On 2020/10/09 21:35, Stuart Henderson wrote: > Here's an update to NSD 4.3.3. Any tests/comments/OKs?
Updated to reinstate the pledge lost in nsd.c (merge error as we had a local commit post 4.3.2), spotted by tb. (I didn't reorder the diff for easier reading this time). Index: Makefile.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/Makefile.in,v retrieving revision 1.29 diff -u -p -r1.29 Makefile.in --- Makefile.in 23 Jul 2020 13:54:07 -0000 1.29 +++ Makefile.in 9 Oct 2020 21:36:14 -0000 @@ -126,7 +126,7 @@ install: orig-install: all $(INSTALL) -d $(DESTDIR)$(sbindir) $(INSTALL) -d $(DESTDIR)$(configdir) - $(INSTALL) -d $(DESTDIR)$(piddir) + if test -n "$(piddir)"; then $(INSTALL) -d $(DESTDIR)$(piddir); fi $(INSTALL) -d $(DESTDIR)$(xfrdir) $(INSTALL) -d $(DESTDIR)$(dbdir) $(INSTALL) -d $(DESTDIR)$(mandir) Index: acx_nlnetlabs.m4 =================================================================== RCS file: /cvs/src/usr.sbin/nsd/acx_nlnetlabs.m4,v retrieving revision 1.3 diff -u -p -r1.3 acx_nlnetlabs.m4 --- acx_nlnetlabs.m4 24 Jun 2016 08:34:03 -0000 1.3 +++ acx_nlnetlabs.m4 9 Oct 2020 21:36:14 -0000 @@ -2,7 +2,8 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 34 +# Version 35 +# 2020-08-24 Use EVP_sha256 instead of HMAC_Update (for openssl-3.0.0). # 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0. # 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0). # 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20 
@@ -673,30 +674,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [ ACX_RUNTIME_PATH_ADD([$ssldir/lib]) fi - AC_MSG_CHECKING([for HMAC_Update in -lcrypto]) + AC_MSG_CHECKING([for EVP_sha256 in -lcrypto]) LIBS="$LIBS -lcrypto" LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto" AC_TRY_LINK(, [ - int HMAC_Update(void); - (void)HMAC_Update(); + int EVP_sha256(void); + (void)EVP_sha256(); ], [ AC_MSG_RESULT(yes) - AC_DEFINE([HAVE_HMAC_UPDATE], 1, - [If you have HMAC_Update]) + AC_DEFINE([HAVE_EVP_SHA256], 1, + [If you have EVP_sha256]) ], [ AC_MSG_RESULT(no) # check if -lwsock32 or -lgdi32 are needed. BAKLIBS="$LIBS" BAKSSLLIBS="$LIBSSL_LIBS" - LIBS="$LIBS -lgdi32" - LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32" + LIBS="$LIBS -lgdi32 -lws2_32" + LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32" AC_MSG_CHECKING([if -lcrypto needs -lgdi32]) AC_TRY_LINK([], [ - int HMAC_Update(void); - (void)HMAC_Update(); + int EVP_sha256(void); + (void)EVP_sha256(); ],[ - AC_DEFINE([HAVE_HMAC_UPDATE], 1, - [If you have HMAC_Update]) + AC_DEFINE([HAVE_EVP_SHA256], 1, + [If you have EVP_sha256]) AC_MSG_RESULT(yes) ],[ AC_MSG_RESULT(no) @@ -706,11 +707,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [ LIBSSL_LIBS="$LIBSSL_LIBS -ldl" AC_MSG_CHECKING([if -lcrypto needs -ldl]) AC_TRY_LINK([], [ - int HMAC_Update(void); - (void)HMAC_Update(); + int EVP_sha256(void); + (void)EVP_sha256(); ],[ - AC_DEFINE([HAVE_HMAC_UPDATE], 1, - [If you have HMAC_Update]) + AC_DEFINE([HAVE_EVP_SHA256], 1, + [If you have EVP_sha256]) AC_MSG_RESULT(yes) ],[ AC_MSG_RESULT(no) @@ -720,11 +721,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [ LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread" AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread]) AC_TRY_LINK([], [ - int HMAC_Update(void); - (void)HMAC_Update(); + int EVP_sha256(void); + (void)EVP_sha256(); ],[ - AC_DEFINE([HAVE_HMAC_UPDATE], 1, - [If you have HMAC_Update]) + AC_DEFINE([HAVE_EVP_SHA256], 1, + [If you have EVP_sha256]) AC_MSG_RESULT(yes) ],[ AC_MSG_RESULT(no) 
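Review bot: The Windows fallback now appends both `-lgdi32 -lws2_32` to LIBS and LIBSSL_LIBS, but the surrounding `AC_MSG_CHECKING([if -lcrypto needs -lgdi32])` still names only -lgdi32, so the configure transcript no longer describes what was actually tried; change it to `AC_MSG_CHECKING([if -lcrypto needs -lgdi32 -lws2_32])`. The probe body `int EVP_sha256(void); (void)EVP_sha256();` is now repeated in four AC_TRY_LINK calls across this and the following hunks; an m4 macro holding the snippet would keep the next symbol rename to a single edit. The ACX_SSL_CHECKS macro begins and ends outside the hunk.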
@@ -839,7 +840,11 @@ dnl see if on windows if test "$ac_cv_header_windows_h" = "yes"; then AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used]) USE_WINSOCK="1" - LIBS="$LIBS -lws2_32" + if echo $LIBS | grep 'lws2_32' >/dev/null; then + : + else + LIBS="$LIBS -lws2_32" + fi fi ], dnl no quick getaddrinfo, try mingw32 and winsock2 library. Index: config.h.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/config.h.in,v retrieving revision 1.33 diff -u -p -r1.33 config.h.in --- config.h.in 23 Jul 2020 13:54:08 -0000 1.33 +++ config.h.in 9 Oct 2020 21:36:14 -0000 @@ -139,6 +139,12 @@ /* Define to 1 if you have the `EVP_cleanup' function. */ #undef HAVE_EVP_CLEANUP +/* Define to 1 if you have the `EVP_MAC_CTX_new' function. */ +#undef HAVE_EVP_MAC_CTX_NEW + +/* Define to 1 if you have the `EVP_MAC_CTX_set_params' function. */ +#undef HAVE_EVP_MAC_CTX_SET_PARAMS + /* Define to 1 if you have the `ev_default_loop' function. */ #undef HAVE_EV_DEFAULT_LOOP @@ -166,6 +172,9 @@ /* Define to 1 if you have the `gethostname' function. */ #undef HAVE_GETHOSTNAME +/* Define to 1 if you have the `getifaddrs' function. */ +#undef HAVE_GETIFADDRS + /* Define to 1 if you have the `getnameinfo' function. */ #undef HAVE_GETNAMEINFO @@ -250,6 +259,9 @@ /* Define to 1 if you have the <netinet/tcp.h> header file. */ #undef HAVE_NETINET_TCP_H + +/* Define to 1 if you have the <openssl/core_names.h> header file. */ +#undef HAVE_OPENSSL_CORE_NAMES_H /* Define to 1 if you have the <openssl/err.h> header file. */ #undef HAVE_OPENSSL_ERR_H Index: configure =================================================================== RCS file: /cvs/src/usr.sbin/nsd/configure,v retrieving revision 1.46 diff -u -p -r1.46 configure --- configure 23 Jul 2020 13:54:08 -0000 1.46 +++ configure 9 Oct 2020 21:36:14 -0000 
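Review bot: The new guard `if echo $LIBS | grep 'lws2_32' >/dev/null; then : else LIBS="$LIBS -lws2_32" fi` pushes an unquoted `$LIBS` through echo and forks two processes for a substring test that the shell can do itself: `case "$LIBS" in *-lws2_32*) ;; *) LIBS="$LIBS -lws2_32" ;; esac`. The case form also tests for the full `-lws2_32` token rather than any word containing `lws2_32`, and avoids the empty `:` branch. The enclosing `if test "$ac_cv_header_windows_h"` block closes inside the hunk, but the macro continues beyond it.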
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for NSD 4.3.2. +# Generated by GNU Autoconf 2.69 for NSD 4.3.3. # # Report bugs to <nsd-b...@nlnetlabs.nl>. # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='NSD' PACKAGE_TARNAME='nsd' -PACKAGE_VERSION='4.3.2' -PACKAGE_STRING='NSD 4.3.2' +PACKAGE_VERSION='4.3.3' +PACKAGE_STRING='NSD 4.3.3' PACKAGE_BUGREPORT='nsd-b...@nlnetlabs.nl' PACKAGE_URL='' @@ -1314,7 +1314,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures NSD 4.3.2 to adapt to many kinds of systems. +\`configure' configures NSD 4.3.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1376,7 +1376,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of NSD 4.3.2:";; + short | recursive ) echo "Configuration of NSD 4.3.3:";; esac cat <<\_ACEOF @@ -1536,7 +1536,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -NSD configure 4.3.2 +NSD configure 4.3.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2245,7 +2245,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by NSD $as_me 4.3.2, which was +It was created by NSD $as_me 4.3.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ 
@@ -8350,7 +8350,7 @@ done fi -for ac_func in tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap ppoll clock_gettime accept4 +for ac_func in tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap ppoll clock_gettime accept4 getifaddrs do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -9099,7 +9099,7 @@ _ACEOF cat >>confdefs.h <<_ACEOF -#define EDNS_MAX_MESSAGE_LEN 4096 +#define EDNS_MAX_MESSAGE_LEN 1232 _ACEOF @@ -9560,6 +9560,8 @@ fi fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext + # remove space after -ldl if there. + LIBS=`echo "$LIBS" | sed -e 's/ $//'` # Check for -pthread BAKLIBS="$LIBS" @@ -9571,8 +9573,8 @@ int main () { - int HMAC_Update(void); - (void)HMAC_Update(); + int EVP_sha256(void); + (void)EVP_sha256(); ; return 0; @@ -9595,11 +9597,11 @@ $as_echo_n "checking if libcrypto needs #ifdef __cplusplus extern "C" #endif -char HMAC_Update (); +char EVP_sha256 (); int main () { -return HMAC_Update (); +return EVP_sha256 (); ; return 0; } 
@@ -9625,9 +9627,9 @@ rm -f core conftest.err conftest.$ac_obj LIBS="$BAKLIBS" if test -n "$ssldir"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_Update in -lcrypto" >&5 -$as_echo_n "checking for HMAC_Update in -lcrypto... " >&6; } -if ${ac_cv_lib_crypto_HMAC_Update+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5 +$as_echo_n "checking for EVP_sha256 in -lcrypto... " >&6; } +if ${ac_cv_lib_crypto_EVP_sha256+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS @@ -9641,27 +9643,27 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ #ifdef __cplusplus extern "C" #endif -char HMAC_Update (); +char EVP_sha256 (); int main () { -return HMAC_Update (); +return EVP_sha256 (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_crypto_HMAC_Update=yes + ac_cv_lib_crypto_EVP_sha256=yes else - ac_cv_lib_crypto_HMAC_Update=no + ac_cv_lib_crypto_EVP_sha256=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_HMAC_Update" >&5 -$as_echo "$ac_cv_lib_crypto_HMAC_Update" >&6; } -if test "x$ac_cv_lib_crypto_HMAC_Update" = xyes; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_EVP_sha256" >&5 +$as_echo "$ac_cv_lib_crypto_EVP_sha256" >&6; } +if test "x$ac_cv_lib_crypto_EVP_sha256" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBCRYPTO 1 _ACEOF @@ -9677,7 +9679,7 @@ fi fi SSL_LIBS="-lssl" - for ac_header in openssl/ssl.h openssl/err.h openssl/rand.h openssl/ocsp.h + for ac_header in openssl/ssl.h openssl/err.h openssl/rand.h openssl/ocsp.h openssl/core_names.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default 
@@ -9691,7 +9693,7 @@ fi done - for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level CRYPTO_memcmp EC_KEY_new_by_curve_name + for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -10833,7 +10835,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by NSD $as_me 4.3.2, which was +This file was extended by NSD $as_me 4.3.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -10895,7 +10897,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -NSD config.status 4.3.2 +NSD config.status 4.3.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Index: configure.ac =================================================================== RCS file: /cvs/src/usr.sbin/nsd/configure.ac,v retrieving revision 1.46 diff -u -p -r1.46 configure.ac --- configure.ac 23 Jul 2020 13:54:08 -0000 1.46 +++ configure.ac 9 Oct 2020 21:36:14 -0000 @@ -5,7 +5,7 @@ dnl sinclude(acx_nlnetlabs.m4) sinclude(dnstap/dnstap.m4) -AC_INIT(NSD,4.3.2,nsd-b...@nlnetlabs.nl) +AC_INIT(NSD,4.3.3,nsd-b...@nlnetlabs.nl) AC_CONFIG_HEADER([config.h]) # 
@@ -657,7 +657,7 @@ AC_CHECK_SIZEOF(void*) AC_CHECK_SIZEOF(off_t) AC_CHECK_FUNCS([getrandom arc4random arc4random_uniform]) AC_SEARCH_LIBS([setusercontext],[util],[AC_CHECK_HEADERS([login_cap.h])]) -AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap ppoll clock_gettime accept4]) +AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap ppoll clock_gettime accept4 getifaddrs]) AC_CHECK_TYPE([struct mmsghdr], AC_DEFINE(HAVE_MMSGHDR, 1, [If sys/socket.h has a struct mmsghdr.]), [], [ AC_INCLUDES_DEFAULT @@ -908,7 +908,7 @@ AC_DEFINE_UNQUOTED([TCP_PORT], ["53"], [ AC_DEFINE_UNQUOTED([TCP_MAX_MESSAGE_LEN], [65535], [Define to the default maximum message length.]) AC_DEFINE_UNQUOTED([UDP_PORT], ["53"], [Define to the default udp port.]) AC_DEFINE_UNQUOTED([UDP_MAX_MESSAGE_LEN], [512], [Define to the default maximum udp message length.]) -AC_DEFINE_UNQUOTED([EDNS_MAX_MESSAGE_LEN], [4096], [Define to the default maximum message length with EDNS.]) +AC_DEFINE_UNQUOTED([EDNS_MAX_MESSAGE_LEN], [1232], [Define to the default maximum message length with EDNS.]) AC_DEFINE_UNQUOTED([TLS_PORT], ["853"], [Define to the default DNS over TLS port.]) AC_DEFINE_UNQUOTED([MAXSYSLOGMSGLEN], [512], [Define to the maximum message length to pass to syslog.]) AC_DEFINE_UNQUOTED([NSD_CONTROL_PORT], [8952], [Define to the default nsd-control port.]) 
@@ -1019,19 +1019,21 @@ AC_SUBST(ratelimit_default) CHECK_SSL if test x$HAVE_SSL = x"yes"; then ACX_LIB_SSL + # remove space after -ldl if there. + LIBS=`echo "$LIBS" | sed -e 's/ $//'` # Check for -pthread BAKLIBS="$LIBS" LIBS="-lcrypto $LIBS" AC_TRY_LINK([], [ - int HMAC_Update(void); - (void)HMAC_Update(); + int EVP_sha256(void); + (void)EVP_sha256(); ], [],[ - dnl so link fails for HMAC_Update, try with -pthread. + dnl so link fails for EVP_sha256, try with -pthread. BAKCFLAGS="$CFLAGS" CFLAGS="$CFLAGS -pthread" AC_MSG_CHECKING([if libcrypto needs -pthread]) - AC_TRY_LINK_FUNC([HMAC_Update], [ + AC_TRY_LINK_FUNC([EVP_sha256], [ AC_MSG_RESULT([yes]) ] , [ AC_MSG_RESULT([no]) @@ -1042,14 +1044,14 @@ if test x$HAVE_SSL = x"yes"; then LIBS="$BAKLIBS" if test -n "$ssldir"; then - AC_CHECK_LIB(crypto, HMAC_Update,, [ + AC_CHECK_LIB(crypto, EVP_sha256,, [ AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) ]) fi SSL_LIBS="-lssl" AC_SUBST(SSL_LIBS) - AC_CHECK_HEADERS([openssl/ssl.h openssl/err.h openssl/rand.h openssl/ocsp.h],,, [AC_INCLUDES_DEFAULT]) - AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level CRYPTO_memcmp EC_KEY_new_by_curve_name]) + AC_CHECK_HEADERS([openssl/ssl.h openssl/err.h openssl/rand.h openssl/ocsp.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT]) + AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params]) AC_CHECK_DECLS([SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H Index: dbaccess.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/dbaccess.c,v retrieving revision 1.6 diff -u -p -r1.6 dbaccess.c --- dbaccess.c 14 May 2020 06:08:40 -0000 1.6 +++ dbaccess.c 9 Oct 2020 21:36:14 -0000 
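Review bot: `AC_CHECK_LIB(crypto, EVP_sha256,, [AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])])` now probes a symbol that first shipped in OpenSSL 0.9.8, so the error text understates the real minimum; change it to `but version 0.9.8 or higher is required` (the generated configure carries the same message verbatim). The added `LIBS=\`echo "$LIBS" | sed -e 's/ $//'\`` removes exactly one trailing space, which is narrower than its comment suggests; `sed -e 's/ *$//'` strips any run of them. The `if test x$HAVE_SSL = x"yes"` block continues beyond the hunk.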
@@ -391,13 +391,13 @@ try_read_udb(namedb_type* db, int fd, co if(!(db->udb=udb_base_create_fd(filename, fd, &namedb_walkfunc, NULL))) { /* fd is closed by failed udb create call */ - VERBOSITY(1, (LOG_WARNING, "can not use %s, " + VERBOSITY(1, (LOG_ERR, "can not use %s, " "will create anew", filename)); return 0; } /* sanity check if can be opened */ if(udb_base_get_userflags(db->udb) != 0) { - log_msg(LOG_WARNING, "%s was not closed properly, it might " + log_msg(LOG_ERR, "%s was not closed properly, it might " "be corrupted, will create anew", filename); udb_base_free(db->udb); db->udb = NULL; Index: ipc.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/ipc.c,v retrieving revision 1.8 diff -u -p -r1.8 ipc.c --- ipc.c 14 May 2020 06:08:40 -0000 1.8 +++ ipc.c 9 Oct 2020 21:36:14 -0000 @@ -50,6 +50,7 @@ ipc_child_quit(struct nsd* nsd) region_destroy(nsd->server_region); #endif server_shutdown(nsd); + /* ENOTREACH */ exit(0); } Index: mini_event.h =================================================================== RCS file: /cvs/src/usr.sbin/nsd/mini_event.h,v retrieving revision 1.2 diff -u -p -r1.2 mini_event.h --- mini_event.h 17 Feb 2017 20:04:45 -0000 1.2 +++ mini_event.h 9 Oct 2020 21:36:14 -0000 @@ -55,6 +55,11 @@ struct region; #if defined(USE_MINI_EVENT) && !defined(USE_WINSOCK) +#ifdef HAVE_SYS_SELECT_H +/* for fd_set on OpenBSD */ +#include <sys/select.h> +#endif + #ifndef HAVE_EVENT_BASE_FREE #define HAVE_EVENT_BASE_FREE #endif Index: nsd-checkconf.8.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd-checkconf.8.in,v retrieving revision 1.29 diff -u -p -r1.29 nsd-checkconf.8.in --- nsd-checkconf.8.in 23 Jul 2020 13:54:08 -0000 1.29 +++ nsd-checkconf.8.in 9 Oct 2020 21:36:14 -0000 
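Review bot: The added `/* ENOTREACH */` sits above `exit(0);`, a line that is reached every time; the conventional lint marker is `/* NOTREACHED */` and it belongs after the non-returning call, documenting that the closing brace is never fallen through to. The same placement appears in server.c in `server_send_soa_xfrd` (hunk @@ -1660) and, more misleadingly, in `listen_sslctx_setup_2` (hunk @@ -1857), where it is placed above a `log_crypto_err(...)` that does execute whenever `SSL_CTX_set_ecdh_auto` reports failure. If the intent there is that the failure branch cannot trigger with the OpenSSL versions supported, write that as a plain comment rather than borrowing the lint marker. `ipc_child_quit` starts outside the hunk.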
@@ -1,4 +1,4 @@ -.TH "nsd\-checkconf" "8" "Jul 14, 2020" "NLnet Labs" "nsd 4.3.2" +.TH "nsd\-checkconf" "8" "Oct 8, 2020" "NLnet Labs" "nsd 4.3.3" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" Index: nsd-checkzone.8.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd-checkzone.8.in,v retrieving revision 1.13 diff -u -p -r1.13 nsd-checkzone.8.in --- nsd-checkzone.8.in 23 Jul 2020 13:54:08 -0000 1.13 +++ nsd-checkzone.8.in 9 Oct 2020 21:36:14 -0000 @@ -1,4 +1,4 @@ -.TH "nsd\-checkzone" "8" "Jul 14, 2020" "NLnet Labs" "nsd 4.3.2" +.TH "nsd\-checkzone" "8" "Oct 8, 2020" "NLnet Labs" "nsd 4.3.3" .\" Copyright (c) 2014, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" Index: nsd-control.8.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd-control.8.in,v retrieving revision 1.17 diff -u -p -r1.17 nsd-control.8.in --- nsd-control.8.in 23 Jul 2020 13:54:08 -0000 1.17 +++ nsd-control.8.in 9 Oct 2020 21:36:14 -0000 @@ -1,4 +1,4 @@ -.TH "nsd\-control" "8" "Jul 14, 2020" "NLnet Labs" "nsd 4.3.2" +.TH "nsd\-control" "8" "Oct 8, 2020" "NLnet Labs" "nsd 4.3.3" .\" Copyright (c) 2011, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" Index: nsd-control.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd-control.c,v retrieving revision 1.11 diff -u -p -r1.11 nsd-control.c --- nsd-control.c 14 May 2020 06:08:40 -0000 1.11 +++ nsd-control.c 9 Oct 2020 21:36:14 -0000 
@@ -63,7 +63,7 @@ #include "tsig.h" #include "options.h" -static void usage() ATTR_NORETURN; +static void usage(void) ATTR_NORETURN; static void ssl_err(const char* s) ATTR_NORETURN; static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN; Index: nsd.8.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd.8.in,v retrieving revision 1.30 diff -u -p -r1.30 nsd.8.in --- nsd.8.in 23 Jul 2020 13:54:08 -0000 1.30 +++ nsd.8.in 9 Oct 2020 21:36:14 -0000 @@ -1,9 +1,9 @@ -.TH "NSD" "8" "Jul 14, 2020" "NLnet Labs" "NSD 4.3.2" +.TH "NSD" "8" "Oct 8, 2020" "NLnet Labs" "NSD 4.3.3" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" .B nsd -\- Name Server Daemon (NSD) version 4.3.2. +\- Name Server Daemon (NSD) version 4.3.3. .SH "SYNOPSIS" .B nsd .RB [ \-4 ] Index: nsd.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd.c,v retrieving revision 1.38 diff -u -p -r1.38 nsd.c --- nsd.c 23 Jul 2020 14:34:55 -0000 1.38 +++ nsd.c 9 Oct 2020 21:36:14 -0000 
@@ -139,12 +139,141 @@ version(void) ); #endif fprintf(stderr, - "Copyright (C) 2001-2006 NLnet Labs. This is free software.\n" + "Copyright (C) 2001-2020 NLnet Labs. This is free software.\n" "There is NO warranty; not even for MERCHANTABILITY or FITNESS\n" "FOR A PARTICULAR PURPOSE.\n"); exit(0); } +#ifdef HAVE_GETIFADDRS +static void +resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addresses, size_t *ip_addresses_size) +{ + struct ifaddrs *ifa; + size_t last_ip_addresses_size = *ip_addresses_size; + + for(ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) { + sa_family_t family; + const char* atsign; +#ifdef INET6 /* | address ip | % | ifa name | @ | port | nul */ + char addr_buf[INET6_ADDRSTRLEN + 1 + IF_NAMESIZE + 1 + 16 + 1]; +#else + char addr_buf[INET_ADDRSTRLEN + 1 + 16 + 1]; +#endif + + if((atsign=strrchr(search_ifa, '@')) != NULL) { + if(strlen(ifa->ifa_name) != (size_t)(atsign-search_ifa) + || strncmp(ifa->ifa_name, search_ifa, + atsign-search_ifa) != 0) + continue; + } else { + if(strcmp(ifa->ifa_name, search_ifa) != 0) + continue; + atsign = ""; + } + + if(ifa->ifa_addr == NULL) + continue; + + family = ifa->ifa_addr->sa_family; + if(family == AF_INET) { + char a4[INET_ADDRSTRLEN + 1]; + struct sockaddr_in *in4 = (struct sockaddr_in *) + ifa->ifa_addr; + if(!inet_ntop(family, &in4->sin_addr, a4, sizeof(a4))) + error("inet_ntop"); + snprintf(addr_buf, sizeof(addr_buf), "%s%s", + a4, atsign); + } +#ifdef INET6 + else if(family == AF_INET6) { + struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) + ifa->ifa_addr; + char a6[INET6_ADDRSTRLEN + 1]; + char if_index_name[IF_NAMESIZE + 1]; + if_index_name[0] = 0; + if(!inet_ntop(family, &in6->sin6_addr, a6, sizeof(a6))) + error("inet_ntop"); + if_indextoname(in6->sin6_scope_id, + (char *)if_index_name); + if (strlen(if_index_name) != 0) { + snprintf(addr_buf, sizeof(addr_buf), + "%s%%%s%s", a6, if_index_name, atsign); + } else { + snprintf(addr_buf, sizeof(addr_buf), "%s%s", + a6, atsign); + 
} + } +#endif + else { + continue; + } + VERBOSITY(4, (LOG_INFO, "interface %s has address %s", + search_ifa, addr_buf)); + + *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1)); + (*ip_addresses)[*ip_addresses_size] = xstrdup(addr_buf); + (*ip_addresses_size)++; + } + + if (*ip_addresses_size == last_ip_addresses_size) { + *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1)); + (*ip_addresses)[*ip_addresses_size] = xstrdup(search_ifa); + (*ip_addresses_size)++; + } +} +#endif /* HAVE_GETIFADDRS */ + +static void +resolve_interface_names(struct nsd_options* options) +{ +#ifdef HAVE_GETIFADDRS + struct ifaddrs *addrs; + struct ip_address_option *ip_addr; + struct ip_address_option *last = NULL; + struct ip_address_option *first = NULL; + + if(getifaddrs(&addrs) == -1) + error("failed to list interfaces"); + + /* replace the list of ip_adresses with a new list where the + * interface names are replaced with their ip-address strings + * from getifaddrs. An interface can have several addresses. 
*/ + for(ip_addr = options->ip_addresses; ip_addr; ip_addr = ip_addr->next) { + char **ip_addresses = NULL; + size_t ip_addresses_size = 0, i; + resolve_ifa_name(addrs, ip_addr->address, &ip_addresses, + &ip_addresses_size); + + for (i = 0; i < ip_addresses_size; i++) { + struct ip_address_option *current; + /* this copies the range_option, dev, and fib from + * the original ip_address option to the new ones + * with the addresses spelled out by resolve_ifa_name*/ + current = region_alloc_init(options->region, ip_addr, + sizeof(*ip_addr)); + current->address = region_strdup(options->region, + ip_addresses[i]); + current->next = NULL; + free(ip_addresses[i]); + + if(first == NULL) { + first = current; + } else { + last->next = current; + } + last = current; + } + free(ip_addresses); + } + + freeifaddrs(addrs); + options->ip_addresses = first; +#else + (void)options; +#endif /* HAVE_GETIFADDRS */ +} + static void copyaddrinfo(struct nsd_addrinfo *dest, struct addrinfo *src) { @@ -170,7 +299,7 @@ setup_socket( if(node) { char *sep; - if(strlcpy(host_buf, node, sizeof(host_buf)) >= sizeof(host_buf)) { + if (strlcpy(host_buf, node, sizeof(host_buf)) >= sizeof(host_buf)) { error("cannot parse address '%s': %s", node, strerror(ENAMETOOLONG)); } @@ -657,8 +786,9 @@ unlinkpid(const char* file) if (fd == -1) { /* Truncate the pid file. */ log_msg(LOG_ERR, "can not truncate the pid file %s: %s", file, strerror(errno)); - } else + } else { close(fd); + } /* unlink pidfile */ if (unlink(file) == -1) { 
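Review bot: In `resolve_ifa_name` the text after `@` is copied from the operator's `ip-address:` value verbatim, so the `snprintf(addr_buf, ...)` calls can truncate silently when it exceeds the 16 bytes the `addr_buf` size comment budgets for a port, and the truncated string is then used as an address. Check the return value at each of the four sites, e.g. `if(snprintf(addr_buf, sizeof(addr_buf), "%s%s", a4, atsign) >= (int)sizeof(addr_buf)) error("address for interface %s too long", search_ifa);`. The `if_indextoname(in6->sin6_scope_id, (char *)if_index_name);` result is likewise unchecked; the `if_index_name[0] = 0` pre-seed only makes the following `strlen` test safe if a failing call leaves the buffer untouched, which I do not believe the standard promises, so test the returned pointer for NULL instead. The `(char *)` cast there is also a no-op on a `char` array and can go.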
@@ -1238,6 +1368,7 @@ main(int argc, char *argv[]) nsd.this_child = NULL; + resolve_interface_names(nsd.options); figure_sockets(&nsd.udp, &nsd.tcp, &nsd.ifs, nsd.options->ip_addresses, udp_port, tcp_port, &hints); Index: nsd.conf.5.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd.conf.5.in,v retrieving revision 1.35 diff -u -p -r1.35 nsd.conf.5.in --- nsd.conf.5.in 23 Jul 2020 13:54:08 -0000 1.35 +++ nsd.conf.5.in 9 Oct 2020 21:36:14 -0000 @@ -1,4 +1,4 @@ -.TH "nsd.conf" "5" "Jul 14, 2020" "NLnet Labs" "nsd 4.3.2" +.TH "nsd.conf" "5" "Oct 8, 2020" "NLnet Labs" "nsd 4.3.3" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" @@ -143,11 +143,15 @@ NSD will bind to the listed ip\-address. to bind multiple ip\-addresses. Optionally, a port number can be given. If none are given NSD listens to the wildcard interface. Same as commandline option .BR \-a. +.IP To limit which NSD server(s) listen on the given interface, specify one or more servers separated by whitespace after <ip>[@port]. Ranges can be used as a shorthand to specify multiple consecutive servers. By default every server will listen. -.BR +.IP +If an interface name is used instead of ip4 or ip6, the list of IP addresses +associated with that interface is picked up and used at server start. +.IP For servers with multiple IP addresses that can be used to send traffic to the internet, list them one by one, or the source address of replies could be wrong. This is because if the udp socket associates a source 
@@ -298,10 +302,10 @@ Default is system default MSS determined negotiation between NSD and other servers. .TP .B ipv4\-edns\-size:\fR <number> -Preferred EDNS buffer size for IPv4. Default 4096. +Preferred EDNS buffer size for IPv4. Default 1232. .TP .B ipv6\-edns\-size:\fR <number> -Preferred EDNS buffer size for IPv6. Default 4096. +Preferred EDNS buffer size for IPv6. Default 1232. .TP .B pidfile:\fR <filename> Use the pid file instead of the platform specific default, usually Index: nsd.conf.sample.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd.conf.sample.in,v retrieving revision 1.14 diff -u -p -r1.14 nsd.conf.sample.in --- nsd.conf.sample.in 23 Jul 2020 13:54:08 -0000 1.14 +++ nsd.conf.sample.in 9 Oct 2020 21:36:14 -0000 @@ -175,10 +175,10 @@ server: # outgoing-tcp-mss: 0 # Preferred EDNS buffer size for IPv4. - # ipv4-edns-size: 4096 + # ipv4-edns-size: 1232 # Preferred EDNS buffer size for IPv6. - # ipv6-edns-size: 4096 + # ipv6-edns-size: 1232 # statistics are produced every number of seconds. Prints to log. # Default is 0, meaning no statistics are produced. Index: options.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/options.c,v retrieving revision 1.19 diff -u -p -r1.19 options.c --- options.c 23 Jul 2020 13:54:08 -0000 1.19 +++ options.c 9 Oct 2020 21:36:14 -0000 @@ -9,6 +9,7 @@ #include "config.h" #include <string.h> #include <stdio.h> +#include <sys/stat.h> #include <errno.h> #include "options.h" #include "query.h" 
@@ -161,6 +162,20 @@ nsd_options_insert_pattern(struct nsd_op return 1; } +void +warn_if_directory(const char* filetype, FILE* f, const char* fname) +{ + if(fileno(f) != -1) { + struct stat st; + memset(&st, 0, sizeof(st)); + if(fstat(fileno(f), &st) != -1) { + if(S_ISDIR(st.st_mode)) { + log_msg(LOG_WARNING, "trying to read %s but it is a directory: %s", filetype, fname); + } + } + } +} + int parse_options_file(struct nsd_options* opt, const char* file, void (*err)(void*,const char*), void* err_arg) @@ -197,6 +212,7 @@ parse_options_file(struct nsd_options* o } return 0; } + warn_if_directory("configfile", in, file); c_in = in; c_parse(); fclose(in); Index: options.h =================================================================== RCS file: /cvs/src/usr.sbin/nsd/options.h,v retrieving revision 1.18 diff -u -p -r1.18 options.h --- options.h 23 Jul 2020 13:54:08 -0000 1.18 +++ options.h 9 Oct 2020 21:36:14 -0000 @@ -468,5 +468,9 @@ void nsd_options_destroy(struct nsd_opti void replace_str(char* buf, size_t len, const char* one, const char* two); /* apply pattern to the existing pattern in the parser */ void config_apply_pattern(struct pattern_options *dest, const char* name); +/* if the file is a directory, print a warning, because flex just exit()s + * when a fileread fails because it is a directory, helps the user figure + * out what just happened */ +void warn_if_directory(const char* filetype, FILE* f, const char* fname); #endif /* OPTIONS_H */ Index: server.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/server.c,v retrieving revision 1.39 diff -u -p -r1.39 server.c --- server.c 23 Jul 2020 13:54:08 -0000 1.39 +++ server.c 9 Oct 2020 21:36:14 -0000 @@ -1660,6 +1660,7 @@ server_send_soa_xfrd(struct nsd* nsd, in udb_base_sync(nsd->db->udb, 1); udb_base_close(nsd->db->udb); server_shutdown(nsd); + /* ENOTREACH */ exit(0); } } 
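Review bot: `warn_if_directory` logs at LOG_WARNING and returns void, yet according to the comment added to options.h in this diff the process is about to be exited by flex on the next read, so the caller `parse_options_file` never gets to take its normal `fclose(in); return 0;` failure path. Returning the directory check as an int, logging at LOG_ERR, and letting the caller bail out keeps the failure on the existing error path and lets it clean up; the options.h prototype changes to `int warn_if_directory(const char* filetype, FILE* f, const char* fname);`. The `memset(&st, 0, sizeof(st))` is unnecessary because `fstat` fills the struct on success and the result is only read on that branch, and `fileno(f)` need only be evaluated once. `parse_options_file` begins outside the hunk.
```c
int
warn_if_directory(const char* filetype, FILE* f, const char* fname)
{
	int fd = fileno(f);
	struct stat st;
	if(fd != -1 && fstat(fd, &st) != -1 && S_ISDIR(st.st_mode)) {
		log_msg(LOG_ERR, "trying to read %s but it is a directory: %s", filetype, fname);
		return 1;
	}
	return 0;
}

/* … in parse_options_file, replacing the bare warn_if_directory call … */
	if(warn_if_directory("configfile", in, file)) {
		fclose(in);
		return 0;
	}
	c_in = in;
```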
@@ -1857,6 +1858,7 @@ listen_sslctx_setup_2(void* ctxt) (void)ctx; #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO if(!SSL_CTX_set_ecdh_auto(ctx,1)) { + /* ENOTREACH */ log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); } #elif defined(HAVE_DECL_SSL_CTX_SET_TMP_ECDH) && defined(NID_X9_62_prime256v1) && defined(HAVE_EC_KEY_NEW_BY_CURVE_NAME) Index: tsig-openssl.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/tsig-openssl.c,v retrieving revision 1.4 diff -u -p -r1.4 tsig-openssl.c --- tsig-openssl.c 24 Oct 2016 09:44:43 -0000 1.4 +++ tsig-openssl.c 9 Oct 2020 21:36:14 -0000 @@ -11,6 +11,9 @@ #if defined(HAVE_SSL) +#ifdef HAVE_OPENSSL_CORE_NAMES_H +#include <openssl/core_names.h> +#endif #include "tsig-openssl.h" #include "tsig.h" #include "util.h" @@ -22,11 +25,36 @@ static void init_context(void *context, static void update(void *context, const void *data, size_t size); static void final(void *context, uint8_t *digest, size_t *size); +#ifdef HAVE_EVP_MAC_CTX_NEW +struct tsig_openssl_data { + /* the MAC for the algorithm, 'hmac' */ + EVP_MAC* mac; + /* the digest name for creating the EVP_MAC_CTX with, 'sha256' */ + const char* digest; +}; + +struct tsig_openssl_context { + /* the evp mac context, if notNULL it has algo and key set. */ + EVP_MAC_CTX* hmac_ctx; + /* the size of destination buffers */ + size_t outsize; +}; + +static void +cleanup_tsig_openssl_data(void *data) +{ + struct tsig_openssl_data* d = (struct tsig_openssl_data*)data; + EVP_MAC_free(d->mac); + d->mac = NULL; +} +#endif + static int tsig_openssl_init_algorithm(region_type* region, const char* digest, const char* name, const char* wireformat) { tsig_algorithm_type* algorithm; +#ifndef HAVE_EVP_MAC_CTX_NEW const EVP_MD *hmac_algorithm; hmac_algorithm = EVP_get_digestbyname(digest); 
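Review bot: The comment on `hmac_ctx` in the new `struct tsig_openssl_context` reads `if notNULL it has algo and key set.`; write `if not NULL, the algorithm and key have been set.` so it reads cleanly. The `#ifndef HAVE_EVP_MAC_CTX_NEW` opened at the end of this hunk in `tsig_openssl_init_algorithm` is closed only in the following hunks, interleaving the legacy HMAC path and the EVP_MAC path through the whole function; two small static helpers, one per API, each returning the algorithm data and digest size, would make either path readable on its own. `tsig_openssl_init_algorithm` continues beyond the hunk.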
@@ -34,6 +62,44 @@ tsig_openssl_init_algorithm(region_type* /* skip but don't error */ return 0; } +#else + struct tsig_openssl_data* data; + EVP_MAC_CTX* hmac_ctx; + OSSL_PARAM params[3]; + data = region_alloc(region, sizeof(*data)); + data->digest = digest; + data->mac = EVP_MAC_fetch(NULL, "hmac", NULL); + if(!data->mac) { + log_msg(LOG_ERR, "could not fetch MAC implementation 'hmac' with EVP_MAC_fetch"); + return 0; + } + /* this context is created to see what size the output is */ + hmac_ctx = EVP_MAC_CTX_new(data->mac); + if(!hmac_ctx) { + EVP_MAC_free(data->mac); + return 0; + } + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, + (char*)digest, 0); + params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, + "", 1); + params[2] = OSSL_PARAM_construct_end(); +#ifdef HAVE_EVP_MAC_CTX_SET_PARAMS + if(EVP_MAC_CTX_set_params(hmac_ctx, params) <= 0) { + log_msg(LOG_ERR, "could not EVP_MAC_CTX_set_params"); + EVP_MAC_CTX_free(hmac_ctx); + EVP_MAC_free(data->mac); + return 0; + } +#else + if(EVP_MAC_set_ctx_params(hmac_ctx, params) <= 0) { + log_msg(LOG_ERR, "could not EVP_MAC_set_ctx_params"); + EVP_MAC_CTX_free(hmac_ctx); + EVP_MAC_free(data->mac); + return 0; + } +#endif +#endif algorithm = (tsig_algorithm_type *) region_alloc( region, sizeof(tsig_algorithm_type)); 
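Review bot: The three failure paths after `data->mac = EVP_MAC_fetch(...)` call `EVP_MAC_free(data->mac)` but leave `data->mac` pointing at freed memory while `data` itself stays allocated in the region; nothing double-frees today because `cleanup_tsig_openssl_data` is only registered further down (in a later hunk), but zeroing the pointer with `data->mac = NULL;` after each free keeps the region from carrying a dangling pointer and matches what the cleanup function does. The `EVP_MAC_CTX_new` failure is also the only branch without a log_msg, so that registration failure is silent apart from the return 0; `log_msg(LOG_ERR, "could not EVP_MAC_CTX_new");` would match the neighbouring branches. tsig_openssl_init_algorithm continues outside the hunk.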
@@ -42,18 +108,34 @@ tsig_openssl_init_algorithm(region_type* = dname_parse(region, wireformat); if (!algorithm->wireformat_name) { log_msg(LOG_ERR, "cannot parse %s algorithm", wireformat); +#ifdef HAVE_EVP_MAC_CTX_NEW + EVP_MAC_CTX_free(hmac_ctx); + EVP_MAC_free(data->mac); +#endif return 0; } +#ifndef HAVE_EVP_MAC_CTX_NEW algorithm->maximum_digest_size = EVP_MD_size(hmac_algorithm); +#else + algorithm->maximum_digest_size = EVP_MAC_size(hmac_ctx); +#endif if(algorithm->maximum_digest_size < 20) algorithm->maximum_digest_size = EVP_MAX_MD_SIZE; +#ifndef HAVE_EVP_MAC_CTX_NEW algorithm->data = hmac_algorithm; +#else + algorithm->data = data; + region_add_cleanup(region, cleanup_tsig_openssl_data, data); +#endif algorithm->hmac_create_context = create_context; algorithm->hmac_init_context = init_context; algorithm->hmac_update = update; algorithm->hmac_final = final; tsig_add_algorithm(algorithm); +#ifdef HAVE_EVP_MAC_CTX_NEW + EVP_MAC_CTX_free(hmac_ctx); +#endif return 1; } @@ -86,6 +168,7 @@ tsig_openssl_init(region_type *region) static void cleanup_context(void *data) { +#ifndef HAVE_EVP_MAC_CTX_NEW HMAC_CTX *context = (HMAC_CTX *) data; #ifdef HAVE_HMAC_CTX_NEW HMAC_CTX_free(context); @@ -93,11 +176,17 @@ cleanup_context(void *data) HMAC_CTX_cleanup(context); free(context); #endif +#else + struct tsig_openssl_context* c = (struct tsig_openssl_context*)data; + EVP_MAC_CTX_free(c->hmac_ctx); + c->hmac_ctx = NULL; +#endif } static void * create_context(region_type *region) { +#ifndef HAVE_EVP_MAC_CTX_NEW #ifdef HAVE_HMAC_CTX_NEW HMAC_CTX *context = HMAC_CTX_new(); #else @@ -109,6 +198,12 @@ create_context(region_type *region) #else HMAC_CTX_init(context); #endif +#else + struct tsig_openssl_context* context = region_alloc(region, + sizeof(*context)); + memset(context, 0, sizeof(*context)); + region_add_cleanup(region, cleanup_context, context); +#endif return context; } 
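Review bot: `algorithm->maximum_digest_size = EVP_MAC_size(hmac_ctx);` is followed by the pre-existing `< 20` fallback to EVP_MAX_MD_SIZE, so a probe context that reports a size of 0 (the EVP_MAC API's error value, as far as I recall — confirm against the 3.0 headers) is silently promoted to the maximum size instead of failing registration; the legacy `EVP_MD_size` path has the same shape, but with a provider-fetched implementation an explicit `if(algorithm->maximum_digest_size == 0)` that frees `hmac_ctx` and `data->mac` and returns 0 would surface a digest the provider cannot supply at startup rather than at first use. As a point of style, this function now alternates six `#ifdef`/`#ifndef HAVE_EVP_MAC_CTX_NEW` blocks across the two hunks; moving the 3.0 probe into a static helper that returns the digest size (or 0) would let the shared tail read as a single path. The function starts outside this hunk.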
@@ -117,25 +212,75 @@ init_context(void *context, tsig_algorithm_type *algorithm, tsig_key_type *key) { +#ifndef HAVE_EVP_MAC_CTX_NEW HMAC_CTX *ctx = (HMAC_CTX *) context; const EVP_MD *md = (const EVP_MD *) algorithm->data; HMAC_Init_ex(ctx, key->data, key->size, md, NULL); +#else + OSSL_PARAM params[3]; + struct tsig_openssl_data* algo_data = (struct tsig_openssl_data*) + algorithm->data; + struct tsig_openssl_context* c = (struct tsig_openssl_context*)context; + if(c->hmac_ctx) { + EVP_MAC_CTX_free(c->hmac_ctx); + } + c->hmac_ctx = EVP_MAC_CTX_new(algo_data->mac); + if(!c->hmac_ctx) { + log_msg(LOG_ERR, "could not EVP_MAC_CTX_new"); + return; + } + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, + (char*)algo_data->digest, 0); + params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, + key->data, key->size); + params[2] = OSSL_PARAM_construct_end(); +#ifdef HAVE_EVP_MAC_CTX_SET_PARAMS + if(EVP_MAC_CTX_set_params(c->hmac_ctx, params) <= 0) { + log_msg(LOG_ERR, "could not EVP_MAC_CTX_set_params"); + EVP_MAC_CTX_free(c->hmac_ctx); + c->hmac_ctx = NULL; + return; + } +#else + if(EVP_MAC_set_ctx_params(hmac_ctx, params) <= 0) { + log_msg(LOG_ERR, "could not EVP_MAC_set_ctx_params"); + EVP_MAC_CTX_free(c->hmac_ctx); + c->hmac_ctx = NULL; + return; + } +#endif + c->outsize = algorithm->maximum_digest_size; +#endif } static void update(void *context, const void *data, size_t size) { +#ifndef HAVE_EVP_MAC_CTX_NEW HMAC_CTX *ctx = (HMAC_CTX *) context; HMAC_Update(ctx, (unsigned char *) data, (int) size); +#else + struct tsig_openssl_context* c = (struct tsig_openssl_context*)context; + if(EVP_MAC_update(c->hmac_ctx, data, size) <= 0) { + log_msg(LOG_ERR, "could not EVP_MAC_update"); + } +#endif } static void final(void *context, uint8_t *digest, size_t *size) { +#ifndef HAVE_EVP_MAC_CTX_NEW HMAC_CTX *ctx = (HMAC_CTX *) context; unsigned len = (unsigned) *size; HMAC_Final(ctx, digest, &len); *size = (size_t) len; +#else + struct 
tsig_openssl_context* c = (struct tsig_openssl_context*)context; + if(EVP_MAC_final(c->hmac_ctx, digest, size, c->outsize) <= 0) { + log_msg(LOG_ERR, "could not EVP_MAC_final"); + } +#endif } void Index: tsig-openssl.h =================================================================== RCS file: /cvs/src/usr.sbin/nsd/tsig-openssl.h,v retrieving revision 1.1.1.4 diff -u -p -r1.1.1.4 tsig-openssl.h --- tsig-openssl.h 26 Nov 2013 12:50:10 -0000 1.1.1.4 +++ tsig-openssl.h 9 Oct 2020 21:36:14 -0000 @@ -22,7 +22,7 @@ */ int tsig_openssl_init(region_type *region); -void tsig_openssl_finalize(); +void tsig_openssl_finalize(void); #endif /* defined(HAVE_SSL) */ Index: util.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/util.c,v retrieving revision 1.25 diff -u -p -r1.25 util.c --- util.c 23 Jul 2020 14:34:55 -0000 1.25 +++ util.c 9 Oct 2020 21:36:14 -0000 @@ -266,6 +266,19 @@ lookup_by_id(lookup_table_type *table, i return NULL; } +char * +xstrdup(const char *src) +{ + char *result = strdup(src); + + if(!result) { + log_msg(LOG_ERR, "strdup failed: %s", strerror(errno)); + exit(1); + } + + return result; +} + void * xalloc(size_t size) { Index: util.h =================================================================== RCS file: /cvs/src/usr.sbin/nsd/util.h,v retrieving revision 1.16 diff -u -p -r1.16 util.h --- util.h 23 Jul 2020 13:54:08 -0000 1.16 +++ util.h 9 Oct 2020 21:36:14 -0000 @@ -148,6 +148,7 @@ void *xmallocarray(size_t num, size_t si void *xalloc_zero(size_t size); void *xalloc_array_zero(size_t num, size_t size); void *xrealloc(void *ptr, size_t size); +char *xstrdup(const char *src); /* * Mmap allocator routines. 
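Review bot: In the `#else` fallback of init_context, `EVP_MAC_set_ctx_params(hmac_ctx, params)` names `hmac_ctx`, which is not declared in that function — it should be `c->hmac_ctx`, as in the `EVP_MAC_CTX_free` two lines below; as written, a build without HAVE_EVP_MAC_CTX_SET_PARAMS does not compile. Separately, init_context leaves `c->hmac_ctx` NULL after logging a failure, and update()/final() then pass that NULL straight to EVP_MAC_update()/EVP_MAC_final(); a guard at the top of both, `if(!c->hmac_ctx) { log_msg(LOG_ERR, "tsig hmac context not initialized"); return; }`, keeps a bad key from becoming a crash. final() also bounds the output by `c->outsize` rather than the caller's `*size`; if `*size` is the buffer capacity on entry, as the legacy path's in/out use of it suggests, `EVP_MAC_final(c->hmac_ctx, digest, size, *size)` is the safer bound.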
@@ -400,7 +401,7 @@ struct state_pretty_rr { struct state_pretty_rr* create_pretty_rr(struct region* region); /* print rr to file, returns 0 on failure(nothing is written) */ int print_rr(FILE *out, struct state_pretty_rr* state, struct rr *record, - struct region* tmp_region, struct buffer* tmp_buffer); + struct region* tmp_region, struct buffer* tmp_buffer); /* * Convert a numeric rcode value to a human readable string Index: zonec.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/zonec.c,v retrieving revision 1.26 diff -u -p -r1.26 zonec.c --- zonec.c 17 Sep 2019 16:19:35 -0000 1.26 +++ zonec.c 9 Oct 2020 21:36:14 -0000 @@ -1341,8 +1341,12 @@ zone_open(const char *filename, uint32_t if (strcmp(filename, "-") == 0) { yyin = stdin; filename = "<stdin>"; - } else if (!(yyin = fopen(filename, "r"))) { - return 0; + warn_if_directory("zonefile from stdin", yyin, filename); + } else { + if (!(yyin = fopen(filename, "r"))) { + return 0; + } + warn_if_directory("zonefile", yyin, filename); } zparser_init(filename, ttl, klass, origin); Index: zonec.h =================================================================== RCS file: /cvs/src/usr.sbin/nsd/zonec.h,v retrieving revision 1.9 diff -u -p -r1.9 zonec.h --- zonec.h 17 Sep 2019 16:19:35 -0000 1.9 +++ zonec.h 9 Oct 2020 21:36:14 -0000 
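Review bot: `warn_if_directory("zonefile", yyin, filename)` only logs, after which zone_open hands the directory stream to the flex scanner, which per the options.h comment in this diff exit()s when the read fails; so a zonefile path that has turned into a directory terminates the parsing process rather than returning 0 to the caller the way the `fopen` failure two lines above does. Since the stream's fstat result is already computed, returning it (an `int` from warn_if_directory, or a small `is_directory(FILE*)` helper) would let zone_open do `fclose(yyin); return 0;` in that case. The "zonefile from stdin" branch is fine to leave as a warning. zone_open continues outside the hunk.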
@@ -117,7 +117,7 @@ void parse_unknown_rdata(uint16_t type, uint32_t zparser_ttl2int(const char *ttlstr, int* error); void zadd_rdata_wireformat(uint16_t *data); void zadd_rdata_txt_wireformat(uint16_t *data, int first); -void zadd_rdata_txt_clean_wireformat(); +void zadd_rdata_txt_clean_wireformat(void); void zadd_rdata_domain(domain_type *domain); void set_bitnsec(uint8_t bits[NSEC_WINDOW_COUNT][NSEC_WINDOW_BITS_SIZE], Index: doc/ChangeLog =================================================================== RCS file: /cvs/src/usr.sbin/nsd/doc/ChangeLog,v retrieving revision 1.4 diff -u -p -r1.4 ChangeLog --- doc/ChangeLog 23 Jul 2020 13:54:08 -0000 1.4 +++ doc/ChangeLog 9 Oct 2020 21:36:14 -0000 
@@ -1,3 +1,58 @@ +1 October 2020: Wouter + - tag for 4.3.3rc1 release. + +30 September 2020: Wouter + - Updated date in nsd -v output. + - Fixup bug013_truncate, checkconf and cutest_qroot tests for new + default EDNS size. + +29 September 2020: Willem + - Follow DNS flag day 2020 advice and + set default EDNS message size to 1232. + +4 September 2020: Wouter + - Remove unused space from LIBS on link line. + +3 September 2020: Wouter + - Merge PR #121: Increase log level of recreated database from + WARNING to ERR. + +1 September 2020: Wouter + - Fix #119: fix compile warnings from new gcc. + - Fix #119: warn when trying to parse a directory. + +27 August 2020: Wouter + - Merged PR #113 with fixes. Instead of listing an IP-address to + listen on, an interface name can be specified in nsd.conf, with + ip-address: eth0. The IP-addresses for that interface are then used. + +26 August 2020: Wouter + - Add xstrdup for PR #113. + - Tidy up code like in PR #113. + - Import code from PR #113. + - Fix for unknown EVP_MAC_CTX_free function in openssl 3.0.0 tsig code. + +24 August 2020: Wouter + - Fix that configure checks for EVP_sha256 to detect openssl, because + HMAC_CTX_new is deprecated in 3.0.0. + - Port TSIG code for openssl 3.0.0-alpha6. + - Sync acx_nlnetlabs.m4 with the unbound repo. + - Review fixes for tsig, defensive free and zero. + +4 August 2020: Wouter + - Merge #117: mini_event.h (4.3.2 and 4.3.1) on OpenBSD cannot find + fd_set - patch. + +23 July 2020: Wouter + - Merge #115 from millert: Fix strlcpy() usage. From OpenBSD. + +15 July 2020: Wouter + - Fix make install with --with-pidfile="". + +14 July 2020: Wouter + - Tag for 4.3.2 release. Master branch contains the next version + in development, 4.3.3. + 7 July 2020: Wouter - Tag for 4.3.2rc1. 
Index: doc/RELNOTES =================================================================== RCS file: /cvs/src/usr.sbin/nsd/doc/RELNOTES,v retrieving revision 1.3 diff -u -p -r1.3 RELNOTES --- doc/RELNOTES 23 Jul 2020 13:54:08 -0000 1.3 +++ doc/RELNOTES 9 Oct 2020 21:36:14 -0000 @@ -1,5 +1,29 @@ NSD RELEASE NOTES +4.3.3 +================ +FEATURES: + - Follow DNS flag day 2020 advice and + set default EDNS message size to 1232. + - Merged PR #113 with fixes. Instead of listing an IP-address to + listen on, an interface name can be specified in nsd.conf, with + ip-address: eth0. The IP-addresses for that interface are then used. + - Port TSIG code for openssl 3.0.0-alpha6. +BUG FIXES: + - Fix make install with --with-pidfile="". + - Merge #115 from millert: Fix strlcpy() usage. From OpenBSD. + - Merge #117: mini_event.h (4.3.2 and 4.3.1) on OpenBSD cannot find + fd_set - patch. + - Fix that configure checks for EVP_sha256 to detect openssl, because + HMAC_CTX_new is deprecated in 3.0.0. + - Fix #119: fix compile warnings from new gcc. + - Fix #119: warn when trying to parse a directory. + - Merge PR #121: Increase log level of recreated database from + WARNING to ERR. + - Remove unused space from LIBS on link line. + - Updated date in nsd -v output. + + 4.3.2 ================ FEATURES: