d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vendor import of Unbound 1.6.6.

Browse Source
This commit is contained in:
Dag-Erling Smørgrav 2018-05-12 11:55:17 +00:00
parent 8c2647a7dc
commit a6c5280ea5
587 changed files with 17136 additions and 3503 deletions
Makefile.inacx_nlnetlabs.m4
cachedb
cachedb.c
config.h.inconfigureconfigure.ac
contrib
fastrpz.patch
daemon
daemon.cremote.cstats.cunbound.cworker.c
dns64
dns64.c
dnscrypt
dnscrypt.cdnscrypt.h
testdata
gencert.sh
keys1
public.keysecret.key
keys2
public.keysecret.key
doc
ChangelogREADMEexample.conf.inlibunbound.3.inunbound-anchor.8.inunbound-checkconf.8.inunbound-control.8.inunbound-host.1.inunbound.8.inunbound.conf.5.in
iterator
iterator.citerator.h
libunbound
libworker.cunbound.h
pythonmod/doc/examples
example0-1.pyexample0.rst
services
authzone.c
cache
dns.cinfra.c
listen_dnsport.clocalzone.clocalzone.houtside_network.c
sldns
parseutil.cstr2wire.cwire2str.c
smallapp
unbound-anchor.cunbound-checkconf.cunbound-control.c
testcode
do-tests.shfake_event.cmini_tdir.shpetal.crun_vm.shstreamtcp.cunitverify.c
testdata
00-lint.tdir
00-lint.dsc00-lint.test
00-lint.tpkg
01-doc.tdir
01-doc.dsc01-doc.test
01-doc.tpkg
02-unittest.tdir
02-unittest.dsc02-unittest.test
02-unittest.tpkg
03-testbound.tdir
03-testbound.dsc03-testbound.test
03-testbound.tpkg
04-checkconf.tdir
04-checkconf.dsc04-checkconf.testbad.badfwdbad.badifbad.badipbad.bindbad.usergood.allgood.ifportgood.includewarn.algo
04-checkconf.tpkg
05-asynclook.tdir
05-asynclook.dsc05-asynclook.hosts05-asynclook.post05-asynclook.pre05-asynclook.test05-asynclook.testns
05-asynclook.tpkg
06-ianaports.tdir
06-ianaports.dsc06-ianaports.test
06-ianaports.tpkg
07-confroot.tdir
07-confroot.dsc07-confroot.test
07-confroot.tpkg
08-host-lib.tdir
08-host-lib.dsc08-host-lib.hosts08-host-lib.post08-host-lib.pre08-host-lib.test08-host-lib.testns
08-host-lib.tpkg
Show More

91
Makefile.in

@ -426,7 +426,7 @@ libunbound/python/libunbound_wrap.c: $(srcdir)/libunbound/python/libunbound.i un
# Pyunbound python unbound wrapper
_unbound.la: libunbound_wrap.lo libunbound.la
$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) L. -L.libs -lunbound
$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) -L. -L.libs -lunbound
util/config_file.c: util/configparser.h
util/configlexer.c: $(srcdir)/util/configlexer.lex util/configparser.h
@ -735,9 +735,9 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i
$(srcdir)/sldns/str2wire.h
listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/services/outside_network.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
$(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h
localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@ -749,8 +749,8 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv
$(srcdir)/util/as112.h
mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h \
@ -777,12 +777,12 @@ view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(s
outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
@ -830,7 +830,7 @@ authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/service
$(srcdir)/validator/val_secalgo.h
fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
@ -851,8 +851,8 @@ locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdi
log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h
@ -860,8 +860,8 @@ module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(s
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
$(srcdir)/util/net_help.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
@ -876,7 +876,7 @@ net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_he
random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
@ -897,19 +897,19 @@ slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/uti
timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h
tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h \
$(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \
@ -1040,7 +1040,9 @@ checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/u
$(srcdir)/testcode/checklocks.h
dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/storage/lookup3.h
ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@ -1174,9 +1176,10 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
$(srcdir)/validator/val_kcache.h
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/remote.h \
@ -1207,16 +1210,15 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
$(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/rbtree.h \
$(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h \
$(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
@ -1266,17 +1268,19 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
$(srcdir)/validator/val_kcache.h
replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \
$(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/rrdef.h
fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
@ -1309,7 +1313,8 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \
$(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER)
$(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER) \
$(srcdir)/edns-subnet/subnet-whitelist.h
worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \

10
acx_nlnetlabs.m4

@ -688,8 +688,8 @@ AC_DEFUN([ACX_SSL_CHECKS], [
# check if -lwsock32 or -lgdi32 are needed.
BAKLIBS="$LIBS"
BAKSSLLIBS="$LIBSSL_LIBS"
LIBS="$LIBS -lgdi32"
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
LIBS="$LIBS -lgdi32 -lws2_32"
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32"
AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
AC_TRY_LINK([], [
int HMAC_Update(void);
@ -839,7 +839,11 @@ dnl see if on windows
if test "$ac_cv_header_windows_h" = "yes"; then
AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used])
USE_WINSOCK="1"
LIBS="$LIBS -lws2_32"
if echo $LIBS | grep 'lws2_32' >/dev/null; then
:
else
LIBS="$LIBS -lws2_32"
fi
fi
],
dnl no quick getaddrinfo, try mingw32 and winsock2 library.

44
cachedb/cachedb.c

@ -61,6 +61,8 @@
/** the unit test testframe for cachedb, its module state contains
* a cache for a couple queries (in memory). */
struct testframe_moddata {
/** lock for mutex */
lock_basic_type lock;
/** key for single stored data element, NULL if none */
char* stored_key;
/** data for single stored data element, NULL if none */
@ -72,14 +74,18 @@ struct testframe_moddata {
static int
testframe_init(struct module_env* env, struct cachedb_env* cachedb_env)
{
struct testframe_moddata* d;
(void)env;
verbose(VERB_ALGO, "testframe_init");
cachedb_env->backend_data = (void*)calloc(1,
d = (struct testframe_moddata*)calloc(1,
sizeof(struct testframe_moddata));
cachedb_env->backend_data = (void*)d;
if(!cachedb_env->backend_data) {
log_err("out of memory");
return 0;
}
lock_basic_init(&d->lock);
lock_protect(&d->lock, d, sizeof(*d));
return 1;
}
@ -92,6 +98,7 @@ testframe_deinit(struct module_env* env, struct cachedb_env* cachedb_env)
verbose(VERB_ALGO, "testframe_deinit");
if(!d)
return;
lock_basic_destroy(&d->lock);
free(d->stored_key);
free(d->stored_data);
free(d);
@ -105,17 +112,22 @@ testframe_lookup(struct module_env* env, struct cachedb_env* cachedb_env,
cachedb_env->backend_data;
(void)env;
verbose(VERB_ALGO, "testframe_lookup of %s", key);
lock_basic_lock(&d->lock);
if(d->stored_key && strcmp(d->stored_key, key) == 0) {
if(d->stored_datalen > sldns_buffer_capacity(result_buffer))
if(d->stored_datalen > sldns_buffer_capacity(result_buffer)) {
lock_basic_unlock(&d->lock);
return 0; /* too large */
}
verbose(VERB_ALGO, "testframe_lookup found %d bytes",
(int)d->stored_datalen);
sldns_buffer_clear(result_buffer);
sldns_buffer_write(result_buffer, d->stored_data,
d->stored_datalen);
sldns_buffer_flip(result_buffer);
lock_basic_unlock(&d->lock);
return 1;
}
lock_basic_unlock(&d->lock);
return 0;
}
@ -126,6 +138,7 @@ testframe_store(struct module_env* env, struct cachedb_env* cachedb_env,
struct testframe_moddata* d = (struct testframe_moddata*)
cachedb_env->backend_data;
(void)env;
lock_basic_lock(&d->lock);
verbose(VERB_ALGO, "testframe_store %s (%d bytes)", key, (int)data_len);
/* free old data element (if any) */
@ -137,6 +150,7 @@ testframe_store(struct module_env* env, struct cachedb_env* cachedb_env,
d->stored_data = memdup(data, data_len);
if(!d->stored_data) {
lock_basic_unlock(&d->lock);
log_err("out of memory");
return;
}
@ -146,8 +160,10 @@ testframe_store(struct module_env* env, struct cachedb_env* cachedb_env,
free(d->stored_data);
d->stored_data = NULL;
d->stored_datalen = 0;
lock_basic_unlock(&d->lock);
return;
}
lock_basic_unlock(&d->lock);
/* (key,data) successfully stored */
}
@ -170,16 +186,17 @@ cachedb_find_backend(const char* str)
static int
cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
{
const char* backend_str = "testframe"; /* TODO get from cfg */
(void)cfg; /* need this until the TODO is implemented */
if(backend_str && backend_str[0]) {
cachedb_env->backend = cachedb_find_backend(backend_str);
if(!cachedb_env->backend) {
log_err("cachedb: cannot find backend name '%s",
backend_str);
return 0;
}
const char* backend_str = cfg->cachedb_backend;
/* If unspecified we use the in-memory test DB. */
if(!backend_str)
backend_str = "testframe";
cachedb_env->backend = cachedb_find_backend(backend_str);
if(!cachedb_env->backend) {
log_err("cachedb: cannot find backend name '%s'", backend_str);
return 0;
}
/* TODO see if more configuration needs to be applied or not */
return 1;
}
@ -277,9 +294,10 @@ calc_hash(struct module_qstate* qstate, char* buf, size_t len)
size_t clen = 0;
uint8_t hash[CACHEDB_HASHSIZE/8];
const char* hex = "0123456789ABCDEF";
const char* secret = "default"; /* TODO: from qstate->env->cfg */
const char* secret = qstate->env->cfg->cachedb_secret ?
qstate->env->cfg->cachedb_secret : "default";
size_t i;
/* copy the hash info into the clear buffer */
if(clen + qstate->qinfo.qname_len < sizeof(clear)) {
memmove(clear+clen, qstate->qinfo.qname,

3
config.h.in

@ -296,6 +296,9 @@
/* Define to 1 if you have the <nettle/dsa-compat.h> header file. */
#undef HAVE_NETTLE_DSA_COMPAT_H
/* Define to 1 if you have the <nettle/eddsa.h> header file. */
#undef HAVE_NETTLE_EDDSA_H
/* Use libnss for crypto */
#undef HAVE_NSS

100
configure vendored

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.6.5.
# Generated by GNU Autoconf 2.69 for unbound 1.6.6.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.6.5'
PACKAGE_STRING='unbound 1.6.5'
PACKAGE_VERSION='1.6.6'
PACKAGE_STRING='unbound 1.6.6'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@ -1437,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.6.5 to adapt to many kinds of systems.
\`configure' configures unbound 1.6.6 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1502,7 +1502,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.6.5:";;
short | recursive ) echo "Configuration of unbound 1.6.6:";;
esac
cat <<\_ACEOF
@ -1714,7 +1714,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.6.5
unbound configure 1.6.6
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2423,7 +2423,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.6.5, which was
It was created by unbound $as_me 1.6.6, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2775,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=6
UNBOUND_VERSION_MICRO=5
UNBOUND_VERSION_MICRO=6
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=4
LIBUNBOUND_REVISION=5
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2835,6 +2835,7 @@ LIBUNBOUND_AGE=5
# 1.6.3 had 7:2:5
# 1.6.4 had 7:3:5
# 1.6.5 had 7:4:5
# 1.6.6 had 7:5:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -16464,7 +16465,9 @@ if test x"$ax_pthread_ok" = xyes; then
$as_echo "#define HAVE_PTHREAD 1" >>confdefs.h
LIBS="$PTHREAD_LIBS $LIBS"
if test -n "$PTHREAD_LIBS"; then
LIBS="$PTHREAD_LIBS $LIBS"
fi
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
ub_have_pthreads=yes
@ -16894,8 +16897,16 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
$as_echo "#define HAVE_PYTHON 1" >>confdefs.h
LIBS="$PYTHON_LDFLAGS $LIBS"
CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
if test -n "$LIBS"; then
LIBS="$PYTHON_LDFLAGS $LIBS"
else
LIBS="$PYTHON_LDFLAGS"
fi
if test -n "$CPPFLAGS"; then
CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
else
CPPFLAGS="$PYTHON_CPPFLAGS"
fi
ub_have_python=yes
PC_PY_DEPENDENCY="python"
@ -17250,8 +17261,8 @@ $as_echo "no" >&6; }
# check if -lwsock32 or -lgdi32 are needed.
BAKLIBS="$LIBS"
BAKSSLLIBS="$LIBSSL_LIBS"
LIBS="$LIBS -lgdi32"
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
LIBS="$LIBS -lgdi32 -lws2_32"
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -lgdi32" >&5
$as_echo_n "checking if -lcrypto needs -lgdi32... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@ -18053,6 +18064,7 @@ case "$enable_dsa" in
;;
*)
# detect if DSA is supported, and turn it off if not.
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
ac_fn_c_check_func "$LINENO" "DSA_SIG_new" "ac_cv_func_DSA_SIG_new"
if test "x$ac_cv_func_DSA_SIG_new" = xyes; then :
@ -18067,6 +18079,13 @@ else
fi
fi
else
cat >>confdefs.h <<_ACEOF
#define USE_DSA 1
_ACEOF
fi
;;
esac
@ -18096,11 +18115,6 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
if test $ac_have_decl = 1; then :
cat >>confdefs.h <<_ACEOF
#define USE_ED25519 1
_ACEOF
use_ed25519="yes"
else
@ -18108,6 +18122,28 @@ else
fi
fi
fi
if test $USE_NETTLE = "yes"; then
for ac_header in nettle/eddsa.h
do :
ac_fn_c_check_header_compile "$LINENO" "nettle/eddsa.h" "ac_cv_header_nettle_eddsa_h" "$ac_includes_default
"
if test "x$ac_cv_header_nettle_eddsa_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_NETTLE_EDDSA_H 1
_ACEOF
use_ed25519="yes"
fi
done
fi
if test $use_ed25519 = "yes"; then
cat >>confdefs.h <<_ACEOF
#define USE_ED25519 1
_ACEOF
fi
;;
esac
@ -18621,7 +18657,12 @@ if test x_$enable_static_exe = x_yes; then
if test "$on_mingw" = yes; then
staticexe="-all-static"
# for static compile, include gdi32 and zlib here.
LIBS="$LIBS -lgdi32 -lz"
if echo $LIBS | grep 'lgdi32' >/dev/null; then
:
else
LIBS="$LIBS -lgdi32"
fi
LIBS="$LIBS -lz"
fi
fi
@ -18979,7 +19020,11 @@ if test "$ac_cv_header_windows_h" = "yes"; then
$as_echo "#define USE_WINSOCK 1" >>confdefs.h
USE_WINSOCK="1"
LIBS="$LIBS -lws2_32"
if echo $LIBS | grep 'lws2_32' >/dev/null; then
:
else
LIBS="$LIBS -lws2_32"
fi
fi
else
@ -20633,7 +20678,12 @@ $as_echo "#define OMITTED__D_LARGEFILE_SOURCE_1 1" >>confdefs.h
fi
LDFLAGS="$LATE_LDFLAGS $LDFLAGS"
if test -n "$LATE_LDFLAGS"; then
LDFLAGS="$LATE_LDFLAGS $LDFLAGS"
fi
# remove start spaces
LDFLAGS=`echo "$LDFLAGS"|sed -e 's/^ *//'`
LIBS=`echo "$LIBS"|sed -e 's/^ *//'`
cat >>confdefs.h <<_ACEOF
@ -20643,7 +20693,7 @@ _ACEOF
version=1.6.5
version=1.6.6
date=`date +'%b %e, %Y'`
@ -21162,7 +21212,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.6.5, which was
This file was extended by unbound $as_me 1.6.6, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -21228,7 +21278,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.6.5
unbound config.status 1.6.6
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

46
configure.ac

@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[6])
m4_define([VERSION_MICRO],[5])
m4_define([VERSION_MICRO],[6])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=4
LIBUNBOUND_REVISION=5
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -74,6 +74,7 @@ LIBUNBOUND_AGE=5
# 1.6.3 had 7:2:5
# 1.6.4 had 7:3:5
# 1.6.5 had 7:4:5
# 1.6.6 had 7:5:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -456,7 +457,9 @@ ub_have_pthreads=no
if test x_$withval != x_no; then
AX_PTHREAD([
AC_DEFINE(HAVE_PTHREAD,1,[Define if you have POSIX threads libraries and header files.])
LIBS="$PTHREAD_LIBS $LIBS"
if test -n "$PTHREAD_LIBS"; then
LIBS="$PTHREAD_LIBS $LIBS"
fi
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
ub_have_pthreads=yes
@ -558,8 +561,16 @@ if test x_$ub_test_python != x_no; then
AC_SUBST(PY_MAJOR_VERSION)
# Have Python
AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.])
LIBS="$PYTHON_LDFLAGS $LIBS"
CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
if test -n "$LIBS"; then
LIBS="$PYTHON_LDFLAGS $LIBS"
else
LIBS="$PYTHON_LDFLAGS"
fi
if test -n "$CPPFLAGS"; then
CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
else
CPPFLAGS="$PYTHON_CPPFLAGS"
fi
ub_have_python=yes
PC_PY_DEPENDENCY="python"
AC_SUBST(PC_PY_DEPENDENCY)
@ -912,10 +923,14 @@ case "$enable_dsa" in
;;
*)
# detect if DSA is supported, and turn it off if not.
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
AC_CHECK_FUNC(DSA_SIG_new, [
AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
fi ])
else
AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
fi
;;
esac
@ -927,13 +942,18 @@ case "$enable_ed25519" in
*)
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
AC_CHECK_DECLS([NID_ED25519], [
AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
use_ed25519="yes"
], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
fi ], [AC_INCLUDES_DEFAULT
#include <openssl/evp.h>
])
fi
if test $USE_NETTLE = "yes"; then
AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes",, [AC_INCLUDES_DEFAULT])
fi
if test $use_ed25519 = "yes"; then
AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
fi
;;
esac
@ -1106,7 +1126,12 @@ if test x_$enable_static_exe = x_yes; then
if test "$on_mingw" = yes; then
staticexe="-all-static"
# for static compile, include gdi32 and zlib here.
LIBS="$LIBS -lgdi32 -lz"
if echo $LIBS | grep 'lgdi32' >/dev/null; then
:
else
LIBS="$LIBS -lgdi32"
fi
LIBS="$LIBS -lz"
fi
fi
@ -1448,7 +1473,12 @@ AC_SUBST(ALLTARGET)
AC_SUBST(INSTALLTARGET)
ACX_STRIP_EXT_FLAGS
LDFLAGS="$LATE_LDFLAGS $LDFLAGS"
if test -n "$LATE_LDFLAGS"; then
LDFLAGS="$LATE_LDFLAGS $LDFLAGS"
fi
# remove start spaces
LDFLAGS=`echo "$LDFLAGS"|sed -e 's/^ *//'`
LIBS=`echo "$LIBS"|sed -e 's/^ *//'`
AC_DEFINE_UNQUOTED([MAXSYSLOGMSGLEN], [10240], [Define to the maximum message length to pass to syslog.])

