diff options
50 files changed, 639 insertions, 300 deletions
diff --git a/config.h.in b/config.h.in index 04356f334edf..7ffb3c989b10 100644 --- a/config.h.in +++ b/config.h.in @@ -1,5 +1,11 @@ /* config.h.in. Generated from configure.ac by autoheader. */ +/* apply the noreturn attribute to a function that exits the program */ +#undef ATTR_NORETURN + +/* apply the weak attribute to a symbol */ +#undef ATTR_WEAK + /* Directory to chroot to */ #undef CHROOT_DIR @@ -45,6 +51,9 @@ /* Whether the C compiler accepts the "format" attribute */ #undef HAVE_ATTR_FORMAT +/* Whether the C compiler accepts the "noreturn" attribute */ +#undef HAVE_ATTR_NORETURN + /* Whether the C compiler accepts the "unused" attribute */ #undef HAVE_ATTR_UNUSED @@ -199,6 +208,9 @@ /* Define to 1 if you have the <expat.h> header file. */ #undef HAVE_EXPAT_H +/* Define to 1 if you have the `explicit_bzero' function. */ +#undef HAVE_EXPLICIT_BZERO + /* Define to 1 if you have the `fcntl' function. */ #undef HAVE_FCNTL @@ -1144,6 +1156,11 @@ char *strsep(char **stringp, const char *delim); int isblank(int c); #endif +#ifndef HAVE_EXPLICIT_BZERO +#define explicit_bzero unbound_explicit_bzero +void explicit_bzero(void* buf, size_t len); +#endif + #if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP const char *inet_ntop(int af, const void *src, char *dst, size_t size); #endif @@ -1176,7 +1193,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size); # endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM -void explicit_bzero(void* buf, size_t len); int getentropy(void* buf, size_t len); uint32_t arc4random(void); void arc4random_buf(void* buf, size_t n); diff --git a/configure b/configure index d2bdbef84e7a..4f134fca0bcf 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.8.0. +# Generated by GNU Autoconf 2.69 for unbound 1.8.1. # # Report bugs to <unbound-bugs@nlnetlabs.nl>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.8.0' -PACKAGE_STRING='unbound 1.8.0' +PACKAGE_VERSION='1.8.1' +PACKAGE_STRING='unbound 1.8.1' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' PACKAGE_URL='' @@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.8.0 to adapt to many kinds of systems. +\`configure' configures unbound 1.8.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1505,7 +1505,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.8.0:";; + short | recursive ) echo "Configuration of unbound 1.8.1:";; esac cat <<\_ACEOF @@ -1722,7 +1722,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.8.0 +unbound configure 1.8.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.8.0, which was +It was created by unbound $as_me 1.8.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=8 -UNBOUND_VERSION_MICRO=0 +UNBOUND_VERSION_MICRO=1 LIBUNBOUND_CURRENT=8 -LIBUNBOUND_REVISION=0 +LIBUNBOUND_REVISION=1 LIBUNBOUND_AGE=0 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2850,7 +2850,8 @@ LIBUNBOUND_AGE=0 # 1.7.1 had 7:9:5 # 1.7.2 had 7:10:5 # 1.7.3 had 7:11:5 -# 1.7.4 had 8:0:0 # changes the event callback function signature +# 1.8.0 had 8:0:0 # changes the event callback function signature +# 1.8.1 had 8:1:0 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -6265,6 +6266,54 @@ if test $ac_cv_c_weak_attribute = yes; then $as_echo "#define HAVE_ATTR_WEAK 1" >>confdefs.h + +$as_echo "#define ATTR_WEAK __attribute__((weak))" >>confdefs.h + +fi + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler (${CC-cc}) accepts the \"noreturn\" attribute" >&5 +$as_echo_n "checking whether the C compiler (${CC-cc}) accepts the \"noreturn\" attribute... " >&6; } +if ${ac_cv_c_noreturn_attribute+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_c_noreturn_attribute=no +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include <stdio.h> +__attribute__((noreturn)) void f(int x) { printf("%d", x); } + +int +main () +{ + + f(1); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_noreturn_attribute="yes" +else + ac_cv_c_noreturn_attribute="no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_noreturn_attribute" >&5 +$as_echo "$ac_cv_c_noreturn_attribute" >&6; } +if test $ac_cv_c_noreturn_attribute = yes; then + +$as_echo "#define HAVE_ATTR_NORETURN 1" >>confdefs.h + + +$as_echo "#define ATTR_NORETURN __attribute__((__noreturn__))" >>confdefs.h + fi @@ -20033,6 +20082,20 @@ esac fi +ac_fn_c_check_func "$LINENO" "explicit_bzero" "ac_cv_func_explicit_bzero" +if test "x$ac_cv_func_explicit_bzero" = xyes; then : + $as_echo "#define HAVE_EXPLICIT_BZERO 1" >>confdefs.h + +else + case " $LIBOBJS " in + *" explicit_bzero.$ac_objext "* ) ;; + *) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext" + ;; +esac + +fi + + LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS" ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray" @@ -20080,12 +20143,6 @@ fi if test "$ac_cv_func_arc4random" = "no"; then case " $LIBOBJS " in - *" explicit_bzero.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext" - ;; -esac - - case " $LIBOBJS " in *" arc4_lock.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS arc4_lock.$ac_objext" ;; @@ -21077,7 +21134,7 @@ _ACEOF -version=1.8.0 +version=1.8.1 date=`date +'%b %e, %Y'` @@ -21596,7 +21653,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.8.0, which was +This file was extended by unbound $as_me 1.8.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21662,7 +21719,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.8.0 +unbound config.status 1.8.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index ca98b5459917..772a1417a987 100644 --- a/configure.ac +++ b/configure.ac @@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[8]) -m4_define([VERSION_MICRO],[0]) +m4_define([VERSION_MICRO],[1]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=8 -LIBUNBOUND_REVISION=0 +LIBUNBOUND_REVISION=1 LIBUNBOUND_AGE=0 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -81,7 +81,8 @@ LIBUNBOUND_AGE=0 # 1.7.1 had 7:9:5 # 1.7.2 had 7:10:5 # 1.7.3 had 7:11:5 -# 1.7.4 had 8:0:0 # changes the event callback function signature +# 1.8.0 had 8:0:0 # changes the event callback function signature +# 1.8.1 had 8:1:0 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -310,11 +311,36 @@ __attribute__((weak)) void f(int x) { printf("%d", x); } AC_MSG_RESULT($ac_cv_c_weak_attribute) if test $ac_cv_c_weak_attribute = yes; then AC_DEFINE(HAVE_ATTR_WEAK, 1, [Whether the C compiler accepts the "weak" attribute]) + AC_DEFINE(ATTR_WEAK, [__attribute__((weak))], [apply the weak attribute to a symbol]) fi ])dnl End of CHECK_WEAK_ATTRIBUTE CHECK_WEAK_ATTRIBUTE +AC_DEFUN([CHECK_NORETURN_ATTRIBUTE], +[AC_REQUIRE([AC_PROG_CC]) +AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "noreturn" attribute) +AC_CACHE_VAL(ac_cv_c_noreturn_attribute, +[ac_cv_c_noreturn_attribute=no +AC_TRY_COMPILE( +[ #include <stdio.h> +__attribute__((noreturn)) void f(int x) { printf("%d", x); } +], [ + f(1); +], +[ac_cv_c_noreturn_attribute="yes"], +[ac_cv_c_noreturn_attribute="no"]) +]) + +AC_MSG_RESULT($ac_cv_c_noreturn_attribute) +if test $ac_cv_c_noreturn_attribute = yes; then + AC_DEFINE(HAVE_ATTR_NORETURN, 1, [Whether the C compiler accepts the "noreturn" attribute]) + AC_DEFINE(ATTR_NORETURN, [__attribute__((__noreturn__))], [apply the noreturn attribute to a function that exits the program]) +fi +])dnl End of CHECK_NORETURN_ATTRIBUTE + +CHECK_NORETURN_ATTRIBUTE + if test "$srcdir" != "."; then CPPFLAGS="$CPPFLAGS -I$srcdir" fi @@ -1396,6 +1422,7 @@ AC_REPLACE_FUNCS(strlcpy) AC_REPLACE_FUNCS(memmove) AC_REPLACE_FUNCS(gmtime_r) AC_REPLACE_FUNCS(isblank) +AC_REPLACE_FUNCS(explicit_bzero) dnl without CTIME, ARC4-functions and without reallocarray. LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS" AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4) @@ -1404,7 +1431,6 @@ if test "$USE_NSS" = "no"; then AC_REPLACE_FUNCS(arc4random) AC_REPLACE_FUNCS(arc4random_uniform) if test "$ac_cv_func_arc4random" = "no"; then - AC_LIBOBJ(explicit_bzero) AC_LIBOBJ(arc4_lock) AC_CHECK_FUNCS([getentropy],,[ if test "$USE_WINSOCK" = 1; then @@ -1729,6 +1755,11 @@ char *strsep(char **stringp, const char *delim); int isblank(int c); #endif +#ifndef HAVE_EXPLICIT_BZERO +#define explicit_bzero unbound_explicit_bzero +void explicit_bzero(void* buf, size_t len); +#endif + #if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP const char *inet_ntop(int af, const void *src, char *dst, size_t size); #endif @@ -1761,7 +1792,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size); # endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM -void explicit_bzero(void* buf, size_t len); int getentropy(void* buf, size_t len); uint32_t arc4random(void); void arc4random_buf(void* buf, size_t n); diff --git a/contrib/fastrpz.patch b/contrib/fastrpz.patch index b80eeb2bb927..590f843d9fa5 100644 --- a/contrib/fastrpz.patch +++ b/contrib/fastrpz.patch @@ -1,15 +1,11 @@ Description: based on the included patch contrib/fastrpz.patch Author: fastrpz@farsightsecurity.com --- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: unboundfastrpz/Makefile.in =================================================================== -RCS file: ./RCS/Makefile.in,v -retrieving revision 1.1 -Index: unbound-1.7.0~rc1/Makefile.in -=================================================================== ---- unbound-1.7.0~rc1.orig/Makefile.in -+++ unbound-1.7.0~rc1/Makefile.in -@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c +--- unboundfastrpz/Makefile.in (revision 4923) ++++ unboundfastrpz/Makefile.in (working copy) +@@ -23,6 +23,8 @@ CHECKLOCK_OBJ=@CHECKLOCK_OBJ@ DNSTAP_SRC=@DNSTAP_SRC@ DNSTAP_OBJ=@DNSTAP_OBJ@ @@ -18,7 +14,7 @@ Index: unbound-1.7.0~rc1/Makefile.in DNSCRYPT_SRC=@DNSCRYPT_SRC@ DNSCRYPT_OBJ=@DNSCRYPT_OBJ@ WITH_PYTHONMODULE=@WITH_PYTHONMODULE@ -@@ -125,7 +127,7 @@ validator/val_sigcrypt.c validator/val_u +@@ -126,7 +128,7 @@ edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \ edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \ cachedb/cachedb.c cachedb/redis.c respip/respip.c $(CHECKLOCK_SRC) \ @@ -27,16 +23,16 @@ Index: unbound-1.7.0~rc1/Makefile.in COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \ -@@ -137,7 +139,7 @@ slabhash.lo timehist.lo tube.lo winsock_ +@@ -139,7 +141,7 @@ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \ - val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\ + val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo authzone.lo \ $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \ -$(IPSECMOD_OBJ) respip.lo +$(FASTRPZ_OBJ) $(IPSECMOD_OBJ) respip.lo COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \ outside_network.lo COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo -@@ -400,6 +402,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscry +@@ -405,6 +407,11 @@ $(srcdir)/util/config_file.