kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Update BIND9 ports to 9.11.4, 9.12.2 and 9.13.2.

Browse source 
Sponsored by:	Absolight
This commit is contained in:
Mathieu Arnold 2018-07-11 09:36:54 +00:00
parent a9a02659a8
commit 5f2f83cc31
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=474430
20 changed files with 66 additions and 690 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
dns/bind911/Makefile
View file

@ -3,7 +3,7 @@
PORTNAME= bind
PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
PORTREVISION= 2
PORTREVISION= 0
CATEGORIES= dns net ipv6
MASTER_SITES= ISC/bind9/${ISCVERSION}
PKGNAMESUFFIX= 911
@ -20,7 +20,7 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2
USES= cpe libedit
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
ISCVERSION= 9.11.3
ISCVERSION= 9.11.4
CPE_VENDOR= isc
CPE_VERSION= ${ISCVERSION:C/-.*//}

6
dns/bind911/distinfo
View file

@ -1,3 +1,3 @@
TIMESTAMP = 1521455716
SHA256 (bind-9.11.3.tar.gz) = 0d9dde14b2ec7f9cdc3b69f19540c7a2e4eee7b6c727965dfae48810965876f5
SIZE (bind-9.11.3.tar.gz) = 9523375
TIMESTAMP = 1531290674
SHA256 (bind-9.11.4.tar.gz) = 595070b031f869f8939656b5a5d11b121211967f15f6afeafa895df745279617
SIZE (bind-9.11.4.tar.gz) = 9621408

20
dns/bind911/files/extrapatch-bind-min-override-ttl
View file

@ -1,6 +1,6 @@
--- bin/named/config.c.orig 2018-01-24 21:23:16 UTC
--- bin/named/config.c.orig 2018-06-10 06:06:33 UTC
+++ bin/named/config.c
@@ -171,6 +171,8 @@ options {\n\
@@ -176,6 +176,8 @@ options {\n\
" max-acache-size 16M;\n\
max-cache-size 90%;\n\
max-cache-ttl 604800; /* 1 week */\n\
@ -9,9 +9,9 @@
max-clients-per-query 100;\n\
max-ncache-ttl 10800; /* 3 hours */\n\
max-recursion-depth 7;\n\
--- bin/named/server.c.orig 2018-01-24 21:23:16 UTC
--- bin/named/server.c.orig 2018-06-10 06:06:33 UTC
+++ bin/named/server.c
@@ -3699,6 +3699,16 @@ configure_view(dns_view_t *view, dns_vie
@@ -3692,6 +3692,16 @@ configure_view(dns_view_t *view, dns_vie
}
obj = NULL;
@ -28,9 +28,9 @@
result = ns_config_get(maps, "max-cache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->maxcachettl = cfg_obj_asuint32(obj);
--- lib/dns/include/dns/view.h.orig 2018-01-24 21:23:16 UTC
--- lib/dns/include/dns/view.h.orig 2018-06-10 06:06:33 UTC
+++ lib/dns/include/dns/view.h
@@ -146,6 +146,8 @@ struct dns_view {
@@ -150,6 +150,8 @@ struct dns_view {
isc_boolean_t requestnsid;
isc_boolean_t sendcookie;
dns_ttl_t maxcachettl;
@ -39,9 +39,9 @@
dns_ttl_t maxncachettl;
isc_uint32_t nta_lifetime;
isc_uint32_t nta_recheck;
--- lib/dns/resolver.c.orig 2018-01-24 21:23:16 UTC
--- lib/dns/resolver.c.orig 2018-06-10 06:06:33 UTC
+++ lib/dns/resolver.c
@@ -5477,6 +5477,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
@@ -5473,6 +5473,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
}
/*
@ -60,9 +60,9 @@
* Enforce the configure maximum cache TTL.
*/
if (rdataset->ttl > res->view->maxcachettl) {
--- lib/isccfg/namedconf.c.orig 2018-01-24 21:23:16 UTC
--- lib/isccfg/namedconf.c.orig 2018-06-10 06:06:33 UTC
+++ lib/isccfg/namedconf.c
@@ -1766,6 +1766,8 @@ view_clauses[] = {
@@ -1770,6 +1770,8 @@ view_clauses[] = {
#endif
{ "max-acache-size", &cfg_type_sizenodefault, 0 },
{ "max-cache-size", &cfg_type_sizeorpercent, 0 },