6
contrib/fastrpz.patch

@ -3263,15 +3263,15 @@ diff -u --unidirectional-new-file -r1.1 ./util/configparser.y
%token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
%token VAR_DISABLE_DNSSEC_LAME_CHECK
@@ -150,7 +151,7 @@
@@ -153,7 +154,7 @@
toplevelvar: serverstart contents_server | stubstart contents_stub |
forwardstart contents_forward | pythonstart contents_py |
rcstart contents_rc | dtstart contents_dt | viewstart
- contents_view |
+ contents_view | rpzstart contents_rpz |
dnscstart contents_dnsc
dnscstart contents_dnsc |
cachedbstart contents_cachedb
;
@@ -2160,6 +2161,50 @@
(strcmp($2, "yes")==0);
}

9
daemon/daemon.c

@ -221,7 +221,9 @@ daemon_init(void)
# ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
# endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
ERR_load_SSL_strings();
#endif
# ifdef USE_GOST
(void)sldns_key_EVP_load_gost_id();
# endif
@ -239,7 +241,7 @@ daemon_init(void)
# if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
# else
(void)OPENSSL_init_ssl(0, NULL);
(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
# endif
# if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
if(!ub_openssl_lock_init())
@ -421,8 +423,8 @@ daemon_create_workers(struct daemon* daemon)
daemon->rand = ub_initstate(seed, NULL);
if(!daemon->rand)
fatal_exit("could not init random generator");
hash_set_raninit((uint32_t)ub_random(daemon->rand));
}
hash_set_raninit((uint32_t)ub_random(daemon->rand));
shufport = (int*)calloc(65536, sizeof(int));
if(!shufport)
fatal_exit("out of memory during daemon init");
@ -690,6 +692,9 @@ daemon_cleanup(struct daemon* daemon)
daemon->num = 0;
#ifdef USE_DNSTAP
dt_delete(daemon->dtenv);
#endif
#ifdef USE_DNSCRYPT
dnsc_delete(daemon->dnscenv);
#endif
daemon->cfg = NULL;
}

85
daemon/remote.c

@ -229,42 +229,10 @@ daemon_remote_create(struct config_file* cfg)
free(rc);
return NULL;
}
/* no SSLv2, SSLv3 because has defects */
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
!= SSL_OP_NO_SSLv2){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
if(!listen_sslctx_setup(rc->ctx)) {
daemon_remote_delete(rc);
return NULL;
}
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3){
log_crypto_err("could not set SSL_OP_NO_SSLv3");
daemon_remote_delete(rc);
return NULL;
}
#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
/* if we have tls 1.1 disable 1.0 */
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
!= SSL_OP_NO_TLSv1){
log_crypto_err("could not set SSL_OP_NO_TLSv1");
daemon_remote_delete(rc);
return NULL;
}
#endif
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
/* if we have tls 1.2 disable 1.1 */
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
!= SSL_OP_NO_TLSv1_1){
log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
daemon_remote_delete(rc);
return NULL;
}
#endif
#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
/* if we have sha256, set the cipher list to have no known vulns */
if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
#endif
if (cfg->remote_control_use_cert == 0) {
/* No certificates are requested */
@ -314,23 +282,7 @@ daemon_remote_create(struct config_file* cfg)
log_crypto_err("Error in SSL_CTX check_private_key");
goto setup_error;
}
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
}
#elif defined(USE_ECDSA)
if(1) {
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
if (!ecdh) {
log_crypto_err("could not find p256, not enabling ECDHE");
} else {
if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
}
EC_KEY_free (ecdh);
}
}
#endif
listen_sslctx_setup_2(rc->ctx);
if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
log_crypto_err("Error setting up SSL_CTX verify locations");
setup_error:
@ -415,7 +367,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
if (cfg->username && cfg->username[0] &&
cfg_uid != (uid_t)-1) {
if(chown(ip, cfg_uid, cfg_gid) == -1)
log_err("cannot chown %u.%u %s: %s",
verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
(unsigned)cfg_uid, (unsigned)cfg_gid,
ip, strerror(errno));
}
@ -841,7 +793,7 @@ print_stats(SSL* ssl, const char* nm, struct ub_stats_info* s)
static int
print_thread_stats(SSL* ssl, int i, struct ub_stats_info* s)
{
char nm[16];
char nm[32];
snprintf(nm, sizeof(nm), "thread%d", i);
nm[sizeof(nm)-1]=0;
return print_stats(ssl, nm, s);
@ -873,6 +825,9 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
#ifdef USE_IPSECMOD
size_t ipsecmod = 0;
#endif /* USE_IPSECMOD */
#ifdef USE_DNSCRYPT
size_t dnscrypt_shared_secret = 0;
#endif /* USE_DNSCRYPT */
msg = slabhash_get_mem(daemon->env->msg_cache);
rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
val = mod_get_mem(&worker->env, "validator");
@ -884,6 +839,12 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
#ifdef USE_IPSECMOD
ipsecmod = mod_get_mem(&worker->env, "ipsecmod");
#endif /* USE_IPSECMOD */
#ifdef USE_DNSCRYPT
if(daemon->dnscenv) {
dnscrypt_shared_secret = slabhash_get_mem(
daemon->dnscenv->shared_secrets_cache);
}
#endif /* USE_DNSCRYPT */
if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
return 0;
@ -903,6 +864,11 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
if(!print_longnum(ssl, "mem.mod.ipsecmod"SQ, ipsecmod))
return 0;
#endif /* USE_IPSECMOD */
#ifdef USE_DNSCRYPT
if(!print_longnum(ssl, "mem.cache.dnscrypt_shared_secret"SQ,
dnscrypt_shared_secret))
return 0;
#endif /* USE_DNSCRYPT */
return 1;
}
@ -1065,6 +1031,9 @@ print_ext(SSL* ssl, struct ub_stats_info* s)
if(!ssl_printf(ssl, "num.answer.rcode.nodata"SQ"%lu\n",
(unsigned long)s->svr.ans_rcode_nodata)) return 0;
}
/* iteration */
if(!ssl_printf(ssl, "num.query.ratelimited"SQ"%lu\n",
(unsigned long)s->svr.queries_ratelimited)) return 0;
/* validation */
if(!ssl_printf(ssl, "num.answer.secure"SQ"%lu\n",
(unsigned long)s->svr.ans_secure)) return 0;
@ -1086,6 +1055,12 @@ print_ext(SSL* ssl, struct ub_stats_info* s)
(unsigned)s->svr.infra_cache_count)) return 0;
if(!ssl_printf(ssl, "key.cache.count"SQ"%u\n",
(unsigned)s->svr.key_cache_count)) return 0;
#ifdef USE_DNSCRYPT
if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n",
(unsigned)s->svr.shared_secret_cache_count)) return 0;
if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
(unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
#endif /* USE_DNSCRYPT */
return 1;
}
@ -2389,10 +2364,16 @@ dump_infra_host(struct lruhash_entry* e, void* arg)
struct infra_data* d = (struct infra_data*)e->data;
char ip_str[1024];
char name[257];
int port;
if(a->ssl_failed)
return;
addr_to_str(&k->addr, k->addrlen, ip_str, sizeof(ip_str));
dname_str(k->zonename, name);
port = (int)ntohs(((struct sockaddr_in*)&k->addr)->sin_port);
if(port != UNBOUND_DNS_PORT) {
snprintf(ip_str+strlen(ip_str), sizeof(ip_str)-strlen(ip_str),
"@%d", port);
}
/* skip expired stuff (only backed off) */
if(d->ttl < a->now) {
if(d->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) {

64
daemon/stats.c

@ -56,6 +56,7 @@
#include "util/timehist.h"
#include "util/net_help.h"
#include "validator/validator.h"
#include "iterator/iterator.h"
#include "sldns/sbuffer.h"
#include "services/cache/rrset.h"
#include "services/cache/infra.h"
@ -123,7 +124,7 @@ void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
/** get rrsets bogus number from validator */
static size_t
get_rrset_bogus(struct worker* worker)
get_rrset_bogus(struct worker* worker, int reset)
{
int m = modstack_find(&worker->env.mesh->mods, "validator");
struct val_env* ve;
@ -133,12 +134,48 @@ get_rrset_bogus(struct worker* worker)
ve = (struct val_env*)worker->env.modinfo[m];
lock_basic_lock(&ve->bogus_lock);
r = ve->num_rrset_bogus;
if(!worker->env.cfg->stat_cumulative)
if(reset && !worker->env.cfg->stat_cumulative)
ve->num_rrset_bogus = 0;
lock_basic_unlock(&ve->bogus_lock);
return r;
}
/** get number of ratelimited queries from iterator */
static size_t
get_queries_ratelimit(struct worker* worker, int reset)
{
int m = modstack_find(&worker->env.mesh->mods, "iterator");
struct iter_env* ie;
size_t r;
if(m == -1)
return 0;
ie = (struct iter_env*)worker->env.modinfo[m];
lock_basic_lock(&ie->queries_ratelimit_lock);
r = ie->num_queries_ratelimited;
if(reset && !worker->env.cfg->stat_cumulative)
ie->num_queries_ratelimited = 0;
lock_basic_unlock(&ie->queries_ratelimit_lock);
return r;
}
#ifdef USE_DNSCRYPT
/** get the number of shared secret cache miss */
static size_t
get_dnscrypt_cache_miss(struct worker* worker, int reset)
{
size_t r;
struct dnsc_env* de = worker->daemon->dnscenv;
if(!de) return 0;
lock_basic_lock(&de->shared_secrets_cache_lock);
r = de->num_query_dnscrypt_secret_missed_cache;
if(reset && !worker->env.cfg->stat_cumulative)
de->num_query_dnscrypt_secret_missed_cache = 0;
lock_basic_unlock(&de->shared_secrets_cache_lock);
return r;
}
#endif /* USE_DNSCRYPT */
void
server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
{
@ -169,7 +206,10 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing;
/* get and reset validator rrset bogus number */
s->svr.rrset_bogus = (long long)get_rrset_bogus(worker);
s->svr.rrset_bogus = (long long)get_rrset_bogus(worker, reset);
/* get and reset iterator query ratelimit number */
s->svr.queries_ratelimited = (long long)get_queries_ratelimit(worker, reset);
/* get cache sizes */
s->svr.msg_cache_count = (long long)count_slabhash_entries(worker->env.msg_cache);
@ -179,6 +219,21 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
s->svr.key_cache_count = (long long)count_slabhash_entries(worker->env.key_cache->slab);
else s->svr.key_cache_count = 0;
#ifdef USE_DNSCRYPT
if(worker->daemon->dnscenv) {
s->svr.num_query_dnscrypt_secret_missed_cache =
(long long)get_dnscrypt_cache_miss(worker, reset);
s->svr.shared_secret_cache_count = (long long)count_slabhash_entries(
worker->daemon->dnscenv->shared_secrets_cache);
} else {
s->svr.num_query_dnscrypt_secret_missed_cache = 0;
s->svr.shared_secret_cache_count = 0;
}
#else
s->svr.num_query_dnscrypt_secret_missed_cache = 0;
s->svr.shared_secret_cache_count = 0;
#endif /* USE_DNSCRYPT */
/* get tcp accept usage */
s->svr.tcp_accept_usage = 0;
for(lp = worker->front->cps; lp; lp = lp->next) {
@ -240,7 +295,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
a->svr.num_query_dnscrypt_cleartext;
total->svr.num_query_dnscrypt_crypted_malformed += \
a->svr.num_query_dnscrypt_crypted_malformed;
#endif
#endif /* USE_DNSCRYPT */
/* the max size reached is upped to higher of both */
if(a->svr.max_query_list_size > total->svr.max_query_list_size)
total->svr.max_query_list_size = a->svr.max_query_list_size;
@ -266,7 +321,6 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
total->svr.zero_ttl_responses += a->svr.zero_ttl_responses;
total->svr.ans_secure += a->svr.ans_secure;
total->svr.ans_bogus += a->svr.ans_bogus;
total->svr.rrset_bogus += a->svr.rrset_bogus;
total->svr.unwanted_replies += a->svr.unwanted_replies;
total->svr.unwanted_queries += a->svr.unwanted_queries;
total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;

28
daemon/unbound.c

@ -128,6 +128,9 @@ static void usage(void)
for(m = module_list_avail(); *m; m++)
printf(" %s", *m);
printf("\n");
#ifdef USE_DNSCRYPT
printf("DNSCrypt feature available\n");
#endif
printf("BSD licensed, see LICENSE in source package for details.\n");
printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
ub_event_base_free(base);
@ -400,7 +403,7 @@ detach(void)
/** daemonize, drop user priviliges and chroot if needed */
static void
perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
const char** cfgfile)
const char** cfgfile, int need_pidfile)
{
#ifdef HAVE_KILL
int pidinchroot;
@ -444,13 +447,13 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
#ifdef HAVE_KILL
/* true if pidfile is inside chrootdir, or nochroot */
pidinchroot = !(cfg->chrootdir && cfg->chrootdir[0]) ||
pidinchroot = need_pidfile && (!(cfg->chrootdir && cfg->chrootdir[0]) ||
(cfg->chrootdir && cfg->chrootdir[0] &&
strncmp(cfg->pidfile, cfg->chrootdir,
strlen(cfg->chrootdir))==0);
strlen(cfg->chrootdir))==0));
/* check old pid file before forking */
if(cfg->pidfile && cfg->pidfile[0]) {
if(cfg->pidfile && cfg->pidfile[0] && need_pidfile) {
/* calculate position of pidfile */
if(cfg->pidfile[0] == '/')
daemon->pidfile = strdup(cfg->pidfile);
@ -469,7 +472,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
/* write new pidfile (while still root, so can be outside chroot) */
#ifdef HAVE_KILL
if(cfg->pidfile && cfg->pidfile[0]) {
if(cfg->pidfile && cfg->pidfile[0] && need_pidfile) {
writepid(daemon->pidfile, getpid());
if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
pidinchroot) {
@ -484,6 +487,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
}
#else
(void)daemon;
(void)need_pidfile;
#endif /* HAVE_KILL */
/* Set user context */
@ -600,9 +604,10 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
* These increase verbosity as specified in the config file.
* @param debug_mode: if set, do not daemonize.
* @param log_default_identity: Default identity to report in logs
* @param need_pidfile: if false, no pidfile is checked or created.
*/
static void
run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode, const char* log_default_identity)
run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode, const char* log_default_identity, int need_pidfile)
{
struct config_file* cfg = NULL;
struct daemon* daemon = NULL;
@ -632,7 +637,7 @@ run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode, const char*
if(!daemon_open_shared_ports(daemon))
fatal_exit("could not open ports");
if(!done_setup) {
perform_setup(daemon, cfg, debug_mode, &cfgfile);
perform_setup(daemon, cfg, debug_mode, &cfgfile, need_pidfile);
done_setup = 1;
} else {
/* reopen log after HUP to facilitate log rotation */
@ -682,6 +687,8 @@ main(int argc, char* argv[])
const char* log_ident_default;
int cmdline_verbose = 0;
int debug_mode = 0;
int need_pidfile = 1;
#ifdef UB_ON_WINDOWS
int cmdline_cfg = 0;
#endif
@ -690,7 +697,7 @@ main(int argc, char* argv[])
log_ident_default = strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0];
log_ident_set(log_ident_default);
/* parse the options */
while( (c=getopt(argc, argv, "c:dhvw:")) != -1) {
while( (c=getopt(argc, argv, "c:dhpvw:")) != -1) {
switch(c) {
case 'c':
cfgfile = optarg;
@ -702,6 +709,9 @@ main(int argc, char* argv[])
cmdline_verbose++;
verbosity++;
break;
case 'p':
need_pidfile = 0;
break;
case 'd':
debug_mode++;
break;
@ -732,7 +742,7 @@ main(int argc, char* argv[])
return 1;
}
run_daemon(cfgfile, cmdline_verbose, debug_mode, log_ident_default);
run_daemon(cfgfile, cmdline_verbose, debug_mode, log_ident_default, need_pidfile);
log_init(NULL, 0, NULL); /* close logfile */
return 0;
}

20
daemon/worker.c

@ -1009,6 +1009,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
struct query_info* lookup_qinfo = &qinfo;
struct query_info qinfo_tmp; /* placeholdoer for lookup_qinfo */
struct respip_client_info* cinfo = NULL, cinfo_tmp;
memset(&qinfo, 0, sizeof(qinfo));
if(error != NETEVENT_NOERROR) {
/* some bad tcp query DNS formats give these error calls */
@ -1111,6 +1112,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
if(!query_info_parse(&qinfo, c->buffer)) {
verbose(VERB_ALGO, "worker parse request: formerror.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
memset(&qinfo, 0, sizeof(qinfo)); /* zero qinfo.qname */
if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) {
comm_point_drop_reply(repinfo);
return 0;
@ -1355,6 +1357,10 @@ lookup_cache:
lock_rw_unlock(&e->lock);
regional_free_all(worker->scratchpad);
goto send_reply;
} else {
/* Note that we've already released the
* lock if we're here after prefetch. */
lock_rw_unlock(&e->lock);
}
/* We've found a partial reply ending with an
* alias. Replace the lookup qinfo for the
@ -1362,7 +1368,6 @@ lookup_cache:
* (possibly) complete the reply. As we're
* passing the "base" reply, there will be no
* more alias chasing. */
lock_rw_unlock(&e->lock);
memset(&qinfo_tmp, 0, sizeof(qinfo_tmp));
get_cname_target(alias_rrset, &qinfo_tmp.qname,
&qinfo_tmp.qname_len);
@ -1669,7 +1674,17 @@ worker_init(struct worker* worker, struct config_file *cfg,
worker->env.send_query = &worker_send_query;
worker->env.alloc = &worker->alloc;
worker->env.rnd = worker->rndstate;
worker->env.scratch = worker->scratchpad;
/* If case prefetch is triggered, the corresponding mesh will clear
* the scratchpad for the module env in the middle of request handling.
* It would be prone to a use-after-free kind of bug, so we avoid
* sharing it with worker's own scratchpad at the cost of having
* one more pad per worker. */
worker->env.scratch = regional_create_custom(cfg->msg_buffer_size);
if(!worker->env.scratch) {
log_err("malloc failure");
worker_delete(worker);
return 0;
}
worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env);
worker->env.detach_subs = &mesh_detach_subs;
worker->env.attach_sub = &mesh_attach_sub;
@ -1758,6 +1773,7 @@ worker_delete(struct worker* worker)
comm_base_delete(worker->base);
ub_randfree(worker->rndstate);
alloc_clear(&worker->alloc);
regional_destroy(worker->env.scratch);
regional_destroy(worker->scratchpad);
free(worker);
}

