summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStuart Henderson <sthen@cvs.openbsd.org>2015-07-17 17:36:02 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2015-07-17 17:36:02 +0000
commit0648fda297cd0b072f32820e0229845c7a30e092 (patch)
tree1a7b872b8edab265582e9c62f2dfd1c5ceb0d501
parentcf3a99ef19172cd8a3dc0b09ff92a6197f532b13 (diff)
update to NSD 4.1.3, ok florian@, also tested by brad
-rw-r--r--usr.sbin/nsd/acx_nlnetlabs.m413
-rw-r--r--usr.sbin/nsd/configyyrename.h4
-rw-r--r--usr.sbin/nsd/dbaccess.c7
-rw-r--r--usr.sbin/nsd/dname.h2
-rw-r--r--usr.sbin/nsd/nsd-checkzone.8.in2
-rw-r--r--[-rwxr-xr-x]usr.sbin/nsd/nsd-control-setup.sh.in2
-rw-r--r--usr.sbin/nsd/nsd-control.c11
-rw-r--r--usr.sbin/nsd/nsd.h6
-rw-r--r--usr.sbin/nsd/packet.c54
-rw-r--r--usr.sbin/nsd/packet.h4
-rw-r--r--usr.sbin/nsd/radtree.c8
-rw-r--r--usr.sbin/nsd/region-allocator.h13
-rw-r--r--usr.sbin/nsd/tsig-openssl.c21
-rw-r--r--usr.sbin/nsd/tsig.h4
14 files changed, 126 insertions, 25 deletions
diff --git a/usr.sbin/nsd/acx_nlnetlabs.m4 b/usr.sbin/nsd/acx_nlnetlabs.m4
index e1cf83a70bd..decf0f58600 100644
--- a/usr.sbin/nsd/acx_nlnetlabs.m4
+++ b/usr.sbin/nsd/acx_nlnetlabs.m4
@@ -2,7 +2,8 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
-# Version 26
+# Version 27
+# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
# 2013-09-19 FLTO help text improved.
# 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
# 2013-06-25 FLTO has --disable-flto option.
@@ -1213,6 +1214,16 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result);
#endif
])
+dnl provide reallocarray compat prototype.
+dnl $1: unique name for compat code
+AC_DEFUN([AHX_CONFIG_REALLOCARRAY],
+[
+#ifndef HAVE_REALLOCARRAY
+#define reallocarray reallocarray$1
+void* reallocarray(void *ptr, size_t nmemb, size_t size);
+#endif
+])
+
dnl provide w32 compat definition for sleep
AC_DEFUN([AHX_CONFIG_W32_SLEEP],
[
diff --git a/usr.sbin/nsd/configyyrename.h b/usr.sbin/nsd/configyyrename.h
index 6beb810aa8e..a637f41d229 100644
--- a/usr.sbin/nsd/configyyrename.h
+++ b/usr.sbin/nsd/configyyrename.h
@@ -104,7 +104,9 @@
#define yy_accept c__accept
#define yy_c_buf_p c__c_buf_p
#define yy_chk c__chk
-#define yy_current_buffer c__current_buffer
+#ifndef LEX_DEFINES_YY_CURRENT_BUFFER
+# define yy_current_buffer c__current_buffer
+#endif
#define yy_def c__def
#define yy_did_buffer_switch_on_eof c__did_buffer_switch_on_eof
#define yy_ec c__ec
diff --git a/usr.sbin/nsd/dbaccess.c b/usr.sbin/nsd/dbaccess.c
index ad15448038a..4e11977d6bd 100644
--- a/usr.sbin/nsd/dbaccess.c
+++ b/usr.sbin/nsd/dbaccess.c
@@ -156,8 +156,8 @@ read_rrset(udb_base* udb, namedb_type* db, zone_type* zone,
rrset = (rrset_type *) region_alloc(db->region, sizeof(rrset_type));
rrset->zone = zone;
rrset->rr_count = calculate_rr_count(udb, urrset);
- rrset->rrs = (rr_type *) region_alloc(
- db->region, rrset->rr_count * sizeof(rr_type));
+ rrset->rrs = (rr_type *) region_alloc_array(
+ db->region, rrset->rr_count, sizeof(rr_type));
/* add the RRs */
udb_ptr_new(&urr, udb, &RRSET(urrset)->rrs);
for(i=0; i<rrset->rr_count; i++) {