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h @@ -48,11 +44,11 @@ Index: unbound-1.7.0~rc1/Makefile.in # Python Module pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \ pythonmod/interface.h \ -Index: unbound-1.7.0~rc1/config.h.in +Index: unboundfastrpz/config.h.in =================================================================== ---- unbound-1.7.0~rc1.orig/config.h.in -+++ unbound-1.7.0~rc1/config.h.in -@@ -1228,4 +1228,11 @@ void *unbound_stat_realloc_log(void *ptr +--- unboundfastrpz/config.h.in (revision 4923) ++++ unboundfastrpz/config.h.in (working copy) +@@ -1272,4 +1272,11 @@ /** the version of unbound-control that this software implements */ #define UNBOUND_CONTROL_VERSION 1 @@ -65,11 +61,11 @@ Index: unbound-1.7.0~rc1/config.h.in +#undef FASTRPZ_LIB_OPEN +/** turn on fastrpz response policy zones */ +#undef ENABLE_FASTRPZ -Index: unbound-1.7.0~rc1/configure.ac +Index: unboundfastrpz/configure.ac =================================================================== ---- unbound-1.7.0~rc1.orig/configure.ac -+++ unbound-1.7.0~rc1/configure.ac -@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4) +--- unboundfastrpz/configure.ac (revision 4923) ++++ unboundfastrpz/configure.ac (working copy) +@@ -6,6 +6,7 @@ sinclude(acx_python.m4) sinclude(ac_pkg_swig.m4) sinclude(dnstap/dnstap.m4) @@ -77,7 +73,7 @@ Index: unbound-1.7.0~rc1/configure.ac sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing -@@ -1453,6 +1454,9 @@ case "$enable_ipsecmod" in +@@ -1565,6 +1566,9 @@ ;; esac @@ -87,11 +83,11 @@ Index: unbound-1.7.0~rc1/configure.ac AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) # on openBSD, the implicit rule make $< work. # on Solaris, it does not work ($? is changed sources, $^ lists dependencies). -Index: unbound-1.7.0~rc1/daemon/daemon.c +Index: unboundfastrpz/daemon/daemon.c =================================================================== ---- unbound-1.7.0~rc1.orig/daemon/daemon.c -+++ unbound-1.7.0~rc1/daemon/daemon.c -@@ -90,6 +90,9 @@ +--- unboundfastrpz/daemon/daemon.c (revision 4923) ++++ unboundfastrpz/daemon/daemon.c (working copy) +@@ -91,6 +91,9 @@ #include "sldns/keyraw.h" #include "respip/respip.h" #include <signal.h> @@ -101,7 +97,7 @@ Index: unbound-1.7.0~rc1/daemon/daemon.c #ifdef HAVE_SYSTEMD #include <systemd/sd-daemon.h> -@@ -461,6 +464,14 @@ daemon_create_workers(struct daemon* dae +@@ -462,6 +465,14 @@ fatal_exit("dnstap enabled in config but not built with dnstap support"); #endif } @@ -116,9 +112,9 @@ Index: unbound-1.7.0~rc1/daemon/daemon.c for(i=0; i<daemon->num; i++) { if(!(daemon->workers[i] = worker_create(daemon, i, shufport+numport*i/daemon->num, -@@ -710,6 +721,9 @@ daemon_cleanup(struct daemon* daemon) - #ifdef USE_DNSCRYPT +@@ -719,6 +730,9 @@ dnsc_delete(daemon->dnscenv); + daemon->dnscenv = NULL; #endif +#ifdef ENABLE_FASTRPZ + rpz_delete(&daemon->rpz_clist, &daemon->rpz_client); @@ -126,11 +122,11 @@ Index: unbound-1.7.0~rc1/daemon/daemon.c daemon->cfg = NULL; } -Index: unbound-1.7.0~rc1/daemon/daemon.h +Index: unboundfastrpz/daemon/daemon.h =================================================================== ---- unbound-1.7.0~rc1.orig/daemon/daemon.h -+++ unbound-1.7.0~rc1/daemon/daemon.h -@@ -134,6 +134,11 @@ struct daemon { +--- unboundfastrpz/daemon/daemon.h (revision 4923) ++++ unboundfastrpz/daemon/daemon.h (working copy) +@@ -136,6 +136,11 @@ /** the dnscrypt environment */ struct dnsc_env* dnscenv; #endif @@ -142,11 +138,11 @@ Index: unbound-1.7.0~rc1/daemon/daemon.h }; /** -Index: unbound-1.7.0~rc1/daemon/worker.c +Index: unboundfastrpz/daemon/worker.c =================================================================== ---- unbound-1.7.0~rc1.orig/daemon/worker.c -+++ unbound-1.7.0~rc1/daemon/worker.c -@@ -74,6 +74,9 @@ +--- unboundfastrpz/daemon/worker.c (revision 4923) ++++ unboundfastrpz/daemon/worker.c (working copy) +@@ -75,6 +75,9 @@ #include "libunbound/context.h" #include "libunbound/libworker.h" #include "sldns/sbuffer.h" @@ -156,7 +152,7 @@ Index: unbound-1.7.0~rc1/daemon/worker.c #include "sldns/wire2str.h" #include "util/shm_side/shm_main.h" #include "dnscrypt/dnscrypt.h" -@@ -527,8 +530,27 @@ answer_norec_from_cache(struct worker* w +@@ -533,8 +536,27 @@ /* not secure */ secure = 0; break; @@ -182,9 +178,9 @@ Index: unbound-1.7.0~rc1/daemon/worker.c + } +#endif /* return this delegation from the cache */ + edns_bak = *edns; edns->edns_version = EDNS_ADVERTISED_VERSION; - edns->udp_size = EDNS_ADVERTISED_SIZE; -@@ -689,6 +711,23 @@ answer_from_cache(struct worker* worker, +@@ -702,6 +724,23 @@ secure = 0; } } else secure = 0; @@ -206,9 +202,9 @@ Index: unbound-1.7.0~rc1/daemon/worker.c + } +#endif + edns_bak = *edns; edns->edns_version = EDNS_ADVERTISED_VERSION; - edns->udp_size = EDNS_ADVERTISED_SIZE; -@@ -1291,6 +1330,15 @@ worker_handle_request(struct comm_point* +@@ -1407,6 +1446,15 @@ log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from", &repinfo->addr, repinfo->addrlen); goto send_reply; @@ -224,7 +220,7 @@ Index: unbound-1.7.0~rc1/daemon/worker.c } /* If we've found a local alias, replace the qname with the alias -@@ -1339,12 +1387,21 @@ lookup_cache: +@@ -1455,12 +1503,21 @@ h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2)); if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) { /* answer from cache - we have acquired a readlock on it */ @@ -248,7 +244,7 @@ Index: unbound-1.7.0~rc1/daemon/worker.c /* prefetch it if the prefetch TTL expired. * Note that if there is more than one pass * its qname must be that used for cache -@@ -1398,11 +1455,19 @@ lookup_cache: +@@ -1514,11 +1571,19 @@ lock_rw_unlock(&e->lock); } if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) { @@ -270,11 +266,11 @@ Index: unbound-1.7.0~rc1/daemon/worker.c goto send_reply; } verbose(VERB_ALGO, "answer norec from cache -- " -Index: unbound-1.7.0~rc1/doc/unbound.conf.5.in +Index: unboundfastrpz/doc/unbound.conf.5.in =================================================================== ---- unbound-1.7.0~rc1.orig/doc/unbound.conf.5.in -+++ unbound-1.7.0~rc1/doc/unbound.conf.5.in -@@ -1705,6 +1705,81 @@ It must be /96 or shorter. The default +--- unboundfastrpz/doc/unbound.conf.5.in (revision 4923) ++++ unboundfastrpz/doc/unbound.conf.5.in (working copy) +@@ -1728,6 +1728,81 @@ used by dns64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given. @@ -356,10 +352,10 @@ Index: unbound-1.7.0~rc1/doc/unbound.conf.5.in .SS "DNSCrypt Options" .LP The -Index: unbound-1.7.0~rc1/fastrpz/librpz.h +Index: unboundfastrpz/fastrpz/librpz.h =================================================================== ---- /dev/null -+++ unbound-1.7.0~rc1/fastrpz/librpz.h +--- unboundfastrpz/fastrpz/librpz.h (nonexistent) ++++ unboundfastrpz/fastrpz/librpz.h (working copy) @@ -0,0 +1,957 @@ +/* + * Define the interface from a DNS resolver to the Response Policy Zone @@ -1318,11 +1314,11 @@ Index: unbound-1.7.0~rc1/fastrpz/librpz.h +#endif /* LIBRPZ_LIB_OPEN */ + +#endif /* LIBRPZ_H */ -Index: unbound-1.7.0~rc1/fastrpz/rpz.c +Index: unboundfastrpz/fastrpz/rpz.c =================================================================== ---- /dev/null -+++ unbound-1.7.0~rc1/fastrpz/rpz.c -@@ -0,0 +1,1357 @@ +--- unboundfastrpz/fastrpz/rpz.c (nonexistent) ++++ unboundfastrpz/fastrpz/rpz.c (working copy) +@@ -0,0 +1,1352 @@ +/* + * fastrpz/rpz.c - interface to the fastrpz response policy zone library + * @@ -1438,8 +1434,6 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.c +static void +log_fnc(librpz_log_level_t level, void* ATTR_UNUSED(ctx), const char* buf) +{ -+ char label_buf[sizeof("rpz ")+8]; -+ + /* Setting librpz_log_level overrides the unbound "verbose" level. */ + if(level > LIBRPZ_LOG_TRACE1 && + level <= librpz->log_level_val(LIBRPZ_LOG_INVALID)) @@ -1949,12 +1943,9 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.c + case st_ck_ns: + /* An NSDNAME or NSIP check failed for lack of cached data. */ + return false; -+#pragma clang diagnostic push -+#pragma clang diagnostic ignored "-Wunreachable-code" + default: + fatal_exit("impossible RPZ state %d in rpz_worker_cache()", + rpz->st); -+#pragma clang diagnostic pop + } + + /* Wait for a trigger. */ @@ -2680,10 +2671,10 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.c +} + +#endif /* ENABLE_FASTRPZ */ -Index: unbound-1.7.0~rc1/fastrpz/rpz.h +Index: unboundfastrpz/fastrpz/rpz.h =================================================================== ---- /dev/null -+++ unbound-1.7.0~rc1/fastrpz/rpz.h +--- unboundfastrpz/fastrpz/rpz.h (nonexistent) ++++ unboundfastrpz/fastrpz/rpz.h (working copy) @@ -0,0 +1,138 @@ +/* + * fastrpz/rpz.h - interface to the fastrpz response policy zone library @@ -2823,10 +2814,10 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.h + +#endif /* ENABLE_FASTRPZ */ +#endif /* UNBOUND_FASTRPZ_RPZ_H */ -Index: unbound-1.7.0~rc1/fastrpz/rpz.m4 +Index: unboundfastrpz/fastrpz/rpz.m4 =================================================================== ---- /dev/null -+++ unbound-1.7.0~rc1/fastrpz/rpz.m4 +--- unboundfastrpz/fastrpz/rpz.m4 (nonexistent) ++++ unboundfastrpz/fastrpz/rpz.m4 (working copy) @@ -0,0 +1,64 @@ +# fastrpz/rpz.m4 + @@ -2892,10 +2883,10 @@ Index: unbound-1.7.0~rc1/fastrpz/rpz.m4 + AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]]) + fi +]) -Index: unbound-1.7.0~rc1/iterator/iterator.c +Index: unboundfastrpz/iterator/iterator.c =================================================================== ---- unbound-1.7.0~rc1.orig/iterator/iterator.c -+++ unbound-1.7.0~rc1/iterator/iterator.c +--- unboundfastrpz/iterator/iterator.c (revision 4923) ++++ unboundfastrpz/iterator/iterator.c (working copy) @@ -68,6 +68,9 @@ #include "sldns/str2wire.h" #include "sldns/parseutil.h" @@ -2906,7 +2897,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c int iter_init(struct module_env* env, int id) -@@ -511,6 +514,23 @@ handle_cname_response(struct module_qsta +@@ -525,6 +528,23 @@ if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME && query_dname_compare(*mname, r->rk.dname) == 0 && !iter_find_rrset_in_prepend_answer(iq, r)) { @@ -2930,7 +2921,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c /* Add this relevant CNAME rrset to the prepend list.