between two exclusive tasks. + * + * Requires: + *\li 'manager' is a valid task manager. + + *\li taskp != NULL && *taskp == NULL + */ + + #ifdef HAVE_LIBXML2 void diff --git a/contrib/bind9/lib/isc/mem.c b/contrib/bind9/lib/isc/mem.c index 5b4b16c..1964b7a 100644 --- a/contrib/bind9/lib/isc/mem.c +++ b/contrib/bind9/lib/isc/mem.c @@ -1191,7 +1191,7 @@ isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) { oldsize -= ALIGNMENT_SIZE; INSIST(oldsize == size); } - isc_mem_free((isc_mem_t *)ctx, ptr); + isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS); MCTXLOCK(ctx, &ctx->lock); ctx->references--; @@ -1327,7 +1327,7 @@ isc___mem_put(isc_mem_t *ctx0, void *ptr, size_t size FLARG) { oldsize -= ALIGNMENT_SIZE; INSIST(oldsize == size); } - isc_mem_free((isc_mem_t *)ctx, ptr); + isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS); return; } @@ -1592,7 +1592,11 @@ isc___mem_reallocate(isc_mem_t *ctx0, void *ptr, size_t size FLARG) { oldsize = (((size_info *)ptr)[-1]).u.size; INSIST(oldsize >= ALIGNMENT_SIZE); oldsize -= ALIGNMENT_SIZE; - copysize = oldsize > size ? size : oldsize; + if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) { + INSIST(oldsize >= ALIGNMENT_SIZE); + oldsize -= ALIGNMENT_SIZE; + } + copysize = (oldsize > size) ? size : oldsize; memcpy(new_ptr, ptr, copysize); isc__mem_free(ctx0, ptr FLARG_PASS); } diff --git a/contrib/bind9/lib/isc/mips/Makefile.in b/contrib/bind9/lib/isc/mips/Makefile.in index 324db07..9c24cdf 100644 --- a/contrib/bind9/lib/isc/mips/Makefile.in +++ b/contrib/bind9/lib/isc/mips/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/mips/include/Makefile.in b/contrib/bind9/lib/isc/mips/include/Makefile.in index f1d8bdd..e399559 100644 --- a/contrib/bind9/lib/isc/mips/include/Makefile.in +++ b/contrib/bind9/lib/isc/mips/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/mips/include/isc/Makefile.in b/contrib/bind9/lib/isc/mips/include/isc/Makefile.in index 5f116ca..4927e21 100644 --- a/contrib/bind9/lib/isc/mips/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/mips/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/nls/Makefile.in b/contrib/bind9/lib/isc/nls/Makefile.in index aca4a27..7bacf1c 100644 --- a/contrib/bind9/lib/isc/nls/Makefile.in +++ b/contrib/bind9/lib/isc/nls/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1999-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/noatomic/Makefile.in b/contrib/bind9/lib/isc/noatomic/Makefile.in index 324db07..9c24cdf 100644 --- a/contrib/bind9/lib/isc/noatomic/Makefile.in +++ b/contrib/bind9/lib/isc/noatomic/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/noatomic/include/Makefile.in b/contrib/bind9/lib/isc/noatomic/include/Makefile.in index f1d8bdd..e399559 100644 --- a/contrib/bind9/lib/isc/noatomic/include/Makefile.in +++ b/contrib/bind9/lib/isc/noatomic/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/noatomic/include/isc/Makefile.in b/contrib/bind9/lib/isc/noatomic/include/isc/Makefile.in index 5f116ca..4927e21 100644 --- a/contrib/bind9/lib/isc/noatomic/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/noatomic/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/nothreads/Makefile.in b/contrib/bind9/lib/isc/nothreads/Makefile.in index 7e7abd6..540b243 100644 --- a/contrib/bind9/lib/isc/nothreads/Makefile.in +++ b/contrib/bind9/lib/isc/nothreads/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/nothreads/include/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/Makefile.in index a52310a..662a72d 100644 --- a/contrib/bind9/lib/isc/nothreads/include/Makefile.in +++ b/contrib/bind9/lib/isc/nothreads/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in index 3c9eab0..a2c347e 100644 --- a/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/powerpc/Makefile.in b/contrib/bind9/lib/isc/powerpc/Makefile.in index 324db07..9c24cdf 100644 --- a/contrib/bind9/lib/isc/powerpc/Makefile.in +++ b/contrib/bind9/lib/isc/powerpc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/powerpc/include/Makefile.in b/contrib/bind9/lib/isc/powerpc/include/Makefile.in index f1d8bdd..e399559 100644 --- a/contrib/bind9/lib/isc/powerpc/include/Makefile.in +++ b/contrib/bind9/lib/isc/powerpc/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/powerpc/include/isc/Makefile.in b/contrib/bind9/lib/isc/powerpc/include/isc/Makefile.in index 5f116ca..4927e21 100644 --- a/contrib/bind9/lib/isc/powerpc/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/powerpc/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/pthreads/Makefile.in b/contrib/bind9/lib/isc/pthreads/Makefile.in index d6e7c76..9f66ef3 100644 --- a/contrib/bind9/lib/isc/pthreads/Makefile.in +++ b/contrib/bind9/lib/isc/pthreads/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/pthreads/condition.c b/contrib/bind9/lib/isc/pthreads/condition.c index 50281a2..9053cf0 100644 --- a/contrib/bind9/lib/isc/pthreads/condition.c +++ b/contrib/bind9/lib/isc/pthreads/condition.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -43,7 +43,14 @@ isc_condition_waituntil(isc_condition_t *c, isc_mutex_t *m, isc_time_t *t) { * POSIX defines a timespec's tv_sec as time_t. */ result = isc_time_secondsastimet(t, &ts.tv_sec); - if (result != ISC_R_SUCCESS) + + /* + * If we have a range error ts.tv_sec is most probably a signed + * 32 bit value. Set ts.tv_sec to INT_MAX. This is a kludge. + */ + if (result == ISC_R_RANGE) + ts.tv_sec = INT_MAX; + else if (result != ISC_R_SUCCESS) return (result); /*! diff --git a/contrib/bind9/lib/isc/pthreads/include/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/Makefile.in index 0303ab1..46c243e 100644 --- a/contrib/bind9/lib/isc/pthreads/include/Makefile.in +++ b/contrib/bind9/lib/isc/pthreads/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in index 11675ec..7cadcf4 100644 --- a/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/sparc64/Makefile.in b/contrib/bind9/lib/isc/sparc64/Makefile.in index 324db07..9c24cdf 100644 --- a/contrib/bind9/lib/isc/sparc64/Makefile.in +++ b/contrib/bind9/lib/isc/sparc64/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/sparc64/include/Makefile.in b/contrib/bind9/lib/isc/sparc64/include/Makefile.in index f1d8bdd..e399559 100644 --- a/contrib/bind9/lib/isc/sparc64/include/Makefile.in +++ b/contrib/bind9/lib/isc/sparc64/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/sparc64/include/isc/Makefile.in b/contrib/bind9/lib/isc/sparc64/include/isc/Makefile.in index 5f116ca..4927e21 100644 --- a/contrib/bind9/lib/isc/sparc64/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/sparc64/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/task.c