# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
-# Version 40
+# Version 43
+# 2021-08-17 fix sed script in ssldir split handling.
+# 2021-08-17 fix for openssl to detect split version, with ssldir_include
+# and ssldir_lib output directories.
+# 2021-07-30 fix for openssl use of lib64 directory.
# 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
# 64bit compatibility.
withval=$1
if test x_$withval != x_no; then
AC_MSG_CHECKING(for SSL)
+ if test -n "$withval"; then
+ dnl look for openssl install with different version, eg.
+ dnl in /usr/include/openssl11/openssl/ssl.h
+ dnl and /usr/lib64/openssl11/libssl.so
+ dnl with the --with-ssl=/usr/include/openssl11
+ if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then
+ ssldir="$withval"
+ found_ssl="yes"
+ withval=""
+ ssldir_include="$ssldir"
+ dnl find the libdir
+ ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
+ if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+ : # found here
+ else
+ ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'`
+ if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+ : # found here
+ else
+ AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or "/usr/include/openssl11"])
+ fi
+ fi
+ fi
+ fi
if test x_$withval = x_ -o x_$withval = x_yes; then
withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr"
fi
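Review bot: The `sed -e 's/include/lib/'` at L27 (and the `lib64` variant at L31) is unanchored, so it rewrites the first `include` anywhere in the path; a prefix such as `/opt/include-tools/include/openssl11` or a home directory containing `includes` is turned into a lib directory that does not exist and the check at L28 then fails with a misleading error. Anchoring on the path component, `sed -e 's|/include/|/lib/|' -e 's|/include$|/lib|'` (and likewise for `lib64`), plus quoting `"$ssldir"` in the `echo`, limits the substitution to the intended directory; the same two lines appear in configure.ac (L423, L427) and the generated configure (L224, L228). Separately, L24 clears `withval` after a successful split-install detection and L40 then resets an empty `withval` to the default search list; unless the `for dir in $withval` loop that follows (outside the hunk) is skipped when `found_ssl` is already `yes`, a system OpenSSL found in that list overwrites the `ssldir`/`ssldir_include`/`ssldir_lib` just computed, which on a host with both a system OpenSSL and an `openssl11` package is exactly the case the feature targets. Guarding the reset, `if test x_$found_ssl != x_yes -a x_$withval = x_ -o x_$withval = x_yes; then`, leaves the loop with nothing to iterate in that case.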
ssldir="$dir"
if test -f "$dir/include/openssl/ssl.h"; then
found_ssl="yes"
- AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
- dnl assume /usr/include is already in the include-path.
- if test "$ssldir" != "/usr"; then
- CPPFLAGS="$CPPFLAGS -I$ssldir/include"
- LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
- fi
+ ssldir_include="$ssldir/include"
+ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
+ ssldir_lib="$ssldir/lib64"
+ else
+ ssldir_lib="$ssldir/lib"
+ fi
break;
fi
done
AC_MSG_ERROR(Cannot find the SSL libraries in $withval)
else
AC_MSG_RESULT(found in $ssldir)
+ AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
HAVE_SSL=yes
- dnl assume /usr is already in the lib and dynlib paths.
- if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
- LDFLAGS="$LDFLAGS -L$ssldir/lib"
- LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
- ACX_RUNTIME_PATH_ADD([$ssldir/lib])
- fi
+ dnl assume /usr is already in the include, lib and dynlib paths.
+ if test "$ssldir" != "/usr"; then
+ CPPFLAGS="$CPPFLAGS -I$ssldir_include"
+ LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include"
+ LDFLAGS="$LDFLAGS -L$ssldir_lib"
+ LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib"
+ ACX_RUNTIME_PATH_ADD([$ssldir_lib])
+ fi
AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
LIBS="$LIBS -lcrypto"
AC_DEFUN([ACX_WITH_SSL],
[
AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
+ /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[
],[
withval="yes"
])
AC_DEFUN([ACX_WITH_SSL_OPTIONAL],
[
AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
+ /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[
],[
withval="yes"
])
/* Pathname to the NSD database */
#undef DBFILE
+/* Whether ERR_load_SSL_strings is deprecated */
+#undef DEPRECATED_ERR_LOAD_SSL_STRINGS
+
+/* Whether SHA1_Init is deprecated */
+#undef DEPRECATED_SHA1_INIT
+
/* default dnstap socket path */
#undef DNSTAP_SOCKET_PATH
/* Define to 1 if you have the `ERR_load_crypto_strings' function. */
#undef HAVE_ERR_LOAD_CRYPTO_STRINGS
+/* Define to 1 if you have the `ERR_load_SSL_strings' function. */
+#undef HAVE_ERR_LOAD_SSL_STRINGS
+
/* Define to 1 if you have the `event_base_free' function. */
#undef HAVE_EVENT_BASE_FREE
/* Define to 1 if you have the `EVP_cleanup' function. */
#undef HAVE_EVP_CLEANUP
+/* Define to 1 if you have the `EVP_MAC_CTX_get_mac_size' function. */
+#undef HAVE_EVP_MAC_CTX_GET_MAC_SIZE
+
/* Define to 1 if you have the `EVP_MAC_CTX_new' function. */
#undef HAVE_EVP_MAC_CTX_NEW
/* Define to 1 if you have the `setusercontext' function. */
#undef HAVE_SETUSERCONTEXT
+/* Define to 1 if you have the `SHA1_Init' function. */
+#undef HAVE_SHA1_INIT
+
/* Define to 1 if you have the `sigaction' function. */
#undef HAVE_SIGACTION
/* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
#undef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */
+#undef HAVE_SSL_GET1_PEER_CERTIFICATE
+
/* Define to 1 if you have the <stdarg.h> header file. */
#undef HAVE_STDARG_H
allow-axfr-fallback{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALLOW_AXFR_FALLBACK;}
tls-auth{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH;}
auth-domain-name{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_DOMAIN_NAME;}
+client-cert{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_CERT;}
+client-key{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_KEY;}
+client-key-pw{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_KEY_PW;}
key{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_KEY;}
algorithm{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALGORITHM;}
secret{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SECRET;}
/* xot auth */
%token VAR_TLS_AUTH
%token VAR_TLS_AUTH_DOMAIN_NAME
+%token VAR_TLS_AUTH_CLIENT_CERT
+%token VAR_TLS_AUTH_CLIENT_KEY
+%token VAR_TLS_AUTH_CLIENT_KEY_PW
/* pattern */
%token VAR_PATTERN
| VAR_TLS_AUTH_DOMAIN_NAME STRING
{
cfg_parser->tls_auth->auth_domain_name = region_strdup(cfg_parser->opt->region, $2);
- };
+ }
+ | VAR_TLS_AUTH_CLIENT_CERT STRING
+ {
+ cfg_parser->tls_auth->client_cert = region_strdup(cfg_parser->opt->region, $2);
+ }
+ | VAR_TLS_AUTH_CLIENT_KEY STRING
+ {
+ cfg_parser->tls_auth->client_key = region_strdup(cfg_parser->opt->region, $2);
+ }
+ | VAR_TLS_AUTH_CLIENT_KEY_PW STRING
+ {
+ cfg_parser->tls_auth->client_key_pw = region_strdup(cfg_parser->opt->region, $2);
+ }
+ ;
key:
VAR_KEY
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for NSD 4.3.7.
+# Generated by GNU Autoconf 2.69 for NSD 4.3.8.
#
# Report bugs to <nsd-bugs@nlnetlabs.nl>.
#
# Identity of this package.
PACKAGE_NAME='NSD'
PACKAGE_TARNAME='nsd'
-PACKAGE_VERSION='4.3.7'
-PACKAGE_STRING='NSD 4.3.7'
+PACKAGE_VERSION='4.3.8'
+PACKAGE_STRING='NSD 4.3.8'
PACKAGE_BUGREPORT='nsd-bugs@nlnetlabs.nl'
PACKAGE_URL=''
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures NSD 4.3.7 to adapt to many kinds of systems.
+\`configure' configures NSD 4.3.8 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of NSD 4.3.7:";;
+ short | recursive ) echo "Configuration of NSD 4.3.8:";;
esac
cat <<\_ACEOF
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-NSD configure 4.3.7
+NSD configure 4.3.8
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by NSD $as_me 4.3.7, which was
+It was created by NSD $as_me 4.3.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
if test x_$withval != x_no; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5
$as_echo_n "checking for SSL... " >&6; }
+ if test -n "$withval"; then
+ if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then
+ ssldir="$withval"
+ found_ssl="yes"
+ withval=""
+ ssldir_include="$ssldir"
+ CPPFLAGS="$CPPFLAGS -I$ssldir_include";
+ ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
+ if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+ : # found here
+ else
+ ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'`
+ if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+ : # found here
+ else
+ as_fn_error $? "Could not find openssl lib file, $ssldir_lib/libssl.so,a, pass like \"/usr/local\" or \"/usr/include/openssl11\"" "$LINENO" 5
+ fi
+ fi
+ fi
+ fi
if test x_$withval = x_ -o x_$withval = x_yes; then
withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw /usr/local /usr /usr/local/opt/openssl"
fi
ssldir="$dir"
if test -f "$dir/include/openssl/ssl.h"; then
found_ssl="yes";
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_SSL /**/
-_ACEOF
-
if test x_$ssldir != x_/usr; then
CPPFLAGS="$CPPFLAGS -I$ssldir/include";
fi
+ ssldir_include="$ssldir/include"
+ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
+ ssldir_lib="$ssldir/lib64"
+ else
+ ssldir_lib="$ssldir/lib"
+ fi
break;
fi
done
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" >&5
$as_echo "found in $ssldir" >&6; }
HAVE_SSL=yes
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_SSL /**/
+_ACEOF
+
if test x_$ssldir != x_/usr; then
- LDFLAGS="$LDFLAGS -L$ssldir/lib";
+ LDFLAGS="$LDFLAGS -L$ssldir_lib";
fi
if test x_$ssldir = x_/usr/sfw; then
- LDFLAGS="$LDFLAGS -R$ssldir/lib";
+ LDFLAGS="$LDFLAGS -R$ssldir_lib";
fi
fi
done
- for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params
+ for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params EVP_MAC_CTX_get_mac_size SHA1_Init
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
fi
done
+ if test "$ac_cv_func_SHA1_Init" = "yes"; then
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if SHA1_Init is deprecated" >&5
+$as_echo_n "checking if SHA1_Init is deprecated... " >&6; }
+cache=`echo SHA1_Init | sed 'y%.=/+-%___p_%'`
+if eval \${cv_cc_deprecated_$cache+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+echo '
+#include <openssl/sha.h>
+' >conftest.c
+echo 'void f(){ (void)SHA1_Init(NULL); }' >>conftest.c
+if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then
+eval "cv_cc_deprecated_$cache=no"
+else
+eval "cv_cc_deprecated_$cache=yes"
+fi
+rm -f conftest conftest.o conftest.c
+
+fi
+
+if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+cat >>confdefs.h <<_ACEOF
+#define DEPRECATED_SHA1_INIT 1
+_ACEOF
+
+:
+
+else
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+:
+
+fi
+
+ fi
ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" "ac_cv_have_decl_SSL_CTX_set_ecdh_auto" "
$ac_includes_default
#ifdef HAVE_OPENSSL_ERR_H
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
- for ac_func in OPENSSL_init_ssl
+ for ac_func in OPENSSL_init_ssl SSL_get1_peer_certificate SSL_CTX_set_security_level ERR_load_SSL_strings
do :
- ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl"
-if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
-#define HAVE_OPENSSL_INIT_SSL 1
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
fi
done
+ if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ERR_load_SSL_strings is deprecated" >&5
+$as_echo_n "checking if ERR_load_SSL_strings is deprecated... " >&6; }
+cache=`echo ERR_load_SSL_strings | sed 'y%.=/+-%___p_%'`
+if eval \${cv_cc_deprecated_$cache+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+echo '
+#include <openssl/ssl.h>
+' >conftest.c
+echo 'void f(){ (void)ERR_load_SSL_strings(); }' >>conftest.c
+if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then
+eval "cv_cc_deprecated_$cache=no"
+else
+eval "cv_cc_deprecated_$cache=yes"
+fi
+rm -f conftest conftest.o conftest.c
+
+fi
+
+if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+cat >>confdefs.h <<_ACEOF
+#define DEPRECATED_ERR_LOAD_SSL_STRINGS 1
+_ACEOF
+
+:
+
+else
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+:
+
+fi
+
+ fi
LIBS="$BAKLIBS"
else
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by NSD $as_me 4.3.7, which was
+This file was extended by NSD $as_me 4.3.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-NSD config.status 4.3.7
+NSD config.status 4.3.8
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
sinclude(acx_nlnetlabs.m4)
sinclude(dnstap/dnstap.m4)
-AC_INIT([NSD],[4.3.7],[nsd-bugs@nlnetlabs.nl])
+AC_INIT([NSD],[4.3.8],[nsd-bugs@nlnetlabs.nl])
AC_CONFIG_HEADERS([config.h])
#
])
if test x_$withval != x_no; then
AC_MSG_CHECKING(for SSL)
+ if test -n "$withval"; then
+ dnl look for openssl install with different version, eg.
+ dnl in /usr/include/openssl11/openssl/ssl.h
+ dnl and /usr/lib64/openssl11/libssl.so
+ dnl with the --with-ssl=/usr/include/openssl11
+ if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then
+ ssldir="$withval"
+ found_ssl="yes"
+ withval=""
+ ssldir_include="$ssldir"
+ CPPFLAGS="$CPPFLAGS -I$ssldir_include";
+ dnl find the libdir
+ ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
+ if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+ : # found here
+ else
+ ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'`
+ if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
+ : # found here
+ else
+ AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or "/usr/include/openssl11"])
+ fi
+ fi
+ fi
+ fi
if test x_$withval = x_ -o x_$withval = x_yes; then
withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw /usr/local /usr /usr/local/opt/openssl"
fi
ssldir="$dir"
if test -f "$dir/include/openssl/ssl.h"; then
found_ssl="yes";
- AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
if test x_$ssldir != x_/usr; then
CPPFLAGS="$CPPFLAGS -I$ssldir/include";
fi
+ ssldir_include="$ssldir/include"
+ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
+ ssldir_lib="$ssldir/lib64"
+ else
+ ssldir_lib="$ssldir/lib"
+ fi
break;
fi
done
else
AC_MSG_RESULT([found in $ssldir])
HAVE_SSL=yes
+ AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
if test x_$ssldir != x_/usr; then
- LDFLAGS="$LDFLAGS -L$ssldir/lib";
+ LDFLAGS="$LDFLAGS -L$ssldir_lib";
fi
if test x_$ssldir = x_/usr/sfw; then
- LDFLAGS="$LDFLAGS -R$ssldir/lib";
+ LDFLAGS="$LDFLAGS -R$ssldir_lib";
fi
fi
AC_SUBST(HAVE_SSL)
SSL_LIBS="-lssl"
AC_SUBST(SSL_LIBS)
AC_CHECK_HEADERS([openssl/ssl.h openssl/err.h openssl/rand.h openssl/ocsp.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT])
- AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params])
+ AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params EVP_MAC_CTX_get_mac_size SHA1_Init])
+ if test "$ac_cv_func_SHA1_Init" = "yes"; then
+ ACX_FUNC_DEPRECATED([SHA1_Init], [(void)SHA1_Init(NULL);], [
+#include <openssl/sha.h>
+])
+ fi
AC_CHECK_DECLS([SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
- AC_CHECK_FUNCS([OPENSSL_init_ssl])
+ AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_get1_peer_certificate SSL_CTX_set_security_level ERR_load_SSL_strings])
+ if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then
+ ACX_FUNC_DEPRECATED([ERR_load_SSL_strings], [(void)ERR_load_SSL_strings();], [
+#include <openssl/ssl.h>
+])
+ fi
LIBS="$BAKLIBS"
else
}
*h = label_length;
h = p;
+ p++;
}
/* Add root label. */
+7 October 2021: Wouter
+ - Set default for answer-cookie to no. Because in server deployments
+ with mixed server software, a default of yes causes issues.
+ - Tag for 4.3.8rc2, includes the new answer-cookie default.
+
+4 October 2021: Wouter
+ - Tag for 4.3.8rc1.
+
+29 September 2021: Wouter
+ - Fix unit tests for svcb and xot to not touch the default
+ zonelistfile.
+ - Fix unit test for xot tertiary config for zonelistfile default.
+ - Fix unit test for dns-cookies for no unshare, and allow-query
+ for no IPv6 loopback.
+ - Fix unit test allow query to check for IPv6.
+
+22 September 2021: Wouter
+ - Fix #194: Incorrect NSEC3 response for SOA query below delegation
+ point.
+
+13 September 2021: Wouter
+ - Fix compile failure with openssl 1.0.2.
+
+3 September 2021: Wouter
+ - Fix not reachable annotation in radix_find_prefix_node.
+
+31 August 2021: Willem
+ - Fix #191: dname_parse_wire() returns fqdn wireformat length.
+
+26 August 2021: Wouter
+ - Fix #190: NSD returns 3 NSEC3 records for NODATA response.
+
+23 August 2021: Wouter
+ - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
+ `query->delegation_rrset' failed.
+
+17 August 2021: Wouter
+ - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
+ - Fix sed script in ssldir split handling.
+
+13 August 2021: Wouter
+ - Merge #187: Support using system-wide crypto policies.
+
+10 August 2021: Wouter
+ - Merge #185 by cesarkuroiwa: Mutual TLS.
+ - Fixes for #185: Document client-cert, client-key and client-key-pw
+ in the man page. Fix yacc semicolon. Fix unused variable warning.
+ Use strlcpy instead of strncpy. Fix spelling error in error
+ printout.
+
+2 August 2021: Wouter
+ - Quieter tpkg/do-tests shell script with -q flag.
+ - For #184: Note that all zones can be targeted by some nsd-control
+ commands in the man page.
+
+30 July 2021: Wouter
+ - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
+ - Fix to compile with OpenSSL 3.0.0beta2.
+ - Fix configure detection of SSL_CTX_set_security_level.
+ - Fix deprecated functions use from openssl 3.0.0beta2.
+
+23 July 2021: Wouter
+ - Fix free on shutdown of XoT SSL context.
+
22 July 2021: Wouter
- tag 4.3.7 release, with the fixes between rc1 and this release.
+ - main branch continues for 4.3.8.
20 July 2021: Wouter
- Fix typo in xfrd-tcp.c.
NSD RELEASE NOTES
+4.3.8
+================
+FEATURES:
+ - Merge #185 by cesarkuroiwa: Mutual TLS.
+ - Set default for answer-cookie to no. Because in server deployments
+ with mixed server software, a default of yes causes issues.
+BUG FIXES:
+ - Fix to compile with OpenSSL 3.0.0beta2.
+ - Fix configure detection of SSL_CTX_set_security_level.
+ - Fix deprecated functions use from openssl 3.0.0beta2.
+ - For #184: Note that all zones can be targeted by some nsd-control
+ commands in the man page.
+ - Fixes for #185: Document client-cert, client-key and client-key-pw
+ in the man page. Fix yacc semicolon. Fix unused variable warning.
+ Use strlcpy instead of strncpy. Fix spelling error in error
+ printout.
+ - Merge #187: Support using system-wide crypto policies.
+ - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
+ - Fix sed script in ssldir split handling.
+ - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
+ `query->delegation_rrset' failed.
+ - Fix #190: NSD returns 3 NSEC3 records for NODATA response.
+ - Fix compile failure with openssl 1.0.2.
+ - Fix #194: Incorrect NSEC3 response for SOA query below delegation
+ point.
+
4.3.7
================
FEATURES:
*/
#include "config.h"
#ifdef NSEC3
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
#include <openssl/sha.h>
+#else
+#include <openssl/evp.h>
+#endif
#include <stdio.h>
#include <assert.h>
#include "iterated_hash.h"
+#include "util.h"
int
iterated_hash(unsigned char out[SHA_DIGEST_LENGTH],
const unsigned char *in, int inlength, int iterations)
{
#if defined(NSEC3) && defined(HAVE_SSL)
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
SHA_CTX ctx;
+#else
+ EVP_MD_CTX* ctx;
+#endif
int n;
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
+#else
+ ctx = EVP_MD_CTX_create();
+ if(!ctx) {
+ log_msg(LOG_ERR, "out of memory in iterated_hash");
+ return 0;
+ }
+#endif
assert(in && inlength > 0 && iterations >= 0);
for(n=0 ; n <= iterations ; ++n)
{
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
SHA1_Init(&ctx);
SHA1_Update(&ctx, in, inlength);
if(saltlength > 0)
SHA1_Update(&ctx, salt, saltlength);
SHA1_Final(out, &ctx);
+#else
+ if(!EVP_DigestInit(ctx, EVP_sha1()))
+ log_msg(LOG_ERR, "iterated_hash could not EVP_DigestInit");
+
+ if(!EVP_DigestUpdate(ctx, in, inlength))
+ log_msg(LOG_ERR, "iterated_hash could not EVP_DigestUpdate");
+ if(saltlength > 0) {
+ if(!EVP_DigestUpdate(ctx, salt, saltlength))
+ log_msg(LOG_ERR, "iterated_hash could not EVP_DigestUpdate salt");
+ }
+ if(!EVP_DigestFinal_ex(ctx, out, NULL))
+ log_msg(LOG_ERR, "iterated_hash could not EVP_DigestFinal_ex");
+#endif
in=out;
inlength=SHA_DIGEST_LENGTH;
}
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
+#else
+ EVP_MD_CTX_destroy(ctx);
+#endif
return SHA_DIGEST_LENGTH;
#else
(void)out; (void)salt; (void)saltlength;
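Review bot: In the EVP branch at L639-649 a failing EVP_DigestInit/EVP_DigestUpdate/EVP_DigestFinal_ex is only logged; the loop keeps going and the function still returns SHA_DIGEST_LENGTH at L658, so the caller treats whatever bytes `out` held as a valid NSEC3 hash. The out-of-memory path at L624-627 already returns 0, so a digest failure should take the same exit after destroying the context rather than continuing. The empty `#if … #else` pairs at L621-622 and L654-655 read awkwardly; a single `#if !(defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT))`, or one helper macro such as `USE_EVP_SHA1` defined next to the includes, would make the two code paths easier to follow. iterated_hash's body continues past the hunk.
```c
#else
		if(!EVP_DigestInit(ctx, EVP_sha1())
		|| !EVP_DigestUpdate(ctx, in, inlength)
		|| (saltlength > 0 && !EVP_DigestUpdate(ctx, salt, saltlength))
		|| !EVP_DigestFinal_ex(ctx, out, NULL)) {
			/* do not hand a stale/partial buffer back as a hash */
			log_msg(LOG_ERR, "iterated_hash: EVP sha1 digest failed");
			EVP_MD_CTX_destroy(ctx);
			return 0;
		}
#endif
		/* … unchanged: in=out; inlength=SHA_DIGEST_LENGTH; … */
```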
{
/* return highest NS RRset in the zone that is a delegation above */
domain_type* result = NULL;
+ rrset_type* rrset = NULL;
while (domain && domain != zone->apex) {
- *ns = domain_find_rrset(domain, zone, TYPE_NS);
- if (*ns)
+ rrset = domain_find_rrset(domain, zone, TYPE_NS);
+ if (rrset) {
+ *ns = rrset;
result = domain;
+ }
domain = domain->parent;
}
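Review bot: `*ns` is now written only when an NS rrset is found (L669-670), whereas the removed L666 assigned it on every iteration, so a caller that does not initialise its out-parameter reads an indeterminate pointer on the not-found path; the query.c hunk in this diff tests `q->delegation_rrset` for NULL, which presumably is this pointer and therefore relies on the caller zeroing it beforehand. Either state the contract on the function, `/* *ns is written only when a delegation NS rrset is found; callers must initialise it. */`, or set `*ns = NULL;` before the `while` (note that the latter also writes it when `domain == zone->apex`, which neither the old nor the new code does). The function starts before the hunk.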
-.TH "nsd\-checkconf" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7"
+.TH "nsd\-checkconf" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8"
.\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
-.TH "nsd\-checkzone" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7"
+.TH "nsd\-checkzone" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8"
.\" Copyright (c) 2014, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
-.TH "nsd\-control" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7"
+.TH "nsd\-control" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8"
.\" Copyright (c) 2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
Write zonefiles to disk, or the given zonefile to disk. Zones that have
changed (via AXFR or IXFR) are written, or if the zonefile has not been
created yet then it is created. Directory components of the zonefile
-path are created if necessary.
+path are created if necessary. With argument that zone is written if it
+was modified, without argument, all modified zones are written.
.TP
.B notify [<zone>]
Send NOTIFY messages to slave servers. Sends to the IP addresses
serial is updated. If a zone is given, notifies are sent for that zone.
These slave servers are supposed to initiate a zone transfer request
later (to this server or another master), this can be allowed via
-the 'provide\-xfr:' acl list configuration.
+the 'provide\-xfr:' acl list configuration. With argument that zone is
+processed, without argument, all zones are processed.
.TP
.B transfer [<zone>]
Attempt to update slave zones that are hosted on this server by contacting
from the masters (configured via 'allow\-notify:' acl list) that a new zone
serial has to be transferred. For zones with no content, NSD may have backed
off from asking often because the masters did not respond, but this command
-will reset the backoff to its initial timeout, for frequent retries.
+will reset the backoff to its initial timeout, for frequent retries. With
+argument that zone is transferred, without argument, all zones are transferred.
.TP
.B force_transfer [<zone>]
Force update slave zones that are hosted on this server. Even if the
master hosts the same serial number of the zone, a full AXFR is performed
to fetch it. If you want to use IXFR and check that the serial number
-increases, use the 'transfer' command.
+increases, use the 'transfer' command. With argument that zone is
+transferred, without argument, all zones are transferred.
.TP
.B zonestatus [<zone>]
Print state of the zone, the serial numbers and since when they have
zone has transfers active). The serial numbers printed are
the 'served\-serial' (currently active), the 'commit\-serial' (is in reload),
the 'notified\-serial' (got notify, busy fetching the data). The serial
-numbers are only printed if such a serial number is available.
+numbers are only printed if such a serial number is available. With argument
+that zone is printed, without argument, all zones are printed.
.TP
.B serverpid
Prints the PID of the server process. This is used for statistics (and
{
unsigned long err;
err = ERR_peek_error();
- if (ERR_GET_LIB(err) == ERR_LIB_SYS &&
- (ERR_GET_FUNC(err) == SYS_F_FOPEN ||
- ERR_GET_FUNC(err) == SYS_F_FREAD) ) {
+ if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
fprintf(stderr, "error: %s\n%s: %s\n",
s, path, ERR_reason_error_string(err));
exit(1);
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
#endif
+#if defined(HAVE_ERR_LOAD_SSL_STRINGS) && !defined(DEPRECATED_ERR_LOAD_SSL_STRINGS)
ERR_load_SSL_strings();
+#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
#else
-.TH "NSD" "8" "Jul 22, 2021" "NLnet Labs" "NSD 4.3.7"
+.TH "NSD" "8" "Oct 12, 2021" "NLnet Labs" "NSD 4.3.8"
.\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
.B nsd
-\- Name Server Daemon (NSD) version 4.3.7.
+\- Name Server Daemon (NSD) version 4.3.8.
.SH "SYNOPSIS"
.B nsd
.RB [ \-4 ]
-.TH "nsd.conf" "5" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7"
+.TH "nsd.conf" "5" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8"
.\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
.TP
.B answer\-cookie:\fR <yes or no>
Enable to answer to requests containig DNS Cookies as specified in RFC7873.
-Default is yes.
+Default is no.
.TP
.B cookie\-secret:\fR <128 bit hex string>
Servers in an anycast deployment need to be able to verify each other's DNS
The tls-auth name. Used to refer to this TLS authentication information in the
access control list.
.TP
-.B auth-domain-name:\fR <string>
+.B auth\-domain\-name:\fR <string>
The authentication domain name as defined in RFC8310.
+.TP
+.B client\-cert: <file name of clientcert.pem>
+If you want to use mutual TLS authentication, this is where the client
+certificates can be configured that NSD uses to connect to the upstream
+server to download the zone. The client public key pem cert file can
+be configured here. Also configure a private key with client\-key.
+.TP
+.B client\-key: <file name of clientkey.key>
+If you want to use mutual TLS authentication, the private key file can
+be configured here for the client authentication.
+.TP
+.B client\-key\-pw: <string>
+If the client\-key file uses a password to decrypt the key before it can
+be used, then the password can be specified here as a string.
+It is possible to include other config files with the include: option, and
+this can be used to move that sensitive data to another file, if you wish.
.SS DNSTAP Logging Options
DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section.
This starts a collector process that writes the log information to the
# The authentication domain name as defined in RFC8310.
#auth-domain-name: "example.com"
+ # Client certificate and private key for Mutual TLS authentication
+ #client-cert: "path/to/clientcert.pem"
+ #client-key: "path/to/clientkey.key"
+ #client-key-pw: "password"
+
# Patterns have zone configuration and they are shared by one or more zones.
#
# pattern:
!prev_par->nsec3->nsec3_is_exact);
nsec3_add_rrset(query, answer, AUTHORITY_SECTION,
prev_par->nsec3->nsec3_cover);
+ } else {
+ /* the exact case was handled earlier, so this is
+ * with a closest-encloser proof, if in the part
+ * before the else the closest encloser proof is done,
+ * then we do not need to add a DS here because
+ * the optout proof is already complete. If not,
+ * we add the nsec3 here to complete the closest
+ * encloser proof with a next closer */
+ /* add optout range from parent zone */
+ /* note: no check of optout bit, resolver checks it */
+ if(domain->nsec3) {
+ nsec3_add_rrset(query, answer, AUTHORITY_SECTION,
+ domain->nsec3->nsec3_ds_parent_cover);
+ }
}
- /* add optout range from parent zone */
- /* note: no check of optout bit, resolver checks it */
- if(domain->nsec3)
- nsec3_add_rrset(query, answer, AUTHORITY_SECTION,
- domain->nsec3->nsec3_ds_parent_cover);
}
}
opt->tls_service_pem = NULL;
opt->tls_port = TLS_PORT;
opt->tls_cert_bundle = NULL;
- opt->answer_cookie = 1;
+ opt->answer_cookie = 0;
opt->cookie_secret = NULL;
opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
opt->control_enable = 0;
rbnode_type node; /* key of tree is name */
char* name;
char* auth_domain_name;
+ char* client_cert;
+ char* client_key;
+ char* client_key_pw;
};
/** zone list free space */
}
if (!q->delegation_domain
+ || !q->delegation_rrset
|| (exact && q->qtype == TYPE_DS && closest_encloser == q->delegation_domain))
{
if (q->qclass == CLASS_ANY) {
*result = n;
}
/* cannot reach because of returns when !n above */
- /* ENOREACH */
+ /* ENOTREACH */
return 1;
}
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
#endif
+#if defined(HAVE_ERR_LOAD_SSL_STRINGS) && !defined(DEPRECATED_ERR_LOAD_SSL_STRINGS)
ERR_load_SSL_strings();
+#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
#else
}
#endif
#if defined(SHA256_DIGEST_LENGTH) && defined(SSL_TXT_CHACHA20)
- /* if we have sha256, set the cipher list to have no known vulns */
- if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20"))
- log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
+ /* if we detect system-wide crypto policies, use those */
+ if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
+ /* if we have sha256, set the cipher list to have no known vulns */
+ if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20"))
+ log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
+ }
#endif
if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
SSL_OP_CIPHER_SERVER_PREFERENCE) !=
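Review bot: The `access("/etc/crypto-policies/config", F_OK)` probe at L882 establishes only that the policy file exists, not that the OpenSSL linked into this binary honours it; this same release adds `--with-ssl=/usr/include/openssl11` for a non-system OpenSSL, which may not read the distribution policy at all, and in that case the explicit `ECDHE+AESGCM:ECDHE+CHACHA20` list is skipped and the library default applies. The skip is also silent, so an operator cannot tell from the logs which cipher set is in force. I would at least record the decision in the new branch, `log_msg(LOG_INFO, "ssl: system-wide crypto policy detected, not setting cipher list");`, and consider an explicit configuration option in place of the file probe. The enclosing function starts and ends outside the hunk.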
#endif
return 0;
}
-#ifndef HAVE_EVP_MAC_CTX_NEW
+#ifdef HAVE_EVP_MAC_CTX_GET_MAC_SIZE
+ algorithm->maximum_digest_size = EVP_MAC_CTX_get_mac_size(hmac_ctx);
+#elif !defined(HAVE_EVP_MAC_CTX_NEW)
algorithm->maximum_digest_size = EVP_MD_size(hmac_algorithm);
#else
algorithm->maximum_digest_size = EVP_MAC_size(hmac_ctx);
return 0;
}
+
+int password_cb(char *buf, int size, int ATTR_UNUSED(rwflag), void *u)
+{
+ strlcpy(buf, (char*)u, size);
+ return strlen(buf);
+}
+
#endif
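Review bot: `password_cb` at L903 is a non-static function with a generic name, and its `strlcpy` silently truncates a password longer than `size`, after which OpenSSL tries the truncated string and the key load fails with an unrelated error; `return strlen(buf);` also narrows size_t to int implicitly. Since its only visible use is the `SSL_CTX_set_default_passwd_cb(set->ssl_ctx, password_cb)` call later in this diff, make it `static int password_cb(char *buf, int size, int ATTR_UNUSED(rwflag), void *u)`, report truncation with `if(strlcpy(buf, (char*)u, size) >= (size_t)size) { log_msg(LOG_ERR, "xfrd tls: client-key-pw too long for OpenSSL passphrase buffer"); return -1; }`, and finish with `return (int)strlen(buf);` (OpenSSL treats -1 from a passphrase callback as an error). A one-line comment stating that `u` is the configured client-key-pw string, set via SSL_CTX_set_default_passwd_cb_userdata, would also help the next reader.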
/* sort tcppipe, first on IP address, for an IPaddresss, sort on num_unused */
tls_cert_bundle);
}
#else
+ (void)tls_cert_bundle;
log_msg(LOG_INFO, "xfrd: No TLS 1.3 support - XFR-over-TLS not available");
#endif
for(i=0; i<XFRD_MAX_TCP; i++)
xfrd_set_refresh_now(zone);
return 0;
}
+
+ /* Load client certificate (if provided) */
+ if (zone->master->tls_auth_options->client_cert &&
+ zone->master->tls_auth_options->client_key) {
+ if (SSL_CTX_use_certificate_chain_file(set->ssl_ctx,
+ zone->master->tls_auth_options->client_cert) != 1) {
+ log_msg(LOG_ERR, "xfrd tls: Unable to load client certificate from file %s", zone->master->tls_auth_options->client_cert);
+ }
+
+ if (zone->master->tls_auth_options->client_key_pw) {
+ SSL_CTX_set_default_passwd_cb(set->ssl_ctx, password_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(set->ssl_ctx, zone->master->tls_auth_options->client_key_pw);
+ }
+
+ if (SSL_CTX_use_PrivateKey_file(set->ssl_ctx, zone->master->tls_auth_options->client_key, SSL_FILETYPE_PEM) != 1) {
+ log_msg(LOG_ERR, "xfrd tls: Unable to load private key from file %s", zone->master->tls_auth_options->client_key);
+ }
+ }
+
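Review bot: A failed certificate or key load at L925-928 and L935-937 is only logged and the handshake at L941 proceeds anyway, so a misconfigured mutual-TLS master is contacted without a client certificate, or, since `set->ssl_ctx` appears to be shared by every connection of the set, with whichever certificate an earlier zone loaded into it, and the problem only surfaces as a handshake rejection by the server. The lines just above show the function's error convention (`xfrd_set_refresh_now(zone); return 0;`), so a load failure should take the same exit, and `SSL_CTX_check_private_key` should confirm the key matches the certificate before the connection is used. A zone with only one of client-cert/client-key configured silently skips the whole block at L923-924; a warning there would surface the misconfiguration at the first transfer attempt. Whether that exit also needs to release an SSL object created earlier, and whether the passwd userdata pointer into the zone's options can dangle across a config reload, depends on code outside the hunk; the function starts and ends outside it.
```c
	/* Load client certificate (if provided) */
	if (zone->master->tls_auth_options->client_cert &&
		zone->master->tls_auth_options->client_key) {
		if (SSL_CTX_use_certificate_chain_file(set->ssl_ctx,
			zone->master->tls_auth_options->client_cert) != 1) {
			log_msg(LOG_ERR, "xfrd tls: Unable to load client certificate from file %s", zone->master->tls_auth_options->client_cert);
			/* mirror the preceding error path instead of handshaking without a cert */
			xfrd_set_refresh_now(zone);
			return 0;
		}
		/* … unchanged: password callback setup … */
		if (SSL_CTX_use_PrivateKey_file(set->ssl_ctx, zone->master->tls_auth_options->client_key, SSL_FILETYPE_PEM) != 1
		|| SSL_CTX_check_private_key(set->ssl_ctx) != 1) {
			log_msg(LOG_ERR, "xfrd tls: Unable to load private key from file %s (or it does not match the certificate)", zone->master->tls_auth_options->client_key);
			xfrd_set_refresh_now(zone);
			return 0;
		}
	} else if (zone->master->tls_auth_options->client_cert ||
		zone->master->tls_auth_options->client_key) {
		log_msg(LOG_WARNING, "xfrd tls: both client-cert and client-key are required for mutual TLS, ignoring the one that is set");
	}
```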
tp->handshake_done = 0;
if(!ssl_handshake(tp)) {
if(tp->handshake_want == SSL_ERROR_SYSCALL) {
daemon_remote_delete(xfrd->nsd->rc); /* ssl-delete secret keys */
if (xfrd->nsd->tls_ctx)
SSL_CTX_free(xfrd->nsd->tls_ctx);
+# ifdef HAVE_TLS_1_3
+ if (xfrd->tcp_set->ssl_ctx)
+ SSL_CTX_free(xfrd->tcp_set->ssl_ctx);
+# endif
#endif
#ifdef USE_DNSTAP
dt_collector_close(nsd.dt_collector, &nsd);