@@ -288,6 +288,7 @@ namedb_zone_delete(namedb_type* db, zone_type* zone)
/* see if apex can be deleted */
if(zone->apex) {
zone->apex->usage --;
+ zone->apex->is_apex = 0;
if(zone->apex->usage == 0) {
/* delete the apex, possibly */
domain_table_deldomain(db, zone->apex);
@@ -607,7 +608,7 @@ namedb_read_zonefile(struct nsd* nsd, struct zone* zone, udb_base* taskudb,
zone->logstr = NULL;
}
} else {
- VERBOSITY(1, (LOG_INFO, "zone %s read with no errors",
+ VERBOSITY(1, (LOG_INFO, "zone %s read with success",
zone->opts->name));
zone->is_ok = 1;
zone->is_changed = 0;
diff --git a/usr.sbin/nsd/dname.h b/usr.sbin/nsd/dname.h
index a9aa15ad177..060afff5b15 100644
--- a/usr.sbin/nsd/dname.h
+++ b/usr.sbin/nsd/dname.h
@@ -217,7 +217,7 @@ static inline size_t
dname_total_size(const dname_type *dname)
{
return (sizeof(dname_type)
- + ((dname->label_count + dname->name_size)
+ + ((((size_t)dname->label_count) + ((size_t)dname->name_size))
* sizeof(uint8_t)));
}
diff --git a/usr.sbin/nsd/nsd-checkzone.8.in b/usr.sbin/nsd/nsd-checkzone.8.in
index 7a19e1677be..648eb8784e5 100644
--- a/usr.sbin/nsd/nsd-checkzone.8.in
+++ b/usr.sbin/nsd/nsd-checkzone.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-checkzone" "8" "Feb 3, 2015" "NLnet Labs" "nsd 4.1.1"
+.TH "nsd\-checkzone" "8" "Jun 23, 2015" "NLnet Labs" "nsd 4.1.3"
.\" Copyright (c) 2014, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
diff --git a/usr.sbin/nsd/nsd-control-setup.sh.in b/usr.sbin/nsd/nsd-control-setup.sh.in
index a774717a740..b39c11ce722 100755..100644
--- a/usr.sbin/nsd/nsd-control-setup.sh.in
+++ b/usr.sbin/nsd/nsd-control-setup.sh.in
@@ -46,7 +46,7 @@ CLIENTNAME=nsd-control
DAYS=7200
# size of keys in bits
-BITS=1536
+BITS=3072
# hash algorithm
HASH=sha256
diff --git a/usr.sbin/nsd/nsd-control.c b/usr.sbin/nsd/nsd-control.c
index 2547489eb27..3b6e6526ab9 100644
--- a/usr.sbin/nsd/nsd-control.c
+++ b/usr.sbin/nsd/nsd-control.c
@@ -84,6 +84,8 @@ usage()
printf(" stats_noreset peek at statistics\n");
printf(" addzone <name> <pattern> add a new zone\n");
printf(" delzone <name> remove a zone\n");
+ printf(" addzones add zone list on stdin {name space pattern newline}\n");
+ printf(" delzones remove zone list on stdin {name newline}\n");
printf(" write [<zone>] write changed zonefiles to disk\n");
printf(" notify [<zone>] send NOTIFY messages to slave servers\n");
printf(" transfer [<zone>] try to update slave zones to newer serial\n");
@@ -253,10 +255,14 @@ setup_ssl(SSL_CTX* ctx, int fd)
static void
send_file(SSL* ssl, FILE* in, char* buf, size_t sz)
{
+ char e[] = {0x04, 0x0a};
while(fgets(buf, (int)sz, in)) {
if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0)
ssl_err("could not SSL_write contents");
}
+ /* send end-of-file marker */
+ if(SSL_write(ssl, e, (int)sizeof(e)) <= 0)
+ ssl_err("could not SSL_write end-of-file marker");
}
/** send command and display result */
@@ -281,8 +287,9 @@ go_cmd(SSL* ssl, int argc, char* argv[])
if(SSL_write(ssl, newline, (int)strlen(newline)) <= 0)
ssl_err("could not SSL_write");
- /* TODO remove or use file upload */
- if(argc == 1 && strcmp(argv[0], "load_cache") == 0) {
+ /* send contents to server */
