netmgr: Add additional safeguards to netmgr/tls.c

This commit adds couple of additional safeguards against running sends/reads on inactive sockets. The changes was modeled after the changes we made to netmgr/tcpdns.c
2026-06-11 04:30:00 -04:00 · 2020-11-10 11:23:05 +01:00 · 2020-11-10 11:23:05 +01:00 · fa424225af
commit fa424225af
parent d2a2804069
7 changed files with 142 additions and 82 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -982,15 +982,13 @@ named_config_getdscp(const cfg_obj_t *config, isc_dscp_t *dscpp) {

 struct keyalgorithms {
 	const char *str;
-	enum {
-		hmacnone,
-		hmacmd5,
-		hmacsha1,
-		hmacsha224,
-		hmacsha256,
-		hmacsha384,
-		hmacsha512
-	} hmac;
+	enum { hmacnone,
+	       hmacmd5,
+	       hmacsha1,
+	       hmacsha224,
+	       hmacsha256,
+	       hmacsha384,
+	       hmacsha512 } hmac;
 	unsigned int type;
 	uint16_t size;
 } algorithms[] = { { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@ -129,7 +129,7 @@ EXTERN bool named_g_forcelock		   INIT(false);
 #if NAMED_RUN_PID_DIR
 EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/named/"
 								   "named.pid");
-#else /* if NAMED_RUN_PID_DIR */
+#else  /* if NAMED_RUN_PID_DIR */
 EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/"
 								   "named.pid");
 #endif /* if NAMED_RUN_PID_DIR */
--- a/bin/named/main.c
+++ b/bin/named/main.c
@ -232,7 +232,7 @@ assertion_failed(const char *file, int line, isc_assertiontype_t type,
 					      NAMED_LOGMODULE_MAIN,
 					      ISC_LOG_CRITICAL, "%s", strs[i]);
 			}
-#else /* HAVE_BACKTRACE_SYMBOLS */
+#else  /* HAVE_BACKTRACE_SYMBOLS */
 			for (int i = 0; i < nframes; i++) {
 				isc_log_write(
 					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
@ -521,8 +521,8 @@ printversion(bool verbose) {
 	printf("linked to OpenSSL version: %s\n",
 	       OpenSSL_version(OPENSSL_VERSION));

-#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
-       * 0x10100000L */
+#else  /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
+	* 0x10100000L */
 	printf("linked to OpenSSL version: %s\n",
 	       SSLeay_version(SSLEAY_VERSION));
 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
@ -912,7 +912,7 @@ create_managers(void) {
 		named_g_cpus, named_g_cpus == 1 ? "" : "s");
 #ifdef WIN32
 	named_g_udpdisp = 1;
-#else /* ifdef WIN32 */
+#else  /* ifdef WIN32 */
 	if (named_g_udpdisp == 0) {
 		named_g_udpdisp = named_g_cpus_detected;
 	}
@ -1132,8 +1132,8 @@ setup(void) {
 		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
 		      "linked to OpenSSL version: %s",
 		      OpenSSL_version(OPENSSL_VERSION));
-#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
-       * 0x10100000L */
+#else  /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
+	* 0x10100000L */
 	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
 		      "linked to OpenSSL version: %s",
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -465,7 +465,7 @@ nzd_close(MDB_txn **txnp, bool commit);

 static isc_result_t
 nzd_count(dns_view_t *view, int *countp);
-#else /* ifdef HAVE_LMDB */
+#else  /* ifdef HAVE_LMDB */
 static isc_result_t
 nzf_append(dns_view_t *view, const cfg_obj_t *zconfig);
 #endif /* ifdef HAVE_LMDB */
@ -674,13 +674,11 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp,
 	dns_name_t *name = NULL;
 	isc_buffer_t namebuf;
 	const char *atstr = NULL;
-	enum {
-		INIT_DNSKEY,
-		STATIC_DNSKEY,
-		INIT_DS,
-		STATIC_DS,
-		TRUSTED
-	} anchortype;
+	enum { INIT_DNSKEY,
+	       STATIC_DNSKEY,
+	       INIT_DS,
+	       STATIC_DS,
+	       TRUSTED } anchortype;

