diff options
| author | Stuart Henderson <sthen@cvs.openbsd.org> | 2020-08-24 09:41:54 +0000 |
|---|---|---|
| committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2020-08-24 09:41:54 +0000 |
| commit | a8caf799285f804684b3911bad666569243617d4 (patch) | |
| tree | ece123666035943a5d1491020b1d3ce78c96db32 /usr.sbin | |
| parent | 3798bdfa99216b77c98f20ad898ec10a40ec30a1 (diff) | |
merge unbound 1.11.0
Diffstat (limited to 'usr.sbin')
65 files changed, 4172 insertions, 2226 deletions
diff --git a/usr.sbin/unbound/Makefile.in b/usr.sbin/unbound/Makefile.in index f64d1123eff..e0b3ab2cf2f 100644 --- a/usr.sbin/unbound/Makefile.in +++ b/usr.sbin/unbound/Makefile.in @@ -25,6 +25,7 @@ DNSTAP_SRC=@DNSTAP_SRC@ DNSTAP_OBJ=@DNSTAP_OBJ@ DNSCRYPT_SRC=@DNSCRYPT_SRC@ DNSCRYPT_OBJ=@DNSCRYPT_OBJ@ +WITH_DYNLIBMODULE=@WITH_DYNLIBMODULE@ WITH_PYTHONMODULE=@WITH_PYTHONMODULE@ WITH_PYUNBOUND=@WITH_PYUNBOUND@ PY_MAJOR_VERSION=@PY_MAJOR_VERSION@ @@ -77,7 +78,7 @@ LINT=splint LINTFLAGS=+quiet -weak -warnposix -unrecog -Din_addr_t=uint32_t -Du_int=unsigned -Du_char=uint8_t -preproc -Drlimit=rlimit64 -D__gnuc_va_list=va_list -formatcode #-Dglob64=glob -Dglobfree64=globfree # compat with openssl linux edition. -LINTFLAGS+="-DBN_ULONG=unsigned long" -Dkrb5_int32=int "-Dkrb5_ui_4=unsigned int" -DPQ_64BIT=uint64_t -DRC4_INT=unsigned -fixedformalarray -D"ENGINE=unsigned" -D"RSA=unsigned" -D"DSA=unsigned" -D"EVP_PKEY=unsigned" -D"EVP_MD=unsigned" -D"SSL=unsigned" -D"SSL_CTX=unsigned" -D"X509=unsigned" -D"RC4_KEY=unsigned" -D"EVP_MD_CTX=unsigned" -D"ECDSA_SIG=DSA_SIG" -Dfstrm_res=int +LINTFLAGS+="-DBN_ULONG=unsigned long" -Dkrb5_int32=int "-Dkrb5_ui_4=unsigned int" -DPQ_64BIT=uint64_t -DRC4_INT=unsigned -fixedformalarray -D"ENGINE=unsigned" -D"RSA=unsigned" -D"DSA=unsigned" -D"EVP_PKEY=unsigned" -D"EVP_MD=unsigned" -D"SSL=unsigned" -D"SSL_CTX=unsigned" -D"X509=unsigned" -D"RC4_KEY=unsigned" -D"EVP_MD_CTX=unsigned" -D"ECDSA_SIG=DSA_SIG" # compat with NetBSD LINTFLAGS+=@NETBSD_LINTFLAGS@ # compat with OpenBSD @@ -87,6 +88,12 @@ LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=i INSTALL=$(SHELL) $(srcdir)/install-sh +DYNLIBMOD_SRC=dynlibmod/dynlibmod.c +DYNLIBMOD_OBJ=@DYNLIBMOD_OBJ@ +DYNLIBMOD_HEADER=@DYNLIBMOD_HEADER@ +DYNLIBMOD_EXTRALIBS=@DYNLIBMOD_EXTRALIBS@ + + #pythonmod.c is not here, it is mentioned by itself in its own rules, #makedepend fails on missing interface.h otherwise. PYTHONMOD_SRC=pythonmod/pythonmod_utils.c @@ -140,7 +147,7 @@ autotrust.lo val_anchor.lo rpz.lo \ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \ val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo authzone.lo \ $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \ -$(IPSECMOD_OBJ) $(IPSET_OBJ) respip.lo +$(IPSECMOD_OBJ) $(IPSET_OBJ) $(DYNLIBMOD_OBJ) respip.lo COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \ outside_network.lo COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo @@ -219,7 +226,7 @@ MEMSTATS_OBJ_LINK=$(MEMSTATS_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \ $(SLDNS_OBJ) ASYNCLOOK_SRC=testcode/asynclook.c ASYNCLOOK_OBJ=asynclook.lo -ASYNCLOOK_OBJ_LINK=$(ASYNCLOOK_OBJ) log.lo locks.lo $(COMPAT_OBJ) @ASYNCLOOK_ALLOCCHECK_EXTRA_OBJ@ +ASYNCLOOK_OBJ_LINK=$(ASYNCLOOK_OBJ) log.lo locks.lo $(CHECKLOCK_OBJ) $(COMPAT_OBJ) @ASYNCLOOK_ALLOCCHECK_EXTRA_OBJ@ STREAMTCP_SRC=testcode/streamtcp.c STREAMTCP_OBJ=streamtcp.lo STREAMTCP_OBJ_LINK=$(STREAMTCP_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \ @@ -233,6 +240,10 @@ DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \ $(SLDNS_OBJ) IPSET_SRC=@IPSET_SRC@ IPSET_OBJ=@IPSET_OBJ@ +DNSTAP_SOCKET_SRC=dnstap/unbound-dnstap-socket.c +DNSTAP_SOCKET_OBJ=unbound-dnstap-socket.lo +DNSTAP_SOCKET_OBJ_LINK=$(DNSTAP_SOCKET_OBJ) $(COMMON_OBJ) \ +$(COMPAT_OBJ) $(SLDNS_OBJ) LIBUNBOUND_SRC=libunbound/context.c libunbound/libunbound.c \ libunbound/libworker.c LIBUNBOUND_OBJ=context.lo libunbound.lo libworker.lo ub_event_pluggable.lo @@ -259,7 +270,7 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \ $(TESTBOUND_SRC) $(LOCKVERIFY_SRC) $(PKTVIEW_SRC) \ $(MEMSTATS_SRC) $(CHECKCONF_SRC) $(LIBUNBOUND_SRC) $(HOST_SRC) \ $(ASYNCLOOK_SRC) $(STREAMTCP_SRC) $(PERF_SRC) $(DELAYER_SRC) \ - $(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) \ + $(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) $(DNSTAP_SOCKET_SRC)\ $(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC) \ $(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC) @@ -267,7 +278,7 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \ $(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \ $(MEMSTATS_OBJ) $(CHECKCONF_OBJ) $(LIBUNBOUND_OBJ) $(HOST_OBJ) \ $(ASYNCLOOK_OBJ) $(STREAMTCP_OBJ) $(PERF_OBJ) $(DELAYER_OBJ) \ - $(CONTROL_OBJ) $(UBANCHOR_OBJ) $(PETAL_OBJ) \ + $(CONTROL_OBJ) $(UBANCHOR_OBJ) $(PETAL_OBJ) $(DNSTAP_SOCKET_OBJ)\ $(COMPAT_OBJ) $(PYUNBOUND_OBJ) \ $(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ) @@ -306,6 +317,7 @@ rsrc_unbound_checkconf.o: $(srcdir)/winrc/rsrc_unbound_checkconf.rc config.h TEST_BIN=asynclook$(EXEEXT) delayer$(EXEEXT) \ lock-verify$(EXEEXT) memstats$(EXEEXT) perf$(EXEEXT) \ petal$(EXEEXT) pktview$(EXEEXT) streamtcp$(EXEEXT) \ + unbound-dnstap-socket$(EXEEXT) \ testbound$(EXEEXT) unittest$(EXEEXT) tests: all $(TEST_BIN) @@ -315,7 +327,7 @@ longcheck: longtest test: unittest$(EXEEXT) testbound$(EXEEXT) ./unittest$(EXEEXT) ./testbound$(EXEEXT) -s - for x in $(srcdir)/testdata/*.rpl; do echo -n "$$x "; if ./testbound$(EXEEXT) -p $$x >/dev/null 2>&1; then echo OK; else echo failed; exit 1; fi done + for x in $(srcdir)/testdata/*.rpl; do printf "%s" "$$x "; if ./testbound$(EXEEXT) -p $$x >/dev/null 2>&1; then echo OK; else echo failed; exit 1; fi done @echo test OK longtest: tests @@ -328,13 +340,13 @@ libunbound.la: $(LIBUNBOUND_OBJ_LINK) $(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) $(SSLLIB) $(LIBS) unbound$(EXEEXT): $(DAEMON_OBJ_LINK) libunbound.la - $(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) unbound-checkconf$(EXEEXT): $(CHECKCONF_OBJ_LINK) libunbound.la - $(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) unbound-control$(EXEEXT): $(CONTROL_OBJ_LINK) libunbound.la - $(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) unbound-host$(EXEEXT): $(HOST_OBJ_LINK) libunbound.la $(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS) @@ -352,34 +364,34 @@ anchor-update$(EXEEXT): $(ANCHORUPD_OBJ_LINK) libunbound.la $(LINK) -o $@ $(ANCHORUPD_OBJ_LINK) -L. -L.libs -lunbound $(LIBS) unittest$(EXEEXT): $(UNITTEST_OBJ_LINK) - $(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) testbound$(EXEEXT): $(TESTBOUND_OBJ_LINK) - $(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) lock-verify$(EXEEXT): $(LOCKVERIFY_OBJ_LINK) - $(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) petal$(EXEEXT): $(PETAL_OBJ_LINK) $(LINK) -o $@ $(PETAL_OBJ_LINK) $(SSLLIB) $(LIBS) pktview$(EXEEXT): $(PKTVIEW_OBJ_LINK) - $(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) memstats$(EXEEXT): $(MEMSTATS_OBJ_LINK) - $(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) asynclook$(EXEEXT): $(ASYNCLOOK_OBJ_LINK) libunbound.la $(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS) streamtcp$(EXEEXT): $(STREAMTCP_OBJ_LINK) - $(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) perf$(EXEEXT): $(PERF_OBJ_LINK) - $(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) delayer$(EXEEXT): $(DELAYER_OBJ_LINK) - $(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS) + $(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) signit$(EXEEXT): testcode/signit.c $(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS) @@ -401,7 +413,13 @@ dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto @-if test ! -d dnstap; then $(INSTALL) -d dnstap; fi $(PROTOC_C) --c_out=. --proto_path=$(srcdir) $(srcdir)/dnstap/dnstap.proto +unbound-dnstap-socket$(EXEEXT): $(DNSTAP_SOCKET_OBJ_LINK) + $(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS) + dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h +dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h +dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h +unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h $(srcdir)/dnstap/dtstream.h # dnscrypt dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \ @@ -455,6 +473,7 @@ clean: rm -f unbound$(EXEEXT) unbound-checkconf$(EXEEXT) unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup libunbound.la unbound.h rm -f $(ALL_SRC:.c=.lint) rm -f _unbound.la libunbound/python/libunbound_wrap.c libunbound/python/unbound.py pythonmod/interface.h pythonmod/unboundmodule.py + rm -f libunbound.a rm -rf autom4te.cache .libs build doc/html doc/xml distclean: clean @@ -630,6 +649,7 @@ depend: -e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \ -e 's?$$(srcdir)/edns-subnet/subnetmod.h $$(srcdir)/edns-subnet/subnet-whitelist.h $$(srcdir)/edns-subnet/edns-subnet.h $$(srcdir)/edns-subnet/addrtree.h?$$(SUBNET_HEADER)?g' \ -e 's?$$(srcdir)/ipsecmod/ipsecmod.h $$(srcdir)/ipsecmod/ipsecmod-whitelist.h?$$(IPSECMOD_HEADER)?g' \ + -e 's?$$(srcdir)/dynlibmod/dynlibmod.h?$$(DYNLIBMOD_HEADER)?g' \ -e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \ > $(DEPEND_TMP) cp $(DEPEND_TARGET) $(DEPEND_TMP2) @@ -797,12 +817,13 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ + $(srcdir)/ipset/ipset.h $(srcdir)/dynlibmod/dynlibmod.h view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ @@ -887,21 +908,23 @@ authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/service $(srcdir)/validator/val_secalgo.h fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/outside_network.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ - $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \ - $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound-event.h \ - $(srcdir)/libunbound/worker.h + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \ + $(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_nsec3.h \ + $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_neg.h \ + $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h \ + $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \ + $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h \ + $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h \ + $(srcdir)/dynlibmod/dynlibmod.h locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ @@ -1109,7 +1132,32 @@ respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localz $(srcdir)/util/regional.h checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/testcode/checklocks.h +dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/locks.h $(srcdir)/dnstap/dnstap.h \ + dnstap/dnstap.pb-c.h +dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h \ + +dynlibmod.lo dynlibmod.o: $(srcdir)/dynlibmod/dynlibmod.c config.h $(srcdir)/dynlibmod/dynlibmod.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h\ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/tube.h \ + $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h +dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/storage/lookup3.h ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h +ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \ diff --git a/usr.sbin/unbound/acx_python.m4 b/usr.sbin/unbound/acx_python.m4 index 2940971f1a4..a84daa03588 100644 --- a/usr.sbin/unbound/acx_python.m4 +++ b/usr.sbin/unbound/acx_python.m4 @@ -58,6 +58,11 @@ $ac_distutils_result]) AC_MSG_RESULT([$PYTHON_LDFLAGS]) AC_SUBST([PYTHON_LDFLAGS]) + if test -z "$PYTHON_LIBDIR"; then + PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \ + print(get_config_var('LIBDIR'));"` + fi + # # Check for site packages # diff --git a/usr.sbin/unbound/cachedb/cachedb.c b/usr.sbin/unbound/cachedb/cachedb.c index c5be516225f..eed4d5fd9be 100644 --- a/usr.sbin/unbound/cachedb/cachedb.c +++ b/usr.sbin/unbound/cachedb/cachedb.c @@ -160,7 +160,7 @@ testframe_lookup(struct module_env* env, struct cachedb_env* cachedb_env, static void testframe_store(struct module_env* env, struct cachedb_env* cachedb_env, - char* key, uint8_t* data, size_t data_len) + char* key, uint8_t* data, size_t data_len, time_t ATTR_UNUSED(ttl)) { struct testframe_moddata* d = (struct testframe_moddata*) cachedb_env->backend_data; @@ -606,7 +606,8 @@ cachedb_extcache_store(struct module_qstate* qstate, struct cachedb_env* ie) /* call backend */ (*ie->backend->store)(qstate->env, ie, key, sldns_buffer_begin(qstate->env->scratch_buffer), - sldns_buffer_limit(qstate->env->scratch_buffer)); + sldns_buffer_limit(qstate->env->scratch_buffer), + qstate->return_msg->rep->ttl); } /** diff --git a/usr.sbin/unbound/cachedb/cachedb.h b/usr.sbin/unbound/cachedb/cachedb.h index 27187dc56dc..05c4368e60b 100644 --- a/usr.sbin/unbound/cachedb/cachedb.h +++ b/usr.sbin/unbound/cachedb/cachedb.h @@ -84,7 +84,7 @@ struct cachedb_backend { /** Store (env, cachedb_env, key, data, data_len) */ void (*store)(struct module_env*, struct cachedb_env*, char*, - uint8_t*, size_t); + uint8_t*, size_t, time_t); }; #define CACHEDB_HASHSIZE 256 /* bit hash */ diff --git a/usr.sbin/unbound/config.guess b/usr.sbin/unbound/config.guess index 7ea49fadcd8..e94095c5fbe 100644 --- a/usr.sbin/unbound/config.guess +++ b/usr.sbin/unbound/config.guess @@ -1,8 +1,8 @@ -#!/usr/bin/sh +#! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2016 Free Software Foundation, Inc. +# Copyright 1992-2020 Free Software Foundation, Inc. -timestamp='2016-10-02' +timestamp='2020-07-12' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -15,7 +15,7 @@ timestamp='2016-10-02' # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, see <http://www.gnu.org/licenses/>. +# along with this program; if not, see <https://www.gnu.org/licenses/>. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -27,7 +27,7 @@ timestamp='2016-10-02' # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess +# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess # # Please send patches to <config-patches@gnu.org>. @@ -39,7 +39,7 @@ Usage: $0 [OPTION] Output the configuration name of the system \`$me' is run on. -Operation modes: +Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit @@ -50,7 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2016 Free Software Foundation, Inc. +Copyright 1992-2020 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -84,8 +84,6 @@ if test $# != 0; then exit 1 fi -trap 'exit 1' 1 2 15 - # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a @@ -96,34 +94,40 @@ trap 'exit 1' 1 2 15 # Portable tmp directory creation inspired by the Autoconf team. -set_cc_for_build=' -trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; -trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; -: ${TMPDIR=/tmp} ; - { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || - { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || - { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || - { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; -dummy=$tmp/dummy ; -tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; -case $CC_FOR_BUILD,$HOST_CC,$CC in - ,,) echo "int x;" > $dummy.c ; - for c in cc gcc c89 c99 ; do - if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then - CC_FOR_BUILD="$c"; break ; - fi ; - done ; - if test x"$CC_FOR_BUILD" = x ; then - CC_FOR_BUILD=no_compiler_found ; - fi - ;; - ,,*) CC_FOR_BUILD=$CC ;; - ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac ; set_cc_for_build= ;' +tmp= +# shellcheck disable=SC2172 +trap 'test -z "$tmp" || rm -fr "$tmp"' 0 1 2 13 15 + +set_cc_for_build() { + # prevent multiple calls if $tmp is already set + test "$tmp" && return 0 + : "${TMPDIR=/tmp}" + # shellcheck disable=SC2039 + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } + dummy=$tmp/dummy + case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in + ,,) echo "int x;" > "$dummy.c" + for driver in cc gcc c89 c99 ; do + if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then + CC_FOR_BUILD="$driver" + break + fi + done + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; + esac +} # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) -if (test -f /.attbin/uname) >/dev/null 2>&1 ; then +if test -f /.attbin/uname ; then PATH=$PATH:/.attbin ; export PATH fi @@ -132,14 +136,14 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown -case "${UNAME_SYSTEM}" in +case "$UNAME_SYSTEM" in Linux|GNU|GNU/*) # If the system lacks a compiler, then just pick glibc. # We could probably try harder. LIBC=gnu - eval $set_cc_for_build - cat <<-EOF > $dummy.c + set_cc_for_build + cat <<-EOF > "$dummy.c" #include <features.h> #if defined(__UCLIBC__) LIBC=uclibc @@ -149,13 +153,20 @@ Linux|GNU|GNU/*) LIBC=gnu #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` + eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`" + + # If ldd exists, use it to detect musl libc. + if command -v ldd >/dev/null && \ + ldd --version 2>&1 | grep -q ^musl + then + LIBC=musl + fi ;; esac # Note: order is significant - the case branches are not exclusive. -case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in +case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, @@ -169,30 +180,30 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ - /sbin/$sysctl 2>/dev/null || \ - /usr/sbin/$sysctl 2>/dev/null || \ + "/sbin/$sysctl" 2>/dev/null || \ + "/usr/sbin/$sysctl" 2>/dev/null || \ echo unknown)` - case "${UNAME_MACHINE_ARCH}" in + case "$UNAME_MACHINE_ARCH" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; earmv*) - arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'` - endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'` - machine=${arch}${endian}-unknown + arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'` + endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'` + machine="${arch}${endian}"-unknown ;; - *) machine=${UNAME_MACHINE_ARCH}-unknown ;; + *) machine="$UNAME_MACHINE_ARCH"-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently (or will in the future) and ABI. - case "${UNAME_MACHINE_ARCH}" in + case "$UNAME_MACHINE_ARCH" in earm*) os=netbsdelf ;; arm*|i386|m68k|ns32k|sh3*|sparc|vax) - eval $set_cc_for_build + set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then @@ -208,10 +219,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in ;; esac # Determine ABI tags. - case "${UNAME_MACHINE_ARCH}" in + case "$UNAME_MACHINE_ARCH" in earm*) expr='s/^earmv[0-9]/-eabi/;s/eb$//' - abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"` + abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"` ;; esac # The OS release @@ -219,45 +230,60 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. - case "${UNAME_VERSION}" in + case "$UNAME_VERSION" in Debian*) release='-gnu' ;; *) - release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2` + release=`echo "$UNAME_RELEASE" | sed -e 's/[-_].*//' | cut -d. -f1,2` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. - echo "${machine}-${os}${release}${abi}" + echo "$machine-${os}${release}${abi-}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} + echo "$UNAME_MACHINE_ARCH"-unknown-bitrig"$UNAME_RELEASE" exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} + echo "$UNAME_MACHINE_ARCH"-unknown-openbsd"$UNAME_RELEASE" exit ;; *:LibertyBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} + echo "$UNAME_MACHINE_ARCH"-unknown-libertybsd"$UNAME_RELEASE" + exit ;; + *:MidnightBSD:*:*) + echo "$UNAME_MACHINE"-unknown-midnightbsd"$UNAME_RELEASE" exit ;; *:ekkoBSD:*:*) - echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-ekkobsd"$UNAME_RELEASE" exit ;; *:SolidBSD:*:*) - echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-solidbsd"$UNAME_RELEASE" + exit ;; + *:OS108:*:*) + echo "$UNAME_MACHINE"-unknown-os108_"$UNAME_RELEASE" exit ;; macppc:MirBSD:*:*) - echo powerpc-unknown-mirbsd${UNAME_RELEASE} + echo powerpc-unknown-mirbsd"$UNAME_RELEASE" exit ;; *:MirBSD:*:*) - echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-mirbsd"$UNAME_RELEASE" exit ;; *:Sortix:*:*) - echo ${UNAME_MACHINE}-unknown-sortix + echo "$UNAME_MACHINE"-unknown-sortix + exit ;; + *:Twizzler:*:*) + echo "$UNAME_MACHINE"-unknown-twizzler + exit ;; + *:Redox:*:*) + echo "$UNAME_MACHINE"-unknown-redox + exit ;; + mips:OSF1:*.*) + echo mips-dec-osf1 exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in @@ -310,28 +336,19 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + echo "$UNAME_MACHINE"-dec-osf"`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`" # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 exit $exitcode ;; - Alpha\ *:Windows_NT*:*) - # How do we know it's Interix rather than the generic POSIX subsystem? - # Should we change UNAME_MACHINE based on the output of uname instead - # of the specific Alpha model? - echo alpha-pc-interix - exit ;; - 21064:Windows_NT:50:3) - echo alpha-dec-winnt3.5 - exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit ;; *:[Aa]miga[Oo][Ss]:*:*) - echo ${UNAME_MACHINE}-unknown-amigaos + echo "$UNAME_MACHINE"-unknown-amigaos exit ;; *:[Mm]orph[Oo][Ss]:*:*) - echo ${UNAME_MACHINE}-unknown-morphos + echo "$UNAME_MACHINE"-unknown-morphos exit ;; *:OS/390:*:*) echo i370-ibm-openedition @@ -343,7 +360,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) - echo arm-acorn-riscix${UNAME_RELEASE} + echo arm-acorn-riscix"$UNAME_RELEASE" exit ;; arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos @@ -370,19 +387,19 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in sparc) echo sparc-icl-nx7; exit ;; esac ;; s390x:SunOS:*:*) - echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo "$UNAME_MACHINE"-ibm-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`" exit ;; sun4H:SunOS:5.*:*) - echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo sparc-hal-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) - echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo sparc-sun-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`" exit ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) - echo i386-pc-auroraux${UNAME_RELEASE} + echo i386-pc-auroraux"$UNAME_RELEASE" exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) - eval $set_cc_for_build + set_cc_for_build SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. @@ -395,13 +412,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in SUN_ARCH=x86_64 fi fi - echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo "$SUN_ARCH"-pc-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. - echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo sparc-sun-solaris3"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; sun4*:SunOS:*:*) case "`/usr/bin/arch -k`" in @@ -410,25 +427,25 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. - echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + echo sparc-sun-sunos"`echo "$UNAME_RELEASE"|sed -e 's/-/_/'`" exit ;; sun3*:SunOS:*:*) - echo m68k-sun-sunos${UNAME_RELEASE} + echo m68k-sun-sunos"$UNAME_RELEASE" exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 + test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) - echo m68k-sun-sunos${UNAME_RELEASE} + echo m68k-sun-sunos"$UNAME_RELEASE" ;; sun4) - echo sparc-sun-sunos${UNAME_RELEASE} + echo sparc-sun-sunos"$UNAME_RELEASE" ;; esac exit ;; aushp:SunOS:*:*) - echo sparc-auspex-sunos${UNAME_RELEASE} + echo sparc-auspex-sunos"$UNAME_RELEASE" exit ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not @@ -439,44 +456,44 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint"$UNAME_RELEASE" exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint"$UNAME_RELEASE" exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint"$UNAME_RELEASE" exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint${UNAME_RELEASE} + echo m68k-milan-mint"$UNAME_RELEASE" exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint${UNAME_RELEASE} + echo m68k-hades-mint"$UNAME_RELEASE" exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint${UNAME_RELEASE} + echo m68k-unknown-mint"$UNAME_RELEASE" exit ;; m68k:machten:*:*) - echo m68k-apple-machten${UNAME_RELEASE} + echo m68k-apple-machten"$UNAME_RELEASE" exit ;; powerpc:machten:*:*) - echo powerpc-apple-machten${UNAME_RELEASE} + echo powerpc-apple-machten"$UNAME_RELEASE" exit ;; RISC*:Mach:*:*) echo mips-dec-mach_bsd4.3 exit ;; RISC*:ULTRIX:*:*) - echo mips-dec-ultrix${UNAME_RELEASE} + echo mips-dec-ultrix"$UNAME_RELEASE" exit ;; VAX*:ULTRIX*:*:*) - echo vax-dec-ultrix${UNAME_RELEASE} + echo vax-dec-ultrix"$UNAME_RELEASE" exit ;; 2020:CLIX:*:* | 2430:CLIX:*:*) - echo clipper-intergraph-clix${UNAME_RELEASE} + echo clipper-intergraph-clix"$UNAME_RELEASE" exit ;; mips:*:*:UMIPS | mips:*:*:RISCos) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #ifdef __cplusplus #include <stdio.h> /* for printf() prototype */ int main (int argc, char *argv[]) { @@ -485,23 +502,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) - printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) - printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) - printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF - $CC_FOR_BUILD -o $dummy $dummy.c && - dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && - SYSTEM_NAME=`$dummy $dummyarg` && + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && + dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` && + SYSTEM_NAME=`"$dummy" "$dummyarg"` && { echo "$SYSTEM_NAME"; exit; } - echo mips-mips-riscos${UNAME_RELEASE} + echo mips-mips-riscos"$UNAME_RELEASE" exit ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax @@ -527,17 +544,17 @@ EOF AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` - if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] + if [ "$UNAME_PROCESSOR" = mc88100 ] || [ "$UNAME_PROCESSOR" = mc88110 ] then - if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ - [ ${TARGET_BINARY_INTERFACE}x = x ] + if [ "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx ] || \ + [ "$TARGET_BINARY_INTERFACE"x = x ] then - echo m88k-dg-dgux${UNAME_RELEASE} + echo m88k-dg-dgux"$UNAME_RELEASE" else - echo m88k-dg-dguxbcs${UNAME_RELEASE} + echo m88k-dg-dguxbcs"$UNAME_RELEASE" fi else - echo i586-dg-dgux${UNAME_RELEASE} + echo i586-dg-dgux"$UNAME_RELEASE" fi exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) @@ -554,7 +571,7 @@ EOF echo m68k-tektronix-bsd exit ;; *:IRIX*:*:*) - echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + echo mips-sgi-irix"`echo "$UNAME_RELEASE"|sed -e 's/-/_/g'`" exit ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id @@ -566,14 +583,14 @@ EOF if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else - IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + IBM_REV="$UNAME_VERSION.$UNAME_RELEASE" fi - echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} + echo "$UNAME_MACHINE"-ibm-aix"$IBM_REV" exit ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #include <sys/systemcfg.h> main() @@ -584,7 +601,7 @@ EOF exit(0); } EOF - if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` + if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` then echo "$SYSTEM_NAME" else @@ -598,7 +615,7 @@ EOF exit ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` - if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then + if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc @@ -607,18 +624,18 @@ EOF IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | awk -F: '{ print $3 }' | sed s/[0-9]*$/0/` else - IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + IBM_REV="$UNAME_VERSION.$UNAME_RELEASE" fi - echo ${IBM_ARCH}-ibm-aix${IBM_REV} + echo "$IBM_ARCH"-ibm-aix"$IBM_REV" exit ;; *:AIX:*:*) echo rs6000-ibm-aix exit ;; - ibmrt:4.4BSD:*|romp-ibm:BSD:*) + ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and - echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to + echo romp-ibm-bsd"$UNAME_RELEASE" # 4.3 with uname added to exit ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) echo rs6000-bull-bosx @@ -633,28 +650,28 @@ EOF echo m68k-hp-bsd4.4 exit ;; 9000/[34678]??:HP-UX:*:*) - HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` - case "${UNAME_MACHINE}" in - 9000/31? ) HP_ARCH=m68000 ;; - 9000/[34]?? ) HP_ARCH=m68k ;; + HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'` + case "$UNAME_MACHINE" in + 9000/31?) HP_ARCH=m68000 ;; + 9000/[34]??) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "${sc_cpu_version}" in + case "$sc_cpu_version" in 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 - case "${sc_kernel_bits}" in + case "$sc_kernel_bits" in 32) HP_ARCH=hppa2.0n ;; 64) HP_ARCH=hppa2.0w ;; '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi - if [ "${HP_ARCH}" = "" ]; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + if [ "$HP_ARCH" = "" ]; then + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #define _HPUX_SOURCE #include <stdlib.h> @@ -687,13 +704,13 @@ EOF exit (0); } EOF - (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + (CCOPTS="" $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null) && HP_ARCH=`"$dummy"` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ ${HP_ARCH} = hppa2.0w ] + if [ "$HP_ARCH" = hppa2.0w ] then - eval $set_cc_for_build + set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler @@ -712,15 +729,15 @@ EOF HP_ARCH=hppa64 fi fi - echo ${HP_ARCH}-hp-hpux${HPUX_REV} + echo "$HP_ARCH"-hp-hpux"$HPUX_REV" exit ;; ia64:HP-UX:*:*) - HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` - echo ia64-hp-hpux${HPUX_REV} + HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'` + echo ia64-hp-hpux"$HPUX_REV" exit ;; 3050*:HI-UX:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #include <unistd.h> int main () @@ -745,11 +762,11 @@ EOF exit (0); } EOF - $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` && { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; - 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) @@ -758,7 +775,7 @@ EOF *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; - hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) @@ -766,9 +783,9 @@ EOF exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then - echo ${UNAME_MACHINE}-unknown-osf1mk + echo "$UNAME_MACHINE"-unknown-osf1mk else - echo ${UNAME_MACHINE}-unknown-osf1 + echo "$UNAME_MACHINE"-unknown-osf1 fi exit ;; parisc*:Lites*:*:*) @@ -793,130 +810,123 @@ EOF echo c4-convex-bsd exit ;; CRAY*Y-MP:*:*:*) - echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo ymp-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*[A-Z]90:*:*:*) - echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) - echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo t90-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*T3E:*:*:*) - echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo alphaev5-cray-unicosmk"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*SV1:*:*:*) - echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo sv1-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; *:UNICOS/mp:*:*) - echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo craynv-cray-unicosmp"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) - echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + echo "$UNAME_MACHINE"-pc-bsdi"$UNAME_RELEASE" exit ;; sparc*:BSD/OS:*:*) - echo sparc-unknown-bsdi${UNAME_RELEASE} + echo sparc-unknown-bsdi"$UNAME_RELEASE" exit ;; *:BSD/OS:*:*) - echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-bsdi"$UNAME_RELEASE" + exit ;; + arm:FreeBSD:*:*) + UNAME_PROCESSOR=`uname -p` + set_cc_for_build + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + echo "${UNAME_PROCESSOR}"-unknown-freebsd"`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`"-gnueabi + else + echo "${UNAME_PROCESSOR}"-unknown-freebsd"`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`"-gnueabihf + fi exit ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`/usr/bin/uname -p` - case ${UNAME_PROCESSOR} in + case "$UNAME_PROCESSOR" in amd64) - echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; - *) - echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + UNAME_PROCESSOR=x86_64 ;; + i386) + UNAME_PROCESSOR=i586 ;; esac + echo "$UNAME_PROCESSOR"-unknown-freebsd"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`" exit ;; i*:CYGWIN*:*) - echo ${UNAME_MACHINE}-pc-cygwin + echo "$UNAME_MACHINE"-pc-cygwin exit ;; *:MINGW64*:*) - echo ${UNAME_MACHINE}-pc-mingw64 + echo "$UNAME_MACHINE"-pc-mingw64 exit ;; *:MINGW*:*) - echo ${UNAME_MACHINE}-pc-mingw32 + echo "$UNAME_MACHINE"-pc-mingw32 exit ;; *:MSYS*:*) - echo ${UNAME_MACHINE}-pc-msys - exit ;; - i*:windows32*:*) - # uname -m includes "-pc" on this system. - echo ${UNAME_MACHINE}-mingw32 + echo "$UNAME_MACHINE"-pc-msys exit ;; i*:PW*:*) - echo ${UNAME_MACHINE}-pc-pw32 + echo "$UNAME_MACHINE"-pc-pw32 exit ;; *:Interix*:*) - case ${UNAME_MACHINE} in + case "$UNAME_MACHINE" in x86) - echo i586-pc-interix${UNAME_RELEASE} + echo i586-pc-interix"$UNAME_RELEASE" exit ;; authenticamd | genuineintel | EM64T) - echo x86_64-unknown-interix${UNAME_RELEASE} + echo x86_64-unknown-interix"$UNAME_RELEASE" exit ;; IA64) - echo ia64-unknown-interix${UNAME_RELEASE} + echo ia64-unknown-interix"$UNAME_RELEASE" exit ;; esac ;; - [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) - echo i${UNAME_MACHINE}-pc-mks - exit ;; - 8664:Windows_NT:*) - echo x86_64-pc-mks - exit ;; - i*:Windows_NT*:* | Pentium*:Windows_NT*:*) - # How do we know it's Interix rather than the generic POSIX subsystem? - # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we - # UNAME_MACHINE based on the output of uname instead of i386? - echo i586-pc-interix - exit ;; i*:UWIN*:*) - echo ${UNAME_MACHINE}-pc-uwin + echo "$UNAME_MACHINE"-pc-uwin exit ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) - echo x86_64-unknown-cygwin - exit ;; - p*:CYGWIN*:*) - echo powerpcle-unknown-cygwin + echo x86_64-pc-cygwin exit ;; prep*:SunOS:5.*:*) - echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo powerpcle-unknown-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; *:GNU:*:*) # the GNU system - echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + echo "`echo "$UNAME_MACHINE"|sed -e 's,[-/].*$,,'`-unknown-$LIBC`echo "$UNAME_RELEASE"|sed -e 's,/.*$,,'`" exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo "$UNAME_MACHINE-unknown-`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`-$LIBC" exit ;; - i*86:Minix:*:*) - echo ${UNAME_MACHINE}-pc-minix + *:Minix:*:*) + echo "$UNAME_MACHINE"-unknown-minix exit ;; aarch64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; @@ -927,140 +937,178 @@ EOF esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC=gnulibc1 ; fi - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; arc:Linux:*:* | arceb:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; arm*:Linux:*:*) - eval $set_cc_for_build + set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then - echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabi else - echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabihf fi fi exit ;; avr32*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; cris:Linux:*:*) - echo ${UNAME_MACHINE}-axis-linux-${LIBC} + echo "$UNAME_MACHINE"-axis-linux-"$LIBC" exit ;; crisv32:Linux:*:*) - echo ${UNAME_MACHINE}-axis-linux-${LIBC} + echo "$UNAME_MACHINE"-axis-linux-"$LIBC" exit ;; e2k:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; frv:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; hexagon:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; i*86:Linux:*:*) - echo ${UNAME_MACHINE}-pc-linux-${LIBC} + echo "$UNAME_MACHINE"-pc-linux-"$LIBC" exit ;; ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; k1om:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; m32r*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; m68*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; mips:Linux:*:* | mips64:Linux:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + IS_GLIBC=0 + test x"${LIBC}" = xgnu && IS_GLIBC=1 + sed 's/^ //' << EOF > "$dummy.c" #undef CPU - #undef ${UNAME_MACHINE} - #undef ${UNAME_MACHINE}el + #undef mips + #undef mipsel + #undef mips64 + #undef mips64el + #if ${IS_GLIBC} && defined(_ABI64) + LIBCABI=gnuabi64 + #else + #if ${IS_GLIBC} && defined(_ABIN32) + LIBCABI=gnuabin32 + #else + LIBCABI=${LIBC} + #endif + #endif + + #if ${IS_GLIBC} && defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa64r6 + #else + #if ${IS_GLIBC} && !defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa32r6 + #else + #if defined(__mips64) + CPU=mips64 + #else + CPU=mips + #endif + #endif + #endif + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=${UNAME_MACHINE}el + MIPS_ENDIAN=el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=${UNAME_MACHINE} + MIPS_ENDIAN= #else - CPU= + MIPS_ENDIAN= #endif #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } + eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU\|^MIPS_ENDIAN\|^LIBCABI'`" + test "x$CPU" != x && { echo "$CPU${MIPS_ENDIAN}-unknown-linux-$LIBCABI"; exit; } ;; mips64el:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; openrisc*:Linux:*:*) - echo or1k-unknown-linux-${LIBC} + echo or1k-unknown-linux-"$LIBC" exit ;; or32:Linux:*:* | or1k*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; padre:Linux:*:*) - echo sparc-unknown-linux-${LIBC} + echo sparc-unknown-linux-"$LIBC" exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-${LIBC} + echo hppa64-unknown-linux-"$LIBC" exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in - PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; - PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; - *) echo hppa-unknown-linux-${LIBC} ;; + PA7*) echo hppa1.1-unknown-linux-"$LIBC" ;; + PA8*) echo hppa2.0-unknown-linux-"$LIBC" ;; + *) echo hppa-unknown-linux-"$LIBC" ;; esac exit ;; ppc64:Linux:*:*) - echo powerpc64-unknown-linux-${LIBC} + echo powerpc64-unknown-linux-"$LIBC" exit ;; ppc:Linux:*:*) - echo powerpc-unknown-linux-${LIBC} + echo powerpc-unknown-linux-"$LIBC" exit ;; ppc64le:Linux:*:*) - echo powerpc64le-unknown-linux-${LIBC} + echo powerpc64le-unknown-linux-"$LIBC" exit ;; ppcle:Linux:*:*) - echo powerpcle-unknown-linux-${LIBC} + echo powerpcle-unknown-linux-"$LIBC" exit ;; riscv32:Linux:*:* | riscv64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; s390:Linux:*:* | s390x:Linux:*:*) - echo ${UNAME_MACHINE}-ibm-linux-${LIBC} + echo "$UNAME_MACHINE"-ibm-linux-"$LIBC" exit ;; sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; sh*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; tile*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; vax:Linux:*:*) - echo ${UNAME_MACHINE}-dec-linux-${LIBC} + echo "$UNAME_MACHINE"-dec-linux-"$LIBC" exit ;; x86_64:Linux:*:*) - echo ${UNAME_MACHINE}-pc-linux-${LIBC} + set_cc_for_build + LIBCABI=$LIBC + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then + if (echo '#ifdef __ILP32__'; echo IS_X32; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_X32 >/dev/null + then + LIBCABI="$LIBC"x32 + fi + fi + echo "$UNAME_MACHINE"-pc-linux-"$LIBCABI" exit ;; xtensa*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. @@ -1074,34 +1122,34 @@ EOF # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. - echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + echo "$UNAME_MACHINE"-pc-sysv4.2uw"$UNAME_VERSION" exit ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. - echo ${UNAME_MACHINE}-pc-os2-emx + echo "$UNAME_MACHINE"-pc-os2-emx exit ;; i*86:XTS-300:*:STOP) - echo ${UNAME_MACHINE}-unknown-stop + echo "$UNAME_MACHINE"-unknown-stop exit ;; i*86:atheos:*:*) - echo ${UNAME_MACHINE}-unknown-atheos + echo "$UNAME_MACHINE"-unknown-atheos exit ;; i*86:syllable:*:*) - echo ${UNAME_MACHINE}-pc-syllable + echo "$UNAME_MACHINE"-pc-syllable exit ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) - echo i386-unknown-lynxos${UNAME_RELEASE} + echo i386-unknown-lynxos"$UNAME_RELEASE" exit ;; i*86:*DOS:*:*) - echo ${UNAME_MACHINE}-pc-msdosdjgpp + echo "$UNAME_MACHINE"-pc-msdosdjgpp exit ;; - i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) - UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + i*86:*:4.