author | Stuart Henderson <sthen@cvs.openbsd.org> | 2015-12-11 12:28:50 +0000 |
---|---|---|
committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2015-12-11 12:28:50 +0000 |
commit | bfeff489804ae07cbd2e83bfe3c3e29b9f213618 (patch) | |
tree | a3215c9ae76d03bcfd08d1b53f1b923e28ad0d08 | |
parent | 0acd6a362b41e985e864a92e9bee8ab3fbd9adf2 (diff) |
update to NSD 4.1.7, ok florian@
-rw-r--r-- | usr.sbin/nsd/Makefile.in | 1 | ||||
-rw-r--r-- | usr.sbin/nsd/acx_nlnetlabs.m4 | 478 | ||||
-rw-r--r-- | usr.sbin/nsd/config.h.in | 9 | ||||
-rw-r--r-- | usr.sbin/nsd/configlexer.lex | 171 | ||||
-rw-r--r-- | usr.sbin/nsd/configparser.y | 10 | ||||
-rw-r--r-- | usr.sbin/nsd/configure.ac | 35 | ||||
-rw-r--r-- | usr.sbin/nsd/netio.c | 101 | ||||
-rw-r--r-- | usr.sbin/nsd/netio.h | 14 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-checkconf.8.in | 2 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-checkconf.c | 7 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-checkzone.8.in | 2 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-control.8.in | 2 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd.8.in | 4 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd.c | 3 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd.conf.5.in | 33 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd.conf.sample.in | 348 | ||||
-rw-r--r-- | usr.sbin/nsd/options.c | 14 | ||||
-rw-r--r-- | usr.sbin/nsd/options.h | 1 | ||||
-rw-r--r-- | usr.sbin/nsd/query.c | 10 | ||||
-rw-r--r-- | usr.sbin/nsd/region-allocator.c | 1 | ||||
-rw-r--r-- | usr.sbin/nsd/server.c | 5 | ||||
-rw-r--r-- | usr.sbin/nsd/tsig-openssl.c | 40 | ||||
-rw-r--r-- | usr.sbin/nsd/zonec.c | 5 |
23 files changed, 941 insertions, 355 deletions
diff --git a/usr.sbin/nsd/Makefile.in b/usr.sbin/nsd/Makefile.in
index d193cc6629e..91032915ada 100644
--- a/usr.sbin/nsd/Makefile.in
+++ b/usr.sbin/nsd/Makefile.in
@@ -65,6 +65,7 @@ EDIT = sed \
 	-e 's,@zonelistfile\@,$(zonelistfile),g' \
 	-e 's,@nsdconfigfile\@,$(nsdconfigfile),g' \
 	-e 's,@shell\@,$(SHELL),g' \
+	-e 's,@ratelimit_default\@,@ratelimit_default@,g' \
 	-e 's,@user\@,$(user),g'
 
 TARGETS=nsd nsd-checkconf nsd-checkzone nsd-control nsd.conf.sample nsd-control-setup.sh
diff --git a/usr.sbin/nsd/acx_nlnetlabs.m4 b/usr.sbin/nsd/acx_nlnetlabs.m4
index 3baa9d3bf13..26513e4ff67 100644
--- a/usr.sbin/nsd/acx_nlnetlabs.m4
+++ b/usr.sbin/nsd/acx_nlnetlabs.m4
@@ -2,10 +2,39 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 2 -# 2009-07-03 -# Changelog -# - fixup LDFLAGS for empty ssl dir. +# Version 30 +# 2015-11-18 spelling check fix. +# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly. +# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added. +# 2015-03-17 AHX_CONFIG_REALLOCARRAY added +# 2013-09-19 FLTO help text improved. +# 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes +# 2013-06-25 FLTO has --disable-flto option. +# 2013-05-03 Update W32_SLEEP for newer mingw that links but not defines it. +# 2013-03-22 Fix ACX_RSRC_VERSION for long version numbers. +# 2012-02-09 Fix AHX_MEMCMP_BROKEN with undef in compat/memcmp.h. +# 2012-01-20 Fix COMPILER_FLAGS_UNBOUND for gcc 4.6.2 assigned-not-used-warns. +# 2011-12-05 Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc. +# Fix ACX_MALLOC for redefined malloc error. +# Fix GETADDRINFO_WITH_INCLUDES to add -lws2_32 +# 2011-11-10 Fix FLTO test to not drop a.out in current directory. +# 2011-11-01 Fix FLTO test for llvm on Lion. +# 2011-08-01 Fix nonblock test (broken at v13). +# 2011-08-01 Fix autoconf 2.68 warnings +# 2011-06-23 Add ACX_CHECK_FLTO to check -flto. +# 2010-08-16 Fix FLAG_OMITTED for AS_TR_CPP changes in autoconf-2.66. +# 2010-07-02 Add check for ss_family (for minix). +# 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS. +# 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end. +# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS separate, -ldl +# 2010-02-01 added ACX_CHECK_MEMCMP_SIGNED, AHX_MEMCMP_BROKEN +# 2010-01-20 added AHX_COONFIG_STRLCAT +# 2009-07-14 U_CHAR detection improved for windows crosscompile. +# added ACX_FUNC_MALLOC +# fixup some #if to #ifdef +# NONBLOCKING test for mingw crosscompile. +# 2009-07-13 added ACX_WITH_SSL_OPTIONAL +# 2009-07-03 fixup LDFLAGS for empty ssl dir. # # Automates some of the checking constructs. 
Aims at portability for POSIX. # Documentation for functions is below. @@ -22,6 +51,7 @@ # ACX_DETERMINE_EXT_FLAGS_UNBOUND - find out which flags enable BSD and POSIX. # ACX_CHECK_FORMAT_ATTRIBUTE - find cc printf format syntax. # ACX_CHECK_UNUSED_ATTRIBUTE - find cc variable unused syntax. +# ACX_CHECK_FLTO - see if cc supports -flto and use it if so. # ACX_LIBTOOL_C_ONLY - create libtool for C only, improved. # ACX_TYPE_U_CHAR - u_char type. # ACX_TYPE_RLIM_T - rlim_t type. @@ -30,6 +60,8 @@ # ACX_TYPE_IN_PORT_T - in_port_t type. # ACX_ARG_RPATH - add --disable-rpath option. # ACX_WITH_SSL - add --with-ssl option, link -lcrypto. +# ACX_WITH_SSL_OPTIONAL - add --with-ssl option, link -lcrypto, +# where --without-ssl is also accepted # ACX_LIB_SSL - setup to link -lssl. # ACX_SYS_LARGEFILE - improved sys_largefile, fseeko, >2G files. # ACX_CHECK_GETADDRINFO_WITH_INCLUDES - find getaddrinfo, portably. @@ -37,6 +69,7 @@ # ACX_CHECK_NONBLOCKING_BROKEN - see if nonblocking sockets really work. # ACX_MKDIR_ONE_ARG - determine mkdir(2) number of arguments. # ACX_FUNC_IOCTLSOCKET - find ioctlsocket, portably. +# ACX_FUNC_MALLOC - check malloc, define replacement . # AHX_CONFIG_FORMAT_ATTRIBUTE - config.h text for format. # AHX_CONFIG_UNUSED_ATTRIBUTE - config.h text for unused. # AHX_CONFIG_FSEEKO - define fseeko, ftello fallback. @@ -48,6 +81,7 @@ # AHX_CONFIG_INET_NTOP - inet_ntop compat prototype # AHX_CONFIG_INET_ATON - inet_aton compat prototype # AHX_CONFIG_MEMMOVE - memmove compat prototype +# AHX_CONFIG_STRLCAT - strlcat compat prototype # AHX_CONFIG_STRLCPY - strlcpy compat prototype # AHX_CONFIG_GMTIME_R - gmtime_r compat prototype # AHX_CONFIG_W32_SLEEP - w32 compat for sleep 
@@ -60,6 +94,11 @@ # AHX_CONFIG_FLAG_OMITTED - define omitted flag # AHX_CONFIG_FLAG_EXT - define omitted extension flag # AHX_CONFIG_EXT_FLAGS - define the stripped extension flags +# ACX_CHECK_MEMCMP_SIGNED - check if memcmp uses signed characters. +# AHX_MEMCMP_BROKEN - replace memcmp func for CHECK_MEMCMP_SIGNED. +# ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family +# ACX_CHECK_PIE - add --enable-pie option and check if works +# ACX_CHECK_RELRO_NOW - add --enable-relro-now option and check it # dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines. @@ -73,7 +112,7 @@ dnl Calculate comma separated windows-resource numbers from package version. dnl Picks the first three(,0) or four numbers out of the name. dnl $1: variable for the result AC_DEFUN([ACX_RSRC_VERSION], -[$1=[`echo $PACKAGE_VERSION | sed -e 's/^[^0-9]*\([0-9]\)[^0-9]*\([0-9]\)[^0-9]*\([0-9]\)[^0-9]*\([0-9]\).*$/\1,\2,\3,\4/' -e 's/^[^0-9]*\([0-9]\)[^0-9]*\([0-9]\)[^0-9]*\([0-9]\)[^0-9]*$/\1,\2,\3,0/' `] +[$1=[`echo $PACKAGE_VERSION | sed -e 's/^[^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\).*$/\1,\2,\3,\4/' -e 's/^[^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\)[^0-9]*$/\1,\2,\3,0/' `] ]) dnl Routine to help check for compiler flags. @@ -88,8 +127,8 @@ AC_MSG_CHECKING(whether $CC supports -$1) cache=`echo $1 | sed 'y%.=/+-%___p_%'` AC_CACHE_VAL(cv_prog_cc_flag_$cache, [ -echo 'void f(){}' >conftest.c -if test -z "`$CC -$1 -c conftest.c 2>&1`"; then +echo 'void f(void){}' >conftest.c +if test -z "`$CC $CPPFLAGS $CFLAGS -$1 -c conftest.c 2>&1`"; then eval "cv_prog_cc_flag_$cache=yes" else eval "cv_prog_cc_flag_$cache=no" 
@@ -133,18 +172,18 @@ AC_CACHE_VAL(cv_prog_cc_flag_needed_$cache, [ echo '$2' > conftest.c echo 'void f(){}' >>conftest.c -if test -z "`$CC $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then +if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then eval "cv_prog_cc_flag_needed_$cache=no" else [ -if test -z "`$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1`"; then +if test -z "`$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1`"; then eval "cv_prog_cc_flag_needed_$cache=yes" else eval "cv_prog_cc_flag_needed_$cache=fail" #echo 'Test with flag fails too!' #cat conftest.c -#echo "$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1" -#echo `$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1` +#echo "$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1" +#echo `$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1` #exit 1 fi ] @@ -160,8 +199,8 @@ if eval "test \"`echo '$cv_prog_cc_flag_needed_'$cache`\" = no"; then AC_MSG_RESULT(no) #echo 'Test with flag is no!' #cat conftest.c -#echo "$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1" -#echo `$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1` +#echo "$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1" +#echo `$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1` #exit 1 : $4 @@ -233,6 +272,8 @@ int test() { a = getopt(2, opts, "a"); a = isascii(32); str = gai_strerror(0); + if(str && t && tv.tv_usec && msg.msg_control) + a = 0; return a; } ], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE"]) @@ -268,6 +309,8 @@ int test() { a = getopt(2, opts, "a"); a = isascii(32); str = gai_strerror(0); + if(str && t && tv.tv_usec && msg.msg_control) + a = 0; return a; } ], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE"]) 
@@ -334,6 +377,8 @@ int test() { const char* str = NULL; t = ctime_r(&time, buf); str = gai_strerror(0); + if(t && str) + a = 0; return a; } ], [CFLAGS="$CFLAGS -D_POSIX_C_SOURCE=200112"]) @@ -360,12 +405,35 @@ int test() { srandom(32); a = getopt(2, opts, "a"); a = isascii(32); + if(tv.tv_usec) + a = 0; return a; } ], [CFLAGS="$CFLAGS -D__EXTENSIONS__"]) ])dnl End of ACX_DETERMINE_EXT_FLAGS_UNBOUND +dnl Check if CC supports -flto. +dnl in a way that supports clang and suncc (that flag does something else, +dnl but fails to link). It sets it in CFLAGS if it works. +AC_DEFUN([ACX_CHECK_FLTO], [ + AC_ARG_ENABLE([flto], AS_HELP_STRING([--disable-flto], [Disable link-time optimization (gcc specific option)])) + AS_IF([test "x$enable_flto" != "xno"], [ + AC_MSG_CHECKING([if $CC supports -flto]) + BAKCFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -flto" + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [ + if $CC $CFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + CFLAGS="$BAKCFLAGS" + AC_MSG_RESULT(no) + else + AC_MSG_RESULT(yes) + fi + rm -f conftest conftest.c conftest.o + ], [CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)]) + ]) +]) + dnl Check the printf-format attribute (if any) dnl result in HAVE_ATTR_FORMAT. dnl Make sure you also include the AHX_CONFIG_FORMAT_ATTRIBUTE. @@ -480,14 +548,20 @@ AC_PROG_LIBTOOL dnl Detect if u_char type is defined, otherwise define it. AC_DEFUN([ACX_TYPE_U_CHAR], - [AC_CHECK_TYPE(u_char, unsigned char)]) +[AC_CHECK_TYPE([u_char], , + [AC_DEFINE([u_char], [unsigned char], [Define to 'unsigned char if not defined])], [ +AC_INCLUDES_DEFAULT +#ifdef HAVE_WINSOCK2_H +# include <winsock2.h> +#endif +]) ]) dnl Detect if rlim_t type is defined, otherwise define it. AC_DEFUN([ACX_TYPE_RLIM_T], [AC_CHECK_TYPE(rlim_t, , [AC_DEFINE([rlim_t], [unsigned long], [Define to 'int' if not defined])], [ AC_INCLUDES_DEFAULT -#if HAVE_SYS_RESOURCE_H +#ifdef HAVE_SYS_RESOURCE_H # include <sys/resource.h> #endif ]) ]) 
@@ -498,31 +572,34 @@ AC_DEFUN([ACX_TYPE_SOCKLEN_T], AC_CHECK_TYPE(socklen_t, , [AC_DEFINE([socklen_t], [int], [Define to 'int' if not defined])], [ AC_INCLUDES_DEFAULT -#if HAVE_SYS_SOCKET_H +#ifdef HAVE_SYS_SOCKET_H # include <sys/socket.h> #endif +#ifdef HAVE_WS2TCPIP_H +# include <ws2tcpip.h> +#endif ]) ]) -dnl Detect if socklen_t type is defined, otherwise define it. +dnl Detect if in_addr_t type is defined, otherwise define it. AC_DEFUN([ACX_TYPE_IN_ADDR_T], [ AC_CHECK_TYPE(in_addr_t, [], [AC_DEFINE([in_addr_t], [uint32_t], [in_addr_t])], [ AC_INCLUDES_DEFAULT -#if HAVE_SYS_TYPES_H +#ifdef HAVE_SYS_TYPES_H # include <sys/types.h> #endif -#if HAVE_NETINET_IN_H +#ifdef HAVE_NETINET_IN_H # include <netinet/in.h> #endif ]) ]) -dnl Detect if socklen_t type is defined, otherwise define it. +dnl Detect if in_port_t type is defined, otherwise define it. AC_DEFUN([ACX_TYPE_IN_PORT_T], [ AC_CHECK_TYPE(in_port_t, [], [AC_DEFINE([in_port_t], [uint16_t], [in_port_t])], [ AC_INCLUDES_DEFAULT -#if HAVE_SYS_TYPES_H +#ifdef HAVE_SYS_TYPES_H # include <sys/types.h> #endif -#if HAVE_NETINET_IN_H +#ifdef HAVE_NETINET_IN_H # include <netinet/in.h> #endif ]) ]) @@ -535,12 +612,14 @@ AC_ARG_ENABLE(rpath, [ --disable-rpath disable hardcoded rpath (default=enabled)], enable_rpath=$enableval, enable_rpath=yes) if test "x$enable_rpath" = xno; then - AC_MSG_RESULT([Fixing libtool for -rpath problems.]) + dnl AC_MSG_RESULT([Fixing libtool for -rpath problems.]) + AC_CONFIG_COMMANDS([disable-rpath], [ sed < libtool > libtool-2 \ 's/^hardcode_libdir_flag_spec.*$'/'hardcode_libdir_flag_spec=" -D__LIBTOOL_RPATH_SED__ "/' mv libtool-2 libtool chmod 755 libtool libtool="./libtool" + ]) fi ]) 
@@ -555,22 +634,11 @@ AC_DEFUN([ACX_RUNTIME_PATH_ADD], [ fi ]) -dnl Check for SSL. -dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found -dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS. -dnl Checks main header files of SSL. -dnl -AC_DEFUN([ACX_WITH_SSL], -[ -AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname], - [enable SSL (will check /usr/local/ssl - /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[ - ],[ - withval="yes" - ]) - if test x_$withval = x_no; then - AC_MSG_ERROR([Need SSL library to do digital signature cryptography]) - fi +dnl Common code for both ACX_WITH_SSL and ACX_WITH_SSL_OPTIONAL +dnl Takes one argument; the withval checked in those 2 functions +dnl sets up the environment for the given openssl path +AC_DEFUN([ACX_SSL_CHECKS], [ + withval=$1 if test x_$withval != x_no; then AC_MSG_CHECKING(for SSL) if test x_$withval = x_ -o x_$withval = x_yes; then @@ -581,10 +649,11 @@ AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname], if test -f "$dir/include/openssl/ssl.h"; then found_ssl="yes" AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.]) - dnl assume /usr/include is already in the include-path. - if test "$ssldir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$ssldir/include" - fi + dnl assume /usr/include is already in the include-path. + if test "$ssldir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$ssldir/include" + LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include" + fi break; fi done 
@@ -593,61 +662,102 @@ AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname], else AC_MSG_RESULT(found in $ssldir) HAVE_SSL=yes - dnl assume /usr is already in the lib and dynlib paths. - if test "$ssldir" != "/usr" -a "$ssldir" != ""; then + dnl assume /usr is already in the lib and dynlib paths. + if test "$ssldir" != "/usr" -a "$ssldir" != ""; then LDFLAGS="$LDFLAGS -L$ssldir/lib" - ACX_RUNTIME_PATH_ADD([$ssldir/lib]) - fi - - AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto]) - LIBS="$LIBS -lcrypto" - AC_TRY_LINK(, [ - int HMAC_CTX_init(void); - (void)HMAC_CTX_init(); - ], [ - AC_MSG_RESULT(yes) - AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, - [If you have HMAC_CTX_init]) - ], [ - AC_MSG_RESULT(no) - # check if -lwsock32 or -lgdi32 are needed. - BAKLIBS="$LIBS" - LIBS="$LIBS -lgdi32" - AC_MSG_CHECKING([if -lcrypto needs -lgdi32]) - AC_TRY_LINK([], [ - int HMAC_CTX_init(void); - (void)HMAC_CTX_init(); - ],[ - AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, - [If you have HMAC_CTX_init]) - AC_MSG_RESULT(yes) - ],[ - AC_MSG_RESULT(no) - LIBS="$BAKLIBS" - LIBS="$LIBS -ldl" - AC_MSG_CHECKING([if -lcrypto needs -ldl]) - AC_TRY_LINK([], [ - int HMAC_CTX_init(void); - (void)HMAC_CTX_init(); - ],[ - AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, - [If you have HMAC_CTX_init]) - AC_MSG_RESULT(yes) - ],[ - AC_MSG_RESULT(no) + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" + ACX_RUNTIME_PATH_ADD([$ssldir/lib]) + fi + + AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto]) + LIBS="$LIBS -lcrypto" + LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto" + AC_TRY_LINK(, [ + int HMAC_CTX_init(void); + (void)HMAC_CTX_init(); + ], [ + AC_MSG_RESULT(yes) + AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, + [If you have HMAC_CTX_init]) + ], [ + AC_MSG_RESULT(no) + # check if -lwsock32 or -lgdi32 are needed. 
+ BAKLIBS="$LIBS" + BAKSSLLIBS="$LIBSSL_LIBS" + LIBS="$LIBS -lgdi32" + LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32" + AC_MSG_CHECKING([if -lcrypto needs -lgdi32]) + AC_TRY_LINK([], [ + int HMAC_CTX_init(void); + (void)HMAC_CTX_init(); + ],[ + AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, + [If you have HMAC_CTX_init]) + AC_MSG_RESULT(yes) + ],[ + AC_MSG_RESULT(no) + LIBS="$BAKLIBS" + LIBSSL_LIBS="$BAKSSLLIBS" + LIBS="$LIBS -ldl" + LIBSSL_LIBS="$LIBSSL_LIBS -ldl" + AC_MSG_CHECKING([if -lcrypto needs -ldl]) + AC_TRY_LINK([], [ + int HMAC_CTX_init(void); + (void)HMAC_CTX_init(); + ],[ + AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, + [If you have HMAC_CTX_init]) + AC_MSG_RESULT(yes) + ],[ + AC_MSG_RESULT(no) AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) - ]) - ]) + ]) + ]) ]) fi AC_SUBST(HAVE_SSL) - AC_SUBST(RUNTIME_PATH) + AC_SUBST(RUNTIME_PATH) fi AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT]) +])dnl End of ACX_SSL_CHECKS + +dnl Check for SSL, where SSL is mandatory +dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found +dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS. +dnl Checks main header files of SSL. +dnl +AC_DEFUN([ACX_WITH_SSL], +[ +AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname], + [enable SSL (will check /usr/local/ssl + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[ + ],[ + withval="yes" + ]) + if test x_$withval = x_no; then + AC_MSG_ERROR([Need SSL library to do digital signature cryptography]) + fi + ACX_SSL_CHECKS($withval) ])dnl End of ACX_WITH_SSL +dnl Check for SSL, where ssl is optional (--without-ssl is allowed) +dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found +dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS. +dnl Checks main header files of SSL. 
+dnl +AC_DEFUN([ACX_WITH_SSL_OPTIONAL], +[ +AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname], + [enable SSL (will check /usr/local/ssl + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[ + ],[ + withval="yes" + ]) + ACX_SSL_CHECKS($withval) +])dnl End of ACX_WITH_SSL_OPTIONAL + dnl Setup to use -lssl dnl To use -lcrypto, use the ACX_WITH_SSL setup (before this one). AC_DEFUN([ACX_LIB_SSL], @@ -689,7 +799,7 @@ AC_DEFUN([ACX_CHECK_GETADDRINFO_WITH_INCLUDES], AC_MSG_CHECKING(for getaddrinfo) ac_cv_func_getaddrinfo=no AC_LINK_IFELSE( -[ +[AC_LANG_SOURCE([[ #ifdef __cplusplus extern "C" { @@ -703,14 +813,21 @@ int main() { ; return 0; } -], +]])], dnl this case on linux, solaris, bsd -[ac_cv_func_getaddrinfo="yes"], +[ac_cv_func_getaddrinfo="yes" +dnl see if on windows +if test "$ac_cv_header_windows_h" = "yes"; then + AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used]) + USE_WINSOCK="1" + LIBS="$LIBS -lws2_32" +fi +], dnl no quick getaddrinfo, try mingw32 and winsock2 library. ORIGLIBS="$LIBS" LIBS="$LIBS -lws2_32" AC_LINK_IFELSE( -AC_LANG_PROGRAM( +[AC_LANG_PROGRAM( [ #ifdef HAVE_WS2TCPIP_H #include <ws2tcpip.h> @@ -719,7 +836,7 @@ AC_LANG_PROGRAM( [ (void)getaddrinfo(NULL, NULL, NULL, NULL); ] -), +)], [ ac_cv_func_getaddrinfo="yes" dnl already: LIBS="$LIBS -lws2_32" @@ -779,7 +896,12 @@ dnl a nonblocking socket do not work, a new call to select is necessary. AC_DEFUN([ACX_CHECK_NONBLOCKING_BROKEN], [ AC_MSG_CHECKING([if nonblocking sockets work]) -AC_RUN_IFELSE(AC_LANG_PROGRAM([ +if echo $target | grep mingw32 >/dev/null; then + AC_MSG_RESULT([no (windows)]) + AC_DEFINE([NONBLOCKING_IS_BROKEN], 1, [Define if the network stack does not fully support nonblocking io (causes lower performance).]) +else +AC_RUN_IFELSE([ +AC_LANG_SOURCE([[ #include <stdio.h> #include <string.h> #include <stdlib.h> 
@@ -803,7 +925,9 @@ AC_RUN_IFELSE(AC_LANG_PROGRAM([ #ifdef HAVE_TIME_H #include <time.h> #endif -],[[ + +int main(void) +{ int port; int sfd, cfd; int num = 10; @@ -896,7 +1020,9 @@ AC_RUN_IFELSE(AC_LANG_PROGRAM([ close(sfd); close(cfd); -]]), [ + return 0; +} +]])], [ AC_MSG_RESULT([yes]) ], [ AC_MSG_RESULT([no]) @@ -904,6 +1030,7 @@ AC_RUN_IFELSE(AC_LANG_PROGRAM([ ], [ AC_MSG_RESULT([crosscompile(yes)]) ]) +fi ])dnl End of ACX_CHECK_NONBLOCKING_BROKEN dnl Check if mkdir has one or two arguments. @@ -935,18 +1062,41 @@ AC_DEFUN([ACX_FUNC_IOCTLSOCKET], [ # check ioctlsocket AC_MSG_CHECKING(for ioctlsocket) -AC_LINK_IFELSE(AC_LANG_PROGRAM([ +AC_LINK_IFELSE([AC_LANG_PROGRAM([ #ifdef HAVE_WINSOCK2_H #include <winsock2.h> #endif ], [ (void)ioctlsocket(0, 0, NULL); -]), [ +])], [ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_IOCTLSOCKET, 1, [if the function 'ioctlsocket' is available]) ],[AC_MSG_RESULT(no)]) ])dnl end of ACX_FUNC_IOCTLSOCKET +dnl detect malloc and provide malloc compat prototype. +dnl $1: unique name for compat code +AC_DEFUN([ACX_FUNC_MALLOC], +[ + AC_MSG_CHECKING([for GNU libc compatible malloc]) + AC_RUN_IFELSE([AC_LANG_PROGRAM( +[[#if defined STDC_HEADERS || defined HAVE_STDLIB_H +#include <stdlib.h> +#else +char *malloc (); +#endif +]], [ if(malloc(0) != 0) return 1;]) +], + [AC_MSG_RESULT([no]) + AC_LIBOBJ(malloc) + AC_DEFINE_UNQUOTED([malloc], [rpl_malloc_$1], [Define if replacement function should be used.])] , + [AC_MSG_RESULT([yes]) + AC_DEFINE([HAVE_MALLOC], 1, [If have GNU libc compatible malloc])], + [AC_MSG_RESULT([no (crosscompile)]) + AC_LIBOBJ(malloc) + AC_DEFINE_UNQUOTED([malloc], [rpl_malloc_$1], [Define if replacement function should be used.])] ) +]) + dnl Define fallback for fseeko and ftello if needed. AC_DEFUN([AHX_CONFIG_FSEEKO], [ 
@@ -1033,6 +1183,16 @@ void *memmove(void *dest, const void *src, size_t n); #endif ]) +dnl provide strlcat compat prototype. +dnl $1: unique name for compat code +AC_DEFUN([AHX_CONFIG_STRLCAT], +[ +#ifndef HAVE_STRLCAT +#define strlcat strlcat_$1 +size_t strlcat(char *dst, const char *src, size_t siz); +#endif +]) + dnl provide strlcpy compat prototype. dnl $1: unique name for compat code AC_DEFUN([AHX_CONFIG_STRLCPY], @@ -1053,10 +1213,20 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result); #endif ]) +dnl provide reallocarray compat prototype. +dnl $1: unique name for compat code +AC_DEFUN([AHX_CONFIG_REALLOCARRAY], +[ +#ifndef HAVE_REALLOCARRAY +#define reallocarray reallocarray$1 +void* reallocarray(void *ptr, size_t nmemb, size_t size); +#endif +]) + dnl provide w32 compat definition for sleep AC_DEFUN([AHX_CONFIG_W32_SLEEP], [ -#ifndef HAVE_SLEEP +#if !defined(HAVE_SLEEP) || defined(HAVE_WINDOWS_H) #define sleep(x) Sleep((x)*1000) /* on win32 */ #endif /* HAVE_SLEEP */ ]) @@ -1103,7 +1273,7 @@ AC_DEFUN([ACX_CFLAGS_STRIP], [ if echo $CFLAGS | grep " $1" >/dev/null 2>&1; then CFLAGS="`echo $CFLAGS | sed -e 's/ $1//g'`" - AC_DEFINE(AS_TR_CPP(OMITTED_$1), 1, Put $1 define in config.h) + AC_DEFINE(m4_bpatsubst(OMITTED_$1,[[-=]],_), 1, Put $1 define in config.h) fi ]) @@ -1134,7 +1304,7 @@ AC_DEFUN([AHX_CONFIG_FLAG_OMITTED], dnl Wrapper for AHX_CONFIG_FLAG_OMITTED for -D style flags dnl $1: the -DNAME or -DNAME=value string. AC_DEFUN([AHX_CONFIG_FLAG_EXT], -[AHX_CONFIG_FLAG_OMITTED(AS_TR_CPP(OMITTED_$1),m4_bpatsubst(m4_bpatsubst($1,-D,),=.*$,),m4_if(m4_bregexp($1,=),-1,1,m4_bpatsubst($1,^.*=,))) +[AHX_CONFIG_FLAG_OMITTED(m4_bpatsubst(OMITTED_$1,[[-=]],_),m4_bpatsubst(m4_bpatsubst($1,-D,),=.*$,),m4_if(m4_bregexp($1,=),-1,1,m4_bpatsubst($1,^.*=,))) ]) dnl config.h part to define omitted cflags, use with ACX_STRIP_EXT_FLAGS. 
@@ -1149,4 +1319,112 @@ AHX_CONFIG_FLAG_EXT(-D_ALL_SOURCE) AHX_CONFIG_FLAG_EXT(-D_LARGEFILE_SOURCE=1) ]) +dnl check if memcmp is using signed characters and replace if so. +AC_DEFUN([ACX_CHECK_MEMCMP_SIGNED], +[AC_MSG_CHECKING([if memcmp compares unsigned]) +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +int main(void) +{ + char a = 255, b = 0; + if(memcmp(&a, &b, 1) < 0) + return 1; + return 0; +} +]])], [AC_MSG_RESULT([yes]) ], +[ AC_MSG_RESULT([no]) + AC_DEFINE([MEMCMP_IS_BROKEN], [1], [Define if memcmp() does not compare unsigned bytes]) + AC_LIBOBJ([memcmp]) +], [ AC_MSG_RESULT([cross-compile no]) + AC_DEFINE([MEMCMP_IS_BROKEN], [1], [Define if memcmp() does not compare unsigned bytes]) + AC_LIBOBJ([memcmp]) +]) ]) + +dnl define memcmp to its replacement, pass unique id for program as arg +AC_DEFUN([AHX_MEMCMP_BROKEN], [ +#ifdef MEMCMP_IS_BROKEN +#include "compat/memcmp.h" +#define memcmp memcmp_$1 +int memcmp(const void *x, const void *y, size_t n); +#endif +]) + +dnl ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family +AC_DEFUN([ACX_CHECK_SS_FAMILY], +[AC_CHECK_MEMBER([struct sockaddr_storage.ss_family], [], [ + AC_CHECK_MEMBER([struct sockaddr_storage.__ss_family], [ + AC_DEFINE([ss_family], [__ss_family], [Fallback member name for socket family in struct sockaddr_storage]) + ],, [AC_INCLUDES_DEFAULT +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#endif +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif +#ifdef HAVE_NETDB_H +#include <netdb.h> +#endif +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif + ]) +], [AC_INCLUDES_DEFAULT +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#endif +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif +#ifdef HAVE_NETDB_H +#include <netdb.h> +#endif +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif +]) ]) + +dnl Check if CC and linker support -fPIE and -pie. +dnl If so, sets them in CFLAGS / LDFLAGS. 
+AC_DEFUN([ACX_CHECK_PIE], [ + AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)])) + AS_IF([test "x$enable_pie" = "xyes"], [ + AC_MSG_CHECKING([if $CC supports PIE]) + BAKLDFLAGS="$LDFLAGS" + BAKCFLAGS="$CFLAGS" + LDFLAGS="$LDFLAGS -pie" + CFLAGS="$CFLAGS -fPIE" + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [ + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + AC_MSG_RESULT(no) + else + AC_MSG_RESULT(yes) + fi + rm -f conftest conftest.c conftest.o + ], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)]) + ]) +]) + +dnl Check if linker supports -Wl,-z,relro,-z,now. +dnl If so, adds it to LDFLAGS. +AC_DEFUN([ACX_CHECK_RELRO_NOW], [ + AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)])) + AS_IF([test "x$enable_relro_now" = "xyes"], [ + AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now]) + BAKLDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now" + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [ + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + AC_MSG_RESULT(no) + else + AC_MSG_RESULT(yes) + fi + rm -f conftest conftest.c conftest.o + ], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)]) + ]) +]) + dnl End of file diff --git a/usr.sbin/nsd/config.h.in b/usr.sbin/nsd/config.h.in index b2b1c3884dc..2a2e5b68655 100644 --- a/usr.sbin/nsd/config.h.in +++ b/usr.sbin/nsd/config.h.in @@ -188,6 +188,9 @@ /* Define to 1 if you have the <openssl/ssl.h> header file. */ #undef HAVE_OPENSSL_SSL_H +/* Define to 1 if you have the `ppoll' function. */ +#undef HAVE_PPOLL + /* Define to 1 if you have the `pselect' function. */ #undef HAVE_PSELECT 
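Review bot: In the added ACX_CHECK_PIE macro, the branch taken when the link output matches `warning: no debug symbols in executable` restores only `LDFLAGS="$BAKLDFLAGS"` and leaves `-fPIE` in CFLAGS, while the link-failure branch right below restores both and the analogous ACX_CHECK_FLTO branch restores CFLAGS. After a `no` result the build would presumably compile objects `-fPIE` but link without `-pie`, which silently gives up the ASLR benefit the option exists for and makes the reported result misleading. Restore both in that branch: `LDFLAGS="$BAKLDFLAGS"; CFLAGS="$BAKCFLAGS"`. This is a vendored upstream macro file, so the fix belongs in NLnet Labs' acx_nlnetlabs.m4 rather than only in this import.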
@@ -411,12 +414,12 @@ /* Define this to enable rate limiting. */ #undef RATELIMIT +/* Define this to set ratelimit to off by default. */ +#undef RATELIMIT_DEFAULT_OFF + /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE -/* enable reuseport option by default. */ -#undef REUSEPORT_BY_DEFAULT - /* Define this to configure as a root server. */ #undef ROOT_SERVER diff --git a/usr.sbin/nsd/configlexer.lex b/usr.sbin/nsd/configlexer.lex index 7b9a8a508a8..20304b7be5b 100644 --- a/usr.sbin/nsd/configlexer.lex +++ b/usr.sbin/nsd/configlexer.lex @@ -8,20 +8,21 @@ * */ -#include <config.h> +#include "config.h" #include <ctype.h> #include <errno.h> #include <string.h> #include <strings.h> +#ifdef HAVE_GLOB_H +# include <glob.h> +#endif #include "options.h" #include "configyyrename.h" #include "configparser.h" void c_error(const char *message); -#define YY_NO_UNPUT - #if 0 #define LEXOUT(s) printf s /* used ONLY when debugging */ #else 
@@ -29,47 +30,134 @@ void c_error(const char *message); #endif struct inc_state { - const char* filename; + char* filename; int line; + YY_BUFFER_STATE buffer; + struct inc_state* next; }; -static struct inc_state parse_stack[MAXINCLUDES]; -static YY_BUFFER_STATE include_stack[MAXINCLUDES]; -static int config_include_stack_ptr = 0; +static struct inc_state* config_include_stack = NULL; +static int inc_depth = 0; +static int inc_prev = 0; +static int num_args = 0; + +void init_cfg_parse(void) +{ + config_include_stack = NULL; + inc_depth = 0; + inc_prev = 0; + num_args = 0; +} static void config_start_include(const char* filename) { FILE *input; + struct inc_state* s; + char* nm; + if(inc_depth++ > 10000000) { + c_error_msg("too many include files"); + return; + } if(strlen(filename) == 0) { c_error_msg("empty include file name"); return; } - if(config_include_stack_ptr >= MAXINCLUDES) { - c_error_msg("includes nested too deeply, skipped (>%d)", MAXINCLUDES); + s = (struct inc_state*)malloc(sizeof(*s)); + if(!s) { + c_error_msg("include %s: malloc failure", filename); + return; + } + if (cfg_parser->chroot) { + int l = strlen(cfg_parser->chroot); /* chroot has trailing slash */ + if (strncmp(cfg_parser->chroot, filename, l) != 0) { + c_error_msg("include file '%s' is not relative to chroot '%s'", + filename, cfg_parser->chroot); + return; + } + filename += l - 1; /* strip chroot without trailing slash */ + } + nm = strdup(filename); + if(!nm) { + c_error_msg("include %s: strdup failure", filename); + free(s); return; } input = fopen(filename, "r"); if(!input) { c_error_msg("cannot open include file '%s': %s", filename, strerror(errno)); + free(s); + free(nm); return; } LEXOUT(("switch_to_include_file(%s) ", filename)); - parse_stack[config_include_stack_ptr].filename = cfg_parser->filename; - parse_stack[config_include_stack_ptr].line = cfg_parser->line; - include_stack[config_include_stack_ptr] = YY_CURRENT_BUFFER; - cfg_parser->filename = 
region_strdup(cfg_parser->opt->region, filename); + s->filename = cfg_parser->filename; + s->line = cfg_parser->line; + s->buffer = YY_CURRENT_BUFFER; + s->next = config_include_stack; + config_include_stack = s; + + cfg_parser->filename = nm; cfg_parser->line = 1; yy_switch_to_buffer(yy_create_buffer(input, YY_BUF_SIZE)); - ++config_include_stack_ptr; +} + +static void config_start_include_glob(const char* filename) +{ + /* check for wildcards */ +#ifdef HAVE_GLOB + glob_t g; + size_t i; + int r, flags; + if(!(!strchr(filename, '*') && !strchr(filename, '?') && + !strchr(filename, '[') && !strchr(filename, '{') && + !strchr(filename, '~'))) { + flags = 0 +#ifdef GLOB_ERR + | GLOB_ERR +#endif +#ifdef GLOB_NOSORT + | GLOB_NOSORT +#endif +#ifdef GLOB_BRACE + | GLOB_BRACE +#endif +#ifdef GLOB_TILDE + | GLOB_TILDE +#endif + ; + memset(&g, 0, sizeof(g)); + r = glob(filename, flags, NULL, &g); + if(r) { + /* some error */ + globfree(&g); + if(r == GLOB_NOMATCH) + return; /* no matches for pattern */ + config_start_include(filename); /* let original deal with it */ + return; + } + /* process files found, if any */ + for(i=0; i<(size_t)g.gl_pathc; i++) { + config_start_include(g.gl_pathv[i]); + } + globfree(&g); + return; + } +#endif /* HAVE_GLOB */ + config_start_include(filename); } static void config_end_include(void) { - --config_include_stack_ptr; - cfg_parser->filename = parse_stack[config_include_stack_ptr].filename; - cfg_parser->line = parse_stack[config_include_stack_ptr].line; + struct inc_state* s = config_include_stack; + --inc_depth; + if(!s) return; + free(cfg_parser->filename); + cfg_parser->filename = s->filename; + cfg_parser->line = s->line; yy_delete_buffer(YY_CURRENT_BUFFER); - yy_switch_to_buffer(include_stack[config_include_stack_ptr]); + yy_switch_to_buffer(s->buffer); + config_include_stack = s->next; + free(s); } #ifndef yy_set_bol /* compat definition, for flex 2.4.6 */ 
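Review bot: In config_start_include, the new chroot check returns early with `c_error_msg("include file '%s' is not relative to chroot '%s'", ...)` without freeing `s`, which was malloc'd a few lines earlier; every other error return after that allocation frees it. Either add `free(s);` before that `return;`, or move the chroot test ahead of the malloc so nothing is allocated until the path has been accepted. Separately, `int l = strlen(cfg_parser->chroot);` narrows a size_t and then feeds it back to strncmp and pointer arithmetic; `size_t l` matches both uses and avoids the sign-compare warning.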
@@ -82,6 +170,16 @@ static void config_end_include(void) #endif %} +%option noinput +%option nounput +%{ +#ifndef YY_NO_UNPUT +#define YY_NO_UNPUT 1 +#endif +#ifndef YY_NO_INPUT +#define YY_NO_INPUT 1 +#endif +%} SPACE [ \t] LETTER [a-zA-Z] @@ -99,12 +197,18 @@ ANY [^\"\n\r\\]|\\. server{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER;} name{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_NAME;} ip-address{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP_ADDRESS;} +interface{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP_ADDRESS;} +ip-transparent{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP_TRANSPARENT;} debug-mode{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DEBUG_MODE;} hide-version{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_HIDE_VERSION;} ip4-only{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP4_ONLY;} ip6-only{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP6_ONLY;} +do-ip4{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DO_IP4;} +do-ip6{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DO_IP6;} database{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DATABASE;} identity{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IDENTITY;} +version{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_VERSION;} +nsid{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_NSID;} logfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_LOGFILE;} server-count{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_COUNT;} tcp-count{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TCP_COUNT;} 
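Review bot: In config_start_include the chroot-prefix mismatch branch returns without freeing `s`, which was allocated just above it, so every include rejected by the `strncmp(cfg_parser->chroot, filename, l) != 0` check leaks a `struct inc_state`; add `free(s);` before that `return;`, or move the chroot check ahead of the malloc so the early exits need no cleanup. A smaller point: `inc_depth` is incremented before all of the early returns but only decremented in config_end_include, so after any failed include it counts attempted opens rather than nesting depth, and the bare `10000000` bound would read better as a named constant with a comment stating what it guards against. Both config_start_include and config_end_include lie entirely within this hunk.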
@@ -114,16 +218,20 @@ ipv4-edns-size{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IPV4_EDNS_SIZE;} ipv6-edns-size{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IPV6_EDNS_SIZE;} pidfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_PIDFILE;} port{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_PORT;} +reuseport{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_REUSEPORT;} statistics{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_STATISTICS;} chroot{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CHROOT;} username{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_USERNAME;} zonesdir{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONESDIR;} +zonelistfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONELISTFILE;} difffile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DIFFFILE;} xfrdfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_XFRDFILE;} +xfrdir{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_XFRDIR;} xfrd-reload-timeout{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_XFRD_RELOAD_TIMEOUT;} verbosity{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_VERBOSITY;} zone{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONE;} zonefile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONEFILE;} +zonestats{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONESTATS;} allow-notify{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALLOW_NOTIFY;} request-xfr{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_REQUEST_XFR;} notify{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_NOTIFY;} 
@@ -134,8 +242,29 @@ allow-axfr-fallback{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALLOW_AXFR_F key{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_KEY;} algorithm{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALGORITHM;} secret{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SECRET;} +pattern{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_PATTERN;} +include-pattern{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_INCLUDEPATTERN;} +remote-control{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_REMOTE_CONTROL;} +control-enable{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_ENABLE;} +control-interface{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_INTERFACE;} +control-port{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_PORT;} +server-key-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_KEY_FILE;} +server-cert-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_CERT_FILE;} +control-key-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_KEY_FILE;} +control-cert-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_CERT_FILE;} AXFR { LEXOUT(("v(%s) ", yytext)); return VAR_AXFR;} UDP { LEXOUT(("v(%s) ", yytext)); return VAR_UDP;} +rrl-size{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_SIZE;} +rrl-ratelimit{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_RATELIMIT;} +rrl-slip{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_SLIP;} +rrl-ipv4-prefix-length{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_IPV4_PREFIX_LENGTH;} +rrl-ipv6-prefix-length{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_IPV6_PREFIX_LENGTH;} +rrl-whitelist-ratelimit{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_WHITELIST_RATELIMIT;} +rrl-whitelist{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_WHITELIST;} +zonefiles-check{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONEFILES_CHECK;} +zonefiles-write{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONEFILES_WRITE;} +log-time-ascii{COLON} { 
LEXOUT(("v(%s) ", yytext)); return VAR_LOG_TIME_ASCII;} +round-robin{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ROUND_ROBIN;} {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++;} /* Quoted strings. Strip leading and ending quotes */ @@ -165,7 +294,7 @@ include{COLON} { LEXOUT(("v(%s) ", yytext)); BEGIN(include); } <include>\" { LEXOUT(("IQS ")); BEGIN(include_quoted); } <include>{UNQUOTEDLETTER}* { LEXOUT(("Iunquotedstr(%s) ", yytext)); - config_start_include(yytext); + config_start_include_glob(yytext); BEGIN(INITIAL); } <include_quoted><<EOF>> { @@ -177,12 +306,12 @@ include{COLON} { LEXOUT(("v(%s) ", yytext)); BEGIN(include); } <include_quoted>\" { LEXOUT(("IQE ")); yytext[yyleng - 1] = '\0'; - config_start_include(yytext); + config_start_include_glob(yytext); BEGIN(INITIAL); } <INITIAL><<EOF>> { yy_set_bol(1); /* Set beginning of line, so "^" rules match. */ - if (config_include_stack_ptr == 0) { + if (!config_include_stack) { yyterminate(); } else { fclose(yyin); diff --git a/usr.sbin/nsd/configparser.y b/usr.sbin/nsd/configparser.y index 03310ca27ba..36a3dddd3b8 100644 --- a/usr.sbin/nsd/configparser.y +++ b/usr.sbin/nsd/configparser.y @@ -67,7 +67,7 @@ extern config_parser_state_t* cfg_parser; %token VAR_RRL_IPV4_PREFIX_LENGTH VAR_RRL_IPV6_PREFIX_LENGTH %token VAR_RRL_WHITELIST_RATELIMIT VAR_RRL_WHITELIST %token VAR_ZONEFILES_CHECK VAR_ZONEFILES_WRITE VAR_LOG_TIME_ASCII -%token VAR_ROUND_ROBIN VAR_ZONESTATS VAR_REUSEPORT +%token VAR_ROUND_ROBIN VAR_ZONESTATS VAR_REUSEPORT VAR_VERSION %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; 
@@ -97,7 +97,7 @@ content_server: server_ip_address | server_ip_transparent | server_debug_mode | server_rrl_ipv4_prefix_length | server_rrl_ipv6_prefix_length | server_rrl_whitelist_ratelimit | server_zonefiles_check | server_do_ip4 | server_do_ip6 | server_zonefiles_write | server_log_time_ascii | server_round_robin | - server_reuseport; + server_reuseport | server_version; server_ip_address: VAR_IP_ADDRESS STRING { OUTYY(("P(server_ip_address:%s)\n", $2)); @@ -215,6 +215,12 @@ server_identity: VAR_IDENTITY STRING cfg_parser->opt->identity = region_strdup(cfg_parser->opt->region, $2); } ; +server_version: VAR_VERSION STRING + { + OUTYY(("P(server_version:%s)\n", $2)); + cfg_parser->opt->version = region_strdup(cfg_parser->opt->region, $2); + } + ; server_nsid: VAR_NSID STRING { unsigned char* nsid = 0; diff --git a/usr.sbin/nsd/configure.ac b/usr.sbin/nsd/configure.ac index d559af34d7c..c04deacc25e 100644 --- a/usr.sbin/nsd/configure.ac +++ b/usr.sbin/nsd/configure.ac @@ -4,7 +4,7 @@ dnl sinclude(acx_nlnetlabs.m4) -AC_INIT(NSD,4.1.6,nsd-bugs@nlnetlabs.nl) +AC_INIT(NSD,4.1.7,nsd-bugs@nlnetlabs.nl) AC_CONFIG_HEADER([config.h]) CFLAGS="$CFLAGS" @@ -91,7 +91,9 @@ AC_ARG_WITH([dbfile], AC_SUBST(dbfile) AC_DEFINE_UNQUOTED(DBFILE, ["`eval echo $dbfile`"], [Pathname to the NSD database]) -dbdir=`dirname $dbfile` +if test -n "$dbfile"; then + dbdir=`dirname $dbfile` +fi AC_SUBST(dbdir) piddir=`dirname $pidfile` @@ -336,9 +338,6 @@ AC_DEFUN([CHECK_SSL], [ if test x_$ssldir = x_/usr/sfw; then LDFLAGS="$LDFLAGS -R$ssldir/lib"; fi - AC_CHECK_LIB(crypto, HMAC_CTX_init,, [ - AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) - ]) fi AC_SUBST(HAVE_SSL) fi 
@@ -504,12 +503,6 @@ AC_CHECK_STRPTIME_WORKS ACX_CHECK_NONBLOCKING_BROKEN ACX_MKDIR_ONE_ARG -# see if reuseport is enabled by default (also a config option). -# freebsd can compile the option, but it does not work, it works on Linux. -if test "`uname`" = "Linux"; then - AC_DEFINE([REUSEPORT_BY_DEFAULT], 1, [enable reuseport option by default.]) -fi - # set -I. and -Isrcdir if test -n "$CPPFLAGS"; then CPPFLAGS="$CPPFLAGS -I." @@ -603,7 +596,7 @@ AC_SYS_LARGEFILE AC_CHECK_SIZEOF(void*) AC_CHECK_SIZEOF(off_t) AC_CHECK_FUNCS([arc4random arc4random_uniform]) -AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap]) +AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap ppoll]) AC_ARG_ENABLE(recvmmsg, AC_HELP_STRING([--enable-recvmmsg], [Enable recvmmsg and sendmmsg compilation, faster but some kernel versions may have implementation problems])) case "$enable_recvmmsg" in 
@@ -819,10 +812,28 @@ case "$enable_ratelimit" in esac AC_SUBST(ratelimit) +AC_ARG_ENABLE(ratelimit-default-is-off, AC_HELP_STRING([--enable-ratelimit-default-is-off], [Enable this to set default of ratelimit to off (enable in nsd.conf), otherwise ratelimit is enabled by default if --enable-ratelimit is enabled])) +case "$enable_ratelimit_default_is_off" in + yes) + AC_DEFINE_UNQUOTED([RATELIMIT_DEFAULT_OFF], [], [Define this to set ratelimit to off by default.]) + ratelimit_default="off" + ;; + no|*) + ratelimit_default="on" + ;; +esac +AC_SUBST(ratelimit_default) + + # we need SSL for TSIG (and maybe also for NSEC3). CHECK_SSL if test x$HAVE_SSL = x"yes"; then ACX_LIB_SSL + if test -n "$ssldir"; then + AC_CHECK_LIB(crypto, HMAC_CTX_init,, [ + AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) + ]) + fi SSL_LIBS="-lssl" AC_SUBST(SSL_LIBS) AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) diff --git a/usr.sbin/nsd/netio.c b/usr.sbin/nsd/netio.c index 664edfb3bd1..6c4b395babe 100644 --- a/usr.sbin/nsd/netio.c +++ b/usr.sbin/nsd/netio.c @@ -6,37 +6,25 @@ * See LICENSE for the license. * */ -#include <config.h> +#include "config.h" #include <assert.h> #include <errno.h> #include <sys/time.h> #include <string.h> #include <stdlib.h> +#include <poll.h> #include "netio.h" #include "util.h" - -#ifndef HAVE_PSELECT -int pselect(int n, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, - const struct timespec *timeout, const sigset_t *sigmask); -#else -#include <sys/select.h> -#endif - - -struct netio_handler_list -{ - netio_handler_list_type *next; - netio_handler_type *handler; -}; +#define MAX_NETIO_FDS 1024 netio_type * netio_create(region_type *region) { netio_type *result; - + assert(region); result = (netio_type *) region_alloc(region, sizeof(netio_type)); @@ -51,7 +39,7 @@ void netio_add_handler(netio_type *netio, netio_handler_type *handler) { netio_handler_list_type *elt; - + assert(netio); assert(handler); 
@@ -72,6 +60,7 @@ netio_add_handler(netio_type *netio, netio_handler_type *handler)
 elt->next = netio->handlers;
 elt->handler = handler;
+ elt->handler->pfd = -1;
 netio->handlers = elt;
 }
@@ -79,7 +68,7 @@ void
 netio_remove_handler(netio_type *netio, netio_handler_type *handler)
 {
 netio_handler_list_type **elt_ptr;
-
+
 assert(netio);
 assert(handler);
@@ -118,22 +107,26 @@ netio_current_time(netio_type *netio)
 int
 netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t *sigmask)
 {
- fd_set readfds, writefds, exceptfds;
- int max_fd;
+ /* static arrays to avoid allocation */
+ static struct pollfd fds[MAX_NETIO_FDS];
+ int numfd;
 int have_timeout = 0;
 struct timespec minimum_timeout;
 netio_handler_type *timeout_handler = NULL;
 netio_handler_list_type *elt;
 int rc;
 int result = 0;
-
+#ifndef HAVE_PPOLL
+ sigset_t origmask;
+#endif
+
 assert(netio);
 /*
 * Clear the cached current time.
 */
 netio->have_current_time = 0;
-
+
 /*
 * Initialize the minimum timeout with the timeout parameter.
 */
@@ -146,26 +139,24 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t
 * Initialize the fd_sets and timeout based on the handler
 * information.
 */
- max_fd = -1;
- FD_ZERO(&readfds);
- FD_ZERO(&writefds);
- FD_ZERO(&exceptfds);
+ numfd = 0;
 for (elt = netio->handlers; elt; elt = elt->next) {
 netio_handler_type *handler = elt->handler;
- if (handler->fd >= 0 && handler->fd < (int)FD_SETSIZE) {
- if (handler->fd > max_fd) {
- max_fd = handler->fd;
- }
+ if (handler->fd != -1 && numfd < MAX_NETIO_FDS) {
+ fds[numfd].fd = handler->fd;
+ fds[numfd].events = 0;
+ fds[numfd].revents = 0;
+ handler->pfd = numfd;
 if (handler->event_types & NETIO_EVENT_READ) {
- FD_SET(handler->fd, &readfds);
+ fds[numfd].events |= POLLIN;
 }
 if (handler->event_types & NETIO_EVENT_WRITE) {
- FD_SET(handler->fd, &writefds);
- }
- if (handler->event_types & NETIO_EVENT_EXCEPT) {
- FD_SET(handler->fd, &exceptfds);
+ fds[numfd].events |= POLLOUT;
 }
+ numfd++;
+ } else {
+ handler->pfd = -1;
 }
 if (handler->timeout && (handler->event_types & NETIO_EVENT_TIMEOUT)) {
 struct timespec relative;
@@ -187,7 +178,7 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t
 if (have_timeout && minimum_timeout.tv_sec < 0) {
 /*
- * On negative timeout for a handler, immediatly
+ * On negative timeout for a handler, immediately
 * dispatch the timeout event without checking for
 * other events.
 */
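Review bot: Once `numfd` reaches MAX_NETIO_FDS the else branch sets `handler->pfd = -1` and moves on, so every further handler with a live fd is silently never polled and never receives read/write events, with nothing logged; the old code had a comparable limit but on the fd value (FD_SETSIZE), this one is on the number of active handlers per dispatch, which a busy process with many TCP connections can plausibly hit. At minimum report the drop once, e.g. `if (handler->fd != -1) log_msg(LOG_ERR, "netio: handler fd %d exceeds MAX_NETIO_FDS, not polled", handler->fd);` in the else branch, and say in the comment on the static array that 1024 is a per-process cap on simultaneously polled handlers. netio_dispatch continues outside this hunk.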
@@ -198,12 +189,17 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t
 }
 /* Check for events. */
- rc = pselect(max_fd + 1, &readfds, &writefds, &exceptfds,
- have_timeout ? &minimum_timeout : NULL,
- sigmask);
+#ifdef HAVE_PPOLL
+ rc = ppoll(fds, numfd, (have_timeout?&minimum_timeout:NULL), sigmask);
+#else
+ sigprocmask(SIG_SETMASK, sigmask, &origmask);
+ rc = poll(fds, numfd, (have_timeout?minimum_timeout.tv_sec*1000+
+ minimum_timeout.tv_nsec/1000000:-1));
+ sigprocmask(SIG_SETMASK, &origmask, NULL);
+#endif /* HAVE_PPOLL */
 if (rc == -1) {
 if(errno == EINVAL || errno == EACCES || errno == EBADF) {
- log_msg(LOG_ERR, "fatal error pselect: %s.",
+ log_msg(LOG_ERR, "fatal error poll: %s.",
 strerror(errno));
 exit(1);
 }
@@ -215,7 +211,7 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t
 * some time so the cached value is likely to be old).
 */
 netio->have_current_time = 0;
-
+
 if (rc == 0) {
 /*
 * No events before the minimum timeout expired.
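Review bot: The `#else` fallback reintroduces the race that pselect/ppoll exist to close: a signal arriving between `sigprocmask(SIG_SETMASK, sigmask, &origmask)` and `poll()` runs its handler before poll blocks, so poll then waits for the full timeout (indefinitely when `-1` is passed) without noticing it; on platforms without ppoll any signal meant to interrupt the wait can be lost this way. Separately, `minimum_timeout.tv_sec*1000+minimum_timeout.tv_nsec/1000000` is passed to poll's `int` timeout, so a handler timeout longer than roughly 24 days overflows and a sub-millisecond remainder truncates to 0 and spins. A comment on the `#else` branch stating that the race is an accepted limitation, plus clamping the computed milliseconds to INT_MAX, would make the fallback's behaviour explicit. netio_dispatch continues outside this hunk.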
@@ -232,26 +228,27 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t
 * calling the current handler!
 */
 assert(netio->dispatch_next == NULL);
+
 for (elt = netio->handlers; elt && rc; ) {
 netio_handler_type *handler = elt->handler;
 netio->dispatch_next = elt->next;
- if (handler->fd >= 0 && handler->fd < (int)FD_SETSIZE) {
+ if (handler->fd != -1 && handler->pfd != -1) {
 netio_event_types_type event_types = NETIO_EVENT_NONE;
- if (FD_ISSET(handler->fd, &readfds)) {
+ if ((fds[handler->pfd].revents & POLLIN)) {
 event_types |= NETIO_EVENT_READ;
- FD_CLR(handler->fd, &readfds);
- rc--;
 }
- if (FD_ISSET(handler->fd, &writefds)) {
+ if ((fds[handler->pfd].revents & POLLOUT)) {
 event_types |= NETIO_EVENT_WRITE;
- FD_CLR(handler->fd, &writefds);
- rc--;
 }
- if (FD_ISSET(handler->fd, &exceptfds)) {
- event_types |= NETIO_EVENT_EXCEPT;
- FD_CLR(handler->fd, &exceptfds);
- rc--;
+ if ((fds[handler->pfd].revents &
+ (POLLNVAL|POLLHUP|POLLERR))) {
+ /* closed/error: give a read event,
+ * or otherwise, a write event */
+ if((handler->event_types&NETIO_EVENT_READ))
+ event_types |= NETIO_EVENT_READ;
+ else if((handler->event_types&NETIO_EVENT_WRITE))
+ event_types |= NETIO_EVENT_WRITE;
 }
 if (event_types & handler->event_types) {
diff --git a/usr.sbin/nsd/netio.h b/usr.sbin/nsd/netio.h
index 99d9c316aa3..a0e805e9ea5 100644
--- a/usr.sbin/nsd/netio.h
+++ b/usr.sbin/nsd/netio.h
@@ -16,7 +16,6 @@
 *
 * NETIO_EVENT_READ: reading will not block.
 * NETIO_EVENT_WRITE: writing will not block.
- * NETIO_EVENT_EXCEPT: an exception occurred.
 * NETIO_EVENT_TIMEOUT: the timeout expired.
 *
 * A file descriptor must be specified if the handler is interested in
@@ -58,8 +57,7 @@ enum netio_event_types {
 NETIO_EVENT_NONE = 0,
 NETIO_EVENT_READ = 1,
 NETIO_EVENT_WRITE = 2,
- NETIO_EVENT_EXCEPT = 4,
- NETIO_EVENT_TIMEOUT = 8
+ NETIO_EVENT_TIMEOUT = 4,
 };
 typedef enum netio_event_types netio_event_types_type;
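Review bot: With the three `rc--` lines removed, `rc` is never decremented in this loop, so the `elt && rc` condition degenerates to `elt` and the early exit after all reported events are consumed is gone; either drop `rc` from the condition or restore the accounting with `if (fds[handler->pfd].revents) rc--;` right after the `pfd != -1` test. The POLLNVAL case also deserves a comment: an fd that is not open is handed to the handler as a read (or write) event, so the handler's subsequent read() presumably fails with EBADF and it is the handler, not netio, that is expected to retire the descriptor — stating that intent next to the `(POLLNVAL|POLLHUP|POLLERR)` test would spare the next reader from wondering whether it is an oversight. netio_dispatch continues outside this hunk.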
@@ -105,6 +103,9 @@ struct netio_handler */ int fd; + /** index of the pollfd array for this handler */ + int pfd; + /* * The time when no events should be checked for and the * handler should be called with the NETIO_EVENT_TIMEOUT @@ -134,6 +135,13 @@ struct netio_handler }; +struct netio_handler_list +{ + netio_handler_list_type *next; + netio_handler_type *handler; +}; + + /* * Create a new netio instance using the specified REGION. The netio * instance is cleaned up when the REGION is deallocated. diff --git a/usr.sbin/nsd/nsd-checkconf.8.in b/usr.sbin/nsd/nsd-checkconf.8.in index 6cb43541ae9..9bf830647a1 100644 --- a/usr.sbin/nsd/nsd-checkconf.8.in +++ b/usr.sbin/nsd/nsd-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-checkconf" "8" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd\-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" diff --git a/usr.sbin/nsd/nsd-checkconf.c b/usr.sbin/nsd/nsd-checkconf.c index 96bc89eca89..6cbe71e55c6 100644 --- a/usr.sbin/nsd/nsd-checkconf.c +++ b/usr.sbin/nsd/nsd-checkconf.c @@ -352,6 +352,7 @@ config_print_zone(nsd_options_t* opt, const char* k, int s, const char *o, /* str */ SERV_GET_PATH(final, database, o); SERV_GET_STR(identity, o); + SERV_GET_STR(version, o); SERV_GET_STR(nsid, o); SERV_GET_PATH(final, logfile, o); SERV_GET_PATH(final, pidfile, o); @@ -447,6 +448,7 @@ config_test_print_server(nsd_options_t* opt) printf("\thide-version: %s\n", opt->hide_version?"yes":"no"); print_string_var("database:", opt->database); print_string_var("identity:", opt->identity); + print_string_var("version:", opt->version); print_string_var("nsid:", opt->nsid); print_string_var("logfile:", opt->logfile); printf("\tserver_count: %d\n", opt->server_count); 
@@ -587,6 +589,11 @@ additional_checks(nsd_options_t* opt, const char* filename) filename, (unsigned) strlen(opt->identity)); errors ++; } + if (opt->version && strlen(opt->version) > UCHAR_MAX) { + fprintf(stderr, "%s: server version too long (%u characters)\n", + filename, (unsigned) strlen(opt->version)); + errors ++; + } /* not done here: parsing of ip-address. parsing of username. */ diff --git a/usr.sbin/nsd/nsd-checkzone.8.in b/usr.sbin/nsd/nsd-checkzone.8.in index 1ab76bc5e2f..f58e0daa6e1 100644 --- a/usr.sbin/nsd/nsd-checkzone.8.in +++ b/usr.sbin/nsd/nsd-checkzone.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-checkzone" "8" "@date@" "NLnet Labs" "nsd @version@" +.TH "nsd\-checkzone" "8" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2014, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" diff --git a/usr.sbin/nsd/nsd-control.8.in b/usr.sbin/nsd/nsd-control.8.in index b6af80ce551..4f6a59024cd 100644 --- a/usr.sbin/nsd/nsd-control.8.in +++ b/usr.sbin/nsd/nsd-control.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-control" "8" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd\-control" "8" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2011, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" diff --git a/usr.sbin/nsd/nsd.8.in b/usr.sbin/nsd/nsd.8.in index eeea5054c94..0ef0cfa09bb 100644 --- a/usr.sbin/nsd/nsd.8.in +++ b/usr.sbin/nsd/nsd.8.in @@ -1,9 +1,9 @@ -.TH "NSD" "8" "Oct 22, 2015" "NLnet Labs" "NSD 4.1.6" +.TH "NSD" "8" "Dec 10, 2015" "NLnet Labs" "NSD 4.1.7" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" .B nsd -\- Name Server Daemon (NSD) version 4.1.6. +\- Name Server Daemon (NSD) version 4.1.7. .SH "SYNOPSIS" .B nsd .RB [ \-4 ] diff --git a/usr.sbin/nsd/nsd.c b/usr.sbin/nsd/nsd.c index d2084b77ae2..3d682cd347a 100644 --- a/usr.sbin/nsd/nsd.c +++ b/usr.sbin/nsd/nsd.c 
@@ -662,6 +662,9 @@ main(int argc, char *argv[]) if(nsd.options->identity) nsd.identity = nsd.options->identity; } + if(nsd.options->version) { + nsd.version = nsd.options->version; + } if (nsd.options->logfile && !nsd.log_filename) { nsd.log_filename = nsd.options->logfile; } diff --git a/usr.sbin/nsd/nsd.conf.5.in b/usr.sbin/nsd/nsd.conf.5.in index 99b3544968b..2fe1bf4ddad 100644 --- a/usr.sbin/nsd/nsd.conf.5.in +++ b/usr.sbin/nsd/nsd.conf.5.in @@ -1,4 +1,4 @@ -.TH "nsd.conf" "5" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd.conf" "5" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" @@ -173,11 +173,9 @@ that it can answer immediately when the address is added. Default is no. Use the SO_REUSEPORT socket option, and create file descriptors for every server in the server\-count. This improves performance of the network stack. Only really useful if you also configure a server\-count higher -than 1 (such as, equal to the number of cpus). The default is yes on -Linux (where it works, and has been (backported) to 2.6 and 3.x kernels). -On FreeBSD it is known to fail (default is no), but you can enable it -if you think it is fixed. And a cautious default of no is used for -other systems. +than 1 (such as, equal to the number of cpus). The default is no. +It works on Linux, but does not work on FreeBSD, and likely does not +work on other systems. .TP .B debug\-mode:\fR <yes or no> Turns on debugging mode for nsd, does not fork a daemon process. 
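Review bot: `nsd.version` takes the configured string verbatim, while nsd-checkconf in this same commit rejects a `version:` longer than UCHAR_MAX, so a configuration nsd-checkconf refuses is still accepted by the daemon here. The query.c change that builds the CH TXT answer is not in this chunk, so I cannot see whether it bounds the character-string length; if it does not, the same `strlen(nsd.options->version) > UCHAR_MAX` check, with a log message and fallback to the compiled-in version, belongs beside this assignment so both tools agree (identity two lines above has the same shape). main() continues outside the hunk.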
@@ -216,6 +214,11 @@ Default is the name as returned by gethostname(3). Same as commandline option .BR \-i . .TP +.B version:\fR <string> +Returns the specified version string when asked for CH TXT version.server, +and version.bind queries. Default is the compiled package version. +See hide\-version to set the server to not respond to such queries. +.TP .B nsid:\fR <string> Add the specified nsid to the EDNS section of the answer when queried with an NSID EDNS enabled packet. As a sequence of hex characters or 
@@ -366,16 +369,24 @@ This option gives the size of the hashtable. Default 1000000. More buckets use more memory, and reduce the chance of hash collisions. .TP .B rrl\-ratelimit:\fR <qps> -The max qps allowed (from one query source). Default 200 qps. If set to 0 -then it is disabled (unlimited rate), also set the whilelist\-ratelimit +The max qps allowed (from one query source). Default is @ratelimit_default@ (with a suggested 200 qps). If set to 0 +then it is disabled (unlimited rate), also set the whitelist\-ratelimit to 0 to disable ratelimit processing. If you set verbosity to 2 the blocked and unblocked subnets are logged. Blocked queries are blocked -and some receive TCP fallback replies. +and some receive TCP fallback replies. Once the rate limit is reached, +NSD begins dropping responses. However, one in every "rrl\-slip" number +of responses is allowed, with the TC bit set. If slip is set to 2, the +outgoing response rate will be halved. If it's set to 3, the outgoing +response rate will be one\-third, and so on. If you set rrl\-slip to 10, +traffic is reduced to 1/10th. Ratelimit options rrl\-ratelimit, rrl\-size and +rrl\-whitelist\-ratelimit are updated when nsd\-control reconfig is done (also +the zone\-specific ratelimit options are updated). .TP .B rrl\-slip:\fR <numpackets> This option controls the number of packets discarded before we send back a SLIP response (a response with "truncated" bit set to one). 0 disables the sending of SLIP packets, -1 means every query will get a SLIP response. +1 means every query will get a SLIP response. Default is 2, cuts traffic in +half and legit users have a fair chance to get a +TC response. .TP .B rrl\-ipv4\-prefix\-length:\fR <subnet> IPv4 prefix length. Addresses are grouped by netblock. Default 24. 
@@ -385,7 +396,7 @@ IPv6 prefix length. Addresses are grouped by netblock. Default 64. .TP .B rrl\-whitelist\-ratelimit:\fR <qps> The max qps for query sorts for a source, which have been -whitelisted. Default 2000 qps. With the rrl\-whitelist option you can set +whitelisted. Default @ratelimit_default@ (with a suggested 2000 qps). With the rrl\-whitelist option you can set specific queries to receive this qps limit instead of the normal limit. With the value 0 the rate is unlimited. .\" rrlend diff --git a/usr.sbin/nsd/nsd.conf.sample.in b/usr.sbin/nsd/nsd.conf.sample.in index 442031b96fb..a78548e0fc8 100644 --- a/usr.sbin/nsd/nsd.conf.sample.in +++ b/usr.sbin/nsd/nsd.conf.sample.in 
@@ -1,47 +1,99 @@ # # nsd.conf -- the NSD(8) configuration file, nsd.conf(5). # -# Copyright (c) 2001-2006, NLnet Labs. All rights reserved. +# Copyright (c) 2001-2011, NLnet Labs. All rights reserved. # # See LICENSE for the license. # # This is a comment. # Sample configuration file +# include: "file" # include that file's text over here. Globbed, "*.conf" # options for the nsd server server: - # uncomment to specify specific interfaces to bind (default all). + # Number of NSD servers to fork. Put the number of CPUs to use here. + # server-count: 1 + + # uncomment to specify specific interfaces to bind (default are the + # wildcard interfaces 0.0.0.0 and ::0). + # For servers with multiple IP addresses, list them one by one, + # or the source address of replies could be wrong. + # Use ip-transparent to be able to list addresses that turn on later. # ip-address: 1.2.3.4 + # ip-address: 1.2.3.4@5678 # ip-address: 12fe::8ef0 - # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries - # hide-version: no + # Allow binding to non local addresses. Default no. + # ip-transparent: no + + # use the reuseport socket option for performance. Default no. + # reuseport: no # enable debug mode, does not fork daemon process into the background. # debug-mode: no - # listen only on IPv4 connections - # ip4-only: no + # listen on IPv4 connections + # do-ip4: yes + + # listen on IPv6 connections + # do-ip6: yes + + # port to answer queries on. default is 53. + # port: 53 + + # Verbosity level. + # verbosity: 0 + + # After binding socket, drop user privileges. + # can be a username, id or id.gid. + # username: @user@ - # listen only on IPv6 connections - # ip6-only: no + # Run NSD in a chroot-jail. + # make sure to have pidfile and database reachable from there. + # by default, no chroot-jail is used. + # chroot: "@configdir@" + + # The directory for zonefile: files. The daemon chdirs here. + # zonesdir: "@zonesdir@" + # the list of dynamically added zones. 
+ # zonelistfile: "@zonelistfile@" + # the database to use + # if set to "" then no disk-database is used, less memory usage. # database: "@dbfile@" + # log messages to file. Default to stderr and syslog (with + # facility LOG_DAEMON). stderr disappears when daemon goes to bg. + # logfile: "@logfile@" + + # File to store pid for nsd in. + # pidfile: "@pidfile@" + + # The file where secondary zone refresh and expire timeouts are kept. + # If you delete this file, all secondary zones are forced to be + # 'refreshing' (as if nsd got a notify). Set to "" to disable. + # xfrdfile: "@xfrdfile@" + + # The directory where zone transfers are stored, in a subdir of it. + # xfrdir: "@xfrdir@" + + # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries + # hide-version: no + + # version string the server responds with for chaos queries. + # default is 'NSD x.y.z' with the server's version number. + # version: "NSD" + # identify the server (CH TXT ID.SERVER entry). # identity: "unidentified server" - # log messages to file. Default to stderr and syslog. - # logfile: "/var/log/nsd.log" - - # Number of NSD servers to fork. - # server-count: 1 + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" # Maximum number of concurrent TCP connections per server. - # This option should have a value below 1000. - # tcp-count: 10 + # tcp-count: 100 # Maximum number of queries served on a single TCP connection. # By default 0, which means no maximum. 
@@ -56,125 +108,181 @@ server: # Preferred EDNS buffer size for IPv6. # ipv6-edns-size: 4096 - # File to store pid for nsd in. - # pidfile: "@pidfile@" - - # port to answer queries on. default is 53. - # port: 53 - - # statistics are produced every number of seconds. + # statistics are produced every number of seconds. Prints to log. + # Default is 0, meaning no statistics are produced. # statistics: 3600 - # Run NSD in a chroot-jail. - # make sure to have pidfile and database reachable from there. - # by default, no chroot-jail is used. - # chroot: "@configdir@" - - # After binding socket, drop user privileges. - # can be a username, id or id.gid. - # username: @user@ - - # The directory for zonefile: files. - # zonesdir: "@zonesdir@" - - # The file where incoming zone transfers are stored. - # run nsd-patch to update zone files, then you can safely delete it. - # difffile: "@difffile@" - - # The file where secondary zone refresh and expire timeouts are kept. - # If you delete this file, all secondary zones are forced to be - # 'refreshing' (as if nsd got a notify). - # xfrdfile: "@xfrdfile@" - # Number of seconds between reloads triggered by xfrd. - # xfrd-reload-timeout: 10 - - # Verbosity level. - # verbosity: 0 - -# key for zone 1 -key: - name: mskey - algorithm: hmac-md5 - secret: "K2tf3TRjvQkVCmJF3/Z9vA==" - -# Sample zone 1 -zone: - name: "example.com" - zonefile: "example.com.zone" - - # This is a slave zone. Masters are listed below. + # xfrd-reload-timeout: 1 + + # log timestamp in ascii (y-m-d h:m:s.msec), yes is default. + # log-time-ascii: yes - # master 1 - allow-notify: 168.192.44.42 mskey - request-xfr: 168.192.44.42 mskey + # round robin rotation of records in the answer. + # round-robin: no - # set local interface for sending zone transfer requests. - outgoing-interface: 10.0.0.10 + # check mtime of all zone files on start and sighup + # zonefiles-check: yes + + # write changed zonefiles to disk, every N seconds. 
+ # default is 0(disabled) or 3600(if database is ""). + # zonefiles-write: 3600 + + # RRLconfig + # Response Rate Limiting, size of the hashtable. Default 1000000. + # rrl-size: 1000000 + + # Response Rate Limiting, maximum QPS allowed (from one query source). + # If set to 0, ratelimiting is disabled. Also set + # rrl-whitelist-ratelimit to 0 to disable ratelimit processing. + # Default is @ratelimit_default@. + # rrl-ratelimit: 200 + + # Response Rate Limiting, number of packets to discard before + # sending a SLIP response (a truncated one, allowing an honest + # resolver to retry with TCP). Default is 2 (one half of the + # queries will receive a SLIP response, 0 disables SLIP (all + # packets are discarded), 1 means every request will get a + # SLIP response. When the ratelimit is hit the traffic is + # divided by the rrl-slip value. + # rrl-slip: 2 + + # Response Rate Limiting, IPv4 prefix length. Addresses are + # grouped by netblock. + # rrl-ipv4-prefix-length: 24 + + # Response Rate Limiting, IPv6 prefix length. Addresses are + # grouped by netblock. + # rrl-ipv6-prefix-length: 64 + + # Response Rate Limiting, maximum QPS allowed (from one query source) + # for whitelisted types. Default is @ratelimit_default@. + # rrl-whitelist-ratelimit: 2000 + # RRLend + +# Remote control config section. +remote-control: + # Enable remote control with nsd-control(8) here. + # set up the keys and certificates with nsd-control-setup. + # control-enable: no + + # what interfaces are listened to for control, default is on localhost. + # control-interface: 127.0.0.1 + # control-interface: ::1 + + # port number for remote control operations (uses TLS over TCP). + # control-port: 8952 + + # nsd server key file for remote control. + # server-key-file: "@configdir@/nsd_server.key" + + # nsd server certificate file for remote control. + # server-cert-file: "@configdir@/nsd_server.pem" + + # nsd-control key file. 
+ # control-key-file: "@configdir@/nsd_control.key" + + # nsd-control certificate file. + # control-cert-file: "@configdir@/nsd_control.pem" + + +# Secret keys for TSIGs that secure zone transfers. +# You could include: "secret.keys" and put the 'key:' statements in there, +# and give that file special access control permissions. +# +# key: + # The key name is sent to the other party, it must be the same + #name: "keyname" + # algorithm hmac-md5, or hmac-sha1, or hmac-sha256 (if compiled in) + #algorithm: hmac-sha256 + # secret material, must be the same as the other party uses. + # base64 encoded random number. + # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64 + #secret: "K2tf3TRjvQkVCmJF3/Z9vA==" + + +# Patterns have zone configuration and they are shared by one or more zones. +# +# pattern: + # name by which the pattern is referred to + #name: "myzones" + # the zonefile for the zones that use this pattern. + # if relative then from the zonesdir (inside the chroot). + # the name is processed: %s - zone name (as appears in zone:name). + # %1 - first character of zone name, %2 second, %3 third. + # %z - topleveldomain label of zone, %y, %x next labels in name. + # if label or character does not exist you get a dot '.'. + # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s" + #zonefile: "%s.zone" + + # If no master and slave access control elements are provided, + # this zone will not be served to/from other servers. + + # A master zone needs notify: and provide-xfr: lists. A slave + # may also allow zone transfer (for debug or other secondaries). + # notify these slaves when the master zone changes, address TSIG|NOKEY + # IP can be ipv4 and ipv6, with @port for a nondefault port number. 
+ #notify: 192.0.2.1 NOKEY + # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED + # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40 + #provide-xfr: 192.0.2.0/24 my_tsig_key_name + # set the number of retries for notify. + #notify-retry: 5 - # master 2 - allow-notify: 10.0.0.11 NOKEY - request-xfr: 10.0.0.11 NOKEY + # uncomment to provide AXFR to all the world + # provide-xfr: 0.0.0.0/0 NOKEY + # provide-xfr: ::0/0 NOKEY + # A slave zone needs allow-notify: and request-xfr: lists. + #allow-notify: 2001:db8::0/64 my_tsig_key_name # By default, a slave will request a zone transfer with IXFR/TCP. - # If you want to make use of IXFR/UDP use - allow-notify: 10.0.0.12 NOKEY - request-xfr: UDP 10.0.0.12 NOKEY - - # for a master that only speaks AXFR (like NSD) use - allow-notify: 10.0.0.13 NOKEY - request-xfr: AXFR 10.0.0.13 NOKEY - + # If you want to make use of IXFR/UDP use: UDP addr tsigkey + # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey + #request-xfr: 192.0.2.2 the_tsig_key_name # Attention: You cannot use UDP and AXFR together. AXFR is always over # TCP. If you use UDP, we higly recommend you to deploy TSIG. - # Allow AXFR fallback if the master does not support IXFR. Default # is yes. - allow-axfr-fallback: "yes" - - # uncomment to provide AXFR to all the world - # provide-xfr: 0.0.0.0/0 NOKEY - # provide-xfr: ::0/0 NOKEY - -# Sample zone 2 -zone: - name: "example.net" - zonefile: "example.net.signed.zone" - - # This is a master zone. Slaves are listed below. - - # secondary 1. Uses port 5300. - notify: 10.0.0.14@5300 sec1_key - provide-xfr: 10.0.0.14@5300 sec1_key + #allow-axfr-fallback: yes + # set local interface for sending zone transfer requests. + # default is let the OS choose. + #outgoing-interface: 10.0.0.10 - # set local interface for sending notifies - outgoing-interface: 10.0.0.15 + # if compiled with --enable-zone-stats, give name of stat block for + # this zone (or group of zones). 
Output from nsd-control stats. + # zonestats: "%s" - # secondary 2. - notify: 10.11.12.14 sec2_key - provide-xfr: 10.11.12.14 sec2_key + # if you give another pattern name here, at this point the settings + # from that pattern are inserted into this one (as if it were a + # macro). The statement can be given in between other statements, + # because the order of access control elements can make a difference + # (which master to request from first, which slave to notify first). + #include-pattern: "common-masters" - # also provide xfr to operator's network. - provide-xfr: 169.192.85.0/24 NOKEY - # uncomment to disable xfr for the address. - # provide-xfr: 169.192.85.66 BLOCKED - # set the number of retries for notify. - notify-retry: 5 - -# keys for zone 2 -key: - name: "sec1_key" - algorithm: hmac-md5 - secret: "6KM6qiKfwfEpamEq72HQdA==" - -key: - name: sec2_key - algorithm: hmac-sha1 - secret: "m83H2x8R0zbDf3yRKhrqgw==" - -key: - name: sec3_key - algorithm: hmac-sha256 - secret: "m83H2x8R0zbDf3yRKhrqgw==" +# Fixed zone entries. Here you can config zones that cannot be deleted. +# Zones that are dynamically added and deleted are put in the zonelist file. +# +# zone: + # name: "example.com" + # you can give a pattern here, all the settings from that pattern + # are then inserted at this point + # include-pattern: "master" + # You can also specify (additional) options directly for this zone. + # zonefile: "example.com.zone" + # request-xfr: 192.0.2.1 example.com.key + + # RRLconfig + # Response Rate Limiting, whitelist types + # rrl-whitelist: nxdomain + # rrl-whitelist: error + # rrl-whitelist: referral + # rrl-whitelist: any + # rrl-whitelist: rrsig + # rrl-whitelist: wildcard + # rrl-whitelist: nodata + # rrl-whitelist: dnskey + # rrl-whitelist: positive + # rrl-whitelist: all + # RRLend diff --git a/usr.sbin/nsd/options.c b/usr.sbin/nsd/options.c index f86e99bf420..88968518a86 100644 --- a/usr.sbin/nsd/options.c +++ b/usr.sbin/nsd/options.c 
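Review bot: The key: example's `# algorithm hmac-md5, or hmac-sha1, or hmac-sha256 (if compiled in)` is already out of step with tsig-openssl.c in this same commit, which also registers hmac-sha224, hmac-sha384 and hmac-sha512 whenever the OpenSSL build provides the digest. Suggest `# algorithm: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 or hmac-sha512 (whichever the OpenSSL build provides)`. Showing `#algorithm: hmac-sha256` as the example value is the right choice. The pattern example correctly gates transfers on a key (`#provide-xfr: 192.0.2.0/24 my_tsig_key_name`), but the `# provide-xfr: 0.0.0.0/0 NOKEY` lines just below deserve a clearer caveat than "to all the world", e.g. `# (unauthenticated: exposes the whole zone contents; only for data that is meant to be public)`.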
@@ -56,6 +56,7 @@ nsd_options_create(region_type* region)
 opt->do_ip6 = 1;
 opt->database = DBFILE;
 opt->identity = 0;
+ opt->version = 0;
 opt->nsid = 0;
 opt->logfile = 0;
 opt->log_time_ascii = 1;
@@ -69,11 +70,7 @@ nsd_options_create(region_type* region)
 opt->pidfile = PIDFILE;
 opt->port = UDP_PORT;
 /* deprecated? opt->port = TCP_PORT; */
-#ifdef REUSEPORT_BY_DEFAULT
- opt->reuseport = 1;
-#else
 opt->reuseport = 0;
-#endif
 opt->statistics = 0;
 opt->chroot = 0;
 opt->username = USER;
@@ -83,11 +80,16 @@ nsd_options_create(region_type* region)
 opt->zonelistfile = ZONELISTFILE;
 #ifdef RATELIMIT
 opt->rrl_size = RRL_BUCKETS;
- opt->rrl_ratelimit = RRL_LIMIT/2;
 opt->rrl_slip = RRL_SLIP;
 opt->rrl_ipv4_prefix_length = RRL_IPV4_PREFIX_LENGTH;
 opt->rrl_ipv6_prefix_length = RRL_IPV6_PREFIX_LENGTH;
+# ifdef RATELIMIT_DEFAULT_OFF
+ opt->rrl_ratelimit = 0;
+ opt->rrl_whitelist_ratelimit = 0;
+# else
+ opt->rrl_ratelimit = RRL_LIMIT/2;
 opt->rrl_whitelist_ratelimit = RRL_WLIST_LIMIT/2;
+# endif
 #endif
 opt->zonefiles_check = 1;
 if(opt->database == NULL || opt->database[0] == 0)
@@ -1507,7 +1509,7 @@ acl_key_matches(acl_options_t* acl, struct query* q)
 }
 if(!acl->key_options->tsig_key) {
 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail no config"));
- return 0; /* key not properly configged */
+ return 0; /* key not properly configured */
 }
 if(dname_compare(q->tsig.key_name,
 acl->key_options->tsig_key->name) != 0) {
diff --git a/usr.sbin/nsd/options.h b/usr.sbin/nsd/options.h
index d2cd0c4d8ee..34ed295eb4a 100644
--- a/usr.sbin/nsd/options.h
+++ b/usr.sbin/nsd/options.h
@@ -67,6 +67,7 @@ struct nsd_options {
 int do_ip6;
 const char* database;
 const char* identity;
+ const char* version;
 const char* logfile;
 int server_count;
 int tcp_count;
diff --git a/usr.sbin/nsd/query.c b/usr.sbin/nsd/query.c
index 295598cbadb..4f26112adc1 100644
--- a/usr.sbin/nsd/query.c
+++ b/usr.sbin/nsd/query.c
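Review bot: In the @@ -83 hunk the RATELIMIT_DEFAULT_OFF branch zeroes both rrl_ratelimit and rrl_whitelist_ratelimit without saying what zero means; a reader of options.c only learns from nsd.conf.sample in this same commit that 0 disables the limit and that both must be 0 to skip RRL processing. Suggest `/* 0 = no limit; with both at 0 RRL processing is skipped (see rrl-ratelimit in nsd.conf.sample) */` above the `# ifdef`. The other RRL fields (size, slip, prefix lengths) keep their defaults in both branches, presumably so the feature can be switched on from nsd.conf without a rebuild. nsd_options_create starts outside the hunk.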
@@ -309,7 +309,6 @@ process_query_section(query_type *query)
 &query->qtype, &query->qclass))
 return 0;
 query->qname = dname_make(query->region, qnamebuf, 1);
- query->opcode = OPCODE(query->packet);
 return 1;
 }
 
@@ -1318,6 +1317,15 @@ query_process(query_type *q, nsd_type *nsd)
 return QUERY_DISCARDED;
 }
 
+ /* check opcode early on, because new opcodes may have different
+ * specification of the meaning of the rest of the packet */
+ q->opcode = OPCODE(q->packet);
+ if(q->opcode != OPCODE_QUERY && q->opcode != OPCODE_NOTIFY) {
+ if(query_ratelimit_err(nsd))
+ return QUERY_DISCARDED;
+ return query_error(q, NSD_RC_IMPL);
+ }
+
 if (RCODE(q->packet) != RCODE_OK || !process_query_section(q)) {
 return query_formerr(q, nsd);
 }
diff --git a/usr.sbin/nsd/region-allocator.c b/usr.sbin/nsd/region-allocator.c
index 5a280d832aa..95454a66678 100644
--- a/usr.sbin/nsd/region-allocator.c
+++ b/usr.sbin/nsd/region-allocator.c
@@ -12,6 +12,7 @@
 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 #include "region-allocator.h"
 #include "util.h"
diff --git a/usr.sbin/nsd/server.c b/usr.sbin/nsd/server.c
index 13093165098..2b3be10618f 100644
--- a/usr.sbin/nsd/server.c
+++ b/usr.sbin/nsd/server.c
@@ -760,6 +760,11 @@ server_init_ifs(struct nsd *nsd, size_t from, size_t to, int* reuseport_works)
 continue;
 }
 nsd->tcp[i].fam = (int)addr->ai_family;
+ /* turn off REUSEPORT for TCP by copying the socket fd */
+ if(i >= nsd->ifs) {
+ nsd->tcp[i].s = nsd->tcp[i%nsd->ifs].s;
+ continue;
+ }
 if ((nsd->tcp[i].s = socket(addr->ai_family, addr->ai_socktype, 0)) == -1) {
 #if defined(INET6)
 if (addr->ai_family == AF_INET6 &&
diff --git a/usr.sbin/nsd/tsig-openssl.c b/usr.sbin/nsd/tsig-openssl.c
index 5773fd2a674..1088573a048 100644
--- a/usr.sbin/nsd/tsig-openssl.c
+++ b/usr.sbin/nsd/tsig-openssl.c
@@ -7,9 +7,9 @@
 *
 */
 
-#include <config.h>
+#include "config.h"
 
-#if defined(TSIG) && defined(HAVE_SSL)
+#if defined(HAVE_SSL)
 
 #include "tsig-openssl.h"
 #include "tsig.h"
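Review bot: The new opcode check in the @@ -1318 hunk answers with query_error(q, NSD_RC_IMPL) before process_query_section has run, so whatever that function fills in (q->qname at least, per the -309 hunk) is still unset when the NOTIMPL reply is built; confirm query_error does not read those fields, as both function bodies lie outside the diff. Moving `q->opcode = OPCODE(q->packet)` out of process_query_section also means any other caller of that function no longer gets opcode set; only this caller is visible here. Passing the refusal through query_ratelimit_err first is the right shape, since an error reply sent to a spoofed source is reflection traffic like any other, and the comment could say so: `/* error replies count against the rate limit too, so unknown opcodes cannot be used to draw responses cheaply */`.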
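Review bot: In the server.c hunk the slots with i >= nsd->ifs now alias the descriptor of nsd->tcp[i%nsd->ifs].s, so several tcp[] entries share one fd; any teardown that closes tcp[i].s slot by slot will close the same descriptor more than once unless it skips the aliases — the close path is outside this diff, so confirm. If nsd->ifs could be 0 when the loop runs, `i%nsd->ifs` divides by zero; the caller presumably keeps `to` a multiple of ifs, but that is not visible here. A comment on the assignment, e.g. `/* shared with slot i%ifs: never close() this copy separately */`, would record the ownership. server_init_ifs starts and ends outside the hunk.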
@@ -31,7 +31,7 @@ tsig_openssl_init_algorithm(region_type* region,
 
 hmac_algorithm = EVP_get_digestbyname(digest);
 if (!hmac_algorithm) {
- log_msg(LOG_ERR, "%s digest not available", digest);
+ /* skip but don't error */
 return 0;
 }
 
@@ -44,7 +44,9 @@ tsig_openssl_init_algorithm(region_type* region,
 log_msg(LOG_ERR, "cannot parse %s algorithm", wireformat);
 return 0;
 }
- algorithm->maximum_digest_size = EVP_MAX_MD_SIZE;
+ algorithm->maximum_digest_size = EVP_MD_size(hmac_algorithm);
+ if(algorithm->maximum_digest_size < 20)
+ algorithm->maximum_digest_size = EVP_MAX_MD_SIZE;
 algorithm->data = hmac_algorithm;
 algorithm->hmac_create_context = create_context;
 algorithm->hmac_init_context = init_context;
@@ -58,21 +60,23 @@ tsig_openssl_init_algorithm(region_type* region,
 int
 tsig_openssl_init(region_type *region)
 {
+ int count = 0;
 OpenSSL_add_all_digests();
 
- /* TODO: walk lookup supported algorithms table */
- if (!tsig_openssl_init_algorithm(region, "md5", "hmac-md5","hmac-md5.sig-alg.reg.int."))
- return 0;
-#ifdef HAVE_EVP_SHA1
- if (!tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1", "hmac-sha1."))
- return 0;
-#endif /* HAVE_EVP_SHA1 */
-
-#ifdef HAVE_EVP_SHA256
- if (!tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256", "hmac-sha256."))
- return 0;
-#endif /* HAVE_EVP_SHA256 */
- return 1;
+ count += tsig_openssl_init_algorithm(region,
+ "md5", "hmac-md5","hmac-md5.sig-alg.reg.int.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha1", "hmac-sha1", "hmac-sha1.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha224", "hmac-sha224", "hmac-sha224.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha256", "hmac-sha256", "hmac-sha256.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha384", "hmac-sha384", "hmac-sha384.");
+ count += tsig_openssl_init_algorithm(region,
+ "sha512", "hmac-sha512", "hmac-sha512.");
+
+ return count;
 }
 
 static void
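Review bot: The `< 20` in the @@ -44 hunk is a bare magic number; since EVP_MD_size() is 16 for md5 and 20 or more for the sha family, the branch in practice only pushes hmac-md5 back to EVP_MAX_MD_SIZE while every other algorithm gets its exact digest size, and nothing says why md5 is treated differently. If maximum_digest_size bounds the MAC length accepted from the wire (its use is not visible here), that asymmetry deserves a sentence; suggest `/* md5 (16-byte digest) keeps the old EVP_MAX_MD_SIZE bound; the sha family uses its exact digest size — TODO state why */`. tsig_openssl_init_algorithm starts and ends outside the hunk.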
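Review bot: tsig_openssl_init in the @@ -58 hunk now returns the number of registered algorithms instead of 0/1, so a caller that tested the old result for equality with 1 would read six as failure; the call site is outside this diff, so confirm. The header should spell out the new contract, e.g. `/* returns the number of HMAC algorithms registered; 0 means TSIG cannot be used */`, and note that the count relies on tsig_openssl_init_algorithm returning 1 on success (only its 0 returns are visible). Together with the log_msg dropped in the @@ -31 hunk, a digest missing from the OpenSSL build is now skipped silently, which suits the newly optional sha224/sha384/sha512 but means an operator with a key on an unsupported algorithm presumably only finds out when that key is rejected; a verbosity-gated log_msg at the skip would keep the trace.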
@@ -124,4 +128,4 @@ tsig_openssl_finalize()
 EVP_cleanup();
 }
 
-#endif /* defined(TSIG) && defined(HAVE_SSL) */
+#endif /* defined(HAVE_SSL) */
diff --git a/usr.sbin/nsd/zonec.c b/usr.sbin/nsd/zonec.c
index a3409f7853f..666b0cc3dd7 100644
--- a/usr.sbin/nsd/zonec.c
+++ b/usr.sbin/nsd/zonec.c
@@ -1434,7 +1434,10 @@ process_rr(void)
 rr_type* o;
 if (rr->type != TYPE_RRSIG && rrset->rrs[0].ttl != rr->ttl) {
 zc_warning_prev_line(
- "TTL does not match the TTL of the RRset");
+ "%s TTL %u does not match the TTL %u of the %s RRset",
+ domain_to_string(rr->owner), (unsigned)rr->ttl,
+ (unsigned)rrset->rrs[0].ttl,
+ rrtype_to_string(rr->type));
 }
 
 /* Search for possible duplicates... */ |