diff options
author | Stuart Henderson <sthen@cvs.openbsd.org> | 2015-07-17 17:36:02 +0000 |
---|---|---|
committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2015-07-17 17:36:02 +0000 |
commit | 0648fda297cd0b072f32820e0229845c7a30e092 (patch) | |
tree | 1a7b872b8edab265582e9c62f2dfd1c5ceb0d501 | |
parent | cf3a99ef19172cd8a3dc0b09ff92a6197f532b13 (diff) |
update to NSD 4.1.3, ok florian@, also tested by brad
-rw-r--r-- | usr.sbin/nsd/acx_nlnetlabs.m4 | 13 | ||||
-rw-r--r-- | usr.sbin/nsd/configyyrename.h | 4 | ||||
-rw-r--r-- | usr.sbin/nsd/dbaccess.c | 7 | ||||
-rw-r--r-- | usr.sbin/nsd/dname.h | 2 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-checkzone.8.in | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | usr.sbin/nsd/nsd-control-setup.sh.in | 2 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-control.c | 11 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd.h | 6 | ||||
-rw-r--r-- | usr.sbin/nsd/packet.c | 54 | ||||
-rw-r--r-- | usr.sbin/nsd/packet.h | 4 | ||||
-rw-r--r-- | usr.sbin/nsd/radtree.c | 8 | ||||
-rw-r--r-- | usr.sbin/nsd/region-allocator.h | 13 | ||||
-rw-r--r-- | usr.sbin/nsd/tsig-openssl.c | 21 | ||||
-rw-r--r-- | usr.sbin/nsd/tsig.h | 4 |
14 files changed, 126 insertions, 25 deletions
diff --git a/usr.sbin/nsd/acx_nlnetlabs.m4 b/usr.sbin/nsd/acx_nlnetlabs.m4 index e1cf83a70bd..decf0f58600 100644 --- a/usr.sbin/nsd/acx_nlnetlabs.m4 +++ b/usr.sbin/nsd/acx_nlnetlabs.m4 @@ -2,7 +2,8 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 26 +# Version 27 +# 2015-03-17 AHX_CONFIG_REALLOCARRAY added # 2013-09-19 FLTO help text improved. # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes # 2013-06-25 FLTO has --disable-flto option. @@ -1213,6 +1214,16 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result); #endif ]) +dnl provide reallocarray compat prototype. +dnl $1: unique name for compat code +AC_DEFUN([AHX_CONFIG_REALLOCARRAY], +[ +#ifndef HAVE_REALLOCARRAY +#define reallocarray reallocarray$1 +void* reallocarray(void *ptr, size_t nmemb, size_t size); +#endif +]) + dnl provide w32 compat definition for sleep AC_DEFUN([AHX_CONFIG_W32_SLEEP], [ diff --git a/usr.sbin/nsd/configyyrename.h b/usr.sbin/nsd/configyyrename.h index 6beb810aa8e..a637f41d229 100644 --- a/usr.sbin/nsd/configyyrename.h +++ b/usr.sbin/nsd/configyyrename.h @@ -104,7 +104,9 @@ #define yy_accept c__accept #define yy_c_buf_p c__c_buf_p #define yy_chk c__chk -#define yy_current_buffer c__current_buffer +#ifndef LEX_DEFINES_YY_CURRENT_BUFFER +# define yy_current_buffer c__current_buffer +#endif #define yy_def c__def #define yy_did_buffer_switch_on_eof c__did_buffer_switch_on_eof #define yy_ec c__ec diff --git a/usr.sbin/nsd/dbaccess.c b/usr.sbin/nsd/dbaccess.c index ad15448038a..4e11977d6bd 100644 --- a/usr.sbin/nsd/dbaccess.c +++ b/usr.sbin/nsd/dbaccess.c @@ -156,8 +156,8 @@ read_rrset(udb_base* udb, namedb_type* db, zone_type* zone, rrset = (rrset_type *) region_alloc(db->region, sizeof(rrset_type)); rrset->zone = zone; rrset->rr_count = calculate_rr_count(udb, urrset); - rrset->rrs = (rr_type *) region_alloc( - db->region, rrset->rr_count * sizeof(rr_type)); + rrset->rrs = (rr_type *) region_alloc_array( + db->region, rrset->rr_count, sizeof(rr_type)); /* add the RRs */ udb_ptr_new(&urr, udb, &RRSET(urrset)->rrs); for(i=0; i<rrset->rr_count; i++) { @@ -288,6 +288,7 @@ namedb_zone_delete(namedb_type* db, zone_type* zone) /* see if apex can be deleted */ if(zone->apex) { zone->apex->usage --; + zone->apex->is_apex = 0; if(zone->apex->usage == 0) { /* delete the apex, possibly */ domain_table_deldomain(db, zone->apex); @@ -607,7 +608,7 @@ namedb_read_zonefile(struct nsd* nsd, struct zone* zone, udb_base* taskudb, zone->logstr = NULL; } } else { - VERBOSITY(1, (LOG_INFO, "zone %s read with no errors", + VERBOSITY(1, (LOG_INFO, "zone %s read with success", zone->opts->name)); zone->is_ok = 1; zone->is_changed = 0; diff --git a/usr.sbin/nsd/dname.h b/usr.sbin/nsd/dname.h index a9aa15ad177..060afff5b15 100644 --- a/usr.sbin/nsd/dname.h +++ b/usr.sbin/nsd/dname.h @@ -217,7 +217,7 @@ static inline size_t dname_total_size(const dname_type *dname) { return (sizeof(dname_type) - + ((dname->label_count + dname->name_size) + + ((((size_t)dname->label_count) + ((size_t)dname->name_size)) * sizeof(uint8_t))); } diff --git a/usr.sbin/nsd/nsd-checkzone.8.in b/usr.sbin/nsd/nsd-checkzone.8.in index 7a19e1677be..648eb8784e5 100644 --- a/usr.sbin/nsd/nsd-checkzone.8.in +++ b/usr.sbin/nsd/nsd-checkzone.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-checkzone" "8" "Feb 3, 2015" "NLnet Labs" "nsd 4.1.1" +.TH "nsd\-checkzone" "8" "Jun 23, 2015" "NLnet Labs" "nsd 4.1.3" .\" Copyright (c) 2014, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" diff --git a/usr.sbin/nsd/nsd-control-setup.sh.in b/usr.sbin/nsd/nsd-control-setup.sh.in index a774717a740..b39c11ce722 100755..100644 --- a/usr.sbin/nsd/nsd-control-setup.sh.in +++ b/usr.sbin/nsd/nsd-control-setup.sh.in @@ -46,7 +46,7 @@ CLIENTNAME=nsd-control DAYS=7200 # size of keys in bits -BITS=1536 +BITS=3072 # hash algorithm HASH=sha256 diff --git a/usr.sbin/nsd/nsd-control.c b/usr.sbin/nsd/nsd-control.c index 2547489eb27..3b6e6526ab9 100644 --- a/usr.sbin/nsd/nsd-control.c +++ b/usr.sbin/nsd/nsd-control.c @@ -84,6 +84,8 @@ usage() printf(" stats_noreset peek at statistics\n"); printf(" addzone <name> <pattern> add a new zone\n"); printf(" delzone <name> remove a zone\n"); + printf(" addzones add zone list on stdin {name space pattern newline}\n"); + printf(" delzones remove zone list on stdin {name newline}\n"); printf(" write [<zone>] write changed zonefiles to disk\n"); printf(" notify [<zone>] send NOTIFY messages to slave servers\n"); printf(" transfer [<zone>] try to update slave zones to newer serial\n"); @@ -253,10 +255,14 @@ setup_ssl(SSL_CTX* ctx, int fd) static void send_file(SSL* ssl, FILE* in, char* buf, size_t sz) { + char e[] = {0x04, 0x0a}; while(fgets(buf, (int)sz, in)) { if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) ssl_err("could not SSL_write contents"); } + /* send end-of-file marker */ + if(SSL_write(ssl, e, (int)sizeof(e)) <= 0) + ssl_err("could not SSL_write end-of-file marker"); } /** send command and display result */ @@ -281,8 +287,9 @@ go_cmd(SSL* ssl, int argc, char* argv[]) if(SSL_write(ssl, newline, (int)strlen(newline)) <= 0) ssl_err("could not SSL_write"); - /* TODO remove or use file upload */ - if(argc == 1 && strcmp(argv[0], "load_cache") == 0) { + /* send contents to server */ + if(argc == 1 && (strcmp(argv[0], "addzones") == 0 || + strcmp(argv[0], "delzones") == 0)) { send_file(ssl, stdin, buf, sizeof(buf)); } diff --git a/usr.sbin/nsd/nsd.h b/usr.sbin/nsd/nsd.h index 121e01ad91a..7fd805e3746 100644 --- a/usr.sbin/nsd/nsd.h +++ b/usr.sbin/nsd/nsd.h @@ -248,6 +248,10 @@ struct nsd /* current zonestat array to use */ struct nsdst* zonestatnow; #endif /* BIND8_STATS */ + /* ratelimit for errors, time value */ + time_t err_limit_time; + /* ratelimit for errors, packet count */ + unsigned int err_limit_count; struct nsd_options* options; }; @@ -272,6 +276,8 @@ struct event_base* nsd_child_event_base(void); /* extra domain numbers for temporary