127
dns/bind911/files/patch-CVE-2018-5738
View file

@ -1,127 +0,0 @@
commit 3d71785ef143b670409affee203145eb39266d87
Author: Evan Hunt <each@isc.org>
Date: 2018-06-04 21:55:41 -0700
allow-recursion could incorrectly inherit from the default allow-query
--- CHANGES.orig 2018-03-08 20:55:28 UTC
+++ CHANGES
@@ -1,3 +1,10 @@
+4960. [security] When recursion is enabled, but the "allow-recursion"
+ and "allow-query-cache" ACLs are not specified,
+ they should be limited to local networks,
+ but were inadvertently set to match the default
+ "allow-query", thus allowing remote queries.
+ (CVE-2018-5738) [GL #309]
+
--- 9.11.3 released ---
--- 9.11.3rc2 released ---
--- bin/named/server.c.orig 2018-03-08 20:55:28 UTC
+++ bin/named/server.c
@@ -3376,10 +3376,6 @@ configure_view(dns_view_t *view, dns_vie
dns_acache_setcachesize(view->acache, max_acache_size);
}
- CHECK(configure_view_acl(vconfig, config, ns_g_config,
- "allow-query", NULL, actx,
- ns_g_mctx, &view->queryacl));
-
/*
* Make the list of response policy zone names for a view that
* is used for real lookups and so cares about hints.
@@ -4258,9 +4254,6 @@ configure_view(dns_view_t *view, dns_vie
INSIST(result == ISC_R_SUCCESS);
view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
- CHECK(configure_view_acl(vconfig, config, ns_g_config,
- "allow-query-cache-on", NULL, actx,
- ns_g_mctx, &view->cacheonacl));
/*
* Set sources where additional data and CNAME/DNAME
* targets for authoritative answers may be found.
@@ -4287,22 +4280,40 @@ configure_view(dns_view_t *view, dns_vie
view->additionalfromcache = ISC_TRUE;
}
+ CHECK(configure_view_acl(vconfig, config, ns_g_config,
+ "allow-query-cache-on", NULL, actx,
+ ns_g_mctx, &view->cacheonacl));
+
/*
- * Set "allow-query-cache", "allow-recursion", and
- * "allow-recursion-on" acls if configured in named.conf.
- * (Ignore the global defaults for now, because these ACLs
- * can inherit from each other when only some of them set at
- * the options/view level.)
+ * Set the "allow-query", "allow-query-cache", "allow-recursion",
+ * and "allow-recursion-on" ACLs if configured in named.conf, but
+ * NOT from the global defaults. This is done by leaving the third
+ * argument to configure_view_acl() NULL.
+ *
+ * We ignore the global defaults here because these ACLs
+ * can inherit from each other. If any are still unset after
+ * applying the inheritance rules, we'll look up the defaults at
+ * that time.
*/
- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
- NULL, actx, ns_g_mctx, &view->cacheacl));
+
+ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-query", NULL, actx,
+ ns_g_mctx, &view->queryacl));
+
+ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-query-cache", NULL, actx,
+ ns_g_mctx, &view->cacheacl));
if (strcmp(view->name, "_bind") != 0 &&
view->rdclass != dns_rdataclass_chaos)
{
+ /* named.conf only */
CHECK(configure_view_acl(vconfig, config, NULL,
"allow-recursion", NULL, actx,
ns_g_mctx, &view->recursionacl));
+ /* named.conf only */
CHECK(configure_view_acl(vconfig, config, NULL,
"allow-recursion-on", NULL, actx,
ns_g_mctx, &view->recursiononacl));
@@ -4340,18 +4351,21 @@ configure_view(dns_view_t *view, dns_vie
* the global config.
*/
if (view->recursionacl == NULL) {
+ /* global default only */
CHECK(configure_view_acl(NULL, NULL, ns_g_config,
"allow-recursion", NULL,
actx, ns_g_mctx,
&view->recursionacl));
}
if (view->recursiononacl == NULL) {
+ /* global default only */
CHECK(configure_view_acl(NULL, NULL, ns_g_config,
"allow-recursion-on", NULL,
actx, ns_g_mctx,
&view->recursiononacl));
}
if (view->cacheacl == NULL) {
+ /* global default only */
CHECK(configure_view_acl(NULL, NULL, ns_g_config,
"allow-query-cache", NULL,
actx, ns_g_mctx,
@@ -4365,6 +4379,14 @@ configure_view(dns_view_t *view, dns_vie
CHECK(dns_acl_none(mctx, &view->cacheacl));
}
+ if (view->queryacl == NULL) {
+ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ "allow-query", NULL,
+ actx, ns_g_mctx,
+ &view->queryacl));
+ }
+
/*
* Ignore case when compressing responses to the specified
* clients. This causes case not always to be preserved,