*:*) + UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then - echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + echo "$UNAME_MACHINE"-univel-sysv"$UNAME_REL" else - echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + echo "$UNAME_MACHINE"-pc-sysv"$UNAME_REL" fi exit ;; i*86:*:5:[678]*) @@ -1111,12 +1159,12 @@ EOF *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac - echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + echo "$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}" exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name` - echo ${UNAME_MACHINE}-pc-isc$UNAME_REL + echo "$UNAME_MACHINE"-pc-isc"$UNAME_REL" elif /bin/uname -X 2>/dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 @@ -1126,9 +1174,9 @@ EOF && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 - echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + echo "$UNAME_MACHINE"-pc-sco"$UNAME_REL" else - echo ${UNAME_MACHINE}-pc-sysv32 + echo "$UNAME_MACHINE"-pc-sysv32 fi exit ;; pc:*:*:*) @@ -1148,9 +1196,9 @@ EOF exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then - echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 + echo i860-stardent-sysv"$UNAME_RELEASE" # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. - echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 + echo i860-unknown-sysv"$UNAME_RELEASE" # Unknown i860-SVR4 fi exit ;; mini*:CTIX:SYS*5:*) @@ -1170,9 +1218,9 @@ EOF test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; @@ -1181,28 +1229,28 @@ EOF test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) - echo m68k-unknown-lynxos${UNAME_RELEASE} + echo m68k-unknown-lynxos"$UNAME_RELEASE" exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit ;; TSUNAMI:LynxOS:2.*:*) - echo sparc-unknown-lynxos${UNAME_RELEASE} + echo sparc-unknown-lynxos"$UNAME_RELEASE" exit ;; rs6000:LynxOS:2.*:*) - echo rs6000-unknown-lynxos${UNAME_RELEASE} + echo rs6000-unknown-lynxos"$UNAME_RELEASE" exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) - echo powerpc-unknown-lynxos${UNAME_RELEASE} + echo powerpc-unknown-lynxos"$UNAME_RELEASE" exit ;; SM[BE]S:UNIX_SV:*:*) - echo mips-dde-sysv${UNAME_RELEASE} + echo mips-dde-sysv"$UNAME_RELEASE" exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 @@ -1213,7 +1261,7 @@ EOF *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` - echo ${UNAME_MACHINE}-sni-sysv4 + echo "$UNAME_MACHINE"-sni-sysv4 else echo ns32k-sni-sysv fi @@ -1233,23 +1281,23 @@ EOF exit ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. - echo ${UNAME_MACHINE}-stratus-vos + echo "$UNAME_MACHINE"-stratus-vos exit ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos exit ;; mc68*:A/UX:*:*) - echo m68k-apple-aux${UNAME_RELEASE} + echo m68k-apple-aux"$UNAME_RELEASE" exit ;; news*:NEWS-OS:6*:*) echo mips-sony-newsos6 exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then - echo mips-nec-sysv${UNAME_RELEASE} + echo mips-nec-sysv"$UNAME_RELEASE" else - echo mips-unknown-sysv${UNAME_RELEASE} + echo mips-unknown-sysv"$UNAME_RELEASE" fi exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. @@ -1268,60 +1316,71 @@ EOF echo x86_64-unknown-haiku exit ;; SX-4:SUPER-UX:*:*) - echo sx4-nec-superux${UNAME_RELEASE} + echo sx4-nec-superux"$UNAME_RELEASE" exit ;; SX-5:SUPER-UX:*:*) - echo sx5-nec-superux${UNAME_RELEASE} + echo sx5-nec-superux"$UNAME_RELEASE" exit ;; SX-6:SUPER-UX:*:*) - echo sx6-nec-superux${UNAME_RELEASE} + echo sx6-nec-superux"$UNAME_RELEASE" exit ;; SX-7:SUPER-UX:*:*) - echo sx7-nec-superux${UNAME_RELEASE} + echo sx7-nec-superux"$UNAME_RELEASE" exit ;; SX-8:SUPER-UX:*:*) - echo sx8-nec-superux${UNAME_RELEASE} + echo sx8-nec-superux"$UNAME_RELEASE" exit ;; SX-8R:SUPER-UX:*:*) - echo sx8r-nec-superux${UNAME_RELEASE} + echo sx8r-nec-superux"$UNAME_RELEASE" exit ;; SX-ACE:SUPER-UX:*:*) - echo sxace-nec-superux${UNAME_RELEASE} + echo sxace-nec-superux"$UNAME_RELEASE" exit ;; Power*:Rhapsody:*:*) - echo powerpc-apple-rhapsody${UNAME_RELEASE} + echo powerpc-apple-rhapsody"$UNAME_RELEASE" exit ;; *:Rhapsody:*:*) - echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} + echo "$UNAME_MACHINE"-apple-rhapsody"$UNAME_RELEASE" + exit ;; + arm64:Darwin:*:*) + echo aarch64-apple-darwin"$UNAME_RELEASE" exit ;; *:Darwin:*:*) - UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown - eval $set_cc_for_build - if test "$UNAME_PROCESSOR" = unknown ; then - UNAME_PROCESSOR=powerpc + UNAME_PROCESSOR=`uname -p` + case $UNAME_PROCESSOR in + unknown) UNAME_PROCESSOR=powerpc ;; + esac + if command -v xcode-select > /dev/null 2> /dev/null && \ + ! xcode-select --print-path > /dev/null 2> /dev/null ; then + # Avoid executing cc if there is no toolchain installed as + # cc will be a stub that puts up a graphical alert + # prompting the user to install developer tools. + CC_FOR_BUILD=no_compiler_found + else + set_cc_for_build fi - if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then - if [ "$CC_FOR_BUILD" != no_compiler_found ]; then - if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - case $UNAME_PROCESSOR in - i386) UNAME_PROCESSOR=x86_64 ;; - powerpc) UNAME_PROCESSOR=powerpc64 ;; - esac - fi + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi + # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc + if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_PPC >/dev/null + then + UNAME_PROCESSOR=powerpc fi elif test "$UNAME_PROCESSOR" = i386 ; then - # Avoid executing cc on OS X 10.9, as it ships with a stub - # that puts up a graphical alert prompting to install - # developer tools. Any system running Mac OS X 10.7 or - # later (Darwin 11 and later) is required to have a 64-bit - # processor. This is not true of the ARM version of Darwin - # that Apple uses in portable devices. - UNAME_PROCESSOR=x86_64 + # uname -m returns i386 or x86_64 + UNAME_PROCESSOR=$UNAME_MACHINE fi - echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} + echo "$UNAME_PROCESSOR"-apple-darwin"$UNAME_RELEASE" exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` @@ -1329,19 +1388,25 @@ EOF UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi - echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} + echo "$UNAME_PROCESSOR"-"$UNAME_MACHINE"-nto-qnx"$UNAME_RELEASE" exit ;; *:QNX:*:4*) echo i386-pc-qnx exit ;; - NEO-?:NONSTOP_KERNEL:*:*) - echo neo-tandem-nsk${UNAME_RELEASE} + NEO-*:NONSTOP_KERNEL:*:*) + echo neo-tandem-nsk"$UNAME_RELEASE" exit ;; NSE-*:NONSTOP_KERNEL:*:*) - echo nse-tandem-nsk${UNAME_RELEASE} + echo nse-tandem-nsk"$UNAME_RELEASE" + exit ;; + NSR-*:NONSTOP_KERNEL:*:*) + echo nsr-tandem-nsk"$UNAME_RELEASE" + exit ;; + NSV-*:NONSTOP_KERNEL:*:*) + echo nsv-tandem-nsk"$UNAME_RELEASE" exit ;; - NSR-?:NONSTOP_KERNEL:*:*) - echo nsr-tandem-nsk${UNAME_RELEASE} + NSX-*:NONSTOP_KERNEL:*:*) + echo nsx-tandem-nsk"$UNAME_RELEASE" exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux @@ -1350,18 +1415,19 @@ EOF echo bs2000-siemens-sysv exit ;; DS/*:UNIX_System_V:*:*) - echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} + echo "$UNAME_MACHINE"-"$UNAME_SYSTEM"-"$UNAME_RELEASE" exit ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. + # shellcheck disable=SC2154 if test "$cputype" = 386; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" fi - echo ${UNAME_MACHINE}-unknown-plan9 + echo "$UNAME_MACHINE"-unknown-plan9 exit ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 @@ -1382,14 +1448,14 @@ EOF echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) - echo mips-sei-seiux${UNAME_RELEASE} + echo mips-sei-seiux"$UNAME_RELEASE" exit ;; *:DragonFly:*:*) - echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + echo "$UNAME_MACHINE"-unknown-dragonfly"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`" exit ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` - case "${UNAME_MACHINE}" in + case "$UNAME_MACHINE" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; V*) echo vax-dec-vms ; exit ;; @@ -1398,32 +1464,190 @@ EOF echo i386-pc-xenix exit ;; i*86:skyos:*:*) - echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` + echo "$UNAME_MACHINE"-pc-skyos"`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'`" exit ;; i*86:rdos:*:*) - echo ${UNAME_MACHINE}-pc-rdos + echo "$UNAME_MACHINE"-pc-rdos exit ;; i*86:AROS:*:*) - echo ${UNAME_MACHINE}-pc-aros + echo "$UNAME_MACHINE"-pc-aros exit ;; x86_64:VMkernel:*:*) - echo ${UNAME_MACHINE}-unknown-esx + echo "$UNAME_MACHINE"-unknown-esx exit ;; amd64:Isilon\ OneFS:*:*) echo x86_64-unknown-onefs exit ;; + *:Unleashed:*:*) + echo "$UNAME_MACHINE"-unknown-unleashed"$UNAME_RELEASE" + exit ;; +esac + +# No uname command or uname output not recognized. +set_cc_for_build +cat > "$dummy.c" <<EOF +#ifdef _SEQUENT_ +#include <sys/types.h> +#include <sys/utsname.h> +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined (vax) || defined (__vax) || defined (__vax__) || defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#include <signal.h> +#if defined(_SIZE_T_) || defined(SIGLOST) +#include <sys/utsname.h> +#endif +#endif +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... */ + printf ("mips-sony-bsd\n"); exit (0); +#else +#include <sys/param.h> + printf ("m68k-sony-newsos%s\n", +#ifdef NEWSOS4 + "4" +#else + "" +#endif + ); exit (0); +#endif +#endif + +#if defined (NeXT) +#if !defined (__ARCHITECTURE__) +#define __ARCHITECTURE__ "m68k" +#endif + int version; + version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; + if (version < 4) + printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); + else + printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); + exit (0); +#endif + +#if defined (MULTIMAX) || defined (n16) +#if defined (UMAXV) + printf ("ns32k-encore-sysv\n"); exit (0); +#else +#if defined (CMU) + printf ("ns32k-encore-mach\n"); exit (0); +#else + printf ("ns32k-encore-bsd\n"); exit (0); +#endif +#endif +#endif + +#if defined (__386BSD__) + printf ("i386-pc-bsd\n"); exit (0); +#endif + +#if defined (sequent) +#if defined (i386) + printf ("i386-sequent-dynix\n"); exit (0); +#endif +#if defined (ns32000) + printf ("ns32k-sequent-dynix\n"); exit (0); +#endif +#endif + +#if defined (_SEQUENT_) + struct utsname un; + + uname(&un); + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); +#endif + +#if defined (vax) +#if !defined (ultrix) +#include <sys/param.h> +#if defined (BSD) +#if BSD == 43 + printf ("vax-dec-bsd4.3\n"); exit (0); +#else +#if BSD == 199006 + printf ("vax-dec-bsd4.3reno\n"); exit (0); +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#endif +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#else +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname un; + uname (&un); + printf ("vax-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("vax-dec-ultrix\n"); exit (0); +#endif +#endif +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname *un; + uname (&un); + printf ("mips-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("mips-dec-ultrix\n"); exit (0); +#endif +#endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null && SYSTEM_NAME=`$dummy` && + { echo "$SYSTEM_NAME"; exit; } + +# Apollos put the system type in the environment. +test -d /usr/apollo && { echo "$ISP-apollo-$SYSTYPE"; exit; } + +echo "$0: unable to guess system type" >&2 + +case "$UNAME_MACHINE:$UNAME_SYSTEM" in + mips:Linux | mips64:Linux) + # If we got here on MIPS GNU/Linux, output extra information. + cat >&2 <<EOF + +NOTE: MIPS GNU/Linux systems require a C compiler to fully recognize +the system type. Please install a C compiler and try again. +EOF + ;; esac cat >&2 <<EOF -$0: unable to guess system type This script (version $timestamp), has failed to recognize the -operating system you are using. If your script is old, overwrite -config.guess and config.sub with the latest versions from: +operating system you are using. If your script is old, overwrite *all* +copies of config.guess and config.sub with the latest versions from: - http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess + https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess and - http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub + https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub +EOF + +year=`echo $timestamp | sed 's,-.*,,'` +# shellcheck disable=SC2003 +if test "`expr "\`date +%Y\`" - "$year"`" -lt 3 ; then + cat >&2 <<EOF If $0 has already been updated, send the following data and any information you think might be pertinent to config-patches@gnu.org to @@ -1446,16 +1670,17 @@ hostinfo = `(hostinfo) 2>/dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` -UNAME_MACHINE = ${UNAME_MACHINE} -UNAME_RELEASE = ${UNAME_RELEASE} -UNAME_SYSTEM = ${UNAME_SYSTEM} -UNAME_VERSION = ${UNAME_VERSION} +UNAME_MACHINE = "$UNAME_MACHINE" +UNAME_RELEASE = "$UNAME_RELEASE" +UNAME_SYSTEM = "$UNAME_SYSTEM" +UNAME_VERSION = "$UNAME_VERSION" EOF +fi exit 1 # Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" diff --git a/usr.sbin/unbound/config.h.in b/usr.sbin/unbound/config.h.in index 78d47fedc13..f7a4095ed34 100644 --- a/usr.sbin/unbound/config.h.in +++ b/usr.sbin/unbound/config.h.in @@ -28,6 +28,9 @@ /* Whether daemon is deprecated */ #undef DEPRECATED_DAEMON +/* Define this to enable kernel based UDP source port randomization. */ +#undef DISABLE_EXPLICIT_PORT_RANDOMISATION + /* default dnstap socket path */ #undef DNSTAP_SOCKET_PATH @@ -176,6 +179,9 @@ /* Define to 1 if you have the `endservent' function. */ #undef HAVE_ENDSERVENT +/* Define to 1 if you have the `ENGINE_cleanup' function. */ +#undef HAVE_ENGINE_CLEANUP + /* Define to 1 if you have the `ERR_free_strings' function. */ #undef HAVE_ERR_FREE_STRINGS @@ -380,6 +386,9 @@ /* Define to 1 if you have the <openssl/conf.h> header file. */ #undef HAVE_OPENSSL_CONF_H +/* Define to 1 if you have the <openssl/core_names.h> header file. */ +#undef HAVE_OPENSSL_CORE_NAMES_H + /* Define to 1 if you have the <openssl/dh.h> header file. */ #undef HAVE_OPENSSL_DH_H @@ -494,8 +503,9 @@ /* Define to 1 if you have the `SSL_CTX_set_security_level' function. */ #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL -/* Define to 1 if you have the `SSL_CTX_set_tlsext_ticket_key_cb' function. */ -#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_CB +/* Define to 1 if you have the `SSL_CTX_set_tlsext_ticket_key_evp_cb' + function. */ +#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB /* Define to 1 if you have the `SSL_get0_peername' function. */ #undef HAVE_SSL_GET0_PEERNAME @@ -590,6 +600,9 @@ /* Define to 1 if you have the <sys/wait.h> header file. */ #undef HAVE_SYS_WAIT_H +/* Define to 1 if you have the <TargetConditionals.h> header file. */ +#undef HAVE_TARGETCONDITIONALS_H + /* Define to 1 if you have the <time.h> header file. */ #undef HAVE_TIME_H @@ -805,6 +818,9 @@ /* Define to 1 to use ipset support */ #undef USE_IPSET +/* Define if you enable libevent */ +#undef USE_LIBEVENT + /* Define if you want to use internal select based events */ #undef USE_MINI_EVENT @@ -854,6 +870,9 @@ /* the version of the windows API enabled */ #undef WINVER +/* Define if you want dynlib module. */ +#undef WITH_DYNLIBMODULE + /* Define if you want Python module. */ #undef WITH_PYTHONMODULE diff --git a/usr.sbin/unbound/config.sub b/usr.sbin/unbound/config.sub index ba15a57a5cf..3d9a8dc3d5a 100644 --- a/usr.sbin/unbound/config.sub +++ b/usr.sbin/unbound/config.sub @@ -1,8 +1,8 @@ -#!/usr/bin/sh +#! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2016 Free Software Foundation, Inc. +# Copyright 1992-2020 Free Software Foundation, Inc. -timestamp='2016-09-05' +timestamp='2020-07-10' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -15,7 +15,7 @@ timestamp='2016-09-05' # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, see <http://www.gnu.org/licenses/>. +# along with this program; if not, see <https://www.gnu.org/licenses/>. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -33,7 +33,7 @@ timestamp='2016-09-05' # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub +# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases @@ -57,7 +57,7 @@ Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. -Operation modes: +Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit @@ -67,7 +67,7 @@ Report bugs and patches to <config-patches@gnu.org>." version="\ GNU config.sub ($timestamp) -Copyright 1992-2016 Free Software Foundation, Inc. +Copyright 1992-2020 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -89,12 +89,12 @@ while test $# -gt 0 ; do - ) # Use stdin as input. break ;; -* ) - echo "$me: invalid option $1$help" + echo "$me: invalid option $1$help" >&2 exit 1 ;; *local*) # First pass through any local machine types. - echo $1 + echo "$1" exit ;; * ) @@ -110,1242 +110,1167 @@ case $# in exit 1;; esac -# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). -# Here we must recognize all the valid KERNEL-OS combinations. -maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` -case $maybe_os in - nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ - linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ - knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ - kopensolaris*-gnu* | cloudabi*-eabi* | \ - storm-chaos* | os2-emx* | rtmk-nova*) - os=-$maybe_os - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` - ;; - android-linux) - os=-linux-android - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown - ;; - *) - basic_machine=`echo $1 | sed 's/-[^-]*$//'` - if [ $basic_machine != $1 ] - then os=`echo $1 | sed 's/.*-/-/'` - else os=; fi - ;; -esac +# Split fields of configuration type +# shellcheck disable=SC2162 +IFS="-" read field1 field2 field3 field4 <<EOF +$1 +EOF -### Let's recognize common machines as not being operating systems so -### that things like config.sub decstation-3100 work. We also -### recognize some manufacturers as not being operating systems, so we -### can provide default operating systems below. -case $os in - -sun*os*) - # Prevent following clause from handling this invalid input. - ;; - -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ - -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ - -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ - -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ - -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ - -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray | -microblaze*) - os= - basic_machine=$1 - ;; - -bluegene*) - os=-cnk - ;; - -sim | -cisco | -oki | -wec | -winbond) - os= - basic_machine=$1 - ;; - -scout) - ;; - -wrs) - os=-vxworks - basic_machine=$1 - ;; - -chorusos*) - os=-chorusos - basic_machine=$1 - ;; - -chorusrdb) - os=-chorusrdb - basic_machine=$1 - ;; - -hiux*) - os=-hiuxwe2 - ;; - -sco6) - os=-sco5v6 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco5) - os=-sco3.2v5 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco4) - os=-sco3.2v4 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2.[4-9]*) - os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2v[4-9]*) - # Don't forget version if it is 3.2v4 or newer. - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco5v6*) - # Don't forget version if it is 3.2v4 or newer. - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco*) - os=-sco3.2v2 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -udk*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -isc) - os=-isc2.2 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -clix*) - basic_machine=clipper-intergraph - ;; - -isc*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -lynx*178) - os=-lynxos178 - ;; - -lynx*5) - os=-lynxos5 - ;; - -lynx*) - os=-lynxos +# Separate into logical components for further validation +case $1 in + *-*-*-*-*) + echo Invalid configuration \`"$1"\': more than four components >&2 + exit 1 ;; - -ptx*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` + *-*-*-*) + basic_machine=$field1-$field2 + basic_os=$field3-$field4 ;; - -windowsnt*) - os=`echo $os | sed -e 's/windowsnt/winnt/'` + *-*-*) + # Ambiguous whether COMPANY is present, or skipped and KERNEL-OS is two + # parts + maybe_os=$field2-$field3 + case $maybe_os in + nto-qnx* | linux-* | uclinux-uclibc* \ + | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ + | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ + | storm-chaos* | os2-emx* | rtmk-nova*) + basic_machine=$field1 + basic_os=$maybe_os + ;; + android-linux) + basic_machine=$field1-unknown + basic_os=linux-android + ;; + *) + basic_machine=$field1-$field2 + basic_os=$field3 + ;; + esac ;; - -psos*) - os=-psos + *-*) + # A lone config we happen to match not fitting any pattern + case $field1-$field2 in + decstation-3100) + basic_machine=mips-dec + basic_os= + ;; + *-*) + # Second component is usually, but not always the OS + case $field2 in + # Prevent following clause from handling this valid os + sun*os*) + basic_machine=$field1 + basic_os=$field2 + ;; + # Manufacturers + dec* | mips* | sequent* | encore* | pc533* | sgi* | sony* \ + | att* | 7300* | 3300* | delta* | motorola* | sun[234]* \ + | unicom* | ibm* | next | hp | isi* | apollo | altos* \ + | convergent* | ncr* | news | 32* | 3600* | 3100* \ + | hitachi* | c[123]* | convex* | sun | crds | omron* | dg \ + | ultra | tti* | harris | dolphin | highlevel | gould \ + | cbm | ns | masscomp | apple | axis | knuth | cray \ + | microblaze* | sim | cisco \ + | oki | wec | wrs | winbond) + basic_machine=$field1-$field2 + basic_os= + ;; + *) + basic_machine=$field1 + basic_os=$field2 + ;; + esac + ;; + esac ;; - -mint | -mint[0-9]*) - basic_machine=m68k-atari - os=-mint + *) + # Convert single-component short-hands not valid as part of + # multi-component configurations. + case $field1 in + 386bsd) + basic_machine=i386-pc + basic_os=bsd + ;; + a29khif) + basic_machine=a29k-amd + basic_os=udi + ;; + adobe68k) + basic_machine=m68010-adobe + basic_os=scout + ;; + alliant) + basic_machine=fx80-alliant + basic_os= + ;; + altos | altos3068) + basic_machine=m68k-altos + basic_os= + ;; + am29k) + basic_machine=a29k-none + basic_os=bsd + ;; + amdahl) + basic_machine=580-amdahl + basic_os=sysv + ;; + amiga) + basic_machine=m68k-unknown + basic_os= + ;; + amigaos | amigados) + basic_machine=m68k-unknown + basic_os=amigaos + ;; + amigaunix | amix) + basic_machine=m68k-unknown + basic_os=sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + basic_os=sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + basic_os=bsd + ;; + aros) + basic_machine=i386-pc + basic_os=aros + ;; + aux) + basic_machine=m68k-apple + basic_os=aux + ;; + balance) + basic_machine=ns32k-sequent + basic_os=dynix + ;; + blackfin) + basic_machine=bfin-unknown + basic_os=linux + ;; + cegcc) + basic_machine=arm-unknown + basic_os=cegcc + ;; + convex-c1) + basic_machine=c1-convex + basic_os=bsd + ;; + convex-c2) + basic_machine=c2-convex + basic_os=bsd + ;; + convex-c32) + basic_machine=c32-convex + basic_os=bsd + ;; + convex-c34) + basic_machine=c34-convex + basic_os=bsd + ;; + convex-c38) + basic_machine=c38-convex + basic_os=bsd + ;; + cray) + basic_machine=j90-cray + basic_os=unicos + ;; + crds | unos) + basic_machine=m68k-crds + basic_os= + ;; + da30) + basic_machine=m68k-da30 + basic_os= + ;; + decstation | pmax | pmin | dec3100 | decstatn) + basic_machine=mips-dec + basic_os= + ;; + delta88) + basic_machine=m88k-motorola + basic_os=sysv3 + ;; + dicos) + basic_machine=i686-pc + basic_os=dicos + ;; + djgpp) + basic_machine=i586-pc + basic_os=msdosdjgpp + ;; + ebmon29k) + basic_machine=a29k-amd + basic_os=ebmon + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + basic_os=ose + ;; + gmicro) + basic_machine=tron-gmicro + basic_os=sysv + ;; + go32) + basic_machine=i386-pc + basic_os=go32 + ;; + h8300hms) + basic_machine=h8300-hitachi + basic_os=hms + ;; + h8300xray) + basic_machine=h8300-hitachi + basic_os=xray + ;; + h8500hms) + basic_machine=h8500-hitachi + basic_os=hms + ;; + harris) + basic_machine=m88k-harris + basic_os=sysv3 + ;; + hp300 | hp300hpux) + basic_machine=m68k-hp + basic_os=hpux + ;; + hp300bsd) + basic_machine=m68k-hp + basic_os=bsd + ;; + hppaosf) + basic_machine=hppa1.1-hp + basic_os=osf + ;; + hppro) + basic_machine=hppa1.1-hp + basic_os=proelf + ;; + i386mach) + basic_machine=i386-mach + basic_os=mach + ;; + isi68 | isi) + basic_machine=m68k-isi + basic_os=sysv + ;; + m68knommu) + basic_machine=m68k-unknown + basic_os=linux + ;; + magnum | m3230) + basic_machine=mips-mips + basic_os=sysv + ;; + merlin) + basic_machine=ns32k-utek + basic_os=sysv + ;; + mingw64) + basic_machine=x86_64-pc + basic_os=mingw64 + ;; + mingw32) + basic_machine=i686-pc + basic_os=mingw32 + ;; + mingw32ce) + basic_machine=arm-unknown + basic_os=mingw32ce + ;; + monitor) + basic_machine=m68k-rom68k + basic_os=coff + ;; + morphos) + basic_machine=powerpc-unknown + basic_os=morphos + ;; + moxiebox) + basic_machine=moxie-unknown + basic_os=moxiebox + ;; + msdos) + basic_machine=i386-pc + basic_os=msdos + ;; + msys) + basic_machine=i686-pc + basic_os=msys + ;; + mvs) + basic_machine=i370-ibm + basic_os=mvs + ;; + nacl) + basic_machine=le32-unknown + basic_os=nacl + ;; + ncr3000) + basic_machine=i486-ncr + basic_os=sysv4 + ;; + netbsd386) + basic_machine=i386-pc + basic_os=netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + basic_os=linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + basic_os=newsos + ;; + news1000) + basic_machine=m68030-sony + basic_os=newsos + ;; + necv70) + basic_machine=v70-nec + basic_os=sysv + ;; + nh3000) + basic_machine=m68k-harris + basic_os=cxux + ;; + nh[45]000) + basic_machine=m88k-harris + basic_os=cxux + ;; + nindy960) + basic_machine=i960-intel + basic_os=nindy + ;; + mon960) + basic_machine=i960-intel + basic_os=mon960 + ;; + nonstopux) + basic_machine=mips-compaq + basic_os=nonstopux + ;; + os400) + basic_machine=powerpc-ibm + basic_os=os400 + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + basic_os=ose + ;; + os68k) + basic_machine=m68k-none + basic_os=os68k + ;; + paragon) + basic_machine=i860-intel + basic_os=osf + ;; + parisc) + basic_machine=hppa-unknown + basic_os=linux + ;; + psp) + basic_machine=mipsallegrexel-sony + basic_os=psp + ;; + pw32) + basic_machine=i586-unknown + basic_os=pw32 + ;; + rdos | rdos64) + basic_machine=x86_64-pc + basic_os=rdos + ;; + rdos32) + basic_machine=i386-pc + basic_os=rdos + ;; + rom68k) + basic_machine=m68k-rom68k + basic_os=coff + ;; + sa29200) + basic_machine=a29k-amd + basic_os=udi + ;; + sei) + basic_machine=mips-sei + basic_os=seiux + ;; + sequent) + basic_machine=i386-sequent + basic_os= + ;; + sps7) + basic_machine=m68k-bull + basic_os=sysv2 + ;; + st2000) + basic_machine=m68k-tandem + basic_os= + ;; + stratus) + basic_machine=i860-stratus + basic_os=sysv4 + ;; + sun2) + basic_machine=m68000-sun + basic_os= + ;; + sun2os3) + basic_machine=m68000-sun + basic_os=sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + basic_os=sunos4 + ;; + sun3) + basic_machine=m68k-sun + basic_os= + ;; + sun3os3) + basic_machine=m68k-sun + basic_os=sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + basic_os=sunos4 + ;; + sun4) + basic_machine=sparc-sun + basic_os= + ;; + sun4os3) + basic_machine=sparc-sun + basic_os=sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + basic_os=sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + basic_os=solaris2 + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + basic_os= + ;; + sv1) + basic_machine=sv1-cray + basic_os=unicos + ;; + symmetry) + basic_machine=i386-sequent + basic_os=dynix + ;; + t3e) + basic_machine=alphaev5-cray + basic_os=unicos + ;; + t90) + basic_machine=t90-cray + basic_os=unicos + ;; + toad1) + basic_machine=pdp10-xkl + basic_os=tops20 + ;; + tpf) + basic_machine=s390x-ibm + basic_os=tpf + ;; + udi29k) + basic_machine=a29k-amd + basic_os=udi + ;; + ultra3) + basic_machine=a29k-nyu + basic_os=sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + basic_os=none + ;; + vaxv) + basic_machine=vax-dec + basic_os=sysv + ;; + vms) + basic_machine=vax-dec + basic_os=vms + ;; + vsta) + basic_machine=i386-pc + basic_os=vsta + ;; + vxworks960) + basic_machine=i960-wrs + basic_os=vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + basic_os=vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + basic_os=vxworks + ;; + xbox) + basic_machine=i686-pc + basic_os=mingw32 + ;; + ymp) + basic_machine=ymp-cray + basic_os=unicos + ;; + *) + basic_machine=$1 + basic_os= + ;; + esac ;; esac -# Decode aliases for certain CPU-COMPANY combinations. +# Decode 1-component or ad-hoc basic machines case $basic_machine in - # Recognize the basic CPU types without company name. - # Some are omitted here because they have special meanings below. - 1750a | 580 \ - | a29k \ - | aarch64 | aarch64_be \ - | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ - | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ - | am33_2.0 \ - | arc | arceb \ - | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ - | avr | avr32 \ - | ba \ - | be32 | be64 \ - | bfin \ - | c4x | c8051 | clipper \ - | d10v | d30v | dlx | dsp16xx \ - | e2k | epiphany \ - | fido | fr30 | frv | ft32 \ - | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ - | hexagon \ - | i370 | i860 | i960 | ia64 \ - | ip2k | iq2000 \ - | k1om \ - | le32 | le64 \ - | lm32 \ - | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ - | mips | mipsbe | mipseb | mipsel | mipsle \ - | mips16 \ - | mips64 | mips64el \ - | mips64octeon | mips64octeonel \ - | mips64orion | mips64orionel \ - | mips64r5900 | mips64r5900el \ - | mips64vr | mips64vrel \ - | mips64vr4100 | mips64vr4100el \ - | mips64vr4300 | mips64vr4300el \ - | mips64vr5000 | mips64vr5000el \ - | mips64vr5900 | mips64vr5900el \ - | mipsisa32 | mipsisa32el \ - | mipsisa32r2 | mipsisa32r2el \ - | mipsisa32r6 | mipsisa32r6el \ - | mipsisa64 | mipsisa64el \ - | mipsisa64r2 | mipsisa64r2el \ - | mipsisa64r6 | mipsisa64r6el \ - | mipsisa64sb1 | mipsisa64sb1el \ - | mipsisa64sr71k | mipsisa64sr71kel \ - | mipsr5900 | mipsr5900el \ - | mipstx39 | mipstx39el \ - | mn10200 | mn10300 \ - | moxie \ - | mt \ - | msp430 \ - | nds32 | nds32le | nds32be \ - | nios | nios2 | nios2eb | nios2el \ - | ns16k | ns32k \ - | open8 | or1k | or1knd | or32 \ - | pdp10 | pdp11 | pj | pjl \ - | powerpc | powerpc64 | powerpc64le | powerpcle \ - | pyramid \ - | riscv32 | riscv64 \ - | rl78 | rx \ - | score \ - | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ - | sh64 | sh64le \ - | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ - | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ - | spu \ - | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ - | ubicom32 \ - | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ - | visium \ - | we32k \ - | x86 | xc16x | xstormy16 | xtensa \ - | z8k | z80) - basic_machine=$basic_machine-unknown - ;; - c54x) - basic_machine=tic54x-unknown - ;; - c55x) - basic_machine=tic55x-unknown - ;; - c6x) - basic_machine=tic6x-unknown - ;; - leon|leon[3-9]) - basic_machine=sparc-$basic_machine - ;; - m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) - basic_machine=$basic_machine-unknown - os=-none + # Here we handle the default manufacturer of certain CPU types. It is in + # some cases the only manufacturer, in others, it is the most popular. + w89k) + cpu=hppa1.1 + vendor=winbond ;; - m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) + op50n) + cpu=hppa1.1 + vendor=oki ;; - ms1) - basic_machine=mt-unknown + op60c) + cpu=hppa1.1 + vendor=oki ;; - - strongarm | thumb | xscale) - basic_machine=arm-unknown + ibm*) + cpu=i370 + vendor=ibm ;; - xgate) - basic_machine=$basic_machine-unknown - os=-none + orion105) + cpu=clipper + vendor=highlevel ;; - xscaleeb) - basic_machine=armeb-unknown + mac | mpw | mac-mpw) + cpu=m68k + vendor=apple ;; - - xscaleel) - basic_machine=armel-unknown + pmac | pmac-mpw) + cpu=powerpc + vendor=apple ;; - # We use `pc' rather than `unknown' - # because (1) that's what they normally are, and - # (2) the word "unknown" tends to confuse beginning users. - i*86 | x86_64) - basic_machine=$basic_machine-pc - ;; - # Object if more than one company name word. - *-*-*) - echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 - exit 1 - ;; - # Recognize the basic CPU types with company name. - 580-* \ - | a29k-* \ - | aarch64-* | aarch64_be-* \ - | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ - | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ - | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ - | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ - | avr-* | avr32-* \ - | ba-* \ - | be32-* | be64-* \ - | bfin-* | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c4x-* \ - | c8051-* | clipper-* | craynv-* | cydra-* \ - | d10v-* | d30v-* | dlx-* \ - | e2k-* | elxsi-* \ - | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ - | h8300-* | h8500-* \ - | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ - | hexagon-* \ - | i*86-* | i860-* | i960-* | ia64-* \ - | ip2k-* | iq2000-* \ - | k1om-* \ - | le32-* | le64-* \ - | lm32-* \ - | m32c-* | m32r-* | m32rle-* \ - | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ - | microblaze-* | microblazeel-* \ - | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ - | mips16-* \ - | mips64-* | mips64el-* \ - | mips64octeon-* | mips64octeonel-* \ - | mips64orion-* | mips64orionel-* \ - | mips64r5900-* | mips64r5900el-* \ - | mips64vr-* | mips64vrel-* \ - | mips64vr4100-* | mips64vr4100el-* \ - | mips64vr4300-* | mips64vr4300el-* \ - | mips64vr5000-* | mips64vr5000el-* \ - | mips64vr5900-* | mips64vr5900el-* \ - | mipsisa32-* | mipsisa32el-* \ - | mipsisa32r2-* | mipsisa32r2el-* \ - | mipsisa32r6-* | mipsisa32r6el-* \ - | mipsisa64-* | mipsisa64el-* \ - | mipsisa64r2-* | mipsisa64r2el-* \ - | mipsisa64r6-* | mipsisa64r6el-* \ - | mipsisa64sb1-* | mipsisa64sb1el-* \ - | mipsisa64sr71k-* | mipsisa64sr71kel-* \ - | mipsr5900-* | mipsr5900el-* \ - | mipstx39-* | mipstx39el-* \ - | mmix-* \ - | mt-* \ - | msp430-* \ - | nds32-* | nds32le-* | nds32be-* \ - | nios-* | nios2-* | nios2eb-* | nios2el-* \ - | none-* | np1-* | ns16k-* | ns32k-* \ - | open8-* \ - | or1k*-* \ - | orion-* \ - | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ - | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ - | pyramid-* \ - | riscv32-* | riscv64-* \ - | rl78-* | romp-* | rs6000-* | rx-* \ - | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ - | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ - | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ - | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \ - | tahoe-* \ - | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ - | tile*-* \ - | tron-* \ - | ubicom32-* \ - | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ - | vax-* \ - | visium-* \ - | we32k-* \ - | x86-* | x86_64-* | xc16x-* | xps100-* \ - | xstormy16-* | xtensa*-* \ - | ymp-* \ - | z8k-* | z80-*) - ;; - # Recognize the basic CPU types without company name, with glob match. - xtensa*) - basic_machine=$basic_machine-unknown - ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. - 386bsd) - basic_machine=i386-unknown - os=-bsd - ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) - basic_machine=m68000-att + cpu=m68000 + vendor=att ;; 3b*) - basic_machine=we32k-att - ;; - a29khif) - basic_machine=a29k-amd - os=-udi - ;; - abacus) - basic_machine=abacus-unknown - ;; - adobe68k) - basic_machine=m68010-adobe - os=-scout - ;; - alliant | fx80) - basic_machine=fx80-alliant - ;; - altos | altos3068) - basic_machine=m68k-altos - ;; - am29k) - basic_machine=a29k-none - os=-bsd - ;; - amd64) - basic_machine=x86_64-pc - ;; - amd64-*) - basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - amdahl) - basic_machine=580-amdahl - os=-sysv - ;; - amiga | amiga-*) - basic_machine=m68k-unknown - ;; - amigaos | amigados) - basic_machine=m68k-unknown - os=-amigaos - ;; - amigaunix | amix) - basic_machine=m68k-unknown - os=-sysv4 - ;; - apollo68) - basic_machine=m68k-apollo - os=-sysv - ;; - apollo68bsd) - basic_machine=m68k-apollo - os=-bsd - ;; - aros) - basic_machine=i386-pc - os=-aros - ;; - asmjs) - basic_machine=asmjs-unknown - ;; - aux) - basic_machine=m68k-apple - os=-aux - ;; - balance) - basic_machine=ns32k-sequent - os=-dynix - ;; - blackfin) - basic_machine=bfin-unknown - os=-linux - ;; - blackfin-*) - basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` - os=-linux + cpu=we32k + vendor=att ;; bluegene*) - basic_machine=powerpc-ibm - os=-cnk - ;; - c54x-*) - basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - c55x-*) - basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - c6x-*) - basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - c90) - basic_machine=c90-cray - os=-unicos - ;; - cegcc) - basic_machine=arm-unknown - os=-cegcc - ;; - convex-c1) - basic_machine=c1-convex - os=-bsd - ;; - convex-c2) - basic_machine=c2-convex - os=-bsd - ;; - convex-c32) - basic_machine=c32-convex - os=-bsd - ;; - convex-c34) - basic_machine=c34-convex - os=-bsd - ;; - convex-c38) - basic_machine=c38-convex - os=-bsd - ;; - cray | j90) - basic_machine=j90-cray - os=-unicos - ;; - craynv) - basic_machine=craynv-cray - os=-unicosmp - ;; - cr16 | cr16-*) - basic_machine=cr16-unknown - os=-elf - ;; - crds | unos) - basic_machine=m68k-crds - ;; - crisv32 | crisv32-* | etraxfs*) - basic_machine=crisv32-axis - ;; - cris | cris-* | etrax*) - basic_machine=cris-axis - ;; - crx) - basic_machine=crx-unknown - os=-elf - ;; - da30 | da30-*) - basic_machine=m68k-da30 - ;; - decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) - basic_machine=mips-dec + cpu=powerpc + vendor=ibm + basic_os=cnk ;; decsystem10* | dec10*) - basic_machine=pdp10-dec - os=-tops10 + cpu=pdp10 + vendor=dec + basic_os=tops10 ;; decsystem20* | dec20*) - basic_machine=pdp10-dec - os=-tops20 + cpu=pdp10 + vendor=dec + basic_os=tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) - basic_machine=m68k-motorola - ;; - delta88) - basic_machine=m88k-motorola - os=-sysv3 - ;; - dicos) - basic_machine=i686-pc - os=-dicos - ;; - djgpp) - basic_machine=i586-pc - os=-msdosdjgpp - ;; - dpx20 | dpx20-*) - basic_machine=rs6000-bull - os=-bosx - ;; - dpx2* | dpx2*-bull) - basic_machine=m68k-bull - os=-sysv3 - ;; - e500v[12]) - basic_machine=powerpc-unknown - os=$os"spe" + cpu=m68k + vendor=motorola ;; - e500v[12]-*) - basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` - os=$os"spe" - ;; - ebmon29k) - basic_machine=a29k-amd - os=-ebmon - ;; - elxsi) - basic_machine=elxsi-elxsi - os=-bsd + dpx2*) + cpu=m68k + vendor=bull + basic_os=sysv3 ;; encore | umax | mmax) - basic_machine=ns32k-encore + cpu=ns32k + vendor=encore ;; - es1800 | OSE68k | ose68k | ose | OSE) - basic_machine=m68k-ericsson - os=-ose + elxsi) + cpu=elxsi + vendor=elxsi + basic_os=${basic_os:-bsd} ;; fx2800) - basic_machine=i860-alliant + cpu=i860 + vendor=alliant ;; genix) - basic_machine=ns32k-ns - ;; - gmicro) - basic_machine=tron-gmicro - os=-sysv - ;; - go32) - basic_machine=i386-pc - os=-go32 + cpu=ns32k + vendor=ns ;; h3050r* | hiux*) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - h8300hms) - basic_machine=h8300-hitachi - os=-hms - ;; - h8300xray) - basic_machine=h8300-hitachi - os=-xray - ;; - h8500hms) - basic_machine=h8500-hitachi - os=-hms - ;; - harris) - basic_machine=m88k-harris - os=-sysv3 - ;; - hp300-*) - basic_machine=m68k-hp - ;; - hp300bsd) - basic_machine=m68k-hp - os=-bsd - ;; - hp300hpux) - basic_machine=m68k-hp - os=-hpux + cpu=hppa1.1 + vendor=hitachi + basic_os=hiuxwe2 ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) - basic_machine=hppa1.0-hp + cpu=hppa1.0 + vendor=hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) - basic_machine=m68000-hp + cpu=m68000 + vendor=hp ;; hp9k3[2-9][0-9]) - basic_machine=m68k-hp + cpu=m68k + vendor=hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) - basic_machine=hppa1.0-hp + cpu=hppa1.0 + vendor=hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) - basic_machine=hppa1.0-hp - ;; - hppa-next) - os=-nextstep3 - ;; - hppaosf) - basic_machine=hppa1.1-hp - os=-osf - ;; - hppro) - basic_machine=hppa1.1-hp - os=-proelf - ;; - i370-ibm* | ibm*) - basic_machine=i370-ibm + cpu=hppa1.0 + vendor=hp ;; i*86v32) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv32 + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv32 ;; i*86v4*) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv4 + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv4 ;; i*86v) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv ;; i*86sol2) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-solaris2 - ;; - i386mach) - basic_machine=i386-mach - os=-mach + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=solaris2 ;; - i386-vsta | vsta) - basic_machine=i386-unknown - os=-vsta + j90 | j90-cray) + cpu=j90 + vendor=cray + basic_os=${basic_os:-unicos} ;; iris | iris4d) - basic_machine=mips-sgi - case $os in - -irix*) + cpu=mips + vendor=sgi + case $basic_os in + irix*) ;; *) - os=-irix4 + basic_os=irix4 ;; esac ;; - isi68 | isi) - basic_machine=m68k-isi - os=-sysv - ;; - leon-*|leon[3-9]-*) - basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'` - ;; - m68knommu) - basic_machine=m68k-unknown - os=-linux - ;; - m68knommu-*) - basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` - os=-linux - ;; - m88k-omron*) - basic_machine=m88k-omron - ;; - magnum | m3230) - basic_machine=mips-mips - os=-sysv - ;; - merlin) - basic_machine=ns32k-utek - os=-sysv - ;; - microblaze*) - basic_machine=microblaze-xilinx - ;; - mingw64) - basic_machine=x86_64-pc - os=-mingw64 - ;; - mingw32) - basic_machine=i686-pc - os=-mingw32 - ;; - mingw32ce) - basic_machine=arm-unknown - os=-mingw32ce - ;; miniframe) - basic_machine=m68000-convergent - ;; - *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) - basic_machine=m68k-atari - os=-mint - ;; - mips3*-*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` + cpu=m68000 + vendor=convergent ;; - mips3*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown - ;; - monitor) - basic_machine=m68k-rom68k - os=-coff - ;; - morphos) - basic_machine=powerpc-unknown - os=-morphos - ;; - moxiebox) - basic_machine=moxie-unknown - os=-moxiebox - ;; - msdos) - basic_machine=i386-pc - os=-msdos - ;; - ms1-*) - basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` - ;; - msys) - basic_machine=i686-pc - os=-msys - ;; - mvs) - basic_machine=i370-ibm - os=-mvs - ;; - nacl) - basic_machine=le32-unknown - os=-nacl - ;; - ncr3000) - basic_machine=i486-ncr - os=-sysv4 - ;; - netbsd386) - basic_machine=i386-unknown - os=-netbsd - ;; - netwinder) - basic_machine=armv4l-rebel - os=-linux - ;; - news | news700 | news800 | news900) - basic_machine=m68k-sony - os=-newsos - ;; - news1000) - basic_machine=m68030-sony - os=-newsos + *mint | mint[0-9]* | *MiNT | *MiNT[0-9]*) + cpu=m68k + vendor=atari + basic_os=mint ;; news-3600 | risc-news) - basic_machine=mips-sony - os=-newsos - ;; - necv70) - basic_machine=v70-nec - os=-sysv - ;; - next | m*-next ) - basic_machine=m68k-next - case $os in - -nextstep* ) + cpu=mips + vendor=sony + basic_os=newsos + ;; + next | m*-next) + cpu=m68k + vendor=next + case $basic_os in + openstep*) + ;; + nextstep*) ;; - -ns2*) - os=-nextstep2 + ns2*) + basic_os=nextstep2 ;; *) - os=-nextstep3 + basic_os=nextstep3 ;; esac ;; - nh3000) - basic_machine=m68k-harris - os=-cxux - ;; - nh[45]000) - basic_machine=m88k-harris - os=-cxux - ;; - nindy960) - basic_machine=i960-intel - os=-nindy - ;; - mon960) - basic_machine=i960-intel - os=-mon960 - ;; - nonstopux) - basic_machine=mips-compaq - os=-nonstopux - ;; np1) - basic_machine=np1-gould - ;; - neo-tandem) - basic_machine=neo-tandem - ;; - nse-tandem) - basic_machine=nse-tandem - ;; - nsr-tandem) - basic_machine=nsr-tandem + cpu=np1 + vendor=gould ;; op50n-* | op60c-*) - basic_machine=hppa1.1-oki - os=-proelf - ;; - openrisc | openrisc-*) - basic_machine=or32-unknown - ;; - os400) - basic_machine=powerpc-ibm - os=-os400 - ;; - OSE68000 | ose68000) - basic_machine=m68000-ericsson - os=-ose - ;; - os68k) - basic_machine=m68k-none - os=-os68k + cpu=hppa1.1 + vendor=oki + basic_os=proelf ;; pa-hitachi) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - paragon) - basic_machine=i860-intel - os=-osf - ;; - parisc) - basic_machine=hppa-unknown - os=-linux - ;; - parisc-*) - basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` - os=-linux + cpu=hppa1.1 + vendor=hitachi + basic_os=hiuxwe2 ;; pbd) - basic_machine=sparc-tti + cpu=sparc + vendor=tti ;; pbb) - basic_machine=m68k-tti - ;; - pc532 | pc532-*) - basic_machine=ns32k-pc532 - ;; - pc98) - basic_machine=i386-pc - ;; - pc98-*) - basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentium | p5 | k5 | k6 | nexgen | viac3) - basic_machine=i586-pc - ;; - pentiumpro | p6 | 6x86 | athlon | athlon_*) - basic_machine=i686-pc - ;; - pentiumii | pentium2 | pentiumiii | pentium3) - basic_machine=i686-pc + cpu=m68k + vendor=tti ;; - pentium4) - basic_machine=i786-pc - ;; - pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) - basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumpro-* | p6-* | 6x86-* | athlon-*) - basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) - basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentium4-*) - basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + pc532) + cpu=ns32k + vendor=pc532 ;; pn) - basic_machine=pn-gould - ;; - power) basic_machine=power-ibm - ;; - ppc | ppcbe) basic_machine=powerpc-unknown - ;; - ppc-* | ppcbe-*) - basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppcle | powerpclittle) - basic_machine=powerpcle-unknown - ;; - ppcle-* | powerpclittle-*) - basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` + cpu=pn + vendor=gould ;; - ppc64) basic_machine=powerpc64-unknown - ;; - ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppc64le | powerpc64little) - basic_machine=powerpc64le-unknown - ;; - ppc64le-* | powerpc64little-*) - basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` + power) + cpu=power + vendor=ibm ;; ps2) - basic_machine=i386-ibm - ;; - pw32) - basic_machine=i586-unknown - os=-pw32 - ;; - rdos | rdos64) - basic_machine=x86_64-pc - os=-rdos - ;; - rdos32) - basic_machine=i386-pc - os=-rdos - ;; - rom68k) - basic_machine=m68k-rom68k - os=-coff + cpu=i386 + vendor=ibm ;; rm[46]00) - basic_machine=mips-siemens + cpu=mips + vendor=siemens ;; rtpc | rtpc-*) - basic_machine=romp-ibm - ;; - s390 | s390-*) - basic_machine=s390-ibm - ;; - s390x | s390x-*) - basic_machine=s390x-ibm - ;; - sa29200) - basic_machine=a29k-amd - os=-udi + cpu=romp + vendor=ibm ;; - sb1) - basic_machine=mipsisa64sb1-unknown + sde) + cpu=mipsisa32 + vendor=sde + basic_os=${basic_os:-elf} ;; - sb1el) - basic_machine=mipsisa64sb1el-unknown + simso-wrs) + cpu=sparclite + vendor=wrs + basic_os=vxworks ;; - sde) - basic_machine=mipsisa32-sde - os=-elf + tower | tower-32) + cpu=m68k + vendor=ncr ;; - sei) - basic_machine=mips-sei - os=-seiux + vpp*|vx|vx-*) + cpu=f301 + vendor=fujitsu ;; - sequent) - basic_machine=i386-sequent + w65) + cpu=w65 + vendor=wdc ;; - sh) - basic_machine=sh-hitachi - os=-hms + w89k-*) + cpu=hppa1.1 + vendor=winbond + basic_os=proelf ;; - sh5el) - basic_machine=sh5le-unknown + none) + cpu=none + vendor=none ;; - sh64) - basic_machine=sh64-unknown + leon|leon[3-9]) + cpu=sparc + vendor=$basic_machine ;; - sparclite-wrs | simso-wrs) - basic_machine=sparclite-wrs - os=-vxworks + leon-*|leon[3-9]-*) + cpu=sparc + vendor=`echo "$basic_machine" | sed 's/-.*//'` ;; - sps7) - basic_machine=m68k-bull - os=-sysv2 + + *-*) + # shellcheck disable=SC2162 + IFS="-" read cpu vendor <<EOF +$basic_machine +EOF ;; - spur) - basic_machine=spur-unknown + # We use `pc' rather than `unknown' + # because (1) that's what they normally are, and + # (2) the word "unknown" tends to confuse beginning users. + i*86 | x86_64) + cpu=$basic_machine + vendor=pc ;; - st2000) - basic_machine=m68k-tandem + # These rules are duplicated from below for sake of the special case above; + # i.e. things that normalized to x86 arches should also default to "pc" + pc98) + cpu=i386 + vendor=pc ;; - stratus) - basic_machine=i860-stratus - os=-sysv4 + x64 | amd64) + cpu=x86_64 + vendor=pc ;; - strongarm-* | thumb-*) - basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` + # Recognize the basic CPU types without company name. + *) + cpu=$basic_machine + vendor=unknown ;; - sun2) - basic_machine=m68000-sun +esac + +unset -v basic_machine + +# Decode basic machines in the full and proper CPU-Company form. +case $cpu-$vendor in + # Here we handle the default manufacturer of certain CPU types in canonical form. It is in + # some cases the only manufacturer, in others, it is the most popular. + craynv-unknown) + vendor=cray + basic_os=${basic_os:-unicosmp} ;; - sun2os3) - basic_machine=m68000-sun - os=-sunos3 + c90-unknown | c90-cray) + vendor=cray + basic_os=${Basic_os:-unicos} ;; - sun2os4) - basic_machine=m68000-sun - os=-sunos4 + fx80-unknown) + vendor=alliant ;; - sun3os3) - basic_machine=m68k-sun - os=-sunos3 + romp-unknown) + vendor=ibm ;; - sun3os4) - basic_machine=m68k-sun - os=-sunos4 + mmix-unknown) + vendor=knuth ;; - sun4os3) - basic_machine=sparc-sun - os=-sunos3 + microblaze-unknown | microblazeel-unknown) + vendor=xilinx ;; - sun4os4) - basic_machine=sparc-sun - os=-sunos4 + rs6000-unknown) + vendor=ibm ;; - sun4sol2) - basic_machine=sparc-sun - os=-solaris2 + vax-unknown) + vendor=dec ;; - sun3 | sun3-*) - basic_machine=m68k-sun + pdp11-unknown) + vendor=dec ;; - sun4) - basic_machine=sparc-sun + we32k-unknown) + vendor=att ;; - sun386 | sun386i | roadrunner) - basic_machine=i386-sun + cydra-unknown) + vendor=cydrome ;; - sv1) - basic_machine=sv1-cray - os=-unicos + i370-ibm*) + vendor=ibm ;; - symmetry) - basic_machine=i386-sequent - os=-dynix + orion-unknown) + vendor=highlevel ;; - t3e) - basic_machine=alphaev5-cray - os=-unicos + xps-unknown | xps100-unknown) + cpu=xps100 + vendor=honeywell ;; - t90) - basic_machine=t90-cray - os=-unicos + + # Here we normalize CPU types with a missing or matching vendor + dpx20-unknown | dpx20-bull) + cpu=rs6000 + vendor=bull + basic_os=${basic_os:-bosx} ;; - tile*) - basic_machine=$basic_machine-unknown - os=-linux-gnu + + # Here we normalize CPU types irrespective of the vendor + amd64-*) + cpu=x86_64 ;; - tx39) - basic_machine=mipstx39-unknown + blackfin-*) + cpu=bfin + basic_os=linux ;; - tx39el) - basic_machine=mipstx39el-unknown + c54x-*) + cpu=tic54x ;; - toad1) - basic_machine=pdp10-xkl - os=-tops20 + c55x-*) + cpu=tic55x ;; - tower | tower-32) - basic_machine=m68k-ncr + c6x-*) + cpu=tic6x ;; - tpf) - basic_machine=s390x-ibm - os=-tpf + e500v[12]-*) + cpu=powerpc + basic_os=${basic_os}"spe" ;; - udi29k) - basic_machine=a29k-amd - os=-udi + mips3*-*) + cpu=mips64 ;; - ultra3) - basic_machine=a29k-nyu - os=-sym1 + ms1-*) + cpu=mt ;; - v810 | necv810) - basic_machine=v810-nec - os=-none + m68knommu-*) + cpu=m68k + basic_os=linux ;; - vaxv) - basic_machine=vax-dec - os=-sysv + m9s12z-* | m68hcs12z-* | hcs12z-* | s12z-*) + cpu=s12z ;; - vms) - basic_machine=vax-dec - os=-vms + openrisc-*) + cpu=or32 ;; - vpp*|vx|vx-*) - basic_machine=f301-fujitsu + parisc-*) + cpu=hppa + basic_os=linux ;; - vxworks960) - basic_machine=i960-wrs - os=-vxworks + pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) + cpu=i586 ;; - vxworks68) - basic_machine=m68k-wrs - os=-vxworks + pentiumpro-* | p6-* | 6x86-* | athlon-* | athalon_*-*) + cpu=i686 ;; - vxworks29k) - basic_machine=a29k-wrs - os=-vxworks + pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) + cpu=i686 ;; - w65*) - basic_machine=w65-wdc - os=-none + pentium4-*) + cpu=i786 ;; - w89k-*) - basic_machine=hppa1.1-winbond - os=-proelf + pc98-*) + cpu=i386 ;; - xbox) - basic_machine=i686-pc - os=-mingw32 + ppc-* | ppcbe-*) + cpu=powerpc ;; - xps | xps100) - basic_machine=xps100-honeywell + ppcle-* | powerpclittle-*) + cpu=powerpcle ;; - xscale-* | xscalee[bl]-*) - basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` + ppc64-*) + cpu=powerpc64 ;; - ymp) - basic_machine=ymp-cray - os=-unicos + ppc64le-* | powerpc64little-*) + cpu=powerpc64le ;; - z8k-*-coff) - basic_machine=z8k-unknown - os=-sim + sb1-*) + cpu=mipsisa64sb1 ;; - z80-*-coff) - basic_machine=z80-unknown - os=-sim + sb1el-*) + cpu=mipsisa64sb1el ;; - none) - basic_machine=none-none - os=-none + sh5e[lb]-*) + cpu=`echo "$cpu" | sed 's/^\(sh.\)e\(.\)$/\1\2e/'` ;; - -# Here we handle the default manufacturer of certain CPU types. It is in -# some cases the only manufacturer, in others, it is the most popular. - w89k) - basic_machine=hppa1.1-winbond + spur-*) + cpu=spur ;; - op50n) - basic_machine=hppa1.1-oki + strongarm-* | thumb-*) + cpu=arm ;; - op60c) - basic_machine=hppa1.1-oki + tx39-*) + cpu=mipstx39 ;; - romp) - basic_machine=romp-ibm + tx39el-*) + cpu=mipstx39el ;; - mmix) - basic_machine=mmix-knuth + x64-*) + cpu=x86_64 ;; - rs6000) - basic_machine=rs6000-ibm + xscale-* | xscalee[bl]-*) + cpu=`echo "$cpu" | sed 's/^xscale/arm/'` ;; - vax) - basic_machine=vax-dec + arm64-*) + cpu=aarch64 ;; - pdp10) - # there are many clones, so DEC is not a safe bet - basic_machine=pdp10-unknown + + # Recognize the canonical CPU Types that limit and/or modify the + # company names they are paired with. + cr16-*) + basic_os=${basic_os:-elf} ;; - pdp11) - basic_machine=pdp11-dec + crisv32-* | etraxfs*-*) + cpu=crisv32 + vendor=axis ;; - we32k) - basic_machine=we32k-att + cris-* | etrax*-*) + cpu=cris + vendor=axis ;; - sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) - basic_machine=sh-unknown + crx-*) + basic_os=${basic_os:-elf} ;; - sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) - basic_machine=sparc-sun + neo-tandem) + cpu=neo + vendor=tandem ;; - cydra) - basic_machine=cydra-cydrome + nse-tandem) + cpu=nse + vendor=tandem ;; - orion) - basic_machine=orion-highlevel + nsr-tandem) + cpu=nsr + vendor=tandem ;; - orion105) - basic_machine=clipper-highlevel + nsv-tandem) + cpu=nsv + vendor=tandem ;; - mac | mpw | mac-mpw) - basic_machine=m68k-apple + nsx-tandem) + cpu=nsx + vendor=tandem ;; - pmac | pmac-mpw) - basic_machine=powerpc-apple + mipsallegrexel-sony) + cpu=mipsallegrexel + vendor=sony ;; - *-unknown) - # Make sure to match an already-canonicalized machine name. + tile*-*) + basic_os=${basic_os:-linux-gnu} ;; + *) - echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 - exit 1 + # Recognize the canonical CPU types that are allowed with any + # company name. + case $cpu in + 1750a | 580 \ + | a29k \ + | aarch64 | aarch64_be \ + | abacus \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] \ + | alphapca5[67] | alpha64pca5[67] \ + | am33_2.0 \ + | amdgcn \ + | arc | arceb \ + | arm | arm[lb]e | arme[lb] | armv* \ + | avr | avr32 \ + | asmjs \ + | ba \ + | be32 | be64 \ + | bfin | bpf | bs2000 \ + | c[123]* | c30 | [cjt]90 | c4x \ + | c8051 | clipper | craynv | csky | cydra \ + | d10v | d30v | dlx | dsp16xx \ + | e2k | elxsi | epiphany \ + | f30[01] | f700 | fido | fr30 | frv | ft32 | fx80 \ + | h8300 | h8500 \ + | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ + | i370 | i*86 | i860 | i960 | ia16 | ia64 \ + | ip2k | iq2000 \ + | k1om \ + | le32 | le64 \ + | lm32 \ + | m32c | m32r | m32rle \ + | m5200 | m68000 | m680[012346]0 | m68360 | m683?2 | m68k \ + | m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x \ + | m88110 | m88k | maxq | mb | mcore | mep | metag \ + | microblaze | microblazeel \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64eb | mips64el \ + | mips64octeon | mips64octeonel \ + | mips64orion | mips64orionel \ + | mips64r5900 | mips64r5900el \ + | mips64vr | mips64vrel \ + | mips64vr4100 | mips64vr4100el \ + | mips64vr4300 | mips64vr4300el \ + | mips64vr5000 | mips64vr5000el \ + | mips64vr5900 | mips64vr5900el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r6 | mipsisa32r6el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r6 | mipsisa64r6el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | mipsisa64sr71k | mipsisa64sr71kel \ + | mipsr5900 | mipsr5900el \ + | mipstx39 | mipstx39el \ + | mmix \ + | mn10200 | mn10300 \ + | moxie \ + | mt \ + | msp430 \ + | nds32 | nds32le | nds32be \ + | nfp \ + | nios | nios2 | nios2eb | nios2el \ + | none | np1 | ns16k | ns32k | nvptx \ + | open8 \ + | or1k* \ + | or32 \ + | orion \ + | picochip \ + | pdp10 | pdp11 | pj | pjl | pn | power \ + | powerpc | powerpc64 | powerpc64le | powerpcle | powerpcspe \ + | pru \ + | pyramid \ + | riscv | riscv32 | riscv64 \ + | rl78 | romp | rs6000 | rx \ + | s390 | s390x \ + | score \ + | sh | shl \ + | sh[1234] | sh[24]a | sh[24]ae[lb] | sh[23]e | she[lb] | sh[lb]e \ + | sh[1234]e[lb] | sh[12345][lb]e | sh[23]ele | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet \ + | sparclite \ + | sparcv8 | sparcv9 | sparcv9b | sparcv9v | sv1 | sx* \ + | spu \ + | tahoe \ + | tic30 | tic4x | tic54x | tic55x | tic6x | tic80 \ + | tron \ + | ubicom32 \ + | v70 | v850 | v850e | v850e1 | v850es | v850e2 | v850e2v3 \ + | vax \ + | visium \ + | w65 \ + | wasm32 | wasm64 \ + | we32k \ + | x86 | x86_64 | xc16x | xgate | xps100 \ + | xstormy16 | xtensa* \ + | ymp \ + | z8k | z80) + ;; + + *) + echo Invalid configuration \`"$1"\': machine \`"$cpu-$vendor"\' not recognized 1>&2 + exit 1 + ;; + esac ;; esac # Here we canonicalize certain aliases for manufacturers. -case $basic_machine in - *-digital*) - basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` +case $vendor in + digital*) + vendor=dec ;; - *-commodore*) - basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` + commodore*) + vendor=cbm ;; *) ;; @@ -1353,203 +1278,215 @@ esac # Decode manufacturer-specific aliases for certain operating systems. -if [ x"$os" != x"" ] +if [ x$basic_os != x ] then -case $os in - # First match some system type aliases - # that might get confused with valid system types. - # -solaris* is a basic system type, with this one exception. - -auroraux) - os=-auroraux + +# First recognize some ad-hoc caes, or perhaps split kernel-os, or else just +# set os. +case $basic_os in + gnu/linux*) + kernel=linux + os=`echo $basic_os | sed -e 's|gnu/linux|gnu|'` + ;; + nto-qnx*) + kernel=nto + os=`echo $basic_os | sed -e 's|nto-qnx|qnx|'` + ;; + *-*) + # shellcheck disable=SC2162 + IFS="-" read kernel os <<EOF +$basic_os +EOF + ;; + # Default OS when just kernel was specified + nto*) + kernel=nto + os=`echo $basic_os | sed -e 's|nto|qnx|'` + ;; + linux*) + kernel=linux + os=`echo $basic_os | sed -e 's|linux|gnu|'` ;; - -solaris1 | -solaris1.*) - os=`echo $os | sed -e 's|solaris1|sunos4|'` + *) + kernel= + os=$basic_os ;; - -solaris) - os=-solaris2 +esac + +# Now, normalize the OS (knowing we just have one component, it's not a kernel, +# etc.) +case $os in + # First match some system type aliases that might get confused + # with valid system types. + # solaris* is a basic system type, with this one exception. + auroraux) + os=auroraux ;; - -svr4*) - os=-sysv4 + bluegene*) + os=cnk ;; - -unixware*) - os=-sysv4.2uw + solaris1 | solaris1.*) + os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; - -gnu/linux*) - os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` + solaris) + os=solaris2 ;; - # First accept the basic system types. - # The portable systems comes first. - # Each alternative MUST END IN A *, to match a version number. - # -sysv* is not here because it comes later, after sysvr4. - -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ - | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ - | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ - | -sym* | -kopensolaris* | -plan9* \ - | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* | -aros* | -cloudabi* | -sortix* \ - | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ - | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \ - | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ - | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ - | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ - | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -chorusos* | -chorusrdb* | -cegcc* \ - | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ - | -linux-newlib* | -linux-musl* | -linux-uclibc* \ - | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ - | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ - | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ - | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ - | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ - | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ - | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ - | -onefs* | -tirtos* | -phoenix*) - # Remember, each alternative MUST END IN *, to match a version number. - ;; - -qnx*) - case $basic_machine in - x86-* | i*86-*) - ;; - *) - os=-nto$os - ;; - esac + unixware*) + os=sysv4.2uw ;; - -nto-qnx*) + # es1800 is here to avoid being matched by es* (a different OS) + es1800*) + os=ose ;; - -nto*) - os=`echo $os | sed -e 's|nto|nto-qnx|'` + # Some version numbers need modification + chorusos*) + os=chorusos ;; - -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ - | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ - | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) + isc) + os=isc2.2 ;; - -mac*) - os=`echo $os | sed -e 's|mac|macos|'` + sco6) + os=sco5v6 ;; - -linux-dietlibc) - os=-linux-dietlibc + sco5) + os=sco3.2v5 ;; - -linux*) - os=`echo $os | sed -e 's|linux|linux-gnu|'` + sco4) + os=sco3.2v4 ;; - -sunos5*) - os=`echo $os | sed -e 's|sunos5|solaris2|'` + sco3.2.[4-9]*) + os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` ;; - -sunos6*) - os=`echo $os | sed -e 's|sunos6|solaris3|'` + sco*v* | scout) + # Don't match below ;; - -opened*) - os=-openedition + sco*) + os=sco3.2v2 ;; - -os400*) - os=-os400 + psos*) + os=psos ;; - -wince*) - os=-wince + qnx*) + case $cpu in + x86 | i*86) + ;; + *) + os=nto-$os + ;; + esac ;; - -osfrose*) - os=-osfrose + hiux*) + os=hiuxwe2 ;; - -osf*) - os=-osf + lynx*178) + os=lynxos178 ;; - -utek*) - os=-bsd + lynx*5) + os=lynxos5 ;; - -dynix*) - os=-bsd + lynxos*) + # don't get caught up in next wildcard ;; - -acis*) - os=-aos + lynx*) + os=lynxos ;; - -atheos*) - os=-atheos + mac[0-9]*) + os=`echo "$os" | sed -e 's|mac|macos|'` ;; - -syllable*) - os=-syllable + opened*) + os=openedition ;; - -386bsd) - os=-bsd + os400*) + os=os400 ;; - -ctix* | -uts*) - os=-sysv + sunos5*) + os=`echo "$os" | sed -e 's|sunos5|solaris2|'` ;; - -nova*) - os=-rtmk-nova + sunos6*) + os=`echo "$os" | sed -e 's|sunos6|solaris3|'` ;; - -ns2 ) - os=-nextstep2 + wince*) + os=wince ;; - -nsk*) - os=-nsk + utek*) + os=bsd ;; - # Preserve the version number of sinix5. - -sinix5.*) - os=`echo $os | sed -e 's|sinix|sysv|'` + dynix*) + os=bsd ;; - -sinix*) - os=-sysv4 + acis*) + os=aos ;; - -tpf*) - os=-tpf + atheos*) + os=atheos ;; - -triton*) - os=-sysv3 + syllable*) + os=syllable ;; - -oss*) - os=-sysv3 + 386bsd) + os=bsd ;; - -svr4) - os=-sysv4 + ctix* | uts*) + os=sysv ;; - -svr3) - os=-sysv3 + nova*) + os=rtmk-nova ;; - -sysvr4) - os=-sysv4 + ns2) + os=nextstep2 ;; - # This must come after -sysvr4. - -sysv*) + # Preserve the version number of sinix5. + sinix5.*) + os=`echo $os | sed -e 's|sinix|sysv|'` ;; - -ose*) - os=-ose + sinix*) + os=sysv4 ;; - -es1800*) - os=-ose + tpf*) + os=tpf ;; - -xenix) - os=-xenix + triton*) + os=sysv3 ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - os=-mint + oss*) + os=sysv3 ;; - -aros*) - os=-aros + svr4*) + os=sysv4 ;; - -zvmoe) - os=-zvmoe + svr3) + os=sysv3 ;; - -dicos*) - os=-dicos + sysvr4) + os=sysv4 ;; - -nacl*) + ose*) + os=ose ;; - -ios) + *mint | mint[0-9]* | *MiNT | MiNT[0-9]*) + os=mint ;; - -none) + dicos*) + os=dicos + ;; + pikeos*) + # Until real need of OS specific support for + # particular features comes up, bare metal + # configurations are quite functional. + case $cpu in + arm*) + os=eabi + ;; + *) + os=elf + ;; + esac ;; *) - # Get rid of the `-' at the beginning of $os. - os=`echo $os | sed 's/[^-]*-//'` - echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 - exit 1 + # No normalization, but not necessarily accepted, that comes below. ;; esac + else # Here we handle the default operating systems that come with various machines. @@ -1562,261 +1499,352 @@ else # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. -case $basic_machine in +kernel= +case $cpu-$vendor in score-*) - os=-elf + os=elf ;; spu-*) - os=-elf + os=elf ;; *-acorn) - os=-riscix1.2 + os=riscix1.2 ;; arm*-rebel) - os=-linux + kernel=linux + os=gnu ;; arm*-semi) - os=-aout + os=aout ;; c4x-* | tic4x-*) - os=-coff + os=coff ;; c8051-*) - os=-elf + os=elf + ;; + clipper-intergraph) + os=clix ;; hexagon-*) - os=-elf + os=elf ;; tic54x-*) - os=-coff + os=coff ;; tic55x-*) - os=-coff + os=coff ;; tic6x-*) - os=-coff + os=coff ;; # This must come before the *-dec entry. pdp10-*) - os=-tops20 + os=tops20 ;; pdp11-*) - os=-none + os=none ;; *-dec | vax-*) - os=-ultrix4.2 + os=ultrix4.2 ;; m68*-apollo) - os=-domain + os=domain ;; i386-sun) - os=-sunos4.0.2 + os=sunos4.0.2 ;; m68000-sun) - os=-sunos3 + os=sunos3 ;; m68*-cisco) - os=-aout + os=aout ;; mep-*) - os=-elf + os=elf ;; mips*-cisco) - os=-elf + os=elf ;; mips*-*) - os=-elf + os=elf ;; or32-*) - os=-coff + os=coff ;; *-tti) # must be before sparc entry or we get the wrong os. - os=-sysv3 + os=sysv3 ;; sparc-* | *-sun) - os=-sunos4.1.1 + os=sunos4.1.1 ;; - *-be) - os=-beos + pru-*) + os=elf ;; - *-haiku) - os=-haiku + *-be) + os=beos ;; *-ibm) - os=-aix + os=aix ;; *-knuth) - os=-mmixware + os=mmixware ;; *-wec) - os=-proelf + os=proelf ;; *-winbond) - os=-proelf + os=proelf ;; *-oki) - os=-proelf + os=proelf ;; *-hp) - os=-hpux + os=hpux ;; *-hitachi) - os=-hiux + os=hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) - os=-sysv + os=sysv ;; *-cbm) - os=-amigaos + os=amigaos ;; *-dg) - os=-dgux + os=dgux ;; *-dolphin) - os=-sysv3 + os=sysv3 ;; m68k-ccur) - os=-rtu + os=rtu ;; m88k-omron*) - os=-luna + os=luna ;; - *-next ) - os=-nextstep + *-next) + os=nextstep ;; *-sequent) - os=-ptx + os=ptx ;; *-crds) - os=-unos + os=unos ;; *-ns) - os=-genix + os=genix ;; i370-*) - os=-mvs - ;; - *-next) - os=-nextstep3 + os=mvs ;; *-gould) - os=-sysv + os=sysv ;; *-highlevel) - os=-bsd + os=bsd ;; *-encore) - os=-bsd + os=bsd ;; *-sgi) - os=-irix + os=irix ;; *-siemens) - os=-sysv4 + os=sysv4 ;; *-masscomp) - os=-rtu + os=rtu ;; f30[01]-fujitsu | f700-fujitsu) - os=-uxpv + os=uxpv ;; *-rom68k) - os=-coff + os=coff ;; *-*bug) - os=-coff + os=coff ;; *-apple) - os=-macos + os=macos ;; *-atari*) - os=-mint + os=mint + ;; + *-wrs) + os=vxworks ;; *) - os=-none + os=none ;; esac + fi +# Now, validate our (potentially fixed-up) OS. +case $os in + # Sometimes we do "kernel-abi", so those need to count as OSes. + musl* | newlib* | uclibc*) + ;; + # Likewise for "kernel-libc" + eabi | eabihf | gnueabi | gnueabihf) + ;; + # Now accept the basic system types. + # The portable systems comes first. + # Each alternative MUST end in a * to match a version number. + gnu* | android* | bsd* | mach* | minix* | genix* | ultrix* | irix* \ + | *vms* | esix* | aix* | cnk* | sunos | sunos[34]* \ + | hpux* | unos* | osf* | luna* | dgux* | auroraux* | solaris* \ + | sym* | plan9* | psp* | sim* | xray* | os68k* | v88r* \ + | hiux* | abug | nacl* | netware* | windows* \ + | os9* | macos* | osx* | ios* \ + | mpw* | magic* | mmixware* | mon960* | lnews* \ + | amigaos* | amigados* | msdos* | newsos* | unicos* | aof* \ + | aos* | aros* | cloudabi* | sortix* | twizzler* \ + | nindy* | vxsim* | vxworks* | ebmon* | hms* | mvs* \ + | clix* | riscos* | uniplus* | iris* | isc* | rtu* | xenix* \ + | mirbsd* | netbsd* | dicos* | openedition* | ose* \ + | bitrig* | openbsd* | solidbsd* | libertybsd* | os108* \ + | ekkobsd* | freebsd* | riscix* | lynxos* | os400* \ + | bosx* | nextstep* | cxux* | aout* | elf* | oabi* \ + | ptx* | coff* | ecoff* | winnt* | domain* | vsta* \ + | udi* | lites* | ieee* | go32* | aux* | hcos* \ + | chorusrdb* | cegcc* | glidix* \ + | cygwin* | msys* | pe* | moss* | proelf* | rtems* \ + | midipix* | mingw32* | mingw64* | mint* \ + | uxpv* | beos* | mpeix* | udk* | moxiebox* \ + | interix* | uwin* | mks* | rhapsody* | darwin* \ + | openstep* | oskit* | conix* | pw32* | nonstopux* \ + | storm-chaos* | tops10* | tenex* | tops20* | its* \ + | os2* | vos* | palmos* | uclinux* | nucleus* | morphos* \ + | scout* | superux* | sysv* | rtmk* | tpf* | windiss* \ + | powermax* | dnix* | nx6 | nx7 | sei* | dragonfly* \ + | skyos* | haiku* | rdos* | toppers* | drops* | es* \ + | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \ + | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \ + | nsk* | powerunix* | genode* | zvmoe* ) + ;; + # This one is extra strict with allowed versions + sco3.2v2 | sco3.2v[4-9]* | sco5v6*) + # Don't forget version if it is 3.2v4 or newer. + ;; + none) + ;; + *) + echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2 + exit 1 + ;; +esac + +# As a final step for OS-related things, validate the OS-kernel combination +# (given a valid OS), if there is a kernel. +case $kernel-$os in + linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* | linux-musl* | linux-uclibc* ) + ;; + -dietlibc* | -newlib* | -musl* | -uclibc* ) + # These are just libc implementations, not actual OSes, and thus + # require a kernel. + echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2 + exit 1 + ;; + kfreebsd*-gnu* | kopensolaris*-gnu*) + ;; + nto-qnx*) + ;; + *-eabi* | *-gnueabi*) + ;; + -*) + # Blank kernel with real OS is always fine. + ;; + *-*) + echo "Invalid configuration \`$1': Kernel \`$kernel' not known to work with OS \`$os'." 1>&2 + exit 1 + ;; +esac + # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. -vendor=unknown -case $basic_machine in - *-unknown) - case $os in - -riscix*) +case $vendor in + unknown) + case $cpu-$os in + *-riscix*) vendor=acorn ;; - -sunos*) + *-sunos*) vendor=sun ;; - -cnk*|-aix*) + *-cnk* | *-aix*) vendor=ibm ;; - -beos*) + *-beos*) vendor=be ;; - -hpux*) + *-hpux*) vendor=hp ;; - -mpeix*) + *-mpeix*) vendor=hp ;; - -hiux*) + *-hiux*) vendor=hitachi ;; - -unos*) + *-unos*) vendor=crds ;; - -dgux*) + *-dgux*) vendor=dg ;; - -luna*) + *-luna*) vendor=omron ;; - -genix*) + *-genix*) vendor=ns ;; - -mvs* | -opened*) + *-clix*) + vendor=intergraph + ;; + *-mvs* | *-opened*) + vendor=ibm + ;; + *-os400*) vendor=ibm ;; - -os400*) + s390-* | s390x-*) vendor=ibm ;; - -ptx*) + *-ptx*) vendor=sequent ;; - -tpf*) + *-tpf*) vendor=ibm ;; - -vxsim* | -vxworks* | -windiss*) + *-vxsim* | *-vxworks* | *-windiss*) vendor=wrs ;; - -aux*) + *-aux*) vendor=apple ;; - -hms*) + *-hms*) vendor=hitachi ;; - -mpw* | -macos*) + *-mpw* | *-macos*) vendor=apple ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + *-*mint | *-mint[0-9]* | *-*MiNT | *-MiNT[0-9]*) vendor=atari ;; - -vos*) + *-vos*) vendor=stratus ;; esac - basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac -echo $basic_machine$os +echo "$cpu-$vendor-${kernel:+$kernel-}$os" exit # Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" diff --git a/usr.sbin/unbound/configure b/usr.sbin/unbound/configure index 117419076f9..15670a07143 100644 --- a/usr.sbin/unbound/configure +++ b/usr.sbin/unbound/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.10.1. +# Generated by GNU Autoconf 2.69 for unbound 1.11.0. # # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>. # @@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.10.1' -PACKAGE_STRING='unbound 1.10.1' +PACKAGE_VERSION='1.11.0' +PACKAGE_STRING='unbound 1.11.0' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -649,6 +649,7 @@ ENABLE_DNSCRYPT ENABLE_DNSCRYPT_XCHACHA20 DNSTAP_OBJ DNSTAP_SRC +DNSTAP_SOCKET_PATH opt_dnstap_socket_path ENABLE_DNSTAP PROTOC_C @@ -699,6 +700,10 @@ PYTHON_LDFLAGS PYTHON_CPPFLAGS PYTHON PYTHON_VERSION +DYNLIBMOD_EXTRALIBS +DYNLIBMOD_HEADER +DYNLIBMOD_OBJ +WITH_DYNLIBMODULE PTHREAD_CFLAGS_ONLY PTHREAD_CFLAGS PTHREAD_LIBS @@ -855,6 +860,7 @@ enable_alloc_nonregional with_pthreads with_solaris_threads with_syslog_facility +with_dynlibmodule with_pyunbound with_pythonmodule enable_swig_version_check @@ -883,13 +889,13 @@ enable_allsymbols enable_dnstap with_dnstap_socket_path with_protobuf_c -with_libfstrm enable_dnscrypt with_libsodium enable_cachedb enable_ipsecmod enable_ipset with_libmnl +enable_explicit_port_randomisation with_libunbound_only ' ac_precious_vars='build_alias @@ -1452,7 +1458,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.10.1 to adapt to many kinds of systems. +\`configure' configures unbound 1.11.