Upgrade to 1.8.1.

Approved by:	re (kib)
des 2018-10-10 08:53:47 +00:00
parent 28a7efdfb3
commit 0b62c2b8b2
48 changed files with 565 additions and 312 deletions


@ -1,6 +1,12 @@
/* config.h. Generated from config.h.in by configure. */
/* config.h.in. Generated from configure.ac by autoheader. */
/* apply the noreturn attribute to a function that exits the program */
#define ATTR_NORETURN __attribute__((__noreturn__))
/* apply the weak attribute to a symbol */
#define ATTR_WEAK __attribute__((weak))
/* Directory to chroot to */
#define CHROOT_DIR "/var/unbound"
@ -46,6 +52,9 @@
/* Whether the C compiler accepts the "format" attribute */
#define HAVE_ATTR_FORMAT 1
/* Whether the C compiler accepts the "noreturn" attribute */
#define HAVE_ATTR_NORETURN 1
/* Whether the C compiler accepts the "unused" attribute */
#define HAVE_ATTR_UNUSED 1
@ -59,7 +68,7 @@
#define HAVE_CHROOT 1
/* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */
#define HAVE_CRYPTO_CLEANUP_ALL_EX_DATA 1
/* #undef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA */
/* Define to 1 if you have the `ctime_r' function. */
#define HAVE_CTIME_R 1
@ -85,11 +94,11 @@
/* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
don't. */
#define HAVE_DECL_NID_ED25519 0
#define HAVE_DECL_NID_ED25519 1
/* Define to 1 if you have the declaration of `NID_ED448', and to 0 if you
don't. */
#define HAVE_DECL_NID_ED448 0
#define HAVE_DECL_NID_ED448 1
/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
don't. */
@ -135,7 +144,7 @@
#define HAVE_DLFCN_H 1
/* Define to 1 if you have the `DSA_SIG_set0' function. */
/* #undef HAVE_DSA_SIG_SET0 */
#define HAVE_DSA_SIG_SET0 1
/* Define to 1 if you have the <endian.h> header file. */
/* #undef HAVE_ENDIAN_H */
@ -150,10 +159,10 @@
#define HAVE_ENDSERVENT 1
/* Define to 1 if you have the `ERR_free_strings' function. */
#define HAVE_ERR_FREE_STRINGS 1
/* #undef HAVE_ERR_FREE_STRINGS */
/* Define to 1 if you have the `ERR_load_crypto_strings' function. */
#define HAVE_ERR_LOAD_CRYPTO_STRINGS 1
/* #undef HAVE_ERR_LOAD_CRYPTO_STRINGS */
/* Define to 1 if you have the `event_base_free' function. */
/* #undef HAVE_EVENT_BASE_FREE */
@ -171,16 +180,16 @@
/* #undef HAVE_EVENT_H */
/* Define to 1 if you have the `EVP_cleanup' function. */
#define HAVE_EVP_CLEANUP 1
/* #undef HAVE_EVP_CLEANUP */
/* Define to 1 if you have the `EVP_DigestVerify' function. */
/* #undef HAVE_EVP_DIGESTVERIFY */
#define HAVE_EVP_DIGESTVERIFY 1
/* Define to 1 if you have the `EVP_dss1' function. */
#define HAVE_EVP_DSS1 1
/* #undef HAVE_EVP_DSS1 */
/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
/* #undef HAVE_EVP_MD_CTX_NEW */
#define HAVE_EVP_MD_CTX_NEW 1
/* Define to 1 if you have the `EVP_sha1' function. */
#define HAVE_EVP_SHA1 1
@ -200,6 +209,9 @@
/* Define to 1 if you have the <expat.h> header file. */
#define HAVE_EXPAT_H 1
/* Define to 1 if you have the `explicit_bzero' function. */
#define HAVE_EXPLICIT_BZERO 1
/* Define to 1 if you have the `fcntl' function. */
#define HAVE_FCNTL 1
@ -321,7 +333,7 @@
/* #undef HAVE_NSS */
/* Define to 1 if you have the `OpenSSL_add_all_digests' function. */
#define HAVE_OPENSSL_ADD_ALL_DIGESTS 1
/* #undef HAVE_OPENSSL_ADD_ALL_DIGESTS */
/* Define to 1 if you have the <openssl/bn.h> header file. */
#define HAVE_OPENSSL_BN_H 1
@ -345,10 +357,10 @@
#define HAVE_OPENSSL_ERR_H 1
/* Define to 1 if you have the `OPENSSL_init_crypto' function. */
/* #undef HAVE_OPENSSL_INIT_CRYPTO */
#define HAVE_OPENSSL_INIT_CRYPTO 1
/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
/* #undef HAVE_OPENSSL_INIT_SSL */
#define HAVE_OPENSSL_INIT_SSL 1
/* Define to 1 if you have the <openssl/rand.h> header file. */
#define HAVE_OPENSSL_RAND_H 1
@ -381,7 +393,7 @@
#define HAVE_RANDOM 1
/* Define to 1 if you have the `RAND_cleanup' function. */
#define HAVE_RAND_CLEANUP 1
/* #undef HAVE_RAND_CLEANUP */
/* Define to 1 if you have the `reallocarray' function. */
#define HAVE_REALLOCARRAY 1
@ -441,13 +453,13 @@
#define HAVE_SSL /**/
/* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
/* #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
#define HAVE_SSL_CTX_SET_SECURITY_LEVEL 1
/* Define to 1 if you have the `SSL_get0_peername' function. */
/* #undef HAVE_SSL_GET0_PEERNAME */
#define HAVE_SSL_GET0_PEERNAME 1
/* Define to 1 if you have the `SSL_set1_host' function. */
/* #undef HAVE_SSL_SET1_HOST */
#define HAVE_SSL_SET1_HOST 1
/* Define to 1 if you have the <stdarg.h> header file. */
#define HAVE_STDARG_H 1
@ -631,7 +643,7 @@
#define PACKAGE_NAME "unbound"
/* Define to the full name and version of this package. */
#define PACKAGE_STRING "unbound 1.8.0"
#define PACKAGE_STRING "unbound 1.8.1"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "unbound"
@ -640,7 +652,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
#define PACKAGE_VERSION "1.8.0"
#define PACKAGE_VERSION "1.8.1"
/* default pidfile location */
#define PIDFILE "/var/unbound/unbound.pid"
@ -659,7 +671,7 @@
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
/* version number for resource files */
#define RSRC_PACKAGE_VERSION 1,8,0,0
#define RSRC_PACKAGE_VERSION 1,8,1,0
/* Directory to chdir to */
#define RUN_DIR "/var/unbound"
@ -722,13 +734,13 @@
/* #undef USE_ECDSA_EVP_WORKAROUND */
/* Define this to enable ED25519 support. */
/* #undef USE_ED25519 */
#define USE_ED25519 1
/* Define this to enable ED448 support. */
/* #undef USE_ED448 */
#define USE_ED448 1
/* Define this to enable GOST support. */
#define USE_GOST 1
/* #undef USE_GOST */
/* Define to 1 to use ipsecmod support. */
/* #undef USE_IPSECMOD */
@ -1145,6 +1157,11 @@ char *strsep(char **stringp, const char *delim);
int isblank(int c);
#endif
#ifndef HAVE_EXPLICIT_BZERO
#define explicit_bzero unbound_explicit_bzero
void explicit_bzero(void* buf, size_t len);
#endif
#if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP
const char *inet_ntop(int af, const void *src, char *dst, size_t size);
#endif
@ -1177,7 +1194,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
# endif
#endif /* HAVE_LIBRESSL */
#ifndef HAVE_ARC4RANDOM
void explicit_bzero(void* buf, size_t len);
int getentropy(void* buf, size_t len);
uint32_t arc4random(void);
void arc4random_buf(void* buf, size_t n);


@ -1,5 +1,11 @@
/* config.h.in. Generated from configure.ac by autoheader. */
/* apply the noreturn attribute to a function that exits the program */
#undef ATTR_NORETURN
/* apply the weak attribute to a symbol */
#undef ATTR_WEAK
/* Directory to chroot to */
#undef CHROOT_DIR
@ -45,6 +51,9 @@
/* Whether the C compiler accepts the "format" attribute */
#undef HAVE_ATTR_FORMAT
/* Whether the C compiler accepts the "noreturn" attribute */
#undef HAVE_ATTR_NORETURN
/* Whether the C compiler accepts the "unused" attribute */
#undef HAVE_ATTR_UNUSED
@ -199,6 +208,9 @@
/* Define to 1 if you have the <expat.h> header file. */
#undef HAVE_EXPAT_H
/* Define to 1 if you have the `explicit_bzero' function. */
#undef HAVE_EXPLICIT_BZERO
/* Define to 1 if you have the `fcntl' function. */
#undef HAVE_FCNTL
@ -1144,6 +1156,11 @@ char *strsep(char **stringp, const char *delim);
int isblank(int c);
#endif
#ifndef HAVE_EXPLICIT_BZERO
#define explicit_bzero unbound_explicit_bzero
void explicit_bzero(void* buf, size_t len);
#endif
#if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP
const char *inet_ntop(int af, const void *src, char *dst, size_t size);
#endif
@ -1176,7 +1193,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
# endif
#endif /* HAVE_LIBRESSL */
#ifndef HAVE_ARC4RANDOM
void explicit_bzero(void* buf, size_t len);
int getentropy(void* buf, size_t len);
uint32_t arc4random(void);
void arc4random_buf(void* buf, size_t n);


@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.8.0.
# Generated by GNU Autoconf 2.69 for unbound 1.8.1.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.8.0'
PACKAGE_STRING='unbound 1.8.0'
PACKAGE_VERSION='1.8.1'
PACKAGE_STRING='unbound 1.8.1'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.8.0 to adapt to many kinds of systems.
\`configure' configures unbound 1.8.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1505,7 +1505,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.8.0:";;
short | recursive ) echo "Configuration of unbound 1.8.1:";;
esac
cat <<\_ACEOF
@ -1722,7 +1722,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.8.0
unbound configure 1.8.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.8.0, which was
It was created by unbound $as_me 1.8.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=8
UNBOUND_VERSION_MICRO=0
UNBOUND_VERSION_MICRO=1
LIBUNBOUND_CURRENT=8
LIBUNBOUND_REVISION=0
LIBUNBOUND_REVISION=1
LIBUNBOUND_AGE=0
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2850,7 +2850,8 @@ LIBUNBOUND_AGE=0
# 1.7.1 had 7:9:5
# 1.7.2 had 7:10:5
# 1.7.3 had 7:11:5
# 1.7.4 had 8:0:0 # changes the event callback function signature
# 1.8.0 had 8:0:0 # changes the event callback function signature
# 1.8.1 had 8:1:0
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -6265,6 +6266,54 @@ if test $ac_cv_c_weak_attribute = yes; then
$as_echo "#define HAVE_ATTR_WEAK 1" >>confdefs.h
$as_echo "#define ATTR_WEAK __attribute__((weak))" >>confdefs.h
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler (${CC-cc}) accepts the \"noreturn\" attribute" >&5
$as_echo_n "checking whether the C compiler (${CC-cc}) accepts the \"noreturn\" attribute... " >&6; }
if ${ac_cv_c_noreturn_attribute+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_cv_c_noreturn_attribute=no
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <stdio.h>
__attribute__((noreturn)) void f(int x) { printf("%d", x); }
int
main ()
{
f(1);
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ac_cv_c_noreturn_attribute="yes"
else
ac_cv_c_noreturn_attribute="no"
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_noreturn_attribute" >&5
$as_echo "$ac_cv_c_noreturn_attribute" >&6; }
if test $ac_cv_c_noreturn_attribute = yes; then
$as_echo "#define HAVE_ATTR_NORETURN 1" >>confdefs.h
$as_echo "#define ATTR_NORETURN __attribute__((__noreturn__))" >>confdefs.h
fi
@ -20033,6 +20082,20 @@ esac
fi
ac_fn_c_check_func "$LINENO" "explicit_bzero" "ac_cv_func_explicit_bzero"
if test "x$ac_cv_func_explicit_bzero" = xyes; then :
$as_echo "#define HAVE_EXPLICIT_BZERO 1" >>confdefs.h
else
case " $LIBOBJS " in
*" explicit_bzero.$ac_objext "* ) ;;
*) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext"
;;
esac
fi
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
@ -20079,12 +20142,6 @@ fi
if test "$ac_cv_func_arc4random" = "no"; then
case " $LIBOBJS " in
*" explicit_bzero.$ac_objext "* ) ;;
*) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext"
;;
esac
case " $LIBOBJS " in
*" arc4_lock.$ac_objext "* ) ;;
*) LIBOBJS="$LIBOBJS arc4_lock.$ac_objext"
@ -21077,7 +21134,7 @@ _ACEOF
version=1.8.0
version=1.8.1
date=`date +'%b %e, %Y'`
@ -21596,7 +21653,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.8.0, which was
This file was extended by unbound $as_me 1.8.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -21662,7 +21719,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.8.0
unbound config.status 1.8.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"


@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[8])
m4_define([VERSION_MICRO],[0])
m4_define([VERSION_MICRO],[1])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=8
LIBUNBOUND_REVISION=0
LIBUNBOUND_REVISION=1
LIBUNBOUND_AGE=0
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -81,7 +81,8 @@ LIBUNBOUND_AGE=0
# 1.7.1 had 7:9:5
# 1.7.2 had 7:10:5
# 1.7.3 had 7:11:5
# 1.7.4 had 8:0:0 # changes the event callback function signature
# 1.8.0 had 8:0:0 # changes the event callback function signature
# 1.8.1 had 8:1:0
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -310,11 +311,36 @@ __attribute__((weak)) void f(int x) { printf("%d", x); }
AC_MSG_RESULT($ac_cv_c_weak_attribute)
if test $ac_cv_c_weak_attribute = yes; then
AC_DEFINE(HAVE_ATTR_WEAK, 1, [Whether the C compiler accepts the "weak" attribute])
AC_DEFINE(ATTR_WEAK, [__attribute__((weak))], [apply the weak attribute to a symbol])
fi
])dnl End of CHECK_WEAK_ATTRIBUTE
CHECK_WEAK_ATTRIBUTE
AC_DEFUN([CHECK_NORETURN_ATTRIBUTE],
[AC_REQUIRE([AC_PROG_CC])
AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "noreturn" attribute)
AC_CACHE_VAL(ac_cv_c_noreturn_attribute,
[ac_cv_c_noreturn_attribute=no
AC_TRY_COMPILE(
[ #include <stdio.h>
__attribute__((noreturn)) void f(int x) { printf("%d", x); }
], [
f(1);
],
[ac_cv_c_noreturn_attribute="yes"],
[ac_cv_c_noreturn_attribute="no"])
])
AC_MSG_RESULT($ac_cv_c_noreturn_attribute)
if test $ac_cv_c_noreturn_attribute = yes; then
AC_DEFINE(HAVE_ATTR_NORETURN, 1, [Whether the C compiler accepts the "noreturn" attribute])
AC_DEFINE(ATTR_NORETURN, [__attribute__((__noreturn__))], [apply the noreturn attribute to a function that exits the program])
fi
])dnl End of CHECK_NORETURN_ATTRIBUTE
CHECK_NORETURN_ATTRIBUTE
if test "$srcdir" != "."; then
CPPFLAGS="$CPPFLAGS -I$srcdir"
fi
@ -1396,6 +1422,7 @@ AC_REPLACE_FUNCS(strlcpy)
AC_REPLACE_FUNCS(memmove)
AC_REPLACE_FUNCS(gmtime_r)
AC_REPLACE_FUNCS(isblank)
AC_REPLACE_FUNCS(explicit_bzero)
dnl without CTIME, ARC4-functions and without reallocarray.
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
@ -1404,7 +1431,6 @@ if test "$USE_NSS" = "no"; then
AC_REPLACE_FUNCS(arc4random)
AC_REPLACE_FUNCS(arc4random_uniform)
if test "$ac_cv_func_arc4random" = "no"; then
AC_LIBOBJ(explicit_bzero)
AC_LIBOBJ(arc4_lock)
AC_CHECK_FUNCS([getentropy],,[
if test "$USE_WINSOCK" = 1; then
@ -1729,6 +1755,11 @@ char *strsep(char **stringp, const char *delim);
int isblank(int c);
#endif
#ifndef HAVE_EXPLICIT_BZERO
#define explicit_bzero unbound_explicit_bzero
void explicit_bzero(void* buf, size_t len);
#endif
#if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP
const char *inet_ntop(int af, const void *src, char *dst, size_t size);
#endif
@ -1761,7 +1792,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
# endif
#endif /* HAVE_LIBRESSL */
#ifndef HAVE_ARC4RANDOM
void explicit_bzero(void* buf, size_t len);
int getentropy(void* buf, size_t len);
uint32_t arc4random(void);
void arc4random_buf(void* buf, size_t n);
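Review bot: The probe in the new CHECK_NORETURN_ATTRIBUTE macro declares f as noreturn but lets it fall off the end, so GCC and Clang both warn that a noreturn function returns, and a build that carries -Werror in CFLAGS turns the check into a false "no" and silently drops HAVE_ATTR_NORETURN. The weak-attribute probe it is modelled on has no such contradiction, so making the body genuinely not return keeps the two checks parallel, e.g. `[ #include <stdio.h>` / `#include <stdlib.h>` / `__attribute__((noreturn)) void f(int x) { printf("%d", x); abort(); }`. What ATTR_NORETURN expands to when the check fails is not in this hunk, so I cannot say how much a false negative costs beyond losing the hint; AC_TRY_COMPILE is obsolete in current autoconf but matches the surrounding macro. The config.h, config.h.in and configure sections above are the generated output of this same change and need no separate fix.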


@ -1,15 +1,11 @@
Description: based on the included patch contrib/fastrpz.patch
Author: fastrpz@farsightsecurity.com
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: unboundfastrpz/Makefile.in
===================================================================
RCS file: ./RCS/Makefile.in,v
retrieving revision 1.1
Index: unbound-1.7.0~rc1/Makefile.in
===================================================================
--- unbound-1.7.0~rc1.orig/Makefile.in
+++ unbound-1.7.0~rc1/Makefile.in
@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
--- unboundfastrpz/Makefile.in (revision 4923)
+++ unboundfastrpz/Makefile.in (working copy)
@@ -23,6 +23,8 @@
CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
DNSTAP_SRC=@DNSTAP_SRC@
DNSTAP_OBJ=@DNSTAP_OBJ@
@ -18,7 +14,7 @@ Index: unbound-1.7.0~rc1/Makefile.in
DNSCRYPT_SRC=@DNSCRYPT_SRC@
DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
@@ -125,7 +127,7 @@ validator/val_sigcrypt.c validator/val_u
@@ -126,7 +128,7 @@
edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
cachedb/cachedb.c cachedb/redis.c respip/respip.c $(CHECKLOCK_SRC) \
@ -27,16 +23,16 @@ Index: unbound-1.7.0~rc1/Makefile.in
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -137,7 +139,7 @@ slabhash.lo timehist.lo tube.lo winsock_
@@ -139,7 +141,7 @@
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo authzone.lo \
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
-$(IPSECMOD_OBJ) respip.lo
+$(FASTRPZ_OBJ) $(IPSECMOD_OBJ) respip.lo
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
outside_network.lo
COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
@@ -400,6 +402,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscry
@@ -405,6 +407,11 @@
$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h
@ -48,11 +44,11 @@ Index: unbound-1.7.0~rc1/Makefile.in
# Python Module
pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
pythonmod/interface.h \
Index: unbound-1.7.0~rc1/config.h.in
Index: unboundfastrpz/config.h.in
===================================================================
--- unbound-1.7.0~rc1.orig/config.h.in
+++ unbound-1.7.0~rc1/config.h.in
@@ -1228,4 +1228,11 @@ void *unbound_stat_realloc_log(void *ptr
--- unboundfastrpz/config.h.in (revision 4923)
+++ unboundfastrpz/config.h.in (working copy)
@@ -1272,4 +1272,11 @@
/** the version of unbound-control that this software implements */
#define UNBOUND_CONTROL_VERSION 1
@ -65,11 +61,11 @@ Index: unbound-1.7.0~rc1/config.h.in
+#undef FASTRPZ_LIB_OPEN
+/** turn on fastrpz response policy zones */
+#undef ENABLE_FASTRPZ
Index: unbound-1.7.0~rc1/configure.ac
Index: unboundfastrpz/configure.ac
===================================================================
--- unbound-1.7.0~rc1.orig/configure.ac
+++ unbound-1.7.0~rc1/configure.ac
@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4)
--- unboundfastrpz/configure.ac (revision 4923)
+++ unboundfastrpz/configure.ac (working copy)
@@ -6,6 +6,7 @@
sinclude(acx_python.m4)
sinclude(ac_pkg_swig.m4)
sinclude(dnstap/dnstap.m4)
@ -77,7 +73,7 @@ Index: unbound-1.7.0~rc1/configure.ac
sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
@@ -1453,6 +1454,9 @@ case "$enable_ipsecmod" in
@@ -1565,6 +1566,9 @@
;;
esac
@ -87,11 +83,11 @@ Index: unbound-1.7.0~rc1/configure.ac
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
Index: unbound-1.7.0~rc1/daemon/daemon.c
Index: unboundfastrpz/daemon/daemon.c
===================================================================
--- unbound-1.7.0~rc1.orig/daemon/daemon.c
+++ unbound-1.7.0~rc1/daemon/daemon.c
@@ -90,6 +90,9 @@
--- unboundfastrpz/daemon/daemon.c (revision 4923)
+++ unboundfastrpz/daemon/daemon.c (working copy)
@@ -91,6 +91,9 @@
#include "sldns/keyraw.h"
#include "respip/respip.h"
#include <signal.h>
@ -101,7 +97,7 @@ Index: unbound-1.7.0~rc1/daemon/daemon.c
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
@@ -461,6 +464,14 @@ daemon_create_workers(struct daemon* dae
@@ -462,6 +465,14 @@
fatal_exit("dnstap enabled in config but not built with dnstap support");
#endif
}
@ -116,9 +112,9 @@ Index: unbound-1.7.0~rc1/daemon/daemon.c
for(i=0; i<daemon->num; i++) {
if(!(daemon->workers[i] = worker_create(daemon, i,
shufport+numport*i/daemon->num,
@@ -710,6 +721,9 @@ daemon_cleanup(struct daemon* daemon)
#ifdef USE_DNSCRYPT
@@ -719,6 +730,9 @@
dnsc_delete(daemon->dnscenv);
daemon->dnscenv = NULL;
#endif
+#ifdef ENABLE_FASTRPZ
+ rpz_delete(&daemon->rpz_clist, &daemon->rpz_client);
@ -126,11 +122,11 @@ Index: unbound-1.7.0~rc1/daemon/daemon.c
daemon->cfg = NULL;
}
Index: unbound-1.7.0~rc1/daemon/daemon.h
Index: unboundfastrpz/daemon/daemon.h
===================================================================
--- unbound-1.7.0~rc1.orig/daemon/daemon.h
+++ unbound-1.7.0~rc1/daemon/daemon.h
@@ -134,6 +134,11 @@ struct daemon {
--- unboundfastrpz/daemon/daemon.h (revision 4923)
+++ unboundfastrpz/daemon/daemon.h (working copy)
@@ -136,6 +136,11 @@
/** the dnscrypt environment */
struct dnsc_env* dnscenv;
#endif
@ -142,11 +138,11 @@ Index: unbound-1.7.0~rc1/daemon/daemon.h
};
/**
Index: unbound-1.7.0~rc1/daemon/worker.c
Index: unboundfastrpz/daemon/worker.c
===================================================================
--- unbound-1.7.0~rc1.orig/daemon/worker.c
+++ unbound-1.7.0~rc1/daemon/worker.c
@@ -74,6 +74,9 @@
--- unboundfastrpz/daemon/worker.c (revision 4923)
+++ unboundfastrpz/daemon/worker.c (working copy)
@@ -75,6 +75,9 @@
#include "libunbound/context.h"
#include "libunbound/libworker.h"
#include "sldns/sbuffer.h"
@ -156,7 +152,7 @@ Index: unbound-1.7.0~rc1/daemon/worker.c
#include "sldns/wire2str.h"
#include "util/shm_side/shm_main.h"
#include "dnscrypt/dnscrypt.h"
@@ -527,8 +530,27 @@ answer_norec_from_cache(struct worker* w
@@ -533,8 +536,27 @@
/* not secure */
secure = 0;
break;
@ -182,9 +178,9 @@ Index: unbound-1.7.0~rc1/daemon/worker.c
+ }
+#endif
/* return this delegation from the cache */
edns_bak = *edns;
edns->edns_version = EDNS_ADVERTISED_VERSION;
edns->udp_size = EDNS_ADVERTISED_SIZE;
@@ -689,6 +711,23 @@ answer_from_cache(struct worker* worker,
@@ -702,6 +724,23 @@
secure = 0;
}
} else secure = 0;
@ -206,9 +202,9 @@ Index: unbound-1.7.0~rc1/daemon/worker.c
+ }
+#endif
edns_bak = *edns;
edns->edns_version = EDNS_ADVERTISED_VERSION;
edns->udp_size = EDNS_ADVERTISED_SIZE;
@@ -1291,6 +1330,15 @@ worker_handle_request(struct comm_point*
@@ -1407,6 +1446,15 @@
log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
&repinfo->addr, repinfo->addrlen);
goto send_reply;
@ -224,7 +220,7 @@ Index: unbound-1.7.0~rc1/daemon/worker.c
}
/* If we've found a local alias, replace the qname with the alias
@@ -1339,12 +1387,21 @@ lookup_cache:
@@ -1455,12 +1503,21 @@
h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
/* answer from cache - we have acquired a readlock on it */
@ -248,7 +244,7 @@ Index: unbound-1.7.0~rc1/daemon/worker.c
/* prefetch it if the prefetch TTL expired.
* Note that if there is more than one pass
* its qname must be that used for cache
@@ -1398,11 +1455,19 @@ lookup_cache:
@@ -1514,11 +1571,19 @@
lock_rw_unlock(&e->lock);
}
if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
@ -270,11 +266,11 @@ Index: unbound-1.7.0~rc1/daemon/worker.c
goto send_reply;
}
verbose(VERB_ALGO, "answer norec from cache -- "
Index: unbound-1.7.0~rc1/doc/unbound.conf.5.in
Index: unboundfastrpz/doc/unbound.conf.5.in
===================================================================
--- unbound-1.7.0~rc1.orig/doc/unbound.conf.5.in
+++ unbound-1.7.0~rc1/doc/unbound.conf.5.in
@@ -1705,6 +1705,81 @@ It must be /96 or shorter. The default
--- unboundfastrpz/doc/unbound.conf.5.in (revision 4923)
+++ unboundfastrpz/doc/unbound.conf.5.in (working copy)
@@ -1728,6 +1728,81 @@
used by dns64 processing instead. Can be entered multiple times, list a
new domain for which it applies, one per line. Applies also to names
underneath the name given.
@ -356,10 +352,10 @@ Index: unbound-1.7.0~rc1/doc/unbound.conf.5.in
.SS "DNSCrypt Options"
.LP
The
Index: unbound-1.7.0~rc1/fastrpz/librpz.h
Index: unboundfastrpz/fastrpz/librpz.h
===================================================================
--- /dev/null
+++ unbound-1.7.0~rc1/fastrpz/librpz.h
--- unboundfastrpz/fastrpz/librpz.h (nonexistent)
+++ unboundfastrpz/fastrpz/librpz.h (working copy)
@@ -0,0 +1,957 @@
+/*
+ * Define the interface from a DNS resolver to the Response Policy Zone
@ -1318,11 +1314,11 @@ Index: unbound-1.7.0~rc1/fastrpz/librpz.h
+#endif /* LIBRPZ_LIB_OPEN */
+
+#endif /* LIBRPZ_H */
Index: unbound-1.7.0~rc1/fastrpz/rpz.c
Index: unboundfastrpz/fastrpz/rpz.c
===================================================================
--- /dev/null
+++ unbound-1.7.0~rc1/fastrpz/rpz.c
@@ -0,0 +1,1357 @@
--- unboundfastrpz/fastrpz/rpz.c (nonexistent)
+++ unboundfastrpz/fastrpz/rpz.c (working copy)
@@ -0,0 +1,1352 @@
+/*
+ * fastrpz/rpz.c - interface to the fastrpz response policy zone library
+ *
@ -1438,8 +1434,6 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.c
+static void
+log_fnc(librpz_log_level_t level, void* ATTR_UNUSED(ctx), const char* buf)
+{
+ char label_buf[sizeof("rpz ")+8];
+
+ /* Setting librpz_log_level overrides the unbound "verbose" level. */
+ if(level > LIBRPZ_LOG_TRACE1 &&
+ level <= librpz->log_level_val(LIBRPZ_LOG_INVALID))
@ -1949,12 +1943,9 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.c
+ case st_ck_ns:
+ /* An NSDNAME or NSIP check failed for lack of cached data. */
+ return false;
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunreachable-code"
+ default:
+ fatal_exit("impossible RPZ state %d in rpz_worker_cache()",
+ rpz->st);
+#pragma clang diagnostic pop
+ }
+
+ /* Wait for a trigger. */
@ -2680,10 +2671,10 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.c
+}
+
+#endif /* ENABLE_FASTRPZ */
Index: unbound-1.7.0~rc1/fastrpz/rpz.h
Index: unboundfastrpz/fastrpz/rpz.h
===================================================================
--- /dev/null
+++ unbound-1.7.0~rc1/fastrpz/rpz.h
--- unboundfastrpz/fastrpz/rpz.h (nonexistent)
+++ unboundfastrpz/fastrpz/rpz.h (working copy)
@@ -0,0 +1,138 @@
+/*
+ * fastrpz/rpz.h - interface to the fastrpz response policy zone library
@ -2823,10 +2814,10 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.h
+
+#endif /* ENABLE_FASTRPZ */
+#endif /* UNBOUND_FASTRPZ_RPZ_H */
Index: unbound-1.7.0~rc1/fastrpz/rpz.m4
Index: unboundfastrpz/fastrpz/rpz.m4
===================================================================
--- /dev/null
+++ unbound-1.7.0~rc1/fastrpz/rpz.m4
--- unboundfastrpz/fastrpz/rpz.m4 (nonexistent)
+++ unboundfastrpz/fastrpz/rpz.m4 (working copy)
@@ -0,0 +1,64 @@
+# fastrpz/rpz.m4
+
@ -2892,10 +2883,10 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.m4
+ AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]])
+ fi
+])
Index: unbound-1.7.0~rc1/iterator/iterator.c
Index: unboundfastrpz/iterator/iterator.c
===================================================================
--- unbound-1.7.0~rc1.orig/iterator/iterator.c
+++ unbound-1.7.0~rc1/iterator/iterator.c
--- unboundfastrpz/iterator/iterator.c (revision 4923)
+++ unboundfastrpz/iterator/iterator.c (working copy)
@@ -68,6 +68,9 @@
#include "sldns/str2wire.h"
#include "sldns/parseutil.h"
@ -2906,7 +2897,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c
int
iter_init(struct module_env* env, int id)
@@ -511,6 +514,23 @@ handle_cname_response(struct module_qsta
@@ -525,6 +528,23 @@
if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
query_dname_compare(*mname, r->rk.dname) == 0 &&
!iter_find_rrset_in_prepend_answer(iq, r)) {
@ -2930,7 +2921,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c
/* Add this relevant CNAME rrset to the prepend list.*/
if(!iter_add_prepend_answer(qstate, iq, r))
return 0;
@@ -519,6 +539,9 @@ handle_cname_response(struct module_qsta
@@ -533,6 +553,9 @@
/* Other rrsets in the section are ignored. */
}
@ -2940,7 +2931,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c
/* add authority rrsets to authority prepend, for wildcarded CNAMEs */
for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets +
msg->rep->ns_numrrsets; i++) {
@@ -1148,6 +1171,7 @@ processInitRequest(struct module_qstate*
@@ -1216,6 +1239,7 @@
uint8_t* delname;
size_t delnamelen;
struct dns_msg* msg = NULL;
@ -2948,7 +2939,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c
log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
/* check effort */
@@ -1223,8 +1247,7 @@ processInitRequest(struct module_qstate*
@@ -1302,8 +1326,7 @@
}
if(msg) {
/* handle positive cache response */
@ -2958,7 +2949,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c
if(verbosity >= VERB_ALGO) {
log_dns_msg("msg from cache lookup", &msg->qinfo,
msg->rep);
@@ -1232,7 +1255,22 @@ processInitRequest(struct module_qstate*
@@ -1311,7 +1334,22 @@
(int)msg->rep->ttl,
(int)msg->rep->prefetch_ttl);
}
@ -2981,7 +2972,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c
if(type == RESPONSE_TYPE_CNAME) {
uint8_t* sname = 0;
size_t slen = 0;
@@ -2552,6 +2590,62 @@ processQueryResponse(struct module_qstat
@@ -2716,6 +2754,62 @@
sock_list_insert(&qstate->reply_origin,
&qstate->reply->addr, qstate->reply->addrlen,
qstate->region);
@ -3041,10 +3032,10 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c
+ }
+ }
+#endif
if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
if(iq->minimisation_state != DONOT_MINIMISE_STATE
&& !(iq->chase_flags & BIT_RD)) {
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
LDNS_RCODE_NOERROR) {
@@ -3273,12 +3367,44 @@ processFinished(struct module_qstate* qs
@@ -3462,6 +3556,10 @@
* but only if we did recursion. The nonrecursion referral
* from cache does not need to be stored in the msg cache. */
if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
@ -3055,6 +3046,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c
iter_dns_store(qstate->env, &qstate->qinfo,
iq->response->rep, 0, qstate->prefetch_leeway,
iq->dp&&iq->dp->has_parent_side_NS,
@@ -3468,6 +3566,34 @@
qstate->region, qstate->query_flags);
}
}
@ -3089,11 +3081,11 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c
qstate->return_rcode = LDNS_RCODE_NOERROR;
qstate->return_msg = iq->response;
return 0;
Index: unbound-1.7.0~rc1/iterator/iterator.h
Index: unboundfastrpz/iterator/iterator.h
===================================================================
--- unbound-1.7.0~rc1.orig/iterator/iterator.h
+++ unbound-1.7.0~rc1/iterator/iterator.h
@@ -383,6 +383,16 @@ struct iter_qstate {
--- unboundfastrpz/iterator/iterator.h (revision 4923)
+++ unboundfastrpz/iterator/iterator.h (working copy)
@@ -386,6 +386,16 @@
*/
int minimise_count;
@ -3110,11 +3102,11 @@ Index: unbound-1.7.0~rc1/iterator/iterator.h
/**
* Count number of time-outs. Used to prevent resolving failures when
* the QNAME minimisation QTYPE is blocked. */
Index: unbound-1.7.0~rc1/services/cache/dns.c
Index: unboundfastrpz/services/cache/dns.c
===================================================================
--- unbound-1.7.0~rc1.orig/services/cache/dns.c
+++ unbound-1.7.0~rc1/services/cache/dns.c
@@ -876,6 +876,14 @@ dns_cache_store(struct module_env* env,
--- unboundfastrpz/services/cache/dns.c (revision 4923)
+++ unboundfastrpz/services/cache/dns.c (working copy)
@@ -928,6 +928,14 @@
struct regional* region, uint32_t flags)
{
struct reply_info* rep = NULL;
@ -3129,11 +3121,11 @@ Index: unbound-1.7.0~rc1/services/cache/dns.c
/* alloc, malloc properly (not in region, like msg is) */
rep = reply_info_copy(msgrep, env->alloc, NULL);
if(!rep)
Index: unbound-1.7.0~rc1/services/mesh.c
Index: unboundfastrpz/services/mesh.c
===================================================================
--- unbound-1.7.0~rc1.orig/services/mesh.c
+++ unbound-1.7.0~rc1/services/mesh.c
@@ -59,6 +59,9 @@
--- unboundfastrpz/services/mesh.c (revision 4923)
+++ unboundfastrpz/services/mesh.c (working copy)
@@ -60,6 +60,9 @@
#include "sldns/wire2str.h"
#include "services/localzone.h"
#include "util/data/dname.h"
@ -3143,7 +3135,7 @@ Index: unbound-1.7.0~rc1/services/mesh.c
#include "respip/respip.h"
/** subtract timers and the values do not overflow or become negative */
@@ -1050,6 +1053,13 @@ mesh_send_reply(struct mesh_state* m, in
@@ -1057,6 +1060,13 @@
else secure = 0;
if(!rep && rcode == LDNS_RCODE_NOERROR)
rcode = LDNS_RCODE_SERVFAIL;
@ -3157,7 +3149,7 @@ Index: unbound-1.7.0~rc1/services/mesh.c
/* send the reply */
/* We don't reuse the encoded answer if either the previous or current
* response has a local alias. We could compare the alias records
@@ -1199,6 +1209,7 @@ struct mesh_state* mesh_area_find(struct
@@ -1230,6 +1240,7 @@
key.s.is_valrec = valrec;
key.s.qinfo = *qinfo;
key.s.query_flags = qflags;
@ -3165,7 +3157,7 @@ Index: unbound-1.7.0~rc1/services/mesh.c
/* We are searching for a similar mesh state when we DO want to
* aggregate the state. Thus unique is set to NULL. (default when we
* desire aggregation).*/
@@ -1245,6 +1256,10 @@ int mesh_state_add_reply(struct mesh_sta
@@ -1276,6 +1287,10 @@
if(!r)
return 0;
r->query_reply = *rep;
@ -3176,11 +3168,11 @@ Index: unbound-1.7.0~rc1/services/mesh.c
r->edns = *edns;
if(edns->opt_list) {
r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
Index: unbound-1.7.0~rc1/util/config_file.c
Index: unboundfastrpz/util/config_file.c
===================================================================
--- unbound-1.7.0~rc1.orig/util/config_file.c
+++ unbound-1.7.0~rc1/util/config_file.c
@@ -1323,6 +1323,8 @@ config_delete(struct config_file* cfg)
--- unboundfastrpz/util/config_file.c (revision 4923)
+++ unboundfastrpz/util/config_file.c (working copy)
@@ -1386,6 +1386,8 @@
free(cfg->dnstap_socket_path);
free(cfg->dnstap_identity);
free(cfg->dnstap_version);
@ -3189,11 +3181,11 @@ Index: unbound-1.7.0~rc1/util/config_file.c
config_deldblstrlist(cfg->ratelimit_for_domain);
config_deldblstrlist(cfg->ratelimit_below_domain);
#ifdef USE_IPSECMOD
Index: unbound-1.7.0~rc1/util/config_file.h
Index: unboundfastrpz/util/config_file.h
===================================================================
--- unbound-1.7.0~rc1.orig/util/config_file.h
+++ unbound-1.7.0~rc1/util/config_file.h
@@ -431,6 +431,11 @@ struct config_file {
--- unboundfastrpz/util/config_file.h (revision 4923)
+++ unboundfastrpz/util/config_file.h (working copy)
@@ -468,6 +468,11 @@
/** true to disable DNSSEC lameness check in iterator */
int disable_dnssec_lame_check;
@ -3205,11 +3197,11 @@ Index: unbound-1.7.0~rc1/util/config_file.h
/** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */
int ip_ratelimit;
/** number of slabs for ip_ratelimit cache */
Index: unbound-1.7.0~rc1/util/configlexer.lex
Index: unboundfastrpz/util/configlexer.lex
===================================================================
--- unbound-1.7.0~rc1.orig/util/configlexer.lex
+++ unbound-1.7.0~rc1/util/configlexer.lex
@@ -412,6 +412,10 @@ dnstap-log-forwarder-query-messages{COLO
--- unboundfastrpz/util/configlexer.lex (revision 4923)
+++ unboundfastrpz/util/configlexer.lex (working copy)
@@ -429,6 +429,10 @@
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
dnstap-log-forwarder-response-messages{COLON} {
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
@ -3220,11 +3212,11 @@ Index: unbound-1.7.0~rc1/util/configlexer.lex
disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) }
ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) }
Index: unbound-1.7.0~rc1/util/configparser.y
Index: unboundfastrpz/util/configparser.y
===================================================================
--- unbound-1.7.0~rc1.orig/util/configparser.y
+++ unbound-1.7.0~rc1/util/configparser.y
@@ -124,6 +124,7 @@ extern struct config_parser_state* cfg_p
--- unboundfastrpz/util/configparser.y (revision 4923)
+++ unboundfastrpz/util/configparser.y (working copy)
@@ -125,6 +125,7 @@
%token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
%token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
%token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
@ -3232,7 +3224,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y
%token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
%token VAR_DISABLE_DNSSEC_LAME_CHECK
@@ -158,7 +159,7 @@ extern struct config_parser_state* cfg_p
@@ -164,7 +165,7 @@
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -3241,7 +3233,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y
forwardstart contents_forward | pythonstart contents_py |
rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
dnscstart contents_dnsc | cachedbstart contents_cachedb |
@@ -2384,6 +2385,50 @@ dt_dnstap_log_forwarder_response_message
@@ -2546,6 +2547,50 @@
(strcmp($2, "yes")==0);
}
;
@ -3269,7 +3261,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y
+
+ OUTYY(("P(rpz_zone:%s)\n", $2));
+ old_cstr = cfg_parser->cfg->rpz_cstr;
+ asprintf(&new_cstr, "%s\nzone %s", old_cstr?old_cstr:"", $2);
+ (void)asprintf(&new_cstr, "%s\nzone %s", old_cstr?old_cstr:"", $2);
+ if(!new_cstr)
+ yyerror("out of memory");
+ free(old_cstr);
@ -3282,7 +3274,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y
+
+ OUTYY(("P(rpz_option:%s)\n", $2));
+ old_cstr = cfg_parser->cfg->rpz_cstr;
+ asprintf(&new_cstr, "%s\n%s", old_cstr ? old_cstr : "", $2);
+ (void)asprintf(&new_cstr, "%s\n%s", old_cstr ? old_cstr : "", $2);
+ if(!new_cstr)
+ yyerror("out of memory");
+ free(old_cstr);
@ -3292,11 +3284,11 @@ Index: unbound-1.7.0~rc1/util/configparser.y
pythonstart: VAR_PYTHON
{
OUTYY(("\nP(python:)\n"));
Index: unbound-1.7.0~rc1/util/data/msgencode.c
Index: unboundfastrpz/util/data/msgencode.c
===================================================================
--- unbound-1.7.0~rc1.orig/util/data/msgencode.c
+++ unbound-1.7.0~rc1/util/data/msgencode.c
@@ -585,6 +585,35 @@ insert_section(struct reply_info* rep, s
--- unboundfastrpz/util/data/msgencode.c (revision 4923)
+++ unboundfastrpz/util/data/msgencode.c (working copy)
@@ -585,6 +585,35 @@
return RETVAL_OK;
}
@ -3332,7 +3324,7 @@ Index: unbound-1.7.0~rc1/util/data/msgencode.c
/** store query section in wireformat buffer, return RETVAL */
static int
insert_query(struct query_info* qinfo, struct compress_tree_node** tree,
@@ -750,6 +779,19 @@ reply_info_encode(struct query_info* qin
@@ -748,6 +777,19 @@
return 0;
}
sldns_buffer_write_u16_at(buffer, 10, arcount);
@ -3352,13 +3344,13 @@ Index: unbound-1.7.0~rc1/util/data/msgencode.c
}
sldns_buffer_flip(buffer);
return 1;
Index: unbound-1.7.0~rc1/util/data/packed_rrset.c
Index: unboundfastrpz/util/data/packed_rrset.c
===================================================================
--- unbound-1.7.0~rc1.orig/util/data/packed_rrset.c
+++ unbound-1.7.0~rc1/util/data/packed_rrset.c
@@ -254,6 +254,10 @@ sec_status_to_string(enum sec_status s)
case sec_status_indeterminate: return "sec_status_indeterminate";
--- unboundfastrpz/util/data/packed_rrset.c (revision 4923)
+++ unboundfastrpz/util/data/packed_rrset.c (working copy)
@@ -255,6 +255,10 @@
case sec_status_insecure: return "sec_status_insecure";
case sec_status_secure_sentinel_fail: return "sec_status_secure_sentinel_fail";
case sec_status_secure: return "sec_status_secure";
+#ifdef ENABLE_FASTRPZ
+ case sec_status_rpz_rewritten: return "sec_status_rpz_rewritten";
@ -3367,12 +3359,12 @@ Index: unbound-1.7.0~rc1/util/data/packed_rrset.c
}
return "unknown_sec_status_value";
}
Index: unbound-1.7.0~rc1/util/data/packed_rrset.h
Index: unboundfastrpz/util/data/packed_rrset.h
===================================================================
--- unbound-1.7.0~rc1.orig/util/data/packed_rrset.h
+++ unbound-1.7.0~rc1/util/data/packed_rrset.h
@@ -189,7 +189,15 @@ enum sec_status {
sec_status_insecure,
--- unboundfastrpz/util/data/packed_rrset.h (revision 4923)
+++ unboundfastrpz/util/data/packed_rrset.h (working copy)
@@ -193,7 +193,15 @@
sec_status_secure_sentinel_fail,
/** SECURE means that the object (RRset or message) validated
* according to local policy. */
- sec_status_secure
@ -3388,11 +3380,11 @@ Index: unbound-1.7.0~rc1/util/data/packed_rrset.h
};
/**
Index: unbound-1.7.0~rc1/util/netevent.c
Index: unboundfastrpz/util/netevent.c
===================================================================
--- unbound-1.7.0~rc1.orig/util/netevent.c
+++ unbound-1.7.0~rc1/util/netevent.c
@@ -54,6 +54,9 @@
--- unboundfastrpz/util/netevent.c (revision 4923)
+++ unboundfastrpz/util/netevent.c (working copy)
@@ -56,6 +56,9 @@
#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
@ -3402,7 +3394,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c
/* -------- Start of local definitions -------- */
/** if CMSG_ALIGN is not defined on this platform, a workaround */
@@ -585,6 +588,9 @@ comm_point_udp_ancil_callback(int fd, sh
@@ -588,6 +591,9 @@
struct cmsghdr* cmsg;
#endif /* S_SPLINT_S */
@ -3412,7 +3404,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c
rep.c = (struct comm_point*)arg;
log_assert(rep.c->type == comm_udp);
@@ -674,6 +680,9 @@ comm_point_udp_callback(int fd, short ev
@@ -677,6 +683,9 @@
int i;
struct sldns_buffer *buffer;
@ -3422,7 +3414,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c
rep.c = (struct comm_point*)arg;
log_assert(rep.c->type == comm_udp);
@@ -717,6 +726,9 @@ comm_point_udp_callback(int fd, short ev
@@ -720,6 +729,9 @@
(void)comm_point_send_udp_msg(rep.c, buffer,
(struct sockaddr*)&rep.addr, rep.addrlen);
}
@ -3432,7 +3424,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c
if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for
another UDP port. Note rep.c cannot be reused with TCP fd. */
break;
@@ -2956,6 +2968,9 @@ comm_point_send_reply(struct comm_reply
@@ -3035,6 +3047,9 @@
comm_point_start_listening(repinfo->c, -1,
repinfo->c->tcp_timeout_msec);
}
@ -3442,7 +3434,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c
}
void
@@ -2965,6 +2980,9 @@ comm_point_drop_reply(struct comm_reply*
@@ -3044,6 +3059,9 @@
return;
log_assert(repinfo && repinfo->c);
log_assert(repinfo->c->type != comm_tcp_accept);
@ -3452,7 +3444,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c
if(repinfo->c->type == comm_udp)
return;
reclaim_tcp_handler(repinfo->c);
@@ -2984,6 +3002,9 @@ comm_point_start_listening(struct comm_p
@@ -3063,6 +3081,9 @@
{
verbose(VERB_ALGO, "comm point start listening %d",
c->fd==-1?newfd:c->fd);
@ -3462,11 +3454,11 @@ Index: unbound-1.7.0~rc1/util/netevent.c
if(c->type == comm_tcp_accept && !c->tcp_free) {
/* no use to start listening no free slots. */
return;
Index: unbound-1.7.0~rc1/util/netevent.h
Index: unboundfastrpz/util/netevent.h
===================================================================
--- unbound-1.7.0~rc1.orig/util/netevent.h
+++ unbound-1.7.0~rc1/util/netevent.h
@@ -119,6 +119,10 @@ struct comm_reply {
--- unboundfastrpz/util/netevent.h (revision 4923)
+++ unboundfastrpz/util/netevent.h (working copy)
@@ -120,6 +120,10 @@
/** return type 0 (none), 4(IP4), 6(IP6) */
int srctype;
/* DnsCrypt context */
@ -3477,11 +3469,11 @@ Index: unbound-1.7.0~rc1/util/netevent.h
#ifdef USE_DNSCRYPT
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES];
uint8_t nmkey[crypto_box_BEFORENMBYTES];
Index: unbound-1.7.0~rc1/validator/validator.c
Index: unboundfastrpz/validator/validator.c
===================================================================
--- unbound-1.7.0~rc1.orig/validator/validator.c
+++ unbound-1.7.0~rc1/validator/validator.c
@@ -2688,6 +2688,12 @@ ds_response_to_ke(struct module_qstate*
--- unboundfastrpz/validator/validator.c (revision 4923)
+++ unboundfastrpz/validator/validator.c (working copy)
@@ -2755,6 +2755,12 @@
default:
/* NSEC proof did not work, try next */
break;
@ -3494,7 +3486,7 @@ Index: unbound-1.7.0~rc1/validator/validator.c
}
sec = nsec3_prove_nods(qstate->env, ve,
@@ -2721,6 +2727,12 @@ ds_response_to_ke(struct module_qstate*
@@ -2788,6 +2794,12 @@
default:
/* NSEC3 proof did not work */
break;
@ -3507,4 +3499,3 @@ Index: unbound-1.7.0~rc1/validator/validator.c
}
/* Apparently, no available NSEC/NSEC3 proved NODATA, so


@ -660,18 +660,15 @@ daemon_fork(struct daemon* daemon)
/* Start resolver service on main thread. */
#ifdef HAVE_SYSTEMD
if(daemon->cfg->use_systemd)
sd_notify(0, "READY=1");
sd_notify(0, "READY=1");
#endif
log_info("start of service (%s).", PACKAGE_STRING);
worker_work(daemon->workers[0]);
#ifdef HAVE_SYSTEMD
if(daemon->cfg->use_systemd) {
if (daemon->workers[0]->need_to_exit)
sd_notify(0, "STOPPING=1");
else
sd_notify(0, "RELOADING=1");
}
if (daemon->workers[0]->need_to_exit)
sd_notify(0, "STOPPING=1");
else
sd_notify(0, "RELOADING=1");
#endif
log_info("service stopped (%s).", PACKAGE_STRING);
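Review bot: The new sd_notify calls (READY, STOPPING, RELOADING) appear to be unconditional under HAVE_SYSTEMD, while the lines they replace were guarded by `daemon->cfg->use_systemd`; if that guard removal is the intended fix for #4156 from the changelog, the config option's documentation should say that notifications are now always sent when running under systemd (sd_notify is a no-op without NOTIFY_SOCKET, so this is safe but surprising). I would add above the first call: `/* sd_notify is a no-op when NOTIFY_SOCKET is unset, so no config guard is needed */`. The old/new sides here are inferred from print order and the hunk counts, so confirm against the raw diff. daemon_fork begins and ends outside the hunk.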


@ -275,12 +275,13 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
struct addrinfo hints;
struct addrinfo* res;
struct listen_port* n;
int noproto;
int noproto = 0;
int fd, r;
char port[15];
snprintf(port, sizeof(port), "%d", nr);
port[sizeof(port)-1]=0;
memset(&hints, 0, sizeof(hints));
log_assert(ip);
if(ip[0] == '/') {
/* This looks like a local socket */
@ -1069,6 +1070,7 @@ do_stats(RES* ssl, struct daemon_remote* rc, int reset)
struct ub_stats_info total;
struct ub_stats_info s;
int i;
memset(&total, 0, sizeof(total));
log_assert(daemon->num > 0);
/* gather all thread statistics in one place */
for(i=0; i<daemon->num; i++) {


@ -730,7 +730,7 @@ main(int argc, char* argv[])
}
}
argc -= optind;
argv += optind;
/* argv += optind; not using further arguments */
if(winopt) {
#ifdef UB_ON_WINDOWS


@ -1180,7 +1180,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
char addrbuf[128];
addr_to_str(&repinfo->addr, repinfo->addrlen,
addrbuf, sizeof(addrbuf));
verbose(VERB_OPS, "ip_ratelimit allowed through for ip address %s ",
verbose(VERB_QUERY, "ip_ratelimit allowed through for ip address %s because of slip in ip_ratelimit_factor",
addrbuf);
} else {
worker->stats.num_queries_ip_ratelimited++;
@ -1671,14 +1671,14 @@ worker_create(struct daemon* daemon, int id, int* ports, int n)
(((unsigned int)worker->thread_num)<<17);
/* shift thread_num so it does not match out pid bits */
if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) {
seed = 0;
explicit_bzero(&seed, sizeof(seed));
log_err("could not init random numbers.");
tube_delete(worker->cmd);
free(worker->ports);
free(worker);
return NULL;
}
seed = 0;
explicit_bzero(&seed, sizeof(seed));
#ifdef USE_DNSTAP
if(daemon->cfg->dnstap) {
log_assert(daemon->dtenv != NULL);


@ -1,5 +1,80 @@
8 October 2018: Wouter
- fastrpz.patch fix included.
1 October 2018: Wouter
- tag for release 1.8.1rc1.
27 September 2018: Wouter
- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
qname minimisation with a forwarder when connectivity has issues
from rejecting responses.
25 September 2018: Wouter
- Perform TLS SNI indication of the host that is being contacted
for DNS over TLS service. It sets the configured tls auth name.
This is useful for hosts that apart from the DNS over TLS services
also provide other (web) services.
- Fix #4149: Add SSL cleanup for tcp timeout.
17 September 2018: Wouter
- Fix compile on Mac for unbound, provide explicit_bzero when libc
does not have it.
- Fix unbound for openssl in FIPS mode, it uses the digests with
the EVP call contexts.
- Fix that with harden-below-nxdomain and qname minisation enabled
some iterator states for nonresponsive domains can get into a
state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count
to be reset by the TCP time measurement (that exists for TLS),
because that causes the UDP part to not be measured as timeout.
- Fix #4156: Fix systemd service manager state change notification.
13 September 2018: Wouter
- Fix seed for random backup code to use explicit zero when wiped.
- exit log routine is annotated as noreturn function.
- free memory leaks in config strlist and str2list insert functions.
- do not move unused argv variable after getopt.
- Remove unused if clause in testcode.
- in testcode, free async ids, initialise array, and check for null
pointer during test of the test. And use exit for return to note
irregular program stop.
- Free memory leak in config strlist append.
- make sure nsec3 comparison salt is initialized.
- unit test has clang analysis.
- remove unused variable assignment from iterator scrub routine.
- check for null in delegation point during iterator refetch
in forward zone.
- neater pointer cast in libunbound context quit routine.
- initialize statistics totals for printout.
- in authzone check that node exists before adding rrset.
- in unbound-anchor, use readwrite memory BIO.
- assertion in autotrust that packed rrset is formed correctly.
- Fix memory leak when message parse fails partway through copy.
- remove unused udpsize assignment in message encode.
- nicer bio free code in unbound-anchor.
- annotate exit functions with noreturn in unbound-control.
11 September 2018: Wouter
- Fixed unused return value warnings in contrib/fastrpz.patch for
asprintf.
- Fix to squelch respip warning in unit test, it is printed at
higher verbosity settings.
- Fix spelling errors.
- Fix initialisation in remote.c
10 September 2018: Wouter
- 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
- iana port update.
5 September 2018: Wouter
- Fix spelling error in header, from getdns commit by Andreas Gelmini.
4 September 2018: Ralph
- More explicitly mention the type of ratelimit when applying
ip-ratelimit.
4 September 2018: Wouter
- Tag for 1.8.0rc1 release.
- Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
31 August 2018: Wouter
- Disable minimal-responses in subnet unit tests.
@ -1856,7 +1931,7 @@
compatibility with cisco dns guard. This lowers false positives.
18 April 2016: Wouter
- Fix some malformed reponses to edns queries get fallback to nonedns.
- Fix some malformed responses to edns queries get fallback to nonedns.
15 April 2016: Wouter
- cachedb module event handling design.


@ -1,4 +1,4 @@
README for Unbound 1.8.0
README for Unbound 1.8.1
Copyright 2007 NLnet Labs
http://unbound.net


@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.8.0.
# See unbound.conf(5) man page, version 1.8.1.
#
# this is a comment.


@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.8.0.
# See unbound.conf(5) man page, version 1.8.1.
#
# this is a comment.


@ -1,4 +1,4 @@
.TH "libunbound" "3" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "libunbound" "3" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.8.0 functions.
\- Unbound DNS validating resolver 1.8.1 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP


@ -1,4 +1,4 @@
.TH "libunbound" "3" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "libunbound" "3" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.8.0 functions.
\- Unbound DNS validating resolver 1.8.1 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP


@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound-anchor" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"


@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound-anchor" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"


@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound-checkconf" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"


@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound-checkconf" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"


@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound-control" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -301,7 +301,7 @@ you set unbound to validate with for-upstream yes and that can be cleared
with \fBflush_zone\fR \fIzone\fR.
.TP
.B auth_zone_transfer \fIzone\fR
Tranfer the auth zone from master. The auth zone probe sequence is started,
Transfer the auth zone from master. The auth zone probe sequence is started,
where the masters are probed to see if they have an updated zone (with the SOA
serial check). And then the zone is transferred for a newer zone version.
.TP


@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound-control" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -301,7 +301,7 @@ you set unbound to validate with for-upstream yes and that can be cleared
with \fBflush_zone\fR \fIzone\fR.
.TP
.B auth_zone_transfer \fIzone\fR
Tranfer the auth zone from master. The auth zone probe sequence is started,
Transfer the auth zone from master. The auth zone probe sequence is started,
where the masters are probed to see if they have an updated zone (with the SOA
serial check). And then the zone is transferred for a newer zone version.
.TP


@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound\-host" "1" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"


@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound\-host" "1" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"


@ -1,4 +1,4 @@
.TH "unbound" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.8.0.
\- Unbound DNS validating resolver 1.8.1.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]


@ -1,4 +1,4 @@
.TH "unbound" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.8.0.
\- Unbound DNS validating resolver 1.8.1.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]


@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound.conf" "5" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -498,7 +498,7 @@ a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
Default is yes.
.TP
.B tcp\-connection\-limit: \fI<IP netblock> <limit>
Allow up to \fIlimit\R simultaneous TCP connections from the given netblock.
Allow up to \fIlimit\fR simultaneous TCP connections from the given netblock.
When at the limit, further connections are accepted but closed immediately.
This option is experimental at this time.
.TP


@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
.TH "unbound.conf" "5" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -498,7 +498,7 @@ a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
Default is yes.
.TP
.B tcp\-connection\-limit: \fI<IP netblock> <limit>
Allow up to \fIlimit\R simultaneous TCP connections from the given netblock.
Allow up to \fIlimit\fR simultaneous TCP connections from the given netblock.
When at the limit, further connections are accepted but closed immediately.
This option is experimental at this time.
.TP


@ -437,7 +437,9 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
rrset->rrset_all_next =
nx->rrset_all_next;
nx->rrset_all_next = rrset;
prev = nx;
/* prev = nx; unused, enable if there
* is other rrset removal code after
* this */
}
}


@ -1125,7 +1125,7 @@ forward_request(struct module_qstate* qstate, struct iter_qstate* iq)
struct delegpt* dp;
uint8_t* delname = iq->qchase.qname;
size_t delnamelen = iq->qchase.qname_len;
if(iq->refetch_glue) {
if(iq->refetch_glue && iq->dp) {
delname = iq->dp->name;
delnamelen = iq->dp->namelen;
}
@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
return 0;
}
if(iq->minimisation_state == INIT_MINIMISE_STATE) {
if(iq->minimisation_state == INIT_MINIMISE_STATE
&& !(iq->chase_flags & BIT_RD)) {
/* (Re)set qinfo_out to (new) delegation point, except when
* qinfo_out is already a subdomain of dp. This happens when
* increasing by more than one label at once (QNAMEs with more
@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
sock_list_insert(&qstate->reply_origin,
&qstate->reply->addr, qstate->reply->addrlen,
qstate->region);
if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
if(iq->minimisation_state != DONOT_MINIMISE_STATE
&& !(iq->chase_flags & BIT_RD)) {
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
LDNS_RCODE_NOERROR) {
if(qstate->env->cfg->qname_minimisation_strict)
@ -2752,6 +2754,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
verbose(VERB_ALGO,
"could not validate NXDOMAIN "
"response");
outbound_list_clear(&iq->outlist);
iq->num_current_queries = 0;
fptr_ok(fptr_whitelist_modenv_detach_subs(
qstate->env->detach_subs));
(*qstate->env->detach_subs)(qstate);
iq->num_target_queries = 0;
}
}
return next_state(iq, QUERYTARGETS_STATE);
@ -2993,7 +3001,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->dp->name, iq->dp->namelen, qstate->qinfo.qclass)) {
verbose(VERB_ALGO, "auth zone response bad, and no"
" fallback possible, servfail");
errinf_dname(qstate, "reponse is bad, no fallback, "
errinf_dname(qstate, "response is bad, no fallback, "
"for auth zone", iq->dp->name);
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
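Review bot: The new `&& !(iq->chase_flags & BIT_RD)` conditions on the INIT_MINIMISE_STATE and DONOT_MINIMISE_STATE checks turn QNAME minimisation off for every forwarded query, but carry no comment saying so or why, and the link to the #4188 forwarder SERVFAIL fix in the changelog is lost on a reader of this code. I would add above the first check: `/* RD set means we forward: do not minimise, the forwarder resolves the full name and a minimised query to it gives spurious failures (#4188) */`. The comment should also state the privacy consequence, that forwarded queries now always carry the full QNAME upstream, which is expected for a forwarder but should be explicit. processQueryTargets and processQueryResponse begin and end outside these hunks.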


@ -392,12 +392,12 @@ struct ctx_query* context_deserialize_cancel(struct ub_ctx* ctx,
uint8_t*
context_serialize_quit(uint32_t* len)
{
uint8_t* p = (uint8_t*)malloc(sizeof(uint32_t));
uint32_t* p = (uint32_t*)malloc(sizeof(uint32_t));
if(!p)
return NULL;
*len = sizeof(uint32_t);
sldns_write_uint32(p, UB_LIBCMD_QUIT);
return p;
return (uint8_t*)p;
}
enum ub_ctx_cmd context_serial_getcmd(uint8_t* p, uint32_t len)


@ -109,13 +109,13 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
alloc_init(&ctx->superalloc, NULL, 0);
seed = (unsigned int)time(NULL) ^ (unsigned int)getpid();
if(!(ctx->seed_rnd = ub_initstate(seed, NULL))) {
seed = 0;
explicit_bzero(&seed, sizeof(seed));
ub_randfree(ctx->seed_rnd);
free(ctx);
errno = ENOMEM;
return NULL;
}
seed = 0;
explicit_bzero(&seed, sizeof(seed));
lock_basic_init(&ctx->qqpipe_lock);
lock_basic_init(&ctx->rrpipe_lock);
lock_basic_init(&ctx->cfglock);
@ -392,7 +392,6 @@ ub_ctx_add_ta(struct ub_ctx* ctx, const char* ta)
}
if(!cfg_strlist_insert(&ctx->env->cfg->trust_anchor_list, dup)) {
lock_basic_unlock(&ctx->cfglock);
free(dup);
return UB_NOMEM;
}
lock_basic_unlock(&ctx->cfglock);
@ -412,7 +411,6 @@ ub_ctx_add_ta_file(struct ub_ctx* ctx, const char* fname)
}
if(!cfg_strlist_insert(&ctx->env->cfg->trust_anchor_file_list, dup)) {
lock_basic_unlock(&ctx->cfglock);
free(dup);
return UB_NOMEM;
}
lock_basic_unlock(&ctx->cfglock);
@ -432,7 +430,6 @@ int ub_ctx_add_ta_autr(struct ub_ctx* ctx, const char* fname)
if(!cfg_strlist_insert(&ctx->env->cfg->auto_trust_anchor_file_list,
dup)) {
lock_basic_unlock(&ctx->cfglock);
free(dup);
return UB_NOMEM;
}
lock_basic_unlock(&ctx->cfglock);
@ -452,7 +449,6 @@ ub_ctx_trustedkeys(struct ub_ctx* ctx, const char* fname)
}
if(!cfg_strlist_insert(&ctx->env->cfg->trusted_keys_file_list, dup)) {
lock_basic_unlock(&ctx->cfglock);
free(dup);
return UB_NOMEM;
}
lock_basic_unlock(&ctx->cfglock);
@ -962,7 +958,6 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
return UB_NOMEM;
}
if(!cfg_strlist_insert(&s->addrs, dupl)) {
free(dupl);
lock_basic_unlock(&ctx->cfglock);
errno=ENOMEM;
return UB_NOMEM;
@ -1045,7 +1040,6 @@ int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
}
if(!cfg_strlist_insert(&elem->addrs, a)) {
lock_basic_unlock(&ctx->cfglock);
free(a);
errno = ENOMEM;
return UB_NOMEM;
}
@ -1233,7 +1227,6 @@ ub_ctx_hosts(struct ub_ctx* ctx, const char* fname)
ins)) {
lock_basic_unlock(&ctx->cfglock);
fclose(in);
free(ins);
errno=ENOMEM;
return UB_NOMEM;
}
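Review bot: The removed `free(dup)`, `free(dupl)`, `free(a)` and `free(ins)` calls after a failed cfg_strlist_insert are only correct if cfg_strlist_insert now frees its string argument on failure; the changelog entry about freeing leaks in the strlist insert functions suggests that, but none of these call sites record the contract, and any caller elsewhere that still frees on failure has become a double free. I would state the ownership at the call sites, e.g. `/* cfg_strlist_insert takes ownership of dup, also on failure */`, and in the declaration of cfg_strlist_insert in util/config_file.h. A grep for remaining cfg_strlist_insert callers that free on failure would be worthwhile before release. The enclosing functions begin and end outside the hunks.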


@ -187,7 +187,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
if(!w->is_bg || w->is_bg_thread) {
lock_basic_unlock(&ctx->cfglock);
}
seed = 0;
explicit_bzero(&seed, sizeof(seed));
libworker_delete(w);
return NULL;
}
@ -207,7 +207,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
hash_set_raninit((uint32_t)ub_random(w->env->rnd));
}
}
seed = 0;
explicit_bzero(&seed, sizeof(seed));
if(eb)
w->base = comm_base_create_event(eb);


@ -172,7 +172,7 @@ respip_action_cfg(struct respip_set* set, const char* ipstr,
if(!(node=respip_find_or_create(set, ipstr, 1)))
return 0;
if(node->action != respip_none) {
log_warn("duplicate response-ip action for '%s', overridden.",
verbose(VERB_QUERY, "duplicate response-ip action for '%s', overridden.",
ipstr);
}
if(strcmp(actnstr, "deny") == 0)
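Review bot: Downgrading the duplicate response-ip action message from log_warn to verbose(VERB_QUERY) hides a conflict in a policy setting: the later action silently overrides the earlier one, and at default verbosity this is presumably no longer printed at all (confirm what level the default verbosity maps to). If duplicates are legitimate in some configurations, a comment should say so, e.g. `/* last action wins; duplicates are not a config error, so only log at query verbosity */`; otherwise keeping log_warn for real configs and squelching only the unit test seems preferable. respip_action_cfg begins and ends outside the hunk.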


@ -218,7 +218,7 @@ msg_add_rrset_an(struct auth_zone* z, struct regional* region,
{
log_assert(msg->rep->ns_numrrsets == 0);
log_assert(msg->rep->ar_numrrsets == 0);
if(!rrset)
if(!rrset || !node)
return 1;
if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
z->dclass))
@ -242,7 +242,7 @@ msg_add_rrset_ns(struct auth_zone* z, struct regional* region,
struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
{
log_assert(msg->rep->ar_numrrsets == 0);
if(!rrset)
if(!rrset || !node)
return 1;
if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
z->dclass))
@ -265,7 +265,7 @@ static int
msg_add_rrset_ar(struct auth_zone* z, struct regional* region,
struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
{
if(!rrset)
if(!rrset || !node)
return 1;
if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
z->dclass))
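Review bot: The new `if(!rrset || !node) return 1;` in all three msg_add_rrset_* helpers makes a missing node indistinguishable from an empty rrset for callers, since 1 is the success return; that is presumably intended (nothing to add is not an error) but is worth a comment so the NULL node is not later mistaken for an error path, e.g. `/* no node or no rrset: nothing to add, not a failure */`. The three functions begin and end outside the hunks.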


@ -1013,8 +1013,8 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
char client_ip[128];
addr_to_str((struct sockaddr_storage *)&repinfo->addr,
repinfo->addrlen, client_ip, sizeof(client_ip));
verbose(VERB_OPS, "ratelimit exceeded %s %d", client_ip,
infra_ip_ratelimit);
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d",
client_ip, infra_ip_ratelimit);
}
return (max <= infra_ip_ratelimit);
}


@ -365,6 +365,11 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl);
#endif
pend->c->ssl_shake_state = comm_ssl_shake_write;
if(w->tls_auth_name) {
#ifdef HAVE_SSL
(void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name);
#endif
}
#ifdef HAVE_SSL_SET1_HOST
if(w->tls_auth_name) {
SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
@ -374,6 +379,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
log_err("SSL_set1_host failed");
pend->c->fd = s;
SSL_free(pend->c->ssl);
pend->c->ssl = NULL;
comm_point_close(pend->c);
return 0;
}
@ -1261,6 +1268,13 @@ outnet_tcptimer(void* arg)
} else {
/* it was in use */
struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
if(pend->c->ssl) {
#ifdef HAVE_SSL
SSL_shutdown(pend->c->ssl);
SSL_free(pend->c->ssl);
pend->c->ssl = NULL;
#endif
}
comm_point_close(pend->c);
pend->query = NULL;
pend->next_free = outnet->tcp_free;
@ -1979,7 +1993,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
return 0;
}
if(rto >= RTT_MAX_TIMEOUT) {
fallback_tcp = 1;
/* fallback_tcp = 1; */
/* UDP does not work, fallback to TCP below */
} else {
serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);
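Review bot: `/* fallback_tcp = 1; */` in the `serviced_udp_callback` hunk leaves commented-out code next to a comment that still says "UDP does not work, fallback to TCP below", so a reader cannot tell whether repeated UDP timeouts still trigger the TCP fallback. If the fallback on `RTT_MAX_TIMEOUT` was deliberately disabled, delete the dead assignment and reword the comment, e.g. `/* UDP keeps timing out; TCP fallback is not triggered here */`; if it was not, restore the assignment. Whether `fallback_tcp` is still used later in the function is not visible, as the body continues outside the hunk.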


@ -130,7 +130,7 @@ struct sldns_buffer
/** If the buffer is fixed it cannot be resized */
unsigned _fixed : 1;
/** If the buffer is vfixed, no more than capacity bytes willl be
/** If the buffer is vfixed, no more than capacity bytes will be
* written to _data, however the _position counter will be updated
* with the amount that would have been written in consecutive
* writes. This allows for a modus operandi in which a sequence is
@ -160,7 +160,7 @@ sldns_buffer_invariant(sldns_buffer *buffer)
assert(buffer != NULL);
assert(buffer->_position <= buffer->_limit || buffer->_vfixed);
assert(buffer->_limit <= buffer->_capacity);
assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0));
assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0 && buffer->_limit == 0));
}
#endif


@ -1090,11 +1090,14 @@ read_http_result(SSL* ssl)
}
if(!data) return NULL;
if(verb >= 4) print_data("read data", data, (int)len);
m = BIO_new_mem_buf(data, (int)len);
m = BIO_new(BIO_s_mem());
if(!m) {
if(verb) printf("out of memory\n");
free(data);
exit(0);
}
BIO_write(m, data, (int)len);
free(data);
return m;
}
@ -1161,17 +1164,6 @@ https(struct ip_list* ip_list, const char* pathname, const char* urlname)
return bio;
}
/** free up a downloaded file BIO */
static void
free_file_bio(BIO* bio)
{
char* pp = NULL;
(void)BIO_reset(bio);
(void)BIO_get_mem_data(bio, &pp);
free(pp);
BIO_free(bio);
}
/** XML parse private data during the parse */
struct xml_data {
/** the parser, reference */
@ -1596,7 +1588,7 @@ xml_parse(BIO* xml, time_t now)
xml_parse_setup(parser, &data, now);
/* parse it */
(void)BIO_reset(xml);
(void)BIO_seek(xml, 0);
len = (int)BIO_get_mem_data(xml, &pp);
if(!len || !pp) {
if(verb) printf("out of memory\n");
@ -1770,8 +1762,8 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer)
X509_VERIFY_PARAM_free(param);
#endif
(void)BIO_reset(p7s);
(void)BIO_reset(data);
(void)BIO_seek(p7s, 0);
(void)BIO_seek(data, 0);
/* convert p7s to p7 (the signature) */
p7 = d2i_PKCS7_bio(p7s, NULL);
@ -1949,8 +1941,8 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
if(verb) printf("success: the anchor has been updated "
"using the cert\n");
free_file_bio(xml);
free_file_bio(p7s);
BIO_free(xml);
BIO_free(p7s);
#ifndef S_SPLINT_S
sk_X509_pop_free(cert, X509_free);
#endif
@ -2342,7 +2334,7 @@ int main(int argc, char* argv[])
}
}
argc -= optind;
argv += optind;
/* argv += optind; not using further arguments */
if(argc != 0)
usage();
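Review bot: The return value of `BIO_write(m, data, (int)len)` in the `read_http_result` hunk is not checked, so a failed or short write would hand the caller a memory BIO holding truncated data that is then parsed as the downloaded file. The out-of-memory branch just above already frees `data` and exits; the write should be held to the same standard by comparing the result with `(int)len` and releasing `m` and `data` on mismatch. `read_http_result` starts outside the hunk.
```c
m = BIO_new(BIO_s_mem());
/* … unchanged: out-of-memory check … */
if(BIO_write(m, data, (int)len) != (int)len) {
	if(verb) printf("could not copy data into BIO\n");
	BIO_free(m);
	free(data);
	exit(0);
}
free(data);
return m;
```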


@ -73,6 +73,10 @@
#include <sys/un.h>
#endif
static void usage(void) ATTR_NORETURN;
static void ssl_err(const char* s) ATTR_NORETURN;
static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN;
/** Give unbound-control usage, and exit (1). */
static void
usage(void)


@ -841,6 +841,7 @@ config_get_option(struct config_file* cfg, const char* opt,
{
char buf[1024], nopt[64];
size_t len = sizeof(buf);
if(!opt) return 0;
if(opt && opt[strlen(opt)-1] == ':' && strlen(opt)<sizeof(nopt)) {
memmove(nopt, opt, strlen(opt));
nopt[strlen(opt)-1] = 0;
@ -1526,11 +1527,15 @@ int ub_c_wrap(void)
int cfg_strlist_append(struct config_strlist_head* list, char* item)
{
struct config_strlist *s;
if(!item || !list)
if(!item || !list) {
free(item);
return 0;
}
s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist));
if(!s)
if(!s) {
free(item);
return 0;
}
s->str = item;
s->next = NULL;
if(list->last)
@ -1578,11 +1583,15 @@ int
cfg_strlist_insert(struct config_strlist** head, char* item)
{
struct config_strlist *s;
if(!item || !head)
if(!item || !head) {
free(item);
return 0;
}
s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist));
if(!s)
if(!s) {
free(item);
return 0;
}
s->str = item;
s->next = *head;
*head = s;
@ -1593,11 +1602,17 @@ int
cfg_str2list_insert(struct config_str2list** head, char* item, char* i2)
{
struct config_str2list *s;
if(!item || !i2 || !head)
if(!item || !i2 || !head) {
free(item);
free(i2);
return 0;
}
s = (struct config_str2list*)calloc(1, sizeof(struct config_str2list));
if(!s)
if(!s) {
free(item);
free(i2);
return 0;
}
s->str = item;
s->str2 = i2;
s->next = *head;
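Review bot: The new `if(!opt) return 0;` in `config_get_option` does not cover an empty string: `opt[strlen(opt)-1]` on the following line indexes with `(size_t)0 - 1` and reads before the buffer. Extending the guard to `if(!opt || !*opt) return 0;` closes that, and the now-redundant `opt &&` in the next condition can be dropped. `config_get_option` continues outside the hunk.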


@ -792,6 +792,7 @@ char* config_collate_cat(struct config_strlist* list);
* @param list: list head. zeroed at start.
* @param item: new item. malloced by caller. if NULL the insertion fails.
* @return true on success.
* on fail the item is free()ed.
*/
int cfg_strlist_append(struct config_strlist_head* list, char* item);
@ -809,6 +810,7 @@ struct config_strlist* cfg_strlist_find(struct config_strlist* head,
* @param head: pointer to strlist head variable.
* @param item: new item. malloced by caller. If NULL the insertion fails.
* @return: true on success.
* on fail, the item is free()d.
*/
int cfg_strlist_insert(struct config_strlist** head, char* item);
@ -822,6 +824,7 @@ int cfg_region_strlist_insert(struct regional* region,
* @param item: new item. malloced by caller. If NULL the insertion fails.
* @param i2: 2nd string, malloced by caller. If NULL the insertion fails.
* @return: true on success.
* on fail, the item and i2 are free()d.
*/
int cfg_str2list_insert(struct config_str2list** head, char* item, char* i2);


@ -647,8 +647,6 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
sldns_buffer_clear(buffer);
if(udpsize < sldns_buffer_limit(buffer))
sldns_buffer_set_limit(buffer, udpsize);
else if(sldns_buffer_limit(buffer) < udpsize)
udpsize = sldns_buffer_limit(buffer);
if(sldns_buffer_remaining(buffer) < LDNS_HEADER_SIZE)
return 0;


@ -441,10 +441,14 @@ parse_create_msg(sldns_buffer* pkt, struct msg_parse* msg,
return 0;
if(!parse_create_repinfo(msg, rep, region))
return 0;
if(!reply_info_alloc_rrset_keys(*rep, alloc, region))
if(!reply_info_alloc_rrset_keys(*rep, alloc, region)) {
if(!region) reply_info_parsedelete(*rep, alloc);
return 0;
if(!parse_copy_decompress(pkt, msg, *rep, region))
}
if(!parse_copy_decompress(pkt, msg, *rep, region)) {
if(!region) reply_info_parsedelete(*rep, alloc);
return 0;
}
return 1;
}
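Review bot: Both new failure branches in `parse_create_msg` call `reply_info_parsedelete(*rep, alloc)` but leave `*rep` pointing at the freed reply, so a caller that looks at `*rep` after a 0 return holds a dangling pointer. Clearing it after the delete removes that hazard: `if(!region) { reply_info_parsedelete(*rep, alloc); *rep = NULL; }` in each branch. Whether any caller inspects `*rep` on failure is not visible from the hunk.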


@ -4860,6 +4860,7 @@
8800,
8804,
8805,
8807,
8808,
8873,
8880,


@ -174,7 +174,7 @@ void log_buf(enum verbosity_value level, const char* msg, struct sldns_buffer* b
* Pass printf formatted arguments. No trailing newline is needed.
* @param format: printf-style format string. Arguments follow.
*/
void fatal_exit(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
void fatal_exit(const char* format, ...) ATTR_FORMAT(printf, 1, 2) ATTR_NORETURN;
/**
* va_list argument version of log_info.


@ -718,6 +718,7 @@ packed_rrset_heap_data(int iter(struct autr_ta**, uint8_t**, size_t*,
list_i = list;
i = 0;
while(iter(&list_i, &rr, &rr_len, &dname_len)) {
log_assert(data->rr_data[i]);
memmove(data->rr_data[i],
sldns_wirerr_get_rdatawl(rr, rr_len, dname_len),
data->rr_len[i]);
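Review bot: The added `log_assert(data->rr_data[i]);` only documents the expectation; if `log_assert` compiles to nothing outside debug builds (as its name suggests, not visible here), the `memmove` into `data->rr_data[i]` still runs on a NULL destination in production. If a NULL entry is reachable, a runtime check that skips or fails the copy is needed; if it is not reachable, a comment stating why (e.g. `/* rr_data[i] was allocated by the sizing pass above */`) would be more useful than the assert. The enclosing function starts outside the hunk.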


@ -520,6 +520,10 @@ nsec3_hash_cmp(const void* c1, const void* c2)
}
(void)nsec3_get_salt(h1->nsec3, h1->rr, &s1, &s1len);
(void)nsec3_get_salt(h2->nsec3, h2->rr, &s2, &s2len);
if(s1len == 0 && s2len == 0)
return 0;
if(!s1) return -1;
if(!s2) return 1;
if(s1len != s2len) {
if(s1len < s2len)
return -1;
@ -736,7 +740,7 @@ find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt,
size_t i_rs;
int i_rr;
struct ub_packed_rrset_key* s;
struct nsec3_cached_hash* hash;
struct nsec3_cached_hash* hash = NULL;
int r;
/* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */
@ -748,7 +752,7 @@ find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt,
if(r == 0) {
log_err("nsec3: malloc failure");
break; /* alloc failure */
} else if(r < 0)
} else if(r != 1)
continue; /* malformed NSEC3 */
else if(nsec3_hash_matches_owner(flt, hash, s)) {
*rrset = s; /* rrset with this name */
@ -829,7 +833,7 @@ find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt,
size_t i_rs;
int i_rr;
struct ub_packed_rrset_key* s;
struct nsec3_cached_hash* hash;
struct nsec3_cached_hash* hash = NULL;
int r;
/* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */
@ -841,7 +845,7 @@ find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt,
if(r == 0) {
log_err("nsec3: malloc failure");
break; /* alloc failure */
} else if(r < 0)
} else if(r != 1)
continue; /* malformed NSEC3 */
else if(nsec3_covers(flt->zone, hash, s, i_rr,
env->scratch_buffer)) {
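Review bot: `nsec3_hash_cmp` is not antisymmetric after the new guards: when both salts are NULL but with different non-zero lengths, `if(!s1) return -1;` fires for either argument order. Whether `nsec3_get_salt` can report a NULL pointer together with a non-zero length is not visible in the hunk; if it can, test `s1len != s2len` before the NULL checks, and if it cannot, a short comment at the guards saying so would keep the comparator's contract clear. The `hash = NULL` initialisations and the `r != 1` tests in the other two hunks look correct. The function body continues outside the hunk.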


@ -77,6 +77,22 @@ int fake_dsa = 0;
/** fake SHA1 support for unit tests */
int fake_sha1 = 0;
/**
* Output a libcrypto openssl error to the logfile.
* @param str: string to add to it.
* @param e: the error to output, error number from ERR_get_error().
*/
static void
log_crypto_error(const char* str, unsigned long e)
{
char buf[128];
/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
ERR_error_string_n(e, buf, sizeof(buf));
/* buf now contains */
/* error:[error code]:[library name]:[function name]:[reason string] */
log_err("%s crypto %s", str, buf);
}
/* return size of digest if supported, or 0 otherwise */
size_t
nsec3_hash_algo_size_supported(int id)
@ -96,7 +112,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
{
switch(algo) {
case NSEC3_HASH_SHA1:
#ifdef OPENSSL_FIPS
if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
log_crypto_error("could not digest with EVP_sha1",
ERR_get_error());
#else
(void)SHA1(buf, len, res);
#endif
return 1;
default:
return 0;
@ -106,7 +128,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
void
secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
{
#ifdef OPENSSL_FIPS
if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
log_crypto_error("could not digest with EVP_sha256",
ERR_get_error());
#else
(void)SHA256(buf, len, res);
#endif
}
/**
@ -165,12 +193,24 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
switch(algo) {
#if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
case LDNS_SHA1:
#ifdef OPENSSL_FIPS
if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
log_crypto_error("could not digest with EVP_sha1",
ERR_get_error());
#else
(void)SHA1(buf, len, res);
#endif
return 1;
#endif
#ifdef HAVE_EVP_SHA256
case LDNS_SHA256:
#ifdef OPENSSL_FIPS
if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
log_crypto_error("could not digest with EVP_sha256",
ERR_get_error());
#else
(void)SHA256(buf, len, res);
#endif
return 1;
#endif
#ifdef USE_GOST
@ -181,7 +221,13 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
#endif
#ifdef USE_ECDSA
case LDNS_SHA384:
#ifdef OPENSSL_FIPS
if(!sldns_digest_evp(buf, len, res, EVP_sha384()))
log_crypto_error("could not digest with EVP_sha384",
ERR_get_error());
#else
(void)SHA384(buf, len, res);
#endif
return 1;
#endif
default:
@ -248,22 +294,6 @@ dnskey_algo_id_is_supported(int id)
}
}
/**
* Output a libcrypto openssl error to the logfile.
* @param str: string to add to it.
* @param e: the error to output, error number from ERR_get_error().
*/
static void
log_crypto_error(const char* str, unsigned long e)
{
char buf[128];
/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
ERR_error_string_n(e, buf, sizeof(buf));
/* buf now contains */
/* error:[error code]:[library name]:[function name]:[reason string] */
log_err("%s crypto %s", str, buf);
}
#ifdef USE_DSA
/**
* Setup DSA key digest in DER encoding ...