update unbound, fix unbound openssl issue on OS X
This commit is contained in:
parent
32a26332f8
commit
2d43ae8063
|
@ -30,6 +30,15 @@ cmake_minimum_required(VERSION 2.8.7)
|
|||
|
||||
project(unbound C)
|
||||
|
||||
if (APPLE)
|
||||
if (not OpenSSL_DIR)
|
||||
EXECUTE_PROCESS(COMMAND brew --prefix openssl
|
||||
OUTPUT_VARIABLE OPENSSL_ROOT_DIR
|
||||
OUTPUT_STRIP_TRAILING_WHITESPACE)
|
||||
message(STATUS "Using OpenSSL found at ${OPENSSL_ROOT_DIR}")
|
||||
endif()
|
||||
endif()
|
||||
|
||||
find_package(OpenSSL REQUIRED)
|
||||
find_package(Threads)
|
||||
|
||||
|
|
|
@ -38,6 +38,7 @@ UNBOUND_VERSION_MINOR=@UNBOUND_VERSION_MINOR@
|
|||
UNBOUND_VERSION_MICRO=@UNBOUND_VERSION_MICRO@
|
||||
ALLTARGET=@ALLTARGET@
|
||||
INSTALLTARGET=@INSTALLTARGET@
|
||||
SSLLIB=@SSLLIB@
|
||||
|
||||
# _unbound.la if pyunbound enabled.
|
||||
PYUNBOUND_TARGET=@PYUNBOUND_TARGET@
|
||||
|
@ -132,7 +133,7 @@ compat/memcmp.c compat/memmove.c compat/snprintf.c compat/strlcat.c \
|
|||
compat/strlcpy.c compat/strptime.c compat/getentropy_linux.c \
|
||||
compat/getentropy_osx.c compat/getentropy_solaris.c compat/getentropy_win.c \
|
||||
compat/explicit_bzero.c compat/arc4random.c compat/arc4random_uniform.c \
|
||||
compat/arc4_lock.c compat/sha512.c compat/reallocarray.c
|
||||
compat/arc4_lock.c compat/sha512.c compat/reallocarray.c compat/isblank.c
|
||||
COMPAT_OBJ=$(LIBOBJS:.o=.lo)
|
||||
COMPAT_OBJ_WITHOUT_CTIME=$(LIBOBJ_WITHOUT_CTIME:.o=.lo)
|
||||
COMPAT_OBJ_WITHOUT_CTIMEARC4=$(LIBOBJ_WITHOUT_CTIMEARC4:.o=.lo)
|
||||
|
@ -242,7 +243,7 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
|
|||
$(COMPAT_OBJ) $(PYUNBOUND_OBJ) \
|
||||
$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ)
|
||||
|
||||
COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS)
|
||||
COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@
|
||||
LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
|
||||
LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(staticexe) -version-info @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined
|
||||
|
||||
|
@ -295,22 +296,22 @@ longtest: tests
|
|||
lib: libunbound.la unbound.h
|
||||
|
||||
libunbound.la: $(LIBUNBOUND_OBJ_LINK)
|
||||
$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) -lssl $(LIBS)
|
||||
$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound$(EXEEXT): $(DAEMON_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-checkconf$(EXEEXT): $(CHECKCONF_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-control$(EXEEXT): $(CONTROL_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-host$(EXEEXT): $(HOST_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
|
||||
|
||||
unbound-anchor$(EXEEXT): $(UBANCHOR_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-service-install$(EXEEXT): $(SVCINST_OBJ_LINK)
|
||||
$(LINK) -o $@ $(SVCINST_OBJ_LINK) $(LIBS)
|
||||
|
@ -322,37 +323,37 @@ anchor-update$(EXEEXT): $(ANCHORUPD_OBJ_LINK) libunbound.la
|
|||
$(LINK) -o $@ $(ANCHORUPD_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
|
||||
|
||||
unittest$(EXEEXT): $(UNITTEST_OBJ_LINK)
|
||||
$(LINK) -o $@ $(UNITTEST_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
testbound$(EXEEXT): $(TESTBOUND_OBJ_LINK)
|
||||
$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
lock-verify$(EXEEXT): $(LOCKVERIFY_OBJ_LINK)
|
||||
$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
petal$(EXEEXT): $(PETAL_OBJ_LINK)
|
||||
$(LINK) -o $@ $(PETAL_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(PETAL_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
pktview$(EXEEXT): $(PKTVIEW_OBJ_LINK)
|
||||
$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
memstats$(EXEEXT): $(MEMSTATS_OBJ_LINK)
|
||||
$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
asynclook$(EXEEXT): $(ASYNCLOOK_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
|
||||
|
||||
streamtcp$(EXEEXT): $(STREAMTCP_OBJ_LINK)
|
||||
$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
perf$(EXEEXT): $(PERF_OBJ_LINK)
|
||||
$(LINK) -o $@ $(PERF_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
delayer$(EXEEXT): $(DELAYER_OBJ_LINK)
|
||||
$(LINK) -o $@ $(DELAYER_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
signit$(EXEEXT): testcode/signit.c
|
||||
$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns -lssl $(LIBS)
|
||||
$(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound.h: $(srcdir)/libunbound/unbound.h
|
||||
sed -e 's/@''UNBOUND_VERSION_MAJOR@/$(UNBOUND_VERSION_MAJOR)/' -e 's/@''UNBOUND_VERSION_MINOR@/$(UNBOUND_VERSION_MINOR)/' -e 's/@''UNBOUND_VERSION_MICRO@/$(UNBOUND_VERSION_MICRO)/' < $(srcdir)/libunbound/unbound.h > $@
