Ondřej Surý [Tue, 22 May 2018 13:24:37 +0000 (15:24 +0200)]
address win32 build issues
- Replace external -DOPENSSL/-DPKCS11CRYPTO with properly AC_DEFINEd
  HAVE_OPENSSL/HAVE_PKCS11
- Don't enforce the crypto provider from platform.h, just from dst_api.c
  and configure scripts
Evan Hunt [Thu, 17 May 2018 21:55:10 +0000 (14:55 -0700)]
begin preparation for 9.13.0
- tidy up release notes, removing the existing "security fixes" and
  "bug fixes" sections
- add a section in the release notes to discuss the new version
  numbering
- update version, CHANGES, api, and mapapi files
Michał Kępień [Fri, 27 Apr 2018 07:13:26 +0000 (09:13 +0200)]
Detect recursion loops during query processing
Interrupt query processing when query_recurse() attempts to ask the same
name servers for the same QNAME/QTYPE tuple twice in a row, as
this indicates that query processing may be stuck for an indeterminate
period of time, e.g. due to interactions between features able to
restart query_lookup().
Michał Kępień [Fri, 27 Apr 2018 07:13:26 +0000 (09:13 +0200)]
Prevent check_stale_header() from leaking rdataset headers
check_stale_header() fails to update the pointer to the previous header
while processing rdataset headers eligible for serve-stale, thus
enabling rdataset headers to be leaked (i.e. disassociated from a node
and left on the relevant TTL heap) while iterating through a node. This
can lead to several different assertion failures. Add the missing
pointer update.
Tony Finch [Wed, 16 May 2018 19:24:24 +0000 (20:24 +0100)]
Add CHANGES entry.
4948. [bug] When request-nsid is turned on, EDNS NSID options
should be logged at level info. Since change 3741
they have been logged at debug(3) by mistake.
[GL !290]
Replace all random functions with isc_random, isc_random_buf and isc_random_uniform API.
The three functions have been modeled after the arc4random family of
functions, and they will always return random bytes.
The isc_random family of functions internally uses these CSPRNGs (if available):
1. getrandom() libc call (might be available on Linux and Solaris)
2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
4. crypto library function:
   4a. RAND_bytes in the case of OpenSSL
   4b. pkcs_C_GenerateRandom() in the case of a PKCS#11 library
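
Added example (not code from BIND or from this commit): the rejection-sampling technique that arc4random_uniform() uses to return a bounded value without modulo bias, which is why a separate "uniform" call exists next to the raw byte calls. The names uniform_below, rand32_fn and replay_next are hypothetical, and the random source is a constructed, deterministic replay so that the rejection step is visible; this goes slightly beyond the commit message, which does not describe the algorithm itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical hook for a source of 32 random bits. A real build would
 * back it with one of the CSPRNGs listed above (getrandom(), arc4random(),
 * RAND_bytes(), ...). */
typedef uint32_t (*rand32_fn)(void *state);

/* Return a value in [0, upper_bound) with every result equally likely.
 * A plain "r % upper_bound" over-represents small results whenever 2^32 is
 * not a multiple of upper_bound; discarding the lowest (2^32 % upper_bound)
 * raw values leaves a range that divides evenly. */
uint32_t uniform_below(uint32_t upper_bound, rand32_fn next, void *state) {
    uint32_t min, r;

    if (upper_bound < 2)
        return 0;               /* only one possible result, draw nothing */

    /* 2^32 mod upper_bound, computed without leaving 32-bit arithmetic */
    min = (uint32_t)(0u - upper_bound) % upper_bound;

    do {
        r = next(state);
    } while (r < min);          /* reject the biased low slice and redraw */

    return r % upper_bound;
}

/* Constructed, deterministic source for demonstration only: replays a
 * fixed list of values. Never use anything like this for real randomness. */
struct replay { const uint32_t *vals; size_t n, pos; };

uint32_t replay_next(void *state) {
    struct replay *rp = state;
    return rp->vals[rp->pos++ % rp->n];
}

int main(void) {
    static const uint32_t vals[] = { 3, 10, 7 };   /* constructed input */
    struct replay rp = { vals, 3, 0 };

    /* For upper_bound 6, min is 4, so the raw value 3 is rejected. */
    uint32_t v = uniform_below(6, replay_next, &rp);
    printf("result=%u draws=%zu\n", (unsigned)v, rp.pos);
    return 0;
}
```
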
Michał Kępień [Tue, 15 May 2018 06:18:01 +0000 (08:18 +0200)]
isc_buffer_*(): if source can be NULL, only call memmove() when length is non-zero
Certain isc_buffer_*() functions might call memmove() with the second
argument (source) set to NULL and the third argument (length) set to 0.
While harmless, it triggers a ubsan warning:
    runtime error: null pointer passed as argument 2, which is declared to never be null
Modify all memmove() call sites in lib/isc/include/isc/buffer.h and
lib/isc/buffer.c which may potentially use NULL as the second argument
(source) so that memmove() is only called if the third argument (length)
is non-zero.
Michał Kępień [Tue, 15 May 2018 06:18:01 +0000 (08:18 +0200)]
dns_rdataslab_merge(): use dns_rdata_compare() instead of compare_rdata()
compare_rdata() was meant to be used as a qsort() callback. Meanwhile,
dns_rdataslab_merge() calls compare_rdata() for a pair of dns_rdata_t
structures rather than a pair of struct xrdata structures, which is
harmless, but triggers a ubsan warning:
    rdataslab.c:84:33: runtime error: member access within address <address> with insufficient space for an object of type 'const struct xrdata'
Use dns_rdata_compare() instead of compare_rdata() to prevent the
warning from being triggered.
Michał Kępień [Thu, 10 May 2018 07:43:38 +0000 (09:43 +0200)]
Use a while loop instead of a for loop in dns__zone_updatesigs()
Replace the outer for loop with a while loop to emphasize it keeps
processing the first element of diff->tuples, which changes on each
iteration due to tuples being removed from diff->tuples by
move_matching_tuples().
Michał Kępień [Thu, 10 May 2018 07:43:38 +0000 (09:43 +0200)]
Remove redundant assertions
The ENSURE assertion at the end of dns_diff_appendminimal() is not
needed because it is placed right after code which resets *tuplep to
NULL if it is not NULL already.
The INSIST assertion in move_matching_tuples() checks the same pointer
again.
Michał Kępień [Thu, 10 May 2018 07:43:38 +0000 (09:43 +0200)]
Look for the next matching tuple in a separate function
Extract the portion of the do-while loop responsible for finding the
next tuple with the same name and type into a separate function to
improve code clarity.
Michał Kępień [Thu, 10 May 2018 07:43:38 +0000 (09:43 +0200)]
Extract the do-while loop in dns__zone_updatesigs() into a separate function
The do-while loop in dns__zone_updatesigs() is hard to follow due to
heavy nesting and the 'tuple' variable also being used in the outer for
loop. Add a comment to explain the purpose of the do-while loop.
Extract it into a separate function to decrease indentation and prevent
using 'tuple' in two different loops.
Michał Kępień [Tue, 13 Mar 2018 13:06:11 +0000 (14:06 +0100)]
Add a framework for dns__zone_updatesigs() unit tests
Add a new ATF test, sigs_test, containing everything required to start
defining test cases for dns__zone_updatesigs(). The framework is
written in a way which ensures that changes to zone database applied by
any dns__zone_updatesigs() invocation are preserved between subsequent
checks.
Michał Kępień [Tue, 13 Mar 2018 13:06:10 +0000 (14:06 +0100)]
Move find_zone_keys() to lib/dns/zone_p.h
Rename find_zone_keys() to dns__zone_findkeys() and move it to
lib/dns/zone_p.h, so that it can be used in unit tests. Add a comment
describing the purpose of this function.
Michał Kępień [Tue, 13 Mar 2018 13:06:09 +0000 (14:06 +0100)]
Move update_sigs() to lib/dns/zone_p.h
Rename update_sigs() to dns__zone_updatesigs() and move it to
lib/dns/zone_p.h, so that it can be unit tested. Add a comment
describing the purpose of this function.
Michał Kępień [Tue, 13 Mar 2018 13:06:08 +0000 (14:06 +0100)]
Move zonediff_t to lib/dns/zone_p.h
Rename zonediff_t to dns__zonediff_t and move it to lib/dns/zone_p.h, so
that unit tests can be written for functions taking pointers to
structures of this type as arguments.
Michał Kępień [Tue, 13 Mar 2018 13:06:07 +0000 (14:06 +0100)]
Add lib/dns/zone_p.h
Add a new private header file, lib/dns/zone_p.h, which will hold type
definitions and function prototypes not meant to be exported by libdns,
but required by zone-related unit tests.
Michał Kępień [Tue, 13 Mar 2018 13:06:06 +0000 (14:06 +0100)]
Add a helper function to facilitate preparing dns_diff_t structures
Implement dns_test_difffromchanges(), a function which enables preparing
a dns_diff_t structure from a mostly-textual representation of zone
database changes to be applied. This will improve readability of test
case definitions by allowing contents of a dns_diff_t structure, passed
e.g. to update_sigs(), to be represented in a human-friendly manner.
Michał Kępień [Tue, 13 Mar 2018 13:06:04 +0000 (14:06 +0100)]
Rework dns_test_makezone()
The dns_test_makezone() helper function always assigns the created zone
to some view, which is not always necessary and complicates cleanup of
non-managed zones as they are required not to be assigned to any view.
Rework dns_test_makezone() in order to make it easier to use in unit
tests operating on non-managed zones. Use dns_name_fromstring() instead
of dns_name_fromtext() to simplify code. Do not use the CHECK() macro
and add comments to make code flow simpler to follow. Use
dns_test_makeview() instead of dns_view_create().
Adjust existing unit tests using this function so that they still pass.