4
dns/bind911/files/patch-bin_named_include_named_globals.h
View file

@ -1,8 +1,8 @@
We reference the pid file as being run/named/pid everywere else.
--- bin/named/include/named/globals.h.orig 2018-01-04 05:28:11 UTC
--- bin/named/include/named/globals.h.orig 2018-06-10 06:06:33 UTC
+++ bin/named/include/named/globals.h
@@ -135,7 +135,7 @@ EXTERN isc_boolean_t ns_g_forcelock IN
@@ -138,7 +138,7 @@ EXTERN isc_boolean_t ns_g_forcelock IN
#if NS_RUN_PID_DIR
EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
"/run/named/"

4
dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in
View file

@ -1,6 +1,6 @@
--- bin/tests/system/dlzexternal/Makefile.in.orig 2017-04-14 03:58:25 UTC
--- bin/tests/system/dlzexternal/Makefile.in.orig 2018-06-10 06:06:33 UTC
+++ bin/tests/system/dlzexternal/Makefile.in
@@ -31,7 +31,7 @@ OBJS =
@@ -34,7 +34,7 @@ OBJS =
@BIND9_MAKE_RULES@
CFLAGS = @CFLAGS@ @SO_CFLAGS@

8
dns/bind911/files/patch-configure
View file

@ -1,6 +1,6 @@
--- configure.orig 2018-03-08 20:55:28 UTC
--- configure.orig 2018-06-10 06:06:33 UTC
+++ configure
@@ -14465,27 +14465,9 @@ done
@@ -14961,27 +14961,9 @@ done
# problems start to show up.
saved_libs="$LIBS"
for TRY_LIBS in \
@ -30,7 +30,7 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14528,47 +14510,7 @@ $as_echo "no" >&6; } ;;
@@ -15024,47 +15006,7 @@ $as_echo "no" >&6; } ;;
no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
esac
@ -79,7 +79,7 @@
DNS_GSSAPI_LIBS="$LIBS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
@@ -23242,7 +23184,7 @@ $as_echo "" >&6; }
@@ -23847,7 +23789,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).

4
dns/bind912/Makefile
View file

@ -8,7 +8,7 @@ PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
PORTREVISION= 0
.else
# dns/bind912 here
PORTREVISION= 1
PORTREVISION= 0
.endif
CATEGORIES= dns net ipv6
MASTER_SITES= ISC/bind9/${ISCVERSION}
@ -35,7 +35,7 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2
USES= cpe libedit
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
ISCVERSION= 9.12.1-P2
ISCVERSION= 9.12.2
CPE_VENDOR= isc
CPE_VERSION= ${ISCVERSION:C/-.*//}

6
dns/bind912/distinfo
View file

@ -1,3 +1,3 @@
TIMESTAMP = 1526711298
SHA256 (bind-9.12.1-P2.tar.gz) = 0de7c3453461e2f0505ac634b984f8e7afa1952cf7fc972cbefbcc169edf2d29
SIZE (bind-9.12.1-P2.tar.gz) = 9305005
TIMESTAMP = 1531290911
SHA256 (bind-9.12.2.tar.gz) = 9f6a4c8b39a7064d447d8414a09ed667ff21adc69f17461916d8f5a45f348452
SIZE (bind-9.12.2.tar.gz) = 9424960

