update unbound, fix unbound openssl issue on OS X

This commit is contained in:
Riccardo Spagni 2015-12-30 12:57:50 +02:00
parent 32a26332f8
commit 2d43ae8063
No known key found for this signature in database
GPG Key ID: 55432DF31CCD4FCD
101 changed files with 4685 additions and 3057 deletions

View File

@ -30,6 +30,15 @@ cmake_minimum_required(VERSION 2.8.7)
project(unbound C)
if (APPLE)
if (not OpenSSL_DIR)
EXECUTE_PROCESS(COMMAND brew --prefix openssl
OUTPUT_VARIABLE OPENSSL_ROOT_DIR
OUTPUT_STRIP_TRAILING_WHITESPACE)
message(STATUS "Using OpenSSL found at ${OPENSSL_ROOT_DIR}")
endif()
endif()
find_package(OpenSSL REQUIRED)
find_package(Threads)

View File

@ -38,6 +38,7 @@ UNBOUND_VERSION_MINOR=@UNBOUND_VERSION_MINOR@
UNBOUND_VERSION_MICRO=@UNBOUND_VERSION_MICRO@
ALLTARGET=@ALLTARGET@
INSTALLTARGET=@INSTALLTARGET@
SSLLIB=@SSLLIB@
# _unbound.la if pyunbound enabled.
PYUNBOUND_TARGET=@PYUNBOUND_TARGET@
@ -132,7 +133,7 @@ compat/memcmp.c compat/memmove.c compat/snprintf.c compat/strlcat.c \
compat/strlcpy.c compat/strptime.c compat/getentropy_linux.c \
compat/getentropy_osx.c compat/getentropy_solaris.c compat/getentropy_win.c \
compat/explicit_bzero.c compat/arc4random.c compat/arc4random_uniform.c \
compat/arc4_lock.c compat/sha512.c compat/reallocarray.c
compat/arc4_lock.c compat/sha512.c compat/reallocarray.c compat/isblank.c
COMPAT_OBJ=$(LIBOBJS:.o=.lo)
COMPAT_OBJ_WITHOUT_CTIME=$(LIBOBJ_WITHOUT_CTIME:.o=.lo)
COMPAT_OBJ_WITHOUT_CTIMEARC4=$(LIBOBJ_WITHOUT_CTIMEARC4:.o=.lo)
@ -242,7 +243,7 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
$(COMPAT_OBJ) $(PYUNBOUND_OBJ) \
$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ)
COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS)
COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@
LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(staticexe) -version-info @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined
@ -295,22 +296,22 @@ longtest: tests
lib: libunbound.la unbound.h
libunbound.la: $(LIBUNBOUND_OBJ_LINK)
$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) -lssl $(LIBS)
$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) $(SSLLIB) $(LIBS)
unbound$(EXEEXT): $(DAEMON_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
unbound-checkconf$(EXEEXT): $(CHECKCONF_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
unbound-control$(EXEEXT): $(CONTROL_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
unbound-host$(EXEEXT): $(HOST_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
unbound-anchor$(EXEEXT): $(UBANCHOR_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat -lssl $(LIBS)
$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS)
unbound-service-install$(EXEEXT): $(SVCINST_OBJ_LINK)
$(LINK) -o $@ $(SVCINST_OBJ_LINK) $(LIBS)
@ -322,37 +323,37 @@ anchor-update$(EXEEXT): $(ANCHORUPD_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(ANCHORUPD_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
unittest$(EXEEXT): $(UNITTEST_OBJ_LINK)
$(LINK) -o $@ $(UNITTEST_OBJ_LINK) -lssl $(LIBS)
$(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS)
testbound$(EXEEXT): $(TESTBOUND_OBJ_LINK)
$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) -lssl $(LIBS)
$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS)
lock-verify$(EXEEXT): $(LOCKVERIFY_OBJ_LINK)
$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) -lssl $(LIBS)
$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS)
petal$(EXEEXT): $(PETAL_OBJ_LINK)
$(LINK) -o $@ $(PETAL_OBJ_LINK) -lssl $(LIBS)
$(LINK) -o $@ $(PETAL_OBJ_LINK) $(SSLLIB) $(LIBS)
pktview$(EXEEXT): $(PKTVIEW_OBJ_LINK)
$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) -lssl $(LIBS)
$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS)
memstats$(EXEEXT): $(MEMSTATS_OBJ_LINK)
$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) -lssl $(LIBS)
$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
asynclook$(EXEEXT): $(ASYNCLOOK_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
streamtcp$(EXEEXT): $(STREAMTCP_OBJ_LINK)
$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) -lssl $(LIBS)
$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
perf$(EXEEXT): $(PERF_OBJ_LINK)
$(LINK) -o $@ $(PERF_OBJ_LINK) -lssl $(LIBS)
$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS)
delayer$(EXEEXT): $(DELAYER_OBJ_LINK)
$(LINK) -o $@ $(DELAYER_OBJ_LINK) -lssl $(LIBS)
$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS)
signit$(EXEEXT): testcode/signit.c
$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns -lssl $(LIBS)
$(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS)
unbound.h: $(srcdir)/libunbound/unbound.h
sed -e 's/@''UNBOUND_VERSION_MAJOR@/$(UNBOUND_VERSION_MAJOR)/' -e 's/@''UNBOUND_VERSION_MINOR@/$(UNBOUND_VERSION_MINOR)/' -e 's/@''UNBOUND_VERSION_MICRO@/$(UNBOUND_VERSION_MICRO)/' < $(srcdir)/libunbound/unbound.h > $@
@ -566,7 +567,7 @@ DEPEND_TARGET2=Makefile.in
# then, remove srcdir from the (generated) parser and lexer.
# and mention the .lo
depend:
(cd $(srcdir) ; $(CC) $(DEPFLAG) $(CPPFLAGS) $(CFLAGS) $(ALL_SRC) $(COMPAT_SRC)) | \
(cd $(srcdir) ; $(CC) $(DEPFLAG) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ $(ALL_SRC) $(COMPAT_SRC)) | \
sed -e 's!'$$HOME'[^ ]* !!g' -e 's!'$$HOME'[^ ]*$$!!g' \
-e 's!/usr[^ ]* !!g' -e 's!/usr[^ ]*$$!!g' \
-e 's!/opt[^ ]* !!g' -e 's!/opt[^ ]*$$!!g' | \
@ -644,7 +645,7 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
$(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
$(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
@ -727,8 +728,7 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h
alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@ -776,14 +776,12 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/dnstap/dnstap.h \
$(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
$(srcdir)/dnstap/dnstap.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/wire2str.h \
$(srcdir)/sldns/wire2str.h
random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@ -818,8 +816,7 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
$(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/services/modstack.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
@ -844,18 +841,16 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
$(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h \
$(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/validator.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
@ -867,17 +862,15 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
$(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/sldns/sbuffer.h \
$(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/sldns/sbuffer.h
val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@ -895,11 +888,6 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
$(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/testcode/checklocks.h
dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
$(srcdir)/dnstap/dnstap.h \
$(srcdir)/dnstap/dnstap.pb-c.h
dnstap.pb-c.lo dnstap.pb-c.o: $(srcdir)/dnstap/dnstap.pb-c.c $(srcdir)/dnstap/dnstap.pb-c.h
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@ -908,8 +896,7 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
@ -947,38 +934,35 @@ unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/lo
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
$(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h \
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
$(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/sldns/str2wire.h
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
$(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
$(srcdir)/daemon/remote.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
$(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@ -1002,35 +986,33 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/remote.h \
$(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/mini_event.h \
$(srcdir)/util/rbtree.h
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h \
$(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/libworker.h
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
$(srcdir)/daemon/remote.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
$(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@ -1046,12 +1028,12 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
@ -1059,14 +1041,13 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
@ -1141,19 +1122,18 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
$(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/services/localzone.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
$(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
$(srcdir)/util/netevent.h $(srcdir)/services/mesh.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
$(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
$(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@ -1164,21 +1144,18 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
@ -1191,8 +1168,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
$(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
$(srcdir)/winrc/w_inst.h
@ -1200,14 +1176,11 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
$(srcdir)/winrc/w_inst.h
anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/sldns/rrdef.h \
keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/keyraw.h \
$(srcdir)/sldns/keyraw.h
parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/sbuffer.h
parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@ -1227,8 +1200,7 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
@ -1238,3 +1210,4 @@ arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.
arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h $(srcdir)/util/locks.h
sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h

View File

@ -2,7 +2,11 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
# Version 27
# Version 31
# 2015-12-11 FLTO check for new OSX, clang.
# 2015-11-18 spelling check fix.
# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
# 2013-09-19 FLTO help text improved.
# 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
@ -23,7 +27,7 @@
# 2010-07-02 Add check for ss_family (for minix).
# 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS.
# 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end.
# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS seperate, -ldl
# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS separate, -ldl
# 2010-02-01 added ACX_CHECK_MEMCMP_SIGNED, AHX_MEMCMP_BROKEN
# 2010-01-20 added AHX_COONFIG_STRLCAT
# 2009-07-14 U_CHAR detection improved for windows crosscompile.
@ -94,6 +98,8 @@
# ACX_CHECK_MEMCMP_SIGNED - check if memcmp uses signed characters.
# AHX_MEMCMP_BROKEN - replace memcmp func for CHECK_MEMCMP_SIGNED.
# ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family
# ACX_CHECK_PIE - add --enable-pie option and check if works
# ACX_CHECK_RELRO_NOW - add --enable-relro-now option and check it
#
dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines.
@ -418,7 +424,7 @@ AC_DEFUN([ACX_CHECK_FLTO], [
BAKCFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -flto"
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
if $CC $CFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
if $CC $CFLAGS -o conftest conftest.c 2>&1 | $GREP -e "warning: no debug symbols in executable" -e "warning: object" >/dev/null; then
CFLAGS="$BAKCFLAGS"
AC_MSG_RESULT(no)
else
@ -712,12 +718,6 @@ AC_DEFUN([ACX_SSL_CHECKS], [
fi
AC_SUBST(HAVE_SSL)
AC_SUBST(RUNTIME_PATH)
# openssl engine functionality needs dlopen().
BAKLIBS="$LIBS"
AC_SEARCH_LIBS([dlopen], [dl])
if test "$LIBS" != "$BAKLIBS"; then
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
fi
fi
AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
@ -1386,4 +1386,46 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY],
#endif
]) ])
dnl Check if CC and linker support -fPIE and -pie.
dnl If so, sets them in CFLAGS / LDFLAGS.
AC_DEFUN([ACX_CHECK_PIE], [
AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)]))
AS_IF([test "x$enable_pie" = "xyes"], [
AC_MSG_CHECKING([if $CC supports PIE])
BAKLDFLAGS="$LDFLAGS"
BAKCFLAGS="$CFLAGS"
LDFLAGS="$LDFLAGS -pie"
CFLAGS="$CFLAGS -fPIE"
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
LDFLAGS="$BAKLDFLAGS"
AC_MSG_RESULT(no)
else
AC_MSG_RESULT(yes)
fi
rm -f conftest conftest.c conftest.o
], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
])
])
dnl Check if linker supports -Wl,-z,relro,-z,now.
dnl If so, adds it to LDFLAGS.
AC_DEFUN([ACX_CHECK_RELRO_NOW], [
AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)]))
AS_IF([test "x$enable_relro_now" = "xyes"], [
AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now])
BAKLDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
LDFLAGS="$BAKLDFLAGS"
AC_MSG_RESULT(no)
else
AC_MSG_RESULT(yes)
fi
rm -f conftest conftest.c conftest.o
], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)])
])
])
dnl End of file

View File

@ -82,7 +82,7 @@
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 20
#serial 21
AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
AC_DEFUN([AX_PTHREAD], [
@ -103,8 +103,8 @@ if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
save_LIBS="$LIBS"
LIBS="$PTHREAD_LIBS $LIBS"
AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS])
AC_TRY_LINK_FUNC(pthread_join, ax_pthread_ok=yes)
AC_MSG_RESULT($ax_pthread_ok)
AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes])
AC_MSG_RESULT([$ax_pthread_ok])
if test x"$ax_pthread_ok" = xno; then
PTHREAD_LIBS=""
PTHREAD_CFLAGS=""
@ -164,6 +164,20 @@ case ${host_os} in
;;
esac
# Clang doesn't consider unrecognized options an error unless we specify
# -Werror. We throw in some extra Clang-specific options to ensure that
# this doesn't happen for GCC, which also accepts -Werror.
AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags])
save_CFLAGS="$CFLAGS"
ax_pthread_extra_flags="-Werror"
CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])],
[AC_MSG_RESULT([yes])],
[ax_pthread_extra_flags=
AC_MSG_RESULT([no])])
CFLAGS="$save_CFLAGS"
if test x"$ax_pthread_ok" = xno; then
for flag in $ax_pthread_flags; do
@ -178,7 +192,7 @@ for flag in $ax_pthread_flags; do
;;
pthread-config)
AC_CHECK_PROG(ax_pthread_config, pthread-config, yes, no)
AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
if test x"$ax_pthread_config" = xno; then continue; fi
PTHREAD_CFLAGS="`pthread-config --cflags`"
PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
@ -193,7 +207,7 @@ for flag in $ax_pthread_flags; do
save_LIBS="$LIBS"
save_CFLAGS="$CFLAGS"
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags"
# Check for various functions. We must include pthread.h,
# since some functions may be macros. (On the Sequent, we
@ -219,7 +233,7 @@ for flag in $ax_pthread_flags; do
LIBS="$save_LIBS"
CFLAGS="$save_CFLAGS"
AC_MSG_RESULT($ax_pthread_ok)
AC_MSG_RESULT([$ax_pthread_ok])
if test "x$ax_pthread_ok" = xyes; then
break;
fi
@ -245,9 +259,9 @@ if test "x$ax_pthread_ok" = xyes; then
[attr_name=$attr; break],
[])
done
AC_MSG_RESULT($attr_name)
AC_MSG_RESULT([$attr_name])
if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then
AC_DEFINE_UNQUOTED(PTHREAD_CREATE_JOINABLE, $attr_name,
AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name],
[Define to necessary symbol if this constant
uses a non-standard name on your system.])
fi
@ -261,24 +275,25 @@ if test "x$ax_pthread_ok" = xyes; then
if test "$GCC" = "yes"; then
flag="-D_REENTRANT"
else
# TODO: What about Clang on Solaris?
flag="-mt -D_REENTRANT"
fi
;;
esac
AC_MSG_RESULT(${flag})
AC_MSG_RESULT([$flag])
if test "x$flag" != xno; then
PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
fi
AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
ax_cv_PTHREAD_PRIO_INHERIT, [
AC_LINK_IFELSE([
AC_LANG_PROGRAM([[#include <pthread.h>]], [[int i = PTHREAD_PRIO_INHERIT;]])],
[ax_cv_PTHREAD_PRIO_INHERIT], [
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
[[int i = PTHREAD_PRIO_INHERIT;]])],
[ax_cv_PTHREAD_PRIO_INHERIT=yes],
[ax_cv_PTHREAD_PRIO_INHERIT=no])
])
AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"],
AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], 1, [Have PTHREAD_PRIO_INHERIT.]))
[AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])])
LIBS="$save_LIBS"
CFLAGS="$save_CFLAGS"
@ -301,13 +316,13 @@ fi
test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
AC_SUBST(PTHREAD_LIBS)
AC_SUBST(PTHREAD_CFLAGS)
AC_SUBST(PTHREAD_CC)
AC_SUBST([PTHREAD_LIBS])
AC_SUBST([PTHREAD_CFLAGS])
AC_SUBST([PTHREAD_CC])
# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
if test x"$ax_pthread_ok" = xyes; then
ifelse([$1],,AC_DEFINE(HAVE_PTHREAD,1,[Define if you have POSIX threads libraries and header files.]),[$1])
ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
:
else
ax_pthread_ok=no

View File

@ -26,7 +26,9 @@
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

View File

@ -46,7 +46,12 @@
#include <errno.h>
#include <unistd.h>
#include <time.h>
#if defined(HAVE_SSL)
#include <openssl/sha.h>
#elif defined(HAVE_NETTLE)
#include <nettle/sha.h>
#endif
#include <linux/types.h>
#include <linux/random.h>
@ -67,9 +72,21 @@
HD(b); \
} while (0)
#if defined(HAVE_SSL)
#define CRYPTO_SHA512_CTX SHA512_CTX
#define CRYPTO_SHA512_INIT(x) SHA512_Init(x)
#define CRYPTO_SHA512_FINAL(r, c) SHA512_Final(r, c)
#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
#define HD(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
#define HF(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (void*)))
#elif defined(HAVE_NETTLE)
#define CRYPTO_SHA512_CTX struct sha512_ctx
#define CRYPTO_SHA512_INIT(x) sha512_init(x)
#define CRYPTO_SHA512_FINAL(r, c) sha512_digest(c, SHA512_DIGEST_SIZE, r)
#define HR(x, l) (sha512_update(&ctx, (l), (uint8_t *)(x)))
#define HD(x) (sha512_update(&ctx, sizeof (x), (uint8_t *)&(x)))
#define HF(x) (sha512_update(&ctx, sizeof (void*), (uint8_t *)&(x)))
#endif
int getentropy(void *buf, size_t len);
@ -122,7 +139,7 @@ getentropy(void *buf, size_t len)
* Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID.
* sysctl is a failsafe API, so it guarantees a result. This
* should work inside a chroot, or when file descriptors are
* exhuasted.
* exhausted.
*
* However this can fail if the Linux kernel removes support
* for sysctl. Starting in 2007, there have been efforts to
@ -337,7 +354,7 @@ getentropy_fallback(void *buf, size_t len)
struct rusage ru;
sigset_t sigset;
struct stat st;
SHA512_CTX ctx;
CRYPTO_SHA512_CTX ctx;
static pid_t lastpid;
pid_t pid;
size_t i, ii, m;
@ -354,7 +371,7 @@ getentropy_fallback(void *buf, size_t len)
}
for (i = 0; i < len; ) {
int j;
SHA512_Init(&ctx);
CRYPTO_SHA512_INIT(&ctx);
for (j = 0; j < repeat; j++) {
HX((e = gettimeofday(&tv, NULL)) == -1, tv);
if (e != -1) {
@ -526,7 +543,7 @@ getentropy_fallback(void *buf, size_t len)
# endif
#endif /* HAVE_GETAUXVAL */
SHA512_Final(results, &ctx);
CRYPTO_SHA512_FINAL(results, &ctx);
memcpy((char*)buf + i, results, min(sizeof(results), len - i));
i += min(sizeof(results), len - i);
}

View File

@ -30,7 +30,9 @@
#include <sys/stat.h>
#include <sys/time.h>
#include <stdlib.h>
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
#include <stdio.h>
#include <termios.h>
#include <fcntl.h>
@ -39,10 +41,14 @@
#include <errno.h>
#include <unistd.h>
#include <time.h>
#ifdef HAVE_SYS_SHA2_H
#include <sys/sha2.h>
#define SHA512_Init SHA512Init
#define SHA512_Update SHA512Update
#define SHA512_Final SHA512Final
#else
#include "openssl/sha.h"
#endif
#include <sys/vfs.h>
#include <sys/statfs.h>

45
external/unbound/compat/isblank.c vendored Normal file
View File

@ -0,0 +1,45 @@
/* isblank - compatibility implementation of isblank
*
* Copyright (c) 2015, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
/* return true for a blank character: space or tab */
int isblank(int c);
/* implementation of isblank. unsigned char is the argument */
int
isblank(int c)
{
return (c==' ' || c=='\t');
}

View File

@ -18,7 +18,10 @@
#include "config.h"
#include <sys/types.h>
#include <errno.h>
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
#include <limits.h>
#include <stdlib.h>
/*

View File

@ -70,7 +70,7 @@ unsigned char *SHA512(void *data, unsigned int data_len, unsigned char *digest);
* Please make sure that your system defines BYTE_ORDER. If your
* architecture is little-endian, make sure it also defines
* LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
* equivilent.
* equivalent.
*
* If your system does not define the above, then you can do so by
* hand like this:

View File

@ -42,6 +42,7 @@
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
#include <limits.h>
/* for test */
/* #define SNPRINTF_TEST 1 */
@ -428,7 +429,7 @@ print_num_llp(char** at, size_t* left, int* ret, void* value,
char buf[PRINT_DEC_BUFSZ];
int negative = 0;
int zero = (value == 0);
#if defined(UINTPTR_MAX) && defined(UINT32_MAX) && (UINTPTR_MAX == UINT32_MAX)
#if defined(SIZE_MAX) && defined(UINT32_MAX) && (UINT32_MAX == SIZE_MAX || INT32_MAX == SIZE_MAX)
/* avoid warning about upcast on 32bit systems */
unsigned long long llvalue = (unsigned long)value;
#else