1
dns64/dns64.c

@ -540,6 +540,7 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
case module_event_new:
/* Tag this query as being new and fall through. */
qstate->minfo[id] = (void*)DNS64_NEW_QUERY;
/* fallthrough */
case module_event_pass:
qstate->ext_state[id] = handle_event_pass(qstate, id);
break;

305
dnscrypt/dnscrypt.c

@ -12,6 +12,8 @@
#include "util/net_help.h"
#include "util/netevent.h"
#include "util/log.h"
#include "util/storage/slabhash.h"
#include "util/storage/lookup3.h"
#include "dnscrypt/cert.h"
#include "dnscrypt/dnscrypt.h"
@ -19,13 +21,15 @@
#include <ctype.h>
/**
* \file
* dnscrypt functions for encrypting DNS packets.
*/
#define DNSCRYPT_QUERY_BOX_OFFSET \
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + crypto_box_HALF_NONCEBYTES)
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + \
crypto_box_HALF_NONCEBYTES)
// 8 bytes: magic header (CERT_MAGIC_HEADER)
// 12 bytes: the client's nonce
@ -33,13 +37,110 @@
// 16 bytes: Poly1305 MAC (crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES)
#define DNSCRYPT_REPLY_BOX_OFFSET \
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES + crypto_box_HALF_NONCEBYTES)
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES + \
crypto_box_HALF_NONCEBYTES)
/**
* Shared secret cache key length.
* secret key.
* 1 byte: ES_VERSION[1]
* 32 bytes: client crypto_box_PUBLICKEYBYTES
* 32 bytes: server crypto_box_SECRETKEYBYTES
*/
#define DNSCRYPT_SHARED_SECRET_KEY_LENGTH \
(1 + crypto_box_PUBLICKEYBYTES + crypto_box_SECRETKEYBYTES)
struct shared_secret_cache_key {
/** the hash table key */
uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH];
/** the hash table entry, data is uint8_t pointer of size crypto_box_BEFORENMBYTES which contains the shared secret. */
struct lruhash_entry entry;
};
/**
* Generate a key suitable to find shared secret in slabhash.
* \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
* \param[in] esversion: The es version least significant byte.
* \param[in] pk: The public key of the client. uint8_t pointer of size
* crypto_box_PUBLICKEYBYTES.
* \param[in] sk: The secret key of the server matching the magic query number.
* uint8_t pointer of size crypto_box_SECRETKEYBYTES.
* \return the hash of the key.
*/
static uint32_t
dnsc_shared_secrets_cache_key(uint8_t* key,
uint8_t esversion,
uint8_t* pk,
uint8_t* sk)
{
key[0] = esversion;
memcpy(key + 1, pk, crypto_box_PUBLICKEYBYTES);
memcpy(key + 1 + crypto_box_PUBLICKEYBYTES, sk, crypto_box_SECRETKEYBYTES);
return hashlittle(key, DNSCRYPT_SHARED_SECRET_KEY_LENGTH, 0);
}
/**
* Inserts a shared secret into the shared_secrets_cache slabhash.
* The shared secret is copied so the caller can use it freely without caring
* about the cache entry being evicted or not.
* \param[in] cache: the slabhash in which to look for the key.
* \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
* which contains the key of the shared secret.
* \param[in] hash: the hash of the key.
* \param[in] nmkey: a uint8_t pointer of size crypto_box_BEFORENMBYTES which
* contains the shared secret.
*/
static void
dnsc_shared_secret_cache_insert(struct slabhash *cache,
uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH],
uint32_t hash,
uint8_t nmkey[crypto_box_BEFORENMBYTES])
{
struct shared_secret_cache_key* k =
(struct shared_secret_cache_key*)calloc(1, sizeof(*k));
uint8_t* d = malloc(crypto_box_BEFORENMBYTES);
if(!k || !d) {
free(k);
free(d);
return;
}
memcpy(d, nmkey, crypto_box_BEFORENMBYTES);
lock_rw_init(&k->entry.lock);
memcpy(k->key, key, DNSCRYPT_SHARED_SECRET_KEY_LENGTH);
k->entry.hash = hash;
k->entry.key = k;
k->entry.data = d;
slabhash_insert(cache,
hash, &k->entry,
d,
NULL);
}
/**
* Lookup a record in shared_secrets_cache.
* \param[in] cache: a pointer to shared_secrets_cache slabhash.
* \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
* containing the key to look for.
* \param[in] hash: a hash of the key.
* \return a pointer to the locked cache entry or NULL on failure.
*/
static struct lruhash_entry*
dnsc_shared_secrets_lookup(struct slabhash* cache,
uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH],
uint32_t hash)
{
return slabhash_lookup(cache, hash, key, 0);
}
/**
* Decrypt a query using the dnsccert that was found using dnsc_find_cert.
* The client nonce will be extracted from the encrypted query and stored in
* client_nonce, a shared secret will be computed and stored in nmkey and the
* buffer will be decrypted inplace.
* \param[in] env the dnscrypt environment.
* \param[in] cert the cert that matches this encrypted query.
* \param[in] client_nonce where the client nonce will be stored.
* \param[in] nmkey where the shared secret key will be written.
@ -47,7 +148,8 @@
* \return 0 on success.
*/
static int
dnscrypt_server_uncurve(const dnsccert *cert,
dnscrypt_server_uncurve(struct dnsc_env* env,
const dnsccert *cert,
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
uint8_t nmkey[crypto_box_BEFORENMBYTES],
struct sldns_buffer* buffer)
@ -56,27 +158,55 @@ dnscrypt_server_uncurve(const dnsccert *cert,
uint8_t *const buf = sldns_buffer_begin(buffer);
uint8_t nonce[crypto_box_NONCEBYTES];
struct dnscrypt_query_header *query_header;
// shared secret cache
uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH];
struct lruhash_entry* entry;
uint32_t hash;
if (len <= DNSCRYPT_QUERY_HEADER_SIZE) {
return -1;
}
query_header = (struct dnscrypt_query_header *)buf;
memcpy(nmkey, query_header->publickey, crypto_box_PUBLICKEYBYTES);
if(cert->es_version[1] == 2) {
hash = dnsc_shared_secrets_cache_key(key,
cert->es_version[1],
query_header->publickey,
cert->keypair->crypt_secretkey);
entry = dnsc_shared_secrets_lookup(env->shared_secrets_cache,
key,
hash);
if(!entry) {
lock_basic_lock(&env->shared_secrets_cache_lock);
env->num_query_dnscrypt_secret_missed_cache++;
lock_basic_unlock(&env->shared_secrets_cache_lock);
if(cert->es_version[1] == 2) {
#ifdef USE_DNSCRYPT_XCHACHA20
if (crypto_box_curve25519xchacha20poly1305_beforenm(
nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
return -1;
}
if (crypto_box_curve25519xchacha20poly1305_beforenm(
nmkey, query_header->publickey,
cert->keypair->crypt_secretkey) != 0) {
return -1;
}
#else
return -1;
return -1;
#endif
} else {
if (crypto_box_beforenm(nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
if (crypto_box_beforenm(nmkey,
query_header->publickey,
cert->keypair->crypt_secretkey) != 0) {
return -1;
}
}
// Cache the shared secret we just computed.
dnsc_shared_secret_cache_insert(env->shared_secrets_cache,
key,
hash,
nmkey);
} else {
/* copy shared secret and unlock entry */
memcpy(nmkey, entry->data, crypto_box_BEFORENMBYTES);
lock_rw_unlock(&entry->lock);
}
memcpy(nonce, query_header->nonce, crypto_box_HALF_NONCEBYTES);
memset(nonce + crypto_box_HALF_NONCEBYTES, 0, crypto_box_HALF_NONCEBYTES);
@ -106,7 +236,7 @@ dnscrypt_server_uncurve(const dnsccert *cert,
len -= DNSCRYPT_QUERY_HEADER_SIZE;
while (*sldns_buffer_at(buffer, --len) == 0)
;
;
if (*sldns_buffer_at(buffer, len) != 0x80) {
return -1;
@ -172,7 +302,7 @@ dnscrypt_hrtime(void)
if (ret == 0) {
ts = (uint64_t)tv.tv_sec * 1000000U + (uint64_t)tv.tv_usec;
} else {
log_err("gettimeofday: %s", strerror(errno));
log_err("gettimeofday: %s", strerror(errno));
}
return ts;
}
@ -223,7 +353,8 @@ dnscrypt_server_curve(const dnsccert *cert,
size_t max_udp_size)
{
size_t dns_reply_len = sldns_buffer_limit(buffer);
size_t max_len = dns_reply_len + DNSCRYPT_MAX_PADDING + DNSCRYPT_REPLY_HEADER_SIZE;
size_t max_len = dns_reply_len + DNSCRYPT_MAX_PADDING \
+ DNSCRYPT_REPLY_HEADER_SIZE;
size_t max_reply_size = max_udp_size - 20U - 8U;
uint8_t nonce[crypto_box_NONCEBYTES];
uint8_t *boxed;
@ -268,8 +399,14 @@ dnscrypt_server_curve(const dnsccert *cert,
}
}
sldns_buffer_write_at(buffer, 0, DNSCRYPT_MAGIC_RESPONSE, DNSCRYPT_MAGIC_HEADER_LEN);
sldns_buffer_write_at(buffer, DNSCRYPT_MAGIC_HEADER_LEN, nonce, crypto_box_NONCEBYTES);
sldns_buffer_write_at(buffer,
0,
DNSCRYPT_MAGIC_RESPONSE,
DNSCRYPT_MAGIC_HEADER_LEN);
sldns_buffer_write_at(buffer,
DNSCRYPT_MAGIC_HEADER_LEN,
nonce,
crypto_box_NONCEBYTES);
sldns_buffer_set_limit(buffer, len + DNSCRYPT_REPLY_HEADER_SIZE);
return 0;
}
@ -284,17 +421,17 @@ dnscrypt_server_curve(const dnsccert *cert,
static int
dnsc_read_from_file(char *fname, char *buf, size_t count)
{
int fd;
fd = open(fname, O_RDONLY);
if (fd == -1) {
return -1;
}
if (read(fd, buf, count) != (ssize_t)count) {
close(fd);
return -2;
}
close(fd);
return 0;
int fd;
fd = open(fname, O_RDONLY);
if (fd == -1) {
return -1;
}
if (read(fd, buf, count) != (ssize_t)count) {
close(fd);
return -2;
}
close(fd);
return 0;
}
/**
@ -308,12 +445,12 @@ dnsc_read_from_file(char *fname, char *buf, size_t count)
static char *
dnsc_chroot_path(struct config_file *cfg, char *path)
{
char *nm;
nm = path;
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
nm += strlen(cfg->chrootdir);
return nm;
char *nm;
nm = path;
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
nm += strlen(cfg->chrootdir);
return nm;
}
/**
@ -379,7 +516,7 @@ dnsc_key_to_fingerprint(char fingerprint[80U], const uint8_t * const key)
/**
* Find the cert matching a DNSCrypt query.
* \param[in] dnscenv The DNSCrypt enviroment, which contains the list of certs
* \param[in] dnscenv The DNSCrypt environment, which contains the list of certs
* supported by the server.
* \param[in] buffer The encrypted DNS query.
* \return a dnsccert * if we found a cert matching the magic_number of the
@ -450,6 +587,7 @@ dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
snprintf(rr + strlen(rr), rrlen - 1 - strlen(rr), "\\%03d", c);
}
}
verbose(VERB_OPS, "DNSCrypt: adding local data to config: %s", rr);
snprintf(rr + strlen(rr), rrlen - 1 - strlen(rr), "\"");
cfg_strlist_insert(&cfg->local_data, strdup(rr));
free(rr);
@ -502,7 +640,7 @@ dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
env->keypairs = sodium_allocarray(env->keypairs_count,
sizeof *env->keypairs);
env->certs = sodium_allocarray(env->signed_certs_count,
env->certs = sodium_allocarray(env->signed_certs_count,
sizeof *env->certs);
cert_id = 0U;
@ -584,7 +722,8 @@ dnsc_handle_curved_request(struct dnsc_env* dnscenv,
// to serve the certificate.
verbose(VERB_ALGO, "handle request called on DNSCrypt socket");
if ((repinfo->dnsc_cert = dnsc_find_cert(dnscenv, c->buffer)) != NULL) {
if(dnscrypt_server_uncurve(repinfo->dnsc_cert,
if(dnscrypt_server_uncurve(dnscenv,
repinfo->dnsc_cert,
repinfo->client_nonce,
repinfo->nmkey,
c->buffer) != 0){
@ -629,23 +768,93 @@ dnsc_create(void)
fatal_exit("dnsc_create: could not initialize libsodium.");
}
env = (struct dnsc_env *) calloc(1, sizeof(struct dnsc_env));
lock_basic_init(&env->shared_secrets_cache_lock);
lock_protect(&env->shared_secrets_cache_lock,
&env->num_query_dnscrypt_secret_missed_cache,
sizeof(env->num_query_dnscrypt_secret_missed_cache));
return env;
}
int
dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg)
{
if(dnsc_parse_certs(env, cfg) <= 0) {
fatal_exit("dnsc_apply_cfg: no cert file loaded");
}
if(dnsc_parse_keys(env, cfg) <= 0) {
fatal_exit("dnsc_apply_cfg: no key file loaded");
}
randombytes_buf(env->hash_key, sizeof env->hash_key);
env->provider_name = cfg->dnscrypt_provider;
if(dnsc_parse_certs(env, cfg) <= 0) {
fatal_exit("dnsc_apply_cfg: no cert file loaded");
}
if(dnsc_parse_keys(env, cfg) <= 0) {
fatal_exit("dnsc_apply_cfg: no key file loaded");
}
randombytes_buf(env->hash_key, sizeof env->hash_key);
env->provider_name = cfg->dnscrypt_provider;
if(dnsc_load_local_data(env, cfg) <= 0) {
fatal_exit("dnsc_apply_cfg: could not load local data");
}
return 0;
if(dnsc_load_local_data(env, cfg) <= 0) {
fatal_exit("dnsc_apply_cfg: could not load local data");
}
env->shared_secrets_cache = slabhash_create(
cfg->dnscrypt_shared_secret_cache_slabs,
HASH_DEFAULT_STARTARRAY,
cfg->dnscrypt_shared_secret_cache_size,
dnsc_shared_secrets_sizefunc,
dnsc_shared_secrets_compfunc,
dnsc_shared_secrets_delkeyfunc,
dnsc_shared_secrets_deldatafunc,
NULL
);
if(!env->shared_secrets_cache){
fatal_exit("dnsc_apply_cfg: could not create shared secrets cache.");
}
return 0;
}
void
dnsc_delete(struct dnsc_env *env)
{
if(!env) {
return;
}
verbose(VERB_OPS, "DNSCrypt: Freeing environment.");
sodium_free(env->signed_certs);
sodium_free(env->certs);
sodium_free(env->keypairs);
slabhash_delete(env->shared_secrets_cache);
lock_basic_destroy(&env->shared_secrets_cache_lock);
free(env);
}
/**
* #########################################################
* ############# Shared secrets cache functions ############
* #########################################################
*/
size_t
dnsc_shared_secrets_sizefunc(void *k, void* ATTR_UNUSED(d))
{
struct shared_secret_cache_key* ssk = (struct shared_secret_cache_key*)k;
size_t key_size = sizeof(struct shared_secret_cache_key)
+ lock_get_mem(&ssk->entry.lock);
size_t data_size = crypto_box_BEFORENMBYTES;
(void)ssk; /* otherwise ssk is unused if no threading, or fixed locksize */
return key_size + data_size;
}
int
dnsc_shared_secrets_compfunc(void *m1, void *m2)
{
return sodium_memcmp(m1, m2, DNSCRYPT_SHARED_SECRET_KEY_LENGTH);
}
void
dnsc_shared_secrets_delkeyfunc(void *k, void* ATTR_UNUSED(arg))
{
struct shared_secret_cache_key* ssk = (struct shared_secret_cache_key*)k;
lock_rw_destroy(&ssk->entry.lock);
free(ssk);
}
void
dnsc_shared_secrets_deldatafunc(void* d, void* ATTR_UNUSED(arg))
{
uint8_t* data = (uint8_t*)d;
free(data);
}

