Sorry, I messed up the GitHub issues; this is the interesting one:

- Fix #194: Incorrect NSEC3 response for SOA query below delegation point.
On 20 October 2021 18:24:13 CEST, Florian Obser <[email protected]> wrote: > >Particularly interesting is >- Fix #190: NSD returns 3 NSEC3 records for NODATA response. > >which I believe is a fix for the problem mischa reported on misc: "NSD >exit status 11 on 7.0" > >Tests, OKs? > >diff --git doc/RELNOTES doc/RELNOTES >index 054eb9b8f60..b7157bbc0a6 100644 >--- doc/RELNOTES >+++ doc/RELNOTES >@@ -1,5 +1,31 @@ > NSD RELEASE NOTES > >+4.3.8 >+================ >+FEATURES: >+ - Merge #185 by cesarkuroiwa: Mutual TLS. >+ - Set default for answer-cookie to no. Because in server deployments >+ with mixed server software, a default of yes causes issues. >+BUG FIXES: >+ - Fix to compile with OpenSSL 3.0.0beta2. >+ - Fix configure detection of SSL_CTX_set_security_level. >+ - Fix deprecated functions use from openssl 3.0.0beta2. >+ - For #184: Note that all zones can be targeted by some nsd-control >+ commands in the man page. >+ - Fixes for #185: Document client-cert, client-key and client-key-pw >+ in the man page. Fix yacc semicolon. Fix unused variable warning. >+ Use strlcpy instead of strncpy. Fix spelling error in error >+ printout. >+ - Merge #187: Support using system-wide crypto policies. >+ - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7. >+ - Fix sed script in ssldir split handling. >+ - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion >+ `query->delegation_rrset' failed. >+ - Fix #190: NSD returns 3 NSEC3 records for NODATA response. >+ - Fix compile failure with openssl 1.0.2. >+ - Fix #194: Incorrect NSEC3 response for SOA query below delegation >+ point. >+ > 4.3.7 > ================ > FEATURES: >diff --git acx_nlnetlabs.m4 acx_nlnetlabs.m4 >index 7ce79070805..1574f97bfe0 100644 >--- acx_nlnetlabs.m4 >+++ acx_nlnetlabs.m4 
>@@ -2,7 +2,11 @@ > # Copyright 2009, Wouter Wijngaards, NLnet Labs. > # BSD licensed. > # >-# Version 40 >+# Version 43 >+# 2021-08-17 fix sed script in ssldir split handling. >+# 2021-08-17 fix for openssl to detect split version, with ssldir_include >+# and ssldir_lib output directories. >+# 2021-07-30 fix for openssl use of lib64 directory. > # 2021-06-14 fix nonblocking test to use host instead of target for mingw > test. > # 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for > # 64bit compatibility. >@@ -646,6 +650,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [ > withval=$1 > if test x_$withval != x_no; then > AC_MSG_CHECKING(for SSL) >+ if test -n "$withval"; then >+ dnl look for openssl install with different version, eg. >+ dnl in /usr/include/openssl11/openssl/ssl.h >+ dnl and /usr/lib64/openssl11/libssl.so >+ dnl with the --with-ssl=/usr/include/openssl11 >+ if test ! -f "$withval/include/openssl/ssl.h" -a -f >"$withval/openssl/ssl.h"; then >+ ssldir="$withval" >+ found_ssl="yes" >+ withval="" >+ ssldir_include="$ssldir" >+ dnl find the libdir >+ ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` >+ if test -f "$ssldir_lib/libssl.a" -o -f >"$ssldir_lib/libssl.so"; then >+ : # found here >+ else >+ ssldir_lib=`echo $ssldir | sed -e >'s/include/lib64/'` >+ if test -f "$ssldir_lib/libssl.a" -o -f >"$ssldir_lib/libssl.so"; then >+ : # found here >+ else >+ AC_MSG_ERROR([Could not find openssl >lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or >"/usr/include/openssl11"]) >+ fi >+ fi >+ fi >+ fi > if test x_$withval = x_ -o x_$withval = x_yes; then > withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local > /opt/local /usr/sfw /usr" > fi 
>@@ -653,12 +681,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [ > ssldir="$dir" > if test -f "$dir/include/openssl/ssl.h"; then > found_ssl="yes" >- AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the >SSL libraries installed.]) >- dnl assume /usr/include is already in the include-path. >- if test "$ssldir" != "/usr"; then >- CPPFLAGS="$CPPFLAGS -I$ssldir/include" >- LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include" >- fi >+ ssldir_include="$ssldir/include" >+ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then >+ ssldir_lib="$ssldir/lib64" >+ else >+ ssldir_lib="$ssldir/lib" >+ fi > break; > fi > done >@@ -666,13 +694,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [ > AC_MSG_ERROR(Cannot find the SSL libraries in $withval) > else > AC_MSG_RESULT(found in $ssldir) >+ AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL >libraries installed.]) > HAVE_SSL=yes >- dnl assume /usr is already in the lib and dynlib paths. >- if test "$ssldir" != "/usr" -a "$ssldir" != ""; then >- LDFLAGS="$LDFLAGS -L$ssldir/lib" >- LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" >- ACX_RUNTIME_PATH_ADD([$ssldir/lib]) >- fi >+ dnl assume /usr is already in the include, lib and dynlib paths. >+ if test "$ssldir" != "/usr"; then >+ CPPFLAGS="$CPPFLAGS -I$ssldir_include" >+ LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include" >+ LDFLAGS="$LDFLAGS -L$ssldir_lib" >+ LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib" >+ ACX_RUNTIME_PATH_ADD([$ssldir_lib]) >+ fi > > AC_MSG_CHECKING([for EVP_sha256 in -lcrypto]) > LIBS="$LIBS -lcrypto" >@@ -751,7 +782,7 @@ dnl > AC_DEFUN([ACX_WITH_SSL], > [ > AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check > /usr/local/ssl >- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local >/opt/local /usr/sfw /usr)]),[ >+ /usr/lib/ssl /usr/ssl /usr/pkg /usr/local >/opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[ > ],[ > withval="yes" > ]) 
>@@ -769,7 +800,7 @@ dnl > AC_DEFUN([ACX_WITH_SSL_OPTIONAL], > [ > AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check > /usr/local/ssl >- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local >/opt/local /usr/sfw /usr)]),[ >+ /usr/lib/ssl /usr/ssl /usr/pkg /usr/local >/opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[ > ],[ > withval="yes" > ]) >diff --git config.h.in config.h.in >index c4cd67f7dfe..34a89602063 100644 >--- config.h.in >+++ config.h.in >@@ -31,6 +31,12 @@ > /* Pathname to the NSD database */ > #undef DBFILE > >+/* Whether ERR_load_SSL_strings is deprecated */ >+#undef DEPRECATED_ERR_LOAD_SSL_STRINGS >+ >+/* Whether SHA1_Init is deprecated */ >+#undef DEPRECATED_SHA1_INIT >+ > /* default dnstap socket path */ > #undef DNSTAP_SOCKET_PATH > >@@ -127,6 +133,9 @@ > /* Define to 1 if you have the `ERR_load_crypto_strings' function. */ > #undef HAVE_ERR_LOAD_CRYPTO_STRINGS > >+/* Define to 1 if you have the `ERR_load_SSL_strings' function. */ >+#undef HAVE_ERR_LOAD_SSL_STRINGS >+ > /* Define to 1 if you have the `event_base_free' function. */ > #undef HAVE_EVENT_BASE_FREE > >@@ -145,6 +154,9 @@ > /* Define to 1 if you have the `EVP_cleanup' function. */ > #undef HAVE_EVP_CLEANUP > >+/* Define to 1 if you have the `EVP_MAC_CTX_get_mac_size' function. */ >+#undef HAVE_EVP_MAC_CTX_GET_MAC_SIZE >+ > /* Define to 1 if you have the `EVP_MAC_CTX_new' function. */ > #undef HAVE_EVP_MAC_CTX_NEW > >@@ -338,6 +350,9 @@ > /* Define to 1 if you have the `setusercontext' function. */ > #undef HAVE_SETUSERCONTEXT > >+/* Define to 1 if you have the `SHA1_Init' function. */ >+#undef HAVE_SHA1_INIT >+ > /* Define to 1 if you have the `sigaction' function. */ > #undef HAVE_SIGACTION 
> >@@ -359,6 +374,9 @@ > /* Define to 1 if you have the `SSL_CTX_set_security_level' function. */ > #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL > >+/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */ >+#undef HAVE_SSL_GET1_PEER_CERTIFICATE >+ > /* Define to 1 if you have the <stdarg.h> header file. */ > #undef HAVE_STDARG_H > >diff --git configlexer.lex configlexer.lex >index 6d4933de381..d5fcd58b7f6 100644 >--- configlexer.lex >+++ configlexer.lex >@@ -242,6 +242,9 @@ outgoing-interface{COLON} { LEXOUT(("v(%s) ", yytext)); >return VAR_OUTGOING_INTE > allow-axfr-fallback{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_ALLOW_AXFR_FALLBACK;} > tls-auth{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_TLS_AUTH;} > auth-domain-name{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_TLS_AUTH_DOMAIN_NAME;} >+client-cert{COLON} { LEXOUT(("v(%s) ", yytext)); return >VAR_TLS_AUTH_CLIENT_CERT;} >+client-key{COLON} { LEXOUT(("v(%s) ", yytext)); return >VAR_TLS_AUTH_CLIENT_KEY;} >+client-key-pw{COLON} { LEXOUT(("v(%s) ", yytext)); return >VAR_TLS_AUTH_CLIENT_KEY_PW;} > key{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_KEY;} > algorithm{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALGORITHM;} > secret{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SECRET;} >diff --git configparser.y configparser.y >index 6b369cad35d..6642a6f544c 100644 >--- configparser.y >+++ configparser.y >@@ -149,6 +149,9 @@ static int parse_range(const char *str, long long *low, >long long *high); > /* xot auth */ > %token VAR_TLS_AUTH > %token VAR_TLS_AUTH_DOMAIN_NAME >+%token VAR_TLS_AUTH_CLIENT_CERT >+%token VAR_TLS_AUTH_CLIENT_KEY >+%token VAR_TLS_AUTH_CLIENT_KEY_PW > > /* pattern */ > %token VAR_PATTERN 
>@@ -672,7 +675,20 @@ tls_auth_option: > | VAR_TLS_AUTH_DOMAIN_NAME STRING > { > cfg_parser->tls_auth->auth_domain_name = > region_strdup(cfg_parser->opt->region, $2); >- }; >+ } >+ | VAR_TLS_AUTH_CLIENT_CERT STRING >+ { >+ cfg_parser->tls_auth->client_cert = >region_strdup(cfg_parser->opt->region, $2); >+ } >+ | VAR_TLS_AUTH_CLIENT_KEY STRING >+ { >+ cfg_parser->tls_auth->client_key = >region_strdup(cfg_parser->opt->region, $2); >+ } >+ | VAR_TLS_AUTH_CLIENT_KEY_PW STRING >+ { >+ cfg_parser->tls_auth->client_key_pw = >region_strdup(cfg_parser->opt->region, $2); >+ } >+ ; > > key: > VAR_KEY >diff --git configure configure >index 156d6467332..4f8d1ccaddd 100644 >--- configure >+++ configure >@@ -1,6 +1,6 @@ > #! /bin/sh > # Guess values for system-dependent variables and create Makefiles. >-# Generated by GNU Autoconf 2.69 for NSD 4.3.7. >+# Generated by GNU Autoconf 2.69 for NSD 4.3.8. > # > # Report bugs to <[email protected]>. > # >@@ -580,8 +580,8 @@ MAKEFLAGS= > # Identity of this package. > PACKAGE_NAME='NSD' > PACKAGE_TARNAME='nsd' >-PACKAGE_VERSION='4.3.7' >-PACKAGE_STRING='NSD 4.3.7' >+PACKAGE_VERSION='4.3.8' >+PACKAGE_STRING='NSD 4.3.8' > PACKAGE_BUGREPORT='[email protected]' > PACKAGE_URL='' > >@@ -1328,7 +1328,7 @@ if test "$ac_init_help" = "long"; then > # Omit some internal or obsolete options to make the list less imposing. > # This message is too long to be a string in the A/UX 3.1 sh. > cat <<_ACEOF >-\`configure' configures NSD 4.3.7 to adapt to many kinds of systems. >+\`configure' configures NSD 4.3.8 to adapt to many kinds of systems. > > Usage: $0 [OPTION]... [VAR=VALUE]... > >@@ -1390,7 +1390,7 @@ fi > > if test -n "$ac_init_help"; then > case $ac_init_help in >- short | recursive ) echo "Configuration of NSD 4.3.7:";; >+ short | recursive ) echo "Configuration of NSD 4.3.8:";; > esac > cat <<\_ACEOF 
> >@@ -1563,7 +1563,7 @@ fi > test -n "$ac_init_help" && exit $ac_status > if $ac_init_version; then > cat <<\_ACEOF >-NSD configure 4.3.7 >+NSD configure 4.3.8 > generated by GNU Autoconf 2.69 > > Copyright (C) 2012 Free Software Foundation, Inc. >@@ -2272,7 +2272,7 @@ cat >config.log <<_ACEOF > This file contains any messages produced by compilers while > running configure, to aid debugging if configure makes a mistake. > >-It was created by NSD $as_me 4.3.7, which was >+It was created by NSD $as_me 4.3.8, which was > generated by GNU Autoconf 2.69. Invocation command line was > > $ $0 $@ >@@ -9351,6 +9351,26 @@ fi > if test x_$withval != x_no; then > { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5 > $as_echo_n "checking for SSL... " >&6; } >+ if test -n "$withval"; then >+ >if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; >then >+ ssldir="$withval" >+ found_ssl="yes" >+ withval="" >+ ssldir_include="$ssldir" >+ CPPFLAGS="$CPPFLAGS -I$ssldir_include"; >+ ssldir_lib=`echo $ssldir | >sed -e 's/include/lib/'` >+ if test -f "$ssldir_lib/libssl.a" -o -f >"$ssldir_lib/libssl.so"; then >+ : # found here >+ else >+ ssldir_lib=`echo $ssldir | sed -e >'s/include/lib64/'` >+ if test -f "$ssldir_lib/libssl.a" -o -f >"$ssldir_lib/libssl.so"; then >+ : # found here >+ else >+ as_fn_error $? "Could not find >openssl lib file, $ssldir_lib/libssl.so,a, pass like \"/usr/local\" or >\"/usr/include/openssl11\"" "$LINENO" 5 >+ fi >+ fi >+ fi >+ fi > if test x_$withval = x_ -o x_$withval = x_yes; then > withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw > /usr/local /usr /usr/local/opt/openssl" > fi 
>@@ -9358,14 +9378,15 @@ $as_echo_n "checking for SSL... " >&6; } > ssldir="$dir" > if test -f "$dir/include/openssl/ssl.h"; then > found_ssl="yes"; >- >-cat >>confdefs.h <<_ACEOF >-#define HAVE_SSL /**/ >-_ACEOF >- > if test x_$ssldir != x_/usr; then > CPPFLAGS="$CPPFLAGS -I$ssldir/include"; > fi >+ ssldir_include="$ssldir/include" >+ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then >+ ssldir_lib="$ssldir/lib64" >+ else >+ ssldir_lib="$ssldir/lib" >+ fi > break; > fi > done >@@ -9375,11 +9396,16 @@ _ACEOF > { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in > $ssldir" >&5 > $as_echo "found in $ssldir" >&6; } > HAVE_SSL=yes >+ >+cat >>confdefs.h <<_ACEOF >+#define HAVE_SSL /**/ >+_ACEOF >+ > if test x_$ssldir != x_/usr; then >- LDFLAGS="$LDFLAGS -L$ssldir/lib"; >+ LDFLAGS="$LDFLAGS -L$ssldir_lib"; > fi > if test x_$ssldir = x_/usr/sfw; then >- LDFLAGS="$LDFLAGS -R$ssldir/lib"; >+ LDFLAGS="$LDFLAGS -R$ssldir_lib"; > fi > fi > >@@ -9614,7 +9640,7 @@ fi > > done > >- for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup >ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level >CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params >+ for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup >ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp >EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params >EVP_MAC_CTX_get_mac_size SHA1_Init > do : > as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` > ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 
>@@ -9626,6 +9652,47 @@ _ACEOF > fi > done > >+ if test "$ac_cv_func_SHA1_Init" = "yes"; then >+ >+ >+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if SHA1_Init is deprecated" >>&5 >+$as_echo_n "checking if SHA1_Init is deprecated... " >&6; } >+cache=`echo SHA1_Init | sed 'y%.=/+-%___p_%'` >+if eval \${cv_cc_deprecated_$cache+:} false; then : >+ $as_echo_n "(cached) " >&6 >+else >+ >+echo ' >+#include <openssl/sha.h> >+' >conftest.c >+echo 'void f(){ (void)SHA1_Init(NULL); }' >>conftest.c >+if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e >unavailable`"; then >+eval "cv_cc_deprecated_$cache=no" >+else >+eval "cv_cc_deprecated_$cache=yes" >+fi >+rm -f conftest conftest.o conftest.c >+ >+fi >+ >+if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then >+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 >+$as_echo "yes" >&6; } >+ >+cat >>confdefs.h <<_ACEOF >+#define DEPRECATED_SHA1_INIT 1 >+_ACEOF >+ >+: >+ >+else >+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 >+$as_echo "no" >&6; } >+: >+ >+fi >+ >+ fi > ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" > "ac_cv_have_decl_SSL_CTX_set_ecdh_auto" " > $ac_includes_default > #ifdef HAVE_OPENSSL_ERR_H 
>@@ -9701,17 +9768,59 @@ fi > > BAKLIBS="$LIBS" > LIBS="-lssl $LIBS" >- for ac_func in OPENSSL_init_ssl >+ for ac_func in OPENSSL_init_ssl SSL_get1_peer_certificate >SSL_CTX_set_security_level ERR_load_SSL_strings > do : >- ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" >"ac_cv_func_OPENSSL_init_ssl" >-if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then : >+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` >+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" >+if eval test \"x\$"$as_ac_var"\" = x"yes"; then : > cat >>confdefs.h <<_ACEOF >-#define HAVE_OPENSSL_INIT_SSL 1 >+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 > _ACEOF > > fi > done > >+ if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then >+ >+ >+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ERR_load_SSL_strings is >deprecated" >&5 >+$as_echo_n "checking if ERR_load_SSL_strings is deprecated... " >&6; } >+cache=`echo ERR_load_SSL_strings | sed 'y%.=/+-%___p_%'` >+if eval \${cv_cc_deprecated_$cache+:} false; then : >+ $as_echo_n "(cached) " >&6 >+else >+ >+echo ' >+#include <openssl/ssl.h> >+' >conftest.c >+echo 'void f(){ (void)ERR_load_SSL_strings(); }' >>conftest.c >+if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e >unavailable`"; then >+eval "cv_cc_deprecated_$cache=no" >+else >+eval "cv_cc_deprecated_$cache=yes" >+fi >+rm -f conftest conftest.o conftest.c >+ >+fi >+ >+if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then >+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 >+$as_echo "yes" >&6; } >+ >+cat >>confdefs.h <<_ACEOF >+#define DEPRECATED_ERR_LOAD_SSL_STRINGS 1 >+_ACEOF >+ >+: >+ >+else >+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 >+$as_echo "no" >&6; } >+: >+ >+fi >+ >+ fi > LIBS="$BAKLIBS" > > else 
>@@ -11046,7 +11155,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 > # report actual input values of CONFIG_FILES etc. instead of their > # values after options handling. > ac_log=" >-This file was extended by NSD $as_me 4.3.7, which was >+This file was extended by NSD $as_me 4.3.8, which was > generated by GNU Autoconf 2.69. Invocation command line was > > CONFIG_FILES = $CONFIG_FILES >@@ -11108,7 +11217,7 @@ _ACEOF > cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 > ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; > s/[\\""\`\$]/\\\\&/g'`" > ac_cs_version="\\ >-NSD config.status 4.3.7 >+NSD config.status 4.3.8 > configured by $0, generated by GNU Autoconf 2.69, > with options \\"\$ac_cs_config\\" > >diff --git configure.ac configure.ac >index 8449e510bdd..4c09bb363b9 100644 >--- configure.ac >+++ configure.ac >@@ -5,7 +5,7 @@ dnl > sinclude(acx_nlnetlabs.m4) > sinclude(dnstap/dnstap.m4) > >-AC_INIT([NSD],[4.3.7],[[email protected]]) >+AC_INIT([NSD],[4.3.8],[[email protected]]) > AC_CONFIG_HEADERS([config.h]) > > # 
>@@ -369,6 +369,31 @@ AC_DEFUN([CHECK_SSL], [ > ]) > if test x_$withval != x_no; then > AC_MSG_CHECKING(for SSL) >+ if test -n "$withval"; then >+ dnl look for openssl install with different version, eg. >+ dnl in /usr/include/openssl11/openssl/ssl.h >+ dnl and /usr/lib64/openssl11/libssl.so >+ dnl with the --with-ssl=/usr/include/openssl11 >+ if test ! -f "$withval/include/openssl/ssl.h" -a -f >"$withval/openssl/ssl.h"; then >+ ssldir="$withval" >+ found_ssl="yes" >+ withval="" >+ ssldir_include="$ssldir" >+ CPPFLAGS="$CPPFLAGS -I$ssldir_include"; >+ dnl find the libdir >+ ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` >+ if test -f "$ssldir_lib/libssl.a" -o -f >"$ssldir_lib/libssl.so"; then >+ : # found here >+ else >+ ssldir_lib=`echo $ssldir | sed -e >'s/include/lib64/'` >+ if test -f "$ssldir_lib/libssl.a" -o -f >"$ssldir_lib/libssl.so"; then >+ : # found here >+ else >+ AC_MSG_ERROR([Could not find openssl >lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or >"/usr/include/openssl11"]) >+ fi >+ fi >+ fi >+ fi > if test x_$withval = x_ -o x_$withval = x_yes; then > withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw > /usr/local /usr /usr/local/opt/openssl" > fi >@@ -376,10 +401,15 @@ AC_DEFUN([CHECK_SSL], [ > ssldir="$dir" > if test -f "$dir/include/openssl/ssl.h"; then > found_ssl="yes"; >- AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the >SSL libraries installed.]) > if test x_$ssldir != x_/usr; then > CPPFLAGS="$CPPFLAGS -I$ssldir/include"; > fi >+ ssldir_include="$ssldir/include" >+ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then >+ ssldir_lib="$ssldir/lib64" >+ else >+ ssldir_lib="$ssldir/lib" >+ fi > break; > fi > done 
>@@ -388,11 +418,12 @@ AC_DEFUN([CHECK_SSL], [ > else > AC_MSG_RESULT([found in $ssldir]) > HAVE_SSL=yes >+ AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL >libraries installed.]) > if test x_$ssldir != x_/usr; then >- LDFLAGS="$LDFLAGS -L$ssldir/lib"; >+ LDFLAGS="$LDFLAGS -L$ssldir_lib"; > fi > if test x_$ssldir = x_/usr/sfw; then >- LDFLAGS="$LDFLAGS -R$ssldir/lib"; >+ LDFLAGS="$LDFLAGS -R$ssldir_lib"; > fi > fi > AC_SUBST(HAVE_SSL) >@@ -1049,7 +1080,12 @@ if test x$HAVE_SSL = x"yes"; then > SSL_LIBS="-lssl" > AC_SUBST(SSL_LIBS) > AC_CHECK_HEADERS([openssl/ssl.h openssl/err.h openssl/rand.h > openssl/ocsp.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT]) >- AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup >ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level >CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params]) >+ AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup >ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp >EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params >EVP_MAC_CTX_get_mac_size SHA1_Init]) >+ if test "$ac_cv_func_SHA1_Init" = "yes"; then >+ ACX_FUNC_DEPRECATED([SHA1_Init], [(void)SHA1_Init(NULL);], [ >+#include <openssl/sha.h> >+]) >+ fi > AC_CHECK_DECLS([SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [ > AC_INCLUDES_DEFAULT > #ifdef HAVE_OPENSSL_ERR_H >@@ -1076,7 +1112,12 @@ AC_INCLUDES_DEFAULT > > BAKLIBS="$LIBS" > LIBS="-lssl $LIBS" >- AC_CHECK_FUNCS([OPENSSL_init_ssl]) >+ AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_get1_peer_certificate >SSL_CTX_set_security_level ERR_load_SSL_strings]) >+ if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then >+ ACX_FUNC_DEPRECATED([ERR_load_SSL_strings], >[(void)ERR_load_SSL_strings();], [ >+#include <openssl/ssl.h> >+]) >+ fi > LIBS="$BAKLIBS" > > else >diff --git dname.c dname.c >index 6b8c812e5a6..487d2535a2b 100644 >--- dname.c >+++ dname.c 
>@@ -243,6 +243,7 @@ int dname_parse_wire(uint8_t* dname, const char* name) > } > *h = label_length; > h = p; >+ p++; > } > > /* Add root label. */ >diff --git doc/ChangeLog doc/ChangeLog >index 80b241c30ea..43c3b7bfd72 100644 >--- doc/ChangeLog >+++ doc/ChangeLog 
>@@ -1,5 +1,70 @@ >+7 October 2021: Wouter >+ - Set default for answer-cookie to no. Because in server deployments >+ with mixed server software, a default of yes causes issues. >+ - Tag for 4.3.8rc2, includes the new answer-cookie default. >+ >+4 October 2021: Wouter >+ - Tag for 4.3.8rc1. >+ >+29 September 2021: Wouter >+ - Fix unit tests for svcb and xot to not touch the default >+ zonelistfile. >+ - Fix unit test for xot tertiary config for zonelistfile default. >+ - Fix unit test for dns-cookies for no unshare, and allow-query >+ for no IPv6 loopback. >+ - Fix unit test allow query to check for IPv6. >+ >+22 September 2021: Wouter >+ - Fix #194: Incorrect NSEC3 response for SOA query below delegation >+ point. >+ >+13 September 2021: Wouter >+ - Fix compile failure with openssl 1.0.2. >+ >+3 September 2021: Wouter >+ - Fix not reachable annotation in radix_find_prefix_node. >+ >+31 August 2021: Willem >+ - Fix #191: dname_parse_wire() returns fqdn wireformat length. >+ >+26 August 2021: Wouter >+ - Fix #190: NSD returns 3 NSEC3 records for NODATA response. >+ >+23 August 2021: Wouter >+ - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion >+ `query->delegation_rrset' failed. >+ >+17 August 2021: Wouter >+ - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7. >+ - Fix sed script in ssldir split handling. >+ >+13 August 2021: Wouter >+ - Merge #187: Support using system-wide crypto policies. >+ >+10 August 2021: Wouter >+ - Merge #185 by cesarkuroiwa: Mutual TLS. >+ - Fixes for #185: Document client-cert, client-key and client-key-pw >+ in the man page. Fix yacc semicolon. Fix unused variable warning. >+ Use strlcpy instead of strncpy. Fix spelling error in error >+ printout. >+ >+2 August 2021: Wouter >+ - Quieter tpkg/do-tests shell script with -q flag. >+ - For #184: Note that all zones can be targeted by some nsd-control >+ commands in the man page. 
>+ >+30 July 2021: Wouter >+ - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check. >+ - Fix to compile with OpenSSL 3.0.0beta2. >+ - Fix configure detection of SSL_CTX_set_security_level. >+ - Fix deprecated functions use from openssl 3.0.0beta2. >+ >+23 July 2021: Wouter >+ - Fix free on shutdown of XoT SSL context. >+ > 22 July 2021: Wouter > - tag 4.3.7 release, with the fixes between rc1 and this release. >+ - main branch continues for 4.3.8. > > 20 July 2021: Wouter > - Fix typo in xfrd-tcp.c. >diff --git iterated_hash.c iterated_hash.c >index e8606a3b06c..8c0d657598b 100644 >--- iterated_hash.c >+++ iterated_hash.c >@@ -9,11 +9,16 @@ > */ > #include "config.h" > #ifdef NSEC3 >+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) > #include <openssl/sha.h> >+#else >+#include <openssl/evp.h> >+#endif > #include <stdio.h> > #include <assert.h> > > #include "iterated_hash.h" >+#include "util.h" > > int > iterated_hash(unsigned char out[SHA_DIGEST_LENGTH], 
>@@ -21,19 +26,49 @@ iterated_hash(unsigned char out[SHA_DIGEST_LENGTH], > const unsigned char *in, int inlength, int iterations) > { > #if defined(NSEC3) && defined(HAVE_SSL) >+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) > SHA_CTX ctx; >+#else >+ EVP_MD_CTX* ctx; >+#endif > int n; >+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) >+#else >+ ctx = EVP_MD_CTX_create(); >+ if(!ctx) { >+ log_msg(LOG_ERR, "out of memory in iterated_hash"); >+ return 0; >+ } >+#endif > assert(in && inlength > 0 && iterations >= 0); > for(n=0 ; n <= iterations ; ++n) > { >+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) > SHA1_Init(&ctx); > SHA1_Update(&ctx, in, inlength); > if(saltlength > 0) > SHA1_Update(&ctx, salt, saltlength); > SHA1_Final(out, &ctx); >+#else >+ if(!EVP_DigestInit(ctx, EVP_sha1())) >+ log_msg(LOG_ERR, "iterated_hash could not >EVP_DigestInit"); >+ >+ if(!EVP_DigestUpdate(ctx, in, inlength)) >+ log_msg(LOG_ERR, "iterated_hash could not >EVP_DigestUpdate"); >+ if(saltlength > 0) { >+ if(!EVP_DigestUpdate(ctx, salt, saltlength)) >+ log_msg(LOG_ERR, "iterated_hash could not >EVP_DigestUpdate salt"); >+ } >+ if(!EVP_DigestFinal_ex(ctx, out, NULL)) >+ log_msg(LOG_ERR, "iterated_hash could not >EVP_DigestFinal_ex"); >+#endif > in=out; > inlength=SHA_DIGEST_LENGTH; > } >+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) >+#else >+ EVP_MD_CTX_destroy(ctx); >+#endif > return SHA_DIGEST_LENGTH; > #else > (void)out; (void)salt; (void)saltlength; >diff --git namedb.c namedb.c >index 06bef71147c..772e038b16d 100644 >--- namedb.c >+++ namedb.c 
>@@ -583,10 +583,13 @@ domain_find_ns_rrsets(domain_type* domain, zone_type* >zone, rrset_type **ns) > { > /* return highest NS RRset in the zone that is a delegation above */ > domain_type* result = NULL; >+ rrset_type* rrset = NULL; > while (domain && domain != zone->apex) { >- *ns = domain_find_rrset(domain, zone, TYPE_NS); >- if (*ns) >+ rrset = domain_find_rrset(domain, zone, TYPE_NS); >+ if (rrset) { >+ *ns = rrset; > result = domain; >+ } > domain = domain->parent; > } > >diff --git nsd-checkconf.8.in nsd-checkconf.8.in >index 0a514e6dab0..62f0695577d 100644 >--- nsd-checkconf.8.in >+++ nsd-checkconf.8.in >@@ -1,4 +1,4 @@ >-.TH "nsd\-checkconf" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" >+.TH "nsd\-checkconf" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" > .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. > .\" See LICENSE for the license. > .SH "NAME" >diff --git nsd-checkzone.8.in nsd-checkzone.8.in >index 6b31cf9ea7a..76ac2fe2442 100644 >--- nsd-checkzone.8.in >+++ nsd-checkzone.8.in >@@ -1,4 +1,4 @@ >-.TH "nsd\-checkzone" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" >+.TH "nsd\-checkzone" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" > .\" Copyright (c) 2014, NLnet Labs. All rights reserved. > .\" See LICENSE for the license. > .SH "NAME" >diff --git nsd-control.8.in nsd-control.8.in >index ecefed3051c..f7f338c70ae 100644 >--- nsd-control.8.in >+++ nsd-control.8.in >@@ -1,4 +1,4 @@ >-.TH "nsd\-control" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" >+.TH "nsd\-control" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" > .\" Copyright (c) 2011, NLnet Labs. All rights reserved. > .\" See LICENSE for the license. > .SH "NAME" 
>@@ -107,7 +107,8 @@ For bulk removals. > Write zonefiles to disk, or the given zonefile to disk. Zones that have > changed (via AXFR or IXFR) are written, or if the zonefile has not been > created yet then it is created. Directory components of the zonefile >-path are created if necessary. >+path are created if necessary. With argument that zone is written if it >+was modified, without argument, all modified zones are written. > .TP > .B notify [<zone>] > Send NOTIFY messages to slave servers. Sends to the IP addresses >@@ -116,7 +117,8 @@ server. Usually NSD sends NOTIFY messages right away when >a master zone > serial is updated. If a zone is given, notifies are sent for that zone. > These slave servers are supposed to initiate a zone transfer request > later (to this server or another master), this can be allowed via >-the 'provide\-xfr:' acl list configuration. >+the 'provide\-xfr:' acl list configuration. With argument that zone is >+processed, without argument, all zones are processed. > .TP > .B transfer [<zone>] > Attempt to update slave zones that are hosted on this server by contacting 
>@@ -125,13 +127,15 @@ If a zone is given, that zone is updated. Usually NSD >receives a NOTIFY > from the masters (configured via 'allow\-notify:' acl list) that a new zone > serial has to be transferred. For zones with no content, NSD may have backed > off from asking often because the masters did not respond, but this command >-will reset the backoff to its initial timeout, for frequent retries. >+will reset the backoff to its initial timeout, for frequent retries. With >+argument that zone is transferred, without argument, all zones are >transferred. > .TP > .B force_transfer [<zone>] > Force update slave zones that are hosted on this server. Even if the > master hosts the same serial number of the zone, a full AXFR is performed > to fetch it. If you want to use IXFR and check that the serial number >-increases, use the 'transfer' command. >+increases, use the 'transfer' command. With argument that zone is >+transferred, without argument, all zones are transferred. > .TP > .B zonestatus [<zone>] > Print state of the zone, the serial numbers and since when they have >@@ -142,7 +146,8 @@ zone is up\-to\-date), 'expired' ( -- Sent from a mobile device. Please excuse poor formatting.
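Review bot: the doc/RELNOTES hunk (@@ -1,5 +1,31 @@) omits two fixes that the doc/ChangeLog hunk in the same patch records for 4.3.8: "Fix #191: dname_parse_wire() returns fqdn wireformat length" (31 August) and "Fix free on shutdown of XoT SSL context" (23 July). The dname.c change is part of this diff and alters a function's return value, so it is exactly the kind of entry a packager scans the release notes for; please add both under BUG FIXES.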
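Review bot: in the acx_nlnetlabs.m4 hunk @@ -646,6 +650,30 @@ (ACX_SSL_CHECKS), clearing `withval=""` after a successful `--with-ssl=/usr/include/openssl11` match makes the following context line `if test x_$withval = x_ -o x_$withval = x_yes` true, so the default-directory search still runs, and that loop assigns `ssldir="$dir"` on every iteration (visible in the @@ -653 hunk). If a system `/usr/include/openssl/ssl.h` exists, the loop silently replaces ssldir, ssldir_include and ssldir_lib with the system copy; if it finds nothing, ssldir is left at the last default, `/usr`, which then disables the `if test "$ssldir" != "/usr"` block that adds `-I$ssldir_include` and `-L$ssldir_lib`. Suggest wrapping the loop in `if test x_$found_ssl != x_yes; then ... fi` (or leaving withval as a one-element list) so the explicitly requested directory wins. Minor: the libdir probe only accepts libssl.a and libssl.so, so an install that ships only libssl.dylib under that layout hits the AC_MSG_ERROR.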
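Review bot: in the generated configure hunk @@ -9351,6 +9371,26 @@ the error text reads `$ssldir_lib/libssl.so,a` because the m4 source writes `libssl.[so,a]` inside AC_MSG_ERROR and m4 quoting eats the brackets. Spell it out as `libssl.so or libssl.a` (or use the `@<:@so,a@:>@` quadrigraphs) in acx_nlnetlabs.m4 and configure.ac so the regenerated configure prints what was meant.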
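Review bot: the configure.ac hunk @@ -369,6 +369,31 @@ (CHECK_SSL) has the same clobber as the m4 macro: `withval=""` lets the default search loop run and reassign `ssldir="$dir"` (@@ -376 hunk), and the `-L$ssldir_lib` added in the @@ -388 hunk is guarded by `x_$ssldir != x_/usr` on that possibly overwritten ssldir. This copy also diverges from the m4 copy by pushing `CPPFLAGS="$CPPFLAGS -I$ssldir_include"` inside the match block while the m4 version defers it to the found-in block, so the two detections now behave differently for the same input. Since configure.ac carries CHECK_SSL and acx_nlnetlabs.m4 carries ACX_SSL_CHECKS with near-identical logic, consider having configure.ac call the m4 macro so the fix lands once.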
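Review bot: the dname.c hunk @@ -243,6 +243,7 @@ adds `p++` after `h = p;` so that `p` points one past the slot the following `/* Add root label. */` block fills, which is what makes the returned length include the terminating root label (the ChangeLog entry for #191 describes this as the intended result). Because this changes the function's return value, every caller that used it as a byte count should be re-checked against the new meaning, and a tpkg unit test asserting that the return equals the full wire length of a couple of sample names would keep it from regressing; none is visible in this diff.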
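Review bot: in the iterated_hash.c include hunk @@ -9,11 +9,16 @@, `<openssl/sha.h>` is only included on the SHA1_Init path, yet SHA_DIGEST_LENGTH is still used on both paths in the prototype, `inlength=SHA_DIGEST_LENGTH` and `return SHA_DIGEST_LENGTH`. The macro is not deprecated in OpenSSL 3.0, only the SHA1_* functions are, so unless iterated_hash.h already pulls the header in, include it unconditionally and drop the `#else` around `<openssl/evp.h>`. Readability nit for the same file: the empty `#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)` / `#else` pairs read better as a single inverted test or a local `USE_EVP_SHA1` define set once at the top.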
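Review bot: in the iterated_hash.c body hunk @@ -21,19 +26,49 @@, the EVP path logs on a failed EVP_DigestInit, EVP_DigestUpdate or EVP_DigestFinal_ex but then continues the loop and returns SHA_DIGEST_LENGTH, so the caller receives whatever stale bytes are in `out` as if they were a valid NSEC3 hash. The earlier `EVP_MD_CTX_create()` failure already returns 0; the digest failures should take the same exit (destroy the ctx, return 0), and the callers should be checked to honour a 0 return rather than store the hash. Smaller point: the hunk mixes `EVP_DigestInit(ctx, EVP_sha1())` with `EVP_DigestFinal_ex`; `EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)` is the matching call and avoids the implicit context reset on every iteration.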
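Review bot: the namedb.c hunk @@ -583,10 +583,13 @@ (domain_find_ns_rrsets) changes the contract for `*ns`: the old loop assigned it on every iteration, so a caller always got either the NS RRset or NULL, while the new loop only writes it when an RRset is found and leaves it untouched otherwise. That is the right fix for `result` and `*ns` disagreeing (the #189 assertion), but a caller that does not pre-initialise its pointer now reads an indeterminate value when nothing is found. Suggest adding `*ns = NULL;` before the loop next to `rrset_type* rrset = NULL;` so both outputs are always defined.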
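Review bot: in the nsd-control.8.in hunk @@ -107,7 +107,8 @@ the new sentence "With argument that zone is written if it was modified, without argument, all modified zones are written." is a comma splice that is hard to parse; suggest "With a zone argument, that zone is written if it was modified; without an argument, all modified zones are written." The same construction recurs in the notify, transfer and force_transfer hunks below it and would read better with the same fix applied to each.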
