From d9153cb35b680b4fb0a3fc1b4976ef9aefcbbd52 Mon Sep 17 00:00:00 2001 From: Artem Egorenkov Date: Thu, 17 Dec 2020 17:00:54 +0100 Subject: [PATCH 01/20] Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux --- config.h.in | 8 ++++++++ configure | 28 ++++++++++++++++++++++++++++ configure.ac | 11 +++++++++++ libunbound/context.c | 1 + util/config_file.c | 31 +++++++++++++++++++++++++++++++ util/config_file.h | 11 +++++++++++ 6 files changed, 90 insertions(+) diff --git a/config.h.in b/config.h.in index cb27afa4f..a3b4bd162 100644 --- a/config.h.in +++ b/config.h.in @@ -856,6 +856,14 @@ /* Define if you enable libevent */ #undef USE_LIBEVENT +/* Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a + default outgoing port range. This is only for the libunbound on Linux and + does not affect unbound resolving daemon itself. This may severely limit + the number of available outgoing ports and thus decrease randomness. Define + this only when the target system restricts (e.g. some of SELinux enabled + distributions) the use of non-ephemeral ports. */ +#undef USE_LINUX_IP_LOCAL_PORT_RANGE + /* Define if you want to use internal select based events */ #undef USE_MINI_EVENT diff --git a/configure b/configure index 7e722b59e..e68013ead 100755 --- a/configure +++ b/configure @@ -902,6 +902,7 @@ enable_ipsecmod enable_ipset with_libmnl enable_explicit_port_randomisation +enable_linux_ip_local_port_range with_libunbound_only ' ac_precious_vars='build_alias 
@@ -1605,6 +1606,16 @@ Optional Features: --disable-explicit-port-randomisation disable explicit source port randomisation and rely on the kernel to provide random source ports + --enable-linux-ip-local-port-range + Define this to enable use of + /proc/sys/net/ipv4/ip_local_port_range as a default + outgoing port range. This is only for the libunbound + on Linux and does not affect unbound resolving + daemon itself. This may severely limit the number of + available outgoing ports and thus decrease + randomness. Define this only when the target system + restricts (e.g. some of SELinux enabled + distributions) the use of non-ephemeral ports. Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -21632,6 +21643,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h ;; esac +if echo "$host" | $GREP -i -e linux >/dev/null; then + # Check whether --enable-linux-ip-local-port-range was given. +if test "${enable_linux_ip_local_port_range+set}" = set; then : + enableval=$enable_linux_ip_local_port_range; +fi + + case "$enable_linux_ip_local_port_range" in + yes) + +$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h + + ;; + no|*) + ;; + esac +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; } diff --git a/configure.ac b/configure.ac index 5ffbe6834..33ed0812c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1862,6 +1862,17 @@ case "$enable_explicit_port_randomisation" in ;; esac +if echo "$host" | $GREP -i -e linux >/dev/null; then + AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.])) + case "$enable_linux_ip_local_port_range" in + yes) + AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.]) + ;; + no|*) + ;; + esac +fi + AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) # on openBSD, the implicit rule make $< work. diff --git a/libunbound/context.c b/libunbound/context.c index 267366ae5..e589c6ae2 100644 --- a/libunbound/context.c +++ b/libunbound/context.c @@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx) } else { log_init(cfg->logfile, cfg->use_syslog, NULL); } + cfg_apply_local_port_policy(cfg, 65536); config_apply(cfg); if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env)) return UB_INITFAIL; diff --git a/util/config_file.c b/util/config_file.c index bbbfe24f5..50b0e645a 100644 --- a/util/config_file.c +++ b/util/config_file.c 
@@ -1704,6 +1704,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail) return num; } +void cfg_apply_local_port_policy(struct config_file* cfg, int num) { +(void)cfg; +(void)num; +#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE + { + int i = 0; + FILE* range_fd; + if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) { + int min_port = 0; + int max_port = num - 1; + if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) { + for(i=0; ioutgoing_avail_ports[i] = 0; + } + for(i=max_port+1; ioutgoing_avail_ports[i] = 0; + } + } else { + log_err("unexpected port range in %s", + LINUX_IP_LOCAL_PORT_RANGE_PATH); + } + fclose(range_fd); + } else { + log_err("failed to read from file: %s (%s)", + LINUX_IP_LOCAL_PORT_RANGE_PATH, + strerror(errno)); + } + } +#endif +} + /** print error with file and line number */ static void ub_c_error_va_list(const char *fmt, va_list args) { diff --git a/util/config_file.h b/util/config_file.h index d61f7ce8c..aed6812da 100644 --- a/util/config_file.h +++ b/util/config_file.h @@ -1190,6 +1190,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num); */ int cfg_condense_ports(struct config_file* cfg, int** avail); +/** + * Apply system specific port range policy. + * @param cfg: config file. + * @param num: size of the array (65536). + */ +void cfg_apply_local_port_policy(struct config_file* cfg, int num); + /** * Scan ports available * @param avail: the array from cfg. @@ -1329,5 +1336,9 @@ int if_is_https(const char* ifname, const char* port, int https_port); */ int cfg_has_https(struct config_file* cfg); +#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE +#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range" +#endif + #endif /* UTIL_CONFIG_FILE_H */ From 11caae256b0c82a2002162702fe0697f5396baf9 Mon Sep 17 00:00:00 2001 
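Review bot: The two integers that fscanf() parses in cfg_apply_local_port_policy are used directly as loop bounds over cfg->outgoing_avail_ports without a range check, so a min_port larger than num, or a negative max_port, would index outside the array (the sysctl is root-controlled, so this is robustness rather than exploitability, but the code should not assume what the kernel accepts). Validate before zeroing, e.g. `if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2 && min_port >= 0 && min_port <= max_port && max_port < num) {`, so that out-of-range or inverted values fall through to the existing "unexpected port range" error instead of zeroing every port or writing past the array. A one-line comment that on any read or parse failure the configured range is left untouched would also document the intended fail-open behaviour. The loop lines appear garbled in this listing (`ioutgoing_avail_ports`), so the bodies are inferred to clear entries below min_port and above max_port.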
From: "W.C.A. Wijngaards" Date: Fri, 30 Jul 2021 13:35:23 +0200 Subject: [PATCH 02/20] - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to build unbound. --- doc/Changelog | 4 ++++ smallapp/unbound-control.c | 4 +--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 82fd320e7..a2821b44d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +30 July 2021: Wouter + - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to + build unbound. + 26 July 2021: George - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This introduces a couple of fixes for the stream reuse functionality diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c index af72f2a4e..a3df25795 100644 --- a/smallapp/unbound-control.c +++ b/smallapp/unbound-control.c @@ -499,9 +499,7 @@ static void ssl_path_err(const char* s, const char *path) { unsigned long err; err = ERR_peek_error(); - if (ERR_GET_LIB(err) == ERR_LIB_SYS && - (ERR_GET_FUNC(err) == SYS_F_FOPEN || - ERR_GET_FUNC(err) == SYS_F_FREAD) ) { + if (ERR_GET_LIB(err) == ERR_LIB_SYS) { fprintf(stderr, "error: %s\n%s: %s\n", s, path, ERR_reason_error_string(err)); exit(1); From b6abcb150808412678e87e49c829b1a3ef6509da Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Fri, 30 Jul 2021 13:54:43 +0200 Subject: [PATCH 03/20] - For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and SSL_get_peer_certificate. - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check. --- acx_nlnetlabs.m4 | 15 +++++++++++---- config.h.in | 3 +++ configure | 32 ++++++++++++++++---------------- configure.ac | 2 +- daemon/remote.c | 4 ++++ doc/Changelog | 3 +++ util/netevent.c | 8 ++++++++ 7 files changed, 46 insertions(+), 21 deletions(-) diff --git a/acx_nlnetlabs.m4 b/acx_nlnetlabs.m4 index 7ce790708..39e92d875 100644 --- a/acx_nlnetlabs.m4 +++ b/acx_nlnetlabs.m4 
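Review bot: The reduced condition in ssl_path_err now attributes every ERR_LIB_SYS error to `path`, not only the fopen/fread failures that the removed SYS_F_FOPEN/SYS_F_FREAD test singled out; since OpenSSL 3.0 no longer records function codes the old comparison cannot simply stay, but the reason for the broader match belongs at the branch, e.g. `/* OpenSSL 3.0 removed ERR_GET_FUNC codes; any system-library error here is taken to come from reading path */`. If the narrower match matters on pre-3.0 builds, the old comparison could be kept under `#ifdef SYS_F_FOPEN`, which is a judgement call. The rest of ssl_path_err lies outside the hunk.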
@@ -2,7 +2,8 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 40 +# Version 41 +# 2021-07-30 fix for openssl use of lib64 directory. # 2021-06-14 fix nonblocking test to use host instead of target for mingw test. # 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for # 64bit compatibility. @@ -669,9 +670,15 @@ AC_DEFUN([ACX_SSL_CHECKS], [ HAVE_SSL=yes dnl assume /usr is already in the lib and dynlib paths. if test "$ssldir" != "/usr" -a "$ssldir" != ""; then - LDFLAGS="$LDFLAGS -L$ssldir/lib" - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" - ACX_RUNTIME_PATH_ADD([$ssldir/lib]) + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then + LDFLAGS="$LDFLAGS -L$ssldir/lib64" + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64" + ACX_RUNTIME_PATH_ADD([$ssldir/lib64]) + else + LDFLAGS="$LDFLAGS -L$ssldir/lib" + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" + ACX_RUNTIME_PATH_ADD([$ssldir/lib]) + fi fi AC_MSG_CHECKING([for EVP_sha256 in -lcrypto]) diff --git a/config.h.in b/config.h.in index cb27afa4f..3d45a0953 100644 --- a/config.h.in +++ b/config.h.in @@ -541,6 +541,9 @@ /* Define to 1 if you have the `SSL_get0_peername' function. */ #undef HAVE_SSL_GET0_PEERNAME +/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */ +#undef HAVE_SSL_GET1_PEER_CERTIFICATE + /* Define to 1 if you have the `SSL_set1_host' function. */ #undef HAVE_SSL_SET1_HOST diff --git a/configure b/configure index 7e722b59e..ede92e732 100755 --- a/configure +++ b/configure @@ -811,7 +811,6 @@ infodir docdir oldincludedir includedir -runstatedir localstatedir sharedstatedir sysconfdir @@ -962,7 +961,6 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' -runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' 
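Review bot: The new test `test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"` only falls back to lib64 when lib does not exist, so on a host that has both directories (a multilib layout, which I am inferring rather than seeing here) the OpenSSL build in lib64 is never selected and the link may fail or pick a different library. Probing for the library rather than the directory, e.g. `if test -f "$ssldir/lib64/libcrypto.so" -o -f "$ssldir/lib64/libcrypto.a"; then`, or adding both -L paths, would cover that case. A short comment on why lib64 is tried at all (OpenSSL 3.0 installs there on 64-bit Linux by default) would help the next person who touches this macro.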
@@ -1215,15 +1213,6 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; - -runstatedir | --runstatedir | --runstatedi | --runstated \ - | --runstate | --runstat | --runsta | --runst | --runs \ - | --run | --ru | --r) - ac_prev=runstatedir ;; - -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ - | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ - | --run=* | --ru=* | --r=*) - runstatedir=$ac_optarg ;; - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1361,7 +1350,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir runstatedir + libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1514,7 +1503,6 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] 
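Review bot: These hunks drop the `runstatedir` installation directory from the regenerated configure (its variable, option parsing, help text and the trailing-slash loop), which is unrelated to the OpenSSL fix in the commit message and presumably comes from regenerating with a different autoconf than the one that produced the previous file. Anyone passing `--runstatedir=DIR` will now get an unrecognized-option warning and packaging that relied on the variable silently loses it. Regenerating with the same autoconf as before, or at least calling the change out in the Changelog, would keep this from landing unnoticed.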
@@ -18020,8 +18008,19 @@ _ACEOF $as_echo "found in $ssldir" >&6; } HAVE_SSL=yes if test "$ssldir" != "/usr" -a "$ssldir" != ""; then - LDFLAGS="$LDFLAGS -L$ssldir/lib" - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then + LDFLAGS="$LDFLAGS -L$ssldir/lib64" + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64" + + if test "x$enable_rpath" = xyes; then + if echo "$ssldir/lib64" | grep "^/" >/dev/null; then + RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib64" + fi + fi + + else + LDFLAGS="$LDFLAGS -L$ssldir/lib" + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" if test "x$enable_rpath" = xyes; then if echo "$ssldir/lib" | grep "^/" >/dev/null; then @@ -18029,6 +18028,7 @@ $as_echo "found in $ssldir" >&6; } fi fi + fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5 @@ -18441,7 +18441,7 @@ done # these check_funcs need -lssl BAKLIBS="$LIBS" LIBS="-lssl $LIBS" -for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos +for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" diff --git a/configure.ac b/configure.ac index 5ffbe6834..933529690 100644 --- a/configure.ac +++ b/configure.ac 
@@ -865,7 +865,7 @@ AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_C # these check_funcs need -lssl BAKLIBS="$LIBS" LIBS="-lssl $LIBS" -AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos]) +AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate]) LIBS="$BAKLIBS" AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ diff --git a/daemon/remote.c b/daemon/remote.c index dd17bff91..923ddefa4 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -3338,7 +3338,11 @@ int remote_control_callback(struct comm_point* c, void* arg, int err, if (!rc->use_cert) { verbose(VERB_ALGO, "unauthenticated remote control connection"); } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) { +#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE + X509* x = SSL_get1_peer_certificate(s->ssl); +#else X509* x = SSL_get_peer_certificate(s->ssl); +#endif if(!x) { verbose(VERB_DETAIL, "remote control connection " "provided no client certificate"); diff --git a/doc/Changelog b/doc/Changelog index a2821b44d..aca4b2d1f 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,9 @@ 30 July 2021: Wouter - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to build unbound. + - For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and + SSL_get_peer_certificate. + - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check. 26 July 2021: George - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This 
diff --git a/util/netevent.c b/util/netevent.c index 01e44c9b6..d1316c5b4 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -1271,7 +1271,11 @@ ssl_handshake(struct comm_point* c) if((SSL_get_verify_mode(c->ssl)&SSL_VERIFY_PEER)) { /* verification */ if(SSL_get_verify_result(c->ssl) == X509_V_OK) { +#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE + X509* x = SSL_get1_peer_certificate(c->ssl); +#else X509* x = SSL_get_peer_certificate(c->ssl); +#endif if(!x) { log_addr(VERB_ALGO, "SSL connection failed: " "no certificate", @@ -1297,7 +1301,11 @@ ssl_handshake(struct comm_point* c) #endif X509_free(x); } else { +#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE + X509* x = SSL_get1_peer_certificate(c->ssl); +#else X509* x = SSL_get_peer_certificate(c->ssl); +#endif if(x) { log_cert(VERB_ALGO, "peer certificate", x); X509_free(x); From ca00814e674ac8047e07b6bec55413002c1035d7 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 2 Aug 2021 13:33:32 +0200 Subject: [PATCH 04/20] - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns keyraw functions to produce EVP_PKEY results. --- doc/Changelog | 4 ++++ sldns/keyraw.c | 40 +++++++++++++++++++++++++++++++++ sldns/keyraw.h | 16 +++++++++++++ validator/val_secalgo.c | 50 +++++------------------------------------ 4 files changed, 66 insertions(+), 44 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index aca4b2d1f..8557baf18 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +2 August 2021: Wouter + - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns + keyraw functions to produce EVP_PKEY results. + 30 July 2021: Wouter - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to build unbound. diff --git a/sldns/keyraw.c b/sldns/keyraw.c index 2ec225bc5..34cf94332 100644 --- a/sldns/keyraw.c +++ b/sldns/keyraw.c 
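Review bot: The `#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE` selection is now repeated three times (twice in ssl_handshake here, once in remote.c), and every copy has to stay paired with the X509_free that follows it. A single compatibility shim in a shared header, `#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE` / `#define SSL_get1_peer_certificate(s) SSL_get_peer_certificate(s)` / `#endif`, would let the call sites use the new name unconditionally. Both functions hand back a reference the caller owns, which the existing X509_free(x) lines already release, so the shim changes no ownership. ssl_handshake begins before the first hunk.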
@@ -262,6 +262,26 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len) return dsa; } +EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len) +{ + DSA* dsa; + EVP_PKEY* evp_key = EVP_PKEY_new(); + if(!evp_key) { + return 0; + } + dsa = sldns_key_buf2dsa_raw(key, len); + if(!dsa) { + EVP_PKEY_free(evp_key); + return 0; + } + if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) { + DSA_free(dsa); + EVP_PKEY_free(evp_key); + return 0; + } + return evp_key; +} + RSA * sldns_key_buf2rsa_raw(unsigned char* key, size_t len) { @@ -328,6 +348,26 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len) return rsa; } +EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len) +{ + RSA* rsa; + EVP_PKEY *evp_key = EVP_PKEY_new(); + if(!evp_key) { + return 0; + } + rsa = sldns_key_buf2rsa_raw(key, len); + if(!rsa) { + EVP_PKEY_free(evp_key); + return 0; + } + if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) { + RSA_free(rsa); + EVP_PKEY_free(evp_key); + return 0; + } + return evp_key; +} + #ifdef USE_GOST EVP_PKEY* sldns_gost2pkey_raw(unsigned char* key, size_t keylen) diff --git a/sldns/keyraw.h b/sldns/keyraw.h index 989b02ce0..0166129b3 100644 --- a/sldns/keyraw.h +++ b/sldns/keyraw.h @@ -65,6 +65,14 @@ void sldns_key_EVP_unload_gost(void); */ DSA *sldns_key_buf2dsa_raw(unsigned char* key, size_t len); +/** + * Converts a holding buffer with DSA key material to EVP PKEY in openssl. + * \param[in] key the uncompressed wireformat of the key. + * \param[in] len length of key data + * \return the key or NULL on error. + */ +EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len); + /** * Converts a holding buffer with key material to EVP PKEY in openssl. * Only available if ldns was compiled with GOST. 
@@ -92,6 +100,14 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo); */ RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len); +/** + * Converts a holding buffer with RSA key material to EVP PKEY in openssl. + * \param[in] key the uncompressed wireformat of the key. + * \param[in] len length of key data + * \return the key or NULL on error. + */ +EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len); + /** * Converts a holding buffer with key material to EVP PKEY in openssl. * Only available if ldns was compiled with ED25519. diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index a4d020143..5a817a4c8 100644 --- a/validator/val_secalgo.c +++ b/validator/val_secalgo.c @@ -513,29 +513,13 @@ static int setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, unsigned char* key, size_t keylen) { -#if defined(USE_DSA) && defined(USE_SHA1) - DSA* dsa; -#endif - RSA* rsa; - switch(algo) { #if defined(USE_DSA) && defined(USE_SHA1) case LDNS_DSA: case LDNS_DSA_NSEC3: - *evp_key = EVP_PKEY_new(); + *evp_key = sldns_key_dsa2pkey_raw(key, keylen); if(!*evp_key) { - log_err("verify: malloc failure in crypto"); - return 0; - } - dsa = sldns_key_buf2dsa_raw(key, keylen); - if(!dsa) { - verbose(VERB_QUERY, "verify: " - "sldns_key_buf2dsa_raw failed"); - return 0; - } - if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { - verbose(VERB_QUERY, "verify: " - "EVP_PKEY_assign_DSA failed"); + log_err("verify: sldns_key_dsa2pkey failed"); return 0; } #ifdef HAVE_EVP_DSS1 
@@ -558,20 +542,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) case LDNS_RSASHA512: #endif - *evp_key = EVP_PKEY_new(); + *evp_key = sldns_key_rsa2pkey_raw(key, keylen); if(!*evp_key) { - log_err("verify: malloc failure in crypto"); - return 0; - } - rsa = sldns_key_buf2rsa_raw(key, keylen); - if(!rsa) { - verbose(VERB_QUERY, "verify: " - "sldns_key_buf2rsa_raw SHA failed"); - return 0; - } - if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { - verbose(VERB_QUERY, "verify: " - "EVP_PKEY_assign_RSA SHA failed"); + log_err("verify: sldns_key_rsa2pkey SHA failed"); return 0; } @@ -595,20 +568,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */ case LDNS_RSAMD5: - *evp_key = EVP_PKEY_new(); + *evp_key = sldns_key_rsa2pkey_raw(key, keylen); if(!*evp_key) { - log_err("verify: malloc failure in crypto"); - return 0; - } - rsa = sldns_key_buf2rsa_raw(key, keylen); - if(!rsa) { - verbose(VERB_QUERY, "verify: " - "sldns_key_buf2rsa_raw MD5 failed"); - return 0; - } - if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { - verbose(VERB_QUERY, "verify: " - "EVP_PKEY_assign_RSA MD5 failed"); + log_err("verify: sldns_key_rsa2pkey MD5 failed"); return 0; } *digest_type = EVP_md5(); From 60663c766a662dcb8546d840e4793090de00a219 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 2 Aug 2021 13:39:48 +0200 Subject: [PATCH 05/20] Review fixup for keyraw pkey function use. --- validator/val_secalgo.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index 5a817a4c8..7abf66f01 100644 --- a/validator/val_secalgo.c +++ b/validator/val_secalgo.c 
@@ -519,7 +519,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, case LDNS_DSA_NSEC3: *evp_key = sldns_key_dsa2pkey_raw(key, keylen); if(!*evp_key) { - log_err("verify: sldns_key_dsa2pkey failed"); + verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey failed"); return 0; } #ifdef HAVE_EVP_DSS1 @@ -544,7 +544,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, #endif *evp_key = sldns_key_rsa2pkey_raw(key, keylen); if(!*evp_key) { - log_err("verify: sldns_key_rsa2pkey SHA failed"); + verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey SHA failed"); return 0; } @@ -570,7 +570,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, case LDNS_RSAMD5: *evp_key = sldns_key_rsa2pkey_raw(key, keylen); if(!*evp_key) { - log_err("verify: sldns_key_rsa2pkey MD5 failed"); + verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey MD5 failed"); return 0; } *digest_type = EVP_md5(); From d242bfb73b90bdb1f34c1072dfab49f21729ccb6 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 2 Aug 2021 14:43:51 +0200 Subject: [PATCH 06/20] - Move RSA and DSA to use OpenSSL 3.0.0 API. --- config.h.in | 6 ++ configure | 4 +- configure.ac | 4 +- doc/Changelog | 1 + sldns/keyraw.c | 246 ++++++++++++++++++++++++++++++++++++++++--------- sldns/keyraw.h | 4 + 6 files changed, 217 insertions(+), 48 deletions(-) diff --git a/config.h.in b/config.h.in index 3d45a0953..8fdf83e74 100644 --- a/config.h.in +++ b/config.h.in @@ -429,6 +429,9 @@ /* Define to 1 if you have the `OPENSSL_init_ssl' function. */ #undef HAVE_OPENSSL_INIT_SSL +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_PARAM_BUILD_H + /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_RAND_H 
@@ -438,6 +441,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_SSL_H +/* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */ +#undef HAVE_OSSL_PARAM_BLD_NEW + /* Define if you have POSIX threads libraries and header files. */ #undef HAVE_PTHREAD diff --git a/configure b/configure index ede92e732..84c97357f 100755 --- a/configure +++ b/configure @@ -18411,7 +18411,7 @@ else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi -for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h +for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default @@ -18425,7 +18425,7 @@ fi done -for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params +for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" diff --git a/configure.ac b/configure.ac index 933529690..2ec11b970 100644 --- a/configure.ac +++ b/configure.ac 
@@ -859,8 +859,8 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/ else AC_MSG_RESULT([no]) fi -AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params]) +AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new]) # these check_funcs need -lssl BAKLIBS="$LIBS" diff --git a/doc/Changelog b/doc/Changelog index 8557baf18..686203b8e 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,7 @@ 2 August 2021: Wouter - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns keyraw functions to produce EVP_PKEY results. + - Move RSA and DSA to use OpenSSL 3.0.0 API. 30 July 2021: Wouter - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to diff --git a/sldns/keyraw.c b/sldns/keyraw.c index 34cf94332..ce94dd74e 100644 --- a/sldns/keyraw.c +++ b/sldns/keyraw.c 
@@ -26,11 +26,15 @@ #ifdef HAVE_OPENSSL_BN_H #include #endif -#ifdef HAVE_OPENSSL_RSA_H -#include -#endif -#ifdef HAVE_OPENSSL_DSA_H -#include +#ifdef HAVE_OPENSSL_PARAM_BUILD_H +# include +#else +# ifdef HAVE_OPENSSL_RSA_H +# include +# endif +# ifdef HAVE_OPENSSL_DSA_H +# include +# endif #endif #endif /* HAVE_SSL */ 
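Review bot: The include hunk keys the rsa.h/dsa.h includes on HAVE_OPENSSL_PARAM_BUILD_H, while the legacy DSA_new/RSA_new code later in the file is kept under `#ifndef HAVE_OSSL_PARAM_BLD_NEW`, a separate link-time check added in configure.ac in this same patch. Because the two macros come from independent tests, a build where the header is found but the function is not would compile the legacy paths without their headers; guarding the includes with the same `#ifndef HAVE_OSSL_PARAM_BLD_NEW` closes that gap. I cannot see from this hunk whether evp.h or params.h is pulled in elsewhere for EVP_PKEY_fromdata and OSSL_PARAM_free, so that is worth a quick check too.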
@@ -191,45 +195,59 @@ void sldns_key_EVP_unload_gost(void) } #endif /* USE_GOST */ -DSA * -sldns_key_buf2dsa_raw(unsigned char* key, size_t len) +/* Retrieve params as BIGNUM from raw buffer */ +static int +sldns_key_dsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** p, + BIGNUM** q, BIGNUM** g, BIGNUM** y) { uint8_t T; uint16_t length; uint16_t offset; - DSA *dsa; - BIGNUM *Q; BIGNUM *P; - BIGNUM *G; BIGNUM *Y; if(len == 0) - return NULL; + return 0; T = (uint8_t)key[0]; length = (64 + T * 8); offset = 1; if (T > 8) { - return NULL; + return 0; } if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length) - return NULL; + return 0; - Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL); + *q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL); offset += SHA_DIGEST_LENGTH; - P = BN_bin2bn(key+offset, (int)length, NULL); + *p = BN_bin2bn(key+offset, (int)length, NULL); offset += length; - G = BN_bin2bn(key+offset, (int)length, NULL); + *g = BN_bin2bn(key+offset, (int)length, NULL); offset += length; - Y = BN_bin2bn(key+offset, (int)length, NULL); + *y = BN_bin2bn(key+offset, (int)length, NULL); + if(!*q || !*p || !*g || !*y) { + BN_free(*q); + BN_free(*p); + BN_free(*g); + BN_free(*y); + return 0; + } + return 1; +} + +#ifndef HAVE_OSSL_PARAM_BLD_NEW +DSA * +sldns_key_buf2dsa_raw(unsigned char* key, size_t len) +{ + DSA *dsa; + BIGNUM *Q=NULL, *P=NULL, *G=NULL, *Y=NULL; + if(!sldns_key_dsa_buf_bignum(key, len, &P, &Q, &G, &Y)) { + return NULL; + } /* create the key and set its properties */ - if(!Q || !P || !G || !Y || !(dsa = DSA_new())) { - BN_free(Q); - BN_free(P); - BN_free(G); - BN_free(Y); + if(!(dsa = DSA_new())) { return NULL; } #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) 
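Review bot: sldns_key_dsa_buf_bignum frees all four BIGNUMs when any BN_bin2bn returns NULL but leaves the caller's `*p`/`*q`/`*g`/`*y` pointing at the freed objects; the callers visible here return immediately on 0 so nothing is misused, but the ownership contract should be stated on the helper, e.g. `/* On failure all four outputs are freed and must not be used; on success the caller owns them. */`, or the four pointers reset to NULL before `return 0`. The helper also only works because callers pre-initialise the outputs to NULL so that BN_free on a never-assigned slot is a no-op, which the same comment should mention. The enclosing sldns_key_buf2dsa_raw continues past the end of the hunk.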
@@ -261,42 +279,110 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 return dsa;
 }
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
 EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
 {
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+ EVP_PKEY* evp_key = NULL;
+ EVP_PKEY_CTX* ctx;
+ BIGNUM *p=NULL, *q=NULL, *g=NULL, *y=NULL;
+ OSSL_PARAM_BLD* param_bld;
+ OSSL_PARAM* params = NULL;
+ if(!sldns_key_dsa_buf_bignum(key, len, &p, &q, &g, &y)) {
+ return NULL;
+ }
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if(!param_bld) {
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(y);
+ return NULL;
+ }
+ if(!OSSL_PARAM_BLD_push_BN(param_bld, "p", p) ||
+ !OSSL_PARAM_BLD_push_BN(param_bld, "g", g) ||
+ !OSSL_PARAM_BLD_push_BN(param_bld, "q", q) ||
+ !OSSL_PARAM_BLD_push_BN(param_bld, "pub", y)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(y);
+ return NULL;
+ }
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ OSSL_PARAM_BLD_free(param_bld);
+
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ if(!ctx) {
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(y);
+ return NULL;
+ }
+ if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_free(params);
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(y);
+ return NULL;
+ }
+ if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_free(params);
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(y);
+ return NULL;
+ }
+
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_free(params);
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(y);
+ return evp_key;
+#else
 DSA* dsa;
 EVP_PKEY* evp_key = EVP_PKEY_new();
 if(!evp_key) {
- return 0;
+ return NULL;
 }
 dsa = sldns_key_buf2dsa_raw(key, len);
 if(!dsa) {
 EVP_PKEY_free(evp_key);
- return 0;
+ return NULL;
 }
 if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
 DSA_free(dsa);
 EVP_PKEY_free(evp_key);
- return 0;
+ return NULL;
 }
 return evp_key;
+#endif
 }
-RSA *
-sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
+/* Retrieve params as BIGNUM from raw buffer, n is modulus, e is exponent */
+static int
+sldns_key_rsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** n,
+ BIGNUM** e)
 {
 uint16_t offset;
 uint16_t exp;
 uint16_t int16;
- RSA *rsa;
- BIGNUM *modulus;
- BIGNUM *exponent;
 if (len == 0)
- return NULL;
+ return 0;
 if (key[0] == 0) {
 if(len < 3)
- return NULL;
+ return 0;
 memmove(&int16, key+1, 2);
 exp = ntohs(int16);
 offset = 3;
@@ -307,23 +393,34 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 /* key length at least one */
 if(len < (size_t)offset + exp + 1)
- return NULL;
+ return 0;
 /* Exponent */
- exponent = BN_new();
- if(!exponent) return NULL;
- (void) BN_bin2bn(key+offset, (int)exp, exponent);
+ *e = BN_new();
+ if(!*e) return 0;
+ (void) BN_bin2bn(key+offset, (int)exp, *e);
 offset += exp;
 /* Modulus */
- modulus = BN_new();
- if(!modulus) {
- BN_free(exponent);
- return NULL;
+ *n = BN_new();
+ if(!*n) {
+ BN_free(*e);
+ return 0;
 }
 /* length of the buffer must match the key length! */
- (void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
+ (void) BN_bin2bn(key+offset, (int)(len - offset), *n);
+ return 1;
+}
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
+RSA *
+sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
+{
+ BIGNUM* modulus = NULL;
+ BIGNUM* exponent = NULL;
+ RSA *rsa;
+ if(!sldns_key_rsa_buf_bignum(key, len, &modulus, &exponent))
+ return NULL;
 rsa = RSA_new();
 if(!rsa) {
 BN_free(exponent);
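Review bot: `params = OSSL_PARAM_BLD_to_param(param_bld);` in the new HAVE_OSSL_PARAM_BLD_NEW branch of sldns_key_dsa2pkey_raw is never checked, so an allocation failure there hands a NULL parameter array on to EVP_PKEY_fromdata, which will presumably fail inside the provider rather than at the point the error occurred; the same unchecked call is in sldns_key_rsa2pkey_raw (the -347 hunk) and in sldns_ecdsa2pkey_raw (the -555 hunk of PATCH 07). The six copies of the BN_free/EVP_PKEY_CTX_free/OSSL_PARAM_free cleanup also make it easy to drop one — the `if(!ctx)` branch here omits `OSSL_PARAM_free(params);`, which PATCH 07 below then has to add. A single exit label with every handle initialised to NULL (the OpenSSL 3 free functions accept NULL) gives one cleanup path and a natural place for the missing check; the #else branch is unchanged.
```c
EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
{
#ifdef HAVE_OSSL_PARAM_BLD_NEW
	EVP_PKEY* evp_key = NULL;
	EVP_PKEY_CTX* ctx = NULL;
	BIGNUM *p=NULL, *q=NULL, *g=NULL, *y=NULL;
	OSSL_PARAM_BLD* param_bld = NULL;
	OSSL_PARAM* params = NULL;
	if(!sldns_key_dsa_buf_bignum(key, len, &p, &q, &g, &y)) {
		return NULL;
	}

	param_bld = OSSL_PARAM_BLD_new();
	if(!param_bld)
		goto out;
	if(!OSSL_PARAM_BLD_push_BN(param_bld, "p", p) ||
	   !OSSL_PARAM_BLD_push_BN(param_bld, "g", g) ||
	   !OSSL_PARAM_BLD_push_BN(param_bld, "q", q) ||
	   !OSSL_PARAM_BLD_push_BN(param_bld, "pub", y))
		goto out;
	params = OSSL_PARAM_BLD_to_param(param_bld);
	if(!params)
		goto out; /* allocation failure: report it here, not from the provider */

	ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
	if(!ctx || EVP_PKEY_fromdata_init(ctx) <= 0)
		goto out;
	if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
		EVP_PKEY_free(evp_key);
		evp_key = NULL;
	}
out:
	/* every free below accepts NULL, so one label serves all exits */
	EVP_PKEY_CTX_free(ctx);
	OSSL_PARAM_free(params);
	OSSL_PARAM_BLD_free(param_bld);
	BN_free(p);
	BN_free(q);
	BN_free(g);
	BN_free(y);
	return evp_key;
#else
	/* … unchanged: EVP_PKEY_new + EVP_PKEY_assign_DSA path … */
#endif
}
```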
@@ -347,25 +444,86 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 return rsa;
 }
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
 EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len)
 {
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+ EVP_PKEY* evp_key = NULL;
+ EVP_PKEY_CTX* ctx;
+ BIGNUM *n=NULL, *e=NULL;
+ OSSL_PARAM_BLD* param_bld;
+ OSSL_PARAM* params = NULL;
+
+ if(!sldns_key_rsa_buf_bignum(key, len, &n, &e)) {
+ return NULL;
+ }
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if(!param_bld) {
+ BN_free(n);
+ BN_free(e);
+ return NULL;
+ }
+ if(!OSSL_PARAM_BLD_push_BN(param_bld, "n", n)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ BN_free(n);
+ BN_free(e);
+ return NULL;
+ }
+ if(!OSSL_PARAM_BLD_push_BN(param_bld, "e", e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ BN_free(n);
+ BN_free(e);
+ return NULL;
+ }
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ OSSL_PARAM_BLD_free(param_bld);
+
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ if(!ctx) {
+ BN_free(n);
+ BN_free(e);
+ return NULL;
+ }
+ if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_free(params);
+ BN_free(n);
+ BN_free(e);
+ return NULL;
+ }
+ if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_free(params);
+ BN_free(n);
+ BN_free(e);
+ return NULL;
+ }
+
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_free(params);
+ BN_free(n);
+ BN_free(e);
+ return evp_key;
+#else
 RSA* rsa;
 EVP_PKEY *evp_key = EVP_PKEY_new();
 if(!evp_key) {
- return 0;
+ return NULL;
 }
 rsa = sldns_key_buf2rsa_raw(key, len);
 if(!rsa) {
 EVP_PKEY_free(evp_key);
- return 0;
+ return NULL;
 }
 if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
 RSA_free(rsa);
 EVP_PKEY_free(evp_key);
- return 0;
+ return NULL;
 }
 return evp_key;
+#endif
 }
 #ifdef USE_GOST
diff --git a/sldns/keyraw.h b/sldns/keyraw.h
index 0166129b3..b1f19740c 100644
--- a/sldns/keyraw.h
+++ b/sldns/keyraw.h
@@ -57,6 +57,7 @@ int sldns_key_EVP_load_gost_id(void); /** Release the engine reference held for the GOST engine. */ void sldns_key_EVP_unload_gost(void); +#ifndef HAVE_OSSL_PARAM_BLD_NEW /** * Like sldns_key_buf2dsa, but uses raw buffer. * \param[in] key the uncompressed wireformat of the key. @@ -64,6 +65,7 @@ void sldns_key_EVP_unload_gost(void); * \return a DSA * structure with the key material */ DSA *sldns_key_buf2dsa_raw(unsigned char* key, size_t len); +#endif /** * Converts a holding buffer with DSA key material to EVP PKEY in openssl. @@ -92,6 +94,7 @@ EVP_PKEY* sldns_gost2pkey_raw(unsigned char* key, size_t keylen); */ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo); +#ifndef HAVE_OSSL_PARAM_BLD_NEW /** * Like sldns_key_buf2rsa, but uses raw buffer. * \param[in] key the uncompressed wireformat of the key. @@ -99,6 +102,7 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo); * \return a RSA * structure with the key material */ RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len); +#endif /** * Converts a holding buffer with RSA key material to EVP PKEY in openssl. From 0bdcbc80b96983bca6c3710e58e34ccd7d4019ed Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 2 Aug 2021 15:06:26 +0200 Subject: [PATCH 07/20] - Move ECDSA functions to use OpenSSL 3.0.0 API. --- doc/Changelog | 1 + sldns/keyraw.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 686203b8e..29f8cbe75 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,7 @@ - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns keyraw functions to produce EVP_PKEY results. - Move RSA and DSA to use OpenSSL 3.0.0 API. + - Move ECDSA functions to use OpenSSL 3.0.0 API. 30 July 2021: Wouter - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to diff --git a/sldns/keyraw.c b/sldns/keyraw.c index ce94dd74e..b1e60d8b5 100644 
--- a/sldns/keyraw.c
+++ b/sldns/keyraw.c
@@ -317,6 +317,7 @@ EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
 ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
 if(!ctx) {
+ OSSL_PARAM_free(params);
 BN_free(p);
 BN_free(q);
 BN_free(g);
@@ -482,6 +483,7 @@ EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len)
 ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
 if(!ctx) {
+ OSSL_PARAM_free(params);
 BN_free(n);
 BN_free(e);
 return NULL;
@@ -555,6 +557,62 @@ sldns_gost2pkey_raw(unsigned char* key, size_t keylen)
 EVP_PKEY*
 sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 {
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+ unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
+ EVP_PKEY *evp_key = NULL;
+ EVP_PKEY_CTX* ctx;
+ OSSL_PARAM_BLD* param_bld;
+ OSSL_PARAM* params = NULL;
+ char* group = NULL;
+
+ /* check length, which uncompressed must be 2 bignums */
+ if(algo == LDNS_ECDSAP256SHA256) {
+ if(keylen != 2*256/8) return NULL;
+ group = "prime256v1";
+ } else if(algo == LDNS_ECDSAP384SHA384) {
+ if(keylen != 2*384/8) return NULL;
+ group = "P-384";
+ } else {
+ return NULL;
+ }
+ if(keylen+1 > sizeof(buf)) { /* sanity check */
+ return NULL;
+ }
+ /* prepend the 0x04 for uncompressed format */
+ buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+ memmove(buf+1, key, keylen);
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if(!param_bld) {
+ return NULL;
+ }
+ if(!OSSL_PARAM_BLD_push_utf8_string(param_bld, "group", group, 0) ||
+ !OSSL_PARAM_BLD_push_octet_string(param_bld, "pub", buf, keylen+1)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return NULL;
+ }
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ OSSL_PARAM_BLD_free(param_bld);
+
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
+ if(!ctx) {
+ OSSL_PARAM_free(params);
+ return NULL;
+ }
+ if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_free(params);
+ return NULL;
+ }
+ if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_free(params);
+ return NULL;
+ }
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_free(params);
+ return evp_key;
+#else
 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
 const unsigned char* pp = buf;
 EVP_PKEY *evp_key;
@@ -591,6 +649,7 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 return NULL;
 }
 return evp_key;
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
 }
 #endif /* USE_ECDSA */
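Review bot: `char* group = NULL;` is only ever assigned string literals and passed to OSSL_PARAM_BLD_push_utf8_string, which takes a const char*, so it should be declared `const char* group = NULL;` to keep -Wwrite-strings clean and to document that the pointee is never written. The two curve names are also spelled in different conventions (`"prime256v1"` for the P-256 case but `"P-384"` for P-384); OpenSSL 3 resolves either alias, so one form for both, e.g. `"P-256"`/`"P-384"`, reads more consistently. The result of OSSL_PARAM_BLD_to_param is unchecked here as well, as raised on the DSA hunk. The #else branch of sldns_ecdsa2pkey_raw continues outside the hunk.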
From 89e2f2f753cb5dcca765ba57b44d190e7a9c6f24 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 2 Aug 2021 15:26:20 +0200 Subject: [PATCH 08/20] - iana portlist update. --- doc/Changelog | 1 + util/iana_ports.inc | 1 + 2 files changed, 2 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 29f8cbe75..6ec117b30 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,7 @@ keyraw functions to produce EVP_PKEY results. - Move RSA and DSA to use OpenSSL 3.0.0 API. - Move ECDSA functions to use OpenSSL 3.0.0 API. + - iana portlist update. 30 July 2021: Wouter - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to diff --git a/util/iana_ports.inc b/util/iana_ports.inc index f928d0669..b93af015d 100644 --- a/util/iana_ports.inc +++ b/util/iana_ports.inc @@ -4244,6 +4244,7 @@ 5504, 5505, 5506, +5540, 5553, 5554, 5555, From 3ed5b62578809b5d891045b1cb9b5196d0f86a92 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 2 Aug 2021 16:06:36 +0200 Subject: [PATCH 09/20] - Fix verbose printout failure in tcp reuse unit test. --- doc/Changelog | 1 + services/outside_network.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 6ec117b30..9d002be11 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -4,6 +4,7 @@ - Move RSA and DSA to use OpenSSL 3.0.0 API. - Move ECDSA functions to use OpenSSL 3.0.0 API. - iana portlist update. + - Fix verbose printout failure in tcp reuse unit test. 30 July 2021: Wouter - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to diff --git a/services/outside_network.c b/services/outside_network.c index 73cb4ff32..a3f982e72 100644 --- a/services/outside_network.c +++ b/services/outside_network.c 
@@ -347,6 +347,8 @@ log_reuse_tcp(enum verbosity_value v, const char* msg, struct reuse_tcp* reuse)
 uint16_t port;
 char addrbuf[128];
 if(verbosity < v) return;
+ if(!reuse || !reuse->pending || !reuse->pending->c)
+ return;
 addr_to_str(&reuse->addr, reuse->addrlen, addrbuf, sizeof(addrbuf));
 port = ntohs(((struct sockaddr_in*)&reuse->addr)->sin_port);
 verbose(v, "%s %s#%u fd %d", msg, addrbuf, (unsigned)port,
From 0784ad7a1185c3f2852e6d44308c06409e05f0d5 Mon Sep 17 00:00:00 2001 From: daiyunwei Date: Tue, 3 Aug 2021 11:40:30 +0800 Subject: [PATCH 10/20] #420 clear the c->buffer in the comm_point_send_reply does resolve the "can't fit qbuffer in c->buffer" issue, but it breaks the mesh reply list function that need to reuse the answer. because the c->buffer is cleared in the comm_point_send_reply, it cannot be resued again. it means that it is not inappropriate to clear c->buffer in the comm_point_send_reply. After some investigation, i found it is appropriate to clear c->buffer before use in the http2_query_read_done. --- services/listen_dnsport.c | 4 ++++ util/netevent.c | 1 - 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index 52b0a2ee9..b43def567 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -2477,6 +2477,10 @@ static int http2_query_read_done(struct http2_session* h2_session,
 "buffer already assigned to stream");
 return -1;
 }
+
+ /* the c->buffer might be used by mesh_send_reply and no be cleard
+ * need to be cleared before use */
+ sldns_buffer_clear(h2_session->c->buffer);
 if(sldns_buffer_remaining(h2_session->c->buffer) <
 sldns_buffer_remaining(h2_stream->qbuffer)) {
 /* qbuffer will be free'd in frame close cb */
diff --git a/util/netevent.c b/util/netevent.c
index d1316c5b4..a2defcb5f 100644
--- a/util/netevent.c
+++ b/util/netevent.c
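Review bot: The added `if(!reuse || !reuse->pending || !reuse->pending->c) return;` in log_reuse_tcp carries no comment, and the reason for it lives outside the hunk: the verbose() call on the hunk's last line continues past the hunk and, going by the new condition, reads reuse->pending->c for the fd printout. A one-line comment such as `/* an entry without a pending query has no fd to print; seen from the unit test */` would stop the next reader from removing it as redundant; the unit-test motivation is inferred from the commit subject, so word it accordingly.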
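Review bot: The new comment above `sldns_buffer_clear(h2_session->c->buffer);` in http2_query_read_done has typos and does not say why the clear moved here (`no be cleard`); suggest `/* c->buffer may still hold an answer that mesh_send_reply reuses and is no longer cleared in comm_point_send_reply, so clear it here before use */`. That records the coupling with the netevent.c hunk of this same patch, which the code alone does not show. The rest of http2_query_read_done is outside the hunk.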
@@ -4063,7 +4063,6 @@ comm_point_send_reply(struct comm_reply *repinfo) } repinfo->c->h2_stream = NULL; repinfo->c->tcp_is_reading = 0; - sldns_buffer_clear(repinfo->c->buffer); comm_point_stop_listening(repinfo->c); comm_point_start_listening(repinfo->c, -1, adjusted_tcp_timeout(repinfo->c)); From ca67691092127aafd3c11ead622dcb659959e1bf Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Tue, 3 Aug 2021 12:18:58 +0200 Subject: [PATCH 11/20] - Listen to read or write events after the SSL handshake. Sticky events on windows would stick on read when write was needed. --- doc/Changelog | 4 ++++ util/netevent.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 82fd320e7..94daab83b 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +3 August 2021: George + - Listen to read or write events after the SSL handshake. + Sticky events on windows would stick on read when write was needed. + 26 July 2021: George - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This introduces a couple of fixes for the stream reuse functionality diff --git a/util/netevent.c b/util/netevent.c index 01e44c9b6..9c99c677b 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -1214,7 +1214,7 @@ ssl_handshake(struct comm_point* c) int r; if(c->ssl_shake_state == comm_ssl_shake_hs_read) { /* read condition satisfied back to writing */ - comm_point_listen_for_rw(c, 1, 1); + comm_point_listen_for_rw(c, 0, 1); c->ssl_shake_state = comm_ssl_shake_none; return 1; } @@ -1333,7 +1333,7 @@ ssl_handshake(struct comm_point* c) if(c->ssl_shake_state != comm_ssl_shake_read) comm_point_listen_for_rw(c, 1, 0); } else { - comm_point_listen_for_rw(c, 1, 1); + comm_point_listen_for_rw(c, 0, 1); } c->ssl_shake_state = comm_ssl_shake_none; return 1; From dd7dc30294b8bdfdd499a81570a76fd50ee5c81d Mon Sep 17 00:00:00 2001 
From: "W.C.A. Wijngaards" Date: Tue, 3 Aug 2021 13:11:18 +0200 Subject: [PATCH 12/20] Changelog note for #517 - Merge PR #517 from dyunwei: #420 breaks the mesh reply list function that need to reuse the dns answer. --- doc/Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 8544a8266..8c3c8abc3 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,10 @@ - Listen to read or write events after the SSL handshake. Sticky events on windows would stick on read when write was needed. +3 August 2021: Wouter + - Merge PR #517 from dyunwei: #420 breaks the mesh reply list + function that need to reuse the dns answer. + 2 August 2021: Wouter - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns keyraw functions to produce EVP_PKEY results. From 2a0df9e72e523ad4e2d9274e06ae0de6cc38cc80 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 3 Aug 2021 14:08:30 +0200 Subject: [PATCH 13/20] - Annotate assertion into error printout; we think it may be an error, but the situation looks harmless. --- doc/Changelog | 2 ++ util/netevent.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/Changelog b/doc/Changelog index 8c3c8abc3..c8c9b7041 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -5,6 +5,8 @@ 3 August 2021: Wouter - Merge PR #517 from dyunwei: #420 breaks the mesh reply list function that need to reuse the dns answer. + - Annotate assertion into error printout; we think it may be an + error, but the situation looks harmless. 2 August 2021: Wouter - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns diff --git a/util/netevent.c b/util/netevent.c index d2d1481f7..11c642a2b 100644 --- a/util/netevent.c +++ b/util/netevent.c 
@@ -1727,7 +1727,8 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) (int)sldns_buffer_limit(c->buffer)); } - log_assert(sldns_buffer_remaining(c->buffer) > 0); + if(sldns_buffer_remaining(c->buffer) == 0) + log_err("in comm_point_tcp_handle_read buffer_remaining is not > 0 as expected, continuing with (harmless) 0 length recv"); r = recv(fd, (void*)sldns_buffer_current(c->buffer), sldns_buffer_remaining(c->buffer), 0); if(r == 0) { From c639dc956a14d5db4b281676e8ccf08030bf0ccf Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 3 Aug 2021 14:13:37 +0200 Subject: [PATCH 14/20] - Fix sign comparison warning on FreeBSD. --- daemon/unbound.c | 2 +- doc/Changelog | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/daemon/unbound.c b/daemon/unbound.c index 78771dbdd..934a96c80 100644 --- a/daemon/unbound.c +++ b/daemon/unbound.c @@ -222,7 +222,7 @@ checkrlimits(struct config_file* cfg) #endif if(getrlimit(RLIMIT_DATA, &rlim) == 0) { if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY && - rlim.rlim_cur < memsize_expect) { + rlim.rlim_cur < (rlim_t)memsize_expect) { log_warn("the ulimit(data seg size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect); } } diff --git a/doc/Changelog b/doc/Changelog index c8c9b7041..15a2b00b7 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -7,6 +7,7 @@ function that need to reuse the dns answer. - Annotate assertion into error printout; we think it may be an error, but the situation looks harmless. + - Fix sign comparison warning on FreeBSD. 2 August 2021: Wouter - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns From f5d53928a34ff2a5a3f50d3e9c4b5aa7ded32511 Mon Sep 17 00:00:00 2001 
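Review bot: The new log_err text calls the zero-length recv harmless, but recv() with a zero length on a stream socket returns 0 (on Linux at least), and the `if(r == 0) {` that is the hunk's last line is presumably where comm_point_tcp_handle_read treats 0 as the peer closing the connection — so the likely outcome when this condition is hit is a spurious close, not a no-op. Either return from the function right after the log_err, or word the message so it is not misleading, e.g. `"... continuing with 0 length recv, which will be handled as EOF"`. The body of the `r == 0` branch and the rest of the function are outside the hunk, so this is an inference to confirm.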
From: "W.C.A. Wijngaards" Date: Wed, 4 Aug 2021 09:58:38 +0200 Subject: [PATCH 15/20] - In unit test use openssl set security level to allow keys in test. --- doc/Changelog | 3 +++ testcode/petal.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 15a2b00b7..ad229cbe4 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +4 August 2021: Wouter + - In unit test use openssl set security level to allow keys in test. + 3 August 2021: George - Listen to read or write events after the SSL handshake. Sticky events on windows would stick on read when write was needed. diff --git a/testcode/petal.c b/testcode/petal.c index 123684aab..a1a376155 100644 --- a/testcode/petal.c +++ b/testcode/petal.c @@ -238,6 +238,9 @@ setup_ctx(char* key, char* cert) (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); #endif (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL + SSL_CTX_set_security_level(ctx, 0); /* for keys in tests */ +#endif if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) print_exit("cannot read cert"); if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) From efa15747a248dc7ca89e5070d8c6f1616c08e167 Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Wed, 4 Aug 2021 10:46:17 +0200 Subject: [PATCH 16/20] Changelog note for #415: - Merge PR #415 from sibeream: Use /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing ports. --- doc/Changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index ad229cbe4..a1b02a040 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,8 @@ +4 August 2021: George + - Merge PR #415 from sibeream: Use + /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing + ports. (New --enable-linux-ip-local-port-range configuration option) + 4 August 2021: Wouter - In unit test use openssl set security level to allow keys in test. 
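Review bot: `SSL_CTX_set_security_level(ctx, 0);` in setup_ctx drops every key-size, digest and protocol minimum that the default level enforces, and the inline comment `/* for keys in tests */` does not say that this is why it is acceptable here; a fuller comment keeps the line from being copied into non-test code, e.g. `/* level 0: the test keys are below the default minimum strength; petal is a test tool only */`. The key-strength motivation is inferred from the commit subject rather than visible in the hunk. setup_ctx continues outside the hunk.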
From 8878680898b23671d31857930891f65affe639c8 Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Wed, 4 Aug 2021 10:51:02 +0200 Subject: [PATCH 17/20] - Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This allows longer CNAME chains in Unbound. --- doc/Changelog | 6 ++++-- iterator/iterator.h | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index a1b02a040..4503feea9 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,7 +1,9 @@ 4 August 2021: George - Merge PR #415 from sibeream: Use - /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing - ports. (New --enable-linux-ip-local-port-range configuration option) + /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing + ports. (New --enable-linux-ip-local-port-range configuration option) + - Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This + allows longer CNAME chains in Unbound. 4 August 2021: Wouter - In unit test use openssl set security level to allow keys in test. diff --git a/iterator/iterator.h b/iterator/iterator.h index 7952f26df..dc5e57527 100644 --- a/iterator/iterator.h +++ b/iterator/iterator.h @@ -61,7 +61,7 @@ struct rbtree_type; * its subqueries */ #define MAX_TARGET_NX 5 /** max number of query restarts. Determines max number of CNAME chain. */ -#define MAX_RESTART_COUNT 8 +#define MAX_RESTART_COUNT 11 /** max number of referrals. Makes sure resolver does not run away */ #define MAX_REFERRAL_COUNT 130 /** max number of queries-sent-out. Make sure large NS set does not loop */ From c9bb0604db222739ce9aec18685f26b4f06f4452 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 4 Aug 2021 10:58:08 +0200 Subject: [PATCH 18/20] - Fix static analysis warnings about localzone locks that are unused. --- doc/Changelog | 1 + services/localzone.c | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 4503feea9..ccd40966c 100644 
--- a/doc/Changelog +++ b/doc/Changelog @@ -7,6 +7,7 @@ 4 August 2021: Wouter - In unit test use openssl set security level to allow keys in test. + - Fix static analysis warnings about localzone locks that are unused. 3 August 2021: George - Listen to read or write events after the SSL handshake. diff --git a/services/localzone.c b/services/localzone.c index fd2ff2bb6..54f55ab81 100644 --- a/services/localzone.c +++ b/services/localzone.c @@ -745,9 +745,15 @@ static int lz_enter_zones(struct local_zones* zones, struct config_file* cfg) { struct config_str2list* p; +#ifndef THREADS_DISABLED struct local_zone* z; +#endif for(p = cfg->local_zones; p; p = p->next) { - if(!(z=lz_enter_zone(zones, p->str, p->str2, + if(!( +#ifndef THREADS_DISABLED + z= +#endif + lz_enter_zone(zones, p->str, p->str2, LDNS_RR_CLASS_IN))) return 0; lock_rw_unlock(&z->lock); @@ -1027,7 +1033,9 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg) } if(have_name) { uint8_t* n2; +#ifndef THREADS_DISABLED struct local_zone* z; +#endif /* allocate zone of smallest shared topdomain to contain em */ n2 = nm; dname_remove_labels(&n2, &nmlen, nmlabs - match); @@ -1039,7 +1047,11 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg) } log_nametypeclass(VERB_ALGO, "implicit transparent local-zone", n2, 0, dclass); - if(!(z=lz_enter_zone_dname(zones, n2, nmlen, match, + if(!( +#ifndef THREADS_DISABLED + z= +#endif + lz_enter_zone_dname(zones, n2, nmlen, match, local_zone_transparent, dclass))) { return 0; } From 6dd270d625b5e31697a4d0085d7d4db1f5e819f7 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 4 Aug 2021 11:05:51 +0200 Subject: [PATCH 19/20] - Fix missing locks in zonemd unit test. --- doc/Changelog | 1 + testcode/unitzonemd.c | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index ccd40966c..ac992b345 100644 --- a/doc/Changelog +++ b/doc/Changelog 
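Review bot: Splicing `#ifndef THREADS_DISABLED` / `z=` / `#endif` into the middle of the `if(!(…lz_enter_zone(…)))` condition, in both the -745 and the -1039 hunk, makes the expression hard to read and easy to break on the next edit. The analyser complaint is presumably an unused variable once lock_rw_unlock() expands to nothing, so the conventional fix is to keep the declaration and assignment as they were and add `(void)z;` right after the `lock_rw_unlock(&z->lock);` line, which is quiet in both configurations with no preprocessor inside the expression. lz_enter_zones and lz_setup_implicit both continue outside their hunks.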
@@ -8,6 +8,7 @@ 4 August 2021: Wouter - In unit test use openssl set security level to allow keys in test. - Fix static analysis warnings about localzone locks that are unused. + - Fix missing locks in zonemd unit test. 3 August 2021: George - Listen to read or write events after the SSL handshake. diff --git a/testcode/unitzonemd.c b/testcode/unitzonemd.c index 3352a7c37..b5b865eab 100644 --- a/testcode/unitzonemd.c +++ b/testcode/unitzonemd.c @@ -82,7 +82,9 @@ static void zonemd_generate_test(const char* zname, char* zfile, /* read file */ z = authtest_addzone(az, zname, zfile); unit_assert(z); + lock_rw_wrlock(&z->lock); z->zonemd_check = 1; + lock_rw_unlock(&z->lock); /* create zonemd digest */ result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo, @@ -197,7 +199,9 @@ static void zonemd_check_test(void) /* read file */ z = authtest_addzone(az, zname, zfile); unit_assert(z); + lock_rw_wrlock(&z->lock); z->zonemd_check = 1; + lock_rw_unlock(&z->lock); hashlen = sizeof(hash); if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) { unit_assert(0); /* parse failure */ From 592cfe3afccc832aa5753fccf349fe82efee7d4a Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 4 Aug 2021 11:43:29 +0200 Subject: [PATCH 20/20] - Fix readzone compile under debug config. --- Makefile.in | 2 +- doc/Changelog | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 476545ea9..3ac3b1681 100644 --- a/Makefile.in +++ b/Makefile.in @@ -248,7 +248,7 @@ DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \ $(SLDNS_OBJ) READZONE_SRC=testcode/readzone.c READZONE_OBJ=readzone.lo -READZONE_OBJ_LINK=$(READZONE_OBJ) $(COMPAT_OBJ) $(SLDNS_OBJ) +READZONE_OBJ_LINK=$(READZONE_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) $(SLDNS_OBJ) IPSET_SRC=@IPSET_SRC@ IPSET_OBJ=@IPSET_OBJ@ DNSTAP_SOCKET_SRC=dnstap/unbound-dnstap-socket.c diff --git a/doc/Changelog b/doc/Changelog index ac992b345..8c4eb0023 100644 --- a/doc/Changelog 
+++ b/doc/Changelog @@ -9,6 +9,7 @@ - In unit test use openssl set security level to allow keys in test. - Fix static analysis warnings about localzone locks that are unused. - Fix missing locks in zonemd unit test. + - Fix readzone compile under debug config. 3 August 2021: George - Listen to read or write events after the SSL handshake.