summaryrefslogtreecommitdiffstats
path: root/contrib
diff options
context:
space:
mode:
authordes <des@FreeBSD.org>2016-01-16 19:06:12 +0000
committerdes <des@FreeBSD.org>2016-01-16 19:06:12 +0000
commitdc5c74f3f12a6f57440056448e551a0f1c335299 (patch)
tree2a7e37ea0ed7669b7017829c084a497ede84c5d0 /contrib
parent28f497d302178844843a97044b9d18027c124fc7 (diff)
downloadFreeBSD-src-dc5c74f3f12a6f57440056448e551a0f1c335299.zip
FreeBSD-src-dc5c74f3f12a6f57440056448e551a0f1c335299.tar.gz
MFH (r292206): upgrade to Unbound 1.5.7
MFH (r292135): run configure script with correct compiler
Diffstat (limited to 'contrib')
-rw-r--r--contrib/unbound/.gitignore38
-rw-r--r--contrib/unbound/Makefile.in247
-rw-r--r--contrib/unbound/acx_nlnetlabs.m412
-rw-r--r--contrib/unbound/compat/arc4random.c2
-rw-r--r--contrib/unbound/compat/getentropy_linux.c25
-rw-r--r--contrib/unbound/compat/getentropy_solaris.c6
-rw-r--r--contrib/unbound/compat/isblank.c45
-rw-r--r--contrib/unbound/compat/reallocarray.c3
-rw-r--r--contrib/unbound/compat/sha512.c2
-rw-r--r--contrib/unbound/compat/snprintf.c3
-rw-r--r--contrib/unbound/config.h35
-rw-r--r--contrib/unbound/config.h.in27
-rwxr-xr-xcontrib/unbound/configure201
-rw-r--r--contrib/unbound/configure.ac69
-rw-r--r--contrib/unbound/daemon/remote.c6
-rw-r--r--contrib/unbound/daemon/unbound.c5
-rw-r--r--contrib/unbound/daemon/worker.c9
-rw-r--r--contrib/unbound/dns64/dns64.c6
-rw-r--r--contrib/unbound/dnstap/dnstap.proto2
-rw-r--r--contrib/unbound/doc/Changelog136
-rw-r--r--contrib/unbound/doc/README2
-rw-r--r--contrib/unbound/doc/example.conf94
-rw-r--r--contrib/unbound/doc/example.conf.in94
-rw-r--r--contrib/unbound/doc/libunbound.34
-rw-r--r--contrib/unbound/doc/libunbound.3.in4
-rw-r--r--contrib/unbound/doc/unbound-anchor.82
-rw-r--r--contrib/unbound/doc/unbound-anchor.8.in2
-rw-r--r--contrib/unbound/doc/unbound-checkconf.82
-rw-r--r--contrib/unbound/doc/unbound-checkconf.8.in2
-rw-r--r--contrib/unbound/doc/unbound-control.84
-rw-r--r--contrib/unbound/doc/unbound-control.8.in4
-rw-r--r--contrib/unbound/doc/unbound-host.12
-rw-r--r--contrib/unbound/doc/unbound-host.1.in2
-rw-r--r--contrib/unbound/doc/unbound.84
-rw-r--r--contrib/unbound/doc/unbound.8.in4
-rw-r--r--contrib/unbound/doc/unbound.conf.547
-rw-r--r--contrib/unbound/doc/unbound.conf.5.in47
-rwxr-xr-xcontrib/unbound/freebsd-configure.sh3
-rw-r--r--contrib/unbound/iterator/iter_scrub.c38
-rw-r--r--contrib/unbound/iterator/iter_utils.c4
-rw-r--r--contrib/unbound/iterator/iterator.c132
-rw-r--r--contrib/unbound/iterator/iterator.h35
-rw-r--r--contrib/unbound/libunbound/libunbound.c3
-rw-r--r--contrib/unbound/libunbound/python/Makefile2
-rw-r--r--contrib/unbound/libunbound/python/doc/install.rst2
-rw-r--r--contrib/unbound/libunbound/python/doc/modules/unbound.rst2
-rw-r--r--contrib/unbound/libunbound/python/examples/dnssec-valid.py2
-rw-r--r--contrib/unbound/libunbound/python/libunbound.i4
-rwxr-xr-xcontrib/unbound/ltmain.sh2
-rw-r--r--contrib/unbound/services/cache/dns.c5
-rw-r--r--contrib/unbound/services/cache/rrset.c1
-rw-r--r--contrib/unbound/sldns/parseutil.h4
-rw-r--r--contrib/unbound/sldns/wire2str.c3
-rw-r--r--contrib/unbound/smallapp/unbound-anchor.c18
-rw-r--r--contrib/unbound/smallapp/unbound-checkconf.c4
-rwxr-xr-xcontrib/unbound/smallapp/unbound-control-setup.sh38
-rwxr-xr-xcontrib/unbound/smallapp/unbound-control-setup.sh.in38
-rw-r--r--contrib/unbound/smallapp/unbound-control.c9
-rw-r--r--contrib/unbound/util/config_file.c27
-rw-r--r--contrib/unbound/util/config_file.h7
-rw-r--r--contrib/unbound/util/configlexer.lex1
-rw-r--r--contrib/unbound/util/configparser.y13
-rw-r--r--contrib/unbound/util/iana_ports.inc4
-rw-r--r--contrib/unbound/util/locks.c2
-rw-r--r--contrib/unbound/util/net_help.c12
-rw-r--r--contrib/unbound/util/random.c74
-rw-r--r--contrib/unbound/util/rbtree.c2
-rw-r--r--contrib/unbound/util/rtt.h2
-rw-r--r--contrib/unbound/util/storage/lookup3.c8
-rw-r--r--contrib/unbound/util/tube.h2
-rw-r--r--contrib/unbound/util/winsock_event.h2
-rw-r--r--contrib/unbound/validator/autotrust.c10
-rw-r--r--contrib/unbound/validator/val_neg.c2
-rw-r--r--contrib/unbound/validator/val_neg.h2
-rw-r--r--contrib/unbound/validator/val_nsec.c28
-rw-r--r--contrib/unbound/validator/val_nsec.h6
-rw-r--r--contrib/unbound/validator/val_nsec3.c136
-rw-r--r--contrib/unbound/validator/val_nsec3.h6
-rw-r--r--contrib/unbound/validator/val_secalgo.c520
-rw-r--r--contrib/unbound/validator/val_secalgo.h15
-rw-r--r--contrib/unbound/validator/val_sigcrypt.c2
-rw-r--r--contrib/unbound/validator/val_utils.h2
-rw-r--r--contrib/unbound/validator/validator.c6
83 files changed, 1833 insertions, 606 deletions
diff --git a/contrib/unbound/.gitignore b/contrib/unbound/.gitignore
new file mode 100644
index 0000000..7fed8d7
--- /dev/null
+++ b/contrib/unbound/.gitignore
@@ -0,0 +1,38 @@
+*.lo
+*.o
+/.libs/
+/Makefile
+/autom4te.cache/
+/config.h
+/config.log
+/config.status
+/dnstap/dnstap_config.h
+/doc/example.conf
+/doc/libunbound.3
+/doc/unbound-anchor.8
+/doc/unbound-checkconf.8
+/doc/unbound-control.8
+/doc/unbound-host.1
+/doc/unbound.8
+/doc/unbound.conf.5
+/libtool
+/libunbound.la
+/smallapp/unbound-control-setup.sh
+/unbound
+/unbound-anchor
+/unbound-checkconf
+/unbound-control
+/unbound-control-setup
+/unbound-host
+/unbound.h
+/asynclook
+/delayer
+/lock-verify
+/memstats
+/perf
+/petal
+/pktview
+/streamtcp
+/testbound
+/unittest
+
diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in
index 20829d8..282c7d6 100644
--- a/contrib/unbound/Makefile.in
+++ b/contrib/unbound/Makefile.in
@@ -38,6 +38,7 @@ UNBOUND_VERSION_MINOR=@UNBOUND_VERSION_MINOR@
UNBOUND_VERSION_MICRO=@UNBOUND_VERSION_MICRO@
ALLTARGET=@ALLTARGET@
INSTALLTARGET=@INSTALLTARGET@
+SSLLIB=@SSLLIB@
# _unbound.la if pyunbound enabled.
PYUNBOUND_TARGET=@PYUNBOUND_TARGET@
@@ -132,7 +133,7 @@ compat/memcmp.c compat/memmove.c compat/snprintf.c compat/strlcat.c \
compat/strlcpy.c compat/strptime.c compat/getentropy_linux.c \
compat/getentropy_osx.c compat/getentropy_solaris.c compat/getentropy_win.c \
compat/explicit_bzero.c compat/arc4random.c compat/arc4random_uniform.c \
-compat/arc4_lock.c compat/sha512.c compat/reallocarray.c
+compat/arc4_lock.c compat/sha512.c compat/reallocarray.c compat/isblank.c
COMPAT_OBJ=$(LIBOBJS:.o=.lo)
COMPAT_OBJ_WITHOUT_CTIME=$(LIBOBJ_WITHOUT_CTIME:.o=.lo)
COMPAT_OBJ_WITHOUT_CTIMEARC4=$(LIBOBJ_WITHOUT_CTIMEARC4:.o=.lo)
@@ -295,22 +296,22 @@ longtest: tests
lib: libunbound.la unbound.h
libunbound.la: $(LIBUNBOUND_OBJ_LINK)
- $(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) -lssl $(LIBS)
+ $(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) $(SSLLIB) $(LIBS)
unbound$(EXEEXT): $(DAEMON_OBJ_LINK) libunbound.la
- $(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
unbound-checkconf$(EXEEXT): $(CHECKCONF_OBJ_LINK) libunbound.la
- $(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
unbound-control$(EXEEXT): $(CONTROL_OBJ_LINK) libunbound.la
- $(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
unbound-host$(EXEEXT): $(HOST_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
unbound-anchor$(EXEEXT): $(UBANCHOR_OBJ_LINK) libunbound.la
- $(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat -lssl $(LIBS)
+ $(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS)
unbound-service-install$(EXEEXT): $(SVCINST_OBJ_LINK)
$(LINK) -o $@ $(SVCINST_OBJ_LINK) $(LIBS)
@@ -322,37 +323,37 @@ anchor-update$(EXEEXT): $(ANCHORUPD_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(ANCHORUPD_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
unittest$(EXEEXT): $(UNITTEST_OBJ_LINK)
- $(LINK) -o $@ $(UNITTEST_OBJ_LINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS)
testbound$(EXEEXT): $(TESTBOUND_OBJ_LINK)
- $(LINK) -o $@ $(TESTBOUND_OBJ_LINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS)
lock-verify$(EXEEXT): $(LOCKVERIFY_OBJ_LINK)
- $(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS)
petal$(EXEEXT): $(PETAL_OBJ_LINK)
- $(LINK) -o $@ $(PETAL_OBJ_LINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(PETAL_OBJ_LINK) $(SSLLIB) $(LIBS)
pktview$(EXEEXT): $(PKTVIEW_OBJ_LINK)
- $(LINK) -o $@ $(PKTVIEW_OBJ_LINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS)
memstats$(EXEEXT): $(MEMSTATS_OBJ_LINK)
- $(LINK) -o $@ $(MEMSTATS_OBJ_LINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
asynclook$(EXEEXT): $(ASYNCLOOK_OBJ_LINK) libunbound.la
$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
streamtcp$(EXEEXT): $(STREAMTCP_OBJ_LINK)
- $(LINK) -o $@ $(STREAMTCP_OBJ_LINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
perf$(EXEEXT): $(PERF_OBJ_LINK)
- $(LINK) -o $@ $(PERF_OBJ_LINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS)
delayer$(EXEEXT): $(DELAYER_OBJ_LINK)
- $(LINK) -o $@ $(DELAYER_OBJ_LINK) -lssl $(LIBS)
+ $(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS)
signit$(EXEEXT): testcode/signit.c
- $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns -lssl $(LIBS)
+ $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS)
unbound.h: $(srcdir)/libunbound/unbound.h
sed -e 's/@''UNBOUND_VERSION_MAJOR@/$(UNBOUND_VERSION_MAJOR)/' -e 's/@''UNBOUND_VERSION_MINOR@/$(UNBOUND_VERSION_MINOR)/' -e 's/@''UNBOUND_VERSION_MICRO@/$(UNBOUND_VERSION_MICRO)/' < $(srcdir)/libunbound/unbound.h > $@
@@ -644,7 +645,7 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
$(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
$(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
@@ -727,8 +728,7 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
-
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h
alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@@ -776,14 +776,12 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h \
-
+ $(srcdir)/sldns/wire2str.h
random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@@ -818,8 +816,7 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
$(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/services/modstack.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
-
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
@@ -844,18 +841,16 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
-
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
- $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
- $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
-val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/validator.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
+val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
@@ -867,17 +862,15 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
$(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h \
-
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/sbuffer.h
val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
-
+ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@@ -895,11 +888,6 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
$(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/testcode/checklocks.h
-dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/dnstap/dnstap.pb-c.h
-dnstap.pb-c.lo dnstap.pb-c.o: $(srcdir)/dnstap/dnstap.pb-c.c $(srcdir)/dnstap/dnstap.pb-c.h
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@@ -908,8 +896,7 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
@@ -947,38 +934,35 @@ unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/lo
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
- $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h \
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
$(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
$(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@@ -1002,35 +986,33 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/mini_event.h \
- $(srcdir)/util/rbtree.h
+ $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/libworker.h
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
+ $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@@ -1046,12 +1028,12 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
@@ -1059,14 +1041,13 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
@@ -1141,19 +1122,18 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
$(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/services/localzone.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/netevent.h $(srcdir)/services/mesh.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@@ -1164,21 +1144,18 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
-
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
- $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
-
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
-
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
+petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
@@ -1191,8 +1168,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
$(srcdir)/winrc/w_inst.h
@@ -1200,14 +1176,11 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
$(srcdir)/winrc/w_inst.h
anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/rrdef.h \
-
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h \
-
+ $(srcdir)/sldns/keyraw.h
parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/sbuffer.h
parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@@ -1227,8 +1200,7 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
-
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
@@ -1238,3 +1210,4 @@ arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.
arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h $(srcdir)/util/locks.h
sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
+isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h
diff --git a/contrib/unbound/acx_nlnetlabs.m4 b/contrib/unbound/acx_nlnetlabs.m4
index c9ca755..26513e4 100644
--- a/contrib/unbound/acx_nlnetlabs.m4
+++ b/contrib/unbound/acx_nlnetlabs.m4
@@ -2,7 +2,9 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
-# Version 28
+# Version 30
+# 2015-11-18 spelling check fix.
+# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
# 2013-09-19 FLTO help text improved.
@@ -24,7 +26,7 @@
# 2010-07-02 Add check for ss_family (for minix).
# 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS.
# 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end.
-# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS seperate, -ldl
+# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS separate, -ldl
# 2010-02-01 added ACX_CHECK_MEMCMP_SIGNED, AHX_MEMCMP_BROKEN
# 2010-01-20 added AHX_COONFIG_STRLCAT
# 2009-07-14 U_CHAR detection improved for windows crosscompile.
@@ -715,12 +717,6 @@ AC_DEFUN([ACX_SSL_CHECKS], [
fi
AC_SUBST(HAVE_SSL)
AC_SUBST(RUNTIME_PATH)
- # openssl engine functionality needs dlopen().
- BAKLIBS="$LIBS"
- AC_SEARCH_LIBS([dlopen], [dl])
- if test "$LIBS" != "$BAKLIBS"; then
- LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
- fi
fi
AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
diff --git a/contrib/unbound/compat/arc4random.c b/contrib/unbound/compat/arc4random.c
index 27a626b..2c859f1 100644
--- a/contrib/unbound/compat/arc4random.c
+++ b/contrib/unbound/compat/arc4random.c
@@ -26,7 +26,9 @@
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
+#ifdef HAVE_STDINT_H
#include <stdint.h>
+#endif
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
diff --git a/contrib/unbound/compat/getentropy_linux.c b/contrib/unbound/compat/getentropy_linux.c
index 76f0f9d..37d86a8 100644
--- a/contrib/unbound/compat/getentropy_linux.c
+++ b/contrib/unbound/compat/getentropy_linux.c
@@ -46,7 +46,12 @@
#include <errno.h>
#include <unistd.h>
#include <time.h>
+
+#if defined(HAVE_SSL)
#include <openssl/sha.h>
+#elif defined(HAVE_NETTLE)
+#include <nettle/sha.h>
+#endif
#include <linux/types.h>
#include <linux/random.h>
@@ -67,9 +72,21 @@
HD(b); \
} while (0)
+#if defined(HAVE_SSL)
+#define CRYPTO_SHA512_CTX SHA512_CTX
+#define CRYPTO_SHA512_INIT(x) SHA512_Init(x)
+#define CRYPTO_SHA512_FINAL(r, c) SHA512_Final(r, c)
#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
#define HD(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
#define HF(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (void*)))
+#elif defined(HAVE_NETTLE)
+#define CRYPTO_SHA512_CTX struct sha512_ctx
+#define CRYPTO_SHA512_INIT(x) sha512_init(x)
+#define CRYPTO_SHA512_FINAL(r, c) sha512_digest(c, SHA512_DIGEST_SIZE, r)
+#define HR(x, l) (sha512_update(&ctx, (l), (uint8_t *)(x)))
+#define HD(x) (sha512_update(&ctx, sizeof (x), (uint8_t *)&(x)))
+#define HF(x) (sha512_update(&ctx, sizeof (void*), (uint8_t *)&(x)))
+#endif
int getentropy(void *buf, size_t len);
@@ -122,7 +139,7 @@ getentropy(void *buf, size_t len)
* Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID.
* sysctl is a failsafe API, so it guarantees a result. This
* should work inside a chroot, or when file descriptors are
- * exhuasted.
+ * exhausted.