|
||||
|
@ -566,7 +567,7 @@ DEPEND_TARGET2=Makefile.in
|
|||
# then, remove srcdir from the (generated) parser and lexer.
|
||||
# and mention the .lo
|
||||
depend:
|
||||
(cd $(srcdir) ; $(CC) $(DEPFLAG) $(CPPFLAGS) $(CFLAGS) $(ALL_SRC) $(COMPAT_SRC)) | \
|
||||
(cd $(srcdir) ; $(CC) $(DEPFLAG) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@ $(ALL_SRC) $(COMPAT_SRC)) | \
|
||||
sed -e 's!'$$HOME'[^ ]* !!g' -e 's!'$$HOME'[^ ]*$$!!g' \
|
||||
-e 's!/usr[^ ]* !!g' -e 's!/usr[^ ]*$$!!g' \
|
||||
-e 's!/opt[^ ]* !!g' -e 's!/opt[^ ]*$$!!g' | \
|
||||
|
@ -644,7 +645,7 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
|
|||
$(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
|
||||
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
|
||||
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
|
||||
iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
|
||||
|
@ -727,8 +728,7 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi
|
|||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
|
||||
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h
|
||||
alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
|
||||
|
@ -776,14 +776,12 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
|
|||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
|
||||
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
|
||||
$(srcdir)/sldns/wire2str.h \
|
||||
|
||||
$(srcdir)/sldns/wire2str.h
|
||||
random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
|
||||
rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
|
@ -818,8 +816,7 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
|
|||
$(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
|
||||
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
|
||||
val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
|
||||
|
@ -844,18 +841,16 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
|
|||
val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
|
||||
val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
|
||||
$(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
|
||||
val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h \
|
||||
$(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/validator.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
|
||||
val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
|
||||
val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
|
||||
|
@ -867,17 +862,15 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
|
|||
$(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
|
||||
val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/sldns/sbuffer.h \
|
||||
|
||||
$(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/sldns/sbuffer.h
|
||||
val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
|
||||
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
|
||||
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
|
||||
val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
|
||||
|
@ -895,11 +888,6 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
|
|||
$(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
|
||||
checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/testcode/checklocks.h
|
||||
dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/dnstap/dnstap.pb-c.h
|
||||
dnstap.pb-c.lo dnstap.pb-c.o: $(srcdir)/dnstap/dnstap.pb-c.c $(srcdir)/dnstap/dnstap.pb-c.h
|
||||
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
|
||||
$(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
|
||||
|
@ -908,8 +896,7 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
|
|||
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
|
||||
unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
|
||||
unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
|
@ -947,38 +934,35 @@ unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/lo
|
|||
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
|
||||
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
|
||||
$(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h \
|
||||
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
|
||||
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
|
||||
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
|
||||
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
|
||||
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
|
||||
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \
|
||||
$(srcdir)/sldns/str2wire.h
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
|
||||
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
|
||||
$(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
|
||||
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
|
@ -1002,35 +986,33 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
|
|||
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
|
||||
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/mini_event.h \
|
||||
$(srcdir)/util/rbtree.h
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
|
||||
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
|
||||
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
|
||||
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/libunbound/libworker.h
|
||||
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
|
||||
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
|
||||
$(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
|
||||
$(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
|
@ -1046,12 +1028,12 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
|
|||
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
|
||||
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
|
||||
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
|
||||
|
@ -1059,14 +1041,13 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
|
|||
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
|
||||
|
@ -1141,19 +1122,18 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
|
|||
$(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
|
||||
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
|
||||
$(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/services/mesh.h \
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
|
||||
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
|
||||
$(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
|
||||
unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
|
||||
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
|
@ -1164,21 +1144,18 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
|
|||
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
|
||||
|
||||
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
|
||||
perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
|
||||
delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
|
||||
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
|
||||
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
|
||||
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
|
||||
|
||||
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
|
||||
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
|
||||
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
|
||||
pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
|
@ -1191,8 +1168,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
|
|||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
|
||||
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
|
||||
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
|
||||
$(srcdir)/winrc/w_inst.h
|
||||
|
@ -1200,14 +1176,11 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
|
|||
$(srcdir)/winrc/w_inst.h
|
||||
anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
|
||||
keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/sldns/rrdef.h \
|
||||
|
||||
keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
|
||||
sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
|
||||
wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/keyraw.h \
|
||||
|
||||
$(srcdir)/sldns/keyraw.h
|
||||
parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
|
||||
$(srcdir)/sldns/sbuffer.h
|
||||
parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
|
||||
|
@ -1227,8 +1200,7 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
|
|||
strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
|
||||
strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
|
||||
strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
|
||||
getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
|
||||
|
||||
getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
|
||||
getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
|
||||
getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
|
||||
getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
|
||||
|
@ -1238,3 +1210,4 @@ arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.
|
|||
arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h $(srcdir)/util/locks.h
|
||||
sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
|
||||
reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
|
||||
isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h
|
||||
|
|
|
@ -2,7 +2,11 @@
|
|||
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
|
||||
# BSD licensed.
|
||||
#
|
||||
# Version 27
|
||||
# Version 31
|
||||
# 2015-12-11 FLTO check for new OSX, clang.
|
||||
# 2015-11-18 spelling check fix.
|
||||
# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
|
||||
# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
|
||||
# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
|
||||
# 2013-09-19 FLTO help text improved.
|
||||
# 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
|
||||
|
@ -23,7 +27,7 @@
|
|||
# 2010-07-02 Add check for ss_family (for minix).
|
||||
# 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS.
|
||||
# 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end.
|
||||
# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS seperate, -ldl
|
||||
# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS separate, -ldl
|
||||
# 2010-02-01 added ACX_CHECK_MEMCMP_SIGNED, AHX_MEMCMP_BROKEN
|
||||
# 2010-01-20 added AHX_COONFIG_STRLCAT
|
||||
# 2009-07-14 U_CHAR detection improved for windows crosscompile.
|
||||
|
@ -94,6 +98,8 @@
|
|||
# ACX_CHECK_MEMCMP_SIGNED - check if memcmp uses signed characters.
|
||||
# AHX_MEMCMP_BROKEN - replace memcmp func for CHECK_MEMCMP_SIGNED.
|
||||
# ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family
|
||||
# ACX_CHECK_PIE - add --enable-pie option and check if works
|
||||
# ACX_CHECK_RELRO_NOW - add --enable-relro-now option and check it
|
||||
#
|
||||
|
||||
dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines.
|
||||
|
@ -418,7 +424,7 @@ AC_DEFUN([ACX_CHECK_FLTO], [
|
|||
BAKCFLAGS="$CFLAGS"
|
||||
CFLAGS="$CFLAGS -flto"
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
|
||||
if $CC $CFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
if $CC $CFLAGS -o conftest conftest.c 2>&1 | $GREP -e "warning: no debug symbols in executable" -e "warning: object" >/dev/null; then
|
||||
CFLAGS="$BAKCFLAGS"
|
||||
AC_MSG_RESULT(no)
|
||||
else
|
||||
|
@ -712,12 +718,6 @@ AC_DEFUN([ACX_SSL_CHECKS], [
|
|||
fi
|
||||
AC_SUBST(HAVE_SSL)
|
||||
AC_SUBST(RUNTIME_PATH)
|
||||
# openssl engine functionality needs dlopen().
|
||||
BAKLIBS="$LIBS"
|
||||
AC_SEARCH_LIBS([dlopen], [dl])
|
||||
if test "$LIBS" != "$BAKLIBS"; then
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
|
||||
fi
|
||||
fi
|
||||
AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
|
||||
|
@ -1386,4 +1386,46 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY],
|
|||
#endif
|
||||
]) ])
|
||||
|
||||
dnl Check if CC and linker support -fPIE and -pie.