*/ if(!iter_add_prepend_answer(qstate, iq, r)) return 0; -@@ -519,6 +539,9 @@ handle_cname_response(struct module_qsta +@@ -533,6 +553,9 @@ /* Other rrsets in the section are ignored. */ } @@ -2940,7 +2931,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c /* add authority rrsets to authority prepend, for wildcarded CNAMEs */ for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets + msg->rep->ns_numrrsets; i++) { -@@ -1148,6 +1171,7 @@ processInitRequest(struct module_qstate* +@@ -1216,6 +1239,7 @@ uint8_t* delname; size_t delnamelen; struct dns_msg* msg = NULL; @@ -2948,7 +2939,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo); /* check effort */ -@@ -1223,8 +1247,7 @@ processInitRequest(struct module_qstate* +@@ -1302,8 +1326,7 @@ } if(msg) { /* handle positive cache response */ @@ -2958,7 +2949,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c if(verbosity >= VERB_ALGO) { log_dns_msg("msg from cache lookup", &msg->qinfo, msg->rep); -@@ -1232,7 +1255,22 @@ processInitRequest(struct module_qstate* +@@ -1311,7 +1334,22 @@ (int)msg->rep->ttl, (int)msg->rep->prefetch_ttl); } @@ -2981,7 +2972,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c if(type == RESPONSE_TYPE_CNAME) { uint8_t* sname = 0; size_t slen = 0; -@@ -2552,6 +2590,62 @@ processQueryResponse(struct module_qstat +@@ -2716,6 +2754,62 @@ sock_list_insert(&qstate->reply_origin, &qstate->reply->addr, qstate->reply->addrlen, qstate->region); @@ -3041,10 +3032,10 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c + } + } +#endif - if(iq->minimisation_state != DONOT_MINIMISE_STATE) { + if(iq->minimisation_state != DONOT_MINIMISE_STATE + && !(iq->chase_flags & BIT_RD)) { if(FLAGS_GET_RCODE(iq->response->rep->flags) != - LDNS_RCODE_NOERROR) { -@@ -3273,12 +3367,44 @@ processFinished(struct module_qstate* qs +@@ -3462,6 +3556,10 @@ * but only if we did recursion. The nonrecursion referral * from cache does not need to be stored in the msg cache. */ if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) { @@ -3055,6 +3046,7 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c iter_dns_store(qstate->env, &qstate->qinfo, iq->response->rep, 0, qstate->prefetch_leeway, iq->dp&&iq->dp->has_parent_side_NS, +@@ -3468,6 +3566,34 @@ qstate->region, qstate->query_flags); } } @@ -3089,11 +3081,11 @@ Index: unbound-1.7.0~rc1/iterator/iterator.c qstate->return_rcode = LDNS_RCODE_NOERROR; qstate->return_msg = iq->response; return 0; -Index: unbound-1.7.0~rc1/iterator/iterator.h +Index: unboundfastrpz/iterator/iterator.h =================================================================== ---- unbound-1.7.0~rc1.orig/iterator/iterator.h -+++ unbound-1.7.0~rc1/iterator/iterator.h -@@ -383,6 +383,16 @@ struct iter_qstate { +--- unboundfastrpz/iterator/iterator.h (revision 4923) ++++ unboundfastrpz/iterator/iterator.h (working copy) +@@ -386,6 +386,16 @@ */ int minimise_count; @@ -3110,11 +3102,11 @@ Index: unbound-1.7.0~rc1/iterator/iterator.h /** * Count number of time-outs. Used to prevent resolving failures when * the QNAME minimisation QTYPE is blocked. */ -Index: unbound-1.7.0~rc1/services/cache/dns.c +Index: unboundfastrpz/services/cache/dns.c =================================================================== ---- unbound-1.7.0~rc1.orig/services/cache/dns.c -+++ unbound-1.7.0~rc1/services/cache/dns.c -@@ -876,6 +876,14 @@ dns_cache_store(struct module_env* env, +--- unboundfastrpz/services/cache/dns.c (revision 4923) ++++ unboundfastrpz/services/cache/dns.c (working copy) +@@ -928,6 +928,14 @@ struct regional* region, uint32_t flags) { struct reply_info* rep = NULL; @@ -3129,11 +3121,11 @@ Index: unbound-1.7.0~rc1/services/cache/dns.c /* alloc, malloc properly (not in region, like msg is) */ rep = reply_info_copy(msgrep, env->alloc, NULL); if(!rep) -Index: unbound-1.7.0~rc1/services/mesh.c +Index: unboundfastrpz/services/mesh.c =================================================================== ---- unbound-1.7.0~rc1.orig/services/mesh.c -+++ unbound-1.7.0~rc1/services/mesh.c -@@ -59,6 +59,9 @@ +--- unboundfastrpz/services/mesh.c (revision 4923) ++++ unboundfastrpz/services/mesh.c (working copy) +@@ -60,6 +60,9 @@ #include "sldns/wire2str.h" #include "services/localzone.h" #include "util/data/dname.h" @@ -3143,7 +3135,7 @@ Index: unbound-1.7.0~rc1/services/mesh.c #include "respip/respip.h" /** subtract timers and the values do not overflow or become negative */ -@@ -1050,6 +1053,13 @@ mesh_send_reply(struct mesh_state* m, in +@@ -1057,6 +1060,13 @@ else secure = 0; if(!rep && rcode == LDNS_RCODE_NOERROR) rcode = LDNS_RCODE_SERVFAIL; @@ -3157,7 +3149,7 @@ Index: unbound-1.7.0~rc1/services/mesh.c /* send the reply */ /* We don't reuse the encoded answer if either the previous or current * response has a local alias. We could compare the alias records -@@ -1199,6 +1209,7 @@ struct mesh_state* mesh_area_find(struct +@@ -1230,6 +1240,7 @@ key.s.is_valrec = valrec; key.s.qinfo = *qinfo; key.s.query_flags = qflags; @@ -3165,7 +3157,7 @@ Index: unbound-1.7.0~rc1/services/mesh.c /* We are searching for a similar mesh state when we DO want to * aggregate the state. Thus unique is set to NULL. (default when we * desire aggregation).*/ -@@ -1245,6 +1256,10 @@ int mesh_state_add_reply(struct mesh_sta +@@ -1276,6 +1287,10 @@ if(!r) return 0; r->query_reply = *rep; @@ -3176,11 +3168,11 @@ Index: unbound-1.7.0~rc1/services/mesh.c r->edns = *edns; if(edns->opt_list) { r->edns.opt_list = edns_opt_copy_region(edns->opt_list, -Index: unbound-1.7.0~rc1/util/config_file.c +Index: unboundfastrpz/util/config_file.c =================================================================== ---- unbound-1.7.0~rc1.orig/util/config_file.c -+++ unbound-1.7.0~rc1/util/config_file.c -@@ -1323,6 +1323,8 @@ config_delete(struct config_file* cfg) +--- unboundfastrpz/util/config_file.c (revision 4923) ++++ unboundfastrpz/util/config_file.c (working copy) +@@ -1386,6 +1386,8 @@ free(cfg->dnstap_socket_path); free(cfg->dnstap_identity); free(cfg->dnstap_version); @@ -3189,11 +3181,11 @@ Index: unbound-1.7.0~rc1/util/config_file.c config_deldblstrlist(cfg->ratelimit_for_domain); config_deldblstrlist(cfg->ratelimit_below_domain); #ifdef USE_IPSECMOD -Index: unbound-1.7.0~rc1/util/config_file.h +Index: unboundfastrpz/util/config_file.h =================================================================== ---- unbound-1.7.0~rc1.orig/util/config_file.h -+++ unbound-1.7.0~rc1/util/config_file.h -@@ -431,6 +431,11 @@ struct config_file { +--- unboundfastrpz/util/config_file.h (revision 4923) ++++ unboundfastrpz/util/config_file.h (working copy) +@@ -468,6 +468,11 @@ /** true to disable DNSSEC lameness check in iterator */ int disable_dnssec_lame_check; @@ -3205,11 +3197,11 @@ Index: unbound-1.7.0~rc1/util/config_file.h /** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */ int ip_ratelimit; /** number of slabs for ip_ratelimit cache */ -Index: unbound-1.7.0~rc1/util/configlexer.lex +Index: unboundfastrpz/util/configlexer.lex =================================================================== ---- unbound-1.7.0~rc1.orig/util/configlexer.lex -+++ unbound-1.7.0~rc1/util/configlexer.lex -@@ -412,6 +412,10 @@ dnstap-log-forwarder-query-messages{COLO +--- unboundfastrpz/util/configlexer.lex (revision 4923) ++++ unboundfastrpz/util/configlexer.lex (working copy) +@@ -429,6 +429,10 @@ YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) } dnstap-log-forwarder-response-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) } @@ -3220,11 +3212,11 @@ Index: unbound-1.7.0~rc1/util/configlexer.lex disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) } ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) } ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) } -Index: unbound-1.7.0~rc1/util/configparser.y +Index: unboundfastrpz/util/configparser.y =================================================================== ---- unbound-1.7.0~rc1.orig/util/configparser.y -+++ unbound-1.7.0~rc1/util/configparser.y -@@ -124,6 +124,7 @@ extern struct config_parser_state* cfg_p +--- unboundfastrpz/util/configparser.y (revision 4923) ++++ unboundfastrpz/util/configparser.y (working copy) +@@ -125,6 +125,7 @@ %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES @@ -3232,7 +3224,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT %token VAR_DISABLE_DNSSEC_LAME_CHECK -@@ -158,7 +159,7 @@ extern struct config_parser_state* cfg_p +@@ -164,7 +165,7 @@ %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -3241,7 +3233,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y forwardstart contents_forward | pythonstart contents_py | rcstart contents_rc | dtstart contents_dt | viewstart contents_view | dnscstart contents_dnsc | cachedbstart contents_cachedb | -@@ -2384,6 +2385,50 @@ dt_dnstap_log_forwarder_response_message +@@ -2546,6 +2547,50 @@ (strcmp($2, "yes")==0); } ; @@ -3269,7 +3261,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y + + OUTYY(("P(rpz_zone:%s)\n", $2)); + old_cstr = cfg_parser->cfg->rpz_cstr; -+ asprintf(&new_cstr, "%s\nzone %s", old_cstr?old_cstr:"", $2); ++ (void)asprintf(&new_cstr, "%s\nzone %s", old_cstr?old_cstr:"", $2); + if(!new_cstr) + yyerror("out of memory"); + free(old_cstr); @@ -3282,7 +3274,7 @@ Index: unbound-1.7.0~rc1/util/configparser.y + + OUTYY(("P(rpz_option:%s)\n", $2)); + old_cstr = cfg_parser->cfg->rpz_cstr; -+ asprintf(&new_cstr, "%s\n%s", old_cstr ? old_cstr : "", $2); ++ (void)asprintf(&new_cstr, "%s\n%s", old_cstr ? old_cstr : "", $2); + if(!new_cstr) + yyerror("out of memory"); + free(old_cstr); @@ -3292,11 +3284,11 @@ Index: unbound-1.7.0~rc1/util/configparser.y pythonstart: VAR_PYTHON { OUTYY(("\nP(python:)\n")); -Index: unbound-1.7.0~rc1/util/data/msgencode.c +Index: unboundfastrpz/util/data/msgencode.c =================================================================== ---- unbound-1.7.0~rc1.orig/util/data/msgencode.c -+++ unbound-1.7.0~rc1/util/data/msgencode.c -@@ -585,6 +585,35 @@ insert_section(struct reply_info* rep, s +--- unboundfastrpz/util/data/msgencode.c (revision 4923) ++++ unboundfastrpz/util/data/msgencode.c (working copy) +@@ -585,6 +585,35 @@ return RETVAL_OK; } @@ -3332,7 +3324,7 @@ Index: unbound-1.7.0~rc1/util/data/msgencode.c /** store query section in wireformat buffer, return RETVAL */ static int insert_query(struct query_info* qinfo, struct compress_tree_node** tree, -@@ -750,6 +779,19 @@ reply_info_encode(struct query_info* qin +@@ -748,6 +777,19 @@ return 0; } sldns_buffer_write_u16_at(buffer, 10, arcount); @@ -3352,13 +3344,13 @@ Index: unbound-1.7.0~rc1/util/data/msgencode.c } sldns_buffer_flip(buffer); return 1; -Index: unbound-1.7.0~rc1/util/data/packed_rrset.c +Index: unboundfastrpz/util/data/packed_rrset.c =================================================================== ---- unbound-1.7.0~rc1.orig/util/data/packed_rrset.c -+++ unbound-1.7.0~rc1/util/data/packed_rrset.c -@@ -254,6 +254,10 @@ sec_status_to_string(enum sec_status s) - case sec_status_indeterminate: return "sec_status_indeterminate"; +--- unboundfastrpz/util/data/packed_rrset.c (revision 4923) ++++ unboundfastrpz/util/data/packed_rrset.c (working copy) +@@ -255,6 +255,10 @@ case sec_status_insecure: return "sec_status_insecure"; + case sec_status_secure_sentinel_fail: return "sec_status_secure_sentinel_fail"; case sec_status_secure: return "sec_status_secure"; +#ifdef ENABLE_FASTRPZ + case sec_status_rpz_rewritten: return "sec_status_rpz_rewritten"; @@ -3367,12 +3359,12 @@ Index: unbound-1.7.0~rc1/util/data/packed_rrset.c } return "unknown_sec_status_value"; } -Index: unbound-1.7.0~rc1/util/data/packed_rrset.h +Index: unboundfastrpz/util/data/packed_rrset.h =================================================================== ---- unbound-1.7.0~rc1.orig/util/data/packed_rrset.h -+++ unbound-1.7.0~rc1/util/data/packed_rrset.h -@@ -189,7 +189,15 @@ enum sec_status { - sec_status_insecure, +--- unboundfastrpz/util/data/packed_rrset.h (revision 4923) ++++ unboundfastrpz/util/data/packed_rrset.h (working copy) +@@ -193,7 +193,15 @@ + sec_status_secure_sentinel_fail, /** SECURE means that the object (RRset or message) validated * according to local policy. */ - sec_status_secure @@ -3388,11 +3380,11 @@ Index: unbound-1.7.0~rc1/util/data/packed_rrset.h }; /** -Index: unbound-1.7.0~rc1/util/netevent.c +Index: unboundfastrpz/util/netevent.c =================================================================== ---- unbound-1.7.0~rc1.orig/util/netevent.c -+++ unbound-1.7.0~rc1/util/netevent.c -@@ -54,6 +54,9 @@ +--- unboundfastrpz/util/netevent.c (revision 4923) ++++ unboundfastrpz/util/netevent.c (working copy) +@@ -56,6 +56,9 @@ #ifdef HAVE_OPENSSL_ERR_H #include <openssl/err.h> #endif @@ -3402,7 +3394,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c /* -------- Start of local definitions -------- */ /** if CMSG_ALIGN is not defined on this platform, a workaround */ -@@ -585,6 +588,9 @@ comm_point_udp_ancil_callback(int fd, sh +@@ -588,6 +591,9 @@ struct cmsghdr* cmsg; #endif /* S_SPLINT_S */ @@ -3412,7 +3404,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c rep.c = (struct comm_point*)arg; log_assert(rep.c->type == comm_udp); -@@ -674,6 +680,9 @@ comm_point_udp_callback(int fd, short ev +@@ -677,6 +683,9 @@ int i; struct sldns_buffer *buffer; @@ -3422,7 +3414,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c rep.c = (struct comm_point*)arg; log_assert(rep.c->type == comm_udp); -@@ -717,6 +726,9 @@ comm_point_udp_callback(int fd, short ev +@@ -720,6 +729,9 @@ (void)comm_point_send_udp_msg(rep.c, buffer, (struct sockaddr*)&rep.addr, rep.addrlen); } @@ -3432,7 +3424,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for another UDP port. Note rep.c cannot be reused with TCP fd. */ break; -@@ -2956,6 +2968,9 @@ comm_point_send_reply(struct comm_reply +@@ -3035,6 +3047,9 @@ comm_point_start_listening(repinfo->c, -1, repinfo->c->tcp_timeout_msec); } @@ -3442,7 +3434,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c } void -@@ -2965,6 +2980,9 @@ comm_point_drop_reply(struct comm_reply* +@@ -3044,6 +3059,9 @@ return; log_assert(repinfo && repinfo->c); log_assert(repinfo->c->type != comm_tcp_accept); @@ -3452,7 +3444,7 @@ Index: unbound-1.7.0~rc1/util/netevent.c if(repinfo->c->type == comm_udp) return; reclaim_tcp_handler(repinfo->c); -@@ -2984,6 +3002,9 @@ comm_point_start_listening(struct comm_p +@@ -3063,6 +3081,9 @@ { verbose(VERB_ALGO, "comm point start listening %d", c->fd==-1?newfd:c->fd); @@ -3462,11 +3454,11 @@ Index: unbound-1.7.0~rc1/util/netevent.c if(c->type == comm_tcp_accept && !c->tcp_free) { /* no use to start listening no free slots. */ return; -Index: unbound-1.7.0~rc1/util/netevent.h +Index: unboundfastrpz/util/netevent.h =================================================================== ---- unbound-1.7.0~rc1.orig/util/netevent.h -+++ unbound-1.7.0~rc1/util/netevent.h -@@ -119,6 +119,10 @@ struct comm_reply { +--- unboundfastrpz/util/netevent.h (revision 4923) ++++ unboundfastrpz/util/netevent.h (working copy) +@@ -120,6 +120,10 @@ /** return type 0 (none), 4(IP4), 6(IP6) */ int srctype; /* DnsCrypt context */ @@ -3477,11 +3469,11 @@ Index: unbound-1.7.0~rc1/util/netevent.h #ifdef USE_DNSCRYPT uint8_t client_nonce[crypto_box_HALF_NONCEBYTES]; uint8_t nmkey[crypto_box_BEFORENMBYTES]; -Index: unbound-1.7.0~rc1/validator/validator.c +Index: unboundfastrpz/validator/validator.c =================================================================== ---- unbound-1.7.0~rc1.orig/validator/validator.c -+++ unbound-1.7.0~rc1/validator/validator.c -@@ -2688,6 +2688,12 @@ ds_response_to_ke(struct module_qstate* +--- unboundfastrpz/validator/validator.c (revision 4923) ++++ unboundfastrpz/validator/validator.c (working copy) +@@ -2755,6 +2755,12 @@ default: /* NSEC proof did not work, try next */ break; @@ -3494,7 +3486,7 @@ Index: unbound-1.7.0~rc1/validator/validator.c } sec = nsec3_prove_nods(qstate->env, ve, -@@ -2721,6 +2727,12 @@ ds_response_to_ke(struct module_qstate* +@@ -2788,6 +2794,12 @@ default: /* NSEC3 proof did not work */ break; @@ -3507,4 +3499,3 @@ Index: unbound-1.7.0~rc1/validator/validator.c } /* Apparently, no available NSEC/NSEC3 proved NODATA, so - diff --git a/daemon/daemon.c b/daemon/daemon.c index a6bfe390271e..4c3d5f1c1a17 100644 --- a/daemon/daemon.c +++ b/daemon/daemon.c @@ -660,18 +660,15 @@ daemon_fork(struct daemon* daemon) /* Start resolver service on main thread. */ #ifdef HAVE_SYSTEMD - if(daemon->cfg->use_systemd) - sd_notify(0, "READY=1"); + sd_notify(0, "READY=1"); #endif log_info("start of service (%s).", PACKAGE_STRING); worker_work(daemon->workers[0]); #ifdef HAVE_SYSTEMD - if(daemon->cfg->use_systemd) { - if (daemon->workers[0]->need_to_exit) - sd_notify(0, "STOPPING=1"); - else - sd_notify(0, "RELOADING=1"); - } + if (daemon->workers[0]->need_to_exit) + sd_notify(0, "STOPPING=1"); + else + sd_notify(0, "RELOADING=1"); #endif log_info("service stopped (%s).", PACKAGE_STRING); diff --git a/daemon/remote.c b/daemon/remote.c index 91e5609f50f8..3971e4540510 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -275,12 +275,13 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, struct addrinfo hints; struct addrinfo* res; struct listen_port* n; - int noproto; + int noproto = 0; int fd, r; char port[15]; snprintf(port, sizeof(port), "%d", nr); port[sizeof(port)-1]=0; memset(&hints, 0, sizeof(hints)); + log_assert(ip); if(ip[0] == '/') { /* This looks like a local socket */ @@ -1069,6 +1070,7 @@ do_stats(RES* ssl, struct daemon_remote* rc, int reset) struct ub_stats_info total; struct ub_stats_info s; int i; + memset(&total, 0, sizeof(total)); log_assert(daemon->num > 0); /* gather all thread statistics in one place */ for(i=0; i<daemon->num; i++) { diff --git a/daemon/unbound.c b/daemon/unbound.c index 3f0f75a560c5..020e453034ad 100644 --- a/daemon/unbound.c +++ b/daemon/unbound.c @@ -730,7 +730,7 @@ main(int argc, char* argv[]) } } argc -= optind; - argv += optind; + /* argv += optind; not using further arguments */ if(winopt) { #ifdef UB_ON_WINDOWS diff --git a/daemon/worker.c b/daemon/worker.c index 9551c60f4a6a..2697ea6534f1 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -1180,7 +1180,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, char addrbuf[128]; addr_to_str(&repinfo->addr, repinfo->addrlen, addrbuf, sizeof(addrbuf)); - verbose(VERB_OPS, "ip_ratelimit allowed through for ip address %s ", + verbose(VERB_QUERY, "ip_ratelimit allowed through for ip address %s because of slip in ip_ratelimit_factor", addrbuf); } else { worker->stats.num_queries_ip_ratelimited++; @@ -1671,14 +1671,14 @@ worker_create(struct daemon* daemon, int id, int* ports, int n) (((unsigned int)worker->thread_num)<<17); /* shift thread_num so it does not match out pid bits */ if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) { - seed = 0; + explicit_bzero(&seed, sizeof(seed)); log_err("could not init random numbers."); tube_delete(worker->cmd); free(worker->ports); free(worker); return NULL; } - seed = 0; + explicit_bzero(&seed, sizeof(seed)); #ifdef USE_DNSTAP if(daemon->cfg->dnstap) { log_assert(daemon->dtenv != NULL); diff --git a/doc/Changelog b/doc/Changelog index 7e81304f930f..69bab6f640ad 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,80 @@ +8 October 2018: Wouter + - fastrpz.patch fix included. + +1 October 2018: Wouter + - tag for release 1.8.1rc1. + +27 September 2018: Wouter + - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes + qname minimisation with a forwarder when connectivity has issues + from rejecting responses. + +25 September 2018: Wouter + - Perform TLS SNI indication of the host that is being contacted + for DNS over TLS service. It sets the configured tls auth name. + This is useful for hosts that apart from the DNS over TLS services + also provide other (web) services. + - Fix #4149: Add SSL cleanup for tcp timeout. + +17 September 2018: Wouter + - Fix compile on Mac for unbound, provide explicit_bzero when libc + does not have it. + - Fix unbound for openssl in FIPS mode, it uses the digests with + the EVP call contexts. + - Fix that with harden-below-nxdomain and qname minisation enabled + some iterator states for nonresponsive domains can get into a + state where they waited for an empty list. + - Stop UDP to TCP failover after timeouts that causes the ping count + to be reset by the TCP time measurement (that exists for TLS), + because that causes the UDP part to not be measured as timeout. + - Fix #4156: Fix systemd service manager state change notification. + +13 September 2018: Wouter + - Fix seed for random backup code to use explicit zero when wiped. + - exit log routine is annotated as noreturn function. + - free memory leaks in config strlist and str2list insert functions. + - do not move unused argv variable after getopt. + - Remove unused if clause in testcode. + - in testcode, free async ids, initialise array, and check for null + pointer during test of the test. And use exit for return to note + irregular program stop. + - Free memory leak in config strlist append. + - make sure nsec3 comparison salt is initialized. + - unit test has clang analysis. + - remove unused variable assignment from iterator scrub routine. + - check for null in delegation point during iterator refetch + in forward zone. + - neater pointer cast in libunbound context quit routine. + - initialize statistics totals for printout. + - in authzone check that node exists before adding rrset. + - in unbound-anchor, use readwrite memory BIO. + - assertion in autotrust that packed rrset is formed correctly. + - Fix memory leak when message parse fails partway through copy. + - remove unused udpsize assignment in message encode. + - nicer bio free code in unbound-anchor. + - annotate exit functions with noreturn in unbound-control. + +11 September 2018: Wouter + - Fixed unused return value warnings in contrib/fastrpz.patch for + asprintf. + - Fix to squelch respip warning in unit test, it is printed at + higher verbosity settings. + - Fix spelling errors. + - Fix initialisation in remote.c + +10 September 2018: Wouter + - 1.8.1 in svn trunk. (changes from 4,5,.. sep apply). + - iana port update. + +5 September 2018: Wouter + - Fix spelling error in header, from getdns commit by Andreas Gelmini. + +4 September 2018: Ralph + - More explicitly mention the type of ratelimit when applying + ip-ratelimit. + 4 September 2018: Wouter - - Tag for 1.8.0rc1 release. + - Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018. 31 August 2018: Wouter - Disable minimal-responses in subnet unit tests. @@ -1856,7 +1931,7 @@ compatibility with cisco dns guard. This lowers false positives. 18 April 2016: Wouter - - Fix some malformed reponses to edns queries get fallback to nonedns. + - Fix some malformed responses to edns queries get fallback to nonedns. 15 April 2016: Wouter - cachedb module event handling design. diff --git a/doc/README b/doc/README index ae90773412ff..c817e34be24c 100644 --- a/doc/README +++ b/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.8.0 +README for Unbound 1.8.1 Copyright 2007 NLnet Labs http://unbound.net diff --git a/doc/example.conf.in b/doc/example.conf.in index fadfd9c6827b..fc8bc6b0de8d 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.8.0. +# See unbound.conf(5) man page, version 1.8.1. # # this is a comment. diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index 9a2fff835601..003c867b1a7f 100644 --- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "libunbound" "3" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -43,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.8.0 functions. +\- Unbound DNS validating resolver 1.8.1 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index ece844deff37..089aa47dfacb 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound-anchor" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index 1fa91d35d3c5..60f56267ff15 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound-checkconf" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 596138470e53..d176394cf2d3 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound-control" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -301,7 +301,7 @@ you set unbound to validate with for-upstream yes and that can be cleared with \fBflush_zone\fR \fIzone\fR. .TP .B auth_zone_transfer \fIzone\fR -Tranfer the auth zone from master. The auth zone probe sequence is started, +Transfer the auth zone from master. The auth zone probe sequence is started, where the masters are probed to see if they have an updated zone (with the SOA serial check). And then the zone is transferred for a newer zone version. .TP diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in index dacee3d13429..d3a0b42bf5e0 100644 --- a/doc/unbound-host.1.in +++ b/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound\-host" "1" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/doc/unbound.8.in b/doc/unbound.8.in index 7062fb07eacb..65aa4b11d764 100644 --- a/doc/unbound.8.in +++ b/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.8.0. +\- Unbound DNS validating resolver 1.8.1. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index a3536a14a249..bc233fdeb0c7 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0" +.TH "unbound.conf" "5" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -498,7 +498,7 @@ a daemon. Set the value to \fIno\fR when unbound runs as systemd service. Default is yes. .TP .B tcp\-connection\-limit: \fI<IP netblock> <limit> -Allow up to \fIlimit\R simultaneous TCP connections from the given netblock. +Allow up to \fIlimit\fR simultaneous TCP connections from the given netblock. When at the limit, further connections are accepted but closed immediately. This option is experimental at this time. .TP diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c index 12580dcdb539..b354eaa285b0 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c @@ -437,7 +437,9 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, rrset->rrset_all_next = nx->rrset_all_next; nx->rrset_all_next = rrset; - prev = nx; + /* prev = nx; unused, enable if there + * is other rrset removal code after + * this */ } } diff --git a/iterator/iterator.c b/iterator/iterator.c index e99a559fae4d..2f26bd3349de 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -1125,7 +1125,7 @@ forward_request(struct module_qstate* qstate, struct iter_qstate* iq) struct delegpt* dp; uint8_t* delname = iq->qchase.qname; size_t delnamelen = iq->qchase.qname_len; - if(iq->refetch_glue) { + if(iq->refetch_glue && iq->dp) { delname = iq->dp->name; delnamelen = iq->dp->namelen; } @@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } - if(iq->minimisation_state == INIT_MINIMISE_STATE) { + if(iq->minimisation_state == INIT_MINIMISE_STATE + && !(iq->chase_flags & BIT_RD)) { /* (Re)set qinfo_out to (new) delegation point, except when * qinfo_out is already a subdomain of dp. This happens when * increasing by more than one label at once (QNAMEs with more @@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, sock_list_insert(&qstate->reply_origin, &qstate->reply->addr, qstate->reply->addrlen, qstate->region); - if(iq->minimisation_state != DONOT_MINIMISE_STATE) { + if(iq->minimisation_state != DONOT_MINIMISE_STATE + && !(iq->chase_flags & BIT_RD)) { if(FLAGS_GET_RCODE(iq->response->rep->flags) != LDNS_RCODE_NOERROR) { if(qstate->env->cfg->qname_minimisation_strict) @@ -2752,6 +2754,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, verbose(VERB_ALGO, "could not validate NXDOMAIN " "response"); + outbound_list_clear(&iq->outlist); + iq->num_current_queries = 0; + fptr_ok(fptr_whitelist_modenv_detach_subs( + qstate->env->detach_subs)); + (*qstate->env->detach_subs)(qstate); + iq->num_target_queries = 0; } } return next_state(iq, QUERYTARGETS_STATE); @@ -2993,7 +3001,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, iq->dp->name, iq->dp->namelen, qstate->qinfo.qclass)) { verbose(VERB_ALGO, "auth zone response bad, and no" " fallback possible, servfail"); - errinf_dname(qstate, "reponse is bad, no fallback, " + errinf_dname(qstate, "response is bad, no fallback, " "for auth zone", iq->dp->name); return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } diff --git a/libunbound/context.c b/libunbound/context.c index 9a35ce56f30f..20e3680ec3bc 100644 --- a/libunbound/context.c +++ b/libunbound/context.c @@ -392,12 +392,12 @@ struct ctx_query* context_deserialize_cancel(struct ub_ctx* ctx, uint8_t* context_serialize_quit(uint32_t* len) { - uint8_t* p = (uint8_t*)malloc(sizeof(uint32_t)); + uint32_t* p = (uint32_t*)malloc(sizeof(uint32_t)); if(!p) return NULL; *len = sizeof(uint32_t); sldns_write_uint32(p, UB_LIBCMD_QUIT); - return p; + return (uint8_t*)p; } enum ub_ctx_cmd context_serial_getcmd(uint8_t* p, uint32_t len) diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c index 275e8d25a168..31adbd54dcdb 100644 --- a/libunbound/libunbound.c +++ b/libunbound/libunbound.c @@ -109,13 +109,13 @@ static struct ub_ctx* ub_ctx_create_nopipe(void) alloc_init(&ctx->superalloc, NULL, 0); seed = (unsigned int)time(NULL) ^ (unsigned int)getpid(); if(!