38
dnscrypt/dnscrypt.h

@ -26,6 +26,7 @@
#include "config.h"
#include "dnscrypt/cert.h"
#include "util/locks.h"
#define DNSCRYPT_QUERY_HEADER_SIZE \
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + crypto_box_HALF_NONCEBYTES + crypto_box_MACBYTES)
@ -38,6 +39,7 @@
struct sldns_buffer;
struct config_file;
struct comm_reply;
struct slabhash;
typedef struct KeyPair_ {
uint8_t crypt_publickey[crypto_box_PUBLICKEYBYTES];
@ -52,7 +54,7 @@ typedef struct cert_ {
struct dnsc_env {
struct SignedCert *signed_certs;
dnsccert *certs;
dnsccert *certs;
size_t signed_certs_count;
uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
@ -61,6 +63,11 @@ struct dnsc_env {
uint64_t nonce_ts_last;
unsigned char hash_key[crypto_shorthash_KEYBYTES];
char * provider_name;
struct slabhash *shared_secrets_cache;
/** lock on shared secret cache counters */
lock_basic_type shared_secrets_cache_lock;
/** number of misses from shared_secrets_cache */
size_t num_query_dnscrypt_secret_missed_cache;
};
struct dnscrypt_query_header {
@ -71,7 +78,7 @@ struct dnscrypt_query_header {
};
/**
* Initialize DNSCrypt enviroment.
* Initialize DNSCrypt environment.
* Initialize sodium library and allocate the dnsc_env structure.
* \return an uninitialized struct dnsc_env.
*/
@ -88,6 +95,12 @@ struct dnsc_env * dnsc_create(void);
*/
int dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg);
/**
* Delete DNSCrypt environment
*
*/
void dnsc_delete(struct dnsc_env *env);
/**
* handle a crypted dnscrypt request.
* Determine wether or not a query is coming over the dnscrypt listener and
@ -105,5 +118,26 @@ int dnsc_handle_curved_request(struct dnsc_env* dnscenv,
*/
int dnsc_handle_uncurved_request(struct comm_reply *repinfo);
/**
* Computes the size of the shared secret cache entry.
*/
size_t dnsc_shared_secrets_sizefunc(void *k, void *d);
/**
* Compares two shared secret cache keys.
*/
int dnsc_shared_secrets_compfunc(void *m1, void *m2);
/**
* Function to delete a shared secret cache key.
*/
void dnsc_shared_secrets_delkeyfunc(void *k, void* arg);
/**
* Function to delete a share secret cache value.
*/
void dnsc_shared_secrets_deldatafunc(void* d, void* arg);
#endif /* USE_DNSCRYPT */
#endif

38
dnscrypt/testdata/gencert.sh vendored Executable file

@ -0,0 +1,38 @@
#!/bin/bash
CERT_EXPIRE_DAYS="$(( 365 * 15 ))"
DIR="$(dirname "$0")"
if [[ "$PWD" != *tdir ]]
then
echo "You should run this script with a .tdir directory"
exit 1
fi
for i in 1 2
do
# Ephemeral key
rm -f "${i}.key"
dnscrypt-wrapper --gen-crypt-keypair \
--crypt-secretkey-file="${i}.key" \
--provider-publickey-file="${DIR}/keys${i}/public.key" \
--provider-secretkey-file="${DIR}/keys${i}/secret.key"
# Cert file
for cipher in salsa chacha
do
rm -f "${i}_${cipher}.cert"
extraarg=""
if [ "${cipher}" == "chacha" ]
then
extraarg="-x"
fi
dnscrypt-wrapper ${extraarg} --gen-cert-file \
--provider-cert-file="${i}_${cipher}.cert" \
--crypt-secretkey-file="${i}.key" \
--provider-publickey-file="${DIR}/keys${i}/public.key" \
--provider-secretkey-file="${DIR}/keys${i}/secret.key" \
--cert-file-expire-days="${CERT_EXPIRE_DAYS}"
done
done

1
dnscrypt/testdata/keys1/public.key vendored Normal file

@ -0,0 +1 @@
¸_A¡O#÷ÛÈfó—ÌoD¶_<C2B6>eŶ)|'T¦éÜòO<C3B2>

1
dnscrypt/testdata/keys1/secret.key vendored Normal file

@ -0,0 +1 @@
-6\Uùõñh`^"…ºz/C9 óˆ¸_A¡O#÷ÛÈfó—ÌoD¶_<C2B6>eŶ)|'T¦éÜòO<C3B2>

1
dnscrypt/testdata/keys2/public.key vendored Normal file

@ -0,0 +1 @@
ΓR ς<>ύeµτ{φl<1A>ΑKΛ€Ξ:5r\±}KΣηƒ

1
dnscrypt/testdata/keys2/secret.key vendored Normal file

@ -0,0 +1 @@
ηi% 5 fΝν Ιϋ<CE99>ν BnκΝ―.ΊΓR ς<>ύeµτ{φl<1A>ΑKΛ€Ξ:5r\±}KΣηƒ

150
doc/Changelog

@ -1,8 +1,150 @@
21 Aug 2017: Wouter
13 September 2017: Wouter
- tag 1.6.6rc2
12 September 2017: Wouter
- Add dns64 for client-subnet in unbound-checkconf.
4 September 2017: Ralph
- Fix #1412: QNAME minimisation strict mode not honored
- Fix #1434: Fix windows openssl 1.1.0 linking.
4 September 2017: Wouter
- tag 1.6.6rc1
- makedist fix for windows binaries, with openssl 1.1.0 windres fix,
and expat 2.2.4 install target fix.
1 September 2017: Wouter
- Recommend 1472 buffer size in unbound.conf
31 August 2017: Wouter
- Fix #1424: cachedb:testframe is not thread safe.
- For #1417: escape ; in dnscrypt tests.
- but reverted that, tests fails with that escape.
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
dnscrypt is not enabled. And cache size configuration option.
- make depend
- Fix #1418: [ip ratelimit] initialize slabhash using
ip-ratelimit-slabs.
30 August 2017: Wouter
- updated contrib/fastrpz.patch to apply with configparser changes.
- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
29 August 2017: Wouter
- Fix #1414: fix segfault on parse failure and log_replies.
- zero qinfo in handle_request, this zeroes local_alias and also the
qname member.
- new keys and certs for dnscrypt tests.
- fixup WKS test on buildhost without servicebyname.
28 August 2017: Wouter
- Fix #1415: patch to free dnscrypt environment on reload.
- iana portlist update
- Fix #1415: [dnscrypt] shared secret cache, patch from
Manu Bretelle.
- Small fixes for the shared secret cache patch.
- Fix WKS records on kvm autobuild host, with default protobyname
entries for udp and tcp.
23 August 2017: Wouter
- Fix #1407: Add ECS options check to unbound-checkconf.
- make depend
- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
allocation failure.
22 August 2017: Wouter
- Fix install of trust anchor when two anchors are present, makes both
valid. Checks hash of DS but not signature of new key. This fixes
installs between sep11 and oct11 2017.
- Tag 1.6.5
valid. Checks hash of DS but not signature of new key. This fixes
the root.key file if created when unbound is installed between
sep11 and oct11 2017.
- tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
- trunk version 1.6.6 in development.
- Fix issue on macOX 10.10 where TCP fast open is detected but not
implemented causing TCP to fail. The fix allows fallback to regular
TCP in this case and is also more robust for cases where connectx()
fails for some reason.
- Fix #1402: squelch invalid argument error for fd_set_block on windows.
10 August 2017: Wouter
- Patch to show DNSCrypt status in help output, from Carsten
Strotmann.
8 August 2017: Wouter
- Fix #1398: make cachedb secret configurable.
- Remove spaces from Makefile.
7 August 2017: Wouter
- Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
3 August 2017: Ralph
- Remove unused iter_env member (ip6arpa_dname)
- Do not reset rrset.bogus stats when called using stats_noreset.
- Added stats for queries that have been ratelimited by domain
recursion.
- Do not add rrset_bogus and query ratelimiting stats per thread, these
module stats are global.
3 August 2017: Wouter
- Fix #1394: mix of serve-expired and response-ip could cause a crash.
24 July 2017: Wouter
- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
config.sub(2016-09-05).
- annotate case statement fallthrough for gcc 7.1.1.
- flex output from flex 2.6.1.
- snprintf of thread number does not warn about truncated string.
- squelch TCP fast open error on FreeBSD when kernel has it disabled,
unless verbosity is high.
- remove warning from windows compile.
- Fix compile with libnettle
- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
- Fix #1365: Add Ed25519 support using libnettle.
- iana portlist update
17 July 2017: Wouter
- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
With the -p option unbound does not create a pidfile.
11 July 2017: Wouter
- Fix #1344: RFC6761-reserved domains: test. and invalid.
- Redirect all localhost names to localhost address for RFC6761.
6 July 2017: Wouter
- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
- Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..
4 July 2017: Wouter
- Fix 1332: Bump verbosity of failed chown'ing of the control socket.
3 July 2017: Wouter
- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
on.
- Fix #1331: libunbound segfault in threaded mode when context is
deleted.
- Fix pythonmod link line option flag.
- Fix openssl 1.1.0 load of ssl error strings from ssl init.
29 June 2017: Wouter
- Fix python example0 return module wait instead of error for pass.
- iana portlist update
- enhancement for hardened-tls for DNS over TLS. Removed duplicated
security settings.
27 June 2017: Wouter
- Tag 1.6.4 is created with the 1.6.4rc2 contents.
- Trunk contains 1.6.5, with changes from 26, 27 june.
- Remove signed unsigned warning from authzone.
- Fix that infra cache host hash does not change after reconfig.
26 June 2017: Wouter
- (for 1.6.5)
Better fixup of dnscrypt_cert_chacha test for different escapes.
- First fix for zero b64 and hex text zone format in sldns.
- unbound-control dump_infra prints port number for address if not 53.
23 June 2017: Wouter
- (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
22 June 2017: Wouter
- Tag 1.6.4rc2

2
doc/README

@ -1,4 +1,4 @@
README for Unbound 1.6.5
README for Unbound 1.6.6
Copyright 2007 NLnet Labs
http://unbound.net

16
doc/example.conf.in

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.6.5.
# See unbound.conf(5) man page, version 1.6.6.
#
# this is a comment.
@ -116,7 +116,7 @@ server:
# ip-freebind: no
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
# edns-buffer-size: 4096
# Maximum UDP response size (not applied to TCP response).
@ -563,6 +563,8 @@ server:
# local-zone: "127.in-addr.arpa." nodefault
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
# local-zone: "onion." nodefault
# local-zone: "test." nodefault
# local-zone: "invalid." nodefault
# local-zone: "10.in-addr.arpa." nodefault
# local-zone: "16.172.in-addr.arpa." nodefault
# local-zone: "17.172.in-addr.arpa." nodefault
@ -838,3 +840,13 @@ remote-control:
# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
# CacheDB
# Enable external backend DB as auxiliary cache. Specify the backend name
# (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be
# included in module-config.
# cachedb:
# backend: "testframe"
# # secret seed string to calculate hashed keys
# secret-seed: "default"

4
doc/libunbound.3.in

@ -1,4 +1,4 @@
.TH "libunbound" "3" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5"
.TH "libunbound" "3" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.6.5 functions.
\- Unbound DNS validating resolver 1.6.6 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP

2
doc/unbound-anchor.8.in

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5"
.TH "unbound-anchor" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"

2
doc/unbound-checkconf.8.in

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5"
.TH "unbound-checkconf" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"

6
doc/unbound-control.8.in

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5"
.TH "unbound-control" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -493,6 +493,10 @@ number of queries that had an EDNS OPT record present.
number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit set.
These queries are also included in the num.query.edns.present number.
.TP
.I num.query.ratelimited
The number of queries that are turned away from being send to nameserver due to
ratelimiting.
.TP
.I num.answer.rcode.NXDOMAIN
The number of answers to queries, from cache or from recursion, that had the
return code NXDOMAIN. Also printed for the other return codes.

2
doc/unbound-host.1.in

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5"
.TH "unbound\-host" "1" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"

10
doc/unbound.8.in

@ -1,4 +1,4 @@
.TH "unbound" "8" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5"
.TH "unbound" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,11 +9,12 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.6.5.
\- Unbound DNS validating resolver 1.6.6.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
.RB [ \-d ]
.RB [ \-p ]
.RB [ \-v ]
.RB [ \-c
.IR cfgfile ]
@ -67,6 +68,11 @@ the thread\-spawn time, so that most config and setup errors appear on
stderr. If given twice or more, logging does not switch to the log file
or to syslog, but the log messages are printed to stderr all the time.
.TP
.B \-p
Don't use a pidfile. This argument should only be used by supervision
systems which can ensure that only one instance of unbound will run
concurrently.
.TP
.B \-v
Increase verbosity. If given multiple times, more information is logged.
This is in addition to the verbosity (if any) from the config file.

82
doc/unbound.conf.5.in

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5"
.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -197,7 +197,7 @@ This is the value put into datagrams over UDP towards peers. The actual
buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
not set higher than that value. Default is 4096 which is RFC recommended.
If you have fragmentation reassembly problems, usually seen as timeouts,
then a value of 1480 can fix it. Setting to 512 bypasses even the most
then a value of 1472 can fix it. Setting to 512 bypasses even the most
stringent path MTU problems, but is seen as extreme, since the amount
of TCP fallback generated is excessive (probably also for this resolver,
consider tuning the outgoing tcp number).
@ -1048,19 +1048,19 @@ has no other effect than turning off default contents for the
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
use a subzone, use \fItransparent\fR.
.P
The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and
the AS112 zones. The AS112 zones are reverse DNS zones for private use and
reserved IP addresses for which the servers on the internet cannot provide
correct answers. They are configured by default to give nxdomain (no reverse
information) answers. The defaults can be turned off by specifying your
own local\-zone of that name, or using the 'nodefault' type. Below is a
list of the default zone contents.
The default zones are localhost, reverse 127.0.0.1 and ::1, the onion, test,
invalid and the AS112 zones. The AS112 zones are reverse DNS zones for
private use and reserved IP addresses for which the servers on the internet
cannot provide correct answers. They are configured by default to give
nxdomain (no reverse information) answers. The defaults can be turned off
by specifying your own local\-zone of that name, or using the 'nodefault'
type. Below is a list of the default zone contents.
.TP 10
\h'5'\fIlocalhost\fR
The IP4 and IP6 localhost information is given. NS and SOA records are provided
for completeness and to satisfy some DNS update tools. Default content:
.nf
local\-zone: "localhost." static
local\-zone: "localhost." redirect
local\-data: "localhost. 10800 IN NS localhost."
local\-data: "localhost. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
@ -1104,6 +1104,24 @@ local\-data: "onion. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
\h'5'\fItest (RFC 7686)\fR
Default content:
.nf
local\-zone: "test." static
local\-data: "test. 10800 IN NS localhost."
local\-data: "test. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
\h'5'\fIinvalid (RFC 7686)\fR
Default content:
.nf
local\-zone: "invalid." static
local\-data: "invalid. 10800 IN NS localhost."
local\-data: "invalid. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
\h'5'\fIreverse RFC1918 local use zones\fR
Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
@ -1461,7 +1479,7 @@ despite the presence of actual AAAA records.
.LP
The
.B dnscrypt:
clause give the settings of the dnscrypt channel. While those options are
clause gives the settings of the dnscrypt channel. While those options are
available, they are only meaningful if unbound was compiled with
\fB\-\-enable\-dnscrypt\fR.
Currently certificate and secret/public keys cannot be generated by unbound.
@ -1489,6 +1507,17 @@ times.
.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
This option may be specified multiple times.
.TP
.B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
Give the size of the data structure in which the shared secret keys are kept
in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
The shared secret cache is used when a same client is making multiple queries
using the same public key. It saves a substantial amount of CPU.
.TP
.B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
Give power of 2 number of slabs, this is used to reduce lock contention
in the dnscrypt shared secrets cache. Close to the number of cpus is
a fairly good setting.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
@ -1603,6 +1632,37 @@ A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
Whitelist the domain so that the module logic will be executed. Can
be given multiple times, for different domains. If the option is not
specified, all domains are treated as being whitelisted (default).
.SS "Cache DB Module Options"
.LP
The Cache DB module must be configured in the \fBmodule\-config:\fR
"validator cachedb iterator" directive and be compiled into the daemon
with \fB\-\-enable\-cachedb\fR.
If this module is enabled and configured, the specified backend database
works as a second level cache:
When Unbound cannot find an answer to a query in its built-in in-memory
cache, it consults the specified backend.
If it finds a valid answer in the backend, Unbound uses it to respond
to the query without performing iterative DNS resolution.
If Unbound cannot even find an answer in the backend, it resolves the
query as usual, and stores the answer in the backend.
The
.B cachedb:
clause gives custom settings of the cache DB module.
.TP
.B backend: \fI<backend name>\fR
Specify the backend database name.
Currently, only the in-memory "testframe" backend is supported.
As the name suggests this backend is not of any practical use.
This option defaults to "testframe".
.TP
.B secret-seed: \fI<"secret string">\fR
Specify a seed to calculate a hash value from query information.
This value will be used as the key of the corresponding answer for the
backend database and can be customized if the hash should not be predictable
operationally.
If the backend database is shared by multiple Unbound instances,
all instances must use the same secret seed.
This option defaults to "default".
.SH "MEMORY CONTROL EXAMPLE"
In the example config settings below memory usage is reduced. Some service
levels are lower, notable very large data and a high TCP load are no longer

20
iterator/iterator.c

@ -78,6 +78,12 @@ iter_init(struct module_env* env, int id)
return 0;
}
env->modinfo[id] = (void*)iter_env;
lock_basic_init(&iter_env->queries_ratelimit_lock);
lock_protect(&iter_env->queries_ratelimit_lock,
&iter_env->num_queries_ratelimited,
sizeof(iter_env->num_queries_ratelimited));
if(!iter_apply_cfg(iter_env, env->cfg)) {
log_err("iterator: could not apply configuration settings.");
return 0;
@ -103,6 +109,7 @@ iter_deinit(struct module_env* env, int id)
if(!env || !env->modinfo[id])
return;
iter_env = (struct iter_env*)env->modinfo[id];
lock_basic_destroy(&iter_env->queries_ratelimit_lock);
free(iter_env->target_fetch_policy);
priv_delete(iter_env->priv);
donotq_delete(iter_env->donotq);
@ -1276,6 +1283,9 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
"delegation point", iq->dp->name,
LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN);
} else {
lock_basic_lock(&ie->queries_ratelimit_lock);
ie->num_queries_ratelimited++;
lock_basic_unlock(&ie->queries_ratelimit_lock);
log_nametypeclass(VERB_ALGO, "ratelimit exceeded with "
"delegation point", iq->dp->name,
LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN);
@ -2064,6 +2074,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) {
if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name,
iq->dp->namelen, *qstate->env->now)) {
lock_basic_lock(&ie->queries_ratelimit_lock);
ie->num_queries_ratelimited++;
lock_basic_unlock(&ie->queries_ratelimit_lock);
verbose(VERB_ALGO, "query exceeded ratelimits");
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
@ -2156,7 +2169,6 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
}
if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
iq->minimise_timeout_count++;
if(iq->minimise_timeout_count < MAX_MINIMISE_TIMEOUT_COUNT)
/* Do not increment qname, continue incrementing next
* iteration */
@ -2197,6 +2209,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok)
infra_ratelimit_dec(qstate->env->infra_cache, iq->dp->name,
iq->dp->namelen, *qstate->env->now);
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = SKIP_MINIMISE_STATE;
return next_state(iq, QUERYTARGETS_STATE);
}
outbound_list_insert(&iq->outlist, outq);
@ -2246,8 +2260,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
if(iq->response == NULL) {
/* Don't increment qname when QNAME minimisation is enabled */
if(qstate->env->cfg->qname_minimisation)
if(qstate->env->cfg->qname_minimisation) {
iq->minimise_timeout_count++;
iq->minimisation_state = SKIP_MINIMISE_STATE;
}
iq->chase_to_rd = 0;
iq->dnssec_lame_query = 0;
verbose(VERB_ALGO, "query response was timeout");