|
||||
dnl If so, sets them in CFLAGS / LDFLAGS.
|
||||
AC_DEFUN([ACX_CHECK_PIE], [
|
||||
AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)]))
|
||||
AS_IF([test "x$enable_pie" = "xyes"], [
|
||||
AC_MSG_CHECKING([if $CC supports PIE])
|
||||
BAKLDFLAGS="$LDFLAGS"
|
||||
BAKCFLAGS="$CFLAGS"
|
||||
LDFLAGS="$LDFLAGS -pie"
|
||||
CFLAGS="$CFLAGS -fPIE"
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
|
||||
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
LDFLAGS="$BAKLDFLAGS"
|
||||
AC_MSG_RESULT(no)
|
||||
else
|
||||
AC_MSG_RESULT(yes)
|
||||
fi
|
||||
rm -f conftest conftest.c conftest.o
|
||||
], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
|
||||
])
|
||||
])
|
||||
|
||||
dnl Check if linker supports -Wl,-z,relro,-z,now.
|
||||
dnl If so, adds it to LDFLAGS.
|
||||
AC_DEFUN([ACX_CHECK_RELRO_NOW], [
|
||||
AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)]))
|
||||
AS_IF([test "x$enable_relro_now" = "xyes"], [
|
||||
AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now])
|
||||
BAKLDFLAGS="$LDFLAGS"
|
||||
LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
|
||||
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
LDFLAGS="$BAKLDFLAGS"
|
||||
AC_MSG_RESULT(no)
|
||||
else
|
||||
AC_MSG_RESULT(yes)
|
||||
fi
|
||||
rm -f conftest conftest.c conftest.o
|
||||
], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)])
|
||||
])
|
||||
])
|
||||
|
||||
dnl End of file
|
||||
|
|
|
@ -82,7 +82,7 @@
|
|||
# modified version of the Autoconf Macro, you may extend this special
|
||||
# exception to the GPL to apply to your modified version as well.
|
||||
|
||||
#serial 20
|
||||
#serial 21
|
||||
|
||||
AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
|
||||
AC_DEFUN([AX_PTHREAD], [
|
||||
|
@ -103,8 +103,8 @@ if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
|
|||
save_LIBS="$LIBS"
|
||||
LIBS="$PTHREAD_LIBS $LIBS"
|
||||
AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS])
|
||||
AC_TRY_LINK_FUNC(pthread_join, ax_pthread_ok=yes)
|
||||
AC_MSG_RESULT($ax_pthread_ok)
|
||||
AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes])
|
||||
AC_MSG_RESULT([$ax_pthread_ok])
|
||||
if test x"$ax_pthread_ok" = xno; then
|
||||
PTHREAD_LIBS=""
|
||||
PTHREAD_CFLAGS=""
|
||||
|
@ -164,6 +164,20 @@ case ${host_os} in
|
|||
;;
|
||||
esac
|
||||
|
||||
# Clang doesn't consider unrecognized options an error unless we specify
|
||||
# -Werror. We throw in some extra Clang-specific options to ensure that
|
||||
# this doesn't happen for GCC, which also accepts -Werror.
|
||||
|
||||
AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags])
|
||||
save_CFLAGS="$CFLAGS"
|
||||
ax_pthread_extra_flags="-Werror"
|
||||
CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument"
|
||||
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])],
|
||||
[AC_MSG_RESULT([yes])],
|
||||
[ax_pthread_extra_flags=
|
||||
AC_MSG_RESULT([no])])
|
||||
CFLAGS="$save_CFLAGS"
|
||||
|
||||
if test x"$ax_pthread_ok" = xno; then
|
||||
for flag in $ax_pthread_flags; do
|
||||
|
||||
|
@ -178,7 +192,7 @@ for flag in $ax_pthread_flags; do
|
|||
;;
|
||||
|
||||
pthread-config)
|
||||
AC_CHECK_PROG(ax_pthread_config, pthread-config, yes, no)
|
||||
AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
|
||||
if test x"$ax_pthread_config" = xno; then continue; fi
|
||||
PTHREAD_CFLAGS="`pthread-config --cflags`"
|
||||
PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
|
||||
|
@ -193,7 +207,7 @@ for flag in $ax_pthread_flags; do
|
|||
save_LIBS="$LIBS"
|
||||
save_CFLAGS="$CFLAGS"
|
||||
LIBS="$PTHREAD_LIBS $LIBS"
|
||||
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
|
||||
CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags"
|
||||
|
||||
# Check for various functions. We must include pthread.h,
|
||||
# since some functions may be macros. (On the Sequent, we
|
||||
|
@ -219,7 +233,7 @@ for flag in $ax_pthread_flags; do
|
|||
LIBS="$save_LIBS"
|
||||
CFLAGS="$save_CFLAGS"
|
||||
|
||||
AC_MSG_RESULT($ax_pthread_ok)
|
||||
AC_MSG_RESULT([$ax_pthread_ok])
|
||||
if test "x$ax_pthread_ok" = xyes; then
|
||||
break;
|
||||
fi
|
||||
|
@ -245,9 +259,9 @@ if test "x$ax_pthread_ok" = xyes; then
|
|||
[attr_name=$attr; break],
|
||||
[])
|
||||
done
|
||||
AC_MSG_RESULT($attr_name)
|
||||
AC_MSG_RESULT([$attr_name])
|
||||
if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then
|
||||
AC_DEFINE_UNQUOTED(PTHREAD_CREATE_JOINABLE, $attr_name,
|
||||
AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name],
|
||||
[Define to necessary symbol if this constant
|
||||
uses a non-standard name on your system.])
