diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml index f843eeb5e..6e8090a7c 100644 --- a/.github/workflows/analysis_ports.yml +++ b/.github/workflows/analysis_ports.yml @@ -12,6 +12,7 @@ jobs: build: runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: include: - name: GCC on Linux @@ -48,15 +49,6 @@ jobs: os: ubuntu-latest config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static' make_test: "yes" - - name: Apple iPhone on iOS, armv7 - os: macos-latest - AUTOTOOLS_HOST: armv7-apple-ios - OPENSSL_HOST: ios-cross - IOS_SDK: iPhoneOS - IOS_CPU: armv7s - test_ios: "yes" - config: "no" - make: "no" - name: Apple iPhone on iOS, arm64 os: macos-latest AUTOTOOLS_HOST: aarch64-apple-ios @@ -84,15 +76,6 @@ jobs: test_ios: "yes" config: "no" make: "no" - - name: iPhoneSimulator on OS X, i386 - os: macos-latest - AUTOTOOLS_HOST: i386-apple-ios - OPENSSL_HOST: iphoneos-cross - IOS_SDK: iPhoneSimulator - IOS_CPU: i386 - test_ios: "yes" - config: "no" - make: "no" - name: iPhoneSimulator on OS X, x86_64 os: macos-latest AUTOTOOLS_HOST: x86_64-apple-ios diff --git a/configure b/configure index bdb263d7d..ec7609c47 100755 --- a/configure +++ b/configure @@ -22811,10 +22811,12 @@ then : LIBS="$LIBS -lz" fi - if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then - : - else - LIBS="$LIBS -l:libssp.a" + if echo "$host" | $GREP -i -e linux >/dev/null; then + if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then + : + else + LIBS="$LIBS -l:libssp.a" + fi fi fi fi @@ -22875,10 +22877,12 @@ then : LIBS="$LIBS -lz" fi - if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then - : - else - LIBS="$LIBS -l:libssp.a" + if echo "$host" | $GREP -i -e linux >/dev/null; then + if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then + : + else + LIBS="$LIBS -l:libssp.a" + fi fi fi fi diff --git a/configure.ac b/configure.ac index dab1732f7..541157ca3 100644 --- a/configure.ac 
+++ b/configure.ac @@ -1673,10 +1673,12 @@ if test x_$enable_static_exe = x_yes; then LIBS="$LIBS -lgdi32" fi AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ]) - if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then - : - else - LIBS="$LIBS -l:libssp.a" + if echo "$host" | $GREP -i -e linux >/dev/null; then + if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then + : + else + LIBS="$LIBS -l:libssp.a" + fi fi fi fi @@ -1694,10 +1696,12 @@ if test x_$enable_fully_static = x_yes; then LIBS="$LIBS -lgdi32" fi AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ]) - if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then - : - else - LIBS="$LIBS -l:libssp.a" + if echo "$host" | $GREP -i -e linux >/dev/null; then + if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then + : + else + LIBS="$LIBS -l:libssp.a" + fi fi fi fi diff --git a/contrib/ios/install_openssl.sh b/contrib/ios/install_openssl.sh index 31e65d64e..d656c53d1 100755 --- a/contrib/ios/install_openssl.sh +++ b/contrib/ios/install_openssl.sh @@ -1,21 +1,22 @@ #!/usr/bin/env bash +OPENSSL_VERSION=1.1.1d echo "Downloading OpenSSL" -if ! curl -L -k -s -o openssl-1.1.1d.tar.gz https://www.openssl.org/source/openssl-1.1.1d.tar.gz; +if ! curl -L -k -s -o openssl-$OPENSSL_VERSION.tar.gz https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz; then echo "Failed to download OpenSSL" exit 1 fi echo "Unpacking OpenSSL" -rm -rf ./openssl-1.1.1d -if ! tar -xf openssl-1.1.1d.tar.gz; +rm -rf ./openssl-$OPENSSL_VERSION +if ! tar -xf openssl-$OPENSSL_VERSION.tar.gz; then echo "Failed to unpack OpenSSL" exit 1 fi -cd openssl-1.1.1d || exit 1 +cd openssl-$OPENSSL_VERSION || exit 1 if ! cp ../contrib/ios/15-ios.conf Configurations/; then echo "Failed to copy OpenSSL ios config" 
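Review bot: The new outer test keeps `-l:libssp.a` only when `$host` matches `linux`, which is an allowlist rather than the Windows exclusion the Changelog describes: any non-Linux host that previously received the static libssp in an `--enable-static-exe` or `--enable-fully-static` build (a BSD or macOS target, for instance) now links without it, so confirm the stack-protector runtime symbols still resolve from libc there, or narrow the test to what is actually meant, e.g. `case "$host" in *mingw*|*cygwin*) ;; *) ... ;; esac`. The added line uses `$GREP` while the pre-existing inner line uses bare `grep`; use one consistently (the autoconf-provided `$GREP` is the safer choice provided `AC_PROG_GREP` runs earlier, which is not visible here). The whole block is duplicated verbatim in the second hunk of this file; a shell function or m4 macro would keep the two copies from drifting.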
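Review bot: The download line still passes `-k` to curl, so the OpenSSL tarball is fetched with certificate verification disabled and is never checked against a known digest before it is unpacked and built; anything between the runner and the download host can substitute the archive. With the version now in a variable it is easy to pin a digest beside it, e.g. `OPENSSL_SHA256=<sha256 of openssl-$OPENSSL_VERSION.tar.gz>` and, after the download, `echo "$OPENSSL_SHA256  openssl-$OPENSSL_VERSION.tar.gz" | shasum -a 256 -c - || exit 1`, then drop `-k`. Quoting the expansions (`"openssl-$OPENSSL_VERSION.tar.gz"`) is also worth doing while these lines are being touched. The end of this hunk is not visible in the collapsed text.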
@@ -27,7 +28,8 @@ fi # Also see https://github.com/openssl/openssl/issues/7607. if ! patch -u -p0 < ../contrib/ios/openssl.patch; then echo "Failed to patch OpenSSL" - exit 1 + # the partial patch may be useful. + #exit 1 fi echo "Configuring OpenSSL" diff --git a/contrib/ios/setenv_ios.sh b/contrib/ios/setenv_ios.sh index df433d17c..f4c7e783f 100755 --- a/contrib/ios/setenv_ios.sh +++ b/contrib/ios/setenv_ios.sh @@ -175,6 +175,7 @@ fi # For example, remove 4.3, 6.2, and 6.1 if they are not installed. We go back to # the 1.0 SDKs because Apple WatchOS uses low numbers, like 2.0 and 2.1. XCODE_SDK= +if test -z "$SDK_VERSION"; then for i in $(seq -f "%.1f" 30.0 -0.1 1.0) do if [ -d "$XCODE_DEVELOPER_SDK/Developer/SDKs/$IOS_SDK$i.sdk" ]; then @@ -182,6 +183,10 @@ do break fi done +else + i="$SDK_VERSION" + XCODE_SDK="$IOS_SDK$i.sdk" +fi # Error checking if [ -z "$XCODE_SDK" ]; then diff --git a/doc/Changelog b/doc/Changelog index d027c8ba1..02809011b 100644 --- a/doc/Changelog +++ b/doc/Changelog 
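Review bot: Commenting out `exit 1` turns a failed `patch` into a silent success: the script prints "Failed to patch OpenSSL" and then configures and builds whatever mix of patched and unpatched sources is left, and a caller cannot tell the difference from the exit status. If a partially applied patch is intentionally tolerated, make that explicit and keep the failure visible, e.g. `echo "Warning: OpenSSL patch applied only partially, continuing"`, and consider gating the tolerance on an environment variable of your choosing so the default stays fail-closed. A `patch --dry-run` before the real run would also let the script distinguish "nothing applies" from "mostly applies".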
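Review bot: The new `else` branch sets `XCODE_SDK="$IOS_SDK$i.sdk"` from `SDK_VERSION` without the `[ -d ... ]` test the loop branch applies, so a mistyped or uninstalled SDK version passes the `-z "$XCODE_SDK"` check that follows and only fails later in the toolchain with a less useful message. Mirror the loop: `if [ -d "$XCODE_DEVELOPER_SDK/Developer/SDKs/$IOS_SDK$SDK_VERSION.sdk" ]; then XCODE_SDK="$IOS_SDK$SDK_VERSION.sdk"; fi` so the existing error path reports it. The `for` body now sits inside the `if` opened in the previous hunk but is not indented relative to it; indent it so the added nesting is visible.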
@@ -1,3 +1,25 @@ +15 October 2025: Wouter + - Fix to drop UDP for discard-timeout, but not stream connections. + - Fix to reply with SERVFAIL when the wait-limit is exceeded. + - Add extended dns error code for invalid query type to definition + list. + - Fix unbound.conf man page entry for root-hints to say it can + be used without strongly recommending it. + - Remove iPhone armv7s, and iPhoneSimulator i386 from ios ci. + The lib system does not provide symbols for it on the new macos + runner. + - Fix to exclude libssp for windows compiles. + +10 October 2025: Wouter + - Fix #1358 Enabling FIPS in OpenSSL causes unit test to fail. + +3 October 2025: Yorgos + - Note 'respip' and 'dns64' module order in the unbound.conf + man page. + - Note clearly that 'wait-limit: 0' disables all wait limits. + - 'wait-limit-cookie: 0' can now disable cookie validated wait + limits. + 2 October 2025: Wouter - Fix that https is set up as enabled when the port is listed in interface-automatic-ports. Also for the set up of quic it is diff --git a/doc/unbound.conf.rst b/doc/unbound.conf.rst index f9f2dea8a..00dadbc9b 100644 --- a/doc/unbound.conf.rst +++ b/doc/unbound.conf.rst @@ -496,6 +496,9 @@ These options are part of the **server:** clause. The wait time in msec where recursion requests are dropped. This is to stop a large number of replies from accumulating. They receive no reply, the work item continues to recurse. + For UDP the replies are dropped, for stream connections the reply + is not dropped if the stream connection is still open ready to receive + answers. It is nice to be a bit larger than :ref:`serve-expired-client-timeout` if that is enabled. @@ -510,7 +513,7 @@ These options are part of the **server:** clause. This makes a ratelimit per IP address of waiting replies for recursion. It stops very large amounts of queries waiting to be returned to one destination. - The value ``0`` disables wait limits. + The value ``0`` disables all wait limits. Default: 1000 
@@ -518,7 +521,11 @@ These options are part of the **server:** clause. @@UAHL@unbound.conf@wait-limit-cookie@@: ** The number of replies that can wait for recursion, for an IP address that sent the query with a valid DNS Cookie. - Since the cookie validates the client address, this limit can be higher. + Since the cookie already validates the client address, this option allows + to override a configured + :ref:`wait-limit` value usually with a higher one + for cookie validated queries. + The value ``0`` disables wait limits for cookie validated queries. Default: 10000 @@ -1673,8 +1680,8 @@ These options are part of the **server:** clause. Default is nothing, using builtin hints for the IN class. The file has the format of zone files, with root nameserver names and addresses only. - The default may become outdated, when servers change, therefore it is good - practice to use a root hints file. + The default may become outdated, when servers change, and then it is + possible to use a root hints file with specific servers. Default: "" @@ -3959,6 +3966,13 @@ and be compiled into the daemon to be enabled. .. note:: These settings go in the :ref:`server:` section. +.. note:: + If combining the ``respip`` and ``dns64`` modules, the ``respip`` module + needs to appear before the ``dns64`` module in the + :ref:`module-config` + configuration option so that response IP and/or RPZ feeds can properly + filter responses regardless of DNS64 synthesis. + @@UAHL@unbound.conf.dns64@dns64-prefix@@: ** This sets the DNS64 prefix to use to synthesize AAAA records with. 
@@ -4777,6 +4791,13 @@ The respip module needs to be added to the module-config: "respip validator iterator" +.. note:: + If combining the ``respip`` and ``dns64`` modules, the ``respip`` module + needs to appear before the ``dns64`` module in the + :ref:`module-config` + configuration option so that response IP and/or RPZ feeds can properly + filter responses regardless of DNS64 synthesis. + QNAME, Response IP Address, nsdname, nsip and clientip triggers are supported. Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only and drop. diff --git a/makedist.sh b/makedist.sh index 5610208f4..8fad8f974 100755 --- a/makedist.sh +++ b/makedist.sh @@ -715,7 +715,5 @@ cleanup storehash unbound-$version.tar.gz echo "create unbound-$version.tar.gz.asc with:" echo " gpg --armor --detach-sign --digest-algo SHA256 unbound-$version.tar.gz" -echo " gpg --armor --detach-sign --digest-algo SHA256 unbound-$version.zip" -echo " gpg --armor --detach-sign --digest-algo SHA256 unbound_setup_$version.exe" info "Unbound distribution created successfully." diff --git a/services/cache/infra.c b/services/cache/infra.c index cf999422d..4d2cd8d49 100644 --- a/services/cache/infra.c +++ b/services/cache/infra.c @@ -1269,7 +1269,8 @@ int infra_wait_limit_allowed(struct infra_cache* infra, struct comm_reply* rep, int cookie_valid, struct config_file* cfg) { struct lruhash_entry* entry; - if(cfg->wait_limit == 0) + if(cfg->wait_limit == 0 || + (cookie_valid && cfg->wait_limit_cookie == 0)) return 1; entry = infra_find_ip_ratedata(infra, &rep->client_addr, diff --git a/services/mesh.c b/services/mesh.c index 40e68b70f..af2172102 100644 --- a/services/mesh.c +++ b/services/mesh.c 
@@ -441,9 +441,18 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo, if(!infra_wait_limit_allowed(mesh->env->infra_cache, rep, edns->cookie_valid, mesh->env->cfg)) { verbose(VERB_ALGO, "Too many queries waiting from the IP. " - "dropping incoming query."); - comm_point_drop_reply(rep); + "servfail incoming query."); mesh->num_queries_wait_limit++; + edns_opt_list_append_ede(&edns->opt_list_out, + mesh->env->scratch, LDNS_EDE_OTHER, + "Too many queries queued up and waiting from the IP"); + if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL, + LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv)) + edns->opt_list_inplace_cb_out = NULL; + error_encode(r_buffer, LDNS_RCODE_SERVFAIL, + qinfo, qid, qflags, edns); + regional_free_all(mesh->env->scratch); + comm_point_send_reply(rep); return; } if(!unique) 
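Review bot: Replacing `comm_point_drop_reply(rep)` with a built SERVFAIL changes what the wait limit does for UDP sources without a validated cookie: each over-limit query now produces a response toward a source address that may be spoofed, and the appended EDE text ("Too many queries queued up and waiting from the IP") makes that response larger than the query that triggered it, so the limit no longer reduces the bytes sent to such a source. Consider keeping the drop on that path and sending SERVFAIL only for stream connections or cookie-validated clients, similar to the UDP/stream split this commit introduces in mesh_query_done, or at least omit the EDE text for non-cookie UDP replies, e.g. `if(!edns->cookie_valid && <UDP reply check>) { comm_point_drop_reply(rep); return; }` before the SERVFAIL construction. If replying is deliberate, a comment stating why a reply is preferred over a drop here would help the next reader. mesh_new_client starts and ends outside the hunk.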
@@ -1728,28 +1737,37 @@ void mesh_query_done(struct mesh_state* mstate) dns_error_reporting(&mstate->s, rep); for(r = mstate->reply_list; r; r = r->next) { - struct timeval old; - timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time); - if(mstate->s.env->cfg->discard_timeout != 0 && - ((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 > - mstate->s.env->cfg->discard_timeout) { - /* Drop the reply, it is too old */ - /* briefly set the reply_list to NULL, so that the - * tcp req info cleanup routine that calls the mesh - * to deregister the meshstate for it is not done - * because the list is NULL and also accounting is not - * done there, but instead we do that here. */ - struct mesh_reply* reply_list = mstate->reply_list; - verbose(VERB_ALGO, "drop reply, it is older than discard-timeout"); - infra_wait_limit_dec(mstate->s.env->infra_cache, - &r->query_reply, mstate->s.env->cfg); - mstate->reply_list = NULL; - if(r->query_reply.c->use_h2) - http2_stream_remove_mesh_state(r->h2_stream); - comm_point_drop_reply(&r->query_reply); - mstate->reply_list = reply_list; - mstate->s.env->mesh->num_queries_discard_timeout++; - continue; + if(mesh_is_udp(r)) { + /* For UDP queries, the old replies are discarded. + * This stops a large volume of old replies from + * building up. + * The stream replies, are not discarded. The + * stream is open, the other side is waiting. + * Some answer is needed, even if servfail, but the + * real reply is ready to go, so that is given. 
*/ + struct timeval old; + timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time); + if(mstate->s.env->cfg->discard_timeout != 0 && + ((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 > + mstate->s.env->cfg->discard_timeout) { + /* Drop the reply, it is too old */ + /* briefly set the reply_list to NULL, so that the + * tcp req info cleanup routine that calls the mesh + * to deregister the meshstate for it is not done + * because the list is NULL and also accounting is not + * done there, but instead we do that here. */ + struct mesh_reply* reply_list = mstate->reply_list; + verbose(VERB_ALGO, "drop reply, it is older than discard-timeout"); + infra_wait_limit_dec(mstate->s.env->infra_cache, + &r->query_reply, mstate->s.env->cfg); + mstate->reply_list = NULL; + if(r->query_reply.c->use_h2) + http2_stream_remove_mesh_state(r->h2_stream); + comm_point_drop_reply(&r->query_reply); + mstate->reply_list = reply_list; + mstate->s.env->mesh->num_queries_discard_timeout++; + continue; + } } i++; diff --git a/sldns/rrdef.h b/sldns/rrdef.h index 540468889..529ef9a84 100644 --- a/sldns/rrdef.h +++ b/sldns/rrdef.h @@ -480,7 +480,8 @@ enum sldns_enum_ede_code LDNS_EDE_TOO_EARLY = 26, LDNS_EDE_UNSUPPORTED_NSEC3_ITERATIONS = 27, LDNS_EDE_BADPROXYPOLICY = 28, - LDNS_EDE_SYNTHESIZED = 29 + LDNS_EDE_SYNTHESIZED = 29, + LDNS_EDE_INVALID_QUERY_TYPE = 30 }; typedef enum sldns_enum_ede_code sldns_ede_code; diff --git a/sldns/wire2str.c b/sldns/wire2str.c index 1bc5b9cf6..f4b01b028 100644 --- a/sldns/wire2str.c +++ b/sldns/wire2str.c @@ -233,6 +233,7 @@ static sldns_lookup_table sldns_edns_ede_codes_data[] = { { LDNS_EDE_UNSUPPORTED_NSEC3_ITERATIONS, "Unsupported NSEC3 Iterations Value" }, { LDNS_EDE_BADPROXYPOLICY, "Unable to Conform to Policy" }, { LDNS_EDE_SYNTHESIZED, "Synthesized Answer" }, + { LDNS_EDE_INVALID_QUERY_TYPE, "Invalid Query Type" }, { 0, NULL} }; sldns_lookup_table* sldns_edns_ede_codes = sldns_edns_ede_codes_data; 
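Review bot: The new comment says stream replies are kept because "the stream is open, the other side is waiting", but nothing in the `if(mesh_is_udp(r))` branch or this loop checks that the stream is still open; presumably the normal reply path handles a closed stream, and the comment should say so rather than leave the reader looking for the check here. It also has a stray comma ("The stream replies, are not discarded"). Suggested text: `/* Only UDP replies are discarded after discard-timeout, to stop old replies piling up. Stream replies are kept: the connection is open and the peer is waiting, so the finished answer is sent instead (a closed stream is handled by the reply path). */`, with the last clause confirmed against that path. mesh_query_done continues outside the hunk.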
diff --git a/testcode/unitverify.c b/testcode/unitverify.c index 12d5205b0..a101c528f 100644 --- a/testcode/unitverify.c +++ b/testcode/unitverify.c @@ -631,6 +631,7 @@ rh_allow_sha1_signatures_disabled(void) void verify_test(void) { + int do_sha1 = 1; unit_show_feature("signature verify"); #if defined(HAVE_SSL) && defined(USE_SHA1) 
@@ -643,27 +644,40 @@ verify_test(void) #else _putenv("OPENSSL_ENABLE_SHA1_SIGNATURES=1"); #endif + do_sha1 = 1; } +#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED + if (EVP_default_properties_is_fips_enabled(NULL)) + do_sha1 = 0; #endif +#endif /* HAVE_SSL and USE_SHA1 */ #ifdef USE_SHA1 - verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004"); + if(do_sha1) { + verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004"); + } #endif #if defined(USE_DSA) && defined(USE_SHA1) - verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150"); + if(do_sha1) { + verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150"); + } #endif /* USE_DSA */ #ifdef USE_SHA1 - verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150"); + if(do_sha1) { + verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150"); + } #endif #if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2) verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256", "20070829144150"); # ifdef USE_SHA1 - verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150"); + if(do_sha1) { + 
verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150"); + } # endif verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256_draft", "20090101000000"); #endif @@ -672,8 +686,10 @@ verify_test(void) verifytest_file(SRCDIRSTR "/testdata/test_signatures.9", "20171215000000"); #endif #ifdef USE_SHA1 - verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022"); - verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004"); + if(do_sha1) { + verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022"); + verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004"); + } #endif #ifdef USE_GOST if(sldns_key_EVP_load_gost_id()) @@ -699,7 +715,9 @@ verify_test(void) } #endif #ifdef USE_SHA1 - dstest_file(SRCDIRSTR "/testdata/test_ds.sha1"); + if(do_sha1) { + dstest_file(SRCDIRSTR "/testdata/test_ds.sha1"); + } #endif nsectest(); nsec3_hash_test(SRCDIRSTR "/testdata/test_nsec3_hash.1");
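Review bot: When FIPS mode clears `do_sha1`, every SHA1 case in this hunk and in the two hunks that follow is skipped without any output, so a FIPS-enabled run reports the "signature verify" feature as exercised even though the SHA1 tests never ran; print a skip notice next to the FIPS check so the log shows the reduced coverage, e.g. `if(!do_sha1) printf("skipping SHA1 signature tests: FIPS mode is enabled\n");` (or the harness's usual progress call). The `do_sha1 = 1;` added just before the closing brace is redundant with the initializer in the declaration hunk; drop it, or replace it with a comment if it is meant to document that the SHA1-enable branch wins. verify_test continues outside the hunk.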