domains */ #define EXTRA_DOMAIN_NUMBERS 1024 #define SLOW_ACCEPT_TIMEOUT 2 /* in seconds */ +/* ratelimit for error responses */ +#define ERROR_RATELIMIT 100 /* qps */ /* allocate zonestat structures */ void server_zonestat_alloc(struct nsd* nsd); /* remap the mmaps for zonestat isx, to bytesize sz. Caller has to set diff --git a/usr.sbin/nsd/packet.c b/usr.sbin/nsd/packet.c index 08d91b269d7..b0699d67747 100644 --- a/usr.sbin/nsd/packet.c +++ b/usr.sbin/nsd/packet.c @@ -342,3 +342,57 @@ int packet_read_query_section(buffer_type *packet, *qclass = buffer_read_u16(packet); return 1; } + +int packet_find_notify_serial(buffer_type *packet, uint32_t* serial) +{ + size_t saved_position = buffer_position(packet); + /* count of further RRs after question section */ + size_t rrcount = ANCOUNT(packet) + NSCOUNT(packet) + ARCOUNT(packet); + size_t i; + buffer_set_position(packet, QHEADERSZ); + + /* skip all question RRs */ + for (i = 0; i < QDCOUNT(packet); ++i) { + if (!packet_skip_rr(packet, 1)) { + buffer_set_position(packet, saved_position); + return 0; + } + } + + /* Find the SOA RR */ + for(i = 0; i < rrcount; i++) { + uint16_t rdata_size; + if (!packet_skip_dname(packet)) + break; + /* check length available for type,class,ttl,rdatalen */ + if (!buffer_available(packet, 10)) + break; + /* check type, class */ + if(buffer_read_u16(packet) == TYPE_SOA) { + if(buffer_read_u16(packet) != CLASS_IN) + break; + buffer_skip(packet, 4); /* skip ttl */ + rdata_size = buffer_read_u16(packet); + if (!buffer_available(packet, rdata_size)) + break; + /* skip two dnames, then serial */ + if (!packet_skip_dname(packet) || + !packet_skip_dname(packet)) + break; + if (!buffer_available(packet, 4)) + break; + *serial = buffer_read_u32(packet); + buffer_set_position(packet, saved_position); + return 1; + } + /* continue to next RR */ + buffer_skip(packet, 6); + rdata_size = buffer_read_u16(packet); + if (!buffer_available(packet, rdata_size)) + break; + buffer_skip(packet, rdata_size); + } + /* failed to find SOA */ + buffer_set_position(packet, saved_position); + return 0; +} diff --git a/usr.sbin/nsd/packet.h b/usr.sbin/nsd/packet.h index b07c6204c5c..27ea9367d67 100644 --- a/usr.sbin/nsd/packet.h +++ b/usr.sbin/nsd/packet.h @@ -196,4 +196,8 @@ int packet_read_query_section(buffer_type *packet, uint16_t* qtype, uint16_t* qclass); +/* read notify SOA serial from packet. buffer position is unmodified on return. + * returns false on no-serial found or parse failure. */ +int packet_find_notify_serial(buffer_type *packet, uint32_t* serial); + #endif /* _PACKET_H_ */ diff --git a/usr.sbin/nsd/radtree.c b/usr.sbin/nsd/radtree.c index 014d23908aa..8ca4a5bd5ba 100644 --- a/usr.sbin/nsd/radtree.c +++ b/usr.sbin/nsd/radtree.c @@ -189,7 +189,7 @@ radnode_array_grow(struct region* region, struct radnode* n, unsigned want) if(ns > 256) ns = 256; /* we do not use realloc, because we want to keep the old array * in case alloc fails, so that the tree is still usable */ - a = (struct radsel*)region_alloc(region, ns*sizeof(struct radsel)); + a = (struct radsel*)region_alloc_array(region, ns, sizeof(struct radsel)); if(!a) return 0; assert(n->len <= n->capacity); assert(n->capacity < ns); @@ -670,8 +670,8 @@ static void radnode_array_reduce_if_needed(struct region* region, struct radnode* n) { if(n->len <= n->capacity/2 && n->len != n->capacity) { - struct radsel* a = (struct radsel*)region_alloc(region, - sizeof(*a)*n->len); + struct radsel* a = (struct radsel*)region_alloc_array(region, + sizeof(*a), n->len); if(!a) return; memcpy(a, n->array, sizeof(*a)*n->len); region_recycle(region, n->array, n->capacity*sizeof(*a)); @@ -953,6 +953,7 @@ struct radnode* radix_last(struct radtree* rt) struct radnode* radix_next(struct radnode* n) { + if(!n) return NULL; if(n->len) { /* go down */ struct radnode* s = radnode_first_in_subtree(n); @@ -982,6 +983,7 @@ struct radnode* radix_next(struct radnode* n) struct radnode* radix_prev(struct radnode* n) { + if(!n) return NULL; /* must go up, since all array nodes are after this node */ while(n->parent) { uint8_t idx = n->pidx; diff --git a/usr.sbin/nsd/region-allocator.h b/usr.sbin/nsd/region-allocator.h index 7a7bfe96f2a..d525a2b05bc 100644 --- a/usr.sbin/nsd/region-allocator.h +++ b/usr.sbin/nsd/region-allocator.h @@ -88,6 +88,8 @@ void region_remove_cleanup(region_type *region, */ void *region_alloc(region_type *region, size_t size); +/** Allocate array with integer overflow checks, in region */ +void *region_alloc_array(region_type *region, size_t num, size_t size); /* * Allocate SIZE bytes of memory inside REGION and copy INIT into it. @@ -96,6 +98,12 @@ void *region_alloc(region_type *region, size_t size); */ void *region_alloc_init(region_type *region, const void *init, size_t size); +/** + * Allocate array (with integer overflow check on sizes), and init with + * the given array copied into it. Allocated in the region + */ +void *region_alloc_array_init(region_type *region, const void *init, + size_t num, size_t size); /* * Allocate SIZE bytes of memory inside REGION that are initialized to @@ -104,6 +112,11 @@ void *region_alloc_init(region_type *region, const void *init, size_t size); */ void *region_alloc_zero(region_type *region, size_t size); +/** + * Allocate array (with integer overflow check on sizes), and zero it. + * Allocated in the region. + */ +void *region_alloc_array_zero(region_type *region, size_t num, size_t size); /* * Run the cleanup actions and free all memory associated with REGION. diff --git a/usr.sbin/nsd/tsig-openssl.c b/usr.sbin/nsd/tsig-openssl.c index 6795e750f1f..40a35f50324 100644 --- a/usr.sbin/nsd/tsig-openssl.c +++ b/usr.sbin/nsd/tsig-openssl.c @@ -61,14 +61,19 @@ tsig_openssl_init(region_type *region) int count = 0; OpenSSL_add_all_digests(); - count += tsig_openssl_init_algorithm(region, "md5", "hmac-md5","hmac-md5.sig-alg.reg.int."); -#ifdef HAVE_EVP_SHA1 - count += tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1", "hmac-sha1."); -#endif /* HAVE_EVP_SHA1 */ - -#ifdef HAVE_EVP_SHA256 - count += tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256", "hmac-sha256."); -#endif /* HAVE_EVP_SHA256 */ + count += tsig_openssl_init_algorithm(region, + "md5", "hmac-md5","hmac-md5.sig-alg.reg.int."); + count += tsig_openssl_init_algorithm(region, + "sha1", "hmac-sha1", "hmac-sha1."); + count += tsig_openssl_init_algorithm(region, + "sha224", "hmac-sha224", "hmac-sha224."); + count += tsig_openssl_init_algorithm(region, + "sha256", "hmac-sha256", "hmac-sha256."); + count += tsig_openssl_init_algorithm(region, + "sha384", "hmac-sha384", "hmac-sha384."); + count += tsig_openssl_init_algorithm(region, + "sha512", "hmac-sha512", "hmac-sha512."); + return count; } diff --git a/usr.sbin/nsd/tsig.h b/usr.sbin/nsd/tsig.h index 71cad7740c7..1c2c1211715 100644 --- a/usr.sbin/nsd/tsig.h +++ b/usr.sbin/nsd/tsig.h @@ -22,10 +22,6 @@ #define TSIG_ERROR_BADKEY 17 #define TSIG_ERROR_BADTIME 18 -#define TSIG_HMAC_MD5 157 -#define TSIG_HMAC_SHA1 158 -#define TSIG_HMAC_SHA256 159 - typedef struct tsig_algorithm tsig_algorithm_type; typedef struct tsig_key tsig_key_type; typedef struct tsig_record tsig_record_type; |