View File

@ -97,6 +97,10 @@
don't. */
#cmakedefine HAVE_DECL_STRLCPY
/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
you don't. */
#cmakedefine HAVE_DECL_XML_STOPPARSER
/* Define to 1 if you have the <dlfcn.h> header file. */
#cmakedefine HAVE_DLFCN_H
@ -154,6 +158,9 @@
/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
#cmakedefine HAVE_FSEEKO
/* Define to 1 if you have the `fsync' function. */
#cmakedefine HAVE_FSYNC
/* Whether getaddrinfo is available */
#cmakedefine HAVE_GETADDRINFO
@ -208,6 +215,9 @@
/* Define to 1 if you have the <iphlpapi.h> header file. */
#cmakedefine HAVE_IPHLPAPI_H
/* Define to 1 if you have the `isblank' function. */
#undef HAVE_ISBLANK
/* Define to 1 if you have the `kill' function. */
#cmakedefine HAVE_KILL
@ -235,6 +245,9 @@
/* Define to 1 if you have the <netinet/in.h> header file. */
#cmakedefine HAVE_NETINET_IN_H
/* Use libnettle for crypto */
#cmakedefine HAVE_NETTLE
/* Use libnss for crypto */
#cmakedefine HAVE_NSS
@ -283,7 +296,7 @@
/* Define to 1 if you have the `recvmsg' function. */
#cmakedefine HAVE_RECVMSG
/* Define to 1 if you have the `sbrk' function. */
/* define if you have the sbrk() call */
#cmakedefine HAVE_SBRK
/* Define to 1 if you have the `sendmsg' function. */
@ -538,6 +551,9 @@
/* The size of `time_t', as computed by sizeof. */
#undef SIZEOF_TIME_T
/* define if (v)snprintf does not return length needed, (but length used) */
#undef SNPRINTF_RET_BROKEN
/* Define to 1 if you have the ANSI C header files. */
#cmakedefine STDC_HEADERS
@ -861,13 +877,13 @@
#endif
#ifndef HAVE_SNPRINTF
#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
#define snprintf snprintf_unbound
#define vsnprintf vsnprintf_unbound
#include <stdarg.h>
int snprintf (char *str, size_t count, const char *fmt, ...);
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
#endif /* HAVE_SNPRINTF */
#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
#ifndef HAVE_INET_PTON
@ -964,6 +980,11 @@ int memcmp(const void *x, const void *y, size_t n);
char *ctime_r(const time_t *timep, char *buf);
#endif
#ifndef HAVE_ISBLANK
#define isblank unbound_isblank
int isblank(int c);
#endif
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
#define strptime unbound_strptime
struct tm;

View File

@ -94,6 +94,10 @@
don't. */
#undef HAVE_DECL_STRLCPY
/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
you don't. */
#undef HAVE_DECL_XML_STOPPARSER
/* Define to 1 if you have the <dlfcn.h> header file. */
#undef HAVE_DLFCN_H
@ -151,6 +155,9 @@
/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
#undef HAVE_FSEEKO
/* Define to 1 if you have the `fsync' function. */
#undef HAVE_FSYNC
/* Whether getaddrinfo is available */
#undef HAVE_GETADDRINFO
@ -205,6 +212,9 @@
/* Define to 1 if you have the <iphlpapi.h> header file. */
#undef HAVE_IPHLPAPI_H
/* Define to 1 if you have the `isblank' function. */
#undef HAVE_ISBLANK
/* Define to 1 if you have the `kill' function. */
#undef HAVE_KILL
@ -232,6 +242,9 @@
/* Define to 1 if you have the <netinet/in.h> header file. */
#undef HAVE_NETINET_IN_H
/* Use libnettle for crypto */
#undef HAVE_NETTLE
/* Use libnss for crypto */
#undef HAVE_NSS
@ -280,7 +293,7 @@
/* Define to 1 if you have the `recvmsg' function. */
#undef HAVE_RECVMSG
/* Define to 1 if you have the `sbrk' function. */
/* define if you have the sbrk() call */
#undef HAVE_SBRK
/* Define to 1 if you have the `sendmsg' function. */
@ -535,6 +548,9 @@
/* The size of `time_t', as computed by sizeof. */
#undef SIZEOF_TIME_T
/* define if (v)snprintf does not return length needed, (but length used) */
#undef SNPRINTF_RET_BROKEN
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
@ -848,15 +864,13 @@
#define MAXHOSTNAMELEN 256
#endif
#ifndef HAVE_SNPRINTF
#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
#define snprintf snprintf_unbound
#define vsnprintf vsnprintf_unbound
#include <stdarg.h>
int snprintf (char *str, size_t count, const char *fmt, ...);
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
#endif /* HAVE_SNPRINTF */
#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
#ifndef HAVE_INET_PTON
#define inet_pton inet_pton_unbound
@ -952,6 +966,11 @@ int memcmp(const void *x, const void *y, size_t n);
char *ctime_r(const time_t *timep, char *buf);
#endif
#ifndef HAVE_ISBLANK
#define isblank unbound_isblank
int isblank(int c);
#endif
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
#define strptime unbound_strptime
struct tm;

View File

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.5.5.
# Generated by GNU Autoconf 2.69 for unbound 1.5.8.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.5.5'
PACKAGE_STRING='unbound 1.5.5'
PACKAGE_VERSION='1.5.8'
PACKAGE_STRING='unbound 1.5.8'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@ -661,6 +661,7 @@ CHECKLOCK_OBJ
staticexe
UNBOUND_EVENT_UNINSTALL
UNBOUND_EVENT_INSTALL
SSLLIB
HAVE_SSL
CONFIG_DATE
NETBSD_LINTFLAGS
@ -683,6 +684,7 @@ PYTHON_LDFLAGS
PYTHON_CPPFLAGS
PYTHON
PYTHON_VERSION
PTHREAD_CFLAGS_ONLY
PTHREAD_CFLAGS
PTHREAD_LIBS
PTHREAD_CC
@ -804,6 +806,8 @@ with_username
enable_checking
enable_debug
enable_flto
enable_pie
enable_relro_now
enable_shared
enable_static
with_pic
@ -821,6 +825,7 @@ with_solaris_threads
with_pyunbound
with_pythonmodule
with_nss
with_nettle
with_ssl
enable_sha2
enable_gost
@ -1389,7 +1394,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.5.5 to adapt to many kinds of systems.
\`configure' configures unbound 1.5.8 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1454,7 +1459,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.5.5:";;
short | recursive ) echo "Configuration of unbound 1.5.8:";;
esac
cat <<\_ACEOF
@ -1465,6 +1470,10 @@ Optional Features:
--enable-checking Enable warnings, asserts, makefile-dependencies
--enable-debug same as enable-checking
--disable-flto Disable link-time optimization (gcc specific option)
--enable-pie Enable Position-Independent Executable (eg. to fully
benefit from ASLR, small performance penalty)
--enable-relro-now Enable full relocation binding at load-time (RELRO
NOW, to protect GOT and .dtor areas)
--enable-shared[=PKGS] build shared libraries [default=yes]
--enable-static[=PKGS] build static libraries [default=yes]
--enable-fast-install[=PKGS]
@ -1528,6 +1537,7 @@ Optional Packages:
--with-pythonmodule build Python module, or --without-pythonmodule to
disable script engine. (default=no)
--with-nss=path use libnss instead of openssl, installed at path.
--with-nettle=path use libnettle as crypto library, installed at path.
--with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl
/usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
/usr)
@ -1629,7 +1639,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.5.5
unbound configure 1.5.8
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2338,7 +2348,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.5.5, which was
It was created by unbound $as_me 1.5.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2690,11 +2700,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=5
UNBOUND_VERSION_MICRO=5
UNBOUND_VERSION_MICRO=8
LIBUNBOUND_CURRENT=5
LIBUNBOUND_REVISION=7
LIBUNBOUND_REVISION=11
LIBUNBOUND_AGE=3
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2738,6 +2748,10 @@ LIBUNBOUND_AGE=3
# 1.5.2 had 5:5:3
# 1.5.3 had 5:6:3
# 1.5.4 had 5:7:3
# 1.5.5 had 5:8:3
# 1.5.6 had 5:9:3
# 1.5.7 had 5:10:3
# 1.5.8 had 5:11:3
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -5859,7 +5873,7 @@ main ()
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
if $CC $CFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
if $CC $CFLAGS -o conftest conftest.c 2>&1 | $GREP -e "warning: no debug symbols in executable" -e "warning: object" >/dev/null; then
CFLAGS="$BAKCFLAGS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
@ -5879,6 +5893,96 @@ rm -f core conftest.err conftest.$ac_objext \
fi
# Check whether --enable-pie was given.
if test "${enable_pie+set}" = set; then :
enableval=$enable_pie;
fi
if test "x$enable_pie" = "xyes"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports PIE" >&5
$as_echo_n "checking if $CC supports PIE... " >&6; }
BAKLDFLAGS="$LDFLAGS"
BAKCFLAGS="$CFLAGS"
LDFLAGS="$LDFLAGS -pie"
CFLAGS="$CFLAGS -fPIE"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
LDFLAGS="$BAKLDFLAGS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
fi
rm -f conftest conftest.c conftest.o
else
LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
fi
# Check whether --enable-relro_now was given.
if test "${enable_relro_now+set}" = set; then :
enableval=$enable_relro_now;
fi
if test "x$enable_relro_now" = "xyes"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wl,-z,relro,-z,now" >&5
$as_echo_n "checking if $CC supports -Wl,-z,relro,-z,now... " >&6; }
BAKLDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
LDFLAGS="$BAKLDFLAGS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
fi
rm -f conftest conftest.c conftest.o
else
LDFLAGS="$BAKLDFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5
$as_echo_n "checking for inline... " >&6; }
if ${ac_cv_c_inline+:} false; then :
@ -15421,6 +15525,37 @@ case ${host_os} in
;;
esac
# Clang doesn't consider unrecognized options an error unless we specify
# -Werror. We throw in some extra Clang-specific options to ensure that
# this doesn't happen for GCC, which also accepts -Werror.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler needs -Werror to reject unknown flags" >&5
$as_echo_n "checking if compiler needs -Werror to reject unknown flags... " >&6; }
save_CFLAGS="$CFLAGS"
ax_pthread_extra_flags="-Werror"
CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int foo(void);
int
main ()
{
foo()
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
else
ax_pthread_extra_flags=
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS="$save_CFLAGS"
if test x"$ax_pthread_ok" = xno; then
for flag in $ax_pthread_flags; do
@ -15490,7 +15625,7 @@ $as_echo_n "checking for the pthreads library -l$flag... " >&6; }
save_LIBS="$LIBS"
save_CFLAGS="$CFLAGS"
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags"
# Check for various functions. We must include pthread.h,
# since some functions may be macros. (On the Sequent, we
@ -15588,12 +15723,13 @@ $as_echo_n "checking if more special flags are required for pthreads... " >&6; }
if test "$GCC" = "yes"; then
flag="-D_REENTRANT"
else
# TODO: What about Clang on Solaris?
flag="-mt -D_REENTRANT"
fi
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${flag}" >&5
$as_echo "${flag}" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $flag" >&5
$as_echo "$flag" >&6; }
if test "x$flag" != xno; then
PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
fi
@ -15606,8 +15742,7 @@ else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <pthread.h>
#include <pthread.h>
int
main ()
{
@ -15739,6 +15874,43 @@ _ACEOF
fi
if echo "$CFLAGS" | grep -e "-pthread" >/dev/null; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -pthread unused during linking" >&5
$as_echo_n "checking if -pthread unused during linking... " >&6; }
# catch clang warning 'argument unused during compilation'
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
$ac_includes_default
int main(void) {return 0;}
_ACEOF
pthread_unused="yes"
# first compile
echo "$CC $CFLAGS -c conftest.c -o conftest.o" >&5
$CC $CFLAGS -c conftest.c -o conftest.o 2>&5 >&5
if test $? = 0; then
# then link
echo "$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest contest.o" >&5
$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest conftest.o 2>&5 >&5
if test $? -ne 0; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
CFLAGS=`echo "$CFLAGS" | sed -e 's/-pthread//'`
PTHREAD_CFLAGS_ONLY="-pthread"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi # endif cc successful
rm -f conftest conftest.c conftest.o
fi # endif -pthread in CFLAGS
:
else
ax_pthread_ok=no
@ -16101,7 +16273,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
as_fn_error $? "Python version >= 2.4.0 is required" "$LINENO" 5
fi
PY_MAJOR_VERSION="`$PYTHON -c "import sys; print(sys.version_info.major)"`"
PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"
# Have Python
@ -16309,13 +16481,44 @@ $as_echo "#define HAVE_NSS 1" >>confdefs.h
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
fi
LIBS="$LIBS -lnss3 -lnspr4"
SSLLIB=""
fi
# libnettle
USE_NETTLE="no"
# Check whether --with-nettle was given.
if test "${with_nettle+set}" = set; then :
withval=$with_nettle;
USE_NETTLE="yes"
$as_echo "#define HAVE_NETTLE 1" >>confdefs.h
if test "$withval" != "" -a "$withval" != "yes"; then
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
LDFLAGS="$LDFLAGS -L$withval/lib"
if test "x$enable_rpath" = xyes; then
if echo "$withval/lib" | grep "^/" >/dev/null; then
RUNTIME_PATH="$RUNTIME_PATH -R$withval/lib"
fi
fi
else
CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
fi
LIBS="$LIBS -lhogweed -lnettle -lgmp"
SSLLIB=""
fi
# openssl
if test $USE_NSS = "no"; then
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
# Check whether --with-ssl was given.
@ -16484,67 +16687,6 @@ rm -f core conftest.err conftest.$ac_objext \
fi
# openssl engine functionality needs dlopen().
BAKLIBS="$LIBS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
$as_echo_n "checking for library containing dlopen... " >&6; }
if ${ac_cv_search_dlopen+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char dlopen ();
int
main ()
{
return dlopen ();
;
return 0;
}
_ACEOF
for ac_lib in '' dl; do
if test -z "$ac_lib"; then
ac_res="none required"
else
ac_res=-l$ac_lib
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
fi
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_search_dlopen=$ac_res
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
if ${ac_cv_search_dlopen+:} false; then :
break
fi
done
if ${ac_cv_search_dlopen+:} false; then :
else
ac_cv_search_dlopen=no
fi
rm conftest.$ac_ext
LIBS=$ac_func_search_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
$as_echo "$ac_cv_search_dlopen" >&6; }
ac_res=$ac_cv_search_dlopen
if test "$ac_res" != no; then :
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
fi
if test "$LIBS" != "$BAKLIBS"; then
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
fi
fi
for ac_header in openssl/ssl.h
do :
@ -16682,6 +16824,7 @@ fi
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
SSLLIB="-lssl"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
$as_echo_n "checking for LibreSSL... " >&6; }
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
@ -16879,6 +17022,7 @@ _ACEOF
fi
# Check whether --enable-sha2 was given.
if test "${enable_sha2+set}" = set; then :
enableval=$enable_sha2;
@ -16902,7 +17046,7 @@ if test "${enable_gost+set}" = set; then :
fi
use_gost="no"
if test $USE_NSS = "no"; then
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
case "$enable_gost" in
no)
;;
@ -17055,7 +17199,7 @@ case "$enable_ecdsa" in
no)
;;
*)
if test $USE_NSS = "no"; then
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
@ -17546,6 +17690,20 @@ fi
done
ac_fn_c_check_decl "$LINENO" "XML_StopParser" "ac_cv_have_decl_XML_StopParser" "$ac_includes_default
#include <expat.h>
"
if test "x$ac_cv_have_decl_XML_StopParser" = xyes; then :
ac_have_decl=1
else
ac_have_decl=0
fi
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_XML_STOPPARSER $ac_have_decl
_ACEOF
# set static linking if requested
@ -18003,7 +18161,7 @@ if test "$ac_res" != no; then :
fi
for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent
for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -18062,6 +18220,33 @@ fi
done
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sbrk" >&5
$as_echo_n "checking for sbrk... " >&6; }
# catch the warning of deprecated sbrk
old_cflags="$CFLAGS"
CFLAGS="$CFLAGS -Werror"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
$ac_includes_default
int main(void) { void* cur = sbrk(0); printf("%u\n", (unsigned)(size_t)((char*)cur - (char*)sbrk(0))); return 0; }
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
$as_echo "#define HAVE_SBRK 1" >>confdefs.h
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS="$old_cflags"
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
if echo $build_os | grep darwin8 > /dev/null; then
@ -18124,6 +18309,48 @@ esac
fi
# test if snprintf return the proper length
if test "x$ac_cv_func_snprintf" = xyes; then
if test c${cross_compiling} = cno; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for correct snprintf return value" >&5
$as_echo_n "checking for correct snprintf return value... " >&6; }
if test "$cross_compiling" = yes; then :
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "cannot run test program while cross compiling
See \`config.log' for more details" "$LINENO" 5; }
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
$ac_includes_default
int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
_ACEOF
if ac_fn_c_try_run "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
$as_echo "#define SNPRINTF_RET_BROKEN /**/" >>confdefs.h
case " $LIBOBJS " in
*" snprintf.$ac_objext "* ) ;;
*) LIBOBJS="$LIBOBJS snprintf.$ac_objext"
;;
esac
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
fi
fi
ac_fn_c_check_func "$LINENO" "strlcat" "ac_cv_func_strlcat"
if test "x$ac_cv_func_strlcat" = xyes; then :
$as_echo "#define HAVE_STRLCAT 1" >>confdefs.h
@ -18180,6 +18407,20 @@ esac
fi
ac_fn_c_check_func "$LINENO" "isblank" "ac_cv_func_isblank"
if test "x$ac_cv_func_isblank" = xyes; then :
$as_echo "#define HAVE_ISBLANK 1" >>confdefs.h
else
case " $LIBOBJS " in
*" isblank.$ac_objext "* ) ;;
*) LIBOBJS="$LIBOBJS isblank.$ac_objext"
;;
esac
fi
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
@ -18920,7 +19161,7 @@ _ACEOF
version=1.5.5
version=1.5.8
date=`date +'%b %e, %Y'`
@ -19435,7 +19676,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.5.5, which was
This file was extended by unbound $as_me 1.5.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -19501,7 +19742,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.5.5
unbound config.status 1.5.8
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

