Diffstat (limited to 'usr.sbin/unbound')
-rw-r--r--usr.sbin/unbound/Makefile.in85
-rwxr-xr-xusr.sbin/unbound/configure186
-rw-r--r--usr.sbin/unbound/configure.ac89
-rw-r--r--usr.sbin/unbound/daemon/remote.c74
-rw-r--r--usr.sbin/unbound/daemon/remote.h6
-rw-r--r--usr.sbin/unbound/daemon/unbound.c13
-rw-r--r--usr.sbin/unbound/doc/Changelog103
-rw-r--r--usr.sbin/unbound/doc/unbound-host.12
-rw-r--r--usr.sbin/unbound/libunbound/libworker.c2
-rw-r--r--usr.sbin/unbound/services/listen_dnsport.c31
-rw-r--r--usr.sbin/unbound/util/netevent.c20
11 files changed, 512 insertions, 99 deletions
diff --git a/usr.sbin/unbound/Makefile.in b/usr.sbin/unbound/Makefile.in
index 4a0c5a5472c..b663303009c 100644
--- a/usr.sbin/unbound/Makefile.in
+++ b/usr.sbin/unbound/Makefile.in
@@ -30,6 +30,7 @@ PYTHONMOD_INSTALL=@PYTHONMOD_INSTALL@
PYTHONMOD_UNINSTALL=@PYTHONMOD_UNINSTALL@
PYUNBOUND_INSTALL=@PYUNBOUND_INSTALL@
PYUNBOUND_UNINSTALL=@PYUNBOUND_UNINSTALL@
+ALLTARGET=@ALLTARGET@
# _unbound.la if pyunbound enabled.
PYUNBOUND_TARGET=@PYUNBOUND_TARGET@
@@ -99,7 +100,8 @@ util/storage/lruhash.c util/storage/slabhash.c util/timehist.c util/tube.c \
util/winsock_event.c validator/autotrust.c validator/val_anchor.c \
validator/validator.c validator/val_kcache.c validator/val_kentry.c \
validator/val_neg.c validator/val_nsec3.c validator/val_nsec.c \
-validator/val_sigcrypt.c validator/val_utils.c $(CHECKLOCK_SRC)
+validator/val_secalgo.c validator/val_sigcrypt.c \
+validator/val_utils.c $(CHECKLOCK_SRC)
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -109,7 +111,7 @@ fptr_wlist.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
-val_sigcrypt.lo val_utils.lo $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ)
+val_secalgo.lo val_sigcrypt.lo val_utils.lo $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ)
COMMON_OBJ=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
outside_network.lo
# set to $COMMON_OBJ or to "" if --enableallsymbols
@@ -227,9 +229,11 @@ COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS)
LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(staticexe) -version-info @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined
-.PHONY: clean realclean doc lint all install uninstall tests test strip lib longtest longcheck check
+.PHONY: clean realclean doc lint all install uninstall tests test strip lib longtest longcheck check alltargets
-all: $(COMMON_OBJ) unbound$(EXEEXT) unbound-checkconf$(EXEEXT) lib unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup $(WINAPPS) $(PYUNBOUND_TARGET)
+all: $(COMMON_OBJ) $(ALLTARGET)
+
+alltargets: unbound$(EXEEXT) unbound-checkconf$(EXEEXT) lib unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup $(WINAPPS) $(PYUNBOUND_TARGET)
# compat with BSD make, register suffix, and an implicit rule to actualise it.
.SUFFIXES: .lo
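Review bot: `ALLTARGET` carries no comment here or at its assignment, although it now decides what `all` builds; per the configure changes in this commit it is substituted as either `alltargets` (default) or `lib` (`--with-libunbound-only`). A comment above the rule, for example `# $(ALLTARGET) is "alltargets" or "lib", chosen by configure --with-libunbound-only.`, would make that visible to someone reading the Makefile alone. The `install`, `uninstall` and `strip` rules are outside this hunk; if they still name the daemon and tool binaries, a library-only configuration would still build or expect them at install time, which is worth checking.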
@@ -564,9 +568,8 @@ msgencode.lo msgencode.o: $(srcdir)/util/data/msgencode.c config.h \
$(srcdir)/util/regional.h $(srcdir)/util/net_help.h
msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h \
$(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/regional.h
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h
msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h \
$(srcdir)/util/data/msgreply.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
@@ -671,7 +674,7 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service
$(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
- $(srcdir)/validator/val_utils.h $(PYTHONMOD_HEADER)
+ $(srcdir)/validator/val_utils.h
outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h \
@@ -712,8 +715,8 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
$(srcdir)/util/data/msgparse.h \
$(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
- $(srcdir)/util/rbtree.h $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/daemon/remote.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
@@ -721,19 +724,12 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
$(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/util/config_file.h $(PYTHONMOD_HEADER)
+ $(srcdir)/util/config_file.h
locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/locks.h
-mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
+mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h
module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h \
@@ -746,7 +742,7 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h \
$(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h \
$(srcdir)/util/net_help.h \
$(srcdir)/util/log.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
@@ -764,8 +760,7 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/regional.h
-rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/util/log.h \
-
+rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h
dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h \
@@ -850,12 +845,16 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h \
$(srcdir)/validator/val_utils.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
+val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h \
+ $(srcdir)/validator/val_secalgo.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+
val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
$(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
+ $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@@ -865,7 +864,7 @@ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/val
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/testcode/checklocks.h
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h \
@@ -906,11 +905,11 @@ unitverify.lo unitverify.o: $(srcdir)/testcode/unitverify.c config.h $(srcdir)/u
$(srcdir)/testcode/unitmain.h \
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h \
- $(srcdir)/validator/val_nsec.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/validator/val_utils.h \
- $(srcdir)/testcode/ldns-testpkts.h \
+ $(srcdir)/validator/val_secalgo.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/testcode/ldns-testpkts.h \
$(srcdir)/util/data/dname.h \
$(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h
readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h \
@@ -926,13 +925,12 @@ cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/util/netevent.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/util/storage/dnstree.h
+ $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h \
+ $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
$(srcdir)/daemon/daemon.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h $(srcdir)/daemon/worker.h \
@@ -973,8 +971,7 @@ unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/data/packed_rrset.h \
$(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/net_help.h \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/util/net_help.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \
$(srcdir)/util/log.h \
$(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/util/netevent.h \
@@ -997,8 +994,7 @@ testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/test
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h
ldns-testpkts.lo ldns-testpkts.o: $(srcdir)/testcode/ldns-testpkts.c config.h \
$(srcdir)/testcode/ldns-testpkts.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \
@@ -1087,7 +1083,7 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
$(srcdir)/util/regional.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/services/localzone.h $(PYTHONMOD_HEADER)
+ $(srcdir)/services/localzone.h
worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/util/log.h \
$(srcdir)/services/mesh.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h \
@@ -1162,8 +1158,7 @@ pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c conf
$(srcdir)/util/data/msgparse.h \
$(srcdir)/util/netevent.h \
$(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
-
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h
win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/alloc.h \
diff --git a/usr.sbin/unbound/configure b/usr.sbin/unbound/configure
index 5bcf62eb007..714941bec3e 100755
--- a/usr.sbin/unbound/configure
+++ b/usr.sbin/unbound/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for unbound 1.4.17.
+# Generated by GNU Autoconf 2.68 for unbound 1.4.18.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@@ -570,8 +570,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.4.17'
-PACKAGE_STRING='unbound 1.4.17'
+PACKAGE_VERSION='1.4.18'
+PACKAGE_STRING='unbound 1.4.18'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@@ -613,6 +613,7 @@ ac_includes_default="\
ac_subst_vars='LTLIBOBJS
ldnsdir
+ALLTARGET
SOURCEFILE
SOURCEDETERMINE
UBSYMS
@@ -789,6 +790,7 @@ with_pthreads
with_solaris_threads
with_pyunbound
with_pythonmodule
+with_nss
with_ssl
enable_sha2
enable_gost
@@ -798,6 +800,7 @@ with_libexpat
enable_static_exe
enable_lock_checks
enable_allsymbols
+with_libunbound_only
with_ldns
'
ac_precious_vars='build_alias
@@ -1354,7 +1357,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures unbound 1.4.17 to adapt to many kinds of systems.
+\`configure' configures unbound 1.4.18 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1420,7 +1423,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of unbound 1.4.17:";;
+ short | recursive ) echo "Configuration of unbound 1.4.18:";;
esac
cat <<\_ACEOF
@@ -1489,6 +1492,7 @@ Optional Packages:
(default=no)
--with-pythonmodule build Python module, or --without-pythonmodule to
disable script engine. (default=no)
+ --with-nss=path use libnss instead of openssl, installed at path.
--with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl
/usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
/usr)
@@ -1498,6 +1502,7 @@ Optional Packages:
an explicit path). Slower, but allows use of large
outgoing port ranges.
--with-libexpat=path specify explicit path for libexpat.
+ --with-libunbound-only do not build daemon and tool programs
--with-ldns=PATH specify prefix of path of ldns library to use
Some influential environment variables:
@@ -1586,7 +1591,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-unbound configure 1.4.17
+unbound configure 1.4.18
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -2112,7 +2117,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.4.17, which was
+It was created by unbound $as_me 1.4.18, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
@@ -2462,7 +2467,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
LIBUNBOUND_CURRENT=3
-LIBUNBOUND_REVISION=1
+LIBUNBOUND_REVISION=3
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -2496,6 +2501,7 @@ LIBUNBOUND_AGE=1
# 1.4.15 had 3:0:1 # adds ub_version()
# 1.4.16 had 3:1:1
# 1.4.17 had 3:2:1
+# 1.4.18 had 3:3:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -4209,6 +4215,71 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
+# allow user to override the -g -O2 flags.
+if test "x$CFLAGS" = "x" ; then
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC supports -g" >&5
+$as_echo_n "checking whether $CC supports -g... " >&6; }
+cache=`echo g | sed 'y%.=/+-%___p_%'`
+if eval \${cv_prog_cc_flag_$cache+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+echo 'void f(){}' >conftest.c
+if test -z "`$CC $CPPFLAGS $CFLAGS -g -c conftest.c 2>&1`"; then
+eval "cv_prog_cc_flag_$cache=yes"
+else
+eval "cv_prog_cc_flag_$cache=no"
+fi
+rm -f conftest conftest.o conftest.c
+
+fi
+
+if eval "test \"`echo '$cv_prog_cc_flag_'$cache`\" = yes"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+:
+CFLAGS="$CFLAGS -g"
+else
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+:
+
+fi
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC supports -O2" >&5
+$as_echo_n "checking whether $CC supports -O2... " >&6; }
+cache=`echo O2 | sed 'y%.=/+-%___p_%'`
+if eval \${cv_prog_cc_flag_$cache+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+echo 'void f(){}' >conftest.c
+if test -z "`$CC $CPPFLAGS $CFLAGS -O2 -c conftest.c 2>&1`"; then
+eval "cv_prog_cc_flag_$cache=yes"
+else
+eval "cv_prog_cc_flag_$cache=no"
+fi
+rm -f conftest conftest.o conftest.c
+
+fi
+
+if eval "test \"`echo '$cv_prog_cc_flag_'$cache`\" = yes"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+:
+CFLAGS="$CFLAGS -O2"
+else
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+:
+
+fi
+
+fi
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -15682,8 +15753,11 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
ac_compiler_gnu=$ac_cv_c_compiler_gnu
# save current global flags
- LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
- CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+ ac_save_LIBS="$LIBS"
+ ac_save_CPPFLAGS="$CPPFLAGS"
+
+ LIBS="$LIBS $PYTHON_LDFLAGS"
+ CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
@@ -15923,6 +15997,39 @@ CONFIG_DATE=`date +%Y%m%d`
# Checks for libraries.
+# libnss
+USE_NSS="no"
+
+# Check whether --with-nss was given.
+if test "${with_nss+set}" = set; then :
+ withval=$with_nss;
+ USE_NSS="yes"
+
+$as_echo "#define HAVE_NSS 1" >>confdefs.h
+
+ if test "$withval" != "/usr" -a "$withval" != "" -a "$withval" != "yes"; then
+ CPPFLAGS="$CPPFLAGS -I$withval/include"
+ LDFLAGS="$LDFLAGS -L$withval/lib"
+
+ if test "x$enable_rpath" = xyes; then
+ if echo "$withval/lib" | grep "^/" >/dev/null; then
+ RUNTIME_PATH="$RUNTIME_PATH -R$withval/lib"
+ fi
+ fi
+
+ CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+ else
+ CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+ fi
+ LIBS="$LIBS -lnss3 -lnspr4"
+
+
+fi
+
+
+# openssl
+if test $USE_NSS = "no"; then
+
# Check whether --with-ssl was given.
if test "${with_ssl+set}" = set; then :
@@ -16314,7 +16421,7 @@ fi
done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -16387,6 +16494,8 @@ cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl
_ACEOF
+fi
+
# Check whether --enable-sha2 was given.
if test "${enable_sha2+set}" = set; then :
@@ -16411,6 +16520,7 @@ if test "${enable_gost+set}" = set; then :
fi
use_gost="no"
+if test $USE_NSS = "no"; then
case "$enable_gost" in
no)
;;
@@ -16422,7 +16532,7 @@ else
as_fn_error $? "OpenSSL 1.0.0 is needed for GOST support" "$LINENO" 5
fi
- ac_fn_c_check_func "$LINENO" "EC_KEY_new" "ac_cv_func_EC_KEY_new"
+ ac_fn_c_check_func "$LINENO" "EC_KEY_new" "ac_cv_func_EC_KEY_new"
if test "x$ac_cv_func_EC_KEY_new" = xyes; then :
else
@@ -16544,7 +16654,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_gost_works" >&5
$as_echo "$ac_cv_c_gost_works" >&6; }
- if test $ac_cv_c_gost_works != no; then
+ if test "$ac_cv_c_gost_works" != no; then
use_gost="yes"
$as_echo "#define USE_GOST 1" >>confdefs.h
@@ -16552,7 +16662,7 @@ $as_echo "#define USE_GOST 1" >>confdefs.h
fi
;;
esac
-
+fi
# Check whether --enable-ecdsa was given.
if test "${enable_ecdsa+set}" = set; then :
enableval=$enable_ecdsa;
@@ -16563,21 +16673,22 @@ case "$enable_ecdsa" in
no)
;;
*)
- ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
+ if test $USE_NSS = "no"; then
+ ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
else
as_fn_error $? "OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5
fi
- ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init"
+ ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init"
if test "x$ac_cv_func_SHA384_Init" = xyes; then :
else
as_fn_error $? "OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5
fi
- ac_fn_c_check_decl "$LINENO" "NID_X9_62_prime256v1" "ac_cv_have_decl_NID_X9_62_prime256v1" "$ac_includes_default
+ ac_fn_c_check_decl "$LINENO" "NID_X9_62_prime256v1" "ac_cv_have_decl_NID_X9_62_prime256v1" "$ac_includes_default
#include <openssl/evp.h>
"
@@ -16614,20 +16725,21 @@ else
as_fn_error $? "OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5
fi
- # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5
+ # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5
$as_echo_n "checking if openssl supports SHA2 and ECDSA with EVP... " >&6; }
- if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
cat >>confdefs.h <<_ACEOF
#define USE_ECDSA_EVP_WORKAROUND 1
_ACEOF
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
+ fi
fi
# we now know we have ECDSA and the required curves.
@@ -17712,6 +17824,20 @@ rm -f conftest.lo
+# see if we want to build the library or everything
+ALLTARGET="alltargets"
+
+# Check whether --with-libunbound-only was given.
+if test "${with_libunbound_only+set}" = set; then :
+ withval=$with_libunbound_only;
+ if test "$withval" = "yes"; then
+ ALLTARGET="lib"
+ fi
+
+fi
+
+
+
# check this after all other compilation checks, since the linking of the lib
# may break checks after this.
@@ -17792,11 +17918,15 @@ if test "x$ac_cv_func_ldns_buffer_copy" = xyes; then :
fi
-ac_fn_c_check_func "$LINENO" "ldns_key_buf2rsa_raw" "ac_cv_func_ldns_key_buf2rsa_raw"
+if test $USE_NSS = "no"; then
+ ac_fn_c_check_func "$LINENO" "ldns_key_buf2rsa_raw" "ac_cv_func_ldns_key_buf2rsa_raw"
if test "x$ac_cv_func_ldns_key_buf2rsa_raw" = xyes; then :
fi
+else
+ ac_cv_func_ldns_key_buf2rsa_raw="yes"
+fi
ac_fn_c_check_func "$LINENO" "ldns_get_random" "ac_cv_func_ldns_get_random"
if test "x$ac_cv_func_ldns_get_random" = xyes; then :
@@ -17807,7 +17937,7 @@ if test "x$ac_cv_func_ldns_b32_ntop_extended_hex" = xyes; then :
fi
-if test x$use_gost = xyes; then
+if test x$use_gost = xyes -a x$USE_NSS = xno; then
ac_fn_c_check_func "$LINENO" "ldns_key_EVP_load_gost_id" "ac_cv_func_ldns_key_EVP_load_gost_id"
if test "x$ac_cv_func_ldns_key_EVP_load_gost_id" = xyes; then :
@@ -17825,7 +17955,7 @@ fi
done
else
- ac_cv_func_ldns_key_EVP_load_gost_id="yes"
+ ac_cv_func_ldns_key_EVP_load_gost_id="yes"
fi
if test x$use_ecdsa = xyes; then
ac_fn_c_check_decl "$LINENO" "LDNS_ECDSAP384SHA384" "ac_cv_have_decl_LDNS_ECDSAP384SHA384" "
@@ -18495,7 +18625,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by unbound $as_me 1.4.17, which was
+This file was extended by unbound $as_me 1.4.18, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -18561,7 +18691,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-unbound config.status 1.4.17
+unbound config.status 1.4.18
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
diff --git a/usr.sbin/unbound/configure.ac b/usr.sbin/unbound/configure.ac
index 968a1ba55c3..94ebe4602d1 100644
--- a/usr.sbin/unbound/configure.ac
+++ b/usr.sbin/unbound/configure.ac
@@ -6,10 +6,10 @@ sinclude(acx_pthread.m4)
sinclude(acx_python.m4)
sinclude(ac_pkg_swig.m4)
-AC_INIT(unbound, 1.4.17, unbound-bugs@nlnetlabs.nl, unbound)
+AC_INIT(unbound, 1.4.18, unbound-bugs@nlnetlabs.nl, unbound)
LIBUNBOUND_CURRENT=3
-LIBUNBOUND_REVISION=1
+LIBUNBOUND_REVISION=3
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -43,6 +43,7 @@ LIBUNBOUND_AGE=1
# 1.4.15 had 3:0:1 # adds ub_version()
# 1.4.16 had 3:1:1
# 1.4.17 had 3:2:1
+# 1.4.18 had 3:3:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -208,8 +209,11 @@ AC_DEFINE_UNQUOTED(RSRC_PACKAGE_VERSION, [$wnvs], [version number for resource f
# Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
AC_LANG_C
-dnl ACX_CHECK_COMPILER_FLAG(g, [CFLAGS="$CFLAGS -g"])
-dnl ACX_CHECK_COMPILER_FLAG(O2, [CFLAGS="$CFLAGS -O2"])
+# allow user to override the -g -O2 flags.
+if test "x$CFLAGS" = "x" ; then
+ACX_CHECK_COMPILER_FLAG(g, [CFLAGS="$CFLAGS -g"])
+ACX_CHECK_COMPILER_FLAG(O2, [CFLAGS="$CFLAGS -O2"])
+fi
AC_PROG_CC
ACX_DEPFLAG
ACX_DETERMINE_EXT_FLAGS_UNBOUND
@@ -511,11 +515,33 @@ CONFIG_DATE=`date +%Y%m%d`
AC_SUBST(CONFIG_DATE)
# Checks for libraries.
+
+# libnss
+USE_NSS="no"
+AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+ [use libnss instead of openssl, installed at path.]),
+ [
+ USE_NSS="yes"
+ AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+ if test "$withval" != "/usr" -a "$withval" != "" -a "$withval" != "yes"; then
+ CPPFLAGS="$CPPFLAGS -I$withval/include"
+ LDFLAGS="$LDFLAGS -L$withval/lib"
+ ACX_RUNTIME_PATH_ADD([$withval/lib])
+ CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+ else
+ CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+ fi
+ LIBS="$LIBS -lnss3 -lnspr4"
+ ]
+)
+
+# openssl
+if test $USE_NSS = "no"; then
ACX_WITH_SSL
ACX_LIB_SSL
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
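Review bot: `--without-nss` (or `--with-nss=no`) still switches the crypto backend to NSS, because the action-if-given block of `AC_ARG_WITH([nss], ...)` sets `USE_NSS="yes"` and defines `HAVE_NSS` without looking at `$withval`. The value `no` then passes the path test and adds `-Ino/include` and `-Lno/lib`, which are relative search paths resolved against the build directory. Wrapping the block body in `if test "x$withval" != "xno"; then ... fi` keeps the OpenSSL path for that case. The block also appends `-lnss3 -lnspr4` to `LIBS` with no header or library probe, so a missing or mismatched NSS install only surfaces at compile or link time; a probe such as `AC_CHECK_HEADERS([nss.h])` after the flags are set would fail early in configure instead.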
@@ -536,6 +562,8 @@ AC_INCLUDES_DEFAULT
#include <openssl/ssl.h>
#include <openssl/evp.h>
])
+fi
+
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
case "$enable_sha2" in
@@ -646,19 +674,21 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
use_gost="no"
+if test $USE_NSS = "no"; then
case "$enable_gost" in
no)
;;
*)
AC_CHECK_FUNC(EVP_PKEY_set_type_str, [:],[AC_MSG_ERROR([OpenSSL 1.0.0 is needed for GOST support])])
- AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])])
+ AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])])
AC_CHECK_GOST_WORKS
- if test $ac_cv_c_gost_works != no; then
+ if test "$ac_cv_c_gost_works" != no; then
use_gost="yes"
AC_DEFINE([USE_GOST], [1], [Define this to enable GOST support.])
fi
;;
esac
+fi dnl !USE_NSS
AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
use_ecdsa="no"
@@ -666,18 +696,20 @@ case "$enable_ecdsa" in
no)
;;
*)
- AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
- AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
- AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
+ if test $USE_NSS = "no"; then
+ AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
+ AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
+ AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
#include <openssl/evp.h>
- ])
- # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
- AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
- if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
- AC_MSG_RESULT([no])
- AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
- else
- AC_MSG_RESULT([yes])
+ ])
+ # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
+ AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
+ if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+ AC_MSG_RESULT([no])
+ AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
+ else
+ AC_MSG_RESULT([yes])
+ fi
fi
# we now know we have ECDSA and the required curves.
AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.])
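Review bot: With `USE_NSS` set, the ECDSA branch skips every probe and still reaches `AC_DEFINE_UNQUOTED([USE_ECDSA], ...)`, so the comment `# we now know we have ECDSA and the required curves.` is only true on the OpenSSL path. Either add an NSS-side probe in an `else` branch, or reword the comment to something like `# OpenSSL: probed above; NSS: ECDSA and curve support are assumed, not checked.` so that a build against a libnss without the curves is not mistaken for a verified configuration. The re-indented `grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h` line still uses `$ssldir` unquoted, and quoting it while the line is being touched would be cheap. The enclosing `case "$enable_ecdsa"` starts outside this hunk.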
@@ -969,6 +1001,17 @@ rm -f conftest.lo
AC_SUBST(SOURCEDETERMINE)
AC_SUBST(SOURCEFILE)
+# see if we want to build the library or everything
+ALLTARGET="alltargets"
+AC_ARG_WITH(libunbound-only, AC_HELP_STRING([--with-libunbound-only],
+ [do not build daemon and tool programs]),
+ [
+ if test "$withval" = "yes"; then
+ ALLTARGET="lib"
+ fi
+])
+AC_SUBST(ALLTARGET)
+
# check this after all other compilation checks, since the linking of the lib
# may break checks after this.
AC_ARG_WITH(ldns, AC_HELP_STRING([--with-ldns=PATH],
@@ -990,13 +1033,19 @@ AC_CHECK_LIB(ldns, ldns_rr_new,,[
AC_MSG_ERROR([No ldns library found, install the ldns library into system lib dir or use --with-ldns=path to other location. The --with-ldns can point to the make-dir of ldns. Install the package ldns or download source http://www.nlnetlabs.nl/projects/ldns])
])
AC_CHECK_FUNC(ldns_buffer_copy)
-AC_CHECK_FUNC(ldns_key_buf2rsa_raw)
+if test $USE_NSS = "no"; then
+ AC_CHECK_FUNC(ldns_key_buf2rsa_raw)
+else
+ dnl ignore test
+ ac_cv_func_ldns_key_buf2rsa_raw="yes"
+fi
AC_CHECK_FUNC(ldns_get_random)
AC_CHECK_FUNC(ldns_b32_ntop_extended_hex)
-if test x$use_gost = xyes; then
+if test x$use_gost = xyes -a x$USE_NSS = xno; then
AC_CHECK_FUNC(ldns_key_EVP_load_gost_id)
AC_CHECK_FUNCS([ldns_key_EVP_unload_gost])
else
+ dnl ignore test
ac_cv_func_ldns_key_EVP_load_gost_id="yes"
fi
if test x$use_ecdsa = xyes; then
diff --git a/usr.sbin/unbound/daemon/remote.c b/usr.sbin/unbound/daemon/remote.c
index 38ca15c85cd..5dc05c5fa49 100644
--- a/usr.sbin/unbound/daemon/remote.c
+++ b/usr.sbin/unbound/daemon/remote.c
@@ -1286,6 +1286,74 @@ do_flush_zone(SSL* ssl, struct worker* worker, char* arg)
(unsigned)inf.num_msgs, (unsigned)inf.num_keys);
}
+/** callback to delete bogus rrsets */
+static void
+bogus_del_rrset(struct lruhash_entry* e, void* arg)
+{
+ /* entry is locked */
+ struct del_info* inf = (struct del_info*)arg;
+ struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
+ if(d->security == sec_status_bogus) {
+ d->ttl = inf->expired;
+ inf->num_rrsets++;
+ }
+}
+
+/** callback to delete bogus messages */
+static void
+bogus_del_msg(struct lruhash_entry* e, void* arg)
+{
+ /* entry is locked */
+ struct del_info* inf = (struct del_info*)arg;
+ struct reply_info* d = (struct reply_info*)e->data;
+ if(d->security == sec_status_bogus) {
+ d->ttl = inf->expired;
+ inf->num_msgs++;
+ }
+}
+
+/** callback to delete bogus keys */
+static void
+bogus_del_kcache(struct lruhash_entry* e, void* arg)
+{
+ /* entry is locked */
+ struct del_info* inf = (struct del_info*)arg;
+ struct key_entry_data* d = (struct key_entry_data*)e->data;
+ if(d->isbad) {
+ d->ttl = inf->expired;
+ inf->num_keys++;
+ }
+}
+
+/** remove all rrsets and keys from zone from cache */
+static void
+do_flush_bogus(SSL* ssl, struct worker* worker)
+{
+ struct del_info inf;
+ /* what we do is to set them all expired */
+ inf.worker = worker;
+ inf.now = *worker->env.now;
+ inf.expired = *worker->env.now;
+ inf.expired -= 3; /* handle 3 seconds skew between threads */
+ inf.num_rrsets = 0;
+ inf.num_msgs = 0;
+ inf.num_keys = 0;
+ slabhash_traverse(&worker->env.rrset_cache->table, 1,
+ &bogus_del_rrset, &inf);
+
+ slabhash_traverse(worker->env.msg_cache, 1, &bogus_del_msg, &inf);
+
+ /* and validator cache */
+ if(worker->env.key_cache) {
+ slabhash_traverse(worker->env.key_cache->slab, 1,
+ &bogus_del_kcache, &inf);
+ }
+
+ (void)ssl_printf(ssl, "ok removed %u rrsets, %u messages "
+ "and %u key entries\n", (unsigned)inf.num_rrsets,
+ (unsigned)inf.num_msgs, (unsigned)inf.num_keys);
+}
+
/** remove name rrset from cache */
static void
do_flush_name(SSL* ssl, struct worker* w, char* arg)
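Review bot: The doc comment on `do_flush_bogus` reads `/** remove all rrsets and keys from zone from cache */`, which describes a zone flush; this function takes no zone argument and only expires entries marked bogus, so `/** expire all bogus rrsets, messages and key entries in the caches */` would match the code. The three callbacks increment their counters for every bogus entry they visit without looking at the current ttl, so entries already expired by an earlier flush are presumably counted again and the `ok removed ...` line can overstate what changed. A one-line comment on the callbacks saying that the count is "entries marked", not "entries newly expired", would avoid misreading the output during incident work.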
@@ -1393,6 +1461,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
}
if(!delegpt_add_ns_mlc(dp, n, 0)) {
(void)ssl_printf(ssl, "error out of memory\n");
+ free(n);
delegpt_free_mlc(dp);
return NULL;
}
@@ -1442,7 +1511,6 @@ do_forward(SSL* ssl, struct worker* worker, char* args)
return;
if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
(void)ssl_printf(ssl, "error out of memory\n");
- delegpt_free_mlc(dp);
return;
}
}
@@ -1514,7 +1582,6 @@ do_forward_add(SSL* ssl, struct worker* worker, char* args)
}
if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
(void)ssl_printf(ssl, "error out of memory\n");
- delegpt_free_mlc(dp);
free(nm);
return;
}
@@ -1571,7 +1638,6 @@ do_stub_add(SSL* ssl, struct worker* worker, char* args)
forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm);
if(insecure) anchors_delete_insecure(worker->env.anchors,
LDNS_RR_CLASS_IN, nm);
- delegpt_free_mlc(dp);
free(nm);
return;
}
@@ -2040,6 +2106,8 @@ execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd,
do_set_option(ssl, worker, skipwhite(p+10));
} else if(cmdcmp(p, "get_option", 10)) {
do_get_option(ssl, worker, skipwhite(p+10));
+ } else if(cmdcmp(p, "flush_bogus", 11)) {
+ do_flush_bogus(ssl, worker);
} else {
(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
}
diff --git a/usr.sbin/unbound/daemon/remote.h b/usr.sbin/unbound/daemon/remote.h
index 5919be4f2a3..8d5b4125743 100644
--- a/usr.sbin/unbound/daemon/remote.h
+++ b/usr.sbin/unbound/daemon/remote.h
@@ -69,8 +69,10 @@ struct rc_state {
struct comm_point* c;
/** in the handshake part */
enum { rc_none, rc_hs_read, rc_hs_write } shake_state;
+#ifdef HAVE_SSL
/** the ssl state */
SSL* ssl;
+#endif
/** the rc this is part of */
struct daemon_remote* rc;
};
@@ -93,8 +95,10 @@ struct daemon_remote {
int max_active;
/** current commpoints busy; should be a short list, malloced */
struct rc_state* busy_list;
+#ifdef HAVE_SSL
/** the SSL context for creating new SSL streams */
SSL_CTX* ctx;
+#endif
};
/**
@@ -159,6 +163,7 @@ int remote_accept_callback(struct comm_point*, void*, int, struct comm_reply*);
/** handle remote control data callbacks */
int remote_control_callback(struct comm_point*, void*, int, struct comm_reply*);
+#ifdef HAVE_SSL
/**
* Print fixed line of text over ssl connection in blocking mode
* @param ssl: print to
@@ -185,6 +190,7 @@ int ssl_printf(SSL* ssl, const char* format, ...)
* @return false on connection failure.
*/
int ssl_read_line(SSL* ssl, char* buf, size_t max);
+#endif /* HAVE_SSL */
/** routine to printout option values over SSL */
void remote_get_opt_ssl(char* line, void* arg);
diff --git a/usr.sbin/unbound/daemon/unbound.c b/usr.sbin/unbound/daemon/unbound.c
index 6d87a4f6d5c..d64751ab57a 100644
--- a/usr.sbin/unbound/daemon/unbound.c
+++ b/usr.sbin/unbound/daemon/unbound.c
@@ -87,6 +87,10 @@
# include "winrc/win_svc.h"
#endif
+#ifdef HAVE_NSS
+# include <nss3/nss.h>
+#endif
+
/** global debug value to keep track of heap memory allocation */
void* unbound_start_brk = 0;
@@ -159,7 +163,12 @@ static void usage()
get_event_sys(&evnm, &evsys, &evmethod);
printf("linked libs: %s %s (it uses %s), ldns %s, %s\n",
evnm, evsys, evmethod, ldns_version(),
- SSLeay_version(SSLEAY_VERSION));
+#ifdef HAVE_SSL
+ SSLeay_version(SSLEAY_VERSION)
+#elif defined(HAVE_NSS)
+ NSS_GetVersion()
+#endif
+ );
printf("linked modules:");
for(m = module_list_avail(); *m; m++)
printf(" %s", *m);
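Review bot: When neither `HAVE_SSL` nor `HAVE_NSS` is defined, the `printf` in `usage()` keeps five `%s` conversions but receives only four arguments, which is undefined behaviour. Adding a final branch before the `#endif`, `#else` followed by a literal such as `"no crypto library"`, keeps the argument count fixed in every configuration. Whether that configuration is reachable depends on configure logic not fully visible here, but the fallback costs two lines. `usage()` starts outside this hunk.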
@@ -445,6 +454,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
* given to unbound on the commandline. */
/* read ssl keys while superuser and outside chroot */
+#ifdef HAVE_SSL
if(!(daemon->rc = daemon_remote_create(cfg)))
fatal_exit("could not set up remote-control");
if(cfg->ssl_service_key && cfg->ssl_service_key[0]) {
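Review bot: In a build without `HAVE_SSL`, the block guarded here and closed by the `#endif` in the next hunk is compiled out, so a configured `cfg->ssl_service_key` is skipped without any message and `daemon->rc` is never created. An operator who configured TLS service or remote control would then get a daemon that starts without it. An `#else` branch such as `if(cfg->ssl_service_key && cfg->ssl_service_key[0]) fatal_exit("ssl-service-key is set but this build has no SSL support");` makes the daemon refuse that configuration instead of downgrading quietly. `perform_setup` starts and ends outside both hunks.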
@@ -454,6 +464,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
}
if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, NULL)))
fatal_exit("could not set up connect SSL_CTX");
+#endif
#ifdef HAVE_KILL
/* check old pid file before forking */
diff --git a/usr.sbin/unbound/doc/Changelog b/usr.sbin/unbound/doc/Changelog
index 3b2753f818d..2c07ea636e6 100644
--- a/usr.sbin/unbound/doc/Changelog
+++ b/usr.sbin/unbound/doc/Changelog
@@ -1,5 +1,108 @@
+30 July 2012: Wouter
+ - tag 1.4.18rc2.
+
+27 July 2012: Wouter
+ - unbound-host works with libNSS
+ - fix bogus nodata cname chain not reported as bogus by validator,
+ (Thanks Peter van Dijk).
+
+26 July 2012: Wouter
+ - iana portlist updated.
+ - tag 1.4.18rc1.
+
+25 July 2012: Wouter
+ - review fix for libnss, check hash prefix allocation size.
+
+23 July 2012: Wouter
+ - fix missing break for GOST DS hash function.
+ - implemented forward_first for the root.
+
+20 July 2012: Wouter
+ - Fix bug#452 and another assertion failure in mesh.c, makes
+ assertions in mesh.c resist duplicates. Fixes DS NS search to
+ not generate duplicate sub queries.
+
+19 July 2012: Willem
+ - Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
+ if CFLAGS is specified at configure time then '-g -O2' is not
+ appended to CFLAGS, so that the user can override them.
+
+18 July 2012: Willem
+ - Fix libunbound report of errors when in background mode.
+
+11 July 2012: Willem
+ - updated iana ports list.
+
+9 July 2012: Willem
+ - Add flush_bogus option for unbound-control
+
+6 July 2012: Wouter
+ - Fix validation of qtype DS queries that result in no data for
+ non-optout NSEC3 zones.
+
+4 July 2012: Wouter
+ - compile libunbound with libnss on Suse, passes regression tests.
+
+3 July 2012: Wouter
+ - FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
+
+2 July 2012: Wouter
+ - updated iana ports list.
+
+29 June 2012: Wouter
+ - patch for unbound_munin_ script to handle arbitrary thread count by
+ Sven Ulland.
+
+28 June 2012: Wouter
+ - detect if openssl has FIPS_mode.
+ - code review: return value of cache_store can be ignored for better
+ performance in out of memory conditions.
+ - fix edns-buffer-size and msg-buffer-size manpage documentation.
+ - updated iana ports list.
+
+25 June 2012: Wouter
+ - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
+
+22 June 2012: Wouter
+ - implement DS records, NSEC3 and ECDSA for compile with libnss.
+
+21 June 2012: Wouter
+ - fix error handling of alloc failure during rrsig verification.
+ - nss check for verification failure.
+ - nss crypto works for RSA and DSA.
+
+20 June 2012: Wouter
+ - work on --with-nss build option (for now, --with-libunbound-only).
+
+19 June 2012: Wouter
+ - --with-libunbound-only build option, only builds the library and
+ not the daemon and other tools.
+
+18 June 2012: Wouter
+ - code review.
+
+15 June 2012: Wouter
+ - implement log-time-ascii on windows.
+ - The key-cache bad key ttl is now 60 seconds.
+ - updated iana ports list.
+ - code review.
+
+11 June 2012: Wouter
+ - bug #452: fix crash on assert in mesh_state_attachment.
+
+30 May 2012: Wouter
+ - silence warning from swig-generated code (md set but not used in
+ swig initmodule, due to ifdefs in swig-generated code).
+
+27 May 2012: Wouter
+ - Fix debian-bugs-658021: Please enable hardened build flags.
+
+25 May 2012: Wouter
+ - updated iana ports list.
+
24 May 2012: Wouter
- tag for 1.4.17 release.
+ - trunk is 1.4.18 in development.
18 May 2012: Wouter
- Review comments, removed duplicate memset to zero in delegpt.
diff --git a/usr.sbin/unbound/doc/unbound-host.1 b/usr.sbin/unbound/doc/unbound-host.1
index e83ecae1ac8..771b68b295a 100644
--- a/usr.sbin/unbound/doc/unbound-host.1
+++ b/usr.sbin/unbound/doc/unbound-host.1
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Feb 2, 2012" "NLnet Labs" "unbound 1.4.16"
+.TH "unbound\-host" "1" "Aug 2, 2012" "NLnet Labs" "unbound 1.4.18"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/usr.sbin/unbound/libunbound/libworker.c b/usr.sbin/unbound/libunbound/libworker.c
index 917a9106d07..b23d560ab28 100644
--- a/usr.sbin/unbound/libunbound/libworker.c
+++ b/usr.sbin/unbound/libunbound/libworker.c
@@ -643,6 +643,8 @@ libworker_bg_done_cb(void* arg, int rcode, ldns_buffer* buf, enum sec_status s,
return;
}
q->msg_security = s;
+ if(!buf)
+ buf = q->w->env->scratch_buffer;
if(rcode != 0) {
error_encode(buf, rcode, NULL, 0, BIT_RD, NULL);
}
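Review bot: The new fallback `buf = q->w->env->scratch_buffer;` applies whenever `buf` is NULL, but only the `rcode != 0` branch visibly overwrites that buffer with `error_encode`. If a caller ever passes a NULL `buf` with `rcode == 0`, whatever the scratch buffer held from earlier work would be handled as this query's answer. Stating the contract next to the fallback, for example `log_assert(buf || rcode != 0);` or a comment `/* buf is NULL only on error paths; error_encode below fills the scratch buffer */`, keeps that case from passing silently. The rest of `libworker_bg_done_cb` is outside this hunk, so what is done with `buf` afterwards is not visible here.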
diff --git a/usr.sbin/unbound/services/listen_dnsport.c b/usr.sbin/unbound/services/listen_dnsport.c
index 59ca1991eb1..647cbe07ebd 100644
--- a/usr.sbin/unbound/services/listen_dnsport.c
+++ b/usr.sbin/unbound/services/listen_dnsport.c
@@ -323,6 +323,11 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
log_err("setsockopt(..., IP_MTU_DISCOVER, "
"IP_PMTUDISC_DONT...) failed: %s",
strerror(errno));
+# ifndef USE_WINSOCK
+ close(s);
+# else
+ closesocket(s);
+# endif
return -1;
}
# elif defined(IP_DONTFRAG)
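Review bot: The `#ifndef USE_WINSOCK` / `close(s);` / `#else` / `closesocket(s);` / `#endif` sequence is added twice in this `create_udp_sock` hunk and again in the `create_tcp_accept_sock` and `ports_create_if` hunks below. That repetition makes it easy for the next error return to be written without it and leak the descriptor. One static helper called from each error path keeps the cleanup to a single line per site and makes a missing close easier to spot in review. `create_udp_sock` and the `#if` chain around these lines start outside the hunk, so error returns not shown here may need the same treatment.

```c
/** close a socket descriptor on both POSIX and winsock builds */
static void
close_sock(int s)
{
#ifndef USE_WINSOCK
	close(s);
#else
	closesocket(s);
#endif
}

/* … unchanged: log_err for the failed IP_MTU_DISCOVER setsockopt … */
		close_sock(s);
		return -1;
```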
@@ -331,6 +336,11 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
&off, (socklen_t)sizeof(off)) < 0) {
log_err("setsockopt(..., IP_DONTFRAG, ...) failed: %s",
strerror(errno));
+# ifndef USE_WINSOCK
+ close(s);
+# else
+ closesocket(s);
+# endif
return -1;
}
# endif /* IPv4 MTU */
@@ -408,9 +418,11 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
#ifndef USE_WINSOCK
log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
strerror(errno));
+ close(s);
#else
log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
wsa_strerror(WSAGetLastError()));
+ closesocket(s);
#endif
return -1;
}
@@ -422,9 +434,11 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
#ifndef USE_WINSOCK
log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
strerror(errno));
+ close(s);
#else
log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
wsa_strerror(WSAGetLastError()));
+ closesocket(s);
#endif
return -1;
}
@@ -443,23 +457,32 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
(struct sockaddr_storage*)addr->ai_addr,
addr->ai_addrlen);
}
+ close(s);
#else
log_err("can't bind socket: %s",
wsa_strerror(WSAGetLastError()));
log_addr(0, "failed address",
(struct sockaddr_storage*)addr->ai_addr,
addr->ai_addrlen);
+ closesocket(s);
#endif
return -1;
}
if(!fd_set_nonblock(s)) {
+#ifndef USE_WINSOCK
+ close(s);
+#else
+ closesocket(s);
+#endif
return -1;
}
if(listen(s, TCP_BACKLOG) == -1) {
#ifndef USE_WINSOCK
log_err("can't listen: %s", strerror(errno));
+ close(s);
#else
log_err("can't listen: %s", wsa_strerror(WSAGetLastError()));
+ closesocket(s);
#endif
return -1;
}
@@ -653,8 +676,14 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
return 0;
}
/* getting source addr packet info is highly non-portable */
- if(!set_recvpktinfo(s, hints->ai_family))
+ if(!set_recvpktinfo(s, hints->ai_family)) {
+#ifndef USE_WINSOCK
+ close(s);
+#else
+ closesocket(s);
+#endif
return 0;
+ }
if(!port_insert(list, s, listen_type_udpancil)) {
#ifndef USE_WINSOCK
close(s);
diff --git a/usr.sbin/unbound/util/netevent.c b/usr.sbin/unbound/util/netevent.c
index 5b869765cc3..3c1c69d7e1b 100644
--- a/usr.sbin/unbound/util/netevent.c
+++ b/usr.sbin/unbound/util/netevent.c
@@ -44,8 +44,12 @@
#include "util/log.h"
#include "util/net_help.h"
#include "util/fptr_wlist.h"
+#ifdef HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
+#endif
+#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
+#endif
/* -------- Start of local definitions -------- */
/** if CMSG_ALIGN is not defined on this platform, a workaround */
@@ -846,9 +850,11 @@ reclaim_tcp_handler(struct comm_point* c)
{
log_assert(c->type == comm_tcp);
if(c->ssl) {
+#ifdef HAVE_SSL
SSL_shutdown(c->ssl);
SSL_free(c->ssl);
c->ssl = NULL;
+#endif
}
comm_point_close(c);
if(c->tcp_parent) {
@@ -893,6 +899,7 @@ tcp_callback_reader(struct comm_point* c)
}
/** continue ssl handshake */
+#ifdef HAVE_SSL
static int
ssl_handshake(struct comm_point* c)
{
@@ -955,11 +962,13 @@ ssl_handshake(struct comm_point* c)
c->ssl_shake_state = comm_ssl_shake_none;
return 1;
}
+#endif /* HAVE_SSL */
/** ssl read callback on TCP */
static int
ssl_handle_read(struct comm_point* c)
{
+#ifdef HAVE_SSL
int r;
if(c->ssl_shake_state != comm_ssl_shake_none) {
if(!ssl_handshake(c))
@@ -1036,12 +1045,17 @@ ssl_handle_read(struct comm_point* c)
tcp_callback_reader(c);
}
return 1;
+#else
+ (void)c;
+ return 0;
+#endif /* HAVE_SSL */
}
/** ssl write callback on TCP */
static int
ssl_handle_write(struct comm_point* c)
{
+#ifdef HAVE_SSL
int r;
if(c->ssl_shake_state != comm_ssl_shake_none) {
if(!ssl_handshake(c))
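Review bot: The new `#else` branch in `ssl_handle_read`, and the identical one added to `ssl_handle_write` in the next hunk, returns 0 with no comment or log line. The intent is presumably that a comm point with `c->ssl` set in a build without SSL is treated as a failed connection and dropped. Since this decides whether such a connection fails closed, it deserves a comment in both places, for example `/* built without SSL: report failure so the caller closes the connection */`. The doc comment `/** continue ssl handshake */` now sits outside the `#ifdef HAVE_SSL` that guards `ssl_handshake`, and moving it inside keeps it attached to the function. How callers treat the 0 return is not visible in these hunks.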
@@ -1115,6 +1129,10 @@ ssl_handle_write(struct comm_point* c)
tcp_callback_writer(c);
}
return 1;
+#else
+ (void)c;
+ return 0;
+#endif /* HAVE_SSL */
}
/** handle ssl tcp connection with dns contents */
@@ -1844,8 +1862,10 @@ comm_point_delete(struct comm_point* c)
if(!c)
return;
if(c->type == comm_tcp && c->ssl) {
+#ifdef HAVE_SSL
SSL_shutdown(c->ssl);
SSL_free(c->ssl);
+#endif
}
comm_point_close(c);
if(c->tcp_handlers) {