6
iterator/iterator.h

@ -130,8 +130,10 @@ struct iter_env {
*/
int* target_fetch_policy;
/** ip6.arpa dname in wireformat, used for qname-minimisation */
uint8_t* ip6arpa_dname;
/** lock on ratelimit counter */
lock_basic_type queries_ratelimit_lock;
/** number of queries that have been ratelimited */
size_t num_queries_ratelimited;
};
/**

3
libunbound/libworker.c

@ -294,6 +294,7 @@ libworker_do_cmd(struct libworker* w, uint8_t* msg, uint32_t len)
log_err("unknown command for bg worker %d",
(int)context_serial_getcmd(msg, len));
/* and fall through to quit */
/* fallthrough */
case UB_LIBCMD_QUIT:
free(msg);
comm_base_exit(w->base);
@ -749,7 +750,7 @@ libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
{
struct ctx_query* q = (struct ctx_query*)arg;
if(q->cancelled) {
if(q->cancelled || q->w->back->want_to_quit) {
if(q->w->is_bg_thread) {
/* delete it now */
struct ub_ctx* ctx = q->w->ctx;

7
libunbound/unbound.h

@ -622,6 +622,7 @@ struct ub_shm_stat_info {
long long subnet;
long long ipsecmod;
long long respip;
long long dnscrypt_shared_secret;
} mem;
};
@ -704,6 +705,8 @@ struct ub_server_stats {
long long ans_bogus;
/** rrsets marked bogus by validator */
long long rrset_bogus;
/** number of queries that have been ratelimited by domain recursion. */
long long queries_ratelimited;
/** unwanted traffic received on server-facing ports */
long long unwanted_replies;
/** unwanted traffic received on client-facing ports */
@ -735,6 +738,10 @@ struct ub_server_stats {
long long num_query_dnscrypt_cleartext;
/** number of malformed encrypted queries */
long long num_query_dnscrypt_crypted_malformed;
/** number of queries which did not have a shared secret in cache */
long long num_query_dnscrypt_secret_missed_cache;
/** number of dnscrypt shared secret cache entries */
long long shared_secret_cache_count;
};
/**

2
pythonmod/doc/examples/example0-1.py

@ -24,7 +24,7 @@ def operate(id, event, qstate, qdata):
if event == MODULE_EVENT_PASS:
log_info("pythonmod: event_pass")
qstate.ext_state[id] = MODULE_ERROR
qstate.ext_state[id] = MODULE_WAIT_MODULE
return True
log_err("pythonmod: BAD event")

2
pythonmod/doc/examples/example0.rst

@ -109,7 +109,7 @@ Script file must contain four compulsory functions:
return True
if event == MODULE_EVENT_PASS:
qstate.ext_state[id] = MODULE_ERROR
qstate.ext_state[id] = MODULE_WAIT_MODULE
return True
log_err("pythonmod: BAD event")

2
services/authzone.c

@ -628,7 +628,7 @@ rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata,
d->rr_len[d->count-1] = rdatalen;
else d->rr_len[total-1] = rdatalen;
packed_rrset_ptr_fixup(d);
if(rr_ttl < d->ttl)
if((time_t)rr_ttl < d->ttl)
d->ttl = rr_ttl;
/* copy old values into new array */

3
services/cache/dns.c vendored

@ -99,6 +99,9 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
}
}
/* no break: also copy key item */
/* the line below is matched by gcc regex and silences
* the fallthrough warning */
/* fallthrough */
case 1: /* ref updated, item inserted */
rep->rrsets[i] = rep->ref[i].key;
}

2
services/cache/infra.c vendored

@ -249,7 +249,7 @@ infra_create(struct config_file* cfg)
name_tree_init_parents(&infra->domain_limits);
}
infra_ip_ratelimit = cfg->ip_ratelimit;
infra->client_ip_rates = slabhash_create(cfg->ratelimit_slabs,
infra->client_ip_rates = slabhash_create(cfg->ip_ratelimit_slabs,
INFRA_HOST_STARTSIZE, cfg->ip_ratelimit_size, &ip_rate_sizefunc,
&ip_rate_compfunc, &ip_rate_delkeyfunc, &ip_rate_deldatafunc, NULL);
if(!infra->client_ip_rates) {

7
services/listen_dnsport.c

@ -792,7 +792,12 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
#endif
if ((setsockopt(s, IPPROTO_TCP, TCP_FASTOPEN, &qlen,
sizeof(qlen))) == -1 ) {
log_err("Setting TCP Fast Open as server failed: %s", strerror(errno));
#ifdef ENOPROTOOPT
/* squelch ENOPROTOOPT: freebsd server mode with kernel support
disabled, except when verbosity enabled for debugging */
if(errno != ENOPROTOOPT || verbosity >= 3)
#endif
log_err("Setting TCP Fast Open as server failed: %s", strerror(errno));
}
#endif
return s;

111
services/localzone.c

@ -260,7 +260,8 @@ rrstr_get_rr_content(const char* str, uint8_t** nm, uint16_t* type,
/** return name and class of rr; parses string */
static int
get_rr_nameclass(const char* str, uint8_t** nm, uint16_t* dclass)
get_rr_nameclass(const char* str, uint8_t** nm, uint16_t* dclass,
uint16_t* dtype)
{
uint8_t rr[LDNS_RR_BUF_SIZE];
size_t len = sizeof(rr), dname_len = 0;
@ -274,6 +275,7 @@ get_rr_nameclass(const char* str, uint8_t** nm, uint16_t* dclass)
}
*nm = memdup(rr, dname_len);
*dclass = sldns_wirerr_get_class(rr, len, dname_len);
*dtype = sldns_wirerr_get_type(rr, len, dname_len);
if(!*nm) {
log_err("out of memory");
return 0;
@ -522,18 +524,18 @@ static int
lz_enter_rr_str(struct local_zones* zones, const char* rr)
{
uint8_t* rr_name;
uint16_t rr_class;
uint16_t rr_class, rr_type;
size_t len;
int labs;
struct local_zone* z;
int r;
if(!get_rr_nameclass(rr, &rr_name, &rr_class)) {
if(!get_rr_nameclass(rr, &rr_name, &rr_class, &rr_type)) {
log_err("bad rr %s", rr);
return 0;
}
labs = dname_count_size_labels(rr_name, &len);
lock_rw_rdlock(&zones->lock);
z = local_zones_lookup(zones, rr_name, len, labs, rr_class);
z = local_zones_lookup(zones, rr_name, len, labs, rr_class, rr_type);
if(!z) {
lock_rw_unlock(&zones->lock);
fatal_exit("internal error: no zone for rr %s", rr);
@ -719,9 +721,9 @@ lz_nodefault(struct config_file* cfg, const char* name)
return 0;
}
/** enter AS112 default zone */
/** enter (AS112) empty default zone */
static int
add_as112_default(struct local_zones* zones, struct config_file* cfg,
add_empty_default(struct local_zones* zones, struct config_file* cfg,
const char* name)
{
struct local_zone* z;
@ -762,7 +764,7 @@ int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg
/* localhost. zone */
if(!lz_exists(zones, "localhost.") &&
!lz_nodefault(cfg, "localhost.")) {
if(!(z=lz_enter_zone(zones, "localhost.", "static",
if(!(z=lz_enter_zone(zones, "localhost.", "redirect",
LDNS_RR_CLASS_IN)) ||
!lz_enter_rr_into_zone(z,
"localhost. 10800 IN NS localhost.") ||
@ -816,26 +818,24 @@ int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg
lock_rw_unlock(&z->lock);
}
/* onion. zone (RFC 7686) */
if(!lz_exists(zones, "onion.") &&
!lz_nodefault(cfg, "onion.")) {
if(!(z=lz_enter_zone(zones, "onion.", "static",
LDNS_RR_CLASS_IN)) ||
!lz_enter_rr_into_zone(z,
"onion. 10800 IN NS localhost.") ||
!lz_enter_rr_into_zone(z,
"onion. 10800 IN SOA localhost. nobody.invalid. "
"1 3600 1200 604800 10800")) {
log_err("out of memory adding default zone");
if(z) { lock_rw_unlock(&z->lock); }
return 0;
}
lock_rw_unlock(&z->lock);
if(!add_empty_default(zones, cfg, "onion.")) {
log_err("out of memory adding default zone");
return 0;
}
/* test. zone (RFC 7686) */
if(!add_empty_default(zones, cfg, "test.")) {
log_err("out of memory adding default zone");
return 0;
}
/* invalid. zone (RFC 7686) */
if(!add_empty_default(zones, cfg, "invalid.")) {
log_err("out of memory adding default zone");
return 0;
}
/* block AS112 zones, unless asked not to */
if(!cfg->unblock_lan_zones) {
for(zstr = as112_zones; *zstr; zstr++) {
if(!add_as112_default(zones, cfg, *zstr)) {
if(!add_empty_default(zones, cfg, *zstr)) {
log_err("out of memory adding default zone");
return 0;
}
@ -913,16 +913,17 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
init_parents(zones); /* to enable local_zones_lookup() */
for(p = cfg->local_data; p; p = p->next) {
uint8_t* rr_name;
uint16_t rr_class;
uint16_t rr_class, rr_type;
size_t len;
int labs;
if(!get_rr_nameclass(p->str, &rr_name, &rr_class)) {
if(!get_rr_nameclass(p->str, &rr_name, &rr_class, &rr_type)) {
log_err("Bad local-data RR %s", p->str);
return 0;
}
labs = dname_count_size_labels(rr_name, &len);
lock_rw_rdlock(&zones->lock);
if(!local_zones_lookup(zones, rr_name, len, labs, rr_class)) {
if(!local_zones_lookup(zones, rr_name, len, labs, rr_class,
rr_type)) {
if(!have_name) {
dclass = rr_class;
nm = rr_name;
@ -1053,21 +1054,26 @@ local_zones_apply_cfg(struct local_zones* zones, struct config_file* cfg)
struct local_zone*
local_zones_lookup(struct local_zones* zones,
uint8_t* name, size_t len, int labs, uint16_t dclass)
uint8_t* name, size_t len, int labs, uint16_t dclass, uint16_t dtype)
{
return local_zones_tags_lookup(zones, name, len, labs,
dclass, NULL, 0, 1);
dclass, dtype, NULL, 0, 1);
}
struct local_zone*
local_zones_tags_lookup(struct local_zones* zones,
uint8_t* name, size_t len, int labs, uint16_t dclass,
uint8_t* name, size_t len, int labs, uint16_t dclass, uint16_t dtype,
uint8_t* taglist, size_t taglen, int ignoretags)
{
rbnode_type* res = NULL;
struct local_zone *result;
struct local_zone key;
int m;
/* for type DS use a zone higher when on a zonecut */
if(dtype == LDNS_RR_TYPE_DS && !dname_is_root(name)) {
dname_remove_label(&name, &len);
labs--;
}
key.node.key = &key;
key.dclass = dclass;
key.name = name;
@ -1583,7 +1589,7 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
if(view->local_zones &&
(z = local_zones_lookup(view->local_zones,
qinfo->qname, qinfo->qname_len, labs,
qinfo->qclass))) {
qinfo->qclass, qinfo->qtype))) {
verbose(VERB_ALGO,
"using localzone from view: %s",
view->name);
@ -1600,8 +1606,8 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
/* try global local_zones tree */
lock_rw_rdlock(&zones->lock);
if(!(z = local_zones_tags_lookup(zones, qinfo->qname,
qinfo->qname_len, labs, qinfo->qclass, taglist,
taglen, 0))) {
qinfo->qname_len, labs, qinfo->qclass, qinfo->qtype,
taglist, taglen, 0))) {
lock_rw_unlock(&zones->lock);
return 0;
}
@ -1756,19 +1762,19 @@ int
local_zones_add_RR(struct local_zones* zones, const char* rr)
{
uint8_t* rr_name;
uint16_t rr_class;
uint16_t rr_class, rr_type;
size_t len;
int labs;
struct local_zone* z;
int r;
if(!get_rr_nameclass(rr, &rr_name, &rr_class)) {
if(!get_rr_nameclass(rr, &rr_name, &rr_class, &rr_type)) {
return 0;
}
labs = dname_count_size_labels(rr_name, &len);
/* could first try readlock then get writelock if zone does not exist,
* but we do not add enough RRs (from multiple threads) to optimize */
lock_rw_wrlock(&zones->lock);
z = local_zones_lookup(zones, rr_name, len, labs, rr_class);
z = local_zones_lookup(zones, rr_name, len, labs, rr_class, rr_type);
if(!z) {
z = local_zones_add_zone(zones, rr_name, len, labs, rr_class,
local_zone_transparent);
@ -1820,14 +1826,47 @@ del_empty_term(struct local_zone* z, struct local_data* d,
}
}
/** find and remove type from list in domain struct */
static void
del_local_rrset(struct local_data* d, uint16_t dtype)
{
struct local_rrset* prev=NULL, *p=d->rrsets;
while(p && ntohs(p->rrset->rk.type) != dtype) {
prev = p;
p = p->next;
}
if(!p)
return; /* rrset type not found */
/* unlink it */
if(prev) prev->next = p->next;
else d->rrsets = p->next;
/* no memory recycling for zone deletions ... */
}
void local_zones_del_data(struct local_zones* zones,
uint8_t* name, size_t len, int labs, uint16_t dclass)
{
/* find zone */
struct local_zone* z;
struct local_data* d;
/* remove DS */
lock_rw_rdlock(&zones->lock);
z = local_zones_lookup(zones, name, len, labs, dclass);
z = local_zones_lookup(zones, name, len, labs, dclass, LDNS_RR_TYPE_DS);
if(z) {
lock_rw_wrlock(&z->lock);
d = lz_find_node(z, name, len, labs);
if(d) {
del_local_rrset(d, LDNS_RR_TYPE_DS);
del_empty_term(z, d, name, len, labs);
}
lock_rw_unlock(&z->lock);
}
lock_rw_unlock(&zones->lock);
/* remove other types */
lock_rw_rdlock(&zones->lock);
z = local_zones_lookup(zones, name, len, labs, dclass, 0);
if(!z) {
/* no such zone, we're done */
lock_rw_unlock(&zones->lock);

7
services/localzone.h

@ -235,6 +235,7 @@ void local_zone_delete(struct local_zone* z);
* @param len: length of name.
* @param labs: labelcount of name.
* @param dclass: class to lookup.
* @param dtype: type to lookup, if type DS a zone higher is used for zonecuts.
* @param taglist: taglist to lookup.
* @param taglen: lenth of taglist.
* @param ignoretags: lookup zone by name and class, regardless the
@ -242,7 +243,7 @@ void local_zone_delete(struct local_zone* z);
* @return closest local_zone or NULL if no covering zone is found.
*/
struct local_zone* local_zones_tags_lookup(struct local_zones* zones,
uint8_t* name, size_t len, int labs, uint16_t dclass,
uint8_t* name, size_t len, int labs, uint16_t dclass, uint16_t dtype,
uint8_t* taglist, size_t taglen, int ignoretags);
/**
@ -253,10 +254,12 @@ struct local_zone* local_zones_tags_lookup(struct local_zones* zones,
* @param len: length of name.
* @param labs: labelcount of name.
* @param dclass: class to lookup.
* @param dtype: type of the record, if type DS then a zone higher up is found
* pass 0 to just plain find a zone for a name.
* @return closest local_zone or NULL if no covering zone is found.
*/
struct local_zone* local_zones_lookup(struct local_zones* zones,
uint8_t* name, size_t len, int labs, uint16_t dclass);
uint8_t* name, size_t len, int labs, uint16_t dclass, uint16_t dtype);
/**
* Debug helper. Print all zones

11
services/outside_network.c

@ -268,6 +268,13 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
if (connectx(s, &endpoints, SAE_ASSOCID_ANY,
CONNECT_DATA_IDEMPOTENT | CONNECT_RESUME_ON_READ_WRITE,
NULL, 0, NULL, NULL) == -1) {
/* if fails, failover to connect for OSX 10.10 */
#ifdef EINPROGRESS
if(errno != EINPROGRESS) {
#else
if(1) {
#endif
if(connect(s, (struct sockaddr*)&w->addr, w->addrlen) == -1) {
#else /* USE_OSX_MSG_FASTOPEN*/
#ifdef USE_MSG_FASTOPEN
pend->c->tcp_do_fastopen = 1;
@ -302,6 +309,10 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
#ifdef USE_MSG_FASTOPEN
}
#endif /* USE_MSG_FASTOPEN */
#ifdef USE_OSX_MSG_FASTOPEN
}
}
#endif /* USE_OSX_MSG_FASTOPEN */
if(w->outnet->sslctx && w->ssl_upstream) {
pend->c->ssl = outgoing_ssl_fd(w->outnet->sslctx, s);
if(!pend->c->ssl) {