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1517,7 +1523,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.10.1:";; + short | recursive ) echo "Configuration of unbound 1.11.0:";; esac cat <<\_ACEOF @@ -1572,13 +1578,16 @@ Optional Features: --enable-allsymbols export all symbols from libunbound and link binaries to it, smaller install size but libunbound export table is polluted by internal symbols - --enable-dnstap Enable dnstap support (requires fstrm, protobuf-c) + --enable-dnstap Enable dnstap support (requires protobuf-c) --enable-dnscrypt Enable dnscrypt support (requires libsodium) --enable-cachedb enable cachedb module that can use external cache storage --enable-ipsecmod Enable ipsecmod module that facilitates opportunistic IPsec --enable-ipset enable ipset module + --disable-explicit-port-randomisation + disable explicit source port randomisation and rely + on the kernel to provide random source ports Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -1614,6 +1623,8 @@ Optional Packages: --with-solaris-threads use solaris native thread library. --with-syslog-facility=LOCAL0 - LOCAL7 set SYSLOG_FACILITY, default DAEMON + --with-dynlibmodule build dynamic library module, or + --without-dynlibmodule to disable it. (default=no) --with-pyunbound build PyUnbound, or --without-pyunbound to skip it. (default=no) --with-pythonmodule build Python module, or --without-pythonmodule to @@ -1634,7 +1645,6 @@ Optional Packages: --with-dnstap-socket-path=pathname set default dnstap socket path --with-protobuf-c=path Path where protobuf-c is installed, for dnstap - --with-libfstrm=path Path where libfstrm is installed, for dnstap --with-libsodium=path Path where libsodium is installed, for dnscrypt --with-libmnl=path specify explicit path for libmnl. --with-libunbound-only do not build daemon and tool programs @@ -1740,7 +1750,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.10.1 +unbound configure 1.11.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2449,7 +2459,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.10.1, which was +It was created by unbound $as_me 1.11.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2799,13 +2809,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu UNBOUND_VERSION_MAJOR=1 -UNBOUND_VERSION_MINOR=10 +UNBOUND_VERSION_MINOR=11 -UNBOUND_VERSION_MICRO=1 +UNBOUND_VERSION_MICRO=0 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=8 +LIBUNBOUND_REVISION=9 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2881,6 +2891,7 @@ LIBUNBOUND_AGE=1 # 1.9.6 had 9:6:1 # 1.10.0 had 9:7:1 # 1.10.1 had 9:8:1 +# 1.11.0 had 9:9:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -14729,6 +14740,20 @@ fi done +# Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH +for ac_header in TargetConditionals.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "TargetConditionals.h" "ac_cv_header_TargetConditionals_h" "$ac_includes_default" +if test "x$ac_cv_header_TargetConditionals_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_TARGETCONDITIONALS_H 1 +_ACEOF + +fi + +done + + # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "$ac_includes_default" @@ -17171,6 +17196,34 @@ cat >>confdefs.h <<_ACEOF _ACEOF +# Check for dynamic library module + +# Check whether --with-dynlibmodule was given. +if test "${with_dynlibmodule+set}" = set; then : + withval=$with_dynlibmodule; +else + withval="no" +fi + + +if test x_$withval != x_no; then + +$as_echo "#define WITH_DYNLIBMODULE 1" >>confdefs.h + + WITH_DYNLIBMODULE=yes + + DYNLIBMOD_OBJ="dynlibmod.lo" + + DYNLIBMOD_HEADER='$(srcdir)/dynlibmod/dynlibmod.h' + + if test $on_mingw = "no"; then + DYNLIBMOD_EXTRALIBS="-ldl -export-dynamic" + else + DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.a" + fi + +fi + # Check for PyUnbound # Check whether --with-pyunbound was given. @@ -17312,6 +17365,11 @@ $as_echo_n "checking for Python library path... " >&6; } $as_echo "$PYTHON_LDFLAGS" >&6; } + if test -z "$PYTHON_LIBDIR"; then + PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \ + print(get_config_var('LIBDIR'));"` + fi + # # Check for site packages # @@ -17417,6 +17475,15 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h else CPPFLAGS="$PYTHON_CPPFLAGS" fi + if test "$PYTHON_LIBDIR" != "/usr/lib" -a "$PYTHON_LIBDIR" != "" -a "$PYTHON_LIBDIR" != "/usr/lib64"; then + + if test "x$enable_rpath" = xyes; then + if echo "$PYTHON_LIBDIR" | grep "^/" >/dev/null; then + RUNTIME_PATH="$RUNTIME_PATH -R$PYTHON_LIBDIR" + fi + fi + + fi ub_have_python=yes if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5 @@ -18259,7 +18326,7 @@ else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi -for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h +for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default @@ -18273,7 +18340,7 @@ fi done -for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback +for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -18289,7 +18356,7 @@ done # these check_funcs need -lssl BAKLIBS="$LIBS" LIBS="-lssl $LIBS" -for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites +for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -19107,31 +19174,34 @@ esac if test "${with_libevent+set}" = set; then : withval=$with_libevent; else - withval="no" + with_libevent="no" fi -if test x_$withval = x_yes -o x_$withval != x_no; then +if test "x_$with_libevent" != x_no; then + +$as_echo "#define USE_LIBEVENT 1" >>confdefs.h + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libevent" >&5 $as_echo_n "checking for libevent... " >&6; } - if test x_$withval = x_ -o x_$withval = x_yes; then - withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" + if test "x_$with_libevent" = x_ -o "x_$with_libevent" = x_yes; then + with_libevent="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" fi - for dir in $withval; do + for dir in $with_libevent; do thedir="$dir" if test -f "$dir/include/event.h" -o -f "$dir/include/event2/event.h"; then found_libevent="yes" - if test "$thedir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$thedir/include" - fi - break; - fi + if test "$thedir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$thedir/include" + fi + break; + fi done if test x_$found_libevent != x_yes; then if test -f "$dir/event.h" -a \( -f "$dir/libevent.la" -o -f "$dir/libev.la" \) ; then # libevent source directory - { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $thedir" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $thedir" >&5 $as_echo "found in $thedir" >&6; } - CPPFLAGS="$CPPFLAGS -I$thedir -I$thedir/include" + CPPFLAGS="$CPPFLAGS -I$thedir -I$thedir/include" BAK_LDFLAGS_SET="1" BAK_LDFLAGS="$LDFLAGS" # remove evdns from linking @@ -19144,10 +19214,10 @@ $as_echo "found in $thedir" >&6; } cp $ev_files_o build/libevent cp $ev_files_lo build/libevent cp $ev_files_libso build/libevent/.libs - LATE_LDFLAGS="build/libevent/*.lo -lm" + LATE_LDFLAGS="build/libevent/*.lo -lm" LDFLAGS="build/libevent/*.o $LDFLAGS -lm" else - as_fn_error $? "Cannot find the libevent library in $withval + as_fn_error $? "Cannot find the libevent library in $with_libevent You can restart ./configure --with-libevent=no to use a builtin alternative. Please note that this alternative is not as capable as libevent when using large outgoing port ranges. " "$LINENO" 5 @@ -20968,73 +21038,6 @@ else fi - -# Check whether --with-libfstrm was given. -if test "${with_libfstrm+set}" = set; then : - withval=$with_libfstrm; - CFLAGS="$CFLAGS -I$withval/include" - LDFLAGS="$LDFLAGS -L$withval/lib" - -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fstrm_iothr_init" >&5 -$as_echo_n "checking for library containing fstrm_iothr_init... " >&6; } -if ${ac_cv_search_fstrm_iothr_init+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char fstrm_iothr_init (); -int -main () -{ -return fstrm_iothr_init (); - ; - return 0; -} -_ACEOF -for ac_lib in '' fstrm; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_fstrm_iothr_init=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_fstrm_iothr_init+:} false; then : - break -fi -done -if ${ac_cv_search_fstrm_iothr_init+:} false; then : - -else - ac_cv_search_fstrm_iothr_init=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fstrm_iothr_init" >&5 -$as_echo "$ac_cv_search_fstrm_iothr_init" >&6; } -ac_res=$ac_cv_search_fstrm_iothr_init -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -else - as_fn_error $? "The fstrm library was not found. Please install fstrm!" "$LINENO" 5 -fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing protobuf_c_message_pack" >&5 $as_echo_n "checking for library containing protobuf_c_message_pack... " >&6; } if ${ac_cv_search_protobuf_c_message_pack+:} false; then : @@ -21108,10 +21111,12 @@ cat >>confdefs.h <<_ACEOF #define DNSTAP_SOCKET_PATH "$hdr_dnstap_socket_path" _ACEOF + DNSTAP_SOCKET_PATH="$hdr_dnstap_socket_path" - DNSTAP_SRC="dnstap/dnstap.c dnstap/dnstap.pb-c.c" - DNSTAP_OBJ="dnstap.lo dnstap.pb-c.lo" + DNSTAP_SRC="dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c" + + DNSTAP_OBJ="dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo" else @@ -21443,6 +21448,21 @@ $as_echo "found in $dir" >&6; } # nothing ;; esac +# Check whether --enable-explicit-port-randomisation was given. +if test "${enable_explicit_port_randomisation+set}" = set; then : + enableval=$enable_explicit_port_randomisation; +fi + +case "$enable_explicit_port_randomisation" in + no) + +$as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h + + ;; + yes|*) + ;; +esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; } @@ -21599,7 +21619,7 @@ _ACEOF -version=1.10.1 +version=1.11.0 date=`date +'%b %e, %Y'` @@ -22118,7 +22138,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.10.1, which was +This file was extended by unbound $as_me 1.11.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22184,7 +22204,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.10.1 +unbound config.status 1.11.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/usr.sbin/unbound/configure.ac b/usr.sbin/unbound/configure.ac index 17c99d5c1fc..81d10063734 100644 --- a/usr.sbin/unbound/configure.ac +++ b/usr.sbin/unbound/configure.ac @@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) -m4_define([VERSION_MINOR],[10]) -m4_define([VERSION_MICRO],[1]) +m4_define([VERSION_MINOR],[11]) +m4_define([VERSION_MICRO],[0]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=8 +LIBUNBOUND_REVISION=9 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -94,6 +94,7 @@ LIBUNBOUND_AGE=1 # 1.9.6 had 9:6:1 # 1.10.0 had 9:7:1 # 1.10.1 had 9:8:1 +# 1.11.0 had 9:9:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -399,6 +400,9 @@ PKG_PROG_PKG_CONFIG # Checks for header files. AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h],,, [AC_INCLUDES_DEFAULT]) +# Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH +AC_CHECK_HEADERS([TargetConditionals.h]) + # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. AC_CHECK_TYPE(int8_t, signed char) @@ -624,6 +628,28 @@ case "${UNBOUND_SYSLOG_FACILITY}" in esac AC_DEFINE_UNQUOTED(UB_SYSLOG_FACILITY,${UNBOUND_SYSLOG_FACILITY},[the SYSLOG_FACILITY to use, default LOG_DAEMON]) +# Check for dynamic library module +AC_ARG_WITH(dynlibmodule, + AC_HELP_STRING([--with-dynlibmodule], + [build dynamic library module, or --without-dynlibmodule to disable it. (default=no)]), + [], [ withval="no" ]) + +if test x_$withval != x_no; then + AC_DEFINE(WITH_DYNLIBMODULE, 1, [Define if you want dynlib module.]) + WITH_DYNLIBMODULE=yes + AC_SUBST(WITH_DYNLIBMODULE) + DYNLIBMOD_OBJ="dynlibmod.lo" + AC_SUBST(DYNLIBMOD_OBJ) + DYNLIBMOD_HEADER='$(srcdir)/dynlibmod/dynlibmod.h' + AC_SUBST(DYNLIBMOD_HEADER) + if test $on_mingw = "no"; then + DYNLIBMOD_EXTRALIBS="-ldl -export-dynamic" + else + DYNLIBMOD_EXTRALIBS="-Wl,--export-all-symbols,--out-implib,libunbound.a" + fi + AC_SUBST(DYNLIBMOD_EXTRALIBS) +fi + # Check for PyUnbound AC_ARG_WITH(pyunbound, AC_HELP_STRING([--with-pyunbound], @@ -675,6 +701,9 @@ if test x_$ub_test_python != x_no; then else CPPFLAGS="$PYTHON_CPPFLAGS" fi + if test "$PYTHON_LIBDIR" != "/usr/lib" -a "$PYTHON_LIBDIR" != "" -a "$PYTHON_LIBDIR" != "/usr/lib64"; then + ACX_RUNTIME_PATH_ADD([$PYTHON_LIBDIR]) + fi ub_have_python=yes PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"], [PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"], @@ -821,13 +850,13 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/ else AC_MSG_RESULT([no]) fi -AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback]) +AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback]) # these check_funcs need -lssl BAKLIBS="$LIBS" LIBS="-lssl $LIBS" -AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites]) +AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb]) LIBS="$BAKLIBS" AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ @@ -1215,28 +1244,29 @@ esac # check for libevent AC_ARG_WITH(libevent, AC_HELP_STRING([--with-libevent=pathname], [use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr or you can specify an explicit path). Slower, but allows use of large outgoing port ranges.]), - [ ],[ withval="no" ]) -if test x_$withval = x_yes -o x_$withval != x_no; then + [ ],[ with_libevent="no" ]) +if test "x_$with_libevent" != x_no; then + AC_DEFINE([USE_LIBEVENT], [1], [Define if you enable libevent]) AC_MSG_CHECKING(for libevent) - if test x_$withval = x_ -o x_$withval = x_yes; then - withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" + if test "x_$with_libevent" = x_ -o "x_$with_libevent" = x_yes; then + with_libevent="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" fi - for dir in $withval; do + for dir in $with_libevent; do thedir="$dir" if test -f "$dir/include/event.h" -o -f "$dir/include/event2/event.h"; then found_libevent="yes" - dnl assume /usr is in default path. - if test "$thedir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$thedir/include" - fi - break; - fi + dnl assume /usr is in default path. + if test "$thedir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$thedir/include" + fi + break; + fi done if test x_$found_libevent != x_yes; then if test -f "$dir/event.h" -a \( -f "$dir/libevent.la" -o -f "$dir/libev.la" \) ; then # libevent source directory - AC_MSG_RESULT(found in $thedir) - CPPFLAGS="$CPPFLAGS -I$thedir -I$thedir/include" + AC_MSG_RESULT(found in $thedir) + CPPFLAGS="$CPPFLAGS -I$thedir -I$thedir/include" BAK_LDFLAGS_SET="1" BAK_LDFLAGS="$LDFLAGS" # remove evdns from linking @@ -1249,10 +1279,10 @@ if test x_$withval = x_yes -o x_$withval != x_no; then cp $ev_files_o build/libevent cp $ev_files_lo build/libevent cp $ev_files_libso build/libevent/.libs - LATE_LDFLAGS="build/libevent/*.lo -lm" + LATE_LDFLAGS="build/libevent/*.lo -lm" LDFLAGS="build/libevent/*.o $LDFLAGS -lm" else - AC_MSG_ERROR([Cannot find the libevent library in $withval + AC_MSG_ERROR([Cannot find the libevent library in $with_libevent You can restart ./configure --with-libevent=no to use a builtin alternative. Please note that this alternative is not as capable as libevent when using large outgoing port ranges. ]) @@ -1688,9 +1718,10 @@ dt_DNSTAP([$UNBOUND_RUN_DIR/dnstap.sock], ACX_ESCAPE_BACKSLASH($opt_dnstap_socket_path, hdr_dnstap_socket_path) AC_DEFINE_UNQUOTED(DNSTAP_SOCKET_PATH, ["$hdr_dnstap_socket_path"], [default dnstap socket path]) + AC_SUBST(DNSTAP_SOCKET_PATH,["$hdr_dnstap_socket_path"]) - AC_SUBST([DNSTAP_SRC], ["dnstap/dnstap.c dnstap/dnstap.pb-c.c"]) - AC_SUBST([DNSTAP_OBJ], ["dnstap.lo dnstap.pb-c.lo"]) + AC_SUBST([DNSTAP_SRC], ["dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"]) + AC_SUBST([DNSTAP_OBJ], ["dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo"]) ], [ AC_SUBST([ENABLE_DNSTAP], [0]) @@ -1778,6 +1809,15 @@ case "$enable_ipset" in # nothing ;; esac +AC_ARG_ENABLE(explicit-port-randomisation, AC_HELP_STRING([--disable-explicit-port-randomisation], [disable explicit source port randomisation and rely on the kernel to provide random source ports])) +case "$enable_explicit_port_randomisation" in + no) + AC_DEFINE([DISABLE_EXPLICIT_PORT_RANDOMISATION], [1], [Define this to enable kernel based UDP source port randomization.]) + ;; + yes|*) + ;; +esac + AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) # on openBSD, the implicit rule make $< work. diff --git a/usr.sbin/unbound/daemon/acl_list.c b/usr.sbin/unbound/daemon/acl_list.c index c16a920d99e..84324575e71 100644 --- a/usr.sbin/unbound/daemon/acl_list.c +++ b/usr.sbin/unbound/daemon/acl_list.c @@ -273,7 +273,7 @@ check_data(const char* data, const struct config_strlist* head) if(res == 0) return 1; log_err("rr data [char %d] parse error %s", - (int)LDNS_WIREPARSE_OFFSET(res)-13, + (int)LDNS_WIREPARSE_OFFSET(res)-2, sldns_get_errorstr_parse(res)); return 0; } diff --git a/usr.sbin/unbound/daemon/daemon.c b/usr.sbin/unbound/daemon/daemon.c index 8b0fc3483ab..5d4279259ed 100644 --- a/usr.sbin/unbound/daemon/daemon.c +++ b/usr.sbin/unbound/daemon/daemon.c @@ -451,11 +451,9 @@ daemon_create_workers(struct daemon* daemon) fatal_exit("out of memory during daemon init"); if(daemon->cfg->dnstap) { #ifdef USE_DNSTAP - daemon->dtenv = dt_create(daemon->cfg->dnstap_socket_path, - (unsigned int)daemon->num); + daemon->dtenv = dt_create(daemon->cfg); if (!daemon->dtenv) fatal_exit("dt_create failed"); - dt_apply_cfg(daemon->dtenv, daemon->cfg); #else fatal_exit("dnstap enabled in config but not built with dnstap support"); #endif @@ -783,7 +781,7 @@ daemon_delete(struct daemon* daemon) # endif # ifdef HAVE_OPENSSL_CONFIG EVP_cleanup(); -# if (OPENSSL_VERSION_NUMBER < 0x10100000) && !defined(OPENSSL_NO_ENGINE) +# if (OPENSSL_VERSION_NUMBER < 0x10100000) && !defined(OPENSSL_NO_ENGINE) && defined(HAVE_ENGINE_CLEANUP) ENGINE_cleanup(); # endif CONF_modules_free(); diff --git a/usr.sbin/unbound/daemon/remote.c b/usr.sbin/unbound/daemon/remote.c index 1782a39cad7..aa263d074c6 100644 --- a/usr.sbin/unbound/daemon/remote.c +++ b/usr.sbin/unbound/daemon/remote.c @@ -329,7 +329,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, /* open fd */ fd = create_tcp_accept_sock(res, 1, &noproto, 0, - cfg->ip_transparent, 0, cfg->ip_freebind, cfg->use_systemd); + cfg->ip_transparent, 0, cfg->ip_freebind, cfg->use_systemd, cfg->ip_dscp); freeaddrinfo(res); } @@ -804,6 +804,9 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon, size_t dnscrypt_shared_secret = 0; size_t dnscrypt_nonce = 0; #endif /* USE_DNSCRYPT */ +#ifdef WITH_DYNLIBMODULE + size_t dynlib = 0; +#endif /* WITH_DYNLIBMODULE */ msg = slabhash_get_mem(daemon->env->msg_cache); rrset = slabhash_get_mem(&daemon->env->rrset_cache->table); val = mod_get_mem(&worker->env, "validator"); @@ -822,6 +825,9 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon, dnscrypt_nonce = slabhash_get_mem(daemon->dnscenv->nonces_cache); } #endif /* USE_DNSCRYPT */ +#ifdef WITH_DYNLIBMODULE + dynlib = mod_get_mem(&worker->env, "dynlib"); +#endif /* WITH_DYNLIBMODULE */ if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset)) return 0; @@ -849,6 +855,10 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon, dnscrypt_nonce)) return 0; #endif /* USE_DNSCRYPT */ +#ifdef WITH_DYNLIBMODULE + if(!print_longnum(ssl, "mem.mod.dynlibmod"SQ, dynlib)) + return 0; +#endif /* WITH_DYNLIBMODULE */ if(!print_longnum(ssl, "mem.streamwait"SQ, (size_t)s->svr.mem_stream_wait)) return 0; @@ -907,7 +917,7 @@ static int print_ext(RES* ssl, struct ub_stats_info* s) { int i; - char nm[16]; + char nm[32]; const sldns_rr_descriptor* desc; const sldns_lookup_table* lt; /* TYPE */ @@ -1124,6 +1134,10 @@ parse_arg_name(RES* ssl, char* str, uint8_t** res, size_t* len, int* labs) *res = NULL; *len = 0; *labs = 0; + if(str[0] == '\0') { + ssl_printf(ssl, "error: this option requires a domain name\n"); + return 0; + } status = sldns_str2wire_dname_buf(str, nm, &nmlen); if(status != 0) { ssl_printf(ssl, "error cannot parse name %s at %d: %s\n", str, diff --git a/usr.sbin/unbound/daemon/unbound.c b/usr.sbin/unbound/daemon/unbound.c index af76fc84fe5..3f96603c430 100644 --- a/usr.sbin/unbound/daemon/unbound.c +++ b/usr.sbin/unbound/daemon/unbound.c @@ -88,6 +88,14 @@ # include "nss.h" #endif +#ifdef HAVE_TARGETCONDITIONALS_H +#include <TargetConditionals.h> +#endif + +#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH) +#undef HAVE_FORK +#endif + /** print build options. */ static void print_build_options(void) @@ -526,6 +534,8 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, LOGIN_SETALL & ~LOGIN_SETUSER & ~LOGIN_SETGROUP) != 0) log_warn("unable to setusercontext %s: %s", cfg->username, strerror(errno)); +#else + (void)pwd; #endif /* HAVE_SETUSERCONTEXT */ } #endif /* HAVE_GETPWNAM */ diff --git a/usr.sbin/unbound/daemon/worker.c b/usr.sbin/unbound/daemon/worker.c index eb7fdf2f576..23e3244c504 100644 --- a/usr.sbin/unbound/daemon/worker.c +++ b/usr.sbin/unbound/daemon/worker.c @@ -79,6 +79,7 @@ #include "sldns/wire2str.h" #include "util/shm_side/shm_main.h" #include "dnscrypt/dnscrypt.h" +#include "dnstap/dtstream.h" #ifdef HAVE_SYS_TYPES_H # include <sys/types.h> @@ -1807,14 +1808,14 @@ worker_init(struct worker* worker, struct config_file *cfg, worker->back = outside_network_create(worker->base, cfg->msg_buffer_size, (size_t)cfg->outgoing_num_ports, cfg->out_ifs, cfg->num_out_ifs, cfg->do_ip4, cfg->do_ip6, - cfg->do_tcp?cfg->outgoing_num_tcp:0, + cfg->do_tcp?cfg->outgoing_num_tcp:0, cfg->ip_dscp, worker->daemon->env->infra_cache, worker->rndstate, cfg->use_caps_bits_for_id, worker->ports, worker->numports, cfg->unwanted_threshold, cfg->outgoing_tcp_mss, &worker_alloc_cleanup, worker, cfg->do_udp || cfg->udp_upstream_without_downstream, worker->daemon->connect_sslctx, cfg->delay_close, - dtenv); + cfg->tls_use_sni, dtenv); if(!worker->back) { log_err("could not create outgoing sockets"); worker_delete(worker); @@ -1914,6 +1915,20 @@ worker_init(struct worker* worker, struct config_file *cfg, ) { auth_xfer_pickup_initial(worker->env.auth_zones, &worker->env); } +#ifdef USE_DNSTAP + if(worker->daemon->cfg->dnstap +#ifndef THREADS_DISABLED + && worker->thread_num == 0 +#endif + ) { + if(!dt_io_thread_start(dtenv->dtio, comm_base_internal( + worker->base), worker->daemon->num)) { + log_err("could not start dnstap io thread"); + worker_delete(worker); + return 0; + } + } +#endif /* USE_DNSTAP */ if(!worker->env.mesh || !worker->env.scratch_buffer) { worker_delete(worker); return 0; @@ -1961,6 +1976,16 @@ worker_delete(struct worker* worker) wsvc_desetup_worker(worker); #endif /* UB_ON_WINDOWS */ } +#ifdef USE_DNSTAP + if(worker->daemon->cfg->dnstap +#ifndef THREADS_DISABLED + && worker->thread_num == 0 +#endif + ) { + dt_io_thread_stop(worker->dtenv.dtio); + } + dt_deinit(&worker->dtenv); +#endif /* USE_DNSTAP */ comm_base_delete(worker->base); ub_randfree(worker->rndstate); alloc_clear(&worker->alloc); @@ -2099,3 +2124,18 @@ int codeline_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b)) return 0; } +#ifdef USE_DNSTAP +void dtio_tap_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), + void* ATTR_UNUSED(arg)) +{ + log_assert(0); +} +#endif + +#ifdef USE_DNSTAP +void dtio_mainfdcallback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), + void* ATTR_UNUSED(arg)) +{ + log_assert(0); +} +#endif diff --git a/usr.sbin/unbound/dns64/dns64.c b/usr.sbin/unbound/dns64/dns64.c index 1a569059aff..5c70119a54d 100644 --- a/usr.sbin/unbound/dns64/dns64.c +++ b/usr.sbin/unbound/dns64/dns64.c @@ -227,7 +227,7 @@ ipv4_to_ptr(uint32_t ipv4, char ptr[], size_t nm_len) static const char IPV4_PTR_SUFFIX[] = "\07in-addr\04arpa"; int i; char* c = ptr; - log_assert(nm_len == MAX_PTR_QNAME_IPV4); + log_assert(nm_len == MAX_PTR_QNAME_IPV4); (void)nm_len; for (i = 0; i < 4; ++i) { *c = uitoa((unsigned int)(ipv4 % 256), c + 1); diff --git a/usr.sbin/unbound/dnstap/dnstap.c b/usr.sbin/unbound/dnstap/dnstap.c index aabf8eec907..cc5449dff4a 100644 --- a/usr.sbin/unbound/dnstap/dnstap.c +++ b/usr.sbin/unbound/dnstap/dnstap.c @@ -49,13 +49,12 @@ #include "util/netevent.h" #include "util/log.h" -#include <fstrm.h> #include <protobuf-c/protobuf-c.h> #include "dnstap/dnstap.h" +#include "dnstap/dtstream.h" #include "dnstap/dnstap.pb-c.h" -#define DNSTAP_CONTENT_TYPE "protobuf:dnstap.Dnstap" #define DNSTAP_INITIAL_BUF_SIZE 256 struct dt_msg { @@ -90,13 +89,7 @@ dt_pack(const Dnstap__Dnstap *d, void **buf, size_t *sz) static void dt_send(const struct dt_env *env, void *buf, size_t len_buf) { - fstrm_res res; - if (!buf) - return; - res = fstrm_iothr_submit(env->iothr, env->ioq, buf, len_buf, - fstrm_free_wrapper, NULL); - if (res != fstrm_res_success) - free(buf); + dt_msg_queue_submit(env->msgqueue, buf, len_buf); } static void @@ -135,56 +128,33 @@ check_socket_file(const char* socket_path) } struct dt_env * -dt_create(const char *socket_path, unsigned num_workers) +dt_create(struct config_file* cfg) { -#ifdef UNBOUND_DEBUG - fstrm_res res; -#endif struct dt_env *env; - struct fstrm_iothr_options *fopt; - struct fstrm_unix_writer_options *fuwopt; - struct fstrm_writer *fw; - struct fstrm_writer_options *fwopt; - verbose(VERB_OPS, "attempting to connect to dnstap socket %s", - socket_path); - log_assert(socket_path != NULL); - log_assert(num_workers > 0); - check_socket_file(socket_path); + if(cfg->dnstap && cfg->dnstap_socket_path && cfg->dnstap_socket_path[0] && + (cfg->dnstap_ip==NULL || cfg->dnstap_ip[0]==0)) { + verbose(VERB_OPS, "attempting to connect to dnstap socket %s", + cfg->dnstap_socket_path); + check_socket_file(cfg->dnstap_socket_path); + } env = (struct dt_env *) calloc(1, sizeof(struct dt_env)); if (!env) return NULL; - fwopt = fstrm_writer_options_init(); -#ifdef UNBOUND_DEBUG - res = -#else - (void) -#endif - fstrm_writer_options_add_content_type(fwopt, - DNSTAP_CONTENT_TYPE, sizeof(DNSTAP_CONTENT_TYPE) - 1); - log_assert(res == fstrm_res_success); - - fuwopt = fstrm_unix_writer_options_init(); - fstrm_unix_writer_options_set_socket_path(fuwopt, socket_path); - - fw = fstrm_unix_writer_init(fuwopt, fwopt); - log_assert(fw != NULL); - - fopt = fstrm_iothr_options_init(); - fstrm_iothr_options_set_num_input_queues(fopt, num_workers); - env->iothr = fstrm_iothr_init(fopt, &fw); - if (env->iothr == NULL) { - verbose(VERB_DETAIL, "dt_create: fstrm_iothr_init() failed"); - fstrm_writer_destroy(&fw); + env->dtio = dt_io_thread_create(); + if(!env->dtio) { + log_err("malloc failure"); free(env); - env = NULL; + return NULL; } - fstrm_iothr_options_destroy(&fopt); - fstrm_unix_writer_options_destroy(&fuwopt); - fstrm_writer_options_destroy(&fwopt); - + if(!dt_io_thread_apply_cfg(env->dtio, cfg)) { + dt_io_thread_delete(env->dtio); + free(env); + return NULL; + } + dt_apply_cfg(env, cfg); return env; } @@ -272,19 +242,33 @@ dt_apply_cfg(struct dt_env *env, struct config_file *cfg) int dt_init(struct dt_env *env) { - env->ioq = fstrm_iothr_get_input_queue(env->iothr); - if (env->ioq == NULL) + env->msgqueue = dt_msg_queue_create(); + if(!env->msgqueue) { + log_err("malloc failure"); + return 0; + } + if(!dt_io_thread_register_queue(env->dtio, env->msgqueue)) { + log_err("malloc failure"); + dt_msg_queue_delete(env->msgqueue); + env->msgqueue = NULL; return 0; + } return 1; } void +dt_deinit(struct dt_env* env) +{ + dt_io_thread_unregister_queue(env->dtio, env->msgqueue); + dt_msg_queue_delete(env->msgqueue); +} + +void dt_delete(struct dt_env *env) { if (!env) return; - verbose(VERB_OPS, "closing dnstap socket"); - fstrm_iothr_destroy(&env->iothr); + dt_io_thread_delete(env->dtio); free(env->identity); free(env->version); free(env); diff --git a/usr.sbin/unbound/doc/Changelog b/usr.sbin/unbound/doc/Changelog index 725b82ac64b..3339e77b30c 100644 --- a/usr.sbin/unbound/doc/Changelog +++ b/usr.sbin/unbound/doc/Changelog @@ -1,6 +1,330 @@ +20 July 2020: Wouter + - Fix streamtcp to print packet data to stdout. This makes the + stdout and stderr not mix together lines, when parsing its output. + - Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes + due to added libdynmod, but it does not compile, it conflicts with + new rpz code. + - branch now named 1.11.0 and 1.11.0rc1 tag. + +17 July 2020: Wouter + - Fix libnettle compile for session ticket key callback function + changes. + - Fix lock dependency cycle in rpz zone config setup. + +17 July 2020: Ralph + - Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie + Courrèges-Anglas. + - Fix PR #234 log_assert sizeof to use union buffer. + +16 July 2020: Wouter + - Fix check conf test for referencing installation paths. + - Fix unused variable warning for clang analyzer. + +16 July 2020: George + - Introduce 'include-toplevel:' configuration option. + +16 July 2020: Ralph + - Add bidirectional frame streams support. + +8 July 2020: Wouter + - Fix add missing DSA header, for compilation without deprecated + OpenSSL APIs. + - Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL + 3.0.0-alpha4. + - Longer keys for the test set, this avoids weak crypto errors. + +7 July 2020: Wouter + - Fix #259: Fix unbound-checkconf does not check view existence. + unbound-checkconf checks access-control-view, access-control-tags, + access-control-tag-actions and access-control-tag-datas. + - Fix offset of error printout for access-control-tag-datas. + - Review fixes for checkconf #259 change. + +6 July 2020: Wouter + - run_vm cleanup better and removes trailing slash on single argument. + +29 June 2020: Wouter + - Move reply list clean for serve expired mesh callback to after + the reply is sent, so that script callbacks have reply_info. + - Also move reply list clean for mesh callbacks to the scrip callback + can see the reply_info. + - Fix for mesh accounting if the reply list already empty to begin + with. + - Fix for mesh accounting when rpz decides to drop a reply with a + tcp stream waiting for it. + - Review fix for number of detached states due to use of variable + after end of loop. + - Fix tcp req info drop due to size call into mesh accounting + removal of mesh state during mesh send reply. + +24 June 2020: Wouter + - iana portlist updated. + - doxygen file comments for dynlibmodule. + +17 June 2020: Wouter + - Fix default explanation in man page for qname-minimisation-strict. + - Fix display of event loop method with libev. + +8 June 2020: Wouter + - Mention tls name possible when tls is enabled for stub-addr in the + man page. + +27 May 2020: George + - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use + "Requires:". + +25 May 2020: George + - Update contrib/aaaa-filter-iterator.patch for the recent + generate_sub_request() change and to apply cleanly. + +21 May 2020: George + - Fix for integer overflow when printing RDF_TYPE_TIME. + +19 May 2020: Wouter + - CVE-2020-12662 Unbound can be tricked into amplifying an incoming + query into a large number of queries directed to a target. + - CVE-2020-12663 Malformed answers from upstream name servers can be + used to make Unbound unresponsive. + - Release 1.10.1 is 1.10.0 with fixes, code repository continues, + including those fixes, towards the next release. Configure has + version 1.10.2 version number in it. + - For PR #93: windows compile warnings removal + - windows compile warnings removal for ip dscp option code. + - For PR #93: unit test for dynlib module. + +18 May 2020: Wouter + - For PR #93: dynlibmod can handle reloads and deinit and inits again, + with dlclose and dlopen of the library again. Also for multiple + modules. Fix memory leak by not closing dlopened content. Fix + to allow one dynlibmod instance by unbound-checkconf. + - For PR #93: checkconf allows multiple dynlib in module-config, for + a couple cases. + - For PR #93: checkconf allows python dynlib in module-config, for + a couple cases. + - For PR #93: man page spelling reference fix. + - For PR #93: fix link of other executables for dynlibmod dependency. + +15 May 2020: Wouter + - Merge PR #93: Add dynamic library support. + - Fixed conflicts for PR #93 and make configure, yacc, lex. + - For PR #93: Fix warnings for dynlibmodule. + +15 May 2020: Ralph + - Cache ECS answers with longest scope of CNAME chain. + +22 April 2020: George + - Explicitly use 'rrset-roundrobin: no' for test cases. + +21 April 2020: Wouter + - Merge #225 from akhait: KSK-2010 has been revoked. It removes the + KSK-2010 from the default list in unbound-anchor, now that the + revocation period is over. KSK-2017 is the only trust anchor in + the shipped default now. + +21 April 2020: George + - Change default value for 'rrset-roundrobin' to yes. + - Fix tests for new rrset-roundrobin default. + +20 April 2020: Wouter + - Fix #222: --enable-rpath, fails to rpath python lib. + - Fix for count of reply states in the mesh. + - Remove unneeded was_mesh_reply check. + +17 April 2020: George + - Add SNI support on more TLS connections (fixes #193). + - Add SNI support to unbound-anchor. + +16 April 2020: George + - Add doxygen documentation for DSCP. + +16 April 2020: Wouter + - Fix help return code in unbound-control-setup script. + - Fix for posix shell syntax for trap in nsd-control-setup. + - Fix for posix shell syntax for trap in run_msg.sh test script. + +15 April 2020: George + - Fix #220: auth-zone section in config may lead to segfault. + +7 April 2020: Wouter + - Merge PR #214 from gearnode: unbound-control-setup recreate + certificates. With the -r option the certificates are created + again, without it, only the files that do not exist are created. + +6 April 2020: Ralph + - Keep track of number of timeouts. Use this counter to determine if + capsforid fallback should be started. + +6 April 2020: George + - More documentation for redis-expire-records option. + +1 April 2020: George + - Merge PR #206: Redis TTL, by Talkabout. + +30 March 2020: Wouter + - Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and :: + - Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful + transports. + +27 March 2020: Wouter + - Merge PR #203 from noloader: Update README-Travis.md with current + procedures. + +27 March 2020: Ralph + - Make unbound-control error returned on missing domain name more user + friendly. + +26 March 2020: Ralph + - Fix RPZ concurrency issue when using auth_zone_reload. + +25 March 2020: George + - Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings. + - Fix on #201. + +24 March 2020: Wouter + - Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP + tag for outgoing packets. + - Fixes on #200. + - Travis fix for ios by omitting tools from install. + +23 March 2020: Wouter + - Fix compile on Solaris for unbound-checkconf. + +20 March 2020: George + - Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's + only used in this file. + +20 March 2020: Wouter + - Merge PR #197 from fobser: Make log_ident_revert_to_default() a + proper prototype. + +19 March 2020: Ralph + - Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton. + - Fix #158: open tls-session-ticket-keys as binary, for Windows. By + Daisuke HIGASHI. + - Merge PR#134, Allow the kernel to provide random source ports. By + Florian Obser. + - Log warning when using outgoing-port-permit and outgoing-port-avoid + while explicit port randomisation is disabled. + - Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton. + - Fix .travis.yml error, missing 'env' option. + +16 March 2020: Wouter + - Fix #192: In the unbound-checkconf tool, the module config of + dns64 subnetcache respip validator iterator is whitelisted, it was + reported it seems to work. + +12 March 2020: Wouter + - Fix compile of test tools without protobuf. + +11 March 2020: Ralph + - Add check to make sure RPZ records are subdomains of configured + zone origin. + +11 March 2020: George + - Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete + type, by noloader. + - Changelog entry for (Fix #189, Merge PR #190). + +11 March 2020: Wouter + - Fix #188: unbound-control.c:882:6: error: 'execlp' is + unavailable: not available on tvOS. + +6 March 2020: George + - Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by + noloader + +5 March 2020: Wouter + - Fix PR #182 from noloader: Add iOS testing to Travis. + +4 March 2020: Ralph + - Update README-Travis.md (from PR #179), by Jeffrey Walton. + +4 March 2020: George + - Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android. + +4 March 2020: Wouter + - Merge PR #180 from noloader: Avoid calling exit in Travis script. + +3 March 2020: George + - Upgrade config.guess(2020-01-01) and config.sub(2020-01-01). + +2 March 2020: Ralph + - Fix #175, Merge PR #176: fix link error when OpenSSL is configured + with no-engine, thanks noloader. + +2 March 2020: George + - Fix compiler warning in dns64/dns64.c + - Merge PR #174: Add Android to Travis testing, by noloader. + - Move android build scripts to contrib/ and allow android tests to fail. + +2 March 2020: Wouter + - Fix #177: dnstap does not build on macOS. + +28 February 2020: Ralph + - Merge PR #172: Add IBM s390x arch for testing, by noloader. + +28 February 2020: Wouter + - Merge PR #173: updated makedist.sh for config.guess and + config.sub and sha256 digest for gpg, by noloader. + - Merge PR #164: Framestreams, this branch implements dnstap + unidirectional connectivity in unbound. This has a number of + new features. + + The dependency on libfstrm is removed. The fstrm protocol code + resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This + contains a brief definition of what unbound needs. + + The make unbound-dnstap-socket builds a debug tool, + unbound-dnstap-socket. It can listen, accept multiple DNSTAP + streams and print information. Commandline options control it. + + Unbound can reconnect if the unix domain socket file socket is + closed. This uses exponential backoff after which it uses a + one second timer to throttle cpu down. There is also support + to use TCP and TLS for connecting to the log server. There + are new config options to turn them on, in the dnstap section + in the man page and example config file. dnstap-ip with IP + address of server for TCP or TLS use. dnstap-tls to turn + on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle, + dnstap-tls-client-key-file and dnstap-tls-client-cert-file + to configure the certificates for server authentication and + client authentication, or leave at "" to not use that. + +27 February 2020: George + - Merge PR #171: Add additional compilers and platforms to Travis + testing, by noloader. + +27 February 2020: Wouter + - Fix #169: Fix warning for daemon/remote.c output may be truncated + from snprintf. + - Fix #170: Fix gcc undefined sanitizer signed integer overflow + warning in signature expiry RFC1982 serial number arithmetic. + - Fix more undefined sanitizer issues, in respip copy_rrset null + dname, and in the client_info_compare routine for null memcmp. + +26 February 2020: Wouter + - iana portlist updated. + +25 February 2020: Wouter + - Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for + using ipv4 filters, because the hosts ip6 netblock /64 is not owned + by one operator, and thus reputation is shared. + +24 February 2020: George + - Merge PR #166: Fix typo in unbound.service.in, by glitsj16. + 20 February 2020: Wouter - Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for Unbound from Yuri Voinov. + - master branch has 1.10.1 version. + +18 February 2020: Wouter + - protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for + different openssl versions. + +17 February 2020: Wouter + - changelog point where the tag for 1.10.0rc2 release is. And with + the unbound_smf23 commit added to it, that is the 1.10.0 release. 