Merge branch 'master' into rpz

Makefile.in

@@ -1092,8 +1092,8 @@ ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelis
 ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h

config.h.in

@@ -730,6 +730,9 @@
 /* Use win32 resources and API */
 #undef UB_ON_WINDOWS
 
+/* the SYSLOG_FACILITY to use, default LOG_DAEMON */
+#undef UB_SYSLOG_FACILITY
+
 /* default username */
 #undef UB_USERNAME
 

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.9.3.
+# Generated by GNU Autoconf 2.69 for unbound 1.9.4.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.9.3'
-PACKAGE_STRING='unbound 1.9.3'
+PACKAGE_VERSION='1.9.4'
+PACKAGE_STRING='unbound 1.9.4'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -850,6 +850,7 @@ enable_alloc_lite
 enable_alloc_nonregional
 with_pthreads
 with_solaris_threads
+with_syslog_facility
 with_pyunbound
 with_pythonmodule
 enable_swig_version_check
@@ -1445,7 +1446,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.9.3 to adapt to many kinds of systems.
+\`configure' configures unbound 1.9.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1510,7 +1511,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.9.3:";;
+     short | recursive ) echo "Configuration of unbound 1.9.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1604,6 +1605,8 @@ Optional Packages:
   --with-pthreads         use pthreads library, or --without-pthreads to
                           disable threading support.
   --with-solaris-threads  use solaris native thread library.
+  --with-syslog-facility=LOCAL0 - LOCAL7
+                          set SYSLOG_FACILITY, default DAEMON
   --with-pyunbound        build PyUnbound, or --without-pyunbound to skip it.
                           (default=no)
   --with-pythonmodule     build Python module, or --without-pythonmodule to
@@ -1729,7 +1732,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.9.3
+unbound configure 1.9.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2438,7 +2441,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.9.3, which was
+It was created by unbound $as_me 1.9.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2790,7 +2793,7 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=9
 
-UNBOUND_VERSION_MICRO=3
+UNBOUND_VERSION_MICRO=4
 
 
 LIBUNBOUND_CURRENT=9
@@ -2865,6 +2868,7 @@ LIBUNBOUND_AGE=1
 # 1.9.1 had 9:1:1
 # 1.9.2 had 9:2:1
 # 1.9.3 had 9:3:1
+# 1.9.4 had 9:4:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -17098,6 +17102,26 @@ fi
 
 fi # end of non-mingw check of thread libraries
 
+# Check for SYSLOG_FACILITY
+
+# Check whether --with-syslog-facility was given.
+if test "${with_syslog_facility+set}" = set; then :
+  withval=$with_syslog_facility;  UNBOUND_SYSLOG_FACILITY="$withval"
+fi
+
+case "${UNBOUND_SYSLOG_FACILITY}" in
+
+  LOCAL[0-7]) UNBOUND_SYSLOG_FACILITY="LOG_${UNBOUND_SYSLOG_FACILITY}" ;;
+
+           *) UNBOUND_SYSLOG_FACILITY="LOG_DAEMON" ;;
+
+esac
+
+cat >>confdefs.h <<_ACEOF
+#define UB_SYSLOG_FACILITY ${UNBOUND_SYSLOG_FACILITY}
+_ACEOF
+
+
 # Check for PyUnbound
 
 # Check whether --with-pyunbound was given.
@@ -21273,7 +21297,7 @@ _ACEOF
 
 
 
-version=1.9.3
+version=1.9.4
 
 date=`date +'%b %e, %Y'`
 
@@ -21792,7 +21816,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.9.3, which was
+This file was extended by unbound $as_me 1.9.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -21858,7 +21882,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.9.3
+unbound config.status 1.9.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -11,7 +11,7 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[9])
-m4_define([VERSION_MICRO],[3])
+m4_define([VERSION_MICRO],[4])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
@@ -89,6 +89,7 @@ LIBUNBOUND_AGE=1
 # 1.9.1 had 9:1:1
 # 1.9.2 had 9:2:1
 # 1.9.3 had 9:3:1
+# 1.9.4 had 9:4:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -602,6 +603,18 @@ fi
 
