diff --git a/.gitignore b/.gitignore
index 22fedf0d7..c1e2649db 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,6 +42,7 @@
 /contrib/libunbound.pc
 /contrib/unbound.service
 /contrib/unbound.socket
+/contrib/unbound_portable.service
 /dnstap/dnstap.pb-c.c
 /dnstap/dnstap.pb-c.h
 /libunbound/python/libunbound_wrap.c
diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c
index d5cd8dc55..d5ea9e3f6 100644
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@@ -64,26 +64,26 @@ #ifdef HAVE_SYS_ENDIAN_H # include #endif -#ifdef HAVE_LIBKERN_OSBYTEORDER_H -/* In practice this is specific to MacOS X. We assume it doesn't have -* htobe64/be64toh but has alternatives with a different name. */ -# include -# define htobe64(x) OSSwapHostToBigInt64(x) -# define be64toh(x) OSSwapBigToHostInt64(x) -#endif -/* Some compilers do not define __BYTE_ORDER__, like IBM XLC on AIX */ -#ifndef be64toh -#if defined(__sun) || defined(_AIX) -# if __BIG_ENDIAN__ -# define be64toh(n) (n) -# define htobe64(n) (n) +#ifndef HAVE_HTOBE64 +# ifdef HAVE_LIBKERN_OSBYTEORDER_H + /* In practice this is specific to MacOS X. We assume it doesn't have + * htobe64/be64toh but has alternatives with a different name. */ +# include +# define htobe64(x) OSSwapHostToBigInt64(x) +# define be64toh(x) OSSwapBigToHostInt64(x) # else -# define be64toh(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32)) -# define htobe64(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32)) -# endif -#endif -#endif /* be64toh */ + /* not OSX */ + /* Some compilers do not define __BYTE_ORDER__, like IBM XLC on AIX */ +# if __BIG_ENDIAN__ +# define be64toh(n) (n) +# define htobe64(n) (n) +# else +# define be64toh(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32)) +# define htobe64(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32)) +# endif /* _ENDIAN */ +# endif /* HAVE_LIBKERN_OSBYTEORDER_H */ +#endif /* HAVE_BE64TOH */ /** the unit test testframe for cachedb, its module state contains * a cache for a couple queries (in memory). */ diff --git a/config.h.in b/config.h.in index 8c2aa3b94..78d47fedc 100644 --- a/config.h.in +++ b/config.h.in 
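Review bot: The new guard opens with `#ifndef HAVE_HTOBE64` but closes with `#endif /* HAVE_BE64TOH */`, and configure.ac now probes the two functions with separate link tests, so a libc that passes the htobe64 test but not the be64toh one would leave `be64toh` undefined in this file; `#if !defined(HAVE_HTOBE64) || !defined(HAVE_BE64TOH)` (or one configure check that defines both) keeps the guard honest with the checks. The non-macOS fallback also drops the old `defined(__sun) || defined(_AIX)` gate, so any host without htobe64 that does not define `__BIG_ENDIAN__` now gets the htonl-based definition; on a big-endian host where that macro is absent this would, as I read it, swap the two 32-bit halves of a value that needs no conversion, and the assumption deserves a comment such as `/* assumes little-endian unless __BIG_ENDIAN__ is set */`. The 32-bit-halves form evaluates `(n)` twice, which predates this change but is reachable on more platforms now; a `/* n is evaluated twice: pass side-effect-free arguments */` note above it would prevent a future `be64toh(*p++)`.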
@@ -63,6 +63,15 @@ /* Whether the C compiler accepts the "weak" attribute */ #undef HAVE_ATTR_WEAK +/* If we have be64toh */ +#undef HAVE_BE64TOH + +/* Define to 1 if you have the header file. */ +#undef HAVE_BSD_STDLIB_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_BSD_STRING_H + /* Define to 1 if you have the `chown' function. */ #undef HAVE_CHOWN @@ -284,6 +293,9 @@ /* If you have HMAC_Update */ #undef HAVE_HMAC_UPDATE +/* If we have htobe64 */ +#undef HAVE_HTOBE64 + /* Define to 1 if you have the `inet_aton' function. */ #undef HAVE_INET_ATON @@ -311,6 +323,9 @@ /* Define to 1 if you have the `kill' function. */ #undef HAVE_KILL +/* Use portable libbsd functions */ +#undef HAVE_LIBBSD + /* Define to 1 if you have the header file. */ #undef HAVE_LIBKERN_OSBYTEORDER_H @@ -1231,6 +1246,11 @@ char *strptime(const char *s, const char *format, struct tm *tm); void *reallocarray(void *ptr, size_t nmemb, size_t size); #endif +#ifdef HAVE_LIBBSD +#include +#include +#endif + #ifdef HAVE_LIBRESSL # if !HAVE_DECL_STRLCPY size_t strlcpy(char *dst, const char *src, size_t siz); diff --git a/configure b/configure index eb855554d..63055c516 100755 --- a/configure +++ b/configure @@ -673,8 +673,10 @@ UNBOUND_EVENT_UNINSTALL UNBOUND_EVENT_INSTALL SUBNET_HEADER SUBNET_OBJ +PC_LIBBSD_DEPENDENCY SSLLIB HAVE_SSL +PC_CRYPTO_DEPENDENCY CONFIG_DATE NETBSD_LINTFLAGS PYUNBOUND_UNINSTALL @@ -859,6 +861,7 @@ enable_swig_version_check with_nss with_nettle with_ssl +with_libbsd enable_sha1 enable_sha2 enable_subnet @@ -1620,6 +1623,7 @@ Optional Packages: --with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr) + --with-libbsd Use portable libbsd functions --with-libevent=pathname use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr or you can specify 
@@ -17759,6 +17763,8 @@ $as_echo "#define HAVE_NSS 1" >>confdefs.h fi LIBS="$LIBS -lnss3 -lnspr4" SSLLIB="" + PC_CRYPTO_DEPENDENCY="nss nspr" + fi @@ -17802,6 +17808,8 @@ done fi LIBS="$LIBS -lhogweed -lnettle -lgmp" SSLLIB="" + PC_CRYPTO_DEPENDENCY="hogweed nettle" + fi @@ -18152,6 +18160,9 @@ rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext SSLLIB="-lssl" +PC_CRYPTO_DEPENDENCY="libcrypto libssl" + + # check if -lcrypt32 is needed because CAPIENG needs that. (on windows) BAKLIBS="$LIBS" LIBS="-lssl $LIBS" 
@@ -18442,6 +18453,96 @@ fi fi +# libbsd + +# Check whether --with-libbsd was given. +if test "${with_libbsd+set}" = set; then : + withval=$with_libbsd; + for ac_header in bsd/string.h bsd/stdlib.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default +" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + if test "x$ac_cv_header_bsd_string_h" = xyes -a "x$ac_cv_header_bsd_stdlib_h" = xyes; then + for func in strlcpy strlcat arc4random arc4random_uniform reallocarray; do + as_ac_Search=`$as_echo "ac_cv_search_$func" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing $func" >&5 +$as_echo_n "checking for library containing $func... " >&6; } +if eval \${$as_ac_Search+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char $func (); +int +main () +{ +return $func (); + ; + return 0; +} +_ACEOF +for ac_lib in '' bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + eval "$as_ac_Search=\$ac_res" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if eval \${$as_ac_Search+:} false; then : + break +fi +done +if eval \${$as_ac_Search+:} false; then : + +else + eval "$as_ac_Search=no" +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +eval ac_res=\$$as_ac_Search + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +eval ac_res=\$$as_ac_Search +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + + +$as_echo "#define HAVE_LIBBSD 1" >>confdefs.h + + PC_LIBBSD_DEPENDENCY=libbsd + + +fi + + done + fi + +fi + # Check whether --enable-sha1 was given. if test "${enable_sha1+set}" = set; then : @@ -18745,9 +18846,7 @@ fi use_dsa="no" case "$enable_dsa" in - no) - ;; - *) + yes) # detect if DSA is supported, and turn it off if not. if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then ac_fn_c_check_func "$LINENO" "DSA_SIG_new" "ac_cv_func_DSA_SIG_new" @@ -18800,6 +18899,10 @@ _ACEOF fi ;; + *) + # disable dsa by default, RFC 8624 section 3.1, validators MUST NOT + # support DSA for DNSSEC Validation. + ;; esac # Check whether --enable-ed25519 was given. 
@@ -19924,6 +20027,75 @@ _ACEOF fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for htobe64" >&5 +$as_echo_n "checking for htobe64... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_ENDIAN_H +# include +#endif + +int +main () +{ +unsigned long long x = htobe64(0); printf("%u", (unsigned)x); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE_HTOBE64 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for be64toh" >&5 +$as_echo_n "checking for be64toh... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_ENDIAN_H +# include +#endif + +int +main () +{ +unsigned long long x = be64toh(0); printf("%u", (unsigned)x); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE_BE64TOH 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing setusercontext" >&5 $as_echo_n "checking for library containing setusercontext... " >&6; } if ${ac_cv_search_setusercontext+:} false; then : 
@@ -21431,7 +21603,7 @@ version=1.9.7 date=`date +'%b %e, %Y'` -ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service" +ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service" ac_config_headers="$ac_config_headers config.h" @@ -22437,6 +22609,7 @@ do "contrib/libunbound.pc") CONFIG_FILES="$CONFIG_FILES contrib/libunbound.pc" ;; "contrib/unbound.socket") CONFIG_FILES="$CONFIG_FILES contrib/unbound.socket" ;; "contrib/unbound.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound.service" ;; + "contrib/unbound_portable.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_portable.service" ;; "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; diff --git a/configure.ac b/configure.ac index 4ed9bb872..2b91dd3c1 100644 --- a/configure.ac +++ b/configure.ac @@ -761,6 +761,8 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path], fi LIBS="$LIBS -lnss3 -lnspr4" SSLLIB="" + PC_CRYPTO_DEPENDENCY="nss nspr" + AC_SUBST(PC_CRYPTO_DEPENDENCY) ] ) @@ -781,6 +783,8 @@ AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path], fi LIBS="$LIBS -lhogweed -lnettle -lgmp" SSLLIB="" + PC_CRYPTO_DEPENDENCY="hogweed nettle" + AC_SUBST(PC_CRYPTO_DEPENDENCY) ] ) 
@@ -790,6 +794,9 @@ ACX_WITH_SSL ACX_LIB_SSL SSLLIB="-lssl" +PC_CRYPTO_DEPENDENCY="libcrypto libssl" +AC_SUBST(PC_CRYPTO_DEPENDENCY) + # check if -lcrypt32 is needed because CAPIENG needs that. (on windows) BAKLIBS="$LIBS" LIBS="-lssl $LIBS" @@ -881,6 +888,19 @@ fi fi AC_SUBST(SSLLIB) +# libbsd +AC_ARG_WITH([libbsd], AC_HELP_STRING([--with-libbsd], [Use portable libbsd functions]), [ + AC_CHECK_HEADERS([bsd/string.h bsd/stdlib.h],,, [AC_INCLUDES_DEFAULT]) + if test "x$ac_cv_header_bsd_string_h" = xyes -a "x$ac_cv_header_bsd_stdlib_h" = xyes; then + for func in strlcpy strlcat arc4random arc4random_uniform reallocarray; do + AC_SEARCH_LIBS([$func], [bsd], [ + AC_DEFINE(HAVE_LIBBSD, 1, [Use portable libbsd functions]) + PC_LIBBSD_DEPENDENCY=libbsd + AC_SUBST(PC_LIBBSD_DEPENDENCY) + ]) + done + fi +]) AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support])) case "$enable_sha1" in @@ -1065,9 +1085,7 @@ esac AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support])) use_dsa="no" case "$enable_dsa" in - no) - ;; - *) + yes) # detect if DSA is supported, and turn it off if not. if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then AC_CHECK_FUNC(DSA_SIG_new, [ @@ -1098,6 +1116,10 @@ AC_INCLUDES_DEFAULT AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.]) fi ;; + *) + # disable dsa by default, RFC 8624 section 3.1, validators MUST NOT + # support DSA for DNSSEC Validation. + ;; esac AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--disable-ed25519], [Disable ED25519 support])) 
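Review bot: The action-if-found of `AC_SEARCH_LIBS([$func], [bsd], ...)` in the libbsd hunk also fires when the result is "none required" (the generated configure shows `test "$ac_res" = "none required" || LIBS=...` followed unconditionally by the HAVE_LIBBSD define), so `HAVE_LIBBSD` is defined and `PC_LIBBSD_DEPENDENCY=libbsd` is advertised in libunbound.pc even when every one of the five functions came from libc and -lbsd was never added to LIBS; pkg-config consumers would then be told to require a libbsd the build did not use. Wrapping the two assignments in `if test "$ac_res" != "none required"; then ... fi` inside the action keeps the define and the .pc dependency tied to an actual -lbsd link, unless including the bsd/ headers is wanted even then, in which case the .pc variable alone should be guarded. Note too that one successful function out of five is enough to set the flag, so a partially-providing system still gets `#include <bsd/...>` in config.h; if that is intended, a comment saying so would help. Style: `test ... -a ...` is obsolescent in POSIX; the autoconf idiom is two `test` commands joined with `&&`.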
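Review bot: With the DSA hunk `--enable-dsa` is now required to get DSA at all, but the context line at the top of the hunk, `AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))`, still documents the old default, so `./configure --help` describes an option that no longer does what it says. Change it to `AC_HELP_STRING([--enable-dsa], [Enable DSA support (disabled by default per RFC 8624 section 3.1)])`. The `*)` branch comment is good; the same sentence belongs in the help text, since that is where users will look when DSA-signed zones start validating as insecure.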
@@ -1468,6 +1490,35 @@ AC_INCLUDES_DEFAULT #include #endif ]) + +AC_MSG_CHECKING([for htobe64]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([ +#include +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_ENDIAN_H +# include +#endif +], [unsigned long long x = htobe64(0); printf("%u", (unsigned)x);])], + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_HTOBE64, 1, [If we have htobe64]), + AC_MSG_RESULT(no)) + +AC_MSG_CHECKING([for be64toh]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([ +#include +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_ENDIAN_H +# include +#endif +], [unsigned long long x = be64toh(0); printf("%u", (unsigned)x);])], + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_BE64TOH, 1, [If we have be64toh]), + AC_MSG_RESULT(no)) + AC_SEARCH_LIBS([setusercontext], [util]) AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4]) AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])]) @@ -1946,6 +1997,11 @@ char *strptime(const char *s, const char *format, struct tm *tm); void *reallocarray(void *ptr, size_t nmemb, size_t size); #endif +#ifdef HAVE_LIBBSD +#include +#include +#endif + #ifdef HAVE_LIBRESSL # if !HAVE_DECL_STRLCPY size_t strlcpy(char *dst, const char *src, size_t siz); 
@@ -2047,6 +2103,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO]) AC_SUBST(date, [`date +'%b %e, %Y'`]) -AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service]) +AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service]) AC_CONFIG_HEADER([config.h]) AC_OUTPUT diff --git a/contrib/README b/contrib/README index f12e52f25..d8afceabd 100644 --- a/contrib/README +++ b/contrib/README @@ -31,6 +31,8 @@ distribution but may be helpful. Contributed by Yuri Voinov. * unbound.socket and unbound.service: systemd files for unbound, install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov. +* unbound_portable.service.in: systemd file for use unbound as portable service, + see comments in the file. Contributed by Frzk. * redirect-bogus.patch: Return configured address for bogus A and AAAA answers, instead of SERVFAIL. Contributed by SIDN. * fastrpz.patch: fastrpz support from Farsight Security. diff --git a/contrib/fastrpz.patch b/contrib/fastrpz.patch index c38ac22b9..2cd6a7182 100644 --- a/contrib/fastrpz.patch +++ b/contrib/fastrpz.patch @@ -2,7 +2,7 @@ Description: based on the included patch contrib/fastrpz.patch Author: fastrpz@farsightsecurity.com --- diff --git a/Makefile.in b/Makefile.in -index 721c01b6..56bfb560 100644 +index 1a2e2c54..028b6cf3 100644 --- a/Makefile.in 
+++ b/Makefile.in @@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c @@ -45,10 +45,10 @@ index 721c01b6..56bfb560 100644 pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \ pythonmod/interface.h \ diff --git a/config.h.in b/config.h.in -index 8c2aa3b9..efaf6450 100644 +index 78d47fed..e33073e4 100644 --- a/config.h.in +++ b/config.h.in -@@ -1325,4 +1325,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file, +@@ -1345,4 +1345,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file, /** the version of unbound-control that this software implements */ #define UNBOUND_CONTROL_VERSION 1 @@ -62,7 +62,7 @@ index 8c2aa3b9..efaf6450 100644 +/** turn on fastrpz response policy zones */ +#undef ENABLE_FASTRPZ diff --git a/configure.ac b/configure.ac -index 5276d441..9d74592e 100644 +index 9a32c577..cc4344ff 100644 --- a/configure.ac +++ b/configure.ac @@ -6,6 +6,7 @@ sinclude(ax_pthread.m4) @@ -73,7 +73,7 @@ index 5276d441..9d74592e 100644 sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing -@@ -1726,6 +1727,9 @@ case "$enable_ipset" in +@@ -1778,6 +1779,9 @@ case "$enable_ipset" in ;; esac @@ -139,7 +139,7 @@ index 5749dbef..64ce230f 100644 /** diff --git a/daemon/worker.c b/daemon/worker.c -index e2ce0e87..f031c656 100644 +index aa16650e..c7c05828 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -75,6 +75,9 @@ @@ -244,7 +244,7 @@ index e2ce0e87..f031c656 100644 /* prefetch it if the prefetch TTL expired. * Note that if there is more than one pass * its qname must be that used for cache -@@ -1518,11 +1575,19 @@ lookup_cache: +@@ -1520,11 +1577,19 @@ lookup_cache: lock_rw_unlock(&e->lock); } if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) { @@ -267,10 +267,10 @@ index e2ce0e87..f031c656 100644 } verbose(VERB_ALGO, "answer norec from cache -- " diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in -index 4bdfcd56..69e70627 100644 +index 6292f0d4..7e91a91f 100644 
--- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in -@@ -1801,6 +1801,81 @@ List domain for which the AAAA records are ignored and the A record is +@@ -1811,6 +1811,81 @@ List domain for which the AAAA records are ignored and the A record is used by dns64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given. @@ -3172,7 +3172,7 @@ index d4f814d5..624a9d95 100644 if(edns->opt_list) { r->edns.opt_list = edns_opt_copy_region(edns->opt_list, diff --git a/util/config_file.c b/util/config_file.c -index 119b2223..ce43a234 100644 +index 104c3f83..a5015594 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -1434,6 +1434,8 @@ config_delete(struct config_file* cfg) @@ -3216,7 +3216,7 @@ index a86ddf55..b56bcfb4 100644 ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) } ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) } diff --git a/util/configparser.y b/util/configparser.y -index 10227a2f..cdbcf7cd 100644 +index 8be6bd3e..74d885ad 100644 --- a/util/configparser.y +++ b/util/configparser.y @@ -125,6 +125,7 @@ extern struct config_parser_state* cfg_parser; @@ -3236,7 +3236,7 @@ index 10227a2f..cdbcf7cd 100644 forwardstart contents_forward | pythonstart contents_py | rcstart contents_rc | dtstart contents_dt | viewstart contents_view | dnscstart contents_dnsc | cachedbstart contents_cachedb | -@@ -2726,6 +2727,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES +@@ -2728,6 +2729,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES free($2); } ; @@ -3384,7 +3384,7 @@ index 3a5335dd..20113217 100644 /** diff --git a/util/netevent.c b/util/netevent.c -index 980bb8be..d537d288 100644 +index 9fe5da2d..037e70d1 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -57,6 +57,9 @@ 
@@ -3427,7 +3427,7 @@ index 980bb8be..d537d288 100644 if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for another UDP port. Note rep.c cannot be reused with TCP fd. */ break; -@@ -3184,6 +3196,9 @@ comm_point_send_reply(struct comm_reply *repinfo) +@@ -3192,6 +3204,9 @@ comm_point_send_reply(struct comm_reply *repinfo) repinfo->c->tcp_timeout_msec); } } @@ -3437,7 +3437,7 @@ index 980bb8be..d537d288 100644 } void -@@ -3193,6 +3208,9 @@ comm_point_drop_reply(struct comm_reply* repinfo) +@@ -3201,6 +3216,9 @@ comm_point_drop_reply(struct comm_reply* repinfo) return; log_assert(repinfo->c); log_assert(repinfo->c->type != comm_tcp_accept); @@ -3447,7 +3447,7 @@ index 980bb8be..d537d288 100644 if(repinfo->c->type == comm_udp) return; if(repinfo->c->tcp_req_info) -@@ -3214,6 +3232,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec) +@@ -3222,6 +3240,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec) { verbose(VERB_ALGO, "comm point start listening %d (%d msec)", c->fd==-1?newfd:c->fd, msec); @@ -3473,10 +3473,10 @@ index d80c72b3..0233292f 100644 uint8_t client_nonce[crypto_box_HALF_NONCEBYTES]; uint8_t nmkey[crypto_box_BEFORENMBYTES]; diff --git a/validator/validator.c b/validator/validator.c -index 4c560a8e..71de3760 100644 +index c3ca0a27..15251988 100644 --- a/validator/validator.c +++ b/validator/validator.c -@@ -2755,6 +2755,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, +@@ -2761,6 +2761,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, default: /* NSEC proof did not work, try next */ break; @@ -3489,7 +3489,7 @@ index 4c560a8e..71de3760 100644 } sec = nsec3_prove_nods(qstate->env, ve, -@@ -2788,6 +2794,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, +@@ -2794,6 +2800,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, default: /* NSEC3 proof did not work */ break; 
diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in
index 810c57134..1442ed523 100644
--- a/contrib/libunbound.pc.in
+++ b/contrib/libunbound.pc.in
@@ -7,8 +7,8 @@ Name: unbound
 Description: Library with validating, recursive, and caching DNS resolver
 URL: http://www.unbound.net
 Version: @PACKAGE_VERSION@
-Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@
-Requires.private: @PC_PY_DEPENDENCY@
-Libs: -L${libdir} -lunbound -lssl -lcrypto
+Requires: @PC_CRYPTO_DEPENDENCY@ @PC_LIBEVENT_DEPENDENCY@
+Requires.private: @PC_PY_DEPENDENCY@ @PC_LIBBSD_DEPENDENCY@
+Libs: -L${libdir} -lunbound
 Libs.private: @SSLLIB@ @LIBS@
-Cflags: -I${includedir}
+Cflags: -I${includedir}
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index 13ca4b294..8c51bcbbe 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
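Review bot: `Requires:` is the public dependency list, so every `pkg-config --libs libunbound` consumer now receives the crypto library's `-l` flags (and with `--cflags` its include paths) even for a dynamic link where libunbound.so already carries that dependency; unless unbound.h exposes OpenSSL/NSS/nettle types, which I cannot confirm from this page, `@PC_CRYPTO_DEPENDENCY@` belongs in `Requires.private:` next to `@PC_LIBBSD_DEPENDENCY@`, with `Libs.private: @SSLLIB@ @LIBS@` covering static consumers as it already does. Moving `-lssl -lcrypto` out of `Libs:` is the right direction; putting the pkg-config names in `Requires.private` completes it. The `Cflags` line differs only in whitespace.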
@@ -1,3 +1,44 @@ +; For further details about the directives used in this unit file, including +; the below, please refer to systemd's official documentation, available at +; https://www.freedesktop.org/software/systemd/man/systemd.exec.html. +; +; +; - `ProtectSystem=strict` implies we mount the entire file system hierarchy +; read-only for the processes invoked by the unit except for the API file +; system subtrees /dev, /proc and /sys (which are protected by +; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). +; +; - `PrivateTmp=yes` secures access to temporary files of the process, and +; makes sharing between processes via /tmp or /var/tmp impossible. +; +; - `ProtectHome=yes` makes the directories /home, /root, and /run/user +; inaccessible and empty for processes invoked by the unit. +; +; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies +; (accessible through /sys/fs/cgroup) read-only to all processes invoked by +; the unit. It also implies `MountAPIVFS=yes`. +; +; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the +; unit User and Group with read-write permissions (0755) as soon as the +; unit starts. This allows unbound to store its pidfile. The directory and +; its content are automatically removed by systemd when the unit stops. +; +; - `NoNewPrivileges=yes` ensures that the service process and all its +; children can never gain new privileges through execve(). +; +; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID +; (SUID) or set-group-ID (SGID) bits on files or directories will be denied. +; +; - `RestrictRealTime=yes` ensures that any attempts to enable realtime +; scheduling in a process invoked by the unit will be denied. +; +; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing +; is prohibited. +; +; - `LockPersonality=yes` locks down the personality system call so that the +; kernel execution domain may not be changed from the default. 
+; +; [Unit] Description=Validating, recursive, and caching DNS resolver Documentation=man:unbound(8) @@ -10,10 +51,10 @@ WantedBy=multi-user.target [Service] ExecReload=+/bin/kill -HUP $MAINPID -ExecStart=@UNBOUND_SBIN_DIR@/unbound -d +ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p NotifyAccess=main Type=notify -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true @@ -22,12 +63,9 @@ ProtectHome=true ProtectControlGroups=true ProtectKernelModules=true ProtectSystem=strict -ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ -TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro -TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro -BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify -BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom -BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log +RuntimeDirectory=unbound +ConfigurationDirectory=unbound +StateDirectory=unbound RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX RestrictRealtime=true SystemCallArchitectures=native @@ -35,3 +73,12 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete RestrictNamespaces=yes LockPersonality=yes RestrictSUIDSGID=yes +ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ + +# Below rules are needed when chroot is enabled (usually it's enabled by default). +# If chroot is disabled like chrooot: "" then they may be safely removed. +TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro +TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro +BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify +BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom +BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log 
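Review bot: The `RuntimeDirectory=unbound` paragraph in the new header says the directory is "owned by the unit User and Group" and "allows unbound to store its pidfile", but this unit sets no `User=`/`Group=` (unbound drops privileges itself, which is why CAP_SETUID/CAP_SETGID stay in the bounding set) and the same commit appends `-p` to ExecStart, which as far as I can tell from unbound 1.9's options disables the pidfile; please confirm against unbound(8) and reword the paragraph to say `/run/unbound` is created root-owned 0755 for runtime state such as the control socket rather than a pidfile. The `RestrictRealTime=yes` bullet also misspells the directive the unit actually uses, `RestrictRealtime=true`; systemd directive names are case-sensitive, so the comment should match the line it describes.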
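Review bot: `StateDirectory=unbound` and `RuntimeDirectory=unbound` are created owned by the unit's `User=`/`Group=`, and this unit has none, so `/var/lib/unbound` and `/run/unbound` come up root-owned 0755 while the daemon switches to the `username:` from unbound.conf after start-up; anything unbound writes after the drop, the RFC 5011 `auto-trust-anchor-file` rewrite for example, would fail with EACCES in a freshly created StateDirectory unless the file is pre-owned by that user, which I cannot verify from this page. Either add `User=unbound`/`Group=unbound` (and then `username: ""` in the config) or state in a comment, e.g. `; StateDirectory is root-owned: place auto-trust-anchor-file where the unbound user can write`, which of the two models the unit expects.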
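Review bot: `ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@` sits directly above the comment "Below rules are needed when chroot is enabled", but it is not a chroot rule: on a default build both substitutions resolve, as I read configure's defaults, to the configuration directory, so this line re-opens /etc/unbound read-write under `ProtectSystem=strict` and a compromised resolver could rewrite its own unbound.conf for persistence. A blank line plus a comment such as `# Writable so auto-trust-anchor-file can be updated; narrow to that file if possible` would separate it from the chroot block, and narrowing the path to the anchor file is worth considering. The comment itself also has a typo, `chrooot: ""`, and uses `#` where the header above uses `;`; both are accepted by systemd, but one style per file reads better.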
diff --git a/contrib/unbound_munin_ b/contrib/unbound_munin_ index 5d3dff8e8..2839cd8b5 100755 --- a/contrib/unbound_munin_ +++ b/contrib/unbound_munin_ @@ -242,6 +242,8 @@ if test "$1" = "config" ; then p_config "total.num.prefetch" "cache prefetch" "ABSOLUTE" p_config "num.query.tcp" "TCP queries" "ABSOLUTE" p_config "num.query.tcpout" "TCP out queries" "ABSOLUTE" + p_config "num.query.tls" "TLS queries" "ABSOLUTE" + p_config "num.query.tls.resume" "TLS resumes" "ABSOLUTE" p_config "num.query.ipv6" "IPv6 queries" "ABSOLUTE" p_config "unwanted.queries" "queries that failed acl" "ABSOLUTE" p_config "unwanted.replies" "unwanted or unsolicited replies" "ABSOLUTE" @@ -443,7 +445,8 @@ hits) for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state | sed -e 's/=.*//'` total.num.queries \ total.num.cachehits total.num.prefetch num.query.tcp \ - num.query.tcpout num.query.ipv6 unwanted.queries \ + num.query.tcpout num.query.tls num.query.tls.resume \ + num.query.ipv6 unwanted.queries \ unwanted.replies; do if grep "^"$x"=" $state >/dev/null 2>&1; then print_value $x diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in new file mode 100644 index 000000000..998b66dec --- /dev/null +++ b/contrib/unbound_portable.service.in 
@@ -0,0 +1,49 @@
+; This unit file is provided to run unbound as portable service.
+; https://systemd.io/PORTABLE_SERVICES/
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+; - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+; - chroot: ""
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
diff --git a/daemon/remote.c b/daemon/remote.c
index 25547f570..f69e0ef07 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
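Review bot: The header requires `chroot: ""`, yet `CapabilityBoundingSet=` still grants `CAP_SYS_CHROOT`, so a config that keeps the default chroot will chroot into a directory that, with `ProtectSystem=strict` and none of the bind rules the regular unit carries, lacks /dev/urandom and the notify socket and fails in a confusing way; dropping `CAP_SYS_CHROOT` from the line both shrinks the capability set and makes a forgotten `chroot: ""` fail fast with a clear chroot() EPERM in the log. `SystemCallFilter=~... @resources` is also combined with `CAP_SYS_RESOURCE`, whose only use here is raising rlimits; if unbound raises RLIMIT_NOFILE for a large `outgoing-range`/`num-threads`, the setrlimit call is, as I read systemd's group definitions, inside `@resources` and the daemon is killed with SIGSYS rather than getting an error, so either drop the capability and accept the filter or exempt the rlimit calls, and say which in a comment. The 23 January Changelog entry refers to this file as `contrib/unbound_nochroot.service.in` while the commit adds `unbound_portable.service.in`; the two should be reconciled.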
@@ -1479,6 +1479,27 @@ do_view_data_remove(RES* ssl, struct worker* worker, char* arg) lock_rw_unlock(&v->lock); } +/** Remove RR data from stdin from view */ +static void +do_view_datas_remove(RES* ssl, struct worker* worker, char* arg) +{ + struct view* v; + v = views_find_view(worker->daemon->views, + arg, 1 /* get write lock*/); + if(!v) { + ssl_printf(ssl,"no view with name: %s\n", arg); + return; + } + if(!v->local_zones){ + lock_rw_unlock(&v->lock); + ssl_printf(ssl, "removed 0 datas\n"); + return; + } + + do_datas_remove(ssl, v->local_zones); + lock_rw_unlock(&v->lock); +} + /** cache lookup of nameservers */ static void do_lookup(RES* ssl, struct worker* worker, char* arg) @@ -2989,6 +3010,8 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, do_view_zone_add(ssl, worker, skipwhite(p+15)); } else if(cmdcmp(p, "view_local_data_remove", 22)) { do_view_data_remove(ssl, worker, skipwhite(p+22)); + } else if(cmdcmp(p, "view_local_datas_remove", 23)){ + do_view_datas_remove(ssl, worker, skipwhite(p+23)); } else if(cmdcmp(p, "view_local_data", 15)) { do_view_data_add(ssl, worker, skipwhite(p+15)); } else if(cmdcmp(p, "view_local_datas", 16)) { diff --git a/doc/Changelog b/doc/Changelog index 519f4c3ea..1437815e8 100644 --- a/doc/Changelog +++ b/doc/Changelog 
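Review bot: `do_view_datas_remove` holds the view's write lock (taken by `views_find_view(..., 1)`) across `do_datas_remove`, which reads the data lines from the control connection, so a slow or stalled `unbound-control` client keeps every worker that needs this view blocked for as long as it leaves the socket open; as far as I can tell that mirrors the existing add path, but a comment such as `/* view write lock is held while reading from the control channel */` should flag it, and a later refactor could collect the list first and apply it under the lock. The early `removed 0 datas` exit when `v->local_zones` is NULL returns without draining the piped input, so if `do_datas_remove` normally consumes to EOF the client may see the connection closed mid-send; please confirm the sibling add path (outside the hunk) behaves identically. Style: `if(!v->local_zones){` lacks the space before the brace that `if(!v) {` two lines above uses.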
@@ -1,3 +1,43 @@ +30 January 2020: Wouter + - Fix subnet tests for disabled DSA algorithm by default. + - Update contrib/fastrpz.patch for clean diff with current code. + - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds + and Frzk. Updates the unbound.service systemd file and adds + a portable systemd service file. + - updated .gitignore for added contrib file. + +29 January 2020: Ralph + - Merge PR#156 from Alexander Berkes; Added unbound-control + view_local_datas_remove command. + +29 January 2020: Wouter + - Fix #157: undefined reference to `htobe64'. + +28 January 2020: Ralph + - Merge PR#147; change rfc reference for reserved top level dns names. + +28 January 2020: Wouter + - iana portlist updated. + - Fix to silence the tls handshake errors for broken pipe and reset + by peer, unless verbosity is set to 2 or higher. + +27 January 2020: Ralph + - Merge PR#154; Allow use of libbsd functions with configure option + --with-libbsd. By Robert Edmonds and Steven Chamberlain. + - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai. + +27 January 2020: Wouter + - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes + to Libs/Requires for crypto library dependencies. + - Fix #153: Disable validation for DSA algorithms. RFC 8624 + compliance. + +23 January 2020: Wouter + - Merge PR#150 from Frzk: Systemd unit without chroot. It add + contrib/unbound_nochroot.service.in, a systemd file for use with + chroot: "", see comments in the file, it uses systemd protections + instead. + 14 January 2020: Wouter - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests, because dnscrypt-proxy (2.0.36) does not support the test setup diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 6ea40009c..1762e2731 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in 
@@ -323,6 +323,9 @@ serial check). And then the zone is transferred for a newer zone version.
 .B view_local_data_remove \fIview\fR \fIname
 \fIlocal_data_remove\fR for given view.
 .TP
+.B view_local_datas_remove \fIview\fR
+Remove a list of \fIlocal_data\fR for given view from stdin. Like local_datas_remove.
+.TP
 .B view_local_datas \fIview\fR
 Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas.
 .SH "EXIT CODE"
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index a4d925499..6292f0d4d 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1296,7 +1296,7 @@ local\-data: "onion. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
 .fi
 .TP 10
-\h'5'\fItest (RFC 2606)\fR
+\h'5'\fItest (RFC 6761)\fR
 Default content:
 .nf
 local\-zone: "test." static
@@ -1305,7 +1305,7 @@ local\-data: "test. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
 .fi
 .TP 10
-\h'5'\fIinvalid (RFC 2606)\fR
+\h'5'\fIinvalid (RFC 6761)\fR
 Default content:
 .nf
 local\-zone: "invalid." static
diff --git a/services/localzone.c b/services/localzone.c
index 492bb8304..a0faf7d2a 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -823,12 +823,12 @@ int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg
 log_err("out of memory adding default zone");
 return 0;
 }
- /* test. zone (RFC 7686) */
+ /* test. zone (RFC 6761) */
 if(!add_empty_default(zones, cfg, "test.")) {
 log_err("out of memory adding default zone");
 return 0;
 }
- /* invalid. zone (RFC 7686) */
+ /* invalid. zone (RFC 6761) */
 if(!add_empty_default(zones, cfg, "invalid.")) {
 log_err("out of memory adding default zone");
 return 0;
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 4f51e400e..8e9e9c98d 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -157,6 +157,8 @@ usage(void)
 printf(" view_local_datas view add list of local-data to view\n");
 printf(" one entry per line read from stdin\n");
 printf(" view_local_data_remove view name remove local-data in view\n");
+ printf(" view_local_datas_remove view remove list of local-data from view\n");
+ printf(" one entry per line read from stdin\n");
 printf("Version %s\n", PACKAGE_VERSION);
 printf("BSD licensed, see LICENSE in source package for details.\n");
 printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
@@ -706,7 +708,8 @@ check_args_for_listcmd(int argc, char* argv[])
 fatal_exit("too many arguments for command '%s', "
 "content is piped in from stdin", argv[0]);
 }
- if(argc >= 1 && strcmp(argv[0], "view_local_datas") == 0 &&
+ if(argc >= 1 && (strcmp(argv[0], "view_local_datas") == 0 ||
+ strcmp(argv[0], "view_local_datas_remove") == 0) &&
 argc >= 3) {
 fatal_exit("too many arguments for command '%s', "
 "content is piped in from stdin", argv[0]);
@@ -755,7 +758,8 @@ go_cmd(SSL* ssl, int fd, int quiet, int argc, char* argv[])
 strcmp(argv[0], "local_zones_remove") == 0 ||
 strcmp(argv[0], "local_datas") == 0 ||
 strcmp(argv[0], "view_local_datas") == 0 ||
- strcmp(argv[0], "local_datas_remove") == 0)) {
+ strcmp(argv[0], "local_datas_remove") == 0 ||
+ strcmp(argv[0], "view_local_datas_remove") == 0)) {
 send_file(ssl, fd, stdin, buf, sizeof(buf));
 send_eof(ssl, fd);
 }
diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl
index a0d89af51..209831335 100644
--- a/testdata/subnet_cached.crpl
+++ b/testdata/subnet_cached.crpl
@@ -10,6 +10,8 @@ server:
 max-client-subnet-ipv4: 17
 module-config: "subnetcache validator iterator"
 verbosity: 3
+ fake-sha1: yes
+ fake-dsa: yes
 access-control: 127.0.0.1 allow_snoop
 qname-minimisation: "no"
 minimal-responses: no
diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl
index afec59933..01456e58b 100644
--- a/testdata/subnet_val_positive.crpl
+++ b/testdata/subnet_val_positive.crpl
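Review bot: The set of commands whose content is piped in from stdin is now spelled out in three places — the usage text, the `argc >= 3` check in check_args_for_listcmd and the strcmp chain in go_cmd — and this commit had to touch all three to add one command; a single `static int cmd_reads_stdin(const char* cmd)` backed by one table, called from both check_args_for_listcmd and go_cmd, would keep the lists from drifting apart. In the check_args_for_listcmd hunk the `argc >= 1 &&` guard only exists to make the `argv[0]` reads safe before `argc >= 3` is tested; testing the count first makes it unnecessary, `if(argc >= 3 && (strcmp(argv[0], "view_local_datas") == 0 ||` / `strcmp(argv[0], "view_local_datas_remove") == 0)) {`. The enclosing functions start and end outside the hunks.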
@@ -9,6 +9,8 @@ server:
 max-client-subnet-ipv4: 17
 module-config: "subnetcache validator iterator"
 verbosity: 3
+ fake-sha1: yes
+ fake-dsa: yes
 qname-minimisation: "no"
 minimal-responses: no
diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl
index e631a64e6..b573742b7 100644
--- a/testdata/subnet_val_positive_client.crpl
+++ b/testdata/subnet_val_positive_client.crpl
@@ -10,6 +10,8 @@ server:
 max-client-subnet-ipv4: 17
 module-config: "subnetcache validator iterator"
 verbosity: 3
+ fake-sha1: yes
+ fake-dsa: yes
 qname-minimisation: "no"
 minimal-responses: no
diff --git a/util/iana_ports.inc b/util/iana_ports.inc
index 3e6f3e6be..3b8afe54e 100644
--- a/util/iana_ports.inc
+++ b/util/iana_ports.inc
@@ -3904,6 +3904,7 @@
 4600,
 4601,
 4621,
+4646,
 4658,
 4659,
 4660,
diff --git a/util/netevent.c b/util/netevent.c
index 980bb8bea..9fe5da2d4 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -1120,6 +1120,14 @@ ssl_handshake(struct comm_point* c)
 return 0; /* closed */
 } else if(want == SSL_ERROR_SYSCALL) {
 /* SYSCALL and errno==0 means closed uncleanly */
+#ifdef EPIPE
+ if(errno == EPIPE && verbosity < 2)
+ return 0; /* silence 'broken pipe' */
+#endif
+#ifdef ECONNRESET
+ if(errno == ECONNRESET && verbosity < 2)
+ return 0; /* silence reset by peer */
+#endif
 if(errno != 0)
 log_err("SSL_handshake syscall: %s",
 strerror(errno));
diff --git a/util/random.c b/util/random.c
index bb564f2f9..6eb102c63 100644
--- a/util/random.c
+++ b/util/random.c
@@ -78,7 +78,7 @@
 */
 #define MAX_VALUE 0x7fffffff
-#if defined(HAVE_SSL)
+#if defined(HAVE_SSL) || defined(HAVE_LIBBSD)
 struct ub_randstate*
 ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
 {
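Review bot: Returning 0 for EPIPE and ECONNRESET at the default verbosity makes a burst of TLS handshakes aborted by the peer invisible in the operational log; from a detection standpoint that is exactly the signature of a scanner or of clients failing version or cipher negotiation, so consider counting these events in the server's TLS statistics before returning, or at least emitting them through verbose() at the detail level instead of dropping them outright. The literal `2` also duplicates a verbosity level that the log header names; `verbosity < VERB_DETAIL` states the intent and keeps the two guards in step with the existing log_err path. Note that errno is inspected here after the call that produced `want`, which the pre-existing `if(errno != 0)` line already relies on; if anything between the failing syscall and this point can clobber errno, the new guards misclassify the same way. ssl_handshake starts and ends outside the hunk.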
@@ -183,10 +183,10 @@ long int ub_random(struct ub_randstate* s)
 }
 return x & MAX_VALUE;
 }
-#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
+#endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE */
-#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
+#if defined(HAVE_NSS) || defined(HAVE_NETTLE) && !defined(HAVE_LIBBSD)
 long int
 ub_random_max(struct ub_randstate* state, long int x)
 {
@@ -198,7 +198,7 @@ ub_random_max(struct ub_randstate* state, long int x)
 v = ub_random(state);
 return (v % x);
 }
-#endif /* HAVE_NSS or HAVE_NETTLE */
+#endif /* HAVE_NSS or HAVE_NETTLE and !HAVE_LIBBSD */
 void
 ub_randfree(struct ub_randstate* s)
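Review bot: `#if defined(HAVE_NSS) || defined(HAVE_NETTLE) && !defined(HAVE_LIBBSD)` parses as `HAVE_NSS || (HAVE_NETTLE && !HAVE_LIBBSD)` because `&&` binds tighter than `||`, so a build with both NSS and libbsd still compiles this ub_random_max, while the closing comment in the second hunk, `HAVE_NSS or HAVE_NETTLE and !HAVE_LIBBSD`, reads as if libbsd excluded both; if the libbsd path provides its own ub_random_max inside the block that now opens with `defined(HAVE_SSL) || defined(HAVE_LIBBSD)`, that configuration is a duplicate definition, and if it does not, a libbsd+NSS build silently gets the NSS variant. Write the intent with parentheses, `#if (defined(HAVE_NSS) || defined(HAVE_NETTLE)) && !defined(HAVE_LIBBSD)`, and mirror the grouping in the `#endif` comment. The `ub_random_max` body between the two hunks is not visible here.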