authorJakob Schlyter <jakob@cvs.openbsd.org>2010-01-15 19:25:08 +0000
committerJakob Schlyter <jakob@cvs.openbsd.org>2010-01-15 19:25:08 +0000
commit47ae3f08df1c258bdceaba3f46b03ef989fdbf83 (patch)
tree39c7a7a51d521e5bb1ef79a4389effa8fb91f6ee /usr.sbin
parentbe596d15c59cc7348fd11819d96d372172ab318a (diff)
NSD v3.2.4
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/nsd/acx_nlnetlabs.m4482
-rw-r--r--usr.sbin/nsd/configlexer.lex170
-rw-r--r--usr.sbin/nsd/netio.c25
-rw-r--r--usr.sbin/nsd/netio.h9
-rw-r--r--usr.sbin/nsd/nsd.conf.sample.in321
-rw-r--r--usr.sbin/nsd/tsig-openssl.c36
6 files changed, 264 insertions, 779 deletions
diff --git a/usr.sbin/nsd/acx_nlnetlabs.m4 b/usr.sbin/nsd/acx_nlnetlabs.m4
index c9ca7558da5..3baa9d3bf13 100644
--- a/usr.sbin/nsd/acx_nlnetlabs.m4
+++ b/usr.sbin/nsd/acx_nlnetlabs.m4
@@ -2,37 +2,10 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
-# Version 28
-# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
-# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
-# 2013-09-19 FLTO help text improved.
-# 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
-# 2013-06-25 FLTO has --disable-flto option.
-# 2013-05-03 Update W32_SLEEP for newer mingw that links but not defines it.
-# 2013-03-22 Fix ACX_RSRC_VERSION for long version numbers.
-# 2012-02-09 Fix AHX_MEMCMP_BROKEN with undef in compat/memcmp.h.
-# 2012-01-20 Fix COMPILER_FLAGS_UNBOUND for gcc 4.6.2 assigned-not-used-warns.
-# 2011-12-05 Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
-# Fix ACX_MALLOC for redefined malloc error.
-# Fix GETADDRINFO_WITH_INCLUDES to add -lws2_32
-# 2011-11-10 Fix FLTO test to not drop a.out in current directory.
-# 2011-11-01 Fix FLTO test for llvm on Lion.
-# 2011-08-01 Fix nonblock test (broken at v13).
-# 2011-08-01 Fix autoconf 2.68 warnings
-# 2011-06-23 Add ACX_CHECK_FLTO to check -flto.
-# 2010-08-16 Fix FLAG_OMITTED for AS_TR_CPP changes in autoconf-2.66.
-# 2010-07-02 Add check for ss_family (for minix).
-# 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS.
-# 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end.
-# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS seperate, -ldl
-# 2010-02-01 added ACX_CHECK_MEMCMP_SIGNED, AHX_MEMCMP_BROKEN
-# 2010-01-20 added AHX_COONFIG_STRLCAT
-# 2009-07-14 U_CHAR detection improved for windows crosscompile.
-# added ACX_FUNC_MALLOC
-# fixup some #if to #ifdef
-# NONBLOCKING test for mingw crosscompile.
-# 2009-07-13 added ACX_WITH_SSL_OPTIONAL
-# 2009-07-03 fixup LDFLAGS for empty ssl dir.
+# Version 2
+# 2009-07-03
+# Changelog
+# - fixup LDFLAGS for empty ssl dir.
#
# Automates some of the checking constructs. Aims at portability for POSIX.
# Documentation for functions is below.
@@ -49,7 +22,6 @@
# ACX_DETERMINE_EXT_FLAGS_UNBOUND - find out which flags enable BSD and POSIX.
# ACX_CHECK_FORMAT_ATTRIBUTE - find cc printf format syntax.
# ACX_CHECK_UNUSED_ATTRIBUTE - find cc variable unused syntax.
-# ACX_CHECK_FLTO - see if cc supports -flto and use it if so.
# ACX_LIBTOOL_C_ONLY - create libtool for C only, improved.
# ACX_TYPE_U_CHAR - u_char type.
# ACX_TYPE_RLIM_T - rlim_t type.
@@ -58,8 +30,6 @@
# ACX_TYPE_IN_PORT_T - in_port_t type.
# ACX_ARG_RPATH - add --disable-rpath option.
# ACX_WITH_SSL - add --with-ssl option, link -lcrypto.
-# ACX_WITH_SSL_OPTIONAL - add --with-ssl option, link -lcrypto,
-# where --without-ssl is also accepted
# ACX_LIB_SSL - setup to link -lssl.
# ACX_SYS_LARGEFILE - improved sys_largefile, fseeko, >2G files.
# ACX_CHECK_GETADDRINFO_WITH_INCLUDES - find getaddrinfo, portably.
@@ -67,7 +37,6 @@
# ACX_CHECK_NONBLOCKING_BROKEN - see if nonblocking sockets really work.
# ACX_MKDIR_ONE_ARG - determine mkdir(2) number of arguments.
# ACX_FUNC_IOCTLSOCKET - find ioctlsocket, portably.
-# ACX_FUNC_MALLOC - check malloc, define replacement .
# AHX_CONFIG_FORMAT_ATTRIBUTE - config.h text for format.
# AHX_CONFIG_UNUSED_ATTRIBUTE - config.h text for unused.
# AHX_CONFIG_FSEEKO - define fseeko, ftello fallback.
@@ -79,7 +48,6 @@
# AHX_CONFIG_INET_NTOP - inet_ntop compat prototype
# AHX_CONFIG_INET_ATON - inet_aton compat prototype
# AHX_CONFIG_MEMMOVE - memmove compat prototype
-# AHX_CONFIG_STRLCAT - strlcat compat prototype
# AHX_CONFIG_STRLCPY - strlcpy compat prototype
# AHX_CONFIG_GMTIME_R - gmtime_r compat prototype
# AHX_CONFIG_W32_SLEEP - w32 compat for sleep
@@ -92,11 +60,6 @@
# AHX_CONFIG_FLAG_OMITTED - define omitted flag
# AHX_CONFIG_FLAG_EXT - define omitted extension flag
# AHX_CONFIG_EXT_FLAGS - define the stripped extension flags
-# ACX_CHECK_MEMCMP_SIGNED - check if memcmp uses signed characters.
-# AHX_MEMCMP_BROKEN - replace memcmp func for CHECK_MEMCMP_SIGNED.
-# ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family
-# ACX_CHECK_PIE - add --enable-pie option and check if works
-# ACX_CHECK_RELRO_NOW - add --enable-relro-now option and check it
#
dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines.
@@ -110,7 +73,7 @@ dnl Calculate comma separated windows-resource numbers from package version.
dnl Picks the first three(,0) or four numbers out of the name.
dnl $1: variable for the result
AC_DEFUN([ACX_RSRC_VERSION],
-[$1=[`echo $PACKAGE_VERSION | sed -e 's/^[^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\).*$/\1,\2,\3,\4/' -e 's/^[^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\)[^0-9]*$/\1,\2,\3,0/' `]
+[$1=[`echo $PACKAGE_VERSION | sed -e 's/^[^0-9]*\([0-9]\)[^0-9]*\([0-9]\)[^0-9]*\([0-9]\)[^0-9]*\([0-9]\).*$/\1,\2,\3,\4/' -e 's/^[^0-9]*\([0-9]\)[^0-9]*\([0-9]\)[^0-9]*\([0-9]\)[^0-9]*$/\1,\2,\3,0/' `]
])
dnl Routine to help check for compiler flags.
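Review bot: The new sed patterns on the `+` line capture exactly one digit per component (`\([0-9]\)`), so a two-digit component is split across fields: a PACKAGE_VERSION of 3.2.10 becomes `3,2,1,0` instead of `3,2,10,0`. Each component should be matched with `[0-9][0-9]*` so the Windows resource version stays correct once a minor or patch number passes 9. The AC_DEFUN is fully contained in the hunk.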
@@ -125,8 +88,8 @@ AC_MSG_CHECKING(whether $CC supports -$1)
cache=`echo $1 | sed 'y%.=/+-%___p_%'`
AC_CACHE_VAL(cv_prog_cc_flag_$cache,
[
-echo 'void f(void){}' >conftest.c
-if test -z "`$CC $CPPFLAGS $CFLAGS -$1 -c conftest.c 2>&1`"; then
+echo 'void f(){}' >conftest.c
+if test -z "`$CC -$1 -c conftest.c 2>&1`"; then
eval "cv_prog_cc_flag_$cache=yes"
else
eval "cv_prog_cc_flag_$cache=no"
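Review bot: The probe compile on the added line `if test -z "`$CC -$1 -c conftest.c 2>&1`"; then` no longer passes `$CPPFLAGS $CFLAGS`, so a flag is judged against a bare compiler invocation rather than the flag set the real build uses, and any diagnostic that combination would produce goes unnoticed; the same drop of `$CPPFLAGS` recurs in the two following hunks (`@@ -170,18 +133,18 @@` and `@@ -197,8 +160,8 @@`). The probe file is also `void f(){}`, a non-prototype definition, so probing for `-Wstrict-prototypes` warns on the probe itself and, since any stderr output counts as failure, reports that flag unsupported. Suggested: `echo 'void f(void){}' >conftest.c` and `if test -z "`$CC $CPPFLAGS $CFLAGS -$1 -c conftest.c 2>&1`"; then`. The enclosing AC_DEFUN starts before the hunk.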
@@ -170,18 +133,18 @@ AC_CACHE_VAL(cv_prog_cc_flag_needed_$cache,
[
echo '$2' > conftest.c
echo 'void f(){}' >>conftest.c
-if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
+if test -z "`$CC $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
eval "cv_prog_cc_flag_needed_$cache=no"
else
[
-if test -z "`$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1`"; then
+if test -z "`$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1`"; then
eval "cv_prog_cc_flag_needed_$cache=yes"
else
eval "cv_prog_cc_flag_needed_$cache=fail"
#echo 'Test with flag fails too!'
#cat conftest.c
-#echo "$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1"
-#echo `$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1`
+#echo "$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1"
+#echo `$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1`
#exit 1
fi
]
@@ -197,8 +160,8 @@ if eval "test \"`echo '$cv_prog_cc_flag_needed_'$cache`\" = no"; then
AC_MSG_RESULT(no)
#echo 'Test with flag is no!'
#cat conftest.c
-#echo "$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1"
-#echo `$CC $CPPFLAGS $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1`
+#echo "$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1"
+#echo `$CC $CFLAGS $1 $ERRFLAG -c conftest.c 2>&1`
#exit 1
:
$4
@@ -270,8 +233,6 @@ int test() {
a = getopt(2, opts, "a");
a = isascii(32);
str = gai_strerror(0);
- if(str && t && tv.tv_usec && msg.msg_control)
- a = 0;
return a;
}
], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE"])
@@ -307,8 +268,6 @@ int test() {
a = getopt(2, opts, "a");
a = isascii(32);
str = gai_strerror(0);
- if(str && t && tv.tv_usec && msg.msg_control)
- a = 0;
return a;
}
], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE"])
@@ -375,8 +334,6 @@ int test() {
const char* str = NULL;
t = ctime_r(&time, buf);
str = gai_strerror(0);
- if(t && str)
- a = 0;
return a;
}
], [CFLAGS="$CFLAGS -D_POSIX_C_SOURCE=200112"])
@@ -403,35 +360,12 @@ int test() {
srandom(32);
a = getopt(2, opts, "a");
a = isascii(32);
- if(tv.tv_usec)
- a = 0;
return a;
}
], [CFLAGS="$CFLAGS -D__EXTENSIONS__"])
])dnl End of ACX_DETERMINE_EXT_FLAGS_UNBOUND
-dnl Check if CC supports -flto.
-dnl in a way that supports clang and suncc (that flag does something else,
-dnl but fails to link). It sets it in CFLAGS if it works.
-AC_DEFUN([ACX_CHECK_FLTO], [
- AC_ARG_ENABLE([flto], AS_HELP_STRING([--disable-flto], [Disable link-time optimization (gcc specific option)]))
- AS_IF([test "x$enable_flto" != "xno"], [
- AC_MSG_CHECKING([if $CC supports -flto])
- BAKCFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -flto"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
- if $CC $CFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
- CFLAGS="$BAKCFLAGS"
- AC_MSG_RESULT(no)
- else
- AC_MSG_RESULT(yes)
- fi
- rm -f conftest conftest.c conftest.o
- ], [CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
- ])
-])
-
dnl Check the printf-format attribute (if any)
dnl result in HAVE_ATTR_FORMAT.
dnl Make sure you also include the AHX_CONFIG_FORMAT_ATTRIBUTE.
@@ -546,20 +480,14 @@ AC_PROG_LIBTOOL
dnl Detect if u_char type is defined, otherwise define it.
AC_DEFUN([ACX_TYPE_U_CHAR],
-[AC_CHECK_TYPE([u_char], ,
- [AC_DEFINE([u_char], [unsigned char], [Define to 'unsigned char if not defined])], [
-AC_INCLUDES_DEFAULT
-#ifdef HAVE_WINSOCK2_H
-# include <winsock2.h>
-#endif
-]) ])
+ [AC_CHECK_TYPE(u_char, unsigned char)])
dnl Detect if rlim_t type is defined, otherwise define it.
AC_DEFUN([ACX_TYPE_RLIM_T],
[AC_CHECK_TYPE(rlim_t, ,
[AC_DEFINE([rlim_t], [unsigned long], [Define to 'int' if not defined])], [
AC_INCLUDES_DEFAULT
-#ifdef HAVE_SYS_RESOURCE_H
+#if HAVE_SYS_RESOURCE_H
# include <sys/resource.h>
#endif
]) ])
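Review bot: `AC_CHECK_TYPE(u_char, unsigned char)` on the added line is the two-argument form that autoconf documents as obsolete; it only accepts a plain type name as the default and cannot take the includes argument, unlike the four-argument form used immediately below for rlim_t, `AC_CHECK_TYPE([u_char], , [AC_DEFINE([u_char], [unsigned char], [...])], [AC_INCLUDES_DEFAULT])`, which would keep the two checks consistent. The change from `#ifdef HAVE_SYS_RESOURCE_H` to `#if HAVE_SYS_RESOURCE_H` works while AC_CHECK_HEADERS defines the macro to 1, but turns into a preprocessor syntax error if the macro is ever defined empty; `#ifdef` is the safer test. The same `#if` change appears in the next hunk for socklen_t, in_addr_t and in_port_t.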
@@ -570,34 +498,31 @@ AC_DEFUN([ACX_TYPE_SOCKLEN_T],
AC_CHECK_TYPE(socklen_t, ,
[AC_DEFINE([socklen_t], [int], [Define to 'int' if not defined])], [
AC_INCLUDES_DEFAULT
-#ifdef HAVE_SYS_SOCKET_H
+#if HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#endif
-#ifdef HAVE_WS2TCPIP_H
-# include <ws2tcpip.h>
-#endif
]) ])
-dnl Detect if in_addr_t type is defined, otherwise define it.
+dnl Detect if socklen_t type is defined, otherwise define it.
AC_DEFUN([ACX_TYPE_IN_ADDR_T],
[ AC_CHECK_TYPE(in_addr_t, [], [AC_DEFINE([in_addr_t], [uint32_t], [in_addr_t])], [
AC_INCLUDES_DEFAULT
-#ifdef HAVE_SYS_TYPES_H
+#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
-#ifdef HAVE_NETINET_IN_H
+#if HAVE_NETINET_IN_H
# include <netinet/in.h>
#endif
]) ])
-dnl Detect if in_port_t type is defined, otherwise define it.
+dnl Detect if socklen_t type is defined, otherwise define it.
AC_DEFUN([ACX_TYPE_IN_PORT_T],
[ AC_CHECK_TYPE(in_port_t, [], [AC_DEFINE([in_port_t], [uint16_t], [in_port_t])], [
AC_INCLUDES_DEFAULT
-#ifdef HAVE_SYS_TYPES_H
+#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
-#ifdef HAVE_NETINET_IN_H
+#if HAVE_NETINET_IN_H
# include <netinet/in.h>
#endif
]) ])
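Review bot: The two added comment lines `dnl Detect if socklen_t type is defined, otherwise define it.` sit above ACX_TYPE_IN_ADDR_T and ACX_TYPE_IN_PORT_T and describe the wrong type. They should read `dnl Detect if in_addr_t type is defined, otherwise define it.` and `dnl Detect if in_port_t type is defined, otherwise define it.` respectively, matching the macro each one documents.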
@@ -610,14 +535,12 @@ AC_ARG_ENABLE(rpath,
[ --disable-rpath disable hardcoded rpath (default=enabled)],
enable_rpath=$enableval, enable_rpath=yes)
if test "x$enable_rpath" = xno; then
- dnl AC_MSG_RESULT([Fixing libtool for -rpath problems.])
- AC_CONFIG_COMMANDS([disable-rpath], [
+ AC_MSG_RESULT([Fixing libtool for -rpath problems.])
sed < libtool > libtool-2 \
's/^hardcode_libdir_flag_spec.*$'/'hardcode_libdir_flag_spec=" -D__LIBTOOL_RPATH_SED__ "/'
mv libtool-2 libtool
chmod 755 libtool
libtool="./libtool"
- ])
fi
])
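Review bot: The added path rewrites `libtool` in place at configure time with `sed < libtool > libtool-2` followed by an unconditional `mv libtool-2 libtool`, so if the file does not exist yet or sed fails, the script silently replaces libtool with an empty file and carries on. The step should at least be chained, `sed < libtool > libtool-2 && mv libtool-2 libtool && chmod 755 libtool || AC_MSG_ERROR([cannot patch libtool for -rpath])`. Whether libtool is already generated when this macro runs depends on where AC_PROG_LIBTOOL is invoked, which is outside the hunk.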
@@ -632,11 +555,22 @@ AC_DEFUN([ACX_RUNTIME_PATH_ADD], [
fi
])
-dnl Common code for both ACX_WITH_SSL and ACX_WITH_SSL_OPTIONAL
-dnl Takes one argument; the withval checked in those 2 functions
-dnl sets up the environment for the given openssl path
-AC_DEFUN([ACX_SSL_CHECKS], [
- withval=$1
+dnl Check for SSL.
+dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found
+dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS.
+dnl Checks main header files of SSL.
+dnl
+AC_DEFUN([ACX_WITH_SSL],
+[
+AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
+ [enable SSL (will check /usr/local/ssl
+ /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
+ ],[
+ withval="yes"
+ ])
+ if test x_$withval = x_no; then
+ AC_MSG_ERROR([Need SSL library to do digital signature cryptography])
+ fi
if test x_$withval != x_no; then
AC_MSG_CHECKING(for SSL)
if test x_$withval = x_ -o x_$withval = x_yes; then
@@ -647,11 +581,10 @@ AC_DEFUN([ACX_SSL_CHECKS], [
if test -f "$dir/include/openssl/ssl.h"; then
found_ssl="yes"
AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
- dnl assume /usr/include is already in the include-path.
- if test "$ssldir" != "/usr"; then
- CPPFLAGS="$CPPFLAGS -I$ssldir/include"
- LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
- fi
+ dnl assume /usr/include is already in the include-path.
+ if test "$ssldir" != "/usr"; then
+ CPPFLAGS="$CPPFLAGS -I$ssldir/include"
+ fi
break;
fi
done
@@ -660,108 +593,61 @@ AC_DEFUN([ACX_SSL_CHECKS], [
else
AC_MSG_RESULT(found in $ssldir)
HAVE_SSL=yes
- dnl assume /usr is already in the lib and dynlib paths.
- if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
+ dnl assume /usr is already in the lib and dynlib paths.
+ if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
LDFLAGS="$LDFLAGS -L$ssldir/lib"
- LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
- ACX_RUNTIME_PATH_ADD([$ssldir/lib])
- fi
-
- AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
- LIBS="$LIBS -lcrypto"
- LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
- AC_TRY_LINK(, [
- int HMAC_CTX_init(void);
- (void)HMAC_CTX_init();
- ], [
- AC_MSG_RESULT(yes)
- AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
- [If you have HMAC_CTX_init])
- ], [
- AC_MSG_RESULT(no)
- # check if -lwsock32 or -lgdi32 are needed.
- BAKLIBS="$LIBS"
- BAKSSLLIBS="$LIBSSL_LIBS"
- LIBS="$LIBS -lgdi32"
- LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
- AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
- AC_TRY_LINK([], [
- int HMAC_CTX_init(void);
- (void)HMAC_CTX_init();
- ],[
- AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
- [If you have HMAC_CTX_init])
- AC_MSG_RESULT(yes)
- ],[
- AC_MSG_RESULT(no)
- LIBS="$BAKLIBS"
- LIBSSL_LIBS="$BAKSSLLIBS"
- LIBS="$LIBS -ldl"
- LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
- AC_MSG_CHECKING([if -lcrypto needs -ldl])
- AC_TRY_LINK([], [
- int HMAC_CTX_init(void);
- (void)HMAC_CTX_init();
- ],[
- AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
- [If you have HMAC_CTX_init])
- AC_MSG_RESULT(yes)
- ],[
- AC_MSG_RESULT(no)
+ ACX_RUNTIME_PATH_ADD([$ssldir/lib])
+ fi
+
+ AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
+ LIBS="$LIBS -lcrypto"
+ AC_TRY_LINK(, [
+ int HMAC_CTX_init(void);
+ (void)HMAC_CTX_init();
+ ], [
+ AC_MSG_RESULT(yes)
+ AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
+ [If you have HMAC_CTX_init])
+ ], [
+ AC_MSG_RESULT(no)
+ # check if -lwsock32 or -lgdi32 are needed.
+ BAKLIBS="$LIBS"
+ LIBS="$LIBS -lgdi32"
+ AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
+ AC_TRY_LINK([], [
+ int HMAC_CTX_init(void);
+ (void)HMAC_CTX_init();
+ ],[
+ AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
+ [If you have HMAC_CTX_init])
+ AC_MSG_RESULT(yes)
+ ],[
+ AC_MSG_RESULT(no)
+ LIBS="$BAKLIBS"
+ LIBS="$LIBS -ldl"
+ AC_MSG_CHECKING([if -lcrypto needs -ldl])
+ AC_TRY_LINK([], [
+ int HMAC_CTX_init(void);
+ (void)HMAC_CTX_init();
+ ],[
+ AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
+ [If you have HMAC_CTX_init])
+ AC_MSG_RESULT(yes)
+ ],[
+ AC_MSG_RESULT(no)
AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
- ])
- ])
+ ])
+ ])
])
fi
AC_SUBST(HAVE_SSL)
- AC_SUBST(RUNTIME_PATH)
- # openssl engine functionality needs dlopen().
- BAKLIBS="$LIBS"
- AC_SEARCH_LIBS([dlopen], [dl])
- if test "$LIBS" != "$BAKLIBS"; then
- LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
- fi
+ AC_SUBST(RUNTIME_PATH)
fi
AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
-])dnl End of ACX_SSL_CHECKS
-
-dnl Check for SSL, where SSL is mandatory
-dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found
-dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS.
-dnl Checks main header files of SSL.
-dnl
-AC_DEFUN([ACX_WITH_SSL],
-[
-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
- [enable SSL (will check /usr/local/ssl
- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
- ],[
- withval="yes"
- ])
- if test x_$withval = x_no; then
- AC_MSG_ERROR([Need SSL library to do digital signature cryptography])
- fi
- ACX_SSL_CHECKS($withval)
])dnl End of ACX_WITH_SSL
-dnl Check for SSL, where ssl is optional (--without-ssl is allowed)
-dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found
-dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS.
-dnl Checks main header files of SSL.
-dnl
-AC_DEFUN([ACX_WITH_SSL_OPTIONAL],
-[
-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
- [enable SSL (will check /usr/local/ssl
- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
- ],[
- withval="yes"
- ])
- ACX_SSL_CHECKS($withval)
-])dnl End of ACX_WITH_SSL_OPTIONAL
-
dnl Setup to use -lssl
dnl To use -lcrypto, use the ACX_WITH_SSL setup (before this one).
AC_DEFUN([ACX_LIB_SSL],
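Review bot: The re-indented link probes use `AC_TRY_LINK`, which autoconf documents as obsolete; the same checks can be written as `AC_LINK_IFELSE([AC_LANG_PROGRAM([], [int HMAC_CTX_init(void); (void)HMAC_CTX_init();])], ...)`, the form ACX_CHECK_GETADDRINFO_WITH_INCLUDES below already uses, so the file stops mixing the two idioms. The message at `AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])` is reached whenever HMAC_CTX_init fails to link with -lcrypto, -lgdi32 and -ldl, which also covers a broken or mismatched library rather than only an old one, so mentioning `could not link HMAC_CTX_init` in the text would save debugging time. ACX_WITH_SSL begins before this hunk.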
@@ -803,7 +689,7 @@ AC_DEFUN([ACX_CHECK_GETADDRINFO_WITH_INCLUDES],
AC_MSG_CHECKING(for getaddrinfo)
ac_cv_func_getaddrinfo=no
AC_LINK_IFELSE(
-[AC_LANG_SOURCE([[
+[
#ifdef __cplusplus
extern "C"
{
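Review bot: On the `+` line the source handed to `AC_LINK_IFELSE(` is now a bare `[` block rather than `[AC_LANG_SOURCE([[ ... ]])]`, so the C text is expanded by m4 before autoconf wraps it and AC_LINK_IFELSE no longer receives a constructed program; square brackets or commas inside the probe can be mangled and the quoting level differs from the rest of the file. The autoconf-recommended spelling is `AC_LINK_IFELSE([AC_LANG_SOURCE([[ ... ]])], ...)`. The same de-quoting recurs in the later hunks of this file where `[AC_LANG_PROGRAM(` becomes `AC_LANG_PROGRAM(` for the ws2_32 getaddrinfo probe, the nonblocking-socket test and ioctlsocket. The probe program continues past the end of the hunk.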
@@ -817,21 +703,14 @@ int main() {
;
return 0;
}
-]])],
-dnl this case on linux, solaris, bsd
-[ac_cv_func_getaddrinfo="yes"
-dnl see if on windows
-if test "$ac_cv_header_windows_h" = "yes"; then
- AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used])
- USE_WINSOCK="1"
- LIBS="$LIBS -lws2_32"
-fi
],
+dnl this case on linux, solaris, bsd
+[ac_cv_func_getaddrinfo="yes"],
dnl no quick getaddrinfo, try mingw32 and winsock2 library.
ORIGLIBS="$LIBS"
LIBS="$LIBS -lws2_32"
AC_LINK_IFELSE(
-[AC_LANG_PROGRAM(
+AC_LANG_PROGRAM(
[
#ifdef HAVE_WS2TCPIP_H
#include <ws2tcpip.h>
@@ -840,7 +719,7 @@ AC_LINK_IFELSE(
[
(void)getaddrinfo(NULL, NULL, NULL, NULL);
]
-)],
+),
[
ac_cv_func_getaddrinfo="yes"
dnl already: LIBS="$LIBS -lws2_32"
@@ -900,12 +779,7 @@ dnl a nonblocking socket do not work, a new call to select is necessary.
AC_DEFUN([ACX_CHECK_NONBLOCKING_BROKEN],
[
AC_MSG_CHECKING([if nonblocking sockets work])
-if echo $target | grep mingw32 >/dev/null; then
- AC_MSG_RESULT([no (windows)])
- AC_DEFINE([NONBLOCKING_IS_BROKEN], 1, [Define if the network stack does not fully support nonblocking io (causes lower performance).])
-else
-AC_RUN_IFELSE([
-AC_LANG_SOURCE([[
+AC_RUN_IFELSE(AC_LANG_PROGRAM([
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -929,9 +803,7 @@ AC_LANG_SOURCE([[
#ifdef HAVE_TIME_H
#include <time.h>
#endif
-
-int main(void)
-{
+],[[
int port;
int sfd, cfd;
int num = 10;
@@ -1024,9 +896,7 @@ int main(void)
close(sfd);
close(cfd);
- return 0;
-}
-]])], [
+]]), [
AC_MSG_RESULT([yes])
], [
AC_MSG_RESULT([no])
@@ -1034,7 +904,6 @@ int main(void)
], [
AC_MSG_RESULT([crosscompile(yes)])
])
-fi
])dnl End of ACX_CHECK_NONBLOCKING_BROKEN
dnl Check if mkdir has one or two arguments.
@@ -1066,41 +935,18 @@ AC_DEFUN([ACX_FUNC_IOCTLSOCKET],
[
# check ioctlsocket
AC_MSG_CHECKING(for ioctlsocket)
-AC_LINK_IFELSE([AC_LANG_PROGRAM([
+AC_LINK_IFELSE(AC_LANG_PROGRAM([
#ifdef HAVE_WINSOCK2_H
#include <winsock2.h>
#endif
], [
(void)ioctlsocket(0, 0, NULL);
-])], [
+]), [
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_IOCTLSOCKET, 1, [if the function 'ioctlsocket' is available])
],[AC_MSG_RESULT(no)])
])dnl end of ACX_FUNC_IOCTLSOCKET
-dnl detect malloc and provide malloc compat prototype.
-dnl $1: unique name for compat code
-AC_DEFUN([ACX_FUNC_MALLOC],
-[
- AC_MSG_CHECKING([for GNU libc compatible malloc])
- AC_RUN_IFELSE([AC_LANG_PROGRAM(
-[[#if defined STDC_HEADERS || defined HAVE_STDLIB_H
-#include <stdlib.h>
-#else
-char *malloc ();
-#endif
-]], [ if(malloc(0) != 0) return 1;])
-],
- [AC_MSG_RESULT([no])
- AC_LIBOBJ(malloc)
- AC_DEFINE_UNQUOTED([malloc], [rpl_malloc_$1], [Define if replacement function should be used.])] ,
- [AC_MSG_RESULT([yes])
- AC_DEFINE([HAVE_MALLOC], 1, [If have GNU libc compatible malloc])],
- [AC_MSG_RESULT([no (crosscompile)])
- AC_LIBOBJ(malloc)
- AC_DEFINE_UNQUOTED([malloc], [rpl_malloc_$1], [Define if replacement function should be used.])] )
-])
-
dnl Define fallback for fseeko and ftello if needed.
AC_DEFUN([AHX_CONFIG_FSEEKO],
[
@@ -1187,16 +1033,6 @@ void *memmove(void *dest, const void *src, size_t n);
#endif
])
-dnl provide strlcat compat prototype.
-dnl $1: unique name for compat code
-AC_DEFUN([AHX_CONFIG_STRLCAT],
-[
-#ifndef HAVE_STRLCAT
-#define strlcat strlcat_$1
-size_t strlcat(char *dst, const char *src, size_t siz);
-#endif
-])
-
dnl provide strlcpy compat prototype.
dnl $1: unique name for compat code
AC_DEFUN([AHX_CONFIG_STRLCPY],
@@ -1217,20 +1053,10 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result);
#endif
])
-dnl provide reallocarray compat prototype.
-dnl $1: unique name for compat code
-AC_DEFUN([AHX_CONFIG_REALLOCARRAY],
-[
-#ifndef HAVE_REALLOCARRAY
-#define reallocarray reallocarray$1
-void* reallocarray(void *ptr, size_t nmemb, size_t size);
-#endif
-])
-
dnl provide w32 compat definition for sleep
AC_DEFUN([AHX_CONFIG_W32_SLEEP],
[
-#if !defined(HAVE_SLEEP) || defined(HAVE_WINDOWS_H)
+#ifndef HAVE_SLEEP
#define sleep(x) Sleep((x)*1000) /* on win32 */
#endif /* HAVE_SLEEP */
])
@@ -1277,7 +1103,7 @@ AC_DEFUN([ACX_CFLAGS_STRIP],
[
if echo $CFLAGS | grep " $1" >/dev/null 2>&1; then
CFLAGS="`echo $CFLAGS | sed -e 's/ $1//g'`"
- AC_DEFINE(m4_bpatsubst(OMITTED_$1,[[-=]],_), 1, Put $1 define in config.h)
+ AC_DEFINE(AS_TR_CPP(OMITTED_$1), 1, Put $1 define in config.h)
fi
])
@@ -1308,7 +1134,7 @@ AC_DEFUN([AHX_CONFIG_FLAG_OMITTED],
dnl Wrapper for AHX_CONFIG_FLAG_OMITTED for -D style flags
dnl $1: the -DNAME or -DNAME=value string.
AC_DEFUN([AHX_CONFIG_FLAG_EXT],
-[AHX_CONFIG_FLAG_OMITTED(m4_bpatsubst(OMITTED_$1,[[-=]],_),m4_bpatsubst(m4_bpatsubst($1,-D,),=.*$,),m4_if(m4_bregexp($1,=),-1,1,m4_bpatsubst($1,^.*=,)))
+[AHX_CONFIG_FLAG_OMITTED(AS_TR_CPP(OMITTED_$1),m4_bpatsubst(m4_bpatsubst($1,-D,),=.*$,),m4_if(m4_bregexp($1,=),-1,1,m4_bpatsubst($1,^.*=,)))
])
dnl config.h part to define omitted cflags, use with ACX_STRIP_EXT_FLAGS.
@@ -1323,112 +1149,4 @@ AHX_CONFIG_FLAG_EXT(-D_ALL_SOURCE)
AHX_CONFIG_FLAG_EXT(-D_LARGEFILE_SOURCE=1)
])
-dnl check if memcmp is using signed characters and replace if so.
-AC_DEFUN([ACX_CHECK_MEMCMP_SIGNED],
-[AC_MSG_CHECKING([if memcmp compares unsigned])
-AC_RUN_IFELSE([AC_LANG_SOURCE([[
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-int main(void)
-{
- char a = 255, b = 0;
- if(memcmp(&a, &b, 1) < 0)
- return 1;
- return 0;
-}
-]])], [AC_MSG_RESULT([yes]) ],
-[ AC_MSG_RESULT([no])
- AC_DEFINE([MEMCMP_IS_BROKEN], [1], [Define if memcmp() does not compare unsigned bytes])
- AC_LIBOBJ([memcmp])
-], [ AC_MSG_RESULT([cross-compile no])
- AC_DEFINE([MEMCMP_IS_BROKEN], [1], [Define if memcmp() does not compare unsigned bytes])
- AC_LIBOBJ([memcmp])
-]) ])
-
-dnl define memcmp to its replacement, pass unique id for program as arg
-AC_DEFUN([AHX_MEMCMP_BROKEN], [
-#ifdef MEMCMP_IS_BROKEN
-#include "compat/memcmp.h"
-#define memcmp memcmp_$1
-int memcmp(const void *x, const void *y, size_t n);
-#endif
-])
-
-dnl ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family
-AC_DEFUN([ACX_CHECK_SS_FAMILY],
-[AC_CHECK_MEMBER([struct sockaddr_storage.ss_family], [], [
- AC_CHECK_MEMBER([struct sockaddr_storage.__ss_family], [
- AC_DEFINE([ss_family], [__ss_family], [Fallback member name for socket family in struct sockaddr_storage])
- ],, [AC_INCLUDES_DEFAULT
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
- ])
-], [AC_INCLUDES_DEFAULT
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-]) ])
-
-dnl Check if CC and linker support -fPIE and -pie.
-dnl If so, sets them in CFLAGS / LDFLAGS.
-AC_DEFUN([ACX_CHECK_PIE], [
- AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)]))
- AS_IF([test "x$enable_pie" = "xyes"], [
- AC_MSG_CHECKING([if $CC supports PIE])
- BAKLDFLAGS="$LDFLAGS"
- BAKCFLAGS="$CFLAGS"
- LDFLAGS="$LDFLAGS -pie"
- CFLAGS="$CFLAGS -fPIE"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
- if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
- LDFLAGS="$BAKLDFLAGS"
- AC_MSG_RESULT(no)
- else
- AC_MSG_RESULT(yes)
- fi
- rm -f conftest conftest.c conftest.o
- ], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
- ])
-])
-
-dnl Check if linker supports -Wl,-z,relro,-z,now.
-dnl If so, adds it to LDFLAGS.
-AC_DEFUN([ACX_CHECK_RELRO_NOW], [
- AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)]))
- AS_IF([test "x$enable_relro_now" = "xyes"], [
- AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now])
- BAKLDFLAGS="$LDFLAGS"
- LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
- if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
- LDFLAGS="$BAKLDFLAGS"
- AC_MSG_RESULT(no)
- else
- AC_MSG_RESULT(yes)
- fi
- rm -f conftest conftest.c conftest.o
- ], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)])
- ])
-])
-
dnl End of file
diff --git a/usr.sbin/nsd/configlexer.lex b/usr.sbin/nsd/configlexer.lex
index e38e952a3f1..7b9a8a508a8 100644
--- a/usr.sbin/nsd/configlexer.lex
+++ b/usr.sbin/nsd/configlexer.lex
@@ -8,21 +8,20 @@
*
*/
-#include "config.h"
+#include <config.h>
#include <ctype.h>
#include <errno.h>
#include <string.h>
#include <strings.h>
-#ifdef HAVE_GLOB_H
-# include <glob.h>
-#endif
#include "options.h"
#include "configyyrename.h"
#include "configparser.h"
void c_error(const char *message);
+#define YY_NO_UNPUT
+
#if 0
#define LEXOUT(s) printf s /* used ONLY when debugging */
#else
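Review bot: `#include <config.h>` on the added line searches the system include path for the project's own generated header, while the other project headers a few lines below (`options.h`, `configyyrename.h`, `configparser.h`) use quotes; `#include "config.h"` keeps the lookup in the build tree first and avoids picking up an unrelated config.h from a system directory. The added `#define YY_NO_UNPUT` has no guard, so it would redefine the macro if the flex skeleton or a `%option nounput` also provides it; `#ifndef YY_NO_UNPUT` / `#define YY_NO_UNPUT 1` / `#endif` avoids that.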
@@ -30,134 +29,47 @@ void c_error(const char *message);
#endif
struct inc_state {
- char* filename;
+ const char* filename;
int line;
- YY_BUFFER_STATE buffer;
- struct inc_state* next;
};
-static struct inc_state* config_include_stack = NULL;
-static int inc_depth = 0;
-static int inc_prev = 0;
-static int num_args = 0;
-
-void init_cfg_parse(void)
-{
- config_include_stack = NULL;
- inc_depth = 0;
- inc_prev = 0;
- num_args = 0;
-}
+static struct inc_state parse_stack[MAXINCLUDES];
+static YY_BUFFER_STATE include_stack[MAXINCLUDES];
+static int config_include_stack_ptr = 0;
static void config_start_include(const char* filename)
{
FILE *input;
- struct inc_state* s;
- char* nm;
- if(inc_depth++ > 10000000) {
- c_error_msg("too many include files");
- return;
- }
if(strlen(filename) == 0) {
c_error_msg("empty include file name");
return;
}
- s = (struct inc_state*)malloc(sizeof(*s));
- if(!s) {
- c_error_msg("include %s: malloc failure", filename);
- return;
- }
- if (cfg_parser->chroot) {
- int l = strlen(cfg_parser->chroot); /* chroot has trailing slash */
- if (strncmp(cfg_parser->chroot, filename, l) != 0) {
- c_error_msg("include file '%s' is not relative to chroot '%s'",
- filename, cfg_parser->chroot);
- return;
- }
- filename += l - 1; /* strip chroot without trailing slash */
- }
- nm = strdup(filename);
- if(!nm) {
- c_error_msg("include %s: strdup failure", filename);
- free(s);
+ if(config_include_stack_ptr >= MAXINCLUDES) {
+ c_error_msg("includes nested too deeply, skipped (>%d)", MAXINCLUDES);
return;
}
input = fopen(filename, "r");
if(!input) {
c_error_msg("cannot open include file '%s': %s",
filename, strerror(errno));
- free(s);
- free(nm);
return;
}
LEXOUT(("switch_to_include_file(%s) ", filename));
- s->filename = cfg_parser->filename;
- s->line = cfg_parser->line;
- s->buffer = YY_CURRENT_BUFFER;
- s->next = config_include_stack;
- config_include_stack = s;
-
- cfg_parser->filename = nm;
+ parse_stack[config_include_stack_ptr].filename = cfg_parser->filename;
+ parse_stack[config_include_stack_ptr].line = cfg_parser->line;
+ include_stack[config_include_stack_ptr] = YY_CURRENT_BUFFER;
+ cfg_parser->filename = region_strdup(cfg_parser->opt->region, filename);
cfg_parser->line = 1;
yy_switch_to_buffer(yy_create_buffer(input, YY_BUF_SIZE));
-}
-
-static void config_start_include_glob(const char* filename)
-{
- /* check for wildcards */
-#ifdef HAVE_GLOB
- glob_t g;
- size_t i;
- int r, flags;
- if(!(!strchr(filename, '*') && !strchr(filename, '?') &&
- !strchr(filename, '[') && !strchr(filename, '{') &&
- !strchr(filename, '~'))) {
- flags = 0
-#ifdef GLOB_ERR
- | GLOB_ERR
-#endif
-#ifdef GLOB_NOSORT
- | GLOB_NOSORT
-#endif
-#ifdef GLOB_BRACE
- | GLOB_BRACE
-#endif
-#ifdef GLOB_TILDE
- | GLOB_TILDE
-#endif
- ;
- memset(&g, 0, sizeof(g));
- r = glob(filename, flags, NULL, &g);
- if(r) {
- /* some error */
- globfree(&g);
- if(r == GLOB_NOMATCH)
- return; /* no matches for pattern */
- config_start_include(filename); /* let original deal with it */
- return;
- }
- /* process files found, if any */
- for(i=0; i<(size_t)g.gl_pathc; i++) {
- config_start_include(g.gl_pathv[i]);
- }
- globfree(&g);
- return;
- }
-#endif /* HAVE_GLOB */
- config_start_include(filename);
+ ++config_include_stack_ptr;
}
static void config_end_include(void)
{
- struct inc_state* s = config_include_stack;
- --inc_depth;
- if(!s) return;
- free(cfg_parser->filename);
- cfg_parser->filename = s->filename;
- cfg_parser->line = s->line;
+ --config_include_stack_ptr;
+ cfg_parser->filename = parse_stack[config_include_stack_ptr].filename;
+ cfg_parser->line = parse_stack[config_include_stack_ptr].line;
yy_delete_buffer(YY_CURRENT_BUFFER);
- yy_switch_to_buffer(s->buffer);
- config_include_stack = s->next;
- free(s);
+ yy_switch_to_buffer(include_stack[config_include_stack_ptr]);
}
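Review bot: `config_end_include` decrements `config_include_stack_ptr` and then indexes `parse_stack[]` and `include_stack[]` with the result without checking that the stack is non-empty; if it is ever called with the pointer at 0, both arrays are read at index -1. Unless the only caller in the rule section already guards this, add `if(config_include_stack_ptr <= 0) return;` before the decrement. In `config_start_include` the `FILE*` from `fopen` is handed to `yy_create_buffer` and nothing visible here closes it when the matching buffer is deleted, so each processed include likely leaks a descriptor — worth confirming against how `yy_delete_buffer` is used. A one-line comment above `parse_stack` saying that `MAXINCLUDES` bounds nesting depth, not the total number of included files, would make the `includes nested too deeply` message easier to interpret.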
#ifndef yy_set_bol /* compat definition, for flex 2.4.6 */
@@ -170,16 +82,6 @@ static void config_end_include(void)
#endif
%}
-%option noinput
-%option nounput
-%{
-#ifndef YY_NO_UNPUT
-#define YY_NO_UNPUT 1
-#endif
-#ifndef YY_NO_INPUT
-#define YY_NO_INPUT 1
-#endif
-%}
SPACE [ \t]
LETTER [a-zA-Z]
@@ -197,17 +99,12 @@ ANY [^\"\n\r\\]|\\.
server{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER;}
name{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_NAME;}
ip-address{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP_ADDRESS;}
-interface{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP_ADDRESS;}
-ip-transparent{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP_TRANSPARENT;}
debug-mode{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DEBUG_MODE;}
hide-version{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_HIDE_VERSION;}
ip4-only{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP4_ONLY;}
ip6-only{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP6_ONLY;}
-do-ip4{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DO_IP4;}
-do-ip6{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DO_IP6;}
database{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DATABASE;}
identity{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IDENTITY;}
-nsid{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_NSID;}
logfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_LOGFILE;}
server-count{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_COUNT;}
tcp-count{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TCP_COUNT;}
@@ -217,20 +114,16 @@ ipv4-edns-size{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IPV4_EDNS_SIZE;}
ipv6-edns-size{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IPV6_EDNS_SIZE;}
pidfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_PIDFILE;}
port{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_PORT;}
-reuseport{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_REUSEPORT;}
statistics{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_STATISTICS;}
chroot{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CHROOT;}
username{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_USERNAME;}
zonesdir{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONESDIR;}
-zonelistfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONELISTFILE;}
difffile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DIFFFILE;}
xfrdfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_XFRDFILE;}
-xfrdir{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_XFRDIR;}
xfrd-reload-timeout{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_XFRD_RELOAD_TIMEOUT;}
verbosity{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_VERBOSITY;}
zone{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONE;}
zonefile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONEFILE;}
-zonestats{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONESTATS;}
allow-notify{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALLOW_NOTIFY;}
request-xfr{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_REQUEST_XFR;}
notify{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_NOTIFY;}
@@ -241,29 +134,8 @@ allow-axfr-fallback{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALLOW_AXFR_F
key{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_KEY;}
algorithm{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ALGORITHM;}
secret{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SECRET;}
-pattern{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_PATTERN;}
-include-pattern{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_INCLUDEPATTERN;}
-remote-control{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_REMOTE_CONTROL;}
-control-enable{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_ENABLE;}
-control-interface{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_INTERFACE;}
-control-port{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_PORT;}
-server-key-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_KEY_FILE;}
-server-cert-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_CERT_FILE;}
-control-key-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_KEY_FILE;}
-control-cert-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_CERT_FILE;}
AXFR { LEXOUT(("v(%s) ", yytext)); return VAR_AXFR;}
UDP { LEXOUT(("v(%s) ", yytext)); return VAR_UDP;}
-rrl-size{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_SIZE;}
-rrl-ratelimit{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_RATELIMIT;}
-rrl-slip{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_SLIP;}
-rrl-ipv4-prefix-length{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_IPV4_PREFIX_LENGTH;}
-rrl-ipv6-prefix-length{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_IPV6_PREFIX_LENGTH;}
-rrl-whitelist-ratelimit{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_WHITELIST_RATELIMIT;}
-rrl-whitelist{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_RRL_WHITELIST;}
-zonefiles-check{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONEFILES_CHECK;}
-zonefiles-write{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONEFILES_WRITE;}
-log-time-ascii{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_LOG_TIME_ASCII;}
-round-robin{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ROUND_ROBIN;}
{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++;}
/* Quoted strings. Strip leading and ending quotes */
@@ -293,7 +165,7 @@ include{COLON} { LEXOUT(("v(%s) ", yytext)); BEGIN(include); }
<include>\" { LEXOUT(("IQS ")); BEGIN(include_quoted); }
<include>{UNQUOTEDLETTER}* {
LEXOUT(("Iunquotedstr(%s) ", yytext));
- config_start_include_glob(yytext);
+ config_start_include(yytext);
BEGIN(INITIAL);
}
<include_quoted><<EOF>> {
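Review bot: The new `config_start_include(yytext)` call pushes onto the fixed arrays `parse_stack[]`/`include_stack[]` indexed by `config_include_stack_ptr` (the matching pop in config_end_include above does `--config_include_stack_ptr` with no guard), so a config that includes itself directly or through a cycle will run the index past the end of both arrays unless the push refuses to exceed the declared size; config_start_include is outside this hunk, so please confirm it compares `config_include_stack_ptr` against the array size before writing and reports the nesting error instead of pushing. The removed implementation tracked this with `inc_depth`, and the new one no longer has an equivalent visible here. The same call is made from the quoted-include rule in the next hunk (-305,12), and the `config_include_stack_ptr == 0` test there is the only thing keeping the unguarded decrement in config_end_include from underflowing, which is worth a comment on the decrement: `/* caller guarantees config_include_stack_ptr > 0 (see <INITIAL><<EOF>>) */`.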
@@ -305,12 +177,12 @@ include{COLON} { LEXOUT(("v(%s) ", yytext)); BEGIN(include); }
<include_quoted>\" {
LEXOUT(("IQE "));
yytext[yyleng - 1] = '\0';
- config_start_include_glob(yytext);
+ config_start_include(yytext);
BEGIN(INITIAL);
}
<INITIAL><<EOF>> {
yy_set_bol(1); /* Set beginning of line, so "^" rules match. */
- if (!config_include_stack) {
+ if (config_include_stack_ptr == 0) {
yyterminate();
} else {
fclose(yyin);
diff --git a/usr.sbin/nsd/netio.c b/usr.sbin/nsd/netio.c
index ad8ee16ee60..664edfb3bd1 100644
--- a/usr.sbin/nsd/netio.c
+++ b/usr.sbin/nsd/netio.c
@@ -6,7 +6,7 @@
* See LICENSE for the license.
*
*/
-#include "config.h"
+#include <config.h>
#include <assert.h>
#include <errno.h>
@@ -25,11 +25,18 @@ int pselect(int n, fd_set *readfds, fd_set *writefds, fd_set *exceptfds,
#include <sys/select.h>
#endif
+
+struct netio_handler_list
+{
+ netio_handler_list_type *next;
+ netio_handler_type *handler;
+};
+
netio_type *
netio_create(region_type *region)
{
netio_type *result;
-
+
assert(region);
result = (netio_type *) region_alloc(region, sizeof(netio_type));
@@ -44,7 +51,7 @@ void
netio_add_handler(netio_type *netio, netio_handler_type *handler)
{
netio_handler_list_type *elt;
-
+
assert(netio);
assert(handler);
@@ -72,7 +79,7 @@ void
netio_remove_handler(netio_type *netio, netio_handler_type *handler)
{
netio_handler_list_type **elt_ptr;
-
+
assert(netio);
assert(handler);
@@ -119,14 +126,14 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t
netio_handler_list_type *elt;
int rc;
int result = 0;
-
+
assert(netio);
/*
* Clear the cached current time.
*/
netio->have_current_time = 0;
-
+
/*
* Initialize the minimum timeout with the timeout parameter.
*/
@@ -146,7 +153,7 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t
for (elt = netio->handlers; elt; elt = elt->next) {
netio_handler_type *handler = elt->handler;
- if (handler->fd != -1 && handler->fd < (int)FD_SETSIZE) {
+ if (handler->fd >= 0 && handler->fd < (int)FD_SETSIZE) {
if (handler->fd > max_fd) {
max_fd = handler->fd;
}
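Review bot: The new condition `handler->fd >= 0 && handler->fd < (int)FD_SETSIZE` correctly keeps negative descriptors out of FD_SET, but a handler whose fd is at or above FD_SETSIZE is now silently dropped both when the select sets are built here and in the dispatch loop in the hunk at -228,7, so that socket never fires and nothing records why. Suggest an `else if (handler->fd >= (int)FD_SETSIZE)` branch in the set-building loop that logs once (log_msg is used elsewhere in this commit; confirm it is available in netio.c) so an exhausted select() table shows up in the log rather than as a silent hang. netio_dispatch begins and ends outside this hunk.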
@@ -208,7 +215,7 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t
* some time so the cached value is likely to be old).
*/
netio->have_current_time = 0;
-
+
if (rc == 0) {
/*
* No events before the minimum timeout expired.
@@ -228,7 +235,7 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t
for (elt = netio->handlers; elt && rc; ) {
netio_handler_type *handler = elt->handler;
netio->dispatch_next = elt->next;
- if (handler->fd != -1 && handler->fd < (int)FD_SETSIZE) {
+ if (handler->fd >= 0 && handler->fd < (int)FD_SETSIZE) {
netio_event_types_type event_types
= NETIO_EVENT_NONE;
if (FD_ISSET(handler->fd, &readfds)) {
diff --git a/usr.sbin/nsd/netio.h b/usr.sbin/nsd/netio.h
index c8299b97adb..99d9c316aa3 100644
--- a/usr.sbin/nsd/netio.h
+++ b/usr.sbin/nsd/netio.h
@@ -59,7 +59,7 @@ enum netio_event_types {
NETIO_EVENT_READ = 1,
NETIO_EVENT_WRITE = 2,
NETIO_EVENT_EXCEPT = 4,
- NETIO_EVENT_TIMEOUT = 8,
+ NETIO_EVENT_TIMEOUT = 8
};
typedef enum netio_event_types netio_event_types_type;
@@ -134,13 +134,6 @@ struct netio_handler
};
-struct netio_handler_list
-{
- netio_handler_list_type *next;
- netio_handler_type *handler;
-};
-
-
/*
* Create a new netio instance using the specified REGION. The netio
* instance is cleaned up when the REGION is deallocated.
diff --git a/usr.sbin/nsd/nsd.conf.sample.in b/usr.sbin/nsd/nsd.conf.sample.in
index e3d1ff70fd8..442031b96fb 100644
--- a/usr.sbin/nsd/nsd.conf.sample.in
+++ b/usr.sbin/nsd/nsd.conf.sample.in
@@ -1,96 +1,47 @@
#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
-# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
+# Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#
# This is a comment.
# Sample configuration file
-# include: "file" # include that file's text over here. Globbed, "*.conf"
# options for the nsd server
server:
- # Number of NSD servers to fork. Put the number of CPUs to use here.
- # server-count: 1
-
- # uncomment to specify specific interfaces to bind (default are the
- # wildcard interfaces 0.0.0.0 and ::0).
- # For servers with multiple IP addresses, list them one by one,
- # or the source address of replies could be wrong.
- # Use ip-transparent to be able to list addresses that turn on later.
+ # uncomment to specify specific interfaces to bind (default all).
# ip-address: 1.2.3.4
- # ip-address: 1.2.3.4@5678
# ip-address: 12fe::8ef0
- # Allow binding to non local addresses. Default no.
- # ip-transparent: no
-
- # use the reuseport socket option for performance.
- # The default is yes on linux, no for others.
- # reuseport: no
+ # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
+ # hide-version: no
# enable debug mode, does not fork daemon process into the background.
# debug-mode: no
- # listen on IPv4 connections
- # do-ip4: yes
-
- # listen on IPv6 connections
- # do-ip6: yes
-
- # port to answer queries on. default is 53.
- # port: 53
-
- # Verbosity level.
- # verbosity: 0
-
- # After binding socket, drop user privileges.
- # can be a username, id or id.gid.
- # username: @user@
-
- # Run NSD in a chroot-jail.
- # make sure to have pidfile and database reachable from there.
- # by default, no chroot-jail is used.
- # chroot: "@configdir@"
+ # listen only on IPv4 connections
+ # ip4-only: no
- # The directory for zonefile: files. The daemon chdirs here.
- # zonesdir: "@zonesdir@"
+ # listen only on IPv6 connections
+ # ip6-only: no
- # the list of dynamically added zones.
- # zonelistfile: "@zonelistfile@"
-
# the database to use
- # if set to "" then no disk-database is used, less memory usage.
# database: "@dbfile@"
- # log messages to file. Default to stderr and syslog (with
- # facility LOG_DAEMON). stderr disappears when daemon goes to bg.
- # logfile: "@logfile@"
-
- # File to store pid for nsd in.
- # pidfile: "@pidfile@"
-
- # The file where secondary zone refresh and expire timeouts are kept.
- # If you delete this file, all secondary zones are forced to be
- # 'refreshing' (as if nsd got a notify). Set to "" to disable.
- # xfrdfile: "@xfrdfile@"
-
- # The directory where zone transfers are stored, in a subdir of it.
- # xfrdir: "@xfrdir@"
-
- # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
- # hide-version: no
-
# identify the server (CH TXT ID.SERVER entry).
# identity: "unidentified server"
- # NSID identity (hex string, or "ascii_somestring"). default disabled.
- # nsid: "aabbccdd"
+ # log messages to file. Default to stderr and syslog.
+ # logfile: "/var/log/nsd.log"
+
+ # Number of NSD servers to fork.
+ # server-count: 1
# Maximum number of concurrent TCP connections per server.
- # tcp-count: 100
+ # This option should have a value below 1000.
+ # tcp-count: 10
# Maximum number of queries served on a single TCP connection.
# By default 0, which means no maximum.
@@ -105,179 +56,125 @@ server:
# Preferred EDNS buffer size for IPv6.
# ipv6-edns-size: 4096
- # statistics are produced every number of seconds. Prints to log.
- # Default is 0, meaning no statistics are produced.
- # statistics: 3600
+ # File to store pid for nsd in.
+ # pidfile: "@pidfile@"
- # Number of seconds between reloads triggered by xfrd.
- # xfrd-reload-timeout: 1
-
- # log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
- # log-time-ascii: yes
+ # port to answer queries on. default is 53.
+ # port: 53
- # round robin rotation of records in the answer.
- # round-robin: no
+ # statistics are produced every number of seconds.
+ # statistics: 3600
- # check mtime of all zone files on start and sighup
- # zonefiles-check: yes
-
- # write changed zonefiles to disk, every N seconds.
- # default is 0(disabled) or 3600(if database is "").
- # zonefiles-write: 3600
+ # Run NSD in a chroot-jail.
+ # make sure to have pidfile and database reachable from there.
+ # by default, no chroot-jail is used.
+ # chroot: "@configdir@"
- # RRLconfig
- # Response Rate Limiting, size of the hashtable. Default 1000000.
- # rrl-size: 1000000
+ # After binding socket, drop user privileges.
+ # can be a username, id or id.gid.
+ # username: @user@
+
+ # The directory for zonefile: files.
+ # zonesdir: "@zonesdir@"
- # Response Rate Limiting, maximum QPS allowed (from one query source).
- # Default 200. If set to 0, ratelimiting is disabled. Also set
- # rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
- # rrl-ratelimit: 200
+ # The file where incoming zone transfers are stored.
+ # run nsd-patch to update zone files, then you can safely delete it.
+ # difffile: "@difffile@"
- # Response Rate Limiting, number of packets to discard before
- # sending a SLIP response (a truncated one, allowing an honest
- # resolver to retry with TCP). Default is 2 (one half of the
- # queries will receive a SLIP response, 0 disables SLIP (all
- # packets are discarded), 1 means every request will get a
- # SLIP response.
- # rrl-slip: 2
+ # The file where secondary zone refresh and expire timeouts are kept.
+ # If you delete this file, all secondary zones are forced to be
+ # 'refreshing' (as if nsd got a notify).
+ # xfrdfile: "@xfrdfile@"
- # Response Rate Limiting, IPv4 prefix length. Addresses are
- # grouped by netblock.
- # rrl-ipv4-prefix-length: 24
+ # Number of seconds between reloads triggered by xfrd.
+ # xfrd-reload-timeout: 10
- # Response Rate Limiting, IPv6 prefix length. Addresses are
- # grouped by netblock.
- # rrl-ipv6-prefix-length: 64
+ # Verbosity level.
+ # verbosity: 0
- # Response Rate Limiting, maximum QPS allowed (from one query source)
- # for whitelisted types. Default 2000.
- # rrl-whitelist-ratelimit: 2000
- # RRLend
+# key for zone 1
+key:
+ name: mskey
+ algorithm: hmac-md5
+ secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
-# Remote control config section.
-remote-control:
- # Enable remote control with nsd-control(8) here.
- # set up the keys and certificates with nsd-control-setup.
- # control-enable: no
+# Sample zone 1
+zone:
+ name: "example.com"
+ zonefile: "example.com.zone"
- # what interfaces are listened to for control, default is on localhost.
- # control-interface: 127.0.0.1
- # control-interface: ::1
+ # This is a slave zone. Masters are listed below.
- # port number for remote control operations (uses TLS over TCP).
- # control-port: 8952
+ # master 1
+ allow-notify: 168.192.44.42 mskey
+ request-xfr: 168.192.44.42 mskey
- # nsd server key file for remote control.
- # server-key-file: "@configdir@/nsd_server.key"
+ # set local interface for sending zone transfer requests.
+ outgoing-interface: 10.0.0.10
- # nsd server certificate file for remote control.
- # server-cert-file: "@configdir@/nsd_server.pem"
+ # master 2
+ allow-notify: 10.0.0.11 NOKEY
+ request-xfr: 10.0.0.11 NOKEY
- # nsd-control key file.
- # control-key-file: "@configdir@/nsd_control.key"
+ # By default, a slave will request a zone transfer with IXFR/TCP.
+ # If you want to make use of IXFR/UDP use
+ allow-notify: 10.0.0.12 NOKEY
+ request-xfr: UDP 10.0.0.12 NOKEY
- # nsd-control certificate file.
- # control-cert-file: "@configdir@/nsd_control.pem"
+ # for a master that only speaks AXFR (like NSD) use
+ allow-notify: 10.0.0.13 NOKEY
+ request-xfr: AXFR 10.0.0.13 NOKEY
+ # Attention: You cannot use UDP and AXFR together. AXFR is always over
+ # TCP. If you use UDP, we higly recommend you to deploy TSIG.
-# Secret keys for TSIGs that secure zone transfers.
-# You could include: "secret.keys" and put the 'key:' statements in there,
-# and give that file special access control permissions.
-#
-# key:
- # The key name is sent to the other party, it must be the same
- #name: "keyname"
- # algorithm hmac-md5, or hmac-sha1, or hmac-sha256 (if compiled in)
- #algorithm: hmac-sha256
- # secret material, must be the same as the other party uses.
- # base64 encoded random number.
- # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
- #secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
-
-
-# Patterns have zone configuration and they are shared by one or more zones.
-#
-# pattern:
- # name by which the pattern is referred to
- #name: "myzones"
- # the zonefile for the zones that use this pattern.
- # if relative then from the zonesdir (inside the chroot).
- # the name is processed: %s - zone name (as appears in zone:name).
- # %1 - first character of zone name, %2 second, %3 third.
- # %z - topleveldomain label of zone, %y, %x next labels in name.
- # if label or character does not exist you get a dot '.'.
- # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
- #zonefile: "%s.zone"
-
- # If no master and slave access control elements are provided,
- # this zone will not be served to/from other servers.
-
- # A master zone needs notify: and provide-xfr: lists. A slave
- # may also allow zone transfer (for debug or other secondaries).
- # notify these slaves when the master zone changes, address TSIG|NOKEY
- # IP can be ipv4 and ipv6, with @port for a nondefault port number.
- #notify: 192.0.2.1 NOKEY
- # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
- # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
- #provide-xfr: 192.0.2.0/24 my_tsig_key_name
- # set the number of retries for notify.
- #notify-retry: 5
+ # Allow AXFR fallback if the master does not support IXFR. Default
+ # is yes.
+ allow-axfr-fallback: "yes"
# uncomment to provide AXFR to all the world
# provide-xfr: 0.0.0.0/0 NOKEY
# provide-xfr: ::0/0 NOKEY
- # A slave zone needs allow-notify: and request-xfr: lists.
- #allow-notify: 2001:db8::0/64 my_tsig_key_name
- # By default, a slave will request a zone transfer with IXFR/TCP.
- # If you want to make use of IXFR/UDP use: UDP addr tsigkey
- # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
- #request-xfr: 192.0.2.2 the_tsig_key_name
- # Attention: You cannot use UDP and AXFR together. AXFR is always over
- # TCP. If you use UDP, we higly recommend you to deploy TSIG.
- # Allow AXFR fallback if the master does not support IXFR. Default
- # is yes.
- #allow-axfr-fallback: yes
- # set local interface for sending zone transfer requests.
- # default is let the OS choose.
- #outgoing-interface: 10.0.0.10
+# Sample zone 2
+zone:
+ name: "example.net"
+ zonefile: "example.net.signed.zone"
- # if compiled with --enable-zone-stats, give name of stat block for
- # this zone (or group of zones). Output from nsd-control stats.
- # zonestats: "%s"
+ # This is a master zone. Slaves are listed below.
- # if you give another pattern name here, at this point the settings
- # from that pattern are inserted into this one (as if it were a
- # macro). The statement can be given in between other statements,
- # because the order of access control elements can make a difference
- # (which master to request from first, which slave to notify first).
- #include-pattern: "common-masters"
+ # secondary 1. Uses port 5300.
+ notify: 10.0.0.14@5300 sec1_key
+ provide-xfr: 10.0.0.14@5300 sec1_key
+ # set local interface for sending notifies
+ outgoing-interface: 10.0.0.15
-# Fixed zone entries. Here you can config zones that cannot be deleted.
-# Zones that are dynamically added and deleted are put in the zonelist file.
-#
-# zone:
- # name: "example.com"
- # you can give a pattern here, all the settings from that pattern
- # are then inserted at this point
- # include-pattern: "master"
- # You can also specify (additional) options directly for this zone.
- # zonefile: "example.com.zone"
- # request-xfr: 192.0.2.1 example.com.key
-
- # RRLconfig
- # Response Rate Limiting, whitelist types
- # rrl-whitelist: nxdomain
- # rrl-whitelist: error
- # rrl-whitelist: referral
- # rrl-whitelist: any
- # rrl-whitelist: rrsig
- # rrl-whitelist: wildcard
- # rrl-whitelist: nodata
- # rrl-whitelist: dnskey
- # rrl-whitelist: positive
- # rrl-whitelist: all
- # RRLend
+ # secondary 2.
+ notify: 10.11.12.14 sec2_key
+ provide-xfr: 10.11.12.14 sec2_key
+
+ # also provide xfr to operator's network.
+ provide-xfr: 169.192.85.0/24 NOKEY
+ # uncomment to disable xfr for the address.
+ # provide-xfr: 169.192.85.66 BLOCKED
+
+ # set the number of retries for notify.
+ notify-retry: 5
+
+# keys for zone 2
+key:
+ name: "sec1_key"
+ algorithm: hmac-md5
+ secret: "6KM6qiKfwfEpamEq72HQdA=="
+
+key:
+ name: sec2_key
+ algorithm: hmac-sha1
+ secret: "m83H2x8R0zbDf3yRKhrqgw=="
+
+key:
+ name: sec3_key
+ algorithm: hmac-sha256
+ secret: "m83H2x8R0zbDf3yRKhrqgw=="
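Review bot: The `key:` blocks added at the end ship literal base64 secrets for `mskey`, `sec1_key`, `sec2_key` and `sec3_key`, and `sec2_key` and `sec3_key` carry the identical secret string; sample files tend to be copied verbatim, so every installation that keeps these shares its TSIG keys with anyone who has read the sample. The removed text already had the right guidance, so restore it as a comment above the first key, e.g. `# Sample secrets only - generate your own, e.g. dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64`. `sec3_key` is also defined but referenced by no zone, which makes the sample harder to follow. Separately, `allow-axfr-fallback: "yes"` is the only boolean in the file written with quotes; the lexer strips quotes so it presumably parses, but the bare form used for every other yes/no option is clearer.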
diff --git a/usr.sbin/nsd/tsig-openssl.c b/usr.sbin/nsd/tsig-openssl.c
index 40a35f50324..5773fd2a674 100644
--- a/usr.sbin/nsd/tsig-openssl.c
+++ b/usr.sbin/nsd/tsig-openssl.c
@@ -7,9 +7,9 @@
*
*/
-#include "config.h"
+#include <config.h>
-#if defined(HAVE_SSL)
+#if defined(TSIG) && defined(HAVE_SSL)
#include "tsig-openssl.h"
#include "tsig.h"
@@ -31,7 +31,7 @@ tsig_openssl_init_algorithm(region_type* region,
hmac_algorithm = EVP_get_digestbyname(digest);
if (!hmac_algorithm) {
- /* skip but don't error */
+ log_msg(LOG_ERR, "%s digest not available", digest);
return 0;
}
@@ -58,23 +58,21 @@ tsig_openssl_init_algorithm(region_type* region,
int
tsig_openssl_init(region_type *region)
{
- int count = 0;
OpenSSL_add_all_digests();
- count += tsig_openssl_init_algorithm(region,
- "md5", "hmac-md5","hmac-md5.sig-alg.reg.int.");
- count += tsig_openssl_init_algorithm(region,
- "sha1", "hmac-sha1", "hmac-sha1.");
- count += tsig_openssl_init_algorithm(region,
- "sha224", "hmac-sha224", "hmac-sha224.");
- count += tsig_openssl_init_algorithm(region,
- "sha256", "hmac-sha256", "hmac-sha256.");
- count += tsig_openssl_init_algorithm(region,
- "sha384", "hmac-sha384", "hmac-sha384.");
- count += tsig_openssl_init_algorithm(region,
- "sha512", "hmac-sha512", "hmac-sha512.");
-
- return count;
+ /* TODO: walk lookup supported algorithms table */
+ if (!tsig_openssl_init_algorithm(region, "md5", "hmac-md5","hmac-md5.sig-alg.reg.int."))
+ return 0;
+#ifdef HAVE_EVP_SHA1
+ if (!tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1", "hmac-sha1."))
+ return 0;
+#endif /* HAVE_EVP_SHA1 */
+
+#ifdef HAVE_EVP_SHA256
+ if (!tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256", "hmac-sha256."))
+ return 0;
+#endif /* HAVE_EVP_SHA256 */
+ return 1;
}
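Review bot: In the rewritten tsig_openssl_init an unavailable `md5` digest now aborts the whole TSIG initialisation before `sha1` or `sha256` are even tried, so a libcrypto that lacks MD5 (or has it disabled) loses HMAC-SHA256 as well, and a failure on `sha256` after `md5` succeeded returns 0 with md5 already registered, leaving a half-initialised table that callers will treat as failure. The return value also changes meaning from a count of registered algorithms to a success flag, which any caller outside this diff that used the count must be updated for. A more robust shape is to attempt every algorithm, letting tsig_openssl_init_algorithm log the missing ones (as the -31,7 hunk now does), and succeed when at least one registered; this assumes tsig_openssl_init_algorithm returns 1 on success as the old count-based code relied on, which is not visible here.
```c
int
tsig_openssl_init(region_type *region)
{
	int count = 0;
	OpenSSL_add_all_digests();
	/* TODO: walk lookup supported algorithms table */
	/* try every algorithm; a missing digest is logged by the callee */
	count += tsig_openssl_init_algorithm(region, "md5", "hmac-md5","hmac-md5.sig-alg.reg.int.");
#ifdef HAVE_EVP_SHA1
	count += tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1", "hmac-sha1.");
#endif /* HAVE_EVP_SHA1 */
#ifdef HAVE_EVP_SHA256
	count += tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256", "hmac-sha256.");
#endif /* HAVE_EVP_SHA256 */
	/* success iff at least one HMAC algorithm is usable */
	return count > 0;
}
```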
static void
@@ -126,4 +124,4 @@ tsig_openssl_finalize()
EVP_cleanup();
}
-#endif /* defined(HAVE_SSL) */
+#endif /* defined(TSIG) && defined(HAVE_SSL) */