20
dns/bind912/files/extrapatch-bind-min-override-ttl
View file

@ -1,6 +1,6 @@
--- bin/named/config.c.orig 2018-02-18 05:26:12 UTC
--- bin/named/config.c.orig 2018-07-03 07:08:14 UTC
+++ bin/named/config.c
@@ -176,12 +176,14 @@ options {\n\
@@ -182,12 +182,14 @@ options {\n\
max-recursion-queries 75;\n\
max-stale-ttl 604800; /* 1 week */\n\
message-compression yes;\n\
@ -15,9 +15,9 @@
provide-ixfr true;\n\
query-source address *;\n\
query-source-v6 address *;\n\
--- bin/named/server.c.orig 2018-02-18 05:26:12 UTC
--- bin/named/server.c.orig 2018-07-03 07:08:14 UTC
+++ bin/named/server.c
@@ -4074,6 +4074,16 @@ configure_view(dns_view_t *view, dns_vie
@@ -4072,6 +4072,16 @@ configure_view(dns_view_t *view, dns_vie
}
obj = NULL;
@ -34,9 +34,9 @@
result = named_config_get(maps, "max-cache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->maxcachettl = cfg_obj_asuint32(obj);
--- lib/dns/include/dns/view.h.orig 2018-02-18 05:26:12 UTC
--- lib/dns/include/dns/view.h.orig 2018-07-03 07:08:14 UTC
+++ lib/dns/include/dns/view.h
@@ -145,6 +145,8 @@ struct dns_view {
@@ -149,6 +149,8 @@ struct dns_view {
isc_boolean_t requestnsid;
isc_boolean_t sendcookie;
dns_ttl_t maxcachettl;
@ -45,9 +45,9 @@
dns_ttl_t maxncachettl;
isc_uint32_t nta_lifetime;
isc_uint32_t nta_recheck;
--- lib/dns/resolver.c.orig 2018-02-18 05:26:12 UTC
--- lib/dns/resolver.c.orig 2018-07-03 07:08:14 UTC
+++ lib/dns/resolver.c
@@ -5762,6 +5762,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
@@ -5756,6 +5756,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
}
/*
@ -66,9 +66,9 @@
* Enforce the configure maximum cache TTL.
*/
if (rdataset->ttl > res->view->maxcachettl) {
--- lib/isccfg/namedconf.c.orig 2018-02-18 05:26:12 UTC
--- lib/isccfg/namedconf.c.orig 2018-07-03 07:08:14 UTC
+++ lib/isccfg/namedconf.c
@@ -1910,6 +1910,8 @@ view_clauses[] = {
@@ -1914,6 +1914,8 @@ view_clauses[] = {
{ "max-acache-size", &cfg_type_sizenodefault,
CFG_CLAUSEFLAG_OBSOLETE },
{ "max-cache-size", &cfg_type_sizeorpercent, 0 },

112
dns/bind912/files/patch-CVE-2018-5738
View file

@ -1,112 +0,0 @@
commit be02bf65712ee54148496aac3edb3ca7d061327f
Author: Evan Hunt <each@isc.org>
Date: 2018-06-04 21:46:23 -0700
allow-recursion could incorrectly inherit from the default allow-query
--- CHANGES.orig 2018-05-16 18:06:47 UTC
+++ CHANGES
@@ -1,3 +1,10 @@
+4960. [security] When recursion is enabled, but the "allow-recursion"
+ and "allow-query-cache" ACLs are not specified,
+ they should be limited to local networks,
+ but were inadvertently set to match the default
+ "allow-query", thus allowing remote queries.
+ (CVE-2018-5738) [GL #309]
+
--- 9.12.1-P2 released ---
--- 9.12.1-P1 (withdrawn) ---
--- bin/named/server.c.orig 2018-05-16 18:06:47 UTC
+++ bin/named/server.c
@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_vie
CHECKM(named_config_getport(config, &port), "port");
dns_view_setdstport(view, port);
- CHECK(configure_view_acl(vconfig, config, named_g_config,
- "allow-query", NULL, actx,
- named_g_mctx, &view->queryacl));
-
/*
* Make the list of response policy zone names for a view that
* is used for real lookups and so cares about hints.
@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_vie
"allow-query-cache-on", NULL, actx,
named_g_mctx, &view->cacheonacl));
/*
- * Set "allow-query-cache", "allow-recursion", and
- * "allow-recursion-on" acls if configured in named.conf.
- * (Ignore the global defaults for now, because these ACLs
- * can inherit from each other when only some of them set at
- * the options/view level.)
+ * Set the "allow-query", "allow-query-cache", "allow-recursion",
+ * and "allow-recursion-on" ACLs if configured in named.conf, but
+ * NOT from the global defaults. This is done by leaving the third
+ * argument to configure_view_acl() NULL.
+ *
+ * We ignore the global defaults here because these ACLs
+ * can inherit from each other. If any are still unset after
+ * applying the inheritance rules, we'll look up the defaults at
+ * that time.
*/
- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
- NULL, actx, named_g_mctx, &view->cacheacl));
+
+ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-query", NULL, actx,
+ named_g_mctx, &view->queryacl));
+
+ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-query-cache", NULL, actx,
+ named_g_mctx, &view->cacheacl));
if (strcmp(view->name, "_bind") != 0 &&
view->rdclass != dns_rdataclass_chaos)
{
+ /* named.conf only */
CHECK(configure_view_acl(vconfig, config, NULL,
"allow-recursion", NULL, actx,
named_g_mctx, &view->recursionacl));
+ /* named.conf only */
CHECK(configure_view_acl(vconfig, config, NULL,
"allow-recursion-on", NULL, actx,
named_g_mctx, &view->recursiononacl));
@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_vie
* the global config.
*/
if (view->recursionacl == NULL) {
+ /* global default only */
CHECK(configure_view_acl(NULL, NULL, named_g_config,
"allow-recursion", NULL,
actx, named_g_mctx,
&view->recursionacl));
}
if (view->recursiononacl == NULL) {
+ /* global default only */
CHECK(configure_view_acl(NULL, NULL, named_g_config,
"allow-recursion-on", NULL,
actx, named_g_mctx,
&view->recursiononacl));
}
if (view->cacheacl == NULL) {
+ /* global default only */
CHECK(configure_view_acl(NULL, NULL, named_g_config,
"allow-query-cache", NULL,
actx, named_g_mctx,
@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_vie
CHECK(dns_acl_none(mctx, &view->cacheacl));
}
+ if (view->queryacl == NULL) {
+ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-query", NULL,
+ actx, named_g_mctx,
+ &view->queryacl));
+ }
+
/*
* Ignore case when compressing responses to the specified
* clients. This causes case not always to be preserved,

