Commit 7b6fdf42 authored by Dag-Erling Smørgrav

Vendor import of Unbound 1.7.2.

parent 4289761a
......@@ -327,7 +327,7 @@ unbound-control$(EXEEXT): $(CONTROL_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
unbound-host$(EXEEXT): $(HOST_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
unbound-anchor$(EXEEXT): $(UBANCHOR_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS)
......@@ -360,7 +360,7 @@ memstats$(EXEEXT): $(MEMSTATS_OBJ_LINK)
$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
asynclook$(EXEEXT): $(ASYNCLOOK_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
streamtcp$(EXEEXT): $(STREAMTCP_OBJ_LINK)
$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
......@@ -1463,7 +1463,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/remote.h \
$(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
$(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
$(srcdir)/winrc/w_inst.h
......
......@@ -71,6 +71,72 @@ static struct {
static inline void _rs_rekey(u_char *dat, size_t datlen);
/*
* Basic sanity checking; wish we could do better.
*/
static int
fallback_gotdata(char *buf, size_t len)
{
char any_set = 0;
size_t i;
for (i = 0; i < len; ++i)
any_set |= buf[i];
if (any_set == 0)
return -1;
return 0;
}
/* fallback for getentropy in case libc returns failure */
static int
fallback_getentropy_urandom(void *buf, size_t len)
{
size_t i;
int fd, flags;
int save_errno = errno;
start:
flags = O_RDONLY;
#ifdef O_NOFOLLOW
flags |= O_NOFOLLOW;
#endif
#ifdef O_CLOEXEC
flags |= O_CLOEXEC;
#endif
fd = open("/dev/urandom", flags, 0);
if (fd == -1) {
if (errno == EINTR)
goto start;
goto nodevrandom;
}
#ifndef O_CLOEXEC
# ifdef HAVE_FCNTL
fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
# endif
#endif
for (i = 0; i < len; ) {
size_t wanted = len - i;
ssize_t ret = read(fd, (char*)buf + i, wanted);
if (ret == -1) {
if (errno == EAGAIN || errno == EINTR)
continue;
close(fd);
goto nodevrandom;
}
i += ret;
}
close(fd);
if (fallback_gotdata(buf, len) == 0) {
errno = save_errno;
return 0; /* satisfied */
}
nodevrandom:
errno = EIO;
return -1;
}
static inline void
_rs_init(u_char *buf, size_t n)
{
......@@ -114,11 +180,14 @@ _rs_stir(void)
u_char rnd[KEYSZ + IVSZ];
if (getentropy(rnd, sizeof rnd) == -1) {
if(errno != ENOSYS ||
fallback_getentropy_urandom(rnd, sizeof rnd) == -1) {
#ifdef SIGKILL
raise(SIGKILL);
raise(SIGKILL);
#else
exit(9); /* windows */
exit(9); /* windows */
#endif
}
}
if (!rs)
......
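Review bot: `fallback_getentropy_urandom` never verifies that the descriptor opened on L62 is the kernel's character device, and the read loop (L73–L83) handles only `ret == -1`, so a zero-length read (`ret == 0`, e.g. end of a regular file sitting at /dev/urandom inside a chroot) leaves `i` unchanged and spins forever; `EAGAIN` is likewise retried with no wait. Without a type check, a regular file at that path feeds whatever bytes it holds into the key/IV material `rnd` (L97) that `_rs_stir` seeds from, and `fallback_gotdata` (L37–L46) only rejects the all-zero case — `O_NOFOLLOW` stops symlinks but not a plain file. The LibreSSL/OpenBSD getentropy fallback this resembles validates the fd with `fstat()`/`S_ISCHR` before reading; suggest the same here plus treating `ret == 0` as failure (`fstat` needs `<sys/stat.h>`, which I cannot see from this hunk). The rest of `_rs_stir` lies outside the hunk.
```c
	/* … unchanged: open("/dev/urandom") with EINTR retry … */
	{
		struct stat st;
		/* reject anything that is not the kernel device, e.g. a regular
		 * file sitting at that path inside a chroot */
		if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
			close(fd);
			goto nodevrandom;
		}
	}
	/* … unchanged: FD_CLOEXEC fallback, read() loop header and -1 branch … */
		if (ret == 0) {
			/* EOF before len bytes: fail instead of spinning */
			close(fd);
			goto nodevrandom;
		}
		i += ret;
	/* … unchanged: close(fd), fallback_gotdata check, nodevrandom … */
```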
......@@ -30,6 +30,9 @@
internal symbols */
#undef EXPORT_ALL_SYMBOLS
/* Define to 1 if you have the `accept4' function. */
#undef HAVE_ACCEPT4
/* Define to 1 if you have the `arc4random' function. */
#undef HAVE_ARC4RANDOM
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.7.1.
# Generated by GNU Autoconf 2.69 for unbound 1.7.2.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
......@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.7.1'
PACKAGE_STRING='unbound 1.7.1'
PACKAGE_VERSION='1.7.2'
PACKAGE_STRING='unbound 1.7.2'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
 
......@@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.7.1 to adapt to many kinds of systems.
\`configure' configures unbound 1.7.2 to adapt to many kinds of systems.
 
Usage: $0 [OPTION]... [VAR=VALUE]...
 
......@@ -1505,7 +1505,7 @@ fi
 
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.7.1:";;
short | recursive ) echo "Configuration of unbound 1.7.2:";;
esac
cat <<\_ACEOF
 
......@@ -1722,7 +1722,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.7.1
unbound configure 1.7.2
generated by GNU Autoconf 2.69
 
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
 
It was created by unbound $as_me 1.7.1, which was
It was created by unbound $as_me 1.7.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
 
$ $0 $@
......@@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1
 
UNBOUND_VERSION_MINOR=7
 
UNBOUND_VERSION_MICRO=1
UNBOUND_VERSION_MICRO=2
 
 
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=9
LIBUNBOUND_REVISION=10
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
......@@ -2848,6 +2848,7 @@ LIBUNBOUND_AGE=5
# 1.6.8 had 7:7:5
# 1.7.0 had 7:8:5
# 1.7.1 had 7:9:5
# 1.7.2 had 7:10:5
 
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
......@@ -19467,7 +19468,7 @@ else
WINDRES="$ac_cv_prog_WINDRES"
fi
 
LIBS="$LIBS -liphlpapi"
LIBS="$LIBS -liphlpapi -lcrypt32"
WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
 
WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
......@@ -19701,7 +19702,7 @@ if test "$ac_res" != no; then :
 
fi
 
for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget
for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
......@@ -20854,6 +20855,8 @@ if test "${enable_cachedb+set}" = set; then :
enableval=$enable_cachedb;
fi
 
# turn on cachedb when hiredis support is enabled.
if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
case "$enable_cachedb" in
yes)
 
......@@ -21041,7 +21044,7 @@ _ACEOF
 
 
 
version=1.7.1
version=1.7.2
 
date=`date +'%b %e, %Y'`
 
......@@ -21560,7 +21563,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.7.1, which was
This file was extended by unbound $as_me 1.7.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
 
CONFIG_FILES = $CONFIG_FILES
......@@ -21626,7 +21629,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.7.1
unbound config.status 1.7.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
 
......
......@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[7])
m4_define([VERSION_MICRO],[1])
m4_define([VERSION_MICRO],[2])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=9
LIBUNBOUND_REVISION=10
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
......@@ -79,6 +79,7 @@ LIBUNBOUND_AGE=5
# 1.6.8 had 7:7:5
# 1.7.0 had 7:8:5
# 1.7.1 had 7:9:5
# 1.7.2 had 7:10:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
......@@ -1245,7 +1246,7 @@ if test "$USE_WINSOCK" = 1; then
#include <windows.h>
])
AC_CHECK_TOOL(WINDRES, windres)
LIBS="$LIBS -liphlpapi"
LIBS="$LIBS -liphlpapi -lcrypt32"
WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
AC_SUBST(WINAPPS)
WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
......@@ -1318,7 +1319,7 @@ AC_INCLUDES_DEFAULT
#endif
])
AC_SEARCH_LIBS([setusercontext], [util])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4])
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
......@@ -1488,6 +1489,8 @@ dnsc_DNSCRYPT([
# check for cachedb if requested
AC_ARG_ENABLE(cachedb, AC_HELP_STRING([--enable-cachedb], [enable cachedb module that can use external cache storage]))
# turn on cachedb when hiredis support is enabled.
if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
case "$enable_cachedb" in
yes)
AC_DEFINE([USE_CACHEDB], [1], [Define to 1 to use cachedb support])
......
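Review bot: The new line at L295 (`if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi`) overrides an explicit `--disable-cachedb` whenever hiredis is found, because `AC_ARG_ENABLE` on L293 has already stored the user's `no` in `enable_cachedb`. If the intent (Changelog: `--with-libhiredis` also turns on cachedb) is only to supply a default, guard the assignment: `if test "$found_libhiredis" = "yes" && test -z "$enable_cachedb"; then enable_cachedb="yes"; fi`. The generated `configure` carries the same line (L219) and would pick this up on regeneration. Where `found_libhiredis` is set is outside this hunk, so I am assuming it is always defined by this point.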
......@@ -7,7 +7,7 @@ Name: unbound
Description: Library with validating, recursive, and caching DNS resolver
URL: http://www.unbound.net
Version: @PACKAGE_VERSION@
Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
Libs: -L${libdir} -lunbound
Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
Libs: -L${libdir} -lunbound -lssl -lcrypto
Libs.private: @SSLLIB@ @LIBS@
Cflags: -I${includedir}
......@@ -111,6 +111,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
control = acl_refuse_non_local;
else if(strcmp(s2, "allow_snoop") == 0)
control = acl_allow_snoop;
else if(strcmp(s2, "allow_setrd") == 0)
control = acl_allow_setrd;
else {
log_err("access control type %s unknown", str);
return 0;
......
......@@ -63,7 +63,9 @@ enum acl_access {
/** allow full access for recursion (+RD) queries */
acl_allow,
/** allow full access for all queries, recursion and cache snooping */
acl_allow_snoop
acl_allow_snoop,
/** allow full access for recursion queries and set RD flag regardless of request */
acl_allow_setrd
};
/**
......
......@@ -704,6 +704,7 @@ daemon_cleanup(struct daemon* daemon)
free(daemon->workers);
daemon->workers = NULL;
daemon->num = 0;
alloc_clear_special(&daemon->superalloc);
#ifdef USE_DNSTAP
dt_delete(daemon->dtenv);
daemon->dtenv = NULL;
......
......@@ -431,7 +431,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
fatal_exit("could not set up listen SSL_CTX");
}
if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL,
cfg->tls_cert_bundle)))
cfg->tls_cert_bundle, cfg->tls_win_cert)))
fatal_exit("could not set up connect SSL_CTX");
#endif
......
......@@ -1350,6 +1350,13 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
return ret;
}
/* If this request does not have the recursion bit set, verify
* ACLs allow the recursion bit to be treated as set. */
if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
acl == acl_allow_setrd ) {
LDNS_RD_SET(sldns_buffer_begin(c->buffer));
}
/* If this request does not have the recursion bit set, verify
* ACLs allow the snooping. */
if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
......
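Review bot: The new block (L354–L357) rewrites the RD bit in place in `c->buffer`, so everything downstream that reads the query header — the cache-snoop check directly below it (L360) and, presumably, the code that copies request flags into the reply — now sees RD=1 for a client that sent RD=0, meaning the reply will likely come back with RD set. That appears to be the intended effect of `allow_setrd`, but the comment only says the bit is "treated as set"; make the side effect explicit: `/* allow_setrd: force RD on in the request header itself, so the snoop check below and any later reader of the header flags (reply flags included) see RD=1. */`. Also, the stray space in `acl_allow_setrd )` on L355 does not match the surrounding style. `worker_handle_request` starts and ends outside the hunk.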
4 June 2018: Wouter
- Fix deadlock caused by incoming notify for auth-zone.
- tag for 1.7.2rc1
1 June 2018: Wouter
- Rename additional-tls-port to tls-additional-ports.
The older name is accepted for backwards compatibility.
30 May 2018: Wouter
- Patch from Syzdek: Add ability to ignore RD bit and treat all
requests as if the RD bit is set.
29 May 2018: Wouter
- in compat/arc4random call getentropy_urandom when getentropy fails
with ENOSYS.
- Fix that fallback for windows port.
28 May 2018: Wouter
- Fix windows tcp and tls spin on events.
- Add routine from getdns to add windows cert store to the SSL_CTX.
- tls-win-cert option that adds the system certificate store for
authenticating DNS-over-TLS connections. It can be used instead
of the tls-cert-bundle option, or with it to add certificates.
25 May 2018: Wouter
- For TCP and TLS connections that don't establish, perform address
update in infra cache, so future selections can exclude them.
- Fix that tcp sticky events are removed for closed fd on windows.
- Fix close events for tcp only.
24 May 2018: Wouter
- Fix that libunbound can do DNS-over-TLS, when configured.
- Fix that windows unbound service can use DNS-over-TLS.
- unbound-host initializes ssl (for potential DNS-over-TLS usage
inside libunbound), when ssl upstream or a cert-bundle is configured.
23 May 2018: Wouter
- Use accept4 to speed up incoming TCP (and TLS) connections,
available on Linux, FreeBSD and OpenBSD.
17 May 2018: Ralph
- Qname minimisation default changed to yes.
15 May 2018: Wouter
- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
11 May 2018: Wouter
- Fix contrib/libunbound.pc for libssl libcrypto references,
from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
7 May 2018: Wouter
- Fix windows to not have sticky TLS events for TCP.
- Fix read of DNS over TLS length and data in one read call.
- Fix mesh state assertion failure due to callback removal.
3 May 2018: Wouter
- Fix that configure --with-libhiredis also turns on cachedb.
- Fix gcc 8 buffer warning in testcode.
- Fix function type cast warning in libunbound context callback type.
2 May 2018: Wouter
- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
1 May 2018: Wouter
- Fix that unbound-control reload frees the rrset keys and returns
the memory pages to the system.
30 April 2018: Wouter
- Fix spelling error in man page and note defaults as no instead of
off.
26 April 2018: Wouter
- Fix for crash in daemon_cleanup with dnstap during reload,
from Saksham Manchanda.
- Also that for dnscrypt.
- tag for 1.7.1rc1 release.
- tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk
is from here 1.7.2 in development.
25 April 2018: Ralph
- Fix memory leak when caching wildcard records for aggressive NSEC use
......
README for Unbound 1.7.1
README for Unbound 1.7.2
Copyright 2007 NLnet Labs
http://unbound.net
......
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.7.1.
# See unbound.conf(5) man page, version 1.7.2.
#
# this is a comment.
......@@ -223,7 +223,8 @@ server:
# to this server. Specify classless netblocks with /size and action.
# By default everything is refused, except for localhost.
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
# allow_snoop (recursive and nonrecursive ok)
# deny_non_local (drop queries unless can be answered from local-data)
# refuse_non_local (like deny_non_local but polite error reply).
# access-control: 0.0.0.0/0 refuse
......@@ -372,7 +373,7 @@ server:
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible.
# qname-minimisation: no
# qname-minimisation: yes
# QNAME minimisation in strict mode. Do not fall-back to sending full
# QNAME to potentially broken nameservers. A lot of domains will not be
......@@ -681,8 +682,11 @@ server:
# Certificates used to authenticate connections made upstream.
# tls-cert-bundle: ""
# Add system certs to the cert bundle, from the Windows Cert Store
# tls-win-cert: no
# Also serve tls on these port numbers (eg. 443, ...), by listing
# additional-tls-port: portno for each of the port numbers.
# tls-additional-ports: portno for each of the port numbers.
# DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
......@@ -725,7 +729,7 @@ server:
# low-rtt: 45
# select low rtt this many times out of 1000. 0 means the fast server
# select is disabled. prefetches are not sped up.
# low-rtt-pct: 0
# low-rtt-permil: 0
# Specific options for ipsecmod. unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
......
.TH "libunbound" "3" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
.TH "libunbound" "3" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
......@@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.7.1 functions.
\- Unbound DNS validating resolver 1.7.2 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
......
.TH "unbound-anchor" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
.TH "unbound-anchor" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
......
.TH "unbound-checkconf" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
.TH "unbound-checkconf" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
......
.TH "unbound-control" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
.TH "unbound-control" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
......
.TH "unbound\-host" "1" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
.TH "unbound\-host" "1" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
......
.TH "unbound" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
.TH "unbound" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
.\"
.\" unbound.8 -- unbound manual
.\"
......@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.7.1.
\- Unbound DNS validating resolver 1.7.2.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
......