|
||||
fi
|
||||
|
@ -261,24 +275,25 @@ if test "x$ax_pthread_ok" = xyes; then
|
|||
if test "$GCC" = "yes"; then
|
||||
flag="-D_REENTRANT"
|
||||
else
|
||||
# TODO: What about Clang on Solaris?
|
||||
flag="-mt -D_REENTRANT"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
AC_MSG_RESULT(${flag})
|
||||
AC_MSG_RESULT([$flag])
|
||||
if test "x$flag" != xno; then
|
||||
PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
|
||||
fi
|
||||
|
||||
AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
|
||||
ax_cv_PTHREAD_PRIO_INHERIT, [
|
||||
AC_LINK_IFELSE([
|
||||
AC_LANG_PROGRAM([[#include <pthread.h>]], [[int i = PTHREAD_PRIO_INHERIT;]])],
|
||||
[ax_cv_PTHREAD_PRIO_INHERIT], [
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
|
||||
[[int i = PTHREAD_PRIO_INHERIT;]])],
|
||||
[ax_cv_PTHREAD_PRIO_INHERIT=yes],
|
||||
[ax_cv_PTHREAD_PRIO_INHERIT=no])
|
||||
])
|
||||
AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"],
|
||||
AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], 1, [Have PTHREAD_PRIO_INHERIT.]))
|
||||
[AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])])
|
||||
|
||||
LIBS="$save_LIBS"
|
||||
CFLAGS="$save_CFLAGS"
|
||||
|
@ -301,13 +316,13 @@ fi
|
|||
|
||||
test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
|
||||
|
||||
AC_SUBST(PTHREAD_LIBS)
|
||||
AC_SUBST(PTHREAD_CFLAGS)
|
||||
AC_SUBST(PTHREAD_CC)
|
||||
AC_SUBST([PTHREAD_LIBS])
|
||||
AC_SUBST([PTHREAD_CFLAGS])
|
||||
AC_SUBST([PTHREAD_CC])
|
||||
|
||||
# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
|
||||
if test x"$ax_pthread_ok" = xyes; then
|
||||
ifelse([$1],,AC_DEFINE(HAVE_PTHREAD,1,[Define if you have POSIX threads libraries and header files.]),[$1])
|
||||
ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
|
||||
:
|
||||
else
|
||||
ax_pthread_ok=no
|
||||
|
|
|
@ -26,7 +26,9 @@
|
|||
#include <fcntl.h>
|
||||
#include <limits.h>
|
||||
#include <signal.h>
|
||||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
|
|
@ -46,7 +46,12 @@
|
|||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
#include <time.h>
|
||||
|
||||
#if defined(HAVE_SSL)
|
||||
#include <openssl/sha.h>
|
||||
#elif defined(HAVE_NETTLE)
|
||||
#include <nettle/sha.h>
|
||||
#endif
|
||||
|
||||
#include <linux/types.h>
|
||||
#include <linux/random.h>
|
||||
|
@ -67,9 +72,21 @@
|
|||
HD(b); \
|
||||
} while (0)
|
||||
|
||||
#if defined(HAVE_SSL)
|
||||
#define CRYPTO_SHA512_CTX SHA512_CTX
|
||||
#define CRYPTO_SHA512_INIT(x) SHA512_Init(x)
|
||||
#define CRYPTO_SHA512_FINAL(r, c) SHA512_Final(r, c)
|
||||
#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
|
||||
#define HD(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
|
||||
#define HF(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (void*)))
|
||||
#elif defined(HAVE_NETTLE)
|
||||
#define CRYPTO_SHA512_CTX struct sha512_ctx
|
||||
#define CRYPTO_SHA512_INIT(x) sha512_init(x)
|
||||
#define CRYPTO_SHA512_FINAL(r, c) sha512_digest(c, SHA512_DIGEST_SIZE, r)
|
||||
#define HR(x, l) (sha512_update(&ctx, (l), (uint8_t *)(x)))
|
||||
#define HD(x) (sha512_update(&ctx, sizeof (x), (uint8_t *)&(x)))
|
||||
#define HF(x) (sha512_update(&ctx, sizeof (void*), (uint8_t *)&(x)))
|
||||
#endif
|
||||
|
||||
int getentropy(void *buf, size_t len);
|
||||
|
||||
|
@ -122,7 +139,7 @@ getentropy(void *buf, size_t len)
|
|||
* Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID.
|
||||
* sysctl is a failsafe API, so it guarantees a result. This
|
||||
* should work inside a chroot, or when file descriptors are
|
||||
* exhuasted.
|
||||
* exhausted.
|
||||
*
|
||||
* However this can fail if the Linux kernel removes support
|
||||
* for sysctl. Starting in 2007, there have been efforts to
|
||||
|
@ -337,7 +354,7 @@ getentropy_fallback(void *buf, size_t len)
|
|||
struct rusage ru;
|
||||
sigset_t sigset;
|
||||
struct stat st;
|
||||
SHA512_CTX ctx;
|
||||
CRYPTO_SHA512_CTX ctx;
|
||||
static pid_t lastpid;
|
||||
pid_t pid;
|
||||
size_t i, ii, m;
|
||||
|
@ -354,7 +371,7 @@ getentropy_fallback(void *buf, size_t len)
|
|||
}
|
||||
for (i = 0; i < len; ) {
|
||||
int j;
|
||||
SHA512_Init(&ctx);
|
||||
CRYPTO_SHA512_INIT(&ctx);
|
||||
for (j = 0; j < repeat; j++) {
|
||||
HX((e = gettimeofday(&tv, NULL)) == -1, tv);
|
||||
if (e != -1) {
|
||||
|
@ -526,7 +543,7 @@ getentropy_fallback(void *buf, size_t len)
|
|||
# endif
|
||||
#endif /* HAVE_GETAUXVAL */
|
||||
|
||||
SHA512_Final(results, &ctx);
|
||||
CRYPTO_SHA512_FINAL(results, &ctx);
|
||||
memcpy((char*)buf + i, results, min(sizeof(results), len - i));
|
||||
i += min(sizeof(results), len - i);
|
||||
}
|
||||
|
|
|
@ -30,7 +30,9 @@
|
|||
#include <sys/stat.h>
|
||||
#include <sys/time.h>
|
||||
#include <stdlib.h>
|
||||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <termios.h>
|
||||
#include <fcntl.h>
|
||||
|
@ -39,10 +41,14 @@
|
|||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
#include <time.h>
|
||||
#ifdef HAVE_SYS_SHA2_H
|
||||
#include <sys/sha2.h>
|
||||
#define SHA512_Init SHA512Init
|
||||
#define SHA512_Update SHA512Update
|
||||
#define SHA512_Final SHA512Final
|
||||
#else
|
||||
#include "openssl/sha.h"
|
||||
#endif
|
||||
|
||||
#include <sys/vfs.h>
|
||||
#include <sys/statfs.h>
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
/* isblank - compatibility implementation of isblank
|
||||
*
|
||||
* Copyright (c) 2015, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
||||
/* return true for a blank character: space or tab */
|
||||
int isblank(int c);
|
||||
|
||||
/* implementation of isblank. unsigned char is the argument */
|
||||
int
|
||||
isblank(int c)
|
||||
{
|
||||
return (c==' ' || c=='\t');
|
||||
}
|
|
@ -18,7 +18,10 @@
|
|||
#include "config.h"
|
||||
#include <sys/types.h>
|
||||
#include <errno.h>
|
||||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
#include <limits.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
/*
|
||||
|
|
|
@ -70,7 +70,7 @@ unsigned char *SHA512(void *data, unsigned int data_len, unsigned char *digest);
|
|||
* Please make sure that your system defines BYTE_ORDER. If your
|
||||
* architecture is little-endian, make sure it also defines
|
||||
* LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
|
||||
* equivilent.