 fi # end of non-mingw check of thread libraries
 
+# Check for SYSLOG_FACILITY
+AC_ARG_WITH(syslog-facility, AC_HELP_STRING([--with-syslog-facility=LOCAL0 - LOCAL7], [ set SYSLOG_FACILITY, default DAEMON ]),
+	[ UNBOUND_SYSLOG_FACILITY="$withval" ], [])
+case "${UNBOUND_SYSLOG_FACILITY}" in
+
+  LOCAL[[0-7]]) UNBOUND_SYSLOG_FACILITY="LOG_${UNBOUND_SYSLOG_FACILITY}" ;;
+
+           *) UNBOUND_SYSLOG_FACILITY="LOG_DAEMON" ;;
+
+esac
+AC_DEFINE_UNQUOTED(UB_SYSLOG_FACILITY,${UNBOUND_SYSLOG_FACILITY},[the SYSLOG_FACILITY to use, default LOG_DAEMON])
+
 # Check for PyUnbound
 AC_ARG_WITH(pyunbound,
    AC_HELP_STRING([--with-pyunbound],

doc/Changelog

@@ -1,9 +1,29 @@
+9 September 2019: Wouter
+	- Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
+	  LOG_DAEMON (as before) can set the syslog facility that the server
+	  uses to log messages.
+
+4 September 2019: Wouter
+	- Fix #71: fix openssl error squelch commit compilation error.
+
+3 September 2019: Wouter
+	- squelch DNS over TLS errors 'ssl handshake failed crypto error'
+	  on low verbosity, they show on verbosity 3 (query details), because
+	  there is a high volume and the operator cannot do anything for the
+	  remote failure.  Specifically filters the high volume errors.
+
+2 September 2019: Wouter
+	- ipset module #28: log that an address is added, when verbosity high.
+	- ipset: refactor long routine into three smaller ones.
+	- updated Makefile dependencies.
+
 23 August 2019: Wouter
 	- Fix contrib/fastrpz.patch asprintf return value checks.
 
 22 August 2019: Wouter
 	- Fix that pkg-config is setup before --enable-systemd needs it.
-	- 1.9.3rc2 release candidate tag.
+	- 1.9.3rc2 release candidate tag.  And this became the 1.9.3 release.
+	  Master is 1.9.4 in development.
 
 21 August 2019: Wouter
 	- Fix log_dns_msg to log irrespective of minimal responses config.
@@ -102,7 +122,7 @@
 	- Merge PR #6: Python module: support multiple instances
 	- Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
 	- Merge PR #4: Python module: assign something useful to the
-	  per-query data store 'qdata' 
+	  per-query data store 'qdata'
 	- Fix python dict reference and double free in config.
 
 17 June 2019: Wouter

ipset/ipset.c

@@ -8,6 +8,7 @@
 #include "config.h"
 #include "ipset/ipset.h"
 #include "util/regional.h"
+#include "util/net_help.h"
 #include "util/config_file.h"
 
 #include "services/cache/dns.h"
@@ -96,29 +97,93 @@ static int add_to_ipset(struct mnl_socket *mnl, const char *setname, const void
 	return 0;
 }
 
-static int ipset_update(struct module_env *env, struct dns_msg *return_msg, struct ipset_env *ie) {
+static void
+ipset_add_rrset_data(struct ipset_env *ie, struct mnl_socket *mnl,
+	struct packed_rrset_data *d, const char* setname, int af,
+	const char* dname)
+{
 	int ret;
+	size_t j, rr_len, rd_len;
+	uint8_t *rr_data;
 
-	struct mnl_socket *mnl;
+	/* to d->count, not d->rrsig_count, because we do not want to add the RRSIGs, only the addresses */
+	for (j = 0; j < d->count; j++) {
+		rr_len = d->rr_len[j];
+		rr_data = d->rr_data[j];
 