4
dns/bind912/files/patch-bin_named_include_named_globals.h
View file

@ -1,8 +1,8 @@
We reference the pid file as being run/named/pid everywere else.
--- bin/named/include/named/globals.h.orig 2018-01-17 06:56:09 UTC
--- bin/named/include/named/globals.h.orig 2018-06-10 06:06:19 UTC
+++ bin/named/include/named/globals.h
@@ -125,7 +125,7 @@ EXTERN isc_boolean_t named_g_forcelock
@@ -128,7 +128,7 @@ EXTERN isc_boolean_t named_g_forcelock
#if NAMED_RUN_PID_DIR
EXTERN const char * named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR
"/run/named/"

4
dns/bind912/files/patch-bin_tests_system_dlzexternal_Makefile.in
View file

@ -1,6 +1,6 @@
--- bin/tests/system/dlzexternal/Makefile.in.orig 2016-11-01 20:46:42 UTC
--- bin/tests/system/dlzexternal/Makefile.in.orig 2018-06-10 06:06:19 UTC
+++ bin/tests/system/dlzexternal/Makefile.in
@@ -31,7 +31,7 @@ OBJS =
@@ -34,7 +34,7 @@ OBJS =
@BIND9_MAKE_RULES@
CFLAGS = @CFLAGS@ @SO_CFLAGS@

8
dns/bind912/files/patch-configure
View file

@ -1,6 +1,6 @@
--- configure.orig 2018-03-08 20:56:40 UTC
--- configure.orig 2018-06-10 06:06:19 UTC
+++ configure
@@ -14455,27 +14455,9 @@ done
@@ -14939,27 +14939,9 @@ done
# problems start to show up.
saved_libs="$LIBS"
for TRY_LIBS in \
@ -30,7 +30,7 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14518,47 +14500,7 @@ $as_echo "no" >&6; } ;;
@@ -15002,47 +14984,7 @@ $as_echo "no" >&6; } ;;
no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
esac
@ -79,7 +79,7 @@
DNS_GSSAPI_LIBS="$LIBS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
@@ -23197,7 +23139,7 @@ $as_echo "" >&6; }
@@ -23790,7 +23732,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).