*
* However this can fail if the Linux kernel removes support
* for sysctl. Starting in 2007, there have been efforts to
@@ -337,7 +354,7 @@ getentropy_fallback(void *buf, size_t len)
struct rusage ru;
sigset_t sigset;
struct stat st;
- SHA512_CTX ctx;
+ CRYPTO_SHA512_CTX ctx;
static pid_t lastpid;
pid_t pid;
size_t i, ii, m;
@@ -354,7 +371,7 @@ getentropy_fallback(void *buf, size_t len)
}
for (i = 0; i < len; ) {
int j;
- SHA512_Init(&ctx);
+ CRYPTO_SHA512_INIT(&ctx);
for (j = 0; j < repeat; j++) {
HX((e = gettimeofday(&tv, NULL)) == -1, tv);
if (e != -1) {
@@ -526,7 +543,7 @@ getentropy_fallback(void *buf, size_t len)
# endif
#endif /* HAVE_GETAUXVAL */
- SHA512_Final(results, &ctx);
+ CRYPTO_SHA512_FINAL(results, &ctx);
memcpy((char*)buf + i, results, min(sizeof(results), len - i));
i += min(sizeof(results), len - i);
}
diff --git a/contrib/unbound/compat/getentropy_solaris.c b/contrib/unbound/compat/getentropy_solaris.c
index 8389573..810098a 100644
--- a/contrib/unbound/compat/getentropy_solaris.c
+++ b/contrib/unbound/compat/getentropy_solaris.c
@@ -30,7 +30,9 @@
#include <sys/stat.h>
#include <sys/time.h>
#include <stdlib.h>
+#ifdef HAVE_STDINT_H
#include <stdint.h>
+#endif
#include <stdio.h>
#include <termios.h>
#include <fcntl.h>
@@ -39,10 +41,14 @@
#include <errno.h>
#include <unistd.h>
#include <time.h>
+#ifdef HAVE_SYS_SHA2_H
#include <sys/sha2.h>
#define SHA512_Init SHA512Init
#define SHA512_Update SHA512Update
#define SHA512_Final SHA512Final
+#else
+#include "openssl/sha.h"
+#endif
#include <sys/vfs.h>
#include <sys/statfs.h>
diff --git a/contrib/unbound/compat/isblank.c b/contrib/unbound/compat/isblank.c
new file mode 100644
index 0000000..8feabed
--- /dev/null
+++ b/contrib/unbound/compat/isblank.c
@@ -0,0 +1,45 @@
+/* isblank - compatibility implementation of isblank
+ *
+ * Copyright (c) 2015, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+/* return true for a blank character: space or tab */
+int isblank(int c);
+
+/* implementation of isblank. unsigned char is the argument */
+int
+isblank(int c)
+{
+ return (c==' ' || c=='\t');
+}
diff --git a/contrib/unbound/compat/reallocarray.c b/contrib/unbound/compat/reallocarray.c
index 04d5d71..c969bd0 100644
--- a/contrib/unbound/compat/reallocarray.c
+++ b/contrib/unbound/compat/reallocarray.c
@@ -18,7 +18,10 @@
#include "config.h"
#include <sys/types.h>
#include <errno.h>
+#ifdef HAVE_STDINT_H
#include <stdint.h>
+#endif
+#include <limits.h>
#include <stdlib.h>
/*
diff --git a/contrib/unbound/compat/sha512.c b/contrib/unbound/compat/sha512.c
index ac046ab..744b7ac7b 100644
--- a/contrib/unbound/compat/sha512.c
+++ b/contrib/unbound/compat/sha512.c
@@ -70,7 +70,7 @@ unsigned char *SHA512(void *data, unsigned int data_len, unsigned char *digest);
* Please make sure that your system defines BYTE_ORDER. If your
* architecture is little-endian, make sure it also defines
* LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
- * equivilent.
+ * equivalent.
*
* If your system does not define the above, then you can do so by
* hand like this:
diff --git a/contrib/unbound/compat/snprintf.c b/contrib/unbound/compat/snprintf.c
index 0663557..97cd706 100644
--- a/contrib/unbound/compat/snprintf.c
+++ b/contrib/unbound/compat/snprintf.c
@@ -42,6 +42,7 @@
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
+#include <limits.h>
/* for test */
/* #define SNPRINTF_TEST 1 */
@@ -428,7 +429,7 @@ print_num_llp(char** at, size_t* left, int* ret, void* value,
char buf[PRINT_DEC_BUFSZ];
int negative = 0;
int zero = (value == 0);
-#if defined(UINTPTR_MAX) && defined(UINT32_MAX) && (UINTPTR_MAX == UINT32_MAX)
+#if defined(SIZE_MAX) && defined(UINT32_MAX) && (UINT32_MAX == SIZE_MAX || INT32_MAX == SIZE_MAX)
/* avoid warning about upcast on 32bit systems */
unsigned long long llvalue = (unsigned long)value;
#else
diff --git a/contrib/unbound/config.h b/contrib/unbound/config.h
index 6e322ea..5b38868 100644
--- a/contrib/unbound/config.h
+++ b/contrib/unbound/config.h
@@ -95,6 +95,10 @@
don't. */
/* #undef HAVE_DECL_STRLCPY */
+/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
+ you don't. */
+#define HAVE_DECL_XML_STOPPARSER 1
+
/* Define to 1 if you have the <dlfcn.h> header file. */
#define HAVE_DLFCN_H 1
@@ -152,6 +156,9 @@
/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
#define HAVE_FSEEKO 1
+/* Define to 1 if you have the `fsync' function. */
+#define HAVE_FSYNC 1
+
/* Whether getaddrinfo is available */
#define HAVE_GETADDRINFO 1
@@ -206,6 +213,9 @@
/* Define to 1 if you have the <iphlpapi.h> header file. */
/* #undef HAVE_IPHLPAPI_H */
+/* Define to 1 if you have the `isblank' function. */
+#define HAVE_ISBLANK 1
+
/* Define to 1 if you have the `kill' function. */
#define HAVE_KILL 1
@@ -233,6 +243,9 @@
/* Define to 1 if you have the <netinet/in.h> header file. */
#define HAVE_NETINET_IN_H 1
+/* Use libnettle for crypto */
+/* #undef HAVE_NETTLE */
+
/* Use libnss for crypto */
/* #undef HAVE_NSS */
@@ -497,7 +510,7 @@
#define PACKAGE_NAME "unbound"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "unbound 1.5.5"
+#define PACKAGE_STRING "unbound 1.5.7"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "unbound"
@@ -506,7 +519,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
-#define PACKAGE_VERSION "1.5.5"
+#define PACKAGE_VERSION "1.5.7"
/* default pidfile location */
#define PIDFILE "/var/unbound/unbound.pid"
@@ -525,7 +538,7 @@
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
/* version number for resource files */
-#define RSRC_PACKAGE_VERSION 1,5,5,0
+#define RSRC_PACKAGE_VERSION 1,5,7,0
/* Directory to chdir to */
#define RUN_DIR "/var/unbound"
@@ -536,6 +549,9 @@
/* The size of `time_t', as computed by sizeof. */
#define SIZEOF_TIME_T 8
+/* define if (v)snprintf does not return length needed, (but length used) */
+/* #undef SNPRINTF_RET_BROKEN */
+
/* Define to 1 if you have the ANSI C header files. */
#define STDC_HEADERS 1
@@ -570,7 +586,7 @@
/* #undef USE_ECDSA_EVP_WORKAROUND */
/* Define this to enable GOST support. */
-/* #undef USE_GOST */
+#define USE_GOST 1
/* Define if you want to use internal select based events */
#define USE_MINI_EVENT 1
@@ -849,15 +865,13 @@
#define MAXHOSTNAMELEN 256
#endif
-
-#ifndef HAVE_SNPRINTF
+#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
#define snprintf snprintf_unbound
#define vsnprintf vsnprintf_unbound
#include <stdarg.h>
int snprintf (char *str, size_t count, const char *fmt, ...);
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
-#endif /* HAVE_SNPRINTF */
-
+#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
#ifndef HAVE_INET_PTON
#define inet_pton inet_pton_unbound
@@ -953,6 +967,11 @@ int memcmp(const void *x, const void *y, size_t n);
char *ctime_r(const time_t *timep, char *buf);
#endif
+#ifndef HAVE_ISBLANK
+#define isblank unbound_isblank
+int isblank(int c);
+#endif
+
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
#define strptime unbound_strptime
struct tm;
diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in
index 7576e15..e90f036 100644
--- a/contrib/unbound/config.h.in
+++ b/contrib/unbound/config.h.in
@@ -94,6 +94,10 @@
don't. */
#undef HAVE_DECL_STRLCPY
+/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
+ you don't. */
+#undef HAVE_DECL_XML_STOPPARSER
+
/* Define to 1 if you have the <dlfcn.h> header file. */
#undef HAVE_DLFCN_H
@@ -151,6 +155,9 @@
/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
#undef HAVE_FSEEKO
+/* Define to 1 if you have the `fsync' function. */
+#undef HAVE_FSYNC
+
/* Whether getaddrinfo is available */
#undef HAVE_GETADDRINFO
@@ -205,6 +212,9 @@
/* Define to 1 if you have the <iphlpapi.h> header file. */
#undef HAVE_IPHLPAPI_H
+/* Define to 1 if you have the `isblank' function. */
+#undef HAVE_ISBLANK
+
/* Define to 1 if you have the `kill' function. */
#undef HAVE_KILL
@@ -232,6 +242,9 @@
/* Define to 1 if you have the <netinet/in.h> header file. */
#undef HAVE_NETINET_IN_H
+/* Use libnettle for crypto */
+#undef HAVE_NETTLE
+
/* Use libnss for crypto */
#undef HAVE_NSS
@@ -535,6 +548,9 @@
/* The size of `time_t', as computed by sizeof. */
#undef SIZEOF_TIME_T
+/* define if (v)snprintf does not return length needed, (but length used) */
+#undef SNPRINTF_RET_BROKEN
+
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
@@ -848,15 +864,13 @@
#define MAXHOSTNAMELEN 256
#endif
-
-#ifndef HAVE_SNPRINTF
+#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
#define snprintf snprintf_unbound
#define vsnprintf vsnprintf_unbound
#include <stdarg.h>
int snprintf (char *str, size_t count, const char *fmt, ...);
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
-#endif /* HAVE_SNPRINTF */
-
+#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
#ifndef HAVE_INET_PTON
#define inet_pton inet_pton_unbound
@@ -952,6 +966,11 @@ int memcmp(const void *x, const void *y, size_t n);
char *ctime_r(const time_t *timep, char *buf);
#endif
+#ifndef HAVE_ISBLANK
+#define isblank unbound_isblank
+int isblank(int c);
+#endif
+
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
#define strptime unbound_strptime
struct tm;
diff --git a/contrib/unbound/configure b/contrib/unbound/configure
index 7b0a7e6..acfb107 100755
--- a/contrib/unbound/configure
+++ b/contrib/unbound/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.5.5.
+# Generated by GNU Autoconf 2.69 for unbound 1.5.7.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.5.5'
-PACKAGE_STRING='unbound 1.5.5'
+PACKAGE_VERSION='1.5.7'
+PACKAGE_STRING='unbound 1.5.7'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@@ -661,6 +661,7 @@ CHECKLOCK_OBJ
staticexe
UNBOUND_EVENT_UNINSTALL
UNBOUND_EVENT_INSTALL
+SSLLIB
HAVE_SSL
CONFIG_DATE
NETBSD_LINTFLAGS
@@ -823,6 +824,7 @@ with_solaris_threads
with_pyunbound
with_pythonmodule
with_nss
+with_nettle
with_ssl
enable_sha2
enable_gost
@@ -1391,7 +1393,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures unbound 1.5.5 to adapt to many kinds of systems.
+\`configure' configures unbound 1.5.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1456,7 +1458,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of unbound 1.5.5:";;
+ short | recursive ) echo "Configuration of unbound 1.5.7:";;
esac
cat <<\_ACEOF
@@ -1534,6 +1536,7 @@ Optional Packages:
--with-pythonmodule build Python module, or --without-pythonmodule to
disable script engine. (default=no)
--with-nss=path use libnss instead of openssl, installed at path.
+ --with-nettle=path use libnettle as crypto library, installed at path.
--with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl
/usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
/usr)
@@ -1635,7 +1638,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-unbound configure 1.5.5
+unbound configure 1.5.7
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2344,7 +2347,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.5.5, which was
+It was created by unbound $as_me 1.5.7, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2696,11 +2699,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=5
-UNBOUND_VERSION_MICRO=5
+UNBOUND_VERSION_MICRO=7
LIBUNBOUND_CURRENT=5
-LIBUNBOUND_REVISION=8
+LIBUNBOUND_REVISION=10
LIBUNBOUND_AGE=3
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -2745,6 +2748,8 @@ LIBUNBOUND_AGE=3
# 1.5.3 had 5:6:3
# 1.5.4 had 5:7:3
# 1.5.5 had 5:8:3
+# 1.5.6 had 5:9:3
+# 1.5.7 had 5:10:3
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -16406,13 +16411,44 @@ $as_echo "#define HAVE_NSS 1" >>confdefs.h
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
fi
LIBS="$LIBS -lnss3 -lnspr4"
+ SSLLIB=""
+
+
+fi
+
+
+# libnettle
+USE_NETTLE="no"
+
+# Check whether --with-nettle was given.
+if test "${with_nettle+set}" = set; then :
+ withval=$with_nettle;
+ USE_NETTLE="yes"
+
+$as_echo "#define HAVE_NETTLE 1" >>confdefs.h
+
+ if test "$withval" != "" -a "$withval" != "yes"; then
+ CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
+ LDFLAGS="$LDFLAGS -L$withval/lib"
+
+ if test "x$enable_rpath" = xyes; then
+ if echo "$withval/lib" | grep "^/" >/dev/null; then
+ RUNTIME_PATH="$RUNTIME_PATH -R$withval/lib"
+ fi
+ fi
+
+ else
+ CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
+ fi
+ LIBS="$LIBS -lhogweed -lnettle -lgmp"
+ SSLLIB=""
fi
# openssl
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
# Check whether --with-ssl was given.
@@ -16581,67 +16617,6 @@ rm -f core conftest.err conftest.$ac_objext \
fi
- # openssl engine functionality needs dlopen().
- BAKLIBS="$LIBS"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
-$as_echo_n "checking for library containing dlopen... " >&6; }
-if ${ac_cv_search_dlopen+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' dl; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_dlopen=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_dlopen+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_dlopen+:} false; then :
-
-else
- ac_cv_search_dlopen=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
-$as_echo "$ac_cv_search_dlopen" >&6; }
-ac_res=$ac_cv_search_dlopen
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-fi
-
- if test "$LIBS" != "$BAKLIBS"; then
- LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
- fi
fi
for ac_header in openssl/ssl.h
do :
@@ -16779,6 +16754,7 @@ fi
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
+SSLLIB="-lssl"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
$as_echo_n "checking for LibreSSL... " >&6; }
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
@@ -16976,6 +16952,7 @@ _ACEOF
fi
+
# Check whether --enable-sha2 was given.
if test "${enable_sha2+set}" = set; then :
enableval=$enable_sha2;
@@ -16999,7 +16976,7 @@ if test "${enable_gost+set}" = set; then :
fi
use_gost="no"
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
case "$enable_gost" in
no)
;;
@@ -17152,7 +17129,7 @@ case "$enable_ecdsa" in
no)
;;
*)
- if test $USE_NSS = "no"; then
+ if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
@@ -17643,6 +17620,20 @@ fi
done
+ac_fn_c_check_decl "$LINENO" "XML_StopParser" "ac_cv_have_decl_XML_StopParser" "$ac_includes_default
+#include <expat.h>
+
+"
+if test "x$ac_cv_have_decl_XML_StopParser" = xyes; then :
+ ac_have_decl=1
+else
+ ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_XML_STOPPARSER $ac_have_decl
+_ACEOF
+
# set static linking if requested
@@ -18100,7 +18091,7 @@ if test "$ac_res" != no; then :
fi
-for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent
+for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -18221,6 +18212,48 @@ esac
fi
+# test if snprintf return the proper length
+if test "x$ac_cv_func_snprintf" = xyes; then
+ if test c${cross_compiling} = cno; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for correct snprintf return value" >&5
+$as_echo_n "checking for correct snprintf return value... " >&6; }
+ if test "$cross_compiling" = yes; then :
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot run test program while cross compiling
+See \`config.log' for more details" "$LINENO" 5; }
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+$ac_includes_default
+
+int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+$as_echo "#define SNPRINTF_RET_BROKEN /**/" >>confdefs.h
+
+ case " $LIBOBJS " in
+ *" snprintf.$ac_objext "* ) ;;
+ *) LIBOBJS="$LIBOBJS snprintf.$ac_objext"
+ ;;
+esac
+
+
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+ fi
+fi
ac_fn_c_check_func "$LINENO" "strlcat" "ac_cv_func_strlcat"
if test "x$ac_cv_func_strlcat" = xyes; then :
$as_echo "#define HAVE_STRLCAT 1" >>confdefs.h
@@ -18277,6 +18310,20 @@ esac
fi
+ac_fn_c_check_func "$LINENO" "isblank" "ac_cv_func_isblank"
+if test "x$ac_cv_func_isblank" = xyes; then :
+ $as_echo "#define HAVE_ISBLANK 1" >>confdefs.h
+
+else
+ case " $LIBOBJS " in
+ *" isblank.$ac_objext "* ) ;;
+ *) LIBOBJS="$LIBOBJS isblank.$ac_objext"
+ ;;
+esac
+
+fi
+
+
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
@@ -19017,7 +19064,7 @@ _ACEOF
-version=1.5.5
+version=1.5.7
date=`date +'%b %e, %Y'`
@@ -19532,7 +19579,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by unbound $as_me 1.5.5, which was
+This file was extended by unbound $as_me 1.5.7, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -19598,7 +19645,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-unbound config.status 1.5.5
+unbound config.status 1.5.7
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac
index 871ea7c..13d8304 100644
--- a/contrib/unbound/configure.ac
+++ b/contrib/unbound/configure.ac
@@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[5])
-m4_define([VERSION_MICRO],[5])
+m4_define([VERSION_MICRO],[7])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=5
-LIBUNBOUND_REVISION=8
+LIBUNBOUND_REVISION=10
LIBUNBOUND_AGE=3
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -62,6 +62,8 @@ LIBUNBOUND_AGE=3
# 1.5.3 had 5:6:3
# 1.5.4 had 5:7:3
# 1.5.5 had 5:8:3
+# 1.5.6 had 5:9:3
+# 1.5.7 had 5:10:3
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -561,13 +563,34 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
fi
LIBS="$LIBS -lnss3 -lnspr4"
+ SSLLIB=""
+ ]
+)
+
+# libnettle
+USE_NETTLE="no"
+AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
+ [use libnettle as crypto library, installed at path.]),
+ [
+ USE_NETTLE="yes"
+ AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
+ if test "$withval" != "" -a "$withval" != "yes"; then
+ CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
+ LDFLAGS="$LDFLAGS -L$withval/lib"
+ ACX_RUNTIME_PATH_ADD([$withval/lib])
+ else
+ CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
+ fi
+ LIBS="$LIBS -lhogweed -lnettle -lgmp"
+ SSLLIB=""
]
)
# openssl
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
ACX_WITH_SSL
ACX_LIB_SSL
+SSLLIB="-lssl"
AC_MSG_CHECKING([for LibreSSL])
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
AC_MSG_RESULT([yes])
@@ -602,6 +625,7 @@ AC_INCLUDES_DEFAULT
#include <openssl/evp.h>
])
fi
+AC_SUBST(SSLLIB)
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
@@ -713,7 +737,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
use_gost="no"
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
case "$enable_gost" in
no)
;;
@@ -727,7 +751,7 @@ case "$enable_gost" in
fi
;;
esac
-fi dnl !USE_NSS
+fi dnl !USE_NSS && !USE_NETTLE
AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
use_ecdsa="no"
@@ -735,7 +759,7 @@ case "$enable_ecdsa" in
no)
;;
*)
- if test $USE_NSS = "no"; then
+ if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
@@ -881,6 +905,9 @@ if test x_$found_libexpat != x_yes; then
AC_ERROR([Could not find libexpat, expat.h])
fi
AC_CHECK_HEADERS([expat.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_DECLS([XML_StopParser], [], [], [AC_INCLUDES_DEFAULT
+#include <expat.h>
+])
# set static linking if requested
AC_SUBST(staticexe)
@@ -985,7 +1012,7 @@ AC_INCLUDES_DEFAULT
#endif
])
AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync])
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
@@ -997,10 +1024,25 @@ AC_REPLACE_FUNCS(inet_aton)
AC_REPLACE_FUNCS(inet_pton)
AC_REPLACE_FUNCS(inet_ntop)
AC_REPLACE_FUNCS(snprintf)
+# test if snprintf return the proper length
+if test "x$ac_cv_func_snprintf" = xyes; then
+ if test c${cross_compiling} = cno; then
+ AC_MSG_CHECKING([for correct snprintf return value])
+ AC_RUN_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
+[[
+int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
+]])], [AC_MSG_RESULT(yes)], [
+ AC_MSG_RESULT(no)
+ AC_DEFINE([SNPRINTF_RET_BROKEN], [], [define if (v)snprintf does not return length needed, (but length used)])
+ AC_LIBOBJ(snprintf)
+ ])
+ fi
+fi
AC_REPLACE_FUNCS(strlcat)
AC_REPLACE_FUNCS(strlcpy)
AC_REPLACE_FUNCS(memmove)
AC_REPLACE_FUNCS(gmtime_r)
+AC_REPLACE_FUNCS(isblank)
dnl without CTIME, ARC4-functions and without reallocarray.
