author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-05-12 11:55:17 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-05-12 11:55:17 +0000 |
commit | a6c5280ea59f940be13fd6eb0f94ab8360d3d6c9 (patch) | |
tree | cbe088761a83cf2025bbdf36e1574f38c3e988f5 /daemon/remote.c | |
parent | 8c2647a7dc721c8e5349bd194b8e8e178412057e (diff) |
Diffstat (limited to 'daemon/remote.c')
-rw-r--r-- | daemon/remote.c | 85 |
1 files changed, 33 insertions, 52 deletions
diff --git a/daemon/remote.c b/daemon/remote.c
index bb41cc5df2dbb..243d94c49aa16 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -229,42 +229,10 @@ daemon_remote_create(struct config_file* cfg)
 free(rc);
 return NULL;
 }
- /* no SSLv2, SSLv3 because has defects */
- if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
- != SSL_OP_NO_SSLv2){
- log_crypto_err("could not set SSL_OP_NO_SSLv2");
+ if(!listen_sslctx_setup(rc->ctx)) {
 daemon_remote_delete(rc);
 return NULL;
 }
- if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
- != SSL_OP_NO_SSLv3){
- log_crypto_err("could not set SSL_OP_NO_SSLv3");
- daemon_remote_delete(rc);
- return NULL;
- }
-#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
- /* if we have tls 1.1 disable 1.0 */
- if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
- != SSL_OP_NO_TLSv1){
- log_crypto_err("could not set SSL_OP_NO_TLSv1");
- daemon_remote_delete(rc);
- return NULL;
- }
-#endif
-#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
- /* if we have tls 1.2 disable 1.1 */
- if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
- != SSL_OP_NO_TLSv1_1){
- log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
- daemon_remote_delete(rc);
- return NULL;
- }
-#endif
-#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
- /* if we have sha256, set the cipher list to have no known vulns */
- if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
- log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
-#endif
 if (cfg->remote_control_use_cert == 0) {
 /* No certificates are requested */
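Review bot: After this hunk nothing in daemon_remote_create says which protocol versions or cipher list the remote-control SSL_CTX ends up with; that policy now lives in listen_sslctx_setup() (and, for the ECDHE part in the -314 hunk, listen_sslctx_setup_2()), both outside this file, so someone auditing the control channel can no longer see here that SSLv2/SSLv3 and older TLS are refused. A comment before the call, `/* TLS protocol versions and cipher list are configured in listen_sslctx_setup() */`, would keep that visible. The removed code logged each failure with log_crypto_err() before returning NULL; whether listen_sslctx_setup() logs before returning 0 is not visible here and is worth confirming, since this caller otherwise fails silently. Likewise the result of listen_sslctx_setup_2() in the -314 hunk is discarded, whereas the inline code it replaces logged when ECDHE could not be enabled. daemon_remote_create continues outside both hunks.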
@@ -314,23 +282,7 @@ daemon_remote_create(struct config_file* cfg)
 log_crypto_err("Error in SSL_CTX check_private_key");
 goto setup_error;
 }
-#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
- if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
- log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
- }
-#elif defined(USE_ECDSA)
- if(1) {
- EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
- if (!ecdh) {
- log_crypto_err("could not find p256, not enabling ECDHE");
- } else {
- if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
- log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
- }
- EC_KEY_free (ecdh);
- }
- }
-#endif
+ listen_sslctx_setup_2(rc->ctx);
 if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
 log_crypto_err("Error setting up SSL_CTX verify locations");
 setup_error:
@@ -415,7 +367,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 if (cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1) {
 if(chown(ip, cfg_uid, cfg_gid) == -1)
- log_err("cannot chown %u.%u %s: %s",
+ verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
 (unsigned)cfg_uid, (unsigned)cfg_gid, ip, strerror(errno));
 }
@@ -841,7 +793,7 @@ print_stats(SSL* ssl, const char* nm, struct ub_stats_info* s)
 static int
 print_thread_stats(SSL* ssl, int i, struct ub_stats_info* s)
 {
- char nm[16];
+ char nm[32];
 snprintf(nm, sizeof(nm), "thread%d", i);
 nm[sizeof(nm)-1]=0;
 return print_stats(ssl, nm, s);
@@ -873,6 +825,9 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 #ifdef USE_IPSECMOD
 size_t ipsecmod = 0;
 #endif /* USE_IPSECMOD */
+#ifdef USE_DNSCRYPT
+ size_t dnscrypt_shared_secret = 0;
+#endif /* USE_DNSCRYPT */
 msg = slabhash_get_mem(daemon->env->msg_cache);
 rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
 val = mod_get_mem(&worker->env, "validator");
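Review bot: In the add_open hunk a failed chown() of the control socket is now reported only at VERB_QUERY, so at the default verbosity the daemon silently keeps a socket it could not hand over to cfg->username (ip is presumably a unix-domain socket path here, since chown() takes a path); the only later symptom is a control connection that is refused, with no logged cause. If the downgrade is meant to silence a benign case, `log_warn("cannot chown %u.%u %s: %s",` keeps the permissions problem visible without treating it as an error; otherwise the original log_err() is the safer choice for a socket that grants administrative control. The conditions under which chown() is expected to fail here are not visible in the hunk, so this may be intentional. add_open continues outside the hunk.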
@@ -884,6 +839,12 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 #ifdef USE_IPSECMOD
 ipsecmod = mod_get_mem(&worker->env, "ipsecmod");
 #endif /* USE_IPSECMOD */
+#ifdef USE_DNSCRYPT
+ if(daemon->dnscenv) {
+ dnscrypt_shared_secret = slabhash_get_mem(
+ daemon->dnscenv->shared_secrets_cache);
+ }
+#endif /* USE_DNSCRYPT */
 if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
 return 0;
@@ -903,6 +864,11 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 if(!print_longnum(ssl, "mem.mod.ipsecmod"SQ, ipsecmod))
 return 0;
 #endif /* USE_IPSECMOD */
+#ifdef USE_DNSCRYPT
+ if(!print_longnum(ssl, "mem.cache.dnscrypt_shared_secret"SQ,
+ dnscrypt_shared_secret))
+ return 0;
+#endif /* USE_DNSCRYPT */
 return 1;
 }
@@ -1065,6 +1031,9 @@ print_ext(SSL* ssl, struct ub_stats_info* s)
 if(!ssl_printf(ssl, "num.answer.rcode.nodata"SQ"%lu\n",
 (unsigned long)s->svr.ans_rcode_nodata)) return 0;
 }
+ /* iteration */
+ if(!ssl_printf(ssl, "num.query.ratelimited"SQ"%lu\n",
+ (unsigned long)s->svr.queries_ratelimited)) return 0;
 /* validation */
 if(!ssl_printf(ssl, "num.answer.secure"SQ"%lu\n",
 (unsigned long)s->svr.ans_secure)) return 0;
@@ -1086,6 +1055,12 @@ print_ext(SSL* ssl, struct ub_stats_info* s)
 (unsigned)s->svr.infra_cache_count)) return 0;
 if(!ssl_printf(ssl, "key.cache.count"SQ"%u\n",
 (unsigned)s->svr.key_cache_count)) return 0;
+#ifdef USE_DNSCRYPT
+ if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n",
+ (unsigned)s->svr.shared_secret_cache_count)) return 0;
+ if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
+ (unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
+#endif /* USE_DNSCRYPT */
 return 1;
 }
@@ -2389,10 +2364,16 @@ dump_infra_host(struct lruhash_entry* e, void* arg)
 struct infra_data* d = (struct infra_data*)e->data;
 char ip_str[1024];
 char name[257];
+ int port;
 if(a->ssl_failed)
 return;
 addr_to_str(&k->addr, k->addrlen, ip_str, sizeof(ip_str));
 dname_str(k->zonename, name);
+ port = (int)ntohs(((struct sockaddr_in*)&k->addr)->sin_port);
+ if(port != UNBOUND_DNS_PORT) {
+ snprintf(ip_str+strlen(ip_str), sizeof(ip_str)-strlen(ip_str),
+ "@%d", port);
+ }
 /* skip expired stuff (only backed off) */
 if(d->ttl < a->now) {
 if(d->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) {
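Review bot: The new `port = (int)ntohs(((struct sockaddr_in*)&k->addr)->sin_port);` casts k->addr to struct sockaddr_in without looking at the address family, even though addr_to_str() is given k->addrlen and the key presumably holds IPv6 addresses as well. It yields the right port for IPv6 only because sin_port and sin6_port happen to sit at the same offset in struct sockaddr_in and struct sockaddr_in6, and nothing in the code records that this is being relied on. If k->addr is a struct sockaddr_storage, dispatching on it is a one-line change, `port = (int)ntohs(k->addr.ss_family == AF_INET6 ? ((struct sockaddr_in6*)&k->addr)->sin6_port : ((struct sockaddr_in*)&k->addr)->sin_port);`; otherwise at least add `/* sin_port and sin6_port share an offset, so this also reads the IPv6 port */` above the cast. dump_infra_host starts and ends outside the hunk.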