From 05cb07093d5938f3caf0ffa1f11c4e0aed715ea1 Mon Sep 17 00:00:00 2001 From: frpet Date: Thu, 23 Jan 2020 08:23:16 +0100 Subject: [PATCH 01/30] Update unbound_munin_ Add TLS (DoT) counters --- contrib/unbound_munin_ | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contrib/unbound_munin_ b/contrib/unbound_munin_ index 5d3dff8e8..2839cd8b5 100755 --- a/contrib/unbound_munin_ +++ b/contrib/unbound_munin_ @@ -242,6 +242,8 @@ if test "$1" = "config" ; then p_config "total.num.prefetch" "cache prefetch" "ABSOLUTE" p_config "num.query.tcp" "TCP queries" "ABSOLUTE" p_config "num.query.tcpout" "TCP out queries" "ABSOLUTE" + p_config "num.query.tls" "TLS queries" "ABSOLUTE" + p_config "num.query.tls.resume" "TLS resumes" "ABSOLUTE" p_config "num.query.ipv6" "IPv6 queries" "ABSOLUTE" p_config "unwanted.queries" "queries that failed acl" "ABSOLUTE" p_config "unwanted.replies" "unwanted or unsolicited replies" "ABSOLUTE" @@ -443,7 +445,8 @@ hits) for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state | sed -e 's/=.*//'` total.num.queries \ total.num.cachehits total.num.prefetch num.query.tcp \ - num.query.tcpout num.query.ipv6 unwanted.queries \ + num.query.tcpout num.query.tls num.query.tls.resume \ + num.query.ipv6 unwanted.queries \ unwanted.replies; do if grep "^"$x"=" $state >/dev/null 2>&1; then print_value $x From 016f742f16bc3ea6e4cbafaf8b3e479581d3d6b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20KUBLER?= Date: Thu, 23 Jan 2020 15:46:53 +0100 Subject: [PATCH 02/30] Added a new unit file to run unbound with systemd and without chroot. See https://github.com/NLnetLabs/unbound/pull/149 --- contrib/unbound_nochroot.service.in | 97 +++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 contrib/unbound_nochroot.service.in diff --git a/contrib/unbound_nochroot.service.in b/contrib/unbound_nochroot.service.in new file mode 100644 index 000000000..301062e38 --- /dev/null +++ b/contrib/unbound_nochroot.service.in 
@@ -0,0 +1,97 @@
+; This unit file is provided to run unbound without chroot.
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+; - --with-pidfile=/run/unbound/unbound.pid
+; - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+; - chroot: ""
+; - pidfile: /run/unbound/unbound.pid
+;
+; Running without the chroot doesn't mean it's less secure. Simply put, we will
+; instead rely on a few systemd directives to harden the service.
+; To quote systemd : it's like a chroot on steroids !
+;
+; The most important parts are :
+;
+; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
+; read-only for the processes invoked by the unit except for the API file
+; system subtrees /dev, /proc and /sys (which are protected by
+; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
+;
+; - `PrivateTmp=yes` secures access to temporary files of the process, and
+; makes sharing between processes via /tmp or /var/tmp impossible.
+;
+; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
+; inaccessible and empty for processes invoked by the unit.
+;
+; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
+; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
+; the unit. It also implies `MountAPIVFS=yes`.
+;
+; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
+; unit User and Group with read-write permissions (0755) as soon as the
+; unit starts. This allows unbound to store its pidfile. The directory and
+; its content are automatically removed by systemd when the unit stops.
+;
+; - `NoNewPrivileges=yes` ensures that the service process and all its
+; children can never gain new privileges through execve().
+;
+; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
+; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
+;
+; - `RestrictRealTime=yes` ensures that any attempts to enable realtime
+; scheduling in a process invoked by the unit will be denied.
+;
+; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
+; is prohibited.
+;
+; - `LockPersonality=yes` locks down the personality system call so that the
+; kernel execution domain may not be changed from the default.
+;
+;
+; For further details about the directives used in this unit file, including
+; the above, please refer to systemd's official documentation, available at
+; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStop=+/bin/kill -TERM $MAINPID
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID \
+ CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+ConfigurationDirectory=unbound
+RuntimeDirectory=unbound
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
From c3f6f0a3329e7a533b36b5d8313f8a18ca1c0af1 Mon Sep 17 00:00:00 2001
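Review bot: The header comment names `ProtectKernelTunables=` as one of the protections covering /proc and /sys, but no `ProtectKernelTunables=` line exists in the `[Service]` section of this file, so /proc/sys and /sys stay writable to a root-capable process; either add `ProtectKernelTunables=true` next to `ProtectKernelModules=true` or remove it from the comment. `CapabilityBoundingSet=` still lists `CAP_SYS_CHROOT` although the file is documented for `chroot: ""`, so that capability has no use here and can be dropped. The comment's statement that `/run/unbound` is "owned by the unit User and Group" presumes a `User=` directive that this unit does not set; as written the directory is root-owned and confinement to an unprivileged user depends entirely on unbound's own `username:` setting, which the comment should say explicitly.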
From: =?UTF-8?q?Fran=C3=A7ois=20KUBLER?= Date: Thu, 23 Jan 2020 15:51:07 +0100 Subject: [PATCH 03/30] Patch configure.ac file to take the new contrib/unbound_nochroot.service unit file in consideration. All props to Wouter Wijngaards for this work. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 4ed9bb872..0104554dc 100644 --- a/configure.ac +++ b/configure.ac @@ -2047,6 +2047,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO]) AC_SUBST(date, [`date +'%b %e, %Y'`]) -AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service]) +AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service]) AC_CONFIG_HEADER([config.h]) AC_OUTPUT From 61456ff81d75a67803c4372948068788b465f558 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 23 Jan 2020 16:16:52 +0100 Subject: [PATCH 04/30] Changelog and contrib/README note for PR#150. - Merge PR#150 from Frzk: Systemd unit without chroot. It add contrib/unbound_nochroot.service.in, a systemd file for use with chroot: "", see comments in the file, it uses systemd protections instead. --- contrib/README | 3 +++ doc/Changelog | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/contrib/README b/contrib/README index f12e52f25..1dce78c09 100644 --- a/contrib/README +++ b/contrib/README 
@@ -31,6 +31,9 @@ distribution but may be helpful. Contributed by Yuri Voinov. * unbound.socket and unbound.service: systemd files for unbound, install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov. +* unbound_nochroot.service.in: systemd file for use with chroot: "", see + comments in the file, it uses systemd protections instead. Contributed + by Frzk. * redirect-bogus.patch: Return configured address for bogus A and AAAA answers, instead of SERVFAIL. Contributed by SIDN. * fastrpz.patch: fastrpz support from Farsight Security. diff --git a/doc/Changelog b/doc/Changelog index 519f4c3ea..e323cb84b 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,9 @@ +23 January 2020: Wouter + - Merge PR#150 from Frzk: Systemd unit without chroot. It add + contrib/unbound_nochroot.service.in, a systemd file for use with + chroot: "", see comments in the file, it uses systemd protections + instead. + 14 January 2020: Wouter - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests, because dnscrypt-proxy (2.0.36) does not support the test setup From f6b4f2a14918c96c3c3f5e35775e3edf4418ef24 Mon Sep 17 00:00:00 2001 
From: Steven Chamberlain Date: Thu, 16 Feb 2017 12:37:41 +0000 Subject: [PATCH 05/30] Allow use of libbsd functions with configure option --with-libbsd Add a new configure option `--with-libbsd', which allows to use libbsd's portable implementations of: strlcpy strlcat arc4random arc4random_uniform reallocarray instead of the embedded code copies in contrib/, which will be difficult to maintain in the long term. Also patch util/random.c so that, when building with libbsd and without OpenSSL, arc4random can still be used as the PRNG. Otherwise, building with libnettle would need a kernel-specific getentropy implementation, and libbsd does not export one. [edmonds@debian.org: Imported patch description from BTS, refreshed patch against Unbound 1.9.6.] --- configure.ac | 18 ++++++++++++++++++ contrib/libunbound.pc.in | 2 +- util/random.c | 8 ++++---- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac index 0104554dc..15efda669 100644 --- a/configure.ac +++ b/configure.ac @@ -881,6 +881,19 @@ fi fi AC_SUBST(SSLLIB) +# libbsd +AC_ARG_WITH([libbsd], AC_HELP_STRING([--with-libbsd], [Use portable libbsd functions]), [ + AC_CHECK_HEADERS([bsd/string.h bsd/stdlib.h],,, [AC_INCLUDES_DEFAULT]) + if test "x$ac_cv_header_bsd_string_h" = xyes -a "x$ac_cv_header_bsd_stdlib_h" = xyes; then + for func in strlcpy strlcat arc4random arc4random_uniform reallocarray; do + AC_SEARCH_LIBS([$func], [bsd], [ + AC_DEFINE(HAVE_LIBBSD, 1, [Use portable libbsd functions]) + PC_LIBBSD_DEPENDENCY=libbsd + AC_SUBST(PC_LIBBSD_DEPENDENCY) + ]) + done + fi +]) AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support])) case "$enable_sha1" in 
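Review bot: `AC_DEFINE(HAVE_LIBBSD, 1, ...)` is placed in the success action of `AC_SEARCH_LIBS` inside the `for func in ...` loop, so HAVE_LIBBSD is defined as soon as any one of the five functions resolves, even when a later one (for example `reallocarray` on an older libbsd) does not, and `util/random.c` then picks the arc4random path on that macro alone. `AC_SEARCH_LIBS` also reports success without adding `-lbsd` when libc already provides the symbol, so on such systems HAVE_LIBBSD is set while `PC_LIBBSD_DEPENDENCY` still advertises libbsd to pkg-config consumers. Collect a failure flag in the loop and define HAVE_LIBBSD only once every function was found:
```m4
  if test "x$ac_cv_header_bsd_string_h" = xyes -a "x$ac_cv_header_bsd_stdlib_h" = xyes; then
    libbsd_ok=yes
    for func in strlcpy strlcat arc4random arc4random_uniform reallocarray; do
      AC_SEARCH_LIBS([$func], [bsd], [], [libbsd_ok=no])
    done
    if test "x$libbsd_ok" = xyes; then
      AC_DEFINE(HAVE_LIBBSD, 1, [Use portable libbsd functions])
      PC_LIBBSD_DEPENDENCY=libbsd
      AC_SUBST(PC_LIBBSD_DEPENDENCY)
    fi
  fi
```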
@@ -1946,6 +1959,11 @@ char *strptime(const char *s, const char *format, struct tm *tm); void *reallocarray(void *ptr, size_t nmemb, size_t size); #endif +#ifdef HAVE_LIBBSD +#include +#include +#endif + #ifdef HAVE_LIBRESSL # if !HAVE_DECL_STRLCPY size_t strlcpy(char *dst, const char *src, size_t siz); diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in index 810c57134..e3e842695 100644 --- a/contrib/libunbound.pc.in +++ b/contrib/libunbound.pc.in @@ -8,7 +8,7 @@ Description: Library with validating, recursive, and caching DNS resolver URL: http://www.unbound.net Version: @PACKAGE_VERSION@ Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ -Requires.private: @PC_PY_DEPENDENCY@ +Requires.private: @PC_PY_DEPENDENCY@ @PC_LIBBSD_DEPENDENCY@ Libs: -L${libdir} -lunbound -lssl -lcrypto Libs.private: @SSLLIB@ @LIBS@ Cflags: -I${includedir} diff --git a/util/random.c b/util/random.c index bb564f2f9..6eb102c63 100644 --- a/util/random.c +++ b/util/random.c @@ -78,7 +78,7 @@ */ #define MAX_VALUE 0x7fffffff -#if defined(HAVE_SSL) +#if defined(HAVE_SSL) || defined(HAVE_LIBBSD) struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from)) { @@ -183,10 +183,10 @@ long int ub_random(struct ub_randstate* s) } return x & MAX_VALUE; } -#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ +#endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE */ -#if defined(HAVE_NSS) || defined(HAVE_NETTLE) +#if defined(HAVE_NSS) || defined(HAVE_NETTLE) && !defined(HAVE_LIBBSD) long int ub_random_max(struct ub_randstate* state, long int x) { @@ -198,7 +198,7 @@ ub_random_max(struct ub_randstate* state, long int x) v = ub_random(state); return (v % x); } -#endif /* HAVE_NSS or HAVE_NETTLE */ +#endif /* HAVE_NSS or HAVE_NETTLE and !HAVE_LIBBSD */ void ub_randfree(struct ub_randstate* s) From 36b5d74fc4e604e73ddd6689a140f7b324347e30 Mon Sep 17 00:00:00 2001 
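Review bot: The new guard `#if defined(HAVE_NSS) || defined(HAVE_NETTLE) && !defined(HAVE_LIBBSD)` parses as `HAVE_NSS || (HAVE_NETTLE && !HAVE_LIBBSD)` because `&&` binds tighter than `||`, so an NSS build configured with `--with-libbsd` still compiles this modulo-based `ub_random_max` while the first `#if defined(HAVE_SSL) || defined(HAVE_LIBBSD)` block is enabled as well; if that block also defines `ub_random_max` (its body starts above this hunk, outside the shown lines) the result is a duplicate definition. The matching `#endif` comment repeats the same ambiguous wording. Parenthesize both: `#if (defined(HAVE_NSS) || defined(HAVE_NETTLE)) && !defined(HAVE_LIBBSD)` and `#endif /* (HAVE_NSS or HAVE_NETTLE) and !HAVE_LIBBSD */`.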
From: Robert Edmonds Date: Sun, 26 Jan 2020 22:01:38 -0500 Subject: [PATCH 06/30] contrib/libunbound.pc.in: Only specify -lunbound for Libs According to the pkg-config manpage, the "Libs" line in a .pc file should give the link flags "specific to your package", and specifically says not to include link flags for dependencies: Libs: This line should give the link flags specific to your package. Don't add any flags for required packages; pkg-config will add those automatically. --- contrib/libunbound.pc.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in index 810c57134..74dfdb6fc 100644 --- a/contrib/libunbound.pc.in +++ b/contrib/libunbound.pc.in @@ -9,6 +9,6 @@ URL: http://www.unbound.net Version: @PACKAGE_VERSION@ Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ Requires.private: @PC_PY_DEPENDENCY@ -Libs: -L${libdir} -lunbound -lssl -lcrypto +Libs: -L${libdir} -lunbound Libs.private: @SSLLIB@ @LIBS@ -Cflags: -I${includedir} +Cflags: -I${includedir} From 394f9403df102e47bcebc174ed26968a68548c9f Mon Sep 17 00:00:00 2001 From: Robert Edmonds Date: Sun, 26 Jan 2020 22:23:53 -0500 Subject: [PATCH 07/30] contrib/libunbound.pc.in: Embed the correct crypto dependencies This commit removes the hardcoded dependency in the libunbound pkg-config .pc file on the libcrypto and libssl modules and instead populates the .pc file based on which crypto library was selected at configure time. Note that the .pc file specifies pkg-config module names for the "Requires" line and this can vary from the library filename (e.g. "nss" is the pkg-config module name vs. "nss3" being the library name). --- configure.ac | 7 +++++++ contrib/libunbound.pc.in | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 0104554dc..99c662792 100644 --- a/configure.ac +++ b/configure.ac 
@@ -761,6 +761,8 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path], fi LIBS="$LIBS -lnss3 -lnspr4" SSLLIB="" + PC_CRYPTO_DEPENDENCY="nss nspr" + AC_SUBST(PC_CRYPTO_DEPENDENCY) ] ) @@ -781,6 +783,8 @@ AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path], fi LIBS="$LIBS -lhogweed -lnettle -lgmp" SSLLIB="" + PC_CRYPTO_DEPENDENCY="hogweed nettle" + AC_SUBST(PC_CRYPTO_DEPENDENCY) ] ) @@ -790,6 +794,9 @@ ACX_WITH_SSL ACX_LIB_SSL SSLLIB="-lssl" +PC_CRYPTO_DEPENDENCY="libcrypto libssl" +AC_SUBST(PC_CRYPTO_DEPENDENCY) + # check if -lcrypt32 is needed because CAPIENG needs that. (on windows) BAKLIBS="$LIBS" LIBS="-lssl $LIBS" diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in index 74dfdb6fc..f7cd1e074 100644 --- a/contrib/libunbound.pc.in +++ b/contrib/libunbound.pc.in @@ -7,7 +7,7 @@ Name: unbound Description: Library with validating, recursive, and caching DNS resolver URL: http://www.unbound.net Version: @PACKAGE_VERSION@ -Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ +Requires: @PC_CRYPTO_DEPENDENCY@ @PC_LIBEVENT_DEPENDENCY@ Requires.private: @PC_PY_DEPENDENCY@ Libs: -L${libdir} -lunbound Libs.private: @SSLLIB@ @LIBS@ From 82a6a2f8ccf6f1a80d15264eb1a9e7799daf08e7 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 27 Jan 2020 09:31:07 +0100 Subject: [PATCH 08/30] Changelog note for PR#155. - Merge PR#155 from Rober Edmonds: contrib/libunbound.pc.in: Fixes to Libs/Requires for crypto library dependencies. --- doc/Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index e323cb84b..e372886d0 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +27 January 2020: Wouter + - Merge PR#155 from Rober Edmonds: contrib/libunbound.pc.in: Fixes + to Libs/Requires for crypto library dependencies. + 23 January 2020: Wouter - Merge PR#150 from Frzk: Systemd unit without chroot. It add contrib/unbound_nochroot.service.in, a systemd file for use with 
From 68ff1730ac9cb7f339d6618b87977f69dc02d974 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 27 Jan 2020 09:40:18 +0100 Subject: [PATCH 09/30] - Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance. --- configure | 19 +++++++++++++++---- configure.ac | 8 +++++--- doc/Changelog | 2 ++ 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/configure b/configure index eb855554d..d5f8d8cee 100755 --- a/configure +++ b/configure @@ -675,6 +675,7 @@ SUBNET_HEADER SUBNET_OBJ SSLLIB HAVE_SSL +PC_CRYPTO_DEPENDENCY CONFIG_DATE NETBSD_LINTFLAGS PYUNBOUND_UNINSTALL @@ -17759,6 +17760,8 @@ $as_echo "#define HAVE_NSS 1" >>confdefs.h fi LIBS="$LIBS -lnss3 -lnspr4" SSLLIB="" + PC_CRYPTO_DEPENDENCY="nss nspr" + fi @@ -17802,6 +17805,8 @@ done fi LIBS="$LIBS -lhogweed -lnettle -lgmp" SSLLIB="" + PC_CRYPTO_DEPENDENCY="hogweed nettle" + fi @@ -18152,6 +18157,9 @@ rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext SSLLIB="-lssl" +PC_CRYPTO_DEPENDENCY="libcrypto libssl" + + # check if -lcrypt32 is needed because CAPIENG needs that. (on windows) BAKLIBS="$LIBS" LIBS="-lssl $LIBS" @@ -18745,9 +18753,7 @@ fi use_dsa="no" case "$enable_dsa" in - no) - ;; - *) + yes) # detect if DSA is supported, and turn it off if not. if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then ac_fn_c_check_func "$LINENO" "DSA_SIG_new" "ac_cv_func_DSA_SIG_new" @@ -18800,6 +18806,10 @@ _ACEOF fi ;; + *) + # disable dsa by default, RFC 8624 section 3.1, validators MUST NOT + # support DSA for DNSSEC Validation. + ;; esac # Check whether --enable-ed25519 was given. 
@@ -21431,7 +21441,7 @@ version=1.9.7 date=`date +'%b %e, %Y'` -ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service" +ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service" ac_config_headers="$ac_config_headers config.h" @@ -22437,6 +22447,7 @@ do "contrib/libunbound.pc") CONFIG_FILES="$CONFIG_FILES contrib/libunbound.pc" ;; "contrib/unbound.socket") CONFIG_FILES="$CONFIG_FILES contrib/unbound.socket" ;; "contrib/unbound.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound.service" ;; + "contrib/unbound_nochroot.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_nochroot.service" ;; "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; diff --git a/configure.ac b/configure.ac index 99c662792..a356dcf7d 100644 --- a/configure.ac +++ b/configure.ac @@ -1072,9 +1072,7 @@ esac AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support])) use_dsa="no" case "$enable_dsa" in - no) - ;; - *) + yes) # detect if DSA is supported, and turn it off if not. if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then AC_CHECK_FUNC(DSA_SIG_new, [ 
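Review bot: With `*)` now the disabled branch, the only meaningful spelling of the option is `--enable-dsa`, yet the context line `AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))` still advertises `--disable-dsa`, so `./configure --help` describes a default that no longer exists. Change it to `AC_HELP_STRING([--enable-dsa], [Enable DSA support, disabled by default per RFC 8624])`. It is also worth one sentence in the changelog or unbound.conf(5) that zones signed only with algorithms 3 or 6 should now validate as insecure (unsupported algorithm) rather than secure, since that is an observable change for operators even though it is what RFC 8624 intends.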
@@ -1105,6 +1103,10 @@ AC_INCLUDES_DEFAULT AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.]) fi ;; + *) + # disable dsa by default, RFC 8624 section 3.1, validators MUST NOT + # support DSA for DNSSEC Validation. + ;; esac AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--disable-ed25519], [Disable ED25519 support])) diff --git a/doc/Changelog b/doc/Changelog index e372886d0..e38191ebb 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,8 @@ 27 January 2020: Wouter - Merge PR#155 from Rober Edmonds: contrib/libunbound.pc.in: Fixes to Libs/Requires for crypto library dependencies. + - Fix #153: Disable validation for DSA algorithms. RFC 8624 + compliance. 23 January 2020: Wouter - Merge PR#150 from Frzk: Systemd unit without chroot. It add From 1464bedce25f270508a3c9d921448afedc9ec9a2 Mon Sep 17 00:00:00 2001 From: Maryse47 <41080948+Maryse47@users.noreply.github.com> Date: Fri, 24 Jan 2020 13:41:06 +0100 Subject: [PATCH 10/30] unbound.service.in: add RuntimeDirectory and ConfigurationDirectory Adding 'RuntimeDirectory' is needed when pidfile path is set to subdirectory under /run. Adding ConfigurationDirectory may help in some non-standard setups. Also add more descriptions about used rules to avoid user confusion about they meaning and purpose. --- contrib/unbound.service.in | 63 ++++++++++++++++++++++++++++++++++---- 1 file changed, 57 insertions(+), 6 deletions(-) diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index 13ca4b294..d0e294213 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in 
@@ -1,3 +1,44 @@
+; For further details about the directives used in this unit file, including
+; the below, please refer to systemd's official documentation, available at
+; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
+;
+;
+; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
+; read-only for the processes invoked by the unit except for the API file
+; system subtrees /dev, /proc and /sys (which are protected by
+; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
+;
+; - `PrivateTmp=yes` secures access to temporary files of the process, and
+; makes sharing between processes via /tmp or /var/tmp impossible.
+;
+; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
+; inaccessible and empty for processes invoked by the unit.
+;
+; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
+; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
+; the unit. It also implies `MountAPIVFS=yes`.
+;
+; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
+; unit User and Group with read-write permissions (0755) as soon as the
+; unit starts. This allows unbound to store its pidfile. The directory and
+; its content are automatically removed by systemd when the unit stops.
+;
+; - `NoNewPrivileges=yes` ensures that the service process and all its
+; children can never gain new privileges through execve().
+;
+; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
+; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
+;
+; - `RestrictRealTime=yes` ensures that any attempts to enable realtime
+; scheduling in a process invoked by the unit will be denied.
+;
+; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
+; is prohibited.
+;
+; - `LockPersonality=yes` locks down the personality system call so that the
+; kernel execution domain may not be changed from the default.
+;
+;
 [Unit]
 Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
@@ -22,12 +63,8 @@ ProtectHome=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectSystem=strict
-ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
-BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
-BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
-BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
@@ -35,3 +72,17 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete
 RestrictNamespaces=yes
 LockPersonality=yes
 RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below is needed when pidfile is stored directly under /run like /run/unbound.pid.
+# If pidfile is stored under subdirectory like /run/unbound/unbound.pid instead
+# then it may be safely removed.
+ReadWritePaths=/run
+
+# Below rules are needed when chroot is enabled (usually it's enabled by default).
+# If chroot is disabled like chrooot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
From 72bfa5a48c309443a5eb62f8cfc2cd1219eb1401 Mon Sep 17 00:00:00 2001
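Review bot: The added comment block describes `ProtectKernelTunables=` as one of the protections for /proc and /sys, but no such directive is visible in the `[Service]` context of the later hunks (ProtectHome, ProtectControlGroups, ProtectKernelModules, ProtectSystem only); if the unit really lacks it, add `ProtectKernelTunables=true`, otherwise readers will assume a protection that is not in force. The `RuntimeDirectory=unbound` paragraph also says the directory is owned by the unit User and Group, which is only true when `User=` is set; none is visible in these hunks, so the sentence should be qualified or the unit should gain `User=`/`Group=`.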
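Review bot: `ReadWritePaths=/run` makes all of /run writable for the service, including /run/systemd and every other unit's runtime directory, which largely cancels what `ProtectSystem=strict` provides for that tree; since `RuntimeDirectory=unbound` is now present, pointing the default pidfile at `/run/unbound/unbound.pid` lets this line be removed instead of being left in with a "may be safely removed" note. The comment `# If chroot is disabled like chrooot: ""` has a typo, `chrooot` should read `chroot`. `ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@` also grants write access to the whole chroot tree, which on builds where the chroot directory coincides with the configuration directory includes unbound.conf itself; the substituted values are not visible here, so this is worth a comment rather than a change.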
From: Maryse47 <41080948+Maryse47@users.noreply.github.com> Date: Sat, 25 Jan 2020 00:48:25 +0100 Subject: [PATCH 11/30] Move unbound_nochroot.service to unbound_portable.service The real purpose of this service is to make it work with https://systemd.io/PORTABLE_SERVICES/ which are incompatible with chroot workarounds from original unbound.service. The service content is identical to unbound.service with exception for chroot related rules which were modified as needed. --- configure | 4 +- configure.ac | 2 +- contrib/README | 5 +- contrib/unbound_nochroot.service.in | 97 ----------------------------- contrib/unbound_portable.service.in | 50 +++++++++++++++ 5 files changed, 55 insertions(+), 103 deletions(-) delete mode 100644 contrib/unbound_nochroot.service.in create mode 100644 contrib/unbound_portable.service.in diff --git a/configure b/configure index d5f8d8cee..cc9ac46e8 100755 --- a/configure +++ b/configure @@ -21441,7 +21441,7 @@ version=1.9.7 date=`date +'%b %e, %Y'` -ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service" +ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service" ac_config_headers="$ac_config_headers config.h" 
@@ -22447,7 +22447,7 @@ do "contrib/libunbound.pc") CONFIG_FILES="$CONFIG_FILES contrib/libunbound.pc" ;; "contrib/unbound.socket") CONFIG_FILES="$CONFIG_FILES contrib/unbound.socket" ;; "contrib/unbound.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound.service" ;; - "contrib/unbound_nochroot.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_nochroot.service" ;; + "contrib/unbound_portable.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_portable.service" ;; "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; diff --git a/configure.ac b/configure.ac index a356dcf7d..47a86c560 100644 --- a/configure.ac +++ b/configure.ac @@ -2056,6 +2056,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO]) AC_SUBST(date, [`date +'%b %e, %Y'`]) -AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service]) +AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service]) AC_CONFIG_HEADER([config.h]) AC_OUTPUT diff --git a/contrib/README b/contrib/README index 1dce78c09..d8afceabd 100644 --- a/contrib/README +++ b/contrib/README 
@@ -31,9 +31,8 @@ distribution but may be helpful. Contributed by Yuri Voinov. * unbound.socket and unbound.service: systemd files for unbound, install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov. -* unbound_nochroot.service.in: systemd file for use with chroot: "", see - comments in the file, it uses systemd protections instead. Contributed - by Frzk. +* unbound_portable.service.in: systemd file for use unbound as portable service, + see comments in the file. Contributed by Frzk. * redirect-bogus.patch: Return configured address for bogus A and AAAA answers, instead of SERVFAIL. Contributed by SIDN. * fastrpz.patch: fastrpz support from Farsight Security. diff --git a/contrib/unbound_nochroot.service.in b/contrib/unbound_nochroot.service.in deleted file mode 100644 index 301062e38..000000000 --- a/contrib/unbound_nochroot.service.in +++ /dev/null 
@@ -1,97 +0,0 @@ -; This unit file is provided to run unbound without chroot. -; -; To use this unit file, please make sure you either compile unbound with the -; following options: -; -; - --with-pidfile=/run/unbound/unbound.pid -; - --with-chroot-dir="" -; -; Or put the following options in your unbound configuration file: -; -; - chroot: "" -; - pidfile: /run/unbound/unbound.pid -; -; Running without the chroot doesn't mean it's less secure. Simply put, we will -; instead rely on a few systemd directives to harden the service. -; To quote systemd : it's like a chroot on steroids ! -; -; The most important parts are : -; -; - `ProtectSystem=strict` implies we mount the entire file system hierarchy -; read-only for the processes invoked by the unit except for the API file -; system subtrees /dev, /proc and /sys (which are protected by -; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). -; -; - `PrivateTmp=yes` secures access to temporary files of the process, and -; makes sharing between processes via /tmp or /var/tmp impossible. -; -; - `ProtectHome=yes` makes the directories /home, /root, and /run/user -; inaccessible and empty for processes invoked by the unit. -; -; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies -; (accessible through /sys/fs/cgroup) read-only to all processes invoked by -; the unit. It also implies `MountAPIVFS=yes`. -; -; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the -; unit User and Group with read-write permissions (0755) as soon as the -; unit starts. This allows unbound to store its pidfile. The directory and -; its content are automatically removed by systemd when the unit stops. -; -; - `NoNewPrivileges=yes` ensures that the service process and all its -; children can never gain new privileges through execve(). -; -; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID -; (SUID) or set-group-ID (SGID) bits on files or directories will be denied. 
-; -; - `RestrictRealTime=yes` ensures that any attempts to enable realtime -; scheduling in a process invoked by the unit will be denied. -; -; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing -; is prohibited. -; -; - `LockPersonality=yes` locks down the personality system call so that the -; kernel execution domain may not be changed from the default. -; -; -; For further details about the directives used in this unit file, including -; the above, please refer to systemd's official documentation, available at -; https://www.freedesktop.org/software/systemd/man/systemd.exec.html. -; -; -[Unit] -Description=Validating, recursive, and caching DNS resolver -Documentation=man:unbound(8) -After=network.target -Before=network-online.target nss-lookup.target -Wants=nss-lookup.target - -[Install] -WantedBy=multi-user.target - -[Service] -ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -ExecReload=+/bin/kill -HUP $MAINPID -ExecStop=+/bin/kill -TERM $MAINPID -NotifyAccess=main -Type=notify -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID \ - CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW -MemoryDenyWriteExecute=true -NoNewPrivileges=true -PrivateDevices=true -PrivateTmp=true -ProtectHome=true -ProtectControlGroups=true -ProtectKernelModules=true -ProtectSystem=strict -ConfigurationDirectory=unbound -RuntimeDirectory=unbound -BindPaths=/run/systemd/notify -BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -RestrictRealtime=true -SystemCallArchitectures=native -SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources -RestrictNamespaces=yes -LockPersonality=yes -RestrictSUIDSGID=yes diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in new file mode 100644 index 000000000..53dc8701b --- /dev/null +++ b/contrib/unbound_portable.service.in 
@@ -0,0 +1,50 @@
+; This unit file is provided to run unbound as portable service.
+; https://systemd.io/PORTABLE_SERVICES/
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+; - --with-pidfile=/run/unbound/unbound.pid
+; - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+; - chroot: ""
+; - pidfile: /run/unbound/unbound.pid
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
From cfce0a5e60cbe4c11a52b6b084265dae437b05ec Mon Sep 17 00:00:00 2001
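Review bot: `CapabilityBoundingSet=` in the [Service] section keeps CAP_SYS_CHROOT although the header comment makes disabling chroot (`--with-chroot-dir=""` or `chroot: ""`) a precondition for using this unit, so the capability can never be exercised and only widens the set a compromised process could request; drop it: `CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_NET_RAW`. CAP_NET_RAW sits in the same list; whether unbound opens raw sockets is not visible from this unit, so confirm it is needed before keeping it. Unlike unbound_nochroot.service.in, the header carries no rationale for the hardening directives; a one-line pointer to systemd.exec(5) would help readers judge the list.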
From: Maryse47 <41080948+Maryse47@users.noreply.github.com> Date: Mon, 27 Jan 2020 13:46:31 +0100 Subject: [PATCH 12/30] unbound.service.in: add StateDirectory The state directory will be created under /var/lib/unbound and is useful for writing files managed at runtime, such as trust anchor updates, there instead of into ConfigurationDirectory, which could be made read-only next. For this, chroot needs to be disabled. --- contrib/unbound.service.in | 1 + contrib/unbound_portable.service.in | 1 + 2 files changed, 2 insertions(+) diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index d0e294213..b1211a4be 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -65,6 +65,7 @@ ProtectKernelModules=true ProtectSystem=strict RuntimeDirectory=unbound ConfigurationDirectory=unbound +StateDirectory=unbound RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX RestrictRealtime=true SystemCallArchitectures=native diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in index 53dc8701b..cbfc58f99 100644 --- a/contrib/unbound_portable.service.in +++ b/contrib/unbound_portable.service.in @@ -39,6 +39,7 @@ ProtectKernelModules=true ProtectSystem=strict RuntimeDirectory=unbound ConfigurationDirectory=unbound +StateDirectory=unbound RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX RestrictRealtime=true SystemCallArchitectures=native From 41621fb1df69bd4437073bfdba5b103ff0ad6976 Mon Sep 17 00:00:00 2001 From: Ralph Dolmans Date: Mon, 27 Jan 2020 15:50:12 +0100 Subject: [PATCH 13/30] - Add changelog entry for PR#154 - autoconf after PR#154 --- config.h.in | 14 ++++++ configure | 117 +++++++++++++++++++++++++++++++++++++++++++++++--- doc/Changelog | 6 ++- 3 files changed, 130 insertions(+), 7 deletions(-) diff --git a/config.h.in b/config.h.in index 8c2aa3b94..15940c04f 100644 --- a/config.h.in +++ b/config.h.in 
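Review bot: `StateDirectory=unbound` is added to both unit files without a comment, although the commit message says it is only useful when chroot is disabled, and unbound.service.in elsewhere notes that chroot is usually enabled by default; a reader of the unit alone will assume runtime files land in /var/lib/unbound under the default configuration. Put `# /var/lib/unbound; only reachable by unbound when chroot is disabled (chroot: "")` above the new line in both files. Without that hint a deployment that keeps the chroot would presumably continue writing into ConfigurationDirectory, which the message says is meant to become read-only.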
@@ -63,6 +63,12 @@ /* Whether the C compiler accepts the "weak" attribute */ #undef HAVE_ATTR_WEAK +/* Define to 1 if you have the header file. */ +#undef HAVE_BSD_STDLIB_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_BSD_STRING_H + /* Define to 1 if you have the `chown' function. */ #undef HAVE_CHOWN @@ -311,6 +317,9 @@ /* Define to 1 if you have the `kill' function. */ #undef HAVE_KILL +/* Use portable libbsd functions */ +#undef HAVE_LIBBSD + /* Define to 1 if you have the header file. */ #undef HAVE_LIBKERN_OSBYTEORDER_H @@ -1231,6 +1240,11 @@ char *strptime(const char *s, const char *format, struct tm *tm); void *reallocarray(void *ptr, size_t nmemb, size_t size); #endif +#ifdef HAVE_LIBBSD +#include +#include +#endif + #ifdef HAVE_LIBRESSL # if !HAVE_DECL_STRLCPY size_t strlcpy(char *dst, const char *src, size_t siz); diff --git a/configure b/configure index d5f8d8cee..c22850d4b 100755 --- a/configure +++ b/configure @@ -673,6 +673,7 @@ UNBOUND_EVENT_UNINSTALL UNBOUND_EVENT_INSTALL SUBNET_HEADER SUBNET_OBJ +PC_LIBBSD_DEPENDENCY SSLLIB HAVE_SSL PC_CRYPTO_DEPENDENCY @@ -802,6 +803,7 @@ infodir docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -860,6 +862,7 @@ enable_swig_version_check with_nss with_nettle with_ssl +with_libbsd enable_sha1 enable_sha2 enable_subnet @@ -948,6 +951,7 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' 
@@ -1200,6 +1204,15 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1337,7 +1350,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1490,6 +1503,7 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -1621,6 +1635,7 @@ Optional Packages: --with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr) + --with-libbsd Use portable libbsd functions --with-libevent=pathname use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr or you can specify 
@@ -15645,7 +15660,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -15691,7 +15706,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -15715,7 +15730,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -15760,7 +15775,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; 
@@ -15784,7 +15799,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; 
@@ -18450,6 +18465,96 @@ fi fi +# libbsd + +# Check whether --with-libbsd was given. +if test "${with_libbsd+set}" = set; then : + withval=$with_libbsd; + for ac_header in bsd/string.h bsd/stdlib.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default +" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + if test "x$ac_cv_header_bsd_string_h" = xyes -a "x$ac_cv_header_bsd_stdlib_h" = xyes; then + for func in strlcpy strlcat arc4random arc4random_uniform reallocarray; do + as_ac_Search=`$as_echo "ac_cv_search_$func" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing $func" >&5 +$as_echo_n "checking for library containing $func... " >&6; } +if eval \${$as_ac_Search+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char $func (); +int +main () +{ +return $func (); + ; + return 0; +} +_ACEOF +for ac_lib in '' bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + eval "$as_ac_Search=\$ac_res" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if eval \${$as_ac_Search+:} false; then : + break +fi +done +if eval \${$as_ac_Search+:} false; then : + +else + eval "$as_ac_Search=no" +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +eval ac_res=\$$as_ac_Search + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +eval ac_res=\$$as_ac_Search +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + + +$as_echo "#define HAVE_LIBBSD 1" >>confdefs.h + + PC_LIBBSD_DEPENDENCY=libbsd + + +fi + + done + fi + +fi + # Check whether --enable-sha1 was given. if test "${enable_sha1+set}" = set; then : diff --git a/doc/Changelog b/doc/Changelog index e38191ebb..f5ae1fc80 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,9 @@ +27 January 2020: Ralph + - Merge PR#154; Allow use of libbsd functions with configure option + --with-libbsd. By Robert Edmonds and Steven Chamberlain. + 27 January 2020: Wouter - - Merge PR#155 from Rober Edmonds: contrib/libunbound.pc.in: Fixes + - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes to Libs/Requires for crypto library dependencies. - Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance. From 0feee99055786c24205970faacac6ed39835be28 Mon Sep 17 00:00:00 2001 From: Ralph Dolmans Date: Mon, 27 Jan 2020 16:06:06 +0100 Subject: [PATCH 14/30] - Add changelog entry for PR#148. --- doc/Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/Changelog b/doc/Changelog index f5ae1fc80..b6ff710a1 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,6 +1,7 @@ 27 January 2020: Ralph - Merge PR#154; Allow use of libbsd functions with configure option --with-libbsd. By Robert Edmonds and Steven Chamberlain. + - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai. 27 January 2020: Wouter - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes From c3fac2550f3e4989cb56c2e540b7e45c4cc6c4bf Mon Sep 17 00:00:00 2001 From: Mikhail Nacharov Date: Tue, 21 Jan 2020 17:13:50 +0500 Subject: [PATCH 15/30] minor #1344 change rfc reference for reserved top level dns names --- doc/unbound.conf.5.in | 4 ++-- services/localzone.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index a4d925499..6292f0d4d 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1296,7 +1296,7 @@ local\-data: "onion. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" .fi .TP 10 -\h'5'\fItest (RFC 2606)\fR +\h'5'\fItest (RFC 6761)\fR Default content: .nf local\-zone: "test." static @@ -1305,7 +1305,7 @@ local\-data: "test. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" .fi .TP 10 -\h'5'\fIinvalid (RFC 2606)\fR +\h'5'\fIinvalid (RFC 6761)\fR Default content: .nf local\-zone: "invalid." static diff --git a/services/localzone.c b/services/localzone.c index 492bb8304..a0faf7d2a 100644 --- a/services/localzone.c +++ b/services/localzone.c @@ -823,12 +823,12 @@ int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg log_err("out of memory adding default zone"); return 0; } - /* test. zone (RFC 7686) */ + /* test. zone (RFC 6761) */ if(!add_empty_default(zones, cfg, "test.")) { log_err("out of memory adding default zone"); return 0; } - /* invalid. zone (RFC 7686) */ + /* invalid. zone (RFC 6761) */ if(!add_empty_default(zones, cfg, "invalid.")) { log_err("out of memory adding default zone"); return 0; From c0789a878556b482e53a52228fae30765f2d06b2 Mon Sep 17 00:00:00 2001 
From: Maryse47 <41080948+Maryse47@users.noreply.github.com> Date: Mon, 27 Jan 2020 18:31:10 +0100 Subject: [PATCH 16/30] unbound.service.in: allow CAP_CHOWN CAP_CHOWN is needed for changing ownership of the pidfile before dropping privileges and for truncating the pidfile on exit. --- contrib/unbound.service.in | 2 +- contrib/unbound_portable.service.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index b1211a4be..e3361db59 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -54,7 +54,7 @@ ExecReload=+/bin/kill -HUP $MAINPID ExecStart=@UNBOUND_SBIN_DIR@/unbound -d NotifyAccess=main Type=notify -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in index cbfc58f99..9e830cd21 100644 --- a/contrib/unbound_portable.service.in +++ b/contrib/unbound_portable.service.in @@ -28,7 +28,7 @@ ExecReload=+/bin/kill -HUP $MAINPID ExecStart=@UNBOUND_SBIN_DIR@/unbound -d NotifyAccess=main Type=notify -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true From f6287fc718527a9f3f7bffc5425781403c700ba7 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 28 Jan 2020 12:25:37 +0100 Subject: [PATCH 17/30] - iana portlist updated. --- doc/Changelog | 3 +++ util/iana_ports.inc | 1 + 2 files changed, 4 insertions(+) 
diff --git a/doc/Changelog b/doc/Changelog index b6ff710a1..6e0fb35f6 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +28 January 2020: Wouter + - iana portlist updated. + 27 January 2020: Ralph - Merge PR#154; Allow use of libbsd functions with configure option --with-libbsd. By Robert Edmonds and Steven Chamberlain. diff --git a/util/iana_ports.inc b/util/iana_ports.inc index 3e6f3e6be..3b8afe54e 100644 --- a/util/iana_ports.inc +++ b/util/iana_ports.inc @@ -3904,6 +3904,7 @@ 4600, 4601, 4621, +4646, 4658, 4659, 4660, From a930b946588e436706a91d47b4f717779d07b7d5 Mon Sep 17 00:00:00 2001 From: Ralph Dolmans Date: Tue, 28 Jan 2020 13:41:26 +0100 Subject: [PATCH 18/30] - Add PR#147 merge to changelog --- doc/Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 6e0fb35f6..ebaf368af 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +28 January 2020: Ralph + - Merge PR#147; change rfc reference for reserved top level dns names. + 28 January 2020: Wouter - iana portlist updated. From 6c0a863584e888c10a5b3f4afdf42502d36bccc7 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 28 Jan 2020 14:32:06 +0100 Subject: [PATCH 19/30] - Fix to silence the tls handshake errors for broken pipe and reset by peer, unless verbosity is set to 2 or higher. --- doc/Changelog | 2 ++ util/netevent.c | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index ebaf368af..c551dc09c 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,8 @@ 28 January 2020: Wouter - iana portlist updated. + - Fix to silence the tls handshake errors for broken pipe and reset + by peer, unless verbosity is set to 2 or higher. 27 January 2020: Ralph - Merge PR#154; Allow use of libbsd functions with configure option diff --git a/util/netevent.c b/util/netevent.c index 980bb8bea..9fe5da2d4 100644 --- a/util/netevent.c +++ b/util/netevent.c 
@@ -1120,6 +1120,14 @@ ssl_handshake(struct comm_point* c) return 0; /* closed */ } else if(want == SSL_ERROR_SYSCALL) { /* SYSCALL and errno==0 means closed uncleanly */ +#ifdef EPIPE + if(errno == EPIPE && verbosity < 2) + return 0; /* silence 'broken pipe' */ +#endif +#ifdef ECONNRESET + if(errno == ECONNRESET && verbosity < 2) + return 0; /* silence reset by peer */ +#endif if(errno != 0) log_err("SSL_handshake syscall: %s", strerror(errno)); From 939cf38576727ac2f52d3aacae4b446caad039e5 Mon Sep 17 00:00:00 2001 From: Maryse47 <41080948+Maryse47@users.noreply.github.com> Date: Tue, 28 Jan 2020 18:42:41 +0100 Subject: [PATCH 20/30] unbound.service.in: drop CAP_IPC_LOCK CAP_IPC_LOCK controls whether a process can lock pages into physical memory (for instance to prevent passwords or private keys from being swapped to disk), e.g. mmap() with the MAP_LOCKED flag or shmctl() with the SHM_LOCK command, neither of which seem to be used by unbound. --- contrib/unbound.service.in | 2 +- contrib/unbound_portable.service.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index e3361db59..ec6b3ba28 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -54,7 +54,7 @@ ExecReload=+/bin/kill -HUP $MAINPID ExecStart=@UNBOUND_SBIN_DIR@/unbound -d NotifyAccess=main Type=notify -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in index 9e830cd21..a77df49fa 100644 --- a/contrib/unbound_portable.service.in +++ b/contrib/unbound_portable.service.in 
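Review bot: The two new guards in ssl_handshake's SSL_ERROR_SYSCALL branch spell the threshold as the literal `2` and repeat the same `&& verbosity < 2 ... return 0` shape under two separate `#ifdef`s; unbound's log.h names that level, so `verbosity < VERB_DETAIL` says what is meant, and where both errno values are available one combined test reads better: `if((errno == EPIPE || errno == ECONNRESET) && verbosity < VERB_DETAIL) return 0; /* silence broken pipe / reset by peer */`. Below that verbosity an aborted TLS handshake now leaves no log line at all, which is the commit's intent; a comment on the `#ifdef EPIPE` line noting that these are peer-side aborts rather than local failures would make that choice explicit for the next reader. ssl_handshake begins before and ends after this hunk.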
@@ -28,7 +28,7 @@ ExecReload=+/bin/kill -HUP $MAINPID ExecStart=@UNBOUND_SBIN_DIR@/unbound -d NotifyAccess=main Type=notify -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true From 9aa4b5a7a61f3fc03d49e904cca6d31523e8b073 Mon Sep 17 00:00:00 2001 From: Maryse47 <41080948+Maryse47@users.noreply.github.com> Date: Tue, 28 Jan 2020 18:47:21 +0100 Subject: [PATCH 21/30] unbound.service.in: don't write pidfile at start Pidfiles aren't needed while running unbound through systemd. The PID of the unbound daemon can still be obtained with: 'systemctl show --property MainPID --value unbound'. While disabling pidfiles we can also drop CAP_CHOWN and writable /run directory. --- contrib/unbound.service.in | 9 ++------- contrib/unbound_portable.service.in | 6 ++---- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index ec6b3ba28..8c51bcbbe 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -51,10 +51,10 @@ WantedBy=multi-user.target [Service] ExecReload=+/bin/kill -HUP $MAINPID -ExecStart=@UNBOUND_SBIN_DIR@/unbound -d +ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p NotifyAccess=main Type=notify -CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true 
@@ -75,11 +75,6 @@ LockPersonality=yes RestrictSUIDSGID=yes ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ -# Below is needed when pidfile is stored directly under /run like /run/unbound.pid. -# If pidfile is stored under subdirectory like /run/unbound/unbound.pid instead -# then it may be safely removed. -ReadWritePaths=/run - # Below rules are needed when chroot is enabled (usually it's enabled by default). # If chroot is disabled like chrooot: "" then they may be safely removed. TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in index a77df49fa..998b66dec 100644 --- a/contrib/unbound_portable.service.in +++ b/contrib/unbound_portable.service.in @@ -4,13 +4,11 @@ ; To use this unit file, please make sure you either compile unbound with the ; following options: ; -; - --with-pidfile=/run/unbound/unbound.pid ; - --with-chroot-dir="" ; ; Or put the following options in your unbound configuration file: ; ; - chroot: "" -; - pidfile: /run/unbound/unbound.pid ; ; [Unit] @@ -25,10 +23,10 @@ WantedBy=multi-user.target [Service] ExecReload=+/bin/kill -HUP $MAINPID -ExecStart=@UNBOUND_SBIN_DIR@/unbound -d +ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p NotifyAccess=main Type=notify -CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true From 396d4223d97284f62988d5a6f00fad62edd03791 Mon Sep 17 00:00:00 2001 From: Alexander Berkes Date: Wed, 29 Jan 2020 02:28:00 +0100 Subject: [PATCH 22/30] Added unbound-control view_local_datas_remove command --- daemon/remote.c | 23 +++++++++++++++++++++++ smallapp/unbound-control.c | 8 ++++++-- 2 files changed, 29 insertions(+), 2 deletions(-) 
diff --git a/daemon/remote.c b/daemon/remote.c index 25547f570..f69e0ef07 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -1479,6 +1479,27 @@ do_view_data_remove(RES* ssl, struct worker* worker, char* arg) lock_rw_unlock(&v->lock); } +/** Remove RR data from stdin from view */ +static void +do_view_datas_remove(RES* ssl, struct worker* worker, char* arg) +{ + struct view* v; + v = views_find_view(worker->daemon->views, + arg, 1 /* get write lock*/); + if(!v) { + ssl_printf(ssl,"no view with name: %s\n", arg); + return; + } + if(!v->local_zones){ + lock_rw_unlock(&v->lock); + ssl_printf(ssl, "removed 0 datas\n"); + return; + } + + do_datas_remove(ssl, v->local_zones); + lock_rw_unlock(&v->lock); +} + /** cache lookup of nameservers */ static void do_lookup(RES* ssl, struct worker* worker, char* arg) @@ -2989,6 +3010,8 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, do_view_zone_add(ssl, worker, skipwhite(p+15)); } else if(cmdcmp(p, "view_local_data_remove", 22)) { do_view_data_remove(ssl, worker, skipwhite(p+22)); + } else if(cmdcmp(p, "view_local_datas_remove", 23)){ + do_view_datas_remove(ssl, worker, skipwhite(p+23)); } else if(cmdcmp(p, "view_local_data", 15)) { do_view_data_add(ssl, worker, skipwhite(p+15)); } else if(cmdcmp(p, "view_local_datas", 16)) { diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c index 4f51e400e..7c363cdd9 100644 --- a/smallapp/unbound-control.c +++ b/smallapp/unbound-control.c @@ -157,6 +157,8 @@ usage(void) printf(" view_local_datas view add list of local-data to view\n"); printf(" one entry per line read from stdin\n"); printf(" view_local_data_remove view name remove local-data in view\n"); + printf(" view_local_datas_remove view remove list of local-data from view\n"); + printf(" one entry per line read from stdin\n"); printf("Version %s\n", PACKAGE_VERSION); printf("BSD licensed, see LICENSE in source package for details.\n"); printf("Report bugs to %s\n", PACKAGE_BUGREPORT); 
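Review bot: In do_view_datas_remove the brace style diverges from the surrounding code: `if(!v->local_zones){` and, in execute_cmd, `} else if(cmdcmp(p, "view_local_datas_remove", 23)){` lack the space before `{` that every neighbouring branch uses; write `if(!v->local_zones) {` and `} else if(cmdcmp(p, "view_local_datas_remove", 23)) {`. The dispatch order looks right — given the length argument cmdcmp appears to be a prefix compare, and the 23-character check sits before the `view_local_data` (15) test that would otherwise swallow it — so a one-line comment there, `/* must precede the shorter view_local_data prefix */`, would protect that ordering against later reshuffling. When the view has no local_zones the function answers `removed 0 datas` without consuming the piped data; presumably the control connection is closed after the reply so the remainder is discarded — confirm.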
@@ -706,7 +708,8 @@ check_args_for_listcmd(int argc, char* argv[]) fatal_exit("too many arguments for command '%s', " "content is piped in from stdin", argv[0]); } - if(argc >= 1 && strcmp(argv[0], "view_local_datas") == 0 && + if(argc >= 1 && (strcmp(argv[0], "view_local_datas") == 0 || + strcmp(argv[0], "view_local_datas_remove") == 0) && argc >= 3) { fatal_exit("too many arguments for command '%s', " "content is piped in from stdin", argv[0]); @@ -755,7 +758,8 @@ go_cmd(SSL* ssl, int fd, int quiet, int argc, char* argv[]) strcmp(argv[0], "local_zones_remove") == 0 || strcmp(argv[0], "local_datas") == 0 || strcmp(argv[0], "view_local_datas") == 0 || - strcmp(argv[0], "local_datas_remove") == 0)) { + strcmp(argv[0], "local_datas_remove") == 0) || + strcmp(argv[0], "view_local_datas_remove") == 0) { send_file(ssl, fd, stdin, buf, sizeof(buf)); send_eof(ssl, fd); } From 079de39b4603b7896b5311acc5c32f8c12d87861 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 29 Jan 2020 11:56:29 +0100 Subject: [PATCH 23/30] - Fix #157: undefined reference to `htobe64'. --- cachedb/cachedb.c | 36 +++++++++--------- config.h.in | 6 +++ configure | 93 ++++++++++++++++++++++++++++++++++++++--------- configure.ac | 29 +++++++++++++++ doc/Changelog | 3 ++ 5 files changed, 131 insertions(+), 36 deletions(-) diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c index d5cd8dc55..d5ea9e3f6 100644 --- a/cachedb/cachedb.c +++ b/cachedb/cachedb.c 
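Review bot: The new `||` term in go_cmd is outside the parenthesised group: the rewritten line `strcmp(argv[0], "local_datas_remove") == 0) ||` still closes the group opened after `argc >= 1 &&`, so the condition becomes `(argc >= 1 && (...)) || strcmp(argv[0], "view_local_datas_remove") == 0` and the `argc >= 1` guard no longer covers the new compare. Move the closing parenthesis instead: `strcmp(argv[0], "local_datas_remove") == 0 ||` followed by `strcmp(argv[0], "view_local_datas_remove") == 0)) {`. Whether argc can be 0 at this point depends on callers not visible here (check_args_for_listcmd suggests list commands always carry a name), but the expression should read as intended regardless. go_cmd's body continues outside the hunk.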
@@ -64,26 +64,26 @@ #ifdef HAVE_SYS_ENDIAN_H # include #endif -#ifdef HAVE_LIBKERN_OSBYTEORDER_H -/* In practice this is specific to MacOS X. We assume it doesn't have -* htobe64/be64toh but has alternatives with a different name. */ -# include -# define htobe64(x) OSSwapHostToBigInt64(x) -# define be64toh(x) OSSwapBigToHostInt64(x) -#endif -/* Some compilers do not define __BYTE_ORDER__, like IBM XLC on AIX */ -#ifndef be64toh -#if defined(__sun) || defined(_AIX) -# if __BIG_ENDIAN__ -# define be64toh(n) (n) -# define htobe64(n) (n) +#ifndef HAVE_HTOBE64 +# ifdef HAVE_LIBKERN_OSBYTEORDER_H + /* In practice this is specific to MacOS X. We assume it doesn't have + * htobe64/be64toh but has alternatives with a different name. */ +# include +# define htobe64(x) OSSwapHostToBigInt64(x) +# define be64toh(x) OSSwapBigToHostInt64(x) # else -# define be64toh(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32)) -# define htobe64(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32)) -# endif -#endif -#endif /* be64toh */ + /* not OSX */ + /* Some compilers do not define __BYTE_ORDER__, like IBM XLC on AIX */ +# if __BIG_ENDIAN__ +# define be64toh(n) (n) +# define htobe64(n) (n) +# else +# define be64toh(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32)) +# define htobe64(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32)) +# endif /* _ENDIAN */ +# endif /* HAVE_LIBKERN_OSBYTEORDER_H */ +#endif /* HAVE_BE64TOH */ /** the unit test testframe for cachedb, its module state contains * a cache for a couple queries (in memory). */ diff --git a/config.h.in b/config.h.in index 15940c04f..78d47fedc 100644 --- a/config.h.in +++ b/config.h.in @@ -63,6 +63,9 @@ /* Whether the C compiler accepts the "weak" attribute */ #undef HAVE_ATTR_WEAK +/* If we have be64toh */ +#undef HAVE_BE64TOH + /* Define to 1 if you have the header file. */ #undef HAVE_BSD_STDLIB_H 
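Review bot: The fallback block opens with `#ifndef HAVE_HTOBE64` but closes with `#endif /* HAVE_BE64TOH */`, and it defines both htobe64 and be64toh from the htobe64 probe alone even though configure in this same commit tests HAVE_HTOBE64 and HAVE_BE64TOH separately; a platform reporting one without the other would either be left without be64toh or have the fallback macro collide with a native definition. Either guard on both, `#if !defined(HAVE_HTOBE64) || !defined(HAVE_BE64TOH)` with each `#define` pair under its own `#ifndef`, or at minimum make the closing comment match the opening test, `#endif /* HAVE_HTOBE64 */`. The inner `#endif /* _ENDIAN */` likewise does not name the `__BIG_ENDIAN__` test it closes; `#endif /* __BIG_ENDIAN__ */` would.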
@@ -290,6 +293,9 @@ /* If you have HMAC_Update */ #undef HAVE_HMAC_UPDATE +/* If we have htobe64 */ +#undef HAVE_HTOBE64 + /* Define to 1 if you have the `inet_aton' function. */ #undef HAVE_INET_ATON diff --git a/configure b/configure index c22850d4b..8f8f9a088 100755 --- a/configure +++ b/configure @@ -803,7 +803,6 @@ infodir docdir oldincludedir includedir -runstatedir localstatedir sharedstatedir sysconfdir @@ -951,7 +950,6 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' -runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1204,15 +1202,6 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; - -runstatedir | --runstatedir | --runstatedi | --runstated \ - | --runstate | --runstat | --runsta | --runst | --runs \ - | --run | --ru | --r) - ac_prev=runstatedir ;; - -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ - | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ - | --run=* | --ru=* | --r=*) - runstatedir=$ac_optarg ;; - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1350,7 +1339,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir runstatedir + libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. 
@@ -1503,7 +1492,6 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -15660,7 +15648,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -15706,7 +15694,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -15730,7 +15718,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; 
@@ -15775,7 +15763,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -15799,7 +15787,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; 
@@ -20039,6 +20027,75 @@ _ACEOF fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for htobe64" >&5 +$as_echo_n "checking for htobe64... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_ENDIAN_H +# include +#endif + +int +main () +{ +unsigned long long x = htobe64(0); printf("%u", (unsigned)x); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE_HTOBE64 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for be64toh" >&5 +$as_echo_n "checking for be64toh... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_ENDIAN_H +# include +#endif + +int +main () +{ +unsigned long long x = be64toh(0); printf("%u", (unsigned)x); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE_BE64TOH 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing setusercontext" >&5 $as_echo_n "checking for library containing setusercontext... " >&6; } if ${ac_cv_search_setusercontext+:} false; then : diff --git a/configure.ac b/configure.ac index 1358b08de..9a32c577c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1490,6 +1490,35 @@ AC_INCLUDES_DEFAULT #include #endif ]) + +AC_MSG_CHECKING([for htobe64]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([ +#include +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_ENDIAN_H +# include +#endif +], [unsigned long long x = htobe64(0); printf("%u", (unsigned)x);])], + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_HTOBE64, 1, [If we have htobe64]), + AC_MSG_RESULT(no)) + +AC_MSG_CHECKING([for be64toh]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([ +#include +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_ENDIAN_H +# include +#endif +], [unsigned long long x = be64toh(0); printf("%u", (unsigned)x);])], + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_BE64TOH, 1, [If we have be64toh]), + AC_MSG_RESULT(no)) + AC_SEARCH_LIBS([setusercontext], [util]) AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4]) AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])]) diff --git a/doc/Changelog b/doc/Changelog index c551dc09c..709879044 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +29 January 2020: Wouter + - Fix #157: undefined reference to `htobe64'. + 28 January 2020: Ralph - Merge PR#147; change rfc reference for reserved top level dns names. From 61c2333174659f62404b50d86ef5da1d2922132e Mon Sep 17 00:00:00 2001 From: Alexander Berkes Date: Wed, 29 Jan 2020 15:32:55 +0100 Subject: [PATCH 24/30] Added view_local_datas_remove description to documentation --- doc/unbound-control.8.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 6ea40009c..1762e2731 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in 
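Review bot: The two added AC_LINK_IFELSE checks for htobe64 and be64toh are copies of each other differing only in the symbol name, and neither result is cached, so every configure run re-links both test programs and the answer cannot be forced from a cache file. A small m4 loop over the two names, or a local macro taking the function name, would keep the prologue in one place; wrapping each in AC_CACHE_CHECK would make it overridable. The prologue's `#include` lines are shown here without their header names, so I cannot tell whether `<stdio.h>` is among them; if it is not, a compiler that rejects the implicit declaration of `printf` fails the link test for the wrong reason and leaves `HAVE_HTOBE64`/`HAVE_BE64TOH` silently undefined, which would be worth a comment such as `dnl stdio.h is needed for the printf that keeps the result live`. The `HAVE_ENDIAN_H`/`HAVE_SYS_ENDIAN_H` guards presumably depend on header checks earlier in configure.ac, outside this hunk.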
@@ -323,6 +323,9 @@ serial check). And then the zone is transferred for a newer zone version. .B view_local_data_remove \fIview\fR \fIname \fIlocal_data_remove\fR for given view. .TP +.B view_local_datas_remove \fIview\fR +Remove a list of \fIlocal_data\fR for given view from stdin. Like local_datas_remove. +.TP .B view_local_datas \fIview\fR Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas. .SH "EXIT CODE" From 4326b1016977be0e679e75d73ae8a6187beb3e51 Mon Sep 17 00:00:00 2001 From: Ralph Dolmans Date: Wed, 29 Jan 2020 15:46:05 +0100 Subject: [PATCH 25/30] - Add PR#156 merge to changelog (Added unbound-control view_local_datas_remove command) --- doc/Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 709879044..fd3d9aa05 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +29 January 2020: Ralph + - Merge PR#156 from Alexander Berkes; Added unbound-control + view_local_datas_remove command. + 29 January 2020: Wouter - Fix #157: undefined reference to `htobe64'. From 5fcae2f0e04f42a21138d9782c1c962b8e2edcf9 Mon Sep 17 00:00:00 2001 From: Ralph Dolmans Date: Wed, 29 Jan 2020 16:32:03 +0100 Subject: [PATCH 26/30] - Fix misplaced parentheses from PR#156 --- smallapp/unbound-control.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c index 7c363cdd9..8e9e9c98d 100644 --- a/smallapp/unbound-control.c +++ b/smallapp/unbound-control.c @@ -758,8 +758,8 @@ go_cmd(SSL* ssl, int fd, int quiet, int argc, char* argv[]) strcmp(argv[0], "local_zones_remove") == 0 || strcmp(argv[0], "local_datas") == 0 || strcmp(argv[0], "view_local_datas") == 0 || - strcmp(argv[0], "local_datas_remove") == 0) || - strcmp(argv[0], "view_local_datas_remove") == 0) { + strcmp(argv[0], "local_datas_remove") == 0 || + strcmp(argv[0], "view_local_datas_remove") == 0)) { send_file(ssl, fd, stdin, buf, sizeof(buf)); send_eof(ssl, fd); } 
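Review bot: The corrected condition is still a flat chain of strcmp calls, and the parenthesis slip this commit repairs is exactly the failure mode such chains invite: with the paren misplaced, `view_local_datas_remove` was tested outside the grouped disjunction, which compiles cleanly and is only noticed at runtime. A static NULL-terminated table of the commands that read their argument list from stdin, checked by a tiny helper, keeps the list in one place and leaves the `if` with a single readable term. The opening of the `if` and the command names before `local_zones_remove` are above the hunk, as is the rest of go_cmd, so the sketch below shows only the names visible here.
```c
/* commands whose list of arguments is read from stdin and forwarded */
static const char* stdin_cmds[] = {
	/* … names listed above the hunk (e.g. local_zones) … */
	"local_zones_remove", "local_datas", "view_local_datas",
	"local_datas_remove", "view_local_datas_remove", NULL
};

/* return 1 if cmd is one of stdin_cmds, 0 otherwise */
static int
cmd_reads_stdin(const char* cmd)
{
	const char** p;
	for(p = stdin_cmds; *p; p++)
		if(strcmp(cmd, *p) == 0)
			return 1;
	return 0;
}

/* … in go_cmd, the strcmp chain becomes: … */
	if(/* … outer condition above the hunk … */ cmd_reads_stdin(argv[0])) {
		send_file(ssl, fd, stdin, buf, sizeof(buf));
		send_eof(ssl, fd);
	}
```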
From bf13191b87db3279357959782c328e9101580964 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 30 Jan 2020 09:08:19 +0100
Subject: [PATCH 27/30] - Fix subnet tests for disabled DSA algorithm by default.
---
 doc/Changelog | 3 +++
 testdata/subnet_cached.crpl | 2 ++
 testdata/subnet_val_positive.crpl | 2 ++
 testdata/subnet_val_positive_client.crpl | 2 ++
 4 files changed, 9 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index fd3d9aa05..c3df350d0 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+30 January 2020: Wouter
+ - Fix subnet tests for disabled DSA algorithm by default.
+
  29 January 2020: Ralph
  - Merge PR#156 from Alexander Berkes; Added unbound-control
  view_local_datas_remove command.
diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl
index a0d89af51..209831335 100644
--- a/testdata/subnet_cached.crpl
+++ b/testdata/subnet_cached.crpl
@@ -10,6 +10,8 @@ server:
  max-client-subnet-ipv4: 17
  module-config: "subnetcache validator iterator"
  verbosity: 3
+ fake-sha1: yes
+ fake-dsa: yes
  access-control: 127.0.0.1 allow_snoop
  qname-minimisation: "no"
  minimal-responses: no
diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl
index afec59933..01456e58b 100644
--- a/testdata/subnet_val_positive.crpl
+++ b/testdata/subnet_val_positive.crpl
@@ -9,6 +9,8 @@ server:
  max-client-subnet-ipv4: 17
  module-config: "subnetcache validator iterator"
  verbosity: 3
+ fake-sha1: yes
+ fake-dsa: yes
  qname-minimisation: "no"
  minimal-responses: no
diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl
index e631a64e6..b573742b7 100644
--- a/testdata/subnet_val_positive_client.crpl
+++ b/testdata/subnet_val_positive_client.crpl
@@ -10,6 +10,8 @@ server:
  max-client-subnet-ipv4: 17
  module-config: "subnetcache validator iterator"
  verbosity: 3
+ fake-sha1: yes
+ fake-dsa: yes
  qname-minimisation: "no"
  minimal-responses: no
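Review bot: The new `fake-sha1: yes` and `fake-dsa: yes` lines in subnet_cached.crpl carry no comment saying why a subnet test needs them, and the same two lines are added unexplained to subnet_val_positive.crpl and subnet_val_positive_client.crpl in this commit. From the commit message these options appear to make the validator accept the fixtures' DSA/SHA-1 signatures now that the algorithm is disabled by default, but a reader of the test config alone cannot see that. A comment above the pair in each file, such as `# test-only: fixtures are signed with DSA/SHA1, which is disabled by default`, would mark the knob as belonging to the test harness rather than to a configuration anyone should copy.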
From 20a2574da1415038eaa838cd8466e2643f25594f Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 30 Jan 2020 13:05:35 +0100 Subject: [PATCH 28/30] - Update contrib/fastrpz.patch for clean diff with current code. --- contrib/fastrpz.patch | 38 +++++++++++++++++++------------------- doc/Changelog | 1 + 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/contrib/fastrpz.patch b/contrib/fastrpz.patch index c38ac22b9..2cd6a7182 100644 --- a/contrib/fastrpz.patch +++ b/contrib/fastrpz.patch @@ -2,7 +2,7 @@ Description: based on the included patch contrib/fastrpz.patch Author: fastrpz@farsightsecurity.com --- diff --git a/Makefile.in b/Makefile.in -index 721c01b6..56bfb560 100644 +index 1a2e2c54..028b6cf3 100644 --- a/Makefile.in +++ b/Makefile.in @@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c @@ -45,10 +45,10 @@ index 721c01b6..56bfb560 100644 pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \ pythonmod/interface.h \ diff --git a/config.h.in b/config.h.in -index 8c2aa3b9..efaf6450 100644 +index 78d47fed..e33073e4 100644 --- a/config.h.in +++ b/config.h.in -@@ -1325,4 +1325,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file, +@@ -1345,4 +1345,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file, /** the version of unbound-control that this software implements */ #define UNBOUND_CONTROL_VERSION 1 @@ -62,7 +62,7 @@ index 8c2aa3b9..efaf6450 100644 +/** turn on fastrpz response policy zones */ +#undef ENABLE_FASTRPZ diff --git a/configure.ac b/configure.ac -index 5276d441..9d74592e 100644 +index 9a32c577..cc4344ff 100644 --- a/configure.ac +++ b/configure.ac @@ -6,6 +6,7 @@ sinclude(ax_pthread.m4) @@ -73,7 +73,7 @@ index 5276d441..9d74592e 100644 sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing -@@ -1726,6 +1727,9 @@ case "$enable_ipset" in +@@ -1778,6 +1779,9 @@ case "$enable_ipset" in ;; esac 
@@ -139,7 +139,7 @@ index 5749dbef..64ce230f 100644 /** diff --git a/daemon/worker.c b/daemon/worker.c -index e2ce0e87..f031c656 100644 +index aa16650e..c7c05828 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -75,6 +75,9 @@ @@ -244,7 +244,7 @@ index e2ce0e87..f031c656 100644 /* prefetch it if the prefetch TTL expired. * Note that if there is more than one pass * its qname must be that used for cache -@@ -1518,11 +1575,19 @@ lookup_cache: +@@ -1520,11 +1577,19 @@ lookup_cache: lock_rw_unlock(&e->lock); } if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) { @@ -267,10 +267,10 @@ index e2ce0e87..f031c656 100644 } verbose(VERB_ALGO, "answer norec from cache -- " diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in -index 4bdfcd56..69e70627 100644 +index 6292f0d4..7e91a91f 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in -@@ -1801,6 +1801,81 @@ List domain for which the AAAA records are ignored and the A record is +@@ -1811,6 +1811,81 @@ List domain for which the AAAA records are ignored and the A record is used by dns64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given. @@ -3172,7 +3172,7 @@ index d4f814d5..624a9d95 100644 if(edns->opt_list) { r->edns.opt_list = edns_opt_copy_region(edns->opt_list, diff --git a/util/config_file.c b/util/config_file.c -index 119b2223..ce43a234 100644 +index 104c3f83..a5015594 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -1434,6 +1434,8 @@ config_delete(struct config_file* cfg) @@ -3216,7 +3216,7 @@ index a86ddf55..b56bcfb4 100644 ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) } ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) } diff --git a/util/configparser.y b/util/configparser.y -index 10227a2f..cdbcf7cd 100644 +index 8be6bd3e..74d885ad 100644 --- a/util/configparser.y +++ b/util/configparser.y @@ -125,6 +125,7 @@ extern struct config_parser_state* cfg_parser; 
@@ -3236,7 +3236,7 @@ index 10227a2f..cdbcf7cd 100644 forwardstart contents_forward | pythonstart contents_py | rcstart contents_rc | dtstart contents_dt | viewstart contents_view | dnscstart contents_dnsc | cachedbstart contents_cachedb | -@@ -2726,6 +2727,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES +@@ -2728,6 +2729,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES free($2); } ; @@ -3384,7 +3384,7 @@ index 3a5335dd..20113217 100644 /** diff --git a/util/netevent.c b/util/netevent.c -index 980bb8be..d537d288 100644 +index 9fe5da2d..037e70d1 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -57,6 +57,9 @@ @@ -3427,7 +3427,7 @@ index 980bb8be..d537d288 100644 if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for another UDP port. Note rep.c cannot be reused with TCP fd. */ break; -@@ -3184,6 +3196,9 @@ comm_point_send_reply(struct comm_reply *repinfo) +@@ -3192,6 +3204,9 @@ comm_point_send_reply(struct comm_reply *repinfo) repinfo->c->tcp_timeout_msec); } } @@ -3437,7 +3437,7 @@ index 980bb8be..d537d288 100644 } void -@@ -3193,6 +3208,9 @@ comm_point_drop_reply(struct comm_reply* repinfo) +@@ -3201,6 +3216,9 @@ comm_point_drop_reply(struct comm_reply* repinfo) return; log_assert(repinfo->c); log_assert(repinfo->c->type != comm_tcp_accept); @@ -3447,7 +3447,7 @@ index 980bb8be..d537d288 100644 if(repinfo->c->type == comm_udp) return; if(repinfo->c->tcp_req_info) -@@ -3214,6 +3232,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec) +@@ -3222,6 +3240,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec) { verbose(VERB_ALGO, "comm point start listening %d (%d msec)", c->fd==-1?newfd:c->fd, msec); @@ -3473,10 +3473,10 @@ index d80c72b3..0233292f 100644 uint8_t client_nonce[crypto_box_HALF_NONCEBYTES]; uint8_t nmkey[crypto_box_BEFORENMBYTES]; 
diff --git a/validator/validator.c b/validator/validator.c -index 4c560a8e..71de3760 100644 +index c3ca0a27..15251988 100644 --- a/validator/validator.c +++ b/validator/validator.c -@@ -2755,6 +2755,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, +@@ -2761,6 +2761,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, default: /* NSEC proof did not work, try next */ break; @@ -3489,7 +3489,7 @@ index 4c560a8e..71de3760 100644 } sec = nsec3_prove_nods(qstate->env, ve, -@@ -2788,6 +2794,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, +@@ -2794,6 +2800,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, default: /* NSEC3 proof did not work */ break; diff --git a/doc/Changelog b/doc/Changelog index c3df350d0..43a17b5e1 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,6 @@ 30 January 2020: Wouter - Fix subnet tests for disabled DSA algorithm by default. + - Update contrib/fastrpz.patch for clean diff with current code. 29 January 2020: Ralph - Merge PR#156 from Alexander Berkes; Added unbound-control From de5c0d42283e915be99e8112300f1c95c72c1fae Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 30 Jan 2020 14:11:41 +0100 Subject: [PATCH 29/30] Changelog note for PR#151. - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds and Frzk. Updates the unbound.service systemd file and adds a portable systemd service file. --- doc/Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 43a17b5e1..9758a6d84 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,6 +1,9 @@ 30 January 2020: Wouter - Fix subnet tests for disabled DSA algorithm by default. - Update contrib/fastrpz.patch for clean diff with current code. + - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds + and Frzk. Updates the unbound.service systemd file and adds + a portable systemd service file. 29 January 2020: Ralph - Merge PR#156 from Alexander Berkes; Added unbound-control From a5f133ef2f566a6ad7f990b86b022054ffe8e7c0 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 30 Jan 2020 14:20:08 +0100 Subject: [PATCH 30/30] - updated .gitignore for added contrib file. --- .gitignore | 1 + doc/Changelog | 1 + 2 files changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 22fedf0d7..c1e2649db 100644 --- a/.gitignore +++ b/.gitignore @@ -42,6 +42,7 @@ /contrib/libunbound.pc /contrib/unbound.service /contrib/unbound.socket +/contrib/unbound_portable.service /dnstap/dnstap.pb-c.c /dnstap/dnstap.pb-c.h /libunbound/python/libunbound_wrap.c diff --git a/doc/Changelog b/doc/Changelog index 9758a6d84..1437815e8 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -4,6 +4,7 @@ - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds and Frzk. Updates the unbound.service systemd file and adds a portable systemd service file. + - updated .gitignore for added contrib file. 29 January 2020: Ralph - Merge PR#156 from Alexander Berkes; Added unbound-control