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
@@ -1235,7 +1277,13 @@ AHX_CONFIG_FORMAT_ATTRIBUTE
AHX_CONFIG_UNUSED_ATTRIBUTE
AHX_CONFIG_FSEEKO
AHX_CONFIG_MAXHOSTNAMELEN
-AHX_CONFIG_SNPRINTF(unbound)
+#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
+#define snprintf snprintf_unbound
+#define vsnprintf vsnprintf_unbound
+#include <stdarg.h>
+int snprintf (char *str, size_t count, const char *fmt, ...);
+int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
+#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
AHX_CONFIG_INET_PTON(unbound)
AHX_CONFIG_INET_NTOP(unbound)
AHX_CONFIG_INET_ATON(unbound)
@@ -1258,6 +1306,11 @@ AHX_MEMCMP_BROKEN(unbound)
char *ctime_r(const time_t *timep, char *buf);
#endif
+#ifndef HAVE_ISBLANK
+#define isblank unbound_isblank
+int isblank(int c);
+#endif
+
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
#define strptime unbound_strptime
struct tm;
diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c
index c16e4e5..d533e08 100644
--- a/contrib/unbound/daemon/remote.c
+++ b/contrib/unbound/daemon/remote.c
@@ -208,12 +208,14 @@ daemon_remote_create(struct config_file* cfg)
return NULL;
}
/* no SSLv2, SSLv3 because has defects */
- if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+ if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
daemon_remote_delete(rc);
return NULL;
}
- if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+ if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3){
log_crypto_err("could not set SSL_OP_NO_SSLv3");
daemon_remote_delete(rc);
return NULL;
diff --git a/contrib/unbound/daemon/unbound.c b/contrib/unbound/daemon/unbound.c
index 8e07c38..0ceee53 100644
--- a/contrib/unbound/daemon/unbound.c
+++ b/contrib/unbound/daemon/unbound.c
@@ -180,6 +180,8 @@ static void usage()
SSLeay_version(SSLEAY_VERSION)
#elif defined(HAVE_NSS)
NSS_GetVersion()
+#elif defined(HAVE_NETTLE)
+ "nettle"
#endif
);
printf("linked modules:");
@@ -450,6 +452,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
/* endpwent below, in case we need pwd for setusercontext */
}
#endif
+#ifdef UB_ON_WINDOWS
+ w_config_adjust_directory(cfg);
+#endif
/* init syslog (as root) if needed, before daemonize, otherwise
* a fork error could not be printed since daemonize closed stderr.*/
diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c
index 79aec4d..c90a659 100644
--- a/contrib/unbound/daemon/worker.c
+++ b/contrib/unbound/daemon/worker.c
@@ -866,11 +866,16 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
goto send_reply;
}
if((ret=parse_edns_from_pkt(c->buffer, &edns)) != 0) {
+ struct edns_data reply_edns;
verbose(VERB_ALGO, "worker parse edns: formerror.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
- sldns_buffer_rewind(c->buffer);
- LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+ memset(&reply_edns, 0, sizeof(reply_edns));
+ reply_edns.edns_present = 1;
+ reply_edns.udp_size = EDNS_ADVERTISED_SIZE;
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
+ error_encode(c->buffer, ret, &qinfo,
+ *(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
+ sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
server_stats_insrcode(&worker->stats, c->buffer);
goto send_reply;
}
diff --git a/contrib/unbound/dns64/dns64.c b/contrib/unbound/dns64/dns64.c
index 63cc808..0de3f66 100644
--- a/contrib/unbound/dns64/dns64.c
+++ b/contrib/unbound/dns64/dns64.c
@@ -618,8 +618,10 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
dd->rr_ttl = (time_t*)&dd->rr_data[dd->count];
for(i = 0; i < fd->count; ++i) {
if (fd->rr_len[i] != 6 || fd->rr_data[i][0] != 0
- || fd->rr_data[i][1] != 4)
+ || fd->rr_data[i][1] != 4) {
+ *dd_out = NULL;
return;
+ }
dd->rr_len[i] = 18;
dd->rr_data[i] =
(uint8_t*)&dd->rr_ttl[dd->count] + 18*i;
@@ -638,6 +640,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
*/
if(!dk) {
log_err("no key");
+ *dd_out = NULL;
return;
}
@@ -646,6 +649,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
if(!dk->rk.dname) {
log_err("out of memory");
+ *dd_out = NULL;
return;
}
diff --git a/contrib/unbound/dnstap/dnstap.proto b/contrib/unbound/dnstap/dnstap.proto
index 3504d99e..32871f4 100644
--- a/contrib/unbound/dnstap/dnstap.proto
+++ b/contrib/unbound/dnstap/dnstap.proto
@@ -105,7 +105,7 @@ message Message {
enum Type {
// AUTH_QUERY is a DNS query message received from a resolver by an
- // authoritative name server, from the perspective of the authorative
+ // authoritative name server, from the perspective of the authoritative
// name server.
AUTH_QUERY = 1;
diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog
index 3f3b245..6824b1d 100644
--- a/contrib/unbound/doc/Changelog
+++ b/contrib/unbound/doc/Changelog
@@ -1,3 +1,121 @@
+8 December 2015: Wouter
+ - Fixup 724 for unbound-control.
+
+7 December 2015: Ralph
+ - Do not minimise forwarded requests.
+
+4 December 2015: Wouter
+ - Removed unneeded whitespace from example.conf.
+
+3 December 2015: Ralph
+ - (after rc1 tag)
+ - Committed fix to qname minimisation and unit test case for it.
+
+3 December 2015: Wouter
+ - iana portlist update.
+ - 1.5.7rc1 prerelease tag.
+
+2 December 2015: Wouter
+ - Fixup 724: Fix PCA prompt for unbound-service-install.exe.
+ re-enable stdout printout.
+ - For 724: Add Changelog to windows binary dist.
+
+1 December 2015: Ralph
+ - Qname minimisation review fixes
+
+1 December 2015: Wouter
+ - Fixup 724 fix for fname_after_chroot() calls.
+ - Remove stdout printout for unbound-service-install.exe
+ - .gitignore for git users.
+
+30 November 2015: Ralph
+ - Implemented qname minimisation
+
+30 November 2015: Wouter
+ - Fix for #724: conf syntax to read files from run dir (on Windows).
+
+25 November 2015: Wouter
+ - Fix for #720, fix unbound-control-setup windows batch file.
+
+24 November 2015: Wouter
+ - Fix #720: add windows scripts to zip bundle.
+ - iana portlist update.
+
+20 November 2015: Wouter
+ - Added assert on rrset cache correctness.
+ - Fix that malformed EDNS query gets a response without malformed EDNS.
+
+18 November 2015: Wouter
+ - newer acx_nlnetlabs.m4.
+ - spelling fixes from Igor Sobrado Delgado.
+
+17 November 2015: Wouter
+ - Fix #594. libunbound: optionally use libnettle for crypto.
+ Contributed by Luca Bruno. Added --with-nettle for use with
+ --with-libunbound-only.
+ - refactor nsec3 hash implementation to be more library-portable.
+ - iana portlist update.
+ - Fixup DER encoded DSA signatures for libnettle.
+
+16 November 2015: Wouter
+ - Fix for lenient accept of reverse order DNAME and CNAME.
+
+6 November 2015: Wouter
+ - Change example.conf: ftp.internic.net to https://www.internic.net
+
+5 November 2015: Wouter
+ - ACX_SSL_CHECKS no longer adds -ldl needlessly.
+
+3 November 2015: Wouter
+ - Fix #718: Fix unbound-control-setup with support for env
+ without HEREDOC bash support.
+
+29 October 2015: Wouter
+ - patch from Doug Hogan for SSL_OP_NO_SSLvx options.
+ - Fix #716: nodata proof with empty non-terminals and wildcards.
+
+28 October 2015: Wouter
+ - Fix checklock testcode for linux threads on exit.
+
+27 October 2015: Wouter
+ - isblank() compat implementation.
+ - detect libexpat without xml_StopParser function.
+ - portability fixes.
+ - portability, replace snprintf if return value broken.
+
+23 October 2015: Wouter
+ - Fix #714: Document config to block private-address for IPv4
+ mapped IPv6 addresses.
+
+22 October 2015: Wouter
+ - Fix #712: unbound-anchor appears to not fsync root.key.
+
+20 October 2015: Wouter
+ - 1.5.6 release.
+ - trunk tracks development of 1.5.7.
+
+15 October 2015: Wouter
+ - Fix segfault in the dns64 module in the formaterror error path.
+ - Fix sldns_wire2str_rdata_scan for malformed RRs.
+ - tag for 1.5.6rc1 release.
+
+14 October 2015: Wouter
+ - ANY responses include DNAME records if present, as per Evan Hunt's
+ remark in dnsop.
+ - Fix manpage to suggest using SIGTERM to terminate the server.
+
+9 October 2015: Wouter
+ - Default for ssl-port is port 853, the temporary port assignment
+ for secure domain name system traffic.
+ If you used to rely on the older default of port 443, you have
+ to put a clause in unbound.conf for that. The new value is likely
+ going to be the standardised port number for this traffic.
+ - iana portlist update.
+
+6 October 2015: Wouter
+ - 1.5.5 release.
+ - trunk tracks the development of 1.5.6.
+
28 September 2015: Wouter
- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
failures.
@@ -731,7 +849,7 @@
existence in 4592. NSEC empty non-terminals exist and thus the
RCODE should have been NOERROR. If this occurs, and the RRsets
are secure, we set the RCODE to NOERROR and the security status
- of the reponse is also considered secure.
+ of the response is also considered secure.
14 February 2014: Wouter
- Works on Minix (3.2.1).
@@ -1503,7 +1621,7 @@
- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
- Fix warning unused in compat/strptime.c.
- - Fix malloc detection and double defintion.
+ - Fix malloc detection and double definition.
2 December 2011: Wouter
- configure generated with autoconf 2.68.
@@ -4948,7 +5066,7 @@
- Advertise builtin select libevent alternative when no libevent
is found.
- signit can generate NSEC3 hashes, for generating tests.
- - multiple nsec3 paramaters in message test.
+ - multiple nsec3 parameters in message test.
- too high nsec3 iterations becomes insecure test.
21 September 2007: Wouter
@@ -5019,7 +5137,7 @@
- testbound can replay a TCP query (set MATCH TCP in the QUERY).
- DS and noDS referral validation test.
- if you configure many trust anchors, parent trust anchors can
- securely deny existance of child trust anchors, if validated.
+ securely deny existence of child trust anchors, if validated.
- not all *.name NSECs are present because a wildcard was matched,
and *.name NSECs can prove nodata for empty nonterminals.
Also, for wildcard name NSECs, check they are not from the parent
@@ -5326,7 +5444,7 @@
17 July 2007: Wouter
- forward zone options in config file.
- - forward per zone in iterator. takes precendence over stubs.
+ - forward per zone in iterator. takes precedence over stubs.
- fixup commithooks.
- removed forward-to and forward-to-port features, subsumed by
new forward zones.
@@ -5427,7 +5545,7 @@
ldns and libevent are linked statically. Default is off.
- make install and make uninstall. Works with static-exe and without.
installation of unbound binary and manual pages.
- - alignement problem fix on solaris 64.
+ - alignment problem fix on solaris 64.
- fixup address in case of TCP error.
12 June 2007: Wouter
@@ -5510,7 +5628,7 @@
- removed FLAG_CD from message and rrset caches. This was useful for
an agnostic forwarder, but not for a sophisticated (trust value per
rrset enabled) cache.
- - iterator reponse typing.
+ - iterator response typing.
- iterator cname handle.
- iterator prime start.
- subquery work.
@@ -5530,7 +5648,7 @@
- Acknowledge use of unbound-java code in iterator. Nicer readme.
- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
rrset cache from module environment.
- - packed rrset key has type and class as easily accessable struct
+ - packed rrset key has type and class as easily accessible struct
members. They are still kept in network format for fast msg encode.
- dns cache find_delegation routine.
- iterator main functions setup.
@@ -5614,7 +5732,7 @@
- EDNS read from query, used to make reply smaller.
- advertised edns value constants.
- EDNS BADVERS response, if asked for too high edns version.
- - EDNS extended error reponses once the EDNS record from the query
+ - EDNS extended error responses once the EDNS record from the query
has successfully been parsed.
4 May 2007: Wouter
diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README
index c8bddcc..8235ea2 100644
--- a/contrib/unbound/doc/README
+++ b/contrib/unbound/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.5.5
+README for Unbound 1.5.7
Copyright 2007 NLnet Labs
http://unbound.net
diff --git a/contrib/unbound/doc/example.conf b/contrib/unbound/doc/example.conf
index 87bbebe..11c3ba9 100644
--- a/contrib/unbound/doc/example.conf
+++ b/contrib/unbound/doc/example.conf
@@ -1,14 +1,14 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.5.5.
+# See unbound.conf(5) man page, version 1.5.7.
#
# this is a comment.
#Use this to include other text into the file.
#include: "otherfile.conf"
-# The server clause sets the main parameters.
+# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.
@@ -40,7 +40,7 @@ server:
# interface: 2001:DB8::5
# enable this feature to copy the source address of queries to reply.
- # Socket options are not supported on all platforms. experimental.
+ # Socket options are not supported on all platforms. experimental.
# interface-automatic: no
# port to answer queries from
@@ -84,10 +84,10 @@ server:
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
# 0 is system default. Use 4m to handle spikes on very busy servers.
# so-sndbuf: 0
-
+
# use SO_REUSEPORT to distribute queries over threads.
# so-reuseport: no
-
+
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# ip-transparent: no
@@ -105,7 +105,7 @@ server:
# msg-buffer-size: 65552
# the amount of memory to use for the message cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
+ # plain value in bytes or you can append k, m or G. default is "4Mb".
# msg-cache-size: 4m
# the number of slabs to use for the message cache.
@@ -118,12 +118,12 @@ server:
# if very busy, 50% queries run to completion, 50% get timeout in msec
# jostle-timeout: 200
-
+
# msec to wait before close of port on timeout UDP. 0 disables.
# delay-close: 0
# the amount of memory to use for the RRset cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
+ # plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
# the number of slabs to use for the RRset cache.
@@ -145,7 +145,7 @@ server:
# the time to live (TTL) value for cached roundtrip times, lameness and
# EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
-
+
# minimum wait time for responses, increase if uplink is long. In msec.
# infra-cache-min-rtt: 50
@@ -195,8 +195,8 @@ server:
#
# If chroot is enabled, you should pass the configfile (from the
# commandline) as a full path from the original root. After the
- # chroot has been performed the now defunct portion of the config
- # file path is removed to be able to reread the config after a reload.
+ # chroot has been performed the now defunct portion of the config
+ # file path is removed to be able to reread the config after a reload.
#
# All other file paths (working dir, logfile, roothints, and
# key files) can be specified in several ways:
@@ -205,7 +205,7 @@ server:
# o as an absolute path relative to the original root.
# In the last case the path is adjusted to remove the unused portion.
#
- # The pid file can be absolute and outside of the chroot, it is
+ # The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/random (for entropy).
@@ -219,22 +219,22 @@ server:
# If you give "" no privileges are dropped.
# username: "unbound"
- # the working directory. The relative files in this config are
+ # the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
# directory: "/var/unbound"
- # the log file, "" means log to stderr.
+ # the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
# logfile: ""
- # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
+ # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to, with identity "unbound". If yes, it overrides the logfile.
- # use-syslog: yes
+ # use-syslog: yes
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
# log-time-ascii: no
-
+
# print one line with time, IP, name, type, class for every query.
# log-queries: no
@@ -242,7 +242,7 @@ server:
# pidfile: "/var/unbound/unbound.pid"
# file to read root hints from.
- # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+ # get one from https://www.internic.net/domain/named.cache
# root-hints: ""
# enable to not answer id.server and hostname.bind queries.
@@ -258,8 +258,8 @@ server:
# version: ""
# the target fetch policy.
- # series of integers describing the policy per dependency depth.
- # The number of values in the list determines the maximum dependency
+ # series of integers describing the policy per dependency depth.
+ # The number of values in the list determines the maximum dependency
# depth the recursor will pursue before giving up. Each integer means:
# -1 : fetch all targets opportunistically,
# 0: fetch on demand,
@@ -267,17 +267,17 @@ server:
# Enclose the list of numbers between quotes ("").
# target-fetch-policy: "3 2 1 0 0"
- # Harden against very small EDNS buffer sizes.
+ # Harden against very small EDNS buffer sizes.
# harden-short-bufsize: no
# Harden against unseemly large queries.
# harden-large-queries: no
- # Harden against out of zone rrsets, to avoid spoofing attempts.
+ # Harden against out of zone rrsets, to avoid spoofing attempts.
# harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
- # off, failing to validate dnskey data for a trustanchor will
+ # off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
# harden-dnssec-stripped: yes
@@ -287,7 +287,7 @@ server:
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
- # Default off, because the lookups burden the server. Experimental
+ # Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
# harden-referral-path: no
@@ -296,18 +296,23 @@ server:
# to validate the zone.
# harden-algo-downgrade: no
+ # Sent minimum amount of information to upstream servers to enhance
+ # privacy. Only sent minimum required labels of the QNAME and set QTYPE
+ # to NS when possible.
+ # qname-minimisation: no
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
-
+
# Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
- # Enforce privacy of these addresses. Strips them away from answers.
- # It may cause DNSSEC validation to additionally mark it as bogus.
- # Protects against 'DNS Rebinding' (uses browser as network proxy).
- # Only 'private-domain' and 'local-data' names are allowed to have
+ # Enforce privacy of these addresses. Strips them away from answers.
+ # It may cause DNSSEC validation to additionally mark it as bogus.
+ # Protects against 'DNS Rebinding' (uses browser as network proxy).