View File

@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[5])
m4_define([VERSION_MICRO],[5])
m4_define([VERSION_MICRO],[8])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=5
LIBUNBOUND_REVISION=7
LIBUNBOUND_REVISION=11
LIBUNBOUND_AGE=3
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -61,6 +61,10 @@ LIBUNBOUND_AGE=3
# 1.5.2 had 5:5:3
# 1.5.3 had 5:6:3
# 1.5.4 had 5:7:3
# 1.5.5 had 5:8:3
# 1.5.6 had 5:9:3
# 1.5.7 had 5:10:3
# 1.5.8 had 5:11:3
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -246,6 +250,8 @@ case "$debug_enabled" in
;;
esac
ACX_CHECK_FLTO
ACX_CHECK_PIE
ACX_CHECK_RELRO_NOW
AC_C_INLINE
ACX_CHECK_FORMAT_ATTRIBUTE
@ -412,6 +418,36 @@ if test x_$withval != x_no; then
CC="$PTHREAD_CC"
ub_have_pthreads=yes
AC_CHECK_TYPES([pthread_spinlock_t, pthread_rwlock_t],,,[#include <pthread.h>])
if echo "$CFLAGS" | grep -e "-pthread" >/dev/null; then
AC_MSG_CHECKING([if -pthread unused during linking])
# catch clang warning 'argument unused during compilation'
AC_LANG_CONFTEST([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
[[
int main(void) {return 0;}
]])])
pthread_unused="yes"
# first compile
echo "$CC $CFLAGS -c conftest.c -o conftest.o" >&AS_MESSAGE_LOG_FD
$CC $CFLAGS -c conftest.c -o conftest.o 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD
if test $? = 0; then
# then link
echo "$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest contest.o" >&AS_MESSAGE_LOG_FD
$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest conftest.o 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD
if test $? -ne 0; then
AC_MSG_RESULT(yes)
CFLAGS=`echo "$CFLAGS" | sed -e 's/-pthread//'`
PTHREAD_CFLAGS_ONLY="-pthread"
AC_SUBST(PTHREAD_CFLAGS_ONLY)
else
AC_MSG_RESULT(no)
fi
else
AC_MSG_RESULT(no)
fi # endif cc successful
rm -f conftest conftest.c conftest.o
fi # endif -pthread in CFLAGS
])
fi
@ -475,7 +511,7 @@ if test x_$ub_test_python != x_no; then
AC_ERROR([Python version >= 2.4.0 is required])
fi
PY_MAJOR_VERSION="`$PYTHON -c "import sys; print(sys.version_info.major)"`"
[PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"]
AC_SUBST(PY_MAJOR_VERSION)
# Have Python
AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.])
@ -558,13 +594,34 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
fi
LIBS="$LIBS -lnss3 -lnspr4"
SSLLIB=""
]
)
# libnettle
USE_NETTLE="no"
AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
[use libnettle as crypto library, installed at path.]),
[
USE_NETTLE="yes"
AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
if test "$withval" != "" -a "$withval" != "yes"; then
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
LDFLAGS="$LDFLAGS -L$withval/lib"
ACX_RUNTIME_PATH_ADD([$withval/lib])
else
CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
fi
LIBS="$LIBS -lhogweed -lnettle -lgmp"
SSLLIB=""
]
)
# openssl
if test $USE_NSS = "no"; then
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
ACX_WITH_SSL
ACX_LIB_SSL
SSLLIB="-lssl"
AC_MSG_CHECKING([for LibreSSL])
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
AC_MSG_RESULT([yes])
@ -599,6 +656,7 @@ AC_INCLUDES_DEFAULT
#include <openssl/evp.h>
])
fi
AC_SUBST(SSLLIB)
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
@ -710,7 +768,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
use_gost="no"
if test $USE_NSS = "no"; then
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
case "$enable_gost" in
no)
;;
@ -724,7 +782,7 @@ case "$enable_gost" in
fi
;;
esac
fi dnl !USE_NSS
fi dnl !USE_NSS && !USE_NETTLE
AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
use_ecdsa="no"
@ -732,7 +790,7 @@ case "$enable_ecdsa" in
no)
;;
*)
if test $USE_NSS = "no"; then
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
@ -878,6 +936,9 @@ if test x_$found_libexpat != x_yes; then
AC_ERROR([Could not find libexpat, expat.h])
fi
AC_CHECK_HEADERS([expat.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_DECLS([XML_StopParser], [], [], [AC_INCLUDES_DEFAULT
#include <expat.h>
])
# set static linking if requested
AC_SUBST(staticexe)
@ -982,10 +1043,23 @@ AC_INCLUDES_DEFAULT
#endif
])
AC_SEARCH_LIBS([setusercontext], [util])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync])
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
AC_MSG_CHECKING([for sbrk])
# catch the warning of deprecated sbrk
old_cflags="$CFLAGS"
CFLAGS="$CFLAGS -Werror"
AC_COMPILE_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
[[
int main(void) { void* cur = sbrk(0); printf("%u\n", (unsigned)(size_t)((char*)cur - (char*)sbrk(0))); return 0; }
]])], [
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_SBRK, 1, [define if you have the sbrk() call])
], [AC_MSG_RESULT(no)])
CFLAGS="$old_cflags"
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
if echo $build_os | grep darwin8 > /dev/null; then
AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work])
@ -994,10 +1068,25 @@ AC_REPLACE_FUNCS(inet_aton)
AC_REPLACE_FUNCS(inet_pton)
AC_REPLACE_FUNCS(inet_ntop)
AC_REPLACE_FUNCS(snprintf)
# test if snprintf return the proper length
if test "x$ac_cv_func_snprintf" = xyes; then
if test c${cross_compiling} = cno; then
AC_MSG_CHECKING([for correct snprintf return value])
AC_RUN_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
[[
int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
]])], [AC_MSG_RESULT(yes)], [
AC_MSG_RESULT(no)
AC_DEFINE([SNPRINTF_RET_BROKEN], [], [define if (v)snprintf does not return length needed, (but length used)])
AC_LIBOBJ(snprintf)
])
fi
fi
AC_REPLACE_FUNCS(strlcat)
AC_REPLACE_FUNCS(strlcpy)
AC_REPLACE_FUNCS(memmove)
AC_REPLACE_FUNCS(gmtime_r)
AC_REPLACE_FUNCS(isblank)
dnl without CTIME, ARC4-functions and without reallocarray.
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
@ -1232,7 +1321,13 @@ AHX_CONFIG_FORMAT_ATTRIBUTE
AHX_CONFIG_UNUSED_ATTRIBUTE
AHX_CONFIG_FSEEKO
AHX_CONFIG_MAXHOSTNAMELEN
AHX_CONFIG_SNPRINTF(unbound)
#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
#define snprintf snprintf_unbound
#define vsnprintf vsnprintf_unbound
#include <stdarg.h>
int snprintf (char *str, size_t count, const char *fmt, ...);
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
AHX_CONFIG_INET_PTON(unbound)
AHX_CONFIG_INET_NTOP(unbound)
AHX_CONFIG_INET_ATON(unbound)
@ -1255,6 +1350,11 @@ AHX_MEMCMP_BROKEN(unbound)
char *ctime_r(const time_t *timep, char *buf);
#endif
#ifndef HAVE_ISBLANK
#define isblank unbound_isblank
int isblank(int c);
#endif
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
#define strptime unbound_strptime
struct tm;

View File

@ -71,6 +71,7 @@ check_function_exists(inet_ntop HAVE_INET_NTOP)
check_function_exists(inet_pton HAVE_INET_PTON)
check_function_exists(initgroups HAVE_INITGROUPS)
check_function_exists(ioctlsocket HAVE_IOCTLSOCKET)
check_function_exists(isblank HAVE_ISBLANK)
check_function_exists(kill HAVE_KILL)
check_function_exists(localtime_r HAVE_LOCALTIME_R)
check_function_exists(malloc HAVE_MALLOC)
@ -211,7 +212,7 @@ set(UNBOUND_PIDFILE "${CMAKE_INSTALL_PREFIX}/etc/unbound/unbound.pid"
# Copied from configure.ac.
set(WINVER 0x0502)
set(PACKAGE_VERSION "1.4.23")
set(PACKAGE_VERSION "1.5.8")
set(PACKAGE_NAME "${PROJECT_NAME}")
set(PACKAGE_STRING "${PACKAGE_NAME} ${PACKAGE_VERSION}")
set(MAXSYSLOGMSGLEN 10240)

View File

@ -312,7 +312,7 @@
+ /**
* Each time a delegation point changes for a given query or a
* query times out and/or wakes up, this state is (re)visited.
* This state is reponsible for iterating through a list of
* This state is responsible for iterating through a list of
@@ -309,6 +320,13 @@ struct iter_qstate {
*/
int refetch_glue;

View File

@ -1,33 +1,33 @@
@Echo off
rem Convert the Yoyo.org anti-ad server listing
rem into an unbound dns spoof redirection list.
rem Written by Y.Voinov (c) 2014
rem Note: Wget required!
rem Variables
set prefix="C:\Program Files (x86)"
set dst_dir=%prefix%\Unbound
set work_dir=%TEMP%
set list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
rem Check Wget installed
for /f "delims=" %%a in ('where wget') do @set wget=%%a
if /I "%wget%"=="" echo Wget not found. If installed, add path to PATH environment variable. & exit 1
echo Wget found: %wget%
"%wget%" -O %work_dir%\yoyo_ad_servers %list_addr%
del /Q /F /S %dst_dir%\unbound_ad_servers
for /F "eol=; tokens=*" %%a in (%work_dir%\yoyo_ad_servers) do (
echo local-zone: %%a redirect>>%dst_dir%\unbound_ad_servers
echo local-data: "%%a A 127.0.0.1">>%dst_dir%\unbound_ad_servers
)
echo Done.
rem then add an include line to your unbound.conf pointing to the full path of
rem the unbound_ad_servers file:
rem
rem include: $dst_dir/unbound_ad_servers
rem
@Echo off
rem Convert the Yoyo.org anti-ad server listing
rem into an unbound dns spoof redirection list.
rem Written by Y.Voinov (c) 2014
rem Note: Wget required!
rem Variables
set prefix="C:\Program Files (x86)"
set dst_dir=%prefix%\Unbound
set work_dir=%TEMP%
set list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
rem Check Wget installed
for /f "delims=" %%a in ('where wget') do @set wget=%%a
if /I "%wget%"=="" echo Wget not found. If installed, add path to PATH environment variable. & exit 1
echo Wget found: %wget%
"%wget%" -O %work_dir%\yoyo_ad_servers %list_addr%
del /Q /F /S %dst_dir%\unbound_ad_servers
for /F "eol=; tokens=*" %%a in (%work_dir%\yoyo_ad_servers) do (
echo local-zone: %%a redirect>>%dst_dir%\unbound_ad_servers
echo local-data: "%%a A 127.0.0.1">>%dst_dir%\unbound_ad_servers
)
echo Done.
rem then add an include line to your unbound.conf pointing to the full path of
rem the unbound_ad_servers file:
rem
rem include: $dst_dir/unbound_ad_servers
rem

View File

@ -273,7 +273,7 @@ fi
- Change make/configure lines to attempt to fix -lphtread linking issue
* Thu Feb 18 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-2
- Removed dependancy for dnssec-conf
- Removed dependency for dnssec-conf
- Added ISC DLV key (formerly in dnssec-conf)
- Fixup old DLV locations in unbound.conf file via %%post
- Fix parent child disagreement handling and no-ipv6 present [svn r1953]
@ -312,7 +312,7 @@ fi
- Re-enabled glob.patch
* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-7
- unbound-iterator.patch was not commited
- unbound-iterator.patch was not committed
* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-6
- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793
@ -338,11 +338,11 @@ fi
* Wed Jan 14 2009 Paul Wouters <paul@xelerance.com - 1.2.0-1
- Updated to 1.2.0
- Added dependancy on minimum SSL for CVE-2008-5077
- Added dependancy on bc for unbound-munin
- Added dependency on minimum SSL for CVE-2008-5077
- Added dependency on bc for unbound-munin
- Added minimum requirement of libevent 1.4.5. Crashes with older versions
(note: libevent is stale in EL-4 and not in EL-5, needs fixing there)
- Removed dependancy on selinux-policy (will get used when available)
- Removed dependency on selinux-policy (will get used when available)
- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack
- Enable val-clean-additional to drop addition unsigned data from signed
@ -423,7 +423,7 @@ fi
- Build against ldns-1.3.0
* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-1
- Split of -devel package, fixed dependancies, make rpmlint happy
- Split of -devel package, fixed dependencies, make rpmlint happy
* Thu Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12
- Using parts from ports collection entry by Jaap Akkerhuis.

View File

@ -208,12 +208,14 @@ daemon_remote_create(struct config_file* cfg)
return NULL;
}
/* no SSLv2, SSLv3 because has defects */
if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
!= SSL_OP_NO_SSLv2){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
daemon_remote_delete(rc);
return NULL;
}
if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3){
log_crypto_err("could not set SSL_OP_NO_SSLv3");
daemon_remote_delete(rc);
return NULL;
@ -1259,8 +1261,6 @@ struct del_info {
size_t len;
/** labels */
int labs;
/** now */
time_t now;
/** time to invalidate to */
time_t expired;
/** number of rrsets removed */
@ -1289,7 +1289,7 @@ infra_del_host(struct lruhash_entry* e, void* arg)
d->timeout_AAAA = 0;
d->timeout_other = 0;
rtt_init(&d->rtt);
if(d->ttl >= inf->now) {
if(d->ttl > inf->expired) {
d->ttl = inf->expired;
inf->num_keys++;
}
@ -1318,7 +1318,6 @@ do_flush_infra(SSL* ssl, struct worker* worker, char* arg)
inf.name = 0;
inf.len = 0;
inf.labs = 0;
inf.now = *worker->env.now;
inf.expired = *worker->env.now;
inf.expired -= 3; /* handle 3 seconds skew between threads */
inf.num_rrsets = 0;
@ -1349,7 +1348,7 @@ zone_del_rrset(struct lruhash_entry* e, void* arg)
if(dname_subdomain_c(k->rk.dname, inf->name)) {
struct packed_rrset_data* d =
(struct packed_rrset_data*)e->data;
if(d->ttl >= inf->now) {
if(d->ttl > inf->expired) {
d->ttl = inf->expired;
inf->num_rrsets++;
}
@ -1365,7 +1364,7 @@ zone_del_msg(struct lruhash_entry* e, void* arg)
struct msgreply_entry* k = (struct msgreply_entry*)e->key;
if(dname_subdomain_c(k->key.qname, inf->name)) {
struct reply_info* d = (struct reply_info*)e->data;
if(d->ttl >= inf->now) {
if(d->ttl > inf->expired) {
d->ttl = inf->expired;
inf->num_msgs++;
}
@ -1381,7 +1380,7 @@ zone_del_kcache(struct lruhash_entry* e, void* arg)
struct key_entry_key* k = (struct key_entry_key*)e->key;
if(dname_subdomain_c(k->name, inf->name)) {
struct key_entry_data* d = (struct key_entry_data*)e->data;
if(d->ttl >= inf->now) {
if(d->ttl > inf->expired) {
d->ttl = inf->expired;
inf->num_keys++;
}
@ -1404,7 +1403,6 @@ do_flush_zone(SSL* ssl, struct worker* worker, char* arg)
inf.name = nm;
inf.len = nmlen;
inf.labs = nmlabs;
inf.now = *worker->env.now;
inf.expired = *worker->env.now;
inf.expired -= 3; /* handle 3 seconds skew between threads */
inf.num_rrsets = 0;
@ -1474,7 +1472,6 @@ do_flush_bogus(SSL* ssl, struct worker* worker)
struct del_info inf;
/* what we do is to set them all expired */
inf.worker = worker;
inf.now = *worker->env.now;
inf.expired = *worker->env.now;
inf.expired -= 3; /* handle 3 seconds skew between threads */
inf.num_rrsets = 0;
@ -1550,7 +1547,6 @@ do_flush_negative(SSL* ssl, struct worker* worker)
struct del_info inf;
/* what we do is to set them all expired */
inf.worker = worker;
inf.now = *worker->env.now;
inf.expired = *worker->env.now;
inf.expired -= 3; /* handle 3 seconds skew between threads */
inf.num_rrsets = 0;
@ -2283,11 +2279,17 @@ do_list_local_data(SSL* ssl, struct worker* worker)
for(i=0; i<d->count + d->rrsig_count; i++) {
if(!packed_rr_to_string(p->rrset, i,
0, s, slen)) {
if(!ssl_printf(ssl, "BADRR\n"))
if(!ssl_printf(ssl, "BADRR\n")) {
lock_rw_unlock(&z->lock);
lock_rw_unlock(&zones->lock);
return;
}
}
if(!ssl_printf(ssl, "%s\n", s))
if(!ssl_printf(ssl, "%s\n", s)) {
lock_rw_unlock(&z->lock);
lock_rw_unlock(&zones->lock);
return;
}
}
}
}

View File

@ -180,6 +180,8 @@ static void usage()
SSLeay_version(SSLEAY_VERSION)
#elif defined(HAVE_NSS)
NSS_GetVersion()
#elif defined(HAVE_NETTLE)
"nettle"
#endif
);
printf("linked modules:");
@ -450,6 +452,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
/* endpwent below, in case we need pwd for setusercontext */
}
#endif
#ifdef UB_ON_WINDOWS
w_config_adjust_directory(cfg);
#endif
/* init syslog (as root) if needed, before daemonize, otherwise
* a fork error could not be printed since daemonize closed stderr.*/

View File

@ -866,11 +866,16 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
goto send_reply;
}
if((ret=parse_edns_from_pkt(c->buffer, &edns)) != 0) {
struct edns_data reply_edns;
verbose(VERB_ALGO, "worker parse edns: formerror.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
sldns_buffer_rewind(c->buffer);
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
memset(&reply_edns, 0, sizeof(reply_edns));
reply_edns.edns_present = 1;
reply_edns.udp_size = EDNS_ADVERTISED_SIZE;
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
error_encode(c->buffer, ret, &qinfo,
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
server_stats_insrcode(&worker->stats, c->buffer);
goto send_reply;
}

View File

@ -618,8 +618,10 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
dd->rr_ttl = (time_t*)&dd->rr_data[dd->count];
for(i = 0; i < fd->count; ++i) {
if (fd->rr_len[i] != 6 || fd->rr_data[i][0] != 0
|| fd->rr_data[i][1] != 4)
|| fd->rr_data[i][1] != 4) {
*dd_out = NULL;
return;
}
dd->rr_len[i] = 18;
dd->rr_data[i] =
(uint8_t*)&dd->rr_ttl[dd->count] + 18*i;
@ -638,6 +640,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
*/
if(!dk) {
log_err("no key");
*dd_out = NULL;
return;
}
@ -646,6 +649,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
if(!dk->rk.dname) {
log_err("out of memory");
*dd_out = NULL;
return;
}

View File

@ -105,7 +105,7 @@ message Message {
enum Type {
// AUTH_QUERY is a DNS query message received from a resolver by an
// authoritative name server, from the perspective of the authorative
// authoritative name server, from the perspective of the authoritative
// name server.
AUTH_QUERY = 1;

View File

@ -1,3 +1,175 @@
15 December 2015: Ralph
- Fix #729: omit use of escape sequences in echo since they are not
portable (unbound-control-setup).
11 December 2015: Wouter
- remove NULL-checks before free, patch from Michael McConville.
- updated ax_pthread.m4 to version 21 with clang support, this
removes a warning from compilation.
- OSX portability, detect if sbrk is deprecated.
- OSX clang, stop -pthread unused during link stage warnings.
- OSX clang new flto check.
10 December 2015: Wouter
- 1.5.7 release
- trunk has 1.5.8 in development.
8 December 2015: Wouter
- Fixup 724 for unbound-control.
7 December 2015: Ralph
- Do not minimise forwarded requests.
4 December 2015: Wouter
- Removed unneeded whitespace from example.conf.
3 December 2015: Ralph
- (after rc1 tag)
- Committed fix to qname minimisation and unit test case for it.
3 December 2015: Wouter
- iana portlist update.
- 1.5.7rc1 prerelease tag.
2 December 2015: Wouter
- Fixup 724: Fix PCA prompt for unbound-service-install.exe.
re-enable stdout printout.
- For 724: Add Changelog to windows binary dist.
1 December 2015: Ralph
- Qname minimisation review fixes
1 December 2015: Wouter
- Fixup 724 fix for fname_after_chroot() calls.
- Remove stdout printout for unbound-service-install.exe
- .gitignore for git users.
30 November 2015: Ralph
- Implemented qname minimisation
30 November 2015: Wouter
- Fix for #724: conf syntax to read files from run dir (on Windows).
25 November 2015: Wouter
- Fix for #720, fix unbound-control-setup windows batch file.
24 November 2015: Wouter
- Fix #720: add windows scripts to zip bundle.
- iana portlist update.
20 November 2015: Wouter
- Added assert on rrset cache correctness.
- Fix that malformed EDNS query gets a response without malformed EDNS.
18 November 2015: Wouter
- newer acx_nlnetlabs.m4.
- spelling fixes from Igor Sobrado Delgado.
17 November 2015: Wouter
- Fix #594. libunbound: optionally use libnettle for crypto.
Contributed by Luca Bruno. Added --with-nettle for use with
--with-libunbound-only.
- refactor nsec3 hash implementation to be more library-portable.
- iana portlist update.
- Fixup DER encoded DSA signatures for libnettle.
16 November 2015: Wouter
- Fix for lenient accept of reverse order DNAME and CNAME.
6 November 2015: Wouter
- Change example.conf: ftp.internic.net to https://www.internic.net
5 November 2015: Wouter
- ACX_SSL_CHECKS no longer adds -ldl needlessly.
3 November 2015: Wouter
- Fix #718: Fix unbound-control-setup with support for env
without HEREDOC bash support.
29 October 2015: Wouter
- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
- Fix #716: nodata proof with empty non-terminals and wildcards.
28 October 2015: Wouter
- Fix checklock testcode for linux threads on exit.
27 October 2015: Wouter
- isblank() compat implementation.
- detect libexpat without xml_StopParser function.
- portability fixes.
- portability, replace snprintf if return value broken.
23 October 2015: Wouter
- Fix #714: Document config to block private-address for IPv4
mapped IPv6 addresses.
22 October 2015: Wouter
- Fix #712: unbound-anchor appears to not fsync root.key.
20 October 2015: Wouter
- 1.5.6 release.
- trunk tracks development of 1.5.7.
15 October 2015: Wouter
- Fix segfault in the dns64 module in the formaterror error path.
- Fix sldns_wire2str_rdata_scan for malformed RRs.
- tag for 1.5.6rc1 release.
14 October 2015: Wouter
- ANY responses include DNAME records if present, as per Evan Hunt's
remark in dnsop.
- Fix manpage to suggest using SIGTERM to terminate the server.
9 October 2015: Wouter
- Default for ssl-port is port 853, the temporary port assignment
for secure domain name system traffic.
If you used to rely on the older default of port 443, you have
to put a clause in unbound.conf for that. The new value is likely
going to be the standardised port number for this traffic.
- iana portlist update.
6 October 2015: Wouter
- 1.5.5 release.
- trunk tracks the development of 1.5.6.
28 September 2015: Wouter
- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
failures.
- tag for 1.5.5rc1 release.
- makedist.sh: pgp sig echo commands.
25 September 2015: Wouter
- Fix unbound-control flush that does not succeed in removing data.
22 September 2015: Wouter
- Fix config globbed include chroot treatment, this fixes reload of
globs (patch from Dag-Erling Smørgrav).
- iana portlist update.
- Fix #702: New IPs for for h.root-servers.net.
- Remove confusion comment from canonical_compare() function.
- Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
- testbound selftest also works in non-debug mode.
- Fix minor error in unbound.conf.5.in
- Fix unbound.conf(5) access-control description for precedence
and default.
31 August 2015: Wouter
- changed windows setup compression to be more transparent.
28 August 2015: Wouter
- Fix #697: Get PY_MAJOR_VERSION failure at configure for python
2.4 to 2.6.
- Feature #699: --enable-pie option to that builds PIE binary.
- Feature #700: --enable-relro-now option that enables full read-only
relocation.
24 August 2015: Wouter
- Fix deadlock for local data add and zone add when unbound-control
list_local_data printout is interrupted.
- iana portlist update.
- Change default of harden-algo-downgrade to off. This is lenient
for algorithm rollover.
13 August 2015: Wouter
- 5011 implementation does not insist on all algorithms, when
harden-algo-downgrade is turned off.
@ -693,7 +865,7 @@
existence in 4592. NSEC empty non-terminals exist and thus the
RCODE should have been NOERROR. If this occurs, and the RRsets
are secure, we set the RCODE to NOERROR and the security status
of the reponse is also considered secure.
of the response is also considered secure.
14 February 2014: Wouter
- Works on Minix (3.2.1).
@ -1465,7 +1637,7 @@
- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
- Fix warning unused in compat/strptime.c.
- Fix malloc detection and double defintion.
- Fix malloc detection and double definition.
2 December 2011: Wouter
- configure generated with autoconf 2.68.
@ -4910,7 +5082,7 @@
- Advertise builtin select libevent alternative when no libevent
is found.
- signit can generate NSEC3 hashes, for generating tests.
- multiple nsec3 paramaters in message test.
- multiple nsec3 parameters in message test.
- too high nsec3 iterations becomes insecure test.
21 September 2007: Wouter
@ -4981,7 +5153,7 @@
- testbound can replay a TCP query (set MATCH TCP in the QUERY).
- DS and noDS referral validation test.
- if you configure many trust anchors, parent trust anchors can
securely deny existance of child trust anchors, if validated.
securely deny existence of child trust anchors, if validated.
- not all *.name NSECs are present because a wildcard was matched,
and *.name NSECs can prove nodata for empty nonterminals.
Also, for wildcard name NSECs, check they are not from the parent
@ -5288,7 +5460,7 @@
17 July 2007: Wouter
- forward zone options in config file.
- forward per zone in iterator. takes precendence over stubs.
- forward per zone in iterator. takes precedence over stubs.
- fixup commithooks.
- removed forward-to and forward-to-port features, subsumed by
new forward zones.
@ -5389,7 +5561,7 @@
ldns and libevent are linked statically. Default is off.
- make install and make uninstall. Works with static-exe and without.
installation of unbound binary and manual pages.
- alignement problem fix on solaris 64.
- alignment problem fix on solaris 64.
- fixup address in case of TCP error.
12 June 2007: Wouter
@ -5472,7 +5644,7 @@
- removed FLAG_CD from message and rrset caches. This was useful for
an agnostic forwarder, but not for a sophisticated (trust value per
rrset enabled) cache.
- iterator reponse typing.
- iterator response typing.
- iterator cname handle.
- iterator prime start.
- subquery work.
@ -5492,7 +5664,7 @@
- Acknowledge use of unbound-java code in iterator. Nicer readme.
- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
rrset cache from module environment.
- packed rrset key has type and class as easily accessable struct
- packed rrset key has type and class as easily accessible struct
members. They are still kept in network format for fast msg encode.
- dns cache find_delegation routine.
- iterator main functions setup.
@ -5576,7 +5748,7 @@
- EDNS read from query, used to make reply smaller.
- advertised edns value constants.
- EDNS BADVERS response, if asked for too high edns version.
- EDNS extended error reponses once the EDNS record from the query
- EDNS extended error responses once the EDNS record from the query
has successfully been parsed.
4 May 2007: Wouter

