Commit a02efbe1 authored by Evan Hunt's avatar Evan Hunt

Merge branch '244-enforce-crypto-library' into 'master'

Disable builds without cryptographic provider (OpenSSL or PKCS#11)

Closes #244

See merge request !266
parents ee83b59e ea562617
Pipeline #1639 passed with stages
in 8 minutes and 7 seconds
4945. [func] BIND can no longer be built without DNSSEC support.
A cryptography provder (i.e., OpenSSL or a hardware
service module with PKCS#11 support) must be
available. [GL #244]
4944. [cleanup] Silence cppcheck portability warnings in
lib/isc/tests/buffer_test.c. [GL #239]
 
......
......@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
CDEFINES =
CDEFINES = @CRYPTO@
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
......
......@@ -16,7 +16,7 @@ top_srcdir = @top_srcdir@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
${DNS_INCLUDES} ${ISC_INCLUDES}
CDEFINES =
CDEFINES = @CRYPTO@
CWARNINGS =
OBJS = os.@O@
......
......@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
CINCLUDES = ${ISC_INCLUDES}
CDEFINES =
CDEFINES = @CRYPTO@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
......
......@@ -18,7 +18,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
CDEFINES =
CDEFINES = @CRYPTO@
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
......
......@@ -17,7 +17,7 @@ PROVIDER = @PKCS11_PROVIDER@
CINCLUDES = ${ISC_INCLUDES}
CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\" @CRYPTO@
ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
......
......@@ -17,7 +17,7 @@ PROVIDER = @PKCS11_PROVIDER@
CINCLUDES = ${ISC_INCLUDES}
CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\" @CRYPTO@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
......
......@@ -19,7 +19,7 @@ SUBDIRS = dlzexternal dyndb pipelined rndc rpz rsabigexponent tkey
CINCLUDES = ${ISC_INCLUDES} ${DNS_INCLUDES}
CDEFINES = @USE_GSSAPI@
CDEFINES = @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
DNSLIBS =
......
......@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = ${ISC_INCLUDES}
CDEFINES =
CDEFINES = @CRYPTO@
CWARNINGS =
ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
......
......@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = ${ISC_INCLUDES} ${DNS_INCLUDES}
CDEFINES =
CDEFINES = @CRYPTO@
CWARNINGS =
DNSLIBS =
......
......@@ -941,6 +941,7 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
......@@ -1100,6 +1101,7 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
......@@ -1352,6 +1354,15 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
 
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
......@@ -1489,7 +1500,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir
libdir localedir mandir runstatedir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
......@@ -1642,6 +1653,7 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
......@@ -16226,7 +16238,6 @@ fi
 
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL library" >&5
$as_echo_n "checking for OpenSSL library... " >&6; }
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
if test "yes" = "$want_native_pkcs11"
then
......@@ -17345,6 +17356,15 @@ esac
 
 
 
if test "X$CRYPTO" = "X"; then
# cat << \EOF
as_fn_error $? "No cryptography library has been found or provided.
You must use --with-openssl, or --with-pkcs11 and --enable-native-pkcs11,
to enable cryptography." "$LINENO" 5
#EOF
exit 1
fi
# for PKCS11 benchmarks
 
have_clock_gt=no
......@@ -26532,14 +26552,6 @@ if test "yes" != "$silent"; then
report
fi
 
if test "X$CRYPTO" = "X"; then
cat << \EOF
BIND 9 is being built without cryptography support. This means it will
not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
--enable-native-pkcs11 to enable cryptography.
EOF
fi
# Tell Emacs to edit this file in shell mode.
# Local Variables:
# mode: sh
......
......@@ -1472,7 +1472,6 @@ then
fi
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
if test "yes" = "$want_native_pkcs11"
then
......@@ -2320,6 +2319,15 @@ AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
AC_SUBST(PKCS11_TEST)
if test "X$CRYPTO" = "X"; then
# cat << \EOF
AC_MSG_ERROR([No cryptography library has been found or provided.
You must use --with-openssl, or --with-pkcs11 and --enable-native-pkcs11,
to enable cryptography.])
#EOF
exit 1
fi
# for PKCS11 benchmarks
have_clock_gt=no
......@@ -5454,14 +5462,6 @@ if test "yes" != "$silent"; then
report
fi
if test "X$CRYPTO" = "X"; then
cat << \EOF
BIND 9 is being built without cryptography support. This means it will
not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
--enable-native-pkcs11 to enable cryptography.
EOF
fi
# Tell Emacs to edit this file in shell mode.
# Local Variables:
# mode: sh
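Review bot: The new `CRYPTO` gate added after `AC_SUBST(PKCS11_TEST)` still carries scaffolding from the warning it replaces: the commented-out `# cat << \EOF` and `#EOF` lines, plus an `exit 1` that can never run. `AC_MSG_ERROR` already aborts configure; the generated script on this page shows it expanding to `as_fn_error`. Reducing the body of the `if` to the `AC_MSG_ERROR([...])` call alone makes the hard failure read as deliberate rather than as a half-converted heredoc. A short comment above the test would also help, for example `# Cryptography is mandatory: refuse to configure without OpenSSL or native PKCS#11.`, since this is now the check that prevents a build without DNSSEC support. Where `CRYPTO` is assigned lies outside the visible hunks, so it is worth confirming that every path that disables both providers leaves it empty.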
......
......@@ -17,7 +17,7 @@ DLZINCLUDES = @DLZ_DRIVER_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
${ISC_INCLUDES} ${DLZINCLUDES}
CDEFINES = @CONTRIB_DLZ@
CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
CWARNINGS =
DLZLIBS = @DLZ_DRIVER_LIBS@
......
......@@ -132,6 +132,13 @@
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
BIND can no longer be built without DNSSEC support. A cryptography
provder (i.e., OpenSSL or a hardware service module with
PKCS#11 support) must be available. [GL #244]
</para>
</listitem>
<listitem>
<para>
Zone types <command>primary</command> and
......
......@@ -20,7 +20,7 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude -I../include ${ISC_INCLUDES} ${IRS_INCLUDES}
CDEFINES = -DTESTS="\"${top_builddir}/lib/irs/tests/\""
CDEFINES = -DTESTS="\"${top_builddir}/lib/irs/tests/\"" @CRYPTO@
CFGLIBS = ../../isccfg/libisccfg.@A@
CFGDEPLIBS = ../../isccfg/libisccfg.@A@
......
......@@ -18,6 +18,14 @@
***** Platform-dependent defines.
*****/
/***
*** Enforce OpenSSL or PKCS#11 cryptography
***/
#if !defined(OPENSSL) && !defined(PKCS11CRYPTO)
#error No cryptography library has been found or provided.
#endif
/***
*** Network.
***/
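Review bot: The `#error` guard only passes when `OPENSSL` or `PKCS11CRYPTO` arrives on the compiler command line, which appears to be why this commit adds `@CRYPTO@` to `CDEFINES` in so many Makefile.in files. Any translation unit that includes this header without those flags now stops with a message about a missing library, when the real cause is a missing define. That covers a Makefile.in not touched here, and out-of-tree code if this header is installed (the file path is not visible on the page, so that needs confirming). Failing closed is the right direction, but the dependency should be documented at the guard, for example `/* OPENSSL or PKCS11CRYPTO is supplied via @CRYPTO@ in CDEFINES; every Makefile.in that compiles code including this header must pass it. */`. The message could name the macros as well: `#error Neither OPENSSL nor PKCS11CRYPTO is defined; compile with the CRYPTO flags selected by configure.`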
......
......@@ -16,7 +16,7 @@ CINCLUDES = -I../unix/include \
-I../include \
-I${srcdir}/../include
CDEFINES =
CDEFINES = @CRYPTO@
CWARNINGS =
OBJS = msgcat.@O@
......
......@@ -17,7 +17,7 @@ CINCLUDES = -I${srcdir}/include \
-I${srcdir}/../include \
-I${srcdir}/..
CDEFINES =
CDEFINES = @CRYPTO@
CWARNINGS =
THREADOPTOBJS = condition.@O@ mutex.@O@
......
......@@ -17,7 +17,7 @@ CINCLUDES = -I${srcdir}/include \
-I${srcdir}/../include \
-I${srcdir}/..
CDEFINES =
CDEFINES = @CRYPTO@
CWARNINGS =
OBJS = condition.@O@ mutex.@O@ thread.@O@
......
......@@ -15,7 +15,7 @@ CINCLUDES = -I${srcdir}/.. \
-I./include \
-I${srcdir}/include \
-I${srcdir}/../include
CDEFINES =
CDEFINES = @CRYPTO@
CWARNINGS =
# Alphabetically
......