(ctx->seed_rnd = ub_initstate(seed, NULL))) { - seed = 0; + explicit_bzero(&seed, sizeof(seed)); ub_randfree(ctx->seed_rnd); free(ctx); errno = ENOMEM; return NULL; } - seed = 0; + explicit_bzero(&seed, sizeof(seed)); lock_basic_init(&ctx->qqpipe_lock); lock_basic_init(&ctx->rrpipe_lock); lock_basic_init(&ctx->cfglock); @@ -392,7 +392,6 @@ ub_ctx_add_ta(struct ub_ctx* ctx, const char* ta) } if(!cfg_strlist_insert(&ctx->env->cfg->trust_anchor_list, dup)) { lock_basic_unlock(&ctx->cfglock); - free(dup); return UB_NOMEM; } lock_basic_unlock(&ctx->cfglock); @@ -412,7 +411,6 @@ ub_ctx_add_ta_file(struct ub_ctx* ctx, const char* fname) } if(!cfg_strlist_insert(&ctx->env->cfg->trust_anchor_file_list, dup)) { lock_basic_unlock(&ctx->cfglock); - free(dup); return UB_NOMEM; } lock_basic_unlock(&ctx->cfglock); @@ -432,7 +430,6 @@ int ub_ctx_add_ta_autr(struct ub_ctx* ctx, const char* fname) if(!cfg_strlist_insert(&ctx->env->cfg->auto_trust_anchor_file_list, dup)) { lock_basic_unlock(&ctx->cfglock); - free(dup); return UB_NOMEM; } lock_basic_unlock(&ctx->cfglock); @@ -452,7 +449,6 @@ ub_ctx_trustedkeys(struct ub_ctx* ctx, const char* fname) } if(!cfg_strlist_insert(&ctx->env->cfg->trusted_keys_file_list, dup)) { lock_basic_unlock(&ctx->cfglock); - free(dup); return UB_NOMEM; } lock_basic_unlock(&ctx->cfglock); @@ -962,7 +958,6 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr) return UB_NOMEM; } if(!cfg_strlist_insert(&s->addrs, dupl)) { - free(dupl); lock_basic_unlock(&ctx->cfglock); errno=ENOMEM; return UB_NOMEM; @@ -1045,7 +1040,6 @@ int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr, } if(!cfg_strlist_insert(&elem->addrs, a)) { lock_basic_unlock(&ctx->cfglock); - free(a); errno = ENOMEM; return UB_NOMEM; } @@ -1233,7 +1227,6 @@ ub_ctx_hosts(struct ub_ctx* ctx, const char* fname) ins)) { lock_basic_unlock(&ctx->cfglock); fclose(in); - free(ins); errno=ENOMEM; return UB_NOMEM; } diff --git a/libunbound/libworker.c b/libunbound/libworker.c index 05006a0ec44c..065f0a7b141a 100644 --- a/libunbound/libworker.c +++ b/libunbound/libworker.c @@ -187,7 +187,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb) if(!w->is_bg || w->is_bg_thread) { lock_basic_unlock(&ctx->cfglock); } - seed = 0; + explicit_bzero(&seed, sizeof(seed)); libworker_delete(w); return NULL; } @@ -207,7 +207,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb) hash_set_raninit((uint32_t)ub_random(w->env->rnd)); } } - seed = 0; + explicit_bzero(&seed, sizeof(seed)); if(eb) w->base = comm_base_create_event(eb); diff --git a/respip/respip.c b/respip/respip.c index 135c45fe53c6..aea528f1516e 100644 --- a/respip/respip.c +++ b/respip/respip.c @@ -172,7 +172,7 @@ respip_action_cfg(struct respip_set* set, const char* ipstr, if(!(node=respip_find_or_create(set, ipstr, 1))) return 0; if(node->action != respip_none) { - log_warn("duplicate response-ip action for '%s', overridden.", + verbose(VERB_QUERY, "duplicate response-ip action for '%s', overridden.", ipstr); } if(strcmp(actnstr, "deny") == 0) diff --git a/services/authzone.c b/services/authzone.c index fe56c9f81b65..4d0dd1b5ae9c 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -218,7 +218,7 @@ msg_add_rrset_an(struct auth_zone* z, struct regional* region, { log_assert(msg->rep->ns_numrrsets == 0); log_assert(msg->rep->ar_numrrsets == 0); - if(!rrset) + if(!rrset || !node) return 1; if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, z->dclass)) @@ -242,7 +242,7 @@ msg_add_rrset_ns(struct auth_zone* z, struct regional* region, struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) { log_assert(msg->rep->ar_numrrsets == 0); - if(!rrset) + if(!rrset || !node) return 1; if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, z->dclass)) @@ -265,7 +265,7 @@ static int msg_add_rrset_ar(struct auth_zone* z, struct regional* region, struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) { - if(!rrset) + if(!rrset || !node) return 1; if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, z->dclass)) diff --git a/services/cache/infra.c b/services/cache/infra.c index 6f8fea6ad826..489f939491d7 100644 --- a/services/cache/infra.c +++ b/services/cache/infra.c @@ -1013,8 +1013,8 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, char client_ip[128]; addr_to_str((struct sockaddr_storage *)&repinfo->addr, repinfo->addrlen, client_ip, sizeof(client_ip)); - verbose(VERB_OPS, "ratelimit exceeded %s %d", client_ip, - infra_ip_ratelimit); + verbose(VERB_OPS, "ip_ratelimit exceeded %s %d", + client_ip, infra_ip_ratelimit); } return (max <= infra_ip_ratelimit); } diff --git a/services/outside_network.c b/services/outside_network.c index 87c88349b3f8..e2c59c4616dd 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -365,6 +365,11 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len) comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl); #endif pend->c->ssl_shake_state = comm_ssl_shake_write; + if(w->tls_auth_name) { +#ifdef HAVE_SSL + (void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name); +#endif + } #ifdef HAVE_SSL_SET1_HOST if(w->tls_auth_name) { SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL); @@ -374,6 +379,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len) if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) { log_err("SSL_set1_host failed"); pend->c->fd = s; + SSL_free(pend->c->ssl); + pend->c->ssl = NULL; comm_point_close(pend->c); return 0; } @@ -1261,6 +1268,13 @@ outnet_tcptimer(void* arg) } else { /* it was in use */ struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting; + if(pend->c->ssl) { +#ifdef HAVE_SSL + SSL_shutdown(pend->c->ssl); + SSL_free(pend->c->ssl); + pend->c->ssl = NULL; +#endif + } comm_point_close(pend->c); pend->query = NULL; pend->next_free = outnet->tcp_free; @@ -1979,7 +1993,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, return 0; } if(rto >= RTT_MAX_TIMEOUT) { - fallback_tcp = 1; + /* fallback_tcp = 1; */ /* UDP does not work, fallback to TCP below */ } else { serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep); diff --git a/sldns/sbuffer.h b/sldns/sbuffer.h index 2c30b3736708..2241640ddb12 100644 --- a/sldns/sbuffer.h +++ b/sldns/sbuffer.h @@ -130,7 +130,7 @@ struct sldns_buffer /** If the buffer is fixed it cannot be resized */ unsigned _fixed : 1; - /** If the buffer is vfixed, no more than capacity bytes willl be + /** If the buffer is vfixed, no more than capacity bytes will be * written to _data, however the _position counter will be updated * with the amount that would have been written in consecutive * writes. This allows for a modus operandi in which a sequence is @@ -160,7 +160,7 @@ sldns_buffer_invariant(sldns_buffer *buffer) assert(buffer != NULL); assert(buffer->_position <= buffer->_limit || buffer->_vfixed); assert(buffer->_limit <= buffer->_capacity); - assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0)); + assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0 && buffer->_limit == 0)); } #endif diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c index f398509018d9..fbd8f130f554 100644 --- a/smallapp/unbound-anchor.c +++ b/smallapp/unbound-anchor.c @@ -1097,11 +1097,14 @@ read_http_result(SSL* ssl) } if(!data) return NULL; if(verb >= 4) print_data("read data", data, (int)len); - m = BIO_new_mem_buf(data, (int)len); + m = BIO_new(BIO_s_mem()); if(!m) { if(verb) printf("out of memory\n"); + free(data); exit(0); } + BIO_write(m, data, (int)len); + free(data); return m; } @@ -1168,17 +1171,6 @@ https(struct ip_list* ip_list, const char* pathname, const char* urlname) return bio; } -/** free up a downloaded file BIO */ -static void -free_file_bio(BIO* bio) -{ - char* pp = NULL; - (void)BIO_reset(bio); - (void)BIO_get_mem_data(bio, &pp); - free(pp); - BIO_free(bio); -} - /** XML parse private data during the parse */ struct xml_data { /** the parser, reference */ @@ -1603,7 +1595,7 @@ xml_parse(BIO* xml, time_t now) xml_parse_setup(parser, &data, now); /* parse it */ - (void)BIO_reset(xml); + (void)BIO_seek(xml, 0); len = (int)BIO_get_mem_data(xml, &pp); if(!len || !pp) { if(verb) printf("out of memory\n"); @@ -1777,8 +1769,8 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) X509_VERIFY_PARAM_free(param); #endif - (void)BIO_reset(p7s); - (void)BIO_reset(data); + (void)BIO_seek(p7s, 0); + (void)BIO_seek(data, 0); /* convert p7s to p7 (the signature) */ p7 = d2i_PKCS7_bio(p7s, NULL); @@ -1956,8 +1948,8 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file, if(verb) printf("success: the anchor has been updated " "using the cert\n"); - free_file_bio(xml); - free_file_bio(p7s); + BIO_free(xml); + BIO_free(p7s); #ifndef S_SPLINT_S sk_X509_pop_free(cert, X509_free); #endif @@ -2349,7 +2341,7 @@ int main(int argc, char* argv[]) } } argc -= optind; - argv += optind; + /* argv += optind; not using further arguments */ if(argc != 0) usage(); diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c index 9e4c006f3b5d..54be62e65dc1 100644 --- a/smallapp/unbound-control.c +++ b/smallapp/unbound-control.c @@ -73,6 +73,10 @@ #include <sys/un.h> #endif +static void usage(void) ATTR_NORETURN; +static void ssl_err(const char* s) ATTR_NORETURN; +static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN; + /** Give unbound-control usage, and