+ if(argc == 1 && (strcmp(argv[0], "addzones") == 0 ||
+ strcmp(argv[0], "delzones") == 0)) {
send_file(ssl, stdin, buf, sizeof(buf));
}
diff --git a/usr.sbin/nsd/nsd.h b/usr.sbin/nsd/nsd.h
index 121e01ad91a..7fd805e3746 100644
--- a/usr.sbin/nsd/nsd.h
+++ b/usr.sbin/nsd/nsd.h
@@ -248,6 +248,10 @@ struct nsd
/* current zonestat array to use */
struct nsdst* zonestatnow;
#endif /* BIND8_STATS */
+ /* ratelimit for errors, time value */
+ time_t err_limit_time;
+ /* ratelimit for errors, packet count */
+ unsigned int err_limit_count;
struct nsd_options* options;
};
@@ -272,6 +276,8 @@ struct event_base* nsd_child_event_base(void);
/* extra domain numbers for temporary domains */
#define EXTRA_DOMAIN_NUMBERS 1024
#define SLOW_ACCEPT_TIMEOUT 2 /* in seconds */
+/* ratelimit for error responses */
+#define ERROR_RATELIMIT 100 /* qps */
/* allocate zonestat structures */
void server_zonestat_alloc(struct nsd* nsd);
/* remap the mmaps for zonestat isx, to bytesize sz. Caller has to set
diff --git a/usr.sbin/nsd/packet.c b/usr.sbin/nsd/packet.c
index 08d91b269d7..b0699d67747 100644
--- a/usr.sbin/nsd/packet.c
+++ b/usr.sbin/nsd/packet.c
@@ -342,3 +342,57 @@ int packet_read_query_section(buffer_type *packet,
*qclass = buffer_read_u16(packet);
return 1;
}
+
+int packet_find_notify_serial(buffer_type *packet, uint32_t* serial)
+{
+ size_t saved_position = buffer_position(packet);
+ /* count of further RRs after question section */
+ size_t rrcount = ANCOUNT(packet) + NSCOUNT(packet) + ARCOUNT(packet);
+ size_t i;
+ buffer_set_position(packet, QHEADERSZ);
+
+ /* skip all question RRs */
+ for (i = 0; i < QDCOUNT(packet); ++i) {
+ if (!packet_skip_rr(packet, 1)) {
+ buffer_set_position(packet, saved_position);
+ return 0;
+ }
+ }
+
+ /* Find the SOA RR */
+ for(i = 0; i < rrcount; i++) {
+ uint16_t rdata_size;
+ if (!packet_skip_dname(packet))
+ break;
+ /* check length available for type,class,ttl,rdatalen */
+ if (!buffer_available(packet, 10))
+ break;
+ /* check type, class */
+ if(buffer_read_u16(packet) == TYPE_SOA) {
+ if(buffer_read_u16(packet) != CLASS_IN)
+ break;
+ buffer_skip(packet, 4); /* skip ttl */
+ rdata_size = buffer_read_u16(packet);
+ if (!buffer_available(packet, rdata_size))
+ break;
+ /* skip two dnames, then serial */
+ if (!packet_skip_dname(packet) ||
+ !packet_skip_dname(packet))
+ break;
+ if (!buffer_available(packet, 4))
+ break;
+ *serial = buffer_read_u32(packet);
+ buffer_set_position(packet, saved_position);
+ return 1;
+ }
+ /* continue to next RR */
+ buffer_skip(packet, 6);
+ rdata_size = buffer_read_u16(packet);
+ if (!buffer_available(packet, rdata_size))
+ break;
+ buffer_skip(packet, rdata_size);
+ }
+ /* failed to find SOA */
+ buffer_set_position(packet, saved_position);
+ return 0;
+}
diff --git a/usr.sbin/nsd/packet.h b/usr.sbin/nsd/packet.h
index b07c6204c5c..27ea9367d67 100644
--- a/usr.sbin/nsd/packet.h
+++ b/usr.sbin/nsd/packet.h
@@ -196,4 +196,8 @@ int packet_read_query_section(buffer_type *packet,
uint16_t* qtype,
uint16_t* qclass);
+/* read notify SOA serial from packet. buffer position is unmodified on return.