 	REQUIRE(namestrp != NULL && *namestrp == NULL);
 	REQUIRE(ds != NULL);
@ -1390,7 +1388,7 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
 	if (!strcasecmp(str, "fixed")) {
 #if DNS_RDATASET_FIXED
 		mode = DNS_RDATASETATTR_FIXEDORDER;
-#else /* if DNS_RDATASET_FIXED */
+#else  /* if DNS_RDATASET_FIXED */
 		mode = DNS_RDATASETATTR_CYCLIC;
 #endif /* DNS_RDATASET_FIXED */
 	} else if (!strcasecmp(str, "random")) {
@ -2477,7 +2475,7 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
 			    " without `./configure --enable-dnsrps`");
 		return (ISC_R_FAILURE);
 	}
-#else /* ifndef USE_DNSRPS */
+#else  /* ifndef USE_DNSRPS */
 	if (dnsrps_enabled) {
 		if (librpz == NULL) {
 			cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
@ -6825,7 +6823,8 @@ adjust_interfaces(named_server_t *server, isc_mem_t *mctx) {
 		for (view = ISC_LIST_HEAD(server->viewlist);
 		     view != NULL && view != zoneview;
 		     view = ISC_LIST_NEXT(view, link))
-		{}
+		{
+		}
 		if (view == NULL) {
 			continue;
 		}
@ -7754,7 +7753,7 @@ setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			return (ISC_R_FAILURE);
 		}
 	}
-#else /* ifdef HAVE_LMDB */
+#else  /* ifdef HAVE_LMDB */
 	UNUSED(obj);
 #endif /* HAVE_LMDB */

@ -9777,7 +9776,7 @@ run_server(isc_task_t *task, isc_event_t *event) {

 #if defined(HAVE_GEOIP2)
 	geoip = named_g_geoip;
-#else /* if defined(HAVE_GEOIP2) */
+#else  /* if defined(HAVE_GEOIP2) */
 	geoip = NULL;
 #endif /* if defined(HAVE_GEOIP2) */

@ -13389,7 +13388,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 #ifndef HAVE_LMDB
 	FILE *fp = NULL;
 	bool cleanup_config = false;
-#else /* HAVE_LMDB */
+#else  /* HAVE_LMDB */
 	MDB_txn *txn = NULL;
 	MDB_dbi dbi;

@ -13430,7 +13429,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,

 	(void)isc_stdio_close(fp);
 	fp = NULL;
-#else /* HAVE_LMDB */
+#else  /* HAVE_LMDB */
 	/* Make sure we can open the NZD database */
 	result = nzd_writable(view);
 	if (result != ISC_R_SUCCESS) {
@ -13528,7 +13527,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 	/* Save the new zone configuration into the NZD */
 	CHECK(nzd_open(view, 0, &txn, &dbi));
 	CHECK(nzd_save(&txn, dbi, zone, zoneobj));
-#else /* ifdef HAVE_LMDB */
+#else  /* ifdef HAVE_LMDB */
 	/* Append the zone configuration to the NZF */
 	result = nzf_append(view, zoneobj);
 #endif /* HAVE_LMDB */
@ -13544,7 +13543,7 @@ cleanup:
 					  cfg->nzf_config, name, NULL);
 		RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
 	}
-#else /* HAVE_LMDB */
+#else  /* HAVE_LMDB */
 	if (txn != NULL) {
 		(void)nzd_close(&txn, false);
 	}
@ -13569,7 +13568,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 #ifndef HAVE_LMDB
 	FILE *fp = NULL;
 	cfg_obj_t *z;
-#else /* HAVE_LMDB */
+#else  /* HAVE_LMDB */
 	MDB_txn *txn = NULL;
 	MDB_dbi dbi;
 	LOCK(&view->new_zone_lock);
@ -13617,7 +13616,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 	}
 	(void)isc_stdio_close(fp);
 	fp = NULL;
-#else /* HAVE_LMDB */
+#else  /* HAVE_LMDB */
 	/* Make sure we can open the NZD database */
 	result = nzd_writable(view);
 	if (result != ISC_R_SUCCESS) {
@ -13738,7 +13737,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 #ifdef HAVE_LMDB
 		CHECK(nzd_open(view, 0, &txn, &dbi));
 		CHECK(nzd_save(&txn, dbi, zone, zoneobj));
-#else /* ifdef HAVE_LMDB */
+#else  /* ifdef HAVE_LMDB */
 		result = nzf_append(view, zoneobj);
 		if (result != ISC_R_SUCCESS) {
 			TCHECK(putstr(text, "\nNew zone config not saved: "));
@ -13766,7 +13765,7 @@ cleanup:
 	if (fp != NULL) {
 		(void)isc_stdio_close(fp);
 	}
-#else /* HAVE_LMDB */
+#else  /* HAVE_LMDB */
 	if (txn != NULL) {
 		(void)nzd_close(&txn, false);
 	}
@ -13811,7 +13810,7 @@ named_server_changezone(named_server_t *server, char *command,
 	/* Are we accepting new zones in this view? */
 #ifdef HAVE_LMDB
 	if (view->new_zone_db == NULL)
-#else /* ifdef HAVE_LMDB */
+#else  /* ifdef HAVE_LMDB */
 	if (view->new_zone_file == NULL)
 #endif /* HAVE_LMDB */
 	{
@ -13957,7 +13956,7 @@ rmzone(isc_task_t *task, isc_event_t *event) {
 			(void)nzd_close(&txn, false);
 		}
 		UNLOCK(&view->new_zone_lock);
-#else /* ifdef HAVE_LMDB */
+#else  /* ifdef HAVE_LMDB */
 		result = delete_zoneconf(view, cfg->add_parser, cfg->nzf_config,
 					 dns_zone_getorigin(zone),
 					 nzf_writeconf);
@ -14326,7 +14325,7 @@ named_server_showzone(named_server_t *server, isc_lex_t *lex,
 		zconfig = find_name_in_list_from_map(cfg->nzf_config, "zone",
 						     zonename, redirect);
 	}
-#else /* HAVE_LMDB */
+#else  /* HAVE_LMDB */
 	if (zconfig == NULL) {
 		const cfg_obj_t *zlist = NULL;
 		CHECK(get_newzone_config(view, zonename, &nzconfig));
@ -15994,7 +15993,7 @@ named_server_dnstap(named_server_t *server, isc_lex_t *lex,

