diff --git a/contrib/unbound/config.h b/contrib/unbound/config.h index ec3968c5d51a..73c64a0a5de3 100644 --- a/contrib/unbound/config.h +++ b/contrib/unbound/config.h @@ -1,6 +1,12 @@ /* config.h. Generated from config.h.in by configure. */ /* config.h.in. Generated from configure.ac by autoheader. */ +/* apply the noreturn attribute to a function that exits the program */ +#define ATTR_NORETURN __attribute__((__noreturn__)) + +/* apply the weak attribute to a symbol */ +#define ATTR_WEAK __attribute__((weak)) + /* Directory to chroot to */ #define CHROOT_DIR "/var/unbound" @@ -46,6 +52,9 @@ /* Whether the C compiler accepts the "format" attribute */ #define HAVE_ATTR_FORMAT 1 +/* Whether the C compiler accepts the "noreturn" attribute */ +#define HAVE_ATTR_NORETURN 1 + /* Whether the C compiler accepts the "unused" attribute */ #define HAVE_ATTR_UNUSED 1 @@ -59,7 +68,7 @@ #define HAVE_CHROOT 1 /* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */ -#define HAVE_CRYPTO_CLEANUP_ALL_EX_DATA 1 +/* #undef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA */ /* Define to 1 if you have the `ctime_r' function. */ #define HAVE_CTIME_R 1 @@ -85,11 +94,11 @@ /* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you don't. */ -#define HAVE_DECL_NID_ED25519 0 +#define HAVE_DECL_NID_ED25519 1 /* Define to 1 if you have the declaration of `NID_ED448', and to 0 if you don't. */ -#define HAVE_DECL_NID_ED448 0 +#define HAVE_DECL_NID_ED448 1 /* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you don't. */ @@ -135,7 +144,7 @@ #define HAVE_DLFCN_H 1 /* Define to 1 if you have the `DSA_SIG_set0' function. */ -/* #undef HAVE_DSA_SIG_SET0 */ +#define HAVE_DSA_SIG_SET0 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_ENDIAN_H */ 
@@ -150,10 +159,10 @@ #define HAVE_ENDSERVENT 1 /* Define to 1 if you have the `ERR_free_strings' function. */ -#define HAVE_ERR_FREE_STRINGS 1 +/* #undef HAVE_ERR_FREE_STRINGS */ /* Define to 1 if you have the `ERR_load_crypto_strings' function. */ -#define HAVE_ERR_LOAD_CRYPTO_STRINGS 1 +/* #undef HAVE_ERR_LOAD_CRYPTO_STRINGS */ /* Define to 1 if you have the `event_base_free' function. */ /* #undef HAVE_EVENT_BASE_FREE */ @@ -171,16 +180,16 @@ /* #undef HAVE_EVENT_H */ /* Define to 1 if you have the `EVP_cleanup' function. */ -#define HAVE_EVP_CLEANUP 1 +/* #undef HAVE_EVP_CLEANUP */ /* Define to 1 if you have the `EVP_DigestVerify' function. */ -/* #undef HAVE_EVP_DIGESTVERIFY */ +#define HAVE_EVP_DIGESTVERIFY 1 /* Define to 1 if you have the `EVP_dss1' function. */ -#define HAVE_EVP_DSS1 1 +/* #undef HAVE_EVP_DSS1 */ /* Define to 1 if you have the `EVP_MD_CTX_new' function. */ -/* #undef HAVE_EVP_MD_CTX_NEW */ +#define HAVE_EVP_MD_CTX_NEW 1 /* Define to 1 if you have the `EVP_sha1' function. */ #define HAVE_EVP_SHA1 1 @@ -200,6 +209,9 @@ /* Define to 1 if you have the header file. */ #define HAVE_EXPAT_H 1 +/* Define to 1 if you have the `explicit_bzero' function. */ +#define HAVE_EXPLICIT_BZERO 1 + /* Define to 1 if you have the `fcntl' function. */ #define HAVE_FCNTL 1 @@ -321,7 +333,7 @@ /* #undef HAVE_NSS */ /* Define to 1 if you have the `OpenSSL_add_all_digests' function. */ -#define HAVE_OPENSSL_ADD_ALL_DIGESTS 1 +/* #undef HAVE_OPENSSL_ADD_ALL_DIGESTS */ /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_BN_H 1 @@ -345,10 +357,10 @@ #define HAVE_OPENSSL_ERR_H 1 /* Define to 1 if you have the `OPENSSL_init_crypto' function. */ -/* #undef HAVE_OPENSSL_INIT_CRYPTO */ +#define HAVE_OPENSSL_INIT_CRYPTO 1 /* Define to 1 if you have the `OPENSSL_init_ssl' function. */ -/* #undef HAVE_OPENSSL_INIT_SSL */ +#define HAVE_OPENSSL_INIT_SSL 1 /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_RAND_H 1 
@@ -381,7 +393,7 @@ #define HAVE_RANDOM 1 /* Define to 1 if you have the `RAND_cleanup' function. */ -#define HAVE_RAND_CLEANUP 1 +/* #undef HAVE_RAND_CLEANUP */ /* Define to 1 if you have the `reallocarray' function. */ #define HAVE_REALLOCARRAY 1 @@ -441,13 +453,13 @@ #define HAVE_SSL /**/ /* Define to 1 if you have the `SSL_CTX_set_security_level' function. */ -/* #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL */ +#define HAVE_SSL_CTX_SET_SECURITY_LEVEL 1 /* Define to 1 if you have the `SSL_get0_peername' function. */ -/* #undef HAVE_SSL_GET0_PEERNAME */ +#define HAVE_SSL_GET0_PEERNAME 1 /* Define to 1 if you have the `SSL_set1_host' function. */ -/* #undef HAVE_SSL_SET1_HOST */ +#define HAVE_SSL_SET1_HOST 1 /* Define to 1 if you have the header file. */ #define HAVE_STDARG_H 1 @@ -631,7 +643,7 @@ #define PACKAGE_NAME "unbound" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "unbound 1.8.0" +#define PACKAGE_STRING "unbound 1.8.1" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "unbound" @@ -640,7 +652,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.8.0" +#define PACKAGE_VERSION "1.8.1" /* default pidfile location */ #define PIDFILE "/var/unbound/unbound.pid" @@ -659,7 +671,7 @@ #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem" /* version number for resource files */ -#define RSRC_PACKAGE_VERSION 1,8,0,0 +#define RSRC_PACKAGE_VERSION 1,8,1,0 /* Directory to chdir to */ #define RUN_DIR "/var/unbound" @@ -722,13 +734,13 @@ /* #undef USE_ECDSA_EVP_WORKAROUND */ /* Define this to enable ED25519 support. */ -/* #undef USE_ED25519 */ +#define USE_ED25519 1 /* Define this to enable ED448 support. */ -/* #undef USE_ED448 */ +#define USE_ED448 1 /* Define this to enable GOST support. */ -#define USE_GOST 1 +/* #undef USE_GOST */ /* Define to 1 to use ipsecmod support. */ /* #undef USE_IPSECMOD */ 
@@ -1145,6 +1157,11 @@ char *strsep(char **stringp, const char *delim); int isblank(int c); #endif +#ifndef HAVE_EXPLICIT_BZERO +#define explicit_bzero unbound_explicit_bzero +void explicit_bzero(void* buf, size_t len); +#endif + #if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP const char *inet_ntop(int af, const void *src, char *dst, size_t size); #endif @@ -1177,7 +1194,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size); # endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM -void explicit_bzero(void* buf, size_t len); int getentropy(void* buf, size_t len); uint32_t arc4random(void); void arc4random_buf(void* buf, size_t n); diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in index 04356f334edf..7ffb3c989b10 100644 --- a/contrib/unbound/config.h.in +++ b/contrib/unbound/config.h.in @@ -1,5 +1,11 @@ /* config.h.in. Generated from configure.ac by autoheader. */ +/* apply the noreturn attribute to a function that exits the program */ +#undef ATTR_NORETURN + +/* apply the weak attribute to a symbol */ +#undef ATTR_WEAK + /* Directory to chroot to */ #undef CHROOT_DIR @@ -45,6 +51,9 @@ /* Whether the C compiler accepts the "format" attribute */ #undef HAVE_ATTR_FORMAT +/* Whether the C compiler accepts the "noreturn" attribute */ +#undef HAVE_ATTR_NORETURN + /* Whether the C compiler accepts the "unused" attribute */ #undef HAVE_ATTR_UNUSED @@ -199,6 +208,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_EXPAT_H +/* Define to 1 if you have the `explicit_bzero' function. */ +#undef HAVE_EXPLICIT_BZERO + /* Define to 1 if you have the `fcntl' function. */ #undef HAVE_FCNTL 
@@ -1144,6 +1156,11 @@ char *strsep(char **stringp, const char *delim); int isblank(int c); #endif +#ifndef HAVE_EXPLICIT_BZERO +#define explicit_bzero unbound_explicit_bzero +void explicit_bzero(void* buf, size_t len); +#endif + #if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP const char *inet_ntop(int af, const void *src, char *dst, size_t size); #endif @@ -1176,7 +1193,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size); # endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM -void explicit_bzero(void* buf, size_t len); int getentropy(void* buf, size_t len); uint32_t arc4random(void); void arc4random_buf(void* buf, size_t n); diff --git a/contrib/unbound/configure b/contrib/unbound/configure index d2bdbef84e7a..4f134fca0bcf 100755 --- a/contrib/unbound/configure +++ b/contrib/unbound/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.8.0. +# Generated by GNU Autoconf 2.69 for unbound 1.8.1. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.8.0' -PACKAGE_STRING='unbound 1.8.0' +PACKAGE_VERSION='1.8.1' +PACKAGE_STRING='unbound 1.8.1' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' PACKAGE_URL='' @@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.8.0 to adapt to many kinds of systems. +\`configure' configures unbound 1.8.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1505,7 +1505,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.8.0:";; + short | recursive ) echo "Configuration of unbound 1.8.1:";; esac cat <<\_ACEOF 
@@ -1722,7 +1722,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.8.0 +unbound configure 1.8.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.8.0, which was +It was created by unbound $as_me 1.8.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=8 -UNBOUND_VERSION_MICRO=0 +UNBOUND_VERSION_MICRO=1 LIBUNBOUND_CURRENT=8 -LIBUNBOUND_REVISION=0 +LIBUNBOUND_REVISION=1 LIBUNBOUND_AGE=0 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2850,7 +2850,8 @@ LIBUNBOUND_AGE=0 # 1.7.1 had 7:9:5 # 1.7.2 had 7:10:5 # 1.7.3 had 7:11:5 -# 1.7.4 had 8:0:0 # changes the event callback function signature +# 1.8.0 had 8:0:0 # changes the event callback function signature +# 1.8.1 had 8:1:0 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary 
@@ -6265,6 +6266,54 @@ if test $ac_cv_c_weak_attribute = yes; then $as_echo "#define HAVE_ATTR_WEAK 1" >>confdefs.h + +$as_echo "#define ATTR_WEAK __attribute__((weak))" >>confdefs.h + +fi + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler (${CC-cc}) accepts the \"noreturn\" attribute" >&5 +$as_echo_n "checking whether the C compiler (${CC-cc}) accepts the \"noreturn\" attribute... " >&6; } +if ${ac_cv_c_noreturn_attribute+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_c_noreturn_attribute=no +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +__attribute__((noreturn)) void f(int x) { printf("%d", x); } + +int +main () +{ + + f(1); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_noreturn_attribute="yes" +else + ac_cv_c_noreturn_attribute="no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_noreturn_attribute" >&5 +$as_echo "$ac_cv_c_noreturn_attribute" >&6; } +if test $ac_cv_c_noreturn_attribute = yes; then + +$as_echo "#define HAVE_ATTR_NORETURN 1" >>confdefs.h + + +$as_echo "#define ATTR_NORETURN __attribute__((__noreturn__))" >>confdefs.h + fi @@ -20033,6 +20082,20 @@ esac fi +ac_fn_c_check_func "$LINENO" "explicit_bzero" "ac_cv_func_explicit_bzero" +if test "x$ac_cv_func_explicit_bzero" = xyes; then : + $as_echo "#define HAVE_EXPLICIT_BZERO 1" >>confdefs.h + +else + case " $LIBOBJS " in + *" explicit_bzero.$ac_objext "* ) ;; + *) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext" + ;; +esac + +fi + + LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS" ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray" 
@@ -20079,12 +20142,6 @@ fi if test "$ac_cv_func_arc4random" = "no"; then - case " $LIBOBJS " in - *" explicit_bzero.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext" - ;; -esac - case " $LIBOBJS " in *" arc4_lock.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS arc4_lock.$ac_objext" @@ -21077,7 +21134,7 @@ _ACEOF -version=1.8.0 +version=1.8.1 date=`date +'%b %e, %Y'` @@ -21596,7 +21653,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.8.0, which was +This file was extended by unbound $as_me 1.8.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21662,7 +21719,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.8.0 +unbound config.status 1.8.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac index ca98b5459917..772a1417a987 100644 --- a/contrib/unbound/configure.ac +++ b/contrib/unbound/configure.ac @@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[8]) -m4_define([VERSION_MICRO],[0]) +m4_define([VERSION_MICRO],[1]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=8 -LIBUNBOUND_REVISION=0 +LIBUNBOUND_REVISION=1 LIBUNBOUND_AGE=0 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 
@@ -81,7 +81,8 @@ LIBUNBOUND_AGE=0 # 1.7.1 had 7:9:5 # 1.7.2 had 7:10:5 # 1.7.3 had 7:11:5 -# 1.7.4 had 8:0:0 # changes the event callback function signature +# 1.8.0 had 8:0:0 # changes the event callback function signature +# 1.8.1 had 8:1:0 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -310,11 +311,36 @@ __attribute__((weak)) void f(int x) { printf("%d", x); } AC_MSG_RESULT($ac_cv_c_weak_attribute) if test $ac_cv_c_weak_attribute = yes; then AC_DEFINE(HAVE_ATTR_WEAK, 1, [Whether the C compiler accepts the "weak" attribute]) + AC_DEFINE(ATTR_WEAK, [__attribute__((weak))], [apply the weak attribute to a symbol]) fi ])dnl End of CHECK_WEAK_ATTRIBUTE CHECK_WEAK_ATTRIBUTE +AC_DEFUN([CHECK_NORETURN_ATTRIBUTE], +[AC_REQUIRE([AC_PROG_CC]) +AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "noreturn" attribute) +AC_CACHE_VAL(ac_cv_c_noreturn_attribute, +[ac_cv_c_noreturn_attribute=no +AC_TRY_COMPILE( +[ #include +__attribute__((noreturn)) void f(int x) { printf("%d", x); } +], [ + f(1); +], +[ac_cv_c_noreturn_attribute="yes"], +[ac_cv_c_noreturn_attribute="no"]) +]) + +AC_MSG_RESULT($ac_cv_c_noreturn_attribute) +if test $ac_cv_c_noreturn_attribute = yes; then + AC_DEFINE(HAVE_ATTR_NORETURN, 1, [Whether the C compiler accepts the "noreturn" attribute]) + AC_DEFINE(ATTR_NORETURN, [__attribute__((__noreturn__))], [apply the noreturn attribute to a function that exits the program]) +fi +])dnl End of CHECK_NORETURN_ATTRIBUTE + +CHECK_NORETURN_ATTRIBUTE + if test "$srcdir" != "."; then CPPFLAGS="$CPPFLAGS -I$srcdir" fi @@ -1396,6 +1422,7 @@ AC_REPLACE_FUNCS(strlcpy) AC_REPLACE_FUNCS(memmove) AC_REPLACE_FUNCS(gmtime_r) AC_REPLACE_FUNCS(isblank) +AC_REPLACE_FUNCS(explicit_bzero) dnl without CTIME, ARC4-functions and without reallocarray. LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS" AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4) 
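Review bot: In the new CHECK_NORETURN_ATTRIBUTE macro, ATTR_NORETURN is defined only when the probe succeeds and this hunk shows no empty fallback, so unless one exists elsewhere in configure.ac a prototype that carries ATTR_NORETURN will not compile with a compiler that rejects the attribute. An else branch with `AC_DEFINE(ATTR_NORETURN, [], [apply the noreturn attribute to a function that exits the program])` would keep the macro usable everywhere; the ATTR_WEAK define added at the top of the same hunk has the same shape. The probe body `void f(int x) { printf("%d", x); }` also returns from a function it declares noreturn, which compilers diagnose, so a build whose CFLAGS promote warnings to errors would presumably answer "no" for a compiler that does support the attribute; ending f in a call that never returns would avoid that. The generated copy of this check in configure carries the same probe.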
@@ -1404,7 +1431,6 @@ if test "$USE_NSS" = "no"; then AC_REPLACE_FUNCS(arc4random) AC_REPLACE_FUNCS(arc4random_uniform) if test "$ac_cv_func_arc4random" = "no"; then - AC_LIBOBJ(explicit_bzero) AC_LIBOBJ(arc4_lock) AC_CHECK_FUNCS([getentropy],,[ if test "$USE_WINSOCK" = 1; then @@ -1729,6 +1755,11 @@ char *strsep(char **stringp, const char *delim); int isblank(int c); #endif +#ifndef HAVE_EXPLICIT_BZERO +#define explicit_bzero unbound_explicit_bzero +void explicit_bzero(void* buf, size_t len); +#endif + #if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP const char *inet_ntop(int af, const void *src, char *dst, size_t size); #endif @@ -1761,7 +1792,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size); # endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM -void explicit_bzero(void* buf, size_t len); int getentropy(void* buf, size_t len); uint32_t arc4random(void); void arc4random_buf(void* buf, size_t n); diff --git a/contrib/unbound/contrib/fastrpz.patch b/contrib/unbound/contrib/fastrpz.patch index b80eeb2bb927..590f843d9fa5 100644 --- a/contrib/unbound/contrib/fastrpz.patch +++ b/contrib/unbound/contrib/fastrpz.patch @@ -1,15 +1,11 @@ Description: based on the included patch contrib/fastrpz.patch Author: fastrpz@farsightsecurity.com --- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: unboundfastrpz/Makefile.in =================================================================== -RCS file: ./RCS/Makefile.in,v -retrieving revision 1.1 -Index: unbound-1.7.0~rc1/Makefile.in -=================================================================== ---- unbound-1.7.0~rc1.orig/Makefile.in -+++ unbound-1.7.0~rc1/Makefile.in -@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c +--- unboundfastrpz/Makefile.in (revision 4923) ++++ unboundfastrpz/Makefile.in (working copy) +@@ -23,6 +23,8 @@ CHECKLOCK_OBJ=@CHECKLOCK_OBJ@ DNSTAP_SRC=@DNSTAP_SRC@ DNSTAP_OBJ=@DNSTAP_OBJ@ 
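Review bot: The `#ifndef HAVE_EXPLICIT_BZERO` block added to the config.h template at -1729/+1755 has no comment saying why the fallback is built under a private name or what it must guarantee. explicit_bzero is the call used to wipe sensitive buffers, and after this change the replacement object is built whenever libc lacks the function rather than only when arc4random is missing, so its resistance to dead-store elimination matters on more platforms; that source file is not part of this diff and cannot be confirmed from here. I would put above the define `/* fallback for a libc without explicit_bzero, built under a private name; the implementation must not be optimised away */`. The identical blocks in config.h and config.h.in are generated from this one and need no separate edit.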
@@ -18,7 +14,7 @@ Index: unbound-1.7.0~rc1/Makefile.in DNSCRYPT_SRC=@DNSCRYPT_SRC@ DNSCRYPT_OBJ=@DNSCRYPT_OBJ@ WITH_PYTHONMODULE=@WITH_PYTHONMODULE@ -@@ -125,7 +127,7 @@ validator/val_sigcrypt.c validator/val_u +@@ -126,7 +128,7 @@ edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \ edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \ cachedb/cachedb.c cachedb/redis.c respip/respip.c $(CHECKLOCK_SRC) \ @@ -27,16 +23,16 @@ Index: unbound-1.7.0~rc1/Makefile.in COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \ -@@ -137,7 +139,7 @@ slabhash.lo timehist.lo tube.lo winsock_ +@@ -139,7 +141,7 @@ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \ - val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\ + val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo authzone.lo \ $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \ -$(IPSECMOD_OBJ) respip.lo +$(FASTRPZ_OBJ) $(IPSECMOD_OBJ) respip.lo COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \ outside_network.lo COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo -@@ -400,6 +402,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscry +@@ -405,6 +407,11 @@ $(srcdir)/util/config_file.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h 
@@ -48,11 +44,11 @@ Index: unbound-1.7.0~rc1/Makefile.in # Python Module pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \ pythonmod/interface.h \ -Index: unbound-1.7.0~rc1/config.h.in +Index: unboundfastrpz/config.h.in =================================================================== ---- unbound-1.7.0~rc1.orig/config.h.in -+++ unbound-1.7.0~rc1/config.h.in -@@ -1228,4 +1228,11 @@ void *unbound_stat_realloc_log(void *ptr +--- unboundfastrpz/config.h.in (revision 4923) ++++ unboundfastrpz/config.h.in (working copy) +@@ -1272,4 +1272,11 @@ /** the version of unbound-control that this software implements */ #define UNBOUND_CONTROL_VERSION 1 @@ -65,11 +61,11 @@ Index: unbound-1.7.0~rc1/config.h.in +#undef FASTRPZ_LIB_OPEN +/** turn on fastrpz response policy zones */ +#undef ENABLE_FASTRPZ -Index: unbound-1.7.0~rc1/configure.ac +Index: unboundfastrpz/configure.ac =================================================================== ---- unbound-1.7.0~rc1.orig/configure.ac -+++ unbound-1.7.0~rc1/configure.ac -@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4) +--- unboundfastrpz/configure.ac (revision 4923) ++++ unboundfastrpz/configure.ac (working copy) +@@ -6,6 +6,7 @@ sinclude(acx_python.m4) sinclude(ac_pkg_swig.m4) sinclude(dnstap/dnstap.m4) @@ -77,7 +73,7 @@ Index: unbound-1.7.0~rc1/configure.ac sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing -@@ -1453,6 +1454,9 @@ case "$enable_ipsecmod" in +@@ -1565,6 +1566,9 @@ ;; esac 
@@ -87,11 +83,11 @@ Index: unbound-1.7.0~rc1/configure.ac AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) # on openBSD, the implicit rule make $< work. # on Solaris, it does not work ($? is changed sources, $^ lists dependencies). -Index: unbound-1.7.0~rc1/daemon/daemon.c +Index: unboundfastrpz/daemon/daemon.c =================================================================== ---- unbound-1.7.0~rc1.orig/daemon/daemon.c -+++ unbound-1.7.0~rc1/daemon/daemon.c -@@ -90,6 +90,9 @@ +--- unboundfastrpz/daemon/daemon.c (revision 4923) ++++ unboundfastrpz/daemon/daemon.c (working copy) +@@ -91,6 +91,9 @@ #include "sldns/keyraw.h" #include "respip/respip.h" #include @@ -101,7 +97,7 @@ Index: unbound-1.7.0~rc1/daemon/daemon.c #ifdef HAVE_SYSTEMD #include -@@ -461,6 +464,14 @@ daemon_create_workers(struct daemon* dae +@@ -462,6 +465,14 @@ fatal_exit("dnstap enabled in config but not built with dnstap support"); #endif } @@ -116,9 +112,9 @@ Index: unbound-1.7.0~rc1/daemon/daemon.c for(i=0; inum; i++) { if(!(daemon->workers[i] = worker_create(daemon, i, shufport+numport*i/daemon->num, -@@ -710,6 +721,9 @@ daemon_cleanup(struct daemon* daemon) - #ifdef USE_DNSCRYPT +@@ -719,6 +730,9 @@ dnsc_delete(daemon->dnscenv); + daemon->dnscenv = NULL; #endif +#ifdef ENABLE_FASTRPZ + rpz_delete(&daemon->rpz_clist, &daemon->rpz_client); @@ -126,11 +122,11 @@ Index: unbound-1.7.0~rc1/daemon/daemon.c daemon->cfg = NULL; } -Index: unbound-1.7.0~rc1/daemon/daemon.h +Index: unboundfastrpz/daemon/daemon.h =================================================================== ---- unbound-1.7.0~rc1.orig/daemon/daemon.h -+++ unbound-1.7.0~rc1/daemon/daemon.h -@@ -134,6 +134,11 @@ struct daemon { +--- unboundfastrpz/daemon/daemon.h (revision 4923) ++++ unboundfastrpz/daemon/daemon.h (working copy) +@@ -136,6 +136,11 @@ /** the dnscrypt environment */ struct dnsc_env* dnscenv; #endif 
@@ -142,11 +138,11 @@ Index: unbound-1.7.0~rc1/daemon/daemon.h }; /** -Index: unbound-1.7.0~rc1/daemon/worker.c +Index: unboundfastrpz/daemon/worker.c =================================================================== ---- unbound-1.7.0~rc1.orig/daemon/worker.c -+++ unbound-1.7.0~rc1/daemon/worker.c -@@ -74,6 +74,9 @@ +--- unboundfastrpz/daemon/worker.c (revision 4923) ++++ unboundfastrpz/daemon/worker.c (working copy) +@@ -75,6 +75,9 @@ #include "libunbound/context.h" #include "libunbound/libworker.h" #include "sldns/sbuffer.h" @@ -156,7 +152,7 @@ Index: unbound-1.7.0~rc1/daemon/worker.c #include "sldns/wire2str.h" #include "util/shm_side/shm_main.h" #include "dnscrypt/dnscrypt.h" -@@ -527,8 +530,27 @@ answer_norec_from_cache(struct worker* w +@@ -533,8 +536,27 @@ /* not secure */ secure = 0; break; @@ -182,9 +178,9 @@ Index: unbound-1.7.0~rc1/daemon/worker.c + } +#endif /* return this delegation from the cache */ + edns_bak = *edns; edns->edns_version = EDNS_ADVERTISED_VERSION; - edns->udp_size = EDNS_ADVERTISED_SIZE; -@@ -689,6 +711,23 @@ answer_from_cache(struct worker* worker, +@@ -702,6 +724,23 @@ secure = 0; } } else secure = 0; @@ -206,9 +202,9 @@ Index: unbound-1.7.0~rc1/daemon/worker.c + } +#endif + edns_bak = *edns; edns->edns_version = EDNS_ADVERTISED_VERSION; - edns->udp_size = EDNS_ADVERTISED_SIZE; -@@ -1291,6 +1330,15 @@ worker_handle_request(struct comm_point* +@@ -1407,6 +1446,15 @@ log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from", &repinfo->addr, repinfo->addrlen); goto send_reply; @@ -224,7 +220,7 @@ Index: unbound-1.7.0~rc1/daemon/worker.c } /* If we've found a local alias, replace the qname with the alias -@@ -1339,12 +1387,21 @@ lookup_cache: +@@ -1455,12 +1503,21 @@ h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2)); if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) { /* answer from cache - we have acquired a readlock on it */ 
@@ -248,7 +244,7 @@ Index: unbound-1.7.0~rc1/daemon/worker.c /* prefetch it if the prefetch TTL expired. * Note that if there is more than one pass * its qname must be that used for cache -@@ -1398,11 +1455,19 @@ lookup_cache: +@@ -1514,11 +1571,19 @@ lock_rw_unlock(&e->lock); } if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) { @@ -270,11 +266,11 @@ Index: unbound-1.7.0~rc1/daemon/worker.c goto send_reply; } verbose(VERB_ALGO, "answer norec from cache -- " -Index: unbound-1.7.0~rc1/doc/unbound.conf.5.in +Index: unboundfastrpz/doc/unbound.conf.5.in =================================================================== ---- unbound-1.7.0~rc1.orig/doc/unbound.conf.5.in -+++ unbound-1.7.0~rc1/doc/unbound.conf.5.in -@@ -1705,6 +1705,81 @@ It must be /96 or shorter. The default +--- unboundfastrpz/doc/unbound.conf.5.in (revision 4923) ++++ unboundfastrpz/doc/unbound.conf.5.in (working copy) +@@ -1728,6 +1728,81 @@ used by dns64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given. @@ -356,10 +352,10 @@ Index: unbound-1.7.0~rc1/doc/unbound.conf.5.in .SS "DNSCrypt Options" .LP The -Index: unbound-1.7.0~rc1/fastrpz/librpz.h +Index: unboundfastrpz/fastrpz/librpz.h =================================================================== ---- /dev/null -+++ unbound-1.7.0~rc1/fastrpz/librpz.h +--- unboundfastrpz/fastrpz/librpz.h (nonexistent) ++++ unboundfastrpz/fastrpz/librpz.h (working copy) @@ -0,0 +1,957 @@ +/* + * Define the interface from a DNS resolver to the Response Policy Zone 
@@ -1318,11 +1314,11 @@ Index: unbound-1.7.0~rc1/fastrpz/librpz.h +#endif /* LIBRPZ_LIB_OPEN */ + +#endif /* LIBRPZ_H */ -Index: unbound-1.7.0~rc1/fastrpz/rpz.c +Index: unboundfastrpz/fastrpz/rpz.c =================================================================== ---- /dev/null -+++ unbound-1.7.0~rc1/fastrpz/rpz.c -@@ -0,0 +1,1357 @@ +--- unboundfastrpz/fastrpz/rpz.c (nonexistent) ++++ unboundfastrpz/fastrpz/rpz.c (working copy) +@@ -0,0 +1,1352 @@ +/* + * fastrpz/rpz.c - interface to the fastrpz response policy zone library + * @@ -1438,8 +1434,6 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.c +static void +log_fnc(librpz_log_level_t level, void* ATTR_UNUSED(ctx), const char* buf) +{ -+ char label_buf[sizeof("rpz ")+8]; -+ + /* Setting librpz_log_level overrides the unbound "verbose" level. */ + if(level > LIBRPZ_LOG_TRACE1 && + level <= librpz->log_level_val(LIBRPZ_LOG_INVALID)) @@ -1949,12 +1943,9 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.c + case st_ck_ns: + /* An NSDNAME or NSIP check failed for lack of cached data. */ + return false; -+#pragma clang diagnostic push -+#pragma clang diagnostic ignored "-Wunreachable-code" + default: + fatal_exit("impossible RPZ state %d in rpz_worker_cache()", + rpz->st); -+#pragma clang diagnostic pop + } + + /* Wait for a trigger. */ @@ -2680,10 +2671,10 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.c +} + +#endif /* ENABLE_FASTRPZ */ -Index: unbound-1.7.0~rc1/fastrpz/rpz.h +Index: unboundfastrpz/fastrpz/rpz.h =================================================================== ---- /dev/null -+++ unbound-1.7.0~rc1/fastrpz/rpz.h +--- unboundfastrpz/fastrpz/rpz.h (nonexistent) ++++ unboundfastrpz/fastrpz/rpz.h (working copy) @@ -0,0 +1,138 @@ +/* + * fastrpz/rpz.h - interface to the fastrpz response policy zone library 
@@ -2823,10 +2814,10 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.h + +#endif /* ENABLE_FASTRPZ */ +#endif /* UNBOUND_FASTRPZ_RPZ_H */ -Index: unbound-1.7.0~rc1/fastrpz/rpz.m4 +Index: unboundfastrpz/fastrpz/rpz.m4 =================================================================== ---- /dev/null -+++ unbound-1.7.0~rc1/fastrpz/rpz.m4 +--- unboundfastrpz/fastrpz/rpz.m4 (nonexistent) ++++ unboundfastrpz/fastrpz/rpz.m4 (working copy) @@ -0,0 +1,64 @@ +# fastrpz/rpz.m4 + @@ -2892,10 +2883,10 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.m4 + AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]]) + fi +]) -Index: unbound-1.7.0~rc1/iterator/iterator.c +Index: unboundfastrpz/iterator/iterator.c =================================================================== ---- unbound-1.7.0~rc1.orig/iterator/iterator.c -+++ unbound-1.7.0~rc1/iterator/iterator.c +--- unboundfastrpz/iterator/iterator.c (revision 4923) ++++ unboundfastrpz/iterator/iterator.c (working copy) @@ -68,6 +68,9 @@ #include "sldns/str2wire.h" #include "sldns/parseutil.h" @@ -2906,7 +2897,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c int iter_init(struct module_env* env, int id) -@@ -511,6 +514,23 @@ handle_cname_response(struct module_qsta +@@ -525,6 +528,23 @@ if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME && query_dname_compare(*mname, r->rk.dname) == 0 && !iter_find_rrset_in_prepend_answer(iq, r)) { @@ -2930,7 +2921,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c /* Add this relevant CNAME rrset to the prepend list.*/ if(!iter_add_prepend_answer(qstate, iq, r)) return 0; -@@ -519,6 +539,9 @@ handle_cname_response(struct module_qsta +@@ -533,6 +553,9 @@ /* Other rrsets in the section are ignored. */ } 
@@ -2940,7 +2931,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c /* add authority rrsets to authority prepend, for wildcarded CNAMEs */ for(i=msg->rep->an_numrrsets; irep->an_numrrsets + msg->rep->ns_numrrsets; i++) { -@@ -1148,6 +1171,7 @@ processInitRequest(struct module_qstate* +@@ -1216,6 +1239,7 @@ uint8_t* delname; size_t delnamelen; struct dns_msg* msg = NULL; @@ -2948,7 +2939,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo); /* check effort */ -@@ -1223,8 +1247,7 @@ processInitRequest(struct module_qstate* +@@ -1302,8 +1326,7 @@ } if(msg) { /* handle positive cache response */ @@ -2958,7 +2949,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c if(verbosity >= VERB_ALGO) { log_dns_msg("msg from cache lookup", &msg->qinfo, msg->rep); -@@ -1232,7 +1255,22 @@ processInitRequest(struct module_qstate* +@@ -1311,7 +1334,22 @@ (int)msg->rep->ttl, (int)msg->rep->prefetch_ttl); } @@ -2981,7 +2972,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c if(type == RESPONSE_TYPE_CNAME) { uint8_t* sname = 0; size_t slen = 0; -@@ -2552,6 +2590,62 @@ processQueryResponse(struct module_qstat +@@ -2716,6 +2754,62 @@ sock_list_insert(&qstate->reply_origin, &qstate->reply->addr, qstate->reply->addrlen, qstate->region); @@ -3041,10 +3032,10 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c + } + } +#endif - if(iq->minimisation_state != DONOT_MINIMISE_STATE) { + if(iq->minimisation_state != DONOT_MINIMISE_STATE + && !(iq->chase_flags & BIT_RD)) { if(FLAGS_GET_RCODE(iq->response->rep->flags) != - LDNS_RCODE_NOERROR) { -@@ -3273,12 +3367,44 @@ processFinished(struct module_qstate* qs +@@ -3462,6 +3556,10 @@ * but only if we did recursion. The nonrecursion referral * from cache does not need to be stored in the msg cache. */ if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) { 
@@ -3055,6 +3046,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c iter_dns_store(qstate->env, &qstate->qinfo, iq->response->rep, 0, qstate->prefetch_leeway, iq->dp&&iq->dp->has_parent_side_NS, +@@ -3468,6 +3566,34 @@ qstate->region, qstate->query_flags); } } @@ -3089,11 +3081,11 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c qstate->return_rcode = LDNS_RCODE_NOERROR; qstate->return_msg = iq->response; return 0; -Index: unbound-1.7.0~rc1/iterator/iterator.h +Index: unboundfastrpz/iterator/iterator.h =================================================================== ---- unbound-1.7.0~rc1.orig/iterator/iterator.h -+++ unbound-1.7.0~rc1/iterator/iterator.h -@@ -383,6 +383,16 @@ struct iter_qstate { +--- unboundfastrpz/iterator/iterator.h (revision 4923) ++++ unboundfastrpz/iterator/iterator.h (working copy) +@@ -386,6 +386,16 @@ */ int minimise_count; @@ -3110,11 +3102,11 @@ Index: unbound-1.7.0~rc1/iterator/iterator.h /** * Count number of time-outs. Used to prevent resolving failures when * the QNAME minimisation QTYPE is blocked. */ -Index: unbound-1.7.0~rc1/services/cache/dns.c +Index: unboundfastrpz/services/cache/dns.c =================================================================== ---- unbound-1.7.0~rc1.orig/services/cache/dns.c -+++ unbound-1.7.0~rc1/services/cache/dns.c -@@ -876,6 +876,14 @@ dns_cache_store(struct module_env* env, +--- unboundfastrpz/services/cache/dns.c (revision 4923) ++++ unboundfastrpz/services/cache/dns.c (working copy) +@@ -928,6 +928,14 @@ struct regional* region, uint32_t flags) { struct reply_info* rep = NULL; 
@@ -3129,11 +3121,11 @@ Index: unbound-1.7.0~rc1/services/cache/dns.c /* alloc, malloc properly (not in region, like msg is) */ rep = reply_info_copy(msgrep, env->alloc, NULL); if(!rep) -Index: unbound-1.7.0~rc1/services/mesh.c +Index: unboundfastrpz/services/mesh.c =================================================================== ---- unbound-1.7.0~rc1.orig/services/mesh.c -+++ unbound-1.7.0~rc1/services/mesh.c -@@ -59,6 +59,9 @@ +--- unboundfastrpz/services/mesh.c (revision 4923) ++++ unboundfastrpz/services/mesh.c (working copy) +@@ -60,6 +60,9 @@ #include "sldns/wire2str.h" #include "services/localzone.h" #include "util/data/dname.h" @@ -3143,7 +3135,7 @@ Index: unbound-1.7.0~rc1/services/mesh.c #include "respip/respip.h" /** subtract timers and the values do not overflow or become negative */ -@@ -1050,6 +1053,13 @@ mesh_send_reply(struct mesh_state* m, in +@@ -1057,6 +1060,13 @@ else secure = 0; if(!rep && rcode == LDNS_RCODE_NOERROR) rcode = LDNS_RCODE_SERVFAIL; @@ -3157,7 +3149,7 @@ Index: unbound-1.7.0~rc1/services/mesh.c /* send the reply */ /* We don't reuse the encoded answer if either the previous or current * response has a local alias. We could compare the alias records -@@ -1199,6 +1209,7 @@ struct mesh_state* mesh_area_find(struct +@@ -1230,6 +1240,7 @@ key.s.is_valrec = valrec; key.s.qinfo = *qinfo; key.s.query_flags = qflags; @@ -3165,7 +3157,7 @@ Index: unbound-1.7.0~rc1/services/mesh.c /* We are searching for a similar mesh state when we DO want to * aggregate the state. Thus unique is set to NULL. (default when we * desire aggregation).*/ -@@ -1245,6 +1256,10 @@ int mesh_state_add_reply(struct mesh_sta +@@ -1276,6 +1287,10 @@ if(!r) return 0; r->query_reply = *rep; 
@@ -3176,11 +3168,11 @@ Index: unbound-1.7.0~rc1/services/mesh.c r->edns = *edns; if(edns->opt_list) { r->edns.opt_list = edns_opt_copy_region(edns->opt_list, -Index: unbound-1.7.0~rc1/util/config_file.c +Index: unboundfastrpz/util/config_file.c =================================================================== ---- unbound-1.7.0~rc1.orig/util/config_file.c -+++ unbound-1.7.0~rc1/util/config_file.c -@@ -1323,6 +1323,8 @@ config_delete(struct config_file* cfg) +--- unboundfastrpz/util/config_file.c (revision 4923) ++++ unboundfastrpz/util/config_file.c (working copy) +@@ -1386,6 +1386,8 @@ free(cfg->dnstap_socket_path); free(cfg->dnstap_identity); free(cfg->dnstap_version); @@ -3189,11 +3181,11 @@ Index: unbound-1.7.0~rc1/util/config_file.c config_deldblstrlist(cfg->ratelimit_for_domain); config_deldblstrlist(cfg->ratelimit_below_domain); #ifdef USE_IPSECMOD -Index: unbound-1.7.0~rc1/util/config_file.h +Index: unboundfastrpz/util/config_file.h =================================================================== ---- unbound-1.7.0~rc1.orig/util/config_file.h -+++ unbound-1.7.0~rc1/util/config_file.h -@@ -431,6 +431,11 @@ struct config_file { +--- unboundfastrpz/util/config_file.h (revision 4923) ++++ unboundfastrpz/util/config_file.h (working copy) +@@ -468,6 +468,11 @@ /** true to disable DNSSEC lameness check in iterator */ int disable_dnssec_lame_check; 
@@ -3205,11 +3197,11 @@ Index: unbound-1.7.0~rc1/util/config_file.h /** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */ int ip_ratelimit; /** number of slabs for ip_ratelimit cache */ -Index: unbound-1.7.0~rc1/util/configlexer.lex +Index: unboundfastrpz/util/configlexer.lex =================================================================== ---- unbound-1.7.0~rc1.orig/util/configlexer.lex -+++ unbound-1.7.0~rc1/util/configlexer.lex -@@ -412,6 +412,10 @@ dnstap-log-forwarder-query-messages{COLO +--- unboundfastrpz/util/configlexer.lex (revision 4923) ++++ unboundfastrpz/util/configlexer.lex (working copy) +@@ -429,6 +429,10 @@ YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) } dnstap-log-forwarder-response-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) } @@ -3220,11 +3212,11 @@ Index: unbound-1.7.0~rc1/util/configlexer.lex disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) } ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) } ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) } -Index: unbound-1.7.0~rc1/util/configparser.y +Index: unboundfastrpz/util/configparser.y =================================================================== ---- unbound-1.7.0~rc1.orig/util/configparser.y -+++ unbound-1.7.0~rc1/util/configparser.y -@@ -124,6 +124,7 @@ extern struct config_parser_state* cfg_p +--- unboundfastrpz/util/configparser.y (revision 4923) ++++ unboundfastrpz/util/configparser.y (working copy) +@@ -125,6 +125,7 @@ %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 
@@ -3232,7 +3224,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT %token VAR_DISABLE_DNSSEC_LAME_CHECK -@@ -158,7 +159,7 @@ extern struct config_parser_state* cfg_p +@@ -164,7 +165,7 @@ %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -3241,7 +3233,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y forwardstart contents_forward | pythonstart contents_py | rcstart contents_rc | dtstart contents_dt | viewstart contents_view | dnscstart contents_dnsc | cachedbstart contents_cachedb | -@@ -2384,6 +2385,50 @@ dt_dnstap_log_forwarder_response_message +@@ -2546,6 +2547,50 @@ (strcmp($2, "yes")==0); } ; @@ -3269,7 +3261,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y + + OUTYY(("P(rpz_zone:%s)\n", $2)); + old_cstr = cfg_parser->cfg->rpz_cstr; -+ asprintf(&new_cstr, "%s\nzone %s", old_cstr?old_cstr:"", $2); ++ (void)asprintf(&new_cstr, "%s\nzone %s", old_cstr?old_cstr:"", $2); + if(!new_cstr) + yyerror("out of memory"); + free(old_cstr); @@ -3282,7 +3274,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y + + OUTYY(("P(rpz_option:%s)\n", $2)); + old_cstr = cfg_parser->cfg->rpz_cstr; -+ asprintf(&new_cstr, "%s\n%s", old_cstr ? old_cstr : "", $2); ++ (void)asprintf(&new_cstr, "%s\n%s", old_cstr ? old_cstr : "", $2); + if(!new_cstr) + yyerror("out of memory"); + free(old_cstr); 
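Review bot: In the rpz_zone and rpz_option parser actions, the `(void)` cast silences the unused-result warning but leaves the failure test on `new_cstr`. glibc documents the pointer as undefined when asprintf fails, so `if(!new_cstr)` is not a portable out-of-memory check. Test the return value instead, e.g. `if(asprintf(&new_cstr, "%s\nzone %s", old_cstr?old_cstr:"", $2) < 0) new_cstr = NULL;` ahead of the existing check, and do the same for the `"%s\n%s"` call. The visible lines also go on to `free(old_cstr)` after `yyerror`, so confirm that the statement outside the hunk cannot store an invalid pointer into `rpz_cstr`.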
@@ -3292,11 +3284,11 @@ Index: unbound-1.7.0~rc1/util/configparser.y pythonstart: VAR_PYTHON { OUTYY(("\nP(python:)\n")); -Index: unbound-1.7.0~rc1/util/data/msgencode.c +Index: unboundfastrpz/util/data/msgencode.c =================================================================== ---- unbound-1.7.0~rc1.orig/util/data/msgencode.c -+++ unbound-1.7.0~rc1/util/data/msgencode.c -@@ -585,6 +585,35 @@ insert_section(struct reply_info* rep, s +--- unboundfastrpz/util/data/msgencode.c (revision 4923) ++++ unboundfastrpz/util/data/msgencode.c (working copy) +@@ -585,6 +585,35 @@ return RETVAL_OK; } @@ -3332,7 +3324,7 @@ Index: unbound-1.7.0~rc1/util/data/msgencode.c /** store query section in wireformat buffer, return RETVAL */ static int insert_query(struct query_info* qinfo, struct compress_tree_node** tree, -@@ -750,6 +779,19 @@ reply_info_encode(struct query_info* qin +@@ -748,6 +777,19 @@ return 0; } sldns_buffer_write_u16_at(buffer, 10, arcount); @@ -3352,13 +3344,13 @@ Index: unbound-1.7.0~rc1/util/data/msgencode.c } sldns_buffer_flip(buffer); return 1; -Index: unbound-1.7.0~rc1/util/data/packed_rrset.c +Index: unboundfastrpz/util/data/packed_rrset.c =================================================================== ---- unbound-1.7.0~rc1.orig/util/data/packed_rrset.c -+++ unbound-1.7.0~rc1/util/data/packed_rrset.c -@@ -254,6 +254,10 @@ sec_status_to_string(enum sec_status s) - case sec_status_indeterminate: return "sec_status_indeterminate"; +--- unboundfastrpz/util/data/packed_rrset.c (revision 4923) ++++ unboundfastrpz/util/data/packed_rrset.c (working copy) +@@ -255,6 +255,10 @@ case sec_status_insecure: return "sec_status_insecure"; + case sec_status_secure_sentinel_fail: return "sec_status_secure_sentinel_fail"; case sec_status_secure: return "sec_status_secure"; +#ifdef ENABLE_FASTRPZ + case sec_status_rpz_rewritten: return "sec_status_rpz_rewritten"; 
@@ -3367,12 +3359,12 @@ Index: unbound-1.7.0~rc1/util/data/packed_rrset.c } return "unknown_sec_status_value"; } -Index: unbound-1.7.0~rc1/util/data/packed_rrset.h +Index: unboundfastrpz/util/data/packed_rrset.h =================================================================== ---- unbound-1.7.0~rc1.orig/util/data/packed_rrset.h -+++ unbound-1.7.0~rc1/util/data/packed_rrset.h -@@ -189,7 +189,15 @@ enum sec_status { - sec_status_insecure, +--- unboundfastrpz/util/data/packed_rrset.h (revision 4923) ++++ unboundfastrpz/util/data/packed_rrset.h (working copy) +@@ -193,7 +193,15 @@ + sec_status_secure_sentinel_fail, /** SECURE means that the object (RRset or message) validated * according to local policy. */ - sec_status_secure @@ -3388,11 +3380,11 @@ Index: unbound-1.7.0~rc1/util/data/packed_rrset.h }; /** -Index: unbound-1.7.0~rc1/util/netevent.c +Index: unboundfastrpz/util/netevent.c =================================================================== ---- unbound-1.7.0~rc1.orig/util/netevent.c -+++ unbound-1.7.0~rc1/util/netevent.c -@@ -54,6 +54,9 @@ +--- unboundfastrpz/util/netevent.c (revision 4923) ++++ unboundfastrpz/util/netevent.c (working copy) +@@ -56,6 +56,9 @@ #ifdef HAVE_OPENSSL_ERR_H #include #endif @@ -3402,7 +3394,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c /* -------- Start of local definitions -------- */ /** if CMSG_ALIGN is not defined on this platform, a workaround */ -@@ -585,6 +588,9 @@ comm_point_udp_ancil_callback(int fd, sh +@@ -588,6 +591,9 @@ struct cmsghdr* cmsg; #endif /* S_SPLINT_S */ @@ -3412,7 +3404,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c rep.c = (struct comm_point*)arg; log_assert(rep.c->type == comm_udp); -@@ -674,6 +680,9 @@ comm_point_udp_callback(int fd, short ev +@@ -677,6 +683,9 @@ int i; struct sldns_buffer *buffer; 
@@ -3422,7 +3414,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c rep.c = (struct comm_point*)arg; log_assert(rep.c->type == comm_udp); -@@ -717,6 +726,9 @@ comm_point_udp_callback(int fd, short ev +@@ -720,6 +729,9 @@ (void)comm_point_send_udp_msg(rep.c, buffer, (struct sockaddr*)&rep.addr, rep.addrlen); } @@ -3432,7 +3424,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for another UDP port. Note rep.c cannot be reused with TCP fd. */ break; -@@ -2956,6 +2968,9 @@ comm_point_send_reply(struct comm_reply +@@ -3035,6 +3047,9 @@ comm_point_start_listening(repinfo->c, -1, repinfo->c->tcp_timeout_msec); } @@ -3442,7 +3434,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c } void -@@ -2965,6 +2980,9 @@ comm_point_drop_reply(struct comm_reply* +@@ -3044,6 +3059,9 @@ return; log_assert(repinfo && repinfo->c); log_assert(repinfo->c->type != comm_tcp_accept); @@ -3452,7 +3444,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c if(repinfo->c->type == comm_udp) return; reclaim_tcp_handler(repinfo->c); -@@ -2984,6 +3002,9 @@ comm_point_start_listening(struct comm_p +@@ -3063,6 +3081,9 @@ { verbose(VERB_ALGO, "comm point start listening %d", c->fd==-1?newfd:c->fd); @@ -3462,11 +3454,11 @@ Index: unbound-1.7.0~rc1/util/netevent.c if(c->type == comm_tcp_accept && !c->tcp_free) { /* no use to start listening no free slots. */ return; -Index: unbound-1.7.0~rc1/util/netevent.h +Index: unboundfastrpz/util/netevent.h =================================================================== ---- unbound-1.7.0~rc1.orig/util/netevent.h -+++ unbound-1.7.0~rc1/util/netevent.h -@@ -119,6 +119,10 @@ struct comm_reply { +--- unboundfastrpz/util/netevent.h (revision 4923) ++++ unboundfastrpz/util/netevent.h (working copy) +@@ -120,6 +120,10 @@ /** return type 0 (none), 4(IP4), 6(IP6) */ int srctype; /* DnsCrypt context */ 
@@ -3477,11 +3469,11 @@ Index: unbound-1.7.0~rc1/util/netevent.h #ifdef USE_DNSCRYPT uint8_t client_nonce[crypto_box_HALF_NONCEBYTES]; uint8_t nmkey[crypto_box_BEFORENMBYTES]; -Index: unbound-1.7.0~rc1/validator/validator.c +Index: unboundfastrpz/validator/validator.c =================================================================== ---- unbound-1.7.0~rc1.orig/validator/validator.c -+++ unbound-1.7.0~rc1/validator/validator.c -@@ -2688,6 +2688,12 @@ ds_response_to_ke(struct module_qstate* +--- unboundfastrpz/validator/validator.c (revision 4923) ++++ unboundfastrpz/validator/validator.c (working copy) +@@ -2755,6 +2755,12 @@ default: /* NSEC proof did not work, try next */ break; @@ -3494,7 +3486,7 @@ Index: unbound-1.7.0~rc1/validator/validator.c } sec = nsec3_prove_nods(qstate->env, ve, -@@ -2721,6 +2727,12 @@ ds_response_to_ke(struct module_qstate* +@@ -2788,6 +2794,12 @@ default: /* NSEC3 proof did not work */ break; @@ -3507,4 +3499,3 @@ Index: unbound-1.7.0~rc1/validator/validator.c } /* Apparently, no available NSEC/NSEC3 proved NODATA, so - diff --git a/contrib/unbound/daemon/daemon.c b/contrib/unbound/daemon/daemon.c index a6bfe390271e..4c3d5f1c1a17 100644 --- a/contrib/unbound/daemon/daemon.c +++ b/contrib/unbound/daemon/daemon.c @@ -660,18 +660,15 @@ daemon_fork(struct daemon* daemon) /* Start resolver service on main thread. */ #ifdef HAVE_SYSTEMD - if(daemon->cfg->use_systemd) - sd_notify(0, "READY=1"); + sd_notify(0, "READY=1"); #endif log_info("start of service (%s).", PACKAGE_STRING); worker_work(daemon->workers[0]); #ifdef HAVE_SYSTEMD - if(daemon->cfg->use_systemd) { - if (daemon->workers[0]->need_to_exit) - sd_notify(0, "STOPPING=1"); - else - sd_notify(0, "RELOADING=1"); - } + if (daemon->workers[0]->need_to_exit) + sd_notify(0, "STOPPING=1"); + else + sd_notify(0, "RELOADING=1"); #endif log_info("service stopped (%s).", PACKAGE_STRING); 
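Review bot: With the `daemon->cfg->use_systemd` test removed in daemon_fork, nothing at the three `sd_notify` calls says why they are now unconditional, and their return values are still ignored. sd_notify returns 0 without sending anything when `NOTIFY_SOCKET` is unset, which is presumably why the gate could go. A comment such as `/* no-op unless NOTIFY_SOCKET is set, so no use_systemd check */` above the first call would record that. If a failed notification matters for supervision, log a negative return, e.g. `if(sd_notify(0, "READY=1") < 0) log_warn("sd_notify failed");`. daemon_fork starts and ends outside the hunk.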
diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c index 91e5609f50f8..3971e4540510 100644 --- a/contrib/unbound/daemon/remote.c +++ b/contrib/unbound/daemon/remote.c @@ -275,12 +275,13 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, struct addrinfo hints; struct addrinfo* res; struct listen_port* n; - int noproto; + int noproto = 0; int fd, r; char port[15]; snprintf(port, sizeof(port), "%d", nr); port[sizeof(port)-1]=0; memset(&hints, 0, sizeof(hints)); + log_assert(ip); if(ip[0] == '/') { /* This looks like a local socket */ @@ -1069,6 +1070,7 @@ do_stats(RES* ssl, struct daemon_remote* rc, int reset) struct ub_stats_info total; struct ub_stats_info s; int i; + memset(&total, 0, sizeof(total)); log_assert(daemon->num > 0); /* gather all thread statistics in one place */ for(i=0; inum; i++) { diff --git a/contrib/unbound/daemon/unbound.c b/contrib/unbound/daemon/unbound.c index c2077bede523..781852ed8e2e 100644 --- a/contrib/unbound/daemon/unbound.c +++ b/contrib/unbound/daemon/unbound.c @@ -730,7 +730,7 @@ main(int argc, char* argv[]) } } argc -= optind; - argv += optind; + /* argv += optind; not using further arguments */ if(winopt) { #ifdef UB_ON_WINDOWS diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c index 9551c60f4a6a..2697ea6534f1 100644 --- a/contrib/unbound/daemon/worker.c +++ b/contrib/unbound/daemon/worker.c @@ -1180,7 +1180,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, char addrbuf[128]; addr_to_str(&repinfo->addr, repinfo->addrlen, addrbuf, sizeof(addrbuf)); - verbose(VERB_OPS, "ip_ratelimit allowed through for ip address %s ", + verbose(VERB_QUERY, "ip_ratelimit allowed through for ip address %s because of slip in ip_ratelimit_factor", addrbuf); } else { worker->stats.num_queries_ip_ratelimited++; 
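Review bot: The added `log_assert(ip);` in add_open is the only guard before `ip[0]` is read on the next line, and log_assert is compiled out unless the build defines UNBOUND_DEBUG, so a NULL `ip` would still be dereferenced in a release build. If a caller can pass NULL (the callers are not visible here), add a runtime check that fails the call, for example `if(!ip) { log_err("control interface: no address given"); return 0; }`, using whatever failure value add_open already returns. add_open's body continues past the hunk.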
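Review bot: In main, the hunk keeps `argc -= optind;` but comments out `argv += optind;`, so argc and argv no longer describe the same argument list, and the disabled statement stays in the file as a comment. Since the remaining arguments are said to be unused, drop both adjustments or keep both; if only the argv line is to go, delete it and leave `/* remaining arguments are not used */`. The same commented-out-statement pattern appears in scrub_normalize in iterator/iter_scrub.c (`prev = nx;`). main continues outside the hunk, so whether argc is read later cannot be checked here.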
@@ -1671,14 +1671,14 @@ worker_create(struct daemon* daemon, int id, int* ports, int n) (((unsigned int)worker->thread_num)<<17); /* shift thread_num so it does not match out pid bits */ if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) { - seed = 0; + explicit_bzero(&seed, sizeof(seed)); log_err("could not init random numbers."); tube_delete(worker->cmd); free(worker->ports); free(worker); return NULL; } - seed = 0; + explicit_bzero(&seed, sizeof(seed)); #ifdef USE_DNSTAP if(daemon->cfg->dnstap) { log_assert(daemon->dtenv != NULL); diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog index 7e81304f930f..69bab6f640ad 100644 --- a/contrib/unbound/doc/Changelog +++ b/contrib/unbound/doc/Changelog 
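Review bot: The seed wipe in worker_create is written twice, once in the failure branch and once after it, so an exit path added later between the seed computation and the second call would leave the value on the stack. Wiping once, right after the call, covers every path: `worker->rndstate = ub_initstate(seed, daemon->rand);` `explicit_bzero(&seed, sizeof(seed));` `if(!worker->rndstate) {`. ub_ctx_create_nopipe in libunbound/libunbound.c has the same two-call shape. worker_create starts and ends outside the hunk.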
@@ -1,5 +1,80 @@ +8 October 2018: Wouter + - fastrpz.patch fix included. + +1 October 2018: Wouter + - tag for release 1.8.1rc1. + +27 September 2018: Wouter + - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes + qname minimisation with a forwarder when connectivity has issues + from rejecting responses. + +25 September 2018: Wouter + - Perform TLS SNI indication of the host that is being contacted + for DNS over TLS service. It sets the configured tls auth name. + This is useful for hosts that apart from the DNS over TLS services + also provide other (web) services. + - Fix #4149: Add SSL cleanup for tcp timeout. + +17 September 2018: Wouter + - Fix compile on Mac for unbound, provide explicit_bzero when libc + does not have it. + - Fix unbound for openssl in FIPS mode, it uses the digests with + the EVP call contexts. + - Fix that with harden-below-nxdomain and qname minisation enabled + some iterator states for nonresponsive domains can get into a + state where they waited for an empty list. + - Stop UDP to TCP failover after timeouts that causes the ping count + to be reset by the TCP time measurement (that exists for TLS), + because that causes the UDP part to not be measured as timeout. + - Fix #4156: Fix systemd service manager state change notification. + +13 September 2018: Wouter + - Fix seed for random backup code to use explicit zero when wiped. + - exit log routine is annotated as noreturn function. + - free memory leaks in config strlist and str2list insert functions. + - do not move unused argv variable after getopt. + - Remove unused if clause in testcode. + - in testcode, free async ids, initialise array, and check for null + pointer during test of the test. And use exit for return to note + irregular program stop. + - Free memory leak in config strlist append. + - make sure nsec3 comparison salt is initialized. + - unit test has clang analysis. + - remove unused variable assignment from iterator scrub routine. 
+ - check for null in delegation point during iterator refetch + in forward zone. + - neater pointer cast in libunbound context quit routine. + - initialize statistics totals for printout. + - in authzone check that node exists before adding rrset. + - in unbound-anchor, use readwrite memory BIO. + - assertion in autotrust that packed rrset is formed correctly. + - Fix memory leak when message parse fails partway through copy. + - remove unused udpsize assignment in message encode. + - nicer bio free code in unbound-anchor. + - annotate exit functions with noreturn in unbound-control. + +11 September 2018: Wouter + - Fixed unused return value warnings in contrib/fastrpz.patch for + asprintf. + - Fix to squelch respip warning in unit test, it is printed at + higher verbosity settings. + - Fix spelling errors. + - Fix initialisation in remote.c + +10 September 2018: Wouter + - 1.8.1 in svn trunk. (changes from 4,5,.. sep apply). + - iana port update. + +5 September 2018: Wouter + - Fix spelling error in header, from getdns commit by Andreas Gelmini. + +4 September 2018: Ralph + - More explicitly mention the type of ratelimit when applying + ip-ratelimit. + 4 September 2018: Wouter - - Tag for 1.8.0rc1 release. + - Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018. 31 August 2018: Wouter - Disable minimal-responses in subnet unit tests. @@ -1856,7 +1931,7 @@ compatibility with cisco dns guard. This lowers false positives. 18 April 2016: Wouter - - Fix some malformed reponses to edns queries get fallback to nonedns. + - Fix some malformed responses to edns queries get fallback to nonedns. 15 April 2016: Wouter - cachedb module event handling design. diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README index ae90773412ff..c817e34be24c 100644 --- a/contrib/unbound/doc/README +++ b/contrib/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.8.0 +README for Unbound 1.8.1 Copyright 2007 NLnet Labs http://unbound.net 
diff --git a/contrib/unbound/doc/example.conf b/contrib/unbound/doc/example.conf index 77f2f65564ee..b72e31f10080 100644 --- a/contrib/unbound/doc/example.conf +++ b/contrib/unbound/doc/example.conf @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.8.0. +# See unbound.conf(5) man page, version 1.8.1. # # this is a comment. diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in index fadfd9c6827b..fc8bc6b0de8d 100644 --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.8.0. +# See unbound.conf(5) man page, version 1.8.1. # # this is a comment. diff --git a/contrib/unbound/doc/libunbound.3 b/contrib/unbound/doc/libunbound.3 index 9a2fff835601..003c867b1a7f 100644 --- a/contrib/unbound/doc/libunbound.3 +++ b/contrib/unbound/doc/libunbound.3 @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "libunbound" "3" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -43,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.8.0 functions. +\- Unbound DNS validating resolver 1.8.1 functions. .SH "SYNOPSIS" .B #include .LP diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in index 9a2fff835601..003c867b1a7f 100644 --- a/contrib/unbound/doc/libunbound.3.in +++ b/contrib/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "libunbound" "3" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" libunbound.3 -- unbound library functions manual .\" 
@@ -43,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.8.0 functions. +\- Unbound DNS validating resolver 1.8.1 functions. .SH "SYNOPSIS" .B #include .LP diff --git a/contrib/unbound/doc/unbound-anchor.8 b/contrib/unbound/doc/unbound-anchor.8 index 69eafe001797..c1eff06cf3b3 100644 --- a/contrib/unbound/doc/unbound-anchor.8 +++ b/contrib/unbound/doc/unbound-anchor.8 @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound-anchor" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in index ece844deff37..089aa47dfacb 100644 --- a/contrib/unbound/doc/unbound-anchor.8.in +++ b/contrib/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound-anchor" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/contrib/unbound/doc/unbound-checkconf.8 b/contrib/unbound/doc/unbound-checkconf.8 index af4e942fe342..7bf3e814b319 100644 --- a/contrib/unbound/doc/unbound-checkconf.8 +++ b/contrib/unbound/doc/unbound-checkconf.8 @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound-checkconf" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in index 038c9b457273..08107c141272 100644 --- a/contrib/unbound/doc/unbound-checkconf.8.in +++ b/contrib/unbound/doc/unbound-checkconf.8.in 
@@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound-checkconf" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/contrib/unbound/doc/unbound-control.8 b/contrib/unbound/doc/unbound-control.8 index 1bf044ddab7f..69155fb559b5 100644 --- a/contrib/unbound/doc/unbound-control.8 +++ b/contrib/unbound/doc/unbound-control.8 @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound-control" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -301,7 +301,7 @@ you set unbound to validate with for-upstream yes and that can be cleared with \fBflush_zone\fR \fIzone\fR. .TP .B auth_zone_transfer \fIzone\fR -Tranfer the auth zone from master. The auth zone probe sequence is started, +Transfer the auth zone from master. The auth zone probe sequence is started, where the masters are probed to see if they have an updated zone (with the SOA serial check). And then the zone is transferred for a newer zone version. .TP diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in index 596138470e53..d176394cf2d3 100644 --- a/contrib/unbound/doc/unbound-control.8.in +++ b/contrib/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound-control" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-control.8 -- unbound remote control manual .\" 
@@ -301,7 +301,7 @@ you set unbound to validate with for-upstream yes and that can be cleared with \fBflush_zone\fR \fIzone\fR. .TP .B auth_zone_transfer \fIzone\fR -Tranfer the auth zone from master. The auth zone probe sequence is started, +Transfer the auth zone from master. The auth zone probe sequence is started, where the masters are probed to see if they have an updated zone (with the SOA serial check). And then the zone is transferred for a newer zone version. .TP diff --git a/contrib/unbound/doc/unbound-host.1 b/contrib/unbound/doc/unbound-host.1 index f7f10475d213..6f72c52d9698 100644 --- a/contrib/unbound/doc/unbound-host.1 +++ b/contrib/unbound/doc/unbound-host.1 @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound\-host" "1" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in index dacee3d13429..d3a0b42bf5e0 100644 --- a/contrib/unbound/doc/unbound-host.1.in +++ b/contrib/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound\-host" "1" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/contrib/unbound/doc/unbound.8 b/contrib/unbound/doc/unbound.8 index 42fc054778cc..78e5a5acda28 100644 --- a/contrib/unbound/doc/unbound.8 +++ b/contrib/unbound/doc/unbound.8 @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.8.0. +\- Unbound DNS validating resolver 1.8.1. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in index 7062fb07eacb..65aa4b11d764 100644 
--- a/contrib/unbound/doc/unbound.8.in +++ b/contrib/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.8.0. +\- Unbound DNS validating resolver 1.8.1. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5 index 4254b71cdae5..8ad2dd9fe23c 100644 --- a/contrib/unbound/doc/unbound.conf.5 +++ b/contrib/unbound/doc/unbound.conf.5 @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound.conf" "5" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -498,7 +498,7 @@ a daemon. Set the value to \fIno\fR when unbound runs as systemd service. Default is yes. .TP .B tcp\-connection\-limit: \fI -Allow up to \fIlimit\R simultaneous TCP connections from the given netblock. +Allow up to \fIlimit\fR simultaneous TCP connections from the given netblock. When at the limit, further connections are accepted but closed immediately. This option is experimental at this time. .TP diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in index a3536a14a249..bc233fdeb0c7 100644 --- a/contrib/unbound/doc/unbound.conf.5.in +++ b/contrib/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound.conf" "5" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound.conf.5 -- unbound.conf manual .\" 
@@ -498,7 +498,7 @@ a daemon. Set the value to \fIno\fR when unbound runs as systemd service. Default is yes. .TP .B tcp\-connection\-limit: \fI -Allow up to \fIlimit\R simultaneous TCP connections from the given netblock. +Allow up to \fIlimit\fR simultaneous TCP connections from the given netblock. When at the limit, further connections are accepted but closed immediately. This option is experimental at this time. .TP diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iterator/iter_scrub.c index 12580dcdb539..b354eaa285b0 100644 --- a/contrib/unbound/iterator/iter_scrub.c +++ b/contrib/unbound/iterator/iter_scrub.c @@ -437,7 +437,9 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, rrset->rrset_all_next = nx->rrset_all_next; nx->rrset_all_next = rrset; - prev = nx; + /* prev = nx; unused, enable if there + * is other rrset removal code after + * this */ } } diff --git a/contrib/unbound/iterator/iterator.c b/contrib/unbound/iterator/iterator.c index e99a559fae4d..2f26bd3349de 100644 --- a/contrib/unbound/iterator/iterator.c +++ b/contrib/unbound/iterator/iterator.c @@ -1125,7 +1125,7 @@ forward_request(struct module_qstate* qstate, struct iter_qstate* iq) struct delegpt* dp; uint8_t* delname = iq->qchase.qname; size_t delnamelen = iq->qchase.qname_len; - if(iq->refetch_glue) { + if(iq->refetch_glue && iq->dp) { delname = iq->dp->name; delnamelen = iq->dp->namelen; } @@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } - if(iq->minimisation_state == INIT_MINIMISE_STATE) { + if(iq->minimisation_state == INIT_MINIMISE_STATE + && !(iq->chase_flags & BIT_RD)) { /* (Re)set qinfo_out to (new) delegation point, except when * qinfo_out is already a subdomain of dp. This happens when * increasing by more than one label at once (QNAMEs with more 
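Review bot: The new `&& iq->dp` test in forward_request silently falls back to the query name when `refetch_glue` is set without a delegation point, and nothing records that this state is expected. A short comment would help the next reader, e.g. `/* dp can be NULL on a refetch inside a forward zone; keep the qchase name */`, and a `verbose(VERB_ALGO, ...)` line in that case would make the fallback visible when debugging. forward_request continues outside the hunk, so later uses of `iq->dp` could not be checked for the same NULL case.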
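Review bot: The clause `!(iq->chase_flags & BIT_RD)` is added to the qname-minimisation test in processQueryTargets without a comment, and the same clause is repeated in processQueryResponse in the next hunk. Presumably RD is set when the query goes to a forwarder, so minimisation is skipped there; saying so at both places, e.g. `/* no qname minimisation when chasing with RD set (forwarder) */`, keeps the two tests from drifting apart. It also documents that full query names are sent upstream in that case, which matters to anyone relying on minimisation for privacy. Both functions extend beyond their hunks.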
@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, sock_list_insert(&qstate->reply_origin, &qstate->reply->addr, qstate->reply->addrlen, qstate->region); - if(iq->minimisation_state != DONOT_MINIMISE_STATE) { + if(iq->minimisation_state != DONOT_MINIMISE_STATE + && !(iq->chase_flags & BIT_RD)) { if(FLAGS_GET_RCODE(iq->response->rep->flags) != LDNS_RCODE_NOERROR) { if(qstate->env->cfg->qname_minimisation_strict) @@ -2752,6 +2754,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, verbose(VERB_ALGO, "could not validate NXDOMAIN " "response"); + outbound_list_clear(&iq->outlist); + iq->num_current_queries = 0; + fptr_ok(fptr_whitelist_modenv_detach_subs( + qstate->env->detach_subs)); + (*qstate->env->detach_subs)(qstate); + iq->num_target_queries = 0; } } return next_state(iq, QUERYTARGETS_STATE); @@ -2993,7 +3001,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, iq->dp->name, iq->dp->namelen, qstate->qinfo.qclass)) { verbose(VERB_ALGO, "auth zone response bad, and no" " fallback possible, servfail"); - errinf_dname(qstate, "reponse is bad, no fallback, " + errinf_dname(qstate, "response is bad, no fallback, " "for auth zone", iq->dp->name); return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } diff --git a/contrib/unbound/libunbound/context.c b/contrib/unbound/libunbound/context.c index 9a35ce56f30f..20e3680ec3bc 100644 --- a/contrib/unbound/libunbound/context.c +++ b/contrib/unbound/libunbound/context.c @@ -392,12 +392,12 @@ struct ctx_query* context_deserialize_cancel(struct ub_ctx* ctx, uint8_t* context_serialize_quit(uint32_t* len) { - uint8_t* p = (uint8_t*)malloc(sizeof(uint32_t)); + uint32_t* p = (uint32_t*)malloc(sizeof(uint32_t)); if(!p) return NULL; *len = sizeof(uint32_t); sldns_write_uint32(p, UB_LIBCMD_QUIT); - return p; + return (uint8_t*)p; } enum ub_ctx_cmd context_serial_getcmd(uint8_t* p, uint32_t len) 
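Review bot: The block added after the "could not validate NXDOMAIN response" message in processQueryResponse (outbound_list_clear, the two counter resets and the detach_subs call) has no comment explaining why outstanding queries and subqueries are dropped at this point. Since the function then returns `next_state(iq, QUERYTARGETS_STATE)`, a short comment such as `/* drop outstanding queries and subqueries before returning to QUERYTARGETS_STATE */` would tell the reader these are deliberate resets rather than leftovers. If the same four-step sequence exists elsewhere in iterator.c, which this hunk does not show, a small static helper would keep the copies from drifting apart.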
diff --git a/contrib/unbound/libunbound/libunbound.c b/contrib/unbound/libunbound/libunbound.c index 275e8d25a168..31adbd54dcdb 100644 --- a/contrib/unbound/libunbound/libunbound.c +++ b/contrib/unbound/libunbound/libunbound.c @@ -109,13 +109,13 @@ static struct ub_ctx* ub_ctx_create_nopipe(void) alloc_init(&ctx->superalloc, NULL, 0); seed = (unsigned int)time(NULL) ^ (unsigned int)getpid(); if(!(ctx->seed_rnd = ub_initstate(seed, NULL))) { - seed = 0; + explicit_bzero(&seed, sizeof(seed)); ub_randfree(ctx->seed_rnd); free(ctx); errno = ENOMEM; return NULL; } - seed = 0; + explicit_bzero(&seed, sizeof(seed)); lock_basic_init(&ctx->qqpipe_lock); lock_basic_init(&ctx->rrpipe_lock); lock_basic_init(&ctx->cfglock); @@ -392,7 +392,6 @@ ub_ctx_add_ta(struct ub_ctx* ctx, const char* ta) } if(!cfg_strlist_insert(&ctx->env->cfg->trust_anchor_list, dup)) { lock_basic_unlock(&ctx->cfglock); - free(dup); return UB_NOMEM; } lock_basic_unlock(&ctx->cfglock); @@ -412,7 +411,6 @@ ub_ctx_add_ta_file(struct ub_ctx* ctx, const char* fname) } if(!cfg_strlist_insert(&ctx->env->cfg->trust_anchor_file_list, dup)) { lock_basic_unlock(&ctx->cfglock); - free(dup); return UB_NOMEM; } lock_basic_unlock(&ctx->cfglock); @@ -432,7 +430,6 @@ int ub_ctx_add_ta_autr(struct ub_ctx* ctx, const char* fname) if(!cfg_strlist_insert(&ctx->env->cfg->auto_trust_anchor_file_list, dup)) { lock_basic_unlock(&ctx->cfglock); - free(dup); return UB_NOMEM; } lock_basic_unlock(&ctx->cfglock); @@ -452,7 +449,6 @@ ub_ctx_trustedkeys(struct ub_ctx* ctx, const char* fname) } if(!cfg_strlist_insert(&ctx->env->cfg->trusted_keys_file_list, dup)) { lock_basic_unlock(&ctx->cfglock); - free(dup); return UB_NOMEM; } lock_basic_unlock(&ctx->cfglock); @@ -962,7 +958,6 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr) return UB_NOMEM; } if(!cfg_strlist_insert(&s->addrs, dupl)) { - free(dupl); lock_basic_unlock(&ctx->cfglock); errno=ENOMEM; return UB_NOMEM; 
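Review bot: The two `explicit_bzero(&seed, sizeof(seed))` calls in ub_ctx_create_nopipe replace `seed = 0` without a comment, so the reason for the heavier call is not recorded in the code. Something like `/* wipe the seed; a plain store to a dead local can be dropped by the compiler */` on the first call would do. The calls are unconditional, so every build must either provide explicit_bzero or link a replacement, and that is not visible in this diff. The two libworker_setup hunks in libworker.c make the same change and would take the same comment.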
@@ -1045,7 +1040,6 @@ int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr, } if(!cfg_strlist_insert(&elem->addrs, a)) { lock_basic_unlock(&ctx->cfglock); - free(a); errno = ENOMEM; return UB_NOMEM; } @@ -1233,7 +1227,6 @@ ub_ctx_hosts(struct ub_ctx* ctx, const char* fname) ins)) { lock_basic_unlock(&ctx->cfglock); fclose(in); - free(ins); errno=ENOMEM; return UB_NOMEM; } diff --git a/contrib/unbound/libunbound/libworker.c b/contrib/unbound/libunbound/libworker.c index 05006a0ec44c..065f0a7b141a 100644 --- a/contrib/unbound/libunbound/libworker.c +++ b/contrib/unbound/libunbound/libworker.c @@ -187,7 +187,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb) if(!w->is_bg || w->is_bg_thread) { lock_basic_unlock(&ctx->cfglock); } - seed = 0; + explicit_bzero(&seed, sizeof(seed)); libworker_delete(w); return NULL; } @@ -207,7 +207,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb) hash_set_raninit((uint32_t)ub_random(w->env->rnd)); } } - seed = 0; + explicit_bzero(&seed, sizeof(seed)); if(eb) w->base = comm_base_create_event(eb); diff --git a/contrib/unbound/respip/respip.c b/contrib/unbound/respip/respip.c index f8e99b909c87..bcb31f89224d 100644 --- a/contrib/unbound/respip/respip.c +++ b/contrib/unbound/respip/respip.c @@ -172,7 +172,7 @@ respip_action_cfg(struct respip_set* set, const char* ipstr, if(!(node=respip_find_or_create(set, ipstr, 1))) return 0; if(node->action != respip_none) { - log_warn("duplicate response-ip action for '%s', overridden.", + verbose(VERB_QUERY, "duplicate response-ip action for '%s', overridden.", ipstr); } if(strcmp(actnstr, "deny") == 0) diff --git a/contrib/unbound/services/authzone.c b/contrib/unbound/services/authzone.c index e61381e49f2a..77bb7238a7fa 100644 --- a/contrib/unbound/services/authzone.c +++ b/contrib/unbound/services/authzone.c 
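Review bot: Changing the duplicate response-ip message in respip_action_cfg from `log_warn` to `verbose(VERB_QUERY, ...)` means that, unless verbosity is raised to that level, nothing reports that one response-ip action replaced another for the same address. This is a policy setting, so a configuration that lists the same address twice with different actions would now load without any visible hint about which one won. If the downgrade is meant to quieten duplicates that are expected in normal use, a comment naming that case next to the call would make the choice reviewable. The function body continues outside this hunk.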
@@ -218,7 +218,7 @@ msg_add_rrset_an(struct auth_zone* z, struct regional* region, { log_assert(msg->rep->ns_numrrsets == 0); log_assert(msg->rep->ar_numrrsets == 0); - if(!rrset) + if(!rrset || !node) return 1; if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, z->dclass)) @@ -242,7 +242,7 @@ msg_add_rrset_ns(struct auth_zone* z, struct regional* region, struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) { log_assert(msg->rep->ar_numrrsets == 0); - if(!rrset) + if(!rrset || !node) return 1; if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, z->dclass)) @@ -265,7 +265,7 @@ static int msg_add_rrset_ar(struct auth_zone* z, struct regional* region, struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) { - if(!rrset) + if(!rrset || !node) return 1; if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, z->dclass)) diff --git a/contrib/unbound/services/cache/infra.c b/contrib/unbound/services/cache/infra.c index 4dd014532b84..07c41928d67e 100644 --- a/contrib/unbound/services/cache/infra.c +++ b/contrib/unbound/services/cache/infra.c @@ -1013,8 +1013,8 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, char client_ip[128]; addr_to_str((struct sockaddr_storage *)&repinfo->addr, repinfo->addrlen, client_ip, sizeof(client_ip)); - verbose(VERB_OPS, "ratelimit exceeded %s %d", client_ip, - infra_ip_ratelimit); + verbose(VERB_OPS, "ip_ratelimit exceeded %s %d", + client_ip, infra_ip_ratelimit); } return (max <= infra_ip_ratelimit); } diff --git a/contrib/unbound/services/outside_network.c b/contrib/unbound/services/outside_network.c index 87c88349b3f8..e2c59c4616dd 100644 --- a/contrib/unbound/services/outside_network.c +++ b/contrib/unbound/services/outside_network.c 
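Review bot: The new `!node` test in msg_add_rrset_an returns 1, the same value as the existing `!rrset` case, so a missing node is reported to the caller as success with nothing added. If a NULL node with a non-NULL rrset can only come from a caller error, that case is now hidden rather than surfaced. A comment such as `/* nothing to add when there is no rrset or no node; not an error */` would at least state that this is intended. The same condition is added in msg_add_rrset_ns and msg_add_rrset_ar in the following two hunks.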
@@ -365,6 +365,11 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len) comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl); #endif pend->c->ssl_shake_state = comm_ssl_shake_write; + if(w->tls_auth_name) { +#ifdef HAVE_SSL + (void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name); +#endif + } #ifdef HAVE_SSL_SET1_HOST if(w->tls_auth_name) { SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL); @@ -374,6 +379,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len) if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) { log_err("SSL_set1_host failed"); pend->c->fd = s; + SSL_free(pend->c->ssl); + pend->c->ssl = NULL; comm_point_close(pend->c); return 0; } @@ -1261,6 +1268,13 @@ outnet_tcptimer(void* arg) } else { /* it was in use */ struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting; + if(pend->c->ssl) { +#ifdef HAVE_SSL + SSL_shutdown(pend->c->ssl); + SSL_free(pend->c->ssl); + pend->c->ssl = NULL; +#endif + } comm_point_close(pend->c); pend->query = NULL; pend->next_free = outnet->tcp_free; @@ -1979,7 +1993,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, return 0; } if(rto >= RTT_MAX_TIMEOUT) { - fallback_tcp = 1; + /* fallback_tcp = 1; */ /* UDP does not work, fallback to TCP below */ } else { serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep); diff --git a/contrib/unbound/sldns/sbuffer.h b/contrib/unbound/sldns/sbuffer.h index 2c30b3736708..2241640ddb12 100644 --- a/contrib/unbound/sldns/sbuffer.h +++ b/contrib/unbound/sldns/sbuffer.h @@ -130,7 +130,7 @@ struct sldns_buffer /** If the buffer is fixed it cannot be resized */ unsigned _fixed : 1; - /** If the buffer is vfixed, no more than capacity bytes willl be + /** If the buffer is vfixed, no more than capacity bytes will be * written to _data, however the _position counter will be updated * with the amount that would have been written in consecutive * writes. This allows for a modus operandi in which a sequence is 
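Review bot: The return value of `SSL_set_tlsext_host_name` in outnet_tcp_take_into_use is cast to void, so a failure to set the server name on the upstream TLS connection leaves no trace. Logging it costs one line: `if(!SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name)) log_err("SSL_set_tlsext_host_name failed");`. The `#ifdef HAVE_SSL` is also placed inside the `if(w->tls_auth_name)` body, which leaves an empty `if` in builds without SSL; putting the `#ifdef` around the whole statement reads more cleanly, and the same applies to the `if(pend->c->ssl)` block added in outnet_tcptimer. The function body continues outside this hunk.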
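Review bot: In serviced_udp_callback, `/* fallback_tcp = 1; */` leaves the assignment behind as commented-out code directly in front of the existing comment "UDP does not work, fallback to TCP below". A reader can no longer tell from these two lines whether the TCP fallback still happens, because the flag that used to request it is no longer set here. Deleting the dead assignment and rewording the remaining comment to say what this branch now relies on would remove the ambiguity. The code that performs the fallback is outside this hunk, so whether `fallback_tcp` is still read anywhere cannot be checked from here.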
@@ -160,7 +160,7 @@ sldns_buffer_invariant(sldns_buffer *buffer) assert(buffer != NULL); assert(buffer->_position <= buffer->_limit || buffer->_vfixed); assert(buffer->_limit <= buffer->_capacity); - assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0)); + assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0 && buffer->_limit == 0)); } #endif diff --git a/contrib/unbound/smallapp/unbound-anchor.c b/contrib/unbound/smallapp/unbound-anchor.c index dea674003a35..6e672f2a55bf 100644 --- a/contrib/unbound/smallapp/unbound-anchor.c +++ b/contrib/unbound/smallapp/unbound-anchor.c @@ -1090,11 +1090,14 @@ read_http_result(SSL* ssl) } if(!data) return NULL; if(verb >= 4) print_data("read data", data, (int)len); - m = BIO_new_mem_buf(data, (int)len); + m = BIO_new(BIO_s_mem()); if(!m) { if(verb) printf("out of memory\n"); + free(data); exit(0); } + BIO_write(m, data, (int)len); + free(data); return m; } @@ -1161,17 +1164,6 @@ https(struct ip_list* ip_list, const char* pathname, const char* urlname) return bio; } -/** free up a downloaded file BIO */ -static void -free_file_bio(BIO* bio) -{ - char* pp = NULL; - (void)BIO_reset(bio); - (void)BIO_get_mem_data(bio, &pp); - free(pp); - BIO_free(bio); -} - /** XML parse private data during the parse */ struct xml_data { /** the parser, reference */ @@ -1596,7 +1588,7 @@ xml_parse(BIO* xml, time_t now) xml_parse_setup(parser, &data, now); /* parse it */ - (void)BIO_reset(xml); + (void)BIO_seek(xml, 0); len = (int)BIO_get_mem_data(xml, &pp); if(!len || !pp) { if(verb) printf("out of memory\n"); @@ -1770,8 +1762,8 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) X509_VERIFY_PARAM_free(param); #endif - (void)BIO_reset(p7s); - (void)BIO_reset(data); + (void)BIO_seek(p7s, 0); + (void)BIO_seek(data, 0); /* convert p7s to p7 (the signature) */ p7 = d2i_PKCS7_bio(p7s, NULL); 
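Review bot: The result of `BIO_write(m, data, (int)len)` in read_http_result is ignored, so a failed or short write returns a memory BIO holding less than the downloaded body and the caller cannot tell. Checking it, for example `if(BIO_write(m, data, (int)len) != (int)len) { free(data); BIO_free(m); return NULL; }`, keeps the failure on the same NULL return already used for `!data`. The out-of-memory branch still ends in `exit(0)`, which tells the calling process that the run succeeded; that predates this change but sits in the lines being edited.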
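Review bot: The switch from `BIO_reset(xml)` to `BIO_seek(xml, 0)` in xml_parse is not explained, and the two calls look interchangeable to a reader who does not know the background. The reason is presumably that read_http_result now returns a read/write memory BIO, on which BIO_reset discards the stored data instead of rewinding it. A comment such as `/* rewind; BIO_reset would empty a read/write memory BIO */` would stop someone from changing it back. The same replacement is made for `p7s` and `data` in the verify_p7sig hunk, and in all three places the result of the call is cast to void.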
@@ -1949,8 +1941,8 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file, if(verb) printf("success: the anchor has been updated " "using the cert\n"); - free_file_bio(xml); - free_file_bio(p7s); + BIO_free(xml); + BIO_free(p7s); #ifndef S_SPLINT_S sk_X509_pop_free(cert, X509_free); #endif @@ -2342,7 +2334,7 @@ int main(int argc, char* argv[]) } } argc -= optind; - argv += optind; + /* argv += optind; not using further arguments */ if(argc != 0) usage(); diff --git a/contrib/unbound/smallapp/unbound-control.c b/contrib/unbound/smallapp/unbound-control.c index 408571944d7a..45b7d5626719 100644 --- a/contrib/unbound/smallapp/unbound-control.c +++ b/contrib/unbound/smallapp/unbound-control.c @@ -73,6 +73,10 @@ #include #endif +static void usage(void) ATTR_NORETURN; +static void ssl_err(const char* s) ATTR_NORETURN; +static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN; + /** Give unbound-control usage, and exit (1). */ static void usage(void) diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c index 7eba9a1efd17..8ef61c8e21b8 100644 --- a/contrib/unbound/util/config_file.c +++ b/contrib/unbound/util/config_file.c @@ -841,6 +841,7 @@ config_get_option(struct config_file* cfg, const char* opt, { char buf[1024], nopt[64]; size_t len = sizeof(buf); + if(!opt) return 0; if(opt && opt[strlen(opt)-1] == ':' && strlen(opt)str = item; s->next = NULL; if(list->last) @@ -1578,11 +1583,15 @@ int cfg_strlist_insert(struct config_strlist** head, char* item) { struct config_strlist *s; - if(!item || !head) + if(!item || !head) { + free(item); return 0; + } s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist)); - if(!s) + if(!s) { + free(item); return 0; + } s->str = item; s->next = *head; *head = s; 
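Review bot: The added `if(!opt) return 0;` in config_get_option rejects NULL but not the empty string, and the next line indexes `opt[strlen(opt)-1]`, which for "" reads one byte before the start of the buffer. Assuming 0 is also the right result for an empty option name, `if(!opt || !opt[0]) return 0;` covers both cases, and the `opt &&` at the start of the following condition then becomes redundant. The rest of this hunk is damaged on the page, so the remainder of the function cannot be checked from here.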
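Review bot: cfg_strlist_insert now calls `free(item)` on both failure paths, which moves ownership of the string to the callee even when the insert fails. Every caller that still frees its copy after a failed insert would free the same pointer twice; this commit removes those calls in libunbound.c, but callers in files not touched by the diff need the same audit. A one-line comment at the top of the function, such as `/* takes ownership of item, also on failure */`, would make the contract visible at the definition and not only in config_file.h. The same change is made to cfg_str2list_insert in the next hunk, and the header hunk suggests cfg_strlist_append as well.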
@@ -1593,11 +1602,17 @@ int cfg_str2list_insert(struct config_str2list** head, char* item, char* i2) { struct config_str2list *s; - if(!item || !i2 || !head) + if(!item || !i2 || !head) { + free(item); + free(i2); return 0; + } s = (struct config_str2list*)calloc(1, sizeof(struct config_str2list)); - if(!s) + if(!s) { + free(item); + free(i2); return 0; + } s->str = item; s->str2 = i2; s->next = *head; diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h index d1bce1b69be4..8c630b8a109c 100644 --- a/contrib/unbound/util/config_file.h +++ b/contrib/unbound/util/config_file.h @@ -792,6 +792,7 @@ char* config_collate_cat(struct config_strlist* list); * @param list: list head. zeroed at start. * @param item: new item. malloced by caller. if NULL the insertion fails. * @return true on success. + * on fail the item is free()ed. */ int cfg_strlist_append(struct config_strlist_head* list, char* item); @@ -809,6 +810,7 @@ struct config_strlist* cfg_strlist_find(struct config_strlist* head, * @param head: pointer to strlist head variable. * @param item: new item. malloced by caller. If NULL the insertion fails. * @return: true on success. + * on fail, the item is free()d. */ int cfg_strlist_insert(struct config_strlist** head, char* item); @@ -822,6 +824,7 @@ int cfg_region_strlist_insert(struct regional* region, * @param item: new item. malloced by caller. If NULL the insertion fails. * @param i2: 2nd string, malloced by caller. If NULL the insertion fails. * @return: true on success. + * on fail, the item and i2 are free()d. */ int cfg_str2list_insert(struct config_str2list** head, char* item, char* i2); diff --git a/contrib/unbound/util/data/msgencode.c b/contrib/unbound/util/data/msgencode.c index aab7f5dfecba..6bc3216ff9e9 100644 --- a/contrib/unbound/util/data/msgencode.c +++ b/contrib/unbound/util/data/msgencode.c 
@@ -647,8 +647,6 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep, sldns_buffer_clear(buffer); if(udpsize < sldns_buffer_limit(buffer)) sldns_buffer_set_limit(buffer, udpsize); - else if(sldns_buffer_limit(buffer) < udpsize) - udpsize = sldns_buffer_limit(buffer); if(sldns_buffer_remaining(buffer) < LDNS_HEADER_SIZE) return 0; diff --git a/contrib/unbound/util/data/msgreply.c b/contrib/unbound/util/data/msgreply.c index 540d7d4b3dec..45d42a87f458 100644 --- a/contrib/unbound/util/data/msgreply.c +++ b/contrib/unbound/util/data/msgreply.c @@ -441,10 +441,14 @@ parse_create_msg(sldns_buffer* pkt, struct msg_parse* msg, return 0; if(!parse_create_repinfo(msg, rep, region)) return 0; - if(!reply_info_alloc_rrset_keys(*rep, alloc, region)) + if(!reply_info_alloc_rrset_keys(*rep, alloc, region)) { + if(!region) reply_info_parsedelete(*rep, alloc); return 0; - if(!parse_copy_decompress(pkt, msg, *rep, region)) + } + if(!parse_copy_decompress(pkt, msg, *rep, region)) { + if(!region) reply_info_parsedelete(*rep, alloc); return 0; + } return 1; } diff --git a/contrib/unbound/util/iana_ports.inc b/contrib/unbound/util/iana_ports.inc index 55d041e4084a..e24322931326 100644 --- a/contrib/unbound/util/iana_ports.inc +++ b/contrib/unbound/util/iana_ports.inc @@ -4860,6 +4860,7 @@ 8800, 8804, 8805, +8807, 8808, 8873, 8880, diff --git a/contrib/unbound/util/log.h b/contrib/unbound/util/log.h index 7bc3d9e76152..f73c0754d657 100644 --- a/contrib/unbound/util/log.h +++ b/contrib/unbound/util/log.h @@ -174,7 +174,7 @@ void log_buf(enum verbosity_value level, const char* msg, struct sldns_buffer* b * Pass printf formatted arguments. No trailing newline is needed. * @param format: printf-style format string. Arguments follow. */ -void fatal_exit(const char* format, ...) ATTR_FORMAT(printf, 1, 2); +void fatal_exit(const char* format, ...) ATTR_FORMAT(printf, 1, 2) ATTR_NORETURN; /** * va_list argument version of log_info. 
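Review bot: After `reply_info_parsedelete(*rep, alloc)` in the two new failure branches of parse_create_msg, `*rep` still holds the address of the freed reply, so a caller that inspects or releases `*rep` after a 0 return would touch freed memory. Clearing it in the same branch avoids that: `if(!region) { reply_info_parsedelete(*rep, alloc); *rep = NULL; }`. Whether any caller does this is not visible in the hunk, so the callers' cleanup paths should be checked together with this change. Putting the call on its own line inside braces would also match the brace style the hunk introduces for the outer `if`.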
diff --git a/contrib/unbound/validator/autotrust.c b/contrib/unbound/validator/autotrust.c index a34a7c96c814..a72967302df1 100644 --- a/contrib/unbound/validator/autotrust.c +++ b/contrib/unbound/validator/autotrust.c @@ -718,6 +718,7 @@ packed_rrset_heap_data(int iter(struct autr_ta**, uint8_t**, size_t*, list_i = list; i = 0; while(iter(&list_i, &rr, &rr_len, &dname_len)) { + log_assert(data->rr_data[i]); memmove(data->rr_data[i], sldns_wirerr_get_rdatawl(rr, rr_len, dname_len), data->rr_len[i]); diff --git a/contrib/unbound/validator/val_nsec3.c b/contrib/unbound/validator/val_nsec3.c index 773ed30cde5d..763b5ab7c767 100644 --- a/contrib/unbound/validator/val_nsec3.c +++ b/contrib/unbound/validator/val_nsec3.c @@ -520,6 +520,10 @@ nsec3_hash_cmp(const void* c1, const void* c2) } (void)nsec3_get_salt(h1->nsec3, h1->rr, &s1, &s1len); (void)nsec3_get_salt(h2->nsec3, h2->rr, &s2, &s2len); + if(s1len == 0 && s2len == 0) + return 0; + if(!s1) return -1; + if(!s2) return 1; if(s1len != s2len) { if(s1len < s2len) return -1; @@ -736,7 +740,7 @@ find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt, size_t i_rs; int i_rr; struct ub_packed_rrset_key* s; - struct nsec3_cached_hash* hash; + struct nsec3_cached_hash* hash = NULL; int r; /* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */ @@ -748,7 +752,7 @@ find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt, if(r == 0) { log_err("nsec3: malloc failure"); break; /* alloc failure */ - } else if(r < 0) + } else if(r != 1) continue; /* malformed NSEC3 */ else if(nsec3_hash_matches_owner(flt, hash, s)) { *rrset = s; /* rrset with this name */ @@ -829,7 +833,7 @@ find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt, size_t i_rs; int i_rr; struct ub_packed_rrset_key* s; - struct nsec3_cached_hash* hash; + struct nsec3_cached_hash* hash = NULL; int r; /* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */ 
@@ -841,7 +845,7 @@ find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt, if(r == 0) { log_err("nsec3: malloc failure"); break; /* alloc failure */ - } else if(r < 0) + } else if(r != 1) continue; /* malformed NSEC3 */ else if(nsec3_covers(flt->zone, hash, s, i_rr, env->scratch_buffer)) { diff --git a/contrib/unbound/validator/val_secalgo.c b/contrib/unbound/validator/val_secalgo.c index 95200a48b61b..0613316c9088 100644 --- a/contrib/unbound/validator/val_secalgo.c +++ b/contrib/unbound/validator/val_secalgo.c @@ -77,6 +77,22 @@ int fake_dsa = 0; /** fake SHA1 support for unit tests */ int fake_sha1 = 0; +/** + * Output a libcrypto openssl error to the logfile. + * @param str: string to add to it. + * @param e: the error to output, error number from ERR_get_error(). + */ +static void +log_crypto_error(const char* str, unsigned long e) +{ + char buf[128]; + /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ + ERR_error_string_n(e, buf, sizeof(buf)); + /* buf now contains */ + /* error:[error code]:[library name]:[function name]:[reason string] */ + log_err("%s crypto %s", str, buf); +} + /* return size of digest if supported, or 0 otherwise */ size_t nsec3_hash_algo_size_supported(int id) @@ -96,7 +112,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, { switch(algo) { case NSEC3_HASH_SHA1: +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha1())) + log_crypto_error("could not digest with EVP_sha1", + ERR_get_error()); +#else (void)SHA1(buf, len, res); +#endif return 1; default: return 0; @@ -106,7 +128,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, void secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) { +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha256())) + log_crypto_error("could not digest with EVP_sha256", + ERR_get_error()); +#else (void)SHA256(buf, len, res); +#endif } /** 
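Review bot: In the OPENSSL_FIPS branch of secalgo_nsec3_hash, a failed `sldns_digest_evp` call is logged but the function still falls through to `return 1`, so the caller is told the hash succeeded while `res` may never have been written. Wrapping the failure branch in braces and adding `return 0;` after the `log_crypto_error` call would report the failure through the existing return value. The secalgo_ds_digest hunks for LDNS_SHA1, LDNS_SHA256 and LDNS_SHA384 have the same log-then-`return 1` shape. secalgo_hash_sha256 returns void and cannot signal the failure at all, which is worth a comment there; how callers use `res` after these calls is outside the visible hunks.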
@@ -165,12 +193,24 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, switch(algo) { #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) case LDNS_SHA1: +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha1())) + log_crypto_error("could not digest with EVP_sha1", + ERR_get_error()); +#else (void)SHA1(buf, len, res); +#endif return 1; #endif #ifdef HAVE_EVP_SHA256 case LDNS_SHA256: +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha256())) + log_crypto_error("could not digest with EVP_sha256", + ERR_get_error()); +#else (void)SHA256(buf, len, res); +#endif return 1; #endif #ifdef USE_GOST @@ -181,7 +221,13 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, #endif #ifdef USE_ECDSA case LDNS_SHA384: +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha384())) + log_crypto_error("could not digest with EVP_sha384", + ERR_get_error()); +#else (void)SHA384(buf, len, res); +#endif return 1; #endif default: @@ -248,22 +294,6 @@ dnskey_algo_id_is_supported(int id) } } -/** - * Output a libcrypto openssl error to the logfile. - * @param str: string to add to it. - * @param e: the error to output, error number from ERR_get_error(). - */ -static void -log_crypto_error(const char* str, unsigned long e) -{ - char buf[128]; - /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ - ERR_error_string_n(e, buf, sizeof(buf)); - /* buf now contains */ - /* error:[error code]:[library name]:[function name]:[reason string] */ - log_err("%s crypto %s", str, buf); -} - #ifdef USE_DSA /** * Setup DSA key digest in DER encoding ...