Anyone? We really want this one... - Fix #194: Incorrect NSEC3 response for SOA query below delegation point.
On 2021-10-20 18:24 +02, Florian Obser <[email protected]> wrote: > Particularly interesting is > - Fix #190: NSD returns 3 NSEC3 records for NODATA response. > > which I believe is a fix for the problem mischa reported on misc: "NSD > exit status 11 on 7.0" > > Tests, OKs? > > diff --git doc/RELNOTES doc/RELNOTES > index 054eb9b8f60..b7157bbc0a6 100644 > --- doc/RELNOTES > +++ doc/RELNOTES > @@ -1,5 +1,31 @@ > NSD RELEASE NOTES > > +4.3.8 > +================ > +FEATURES: > + - Merge #185 by cesarkuroiwa: Mutual TLS. > + - Set default for answer-cookie to no. Because in server deployments > + with mixed server software, a default of yes causes issues. > +BUG FIXES: > + - Fix to compile with OpenSSL 3.0.0beta2. > + - Fix configure detection of SSL_CTX_set_security_level. > + - Fix deprecated functions use from openssl 3.0.0beta2. > + - For #184: Note that all zones can be targeted by some nsd-control > + commands in the man page. > + - Fixes for #185: Document client-cert, client-key and client-key-pw > + in the man page. Fix yacc semicolon. Fix unused variable warning. > + Use strlcpy instead of strncpy. Fix spelling error in error > + printout. > + - Merge #187: Support using system-wide crypto policies. > + - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7. > + - Fix sed script in ssldir split handling. > + - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion > + `query->delegation_rrset' failed. > + - Fix #190: NSD returns 3 NSEC3 records for NODATA response. > + - Fix compile failure with openssl 1.0.2. > + - Fix #194: Incorrect NSEC3 response for SOA query below delegation > + point. > + > 4.3.7 > ================ > FEATURES: > diff --git acx_nlnetlabs.m4 acx_nlnetlabs.m4 > index 7ce79070805..1574f97bfe0 100644 > --- acx_nlnetlabs.m4 > +++ acx_nlnetlabs.m4 
> @@ -2,7 +2,11 @@ > # Copyright 2009, Wouter Wijngaards, NLnet Labs. > # BSD licensed. > # > -# Version 40 > +# Version 43 > +# 2021-08-17 fix sed script in ssldir split handling. > +# 2021-08-17 fix for openssl to detect split version, with ssldir_include > +# and ssldir_lib output directories. > +# 2021-07-30 fix for openssl use of lib64 directory. > # 2021-06-14 fix nonblocking test to use host instead of target for mingw > test. > # 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for > # 64bit compatibility. > @@ -646,6 +650,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [ > withval=$1 > if test x_$withval != x_no; then > AC_MSG_CHECKING(for SSL) > + if test -n "$withval"; then > + dnl look for openssl install with different version, eg. > + dnl in /usr/include/openssl11/openssl/ssl.h > + dnl and /usr/lib64/openssl11/libssl.so > + dnl with the --with-ssl=/usr/include/openssl11 > + if test ! -f "$withval/include/openssl/ssl.h" -a -f > "$withval/openssl/ssl.h"; then > + ssldir="$withval" > + found_ssl="yes" > + withval="" > + ssldir_include="$ssldir" > + dnl find the libdir > + ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` > + if test -f "$ssldir_lib/libssl.a" -o -f > "$ssldir_lib/libssl.so"; then > + : # found here > + else > + ssldir_lib=`echo $ssldir | sed -e > 's/include/lib64/'` > + if test -f "$ssldir_lib/libssl.a" -o -f > "$ssldir_lib/libssl.so"; then > + : # found here > + else > + AC_MSG_ERROR([Could not find openssl > lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or > "/usr/include/openssl11"]) > + fi > + fi > + fi > + fi > if test x_$withval = x_ -o x_$withval = x_yes; then > withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg > /usr/local /opt/local /usr/sfw /usr" > fi 
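Review bot: The AC_MSG_ERROR text in the new --with-ssl=<include dir> branch writes `libssl.[so,a]` inside an m4-quoted argument, so the brackets are consumed as m4 quotes; the generated configure quoted further down on this page indeed prints `libssl.so,a`. Spelling it out avoids the mangling: `AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.so or libssl.a, pass like "/usr/local" or "/usr/include/openssl11"])`. The same message is duplicated in the CHECK_SSL hunk of configure.ac. Separately, `sed -e 's/include/lib/'` rewrites the first "include" anywhere in the path, so a constructed prefix like `/home/include-tests/include/openssl11` would be turned into the wrong directory; matching the last path component, `sed -e 's|\(.*\)/include|\1/lib|'`, keeps `/usr/include` and `/usr/include/openssl11` working and is less surprising.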
> @@ -653,12 +681,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [ > ssldir="$dir" > if test -f "$dir/include/openssl/ssl.h"; then > found_ssl="yes" > - AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the > SSL libraries installed.]) > - dnl assume /usr/include is already in the include-path. > - if test "$ssldir" != "/usr"; then > - CPPFLAGS="$CPPFLAGS -I$ssldir/include" > - LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include" > - fi > + ssldir_include="$ssldir/include" > + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then > + ssldir_lib="$ssldir/lib64" > + else > + ssldir_lib="$ssldir/lib" > + fi > break; > fi > done > @@ -666,13 +694,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [ > AC_MSG_ERROR(Cannot find the SSL libraries in $withval) > else > AC_MSG_RESULT(found in $ssldir) > + AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL > libraries installed.]) > HAVE_SSL=yes > - dnl assume /usr is already in the lib and dynlib paths. > - if test "$ssldir" != "/usr" -a "$ssldir" != ""; then > - LDFLAGS="$LDFLAGS -L$ssldir/lib" > - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" > - ACX_RUNTIME_PATH_ADD([$ssldir/lib]) > - fi > + dnl assume /usr is already in the include, lib and dynlib paths. > + if test "$ssldir" != "/usr"; then > + CPPFLAGS="$CPPFLAGS -I$ssldir_include" > + LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include" > + LDFLAGS="$LDFLAGS -L$ssldir_lib" > + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib" > + ACX_RUNTIME_PATH_ADD([$ssldir_lib]) > + fi > > AC_MSG_CHECKING([for EVP_sha256 in -lcrypto]) > LIBS="$LIBS -lcrypto" > @@ -751,7 +782,7 @@ dnl > AC_DEFUN([ACX_WITH_SSL], > [ > AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will > check /usr/local/ssl > - /usr/lib/ssl /usr/ssl /usr/pkg /usr/local > /opt/local /usr/sfw /usr)]),[ > + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local > /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[ > ],[ > withval="yes" > ]) 
> @@ -769,7 +800,7 @@ dnl > AC_DEFUN([ACX_WITH_SSL_OPTIONAL], > [ > AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will > check /usr/local/ssl > - /usr/lib/ssl /usr/ssl /usr/pkg /usr/local > /opt/local /usr/sfw /usr)]),[ > + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local > /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[ > ],[ > withval="yes" > ]) > diff --git config.h.in config.h.in > index c4cd67f7dfe..34a89602063 100644 > --- config.h.in > +++ config.h.in > @@ -31,6 +31,12 @@ > /* Pathname to the NSD database */ > #undef DBFILE > > +/* Whether ERR_load_SSL_strings is deprecated */ > +#undef DEPRECATED_ERR_LOAD_SSL_STRINGS > + > +/* Whether SHA1_Init is deprecated */ > +#undef DEPRECATED_SHA1_INIT > + > /* default dnstap socket path */ > #undef DNSTAP_SOCKET_PATH > > @@ -127,6 +133,9 @@ > /* Define to 1 if you have the `ERR_load_crypto_strings' function. */ > #undef HAVE_ERR_LOAD_CRYPTO_STRINGS > > +/* Define to 1 if you have the `ERR_load_SSL_strings' function. */ > +#undef HAVE_ERR_LOAD_SSL_STRINGS > + > /* Define to 1 if you have the `event_base_free' function. */ > #undef HAVE_EVENT_BASE_FREE > > @@ -145,6 +154,9 @@ > /* Define to 1 if you have the `EVP_cleanup' function. */ > #undef HAVE_EVP_CLEANUP > > +/* Define to 1 if you have the `EVP_MAC_CTX_get_mac_size' function. */ > +#undef HAVE_EVP_MAC_CTX_GET_MAC_SIZE > + > /* Define to 1 if you have the `EVP_MAC_CTX_new' function. */ > #undef HAVE_EVP_MAC_CTX_NEW > > @@ -338,6 +350,9 @@ > /* Define to 1 if you have the `setusercontext' function. */ > #undef HAVE_SETUSERCONTEXT > > +/* Define to 1 if you have the `SHA1_Init' function. */ > +#undef HAVE_SHA1_INIT > + > /* Define to 1 if you have the `sigaction' function. */ > #undef HAVE_SIGACTION 
> > @@ -359,6 +374,9 @@ > /* Define to 1 if you have the `SSL_CTX_set_security_level' function. */ > #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL > > +/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */ > +#undef HAVE_SSL_GET1_PEER_CERTIFICATE > + > /* Define to 1 if you have the <stdarg.h> header file. */ > #undef HAVE_STDARG_H > > diff --git configlexer.lex configlexer.lex > index 6d4933de381..d5fcd58b7f6 100644 > --- configlexer.lex > +++ configlexer.lex > @@ -242,6 +242,9 @@ outgoing-interface{COLON} { LEXOUT(("v(%s) ", yytext)); > return VAR_OUTGOING_INTE > allow-axfr-fallback{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_ALLOW_AXFR_FALLBACK;} > tls-auth{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_TLS_AUTH;} > auth-domain-name{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_TLS_AUTH_DOMAIN_NAME;} > +client-cert{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_TLS_AUTH_CLIENT_CERT;} > +client-key{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_TLS_AUTH_CLIENT_KEY;} > +client-key-pw{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_TLS_AUTH_CLIENT_KEY_PW;} > key{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_KEY;} > algorithm{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALGORITHM;} > secret{COLON} { LEXOUT(("v(%s) ", yytext)); return > VAR_SECRET;} > diff --git configparser.y configparser.y > index 6b369cad35d..6642a6f544c 100644 > --- configparser.y > +++ configparser.y > @@ -149,6 +149,9 @@ static int parse_range(const char *str, long long *low, > long long *high); > /* xot auth */ > %token VAR_TLS_AUTH > %token VAR_TLS_AUTH_DOMAIN_NAME > +%token VAR_TLS_AUTH_CLIENT_CERT > +%token VAR_TLS_AUTH_CLIENT_KEY > +%token VAR_TLS_AUTH_CLIENT_KEY_PW > > /* pattern */ > %token VAR_PATTERN 
> @@ -672,7 +675,20 @@ tls_auth_option: > | VAR_TLS_AUTH_DOMAIN_NAME STRING > { > cfg_parser->tls_auth->auth_domain_name = > region_strdup(cfg_parser->opt->region, $2); > - }; > + } > + | VAR_TLS_AUTH_CLIENT_CERT STRING > + { > + cfg_parser->tls_auth->client_cert = > region_strdup(cfg_parser->opt->region, $2); > + } > + | VAR_TLS_AUTH_CLIENT_KEY STRING > + { > + cfg_parser->tls_auth->client_key = > region_strdup(cfg_parser->opt->region, $2); > + } > + | VAR_TLS_AUTH_CLIENT_KEY_PW STRING > + { > + cfg_parser->tls_auth->client_key_pw = > region_strdup(cfg_parser->opt->region, $2); > + } > + ; > > key: > VAR_KEY > diff --git configure configure > index 156d6467332..4f8d1ccaddd 100644 > --- configure > +++ configure > @@ -1,6 +1,6 @@ > #! /bin/sh > # Guess values for system-dependent variables and create Makefiles. > -# Generated by GNU Autoconf 2.69 for NSD 4.3.7. > +# Generated by GNU Autoconf 2.69 for NSD 4.3.8. > # > # Report bugs to <[email protected]>. > # > @@ -580,8 +580,8 @@ MAKEFLAGS= > # Identity of this package. > PACKAGE_NAME='NSD' > PACKAGE_TARNAME='nsd' > -PACKAGE_VERSION='4.3.7' > -PACKAGE_STRING='NSD 4.3.7' > +PACKAGE_VERSION='4.3.8' > +PACKAGE_STRING='NSD 4.3.8' > PACKAGE_BUGREPORT='[email protected]' > PACKAGE_URL='' > > @@ -1328,7 +1328,7 @@ if test "$ac_init_help" = "long"; then > # Omit some internal or obsolete options to make the list less imposing. > # This message is too long to be a string in the A/UX 3.1 sh. > cat <<_ACEOF > -\`configure' configures NSD 4.3.7 to adapt to many kinds of systems. > +\`configure' configures NSD 4.3.8 to adapt to many kinds of systems. > > Usage: $0 [OPTION]... [VAR=VALUE]... > > @@ -1390,7 +1390,7 @@ fi > > if test -n "$ac_init_help"; then > case $ac_init_help in > - short | recursive ) echo "Configuration of NSD 4.3.7:";; > + short | recursive ) echo "Configuration of NSD 4.3.8:";; > esac > cat <<\_ACEOF 
> > @@ -1563,7 +1563,7 @@ fi > test -n "$ac_init_help" && exit $ac_status > if $ac_init_version; then > cat <<\_ACEOF > -NSD configure 4.3.7 > +NSD configure 4.3.8 > generated by GNU Autoconf 2.69 > > Copyright (C) 2012 Free Software Foundation, Inc. > @@ -2272,7 +2272,7 @@ cat >config.log <<_ACEOF > This file contains any messages produced by compilers while > running configure, to aid debugging if configure makes a mistake. > > -It was created by NSD $as_me 4.3.7, which was > +It was created by NSD $as_me 4.3.8, which was > generated by GNU Autoconf 2.69. Invocation command line was > > $ $0 $@ > @@ -9351,6 +9351,26 @@ fi > if test x_$withval != x_no; then > { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5 > $as_echo_n "checking for SSL... " >&6; } > + if test -n "$withval"; then > + > if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; > then > + ssldir="$withval" > + found_ssl="yes" > + withval="" > + ssldir_include="$ssldir" > + CPPFLAGS="$CPPFLAGS -I$ssldir_include"; > + ssldir_lib=`echo $ssldir | > sed -e 's/include/lib/'` > + if test -f "$ssldir_lib/libssl.a" -o -f > "$ssldir_lib/libssl.so"; then > + : # found here > + else > + ssldir_lib=`echo $ssldir | sed -e > 's/include/lib64/'` > + if test -f "$ssldir_lib/libssl.a" -o -f > "$ssldir_lib/libssl.so"; then > + : # found here > + else > + as_fn_error $? "Could not find > openssl lib file, $ssldir_lib/libssl.so,a, pass like \"/usr/local\" or > \"/usr/include/openssl11\"" "$LINENO" 5 > + fi > + fi > + fi > + fi > if test x_$withval = x_ -o x_$withval = x_yes; then > withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw > /usr/local /usr /usr/local/opt/openssl" > fi 
> @@ -9358,14 +9378,15 @@ $as_echo_n "checking for SSL... " >&6; } > ssldir="$dir" > if test -f "$dir/include/openssl/ssl.h"; then > found_ssl="yes"; > - > -cat >>confdefs.h <<_ACEOF > -#define HAVE_SSL /**/ > -_ACEOF > - > if test x_$ssldir != x_/usr; then > CPPFLAGS="$CPPFLAGS -I$ssldir/include"; > fi > + ssldir_include="$ssldir/include" > + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then > + ssldir_lib="$ssldir/lib64" > + else > + ssldir_lib="$ssldir/lib" > + fi > break; > fi > done > @@ -9375,11 +9396,16 @@ _ACEOF > { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in > $ssldir" >&5 > $as_echo "found in $ssldir" >&6; } > HAVE_SSL=yes > + > +cat >>confdefs.h <<_ACEOF > +#define HAVE_SSL /**/ > +_ACEOF > + > if test x_$ssldir != x_/usr; then > - LDFLAGS="$LDFLAGS -L$ssldir/lib"; > + LDFLAGS="$LDFLAGS -L$ssldir_lib"; > fi > if test x_$ssldir = x_/usr/sfw; then > - LDFLAGS="$LDFLAGS -R$ssldir/lib"; > + LDFLAGS="$LDFLAGS -R$ssldir_lib"; > fi > fi > > @@ -9614,7 +9640,7 @@ fi > > done > > - for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup > ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level > CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params > + for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup > ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp > EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params > EVP_MAC_CTX_get_mac_size SHA1_Init > do : > as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` > ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 
> @@ -9626,6 +9652,47 @@ _ACEOF > fi > done > > + if test "$ac_cv_func_SHA1_Init" = "yes"; then > + > + > +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if SHA1_Init is > deprecated" >&5 > +$as_echo_n "checking if SHA1_Init is deprecated... " >&6; } > +cache=`echo SHA1_Init | sed 'y%.=/+-%___p_%'` > +if eval \${cv_cc_deprecated_$cache+:} false; then : > + $as_echo_n "(cached) " >&6 > +else > + > +echo ' > +#include <openssl/sha.h> > +' >conftest.c > +echo 'void f(){ (void)SHA1_Init(NULL); }' >>conftest.c > +if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated > -e unavailable`"; then > +eval "cv_cc_deprecated_$cache=no" > +else > +eval "cv_cc_deprecated_$cache=yes" > +fi > +rm -f conftest conftest.o conftest.c > + > +fi > + > +if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then > +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 > +$as_echo "yes" >&6; } > + > +cat >>confdefs.h <<_ACEOF > +#define DEPRECATED_SHA1_INIT 1 > +_ACEOF > + > +: > + > +else > +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 > +$as_echo "no" >&6; } > +: > + > +fi > + > + fi > ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" > "ac_cv_have_decl_SSL_CTX_set_ecdh_auto" " > $ac_includes_default > #ifdef HAVE_OPENSSL_ERR_H 
> @@ -9701,17 +9768,59 @@ fi > > BAKLIBS="$LIBS" > LIBS="-lssl $LIBS" > - for ac_func in OPENSSL_init_ssl > + for ac_func in OPENSSL_init_ssl SSL_get1_peer_certificate > SSL_CTX_set_security_level ERR_load_SSL_strings > do : > - ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" > "ac_cv_func_OPENSSL_init_ssl" > -if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then : > + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` > +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" > +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : > cat >>confdefs.h <<_ACEOF > -#define HAVE_OPENSSL_INIT_SSL 1 > +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 > _ACEOF > > fi > done > > + if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then > + > + > +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ERR_load_SSL_strings is > deprecated" >&5 > +$as_echo_n "checking if ERR_load_SSL_strings is deprecated... " >&6; } > +cache=`echo ERR_load_SSL_strings | sed 'y%.=/+-%___p_%'` > +if eval \${cv_cc_deprecated_$cache+:} false; then : > + $as_echo_n "(cached) " >&6 > +else > + > +echo ' > +#include <openssl/ssl.h> > +' >conftest.c > +echo 'void f(){ (void)ERR_load_SSL_strings(); }' >>conftest.c > +if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated > -e unavailable`"; then > +eval "cv_cc_deprecated_$cache=no" > +else > +eval "cv_cc_deprecated_$cache=yes" > +fi > +rm -f conftest conftest.o conftest.c > + > +fi > + > +if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then > +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 > +$as_echo "yes" >&6; } > + > +cat >>confdefs.h <<_ACEOF > +#define DEPRECATED_ERR_LOAD_SSL_STRINGS 1 > +_ACEOF > + > +: > + > +else > +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 > +$as_echo "no" >&6; } > +: > + > +fi > + > + fi > LIBS="$BAKLIBS" > > else 
> @@ -11046,7 +11155,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 > # report actual input values of CONFIG_FILES etc. instead of their > # values after options handling. > ac_log=" > -This file was extended by NSD $as_me 4.3.7, which was > +This file was extended by NSD $as_me 4.3.8, which was > generated by GNU Autoconf 2.69. Invocation command line was > > CONFIG_FILES = $CONFIG_FILES > @@ -11108,7 +11217,7 @@ _ACEOF > cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 > ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; > s/[\\""\`\$]/\\\\&/g'`" > ac_cs_version="\\ > -NSD config.status 4.3.7 > +NSD config.status 4.3.8 > configured by $0, generated by GNU Autoconf 2.69, > with options \\"\$ac_cs_config\\" > > diff --git configure.ac configure.ac > index 8449e510bdd..4c09bb363b9 100644 > --- configure.ac > +++ configure.ac > @@ -5,7 +5,7 @@ dnl > sinclude(acx_nlnetlabs.m4) > sinclude(dnstap/dnstap.m4) > > -AC_INIT([NSD],[4.3.7],[[email protected]]) > +AC_INIT([NSD],[4.3.8],[[email protected]]) > AC_CONFIG_HEADERS([config.h]) > > # 
> @@ -369,6 +369,31 @@ AC_DEFUN([CHECK_SSL], [ > ]) > if test x_$withval != x_no; then > AC_MSG_CHECKING(for SSL) > + if test -n "$withval"; then > + dnl look for openssl install with different version, eg. > + dnl in /usr/include/openssl11/openssl/ssl.h > + dnl and /usr/lib64/openssl11/libssl.so > + dnl with the --with-ssl=/usr/include/openssl11 > + if test ! -f "$withval/include/openssl/ssl.h" -a -f > "$withval/openssl/ssl.h"; then > + ssldir="$withval" > + found_ssl="yes" > + withval="" > + ssldir_include="$ssldir" > + CPPFLAGS="$CPPFLAGS -I$ssldir_include"; > + dnl find the libdir > + ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` > + if test -f "$ssldir_lib/libssl.a" -o -f > "$ssldir_lib/libssl.so"; then > + : # found here > + else > + ssldir_lib=`echo $ssldir | sed -e > 's/include/lib64/'` > + if test -f "$ssldir_lib/libssl.a" -o -f > "$ssldir_lib/libssl.so"; then > + : # found here > + else > + AC_MSG_ERROR([Could not find openssl > lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or > "/usr/include/openssl11"]) > + fi > + fi > + fi > + fi > if test x_$withval = x_ -o x_$withval = x_yes; then > withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw > /usr/local /usr /usr/local/opt/openssl" > fi > @@ -376,10 +401,15 @@ AC_DEFUN([CHECK_SSL], [ > ssldir="$dir" > if test -f "$dir/include/openssl/ssl.h"; then > found_ssl="yes"; > - AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the > SSL libraries installed.]) > if test x_$ssldir != x_/usr; then > CPPFLAGS="$CPPFLAGS -I$ssldir/include"; > fi > + ssldir_include="$ssldir/include" > + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then > + ssldir_lib="$ssldir/lib64" > + else > + ssldir_lib="$ssldir/lib" > + fi > break; > fi > done 
> @@ -388,11 +418,12 @@ AC_DEFUN([CHECK_SSL], [ > else > AC_MSG_RESULT([found in $ssldir]) > HAVE_SSL=yes > + AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL > libraries installed.]) > if test x_$ssldir != x_/usr; then > - LDFLAGS="$LDFLAGS -L$ssldir/lib"; > + LDFLAGS="$LDFLAGS -L$ssldir_lib"; > fi > if test x_$ssldir = x_/usr/sfw; then > - LDFLAGS="$LDFLAGS -R$ssldir/lib"; > + LDFLAGS="$LDFLAGS -R$ssldir_lib"; > fi > fi > AC_SUBST(HAVE_SSL) > @@ -1049,7 +1080,12 @@ if test x$HAVE_SSL = x"yes"; then > SSL_LIBS="-lssl" > AC_SUBST(SSL_LIBS) > AC_CHECK_HEADERS([openssl/ssl.h openssl/err.h openssl/rand.h > openssl/ocsp.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT]) > - AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup > ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level > CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new > EVP_MAC_CTX_set_params]) > + AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup > ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp > EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params > EVP_MAC_CTX_get_mac_size SHA1_Init]) > + if test "$ac_cv_func_SHA1_Init" = "yes"; then > + ACX_FUNC_DEPRECATED([SHA1_Init], [(void)SHA1_Init(NULL);], [ > +#include <openssl/sha.h> > +]) > + fi > AC_CHECK_DECLS([SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [ > AC_INCLUDES_DEFAULT > #ifdef HAVE_OPENSSL_ERR_H > @@ -1076,7 +1112,12 @@ AC_INCLUDES_DEFAULT > > BAKLIBS="$LIBS" > LIBS="-lssl $LIBS" > - AC_CHECK_FUNCS([OPENSSL_init_ssl]) > + AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_get1_peer_certificate > SSL_CTX_set_security_level ERR_load_SSL_strings]) > + if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then > + ACX_FUNC_DEPRECATED([ERR_load_SSL_strings], > [(void)ERR_load_SSL_strings();], [ > +#include <openssl/ssl.h> > +]) > + fi > LIBS="$BAKLIBS" > > else > diff --git dname.c dname.c > index 6b8c812e5a6..487d2535a2b 100644 > --- dname.c > +++ dname.c 
> @@ -243,6 +243,7 @@ int dname_parse_wire(uint8_t* dname, const char* name) > } > *h = label_length; > h = p; > + p++; > } > > /* Add root label. */ > diff --git doc/ChangeLog doc/ChangeLog > index 80b241c30ea..43c3b7bfd72 100644 > --- doc/ChangeLog > +++ doc/ChangeLog 
> @@ -1,5 +1,70 @@ > +7 October 2021: Wouter > + - Set default for answer-cookie to no. Because in server deployments > + with mixed server software, a default of yes causes issues. > + - Tag for 4.3.8rc2, includes the new answer-cookie default. > + > +4 October 2021: Wouter > + - Tag for 4.3.8rc1. > + > +29 September 2021: Wouter > + - Fix unit tests for svcb and xot to not touch the default > + zonelistfile. > + - Fix unit test for xot tertiary config for zonelistfile default. > + - Fix unit test for dns-cookies for no unshare, and allow-query > + for no IPv6 loopback. > + - Fix unit test allow query to check for IPv6. > + > +22 September 2021: Wouter > + - Fix #194: Incorrect NSEC3 response for SOA query below delegation > + point. > + > +13 September 2021: Wouter > + - Fix compile failure with openssl 1.0.2. > + > +3 September 2021: Wouter > + - Fix not reachable annotation in radix_find_prefix_node. > + > +31 August 2021: Willem > + - Fix #191: dname_parse_wire() returns fqdn wireformat length. > + > +26 August 2021: Wouter > + - Fix #190: NSD returns 3 NSEC3 records for NODATA response. > + > +23 August 2021: Wouter > + - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion > + `query->delegation_rrset' failed. > + > +17 August 2021: Wouter > + - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7. > + - Fix sed script in ssldir split handling. > + > +13 August 2021: Wouter > + - Merge #187: Support using system-wide crypto policies. > + > +10 August 2021: Wouter > + - Merge #185 by cesarkuroiwa: Mutual TLS. > + - Fixes for #185: Document client-cert, client-key and client-key-pw > + in the man page. Fix yacc semicolon. Fix unused variable warning. > + Use strlcpy instead of strncpy. Fix spelling error in error > + printout. > + > +2 August 2021: Wouter > + - Quieter tpkg/do-tests shell script with -q flag. > + - For #184: Note that all zones can be targeted by some nsd-control > + commands in the man page. 
> + > +30 July 2021: Wouter > + - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check. > + - Fix to compile with OpenSSL 3.0.0beta2. > + - Fix configure detection of SSL_CTX_set_security_level. > + - Fix deprecated functions use from openssl 3.0.0beta2. > + > +23 July 2021: Wouter > + - Fix free on shutdown of XoT SSL context. > + > 22 July 2021: Wouter > - tag 4.3.7 release, with the fixes between rc1 and this release. > + - main branch continues for 4.3.8. > > 20 July 2021: Wouter > - Fix typo in xfrd-tcp.c. > diff --git iterated_hash.c iterated_hash.c > index e8606a3b06c..8c0d657598b 100644 > --- iterated_hash.c > +++ iterated_hash.c > @@ -9,11 +9,16 @@ > */ > #include "config.h" > #ifdef NSEC3 > +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) > #include <openssl/sha.h> > +#else > +#include <openssl/evp.h> > +#endif > #include <stdio.h> > #include <assert.h> > > #include "iterated_hash.h" > +#include "util.h" > > int > iterated_hash(unsigned char out[SHA_DIGEST_LENGTH], 
> @@ -21,19 +26,49 @@ iterated_hash(unsigned char out[SHA_DIGEST_LENGTH], > const unsigned char *in, int inlength, int iterations) > { > #if defined(NSEC3) && defined(HAVE_SSL) > +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) > SHA_CTX ctx; > +#else > + EVP_MD_CTX* ctx; > +#endif > int n; > +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) > +#else > + ctx = EVP_MD_CTX_create(); > + if(!ctx) { > + log_msg(LOG_ERR, "out of memory in iterated_hash"); > + return 0; > + } > +#endif > assert(in && inlength > 0 && iterations >= 0); > for(n=0 ; n <= iterations ; ++n) > { > +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) > SHA1_Init(&ctx); > SHA1_Update(&ctx, in, inlength); > if(saltlength > 0) > SHA1_Update(&ctx, salt, saltlength); > SHA1_Final(out, &ctx); > +#else > + if(!EVP_DigestInit(ctx, EVP_sha1())) > + log_msg(LOG_ERR, "iterated_hash could not > EVP_DigestInit"); > + > + if(!EVP_DigestUpdate(ctx, in, inlength)) > + log_msg(LOG_ERR, "iterated_hash could not > EVP_DigestUpdate"); > + if(saltlength > 0) { > + if(!EVP_DigestUpdate(ctx, salt, saltlength)) > + log_msg(LOG_ERR, "iterated_hash could not > EVP_DigestUpdate salt"); > + } > + if(!EVP_DigestFinal_ex(ctx, out, NULL)) > + log_msg(LOG_ERR, "iterated_hash could not > EVP_DigestFinal_ex"); > +#endif > in=out; > inlength=SHA_DIGEST_LENGTH; > } > +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) > +#else > + EVP_MD_CTX_destroy(ctx); > +#endif > return SHA_DIGEST_LENGTH; > #else > (void)out; (void)salt; (void)saltlength; > diff --git namedb.c namedb.c > index 06bef71147c..772e038b16d 100644 > --- namedb.c > +++ namedb.c 
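Review bot: In the EVP branch of iterated_hash a failed EVP_DigestInit/EVP_DigestUpdate/EVP_DigestFinal_ex is only logged, after which `in=out` and the loop keeps going and the function still returns SHA_DIGEST_LENGTH, so the caller receives whatever stale or uninitialized bytes are in `out` as if they were a valid NSEC3 hash. The new code already returns 0 when EVP_MD_CTX_create fails, so the same convention should apply to digest failures, with the context released on that path. The empty `#if … #else` blocks around the create/destroy calls are also hard to read; `#if !(defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT))` says the same thing directly. The function's signature is in the previous hunk and its non-SSL tail continues past this one.
```c
		/* … unchanged: SHA1_Init/SHA1_Update/SHA1_Final branch … */
#else
		if(!EVP_DigestInit(ctx, EVP_sha1())) {
			log_msg(LOG_ERR, "iterated_hash could not EVP_DigestInit");
			goto fail;
		}
		if(!EVP_DigestUpdate(ctx, in, inlength)) {
			log_msg(LOG_ERR, "iterated_hash could not EVP_DigestUpdate");
			goto fail;
		}
		if(saltlength > 0) {
			if(!EVP_DigestUpdate(ctx, salt, saltlength)) {
				log_msg(LOG_ERR, "iterated_hash could not EVP_DigestUpdate salt");
				goto fail;
			}
		}
		if(!EVP_DigestFinal_ex(ctx, out, NULL)) {
			log_msg(LOG_ERR, "iterated_hash could not EVP_DigestFinal_ex");
			goto fail;
		}
#endif
		in=out;
		inlength=SHA_DIGEST_LENGTH;
	}
#if !(defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT))
	EVP_MD_CTX_destroy(ctx);
#endif
	return SHA_DIGEST_LENGTH;
#if !(defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT))
fail:
	/* a failed digest step must not be reported as a valid hash */
	EVP_MD_CTX_destroy(ctx);
	return 0;
#endif
```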
> @@ -583,10 +583,13 @@ domain_find_ns_rrsets(domain_type* domain, zone_type* > zone, rrset_type **ns) > { > /* return highest NS RRset in the zone that is a delegation above */ > domain_type* result = NULL; > + rrset_type* rrset = NULL; > while (domain && domain != zone->apex) { > - *ns = domain_find_rrset(domain, zone, TYPE_NS); > - if (*ns) > + rrset = domain_find_rrset(domain, zone, TYPE_NS); > + if (rrset) { > + *ns = rrset; > result = domain; > + } > domain = domain->parent; > } > > diff --git nsd-checkconf.8.in nsd-checkconf.8.in > index 0a514e6dab0..62f0695577d 100644 > --- nsd-checkconf.8.in > +++ nsd-checkconf.8.in > @@ -1,4 +1,4 @@ > -.TH "nsd\-checkconf" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" > +.TH "nsd\-checkconf" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" > .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. > .\" See LICENSE for the license. > .SH "NAME" > diff --git nsd-checkzone.8.in nsd-checkzone.8.in > index 6b31cf9ea7a..76ac2fe2442 100644 > --- nsd-checkzone.8.in > +++ nsd-checkzone.8.in > @@ -1,4 +1,4 @@ > -.TH "nsd\-checkzone" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" > +.TH "nsd\-checkzone" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" > .\" Copyright (c) 2014, NLnet Labs. All rights reserved. > .\" See LICENSE for the license. > .SH "NAME" > diff --git nsd-control.8.in nsd-control.8.in > index ecefed3051c..f7f338c70ae 100644 > --- nsd-control.8.in > +++ nsd-control.8.in > @@ -1,4 +1,4 @@ > -.TH "nsd\-control" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" > +.TH "nsd\-control" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" > .\" Copyright (c) 2011, NLnet Labs. All rights reserved. > .\" See LICENSE for the license. > .SH "NAME" 
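Review bot: With the new loop in domain_find_ns_rrsets, `*ns` is only written when an NS RRset is found, whereas the removed code assigned it on every iteration and so left it NULL whenever `result` ended up NULL. A caller that relied on that (reading `*ns` without initialising its own variable) would now see an indeterminate pointer alongside a NULL result; I cannot see the callers from here, so this is a hedge. Initialising the output at the top, `*ns = NULL;` next to `rrset_type* rrset = NULL;`, restores the old guarantee at no cost and makes the contract explicit. The function's return is outside the hunk.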
> @@ -107,7 +107,8 @@ For bulk removals. > Write zonefiles to disk, or the given zonefile to disk. Zones that have > changed (via AXFR or IXFR) are written, or if the zonefile has not been > created yet then it is created. Directory components of the zonefile > -path are created if necessary. > +path are created if necessary. With argument that zone is written if it > +was modified, without argument, all modified zones are written. > .TP > .B notify [<zone>] > Send NOTIFY messages to slave servers. Sends to the IP addresses > @@ -116,7 +117,8 @@ server. Usually NSD sends NOTIFY messages right away > when a master zone > serial is updated. If a zone is given, notifies are sent for that zone. > These slave servers are supposed to initiate a zone transfer request > later (to this server or another master), this can be allowed via > -the 'provide\-xfr:' acl list configuration. > +the 'provide\-xfr:' acl list configuration. With argument that zone is > +processed, without argument, all zones are processed. > .TP > .B transfer [<zone>] > Attempt to update slave zones that are hosted on this server by contacting 
> @@ -125,13 +127,15 @@ If a zone is given, that zone is updated. Usually NSD > receives a NOTIFY > from the masters (configured via 'allow\-notify:' acl list) that a new zone > serial has to be transferred. For zones with no content, NSD may have backed > off from asking often because the masters did not respond, but this command > -will reset the backoff to its initial timeout, for frequent retries. > +will reset the backoff to its initial timeout, for frequent retries. With > +argument that zone is transferred, without argument, all zones are > transferred. > .TP > .B force_transfer [<zone>] > Force update slave zones that are hosted on this server. Even if the > master hosts the same serial number of the zone, a full AXFR is performed > to fetch it. If you want to use IXFR and check that the serial number > -increases, use the 'transfer' command. > +increases, use the 'transfer' command. With argument that zone is > +transferred, without argument, all zones are transferred. > .TP > .B zonestatus [<zone>] > Print state of the zone, the serial numbers and since when they have > @@ -142,7 +146,8 @@ zone is up\-to\-date), 'expired' (slave zone has > expired), 'refreshing' (slave > zone has transfers active). The serial numbers printed are > the 'served\-serial' (currently active), the 'commit\-serial' (is in reload), > the 'notified\-serial' (got notify, busy fetching the data). The serial > -numbers are only printed if such a serial number is available. > +numbers are only printed if such a serial number is available. With argument > +that zone is printed, without argument, all zones are printed. > .TP > .B serverpid > Prints the PID of the server process. This is used for statistics (and > diff --git nsd-control.c nsd-control.c > index be615a2f915..528a58c3592 100644 > --- nsd-control.c > +++ nsd-control.c 
> @@ -133,9 +133,7 @@ static void ssl_path_err(const char* s, const char *path) > { > unsigned long err; > err = ERR_peek_error(); > - if (ERR_GET_LIB(err) == ERR_LIB_SYS && > - (ERR_GET_FUNC(err) == SYS_F_FOPEN || > - ERR_GET_FUNC(err) == SYS_F_FREAD) ) { > + if (ERR_GET_LIB(err) == ERR_LIB_SYS) { > fprintf(stderr, "error: %s\n%s: %s\n", > s, path, ERR_reason_error_string(err)); > exit(1); > @@ -532,7 +530,9 @@ int main(int argc, char* argv[]) > #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS > ERR_load_crypto_strings(); > #endif > +#if defined(HAVE_ERR_LOAD_SSL_STRINGS) && > !defined(DEPRECATED_ERR_LOAD_SSL_STRINGS) > ERR_load_SSL_strings(); > +#endif > #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) > OpenSSL_add_all_algorithms(); > #else > diff --git nsd.8.in nsd.8.in > index 443c0867e41..5c7f52e3311 100644 > --- nsd.8.in > +++ nsd.8.in > @@ -1,9 +1,9 @@ > -.TH "NSD" "8" "Jul 22, 2021" "NLnet Labs" "NSD 4.3.7" > +.TH "NSD" "8" "Oct 12, 2021" "NLnet Labs" "NSD 4.3.8" > .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. > .\" See LICENSE for the license. > .SH "NAME" > .B nsd > -\- Name Server Daemon (NSD) version 4.3.7. > +\- Name Server Daemon (NSD) version 4.3.8. > .SH "SYNOPSIS" > .B nsd > .RB [ \-4 ] > diff --git nsd.conf.5.in nsd.conf.5.in > index ad4bd542650..4ee4b1292f9 100644 > --- nsd.conf.5.in > +++ nsd.conf.5.in > @@ -1,4 +1,4 @@ > -.TH "nsd.conf" "5" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" > +.TH "nsd.conf" "5" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" > .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. > .\" See LICENSE for the license. > .SH "NAME" > @@ -494,7 +494,7 @@ With the value 0 the rate is unlimited. > .TP > .B answer\-cookie:\fR <yes or no> > Enable to answer to requests containig DNS Cookies as specified in RFC7873. > -Default is yes. > +Default is no. > .TP > .B cookie\-secret:\fR <128 bit hex string> > Servers in an anycast deployment need to be able to verify each other's DNS 
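Review bot: The new condition in ssl_path_err reports any ERR_LIB_SYS error as a failure on `path`, where the removed lines additionally required the function code to be fopen or fread; that widening is presumably forced by ERR_GET_FUNC going away, but it should be stated at the check, e.g. `/* ERR_GET_FUNC() is unavailable in newer OpenSSL; any system-library error still on the queue is taken to come from opening or reading path */`. One consequence to confirm: if the error queue is not cleared before the call whose failure triggers ssl_path_err, a stale system error from elsewhere would now be printed against `path`, so the callers (outside this hunk) may want an ERR_clear_error() before the file operation.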
> @@ -884,8 +884,24 @@ It has the following attributes. > The tls-auth name. Used to refer to this TLS authentication information in > the > access control list. > .TP > -.B auth-domain-name:\fR <string> > +.B auth\-domain\-name:\fR <string> > The authentication domain name as defined in RFC8310. > +.TP > +.B client\-cert: <file name of clientcert.pem> > +If you want to use mutual TLS authentication, this is where the client > +certificates can be configured that NSD uses to connect to the upstream > +server to download the zone. The client public key pem cert file can > +be configured here. Also configure a private key with client\-key. > +.TP > +.B client\-key: <file name of clientkey.key> > +If you want to use mutual TLS authentication, the private key file can > +be configured here for the client authentication. > +.TP > +.B client\-key\-pw: <string> > +If the client\-key file uses a password to decrypt the key before it can > +be used, then the password can be specified here as a string. > +It is possible to include other config files with the include: option, and > +this can be used to move that sensitive data to another file, if you wish. > .SS DNSTAP Logging Options > DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section. > This starts a collector process that writes the log information to the > diff --git nsd.conf.sample.in nsd.conf.sample.in > index 6077ccc85c9..9758c37b0c0 100644 > --- nsd.conf.sample.in > +++ nsd.conf.sample.in > @@ -325,6 +325,11 @@ remote-control: > # The authentication domain name as defined in RFC8310. > #auth-domain-name: "example.com" > > + # Client certificate and private key for Mutual TLS authentication > + #client-cert: "path/to/clientcert.pem" > + #client-key: "path/to/clientkey.key" > + #client-key-pw: "password" > + > # Patterns have zone configuration and they are shared by one or more zones. > # > # pattern: 
> diff --git nsec3.c nsec3.c > index 3cdd572932e..1075812a437 100644 > --- nsec3.c > +++ nsec3.c > @@ -1053,12 +1053,21 @@ nsec3_add_ds_proof(struct query *query, struct answer > *answer, > !prev_par->nsec3->nsec3_is_exact); > nsec3_add_rrset(query, answer, AUTHORITY_SECTION, > prev_par->nsec3->nsec3_cover); > + } else { > + /* the exact case was handled earlier, so this is > + * with a closest-encloser proof, if in the part > + * before the else the closest encloser proof is done, > + * then we do not need to add a DS here because > + * the optout proof is already complete. If not, > + * we add the nsec3 here to complete the closest > + * encloser proof with a next closer */ > + /* add optout range from parent zone */ > + /* note: no check of optout bit, resolver checks it */ > + if(domain->nsec3) { > + nsec3_add_rrset(query, answer, > AUTHORITY_SECTION, > + domain->nsec3->nsec3_ds_parent_cover); > + } > } > - /* add optout range from parent zone */ > - /* note: no check of optout bit, resolver checks it */ > - if(domain->nsec3) > - nsec3_add_rrset(query, answer, AUTHORITY_SECTION, > - domain->nsec3->nsec3_ds_parent_cover); > } > } > > diff --git options.c options.c > index d8fe022b412..6411959e8c6 100644 > --- options.c > +++ options.c > @@ -131,7 +131,7 @@ nsd_options_create(region_type* region) > opt->tls_service_pem = NULL; > opt->tls_port = TLS_PORT; > opt->tls_cert_bundle = NULL; > - opt->answer_cookie = 1; > + opt->answer_cookie = 0; > opt->cookie_secret = NULL; > opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt"; > opt->control_enable = 0; > diff --git options.h options.h > index bb66acb03d5..f1c57aea2bf 100644 > --- options.h > +++ options.h > @@ -340,6 +340,9 @@ struct tls_auth_options { > rbnode_type node; /* key of tree is name */ > char* name; > char* auth_domain_name; > + char* client_cert; > + char* client_key; > + char* client_key_pw; > }; > > /** zone list free space */ 
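Review bot: The new else-branch comment in `nsec3_add_ds_proof` states the same reasoning three times across ten lines ("the exact case was handled earlier…", "add optout range…", "note: no check of optout bit…") before the single `nsec3_add_rrset` call, which makes the actual condition harder to see than the old two-line version. A compact form would read `/* not exact and no closest-encloser proof above: complete the closest-encloser proof with the next-closer (opt-out) range from the parent; the resolver checks the opt-out bit */`. The enclosing function begins before this hunk, so whether the "part before the else" really covers every closest-encloser case is not verifiable here; the comment should name that branch precisely once that is confirmed.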
> diff --git query.c query.c > index 44b6690ad67..d0fba064fab 100644 > --- query.c > +++ query.c > @@ -1424,6 +1424,7 @@ answer_lookup_zone(struct nsd *nsd, struct query *q, > answer_type *answer, > } > > if (!q->delegation_domain > + || !q->delegation_rrset > || (exact && q->qtype == TYPE_DS && closest_encloser == > q->delegation_domain)) > { > if (q->qclass == CLASS_ANY) { > diff --git radtree.c radtree.c > index 4bd12a4e6e9..472e9c12898 100644 > --- radtree.c > +++ radtree.c > @@ -175,7 +175,7 @@ static int radix_find_prefix_node(struct radtree* rt, > uint8_t* k, > *result = n; > } > /* cannot reach because of returns when !n above */ > - /* ENOREACH */ > + /* ENOTREACH */ > return 1; > } > > diff --git server.c server.c > index c01f022a1c1..f7a2f53c60a 100644 > --- server.c > +++ server.c > @@ -1823,7 +1823,9 @@ perform_openssl_init(void) > #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS > ERR_load_crypto_strings(); > #endif > +#if defined(HAVE_ERR_LOAD_SSL_STRINGS) && > !defined(DEPRECATED_ERR_LOAD_SSL_STRINGS) > ERR_load_SSL_strings(); > +#endif > #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) > OpenSSL_add_all_algorithms(); > #else 
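Review bot: The added `|| !q->delegation_rrset` guard in `answer_lookup_zone` carries no comment explaining why `delegation_domain` can be set while `delegation_rrset` is NULL, so it reads as a redundant NULL check that a later cleanup might drop and thereby reintroduce the failure it prevents. A one-line note would anchor it, e.g. `/* delegation_domain without an NS RRset must be answered authoritatively, not as a referral */`. It is also worth recording where that inconsistent state originates, since the guard handles the symptom at the answer stage rather than at the point the two fields are filled in; that code is outside this hunk and I cannot tell from here whether it was also adjusted.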
> @@ -1999,9 +2001,12 @@ server_tls_ctx_setup(char* key, char* pem, char* > verifypem) > } > #endif > #if defined(SHA256_DIGEST_LENGTH) && defined(SSL_TXT_CHACHA20) > - /* if we have sha256, set the cipher list to have no known vulns */ > - if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20")) > - log_crypto_err("could not set cipher list with > SSL_CTX_set_cipher_list"); > + /* if we detect system-wide crypto policies, use those */ > + if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) { > + /* if we have sha256, set the cipher list to have no known > vulns */ > + if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20")) > + log_crypto_err("could not set cipher list with > SSL_CTX_set_cipher_list"); > + } > #endif > if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & > SSL_OP_CIPHER_SERVER_PREFERENCE) != > diff --git tsig-openssl.c tsig-openssl.c > index 6cdf47990d0..fff0919c613 100644 > --- tsig-openssl.c > +++ tsig-openssl.c > @@ -114,7 +114,9 @@ tsig_openssl_init_algorithm(region_type* region, > #endif > return 0; > } > -#ifndef HAVE_EVP_MAC_CTX_NEW > +#ifdef HAVE_EVP_MAC_CTX_GET_MAC_SIZE > + algorithm->maximum_digest_size = EVP_MAC_CTX_get_mac_size(hmac_ctx); > +#elif !defined(HAVE_EVP_MAC_CTX_NEW) > algorithm->maximum_digest_size = EVP_MD_size(hmac_algorithm); > #else > algorithm->maximum_digest_size = EVP_MAC_size(hmac_ctx); > diff --git xfrd-tcp.c xfrd-tcp.c > index 8668ed0981a..a71c1955cfb 100644 > --- xfrd-tcp.c > +++ xfrd-tcp.c > @@ -124,6 +124,13 @@ ssl_handshake(struct xfrd_tcp_pipeline* tp) > > return 0; > } > + > +int password_cb(char *buf, int size, int ATTR_UNUSED(rwflag), void *u) > +{ > + strlcpy(buf, (char*)u, size); > + return strlen(buf); > +} > + > #endif > > /* sort tcppipe, first on IP address, for an IPaddresss, sort on num_unused > */ 
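Review bot: In `server_tls_ctx_setup` the new `access("/etc/crypto-policies/config", F_OK)` test silently chooses between NSD's explicit `ECDHE+AESGCM:ECDHE+CHACHA20` list and the library default, and neither branch logs the decision, so an operator cannot tell from the logs which cipher policy is actually in force. The test also only proves the file exists; if NSD is linked against an OpenSSL that was not built to read the distribution policy, the hardened list is skipped and OpenSSL's plain defaults apply, which is presumably not the intent. A log line in the skip branch, such as `log_msg(LOG_INFO, "tls: system-wide crypto policy found, not setting cipher list");`, plus a comment stating the assumption that the linked OpenSSL honours that policy, would make the behaviour auditable. The rest of `server_tls_ctx_setup` lies outside this hunk.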
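Review bot: `password_cb` discards the return value of `strlcpy`, so a passphrase longer than `size` is silently truncated and the subsequent key load fails with an unrelated decryption error rather than a clear passphrase problem; returning 0 on truncation lets OpenSSL report it as such: `size_t len = strlcpy(buf, (char*)u, size); if(len >= (size_t)size) return 0; return (int)len;`. The explicit cast also removes the implicit `size_t`-to-`int` narrowing in the existing `return strlen(buf);`. As far as this diff shows the callback is only used by `xfrd_tcp_open` in the same file, so `static` would keep it out of the global namespace unless a header declares it.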
> @@ -170,6 +177,7 @@ struct xfrd_tcp_set* xfrd_tcp_set_create(struct region* > region, const char *tls_ > tls_cert_bundle); > } > #else > + (void)tls_cert_bundle; > log_msg(LOG_INFO, "xfrd: No TLS 1.3 support - XFR-over-TLS not > available"); > #endif > for(i=0; i<XFRD_MAX_TCP; i++) > @@ -708,6 +716,25 @@ xfrd_tcp_open(struct xfrd_tcp_set* set, struct > xfrd_tcp_pipeline* tp, > xfrd_set_refresh_now(zone); > return 0; > } > + > + /* Load client certificate (if provided) */ > + if (zone->master->tls_auth_options->client_cert && > + zone->master->tls_auth_options->client_key) { > + if (SSL_CTX_use_certificate_chain_file(set->ssl_ctx, > + > zone->master->tls_auth_options->client_cert) != 1) { > + log_msg(LOG_ERR, "xfrd tls: Unable to load > client certificate from file %s", > zone->master->tls_auth_options->client_cert); > + } > + > + if (zone->master->tls_auth_options->client_key_pw) { > + SSL_CTX_set_default_passwd_cb(set->ssl_ctx, > password_cb); > + > SSL_CTX_set_default_passwd_cb_userdata(set->ssl_ctx, > zone->master->tls_auth_options->client_key_pw); > + } > + > + if (SSL_CTX_use_PrivateKey_file(set->ssl_ctx, > zone->master->tls_auth_options->client_key, SSL_FILETYPE_PEM) != 1) { > + log_msg(LOG_ERR, "xfrd tls: Unable to load > private key from file %s", zone->master->tls_auth_options->client_key); > + } > + } > + > tp->handshake_done = 0; > if(!ssl_handshake(tp)) { > if(tp->handshake_want == SSL_ERROR_SYSCALL) { > diff --git xfrd.c xfrd.c > index 6f5768f792d..c40e8ca57a5 100644 > --- xfrd.c > +++ xfrd.c > @@ -402,6 +402,10 @@ xfrd_shutdown() > daemon_remote_delete(xfrd->nsd->rc); /* ssl-delete secret keys */ > if (xfrd->nsd->tls_ctx) > SSL_CTX_free(xfrd->nsd->tls_ctx); > +# ifdef HAVE_TLS_1_3 > + if (xfrd->tcp_set->ssl_ctx) > + SSL_CTX_free(xfrd->tcp_set->ssl_ctx); > +# endif > #endif > #ifdef USE_DNSTAP > dt_collector_close(nsd.dt_collector, &nsd); > > -- > > I'm not entirely sure you are real. > -- I'm not entirely sure you are real.
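Review bot: In `xfrd_tcp_open` both `SSL_CTX_use_certificate_chain_file` and `SSL_CTX_use_PrivateKey_file` failures are only logged and the handshake proceeds anyway, so a misconfigured or unreadable client certificate results in an unauthenticated transfer attempt rather than a visible failure; the `xfrd_set_refresh_now(zone); return 0;` error path used just above the insertion point is the natural way to bail out, and `SSL_CTX_check_private_key` would catch a key/certificate mismatch at the same time. Separately, the certificate and key are loaded into `set->ssl_ctx`, which `xfrd_tcp_set_create` earlier in this file appears to create once for the whole pipeline set; if different masters configure different `client-cert`/`client-key` pairs, each open overwrites the shared identity and the `client_key_pw` pointer registered with `SSL_CTX_set_default_passwd_cb_userdata` stays attached to the context after use. Per-connection identity would belong on the connection's SSL object (`SSL_use_certificate_chain_file`/`SSL_use_PrivateKey_file`) rather than the shared context. The hunk also dereferences `zone->master->tls_auth_options` without a NULL check; if code above the hunk guarantees it is set whenever TLS is in use, a comment saying so would help.
```c
	/* Load client certificate (if provided) */
	if (zone->master->tls_auth_options->client_cert &&
	    zone->master->tls_auth_options->client_key) {
		if (SSL_CTX_use_certificate_chain_file(set->ssl_ctx,
			zone->master->tls_auth_options->client_cert) != 1) {
			log_msg(LOG_ERR, "xfrd tls: Unable to load client certificate from file %s", zone->master->tls_auth_options->client_cert);
			xfrd_set_refresh_now(zone);
			return 0;
		}
		/* … unchanged: password callback setup … */
		if (SSL_CTX_use_PrivateKey_file(set->ssl_ctx, zone->master->tls_auth_options->client_key, SSL_FILETYPE_PEM) != 1
		   || SSL_CTX_check_private_key(set->ssl_ctx) != 1) {
			log_msg(LOG_ERR, "xfrd tls: Unable to load private key from file %s", zone->master->tls_auth_options->client_key);
			xfrd_set_refresh_now(zone);
			return 0;
		}
	}
```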