 	result = dns_dt_reopen(server->dtenv, backups);
 	return (result);
-#else /* ifdef HAVE_DNSTAP */
+#else  /* ifdef HAVE_DNSTAP */
 	UNUSED(server);
 	UNUSED(lex);
 	UNUSED(text);
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@ -869,11 +869,16 @@ isc_nm_tlsdnsconnect(isc_nm_t *mgr, isc_nmiface_t *local, isc_nmiface_t *peer,

 void
 isc__nm_tcpdns_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
-	isc_nmsocket_t *sock = handle->sock;
+	isc_nmsocket_t *sock = NULL;
 	isc__netievent_tcpdnsread_t *ievent = NULL;
 	isc_nmhandle_t *eventhandle = NULL;

-	REQUIRE(handle == sock->statichandle);
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	sock = handle->sock;
+
+	REQUIRE(sock->statichandle == handle);
+	REQUIRE(VALID_NMSOCK(sock));
 	REQUIRE(sock->recv_cb == NULL);
 	REQUIRE(sock->tid == isc_nm_tid());
 	REQUIRE(atomic_load(&sock->client));
--- a/lib/isc/netmgr/tls.c
+++ b/lib/isc/netmgr/tls.c
@ -58,6 +58,20 @@ tls_close_direct(isc_nmsocket_t *sock);
 static void
 async_tls_do_bio(isc_nmsocket_t *sock);

+/*
+ * The socket is closing, outerhandle has been detached, listener is
+ * inactive, or the netmgr is closing: any operation on it should abort
+ * with ISC_R_CANCELED.
+ */
+static bool
+inactive(isc_nmsocket_t *sock) {
+	return (!isc__nmsocket_active(sock) || atomic_load(&sock->closing) ||
+		sock->outerhandle == NULL ||
+		(sock->listener != NULL &&
+		 !isc__nmsocket_active(sock->listener)) ||
+		atomic_load(&sock->mgr->closing));
+}
+
 static void
 tls_senddone(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg) {
 	isc_nmsocket_t *sock = (isc_nmsocket_t *)cbarg;
@ -93,6 +107,11 @@ tls_do_bio(isc_nmsocket_t *sock) {
 	/* We will resume read if TLS layer wants us to */
 	isc_nm_pauseread(sock->outerhandle);

+	if (inactive(sock)) {
+		result = ISC_R_CANCELED;
+		goto error;
+	}
+
 	if (sock->tls.state == TLS_INIT) {
 		(void)SSL_do_handshake(sock->tls.ssl);
 		sock->tls.state = TLS_HANDSHAKE;
@ -178,11 +197,10 @@ tls_do_bio(isc_nmsocket_t *sock) {
 		return;
 	}