-	size_t i, j;
+		rd_len = sldns_read_uint16(rr_data);
+		if(af == AF_INET && rd_len != INET_SIZE)
+			continue;
+		if(af == AF_INET6 && rd_len != INET6_SIZE)
+			continue;
+		if (rr_len - 2 >= rd_len) {
+			if(verbosity >= VERB_QUERY) {
+				char ip[128];
+				if(inet_ntop(af, rr_data+2, ip, (socklen_t)sizeof(ip)) == 0)
+					snprintf(ip, sizeof(ip), "(inet_ntop_error)");
+				verbose(VERB_QUERY, "ipset: add %s to %s for %s", ip, setname, dname);
+			}
+			ret = add_to_ipset(mnl, setname, rr_data + 2, af);
+			if (ret < 0) {
+				log_err("ipset: could not add %s into %s", dname, setname);
 
-	const char *setname;
-
-	struct ub_packed_rrset_key *rrset;
-	struct packed_rrset_data *d;
-
-	int af;
+				mnl_socket_close(mnl);
+				ie->mnl = NULL;
+				break;
+			}
+		}
+	}
+}
 
+static int
+ipset_check_zones_for_rrset(struct module_env *env, struct ipset_env *ie,
+	struct mnl_socket *mnl, struct ub_packed_rrset_key *rrset,
+	const char *setname, int af)
+{
 	static char dname[BUFF_LEN];
 	const char *s;
 	int dlen, plen;
 
 	struct config_strlist *p;
+	struct packed_rrset_data *d;
 
-	size_t rr_len, rd_len;
+	dlen = sldns_wire2str_dname_buf(rrset->rk.dname, rrset->rk.dname_len, dname, BUFF_LEN);
+	if (dlen == 0) {
+		log_err("bad domain name");
+		return -1;
+	}
+	if (dname[dlen - 1] == '.') {
+		dlen--;
+	}
+
+	for (p = env->cfg->local_zones_ipset; p; p = p->next) {
+		plen = strlen(p->str);
+
+		if (dlen >= plen) {
+			s = dname + (dlen - plen);
+
+			if (strncasecmp(p->str, s, plen) == 0) {
+				d = (struct packed_rrset_data*)rrset->entry.data;
+				ipset_add_rrset_data(ie, mnl, d, setname,
+					af, dname);
+				break;
+			}
+		}
+	}
+	return 0;
+}
+
+static int ipset_update(struct module_env *env, struct dns_msg *return_msg, struct ipset_env *ie) {
+	struct mnl_socket *mnl;
+
+	size_t i;
+
+	const char *setname;
+
+	struct ub_packed_rrset_key *rrset;
+
+	int af;
 
-	uint8_t *rr_data;
 
 	mnl = (struct mnl_socket *)ie->mnl;
 	if (!mnl) {
@@ -149,44 +214,9 @@ static int ipset_update(struct module_env *env, struct dns_msg *return_msg, stru
 		}
 
 		if (setname) {
-			dlen = sldns_wire2str_dname_buf(rrset->rk.dname, rrset->rk.dname_len, dname, BUFF_LEN);
-			if (dlen == 0) {
-				log_err("bad domain name");
+			if(ipset_check_zones_for_rrset(env, ie, mnl, rrset,
+				setname, af) == -1)
 				return -1;
-			}
-			if (dname[dlen - 1] == '.') {
-				dlen--;
-			}
-
-			for (p = env->cfg->local_zones_ipset; p; p = p->next) {
-				plen = strlen(p->str);
-
-				if (dlen >= plen) {
-					s = dname + (dlen - plen);
-
-					if (strncasecmp(p->str, s, plen) == 0) {
-						d = (struct packed_rrset_data*)rrset->entry.data;
-						/* to d->count, not d->rrsig_count, because we do not want to add the RRSIGs, only the addresses */
-						for (j = 0; j < d->count; j++) {
-							rr_len = d->rr_len[j];
-							rr_data = d->rr_data[j];
-
-							rd_len = sldns_read_uint16(rr_data);
-							if (rr_len - 2 >= rd_len) {
-								ret = add_to_ipset(mnl, setname, rr_data + 2, af);
-								if (ret < 0) {
-									log_err("ipset: could not add %s into %s", dname, setname);
-
-									mnl_socket_close(mnl);
-									ie->mnl = NULL;
-									break;
-								}
-							}
-						}
-						break;
-					}
-				}
-			}
 		}
 	}
 

