Merge pull request #414 from NLnetLabs/bugfix/xot-interoperability

XoT interoperability

doc/ChangeLog

@@ -1,3 +1,6 @@
+3 January 2025: Willem
+	- Fix #414: XoT interoperability with BIND and Knot
+
 23 December 2024: Willem
 	- Fix #415: Fix out of tree builds. Thanks Florian Obser (@fobser).
 

doc/RELNOTES

@@ -4,6 +4,7 @@ NSD RELEASE NOTES
 ================
 BUG FIXES:
         - Fix #415: Fix out of tree builds. Thanks Florian Obser (@fobser).
+	- Fix #414: XoT interoperability with BIND and Knot
 
 4.11.0
 ================

server.c

@@ -1898,23 +1898,29 @@ server_send_soa_xfrd(struct nsd* nsd, int shortsoa)
 
 #ifdef HAVE_SSL
 static void
-log_crypto_from_err(const char* str, unsigned long err)
+log_crypto_from_err(int level, const char* str, unsigned long err)
 {
 	/* error:[error code]:[library name]:[function name]:[reason string] */
 	char buf[128];
 	unsigned long e;
 	ERR_error_string_n(err, buf, sizeof(buf));
-	log_msg(LOG_ERR, "%s crypto %s", str, buf);
+	log_msg(level, "%s crypto %s", str, buf);
 	while( (e=ERR_get_error()) ) {
 		ERR_error_string_n(e, buf, sizeof(buf));
-		log_msg(LOG_ERR, "and additionally crypto %s", buf);
+		log_msg(level, "and additionally crypto %s", buf);
 	}
 }
 
 void
 log_crypto_err(const char* str)
 {
-	log_crypto_from_err(str, ERR_get_error());
+	log_crypto_from_err(LOG_ERR, str, ERR_get_error());
+}
+
+void
+log_crypto_warning(const char* str)
+{
+	log_crypto_from_err(LOG_WARNING, str, ERR_get_error());
 }
 
 /** true if the ssl handshake error has to be squelched from the logs */
@@ -2079,6 +2085,20 @@ add_ocsp_data_cb(SSL *s, void* ATTR_UNUSED(arg))
 	}
 }
 
+static int
+server_alpn_cb(SSL* ATTR_UNUSED(s),
+		const unsigned char** out, unsigned char* outlen,
+		const unsigned char* in, unsigned int inlen,
+		void* ATTR_UNUSED(arg))
+{
+	static const unsigned char alpns[] = { 3, 'd', 'o', 't' };
+	unsigned char* tmp_out;
+
+	SSL_select_next_proto(&tmp_out, outlen, alpns, sizeof(alpns), in, inlen);
+	*out = tmp_out;
+	return SSL_TLSEXT_ERR_OK;
+}
+
 SSL_CTX*
 server_tls_ctx_setup(char* key, char* pem, char* verifypem)
 {
@@ -2128,6 +2148,13 @@ server_tls_ctx_setup(char* key, char* pem, char* verifypem)
 		return 0;
 	}
 #endif
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+	/* disable client renegotiation */
+	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
+		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
+		log_crypto_warning("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
+	}
+#endif
 #if defined(SHA256_DIGEST_LENGTH) && defined(SSL_TXT_CHACHA20)
 	/* if we detect system-wide crypto policies, use those */
 	if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
@@ -2174,6 +2201,7 @@ server_tls_ctx_setup(char* key, char* pem, char* verifypem)
 		SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(verifypem));
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
 	}
+	SSL_CTX_set_alpn_select_cb(ctx, server_alpn_cb, NULL);
 	return ctx;
 }
 
@@ -4802,7 +4830,7 @@ tls_handshake(struct tcp_handler_data* data, int fd, int writing)
 					char a[64], s[256];
 					addr2str(&data->query->remote_addr, a, sizeof(a));
 					snprintf(s, sizeof(s), "TLS handshake failed from %s", a);
-					log_crypto_from_err(s, err);
+					log_crypto_from_err(LOG_ERR, s, err);
 				}
 			}
 			cleanup_tcp_handler(data);

tpkg/xot.tdir/xot.primary.conf.in

@@ -17,31 +17,31 @@ remote-control:
 	control-enable: @TPKG_CONTROL_ENABLE@
 	control-interface: 127.0.0.1
 	control-port: @TPKG_PRI_PORT_CTL@
-	server-key-file: "nsd_server.key"
-	server-cert-file: "nsd_server.pem"
-	control-key-file: "nsd_control.key"
-	control-cert-file: "nsd_control.pem"
+	server-key-file: "xot.nsd_server.key"
+	server-cert-file: "xot.nsd_server.pem"
+	control-key-file: "xot.nsd_control.key"
+	control-cert-file: "xot.nsd_control.pem"
 
 zone:
 	name: example.org
-	zonefile: example.org
+	zonefile: xot.example.org
 	notify: 127.0.0.1@@TPKG_SEC_PORT@ xot.
 	provide-xfr: 0.0.0.0/0 xot.
 
 zone:
 	name: example.net
-	zonefile: example.net
+	zonefile: xot.example.net
 	notify: 127.0.0.1@@TPKG_SEC_PORT@ xot.
 	provide-xfr: 0.0.0.0/0 xot.
 
 zone:
 	name: example.com
-	zonefile: example.com
+	zonefile: xot.example.com
 	notify: 127.0.0.1@@TPKG_SEC_PORT@ xot.
 	provide-xfr: 0.0.0.0/0 xot.
 
 zone:
 	name: example.edu
-	zonefile: example.edu
+	zonefile: xot.example.edu
 	notify: 127.0.0.1@@TPKG_SEC_PORT@ xot.
 	provide-xfr: 0.0.0.0/0 xot.

tpkg/xot.tdir/xot.secondary.conf.in

@@ -12,10 +12,10 @@ remote-control:
 	control-enable: @TPKG_CONTROL_ENABLE@
 	control-interface: 127.0.0.1
 	control-port: @TPKG_SEC_PORT_CTL@
-	server-key-file: "nsd_server.key"
-	server-cert-file: "nsd_server.pem"
-	control-key-file: "nsd_control.key"
-	control-cert-file: "nsd_control.pem"
+	server-key-file: "xot.nsd_server.key"
+	server-cert-file: "xot.nsd_server.pem"
+	control-key-file: "xot.nsd_control.key"
+	control-cert-file: "xot.nsd_control.pem"
 
 include: "xot.tsig"
 

tpkg/xot.tdir/xot.tertiary.conf.in

@@ -11,10 +11,10 @@ remote-control:
 	control-enable: @TPKG_CONTROL_ENABLE@
 	control-interface: 127.0.0.1
 	control-port: @TPKG_TER_PORT_CTL@
-	server-key-file: "nsd_server.key"
-	server-cert-file: "nsd_server.pem"
-	control-key-file: "nsd_control.key"
-	control-cert-file: "nsd_control.pem"
+	server-key-file: "xot.nsd_server.key"
+	server-cert-file: "xot.nsd_server.pem"
+	control-key-file: "xot.nsd_control.key"
+	control-cert-file: "xot.nsd_control.pem"
 
 include: "xot.tsig"