diff options
| author | Stuart Henderson <sthen@cvs.openbsd.org> | 2021-08-13 19:58:48 +0000 |
|---|---|---|
| committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2021-08-13 19:58:48 +0000 |
| commit | 5f679f64659e68d9abb873cab3d7bad739238e3a (patch) | |
| tree | a90f94f2c5e74006db70f4dd38a9f0e10f8d56ae /usr.sbin/unbound/util | |
| parent | b186aed10fe44790988cd0b583f77841c91ad6ff (diff) | |
merge unbound-1.13.2 / regen configure, ok florian
Diffstat (limited to 'usr.sbin/unbound/util')
| -rw-r--r-- | usr.sbin/unbound/util/config_file.c | 84 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/config_file.h | 39 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/configlexer.lex | 9 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/configparser.y | 138 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/data/dname.h | 4 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/data/msgreply.c | 22 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/fptr_wlist.c | 5 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/iana_ports.inc | 5 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/net_help.c | 3 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/net_help.h | 6 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/netevent.c | 126 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/netevent.h | 12 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/shm_side/shm_main.c | 6 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/storage/lookup3.c | 102 | ||||
| -rw-r--r-- | usr.sbin/unbound/util/ub_event_pluggable.c | 3 |
15 files changed, 454 insertions, 110 deletions
diff --git a/usr.sbin/unbound/util/config_file.c b/usr.sbin/unbound/util/config_file.c index 2fb8d0d2acc..4725e7db68d 100644 --- a/usr.sbin/unbound/util/config_file.c +++ b/usr.sbin/unbound/util/config_file.c @@ -105,11 +105,14 @@ config_create(void) cfg->do_ip6 = 1; cfg->do_udp = 1; cfg->do_tcp = 1; + cfg->tcp_reuse_timeout = 60 * 1000; /* 60s in milisecs */ + cfg->max_reuse_tcp_queries = 200; cfg->tcp_upstream = 0; cfg->udp_upstream_without_downstream = 0; cfg->tcp_mss = 0; cfg->outgoing_tcp_mss = 0; cfg->tcp_idle_timeout = 30 * 1000; /* 30s in millisecs */ + cfg->tcp_auth_query_timeout = 3 * 1000; /* 3s in millisecs */ cfg->do_tcp_keepalive = 0; cfg->tcp_keepalive_timeout = 120 * 1000; /* 120s in millisecs */ cfg->ssl_service_key = NULL; @@ -235,8 +238,10 @@ config_create(void) cfg->hide_identity = 0; cfg->hide_version = 0; cfg->hide_trustanchor = 0; + cfg->hide_http_user_agent = 0; cfg->identity = NULL; cfg->version = NULL; + cfg->http_user_agent = NULL; cfg->nsid_cfg_str = NULL; cfg->nsid = NULL; cfg->nsid_len = 0; @@ -250,6 +255,7 @@ config_create(void) cfg->val_date_override = 0; cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */ cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */ + cfg->val_max_restart = 5; cfg->val_clean_additional = 1; cfg->val_log_level = 0; cfg->val_log_squelch = 0; @@ -262,6 +268,7 @@ config_create(void) cfg->serve_expired_reply_ttl = 30; cfg->serve_expired_client_timeout = 0; cfg->serve_original_ttl = 0; + cfg->zonemd_permissive_mode = 0; cfg->add_holddown = 30*24*3600; cfg->del_holddown = 30*24*3600; cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */ @@ -305,7 +312,7 @@ config_create(void) if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit; #endif if(!(cfg->val_nsec3_key_iterations = - strdup("1024 150 2048 500 4096 2500"))) goto error_exit; + strdup("1024 150 2048 150 4096 150"))) goto error_exit; #if defined(DNSTAP_SOCKET_PATH) if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) goto error_exit; @@ -516,7 +523,10 @@ int config_set_option(struct config_file* cfg, const char* opt, udp_upstream_without_downstream) else S_NUMBER_NONZERO("tcp-mss:", tcp_mss) else S_NUMBER_NONZERO("outgoing-tcp-mss:", outgoing_tcp_mss) + else S_NUMBER_NONZERO("tcp-auth-query-timeout:", tcp_auth_query_timeout) else S_NUMBER_NONZERO("tcp-idle-timeout:", tcp_idle_timeout) + else S_NUMBER_NONZERO("max-reuse-tcp-queries:", max_reuse_tcp_queries) + else S_NUMBER_NONZERO("tcp-reuse-timeout:", tcp_reuse_timeout) else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive) else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout) else S_YNO("ssl-upstream:", ssl_upstream) @@ -587,8 +597,10 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("hide-identity:", hide_identity) else S_YNO("hide-version:", hide_version) else S_YNO("hide-trustanchor:", hide_trustanchor) + else S_YNO("hide-http-user-agent:", hide_http_user_agent) else S_STR("identity:", identity) else S_STR("version:", version) + else S_STR("http-user-agent:", http_user_agent) else if(strcmp(opt, "nsid:") == 0) { free(cfg->nsid_cfg_str); if (!(cfg->nsid_cfg_str = strdup(val))) @@ -649,6 +661,7 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout) else S_YNO("serve-original-ttl:", serve_original_ttl) else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations) + else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode) else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown) else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown) else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing) @@ -756,12 +769,14 @@ int config_set_option(struct config_file* cfg, const char* opt, #endif else if(strcmp(opt, "define-tag:") ==0) { return config_add_tag(cfg, val); - /* val_sig_skew_min and max are copied into val_env during init, - * so this does not update val_env with set_option */ + /* val_sig_skew_min, max and val_max_restart are copied into val_env + * during init so this does not update val_env with set_option */ } else if(strcmp(opt, "val-sig-skew-min:") == 0) { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_min = (int32_t)atoi(val); } else if(strcmp(opt, "val-sig-skew-max:") == 0) { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); } + else if(strcmp(opt, "val-max-restart:") == 0) + { IS_NUMBER_OR_ZERO; cfg->val_max_restart = (int32_t)atoi(val); } else if (strcmp(opt, "outgoing-interface:") == 0) { char* d = strdup(val); char** oi = @@ -1005,7 +1020,10 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "udp-upstream-without-downstream", udp_upstream_without_downstream) else O_DEC(opt, "tcp-mss", tcp_mss) else O_DEC(opt, "outgoing-tcp-mss", outgoing_tcp_mss) + else O_DEC(opt, "tcp-auth-query-timeout", tcp_auth_query_timeout) else O_DEC(opt, "tcp-idle-timeout", tcp_idle_timeout) + else O_DEC(opt, "max-reuse-tcp-queries", max_reuse_tcp_queries) + else O_DEC(opt, "tcp-reuse-timeout", tcp_reuse_timeout) else O_YNO(opt, "edns-tcp-keepalive", do_tcp_keepalive) else O_DEC(opt, "edns-tcp-keepalive-timeout", tcp_keepalive_timeout) else O_YNO(opt, "ssl-upstream", ssl_upstream) @@ -1041,8 +1059,10 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "hide-identity", hide_identity) else