exit (1). */ static void usage(void) diff --git a/testcode/asynclook.c b/testcode/asynclook.c index 06bcf5ab862a..f82c6dcab71c 100644 --- a/testcode/asynclook.c +++ b/testcode/asynclook.c @@ -182,6 +182,8 @@ struct ext_thr_info { char** argv; /** number of queries to do */ int numq; + /** list of ids to free once threads are done */ + struct track_id* id_list; }; /** if true, we are testing against 'localhost' and extra checking is done */ @@ -309,6 +311,7 @@ ext_thread(void* arg) for(i=0; i<inf->numq; i++) { lock_basic_init(&async_ids[i].lock); } + inf->id_list = async_ids; } for(i=0; i<inf->numq; i++) { if(async_ids) { @@ -347,14 +350,6 @@ ext_thread(void* arg) /* if these locks are destroyed, or if the async_ids is freed, then a use-after-free happens in another thread. The allocation is only part of this test, though. */ - /* - if(async_ids) { - for(i=0; i<inf->numq; i++) { - lock_basic_destroy(&async_ids[i].lock); - } - } - free(async_ids); - */ return NULL; } @@ -375,6 +370,7 @@ ext_test(struct ub_ctx* ctx, int argc, char** argv) inf[i].argc = argc; inf[i].argv = argv; inf[i].numq = 100; + inf[i].id_list = NULL; ub_thread_create(&inf[i].tid, ext_thread, &inf[i]); } /* the work happens here */ @@ -382,6 +378,16 @@ ext_test(struct ub_ctx* ctx, int argc, char** argv) ub_thread_join(inf[i].tid); } printf("extended test end\n"); + /* free the id lists */ + for(i=0; i<NUMTHR; i++) { + if(inf[i].id_list) { + int j; + for(j=0; j<inf[i].numq; j++) { + lock_basic_destroy(&inf[i].id_list[j].lock); + } + free(inf[i].id_list); + } + } ub_ctx_delete(ctx); checklock_stop(); return 0; diff --git a/testcode/delayer.c b/testcode/delayer.c index 5489b591e337..4abcfc235dcd 100644 --- a/testcode/delayer.c +++ b/testcode/delayer.c @@ -788,7 +788,7 @@ service_tcp_relay(struct tcp_proxy** tcp_proxies, struct timeval* now, if(!tcp_relay_write(p->server_s, &p->querylist, &p->querylast, now)) delete_it = 1; - if(p->querylist && p->server_s != -1 && + if(p->querylist && dl_tv_smaller(&p->querylist->wait, now)) FD_SET(FD_SET_T p->server_s, worig); else FD_CLR(FD_SET_T p->server_s, worig); diff --git a/testcode/perf.c b/testcode/perf.c index d11357c4acaa..32a5307edb15 100644 --- a/testcode/perf.c +++ b/testcode/perf.c @@ -610,7 +610,7 @@ int main(int argc, char* argv[]) case 'd': if(atoi(optarg)==0 && strcmp(optarg, "0")!=0) { printf("-d not a number %s", optarg); - return 1; + exit(1); } info.duration = atoi(optarg); break; @@ -635,11 +635,11 @@ int main(int argc, char* argv[]) } if(!extstrtoaddr(argv[0], &info.dest, &info.destlen)) { printf("Could not parse ip: %s\n", argv[0]); - return 1; + exit(1); } if(info.qlist_size == 0) { printf("No queries to make, use -f or -a.\n"); - return 1; + exit(1); } /* do the performance test */ diff --git a/testcode/petal.c b/testcode/petal.c index 1c26fa700346..e1f5f43417e3 100644 --- a/testcode/petal.c +++ b/testcode/petal.c @@ -417,7 +417,7 @@ provide_file_10(SSL* ssl, char* fname) } fclose(in); at += len; - avail -= len; + /* avail -= len; unused */ if(SSL_write(ssl, buf, at-buf) <= 0) { /* write failure */ } @@ -506,7 +506,7 @@ provide_file_chunked(SSL* ssl, char* fname) snprintf(at, avail, "\r\n"); r = strlen(at); at += r; - avail -= r; + /* avail -= r; unused */ } /* send chunk */ if(SSL_write(ssl, buf, at-buf) <= 0) { @@ -569,7 +569,9 @@ do_service(char* addr, int port, char* key, char* cert) while(go) { struct sockaddr_storage from; socklen_t flen = (socklen_t)sizeof(from); - int s = accept(fd, (struct sockaddr*)&from, &flen); + int s; + memset(&from, 0, sizeof(from)); + s = accept(fd, (struct sockaddr*)&from, &flen); if(verb) fflush(stdout); if(s != -1) { SSL* ssl = setup_ssl(s, sslctx); @@ -633,7 +635,7 @@ int main(int argc, char* argv[]) } } argc -= optind; - argv += optind; + /* argv += optind; not using further arguments */ if(argc != 0) usage(); diff --git a/testcode/replay.c b/testcode/replay.c index 08d87470bd00..93a600425ca1 100644 --- a/testcode/replay.c +++ b/testcode/replay.c @@ -458,6 +458,8 @@ replay_scenario_read(FILE* in, const char* name, int* lineno) if(parse_keyword(&parse, ";")) continue; /* comment */ if(parse_keyword(&parse, "SCENARIO_BEGIN")) { + if(scen) + fatal_exit("%d: double SCENARIO_BEGIN", *lineno); scen = make_scenario(parse); if(!scen) fatal_exit("%d: could not make scen", *lineno); @@ -801,14 +803,19 @@ macro_expand(rbtree_type* store, struct replay_runtime* runtime, char** text) /* check for functions */ if(strcmp(buf, "time") == 0) { - snprintf(buf, sizeof(buf), ARG_LL "d", (long long)runtime->now_secs); + if(runtime) + snprintf(buf, sizeof(buf), ARG_LL "d", (long long)runtime->now_secs); + else + snprintf(buf, sizeof(buf), ARG_LL "d", (long long)0); *text += len; return strdup(buf); } else if(strcmp(buf, "timeout") == 0) { time_t res = 0; - struct fake_timer* t = first_timer(runtime); - if(t && (time_t)t->tv.tv_sec >= runtime->now_secs) - res = (time_t)t->tv.tv_sec - runtime->now_secs; + if(runtime) { + struct fake_timer* t = first_timer(runtime); + if(t && (time_t)t->tv.tv_sec >= runtime->now_secs) + res = (time_t)t->tv.tv_sec - runtime->now_secs; + } snprintf(buf, sizeof(buf), ARG_LL "d", (long long)res); *text += len; return strdup(buf); diff --git a/testcode/testbound.c b/testcode/testbound.c index 071ac9c2a5b4..cea74c593540 100644 --- a/testcode/testbound.c +++ b/testcode/testbound.c @@ -429,14 +429,14 @@ main(int argc, char* argv[]) case 'h': default: testbound_usage(); - return 1; + exit(1); } } argc -= optind; - argv += optind; + /* argv += optind; not using further arguments */ if(argc != 0) { testbound_usage(); - return 1; + exit(1); } log_info("Start of %s testbound program.", PACKAGE_STRING); if(atexit(&remove_configfile) != 0) diff --git a/testcode/testpkts.c b/testcode/testpkts.c index ec0f7fe2449a..01f23e48ed2e 100644 --- a/testcode/testpkts.c +++ b/testcode/testpkts.c @@ -46,6 +46,7 @@ enum verbosity_value { NO_VERBOSE=0 }; #endif /** logging routine, provided by caller */ void verbose(enum verbosity_value lvl, const char* msg, ...) ATTR_FORMAT(printf, 2, 3); +static void error(const char* msg, ...) ATTR_NORETURN; /** print error and exit */ static void error(const char* msg, ...) diff --git a/testcode/unitneg.c b/testcode/unitneg.c index 4cd9b306c72e..59c4e8dcc643 100644 --- a/testcode/unitneg.c +++ b/testcode/unitneg.c @@ -118,6 +118,8 @@ static void get_random_data(char** fromp, char** top, char* zname) int labnum1[10], labnum2[10]; int i; char* p; + memset(labnum1, 0, sizeof(int)*10); + memset(labnum2, 0, sizeof(int)*10); *fromp = buf1; *top = buf2; diff --git a/testdata/clang-analysis.tdir/clang-analysis.dsc b/testdata/clang-analysis.tdir/clang-analysis.dsc new file mode 100644 index 000000000000..20a62a3e314c --- /dev/null +++ b/testdata/clang-analysis.tdir/clang-analysis.dsc @@ -0,0 +1,15 @@ +BaseName: clang-analysis +Version: 1.0 +Description: clang analysis +CreationDate: Wed 12 Sep 16:00:26 CEST 2018 +Maintainer: Wouter Wijngaards +Category: +Component: +Depends: +Help: +Pre: +Post: +Test: clang-analysis.test +AuxFiles: +Passed: +Failure: diff --git a/testdata/clang-analysis.tdir/clang-analysis.test b/testdata/clang-analysis.tdir/clang-analysis.test new file mode 100644 index 000000000000..de29bb525dbc --- /dev/null +++ b/testdata/clang-analysis.tdir/clang-analysis.test @@ -0,0 +1,69 @@ +# #-- clang-analysis.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test +# common functions +. ../common.sh + +if test ! -x "`which clang 2>&1`"; then + echo "No clang in path" + exit 0 +fi +#echo "have clang" + +# read value from Makefile +# $1: result variable name +# $2: string on Makefile +# $3: Makefile location +read_value () { + x=`grep "$2" $3 | sed -e "s/$2//"` + eval $1="'""$x""'" + # print what we just read + #echo $1"="'"'"`eval echo '$'$1`"'"' +} + +PRE="../.." +# read some values from the Makefile +read_value srcdir '^srcdir=' $PRE/Makefile +read_value CPPFLAGS '^CPPFLAGS=' $PRE/Makefile +read_value LIBOBJS '^LIBOBJS= *' $PRE/Makefile +read_value DNSCRYPT_SRC '^DNSCRYPT_SRC= *' $PRE/Makefile +read_value DNSTAP_SRC '^DNSTAP_SRC= *' $PRE/Makefile +read_value WITH_PYTHONMODULE '^WITH_PYTHONMODULE= *' $PRE/Makefile +read_value WINAPPS '^WINAPPS= *' $PRE/Makefile + +#echo dir is $dir +# turn libobjs into C files +compatfiles=`echo "$LIBOBJS" | sed -e 's?..LIBOBJDIR.?compat/?g' -e 's/.U.o/.c/g'` +#echo compatfiles are $compatfiles +#echo +if test "$WITH_PYTHONMODULE" = "yes"; then PYTHONMOD_SRC="pythonmod/*.c"; fi +if test ! -z "$WINAPPS"; then WIN_SRC="winrc/*.c"; fi + +cd $PRE; cd $srcdir +# check the files in the srcdir +fail="no" +for x in cachedb/*.c daemon/*.c dns64/*.c $DNSCRYPT_SRC $DNSTAP_SRC edns-subnet/*.c ipsecmod/*.c iterator/*.c libunbound/*.c $PYTHONMOD_SRC respip/*.c services/*.c services/*/*.c sldns/*.c smallapp/*.c util/*.c util/*/*.c validator/*.c $WIN_SRC $compatfiles testcode/*.c; do + if test "$x" = "util/configlexer.c"; then continue; fi + if test "$x" = "util/configparser.c"; then continue; fi + if test "$x" = "testcode/signit.c"; then continue; fi + echo clang --analyze $CPPFLAGS $x + plist=`basename $x .c`.plist + rm -rf $plist + clang --analyze $CPPFLAGS $x 2>&1 | tee tmp.$$ + if grep -e warning -e error tmp.$$ >/dev/null; then + fail="yes" + fails="$fails $x" + fi + rm -rf $plist tmp.