386
dns/bind912/files/patch-libressl2.7
View file

@ -1,386 +0,0 @@
From 1e64b869b5b33e2deda7059e4348d9870f86d315 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Thu, 3 May 2018 13:59:04 +0200
Subject: [PATCH 1/3] Add support for LibreSSL 2.7
(cherry picked from commit 29ff62a1492ce3dc702a887e864d00bf1949aed3)
---
config.h.in | 12 +++++++
configure | 13 +++++++
configure.in | 2 ++
lib/dns/openssldh_link.c | 69 +++++++++++++++++++++++--------------
lib/dns/openssldsa_link.c | 2 +-
lib/dns/opensslecdsa_link.c | 11 +++---
lib/dns/opensslrsa_link.c | 36 ++++++++++++-------
7 files changed, 103 insertions(+), 42 deletions(-)
diff --git config.h.in config.h.in
index 0cc04c5dd9..65ee20eeb5 100644
--- config.h.in
+++ config.h.in
@@ -206,6 +206,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <devpoll.h> header file. */
#undef HAVE_DEVPOLL_H
+/* Define to 1 if you have the `DH_get0_key' function. */
+#undef HAVE_DH_GET0_KEY
+
/* Define to 1 if you have the `dlclose' function. */
#undef HAVE_DLCLOSE
@@ -221,6 +224,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 to enable dnstap support */
#undef HAVE_DNSTAP
+/* Define to 1 if you have the `DSA_get0_pqg' function. */
+#undef HAVE_DSA_GET0_PQG
+
+/* Define to 1 if you have the `ECDSA_SIG_get0' function. */
+#undef HAVE_ECDSA_SIG_GET0
+
/* Define to 1 if you have the <editline/readline.h> header file. */
#undef HAVE_EDITLINE_READLINE_H
@@ -431,6 +440,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <regex.h> header file. */
#undef HAVE_REGEX_H
+/* Define to 1 if you have the `RSA_set0_key' function. */
+#undef HAVE_RSA_SET0_KEY
+
/* Define to 1 if you have the <sched.h> header file. */
#undef HAVE_SCHED_H
diff --git configure configure
index fc9256fa8d..2dde1a681d 100755
--- configure
+++ configure
@@ -16724,6 +16724,19 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
+fi
+done
+
+
+ for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
fi
done
diff --git configure.in configure.in
index 99139ba5ac..193562c783 100644
--- configure.in
+++ configure.in
@@ -1781,6 +1781,8 @@ DSO_METHOD_dlfcn();
AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
+ AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
+
AC_MSG_CHECKING(for OpenSSL ECDSA support)
have_ecdsa=""
AC_TRY_RUN([
diff --git lib/dns/openssldh_link.c lib/dns/openssldh_link.c
index e74bee2e2d..0db673dd31 100644
--- lib/dns/openssldh_link.c
+++ lib/dns/openssldh_link.c
@@ -71,62 +71,81 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
static BIGNUM *bn2, *bn768, *bn1024, *bn1536;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(HAVE_DH_GET0_KEY)
/*
* DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
* are from OpenSSL 1.1.0.
*/
static void
DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) {
- if (pub_key != NULL)
+ if (pub_key != NULL) {
*pub_key = dh->pub_key;
- if (priv_key != NULL)
+ }
+ if (priv_key != NULL) {
*priv_key = dh->priv_key;
+ }
}
static int
DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {
- /* Note that it is valid for priv_key to be NULL */
- if (pub_key == NULL)
- return 0;
+ if (pub_key != NULL) {
+ BN_free(dh->pub_key);
+ dh->pub_key = pub_key;
+ }
- BN_free(dh->pub_key);
- BN_free(dh->priv_key);
- dh->pub_key = pub_key;
- dh->priv_key = priv_key;
+ if (priv_key != NULL) {
+ BN_free(dh->priv_key);
+ dh->priv_key = priv_key;
+ }
- return 1;
+ return (1);
}
static void
DH_get0_pqg(const DH *dh,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
{
- if (p != NULL)
+ if (p != NULL) {
*p = dh->p;
- if (q != NULL)
+ }
+ if (q != NULL) {
*q = dh->q;
- if (g != NULL)
+ }
+ if (g != NULL) {
*g = dh->g;
+ }
}
static int
-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
- /* q is optional */
- if (p == NULL || g == NULL)
- return(0);
- BN_free(dh->p);
- BN_free(dh->q);
- BN_free(dh->g);
- dh->p = p;
- dh->q = q;
- dh->g = g;
+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ {
+ return 0;
+ }
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
if (q != NULL) {
dh->length = BN_num_bits(q);
}
- return(1);
+ return (1);
}
#define DH_clear_flags(d, f) (d)->flags &= ~(f)
diff --git lib/dns/openssldsa_link.c lib/dns/openssldsa_link.c
index 1c541ae73a..dfbd484247 100644
