From cd0a2b1af1a9d75ac09e1719ce9a6c76a5e638ae Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 27 Aug 2019 09:56:20 +0200 Subject: [PATCH 1/7] - Master is 1.9.4 in development. --- configure | 23 ++++++++++++----------- configure.ac | 3 ++- doc/Changelog | 5 +++-- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/configure b/configure index 3f30b3e3f..0ed190e67 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.9.3. +# Generated by GNU Autoconf 2.69 for unbound 1.9.4. # # Report bugs to . # @@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.9.3' -PACKAGE_STRING='unbound 1.9.3' +PACKAGE_VERSION='1.9.4' +PACKAGE_STRING='unbound 1.9.4' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -1445,7 +1445,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.9.3 to adapt to many kinds of systems. +\`configure' configures unbound 1.9.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1510,7 +1510,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.9.3:";; + short | recursive ) echo "Configuration of unbound 1.9.4:";; esac cat <<\_ACEOF @@ -1729,7 +1729,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.9.3 +unbound configure 1.9.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2438,7 +2438,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.9.3, which was +It was created by unbound $as_me 1.9.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2790,7 +2790,7 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=9 -UNBOUND_VERSION_MICRO=3 +UNBOUND_VERSION_MICRO=4 LIBUNBOUND_CURRENT=9 @@ -2865,6 +2865,7 @@ LIBUNBOUND_AGE=1 # 1.9.1 had 9:1:1 # 1.9.2 had 9:2:1 # 1.9.3 had 9:3:1 +# 1.9.4 had 9:4:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -21273,7 +21274,7 @@ _ACEOF -version=1.9.3 +version=1.9.4 date=`date +'%b %e, %Y'` @@ -21792,7 +21793,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.9.3, which was +This file was extended by unbound $as_me 1.9.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21858,7 +21859,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.9.3 +unbound config.status 1.9.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 811ad007a..57f7039fb 100644 --- a/configure.ac +++ b/configure.ac 
@@ -11,7 +11,7 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[9]) -m4_define([VERSION_MICRO],[3]) +m4_define([VERSION_MICRO],[4]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) @@ -89,6 +89,7 @@ LIBUNBOUND_AGE=1 # 1.9.1 had 9:1:1 # 1.9.2 had 9:2:1 # 1.9.3 had 9:3:1 +# 1.9.4 had 9:4:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary diff --git a/doc/Changelog b/doc/Changelog index fd139cb0f..cadfc6136 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,7 +3,8 @@ 22 August 2019: Wouter - Fix that pkg-config is setup before --enable-systemd needs it. - - 1.9.3rc2 release candidate tag. + - 1.9.3rc2 release candidate tag. And this became the 1.9.3 release. + Master is 1.9.4 in development. 21 August 2019: Wouter - Fix log_dns_msg to log irrespective of minimal responses config. @@ -102,7 +103,7 @@ - Merge PR #6: Python module: support multiple instances - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT - Merge PR #4: Python module: assign something useful to the - per-query data store 'qdata' + per-query data store 'qdata' - Fix python dict reference and double free in config. 17 June 2019: Wouter From 9902a5f81d5d28856ebc3bf39cb229f3a126cd27 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 2 Sep 2019 13:50:42 +0200 Subject: [PATCH 2/7] - ipset module #28: log that an address is added, when verbosity high. --- doc/Changelog | 3 +++ ipset/ipset.c | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index cadfc6136..33ab8096a 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,3 +1,6 @@ +2 September 2019: Wouter + - ipset module #28: log that an address is added, when verbosity high. + 23 August 2019: Wouter - Fix contrib/fastrpz.patch asprintf return value checks. diff --git a/ipset/ipset.c b/ipset/ipset.c index 85b2edea9..ec62cc356 100755 --- a/ipset/ipset.c +++ b/ipset/ipset.c @@ -8,6 +8,7 @@ #include "config.h" #include "ipset/ipset.h" #include "util/regional.h" +#include "util/net_help.h" #include "util/config_file.h" #include "services/cache/dns.h" @@ -172,7 +173,17 @@ static int ipset_update(struct module_env *env, struct dns_msg *return_msg, stru rr_data = d->rr_data[j]; rd_len = sldns_read_uint16(rr_data); + if(af == AF_INET && rd_len != INET_SIZE) + continue; + if(af == AF_INET6 && rd_len != INET6_SIZE) + continue; if (rr_len - 2 >= rd_len) { + if(verbosity >= VERB_QUERY) { + char ip[128]; + if(inet_ntop(af, rr_data+2, ip, (socklen_t)sizeof(ip)) == 0) + snprintf(ip, sizeof(ip), "(inet_ntop_error)"); + verbose(VERB_QUERY, "ipset: add %s to %s for %s", ip, setname, dname); + } ret = add_to_ipset(mnl, setname, rr_data + 2, af); if (ret < 0) { log_err("ipset: could not add %s into %s", dname, setname); From 7f9aa6734a133cf0014062853ad2be3e82945e68 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 2 Sep 2019 15:17:25 +0200 Subject: [PATCH 3/7] - ipset: refactor long routine into three smaller ones. --- doc/Changelog | 1 + ipset/ipset.c | 135 ++++++++++++++++++++++++++++---------------------- 2 files changed, 78 insertions(+), 58 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 33ab8096a..a3005b91e 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,6 @@ 2 September 2019: Wouter - ipset module #28: log that an address is added, when verbosity high. + - ipset: refactor long routine into three smaller ones. 23 August 2019: Wouter - Fix contrib/fastrpz.patch asprintf return value checks. diff --git a/ipset/ipset.c b/ipset/ipset.c index ec62cc356..f6e2c4a9d 100755 --- a/ipset/ipset.c 
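Review bot: The two new length guards in the rdata loop (`if(af == AF_INET && rd_len != INET_SIZE) continue;` and its AF_INET6 twin) drop a record whose rdlength does not fit the address family without any trace, so at VERB_QUERY an operator sees the new "ipset: add" line for good records but nothing for the ones skipped; a `verbose(VERB_QUERY, "ipset: skip %s, rdlength %u does not match address family", dname, (unsigned)rd_len);` before each `continue` would make a corrupted or mistyped cache entry observable instead of silently ignored. The `char ip[128]` scratch buffer could be sized `INET6_ADDRSTRLEN` to state what it holds. The new lines are written `if(` while the surrounding lines of this function use `if (`. ipset_update starts and ends outside the hunk.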
+++ b/ipset/ipset.c 
@@ -97,29 +97,93 @@ static int add_to_ipset(struct mnl_socket *mnl, const char *setname, const void return 0; } -static int ipset_update(struct module_env *env, struct dns_msg *return_msg, struct ipset_env *ie) { +static void +ipset_add_rrset_data(struct ipset_env *ie, struct mnl_socket *mnl, + struct packed_rrset_data *d, const char* setname, int af, + const char* dname) +{ int ret; + size_t j, rr_len, rd_len; + uint8_t *rr_data; - struct mnl_socket *mnl; + /* to d->count, not d->rrsig_count, because we do not want to add the RRSIGs, only the addresses */ + for (j = 0; j < d->count; j++) { + rr_len = d->rr_len[j]; + rr_data = d->rr_data[j]; - size_t i, j; + rd_len = sldns_read_uint16(rr_data); + if(af == AF_INET && rd_len != INET_SIZE) + continue; + if(af == AF_INET6 && rd_len != INET6_SIZE) + continue; + if (rr_len - 2 >= rd_len) { + if(verbosity >= VERB_QUERY) { + char ip[128]; + if(inet_ntop(af, rr_data+2, ip, (socklen_t)sizeof(ip)) == 0) + snprintf(ip, sizeof(ip), "(inet_ntop_error)"); + verbose(VERB_QUERY, "ipset: add %s to %s for %s", ip, setname, dname); + } + ret = add_to_ipset(mnl, setname, rr_data + 2, af); + if (ret < 0) { + log_err("ipset: could not add %s into %s", dname, setname); - const char *setname; - - struct ub_packed_rrset_key *rrset; - struct packed_rrset_data *d; - - int af; + mnl_socket_close(mnl); + ie->mnl = NULL; + break; + } + } + } +} +static int +ipset_check_zones_for_rrset(struct module_env *env, struct ipset_env *ie, + struct mnl_socket *mnl, struct ub_packed_rrset_key *rrset, + const char *setname, int af) +{ static char dname[BUFF_LEN]; const char *s; int dlen, plen; struct config_strlist *p; + struct packed_rrset_data *d; - size_t rr_len, rd_len; + dlen = sldns_wire2str_dname_buf(rrset->rk.dname, rrset->rk.dname_len, dname, BUFF_LEN); + if (dlen == 0) { + log_err("bad domain name"); + return -1; + } + if (dname[dlen - 1] == '.') { + dlen--; + } + + for (p = env->cfg->local_zones_ipset; p; p = p->next) { + plen = strlen(p->str); + 
+ if (dlen >= plen) { + s = dname + (dlen - plen); + + if (strncasecmp(p->str, s, plen) == 0) { + d = (struct packed_rrset_data*)rrset->entry.data; + ipset_add_rrset_data(ie, mnl, d, setname, + af, dname); + break; + } + } + } + return 0; +} + +static int ipset_update(struct module_env *env, struct dns_msg *return_msg, struct ipset_env *ie) { + struct mnl_socket *mnl; + + size_t i; + + const char *setname; + + struct ub_packed_rrset_key *rrset; + + int af; - uint8_t *rr_data; mnl = (struct mnl_socket *)ie->mnl; if (!mnl) { @@ -150,54 +214,9 @@ static int ipset_update(struct module_env *env, struct dns_msg *return_msg, stru } if (setname) { - dlen = sldns_wire2str_dname_buf(rrset->rk.dname, rrset->rk.dname_len, dname, BUFF_LEN); - if (dlen == 0) { - log_err("bad domain name"); + if(ipset_check_zones_for_rrset(env, ie, mnl, rrset, + setname, af) == -1) return -1; - } - if (dname[dlen - 1] == '.') { - dlen--; - } - - for (p = env->cfg->local_zones_ipset; p; p = p->next) { - plen = strlen(p->str); - - if (dlen >= plen) { - s = dname + (dlen - plen); - - if (strncasecmp(p->str, s, plen) == 0) { - d = (struct packed_rrset_data*)rrset->entry.data; - /* to d->count, not d->rrsig_count, because we do not want to add the RRSIGs, only the addresses */ - for (j = 0; j < d->count; j++) { - rr_len = d->rr_len[j]; - rr_data = d->rr_data[j]; - - rd_len = sldns_read_uint16(rr_data); - if(af == AF_INET && rd_len != INET_SIZE) - continue; - if(af == AF_INET6 && rd_len != INET6_SIZE) - continue; - if (rr_len - 2 >= rd_len) { - if(verbosity >= VERB_QUERY) { - char ip[128]; - if(inet_ntop(af, rr_data+2, ip, (socklen_t)sizeof(ip)) == 0) - snprintf(ip, sizeof(ip), "(inet_ntop_error)"); - verbose(VERB_QUERY, "ipset: add %s to %s for %s", ip, setname, dname); - } - ret = add_to_ipset(mnl, setname, rr_data + 2, af); - if (ret < 0) { - log_err("ipset: could not add %s into %s", dname, setname); - - mnl_socket_close(mnl); - ie->mnl = NULL; - break; - } - } - } - break; - } - } - } } } 
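Review bot: `ipset_add_rrset_data` closes the netlink socket and clears `ie->mnl` when add_to_ipset fails, but it is declared `void` and only `break`s out of its loop, so `ipset_check_zones_for_rrset` still returns 0 and `ipset_update` (its loop over the answer rrsets lies outside these hunks) carries on to the next rrset with its local `mnl`, which now points at a closed socket. The old inline code had the same shape, so this is most likely pre-existing, but the split into three functions is the natural point to propagate the failure: let ipset_add_rrset_data return int, turn the `break` into `return -1`, and have ipset_check_zones_for_rrset return that result so the existing `== -1` check in ipset_update stops the loop. Separately, `static char dname[BUFF_LEN]` in ipset_check_zones_for_rrset is a function-static buffer; if ipset_update can run on more than one worker thread that buffer is shared, which deserves either a comment saying why that is safe or a per-call buffer.
```c
static int
ipset_add_rrset_data(struct ipset_env *ie, struct mnl_socket *mnl,
	struct packed_rrset_data *d, const char* setname, int af,
	const char* dname)
{
	/* … unchanged: declarations, loop over d->count, length checks, verbose log … */
			ret = add_to_ipset(mnl, setname, rr_data + 2, af);
			if (ret < 0) {
				log_err("ipset: could not add %s into %s", dname, setname);
				mnl_socket_close(mnl);
				ie->mnl = NULL;
				return -1;
			}
	/* … unchanged: end of the rr loop … */
	return 0;
}

/* ipset_check_zones_for_rrset, inside the strncasecmp match: */
				d = (struct packed_rrset_data*)rrset->entry.data;
				return ipset_add_rrset_data(ie, mnl, d, setname,
					af, dname);
```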
From 366296ec14cbb1a665f5e45e9c6064605fb5cded Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 2 Sep 2019 15:56:24 +0200 Subject: [PATCH 4/7] - updated Makefile dependencies. --- Makefile.in | 4 ++-- doc/Changelog | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index e90427122..d9d4fe7ad 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1089,8 +1089,8 @@ ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelis ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h + $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h diff --git a/doc/Changelog b/doc/Changelog index a3005b91e..cf382ea84 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,7 @@ 2 September 2019: Wouter - ipset module #28: log that an address is added, when verbosity high. - ipset: refactor long routine into three smaller ones. + - updated Makefile dependencies. 23 August 2019: Wouter - Fix contrib/fastrpz.patch asprintf return value checks. 
From 1089fd6dc13e7d50a2183d51b69cd0896cd3bb4f Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" 
Date: Tue, 3 Sep 2019 09:47:27 +0200
Subject: [PATCH 5/7] - squelch DNS over TLS errors 'ssl handshake failed crypto error' on low verbosity, they show on verbosity 3 (query details), because there is a high volume and the operator cannot do anything for the remote failure. Specifically filters the high volume errors.
---
 doc/Changelog | 6 ++++++
 util/net_help.c | 12 +++++++++++-
 util/net_help.h | 7 +++++++
 util/netevent.c | 31 ++++++++++++++++++++++++++++---
 4 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index cf382ea84..ea45dea0f 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+3 September 2019: Wouter
+ - squelch DNS over TLS errors 'ssl handshake failed crypto error'
+ on low verbosity, they show on verbosity 3 (query details), because
+ there is a high volume and the operator cannot do anything for the
+ remote failure. Specifically filters the high volume errors.
+
 2 September 2019: Wouter
 - ipset module #28: log that an address is added, when verbosity high.
 - ipset: refactor long routine into three smaller ones.
diff --git a/util/net_help.c b/util/net_help.c
index 88bfc225a..4f382077e 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -697,11 +697,20 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
 void
 log_crypto_err(const char* str)
 {
+#ifdef HAVE_SSL
+ log_crypto_err_code(str, ERR_get_error());
+#else
+ (void)str;
+#endif /* HAVE_SSL */
+}
+
+void log_crypto_err_code(const char* str, unsigned long err)
+{
 #ifdef HAVE_SSL
 /* error:[error code]:[library name]:[function name]:[reason string] */
 char buf[128];
 unsigned long e;
- ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
+ ERR_error_string_n(err, buf, sizeof(buf));
 log_err("%s crypto %s", str, buf);
 while( (e=ERR_get_error()) ) {
 ERR_error_string_n(e, buf, sizeof(buf));
@@ -709,6 +718,7 @@ log_crypto_err(const char* str)
 }
 #else
 (void)str;
+ (void)err;
 #endif /* HAVE_SSL */
 }
 
diff --git a/util/net_help.h b/util/net_help.h
index 0b197fbdd..79e2a8349 100644
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -378,6 +378,13 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
 */
 void log_crypto_err(const char* str);
 
+/**
+ * Log libcrypto error from errcode with descriptive string, calls log_err.
+ * @param str: what failed.
+ * @param err: error code from ERR_get_error.
+ */
+void log_crypto_err_code(const char* str, unsigned long err);
+
 /**
 * Set SSL_OP_NOxxx options on SSL context to disable bad crypto
 * @param ctxt: SSL_CTX*
diff --git a/util/netevent.c b/util/netevent.c
index 9e2ba92b5..70cfcf4e0 100644
--- a/util/netevent.c
+++ b/util/netevent.c
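Review bot: The new Doxygen block for log_crypto_err_code does not say that the function, like log_crypto_err before it, also pops and logs every error still queued on the calling thread after `err` (the `while( (e=ERR_get_error()) )` loop kept as context in the net_help.c hunk of this commit), so a caller that passes a code it saved earlier gets whatever else is in the queue reported under the same `str`. Suggest adding ` * Also logs and drains any further errors on the thread's error queue.` to the comment so callers know the queue is consumed as a side effect.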
@@ -1052,6 +1052,28 @@ log_cert(unsigned level, const char* str, X509* cert)
 }
 #endif /* HAVE_SSL */
 
+#ifdef HAVE_SSL
+/** true if the ssl handshake error has to be squelched from the logs */
+static int
+squelch_err_ssl_handshake(unsigned long err)
+{
+ if(verbosity >= VERB_QUERY)
+ return 0; /* only squelch on low verbosity */
+ /* this is very specific, we could filter on ERR_GET_REASON()
+ * (the third element in ERR_PACK) */
+ if(err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST) ||
+ err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST) ||
+ err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER) ||
+ err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE) ||
+ err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER) ||
+ err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL) ||
+ err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL) ||
+ err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_VERSION_TOO_LOW))
+ return 1;
+ return 0;
+}
+#endif /* HAVE_SSL */
+
 /** continue ssl handshake */
 #ifdef HAVE_SSL
 static int
@@ -1096,9 +1118,12 @@ ssl_handshake(struct comm_point* c)
 strerror(errno));
 return 0;
 } else {
- log_crypto_err("ssl handshake failed");
- log_addr(1, "ssl handshake failed", &c->repinfo.addr,
- c->repinfo.addrlen);
+ unsigned long err = ERR_get_error();
+ if(!squelch_err_ssl_handshake(err)) {
+ log_crypto_err_code("ssl handshake failed", err);
+ log_addr(1, "ssl handshake failed", &c->repinfo.addr,
+ c->repinfo.addrlen);
+ }
 return 0;
 }
 }
From 05b9f4fd28ba4f134729f1ee5b42b5bde6c3df12 Mon Sep 17 00:00:00 2001
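Review bot: In the squelched path of ssl_handshake, `unsigned long err = ERR_get_error();` pops only the first queued entry and, because log_crypto_err_code is then skipped, anything else on the thread's OpenSSL error queue is left behind, so the next log_crypto_err call on that worker reports stale handshake errors under an unrelated prefix; add an `else` branch with `ERR_clear_error();` after the `if(!squelch_err_ssl_handshake(err))` block. The exact `ERR_PACK(lib, func, reason)` comparisons in squelch_err_ssl_handshake are also fragile: function codes are not stable across OpenSSL releases (which is what the later hunk in patch 6 at -1064 papers over with version guards) and, as far as I know, newer OpenSSL no longer encodes the error the same way, so the filter can silently stop matching and the log flood returns; the in-code comment already suggests the robust form, `ERR_GET_LIB(err) == ERR_LIB_SSL && ERR_GET_REASON(err) == SSL_R_...`, which would make the guards unnecessary. Squelching at the default verbosity also means a burst of failed TLS handshakes leaves no trace at all; bumping a counter that ends up in the server statistics would keep the event visible to an operator without the log volume.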
From: "W.C.A. Wijngaards" 
Date: Wed, 4 Sep 2019 08:44:19 +0200
Subject: [PATCH 6/7] - Fix #71: fix openssl error squelch commit compilation error.
---
 doc/Changelog | 3 +++
 util/netevent.c | 17 ++++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index ea45dea0f..3e5a4b703 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+4 September 2019: Wouter
+ - Fix #71: fix openssl error squelch commit compilation error.
+
 3 September 2019: Wouter
 - squelch DNS over TLS errors 'ssl handshake failed crypto error'
 on low verbosity, they show on verbosity 3 (query details), because
diff --git a/util/netevent.c b/util/netevent.c
index 70cfcf4e0..c54c570f6 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -1064,11 +1064,18 @@ squelch_err_ssl_handshake(unsigned long err)
 if(err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST) ||
 err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST) ||
 err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER) ||
- err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE) ||
- err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER) ||
- err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL) ||
- err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL) ||
- err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_VERSION_TOO_LOW))
+ err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE)
+#ifdef SSL_F_TLS_POST_PROCESS_CLIENT_HELLO
+ || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER)
+#endif
+#ifdef SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO
+ || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL)
+ || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL)
+# ifdef SSL_R_VERSION_TOO_LOW
+ || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_VERSION_TOO_LOW)
+# endif
+#endif
+ )
 return 1;
 return 0;
 }
From e45e9f1ce00784a147ce4b6ba9ee0ce332e30037 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" 
Date: Mon, 9 Sep 2019 14:27:55 +0200
Subject: [PATCH 7/7] - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default LOG_DAEMON (as before) can set the syslog facility that the server uses to log messages.
---
 config.h.in | 3 +++
 configure | 23 +++++++++++++++++++++++
 configure.ac | 12 ++++++++++++
 doc/Changelog | 5 +++++
 util/log.c | 4 +++-
 5 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/config.h.in b/config.h.in index 1bfe4426d..1e092fd5b 100644 --- a/config.h.in +++ b/config.h.in @@ -730,6 +730,9 @@ /* Use win32 resources and API */ #undef UB_ON_WINDOWS +/* the SYSLOG_FACILITY to use, default LOG_DAEMON */ +#undef UB_SYSLOG_FACILITY + /* default username */ #undef UB_USERNAME diff --git a/configure b/configure index 0ed190e67..cbbc177f2 100755 --- a/configure +++ b/configure @@ -850,6 +850,7 @@ enable_alloc_lite enable_alloc_nonregional with_pthreads with_solaris_threads +with_syslog_facility with_pyunbound with_pythonmodule enable_swig_version_check @@ -1604,6 +1605,8 @@ Optional Packages: --with-pthreads use pthreads library, or --without-pthreads to disable threading support. --with-solaris-threads use solaris native thread library. + --with-syslog-facility=LOCAL0 - LOCAL7 + set SYSLOG_FACILITY, default DAEMON --with-pyunbound build PyUnbound, or --without-pyunbound to skip it. (default=no) --with-pythonmodule build Python module, or --without-pythonmodule to @@ -17099,6 +17102,26 @@ fi fi # end of non-mingw check of thread libraries +# Check for SYSLOG_FACILITY + +# Check whether --with-syslog-facility was given. +if test "${with_syslog_facility+set}" = set; then : + withval=$with_syslog_facility; UNBOUND_SYSLOG_FACILITY="$withval" +fi + +case "${UNBOUND_SYSLOG_FACILITY}" in + + LOCAL[0-7]) UNBOUND_SYSLOG_FACILITY="LOG_${UNBOUND_SYSLOG_FACILITY}" ;; + + *) UNBOUND_SYSLOG_FACILITY="LOG_DAEMON" ;; + +esac + +cat >>confdefs.h <<_ACEOF +#define UB_SYSLOG_FACILITY ${UNBOUND_SYSLOG_FACILITY} +_ACEOF + + # Check for PyUnbound # Check whether --with-pyunbound was given. diff --git a/configure.ac b/configure.ac index 57f7039fb..daa521ceb 100644 --- a/configure.ac +++ b/configure.ac 
@@ -603,6 +603,18 @@ fi fi # end of non-mingw check of thread libraries +# Check for SYSLOG_FACILITY +AC_ARG_WITH(syslog-facility, AC_HELP_STRING([--with-syslog-facility=LOCAL0 - LOCAL7], [ set SYSLOG_FACILITY, default DAEMON ]), + [ UNBOUND_SYSLOG_FACILITY="$withval" ], []) +case "${UNBOUND_SYSLOG_FACILITY}" in + + LOCAL[[0-7]]) UNBOUND_SYSLOG_FACILITY="LOG_${UNBOUND_SYSLOG_FACILITY}" ;; + + *) UNBOUND_SYSLOG_FACILITY="LOG_DAEMON" ;; + +esac +AC_DEFINE_UNQUOTED(UB_SYSLOG_FACILITY,${UNBOUND_SYSLOG_FACILITY},[the SYSLOG_FACILITY to use, default LOG_DAEMON]) + # Check for PyUnbound AC_ARG_WITH(pyunbound, AC_HELP_STRING([--with-pyunbound], diff --git a/doc/Changelog b/doc/Changelog index 3e5a4b703..19d4e2d8d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,8 @@ +9 September 2019: Wouter + - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default + LOG_DAEMON (as before) can set the syslog facility that the server + uses to log messages. + 4 September 2019: Wouter - Fix #71: fix openssl error squelch commit compilation error. diff --git a/util/log.c b/util/log.c index 318ff1d79..63c42f10b 100644 --- a/util/log.c +++ b/util/log.c @@ -115,7 +115,9 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) if(use_syslog) { /* do not delay opening until first write, because we may * chroot and no longer be able to access dev/log and so on */ - openlog(ident, LOG_NDELAY, LOG_DAEMON); + /* the facility is LOG_DAEMON by default, but + * --with-syslog-facility=LOCAL[0-7] can override it */ + openlog(ident, LOG_NDELAY, UB_SYSLOG_FACILITY); logging_to_syslog = 1; lock_quick_unlock(&log_lock); return;
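Review bot: The `*)` arm of the new `case` in configure.ac maps every unrecognised `--with-syslog-facility` value (a lowercase `local3`, `LOG_LOCAL3`, `DAEMON`, a typo) to LOG_DAEMON without a word, so an operator who meant to route Unbound's messages to their own facility gets the default and only notices when the log lines turn up in the wrong file. Suggest failing configure when a value was given but not accepted: `*) if test -n "${UNBOUND_SYSLOG_FACILITY}"; then AC_MSG_ERROR([unknown --with-syslog-facility value "${UNBOUND_SYSLOG_FACILITY}", use LOCAL0 to LOCAL7]); fi; UNBOUND_SYSLOG_FACILITY="LOG_DAEMON" ;;` (AC_MSG_WARN if a soft default is preferred). The generated configure in the same patch would then need regenerating from configure.ac.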