+ # Only 'private-domain' and 'local-data' names are allowed to have
# these private addresses. No default.
# private-address: 10.0.0.0/8
# private-address: 172.16.0.0/12
@@ -315,6 +320,7 @@ server:
# private-address: 169.254.0.0/16
# private-address: fd00::/8
# private-address: fe80::/10
+ # private-address: ::ffff:0:0/96
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
@@ -373,7 +379,7 @@ server:
# Zone file format, with DS and DNSKEY entries.
# Note this gets out of date, use auto-trust-anchor-file please.
# trust-anchor-file: ""
-
+
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# Note this gets out of date, use auto-trust-anchor-file please.
@@ -383,7 +389,7 @@ server:
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry. Like trust-anchor-file
- # but has a different file format. Format is BIND-9 style format,
+ # but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
@@ -408,7 +414,7 @@ server:
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
- # potential bogus data in the additional section. All unsigned data
+ # potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
# val-clean-additional: yes
@@ -433,7 +439,7 @@ server:
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
-
+
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
# add-holddown: 2592000 # 30 days
@@ -448,7 +454,7 @@ server:
# permit-small-holddown: no
# the amount of memory to use for the key cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
+ # plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
# the number of slabs to use for the key cache.
@@ -457,7 +463,7 @@ server:
# key-cache-slabs: 4
# the amount of memory to use for the negative cache (used for DLV).
- # plain value in bytes or you can append k, m or G. default is "1Mb".
+ # plain value in bytes or you can append k, m or G. default is "1Mb".
# neg-cache-size: 1m
# By default, for a number of zones a small default 'nothing here'
@@ -501,7 +507,7 @@ server:
# local-zone: "b.e.f.ip6.arpa." nodefault
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
-
+
# if unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
@@ -512,7 +518,7 @@ server:
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
# local-data: "<resource record string>"
- # o deny serves local data (if any), else, drops queries.
+ # o deny serves local data (if any), else, drops queries.
# o refuse serves local data (if any), else, replies with error.
# o static serves local data, else, nxdomain or nodata answer.
# o transparent gives local data, but resolves normally for other names
@@ -525,7 +531,7 @@ server:
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
# the default content is omitted, or you can omit it with 'nodefault'.
- #
+ #
# If you configure local-data without specifying local-zone, by
# default a transparent local-zone is created for the data.
#
@@ -552,7 +558,7 @@ server:
# default is "" (disabled). requires restart to take effect.
# ssl-service-key: "path/to/privatekeyfile.key"
# ssl-service-pem: "path/to/publiccertfile.pem"
- # ssl-port: 443
+ # ssl-port: 853
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
@@ -571,7 +577,7 @@ server:
# ratelimit-size: 4m
# ratelimit cache slabs, reduces lock contention if equal to cpucount.
# ratelimit-slabs: 4
-
+
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10
@@ -590,7 +596,7 @@ python:
# Script file to load
# python-script: "/var/unbound/ubmodule-tst.py"
-# Remote control config section.
+# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
@@ -621,9 +627,9 @@ remote-control:
# control-cert-file: "/var/unbound/unbound_control.pem"
# Stub zones.
-# Create entries like below, to make all queries for 'example.com' and
-# 'example.org' go to the given list of nameservers. list zero or more
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
# With stub-first yes, it attempts without the stub if it fails.
# Consider adding domain-insecure: name and local-zone: name nodefault
diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in
index 399aa80..ff90e3b 100644
--- a/contrib/unbound/doc/example.conf.in
+++ b/contrib/unbound/doc/example.conf.in
@@ -1,14 +1,14 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.5.5.
+# See unbound.conf(5) man page, version 1.5.7.
#
# this is a comment.
#Use this to include other text into the file.
#include: "otherfile.conf"
-# The server clause sets the main parameters.
+# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.
@@ -40,7 +40,7 @@ server:
# interface: 2001:DB8::5
# enable this feature to copy the source address of queries to reply.
- # Socket options are not supported on all platforms. experimental.
+ # Socket options are not supported on all platforms. experimental.
# interface-automatic: no
# port to answer queries from
@@ -84,10 +84,10 @@ server:
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
# 0 is system default. Use 4m to handle spikes on very busy servers.
# so-sndbuf: 0
-
+
# use SO_REUSEPORT to distribute queries over threads.
# so-reuseport: no
-
+
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# ip-transparent: no
@@ -105,7 +105,7 @@ server:
# msg-buffer-size: 65552
# the amount of memory to use for the message cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
+ # plain value in bytes or you can append k, m or G. default is "4Mb".
# msg-cache-size: 4m
# the number of slabs to use for the message cache.
@@ -118,12 +118,12 @@ server:
# if very busy, 50% queries run to completion, 50% get timeout in msec
# jostle-timeout: 200
-
+
# msec to wait before close of port on timeout UDP. 0 disables.
# delay-close: 0
# the amount of memory to use for the RRset cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
+ # plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
# the number of slabs to use for the RRset cache.
@@ -145,7 +145,7 @@ server:
# the time to live (TTL) value for cached roundtrip times, lameness and
# EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
-
+
# minimum wait time for responses, increase if uplink is long. In msec.
# infra-cache-min-rtt: 50
@@ -195,8 +195,8 @@ server:
#
# If chroot is enabled, you should pass the configfile (from the
# commandline) as a full path from the original root. After the
- # chroot has been performed the now defunct portion of the config
- # file path is removed to be able to reread the config after a reload.
+ # chroot has been performed the now defunct portion of the config
+ # file path is removed to be able to reread the config after a reload.
#
# All other file paths (working dir, logfile, roothints, and
# key files) can be specified in several ways:
@@ -205,7 +205,7 @@ server:
# o as an absolute path relative to the original root.
# In the last case the path is adjusted to remove the unused portion.
#
- # The pid file can be absolute and outside of the chroot, it is
+ # The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/random (for entropy).
@@ -219,22 +219,22 @@ server:
# If you give "" no privileges are dropped.
# username: "@UNBOUND_USERNAME@"
- # the working directory. The relative files in this config are
+ # the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
# directory: "@UNBOUND_RUN_DIR@"
- # the log file, "" means log to stderr.
+ # the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
# logfile: ""
- # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
+ # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to, with identity "unbound". If yes, it overrides the logfile.
- # use-syslog: yes
+ # use-syslog: yes
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
# log-time-ascii: no
-
+
# print one line with time, IP, name, type, class for every query.
# log-queries: no
@@ -242,7 +242,7 @@ server:
# pidfile: "@UNBOUND_PIDFILE@"
# file to read root hints from.
- # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+ # get one from https://www.internic.net/domain/named.cache
# root-hints: ""
# enable to not answer id.server and hostname.bind queries.
@@ -258,8 +258,8 @@ server:
# version: ""
# the target fetch policy.
- # series of integers describing the policy per dependency depth.
- # The number of values in the list determines the maximum dependency
+ # series of integers describing the policy per dependency depth.
+ # The number of values in the list determines the maximum dependency
# depth the recursor will pursue before giving up. Each integer means:
# -1 : fetch all targets opportunistically,
# 0: fetch on demand,
@@ -267,17 +267,17 @@ server:
# Enclose the list of numbers between quotes ("").
# target-fetch-policy: "3 2 1 0 0"
- # Harden against very small EDNS buffer sizes.
+ # Harden against very small EDNS buffer sizes.
# harden-short-bufsize: no
# Harden against unseemly large queries.
# harden-large-queries: no
- # Harden against out of zone rrsets, to avoid spoofing attempts.
+ # Harden against out of zone rrsets, to avoid spoofing attempts.
# harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
- # off, failing to validate dnskey data for a trustanchor will
+ # off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
# harden-dnssec-stripped: yes
@@ -287,7 +287,7 @@ server:
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
- # Default off, because the lookups burden the server. Experimental
+ # Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
# harden-referral-path: no
@@ -296,18 +296,23 @@ server:
# to validate the zone.
# harden-algo-downgrade: no
+ # Sent minimum amount of information to upstream servers to enhance
+ # privacy. Only sent minimum required labels of the QNAME and set QTYPE
+ # to NS when possible.
+ # qname-minimisation: no
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
-
+
# Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
- # Enforce privacy of these addresses. Strips them away from answers.
- # It may cause DNSSEC validation to additionally mark it as bogus.
- # Protects against 'DNS Rebinding' (uses browser as network proxy).
- # Only 'private-domain' and 'local-data' names are allowed to have
+ # Enforce privacy of these addresses. Strips them away from answers.
+ # It may cause DNSSEC validation to additionally mark it as bogus.
+ # Protects against 'DNS Rebinding' (uses browser as network proxy).
+ # Only 'private-domain' and 'local-data' names are allowed to have
# these private addresses. No default.
# private-address: 10.0.0.0/8
# private-address: 172.16.0.0/12
@@ -315,6 +320,7 @@ server:
# private-address: 169.254.0.0/16
# private-address: fd00::/8
# private-address: fe80::/10
+ # private-address: ::ffff:0:0/96
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
@@ -373,7 +379,7 @@ server:
# Zone file format, with DS and DNSKEY entries.
# Note this gets out of date, use auto-trust-anchor-file please.
# trust-anchor-file: ""
-
+
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# Note this gets out of date, use auto-trust-anchor-file please.
@@ -383,7 +389,7 @@ server:
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry. Like trust-anchor-file
- # but has a different file format. Format is BIND-9 style format,
+ # but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
@@ -408,7 +414,7 @@ server:
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
- # potential bogus data in the additional section. All unsigned data
+ # potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
# val-clean-additional: yes
@@ -433,7 +439,7 @@ server:
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
-
+
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
# add-holddown: 2592000 # 30 days
@@ -448,7 +454,7 @@ server:
# permit-small-holddown: no
# the amount of memory to use for the key cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
+ # plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
# the number of slabs to use for the key cache.
@@ -457,7 +463,7 @@ server:
# key-cache-slabs: 4
# the amount of memory to use for the negative cache (used for DLV).
- # plain value in bytes or you can append k, m or G. default is "1Mb".
+ # plain value in bytes or you can append k, m or G. default is "1Mb".
# neg-cache-size: 1m
# By default, for a number of zones a small default 'nothing here'
@@ -501,7 +507,7 @@ server:
# local-zone: "b.e.f.ip6.arpa." nodefault
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
-
+
# if unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
@@ -512,7 +518,7 @@ server:
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
# local-data: "<resource record string>"
- # o deny serves local data (if any), else, drops queries.
+ # o deny serves local data (if any), else, drops queries.
# o refuse serves local data (if any), else, replies with error.
# o static serves local data, else, nxdomain or nodata answer.
# o transparent gives local data, but resolves normally for other names
@@ -525,7 +531,7 @@ server:
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
# the default content is omitted, or you can omit it with 'nodefault'.
- #
+ #
# If you configure local-data without specifying local-zone, by
# default a transparent local-zone is created for the data.
#
@@ -552,7 +558,7 @@ server:
# default is "" (disabled). requires restart to take effect.
# ssl-service-key: "path/to/privatekeyfile.key"
# ssl-service-pem: "path/to/publiccertfile.pem"
- # ssl-port: 443
+ # ssl-port: 853
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
@@ -571,7 +577,7 @@ server:
# ratelimit-size: 4m
# ratelimit cache slabs, reduces lock contention if equal to cpucount.
# ratelimit-slabs: 4
-
+
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10
@@ -590,7 +596,7 @@ python:
# Script file to load
# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
-# Remote control config section.
+# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
@@ -621,9 +627,9 @@ remote-control:
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
# Stub zones.
-# Create entries like below, to make all queries for 'example.com' and
-# 'example.org' go to the given list of nameservers. list zero or more
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
# With stub-first yes, it attempts without the stub if it fails.
# Consider adding domain-insecure: name and local-zone: name nodefault
diff --git a/contrib/unbound/doc/libunbound.3 b/contrib/unbound/doc/libunbound.3
index 9ef367f..d299330 100644
--- a/contrib/unbound/doc/libunbound.3
+++ b/contrib/unbound/doc/libunbound.3
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "libunbound" "3" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -42,7 +42,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.5 functions.
+\- Unbound DNS validating resolver 1.5.7 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in
index 9ef367f..d299330 100644
--- a/contrib/unbound/doc/libunbound.3.in
+++ b/contrib/unbound/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "libunbound" "3" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -42,7 +42,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.5 functions.
+\- Unbound DNS validating resolver 1.5.7 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
diff --git a/contrib/unbound/doc/unbound-anchor.8 b/contrib/unbound/doc/unbound-anchor.8
index 7fbb0a7..5200d18 100644
--- a/contrib/unbound/doc/unbound-anchor.8
+++ b/contrib/unbound/doc/unbound-anchor.8
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-anchor" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in
index e89be5b..e5e6364 100644
--- a/contrib/unbound/doc/unbound-anchor.8.in
+++ b/contrib/unbound/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-anchor" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8 b/contrib/unbound/doc/unbound-checkconf.8
index eaa406b..19ecb1e 100644
--- a/contrib/unbound/doc/unbound-checkconf.8
+++ b/contrib/unbound/doc/unbound-checkconf.8
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in
index 234a04a..2d3c4ae 100644
--- a/contrib/unbound/doc/unbound-checkconf.8.in
+++ b/contrib/unbound/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/contrib/unbound/doc/unbound-control.8 b/contrib/unbound/doc/unbound-control.8
index 5de37cf..e1fa36ab 100644
--- a/contrib/unbound/doc/unbound-control.8
+++ b/contrib/unbound/doc/unbound-control.8
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-control" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@@ -169,7 +169,7 @@ therefore not flushed. The option must end with a ':' and whitespace
must be between the option and the value. Some values may not have an
effect if set this way, the new values are not written to the config file,
not all options are supported. This is different from the set_option call
-in libunbound, where all values work because unbound has not been inited.
+in libunbound, where all values work because unbound has not been initialized.
.IP
The values that work are: statistics\-interval, statistics\-cumulative,
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in
index eefd207..57742ae 100644
--- a/contrib/unbound/doc/unbound-control.8.in
+++ b/contrib/unbound/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-control" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@@ -169,7 +169,7 @@ therefore not flushed. The option must end with a ':' and whitespace
must be between the option and the value. Some values may not have an
effect if set this way, the new values are not written to the config file,
not all options are supported. This is different from the set_option call
-in libunbound, where all values work because unbound has not been inited.
+in libunbound, where all values work because unbound has not been initialized.
.IP
The values that work are: statistics\-interval, statistics\-cumulative,
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
diff --git a/contrib/unbound/doc/unbound-host.1 b/contrib/unbound/doc/unbound-host.1
index d600ee6..70b697f 100644
--- a/contrib/unbound/doc/unbound-host.1
+++ b/contrib/unbound/doc/unbound-host.1
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound\-host" "1" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in
index a4742d7..eeb25f0 100644
--- a/contrib/unbound/doc/unbound-host.1.in
+++ b/contrib/unbound/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound\-host" "1" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/contrib/unbound/doc/unbound.8 b/contrib/unbound/doc/unbound.8
index 3935e61..86fcb59 100644
--- a/contrib/unbound/doc/unbound.8
+++ b/contrib/unbound/doc/unbound.8
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.5.5.
+\- Unbound DNS validating resolver 1.5.7.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in
index df9baa0..ed139a7 100644
--- a/contrib/unbound/doc/unbound.8.in
+++ b/contrib/unbound/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.5.5.
+\- Unbound DNS validating resolver 1.5.7.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5
index 990a0a6..16155de 100644
--- a/contrib/unbound/doc/unbound.conf.5
+++ b/contrib/unbound/doc/unbound.conf.5
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound.conf" "5" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service. Default is "",
turned off.
.TP
.B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 443, only
+The port number on which to provide TCP SSL service, default 853, only
interfaces configured with that port number as @number get the SSL service.
.TP
.B do\-daemonize: \fI<yes or no>
@@ -444,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
.TP
.B directory: \fI<directory>
Sets the working directory for the program. Default is "/var/unbound".
+On Windows the string "%EXECUTABLE%" tries to change to the directory
+that unbound.exe resides in.
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
@@ -585,23 +587,30 @@ queries. For domains that do not support 0x20 and also fail with fallback
because they keep sending different answers, like some load balancers.
Can be given multiple times, for different domains.
.TP
+.B qname\-minimisation: \fI<yes or no>
+Send minimum amount of information to upstream servers to enhance privacy.
+Only sent minimum required labels of the QNAME and set QTYPE to NS when
+possible. Best effort approach, full QNAME and original QTYPE will be sent when
+upstream replies with a RCODE other than NOERROR. Default is off.
+.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for public
-internet names. Any occurence of such addresses are removed from
-DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so\-called DNS Rebinding, where a user browser
-is turned into a network proxy, allowing remote access through the browser
-to other parts of your private network. Some names can be allowed to
-contain your private addresses, by default all the \fBlocal\-data\fR
-that you configured is allowed to, and you can specify additional
-names using \fBprivate\-domain\fR. No private addresses are enabled
-by default. We consider to enable this for the RFC1918 private IP
-address space by default in later releases. That would enable private
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
-fd00::/8 and fe80::/10, since the RFC standards say these addresses
-should not be visible on the public internet. Turning on 127.0.0.0/8
-would hinder many spamblocklists as they use that.
+on your private network, and are not allowed to be returned for
+public internet names. Any occurrence of such addresses are removed
+from DNS answers. Additionally, the DNSSEC validator may mark the
+answers bogus. This protects against so\-called DNS Rebinding, where
+a user browser is turned into a network proxy, allowing remote access
+through the browser to other parts of your private network. Some names
+can be allowed to contain your private addresses, by default all the
+\fBlocal\-data\fR that you configured is allowed to, and you can specify
+additional names using \fBprivate\-domain\fR. No private addresses are
+enabled by default. We consider to enable this for the RFC1918 private
+IP address space by default in later releases. That would enable private
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
+should not be visible on the public internet. Turning on 127.0.0.0/8
+would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96
+stops IPv4-mapped IPv6 addresses from bypassing the filter.
.TP
.B private\-domain: \fI<domain name>
Allow this domain, and all its subdomains to contain private addresses.
@@ -746,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
messages that are not signed properly. Messages that are insecure, bogus,
indeterminate or unchecked are not affected. Default is yes. Use this setting
to protect the users that rely on this validator for authentication from
-protentially bad data in the additional section.
+potentially bad data in the additional section.
.TP
.B val\-log\-level: \fI<number>
Have the validator print validation failures to the log. Regardless of
@@ -1033,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
exceeded. If set to another value, 1 in that number is allowed through
to complete. Default is 10, allowing 1/10 traffic to flow normally.
This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigiting the traffic flow by the
+and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B ratelimit\-for\-domain: \fI<domain> <number qps>
diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in
index 42653a5..51f7c4e 100644
--- a/contrib/unbound/doc/unbound.conf.5.in
+++ b/contrib/unbound/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound.conf" "5" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service. Default is "",
turned off.
.TP
.B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 443, only
+The port number on which to provide TCP SSL service, default 853, only
interfaces configured with that port number as @number get the SSL service.
.TP
.B do\-daemonize: \fI<yes or no>
@@ -444,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
.TP
.B directory: \fI<directory>
Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
+On Windows the string "%EXECUTABLE%" tries to change to the directory
+that unbound.exe resides in.
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
@@ -585,23 +587,30 @@ queries. For domains that do not support 0x20 and also fail with fallback
because they keep sending different answers, like some load balancers.
Can be given multiple times, for different domains.
.TP
+.B qname\-minimisation: \fI<yes or no>
+Send minimum amount of information to upstream servers to enhance privacy.
