Commit b5c63b39 authored by Dag-Erling Smørgrav's avatar Dag-Erling Smørgrav

Vendor import of Unbound 1.6.8.

parent 2bda7bda
# generated automatically by aclocal 1.15 -*- Autoconf -*-
# generated automatically by aclocal 1.15.1 -*- Autoconf -*-
# Copyright (C) 1996-2014 Free Software Foundation, Inc.
# Copyright (C) 1996-2017 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
......@@ -9390,7 +9390,7 @@ AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
# AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997-2014 Free Software Foundation, Inc.
# Copyright (C) 1997-2017 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
......@@ -9421,7 +9421,7 @@ AC_CONFIG_COMMANDS_PRE(
Usually this means the macro was only invoked conditionally.]])
fi])])
# Copyright (C) 2006-2014 Free Software Foundation, Inc.
# Copyright (C) 2006-2017 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.6.7.
# Generated by GNU Autoconf 2.69 for unbound 1.6.8.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
......@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.6.7'
PACKAGE_STRING='unbound 1.6.7'
PACKAGE_VERSION='1.6.8'
PACKAGE_STRING='unbound 1.6.8'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
 
......@@ -1437,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.6.7 to adapt to many kinds of systems.
\`configure' configures unbound 1.6.8 to adapt to many kinds of systems.
 
Usage: $0 [OPTION]... [VAR=VALUE]...
 
......@@ -1502,7 +1502,7 @@ fi
 
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.6.7:";;
short | recursive ) echo "Configuration of unbound 1.6.8:";;
esac
cat <<\_ACEOF
 
......@@ -1714,7 +1714,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.6.7
unbound configure 1.6.8
generated by GNU Autoconf 2.69
 
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -2423,7 +2423,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
 
It was created by unbound $as_me 1.6.7, which was
It was created by unbound $as_me 1.6.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
 
$ $0 $@
......@@ -2775,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
 
UNBOUND_VERSION_MINOR=6
 
UNBOUND_VERSION_MICRO=7
UNBOUND_VERSION_MICRO=8
 
 
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=6
LIBUNBOUND_REVISION=7
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
......@@ -2837,6 +2837,7 @@ LIBUNBOUND_AGE=5
# 1.6.5 had 7:4:5
# 1.6.6 had 7:5:5
# 1.6.7 had 7:6:5
# 1.6.8 had 7:7:5
 
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
......@@ -20694,7 +20695,7 @@ _ACEOF
 
 
 
version=1.6.7
version=1.6.8
 
date=`date +'%b %e, %Y'`
 
......@@ -21213,7 +21214,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.6.7, which was
This file was extended by unbound $as_me 1.6.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
 
CONFIG_FILES = $CONFIG_FILES
......@@ -21279,7 +21280,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.6.7
unbound config.status 1.6.8
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
 
......
......@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[6])
m4_define([VERSION_MICRO],[7])
m4_define([VERSION_MICRO],[8])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=6
LIBUNBOUND_REVISION=7
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
......@@ -76,6 +76,7 @@ LIBUNBOUND_AGE=5
# 1.6.5 had 7:4:5
# 1.6.6 had 7:5:5
# 1.6.7 had 7:6:5
# 1.6.8 had 7:7:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
......
19 January 2018: Wouter
- patch for CVE-2017-15105: vulnerability in the processing of
wildcard synthesized NSEC records.
10 October 2017: Wouter
- tag 1.6.7
......
README for Unbound 1.6.7
README for Unbound 1.6.8
Copyright 2007 NLnet Labs
http://unbound.net
......
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.6.7.
# See unbound.conf(5) man page, version 1.6.8.
#
# this is a comment.
......
.TH "libunbound" "3" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.TH "libunbound" "3" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
......@@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.6.7 functions.
\- Unbound DNS validating resolver 1.6.8 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
......
.TH "unbound-anchor" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.TH "unbound-anchor" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
......
.TH "unbound-checkconf" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.TH "unbound-checkconf" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
......
.TH "unbound-control" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.TH "unbound-control" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
......
.TH "unbound\-host" "1" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.TH "unbound\-host" "1" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
......
.TH "unbound" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.TH "unbound" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
.\"
.\" unbound.8 -- unbound manual
.\"
......@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.6.7.
\- Unbound DNS validating resolver 1.6.8.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
......
.TH "unbound.conf" "5" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.TH "unbound.conf" "5" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
......
......@@ -186,7 +186,9 @@ verifytest_rrset(struct module_env* env, struct val_env* ve,
ntohs(rrset->rk.rrset_class));
}
setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */
sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason);
/* ok to give null as qstate here, won't be used for answer section. */
sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason,
LDNS_SECTION_ANSWER, NULL);
if(vsig) {
printf("verify outcome is: %s %s\n", sec_status_to_string(sec),
reason?reason:"");
......
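Review bot: The NULL passed as qstate in the dnskeyset_verify_rrset call relies on an implicit contract that the callee never dereferences qstate when the section is LDNS_SECTION_ANSWER, and that contract is recorded only here in test code rather than at the function's declaration. Should a later change make the callee consult qstate for answer-section RRsets, this test would be the first caller to hit the NULL. I would record the rule at the dnskeyset_verify_rrset prototype (outside this diff) with a line such as `@param qstate: qstate with region; may be NULL when section is LDNS_SECTION_ANSWER.` and let the comment here point at that. The enclosing function verifytest_rrset starts before the hunk.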
......@@ -1227,17 +1227,20 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
* @param ve: validator environment (with options) for verification.
* @param tp: trust point to verify with
* @param rrset: DNSKEY rrset to verify.
* @param qstate: qstate with region.
* @return false on failure, true if verification successful.
*/
static int
verify_dnskey(struct module_env* env, struct val_env* ve,
struct trust_anchor* tp, struct ub_packed_rrset_key* rrset)
struct trust_anchor* tp, struct ub_packed_rrset_key* rrset,
struct module_qstate* qstate)
{
char* reason = NULL;
uint8_t sigalg[ALGO_NEEDS_MAX+1];
int downprot = env->cfg->harden_algo_downgrade;
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason,
qstate);
/* sigalg is ignored, it returns algorithms signalled to exist, but
* in 5011 there are no other rrsets to check. if downprot is
* enabled, then it checks that the DNSKEY is signed with all
......@@ -1276,7 +1279,8 @@ min_expiry(struct module_env* env, struct packed_rrset_data* dd)
/** Is rr self-signed revoked key */
static int
rr_is_selfsigned_revoked(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset, size_t i)
struct ub_packed_rrset_key* dnskey_rrset, size_t i,
struct module_qstate* qstate)
{
enum sec_status sec;
char* reason = NULL;
......@@ -1285,7 +1289,7 @@ rr_is_selfsigned_revoked(struct module_env* env, struct val_env* ve,
/* no algorithm downgrade protection necessary, if it is selfsigned
* revoked it can be removed. */
sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, i,
&reason);
&reason, LDNS_SECTION_ANSWER, qstate);
return (sec == sec_status_secure);
}
......@@ -1501,7 +1505,7 @@ init_events(struct trust_anchor* tp)
static void
check_contains_revoked(struct module_env* env, struct val_env* ve,
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
int* changed)
int* changed, struct module_qstate* qstate)
{
struct packed_rrset_data* dd = (struct packed_rrset_data*)
dnskey_rrset->entry.data;
......@@ -1521,7 +1525,7 @@ check_contains_revoked(struct module_env* env, struct val_env* ve,
}
if(!ta)
continue; /* key not found */
if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i)) {
if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i, qstate)) {
/* checked if there is an rrsig signed by this key. */
/* same keytag, but stored can be revoked already, so
* compare keytags, with +0 or +128(REVOKE flag) */
......@@ -2118,7 +2122,8 @@ autr_tp_remove(struct module_env* env, struct trust_anchor* tp,
}
int autr_process_prime(struct module_env* env, struct val_env* ve,
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset)
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
struct module_qstate* qstate)
{
int changed = 0;
log_assert(tp && tp->autr);
......@@ -2159,7 +2164,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
return 1; /* trust point exists */
}
/* check for revoked keys to remove immediately */
check_contains_revoked(env, ve, tp, dnskey_rrset, &changed);
check_contains_revoked(env, ve, tp, dnskey_rrset, &changed, qstate);
if(changed) {
verbose(VERB_ALGO, "autotrust: revokedkeys, reassemble");
if(!autr_assemble(tp)) {
......@@ -2175,7 +2180,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
}
}
/* verify the dnskey rrset and see if it is valid. */
if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
if(!verify_dnskey(env, ve, tp, dnskey_rrset, qstate)) {
verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
/* only increase failure count if this is not the first prime,
* this means there was a previous successful probe */
......
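Review bot: The new `@param qstate: qstate with region.` on verify_dnskey (and the identical line on autr_process_prime in autotrust.h, val_nsec_prove_nodata_dsreply in val_nsec.h and nsec3_prove_nods in val_nsec3.h) does not say whether NULL is accepted, while the unitverify.c hunk in this same import passes NULL for the answer-section case; a caller of the public autr_process_prime cannot tell from the header whether it may do the same. Nothing in these hunks checks qstate before handing it on to val_verify_DNSKEY_with_TA and dnskey_verify_rrset, so the requirement is whatever those callees impose. I would make the public contract explicit in the headers, e.g. `@param qstate: qstate with region; must not be NULL.` or `may be NULL`, whichever the callees actually support, and give the static helpers rr_is_selfsigned_revoked and check_contains_revoked the same line if their doc comments list parameters. The bodies of check_contains_revoked and autr_process_prime continue outside the hunks shown.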
......@@ -47,6 +47,7 @@ struct val_anchors;
struct trust_anchor;
struct ub_packed_rrset_key;
struct module_env;
struct module_qstate;
struct val_env;
struct sldns_buffer;
......@@ -188,12 +189,14 @@ void autr_point_delete(struct trust_anchor* tp);
* @param tp: trust anchor to process.
* @param dnskey_rrset: DNSKEY rrset probed (can be NULL if bad prime result).
* allocated in a region. Has not been validated yet.
* @param qstate: qstate with region.
* @return false if trust anchor was revoked completely.
* Otherwise logs errors to log, does not change return value.
* On errors, likely the trust point has been unchanged.
*/
int autr_process_prime(struct module_env* env, struct val_env* ve,
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset);
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
struct module_qstate* qstate);
/**
* Debug printout of rfc5011 tracked anchors
......
......@@ -176,7 +176,7 @@ val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
static int
nsec_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
char** reason)
char** reason, struct module_qstate* qstate)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
nsec->entry.data;
......@@ -185,7 +185,8 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
if(d->security == sec_status_secure)
return 1;
d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
LDNS_SECTION_AUTHORITY, qstate);
if(d->security == sec_status_secure) {
rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
return 1;
......@@ -196,7 +197,8 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
enum sec_status
val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
struct query_info* qinfo, struct reply_info* rep,
struct key_entry_key* kkey, time_t* proof_ttl, char** reason)
struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
struct module_qstate* qstate)
{
struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
......@@ -213,7 +215,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
* 1) this is a delegation point and there is no DS
* 2) this is not a delegation point */
if(nsec) {
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) {
verbose(VERB_ALGO, "NSEC RRset for the "
"referral did not verify.");
return sec_status_bogus;
......@@ -242,7 +244,8 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
i++) {
if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
continue;
if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
qstate)) {
verbose(VERB_ALGO, "NSEC for empty non-terminal "
"did not verify.");
return sec_status_bogus;
......
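Review bot: In nsec_verify_rrset the early return `if(d->security == sec_status_secure) return 1;` just above the changed call still short-circuits on the cached rrset status, so an NSEC already marked secure in the rrset cache never reaches val_verify_rrset_entry with the new LDNS_SECTION_AUTHORITY and qstate arguments. If those arguments gate an additional check (the Changelog hunk in this import ties the release to CVE-2017-15105 in wildcard-synthesized NSEC handling), an NSEC whose cache entry was marked secure under a different section or qstate would skip it on a cache hit; val_verify_rrset_entry and rrset_check_sec_status are not visible here, so this is for the author to confirm. The same pattern is in list_is_secure in val_nsec3.c (`if(d->security == sec_status_secure) continue;`). Either the cached status should be shown to be independent of section and qstate, or a comment at the early return should state why reusing it is safe.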
......@@ -46,6 +46,7 @@
#include "util/data/packed_rrset.h"
struct val_env;
struct module_env;
struct module_qstate;
struct ub_packed_rrset_key;
struct reply_info;
struct query_info;
......@@ -64,6 +65,7 @@ struct key_entry_key;
* @param kkey: key entry to use for verification of signatures.
* @param proof_ttl: if secure, the TTL of how long this proof lasts.
* @param reason: string explaining why bogus.
* @param qstate: qstate with region.
* @return security status.
* SECURE: proved absence of DS.
* INSECURE: proved that this was not a delegation point.
......@@ -73,7 +75,7 @@ struct key_entry_key;
enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
struct val_env* ve, struct query_info* qinfo,
struct reply_info* rep, struct key_entry_key* kkey,
time_t* proof_ttl, char** reason);
time_t* proof_ttl, char** reason, struct module_qstate* qstate);
/**
* nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
......
......@@ -1285,7 +1285,7 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
static int
list_is_secure(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct key_entry_key* kkey, char** reason)
struct key_entry_key* kkey, char** reason, struct module_qstate* qstate)
{
struct packed_rrset_data* d;
size_t i;
......@@ -1299,7 +1299,7 @@ list_is_secure(struct module_env* env, struct val_env* ve,
if(d->security == sec_status_secure)
continue;
d->security = val_verify_rrset_entry(env, ve, list[i], kkey,
reason);
reason, LDNS_SECTION_AUTHORITY, qstate);
if(d->security != sec_status_secure) {
verbose(VERB_ALGO, "NSEC3 did not verify");
return 0;
......@@ -1312,7 +1312,8 @@ list_is_secure(struct module_env* env, struct val_env* ve,
enum sec_status
nsec3_prove_nods(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey, char** reason)
struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
struct module_qstate* qstate)
{
rbtree_type ct;
struct nsec3_filter flt;
......@@ -1325,7 +1326,7 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
*reason = "no valid NSEC3s";
return sec_status_bogus; /* no valid NSEC3s, bogus */
}
if(!list_is_secure(env, ve, list, num, kkey, reason))
if(!list_is_secure(env, ve, list, num, kkey, reason, qstate))
return sec_status_bogus; /* not all NSEC3 records secure */
rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
filter_init(&flt, list, num, qinfo); /* init RR iterator */
......
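Review bot: The changed signature of list_is_secure puts `struct key_entry_key* kkey, char** reason, struct module_qstate* qstate)` on one line, which is wider than the wrapping used for nsec3_prove_nods in the same hunk, where the new parameter got its own continuation line. For consistency with that and the other changed signatures in this import, I would split it as `struct key_entry_key* kkey, char** reason,` followed by `struct module_qstate* qstate)`. The body of list_is_secure continues past the first hunk.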
......@@ -71,6 +71,7 @@
struct val_env;
struct regional;
struct module_env;
struct module_qstate;
struct ub_packed_rrset_key;
struct reply_info;
struct query_info;
......@@ -185,6 +186,7 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
* @param qinfo: query that is verified for.
* @param kkey: key entry that signed the NSEC3s.
* @param reason: string for bogus result.
* @param qstate: qstate with region.
* @return:
* sec_status SECURE of the proposition is proven by the NSEC3 RRs,
* BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.
......@@ -194,7 +196,8 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
enum sec_status
nsec3_prove_nods(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey, char** reason);
struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
struct module_qstate* qstate);
/**
* Prove NXDOMAIN or NODATA.
......