View File

@ -8,7 +8,7 @@
#Use this to include other text into the file.
#include: "otherfile.conf"
# The server clause sets the main parameters.
# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.
@ -40,7 +40,7 @@ server:
# interface: 2001:DB8::5
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
# Socket options are not supported on all platforms. experimental.
# interface-automatic: no
# port to answer queries from
@ -84,10 +84,10 @@ server:
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
# 0 is system default. Use 4m to handle spikes on very busy servers.
# so-sndbuf: 0
# use SO_REUSEPORT to distribute queries over threads.
# so-reuseport: no
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# ip-transparent: no
@ -105,7 +105,7 @@ server:
# msg-buffer-size: 65552
# the amount of memory to use for the message cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# plain value in bytes or you can append k, m or G. default is "4Mb".
# msg-cache-size: 4m
# the number of slabs to use for the message cache.
@ -118,12 +118,12 @@ server:
# if very busy, 50% queries run to completion, 50% get timeout in msec
# jostle-timeout: 200
# msec to wait before close of port on timeout UDP. 0 disables.
# delay-close: 0
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
# the number of slabs to use for the RRset cache.
@ -145,7 +145,7 @@ server:
# the time to live (TTL) value for cached roundtrip times, lameness and
# EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
# minimum wait time for responses, increase if uplink is long. In msec.
# infra-cache-min-rtt: 50
@ -195,8 +195,8 @@ server:
#
# If chroot is enabled, you should pass the configfile (from the
# commandline) as a full path from the original root. After the
# chroot has been performed the now defunct portion of the config
# file path is removed to be able to reread the config after a reload.
# chroot has been performed the now defunct portion of the config
# file path is removed to be able to reread the config after a reload.
#
# All other file paths (working dir, logfile, roothints, and
# key files) can be specified in several ways:
@ -205,7 +205,7 @@ server:
# o as an absolute path relative to the original root.
# In the last case the path is adjusted to remove the unused portion.
#
# The pid file can be absolute and outside of the chroot, it is
# The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/random (for entropy).
@ -219,22 +219,22 @@ server:
# If you give "" no privileges are dropped.
# username: "@UNBOUND_USERNAME@"
# the working directory. The relative files in this config are
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
# directory: "@UNBOUND_RUN_DIR@"
# the log file, "" means log to stderr.
# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
# logfile: ""
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to, with identity "unbound". If yes, it overrides the logfile.
# use-syslog: yes
# use-syslog: yes
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
# log-time-ascii: no
# print one line with time, IP, name, type, class for every query.
# log-queries: no
@ -242,7 +242,7 @@ server:
# pidfile: "@UNBOUND_PIDFILE@"
# file to read root hints from.
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
# get one from https://www.internic.net/domain/named.cache
# root-hints: ""
# enable to not answer id.server and hostname.bind queries.
@ -258,8 +258,8 @@ server:
# version: ""
# the target fetch policy.
# series of integers describing the policy per dependency depth.
# The number of values in the list determines the maximum dependency
# series of integers describing the policy per dependency depth.
# The number of values in the list determines the maximum dependency
# depth the recursor will pursue before giving up. Each integer means:
# -1 : fetch all targets opportunistically,
# 0: fetch on demand,
@ -267,17 +267,17 @@ server:
# Enclose the list of numbers between quotes ("").
# target-fetch-policy: "3 2 1 0 0"
# Harden against very small EDNS buffer sizes.
# Harden against very small EDNS buffer sizes.
# harden-short-bufsize: no
# Harden against unseemly large queries.
# harden-large-queries: no
# Harden against out of zone rrsets, to avoid spoofing attempts.
# Harden against out of zone rrsets, to avoid spoofing attempts.
# harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
# off, failing to validate dnskey data for a trustanchor will
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
# harden-dnssec-stripped: yes
@ -287,27 +287,32 @@ server:
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
# harden-referral-path: no
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm
# to validate the zone.
# harden-algo-downgrade: yes
# harden-algo-downgrade: no
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to NS when possible.
# qname-minimisation: no
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
# Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
# Protects against 'DNS Rebinding' (uses browser as network proxy).
# Only 'private-domain' and 'local-data' names are allowed to have
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
# Protects against 'DNS Rebinding' (uses browser as network proxy).
# Only 'private-domain' and 'local-data' names are allowed to have
# these private addresses. No default.
# private-address: 10.0.0.0/8
# private-address: 172.16.0.0/12
@ -315,6 +320,7 @@ server:
# private-address: 169.254.0.0/16
# private-address: fd00::/8
# private-address: fe80::/10
# private-address: ::ffff:0:0/96
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
@ -373,7 +379,7 @@ server:
# Zone file format, with DS and DNSKEY entries.
# Note this gets out of date, use auto-trust-anchor-file please.
# trust-anchor-file: ""
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# Note this gets out of date, use auto-trust-anchor-file please.
@ -383,7 +389,7 @@ server:
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry. Like trust-anchor-file
# but has a different file format. Format is BIND-9 style format,
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
@ -408,7 +414,7 @@ server:
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
# val-clean-additional: yes
@ -433,7 +439,7 @@ server:
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
# add-holddown: 2592000 # 30 days
@ -448,7 +454,7 @@ server:
# permit-small-holddown: no
# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
# the number of slabs to use for the key cache.
@ -457,7 +463,7 @@ server:
# key-cache-slabs: 4
# the amount of memory to use for the negative cache (used for DLV).
# plain value in bytes or you can append k, m or G. default is "1Mb".
# plain value in bytes or you can append k, m or G. default is "1Mb".
# neg-cache-size: 1m
# By default, for a number of zones a small default 'nothing here'
@ -501,7 +507,7 @@ server:
# local-zone: "b.e.f.ip6.arpa." nodefault
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
# if unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
@ -512,7 +518,7 @@ server:
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
# local-data: "<resource record string>"
# o deny serves local data (if any), else, drops queries.
# o deny serves local data (if any), else, drops queries.
# o refuse serves local data (if any), else, replies with error.
# o static serves local data, else, nxdomain or nodata answer.
# o transparent gives local data, but resolves normally for other names
@ -525,7 +531,7 @@ server:
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
# the default content is omitted, or you can omit it with 'nodefault'.
#
#
# If you configure local-data without specifying local-zone, by
# default a transparent local-zone is created for the data.
#
@ -552,7 +558,7 @@ server:
# default is "" (disabled). requires restart to take effect.
# ssl-service-key: "path/to/privatekeyfile.key"
# ssl-service-pem: "path/to/publiccertfile.pem"
# ssl-port: 443
# ssl-port: 853
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
@ -571,7 +577,7 @@ server:
# ratelimit-size: 4m
# ratelimit cache slabs, reduces lock contention if equal to cpucount.
# ratelimit-slabs: 4
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10
@ -590,7 +596,7 @@ python:
# Script file to load
# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
# Remote control config section.
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
@ -621,9 +627,9 @@ remote-control:
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
# With stub-first yes, it attempts without the stub if it fails.
# Consider adding domain-insecure: name and local-zone: name nodefault

View File

@ -169,7 +169,7 @@ therefore not flushed. The option must end with a ':' and whitespace
must be between the option and the value. Some values may not have an
effect if set this way, the new values are not written to the config file,
not all options are supported. This is different from the set_option call
in libunbound, where all values work because unbound has not been inited.
in libunbound, where all values work because unbound has not been initialized.
.IP
The values that work are: statistics\-interval, statistics\-cumulative,
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,

View File

@ -296,7 +296,7 @@ trust (very large) TTL values.
.TP
.B cache\-min\-ttl: \fI<seconds>
Time to live minimum for RRsets and messages in the cache. Default is 0.
If the the minimum kicks in, the data is cached for longer than the domain
If the minimum kicks in, the data is cached for longer than the domain
owner intended, and thus less queries are made to look up the data.
Zero makes sure the data in the cache is as the domain owner intended,
higher values, especially more than an hour or so, can lead to trouble as
@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service. Default is "",
turned off.
.TP
.B ssl\-port: \fI<number>
The port number on which to provide TCP SSL service, default 443, only
The port number on which to provide TCP SSL service, default 853, only
interfaces configured with that port number as @number get the SSL service.
.TP
.B do\-daemonize: \fI<yes or no>
@ -373,6 +373,7 @@ a daemon. Default is yes.
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
The most specific netblock match is used, if none match \fIdeny\fR is used.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
@ -443,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
.TP
.B directory: \fI<directory>
Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
On Windows the string "%EXECUTABLE%" tries to change to the directory
that unbound.exe resides in.
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
@ -480,7 +483,7 @@ kill \-HUP `cat @UNBOUND_PIDFILE@`
.fi
triggers a reload,
.nf
kill \-QUIT `cat @UNBOUND_PIDFILE@`
kill \-TERM `cat @UNBOUND_PIDFILE@`
.fi
gracefully terminates.
.TP
@ -567,7 +570,7 @@ to increase the max depth that is checked to.
.B harden\-algo\-downgrade: \fI<yes or no>
Harden against algorithm downgrade when multiple algorithms are
advertised in the DS record. If no, allows the weakest algorithm to
validate the zone. Default is yes. Zone signers must produce zones
validate the zone. Default is no. Zone signers must produce zones
that allow this feature to work, but sometimes they do not, and turning
this option off avoids that validation failure.
.TP
@ -584,23 +587,30 @@ queries. For domains that do not support 0x20 and also fail with fallback
because they keep sending different answers, like some load balancers.
Can be given multiple times, for different domains.
.TP
.B qname\-minimisation: \fI<yes or no>
Send minimum amount of information to upstream servers to enhance privacy.
Only sent minimum required labels of the QNAME and set QTYPE to NS when
possible. Best effort approach, full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR. Default is off.
.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
on your private network, and are not allowed to be returned for public
internet names. Any occurence of such addresses are removed from
DNS answers. Additionally, the DNSSEC validator may mark the answers
bogus. This protects against so\-called DNS Rebinding, where a user browser
is turned into a network proxy, allowing remote access through the browser
to other parts of your private network. Some names can be allowed to
contain your private addresses, by default all the \fBlocal\-data\fR
that you configured is allowed to, and you can specify additional
names using \fBprivate\-domain\fR. No private addresses are enabled
by default. We consider to enable this for the RFC1918 private IP
address space by default in later releases. That would enable private
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
fd00::/8 and fe80::/10, since the RFC standards say these addresses
should not be visible on the public internet. Turning on 127.0.0.0/8
would hinder many spamblocklists as they use that.
on your private network, and are not allowed to be returned for
public internet names. Any occurrence of such addresses are removed
from DNS answers. Additionally, the DNSSEC validator may mark the
answers bogus. This protects against so\-called DNS Rebinding, where
a user browser is turned into a network proxy, allowing remote access
through the browser to other parts of your private network. Some names
can be allowed to contain your private addresses, by default all the
\fBlocal\-data\fR that you configured is allowed to, and you can specify
additional names using \fBprivate\-domain\fR. No private addresses are
enabled by default. We consider to enable this for the RFC1918 private
IP address space by default in later releases. That would enable private
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
fd00::/8 and fe80::/10, since the RFC standards say these addresses
should not be visible on the public internet. Turning on 127.0.0.0/8
would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96
stops IPv4-mapped IPv6 addresses from bypassing the filter.
.TP
.B private\-domain: \fI<domain name>
Allow this domain, and all its subdomains to contain private addresses.
@ -745,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
messages that are not signed properly. Messages that are insecure, bogus,
indeterminate or unchecked are not affected. Default is yes. Use this setting
to protect the users that rely on this validator for authentication from
protentially bad data in the additional section.
potentially bad data in the additional section.
.TP
.B val\-log\-level: \fI<number>
Have the validator print validation failures to the log. Regardless of
@ -1032,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
exceeded. If set to another value, 1 in that number is allowed through
to complete. Default is 10, allowing 1/10 traffic to flow normally.
This can make ordinary queries complete (if repeatedly queried for),
and enter the cache, whilst also mitigiting the traffic flow by the
and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B ratelimit\-for\-domain: \fI<domain> <number qps>

View File

@ -135,7 +135,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
if(!ah(dp, "F.ROOT-SERVERS.NET.", "192.5.5.241")) goto failed;
if(!ah(dp, "G.ROOT-SERVERS.NET.", "192.112.36.4")) goto failed;
if(!ah(dp, "H.ROOT-SERVERS.NET.", "128.63.2.53")) goto failed;
if(!ah(dp, "H.ROOT-SERVERS.NET.", "198.97.190.53")) goto failed;
if(!ah(dp, "I.ROOT-SERVERS.NET.", "192.36.148.17")) goto failed;
if(!ah(dp, "J.ROOT-SERVERS.NET.", "192.58.128.30")) goto failed;
if(!ah(dp, "K.ROOT-SERVERS.NET.", "193.0.14.129")) goto failed;
@ -148,7 +148,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) goto failed;
if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::803f:235")) goto failed;
if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::53")) goto failed;
if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed;
if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed;
if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed;

View File

@ -405,7 +405,43 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
/* Follow the CNAME chain. */
if(rrset->type == LDNS_RR_TYPE_CNAME) {
struct rrset_parse* nx = rrset->rrset_all_next;
uint8_t* oldsname = sname;
/* see if the next one is a DNAME, if so, swap them */
if(nx && nx->section == LDNS_SECTION_ANSWER &&
nx->type == LDNS_RR_TYPE_DNAME &&
nx->rr_count == 1 &&
pkt_strict_sub(pkt, sname, nx->dname)) {
/* there is a DNAME after this CNAME, it
* is in the ANSWER section, and the DNAME
* applies to the name we cover */
/* check if the alias of the DNAME equals
* this CNAME */
uint8_t alias[LDNS_MAX_DOMAINLEN+1];
size_t aliaslen = 0;
uint8_t* t = NULL;
size_t tlen = 0;
if(synth_cname(sname, snamelen, nx, alias,
&aliaslen, pkt) &&
parse_get_cname_target(rrset, &t, &tlen) &&
dname_pkt_compare(pkt, alias, t) == 0) {
/* the synthesized CNAME equals the
* current CNAME. This CNAME is the
* one that the DNAME creates, and this
* CNAME is better capitalised */
verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME");
if(prev) prev->rrset_all_next = nx;
else msg->rrset_first = nx;
if(nx->rrset_all_next == NULL)
msg->rrset_last = rrset;
rrset->rrset_all_next =
nx->rrset_all_next;
nx->rrset_all_next = rrset;
prev = nx;
}
}
/* move to next name in CNAME chain */
if(!parse_get_cname_target(rrset, &sname, &snamelen))
return 0;
prev = rrset;
@ -638,7 +674,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
* children of the originating zone. The idea here is that,
* as far as we know, the server that we contacted is ONLY
* authoritative for the originating zone. It, of course, MAY
* be authoriative for any other zones, and of course, MAY
* be authoritative for any other zones, and of course, MAY
* NOT be authoritative for some subdomains of the originating
* zone. */
prev = NULL;

View File

@ -255,7 +255,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
return -1; /* server is lame */
else if(rtt >= USEFUL_SERVER_TOP_TIMEOUT)
/* server is unresponsive,
* we used to return TOP_TIMOUT, but fairly useless,
* we used to return TOP_TIMEOUT, but fairly useless,
* because if == TOP_TIMEOUT is dropped because
* blacklisted later, instead, remove it here, so
* other choices (that are not blacklisted) can be
@ -306,7 +306,7 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
return got_it;
}
/** filter the addres list, putting best targets at front,
/** filter the address list, putting best targets at front,
* returns number of best targets (or 0, no suitable targets) */
static int
iter_filter_order(struct iter_env* iter_env, struct module_env* env,