b/contrib/bind9/lib/isc/task.c index f4e1265..a5f6ef9 100644 --- a/contrib/bind9/lib/isc/task.c +++ b/contrib/bind9/lib/isc/task.c @@ -152,6 +152,7 @@ struct isc__taskmgr { unsigned int tasks_running; isc_boolean_t exclusive_requested; isc_boolean_t exiting; + isc__task_t *excl; #ifdef USE_SHARED_MANAGER unsigned int refs; #endif /* ISC_PLATFORM_USETHREADS */ @@ -221,6 +222,10 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers, unsigned int default_quantum, isc_taskmgr_t **managerp); ISC_TASKFUNC_SCOPE void isc__taskmgr_destroy(isc_taskmgr_t **managerp); +ISC_TASKFUNC_SCOPE void +isc__taskmgr_setexcltask(isc_taskmgr_t *mgr0, isc_task_t *task0); +ISC_TASKFUNC_SCOPE isc_result_t +isc__taskmgr_excltask(isc_taskmgr_t *mgr0, isc_task_t **taskp); ISC_TASKFUNC_SCOPE isc_result_t isc__task_beginexclusive(isc_task_t *task); ISC_TASKFUNC_SCOPE void @@ -261,7 +266,9 @@ static struct isc__taskmethods { static isc_taskmgrmethods_t taskmgrmethods = { isc__taskmgr_destroy, - isc__task_create + isc__task_create, + isc__taskmgr_setexcltask, + isc__taskmgr_excltask }; /*** @@ -1262,6 +1269,7 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers, manager->tasks_running = 0; manager->exclusive_requested = ISC_FALSE; manager->exiting = ISC_FALSE; + manager->excl = NULL; isc_mem_attach(mctx, &manager->mctx); @@ -1344,6 +1352,12 @@ isc__taskmgr_destroy(isc_taskmgr_t **managerp) { */ /* + * Detach the exclusive task before acquiring the manager lock + */ + if (manager->excl != NULL) + isc__task_detach((isc_task_t **) &manager->excl); + + /* * Unlike elsewhere, we're going to hold this lock a long time. * We need to do so, because otherwise the list of tasks could * change while we were traversing it. @@ -1440,12 +1454,41 @@ isc__taskmgr_dispatch(isc_taskmgr_t *manager0) { #endif /* USE_WORKER_THREADS */ +ISC_TASKFUNC_SCOPE void +isc__taskmgr_setexcltask(isc_taskmgr_t *mgr0, isc_task_t *task0) { + isc__taskmgr_t *mgr = (isc__taskmgr_t *) mgr0; + isc__task_t *task = (isc__task_t *) task0; + + REQUIRE(VALID_MANAGER(mgr)); + REQUIRE(VALID_TASK(task)); + if (mgr->excl != NULL) + isc__task_detach((isc_task_t **) &mgr->excl); + isc__task_attach(task0, (isc_task_t **) &mgr->excl); +} + +ISC_TASKFUNC_SCOPE isc_result_t +isc__taskmgr_excltask(isc_taskmgr_t *mgr0, isc_task_t **taskp) { + isc__taskmgr_t *mgr = (isc__taskmgr_t *) mgr0; + + REQUIRE(VALID_MANAGER(mgr)); + REQUIRE(taskp != NULL && *taskp == NULL); + + if (mgr->excl == NULL) + return (ISC_R_NOTFOUND); + + isc__task_attach((isc_task_t *) mgr->excl, taskp); + return (ISC_R_SUCCESS); +} + ISC_TASKFUNC_SCOPE isc_result_t isc__task_beginexclusive(isc_task_t *task0) { #ifdef USE_WORKER_THREADS isc__task_t *task = (isc__task_t *)task0; isc__taskmgr_t *manager = task->manager; + REQUIRE(task->state == task_state_running); + /* XXX: Require task == manager->excl? */ + LOCK(&manager->lock); if (manager->exclusive_requested) { UNLOCK(&manager->lock); diff --git a/contrib/bind9/lib/isc/task_api.c b/contrib/bind9/lib/isc/task_api.c index 551d0d37..06a8d24 100644 --- a/contrib/bind9/lib/isc/task_api.c +++ b/contrib/bind9/lib/isc/task_api.c @@ -187,6 +187,17 @@ isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type, void *tag) return (task->methods->purgeevents(task, sender, type, tag)); } +void +isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task) { + REQUIRE(ISCAPI_TASK_VALID(task)); + return (mgr->methods->setexcltask(mgr, task)); +} + +isc_result_t +isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp) { + return (mgr->methods->excltask(mgr, taskp)); +} + isc_result_t isc_task_beginexclusive(isc_task_t *task) { REQUIRE(ISCAPI_TASK_VALID(task)); diff --git a/contrib/bind9/lib/isc/unix/Makefile.in b/contrib/bind9/lib/isc/unix/Makefile.in index 9884ca9..c1411cb 100644 --- a/contrib/bind9/lib/isc/unix/Makefile.in +++ b/contrib/bind9/lib/isc/unix/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/unix/file.c b/contrib/bind9/lib/isc/unix/file.c index 0538761..99c02ec 100644 --- a/contrib/bind9/lib/isc/unix/file.c +++ b/contrib/bind9/lib/isc/unix/file.c @@ -98,6 +98,20 @@ file_stats(const char *file, struct stat *stats) { } isc_result_t +isc_file_mode(const char *file, mode_t *modep) { + isc_result_t result; + struct stat stats; + + REQUIRE(modep != NULL); + + result = file_stats(file, &stats); + if (result == ISC_R_SUCCESS) + *modep = (stats.st_mode & 07777); + + return (result); +} + +isc_result_t isc_file_getmodtime(const char *file, isc_time_t *time) { isc_result_t result; struct stat stats; @@ -313,6 +327,23 @@ isc_file_openuniquemode(char *templet, int mode, FILE **fp) { } isc_result_t +isc_file_bopenunique(char *templet, FILE **fp) { + int mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH; + return (isc_file_openuniquemode(templet, mode, fp)); +} + +isc_result_t +isc_file_bopenuniqueprivate(char *templet, FILE **fp) { + int mode = S_IWUSR|S_IRUSR; + return (isc_file_openuniquemode(templet, mode, fp)); +} + +isc_result_t +isc_file_bopenuniquemode(char *templet, int mode, FILE **fp) { + return (isc_file_openuniquemode(templet, mode, fp)); +} + +isc_result_t isc_file_remove(const char *filename) { int r; diff --git a/contrib/bind9/lib/isc/unix/include/Makefile.in b/contrib/bind9/lib/isc/unix/include/Makefile.in index 0303ab1..46c243e 100644 --- a/contrib/bind9/lib/isc/unix/include/Makefile.in +++ b/contrib/bind9/lib/isc/unix/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/unix/include/isc/Makefile.in b/contrib/bind9/lib/isc/unix/include/isc/Makefile.in index 2f4d216..d3b5084 100644 --- a/contrib/bind9/lib/isc/unix/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/unix/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isc/x86_32/Makefile.in b/contrib/bind9/lib/isc/x86_32/Makefile.in index 324db07..9c24cdf 100644 --- a/contrib/bind9/lib/isc/x86_32/Makefile.in +++ b/contrib/bind9/lib/isc/x86_32/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/x86_32/include/Makefile.in b/contrib/bind9/lib/isc/x86_32/include/Makefile.in index f1d8bdd..e399559 100644 --- a/contrib/bind9/lib/isc/x86_32/include/Makefile.in +++ b/contrib/bind9/lib/isc/x86_32/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/x86_32/include/isc/Makefile.in b/contrib/bind9/lib/isc/x86_32/include/isc/Makefile.in index 5f116ca..4927e21 100644 --- a/contrib/bind9/lib/isc/x86_32/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/x86_32/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/x86_64/Makefile.in b/contrib/bind9/lib/isc/x86_64/Makefile.in index 324db07..9c24cdf 100644 --- a/contrib/bind9/lib/isc/x86_64/Makefile.in +++ b/contrib/bind9/lib/isc/x86_64/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/x86_64/include/Makefile.in b/contrib/bind9/lib/isc/x86_64/include/Makefile.in index f1d8bdd..e399559 100644 --- a/contrib/bind9/lib/isc/x86_64/include/Makefile.in +++ b/contrib/bind9/lib/isc/x86_64/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isc/x86_64/include/isc/Makefile.in b/contrib/bind9/lib/isc/x86_64/include/isc/Makefile.in index f33ae99..9a988bb 100644 --- a/contrib/bind9/lib/isc/x86_64/include/isc/Makefile.in +++ b/contrib/bind9/lib/isc/x86_64/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/lib/isccc/api b/contrib/bind9/lib/isccc/api index a629bf7..ba19dd9 100644 --- a/contrib/bind9/lib/isccc/api +++ b/contrib/bind9/lib/isccc/api @@ -4,5 +4,5 @@ # 9.8: 80-89 # 9.9: 90-109 LIBINTERFACE = 80 -LIBREVISION = 1 +LIBREVISION = 2 LIBAGE = 0 diff --git a/contrib/bind9/lib/isccc/cc.c b/contrib/bind9/lib/isccc/cc.c index b549d6cb..1ab9479 100644 --- a/contrib/bind9/lib/isccc/cc.c +++ b/contrib/bind9/lib/isccc/cc.c @@ -399,8 +399,6 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, first_tag = ISC_FALSE; } - *alistp = alist; - if (secret != NULL) { if (checksum_rstart != NULL) result = verify(alist, checksum_rstart, @@ -412,7 +410,9 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, result = ISC_R_SUCCESS; bad: - if (result != ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) + *alistp = alist; + else isccc_sexpr_free(&alist); return (result); diff --git a/contrib/bind9/lib/isccc/include/Makefile.in b/contrib/bind9/lib/isccc/include/Makefile.in index 9f727c3..6b222a5 100644 --- a/contrib/bind9/lib/isccc/include/Makefile.in +++ b/contrib/bind9/lib/isccc/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isccc/include/isccc/Makefile.in b/contrib/bind9/lib/isccc/include/isccc/Makefile.in index ae5bec7..c4af19a 100644 --- a/contrib/bind9/lib/isccc/include/isccc/Makefile.in +++ b/contrib/bind9/lib/isccc/include/isccc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isccfg/api b/contrib/bind9/lib/isccfg/api index 9f3d38c..cde1e2f 100644 --- a/contrib/bind9/lib/isccfg/api +++ b/contrib/bind9/lib/isccfg/api @@ -4,5 +4,5 @@ # 9.8: 80-89 # 9.9: 90-109 LIBINTERFACE = 82 -LIBREVISION = 2 +LIBREVISION = 3 LIBAGE = 0 diff --git a/contrib/bind9/lib/isccfg/include/Makefile.in b/contrib/bind9/lib/isccfg/include/Makefile.in index 1f24003..5c6976a 100644 --- a/contrib/bind9/lib/isccfg/include/Makefile.in +++ b/contrib/bind9/lib/isccfg/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in index a6fd412..211583a 100644 --- a/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in +++ b/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001, 2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/isccfg/namedconf.c b/contrib/bind9/lib/isccfg/namedconf.c index 3f9454d..4d09f11 100644 --- a/contrib/bind9/lib/isccfg/namedconf.c +++ b/contrib/bind9/lib/isccfg/namedconf.c @@ -1014,66 +1014,60 @@ static cfg_type_t cfg_type_masterformat = { -/* +/*% * response-policy { * zone <string> [ policy (given|disabled|passthru| - * nxdomain|nodata|cname <domain> ) ]; - * }; - * - * this is a chimera of doc_optional_keyvalue() and cfg_doc_enum() + * nxdomain|nodata|cname <domain> ) ] + * [ recursive-only yes|no ] + * [ max-policy-ttl number ] ; + * } [ recursive-only yes|no ] [ break-dnssec