Merge branch 'updated-with-master/xfr-tsig' into hackathon/poisonlicious-new-tsig-code

Willem Toorop 2025-07-19 15:02:30 +02:00
commit 433bb1c7bc
31 changed files with 5116 additions and 752 deletions


@ -130,7 +130,7 @@ util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
util/rtt.c util/siphash.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \
util/timehist.c util/tube.c util/proxy_protocol.c util/timeval_func.c \
util/timehist.c util/tsig.c util/tube.c util/proxy_protocol.c util/timeval_func.c \
util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
validator/autotrust.c validator/val_anchor.c validator/validator.c \
validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
@ -147,7 +147,7 @@ iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo view.lo \
outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
fptr_wlist.lo siphash.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \
slabhash.lo tcp_conn_limit.lo timehist.lo tsig.lo tube.lo winsock_event.lo \
autotrust.lo val_anchor.lo rpz.lo rfc_1982.lo proxy_protocol.lo \
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \
@ -179,11 +179,12 @@ testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \
testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \
testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \
testcode/unitecs.c testcode/unitauth.c testcode/unitzonemd.c \
testcode/unittcpreuse.c testcode/unitdoq.c testcode/unitinfra.c
testcode/unittcpreuse.c testcode/unitdoq.c testcode/unitinfra.c \
testcode/unittsig.c
UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \
unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \
readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo unitzonemd.lo \
unittcpreuse.lo unitdoq.lo unitinfra.lo
unittcpreuse.lo unitdoq.lo unitinfra.lo unittsig.lo
UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \
$(COMPAT_OBJ)
DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \
@ -719,6 +720,7 @@ depend:
# build rules
ipset.lo ipset.o: $(srcdir)/ipset/ipset.c
tsig.lo tsig.o: $(srcdir)/util/tsig.c config.h $(srcdir)/util/tsig.h
doqclient.lo doqclient.o: $(srcdir)/testcode/doqclient.c
unitdoq.lo unitdoq.o: $(srcdir)/testcode/unitdoq.c
@ -957,7 +959,8 @@ configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configy
$(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h util/configparser.h
configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/random.h $(srcdir)/sldns/str2wire.h util/configparser.h
$(srcdir)/util/random.h $(srcdir)/util/tsig.h $(srcdir)/util/locks.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/parseutil.h util/configparser.h
shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
@ -1002,7 +1005,8 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
$(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_neg.h \
$(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h $(srcdir)/daemon/remote.h
$(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h $(srcdir)/util/tsig.h \
$(srcdir)/daemon/remote.h
locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
@ -1082,6 +1086,11 @@ tcp_conn_limit.lo tcp_conn_limit.o: $(srcdir)/util/tcp_conn_limit.c config.h $(s
$(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h \
$(srcdir)/util/timeval_func.h
tsig.lo tsig.o: $(srcdir)/util/tsig.c config.h $(srcdir)/util/tsig.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/dname.h
tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h \
@ -1227,9 +1236,11 @@ checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/u
$(srcdir)/testcode/checklocks.h
ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h
ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h
tsig.lo tsig.o: $(srcdir)/util/tsig.c $(srcdir)/util/tsig.h config.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/log.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/data/dname.h
tsig.lo tsig.o: $(srcdir)/util/tsig.c config.h $(srcdir)/util/tsig.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/dname.h
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@ -1312,6 +1323,10 @@ unitinfra.lo unitinfra.o: $(srcdir)/testcode/unitinfra.c config.h $(srcdir)/test
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h
unittsig.lo unittsig.o: $(srcdir)/testcode/unittsig.c config.h $(srcdir)/util/tsig.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/testcode/unitmain.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \
@ -1347,7 +1362,7 @@ daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
$(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
$(srcdir)/sldns/keyraw.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h
$(srcdir)/util/tsig.h $(srcdir)/sldns/keyraw.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
@ -1397,26 +1412,26 @@ unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
$(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/ub_event.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/util/tsig.h $(srcdir)/sldns/sbuffer.h $(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/random.h $(srcdir)/util/tsig.h $(srcdir)/util/locks.h $(srcdir)/util/rbtree.h $(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
$(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/proxy_protocol.h \
$(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
$(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
$(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/util/proxy_protocol.h $(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \
$(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h \
$(srcdir)/dnstap/dtstream.h
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
@ -1436,26 +1451,26 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
$(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/util/tsig.h $(srcdir)/sldns/sbuffer.h $(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/random.h $(srcdir)/util/tsig.h $(srcdir)/util/locks.h $(srcdir)/util/rbtree.h $(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
$(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/proxy_protocol.h \
$(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
$(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
$(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/util/proxy_protocol.h $(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \
$(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h \
$(srcdir)/dnstap/dtstream.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \
@ -1477,7 +1492,7 @@ daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
$(srcdir)/services/rpz.h $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
$(srcdir)/sldns/keyraw.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h
$(srcdir)/util/tsig.h $(srcdir)/sldns/keyraw.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h
stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@ -1571,7 +1586,8 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h
$(srcdir)/daemon/acl_list.h $(srcdir)/util/edns.h $(srcdir)/util/tsig.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_hints.h
libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
@ -1579,7 +1595,7 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
$(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
$(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h $(srcdir)/util/edns.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/tsig.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
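Review bot: The new side of this section carries three separate `tsig.lo tsig.o:` prerequisite lists: the short one added under `# build rules` (only `util/tsig.c`, `config.h` and `util/tsig.h`), the full list added after the `timehist.lo` entry, and the rewritten one after `ipsecmod-whitelist.lo`. No recipe is visible on any of them, so make should merge the prerequisites, but the copies can drift apart; if a later edit keeps only an incomplete copy, the TSIG object could be linked stale after a header it really includes changes. Keep one entry and drop the other two, preferably by rerunning the `depend` target after the merge instead of reconciling the lists by hand. The `worker.lo worker.o:` list is also present twice with the same edit applied to both, so the same cleanup applies there.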

348
aclocal.m4 vendored

@ -1,6 +1,6 @@
# generated automatically by aclocal 1.16.2 -*- Autoconf -*-
# generated automatically by aclocal 1.16.5 -*- Autoconf -*-
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# Copyright (C) 1996-2021 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -14,7 +14,8 @@
m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
#
# Copyright (C) 1996-2001, 2003-2015 Free Software Foundation, Inc.
# Copyright (C) 1996-2001, 2003-2019, 2021-2022 Free Software
# Foundation, Inc.
# Written by Gordon Matzigkeit, 1996
#
# This file is free software; the Free Software Foundation gives
@ -45,7 +46,7 @@ m4_define([_LT_COPYING], [dnl
# along with this program. If not, see <http://www.gnu.org/licenses/>.
])
# serial 58 LT_INIT
# serial 59 LT_INIT
# LT_PREREQ(VERSION)
@ -195,6 +196,7 @@ m4_require([_LT_FILEUTILS_DEFAULTS])dnl
m4_require([_LT_CHECK_SHELL_FEATURES])dnl
m4_require([_LT_PATH_CONVERSION_FUNCTIONS])dnl
m4_require([_LT_CMD_RELOAD])dnl
m4_require([_LT_DECL_FILECMD])dnl
m4_require([_LT_CHECK_MAGIC_METHOD])dnl
m4_require([_LT_CHECK_SHAREDLIB_FROM_LINKLIB])dnl
m4_require([_LT_CMD_OLD_ARCHIVE])dnl
@ -233,8 +235,8 @@ esac
ofile=libtool
can_build_shared=yes
# All known linkers require a '.a' archive for static linking (except MSVC,
# which needs '.lib').
# All known linkers require a '.a' archive for static linking (except MSVC and
# ICC, which need '.lib').
libext=a
with_gnu_ld=$lt_cv_prog_gnu_ld
@ -736,7 +738,6 @@ _LT_CONFIG_SAVE_COMMANDS([
cat <<_LT_EOF >> "$cfgfile"
#! $SHELL
# Generated automatically by $as_me ($PACKAGE) $VERSION
# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
# NOTE: Changes made to this file will be lost: look at ltmain.sh.
# Provide generalized library-building support services.
@ -786,7 +787,7 @@ _LT_EOF
# if finds mixed CR/LF and LF-only lines. Since sed operates in
# text mode, it properly converts lines to CR/LF. This bash problem
# is reportedly fixed, but why not run on old versions too?
sed '$q' "$ltmain" >> "$cfgfile" \
$SED '$q' "$ltmain" >> "$cfgfile" \
|| (rm -f "$cfgfile"; exit 1)
mv -f "$cfgfile" "$ofile" ||
@ -1048,8 +1049,8 @@ int forced_loaded() { return 2;}
_LT_EOF
echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
$LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
$AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
echo "$AR $AR_FLAGS libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
$AR $AR_FLAGS libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
$RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
cat > conftest.c << _LT_EOF
@ -1073,17 +1074,12 @@ _LT_EOF
_lt_dar_allow_undefined='$wl-undefined ${wl}suppress' ;;
darwin1.*)
_lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;;
darwin*) # darwin 5.x on
# if running on 10.5 or later, the deployment target defaults
# to the OS version, if on x86, and 10.4, the deployment
# target defaults to 10.4. Don't you love it?
case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
_lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;;
10.[[012]][[,.]]*)
_lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;;
10.*)
_lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;;
darwin*)
case $MACOSX_DEPLOYMENT_TARGET,$host in
10.[[012]],*|,*powerpc*-darwin[[5-8]]*)
_lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;;
*)
_lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;;
esac
;;
esac
@ -1132,12 +1128,12 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
output_verbose_link_cmd=func_echo_all
_LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dsymutil"
_LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dsymutil"
_LT_TAGVAR(archive_expsym_cmds, $1)="sed 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dar_export_syms$_lt_dsymutil"
_LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dar_export_syms$_lt_dsymutil"
_LT_TAGVAR(archive_expsym_cmds, $1)="$SED 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dar_export_syms$_lt_dsymutil"
_LT_TAGVAR(module_expsym_cmds, $1)="$SED -e 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dar_export_syms$_lt_dsymutil"
m4_if([$1], [CXX],
[ if test yes != "$lt_cv_apple_cc_single_mod"; then
_LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dsymutil"
_LT_TAGVAR(archive_expsym_cmds, $1)="sed 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dar_export_syms$_lt_dsymutil"
_LT_TAGVAR(archive_expsym_cmds, $1)="$SED 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dar_export_syms$_lt_dsymutil"
fi
],[])
else
@ -1251,7 +1247,8 @@ _LT_DECL([], [ECHO], [1], [An echo program that protects backslashes])
# _LT_WITH_SYSROOT
# ----------------
AC_DEFUN([_LT_WITH_SYSROOT],
[AC_MSG_CHECKING([for sysroot])
[m4_require([_LT_DECL_SED])dnl
AC_MSG_CHECKING([for sysroot])
AC_ARG_WITH([sysroot],
[AS_HELP_STRING([--with-sysroot@<:@=DIR@:>@],
[Search for dependent libraries within DIR (or the compiler's sysroot
@ -1268,7 +1265,7 @@ case $with_sysroot in #(
fi
;; #(
/*)
lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
lt_sysroot=`echo "$with_sysroot" | $SED -e "$sed_quote_subst"`
;; #(
no|'')
;; #(
@ -1298,7 +1295,7 @@ ia64-*-hpux*)
# options accordingly.
echo 'int i;' > conftest.$ac_ext
if AC_TRY_EVAL(ac_compile); then
case `/usr/bin/file conftest.$ac_objext` in
case `$FILECMD conftest.$ac_objext` in
*ELF-32*)
HPUX_IA64_MODE=32
;;
@ -1315,7 +1312,7 @@ ia64-*-hpux*)
echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext
if AC_TRY_EVAL(ac_compile); then
if test yes = "$lt_cv_prog_gnu_ld"; then
case `/usr/bin/file conftest.$ac_objext` in
case `$FILECMD conftest.$ac_objext` in
*32-bit*)
LD="${LD-ld} -melf32bsmip"
;;
@ -1327,7 +1324,7 @@ ia64-*-hpux*)
;;
esac
else
case `/usr/bin/file conftest.$ac_objext` in
case `$FILECMD conftest.$ac_objext` in
*32-bit*)
LD="${LD-ld} -32"
;;
@ -1349,7 +1346,7 @@ mips64*-*linux*)
echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext
if AC_TRY_EVAL(ac_compile); then
emul=elf
case `/usr/bin/file conftest.$ac_objext` in
case `$FILECMD conftest.$ac_objext` in
*32-bit*)
emul="${emul}32"
;;
@ -1357,7 +1354,7 @@ mips64*-*linux*)
emul="${emul}64"
;;
esac
case `/usr/bin/file conftest.$ac_objext` in
case `$FILECMD conftest.$ac_objext` in
*MSB*)
emul="${emul}btsmip"
;;
@ -1365,7 +1362,7 @@ mips64*-*linux*)
emul="${emul}ltsmip"
;;
esac
case `/usr/bin/file conftest.$ac_objext` in
case `$FILECMD conftest.$ac_objext` in
*N32*)
emul="${emul}n32"
;;
@ -1385,14 +1382,14 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
# not appear in the list.
echo 'int i;' > conftest.$ac_ext
if AC_TRY_EVAL(ac_compile); then
case `/usr/bin/file conftest.o` in
case `$FILECMD conftest.o` in
*32-bit*)
case $host in
x86_64-*kfreebsd*-gnu)
LD="${LD-ld} -m elf_i386_fbsd"
;;
x86_64-*linux*)
case `/usr/bin/file conftest.o` in
case `$FILECMD conftest.o` in
*x86-64*)
LD="${LD-ld} -m elf32_x86_64"
;;
@ -1460,7 +1457,7 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
# options accordingly.
echo 'int i;' > conftest.$ac_ext
if AC_TRY_EVAL(ac_compile); then
case `/usr/bin/file conftest.o` in
case `$FILECMD conftest.o` in
*64-bit*)
case $lt_cv_prog_gnu_ld in
yes*)
@ -1499,9 +1496,22 @@ need_locks=$enable_libtool_lock
m4_defun([_LT_PROG_AR],
[AC_CHECK_TOOLS(AR, [ar], false)
: ${AR=ar}
: ${AR_FLAGS=cru}
_LT_DECL([], [AR], [1], [The archiver])
_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
# Use ARFLAGS variable as AR's operation code to sync the variable naming with
# Automake. If both AR_FLAGS and ARFLAGS are specified, AR_FLAGS should have
# higher priority because thats what people were doing historically (setting
# ARFLAGS for automake and AR_FLAGS for libtool). FIXME: Make the AR_FLAGS
# variable obsoleted/removed.
test ${AR_FLAGS+y} || AR_FLAGS=${ARFLAGS-cr}
lt_ar_flags=$AR_FLAGS
_LT_DECL([], [lt_ar_flags], [0], [Flags to create an archive (by configure)])
# Make AR_FLAGS overridable by 'make ARFLAGS='. Don't try to run-time override
# by AR_FLAGS because that was never working and AR_FLAGS is about to die.
_LT_DECL([], [AR_FLAGS], [\@S|@{ARFLAGS-"\@S|@lt_ar_flags"}],
[Flags to create an archive])
AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file],
[lt_cv_ar_at_file=no
@ -1720,7 +1730,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
lt_cv_sys_max_cmd_len=8192;
;;
bitrig* | darwin* | dragonfly* | freebsd* | netbsd* | openbsd*)
bitrig* | darwin* | dragonfly* | freebsd* | midnightbsd* | netbsd* | openbsd*)
# This has been around since 386BSD, at least. Likely further.
if test -x /sbin/sysctl; then
lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
@ -1763,7 +1773,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
sysv5* | sco5v6* | sysv4.2uw2*)
kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
if test -n "$kargmax"; then
lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ ]]//'`
lt_cv_sys_max_cmd_len=`echo $kargmax | $SED 's/.*[[ ]]//'`
else
lt_cv_sys_max_cmd_len=32768
fi
@ -2213,26 +2223,35 @@ m4_defun([_LT_CMD_STRIPLIB],
striplib=
old_striplib=
AC_MSG_CHECKING([whether stripping libraries is possible])
if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
test -z "$striplib" && striplib="$STRIP --strip-unneeded"
AC_MSG_RESULT([yes])
if test -z "$STRIP"; then
AC_MSG_RESULT([no])
else
# FIXME - insert some real tests, host_os isn't really good enough
case $host_os in
darwin*)
if test -n "$STRIP"; then
if $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
old_striplib="$STRIP --strip-debug"
striplib="$STRIP --strip-unneeded"
AC_MSG_RESULT([yes])
else
case $host_os in
darwin*)
# FIXME - insert some real tests, host_os isn't really good enough
striplib="$STRIP -x"
old_striplib="$STRIP -S"
AC_MSG_RESULT([yes])
else
;;
freebsd*)
if $STRIP -V 2>&1 | $GREP "elftoolchain" >/dev/null; then
old_striplib="$STRIP --strip-debug"
striplib="$STRIP --strip-unneeded"
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
fi
;;
*)
AC_MSG_RESULT([no])
fi
;;
*)
AC_MSG_RESULT([no])
;;
esac
;;
esac
fi
fi
_LT_DECL([], [old_striplib], [1], [Commands to strip libraries])
_LT_DECL([], [striplib], [1])
@ -2555,7 +2574,7 @@ cygwin* | mingw* | pw32* | cegcc*)
case $host_os in
cygwin*)
# Cygwin DLLs use 'cyg' prefix rather than 'lib'
soname_spec='`echo $libname | sed -e 's/^lib/cyg/'``echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext'
soname_spec='`echo $libname | $SED -e 's/^lib/cyg/'``echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext'
m4_if([$1], [],[
sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"])
;;
@ -2565,14 +2584,14 @@ m4_if([$1], [],[
;;
pw32*)
# pw32 DLLs use 'pw' prefix rather than 'lib'
library_names_spec='`echo $libname | sed -e 's/^lib/pw/'``echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext'
library_names_spec='`echo $libname | $SED -e 's/^lib/pw/'``echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext'
;;
esac
dynamic_linker='Win32 ld.exe'
;;
*,cl*)
# Native MSVC
*,cl* | *,icl*)
# Native MSVC or ICC
libname_spec='$name'
soname_spec='$libname`echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext'
library_names_spec='$libname.dll.lib'
@ -2591,7 +2610,7 @@ m4_if([$1], [],[
done
IFS=$lt_save_ifs
# Convert to MSYS style.
sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'`
sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'`
;;
cygwin*)
# Convert to unix form, then to dos form, then back to unix form
@ -2628,7 +2647,7 @@ m4_if([$1], [],[
;;
*)
# Assume MSVC wrapper
# Assume MSVC and ICC wrapper
library_names_spec='$libname`echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext $libname.lib'
dynamic_linker='Win32 ld.exe'
;;
@ -2661,7 +2680,7 @@ dgux*)
shlibpath_var=LD_LIBRARY_PATH
;;
freebsd* | dragonfly*)
freebsd* | dragonfly* | midnightbsd*)
# DragonFly does not have aout. When/if they implement a new
# versioning mechanism, adjust this.
if test -x /usr/bin/objformat; then
@ -2873,9 +2892,6 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
# before this can be enabled.
hardcode_into_libs=yes
# Add ABI-specific directories to the system library path.
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
# Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not
# being certain /sbin/ldconfig is available, command
@ -2884,7 +2900,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
# appending ld.so.conf contents (and includes) to the search path.
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on
@ -2896,6 +2912,18 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
dynamic_linker='GNU/Linux ld.so'
;;
netbsdelf*-gnu)
version_type=linux
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
hardcode_into_libs=yes
dynamic_linker='NetBSD ld.elf_so'
;;
netbsd*)
version_type=sunos
need_lib_prefix=no
@ -3463,7 +3491,7 @@ beos*)
bsdi[[45]]*)
lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
lt_cv_file_magic_cmd='/usr/bin/file -L'
lt_cv_file_magic_cmd='$FILECMD -L'
lt_cv_file_magic_test_file=/shlib/libc.so
;;
@ -3497,14 +3525,14 @@ darwin* | rhapsody*)
lt_cv_deplibs_check_method=pass_all
;;
freebsd* | dragonfly*)
freebsd* | dragonfly* | midnightbsd*)
if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
case $host_cpu in
i*86 )
# Not sure whether the presence of OpenBSD here was a mistake.
# Let's accept both of them until this is cleared up.
lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
lt_cv_file_magic_cmd=/usr/bin/file
lt_cv_file_magic_cmd=$FILECMD
lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
;;
esac
@ -3518,7 +3546,7 @@ haiku*)
;;
hpux10.20* | hpux11*)
lt_cv_file_magic_cmd=/usr/bin/file
lt_cv_file_magic_cmd=$FILECMD
case $host_cpu in
ia64*)
lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
@ -3555,7 +3583,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
lt_cv_deplibs_check_method=pass_all
;;
netbsd*)
netbsd* | netbsdelf*-gnu)
if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
else
@ -3565,7 +3593,7 @@ netbsd*)
newos6*)
lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
lt_cv_file_magic_cmd=/usr/bin/file
lt_cv_file_magic_cmd=$FILECMD
lt_cv_file_magic_test_file=/usr/lib/libnls.so
;;
@ -3692,13 +3720,13 @@ else
mingw*) lt_bad_file=conftest.nm/nofile ;;
*) lt_bad_file=/dev/null ;;
esac
case `"$tmp_nm" -B $lt_bad_file 2>&1 | sed '1q'` in
case `"$tmp_nm" -B $lt_bad_file 2>&1 | $SED '1q'` in
*$lt_bad_file* | *'Invalid file or object type'*)
lt_cv_path_NM="$tmp_nm -B"
break 2
;;
*)
case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
case `"$tmp_nm" -p /dev/null 2>&1 | $SED '1q'` in
*/dev/null*)
lt_cv_path_NM="$tmp_nm -p"
break 2
@ -3724,7 +3752,7 @@ else
# Let the user override the test.
else
AC_CHECK_TOOLS(DUMPBIN, [dumpbin "link -dump"], :)
case `$DUMPBIN -symbols -headers /dev/null 2>&1 | sed '1q'` in
case `$DUMPBIN -symbols -headers /dev/null 2>&1 | $SED '1q'` in
*COFF*)
DUMPBIN="$DUMPBIN -symbols -headers"
;;
@ -3964,7 +3992,7 @@ esac
if test "$lt_cv_nm_interface" = "MS dumpbin"; then
# Gets list of data symbols to import.
lt_cv_sys_global_symbol_to_import="sed -n -e 's/^I .* \(.*\)$/\1/p'"
lt_cv_sys_global_symbol_to_import="$SED -n -e 's/^I .* \(.*\)$/\1/p'"
# Adjust the below global symbol transforms to fixup imported variables.
lt_cdecl_hook=" -e 's/^I .* \(.*\)$/extern __declspec(dllimport) char \1;/p'"
lt_c_name_hook=" -e 's/^I .* \(.*\)$/ {\"\1\", (void *) 0},/p'"
@ -3982,20 +4010,20 @@ fi
# Transform an extracted symbol line into a proper C declaration.
# Some systems (esp. on ia64) link data and code symbols differently,
# so use this general approach.
lt_cv_sys_global_symbol_to_cdecl="sed -n"\
lt_cv_sys_global_symbol_to_cdecl="$SED -n"\
$lt_cdecl_hook\
" -e 's/^T .* \(.*\)$/extern int \1();/p'"\
" -e 's/^$symcode$symcode* .* \(.*\)$/extern char \1;/p'"
# Transform an extracted symbol line into symbol name and symbol address
lt_cv_sys_global_symbol_to_c_name_address="sed -n"\
lt_cv_sys_global_symbol_to_c_name_address="$SED -n"\
$lt_c_name_hook\
" -e 's/^: \(.*\) .*$/ {\"\1\", (void *) 0},/p'"\
" -e 's/^$symcode$symcode* .* \(.*\)$/ {\"\1\", (void *) \&\1},/p'"
# Transform an extracted symbol line into symbol name with lib prefix and
# symbol address.
lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n"\
lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="$SED -n"\
$lt_c_name_lib_hook\
" -e 's/^: \(.*\) .*$/ {\"\1\", (void *) 0},/p'"\
" -e 's/^$symcode$symcode* .* \(lib.*\)$/ {\"\1\", (void *) \&\1},/p'"\
@ -4019,7 +4047,7 @@ for ac_symprfx in "" "_"; do
if test "$lt_cv_nm_interface" = "MS dumpbin"; then
# Fake it for dumpbin and say T for any non-static function,
# D for any global variable and I for any imported variable.
# Also find C++ and __fastcall symbols from MSVC++,
# Also find C++ and __fastcall symbols from MSVC++ or ICC,
# which start with @ or ?.
lt_cv_sys_global_symbol_pipe="$AWK ['"\
" {last_section=section; section=\$ 3};"\
@ -4037,9 +4065,9 @@ for ac_symprfx in "" "_"; do
" s[1]~prfx {split(s[1],t,\"@\"); print f,t[1],substr(t[1],length(prfx))}"\
" ' prfx=^$ac_symprfx]"
else
lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
lt_cv_sys_global_symbol_pipe="$SED -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
fi
lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | $SED '/ __gnu_lto/d'"
# Check to see that the pipe works correctly.
pipe_works=no
@ -4061,7 +4089,8 @@ _LT_EOF
if AC_TRY_EVAL(ac_compile); then
# Now try to grab the symbols.
nlist=conftest.nm
if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
$ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD
if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then
# Try sorting and uniquifying the output.
if sort "$nlist" | uniq > "$nlist"T; then
mv -f "$nlist"T "$nlist"
@ -4326,7 +4355,7 @@ m4_if([$1], [CXX], [
;;
esac
;;
freebsd* | dragonfly*)
freebsd* | dragonfly* | midnightbsd*)
# FreeBSD uses GNU C++
;;
hpux9* | hpux10* | hpux11*)
@ -4409,7 +4438,7 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
;;
*)
case `$CC -V 2>&1 | sed 5q` in
case `$CC -V 2>&1 | $SED 5q` in
*Sun\ C*)
# Sun C++ 5.9
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
@ -4433,7 +4462,7 @@ m4_if([$1], [CXX], [
;;
esac
;;
netbsd*)
netbsd* | netbsdelf*-gnu)
;;
*qnx* | *nto*)
# QNX uses GNU C++, but need to define -shared option too, otherwise
@ -4701,6 +4730,12 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
;;
# flang / f18. f95 an alias for gfortran or flang on Debian
flang* | f18* | f95*)
_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
;;
# icc used to be incompatible with GCC.
# ICC 10 doesn't accept -KPIC any more.
icc* | ifort*)
@ -4745,7 +4780,7 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
;;
*)
case `$CC -V 2>&1 | sed 5q` in
case `$CC -V 2>&1 | $SED 5q` in
*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*)
# Sun Fortran 8.3 passes all unrecognized flags to the linker
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
@ -4928,7 +4963,7 @@ m4_if([$1], [CXX], [
if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
_LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } else { print \$ 3 } } }'\'' | sort -u > $export_symbols'
else
_LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e '\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols'
_LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e '\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "L") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols'
fi
;;
pw32*)
@ -4936,7 +4971,7 @@ m4_if([$1], [CXX], [
;;
cygwin* | mingw* | cegcc*)
case $cc_basename in
cl*)
cl* | icl*)
_LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
;;
*)
@ -4945,6 +4980,9 @@ m4_if([$1], [CXX], [
;;
esac
;;
linux* | k*bsd*-gnu | gnu*)
_LT_TAGVAR(link_all_deplibs, $1)=no
;;
*)
_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
;;
@ -4993,20 +5031,23 @@ dnl Note also adjust exclude_expsyms for C++ above.
case $host_os in
cygwin* | mingw* | pw32* | cegcc*)
# FIXME: the MSVC++ port hasn't been tested in a loooong time
# FIXME: the MSVC++ and ICC port hasn't been tested in a loooong time
# When not using gcc, we currently assume that we are using
# Microsoft Visual C++.
# Microsoft Visual C++ or Intel C++ Compiler.
if test yes != "$GCC"; then
with_gnu_ld=no
fi
;;
interix*)
# we just hope/assume this is gcc and not c89 (= MSVC++)
# we just hope/assume this is gcc and not c89 (= MSVC++ or ICC)
with_gnu_ld=yes
;;
openbsd* | bitrig*)
with_gnu_ld=no
;;
linux* | k*bsd*-gnu | gnu*)
_LT_TAGVAR(link_all_deplibs, $1)=no
;;
esac
_LT_TAGVAR(ld_shlibs, $1)=yes
@ -5053,7 +5094,7 @@ dnl Note also adjust exclude_expsyms for C++ above.
_LT_TAGVAR(whole_archive_flag_spec, $1)=
fi
supports_anon_versioning=no
case `$LD -v | $SED -e 's/([^)]\+)\s\+//' 2>&1` in
case `$LD -v | $SED -e 's/([[^)]]\+)\s\+//' 2>&1` in
*GNU\ gold*) supports_anon_versioning=yes ;;
*\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
*\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
@ -5165,6 +5206,7 @@ _LT_EOF
emximp -o $lib $output_objdir/$libname.def'
_LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def'
_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
_LT_TAGVAR(file_list_spec, $1)='@'
;;
interix[[3-9]]*)
@ -5179,7 +5221,7 @@ _LT_EOF
# 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
# time. Moving up from 0x10000000 also allows more sbrk(2) space.
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='sed "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='$SED "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
;;
gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
@ -5222,7 +5264,7 @@ _LT_EOF
_LT_TAGVAR(compiler_needs_object, $1)=yes
;;
esac
case `$CC -V 2>&1 | sed 5q` in
case `$CC -V 2>&1 | $SED 5q` in
*Sun\ C*) # Sun C 5.9
_LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
_LT_TAGVAR(compiler_needs_object, $1)=yes
@ -5234,13 +5276,14 @@ _LT_EOF
if test yes = "$supports_anon_versioning"; then
_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
echo "local: *; };" >> $output_objdir/$libname.ver~
$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-version-script $wl$output_objdir/$libname.ver -o $lib'
fi
case $cc_basename in
tcc*)
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
_LT_TAGVAR(export_dynamic_flag_spec, $1)='-rdynamic'
;;
xlf* | bgf* | bgxlf* | mpixlf*)
@ -5250,7 +5293,7 @@ _LT_EOF
_LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
if test yes = "$supports_anon_versioning"; then
_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
echo "local: *; };" >> $output_objdir/$libname.ver~
$LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
fi
@ -5261,7 +5304,7 @@ _LT_EOF
fi
;;
netbsd*)
netbsd* | netbsdelf*-gnu)
if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
wlarc=
@ -5382,7 +5425,7 @@ _LT_EOF
if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
_LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } else { print \$ 3 } } }'\'' | sort -u > $export_symbols'
else
_LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e '\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols'
_LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e '\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "L") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols'
fi
aix_use_runtimelinking=no
@ -5565,12 +5608,12 @@ _LT_EOF
cygwin* | mingw* | pw32* | cegcc*)
# When not using gcc, we currently assume that we are using
# Microsoft Visual C++.
# Microsoft Visual C++ or Intel C++ Compiler.
# hardcode_libdir_flag_spec is actually meaningless, as there is
# no search path for DLLs.
case $cc_basename in
cl*)
# Native MSVC
cl* | icl*)
# Native MSVC or ICC
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
_LT_TAGVAR(always_export_symbols, $1)=yes
@ -5611,7 +5654,7 @@ _LT_EOF
fi'
;;
*)
# Assume MSVC wrapper
# Assume MSVC and ICC wrapper
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
# Tell ltmain to make .lib files, not .a files.
@ -5659,7 +5702,7 @@ _LT_EOF
;;
# FreeBSD 3 and greater uses gcc -shared to do shared libraries.
freebsd* | dragonfly*)
freebsd* | dragonfly* | midnightbsd*)
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
_LT_TAGVAR(hardcode_direct, $1)=yes
@ -5782,6 +5825,7 @@ _LT_EOF
if test yes = "$lt_cv_irix_exported_symbol"; then
_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
fi
_LT_TAGVAR(link_all_deplibs, $1)=no
else
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@ -5799,11 +5843,12 @@ _LT_EOF
# Fabrice Bellard et al's Tiny C Compiler
_LT_TAGVAR(ld_shlibs, $1)=yes
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
;;
esac
;;
netbsd*)
netbsd* | netbsdelf*-gnu)
if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
else
@ -5870,6 +5915,7 @@ _LT_EOF
emximp -o $lib $output_objdir/$libname.def'
_LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def'
_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
_LT_TAGVAR(file_list_spec, $1)='@'
;;
osf3*)
@ -6425,7 +6471,7 @@ if test yes != "$_lt_caught_CXX_error"; then
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
else
GXX=no
@ -6636,8 +6682,8 @@ if test yes != "$_lt_caught_CXX_error"; then
cygwin* | mingw* | pw32* | cegcc*)
case $GXX,$cc_basename in
,cl* | no,cl*)
# Native MSVC
,cl* | no,cl* | ,icl* | no,icl*)
# Native MSVC or ICC
# hardcode_libdir_flag_spec is actually meaningless, as there is
# no search path for DLLs.
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
@ -6735,6 +6781,7 @@ if test yes != "$_lt_caught_CXX_error"; then
emximp -o $lib $output_objdir/$libname.def'
_LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def'
_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
_LT_TAGVAR(file_list_spec, $1)='@'
;;
dgux*)
@ -6765,7 +6812,7 @@ if test yes != "$_lt_caught_CXX_error"; then
_LT_TAGVAR(archive_cmds_need_lc, $1)=no
;;
freebsd* | dragonfly*)
freebsd* | dragonfly* | midnightbsd*)
# FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
# conventions
_LT_TAGVAR(ld_shlibs, $1)=yes
@ -6800,7 +6847,7 @@ if test yes != "$_lt_caught_CXX_error"; then
# explicitly linking system object files so we need to strip them
# from the output so that they don't get included in the library
# dependencies.
output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
;;
*)
if test yes = "$GXX"; then
@ -6865,7 +6912,7 @@ if test yes != "$_lt_caught_CXX_error"; then
# explicitly linking system object files so we need to strip them
# from the output so that they don't get included in the library
# dependencies.
output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
;;
*)
if test yes = "$GXX"; then
@ -6902,7 +6949,7 @@ if test yes != "$_lt_caught_CXX_error"; then
# 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
# time. Moving up from 0x10000000 also allows more sbrk(2) space.
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='sed "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='$SED "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
;;
irix5* | irix6*)
case $cc_basename in
@ -7042,13 +7089,13 @@ if test yes != "$_lt_caught_CXX_error"; then
_LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
if test yes = "$supports_anon_versioning"; then
_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
echo "local: *; };" >> $output_objdir/$libname.ver~
$CC -qmkshrobj $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-version-script $wl$output_objdir/$libname.ver -o $lib'
fi
;;
*)
case `$CC -V 2>&1 | sed 5q` in
case `$CC -V 2>&1 | $SED 5q` in
*Sun\ C*)
# Sun C++ 5.9
_LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
@ -7204,7 +7251,7 @@ if test yes != "$_lt_caught_CXX_error"; then
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
else
# FIXME: insert proper C++ library support
@ -7288,7 +7335,7 @@ if test yes != "$_lt_caught_CXX_error"; then
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
else
# g++ 2.7 appears to require '-G' NOT '-shared' on this
# platform.
@ -7299,7 +7346,7 @@ if test yes != "$_lt_caught_CXX_error"; then
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
fi
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir'
@ -8186,6 +8233,14 @@ _LT_DECL([], [DLLTOOL], [1], [DLL creation program])
AC_SUBST([DLLTOOL])
])
# _LT_DECL_FILECMD
# ----------------
# Check for a file(cmd) program that can be used to detect file type and magic
m4_defun([_LT_DECL_FILECMD],
[AC_CHECK_TOOL([FILECMD], [file], [:])
_LT_DECL([], [FILECMD], [1], [A file(cmd) program that detects file types])
])# _LD_DECL_FILECMD
# _LT_DECL_SED
# ------------
# Check for a fully-functional sed program, that truncates
@ -8365,8 +8420,8 @@ _LT_DECL([to_tool_file_cmd], [lt_cv_to_tool_file_cmd],
# Helper functions for option handling. -*- Autoconf -*-
#
# Copyright (C) 2004-2005, 2007-2009, 2011-2015 Free Software
# Foundation, Inc.
# Copyright (C) 2004-2005, 2007-2009, 2011-2019, 2021-2022 Free
# Software Foundation, Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
@ -8797,7 +8852,7 @@ LT_OPTION_DEFINE([LTDL_INIT], [convenience],
# ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*-
#
# Copyright (C) 2004-2005, 2007-2008, 2011-2015 Free Software
# Copyright (C) 2004-2005, 2007-2008, 2011-2019, 2021-2022 Free Software
# Foundation, Inc.
# Written by Gary V. Vaughan, 2004
#
@ -8922,7 +8977,8 @@ m4_define([lt_dict_filter],
# ltversion.m4 -- version numbers -*- Autoconf -*-
#
# Copyright (C) 2004, 2011-2015 Free Software Foundation, Inc.
# Copyright (C) 2004, 2011-2019, 2021-2022 Free Software Foundation,
# Inc.
# Written by Scott James Remnant, 2004
#
# This file is free software; the Free Software Foundation gives
@ -8931,23 +8987,23 @@ m4_define([lt_dict_filter],
# @configure_input@
# serial 4179 ltversion.m4
# serial 4245 ltversion.m4
# This file is part of GNU Libtool
m4_define([LT_PACKAGE_VERSION], [2.4.6])
m4_define([LT_PACKAGE_REVISION], [2.4.6])
m4_define([LT_PACKAGE_VERSION], [2.4.7])
m4_define([LT_PACKAGE_REVISION], [2.4.7])
AC_DEFUN([LTVERSION_VERSION],
[macro_version='2.4.6'
macro_revision='2.4.6'
[macro_version='2.4.7'
macro_revision='2.4.7'
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
_LT_DECL(, macro_revision, 0)
])
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
#
# Copyright (C) 2004-2005, 2007, 2009, 2011-2015 Free Software
# Foundation, Inc.
# Copyright (C) 2004-2005, 2007, 2009, 2011-2019, 2021-2022 Free
# Software Foundation, Inc.
# Written by Scott James Remnant, 2004.
#
# This file is free software; the Free Software Foundation gives
@ -9044,8 +9100,8 @@ m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])])
m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])])
m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])])
# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*-
# serial 11 (pkg-config-0.29.1)
# pkg.m4 - Macros to locate and use pkg-config. -*- Autoconf -*-
# serial 12 (pkg-config-0.29.2)
dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
@ -9087,7 +9143,7 @@ dnl
dnl See the "Since" comment for each macro you use to see what version
dnl of the macros you require.
m4_defun([PKG_PREREQ],
[m4_define([PKG_MACROS_VERSION], [0.29.1])
[m4_define([PKG_MACROS_VERSION], [0.29.2])
m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
[m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
])dnl PKG_PREREQ
@ -9132,7 +9188,7 @@ dnl Check to see whether a particular set of modules exists. Similar to
dnl PKG_CHECK_MODULES(), but does not set variables or print errors.
dnl
dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
dnl only at the first occurence in configure.ac, so if the first place
dnl only at the first occurrence in configure.ac, so if the first place
dnl it's called might be skipped (such as if it is within an "if", you
dnl have to call PKG_CHECK_EXISTS manually
AC_DEFUN([PKG_CHECK_EXISTS],
@ -9188,7 +9244,7 @@ AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
pkg_failed=no
AC_MSG_CHECKING([for $1])
AC_MSG_CHECKING([for $2])
_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
_PKG_CONFIG([$1][_LIBS], [libs], [$2])
@ -9198,17 +9254,17 @@ and $1[]_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.])
if test $pkg_failed = yes; then
AC_MSG_RESULT([no])
AC_MSG_RESULT([no])
_PKG_SHORT_ERRORS_SUPPORTED
if test $_pkg_short_errors_supported = yes; then
$1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
else
$1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
$1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
else
$1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
# Put the nasty error message in config.log where it belongs
echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
m4_default([$4], [AC_MSG_ERROR(
m4_default([$4], [AC_MSG_ERROR(
[Package requirements ($2) were not met:
$$1_PKG_ERRORS
@ -9219,8 +9275,8 @@ installed software in a non-standard prefix.
_PKG_TEXT])[]dnl
])
elif test $pkg_failed = untried; then
AC_MSG_RESULT([no])
m4_default([$4], [AC_MSG_FAILURE(
AC_MSG_RESULT([no])
m4_default([$4], [AC_MSG_FAILURE(
[The pkg-config script could not be found or is too old. Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.
@ -9230,10 +9286,10 @@ _PKG_TEXT
To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
])
else
$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
AC_MSG_RESULT([yes])
$3
$3
fi[]dnl
])dnl PKG_CHECK_MODULES
@ -9390,7 +9446,7 @@ AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
# AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997-2020 Free Software Foundation, Inc.
# Copyright (C) 1997-2021 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -9421,7 +9477,7 @@ AC_CONFIG_COMMANDS_PRE(
Usually this means the macro was only invoked conditionally.]])
fi])])
# Copyright (C) 2006-2020 Free Software Foundation, Inc.
# Copyright (C) 2006-2021 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,


@ -253,6 +253,9 @@
/* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
#undef HAVE_EVP_ENCRYPTINIT_EX
/* Define to 1 if you have the `EVP_MAC_CTX_new' function. */
#undef HAVE_EVP_MAC_CTX_NEW
/* Define to 1 if you have the `EVP_MAC_CTX_set_params' function. */
#undef HAVE_EVP_MAC_CTX_SET_PARAMS
@ -334,6 +337,9 @@
/* Define to 1 if you have the <hiredis/hiredis.h> header file. */
#undef HAVE_HIREDIS_HIREDIS_H
/* Define to 1 if you have the `HMAC_CTX_new' function. */
#undef HAVE_HMAC_CTX_NEW
/* Define to 1 if you have the `HMAC_Init_ex' function. */
#undef HAVE_HMAC_INIT_EX
@ -655,6 +661,9 @@
function. */
#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
/* Define to 1 if you have the `SSL_CTX_set_tmp_ecdh' function. */
#undef HAVE_SSL_CTX_SET_TMP_ECDH
/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
#undef HAVE_SSL_GET0_ALPN_SELECTED

452
configure vendored

File diff suppressed because it is too large Load diff


@ -997,7 +997,7 @@ else
AC_MSG_RESULT([no])
fi
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex SSL_CTX_set_tmp_ecdh HMAC_CTX_new EVP_MAC_CTX_new])
# these check_funcs need -lssl
BAKLIBS="$LIBS"
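Review bot: `SSL_CTX_set_tmp_ecdh` is added to the AC_CHECK_FUNCS list that runs before the `# these check_funcs need -lssl` block, so unless LIBS already carries libssl at this point the link probe cannot resolve it and `HAVE_SSL_CTX_SET_TMP_ECDH` stays undefined. As far as I know the OpenSSL headers also provide this name as a macro over SSL_CTX_ctrl rather than as a function, in which case a link probe fails in either position; a declaration check such as `AC_CHECK_DECLS([SSL_CTX_set_tmp_ecdh], [], [], [#include <openssl/ssl.h>])` would be the usual way to detect it. No use of the resulting define is visible on this page, so please confirm that whatever it guards is not silently compiled out. `HMAC_CTX_new` and `EVP_MAC_CTX_new` are libcrypto names and fit this list.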


@ -89,6 +89,7 @@
#include "util/random.h"
#include "util/tube.h"
#include "util/net_help.h"
#include "util/tsig.h"
#include "sldns/keyraw.h"
#include "respip/respip.h"
#include "iterator/iter_fwd.h"
@ -320,6 +321,17 @@ daemon_init(void)
free(daemon);
return NULL;
}
if(!(daemon->env->tsig_key_table = tsig_key_table_create())) {
auth_zones_delete(daemon->env->auth_zones);
acl_list_delete(daemon->acl_interface);
acl_list_delete(daemon->acl);
tcl_list_delete(daemon->tcl);
edns_known_options_delete(daemon->env);
edns_strings_delete(daemon->env->edns_strings);
free(daemon->env);
free(daemon);
return NULL;
}
return daemon;
}
@ -771,6 +783,10 @@ daemon_fork(struct daemon* daemon)
daemon->use_response_ip = !respip_set_is_empty(
daemon->env->respip_set) || have_view_respip_cfg;
/* setup tsig keys */
if(!tsig_key_table_apply_cfg(daemon->env->tsig_key_table, daemon->cfg))
fatal_exit("Could not set up TSIG keys");
/* setup modules */
daemon_setup_modules(daemon);
@ -944,6 +960,7 @@ daemon_delete(struct daemon* daemon)
edns_known_options_delete(daemon->env);
edns_strings_delete(daemon->env->edns_strings);
auth_zones_delete(daemon->env->auth_zones);
tsig_key_table_delete(daemon->env->tsig_key_table);
}
ub_randfree(daemon->rand);
alloc_clear(&daemon->superalloc);
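Review bot: The key table is allocated once in daemon_init and filled by `tsig_key_table_apply_cfg` in daemon_fork, and nothing visible here empties it between the two. If daemon_fork runs again after a configuration reload (its caller is outside this page), a key that was removed or rotated in the new configuration has to stop verifying, so apply_cfg must replace the table contents rather than add to them. I would state that contract at the call, `/* setup tsig keys; replaces all keys from a previous configuration */`, and add a test that reloads with a key removed. All three functions touched here start and end outside their hunks.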


@ -1418,3 +1418,14 @@ remote-control:
# rpz-signal-nxdomain-ra: no
# for-downstream: no
# tags: "example"
# TSIG keys
# tsig-key:
# # The key name is sent to the other party, it must be the same
# name: "keyname"
# # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
# algorithm: sha256
# # secret material, must be the same as the other party uses.
# # base64 encoded random number.
# # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
# secret: "K2tf3TRjvQkVCmJF3/Z9vA=="


@ -4935,6 +4935,42 @@ The RPZ zones can be configured in the config file with these settings in the
If no tags are specified the policies from this clause will be applied for
all clients.
.. _unbound.conf.tsig-key:
TSIG Key Options
^^^^^^^^^^^^^^^^^
The **tsig-key:** clauses specify the TSIG keys that are used.
There can be multiple **tsig-key:** clauses, with each specifying a
different key.
Each key has a name, algorithm and secret key material.
TSIG keys are shared secrets.
Both sides of the connection share the secret information.
Also they must both use the same name for the key, and same algorithm.
With ``include: "key.conf"`` it is possible to put the declaration of the key
or some lines of it in an external file from the main configuration file.
It can also be used without such an include, with it the config statements
and key material can be put in separate files.
@@UAHL@unbound.conf.tsig-key@name@@: *"<key name>"*
Name of the TSIG key.
The key name is transferred in DNS wireformat in the TSIG record, and
is used to reference the TSIG key from where it is configured to be used.
@@UAHL@unbound.conf.tsig-key@algorithm@@: *<algorithm name>*
Name of the algorithm to use with this TSIG key.
This can be md5, sha1, sha224, sha256, sha384 or sha512.
@@UAHL@unbound.conf.tsig-key@secret@@: *"<base64 blob>"*
The secret contents is a base64 string.
A way to get random base64 bytes is e.g.
from ``dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64``
Memory Control Example
----------------------


@ -52,6 +52,7 @@
#include "util/data/msgreply.h"
#include "util/storage/slabhash.h"
#include "util/edns.h"
#include "util/tsig.h"
#include "sldns/sbuffer.h"
#include "iterator/iter_fwd.h"
#include "iterator/iter_hints.h"
@ -81,6 +82,8 @@ context_finalize(struct ub_ctx* ctx)
return UB_INITFAIL;
listen_setup_locks();
log_edns_known_options(VERB_ALGO, ctx->env);
if(!tsig_key_table_apply_cfg(ctx->env->tsig_key_table, cfg))
return UB_INITFAIL;
ctx->local_zones = local_zones_create();
if(!ctx->local_zones)
return UB_NOMEM;


@ -59,6 +59,7 @@
#include "util/tube.h"
#include "util/ub_event.h"
#include "util/edns.h"
#include "util/tsig.h"
#include "services/modstack.h"
#include "services/localzone.h"
#include "services/cache/infra.h"
@ -168,6 +169,18 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
errno = ENOMEM;
return NULL;
}
ctx->env->tsig_key_table = tsig_key_table_create();
if(!ctx->env->tsig_key_table) {
auth_zones_delete(ctx->env->auth_zones);
edns_known_options_delete(ctx->env);
edns_strings_delete(ctx->env->edns_strings);
config_delete(ctx->env->cfg);
free(ctx->env);
ub_randfree(ctx->seed_rnd);
free(ctx);
errno = ENOMEM;
return NULL;
}
ctx->env->alloc = &ctx->superalloc;
ctx->env->worker = NULL;
@ -388,6 +401,7 @@ ub_ctx_delete(struct ub_ctx* ctx)
config_delete(ctx->env->cfg);
edns_known_options_delete(ctx->env);
edns_strings_delete(ctx->env->edns_strings);
tsig_key_table_delete(ctx->env->tsig_key_table);
forwards_delete(ctx->env->fwds);
hints_delete(ctx->env->hints);
auth_zones_delete(ctx->env->auth_zones);
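Review bot: The teardown added to ub_ctx_delete, `tsig_key_table_delete(ctx->env->tsig_key_table);`, frees a table of shared secrets, and its implementation is not visible on this page, so it is worth confirming that it zeroes the key bytes before freeing them. The unit test added in the same commit wipes its own copy with `explicit_bzero(secret, strlen(secret))` before `free`, and the library path should be at least as careful, since libunbound runs inside other applications' address space. The same question applies to the `secret` string of `struct config_tsig_key` released by the `config_delete(ctx->env->cfg)` call a few lines up. I would note the expectation at the call, `/* wipes and frees the TSIG key material */`. Both ub_ctx_create_nopipe and ub_ctx_delete continue outside their hunks.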

917
ltmain.sh Normal file → Executable file

File diff suppressed because it is too large Load diff


@ -494,6 +494,7 @@ typedef enum sldns_enum_ede_code sldns_ede_code;
#define LDNS_TSIG_ERROR_BADMODE 19
#define LDNS_TSIG_ERROR_BADNAME 20
#define LDNS_TSIG_ERROR_BADALG 21
#define LDNS_TSIG_ERROR_BADTRUNC 22
/** DNS Cookie extended rcode */
#define LDNS_EXT_RCODE_BADCOOKIE 23


@ -255,6 +255,7 @@ static sldns_lookup_table sldns_tsig_errors_data[] = {
{ LDNS_TSIG_ERROR_BADMODE, "BADMODE" },
{ LDNS_TSIG_ERROR_BADNAME, "BADNAME" },
{ LDNS_TSIG_ERROR_BADALG, "BADALG" },
{ LDNS_TSIG_ERROR_BADTRUNC, "BADTRUNC" },
{ 0, NULL }
};
sldns_lookup_table* sldns_tsig_errors = sldns_tsig_errors_data;


@ -1362,6 +1362,7 @@ main(int argc, char* argv[])
#ifdef HAVE_NGTCP2
doq_test();
#endif /* HAVE_NGTCP2 */
tsig_test();
if(log_get_lock()) {
lock_basic_destroy((lock_basic_type*)log_get_lock());
}


@ -88,5 +88,7 @@ void tcpreuse_test(void);
void doq_test(void);
/** unit test for infra cache functions */
void infra_test(void);
/** unit test for tsig functions */
void tsig_test(void);
#endif /* TESTCODE_UNITMAIN_H */

969
testcode/unittsig.c Normal file

@ -0,0 +1,969 @@
/*
* testcode/unittsig.c - unit test for TSIG signatures.
*
* Copyright (c) 2025, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**
* \file
* Unit test for tsig code.
*/
#include "config.h"
#include "util/tsig.h"
#include "util/config_file.h"
#include "util/net_help.h"
#include "testcode/unitmain.h"
#include "sldns/parseutil.h"
#include "sldns/pkthdr.h"
#include "sldns/sbuffer.h"
#include "sldns/str2wire.h"
#include "sldns/wire2str.h"
#include <ctype.h>
#define xstr(s) str(s)
#define str(s) #s
#define SRCDIRSTR xstr(SRCDIR)
/** verbosity for this file, 0 no, 1 print some, 2 print packet dumps */
static int vtest = 0;
/**
* Content of the TSIG test files.
*
* The tsig test files have this syntax. It is made of lines, lines started
* with # are a comment. empty lines are ignored.
* file-algorithm <name>
* The name is like md5, sha1, sha256 and if the algorithm is not
* supported at the test run time, the file is skipped, silently.
*
* tsig-key:
* name: "key.name"
* algorithm: "hmac-sha256"
* secret: "<base64"
* the following lines define name:, algorithm: and secret:
* and it adds a tsig-key that can be used.
* del-key <name>
* The tsig key is deleted, from the in-memory key table.
*
* packet
* <hex>
* endpacket
* A packet in hex dump, on the following lines. Until 'endpacket'.
* It can be used to sign or verify.
* check-packet
* <hex>
* endpacket
* A packet in hex dump, on the following lines. Until 'endpacket'.
* It is compared to the packet buffer, and the test fails if not equal.
*
* tsig-sign-query <key> <time> <expected result>
* It TSIG signs with key name, at timestamp in secs, and the
* result of the call is compared with the expected result, and
* the test fails if not equal. The result is in the packet buffer.
* tsig-verify-query <key> <time> <rcode> <tsigerror> <tsigothertime>
* It tsig verifies the packet, looks up key in the key table.
* The verification is at timestamp, in secs. The result is checked,
* the key with keyname of result, the rcode function result, and
* if tsig data is returned, the tsigerror and tsigothertime are
* checked if present. If not equal the test fails.
* If no tsig data is returned, keyname '.', and 0 and 0 are the
* tsigerr and tsigothertime values that are checked.
*
* tsig-sign-shared <key> <time> <expected result>
* Looks up key in key_table and signs a reply with it.
* For a shared packet without prior hash of previous packet, since
* there is no previous packet. If the result is not the expected
* result the test fails.
* tsig-verify-shared <key> <time> <expected result>
* Looks up key in key_table and verifies a reply with it.
* For a shared packet without prior hash of previous packet, since
* there is no previous packet. If the result is not the expected
* result the test fails.
*
* tsig-sign-reply <time> <expected rcode> <expected result2>
* <hex>
* endpacket
* The data from previous packet in the buffer is used with
* tsig-verify-query. Then the hex data is the reply, it it
* used with tsig-sign-reply. The result packet is in the packet
* buffer. The expected rcode is the result of the verify,
* the expected result2 is the result of the sign. If that differs
* the test fails.
*
*/
/** Clean up first keyword */
static char*
get_keyword(char* line)
{
char* s = line;
while(isspace(*s))
s++;
if(strlen(s)>0 && s[strlen(s)-1] == '\n')
s[strlen(s)-1] = 0;
return s;
}
/** Get argument from line */
static char*
get_arg_on_line(char* line, char* keyword)
{
char* s = line;
s += strlen(keyword);
while(isspace(*s))
s++;
return s;
}
/** Get next argument from line */
static char*
get_next_arg_on_line(char** s)
{
char* arg;
if(!*s)
return *s;
while(**s && **s == ' ')
(*s)++;
arg = *s;
if(!**s)
return arg; /* No arguments */
*s = strchr(*s, ' ');
if(!*s) {
*s = arg+strlen(arg);
return arg; /* No further arguments */
}
if(!**s)
return arg;
*(*s)++ = 0;
while(**s && **s == ' ')
(*s)++;
return arg;
}
/** See if algorithm is supported for tsig test */
static int
tsig_algo_test(char* algo)
{
if(strcmp(algo, "md5") == 0)
return 1;
if(strcmp(algo, "sha1") == 0)
return 1;
if(strcmp(algo, "sha224") == 0) {
/* The EVP_sha256 test is also used for sha224. */
#ifdef HAVE_EVP_SHA256
return 1;
#else
return 0;
#endif
}
if(strcmp(algo, "sha256") == 0) {
#ifdef HAVE_EVP_SHA256
return 1;
#else
return 0;
#endif
}
if(strcmp(algo, "sha384") == 0) {
/* The EVP_sha512 test is also used for sha384. */
#ifdef HAVE_EVP_SHA512
return 1;
#else
return 0;
#endif
}
if(strcmp(algo, "sha512") == 0) {
#ifdef HAVE_EVP_SHA512
return 1;
#else
return 0;
#endif
}
if(vtest)
printf("Unknown tsig test algorithm %s\n", algo);
return 0;
}
/** Handle the file_algorithm */
static void
handle_file_algorithm(char* line, int* break_file)
{
char* algo = get_arg_on_line(line, "file-algorithm");
if(!tsig_algo_test(algo)) {
if(vtest)
printf("algorithm not supported\n");
*break_file = 1;
return;
}
if(vtest)
printf("algorithm supported\n");
}
/** Removes quotes if any */
static char*
quote_removal(char* line)
{
if(line[0] == '"') {
char* s = line+1;
if(strlen(s)>0 && s[strlen(s)-1] == '"')
s[strlen(s)-1] = 0;
return s;
}
return line;
}
/** Handle the tsig-key */
static void
handle_tsig_key(struct tsig_key_table* key_table, FILE* in, const char* fname)
{
char line[1024];
char* s;
char* name = NULL, *algorithm = NULL, *secret = NULL;
struct config_tsig_key k;
while(fgets(line, sizeof(line), in)) {
line[sizeof(line)-1]=0;
s = get_keyword(line);
if(strncmp(s, "name:", 5) == 0) {
name = strdup(quote_removal(
get_arg_on_line(s, "name:")));
if(!name)
fatal_exit("out of memory");
} else if(strncmp(s, "algorithm:", 10) == 0) {
algorithm = strdup(quote_removal(
get_arg_on_line(s, "algorithm:")));
if(!algorithm)
fatal_exit("out of memory");
} else if(strncmp(s, "secret:", 7) == 0) {
secret = strdup(quote_removal(
get_arg_on_line(s, "secret:")));
if(!secret)
fatal_exit("out of memory");
} else {
fatal_exit("unknown tsig-key element %s: %s",
fname, s);
}
if(name && algorithm && secret)
break;
}
k.next = NULL;
k.name = name;
k.algorithm = algorithm;
k.secret = secret;
if(!tsig_key_table_add_key(key_table, &k))
fatal_exit("could not tsig_key_table_add_key, out of memory");
if(vtest)
printf("add key %s %s\n", name, algorithm);
free(name);
free(algorithm);
explicit_bzero(secret, strlen(secret));
free(secret);
}
/** Handle the del_key */
static void
handle_del_key(char* line, struct tsig_key_table* key_table)
{
char* name = get_arg_on_line(line, "del_key");
tsig_key_table_del_key_fromstr(key_table, name);
if(vtest)
printf("deleted key %s\n", name);
}
/** skip whitespace */
static void
skip_whites(const char** p)
{
while(1) {
while(isspace((unsigned char)**p))
(*p)++;
if(**p == ';' || **p == '#') {
/* comment, skip until newline */
while(**p && **p != '\n')
(*p)++;
if(**p == '\n')
(*p)++;
} else return;
}
}
/** Read hex part into buffer */
static int
read_hex_segment(char* s, struct sldns_buffer* buf)
{
uint8_t val;
const char* p = s;
while(*p) {
skip_whites(&p);
if(!*p) break;
if(sldns_buffer_position(buf) == sldns_buffer_limit(buf)) {
printf("read hex: buffer too small\n");
return 0;
}
if(sldns_hexdigit_to_int(*p) == -1) {
printf("read hex: not hex: '%c'\n", *p);
return 0;
}
val = sldns_hexdigit_to_int(*p++) << 4;
skip_whites(&p);
if(!*p) {
printf("read hex: expected another, second, hex digit\n");
return 0;
}
if(sldns_hexdigit_to_int(*p) == -1) {
printf("read hex: not hex: '%c'\n", *p);
return 0;
}
val |= sldns_hexdigit_to_int(*p++);
sldns_buffer_write_u8(buf, (uint8_t)val);
skip_whites(&p);
}
return 1;
}
/** Read hex packet until 'endpacket' */
static int
read_packet_hex(char* line, struct sldns_buffer* buf, FILE* in,
const char* fname)
{
char l[102400];
char* s;
sldns_buffer_clear(buf);
if(!read_hex_segment(line, buf)) {
printf("Could not read hex %s: %s\n", fname, line);
return 0;
}
while(fgets(l, sizeof(l), in)) {
l[sizeof(l)-1]=0;
s = get_keyword(l);
if(strcmp(s, "endpacket") == 0)
break;
if(!read_hex_segment(s, buf)) {
printf("Could not read hex %s: %s\n", fname, s);
return 0;
}
}
sldns_buffer_flip(buf);
return 1;
}
/** Handle the packet */
static void
handle_packet(char* line, struct sldns_buffer* pkt, FILE* in,
const char* fname)
{
char* arg = get_arg_on_line(line, "packet");
if(!read_packet_hex(arg, pkt, in, fname))
fatal_exit("Could not read packet");
if(vtest >= 2) {
char* str = sldns_wire2str_pkt(sldns_buffer_begin(pkt),
sldns_buffer_limit(pkt));
if(str)
printf("packet: %s\n", str);
else
printf("could not wire2str_pkt\n");
free(str);
}
}
/** Handle the check-packet */
static void
handle_check_packet(char* line, struct sldns_buffer* pkt, FILE* in,
const char* fname)
{
char* arg = get_arg_on_line(line, "check-packet");
uint8_t data[65536];
sldns_buffer check;
sldns_buffer_init_frm_data(&check, data, sizeof(data));
if(!read_packet_hex(arg, &check, in, fname))
fatal_exit("Could not read check-packet");
if(vtest >= 2) {
char* str = sldns_wire2str_pkt(sldns_buffer_begin(&check),
sldns_buffer_limit(&check));
if(str)
printf("check-packet: %s\n", str);
else
printf("could not wire2str_pkt\n");
free(str);
}
/* Compare the packet */
if(vtest && (sldns_buffer_limit(pkt) != sldns_buffer_limit(&check) ||
memcmp(sldns_buffer_begin(pkt), sldns_buffer_begin(&check),
sldns_buffer_limit(pkt)) != 0)) {
printf("The packet and check-packet are different\n");
if(sldns_buffer_limit(pkt) != sldns_buffer_limit(&check))
printf("Lengths are different %d, %d (check)\n",
(int)sldns_buffer_limit(pkt),
(int)sldns_buffer_limit(&check));
else printf("Lengths are the same %d\n",
(int)sldns_buffer_limit(pkt));
if(vtest >= 2) {
char pkthex[64*1024*2+10], checkhex[64*1024*2+10];
char *pktstr, *checkstr;
hex_ntop(sldns_buffer_begin(pkt), sldns_buffer_limit(pkt),
pkthex, sizeof(pkthex));
hex_ntop(sldns_buffer_begin(&check), sldns_buffer_limit(&check),
checkhex, sizeof(checkhex));
printf(" packet: %s\n", pkthex);
printf("check-packet: %s\n", checkhex);
pktstr = sldns_wire2str_pkt(sldns_buffer_begin(pkt),
sldns_buffer_limit(pkt));
checkstr = sldns_wire2str_pkt(
sldns_buffer_begin(&check),
sldns_buffer_limit(&check));
if(pktstr)
printf(" packet: %s\n", pktstr);
else
printf(" packet: could not wire2str\n");
if(checkstr)
printf("check-packet: %s\n", checkstr);
else
printf("check-packet: could not wire2str\n");
free(pktstr);
free(checkstr);
}
}
unit_assert(sldns_buffer_limit(pkt) == sldns_buffer_limit(&check) &&
memcmp(sldns_buffer_begin(pkt), sldns_buffer_begin(&check),
sldns_buffer_limit(pkt)) == 0);
if(vtest)
printf("check-packet is equal\n");
}
/** Handle the tsig-sign-query */
static void
handle_tsig_sign_query(char* line, struct tsig_key_table* key_table,
struct sldns_buffer* pkt)
{
char* arg = get_arg_on_line(line, "tsig-sign-query");
char* keyname, *s, *timestr, *expectedstr;
int expected_result, ret;
uint64_t timepoint;
struct tsig_data* tsig;
size_t pos;
s = arg;
keyname = get_next_arg_on_line(&s);
timestr = get_next_arg_on_line(&s);
expectedstr = get_next_arg_on_line(&s);
timepoint = (uint64_t)atoll(timestr);
if(timepoint == 0 && strcmp(timestr, "0") != 0)
fatal_exit("expected time argument for %s", timestr);
expected_result = atoi(expectedstr);
if(expected_result == 0 && strcmp(expectedstr, "0") != 0)
fatal_exit("expected int argument for %s", expectedstr);
if(vtest)
printf("tsig-sign-query with %s %d %d\n", keyname,
(int)timepoint, expected_result);
tsig = tsig_create_fromstr(key_table, keyname);
if(!tsig)
fatal_exit("alloc fail or key not found %s", keyname);
/* Put position at the end of the packet to sign it. */
pos = sldns_buffer_limit(pkt);
sldns_buffer_clear(pkt);
sldns_buffer_set_position(pkt, pos);
ret = tsig_sign_query(tsig, pkt, key_table, timepoint);
sldns_buffer_flip(pkt);
if(vtest) {
if(ret == expected_result)
printf("function ok, %s\n", (ret?"success":"fail"));
else
printf("function returned %d, expected result %d\n",
ret, expected_result);
}
unit_assert(ret == expected_result);
tsig_delete(tsig);
}
/** Convert RCODE string to number. */
static int
str2wire_rcode(const char* str)
{
sldns_lookup_table *lt = sldns_lookup_by_name(sldns_rcodes, str);
if(lt) {
return (int)lt->id;
} else if(strncmp(str, "RCODE", 5) == 0) {
return atoi(str+5);
}
/* Try as-is, a number. */
return atoi(str);
}
/** Convert TSIG error code string to number. */
static int
str2wire_tsigerror(const char* str)
{
sldns_lookup_table *lt = sldns_lookup_by_name(sldns_tsig_errors, str);
if(lt) {
return (int)lt->id;
}
/* Try as-is, a number. */
return atoi(str);
}
/** Print TSIG error code to string */
static void
wire2str_tsigerror_buf(int tsigerr, char* buf, size_t len)
{
sldns_lookup_table *lt;
lt = sldns_lookup_by_id(sldns_tsig_errors, tsigerr);
if(lt && lt->name)
snprintf(buf, len, "%s", lt->name);
else snprintf(buf, len, "%d", tsigerr);
}
/** Handle the tsig-verify-query */
static void
handle_tsig_verify_query(char* line, struct tsig_key_table* key_table,
struct sldns_buffer* pkt)
{
char* arg = get_arg_on_line(line, "tsig-verify-query");
char* keyname, *s, *timestr, *expected_rcode_str,
*expected_tsigerr_str, *expected_other_str;
int expected_rcode, expected_tsigerr, ret;
uint64_t timepoint, expected_other;
struct tsig_data* tsig;
char keyname_dname[256];
s = arg;
keyname = get_next_arg_on_line(&s);
timestr = get_next_arg_on_line(&s);
expected_rcode_str = get_next_arg_on_line(&s);
expected_tsigerr_str = get_next_arg_on_line(&s);
expected_other_str = get_next_arg_on_line(&s);
timepoint = (uint64_t)atoll(timestr);
if(timepoint == 0 && strcmp(timestr, "0") != 0)
fatal_exit("expected time argument for %s", timestr);
expected_rcode = str2wire_rcode(expected_rcode_str);
if(expected_rcode == 0 && strcmp(expected_rcode_str, "0") != 0 &&
strcmp(expected_rcode_str, "NOERROR") != 0 &&
strcmp(expected_rcode_str, "RCODE0") != 0)
fatal_exit("expected rcode argument for %s", expected_rcode_str);
expected_tsigerr = str2wire_tsigerror(expected_tsigerr_str);
if(expected_tsigerr == 0 && strcmp(expected_tsigerr_str, "0") != 0 &&
strcmp(expected_tsigerr_str, "NOERROR") != 0)
fatal_exit("expected tsigerrorcode argument for %s",
expected_tsigerr_str);
expected_other = (uint64_t)atoll(expected_other_str);
if(expected_other == 0 && strcmp(expected_other_str, "0") != 0)
fatal_exit("expected int argument for %s", expected_other_str);
if(strlen(keyname) > 0 && keyname[strlen(keyname)-1] == '.')
snprintf(keyname_dname, sizeof(keyname_dname), "%s", keyname);
else snprintf(keyname_dname, sizeof(keyname_dname), "%s.", keyname);
if(vtest) {
char bufrc[16], bufte[16];
sldns_wire2str_rcode_buf(expected_rcode, bufrc, sizeof(bufrc));
wire2str_tsigerror_buf(expected_tsigerr, bufte, sizeof(bufte));
printf("tsig-verify-query with %s %d %s %s %llu\n", keyname,
(int)timepoint, bufrc, bufte,
(unsigned long long)expected_other);
}
/* Put position before TSIG */
if(!tsig_find_rr(pkt)) {
if(vtest)
printf("tsig-verify-query found no TSIG RR\n");
unit_assert(0);
return;
}
ret = tsig_parse_verify_query(key_table, pkt, &tsig, NULL, timepoint);
if(vtest) {
char bufrc[16], bufte[16], retrc[16], rette[16];
sldns_wire2str_rcode_buf(expected_rcode, bufrc, sizeof(bufrc));
wire2str_tsigerror_buf(expected_tsigerr, bufte, sizeof(bufte));
sldns_wire2str_rcode_buf(ret, retrc, sizeof(retrc));
if(tsig)
wire2str_tsigerror_buf(tsig->error, rette, sizeof(rette));
else snprintf(rette, sizeof(rette), "none");
if(ret == expected_rcode)
printf("function ok, rcode %s\n", retrc);
else
printf("function returned %s, expected result %s\n",
retrc, bufrc);
if(tsig) {
char keynm[256];
if(tsig->error == expected_tsigerr)
printf("tsig error ok, it is %s\n", bufte);
else printf("tsig error %s, expected %s\n", rette,
bufte);
if(tsig->other_len == 6) {
if(tsig->other_time == expected_other)
printf("othererrortime ok, it is %llu\n",
(unsigned long long)expected_other);
else printf("othererrortime %llu, expected %llu\n",
(unsigned long long)tsig->other_time,
(unsigned long long)expected_other);
} else {
if(0 == expected_other)
printf("othererrortime ok, none\n");
else printf("othererrortime none, expected %llu\n",
(unsigned long long)expected_other);
}
sldns_wire2str_dname_buf(tsig->key_name,
tsig->key_name_len, keynm, sizeof(keynm));
if(strcmp(keynm, keyname_dname) != 0)
printf("tsig key is %s, expected %s\n",
keynm, keyname_dname);
} else {
if(expected_tsigerr != 0 || expected_other != 0 ||
strcmp(keyname_dname, ".") != 0) {
printf("no tsig data returned, but expected it\n");
}
}
}
unit_assert(ret == expected_rcode);
if(tsig) {
char keynm[256];
unit_assert(tsig->error == expected_tsigerr);
if(tsig->other_len == 6) {
unit_assert(tsig->other_time == (uint64_t)expected_other);
} else {
unit_assert(0 == expected_other);
}
sldns_wire2str_dname_buf(tsig->key_name, tsig->key_name_len,
keynm, sizeof(keynm));
unit_assert(strcmp(keynm, keyname_dname) == 0);
} else {
unit_assert(0 == expected_tsigerr);
unit_assert(0 == expected_other);
unit_assert(strcmp(keyname_dname, ".") == 0);
}
tsig_delete(tsig);
}
/** Handle the tsig-sign-shared */
static void
handle_tsig_sign_shared(char* line, struct tsig_key_table* key_table,
struct sldns_buffer* pkt)
{
char* arg = get_arg_on_line(line, "tsig-sign-shared");
char* keyname, *s, *timestr, *expectedstr;
int expected_result, ret;
uint64_t timepoint;
struct tsig_key* key;
size_t pos;
uint8_t keynm[256];
size_t keynm_len;
s = arg;
keyname = get_next_arg_on_line(&s);
timestr = get_next_arg_on_line(&s);
expectedstr = get_next_arg_on_line(&s);
timepoint = (uint64_t)atoll(timestr);
if(timepoint == 0 && strcmp(timestr, "0") != 0)
fatal_exit("expected time argument for %s", timestr);
expected_result = atoi(expectedstr);
if(expected_result == 0 && strcmp(expectedstr, "0") != 0)
fatal_exit("expected int argument for %s", expectedstr);
if(vtest)
printf("tsig-sign-shared with %s %d %d\n", keyname,
(int)timepoint, expected_result);
keynm_len = sizeof(keynm);
if(sldns_str2wire_dname_buf(keyname, keynm, &keynm_len) != 0)
fatal_exit("could not parse '%s'", keyname);
key = tsig_key_table_search(key_table, keynm, keynm_len);
if(!key)
fatal_exit("key not found %s", keyname);
/* Put position at the end of the packet to sign it. */
pos = sldns_buffer_limit(pkt);
sldns_buffer_clear(pkt);
sldns_buffer_set_position(pkt, pos);
ret = tsig_sign_shared(pkt, key->name, key->algo->wireformat_name,
key->data, key->data_len, timepoint);
sldns_buffer_flip(pkt);
if(vtest) {
if(ret == expected_result)
printf("function ok, ret %d\n", ret);
else
printf("function returned %d, expected result %d\n",
ret, expected_result);
}
unit_assert(ret == expected_result);
}
/** Handle the tsig-verify-shared */
static void
handle_tsig_verify_shared(char* line, struct tsig_key_table* key_table,
struct sldns_buffer* pkt)
{
char* arg = get_arg_on_line(line, "tsig-verify-shared");
char* keyname, *s, *timestr, *expectedstr;
int expected_result, ret;
uint64_t timepoint;
struct tsig_key* key;
uint8_t keynm[256];
size_t keynm_len, pos;
s = arg;
keyname = get_next_arg_on_line(&s);
timestr = get_next_arg_on_line(&s);
expectedstr = get_next_arg_on_line(&s);
timepoint = (uint64_t)atoll(timestr);
if(timepoint == 0 && strcmp(timestr, "0") != 0)
fatal_exit("expected time argument for %s", timestr);
expected_result = atoi(expectedstr);
if(expected_result == 0 && strcmp(expectedstr, "0") != 0)
fatal_exit("expected int argument for %s", expectedstr);
if(vtest)
printf("tsig-verify-shared with %s %d %d\n", keyname,
(int)timepoint, expected_result);
keynm_len = sizeof(keynm);
if(sldns_str2wire_dname_buf(keyname, keynm, &keynm_len) != 0)
fatal_exit("could not parse '%s'", keyname);
key = tsig_key_table_search(key_table, keynm, keynm_len);
if(!key)
fatal_exit("key not found %s", keyname);
pos = sldns_buffer_limit(pkt);
sldns_buffer_clear(pkt);
sldns_buffer_set_limit(pkt, pos);
ret = tsig_verify_shared(pkt, key->name, key->algo->wireformat_name,
key->data, key->data_len, timepoint);
if(vtest) {
if(ret == expected_result)
printf("function ok, ret %d\n", ret);
else
printf("function returned %d, expected result %d\n",
ret, expected_result);
}
unit_assert(ret == expected_result);
}
/** Handle the tsig-sign-reply */
static void
handle_tsig_sign_reply(char* line, FILE* in, const char* fname,
struct tsig_key_table* key_table, struct sldns_buffer* pkt)
{
char* arg = get_arg_on_line(line, "tsig-sign-reply");
char* s, *timestr, *expected_rcode_str, *expectedstr2;
int expected_rcode, expected_result2, ret;
uint64_t timepoint;
struct tsig_data* tsig;
size_t pos;
uint8_t buf[65536];
sldns_buffer reply_pkt;
s = arg;
timestr = get_next_arg_on_line(&s);
expected_rcode_str = get_next_arg_on_line(&s);
expectedstr2 = get_next_arg_on_line(&s);
timepoint = (uint64_t)atoll(timestr);
if(timepoint == 0 && strcmp(timestr, "0") != 0)
fatal_exit("expected time argument for %s", timestr);
expected_rcode = str2wire_rcode(expected_rcode_str);
if(expected_rcode == 0 && strcmp(expected_rcode_str, "0") != 0 &&
strcmp(expected_rcode_str, "NOERROR") != 0 &&
strcmp(expected_rcode_str, "RCODE0") != 0)
fatal_exit("expected rcode argument for %s", expected_rcode_str);
expected_result2 = atoi(expectedstr2);
if(expected_result2 == 0 && strcmp(expectedstr2, "0") != 0)
fatal_exit("expected int argument for %s", expectedstr2);
sldns_buffer_init_frm_data(&reply_pkt, buf, sizeof(buf));
if(!read_packet_hex("", &reply_pkt, in, fname))
fatal_exit("Could not read reply packet");
if(vtest >= 2) {
char* str = sldns_wire2str_pkt(sldns_buffer_begin(&reply_pkt),
sldns_buffer_limit(&reply_pkt));
if(str)
printf("reply packet: %s\n", str);
else
printf("could not wire2str_pkt\n");
free(str);
}
if(vtest) {
char bufrc[16];
sldns_wire2str_rcode_buf(expected_rcode, bufrc, sizeof(bufrc));
printf("tsig-sign-reply with %d %s %d\n", (int)timepoint,
bufrc, expected_result2);
}
/* Verify the query in the packet buffer. Use that TSIG to sign
* a reply. */
if(!tsig_find_rr(pkt)) {
if(vtest)
printf("tsig-verify-query found no TSIG RR\n");
unit_assert(0);
return;
}
ret = tsig_parse_verify_query(key_table, pkt, &tsig, NULL, timepoint);
if(vtest) {
char bufrc[16];
sldns_wire2str_rcode_buf(expected_rcode, bufrc, sizeof(bufrc));
if(ret == expected_rcode)
printf("verify ok, ret %s\n", bufrc);
else
printf("verify returned %d, expected result %d %s\n",
ret, expected_rcode, bufrc);
}
unit_assert(ret == expected_rcode);
/* Put position at the end of the packet to sign it. */
pos = sldns_buffer_limit(&reply_pkt);
sldns_buffer_clear(&reply_pkt);
sldns_buffer_set_position(&reply_pkt, pos);
if(ret != 0) {
/* There was an error, set the rcode for it */
LDNS_RCODE_SET(sldns_buffer_begin(&reply_pkt), ret);
}
ret = tsig_sign_reply(tsig, &reply_pkt, key_table, timepoint);
sldns_buffer_flip(pkt);
if(vtest) {
if(ret == expected_result2)
printf("function ok, %s\n", (ret?"success":"fail"));
else
printf("function returned %d, expected result %d\n",
ret, expected_result2);
}
unit_assert(ret == expected_result2);
tsig_delete(tsig);
sldns_buffer_flip(&reply_pkt);
sldns_buffer_copy(pkt, &reply_pkt);
}
/** Handle one line from the TSIG test file */
static void
handle_line(char* line, struct tsig_key_table* key_table,
struct sldns_buffer* pkt, FILE* in, const char* fname,
int* break_file)
{
char* s = get_keyword(line);
if(vtest)
printf("line: %s\n", s);
if(strncmp(s, "file-algorithm", 14) == 0) {
handle_file_algorithm(s, break_file);
} else if(strcmp(s, "tsig-key:") == 0) {
handle_tsig_key(key_table, in, fname);
} else if(strncmp(s, "delkey", 6) == 0) {
handle_del_key(s, key_table);
} else if(strncmp(s, "packet", 6) == 0) {
handle_packet(s, pkt, in, fname);
} else if(strncmp(s, "check-packet", 12) == 0) {
handle_check_packet(s, pkt, in, fname);
} else if(strncmp(s, "tsig-sign-query", 15) == 0) {
handle_tsig_sign_query(s, key_table, pkt);
} else if(strncmp(s, "tsig-verify-query", 17) == 0) {
handle_tsig_verify_query(s, key_table, pkt);
} else if(strncmp(s, "tsig-sign-shared", 16) == 0) {
handle_tsig_sign_shared(s, key_table, pkt);
} else if(strncmp(s, "tsig-verify-shared", 18) == 0) {
handle_tsig_verify_shared(s, key_table, pkt);
} else if(strncmp(s, "tsig-sign-reply", 15) == 0) {
handle_tsig_sign_reply(s, in,fname, key_table, pkt);
} else if(strncmp(s, "#", 1) == 0) {
/* skip comment */
} else if(strcmp(s, "") == 0) {
/* skip empty lines */
} else {
fatal_exit("Unknown tsig line %s: %s", fname, s);
}
(void)pkt;
}
/** test tsig */
static void
tsig_test_one(const char* fname)
{
struct tsig_key_table* key_table;
sldns_buffer* pkt;
FILE* in;
char line[1024];
int break_file = 0;
unit_show_func("tsig", fname);
key_table = tsig_key_table_create();
if(!key_table)
fatal_exit("out of memory");
pkt = sldns_buffer_new(65536);
if(!pkt)
fatal_exit("out of memory");
sldns_buffer_flip(pkt); /* start with empty buffer */
in = fopen(fname, "r");
if(!in)
fatal_exit("could not open %s: %s", fname, strerror(errno));
while(fgets(line, sizeof(line), in)) {
line[sizeof(line)-1]=0;
handle_line(line, key_table, pkt, in, fname, &break_file);
if(break_file)
break;
}
if(ferror(in))
fatal_exit("error read %s: %s", fname, strerror(errno));
tsig_key_table_delete(key_table);
sldns_buffer_free(pkt);
fclose(in);
}
/** test tsig code */
void
tsig_test(void)
{
unit_show_feature("tsig");
tsig_test_one(SRCDIRSTR "/testdata/tsig_test.1");
tsig_test_one(SRCDIRSTR "/testdata/tsig_test.2");
tsig_test_one(SRCDIRSTR "/testdata/tsig_test.3");
tsig_test_one(SRCDIRSTR "/testdata/tsig_test.4");
tsig_test_one(SRCDIRSTR "/testdata/tsig_test.5");
tsig_test_one(SRCDIRSTR "/testdata/tsig_test.6");
}

165
testdata/tsig_test.1 vendored Normal file

@ -0,0 +1,165 @@
# Test with algorithm MD5
file-algorithm md5
tsig-key:
name: "test.key"
algorithm: md5
secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
packet
# www.example.net. IN TXT
3a03010000010000000000000377777707657861
6d706c65036e65740000100001
endpacket
# check with the same contents
check-packet
3a03010000010000000000000377777707657861
6d706c65036e65740000100001
endpacket
# sign the query with <key> <timepoint> <expected function ret>
tsig-sign-query test.key 1750411954 1
check-packet
3a03010000010000000000010377777707657861
6d706c65036e657400001000010474657374036b
65790000fa00ff00000000003a08686d61632d6d
6435077369672d616c670372656703696e740000
0068552ab2012c0010d4a4778ce91160dc5dfd85
7e66f57bda3a0300000000
endpacket
# www.example.net A
packet
e707002000010000000000010377777707657861
6d706c65036e6574000001000100002910000000
00000000
endpacket
tsig-sign-query test.key 1750419725 1
check-packet
e707002000010000000000020377777707657861
6d706c65036e6574000001000100002910000000
000000000474657374036b65790000fa00ff0000
0000003a08686d61632d6d6435077369672d616c
670372656703696e740000006855490d012c0010
c00e00f1bafa240f41ee9cbe507b9802e7070000
0000
endpacket
tsig-verify-query test.key 1750419725 NOERROR NOERROR 0
# add some fudge to the time
packet
e707002000010000000000020377777707657861
6d706c65036e6574000001000100002910000000
000000000474657374036b65790000fa00ff0000
0000003a08686d61632d6d6435077369672d616c
670372656703696e740000006855490d012c0010
c00e00f1bafa240f41ee9cbe507b9802e7070000
0000
endpacket
tsig-verify-query test.key 1750419730 NOERROR NOERROR 0
# purposely make a bad digest
# changed 'www' (0x777777) to 'aaa' (0x616161)
packet
e707002000010000000000020361616107657861
6d706c65036e6574000001000100002910000000
000000000474657374036b65790000fa00ff0000
0000003a08686d61632d6d6435077369672d616c
670372656703696e740000006855490d012c0010
c00e00f1bafa240f41ee9cbe507b9802e7070000
0000
endpacket
tsig-verify-query test.key 1750419725 NOTAUTH BADSIG 0
# the wrong time is used, outside of the fudge region
packet
e707002000010000000000020377777707657861
6d706c65036e6574000001000100002910000000
000000000474657374036b65790000fa00ff0000
0000003a08686d61632d6d6435077369672d616c
670372656703696e740000006855490d012c0010
c00e00f1bafa240f41ee9cbe507b9802e7070000
0000
endpacket
tsig-verify-query test.key 1750819725 NOTAUTH BADTIME 1750819725
# An unknown key is used, 2222.key
packet
e707002000010000000000020377777707657861
6d706c65036e6574000001000100002910000000
000000000432323232036b65790000fa00ff0000
0000003a08686d61632d6d6435077369672d616c
670372656703696e740000006855490d012c0010
c00e00f1bafa240f41ee9cbe507b9802e7070000
0000
endpacket
tsig-verify-query 2222.key 1750419725 NOTAUTH BADKEY 0
# An unknown algorithm is used, hmac-UNK, 554e4b
packet
e707002000010000000000020377777707657861
6d706c65036e6574000001000100002910000000
000000000474657374036b65790000fa00ff0000
0000003a08686d61632d554e4b077369672d616c
670372656703696e740000006855490d012c0010
c00e00f1bafa240f41ee9cbe507b9802e7070000
0000
endpacket
tsig-verify-query test.key 1750419725 NOTAUTH BADKEY 0
# truncated hash
packet
e707002000010000000000020377777707657861
6d706c65036e6574000001000100002910000000
000000000474657374036b65790000fa00ff0000
0000003408686d61632d6d6435077369672d616c
670372656703696e740000006855490d012c000a
c00e00f1bafa240f41eee7070000
0000
endpacket
tsig-verify-query test.key 1750419725 NOTAUTH BADTRUNC 0
# TSIG does not parse, removed bytes from the end.
packet
e707002000010000000000020377777707657861
6d706c65036e6574000001000100002910000000
000000000474657374036b65790000fa00ff0000
0000003a08686d61632d6d6435077369672d616c
670372656703696e740000006855490d012c0010
c00e00f1bafa240f41ee9cbe507b9802
endpacket
tsig-verify-query . 1750419725 FORMERR NOERROR 0
# www.example.net A
packet
e707002000010000000000020377777707657861
6d706c65036e6574000001000100002910000000
000000000474657374036b65790000fa00ff0000
0000003a08686d61632d6d6435077369672d616c
670372656703696e740000006855490d012c0010
c00e00f1bafa240f41ee9cbe507b9802e7070000
0000
endpacket
tsig-sign-reply 1750419725 NOERROR 1
e707840000010001000000010377777707657861
6d706c65036e65740000010001c00c0001000100
000e1000040a141e2800002904d0000000000000
endpacket
# reply for www.example.net A
check-packet
e7078400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003a08686d61632d6d6435077369672d616c670372656703696e740000006855490d012c0010dc3c138476fcb04cc138aa5c59647b86e70700000000
endpacket

48
testdata/tsig_test.2 vendored Normal file

@ -0,0 +1,48 @@
# Test with algorithm
file-algorithm sha1
tsig-key:
name: "test.key"
algorithm: sha1
secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
packet
# www.example.net. IN TXT
3a03010000010000000000000377777707657861
6d706c65036e65740000100001
endpacket
# sign the query with <key> <timepoint> <expected function ret>
tsig-sign-query test.key 1750411954 1
check-packet
3a030100000100000000000103777777076578616d706c65036e657400001000010474657374036b65790000fa00ff00000000002f09686d61632d7368613100000068552ab2012c0014ddea549c7a82a0c4309c0894f884adf9dcf7cd2c3a0300000000
endpacket
# www.example.net A
packet
092d0000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
endpacket
tsig-sign-query test.key 1750420740 1
check-packet
092d0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000002f09686d61632d7368613100000068554d04012c0014f493f53a80f43dbd81df4f2feb7064de8247ba0b092d00000000
endpacket
tsig-verify-query test.key 1750420740 NOERROR NOERROR 0
packet
092d0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000002f09686d61632d7368613100000068554d04012c0014f493f53a80f43dbd81df4f2feb7064de8247ba0b092d00000000
endpacket
tsig-sign-reply 1750420740 NOERROR 1
092d840000010001000000010377777707657861
6d706c65036e65740000010001c00c0001000100
000e1000040a141e2800002904d0000000000000
endpacket
# reply for www.example.net A
check-packet
092d8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000002f09686d61632d7368613100000068554d04012c001475eace537fd51a9fbf192a10b20bfe824dd20318092d00000000
endpacket

48
testdata/tsig_test.3 vendored Normal file

@ -0,0 +1,48 @@
# Test with algorithm
file-algorithm sha224
tsig-key:
name: "test.key"
algorithm: sha224
secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
packet
# www.example.net. IN TXT
3a03010000010000000000000377777707657861
6d706c65036e65740000100001
endpacket
# sign the query with <key> <timepoint> <expected function ret>
tsig-sign-query test.key 1750411954 1
check-packet
3a030100000100000000000103777777076578616d706c65036e657400001000010474657374036b65790000fa00ff0000000000390b686d61632d73686132323400000068552ab2012c001c104d12e4ccab950cb7690233661549b027567ea0c8beb868a7c1c4f33a0300000000
endpacket
# www.example.net A
packet
7e7e0000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
endpacket
tsig-sign-query test.key 1750421692 1
check-packet
7e7e0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff0000000000390b686d61632d736861323234000000685550bc012c001c03431f500872691d8780dafe326cdbe56ceaaca1d0ea3e3a262848e77e7e00000000
endpacket
tsig-verify-query test.key 1750421692 NOERROR NOERROR 0
packet
7e7e0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff0000000000390b686d61632d736861323234000000685550bc012c001c03431f500872691d8780dafe326cdbe56ceaaca1d0ea3e3a262848e77e7e00000000
endpacket
tsig-sign-reply 1750421692 NOERROR 1
7e7e840000010001000000010377777707657861
6d706c65036e65740000010001c00c0001000100
000e1000040a141e2800002904d0000000000000
endpacket
# reply for www.example.net A
check-packet
7e7e8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff0000000000390b686d61632d736861323234000000685550bc012c001c0fa7ddec264122b5e0c3d1a64ed043c3d68582f0ae2ba2d5b3e186127e7e00000000
endpacket

60
testdata/tsig_test.4 vendored Normal file

@ -0,0 +1,60 @@
# Test with algorithm
file-algorithm sha256
tsig-key:
name: "test.key"
algorithm: sha256
secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
packet
# www.example.net. IN TXT
3a03010000010000000000000377777707657861
6d706c65036e65740000100001
endpacket
# sign the query with <key> <timepoint> <expected function ret>
tsig-sign-query test.key 1750411954 1
check-packet
3a030100000100000000000103777777076578616d706c65036e657400001000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068552ab2012c00200c35a60a42461678af59a10fbb1a18dcca69e62d58abdc8be808ab095d4beb403a0300000000
endpacket
# www.example.net A
packet
c7580000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
endpacket
tsig-sign-query test.key 1750421767 1
check-packet
c7580000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068555107012c0020aa49c7e324b075dd057aeaba998ee10b6c72f8573f56d3b42fb2f65ee1e81f76c75800000000
endpacket
tsig-verify-query test.key 1750421767 NOERROR NOERROR 0
packet
c7580000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068555107012c0020aa49c7e324b075dd057aeaba998ee10b6c72f8573f56d3b42fb2f65ee1e81f76c75800000000
endpacket
tsig-sign-reply 1750421767 NOERROR 1
c758840000010001000000010377777707657861
6d706c65036e65740000010001c00c0001000100
000e1000040a141e2800002904d0000000000000
endpacket
# reply for www.example.net A
check-packet
c7588400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068555107012c0020a377c921817d4009a6ab35e7f84aa697751b3a976701e8fb6b843965325bf9bdc75800000000
endpacket
packet
c7588400000100010000000103777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d0000000000000
endpacket
tsig-sign-shared test.key 1750411954 0
check-packet
c7588400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068552ab2012c00206a0e6bb9e1228588a8edd5da1dd611bcd0b4e2dd815e7c5501825ea374b3ebacc75800000000
endpacket
tsig-verify-shared test.key 1750411954 0

48
testdata/tsig_test.5 vendored Normal file

@ -0,0 +1,48 @@
# Test with algorithm
file-algorithm sha384
tsig-key:
name: "test.key"
algorithm: sha384
secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
packet
# www.example.net. IN TXT
3a03010000010000000000000377777707657861
6d706c65036e65740000100001
endpacket
# sign the query with <key> <timepoint> <expected function ret>
tsig-sign-query test.key 1750411954 1
check-packet
3a030100000100000000000103777777076578616d706c65036e657400001000010474657374036b65790000fa00ff00000000004d0b686d61632d73686133383400000068552ab2012c00302416b7442f06e5ab2f9814d391c48b73384ab59cccc7de20ecad999a38de62aaa1b61ac0cd3df299bab30776c92322f03a0300000000
endpacket
# www.example.net A
packet
aafc0000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
endpacket
tsig-sign-query test.key 1750421817 1
check-packet
aafc0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000004d0b686d61632d73686133383400000068555139012c00300953f74bcc78dae61e9d93aad74e128dbc240a671de017efd3707235be7890cbf2a51255f5843438fbaa26d04caca506aafc00000000
endpacket
tsig-verify-query test.key 1750421817 NOERROR NOERROR 0
packet
aafc0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000004d0b686d61632d73686133383400000068555139012c00300953f74bcc78dae61e9d93aad74e128dbc240a671de017efd3707235be7890cbf2a51255f5843438fbaa26d04caca506aafc00000000
endpacket
tsig-sign-reply 1750421817 NOERROR 1
aafc840000010001000000010377777707657861
6d706c65036e65740000010001c00c0001000100
000e1000040a141e2800002904d0000000000000
endpacket
# reply for www.example.net A
check-packet
aafc8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000004d0b686d61632d73686133383400000068555139012c00301e895712f5633d84e82afd7b1dcdd792c5d51532c7a5f52701c9bd464f0d8f6cc735530d16417e8bf3cf104808554642aafc00000000
endpacket

48
testdata/tsig_test.6 vendored Normal file

@ -0,0 +1,48 @@
# Test with algorithm
file-algorithm sha512
tsig-key:
name: "test.key"
algorithm: sha512
secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
packet
# www.example.net. IN TXT
3a03010000010000000000000377777707657861
6d706c65036e65740000100001
endpacket
# sign the query with <key> <timepoint> <expected function ret>
tsig-sign-query test.key 1750411954 1
check-packet
3a030100000100000000000103777777076578616d706c65036e657400001000010474657374036b65790000fa00ff00000000005d0b686d61632d73686135313200000068552ab2012c00403cd816538bec85fea4ae45a6fb2e961622a4dfad2afa69da999c53133d02e9f2ba789a14b489678b83ab319662d2388fcc7286bfa11d88e71614c845e77584c43a0300000000
endpacket
# www.example.net A
packet
e74d0000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
endpacket
tsig-sign-query test.key 1750421867 1
check-packet
e74d0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000005d0b686d61632d7368613531320000006855516b012c0040bbc78c7a8019119b79f89f3ed66d874acb3a29bfcd3ac75fce3779d60d41080fe536c03de404a9143314eabce88a0c5eff6204d94d3225cf42327322c8a48acae74d00000000
endpacket
tsig-verify-query test.key 1750421867 NOERROR NOERROR 0
packet
e74d0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000005d0b686d61632d7368613531320000006855516b012c0040bbc78c7a8019119b79f89f3ed66d874acb3a29bfcd3ac75fce3779d60d41080fe536c03de404a9143314eabce88a0c5eff6204d94d3225cf42327322c8a48acae74d00000000
endpacket
tsig-sign-reply 1750421867 NOERROR 1
e74d840000010001000000010377777707657861
6d706c65036e65740000010001c00c0001000100
000e1000040a141e2800002904d0000000000000
endpacket
# reply for www.example.net A
check-packet
e74d8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000005d0b686d61632d7368613531320000006855516b012c0040690c00d5e01a382b7a4c07739e0faab1a3c98f5bae1b49213032b7da070c4b985056894e1ebc88468d5d070d0589ea8032fb88f3a1902fa91211d2b4989bbb93e74d00000000
endpacket


@ -224,6 +224,7 @@ config_create(void)
cfg->stubs = NULL;
cfg->forwards = NULL;
cfg->auths = NULL;
cfg->tsig_keys = NULL;
#ifdef CLIENT_SUBNET
cfg->client_subnet = NULL;
cfg->client_subnet_zone = NULL;
@ -930,7 +931,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
* max-client-subnet-ipv4, max-client-subnet-ipv6,
* min-client-subnet-ipv4, min-client-subnet-ipv6,
* max-ecs-tree-size-ipv4, max-ecs-tree-size-ipv6, ipsecmod_hook,
* ipsecmod_whitelist. */
* ipsecmod_whitelist, tsig-key. */
return 0;
}
return 1;
@ -1436,6 +1437,7 @@ config_get_option(struct config_file* cfg, const char* opt,
* local-data-ptr - converted to local-data entries
* stub-zone, name, stub-addr, stub-host, stub-prime
* forward-zone, name, forward-addr, forward-host
* tsig-key
*/
else return 0;
return 1;
@ -1707,6 +1709,27 @@ config_delviews(struct config_view* p)
}
}
void
config_deltsig_key(struct config_tsig_key* p)
{
if(!p) return;
free(p->name);
free(p->algorithm);
free(p->secret);
free(p);
}
void
config_deltsig_keys(struct config_tsig_key* p)
{
struct config_tsig_key* np;
while(p) {
np = p->next;
config_deltsig_key(p);
p = np;
}
}
void
config_del_strarray(char** array, int num)
{
@ -1762,6 +1785,7 @@ config_delete(struct config_file* cfg)
config_delstubs(cfg->forwards);
config_delauths(cfg->auths);
config_delviews(cfg->views);
config_deltsig_keys(cfg->tsig_keys);
config_delstrlist(cfg->donotqueryaddrs);
config_delstrlist(cfg->root_hints);
#ifdef CLIENT_SUBNET
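Review bot: `config_deltsig_key` releases `p->secret` with a plain `free()`, so the base64 key material stays readable in freed heap memory, while the parser rule added in this same commit already wipes its decoded copy with `explicit_bzero`. Clearing the string first would keep the two consistent: `if(p->secret) explicit_bzero(p->secret, strlen(p->secret));` placed ahead of `free(p->secret);`. Whether other code copies or reloads a `config_tsig_key` and needs the same treatment is not visible in this section.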


@ -45,6 +45,7 @@
struct config_stub;
struct config_auth;
struct config_view;
struct config_tsig_key;
struct config_strlist;
struct config_str2list;
struct config_str3list;
@ -265,6 +266,8 @@ struct config_file {
struct config_auth* auths;
/** the views definitions, linked list */
struct config_view* views;
/** the tsig-key definitions, linked list */
struct config_tsig_key* tsig_keys;
/** list of donotquery addresses, linked list */
struct config_strlist* donotqueryaddrs;
#ifdef CLIENT_SUBNET
@ -909,6 +912,20 @@ struct config_view {
struct config_str2list* respip_data;
};
/**
* Tsig-key config options
*/
struct config_tsig_key {
/** next in list */
struct config_tsig_key* next;
/** name of the tsig key */
char* name;
/** algorithm */
char* algorithm;
/** secret date, in base64 */
char* secret;
};
/**
* List of strings for config options
*/
@ -1221,6 +1238,18 @@ void config_delview(struct config_view* p);
*/
void config_delviews(struct config_view* list);
/**
* Delete a tsig_key item
* @param p: tsig_key item
*/
void config_deltsig_key(struct config_tsig_key* p);
/**
* Delete items in config tsig_key list.
* @param list: list.
*/
void config_deltsig_keys(struct config_tsig_key* list);
/** check if config for remote control turns on IP-address interface
* with certificates or a named pipe without certificates. */
int options_remote_is_address(struct config_file* cfg);
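Review bot: The comment on the `secret` member of `struct config_tsig_key` reads "secret date"; it should be `/** secret data, in base64 */`. The `algorithm` member is documented only as "algorithm", without the accepted spelling; something like `/** algorithm name as given in config, checked by tsig_algo_check_name() */` would tell the reader where the valid set is defined. The struct comment could also state that the three strings are heap-allocated and released by `config_deltsig_key()`, which is what the util/config_file.c change does.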


@ -607,6 +607,9 @@ proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) }
iter-scrub-ns{COLON} { YDVAR(1, VAR_ITER_SCRUB_NS) }
iter-scrub-cname{COLON} { YDVAR(1, VAR_ITER_SCRUB_CNAME) }
max-global-quota{COLON} { YDVAR(1, VAR_MAX_GLOBAL_QUOTA) }
tsig-key{COLON} { YDVAR(0, VAR_TSIG_KEY) }
algorithm{COLON} { YDVAR(1, VAR_ALGORITHM) }
secret{COLON} { YDVAR(1, VAR_SECRET) }
<INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
/* Quoted strings. Strip leading and ending quotes */


@ -47,7 +47,9 @@
#include "util/configyyrename.h"
#include "util/config_file.h"
#include "util/net_help.h"
#include "util/tsig.h"
#include "sldns/str2wire.h"
#include "sldns/parseutil.h"
int ub_c_lex(void);
void ub_c_error(const char *message);
@ -215,6 +217,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_LOG_DESTADDR VAR_CACHEDB_CHECK_WHEN_SERVE_EXPIRED
%token VAR_COOKIE_SECRET_FILE VAR_ITER_SCRUB_NS VAR_ITER_SCRUB_CNAME
%token VAR_MAX_GLOBAL_QUOTA VAR_HARDEN_UNVERIFIED_GLUE VAR_LOG_TIME_ISO
%token VAR_TSIG_KEY VAR_ALGORITHM VAR_SECRET
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -223,7 +226,7 @@ toplevelvar: serverstart contents_server | stub_clause |
rcstart contents_rc | dtstart contents_dt | view_clause |
dnscstart contents_dnsc | cachedbstart contents_cachedb |
ipsetstart contents_ipset | authstart contents_auth |
rpzstart contents_rpz | dynlibstart contents_dl |
rpzstart contents_rpz | dynlibstart contents_dl | tsig_key_clause |
force_toplevel
;
force_toplevel: VAR_FORCE_TOPLEVEL
@ -3745,6 +3748,82 @@ dl_file: VAR_DYNLIB_FILE STRING_ARG
yyerror("out of memory");
}
;
tsig_key_clause: tsig_key_start contents_tsig_key
{
/* tsig-key end */
if(cfg_parser->cfg->tsig_keys) {
if(!cfg_parser->cfg->tsig_keys->name)
yyerror("tsig-key without name");
else if(!cfg_parser->cfg->tsig_keys->algorithm)
ub_c_error_msg("tsig-key %s has no algorithm",
cfg_parser->cfg->tsig_keys->name);
else if(!cfg_parser->cfg->tsig_keys->secret)
ub_c_error_msg("tsig-key %s has no secret blob",
cfg_parser->cfg->tsig_keys->name);
}
}
;
tsig_key_start: VAR_TSIG_KEY
{
struct config_tsig_key* s;
OUTYY(("\nP(tsig-key:)\n"));
cfg_parser->started_toplevel = 1;
s = (struct config_tsig_key*)calloc(1,
sizeof(struct config_tsig_key));
if(s) {
s->next = cfg_parser->cfg->tsig_keys;
cfg_parser->cfg->tsig_keys = s;
} else {
yyerror("out of memory");
}
}
;
contents_tsig_key: contents_tsig_key content_tsig_key
| ;
content_tsig_key: tsig_key_name | tsig_key_algorithm | tsig_key_secret
;
tsig_key_name: VAR_NAME STRING_ARG
{
uint8_t buf[LDNS_MAX_DOMAINLEN+1];
size_t len = sizeof(buf);
int r;
OUTYY(("P(name:%s)\n", $2));
free(cfg_parser->cfg->tsig_keys->name);
cfg_parser->cfg->tsig_keys->name = $2;
if((r=sldns_str2wire_dname_buf($2, buf, &len))!=0)
ub_c_error_msg("could not parse tsig key name"
" '%s':%d: %s", $2, LDNS_WIREPARSE_OFFSET(r),
sldns_get_errorstr_parse(r));
}
tsig_key_algorithm: VAR_ALGORITHM STRING_ARG
{
OUTYY(("P(algorithm:%s)\n", $2));
free(cfg_parser->cfg->tsig_keys->algorithm);
cfg_parser->cfg->tsig_keys->algorithm = $2;
if(!tsig_algo_check_name($2))
ub_c_error_msg("could not parse tsig key algorithm '%s'",
$2);
}
tsig_key_secret: VAR_SECRET STRING_ARG
{
uint8_t data[16384];
int size;
OUTYY(("P(secret:%s)\n", $2));
free(cfg_parser->cfg->tsig_keys->secret);
cfg_parser->cfg->tsig_keys->secret = $2;
size = sldns_b64_pton($2, data, sizeof(data));
if(size == -1) {
ub_c_error_msg("cannot base64 decode tsig secret %s",
cfg_parser->cfg->tsig_keys->name?
cfg_parser->cfg->tsig_keys->name:"");
} else if(size != 0) {
explicit_bzero(data, size);
}
}
server_disable_dnssec_lame_check: VAR_DISABLE_DNSSEC_LAME_CHECK STRING_ARG
{
OUTYY(("P(disable_dnssec_lame_check:%s)\n", $2));
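Review bot: In `tsig_key_secret` the stack buffer `data` is cleared only when `sldns_b64_pton` returns a positive size, so bytes decoded before a failure may stay on the stack, and a secret that decodes to zero bytes is accepted without any error. Wiping unconditionally with `explicit_bzero(data, sizeof(data));` and rejecting the empty case with `else if(size == 0) ub_c_error_msg("tsig-key secret is empty");` would cover both. The `OUTYY(("P(secret:%s)\n", $2));` line also echoes the key whenever parser tracing is compiled in, so a fixed placeholder is safer there. Separately, the three content rules dereference `cfg_parser->cfg->tsig_keys` unchecked, which would be NULL or the previous key if the `calloc` in `tsig_key_start` failed.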


@ -97,7 +97,7 @@ dname_valid(uint8_t* dname, size_t maxlen)
/** compare uncompressed, noncanonical, registers are hints for speed */
int
query_dname_compare(const register uint8_t* d1, const register uint8_t* d2)
query_dname_compare(register const uint8_t* d1, register const uint8_t* d2)
{
register uint8_t lab1, lab2;
log_assert(d1 && d2);


@ -72,6 +72,7 @@
#include "libunbound/libworker.h"
#include "libunbound/context.h"
#include "libunbound/worker.h"
#include "util/tsig.h"
#include "util/tube.h"
#include "util/config_file.h"
#include "daemon/remote.h"
@ -262,6 +263,7 @@ fptr_whitelist_rbtree_cmp(int (*fptr) (const void *, const void *))
else if(fptr == &auth_zone_cmp) return 1;
else if(fptr == &auth_data_cmp) return 1;
else if(fptr == &auth_xfer_cmp) return 1;
else if(fptr == &tsig_key_compare) return 1;
#ifdef HAVE_NGTCP2
else if(fptr == &doq_conn_cmp) return 1;
else if(fptr == &doq_conid_cmp) return 1;


@ -181,6 +181,7 @@ struct views;
struct respip_set;
struct respip_client_info;
struct respip_addr_info;
struct tsig_key_table;
struct module_stack;
/** Maximum number of modules in operation */
@ -529,6 +530,8 @@ struct module_env {
struct views* views;
/** response-ip set with associated actions and tags. */
struct respip_set* respip_set;
/** the TSIG keys */
struct tsig_key_table* tsig_key_table;
/** module specific data. indexed by module id. */
void* modinfo[MAX_MODULE];
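Review bot: The new `tsig_key_table` member of `struct module_env` is documented only as "the TSIG keys", which leaves out the locking rule that `tsig_key_table_search()` states in util/tsig.h (the caller must hold the table lock). A comment such as `/** the TSIG keys; hold tsig_key_table->lock while looking up or using a key */` would put that rule next to the pointer that modules use to reach the table.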

File diff suppressed because it is too large Load diff


@ -1,25 +1,25 @@
/*
* util/tsig.c - utility functions for TSIG.
* util/tsig.h - handle TSIG signatures.
*
* Copyright (c) 2025, NLnet Labs. All rights reserved.
* Copyright (c) 2023, NLnet Labs. All rights reserved.
*
* This software is open source.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
@ -36,19 +36,385 @@
/**
* \file
*
* This file provides functions to create and verify TSIG RRs
* This file provides functions to create and verify TSIG RRs.
*/
#ifndef UTIL_TSIG_H
#define UTIL_TSIG_H
#include "config.h"
#include "sldns/sbuffer.h"
#include "util/locks.h"
#include "util/rbtree.h"
struct sldns_buffer;
struct config_file;
struct config_tsig_key;
struct regional;
/**
* Verify pkt with the name (domain name), algorithm and key.
* out 0 on success, an error code otherwise.
/**
* TSIG record, the RR that is in the packet.
* The RR Type is TSIG and the RR class is CLASS_ANY. The TTL is 0.
*/
int tsig_verify(sldns_buffer* pkt, const uint8_t* name, const uint8_t* alg,
const uint8_t* secret, size_t secret_len, uint64_t now);
struct tsig_record {
/** domain name of the RR, the key name. */
uint8_t* key_name;
/** length of the key_name */
size_t key_name_len;
/** the position of the TSIG RR in the packet, it is before the owner
* name. */
size_t tsig_pos;
/** the algorithm name, as a domain name. */
uint8_t* algorithm_name;
/** length of the algorithm_name */
size_t algorithm_name_len;
/** the signed time, 48bits on the wire */
uint64_t signed_time;
/** the fudge time */
uint16_t fudge_time;
/** the mac size, uint16_t on the wire */
size_t mac_size;
/** the mac data */
uint8_t* mac_data;
/** the original query id */
uint16_t original_query_id;
/** the tsig error code */
uint16_t error_code;
/** length of the other data, uint16_t on the wire */
size_t other_size;
/** the other data */
uint8_t* other_data;
/** if the other size is 48bit, the timestamp in it. */
uint64_t other_time;
};
#endif
/**
* TSIG data. This keeps track of the information between packets,
* for the TSIG signature, and state, errors, key.
*/
struct tsig_data {
/** The key name, in wireformat */
uint8_t* key_name;
/** length of the key name */
size_t key_name_len;
/** The algo name, if the key could not be found. If NULL, it can
* be found in the tsig_key algo. */
uint8_t* algo_name;
/** length of the algo name */
size_t algo_name_len;
/** mac size */
size_t mac_size;
/** digest buffer */
uint8_t* mac;
/** original query ID */
uint16_t original_query_id;
/** the TSIG class */
uint16_t klass;
/** the TSIG TTL */
uint16_t ttl;
/** the time signed, 48bit */
uint64_t time_signed;
/** fudge amount of time_signed */
uint16_t fudge;
/** the TSIG error code */
uint16_t error;
/** other data length, 6 for other_time as failed time. */
uint16_t other_len;
/** if other len 6, this is 48bit time of error. */
uint64_t other_time;
};
/**
* TSIG algorithm. This is the HMAC algorithm used for the TSIG mac.
*/
struct tsig_algorithm {
/** Short name of the algorithm, like "hmac-md5" */
char* short_name;
/**
* Full wireformat name of the algorith, such as
* "hmac-md5.sig-alg.reg.int."
* In canonical format, that is in lowercase.
*/
uint8_t* wireformat_name;
/** length of the wireformat_name */
size_t wireformat_name_len;
/** digest name, like "md5" */
const char* digest;
/** the maximum size of the digest from the algorithm, in bytes,
* like 16 for MD5, and 20 for SHA1. */
size_t max_digest_size;
};
/**
* TSIG key. This is used to sign and verify packets.
*/
struct tsig_key {
/** the rbtree node */
rbnode_type node;
/** name of the key as string */
char* name_str;
/** the algorithm structure */
struct tsig_algorithm* algo;
/**
* Name of the key, in wireformat.
* The key name has to be transferred as a domain name, of the TSIG
* RR and thus the key name has to be a wireformat domain name.
*/
uint8_t* name;
/** length of name */
size_t name_len;
/** the data, with the secret portion of the key. decoded from the
* base64 string with the secret. */
uint8_t* data;
/** the size of the data */
size_t data_len;
};
/**
* The TSIG key storage. Keys are stored by name.
* They are read from config.
*/
struct tsig_key_table {
/* Lock on the tsig key table and all keys. */
lock_rw_type lock;
/* Tree of tsig keys, by wireformat name. */
struct rbtree_type* tree;
};
/**
* Create TSIG key table.
* @return NULL on alloc failure.
*/
struct tsig_key_table* tsig_key_table_create(void);
/**
* Delete TSIG key table. And the keys in it.
* @param key_table: to delete.
*/
void tsig_key_table_delete(struct tsig_key_table* key_table);
/** Add a key to the TSIG key table. */
int tsig_key_table_add_key(struct tsig_key_table* key_table,
struct config_tsig_key* s);
/** Delete a key from the TSIG key table. */
void tsig_key_table_del_key_fromstr(struct tsig_key_table* key_table,
char* name);
/**
* Apply config to the tsig key table.
* @param key_table: the tsig key table.
* @param cfg: the config to read.
* @return false on failure.
*/
int tsig_key_table_apply_cfg(struct tsig_key_table* key_table,
struct config_file* cfg);
/**
* Find key in key table. Caller must hold lock on the table.
* @param key_table: the tsig key table.
* @param name: name to look for in wireformat.
* @param namelen: length of name.
* @return the found key or NULL if not found. The item is locked
* by the key_table lock.
*/
struct tsig_key* tsig_key_table_search(struct tsig_key_table* key_table,
uint8_t* name, size_t namelen);
/**
* Delete TSIG key.
* @param key: to delete
*/
void tsig_key_delete(struct tsig_key* key);
/**
* See if an algorithm name is in the list of accepted algorithm names.
* @param algo_name: string to check
* @return 0 on failure.
*/
int tsig_algo_check_name(const char* algo_name);
/**
* Get the TSIG algorithm for the algorithm name.
* @param algo_name: string to find.
* @return NULL on failure, tsig algorithm structure.
*/
struct tsig_algorithm* tsig_algo_find_name(const char* algo_name);
/**
* Get the TSIG algorithm for the algorithm wireformat name.
* @param algo: wireformat algorithm name to find.
* @return NULL on failure, tsig algorithm structure.
*/
struct tsig_algorithm* tsig_algo_find_wire(uint8_t* algo);
/**
* Sign pkt with the name (domain name), algorithm and key in Base64.
* out 0 on success, -1 on failure.
* For a shared packet with contents. This signs a reply packet without
* the prior hash, since there is no prior packet.
*/
int tsig_sign_shared(struct sldns_buffer* pkt, const uint8_t* name,
const uint8_t* alg, const uint8_t* secret, size_t secret_len,
uint64_t now);
/**
* Verify pkt with the name (domain name), algorithm and key in Base64.
* out 0 on success, an error code otherwise.
* For a shared packet with contents. This verifies a reply packet without
* the prior hash, since there is no prior packet.
* out 0 on success, on failure:
* -1 for malformed, no tsig RR, or too large for buffer.
* >0 rcode with a TSIG error code otherwise.
*/
int tsig_verify_shared(struct sldns_buffer* pkt, const uint8_t* name,
const uint8_t* alg, const uint8_t* secret, size_t secret_len,
uint64_t now);
/** Compare function for the key table keys. */
int tsig_key_compare(const void* v1, const void* v2);
/**
* Find tsig key and create new tsig data.
* @param key_table: the tsig key table.
* @param name: key name in wireformat.
* @param namelen: length of name.
* @return NULL if not found, or alloc failure.
*/
struct tsig_data* tsig_create(struct tsig_key_table* key_table,
uint8_t* name, size_t namelen);
/**
* Find tsig key and create new tsig data.
* @param key_table: the tsig key table.
* @param name: key name string.
* @return NULL if not found, or alloc failure, or could not parse string.
*/
struct tsig_data* tsig_create_fromstr(struct tsig_key_table* key_table,
char* name);
/**
* Delete tsig data.
* @param tsig: the tsig data to delete.
*/
void tsig_delete(struct tsig_data* tsig);
/**
* Sign a query with TSIG. Appends the TSIG record.
* @param tsig: the tsig data, keeps state to verify reply.
* @param pkt: query packet. position must be at end of packet.
* @param key_table: the tsig key table is used to fetch the key details.
* @param now: time to sign the query, the current time.
* @return false on failure.
*/
int tsig_sign_query(struct tsig_data* tsig, struct sldns_buffer* pkt,
struct tsig_key_table* key_table, uint64_t now);
/**
* Verify a query with TSIG.
* @param tsig: the tsig data, keep state to sign reply.
* @param pkt: the query packet.
* @param key: the key with algorithm, caller must hold lock.
* @param rr: the tsig record parsed from the query.
* @param now: time that is used, the current time.
* @return rcode with failure for alloc failure or malformed wireformat.
* 0 NOERROR is success, if tsig is nonNULL it has either verified
* or contains a TSIG error.
*/
int tsig_verify_query(struct tsig_data* tsig, struct sldns_buffer* pkt,
struct tsig_key* key, struct tsig_record* rr, uint64_t now);
/**
* Look up key from TSIG in packet.
* @param key_table: the tsig key table.
* @param pkt: the packet to look at TSIG.
* @param rr: the TSIG record parsed.
* @param tsig_ret: the tsig key is returned here. Or it can be NULL, no TSIG.
* @param region: if nonNULL used to allocate.
* @param key: if the key is in the key_table the key is returned.
* On success the key table is locked for the key.
* @return fail for alloc failure servfail or wireformat malformed formerr,
* success has 0 NOERROR, for no TSIG in packet with tsig returned NULL,
* and for key not found with tsig returned with a tsig error in it,
* and for key found with tsig returned with tsig in it.
* After this call, the return value is the rcode for failure. Then the
* tsig, is NULL for no TSIG, or nonNULL, with a TSIG error or content that
* can be verified with tsig_verify_query.
*/
int tsig_lookup_key(struct tsig_key_table* key_table,
struct sldns_buffer* pkt, struct tsig_record* rr,
struct tsig_data** tsig_ret, struct regional* region,
struct tsig_key** key);
/**
* Parse a TSIG from the packet. Current position is just before it.
* @param pkt: the packet.
* @param rr: data filled in, with pointers to the packet buffer.
* The key name can be compressed.
* @return 0 if OK, otherwise an RCODE.
*/
int tsig_parse(struct sldns_buffer* pkt, struct tsig_record* rr);
/**
* Parse and verify the TSIG in query packet.
* @param key_table: the tsig key table.
* @param pkt: the packet
* @param tsig: the tsig key is returned. Or it can be NULL.
* @param region: if nonNULL used to allocate.
* @param now: time that is used, the current time.
* @return rcode with failure for alloc failure or malformed wireformat.
* 0 NOERROR is success, if tsig is nonNULL it has either verified
* or contains a TSIG error.
*/
int tsig_parse_verify_query(struct tsig_key_table* key_table,
struct sldns_buffer* pkt, struct tsig_data** tsig,
struct regional* region, uint64_t now);
/**
* Sign a reply with TSIG. Appends the TSIG record.
* @param tsig: the tsig data.
* @param pkt: the packet to sign.
* @param key_table: the tsig key table is used to fetch the key details.
* @param now: time to sign the query, the current time.
* @return false on failure.
*/
int tsig_sign_reply(struct tsig_data* tsig, struct sldns_buffer* pkt,
struct tsig_key_table* key_table, uint64_t now);
/**
* Verify a reply with TSIG.
* @param tsig: the tsig data.
* @param pkt: the reply to verify.
* @param key: the key with algorithm, caller must hold lock.
* @param rr: the tsig record parsed from the reply.
* @param now: time to sign the query, the current time.
* @return false on failure, like
* alloc failure, wireformat malformed, did not verify.
*/
int tsig_verify_reply(struct tsig_data* tsig, struct sldns_buffer* pkt,
struct tsig_key* key, struct tsig_record* rr, uint64_t now);
/**
* Verify a reply with TSIG.
* @param tsig: the tsig data.
* @param pkt: the reply to verify.
* @param key_table: the tsig key table is used to fetch the key details.
* @param now: time to sign the query, the current time.
* @return false on failure, like
* alloc failure, wireformat malformed, did not verify.
*/
int tsig_parse_verify_reply(struct tsig_data* tsig, struct sldns_buffer* pkt,
struct tsig_key_table* key_table, uint64_t now);
/**
* Calculate reserved space for TSIG.
* @param tsig: the tsig data
* @return number of bytes to keep reserved for the TSIG added.
*/
size_t tsig_reserved_space(struct tsig_data* tsig);
/**
* See if the packet has a TSIG record, or not.
* @param pkt: the packet.
* @return false if malformed or no tsig. If found, the position is
* just before the TSIG record. So it can be parsed.
*/
int tsig_find_rr(struct sldns_buffer* pkt);
#endif /* UTIL_TSIG_H */