O_YNO(opt, "hide-version", hide_version) else O_YNO(opt, "hide-trustanchor", hide_trustanchor) + else O_YNO(opt, "hide-http-user-agent", hide_http_user_agent) else O_STR(opt, "identity", identity) else O_STR(opt, "version", version) + else O_STR(opt, "http-user-agent", http_user_agent) else O_STR(opt, "nsid", nsid_cfg_str) else O_STR(opt, "target-fetch-policy", target_fetch_policy) else O_YNO(opt, "harden-short-bufsize", harden_short_bufsize) @@ -1070,6 +1090,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout) else O_YNO(opt, "serve-original-ttl", serve_original_ttl) else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations) + else O_YNO(opt, "zonemd-permissive-mode", zonemd_permissive_mode) else O_UNS(opt, "add-holddown", add_holddown) else O_UNS(opt, "del-holddown", del_holddown) else O_UNS(opt, "keep-missing", keep_missing) @@ -1178,6 +1199,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_DEC(opt, "fast-server-permil", fast_server_permil) else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min) else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max) + else O_DEC(opt, "val-max-restart", val_max_restart) else O_YNO(opt, "qname-minimisation", qname_minimisation) else O_YNO(opt, "qname-minimisation-strict", qname_minimisation_strict) else O_IFC(opt, "define-tag", num_tags, tagname) @@ -1516,6 +1538,7 @@ config_delete(struct config_file* cfg) #endif free(cfg->identity); free(cfg->version); + free(cfg->http_user_agent); free(cfg->nsid_cfg_str); free(cfg->nsid); free(cfg->module_conf); @@ -1681,6 +1704,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail) return num; } +void cfg_apply_local_port_policy(struct config_file* cfg, int num) { +(void)cfg; +(void)num; +#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE + { + int i = 0; + FILE* range_fd; + if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) { + int min_port = 0; + int max_port = num - 1; + if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) { + for(i=0; i<min_port; i++) { + cfg->outgoing_avail_ports[i] = 0; + } + for(i=max_port+1; i<num; i++) { + cfg->outgoing_avail_ports[i] = 0; + } + } else { + log_err("unexpected port range in %s", + LINUX_IP_LOCAL_PORT_RANGE_PATH); + } + fclose(range_fd); + } else { + log_err("failed to read from file: %s (%s)", + LINUX_IP_LOCAL_PORT_RANGE_PATH, + strerror(errno)); + } + } +#endif +} + /** print error with file and line number */ static void ub_c_error_va_list(const char *fmt, va_list args) { @@ -2605,3 +2659,27 @@ int options_remote_is_address(struct config_file* cfg) return (cfg->control_ifs.first->str[0] != '/'); } +/** see if interface is https, its port number == the https port number */ +int +if_is_https(const char* ifname, const char* port, int https_port) +{ + char* p = strchr(ifname, '@'); + if(!p && atoi(port) == https_port) + return 1; + if(p && atoi(p+1) == https_port) + return 1; + return 0; +} + +/** see if config contains https turned on */ +int cfg_has_https(struct config_file* cfg) +{ + int i; + char portbuf[32]; + snprintf(portbuf, sizeof(portbuf), "%d", cfg->port); + for(i = 0; i<cfg->num_ifs; i++) { + if(if_is_https(cfg->ifs[i], portbuf, cfg->https_port)) + return 1; + } + return 0; +} diff --git a/usr.sbin/unbound/util/config_file.h b/usr.sbin/unbound/util/config_file.h index 7cf27cc2c3e..aed6812dafe 100644 --- a/usr.sbin/unbound/util/config_file.h +++ b/usr.sbin/unbound/util/config_file.h @@ -93,6 +93,12 @@ struct config_file { int do_udp; /** do tcp query support. */ int do_tcp; + /** max number of queries on a reuse connection. */ + size_t max_reuse_tcp_queries; + /** timeout for REUSE entries in milliseconds. */ + int tcp_reuse_timeout; + /** timeout in milliseconds for TCP queries to auth servers. */ + int tcp_auth_query_timeout; /** tcp upstream queries (no UDP upstream queries) */ int tcp_upstream; /** udp upstream enabled when no UDP downstream is enabled (do_udp no)*/ @@ -334,10 +340,14 @@ struct config_file { int hide_version; /** do not report trustanchor (trustanchor.unbound) */ int hide_trustanchor; + /** do not report the User-Agent HTTP header */ + int hide_http_user_agent; /** identity, hostname is returned if "". */ char* identity; /** version, package version returned if "". */ char* version; + /** User-Agent for HTTP header */ + char* http_user_agent; /** nsid */ char *nsid_cfg_str; uint8_t *nsid; @@ -367,6 +377,8 @@ struct config_file { int32_t val_sig_skew_min; /** the maximum for signature clock skew */ int32_t val_sig_skew_max; + /** max number of query restarts, number of IPs to probe */ + int32_t val_max_restart; /** this value sets the number of seconds before revalidating bogus */ int bogus_ttl; /** should validator clean additional section for secure msgs */ @@ -396,6 +408,8 @@ struct config_file { int serve_original_ttl; /** nsec3 maximum iterations per key size, string */ char* val_nsec3_key_iterations; + /** if zonemd failures are permitted, only logged */ + int zonemd_permissive_mode; /** autotrust add holddown time, in seconds */ unsigned int add_holddown; /** autotrust del holddown time, in seconds */ @@ -727,6 +741,10 @@ struct config_auth { /** Always reply with this CNAME target if the cname override action is * used */ char* rpz_cname; + /** Check ZONEMD records for this zone */ + int zonemd_check; + /** Reject absence of ZONEMD records, zone must have one */ + int zonemd_reject_absence; }; /** @@ -1173,6 +1191,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num); int cfg_condense_ports(struct config_file* cfg, int** avail); /** + * Apply system specific port range policy. + * @param cfg: config file. + * @param num: size of the array (65536). + */ +void cfg_apply_local_port_policy(struct config_file* cfg, int num); + +/** * Scan ports available * @param avail: the array from cfg. * @param num: size of the array (65536). @@ -1301,5 +1326,19 @@ void w_config_adjust_directory(struct config_file* cfg); /** debug option for unit tests. */ extern int fake_dsa, fake_sha1; +/** see if interface is https, its port number == the https port number */ +int if_is_https(const char* ifname, const char* port, int https_port); + +/** + * Return true if the config contains settings that enable https. + * @param cfg: config information. + * @return true if https ports are used for server. + */ +int cfg_has_https(struct config_file* cfg); + +#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE +#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range" +#endif + #endif /* UTIL_CONFIG_FILE_H */ diff --git a/usr.sbin/unbound/util/configlexer.lex b/usr.sbin/unbound/util/configlexer.lex index bc4e92c7f11..dbfc17d499f 100644 --- a/usr.sbin/unbound/util/configlexer.lex +++ b/usr.sbin/unbound/util/configlexer.lex @@ -235,6 +235,9 @@ tcp-upstream{COLON} { YDVAR(1, VAR_TCP_UPSTREAM) } tcp-mss{COLON} { YDVAR(1, VAR_TCP_MSS) } outgoing-tcp-mss{COLON} { YDVAR(1, VAR_OUTGOING_TCP_MSS) } tcp-idle-timeout{COLON} { YDVAR(1, VAR_TCP_IDLE_TIMEOUT) } +max-reuse-tcp-queries{COLON} { YDVAR(1, VAR_MAX_REUSE_TCP_QUERIES) } +tcp-reuse-timeout{COLON} { YDVAR(1, VAR_TCP_REUSE_TIMEOUT) } +tcp-auth-query-timeout{COLON} { YDVAR(1, VAR_TCP_AUTH_QUERY_TIMEOUT) } edns-tcp-keepalive{COLON} { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE) } edns-tcp-keepalive-timeout{COLON} { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE_TIMEOUT) } ssl-upstream{COLON} { YDVAR(1, VAR_SSL_UPSTREAM) } @@ -368,8 +371,10 @@ max-ecs-tree-size-ipv6{COLON} { YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) } hide-identity{COLON} { YDVAR(1, VAR_HIDE_IDENTITY) } hide-version{COLON} { YDVAR(1, VAR_HIDE_VERSION) } hide-trustanchor{COLON} { YDVAR(1, VAR_HIDE_TRUSTANCHOR) } +hide-http-user-agent{COLON} { YDVAR(1, VAR_HIDE_HTTP_USER_AGENT) } identity{COLON} { YDVAR(1, VAR_IDENTITY) } version{COLON} { YDVAR(1, VAR_VERSION) } +http-user-agent{COLON} { YDVAR(1, VAR_HTTP_USER_AGENT) } module-config{COLON} { YDVAR(1, VAR_MODULE_CONF) } dlv-anchor{COLON} { YDVAR(1, VAR_DLV_ANCHOR) } dlv-anchor-file{COLON} { YDVAR(1, VAR_DLV_ANCHOR_FILE) } @@ -382,6 +387,7 @@ root-key-sentinel{COLON} { YDVAR(1, VAR_ROOT_KEY_SENTINEL) } val-override-date{COLON} { YDVAR(1, VAR_VAL_OVERRIDE_DATE) } val-sig-skew-min{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MIN) } val-sig-skew-max{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) } +val-max-restart{COLON} { YDVAR(1, VAR_VAL_MAX_RESTART) } val-bogus-ttl{COLON} { YDVAR(1, VAR_BOGUS_TTL) } val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) } val-permissive-mode{COLON} { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) } @@ -401,6 +407,9 @@ key-cache-slabs{COLON} { YDVAR(1, VAR_KEY_CACHE_SLABS) } neg-cache-size{COLON} { YDVAR(1, VAR_NEG_CACHE_SIZE) } val-nsec3-keysize-iterations{COLON} { YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) } +zonemd-permissive-mode{COLON} { YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) } +zonemd-check{COLON} { YDVAR(1, VAR_ZONEMD_CHECK) } +zonemd-reject-absence{COLON} { YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) } add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) } del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) } keep-missing{COLON} { YDVAR(1, VAR_KEEP_MISSING) } diff --git a/usr.sbin/unbound/util/configparser.y b/usr.sbin/unbound/util/configparser.y index 272a9796939..e22d48d4105 100644 --- a/usr.sbin/unbound/util/configparser.y +++ b/usr.sbin/unbound/util/configparser.y @@ -100,17 +100,18 @@ extern struct config_parser_state* cfg_parser; %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE -%token VAR_CONTROL_USE_CERT +%token VAR_CONTROL_USE_CERT VAR_TCP_REUSE_TIMEOUT VAR_MAX_REUSE_TCP_QUERIES %token VAR_EXTENDED_STATISTICS VAR_LOCAL_DATA_PTR VAR_JOSTLE_TIMEOUT %token VAR_STUB_PRIME VAR_UNWANTED_REPLY_THRESHOLD VAR_LOG_TIME_ASCII %token VAR_DOMAIN_INSECURE VAR_PYTHON VAR_PYTHON_SCRIPT VAR_VAL_SIG_SKEW_MIN -%token VAR_VAL_SIG_SKEW_MAX VAR_CACHE_MIN_TTL VAR_VAL_LOG_LEVEL -%token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN -%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH -%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT VAR_HARDEN_BELOW_NXDOMAIN -%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS -%token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM -%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST +%token VAR_VAL_SIG_SKEW_MAX VAR_VAL_MAX_RESTART VAR_CACHE_MIN_TTL +%token VAR_VAL_LOG_LEVEL VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING +%token VAR_ADD_HOLDDOWN VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE +%token VAR_PREFETCH VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT +%token VAR_HARDEN_BELOW_NXDOMAIN VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES +%token VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS VAR_TCP_UPSTREAM +%token VAR_SSL_UPSTREAM VAR_TCP_AUTH_QUERY_TIMEOUT VAR_SSL_SERVICE_KEY +%token VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST %token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE %token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS %token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE @@ -153,6 +154,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_SERVE_EXPIRED_TTL_RESET VAR_SERVE_EXPIRED_REPLY_TTL %token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_SERVE_ORIGINAL_TTL VAR_FAKE_DSA %token VAR_FAKE_SHA1 VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR +%token VAR_HIDE_HTTP_USER_AGENT VAR_HTTP_USER_AGENT %token VAR_TRUST_ANCHOR_SIGNALING VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD %token VAR_SHM_ENABLE VAR_SHM_KEY VAR_ROOT_KEY_SENTINEL %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER @@ -182,6 +184,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME %token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID +%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -223,6 +226,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_harden_short_bufsize | server_harden_large_queries | server_do_not_query_address | server_hide_identity | server_hide_version | server_identity | server_version | + server_hide_http_user_agent | server_http_user_agent | server_harden_glue | server_module_conf | server_trust_anchor_file | server_trust_anchor | server_val_override_date | server_bogus_ttl | server_val_clean_additional | server_val_permissive_mode | @@ -242,8 +246,9 @@ content_server: server_num_threads | server_verbosity | server_port | server_local_data_ptr | server_jostle_timeout | server_unwanted_reply_threshold | server_log_time_ascii | server_domain_insecure | server_val_sig_skew_min | - server_val_sig_skew_max | server_cache_min_ttl | server_val_log_level | - server_auto_trust_anchor_file | server_add_holddown | + server_val_sig_skew_max | server_val_max_restart | + server_cache_min_ttl | server_val_log_level | + server_auto_trust_anchor_file | server_add_holddown | server_del_holddown | server_keep_missing | server_so_rcvbuf | server_edns_buffer_size | server_prefetch | server_prefetch_key | server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag | @@ -299,7 +304,10 @@ content_server: server_num_threads | server_verbosity | server_port | server_stream_wait_size | server_tls_ciphers | server_tls_ciphersuites | server_tls_session_ticket_keys | server_tls_use_sni | server_edns_client_string | - server_edns_client_string_opcode | server_nsid + server_edns_client_string_opcode | server_nsid | + server_zonemd_permissive_mode | server_max_reuse_tcp_queries | + server_tcp_reuse_timeout | server_tcp_auth_query_timeout + ; stubstart: VAR_STUB_ZONE { @@ -366,6 +374,8 @@ authstart: VAR_AUTH_ZONE s->for_downstream = 1; s->for_upstream = 1; s->fallback_enabled = 0; + s->zonemd_check = 0; + s->zonemd_reject_absence = 0; s->isrpz = 0; } else yyerror("out of memory"); @@ -375,7 +385,7 @@ contents_auth: contents_auth content_auth | ; content_auth: auth_name | auth_zonefile | auth_master | auth_url | auth_for_downstream | auth_for_upstream | auth_fallback_enabled | - auth_allow_notify + auth_allow_notify | auth_zonemd_check | auth_zonemd_reject_absence ; rpz_tag: VAR_TAGS STRING_ARG @@ -856,6 +866,39 @@ server_tcp_idle_timeout: VAR_TCP_IDLE_TIMEOUT STRING_ARG free($2); } ; +server_max_reuse_tcp_queries: VAR_MAX_REUSE_TCP_QUERIES STRING_ARG + { + OUTYY(("P(server_max_reuse_tcp_queries:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else if (atoi($2) < 1) + cfg_parser->cfg->max_reuse_tcp_queries = 0; + else cfg_parser->cfg->max_reuse_tcp_queries = atoi($2); + free($2); + } + ; +server_tcp_reuse_timeout: VAR_TCP_REUSE_TIMEOUT STRING_ARG + { + OUTYY(("P(server_tcp_reuse_timeout:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else if (atoi($2) < 1) + cfg_parser->cfg->tcp_reuse_timeout = 0; + else cfg_parser->cfg->tcp_reuse_timeout = atoi($2); + free($2); + } + ; +server_tcp_auth_query_timeout: VAR_TCP_AUTH_QUERY_TIMEOUT STRING_ARG + { + OUTYY(("P(server_tcp_auth_query_timeout:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else if (atoi($2) < 1) + cfg_parser->cfg->tcp_auth_query_timeout = 0; + else cfg_parser->cfg->tcp_auth_query_timeout = atoi($2); + free($2); + } + ; server_tcp_keepalive: VAR_EDNS_TCP_KEEPALIVE STRING_ARG { OUTYY(("P(server_tcp_keepalive:%s)\n", $2)); @@ -1296,6 +1339,15 @@ server_hide_trustanchor: VAR_HIDE_TRUSTANCHOR STRING_ARG free($2); } ; +server_hide_http_user_agent: VAR_HIDE_HTTP_USER_AGENT STRING_ARG + { + OUTYY(("P(server_hide_user_agent:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->hide_http_user_agent = (strcmp($2, "yes")==0); + free($2); + } + ; server_identity: VAR_IDENTITY STRING_ARG { OUTYY(("P(server_identity:%s)\n", $2)); @@ -1310,6 +1362,13 @@ server_version: VAR_VERSION STRING_ARG cfg_parser->cfg->version = $2; } ; +server_http_user_agent: VAR_HTTP_USER_AGENT STRING_ARG + { + OUTYY(("P(server_http_user_agent:%s)\n", $2)); + free(cfg_parser->cfg->http_user_agent); + cfg_parser->cfg->http_user_agent = $2; + } + ; server_nsid: VAR_NSID STRING_ARG { OUTYY(("P(server_nsid:%s)\n", $2)); @@ -1814,6 +1873,19 @@ server_val_sig_skew_max: VAR_VAL_SIG_SKEW_MAX STRING_ARG free($2); } ; +server_val_max_restart: VAR_VAL_MAX_RESTART STRING_ARG + { + OUTYY(("P(server_val_max_restart:%s)\n", $2)); + if(*$2 == '\0' || strcmp($2, "0") == 0) { + cfg_parser->cfg->val_max_restart = 0; + } else { + cfg_parser->cfg->val_max_restart = atoi($2); + if(!cfg_parser->cfg->val_max_restart) + yyerror("number expected"); + } + free($2); + } + ; server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG { OUTYY(("P(server_cache_max_ttl:%s)\n", $2)); @@ -1986,6 +2058,15 @@ server_val_nsec3_keysize_iterations: VAR_VAL_NSEC3_KEYSIZE_ITERATIONS STRING_ARG cfg_parser->cfg->val_nsec3_key_iterations = $2; } ; +server_zonemd_permissive_mode: VAR_ZONEMD_PERMISSIVE_MODE STRING_ARG + { + OUTYY(("P(server_zonemd_permissive_mode:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->zonemd_permissive_mode = (strcmp($2, "yes")==0); + free($2); + } + ; server_add_holddown: VAR_ADD_HOLDDOWN STRING_ARG { OUTYY(("P(server_add_holddown:%s)\n", $2)); @@ -2741,6 +2822,26 @@ auth_allow_notify: VAR_ALLOW_NOTIFY STRING_ARG yyerror("out of memory"); } ; +auth_zonemd_check: VAR_ZONEMD_CHECK STRING_ARG + { + OUTYY(("P(zonemd-check:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->auths->zonemd_check = + (strcmp($2, "yes")==0); + free($2); + } + ; +auth_zonemd_reject_absence: VAR_ZONEMD_REJECT_ABSENCE STRING_ARG + { + OUTYY(("P(zonemd-reject-absence:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->auths->zonemd_reject_absence = + (strcmp($2, "yes")==0); + free($2); + } + ; auth_for_downstream: VAR_FOR_DOWNSTREAM STRING_ARG { OUTYY(("P(for-downstream:%s)\n", $2)); @@ -2791,13 +2892,20 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG && strcmp($3, "always_transparent")!=0 && strcmp($3, "always_refuse")!=0 && strcmp($3, "always_nxdomain")!=0 + && strcmp($3, "always_nodata")!=0 + && strcmp($3, "always_deny")!=0 + && strcmp($3, "always_null")!=0 && strcmp($3, "noview")!=0 - && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0) { + && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0 + && strcmp($3, "inform_redirect") != 0 + && strcmp($3, "ipset") != 0) { yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " "typetransparent, inform, inform_deny, " - "always_transparent, always_refuse, " - "always_nxdomain, noview or nodefault"); + "inform_redirect, always_transparent, " + "always_refuse, always_nxdomain, " + "always_nodata, always_deny, always_null, " + "noview, nodefault or ipset"); free($2); free($3); } else if(strcmp($3, "nodefault")==0) { diff --git a/usr.sbin/unbound/util/data/dname.h b/usr.sbin/unbound/util/data/dname.h index e37c11822b3..cb0f6735d92 100644 --- a/usr.sbin/unbound/util/data/dname.h +++ b/usr.sbin/unbound/util/data/dname.h @@ -261,7 +261,7 @@ int dname_is_root(uint8_t* dname); * Snip off first label from a dname, returning the parent zone. * @param dname: from what to strip off. uncompressed wireformat. * @param len: length, adjusted to become less. - * @return stripped off, or "." if input was ".". + * return stripped off, or "." if input was ".". */ void dname_remove_label(uint8_t** dname, size_t* len); @@ -271,7 +271,7 @@ void dname_remove_label(uint8_t** dname, size_t* len); * @param len: length, adjusted to become less. * @param n: number of labels to strip off (from the left). * if 0, nothing happens. - * @return stripped off, or "." if input was ".". + * return stripped off, or "." if input was ".". */ void dname_remove_labels(uint8_t** dname, size_t* len, int n); diff --git a/usr.sbin/unbound/util/data/msgreply.c b/usr.sbin/unbound/util/data/msgreply.c index 4830b343f0f..00272fd1c64 100644 --- a/usr.sbin/unbound/util/data/msgreply.c +++ b/usr.sbin/unbound/util/data/msgreply.c @@ -329,7 +329,10 @@ parse_create_rrset(sldns_buffer* pkt, struct rrset_parse* pset, return 0; /* copy & decompress */ if(!parse_rr_copy(pkt, pset, *data)) { - if(!region) free(*data); + if(!region) { + free(*data); + *data = NULL; + } return 0; } return 1; @@ -394,8 +397,13 @@ parse_copy_decompress_rrset(sldns_buffer* pkt, struct msg_parse* msg, pk->rk.type = htons(pset->type); pk->rk.rrset_class = pset->rrset_class; /** read data part. */ - if(!parse_create_rrset(pkt, pset, &data, region)) + if(!parse_create_rrset(pkt, pset, &data, region)) { + if(!region) { + free(pk->rk.dname); + pk->rk.dname = NULL; + } return 0; + } pk->entry.data = (void*)data; pk->entry.key = (void*)pk; pk->entry.hash = pset->hash; @@ -825,9 +833,15 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep) /* not particularly fast but flexible, make wireformat and print */ sldns_buffer* buf = sldns_buffer_new(65535); struct regional* region = regional_create(); - if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0, + if(!