|
||||
* equivalent.
|
||||
*
|
||||
* If your system does not define the above, then you can do so by
|
||||
* hand like this:
|
||||
|
|
|
@ -42,6 +42,7 @@
|
|||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
#include <limits.h>
|
||||
|
||||
/* for test */
|
||||
/* #define SNPRINTF_TEST 1 */
|
||||
|
@ -428,7 +429,7 @@ print_num_llp(char** at, size_t* left, int* ret, void* value,
|
|||
char buf[PRINT_DEC_BUFSZ];
|
||||
int negative = 0;
|
||||
int zero = (value == 0);
|
||||
#if defined(UINTPTR_MAX) && defined(UINT32_MAX) && (UINTPTR_MAX == UINT32_MAX)
|
||||
#if defined(SIZE_MAX) && defined(UINT32_MAX) && (UINT32_MAX == SIZE_MAX || INT32_MAX == SIZE_MAX)
|
||||
/* avoid warning about upcast on 32bit systems */
|
||||
unsigned long long llvalue = (unsigned long)value;
|
||||
#else
|
||||
|
|
|
@ -97,6 +97,10 @@
|
|||
don't. */
|
||||
#cmakedefine HAVE_DECL_STRLCPY
|
||||
|
||||
/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
|
||||
you don't. */
|
||||
#cmakedefine HAVE_DECL_XML_STOPPARSER
|
||||
|
||||
/* Define to 1 if you have the <dlfcn.h> header file. */
|
||||
#cmakedefine HAVE_DLFCN_H
|
||||
|
||||
|
@ -154,6 +158,9 @@
|
|||
/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
|
||||
#cmakedefine HAVE_FSEEKO
|
||||
|
||||
/* Define to 1 if you have the `fsync' function. */
|
||||
#cmakedefine HAVE_FSYNC
|
||||
|
||||
/* Whether getaddrinfo is available */
|
||||
#cmakedefine HAVE_GETADDRINFO
|
||||
|
||||
|
@ -208,6 +215,9 @@
|
|||
/* Define to 1 if you have the <iphlpapi.h> header file. */
|
||||
#cmakedefine HAVE_IPHLPAPI_H
|
||||
|
||||
/* Define to 1 if you have the `isblank' function. */
|
||||
#undef HAVE_ISBLANK
|
||||
|
||||
/* Define to 1 if you have the `kill' function. */
|
||||
#cmakedefine HAVE_KILL
|
||||
|
||||
|
@ -235,6 +245,9 @@
|
|||
/* Define to 1 if you have the <netinet/in.h> header file. */
|
||||
#cmakedefine HAVE_NETINET_IN_H
|
||||
|
||||
/* Use libnettle for crypto */
|
||||
#cmakedefine HAVE_NETTLE
|
||||
|
||||
/* Use libnss for crypto */
|
||||
#cmakedefine HAVE_NSS
|
||||
|
||||
|
@ -283,7 +296,7 @@
|
|||
/* Define to 1 if you have the `recvmsg' function. */
|
||||
#cmakedefine HAVE_RECVMSG
|
||||
|
||||
/* Define to 1 if you have the `sbrk' function. */
|
||||
/* define if you have the sbrk() call */
|
||||
#cmakedefine HAVE_SBRK
|
||||
|
||||
/* Define to 1 if you have the `sendmsg' function. */
|
||||
|
@ -538,6 +551,9 @@
|
|||
/* The size of `time_t', as computed by sizeof. */
|
||||
#undef SIZEOF_TIME_T
|
||||
|
||||
/* define if (v)snprintf does not return length needed, (but length used) */
|
||||
#undef SNPRINTF_RET_BROKEN
|
||||
|
||||
/* Define to 1 if you have the ANSI C header files. */
|
||||
#cmakedefine STDC_HEADERS
|
||||
|
||||
|
@ -861,13 +877,13 @@
|
|||
#endif
|
||||
|
||||
|
||||
#ifndef HAVE_SNPRINTF
|
||||
#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
|
||||
#define snprintf snprintf_unbound
|
||||
#define vsnprintf vsnprintf_unbound
|
||||
#include <stdarg.h>
|
||||
int snprintf (char *str, size_t count, const char *fmt, ...);
|
||||
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
|
||||
#endif /* HAVE_SNPRINTF */
|
||||
#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
|
||||
|
||||
|
||||
#ifndef HAVE_INET_PTON
|
||||
|
@ -964,6 +980,11 @@ int memcmp(const void *x, const void *y, size_t n);
|
|||
char *ctime_r(const time_t *timep, char *buf);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_ISBLANK
|
||||
#define isblank unbound_isblank
|
||||
int isblank(int c);
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
|
||||
#define strptime unbound_strptime
|
||||
struct tm;
|
||||
|
|
|
@ -94,6 +94,10 @@
|
|||
don't. */
|
||||
#undef HAVE_DECL_STRLCPY
|
||||
|
||||
/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
|
||||
you don't. */
|
||||
#undef HAVE_DECL_XML_STOPPARSER
|
||||
|
||||
/* Define to 1 if you have the <dlfcn.h> header file. */
|
||||
#undef HAVE_DLFCN_H
|
||||
|
||||
|
@ -151,6 +155,9 @@
|
|||
/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
|
||||
#undef HAVE_FSEEKO
|
||||
|
||||
/* Define to 1 if you have the `fsync' function. */
|
||||
#undef HAVE_FSYNC
|
||||
|
||||
/* Whether getaddrinfo is available */
|
||||
#undef HAVE_GETADDRINFO
|
||||
|
||||
|
@ -205,6 +212,9 @@
|
|||
/* Define to 1 if you have the <iphlpapi.h> header file. */
|
||||
#undef HAVE_IPHLPAPI_H
|
||||
|
||||
/* Define to 1 if you have the `isblank' function. */
|
||||
#undef HAVE_ISBLANK
|
||||
|
||||
/* Define to 1 if you have the `kill' function. */
|
||||
#undef HAVE_KILL
|