+Only sent minimum required labels of the QNAME and set QTYPE to NS when
+possible. Best effort approach, full QNAME and original QTYPE will be sent when
+upstream replies with a RCODE other than NOERROR. Default is off.
+.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for public
-internet names. Any occurence of such addresses are removed from
-DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so\-called DNS Rebinding, where a user browser
-is turned into a network proxy, allowing remote access through the browser
-to other parts of your private network. Some names can be allowed to
-contain your private addresses, by default all the \fBlocal\-data\fR
-that you configured is allowed to, and you can specify additional
-names using \fBprivate\-domain\fR. No private addresses are enabled
-by default. We consider to enable this for the RFC1918 private IP
-address space by default in later releases. That would enable private
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
-fd00::/8 and fe80::/10, since the RFC standards say these addresses
-should not be visible on the public internet. Turning on 127.0.0.0/8
-would hinder many spamblocklists as they use that.
+on your private network, and are not allowed to be returned for
+public internet names. Any occurrence of such addresses are removed
+from DNS answers. Additionally, the DNSSEC validator may mark the
+answers bogus. This protects against so\-called DNS Rebinding, where
+a user browser is turned into a network proxy, allowing remote access
+through the browser to other parts of your private network. Some names
+can be allowed to contain your private addresses, by default all the
+\fBlocal\-data\fR that you configured is allowed to, and you can specify
+additional names using \fBprivate\-domain\fR. No private addresses are
+enabled by default. We consider to enable this for the RFC1918 private
+IP address space by default in later releases. That would enable private
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
+should not be visible on the public internet. Turning on 127.0.0.0/8
+would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96
+stops IPv4-mapped IPv6 addresses from bypassing the filter.
.TP
.B private\-domain: \fI<domain name>
Allow this domain, and all its subdomains to contain private addresses.
@@ -746,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
messages that are not signed properly. Messages that are insecure, bogus,
indeterminate or unchecked are not affected. Default is yes. Use this setting
to protect the users that rely on this validator for authentication from
-protentially bad data in the additional section.
+potentially bad data in the additional section.
.TP
.B val\-log\-level: \fI<number>
Have the validator print validation failures to the log. Regardless of
@@ -1033,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
exceeded. If set to another value, 1 in that number is allowed through
to complete. Default is 10, allowing 1/10 traffic to flow normally.
This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigiting the traffic flow by the
+and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B ratelimit\-for\-domain: \fI<domain> <number qps>
diff --git a/contrib/unbound/freebsd-configure.sh b/contrib/unbound/freebsd-configure.sh
index c8852e7..e698878 100755
--- a/contrib/unbound/freebsd-configure.sh
+++ b/contrib/unbound/freebsd-configure.sh
@@ -24,6 +24,9 @@ ldnsobj=$(realpath $(make -C$ldnsbld -V.OBJDIR))
[ -f $ldnsobj/libldns.a ] || error "can't find LDNS object directory"
export LDFLAGS="-L$ldnsobj"
+export CC=$(echo ".include <bsd.lib.mk>" | make -f /dev/stdin -VCC)
+export CPP=$(echo ".include <bsd.lib.mk>" | make -f /dev/stdin -VCPP)
+
autoconf
autoheader
./configure \
diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iterator/iter_scrub.c
index cc05867..8a3fc17 100644
--- a/contrib/unbound/iterator/iter_scrub.c
+++ b/contrib/unbound/iterator/iter_scrub.c
@@ -405,7 +405,43 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
/* Follow the CNAME chain. */
if(rrset->type == LDNS_RR_TYPE_CNAME) {
+ struct rrset_parse* nx = rrset->rrset_all_next;
uint8_t* oldsname = sname;
+ /* see if the next one is a DNAME, if so, swap them */
+ if(nx && nx->section == LDNS_SECTION_ANSWER &&
+ nx->type == LDNS_RR_TYPE_DNAME &&
+ nx->rr_count == 1 &&
+ pkt_strict_sub(pkt, sname, nx->dname)) {
+ /* there is a DNAME after this CNAME, it
+ * is in the ANSWER section, and the DNAME
+ * applies to the name we cover */
+ /* check if the alias of the DNAME equals
+ * this CNAME */
+ uint8_t alias[LDNS_MAX_DOMAINLEN+1];
+ size_t aliaslen = 0;
+ uint8_t* t = NULL;
+ size_t tlen = 0;
+ if(synth_cname(sname, snamelen, nx, alias,
+ &aliaslen, pkt) &&
+ parse_get_cname_target(rrset, &t, &tlen) &&
+ dname_pkt_compare(pkt, alias, t) == 0) {
+ /* the synthesized CNAME equals the
+ * current CNAME. This CNAME is the
+ * one that the DNAME creates, and this
+ * CNAME is better capitalised */
+ verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME");
+ if(prev) prev->rrset_all_next = nx;
+ else msg->rrset_first = nx;
+ if(nx->rrset_all_next == NULL)
+ msg->rrset_last = rrset;
+ rrset->rrset_all_next =
+ nx->rrset_all_next;
+ nx->rrset_all_next = rrset;
+ prev = nx;
+ }
+ }
+
+ /* move to next name in CNAME chain */
if(!parse_get_cname_target(rrset, &sname, &snamelen))
return 0;
prev = rrset;
@@ -638,7 +674,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
* children of the originating zone. The idea here is that,
* as far as we know, the server that we contacted is ONLY
* authoritative for the originating zone. It, of course, MAY
- * be authoriative for any other zones, and of course, MAY
+ * be authoritative for any other zones, and of course, MAY
* NOT be authoritative for some subdomains of the originating
* zone. */
prev = NULL;
diff --git a/contrib/unbound/iterator/iter_utils.c b/contrib/unbound/iterator/iter_utils.c
index bc94ef6..58e62fb 100644
--- a/contrib/unbound/iterator/iter_utils.c
+++ b/contrib/unbound/iterator/iter_utils.c
@@ -255,7 +255,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
return -1; /* server is lame */
else if(rtt >= USEFUL_SERVER_TOP_TIMEOUT)
/* server is unresponsive,
- * we used to return TOP_TIMOUT, but fairly useless,
+ * we used to return TOP_TIMEOUT, but fairly useless,
* because if == TOP_TIMEOUT is dropped because
* blacklisted later, instead, remove it here, so
* other choices (that are not blacklisted) can be
@@ -306,7 +306,7 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
return got_it;
}
-/** filter the addres list, putting best targets at front,
+/** filter the address list, putting best targets at front,
* returns number of best targets (or 0, no suitable targets) */
static int
iter_filter_order(struct iter_env* iter_env, struct module_env* env,
diff --git a/contrib/unbound/iterator/iterator.c b/contrib/unbound/iterator/iterator.c
index 96918fa..b1bf902 100644
--- a/contrib/unbound/iterator/iterator.c
+++ b/contrib/unbound/iterator/iterator.c
@@ -64,6 +64,7 @@
#include "util/random.h"
#include "sldns/rrdef.h"
#include "sldns/wire2str.h"
+#include "sldns/str2wire.h"
#include "sldns/parseutil.h"
#include "sldns/sbuffer.h"
@@ -81,6 +82,21 @@ iter_init(struct module_env* env, int id)
log_err("iterator: could not apply configuration settings.");
return 0;
}
+ if(env->cfg->qname_minimisation) {
+ uint8_t dname[LDNS_MAX_DOMAINLEN+1];
+ size_t len = sizeof(dname);
+ if(sldns_str2wire_dname_buf("ip6.arpa.", dname, &len) != 0) {
+ log_err("ip6.arpa. parse error");
+ return 0;
+ }
+ iter_env->ip6arpa_dname = (uint8_t*)malloc(len);
+ if(!iter_env->ip6arpa_dname) {
+ log_err("malloc failure");
+ return 0;
+ }
+ memcpy(iter_env->ip6arpa_dname, dname, len);
+ }
+
return 1;
}
@@ -101,6 +117,7 @@ iter_deinit(struct module_env* env, int id)
if(!env || !env->modinfo[id])
return;
iter_env = (struct iter_env*)env->modinfo[id];
+ free(iter_env->ip6arpa_dname);
free(iter_env->target_fetch_policy);
priv_delete(iter_env->priv);
donotq_delete(iter_env->donotq);
@@ -145,6 +162,12 @@ iter_new(struct module_qstate* qstate, int id)
/* Start with the (current) qname. */
iq->qchase = qstate->qinfo;
outbound_list_init(&iq->outlist);
+ if (qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = INIT_MINIMISE_STATE;
+ else
+ iq->minimisation_state = DONOT_MINIMISE_STATE;
+
+ memset(&iq->qinfo_out, 0, sizeof(struct query_info));
return 1;
}
@@ -176,7 +199,7 @@ next_state(struct iter_qstate* iq, enum iter_state nextstate)
/**
* Transition an event to its final state. Final states always either return
* a result up the module chain, or reactivate a dependent event. Which
- * final state to transtion to is set in the module state for the event when
+ * final state to transition to is set in the module state for the event when
* it was created, and depends on the original purpose of the event.
*
* The response is stored in the qstate->buf buffer.
@@ -506,7 +529,7 @@ target_count_increase(struct iter_qstate* iq, int num)
/**
* Generate a subrequest.
* Generate a local request event. Local events are tied to this module, and
- * have a correponding (first tier) event that is waiting for this event to
+ * have a corresponding (first tier) event that is waiting for this event to
* resolve to continue.
*
* @param qname The query name for this request.
@@ -590,6 +613,11 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
subiq->qchase = subq->qinfo;
subiq->chase_flags = subq->query_flags;
subiq->refetch_glue = 0;
+ if(qstate->env->cfg->qname_minimisation)
+ subiq->minimisation_state = INIT_MINIMISE_STATE;
+ else
+ subiq->minimisation_state = DONOT_MINIMISE_STATE;
+ memset(&subiq->qinfo_out, 0, sizeof(struct query_info));
}
return 1;
}
@@ -1042,6 +1070,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
iq->query_restart_count++;
iq->sent_count = 0;
sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
+ if(qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = INIT_MINIMISE_STATE;
return next_state(iq, INIT_REQUEST_STATE);
}
@@ -1062,6 +1092,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
iq->refetch_glue = 0;
+ iq->minimisation_state = DONOT_MINIMISE_STATE;
/* the request has been forwarded.
* forwarded requests need to be immediately sent to the
* next state, QUERYTARGETS. */
@@ -1599,6 +1630,8 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
iq->refetch_glue = 1;
iq->query_restart_count++;
iq->sent_count = 0;
+ if(qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = INIT_MINIMISE_STATE;
return next_state(iq, INIT_REQUEST_STATE);
}
}
@@ -1975,9 +2008,78 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
}
+ if(iq->minimisation_state == INIT_MINIMISE_STATE) {
+ /* (Re)set qinfo_out to (new) delegation point, except
+ * when qinfo_out is already a subdomain of dp. This happens
+ * when resolving ip6.arpa dnames. */
+ if(!(iq->qinfo_out.qname_len
+ && dname_subdomain_c(iq->qchase.qname,
+ iq->qinfo_out.qname)
+ && dname_subdomain_c(iq->qinfo_out.qname,
+ iq->dp->name))) {
+ iq->qinfo_out.qname = iq->dp->name;
+ iq->qinfo_out.qname_len = iq->dp->namelen;
+ iq->qinfo_out.qtype = LDNS_RR_TYPE_NS;
+ iq->qinfo_out.qclass = iq->qchase.qclass;
+ }
+
+ iq->minimisation_state = MINIMISE_STATE;
+ }
+ if(iq->minimisation_state == MINIMISE_STATE) {
+ int labdiff = dname_count_labels(iq->qchase.qname) -
+ dname_count_labels(iq->qinfo_out.qname);
+
+ iq->qinfo_out.qname = iq->qchase.qname;
+ iq->qinfo_out.qname_len = iq->qchase.qname_len;
+
+ /* Special treatment for ip6.arpa lookups.
+ * Reverse IPv6 dname has 34 labels, increment the IP part
+ * (usually first 32 labels) by 8 labels (7 more than the
+ * default 1 label increment). */
+ if(labdiff <= 32 &&
+ dname_subdomain_c(iq->qchase.qname, ie->ip6arpa_dname)) {
+ labdiff -= 7;
+ /* Small chance of zone cut after first label. Stop
+ * minimising */
+ if(labdiff <= 1)
+ labdiff = 0;
+ }
+
+ if(labdiff > 1) {
+ verbose(VERB_QUERY, "removing %d labels", labdiff-1);
+ dname_remove_labels(&iq->qinfo_out.qname,
+ &iq->qinfo_out.qname_len,
+ labdiff-1);
+ }
+ if(labdiff < 1 ||
+ (labdiff < 2 && iq->qchase.qtype == LDNS_RR_TYPE_DS))
+ /* Stop minimising this query, resolve "as usual" */
+ iq->minimisation_state = DONOT_MINIMISE_STATE;
+ else {
+ struct dns_msg* msg = dns_cache_lookup(qstate->env,
+ iq->qinfo_out.qname, iq->qinfo_out.qname_len,
+ iq->qinfo_out.qtype, iq->qinfo_out.qclass,
+ qstate->query_flags, qstate->region,
+ qstate->env->scratch);
+ if(msg && msg->rep->an_numrrsets == 0
+ && FLAGS_GET_RCODE(msg->rep->flags) ==
+ LDNS_RCODE_NOERROR)
+ /* no need to send query if it is already
+ * cached as NOERROR/NODATA */
+ return 1;
+ }
+
+ }
+ if(iq->minimisation_state == SKIP_MINIMISE_STATE)
+ /* Do not increment qname, continue incrementing next
+ * iteration */
+ iq->minimisation_state = MINIMISE_STATE;
+ if(iq->minimisation_state == DONOT_MINIMISE_STATE)
+ iq->qinfo_out = iq->qchase;
+
/* We have a valid target. */
if(verbosity >= VERB_QUERY) {
- log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
+ log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out);
log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
&target->addr, target->addrlen);
verbose(VERB_ALGO, "dnssec status: %s%s",
@@ -1986,8 +2088,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
outq = (*qstate->env->send_query)(
- iq->qchase.qname, iq->qchase.qname_len,
- iq->qchase.qtype, iq->qchase.qclass,
+ iq->qinfo_out.qname, iq->qinfo_out.qname_len,
+ iq->qinfo_out.qtype, iq->qinfo_out.qclass,
iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), EDNS_DO|BIT_CD,
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
ie, iq), &target->addr, target->addrlen, iq->dp->name,
@@ -2042,6 +2144,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
enum response_type type;
iq->num_current_queries--;
if(iq->response == NULL) {
+ /* Don't increment qname when QNAME minimisation is enabled */
+ if (qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = SKIP_MINIMISE_STATE;
iq->chase_to_rd = 0;
iq->dnssec_lame_query = 0;
verbose(VERB_ALGO, "query response was timeout");
@@ -2142,6 +2247,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
sock_list_insert(&qstate->reply_origin,
&qstate->reply->addr, qstate->reply->addrlen,
qstate->region);
+ if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
+ /* Best effort qname-minimisation.
+ * Stop minimising and send full query when RCODE
+ * is not NOERROR */
+ if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
+ LDNS_RCODE_NOERROR)
+ iq->minimisation_state = DONOT_MINIMISE_STATE;
+ return next_state(iq, QUERYTARGETS_STATE);
+ }
return final_state(iq);
} else if(type == RESPONSE_TYPE_REFERRAL) {
/* REFERRAL type responses get a reset of the
@@ -2201,6 +2315,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
* point to the referral. */
iq->deleg_msg = iq->response;
iq->dp = delegpt_from_message(iq->response, qstate->region);
+ if (qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = INIT_MINIMISE_STATE;
if(!iq->dp)
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
@@ -2280,6 +2396,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* set the current request's qname to the new value. */
iq->qchase.qname = sname;
iq->qchase.qname_len = snamelen;
+ if (qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = INIT_MINIMISE_STATE;
/* Clear the query state, since this is a query restart. */
iq->deleg_msg = NULL;
iq->dp = NULL;
@@ -2353,6 +2471,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* LAME, THROWAWAY and "unknown" all end up here.
* Recycle to the QUERYTARGETS state to hopefully try a
* different target. */
+ if (qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = DONOT_MINIMISE_STATE;
return next_state(iq, QUERYTARGETS_STATE);
}
@@ -2968,7 +3088,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
prs->flags &= ~BIT_CD;
/* normalize and sanitize: easy to delete items from linked lists */
- if(!scrub_message(pkt, prs, &iq->qchase, iq->dp->name,
+ if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name,
qstate->env->scratch, qstate->env, ie)) {
/* if 0x20 enabled, start fallback, but we have no message */
if(event == module_event_capsfail && !iq->caps_fallback) {
diff --git a/contrib/unbound/iterator/iterator.h b/contrib/unbound/iterator/iterator.h
index 9cf53b2..b7aa82e 100644
--- a/contrib/unbound/iterator/iterator.h
+++ b/contrib/unbound/iterator/iterator.h
@@ -112,6 +112,32 @@ struct iter_env {
* array of max_dependency_depth+1 size.
*/
int* target_fetch_policy;
+
+ /** ip6.arpa dname in wireformat, used for qname-minimisation */
+ uint8_t* ip6arpa_dname;
+};
+
+/**
+ * QNAME minimisation state
+ */
+enum minimisation_state {
+ /**
+ * (Re)start minimisation. Outgoing QNAME should be set to dp->name.
+ * State entered on new query or after following refferal or CNAME.
+ */
+ INIT_MINIMISE_STATE = 0,
+ /**
+ * QNAME minimisataion ongoing. Increase QNAME on every iteration.
+ */
+ MINIMISE_STATE,
+ /**
+ * Don't increment QNAME this iteration
+ */
+ SKIP_MINIMISE_STATE,
+ /**
+ * Send out full QNAME + original QTYPE
+ */
+ DONOT_MINIMISE_STATE,
};
/**
@@ -322,6 +348,15 @@ struct iter_qstate {
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;
+
+ /** QNAME minimisation state */
+ enum minimisation_state minimisation_state;
+
+ /**
+ * The query info that is sent upstream. Will be a subset of qchase
+ * when qname minimisation is enabled.
+ */
+ struct query_info qinfo_out;
};
/**
diff --git a/contrib/unbound/libunbound/libunbound.c b/contrib/unbound/libunbound/libunbound.c
index 7c2509b..17f50e8 100644
--- a/contrib/unbound/libunbound/libunbound.c
+++ b/contrib/unbound/libunbound/libunbound.c
@@ -68,6 +68,9 @@
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
#if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
#include <windows.h>
diff --git a/contrib/unbound/libunbound/python/Makefile b/contrib/unbound/libunbound/python/Makefile
index 01b0577..9a98ef5 100644
--- a/contrib/unbound/libunbound/python/Makefile
+++ b/contrib/unbound/libunbound/python/Makefile
@@ -36,7 +36,7 @@
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " testenv to make test environment and run bash "
- @echo " usefull in case you don't want to install unbound but want to test examples"
+ @echo " useful in case you don't want to install unbound but want to test examples"
@echo " doc to make documentation"
@echo " clean clean all"
diff --git a/contrib/unbound/libunbound/python/doc/install.rst b/contrib/unbound/libunbound/python/doc/install.rst
index f638ed1..a073a5c 100644
--- a/contrib/unbound/libunbound/python/doc/install.rst
+++ b/contrib/unbound/libunbound/python/doc/install.rst
@@ -22,7 +22,7 @@ You need GNU make to compile sources; SWIG and Python devel libraries to compile
**Testing**
-If the compilation is successfull, you can test the python LDNS extension module by::
+If the compilation is successful, you can test the python LDNS extension module by::
> cd contrib/python
> make testenv
diff --git a/contrib/unbound/libunbound/python/doc/modules/unbound.rst b/contrib/unbound/libunbound/python/doc/modules/unbound.rst
index 21f4a12..77e4cd1 100644
--- a/contrib/unbound/libunbound/python/doc/modules/unbound.rst
+++ b/contrib/unbound/libunbound/python/doc/modules/unbound.rst
@@ -42,7 +42,7 @@ Class ub_result
False, if validation failed or domain queried has no security info.