util/log.c

@@ -115,7 +115,9 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
 	if(use_syslog) {
 		/* do not delay opening until first write, because we may
 		 * chroot and no longer be able to access dev/log and so on */
-		openlog(ident, LOG_NDELAY, LOG_DAEMON);
+		/* the facility is LOG_DAEMON by default, but
+		 * --with-syslog-facility=LOCAL[0-7] can override it */
+		openlog(ident, LOG_NDELAY, UB_SYSLOG_FACILITY);
 		logging_to_syslog = 1;
 		lock_quick_unlock(&log_lock);
 		return;

util/net_help.c

@@ -783,11 +783,20 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
 void
 log_crypto_err(const char* str)
 {
+#ifdef HAVE_SSL
+	log_crypto_err_code(str, ERR_get_error());
+#else
+	(void)str;
+#endif /* HAVE_SSL */
+}
+
+void log_crypto_err_code(const char* str, unsigned long err)
+{
 #ifdef HAVE_SSL
 	/* error:[error code]:[library name]:[function name]:[reason string] */
 	char buf[128];
 	unsigned long e;
-	ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
+	ERR_error_string_n(err, buf, sizeof(buf));
 	log_err("%s crypto %s", str, buf);
 	while( (e=ERR_get_error()) ) {
 		ERR_error_string_n(e, buf, sizeof(buf));
@@ -795,6 +804,7 @@ log_crypto_err(const char* str)
 	}
 #else
 	(void)str;
+	(void)err;
 #endif /* HAVE_SSL */
 }
 

util/net_help.h

@@ -378,6 +378,13 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
  */
 void log_crypto_err(const char* str);
 
+/**
+ * Log libcrypto error from errcode with descriptive string, calls log_err.
+ * @param str: what failed.
+ * @param err: error code from ERR_get_error.
+ */
+void log_crypto_err_code(const char* str, unsigned long err);
+
 /**
  * Set SSL_OP_NOxxx options on SSL context to disable bad crypto
  * @param ctxt: SSL_CTX*

util/netevent.c

@@ -1052,6 +1052,35 @@ log_cert(unsigned level, const char* str, X509* cert)
 }
 #endif /* HAVE_SSL */
 
+#ifdef HAVE_SSL
+/** true if the ssl handshake error has to be squelched from the logs */
+static int
+squelch_err_ssl_handshake(unsigned long err)
+{
+	if(verbosity >= VERB_QUERY)
+		return 0; /* only squelch on low verbosity */
+	/* this is very specific, we could filter on ERR_GET_REASON()
+	 * (the third element in ERR_PACK) */
+	if(err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST) ||
+		err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST) ||
+		err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER) ||
+		err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE)
+#ifdef SSL_F_TLS_POST_PROCESS_CLIENT_HELLO
+		|| err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER)
+#endif
+#ifdef SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO
+		|| err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL)
+		|| err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL)
+#  ifdef SSL_R_VERSION_TOO_LOW
+		|| err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_VERSION_TOO_LOW)
+#  endif
+#endif
+		)
+		return 1;
+	return 0;
+}
+#endif /* HAVE_SSL */
+
 /** continue ssl handshake */
 #ifdef HAVE_SSL
 static int
@@ -1096,9 +1125,12 @@ ssl_handshake(struct comm_point* c)
 					strerror(errno));
 			return 0;
 		} else {
-			log_crypto_err("ssl handshake failed");
-			log_addr(1, "ssl handshake failed", &c->repinfo.addr,
-				c->repinfo.addrlen);
+			unsigned long err = ERR_get_error();
+			if(!squelch_err_ssl_handshake(err)) {
+				log_crypto_err_code("ssl handshake failed", err);
+				log_addr(1, "ssl handshake failed", &c->repinfo.addr,
+					c->repinfo.addrlen);
+			}
 			return 0;
 		}
 	}