||||
|
||||
|
@ -232,6 +242,9 @@
|
|||
/* Define to 1 if you have the <netinet/in.h> header file. */
|
||||
#undef HAVE_NETINET_IN_H
|
||||
|
||||
/* Use libnettle for crypto */
|
||||
#undef HAVE_NETTLE
|
||||
|
||||
/* Use libnss for crypto */
|
||||
#undef HAVE_NSS
|
||||
|
||||
|
@ -280,7 +293,7 @@
|
|||
/* Define to 1 if you have the `recvmsg' function. */
|
||||
#undef HAVE_RECVMSG
|
||||
|
||||
/* Define to 1 if you have the `sbrk' function. */
|
||||
/* define if you have the sbrk() call */
|
||||
#undef HAVE_SBRK
|
||||
|
||||
/* Define to 1 if you have the `sendmsg' function. */
|
||||
|
@ -535,6 +548,9 @@
|
|||
/* The size of `time_t', as computed by sizeof. */
|
||||
#undef SIZEOF_TIME_T
|
||||
|
||||
/* define if (v)snprintf does not return length needed, (but length used) */
|
||||
#undef SNPRINTF_RET_BROKEN
|
||||
|
||||
/* Define to 1 if you have the ANSI C header files. */
|
||||
#undef STDC_HEADERS
|
||||
|
||||
|
@ -848,15 +864,13 @@
|
|||
#define MAXHOSTNAMELEN 256
|
||||
#endif
|
||||
|
||||
|
||||
#ifndef HAVE_SNPRINTF
|
||||
#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
|
||||
#define snprintf snprintf_unbound
|
||||
#define vsnprintf vsnprintf_unbound
|
||||
#include <stdarg.h>
|
||||
int snprintf (char *str, size_t count, const char *fmt, ...);
|
||||
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
|
||||
#endif /* HAVE_SNPRINTF */
|
||||
|
||||
#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
|
||||
|
||||
#ifndef HAVE_INET_PTON
|
||||
#define inet_pton inet_pton_unbound
|
||||
|
@ -952,6 +966,11 @@ int memcmp(const void *x, const void *y, size_t n);
|
|||
char *ctime_r(const time_t *timep, char *buf);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_ISBLANK
|
||||
#define isblank unbound_isblank
|
||||
int isblank(int c);
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
|
||||
#define strptime unbound_strptime
|
||||
struct tm;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.5.5.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.5.8.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
||||
#
|
||||
|
@ -590,8 +590,8 @@ MAKEFLAGS=
|
|||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.5.5'
|
||||
PACKAGE_STRING='unbound 1.5.5'
|
||||
PACKAGE_VERSION='1.5.8'
|
||||
PACKAGE_STRING='unbound 1.5.8'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
||||
PACKAGE_URL=''
|
||||
|
||||
|
@ -661,6 +661,7 @@ CHECKLOCK_OBJ
|
|||
staticexe
|
||||
UNBOUND_EVENT_UNINSTALL
|
||||
UNBOUND_EVENT_INSTALL
|
||||
SSLLIB
|
||||
HAVE_SSL
|
||||
CONFIG_DATE
|
||||
NETBSD_LINTFLAGS
|
||||
|
@ -683,6 +684,7 @@ PYTHON_LDFLAGS
|
|||
PYTHON_CPPFLAGS
|
||||
PYTHON
|
||||
PYTHON_VERSION
|
||||
PTHREAD_CFLAGS_ONLY
|
||||
PTHREAD_CFLAGS
|
||||
PTHREAD_LIBS
|
||||
PTHREAD_CC
|
||||
|
@ -804,6 +806,8 @@ with_username
|
|||
enable_checking
|
||||
enable_debug
|
||||
enable_flto
|
||||
enable_pie
|
||||
enable_relro_now
|
||||
enable_shared
|
||||
enable_static
|
||||
with_pic
|
||||
|
@ -821,6 +825,7 @@ with_solaris_threads
|
|||
with_pyunbound
|
||||
with_pythonmodule
|
||||
with_nss
|
||||
with_nettle
|
||||
with_ssl
|
||||
enable_sha2
|
||||
enable_gost
|
||||
|
@ -1389,7 +1394,7 @@ if test "$ac_init_help" = "long"; then
|
|||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.5.5 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.5.8 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
|
@ -1454,7 +1459,7 @@ fi
|
|||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.5.5:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.5.8:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
|
@ -1465,6 +1470,10 @@ Optional Features:
|
|||
--enable-checking Enable warnings, asserts, makefile-dependencies
|
||||
--enable-debug same as enable-checking
|
||||
--disable-flto Disable link-time optimization (gcc specific option)
|
||||
--enable-pie Enable Position-Independent Executable (eg. to fully
|
||||
benefit from ASLR, small performance penalty)
|
||||
--enable-relro-now Enable full relocation binding at load-time (RELRO
|
||||
NOW, to protect GOT and .dtor areas)
|
||||
--enable-shared[=PKGS] build shared libraries [default=yes]
|
||||
--enable-static[=PKGS] build static libraries [default=yes]
|
||||
--enable-fast-install[=PKGS]
|
||||
|
@ -1528,6 +1537,7 @@ Optional Packages:
|
|||
--with-pythonmodule build Python module, or --without-pythonmodule to
|
||||
disable script engine. (default=no)
|
||||
--with-nss=path use libnss instead of openssl, installed at path.
|
||||
--with-nettle=path use libnettle as crypto library, installed at path.