It is possible to get a result with no data (havedata is false),
- and secure is true. This means that the non-existance of the data
+ and secure is true. This means that the non-existence of the data
was cryptographically proven (with signatures).
.. attribute:: bogus
diff --git a/contrib/unbound/libunbound/python/examples/dnssec-valid.py b/contrib/unbound/libunbound/python/examples/dnssec-valid.py
index 386f4c2..c5517ef 100644
--- a/contrib/unbound/libunbound/python/examples/dnssec-valid.py
+++ b/contrib/unbound/libunbound/python/examples/dnssec-valid.py
@@ -44,7 +44,7 @@ ctx.debugout(fw)
ctx.debuglevel(2)
if os.path.isfile("keys"):
- ctx.add_ta_file("keys") #read public keys for DNSSEC verificatio
+ ctx.add_ta_file("keys") #read public keys for DNSSEC verification
status, result = ctx.resolve("www.nic.cz", RR_TYPE_A, RR_CLASS_IN)
if status == 0 and result.havedata:
diff --git a/contrib/unbound/libunbound/python/libunbound.i b/contrib/unbound/libunbound/python/libunbound.i
index 3c0e45b..50a9b67 100644
--- a/contrib/unbound/libunbound/python/libunbound.i
+++ b/contrib/unbound/libunbound/python/libunbound.i
@@ -1,5 +1,5 @@
/*
- * libounbound.i: pyUnbound module (libunbound wrapper for Python)
+ * libunbound.i: pyUnbound module (libunbound wrapper for Python)
*
* Copyright (c) 2009, Zdenek Vasicek (vasicek AT fit.vutbr.cz)
* Marek Vavrusa (xvavru00 AT stud.fit.vutbr.cz)
@@ -455,7 +455,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
#_UB_CTX_METHODS#
def zone_print(self):
- """Print local zones using debougout"""
+ """Print local zones using debugout"""
_unbound.ub_ctx_print_local_zones(self)
def zone_add(self,zonename,zonetype):
diff --git a/contrib/unbound/ltmain.sh b/contrib/unbound/ltmain.sh
index 63ae69d..6fdf4ba 100755
--- a/contrib/unbound/ltmain.sh
+++ b/contrib/unbound/ltmain.sh
@@ -4394,7 +4394,7 @@ EOF
{
/* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
namespace, but it is not one of the ones we know about and
- have already dealt with, above (inluding dump-script), then
+ have already dealt with, above (including dump-script), then
report an error. Otherwise, targets might begin to believe
they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
namespace. The first time any user complains about this, we'll
diff --git a/contrib/unbound/services/cache/dns.c b/contrib/unbound/services/cache/dns.c
index ba81afd..e14e636 100644
--- a/contrib/unbound/services/cache/dns.c
+++ b/contrib/unbound/services/cache/dns.c
@@ -656,8 +656,9 @@ fill_any(struct module_env* env,
time_t now = *env->now;
struct dns_msg* msg = NULL;
uint16_t lookup[] = {LDNS_RR_TYPE_A, LDNS_RR_TYPE_AAAA,
- LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS, 0};
- int i, num=5; /* number of RR types to look up */
+ LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS,
+ LDNS_RR_TYPE_DNAME, 0};
+ int i, num=6; /* number of RR types to look up */
log_assert(lookup[num] == 0);
for(i=0; i<num; i++) {
diff --git a/contrib/unbound/services/cache/rrset.c b/contrib/unbound/services/cache/rrset.c
index 2c85529..2f6a1b5 100644
--- a/contrib/unbound/services/cache/rrset.c
+++ b/contrib/unbound/services/cache/rrset.c
@@ -190,6 +190,7 @@ rrset_cache_update(struct rrset_cache* r, struct rrset_ref* ref,
uint16_t rrset_type = ntohs(k->rk.type);
int equal = 0;
log_assert(ref->id != 0 && k->id != 0);
+ log_assert(k->rk.dname != NULL);
/* looks up item with a readlock - no editing! */
if((e=slabhash_lookup(&r->table, h, k, 0)) != 0) {
/* return id and key as they will be used in the cache
diff --git a/contrib/unbound/sldns/parseutil.h b/contrib/unbound/sldns/parseutil.h
index dfa1c2a..c5238bc 100644
--- a/contrib/unbound/sldns/parseutil.h
+++ b/contrib/unbound/sldns/parseutil.h
@@ -56,13 +56,13 @@ time_t sldns_mktime_from_utc(const struct tm *tm);
/**
* The function interprets time as the number of seconds since epoch
- * with respect to now using serial arithmitics (rfc1982).
+ * with respect to now using serial arithmetics (rfc1982).
* That number of seconds is then converted to broken-out time information.
* This is especially usefull when converting the inception and expiration
* fields of RRSIG records.
*
* \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
- * to be intepreted as a serial arithmitics number relative to now.
+ * to be intepreted as a serial arithmetics number relative to now.
* \param[in] now number of seconds since epoch (midnight, January 1st, 1970)
* to which the time value is compared to determine the final value.
* \param[out] result the struct with the broken-out time information
diff --git a/contrib/unbound/sldns/wire2str.c b/contrib/unbound/sldns/wire2str.c
index cec3bc7..5cbd78e 100644
--- a/contrib/unbound/sldns/wire2str.c
+++ b/contrib/unbound/sldns/wire2str.c
@@ -697,6 +697,9 @@ int sldns_wire2str_rdata_scan(uint8_t** d, size_t* dlen, char** s,
}
w += n;
}
+ if(*dlen != 0) {
+ goto failed;
+ }
return w;
}
diff --git a/contrib/unbound/smallapp/unbound-anchor.c b/contrib/unbound/smallapp/unbound-anchor.c
index 92bfa84..81bb896 100644
--- a/contrib/unbound/smallapp/unbound-anchor.c
+++ b/contrib/unbound/smallapp/unbound-anchor.c
@@ -95,7 +95,7 @@
* signed yet; avoids attacks on system clock). The
* last-successful-RFC5011-probe (if available) has to be more than 30 days
* in the past (otherwise, RFC5011 should have worked). This keeps
- * unneccesary https traffic down. If the main certificate is expired, it
+ * unnecessary https traffic down. If the main certificate is expired, it
* fails.
*
* The dates on the keys in the xml are checked (uses the libexpat xml
@@ -1520,7 +1520,11 @@ xml_entitydeclhandler(void *userData,
const XML_Char *ATTR_UNUSED(publicId),
const XML_Char *ATTR_UNUSED(notationName))
{
+#if HAVE_DECL_XML_STOPPARSER
(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
+#else
+ (void)userData;
+#endif
}
/**
@@ -1828,6 +1832,12 @@ write_unsigned_root(const char* root_anchor_file)
root_anchor_file);
if(verb && errno != 0) printf("%s\n", strerror(errno));
}
+ fflush(out);
+#ifdef HAVE_FSYNC
+ fsync(fileno(out));
+#else
+ FlushFileBuffers((HANDLE)_fileno(out));
+#endif
fclose(out);
}
@@ -1854,6 +1864,12 @@ write_root_anchor(const char* root_anchor_file, BIO* ds)
root_anchor_file);
if(verb && errno != 0) printf("%s\n", strerror(errno));
}
+ fflush(out);
+#ifdef HAVE_FSYNC
+ fsync(fileno(out));
+#else
+ FlushFileBuffers((HANDLE)_fileno(out));
+#endif
fclose(out);
}
diff --git a/contrib/unbound/smallapp/unbound-checkconf.c b/contrib/unbound/smallapp/unbound-checkconf.c
index 0524ede..ec07713 100644
--- a/contrib/unbound/smallapp/unbound-checkconf.c
+++ b/contrib/unbound/smallapp/unbound-checkconf.c
@@ -335,7 +335,9 @@ morechecks(struct config_file* cfg, const char* fname)
if(cfg->edns_buffer_size > cfg->msg_buffer_size)
fatal_exit("edns-buffer-size larger than msg-buffer-size, "
"answers will not fit in processing buffer");
-
+#ifdef UB_ON_WINDOWS
+ w_config_adjust_directory(cfg);
+#endif
if(cfg->chrootdir && cfg->chrootdir[0] &&
cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
fatal_exit("chootdir %s has trailing slash '/' please remove.",
diff --git a/contrib/unbound/smallapp/unbound-control-setup.sh b/contrib/unbound/smallapp/unbound-control-setup.sh
index 816b4f5..28690b3 100755
--- a/contrib/unbound/smallapp/unbound-control-setup.sh
+++ b/contrib/unbound/smallapp/unbound-control-setup.sh
@@ -107,16 +107,15 @@ else
fi
# create self-signed cert for server
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$SERVERNAME
-EOF
+echo "[req]\n" > request.cfg
+echo "default_bits=$BITS\n" >> request.cfg
+echo "default_md=$HASH\n" >> request.cfg
+echo "prompt=no\n" >> request.cfg
+echo "distinguished_name=req_distinguished_name\n" >> request.cfg
+echo "\n" >> request.cfg
+echo "[req_distinguished_name]\n" >> request.cfg
+echo "commonName=$SERVERNAME\n" >> request.cfg
+
test -f request.cfg || error "could not create request.cfg"
echo "create $SVR_BASE.pem (self signed certificate)"
@@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out
openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
# create client request and sign it, piped
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$CLIENTNAME
-EOF
+echo "[req]\n" > request.cfg
+echo "default_bits=$BITS\n" >> request.cfg
+echo "default_md=$HASH\n" >> request.cfg
+echo "prompt=no\n" >> request.cfg
+echo "distinguished_name=req_distinguished_name\n" >> request.cfg
+echo "\n" >> request.cfg
+echo "[req_distinguished_name]\n" >> request.cfg
+echo "commonName=$CLIENTNAME" >> request.cfg
+
test -f request.cfg || error "could not create request.cfg"
echo "create $CTL_BASE.pem (signed client certificate)"
diff --git a/contrib/unbound/smallapp/unbound-control-setup.sh.in b/contrib/unbound/smallapp/unbound-control-setup.sh.in
index 682ab26..f99d7bc 100755
--- a/contrib/unbound/smallapp/unbound-control-setup.sh.in
+++ b/contrib/unbound/smallapp/unbound-control-setup.sh.in
@@ -107,16 +107,15 @@ else
fi
# create self-signed cert for server
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$SERVERNAME
-EOF
+echo "[req]\n" > request.cfg
+echo "default_bits=$BITS\n" >> request.cfg
+echo "default_md=$HASH\n" >> request.cfg
+echo "prompt=no\n" >> request.cfg
+echo "distinguished_name=req_distinguished_name\n" >> request.cfg
+echo "\n" >> request.cfg
+echo "[req_distinguished_name]\n" >> request.cfg
+echo "commonName=$SERVERNAME\n" >> request.cfg
+
test -f request.cfg || error "could not create request.cfg"
echo "create $SVR_BASE.pem (self signed certificate)"
@@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out
openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
# create client request and sign it, piped
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$CLIENTNAME
-EOF
+echo "[req]\n" > request.cfg
+echo "default_bits=$BITS\n" >> request.cfg
+echo "default_md=$HASH\n" >> request.cfg
+echo "prompt=no\n" >> request.cfg
+echo "distinguished_name=req_distinguished_name\n" >> request.cfg
+echo "\n" >> request.cfg
+echo "[req_distinguished_name]\n" >> request.cfg
+echo "commonName=$CLIENTNAME" >> request.cfg
+
test -f request.cfg || error "could not create request.cfg"
echo "create $CTL_BASE.pem (signed client certificate)"
diff --git a/contrib/unbound/smallapp/unbound-control.c b/contrib/unbound/smallapp/unbound-control.c
index 571b4d0..fac73b0 100644
--- a/contrib/unbound/smallapp/unbound-control.c
+++ b/contrib/unbound/smallapp/unbound-control.c
@@ -156,10 +156,12 @@ setup_ctx(struct config_file* cfg)
ctx = SSL_CTX_new(SSLv23_client_method());
if(!ctx)
ssl_err("could not allocate SSL_CTX pointer");
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2)
ssl_err("could not set SSL_OP_NO_SSLv2");
if(cfg->remote_control_use_cert) {
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3");
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
@@ -361,6 +363,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
fatal_exit("could not read config file");
if(!cfg->remote_control_enable)
log_warn("control-enable is 'no' in the config file.");
+#ifdef UB_ON_WINDOWS
+ w_config_adjust_directory(cfg);
+#endif
ctx = setup_ctx(cfg);
/* contact server */
diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c
index 062d12d..6354e99 100644
--- a/contrib/unbound/util/config_file.c
+++ b/contrib/unbound/util/config_file.c
@@ -100,7 +100,7 @@ config_create(void)
cfg->tcp_upstream = 0;
cfg->ssl_service_key = NULL;
cfg->ssl_service_pem = NULL;
- cfg->ssl_port = 443;
+ cfg->ssl_port = 853;
cfg->ssl_upstream = 0;
cfg->use_syslog = 1;
cfg->log_time_ascii = 0;
@@ -240,6 +240,7 @@ config_create(void)
cfg->ratelimit_for_domain = NULL;
cfg->ratelimit_below_domain = NULL;
cfg->ratelimit_factor = 10;
+ cfg->qname_minimisation = 0;
return cfg;
error_exit:
config_delete(cfg);
@@ -473,6 +474,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_MEMSIZE("ratelimit-size:", ratelimit_size)
else S_POW2("ratelimit-slabs:", ratelimit_slabs)
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
+ else S_YNO("qname-minimisation:", qname_minimisation)
/* val_sig_skew_min and max are copied into val_env during init,
* so this does not update val_env with set_option */
else if(strcmp(opt, "val-sig-skew-min:") == 0)
@@ -747,6 +749,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
+ else O_YNO(opt, "qname-minimisation", qname_minimisation)
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports
* local-zone - zones and nodefault variables
@@ -1555,6 +1558,28 @@ w_lookup_reg_str(const char* key, const char* name)
}
return result;
}
+
+void w_config_adjust_directory(struct config_file* cfg)
+{
+ if(cfg->directory && cfg->directory[0]) {
+ TCHAR dirbuf[2*MAX_PATH+4];
+ if(strcmp(cfg->directory, "%EXECUTABLE%") == 0) {
+ /* get executable path, and if that contains
+ * directories, snip off the filename part */
+ dirbuf[0] = 0;
+ if(!GetModuleFileName(NULL, dirbuf, MAX_PATH))
+ log_err("could not GetModuleFileName");
+ if(strrchr(dirbuf, '\\')) {
+ (strrchr(dirbuf, '\\'))[0] = 0;
+ } else log_err("GetModuleFileName had no path");
+ if(dirbuf[0]) {
+ /* adjust directory for later lookups to work*/
+ free(cfg->directory);
+ cfg->directory = memdup(dirbuf, strlen(dirbuf)+1);
+ }
+ }
+ }
+}
#endif /* UB_ON_WINDOWS */
void errinf(struct module_qstate* qstate, const char* str)
diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h
index 99b15e0..8fa163e 100644
--- a/contrib/unbound/util/config_file.h
+++ b/contrib/unbound/util/config_file.h
@@ -283,7 +283,7 @@ struct config_file {
struct config_str2list* local_zones;
/** local zones nodefault list */
struct config_strlist* local_zones_nodefault;
- /** local data RRs configged */
+ /** local data RRs configured */
struct config_strlist* local_data;
/** unblock lan zones (reverse lookups for 10/8 and so on) */
int unblock_lan_zones;
@@ -364,6 +364,8 @@ struct config_file {
struct config_str2list* ratelimit_below_domain;
/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
int ratelimit_factor;
+ /** minimise outgoing QNAME and hide original QTYPE if possible */
+ int qname_minimisation;
};
/** from cfg username, after daemonise setup performed */
@@ -739,6 +741,9 @@ void ub_c_error_msg(const char* fmt, ...) ATTR_FORMAT(printf, 1, 2);
* exist on an error (logged with log_err) was encountered.
*/
char* w_lookup_reg_str(const char* key, const char* name);
+
+/** Modify directory in options for module file name */
+void w_config_adjust_directory(struct config_file* cfg);
#endif /* UB_ON_WINDOWS */
#endif /* UTIL_CONFIG_FILE_H */
diff --git a/contrib/unbound/util/configlexer.lex b/contrib/unbound/util/configlexer.lex
index 1aea22e..a368066 100644
--- a/contrib/unbound/util/configlexer.lex
+++ b/contrib/unbound/util/configlexer.lex
@@ -207,6 +207,7 @@ SQANY [^\'\n\r\\]|\\.