-	if (tls_err == 0) {
+	switch (tls_err) {
+	case 0:
 		return;
-	}
-
-	if (tls_err == SSL_ERROR_WANT_WRITE) {
+	case SSL_ERROR_WANT_WRITE:
 		if (!sock->tls.sending) {
 			/*
 			 * Launch tls_do_bio asynchronously. If we're sending
@ -192,9 +210,11 @@ tls_do_bio(isc_nmsocket_t *sock) {
 		} else {
 			return;
 		}
-	} else if (tls_err == SSL_ERROR_WANT_READ) {
+		break;
+	case SSL_ERROR_WANT_READ:
 		isc_nm_resumeread(sock->outerhandle);
-	} else if (tls_err != 0) {
+		break;
+	default:
 		result = tls_error_to_result(tls_err);
 		goto error;
 	}
@ -385,59 +405,72 @@ void
 isc__nm_async_tlssend(isc__networker_t *worker, isc__netievent_t *ev0) {
 	int rv;
 	isc__netievent_tcpsend_t *ievent = (isc__netievent_tcpsend_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
 	isc__nm_uvreq_t *req = ievent->req;
 	ievent->req = NULL;
 	REQUIRE(VALID_UVREQ(req));
-	REQUIRE(worker->id == ievent->sock->tid);
+	REQUIRE(worker->id == sock->tid);

-	if (!atomic_load(&ievent->sock->active)) {
+	if (inactive(sock)) {
+		req->cb.send(req->handle, ISC_R_CANCELED, req->cbarg);
+		isc__nm_uvreq_put(&req, sock);
 		return;
 	}
-	if (!ISC_LIST_EMPTY(ievent->sock->tls.sends)) {
+	if (!ISC_LIST_EMPTY(sock->tls.sends)) {
 		/* We're not the first */
-		ISC_LIST_APPEND(ievent->sock->tls.sends, req, link);
-		tls_do_bio(ievent->sock);
+		ISC_LIST_APPEND(sock->tls.sends, req, link);
+		tls_do_bio(sock);
 		return;
 	}

-	rv = SSL_write(ievent->sock->tls.ssl, req->uvbuf.base, req->uvbuf.len);
+	rv = SSL_write(sock->tls.ssl, req->uvbuf.base, req->uvbuf.len);
 	if (rv < 0) {
 		/*
 		 * We might need to read, we might need to write, or the
 		 * TLS socket might be dead - in any case, we need to
 		 * enqueue the uvreq and let the TLS BIO layer do the rest.
 		 */
-		ISC_LIST_APPEND(ievent->sock->tls.sends, req, link);
-		tls_do_bio(ievent->sock);
+		ISC_LIST_APPEND(sock->tls.sends, req, link);
+		tls_do_bio(sock);
 		return;
 	}
 	if (rv != (int)req->uvbuf.len) {
-		ievent->sock->tls.state = TLS_ERROR;
-		async_tls_do_bio(ievent->sock);
+		sock->tls.state = TLS_ERROR;
+		async_tls_do_bio(sock);
 		return;
 	}
-	req->cb.send(ievent->sock->statichandle, ISC_R_SUCCESS, req->cbarg);
-	isc__nm_uvreq_put(&req, ievent->sock);
-	tls_do_bio(ievent->sock);
+	req->cb.send(sock->statichandle, ISC_R_SUCCESS, req->cbarg);
+	isc__nm_uvreq_put(&req, sock);
+	tls_do_bio(sock);
 	return;
 }

 void
 isc__nm_tls_send(isc_nmhandle_t *handle, isc_region_t *region, isc_nm_cb_t cb,
 		 void *cbarg) {
-	isc_nmsocket_t *sock = handle->sock;
 	isc__netievent_tcpsend_t *ievent = NULL;
 	isc__nm_uvreq_t *uvreq = NULL;
+	isc_nmsocket_t *sock = NULL;
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	sock = handle->sock;

 	REQUIRE(sock->type == isc_nm_tlssocket);

+	if (inactive(sock)) {
+		cb(handle, ISC_R_CANCELED, cbarg);
+		return;
+	}
+
 	uvreq = isc__nm_uvreq_get(sock->mgr, sock);
-	uvreq->uvbuf.base = (char *)region->base;
-	uvreq->uvbuf.len = region->length;
 	isc_nmhandle_attach(handle, &uvreq->handle);
 	uvreq->cb.send = cb;
 	uvreq->cbarg = cbarg;