View File

@ -64,6 +64,7 @@
#include "util/random.h"
#include "sldns/rrdef.h"
#include "sldns/wire2str.h"
#include "sldns/str2wire.h"
#include "sldns/parseutil.h"
#include "sldns/sbuffer.h"
@ -81,6 +82,21 @@ iter_init(struct module_env* env, int id)
log_err("iterator: could not apply configuration settings.");
return 0;
}
if(env->cfg->qname_minimisation) {
uint8_t dname[LDNS_MAX_DOMAINLEN+1];
size_t len = sizeof(dname);
if(sldns_str2wire_dname_buf("ip6.arpa.", dname, &len) != 0) {
log_err("ip6.arpa. parse error");
return 0;
}
iter_env->ip6arpa_dname = (uint8_t*)malloc(len);
if(!iter_env->ip6arpa_dname) {
log_err("malloc failure");
return 0;
}
memcpy(iter_env->ip6arpa_dname, dname, len);
}
return 1;
}
@ -101,6 +117,7 @@ iter_deinit(struct module_env* env, int id)
if(!env || !env->modinfo[id])
return;
iter_env = (struct iter_env*)env->modinfo[id];
free(iter_env->ip6arpa_dname);
free(iter_env->target_fetch_policy);
priv_delete(iter_env->priv);
donotq_delete(iter_env->donotq);
@ -145,6 +162,12 @@ iter_new(struct module_qstate* qstate, int id)
/* Start with the (current) qname. */
iq->qchase = qstate->qinfo;
outbound_list_init(&iq->outlist);
if (qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
else
iq->minimisation_state = DONOT_MINIMISE_STATE;
memset(&iq->qinfo_out, 0, sizeof(struct query_info));
return 1;
}
@ -176,7 +199,7 @@ next_state(struct iter_qstate* iq, enum iter_state nextstate)
/**
* Transition an event to its final state. Final states always either return
* a result up the module chain, or reactivate a dependent event. Which
* final state to transtion to is set in the module state for the event when
* final state to transition to is set in the module state for the event when
* it was created, and depends on the original purpose of the event.
*
* The response is stored in the qstate->buf buffer.
@ -506,7 +529,7 @@ target_count_increase(struct iter_qstate* iq, int num)
/**
* Generate a subrequest.
* Generate a local request event. Local events are tied to this module, and
* have a correponding (first tier) event that is waiting for this event to
* have a corresponding (first tier) event that is waiting for this event to
* resolve to continue.
*
* @param qname The query name for this request.
@ -590,6 +613,11 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
subiq->qchase = subq->qinfo;
subiq->chase_flags = subq->query_flags;
subiq->refetch_glue = 0;
if(qstate->env->cfg->qname_minimisation)
subiq->minimisation_state = INIT_MINIMISE_STATE;
else
subiq->minimisation_state = DONOT_MINIMISE_STATE;
memset(&subiq->qinfo_out, 0, sizeof(struct query_info));
}
return 1;
}
@ -1042,6 +1070,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
iq->query_restart_count++;
iq->sent_count = 0;
sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
return next_state(iq, INIT_REQUEST_STATE);
}
@ -1062,6 +1092,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
iq->refetch_glue = 0;
iq->minimisation_state = DONOT_MINIMISE_STATE;
/* the request has been forwarded.
* forwarded requests need to be immediately sent to the
* next state, QUERYTARGETS. */
@ -1599,6 +1630,8 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
iq->refetch_glue = 1;
iq->query_restart_count++;
iq->sent_count = 0;
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
return next_state(iq, INIT_REQUEST_STATE);
}
}
@ -1975,9 +2008,78 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
}
if(iq->minimisation_state == INIT_MINIMISE_STATE) {
/* (Re)set qinfo_out to (new) delegation point, except
* when qinfo_out is already a subdomain of dp. This happens
* when resolving ip6.arpa dnames. */
if(!(iq->qinfo_out.qname_len
&& dname_subdomain_c(iq->qchase.qname,
iq->qinfo_out.qname)
&& dname_subdomain_c(iq->qinfo_out.qname,
iq->dp->name))) {
iq->qinfo_out.qname = iq->dp->name;
iq->qinfo_out.qname_len = iq->dp->namelen;
iq->qinfo_out.qtype = LDNS_RR_TYPE_NS;
iq->qinfo_out.qclass = iq->qchase.qclass;
}
iq->minimisation_state = MINIMISE_STATE;
}
if(iq->minimisation_state == MINIMISE_STATE) {
int labdiff = dname_count_labels(iq->qchase.qname) -
dname_count_labels(iq->qinfo_out.qname);
iq->qinfo_out.qname = iq->qchase.qname;
iq->qinfo_out.qname_len = iq->qchase.qname_len;
/* Special treatment for ip6.arpa lookups.
* Reverse IPv6 dname has 34 labels, increment the IP part
* (usually first 32 labels) by 8 labels (7 more than the
* default 1 label increment). */
if(labdiff <= 32 &&
dname_subdomain_c(iq->qchase.qname, ie->ip6arpa_dname)) {
labdiff -= 7;
/* Small chance of zone cut after first label. Stop
* minimising */
if(labdiff <= 1)
labdiff = 0;
}
if(labdiff > 1) {
verbose(VERB_QUERY, "removing %d labels", labdiff-1);
dname_remove_labels(&iq->qinfo_out.qname,
&iq->qinfo_out.qname_len,
labdiff-1);
}
if(labdiff < 1 ||
(labdiff < 2 && iq->qchase.qtype == LDNS_RR_TYPE_DS))
/* Stop minimising this query, resolve "as usual" */
iq->minimisation_state = DONOT_MINIMISE_STATE;
else {
struct dns_msg* msg = dns_cache_lookup(qstate->env,
iq->qinfo_out.qname, iq->qinfo_out.qname_len,
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
qstate->query_flags, qstate->region,
qstate->env->scratch);
if(msg && msg->rep->an_numrrsets == 0
&& FLAGS_GET_RCODE(msg->rep->flags) ==
LDNS_RCODE_NOERROR)
/* no need to send query if it is already
* cached as NOERROR/NODATA */
return 1;
}
}
if(iq->minimisation_state == SKIP_MINIMISE_STATE)
/* Do not increment qname, continue incrementing next
* iteration */
iq->minimisation_state = MINIMISE_STATE;
if(iq->minimisation_state == DONOT_MINIMISE_STATE)
iq->qinfo_out = iq->qchase;
/* We have a valid target. */
if(verbosity >= VERB_QUERY) {
log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out);
log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
&target->addr, target->addrlen);
verbose(VERB_ALGO, "dnssec status: %s%s",
@ -1986,8 +2088,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
outq = (*qstate->env->send_query)(
iq->qchase.qname, iq->qchase.qname_len,
iq->qchase.qtype, iq->qchase.qclass,
iq->qinfo_out.qname, iq->qinfo_out.qname_len,
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), EDNS_DO|BIT_CD,
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
ie, iq), &target->addr, target->addrlen, iq->dp->name,
@ -2042,6 +2144,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
enum response_type type;
iq->num_current_queries--;
if(iq->response == NULL) {
/* Don't increment qname when QNAME minimisation is enabled */
if (qstate->env->cfg->qname_minimisation)
iq->minimisation_state = SKIP_MINIMISE_STATE;
iq->chase_to_rd = 0;
iq->dnssec_lame_query = 0;
verbose(VERB_ALGO, "query response was timeout");
@ -2142,6 +2247,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
sock_list_insert(&qstate->reply_origin,
&qstate->reply->addr, qstate->reply->addrlen,
qstate->region);
if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
/* Best effort qname-minimisation.
* Stop minimising and send full query when RCODE
* is not NOERROR */
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
LDNS_RCODE_NOERROR)
iq->minimisation_state = DONOT_MINIMISE_STATE;
return next_state(iq, QUERYTARGETS_STATE);
}
return final_state(iq);
} else if(type == RESPONSE_TYPE_REFERRAL) {
/* REFERRAL type responses get a reset of the
@ -2201,6 +2315,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
* point to the referral. */
iq->deleg_msg = iq->response;
iq->dp = delegpt_from_message(iq->response, qstate->region);
if (qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
if(!iq->dp)
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
@ -2280,6 +2396,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* set the current request's qname to the new value. */
iq->qchase.qname = sname;
iq->qchase.qname_len = snamelen;
if (qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
/* Clear the query state, since this is a query restart. */
iq->deleg_msg = NULL;
iq->dp = NULL;
@ -2353,6 +2471,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* LAME, THROWAWAY and "unknown" all end up here.
* Recycle to the QUERYTARGETS state to hopefully try a
* different target. */
if (qstate->env->cfg->qname_minimisation)
iq->minimisation_state = DONOT_MINIMISE_STATE;
return next_state(iq, QUERYTARGETS_STATE);
}
@ -2968,7 +3088,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
prs->flags &= ~BIT_CD;
/* normalize and sanitize: easy to delete items from linked lists */
if(!scrub_message(pkt, prs, &iq->qchase, iq->dp->name,
if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name,
qstate->env->scratch, qstate->env, ie)) {
/* if 0x20 enabled, start fallback, but we have no message */
if(event == module_event_capsfail && !iq->caps_fallback) {

View File

@ -54,7 +54,7 @@ struct iter_priv;
struct rbtree_t;
/** max number of targets spawned for a query and its subqueries */
#define MAX_TARGET_COUNT 32
#define MAX_TARGET_COUNT 64
/** max number of query restarts. Determines max number of CNAME chain. */
#define MAX_RESTART_COUNT 8
/** max number of referrals. Makes sure resolver does not run away */
@ -112,6 +112,32 @@ struct iter_env {
* array of max_dependency_depth+1 size.
*/
int* target_fetch_policy;
/** ip6.arpa dname in wireformat, used for qname-minimisation */
uint8_t* ip6arpa_dname;
};
/**
* QNAME minimisation state
*/
enum minimisation_state {
/**
* (Re)start minimisation. Outgoing QNAME should be set to dp->name.
* State entered on new query or after following refferal or CNAME.
*/
INIT_MINIMISE_STATE = 0,
/**
* QNAME minimisataion ongoing. Increase QNAME on every iteration.
*/
MINIMISE_STATE,
/**
* Don't increment QNAME this iteration
*/
SKIP_MINIMISE_STATE,
/**
* Send out full QNAME + original QTYPE
*/
DONOT_MINIMISE_STATE,
};
/**
@ -322,6 +348,15 @@ struct iter_qstate {
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;
/** QNAME minimisation state */
enum minimisation_state minimisation_state;
/**
* The query info that is sent upstream. Will be a subset of qchase
* when qname minimisation is enabled.
*/
struct query_info qinfo_out;
};
/**

View File

@ -68,6 +68,9 @@
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
#ifdef HAVE_TIME_H
#include <time.h>
#endif
#if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
#include <windows.h>
@ -955,7 +958,7 @@ ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname)
while (ptr) {
numserv++;
if((retval=ub_ctx_set_fwd(ctx,
ptr->IpAddress.String)!=0)) {
ptr->IpAddress.String))!=0) {
free(info);
return retval;
}

View File

@ -36,7 +36,7 @@
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " testenv to make test environment and run bash "
@echo " usefull in case you don't want to install unbound but want to test examples"
@echo " useful in case you don't want to install unbound but want to test examples"
@echo " doc to make documentation"
@echo " clean clean all"

View File

@ -22,7 +22,7 @@ You need GNU make to compile sources; SWIG and Python devel libraries to compile
**Testing**
If the compilation is successfull, you can test the python LDNS extension module by::
If the compilation is successful, you can test the python LDNS extension module by::
> cd contrib/python
> make testenv

View File

@ -42,7 +42,7 @@ Class ub_result
False, if validation failed or domain queried has no security info.
It is possible to get a result with no data (havedata is false),
and secure is true. This means that the non-existance of the data
and secure is true. This means that the non-existence of the data
was cryptographically proven (with signatures).
.. attribute:: bogus

View File

@ -44,7 +44,7 @@ ctx.debugout(fw)
ctx.debuglevel(2)
if os.path.isfile("keys"):
ctx.add_ta_file("keys") #read public keys for DNSSEC verificatio
ctx.add_ta_file("keys") #read public keys for DNSSEC verification
status, result = ctx.resolve("www.nic.cz", RR_TYPE_A, RR_CLASS_IN)
if status == 0 and result.havedata:

View File

@ -1,5 +1,5 @@
/*
* libounbound.i: pyUnbound module (libunbound wrapper for Python)
* libunbound.i: pyUnbound module (libunbound wrapper for Python)
*
* Copyright (c) 2009, Zdenek Vasicek (vasicek AT fit.vutbr.cz)
* Marek Vavrusa (xvavru00 AT stud.fit.vutbr.cz)
@ -455,7 +455,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
#_UB_CTX_METHODS#
def zone_print(self):
"""Print local zones using debougout"""
"""Print local zones using debugout"""
_unbound.ub_ctx_print_local_zones(self)
def zone_add(self,zonename,zonetype):

View File

@ -4394,7 +4394,7 @@ EOF
{
/* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
namespace, but it is not one of the ones we know about and
have already dealt with, above (inluding dump-script), then
have already dealt with, above (including dump-script), then
report an error. Otherwise, targets might begin to believe
they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
namespace. The first time any user complains about this, we'll

View File

@ -328,10 +328,10 @@ if [ "$DOWIN" = "yes" ]; then
$strip unbound-service-install.exe
$strip unbound-service-remove.exe
cd tmp.$$
cp ../doc/example.conf example.conf
cp ../unbound.exe ../unbound-anchor.exe ../unbound-host.exe ../unbound-control.exe ../unbound-checkconf.exe ../unbound-service-install.exe ../unbound-service-remove.exe ../LICENSE ../winrc/unbound-control-setup.cmd ../winrc/unbound-website.url ../winrc/service.conf ../winrc/README.txt .
cp ../doc/example.conf ../doc/Changelog .
cp ../unbound.exe ../unbound-anchor.exe ../unbound-host.exe ../unbound-control.exe ../unbound-checkconf.exe ../unbound-service-install.exe ../unbound-service-remove.exe ../LICENSE ../winrc/unbound-control-setup.cmd ../winrc/unbound-website.url ../winrc/service.conf ../winrc/README.txt ../contrib/create_unbound_ad_servers.cmd ../contrib/warmup.cmd ../contrib/unbound_cache.cmd .
# zipfile
zip ../$file LICENSE README.txt unbound.exe unbound-anchor.exe unbound-host.exe unbound-control.exe unbound-checkconf.exe unbound-service-install.exe unbound-service-remove.exe unbound-control-setup.cmd example.conf service.conf unbound-website.url
zip ../$file LICENSE README.txt unbound.exe unbound-anchor.exe unbound-host.exe unbound-control.exe unbound-checkconf.exe unbound-service-install.exe unbound-service-remove.exe unbound-control-setup.cmd example.conf service.conf unbound-website.url create_unbound_ad_servers.cmd warmup.cmd unbound_cache.cmd Changelog
info "Testing $file"
(cd .. ; zip -T $file )
# installer
@ -451,6 +451,10 @@ tar czf ../unbound-$version.tar.gz unbound-$version || error_cleanup "Failed to
cleanup
storehash unbound-$version.tar.gz
echo "create unbound-$version.tar.gz.asc with:"
echo " gpg --armor --detach-sign unbound-$version.tar.gz"
echo " gpg --armor --detach-sign unbound-$version.zip"
echo " gpg --armor --detach-sign unbound_setup_$version.exe"
info "Unbound distribution created successfully."

View File

@ -24,7 +24,7 @@ DNS query and word lookup
Let's define the following format od DNS queries: ``word1[.]word2[.] ... wordN[.]{en,cs}[._dict_.cz.]``.
Word lookup is done by simple ``dict`` lookup from broken DNS request.
Query name is divided into a list of labels. This list is accesible as qname_list attribute.
Query name is divided into a list of labels. This list is accessible as qname_list attribute.
::
aword = ' '.join(qstate.qinfo.qname_list[0:-4]) #skip last four labels

View File

@ -311,7 +311,7 @@ config_file
.. attribute:: local_data
Local data RRs configged.
Local data RRs configured.
.. attribute:: remote_control_enable