17 February 2020: Ralph - Add respip to supported module-config options in unbound-checkconf. diff --git a/usr.sbin/unbound/doc/README b/usr.sbin/unbound/doc/README index 6bd34bbed95..6bd9a4c5fda 100644 --- a/usr.sbin/unbound/doc/README +++ b/usr.sbin/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.10.1 +README for Unbound 1.11.0 Copyright 2007 NLnet Labs http://unbound.net diff --git a/usr.sbin/unbound/doc/example.conf.in b/usr.sbin/unbound/doc/example.conf.in index 6ec91a41501..0f0f5358a34 100644 --- a/usr.sbin/unbound/doc/example.conf.in +++ b/usr.sbin/unbound/doc/example.conf.in @@ -1,13 +1,17 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.10.1. +# See unbound.conf(5) man page, version 1.11.0. # # this is a comment. -#Use this to include other text into the file. +# Use this anywhere in the file to include other text into this file. #include: "otherfile.conf" +# Use this anywhere in the file to include other text, that explicitly starts a +# clause, into this file. Text after this directive needs to start a clause. +#include-toplevel: "otherfile.conf" + # The server clause sets the main parameters. server: # whitespace is not necessary, but looks cleaner. @@ -70,6 +74,9 @@ server: # Set this to yes to prefer ipv6 upstream servers over ipv4. # prefer-ip6: no + # Prefer ipv4 upstream servers, even if ipv6 is available. + # prefer-ip4: no + # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. About double the # num-queries-per-thread, or, use as many as the OS will allow you. @@ -116,6 +123,11 @@ server: # Linux only. On Linux you also have ip-transparent that is similar. # ip-freebind: no + # the value of the Differentiated Services Codepoint (DSCP) + # in the differentiated services field (DS) of the outgoing + # IP packets + # ip-dscp: 0 + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) # edns-buffer-size: 4096 @@ -465,7 +477,7 @@ server: # deny-any: no # if yes, Unbound rotates RRSet order in response. - # rrset-roundrobin: no + # rrset-roundrobin: yes # if yes, Unbound doesn't insert authority/additional sections # into response messages when those sections are not required. @@ -738,6 +750,10 @@ server: # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Use the SNI extension for TLS connections. Default is yes. + # Changing the value requires a reload. + # tls-use-sni: yes + # Add the secret file for TLS Session Ticket. # Secret file must be 80 bytes of random data. # First key use to encrypt and decrypt TLS session tickets. @@ -847,6 +863,17 @@ python: # Script file to load # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" +# Dynamic library config section. To enable: +# o use --with-dynlibmodule to configure before compiling. +# o list dynlib in the module-config string (above) to enable. +# It can be placed anywhere, the dynlib module is only a very thin wrapper +# to load modules dynamically. +# o and give a dynlib-file to run. If more than one dynlib entry is listed in +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so" + # Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. @@ -1005,10 +1032,12 @@ remote-control: # redis-server-port: 6379 # # timeout (in ms) for communication with the redis server # redis-timeout: 100 +# # set timeout on redis records based on DNS response TTL +# redis-expire-records: no # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset needs run unbound as root user. +# Note: To enable ipset unbound needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" @@ -1016,6 +1045,40 @@ remote-control: # name-v6: "list-v6" # +# Dnstap logging support, if compiled in. To enable, set the dnstap-enable +# to yes and also some of dnstap-log-..-messages to yes. And select an +# upstream log destination, by socket path, TCP or TLS destination. +# dnstap: +# dnstap-enable: no +# # if set to yes frame streams will be used in bidirectional mode +# dnstap-bidirectional: yes +# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" +# # if "" use the unix socket in dnstap-socket-path, otherwise, +# # set it to "IPaddress[@port]" of the destination. +# dnstap-ip: "" +# # if set to yes if you want to use TLS to dnstap-ip, no for TCP. +# dnstap-tls: yes +# # name for authenticating the upstream server. or "" disabled. +# dnstap-tls-server-name: "" +# # if "", it uses the cert bundle from the main unbound config. +# dnstap-tls-cert-bundle: "" +# # key file for client authentication, or "" disabled. +# dnstap-tls-client-key-file: "" +# # cert file for client authentication, or "" disabled. +# dnstap-tls-client-cert-file: "" +# dnstap-send-identity: no +# dnstap-send-version: no +# # if "" it uses the hostname. +# dnstap-identity: "" +# # if "" it uses the package version. +# dnstap-version: "" +# dnstap-log-resolver-query-messages: no +# dnstap-log-resolver-response-messages: no +# dnstap-log-client-query-messages: no +# dnstap-log-client-response-messages: no +# dnstap-log-forwarder-query-messages: no +# dnstap-log-forwarder-response-messages: no + # Response Policy Zones # RPZ policies. Applied in order of configuration. QNAME and Response IP # Address trigger are the only supported triggers. Supported actions are: diff --git a/usr.sbin/unbound/doc/libunbound.3.in b/usr.sbin/unbound/doc/libunbound.3.in index 69c20111624..10bda1614b2 100644 --- a/usr.sbin/unbound/doc/libunbound.3.in +++ b/usr.sbin/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "May 19, 2020" "NLnet Labs" "unbound 1.10.1" +.TH "libunbound" "3" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.10.1 functions. +\- Unbound DNS validating resolver 1.11.0 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/usr.sbin/unbound/doc/unbound-anchor.8.in b/usr.sbin/unbound/doc/unbound-anchor.8.in index 680066a7507..1c7799ca11d 100644 --- a/usr.sbin/unbound/doc/unbound-anchor.8.in +++ b/usr.sbin/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "May 19, 2020" "NLnet Labs" "unbound 1.10.1" +.TH "unbound-anchor" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" @@ -69,6 +69,9 @@ The server name, it connects to https://name. Specify without https:// prefix. The default is "data.iana.org". It connects to the port specified with \-P. You can pass an IPv4 address or IPv6 address (no brackets) if you want. .TP +.B \-S +Do not use SNI for the HTTPS connection. Default is to use SNI. +.TP .B \-b \fIaddress The source address to bind to for domain resolution and contacting the server on https. May be either an IPv4 address or IPv6 address (no brackets). diff --git a/usr.sbin/unbound/doc/unbound-checkconf.8.in b/usr.sbin/unbound/doc/unbound-checkconf.8.in index 8fb18410dfd..c7a0f944957 100644 --- a/usr.sbin/unbound/doc/unbound-checkconf.8.in +++ b/usr.sbin/unbound/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "May 19, 2020" "NLnet Labs" "unbound 1.10.1" +.TH "unbound-checkconf" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/usr.sbin/unbound/doc/unbound-control.8.in b/usr.sbin/unbound/doc/unbound-control.8.in index 3747b1fa670..15445030336 100644 --- a/usr.sbin/unbound/doc/unbound-control.8.in +++ b/usr.sbin/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "May 19, 2020" "NLnet Labs" "unbound 1.10.1" +.TH "unbound-control" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" .\" .\" unbound-control.8 -- unbound remote control manual .\" diff --git a/usr.sbin/unbound/doc/unbound-host.1.in b/usr.sbin/unbound/doc/unbound-host.1.in index e2dcc4a9b0e..cae708d66b1 100644 --- a/usr.sbin/unbound/doc/unbound-host.1.in +++ b/usr.sbin/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "May 19, 2020" "NLnet Labs" "unbound 1.10.1" +.TH "unbound\-host" "1" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/usr.sbin/unbound/doc/unbound.8.in b/usr.sbin/unbound/doc/unbound.8.in index 74c900ebcc0..fcdb3d83340 100644 --- a/usr.sbin/unbound/doc/unbound.8.in +++ b/usr.sbin/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "May 19, 2020" "NLnet Labs" "unbound 1.10.1" +.TH "unbound" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.10.1. +\- Unbound DNS validating resolver 1.11.0. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/usr.sbin/unbound/doc/unbound.conf.5.in b/usr.sbin/unbound/doc/unbound.conf.5.in index 595ddaa97dc..fc886ea8964 100644 --- a/usr.sbin/unbound/doc/unbound.conf.5.in +++ b/usr.sbin/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "May 19, 2020" "NLnet Labs" "unbound 1.10.1" +.TH "unbound.conf" "5" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -41,6 +41,12 @@ for the included files works, relative pathnames for the included names work if the directory where the daemon is started equals its chroot/working directory or is specified before the include statement with directory: dir. Wildcards can be used to include multiple files, see \fIglob\fR(7). +.P +For a more structural include option, the +.B include\-toplevel: +directive can be used. This closes whatever clause is currently active (if any) +and forces the use of clauses in the included files and right after this +directive. .SS "Server Options" These options are part of the .B server: @@ -90,9 +96,12 @@ interface and port number), if not specified the default port (from Same as interface: (for ease of compatibility with nsd.conf). .TP .B interface\-automatic: \fI<yes or no> -Detect source interface on UDP queries and copy them to replies. This -feature is experimental, and needs support in your OS for particular socket -options. Default value is no. +Listen on all addresses on all (current and future) interfaces, detect the +source interface on UDP queries and copy them to replies. This is a lot like +ip\-transparent, but this option services all interfaces whilst with +ip\-transparent you can select which (future) interfaces unbound provides +service on. This feature is experimental, and needs support in your OS for +particular socket options. Default value is no. .TP .B outgoing\-interface: \fI<ip address or ip6 netblock> Interface to use to connect to the network. This interface is used to send @@ -287,6 +296,12 @@ IP addresses that are nonlocal or do not exist, like when the network interface or IP address is down. Exists only on Linux, where the similar ip\-transparent option is also available. .TP +.B ip-dscp: \fI<number> +The value of the Differentiated Services Codepoint (DSCP) in the +differentiated services field (DS) of the outgoing IP packet headers. +The field replaces the outdated IPv4 Type-Of-Service field and the +IPV6 traffic class field. +.TP .B rrset\-cache\-size: \fI<number> Number of bytes size of the RRset cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes @@ -345,6 +360,13 @@ IPv6 to the internet nameservers. With this option you can disable the ipv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it. .TP +.B prefer\-ip4: \fI<yes or no> +If enabled, prefer IPv4 transport for sending DNS queries to internet +nameservers. Default is no. Useful if the IPv6 netblock the server has, +the entire /64 of that is not owned by one operator and the reputation of +the netblock /64 is an issue, using IPv4 then uses the IPv4 filters that +the upstream servers have. +.TP .B prefer\-ip6: \fI<yes or no> If enabled, prefer IPv6 transport for sending DNS queries to internet nameservers. Default is no. @@ -494,6 +516,11 @@ and that is the default. Set the list of ciphersuites to allow when serving TLS. This is for newer TLS 1.3 connections. Use "" for defaults, and that is the default. .TP +.B tls\-use\-sni: \fI<yes or no> +Enable or disable sending the SNI extension on TLS connections. +Default is yes. +Changing the value requires a reload. +.TP .B use\-systemd: \fI<yes or no> Enable or disable systemd socket activation. Default is no. @@ -798,7 +825,7 @@ NXDOMAIN from a DNSSEC signed zone. Default is yes. QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. -This option only has effect when qname-minimisation is enabled. Default is off. +This option only has effect when qname-minimisation is enabled. Default is no. .TP .B aggressive\-nsec: \fI<yes or no> Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN @@ -866,7 +893,7 @@ are none. .TP .B rrset\-roundrobin: \fI<yes or no> If yes, Unbound rotates RRSet order in response (the random number is taken -from the query ID, for speed and thread safety). Default is no. +from the query ID, for speed and thread safety). Default is yes. .TP .B minimal-responses: \fI<yes or no> If yes, Unbound doesn't insert authority/additional sections into response @@ -897,7 +924,9 @@ EDNS client subnet support the default is "subnetcache validator iterator". Most modules that need to be listed here have to be listed at the beginning of the line. The cachedb module has to be listed just before the iterator. The python module can be listed in different places, it then processes the -output of the module it is just before. +output of the module it is just before. The dynlib module can be listed pretty +much anywhere, it is only a very thin wrapper that allows dynamic libraries to +run in its place. .TP .B trust\-anchor\-file: \fI<filename> File with trusted keys for validation. Both DS and DNSKEY entries can appear @@ -1546,6 +1575,9 @@ Name of stub zone nameserver. Is itself resolved before it is used. .B stub\-addr: \fI<IP address> IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check +the tls authentication certificates with that name. If you combine +the '@' and '#', the '@' comes first. .TP .B stub\-prime: \fI<yes or no> This option is by default no. If enabled it performs NS set priming, @@ -1764,6 +1796,24 @@ directory. .B python\-script: \fI<python file>\fR The script file to load. Repeat this option for every python module instance added to the \fBmodule\-config:\fR option. +.SS "Dynamic Library Module Options" +.LP +The +.B dynlib: +clause gives the settings for the \fIdynlib\fR module. This module is only +a very small wrapper that allows dynamic modules to be loaded on runtime +instead of being compiled into the application. To enable the dynlib module it +has to be compiled into the daemon, and the word "dynlib" has to be put in the +\fBmodule\-config:\fR option. Multiple instances of dynamic libraries are +supported by adding the word "dynlib" more than once. +.LP +The \fBdynlib\-file:\fR path should be specified as an absolute path relative +to the new path set by \fBchroot:\fR option, or as a relative path to the +working directory. +.TP +.B dynlib\-file: \fI<dynlib file>\fR +The dynamic library file to load. Repeat this option for every dynlib module +instance added to the \fBmodule\-config:\fR option. .SS "DNS64 Module Options" .LP The dns64 module must be configured in the \fBmodule\-config:\fR "dns64 @@ -2015,6 +2065,11 @@ even if some data have expired in terms of DNS TTL or the Redis server has cached too much data; if necessary the Redis server must be configured to limit the cache size, preferably with some kind of least-recently-used eviction policy. +Additionaly, the \fBredis\-expire\-records\fR option can be used in order to +set the relative DNS TTL of the message as timeout to the Redis records; keep +in mind that some additional memory is used per key and that the expire +information is stored as absolute Unix timestamps in Redis (computer time must +be stable). This backend uses synchronous communication with the Redis server based on the assumption that the communication is stable and sufficiently fast. @@ -2069,6 +2124,94 @@ If this timeout expires Unbound closes the connection, treats it as if the Redis server does not have the requested data, and will try to re-establish a new connection later. This option defaults to 100 milliseconds. +.TP +.B redis-expire-records: \fI<yes or no> +If Redis record expiration is enabled. If yes, unbound sets timeout for Redis +records so that Redis can evict keys that have expired automatically. If +unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0, +this option is internally reverted to "no". Redis SETEX support is required +for this option (Redis >= 2.0.0). +This option defaults to no. +.SS DNSTAP Logging Options +DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section. +This starts an extra thread (when compiled with threading) that writes +the log information to the destination. If unbound is compiled without +threading it does not spawn a thread, but connects per-process to the +destination. +.TP +.B dnstap-enable: \fI<yes or no> +If dnstap is enabled. Default no. If yes, it connects to the dnstap server +and if any of the dnstap-log-..-messages options is enabled it sends logs +for those messages to the server. +.TP +.B dnstap-bidirectional: \fI<yes or no> +Use frame streams in bidirectional mode to transfer DNSTAP messages. Default is +yes. +.TP +.B dnstap-socket-path: \fI<file name> +Sets the unix socket file name for connecting to the server that is +listening on that socket. Default is "@DNSTAP_SOCKET_PATH@". +.TP +.B dnstap-ip: \fI<IPaddress[@port]> +If "", the unix socket is used, if set with an IP address (IPv4 or IPv6) +that address is used to connect to the server. +.TP +.B dnstap-tls: \fI<yes or no> +Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR. +The default is yes. If set to no, TCP is used to connect to the server. +.TP +.B dnstap-tls-server-name: \fI<name of TLS authentication> +The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If "" it is ignored, default "". +.TP +.B dnstap-tls-cert-bundle: \fI<file name of cert bundle> +The pem file with certs to verify the TLS server certificate. If "" the +server default cert bundle is used, or the windows cert bundle on windows. +Default is "". +.TP +.B dnstap-tls-client-key-file: \fI<file name> +The client key file for TLS client authentication. If "" client +authentication is not used. Default is "". +.TP +.B dnstap-tls-client-cert-file: \fI<file name> +The client cert file for TLS client authentication. Default is "". +.TP +.B dnstap-send-identity: \fI<yes or no> +If enabled, the server identity is included in the log messages. +Default is no. +.TP +.B dnstap-send-version: \fI<yes or no> +If enabled, the server version if included in the log messages. +Default is no. +.TP +.B dnstap-identity: \fI<string> +The identity to send with messages, if "" the hostname is used. +Default is "". +.TP +.B dnstap-version: \fI<string> +The version to send with messages, if "" the package version is used. +Default is "". +.TP +.B dnstap-log-resolver-query-messages: \fI<yes or no> +Enable to log resolver query messages. Default is no. +These are messages from unbound to upstream servers. +.TP +.B dnstap-log-resolver-response-messages: \fI<yes or no> +Enable to log resolver response messages. Default is no. +These are replies from upstream servers to unbound. +.TP +.B dnstap-log-client-query-messages: \fI<yes or no> +Enable to log client query messages. Default is no. +These are client queries to unbound. +.TP +.B dnstap-log-client-response-messages: \fI<yes or no> +Enable to log client response messages. Default is no. +These are responses from unbound to clients. +.TP +.B dnstap-log-forwarder-query-messages: \fI<yes or no> +Enable to log forwarder query messages. Default is no. +.TP +.B dnstap-log-forwarder-response-messages: \fI<yes or no> +Enable to log forwarder response messages. Default is no. .SS Response Policy Zone Options .LP Response Policy Zones are configured with \fBrpz:\fR, and each one must have a diff --git a/usr.sbin/unbound/edns-subnet/subnetmod.c b/usr.sbin/unbound/edns-subnet/subnetmod.c index 37dc550cd69..f1b401b9080 100644 --- a/usr.sbin/unbound/edns-subnet/subnetmod.c +++ b/usr.sbin/unbound/edns-subnet/subnetmod.c @@ -386,8 +386,7 @@ update_cache(struct module_qstate *qstate, int id) rep->flags |= (BIT_RA | BIT_QR); /* fix flags to be sensible for */ rep->flags &= ~(BIT_AA | BIT_CD);/* a reply based on the cache */ addrtree_insert(tree, (addrkey_t*)edns->subnet_addr, - edns->subnet_source_mask, - sq->ecs_server_in.subnet_scope_mask, rep, + edns->subnet_source_mask, sq->max_scope, rep, rep->ttl, *qstate->env->now); lock_rw_unlock(&lru_entry->lock); @@ -543,7 +542,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq) c_out->subnet_addr_fam = c_in->subnet_addr_fam; c_out->subnet_source_mask = c_in->subnet_source_mask; memcpy(&c_out->subnet_addr, &c_in->subnet_addr, INET6_SIZE); - c_out->subnet_scope_mask = s_in->subnet_scope_mask; + c_out->subnet_scope_mask = sq->max_scope; /* Limit scope returned to client to scope used for caching. */ if(c_out->subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP4) { if(c_out->subnet_scope_mask > @@ -648,6 +647,19 @@ ecs_query_response(struct module_qstate* qstate, struct dns_msg* response, qstate->env->cfg->client_subnet_opcode); sq->subnet_sent = 0; memset(&sq->ecs_server_out, 0, sizeof(sq->ecs_server_out)); + } else if (!sq->track_max_scope && + FLAGS_GET_RCODE(response->rep->flags) == LDNS_RCODE_NOERROR && + response->rep->an_numrrsets > 0 + ) { + struct ub_packed_rrset_key* s = response->rep->rrsets[0]; + if(ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME && + query_dname_compare(qstate->qinfo.qname, + s->rk.dname) == 0) { + /* CNAME response for QNAME. From now on keep track of + * longest received ECS prefix for all queries on this + * qstate. */ + sq->track_max_scope = 1; + } } return 1; } @@ -663,16 +675,19 @@ ecs_edns_back_parsed(struct module_qstate* qstate, int id, return 1; if((ecs_opt = edns_opt_list_find( qstate->edns_opts_back_in, - qstate->env->cfg->client_subnet_opcode))) { - if(parse_subnet_option(ecs_opt, &sq->ecs_server_in) && - sq->subnet_sent && - sq->ecs_server_in.subnet_validdata) + qstate->env->cfg->client_subnet_opcode)) && + parse_subnet_option(ecs_opt, &sq->ecs_server_in) && + sq->subnet_sent && sq->ecs_server_in.subnet_validdata) { /* Only skip global cache store if we sent an ECS option * and received one back. Answers from non-whitelisted * servers will end up in global cache. Answers for * queries with 0 source will not (unless nameserver * does not support ECS). */ qstate->no_cache_store = 1; + if(!sq->track_max_scope || (sq->track_max_scope && + sq->ecs_server_in.subnet_scope_mask > + sq->max_scope)) + sq->max_scope = sq->ecs_server_in.subnet_scope_mask; } return 1; diff --git a/usr.sbin/unbound/edns-subnet/subnetmod.h b/usr.sbin/unbound/edns-subnet/subnetmod.h index e408627b0ab..27ba2ee7412 100644 --- a/usr.sbin/unbound/edns-subnet/subnetmod.h +++ b/usr.sbin/unbound/edns-subnet/subnetmod.h @@ -45,6 +45,7 @@ #include "util/alloc.h" #include "util/net_help.h" #include "util/storage/slabhash.h" +#include "util/data/dname.h" #include "edns-subnet/addrtree.h" #include "edns-subnet/edns-subnet.h" @@ -83,6 +84,12 @@ struct subnet_qstate { struct ecs_data ecs_server_out; int subnet_downstream; int subnet_sent; + /** keep track of longest received scope, set after receiving CNAME for + * incoming QNAME. */ + int track_max_scope; + /** longest received scope mask since track_max_scope is set. This value + * is used for caching and answereing to client. */ + uint8_t max_scope; /** has the subnet module been started with no_cache_store? */ int started_no_cache_store; }; diff --git a/usr.sbin/unbound/iterator/iter_utils.c b/usr.sbin/unbound/iterator/iter_utils.c index 3c14de86e7b..7bc67da69b2 100644 --- a/usr.sbin/unbound/iterator/iter_utils.c +++ b/usr.sbin/unbound/iterator/iter_utils.c @@ -484,6 +484,63 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env, got_num = num4ok; *selected_rtt = num4_lowrtt; } + } else if (env->cfg->prefer_ip4) { + int got_num4 = 0; + int low_rtt4 = 0; + int i; + int attempt = -1; /* filter to make sure addresses have + less attempts on them than the first, to force round + robin when all the IPv4 addresses fail */ + int num6ok = 0; /* number ip6 at low attempt count */ + int num6_lowrtt = 0; + prev = NULL; + a = dp->result_list; + for(i = 0; i < got_num; i++) { + swap_to_front = 0; + if(a->addr.ss_family != AF_INET && attempt == -1) { + /* if we only have ip6 at low attempt count, + * then ip4 is failing, and we need to + * select one of the remaining IPv6 addrs */ + attempt = a->attempts; + num6ok++; + num6_lowrtt = a->sel_rtt; + } else if(a->addr.ss_family != AF_INET && attempt == a->attempts) { + num6ok++; + if(num6_lowrtt == 0 || a->sel_rtt < num6_lowrtt) { + num6_lowrtt = a->sel_rtt; + } + } + if(a->addr.ss_family == AF_INET) { + if(attempt == -1) { + attempt = a->attempts; + } else if(a->attempts > attempt) { + break; + } + got_num4++; + swap_to_front = 1; + if(low_rtt4 == 0 || a->sel_rtt < low_rtt4) { + low_rtt4 = a->sel_rtt; + } + } + /* swap to front if IPv4, or move to next result */ + if(swap_to_front && prev) { + n = a->next_result; + prev->next_result = n; + a->next_result = dp->result_list; + dp->result_list = a; + a = n; + } else { + prev = a; + a = a->next_result; + } + } + if(got_num4 > 0) { + got_num = got_num4; + *selected_rtt = low_rtt4; + } else if(num6ok > 0) { + got_num = num6ok; + *selected_rtt = num6_lowrtt; + } } return got_num; } diff --git a/usr.sbin/unbound/iterator/iterator.c b/usr.sbin/unbound/iterator/iterator.c index 9d36660c0b1..23b07ea9095 100644 --- a/usr.sbin/unbound/iterator/iterator.c +++ b/usr.sbin/unbound/iterator/iterator.c @@ -162,7 +162,7 @@ iter_new(struct module_qstate* qstate, int id) iq->qchase = qstate->qinfo; outbound_list_init(&iq->outlist); iq->minimise_count = 0; - iq->minimise_timeout_count = 0; + iq->timeout_count = 0; if (qstate->env->cfg->qname_minimisation) iq->minimisation_state = INIT_MINIMISE_STATE; else @@ -2239,7 +2239,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, iq->qinfo_out.qname = iq->qchase.qname; iq->qinfo_out.qname_len = iq->qchase.qname_len; iq->minimise_count++; - iq->minimise_timeout_count = 0; + iq->timeout_count = 0; iter_dec_attempts(iq->dp, 1); @@ -2327,7 +2327,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, } } if(iq->minimisation_state == SKIP_MINIMISE_STATE) { - if(iq->minimise_timeout_count < MAX_MINIMISE_TIMEOUT_COUNT) + if(iq->timeout_count < MAX_MINIMISE_TIMEOUT_COUNT) /* Do not increment qname, continue incrementing next * iteration */ iq->minimisation_state = MINIMISE_STATE; @@ -2668,14 +2668,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, if(iq->response == NULL) { /* Don't increment qname when QNAME minimisation is enabled */ if(qstate->env->cfg->qname_minimisation) { - iq->minimise_timeout_count++; iq->minimisation_state = SKIP_MINIMISE_STATE; } + iq->timeout_count++; iq->chase_to_rd = 0; iq->dnssec_lame_query = 0; verbose(VERB_ALGO, "query response was timeout"); return next_state(iq, QUERYTARGETS_STATE); } + iq->timeout_count = 0; type = response_type_from_server( (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), iq->response, &iq->qinfo_out, iq->dp); @@ -3690,7 +3691,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, iq->response = NULL; iq->state = QUERY_RESP_STATE; if(event == module_event_noreply || event == module_event_error) { - if(event == module_event_noreply && iq->sent_count >= 3 && + if(event == module_event_noreply && iq->timeout_count >= 3 && qstate->env->cfg->use_caps_bits_for_id && !iq->caps_fallback && !is_caps_whitelisted(ie, iq)) { /* start fallback */ diff --git a/usr.sbin/unbound/iterator/iterator.h b/usr.sbin/unbound/iterator/iterator.h index 53dcab3b18b..342ac207e82 100644 --- a/usr.sbin/unbound/iterator/iterator.h +++ b/usr.sbin/unbound/iterator/iterator.h @@ -398,8 +398,9 @@ struct iter_qstate { /** * Count number of time-outs. Used to prevent resolving failures when - * the QNAME minimisation QTYPE is blocked. */ - int minimise_timeout_count; + * the QNAME minimisation QTYPE is blocked. Used to determine if + * capsforid fallback should be started.*/ + int timeout_count; /** True if the current response is from auth_zone */ int auth_zone_response; diff --git a/usr.sbin/unbound/libunbound/libworker.c b/usr.sbin/unbound/libunbound/libworker.c index 6cb97ff1fd4..44b8d790561 100644 --- a/usr.sbin/unbound/libunbound/libworker.c +++ b/usr.sbin/unbound/libunbound/libworker.c @@ -74,6 +74,14 @@ #include "sldns/sbuffer.h" #include "sldns/str2wire.h" +#ifdef HAVE_TARGETCONDITIONALS_H +#include <TargetConditionals.h> +#endif + +#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH) +#undef HAVE_FORK +#endif + /** handle new query command for bg worker */ static void handle_newq(struct libworker* w, uint8_t* buf, uint32_t len); @@ -225,12 +233,12 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb) w->back = outside_network_create(w->base, cfg->msg_buffer_size, (size_t)cfg->outgoing_num_ports, cfg->out_ifs, cfg->num_out_ifs, cfg->do_ip4, cfg->do_ip6, - cfg->do_tcp?cfg->outgoing_num_tcp:0, + cfg->do_tcp?cfg->outgoing_num_tcp:0, cfg->ip_dscp, w->env->infra_cache, w->env->rnd, cfg->use_caps_bits_for_id, ports, numports, cfg->unwanted_threshold, cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w, cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx, - cfg->delay_close, NULL); + cfg->delay_close, cfg->tls_use_sni, NULL); w->env->outnet = w->back; if(!w->is_bg || w->is_bg_thread) { lock_basic_unlock(&ctx->cfglock); @@ -1047,3 +1055,19 @@ wsvc_cron_cb(void* ATTR_UNUSED(arg)) log_assert(0); } #endif /* UB_ON_WINDOWS */ + +#ifdef USE_DNSTAP +void dtio_tap_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), + void* ATTR_UNUSED(arg)) +{ + log_assert(0); +} +#endif + +#ifdef USE_DNSTAP +void dtio_mainfdcallback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), + void* ATTR_UNUSED(arg)) +{ + log_assert(0); +} +#endif diff --git a/usr.sbin/unbound/libunbound/unbound.h b/usr.sbin/unbound/libunbound/unbound.h index ca9592d62d5..b53426c76d5 100644 --- a/usr.sbin/unbound/libunbound/unbound.h +++ b/usr.sbin/unbound/libunbound/unbound.h @@ -642,6 +642,7 @@ struct ub_shm_stat_info { long long respip; long long dnscrypt_shared_secret; long long dnscrypt_nonce; + long long dynlib; } mem; }; diff --git a/usr.sbin/unbound/respip/respip.c b/usr.sbin/unbound/respip/respip.c index f504f55791a..6fa4f18851f 100644 --- a/usr.sbin/unbound/respip/respip.c +++ b/usr.sbin/unbound/respip/respip.c @@ -502,10 +502,16 @@ copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region) ck->entry.hash = key->entry.hash; ck->entry.key = ck; ck->rk = key->rk; - ck->rk.dname = regional_alloc_init(region, key->rk.dname, - key->rk.dname_len); - if(!ck->rk.dname) - return NULL; + if(key->rk.dname) { + ck->rk.dname = regional_alloc_init(region, key->rk.dname, + key->rk.dname_len); + if(!ck->rk.dname) + return NULL; + ck->rk.dname_len = key->rk.dname_len; + } else { + ck->rk.dname = NULL; + ck->rk.dname_len = 0; + } if((unsigned)data->count >= 0xffff00U) return NULL; /* guard against integer overflow in dsize */ @@ -908,6 +914,7 @@ respip_rewrite_reply(const struct query_info* qinfo, int ret = 1; struct ub_packed_rrset_key* redirect_rrset = NULL; struct rpz* r; + struct auth_zone* a; struct ub_packed_rrset_key* data = NULL; int rpz_used = 0; int rpz_log = 0; @@ -949,6 +956,10 @@ respip_rewrite_reply(const struct query_info* qinfo, } if(!raddr && !view->isfirst) goto done; + if(!raddr && view->isfirst) { + lock_rw_unlock(&view->lock); + view = NULL; + } } if(!raddr && (raddr = respip_addr_lookup(rep, ipset, &rrset_id))) { @@ -959,7 +970,9 @@ respip_rewrite_reply(const struct query_info* qinfo, ipset->tagname, ipset->num_tags); } lock_rw_rdlock(&az->rpz_lock); - for(r = az->rpz_first; r && !raddr; r = r->next) { + for(a = az->rpz_first; a && !raddr; a = a->rpz_az_next) { + lock_rw_rdlock(&a->lock); + r = a->rpz; if(!r->taglist || taglist_intersect(r->taglist, r->taglistlen, ctaglist, ctaglen)) { if((raddr = respip_addr_lookup(rep, @@ -969,16 +982,21 @@ respip_rewrite_reply(const struct query_info* qinfo, region, &rpz_used)) { log_err("out of memory"); lock_rw_unlock(&raddr->lock); + lock_rw_unlock(&a->lock); lock_rw_unlock(&az->rpz_lock); return 0; } - if(!rpz_used) { - lock_rw_unlock(&raddr->lock); - raddr = NULL; - actinfo->rpz_disabled++; + if(rpz_used) { + /* break to make sure 'a' stays pointed + * to used auth_zone, and keeps lock */ + break; } + lock_rw_unlock(&raddr->lock); + raddr = NULL; + actinfo->rpz_disabled++; } - } + } + lock_rw_unlock(&a->lock); } lock_rw_unlock(&az->rpz_lock); if(raddr && !search_only) { @@ -1032,6 +1050,9 @@ respip_rewrite_reply(const struct query_info* qinfo, if(raddr) { lock_rw_unlock(&raddr->lock); } + if(rpz_used) { + lock_rw_unlock(&a->lock); + } return ret; } diff --git a/usr.sbin/unbound/services/authzone.c b/usr.sbin/unbound/services/authzone.c index 34170abaf4a..a26d1003abe 100644 --- a/usr.sbin/unbound/services/authzone.c +++ b/usr.sbin/unbound/services/authzone.c @@ -392,12 +392,12 @@ auth_zone_delete(struct auth_zone* z, struct auth_zones* az) if(az && z->rpz) { /* keep RPZ linked list intact */ lock_rw_wrlock(&az->rpz_lock); - if(z->rpz->prev) - z->rpz->prev->next = z->rpz->next; + if(z->rpz_az_prev) + z->rpz_az_prev->rpz_az_next = z->rpz_az_next; else - az->rpz_first = z->rpz->next; - if(z->rpz->next) - z->rpz->next->prev = z->rpz->prev; + az->rpz_first = z->rpz_az_next; + if(z->rpz_az_next) + z->rpz_az_next->rpz_az_prev = z->rpz_az_prev; lock_rw_unlock(&az->rpz_lock); } if(z->rpz) @@ -426,9 +426,11 @@ auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen, } rbtree_init(&z->data, &auth_data_cmp); lock_rw_init(&z->lock); - lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)); + lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)- + sizeof(&z->rpz_az_next)-sizeof(&z->rpz_az_prev)); lock_rw_wrlock(&z->lock); - /* z lock protects all, except rbtree itself, which is az->lock */ + /* z lock protects all, except rbtree itself and the rpz linked list + * pointers, which are protected using az->lock */ if(!rbtree_insert(&az->ztree, &z->node)) { lock_rw_unlock(&z->lock); auth_zone_delete(z, NULL); @@ -1178,9 +1180,9 @@ az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, return 0; } if(z->rpz) { - if(!