+	uvreq->uvbuf.base = (char *)region->base;
+	uvreq->uvbuf.len = region->length;
+
 	/*
 	 * We need to create an event and pass it using async channel
 	 */
@ -464,7 +497,18 @@ isc__nm_tls_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
 	isc__netievent_startread_t *ievent = NULL;

 	REQUIRE(VALID_NMHANDLE(handle));
-	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	sock = handle->sock;
+
+	REQUIRE(sock->statichandle == handle);
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->recv_cb == NULL);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (inactive(sock)) {
+		cb(handle, ISC_R_NOTCONNECTED, NULL, cbarg);
+		return;
+	}

 	sock = handle->sock;
 	sock->recv_cb = cb;
@ -492,14 +536,20 @@ static void
 timer_close_cb(uv_handle_t *handle) {
 	isc_nmsocket_t *sock = (isc_nmsocket_t *)uv_handle_get_data(handle);
 	INSIST(VALID_NMSOCK(sock));
-	isc__nmsocket_detach(&sock);
+	tls_close_direct(sock);
 }

 static void
 tls_close_direct(isc_nmsocket_t *sock) {
 	REQUIRE(sock->tid == isc_nm_tid());

-	/* We don't need atomics here, it's all in single network thread */
+	if (sock->timer_running) {
+		uv_timer_stop(&sock->timer);
+		sock->timer_running = false;
+	}
+
+	/* We don't need atomics here, it's all in single network thread
+	 */
 	if (sock->timer_initialized) {
 		/*
 		 * We need to fire the timer callback to clean it up,
@ -511,8 +561,8 @@ tls_close_direct(isc_nmsocket_t *sock) {
 		uv_close((uv_handle_t *)&sock->timer, timer_close_cb);
 	} else {
 		/*
-		 * At this point we're certain that there are no external
-		 * references, we can close everything.
+		 * At this point we're certain that there are no
+		 * external references, we can close everything.
 		 */
 		if (sock->outerhandle != NULL) {
 			isc_nm_pauseread(sock->outerhandle);
@ -533,6 +583,7 @@ tls_close_direct(isc_nmsocket_t *sock) {
 			sock->tls.app_bio = NULL;
 		}
 		atomic_store(&sock->closed, true);
+		isc__nmsocket_detach(&sock);
 	}
 }

@ -541,6 +592,11 @@ isc__nm_tls_close(isc_nmsocket_t *sock) {
 	REQUIRE(VALID_NMSOCK(sock));
 	REQUIRE(sock->type == isc_nm_tlssocket);

+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true)) {
+		return;
+	}
+
 	if (sock->tid == isc_nm_tid()) {
 		tls_close_direct(sock);
 	} else {
@ -601,7 +657,8 @@ isc_nm_tlsconnect(isc_nm_t *mgr, isc_nmiface_t *local, isc_nmiface_t *peer,
 	nsock->connect_cbarg = cbarg;
 	nsock->connect_timeout = timeout;
 	nsock->tls.ctx = ctx;
-	/* We need to initialize SSL now to reference SSL_CTX properly */
+	/* We need to initialize SSL now to reference SSL_CTX properly
+	 */
 	nsock->tls.ssl = SSL_new(nsock->tls.ctx);
 	if (nsock->tls.ssl == NULL) {
 		atomic_store(&nsock->closed, true);
@ -753,9 +810,9 @@ isc_nm_tls_create_server_ctx(const char *keyfile, const char *certfile,
 		}