View File

@ -68,7 +68,7 @@ Module event
.. data:: module_event_error
Error occured.
Error occurred.
Security status
~~~~~~~~~~~~~~~~

View File

@ -347,12 +347,12 @@ DNSMessage
.. method:: __init__(self, rr_name, rr_type, rr_class = RR_CLASS_IN, query_flags = 0, default_ttl = 0)
Prepares an answer (DNS packet) from qiven information. Query flags are combination of PKT_xx contants.
Prepares an answer (DNS packet) from given information. Query flags are combination of PKT_xx constants.
.. method:: set_return_msg(self, qstate)
This method fills qstate return message according to the given informations.
It takes lists of RRs in each section of answer, created necessray RRsets in wire format and store the result in :attr:`qstate.return_msg`.
It takes lists of RRs in each section of answer, created necessary RRsets in wire format and store the result in :attr:`qstate.return_msg`.
Returns 1 if OK.
.. attribute:: rr_name

View File

@ -9,7 +9,7 @@ Synchronized with database engine, for example *MySQL*.
Firewall control
----------------
Control firewall (e.g. enable incomming SSH connection) with DNS query signed with private key.
Control firewall (e.g. enable incoming SSH connection) with DNS query signed with private key.
So firewall can blocks every service during normal operation.
Scriptable DNS-based blacklist (DNS-BL_)

View File

@ -656,8 +656,9 @@ fill_any(struct module_env* env,
time_t now = *env->now;
struct dns_msg* msg = NULL;
uint16_t lookup[] = {LDNS_RR_TYPE_A, LDNS_RR_TYPE_AAAA,
LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS, 0};
int i, num=5; /* number of RR types to look up */
LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS,
LDNS_RR_TYPE_DNAME, 0};
int i, num=6; /* number of RR types to look up */
log_assert(lookup[num] == 0);
for(i=0; i<num; i++) {

View File

@ -190,6 +190,7 @@ rrset_cache_update(struct rrset_cache* r, struct rrset_ref* ref,
uint16_t rrset_type = ntohs(k->rk.type);
int equal = 0;
log_assert(ref->id != 0 && k->id != 0);
log_assert(k->rk.dname != NULL);
/* looks up item with a readlock - no editing! */
if((e=slabhash_lookup(&r->table, h, k, 0)) != 0) {
/* return id and key as they will be used in the cache

View File

@ -56,13 +56,13 @@ time_t sldns_mktime_from_utc(const struct tm *tm);
/**
* The function interprets time as the number of seconds since epoch
* with respect to now using serial arithmitics (rfc1982).
* with respect to now using serial arithmetics (rfc1982).
* That number of seconds is then converted to broken-out time information.
* This is especially usefull when converting the inception and expiration
* fields of RRSIG records.
*
* \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
* to be intepreted as a serial arithmitics number relative to now.
* to be intepreted as a serial arithmetics number relative to now.
* \param[in] now number of seconds since epoch (midnight, January 1st, 1970)
* to which the time value is compared to determine the final value.
* \param[out] result the struct with the broken-out time information

View File

@ -342,7 +342,7 @@ enum sldns_enum_rdf_type
/** A <character-string> encoding of the value field as specified
* [RFC1035], Section 5.1., encoded as remaining rdata.
* For CAA.
* For CAA, URI.
*/
LDNS_RDF_TYPE_LONG_STR,

View File

@ -697,6 +697,9 @@ int sldns_wire2str_rdata_scan(uint8_t** d, size_t* dlen, char** s,
}
w += n;
}
if(*dlen != 0) {
goto failed;
}
return w;
}

View File

@ -95,7 +95,7 @@
* signed yet; avoids attacks on system clock). The
* last-successful-RFC5011-probe (if available) has to be more than 30 days
* in the past (otherwise, RFC5011 should have worked). This keeps
* unneccesary https traffic down. If the main certificate is expired, it
* unnecessary https traffic down. If the main certificate is expired, it
* fails.
*
* The dates on the keys in the xml are checked (uses the libexpat xml
@ -1520,7 +1520,11 @@ xml_entitydeclhandler(void *userData,
const XML_Char *ATTR_UNUSED(publicId),
const XML_Char *ATTR_UNUSED(notationName))
{
#if HAVE_DECL_XML_STOPPARSER
(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
#else
(void)userData;
#endif
}
/**
@ -1828,6 +1832,12 @@ write_unsigned_root(const char* root_anchor_file)
root_anchor_file);
if(verb && errno != 0) printf("%s\n", strerror(errno));
}
fflush(out);
#ifdef HAVE_FSYNC
fsync(fileno(out));
#else
FlushFileBuffers((HANDLE)_fileno(out));
#endif
fclose(out);
}
@ -1854,6 +1864,12 @@ write_root_anchor(const char* root_anchor_file, BIO* ds)
root_anchor_file);
if(verb && errno != 0) printf("%s\n", strerror(errno));
}
fflush(out);
#ifdef HAVE_FSYNC
fsync(fileno(out));
#else
FlushFileBuffers((HANDLE)_fileno(out));
#endif
fclose(out);
}

View File

@ -335,7 +335,9 @@ morechecks(struct config_file* cfg, const char* fname)
if(cfg->edns_buffer_size > cfg->msg_buffer_size)
fatal_exit("edns-buffer-size larger than msg-buffer-size, "
"answers will not fit in processing buffer");
#ifdef UB_ON_WINDOWS
w_config_adjust_directory(cfg);
#endif
if(cfg->chrootdir && cfg->chrootdir[0] &&
cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
fatal_exit("chootdir %s has trailing slash '/' please remove.",

View File

@ -107,16 +107,15 @@ else
fi
# create self-signed cert for server
cat >request.cfg <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
echo "[req]" > request.cfg
echo "default_bits=$BITS" >> request.cfg
echo "default_md=$HASH" >> request.cfg
echo "prompt=no" >> request.cfg
echo "distinguished_name=req_distinguished_name" >> request.cfg
echo "" >> request.cfg
echo "[req_distinguished_name]" >> request.cfg
echo "commonName=$SERVERNAME" >> request.cfg
[req_distinguished_name]
commonName=$SERVERNAME
EOF
test -f request.cfg || error "could not create request.cfg"
echo "create $SVR_BASE.pem (self signed certificate)"
@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out
openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
# create client request and sign it, piped
cat >request.cfg <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
echo "[req]" > request.cfg
echo "default_bits=$BITS" >> request.cfg
echo "default_md=$HASH" >> request.cfg
echo "prompt=no" >> request.cfg
echo "distinguished_name=req_distinguished_name" >> request.cfg
echo "" >> request.cfg
echo "[req_distinguished_name]" >> request.cfg
echo "commonName=$CLIENTNAME" >> request.cfg
[req_distinguished_name]
commonName=$CLIENTNAME
EOF
test -f request.cfg || error "could not create request.cfg"
echo "create $CTL_BASE.pem (signed client certificate)"

View File

@ -156,10 +156,12 @@ setup_ctx(struct config_file* cfg)
ctx = SSL_CTX_new(SSLv23_client_method());
if(!ctx)
ssl_err("could not allocate SSL_CTX pointer");
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
!= SSL_OP_NO_SSLv2)
ssl_err("could not set SSL_OP_NO_SSLv2");
if(cfg->remote_control_use_cert) {
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3");
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
@ -361,6 +363,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
fatal_exit("could not read config file");
if(!cfg->remote_control_enable)
log_warn("control-enable is 'no' in the config file.");
#ifdef UB_ON_WINDOWS
w_config_adjust_directory(cfg);
#endif
ctx = setup_ctx(cfg);
/* contact server */

View File

@ -430,7 +430,7 @@ finish_acquire_lock(struct thr_check* thr, struct checked_lock* lock,
* @param timedfunc: the pthread_mutex_timedlock or similar function.
* Uses absolute timeout value.
* @param arg: what to pass to tryfunc and timedlock.
* @param exclusive: if lock must be exlusive (only one allowed).
* @param exclusive: if lock must be exclusive (only one allowed).
* @param getwr: if attempts to get writelock (or readlock) for rwlocks.
*/
static void
@ -502,6 +502,8 @@ void
checklock_rdlock(enum check_lock_type type, struct checked_lock* lock,
const char* func, const char* file, int line)
{
if(key_deleted)
return;
log_assert(type == check_lock_rwlock);
checklock_lockit(type, lock, func, file, line,
@ -520,6 +522,8 @@ void
checklock_wrlock(enum check_lock_type type, struct checked_lock* lock,
const char* func, const char* file, int line)
{
if(key_deleted)
return;
log_assert(type == check_lock_rwlock);
checklock_lockit(type, lock, func, file, line,
try_wr, timed_wr, &lock->u.rwlock, 0, 1);
@ -555,6 +559,8 @@ void
checklock_lock(enum check_lock_type type, struct checked_lock* lock,
const char* func, const char* file, int line)
{
if(key_deleted)
return;
log_assert(type != check_lock_rwlock);
switch(type) {
case check_lock_mutex:
@ -577,8 +583,10 @@ void
checklock_unlock(enum check_lock_type type, struct checked_lock* lock,
const char* func, const char* file, int line)
{
struct thr_check *thr = (struct thr_check*)pthread_getspecific(
thr_debug_key);
struct thr_check *thr;
if(key_deleted)
return;
thr = (struct thr_check*)pthread_getspecific(thr_debug_key);
checktype(type, lock, func, file, line);
if(!thr) lock_error(lock, func, file, line, "no thread info");
@ -755,7 +763,8 @@ static void
lock_debug_info(struct checked_lock* lock)
{
if(!lock) return;
log_info("+++ Lock %x, %d %d create %s %s %d", (int)lock,
log_info("+++ Lock %llx, %d %d create %s %s %d",
(unsigned long long)(size_t)lock,
lock->create_thread, lock->create_instance,
lock->create_func, lock->create_file, lock->create_line);
log_info("lock type: %s",
@ -790,8 +799,9 @@ thread_debug_info(struct thr_check* thr)
struct checked_lock* l = NULL;
if(!thr) return;
log_info("pthread id is %x", (int)thr->id);
log_info("thread func is %x", (int)thr->func);
log_info("thread arg is %x (%d)", (int)thr->arg,
log_info("thread func is %llx", (unsigned long long)(size_t)thr->func);
log_info("thread arg is %llx (%d)",
(unsigned long long)(size_t)thr->arg,
(thr->arg?*(int*)thr->arg:0));
log_info("thread num is %d", thr->num);
log_info("locks created %d", thr->locks_created);
@ -801,7 +811,8 @@ thread_debug_info(struct thr_check* thr)
w = thr->waiting;
f = thr->holding_first;
l = thr->holding_last;
log_info("thread waiting for a lock: %s %x", w?"yes":"no", (int)w);
log_info("thread waiting for a lock: %s %llx", w?"yes":"no",
(unsigned long long)(size_t)w);
lock_debug_info(w);
log_info("thread holding first: %s, last: %s", f?"yes":"no",
l?"yes":"no");

View File

@ -569,7 +569,7 @@ do_infra_rtt(struct replay_runtime* runtime)
free(dp);
}
/** perform exponential backoff on the timout */
/** perform exponential backoff on the timeout */
static void
expon_timeout_backoff(struct replay_runtime* runtime)
{

View File

@ -44,6 +44,9 @@
*/
#include "config.h"
#ifdef HAVE_TIME_H
#include <time.h>
#endif
#include "util/log.h"
#include "util/rbtree.h"
#include "util/locks.h"

View File

@ -499,8 +499,7 @@ replay_scenario_delete(struct replay_scenario* scen)
struct replay_range* rng, *rngn;
if(!scen)
return;
if(scen->title)
free(scen->title);
free(scen->title);
mom = scen->mom_first;
while(mom) {
momn = mom->mom_next;
@ -909,118 +908,127 @@ macro_assign(rbtree_t* store, char* name, char* value)
return x->value != NULL;
}
/* testbound assert function for selftest. counts the number of tests */
#define tb_assert(x) \
do { if(!(x)) fatal_exit("%s:%d: %s: assertion %s failed", \
__FILE__, __LINE__, __func__, #x); \
num_asserts++; \
} while(0);
void testbound_selftest(void)
{
/* test the macro store */
rbtree_t* store = macro_store_create();
char* v;
int r;
log_assert(store);
int num_asserts = 0;
tb_assert(store);
v = macro_lookup(store, "bla");
log_assert(strcmp(v, "") == 0);
tb_assert(strcmp(v, "") == 0);
free(v);
v = macro_lookup(store, "vlerk");
log_assert(strcmp(v, "") == 0);
tb_assert(strcmp(v, "") == 0);
free(v);
r = macro_assign(store, "bla", "waarde1");
log_assert(r);
tb_assert(r);
v = macro_lookup(store, "vlerk");
log_assert(strcmp(v, "") == 0);
tb_assert(strcmp(v, "") == 0);
free(v);
v = macro_lookup(store, "bla");
log_assert(strcmp(v, "waarde1") == 0);
tb_assert(strcmp(v, "waarde1") == 0);
free(v);
r = macro_assign(store, "vlerk", "kanteel");
log_assert(r);
tb_assert(r);
v = macro_lookup(store, "bla");
log_assert(strcmp(v, "waarde1") == 0);
tb_assert(strcmp(v, "waarde1") == 0);
free(v);
v = macro_lookup(store, "vlerk");
log_assert(strcmp(v, "kanteel") == 0);
tb_assert(strcmp(v, "kanteel") == 0);
free(v);
r = macro_assign(store, "bla", "ww");
log_assert(r);
tb_assert(r);
v = macro_lookup(store, "bla");
log_assert(strcmp(v, "ww") == 0);
tb_assert(strcmp(v, "ww") == 0);
free(v);
log_assert( macro_length("}") == 1);
log_assert( macro_length("blabla}") == 7);
log_assert( macro_length("bla${zoink}bla}") == 7+8);
log_assert( macro_length("bla${zoink}${bla}bla}") == 7+8+6);
tb_assert( macro_length("}") == 1);
tb_assert( macro_length("blabla}") == 7);
tb_assert( macro_length("bla${zoink}bla}") == 7+8);
tb_assert( macro_length("bla${zoink}${bla}bla}") == 7+8+6);
v = macro_process(store, NULL, "");
log_assert( v && strcmp(v, "") == 0);
tb_assert( v && strcmp(v, "") == 0);
free(v);
v = macro_process(store, NULL, "${}");
log_assert( v && strcmp(v, "") == 0);
tb_assert( v && strcmp(v, "") == 0);
free(v);
v = macro_process(store, NULL, "blabla ${} dinges");
log_assert( v && strcmp(v, "blabla dinges") == 0);
tb_assert( v && strcmp(v, "blabla dinges") == 0);
free(v);
v = macro_process(store, NULL, "1${$bla}2${$bla}3");
log_assert( v && strcmp(v, "1ww2ww3") == 0);
tb_assert( v && strcmp(v, "1ww2ww3") == 0);
free(v);
v = macro_process(store, NULL, "it is ${ctime 123456}");
log_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
tb_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
free(v);
r = macro_assign(store, "t1", "123456");
log_assert(r);
tb_assert(r);
v = macro_process(store, NULL, "it is ${ctime ${$t1}}");
log_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
tb_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
free(v);
v = macro_process(store, NULL, "it is ${ctime $t1}");
log_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
tb_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
free(v);
r = macro_assign(store, "x", "1");
log_assert(r);
tb_assert(r);
r = macro_assign(store, "y", "2");
log_assert(r);
tb_assert(r);
v = macro_process(store, NULL, "${$x + $x}");
log_assert( v && strcmp(v, "2") == 0);
tb_assert( v && strcmp(v, "2") == 0);
free(v);
v = macro_process(store, NULL, "${$x - $x}");
log_assert( v && strcmp(v, "0") == 0);
tb_assert( v && strcmp(v, "0") == 0);
free(v);
v = macro_process(store, NULL, "${$y * $y}");
log_assert( v && strcmp(v, "4") == 0);
tb_assert( v && strcmp(v, "4") == 0);
free(v);
v = macro_process(store, NULL, "${32 / $y + $x + $y}");
log_assert( v && strcmp(v, "19") == 0);
tb_assert( v && strcmp(v, "19") == 0);
free(v);
v = macro_process(store, NULL, "${32 / ${$y+$y} + ${${100*3}/3}}");
log_assert( v && strcmp(v, "108") == 0);
tb_assert( v && strcmp(v, "108") == 0);
free(v);
v = macro_process(store, NULL, "${1 2 33 2 1}");
log_assert( v && strcmp(v, "1 2 33 2 1") == 0);
tb_assert( v && strcmp(v, "1 2 33 2 1") == 0);
free(v);
v = macro_process(store, NULL, "${123 3 + 5}");
log_assert( v && strcmp(v, "123 8") == 0);
tb_assert( v && strcmp(v, "123 8") == 0);
free(v);
v = macro_process(store, NULL, "${123 glug 3 + 5}");
log_assert( v && strcmp(v, "123 glug 8") == 0);
tb_assert( v && strcmp(v, "123 glug 8") == 0);
free(v);
macro_store_delete(store);
printf("selftest successful (%d checks).\n", num_asserts);
}

View File

@ -35,7 +35,7 @@
*/
/**
* \file
* Exits with code 1 on a failure. 0 if all unit tests are successfull.
* Exits with code 1 on a failure. 0 if all unit tests are successful.
*/
#include "config.h"
@ -284,10 +284,9 @@ main(int argc, char* argv[])
case 's':
free(pass_argv[1]);
testbound_selftest();
printf("selftest successful\n");
exit(0);
case '2':
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS)) && defined(USE_SHA2)
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
printf("SHA256 supported\n");
exit(0);
#else

View File

@ -214,7 +214,7 @@ void delete_entry(struct entry* list);
* @param in: file to read from. Filepos must be at the start of a new line.
* @param name: name of the file for prettier errors.
* @param pstate: file parse state with lineno, default_ttl,
* oirigin and prev_rr name.
* origin and prev_rr name.
* @param skip_whitespace: skip leftside whitespace.
* @return: The entry read (malloced) or NULL if no entry could be read.
*/

View File

@ -359,7 +359,7 @@ testlookup_unlim(struct lruhash* table, testdata_t** ref)
static void
test_long_table(struct lruhash* table)
{
/* assuming it all fits in the hastable, this check will work */
/* assuming it all fits in the hashtable, this check will work */
testdata_t* ref[HASHTESTMAX * 100];
size_t i;
memset(ref, 0, sizeof(ref));

View File

@ -36,7 +36,7 @@
/**
* \file
* Unit test main program. Calls all the other unit tests.
* Exits with code 1 on a failure. 0 if all unit tests are successfull.
* Exits with code 1 on a failure. 0 if all unit tests are successful.
*/
#include "config.h"

View File

@ -242,7 +242,7 @@ testlookup_unlim(struct slabhash* table, testdata_t** ref)
static void
test_long_table(struct slabhash* table)
{
/* assuming it all fits in the hastable, this check will work */
/* assuming it all fits in the hashtable, this check will work */
testdata_t* ref[HASHTESTMAX * 100];
size_t i;
memset(ref, 0, sizeof(ref));

View File

@ -504,12 +504,12 @@ verify_test(void)
verifytest_file("testdata/test_signatures.6", "20080416005004");
verifytest_file("testdata/test_signatures.7", "20070829144150");
verifytest_file("testdata/test_signatures.8", "20070829144150");
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS)) && defined(USE_SHA2)
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
verifytest_file("testdata/test_sigs.rsasha256", "20070829144150");
verifytest_file("testdata/test_sigs.sha1_and_256", "20070829144150");
verifytest_file("testdata/test_sigs.rsasha256_draft", "20090101000000");
#endif
#if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS)) && defined(USE_SHA2)
#if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
verifytest_file("testdata/test_sigs.rsasha512_draft", "20070829144150");
#endif
verifytest_file("testdata/test_sigs.hinfo", "20090107100022");

View File

@ -100,7 +100,7 @@ config_create(void)
cfg->tcp_upstream = 0;
cfg->ssl_service_key = NULL;
cfg->ssl_service_pem = NULL;
cfg->ssl_port = 443;
cfg->ssl_port = 853;
cfg->ssl_upstream = 0;
cfg->use_syslog = 1;
cfg->log_time_ascii = 0;
@ -174,7 +174,7 @@ config_create(void)
cfg->harden_dnssec_stripped = 1;
cfg->harden_below_nxdomain = 0;
cfg->harden_referral_path = 0;
cfg->harden_algo_downgrade = 1;
cfg->harden_algo_downgrade = 0;
cfg->use_caps_bits_for_id = 0;
cfg->caps_whitelist = NULL;
cfg->private_address = NULL;
@ -240,6 +240,7 @@ config_create(void)
cfg->ratelimit_for_domain = NULL;
cfg->ratelimit_below_domain = NULL;
cfg->ratelimit_factor = 10;
cfg->qname_minimisation = 0;
return cfg;
error_exit:
config_delete(cfg);
@ -473,6 +474,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_MEMSIZE("ratelimit-size:", ratelimit_size)
else S_POW2("ratelimit-slabs:", ratelimit_slabs)
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
else S_YNO("qname-minimisation:", qname_minimisation)
/* val_sig_skew_min and max are copied into val_env during init,
* so this does not update val_env with set_option */
else if(strcmp(opt, "val-sig-skew-min:") == 0)
@ -747,6 +749,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
else O_YNO(opt, "qname-minimisation", qname_minimisation)
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports
* local-zone - zones and nodefault variables
@ -1555,6 +1558,28 @@ w_lookup_reg_str(const char* key, const char* name)
}
return result;
}
void w_config_adjust_directory(struct config_file* cfg)
{
if(cfg->directory && cfg->directory[0]) {
TCHAR dirbuf[2*MAX_PATH+4];
if(strcmp(cfg->directory, "%EXECUTABLE%") == 0) {
/* get executable path, and if that contains
* directories, snip off the filename part */
dirbuf[0] = 0;
if(!GetModuleFileName(NULL, dirbuf, MAX_PATH))
log_err("could not GetModuleFileName");
if(strrchr(dirbuf, '\\')) {
(strrchr(dirbuf, '\\'))[0] = 0;
} else log_err("GetModuleFileName had no path");
if(dirbuf[0]) {
/* adjust directory for later lookups to work*/
free(cfg->directory);
cfg->directory = memdup(dirbuf, strlen(dirbuf)+1);
}
}
}
}
#endif /* UB_ON_WINDOWS */
void errinf(struct module_qstate* qstate, const char* str)

View File

@ -283,7 +283,7 @@ struct config_file {
struct config_str2list* local_zones;
/** local zones nodefault list */
struct config_strlist* local_zones_nodefault;
/** local data RRs configged */
/** local data RRs configured */
struct config_strlist* local_data;
/** unblock lan zones (reverse lookups for 10/8 and so on) */
int unblock_lan_zones;
@ -364,6 +364,8 @@ struct config_file {
struct config_str2list* ratelimit_below_domain;
/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
int ratelimit_factor;
/** minimise outgoing QNAME and hide original QTYPE if possible */
int qname_minimisation;
};
/** from cfg username, after daemonise setup performed */
@ -739,6 +741,9 @@ void ub_c_error_msg(const char* fmt, ...) ATTR_FORMAT(printf, 1, 2);
* exist on an error (logged with log_err) was encountered.
*/
char* w_lookup_reg_str(const char* key, const char* name);
/** Modify directory in options for module file name */
void w_config_adjust_directory(struct config_file* cfg);
#endif /* UB_ON_WINDOWS */
#endif /* UTIL_CONFIG_FILE_H */

File diff suppressed because it is too large Load Diff

View File

@ -126,6 +126,10 @@ static void config_start_include_glob(const char* filename)
#endif
;
memset(&g, 0, sizeof(g));
if(cfg_parser->chroot && strncmp(filename, cfg_parser->chroot,
strlen(cfg_parser->chroot)) == 0) {
filename += strlen(cfg_parser->chroot);
}
r = glob(filename, flags, NULL, &g);
if(r) {
/* some error */
@ -201,6 +205,7 @@ SQANY [^\'\n\r\\]|\\.
/* note that flex makes the longest match and '.' is any but not nl */
LEXOUT(("comment(%s) ", yytext)); /* ignore */ }
server{COLON} { YDVAR(0, VAR_SERVER) }
qname-minimisation{COLON} { YDVAR(1, VAR_QNAME_MINIMISATION) }
num-threads{COLON} { YDVAR(1, VAR_NUM_THREADS) }
verbosity{COLON} { YDVAR(1, VAR_VERBOSITY) }
port{COLON} { YDVAR(1, VAR_PORT) }

File diff suppressed because it is too large Load Diff

View File

@ -204,7 +204,8 @@ extern int yydebug;
VAR_RATELIMIT_FACTOR = 413,
VAR_CAPS_WHITELIST = 414,
VAR_CACHE_MAX_NEGATIVE_TTL = 415,
VAR_PERMIT_SMALL_HOLDDOWN = 416
VAR_PERMIT_SMALL_HOLDDOWN = 416,
VAR_QNAME_MINIMISATION = 417
};
#endif
/* Tokens. */
@ -367,6 +368,7 @@ extern int yydebug;
#define VAR_CAPS_WHITELIST 414
#define VAR_CACHE_MAX_NEGATIVE_TTL 415
#define VAR_PERMIT_SMALL_HOLDDOWN 416
#define VAR_QNAME_MINIMISATION 417
@ -380,7 +382,7 @@ typedef union YYSTYPE
/* Line 2058 of yacc.c */
#line 384 "util/configparser.h"
#line 386 "util/configparser.h"
} YYSTYPE;
# define YYSTYPE_IS_TRIVIAL 1
# define yystype YYSTYPE /* obsolescent; will be withdrawn */

View File