+ * returns false on no-serial found or parse failure. */
+int packet_find_notify_serial(buffer_type *packet, uint32_t* serial);
+
#endif /* _PACKET_H_ */
diff --git a/usr.sbin/nsd/radtree.c b/usr.sbin/nsd/radtree.c
index 014d23908aa..8ca4a5bd5ba 100644
--- a/usr.sbin/nsd/radtree.c
+++ b/usr.sbin/nsd/radtree.c
@@ -189,7 +189,7 @@ radnode_array_grow(struct region* region, struct radnode* n, unsigned want)
if(ns > 256) ns = 256;
/* we do not use realloc, because we want to keep the old array
* in case alloc fails, so that the tree is still usable */
- a = (struct radsel*)region_alloc(region, ns*sizeof(struct radsel));
+ a = (struct radsel*)region_alloc_array(region, ns, sizeof(struct radsel));
if(!a) return 0;
assert(n->len <= n->capacity);
assert(n->capacity < ns);
@@ -670,8 +670,8 @@ static void
radnode_array_reduce_if_needed(struct region* region, struct radnode* n)
{
if(n->len <= n->capacity/2 && n->len != n->capacity) {
- struct radsel* a = (struct radsel*)region_alloc(region,
- sizeof(*a)*n->len);
+ struct radsel* a = (struct radsel*)region_alloc_array(region,
+ sizeof(*a), n->len);
if(!a) return;
memcpy(a, n->array, sizeof(*a)*n->len);
region_recycle(region, n->array, n->capacity*sizeof(*a));
@@ -953,6 +953,7 @@ struct radnode* radix_last(struct radtree* rt)
struct radnode* radix_next(struct radnode* n)
{
+ if(!n) return NULL;
if(n->len) {
/* go down */
struct radnode* s = radnode_first_in_subtree(n);
@@ -982,6 +983,7 @@ struct radnode* radix_next(struct radnode* n)
struct radnode* radix_prev(struct radnode* n)
{
+ if(!n) return NULL;
/* must go up, since all array nodes are after this node */
while(n->parent) {
uint8_t idx = n->pidx;
diff --git a/usr.sbin/nsd/region-allocator.h b/usr.sbin/nsd/region-allocator.h
index 7a7bfe96f2a..d525a2b05bc 100644
--- a/usr.sbin/nsd/region-allocator.h
+++ b/usr.sbin/nsd/region-allocator.h
@@ -88,6 +88,8 @@ void region_remove_cleanup(region_type *region,
*/
void *region_alloc(region_type *region, size_t size);
+/** Allocate array with integer overflow checks, in region */
+void *region_alloc_array(region_type *region, size_t num, size_t size);
/*
* Allocate SIZE bytes of memory inside REGION and copy INIT into it.
@@ -96,6 +98,12 @@ void *region_alloc(region_type *region, size_t size);
*/
void *region_alloc_init(region_type *region, const void *init, size_t size);
+/**
+ * Allocate array (with integer overflow check on sizes), and init with
+ * the given array copied into it. Allocated in the region
+ */
+void *region_alloc_array_init(region_type *region, const void *init,
+ size_t num, size_t size);
/*
* Allocate SIZE bytes of memory inside REGION that are initialized to
@@ -104,6 +112,11 @@ void *region_alloc_init(region_type *region, const void *init, size_t size);
*/
void *region_alloc_zero(region_type *region, size_t size);
+/**
+ * Allocate array (with integer overflow check on sizes), and zero it.
+ * Allocated in the region.
+ */
+void *region_alloc_array_zero(region_type *region, size_t num, size_t size);
/*
* Run the cleanup actions and free all memory associated with REGION.
diff --git a/usr.sbin/nsd/tsig-openssl.c b/usr.sbin/nsd/tsig-openssl.c
index 6795e750f1f..40a35f50324 100644
--- a/usr.sbin/nsd/tsig-openssl.c
+++ b/usr.sbin/nsd/tsig-openssl.c
@@ -61,14 +61,19 @@ tsig_openssl_init(region_type *region)
int count = 0;
OpenSSL_add_all_digests();
- count += tsig_openssl_init_algorithm(region, "md5", "hmac-md5","hmac-md5.sig-alg.reg.int.");
-#ifdef HAVE_EVP_SHA1
- count += tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1", "hmac-sha1.");
-#endif /* HAVE_EVP_SHA1 */
-
-#ifdef HAVE_EVP_SHA256
- count += tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256", "hmac-sha256.");
-#endif /* HAVE_EVP_SHA256 */
+ count += tsig_openssl_init_algorithm(region,
+ "md5", "hmac-md5","hmac-md5.sig-alg.reg.int.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha1", "hmac-sha1", "hmac-sha1.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha224", "hmac-sha224", "hmac-sha224.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha256", "hmac-sha256", "hmac-sha256.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha384", "hmac-sha384", "hmac-sha384.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha512", "hmac-sha512", "hmac-sha512.");
+
return count;
}
diff --git a/usr.sbin/nsd/tsig.h b/usr.sbin/nsd/tsig.h
index 71cad7740c7..1c2c1211715 100644
--- a/usr.sbin/nsd/tsig.h
+++ b/usr.sbin/nsd/tsig.h
@@ -22,10 +22,6 @@
#define TSIG_ERROR_BADKEY 17
#define TSIG_ERROR_BADTIME 18
-#define TSIG_HMAC_MD5 157
-#define TSIG_HMAC_SHA1 158
-#define TSIG_HMAC_SHA256 159
-
typedef struct tsig_algorithm tsig_algorithm_type;
typedef struct tsig_key tsig_key_type;
typedef struct tsig_record tsig_record_type;