 		/*
-		 * EVP_PKEY_assign_*() set the referenced key to key however
-		 * these use the supplied key internally and so key will be
-		 * freed when the parent pkey is freed.
+		 * EVP_PKEY_assign_*() set the referenced key to key
+		 * however these use the supplied key internally and so
+		 * key will be freed when the parent pkey is freed.
 		 */
 		EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa);
 		rsa = NULL;
@ -776,7 +833,8 @@ isc_nm_tls_create_server_ctx(const char *keyfile, const char *certfile,
 					   0);
 		X509_NAME_add_entry_by_txt(
 			name, "O", MBSTRING_ASC,
-			(const unsigned char *)"BIND9 ephemeral certificate",
+			(const unsigned char *)"BIND9 ephemeral "
+					       "certificate",
 			-1, -1, 0);
 		X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
 					   (const unsigned char *)"bind9.local",
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -1138,7 +1138,7 @@ static cfg_clausedef_t options_clauses[] = {
 	{ "dnstap-output", &cfg_type_dnstapoutput, 0 },
 	{ "dnstap-identity", &cfg_type_serverid, 0 },
 	{ "dnstap-version", &cfg_type_qstringornone, 0 },
-#else /* ifdef HAVE_DNSTAP */
+#else  /* ifdef HAVE_DNSTAP */
 	{ "dnstap-output", &cfg_type_dnstapoutput,
 	  CFG_CLAUSEFLAG_NOTCONFIGURED },
 	{ "dnstap-identity", &cfg_type_serverid, CFG_CLAUSEFLAG_NOTCONFIGURED },
@ -1158,7 +1158,7 @@ static cfg_clausedef_t options_clauses[] = {
 	{ "fstrm-set-output-queue-model", &cfg_type_fstrm_model, 0 },
 	{ "fstrm-set-output-queue-size", &cfg_type_uint32, 0 },
 	{ "fstrm-set-reopen-interval", &cfg_type_duration, 0 },
-#else /* ifdef HAVE_DNSTAP */
+#else  /* ifdef HAVE_DNSTAP */
 	{ "fstrm-set-buffer-hint", &cfg_type_uint32,
 	  CFG_CLAUSEFLAG_NOTCONFIGURED },
 	{ "fstrm-set-flush-timeout", &cfg_type_uint32,
@ -1176,7 +1176,7 @@ static cfg_clausedef_t options_clauses[] = {
 #endif /* HAVE_DNSTAP */
 #if defined(HAVE_GEOIP2)
 	{ "geoip-directory", &cfg_type_qstringornone, 0 },
-#else /* if defined(HAVE_GEOIP2) */
+#else  /* if defined(HAVE_GEOIP2) */
 	{ "geoip-directory", &cfg_type_qstringornone,
 	  CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif /* HAVE_GEOIP2 */
@ -1750,7 +1750,7 @@ static cfg_tuplefielddef_t rpz_fields[] = {
 #ifdef USE_DNSRPS
 	{ "dnsrps-enable", &cfg_type_boolean, 0 },
 	{ "dnsrps-options", &cfg_type_bracketed_text, 0 },
-#else /* ifdef USE_DNSRPS */
+#else  /* ifdef USE_DNSRPS */
 	{ "dnsrps-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED },
 	{ "dnsrps-options", &cfg_type_bracketed_text,
 	  CFG_CLAUSEFLAG_NOTCONFIGURED },
@ -1959,7 +1959,7 @@ static cfg_clausedef_t view_clauses[] = {
 #ifdef USE_DNSRPS
 	{ "dnsrps-enable", &cfg_type_boolean, 0 },
 	{ "dnsrps-options", &cfg_type_bracketed_text, 0 },
-#else /* ifdef USE_DNSRPS */
+#else  /* ifdef USE_DNSRPS */
 	{ "dnsrps-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED },
 	{ "dnsrps-options", &cfg_type_bracketed_text,
 	  CFG_CLAUSEFLAG_NOTCONFIGURED },
@ -1973,7 +1973,7 @@ static cfg_clausedef_t view_clauses[] = {
 	{ "dnssec-validation", &cfg_type_boolorauto, 0 },
 #ifdef HAVE_DNSTAP
 	{ "dnstap", &cfg_type_dnstap, 0 },
-#else /* ifdef HAVE_DNSTAP */
+#else  /* ifdef HAVE_DNSTAP */
 	{ "dnstap", &cfg_type_dnstap, CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif /* HAVE_DNSTAP */
 	{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
@ -1993,7 +1993,7 @@ static cfg_clausedef_t view_clauses[] = {
 	{ "lame-ttl", &cfg_type_duration, 0 },
 #ifdef HAVE_LMDB
 	{ "lmdb-mapsize", &cfg_type_sizeval, 0 },
-#else /* ifdef HAVE_LMDB */
+#else  /* ifdef HAVE_LMDB */
 	{ "lmdb-mapsize", &cfg_type_sizeval, CFG_CLAUSEFLAG_NOOP },
 #endif /* ifdef HAVE_LMDB */
 	{ "max-acache-size", &cfg_type_sizenodefault, CFG_CLAUSEFLAG_OBSOLETE },