--- lib/dns/openssldsa_link.c
+++ lib/dns/openssldsa_link.c
@@ -52,7 +52,7 @@
static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(HAVE_DSA_GET0_PQG)
static void
DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
const BIGNUM **g)
diff --git lib/dns/opensslecdsa_link.c lib/dns/opensslecdsa_link.c
index a8941a808a..2e47459249 100644
--- lib/dns/opensslecdsa_link.c
+++ lib/dns/opensslecdsa_link.c
@@ -45,20 +45,23 @@
#define DST_RET(a) {ret = a; goto err;}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(HAVE_ECDSA_SIG_GET0)
/* From OpenSSL 1.1 */
static void
ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
- if (pr != NULL)
+ if (pr != NULL) {
*pr = sig->r;
- if (ps != NULL)
+ }
+ if (ps != NULL) {
*ps = sig->s;
+ }
}
static int
ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
- if (r == NULL || s == NULL)
+ if (r == NULL || s == NULL) {
return 0;
+ }
BN_clear_free(sig->r);
BN_clear_free(sig->s);
diff --git lib/dns/opensslrsa_link.c lib/dns/opensslrsa_link.c
index bdb0a3931d..43f6d317bc 100644
--- lib/dns/opensslrsa_link.c
+++ lib/dns/opensslrsa_link.c
@@ -123,7 +123,7 @@
#endif
#define DST_RET(a) {ret = a; goto err;}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(HAVE_RSA_SET0_KEY)
/* From OpenSSL 1.1.0 */
static int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
@@ -133,8 +133,9 @@ RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
* parameters MUST be non-NULL for n and e. d may be
* left NULL (in case only the public key is used).
*/
- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
+ if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
return 0;
+ }
if (n != NULL) {
BN_free(r->n);
@@ -159,8 +160,9 @@ RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
* If the fields p and q in r are NULL, the corresponding input
* parameters MUST be non-NULL.
*/
- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))
+ if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
return 0;
+ }
if (p != NULL) {
BN_free(r->p);
@@ -183,7 +185,9 @@ RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
if ((r->dmp1 == NULL && dmp1 == NULL) ||
(r->dmq1 == NULL && dmq1 == NULL) ||
(r->iqmp == NULL && iqmp == NULL))
+ {
return 0;
+ }
if (dmp1 != NULL) {
BN_free(r->dmp1);
@@ -205,32 +209,40 @@ static void
RSA_get0_key(const RSA *r,
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
{
- if (n != NULL)
+ if (n != NULL) {
*n = r->n;
- if (e != NULL)
+ }
+ if (e != NULL) {
*e = r->e;
- if (d != NULL)
+ }
+ if (d != NULL) {
*d = r->d;
+ }
}
static void
RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
- if (p != NULL)
+ if (p != NULL) {
*p = r->p;
- if (q != NULL)
- *q = r->q;
+ }
+ if (q != NULL) {
+ *q = r->q;
+ }
}
static void
RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
const BIGNUM **iqmp)
{
- if (dmp1 != NULL)
+ if (dmp1 != NULL) {
*dmp1 = r->dmp1;
- if (dmq1 != NULL)
+ }
+ if (dmq1 != NULL) {
*dmq1 = r->dmq1;
- if (iqmp != NULL)
+ }
+ if (iqmp != NULL) {
*iqmp = r->iqmp;
+ }
}
static int
--
2.17.1
From e3a318e8d3e050677cfe603b25eaa9607c202276 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 2 May 2018 14:18:06 +0200
Subject: [PATCH 2/3] Workaround LibreSSL 2.7.0-2.7.2 quirk in DH_set0_key
(cherry picked from commit 6b9e3b7b069509e79c59f89403a91761c300bdee)
---
lib/dns/openssldh_link.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git lib/dns/openssldh_link.c lib/dns/openssldh_link.c
index 0db673dd31..8dfda0d2fa 100644
--- lib/dns/openssldh_link.c
+++ lib/dns/openssldh_link.c
@@ -44,6 +44,8 @@
#include <dst/result.h>
+#include <openssl/opensslv.h>
+
#include "dst_internal.h"
#include "dst_openssl.h"
#include "dst_parse.h"
@@ -564,7 +566,15 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
DH_free(dh);
return (dst__openssl_toresult(ISC_R_NOMEMORY));
}
+#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && (LIBRESSL_VERSION_NUMBER <= 0x2070200fL)
+ /*
+ * LibreSSL << 2.7.3 DH_get0_key requires priv_key to be set when
+ * DH structure is empty, hence we cannot use DH_get0_key().
+ */
+ dh->pub_key = pub_key;
+#else /* LIBRESSL_VERSION_NUMBER */
DH_set0_key(dh, pub_key, NULL);
+#endif /* LIBRESSL_VERSION_NUMBER */
isc_region_consume(&r, publen);
key->key_size = BN_num_bits(p);
--
2.17.1

