Particularly interesting is
- Fix #190: NSD returns 3 NSEC3 records for NODATA response.

which I believe is a fix for the problem mischa reported on misc: "NSD
exit status 11 on 7.0"

Tests, OKs?

diff --git doc/RELNOTES doc/RELNOTES
index 054eb9b8f60..b7157bbc0a6 100644
--- doc/RELNOTES
+++ doc/RELNOTES
@@ -1,5 +1,31 @@
 NSD RELEASE NOTES
 
+4.3.8
+================
+FEATURES:
+       - Merge #185 by cesarkuroiwa: Mutual TLS.
+       - Set default for answer-cookie to no. Because in server deployments
+         with mixed server software, a default of yes causes issues.
+BUG FIXES:
+       - Fix to compile with OpenSSL 3.0.0beta2.
+       - Fix configure detection of SSL_CTX_set_security_level.
+       - Fix deprecated functions use from openssl 3.0.0beta2.
+       - For #184: Note that all zones can be targeted by some nsd-control
+         commands in the man page.
+       - Fixes for #185: Document client-cert, client-key and client-key-pw
+         in the man page. Fix yacc semicolon. Fix unused variable warning.
+         Use strlcpy instead of strncpy. Fix spelling error in error
+         printout.
+       - Merge #187: Support using system-wide crypto policies.
+       - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
+       - Fix sed script in ssldir split handling.
+       - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
+         `query->delegation_rrset' failed.
+       - Fix #190: NSD returns 3 NSEC3 records for NODATA response.
+       - Fix compile failure with openssl 1.0.2.
+       - Fix #194: Incorrect NSEC3 response for SOA query below delegation
+         point.
+
 4.3.7
 ================
 FEATURES:
diff --git acx_nlnetlabs.m4 acx_nlnetlabs.m4
index 7ce79070805..1574f97bfe0 100644
--- acx_nlnetlabs.m4
+++ acx_nlnetlabs.m4
@@ -2,7 +2,11 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 40
+# Version 43
+# 2021-08-17 fix sed script in ssldir split handling.
+# 2021-08-17 fix for openssl to detect split version, with ssldir_include
+#           and ssldir_lib output directories.
+# 2021-07-30 fix for openssl use of lib64 directory.
 # 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
 # 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
 #           64bit compatibility.
@@ -646,6 +650,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [
     withval=$1
     if test x_$withval != x_no; then
         AC_MSG_CHECKING(for SSL)
+       if test -n "$withval"; then
+               dnl look for openssl install with different version, eg.
+               dnl in /usr/include/openssl11/openssl/ssl.h
+               dnl and /usr/lib64/openssl11/libssl.so
+               dnl with the --with-ssl=/usr/include/openssl11
+               if test ! -f "$withval/include/openssl/ssl.h" -a -f 
"$withval/openssl/ssl.h"; then
+                       ssldir="$withval"
+                       found_ssl="yes"
+                       withval=""
+                       ssldir_include="$ssldir"
+                       dnl find the libdir
+                       ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
+                       if test -f "$ssldir_lib/libssl.a" -o -f 
"$ssldir_lib/libssl.so"; then
+                               : # found here
+                       else
+                               ssldir_lib=`echo $ssldir | sed -e 
's/include/lib64/'`
+                               if test -f "$ssldir_lib/libssl.a" -o -f 
"$ssldir_lib/libssl.so"; then
+                                       : # found here
+                               else
+                                       AC_MSG_ERROR([Could not find openssl 
lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or 
"/usr/include/openssl11"])
+                               fi
+                       fi
+               fi
+       fi
         if test x_$withval = x_ -o x_$withval = x_yes; then
             withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local 
/opt/local /usr/sfw /usr"
         fi
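Review bot: The error text on the `AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.[so,a], ...])` line loses its inner brackets to m4 quoting, so the generated configure prints `libssl.so,a` (visible in the configure hunk further down); writing it as `$ssldir_lib/libssl.so or libssl.a`, or using the `@<:@so,a@:>@` quadrigraphs, keeps the intended wording. The libdir derivation on the `ssldir_lib=` line, `sed -e 's/include/lib/'` (and the lib64 variant), rewrites the first "include" anywhere in the path rather than the directory component the dnl comment describes, so a prefix like /opt/include-tools/include/openssl11 is mangled; a greedy form such as `sed -e 's,\(.*\)include,\1lib,'` substitutes the last occurrence, and `"$ssldir"` should be quoted in the echo against word splitting. Only libssl.a and libssl.so are probed, so an install that ships only a .dylib would presumably be rejected on this path — confirm whether that is expected. The same block, with the same message and sed expressions, appears in the CHECK_SSL hunk of configure.ac.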
@@ -653,12 +681,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [
             ssldir="$dir"
             if test -f "$dir/include/openssl/ssl.h"; then
                 found_ssl="yes"
-                AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL 
libraries installed.])
-                dnl assume /usr/include is already in the include-path.
-                if test "$ssldir" != "/usr"; then
-                        CPPFLAGS="$CPPFLAGS -I$ssldir/include"
-                        LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
-                fi
+               ssldir_include="$ssldir/include"
+               if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
+                       ssldir_lib="$ssldir/lib64"
+               else
+                       ssldir_lib="$ssldir/lib"
+               fi
                 break;
             fi
         done
@@ -666,13 +694,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
             AC_MSG_ERROR(Cannot find the SSL libraries in $withval)
         else
             AC_MSG_RESULT(found in $ssldir)
+            AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL 
libraries installed.])
             HAVE_SSL=yes
-            dnl assume /usr is already in the lib and dynlib paths.
-            if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
-                LDFLAGS="$LDFLAGS -L$ssldir/lib"
-                LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
-                ACX_RUNTIME_PATH_ADD([$ssldir/lib])
-            fi
+           dnl assume /usr is already in the include, lib and dynlib paths.
+            if test "$ssldir" != "/usr"; then
+                   CPPFLAGS="$CPPFLAGS -I$ssldir_include"
+                   LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include"
+                   LDFLAGS="$LDFLAGS -L$ssldir_lib"
+                   LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib"
+                   ACX_RUNTIME_PATH_ADD([$ssldir_lib])
+           fi
         
             AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
             LIBS="$LIBS -lcrypto"
@@ -751,7 +782,7 @@ dnl
 AC_DEFUN([ACX_WITH_SSL],
 [
 AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check 
/usr/local/ssl
-                            /usr/lib/ssl /usr/ssl /usr/pkg /usr/local 
/opt/local /usr/sfw /usr)]),[
+                            /usr/lib/ssl /usr/ssl /usr/pkg /usr/local 
/opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[
         ],[
             withval="yes"
         ])
@@ -769,7 +800,7 @@ dnl
 AC_DEFUN([ACX_WITH_SSL_OPTIONAL],
 [
 AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check 
/usr/local/ssl
-                                /usr/lib/ssl /usr/ssl /usr/pkg /usr/local 
/opt/local /usr/sfw /usr)]),[
+                                /usr/lib/ssl /usr/ssl /usr/pkg /usr/local 
/opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[
         ],[
             withval="yes"
         ])
diff --git config.h.in config.h.in
index c4cd67f7dfe..34a89602063 100644
--- config.h.in
+++ config.h.in
@@ -31,6 +31,12 @@
 /* Pathname to the NSD database */
 #undef DBFILE
 
+/* Whether ERR_load_SSL_strings is deprecated */
+#undef DEPRECATED_ERR_LOAD_SSL_STRINGS
+
+/* Whether SHA1_Init is deprecated */
+#undef DEPRECATED_SHA1_INIT
+
 /* default dnstap socket path */
 #undef DNSTAP_SOCKET_PATH
 
@@ -127,6 +133,9 @@
 /* Define to 1 if you have the `ERR_load_crypto_strings' function. */
 #undef HAVE_ERR_LOAD_CRYPTO_STRINGS
 
+/* Define to 1 if you have the `ERR_load_SSL_strings' function. */
+#undef HAVE_ERR_LOAD_SSL_STRINGS
+
 /* Define to 1 if you have the `event_base_free' function. */
 #undef HAVE_EVENT_BASE_FREE
 
@@ -145,6 +154,9 @@
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #undef HAVE_EVP_CLEANUP
 
+/* Define to 1 if you have the `EVP_MAC_CTX_get_mac_size' function. */
+#undef HAVE_EVP_MAC_CTX_GET_MAC_SIZE
+
 /* Define to 1 if you have the `EVP_MAC_CTX_new' function. */
 #undef HAVE_EVP_MAC_CTX_NEW
 
@@ -338,6 +350,9 @@
 /* Define to 1 if you have the `setusercontext' function. */
 #undef HAVE_SETUSERCONTEXT
 
+/* Define to 1 if you have the `SHA1_Init' function. */
+#undef HAVE_SHA1_INIT
+
 /* Define to 1 if you have the `sigaction' function. */
 #undef HAVE_SIGACTION
 
@@ -359,6 +374,9 @@
 /* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
 #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL
 
+/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */
+#undef HAVE_SSL_GET1_PEER_CERTIFICATE
+
 /* Define to 1 if you have the <stdarg.h> header file. */
 #undef HAVE_STDARG_H
 
diff --git configlexer.lex configlexer.lex
index 6d4933de381..d5fcd58b7f6 100644
--- configlexer.lex
+++ configlexer.lex
@@ -242,6 +242,9 @@ outgoing-interface{COLON}   { LEXOUT(("v(%s) ", yytext)); 
return VAR_OUTGOING_INTE
 allow-axfr-fallback{COLON}     { LEXOUT(("v(%s) ", yytext)); return 
VAR_ALLOW_AXFR_FALLBACK;}
 tls-auth{COLON}                { LEXOUT(("v(%s) ", yytext)); return 
VAR_TLS_AUTH;}
 auth-domain-name{COLON}                { LEXOUT(("v(%s) ", yytext)); return 
VAR_TLS_AUTH_DOMAIN_NAME;}
+client-cert{COLON}             { LEXOUT(("v(%s) ", yytext)); return 
VAR_TLS_AUTH_CLIENT_CERT;}
+client-key{COLON}              { LEXOUT(("v(%s) ", yytext)); return 
VAR_TLS_AUTH_CLIENT_KEY;}
+client-key-pw{COLON}           { LEXOUT(("v(%s) ", yytext)); return 
VAR_TLS_AUTH_CLIENT_KEY_PW;}
 key{COLON}             { LEXOUT(("v(%s) ", yytext)); return VAR_KEY;}
 algorithm{COLON}       { LEXOUT(("v(%s) ", yytext)); return VAR_ALGORITHM;}
 secret{COLON}          { LEXOUT(("v(%s) ", yytext)); return VAR_SECRET;}
diff --git configparser.y configparser.y
index 6b369cad35d..6642a6f544c 100644
--- configparser.y
+++ configparser.y
@@ -149,6 +149,9 @@ static int parse_range(const char *str, long long *low, 
long long *high);
 /* xot auth */
 %token VAR_TLS_AUTH
 %token VAR_TLS_AUTH_DOMAIN_NAME
+%token VAR_TLS_AUTH_CLIENT_CERT
+%token VAR_TLS_AUTH_CLIENT_KEY
+%token VAR_TLS_AUTH_CLIENT_KEY_PW
 
 /* pattern */
 %token VAR_PATTERN
@@ -672,7 +675,20 @@ tls_auth_option:
   | VAR_TLS_AUTH_DOMAIN_NAME STRING
     {
       cfg_parser->tls_auth->auth_domain_name = 
region_strdup(cfg_parser->opt->region, $2);
-    };
+    }
+  | VAR_TLS_AUTH_CLIENT_CERT STRING
+    {
+           cfg_parser->tls_auth->client_cert = 
region_strdup(cfg_parser->opt->region, $2);
+    }
+  | VAR_TLS_AUTH_CLIENT_KEY STRING
+    {
+           cfg_parser->tls_auth->client_key = 
region_strdup(cfg_parser->opt->region, $2);
+    }
+  | VAR_TLS_AUTH_CLIENT_KEY_PW STRING
+    {
+           cfg_parser->tls_auth->client_key_pw = 
region_strdup(cfg_parser->opt->region, $2);
+    }
+  ;
 
 key:
     VAR_KEY
diff --git configure configure
index 156d6467332..4f8d1ccaddd 100644
--- configure
+++ configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for NSD 4.3.7.
+# Generated by GNU Autoconf 2.69 for NSD 4.3.8.
 #
 # Report bugs to <[email protected]>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='NSD'
 PACKAGE_TARNAME='nsd'
-PACKAGE_VERSION='4.3.7'
-PACKAGE_STRING='NSD 4.3.7'
+PACKAGE_VERSION='4.3.8'
+PACKAGE_STRING='NSD 4.3.8'
 PACKAGE_BUGREPORT='[email protected]'
 PACKAGE_URL=''
 
@@ -1328,7 +1328,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures NSD 4.3.7 to adapt to many kinds of systems.
+\`configure' configures NSD 4.3.8 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1390,7 +1390,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of NSD 4.3.7:";;
+     short | recursive ) echo "Configuration of NSD 4.3.8:";;
    esac
   cat <<\_ACEOF
 
@@ -1563,7 +1563,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-NSD configure 4.3.7
+NSD configure 4.3.8
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2272,7 +2272,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by NSD $as_me 4.3.7, which was
+It was created by NSD $as_me 4.3.8, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -9351,6 +9351,26 @@ fi
     if test x_$withval != x_no; then
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5
 $as_echo_n "checking for SSL... " >&6; }
+       if test -n "$withval"; then
+                                                                               
if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; 
then
+                        ssldir="$withval"
+                        found_ssl="yes"
+                        withval=""
+                        ssldir_include="$ssldir"
+                        CPPFLAGS="$CPPFLAGS -I$ssldir_include";
+                                                ssldir_lib=`echo $ssldir | sed 
-e 's/include/lib/'`
+                        if test -f "$ssldir_lib/libssl.a" -o -f 
"$ssldir_lib/libssl.so"; then
+                                : # found here
+                        else
+                                ssldir_lib=`echo $ssldir | sed -e 
's/include/lib64/'`
+                                if test -f "$ssldir_lib/libssl.a" -o -f 
"$ssldir_lib/libssl.so"; then
+                                        : # found here
+                                else
+                                        as_fn_error $? "Could not find openssl 
lib file, $ssldir_lib/libssl.so,a, pass like \"/usr/local\" or 
\"/usr/include/openssl11\"" "$LINENO" 5
+                                fi
+                        fi
+                fi
+       fi
         if test x_$withval = x_ -o x_$withval = x_yes; then
             withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw 
/usr/local /usr /usr/local/opt/openssl"
         fi
@@ -9358,14 +9378,15 @@ $as_echo_n "checking for SSL... " >&6; }
             ssldir="$dir"
             if test -f "$dir/include/openssl/ssl.h"; then
                 found_ssl="yes";
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_SSL /**/
-_ACEOF
-
                 if test x_$ssldir != x_/usr; then
                     CPPFLAGS="$CPPFLAGS -I$ssldir/include";
                 fi
+               ssldir_include="$ssldir/include"
+               if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
+                       ssldir_lib="$ssldir/lib64"
+               else
+                       ssldir_lib="$ssldir/lib"
+               fi
                 break;
             fi
         done
@@ -9375,11 +9396,16 @@ _ACEOF
             { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" 
>&5
 $as_echo "found in $ssldir" >&6; }
             HAVE_SSL=yes
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_SSL /**/
+_ACEOF
+
             if test x_$ssldir != x_/usr; then
-                LDFLAGS="$LDFLAGS -L$ssldir/lib";
+                LDFLAGS="$LDFLAGS -L$ssldir_lib";
             fi
            if test x_$ssldir = x_/usr/sfw; then
-               LDFLAGS="$LDFLAGS -R$ssldir/lib";
+               LDFLAGS="$LDFLAGS -R$ssldir_lib";
            fi
         fi
 
@@ -9614,7 +9640,7 @@ fi
 
 done
 
-       for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup 
ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level 
CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params
+       for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup 
ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp 
EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params 
EVP_MAC_CTX_get_mac_size SHA1_Init
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -9626,6 +9652,47 @@ _ACEOF
 fi
 done
 
+       if test "$ac_cv_func_SHA1_Init" = "yes"; then
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if SHA1_Init is deprecated" 
>&5
+$as_echo_n "checking if SHA1_Init is deprecated... " >&6; }
+cache=`echo SHA1_Init | sed 'y%.=/+-%___p_%'`
+if eval \${cv_cc_deprecated_$cache+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+echo '
+#include <openssl/sha.h>
+' >conftest.c
+echo 'void f(){ (void)SHA1_Init(NULL); }' >>conftest.c
+if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e 
unavailable`"; then
+eval "cv_cc_deprecated_$cache=no"
+else
+eval "cv_cc_deprecated_$cache=yes"
+fi
+rm -f conftest conftest.o conftest.c
+
+fi
+
+if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+cat >>confdefs.h <<_ACEOF
+#define DEPRECATED_SHA1_INIT 1
+_ACEOF
+
+:
+
+else
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+:
+
+fi
+
+       fi
        ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" 
"ac_cv_have_decl_SSL_CTX_set_ecdh_auto" "
 $ac_includes_default
 #ifdef HAVE_OPENSSL_ERR_H
@@ -9701,17 +9768,59 @@ fi
 
        BAKLIBS="$LIBS"
        LIBS="-lssl $LIBS"
-       for ac_func in OPENSSL_init_ssl
+       for ac_func in OPENSSL_init_ssl SSL_get1_peer_certificate 
SSL_CTX_set_security_level ERR_load_SSL_strings
 do :
-  ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl"
-if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_OPENSSL_INIT_SSL 1
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 
 fi
 done
 
+       if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ERR_load_SSL_strings is 
deprecated" >&5
+$as_echo_n "checking if ERR_load_SSL_strings is deprecated... " >&6; }
+cache=`echo ERR_load_SSL_strings | sed 'y%.=/+-%___p_%'`
+if eval \${cv_cc_deprecated_$cache+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+echo '
+#include <openssl/ssl.h>
+' >conftest.c
+echo 'void f(){ (void)ERR_load_SSL_strings(); }' >>conftest.c
+if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e 
unavailable`"; then
+eval "cv_cc_deprecated_$cache=no"
+else
+eval "cv_cc_deprecated_$cache=yes"
+fi
+rm -f conftest conftest.o conftest.c
+
+fi
+
+if eval "test \"`echo '$cv_cc_deprecated_'$cache`\" = yes"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+cat >>confdefs.h <<_ACEOF
+#define DEPRECATED_ERR_LOAD_SSL_STRINGS 1
+_ACEOF
+
+:
+
+else
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+:
+
+fi
+
+       fi
        LIBS="$BAKLIBS"
 
 else
@@ -11046,7 +11155,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by NSD $as_me 4.3.7, which was
+This file was extended by NSD $as_me 4.3.8, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -11108,7 +11217,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-NSD config.status 4.3.7
+NSD config.status 4.3.8
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git configure.ac configure.ac
index 8449e510bdd..4c09bb363b9 100644
--- configure.ac
+++ configure.ac
@@ -5,7 +5,7 @@ dnl
 sinclude(acx_nlnetlabs.m4)
 sinclude(dnstap/dnstap.m4)
 
-AC_INIT([NSD],[4.3.7],[[email protected]])
+AC_INIT([NSD],[4.3.8],[[email protected]])
 AC_CONFIG_HEADERS([config.h])
 
 #
@@ -369,6 +369,31 @@ AC_DEFUN([CHECK_SSL], [
         ])
     if test x_$withval != x_no; then
         AC_MSG_CHECKING(for SSL)
+       if test -n "$withval"; then
+               dnl look for openssl install with different version, eg.
+                dnl in /usr/include/openssl11/openssl/ssl.h
+                dnl and /usr/lib64/openssl11/libssl.so
+                dnl with the --with-ssl=/usr/include/openssl11
+                if test ! -f "$withval/include/openssl/ssl.h" -a -f 
"$withval/openssl/ssl.h"; then
+                        ssldir="$withval"
+                        found_ssl="yes"
+                        withval=""
+                        ssldir_include="$ssldir"
+                        CPPFLAGS="$CPPFLAGS -I$ssldir_include";
+                        dnl find the libdir
+                        ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
+                        if test -f "$ssldir_lib/libssl.a" -o -f 
"$ssldir_lib/libssl.so"; then
+                                : # found here
+                        else
+                                ssldir_lib=`echo $ssldir | sed -e 
's/include/lib64/'`
+                                if test -f "$ssldir_lib/libssl.a" -o -f 
"$ssldir_lib/libssl.so"; then
+                                        : # found here
+                                else
+                                        AC_MSG_ERROR([Could not find openssl 
lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or 
"/usr/include/openssl11"])
+                                fi
+                        fi
+                fi
+       fi
         if test x_$withval = x_ -o x_$withval = x_yes; then
             withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/sfw 
/usr/local /usr /usr/local/opt/openssl"
         fi
@@ -376,10 +401,15 @@ AC_DEFUN([CHECK_SSL], [
             ssldir="$dir"
             if test -f "$dir/include/openssl/ssl.h"; then
                 found_ssl="yes";
-                AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL 
libraries installed.])
                 if test x_$ssldir != x_/usr; then
                     CPPFLAGS="$CPPFLAGS -I$ssldir/include";
                 fi
+               ssldir_include="$ssldir/include"
+               if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
+                       ssldir_lib="$ssldir/lib64"
+               else
+                       ssldir_lib="$ssldir/lib"
+               fi
                 break;
             fi
         done
@@ -388,11 +418,12 @@ AC_DEFUN([CHECK_SSL], [
         else
             AC_MSG_RESULT([found in $ssldir])
             HAVE_SSL=yes
+            AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL 
libraries installed.])
             if test x_$ssldir != x_/usr; then
-                LDFLAGS="$LDFLAGS -L$ssldir/lib";
+                LDFLAGS="$LDFLAGS -L$ssldir_lib";
             fi
            if test x_$ssldir = x_/usr/sfw; then
-               LDFLAGS="$LDFLAGS -R$ssldir/lib";
+               LDFLAGS="$LDFLAGS -R$ssldir_lib";
            fi
         fi
         AC_SUBST(HAVE_SSL)
@@ -1049,7 +1080,12 @@ if test x$HAVE_SSL = x"yes"; then
        SSL_LIBS="-lssl"
        AC_SUBST(SSL_LIBS)
        AC_CHECK_HEADERS([openssl/ssl.h openssl/err.h openssl/rand.h 
openssl/ocsp.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT])
-       AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup 
ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level 
CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params])
+       AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup 
ERR_load_crypto_strings OPENSSL_init_crypto CRYPTO_memcmp 
EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params 
EVP_MAC_CTX_get_mac_size SHA1_Init])
+       if test "$ac_cv_func_SHA1_Init" = "yes"; then
+               ACX_FUNC_DEPRECATED([SHA1_Init], [(void)SHA1_Init(NULL);], [
+#include <openssl/sha.h>
+])
+       fi
        AC_CHECK_DECLS([SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
@@ -1076,7 +1112,12 @@ AC_INCLUDES_DEFAULT
 
        BAKLIBS="$LIBS"
        LIBS="-lssl $LIBS"
-       AC_CHECK_FUNCS([OPENSSL_init_ssl])
+       AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_get1_peer_certificate 
SSL_CTX_set_security_level ERR_load_SSL_strings])
+       if test "$ac_cv_func_ERR_load_SSL_strings" = "yes"; then
+               ACX_FUNC_DEPRECATED([ERR_load_SSL_strings], 
[(void)ERR_load_SSL_strings();], [
+#include <openssl/ssl.h>
+])
+       fi
        LIBS="$BAKLIBS"
 
 else
diff --git dname.c dname.c
index 6b8c812e5a6..487d2535a2b 100644
--- dname.c
+++ dname.c
@@ -243,6 +243,7 @@ int dname_parse_wire(uint8_t* dname, const char* name)
                }
                *h = label_length;
                h = p;
+               p++;
        }
 
        /* Add root label.  */
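Review bot: The added `p++;` is the entire #191 fix but carries no comment, and the loop it belongs to starts above the hunk while the return sits below it, so the invariant it restores is not visible from the line itself. After `h = p;` the pointer `h` marks the byte that will receive the next label length, and `p` must move past that byte so subsequent label data and, presumably, the length derived from `p` once the root label is appended, account for it; a comment such as `/* h reserves the next length byte; advance p past it */` would make that explicit. Confirm against the function's return statement that the reported length is indeed computed from `p`.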
diff --git doc/ChangeLog doc/ChangeLog
index 80b241c30ea..43c3b7bfd72 100644
--- doc/ChangeLog
+++ doc/ChangeLog
@@ -1,5 +1,70 @@
+7 October 2021: Wouter
+       - Set default for answer-cookie to no. Because in server deployments
+         with mixed server software, a default of yes causes issues.
+       - Tag for 4.3.8rc2, includes the new answer-cookie default.
+
+4 October 2021: Wouter
+       - Tag for 4.3.8rc1.
+
+29 September 2021: Wouter
+       - Fix unit tests for svcb and xot to not touch the default
+         zonelistfile.
+       - Fix unit test for xot tertiary config for zonelistfile default.
+       - Fix unit test for dns-cookies for no unshare, and allow-query
+         for no IPv6 loopback.
+       - Fix unit test allow query to check for IPv6.
+
+22 September 2021: Wouter
+       - Fix #194: Incorrect NSEC3 response for SOA query below delegation
+         point.
+
+13 September 2021: Wouter
+       - Fix compile failure with openssl 1.0.2.
+
+3 September 2021: Wouter
+       - Fix not reachable annotation in radix_find_prefix_node.
+
+31 August 2021: Willem
+       - Fix #191: dname_parse_wire() returns fqdn wireformat length.
+
+26 August 2021: Wouter
+       - Fix #190: NSD returns 3 NSEC3 records for NODATA response.
+
+23 August 2021: Wouter
+       - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
+         `query->delegation_rrset' failed.
+
+17 August 2021: Wouter
+       - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
+       - Fix sed script in ssldir split handling.
+
+13 August 2021: Wouter
+       - Merge #187: Support using system-wide crypto policies.
+
+10 August 2021: Wouter
+       - Merge #185 by cesarkuroiwa: Mutual TLS.
+       - Fixes for #185: Document client-cert, client-key and client-key-pw
+         in the man page. Fix yacc semicolon. Fix unused variable warning.
+         Use strlcpy instead of strncpy. Fix spelling error in error
+         printout.
+
+2 August 2021: Wouter
+       - Quieter tpkg/do-tests shell script with -q flag.
+       - For #184: Note that all zones can be targeted by some nsd-control
+         commands in the man page.
+
+30 July 2021: Wouter
+       - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
+       - Fix to compile with OpenSSL 3.0.0beta2.
+       - Fix configure detection of SSL_CTX_set_security_level.
+       - Fix deprecated functions use from openssl 3.0.0beta2.
+
+23 July 2021: Wouter
+       - Fix free on shutdown of XoT SSL context.
+
 22 July 2021: Wouter
        - tag 4.3.7 release, with the fixes between rc1 and this release.
+       - main branch continues for 4.3.8.
 
 20 July 2021: Wouter
        - Fix typo in xfrd-tcp.c.
diff --git iterated_hash.c iterated_hash.c
index e8606a3b06c..8c0d657598b 100644
--- iterated_hash.c
+++ iterated_hash.c
@@ -9,11 +9,16 @@
  */
 #include "config.h"
 #ifdef NSEC3
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
 #include <openssl/sha.h>
+#else
+#include <openssl/evp.h>
+#endif
 #include <stdio.h>
 #include <assert.h>
 
 #include "iterated_hash.h"
+#include "util.h"
 
 int
 iterated_hash(unsigned char out[SHA_DIGEST_LENGTH],
@@ -21,19 +26,49 @@ iterated_hash(unsigned char out[SHA_DIGEST_LENGTH],
        const unsigned char *in, int inlength, int iterations)
 {
 #if defined(NSEC3) && defined(HAVE_SSL)
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
        SHA_CTX ctx;
+#else
+       EVP_MD_CTX* ctx;
+#endif
        int n;
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
+#else
+       ctx = EVP_MD_CTX_create();
+       if(!ctx) {
+               log_msg(LOG_ERR, "out of memory in iterated_hash");
+               return 0;
+       }
+#endif
        assert(in && inlength > 0 && iterations >= 0);
        for(n=0 ; n <= iterations ; ++n)
        {
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
                SHA1_Init(&ctx);
                SHA1_Update(&ctx, in, inlength);
                if(saltlength > 0)
                        SHA1_Update(&ctx, salt, saltlength);
                SHA1_Final(out, &ctx);
+#else
+               if(!EVP_DigestInit(ctx, EVP_sha1()))
+                       log_msg(LOG_ERR, "iterated_hash could not 
EVP_DigestInit");
+
+               if(!EVP_DigestUpdate(ctx, in, inlength))
+                       log_msg(LOG_ERR, "iterated_hash could not 
EVP_DigestUpdate");
+               if(saltlength > 0) {
+                       if(!EVP_DigestUpdate(ctx, salt, saltlength))
+                               log_msg(LOG_ERR, "iterated_hash could not 
EVP_DigestUpdate salt");
+               }
+               if(!EVP_DigestFinal_ex(ctx, out, NULL))
+                       log_msg(LOG_ERR, "iterated_hash could not 
EVP_DigestFinal_ex");
+#endif
                in=out;
                inlength=SHA_DIGEST_LENGTH;
        }
+#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
+#else
+       EVP_MD_CTX_destroy(ctx);
+#endif
        return SHA_DIGEST_LENGTH;
 #else
        (void)out; (void)salt; (void)saltlength;
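Review bot: In the EVP branch a failed digest call is only logged (`if(!EVP_DigestInit(ctx, EVP_sha1())) log_msg(LOG_ERR, ...)`, and likewise for the two EVP_DigestUpdate calls and EVP_DigestFinal_ex) and the loop carries on, so the function still returns SHA_DIGEST_LENGTH with whatever out[] held before, and the caller treats a stale or partial buffer as the NSEC3 hash. The EVP_MD_CTX_create failure a few lines above already returns 0, so the digest failures should take the same exit after freeing the context; the rewrite below routes them through one cleanup label placed before the non-SSL `#else` arm. The four repeated `#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)` tests, two of them with an empty true branch, would read better as a single feature macro decided once next to the includes in the first hunk of this file. The function starts above this hunk and its non-SSL arm continues below it.
```c
	for(n=0 ; n <= iterations ; ++n)
	{
#if defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT)
		/* … unchanged: SHA1_Init / SHA1_Update / SHA1_Final … */
#else
		/* A failed digest step leaves out[] stale; do not report it
		 * as a valid hash, take the same exit as allocation failure. */
		if(!EVP_DigestInit(ctx, EVP_sha1())) {
			log_msg(LOG_ERR, "iterated_hash could not EVP_DigestInit");
			goto fail;
		}
		if(!EVP_DigestUpdate(ctx, in, inlength)) {
			log_msg(LOG_ERR, "iterated_hash could not EVP_DigestUpdate");
			goto fail;
		}
		if(saltlength > 0 && !EVP_DigestUpdate(ctx, salt, saltlength)) {
			log_msg(LOG_ERR, "iterated_hash could not EVP_DigestUpdate salt");
			goto fail;
		}
		if(!EVP_DigestFinal_ex(ctx, out, NULL)) {
			log_msg(LOG_ERR, "iterated_hash could not EVP_DigestFinal_ex");
			goto fail;
		}
#endif
		in=out;
		inlength=SHA_DIGEST_LENGTH;
	}
	/* … unchanged: EVP_MD_CTX_destroy(ctx) and return SHA_DIGEST_LENGTH … */
#if !(defined(HAVE_SHA1_INIT) && !defined(DEPRECATED_SHA1_INIT))
fail:
	EVP_MD_CTX_destroy(ctx);
	return 0;
#endif
```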
diff --git namedb.c namedb.c
index 06bef71147c..772e038b16d 100644
--- namedb.c
+++ namedb.c
@@ -583,10 +583,13 @@ domain_find_ns_rrsets(domain_type* domain, zone_type* 
zone, rrset_type **ns)
 {
        /* return highest NS RRset in the zone that is a delegation above */
        domain_type* result = NULL;
+       rrset_type* rrset = NULL;
        while (domain && domain != zone->apex) {
-               *ns = domain_find_rrset(domain, zone, TYPE_NS);
-               if (*ns)
+               rrset = domain_find_rrset(domain, zone, TYPE_NS);
+               if (rrset) {
+                       *ns = rrset;
                        result = domain;
+               }
                domain = domain->parent;
        }
 
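Review bot: With the store moved under `if (rrset)`, `*ns` is no longer written when no NS RRset exists between the domain and the apex, whereas before the change every iteration wrote it, so a walk that found nothing ended with `*ns == NULL`; a caller that passes an uninitialized `rrset_type*` and inspects `*ns` rather than the NULL return would now read garbage. Initializing the out-parameter on entry, e.g. `*ns = NULL;` beside `rrset_type* rrset = NULL;`, keeps the corrected highest-NS result for the found case and restores the old guarantee for the not-found case, unless every caller is known to initialize it. As a point of style, `rrset` is not used after the loop and could be declared inside the loop body. The function's signature is only in the hunk header and its return lies below the hunk.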
diff --git nsd-checkconf.8.in nsd-checkconf.8.in
index 0a514e6dab0..62f0695577d 100644
--- nsd-checkconf.8.in
+++ nsd-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-checkconf" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7"
+.TH "nsd\-checkconf" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff --git nsd-checkzone.8.in nsd-checkzone.8.in
index 6b31cf9ea7a..76ac2fe2442 100644
--- nsd-checkzone.8.in
+++ nsd-checkzone.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-checkzone" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7"
+.TH "nsd\-checkzone" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8"
 .\" Copyright (c) 2014, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff --git nsd-control.8.in nsd-control.8.in
index ecefed3051c..f7f338c70ae 100644
--- nsd-control.8.in
+++ nsd-control.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-control" "8" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7"
+.TH "nsd\-control" "8" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8"
 .\" Copyright (c) 2011, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
@@ -107,7 +107,8 @@ For bulk removals.
 Write zonefiles to disk, or the given zonefile to disk.  Zones that have
 changed (via AXFR or IXFR) are written, or if the zonefile has not been
 created yet then it is created.  Directory components of the zonefile
-path are created if necessary.
+path are created if necessary. With argument that zone is written if it
+was modified, without argument, all modified zones are written.
 .TP
 .B notify [<zone>]
 Send NOTIFY messages to slave servers.  Sends to the IP addresses
@@ -116,7 +117,8 @@ server.  Usually NSD sends NOTIFY messages right away when 
a master zone
 serial is updated.  If a zone is given, notifies are sent for that zone.
 These slave servers are supposed to initiate a zone transfer request
 later (to this server or another master), this can be allowed via
-the 'provide\-xfr:' acl list configuration.
+the 'provide\-xfr:' acl list configuration. With argument that zone is
+processed, without argument, all zones are processed.
 .TP
 .B transfer [<zone>]
 Attempt to update slave zones that are hosted on this server by contacting
@@ -125,13 +127,15 @@ If a zone is given, that zone is updated.  Usually NSD 
receives a NOTIFY
 from the masters (configured via 'allow\-notify:' acl list) that a new zone
 serial has to be transferred.  For zones with no content, NSD may have backed
 off from asking often because the masters did not respond, but this command
-will reset the backoff to its initial timeout, for frequent retries.
+will reset the backoff to its initial timeout, for frequent retries. With
+argument that zone is transferred, without argument, all zones are transferred.
 .TP
 .B force_transfer [<zone>]
 Force update slave zones that are hosted on this server.  Even if the
 master hosts the same serial number of the zone, a full AXFR is performed
 to fetch it.  If you want to use IXFR and check that the serial number
-increases, use the 'transfer' command.
+increases, use the 'transfer' command. With argument that zone is
+transferred, without argument, all zones are transferred.
 .TP
 .B zonestatus [<zone>]
 Print state of the zone, the serial numbers and since when they have
@@ -142,7 +146,8 @@ zone is up\-to\-date), 'expired' (slave zone has expired), 
'refreshing' (slave
 zone has transfers active).  The serial numbers printed are
 the 'served\-serial' (currently active), the 'commit\-serial' (is in reload),
 the 'notified\-serial' (got notify, busy fetching the data).  The serial
-numbers are only printed if such a serial number is available.
+numbers are only printed if such a serial number is available. With argument
+that zone is printed, without argument, all zones are printed.
 .TP
 .B serverpid
 Prints the PID of the server process.  This is used for statistics (and
diff --git nsd-control.c nsd-control.c
index be615a2f915..528a58c3592 100644
--- nsd-control.c
+++ nsd-control.c
@@ -133,9 +133,7 @@ static void ssl_path_err(const char* s, const char *path)
 {
        unsigned long err;
        err = ERR_peek_error();
-       if (ERR_GET_LIB(err) == ERR_LIB_SYS &&
-               (ERR_GET_FUNC(err) == SYS_F_FOPEN ||
-                ERR_GET_FUNC(err) == SYS_F_FREAD) ) {
+       if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
                fprintf(stderr, "error: %s\n%s: %s\n",
                        s, path, ERR_reason_error_string(err));
                exit(1);
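Review bot: Dropping the `SYS_F_FOPEN`/`SYS_F_FREAD` function-code check means any queued `ERR_LIB_SYS` error, not only one raised while opening or reading `path`, is reported as a problem with `path`; if the caller does not `ERR_clear_error()` before the file operation (not visible in this hunk), a stale entry from an earlier call could be misattributed. The new condition is reasonable given the function codes are gone in OpenSSL 3, but a comment such as `/* OpenSSL 3 has no function codes; any system error here is assumed to come from the file just accessed */` would record why the narrower test was removed. `ERR_reason_error_string()` can also return NULL for an unknown reason code, which the `%s` would then receive; that is pre-existing, but a `? : "unknown"` fallback is cheap.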
@@ -532,7 +530,9 @@ int main(int argc, char* argv[])
 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
        ERR_load_crypto_strings();
 #endif
+#if defined(HAVE_ERR_LOAD_SSL_STRINGS) && 
!defined(DEPRECATED_ERR_LOAD_SSL_STRINGS)
        ERR_load_SSL_strings();
+#endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
        OpenSSL_add_all_algorithms();
 #else
diff --git nsd.8.in nsd.8.in
index 443c0867e41..5c7f52e3311 100644
--- nsd.8.in
+++ nsd.8.in
@@ -1,9 +1,9 @@
-.TH "NSD" "8" "Jul 22, 2021" "NLnet Labs" "NSD 4.3.7"
+.TH "NSD" "8" "Oct 12, 2021" "NLnet Labs" "NSD 4.3.8"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
 .B nsd
-\- Name Server Daemon (NSD) version 4.3.7.
+\- Name Server Daemon (NSD) version 4.3.8.
 .SH "SYNOPSIS"
 .B nsd
 .RB [ \-4 ] 
diff --git nsd.conf.5.in nsd.conf.5.in
index ad4bd542650..4ee4b1292f9 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -1,4 +1,4 @@
-.TH "nsd.conf" "5" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7"
+.TH "nsd.conf" "5" "Oct 12, 2021" "NLnet Labs" "nsd 4.3.8"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
@@ -494,7 +494,7 @@ With the value 0 the rate is unlimited.
 .TP
 .B answer\-cookie:\fR <yes or no>
 Enable to answer to requests containig DNS Cookies as specified in RFC7873.
-Default is yes.
+Default is no.
 .TP
 .B cookie\-secret:\fR <128 bit hex string>
 Servers in an anycast deployment need to be able to  verify  each other's DNS
@@ -884,8 +884,24 @@ It has the following attributes.
 The tls-auth name. Used to refer to this TLS authentication information in the
 access control list.
 .TP
-.B auth-domain-name:\fR <string>
+.B auth\-domain\-name:\fR <string>
 The authentication domain name as defined in RFC8310.
+.TP
+.B client\-cert: <file name of clientcert.pem>
+If you want to use mutual TLS authentication, this is where the client
+certificates can be configured that NSD uses to connect to the upstream
+server to download the zone. The client public key pem cert file can
+be configured here. Also configure a private key with client\-key.
+.TP
+.B client\-key: <file name of clientkey.key>
+If you want to use mutual TLS authentication, the private key file can
+be configured here for the client authentication.
+.TP
+.B client\-key\-pw: <string>
+If the client\-key file uses a password to decrypt the key before it can
+be used, then the password can be specified here as a string.
+It is possible to include other config files with the include: option, and
+this can be used to move that sensitive data to another file, if you wish.
 .SS DNSTAP Logging Options
 DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section.
 This starts a collector process that writes the log information to the
diff --git nsd.conf.sample.in nsd.conf.sample.in
index 6077ccc85c9..9758c37b0c0 100644
--- nsd.conf.sample.in
+++ nsd.conf.sample.in
@@ -325,6 +325,11 @@ remote-control:
        # The authentication domain name as defined in RFC8310.
        #auth-domain-name: "example.com"
 
+       # Client certificate and private key for Mutual TLS authentication
+       #client-cert: "path/to/clientcert.pem"
+       #client-key: "path/to/clientkey.key"
+       #client-key-pw: "password"
+
 # Patterns have zone configuration and they are shared by one or more zones.
 #
 # pattern:
diff --git nsec3.c nsec3.c
index 3cdd572932e..1075812a437 100644
--- nsec3.c
+++ nsec3.c
@@ -1053,12 +1053,21 @@ nsec3_add_ds_proof(struct query *query, struct answer 
*answer,
                                !prev_par->nsec3->nsec3_is_exact);
                        nsec3_add_rrset(query, answer, AUTHORITY_SECTION,
                                prev_par->nsec3->nsec3_cover);
+               } else {
+                       /* the exact case was handled earlier, so this is
+                        * with a closest-encloser proof, if in the part
+                        * before the else the closest encloser proof is done,
+                        * then we do not need to add a DS here because
+                        * the optout proof is already complete. If not,
+                        * we add the nsec3 here to complete the closest
+                        * encloser proof with a next closer */
+                       /* add optout range from parent zone */
+                       /* note: no check of optout bit, resolver checks it */
+                       if(domain->nsec3) {
+                               nsec3_add_rrset(query, answer, 
AUTHORITY_SECTION,
+                                       domain->nsec3->nsec3_ds_parent_cover);
+                       }
                }
-               /* add optout range from parent zone */
-               /* note: no check of optout bit, resolver checks it */
-               if(domain->nsec3)
-                       nsec3_add_rrset(query, answer, AUTHORITY_SECTION,
-                               domain->nsec3->nsec3_ds_parent_cover);
        }
 }
 
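Review bot: The new comment at the head of the else branch says "we do not need to add a DS here" while the code adds an NSEC3 (`domain->nsec3->nsec3_ds_parent_cover`), and its single multi-clause sentence plus the two moved one-liners are hard to read together. A single comment such as `/* not exact and the closest-encloser proof is not complete yet: add the parent-side NSEC3 covering the next closer name (optout range); the optout bit is not checked here, the resolver does that */` states the same intent in one place. The `if` this `else` belongs to starts above the hunk, so the "exact case was handled earlier" claim cannot be checked from here.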
diff --git options.c options.c
index d8fe022b412..6411959e8c6 100644
--- options.c
+++ options.c
@@ -131,7 +131,7 @@ nsd_options_create(region_type* region)
        opt->tls_service_pem = NULL;
        opt->tls_port = TLS_PORT;
        opt->tls_cert_bundle = NULL;
-       opt->answer_cookie = 1;
+       opt->answer_cookie = 0;
        opt->cookie_secret = NULL;
        opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
        opt->control_enable = 0;
diff --git options.h options.h
index bb66acb03d5..f1c57aea2bf 100644
--- options.h
+++ options.h
@@ -340,6 +340,9 @@ struct tls_auth_options {
        rbnode_type node; /* key of tree is name */
        char* name;
        char* auth_domain_name;
+       char* client_cert;
+       char* client_key;
+       char* client_key_pw;
 };
 
 /** zone list free space */
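Review bot: The three new fields carry no comments, and `client_key_pw` in particular holds a plaintext passphrase without any hint that it is sensitive. Suggested: `char* client_cert; /* path to client certificate chain (PEM) for mutual TLS */`, `char* client_key; /* path to the matching private key (PEM) */`, `char* client_key_pw; /* passphrase for client_key; sensitive: keep out of logs and config dumps */`. Where `struct tls_auth_options` is freed is outside this hunk; if that path ever releases the string, wiping it first would be in the spirit of the "ssl-delete secret keys" handling in xfrd_shutdown.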
diff --git query.c query.c
index 44b6690ad67..d0fba064fab 100644
--- query.c
+++ query.c
@@ -1424,6 +1424,7 @@ answer_lookup_zone(struct nsd *nsd, struct query *q, 
answer_type *answer,
                }
 
                if (!q->delegation_domain
+                   || !q->delegation_rrset
                    || (exact && q->qtype == TYPE_DS && closest_encloser == 
q->delegation_domain))
                {
                        if (q->qclass == CLASS_ANY) {
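Review bot: The added `|| !q->delegation_rrset` has no comment saying when `delegation_domain` can be set while `delegation_rrset` is NULL, so a later reader cannot tell whether this is a defensive guard or an expected state. A comment like `/* a delegation_domain without its NS RRset is treated as no delegation (#189) */` on the new line would make that explicit, and if the namedb.c change in this same patch removes the only way that state arises, saying so here tells the reader the guard is belt-and-braces. The enclosing answer_lookup_zone continues outside the hunk.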
diff --git radtree.c radtree.c
index 4bd12a4e6e9..472e9c12898 100644
--- radtree.c
+++ radtree.c
@@ -175,7 +175,7 @@ static int radix_find_prefix_node(struct radtree* rt, 
uint8_t* k,
                *result = n;
        }
        /* cannot reach because of returns when !n above */
-       /* ENOREACH */
+       /* ENOTREACH */
        return 1;
 }
 
diff --git server.c server.c
index c01f022a1c1..f7a2f53c60a 100644
--- server.c
+++ server.c
@@ -1823,7 +1823,9 @@ perform_openssl_init(void)
 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
        ERR_load_crypto_strings();
 #endif
+#if defined(HAVE_ERR_LOAD_SSL_STRINGS) && 
!defined(DEPRECATED_ERR_LOAD_SSL_STRINGS)
        ERR_load_SSL_strings();
+#endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
        OpenSSL_add_all_algorithms();
 #else
@@ -1999,9 +2001,12 @@ server_tls_ctx_setup(char* key, char* pem, char* 
verifypem)
        }
 #endif
 #if defined(SHA256_DIGEST_LENGTH) && defined(SSL_TXT_CHACHA20)
-       /* if we have sha256, set the cipher list to have no known vulns */
-       if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20"))
-               log_crypto_err("could not set cipher list with 
SSL_CTX_set_cipher_list");
+       /* if we detect system-wide crypto policies, use those */
+       if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
+               /* if we have sha256, set the cipher list to have no known 
vulns */
+               if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20"))
+                       log_crypto_err("could not set cipher list with 
SSL_CTX_set_cipher_list");
+       }
 #endif
        if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
                SSL_OP_CIPHER_SERVER_PREFERENCE) !=
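Review bot: The `access("/etc/crypto-policies/config", F_OK)` test silently drops the hard-coded `ECDHE+AESGCM:ECDHE+CHACHA20` list whenever that file exists, but the file's presence does not show that this OpenSSL build actually applies the system policy, so on a mismatch the context falls back to OpenSSL's broader default list with nothing in the log. Logging the decision in the branch that skips the cipher list, e.g. `log_msg(LOG_INFO, "TLS cipher list left to system-wide crypto policies");`, lets an operator see which list is in force. A comment naming the policy mechanism being detected, rather than a bare path, would also help, and `access()` presumably relies on `<unistd.h>` already being included above. The rest of server_tls_ctx_setup is outside the hunk.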
diff --git tsig-openssl.c tsig-openssl.c
index 6cdf47990d0..fff0919c613 100644
--- tsig-openssl.c
+++ tsig-openssl.c
@@ -114,7 +114,9 @@ tsig_openssl_init_algorithm(region_type* region,
 #endif
                return 0;
        }
-#ifndef HAVE_EVP_MAC_CTX_NEW
+#ifdef HAVE_EVP_MAC_CTX_GET_MAC_SIZE
+       algorithm->maximum_digest_size = EVP_MAC_CTX_get_mac_size(hmac_ctx);
+#elif !defined(HAVE_EVP_MAC_CTX_NEW)
        algorithm->maximum_digest_size = EVP_MD_size(hmac_algorithm);
 #else
        algorithm->maximum_digest_size = EVP_MAC_size(hmac_ctx);
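Review bot: `EVP_MAC_CTX_get_mac_size()` can return 0 when the output size is not known for the context, and the new branch stores that into `maximum_digest_size` without a check, whereas the code just above already returns 0 on an earlier setup failure. A check that the stored size is non-zero, mirroring that earlier failure return (including whatever cleanup precedes it, which is hidden by the `#ifdef` above), would avoid registering an algorithm with a zero-length digest limit. The function continues outside the hunk.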
diff --git xfrd-tcp.c xfrd-tcp.c
index 8668ed0981a..a71c1955cfb 100644
--- xfrd-tcp.c
+++ xfrd-tcp.c
@@ -124,6 +124,13 @@ ssl_handshake(struct xfrd_tcp_pipeline* tp)
 
        return 0;
 }
+
+int password_cb(char *buf, int size, int ATTR_UNUSED(rwflag), void *u)
+{
+       strlcpy(buf, (char*)u, size);
+       return strlen(buf);
+}
+
 #endif
 
 /* sort tcppipe, first on IP address, for an IPaddresss, sort on num_unused */
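Review bot: `password_cb` is defined with external linkage but appears to be used only inside this file, so it should be `static` to keep it out of the global namespace and satisfy -Wmissing-prototypes; it also returns `strlen`'s `size_t` through an `int` and dereferences `u` unconditionally, which crashes if the callback is ever installed without userdata. Suggested: `static int password_cb(char *buf, int size, int ATTR_UNUSED(rwflag), void *u)`, then `if(!u || size <= 0) return 0;` before the copy and `return (int)strlen(buf);`. A one-line comment stating that this is the OpenSSL PEM passphrase callback that copies the configured client-key-pw into buf, truncated to size, would document the contract.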
@@ -170,6 +177,7 @@ struct xfrd_tcp_set* xfrd_tcp_set_create(struct region* 
region, const char *tls_
                                tls_cert_bundle);
        }
 #else
+       (void)tls_cert_bundle;
        log_msg(LOG_INFO, "xfrd: No TLS 1.3 support - XFR-over-TLS not 
available");
 #endif
        for(i=0; i<XFRD_MAX_TCP; i++)
@@ -708,6 +716,25 @@ xfrd_tcp_open(struct xfrd_tcp_set* set, struct 
xfrd_tcp_pipeline* tp,
                        xfrd_set_refresh_now(zone);
                        return 0;
                }
+
+               /* Load client certificate (if provided) */
+               if (zone->master->tls_auth_options->client_cert &&
+                   zone->master->tls_auth_options->client_key) {
+                       if (SSL_CTX_use_certificate_chain_file(set->ssl_ctx,
+                                                              
zone->master->tls_auth_options->client_cert) != 1) {
+                               log_msg(LOG_ERR, "xfrd tls: Unable to load 
client certificate from file %s", zone->master->tls_auth_options->client_cert);
+                       }
+
+                       if (zone->master->tls_auth_options->client_key_pw) {
+                               SSL_CTX_set_default_passwd_cb(set->ssl_ctx, 
password_cb);
+                               
SSL_CTX_set_default_passwd_cb_userdata(set->ssl_ctx, 
zone->master->tls_auth_options->client_key_pw);
+                       }
+
+                       if (SSL_CTX_use_PrivateKey_file(set->ssl_ctx, 
zone->master->tls_auth_options->client_key, SSL_FILETYPE_PEM) != 1) {
+                               log_msg(LOG_ERR, "xfrd tls: Unable to load 
private key from file %s", zone->master->tls_auth_options->client_key);
+                       }
+               }
+
                tp->handshake_done = 0;
                if(!ssl_handshake(tp)) {
                        if(tp->handshake_want == SSL_ERROR_SYSCALL) {
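Review bot: A failed certificate or key load is logged at LOG_ERR and then the code proceeds to the handshake anyway, so a zone configured for mutual TLS silently connects without client credentials (fail-open), unlike the failure just above which calls `xfrd_set_refresh_now(zone)` and returns 0. `set->ssl_ctx` also looks like the one context shared by every pipeline in the set, so the cert and key are installed into a shared object on each connect and stay in place for later connections to masters that configured no client cert; a per-master context, or the per-connection `SSL_use_certificate_chain_file`/`SSL_use_PrivateKey_file` on the SSL object, would scope them. `SSL_CTX_check_private_key()` after the key load would additionally catch a cert/key mismatch before the handshake. xfrd_tcp_open continues outside the hunk, so any cleanup that precedes the existing `return 0` above has to be mirrored in the new failure paths below.
```c
		/* Load client certificate (if provided) */
		if (zone->master->tls_auth_options->client_cert &&
		    zone->master->tls_auth_options->client_key) {
			if (SSL_CTX_use_certificate_chain_file(set->ssl_ctx,
			    zone->master->tls_auth_options->client_cert) != 1) {
				log_msg(LOG_ERR, "xfrd tls: Unable to load client certificate from file %s", zone->master->tls_auth_options->client_cert);
				/* fail closed: do not handshake without the configured credentials */
				xfrd_set_refresh_now(zone);
				return 0;
			}
			/* … unchanged: passphrase callback setup for client_key_pw … */
			if (SSL_CTX_use_PrivateKey_file(set->ssl_ctx,
			    zone->master->tls_auth_options->client_key, SSL_FILETYPE_PEM) != 1
			    || SSL_CTX_check_private_key(set->ssl_ctx) != 1) {
				log_msg(LOG_ERR, "xfrd tls: Unable to load private key from file %s", zone->master->tls_auth_options->client_key);
				xfrd_set_refresh_now(zone);
				return 0;
			}
		}
```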
diff --git xfrd.c xfrd.c
index 6f5768f792d..c40e8ca57a5 100644
--- xfrd.c
+++ xfrd.c
@@ -402,6 +402,10 @@ xfrd_shutdown()
        daemon_remote_delete(xfrd->nsd->rc); /* ssl-delete secret keys */
        if (xfrd->nsd->tls_ctx)
                SSL_CTX_free(xfrd->nsd->tls_ctx);
+#  ifdef HAVE_TLS_1_3
+       if (xfrd->tcp_set->ssl_ctx)
+               SSL_CTX_free(xfrd->tcp_set->ssl_ctx);
+#  endif
 #endif
 #ifdef USE_DNSTAP
        dt_collector_close(nsd.dt_collector, &nsd);

-- 
I'm not entirely sure you are real.