(rpz_insert_rr(z->rpz, z->namelen, dname, dname_len, - rr_type, rr_class, rr_ttl, rdata, rdatalen, rr, - rr_len))) + if(!(rpz_insert_rr(z->rpz, z->name, z->namelen, dname, + dname_len, rr_type, rr_class, rr_ttl, rdata, rdatalen, + rr, rr_len))) return 0; } return 1; @@ -1864,15 +1866,26 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c) struct auth_xfer* x = NULL; /* create zone */ + if(c->isrpz) { + /* if the rpz lock is needed, grab it before the other + * locks to avoid a lock dependency cycle */ + lock_rw_wrlock(&az->rpz_lock); + } lock_rw_wrlock(&az->lock); if(!(z=auth_zones_find_or_add_zone(az, c->name))) { lock_rw_unlock(&az->lock); + if(c->isrpz) { + lock_rw_unlock(&az->rpz_lock); + } return 0; } if(c->masters || c->urls) { if(!(x=auth_zones_find_or_add_xfer(az, z))) { lock_rw_unlock(&az->lock); lock_rw_unlock(&z->lock); + if(c->isrpz) { + lock_rw_unlock(&az->rpz_lock); + } return 0; } } @@ -1887,6 +1900,9 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c) lock_basic_unlock(&x->lock); } lock_rw_unlock(&z->lock); + if(c->isrpz) { + lock_rw_unlock(&az->rpz_lock); + } return 0; } z->for_downstream = c->for_downstream; @@ -1897,11 +1913,14 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c) fatal_exit("Could not setup RPZ zones"); return 0; } - lock_rw_wrlock(&az->rpz_lock); - z->rpz->next = az->rpz_first; + lock_protect(&z->lock, &z->rpz->local_zones, sizeof(*z->rpz)); + /* the az->rpz_lock is locked above */ + z->rpz_az_next = az->rpz_first; if(az->rpz_first) - az->rpz_first->prev = z->rpz; - az->rpz_first = z->rpz; + az->rpz_first->rpz_az_prev = z; + az->rpz_first = z; + } + if(c->isrpz) { lock_rw_unlock(&az->rpz_lock); } @@ -5331,7 +5350,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf, log_assert(xfr->task_transfer); lock_basic_lock(&xfr->lock); env = xfr->task_transfer->env; - if(env->outnet->want_to_quit) { + if(!env || env->outnet->want_to_quit) { lock_basic_unlock(&xfr->lock); return; /* stop on quit */ } @@ -5770,7 +5789,7 @@ auth_xfer_transfer_timer_callback(void* arg) log_assert(xfr->task_transfer); lock_basic_lock(&xfr->lock); env = xfr->task_transfer->env; - if(env->outnet->want_to_quit) { + if(!env || env->outnet->want_to_quit) { lock_basic_unlock(&xfr->lock); return; /* stop on quit */ } @@ -5812,7 +5831,7 @@ auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err, log_assert(xfr->task_transfer); lock_basic_lock(&xfr->lock); env = xfr->task_transfer->env; - if(env->outnet->want_to_quit) { + if(!env || env->outnet->want_to_quit) { lock_basic_unlock(&xfr->lock); return 0; /* stop on quit */ } @@ -5893,7 +5912,7 @@ auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err, log_assert(xfr->task_transfer); lock_basic_lock(&xfr->lock); env = xfr->task_transfer->env; - if(env->outnet->want_to_quit) { + if(!env || env->outnet->want_to_quit) { lock_basic_unlock(&xfr->lock); return 0; /* stop on quit */ } @@ -6107,7 +6126,7 @@ auth_xfer_probe_timer_callback(void* arg) log_assert(xfr->task_probe); lock_basic_lock(&xfr->lock); env = xfr->task_probe->env; - if(env->outnet->want_to_quit) { + if(!env || env->outnet->want_to_quit) { lock_basic_unlock(&xfr->lock); return; /* stop on quit */ } @@ -6143,7 +6162,7 @@ auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err, log_assert(xfr->task_probe); lock_basic_lock(&xfr->lock); env = xfr->task_probe->env; - if(env->outnet->want_to_quit) { + if(!env || env->outnet->want_to_quit) { lock_basic_unlock(&xfr->lock); return 0; /* stop on quit */ } @@ -6388,7 +6407,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf, log_assert(xfr->task_probe); lock_basic_lock(&xfr->lock); env = xfr->task_probe->env; - if(env->outnet->want_to_quit) { + if(!env || env->outnet->want_to_quit) { lock_basic_unlock(&xfr->lock); return; /* stop on quit */ } @@ -6465,7 +6484,7 @@ auth_xfer_timer(void* arg) log_assert(xfr->task_nextprobe); lock_basic_lock(&xfr->lock); env = xfr->task_nextprobe->env; - if(env->outnet->want_to_quit) { + if(!env || env->outnet->want_to_quit) { lock_basic_unlock(&xfr->lock); return; /* stop on quit */ } diff --git a/usr.sbin/unbound/services/authzone.h b/usr.sbin/unbound/services/authzone.h index 9bb131ad8b3..3d94f30d620 100644 --- a/usr.sbin/unbound/services/authzone.h +++ b/usr.sbin/unbound/services/authzone.h @@ -82,8 +82,8 @@ struct auth_zones { size_t num_query_up; /** number of queries downstream */ size_t num_query_down; - /** first rpz item in linked list */ - struct rpz* rpz_first; + /** first auth zone containing rpz item in linked list */ + struct auth_zone* rpz_first; /** rw lock for rpz linked list, needed when iterating or editing linked * list. */ lock_rw_type rpz_lock; @@ -138,6 +138,11 @@ struct auth_zone { int zone_deleted; /** deletelist pointer, unused normally except during delete */ struct auth_zone* delete_next; + /* not protected by auth_zone lock, must be last items in struct */ + /** next auth zone containing RPZ data, or NULL */ + struct auth_zone* rpz_az_next; + /** previous auth zone containing RPZ data, or NULL */ + struct auth_zone* rpz_az_prev; }; /** diff --git a/usr.sbin/unbound/services/listen_dnsport.c b/usr.sbin/unbound/services/listen_dnsport.c index 7e2afd843be..cc56d3fd316 100644 --- a/usr.sbin/unbound/services/listen_dnsport.c +++ b/usr.sbin/unbound/services/listen_dnsport.c @@ -179,9 +179,10 @@ int create_udp_sock(int family, int socktype, struct sockaddr* addr, socklen_t addrlen, int v6only, int* inuse, int* noproto, int rcv, int snd, int listen, int* reuseport, int transparent, - int freebind, int use_systemd) + int freebind, int use_systemd, int dscp) { int s; + char* err; #if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_USE_MIN_MTU) || defined(IP_TRANSPARENT) || defined(IP_BINDANY) || defined(IP_FREEBIND) || defined (SO_BINDANY) int on=1; #endif @@ -451,6 +452,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, # endif #endif /* SO_SNDBUF */ } + err = set_ip_dscp(s, family, dscp); + if(err != NULL) + log_warn("error setting IP DiffServ codepoint %d on UDP socket: %s", dscp, err); if(family == AF_INET6) { # if defined(IPV6_V6ONLY) if(v6only) { @@ -638,9 +642,10 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, - int* reuseport, int transparent, int mss, int freebind, int use_systemd) + int* reuseport, int transparent, int mss, int freebind, int use_systemd, int dscp) { int s; + char* err; #if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY) || defined(IP_TRANSPARENT) || defined(IP_BINDANY) || defined(IP_FREEBIND) || defined(SO_BINDANY) int on = 1; #endif @@ -793,6 +798,9 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, strerror(errno)); } #endif /* IP_TRANSPARENT || IP_BINDANY || SO_BINDANY */ + err = set_ip_dscp(s, addr->ai_family, dscp); + if(err != NULL) + log_warn("error setting IP DiffServ codepoint %d on TCP socket: %s", dscp, err); if( #ifdef HAVE_SYSTEMD !got_fd_from_systemd && @@ -866,6 +874,55 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, return s; } +char* +set_ip_dscp(int socket, int addrfamily, int dscp) +{ + int ds; + + if(dscp == 0) + return NULL; + ds = dscp << 2; + switch(addrfamily) { + case AF_INET6: + if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, (void*)&ds, sizeof(ds)) < 0) + return sock_strerror(errno); + break; + default: + if(setsockopt(socket, IPPROTO_IP, IP_TOS, (void*)&ds, sizeof(ds)) < 0) + return sock_strerror(errno); + break; + } + return NULL; +} + +# ifndef USE_WINSOCK +char* +sock_strerror(int errn) +{ + return strerror(errn); +} + +void +sock_close(int socket) +{ + close(socket); +} + +# else +char* +sock_strerror(int ATTR_UNUSED(errn)) +{ + return wsa_strerror(WSAGetLastError()); +} + +void +sock_close(int socket) +{ + closesocket(socket); +} + +# endif /* USE_WINSOCK */ + int create_local_accept_sock(const char *path, int* noproto, int use_systemd) { @@ -952,7 +1009,7 @@ err: static int make_sock(int stype, const char* ifname, const char* port, struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd, - int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd) + int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd, int dscp) { struct addrinfo *res = NULL; int r, s, inuse, noproto; @@ -980,7 +1037,7 @@ make_sock(int stype, const char* ifname, const char* port, s = create_udp_sock(res->ai_family, res->ai_socktype, (struct sockaddr*)res->ai_addr, res->ai_addrlen, v6only, &inuse, &noproto, (int)rcv, (int)snd, 1, - reuseport, transparent, freebind, use_systemd); + reuseport, transparent, freebind, use_systemd, dscp); if(s == -1 && inuse) { log_err("bind: address already in use"); } else if(s == -1 && noproto && hints->ai_family == AF_INET6){ @@ -988,7 +1045,7 @@ make_sock(int stype, const char* ifname, const char* port, } } else { s = create_tcp_accept_sock(res, v6only, &noproto, reuseport, - transparent, tcp_mss, freebind, use_systemd); + transparent, tcp_mss, freebind, use_systemd, dscp); if(s == -1 && noproto && hints->ai_family == AF_INET6){ *noip6 = 1; } @@ -1001,7 +1058,7 @@ make_sock(int stype, const char* ifname, const char* port, static int make_sock_port(int stype, const char* ifname, const char* port, struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd, - int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd) + int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd, int dscp) { char* s = strchr(ifname, '@'); if(s) { @@ -1023,10 +1080,10 @@ make_sock_port(int stype, const char* ifname, const char* port, (void)strlcpy(p, s+1, sizeof(p)); p[strlen(s+1)]=0; return make_sock(stype, newif, p, hints, v6only, noip6, - rcv, snd, reuseport, transparent, tcp_mss, freebind, use_systemd); + rcv, snd, reuseport, transparent, tcp_mss, freebind, use_systemd, dscp); } return make_sock(stype, ifname, port, hints, v6only, noip6, rcv, snd, - reuseport, transparent, tcp_mss, freebind, use_systemd); + reuseport, transparent, tcp_mss, freebind, use_systemd, dscp); } /** @@ -1146,6 +1203,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port, * @param freebind: set IP_FREEBIND socket option. * @param use_systemd: if true, fetch sockets from systemd. * @param dnscrypt_port: dnscrypt service port number + * @param dscp: DSCP to use. * @return: returns false on error. */ static int @@ -1154,7 +1212,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, size_t rcv, size_t snd, int ssl_port, struct config_strlist* tls_additional_port, int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd, - int dnscrypt_port) + int dnscrypt_port, int dscp) { int s, noip6=0; #ifdef USE_DNSCRYPT @@ -1171,7 +1229,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, if(do_auto) { if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport, transparent, - tcp_mss, freebind, use_systemd)) == -1) { + tcp_mss, freebind, use_systemd, dscp)) == -1) { if(noip6) { log_warn("IPv6 protocol not available"); return 1; @@ -1200,7 +1258,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, /* regular udp socket */ if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport, transparent, - tcp_mss, freebind, use_systemd)) == -1) { + tcp_mss, freebind, use_systemd, dscp)) == -1) { if(noip6) { log_warn("IPv6 protocol not available"); return 1; @@ -1222,7 +1280,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, tls_additional_port); if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, &noip6, 0, 0, reuseport, transparent, tcp_mss, - freebind, use_systemd)) == -1) { + freebind, use_systemd, dscp)) == -1) { if(noip6) { /*log_warn("IPv6 protocol not available");*/ return 1; @@ -1421,7 +1479,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport) cfg->ssl_port, cfg->tls_additional_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, - cfg->dnscrypt_port)) { + cfg->dnscrypt_port, cfg->ip_dscp)) { listening_ports_free(list); return NULL; } @@ -1435,7 +1493,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport) cfg->ssl_port, cfg->tls_additional_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, - cfg->dnscrypt_port)) { + cfg->dnscrypt_port, cfg->ip_dscp)) { listening_ports_free(list); return NULL; } @@ -1451,7 +1509,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport) cfg->ssl_port, cfg->tls_additional_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, - cfg->dnscrypt_port)) { + cfg->dnscrypt_port, cfg->ip_dscp)) { listening_ports_free(list); return NULL; } @@ -1465,7 +1523,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport) cfg->ssl_port, cfg->tls_additional_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, - cfg->dnscrypt_port)) { + cfg->dnscrypt_port, cfg->ip_dscp)) { listening_ports_free(list); return NULL; } diff --git a/usr.sbin/unbound/services/listen_dnsport.h b/usr.sbin/unbound/services/listen_dnsport.h index ad84d832264..ddd1b63a4d9 100644 --- a/usr.sbin/unbound/services/listen_dnsport.h +++ b/usr.sbin/unbound/services/listen_dnsport.h @@ -205,11 +205,12 @@ void listen_start_accept(struct listen_dnsport* listen); * @param transparent: set IP_TRANSPARENT socket option. * @param freebind: set IP_FREEBIND socket option. * @param use_systemd: if true, fetch sockets from systemd. + * @param dscp: DSCP to use. * @return: the socket. -1 on error. */ int create_udp_sock(int family, int socktype, struct sockaddr* addr, socklen_t addrlen, int v6only, int* inuse, int* noproto, int rcv, - int snd, int listen, int* reuseport, int transparent, int freebind, int use_systemd); + int snd, int listen, int* reuseport, int transparent, int freebind, int use_systemd, int dscp); /** * Create and bind TCP listening socket @@ -222,10 +223,11 @@ int create_udp_sock(int family, int socktype, struct sockaddr* addr, * @param mss: maximum segment size of the socket. if zero, leaves the default. * @param freebind: set IP_FREEBIND socket option. * @param use_systemd: if true, fetch sockets from systemd. + * @param dscp: DSCP to use. * @return: the socket. -1 on error. */ int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, - int* reuseport, int transparent, int mss, int freebind, int use_systemd); + int* reuseport, int transparent, int mss, int freebind, int use_systemd, int dscp); /** * Create and bind local listening socket @@ -367,4 +369,7 @@ int tcp_req_info_handle_read_close(struct tcp_req_info* req); /** get the size of currently used tcp stream wait buffers (in bytes) */ size_t tcp_req_info_get_stream_buffer_size(void); +char* set_ip_dscp(int socket, int addrfamily, int ds); +char* sock_strerror(int errn); + #endif /* LISTEN_DNSPORT_H */ diff --git a/usr.sbin/unbound/services/localzone.c b/usr.sbin/unbound/services/localzone.c index 18407832ff4..6aaf0c05518 100644 --- a/usr.sbin/unbound/services/localzone.c +++ b/usr.sbin/unbound/services/localzone.c @@ -518,7 +518,7 @@ local_zone_enter_rr(struct local_zone* z, uint8_t* nm, size_t nmlen, } /** enter data RR into auth zone */ -int +static int lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr) { uint8_t* nm; diff --git a/usr.sbin/unbound/services/mesh.c b/usr.sbin/unbound/services/mesh.c index 9114ef4c4e2..4b0c5db418f 100644 --- a/usr.sbin/unbound/services/mesh.c +++ b/usr.sbin/unbound/services/mesh.c @@ -159,16 +159,28 @@ client_info_compare(const struct respip_client_info* ci_a, return 1; if(ci_a->taglen != ci_b->taglen) return (ci_a->taglen < ci_b->taglen) ? -1 : 1; - cmp = memcmp(ci_a->taglist, ci_b->taglist, ci_a->taglen); - if(cmp != 0) - return cmp; + if(ci_a->taglist && !ci_b->taglist) + return -1; + if(!ci_a->taglist && ci_b->taglist) + return 1; + if(ci_a->taglist && ci_b->taglist) { + cmp = memcmp(ci_a->taglist, ci_b->taglist, ci_a->taglen); + if(cmp != 0) + return cmp; + } if(ci_a->tag_actions_size != ci_b->tag_actions_size) return (ci_a->tag_actions_size < ci_b->tag_actions_size) ? -1 : 1; - cmp = memcmp(ci_a->tag_actions, ci_b->tag_actions, - ci_a->tag_actions_size); - if(cmp != 0) - return cmp; + if(ci_a->tag_actions && !ci_b->tag_actions) + return -1; + if(!ci_a->tag_actions && ci_b->tag_actions) + return 1; + if(ci_a->tag_actions && ci_b->tag_actions) { + cmp = memcmp(ci_a->tag_actions, ci_b->tag_actions, + ci_a->tag_actions_size); + if(cmp != 0) + return cmp; + } if(ci_a->tag_datas != ci_b->tag_datas) return ci_a->tag_datas < ci_b->tag_datas ? -1 : 1; if(ci_a->view != ci_b->view) @@ -1284,7 +1296,7 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep, void mesh_query_done(struct mesh_state* mstate) { - struct mesh_reply* r, *reply_list = NULL; + struct mesh_reply* r; struct mesh_reply* prev = NULL; struct sldns_buffer* prev_buffer = NULL; struct mesh_cb* c; @@ -1308,27 +1320,7 @@ void mesh_query_done(struct mesh_state* mstate) free(err); } } - if(mstate->reply_list) { - /* set the reply_list to NULL during the mesh_query_done - * processing, so that calls back into the mesh from - * tcp_req_info (deciding to drop the reply and thus - * unregister the mesh_reply from the mstate) are stopped - * because the list is empty. - * The mstate is then likely not a reply_state, and maybe - * also a detached_state. - */ - reply_list = mstate->reply_list; - mstate->reply_list = NULL; - if(!mstate->reply_list && !mstate->cb_list) { - /* was a reply state, not anymore */ - log_assert(mstate->s.env->mesh->num_reply_states > 0); - mstate->s.env->mesh->num_reply_states--; - } - if(!mstate->reply_list && !mstate->cb_list && - mstate->super_set.count == 0) - mstate->s.env->mesh->num_detached_states++; - } - for(r = reply_list; r; r = r->next) { + for(r = mstate->reply_list; r; r = r->next) { /* if a response-ip address block has been stored the * information should be logged for each client. */ if(mstate->s.respip_action_info && @@ -1352,15 +1344,31 @@ void mesh_query_done(struct mesh_state* mstate) /* if this query is determined to be dropped during the * mesh processing, this is the point to take that action. */ if(mstate->s.is_drop) { + /* briefly set the reply_list to NULL, so that the + * tcp req info cleanup routine that calls the mesh + * to deregister the meshstate for it is not done + * because the list is NULL and also accounting is not + * done there, but instead we do that here. */ + struct mesh_reply* reply_list = mstate->reply_list; + mstate->reply_list = NULL; comm_point_drop_reply(&r->query_reply); + mstate->reply_list = reply_list; } else { struct sldns_buffer* r_buffer = r->query_reply.c->buffer; + struct mesh_reply* rlist = mstate->reply_list; if(r->query_reply.c->tcp_req_info) { r_buffer = r->query_reply.c->tcp_req_info->spool_buffer; prev_buffer = NULL; } + /* briefly set the replylist to null in case the + * meshsendreply calls tcpreqinfo sendreply that + * comm_point_drops because of size, and then the + * null stops the mesh state remove and thus + * reply_list modification and accounting */ + mstate->reply_list = NULL; mesh_send_reply(mstate, mstate->s.return_rcode, rep, r, r_buffer, prev, prev_buffer); + mstate->reply_list = rlist; if(r->query_reply.c->tcp_req_info) { tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate); r_buffer = NULL; @@ -1369,6 +1377,17 @@ void mesh_query_done(struct mesh_state* mstate) prev_buffer = r_buffer; } } + if(mstate->reply_list) { + mstate->reply_list = NULL; + if(!mstate->reply_list && !mstate->cb_list) { + /* was a reply state, not anymore */ + log_assert(mstate->s.env->mesh->num_reply_states > 0); + mstate->s.env->mesh->num_reply_states--; + } + if(!mstate->reply_list && !mstate->cb_list && + mstate->super_set.count == 0) + mstate->s.env->mesh->num_detached_states++; + } mstate->replies_sent = 1; while((c = mstate->cb_list) != NULL) { /* take this cb off the list; so that the list can be @@ -1863,7 +1882,7 @@ mesh_serve_expired_callback(void* arg) { struct mesh_state* mstate = (struct mesh_state*) arg; struct module_qstate* qstate = &mstate->s; - struct mesh_reply* r; + struct mesh_reply* r, *rlist; struct mesh_area* mesh = qstate->env->mesh; struct dns_msg* msg; struct mesh_cb* c; @@ -1946,16 +1965,7 @@ mesh_serve_expired_callback(void* arg) if(verbosity >= VERB_ALGO) log_dns_msg("Serve expired lookup", &qstate->qinfo, msg->rep); - r = mstate->reply_list; - mstate->reply_list = NULL; - if(!mstate->reply_list && !mstate->cb_list) { - log_assert(mesh->num_reply_states > 0); - mesh->num_reply_states--; - if(mstate->super_set.count == 0) { - mesh->num_detached_states++; - } - } - for(; r; r = r->next) { + for(r = mstate->reply_list; r; r = r->next) { /* If address info is returned, it means the action should be an * 'inform' variant and the information should be logged. */ if(actinfo.addrinfo) { @@ -1977,8 +1987,15 @@ mesh_serve_expired_callback(void* arg) r_buffer = r->query_reply.c->buffer; if(r->query_reply.c->tcp_req_info) r_buffer = r->query_reply.c->tcp_req_info->spool_buffer; + /* briefly set the replylist to null in case the meshsendreply + * calls tcpreqinfo sendreply that comm_point_drops because + * of size, and then the null stops the mesh state remove and + * thus reply_list modification and accounting */ + rlist = mstate->reply_list; + mstate->reply_list = NULL; mesh_send_reply(mstate, LDNS_RCODE_NOERROR, msg->rep, r, r_buffer, prev, prev_buffer); + mstate->reply_list = rlist; if(r->query_reply.c->tcp_req_info) tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate); prev = r; @@ -1988,6 +2005,16 @@ mesh_serve_expired_callback(void* arg) mesh->ans_expired++; } + if(mstate->reply_list) { + mstate->reply_list = NULL; + if(!mstate->reply_list && !mstate->cb_list) { + log_assert(mesh->num_reply_states > 0); + mesh->num_reply_states--; + if(mstate->super_set.count == 0) { + mesh->num_detached_states++; + } + } + } while((c = mstate->cb_list) != NULL) { /* take this cb off the list; so that the list can be * changed, eg. by adds from the callback routine */ diff --git a/usr.sbin/unbound/services/modstack.c b/usr.sbin/unbound/services/modstack.c index 68e5928146d..a600549b16c 100644 --- a/usr.sbin/unbound/services/modstack.c +++ b/usr.sbin/unbound/services/modstack.c @@ -51,6 +51,9 @@ #ifdef WITH_PYTHONMODULE #include "pythonmod/pythonmod.h" #endif +#ifdef WITH_DYNLIBMODULE +#include "dynlibmod/dynlibmod.h" +#endif #ifdef USE_CACHEDB #include "cachedb/cachedb.h" #endif @@ -140,6 +143,9 @@ module_list_avail(void) #ifdef WITH_PYTHONMODULE "python", #endif +#ifdef WITH_DYNLIBMODULE + "dynlib", +#endif #ifdef USE_CACHEDB "cachedb", #endif @@ -171,6 +177,9 @@ module_funcs_avail(void) #ifdef WITH_PYTHONMODULE &pythonmod_get_funcblock, #endif +#ifdef WITH_DYNLIBMODULE + &dynlibmod_get_funcblock, +#endif #ifdef USE_CACHEDB &cachedb_get_funcblock, #endif diff --git a/usr.sbin/unbound/services/outside_network.c b/usr.sbin/unbound/services/outside_network.c index 80b1f12454d..44e01d7450c 100644 --- a/usr.sbin/unbound/services/outside_network.c +++ b/usr.sbin/unbound/services/outside_network.c @@ -205,18 +205,25 @@ pick_outgoing_tcp(struct waiting_tcp* w, int s) /** get TCP file descriptor for address, returns -1 on failure, * tcp_mss is 0 or maxseg size to set for TCP packets. */ int -outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss) +outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp) { int s; + int af; + char* err; #ifdef SO_REUSEADDR int on = 1; #endif #ifdef INET6 - if(addr_is_ip6(addr, addrlen)) + if(addr_is_ip6(addr, addrlen)){ s = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP); - else + af = AF_INET6; + } else { +#else + { #endif + af = AF_INET; s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); + } if(s == -1) { #ifndef USE_WINSOCK log_err_addr("outgoing tcp: socket", strerror(errno), @@ -236,6 +243,12 @@ outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss) } #endif + err = set_ip_dscp(s, af, dscp); + if(err != NULL) { + verbose(VERB_ALGO, "outgoing tcp:" + "error setting IP DiffServ codepoint on socket"); + } + if(tcp_mss > 0) { #if defined(IPPROTO_TCP) && defined(TCP_MAXSEG) if(setsockopt(s, IPPROTO_TCP, TCP_MAXSEG, @@ -291,7 +304,7 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len) log_assert(pkt); log_assert(w->addrlen > 0); /* open socket */ - s = outnet_get_tcp_fd(&w->addr, w->addrlen, w->outnet->tcp_mss); + s = outnet_get_tcp_fd(&w->addr, w->addrlen, w->outnet->tcp_mss, w->outnet->ip_dscp); if(s == -1) return 0; @@ -373,45 +386,16 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len) comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl); #endif pend->c->ssl_shake_state = comm_ssl_shake_write; - if(w->tls_auth_name) { + if(!set_auth_name_on_ssl(pend->c->ssl, w->tls_auth_name, + w->outnet->tls_use_sni)) { + pend->c->fd = s; #ifdef HAVE_SSL - (void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name); + SSL_free(pend->c->ssl); #endif + pend->c->ssl = NULL; + comm_point_close(pend->c); + return 0; } -#ifdef HAVE_SSL_SET1_HOST - if(w->tls_auth_name) { - SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL); - /* setting the hostname makes openssl verify the - * host name in the x509 certificate in the - * SSL connection*/ - if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) { - log_err("SSL_set1_host failed"); - pend->c->fd = s; - SSL_free(pend->c->ssl); - pend->c->ssl = NULL; - comm_point_close(pend->c); - return 0; - } - } -#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) - /* openssl 1.0.2 has this function that can be used for - * set1_host like verification */ - if(w->tls_auth_name) { - X509_VERIFY_PARAM* param = SSL_get0_param(pend->c->ssl); - X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - if(!X509_VERIFY_PARAM_set1_host(param, w->tls_auth_name, strlen(w->tls_auth_name))) { - log_err("X509_VERIFY_PARAM_set1_host failed"); - pend->c->fd = s; - SSL_free(pend->c->ssl); - pend->c->ssl = NULL; - comm_point_close(pend->c); - return 0; - } - SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL); - } -#else - verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication"); -#endif /* HAVE_SSL_SET1_HOST */ } w->pkt = NULL; w->next_waiting = (void*)pend; @@ -512,7 +496,9 @@ portcomm_loweruse(struct outside_network* outnet, struct port_comm* pc) comm_point_close(pc->cp); pif = pc->pif; log_assert(pif->inuse > 0); +#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION pif->avail_ports[pif->avail_total - pif->inuse] = pc->number; +#endif pif->inuse--; pif->out[pc->index] = pif->out[pif->inuse]; pif->out[pc->index]->index = pc->index; @@ -725,10 +711,12 @@ create_pending_tcp(struct outside_network* outnet, size_t bufsize) static int setup_if(struct port_if* pif, const char* addrstr, int* avail, int numavail, size_t numfd) { +#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION pif->avail_total = numavail; pif->avail_ports = (int*)memdup(avail, (size_t)numavail*sizeof(int)); if(!pif->avail_ports) return 0; +#endif if(!ipstrtoaddr(addrstr, UNBOUND_DNS_PORT, &pif->addr, &pif->addrlen) && !netblockstrtoaddr(addrstr, UNBOUND_DNS_PORT, &pif->addr, &pif->addrlen, &pif->pfxlen)) @@ -745,11 +733,11 @@ static int setup_if(struct port_if* pif, const char* addrstr, struct outside_network* outside_network_create(struct comm_base *base, size_t bufsize, size_t num_ports, char** ifs, int num_ifs, int do_ip4, - int do_ip6, size_t num_tcp, struct infra_cache* infra, + int do_ip6, size_t num_tcp, int dscp, struct infra_cache* infra, struct ub_randstate* rnd, int use_caps_for_id, int* availports, int numavailports, size_t unwanted_threshold, int tcp_mss, void (*unwanted_action)(void*), void* unwanted_param, int do_udp, - void* sslctx, int delayclose, struct dt_env* dtenv) + void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv) { struct outside_network* outnet = (struct outside_network*) calloc(1, sizeof(struct outside_network)); @@ -765,6 +753,7 @@ outside_network_create(struct comm_base *base, size_t bufsize, outnet->infra = infra; outnet->rnd = rnd; outnet->sslctx = sslctx; + outnet->tls_use_sni = tls_use_sni; #ifdef USE_DNSTAP outnet->dtenv = dtenv; #else @@ -778,6 +767,7 @@ outside_network_create(struct comm_base *base, size_t bufsize, outnet->use_caps_for_id = use_caps_for_id; outnet->do_udp = do_udp; outnet->tcp_mss = tcp_mss; + outnet->ip_dscp = dscp; #ifndef S_SPLINT_S if(delayclose) { outnet->delayclose = 1; @@ -955,7 +945,9 @@ outside_network_delete(struct outside_network* outnet) comm_point_delete(pc->cp); free(pc); } +#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION free(outnet->ip4_ifs[i].avail_ports); +#endif free(outnet->ip4_ifs[i].out); } free(outnet->ip4_ifs); @@ -969,7 +961,9 @@ outside_network_delete(struct outside_network* outnet) comm_point_delete(pc->cp); free(pc); } +#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION free(outnet->ip6_ifs[i].avail_ports); +#endif free(outnet->ip6_ifs[i].out); } free(outnet->ip6_ifs); @@ -1059,11 +1053,12 @@ sai6_putrandom(struct sockaddr_in6 *sa, int pfxlen, struct ub_randstate *rnd) * @param port: port override for addr. * @param inuse: if -1 is returned, this bool means the port was in use. * @param rnd: random state (for address randomisation). + * @param dscp: DSCP to use. * @return fd or -1 */ static int udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int pfxlen, - int port, int* inuse, struct ub_randstate* rnd) + int port, int* inuse, struct ub_randstate* rnd, int dscp) { int fd, noproto; if(addr_is_ip6(addr, addrlen)) { @@ -1078,13 +1073,13 @@ udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int pfxlen, } fd = create_udp_sock(AF_INET6, SOCK_DGRAM, (struct sockaddr*)&sa, addrlen, 1, inuse, &noproto, - 0, 0, 0, NULL, 0, freebind, 0); + 0, 0, 0, NULL, 0, freebind, 0, dscp); } else { struct sockaddr_in* sa = (struct sockaddr_in*)addr; sa->sin_port = (in_port_t)htons((uint16_t)port); fd = create_udp_sock(AF_INET, SOCK_DGRAM, (struct sockaddr*)addr, addrlen, 1, inuse, &noproto, - 0, 0, 0, NULL, 0, 0, 0); + 0, 0, 0, NULL, 0, 0, 0, dscp); } return fd; } @@ -1133,6 +1128,7 @@ select_ifport(struct outside_network* outnet, struct pending* pend, while(1) { my_if = ub_random_max(outnet->rnd, num_if); pif = &ifs[my_if]; +#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION my_port = ub_random_max(outnet->rnd, pif->avail_total); if(my_port < pif->inuse) { /* port already open */ @@ -1144,8 +1140,11 @@ select_ifport(struct outside_network* outnet, struct pending* pend, /* try to open new port, if fails, loop to try again */ log_assert(pif->inuse < pif->maxout); portno = pif->avail_ports[my_port - pif->inuse]; +#else + my_port = portno = 0; +#endif fd = udp_sockport(&pif->addr, pif->addrlen, pif->pfxlen, - portno, &inuse, outnet->rnd); + portno, &inuse, outnet->rnd, outnet->ip_dscp); if(fd == -1 && !inuse) { /* nonrecoverable error making socket */ return 0; @@ -1167,8 +1166,10 @@ select_ifport(struct outside_network* outnet, struct pending* pend, /* grab port in interface */ pif->out[pif->inuse] = pend->pc; +#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION pif->avail_ports[my_port - pif->inuse] = pif->avail_ports[pif->avail_total-pif->inuse-1]; +#endif pif->inuse++; break; } @@ -2192,10 +2193,11 @@ fd_for_dest(struct outside_network* outnet, struct sockaddr_storage* to_addr, { struct sockaddr_storage* addr; socklen_t addrlen; - int i, try, pnum; + int i, try, pnum, dscp; struct port_if* pif; /* create fd */ + dscp = outnet->ip_dscp; for(try = 0; try<1000; try++) { int port = 0; int freebind = 0; @@ -2225,6 +2227,7 @@ fd_for_dest(struct outside_network* outnet, struct sockaddr_storage* to_addr, } addr = &pif->addr; addrlen = pif->addrlen; +#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION pnum = ub_random_max(outnet->rnd, pif->avail_total); if(pnum < pif->inuse) { /* port already open */ @@ -2233,19 +2236,21 @@ fd_for_dest(struct outside_network* outnet, struct sockaddr_storage* to_addr, /* unused ports in start part of array */ port = pif->avail_ports[pnum - pif->inuse]; } - +#else + pnum = port = 0; +#endif if(addr_is_ip6(to_addr, to_addrlen)) { struct sockaddr_in6 sa = *(struct sockaddr_in6*)addr; sa.sin6_port = (in_port_t)htons((uint16_t)port); fd = create_udp_sock(AF_INET6, SOCK_DGRAM, (struct sockaddr*)&sa, addrlen, 1, &inuse, &noproto, - 0, 0, 0, NULL, 0, freebind, 0); + 0, 0, 0, NULL, 0, freebind, 0, dscp); } else { struct sockaddr_in* sa = (struct sockaddr_in*)addr; sa->sin_port = (in_port_t)htons((uint16_t)port); fd = create_udp_sock(AF_INET, SOCK_DGRAM, (struct sockaddr*)addr, addrlen, 1, &inuse, &noproto, - 0, 0, 0, NULL, 0, freebind, 0); + 0, 0, 0, NULL, 0, freebind, 0, dscp); } if(fd != -1) { return fd; @@ -2294,6 +2299,11 @@ setup_comm_ssl(struct comm_point* cp, struct outside_network* outnet, #endif cp->ssl_shake_state = comm_ssl_shake_write; /* https verification */ +#ifdef HAVE_SSL + if(outnet->tls_use_sni) { + (void)SSL_set_tlsext_host_name(cp->ssl, host); + } +#endif #ifdef HAVE_SSL_SET1_HOST if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { /* because we set SSL_VERIFY_PEER, in netevent in @@ -2316,7 +2326,9 @@ setup_comm_ssl(struct comm_point* cp, struct outside_network* outnet, * set1_host like verification */ if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) { X509_VERIFY_PARAM* param = SSL_get0_param(cp->ssl); +# ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); +# endif if(!X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) { log_err("X509_VERIFY_PARAM_set1_host failed"); return 0; @@ -2335,7 +2347,7 @@ outnet_comm_point_for_tcp(struct outside_network* outnet, sldns_buffer* query, int timeout, int ssl, char* host) { struct comm_point* cp; - int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss); + int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss, outnet->ip_dscp); if(fd == -1) { return 0; } @@ -2397,7 +2409,7 @@ outnet_comm_point_for_http(struct outside_network* outnet, { /* cp calls cb with err=NETEVENT_DONE when transfer is done */ struct comm_point* cp; - int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss); + int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss, outnet->ip_dscp); if(fd == -1) { return 0; } @@ -2455,7 +2467,10 @@ if_get_mem(struct port_if* pif) { size_t s; int i; - s = sizeof(*pif) + sizeof(int)*pif->avail_total + + s = sizeof(*pif) + +#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION + sizeof(int)*pif->avail_total + +#endif sizeof(struct port_comm*)*pif->maxout; for(i=0; i<pif->inuse; i++) s += sizeof(*pif->out[i]) + diff --git a/usr.sbin/unbound/services/outside_network.h b/usr.sbin/unbound/services/outside_network.h index 3456a3da38b..c8f6d5724a8 100644 --- a/usr.sbin/unbound/services/outside_network.h +++ b/usr.sbin/unbound/services/outside_network.h @@ -132,12 +132,16 @@ struct outside_network { struct ub_randstate* rnd; /** ssl context to create ssl wrapped TCP with DNS connections */ void* sslctx; + /** if SNI will be used for TLS connections */ + int tls_use_sni; #ifdef USE_DNSTAP /** dnstap environment */ struct dt_env* dtenv; #endif /** maximum segment size of tcp socket */ int tcp_mss; + /** IP_TOS socket option requested on the sockets */ + int ip_dscp; /** * Array of tcp pending used for outgoing TCP connections. @@ -172,11 +176,13 @@ struct port_if { * if 0, no randomisation. */ int pfxlen; +#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION /** the available ports array. These are unused. * Only the first total-inuse part is filled. */ int* avail_ports; /** the total number of available ports (size of the array) */ int avail_total; +#endif /** array of the commpoints currently in use. * allocated for max number of fds, first part in use. */ @@ -399,6 +405,7 @@ struct serviced_query { * @param do_ip4: service IP4. * @param do_ip6: service IP6. * @param num_tcp: number of outgoing tcp buffers to preallocate. + * @param dscp: DSCP to use. * @param infra: pointer to infra cached used for serviced queries. * @param rnd: stored to create random numbers for serviced queries. * @param use_caps_for_id: enable to use 0x20 bits to encode id randomness. @@ -412,16 +419,17 @@ struct serviced_query { * @param sslctx: context to create outgoing connections with (if enabled). * @param delayclose: if not 0, udp sockets are delayed before timeout closure. * msec to wait on timeouted udp sockets. + * @param tls_use_sni: if SNI is used for TLS connections. * @param dtenv: environment to send dnstap events with (if enabled). * @return: the new structure (with no pending answers) or NULL on error. */ struct outside_network* outside_network_create(struct comm_base* base, size_t bufsize, size_t num_ports, char** ifs, int num_ifs, - int do_ip4, int do_ip6, size_t num_tcp, struct infra_cache* infra, + int do_ip4, int do_ip6, size_t num_tcp, int dscp, struct infra_cache* infra, struct ub_randstate* rnd, int use_caps_for_id, int* availports, int numavailports, size_t unwanted_threshold, int tcp_mss, void (*unwanted_action)(void*), void* unwanted_param, int do_udp, - void* sslctx, int delayclose, struct dt_env *dtenv); + void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv); /** * Delete outside_network structure. @@ -540,7 +548,7 @@ size_t serviced_get_mem(struct serviced_query* sq); /** get TCP file descriptor for address, returns -1 on failure, * tcp_mss is 0 or maxseg size to set for TCP packets. */ -int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss); +int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp); /** * Create udp commpoint suitable for sending packets to the destination. diff --git a/usr.sbin/unbound/sldns/parseutil.c b/usr.sbin/unbound/sldns/parseutil.c index 82dbc0fe113..3515d64c5d1 100644 --- a/usr.sbin/unbound/sldns/parseutil.c +++ b/usr.sbin/unbound/sldns/parseutil.c @@ -167,7 +167,7 @@ sldns_gmtime64_r(int64_t clock, struct tm *result) static int64_t sldns_serial_arithmetics_time(int32_t time, time_t now) { - int32_t offset = time - (int32_t) now; + int32_t offset = (int32_t)((uint32_t) time - (uint32_t) now); return (int64_t) now + offset; } diff --git a/usr.sbin/unbound/smallapp/unbound-anchor.c b/usr.sbin/unbound/smallapp/unbound-anchor.c index d4b9d23cb26..5ac5e148a97 100644 --- a/usr.sbin/unbound/smallapp/unbound-anchor.c +++ b/usr.sbin/unbound/smallapp/unbound-anchor.c @@ -191,6 +191,7 @@ usage(void) printf("-c file cert file, default %s\n", ROOT_CERT_FILE); printf("-l list builtin key and cert on stdout\n"); printf("-u name server in https url, default %s\n", URLNAME); + printf("-S do not use SNI for the https connection\n"); printf("-x path pathname to xml in url, default %s\n", XMLNAME); printf("-s path pathname to p7s in url, default %s\n", P7SNAME); printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER); @@ -249,9 +250,7 @@ get_builtin_ds(void) return /* The anchors must start on a new line with ". IN DS and end with \n"[;] * because the makedist script greps on the source here */ -/* anchor 19036 is from 2010 */ /* anchor 20326 is from 2017 */ -". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n" ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; } @@ -776,7 +775,7 @@ setup_sslctx(void) /** initiate TLS on a connection */ static SSL* -TLS_initiate(SSL_CTX* sslctx, int fd) +TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni) { X509* x; int r; @@ -792,6 +791,9 @@ TLS_initiate(SSL_CTX* sslctx, int fd) SSL_free(ssl); return NULL; } + if(use_sni) { + (void)SSL_set_tlsext_host_name(ssl, urlname); + } while(1) { ERR_clear_error(); if( (r=SSL_do_handshake(ssl)) == 1) @@ -1127,7 +1129,7 @@ read_http_result(SSL* ssl) /** https to an IP addr, return BIO with pathname or NULL */ static BIO* https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname, - struct ip_list* src) + struct ip_list* src, int use_sni) { int fd; SSL* ssl; @@ -1141,7 +1143,7 @@ https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname, SSL_CTX_free(sslctx); return NULL; } - ssl = TLS_initiate(sslctx, fd); + ssl = TLS_initiate(sslctx, fd, urlname, use_sni); if(!ssl) { SSL_CTX_free(sslctx); fd_close(fd); @@ -1165,11 +1167,12 @@ https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname, * @param pathname: pathname of file on server to GET. * @param urlname: name to pass as the virtual host for this request. * @param src: if nonNULL, source address to bind to. + * @param use_sni: if SNI will be used. * @return a memory BIO with the file in it. */ static BIO* https(struct ip_list* ip_list, const char* pathname, const char* urlname, - struct ip_list* src) + struct ip_list* src, int use_sni) { struct ip_list* ip; BIO* bio = NULL; @@ -1177,7 +1180,7 @@ https(struct ip_list* ip_list, const char* pathname, const char* urlname, wipe_ip_usage(ip_list); while( (ip = pick_random_ip(ip_list)) ) { ip->used = 1; - bio = https_to_ip(ip, pathname, urlname, src); + bio = https_to_ip(ip, pathname, urlname, src, use_sni); if(bio) break; } if(!bio) { @@ -1933,7 +1936,7 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file, const char* urlname, const char* xmlname, const char* p7sname, const char* p7signer, const char* res_conf, const char* root_hints, const char* debugconf, const char* srcaddr, int ip4only, int ip6only, - int port) + int port, int use_sni) { STACK_OF(X509)* cert; @@ -1967,8 +1970,8 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file, #endif /* fetch the necessary files over HTTPS */ - xml = https(ip_list, xmlname, urlname, src); - p7s = https(ip_list, p7sname, urlname, src); + xml = https(ip_list, xmlname, urlname, src, use_sni); + p7s = https(ip_list, p7sname, urlname, src, use_sni); /* verify and update the root anchor */ verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer); @@ -2239,7 +2242,7 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file, const char* urlname, const char* xmlname, const char* p7sname, const char* p7signer, const char* res_conf, const char* root_hints, const char* debugconf, const char* srcaddr, int ip4only, int ip6only, - int force, int res_conf_fallback, int port) + int force, int res_conf_fallback, int port, int use_sni) { struct ub_result* dnskey; int used_builtin = 0; @@ -2282,7 +2285,7 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file, probe_date_allows_certupdate(root_anchor_file)) || force) { if(do_certupdate(root_anchor_file, root_cert_file, urlname, xmlname, p7sname, p7signer, res_conf, root_hints, - debugconf, srcaddr, ip4only, ip6only, port)) + debugconf, srcaddr, ip4only, ip6only, port, use_sni)) return 1; return used_builtin; } @@ -2313,8 +2316,9 @@ int main(int argc, char* argv[]) char* s; int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; int res_conf_fallback = 0; + int use_sni = 1; /* parse the options */ - while( (c=getopt(argc, argv, "46C:FRP:a:b:c:f:hln:r:s:u:vx:")) != -1) { + while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) { switch(c) { case 'l': dolist = 1; @@ -2337,6 +2341,9 @@ int main(int argc, char* argv[]) case 'u': urlname = optarg; break; + case 'S': + use_sni = 0; + break; case 'x': xmlname = optarg; break; @@ -2425,5 +2432,5 @@ int main(int argc, char* argv[]) return do_root_update_work(root_anchor_file, root_cert_file, urlname, xmlname, p7sname, p7signer, res_conf, root_hints, debugconf, - srcaddr, ip4only, ip6only, force, res_conf_fallback, port); + srcaddr, ip4only, ip6only, force, res_conf_fallback, port, use_sni); } diff --git a/usr.sbin/unbound/smallapp/unbound-checkconf.c b/usr.sbin/unbound/smallapp/unbound-checkconf.c index e69ad38ff95..5b16f681024 100644 --- a/usr.sbin/unbound/smallapp/unbound-checkconf.c +++ b/usr.sbin/unbound/smallapp/unbound-checkconf.c @@ -58,6 +58,7 @@ #include "services/authzone.h" #include "respip/respip.h" #include "sldns/sbuffer.h" +#include "sldns/str2wire.h" #ifdef HAVE_GETOPT_H #include <getopt.h> #endif @@ -194,6 +195,94 @@ localzonechecks(struct config_file* cfg) local_zones_delete(zs); } +/** checks for acl and views */ +static void +acl_view_tag_checks(struct config_file* cfg, struct views* views) +{ + int d; + struct sockaddr_storage a; + socklen_t alen; + struct config_str2list* acl; + struct config_str3list* s3; + struct config_strbytelist* sb; + + /* acl_view */ + for(acl=cfg->acl_view; acl; acl = acl->next) { + struct view* v; + if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen, + &d)) { + fatal_exit("cannot parse access-control-view " + "address %s %s", acl->str, acl->str2); + } + v = views_find_view(views, acl->str2, 0); + if(!v) { + fatal_exit("cannot find view for " + "access-control-view: %s %s", + acl->str, acl->str2); + } + lock_rw_unlock(&v->lock); + } + + /* acl_tags */ + for(sb=cfg->acl_tags; sb; sb = sb->next) { + if(!netblockstrtoaddr(sb->str, UNBOUND_DNS_PORT, &a, &alen, + &d)) { + fatal_exit("cannot parse access-control-tags " + "address %s", sb->str); + } + } + + /* acl_tag_actions */ + for(s3=cfg->acl_tag_actions; s3; s3 = s3->next) { + enum localzone_type t; + if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen, + &d)) { + fatal_exit("cannot parse access-control-tag-actions " + "address %s %s %s", + s3->str, s3->str2, s3->str3); + } + if(find_tag_id(cfg, s3->str2) == -1) { + fatal_exit("cannot parse tag %s (define-tag it), " + "for access-control-tag-actions: %s %s %s", + s3->str2, s3->str, s3->str2, s3->str3); + } + if(!local_zone_str2type(s3->str3, &t)) { + fatal_exit("cannot parse access control action type %s" + " for access-control-tag-actions: %s %s %s", + s3->str3, s3->str, s3->str2, s3->str3); + } + } + + /* acl_tag_datas */ + for(s3=cfg->acl_tag_datas; s3; s3 = s3->next) { + char buf[65536]; + uint8_t rr[LDNS_RR_BUF_SIZE]; + size_t len = sizeof(rr); + int res; + if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen, + &d)) { + fatal_exit("cannot parse access-control-tag-datas address %s %s '%s'", + s3->str, s3->str2, s3->str3); + } + if(find_tag_id(cfg, s3->str2) == -1) { + fatal_exit("cannot parse tag %s (define-tag it), " + "for access-control-tag-datas: %s %s '%s'", + s3->str2, s3->str, s3->str2, s3->str3); + } + /* '.' is sufficient for validation, and it makes the call to + * sldns_wirerr_get_type() simpler below. */ + snprintf(buf, sizeof(buf), "%s %s", ".", s3->str3); + res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600, NULL, + 0, NULL, 0); + if(res != 0) { + fatal_exit("cannot parse rr data [char %d] parse error %s, for access-control-tag-datas: %s %s '%s'", + (int)LDNS_WIREPARSE_OFFSET(res)-2, + sldns_get_errorstr_parse(res), + s3->str, s3->str2, s3->str3); + } + } +} + /** check view and response-ip configuration */ static void view_and_respipchecks(struct config_file* cfg) @@ -211,6 +300,7 @@ view_and_respipchecks(struct config_file* cfg) fatal_exit("Could not setup respip set"); if(!respip_views_apply_cfg(views, cfg, &ignored)) fatal_exit("Could not setup per-view respip sets"); + acl_view_tag_checks(cfg, views); views_delete(views); respip_set_delete(respip); } @@ -481,6 +571,8 @@ morechecks(struct config_file* cfg) fatal_exit("num_threads value weird"); if(!cfg->do_ip4 && !cfg->do_ip6) fatal_exit("ip4 and ip6 are both disabled, pointless"); + if(!cfg->do_ip4 && cfg->prefer_ip4) + fatal_exit("cannot prefer and disable ip4, pointless"); if(!cfg->do_ip6 && cfg->prefer_ip6) fatal_exit("cannot prefer and disable ip6, pointless"); if(!cfg->do_udp && !cfg->do_tcp) @@ -567,6 +659,64 @@ morechecks(struct config_file* cfg) && strcmp(cfg->module_conf, "python dns64 iterator") != 0 && strcmp(cfg->module_conf, "python dns64 validator iterator") != 0 #endif +#ifdef WITH_DYNLIBMODULE + && strcmp(cfg->module_conf, "dynlib iterator") != 0 + && strcmp(cfg->module_conf, "dynlib dynlib iterator") != 0 + && strcmp(cfg->module_conf, "dynlib dynlib dynlib iterator") != 0 + && strcmp(cfg->module_conf, "python dynlib iterator") != 0 + && strcmp(cfg->module_conf, "python dynlib dynlib iterator") != 0 + && strcmp(cfg->module_conf, "python dynlib dynlib dynlib iterator") != 0 + && strcmp(cfg->module_conf, "dynlib respip iterator") != 0 + && strcmp(cfg->module_conf, "dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "dynlib dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "dynlib dynlib dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "python dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "python dynlib dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "python dynlib dynlib dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "dynlib respip validator iterator") != 0 + && strcmp(cfg->module_conf, "validator dynlib iterator") != 0 + && strcmp(cfg->module_conf, "dns64 dynlib iterator") != 0 + && strcmp(cfg->module_conf, "dns64 dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "dns64 validator dynlib iterator") != 0 + && strcmp(cfg->module_conf, "dynlib dns64 iterator") != 0 + && strcmp(cfg->module_conf, "dynlib dns64 validator iterator") != 0 + && strcmp(cfg->module_conf, "dynlib dns64 cachedb iterator") != 0 + && strcmp(cfg->module_conf, "dynlib dns64 validator cachedb iterator") != 0 + && strcmp(cfg->module_conf, "dns64 dynlib cachedb iterator") != 0 + && strcmp(cfg->module_conf, "dns64 dynlib validator cachedb iterator") != 0 + && strcmp(cfg->module_conf, "dynlib cachedb iterator") != 0 + && strcmp(cfg->module_conf, "dynlib respip cachedb iterator") != 0 + && strcmp(cfg->module_conf, "dynlib validator cachedb iterator") != 0 + && strcmp(cfg->module_conf, "dynlib respip validator cachedb iterator") != 0 + && strcmp(cfg->module_conf, "cachedb dynlib iterator") != 0 + && strcmp(cfg->module_conf, "respip cachedb dynlib iterator") != 0 + && strcmp(cfg->module_conf, "validator cachedb dynlib iterator") != 0 + && strcmp(cfg->module_conf, "respip validator cachedb dynlib iterator") != 0 + && strcmp(cfg->module_conf, "validator dynlib cachedb iterator") != 0 + && strcmp(cfg->module_conf, "respip validator dynlib cachedb iterator") != 0 + && strcmp(cfg->module_conf, "dynlib subnetcache iterator") != 0 + && strcmp(cfg->module_conf, "dynlib respip subnetcache iterator") != 0 + && strcmp(cfg->module_conf, "subnetcache dynlib iterator") != 0 + && strcmp(cfg->module_conf, "respip subnetcache dynlib iterator") != 0 + && strcmp(cfg->module_conf, "dynlib subnetcache validator iterator") != 0 + && strcmp(cfg->module_conf, "dynlib respip subnetcache validator iterator") != 0 + && strcmp(cfg->module_conf, "subnetcache dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "respip subnetcache dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "subnetcache validator dynlib iterator") != 0 + && strcmp(cfg->module_conf, "respip subnetcache validator dynlib iterator") != 0 + && strcmp(cfg->module_conf, "dynlib ipsecmod iterator") != 0 + && strcmp(cfg->module_conf, "dynlib ipsecmod respip iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod dynlib iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod dynlib respip iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod respip validator iterator") != 0 + && strcmp(cfg->module_conf, "dynlib ipsecmod validator iterator") != 0 + && strcmp(cfg->module_conf, "dynlib ipsecmod respip validator iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod dynlib validator iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod dynlib respip validator iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod validator dynlib iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod respip validator dynlib iterator") != 0 +#endif #ifdef USE_CACHEDB && strcmp(cfg->module_conf, "validator cachedb iterator") != 0 && strcmp(cfg->module_conf, "respip validator cachedb iterator") != 0 @@ -598,6 +748,8 @@ morechecks(struct config_file* cfg) && strcmp(cfg->module_conf, "respip subnetcache validator iterator") != 0 && strcmp(cfg->module_conf, "dns64 subnetcache iterator") != 0 && strcmp(cfg->module_conf, "dns64 subnetcache validator iterator") != 0 + && strcmp(cfg->module_conf, "dns64 subnetcache respip iterator") != 0 + && strcmp(cfg->module_conf, "dns64 subnetcache respip validator iterator") != 0 #endif #if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET) && strcmp(cfg->module_conf, "python subnetcache iterator") != 0 @@ -705,7 +857,7 @@ check_auth(struct config_file* cfg) { int is_rpz = 0; struct auth_zones* az = auth_zones_create(); - if(!az || !auth_zones_apply_cfg(az, cfg, 0i, &is_rpz)) { + if(!az || !auth_zones_apply_cfg(az, cfg, 0, &is_rpz)) { fatal_exit("Could not setup authority zones"); } auth_zones_delete(az); diff --git a/usr.sbin/unbound/smallapp/unbound-control-setup.sh.in b/usr.sbin/unbound/smallapp/unbound-control-setup.sh.in index f4024b43553..3e506e84e23 100644 --- a/usr.sbin/unbound/smallapp/unbound-control-setup.sh.in +++ b/usr.sbin/unbound/smallapp/unbound-control-setup.sh.in @@ -5,22 +5,22 @@ # Copyright (c) 2008, NLnet Labs. All rights reserved. # # This software is open source. -# +# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: -# +# # Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. -# +# # Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation # and/or other materials provided with the distribution. -# +# # Neither the name of the NLNET LABS nor the names of its contributors may # be used to endorse or promote products derived from this software without # specific prior written permission. -# +# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR @@ -57,87 +57,144 @@ SVR_BASE=unbound_server # base name for unbound-control keys CTL_BASE=unbound_control +# flag to recreate generated certificates +RECREATE=0 + # we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). umask 0027 # end of options -# functions: -error ( ) { - echo "$0 fatal error: $1" - exit 1 +set -eu + +cleanup() { + echo "removing artifacts" + + rm -rf \ + server.cnf \ + client.cnf \ + "${SVR_BASE}_trust.pem" \ + "${CTL_BASE}_trust.pem" \ + "${SVR_BASE}_trust.srl" } -# check arguments: -while test $# -ne 0; do - case $1 in - -d) - if test $# -eq 1; then error "need argument for -d"; fi - DESTDIR="$2" - shift - ;; - *) - echo "unbound-control-setup.sh - setup SSL keys for unbound-control" - echo " -d dir use directory to store keys and certificates." - echo " default: $DESTDIR" - echo "please run this command using the same user id that the " - echo "unbound daemon uses, it needs read privileges." - exit 1 - ;; - esac - shift +fatal() { + printf "fatal error: $*\n" >/dev/stderr + exit 1 +} + +usage() { + cat <<EOF +usage: $0 OPTIONS +OPTIONS +-d <dir> used directory to store keys and certificates (default: $DESTDIR) +-h show help notice +-r recreate certificates +EOF +} + +OPTIND=1 +while getopts 'd:hr' arg; do + case "$arg" in + d) DESTDIR="$OPTARG" ;; + h) usage; exit 1 ;; + r) RECREATE=1 ;; + ?) fatal "'$arg' unknown option" ;; + esac done +shift $((OPTIND - 1)) + -# go!: echo "setup in directory $DESTDIR" -cd "$DESTDIR" || error "could not cd to $DESTDIR" - -# create certificate keys; do not recreate if they already exist. -if test -f $SVR_BASE.key; then - echo "$SVR_BASE.key exists" -else - echo "generating $SVR_BASE.key" - openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa" +cd "$DESTDIR" + +trap cleanup INT + +# === +# Generate server certificate +# === + +# generate private key; do no recreate it if they already exist. +if [ ! -f "$SVR_BASE.key" ]; then + openssl genrsa -out "$SVR_BASE.key" "$BITS" fi -if test -f $CTL_BASE.key; then - echo "$CTL_BASE.key exists" -else - echo "generating $CTL_BASE.key" - openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa" + +cat >server.cnf <<EOF +default_bits=$BITS +default_md=$HASH +prompt=no +distinguished_name=req_distinguished_name +[req_distinguished_name] +commonName=$SERVERNAME +EOF + +[ -f server.cnf ] || fatal "cannot create openssl configuration" + +if [ ! -f "$SVR_BASE.pem" -o $RECREATE -eq 1 ]; then + openssl req \ + -new -x509 \ + -key "$SVR_BASE.key" \ + -config server.cnf \ + -days "$DAYS" \ + -out "$SVR_BASE.pem" + + [ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate" fi -# create self-signed cert for server -echo "[req]" > request.cfg -echo "default_bits=$BITS" >> request.cfg -echo "default_md=$HASH" >> request.cfg -echo "prompt=no" >> request.cfg -echo "distinguished_name=req_distinguished_name" >> request.cfg -echo "" >> request.cfg -echo "[req_distinguished_name]" >> request.cfg -echo "commonName=$SERVERNAME" >> request.cfg +# === +# Generate client certificate +# === -test -f request.cfg || error "could not create request.cfg" +# generate private key; do no recreate it if they already exist. +if [ ! -f "$CTL_BASE.key" ]; then + openssl genrsa -out "$CTL_BASE.key" "$BITS" +fi + +cat >client.cnf <<EOF +[req] +default_bits=$BITS +default_md=$HASH +prompt=no +distinguished_name=req_distinguished_name +[req_distinguished_name] +commonName=$CLIENTNAME +EOF + +[ -f client.cnf ] || fatal "cannot create openssl configuration" + +if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then + openssl x509 \ + -addtrust serverAuth \ + -in "$SVR_BASE.pem" \ + -out "${SVR_BASE}_trust.pem" + + openssl req \ + -new \ + -config client.cnf \ + -key "$CTL_BASE.key" \ + | openssl x509 \ + -req \ + -days "$DAYS" \ + -CA "${SVR_BASE}_trust.pem" \ + -CAkey "$SVR_BASE.key" \ + -CAcreateserial \ + -$HASH \ + -out "$CTL_BASE.pem" + + [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate" +fi + +# remove unused permissions +chmod o-rw \ + "$SVR_BASE.pem" \ + "$SVR_BASE.key" \ + "$CTL_BASE.pem" \ + "$CTL_BASE.key" + +cleanup + +echo "Setup success. Certificates created. Enable in unbound.conf file to use" -echo "create $SVR_BASE.pem (self signed certificate)" -openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" -# create trusted usage pem -openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" - -# create client request and sign it, piped -echo "[req]" > request.cfg -echo "default_bits=$BITS" >> request.cfg -echo "default_md=$HASH" >> request.cfg -echo "prompt=no" >> request.cfg -echo "distinguished_name=req_distinguished_name" >> request.cfg -echo "" >> request.cfg -echo "[req_distinguished_name]" >> request.cfg -echo "commonName=$CLIENTNAME" >> request.cfg - -test -f request.cfg || error "could not create request.cfg" - -echo "create $CTL_BASE.pem (signed client certificate)" -openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem -test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" # create trusted usage pem # openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" @@ -148,13 +205,3 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" # echo "empty password is used, simply click OK on the password dialog box." # openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" -# set desired permissions -chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key - -# remove crap -rm -f request.cfg -rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl" - -echo "Setup success. Certificates created. Enable in unbound.conf file to use" - -exit 0 diff --git a/usr.sbin/unbound/smallapp/unbound-control.c b/usr.sbin/unbound/smallapp/unbound-control.c index 4843a9b3112..c2b42e95164 100644 --- a/usr.sbin/unbound/smallapp/unbound-control.c +++ b/usr.sbin/unbound/smallapp/unbound-control.c @@ -74,6 +74,10 @@ #include <sys/un.h> #endif +#ifdef HAVE_TARGETCONDITIONALS_H +#include <TargetConditionals.h> +#endif + static void usage(void) ATTR_NORETURN; static void ssl_err(const char* s) ATTR_NORETURN; static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN; @@ -264,6 +268,9 @@ static void print_mem(struct ub_shm_stat_info* shm_stat, #ifdef USE_IPSECMOD PR_LL("mem.mod.ipsecmod", shm_stat->mem.ipsecmod); #endif +#ifdef WITH_DYNLIBMODULE + PR_LL("mem.mod.dynlib", shm_stat->mem.dynlib); +#endif #ifdef USE_DNSCRYPT PR_LL("mem.cache.dnscrypt_shared_secret", shm_stat->mem.dnscrypt_shared_secret); @@ -879,11 +886,16 @@ int main(int argc, char* argv[]) if(argc == 0) usage(); if(argc >= 1 && strcmp(argv[0], "start")==0) { +#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH) + fatal_exit("could not exec unbound: %s", + strerror(ENOSYS)); +#else if(execlp("unbound", "unbound", "-c", cfgfile, (char*)NULL) < 0) { fatal_exit("could not exec unbound: %s", strerror(errno)); } +#endif } if(argc >= 1 && strcmp(argv[0], "stats_shm")==0) { print_stats_shm(cfgfile); diff --git a/usr.sbin/unbound/smallapp/worker_cb.c b/usr.sbin/unbound/smallapp/worker_cb.c index 6c3bd004908..78d921a3c6e 100644 --- a/usr.sbin/unbound/smallapp/worker_cb.c +++ b/usr.sbin/unbound/smallapp/worker_cb.c @@ -248,3 +248,19 @@ void remote_get_opt_ssl(char* ATTR_UNUSED(str), void* ATTR_UNUSED(arg)) { log_assert(0); } + +#ifdef USE_DNSTAP +void dtio_tap_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), + void* ATTR_UNUSED(arg)) +{ + log_assert(0); +} +#endif + +#ifdef USE_DNSTAP +void dtio_mainfdcallback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), + void* ATTR_UNUSED(arg)) +{ + log_assert(0); +} +#endif diff --git a/usr.sbin/unbound/util/config_file.c b/usr.sbin/unbound/util/config_file.c index 5a8139d69c4..6139dfc2610 100644 --- a/usr.sbin/unbound/util/config_file.c +++ b/usr.sbin/unbound/util/config_file.c @@ -116,6 +116,7 @@ config_create(void) cfg->ssl_upstream = 0; cfg->tls_cert_bundle = NULL; cfg->tls_win_cert = 0; + cfg->tls_use_sni = 1; cfg->use_syslog = 1; cfg->log_identity = NULL; /* changed later with argv[0] */ cfg->log_time_ascii = 0; @@ -186,6 +187,7 @@ config_create(void) cfg->so_reuseport = REUSEPORT_DEFAULT; cfg->ip_transparent = 0; cfg->ip_freebind = 0; + cfg->ip_dscp = 0; cfg->num_ifs = 0; cfg->ifs = NULL; cfg->num_out_ifs = 0; @@ -266,13 +268,14 @@ config_create(void) cfg->unblock_lan_zones = 0; cfg->insecure_lan_zones = 0; cfg->python_script = NULL; + cfg->dynlib_file = NULL; cfg->remote_control_enable = 0; cfg->control_ifs.first = NULL; cfg->control_ifs.last = NULL; cfg->control_port = UNBOUND_CONTROL_PORT; cfg->control_use_cert = 1; cfg->minimal_responses = 1; - cfg->rrset_roundrobin = 0; + cfg->rrset_roundrobin = 1; cfg->unknown_server_time_limit = 376; cfg->max_udp_size = 4096; if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key"))) @@ -295,6 +298,8 @@ config_create(void) if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) goto error_exit; #endif + cfg->dnstap_bidirectional = 1; + cfg->dnstap_tls = 1; cfg->disable_dnssec_lame_check = 0; cfg->ip_ratelimit = 0; cfg->ratelimit = 0; @@ -335,6 +340,7 @@ config_create(void) if(!(cfg->redis_server_host = strdup("127.0.0.1"))) goto error_exit; cfg->redis_timeout = 100; cfg->redis_server_port = 6379; + cfg->redis_expire_records = 0; #endif /* USE_REDIS */ #endif /* USE_CACHEDB */ #ifdef USE_IPSET @@ -504,6 +510,7 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_STRLIST_APPEND("tls-session-ticket-keys:", tls_session_ticket_keys) else S_STR("tls-ciphers:", tls_ciphers) else S_STR("tls-ciphersuites:", tls_ciphersuites) + else S_YNO("tls-use-sni:", tls_use_sni) else S_YNO("interface-automatic:", if_automatic) else S_YNO("use-systemd:", use_systemd) else S_YNO("do-daemonize:", do_daemonize) @@ -523,6 +530,7 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("so-reuseport:", so_reuseport) else S_YNO("ip-transparent:", ip_transparent) else S_YNO("ip-freebind:", ip_freebind) + else S_NUMBER_OR_ZERO("ip-dscp:", ip_dscp) else S_MEMSIZE("rrset-cache-size:", rrset_cache_size) else S_POW2("rrset-cache-slabs:", rrset_cache_slabs) else S_YNO("prefetch:", prefetch) @@ -622,6 +630,7 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_STR("control-cert-file:", control_cert_file) else S_STR("module-config:", module_conf) else S_STRLIST("python-script:", python_script) + else S_STRLIST("dynlib-file:", dynlib_file) else S_YNO("disable-dnssec-lame-check:", disable_dnssec_lame_check) #ifdef CLIENT_SUBNET /* Can't set max subnet prefix here, since that value is used when @@ -631,7 +640,15 @@ int config_set_option(struct config_file* cfg, const char* opt, #endif #ifdef USE_DNSTAP else S_YNO("dnstap-enable:", dnstap) + else S_YNO("dnstap-bidirectional:", dnstap_bidirectional) else S_STR("dnstap-socket-path:", dnstap_socket_path) + else S_STR("dnstap-ip:", dnstap_ip) + else S_YNO("dnstap-tls:", dnstap_tls) + else S_STR("dnstap-tls-server-name:", dnstap_tls_server_name) + else S_STR("dnstap-tls-cert-bundle:", dnstap_tls_cert_bundle) + else S_STR("dnstap-tls-client-key-file:", dnstap_tls_client_key_file) + else S_STR("dnstap-tls-client-cert-file:", + dnstap_tls_client_cert_file) else S_YNO("dnstap-send-identity:", dnstap_send_identity) else S_YNO("dnstap-send-version:", dnstap_send_version) else S_STR("dnstap-identity:", dnstap_identity) @@ -915,6 +932,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "so-reuseport", so_reuseport) else O_YNO(opt, "ip-transparent", ip_transparent) else O_YNO(opt, "ip-freebind", ip_freebind) + else O_DEC(opt, "ip-dscp", ip_dscp) else O_MEM(opt, "rrset-cache-size", rrset_cache_size) else O_DEC(opt, "rrset-cache-slabs", rrset_cache_slabs) else O_YNO(opt, "prefetch-key", prefetch_key) @@ -949,6 +967,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_LST(opt, "tls-session-ticket-keys", tls_session_ticket_keys.first) else O_STR(opt, "tls-ciphers", tls_ciphers) else O_STR(opt, "tls-ciphersuites", tls_ciphersuites) + else O_YNO(opt, "tls-use-sni", tls_use_sni) else O_YNO(opt, "use-systemd", use_systemd) else O_YNO(opt, "do-daemonize", do_daemonize) else O_STR(opt, "chroot", chrootdir) @@ -1038,7 +1057,16 @@ config_get_option(struct config_file* cfg, const char* opt, #endif #ifdef USE_DNSTAP else O_YNO(opt, "dnstap-enable", dnstap) + else O_YNO(opt, "dnstap-bidirectional", dnstap_bidirectional) else O_STR(opt, "dnstap-socket-path", dnstap_socket_path) + else O_STR(opt, "dnstap-ip", dnstap_ip) + else O_YNO(opt, "dnstap-tls", dnstap_tls) + else O_STR(opt, "dnstap-tls-server-name", dnstap_tls_server_name) + else O_STR(opt, "dnstap-tls-cert-bundle", dnstap_tls_cert_bundle) + else O_STR(opt, "dnstap-tls-client-key-file", + dnstap_tls_client_key_file) + else O_STR(opt, "dnstap-tls-client-cert-file", + dnstap_tls_client_cert_file) else O_YNO(opt, "dnstap-send-identity", dnstap_send_identity) else O_YNO(opt, "dnstap-send-version", dnstap_send_version) else O_STR(opt, "dnstap-identity", dnstap_identity) @@ -1076,6 +1104,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones) else O_DEC(opt, "max-udp-size", max_udp_size) else O_LST(opt, "python-script", python_script) + else O_LST(opt, "dynlib-file", dynlib_file) else O_YNO(opt, "disable-dnssec-lame-check", disable_dnssec_lame_check) else O_DEC(opt, "ip-ratelimit", ip_ratelimit) else O_DEC(opt, "ratelimit", ratelimit) @@ -1116,6 +1145,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_STR(opt, "redis-server-host", redis_server_host) else O_DEC(opt, "redis-server-port", redis_server_port) else O_DEC(opt, "redis-timeout", redis_timeout) + else O_YNO(opt, "redis-expire-records", redis_expire_records) #endif /* USE_REDIS */ #endif /* USE_CACHEDB */ #ifdef USE_IPSET @@ -1458,11 +1488,17 @@ config_delete(struct config_file* cfg) free(cfg->dns64_prefix); config_delstrlist(cfg->dns64_ignore_aaaa); free(cfg->dnstap_socket_path); + free(cfg->dnstap_ip); + free(cfg->dnstap_tls_server_name); + free(cfg->dnstap_tls_cert_bundle); + free(cfg->dnstap_tls_client_key_file); + free(cfg->dnstap_tls_client_cert_file); free(cfg->dnstap_identity); free(cfg->dnstap_version); config_deldblstrlist(cfg->ratelimit_for_domain); config_deldblstrlist(cfg->ratelimit_below_domain); config_delstrlist(cfg->python_script); + config_delstrlist(cfg->dynlib_file); #ifdef USE_IPSECMOD free(cfg->ipsecmod_hook); config_delstrlist(cfg->ipsecmod_whitelist); @@ -1509,6 +1545,11 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num) { char* mid = strchr(str, '-'); +#ifdef DISABLE_EXPLICIT_PORT_RANDOMISATION + log_warn("Explicit port randomisation disabled, ignoring " + "outgoing-port-permit and outgoing-port-avoid configuration " + "options"); +#endif if(!mid) { int port = atoi(str); if(port == 0 && strcmp(str, "0") != 0) { diff --git a/usr.sbin/unbound/util/config_file.h b/usr.sbin/unbound/util/config_file.h index 8739ca2ae1e..66e5025d05b 100644 --- a/usr.sbin/unbound/util/config_file.h +++ b/usr.sbin/unbound/util/config_file.h @@ -85,6 +85,8 @@ struct config_file { int do_ip4; /** do ip6 query support. */ int do_ip6; + /** prefer ip4 upstream queries. */ + int prefer_ip4; /** prefer ip6 upstream queries. */ int prefer_ip6; /** do udp query support. */ @@ -126,6 +128,8 @@ struct config_file { char* tls_ciphers; /** TLS chiphersuites (TLSv1.3) */ char* tls_ciphersuites; + /** if SNI is to be used */ + int tls_use_sni; /** outgoing port range number of ports (per thread) */ int outgoing_num_ports; @@ -186,6 +190,8 @@ struct config_file { int ip_transparent; /** IP_FREEBIND socket option request on port 53 sockets */ int ip_freebind; + /** IP_TOS socket option requested on port 53 sockets */ + int ip_dscp; /** number of interfaces to open. If 0 default all interfaces. */ int num_ifs; @@ -444,6 +450,9 @@ struct config_file { /** Python script file */ struct config_strlist* python_script; + /** Dynamic library file */ + struct config_strlist* dynlib_file; + /** Use systemd socket activation. */ int use_systemd; @@ -472,8 +481,22 @@ struct config_file { /** true to enable dnstap support */ int dnstap; + /** using bidirectional frame streams if true */ + int dnstap_bidirectional; /** dnstap socket path */ char* dnstap_socket_path; + /** dnstap IP */ + char* dnstap_ip; + /** dnstap TLS enable */ + int dnstap_tls; + /** dnstap tls server authentication name */ + char* dnstap_tls_server_name; + /** dnstap server cert bundle */ + char* dnstap_tls_cert_bundle; + /** dnstap client key for client authentication */ + char* dnstap_tls_client_key_file; + /** dnstap client cert for client authentication */ + char* dnstap_tls_client_cert_file; /** true to send "identity" via dnstap */ int dnstap_send_identity; /** true to send "version" via dnstap */ @@ -582,6 +605,8 @@ struct config_file { int redis_server_port; /** timeout (in ms) for communication with the redis server */ int redis_timeout; + /** set timeout on redis records based on DNS response ttl */ + int redis_expire_records; #endif #endif diff --git a/usr.sbin/unbound/util/configlexer.lex b/usr.sbin/unbound/util/configlexer.lex index deedffa58da..83cea4b992f 100644 --- a/usr.sbin/unbound/util/configlexer.lex +++ b/usr.sbin/unbound/util/configlexer.lex @@ -45,11 +45,13 @@ struct inc_state { int line; YY_BUFFER_STATE buffer; struct inc_state* next; + int inc_toplevel; }; static struct inc_state* config_include_stack = NULL; static int inc_depth = 0; static int inc_prev = 0; static int num_args = 0; +static int inc_toplevel = 0; void init_cfg_parse(void) { @@ -57,14 +59,15 @@ void init_cfg_parse(void) inc_depth = 0; inc_prev = 0; num_args = 0; + inc_toplevel = 0; } -static void config_start_include(const char* filename) +static void config_start_include(const char* filename, int toplevel) { FILE *input; struct inc_state* s; char* nm; - if(inc_depth++ > 100000) { + if(inc_depth+1 > 100000) { ub_c_error_msg("too many include files"); return; } @@ -96,17 +99,20 @@ static void config_start_include(const char* filename) return; } LEXOUT(("switch_to_include_file(%s)\n", filename)); + inc_depth++; s->filename = cfg_parser->filename; s->line = cfg_parser->line; s->buffer = YY_CURRENT_BUFFER; + s->inc_toplevel = inc_toplevel; s->next = config_include_stack; config_include_stack = s; cfg_parser->filename = nm; cfg_parser->line = 1; + inc_toplevel = toplevel; yy_switch_to_buffer(yy_create_buffer(input, YY_BUF_SIZE)); } -static void config_start_include_glob(const char* filename) +static void config_start_include_glob(const char* filename, int toplevel) { /* check for wildcards */ @@ -139,19 +145,19 @@ static void config_start_include_glob(const char* filename) globfree(&g); if(r == GLOB_NOMATCH) return; /* no matches for pattern */ - config_start_include(filename); /* let original deal with it */ + config_start_include(filename, toplevel); /* let original deal with it */ return; } /* process files found, if any */ for(i=(int)g.gl_pathc-1; i>=0; i--) { - config_start_include(g.gl_pathv[i]); + config_start_include(g.gl_pathv[i], toplevel); } globfree(&g); return; } #endif /* HAVE_GLOB */ - config_start_include(filename); + config_start_include(filename, toplevel); } static void config_end_include(void) @@ -165,6 +171,7 @@ static void config_end_include(void) yy_delete_buffer(YY_CURRENT_BUFFER); yy_switch_to_buffer(s->buffer); config_include_stack = s->next; + inc_toplevel = s->inc_toplevel; free(s); } @@ -199,7 +206,7 @@ COLON \: DQANY [^\"\n\r\\]|\\. SQANY [^\'\n\r\\]|\\. -%x quotedstring singlequotedstr include include_quoted val +%x quotedstring singlequotedstr include include_quoted val include_toplevel include_toplevel_quoted %% <INITIAL,val>{SPACE}* { @@ -220,6 +227,7 @@ outgoing-num-tcp{COLON} { YDVAR(1, VAR_OUTGOING_NUM_TCP) } incoming-num-tcp{COLON} { YDVAR(1, VAR_INCOMING_NUM_TCP) } do-ip4{COLON} { YDVAR(1, VAR_DO_IP4) } do-ip6{COLON} { YDVAR(1, VAR_DO_IP6) } +prefer-ip4{COLON} { YDVAR(1, VAR_PREFER_IP4) } prefer-ip6{COLON} { YDVAR(1, VAR_PREFER_IP6) } do-udp{COLON} { YDVAR(1, VAR_DO_UDP) } do-tcp{COLON} { YDVAR(1, VAR_DO_TCP) } @@ -247,6 +255,7 @@ tls-additional-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) } tls-session-ticket-keys{COLON} { YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) } tls-ciphers{COLON} { YDVAR(1, VAR_TLS_CIPHERS) } tls-ciphersuites{COLON} { YDVAR(1, VAR_TLS_CIPHERSUITES) } +tls-use-sni{COLON} { YDVAR(1, VAR_TLS_USE_SNI) } use-systemd{COLON} { YDVAR(1, VAR_USE_SYSTEMD) } do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) } interface{COLON} { YDVAR(1, VAR_INTERFACE) } @@ -258,6 +267,7 @@ so-sndbuf{COLON} { YDVAR(1, VAR_SO_SNDBUF) } so-reuseport{COLON} { YDVAR(1, VAR_SO_REUSEPORT) } ip-transparent{COLON} { YDVAR(1, VAR_IP_TRANSPARENT) } ip-freebind{COLON} { YDVAR(1, VAR_IP_FREEBIND) } +ip-dscp{COLON} { YDVAR(1, VAR_IP_DSCP) } chroot{COLON} { YDVAR(1, VAR_CHROOT) } username{COLON} { YDVAR(1, VAR_USERNAME) } directory{COLON} { YDVAR(1, VAR_DIRECTORY) } @@ -412,6 +422,8 @@ control-key-file{COLON} { YDVAR(1, VAR_CONTROL_KEY_FILE) } control-cert-file{COLON} { YDVAR(1, VAR_CONTROL_CERT_FILE) } python-script{COLON} { YDVAR(1, VAR_PYTHON_SCRIPT) } python{COLON} { YDVAR(0, VAR_PYTHON) } +dynlib-file{COLON} { YDVAR(1, VAR_DYNLIB_FILE) } +dynlib{COLON} { YDVAR(0, VAR_DYNLIB) } domain-insecure{COLON} { YDVAR(1, VAR_DOMAIN_INSECURE) } minimal-responses{COLON} { YDVAR(1, VAR_MINIMAL_RESPONSES) } rrset-roundrobin{COLON} { YDVAR(1, VAR_RRSET_ROUNDROBIN) } @@ -429,7 +441,16 @@ access-control-view{COLON} { YDVAR(2, VAR_ACCESS_CONTROL_VIEW) } local-zone-override{COLON} { YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) } dnstap{COLON} { YDVAR(0, VAR_DNSTAP) } dnstap-enable{COLON} { YDVAR(1, VAR_DNSTAP_ENABLE) } +dnstap-bidirectional{COLON} { YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) } dnstap-socket-path{COLON} { YDVAR(1, VAR_DNSTAP_SOCKET_PATH) } +dnstap-ip{COLON} { YDVAR(1, VAR_DNSTAP_IP) } +dnstap-tls{COLON} { YDVAR(1, VAR_DNSTAP_TLS) } +dnstap-tls-server-name{COLON} { YDVAR(1, VAR_DNSTAP_TLS_SERVER_NAME) } +dnstap-tls-cert-bundle{COLON} { YDVAR(1, VAR_DNSTAP_TLS_CERT_BUNDLE) } +dnstap-tls-client-key-file{COLON} { + YDVAR(1, VAR_DNSTAP_TLS_CLIENT_KEY_FILE) } +dnstap-tls-client-cert-file{COLON} { + YDVAR(1, VAR_DNSTAP_TLS_CLIENT_CERT_FILE) } dnstap-send-identity{COLON} { YDVAR(1, VAR_DNSTAP_SEND_IDENTITY) } dnstap-send-version{COLON} { YDVAR(1, VAR_DNSTAP_SEND_VERSION) } dnstap-identity{COLON} { YDVAR(1, VAR_DNSTAP_IDENTITY) } @@ -490,6 +511,7 @@ secret-seed{COLON} { YDVAR(1, VAR_CACHEDB_SECRETSEED) } redis-server-host{COLON} { YDVAR(1, VAR_CACHEDB_REDISHOST) } redis-server-port{COLON} { YDVAR(1, VAR_CACHEDB_REDISPORT) } redis-timeout{COLON} { YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) } +redis-expire-records{COLON} { YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) } ipset{COLON} { YDVAR(0, VAR_IPSET) } name-v4{COLON} { YDVAR(1, VAR_IPSET_NAME_V4) } name-v6{COLON} { YDVAR(1, VAR_IPSET_NAME_V6) } @@ -551,7 +573,7 @@ tcp-connection-limit{COLON} { YDVAR(2, VAR_TCP_CONNECTION_LIMIT) } <include>\" { LEXOUT(("IQS ")); BEGIN(include_quoted); } <include>{UNQUOTEDLETTER}* { LEXOUT(("Iunquotedstr(%s) ", yytext)); - config_start_include_glob(yytext); + config_start_include_glob(yytext, 0); BEGIN(inc_prev); } <include_quoted><<EOF>> { @@ -564,7 +586,7 @@ tcp-connection-limit{COLON} { YDVAR(2, VAR_TCP_CONNECTION_LIMIT) } <include_quoted>\" { LEXOUT(("IQE ")); yytext[yyleng - 1] = '\0'; - config_start_include_glob(yytext); + config_start_include_glob(yytext, 0); BEGIN(inc_prev); } <INITIAL,val><<EOF>> { @@ -573,11 +595,47 @@ tcp-connection-limit{COLON} { YDVAR(2, VAR_TCP_CONNECTION_LIMIT) } if (!config_include_stack) { yyterminate(); } else { + int prev_toplevel = inc_toplevel; fclose(yyin); config_end_include(); + if(prev_toplevel) return (VAR_FORCE_TOPLEVEL); } } + /* include-toplevel: directive */ +<INITIAL,val>include-toplevel{COLON} { + LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include_toplevel); +} +<include_toplevel><<EOF>> { + yyerror("EOF inside include_toplevel directive"); + BEGIN(inc_prev); +} +<include_toplevel>{SPACE}* { LEXOUT(("ITSP ")); /* ignore */ } +<include_toplevel>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } +<include_toplevel>\" { LEXOUT(("ITQS ")); BEGIN(include_toplevel_quoted); } +<include_toplevel>{UNQUOTEDLETTER}* { + LEXOUT(("ITunquotedstr(%s) ", yytext)); + config_start_include_glob(yytext, 1); + BEGIN(inc_prev); + return (VAR_FORCE_TOPLEVEL); +} +<include_toplevel_quoted><<EOF>> { + yyerror("EOF inside quoted string"); + BEGIN(inc_prev); +} +<include_toplevel_quoted>{DQANY}* { LEXOUT(("ITSTR(%s) ", yytext)); yymore(); } +<include_toplevel_quoted>{NEWLINE} { + yyerror("newline before \" in include name"); + cfg_parser->line++; BEGIN(inc_prev); +} +<include_toplevel_quoted>\" { + LEXOUT(("ITQE ")); + yytext[yyleng - 1] = '\0'; + config_start_include_glob(yytext, 1); + BEGIN(inc_prev); + return (VAR_FORCE_TOPLEVEL); +} + <val>{UNQUOTEDLETTER}* { LEXOUT(("unquotedstr(%s) ", yytext)); if(--num_args == 0) { BEGIN(INITIAL); } yylval.str = strdup(yytext); return STRING_ARG; } diff --git a/usr.sbin/unbound/util/configparser.y b/usr.sbin/unbound/util/configparser.y index 798f4a972fd..fe600a999d4 100644 --- a/usr.sbin/unbound/util/configparser.y +++ b/usr.sbin/unbound/util/configparser.y @@ -69,8 +69,9 @@ extern struct config_parser_state* cfg_parser; %token SPACE LETTER NEWLINE COMMENT COLON ANY ZONESTR %token <str> STRING_ARG +%token VAR_FORCE_TOPLEVEL %token VAR_SERVER VAR_VERBOSITY VAR_NUM_THREADS VAR_PORT -%token VAR_OUTGOING_RANGE VAR_INTERFACE +%token VAR_OUTGOING_RANGE VAR_INTERFACE VAR_PREFER_IP4 %token VAR_DO_IP4 VAR_DO_IP6 VAR_PREFER_IP6 VAR_DO_UDP VAR_DO_TCP %token VAR_TCP_MSS VAR_OUTGOING_TCP_MSS VAR_TCP_IDLE_TIMEOUT %token VAR_EDNS_TCP_KEEPALIVE VAR_EDNS_TCP_KEEPALIVE_TIMEOUT @@ -116,8 +117,10 @@ extern struct config_parser_state* cfg_parser; %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES %token VAR_INFRA_CACHE_MIN_RTT %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL VAR_DNS64_IGNORE_AAAA -%token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH -%token VAR_DNSTAP_SEND_IDENTITY VAR_DNSTAP_SEND_VERSION +%token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH VAR_DNSTAP_IP +%token VAR_DNSTAP_TLS VAR_DNSTAP_TLS_SERVER_NAME VAR_DNSTAP_TLS_CERT_BUNDLE +%token VAR_DNSTAP_TLS_CLIENT_KEY_FILE VAR_DNSTAP_TLS_CLIENT_CERT_FILE +%token VAR_DNSTAP_SEND_IDENTITY VAR_DNSTAP_SEND_VERSION VAR_DNSTAP_BIDIRECTIONAL %token VAR_DNSTAP_IDENTITY VAR_DNSTAP_VERSION %token VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES %token VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES @@ -127,6 +130,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT +%token VAR_IP_DSCP %token VAR_DISABLE_DNSSEC_LAME_CHECK %token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE @@ -159,6 +163,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT %token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED %token VAR_CACHEDB_REDISHOST VAR_CACHEDB_REDISPORT VAR_CACHEDB_REDISTIMEOUT +%token VAR_CACHEDB_REDISEXPIRERECORDS %token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM %token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM %token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL @@ -166,10 +171,11 @@ extern struct config_parser_state* cfg_parser; %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT %token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY -%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES +%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI %token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6 %token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE %token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME +%token VAR_DYNLIB VAR_DYNLIB_FILE %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -178,20 +184,25 @@ toplevelvar: serverstart contents_server | stubstart contents_stub | rcstart contents_rc | dtstart contents_dt | viewstart contents_view | dnscstart contents_dnsc | cachedbstart contents_cachedb | ipsetstart contents_ipset | authstart contents_auth | - rpzstart contents_rpz + rpzstart contents_rpz | dynlibstart contents_dl | + force_toplevel + ; +force_toplevel: VAR_FORCE_TOPLEVEL + { + OUTYY(("\nP(force-toplevel)\n")); + } ; - /* server: declaration */ serverstart: VAR_SERVER { - OUTYY(("\nP(server:)\n")); + OUTYY(("\nP(server:)\n")); } ; -contents_server: contents_server content_server +contents_server: contents_server content_server | ; content_server: server_num_threads | server_verbosity | server_port | server_outgoing_range | server_do_ip4 | - server_do_ip6 | server_prefer_ip6 | + server_do_ip6 | server_prefer_ip4 | server_prefer_ip6 | server_do_udp | server_do_tcp | server_tcp_mss | server_outgoing_tcp_mss | server_tcp_idle_timeout | server_tcp_keepalive | server_tcp_keepalive_timeout | @@ -239,6 +250,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa | server_infra_cache_min_rtt | server_harden_algo_downgrade | server_ip_transparent | server_ip_ratelimit | server_ratelimit | + server_ip_dscp | server_ip_ratelimit_slabs | server_ratelimit_slabs | server_ip_ratelimit_size | server_ratelimit_size | server_ratelimit_for_domain | @@ -272,7 +284,8 @@ content_server: server_num_threads | server_verbosity | server_port | server_tcp_connection_limit | server_log_servfail | server_deny_any | server_unknown_server_time_limit | server_log_tag_queryreply | server_stream_wait_size | server_tls_ciphers | - server_tls_ciphersuites | server_tls_session_ticket_keys + server_tls_ciphersuites | server_tls_session_ticket_keys | + server_tls_use_sni ; stubstart: VAR_STUB_ZONE { @@ -780,6 +793,15 @@ server_do_tcp: VAR_DO_TCP STRING_ARG free($2); } ; +server_prefer_ip4: VAR_PREFER_IP4 STRING_ARG + { + OUTYY(("P(server_prefer_ip4:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->prefer_ip4 = (strcmp($2, "yes")==0); + free($2); + } + ; server_prefer_ip6: VAR_PREFER_IP6 STRING_ARG { OUTYY(("P(server_prefer_ip6:%s)\n", $2)); @@ -938,6 +960,15 @@ server_tls_session_ticket_keys: VAR_TLS_SESSION_TICKET_KEYS STRING_ARG yyerror("out of memory"); } ; +server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG + { + OUTYY(("P(server_tls_use_sni:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->tls_use_sni = (strcmp($2, "yes")==0); + free($2); + } + ; server_use_systemd: VAR_USE_SYSTEMD STRING_ARG { OUTYY(("P(server_use_systemd:%s)\n", $2)); @@ -1247,6 +1278,20 @@ server_ip_freebind: VAR_IP_FREEBIND STRING_ARG free($2); } ; +server_ip_dscp: VAR_IP_DSCP STRING_ARG + { + OUTYY(("P(server_ip_dscp:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else if (atoi($2) > 63) + yyerror("value too large (max 63)"); + else if (atoi($2) < 0) + yyerror("value too small (min 0)"); + else + cfg_parser->cfg->ip_dscp = atoi($2); + free($2); + } + ; server_stream_wait_size: VAR_STREAM_WAIT_SIZE STRING_ARG { OUTYY(("P(server_stream_wait_size:%s)\n", $2)); @@ -2719,7 +2764,10 @@ dtstart: VAR_DNSTAP ; contents_dt: contents_dt content_dt | ; -content_dt: dt_dnstap_enable | dt_dnstap_socket_path | +content_dt: dt_dnstap_enable | dt_dnstap_socket_path | dt_dnstap_bidirectional | + dt_dnstap_ip | dt_dnstap_tls | dt_dnstap_tls_server_name | + dt_dnstap_tls_cert_bundle | + dt_dnstap_tls_client_key_file | dt_dnstap_tls_client_cert_file | dt_dnstap_send_identity | dt_dnstap_send_version | dt_dnstap_identity | dt_dnstap_version | dt_dnstap_log_resolver_query_messages | @@ -2738,6 +2786,16 @@ dt_dnstap_enable: VAR_DNSTAP_ENABLE STRING_ARG free($2); } ; +dt_dnstap_bidirectional: VAR_DNSTAP_BIDIRECTIONAL STRING_ARG + { + OUTYY(("P(dt_dnstap_bidirectional:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->dnstap_bidirectional = + (strcmp($2, "yes")==0); + free($2); + } + ; dt_dnstap_socket_path: VAR_DNSTAP_SOCKET_PATH STRING_ARG { OUTYY(("P(dt_dnstap_socket_path:%s)\n", $2)); @@ -2745,6 +2803,50 @@ dt_dnstap_socket_path: VAR_DNSTAP_SOCKET_PATH STRING_ARG cfg_parser->cfg->dnstap_socket_path = $2; } ; +dt_dnstap_ip: VAR_DNSTAP_IP STRING_ARG + { + OUTYY(("P(dt_dnstap_ip:%s)\n", $2)); + free(cfg_parser->cfg->dnstap_ip); + cfg_parser->cfg->dnstap_ip = $2; + } + ; +dt_dnstap_tls: VAR_DNSTAP_TLS STRING_ARG + { + OUTYY(("P(dt_dnstap_tls:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->dnstap_tls = (strcmp($2, "yes")==0); + free($2); + } + ; +dt_dnstap_tls_server_name: VAR_DNSTAP_TLS_SERVER_NAME STRING_ARG + { + OUTYY(("P(dt_dnstap_tls_server_name:%s)\n", $2)); + free(cfg_parser->cfg->dnstap_tls_server_name); + cfg_parser->cfg->dnstap_tls_server_name = $2; + } + ; +dt_dnstap_tls_cert_bundle: VAR_DNSTAP_TLS_CERT_BUNDLE STRING_ARG + { + OUTYY(("P(dt_dnstap_tls_cert_bundle:%s)\n", $2)); + free(cfg_parser->cfg->dnstap_tls_cert_bundle); + cfg_parser->cfg->dnstap_tls_cert_bundle = $2; + } + ; +dt_dnstap_tls_client_key_file: VAR_DNSTAP_TLS_CLIENT_KEY_FILE STRING_ARG + { + OUTYY(("P(dt_dnstap_tls_client_key_file:%s)\n", $2)); + free(cfg_parser->cfg->dnstap_tls_client_key_file); + cfg_parser->cfg->dnstap_tls_client_key_file = $2; + } + ; +dt_dnstap_tls_client_cert_file: VAR_DNSTAP_TLS_CLIENT_CERT_FILE STRING_ARG + { + OUTYY(("P(dt_dnstap_tls_client_cert_file:%s)\n", $2)); + free(cfg_parser->cfg->dnstap_tls_client_cert_file); + cfg_parser->cfg->dnstap_tls_client_cert_file = $2; + } + ; dt_dnstap_send_identity: VAR_DNSTAP_SEND_IDENTITY STRING_ARG { OUTYY(("P(dt_dnstap_send_identity:%s)\n", $2)); @@ -2852,6 +2954,21 @@ py_script: VAR_PYTHON_SCRIPT STRING_ARG if(!cfg_strlist_append_ex(&cfg_parser->cfg->python_script, $2)) yyerror("out of memory"); } +dynlibstart: VAR_DYNLIB + { + OUTYY(("\nP(dynlib:)\n")); + } + ; +contents_dl: contents_dl content_dl + | ; +content_dl: dl_file + ; +dl_file: VAR_DYNLIB_FILE STRING_ARG + { + OUTYY(("P(dynlib-file:%s)\n", $2)); + if(!cfg_strlist_append_ex(&cfg_parser->cfg->dynlib_file, $2)) + yyerror("out of memory"); + } server_disable_dnssec_lame_check: VAR_DISABLE_DNSSEC_LAME_CHECK STRING_ARG { OUTYY(("P(disable_dnssec_lame_check:%s)\n", $2)); @@ -3003,7 +3120,8 @@ cachedbstart: VAR_CACHEDB contents_cachedb: contents_cachedb content_cachedb | ; content_cachedb: cachedb_backend_name | cachedb_secret_seed | - redis_server_host | redis_server_port | redis_timeout + redis_server_host | redis_server_port | redis_timeout | + redis_expire_records ; cachedb_backend_name: VAR_CACHEDB_BACKEND STRING_ARG { @@ -3069,6 +3187,19 @@ redis_timeout: VAR_CACHEDB_REDISTIMEOUT STRING_ARG free($2); } ; +redis_expire_records: VAR_CACHEDB_REDISEXPIRERECORDS STRING_ARG + { + #if defined(USE_CACHEDB) && defined(USE_REDIS) + OUTYY(("P(redis_expire_records:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->redis_expire_records = (strcmp($2, "yes")==0); + #else + OUTYY(("P(Compiled without cachedb or redis, ignoring)\n")); + #endif + free($2); + } + ; server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG { OUTYY(("P(server_tcp_connection_limit:%s %s)\n", $2, $3)); diff --git a/usr.sbin/unbound/util/fptr_wlist.c b/usr.sbin/unbound/util/fptr_wlist.c index 84d41cc8464..aa275ed534b 100644 --- a/usr.sbin/unbound/util/fptr_wlist.c +++ b/usr.sbin/unbound/util/fptr_wlist.c @@ -81,6 +81,9 @@ #ifdef WITH_PYTHONMODULE #include "pythonmod/pythonmod.h" #endif +#ifdef WITH_DYNLIBMODULE +#include "dynlibmod/dynlibmod.h" +#endif #ifdef USE_CACHEDB #include "cachedb/cachedb.h" #endif @@ -93,6 +96,9 @@ #ifdef USE_IPSET #include "ipset/ipset.h" #endif +#ifdef USE_DNSTAP +#include "dnstap/dtstream.h" +#endif int fptr_whitelist_comm_point(comm_point_callback_type *fptr) @@ -168,6 +174,15 @@ fptr_whitelist_event(void (*fptr)(int, short, void *)) else if(fptr == &tube_handle_signal) return 1; else if(fptr == &comm_base_handle_slow_accept) return 1; else if(fptr == &comm_point_http_handle_callback) return 1; +#ifdef USE_DNSTAP + else if(fptr == &dtio_output_cb) return 1; + else if(fptr == &dtio_cmd_cb) return 1; + else if(fptr == &dtio_reconnect_timeout_cb) return 1; + else if(fptr == &dtio_stop_timer_cb) return 1; + else if(fptr == &dtio_stop_ev_cb) return 1; + else if(fptr == &dtio_tap_callback) return 1; + else if(fptr == &dtio_mainfdcallback) return 1; +#endif #ifdef UB_ON_WINDOWS else if(fptr == &worker_win_stop_cb) return 1; #endif @@ -380,6 +395,9 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id)) #ifdef WITH_PYTHONMODULE else if(fptr == &pythonmod_init) return 1; #endif +#ifdef WITH_DYNLIBMODULE + else if(fptr == &dynlibmod_init) return 1; +#endif #ifdef USE_CACHEDB else if(fptr == &cachedb_init) return 1; #endif @@ -405,6 +423,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id)) #ifdef WITH_PYTHONMODULE else if(fptr == &pythonmod_deinit) return 1; #endif +#ifdef WITH_DYNLIBMODULE + else if(fptr == &dynlibmod_deinit) return 1; +#endif #ifdef USE_CACHEDB else if(fptr == &cachedb_deinit) return 1; #endif @@ -431,6 +452,9 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate, #ifdef WITH_PYTHONMODULE else if(fptr == &pythonmod_operate) return 1; #endif +#ifdef WITH_DYNLIBMODULE + else if(fptr == &dynlibmod_operate) return 1; +#endif #ifdef USE_CACHEDB else if(fptr == &cachedb_operate) return 1; #endif @@ -457,6 +481,9 @@ fptr_whitelist_mod_inform_super(void (*fptr)( #ifdef WITH_PYTHONMODULE else if(fptr == &pythonmod_inform_super) return 1; #endif +#ifdef WITH_DYNLIBMODULE + else if(fptr == &dynlibmod_inform_super) return 1; +#endif #ifdef USE_CACHEDB else if(fptr == &cachedb_inform_super) return 1; #endif @@ -483,6 +510,9 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate, #ifdef WITH_PYTHONMODULE else if(fptr == &pythonmod_clear) return 1; #endif +#ifdef WITH_DYNLIBMODULE + else if(fptr == &dynlibmod_clear) return 1; +#endif #ifdef USE_CACHEDB else if(fptr == &cachedb_clear) return 1; #endif @@ -508,6 +538,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id)) #ifdef WITH_PYTHONMODULE else if(fptr == &pythonmod_get_mem) return 1; #endif +#ifdef WITH_DYNLIBMODULE + else if(fptr == &dynlibmod_get_mem) return 1; +#endif #ifdef USE_CACHEDB else if(fptr == &cachedb_get_mem) return 1; #endif @@ -566,18 +599,30 @@ int fptr_whitelist_inplace_cb_reply_generic(inplace_cb_reply_func_type* fptr, #ifdef WITH_PYTHONMODULE if(fptr == &python_inplace_cb_reply_generic) return 1; #endif +#ifdef WITH_DYNLIBMODULE + if(fptr == &dynlib_inplace_cb_reply_generic) return 1; +#endif } else if(type == inplace_cb_reply_cache) { #ifdef WITH_PYTHONMODULE if(fptr == &python_inplace_cb_reply_generic) return 1; #endif +#ifdef WITH_DYNLIBMODULE + if(fptr == &dynlib_inplace_cb_reply_generic) return 1; +#endif } else if(type == inplace_cb_reply_local) { #ifdef WITH_PYTHONMODULE if(fptr == &python_inplace_cb_reply_generic) return 1; #endif +#ifdef WITH_DYNLIBMODULE + if(fptr == &dynlib_inplace_cb_reply_generic) return 1; +#endif } else if(type == inplace_cb_reply_servfail) { #ifdef WITH_PYTHONMODULE if(fptr == &python_inplace_cb_reply_generic) return 1; #endif +#ifdef WITH_DYNLIBMODULE + if(fptr == &dynlib_inplace_cb_reply_generic) return 1; +#endif } return 0; } @@ -592,6 +637,10 @@ int fptr_whitelist_inplace_cb_query(inplace_cb_query_func_type* fptr) if(fptr == &python_inplace_cb_query_generic) return 1; #endif +#ifdef WITH_DYNLIBMODULE + if(fptr == &dynlib_inplace_cb_query_generic) + return 1; +#endif (void)fptr; return 0; } @@ -605,6 +654,10 @@ int fptr_whitelist_inplace_cb_edns_back_parsed( #else (void)fptr; #endif +#ifdef WITH_DYNLIBMODULE + if(fptr == &dynlib_inplace_cb_edns_back_parsed) + return 1; +#endif return 0; } @@ -617,6 +670,10 @@ int fptr_whitelist_inplace_cb_query_response( #else (void)fptr; #endif +#ifdef WITH_DYNLIBMODULE + if(fptr == &dynlib_inplace_cb_query_response) + return 1; +#endif return 0; } diff --git a/usr.sbin/unbound/util/iana_ports.inc b/usr.sbin/unbound/util/iana_ports.inc index 3b8afe54e82..79488f49a2c 100644 --- a/usr.sbin/unbound/util/iana_ports.inc +++ b/usr.sbin/unbound/util/iana_ports.inc @@ -3771,6 +3771,7 @@ 4188, 4191, 4192, +4195, 4197, 4199, 4300, @@ -4539,6 +4540,7 @@ 6850, 6868, 6888, +6924, 6935, 6936, 6946, @@ -5229,6 +5231,7 @@ 18241, 18262, 18463, +18516, 18634, 18635, 18668, diff --git a/usr.sbin/unbound/util/log.h b/usr.sbin/unbound/util/log.h index 098a850a559..29a1ba38009 100644 --- a/usr.sbin/unbound/util/log.h +++ b/usr.sbin/unbound/util/log.h @@ -121,7 +121,7 @@ void log_ident_set_default(const char* id); /** * Revert identity to print, back to the recorded default value. */ -void log_ident_revert_to_default(); +void log_ident_revert_to_default(void); /** * Set identity to print if there is an identity, otherwise diff --git a/usr.sbin/unbound/util/mini_event.h b/usr.sbin/unbound/util/mini_event.h index 204894d97af..1734ca574c6 100644 --- a/usr.sbin/unbound/util/mini_event.h +++ b/usr.sbin/unbound/util/mini_event.h @@ -54,6 +54,8 @@ #if defined(USE_MINI_EVENT) && !defined(USE_WINSOCK) +#include <sys/time.h> + #ifndef HAVE_EVENT_BASE_FREE #define HAVE_EVENT_BASE_FREE #endif diff --git a/usr.sbin/unbound/util/net_help.c b/usr.sbin/unbound/util/net_help.c index 0869f91f954..f59a4d65370 100644 --- a/usr.sbin/unbound/util/net_help.c +++ b/usr.sbin/unbound/util/net_help.c @@ -55,6 +55,9 @@ #ifdef HAVE_OPENSSL_ERR_H #include <openssl/err.h> #endif +#ifdef HAVE_OPENSSL_CORE_NAMES_H +#include <openssl/core_names.h> +#endif #ifdef USE_WINSOCK #include <wincrypt.h> #endif @@ -67,8 +70,8 @@ uint16_t EDNS_ADVERTISED_SIZE = 4096; /** minimal responses when positive answer: default is no */ int MINIMAL_RESPONSES = 0; -/** rrset order roundrobin: default is no */ -int RRSET_ROUNDROBIN = 0; +/** rrset order roundrobin: default is yes */ +int RRSET_ROUNDROBIN = 1; /** log tag queries with name instead of 'info' for filtering */ int LOG_TAG_QUERYREPLY = 0; @@ -79,6 +82,32 @@ static struct tls_session_ticket_key { unsigned char *hmac_key; } *ticket_keys; +/** + * callback TLS session ticket encrypt and decrypt + * For use with SSL_CTX_set_tlsext_ticket_key_cb or + * SSL_CTX_set_tlsext_ticket_key_evp_cb + * @param s: the SSL_CTX to use (from connect_sslctx_create()) + * @param key_name: secret name, 16 bytes + * @param iv: up to EVP_MAX_IV_LENGTH. + * @param evp_ctx: the evp cipher context, function sets this. + * @param hmac_ctx: the hmac context, function sets this. + * with ..key_cb it is of type HMAC_CTX* + * with ..key_evp_cb it is of type EVP_MAC_CTX* + * @param enc: 1 is encrypt, 0 is decrypt + * @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket + * (the ticket is decrypt only). and <0 for failures. + */ +#ifdef HAVE_SSL +int tls_session_ticket_key_cb(SSL *s, unsigned char* key_name, + unsigned char* iv, EVP_CIPHER_CTX *evp_ctx, +#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB + EVP_MAC_CTX *hmac_ctx, +#else + HMAC_CTX* hmac_ctx, +#endif + int enc); +#endif /* HAVE_SSL */ + /* returns true is string addr is an ip6 specced address */ int str_is_ip6(const char* str) @@ -829,6 +858,32 @@ void log_crypto_err_code(const char* str, unsigned long err) #endif /* HAVE_SSL */ } +#ifdef HAVE_SSL +/** log certificate details */ +void +log_cert(unsigned level, const char* str, void* cert) +{ + BIO* bio; + char nul = 0; + char* pp = NULL; + long len; + if(verbosity < level) return; + bio = BIO_new(BIO_s_mem()); + if(!bio) return; + X509_print_ex(bio, (X509*)cert, 0, (unsigned long)-1 + ^(X509_FLAG_NO_SUBJECT + |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY + |X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX + |X509_FLAG_NO_ATTRIBUTES)); + BIO_write(bio, &nul, (int)sizeof(nul)); + len = BIO_get_mem_data(bio, &pp); + if(len != 0 && pp) { + verbose(level, "%s: \n%s", str, pp); + } + BIO_free(bio); +} +#endif /* HAVE_SSL */ + int listen_sslctx_setup(void* ctxt) { @@ -970,7 +1025,7 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem) } SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( verifypem)); - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); } return ctx; #else @@ -1191,6 +1246,60 @@ void* outgoing_ssl_fd(void* sslctx, int fd) #endif } +int check_auth_name_for_ssl(char* auth_name) +{ + if(!auth_name) return 1; +#if defined(HAVE_SSL) && !defined(HAVE_SSL_SET1_HOST) && !defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + log_err("the query has an auth_name %s, but libssl has no call to " + "perform TLS authentication. Remove that name from config " + "or upgrade the ssl crypto library.", auth_name); + return 0; +#else + return 1; +#endif +} + +/** set the authname on an SSL structure, SSL* ssl */ +int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni) +{ + if(!auth_name) return 1; +#ifdef HAVE_SSL + if(use_sni) { + (void)SSL_set_tlsext_host_name(ssl, auth_name); + } +#else + (void)ssl; + (void)use_sni; +#endif +#ifdef HAVE_SSL_SET1_HOST + SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); + /* setting the hostname makes openssl verify the + * host name in the x509 certificate in the + * SSL connection*/ + if(!SSL_set1_host(ssl, auth_name)) { + log_err("SSL_set1_host failed"); + return 0; + } +#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + /* openssl 1.0.2 has this function that can be used for + * set1_host like verification */ + if(auth_name) { + X509_VERIFY_PARAM* param = SSL_get0_param(ssl); +# ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); +# endif + if(!X509_VERIFY_PARAM_set1_host(param, auth_name, strlen(auth_name))) { + log_err("X509_VERIFY_PARAM_set1_host failed"); + return 0; + } + SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); + } +#else + verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication"); +#endif /* HAVE_SSL_SET1_HOST */ + return 1; +} + #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L /** global lock list for openssl locks */ static lock_basic_type *ub_openssl_locks = NULL; @@ -1285,7 +1394,7 @@ int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_ses if(!data) return 0; - f = fopen(p->str, "r"); + f = fopen(p->str, "rb"); if(!f) { log_err("could not read tls-session-ticket-key %s: %s", p->str, strerror(errno)); free(data); @@ -1308,10 +1417,17 @@ int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_ses } /* terminate array with NULL key name entry */ keys->key_name = NULL; +# ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB + if(SSL_CTX_set_tlsext_ticket_key_evp_cb(sslctx, tls_session_ticket_key_cb) == 0) { + log_err("no support for TLS session ticket"); + return 0; + } +# else if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, tls_session_ticket_key_cb) == 0) { log_err("no support for TLS session ticket"); return 0; } +# endif return 1; #else (void)sslctx; @@ -1321,13 +1437,27 @@ int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_ses } -int tls_session_ticket_key_cb(void *ATTR_UNUSED(sslctx), unsigned char* key_name, unsigned char* iv, void *evp_sctx, void *hmac_ctx, int enc) +#ifdef HAVE_SSL +int tls_session_ticket_key_cb(SSL *ATTR_UNUSED(sslctx), unsigned char* key_name, + unsigned char* iv, EVP_CIPHER_CTX *evp_sctx, +#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB + EVP_MAC_CTX *hmac_ctx, +#else + HMAC_CTX* hmac_ctx, +#endif + int enc) { #ifdef HAVE_SSL +# ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB + OSSL_PARAM params[3]; +# else const EVP_MD *digest; +# endif const EVP_CIPHER *cipher; int evp_cipher_length; +# ifndef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB digest = EVP_sha256(); +# endif cipher = EVP_aes_256_cbc(); evp_cipher_length = EVP_CIPHER_iv_length(cipher); if( enc == 1 ) { @@ -1342,7 +1472,14 @@ int tls_session_ticket_key_cb(void *ATTR_UNUSED(sslctx), unsigned char* key_name verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed"); return -1; } -#ifndef HMAC_INIT_EX_RETURNS_VOID +#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB + params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, + ticket_keys->hmac_key, 32); + params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, + "sha256", 0); + params[2] = OSSL_PARAM_construct_end(); + EVP_MAC_set_ctx_params(hmac_ctx, params); +#elif !defined(HMAC_INIT_EX_RETURNS_VOID) if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) { verbose(VERB_CLIENT, "HMAC_Init_ex failed"); return -1; @@ -1366,7 +1503,14 @@ int tls_session_ticket_key_cb(void *ATTR_UNUSED(sslctx), unsigned char* key_name return 0; } -#ifndef HMAC_INIT_EX_RETURNS_VOID +#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB + params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, + key->hmac_key, 32); + params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, + "sha256", 0); + params[2] = OSSL_PARAM_construct_end(); + EVP_MAC_set_ctx_params(hmac_ctx, params); +#elif !defined(HMAC_INIT_EX_RETURNS_VOID) if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) { verbose(VERB_CLIENT, "HMAC_Init_ex failed"); return -1; @@ -1391,6 +1535,7 @@ int tls_session_ticket_key_cb(void *ATTR_UNUSED(sslctx), unsigned char* key_name return 0; #endif } +#endif /* HAVE_SSL */ void listen_sslctx_delete_ticket_keys(void) diff --git a/usr.sbin/unbound/util/net_help.h b/usr.sbin/unbound/util/net_help.h index 7a33a72035d..29943ada090 100644 --- a/usr.sbin/unbound/util/net_help.h +++ b/usr.sbin/unbound/util/net_help.h @@ -386,6 +386,14 @@ void log_crypto_err(const char* str); void log_crypto_err_code(const char* str, unsigned long err); /** + * Log certificate details verbosity, string, of X509 cert + * @param level: verbosity level + * @param str: string to prefix on output + * @param cert: X509* structure. + */ +void log_cert(unsigned level, const char* str, void* cert); + +/** * Set SSL_OP_NOxxx options on SSL context to disable bad crypto * @param ctxt: SSL_CTX* * @return false on failure. @@ -435,6 +443,22 @@ void* incoming_ssl_fd(void* sslctx, int fd); void* outgoing_ssl_fd(void* sslctx, int fd); /** + * check if authname SSL functionality is available, false if not + * @param auth_name: the name for the remote server, used for error print. + * @return false if SSL functionality to check the SSL name is not available. + */ +int check_auth_name_for_ssl(char* auth_name); + +/** + * set auth name on SSL for verification + * @param ssl: SSL* to set + * @param auth_name: if NULL nothing happens, otherwise the name to check. + * @param use_sni: if SNI will be used. + * @return 1 on success or NULL auth_name, 0 on failure. + */ +int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni); + +/** * Initialize openssl locking for thread safety * @return false on failure (alloc failure). */ @@ -454,20 +478,6 @@ void ub_openssl_lock_delete(void); int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_session_ticket_keys); -/** - * callback TLS session ticket encrypt and decrypt - * For use with SSL_CTX_set_tlsext_ticket_key_cb - * @param s: the SSL_CTX to use (from connect_sslctx_create()) - * @param key_name: secret name, 16 bytes - * @param iv: up to EVP_MAX_IV_LENGTH. - * @param evp_ctx: the evp cipher context, function sets this. - * @param hmac_ctx: the hmax context, function sets this. - * @param enc: 1 is encrypt, 0 is decrypt - * @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket - * (the ticket is decrypt only). and <0 for failures. - */ -int tls_session_ticket_key_cb(void *s, unsigned char* key_name,unsigned char* iv, void *evp_ctx, void *hmac_ctx, int enc); - /** Free memory used for TLS session ticket keys */ void listen_sslctx_delete_ticket_keys(void); diff --git a/usr.sbin/unbound/util/netevent.c b/usr.sbin/unbound/util/netevent.c index dbc9f4cd8f3..3e7a433e502 100644 --- a/usr.sbin/unbound/util/netevent.c +++ b/usr.sbin/unbound/util/netevent.c @@ -470,7 +470,7 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet, msg.msg_iovlen = 1; msg.msg_control = control.buf; #ifndef S_SPLINT_S - msg.msg_controllen = sizeof(control); + msg.msg_controllen = sizeof(control.buf); #endif /* S_SPLINT_S */ msg.msg_flags = 0; @@ -480,7 +480,7 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet, #ifdef IP_PKTINFO void* cmsg_data; msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); - log_assert(msg.msg_controllen <= sizeof(control)); + log_assert(msg.msg_controllen <= sizeof(control.buf)); cmsg->cmsg_level = IPPROTO_IP; cmsg->cmsg_type = IP_PKTINFO; memmove(CMSG_DATA(cmsg), &r->pktinfo.v4info, @@ -491,7 +491,7 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet, cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); #elif defined(IP_SENDSRCADDR) msg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr)); - log_assert(msg.msg_controllen <= sizeof(control)); + log_assert(msg.msg_controllen <= sizeof(control.buf)); cmsg->cmsg_level = IPPROTO_IP; cmsg->cmsg_type = IP_SENDSRCADDR; memmove(CMSG_DATA(cmsg), &r->pktinfo.v4addr, @@ -504,7 +504,7 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet, } else if(r->srctype == 6) { void* cmsg_data; msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); - log_assert(msg.msg_controllen <= sizeof(control)); + log_assert(msg.msg_controllen <= sizeof(control.buf)); cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_PKTINFO; memmove(CMSG_DATA(cmsg), &r->pktinfo.v6info, @@ -516,7 +516,7 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet, } else { /* try to pass all 0 to use default route */ msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); - log_assert(msg.msg_controllen <= sizeof(control)); + log_assert(msg.msg_controllen <= sizeof(control.buf)); cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_PKTINFO; memset(CMSG_DATA(cmsg), 0, sizeof(struct in6_pktinfo)); @@ -616,7 +616,7 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg) msg.msg_iovlen = 1; msg.msg_control = ancil.buf; #ifndef S_SPLINT_S - msg.msg_controllen = sizeof(ancil); + msg.msg_controllen = sizeof(ancil.buf); #endif /* S_SPLINT_S */ msg.msg_flags = 0; rcv = recvmsg(fd, &msg, 0); @@ -1033,34 +1033,8 @@ tcp_callback_reader(struct comm_point* c) } #ifdef HAVE_SSL -/** log certificate details */ -static void -log_cert(unsigned level, const char* str, X509* cert) -{ - BIO* bio; - char nul = 0; - char* pp = NULL; - long len; - if(verbosity < level) return; - bio = BIO_new(BIO_s_mem()); - if(!bio) return; - X509_print_ex(bio, cert, 0, (unsigned long)-1 - ^(X509_FLAG_NO_SUBJECT - |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY - |X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX - |X509_FLAG_NO_ATTRIBUTES)); - BIO_write(bio, &nul, (int)sizeof(nul)); - len = BIO_get_mem_data(bio, &pp); - if(len != 0 && pp) { - verbose(level, "%s: \n%s", str, pp); - } - BIO_free(bio); -} -#endif /* HAVE_SSL */ - -#ifdef HAVE_SSL /** true if the ssl handshake error has to be squelched from the logs */ -static int +int squelch_err_ssl_handshake(unsigned long err) { if(verbosity >= VERB_QUERY) @@ -3189,7 +3163,10 @@ comm_point_send_reply(struct comm_reply *repinfo) if(repinfo->c->tcp_parent->dtenv != NULL && repinfo->c->tcp_parent->dtenv->log_client_response_messages) dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, - &repinfo->addr, repinfo->c->type, repinfo->c->buffer); + &repinfo->addr, repinfo->c->type, + ( repinfo->c->tcp_req_info + ? repinfo->c->tcp_req_info->spool_buffer + : repinfo->c->buffer )); #endif if(repinfo->c->tcp_req_info) { tcp_req_info_send_reply(repinfo->c->tcp_req_info); diff --git a/usr.sbin/unbound/util/netevent.h b/usr.sbin/unbound/util/netevent.h index d80c72b3343..bb2cd1e5373 100644 --- a/usr.sbin/unbound/util/netevent.h +++ b/usr.sbin/unbound/util/netevent.h @@ -783,7 +783,23 @@ void comm_base_handle_slow_accept(int fd, short event, void* arg); void comm_point_tcp_win_bio_cb(struct comm_point* c, void* ssl); #endif -/** see if errno for tcp connect has to be logged or not. This uses errno */ +/** + * See if errno for tcp connect has to be logged or not. This uses errno + * @param addr: apart from checking errno, the addr is checked for ip4mapped + * and broadcast type, hence passed. + * @param addrlen: length of the addr parameter. + * @return true if it needs to be logged. + */ int tcp_connect_errno_needs_log(struct sockaddr* addr, socklen_t addrlen); +#ifdef HAVE_SSL +/** + * True if the ssl handshake error has to be squelched from the logs + * @param err: the error returned by the openssl routine, ERR_get_error. + * This is a packed structure with elements that are examined. + * @return true if the error is squelched (not logged). + */ +int squelch_err_ssl_handshake(unsigned long err); +#endif + #endif /* NET_EVENT_H */ diff --git a/usr.sbin/unbound/util/shm_side/shm_main.c b/usr.sbin/unbound/util/shm_side/shm_main.c index 46a71510fea..af8c5bcf370 100644 --- a/usr.sbin/unbound/util/shm_side/shm_main.c +++ b/usr.sbin/unbound/util/shm_side/shm_main.c @@ -285,6 +285,10 @@ void shm_main_run(struct worker *worker) shm_stat->mem.ipsecmod = (long long)mod_get_mem(&worker->env, "ipsecmod"); #endif +#ifdef WITH_DYNLIBMODULE + shm_stat->mem.dynlib = (long long)mod_get_mem(&worker->env, + "dynlib"); +#endif } server_stats_add(stat_total, stat_info); diff --git a/usr.sbin/unbound/util/ub_event.c b/usr.sbin/unbound/util/ub_event.c index 9af476ad408..68f633bb0ef 100644 --- a/usr.sbin/unbound/util/ub_event.c +++ b/usr.sbin/unbound/util/ub_event.c @@ -148,7 +148,7 @@ const char* ub_event_get_version(void) return event_get_version(); } -#if (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && defined(EVBACKEND_SELECT) +#if (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && defined(EV_FEATURE_BACKENDS) static const char* ub_ev_backend2str(int b) { switch(b) { @@ -184,7 +184,7 @@ ub_get_event_sys(struct ub_event_base* base, const char** n, const char** s, *n = "libev"; if (!b) b = (struct event_base*)ev_default_loop(EVFLAG_AUTO); -# ifdef EVBACKEND_SELECT +# ifdef EV_FEATURE_BACKENDS *m = ub_ev_backend2str(ev_backend((struct ev_loop*)b)); # else *m = "not obtainable"; diff --git a/usr.sbin/unbound/validator/val_secalgo.c b/usr.sbin/unbound/validator/val_secalgo.c index 8f17c53e86d..65bca8b69d6 100644 --- a/usr.sbin/unbound/validator/val_secalgo.c +++ b/usr.sbin/unbound/validator/val_secalgo.c @@ -77,6 +77,10 @@ int fake_sha1 = 0; #include <openssl/engine.h> #endif +#if defined(HAVE_OPENSSL_DSA_H) && defined(USE_DSA) +#include <openssl/dsa.h> +#endif + /** * Output a libcrypto openssl error to the logfile. * @param str: string to add to it. @@ -1746,6 +1750,7 @@ _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); mpz_clear(x); mpz_clear(y); + nettle_ecc_point_clear(&pubkey); break; } case SHA384_DIGEST_SIZE: diff --git a/usr.sbin/unbound/validator/val_sigcrypt.c b/usr.sbin/unbound/validator/val_sigcrypt.c index 33d206de8d7..de730f68189 100644 --- a/usr.sbin/unbound/validator/val_sigcrypt.c +++ b/usr.sbin/unbound/validator/val_sigcrypt.c @@ -1343,7 +1343,7 @@ adjust_ttl(struct val_env* ve, uint32_t unow, if(ve->date_override) { now = ve->date_override; } else now = (int32_t)unow; - expittl = expi - now; + expittl = (int32_t)((uint32_t)expi - (uint32_t)now); /* so now: * d->ttl: rrset ttl read from message or cache. May be reduced |