|
||||
--with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl
|
||||
/usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
|
||||
/usr)
|
||||
|
@ -1629,7 +1639,7 @@ fi
|
|||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.5.5
|
||||
unbound configure 1.5.8
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
|
@ -2338,7 +2348,7 @@ cat >config.log <<_ACEOF
|
|||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.5.5, which was
|
||||
It was created by unbound $as_me 1.5.8, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
|
@ -2690,11 +2700,11 @@ UNBOUND_VERSION_MAJOR=1
|
|||
|
||||
UNBOUND_VERSION_MINOR=5
|
||||
|
||||
UNBOUND_VERSION_MICRO=5
|
||||
UNBOUND_VERSION_MICRO=8
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=5
|
||||
LIBUNBOUND_REVISION=7
|
||||
LIBUNBOUND_REVISION=11
|
||||
LIBUNBOUND_AGE=3
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
|
@ -2738,6 +2748,10 @@ LIBUNBOUND_AGE=3
|
|||
# 1.5.2 had 5:5:3
|
||||
# 1.5.3 had 5:6:3
|
||||
# 1.5.4 had 5:7:3
|
||||
# 1.5.5 had 5:8:3
|
||||
# 1.5.6 had 5:9:3
|
||||
# 1.5.7 had 5:10:3
|
||||
# 1.5.8 had 5:11:3
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
|
@ -5859,7 +5873,7 @@ main ()
|
|||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
|
||||
if $CC $CFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
if $CC $CFLAGS -o conftest conftest.c 2>&1 | $GREP -e "warning: no debug symbols in executable" -e "warning: object" >/dev/null; then
|
||||
CFLAGS="$BAKCFLAGS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
|
@ -5879,6 +5893,96 @@ rm -f core conftest.err conftest.$ac_objext \
|
|||
fi
|
||||
|
||||
|
||||
# Check whether --enable-pie was given.
|
||||
if test "${enable_pie+set}" = set; then :
|
||||
enableval=$enable_pie;
|
||||
fi
|
||||
|
||||
if test "x$enable_pie" = "xyes"; then :
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports PIE" >&5
|
||||
$as_echo_n "checking if $CC supports PIE... " >&6; }
|
||||
BAKLDFLAGS="$LDFLAGS"
|
||||
BAKCFLAGS="$CFLAGS"
|
||||
LDFLAGS="$LDFLAGS -pie"
|
||||
CFLAGS="$CFLAGS -fPIE"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
|
||||
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
LDFLAGS="$BAKLDFLAGS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
fi
|
||||
rm -f conftest conftest.c conftest.o
|
||||
|
||||
else
|
||||
LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# Check whether --enable-relro_now was given.
|
||||
if test "${enable_relro_now+set}" = set; then :
|
||||
enableval=$enable_relro_now;
|
||||
fi
|
||||
|
||||
if test "x$enable_relro_now" = "xyes"; then :
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wl,-z,relro,-z,now" >&5
|
||||
$as_echo_n "checking if $CC supports -Wl,-z,relro,-z,now... " >&6; }
|
||||
BAKLDFLAGS="$LDFLAGS"
|
||||
LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
|
||||
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
LDFLAGS="$BAKLDFLAGS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
fi
|
||||
rm -f conftest conftest.c conftest.o
|
||||
|
||||
else
|
||||
LDFLAGS="$BAKLDFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
|
||||
fi
|
||||
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5
|
||||
$as_echo_n "checking for inline... " >&6; }
|
||||
if ${ac_cv_c_inline+:} false; then :
|
||||
|
@ -15421,6 +15525,37 @@ case ${host_os} in
|
|||
;;
|
||||
esac
|
||||
|
||||
# Clang doesn't consider unrecognized options an error unless we specify
|
||||
# -Werror. We throw in some extra Clang-specific options to ensure that
|
||||
# this doesn't happen for GCC, which also accepts -Werror.
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler needs -Werror to reject unknown flags" >&5
|
||||
$as_echo_n "checking if compiler needs -Werror to reject unknown flags... " >&6; }
|
||||
save_CFLAGS="$CFLAGS"
|
||||
ax_pthread_extra_flags="-Werror"
|
||||
CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
int foo(void);
|
||||
int
|
||||
main ()
|
||||
{
|
||||
foo()
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
else
|
||||
ax_pthread_extra_flags=
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
CFLAGS="$save_CFLAGS"
|
||||
|
||||
if test x"$ax_pthread_ok" = xno; then
|
||||
for flag in $ax_pthread_flags; do
|
||||
|
||||
|
@ -15490,7 +15625,7 @@ $as_echo_n "checking for the pthreads library -l$flag... " >&6; }
|
|||
save_LIBS="$LIBS"
|
||||
save_CFLAGS="$CFLAGS"
|
||||
LIBS="$PTHREAD_LIBS $LIBS"
|
||||
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
|
||||
CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags"
|
||||
|
||||
# Check for various functions. We must include pthread.h,
|
||||
# since some functions may be macros. (On the Sequent, we
|
||||
|
@ -15588,12 +15723,13 @@ $as_echo_n "checking if more special flags are required for pthreads... " >&6; }
|
|||
if test "$GCC" = "yes"; then
|
||||
flag="-D_REENTRANT"
|
||||
else
|
||||
# TODO: What about Clang on Solaris?
|
||||
flag="-mt -D_REENTRANT"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${flag}" >&5
|
||||
$as_echo "${flag}" >&6; }
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $flag" >&5
|
||||
$as_echo "$flag" >&6; }
|
||||
if test "x$flag" != xno; then
|
||||
PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
|
||||
fi
|
||||
|
@ -15606,8 +15742,7 @@ else
|
|||
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
#include <pthread.h>
|
||||
#include <pthread.h>
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
@ -15739,6 +15874,43 @@ _ACEOF
|
|||
fi
|
||||
|
||||
|
||||
if echo "$CFLAGS" | grep -e "-pthread" >/dev/null; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -pthread unused during linking" >&5
|
||||
$as_echo_n "checking if -pthread unused during linking... " >&6; }
|
||||
# catch clang warning 'argument unused during compilation'
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
$ac_includes_default
|
||||
|
||||
int main(void) {return 0;}
|
||||
|
||||
_ACEOF
|
||||
pthread_unused="yes"
|
||||
# first compile
|
||||
echo "$CC $CFLAGS -c conftest.c -o conftest.o" >&5
|
||||
$CC $CFLAGS -c conftest.c -o conftest.o 2>&5 >&5
|
||||
if test $? = 0; then
|
||||
# then link
|
||||
echo "$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest contest.o" >&5
|
||||
$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest conftest.o 2>&5 >&5
|
||||
if test $? -ne 0; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
CFLAGS=`echo "$CFLAGS" | sed -e 's/-pthread//'`
|
||||
PTHREAD_CFLAGS_ONLY="-pthread"
|
||||
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi # endif cc successful
|
||||
rm -f conftest conftest.c conftest.o
|
||||
fi # endif -pthread in CFLAGS
|
||||
|
||||
|
||||
:
|
||||
else
|
||||
ax_pthread_ok=no
|
||||
|
@ -16101,7 +16273,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
|||
as_fn_error $? "Python version >= 2.4.0 is required" "$LINENO" 5
|
||||
fi
|
||||
|
||||
PY_MAJOR_VERSION="`$PYTHON -c "import sys; print(sys.version_info.major)"`"
|
||||
PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"
|
||||
|
||||
# Have Python
|
||||
|
||||
|
@ -16309,13 +16481,44 @@ $as_echo "#define HAVE_NSS 1" >>confdefs.h
|
|||
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
|
||||
fi
|
||||
LIBS="$LIBS -lnss3 -lnspr4"
|
||||
SSLLIB=""
|
||||
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# libnettle
|
||||
USE_NETTLE="no"