/* note that flex makes the longest match and '.' is any but not nl */
LEXOUT(("comment(%s) ", ub_c_text)); /* ignore */ }
server{COLON} { YDVAR(0, VAR_SERVER) }
+qname-minimisation{COLON} { YDVAR(1, VAR_QNAME_MINIMISATION) }
num-threads{COLON} { YDVAR(1, VAR_NUM_THREADS) }
verbosity{COLON} { YDVAR(1, VAR_VERBOSITY) }
port{COLON} { YDVAR(1, VAR_PORT) }
diff --git a/contrib/unbound/util/configparser.y b/contrib/unbound/util/configparser.y
index d6db3c8..abc0bb0 100644
--- a/contrib/unbound/util/configparser.y
+++ b/contrib/unbound/util/configparser.y
@@ -122,6 +122,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
+%token VAR_QNAME_MINIMISATION
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -186,7 +187,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ratelimit_size | server_ratelimit_for_domain |
server_ratelimit_below_domain | server_ratelimit_factor |
server_caps_whitelist | server_cache_max_negative_ttl |
- server_permit_small_holddown
+ server_permit_small_holddown | server_qname_minimisation
;
stubstart: VAR_STUB_ZONE
{
@@ -1318,6 +1319,16 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
free($2);
}
;
+server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG
+ {
+ OUTYY(("P(server_qname_minimisation:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->qname_minimisation =
+ (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
stub_name: VAR_NAME STRING_ARG
{
OUTYY(("P(name:%s)\n", $2));
diff --git a/contrib/unbound/util/iana_ports.inc b/contrib/unbound/util/iana_ports.inc
index 64edf0b..b09a9ad 100644
--- a/contrib/unbound/util/iana_ports.inc
+++ b/contrib/unbound/util/iana_ports.inc
@@ -660,6 +660,7 @@
833,
847,
848,
+853,
860,
861,
862,
@@ -3842,6 +3843,7 @@
4406,
4412,
4413,
+4416,
4425,
4426,
4430,
@@ -4572,6 +4574,7 @@
7070,
7071,
7080,
+7088,
7095,
7099,
7100,
@@ -5383,6 +5386,7 @@
38203,
39681,
40000,
+40023,
40841,
40842,
40843,
diff --git a/contrib/unbound/util/locks.c b/contrib/unbound/util/locks.c
index 509895d..adfb6c0 100644
--- a/contrib/unbound/util/locks.c
+++ b/contrib/unbound/util/locks.c
@@ -232,7 +232,7 @@ void ub_thread_create(ub_thread_t* thr, void* (*func)(void*), void* arg)
0, /* default flags, run immediately */
NULL); /* do not store thread identifier anywhere */
#else
- /* the begintheadex routine setups for the C lib; aligns stack */
+ /* the beginthreadex routine setups for the C lib; aligns stack */
*thr=(ub_thread_t)_beginthreadex(NULL, 0, (void*)func, arg, 0, NULL);
#endif
if(*thr == NULL) {
diff --git a/contrib/unbound/util/net_help.c b/contrib/unbound/util/net_help.c
index 07605b1..eb03cd0 100644
--- a/contrib/unbound/util/net_help.c
+++ b/contrib/unbound/util/net_help.c
@@ -619,12 +619,14 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
return NULL;
}
/* no SSLv2, SSLv3 because has defects */
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
SSL_CTX_free(ctx);
return NULL;
}
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3){
log_crypto_err("could not set SSL_OP_NO_SSLv3");
SSL_CTX_free(ctx);
return NULL;
@@ -690,12 +692,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
log_crypto_err("could not allocate SSL_CTX pointer");
return NULL;
}
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2) {
log_crypto_err("could not set SSL_OP_NO_SSLv2");
SSL_CTX_free(ctx);
return NULL;
}
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3) {
log_crypto_err("could not set SSL_OP_NO_SSLv3");
SSL_CTX_free(ctx);
return NULL;
diff --git a/contrib/unbound/util/random.c b/contrib/unbound/util/random.c
index 71f0ba5..684464e 100644
--- a/contrib/unbound/util/random.c
+++ b/contrib/unbound/util/random.c
@@ -68,6 +68,8 @@
/* nss3 */
#include "secport.h"
#include "pk11pub.h"
+#elif defined(HAVE_NETTLE)
+#include "yarrow.h"
#endif
/**
@@ -76,7 +78,7 @@
*/
#define MAX_VALUE 0x7fffffff
-#ifndef HAVE_NSS
+#if defined(HAVE_SSL)
void
ub_systemseed(unsigned int ATTR_UNUSED(seed))
{
@@ -110,7 +112,7 @@ ub_random_max(struct ub_randstate* state, long int x)
return (long)arc4random_uniform((uint32_t)x);
}
-#else
+#elif defined(HAVE_NSS)
/* not much to remember for NSS since we use its pk11_random, placeholder */
struct ub_randstate {
@@ -144,6 +146,72 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
return x & MAX_VALUE;
}
+#elif defined(HAVE_NETTLE)
+
+/**
+ * libnettle implements a Yarrow-256 generator (SHA256 + AES),
+ * and we have to ensure it is seeded before use.
+ */
+struct ub_randstate {
+ struct yarrow256_ctx ctx;
+ int seeded;
+};
+
+void ub_systemseed(unsigned int ATTR_UNUSED(seed))
+{
+/**
+ * We seed on init and not here, as we need the ctx to re-seed.
+ * This also means that re-seeding is not supported.
+ */
+ log_err("Re-seeding not supported, generator untouched");
+}
+
+struct ub_randstate* ub_initstate(unsigned int seed,
+ struct ub_randstate* ATTR_UNUSED(from))
+{
+ struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
+ uint8_t buf[YARROW256_SEED_FILE_SIZE];
+ if(!s) {
+ log_err("malloc failure in random init");
+ return NULL;
+ }
+ /* Setup Yarrow context */
+ yarrow256_init(&s->ctx, 0, NULL);
+
+ if(getentropy(buf, sizeof(buf)) != -1) {
+ /* got entropy */
+ yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
+ s->seeded = yarrow256_is_seeded(&s->ctx);
+ } else {
+ /* Stretch the uint32 input seed and feed it to Yarrow */
+ uint32_t v = seed;
+ size_t i;
+ for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
+ memmove(buf+i*sizeof(seed), &v, sizeof(seed));
+ v = v*seed + (uint32_t)i;
+ }
+ yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
+ s->seeded = yarrow256_is_seeded(&s->ctx);
+ }
+
+ return s;
+}
+
+long int ub_random(struct ub_randstate* s)
+{
+ /* random 31 bit value. */
+ long int x = 0;
+ if (!s || !s->seeded) {
+ log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded");
+ } else {
+ yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x);
+ }
+ return x & MAX_VALUE;
+}
+#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
+
+
+#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
long int
ub_random_max(struct ub_randstate* state, long int x)
{
@@ -155,7 +223,7 @@ ub_random_max(struct ub_randstate* state, long int x)
v = ub_random(state);
return (v % x);
}
-#endif /* HAVE_NSS */
+#endif /* HAVE_NSS or HAVE_NETTLE */
void
ub_randfree(struct ub_randstate* s)
diff --git a/contrib/unbound/util/rbtree.c b/contrib/unbound/util/rbtree.c
index a898f13..ee5446f 100644
--- a/contrib/unbound/util/rbtree.c
+++ b/contrib/unbound/util/rbtree.c
@@ -68,7 +68,7 @@ static void rbtree_insert_fixup(rbtree_t *rbtree, rbnode_t *node);
static void rbtree_delete_fixup(rbtree_t* rbtree, rbnode_t* child, rbnode_t* child_parent);
/*
- * Creates a new red black tree, intializes and returns a pointer to it.
+ * Creates a new red black tree, initializes and returns a pointer to it.
*
* Return NULL on failure.
*
diff --git a/contrib/unbound/util/rtt.h b/contrib/unbound/util/rtt.h
index d6da986..07e65ee 100644
--- a/contrib/unbound/util/rtt.h
+++ b/contrib/unbound/util/rtt.h
@@ -96,7 +96,7 @@ int rtt_notimeout(const struct rtt_info* rtt);
void rtt_update(struct rtt_info* rtt, int ms);
/**
- * Update the statistics with a new timout expired observation.
+ * Update the statistics with a new timeout expired observation.
* @param rtt: round trip statistics structure.
* @param orig: original rtt time given for the query that timed out.
* Used to calculate the maximum responsible backed off time that
diff --git a/contrib/unbound/util/storage/lookup3.c b/contrib/unbound/util/storage/lookup3.c
index de28858..ddcb56e 100644
--- a/contrib/unbound/util/storage/lookup3.c
+++ b/contrib/unbound/util/storage/lookup3.c
@@ -356,7 +356,7 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
- * noticably faster for short strings (like English words).
+ * noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
@@ -544,7 +544,7 @@ void hashlittle2(
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
- * noticably faster for short strings (like English words).
+ * noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
@@ -725,7 +725,7 @@ uint32_t hashbig( const void *key, size_t length, uint32_t initval)
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
- * noticably faster for short strings (like English words).
+ * noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
@@ -858,7 +858,7 @@ void driver2()
{
for (j=0; j<8; ++j) /*------------------------ for each input bit, */
{
- for (m=1; m<8; ++m) /*------------ for serveral possible initvals, */
+ for (m=1; m<8; ++m) /*------------ for several possible initvals, */
{
for (l=0; l<HASHSTATE; ++l)
e[l]=f[l]=g[l]=h[l]=x[l]=y[l]=~((uint32_t)0);
diff --git a/contrib/unbound/util/tube.h b/contrib/unbound/util/tube.h
index 9ec50af..6cc6050 100644
--- a/contrib/unbound/util/tube.h
+++ b/contrib/unbound/util/tube.h
@@ -83,7 +83,7 @@ struct tube {
/** background write queue, commpoint to write results back */
struct comm_point* res_com;
- /** are we curently writing a result, 0 if not, else bytecount into
+ /** are we currently writing a result, 0 if not, else bytecount into
* the res_list first entry. */
size_t res_write;
/** list of outstanding results to be written back */
diff --git a/contrib/unbound/util/winsock_event.h b/contrib/unbound/util/winsock_event.h
index f642657..d386a69 100644
--- a/contrib/unbound/util/winsock_event.h
+++ b/contrib/unbound/util/winsock_event.h
@@ -201,7 +201,7 @@ struct event {
int stick_events;
/** true if this event is a signaling WSAEvent by the user.
- * User created and user closed WSAEvent. Only signaled/unsigneled,
+ * User created and user closed WSAEvent. Only signaled/unsignaled,
* no read/write/distinctions needed. */
int is_signal;
/** used during callbacks to see which events were just checked */
diff --git a/contrib/unbound/validator/autotrust.c b/contrib/unbound/validator/autotrust.c
index e63b086..f8c9c8c 100644
--- a/contrib/unbound/validator/autotrust.c
+++ b/contrib/unbound/validator/autotrust.c
@@ -1195,6 +1195,14 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
fatal_exit("could not completely write: %s", fname);
return;
}
+ if(fflush(out) != 0)
+ log_err("could not fflush(%s): %s", fname, strerror(errno));
+#ifdef HAVE_FSYNC
+ if(fsync(fileno(out)) != 0)
+ log_err("could not fsync(%s): %s", fname, strerror(errno));
+#else
+ FlushFileBuffers((HANDLE)_fileno(out));
+#endif
if(fclose(out) != 0) {
fatal_exit("could not complete write: %s: %s",
fname, strerror(errno));
@@ -2162,7 +2170,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
/* only increase failure count if this is not the first prime,
- * this means there was a previous succesful probe */
+ * this means there was a previous successful probe */
if(tp->autr->last_success) {
tp->autr->query_failed += 1;
autr_write_file(env, tp);
diff --git a/contrib/unbound/validator/val_neg.c b/contrib/unbound/validator/val_neg.c
index b1ff8d9..ab31f48 100644
--- a/contrib/unbound/validator/val_neg.c
+++ b/contrib/unbound/validator/val_neg.c
@@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with aggressive negative caching.
- * This creates new denials of existance, and proofs for absence of types
+ * This creates new denials of existence, and proofs for absence of types
* from cached NSEC records.
*/
#include "config.h"
diff --git a/contrib/unbound/validator/val_neg.h b/contrib/unbound/validator/val_neg.h
index 967d1a7..bf3a247 100644
--- a/contrib/unbound/validator/val_neg.h
+++ b/contrib/unbound/validator/val_neg.h
@@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with aggressive negative caching.
- * This creates new denials of existance, and proofs for absence of types
+ * This creates new denials of existence, and proofs for absence of types
* from cached NSEC records.
*/
diff --git a/contrib/unbound/validator/val_nsec.c b/contrib/unbound/validator/val_nsec.c
index bdfe3c8..f104a34 100644
--- a/contrib/unbound/validator/val_nsec.c
+++ b/contrib/unbound/validator/val_nsec.c
@@ -1,5 +1,5 @@
/*
- * validator/val_nsec.c - validator NSEC denial of existance functions.
+ * validator/val_nsec.c - validator NSEC denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with NSEC checking, the different NSEC proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
*/
#include "config.h"
#include "validator/val_nsec.h"
@@ -279,7 +279,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
return sec_status_insecure;
}
- /* NSEC proof did not conlusively point to DS or no DS */
+ /* NSEC proof did not conclusively point to DS or no DS */
return sec_status_unchecked;
}
@@ -340,6 +340,28 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
*wc = ce;
return 1;
}
+ } else {
+ /* See if the next owner name covers a wildcard
+ * empty non-terminal. */
+ while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
+ /* wildcard does not apply if qname below
+ * the name that exists under the '*' */
+ if (dname_subdomain_c(qinfo->qname, nm))
+ break;
+ /* but if it is a wildcard and qname is below
+ * it, then the wildcard applies. The wildcard
+ * is an empty nonterminal. nodata proven. */
+ if (dname_is_wild(nm)) {
+ size_t ce_len = ln;
+ uint8_t* ce = nm;
+ dname_remove_label(&ce, &ce_len);
+ if(dname_strict_subdomain_c(qinfo->qname, ce)) {
+ *wc = ce;
+ return 1;
+ }
+ }
+ dname_remove_label(&nm, &ln);
+ }
}
/* Otherwise, this NSEC does not prove ENT and is not a
diff --git a/contrib/unbound/validator/val_nsec.h b/contrib/unbound/validator/val_nsec.h
index f680d08..c031c9a 100644
--- a/contrib/unbound/validator/val_nsec.h
+++ b/contrib/unbound/validator/val_nsec.h
@@ -1,5 +1,5 @@
/*
- * validator/val_nsec.h - validator NSEC denial of existance functions.
+ * validator/val_nsec.h - validator NSEC denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with NSEC checking, the different NSEC proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
*/
#ifndef VALIDATOR_VAL_NSEC_H
@@ -54,7 +54,7 @@ struct key_entry_key;
/**
* Check DS absence.
* There is a NODATA reply to a DS that needs checking.
- * NSECs can prove this is not a delegation point, or sucessfully prove
+ * NSECs can prove this is not a delegation point, or successfully prove
* that there is no DS. Or this fails.
*
* @param env: module env for rrsig verification routines.
diff --git a/contrib/unbound/validator/val_nsec3.c b/contrib/unbound/validator/val_nsec3.c
index 80ca4d0..22867d1 100644
--- a/contrib/unbound/validator/val_nsec3.c
+++ b/contrib/unbound/validator/val_nsec3.c
@@ -1,5 +1,5 @@
/*
- * validator/val_nsec3.c - validator NSEC3 denial of existance functions.
+ * validator/val_nsec3.c - validator NSEC3 denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@@ -38,18 +38,12 @@
*
* This file contains helper functions for the validator module.
* The functions help with NSEC3 checking, the different NSEC3 proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
*/
#include "config.h"
#include <ctype.h>
-#ifdef HAVE_OPENSSL_SSL_H
-#include "openssl/ssl.h"
-#endif
-#ifdef HAVE_NSS
-/* nss3 */
-#include "sechash.h"
-#endif
#include "validator/val_nsec3.h"
+#include "validator/val_secalgo.h"
#include "validator/validator.h"
#include "validator/val_kentry.h"
#include "services/cache/rrset.h"
@@ -370,8 +364,8 @@ filter_next(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
/**
* Start iterating over NSEC3 records.
* @param filter: the filter structure, must have been filter_init-ed.
- * @param rrsetnum: can be undefined on call, inited.
- * @param rrnum: can be undefined on call, inited.
+ * @param rrsetnum: can be undefined on call, initialised.
+ * @param rrnum: can be undefined on call, initialised.
* @return first rrset of an NSEC3, together with rrnum this points to
* the first RR to examine. Is NULL on empty list.
*/
@@ -545,46 +539,24 @@ nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
query_dname_tolower(sldns_buffer_begin(buf));
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
- switch(algo) {
-#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
- case NSEC3_HASH_SHA1:
-#ifdef HAVE_SSL
- hash_len = SHA_DIGEST_LENGTH;
-#else
- hash_len = SHA1_LENGTH;
-#endif
- if(hash_len > max)
- return 0;
-# ifdef HAVE_SSL
- (void)SHA1((unsigned char*)sldns_buffer_begin(buf),
- (unsigned long)sldns_buffer_limit(buf),
- (unsigned char*)res);
-# else
- (void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)res,
- (unsigned char*)sldns_buffer_begin(buf),
- (unsigned long)sldns_buffer_limit(buf));
-# endif
- for(i=0; i<iter; i++) {
- sldns_buffer_clear(buf);
- sldns_buffer_write(buf, res, hash_len);
- sldns_buffer_write(buf, salt, saltlen);
- sldns_buffer_flip(buf);
-# ifdef HAVE_SSL
- (void)SHA1(
- (unsigned char*)sldns_buffer_begin(buf),
- (unsigned long)sldns_buffer_limit(buf),
- (unsigned char*)res);
-# else
- (void)HASH_HashBuf(HASH_AlgSHA1,
- (unsigned char*)res,
- (unsigned char*)sldns_buffer_begin(buf),
- (unsigned long)sldns_buffer_limit(buf));
-# endif
- }
- break;
-#endif /* HAVE_EVP_SHA1 or NSS */
- default:
- log_err("nsec3 hash of unknown algo %d", algo);
+ hash_len = nsec3_hash_algo_size_supported(algo);
+ if(hash_len == 0) {
+ log_err("nsec3 hash of unknown algo %d", algo);
+ return 0;
+ }
+ if(hash_len > max)
+ return 0;
+ if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
+ sldns_buffer_limit(buf), (unsigned char*)res))
+ return 0;
+ for(i=0; i<iter; i++) {
+ sldns_buffer_clear(buf);
+ sldns_buffer_write(buf, res, hash_len);
+ sldns_buffer_write(buf, salt, saltlen);
+ sldns_buffer_flip(buf);
+ if(!secalgo_nsec3_hash(algo,
+ (unsigned char*)sldns_buffer_begin(buf),
+ sldns_buffer_limit(buf), (unsigned char*)res))
return 0;
}
return hash_len;
@@ -607,50 +579,24 @@ nsec3_calc_hash(struct regional* region, sldns_buffer* buf,
query_dname_tolower(sldns_buffer_begin(buf));
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
- switch(algo) {
-#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
- case NSEC3_HASH_SHA1:
-#ifdef HAVE_SSL
- c->hash_len = SHA_DIGEST_LENGTH;
-#else
- c->hash_len = SHA1_LENGTH;
-#endif
- c->hash = (uint8_t*)regional_alloc(region,
- c->hash_len);
- if(!c->hash)
- return 0;
-# ifdef HAVE_SSL
- (void)SHA1((unsigned char*)sldns_buffer_begin(buf),
- (unsigned long)sldns_buffer_limit(buf),
- (unsigned char*)c->hash);
-# else
- (void)HASH_HashBuf(HASH_AlgSHA1,
- (unsigned char*)c->hash,
- (unsigned char*)sldns_buffer_begin(buf),
- (unsigned long)sldns_buffer_limit(buf));
-# endif
- for(i=0; i<iter; i++) {
- sldns_buffer_clear(buf);
- sldns_buffer_write(buf, c->hash, c->hash_len);
- sldns_buffer_write(buf, salt, saltlen);
- sldns_buffer_flip(buf);
-# ifdef HAVE_SSL
- (void)SHA1(
- (unsigned char*)sldns_buffer_begin(buf),
- (unsigned long)sldns_buffer_limit(buf),
- (unsigned char*)c->hash);
-# else
- (void)HASH_HashBuf(HASH_AlgSHA1,
- (unsigned char*)c->hash,
- (unsigned char*)sldns_buffer_begin(buf),
- (unsigned long)sldns_buffer_limit(buf));
-# endif
- }
- break;
-#endif /* HAVE_EVP_SHA1 or NSS */
- default:
- log_err("nsec3 hash of unknown algo %d", algo);
- return -1;
+ c->hash_len = nsec3_hash_algo_size_supported(algo);
+ if(c->hash_len == 0) {
+ log_err("nsec3 hash of unknown algo %d", algo);
+ return -1;
+ }
+ c->hash = (uint8_t*)regional_alloc(region, c->hash_len);
+ if(!c->hash)
+ return 0;
+ (void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
+ sldns_buffer_limit(buf), (unsigned char*)c->hash);
+ for(i=0; i<iter; i++) {
+ sldns_buffer_clear(buf);
+ sldns_buffer_write(buf, c->hash, c->hash_len);
+ sldns_buffer_write(buf, salt, saltlen);
+ sldns_buffer_flip(buf);
+ (void)secalgo_nsec3_hash(algo,
+ (unsigned char*)sldns_buffer_begin(buf),
+ sldns_buffer_limit(buf), (unsigned char*)c->hash);
}
return 1;
}
diff --git a/contrib/unbound/validator/val_nsec3.h b/contrib/unbound/validator/val_nsec3.h
index d619d67..69ba78d 100644
--- a/contrib/unbound/validator/val_nsec3.h
+++ b/contrib/unbound/validator/val_nsec3.h
@@ -1,5 +1,5 @@
/*
- * validator/val_nsec3.h - validator NSEC3 denial of existance functions.
