From a904e10382628c737f903abd24b9073d85e51e87 Mon Sep 17 00:00:00 2001 From: florian Date: Sun, 24 Oct 2021 12:14:18 +0000 Subject: [PATCH] Update to 4.3.8. OK sthen --- usr.sbin/nsd/acx_nlnetlabs.m4 | 61 +++++++++---- usr.sbin/nsd/config.h.in | 18 ++++ usr.sbin/nsd/configlexer.lex | 3 + usr.sbin/nsd/configparser.y | 18 +++- usr.sbin/nsd/configure | 151 +++++++++++++++++++++++++++----- usr.sbin/nsd/configure.ac | 53 +++++++++-- usr.sbin/nsd/dname.c | 1 + usr.sbin/nsd/doc/ChangeLog | 65 ++++++++++++++ usr.sbin/nsd/doc/RELNOTES | 26 ++++++ usr.sbin/nsd/iterated_hash.c | 35 ++++++++ usr.sbin/nsd/namedb.c | 7 +- usr.sbin/nsd/nsd-checkconf.8.in | 2 +- usr.sbin/nsd/nsd-checkzone.8.in | 2 +- usr.sbin/nsd/nsd-control.8.in | 17 ++-- usr.sbin/nsd/nsd-control.c | 6 +- usr.sbin/nsd/nsd.8.in | 4 +- usr.sbin/nsd/nsd.conf.5.in | 22 ++++- usr.sbin/nsd/nsd.conf.sample.in | 5 ++ usr.sbin/nsd/nsec3.c | 19 ++-- usr.sbin/nsd/options.c | 2 +- usr.sbin/nsd/options.h | 3 + usr.sbin/nsd/query.c | 1 + usr.sbin/nsd/radtree.c | 2 +- usr.sbin/nsd/server.c | 11 ++- usr.sbin/nsd/tsig-openssl.c | 4 +- usr.sbin/nsd/xfrd-tcp.c | 27 ++++++ usr.sbin/nsd/xfrd.c | 4 + 27 files changed, 497 insertions(+), 72 deletions(-) diff --git a/usr.sbin/nsd/acx_nlnetlabs.m4 b/usr.sbin/nsd/acx_nlnetlabs.m4 index 7ce79070805..1574f97bfe0 100644 --- a/usr.sbin/nsd/acx_nlnetlabs.m4 +++ b/usr.sbin/nsd/acx_nlnetlabs.m4 @@ -2,7 +2,11 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 40 +# Version 43 +# 2021-08-17 fix sed script in ssldir split handling. +# 2021-08-17 fix for openssl to detect split version, with ssldir_include +# and ssldir_lib output directories. +# 2021-07-30 fix for openssl use of lib64 directory. # 2021-06-14 fix nonblocking test to use host instead of target for mingw test. # 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for # 64bit compatibility. 
@@ -646,6 +650,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [ withval=$1 if test x_$withval != x_no; then AC_MSG_CHECKING(for SSL) + if test -n "$withval"; then + dnl look for openssl install with different version, eg. + dnl in /usr/include/openssl11/openssl/ssl.h + dnl and /usr/lib64/openssl11/libssl.so + dnl with the --with-ssl=/usr/include/openssl11 + if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then + ssldir="$withval" + found_ssl="yes" + withval="" + ssldir_include="$ssldir" + dnl find the libdir + ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or "/usr/include/openssl11"]) + fi + fi + fi + fi if test x_$withval = x_ -o x_$withval = x_yes; then withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr" fi @@ -653,12 +681,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [ ssldir="$dir" if test -f "$dir/include/openssl/ssl.h"; then found_ssl="yes" - AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.]) - dnl assume /usr/include is already in the include-path. - if test "$ssldir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$ssldir/include" - LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include" - fi + ssldir_include="$ssldir/include" + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then + ssldir_lib="$ssldir/lib64" + else + ssldir_lib="$ssldir/lib" + fi break; fi done 
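Review bot: The lib directory for the new split-layout case is derived with `sed -e 's/include/lib/'`, which rewrites the first "include" substring anywhere in the path rather than the path component, so a prefix like `/opt/include-tools/include/openssl11` becomes `/opt/lib-tools/include/openssl11`, and whatever directory results is then handed to LDFLAGS and to ACX_RUNTIME_PATH_ADD (a search path embedded in the binary) in the next hunk. Anchoring the substitution to a directory component, `sed -e 's|/include$|/lib|' -e 's|/include/|/lib/|'`, and quoting the variable, `echo "$ssldir"`, keeps both the libssl probe and the embedded path pointed at the directory the user actually named. The lib64 fallback a few lines down repeats the same derivation and needs the same change. The rest of ACX_SSL_CHECKS continues outside the hunk.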
@@ -666,13 +694,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [ AC_MSG_ERROR(Cannot find the SSL libraries in $withval) else AC_MSG_RESULT(found in $ssldir) + AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.]) HAVE_SSL=yes - dnl assume /usr is already in the lib and dynlib paths. - if test "$ssldir" != "/usr" -a "$ssldir" != ""; then - LDFLAGS="$LDFLAGS -L$ssldir/lib" - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" - ACX_RUNTIME_PATH_ADD([$ssldir/lib]) - fi + dnl assume /usr is already in the include, lib and dynlib paths. + if test "$ssldir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$ssldir_include" + LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include" + LDFLAGS="$LDFLAGS -L$ssldir_lib" + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib" + ACX_RUNTIME_PATH_ADD([$ssldir_lib]) + fi AC_MSG_CHECKING([for EVP_sha256 in -lcrypto]) LIBS="$LIBS -lcrypto" @@ -751,7 +782,7 @@ dnl AC_DEFUN([ACX_WITH_SSL], [ AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl - /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[ + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[ ],[ withval="yes" ]) @@ -769,7 +800,7 @@ dnl AC_DEFUN([ACX_WITH_SSL_OPTIONAL], [ AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl - /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[ + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[ ],[ withval="yes" ]) diff --git a/usr.sbin/nsd/config.h.in b/usr.sbin/nsd/config.h.in index c4cd67f7dfe..34a89602063 100644 --- a/usr.sbin/nsd/config.h.in +++ b/usr.sbin/nsd/config.h.in 
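Review bot: The merged flag block drops the `-a "$ssldir" != ""` guard the old LDFLAGS branch had, so an empty ssldir would now expand to bare `-I` and `-L` options, which make the compiler and linker swallow their next argument as a directory. In the visible flow ssldir is always non-empty once HAVE_SSL=yes, so this is defensive, but `if test "$ssldir" != "/usr" -a -n "$ssldir"; then` keeps the old safety at no cost. Note that ACX_RUNTIME_PATH_ADD embeds `$ssldir_lib` into the binary's runtime library search path, so for the split layout that is whatever directory the sed derivation in the previous hunk produced — another reason to keep that derivation strict. ACX_SSL_CHECKS continues outside the hunk.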
@@ -31,6 +31,12 @@ /* Pathname to the NSD database */ #undef DBFILE +/* Whether ERR_load_SSL_strings is deprecated */ +#undef DEPRECATED_ERR_LOAD_SSL_STRINGS + +/* Whether SHA1_Init is deprecated */ +#undef DEPRECATED_SHA1_INIT + /* default dnstap socket path */ #undef DNSTAP_SOCKET_PATH @@ -127,6 +133,9 @@ /* Define to 1 if you have the `ERR_load_crypto_strings' function. */ #undef HAVE_ERR_LOAD_CRYPTO_STRINGS +/* Define to 1 if you have the `ERR_load_SSL_strings' function. */ +#undef HAVE_ERR_LOAD_SSL_STRINGS + /* Define to 1 if you have the `event_base_free' function. */ #undef HAVE_EVENT_BASE_FREE @@ -145,6 +154,9 @@ /* Define to 1 if you have the `EVP_cleanup' function. */ #undef HAVE_EVP_CLEANUP +/* Define to 1 if you have the `EVP_MAC_CTX_get_mac_size' function. */ +#undef HAVE_EVP_MAC_CTX_GET_MAC_SIZE + /* Define to 1 if you have the `EVP_MAC_CTX_new' function. */ #undef HAVE_EVP_MAC_CTX_NEW @@ -338,6 +350,9 @@ /* Define to 1 if you have the `setusercontext' function. */ #undef HAVE_SETUSERCONTEXT +/* Define to 1 if you have the `SHA1_Init' function. */ +#undef HAVE_SHA1_INIT + /* Define to 1 if you have the `sigaction' function. */ #undef HAVE_SIGACTION @@ -359,6 +374,9 @@ /* Define to 1 if you have the `SSL_CTX_set_security_level' function. */ #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL +/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */ +#undef HAVE_SSL_GET1_PEER_CERTIFICATE + /* Define to 1 if you have the header file. */ #undef HAVE_STDARG_H diff --git a/usr.sbin/nsd/configlexer.lex b/usr.sbin/nsd/configlexer.lex index 6d4933de381..d5fcd58b7f6 100644 --- a/usr.sbin/nsd/configlexer.lex +++ b/usr.sbin/nsd/configlexer.lex 
@@ -242,6 +242,9 @@ outgoing-interface{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_OUTGOING_INTE allow-axfr-fallback{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALLOW_AXFR_FALLBACK;} tls-auth{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH;} auth-domain-name{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_DOMAIN_NAME;} +client-cert{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_CERT;} +client-key{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_KEY;} +client-key-pw{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_KEY_PW;} key{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_KEY;} algorithm{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALGORITHM;} secret{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SECRET;} diff --git a/usr.sbin/nsd/configparser.y b/usr.sbin/nsd/configparser.y index 6b369cad35d..6642a6f544c 100644 --- a/usr.sbin/nsd/configparser.y +++ b/usr.sbin/nsd/configparser.y @@ -149,6 +149,9 @@ static int parse_range(const char *str, long long *low, long long *high); /* xot auth */ %token VAR_TLS_AUTH %token VAR_TLS_AUTH_DOMAIN_NAME +%token VAR_TLS_AUTH_CLIENT_CERT +%token VAR_TLS_AUTH_CLIENT_KEY +%token VAR_TLS_AUTH_CLIENT_KEY_PW /* pattern */ %token VAR_PATTERN @@ -672,7 +675,20 @@ tls_auth_option: | VAR_TLS_AUTH_DOMAIN_NAME STRING { cfg_parser->tls_auth->auth_domain_name = region_strdup(cfg_parser->opt->region, $2); - }; + } + | VAR_TLS_AUTH_CLIENT_CERT STRING + { + cfg_parser->tls_auth->client_cert = region_strdup(cfg_parser->opt->region, $2); + } + | VAR_TLS_AUTH_CLIENT_KEY STRING + { + cfg_parser->tls_auth->client_key = region_strdup(cfg_parser->opt->region, $2); + } + | VAR_TLS_AUTH_CLIENT_KEY_PW STRING + { + cfg_parser->tls_auth->client_key_pw = region_strdup(cfg_parser->opt->region, $2); + } + ; key: VAR_KEY diff --git a/usr.sbin/nsd/configure b/usr.sbin/nsd/configure index 156d6467332..4f8d1ccaddd 100644 --- a/usr.sbin/nsd/configure +++ b/usr.sbin/nsd/configure 
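Review bot: The grammar accepts `client-cert`, `client-key` and `client-key-pw` independently, so a tls-auth block with a certificate but no key, or a passphrase with no key, parses cleanly and can only fail later, presumably when the XoT connection is set up; a check when the tls-auth block closes, `if(cfg_parser->tls_auth->client_cert && !cfg_parser->tls_auth->client_key) yyerror("client-cert requires client-key");` (and the converse, using the parser's own error helper if it is not yyerror), would surface the mistake in nsd-checkconf instead. The closing action for the tls-auth block is outside this hunk, so I cannot tell whether such a check already exists there. The passphrase is kept with region_strdup like any other string, which means it lives in the config region for the process lifetime; that matches how TSIG secrets are handled in this parser, but the three new actions deserve a one-line comment that flags the third value as a secret, e.g. `/* mutual TLS: client cert and key paths, and the (secret) key passphrase */`.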
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for NSD 4.3.7. +# Generated by GNU Autoconf 2.69 for NSD 4.3.8. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='NSD' PACKAGE_TARNAME='nsd' -PACKAGE_VERSION='4.3.7' -PACKAGE_STRING='NSD 4.3.7' +PACKAGE_VERSION='4.3.8' +PACKAGE_STRING='NSD 4.3.8' PACKAGE_BUGREPORT='nsd-bugs@nlnetlabs.nl' PACKAGE_URL='' @@ -1328,7 +1328,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures NSD 4.3.7 to adapt to many kinds of systems. +\`configure' configures NSD 4.3.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1390,7 +1390,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of NSD 4.3.7:";; + short | recursive ) echo "Configuration of NSD 4.3.8:";; esac cat <<\_ACEOF @@ -1563,7 +1563,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -NSD configure 4.3.7 +NSD configure 4.3.8 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2272,7 +2272,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by NSD $as_me 4.3.7, which was +It was created by NSD $as_me 4.3.8, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ 
@@ -9351,6 +9351,26 @@ fi if test x_$withval != x_no; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5 $as_echo_n "checking for SSL... " >&6; } + if test -n "$withval"; then + if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then + ssldir="$withval" + found_ssl="yes" + withval="" + ssldir_include="$ssldir" + CPPFLAGS="$CPPFLAGS -I$ssldir_include"; + ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + as_fn_error $? "Could not find openssl lib file, $ssldir_lib/libssl.so,a, pass like \"/usr/local\" or \"/usr/include/openssl11\"" "$LINENO" 5 + fi + fi + fi + fi if test x_$withval = x_ -o x_$withval = x_yes; then withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw /usr/local /usr /usr/local/opt/openssl" fi @@ -9358,14 +9378,15 @@ $as_echo_n "checking for SSL... " >&6; } ssldir="$dir" if test -f "$dir/include/openssl/ssl.h"; then found_ssl="yes"; - -cat >>confdefs.h <<_ACEOF -#define HAVE_SSL /**/ -_ACEOF - if test x_$ssldir != x_/usr; then CPPFLAGS="$CPPFLAGS -I$ssldir/include"; fi + ssldir_include="$ssldir/include" + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then + ssldir_lib="$ssldir/lib64" + else + ssldir_lib="$ssldir/lib" + fi break; fi done @@ -9375,11 +9396,16 @@ _ACEOF { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" >&5 $as_echo "found in $ssldir" >&6; } HAVE_SSL=yes + +cat >>confdefs.h <<_ACEOF +#define HAVE_SSL /**/ +_ACEOF + if test x_$ssldir != x_/usr; then - LDFLAGS="$LDFLAGS -L$ssldir/lib"; + LDFLAGS="$LDFLAGS -L$ssldir_lib"; fi if test x_$ssldir = x_/usr/sfw; then - LDFLAGS="$LDFLAGS -R$ssldir/lib"; + LDFLAGS="$LDFLAGS -R$ssldir_lib"; fi fi 
@@ -9614,7 +9640,7 @@ fi done - for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params + for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params EVP_MAC_CTX_get_mac_size SHA1_Init do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -9626,6 +9652,47 @@ _ACEOF fi done + if test "$ac_cv_func_SHA1_Init" = "yes"; then + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if SHA1_Init is deprecated" >&5 +$as_echo_n "checking if SHA1_Init is deprecated... " >&6; } +cache=`echo SHA1_Init | sed 'y%.=/+-%___p_%'` +if eval \${cv_cc_deprecated_$cache+:} false; then : + $as_echo_n "(cached) " >&6 +else + +echo ' +#include +' >conftest.c +echo 'void f(){ (void)SHA1_Init(NULL); }' >>conftest.c +if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then +eval "cv_cc_deprecated_$cache=no" +else +eval "cv_cc_deprecated_$cache=yes" +fi +rm -f conftest conftest.o conftest.c + +fi + +if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +cat >>confdefs.h <<_ACEOF +#define DEPRECATED_SHA1_INIT 1 +_ACEOF + +: + +else +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +: + +fi + + fi ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" "ac_cv_have_decl_SSL_CTX_set_ecdh_auto" " $ac_includes_default #ifdef HAVE_OPENSSL_ERR_H 
@@ -9701,17 +9768,59 @@ fi BAKLIBS="$LIBS" LIBS="-lssl $LIBS" - for ac_func in OPENSSL_init_ssl + for ac_func in OPENSSL_init_ssl SSL_get1_peer_certificate SSL_CTX_set_security_level ERR_load_SSL_strings do : - ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl" -if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF -#define HAVE_OPENSSL_INIT_SSL 1 +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done + if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ERR_load_SSL_strings is deprecated" >&5 +$as_echo_n "checking if ERR_load_SSL_strings is deprecated... " >&6; } +cache=`echo ERR_load_SSL_strings | sed 'y%.=/+-%___p_%'` +if eval \${cv_cc_deprecated_$cache+:} false; then : + $as_echo_n "(cached) " >&6 +else + +echo ' +#include +' >conftest.c +echo 'void f(){ (void)ERR_load_SSL_strings(); }' >>conftest.c +if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then +eval "cv_cc_deprecated_$cache=no" +else +eval "cv_cc_deprecated_$cache=yes" +fi +rm -f conftest conftest.o conftest.c + +fi + +if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +cat >>confdefs.h <<_ACEOF +#define DEPRECATED_ERR_LOAD_SSL_STRINGS 1 +_ACEOF + +: + +else +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +: + +fi + + fi LIBS="$BAKLIBS" else 
@@ -11046,7 +11155,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by NSD $as_me 4.3.7, which was +This file was extended by NSD $as_me 4.3.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -11108,7 +11217,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -NSD config.status 4.3.7 +NSD config.status 4.3.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/usr.sbin/nsd/configure.ac b/usr.sbin/nsd/configure.ac index 8449e510bdd..4c09bb363b9 100644 --- a/usr.sbin/nsd/configure.ac +++ b/usr.sbin/nsd/configure.ac @@ -5,7 +5,7 @@ dnl sinclude(acx_nlnetlabs.m4) sinclude(dnstap/dnstap.m4) -AC_INIT([NSD],[4.3.7],[nsd-bugs@nlnetlabs.nl]) +AC_INIT([NSD],[4.3.8],[nsd-bugs@nlnetlabs.nl]) AC_CONFIG_HEADERS([config.h]) # 
@@ -369,6 +369,31 @@ AC_DEFUN([CHECK_SSL], [ ]) if test x_$withval != x_no; then AC_MSG_CHECKING(for SSL) + if test -n "$withval"; then + dnl look for openssl install with different version, eg. + dnl in /usr/include/openssl11/openssl/ssl.h + dnl and /usr/lib64/openssl11/libssl.so + dnl with the --with-ssl=/usr/include/openssl11 + if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then + ssldir="$withval" + found_ssl="yes" + withval="" + ssldir_include="$ssldir" + CPPFLAGS="$CPPFLAGS -I$ssldir_include"; + dnl find the libdir + ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or "/usr/include/openssl11"]) + fi + fi + fi + fi if test x_$withval = x_ -o x_$withval = x_yes; then withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw /usr/local /usr /usr/local/opt/openssl" fi @@ -376,10 +401,15 @@ AC_DEFUN([CHECK_SSL], [ ssldir="$dir" if test -f "$dir/include/openssl/ssl.h"; then found_ssl="yes"; - AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.]) if test x_$ssldir != x_/usr; then CPPFLAGS="$CPPFLAGS -I$ssldir/include"; fi + ssldir_include="$ssldir/include" + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then + ssldir_lib="$ssldir/lib64" + else + ssldir_lib="$ssldir/lib" + fi break; fi done 
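Review bot: CHECK_SSL in configure.ac duplicates the split-directory detection just added to ACX_SSL_CHECKS in acx_nlnetlabs.m4, including the `sed -e 's/include/lib/'` step that rewrites the first "include" substring in the path rather than the directory component, so the two copies must receive the same fix (`sed -e 's|/include$|/lib|' -e 's|/include/|/lib/|'` with a quoted `echo "$ssldir"`) or, better, CHECK_SSL should call the shared macro so they cannot drift. This copy also adds `-I$ssldir_include` to CPPFLAGS right in the detection branch while the search loop below defers that to the `x_$ssldir != x_/usr` test, so the two code paths already disagree about where flags are appended. The rest of CHECK_SSL continues outside the hunk.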
@@ -388,11 +418,12 @@ AC_DEFUN([CHECK_SSL], [ else AC_MSG_RESULT([found in $ssldir]) HAVE_SSL=yes + AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.]) if test x_$ssldir != x_/usr; then - LDFLAGS="$LDFLAGS -L$ssldir/lib"; + LDFLAGS="$LDFLAGS -L$ssldir_lib"; fi if test x_$ssldir = x_/usr/sfw; then - LDFLAGS="$LDFLAGS -R$ssldir/lib"; + LDFLAGS="$LDFLAGS -R$ssldir_lib"; fi fi AC_SUBST(HAVE_SSL) @@ -1049,7 +1080,12 @@ if test x$HAVE_SSL = x"yes"; then SSL_LIBS="-lssl" AC_SUBST(SSL_LIBS) AC_CHECK_HEADERS([openssl/ssl.h openssl/err.h openssl/rand.h openssl/ocsp.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT]) - AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params]) + AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params EVP_MAC_CTX_get_mac_size SHA1_Init]) + if test "$ac_cv_func_SHA1_Init" = "yes"; then + ACX_FUNC_DEPRECATED([SHA1_Init], [(void)SHA1_Init(NULL);], [ +#include +]) + fi AC_CHECK_DECLS([SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H @@ -1076,7 +1112,12 @@ AC_INCLUDES_DEFAULT BAKLIBS="$LIBS" LIBS="-lssl $LIBS" - AC_CHECK_FUNCS([OPENSSL_init_ssl]) + AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_get1_peer_certificate SSL_CTX_set_security_level ERR_load_SSL_strings]) + if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then + ACX_FUNC_DEPRECATED([ERR_load_SSL_strings], [(void)ERR_load_SSL_strings();], [ +#include +]) + fi LIBS="$BAKLIBS" else diff --git a/usr.sbin/nsd/dname.c b/usr.sbin/nsd/dname.c index 6b8c812e5a6..487d2535a2b 100644 --- a/usr.sbin/nsd/dname.c +++ b/usr.sbin/nsd/dname.c 
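Review bot: ACX_FUNC_DEPRECATED, judging by its expansion in the generated configure earlier in this patch, decides by grepping the compiler's diagnostics for the English words "deprecated" and "unavailable", so a configure run under a non-English locale (gcc and clang translate their warnings) leaves DEPRECATED_SHA1_INIT and DEPRECATED_ERR_LOAD_SSL_STRINGS undefined and the code falls back to the deprecated calls — only a warning normally, a build failure with -Werror. The macro definition itself is not in this diff; its compile line should be run as `LC_ALL=C $CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1` so the match is stable. For the same reason a probe that fails to compile for an unrelated cause (missing header, bad CPPFLAGS) produces no match and reads as "not deprecated"; checking the compiler's exit status before grepping would separate the two cases.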
@@ -243,6 +243,7 @@ int dname_parse_wire(uint8_t* dname, const char* name) } *h = label_length; h = p; + p++; } /* Add root label. */ diff --git a/usr.sbin/nsd/doc/ChangeLog b/usr.sbin/nsd/doc/ChangeLog index 80b241c30ea..43c3b7bfd72 100644 --- a/usr.sbin/nsd/doc/ChangeLog +++ b/usr.sbin/nsd/doc/ChangeLog 
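Review bot: The added `p++` advances the write cursor past the slot just reserved for the next label's length byte, which per the ChangeLog corrects the returned wire-format length, but that also means any caller that compensated for the old off-by-one value, or sized a copy from it, now gets a different number — and a wire-format length is exactly the kind of value that ends up as a memcpy bound, so the callers (outside this diff) are worth auditing together with this fix. The loop header, the function's prologue and its return statement are all outside the hunk, so I am inferring the roles of `p` and `h` from the two visible assignments. A short comment would make the invariant explicit, e.g. `p++; /* skip the reserved length byte; h fills it in when the label ends */`.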
@@ -1,5 +1,70 @@ +7 October 2021: Wouter + - Set default for answer-cookie to no. Because in server deployments + with mixed server software, a default of yes causes issues. + - Tag for 4.3.8rc2, includes the new answer-cookie default. + +4 October 2021: Wouter + - Tag for 4.3.8rc1. + +29 September 2021: Wouter + - Fix unit tests for svcb and xot to not touch the default + zonelistfile. + - Fix unit test for xot tertiary config for zonelistfile default. + - Fix unit test for dns-cookies for no unshare, and allow-query + for no IPv6 loopback. + - Fix unit test allow query to check for IPv6. + +22 September 2021: Wouter + - Fix #194: Incorrect NSEC3 response for SOA query below delegation + point. + +13 September 2021: Wouter + - Fix compile failure with openssl 1.0.2. + +3 September 2021: Wouter + - Fix not reachable annotation in radix_find_prefix_node. + +31 August 2021: Willem + - Fix #191: dname_parse_wire() returns fqdn wireformat length. + +26 August 2021: Wouter + - Fix #190: NSD returns 3 NSEC3 records for NODATA response. + +23 August 2021: Wouter + - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion + `query->delegation_rrset' failed. + +17 August 2021: Wouter + - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7. + - Fix sed script in ssldir split handling. + +13 August 2021: Wouter + - Merge #187: Support using system-wide crypto policies. + +10 August 2021: Wouter + - Merge #185 by cesarkuroiwa: Mutual TLS. + - Fixes for #185: Document client-cert, client-key and client-key-pw + in the man page. Fix yacc semicolon. Fix unused variable warning. + Use strlcpy instead of strncpy. Fix spelling error in error + printout. + +2 August 2021: Wouter + - Quieter tpkg/do-tests shell script with -q flag. + - For #184: Note that all zones can be targeted by some nsd-control + commands in the man page. + +30 July 2021: Wouter + - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check. + - Fix to compile with OpenSSL 3.0.0beta2. 
+ - Fix configure detection of SSL_CTX_set_security_level. + - Fix deprecated functions use from openssl 3.0.0beta2. + +23 July 2021: Wouter + - Fix free on shutdown of XoT SSL context. + 22 July 2021: Wouter - tag 4.3.7 release, with the fixes between rc1 and this release. + - main branch continues for 4.3.8. 20 July 2021: Wouter - Fix typo in xfrd-tcp.c. diff --git a/usr.sbin/nsd/doc/RELNOTES b/usr.sbin/nsd/doc/RELNOTES index 054eb9b8f60..b7157bbc0a6 100644 --- a/usr.sbin/nsd/doc/RELNOTES +++ b/usr.sbin/nsd/doc/RELNOTES @@ -1,5 +1,31 @@ NSD RELEASE NOTES +4.3.8 +================ +FEATURES: + - Merge #185 by cesarkuroiwa: Mutual TLS. + - Set default for answer-cookie to no. Because in server deployments + with mixed server software, a default of yes causes issues. +BUG FIXES: + - Fix to compile with OpenSSL 3.0.0beta2. + - Fix configure detection of SSL_CTX_set_security_level. + - Fix deprecated functions use from openssl 3.0.0beta2. + - For #184: Note that all zones can be targeted by some nsd-control + commands in the man page. + - Fixes for #185: Document client-cert, client-key and client-key-pw + in the man page. Fix yacc semicolon. Fix unused variable warning. + Use strlcpy instead of strncpy. Fix spelling error in error + printout. + - Merge #187: Support using system-wide crypto policies. + - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7. + - Fix sed script in ssldir split handling. + - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion + `query->delegation_rrset' failed. + - Fix #190: NSD returns 3 NSEC3 records for NODATA response. + - Fix compile failure with openssl 1.0.2. + - Fix #194: Incorrect NSEC3 response for SOA query below delegation + point. + 4.3.7 ================ FEATURES: diff --git a/usr.sbin/nsd/iterated_hash.c b/usr.sbin/nsd/iterated_hash.c index e8606a3b06c..8c0d657598b 100644 --- a/usr.sbin/nsd/iterated_hash.c +++ b/usr.sbin/nsd/iterated_hash.c 
@@ -9,11 +9,16 @@ */ #include "config.h" #ifdef NSEC3 +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) #include +#else +#include +#endif #include #include #include "iterated_hash.h" +#include "util.h" int iterated_hash(unsigned char out[SHA_DIGEST_LENGTH], @@ -21,19 +26,49 @@ iterated_hash(unsigned char out[SHA_DIGEST_LENGTH], const unsigned char *in, int inlength, int iterations) { #if defined(NSEC3) && defined(HAVE_SSL) +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) SHA_CTX ctx; +#else + EVP_MD_CTX* ctx; +#endif int n; +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) +#else + ctx = EVP_MD_CTX_create(); + if(!ctx) { + log_msg(LOG_ERR, "out of memory in iterated_hash"); + return 0; + } +#endif assert(in && inlength > 0 && iterations >= 0); for(n=0 ; n <= iterations ; ++n) { +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) SHA1_Init(&ctx); SHA1_Update(&ctx, in, inlength); if(saltlength > 0) SHA1_Update(&ctx, salt, saltlength); SHA1_Final(out, &ctx); +#else + if(!EVP_DigestInit(ctx, EVP_sha1())) + log_msg(LOG_ERR, "iterated_hash could not EVP_DigestInit"); + + if(!EVP_DigestUpdate(ctx, in, inlength)) + log_msg(LOG_ERR, "iterated_hash could not EVP_DigestUpdate"); + if(saltlength > 0) { + if(!EVP_DigestUpdate(ctx, salt, saltlength)) + log_msg(LOG_ERR, "iterated_hash could not EVP_DigestUpdate salt"); + } + if(!EVP_DigestFinal_ex(ctx, out, NULL)) + log_msg(LOG_ERR, "iterated_hash could not EVP_DigestFinal_ex"); +#endif in=out; inlength=SHA_DIGEST_LENGTH; } +#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT) +#else + EVP_MD_CTX_destroy(ctx); +#endif return SHA_DIGEST_LENGTH; #else (void)out; (void)salt; (void)saltlength; diff --git a/usr.sbin/nsd/namedb.c b/usr.sbin/nsd/namedb.c index 06bef71147c..772e038b16d 100644 --- a/usr.sbin/nsd/namedb.c +++ b/usr.sbin/nsd/namedb.c 
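Review bot: In the EVP path of iterated_hash a failure of EVP_DigestInit, EVP_DigestUpdate or EVP_DigestFinal_ex is only logged; the loop carries on and the function still returns SHA_DIGEST_LENGTH, so the caller gets a success code with `out` holding stale bytes from the previous iteration or, on the first iteration, uninitialized memory that then becomes an NSEC3 hashed owner name. The allocation-failure path a few lines up already returns 0, so the digest failures should take the same exit: destroy the context and return 0 at the first failed call (I am assuming callers already treat 0 as failure, since the OOM path relies on that). The repeated `#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)` with an empty then-branch before `#else` is also hard to read; a single file-local `#define NSD_LEGACY_SHA1` (or its negation) evaluated once at the top would let each site test one name. The function's opening and its non-SSL tail are outside the hunk.
```c
	for(n=0 ; n <= iterations ; ++n) {
#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
		/* ... unchanged: SHA1_Init/SHA1_Update/SHA1_Final path ... */
#else
		/* Fail closed: a partial digest must not become an NSEC3
		 * owner name, so mirror the allocation-failure return above. */
		if(!EVP_DigestInit(ctx, EVP_sha1()) ||
		   !EVP_DigestUpdate(ctx, in, inlength) ||
		   (saltlength > 0 && !EVP_DigestUpdate(ctx, salt, saltlength)) ||
		   !EVP_DigestFinal_ex(ctx, out, NULL)) {
			log_msg(LOG_ERR, "iterated_hash: SHA1 EVP digest failed");
			EVP_MD_CTX_destroy(ctx);
			return 0;
		}
#endif
		in=out;
		inlength=SHA_DIGEST_LENGTH;
	}
```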
@@ -583,10 +583,13 @@ domain_find_ns_rrsets(domain_type* domain, zone_type* zone, rrset_type **ns) { /* return highest NS RRset in the zone that is a delegation above */ domain_type* result = NULL; + rrset_type* rrset = NULL; while (domain && domain != zone->apex) { - *ns = domain_find_rrset(domain, zone, TYPE_NS); - if (*ns) + rrset = domain_find_rrset(domain, zone, TYPE_NS); + if (rrset) { + *ns = rrset; result = domain; + } domain = domain->parent; } diff --git a/usr.sbin/nsd/nsd-checkconf.8.in b/usr.sbin/nsd/nsd-checkconf.8.in index 0a514e6dab0..62f0695577d 100644 --- a/usr.sbin/nsd/nsd-checkconf.8.in +++ b/usr.sbin/nsd/nsd-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-checkconf" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" +.TH "nsd\-checkconf" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" diff --git a/usr.sbin/nsd/nsd-checkzone.8.in b/usr.sbin/nsd/nsd-checkzone.8.in index 6b31cf9ea7a..76ac2fe2442 100644 --- a/usr.sbin/nsd/nsd-checkzone.8.in +++ b/usr.sbin/nsd/nsd-checkzone.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-checkzone" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" +.TH "nsd\-checkzone" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" .\" Copyright (c) 2014, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" diff --git a/usr.sbin/nsd/nsd-control.8.in b/usr.sbin/nsd/nsd-control.8.in index ecefed3051c..f7f338c70ae 100644 --- a/usr.sbin/nsd/nsd-control.8.in +++ b/usr.sbin/nsd/nsd-control.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-control" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" +.TH "nsd\-control" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" .\" Copyright (c) 2011, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" 
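Review bot: After the rewrite `*ns` is written only when an NS RRset is found, where the old loop overwrote it (possibly with NULL) on every step, so a caller that leaves its rrset pointer uninitialized and tests `*ns` instead of the returned domain will now read a stale value. Unless callers rely on `*ns` being preserved when no delegation exists, initializing the out-parameter once before the loop, `*ns = NULL;`, keeps the fix for #189 while making the not-found case well-defined; otherwise the contract should be stated in the header comment, e.g. `/* *ns is set only when a delegation is found; callers must test the return value */`. The function's signature and its return statement are outside the hunk.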
@@ -107,7 +107,8 @@ For bulk removals. Write zonefiles to disk, or the given zonefile to disk. Zones that have changed (via AXFR or IXFR) are written, or if the zonefile has not been created yet then it is created. Directory components of the zonefile -path are created if necessary. +path are created if necessary. With argument that zone is written if it +was modified, without argument, all modified zones are written. .TP .B notify [] Send NOTIFY messages to slave servers. Sends to the IP addresses @@ -116,7 +117,8 @@ server. Usually NSD sends NOTIFY messages right away when a master zone serial is updated. If a zone is given, notifies are sent for that zone. These slave servers are supposed to initiate a zone transfer request later (to this server or another master), this can be allowed via -the 'provide\-xfr:' acl list configuration. +the 'provide\-xfr:' acl list configuration. With argument that zone is +processed, without argument, all zones are processed. .TP .B transfer [] Attempt to update slave zones that are hosted on this server by contacting 
@@ -125,13 +127,15 @@ If a zone is given, that zone is updated. Usually NSD receives a NOTIFY from the masters (configured via 'allow\-notify:' acl list) that a new zone serial has to be transferred. For zones with no content, NSD may have backed off from asking often because the masters did not respond, but this command -will reset the backoff to its initial timeout, for frequent retries. +will reset the backoff to its initial timeout, for frequent retries. With +argument that zone is transferred, without argument, all zones are transferred. .TP .B force_transfer [] Force update slave zones that are hosted on this server. Even if the master hosts the same serial number of the zone, a full AXFR is performed to fetch it. If you want to use IXFR and check that the serial number -increases, use the 'transfer' command. +increases, use the 'transfer' command. With argument that zone is +transferred, without argument, all zones are transferred. .TP .B zonestatus [] Print state of the zone, the serial numbers and since when they have @@ -142,7 +146,8 @@ zone is up\-to\-date), 'expired' (slave zone has expired), 'refreshing' (slave zone has transfers active). The serial numbers printed are the 'served\-serial' (currently active), the 'commit\-serial' (is in reload), the 'notified\-serial' (got notify, busy fetching the data). The serial -numbers are only printed if such a serial number is available. +numbers are only printed if such a serial number is available. With argument +that zone is printed, without argument, all zones are printed. .TP .B serverpid Prints the PID of the server process. This is used for statistics (and diff --git a/usr.sbin/nsd/nsd-control.c b/usr.sbin/nsd/nsd-control.c index be615a2f915..528a58c3592 100644 --- a/usr.sbin/nsd/nsd-control.c +++ b/usr.sbin/nsd/nsd-control.c 
@@ -133,9 +133,7 @@ static void ssl_path_err(const char* s, const char *path) { unsigned long err; err = ERR_peek_error(); - if (ERR_GET_LIB(err) == ERR_LIB_SYS && - (ERR_GET_FUNC(err) == SYS_F_FOPEN || - ERR_GET_FUNC(err) == SYS_F_FREAD) ) { + if (ERR_GET_LIB(err) == ERR_LIB_SYS) { fprintf(stderr, "error: %s\n%s: %s\n", s, path, ERR_reason_error_string(err)); exit(1); @@ -532,7 +530,9 @@ int main(int argc, char* argv[]) #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS ERR_load_crypto_strings(); #endif +#if defined(HAVE_ERR_LOAD_SSL_STRINGS) && !defined(DEPRECATED_ERR_LOAD_SSL_STRINGS) ERR_load_SSL_strings(); +#endif #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) OpenSSL_add_all_algorithms(); #else diff --git a/usr.sbin/nsd/nsd.8.in b/usr.sbin/nsd/nsd.8.in index 443c0867e41..5c7f52e3311 100644 --- a/usr.sbin/nsd/nsd.8.in +++ b/usr.sbin/nsd/nsd.8.in @@ -1,9 +1,9 @@ -.TH "NSD" "8" "Jul 22, 2021" "NLnet Labs" "NSD 4.3.7" +.TH "NSD" "8" "Oct 12, 2021" "NLnet Labs" "NSD 4.3.8" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" .B nsd -\- Name Server Daemon (NSD) version 4.3.7. +\- Name Server Daemon (NSD) version 4.3.8. .SH "SYNOPSIS" .B nsd .RB [ \-4 ] diff --git a/usr.sbin/nsd/nsd.conf.5.in b/usr.sbin/nsd/nsd.conf.5.in index ad4bd542650..4ee4b1292f9 100644 --- a/usr.sbin/nsd/nsd.conf.5.in +++ b/usr.sbin/nsd/nsd.conf.5.in @@ -1,4 +1,4 @@ -.TH "nsd.conf" "5" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7" +.TH "nsd.conf" "5" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" @@ -494,7 +494,7 @@ With the value 0 the rate is unlimited. .TP .B answer\-cookie:\fR Enable to answer to requests containig DNS Cookies as specified in RFC7873. -Default is yes. +Default is no. .TP .B cookie\-secret:\fR <128 bit hex string> Servers in an anycast deployment need to be able to verify each other's DNS 
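Review bot: The narrowed test in ssl_path_err now treats any ERR_LIB_SYS error at the head of the queue as a problem with `path`, not just fopen/fread, which is the right call since ERR_GET_FUNC no longer carries function codes on OpenSSL 3.x (it yields 0 there) and the old test would never match, but the reason deserves a comment so the check is not reintroduced: `/* ERR_GET_FUNC() is 0 on OpenSSL 3.x; any SYS-library error here came from opening or reading path */`. Note that ERR_peek_error() returns 0 on an empty queue and ERR_GET_LIB(0) is not ERR_LIB_SYS, so the fall-through to whatever follows the hunk is unchanged. The rest of ssl_path_err continues outside the hunk.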
@@ -884,8 +884,24 @@ It has the following attributes. The tls-auth name. Used to refer to this TLS authentication information in the access control list. .TP -.B auth-domain-name:\fR +.B auth\-domain\-name:\fR The authentication domain name as defined in RFC8310. +.TP +.B client\-cert: +If you want to use mutual TLS authentication, this is where the client +certificates can be configured that NSD uses to connect to the upstream +server to download the zone. The client public key pem cert file can +be configured here. Also configure a private key with client\-key. +.TP +.B client\-key: +If you want to use mutual TLS authentication, the private key file can +be configured here for the client authentication. +.TP +.B client\-key\-pw: +If the client\-key file uses a password to decrypt the key before it can +be used, then the password can be specified here as a string. +It is possible to include other config files with the include: option, and +this can be used to move that sensitive data to another file, if you wish. .SS DNSTAP Logging Options DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section. This starts a collector process that writes the log information to the diff --git a/usr.sbin/nsd/nsd.conf.sample.in b/usr.sbin/nsd/nsd.conf.sample.in index 6077ccc85c9..9758c37b0c0 100644 --- a/usr.sbin/nsd/nsd.conf.sample.in +++ b/usr.sbin/nsd/nsd.conf.sample.in @@ -325,6 +325,11 @@ remote-control: # The authentication domain name as defined in RFC8310. #auth-domain-name: "example.com" + # Client certificate and private key for Mutual TLS authentication + #client-cert: "path/to/clientcert.pem" + #client-key: "path/to/clientkey.key" + #client-key-pw: "password" + # Patterns have zone configuration and they are shared by one or more zones. # # pattern: diff --git a/usr.sbin/nsd/nsec3.c b/usr.sbin/nsd/nsec3.c index 3cdd572932e..1075812a437 100644 --- a/usr.sbin/nsd/nsec3.c +++ b/usr.sbin/nsd/nsec3.c 
@@ -1053,12 +1053,21 @@ nsec3_add_ds_proof(struct query *query, struct answer *answer,
 !prev_par->nsec3->nsec3_is_exact);
 nsec3_add_rrset(query, answer, AUTHORITY_SECTION,
 prev_par->nsec3->nsec3_cover);
+} else {
+/* the exact case was handled earlier, so this is
+* with a closest-encloser proof, if in the part
+* before the else the closest encloser proof is done,
+* then we do not need to add a DS here because
+* the optout proof is already complete. If not,
+* we add the nsec3 here to complete the closest
+* encloser proof with a next closer */
+/* add optout range from parent zone */
+/* note: no check of optout bit, resolver checks it */
+if(domain->nsec3) {
+nsec3_add_rrset(query, answer, AUTHORITY_SECTION,
+domain->nsec3->nsec3_ds_parent_cover);
+}
 }
-/* add optout range from parent zone */
-/* note: no check of optout bit, resolver checks it */
-if(domain->nsec3)
-nsec3_add_rrset(query, answer, AUTHORITY_SECTION,
-domain->nsec3->nsec3_ds_parent_cover);
 }
 }
 
diff --git a/usr.sbin/nsd/options.c b/usr.sbin/nsd/options.c
index d8fe022b412..6411959e8c6 100644
--- a/usr.sbin/nsd/options.c
+++ b/usr.sbin/nsd/options.c
@@ -131,7 +131,7 @@ nsd_options_create(region_type* region)
 opt->tls_service_pem = NULL;
 opt->tls_port = TLS_PORT;
 opt->tls_cert_bundle = NULL;
-opt->answer_cookie = 1;
+opt->answer_cookie = 0;
 opt->cookie_secret = NULL;
 opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
 opt->control_enable = 0;
diff --git a/usr.sbin/nsd/options.h b/usr.sbin/nsd/options.h
index bb66acb03d5..f1c57aea2bf 100644
--- a/usr.sbin/nsd/options.h
+++ b/usr.sbin/nsd/options.h
@@ -340,6 +340,9 @@ struct tls_auth_options {
 rbnode_type node; /* key of tree is name */
 char* name;
 char* auth_domain_name;
+char* client_cert;
+char* client_key;
+char* client_key_pw;
 };
 
 /** zone list free space */
diff --git a/usr.sbin/nsd/query.c b/usr.sbin/nsd/query.c
index 44b6690ad67..d0fba064fab 100644
--- a/usr.sbin/nsd/query.c
+++ b/usr.sbin/nsd/query.c
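Review bot: The new comment at the top of the `else` branch in nsec3_add_ds_proof is a single seven-line run-on sentence, and the condition it describes (which earlier branch did or did not already complete the proof) is exactly what a reader needs to get quickly. A tighter form such as `/* Exact match was handled earlier. If the branches above already completed the closest-encloser proof no DS cover is needed; otherwise add the parent zone's opt-out cover for the DS name to complete it with a next closer. The opt-out bit is not checked here, the resolver checks it. */` keeps the same content in three lines and can absorb the two one-line comments that follow it. The branches it refers to and the start of nsec3_add_ds_proof lie above the hunk, so whether every earlier branch adds a covering NSEC3 cannot be confirmed from the lines shown.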
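Review bot: The three members added to `struct tls_auth_options` in options.h carry no comment, although the neighbouring `node` field does, and `client_key_pw` in particular holds a private-key passphrase as a plain `char*` for as long as the options region lives, which anyone scanning the struct should be told. Suggest `char* client_key_pw; /* passphrase for client_key, plaintext, owned by the options region */` plus one-line comments noting that `client_cert` and `client_key` are PEM file paths. Whether the passphrase string is cleared before the region is released is not visible in this diff.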
@@ -1424,6 +1424,7 @@ answer_lookup_zone(struct nsd *nsd, struct query *q, answer_type *answer, } if (!q->delegation_domain + || !q->delegation_rrset || (exact && q->qtype == TYPE_DS && closest_encloser == q->delegation_domain)) { if (q->qclass == CLASS_ANY) { diff --git a/usr.sbin/nsd/radtree.c b/usr.sbin/nsd/radtree.c index 4bd12a4e6e9..472e9c12898 100644 --- a/usr.sbin/nsd/radtree.c +++ b/usr.sbin/nsd/radtree.c @@ -175,7 +175,7 @@ static int radix_find_prefix_node(struct radtree* rt, uint8_t* k, *result = n; } /* cannot reach because of returns when !n above */ - /* ENOREACH */ + /* ENOTREACH */ return 1; } diff --git a/usr.sbin/nsd/server.c b/usr.sbin/nsd/server.c index c01f022a1c1..f7a2f53c60a 100644 --- a/usr.sbin/nsd/server.c +++ b/usr.sbin/nsd/server.c @@ -1823,7 +1823,9 @@ perform_openssl_init(void) #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS ERR_load_crypto_strings(); #endif +#if defined(HAVE_ERR_LOAD_SSL_STRINGS) && !defined(DEPRECATED_ERR_LOAD_SSL_STRINGS) ERR_load_SSL_strings(); +#endif #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) OpenSSL_add_all_algorithms(); #else @@ -1999,9 +2001,12 @@ server_tls_ctx_setup(char* key, char* pem, char* verifypem) } #endif #if defined(SHA256_DIGEST_LENGTH) && defined(SSL_TXT_CHACHA20) - /* if we have sha256, set the cipher list to have no known vulns */ - if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20")) - log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); + /* if we detect system-wide crypto policies, use those */ + if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) { + /* if we have sha256, set the cipher list to have no known vulns */ + if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20")) + log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); + } #endif if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & SSL_OP_CIPHER_SERVER_PREFERENCE) != 
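Review bot: In server_tls_ctx_setup the new `access( "/etc/crypto-policies/config", F_OK )` test silently skips the `ECDHE+AESGCM:ECDHE+CHACHA20` restriction whenever that file exists, so on a host with a system-wide policy the effective cipher list becomes whatever the library defaults to and nothing in the log records which path was taken. An `else` arm along the lines of `log_msg(LOG_INFO, "tls: system-wide crypto policy found, cipher list not overridden");` would make that deviation diagnosable, and the path string belongs in a named define rather than inline. The spacing inside `access( ... )` also differs from the surrounding `if(!SSL_CTX_set_cipher_list(...))` style. server_tls_ctx_setup starts and ends outside the hunk.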
diff --git a/usr.sbin/nsd/tsig-openssl.c b/usr.sbin/nsd/tsig-openssl.c
index 6cdf47990d0..fff0919c613 100644
--- a/usr.sbin/nsd/tsig-openssl.c
+++ b/usr.sbin/nsd/tsig-openssl.c
@@ -114,7 +114,9 @@ tsig_openssl_init_algorithm(region_type* region,
 #endif
 return 0;
 }
-#ifndef HAVE_EVP_MAC_CTX_NEW
+#ifdef HAVE_EVP_MAC_CTX_GET_MAC_SIZE
+algorithm->maximum_digest_size = EVP_MAC_CTX_get_mac_size(hmac_ctx);
+#elif !defined(HAVE_EVP_MAC_CTX_NEW)
 algorithm->maximum_digest_size = EVP_MD_size(hmac_algorithm);
 #else
 algorithm->maximum_digest_size = EVP_MAC_size(hmac_ctx);
diff --git a/usr.sbin/nsd/xfrd-tcp.c b/usr.sbin/nsd/xfrd-tcp.c
index 8668ed0981a..a71c1955cfb 100644
--- a/usr.sbin/nsd/xfrd-tcp.c
+++ b/usr.sbin/nsd/xfrd-tcp.c
@@ -124,6 +124,13 @@ ssl_handshake(struct xfrd_tcp_pipeline* tp)
 return 0;
 }
 
+
+int password_cb(char *buf, int size, int ATTR_UNUSED(rwflag), void *u)
+{
+strlcpy(buf, (char*)u, size);
+return strlen(buf);
+}
+
 #endif
 
 /* sort tcppipe, first on IP address, for an IPaddresss, sort on num_unused */
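Review bot: `password_cb` in xfrd-tcp.c never checks for truncation: `strlcpy` returns the full source length, so when the configured passphrase is longer than `size - 1` a silently truncated passphrase is returned and the key load later fails with an unrelated decrypt error. The pem_password_cb contract is to return the passphrase length or -1 on error, so the callback should return -1 when the copied length is `>= size` (and when `u` is NULL), and it should be `static`: nothing outside this file needs the symbol, and an unprototyped external `password_cb` is a name-clash hazard. `return strlen(buf);` also narrows `size_t` to `int` implicitly; the rewrite below returns the length `strlcpy` already computed.
```c
static int password_cb(char *buf, int size, int ATTR_UNUSED(rwflag), void *u)
{
	size_t len;
	if(!u || size <= 0)
		return -1;
	len = strlcpy(buf, (char*)u, (size_t)size);
	if(len >= (size_t)size)
		return -1; /* passphrase truncated, do not use it */
	return (int)len;
}
```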
@@ -170,6 +177,7 @@ struct xfrd_tcp_set* xfrd_tcp_set_create(struct region* region, const char *tls_ tls_cert_bundle); } #else + (void)tls_cert_bundle; log_msg(LOG_INFO, "xfrd: No TLS 1.3 support - XFR-over-TLS not available"); #endif for(i=0; imaster->tls_auth_options->client_cert && + zone->master->tls_auth_options->client_key) { + if (SSL_CTX_use_certificate_chain_file(set->ssl_ctx, + zone->master->tls_auth_options->client_cert) != 1) { + log_msg(LOG_ERR, "xfrd tls: Unable to load client certificate from file %s", zone->master->tls_auth_options->client_cert); + } + + if (zone->master->tls_auth_options->client_key_pw) { + SSL_CTX_set_default_passwd_cb(set->ssl_ctx, password_cb); + SSL_CTX_set_default_passwd_cb_userdata(set->ssl_ctx, zone->master->tls_auth_options->client_key_pw); + } + + if (SSL_CTX_use_PrivateKey_file(set->ssl_ctx, zone->master->tls_auth_options->client_key, SSL_FILETYPE_PEM) != 1) { + log_msg(LOG_ERR, "xfrd tls: Unable to load private key from file %s", zone->master->tls_auth_options->client_key); + } + } + tp->handshake_done = 0; if(!ssl_handshake(tp)) { if(tp->handshake_want == SSL_ERROR_SYSCALL) { diff --git a/usr.sbin/nsd/xfrd.c b/usr.sbin/nsd/xfrd.c index 6f5768f792d..c40e8ca57a5 100644 --- a/usr.sbin/nsd/xfrd.c +++ b/usr.sbin/nsd/xfrd.c @@ -402,6 +402,10 @@ xfrd_shutdown() daemon_remote_delete(xfrd->nsd->rc); /* ssl-delete secret keys */ if (xfrd->nsd->tls_ctx) SSL_CTX_free(xfrd->nsd->tls_ctx); +# ifdef HAVE_TLS_1_3 + if (xfrd->tcp_set->ssl_ctx) + SSL_CTX_free(xfrd->tcp_set->ssl_ctx); +# endif #endif #ifdef USE_DNSTAP dt_collector_close(nsd.dt_collector, &nsd); -- 2.20.1
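Review bot: The client certificate, private key and passphrase callback are installed on `set->ssl_ctx`, which from the xfrd_tcp_set_create hunk above appears to be the one context shared by the whole tcp set, yet they are taken from a single zone's `tls_auth_options`; once this runs, later connections through the same context, including to a master whose tls-auth configures no client-cert, present the last loaded identity and keep that zone's `client_key_pw` registered as default callback userdata. A failure of `SSL_CTX_use_certificate_chain_file` or `SSL_CTX_use_PrivateKey_file` is only logged and the code falls through to `ssl_handshake(tp)`, so the transfer proceeds with whatever identity was previously in the context instead of being refused. Consider a per-tls-auth SSL_CTX (or re-creating the shared one when the tls-auth differs from the one last loaded), treating a failed load as a connection failure, and checking the pair with `SSL_CTX_check_private_key` before use. The hunk header is garbled in this rendering, so the enclosing function's start cannot be confirmed from the lines shown.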