@ -122,6 +122,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
%token VAR_QNAME_MINIMISATION
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -186,7 +187,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ratelimit_size | server_ratelimit_for_domain |
server_ratelimit_below_domain | server_ratelimit_factor |
server_caps_whitelist | server_cache_max_negative_ttl |
server_permit_small_holddown
server_permit_small_holddown | server_qname_minimisation
;
stubstart: VAR_STUB_ZONE
{
@ -1318,6 +1319,16 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
free($2);
}
;
server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG
{
OUTYY(("P(server_qname_minimisation:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->qname_minimisation =
(strcmp($2, "yes")==0);
free($2);
}
;
stub_name: VAR_NAME STRING_ARG
{
OUTYY(("P(name:%s)\n", $2));

View File

@ -57,11 +57,9 @@ ub_packed_rrset_parsedelete(struct ub_packed_rrset_key* pkey,
{
if(!pkey)
return;
if(pkey->entry.data)
free(pkey->entry.data);
free(pkey->entry.data);
pkey->entry.data = NULL;
if(pkey->rk.dname)
free(pkey->rk.dname);
free(pkey->rk.dname);
pkey->rk.dname = NULL;
pkey->id = 0;
alloc_special_release(alloc, pkey);

View File

@ -660,6 +660,7 @@
833,
847,
848,
853,
860,
861,
862,
@ -3840,6 +3841,9 @@
4404,
4405,
4406,
4412,
4413,
4416,
4425,
4426,
4430,
@ -4570,6 +4574,7 @@
7070,
7071,
7080,
7088,
7095,
7099,
7100,
@ -5381,6 +5386,7 @@
38203,
39681,
40000,
40023,
40841,
40842,
40843,

View File

@ -232,7 +232,7 @@ void ub_thread_create(ub_thread_t* thr, void* (*func)(void*), void* arg)
0, /* default flags, run immediately */
NULL); /* do not store thread identifier anywhere */
#else
/* the begintheadex routine setups for the C lib; aligns stack */
/* the beginthreadex routine setups for the C lib; aligns stack */
*thr=(ub_thread_t)_beginthreadex(NULL, 0, (void*)func, arg, 0, NULL);
#endif
if(*thr == NULL) {

View File

@ -261,12 +261,9 @@ void event_base_free(struct event_base* base)
{
if(!base)
return;
if(base->times)
free(base->times);
if(base->fds)
free(base->fds);
if(base->signals)
free(base->signals);
free(base->times);
free(base->fds);
free(base->signals);
free(base);
}

View File

@ -619,12 +619,14 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
return NULL;
}
/* no SSLv2, SSLv3 because has defects */
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
!= SSL_OP_NO_SSLv2){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
SSL_CTX_free(ctx);
return NULL;
}
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3){
log_crypto_err("could not set SSL_OP_NO_SSLv3");
SSL_CTX_free(ctx);
return NULL;
@ -690,12 +692,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
log_crypto_err("could not allocate SSL_CTX pointer");
return NULL;
}
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
!= SSL_OP_NO_SSLv2) {
log_crypto_err("could not set SSL_OP_NO_SSLv2");
SSL_CTX_free(ctx);
return NULL;
}
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3) {
log_crypto_err("could not set SSL_OP_NO_SSLv3");
SSL_CTX_free(ctx);
return NULL;

View File

@ -68,6 +68,8 @@
/* nss3 */
#include "secport.h"
#include "pk11pub.h"
#elif defined(HAVE_NETTLE)
#include "yarrow.h"
#endif
/**
@ -76,7 +78,7 @@
*/
#define MAX_VALUE 0x7fffffff
#ifndef HAVE_NSS
#if defined(HAVE_SSL)
void
ub_systemseed(unsigned int ATTR_UNUSED(seed))
{
@ -110,7 +112,7 @@ ub_random_max(struct ub_randstate* state, long int x)
return (long)arc4random_uniform((uint32_t)x);
}
#else
#elif defined(HAVE_NSS)
/* not much to remember for NSS since we use its pk11_random, placeholder */
struct ub_randstate {
@ -144,6 +146,72 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
return x & MAX_VALUE;
}
#elif defined(HAVE_NETTLE)
/**
* libnettle implements a Yarrow-256 generator (SHA256 + AES),
* and we have to ensure it is seeded before use.
*/
struct ub_randstate {
struct yarrow256_ctx ctx;
int seeded;
};
void ub_systemseed(unsigned int ATTR_UNUSED(seed))
{
/**
* We seed on init and not here, as we need the ctx to re-seed.
* This also means that re-seeding is not supported.
*/
log_err("Re-seeding not supported, generator untouched");
}
struct ub_randstate* ub_initstate(unsigned int seed,
struct ub_randstate* ATTR_UNUSED(from))
{
struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
uint8_t buf[YARROW256_SEED_FILE_SIZE];
if(!s) {
log_err("malloc failure in random init");
return NULL;
}
/* Setup Yarrow context */
yarrow256_init(&s->ctx, 0, NULL);
if(getentropy(buf, sizeof(buf)) != -1) {
/* got entropy */
yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
s->seeded = yarrow256_is_seeded(&s->ctx);
} else {
/* Stretch the uint32 input seed and feed it to Yarrow */
uint32_t v = seed;
size_t i;
for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
memmove(buf+i*sizeof(seed), &v, sizeof(seed));
v = v*seed + (uint32_t)i;
}
yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
s->seeded = yarrow256_is_seeded(&s->ctx);
}
return s;
}
long int ub_random(struct ub_randstate* s)
{
/* random 31 bit value. */
long int x = 0;
if (!s || !s->seeded) {
log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded");
} else {
yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x);
}
return x & MAX_VALUE;
}
#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
long int
ub_random_max(struct ub_randstate* state, long int x)
{
@ -155,12 +223,11 @@ ub_random_max(struct ub_randstate* state, long int x)
v = ub_random(state);
return (v % x);
}
#endif /* HAVE_NSS */
#endif /* HAVE_NSS or HAVE_NETTLE */
void
ub_randfree(struct ub_randstate* s)
{
if(s)
free(s);
free(s);
/* user app must do RAND_cleanup(); */
}

View File

@ -68,7 +68,7 @@ static void rbtree_insert_fixup(rbtree_t *rbtree, rbnode_t *node);
static void rbtree_delete_fixup(rbtree_t* rbtree, rbnode_t* child, rbnode_t* child_parent);
/*
* Creates a new red black tree, intializes and returns a pointer to it.
* Creates a new red black tree, initializes and returns a pointer to it.
*
* Return NULL on failure.
*

View File

@ -96,7 +96,7 @@ int rtt_notimeout(const struct rtt_info* rtt);
void rtt_update(struct rtt_info* rtt, int ms);
/**
* Update the statistics with a new timout expired observation.
* Update the statistics with a new timeout expired observation.
* @param rtt: round trip statistics structure.
* @param orig: original rtt time given for the query that timed out.
* Used to calculate the maximum responsible backed off time that

View File

@ -356,7 +356,7 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
* noticably faster for short strings (like English words).
* noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
@ -544,7 +544,7 @@ void hashlittle2(
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
* noticably faster for short strings (like English words).
* noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
@ -725,7 +725,7 @@ uint32_t hashbig( const void *key, size_t length, uint32_t initval)
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
* noticably faster for short strings (like English words).
* noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
@ -858,7 +858,7 @@ void driver2()
{
for (j=0; j<8; ++j) /*------------------------ for each input bit, */
{
for (m=1; m<8; ++m) /*------------ for serveral possible initvals, */
for (m=1; m<8; ++m) /*------------ for several possible initvals, */
{
for (l=0; l<HASHSTATE; ++l)
e[l]=f[l]=g[l]=h[l]=x[l]=y[l]=~((uint32_t)0);

View File

@ -118,10 +118,8 @@ void tube_remove_bg_listen(struct tube* tube)
comm_point_delete(tube->listen_com);
tube->listen_com = NULL;
}
if(tube->cmd_msg) {
free(tube->cmd_msg);
tube->cmd_msg = NULL;
}
free(tube->cmd_msg);
tube->cmd_msg = NULL;
}
void tube_remove_bg_write(struct tube* tube)

View File

@ -83,7 +83,7 @@ struct tube {
/** background write queue, commpoint to write results back */
struct comm_point* res_com;
/** are we curently writing a result, 0 if not, else bytecount into
/** are we currently writing a result, 0 if not, else bytecount into
* the res_list first entry. */
size_t res_write;
/** list of outstanding results to be written back */

View File

@ -459,12 +459,9 @@ void event_base_free(struct event_base *base)
verbose(VERB_CLIENT, "winsock_event event_base_free");
if(!base)
return;
if(base->items)
free(base->items);
if(base->times)
free(base->times);
if(base->signals)
free(base->signals);
free(base->items);
free(base->times);
free(base->signals);
free(base);
}

View File

@ -201,7 +201,7 @@ struct event {
int stick_events;
/** true if this event is a signaling WSAEvent by the user.
* User created and user closed WSAEvent. Only signaled/unsigneled,
* User created and user closed WSAEvent. Only signaled/unsignaled,
* no read/write/distinctions needed. */
int is_signal;
/** used during callbacks to see which events were just checked */

View File

@ -1195,6 +1195,14 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
fatal_exit("could not completely write: %s", fname);
return;
}
if(fflush(out) != 0)
log_err("could not fflush(%s): %s", fname, strerror(errno));
#ifdef HAVE_FSYNC
if(fsync(fileno(out)) != 0)
log_err("could not fsync(%s): %s", fname, strerror(errno));
#else
FlushFileBuffers((HANDLE)_fileno(out));
#endif
if(fclose(out) != 0) {
fatal_exit("could not complete write: %s: %s",
fname, strerror(errno));
@ -2162,7 +2170,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
/* only increase failure count if this is not the first prime,
* this means there was a previous succesful probe */
* this means there was a previous successful probe */
if(tp->autr->last_success) {
tp->autr->query_failed += 1;
autr_write_file(env, tp);

View File

@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with aggressive negative caching.
* This creates new denials of existance, and proofs for absence of types
* This creates new denials of existence, and proofs for absence of types
* from cached NSEC records.
*/
#include "config.h"

View File

@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with aggressive negative caching.
* This creates new denials of existance, and proofs for absence of types
* This creates new denials of existence, and proofs for absence of types
* from cached NSEC records.
*/

View File

@ -1,5 +1,5 @@
/*
* validator/val_nsec.c - validator NSEC denial of existance functions.
* validator/val_nsec.c - validator NSEC denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with NSEC checking, the different NSEC proofs
* for denial of existance, and proofs for presence of types.
* for denial of existence, and proofs for presence of types.
*/
#include "config.h"
#include "validator/val_nsec.h"
@ -279,7 +279,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
return sec_status_insecure;
}
/* NSEC proof did not conlusively point to DS or no DS */
/* NSEC proof did not conclusively point to DS or no DS */
return sec_status_unchecked;
}
@ -340,6 +340,28 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
*wc = ce;
return 1;
}
} else {
/* See if the next owner name covers a wildcard
* empty non-terminal. */
while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
/* wildcard does not apply if qname below
* the name that exists under the '*' */
if (dname_subdomain_c(qinfo->qname, nm))
break;
/* but if it is a wildcard and qname is below
* it, then the wildcard applies. The wildcard
* is an empty nonterminal. nodata proven. */
if (dname_is_wild(nm)) {
size_t ce_len = ln;
uint8_t* ce = nm;
dname_remove_label(&ce, &ce_len);
if(dname_strict_subdomain_c(qinfo->qname, ce)) {
*wc = ce;
return 1;
}
}
dname_remove_label(&nm, &ln);
}
}
/* Otherwise, this NSEC does not prove ENT and is not a

View File

@ -1,5 +1,5 @@
/*
* validator/val_nsec.h - validator NSEC denial of existance functions.
* validator/val_nsec.h - validator NSEC denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with NSEC checking, the different NSEC proofs
* for denial of existance, and proofs for presence of types.
* for denial of existence, and proofs for presence of types.
*/
#ifndef VALIDATOR_VAL_NSEC_H
@ -54,7 +54,7 @@ struct key_entry_key;
/**
* Check DS absence.
* There is a NODATA reply to a DS that needs checking.
* NSECs can prove this is not a delegation point, or sucessfully prove
* NSECs can prove this is not a delegation point, or successfully prove
* that there is no DS. Or this fails.
*
* @param env: module env for rrsig verification routines.

View File

@ -1,5 +1,5 @@
/*
* validator/val_nsec3.c - validator NSEC3 denial of existance functions.
* validator/val_nsec3.c - validator NSEC3 denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@ -38,18 +38,12 @@
*
* This file contains helper functions for the validator module.
* The functions help with NSEC3 checking, the different NSEC3 proofs
* for denial of existance, and proofs for presence of types.
* for denial of existence, and proofs for presence of types.
*/
#include "config.h"
#include <ctype.h>
#ifdef HAVE_OPENSSL_SSL_H
#include "openssl/ssl.h"
#endif
#ifdef HAVE_NSS
/* nss3 */
#include "sechash.h"
#endif
#include "validator/val_nsec3.h"
#include "validator/val_secalgo.h"
#include "validator/validator.h"
#include "validator/val_kentry.h"
#include "services/cache/rrset.h"
@ -370,8 +364,8 @@ filter_next(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
/**
* Start iterating over NSEC3 records.
* @param filter: the filter structure, must have been filter_init-ed.
* @param rrsetnum: can be undefined on call, inited.
* @param rrnum: can be undefined on call, inited.
* @param rrsetnum: can be undefined on call, initialised.
* @param rrnum: can be undefined on call, initialised.
* @return first rrset of an NSEC3, together with rrnum this points to
* the first RR to examine. Is NULL on empty list.
*/
@ -545,46 +539,24 @@ nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
query_dname_tolower(sldns_buffer_begin(buf));
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
switch(algo) {
#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
case NSEC3_HASH_SHA1:
#ifdef HAVE_SSL
hash_len = SHA_DIGEST_LENGTH;
#else
hash_len = SHA1_LENGTH;
#endif
if(hash_len > max)
return 0;
# ifdef HAVE_SSL
(void)SHA1((unsigned char*)sldns_buffer_begin(buf),
(unsigned long)sldns_buffer_limit(buf),
(unsigned char*)res);
# else
(void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)res,
(unsigned char*)sldns_buffer_begin(buf),
(unsigned long)sldns_buffer_limit(buf));
# endif
for(i=0; i<iter; i++) {
sldns_buffer_clear(buf);
sldns_buffer_write(buf, res, hash_len);
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
# ifdef HAVE_SSL
(void)SHA1(
(unsigned char*)sldns_buffer_begin(buf),
(unsigned long)sldns_buffer_limit(buf),
(unsigned char*)res);
# else
(void)HASH_HashBuf(HASH_AlgSHA1,
(unsigned char*)res,
(unsigned char*)sldns_buffer_begin(buf),
(unsigned long)sldns_buffer_limit(buf));
# endif
}
break;
#endif /* HAVE_EVP_SHA1 or NSS */
default:
log_err("nsec3 hash of unknown algo %d", algo);
hash_len = nsec3_hash_algo_size_supported(algo);
if(hash_len == 0) {
log_err("nsec3 hash of unknown algo %d", algo);
return 0;
}
if(hash_len > max)
return 0;
if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)res))
return 0;
for(i=0; i<iter; i++) {
sldns_buffer_clear(buf);
sldns_buffer_write(buf, res, hash_len);
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
if(!secalgo_nsec3_hash(algo,
(unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)res))
return 0;
}
return hash_len;
@ -607,50 +579,24 @@ nsec3_calc_hash(struct regional* region, sldns_buffer* buf,
query_dname_tolower(sldns_buffer_begin(buf));
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
switch(algo) {
#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
case NSEC3_HASH_SHA1:
#ifdef HAVE_SSL
c->hash_len = SHA_DIGEST_LENGTH;
#else
c->hash_len = SHA1_LENGTH;
#endif
c->hash = (uint8_t*)regional_alloc(region,
c->hash_len);
if(!c->hash)
return 0;
# ifdef HAVE_SSL
(void)SHA1((unsigned char*)sldns_buffer_begin(buf),
(unsigned long)sldns_buffer_limit(buf),
(unsigned char*)c->hash);
# else
(void)HASH_HashBuf(HASH_AlgSHA1,
(unsigned char*)c->hash,
(unsigned char*)sldns_buffer_begin(buf),
(unsigned long)sldns_buffer_limit(buf));
# endif
for(i=0; i<iter; i++) {
sldns_buffer_clear(buf);
sldns_buffer_write(buf, c->hash, c->hash_len);
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
# ifdef HAVE_SSL
(void)SHA1(
(unsigned char*)sldns_buffer_begin(buf),
(unsigned long)sldns_buffer_limit(buf),
(unsigned char*)c->hash);
# else
(void)HASH_HashBuf(HASH_AlgSHA1,
(unsigned char*)c->hash,
(unsigned char*)sldns_buffer_begin(buf),
(unsigned long)sldns_buffer_limit(buf));
# endif
}
break;
#endif /* HAVE_EVP_SHA1 or NSS */
default:
log_err("nsec3 hash of unknown algo %d", algo);
return -1;
c->hash_len = nsec3_hash_algo_size_supported(algo);
if(c->hash_len == 0) {
log_err("nsec3 hash of unknown algo %d", algo);
return -1;
}
c->hash = (uint8_t*)regional_alloc(region, c->hash_len);
if(!c->hash)
return 0;
(void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)c->hash);
for(i=0; i<iter; i++) {
sldns_buffer_clear(buf);
sldns_buffer_write(buf, c->hash, c->hash_len);
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
(void)secalgo_nsec3_hash(algo,
(unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)c->hash);
}
return 1;
}

View File

@ -1,5 +1,5 @@
/*
* validator/val_nsec3.h - validator NSEC3 denial of existance functions.
* validator/val_nsec3.h - validator NSEC3 denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with NSEC3 checking, the different NSEC3 proofs
* for denial of existance, and proofs for presence of types.
* for denial of existence, and proofs for presence of types.
*
* NSEC3
* 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
@ -256,7 +256,7 @@ int nsec3_hash_cmp(const void* c1, const void* c2);
* Used internally by the nsec3 proof functions in this file.
* published to enable unit testing of hash algorithms and cache.
*
* @param table: the cache table. Must be inited at start.
* @param table: the cache table. Must be initialised at start.
* @param region: scratch region to use for allocation.
* This region holds the tree, if you wipe the region, reinit the tree.
* @param buf: temporary buffer.

View File

@ -44,12 +44,13 @@
/* packed_rrset on top to define enum types (forced by c99 standard) */
#include "util/data/packed_rrset.h"
#include "validator/val_secalgo.h"
#include "validator/val_nsec3.h"
#include "util/log.h"
#include "sldns/rrdef.h"
#include "sldns/keyraw.h"
#include "sldns/sbuffer.h"
#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
#error "Need crypto library to do digital signature cryptography"
#endif
@ -71,10 +72,36 @@
#include <openssl/engine.h>
#endif
/* return size of digest if supported, or 0 otherwise */
size_t
nsec3_hash_algo_size_supported(int id)
{
switch(id) {
case NSEC3_HASH_SHA1:
return SHA_DIGEST_LENGTH;
default:
return 0;
}
}
/* perform nsec3 hash. return false on failure */
int
secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
unsigned char* res)
{
switch(algo) {
case NSEC3_HASH_SHA1:
(void)SHA1(buf, len, res);
return 1;
default:
return 0;
}
}
/**
* Return size of DS digest according to its hash algorithm.
* @param algo: DS digest algo.
* @return size in bytes of digest, or 0 if not supported.
* @return size in bytes of digest, or 0 if not supported.
*/
size_t
ds_digest_size_supported(int algo)
@ -565,6 +592,32 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
/* nspr4 */
#include "prerror.h"
/* return size of digest if supported, or 0 otherwise */
size_t
nsec3_hash_algo_size_supported(int id)
{
switch(id) {
case NSEC3_HASH_SHA1:
return SHA1_LENGTH;
default:
return 0;
}
}
/* perform nsec3 hash. return false on failure */
int
secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
unsigned char* res)
{
switch(algo) {
case NSEC3_HASH_SHA1:
(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
return 1;
default:
return 0;
}
}
size_t
ds_digest_size_supported(int algo)
{
@ -1069,5 +1122,466 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
return sec_status_bogus;
}
#elif defined(HAVE_NETTLE)
#endif /* HAVE_SSL or HAVE_NSS */
#include "sha.h"
#include "bignum.h"
#include "macros.h"
#include "rsa.h"
#include "dsa.h"
#include "asn1.h"
#ifdef USE_ECDSA
#include "ecdsa.h"
#include "ecc-curve.h"
#endif
static int
_digest_nettle(int algo, uint8_t* buf, size_t len,
unsigned char* res)
{
switch(algo) {
case SHA1_DIGEST_SIZE:
{
struct sha1_ctx ctx;
sha1_init(&ctx);
sha1_update(&ctx, len, buf);
sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
return 1;
}
case SHA256_DIGEST_SIZE:
{
struct sha256_ctx ctx;
sha256_init(&ctx);
sha256_update(&ctx, len, buf);
sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
return 1;
}
case SHA384_DIGEST_SIZE:
{
struct sha384_ctx ctx;
sha384_init(&ctx);
sha384_update(&ctx, len, buf);
sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
return 1;
}
case SHA512_DIGEST_SIZE:
{
struct sha512_ctx ctx;
sha512_init(&ctx);
sha512_update(&ctx, len, buf);
sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
return 1;
}
default:
break;
}
return 0;
}
/* return size of digest if supported, or 0 otherwise */
size_t
nsec3_hash_algo_size_supported(int id)
{
switch(id) {
case NSEC3_HASH_SHA1:
return SHA1_DIGEST_SIZE;
default:
return 0;
}
}
/* perform nsec3 hash. return false on failure */
int
secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
unsigned char* res)
{
switch(algo) {
case NSEC3_HASH_SHA1:
return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
res);
default:
return 0;
}
}
/**
* Return size of DS digest according to its hash algorithm.
* @param algo: DS digest algo.
* @return size in bytes of digest, or 0 if not supported.
*/
size_t
ds_digest_size_supported(int algo)
{
switch(algo) {
case LDNS_SHA1:
return SHA1_DIGEST_SIZE;
#ifdef USE_SHA2
case LDNS_SHA256:
return SHA256_DIGEST_SIZE;
#endif
#ifdef USE_ECDSA
case LDNS_SHA384:
return SHA384_DIGEST_SIZE;
#endif
/* GOST not supported */
case LDNS_HASH_GOST:
default:
break;
}
return 0;
}
int
secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
unsigned char* res)
{
switch(algo) {
case LDNS_SHA1:
return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
#if defined(USE_SHA2)
case LDNS_SHA256:
return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
#endif
#ifdef USE_ECDSA
case LDNS_SHA384:
return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
#endif
case LDNS_HASH_GOST:
default:
verbose(VERB_QUERY, "unknown DS digest algorithm %d",
algo);
break;
}
return 0;
}
int
dnskey_algo_id_is_supported(int id)
{
/* uses libnettle */
switch(id) {
case LDNS_DSA:
case LDNS_DSA_NSEC3:
case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3:
#ifdef USE_SHA2
case LDNS_RSASHA256:
case LDNS_RSASHA512:
#endif
#ifdef USE_ECDSA
case LDNS_ECDSAP256SHA256:
case LDNS_ECDSAP384SHA384:
#endif
return 1;
case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
case LDNS_ECC_GOST:
default:
return 0;
}
}
static char *
_verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
