authorStuart Henderson <sthen@cvs.openbsd.org>2019-09-11 14:13:28 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2019-09-11 14:13:28 +0000
commit8e93f11dfb8d73f15e084a3da8ef2b7bec018ea3 (patch)
treea4d83ff706a61e84e73bd817576db74da8650c73 /usr.sbin/unbound/util
parenta6af4ccc826e64f8e2964fbf5b4a7cea34ff75cb (diff)
merge unbound 1.9.3
Diffstat (limited to 'usr.sbin/unbound/util')
-rw-r--r--usr.sbin/unbound/util/config_file.c60
-rw-r--r--usr.sbin/unbound/util/config_file.h25
-rw-r--r--usr.sbin/unbound/util/configlexer.lex3
-rw-r--r--usr.sbin/unbound/util/configparser.y67
-rw-r--r--usr.sbin/unbound/util/data/msgencode.c72
-rw-r--r--usr.sbin/unbound/util/data/msgreply.c2
-rw-r--r--usr.sbin/unbound/util/fptr_wlist.c26
-rw-r--r--usr.sbin/unbound/util/iana_ports.inc1
-rw-r--r--usr.sbin/unbound/util/mini_event.c2
-rw-r--r--usr.sbin/unbound/util/net_help.c16
-rw-r--r--usr.sbin/unbound/util/winsock_event.c2
11 files changed, 236 insertions, 40 deletions
diff --git a/usr.sbin/unbound/util/config_file.c b/usr.sbin/unbound/util/config_file.c
index d97ad998990..676b7af5492 100644
--- a/usr.sbin/unbound/util/config_file.c
+++ b/usr.sbin/unbound/util/config_file.c
@@ -255,6 +255,9 @@ config_create(void)
cfg->neg_cache_size = 1 * 1024 * 1024;
cfg->local_zones = NULL;
cfg->local_zones_nodefault = NULL;
+#ifdef USE_IPSET
+ cfg->local_zones_ipset = NULL;
+#endif
cfg->local_zones_disable_default = 0;
cfg->local_data = NULL;
cfg->local_zone_overrides = NULL;
@@ -327,9 +330,13 @@ config_create(void)
cfg->cachedb_backend = NULL;
cfg->cachedb_secret = NULL;
#endif
+#ifdef USE_IPSET
+ cfg->ipset_name_v4 = NULL;
+ cfg->ipset_name_v6 = NULL;
+#endif
return cfg;
error_exit:
- config_delete(cfg);
+ config_delete(cfg);
return NULL;
}
@@ -602,7 +609,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_STR("control-key-file:", control_key_file)
else S_STR("control-cert-file:", control_cert_file)
else S_STR("module-config:", module_conf)
- else S_STR("python-script:", python_script)
+ else S_STRLIST("python-script:", python_script)
else S_YNO("disable-dnssec-lame-check:", disable_dnssec_lame_check)
#ifdef CLIENT_SUBNET
/* Can't set max subnet prefix here, since that value is used when
@@ -1054,7 +1061,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
else O_DEC(opt, "max-udp-size", max_udp_size)
- else O_STR(opt, "python-script", python_script)
+ else O_LST(opt, "python-script", python_script)
else O_YNO(opt, "disable-dnssec-lame-check", disable_dnssec_lame_check)
else O_DEC(opt, "ip-ratelimit", ip_ratelimit)
else O_DEC(opt, "ratelimit", ratelimit)
@@ -1092,6 +1099,10 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_STR(opt, "backend", cachedb_backend)
else O_STR(opt, "secret-seed", cachedb_secret)
#endif
+#ifdef USE_IPSET
+ else O_STR(opt, "name-v4", ipset_name_v4)
+ else O_STR(opt, "name-v6", ipset_name_v6)
+#endif
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports
* local-zone - zones and nodefault variables
@@ -1310,6 +1321,9 @@ config_delview(struct config_view* p)
free(p->name);
config_deldblstrlist(p->local_zones);
config_delstrlist(p->local_zones_nodefault);
+#ifdef USE_IPSET
+ config_delstrlist(p->local_zones_ipset);
+#endif
config_delstrlist(p->local_data);
free(p);
}
@@ -1384,7 +1398,6 @@ config_delete(struct config_file* cfg)
free(cfg->version);
free(cfg->module_conf);
free(cfg->outgoing_avail_ports);
- free(cfg->python_script);
config_delstrlist(cfg->caps_whitelist);
config_delstrlist(cfg->private_address);
config_delstrlist(cfg->private_domain);
@@ -1400,6 +1413,9 @@ config_delete(struct config_file* cfg)
free(cfg->val_nsec3_key_iterations);
config_deldblstrlist(cfg->local_zones);
config_delstrlist(cfg->local_zones_nodefault);
+#ifdef USE_IPSET
+ config_delstrlist(cfg->local_zones_ipset);
+#endif
config_delstrlist(cfg->local_data);
config_deltrplstrlist(cfg->local_zone_overrides);
config_del_strarray(cfg->tagname, cfg->num_tags);
@@ -1420,6 +1436,7 @@ config_delete(struct config_file* cfg)
free(cfg->dnstap_version);
config_deldblstrlist(cfg->ratelimit_for_domain);
config_deldblstrlist(cfg->ratelimit_below_domain);
+ config_delstrlist(cfg->python_script);
#ifdef USE_IPSECMOD
free(cfg->ipsecmod_hook);
config_delstrlist(cfg->ipsecmod_whitelist);
@@ -1428,6 +1445,10 @@ config_delete(struct config_file* cfg)
free(cfg->cachedb_backend);
free(cfg->cachedb_secret);
#endif
+#ifdef USE_IPSET
+ free(cfg->ipset_name_v4);
+ free(cfg->ipset_name_v6);
+#endif
free(cfg);
}
@@ -1630,6 +1651,31 @@ cfg_strlist_insert(struct config_strlist** head, char* item)
return 1;
}
+int
+cfg_strlist_append_ex(struct config_strlist** head, char* item)
+{
+ struct config_strlist *s;
+ if(!item || !head)
+ return 0;
+ s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist));
+ if(!s)
+ return 0;
+ s->str = item;
+ s->next = NULL;
+
+ if (*head==NULL) {
+ *head = s;
+ } else {
+ struct config_strlist *last = *head;
+ while (last->next!=NULL) {
+ last = last->next;
+ }
+ last->next = s;
+ }
+
+ return 1;
+}
+
int
cfg_str2list_insert(struct config_str2list** head, char* item, char* i2)
{
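Review bot: cfg_strlist_append_ex leaves `item` owned by the caller on every failure path (the NULL-argument check and the calloc failure both return 0 without freeing it), but the only caller this commit adds, the `py_script` action in configparser.y, reports the failure with `yyerror("out of memory")` and never frees `$2`, so the script name leaks on the out-of-memory path. Either free `item` before each `return 0` inside the function (and say so in the header comment added to config_file.h, which currently only states "malloced by caller"), or have the caller release it: `if(!cfg_strlist_append_ex(&cfg_parser->cfg->python_script, $2)) { yyerror("out of memory"); free($2); }`. Whether cfg_strlist_insert, whose tail is visible just above, frees its argument on failure is not shown here, so the two functions may already differ on this point; picking one convention for both would settle it. The linear walk to the tail is fine for a config-time list of scripts.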
@@ -2107,6 +2153,11 @@ cfg_parse_local_zone(struct config_file* cfg, const char* val)
if(strcmp(type, "nodefault")==0) {
return cfg_strlist_insert(&cfg->local_zones_nodefault,
strdup(name));
+#ifdef USE_IPSET
+ } else if(strcmp(type, "ipset")==0) {
+ return cfg_strlist_insert(&cfg->local_zones_ipset,
+ strdup(name));
+#endif
} else {
return cfg_str2list_insert(&cfg->local_zones, strdup(buf),
strdup(type));
@@ -2381,3 +2432,4 @@ int options_remote_is_address(struct config_file* cfg)
if(cfg->control_ifs.first->str[0] == 0) return 1;
return (cfg->control_ifs.first->str[0] != '/');
}
+
diff --git a/usr.sbin/unbound/util/config_file.h b/usr.sbin/unbound/util/config_file.h
index 3cffdbff938..b3ef930a0f1 100644
--- a/usr.sbin/unbound/util/config_file.h
+++ b/usr.sbin/unbound/util/config_file.h
@@ -384,6 +384,10 @@ struct config_file {
struct config_str2list* local_zones;
/** local zones nodefault list */
struct config_strlist* local_zones_nodefault;
+#ifdef USE_IPSET
+ /** local zones ipset list */
+ struct config_strlist* local_zones_ipset;
+#endif
/** do not add any default local zone */
int local_zones_disable_default;
/** local data RRs configured */
@@ -433,7 +437,7 @@ struct config_file {
char* control_cert_file;
/** Python script file */
- char* python_script;
+ struct config_strlist* python_script;
/** Use systemd socket activation. */
int use_systemd;
@@ -575,6 +579,12 @@ struct config_file {
int redis_timeout;
#endif
#endif
+
+ /* ipset module */
+#ifdef USE_IPSET
+ char* ipset_name_v4;
+ char* ipset_name_v6;
+#endif
};
/** from cfg username, after daemonize setup performed */
@@ -647,6 +657,10 @@ struct config_view {
struct config_strlist* local_data;
/** local zones nodefault list */
struct config_strlist* local_zones_nodefault;
+#ifdef USE_IPSET
+ /** local zones ipset list */
+ struct config_strlist* local_zones_ipset;
+#endif
/** Fallback to global local_zones when there is no match in the view
* view specific tree. 1 for yes, 0 for no */
int isfirst;
@@ -821,6 +835,14 @@ char* config_collate_cat(struct config_strlist* list);
int cfg_strlist_append(struct config_strlist_head* list, char* item);
/**
+ * Searches the end of a string list and appends the given text.
+ * @param head: pointer to strlist head variable.
+ * @param item: new item. malloced by caller. if NULL the insertion fails.
+ * @return true on success.
+ */
+int cfg_strlist_append_ex(struct config_strlist** head, char* item);
+
+/**
* Find string in strlist.
* @param head: pointer to strlist head variable.
* @param item: the item to search for.
@@ -1181,3 +1203,4 @@ void w_config_adjust_directory(struct config_file* cfg);
extern int fake_dsa, fake_sha1;
#endif /* UTIL_CONFIG_FILE_H */
+
diff --git a/usr.sbin/unbound/util/configlexer.lex b/usr.sbin/unbound/util/configlexer.lex
index 16b5bc5471b..7a9729086af 100644
--- a/usr.sbin/unbound/util/configlexer.lex
+++ b/usr.sbin/unbound/util/configlexer.lex
@@ -483,6 +483,9 @@ secret-seed{COLON} { YDVAR(1, VAR_CACHEDB_SECRETSEED) }
redis-server-host{COLON} { YDVAR(1, VAR_CACHEDB_REDISHOST) }
redis-server-port{COLON} { YDVAR(1, VAR_CACHEDB_REDISPORT) }
redis-timeout{COLON} { YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) }
+ipset{COLON} { YDVAR(0, VAR_IPSET) }
+name-v4{COLON} { YDVAR(1, VAR_IPSET_NAME_V4) }
+name-v6{COLON} { YDVAR(1, VAR_IPSET_NAME_V6) }
udp-upstream-without-downstream{COLON} { YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) }
tcp-connection-limit{COLON} { YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
<INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
diff --git a/usr.sbin/unbound/util/configparser.y b/usr.sbin/unbound/util/configparser.y
index c7b916966e2..10227a2ff7f 100644
--- a/usr.sbin/unbound/util/configparser.y
+++ b/usr.sbin/unbound/util/configparser.y
@@ -167,6 +167,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
%token VAR_TLS_SESSION_TICKET_KEYS
+%token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -174,7 +175,7 @@ toplevelvar: serverstart contents_server | stubstart contents_stub |
forwardstart contents_forward | pythonstart contents_py |
rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
dnscstart contents_dnsc | cachedbstart contents_cachedb |
- authstart contents_auth
+ ipsetstart contents_ipset | authstart contents_auth
;
/* server: declaration */
@@ -1784,13 +1785,14 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
&& strcmp($3, "always_nxdomain")!=0
&& strcmp($3, "noview")!=0
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
- && strcmp($3, "inform_redirect") != 0) {
+ && strcmp($3, "inform_redirect") != 0
+ && strcmp($3, "ipset") != 0) {
yyerror("local-zone type: expected static, deny, "
"refuse, redirect, transparent, "
"typetransparent, inform, inform_deny, "
"inform_redirect, always_transparent, "
"always_refuse, always_nxdomain, noview "
- "or nodefault");
+ ", nodefault or ipset");
free($2);
free($3);
} else if(strcmp($3, "nodefault")==0) {
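Review bot: The rewritten yyerror message concatenates `"always_refuse, always_nxdomain, noview "` with `", nodefault or ipset"`, which prints as `noview , nodefault or ipset` with a stray space before the comma. Move the comma onto the preceding fragment: `"always_refuse, always_nxdomain, noview, "` followed by `"nodefault or ipset");`. The enclosing `server_local_zone` action starts before this hunk.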
@@ -1798,6 +1800,13 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
local_zones_nodefault, $2))
fatal_exit("out of memory adding local-zone");
free($3);
+#ifdef USE_IPSET
+ } else if(strcmp($3, "ipset")==0) {
+ if(!cfg_strlist_insert(&cfg_parser->cfg->
+ local_zones_ipset, $2))
+ fatal_exit("out of memory adding local-zone");
+ free($3);
+#endif
} else {
if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones,
$2, $3))
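Review bot: The type check in the preceding hunk now accepts `ipset` unconditionally, but the branch that consumes it here is compiled only under USE_IPSET, so a build without ipset support lets `local-zone: <name> ipset` fall through to the generic `cfg_str2list_insert` branch and stores `ipset` as an ordinary local zone type; whether the local zone code later rejects that type is outside this hunk. The `ipset_name_v4`/`ipset_name_v6` actions added later in this file handle the no-ipset build explicitly (`OUTYY(("P(Compiled without ipset, ignoring)\n")); free($2);`), and this branch, like the identical `view_local_zone` branch in the next hunk, could either do the same or reject the zone with yyerror so that a policy the operator wrote is not silently reinterpreted. Suggested shape for the server-side branch:
```yacc
	} else if(strcmp($3, "ipset")==0) {
#ifdef USE_IPSET
		if(!cfg_strlist_insert(&cfg_parser->cfg->
			local_zones_ipset, $2))
			fatal_exit("out of memory adding local-zone");
#else
		yyerror("local-zone type ipset: compiled without ipset support");
		free($2);
#endif
		free($3);
	} else {
		/* … unchanged: generic local_zones insert … */
```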
@@ -2455,6 +2464,13 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
local_zones_nodefault, $2))
fatal_exit("out of memory adding local-zone");
free($3);
+#ifdef USE_IPSET
+ } else if(strcmp($3, "ipset")==0) {
+ if(!cfg_strlist_insert(&cfg_parser->cfg->views->
+ local_zones_ipset, $2))
+ fatal_exit("out of memory adding local-zone");
+ free($3);
+#endif
} else {
if(!cfg_str2list_insert(
&cfg_parser->cfg->views->local_zones,
@@ -2722,8 +2738,8 @@ content_py: py_script
py_script: VAR_PYTHON_SCRIPT STRING_ARG
{
OUTYY(("P(python-script:%s)\n", $2));
- free(cfg_parser->cfg->python_script);
- cfg_parser->cfg->python_script = $2;
+ if(!cfg_strlist_append_ex(&cfg_parser->cfg->python_script, $2))
+ yyerror("out of memory");
}
server_disable_dnssec_lame_check: VAR_DISABLE_DNSSEC_LAME_CHECK STRING_ARG
{
@@ -2959,6 +2975,45 @@ server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG
}
}
;
+ ipsetstart: VAR_IPSET
+ {
+ OUTYY(("\nP(ipset:)\n"));
+ }
+ ;
+ contents_ipset: contents_ipset content_ipset
+ | ;
+ content_ipset: ipset_name_v4 | ipset_name_v6
+ ;
+ ipset_name_v4: VAR_IPSET_NAME_V4 STRING_ARG
+ {
+ #ifdef USE_IPSET
+ OUTYY(("P(name-v4:%s)\n", $2));
+ if(cfg_parser->cfg->ipset_name_v4)
+ yyerror("ipset name v4 override, there must be one "
+ "name for ip v4");
+ free(cfg_parser->cfg->ipset_name_v4);
+ cfg_parser->cfg->ipset_name_v4 = $2;
+ #else
+ OUTYY(("P(Compiled without ipset, ignoring)\n"));
+ free($2);
+ #endif
+ }
+ ;
+ ipset_name_v6: VAR_IPSET_NAME_V6 STRING_ARG
+ {
+ #ifdef USE_IPSET
+ OUTYY(("P(name-v6:%s)\n", $2));
+ if(cfg_parser->cfg->ipset_name_v6)
+ yyerror("ipset name v6 override, there must be one "
+ "name for ip v6");
+ free(cfg_parser->cfg->ipset_name_v6);
+ cfg_parser->cfg->ipset_name_v6 = $2;
+ #else
+ OUTYY(("P(Compiled without ipset, ignoring)\n"));
+ free($2);
+ #endif
+ }
+ ;
%%
/* parse helper routines could be here */
@@ -2978,3 +3033,5 @@ validate_respip_action(const char* action)
"always_refuse or always_nxdomain");
}
}
+
+
diff --git a/usr.sbin/unbound/util/data/msgencode.c b/usr.sbin/unbound/util/data/msgencode.c
index 4c0a5550be1..a51a4b9b85d 100644
--- a/usr.sbin/unbound/util/data/msgencode.c
+++ b/usr.sbin/unbound/util/data/msgencode.c
@@ -639,15 +639,37 @@ positive_answer(struct reply_info* rep, uint16_t qtype) {
return 0;
}
-int
-reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
- uint16_t id, uint16_t flags, sldns_buffer* buffer, time_t timenow,
- struct regional* region, uint16_t udpsize, int dnssec)
+static int
+negative_answer(struct reply_info* rep) {
+ size_t i;
+ int ns_seen = 0;
+ if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN)
+ return 1;
+ if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR &&
+ rep->an_numrrsets != 0)
+ return 0; /* positive */
+ if(FLAGS_GET_RCODE(rep->flags) != LDNS_RCODE_NOERROR &&
+ FLAGS_GET_RCODE(rep->flags) != LDNS_RCODE_NXDOMAIN)
+ return 0;
+ for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++){
+ if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA)
+ return 1;
+ if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS)
+ ns_seen = 1;
+ }
+ if(ns_seen) return 0; /* could be referral, NS, but no SOA */
+ return 1;
+}
+
+int
+reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ uint16_t id, uint16_t flags, sldns_buffer* buffer, time_t timenow,
+ struct regional* region, uint16_t udpsize, int dnssec, int minimise)
{
uint16_t ancount=0, nscount=0, arcount=0;
struct compress_tree_node* tree = 0;
int r;
- size_t rr_offset;
+ size_t rr_offset;
sldns_buffer_clear(buffer);
if(udpsize < sldns_buffer_limit(buffer))
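Review bot: negative_answer has no header comment, and its decision rules (NXDOMAIN is negative; NOERROR with answer RRs is positive; any other rcode is positive; an empty NOERROR is negative when the authority section carries a SOA, positive when it carries NS records without a SOA, negative otherwise) can only be recovered by reading the body. Suggest a comment above `static int` such as: `/** Return 1 if rep is a negative answer (NXDOMAIN or NODATA) whose additional section may be dropped by minimal responses; an NS-only authority section is treated as a referral and returns 0. */`. The `minimise` parameter added to reply_info_encode also deserves a line in that function's doc comment, and since util/data/msgencode.h does not appear in this diffstat, confirm the prototype there was updated with the new parameter separately. The body of reply_info_encode continues past this hunk.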
@@ -663,7 +685,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
/* insert query section */
if(rep->qdcount) {
- if((r=insert_query(qinfo, &tree, buffer, region)) !=
+ if((r=insert_query(qinfo, &tree, buffer, region)) !=
RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
@@ -707,8 +729,8 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
}
/* insert answer section */
- if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
- 0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
+ if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
+ 0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
dnssec, rr_offset)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
@@ -722,9 +744,9 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
sldns_buffer_write_u16_at(buffer, 6, ancount);
/* if response is positive answer, auth/add sections are not required */
- if( ! (MINIMAL_RESPONSES && positive_answer(rep, qinfo->qtype)) ) {
+ if( ! (minimise && positive_answer(rep, qinfo->qtype)) ) {
/* insert auth section */
- if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
+ if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
rep->an_numrrsets, timenow, region, &tree,
LDNS_SECTION_AUTHORITY, qinfo->qtype,
dnssec, rr_offset)) != RETVAL_OK) {
@@ -739,20 +761,22 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
}
sldns_buffer_write_u16_at(buffer, 8, nscount);
- /* insert add section */
- if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
- rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
- &tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
- dnssec, rr_offset)) != RETVAL_OK) {
- if(r == RETVAL_TRUNC) {
- /* no need to set TC bit, this is the additional */
- sldns_buffer_write_u16_at(buffer, 10, arcount);
- sldns_buffer_flip(buffer);
- return 1;
+ if(! (minimise && negative_answer(rep))) {
+ /* insert add section */
+ if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
+ rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
+ &tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
+ dnssec, rr_offset)) != RETVAL_OK) {
+ if(r == RETVAL_TRUNC) {
+ /* no need to set TC bit, this is the additional */
+ sldns_buffer_write_u16_at(buffer, 10, arcount);
+ sldns_buffer_flip(buffer);
+ return 1;
+ }
+ return 0;
}
- return 0;
+ sldns_buffer_write_u16_at(buffer, 10, arcount);
}
- sldns_buffer_write_u16_at(buffer, 10, arcount);
}
sldns_buffer_flip(buffer);
return 1;
@@ -763,7 +787,7 @@ calc_edns_field_size(struct edns_data* edns)
{
size_t rdatalen = 0;
struct edns_option* opt;
- if(!edns || !edns->edns_present)
+ if(!edns || !edns->edns_present)
return 0;
for(opt = edns->opt_list; opt; opt = opt->next) {
rdatalen += 4 + opt->opt_len;
@@ -850,7 +874,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
}
if(!reply_info_encode(qinf, rep, id, flags, pkt, timenow, region,
- udpsize, dnssec)) {
+ udpsize, dnssec, MINIMAL_RESPONSES)) {
log_err("reply encode: out of memory");
return 0;
}
diff --git a/usr.sbin/unbound/util/data/msgreply.c b/usr.sbin/unbound/util/data/msgreply.c
index 32aec4bf4c9..a2c09ac2016 100644
--- a/usr.sbin/unbound/util/data/msgreply.c
+++ b/usr.sbin/unbound/util/data/msgreply.c
@@ -819,7 +819,7 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep)
sldns_buffer* buf = sldns_buffer_new(65535);
struct regional* region = regional_create();
if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0,
- region, 65535, 1)) {
+ region, 65535, 1, 0)) {
log_info("%s: log_dns_msg: out of memory", str);
} else {
char* s = sldns_wire2str_pkt(sldns_buffer_begin(buf),
diff --git a/usr.sbin/unbound/util/fptr_wlist.c b/usr.sbin/unbound/util/fptr_wlist.c
index 94d23fa3a32..f5da501de19 100644
--- a/usr.sbin/unbound/util/fptr_wlist.c
+++ b/usr.sbin/unbound/util/fptr_wlist.c
@@ -90,6 +90,9 @@
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnetmod.h"
#endif
+#ifdef USE_IPSET
+#include "ipset/ipset.h"
+#endif
int
fptr_whitelist_comm_point(comm_point_callback_type *fptr)
@@ -358,8 +361,8 @@ fptr_whitelist_modenv_kill_sub(void (*fptr)(struct module_qstate* newq))
}
int
-fptr_whitelist_modenv_detect_cycle(int (*fptr)(
- struct module_qstate* qstate, struct query_info* qinfo,
+fptr_whitelist_modenv_detect_cycle(int (*fptr)(
+ struct module_qstate* qstate, struct query_info* qinfo,
uint16_t flags, int prime, int valrec))
{
if(fptr == &mesh_detect_cycle) return 1;
@@ -385,6 +388,9 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id))
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_init) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_init) return 1;
+#endif
return 0;
}
@@ -407,6 +413,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id))
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_deinit) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_deinit) return 1;
+#endif
return 0;
}
@@ -430,6 +439,9 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate,
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_operate) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_operate) return 1;
+#endif
return 0;
}
@@ -453,6 +465,9 @@ fptr_whitelist_mod_inform_super(void (*fptr)(
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_inform_super) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_inform_super) return 1;
+#endif
return 0;
}
@@ -476,6 +491,9 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate,
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_clear) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_clear) return 1;
+#endif
return 0;
}
@@ -498,6 +516,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id))
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_get_mem) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_get_mem) return 1;
+#endif
return 0;
}
@@ -597,3 +618,4 @@ int fptr_whitelist_inplace_cb_query_response(
#endif
return 0;
}
+
diff --git a/usr.sbin/unbound/util/iana_ports.inc b/usr.sbin/unbound/util/iana_ports.inc
index aa972a67bd5..8577073c868 100644
--- a/usr.sbin/unbound/util/iana_ports.inc
+++ b/usr.sbin/unbound/util/iana_ports.inc
@@ -1848,7 +1848,6 @@
2197,
2198,
2199,
-2200,
2201,
2202,
2203,
diff --git a/usr.sbin/unbound/util/mini_event.c b/usr.sbin/unbound/util/mini_event.c
index faadf1a23c8..661d88d2e6f 100644
--- a/usr.sbin/unbound/util/mini_event.c
+++ b/usr.sbin/unbound/util/mini_event.c
@@ -313,7 +313,7 @@ int event_add(struct event* ev, struct timeval* tv)
struct timeval *now = ev->ev_base->time_tv;
ev->ev_timeout.tv_sec = tv->tv_sec + now->tv_sec;
ev->ev_timeout.tv_usec = tv->tv_usec + now->tv_usec;
- while(ev->ev_timeout.tv_usec > 1000000) {
+ while(ev->ev_timeout.tv_usec >= 1000000) {
ev->ev_timeout.tv_usec -= 1000000;
ev->ev_timeout.tv_sec++;
}
diff --git a/usr.sbin/unbound/util/net_help.c b/usr.sbin/unbound/util/net_help.c
index 13bcdf8085b..88bfc225a8e 100644
--- a/usr.sbin/unbound/util/net_help.c
+++ b/usr.sbin/unbound/util/net_help.c
@@ -744,6 +744,14 @@ listen_sslctx_setup(void* ctxt)
return 0;
}
#endif
+#if defined(SSL_OP_NO_RENEGOTIATION)
+ /* disable client renegotiation */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+ SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
+ log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ return 0;
+ }
+#endif
#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
/* if we have sha256, set the cipher list to have no known vulns */
if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
@@ -962,6 +970,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
SSL_CTX_free(ctx);
return NULL;
}
+#if defined(SSL_OP_NO_RENEGOTIATION)
+ /* disable client renegotiation */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+ SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
+ log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ return 0;
+ }
+#endif
if(key && key[0]) {
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
log_err("error in client certificate %s", pem);
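Review bot: The failure path added in connect_sslctx_create does `return 0;` without `SSL_CTX_free(ctx)`, whereas the error path immediately above it (`SSL_CTX_free(ctx); return NULL;`) releases the context; the three lines were copied from listen_sslctx_setup, where a plain int 0 is the correct return, but here they leak the SSL_CTX on failure. Change the branch to `log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); SSL_CTX_free(ctx); return NULL;`. The comment `/* disable client renegotiation */` is also copied from the server-side setup; on this connecting-side context `/* disable renegotiation */` reads more accurately. The function continues outside the hunk.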
diff --git a/usr.sbin/unbound/util/winsock_event.c b/usr.sbin/unbound/util/winsock_event.c
index 63d98796d19..de6c28ecb08 100644
--- a/usr.sbin/unbound/util/winsock_event.c
+++ b/usr.sbin/unbound/util/winsock_event.c
@@ -558,7 +558,7 @@ int event_add(struct event *ev, struct timeval *tv)
struct timeval *now = ev->ev_base->time_tv;
ev->ev_timeout.tv_sec = tv->tv_sec + now->tv_sec;
ev->ev_timeout.tv_usec = tv->tv_usec + now->tv_usec;
- while(ev->ev_timeout.tv_usec > 1000000) {
+ while(ev->ev_timeout.tv_usec >= 1000000) {
ev->ev_timeout.tv_usec -= 1000000;
ev->ev_timeout.tv_sec++;
}