9
sldns/parseutil.c

@ -402,10 +402,12 @@ sldns_b32_ntop_base(const uint8_t* src, size_t src_sz, char* dst, size_t dst_sz,
/* ........ ........ ....4444 4....... ........ */
c = src[3] >> 7 ;
/* fallthrough */
case 3: dst[4] = b32[(src[2] & 0x0f) << 1 | c];
/* ........ .......3 3333.... ........ ........ */
c = src[2] >> 4 ;
/* fallthrough */
case 2: dst[3] = b32[(src[1] & 0x01) << 4 | c];
/* ........ ..22222. ........ ........ ........ */
@ -413,6 +415,7 @@ sldns_b32_ntop_base(const uint8_t* src, size_t src_sz, char* dst, size_t dst_sz,
/* .....111 11...... ........ ........ ........ */
c = src[1] >> 6 ;
/* fallthrough */
case 1: dst[1] = b32[(src[0] & 0x07) << 2 | c];
/* 00000... ........ ........ ........ ........ */
@ -423,9 +426,12 @@ sldns_b32_ntop_base(const uint8_t* src, size_t src_sz, char* dst, size_t dst_sz,
switch (src_sz) {
case 1: dst[2] = '=';
dst[3] = '=';
/* fallthrough */
case 2: dst[4] = '=';
/* fallthrough */
case 3: dst[5] = '=';
dst[6] = '=';
/* fallthrough */
case 4: dst[7] = '=';
}
}
@ -537,15 +543,18 @@ sldns_b32_pton_base(const char* src, size_t src_sz, uint8_t* dst, size_t dst_sz,
/* ........ ........ ........ .55555.. ........ */
/* ........ ........ ....4444 4....... ........ */
dst[3] = buf[4] << 7 | buf[5] << 2 | buf[6] >> 3;
/* fallthrough */
case 5: /* ........ ........ ....4444 4....... ........ */
/* ........ .......3 3333.... ........ ........ */
dst[2] = buf[3] << 4 | buf[4] >> 1;
/* fallthrough */
case 4: /* ........ .......3 3333.... ........ ........ */
/* ........ ..22222. ........ ........ ........ */
/* .....111 11...... ........ ........ ........ */
dst[1] = buf[1] << 6 | buf[2] << 1 | buf[3] >> 4;
/* fallthrough */
case 2: /* .....111 11...... ........ ........ ........ */
/* 00000... ........ ........ ........ ........ */

11
sldns/str2wire.c

@ -1190,6 +1190,10 @@ int sldns_str2wire_b64_buf(const char* str, uint8_t* rd, size_t* len)
{
size_t sz = sldns_b64_pton_calculate_size(strlen(str));
int n;
if(strcmp(str, "0") == 0) {
*len = 0;
return LDNS_WIREPARSE_ERR_OK;
}
if(*len < sz)
return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
n = sldns_b64_pton(str, rd, *len);
@ -1223,6 +1227,10 @@ int sldns_str2wire_hex_buf(const char* str, uint8_t* rd, size_t* len)
s++;
continue;
}
if(dlen == 0 && *s == '0' && *(s+1) == 0) {
*len = 0;
return LDNS_WIREPARSE_ERR_OK;
}
if(!isxdigit((unsigned char)*s))
return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_HEX, s-str);
if(*len < dlen/2 + 1)
@ -1685,12 +1693,15 @@ int sldns_str2wire_wks_buf(const char* str, uint8_t* rd, size_t* len)
struct protoent *p = getprotobyname(token);
have_proto = 1;
if(p) rd[0] = (uint8_t)p->p_proto;
else if(strcasecmp(token, "tcp")==0) rd[0]=6;
else if(strcasecmp(token, "udp")==0) rd[0]=17;
else rd[0] = (uint8_t)atoi(token);
(void)strlcpy(proto_str, token, sizeof(proto_str));
} else {
int serv_port;
struct servent *serv = getservbyname(token, proto_str);
if(serv) serv_port=(int)ntohs((uint16_t)serv->s_port);
else if(strcasecmp(token, "domain")==0) serv_port=53;
else {
serv_port = atoi(token);
if(serv_port == 0 && strcmp(token, "0") != 0) {

10
sldns/wire2str.c

@ -1220,11 +1220,17 @@ static int sldns_wire2str_b64_scan_num(uint8_t** d, size_t* dl, char** s,
int sldns_wire2str_b64_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
{
if(*dl == 0) {
return sldns_str_print(s, sl, "0");
}
return sldns_wire2str_b64_scan_num(d, dl, s, sl, *dl);
}
int sldns_wire2str_hex_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
{
if(*dl == 0) {
return sldns_str_print(s, sl, "0");
}
return print_remainder_hex("", d, dl, s, sl);
}
@ -1465,6 +1471,10 @@ int sldns_wire2str_wks_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
if(protocol && (protocol->p_name != NULL)) {
w += sldns_str_print(s, sl, "%s", protocol->p_name);
proto_name = protocol->p_name;
} else if(protocol_nr == 6) {
w += sldns_str_print(s, sl, "tcp");
} else if(protocol_nr == 17) {
w += sldns_str_print(s, sl, "udp");
} else {
w += sldns_str_print(s, sl, "%u", (unsigned)protocol_nr);
}

4
smallapp/unbound-anchor.c

@ -2326,7 +2326,9 @@ int main(int argc, char* argv[])
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
ERR_load_SSL_strings();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
#else
@ -2337,7 +2339,7 @@ int main(int argc, char* argv[])
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
#else
(void)OPENSSL_init_ssl(0, NULL);
(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
#endif
if(dolist) do_list_builtin();

29
smallapp/unbound-checkconf.c

@ -71,6 +71,9 @@
#ifdef WITH_PYTHONMODULE
#include "pythonmod/pythonmod.h"
#endif
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnet-whitelist.h"
#endif
/** Give checkconf usage, and exit (1). */
static void
@ -345,6 +348,20 @@ check_chroot_filelist_wild(const char* desc, struct config_strlist* list,
}
}
#ifdef CLIENT_SUBNET
/** check ECS configuration */
static void
ecs_conf_checks(struct config_file* cfg)
{
struct ecs_whitelist* whitelist = NULL;
if(!(whitelist = ecs_whitelist_create()))
fatal_exit("Could not create ednssubnet whitelist: out of memory");
if(!ecs_whitelist_apply_cfg(whitelist, cfg))
fatal_exit("Could not setup ednssubnet whitelist");
ecs_whitelist_delete(whitelist);
}
#endif /* CLIENT_SUBNET */
/** check configuration for errors */
static void
morechecks(struct config_file* cfg, const char* fname)
@ -427,8 +444,11 @@ morechecks(struct config_file* cfg, const char* fname)
check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
cfg->chrootdir, cfg);
#ifdef USE_IPSECMOD
check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook, cfg->chrootdir,
cfg);
if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
/* only check hook if enabled */
check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook,
cfg->chrootdir, cfg);
}
#endif
/* remove chroot setting so that modules are not stripping pathnames*/
free(cfg->chrootdir);
@ -474,6 +494,8 @@ morechecks(struct config_file* cfg, const char* fname)
#ifdef CLIENT_SUBNET
&& strcmp(cfg->module_conf, "subnetcache iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
&& strcmp(cfg->module_conf, "dns64 subnetcache iterator") != 0
&& strcmp(cfg->module_conf, "dns64 subnetcache validator iterator") != 0
#endif
#if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
&& strcmp(cfg->module_conf, "python subnetcache iterator") != 0
@ -524,6 +546,9 @@ morechecks(struct config_file* cfg, const char* fname)
localzonechecks(cfg);
view_and_respipchecks(cfg);
#ifdef CLIENT_SUBNET
ecs_conf_checks(cfg);
#endif
}
/** check forwards */

20
smallapp/unbound-control.c

@ -207,7 +207,7 @@ static void pr_stats(const char* nm, struct ub_stats_info* s)
PR_UL_NM("num.dnscrypt.cleartext", s->svr.num_query_dnscrypt_cleartext);
PR_UL_NM("num.dnscrypt.malformed",
s->svr.num_query_dnscrypt_crypted_malformed);
#endif
#endif /* USE_DNSCRYPT */
printf("%s.requestlist.avg"SQ"%g\n", nm,
(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
(double)s->svr.sum_query_list_size/
@ -251,6 +251,10 @@ static void print_mem(struct ub_shm_stat_info* shm_stat)
#ifdef USE_IPSECMOD
PR_LL("mem.mod.ipsecmod", shm_stat->mem.ipsecmod);
#endif
#ifdef USE_DNSCRYPT
PR_LL("mem.cache.dnscrypt_shared_secret",
shm_stat->mem.dnscrypt_shared_secret);
#endif
}
/** print histogram */
@ -337,6 +341,8 @@ static void print_extended(struct ub_stats_info* s)
if(!inhibit_zero || s->svr.ans_rcode_nodata) {
PR_UL("num.answer.rcode.nodata", s->svr.ans_rcode_nodata);
}
/* iteration */
PR_UL("num.query.ratelimited", s->svr.queries_ratelimited);
/* validation */
PR_UL("num.answer.secure", s->svr.ans_secure);
PR_UL("num.answer.bogus", s->svr.ans_bogus);
@ -349,6 +355,12 @@ static void print_extended(struct ub_stats_info* s)
PR_UL("rrset.cache.count", s->svr.rrset_cache_count);
PR_UL("infra.cache.count", s->svr.infra_cache_count);
PR_UL("key.cache.count", s->svr.key_cache_count);
#ifdef USE_DNSCRYPT
PR_UL("dnscrypt_shared_secret.cache.count",
s->svr.shared_secret_cache_count);
PR_UL("num.query.dnscrypt.shared_secret.cachemiss",
s->svr.num_query_dnscrypt_secret_missed_cache);
#endif /* USE_DNSCRYPT */
}
/** print statistics out of memory structures */
@ -356,7 +368,7 @@ static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats,
struct ub_shm_stat_info* shm_stat)
{
int i;
char nm[16];
char nm[32];
for(i=0; i<cfg->num_threads; i++) {
snprintf(nm, sizeof(nm), "thread%d", i);
pr_stats(nm, &stats[i+1]);
@ -763,7 +775,9 @@ int main(int argc, char* argv[])
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
ERR_load_SSL_strings();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
#else
@ -774,7 +788,7 @@ int main(int argc, char* argv[])
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
#else
(void)OPENSSL_init_ssl(0, NULL);
(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
#endif
if(!RAND_status()) {

26
testcode/do-tests.sh

@ -1,15 +1,15 @@
#!/usr/bin/env bash
. testdata/common.sh
NEED_SPLINT='00-lint.tpkg'
NEED_DOXYGEN='01-doc.tpkg'
NEED_XXD='fwd_compress_c00c.tpkg fwd_zero.tpkg'
NEED_NC='fwd_compress_c00c.tpkg fwd_zero.tpkg'
NEED_CURL='06-ianaports.tpkg root_anchor.tpkg'
NEED_WHOAMI='07-confroot.tpkg'
NEED_IPV6='fwd_ancil.tpkg fwd_tcp_tc6.tpkg stub_udp6.tpkg edns_cache.tpkg'
NEED_NOMINGW='tcp_sigpipe.tpkg 07-confroot.tpkg 08-host-lib.tpkg fwd_ancil.tpkg'
NEED_DNSCRYPT_PROXY='dnscrypt_queries.tpkg dnscrypt_queries_chacha.tpkg'
NEED_SPLINT='00-lint.tdir'
NEED_DOXYGEN='01-doc.tdir'
NEED_XXD='fwd_compress_c00c.tdir fwd_zero.tdir'
NEED_NC='fwd_compress_c00c.tdir fwd_zero.tdir'
NEED_CURL='06-ianaports.tdir root_anchor.tdir'
NEED_WHOAMI='07-confroot.tdir'
NEED_IPV6='fwd_ancil.tdir fwd_tcp_tc6.tdir stub_udp6.tdir edns_cache.tdir'
NEED_NOMINGW='tcp_sigpipe.tdir 07-confroot.tdir 08-host-lib.tdir fwd_ancil.tdir'
NEED_DNSCRYPT_PROXY='dnscrypt_queries.tdir dnscrypt_queries_chacha.tdir'
# test if dig and ldns-testns are available.
test_tool_avail "dig"
@ -30,9 +30,9 @@ else
fi
cd testdata;
sh ../testcode/mini_tpkg.sh clean
sh ../testcode/mini_tdir.sh clean
rm -f .perfstats.txt
for test in `ls *.tpkg`; do
for test in `ls -d *.tdir`; do
SKIP=0
skip_if_in_list $test "$NEED_SPLINT" "splint"
skip_if_in_list $test "$NEED_DOXYGEN" "doxygen"
@ -54,10 +54,10 @@ for test in `ls *.tpkg`; do
fi
if test $SKIP -eq 0; then
echo $test
sh ../testcode/mini_tpkg.sh -a ../.. exe $test
sh ../testcode/mini_tdir.sh -a ../.. exe $test
else
echo "skip $test"
fi
done
sh ../testcode/mini_tpkg.sh report
sh ../testcode/mini_tdir.sh report
cat .perfstats.txt

2
testcode/fake_event.c

@ -1331,7 +1331,7 @@ int serviced_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
return 0;
}
/* timers in testbound for autotrust. statistics tested in tpkg. */
/* timers in testbound for autotrust. statistics tested in tdir. */
struct comm_timer* comm_timer_create(struct comm_base* base,
void (*cb)(void*), void* cb_arg)
{

171
testcode/mini_tdir.sh Executable file

@ -0,0 +1,171 @@
# tdir that only exes the files.
args="../.."
if test "$1" = "-a"; then
args=$2
shift
shift
fi
if test "$1" = "clean"; then
echo "rm -f result.* .done* .tdir.var.master .tdir.var.test"
rm -f result.* .done* .tdir.var.master .tdir.var.test
exit 0
fi
if test "$1" = "fake"; then
echo "minitdir fake $2"
echo "fake" > .done-`basename $2 .tdir`
exit 0
fi
if test "$1" = "-f" && test "$2" = "report"; then
echo "Minitdir Long Report"
pass=0
fail=0
skip=0
echo " STATUS ELAPSED TESTNAME TESTDESCRIPTION"
for result in *.tdir; do
name=`basename $result .tdir`
timelen=" "
desc=""
if test -f "result.$name"; then
timestart=`grep ^DateRunStart: "result.$name" | sed -e 's/DateRunStart: //'`
timeend=`grep ^DateRunEnd: "result.$name" | sed -e 's/DateRunEnd: //'`
timesec=`expr $timeend - $timestart`
timelen=`printf %4ds $timesec`
if test $? -ne 0; then
timelen="$timesec""s"
fi
desc=`grep ^Description: "result.$name" | sed -e 's/Description: //'`
fi
if test -f ".done-$name"; then
if test "$1" != "-q"; then
echo "** PASSED ** $timelen $name: $desc"
pass=`expr $pass + 1`
fi
else
if test -f "result.$name"; then
echo "!! FAILED !! $timelen $name: $desc"
fail=`expr $fail + 1`
else
echo ".> SKIPPED<< $timelen $name: $desc"
skip=`expr $skip + 1`
fi
fi
done
echo ""
if test "$skip" = "0"; then
echo "$pass pass, $fail fail"
else
echo "$pass pass, $fail fail, $skip skip"
fi
echo ""
exit 0
fi
if test "$1" = "report" || test "$2" = "report"; then
echo "Minitdir Report"
for result in *.tdir; do
name=`basename $result .tdir`
if test -f ".done-$name"; then
if test "$1" != "-q"; then
echo "** PASSED ** : $name"
fi
else
if test -f "result.$name"; then
echo "!! FAILED !! : $name"
else
echo ">> SKIPPED<< : $name"
fi
fi
done
exit 0
fi
if test "$1" != 'exe'; then
# usage
echo "mini tdir. Reduced functionality for old shells."
echo " tdir exe <file>"
echo " tdir fake <file>"
echo " tdir clean"
echo " tdir [-q|-f] report"
exit 1
fi
shift
# do not execute if the disk is too full
#DISKLIMIT=100000
# This check is not portable (to Solaris 10).
#avail=`df . | tail -1 | awk '{print $4}'`
#if test "$avail" -lt "$DISKLIMIT"; then
#echo "minitdir: The disk is too full! Only $avail."
#exit 1
#fi
name=`basename $1 .tdir`
dir=$name.$$
result=result.$name
done=.done-$name
success="no"
if test -x "`which bash`"; then
shell="bash"
else
shell="sh"
fi
# check already done
if test -f .done-$name; then
echo "minitdir .done-$name exists. skip test."
exit 0
fi
# Copy
echo "minitdir copy $1 to $dir"
mkdir $dir
cp -a $name.tdir/* $dir/
cd $dir
# EXE
echo "minitdir exe $name" > $result
grep "Description:" $name.dsc >> $result 2>&1
echo "DateRunStart: "`date "+%s" 2>/dev/null` >> $result
if test -f $name.pre; then
echo "minitdir exe $name.pre"
echo "minitdir exe $name.pre" >> $result
$shell $name.pre $args >> $result
if test $? -ne 0; then
echo "Warning: $name.pre did not exit successfully"
fi
fi
if test -f $name.test; then
echo "minitdir exe $name.test"
echo "minitdir exe $name.test" >> $result
$shell $name.test $args >>$result 2>&1
if test $? -ne 0; then
echo "$name: FAILED" >> $result
echo "$name: FAILED"
success="no"
else
echo "$name: PASSED" >> $result
echo "$name: PASSED" > ../.done-$name
echo "$name: PASSED"
success="yes"
fi
fi
if test -f $name.post; then
echo "minitdir exe $name.post"
echo "minitdir exe $name.post" >> $result
$shell $name.post $args >> $result
if test $? -ne 0; then
echo "Warning: $name.post did not exit successfully"
fi
fi
echo "DateRunEnd: "`date "+%s" 2>/dev/null` >> $result
mv $result ..
cd ..
rm -rf $dir
# compat for windows where deletion may not succeed initially (files locked
# by processes that still have to exit).
if test $? -eq 1; then
echo "minitdir waiting for processes to terminate"
sleep 2 # some time to exit, and try again
rm -rf $dir
fi

4
testcode/petal.c

@ -643,7 +643,9 @@ int main(int argc, char* argv[])
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
ERR_load_SSL_strings();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
#else
@ -654,7 +656,7 @@ int main(int argc, char* argv[])
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
#else
(void)OPENSSL_init_ssl(0, NULL);
(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
#endif
do_service(addr, port, key, cert);

