Diffstat (limited to 'contrib/unbound/util')
-rw-r--r-- | contrib/unbound/util/config_file.c | 27 | ||||
-rw-r--r-- | contrib/unbound/util/config_file.h | 7 | ||||
-rw-r--r-- | contrib/unbound/util/configlexer.lex | 1 | ||||
-rw-r--r-- | contrib/unbound/util/configparser.y | 13 | ||||
-rw-r--r-- | contrib/unbound/util/iana_ports.inc | 4 | ||||
-rw-r--r-- | contrib/unbound/util/locks.c | 2 | ||||
-rw-r--r-- | contrib/unbound/util/net_help.c | 12 | ||||
-rw-r--r-- | contrib/unbound/util/random.c | 74 | ||||
-rw-r--r-- | contrib/unbound/util/rbtree.c | 2 | ||||
-rw-r--r-- | contrib/unbound/util/rtt.h | 2 | ||||
-rw-r--r-- | contrib/unbound/util/storage/lookup3.c | 8 | ||||
-rw-r--r-- | contrib/unbound/util/tube.h | 2 | ||||
-rw-r--r-- | contrib/unbound/util/winsock_event.h | 2 |
13 files changed, 137 insertions, 19 deletions
diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c
index 062d12d..6354e99 100644
--- a/contrib/unbound/util/config_file.c
+++ b/contrib/unbound/util/config_file.c
@@ -100,7 +100,7 @@ config_create(void)
cfg->tcp_upstream = 0;
cfg->ssl_service_key = NULL;
cfg->ssl_service_pem = NULL;
- cfg->ssl_port = 443;
+ cfg->ssl_port = 853;
cfg->ssl_upstream = 0;
cfg->use_syslog = 1;
cfg->log_time_ascii = 0;
@@ -240,6 +240,7 @@ config_create(void)
cfg->ratelimit_for_domain = NULL;
cfg->ratelimit_below_domain = NULL;
cfg->ratelimit_factor = 10;
+ cfg->qname_minimisation = 0;
return cfg;
error_exit:
config_delete(cfg);
@@ -473,6 +474,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_MEMSIZE("ratelimit-size:", ratelimit_size)
else S_POW2("ratelimit-slabs:", ratelimit_slabs)
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
+ else S_YNO("qname-minimisation:", qname_minimisation)
/* val_sig_skew_min and max are copied into val_env during init,
* so this does not update val_env with set_option */
else if(strcmp(opt, "val-sig-skew-min:") == 0)
@@ -747,6 +749,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
+ else O_YNO(opt, "qname-minimisation", qname_minimisation)
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports
* local-zone - zones and nodefault variables
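Review bot: The `ssl_port` default at the top of config_create() moves from 443 to 853 with no accompanying documentation change anywhere in this diff; the field's doc comment in config_file.h and the man-page default (both outside these hunks) presumably still describe 443 and should be updated in the same change, since deployments that relied on the old default will start listening on, or connecting to, a different port after upgrade. A one-line comment at the assignment would also make the choice self-explanatory, e.g. `cfg->ssl_port = 853; /* IANA-assigned DNS-over-TLS port, see iana_ports.inc */`. config_create() begins before and continues past this hunk.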
@@ -1555,6 +1558,28 @@ w_lookup_reg_str(const char* key, const char* name)
}
return result;
}
+
+void w_config_adjust_directory(struct config_file* cfg)
+{
+ if(cfg->directory && cfg->directory[0]) {
+ TCHAR dirbuf[2*MAX_PATH+4];
+ if(strcmp(cfg->directory, "%EXECUTABLE%") == 0) {
+ /* get executable path, and if that contains
+ * directories, snip off the filename part */
+ dirbuf[0] = 0;
+ if(!GetModuleFileName(NULL, dirbuf, MAX_PATH))
+ log_err("could not GetModuleFileName");
+ if(strrchr(dirbuf, '\\')) {
+ (strrchr(dirbuf, '\\'))[0] = 0;
+ } else log_err("GetModuleFileName had no path");
+ if(dirbuf[0]) {
+ /* adjust directory for later lookups to work*/
+ free(cfg->directory);
+ cfg->directory = memdup(dirbuf, strlen(dirbuf)+1);
+ }
+ }
+ }
+}
#endif /* UB_ON_WINDOWS */
void errinf(struct module_qstate* qstate, const char* str)
diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h
index 99b15e0..8fa163e 100644
--- a/contrib/unbound/util/config_file.h
+++ b/contrib/unbound/util/config_file.h
@@ -283,7 +283,7 @@ struct config_file {
struct config_str2list* local_zones;
/** local zones nodefault list */
struct config_strlist* local_zones_nodefault;
- /** local data RRs configged */
+ /** local data RRs configured */
struct config_strlist* local_data;
/** unblock lan zones (reverse lookups for 10/8 and so on) */
int unblock_lan_zones;
@@ -364,6 +364,8 @@ struct config_file {
struct config_str2list* ratelimit_below_domain;
/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
int ratelimit_factor;
+ /** minimise outgoing QNAME and hide original QTYPE if possible */
+ int qname_minimisation;
};
/** from cfg username, after daemonise setup performed */
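Review bot: GetModuleFileName() truncation is not handled in the new w_config_adjust_directory(): only a zero return is treated as failure, but when the path does not fit in the nSize passed (MAX_PATH, although dirbuf holds 2*MAX_PATH+4 elements) the call returns nSize, the buffer holds a truncated path (and on older Windows versions may not be NUL-terminated), and that truncated path is then accepted as the working directory. memdup() can also return NULL, which leaves cfg->directory NULL after the old value has already been freed, silently dropping the setting. Passing the real buffer size, treating a return of 0 or >= that size as failure, and checking the memdup() result closes both gaps. dirbuf is declared TCHAR but used with strcmp/strrchr/strlen, so this presumably only builds in non-UNICODE configurations; a comment saying so would help.
```c
			/* get executable path, and if that contains
			 * directories, snip off the filename part */
			DWORD len = GetModuleFileName(NULL, dirbuf,
				sizeof(dirbuf)/sizeof(dirbuf[0]));
			if(len == 0 || len >= sizeof(dirbuf)/sizeof(dirbuf[0])) {
				/* failure or truncation: do not trust the buffer */
				log_err("could not GetModuleFileName");
				dirbuf[0] = 0;
			}
			/* … unchanged: strip the filename after the last backslash … */
			if(dirbuf[0]) {
				/* adjust directory for later lookups to work*/
				free(cfg->directory);
				cfg->directory = memdup(dirbuf, strlen(dirbuf)+1);
				if(!cfg->directory)
					log_err("out of memory adjusting directory");
			}
```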
@@ -739,6 +741,9 @@ void ub_c_error_msg(const char* fmt, ...) ATTR_FORMAT(printf, 1, 2);
* exist on an error (logged with log_err) was encountered.
*/
char* w_lookup_reg_str(const char* key, const char* name);
+
+/** Modify directory in options for module file name */
+void w_config_adjust_directory(struct config_file* cfg);
#endif /* UB_ON_WINDOWS */
#endif /* UTIL_CONFIG_FILE_H */
diff --git a/contrib/unbound/util/configlexer.lex b/contrib/unbound/util/configlexer.lex
index 1aea22e..a368066 100644
--- a/contrib/unbound/util/configlexer.lex
+++ b/contrib/unbound/util/configlexer.lex
@@ -207,6 +207,7 @@ SQANY [^\'\n\r\\]|\\.
/* note that flex makes the longest match and '.' is any but not nl */
LEXOUT(("comment(%s) ", ub_c_text)); /* ignore */ }
server{COLON} { YDVAR(0, VAR_SERVER) }
+qname-minimisation{COLON} { YDVAR(1, VAR_QNAME_MINIMISATION) }
num-threads{COLON} { YDVAR(1, VAR_NUM_THREADS) }
verbosity{COLON} { YDVAR(1, VAR_VERBOSITY) }
port{COLON} { YDVAR(1, VAR_PORT) }
diff --git a/contrib/unbound/util/configparser.y b/contrib/unbound/util/configparser.y
index d6db3c8..abc0bb0 100644
--- a/contrib/unbound/util/configparser.y
+++ b/contrib/unbound/util/configparser.y
@@ -122,6 +122,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
+%token VAR_QNAME_MINIMISATION
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -186,7 +187,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ratelimit_size | server_ratelimit_for_domain | server_ratelimit_below_domain | server_ratelimit_factor | server_caps_whitelist | server_cache_max_negative_ttl |
- server_permit_small_holddown
+ server_permit_small_holddown | server_qname_minimisation
;
stubstart: VAR_STUB_ZONE
{
@@ -1318,6 +1319,16 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
free($2);
}
;
+server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG
+ {
+ OUTYY(("P(server_qname_minimisation:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->qname_minimisation =
+ (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
stub_name: VAR_NAME STRING_ARG
{
OUTYY(("P(name:%s)\n", $2));
diff --git a/contrib/unbound/util/iana_ports.inc b/contrib/unbound/util/iana_ports.inc
index 64edf0b..b09a9ad 100644
--- a/contrib/unbound/util/iana_ports.inc
+++ b/contrib/unbound/util/iana_ports.inc
@@ -660,6 +660,7 @@
833,
847,
848,
+853,
860,
861,
862,
@@ -3842,6 +3843,7 @@
4406,
4412,
4413,
+4416,
4425,
4426,
4430,
@@ -4572,6 +4574,7 @@
7070,
7071,
7080,
+7088,
7095,
7099,
7100,
@@ -5383,6 +5386,7 @@
38203,
39681,
40000,
+40023,
40841,
40842,
40843,
diff --git a/contrib/unbound/util/locks.c b/contrib/unbound/util/locks.c
index 509895d..adfb6c0 100644
--- a/contrib/unbound/util/locks.c
+++ b/contrib/unbound/util/locks.c
@@ -232,7 +232,7 @@ void ub_thread_create(ub_thread_t* thr, void* (*func)(void*), void* arg)
0, /* default flags, run immediately */
NULL); /* do not store thread identifier anywhere */
#else
- /* the begintheadex routine setups for the C lib; aligns stack */
+ /* the beginthreadex routine setups for the C lib; aligns stack */
*thr=(ub_thread_t)_beginthreadex(NULL, 0, (void*)func, arg, 0, NULL);
#endif
if(*thr == NULL) {
diff --git a/contrib/unbound/util/net_help.c b/contrib/unbound/util/net_help.c
index 07605b1..eb03cd0 100644
--- a/contrib/unbound/util/net_help.c
+++ b/contrib/unbound/util/net_help.c
@@ -619,12 +619,14 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
return NULL;
}
/* no SSLv2, SSLv3 because has defects */
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
SSL_CTX_free(ctx);
return NULL;
}
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3){
log_crypto_err("could not set SSL_OP_NO_SSLv3");
SSL_CTX_free(ctx);
return NULL;
@@ -690,12 +692,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
log_crypto_err("could not allocate SSL_CTX pointer");
return NULL;
}
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2) {
log_crypto_err("could not set SSL_OP_NO_SSLv2");
SSL_CTX_free(ctx);
return NULL;
}
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3) {
log_crypto_err("could not set SSL_OP_NO_SSLv3");
SSL_CTX_free(ctx);
return NULL;
diff --git a/contrib/unbound/util/random.c b/contrib/unbound/util/random.c
index 71f0ba5..684464e 100644
--- a/contrib/unbound/util/random.c
+++ b/contrib/unbound/util/random.c
@@ -68,6 +68,8 @@
/* nss3 */
#include "secport.h"
#include "pk11pub.h"
+#elif defined(HAVE_NETTLE)
+#include "yarrow.h"
#endif
/**
@@ -76,7 +78,7 @@
*/
#define MAX_VALUE 0x7fffffff
-#ifndef HAVE_NSS
+#if defined(HAVE_SSL)
void ub_systemseed(unsigned int ATTR_UNUSED(seed))
{
@@ -110,7 +112,7 @@ ub_random_max(struct ub_randstate* state, long int x)
return (long)arc4random_uniform((uint32_t)x);
}
-#else
+#elif defined(HAVE_NSS)
/* not much to remember for NSS since we use its pk11_random, placeholder */
struct ub_randstate {
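Review bot: The reason the SSL_OP_NO_SSLv2/SSLv3 checks in listen_sslctx_create() and connect_sslctx_create() are rewritten is not recorded in the code: SSL_OP_NO_SSLv2 is defined as 0 in OpenSSL 1.1.0 and later (SSLv2 support was removed), so the old `!(... & SSL_OP_NO_SSLv2)` test failed unconditionally there, while the new `!= SSL_OP_NO_SSLv2` form is satisfied when the flag is 0. Without a comment the next reader is likely to "simplify" it back to the broken form. Suggest extending the existing `/* no SSLv2, SSLv3 because has defects */` comment with `compare against the flag rather than for nonzero: SSL_OP_NO_SSLv2 is 0 on OpenSSL >= 1.1.0, where SSLv2 no longer exists`, and placing the same note above the connect_sslctx_create() check. Both functions begin before and continue past their hunks.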
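Review bot: Replacing `#ifndef HAVE_NSS` with `#if defined(HAVE_SSL)` at the head of the arc4random-based block means a build with none of HAVE_SSL, HAVE_NSS or HAVE_NETTLE defined no longer gets any definition of ub_systemseed(), ub_initstate(), ub_random() or ub_random_max(), where previously every non-NSS build did; whether configure permits such a build is not visible here, but if it does the outcome is a link failure instead of a clear message. An `#else` branch with `#error "no random generator backend: HAVE_SSL, HAVE_NSS or HAVE_NETTLE required"` before the closing `#endif` of the chain (added in the following hunk) would make the constraint explicit at compile time. The ub_systemseed() body starts in this hunk and continues outside it.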
@@ -144,6 +146,72 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
return x & MAX_VALUE;
}
+#elif defined(HAVE_NETTLE)
+
+/**
+ * libnettle implements a Yarrow-256 generator (SHA256 + AES),
+ * and we have to ensure it is seeded before use.
+ */
+struct ub_randstate {
+ struct yarrow256_ctx ctx;
+ int seeded;
+};
+
+void ub_systemseed(unsigned int ATTR_UNUSED(seed))
+{
+/**
+ * We seed on init and not here, as we need the ctx to re-seed.
+ * This also means that re-seeding is not supported.
+ */
+ log_err("Re-seeding not supported, generator untouched");
+}
+
+struct ub_randstate* ub_initstate(unsigned int seed,
+ struct ub_randstate* ATTR_UNUSED(from))
+{
+ struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
+ uint8_t buf[YARROW256_SEED_FILE_SIZE];
+ if(!s) {
+ log_err("malloc failure in random init");
+ return NULL;
+ }
+ /* Setup Yarrow context */
+ yarrow256_init(&s->ctx, 0, NULL);
+
+ if(getentropy(buf, sizeof(buf)) != -1) {
+ /* got entropy */
+ yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
+ s->seeded = yarrow256_is_seeded(&s->ctx);
+ } else {
+ /* Stretch the uint32 input seed and feed it to Yarrow */
+ uint32_t v = seed;
+ size_t i;
+ for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
+ memmove(buf+i*sizeof(seed), &v, sizeof(seed));
+ v = v*seed + (uint32_t)i;
+ }
+ yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
+ s->seeded = yarrow256_is_seeded(&s->ctx);
+ }
+
+ return s;
+}
+
+long int ub_random(struct ub_randstate* s)
+{
+ /* random 31 bit value. */
+ long int x = 0;
+ if (!s || !s->seeded) {
+ log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded");
+ } else {
+ yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x);
+ }
+ return x & MAX_VALUE;
+}
+#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
+
+
+#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
long int ub_random_max(struct ub_randstate* state, long int x)
{
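Review bot: The getentropy() fallback in the new ub_initstate() seeds the Yarrow-256 generator from a single 32-bit `seed` expanded by a linear recurrence, so on that path the entire generator state carries at most 32 bits of entropy, and nothing tells the operator it happened — the branch only carries `/* Stretch the uint32 input seed and feed it to Yarrow */`. What this generator is used for is outside the hunk, but since the fallback is silent and the new ub_systemseed() only logs an error and cannot repair it later, the branch should at least warn, e.g. `log_warn("getentropy failed, seeding random generator from weak 32-bit seed");`. Two smaller points: `buf` holds seed material on the stack after yarrow256_seed() on both paths and could be cleared before return, and getentropy() is called with no HAVE_GETENTROPY guard, which may not hold on every platform this backend is built for (the file's includes are outside the hunk). ub_random_max() at the end of the hunk (body continues past it) now also serves the nettle backend with `v % x`, inheriting the modulo bias the NSS path already had.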
@@ -155,7 +223,7 @@ ub_random_max(struct ub_randstate* state, long int x)
v = ub_random(state);
return (v % x);
}
-#endif /* HAVE_NSS */
+#endif /* HAVE_NSS or HAVE_NETTLE */
void ub_randfree(struct ub_randstate* s)
diff --git a/contrib/unbound/util/rbtree.c b/contrib/unbound/util/rbtree.c
index a898f13..ee5446f 100644
--- a/contrib/unbound/util/rbtree.c
+++ b/contrib/unbound/util/rbtree.c
@@ -68,7 +68,7 @@ static void rbtree_insert_fixup(rbtree_t *rbtree, rbnode_t *node);
static void rbtree_delete_fixup(rbtree_t* rbtree, rbnode_t* child, rbnode_t* child_parent);
/*
- * Creates a new red black tree, intializes and returns a pointer to it.
+ * Creates a new red black tree, initializes and returns a pointer to it.
*
* Return NULL on failure.
*
diff --git a/contrib/unbound/util/rtt.h b/contrib/unbound/util/rtt.h
index d6da986..07e65ee 100644
--- a/contrib/unbound/util/rtt.h
+++ b/contrib/unbound/util/rtt.h
@@ -96,7 +96,7 @@ int rtt_notimeout(const struct rtt_info* rtt);
void rtt_update(struct rtt_info* rtt, int ms);
/**
- * Update the statistics with a new timout expired observation.
+ * Update the statistics with a new timeout expired observation.
* @param rtt: round trip statistics structure.
* @param orig: original rtt time given for the query that timed out.
* Used to calculate the maximum responsible backed off time that
diff --git a/contrib/unbound/util/storage/lookup3.c b/contrib/unbound/util/storage/lookup3.c
index de28858..ddcb56e 100644
--- a/contrib/unbound/util/storage/lookup3.c
+++ b/contrib/unbound/util/storage/lookup3.c
@@ -356,7 +356,7 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
- * noticably faster for short strings (like English words).
+ * noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
@@ -544,7 +544,7 @@ void hashlittle2(
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
- * noticably faster for short strings (like English words).
+ * noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
@@ -725,7 +725,7 @@ uint32_t hashbig( const void *key, size_t length, uint32_t initval)
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
- * noticably faster for short strings (like English words).
+ * noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
@@ -858,7 +858,7 @@ void driver2()
{
for (j=0; j<8; ++j) /*------------------------ for each input bit, */
{
- for (m=1; m<8; ++m) /*------------ for serveral possible initvals, */
+ for (m=1; m<8; ++m) /*------------ for several possible initvals, */
{
for (l=0; l<HASHSTATE; ++l)
e[l]=f[l]=g[l]=h[l]=x[l]=y[l]=~((uint32_t)0);
diff --git a/contrib/unbound/util/tube.h b/contrib/unbound/util/tube.h
index 9ec50af..6cc6050 100644
--- a/contrib/unbound/util/tube.h
+++ b/contrib/unbound/util/tube.h
@@ -83,7 +83,7 @@ struct tube {
/** background write queue, commpoint to write results back */
struct comm_point* res_com;
- /** are we curently writing a result, 0 if not, else bytecount into
+ /** are we currently writing a result, 0 if not, else bytecount into
* the res_list first entry. */
size_t res_write;
/** list of outstanding results to be written back */
diff --git a/contrib/unbound/util/winsock_event.h b/contrib/unbound/util/winsock_event.h
index f642657..d386a69 100644
--- a/contrib/unbound/util/winsock_event.h
+++ b/contrib/unbound/util/winsock_event.h
@@ -201,7 +201,7 @@ struct event {
int stick_events;
/** true if this event is a signaling WSAEvent by the user.
- * User created and user closed WSAEvent. Only signaled/unsigneled,
+ * User created and user closed WSAEvent. Only signaled/unsignaled,
* no read/write/distinctions needed. */
int is_signal;
/** used during callbacks to see which events were just checked */ |