{
uint8_t digest[SHA1_DIGEST_SIZE];
uint8_t key_t;
int res = 0;
size_t offset;
struct dsa_public_key pubkey;
struct dsa_signature signature;
unsigned int expected_len;
/* Extract DSA signature from the record */
nettle_dsa_signature_init(&signature);
/* Signature length: 41 bytes - RFC 2536 sec. 3 */
if(sigblock_len == 41) {
if(key[0] != sigblock[0])
return "invalid T value in DSA signature or pubkey";
nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
} else {
/* DER encoded, decode the ASN1 notated R and S bignums */
/* SEQUENCE { r INTEGER, s INTEGER } */
struct asn1_der_iterator i, seq;
if(asn1_der_iterator_first(&i, sigblock_len,
(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
|| i.type != ASN1_SEQUENCE)
return "malformed DER encoded DSA signature";
/* decode this element of i using the seq iterator */
if(asn1_der_decode_constructed(&i, &seq) !=
ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
return "malformed DER encoded DSA signature";
if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
return "malformed DER encoded DSA signature";
if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
|| seq.type != ASN1_INTEGER)
return "malformed DER encoded DSA signature";
if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
return "malformed DER encoded DSA signature";
if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
return "malformed DER encoded DSA signature";
}
/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
key_t = key[0];
if (key_t > 8) {
return "invalid T value in DSA pubkey";
}
/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
if (keylen < 21) {
return "DSA pubkey too short";
}
expected_len = 1 + /* T */
20 + /* Q */
(64 + key_t*8) + /* P */
(64 + key_t*8) + /* G */
(64 + key_t*8); /* Y */
if (keylen != expected_len ) {
return "invalid DSA pubkey length";
}
/* Extract DSA pubkey from the record */
nettle_dsa_public_key_init(&pubkey);
offset = 1;
nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
offset += 20;
nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
offset += (64 + key_t*8);
nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
offset += (64 + key_t*8);
nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
/* Clear and return */
nettle_dsa_signature_clear(&signature);
nettle_dsa_public_key_clear(&pubkey);
if (!res)
return "DSA signature verification failed";
else
return NULL;
}
static char *
_verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
{
uint16_t exp_len = 0;
size_t exp_offset = 0, mod_offset = 0;
struct rsa_public_key pubkey;
mpz_t signature;
int res = 0;
/* RSA pubkey parsing as per RFC 3110 sec. 2 */
if( keylen <= 1) {
return "null RSA key";
}
if (key[0] != 0) {
/* 1-byte length */
exp_len = key[0];
exp_offset = 1;
} else {
/* 1-byte NUL + 2-bytes exponent length */
if (keylen < 3) {
return "incorrect RSA key length";
}
exp_len = READ_UINT16(key+1);
if (exp_len == 0)
return "null RSA exponent length";
exp_offset = 3;
}
/* Check that we are not over-running input length */
if (keylen < exp_offset + exp_len + 1) {
return "RSA key content shorter than expected";
}
mod_offset = exp_offset + exp_len;
nettle_rsa_public_key_init(&pubkey);
pubkey.size = keylen - mod_offset;
nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
switch (digest_size) {
case SHA1_DIGEST_SIZE:
{
uint8_t digest[SHA1_DIGEST_SIZE];
res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
break;
}
case SHA256_DIGEST_SIZE:
{
uint8_t digest[SHA256_DIGEST_SIZE];
res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
break;
}
case SHA512_DIGEST_SIZE:
{
uint8_t digest[SHA512_DIGEST_SIZE];
res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
break;
}
default:
break;
}
/* Clear and return */
nettle_rsa_public_key_clear(&pubkey);
mpz_clear(signature);
if (!res) {
return "RSA signature verification failed";
} else {
return NULL;
}
}
#ifdef USE_ECDSA
static char *
_verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
{
int res = 0;
struct ecc_point pubkey;
struct dsa_signature signature;
/* Always matched strength, as per RFC 6605 sec. 1 */
if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
return "wrong ECDSA signature length";
}
/* Parse ECDSA signature as per RFC 6605 sec. 4 */
nettle_dsa_signature_init(&signature);
switch (digest_size) {
case SHA256_DIGEST_SIZE:
{
uint8_t digest[SHA256_DIGEST_SIZE];
mpz_t x, y;
nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
res &= nettle_ecc_point_set(&pubkey, x, y);
res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
mpz_clear(x);
mpz_clear(y);
break;
}
case SHA384_DIGEST_SIZE:
{
uint8_t digest[SHA384_DIGEST_SIZE];
mpz_t x, y;
nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
res &= nettle_ecc_point_set(&pubkey, x, y);
res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
mpz_clear(x);
mpz_clear(y);
nettle_ecc_point_clear(&pubkey);
break;
}
default:
return "unknown ECDSA algorithm";
}
/* Clear and return */
nettle_dsa_signature_clear(&signature);
if (!res)
return "ECDSA signature verification failed";
else
return NULL;
}
#endif
/**
* Check a canonical sig+rrset and signature against a dnskey
* @param buf: buffer with data to verify, the first rrsig part and the
* canonicalized rrset.
* @param algo: DNSKEY algorithm.
* @param sigblock: signature rdata field from RRSIG
* @param sigblock_len: length of sigblock data.
* @param key: public key data from DNSKEY RR.
* @param keylen: length of keydata.
* @param reason: bogus reason in more detail.
* @return secure if verification succeeded, bogus on crypto failure,
* unchecked on format errors and alloc failures.
*/
enum sec_status
verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
char** reason)
{
unsigned int digest_size = 0;
if (sigblock_len == 0 || keylen == 0) {
*reason = "null signature";
return sec_status_bogus;
}
switch(algo) {
case LDNS_DSA:
case LDNS_DSA_NSEC3:
*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
if (*reason != NULL)
return sec_status_bogus;
else
return sec_status_secure;
case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3:
digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
#ifdef USE_SHA2
case LDNS_RSASHA256:
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
case LDNS_RSASHA512:
digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
#endif
*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
sigblock_len, key, keylen);
if (*reason != NULL)
return sec_status_bogus;
else
return sec_status_secure;
#ifdef USE_ECDSA
case LDNS_ECDSAP256SHA256:
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
case LDNS_ECDSAP384SHA384:
digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
sigblock_len, key, keylen);
if (*reason != NULL)
return sec_status_bogus;
else
return sec_status_secure;
#endif
case LDNS_RSAMD5:
case LDNS_ECC_GOST:
default:
*reason = "unable to verify signature, unknown algorithm";
return sec_status_bogus;
}
}
#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */

View File

@ -44,6 +44,21 @@
#define VALIDATOR_VAL_SECALGO_H
struct sldns_buffer;
/** Return size of nsec3 hash algorithm, 0 if not supported */
size_t nsec3_hash_algo_size_supported(int id);
/**
* Hash a single hash call of an NSEC3 hash algorithm.
* Iterations and salt are done by the caller.
* @param algo: nsec3 hash algorithm.
* @param buf: the buffer to digest
* @param len: length of buffer to digest.
* @param res: result stored here (must have sufficient space).
* @return false on failure.
*/
int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
unsigned char* res);
/**
* Return size of DS digest according to its hash algorithm.
* @param algo: DS digest algo.

View File

@ -57,7 +57,7 @@
#include "sldns/wire2str.h"
#include <ctype.h>
#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
#error "Need crypto library to do digital signature cryptography"
#endif
@ -795,10 +795,6 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j)
if(i==j)
return 0;
/* in case rdata-len is to be compared for canonical order
c = memcmp(d->rr_data[i], d->rr_data[j], 2);
if(c != 0)
return c; */
switch(type) {
/* These RR types have only a name as RDATA.

View File

@ -391,7 +391,7 @@ int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset);
* Find DS denial message in cache. Saves new qstate allocation and allows
* the validator to use partial content which is not enough to construct a
* message for network (or user) consumption. Without SOA for example,
* which is a common occurence in the unbound code since the referrals contain
* which is a common occurrence in the unbound code since the referrals contain
* NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a
* full negative reply, but do allow synthesis of sufficient proof.
* @param env: query env with caches and time.

View File

@ -749,7 +749,7 @@ validate_nodata_response(struct module_env* env, struct val_env* ve,
/* Since we are here, there must be nothing in the ANSWER section to
* validate. */
/* (Note: CNAME/DNAME responses will not directly get here --
* instead, they are chased down into indiviual CNAME validations,
* instead, they are chased down into individual CNAME validations,
* and at the end of the cname chain a POSITIVE, or CNAME_NOANSWER
* validation.) */
@ -1597,7 +1597,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
target_key_name) != 0) {
/* check if there is a cache entry : pick up an NSEC if
* there is no DS, check if that NSEC has DS-bit unset, and
* thus can disprove the secure delagation we seek.
* thus can disprove the secure delegation we seek.
* We can then use that NSEC even in the absence of a SOA
* record that would be required by the iterator to supply
* a completely protocol-correct response.
@ -1829,7 +1829,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
* @return true if there is no DLV.
* false: processing is finished for the validator operate().
* This function may exit in three ways:
* o no DLV (agressive cache), so insecure. (true)
* o no DLV (aggressive cache), so insecure. (true)
* o error - stop processing (false)
* o DLV lookup was started, stop processing (false)
*/

View File

@ -1,6 +1,8 @@
# The NSIS (http://nsis.sourceforge.net) install script.
# This script is BSD licensed.
SetCompressor /solid /final lzma
# use the default compression to help anti-virus in scanning us
#SetCompressor /solid /final lzma
!include LogicLib.nsh
!include MUI2.nsh
@ -92,6 +94,7 @@ section "-hidden.postinstall"
File "unbound-website.url"
File "service.conf"
File "..\doc\example.conf"
File "..\doc\Changelog"
# Store Root Key choice
SectionGetFlags ${SectionRootKey} $R0
@ -178,6 +181,7 @@ section "un.Unbound"
Delete "$INSTDIR\unbound-website.url"
Delete "$INSTDIR\service.conf"
Delete "$INSTDIR\example.conf"
Delete "$INSTDIR\Changelog"
Delete "$INSTDIR\root.key"
RMDir "$INSTDIR"

View File

@ -1,164 +1,164 @@
@Echo off
rem
rem unbound-control-setup.cmd - set up SSL certificates for unbound-control
rem
rem Copyright (c) 2008, NLnet Labs. All rights reserved.
rem Modified for Windows by Y.Voinov (c) 2014
rem
rem This software is open source.
rem
rem Redistribution and use in source and binary forms, with or without
rem modification, are permitted provided that the following conditions
rem are met:
rem
rem Redistributions of source code must retain the above copyright notice,
rem this list of conditions and the following disclaimer.
rem
rem Redistributions in binary form must reproduce the above copyright notice,
rem this list of conditions and the following disclaimer in the documentation
rem and/or other materials provided with the distribution.
rem
rem Neither the name of the NLNET LABS nor the names of its contributors may
rem be used to endorse or promote products derived from this software without
rem specific prior written permission.
rem
rem THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
rem "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
rem LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
rem A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
rem HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
rem SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
rem TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
rem PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
rem LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
rem NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
rem SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
rem settings:
rem directory for files
set prefix="C:\Program Files (x86)"
set DESTDIR=%prefix%\Unbound
rem issuer and subject name for certificates
set SERVERNAME=unbound
set CLIENTNAME=unbound-control
rem validity period for certificates
set DAYS=7200
rem size of keys in bits
set BITS=1536
rem hash algorithm
set HASH=sha256
rem base name for unbound server keys
set SVR_BASE=unbound_server
rem base name for unbound-control keys
set CTL_BASE=unbound_control
rem end of options
rem Check OpenSSL installed
for /f "delims=" %%a in ('where openssl') do @set SSL_PROGRAM=%%a
if /I "%SSL_PROGRAM%"=="" echo SSL not found. If installed, add path to PATH environment variable. & exit 1
echo SSL found: %SSL_PROGRAM%
set arg=%1
if /I "%arg%" == "-h" goto help
if /I "%arg%"=="-d" set DESTDIR=%2
rem go!:
echo setup in directory %DESTDIR%
cd %$DESTDIR%
rem create certificate keys; do not recreate if they already exist.
if exist $SVR_BASE.key (
echo %SVR_BASE%.key exists
goto next
)
echo generating %SVR_BASE%.key
"%SSL_PROGRAM%" genrsa -out %SVR_BASE%.key %BITS% || echo could not genrsa && exit 1
:next
if exist %CTL_BASE%.key (
echo %CTL_BASE%.key exists
goto next2
)
echo generating %CTL_BASE%.key
"%SSL_PROGRAM%" genrsa -out %CTL_BASE%.key %BITS% || echo could not genrsa && exit 1
:next2
rem create self-signed cert for server
if exist request.cfg (del /F /Q /S request.cfg)
echo [req]>>request.cfg
echo default_bits=%BITS%>>request.cfg
echo default_md=%HASH%>>request.cfg
echo prompt=no>>request.cfg
echo distinguished_name=req_distinguished_name>>request.cfg
echo.>>request.cfg
echo [req_distinguished_name]>>request.cfg
echo commonName=%SERVERNAME%>>request.cfg
if not exist request.cfg (
echo could not create request.cfg
exit 1
)
echo create %SVR_BASE%.pem (self signed certificate)
"%SSL_PROGRAM%" req -key %SVR_BASE%.key -config request.cfg -new -x509 -days %DAYS% -out %SVR_BASE%.pem || echo could not create %SVR_BASE%.pem && exit 1
rem create trusted usage pem
"%SSL_PROGRAM%" x509 -in %SVR_BASE%.pem -addtrust serverAuth -out %SVR_BASE%_trust.pem
rem create client request and sign it
if exist request.cfg (del /F /Q /S request.cfg)
echo [req]>>request.cfg
echo default_bits=%BITS%>>request.cfg
echo default_md=%HASH%>>request.cfg
echo prompt=no>>request.cfg
echo distinguished_name=req_distinguished_name>>request.cfg
echo.>>request.cfg
echo [req_distinguished_name]>>request.cfg
echo commonName=%CLIENTNAME%>>request.cfg
if not exist request.cfg (
echo could not create request.cfg
exit 1
)
echo create %CTL_BASE%.pem (signed client certificate)
"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -out %CTL_BASE%.pem
if not exist %CTL_BASE%.pem (
echo could not create %CTL_BASE%.pem
exit 1
)
rem create trusted usage pem
rem "%SSL_PROGRAM%" x509 -in %CTL_BASE%.pem -addtrust clientAuth -out %CTL_BASE%_trust.pem
rem see details with "%SSL_PROGRAM%" x509 -noout -text < %SVR_BASE%.pem
rem echo "create %CTL_BASE%_browser.pfx (web client certificate)"
rem echo "create webbrowser PKCSrem12 .PFX certificate file. In Firefox import in:"
rem echo "preferences - advanced - encryption - view certificates - your certs"
rem echo "empty password is used, simply click OK on the password dialog box."
rem "%SSL_PROGRAM%" pkcs12 -export -in %CTL_BASE%_trust.pem -inkey %CTL_BASE%.key -name "unbound remote control client cert" -out %CTL_BASE%_browser.pfx -password "pass:" || echo could not create browser certificate && exit 1
rem remove crap
del /F /Q /S request.cfg
del /F /Q /S %CTL_BASE%_trust.pem
del /F /Q /S %SVR_BASE%_trust.pem
del /F /Q /S %SVR_BASE%_trust.srl
echo Setup success. Certificates created. Enable in unbound.conf file to use
exit 0
:help
echo unbound-control-setup.cmd - setup SSL keys for unbound-control
echo -d dir use directory to store keys and certificates.
echo default: %DESTDIR%
echo please run this command using the same user id that the
echo unbound daemon uses, it needs read privileges.
exit 1
@Echo off
rem
rem unbound-control-setup.cmd - set up SSL certificates for unbound-control
rem
rem Copyright (c) 2008, NLnet Labs. All rights reserved.
rem Modified for Windows by Y.Voinov (c) 2014
rem
rem This software is open source.
rem
rem Redistribution and use in source and binary forms, with or without
rem modification, are permitted provided that the following conditions
rem are met:
rem
rem Redistributions of source code must retain the above copyright notice,
rem this list of conditions and the following disclaimer.
rem
rem Redistributions in binary form must reproduce the above copyright notice,
rem this list of conditions and the following disclaimer in the documentation
rem and/or other materials provided with the distribution.
rem
rem Neither the name of the NLNET LABS nor the names of its contributors may
rem be used to endorse or promote products derived from this software without
rem specific prior written permission.
rem
rem THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
rem "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
rem LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
rem A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
rem HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
rem SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
rem TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
rem PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
rem LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
rem NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
rem SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
rem settings:
rem directory for files
set prefix="C:\Program Files (x86)"
set DESTDIR=%prefix%\Unbound
rem issuer and subject name for certificates
set SERVERNAME=unbound
set CLIENTNAME=unbound-control
rem validity period for certificates
set DAYS=7200
rem size of keys in bits
set BITS=1536
rem hash algorithm
set HASH=sha256
rem base name for unbound server keys
set SVR_BASE=unbound_server
rem base name for unbound-control keys
set CTL_BASE=unbound_control
rem end of options
rem Check OpenSSL installed
for /f "delims=" %%a in ('where openssl') do @set SSL_PROGRAM=%%a
if /I "%SSL_PROGRAM%"=="" echo SSL not found. If installed, add path to PATH environment variable. & exit 1
echo SSL found: %SSL_PROGRAM%
set arg=%1
if /I "%arg%" == "-h" goto help
if /I "%arg%"=="-d" set DESTDIR=%2
rem go!:
echo setup in directory %DESTDIR%
cd %DESTDIR%
rem create certificate keys; do not recreate if they already exist.
if exist %SVR_BASE%.key (
echo %SVR_BASE%.key exists
goto next
)
echo generating %SVR_BASE%.key
"%SSL_PROGRAM%" genrsa -out %SVR_BASE%.key %BITS% || echo could not genrsa && exit 1
:next
if exist %CTL_BASE%.key (
echo %CTL_BASE%.key exists
goto next2
)
echo generating %CTL_BASE%.key
"%SSL_PROGRAM%" genrsa -out %CTL_BASE%.key %BITS% || echo could not genrsa && exit 1
:next2
rem create self-signed cert for server
if exist request.cfg (del /F /Q /S request.cfg)
echo [req]>>request.cfg
echo default_bits=%BITS%>>request.cfg
echo default_md=%HASH%>>request.cfg
echo prompt=no>>request.cfg
echo distinguished_name=req_distinguished_name>>request.cfg
echo.>>request.cfg
echo [req_distinguished_name]>>request.cfg
echo commonName=%SERVERNAME%>>request.cfg
if not exist request.cfg (
echo could not create request.cfg
exit 1
)
echo create %SVR_BASE%.pem (self signed certificate)
"%SSL_PROGRAM%" req -key %SVR_BASE%.key -config request.cfg -new -x509 -days %DAYS% -out %SVR_BASE%.pem || echo could not create %SVR_BASE%.pem && exit 1
rem create trusted usage pem
"%SSL_PROGRAM%" x509 -in %SVR_BASE%.pem -addtrust serverAuth -out %SVR_BASE%_trust.pem
rem create client request and sign it
if exist request.cfg (del /F /Q /S request.cfg)
echo [req]>>request.cfg
echo default_bits=%BITS%>>request.cfg
echo default_md=%HASH%>>request.cfg
echo prompt=no>>request.cfg
echo distinguished_name=req_distinguished_name>>request.cfg
echo.>>request.cfg
echo [req_distinguished_name]>>request.cfg
echo commonName=%CLIENTNAME%>>request.cfg
if not exist request.cfg (
echo could not create request.cfg
exit 1
)
echo create %CTL_BASE%.pem (signed client certificate)
"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -out %CTL_BASE%.pem
if not exist %CTL_BASE%.pem (
echo could not create %CTL_BASE%.pem
exit 1
)
rem create trusted usage pem
rem "%SSL_PROGRAM%" x509 -in %CTL_BASE%.pem -addtrust clientAuth -out %CTL_BASE%_trust.pem
rem see details with "%SSL_PROGRAM%" x509 -noout -text < %SVR_BASE%.pem
rem echo "create %CTL_BASE%_browser.pfx (web client certificate)"
rem echo "create webbrowser PKCSrem12 .PFX certificate file. In Firefox import in:"
rem echo "preferences - advanced - encryption - view certificates - your certs"
rem echo "empty password is used, simply click OK on the password dialog box."
rem "%SSL_PROGRAM%" pkcs12 -export -in %CTL_BASE%_trust.pem -inkey %CTL_BASE%.key -name "unbound remote control client cert" -out %CTL_BASE%_browser.pfx -password "pass:" || echo could not create browser certificate && exit 1
rem remove crap
del /F /Q /S request.cfg
del /F /Q /S %CTL_BASE%_trust.pem
del /F /Q /S %SVR_BASE%_trust.pem
del /F /Q /S %SVR_BASE%_trust.srl
echo Setup success. Certificates created. Enable in unbound.conf file to use
exit 0
:help
echo unbound-control-setup.cmd - setup SSL keys for unbound-control
echo -d dir use directory to store keys and certificates.
echo default: %DESTDIR%
echo please run this command using the same user id that the
echo unbound daemon uses, it needs read privileges.
exit 1

View File

@ -13,4 +13,23 @@
</ms_asmv2:requestedPrivileges>
</ms_asmv2:security>
</ms_asmv2:trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!--This Id value indicates the application supports Windows Vista/Server
2008 functionality -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--This Id value indicates the application supports Windows 7/Server 2008
R2 functionality-->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--This Id value indicates the application supports Windows 8/Server 2012
functionality-->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- This Id value indicates the application supports Windows Blue/Server
2012 R2 functionality-->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- This Id value indicates the application supports Windows Threshold
functionality ; Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
</application>
</compatibility>
</assembly>

Some files were not shown because too many files have changed in this diff Show More