author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-10-10 07:55:06 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-10-10 07:55:06 +0000 |
commit | 4c75e3aa0f1368f18240b8bfd0e1e88f64994a1c (patch) | |
tree | 309e2fdf691ad4bcd9c3610746927c1cc299580e /contrib/unbound/smallapp | |
parent | ceb68e4a7c9289b7635055593b02d05612e57c29 (diff) | |
parent | dcaa814d350c5ee7deb2164502a24f2f698b9799 (diff) | |
download | src-4c75e3aa0f1368f18240b8bfd0e1e88f64994a1c.tar.gz src-4c75e3aa0f1368f18240b8bfd0e1e88f64994a1c.zip |
Upgrade Unbound to 1.8.0. More to follow.
Approved by: re (kib)
Notes
Notes:
svn path=/head/; revision=339275
Diffstat (limited to 'contrib/unbound/smallapp')
-rw-r--r-- | contrib/unbound/smallapp/unbound-anchor.c | 66 | ||||
-rw-r--r-- | contrib/unbound/smallapp/unbound-checkconf.c | 61 | ||||
-rw-r--r-- | contrib/unbound/smallapp/unbound-control.c | 36 | ||||
-rw-r--r-- | contrib/unbound/smallapp/unbound-host.c | 8 | ||||
-rw-r--r-- | contrib/unbound/smallapp/worker_cb.c | 6 |
5 files changed, 147 insertions, 30 deletions
diff --git a/contrib/unbound/smallapp/unbound-anchor.c b/contrib/unbound/smallapp/unbound-anchor.c index 6d86ba8fe730..dea674003a35 100644 --- a/contrib/unbound/smallapp/unbound-anchor.c +++ b/contrib/unbound/smallapp/unbound-anchor.c @@ -192,9 +192,10 @@ usage(void) printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER); printf("-4 work using IPv4 only\n"); printf("-6 work using IPv6 only\n"); - printf("-f resolv.conf use given resolv.conf to resolve -u name\n"); - printf("-r root.hints use given root.hints to resolve -u name\n" + printf("-f resolv.conf use given resolv.conf\n"); + printf("-r root.hints use given root.hints\n" " builtin root hints are used by default\n"); + printf("-R fallback from -f to root query on error\n"); printf("-v more verbose\n"); printf("-C conf debug, read config\n"); printf("-P port use port for https connect, default 443\n"); @@ -1913,8 +1914,7 @@ static int do_certupdate(const char* root_anchor_file, const char* root_cert_file, const char* urlname, const char* xmlname, const char* p7sname, const char* p7signer, const char* res_conf, const char* root_hints, - const char* debugconf, int ip4only, int ip6only, int port, - struct ub_result* dnskey) + const char* debugconf, int ip4only, int ip6only, int port) { STACK_OF(X509)* cert; BIO *xml, *p7s; @@ -1954,7 +1954,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file, #ifndef S_SPLINT_S sk_X509_pop_free(cert, X509_free); #endif - ub_resolve_free(dnskey); ip_list_free(ip_list); return 1; } 
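Review bot: The new usage line `-R fallback from -f to root query on error` understates when the fallback fires: in the later do_root_update_work hunk the retry is gated on `!dnskey->secure`, so an answer that comes back NOERROR from the resolv.conf resolver but fails DNSSEC validation also triggers the direct root query. Suggest `printf("-R fallback from -f to root query if the answer is not secure\n");` so operators understand that -R routes around the configured resolver on a validation failure as well, not only on a lookup error. The dropped `ub_resolve_free(dnskey)` in do_certupdate also moves ownership of the result back to the caller; if the function's doc comment above this hunk (outside view) mentions dnskey, it should be updated with the signature.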
@@ -2192,16 +2191,33 @@ probe_date_allows_certupdate(const char* root_anchor_file) return 0; } +static struct ub_result * +fetch_root_key(const char* root_anchor_file, const char* res_conf, + const char* root_hints, const char* debugconf, + int ip4only, int ip6only) +{ + struct ub_ctx* ctx; + struct ub_result* dnskey; + + ctx = create_unbound_context(res_conf, root_hints, debugconf, + ip4only, ip6only); + add_5011_probe_root(ctx, root_anchor_file); + dnskey = prime_root_key(ctx); + ub_ctx_delete(ctx); + return dnskey; +} + /** perform the unbound-anchor work */ static int do_root_update_work(const char* root_anchor_file, const char* root_cert_file, const char* urlname, const char* xmlname, const char* p7sname, const char* p7signer, const char* res_conf, const char* root_hints, - const char* debugconf, int ip4only, int ip6only, int force, int port) + const char* debugconf, int ip4only, int ip6only, int force, + int res_conf_fallback, int port) { - struct ub_ctx* ctx; struct ub_result* dnskey; int used_builtin = 0; + int rcode; /* see if builtin rootanchor needs to be provided, or if * rootanchor is 'revoked-trust-point' */ 
@@ -2210,12 +2226,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file, /* make unbound context with 5011-probe for root anchor, * and probe . DNSKEY */ - ctx = create_unbound_context(res_conf, root_hints, debugconf, - ip4only, ip6only); - add_5011_probe_root(ctx, root_anchor_file); - dnskey = prime_root_key(ctx); - ub_ctx_delete(ctx); - + dnskey = fetch_root_key(root_anchor_file, res_conf, + root_hints, debugconf, ip4only, ip6only); + rcode = dnskey->rcode; + + if (res_conf_fallback && res_conf && !dnskey->secure) { + if (verb) printf("%s failed, retrying direct\n", res_conf); + ub_resolve_free(dnskey); + /* try direct query without res_conf */ + dnskey = fetch_root_key(root_anchor_file, NULL, + root_hints, debugconf, ip4only, ip6only); + if (rcode != 0 && dnskey->rcode == 0) { + res_conf = NULL; + rcode = 0; + } + } + /* if secure: exit */ if(dnskey->secure && !force) { if(verb) printf("success: the anchor is ok\n"); @@ -2223,18 +2249,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file, return used_builtin; } if(force && verb) printf("debug cert update forced\n"); + ub_resolve_free(dnskey); /* if not (and NOERROR): check date and do certupdate */ - if((dnskey->rcode == 0 && + if((rcode == 0 && probe_date_allows_certupdate(root_anchor_file)) || force) { if(do_certupdate(root_anchor_file, root_cert_file, urlname, xmlname, p7sname, p7signer, res_conf, root_hints, - debugconf, ip4only, ip6only, port, dnskey)) + debugconf, ip4only, ip6only, port)) return 1; return used_builtin; } if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n"); - ub_resolve_free(dnskey); return used_builtin; } 
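Review bot: After the -R retry, `rcode` and `dnskey` can describe different queries: `rcode` is refreshed only when the first attempt failed and the retry returned 0, so when the first query was NOERROR but insecure and the retry errors out, the later gate `if((rcode == 0 && probe_date_allows_certupdate(root_anchor_file)) || force)` still sees 0 while `dnskey` holds the failed retry. If that is intended (keep the original resolver's verdict and res_conf when the fallback did not help), a comment next to `if (rcode != 0 && dnskey->rcode == 0)` saying so would stop the next reader from "fixing" it; otherwise set `rcode = dnskey->rcode;` from whichever result is kept. `rcode = dnskey->rcode;` also dereferences the result with no NULL check, which is safe only if fetch_root_key/prime_root_key never return NULL — the pre-existing `dnskey->secure` test carried the same assumption, so this is not new. fetch_root_key in the previous hunk lacks the `/** ... */` comment the file's other static helpers carry; something like `/** probe the root DNSKEY with the 5011 anchor loaded; caller frees the result with ub_resolve_free */` matches the local style.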
@@ -2257,8 +2283,9 @@ int main(int argc, char* argv[]) const char* root_hints = NULL; const char* debugconf = NULL; int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; + int res_conf_fallback = 0; /* parse the options */ - while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) { + while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) { switch(c) { case 'l': dolist = 1; @@ -2293,6 +2320,9 @@ int main(int argc, char* argv[]) case 'r': root_hints = optarg; break; + case 'R': + res_conf_fallback = 1; + break; case 'C': debugconf = optarg; break; @@ -2339,5 +2369,5 @@ int main(int argc, char* argv[]) return do_root_update_work(root_anchor_file, root_cert_file, urlname, xmlname, p7sname, p7signer, res_conf, root_hints, debugconf, - ip4only, ip6only, force, port); + ip4only, ip6only, force, res_conf_fallback, port); } diff --git a/contrib/unbound/smallapp/unbound-checkconf.c b/contrib/unbound/smallapp/unbound-checkconf.c index 9bd7d6a39cb6..b9fd1198a9d5 100644 --- a/contrib/unbound/smallapp/unbound-checkconf.c +++ b/contrib/unbound/smallapp/unbound-checkconf.c @@ -43,6 +43,7 @@ */ #include "config.h" +#include <ctype.h> #include "util/log.h" #include "util/config_file.h" #include "util/module.h" @@ -252,6 +253,23 @@ aclchecks(struct config_file* cfg) } } +/** check tcp connection limit ips */ +static void +tcpconnlimitchecks(struct config_file* cfg) +{ + int d; + struct sockaddr_storage a; + socklen_t alen; + struct config_str2list* tcl; + for(tcl=cfg->tcp_connection_limits; tcl; tcl = tcl->next) { + if(!netblockstrtoaddr(tcl->str, UNBOUND_DNS_PORT, &a, &alen, + &d)) { + fatal_exit("cannot parse tcp connection limit address %s %s", + tcl->str, tcl->str2); + } + } +} + /** true if fname is a file */ static int is_file(const char* fname) 
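Review bot: tcpconnlimitchecks validates only the netblock in `tcl->str`; the second element of the pair, `tcl->str2`, is echoed in the error message but never checked, so if it holds the connection limit (the name suggests so, but the parser is outside this hunk) a non-numeric or negative value would still pass unbound-checkconf and only be rejected, or silently read as 0, when the daemon applies it. Consider rejecting it here too, e.g. `if(atoi(tcl->str2) < 0) fatal_exit("tcp connection limit must be >= 0: %s %s", tcl->str, tcl->str2);`, so the check tool and the daemon agree. The parsed `a`, `alen` and `d` are write-only scratch, which is fine for a validation pass but worth a one-line comment such as `/* parse only; the values are discarded */`.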
@@ -373,6 +391,44 @@ ecs_conf_checks(struct config_file* cfg) } #endif /* CLIENT_SUBNET */ +/** check that the modules exist, are compiled in */ +static void +check_modules_exist(const char* module_conf) +{ + const char** names = module_list_avail(); + const char* s = module_conf; + while(*s) { + int i = 0; + int is_ok = 0; + while(*s && isspace((unsigned char)*s)) + s++; + if(!*s) break; + while(names[i]) { + if(strncmp(names[i], s, strlen(names[i])) == 0) { + is_ok = 1; + break; + } + i++; + } + if(is_ok == 0) { + char n[64]; + size_t j; + n[0]=0; + n[sizeof(n)-1]=0; + for(j=0; j<sizeof(n)-1; j++) { + if(!s[j] || isspace((unsigned char)s[j])) { + n[j] = 0; + break; + } + n[j] = s[j]; + } + fatal_exit("module_conf lists module '%s' but that " + "module is not available.", n); + } + s += strlen(names[i]); + } +} + /** check configuration for errors */ static void morechecks(struct config_file* cfg, const char* fname) @@ -381,6 +437,7 @@ morechecks(struct config_file* cfg, const char* fname) warn_hosts("forward-host", cfg->forwards); interfacechecks(cfg); aclchecks(cfg); + tcpconnlimitchecks(cfg); if(cfg->verbosity < 0) fatal_exit("verbosity value < 0"); @@ -465,6 +522,9 @@ morechecks(struct config_file* cfg, const char* fname) free(cfg->chrootdir); cfg->chrootdir = NULL; + /* check that the modules listed in module_conf exist */ + check_modules_exist(cfg->module_conf); + /* There should be no reason for 'respip' module not to work with * dns64, but it's not explicitly confirmed, so the combination is * excluded below. It's simply unknown yet for the combination of 
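Review bot: In check_modules_exist the match `strncmp(names[i], s, strlen(names[i])) == 0` only tests that an available module name is a prefix of the token, so a module_conf entry such as `validatorx` is accepted as `validator` and the leftover `x` is then reported as the missing module, which is a confusing diagnostic; should one available name ever be a prefix of another, the wrong module could be accepted outright. Require the token to end after the name: `size_t l = strlen(names[i]); if(strncmp(names[i], s, l) == 0 && (!s[l] || isspace((unsigned char)s[l]))) {`. The `n[64]` copy loop already bounds the echoed name, so the fatal_exit path is fine as written.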
@@ -511,7 +571,6 @@ morechecks(struct config_file* cfg, const char* fname) #if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET) && strcmp(cfg->module_conf, "python subnetcache iterator") != 0 && strcmp(cfg->module_conf, "subnetcache python iterator") != 0 - && strcmp(cfg->module_conf, "subnetcache validator iterator") != 0 && strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0 && strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0 && strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0 diff --git a/contrib/unbound/smallapp/unbound-control.c b/contrib/unbound/smallapp/unbound-control.c index c02249875ccf..408571944d7a 100644 --- a/contrib/unbound/smallapp/unbound-control.c +++ b/contrib/unbound/smallapp/unbound-control.c @@ -143,6 +143,8 @@ usage(void) printf(" ip_ratelimit_list [+a] list ratelimited ip addresses\n"); printf(" +a list all, also not ratelimited\n"); printf(" list_auth_zones list auth zones\n"); + printf(" auth_zone_reload zone reload auth zone from zonefile\n"); + printf(" auth_zone_transfer zone transfer auth zone from master\n"); printf(" view_list_local_zones view list local-zones in view\n"); printf(" view_list_local_data view list local-data RRs in view\n"); printf(" view_local_zone view name type add local-zone in view\n"); @@ -319,6 +321,7 @@ static void print_extended(struct ub_stats_info* s) /* transport */ PR_UL("num.query.tcp", s->svr.qtcp); PR_UL("num.query.tcpout", s->svr.qtcp_outgoing); + PR_UL("num.query.tls", s->svr.qtls); PR_UL("num.query.ipv6", s->svr.qipv6); /* flags */ 
@@ -371,6 +374,10 @@ static void print_extended(struct ub_stats_info* s) #endif /* USE_DNSCRYPT */ PR_UL("num.query.authzone.up", s->svr.num_query_authzone_up); PR_UL("num.query.authzone.down", s->svr.num_query_authzone_down); +#ifdef CLIENT_SUBNET + PR_UL("num.query.subnet", s->svr.num_query_subnet); + PR_UL("num.query.subnet_cache", s->svr.num_query_subnet_cache); +#endif } /** print statistics out of memory structures */ @@ -444,6 +451,22 @@ static void ssl_err(const char* s) exit(1); } +/** exit with ssl error related to a file path */ +static void ssl_path_err(const char* s, const char *path) +{ + unsigned long err; + err = ERR_peek_error(); + if (ERR_GET_LIB(err) == ERR_LIB_SYS && + (ERR_GET_FUNC(err) == SYS_F_FOPEN || + ERR_GET_FUNC(err) == SYS_F_FREAD) ) { + fprintf(stderr, "error: %s\n%s: %s\n", + s, path, ERR_reason_error_string(err)); + exit(1); + } else { + ssl_err(s); + } +} + /** setup SSL context */ static SSL_CTX* setup_ctx(struct config_file* cfg) @@ -467,12 +490,15 @@ setup_ctx(struct config_file* cfg) if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) != SSL_OP_NO_SSLv3) ssl_err("could not set SSL_OP_NO_SSLv3"); - if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) || - !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) - || !SSL_CTX_check_private_key(ctx)) - ssl_err("Error setting up SSL_CTX client key and cert"); + if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert)) + ssl_path_err("Error setting up SSL_CTX client cert", c_cert); + if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)) + ssl_path_err("Error setting up SSL_CTX client key", c_key); + if (!SSL_CTX_check_private_key(ctx)) + ssl_err("Error setting up SSL_CTX client key"); if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) - ssl_err("Error setting up SSL_CTX verify, server cert"); + ssl_path_err("Error setting up SSL_CTX verify, server cert", + s_cert); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); free(s_cert); 
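Review bot: `ssl_path_err` passes `ERR_reason_error_string(err)` straight to `%s`, and that function returns NULL when no reason string is registered for the code, which is undefined behaviour in fprintf; guard it with `const char* r = ERR_reason_error_string(err);` and print `r ? r : "unknown error"`. The `ERR_GET_FUNC`/`SYS_F_FOPEN` test is tied to the error-code layout of the OpenSSL of the day — newer releases deprecate function codes, at which point the branch silently degrades to `ssl_err(s)` — so a short comment such as `/* add the file path when the failure came from opening/reading it */` would explain why the classification exists when it stops matching. Splitting the certificate, key and check_private_key calls into separate messages makes the failing file identifiable, which is the useful part of this hunk.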
diff --git a/contrib/unbound/smallapp/unbound-host.c b/contrib/unbound/smallapp/unbound-host.c index cd1ffe3351d2..f02511fe5613 100644 --- a/contrib/unbound/smallapp/unbound-host.c +++ b/contrib/unbound/smallapp/unbound-host.c @@ -82,9 +82,8 @@ static int verb = 0; static void usage(void) { - printf("Usage: unbound-host [-vdhr46] [-c class] [-t type] hostname\n"); - printf(" [-y key] [-f keyfile] [-F namedkeyfile]\n"); - printf(" [-C configfile]\n"); + printf("Usage: unbound-host [-C configfile] [-vdhr46] [-c class] [-t type]\n"); + printf(" [-y key] [-f keyfile] [-F namedkeyfile] hostname\n"); printf(" Queries the DNS for information.\n"); printf(" The hostname is looked up for IP4, IP6 and mail.\n"); printf(" If an ip-address is given a reverse lookup is done.\n"); @@ -98,6 +97,8 @@ usage(void) printf(" -f keyfile read trust anchors from file, with lines as -y.\n"); printf(" -F keyfile read named.conf-style trust anchors.\n"); printf(" -C config use the specified unbound.conf (none read by default)\n"); + printf(" pass as first argument if you want to override some\n"); + printf(" options with further arguments\n"); printf(" -r read forwarder information from /etc/resolv.conf\n"); printf(" breaks validation if the forwarder does not do DNSSEC.\n"); printf(" -v be more verbose, shows nodata and security.\n"); @@ -339,6 +340,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname) exit(1); } printf("%s\n", s); + free(s); } else printf(" has no %s record", tstr); printf(" %s\n", secstatus); } diff --git a/contrib/unbound/smallapp/worker_cb.c b/contrib/unbound/smallapp/worker_cb.c index dda94cc670cf..6c3bd0049082 100644 --- a/contrib/unbound/smallapp/worker_cb.c +++ b/contrib/unbound/smallapp/worker_cb.c 
@@ -168,21 +168,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube), void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s), - char* ATTR_UNUSED(why_bogus)) + char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited)) { log_assert(0); } void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s), - char* ATTR_UNUSED(why_bogus)) + char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited)) { log_assert(0); } void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s), - char* ATTR_UNUSED(why_bogus)) + char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited)) { log_assert(0); } |