(buf && region)) { + log_err("%s: log_dns_msg: out of memory", str); + sldns_buffer_free(buf); + regional_destroy(region); + return; + } + if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0, region, 65535, 1, 0)) { - log_info("%s: log_dns_msg: out of memory", str); + log_err("%s: log_dns_msg: out of memory", str); } else { char* s = sldns_wire2str_pkt(sldns_buffer_begin(buf), sldns_buffer_limit(buf)); diff --git a/usr.sbin/unbound/util/fptr_wlist.c b/usr.sbin/unbound/util/fptr_wlist.c index a9e9d3a0323..de6dbd02a37 100644 --- a/usr.sbin/unbound/util/fptr_wlist.c +++ b/usr.sbin/unbound/util/fptr_wlist.c @@ -196,8 +196,6 @@ int fptr_whitelist_pending_udp(comm_point_callback_type *fptr) { if(fptr == &serviced_udp_callback) return 1; - else if(fptr == &worker_handle_reply) return 1; - else if(fptr == &libworker_handle_reply) return 1; return 0; } @@ -205,8 +203,6 @@ int fptr_whitelist_pending_tcp(comm_point_callback_type *fptr) { if(fptr == &serviced_tcp_callback) return 1; - else if(fptr == &worker_handle_reply) return 1; - else if(fptr == &libworker_handle_reply) return 1; return 0; } @@ -583,6 +579,7 @@ int fptr_whitelist_mesh_cb(mesh_cb_func_type fptr) else if(fptr == &probe_answer_cb) return 1; else if(fptr == &auth_xfer_probe_lookup_callback) return 1; else if(fptr == &auth_xfer_transfer_lookup_callback) return 1; + else if(fptr == &auth_zonemd_dnskey_lookup_callback) return 1; return 0; } diff --git a/usr.sbin/unbound/util/iana_ports.inc b/usr.sbin/unbound/util/iana_ports.inc index 875851e6ac6..b93af015da6 100644 --- a/usr.sbin/unbound/util/iana_ports.inc +++ b/usr.sbin/unbound/util/iana_ports.inc @@ -118,7 +118,6 @@ 140, 141, 142, -143, 144, 145, 146, @@ -679,7 +678,6 @@ 990, 991, 992, -993, 995, 996, 997, @@ -4246,6 +4244,7 @@ 5504, 5505, 5506, +5540, 5553, 5554, 5555, @@ -4738,6 +4737,7 @@ 8006, 8007, 8008, +8017, 8019, 8020, 8021, @@ -5378,6 +5378,7 @@ 30999, 31016, 31029, +31337, 31416, 31457, 31620, diff --git a/usr.sbin/unbound/util/net_help.c b/usr.sbin/unbound/util/net_help.c index 3b5527adf43..06bc1f5dd7e 100644 --- a/usr.sbin/unbound/util/net_help.c +++ b/usr.sbin/unbound/util/net_help.c @@ -887,7 +887,7 @@ log_cert(unsigned level, const char* str, void* cert) } #endif /* HAVE_SSL */ -#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) +#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) static int alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* ATTR_UNUSED(arg)) @@ -1609,5 +1609,4 @@ sock_close(int socket) { closesocket(socket); } - # endif /* USE_WINSOCK */ diff --git a/usr.sbin/unbound/util/net_help.h b/usr.sbin/unbound/util/net_help.h index 45b607a430d..79835270c47 100644 --- a/usr.sbin/unbound/util/net_help.h +++ b/usr.sbin/unbound/util/net_help.h @@ -42,6 +42,7 @@ #ifndef NET_HELP_H #define NET_HELP_H #include "util/log.h" +#include "util/random.h" struct sock_list; struct regional; struct config_strlist; @@ -76,8 +77,6 @@ struct config_strlist; /** timeout in milliseconds for UDP queries to auth servers. */ #define UDP_AUTH_QUERY_TIMEOUT 3000 -/** timeout in milliseconds for TCP queries to auth servers. */ -#define TCP_AUTH_QUERY_TIMEOUT 3000 /** Advertised version of EDNS capabilities */ #define EDNS_ADVERTISED_VERSION 0 /** Advertised size of EDNS capabilities */ @@ -94,6 +93,9 @@ extern uint16_t EDNS_ADVERTISED_SIZE; /** DNSKEY secure entry point, KSK flag */ #define DNSKEY_BIT_SEP 0x0001 +/** return a random 16-bit number given a random source */ +#define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff) + /** minimal responses when positive answer */ extern int MINIMAL_RESPONSES; diff --git a/usr.sbin/unbound/util/netevent.c b/usr.sbin/unbound/util/netevent.c index a2c0e6073e3..11c642a2bc3 100644 --- a/usr.sbin/unbound/util/netevent.c +++ b/usr.sbin/unbound/util/netevent.c @@ -51,6 +51,16 @@ #include "dnstap/dnstap.h" #include "dnscrypt/dnscrypt.h" #include "services/listen_dnsport.h" +#ifdef HAVE_SYS_TYPES_H +#include <sys/types.h> +#endif +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif +#ifdef HAVE_NETDB_H +#include <netdb.h> +#endif + #ifdef HAVE_OPENSSL_SSL_H #include <openssl/ssl.h> #endif @@ -152,7 +162,7 @@ struct internal_signal { static struct comm_point* comm_point_create_tcp_handler( struct comm_base *base, struct comm_point* parent, size_t bufsize, struct sldns_buffer* spoolbuf, comm_point_callback_type* callback, - void* callback_arg); + void* callback_arg, struct unbound_socket* socket); /* -------- End of local definitions -------- */ @@ -289,6 +299,7 @@ udp_send_errno_needs_log(struct sockaddr* addr, socklen_t addrlen) # ifdef ENETDOWN case ENETDOWN: # endif + case EPERM: if(verbosity < VERB_ALGO) return 0; default: @@ -302,7 +313,7 @@ udp_send_errno_needs_log(struct sockaddr* addr, socklen_t addrlen) /* 'Cannot assign requested address' also when disconnected */ || (errno == EADDRNOTAVAIL) # endif - ) && verbosity < VERB_DETAIL) + ) && verbosity < VERB_ALGO) return 0; # ifdef EADDRINUSE /* If SO_REUSEADDR is set, we could try to connect to the same server @@ -408,7 +419,9 @@ static void p_ancil(const char* str, struct comm_reply* r) log_info("%s: unknown srctype %d", str, r->srctype); return; } + if(r->srctype == 6) { +#ifdef IPV6_PKTINFO char buf[1024]; if(inet_ntop(AF_INET6, &r->pktinfo.v6info.ipi6_addr, buf, (socklen_t)sizeof(buf)) == 0) { @@ -416,6 +429,7 @@ static void p_ancil(const char* str, struct comm_reply* r) } buf[sizeof(buf)-1]=0; log_info("%s: %s %d", str, buf, r->pktinfo.v6info.ipi6_ifindex); +#endif } else if(r->srctype == 4) { #ifdef IP_PKTINFO char buf1[1024], buf2[1024]; @@ -1200,7 +1214,7 @@ ssl_handshake(struct comm_point* c) int r; if(c->ssl_shake_state == comm_ssl_shake_hs_read) { /* read condition satisfied back to writing */ - comm_point_listen_for_rw(c, 1, 1); + comm_point_listen_for_rw(c, 0, 1); c->ssl_shake_state = comm_ssl_shake_none; return 1; } @@ -1257,7 +1271,11 @@ ssl_handshake(struct comm_point* c) if((SSL_get_verify_mode(c->ssl)&SSL_VERIFY_PEER)) { /* verification */ if(SSL_get_verify_result(c->ssl) == X509_V_OK) { +#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE + X509* x = SSL_get1_peer_certificate(c->ssl); +#else X509* x = SSL_get_peer_certificate(c->ssl); +#endif if(!x) { log_addr(VERB_ALGO, "SSL connection failed: " "no certificate", @@ -1283,7 +1301,11 @@ ssl_handshake(struct comm_point* c) #endif X509_free(x); } else { +#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE + X509* x = SSL_get1_peer_certificate(c->ssl); +#else X509* x = SSL_get_peer_certificate(c->ssl); +#endif if(x) { log_cert(VERB_ALGO, "peer certificate", x); X509_free(x); @@ -1300,6 +1322,7 @@ ssl_handshake(struct