26
testcode/run_vm.sh

@ -1,7 +1,7 @@
#!/usr/local/bin/bash
# run tpkg tests from within a VM. Looks for loopback addr.
# run tdir tests from within a VM. Looks for loopback addr.
# if run not from within a VM, runs the tests as usual.
# with one argument: run that tpkg, otherwise, run all tpkgs.
# with one argument: run that tdir, otherwise, run all tdirs.
get_lo0_ip4() {
if test -x /sbin/ifconfig
@ -23,12 +23,12 @@ else
ALT_LOOPBACK=true
fi
cd testdata
TPKG=../testcode/mini_tpkg.sh
#RUNLIST=`(ls -1 *.tpkg|grep -v '^0[016]')`
RUNLIST=`(ls -1 *.tpkg)`
TPKG=../testcode/mini_tdir.sh
#RUNLIST=`(ls -1d *.tdir|grep -v '^0[016]')`
RUNLIST=`(ls -1d *.tdir)`
if test "$#" = "1"; then RUNLIST="$1"; fi
# fix up tpkg that was edited on keyboard interrupt.
# fix up tdir that was edited on keyboard interrupt.
cleanup() {
echo cleanup
if test -f "$t.bak"; then mv "$t.bak" "$t"; fi
@ -44,16 +44,15 @@ do
continue
fi
# We have alternative 127.0.0.1 number
if ( echo $t | grep '6\.tpkg$' ) # skip IPv6 tests
if ( echo $t | grep '6\.tdir$' ) # skip IPv6 tests
then
continue
elif test "$t" = "edns_cache.tpkg" # This one is IPv6 too!
elif test "$t" = "edns_cache.tdir" # This one is IPv6 too!
then
continue
fi
cp -p "$t" "$t.bak"
tar xzf $t
find "${t%.tpkg}.dir" -type f \
cp -ap "$t" "$t.bak"
find "${t}" -type f \
-exec grep -q -e '127\.0\.0\.1' -e '@localhost' {} \; -print | {
while read f
do
@ -63,15 +62,14 @@ do
mv "$f._" "$f"
done
}
find "${t%.tpkg}.dir" -type d -name "127.0.0.1" -print | {
find "${t}" -type d -name "127.0.0.1" -print | {
while read d
do
mv -v "$d" "${d%127.0.0.1}${LO0_IP4}"
done
}
tar czf $t "${t%.tpkg}.dir"
rm -fr "${t%.tpkg}.dir"
$TPKG exe $t
rm -fr "${t}"
mv "$t.bak" "$t"
done
# get out of testdata/

4
testcode/streamtcp.c

@ -410,7 +410,9 @@ int main(int argc, char** argv)
return 1;
}
if(usessl) {
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
ERR_load_SSL_strings();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
#else
@ -421,7 +423,7 @@ int main(int argc, char** argv)
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
#else
(void)OPENSSL_init_ssl(0, NULL);
(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
#endif
}
send_em(svr, udp, usessl, noanswer, argc, argv);

3
testcode/unitverify.c

@ -299,6 +299,7 @@ verifytest_file(const char* fname, const char* at_date)
struct module_env env;
struct val_env ve;
time_t now = time(NULL);
unit_show_func("signature verify", fname);
if(!list)
fatal_exit("could not read %s: %s", fname, strerror(errno));
@ -341,6 +342,7 @@ dstest_file(const char* fname)
struct entry* e;
struct entry* list = read_datafile(fname, 1);
struct module_env env;
unit_show_func("DS verify", fname);
if(!list)
fatal_exit("could not read %s: %s", fname, strerror(errno));
@ -474,6 +476,7 @@ nsec3_hash_test(const char* fname)
sldns_buffer* buf = sldns_buffer_new(65535);
struct entry* e;
struct entry* list = read_datafile(fname, 1);
unit_show_func("NSEC3 hash", fname);
if(!list)
fatal_exit("could not read %s: %s", fname, strerror(errno));

16
testdata/00-lint.tdir/00-lint.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: 00-lint
Version: 1.0
Description: Put source into lint.
CreationDate: Wed Jan 3 14:12:02 CET 2007
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre:
Post:
Test: 00-lint.test
AuxFiles:
Passed:
Failure:

11
testdata/00-lint.tdir/00-lint.test vendored Normal file

@ -0,0 +1,11 @@
# #-- 00-lint.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
get_make
(cd $PRE ; $MAKE lint)

BIN
testdata/00-lint.tpkg vendored

Binary file not shown.

16
testdata/01-doc.tdir/01-doc.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: 01-doc
Version: 1.0
Description: Check documentation
CreationDate: Wed Jan 3 15:15:01 CET 2007
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre:
Post:
Test: 01-doc.test
AuxFiles:
Passed:
Failure:

47
testdata/01-doc.tdir/01-doc.test vendored Normal file

@ -0,0 +1,47 @@
# #-- 01-doc.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
set_doxygen_path
PRE="../.."
get_make
(cd $PRE ; $MAKE doc) > mylog 2>&1
bad=0
if grep -e "Warning" -e "warning" -e "Error" -e "error" mylog >/dev/null 2>&1;
then
cat mylog
bad=1
else
# "doxygen ok"
cat mylog
fi
(cd $PRE; find . -name "*.h" -print) >hlist
(cd $PRE; find . -name "*.c" -print) >>hlist
# filter out config.h
fgrep -v -e "config.h" hlist > ilist; mv ilist hlist
fgrep -v -e "util/configparser" hlist > ilist; mv ilist hlist
fgrep -v -e "util/configlexer" hlist > ilist; mv ilist hlist
fgrep -v -e "util/configyyrename" hlist > ilist; mv ilist hlist
fgrep -v -e "util/locks.h" hlist > ilist; mv ilist hlist
fgrep -v -e "util/storage/lookup3.c" hlist > ilist; mv ilist hlist
fgrep -v -e "ldns-src/" hlist > ilist; mv ilist hlist
fgrep -v -e "libunbound/python/libunbound_wrap.c" hlist > ilist; mv ilist hlist
fgrep -v -e "pythonmod/interface.h" hlist > ilist; mv ilist hlist
fgrep -v -e "dnstap" hlist > ilist; mv ilist hlist
# filter out compat
fgrep -v -e "compat/" hlist > ilist; mv ilist hlist
for h in `cat hlist`; do
if fgrep "`basename $h`" $PRE/doc/html/files.html >/dev/null; then
: # ok
else
echo "Warning: $h has no documentation."
bad=1
fi
done
exit $bad

BIN
testdata/01-doc.tpkg vendored

Binary file not shown.

16
testdata/02-unittest.tdir/02-unittest.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: 02-unittest
Version: 1.0
Description: Unit tests.
CreationDate: Thu Jan 4 16:32:42 CET 2007
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre:
Post:
Test: 02-unittest.test
AuxFiles:
Passed:
Failure:

26
testdata/02-unittest.tdir/02-unittest.test vendored Normal file

@ -0,0 +1,26 @@
# #-- 02-unittest.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
get_make
(cd $PRE ; $MAKE unittest; $MAKE lock-verify)
if (cd $PRE; ./unittest); then
echo "unit test worked."
else
echo "unit test failed."
exit 1
fi
if test -f $PRE/ublocktrace.0; then
if (cd $PRE; ./lock-verify ublocktrace.*); then
echo "lock-verify test worked."
else
echo "lock-verify test failed."
exit 1
fi
fi
exit 0

BIN
testdata/02-unittest.tpkg vendored

Binary file not shown.

16
testdata/03-testbound.tdir/03-testbound.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: 03-testbound
Version: 1.0
Description: Run testbound event replay scenarios.
CreationDate: Tue Feb 13 16:36:18 CET 2007
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre:
Post:
Test: 03-testbound.test
AuxFiles:
Passed:
Failure:

123
testdata/03-testbound.tdir/03-testbound.test vendored Normal file

@ -0,0 +1,123 @@
# #-- 03-testbound.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
get_make
(cd $PRE ; $MAKE testbound)
exitval=0
# quiet="" to make verbose
do_valgrind=no
# valgrind mode for debug
#if grep "staticexe=-static" $PRE/Makefile >/dev/null 2>&1; then
# if test -x "`which valgrind`"; then
# do_valgrind=yes
# fi
#fi
# self-test (unit test of testbound)
if test $do_valgrind = "yes"; then
if (valgrind $PRE/testbound -s >tmpout 2>&1;); then
echo "selftest OK "
else
echo "selftest FAILED"
exit 1
fi
if grep "All heap blocks were freed -- no leaks are possible." tmpout >/dev/null 2>&1; then
: # clean
else
echo "Memory leaked in selftest"
grep "in use at exit" tmpout
exit 1
fi
else
if ($PRE/testbound -s >/dev/null 2>&1;); then
echo "selftest OK "
else
echo "selftest FAILED"
exit 1
fi
fi
# the .crpl are not always supported and need checking for SHA256 and GOST
# support.
# the .rpl should work on any system (portable).
for input in $PRE/testdata/*.rpl $PRE/testdata/*.crpl; do
header=`grep SCENARIO_BEGIN $input | head -1 | sed -e 's/SCENARIO_BEGIN //'`
cleaninput=`echo $input | sed -e "s?$PRE/testdata/??"`
# detect if SHA256 is needed
if echo $cleaninput | grep sha2 >/dev/null 2>&1; then
if $PRE/testbound -2 >/dev/null 2>&1; then
: # the SHA256 is supported
else
continue
fi
fi
# detect if GOST is needed
if echo $cleaninput | grep gost >/dev/null 2>&1; then
if $PRE/testbound -g >/dev/null 2>&1; then
: # GOST is supported
else
continue
fi
fi
# detect if CLIENT_SUBNET is needed
if echo $cleaninput | grep subnet >/dev/null 2>&1; then
if $PRE/testbound -c >/dev/null 2>&1; then
: # CLIENT_SUBNET is supported
else
continue
fi
fi
# detect if IPSECMOD is needed
if echo $cleaninput | grep ipsecmod >/dev/null 2>&1; then
if $PRE/testbound -i >/dev/null 2>&1; then
: # IPSECMOD is supported
else
continue
fi
fi
if test $do_valgrind = "yes"; then
if (valgrind $PRE/testbound -p $input >tmpout 2>&1;); then
echo " OK $cleaninput: $header"
else
echo "FAILED $cleaninput: $header"
exitval=1
fi
if grep "All heap blocks were freed -- no leaks are possible." tmpout >/dev/null 2>&1; then
: # clean
else
echo "Memory leaked in $cleaninput"
grep "in use at exit" tmpout
exitval=1
fi
else
# do valgrind=no
if ($PRE/testbound -p $input >/dev/null 2>&1;); then
echo " OK $cleaninput: $header"
else
echo "FAILED $cleaninput: $header"
exitval=1
fi
fi
if test -f ublocktrace.0; then
if $PRE/lock-verify ublocktrace.*; then
#echo "lock-verify test $input worked."
i=i
else
echo "lock-verify test $input failed."
exitval=1
fi
fi
done
exit $exitval

BIN
testdata/03-testbound.tpkg vendored

Binary file not shown.

16
testdata/04-checkconf.tdir/04-checkconf.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: 04-checkconf
Version: 1.0
Description: Test configuration checker.
CreationDate: Fri Sep 28 15:46:27 CEST 2007
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre:
Post:
Test: 04-checkconf.test
AuxFiles:
Passed:
Failure:

72
testdata/04-checkconf.tdir/04-checkconf.test vendored Normal file

@ -0,0 +1,72 @@
# #-- 04-checkconf.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
# test that failed exit code is used
$PRE/unbound-checkconf bla bla bla>/dev/null
if test $? != 1; then
echo "exit code for usage wrong"
exit 1
fi
$PRE/unbound-checkconf -h >/dev/null
if test $? != 1; then
echo "exit code for usage wrong"
exit 1
fi
$PRE/unbound-checkconf notexist_file
if test $? != 1; then
echo "exit code for nofile wrong"
exit 1
fi
# detect windows
if grep "define UB_ON_WINDOWS 1" ../../config.h; then
onwin=1
else
onwin=0
fi
# test check of config files.
for f in bad.*; do
echo
echo $PRE/unbound-checkconf $f
if test $f = "bad.user" -a $onwin -eq 1; then
echo "skipped on windows"
continue
fi
$PRE/unbound-checkconf $f
if test $? != 1; then
echo "exit code case $f wrong"
exit 1
fi
done
for f in good.*; do
echo
echo $PRE/unbound-checkconf $f
$PRE/unbound-checkconf $f
if test $? != 0; then
echo "exit code case $f wrong"
exit 1
fi
done
echo $PRE/unbound-checkconf warn.algo
$PRE/unbound-checkconf warn.algo > outfile 2>&1
if test $? != 0; then
cat outfile
echo "wrong exit code, warning should not fail with error"
exit 1
fi
cat outfile
if grep "unsupported algo" outfile; then
echo "OK"
else
echo "Failed, should print warning"
exit 1
fi
exit 0

8
testdata/04-checkconf.tdir/bad.badfwd vendored Normal file

@ -0,0 +1,8 @@
server:
# to make sure the check doesn't fail on username or chrootdir.
username: ""
chroot: ""
forward-zone:
name: "example.com"
forward-addr: 123.123.AAAA.123

17
testdata/04-checkconf.tdir/bad.badif vendored Normal file

@ -0,0 +1,17 @@
# bad host and interface lines.
server:
username: ""
interface: 127.0.0.1
interface: 127.0.0.1
interface: 127.0.0.1
outgoing-interface: ::1
outgoing-interface: ::1
outgoing-interface: ::1
forward-zone:
name: root.
forward-host: 127.0.0.1
stub-zone:
name: com.
stub-host: ::3

2
testdata/04-checkconf.tdir/bad.badip vendored Normal file

@ -0,0 +1,2 @@
server:
interface: 123.AAAA.123.123

35
testdata/04-checkconf.tdir/bad.bind vendored Normal file

@ -0,0 +1,35 @@
# test daemon
options {
directory "/home/wouter/bla";
version "test BIND 24";
pid-file "/home/wouter/named_24.pid";
dnssec-enable yes;
listen-on-v6 { any; };
};
// logging clause
logging {
channel mainlog {
file "named_24.log" size 10m;
severity info;
};
category default {
mainlog;
};
};
zone "." IN {
type hint;
file "root.servers";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.rev";
allow-update { none; };
};

2
testdata/04-checkconf.tdir/bad.user vendored Normal file

@ -0,0 +1,2 @@
server:
username: blabla_noexist_user

246
testdata/04-checkconf.tdir/good.all vendored Normal file

@ -0,0 +1,246 @@
# To test, all options are used.
#
# Example configuration file.
#
# See unbound.conf(5) man page.
#
# this is a comment.
#Use this to include other text into the file.
#include: "otherfile.conf"
# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 2
# number of threads to create. 1 disables threading.
num-threads: 1
# specify the interfaces to answer queries from by ip-address.
# If you give none the default (all) interface is used.
# specify every interface on a new 'interface:' labelled line.
interface: 192.0.2.153
interface: 192.0.2.154
interface: 2001:DB8::5
# port to answer queries from
port: 53
# number of port to allocate per thread, determines the size of the
# port range. A larger port range gives more resistance to certain
# spoof attacks, as it gets harder to guess which port is used.
# But also takes more system resources (for open sockets).
outgoing-range: 16
outgoing-port-permit: 1000-1020
outgoing-port-avoid: 2000-2048
outgoing-port-avoid: 3000
# number of outgoing simultaneous tcp buffers to hold per thread.
outgoing-num-tcp: 10
# number of incoming simultaneous tcp buffers to hold per thread.
incoming-num-tcp: 10
# buffer size for handling DNS data. No messages larger than this
# size can be sent or received, by UDP or TCP. In bytes.
msg-buffer-size: 65552
# the amount of memory to use for the message cache.
# in bytes. default is 4 Mb
msg-cache-size: 4194304
# the number of slabs to use for the message cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
msg-cache-slabs: 4
# the number of queries that a thread gets to service.
num-queries-per-thread: 1024
# the amount of memory to use for the RRset cache.
# in bytes. default is 4 Mb
rrset-cache-size: 4194304
# the number of slabs to use for the RRset cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
rrset-cache-slabs: 4
# the time to live (TTL) value for cached roundtrip times and
# EDNS version information for hosts. In seconds.
infra-host-ttl: 900
# the time to live (TTL) value for cached lame delegations. In sec.
infra-lame-ttl: 900
# the number of slabs to use for the Infrastructure cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
infra-cache-slabs: 4
# the maximum number of hosts that are cached (roundtrip times, EDNS).
infra-cache-numhosts: 10000
# the maximum size of the lame zones cached per host. in bytes.
infra-cache-lame-size: 10240
# Enable IPv4, "yes" or "no".
do-ip4: yes
# Enable IPv6, "yes" or "no".
do-ip6: yes
# Enable UDP, "yes" or "no".
do-udp: yes
# Enable TCP, "yes" or "no".
do-tcp: yes
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
chroot: ""
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is nothing "".
username: "nobody"
# the working directory.
directory: "."
# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
logfile: ""
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to, with identity "unbound". If yes, it overrides the logfile.
use-syslog: no
# the pid file.
pidfile: "unbound.pid"
# enable to not answer id.server and hostname.bind queries.
hide-identity: no
# enable to not answer version.server and version.bind queries.
hide-version: no
# the identity to report. Leave "" or default to return hostname.
identity: ""
# the version to report. Leave "" or default to return package version.
version: ""
# the target fetch policy.
# series of integers describing the policy per dependency depth.
# The number of values in the list determines the maximum dependency
# depth the recursor will pursue before giving up. Each integer means:
# -1 : fetch all targets opportunistically,
# 0: fetch on demand,
# positive value: fetch that many targets opportunistically.
# Enclose the list of numbers between quotes ("").
target-fetch-policy: "3 2 1 0 0"
# Harden against very small EDNS buffer sizes.
harden-short-bufsize: yes
# Harden against unseemly large queries.
harden-large-queries: yes
# Harden against out of zone rrsets, to avoid spoofing attempts.
harden-glue: yes
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. To block other ports than the default
# DNS port, use "1.2.3.4@123" to block port 123 for 1.2.3.4.
do-not-query-address: 127.0.0.1
do-not-query-address: 127.0.0.2
do-not-query-address: 127.255.255.255
do-not-query-address: ::1
# module configuration of the server. A string with identifiers
# separated by spaces. "iterator" or "validator iterator"
module-config: "validator iterator"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
trust-anchor-file: ""
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# (These examples are from August 2007 and may not be valid anymore).
trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry. Like trust-anchor-file
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
trusted-keys-file: ""
# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
# and expiration. "" or "0" turns the feature off.
val-override-date: ""
# The time to live for bogus data, rrsets and messages. This avoids
# some of the revalidation, until the time interval expires. in secs.
val-bogus-ttl: 900
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
val-permissive-mode: no
# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
# the amount of memory to use for the key cache.
# in bytes. default is 4 Mb
key-cache-size: 4194304
# the number of slabs to use for the key cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
key-cache-slabs: 4
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
# nameservers by hostname or by ipaddress.
stub-zone:
name: "example.com"
stub-addr: 192.0.2.68
stub-zone:
name: "example.org"
stub-host: ns.example.com.
# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
# recursion to other nameservers. List zero or more nameservers by hostname
# or by ipaddress. Use an entry with name "." to forward all queries.
forward-zone:
name: "example.com"
forward-addr: 192.0.2.68
forward-addr: 192.0.2.73@5355 # forward to port 5355.
forward-zone:
name: "example.org"
forward-host: fwd.example.com

23
testdata/04-checkconf.tdir/good.ifport vendored Normal file

@ -0,0 +1,23 @@
#
# bug301 : unbound-checkconf cannot parse interface '0.0.0.0@5353'
#Use this to include other text into the file.
#include: "otherfile.conf"
# The server clause sets the main parameters.
server:
# specify the interfaces to answer queries from by ip-address.
# If you give none the default (all) interface is used.
# specify every interface on a new 'interface:' labelled line.
interface: 192.0.2.153
interface: 192.0.2.154
interface: 2001:DB8::5
interface: 0.0.0.0@5353
# config
chroot: ""
username: "nobody"
directory: "."
logfile: ""
use-syslog: no
pidfile: "unbound.pid"

6
testdata/04-checkconf.tdir/good.include vendored Normal file

@ -0,0 +1,6 @@
# include some file to test include functionality.
include: "good.all"
server:
identity: "my identity"

9
testdata/04-checkconf.tdir/warn.algo vendored Normal file

@ -0,0 +1,9 @@
server:
chroot: ""
directory: ""
pidfile: ""
username: ""
logfile: ""
trust-anchor: "jelte.nlnetlabs.nl. DS 42860 2000 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"

BIN
testdata/04-checkconf.tpkg vendored

Binary file not shown.