2
dns/bind913/Makefile
View file

@ -33,7 +33,7 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2
USES= cpe libedit ssl
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
ISCVERSION= 9.13.1
ISCVERSION= 9.13.2
CPE_VENDOR= isc
CPE_VERSION= ${ISCVERSION:C/-.*//}

6
dns/bind913/distinfo
View file

@ -1,3 +1,3 @@
TIMESTAMP = 1529066513
SHA256 (bind-9.13.1.tar.gz) = d081011170a915b3059d3f24e1a14e5540d2892f2a0267af94cfbe6601423d22
SIZE (bind-9.13.1.tar.gz) = 8787034
TIMESTAMP = 1531290964
SHA256 (bind-9.13.2.tar.gz) = 6c044e9ea81add9dbbd2f5dfc224964cc6b6e364e43a8d6d8b574d9282651802
SIZE (bind-9.13.2.tar.gz) = 8547111

22
dns/bind913/files/extrapatch-bind-min-override-ttl
View file

@ -1,6 +1,6 @@
--- bin/named/config.c.orig 2018-05-18 05:44:02 UTC
--- bin/named/config.c.orig 2018-07-03 07:51:40 UTC
+++ bin/named/config.c
@@ -174,12 +174,14 @@ options {\n\
@@ -177,12 +177,14 @@ options {\n\
max-recursion-queries 75;\n\
max-stale-ttl 604800; /* 1 week */\n\
message-compression yes;\n\
@ -13,11 +13,11 @@
nsec3-test-zone no;\n\
+ override-cache-ttl 0; /* do not override */\n\
provide-ixfr true;\n\
qname-minimization relaxed;\n\
query-source address *;\n\
query-source-v6 address *;\n\
--- bin/named/server.c.orig 2018-05-18 05:44:02 UTC
--- bin/named/server.c.orig 2018-07-03 07:51:40 UTC
+++ bin/named/server.c
@@ -4072,6 +4072,16 @@ configure_view(dns_view_t *view, dns_vie
@@ -4071,6 +4071,16 @@ configure_view(dns_view_t *view, dns_vie
}
obj = NULL;
@ -34,9 +34,9 @@
result = named_config_get(maps, "max-cache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->maxcachettl = cfg_obj_asuint32(obj);
--- lib/dns/include/dns/view.h.orig 2018-05-18 05:44:02 UTC
--- lib/dns/include/dns/view.h.orig 2018-07-03 07:51:40 UTC
+++ lib/dns/include/dns/view.h
@@ -149,6 +149,8 @@ struct dns_view {
@@ -151,6 +151,8 @@ struct dns_view {
isc_boolean_t requestnsid;
isc_boolean_t sendcookie;
dns_ttl_t maxcachettl;
@ -45,9 +45,9 @@
dns_ttl_t maxncachettl;
isc_uint32_t nta_lifetime;
isc_uint32_t nta_recheck;
--- lib/dns/resolver.c.orig 2018-05-18 05:44:02 UTC
--- lib/dns/resolver.c.orig 2018-07-03 07:51:40 UTC
+++ lib/dns/resolver.c
@@ -5746,6 +5746,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
@@ -5799,6 +5799,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
}
/*
@ -66,9 +66,9 @@
* Enforce the configure maximum cache TTL.
*/
if (rdataset->ttl > res->view->maxcachettl) {
--- lib/isccfg/namedconf.c.orig 2018-05-18 05:44:02 UTC
--- lib/isccfg/namedconf.c.orig 2018-07-03 07:51:40 UTC
+++ lib/isccfg/namedconf.c
@@ -1916,6 +1916,8 @@ view_clauses[] = {
@@ -1917,6 +1917,8 @@ view_clauses[] = {
{ "max-acache-size", &cfg_type_sizenodefault,
CFG_CLAUSEFLAG_OBSOLETE },
{ "max-cache-size", &cfg_type_sizeorpercent, 0 },

8
dns/bind913/files/patch-configure
View file

@ -1,6 +1,6 @@
--- configure.orig 2018-05-22 23:42:35 UTC
--- configure.orig 2018-07-03 07:51:40 UTC
+++ configure
@@ -14757,27 +14757,9 @@ done
@@ -14993,27 +14993,9 @@ done
# problems start to show up.
saved_libs="$LIBS"
for TRY_LIBS in \
@ -30,7 +30,7 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14820,47 +14802,7 @@ $as_echo "no" >&6; } ;;
@@ -15056,47 +15038,7 @@ $as_echo "no" >&6; } ;;
no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
esac
@ -79,7 +79,7 @@
DNS_GSSAPI_LIBS="$LIBS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
@@ -23329,7 +23271,7 @@ $as_echo "" >&6; }
@@ -23693,7 +23635,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).

1
dns/bind913/pkg-plist
View file

@ -120,6 +120,7 @@ include/dns/view.h
include/dns/xfrin.h
include/dns/zone.h
include/dns/zonekey.h
include/dns/zoneverify.h
include/dns/zt.h
include/dst/dst.h
include/dst/gssapi.h