comm_point* c) c->repinfo.addrlen); } +#ifdef HAVE_SSL_GET0_ALPN_SELECTED /* check if http2 use is negotiated */ if(c->type == comm_http && c->h2_session) { const unsigned char *alpn; @@ -1311,13 +1334,14 @@ ssl_handshake(struct comm_point* c) c->use_h2 = 1; } } +#endif /* setup listen rw correctly */ if(c->tcp_is_reading) { if(c->ssl_shake_state != comm_ssl_shake_read) comm_point_listen_for_rw(c, 1, 0); } else { - comm_point_listen_for_rw(c, 1, 1); + comm_point_listen_for_rw(c, 0, 1); } c->ssl_shake_state = comm_ssl_shake_none; return 1; @@ -1348,7 +1372,9 @@ ssl_handle_read(struct comm_point* c) return tcp_req_info_handle_read_close(c->tcp_req_info); return 0; /* shutdown, closed */ } else if(want == SSL_ERROR_WANT_READ) { +#ifdef USE_WINSOCK ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); +#endif return 1; /* read more later */ } else if(want == SSL_ERROR_WANT_WRITE) { c->ssl_shake_state = comm_ssl_shake_hs_write; @@ -1396,7 +1422,9 @@ ssl_handle_read(struct comm_point* c) return tcp_req_info_handle_read_close(c->tcp_req_info); return 0; /* shutdown, closed */ } else if(want == SSL_ERROR_WANT_READ) { +#ifdef USE_WINSOCK ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); +#endif return 1; /* read more later */ } else if(want == SSL_ERROR_WANT_WRITE) { c->ssl_shake_state = comm_ssl_shake_hs_write; @@ -1489,7 +1517,9 @@ ssl_handle_write(struct comm_point* c) comm_point_listen_for_rw(c, 1, 0); return 1; /* wait for read condition */ } else if(want == SSL_ERROR_WANT_WRITE) { +#ifdef USE_WINSOCK ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE); +#endif return 1; /* write more later */ } else if(want == SSL_ERROR_SYSCALL) { #ifdef EPIPE @@ -1539,7 +1569,9 @@ ssl_handle_write(struct comm_point* c) comm_point_listen_for_rw(c, 1, 0); return 1; /* wait for read condition */ } else if(want == SSL_ERROR_WANT_WRITE) { +#ifdef USE_WINSOCK ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE); +#endif return 1; /* write more later */ } else if(want == SSL_ERROR_SYSCALL) { #ifdef EPIPE @@ -1620,6 +1652,10 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) if(errno == ECONNRESET && verbosity < 2) return 0; /* silence reset by peer */ #endif +#ifdef ECONNREFUSED + if(errno == ECONNREFUSED && verbosity < 2) + return 0; /* silence reset by peer */ +#endif #ifdef ENETUNREACH if(errno == ENETUNREACH && verbosity < 2) return 0; /* silence it */ @@ -1648,6 +1684,16 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) } #endif #else /* USE_WINSOCK */ + if(WSAGetLastError() == WSAECONNREFUSED && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAEHOSTDOWN && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAEHOSTUNREACH && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAENETDOWN && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAENETUNREACH && verbosity < 2) + return 0; if(WSAGetLastError() == WSAECONNRESET) return 0; if(WSAGetLastError() == WSAEINPROGRESS) @@ -1681,7 +1727,8 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) (int)sldns_buffer_limit(c->buffer)); } - log_assert(sldns_buffer_remaining(c->buffer) > 0); + if(sldns_buffer_remaining(c->buffer) == 0) + log_err("in comm_point_tcp_handle_read buffer_remaining is not > 0 as expected, continuing with (harmless) 0 length recv"); r = recv(fd, (void*)sldns_buffer_current(c->buffer), sldns_buffer_remaining(c->buffer), 0); if(r == 0) { @@ -2197,6 +2244,8 @@ ssl_http_read_more(struct comm_point* c) log_crypto_err("could not SSL_read"); return 0; } + verbose(VERB_ALGO, "ssl http read more skip to %d + %d", + (int)sldns_buffer_position(c->buffer), (int)r); sldns_buffer_skip(c->buffer, (ssize_t)r); return 1; #else @@ -2233,6 +2282,8 @@ http_read_more(int fd, struct comm_point* c) &c->repinfo.addr, c->repinfo.addrlen); return 0; } + verbose(VERB_ALGO, "http read more skip to %d + %d", + (int)sldns_buffer_position(c->buffer), (int)r); sldns_buffer_skip(c->buffer, r); return 1; } @@ -2370,7 +2421,7 @@ http_process_chunk_header(struct comm_point* c) return 1; } -/** handle nonchunked data segment */ +/** handle nonchunked data segment, 0=fail, 1=wait */ static int http_nonchunk_segment(struct comm_point* c) { @@ -2379,7 +2430,7 @@ http_nonchunk_segment(struct comm_point* c) * we are looking to read tcp_byte_count more data * and then the transfer is done. */ size_t remainbufferlen; - size_t got_now = sldns_buffer_limit(c->buffer) - c->http_stored; + size_t got_now = sldns_buffer_limit(c->buffer); if(c->tcp_byte_count <= got_now) { /* done, this is the last data fragment */ c->http_stored = 0; @@ -2388,13 +2439,12 @@ http_nonchunk_segment(struct comm_point* c) (void)(*c->callback)(c, c->cb_arg, NETEVENT_DONE, NULL); return 1; } - c->tcp_byte_count -= got_now; /* if we have the buffer space, * read more data collected into the buffer */ remainbufferlen = sldns_buffer_capacity(c->buffer) - sldns_buffer_limit(c->buffer); - if(remainbufferlen >= c->tcp_byte_count || - remainbufferlen >= 2048) { + if(remainbufferlen+got_now >= c->tcp_byte_count || + remainbufferlen >= (c->ssl?16384:2048)) { size_t total = sldns_buffer_limit(c->buffer); sldns_buffer_clear(c->buffer); sldns_buffer_set_position(c->buffer, total); @@ -2404,6 +2454,7 @@ http_nonchunk_segment(struct comm_point* c) } /* call callback with this data amount, then * wait for more */ + c->tcp_byte_count -= got_now; c->http_stored = 0; sldns_buffer_set_position(c->buffer, 0); fptr_ok(fptr_whitelist_comm_point(c->callback)); @@ -2762,6 +2813,11 @@ comm_point_http_handle_read(int fd, struct comm_point* c) return 0; } + if(c->http_stored >= sldns_buffer_position(c->buffer)) { + /* read did not work but we wanted more data, there is + * no bytes to process now. */ + return 1; + } sldns_buffer_flip(c->buffer); /* if we are partway in a segment of data, position us at the point * where we left off previously */ @@ -3184,7 +3240,7 @@ void comm_point_raw_handle_callback(int ATTR_UNUSED(fd), struct comm_point* comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer, - comm_point_callback_type* callback, void* callback_arg) + comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); @@ -3223,6 +3279,7 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer, c->inuse = 0; c->callback = callback; c->cb_arg = callback_arg; + c->socket = socket; evbits = UB_EV_READ | UB_EV_PERSIST; /* ub_event stuff */ c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, @@ -3244,7 +3301,7 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer, struct comm_point* comm_point_create_udp_ancil(struct comm_base *base, int fd, sldns_buffer* buffer, - comm_point_callback_type* callback, void* callback_arg) + comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); @@ -3283,6 +3340,7 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd, #endif c->callback = callback; c->cb_arg = callback_arg; + c->socket = socket; evbits = UB_EV_READ | UB_EV_PERSIST; /* ub_event stuff */ c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, @@ -3305,7 +3363,7 @@ static struct comm_point* comm_point_create_tcp_handler(struct comm_base *base, struct comm_point* parent, size_t bufsize, struct sldns_buffer* spoolbuf, comm_point_callback_type* callback, - void* callback_arg) + void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); @@ -3361,6 +3419,7 @@ comm_point_create_tcp_handler(struct comm_base *base, c->repinfo.c = c; c->callback = callback; c->cb_arg = callback_arg; + c->socket = socket; if(spoolbuf) { c->tcp_req_info = tcp_req_info_create(spoolbuf); if(!c->tcp_req_info) { @@ -3400,7 +3459,8 @@ static struct comm_point* comm_point_create_http_handler(struct comm_base *base, struct comm_point* parent, size_t bufsize, int harden_large_queries, uint32_t http_max_streams, char* http_endpoint, - comm_point_callback_type* callback, void* callback_arg) + comm_point_callback_type* callback, void* callback_arg, + struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); @@ -3454,6 +3514,7 @@ comm_point_create_http_handler(struct comm_base *base, c->repinfo.c = c; c->callback = callback; c->cb_arg = callback_arg; + c->socket = socket; c->http_min_version = http_version_2; c->http2_stream_max_qbuffer_size = bufsize; @@ -3518,7 +3579,7 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num, uint32_t http_max_streams, char* http_endpoint, struct tcl_list* tcp_conn_limit, size_t bufsize, struct sldns_buffer* spoolbuf, enum listen_type port_type, - comm_point_callback_type* callback, void* callback_arg) + comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); @@ -3568,6 +3629,7 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num, #endif c->callback = NULL; c->cb_arg = NULL; + c->socket = socket; evbits = UB_EV_READ | UB_EV_PERSIST; /* ub_event stuff */ c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, @@ -3589,12 +3651,12 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num, port_type == listen_type_ssl || port_type == listen_type_tcp_dnscrypt) { c->tcp_handlers[i] = comm_point_create_tcp_handler(base, - c, bufsize, spoolbuf, callback, callback_arg); + c, bufsize, spoolbuf, callback, callback_arg, socket); } else if(port_type == listen_type_http) { c->tcp_handlers[i] = comm_point_create_http_handler( base, c, bufsize, harden_large_queries, http_max_streams, http_endpoint, - callback, callback_arg); + callback, callback_arg, socket); } else { log_err("could not create tcp handler, unknown listen " @@ -3895,11 +3957,13 @@ comm_point_close(struct comm_point* c) /* close fd after removing from event lists, or epoll.. is messed up */ if(c->fd != -1 && !c->do_not_close) { +#ifdef USE_WINSOCK if(c->type == comm_tcp || c->type == comm_http) { /* delete sticky events for the fd, it gets closed */ ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE); } +#endif verbose(VERB_ALGO, "close fd %d", c->fd); sock_close(c->fd); } @@ -3970,20 +4034,26 @@ comm_point_send_reply(struct comm_reply *repinfo) comm_point_send_udp_msg(repinfo->c, buffer, (struct sockaddr*)&repinfo->addr, repinfo->addrlen, 0); #ifdef USE_DNSTAP - if(repinfo->c->dtenv != NULL && - repinfo->c->dtenv->log_client_response_messages) - dt_msg_send_client_response(repinfo->c->dtenv, - &repinfo->addr, repinfo->c->type, repinfo->c->buffer); + /* + * sending src (client)/dst (local service) addresses over DNSTAP from udp callback + */ + if(repinfo->c->dtenv != NULL && repinfo->c->dtenv->log_client_response_messages) { + log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); + log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen); + dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer); + } #endif } else { #ifdef USE_DNSTAP - if(repinfo->c->tcp_parent->dtenv != NULL && - repinfo->c->tcp_parent->dtenv->log_client_response_messages) - dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, - &repinfo->addr, repinfo->c->type, - ( repinfo->c->tcp_req_info - ? repinfo->c->tcp_req_info->spool_buffer - : repinfo->c->buffer )); + /* + * sending src (client)/dst (local service) addresses over DNSTAP from TCP callback + */ + if(repinfo->c->tcp_parent->dtenv != NULL && repinfo->c->tcp_parent->dtenv->log_client_response_messages) { + log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); + log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen); + dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, + ( repinfo->c->tcp_req_info? repinfo->c->tcp_req_info->spool_buffer: repinfo->c->buffer )); + } #endif if(repinfo->c->tcp_req_info) { tcp_req_info_send_reply(repinfo->c->tcp_req_info); diff --git a/usr.sbin/unbound/util/netevent.h b/usr.sbin/unbound/util/netevent.h index 4a2aa1677c0..c79f99b3eb6 100644 --- a/usr.sbin/unbound/util/netevent.h +++ b/usr.sbin/unbound/util/netevent.h @@ -70,6 +70,7 @@ struct comm_point; struct comm_reply; struct tcl_list; struct ub_event_base; +struct unbound_socket; struct mesh_state; struct mesh_area; @@ -169,6 +170,8 @@ struct comm_point { /** if the event is added or not */ int event_added; + struct unbound_socket* socket; + /** file descriptor for communication point */ int fd; @@ -495,12 +498,13 @@ struct ub_event_base* comm_base_internal(struct comm_base* b); * @param buffer: shared buffer by UDP sockets from this thread. * @param callback: callback function pointer. * @param callback_arg: will be passed to your callback function. + * @param socket: and opened socket properties will be passed to your callback function. * @return: returns the allocated communication point. NULL on error. * Sets timeout to NULL. Turns off TCP options. */ struct comm_point* comm_point_create_udp(struct comm_base* base, int fd, struct sldns_buffer* buffer, - comm_point_callback_type* callback, void* callback_arg); + comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket); /** * Create an UDP with ancillary data comm point. Calls malloc. @@ -511,12 +515,13 @@ struct comm_point* comm_point_create_udp(struct comm_base* base, * @param buffer: shared buffer by UDP sockets from this thread. * @param callback: callback function pointer. * @param callback_arg: will be passed to your callback function. + * @param socket: and opened socket properties will be passed to your callback function. * @return: returns the allocated communication point. NULL on error. * Sets timeout to NULL. Turns off TCP options. */ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base, int fd, struct sldns_buffer* buffer, - comm_point_callback_type* callback, void* callback_arg); + comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket); /** * Create a TCP listener comm point. Calls malloc. @@ -539,6 +544,7 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base, * to select handler type to use. * @param callback: callback function pointer for TCP handlers. * @param callback_arg: will be passed to your callback function. + * @param socket: and opened socket properties will be passed to your callback function. * @return: returns the TCP listener commpoint. You can find the * TCP handlers in the array inside the listener commpoint. * returns NULL on error. @@ -550,7 +556,7 @@ struct comm_point* comm_point_create_tcp(struct comm_base* base, struct tcl_list* tcp_conn_limit, size_t bufsize, struct sldns_buffer* spoolbuf, enum listen_type port_type, - comm_point_callback_type* callback, void* callback_arg); + comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket); /** * Create an outgoing TCP commpoint. No file descriptor is opened, left at -1. diff --git a/usr.sbin/unbound/util/shm_side/shm_main.c b/usr.sbin/unbound/util/shm_side/shm_main.c index af8c5bcf370..51039abf3ed 100644 --- a/usr.sbin/unbound/util/shm_side/shm_main.c +++ b/usr.sbin/unbound/util/shm_side/shm_main.c @@ -130,6 +130,7 @@ int shm_main_init(struct daemon* daemon) /* Just release memory unused */ free(daemon->shm_info); + daemon->shm_info = NULL; return 0; } @@ -143,6 +144,7 @@ int shm_main_init(struct daemon* daemon) /* Just release memory unused */ free(daemon->shm_info); + daemon->shm_info = NULL; return 0; } @@ -156,6 +158,7 @@ int shm_main_init(struct daemon* daemon) /* Just release memory unused */ free(daemon->shm_info); + daemon->shm_info = NULL; return 0; } @@ -170,6 +173,7 @@ int shm_main_init(struct daemon* daemon) /* Just release memory unused */ free(daemon->shm_info); + daemon->shm_info = NULL; return 0; } @@ -210,6 +214,8 @@ void shm_main_shutdown(struct daemon* daemon) if (daemon->shm_info->ptr_arr) shmdt(daemon->shm_info->ptr_arr); + free(daemon->shm_info); + daemon->shm_info = NULL; #else (void)daemon; #endif /* HAVE_SHMGET */ diff --git a/usr.sbin/unbound/util/storage/lookup3.c b/usr.sbin/unbound/util/storage/lookup3.c index bb25eb433c9..c4026626c6d 100644 --- a/usr.sbin/unbound/util/storage/lookup3.c +++ b/usr.sbin/unbound/util/storage/lookup3.c @@ -53,21 +53,69 @@ on 1 byte), but shoehorning those bytes into integers efficiently is messy. #include "util/storage/lookup3.h" #include <stdio.h> /* defines printf for tests */ #include <time.h> /* defines time_t for timings in the test */ -/*#include <stdint.h> defines uint32_t etc (from config.h) */ -#include <sys/param.h> /* attempt to define endianness */ -#ifdef HAVE_SYS_TYPES_H -# include <sys/types.h> /* attempt to define endianness (solaris) */ -#endif -#if defined(linux) || defined(__OpenBSD__) + +/* + * If our build system provides endianness info, signalled by + * HAVE_TARGET_ENDIANNESS and the presence or absence of TARGET_IS_BIG_ENDIAN, + * use that. Otherwise try to work out the endianness. + */ +#if defined(HAVE_TARGET_ENDIANNESS) +# if defined(TARGET_IS_BIG_ENDIAN) +# define HASH_LITTLE_ENDIAN 0 +# define HASH_BIG_ENDIAN 1 +# else +# define HASH_LITTLE_ENDIAN 1 +# define HASH_BIG_ENDIAN 0 +# endif +#else +# include <sys/param.h> /* attempt to define endianness */ +# ifdef HAVE_SYS_TYPES_H +# include <sys/types.h> /* attempt to define endianness (solaris) */ +# endif +# if defined(linux) || defined(__OpenBSD__) # ifdef HAVE_ENDIAN_H # include <endian.h> /* attempt to define endianness */ # else # include <machine/endian.h> /* on older OpenBSD */ # endif -#endif -#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) -#include <sys/endian.h> /* attempt to define endianness */ -#endif +# endif +# if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) +# include <sys/endian.h> /* attempt to define endianness */ +# endif + /* + * My best guess at if you are big-endian or little-endian. This may + * need adjustment. + */ +# if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \ + __BYTE_ORDER == __LITTLE_ENDIAN) || \ + (defined(i386) || defined(__i386__) || defined(__i486__) || \ + defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86)) +# define HASH_LITTLE_ENDIAN 1 +# define HASH_BIG_ENDIAN 0 +# elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \ + __BYTE_ORDER == __BIG_ENDIAN) || \ + (defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel)) +# define HASH_LITTLE_ENDIAN 0 +# define HASH_BIG_ENDIAN 1 +# elif defined(_MACHINE_ENDIAN_H_) + /* test for machine_endian_h protects failure if some are empty strings */ +# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN +# define HASH_LITTLE_ENDIAN 0 +# define HASH_BIG_ENDIAN 1 +# endif +# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN +# define HASH_LITTLE_ENDIAN 1 +# define HASH_BIG_ENDIAN 0 +# endif /* _MACHINE_ENDIAN_H_ */ +# else +# define HASH_LITTLE_ENDIAN 0 +# define HASH_BIG_ENDIAN 0 +# endif +#endif /* defined(HAVE_TARGET_ENDIANNESS) */ + +#define hashsize(n) ((uint32_t)1<<(n)) +#define hashmask(n) (hashsize(n)-1) +#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k)))) /* random initial value */ static uint32_t raninit = (uint32_t)0xdeadbeef; @@ -79,40 +127,6 @@ hash_set_raninit(uint32_t v) } /* - * My best guess at if you are big-endian or little-endian. This may - * need adjustment. - */ -#if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \ - __BYTE_ORDER == __LITTLE_ENDIAN) || \ - (defined(i386) || defined(__i386__) || defined(__i486__) || \ - defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86)) -# define HASH_LITTLE_ENDIAN 1 -# define HASH_BIG_ENDIAN 0 -#elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \ - __BYTE_ORDER == __BIG_ENDIAN) || \ - (defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel)) -# define HASH_LITTLE_ENDIAN 0 -# define HASH_BIG_ENDIAN 1 -#elif defined(_MACHINE_ENDIAN_H_) -/* test for machine_endian_h protects failure if some are empty strings */ -# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN -# define HASH_LITTLE_ENDIAN 0 -# define HASH_BIG_ENDIAN 1 -# endif -# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN -# define HASH_LITTLE_ENDIAN 1 -# define HASH_BIG_ENDIAN 0 -# endif /* _MACHINE_ENDIAN_H_ */ -#else -# define HASH_LITTLE_ENDIAN 0 -# define HASH_BIG_ENDIAN 0 -#endif - -#define hashsize(n) ((uint32_t)1<<(n)) -#define hashmask(n) (hashsize(n)-1) -#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k)))) - -/* ------------------------------------------------------------------------------- mix -- mix 3 32-bit values reversibly. diff --git a/usr.sbin/unbound/util/ub_event_pluggable.c b/usr.sbin/unbound/util/ub_event_pluggable.c index 235bba6ba79..4280d4db1a3 100644 --- a/usr.sbin/unbound/util/ub_event_pluggable.c +++ b/usr.sbin/unbound/util/ub_event_pluggable.c @@ -666,7 +666,8 @@ ub_winsock_tcp_wouldblock(struct ub_event* ev, int eventbits) fptr_ok(ev->vmt != &default_event_vmt || ev->vmt->winsock_tcp_wouldblock == my_winsock_tcp_wouldblock); - (*ev->vmt->winsock_tcp_wouldblock)(ev, eventbits); + if (ev->vmt->winsock_tcp_wouldblock) + (*ev->vmt->winsock_tcp_wouldblock)(ev, eventbits); } } |