$$ +done + +echo +if test "$fail" = "yes"; then + echo "Failures" + echo "create reports in file.plist dir with clang --analyze --analyzer-output html $CPPFLAGS""$fails" + exit 1 +fi +echo "OK" +exit 0 diff --git a/testdata/dlv_ask_higher.rpl b/testdata/dlv_ask_higher.rpl index 51ac3d24aaee..fad8355c803b 100644 --- a/testdata/dlv_ask_higher.rpl +++ b/testdata/dlv_ask_higher.rpl @@ -16,7 +16,7 @@ CONFIG_END SCENARIO_BEGIN Test validator with DLV where it needs to ask higher up in dlv. ; at first negative DLV response, it needs to ask higher. -; the SOA record in that negative reponse has a big span (if interpreted as NSEC) +; the SOA record in that negative response has a big span (if interpreted as NSEC) ; then a positive response for DLV. ; K.ROOT-SERVERS.NET. diff --git a/util/config_file.c b/util/config_file.c index 5dffa37ebb5a..2568af2eb5b5 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -841,6 +841,7 @@ config_get_option(struct config_file* cfg, const char* opt, { char buf[1024], nopt[64]; size_t len = sizeof(buf); + if(!opt) return 0; if(opt && opt[strlen(opt)-1] == ':' && strlen(opt)<sizeof(nopt)) { memmove(nopt, opt, strlen(opt)); nopt[strlen(opt)-1] = 0; @@ -1526,11 +1527,15 @@ int ub_c_wrap(void) int cfg_strlist_append(struct config_strlist_head* list, char* item) { struct config_strlist *s; - if(!item || !list) + if(!item || !list) { + free(item); return 0; + } s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist)); - if(!s) + if(!s) { + free(item); return 0; + } s->str = item; s->next = NULL; if(list->last) @@ -1578,11 +1583,15 @@ int cfg_strlist_insert(struct config_strlist** head, char* item) { struct config_strlist *s; - if(!item || !head) + if(!item || !head) { + free(item); return 0; + } s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist)); - if(!s) + if(!s) { + free(item); return 0; + } s->str = item; s->next = *head; *head = s; @@ -1593,11 +1602,17 @@ int cfg_str2list_insert(struct config_str2list** head, char* item, char* i2) { struct config_str2list *s; - if(!item || !i2 || !head) + if(!item || !i2 || !head) { + free(item); + free(i2); return 0; + } s = (struct config_str2list*)calloc(1, sizeof(struct config_str2list)); - if(!s) + if(!s) { + free(item); + free(i2); return 0; + } s->str = item; s->str2 = i2; s->next = *head; diff --git a/util/config_file.h b/util/config_file.h index d1bce1b69be4..8c630b8a109c 100644 --- a/util/config_file.h +++ b/util/config_file.h @@ -792,6 +792,7 @@ char* config_collate_cat(struct config_strlist* list); * @param list: list head. zeroed at start. * @param item: new item. malloced by caller. if NULL the insertion fails. * @return true on success. + * on fail the item is free()ed. */ int cfg_strlist_append(struct config_strlist_head* list, char* item); @@ -809,6 +810,7 @@ struct config_strlist* cfg_strlist_find(struct config_strlist* head, * @param head: pointer to strlist head variable. * @param item: new item. malloced by caller. If NULL the insertion fails. * @return: true on success. + * on fail, the item is free()d. */ int cfg_strlist_insert(struct config_strlist** head, char* item); @@ -822,6 +824,7 @@ int cfg_region_strlist_insert(struct regional* region, * @param item: new item. malloced by caller. If NULL the insertion fails. * @param i2: 2nd string, malloced by caller. If NULL the insertion fails. * @return: true on success. + * on fail, the item and i2 are free()d. */ int cfg_str2list_insert(struct config_str2list** head, char* item, char* i2); diff --git a/util/data/msgencode.c b/util/data/msgencode.c index aab7f5dfecba..6bc3216ff9e9 100644 --- a/util/data/msgencode.c +++ b/util/data/msgencode.c @@ -647,8 +647,6 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep, sldns_buffer_clear(buffer); if(udpsize < sldns_buffer_limit(buffer)) sldns_buffer_set_limit(buffer, udpsize); - else if(sldns_buffer_limit(buffer) < udpsize) - udpsize = sldns_buffer_limit(buffer); if(sldns_buffer_remaining(buffer) < LDNS_HEADER_SIZE) return 0; diff --git a/util/data/msgreply.c b/util/data/msgreply.c index 540d7d4b3dec..45d42a87f458 100644 --- a/util/data/msgreply.c +++ b/util/data/msgreply.c @@ -441,10 +441,14 @@ parse_create_msg(sldns_buffer* pkt, struct msg_parse* msg, return 0; if(!parse_create_repinfo(msg, rep, region)) return 0; - if(!reply_info_alloc_rrset_keys(*rep, alloc, region)) + if(!reply_info_alloc_rrset_keys(*rep, alloc, region)) { + if(!region) reply_info_parsedelete(*rep, alloc); return 0; - if(!parse_copy_decompress(pkt, msg, *rep, region)) + } + if(!parse_copy_decompress(pkt, msg, *rep, region)) { + if(!region) reply_info_parsedelete(*rep, alloc); return 0; + } return 1; } diff --git a/util/iana_ports.inc b/util/iana_ports.inc index 55d041e4084a..e24322931326 100644 --- a/util/iana_ports.inc +++ b/util/iana_ports.inc @@ -4860,6 +4860,7 @@ 8800, 8804, 8805, +8807, 8808, 8873, 8880, diff --git a/util/log.h b/util/log.h index 7bc3d9e76152..f73c0754d657 100644 --- a/util/log.h +++ b/util/log.h @@ -174,7 +174,7 @@ void log_buf(enum verbosity_value level, const char* msg, struct sldns_buffer* b * Pass printf formatted arguments. No trailing newline is needed. * @param format: printf-style format string. Arguments follow. */ -void fatal_exit(const char* format, ...) ATTR_FORMAT(printf, 1, 2); +void fatal_exit(const char* format, ...) ATTR_FORMAT(printf, 1, 2) ATTR_NORETURN; /** * va_list argument version of log_info. diff --git a/validator/autotrust.c b/validator/autotrust.c index a34a7c96c814..a72967302df1 100644 --- a/validator/autotrust.c +++ b/validator/autotrust.c @@ -718,6 +718,7 @@ packed_rrset_heap_data(int iter(struct autr_ta**, uint8_t**, size_t*, list_i = list; i = 0; while(iter(&list_i, &rr, &rr_len, &dname_len)) { + log_assert(data->rr_data[i]); memmove(data->rr_data[i], sldns_wirerr_get_rdatawl(rr, rr_len, dname_len), data->rr_len[i]); diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c index 773ed30cde5d..763b5ab7c767 100644 --- a/validator/val_nsec3.c +++ b/validator/val_nsec3.c @@ -520,6 +520,10 @@ nsec3_hash_cmp(const void* c1, const void* c2) } (void)nsec3_get_salt(h1->nsec3, h1->rr, &s1, &s1len); (void)nsec3_get_salt(h2->nsec3, h2->rr, &s2, &s2len); + if(s1len == 0 && s2len == 0) + return 0; + if(!s1) return -1; + if(!s2) return 1; if(s1len != s2len) { if(s1len < s2len) return -1; @@ -736,7 +740,7 @@ find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt, size_t i_rs; int i_rr; struct ub_packed_rrset_key* s; - struct nsec3_cached_hash* hash; + struct nsec3_cached_hash* hash = NULL; int r; /* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */ @@ -748,7 +752,7 @@ find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt, if(r == 0) { log_err("nsec3: malloc failure"); break; /* alloc failure */ - } else if(r < 0) + } else if(r != 1) continue; /* malformed NSEC3 */ else if(nsec3_hash_matches_owner(flt, hash, s)) { *rrset = s; /* rrset with this name */ @@ -829,7 +833,7 @@ find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt, size_t i_rs; int i_rr; struct ub_packed_rrset_key* s; - struct nsec3_cached_hash* hash; + struct nsec3_cached_hash* hash = NULL; int r; /* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */ @@ -841,7 +845,7 @@ find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt, if(r == 0) { log_err("nsec3: malloc failure"); break; /* alloc failure */ - } else if(r < 0) + } else if(r != 1) continue; /* malformed NSEC3 */ else if(nsec3_covers(flt->zone, hash, s, i_rr, env->scratch_buffer)) { diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index 95200a48b61b..0613316c9088 100644 --- a/validator/val_secalgo.c +++ b/validator/val_secalgo.c @@ -77,6 +77,22 @@ int fake_dsa = 0; /** fake SHA1 support for unit tests */ int fake_sha1 = 0; +/** + * Output a libcrypto openssl error to the logfile. + * @param str: string to add to it. + * @param e: the error to output, error number from ERR_get_error(). + */ +static void +log_crypto_error(const char* str, unsigned long e) +{ + char buf[128]; + /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ + ERR_error_string_n(e, buf, sizeof(buf)); + /* buf now contains */ + /* error:[error code]:[library name]:[function name]:[reason string] */ + log_err("%s crypto %s", str, buf); +} + /* return size of digest if supported, or 0 otherwise */ size_t nsec3_hash_algo_size_supported(int id) @@ -96,7 +112,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, { switch(algo) { case NSEC3_HASH_SHA1: +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha1())) + log_crypto_error("could not digest with EVP_sha1", + ERR_get_error()); +#else (void)SHA1(buf, len, res); +#endif return 1; default: return 0; @@ -106,7 +128,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, void secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) { +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha256())) + log_crypto_error("could not digest with EVP_sha256", + ERR_get_error()); +#else (void)SHA256(buf, len, res); +#endif } /** @@ -165,12 +193,24 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, switch(algo) { #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) case LDNS_SHA1: +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha1())) + log_crypto_error("could not digest with EVP_sha1", + ERR_get_error()); +#else (void)SHA1(buf, len, res); +#endif return 1; #endif #ifdef HAVE_EVP_SHA256 case LDNS_SHA256: +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha256())) + log_crypto_error("could not digest with EVP_sha256", + ERR_get_error()); +#else (void)SHA256(buf, len, res); +#endif return 1; #endif #ifdef USE_GOST @@ -181,7 +221,13 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, #endif #ifdef USE_ECDSA case LDNS_SHA384: +#ifdef OPENSSL_FIPS + if(!sldns_digest_evp(buf, len, res, EVP_sha384())) + log_crypto_error("could not digest with EVP_sha384", + ERR_get_error()); +#else (void)SHA384(buf, len, res); +#endif return 1; #endif default: @@ -248,22 +294,6 @@ dnskey_algo_id_is_supported(int id) } } -/** - * Output a libcrypto openssl error to the logfile. - * @param str: string to add to it. - * @param e: the error to output, error number from ERR_get_error(). - */ -static void -log_crypto_error(const char* str, unsigned long e) -{ - char buf[128]; - /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ - ERR_error_string_n(e, buf, sizeof(buf)); - /* buf now contains */ - /* error:[error code]:[library name]:[function name]:[reason string] */ - log_err("%s crypto %s", str, buf); -} - #ifdef USE_DSA /** * Setup DSA key digest in DER encoding ... |