+ * validator/val_nsec3.h - validator NSEC3 denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with NSEC3 checking, the different NSEC3 proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
*
* NSEC3
* 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
@@ -256,7 +256,7 @@ int nsec3_hash_cmp(const void* c1, const void* c2);
* Used internally by the nsec3 proof functions in this file.
* published to enable unit testing of hash algorithms and cache.
*
- * @param table: the cache table. Must be inited at start.
+ * @param table: the cache table. Must be initialised at start.
* @param region: scratch region to use for allocation.
* This region holds the tree, if you wipe the region, reinit the tree.
* @param buf: temporary buffer.
diff --git a/contrib/unbound/validator/val_secalgo.c b/contrib/unbound/validator/val_secalgo.c
index 8ed403d..7c8d7b2 100644
--- a/contrib/unbound/validator/val_secalgo.c
+++ b/contrib/unbound/validator/val_secalgo.c
@@ -44,12 +44,13 @@
/* packed_rrset on top to define enum types (forced by c99 standard) */
#include "util/data/packed_rrset.h"
#include "validator/val_secalgo.h"
+#include "validator/val_nsec3.h"
#include "util/log.h"
#include "sldns/rrdef.h"
#include "sldns/keyraw.h"
#include "sldns/sbuffer.h"
-#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
+#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
#error "Need crypto library to do digital signature cryptography"
#endif
@@ -71,10 +72,36 @@
#include <openssl/engine.h>
#endif
+/* return size of digest if supported, or 0 otherwise */
+size_t
+nsec3_hash_algo_size_supported(int id)
+{
+ switch(id) {
+ case NSEC3_HASH_SHA1:
+ return SHA_DIGEST_LENGTH;
+ default:
+ return 0;
+ }
+}
+
+/* perform nsec3 hash. return false on failure */
+int
+secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+ unsigned char* res)
+{
+ switch(algo) {
+ case NSEC3_HASH_SHA1:
+ (void)SHA1(buf, len, res);
+ return 1;
+ default:
+ return 0;
+ }
+}
+
/**
* Return size of DS digest according to its hash algorithm.
* @param algo: DS digest algo.
- * @return size in bytes of digest, or 0 if not supported.
+ * @return size in bytes of digest, or 0 if not supported.
*/
size_t
ds_digest_size_supported(int algo)
@@ -565,6 +592,32 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
/* nspr4 */
#include "prerror.h"
+/* return size of digest if supported, or 0 otherwise */
+size_t
+nsec3_hash_algo_size_supported(int id)
+{
+ switch(id) {
+ case NSEC3_HASH_SHA1:
+ return SHA1_LENGTH;
+ default:
+ return 0;
+ }
+}
+
+/* perform nsec3 hash. return false on failure */
+int
+secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+ unsigned char* res)
+{
+ switch(algo) {
+ case NSEC3_HASH_SHA1:
+ (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
+ return 1;
+ default:
+ return 0;
+ }
+}
+
size_t
ds_digest_size_supported(int algo)
{
@@ -1069,5 +1122,466 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
return sec_status_bogus;
}
+#elif defined(HAVE_NETTLE)
+
+#include "sha.h"
+#include "bignum.h"
+#include "macros.h"
+#include "rsa.h"
+#include "dsa.h"
+#include "asn1.h"
+#ifdef USE_ECDSA
+#include "ecdsa.h"
+#include "ecc-curve.h"
+#endif
+
+static int
+_digest_nettle(int algo, uint8_t* buf, size_t len,
+ unsigned char* res)
+{
+ switch(algo) {
+ case SHA1_DIGEST_SIZE:
+ {
+ struct sha1_ctx ctx;
+ sha1_init(&ctx);
+ sha1_update(&ctx, len, buf);
+ sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
+ return 1;
+ }
+ case SHA256_DIGEST_SIZE:
+ {
+ struct sha256_ctx ctx;
+ sha256_init(&ctx);
+ sha256_update(&ctx, len, buf);
+ sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
+ return 1;
+ }
+ case SHA384_DIGEST_SIZE:
+ {
+ struct sha384_ctx ctx;
+ sha384_init(&ctx);
+ sha384_update(&ctx, len, buf);
+ sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
+ return 1;
+ }
+ case SHA512_DIGEST_SIZE:
+ {
+ struct sha512_ctx ctx;
+ sha512_init(&ctx);
+ sha512_update(&ctx, len, buf);
+ sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
+ return 1;
+ }
+ default:
+ break;
+ }
+ return 0;
+}
+
+/* return size of digest if supported, or 0 otherwise */
+size_t
+nsec3_hash_algo_size_supported(int id)
+{
+ switch(id) {
+ case NSEC3_HASH_SHA1:
+ return SHA1_DIGEST_SIZE;
+ default:
+ return 0;
+ }
+}
+
+/* perform nsec3 hash. return false on failure */
+int
+secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+ unsigned char* res)
+{
+ switch(algo) {
+ case NSEC3_HASH_SHA1:
+ return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
+ res);
+ default:
+ return 0;
+ }
+}
+
+/**
+ * Return size of DS digest according to its hash algorithm.
+ * @param algo: DS digest algo.
+ * @return size in bytes of digest, or 0 if not supported.
+ */
+size_t
+ds_digest_size_supported(int algo)
+{
+ switch(algo) {
+ case LDNS_SHA1:
+ return SHA1_DIGEST_SIZE;
+#ifdef USE_SHA2
+ case LDNS_SHA256:
+ return SHA256_DIGEST_SIZE;
+#endif
+#ifdef USE_ECDSA
+ case LDNS_SHA384:
+ return SHA384_DIGEST_SIZE;
+#endif
+ /* GOST not supported */
+ case LDNS_HASH_GOST:
+ default:
+ break;
+ }
+ return 0;
+}
+
+int
+secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+ unsigned char* res)
+{
+ switch(algo) {
+ case LDNS_SHA1:
+ return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
+#if defined(USE_SHA2)
+ case LDNS_SHA256:
+ return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
+#endif
+#ifdef USE_ECDSA
+ case LDNS_SHA384:
+ return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
+
+#endif
+ case LDNS_HASH_GOST:
+ default:
+ verbose(VERB_QUERY, "unknown DS digest algorithm %d",
+ algo);
+ break;
+ }
+ return 0;
+}
+
+int
+dnskey_algo_id_is_supported(int id)
+{
+ /* uses libnettle */
+ switch(id) {
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ case LDNS_RSASHA1:
+ case LDNS_RSASHA1_NSEC3:
+#ifdef USE_SHA2
+ case LDNS_RSASHA256:
+ case LDNS_RSASHA512:
+#endif
+#ifdef USE_ECDSA
+ case LDNS_ECDSAP256SHA256:
+ case LDNS_ECDSAP384SHA384:
+#endif
+ return 1;
+ case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
+ case LDNS_ECC_GOST:
+ default:
+ return 0;
+ }
+}
+
+static char *
+_verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
+ unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
+{
+ uint8_t digest[SHA1_DIGEST_SIZE];
+ uint8_t key_t;
+ int res = 0;
+ size_t offset;
+ struct dsa_public_key pubkey;
+ struct dsa_signature signature;
+ unsigned int expected_len;
+
+ /* Extract DSA signature from the record */
+ nettle_dsa_signature_init(&signature);
+ /* Signature length: 41 bytes - RFC 2536 sec. 3 */
+ if(sigblock_len == 41) {
+ if(key[0] != sigblock[0])
+ return "invalid T value in DSA signature or pubkey";
+ nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
+ nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
+ } else {
+ /* DER encoded, decode the ASN1 notated R and S bignums */
+ /* SEQUENCE { r INTEGER, s INTEGER } */
+ struct asn1_der_iterator i, seq;
+ if(asn1_der_iterator_first(&i, sigblock_len,
+ (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
+ || i.type != ASN1_SEQUENCE)
+ return "malformed DER encoded DSA signature";
+ /* decode this element of i using the seq iterator */
+ if(asn1_der_decode_constructed(&i, &seq) !=
+ ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
+ return "malformed DER encoded DSA signature";
+ if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
+ return "malformed DER encoded DSA signature";
+ if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
+ || seq.type != ASN1_INTEGER)
+ return "malformed DER encoded DSA signature";
+ if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
+ return "malformed DER encoded DSA signature";
+ if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
+ return "malformed DER encoded DSA signature";
+ }
+
+ /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
+ key_t = key[0];
+ if (key_t > 8) {
+ return "invalid T value in DSA pubkey";
+ }
+
+ /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
+ if (keylen < 21) {
+ return "DSA pubkey too short";
+ }
+
+ expected_len = 1 + /* T */
+ 20 + /* Q */
+ (64 + key_t*8) + /* P */
+ (64 + key_t*8) + /* G */
+ (64 + key_t*8); /* Y */
+ if (keylen != expected_len ) {
+ return "invalid DSA pubkey length";
+ }
+
+ /* Extract DSA pubkey from the record */
+ nettle_dsa_public_key_init(&pubkey);
+ offset = 1;
+ nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
+ offset += 20;
+ nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
+ offset += (64 + key_t*8);
+ nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
+ offset += (64 + key_t*8);
+ nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
+
+ /* Digest content of "buf" and verify its DSA signature in "sigblock"*/
+ res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+ (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+ res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
+
+ /* Clear and return */
+ nettle_dsa_signature_clear(&signature);
+ nettle_dsa_public_key_clear(&pubkey);
+ if (!res)
+ return "DSA signature verification failed";
+ else
+ return NULL;
+}
+
+static char *
+_verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
+ unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
+{
+ uint16_t exp_len = 0;
+ size_t exp_offset = 0, mod_offset = 0;
+ struct rsa_public_key pubkey;
+ mpz_t signature;
+ int res = 0;
+
+ /* RSA pubkey parsing as per RFC 3110 sec. 2 */
+ if( keylen <= 1) {
+ return "null RSA key";
+ }
+ if (key[0] != 0) {
+ /* 1-byte length */
+ exp_len = key[0];
+ exp_offset = 1;
+ } else {
+ /* 1-byte NUL + 2-bytes exponent length */
+ if (keylen < 3) {
+ return "incorrect RSA key length";
+ }
+ exp_len = READ_UINT16(key+1);
+ if (exp_len == 0)
+ return "null RSA exponent length";
+ exp_offset = 3;
+ }
+ /* Check that we are not over-running input length */
+ if (keylen < exp_offset + exp_len + 1) {
+ return "RSA key content shorter than expected";
+ }
+ mod_offset = exp_offset + exp_len;
+ nettle_rsa_public_key_init(&pubkey);
+ pubkey.size = keylen - mod_offset;
+ nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
+ nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
+
+ /* Digest content of "buf" and verify its RSA signature in "sigblock"*/
+ nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
+ switch (digest_size) {
+ case SHA1_DIGEST_SIZE:
+ {
+ uint8_t digest[SHA1_DIGEST_SIZE];
+ res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+ (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+ res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
+ break;
+ }
+ case SHA256_DIGEST_SIZE:
+ {
+ uint8_t digest[SHA256_DIGEST_SIZE];
+ res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+ (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+ res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
+ break;
+ }
+ case SHA512_DIGEST_SIZE:
+ {
+ uint8_t digest[SHA512_DIGEST_SIZE];
+ res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+ (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+ res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
+ break;
+ }
+ default:
+ break;
+ }
+
+ /* Clear and return */
+ nettle_rsa_public_key_clear(&pubkey);
+ mpz_clear(signature);
+ if (!res) {
+ return "RSA signature verification failed";
+ } else {
+ return NULL;
+ }
+}
+
+#ifdef USE_ECDSA
+static char *
+_verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
+ unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
+{
+ int res = 0;
+ struct ecc_point pubkey;
+ struct dsa_signature signature;
+
+ /* Always matched strength, as per RFC 6605 sec. 1 */
+ if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
+ return "wrong ECDSA signature length";
+ }
+
+ /* Parse ECDSA signature as per RFC 6605 sec. 4 */
+ nettle_dsa_signature_init(&signature);
+ switch (digest_size) {
+ case SHA256_DIGEST_SIZE:
+ {
+ uint8_t digest[SHA256_DIGEST_SIZE];
+ mpz_t x, y;
+ nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
+ nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
+ nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
+ nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
+ res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+ (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+ res &= nettle_ecc_point_set(&pubkey, x, y);
+ res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
+ mpz_clear(x);
+ mpz_clear(y);
+ break;
+ }
+ case SHA384_DIGEST_SIZE:
+ {
+ uint8_t digest[SHA384_DIGEST_SIZE];
+ mpz_t x, y;
+ nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
+ nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
+ nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
+ nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
+ res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
+ (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
+ res &= nettle_ecc_point_set(&pubkey, x, y);
+ res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
+ mpz_clear(x);
+ mpz_clear(y);
+ nettle_ecc_point_clear(&pubkey);
+ break;
+ }
+ default:
+ return "unknown ECDSA algorithm";
+ }
+
+ /* Clear and return */
+ nettle_dsa_signature_clear(&signature);
+ if (!res)
+ return "ECDSA signature verification failed";
+ else
+ return NULL;
+}
+#endif
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ * canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ * unchecked on format errors and alloc failures.
+ */
+enum sec_status
+verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
+ unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
+ char** reason)
+{
+ unsigned int digest_size = 0;
+
+ if (sigblock_len == 0 || keylen == 0) {
+ *reason = "null signature";
+ return sec_status_bogus;
+ }
+
+ switch(algo) {
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
+ if (*reason != NULL)
+ return sec_status_bogus;
+ else
+ return sec_status_secure;
+
+ case LDNS_RSASHA1:
+ case LDNS_RSASHA1_NSEC3:
+ digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
+#ifdef USE_SHA2
+ case LDNS_RSASHA256:
+ digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+ case LDNS_RSASHA512:
+ digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
+
+#endif
+ *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
+ sigblock_len, key, keylen);
+ if (*reason != NULL)
+ return sec_status_bogus;
+ else
+ return sec_status_secure;
+
+#ifdef USE_ECDSA
+ case LDNS_ECDSAP256SHA256:
+ digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+ case LDNS_ECDSAP384SHA384:
+ digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
+ *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
+ sigblock_len, key, keylen);
+ if (*reason != NULL)
+ return sec_status_bogus;
+ else
+ return sec_status_secure;
+#endif
+ case LDNS_RSAMD5:
+ case LDNS_ECC_GOST:
+ default:
+ *reason = "unable to verify signature, unknown algorithm";
+ return sec_status_bogus;
+ }
+}
-#endif /* HAVE_SSL or HAVE_NSS */
+#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
diff --git a/contrib/unbound/validator/val_secalgo.h b/contrib/unbound/validator/val_secalgo.h
index 085fbc5..589f1f1 100644
--- a/contrib/unbound/validator/val_secalgo.h
+++ b/contrib/unbound/validator/val_secalgo.h
@@ -44,6 +44,21 @@
#define VALIDATOR_VAL_SECALGO_H
struct sldns_buffer;
+/** Return size of nsec3 hash algorithm, 0 if not supported */
+size_t nsec3_hash_algo_size_supported(int id);
+
+/**
+ * Hash a single hash call of an NSEC3 hash algorithm.
+ * Iterations and salt are done by the caller.
+ * @param algo: nsec3 hash algorithm.
+ * @param buf: the buffer to digest
+ * @param len: length of buffer to digest.
+ * @param res: result stored here (must have sufficient space).
+ * @return false on failure.
+*/
+int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+ unsigned char* res);
+
/**
* Return size of DS digest according to its hash algorithm.
* @param algo: DS digest algo.
diff --git a/contrib/unbound/validator/val_sigcrypt.c b/contrib/unbound/validator/val_sigcrypt.c
index a2f1265..1dd07b4 100644
--- a/contrib/unbound/validator/val_sigcrypt.c
+++ b/contrib/unbound/validator/val_sigcrypt.c
@@ -57,7 +57,7 @@
#include "sldns/wire2str.h"
#include <ctype.h>
-#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
+#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
#error "Need crypto library to do digital signature cryptography"
#endif
diff --git a/contrib/unbound/validator/val_utils.h b/contrib/unbound/validator/val_utils.h
index cdb8769..051824a 100644
--- a/contrib/unbound/validator/val_utils.h
+++ b/contrib/unbound/validator/val_utils.h
@@ -391,7 +391,7 @@ int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset);
* Find DS denial message in cache. Saves new qstate allocation and allows
* the validator to use partial content which is not enough to construct a
* message for network (or user) consumption. Without SOA for example,
- * which is a common occurence in the unbound code since the referrals contain
+ * which is a common occurrence in the unbound code since the referrals contain
* NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a
* full negative reply, but do allow synthesis of sufficient proof.
* @param env: query env with caches and time.
diff --git a/contrib/unbound/validator/validator.c b/contrib/unbound/validator/validator.c
index f8b429e..db4383b 100644
--- a/contrib/unbound/validator/validator.c
+++ b/contrib/unbound/validator/validator.c
@@ -749,7 +749,7 @@ validate_nodata_response(struct module_env* env, struct val_env* ve,
/* Since we are here, there must be nothing in the ANSWER section to
* validate. */
/* (Note: CNAME/DNAME responses will not directly get here --
- * instead, they are chased down into indiviual CNAME validations,
+ * instead, they are chased down into individual CNAME validations,
* and at the end of the cname chain a POSITIVE, or CNAME_NOANSWER
* validation.) */
@@ -1597,7 +1597,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
target_key_name) != 0) {
/* check if there is a cache entry : pick up an NSEC if
* there is no DS, check if that NSEC has DS-bit unset, and
- * thus can disprove the secure delagation we seek.
+ * thus can disprove the secure delegation we seek.
* We can then use that NSEC even in the absence of a SOA
* record that would be required by the iterator to supply
* a completely protocol-correct response.
@@ -1829,7 +1829,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
* @return true if there is no DLV.
* false: processing is finished for the validator operate().
* This function may exit in three ways:
- * o no DLV (agressive cache), so insecure. (true)
+ * o no DLV (aggressive cache), so insecure. (true)
* o error - stop processing (false)
* o DLV lookup was started, stop processing (false)
*/
OpenPOWER on IntegriCloud