authorDag-Erling Smørgrav <des@FreeBSD.org>2018-10-10 07:55:06 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2018-10-10 07:55:06 +0000
commit4c75e3aa0f1368f18240b8bfd0e1e88f64994a1c (patch)
tree309e2fdf691ad4bcd9c3610746927c1cc299580e /contrib/unbound/smallapp
parentceb68e4a7c9289b7635055593b02d05612e57c29 (diff)
parentdcaa814d350c5ee7deb2164502a24f2f698b9799 (diff)
Upgrade Unbound to 1.8.0. More to follow.
Approved by: re (kib)
Notes
Notes: svn path=/head/; revision=339275
Diffstat (limited to 'contrib/unbound/smallapp')
-rw-r--r--contrib/unbound/smallapp/unbound-anchor.c66
-rw-r--r--contrib/unbound/smallapp/unbound-checkconf.c61
-rw-r--r--contrib/unbound/smallapp/unbound-control.c36
-rw-r--r--contrib/unbound/smallapp/unbound-host.c8
-rw-r--r--contrib/unbound/smallapp/worker_cb.c6
5 files changed, 147 insertions, 30 deletions
diff --git a/contrib/unbound/smallapp/unbound-anchor.c b/contrib/unbound/smallapp/unbound-anchor.c
index 6d86ba8fe730..dea674003a35 100644
--- a/contrib/unbound/smallapp/unbound-anchor.c
+++ b/contrib/unbound/smallapp/unbound-anchor.c
@@ -192,9 +192,10 @@ usage(void)
printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER);
printf("-4 work using IPv4 only\n");
printf("-6 work using IPv6 only\n");
- printf("-f resolv.conf use given resolv.conf to resolve -u name\n");
- printf("-r root.hints use given root.hints to resolve -u name\n"
+ printf("-f resolv.conf use given resolv.conf\n");
+ printf("-r root.hints use given root.hints\n"
" builtin root hints are used by default\n");
+ printf("-R fallback from -f to root query on error\n");
printf("-v more verbose\n");
printf("-C conf debug, read config\n");
printf("-P port use port for https connect, default 443\n");
@@ -1913,8 +1914,7 @@ static int
do_certupdate(const char* root_anchor_file, const char* root_cert_file,
const char* urlname, const char* xmlname, const char* p7sname,
const char* p7signer, const char* res_conf, const char* root_hints,
- const char* debugconf, int ip4only, int ip6only, int port,
- struct ub_result* dnskey)
+ const char* debugconf, int ip4only, int ip6only, int port)
{
STACK_OF(X509)* cert;
BIO *xml, *p7s;
@@ -1954,7 +1954,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
#ifndef S_SPLINT_S
sk_X509_pop_free(cert, X509_free);
#endif
- ub_resolve_free(dnskey);
ip_list_free(ip_list);
return 1;
}
@@ -2192,16 +2191,33 @@ probe_date_allows_certupdate(const char* root_anchor_file)
return 0;
}
+static struct ub_result *
+fetch_root_key(const char* root_anchor_file, const char* res_conf,
+ const char* root_hints, const char* debugconf,
+ int ip4only, int ip6only)
+{
+ struct ub_ctx* ctx;
+ struct ub_result* dnskey;
+
+ ctx = create_unbound_context(res_conf, root_hints, debugconf,
+ ip4only, ip6only);
+ add_5011_probe_root(ctx, root_anchor_file);
+ dnskey = prime_root_key(ctx);
+ ub_ctx_delete(ctx);
+ return dnskey;
+}
+
/** perform the unbound-anchor work */
static int
do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
const char* urlname, const char* xmlname, const char* p7sname,
const char* p7signer, const char* res_conf, const char* root_hints,
- const char* debugconf, int ip4only, int ip6only, int force, int port)
+ const char* debugconf, int ip4only, int ip6only, int force,
+ int res_conf_fallback, int port)
{
- struct ub_ctx* ctx;
struct ub_result* dnskey;
int used_builtin = 0;
+ int rcode;
/* see if builtin rootanchor needs to be provided, or if
* rootanchor is 'revoked-trust-point' */
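Review bot: The new static `fetch_root_key` is the only function in this hunk without the file's `/** ... */` doxygen comment, and its contract matters because the caller dereferences the returned `struct ub_result` right away. Neither the result of `create_unbound_context` nor of `prime_root_key` is NULL-checked here; presumably both exit on failure, but that is not visible in this hunk and should be stated rather than assumed. Suggested header: `/** create a context with the 5011 probe for root_anchor_file, prime . DNSKEY and return the result; never returns NULL (helpers exit on failure), caller frees with ub_resolve_free() */`. Passing `res_conf == NULL` switches the context to direct root queries, which is worth a word in the same comment since the fallback path relies on it.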
@@ -2210,12 +2226,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
/* make unbound context with 5011-probe for root anchor,
* and probe . DNSKEY */
- ctx = create_unbound_context(res_conf, root_hints, debugconf,
- ip4only, ip6only);
- add_5011_probe_root(ctx, root_anchor_file);
- dnskey = prime_root_key(ctx);
- ub_ctx_delete(ctx);
-
+ dnskey = fetch_root_key(root_anchor_file, res_conf,
+ root_hints, debugconf, ip4only, ip6only);
+ rcode = dnskey->rcode;
+
+ if (res_conf_fallback && res_conf && !dnskey->secure) {
+ if (verb) printf("%s failed, retrying direct\n", res_conf);
+ ub_resolve_free(dnskey);
+ /* try direct query without res_conf */
+ dnskey = fetch_root_key(root_anchor_file, NULL,
+ root_hints, debugconf, ip4only, ip6only);
+ if (rcode != 0 && dnskey->rcode == 0) {
+ res_conf = NULL;
+ rcode = 0;
+ }
+ }
+
/* if secure: exit */
if(dnskey->secure && !force) {
if(verb) printf("success: the anchor is ok\n");
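Review bot: The `rcode` bookkeeping around the fallback is easy to misread: `rcode` keeps the first attempt's value unless the direct query turns a non-zero rcode into NOERROR, so when the resolv.conf query answers NOERROR but insecure and the direct query fails, the later cert update still runs with `res_conf` set. If that is intended, a comment above `if (rcode != 0 && dnskey->rcode == 0)` should say so, e.g. `/* prefer the direct query's rcode and drop res_conf only when it did strictly better */`. `dnskey` returned by `fetch_root_key` is dereferenced on the next line without a NULL check; this is fine only if `prime_root_key` exits on failure, which this hunk cannot show. As a point of style, `if (res_conf_fallback ...)` and `if (verb)` use the `if (` spacing while the rest of the function writes `if(`.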
@@ -2223,18 +2249,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
return used_builtin;
}
if(force && verb) printf("debug cert update forced\n");
+ ub_resolve_free(dnskey);
/* if not (and NOERROR): check date and do certupdate */
- if((dnskey->rcode == 0 &&
+ if((rcode == 0 &&
probe_date_allows_certupdate(root_anchor_file)) || force) {
if(do_certupdate(root_anchor_file, root_cert_file, urlname,
xmlname, p7sname, p7signer, res_conf, root_hints,
- debugconf, ip4only, ip6only, port, dnskey))
+ debugconf, ip4only, ip6only, port))
return 1;
return used_builtin;
}
if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
- ub_resolve_free(dnskey);
return used_builtin;
}
@@ -2257,8 +2283,9 @@ int main(int argc, char* argv[])
const char* root_hints = NULL;
const char* debugconf = NULL;
int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
+ int res_conf_fallback = 0;
/* parse the options */
- while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
+ while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) {
switch(c) {
case 'l':
dolist = 1;
@@ -2293,6 +2320,9 @@ int main(int argc, char* argv[])
case 'r':
root_hints = optarg;
break;
+ case 'R':
+ res_conf_fallback = 1;
+ break;
case 'C':
debugconf = optarg;
break;
@@ -2339,5 +2369,5 @@ int main(int argc, char* argv[])
return do_root_update_work(root_anchor_file, root_cert_file, urlname,
xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
- ip4only, ip6only, force, port);
+ ip4only, ip6only, force, res_conf_fallback, port);
}
diff --git a/contrib/unbound/smallapp/unbound-checkconf.c b/contrib/unbound/smallapp/unbound-checkconf.c
index 9bd7d6a39cb6..b9fd1198a9d5 100644
--- a/contrib/unbound/smallapp/unbound-checkconf.c
+++ b/contrib/unbound/smallapp/unbound-checkconf.c
@@ -43,6 +43,7 @@
*/
#include "config.h"
+#include <ctype.h>
#include "util/log.h"
#include "util/config_file.h"
#include "util/module.h"
@@ -252,6 +253,23 @@ aclchecks(struct config_file* cfg)
}
}
+/** check tcp connection limit ips */
+static void
+tcpconnlimitchecks(struct config_file* cfg)
+{
+ int d;
+ struct sockaddr_storage a;
+ socklen_t alen;
+ struct config_str2list* tcl;
+ for(tcl=cfg->tcp_connection_limits; tcl; tcl = tcl->next) {
+ if(!netblockstrtoaddr(tcl->str, UNBOUND_DNS_PORT, &a, &alen,
+ &d)) {
+ fatal_exit("cannot parse tcp connection limit address %s %s",
+ tcl->str, tcl->str2);
+ }
+ }
+}
+
/** true if fname is a file */
static int
is_file(const char* fname)
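Review bot: `tcpconnlimitchecks` validates only the netblock in `tcl->str`; the limit value in `tcl->str2` is echoed in the error message but never checked, so a non-numeric or negative limit passes unbound-checkconf unless the config parser already rejects it (not visible here). If the parser does not, a check of the form `if(atoi(tcl->str2) < 0) fatal_exit("tcp connection limit %s: bad limit %s", tcl->str, tcl->str2);` after the netblock test would make this check complete. The function comment could also name what is validated: `/** check that tcp-connection-limit netblocks parse */`.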
@@ -373,6 +391,44 @@ ecs_conf_checks(struct config_file* cfg)
}
#endif /* CLIENT_SUBNET */
+/** check that the modules exist, are compiled in */
+static void
+check_modules_exist(const char* module_conf)
+{
+ const char** names = module_list_avail();
+ const char* s = module_conf;
+ while(*s) {
+ int i = 0;
+ int is_ok = 0;
+ while(*s && isspace((unsigned char)*s))
+ s++;
+ if(!*s) break;
+ while(names[i]) {
+ if(strncmp(names[i], s, strlen(names[i])) == 0) {
+ is_ok = 1;
+ break;
+ }
+ i++;
+ }
+ if(is_ok == 0) {
+ char n[64];
+ size_t j;
+ n[0]=0;
+ n[sizeof(n)-1]=0;
+ for(j=0; j<sizeof(n)-1; j++) {
+ if(!s[j] || isspace((unsigned char)s[j])) {
+ n[j] = 0;
+ break;
+ }
+ n[j] = s[j];
+ }
+ fatal_exit("module_conf lists module '%s' but that "
+ "module is not available.", n);
+ }
+ s += strlen(names[i]);
+ }
+}
+
/** check configuration for errors */
static void
morechecks(struct config_file* cfg, const char* fname)
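Review bot: The match in `check_modules_exist` is a prefix match: `strncmp(names[i], s, strlen(names[i])) == 0` accepts a token that merely starts with a known module name, so `validatoriterator` is accepted as two modules and a name like `iteratorx` only fails because `x` is later rejected on its own. Requiring a delimiter after the match fixes this: `size_t len = strlen(names[i]);` then `if(strncmp(names[i], s, len) == 0 && (s[len] == 0 || isspace((unsigned char)s[len]))) {`. The `s += strlen(names[i]);` after the `is_ok == 0` branch is only safe because `fatal_exit` does not return; a `/* not reached when is_ok == 0 */` comment would make that dependency explicit. `module_list_avail()` is also assumed non-NULL here; worth confirming against its definition.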
@@ -381,6 +437,7 @@ morechecks(struct config_file* cfg, const char* fname)
warn_hosts("forward-host", cfg->forwards);
interfacechecks(cfg);
aclchecks(cfg);
+ tcpconnlimitchecks(cfg);
if(cfg->verbosity < 0)
fatal_exit("verbosity value < 0");
@@ -465,6 +522,9 @@ morechecks(struct config_file* cfg, const char* fname)
free(cfg->chrootdir);
cfg->chrootdir = NULL;
+ /* check that the modules listed in module_conf exist */
+ check_modules_exist(cfg->module_conf);
+
/* There should be no reason for 'respip' module not to work with
* dns64, but it's not explicitly confirmed, so the combination is
* excluded below. It's simply unknown yet for the combination of
@@ -511,7 +571,6 @@ morechecks(struct config_file* cfg, const char* fname)
#if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
&& strcmp(cfg->module_conf, "python subnetcache iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache python iterator") != 0
- && strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
&& strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
diff --git a/contrib/unbound/smallapp/unbound-control.c b/contrib/unbound/smallapp/unbound-control.c
index c02249875ccf..408571944d7a 100644
--- a/contrib/unbound/smallapp/unbound-control.c
+++ b/contrib/unbound/smallapp/unbound-control.c
@@ -143,6 +143,8 @@ usage(void)
printf(" ip_ratelimit_list [+a] list ratelimited ip addresses\n");
printf(" +a list all, also not ratelimited\n");
printf(" list_auth_zones list auth zones\n");
+ printf(" auth_zone_reload zone reload auth zone from zonefile\n");
+ printf(" auth_zone_transfer zone transfer auth zone from master\n");
printf(" view_list_local_zones view list local-zones in view\n");
printf(" view_list_local_data view list local-data RRs in view\n");
printf(" view_local_zone view name type add local-zone in view\n");
@@ -319,6 +321,7 @@ static void print_extended(struct ub_stats_info* s)
/* transport */
PR_UL("num.query.tcp", s->svr.qtcp);
PR_UL("num.query.tcpout", s->svr.qtcp_outgoing);
+ PR_UL("num.query.tls", s->svr.qtls);
PR_UL("num.query.ipv6", s->svr.qipv6);
/* flags */
@@ -371,6 +374,10 @@ static void print_extended(struct ub_stats_info* s)
#endif /* USE_DNSCRYPT */
PR_UL("num.query.authzone.up", s->svr.num_query_authzone_up);
PR_UL("num.query.authzone.down", s->svr.num_query_authzone_down);
+#ifdef CLIENT_SUBNET
+ PR_UL("num.query.subnet", s->svr.num_query_subnet);
+ PR_UL("num.query.subnet_cache", s->svr.num_query_subnet_cache);
+#endif
}
/** print statistics out of memory structures */
@@ -444,6 +451,22 @@ static void ssl_err(const char* s)
exit(1);
}
+/** exit with ssl error related to a file path */
+static void ssl_path_err(const char* s, const char *path)
+{
+ unsigned long err;
+ err = ERR_peek_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_SYS &&
+ (ERR_GET_FUNC(err) == SYS_F_FOPEN ||
+ ERR_GET_FUNC(err) == SYS_F_FREAD) ) {
+ fprintf(stderr, "error: %s\n%s: %s\n",
+ s, path, ERR_reason_error_string(err));
+ exit(1);
+ } else {
+ ssl_err(s);
+ }
+}
+
/** setup SSL context */
static SSL_CTX*
setup_ctx(struct config_file* cfg)
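Review bot: `ERR_reason_error_string(err)` can return NULL when no reason string is registered for the error, and `fprintf` with `%s` on NULL is undefined behaviour; guard it with `const char* reason = ERR_reason_error_string(err);` and print `reason ? reason : "unknown error"`. `ERR_peek_error()` returns the earliest error still in the queue rather than the most recent one, so the library/function test may look at a stale entry if anything was left queued before the failing call; a comment stating the expectation that the queue is empty on entry would help. The dispatch on `ERR_GET_FUNC()` and `SYS_F_FOPEN`/`SYS_F_FREAD` is tied to the OpenSSL error layout of the time; in newer releases `ERR_GET_FUNC()` is deprecated and may no longer identify the function, in which case this silently falls through to `ssl_err(s)` — acceptable, but worth a comment.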
@@ -467,12 +490,15 @@ setup_ctx(struct config_file* cfg)
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3");
- if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
- !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
- || !SSL_CTX_check_private_key(ctx))
- ssl_err("Error setting up SSL_CTX client key and cert");
+ if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert))
+ ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
+ if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM))
+ ssl_path_err("Error setting up SSL_CTX client key", c_key);
+ if (!SSL_CTX_check_private_key(ctx))
+ ssl_err("Error setting up SSL_CTX client key");
if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1)
- ssl_err("Error setting up SSL_CTX verify, server cert");
+ ssl_path_err("Error setting up SSL_CTX verify, server cert",
+ s_cert);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
free(s_cert);
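Review bot: The two new checks `if (!SSL_CTX_use_PrivateKey_file(...))` and `if (!SSL_CTX_check_private_key(ctx))` use `if (` spacing while the surrounding lines of `setup_ctx`, including the added `if(!SSL_CTX_use_certificate_chain_file(...))`, use the file's `if(` style; keeping one form makes the block read as one author. Splitting the combined check into three calls is an improvement because each failure now names the file that caused it. `setup_ctx` starts and ends outside this hunk.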
diff --git a/contrib/unbound/smallapp/unbound-host.c b/contrib/unbound/smallapp/unbound-host.c
index cd1ffe3351d2..f02511fe5613 100644
--- a/contrib/unbound/smallapp/unbound-host.c
+++ b/contrib/unbound/smallapp/unbound-host.c
@@ -82,9 +82,8 @@ static int verb = 0;
static void
usage(void)
{
- printf("Usage: unbound-host [-vdhr46] [-c class] [-t type] hostname\n");
- printf(" [-y key] [-f keyfile] [-F namedkeyfile]\n");
- printf(" [-C configfile]\n");
+ printf("Usage: unbound-host [-C configfile] [-vdhr46] [-c class] [-t type]\n");
+ printf(" [-y key] [-f keyfile] [-F namedkeyfile] hostname\n");
printf(" Queries the DNS for information.\n");
printf(" The hostname is looked up for IP4, IP6 and mail.\n");
printf(" If an ip-address is given a reverse lookup is done.\n");
@@ -98,6 +97,8 @@ usage(void)
printf(" -f keyfile read trust anchors from file, with lines as -y.\n");
printf(" -F keyfile read named.conf-style trust anchors.\n");
printf(" -C config use the specified unbound.conf (none read by default)\n");
+ printf(" pass as first argument if you want to override some\n");
+ printf(" options with further arguments\n");
printf(" -r read forwarder information from /etc/resolv.conf\n");
printf(" breaks validation if the forwarder does not do DNSSEC.\n");
printf(" -v be more verbose, shows nodata and security.\n");
@@ -339,6 +340,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname)
exit(1);
}
printf("%s\n", s);
+ free(s);
} else printf(" has no %s record", tstr);
printf(" %s\n", secstatus);
}
diff --git a/contrib/unbound/smallapp/worker_cb.c b/contrib/unbound/smallapp/worker_cb.c
index dda94cc670cf..6c3bd0049082 100644
--- a/contrib/unbound/smallapp/worker_cb.c
+++ b/contrib/unbound/smallapp/worker_cb.c
@@ -168,21 +168,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus))
+ char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
{
log_assert(0);
}
void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus))
+ char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
{
log_assert(0);
}
void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus))
+ char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
{
log_assert(0);
}