16
testdata/05-asynclook.tdir/05-asynclook.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: 05-asynclook
Version: 1.0
Description: Test async lookup using libunbound
CreationDate: Fri Jan 25 09:50:35 CET 2008
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: 05-asynclook.pre
Post: 05-asynclook.post
Test: 05-asynclook.test
AuxFiles:
Passed:
Failure:

12
testdata/05-asynclook.tdir/05-asynclook.hosts vendored Normal file

@ -0,0 +1,12 @@
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
# Imaginary network.
10.0.0.2 myname.my.domain myname
10.0.0.3 myfriend.my.domain myfriend
10.20.30.40 virtual.virtual.virtual.local

10
testdata/05-asynclook.tdir/05-asynclook.post vendored Normal file

@ -0,0 +1,10 @@
# #-- 05-asynclook.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
kill_pid $FWD_PID

20
testdata/05-asynclook.tdir/05-asynclook.pre vendored Normal file

@ -0,0 +1,20 @@
# #-- 05-asynclook.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
get_random_port 2
FWD_PORT=$(($RND_PORT + 1))
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT 05-asynclook.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log

198
testdata/05-asynclook.tdir/05-asynclook.test vendored Normal file

@ -0,0 +1,198 @@
# #-- 05-asynclook.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
. ../common.sh
# test if fwder is up
echo "> dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile"
dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile
if grep "10.20.30.40" outfile; then
echo "fwder is up"
else
cat fwd.log
echo "fwder not up"
exit 1
fi
rm outfile
# create asynclook
get_make
echo "> (cd $PRE ; $MAKE asynclook)"
(cd $PRE ; $MAKE asynclook)
if test ! -x $PRE/asynclook; then
echo "cannot build asynclook test program"
exit 1
fi
(cd $PRE ; $MAKE lock-verify)
# check the locks.
function locktest() {
if test -x $PRE/lock-verify -a -f ublocktrace.0; then
$PRE/lock-verify ublocktrace.*
if test $? -ne 0; then
echo "lock-verify error"
exit 1
fi
fi
}
# detect if there is forking on this system.
HAVE_FORK=yes
if grep "undef HAVE_FORK" $PRE/config.h >/dev/null 2>&1; then
HAVE_FORK=no
fi
if test $HAVE_FORK = yes; then
# test hosts reading (directed at local auth info)
echo '> $PRE/asynclook -H 05-asynclook.hosts virtual.virtual.virtual.local 2>&1 | tee outfile'
$PRE/asynclook -H 05-asynclook.hosts virtual.virtual.virtual.local 2>&1 | tee outfile
if grep "virtual.virtual.virtual.local: 10.20.30.40" outfile; then
echo "OK"
else
echo "Not OK"
exit 1
fi
locktest
rm outfile
# test async lookups (directed at testns)
echo '> $PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com 2>&1 | tee outfile'
$PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
echo '> $PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: 10.20.30.42" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
fi #HAVE_FORK
echo '> $PRE/asynclook -t -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -t -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: 10.20.30.42" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
if test $HAVE_FORK = yes; then
# test cancellation
echo '> $PRE/asynclook -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: cancelled" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: cancelled" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
fi #HAVE_FORK
echo '> $PRE/asynclook -t -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -t -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: cancelled" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: cancelled" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
if test $HAVE_FORK = yes; then
# test blocking mode
echo '> $PRE/asynclook -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: 10.20.30.42" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
fi #HAVE_FORK
echo '> $PRE/asynclook -t -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -t -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: 10.20.30.42" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
echo "> cat logfiles"
cat fwd.log
exit 0

35
testdata/05-asynclook.tdir/05-asynclook.testns vendored Normal file

@ -0,0 +1,35 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
; for priming query
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
@ IN NS
SECTION ANSWER
@ IN NS 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www2 IN A
SECTION ANSWER
www2 IN A 10.20.30.42
ENTRY_END

BIN
testdata/05-asynclook.tpkg vendored

Binary file not shown.

16
testdata/06-ianaports.tdir/06-ianaports.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: 06-ianaports
Version: 1.0
Description: check if iana assigned ports have changed.
CreationDate: Thu Apr 10 12:42:40 CEST 2008
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre:
Post:
Test: 06-ianaports.test
AuxFiles:
Passed:
Failure:

27
testdata/06-ianaports.tdir/06-ianaports.test vendored Normal file

@ -0,0 +1,27 @@
# #-- 06-ianaports.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
. ../common.sh
mkdir util
get_make
echo "> $MAKE -f $PRE/Makefile iana_update"
$MAKE -f $PRE/Makefile iana_update
if test $? -ne 0; then
echo "cannot iana update"
exit 1
fi
diff -u $PRE/util/iana_ports.inc util/iana_ports.inc
if test $? -ne 0; then
echo "IANA assigned ports have updated, make iana_update and commit"
echo "cp util/iana_ports.inc $PRE/util/iana_ports.inc"
cp util/iana_ports.inc $PRE/util/iana_ports.inc
exit 1
fi
exit 0

BIN
testdata/06-ianaports.tpkg vendored

Binary file not shown.

16
testdata/07-confroot.tdir/07-confroot.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: 07-confroot
Version: 1.0
Description: test checkconf with chroot dir.
CreationDate: Mon Apr 14 14:54:59 CEST 2008
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre:
Post:
Test: 07-confroot.test
AuxFiles:
Passed:
Failure:

287
testdata/07-confroot.tdir/07-confroot.test vendored Normal file

@ -0,0 +1,287 @@
# #-- 07-confroot.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
if uname | grep "MINGW" >/dev/null; then
# no chroot, no need to test.
# (test fails on / en \ comparisons, by the way).
echo "no chroot on windows, end test"
exit 0
fi
# create config file
cwd=`pwd -P`
subdir=$cwd/subdir
user=`whoami`
mkdir subdir
if test $? -ne 0; then
echo "could not create subdir"
exit 1
fi
cat > test.conf <<EOF
server:
chroot: $cwd
directory: $subdir
username: $user
pidfile: "/unbound.pid"
root-hints: "root.ca"
root-hints: "$subdir/root.cb"
root-hints: "/subdir/root.cc"
logfile: "output.log"
trust-anchor-file: "$subdir/trustanchor.conf"
trust-anchor-file: "/subdir/trustanchor.conf"
trust-anchor-file: "trustanchor.conf"
trusted-keys-file: "trustkeys.conf"
trusted-keys-file: "$subdir/trustkeys2.conf"
trusted-keys-file: "/subdir/trustkeys3.conf"
EOF
# fake root file
echo ". NS a.root-servers.net." > subdir/root.ca
echo "a.root-servers.net. IN A 127.0.0.1" >> subdir/root.ca
echo ". CH NS b.root-servers.net." > subdir/root.cb
echo "b.root-servers.net. CH A 127.0.0.1" >> subdir/root.cb
echo ". HS NS c.root-servers.net." > subdir/root.cc
echo "c.root-servers.net. HS A 127.0.0.1" >> subdir/root.cc
echo "" > subdir/trustkeys.conf
echo "" > subdir/trustkeys2.conf
echo "" > subdir/trustkeys3.conf
echo "" > subdir/trustanchor.conf
echo "" > subdir/trustanchor2.conf
echo "" > subdir/trustanchor3.conf
$PRE/unbound-checkconf test.conf
if test $? -ne 0; then
echo "Checkconf of config with chroot inside it failed"
exit 1
fi
echo "OK 1"
### NEXT TEST
cat > test.conf <<EOF
server:
chroot: $cwd
directory: "subdir"
username: $user
pidfile: "/unbound.pid"
root-hints: "root.ca"
root-hints: "$subdir/root.cb"
root-hints: "/subdir/root.cc"
logfile: "output.log"
trust-anchor-file: "$subdir/trustanchor.conf"
trust-anchor-file: "/subdir/trustanchor.conf"
trust-anchor-file: "trustanchor.conf"
trusted-keys-file: "trustkeys.conf"
trusted-keys-file: "$subdir/trustkeys2.conf"
trusted-keys-file: "/subdir/trustkeys3.conf"
EOF
$PRE/unbound-checkconf test.conf
if test $? -ne 0; then
echo "Checkconf of config with chroot inside it failed"
exit 1
fi
echo "OK 2"
### NEXT TEST
cat > test.conf <<EOF
server:
chroot: $cwd
directory: "/subdir"
username: $user
pidfile: "/unbound.pid"
root-hints: "root.ca"
root-hints: "$subdir/root.cb"
root-hints: "/subdir/root.cc"
logfile: "output.log"
trust-anchor-file: "$subdir/trustanchor.conf"
trust-anchor-file: "/subdir/trustanchor.conf"
trust-anchor-file: "trustanchor.conf"
trusted-keys-file: "trustkeys.conf"
trusted-keys-file: "$subdir/trustkeys2.conf"
trusted-keys-file: "/subdir/trustkeys3.conf"
EOF
$PRE/unbound-checkconf test.conf
if test $? -ne 0; then
echo "Checkconf of config with chroot inside it failed"
exit 1
fi
echo "OK 3"
### NEXT TEST
cat > test.conf <<EOF
server:
chroot: "."
directory: "./subdir"
username: $user
pidfile: "/unbound.pid"
root-hints: "root.ca"
#root-hints: "$subdir/root.cb"
root-hints: "/subdir/root.cc"
logfile: "output.log"
#trust-anchor-file: "$subdir/trustanchor.conf"
trust-anchor-file: "/subdir/trustanchor.conf"
trust-anchor-file: "trustanchor.conf"
trusted-keys-file: "trustkeys.conf"
#trusted-keys-file: "$subdir/trustkeys2.conf"
trusted-keys-file: "/subdir/trustkeys3.conf"
EOF
$PRE/unbound-checkconf test.conf
if test $? -ne 1; then
echo "Checkconf of config with chroot inside it failed"
exit 1
fi
echo "OK 4"
### NEXT TEST
cat > test.conf <<EOF
server:
chroot: ""
directory: "subdir"
username: $user
pidfile: "/unbound.pid"
root-hints: "root.ca"
root-hints: "$subdir/root.cb"
#root-hints: "/subdir/root.cc"
logfile: "output.log"
trust-anchor-file: "$subdir/trustanchor.conf"
#trust-anchor-file: "/subdir/trustanchor.conf"
trust-anchor-file: "trustanchor.conf"
trusted-keys-file: "trustkeys.conf"
trusted-keys-file: "$subdir/trustkeys2.conf"
#trusted-keys-file: "/subdir/trustkeys3.conf"
EOF
$PRE/unbound-checkconf test.conf
if test $? -ne 0; then
echo "Checkconf of config with chroot inside it failed"
exit 1
fi
echo "OK 5"
### NEXT TEST
cat > test.conf <<EOF
server:
chroot: ""
directory: ""
username: $user
pidfile: "/unbound.pid"
#root-hints: "root.ca"
root-hints: "$subdir/root.cb"
root-hints: "subdir/root.cc"
logfile: "output.log"
trust-anchor-file: "$subdir/trustanchor.conf"
trust-anchor-file: "subdir/trustanchor.conf"
#trust-anchor-file: "trustanchor.conf"
#trusted-keys-file: "trustkeys.conf"
trusted-keys-file: "$subdir/trustkeys2.conf"
trusted-keys-file: "subdir/trustkeys3.conf"
EOF
$PRE/unbound-checkconf test.conf
if test $? -ne 0; then
echo "Checkconf of config with chroot inside it failed"
exit 1
fi
echo "OK 6"
### NEXT TEST
cat > test.conf <<EOF
server:
chroot: "."
directory: ""
username: $user
pidfile: "/nosubdir/unbound.pid"
#root-hints: "root.ca"
#root-hints: "$subdir/root.cb"
root-hints: "subdir/root.cc"
logfile: "output.log"
#trust-anchor-file: "$subdir/trustanchor.conf"
trust-anchor-file: "subdir/trustanchor.conf"
#trust-anchor-file: "trustanchor.conf"
#trusted-keys-file: "trustkeys.conf"
#trusted-keys-file: "$subdir/trustkeys2.conf"
trusted-keys-file: "subdir/trustkeys3.conf"
EOF
$PRE/unbound-checkconf test.conf
if test $? -ne 1; then
echo "Checkconf of config with chroot inside it failed"
exit 1
fi
echo "OK 7"
### NEXT TEST
cat > test.conf <<EOF
server:
chroot: $cwd
directory: ""
username: $user
pidfile: "/unbound.pid"
#root-hints: "root.ca"
root-hints: "$subdir/root.cb"
root-hints: "/subdir/root.cc"
logfile: "output.log"
trust-anchor-file: "$subdir/trustanchor.conf"
trust-anchor-file: "/subdir/trustanchor.conf"
#trust-anchor-file: "trustanchor.conf"
#trusted-keys-file: "trustkeys.conf"
trusted-keys-file: "$subdir/trustkeys2.conf"
trusted-keys-file: "/subdir/trustkeys3.conf"
EOF
$PRE/unbound-checkconf test.conf
if test $? -ne 0; then
echo "Checkconf of config with chroot inside it failed"
exit 1
fi
echo "OK 8"
exit 0

BIN
testdata/07-confroot.tpkg vendored

Binary file not shown.

16
testdata/08-host-lib.tdir/08-host-lib.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: 08-host-lib
Version: 1.0
Description: Test async lookup using libunbound
CreationDate: Fri May 16 13:21:58 CEST 2008
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: 08-host-lib.pre
Post: 08-host-lib.post
Test: 08-host-lib.test
AuxFiles:
Passed:
Failure:

12
testdata/08-host-lib.tdir/08-host-lib.hosts vendored Normal file

@ -0,0 +1,12 @@
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
# Imaginary network.
10.0.0.2 myname.my.domain myname
10.0.0.3 myfriend.my.domain myfriend
10.20.30.40 virtual.virtual.virtual.local

10
testdata/08-host-lib.tdir/08-host-lib.post vendored Normal file

@ -0,0 +1,10 @@
# #-- 08-host-lib.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
kill_pid $FWD_PID

19
testdata/08-host-lib.tdir/08-host-lib.pre vendored Normal file

@ -0,0 +1,19 @@
# #-- 08-host-lib.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
get_random_port 2
FWD_PORT=$(($RND_PORT + 1))
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT 08-host-lib.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log

194
testdata/08-host-lib.tdir/08-host-lib.test vendored Normal file

@ -0,0 +1,194 @@
# #-- 08-host-lib.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
. ../common.sh
if grep FORK $PRE/config.h | grep "define" >/dev/null 2>&1; then
# nothing
:
else
echo "forking is not available; test skipped."
exit 0
fi
# test if fwder is up
echo "> dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile"
dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile
if grep "10.20.30.40" outfile; then
echo "fwder is up"
else
cat fwd.log
echo "fwder not up"
exit 1
fi
rm outfile
# create asynclook
get_make
echo "> (cd $PRE ; $MAKE asynclook)"
(cd $PRE ; $MAKE asynclook)
if test ! -x $PRE/asynclook; then
echo "cannot build asynclook test program"
exit 1
fi
(cd $PRE ; $MAKE lock-verify)
# check the locks.
function locktest() {
if test -x $PRE/lock-verify -a -f ublocktrace.0; then
$PRE/lock-verify ublocktrace.*
if test $? -ne 0; then
echo "lock-verify error"
exit 1
fi
fi
}
# test hosts reading (directed at local auth info)
echo '> $PRE/asynclook -H 08-host-lib.hosts virtual.virtual.virtual.local 2>&1 | tee outfile'
$PRE/asynclook -H 08-host-lib.hosts virtual.virtual.virtual.local 2>&1 | tee outfile
if grep "virtual.virtual.virtual.local: 10.20.30.40" outfile; then
echo "OK"
else
echo "Not OK"
exit 1
fi
locktest
rm outfile
# test async lookups (directed at testns)
echo '> $PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com 2>&1 | tee outfile'
$PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
echo '> $PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: 10.20.30.42" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
echo '> $PRE/asynclook -t -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -t -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: 10.20.30.42" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
# test cancellation
echo '> $PRE/asynclook -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: cancelled" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: cancelled" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
echo '> $PRE/asynclook -t -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -t -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: cancelled" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: cancelled" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
# test blocking mode
echo '> $PRE/asynclook -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: 10.20.30.42" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
echo '> $PRE/asynclook -t -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
$PRE/asynclook -t -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
if grep "www.example.com: 10.20.30.40" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
if grep "www2.example.com: 10.20.30.42" outfile; then
echo "OK"
else
cat fwd.log
echo "Not OK"
exit 1
fi
locktest
rm outfile
echo "> cat logfiles"
cat fwd.log
exit 0

35
testdata/08-host-lib.tdir/08-host-lib.testns vendored Normal file

@ -0,0 +1,35 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
; for priming query
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
@ IN NS
SECTION ANSWER
@ IN NS 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www2 IN A
SECTION ANSWER
www2 IN A 10.20.30.42
ENTRY_END

BIN
testdata/08-host-lib.tpkg vendored

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show More