Diffstat (limited to 'usr.sbin/unbound')
-rw-r--r-- | usr.sbin/unbound/Makefile.in | 85 | ||||
-rwxr-xr-x | usr.sbin/unbound/configure | 186 | ||||
-rw-r--r-- | usr.sbin/unbound/configure.ac | 89 | ||||
-rw-r--r-- | usr.sbin/unbound/daemon/remote.c | 74 | ||||
-rw-r--r-- | usr.sbin/unbound/daemon/remote.h | 6 | ||||
-rw-r--r-- | usr.sbin/unbound/daemon/unbound.c | 13 | ||||
-rw-r--r-- | usr.sbin/unbound/doc/Changelog | 103 | ||||
-rw-r--r-- | usr.sbin/unbound/doc/unbound-host.1 | 2 | ||||
-rw-r--r-- | usr.sbin/unbound/libunbound/libworker.c | 2 | ||||
-rw-r--r-- | usr.sbin/unbound/services/listen_dnsport.c | 31 | ||||
-rw-r--r-- | usr.sbin/unbound/util/netevent.c | 20 |
11 files changed, 512 insertions, 99 deletions
diff --git a/usr.sbin/unbound/Makefile.in b/usr.sbin/unbound/Makefile.in index 4a0c5a5472c..b663303009c 100644 --- a/usr.sbin/unbound/Makefile.in +++ b/usr.sbin/unbound/Makefile.in @@ -30,6 +30,7 @@ PYTHONMOD_INSTALL=@PYTHONMOD_INSTALL@ PYTHONMOD_UNINSTALL=@PYTHONMOD_UNINSTALL@ PYUNBOUND_INSTALL=@PYUNBOUND_INSTALL@ PYUNBOUND_UNINSTALL=@PYUNBOUND_UNINSTALL@ +ALLTARGET=@ALLTARGET@ # _unbound.la if pyunbound enabled. PYUNBOUND_TARGET=@PYUNBOUND_TARGET@ @@ -99,7 +100,8 @@ util/storage/lruhash.c util/storage/slabhash.c util/timehist.c util/tube.c \ util/winsock_event.c validator/autotrust.c validator/val_anchor.c \ validator/validator.c validator/val_kcache.c validator/val_kentry.c \ validator/val_neg.c validator/val_nsec3.c validator/val_nsec.c \ -validator/val_sigcrypt.c validator/val_utils.c $(CHECKLOCK_SRC) +validator/val_secalgo.c validator/val_sigcrypt.c \ +validator/val_utils.c $(CHECKLOCK_SRC) COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \ msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \ @@ -109,7 +111,7 @@ fptr_wlist.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \ random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \ slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \ -val_sigcrypt.lo val_utils.lo $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) +val_secalgo.lo val_sigcrypt.lo val_utils.lo $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) COMMON_OBJ=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \ outside_network.lo # set to $COMMON_OBJ or to "" if --enableallsymbols 
@@ -227,9 +229,11 @@ COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS) LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(staticexe) -version-info @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined -.PHONY: clean realclean doc lint all install uninstall tests test strip lib longtest longcheck check +.PHONY: clean realclean doc lint all install uninstall tests test strip lib longtest longcheck check alltargets -all: $(COMMON_OBJ) unbound$(EXEEXT) unbound-checkconf$(EXEEXT) lib unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup $(WINAPPS) $(PYUNBOUND_TARGET) +all: $(COMMON_OBJ) $(ALLTARGET) + +alltargets: unbound$(EXEEXT) unbound-checkconf$(EXEEXT) lib unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup $(WINAPPS) $(PYUNBOUND_TARGET) # compat with BSD make, register suffix, and an implicit rule to actualise it. .SUFFIXES: .lo 
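Review bot: Nothing in the Makefile says which values `$(ALLTARGET)` may take, although the new `all: $(COMMON_OBJ) $(ALLTARGET)` rule depends entirely on what configure substitutes. A comment next to the assignment or above this rule would help, for example `# ALLTARGET is "alltargets" (default) or "lib" (configure --with-libunbound-only)`. The `install`, `strip` and test rules are outside this hunk and are not touched by the commit. If they still list `unbound$(EXEEXT)` and the other programs as prerequisites, a library-only build will compile the daemon at install time anyway, so they are worth checking against the `lib` case.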
@@ -564,9 +568,8 @@ msgencode.lo msgencode.o: $(srcdir)/util/data/msgencode.c config.h \ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h \ $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lookup3.h \ - $(srcdir)/util/regional.h + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h \ $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ @@ -671,7 +674,7 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \ - $(srcdir)/validator/val_utils.h $(PYTHONMOD_HEADER) + $(srcdir)/validator/val_utils.h outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \ $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/netevent.h \ 
@@ -712,8 +715,8 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/ $(srcdir)/util/data/msgparse.h \ $(srcdir)/util/tube.h \ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \ - $(srcdir)/util/rbtree.h $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/daemon/remote.h \ $(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h \ $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ 
@@ -721,19 +724,12 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \ $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/util/config_file.h $(PYTHONMOD_HEADER) + $(srcdir)/util/config_file.h locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h \ $(srcdir)/util/locks.h -mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ - $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h +mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h \ 
@@ -746,7 +742,7 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h \ $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/data/msgparse.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h \ - $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h + net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h \ $(srcdir)/util/net_help.h \ $(srcdir)/util/log.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ @@ -764,8 +760,7 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h \ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h \ $(srcdir)/util/regional.h -rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/util/log.h \ - +rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h \ 
@@ -850,12 +845,16 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h \ $(srcdir)/validator/val_utils.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h +val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h \ + $(srcdir)/validator/val_secalgo.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \ $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ + $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ 
@@ -865,7 +864,7 @@ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/val $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \ $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h + $(srcdir)/util/net_help.h $(srcdir)/util/regional.h checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/testcode/checklocks.h unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h \ @@ -906,11 +905,11 @@ unitverify.lo unitverify.o: $(srcdir)/testcode/unitverify.c config.h $(srcdir)/u $(srcdir)/testcode/unitmain.h \ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h \ - $(srcdir)/validator/val_nsec.h \ - $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/validator/val_utils.h \ - $(srcdir)/testcode/ldns-testpkts.h \ + $(srcdir)/validator/val_secalgo.h \ + $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h \ + $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/testcode/ldns-testpkts.h \ $(srcdir)/util/data/dname.h \ $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h \ 
@@ -926,13 +925,12 @@ cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \ $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/util/netevent.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ - $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \ - $(srcdir)/util/storage/dnstree.h + $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \ + $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h \ + $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h \ + $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \ $(srcdir)/daemon/daemon.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h $(srcdir)/daemon/worker.h \ 
@@ -973,8 +971,7 @@ unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h \ $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/services/cache/infra.h \ $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/net_help.h \ - $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h + $(srcdir)/util/net_help.h worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \ $(srcdir)/util/log.h \ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/util/netevent.h \ @@ -997,8 +994,7 @@ testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/test $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h + $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h ldns-testpkts.lo ldns-testpkts.o: $(srcdir)/testcode/ldns-testpkts.c config.h \ $(srcdir)/testcode/ldns-testpkts.h worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \ 
@@ -1087,7 +1083,7 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c $(srcdir)/util/regional.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/services/localzone.h $(PYTHONMOD_HEADER) + $(srcdir)/services/localzone.h worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/util/log.h \ $(srcdir)/services/mesh.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h \ @@ -1162,8 +1158,7 @@ pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c conf $(srcdir)/util/data/msgparse.h \ $(srcdir)/util/netevent.h \ $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \ - + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/alloc.h \ diff --git a/usr.sbin/unbound/configure b/usr.sbin/unbound/configure index 5bcf62eb007..714941bec3e 100755 --- a/usr.sbin/unbound/configure +++ b/usr.sbin/unbound/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for unbound 1.4.17. +# Generated by GNU Autoconf 2.68 for unbound 1.4.18. # # Report bugs to <unbound-bugs@nlnetlabs.nl>. # @@ -570,8 +570,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.4.17' -PACKAGE_STRING='unbound 1.4.17' +PACKAGE_VERSION='1.4.18' +PACKAGE_STRING='unbound 1.4.18' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' PACKAGE_URL='' 
@@ -613,6 +613,7 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS ldnsdir +ALLTARGET SOURCEFILE SOURCEDETERMINE UBSYMS @@ -789,6 +790,7 @@ with_pthreads with_solaris_threads with_pyunbound with_pythonmodule +with_nss with_ssl enable_sha2 enable_gost @@ -798,6 +800,7 @@ with_libexpat enable_static_exe enable_lock_checks enable_allsymbols +with_libunbound_only with_ldns ' ac_precious_vars='build_alias @@ -1354,7 +1357,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.4.17 to adapt to many kinds of systems. +\`configure' configures unbound 1.4.18 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1420,7 +1423,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.4.17:";; + short | recursive ) echo "Configuration of unbound 1.4.18:";; esac cat <<\_ACEOF @@ -1489,6 +1492,7 @@ Optional Packages: (default=no) --with-pythonmodule build Python module, or --without-pythonmodule to disable script engine. (default=no) + --with-nss=path use libnss instead of openssl, installed at path. --with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr) @@ -1498,6 +1502,7 @@ Optional Packages: an explicit path). Slower, but allows use of large outgoing port ranges. --with-libexpat=path specify explicit path for libexpat. + --with-libunbound-only do not build daemon and tool programs --with-ldns=PATH specify prefix of path of ldns library to use Some influential environment variables: @@ -1586,7 +1591,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.4.17 +unbound configure 1.4.18 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. 
@@ -2112,7 +2117,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.4.17, which was +It was created by unbound $as_me 1.4.18, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -2462,7 +2467,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu LIBUNBOUND_CURRENT=3 -LIBUNBOUND_REVISION=1 +LIBUNBOUND_REVISION=3 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2496,6 +2501,7 @@ LIBUNBOUND_AGE=1 # 1.4.15 had 3:0:1 # adds ub_version() # 1.4.16 had 3:1:1 # 1.4.17 had 3:2:1 +# 1.4.18 had 3:3:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary 
@@ -4209,6 +4215,71 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu +# allow user to override the -g -O2 flags. +if test "x$CFLAGS" = "x" ; then + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC supports -g" >&5 +$as_echo_n "checking whether $CC supports -g... " >&6; } +cache=`echo g | sed 'y%.=/+-%___p_%'` +if eval \${cv_prog_cc_flag_$cache+:} false; then : + $as_echo_n "(cached) " >&6 +else + +echo 'void f(){}' >conftest.c +if test -z "`$CC $CPPFLAGS $CFLAGS -g -c conftest.c 2>&1`"; then +eval "cv_prog_cc_flag_$cache=yes" +else +eval "cv_prog_cc_flag_$cache=no" +fi +rm -f conftest conftest.o conftest.c + +fi + +if eval "test \"`echo '$cv_prog_cc_flag_'$cache`\" = yes"; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +: +CFLAGS="$CFLAGS -g" +else +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +: + +fi + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC supports -O2" >&5 +$as_echo_n "checking whether $CC supports -O2... " >&6; } +cache=`echo O2 | sed 'y%.=/+-%___p_%'` +if eval \${cv_prog_cc_flag_$cache+:} false; then : + $as_echo_n "(cached) " >&6 +else + +echo 'void f(){}' >conftest.c +if test -z "`$CC $CPPFLAGS $CFLAGS -O2 -c conftest.c 2>&1`"; then +eval "cv_prog_cc_flag_$cache=yes" +else +eval "cv_prog_cc_flag_$cache=no" +fi +rm -f conftest conftest.o conftest.c + +fi + +if eval "test \"`echo '$cv_prog_cc_flag_'$cache`\" = yes"; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +: +CFLAGS="$CFLAGS -O2" +else +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +: + +fi + +fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' 
@@ -15682,8 +15753,11 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ ac_compiler_gnu=$ac_cv_c_compiler_gnu # save current global flags - LIBS="$ac_save_LIBS $PYTHON_LDFLAGS" - CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS" + ac_save_LIBS="$LIBS" + ac_save_CPPFLAGS="$CPPFLAGS" + + LIBS="$LIBS $PYTHON_LDFLAGS" + CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -15923,6 +15997,39 @@ CONFIG_DATE=`date +%Y%m%d` # Checks for libraries. +# libnss +USE_NSS="no" + +# Check whether --with-nss was given. +if test "${with_nss+set}" = set; then : + withval=$with_nss; + USE_NSS="yes" + +$as_echo "#define HAVE_NSS 1" >>confdefs.h + + if test "$withval" != "/usr" -a "$withval" != "" -a "$withval" != "yes"; then + CPPFLAGS="$CPPFLAGS -I$withval/include" + LDFLAGS="$LDFLAGS -L$withval/lib" + + if test "x$enable_rpath" = xyes; then + if echo "$withval/lib" | grep "^/" >/dev/null; then + RUNTIME_PATH="$RUNTIME_PATH -R$withval/lib" + fi + fi + + CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS" + else + CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS" + fi + LIBS="$LIBS -lnss3 -lnspr4" + + +fi + + +# openssl +if test $USE_NSS = "no"; then + # Check whether --with-ssl was given. if test "${with_ssl+set}" = set; then : @@ -16314,7 +16421,7 @@ fi done -for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 +for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -16387,6 +16494,8 @@ cat >>confdefs.h <<_ACEOF #define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl _ACEOF +fi + # Check whether --enable-sha2 was given. if test "${enable_sha2+set}" = set; then : @@ -16411,6 +16520,7 @@ if test "${enable_gost+set}" = set; then : fi use_gost="no" +if test $USE_NSS = "no"; then case "$enable_gost" in no) ;; 
@@ -16422,7 +16532,7 @@ else as_fn_error $? "OpenSSL 1.0.0 is needed for GOST support" "$LINENO" 5 fi - ac_fn_c_check_func "$LINENO" "EC_KEY_new" "ac_cv_func_EC_KEY_new" + ac_fn_c_check_func "$LINENO" "EC_KEY_new" "ac_cv_func_EC_KEY_new" if test "x$ac_cv_func_EC_KEY_new" = xyes; then : else @@ -16544,7 +16654,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_gost_works" >&5 $as_echo "$ac_cv_c_gost_works" >&6; } - if test $ac_cv_c_gost_works != no; then + if test "$ac_cv_c_gost_works" != no; then use_gost="yes" $as_echo "#define USE_GOST 1" >>confdefs.h @@ -16552,7 +16662,7 @@ $as_echo "#define USE_GOST 1" >>confdefs.h fi ;; esac - +fi # Check whether --enable-ecdsa was given. if test "${enable_ecdsa+set}" = set; then : enableval=$enable_ecdsa; @@ -16563,21 +16673,22 @@ case "$enable_ecdsa" in no) ;; *) - ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign" + if test $USE_NSS = "no"; then + ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign" if test "x$ac_cv_func_ECDSA_sign" = xyes; then : else as_fn_error $? "OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5 fi - ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init" + ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init" if test "x$ac_cv_func_SHA384_Init" = xyes; then : else as_fn_error $? "OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5 fi - ac_fn_c_check_decl "$LINENO" "NID_X9_62_prime256v1" "ac_cv_have_decl_NID_X9_62_prime256v1" "$ac_includes_default + ac_fn_c_check_decl "$LINENO" "NID_X9_62_prime256v1" "ac_cv_have_decl_NID_X9_62_prime256v1" "$ac_includes_default #include <openssl/evp.h> " 
@@ -16614,20 +16725,21 @@ else as_fn_error $? "OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5 fi - # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5 + # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5 $as_echo_n "checking if openssl supports SHA2 and ECDSA with EVP... " >&6; } - if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } cat >>confdefs.h <<_ACEOF #define USE_ECDSA_EVP_WORKAROUND 1 _ACEOF - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } + fi fi # we now know we have ECDSA and the required curves. @@ -17712,6 +17824,20 @@ rm -f conftest.lo +# see if we want to build the library or everything +ALLTARGET="alltargets" + +# Check whether --with-libunbound-only was given. +if test "${with_libunbound_only+set}" = set; then : + withval=$with_libunbound_only; + if test "$withval" = "yes"; then + ALLTARGET="lib" + fi + +fi + + + # check this after all other compilation checks, since the linking of the lib # may break checks after this. 
@@ -17792,11 +17918,15 @@ if test "x$ac_cv_func_ldns_buffer_copy" = xyes; then : fi -ac_fn_c_check_func "$LINENO" "ldns_key_buf2rsa_raw" "ac_cv_func_ldns_key_buf2rsa_raw" +if test $USE_NSS = "no"; then + ac_fn_c_check_func "$LINENO" "ldns_key_buf2rsa_raw" "ac_cv_func_ldns_key_buf2rsa_raw" if test "x$ac_cv_func_ldns_key_buf2rsa_raw" = xyes; then : fi +else + ac_cv_func_ldns_key_buf2rsa_raw="yes" +fi ac_fn_c_check_func "$LINENO" "ldns_get_random" "ac_cv_func_ldns_get_random" if test "x$ac_cv_func_ldns_get_random" = xyes; then : @@ -17807,7 +17937,7 @@ if test "x$ac_cv_func_ldns_b32_ntop_extended_hex" = xyes; then : fi -if test x$use_gost = xyes; then +if test x$use_gost = xyes -a x$USE_NSS = xno; then ac_fn_c_check_func "$LINENO" "ldns_key_EVP_load_gost_id" "ac_cv_func_ldns_key_EVP_load_gost_id" if test "x$ac_cv_func_ldns_key_EVP_load_gost_id" = xyes; then : @@ -17825,7 +17955,7 @@ fi done else - ac_cv_func_ldns_key_EVP_load_gost_id="yes" + ac_cv_func_ldns_key_EVP_load_gost_id="yes" fi if test x$use_ecdsa = xyes; then ac_fn_c_check_decl "$LINENO" "LDNS_ECDSAP384SHA384" "ac_cv_have_decl_LDNS_ECDSAP384SHA384" " @@ -18495,7 +18625,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.4.17, which was +This file was extended by unbound $as_me 1.4.18, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -18561,7 +18691,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.4.17 +unbound config.status 1.4.18 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff --git a/usr.sbin/unbound/configure.ac b/usr.sbin/unbound/configure.ac index 968a1ba55c3..94ebe4602d1 100644 --- a/usr.sbin/unbound/configure.ac 
+++ b/usr.sbin/unbound/configure.ac @@ -6,10 +6,10 @@ sinclude(acx_pthread.m4) sinclude(acx_python.m4) sinclude(ac_pkg_swig.m4) -AC_INIT(unbound, 1.4.17, unbound-bugs@nlnetlabs.nl, unbound) +AC_INIT(unbound, 1.4.18, unbound-bugs@nlnetlabs.nl, unbound) LIBUNBOUND_CURRENT=3 -LIBUNBOUND_REVISION=1 +LIBUNBOUND_REVISION=3 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -43,6 +43,7 @@ LIBUNBOUND_AGE=1 # 1.4.15 had 3:0:1 # adds ub_version() # 1.4.16 had 3:1:1 # 1.4.17 had 3:2:1 +# 1.4.18 had 3:3:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -208,8 +209,11 @@ AC_DEFINE_UNQUOTED(RSRC_PACKAGE_VERSION, [$wnvs], [version number for resource f # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_LANG_C -dnl ACX_CHECK_COMPILER_FLAG(g, [CFLAGS="$CFLAGS -g"]) -dnl ACX_CHECK_COMPILER_FLAG(O2, [CFLAGS="$CFLAGS -O2"]) +# allow user to override the -g -O2 flags. +if test "x$CFLAGS" = "x" ; then +ACX_CHECK_COMPILER_FLAG(g, [CFLAGS="$CFLAGS -g"]) +ACX_CHECK_COMPILER_FLAG(O2, [CFLAGS="$CFLAGS -O2"]) +fi AC_PROG_CC ACX_DEPFLAG ACX_DETERMINE_EXT_FLAGS_UNBOUND 
@@ -511,11 +515,33 @@ CONFIG_DATE=`date +%Y%m%d` AC_SUBST(CONFIG_DATE) # Checks for libraries. + +# libnss +USE_NSS="no" +AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path], + [use libnss instead of openssl, installed at path.]), + [ + USE_NSS="yes" + AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto]) + if test "$withval" != "/usr" -a "$withval" != "" -a "$withval" != "yes"; then + CPPFLAGS="$CPPFLAGS -I$withval/include" + LDFLAGS="$LDFLAGS -L$withval/lib" + ACX_RUNTIME_PATH_ADD([$withval/lib]) + CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS" + else + CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS" + fi + LIBS="$LIBS -lnss3 -lnspr4" + ] +) + +# openssl +if test $USE_NSS = "no"; then ACX_WITH_SSL ACX_LIB_SSL AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512]) +AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode]) AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H @@ -536,6 +562,8 @@ AC_INCLUDES_DEFAULT #include <openssl/ssl.h> #include <openssl/evp.h> ]) +fi + AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support])) case "$enable_sha2" in 
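Review bot: The action-if-given block of `AC_ARG_WITH([nss], ...)` sets `USE_NSS="yes"` and defines `HAVE_NSS` without looking at `$withval`, so `--without-nss` or `--with-nss=no` also switches the crypto backend to NSS. Because `no` is not in the `/usr`, empty or `yes` exclusion list, it also adds `-Ino/include` and `-Lno/lib` to the flags. Wrap the body in `if test "$withval" != "no"; then` ... `fi` so that an explicit negative keeps the OpenSSL path. `-lnss3 -lnspr4` are appended to `LIBS` with no header or library probe, so a wrong path only shows up when a later link test or the build fails. A relative `$withval` also ends up in `-L` unchecked. The generated `configure` hunk at `@@ -15923,6 +15997,39 @@` carries the same logic and will follow once this file is fixed and regenerated.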
@@ -646,19 +674,21 @@ AC_MSG_RESULT($ac_cv_c_gost_works) AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support])) use_gost="no" +if test $USE_NSS = "no"; then case "$enable_gost" in no) ;; *) AC_CHECK_FUNC(EVP_PKEY_set_type_str, [:],[AC_MSG_ERROR([OpenSSL 1.0.0 is needed for GOST support])]) - AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])]) + AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])]) AC_CHECK_GOST_WORKS - if test $ac_cv_c_gost_works != no; then + if test "$ac_cv_c_gost_works" != no; then use_gost="yes" AC_DEFINE([USE_GOST], [1], [Define this to enable GOST support.]) fi ;; esac +fi dnl !USE_NSS AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support])) use_ecdsa="no" 
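Review bot: With `--with-nss` the whole `case "$enable_gost"` block is skipped, so an explicit `--enable-gost` is dropped without any message and `use_gost` stays `no`. An operator who asked for GOST would get a resolver that presumably treats GOST-signed zones as unsupported rather than validating them, and nothing in the configure output says so. Report the conflict before the new `if`, for example `test "$USE_NSS" = yes -a "x$enable_gost" = xyes && AC_MSG_ERROR([--enable-gost needs OpenSSL and cannot be combined with --with-nss])`, or use `AC_MSG_WARN` if a hard stop is too strict. The trailing `dnl !USE_NSS` on the closing `fi` is a good marker and could be repeated on the other `fi` lines this commit adds.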
@@ -666,18 +696,20 @@ case "$enable_ecdsa" in no) ;; *) - AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])]) - AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])]) - AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT + if test $USE_NSS = "no"; then + AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])]) + AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])]) + AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT #include <openssl/evp.h> - ]) - # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency) - AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP]) - if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then - AC_MSG_RESULT([no]) - AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl]) - else - AC_MSG_RESULT([yes]) + ]) + # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency) + AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP]) + if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then + AC_MSG_RESULT([no]) + AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl]) + else + AC_MSG_RESULT([yes]) + fi fi # we now know we have ECDSA and the required curves. AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.]) 
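Review bot: With `USE_NSS` set to yes the three OpenSSL probes are skipped, yet `USE_ECDSA` is still defined right after the comment `# we now know we have ECDSA and the required curves.`, which no longer holds for an NSS build because nothing was probed. Either add an NSS-side probe in an `else` branch of the new `if`, or reword the comment, for example `# OpenSSL: checked above; NSS: ECDSA support is assumed, not probed`. The `case` statement continues past the end of this hunk.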
@@ -969,6 +1001,17 @@ rm -f conftest.lo AC_SUBST(SOURCEDETERMINE) AC_SUBST(SOURCEFILE) +# see if we want to build the library or everything +ALLTARGET="alltargets" +AC_ARG_WITH(libunbound-only, AC_HELP_STRING([--with-libunbound-only], + [do not build daemon and tool programs]), + [ + if test "$withval" = "yes"; then + ALLTARGET="lib" + fi +]) +AC_SUBST(ALLTARGET) + # check this after all other compilation checks, since the linking of the lib # may break checks after this. AC_ARG_WITH(ldns, AC_HELP_STRING([--with-ldns=PATH], @@ -990,13 +1033,19 @@ AC_CHECK_LIB(ldns, ldns_rr_new,,[ AC_MSG_ERROR([No ldns library found, install the ldns library into system lib dir or use --with-ldns=path to other location. The --with-ldns can point to the make-dir of ldns. Install the package ldns or download source http://www.nlnetlabs.nl/projects/ldns]) ]) AC_CHECK_FUNC(ldns_buffer_copy) -AC_CHECK_FUNC(ldns_key_buf2rsa_raw) +if test $USE_NSS = "no"; then + AC_CHECK_FUNC(ldns_key_buf2rsa_raw) +else + dnl ignore test + ac_cv_func_ldns_key_buf2rsa_raw="yes" +fi AC_CHECK_FUNC(ldns_get_random) AC_CHECK_FUNC(ldns_b32_ntop_extended_hex) -if test x$use_gost = xyes; then +if test x$use_gost = xyes -a x$USE_NSS = xno; then AC_CHECK_FUNC(ldns_key_EVP_load_gost_id) AC_CHECK_FUNCS([ldns_key_EVP_unload_gost]) else + dnl ignore test ac_cv_func_ldns_key_EVP_load_gost_id="yes" fi if test x$use_ecdsa = xyes; then diff --git a/usr.sbin/unbound/daemon/remote.c b/usr.sbin/unbound/daemon/remote.c index 38ca15c85cd..5dc05c5fa49 100644 --- a/usr.sbin/unbound/daemon/remote.c +++ b/usr.sbin/unbound/daemon/remote.c 
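Review bot: In the ldns hunk, forcing `ac_cv_func_ldns_key_buf2rsa_raw="yes"` under NSS overwrites an autoconf cache variable with a result that was never measured, and the only explanation given is `dnl ignore test`. Presumably a later test reads this variable and must not fail for NSS builds; if so, say that in the comment, e.g. `dnl NSS build: function not probed, mark it found so the later check passes`. The same applies to the `dnl ignore test` added above `ac_cv_func_ldns_key_EVP_load_gost_id="yes"`. Separately, `test x$use_gost = xyes -a x$USE_NSS = xno` relies on `-a`, which the autoconf manual lists as non-portable; `test x$use_gost = xyes && test x$USE_NSS = xno` avoids it.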
@@ -1286,6 +1286,74 @@ do_flush_zone(SSL* ssl, struct worker* worker, char* arg) (unsigned)inf.num_msgs, (unsigned)inf.num_keys); } +/** callback to delete bogus rrsets */ +static void +bogus_del_rrset(struct lruhash_entry* e, void* arg) +{ + /* entry is locked */ + struct del_info* inf = (struct del_info*)arg; + struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; + if(d->security == sec_status_bogus) { + d->ttl = inf->expired; + inf->num_rrsets++; + } +} + +/** callback to delete bogus messages */ +static void +bogus_del_msg(struct lruhash_entry* e, void* arg) +{ + /* entry is locked */ + struct del_info* inf = (struct del_info*)arg; + struct reply_info* d = (struct reply_info*)e->data; + if(d->security == sec_status_bogus) { + d->ttl = inf->expired; + inf->num_msgs++; + } +} + +/** callback to delete bogus keys */ +static void +bogus_del_kcache(struct lruhash_entry* e, void* arg) +{ + /* entry is locked */ + struct del_info* inf = (struct del_info*)arg; + struct key_entry_data* d = (struct key_entry_data*)e->data; + if(d->isbad) { + d->ttl = inf->expired; + inf->num_keys++; + } +} + +/** remove all rrsets and keys from zone from cache */ +static void +do_flush_bogus(SSL* ssl, struct worker* worker) +{ + struct del_info inf; + /* what we do is to set them all expired */ + inf.worker = worker; + inf.now = *worker->env.now; + inf.expired = *worker->env.now; + inf.expired -= 3; /* handle 3 seconds skew between threads */ + inf.num_rrsets = 0; + inf.num_msgs = 0; + inf.num_keys = 0; + slabhash_traverse(&worker->env.rrset_cache->table, 1, + &bogus_del_rrset, &inf); + + slabhash_traverse(worker->env.msg_cache, 1, &bogus_del_msg, &inf); + + /* and validator cache */ + if(worker->env.key_cache) { + slabhash_traverse(worker->env.key_cache->slab, 1, + &bogus_del_kcache, &inf); + } + + (void)ssl_printf(ssl, "ok removed %u rrsets, %u messages " + "and %u key entries\n", (unsigned)inf.num_rrsets, + (unsigned)inf.num_msgs, (unsigned)inf.num_keys); +} + /** remove 
name rrset from cache */ static void do_flush_name(SSL* ssl, struct worker* w, char* arg) @@ -1393,6 +1461,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names) } if(!delegpt_add_ns_mlc(dp, n, 0)) { (void)ssl_printf(ssl, "error out of memory\n"); + free(n); delegpt_free_mlc(dp); return NULL; } @@ -1442,7 +1511,6 @@ do_forward(SSL* ssl, struct worker* worker, char* args) return; if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) { (void)ssl_printf(ssl, "error out of memory\n"); - delegpt_free_mlc(dp); return; } } @@ -1514,7 +1582,6 @@ do_forward_add(SSL* ssl, struct worker* worker, char* args) } if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) { (void)ssl_printf(ssl, "error out of memory\n"); - delegpt_free_mlc(dp); free(nm); return; } @@ -1571,7 +1638,6 @@ do_stub_add(SSL* ssl, struct worker* worker, char* args) forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm); if(insecure) anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm); - delegpt_free_mlc(dp); free(nm); return; } @@ -2040,6 +2106,8 @@ execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd, do_set_option(ssl, worker, skipwhite(p+10)); } else if(cmdcmp(p, "get_option", 10)) { do_get_option(ssl, worker, skipwhite(p+10)); + } else if(cmdcmp(p, "flush_bogus", 11)) { + do_flush_bogus(ssl, worker); } else { (void)ssl_printf(ssl, "error unknown command '%s'\n", p); } diff --git a/usr.sbin/unbound/daemon/remote.h b/usr.sbin/unbound/daemon/remote.h index 5919be4f2a3..8d5b4125743 100644 --- a/usr.sbin/unbound/daemon/remote.h +++ b/usr.sbin/unbound/daemon/remote.h @@ -69,8 +69,10 @@ struct rc_state { struct comm_point* c; /** in the handshake part */ enum { rc_none, rc_hs_read, rc_hs_write } shake_state; +#ifdef HAVE_SSL /** the ssl state */ SSL* ssl; +#endif /** the rc this is part of */ struct daemon_remote* rc; }; 
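Review bot: The doc comment on `do_flush_bogus` reads `/** remove all rrsets and keys from zone from cache */`, which describes the zone flush above it; this function takes no zone and touches only entries marked bogus or bad. Suggest `/** expire all bogus rrsets, messages and key entries in the caches */`. The three callbacks are labelled "delete" but only set `d->ttl = inf->expired`, so `/** callback to expire bogus rrsets */` (and likewise for messages and keys) would match what the code does.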
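Review bot: Dropping `delegpt_free_mlc(dp)` after a failed `forwards_add_zone` in `do_forward`, and in the `do_forward_add` and `do_stub_add` hunks that follow, is only correct if the callee now frees `dp` itself on failure; that contract is not visible in these hunks. If that is the intent, state it at each call site, e.g. `/* forwards_add_zone frees dp on failure */`, so a later reader does not re-add the free and create a double free. In `do_stub_add` the failing call sits above the hunk, so it is worth confirming which function takes ownership of `dp` there.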
@@ -93,8 +95,10 @@ struct daemon_remote { int max_active; /** current commpoints busy; should be a short list, malloced */ struct rc_state* busy_list; +#ifdef HAVE_SSL /** the SSL context for creating new SSL streams */ SSL_CTX* ctx; +#endif }; /** @@ -159,6 +163,7 @@ int remote_accept_callback(struct comm_point*, void*, int, struct comm_reply*); /** handle remote control data callbacks */ int remote_control_callback(struct comm_point*, void*, int, struct comm_reply*); +#ifdef HAVE_SSL /** * Print fixed line of text over ssl connection in blocking mode * @param ssl: print to @@ -185,6 +190,7 @@ int ssl_printf(SSL* ssl, const char* format, ...) * @return false on connection failure. */ int ssl_read_line(SSL* ssl, char* buf, size_t max); +#endif /* HAVE_SSL */ /** routine to printout option values over SSL */ void remote_get_opt_ssl(char* line, void* arg); diff --git a/usr.sbin/unbound/daemon/unbound.c b/usr.sbin/unbound/daemon/unbound.c index 6d87a4f6d5c..d64751ab57a 100644 --- a/usr.sbin/unbound/daemon/unbound.c +++ b/usr.sbin/unbound/daemon/unbound.c @@ -87,6 +87,10 @@ # include "winrc/win_svc.h" #endif +#ifdef HAVE_NSS +# include <nss3/nss.h> +#endif + /** global debug value to keep track of heap memory allocation */ void* unbound_start_brk = 0; @@ -159,7 +163,12 @@ static void usage() get_event_sys(&evnm, &evsys, &evmethod); printf("linked libs: %s %s (it uses %s), ldns %s, %s\n", evnm, evsys, evmethod, ldns_version(), - SSLeay_version(SSLEAY_VERSION)); +#ifdef HAVE_SSL + SSLeay_version(SSLEAY_VERSION) +#elif defined(HAVE_NSS) + NSS_GetVersion() +#endif + ); printf("linked modules:"); for(m = module_list_avail(); *m; m++) printf(" %s", *m); 
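Review bot: In `usage()` the last `printf` argument is now selected by `#ifdef HAVE_SSL` / `#elif defined(HAVE_NSS)` with no `#else`, so a build with neither macro defined is left with a trailing comma after `ldns_version()` and one `%s` without an argument. Add a fallback branch, such as `#else` followed by `"no crypto library"`, or an `#error`. The new `# include <nss3/nss.h>` hard-codes the `nss3/` prefix, so it is worth confirming that the header resolves when `--with-nss` points at a non-default path.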
@@ -445,6 +454,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, * given to unbound on the commandline. */ /* read ssl keys while superuser and outside chroot */ +#ifdef HAVE_SSL if(!(daemon->rc = daemon_remote_create(cfg))) fatal_exit("could not set up remote-control"); if(cfg->ssl_service_key && cfg->ssl_service_key[0]) { @@ -454,6 +464,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, } if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, NULL))) fatal_exit("could not set up connect SSL_CTX"); +#endif #ifdef HAVE_KILL /* check old pid file before forking */ diff --git a/usr.sbin/unbound/doc/Changelog b/usr.sbin/unbound/doc/Changelog index 3b2753f818d..2c07ea636e6 100644 --- a/usr.sbin/unbound/doc/Changelog +++ b/usr.sbin/unbound/doc/Changelog 
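Review bot: With the new `#ifdef HAVE_SSL` (closed by the `#endif` in the next hunk), a build without OpenSSL skips `daemon_remote_create` and ignores `cfg->ssl_service_key` without any message, so a configuration that asks for an SSL service starts as if it had not. An `#else` branch that refuses such a configuration would make the gap visible, e.g. `if(cfg->ssl_service_key && cfg->ssl_service_key[0]) fatal_exit("ssl service key configured, but compiled without ssl support");`. Whether `daemon->rc` is used unguarded later cannot be seen from here; `perform_setup` continues on both sides of the hunk.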
@@ -1,5 +1,108 @@ +30 July 2012: Wouter + - tag 1.4.18rc2. + +27 July 2012: Wouter + - unbound-host works with libNSS + - fix bogus nodata cname chain not reported as bogus by validator, + (Thanks Peter van Dijk). + +26 July 2012: Wouter + - iana portlist updated. + - tag 1.4.18rc1. + +25 July 2012: Wouter + - review fix for libnss, check hash prefix allocation size. + +23 July 2012: Wouter + - fix missing break for GOST DS hash function. + - implemented forward_first for the root. + +20 July 2012: Wouter + - Fix bug#452 and another assertion failure in mesh.c, makes + assertions in mesh.c resist duplicates. Fixes DS NS search to + not generate duplicate sub queries. + +19 July 2012: Willem + - Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac, + if CFLAGS is specified at configure time then '-g -O2' is not + appended to CFLAGS, so that the user can override them. + +18 July 2012: Willem + - Fix libunbound report of errors when in background mode. + +11 July 2012: Willem + - updated iana ports list. + +9 July 2012: Willem + - Add flush_bogus option for unbound-control + +6 July 2012: Wouter + - Fix validation of qtype DS queries that result in no data for + non-optout NSEC3 zones. + +4 July 2012: Wouter + - compile libunbound with libnss on Suse, passes regression tests. + +3 July 2012: Wouter + - FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes. + +2 July 2012: Wouter + - updated iana ports list. + +29 June 2012: Wouter + - patch for unbound_munin_ script to handle arbitrary thread count by + Sven Ulland. + +28 June 2012: Wouter + - detect if openssl has FIPS_mode. + - code review: return value of cache_store can be ignored for better + performance in out of memory conditions. + - fix edns-buffer-size and msg-buffer-size manpage documentation. + - updated iana ports list. + +25 June 2012: Wouter + - disable RSAMD5 if in FIPS mode (for openssl and for libnss). 
+ +22 June 2012: Wouter + - implement DS records, NSEC3 and ECDSA for compile with libnss. + +21 June 2012: Wouter + - fix error handling of alloc failure during rrsig verification. + - nss check for verification failure. + - nss crypto works for RSA and DSA. + +20 June 2012: Wouter + - work on --with-nss build option (for now, --with-libunbound-only). + +19 June 2012: Wouter + - --with-libunbound-only build option, only builds the library and + not the daemon and other tools. + +18 June 2012: Wouter + - code review. + +15 June 2012: Wouter + - implement log-time-ascii on windows. + - The key-cache bad key ttl is now 60 seconds. + - updated iana ports list. + - code review. + +11 June 2012: Wouter + - bug #452: fix crash on assert in mesh_state_attachment. + +30 May 2012: Wouter + - silence warning from swig-generated code (md set but not used in + swig initmodule, due to ifdefs in swig-generated code). + +27 May 2012: Wouter + - Fix debian-bugs-658021: Please enable hardened build flags. + +25 May 2012: Wouter + - updated iana ports list. + 24 May 2012: Wouter - tag for 1.4.17 release. + - trunk is 1.4.18 in development. 18 May 2012: Wouter - Review comments, removed duplicate memset to zero in delegpt. diff --git a/usr.sbin/unbound/doc/unbound-host.1 b/usr.sbin/unbound/doc/unbound-host.1 index e83ecae1ac8..771b68b295a 100644 --- a/usr.sbin/unbound/doc/unbound-host.1 +++ b/usr.sbin/unbound/doc/unbound-host.1 @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Feb 2, 2012" "NLnet Labs" "unbound 1.4.16" +.TH "unbound\-host" "1" "Aug 2, 2012" "NLnet Labs" "unbound 1.4.18" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/usr.sbin/unbound/libunbound/libworker.c b/usr.sbin/unbound/libunbound/libworker.c index 917a9106d07..b23d560ab28 100644 --- a/usr.sbin/unbound/libunbound/libworker.c +++ b/usr.sbin/unbound/libunbound/libworker.c 
@@ -643,6 +643,8 @@ libworker_bg_done_cb(void* arg, int rcode, ldns_buffer* buf, enum sec_status s, return; } q->msg_security = s; + if(!buf) + buf = q->w->env->scratch_buffer; if(rcode != 0) { error_encode(buf, rcode, NULL, 0, BIT_RD, NULL); } diff --git a/usr.sbin/unbound/services/listen_dnsport.c b/usr.sbin/unbound/services/listen_dnsport.c index 59ca1991eb1..647cbe07ebd 100644 --- a/usr.sbin/unbound/services/listen_dnsport.c +++ b/usr.sbin/unbound/services/listen_dnsport.c @@ -323,6 +323,11 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, log_err("setsockopt(..., IP_MTU_DISCOVER, " "IP_PMTUDISC_DONT...) failed: %s", strerror(errno)); +# ifndef USE_WINSOCK + close(s); +# else + closesocket(s); +# endif return -1; } # elif defined(IP_DONTFRAG) @@ -331,6 +336,11 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, &off, (socklen_t)sizeof(off)) < 0) { log_err("setsockopt(..., IP_DONTFRAG, ...) failed: %s", strerror(errno)); +# ifndef USE_WINSOCK + close(s); +# else + closesocket(s); +# endif return -1; } # endif /* IPv4 MTU */ @@ -408,9 +418,11 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto) #ifndef USE_WINSOCK log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s", strerror(errno)); + close(s); #else log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s", wsa_strerror(WSAGetLastError())); + closesocket(s); #endif return -1; } @@ -422,9 +434,11 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto) #ifndef USE_WINSOCK log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s", strerror(errno)); + close(s); #else log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s", wsa_strerror(WSAGetLastError())); + closesocket(s); #endif return -1; } 
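Review bot: When `buf` is NULL and `rcode` is 0, the new fallback in `libworker_bg_done_cb` points `buf` at `q->w->env->scratch_buffer` without writing anything to it, so whatever the scratch buffer last held would be passed on by the code that follows (that code is outside the hunk, so this is inferred). Consider turning that case into an error, e.g. `if(!buf) { buf = q->w->env->scratch_buffer; if(rcode == 0) rcode = LDNS_RCODE_SERVFAIL; }`, so `error_encode` always fills the substituted buffer. A short comment naming the caller that passes a NULL buffer would also help.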
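Review bot: The five-line `#ifndef USE_WINSOCK` / `close(s)` / `#else` / `closesocket(s)` / `#endif` sequence is now repeated on each error path in `create_udp_sock` here and in the next hunk, and again in `create_tcp_accept_sock` and `ports_create_if` further down. A small static helper would keep each path to one line and make it harder to miss the close on the next error path that gets added. The paths shown log `strerror(errno)` before closing, which is the order to keep since `close()` may change `errno`. The enclosing functions start and end outside these hunks.

```c
/** close a socket with the call that matches the platform */
static void
close_listen_sock(int s)
{
#ifndef USE_WINSOCK
	close(s);
#else
	closesocket(s);
#endif
}

/* … unchanged: setsockopt() call and log_err() … */
		close_listen_sock(s);
		return -1;
```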
@@ -443,23 +457,32 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto) (struct sockaddr_storage*)addr->ai_addr, addr->ai_addrlen); } + close(s); #else log_err("can't bind socket: %s", wsa_strerror(WSAGetLastError())); log_addr(0, "failed address", (struct sockaddr_storage*)addr->ai_addr, addr->ai_addrlen); + closesocket(s); #endif return -1; } if(!fd_set_nonblock(s)) { +#ifndef USE_WINSOCK + close(s); +#else + closesocket(s); +#endif return -1; } if(listen(s, TCP_BACKLOG) == -1) { #ifndef USE_WINSOCK log_err("can't listen: %s", strerror(errno)); + close(s); #else log_err("can't listen: %s", wsa_strerror(WSAGetLastError())); + closesocket(s); #endif return -1; } @@ -653,8 +676,14 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, return 0; } /* getting source addr packet info is highly non-portable */ - if(!set_recvpktinfo(s, hints->ai_family)) + if(!set_recvpktinfo(s, hints->ai_family)) { +#ifndef USE_WINSOCK + close(s); +#else + closesocket(s); +#endif return 0; + } if(!port_insert(list, s, listen_type_udpancil)) { #ifndef USE_WINSOCK close(s); diff --git a/usr.sbin/unbound/util/netevent.c b/usr.sbin/unbound/util/netevent.c index 5b869765cc3..3c1c69d7e1b 100644 --- a/usr.sbin/unbound/util/netevent.c +++ b/usr.sbin/unbound/util/netevent.c @@ -44,8 +44,12 @@ #include "util/log.h" #include "util/net_help.h" #include "util/fptr_wlist.h" +#ifdef HAVE_OPENSSL_SSL_H #include <openssl/ssl.h> +#endif +#ifdef HAVE_OPENSSL_ERR_H #include <openssl/err.h> +#endif /* -------- Start of local definitions -------- */ /** if CMSG_ALIGN is not defined on this platform, a workaround */ @@ -846,9 +850,11 @@ reclaim_tcp_handler(struct comm_point* c) { log_assert(c->type == comm_tcp); if(c->ssl) { +#ifdef HAVE_SSL SSL_shutdown(c->ssl); SSL_free(c->ssl); c->ssl = NULL; +#endif } comm_point_close(c); if(c->tcp_parent) { 
@@ -893,6 +899,7 @@ tcp_callback_reader(struct comm_point* c) } /** continue ssl handshake */ +#ifdef HAVE_SSL static int ssl_handshake(struct comm_point* c) { @@ -955,11 +962,13 @@ ssl_handshake(struct comm_point* c) c->ssl_shake_state = comm_ssl_shake_none; return 1; } +#endif /* HAVE_SSL */ /** ssl read callback on TCP */ static int ssl_handle_read(struct comm_point* c) { +#ifdef HAVE_SSL int r; if(c->ssl_shake_state != comm_ssl_shake_none) { if(!ssl_handshake(c)) @@ -1036,12 +1045,17 @@ ssl_handle_read(struct comm_point* c) tcp_callback_reader(c); } return 1; +#else + (void)c; + return 0; +#endif /* HAVE_SSL */ } /** ssl write callback on TCP */ static int ssl_handle_write(struct comm_point* c) { +#ifdef HAVE_SSL int r; if(c->ssl_shake_state != comm_ssl_shake_none) { if(!ssl_handshake(c)) @@ -1115,6 +1129,10 @@ ssl_handle_write(struct comm_point* c) tcp_callback_writer(c); } return 1; +#else + (void)c; + return 0; +#endif /* HAVE_SSL */ } /** handle ssl tcp connection with dns contents */ @@ -1844,8 +1862,10 @@ comm_point_delete(struct comm_point* c) if(!c) return; if(c->type == comm_tcp && c->ssl) { +#ifdef HAVE_SSL SSL_shutdown(c->ssl); SSL_free(c->ssl); +#endif } comm_point_close(c); if(c->tcp_handlers) { |
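Review bot: In a build without `HAVE_SSL`, `ssl_handle_read` and `ssl_handle_write` now return 0 with no log line, so a comm point that was set up for SSL fails without a trace (what the caller does with 0 is outside these hunks). Add a message in each `#else` branch before `return 0;`, e.g. `log_err("ssl connection requested, but compiled without ssl support");`. In the first hunk the `#ifdef HAVE_SSL` lands between the doc comment `/** continue ssl handshake */` and `ssl_handshake`; moving the `#ifdef` above the comment keeps the two together. Both handlers start outside their hunks.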