yes|no ] + * [ max-policy-ttl number ] ; */ + static void -doc_rpz_policies(cfg_printer_t *pctx, const cfg_type_t *type) { - const keyword_type_t *kw; +doc_rpz_policy(cfg_printer_t *pctx, const cfg_type_t *type) { const char * const *p; - - kw = type->of; - cfg_print_chars(pctx, "[ ", 2); - cfg_print_cstr(pctx, kw->name); - cfg_print_chars(pctx, " ", 1); - + /* + * This is cfg_doc_enum() without the trailing " )". + */ cfg_print_chars(pctx, "( ", 2); - for (p = kw->type->of; *p != NULL; p++) { + for (p = type->of; *p != NULL; p++) { cfg_print_cstr(pctx, *p); if (p[1] != NULL) cfg_print_chars(pctx, " | ", 3); } } -/* - * print_qstring() from parser.c - */ -static void -print_rpz_cname(cfg_printer_t *pctx, const cfg_obj_t *obj) -{ - cfg_print_chars(pctx, "\"", 1); - cfg_print_ustring(pctx, obj); - cfg_print_chars(pctx, "\"", 1); -} - static void doc_rpz_cname(cfg_printer_t *pctx, const cfg_type_t *type) { cfg_doc_terminal(pctx, type); - cfg_print_chars(pctx, " ) ]", 4); + cfg_print_chars(pctx, " )", 2); } +/* + * Parse + * given|disabled|passthru|nxdomain|nodata|cname <domain> + */ static isc_result_t -parse_rpz(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { +cfg_parse_rpz_policy(cfg_parser_t *pctx, const cfg_type_t *type, + cfg_obj_t **ret) +{ isc_result_t result; - cfg_obj_t *obj = NULL; - const cfg_tuplefielddef_t *fields = type->of; + cfg_obj_t *obj; + const cfg_tuplefielddef_t *fields; CHECK(cfg_create_tuple(pctx, type, &obj)); + + fields = type->of; CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0])); - CHECK(cfg_parse_obj(pctx, fields[1].type, &obj->value.tuple[1])); /* * parse cname domain only after "policy cname" */ - if (cfg_obj_isvoid(obj->value.tuple[1]) || - strcasecmp("cname", cfg_obj_asstring(obj->value.tuple[1]))) { - CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[2])); + if (strcasecmp("cname", cfg_obj_asstring(obj->value.tuple[0])) != 0) { + CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1])); } else { - CHECK(cfg_parse_obj(pctx, fields[2].type, &obj->value.tuple[2])); + CHECK(cfg_parse_obj(pctx, fields[1].type, + &obj->value.tuple[1])); } *ret = obj; @@ -1084,50 +1078,160 @@ cleanup: return (result); } +/* + * Parse a tuple consisting of any kind of required field followed + * by 2 or more optional keyvalues that can be in any order. + */ +static isc_result_t +cfg_parse_kv_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { + const cfg_tuplefielddef_t *fields, *f; + cfg_obj_t *obj; + int fn; + isc_result_t result; + + obj = NULL; + CHECK(cfg_create_tuple(pctx, type, &obj)); + + /* + * The zone first field is required and always first. + */ + fields = type->of; + CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0])); + + for (;;) { + CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING)); + if (pctx->token.type != isc_tokentype_string) + break; + + for (fn = 1, f = &fields[1]; ; ++fn, ++f) { + if (f->name == NULL) { + cfg_parser_error(pctx, 0, "unexpected '%s'", + TOKEN_STRING(pctx)); + result = ISC_R_UNEXPECTEDTOKEN; + goto cleanup; + } + if (obj->value.tuple[fn] == NULL && + strcasecmp(f->name, TOKEN_STRING(pctx)) == 0) + break; + } + + CHECK(cfg_gettoken(pctx, 0)); + CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[fn])); + } + + for (fn = 1, f = &fields[1]; f->name != NULL; ++fn, ++f) { + if (obj->value.tuple[fn] == NULL) + CHECK(cfg_parse_void(pctx, NULL, + &obj->value.tuple[fn])); + } + + *ret = obj; + return (ISC_R_SUCCESS); + +cleanup: + CLEANUP_OBJ(obj); + return (result); +} + +static void +cfg_print_kv_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) { + unsigned int i; + const cfg_tuplefielddef_t *fields, *f; + const cfg_obj_t *fieldobj; + + fields = obj->type->of; + for (f = fields, i = 0; f->name != NULL; f++, i++) { + fieldobj = obj->value.tuple[i]; + if (fieldobj->type->print == cfg_print_void) + continue; + if (i != 0) { + cfg_print_chars(pctx, " ", 1); + cfg_print_cstr(pctx, f->name); + cfg_print_chars(pctx, " ", 1); + } + cfg_print_obj(pctx, fieldobj); + } +} + +static void +cfg_doc_kv_tuple(cfg_printer_t *pctx, const cfg_type_t *type) { + const cfg_tuplefielddef_t *fields, *f; + + fields = type->of; + for (f = fields; f->name != NULL; f++) { + if (f != fields) { + cfg_print_chars(pctx, " [ ", 3); + cfg_print_cstr(pctx, f->name); + if (f->type->doc != cfg_doc_void) + cfg_print_chars(pctx, " ", 1); + } + cfg_doc_obj(pctx, f->type); + if (f != fields) + cfg_print_chars(pctx, " ]", 2); + } +} + +static keyword_type_t zone_kw = {"zone", &cfg_type_qstring}; +static cfg_type_t cfg_type_rpz_zone = { + "zone", parse_keyvalue, print_keyvalue, + doc_keyvalue, &cfg_rep_string, + &zone_kw +}; static const char *rpz_policies[] = { "given", "disabled", "passthru", "no-op", "nxdomain", "nodata", "cname", NULL }; -static cfg_type_t cfg_type_rpz_policylist = { - "policies", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, - &cfg_rep_string, &rpz_policies +static cfg_type_t cfg_type_rpz_policy_name = { + "policy name", cfg_parse_enum, cfg_print_ustring, + doc_rpz_policy, &cfg_rep_string, + &rpz_policies }; -static keyword_type_t rpz_policies_kw = { - "policy", &cfg_type_rpz_policylist +static cfg_type_t cfg_type_rpz_cname = { + "quoted_string", cfg_parse_astring, NULL, + doc_rpz_cname, &cfg_rep_string, + NULL }; -static cfg_type_t cfg_type_rpz_policy = { - "optional_policy", parse_optional_keyvalue, print_keyvalue, - doc_rpz_policies, &cfg_rep_string, &rpz_policies_kw +static cfg_tuplefielddef_t rpz_policy_fields[] = { + { "policy name", &cfg_type_rpz_policy_name, 0 }, + { "cname", &cfg_type_rpz_cname, 0 }, + { NULL, NULL, 0 } }; -static cfg_type_t cfg_type_cname = { - "domain", cfg_parse_astring, print_rpz_cname, doc_rpz_cname, - &cfg_rep_string, NULL +static cfg_type_t cfg_type_rpz_policy = { + "policy tuple", cfg_parse_rpz_policy, + cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, + rpz_policy_fields }; -static cfg_tuplefielddef_t rpzone_fields[] = { - { "name", &cfg_type_astring, 0 }, +static cfg_tuplefielddef_t rpz_zone_fields[] = { + { "zone name", &cfg_type_rpz_zone, 0 }, { "policy", &cfg_type_rpz_policy, 0 }, - { "cname", &cfg_type_cname, 0 }, + { "recursive-only", &cfg_type_boolean, 0 }, + { "max-policy-ttl", &cfg_type_uint32, 0 }, { NULL, NULL, 0 } }; -static cfg_type_t cfg_type_rpzone = { - "rpzone", parse_rpz, cfg_print_tuple, cfg_doc_tuple, - &cfg_rep_tuple, rpzone_fields +static cfg_type_t cfg_type_rpz_tuple = { + "rpz tuple", cfg_parse_kv_tuple, + cfg_print_kv_tuple, cfg_doc_kv_tuple, &cfg_rep_tuple, + rpz_zone_fields }; -static cfg_clausedef_t rpz_clauses[] = { - { "zone", &cfg_type_rpzone, CFG_CLAUSEFLAG_MULTI }, - { NULL, NULL, 0 } +static cfg_type_t cfg_type_rpz_list = { + "zone list", cfg_parse_bracketed_list, cfg_print_bracketed_list, + cfg_doc_bracketed_list, &cfg_rep_list, + &cfg_type_rpz_tuple }; -static cfg_clausedef_t *rpz_clausesets[] = { - rpz_clauses, - NULL +static cfg_tuplefielddef_t rpz_fields[] = { + { "zone list", &cfg_type_rpz_list, 0 }, + { "recursive-only", &cfg_type_boolean, 0 }, + { "break-dnssec", &cfg_type_boolean, 0 }, + { "max-policy-ttl", &cfg_type_uint32, 0 }, + { NULL, NULL, 0 } }; static cfg_type_t cfg_type_rpz = { - "rpz", cfg_parse_map, cfg_print_map, cfg_doc_map, - &cfg_rep_map, rpz_clausesets + "rpz", cfg_parse_kv_tuple, + cfg_print_kv_tuple, cfg_doc_kv_tuple, &cfg_rep_tuple, + rpz_fields }; - /*% * dnssec-lookaside */ diff --git a/contrib/bind9/lib/lwres/Makefile.in b/contrib/bind9/lib/lwres/Makefile.in index 858b325..0cf873b 100644 --- a/contrib/bind9/lib/lwres/Makefile.in +++ b/contrib/bind9/lib/lwres/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/lwres/api b/contrib/bind9/lib/lwres/api index ba19dd9..1e51baa 100644 --- a/contrib/bind9/lib/lwres/api +++ b/contrib/bind9/lib/lwres/api @@ -4,5 +4,5 @@ # 9.8: 80-89 # 9.9: 90-109 LIBINTERFACE = 80 -LIBREVISION = 2 +LIBREVISION = 3 LIBAGE = 0 diff --git a/contrib/bind9/lib/lwres/getaddrinfo.c b/contrib/bind9/lib/lwres/getaddrinfo.c index 8e916f3..811a2fe 100644 --- a/contrib/bind9/lib/lwres/getaddrinfo.c +++ b/contrib/bind9/lib/lwres/getaddrinfo.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * This code is derived from software contributed to ISC by @@ -398,7 +398,7 @@ lwres_getaddrinfo(const char *hostname, const char *servname, goto inet6_addr; } addrsize = sizeof(struct in_addr); - addroff = (char *)(&SIN(0)->sin_addr) - (char *)0; + addroff = offsetof(struct sockaddr_in, sin_addr); family = AF_INET; goto common; #ifdef LWRES_HAVE_SIN6_SCOPE_ID @@ -408,7 +408,7 @@ lwres_getaddrinfo(const char *hostname, const char *servname, if (family && family != AF_INET6) return (EAI_NONAME); addrsize = sizeof(struct in6_addr); - addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0; + addroff = offsetof(struct sockaddr_in6, sin6_addr); family = AF_INET6; goto common; #endif @@ -417,7 +417,7 @@ lwres_getaddrinfo(const char *hostname, const char *servname, return (EAI_NONAME); inet6_addr: addrsize = sizeof(struct in6_addr); - addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0; + addroff = offsetof(struct sockaddr_in6, sin6_addr); family = AF_INET6; common: diff --git a/contrib/bind9/lib/lwres/include/Makefile.in b/contrib/bind9/lib/lwres/include/Makefile.in index 4750a5e..6c3d07f 100644 --- a/contrib/bind9/lib/lwres/include/Makefile.in +++ b/contrib/bind9/lib/lwres/include/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/lwres/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/include/lwres/Makefile.in index fc3126f..36b8b03 100644 --- a/contrib/bind9/lib/lwres/include/lwres/Makefile.in +++ b/contrib/bind9/lib/lwres/include/lwres/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/lib/lwres/man/Makefile.in b/contrib/bind9/lib/lwres/man/Makefile.in index cb723c2..80db9f2 100644 --- a/contrib/bind9/lib/lwres/man/Makefile.in +++ b/contrib/bind9/lib/lwres/man/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any |