|
||||
|
||||
# Check whether --with-nettle was given.
|
||||
if test "${with_nettle+set}" = set; then :
|
||||
withval=$with_nettle;
|
||||
USE_NETTLE="yes"
|
||||
|
||||
$as_echo "#define HAVE_NETTLE 1" >>confdefs.h
|
||||
|
||||
if test "$withval" != "" -a "$withval" != "yes"; then
|
||||
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
|
||||
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||
|
||||
if test "x$enable_rpath" = xyes; then
|
||||
if echo "$withval/lib" | grep "^/" >/dev/null; then
|
||||
RUNTIME_PATH="$RUNTIME_PATH -R$withval/lib"
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
|
||||
fi
|
||||
LIBS="$LIBS -lhogweed -lnettle -lgmp"
|
||||
SSLLIB=""
|
||||
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# openssl
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
|
||||
|
||||
# Check whether --with-ssl was given.
|
||||
|
@ -16484,67 +16687,6 @@ rm -f core conftest.err conftest.$ac_objext \
|
|||
fi
|
||||
|
||||
|
||||
# openssl engine functionality needs dlopen().
|
||||
BAKLIBS="$LIBS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
|
||||
$as_echo_n "checking for library containing dlopen... " >&6; }
|
||||
if ${ac_cv_search_dlopen+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
ac_func_search_save_LIBS=$LIBS
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
/* Override any GCC internal prototype to avoid an error.
|
||||
Use char because int might match the return type of a GCC
|
||||
builtin and then its argument prototype would still apply. */
|
||||
#ifdef __cplusplus
|
||||
extern "C"
|
||||
#endif
|
||||
char dlopen ();
|
||||
int
|
||||
main ()
|
||||
{
|
||||
return dlopen ();
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
for ac_lib in '' dl; do
|
||||
if test -z "$ac_lib"; then
|
||||
ac_res="none required"
|
||||
else
|
||||
ac_res=-l$ac_lib
|
||||
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
|
||||
fi
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
ac_cv_search_dlopen=$ac_res
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext
|
||||
if ${ac_cv_search_dlopen+:} false; then :
|
||||
break
|
||||
fi
|
||||
done
|
||||
if ${ac_cv_search_dlopen+:} false; then :
|
||||
|
||||
else
|
||||
ac_cv_search_dlopen=no
|
||||
fi
|
||||
rm conftest.$ac_ext
|
||||
LIBS=$ac_func_search_save_LIBS
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
|
||||
$as_echo "$ac_cv_search_dlopen" >&6; }
|
||||
ac_res=$ac_cv_search_dlopen
|
||||
if test "$ac_res" != no; then :
|
||||
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
|
||||
|
||||
fi
|
||||
|
||||
if test "$LIBS" != "$BAKLIBS"; then
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
|
||||
fi
|
||||
fi
|
||||
for ac_header in openssl/ssl.h
|
||||
do :
|
||||
|
@ -16682,6 +16824,7 @@ fi
|
|||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
SSLLIB="-lssl"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
|
||||
$as_echo_n "checking for LibreSSL... " >&6; }
|
||||
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
|
@ -16879,6 +17022,7 @@ _ACEOF
|
|||
fi
|
||||
|
||||
|
||||
|
||||
# Check whether --enable-sha2 was given.
|
||||
if test "${enable_sha2+set}" = set; then :
|
||||
enableval=$enable_sha2;
|
||||
|
@ -16902,7 +17046,7 @@ if test "${enable_gost+set}" = set; then :
|
|||
fi
|
||||
|
||||
use_gost="no"
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
case "$enable_gost" in
|
||||
no)
|
||||
;;
|
||||
|
@ -17055,7 +17199,7 @@ case "$enable_ecdsa" in
|
|||
no)
|
||||
;;
|
||||
*)
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
|
||||
if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
|
||||
|
||||
|
@ -17546,6 +17690,20 @@ fi
|
|||
|
||||
done
|
||||
|
||||
ac_fn_c_check_decl "$LINENO" "XML_StopParser" "ac_cv_have_decl_XML_StopParser" "$ac_includes_default
|
||||
#include <expat.h>
|
||||
|
||||
"
|
||||
if test "x$ac_cv_have_decl_XML_StopParser" = xyes; then :
|
||||
ac_have_decl=1
|
||||
else
|
||||
ac_have_decl=0
|
||||
fi
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_XML_STOPPARSER $ac_have_decl
|
||||
_ACEOF
|
||||
|
||||
|
||||
# set static linking if requested
|
||||
|
||||
|
@ -18003,7 +18161,7 @@ if test "$ac_res" != no; then :
|
|||
|
||||
fi
|
||||
|
||||
for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent
|
||||
for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync
|
||||
do :
|
||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||
|
@ -18062,6 +18220,33 @@ fi
|
|||
done
|
||||
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sbrk" >&5
|
||||
$as_echo_n "checking for sbrk... " >&6; }
|
||||
# catch the warning of deprecated sbrk
|
||||
old_cflags="$CFLAGS"
|
||||
CFLAGS="$CFLAGS -Werror"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
$ac_includes_default
|
||||
|
||||
int main(void) { void* cur = sbrk(0); printf("%u\n", (unsigned)(size_t)((char*)cur - (char*)sbrk(0))); return 0; }
|
||||
|
||||
_ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
|
||||
$as_echo "#define HAVE_SBRK 1" >>confdefs.h
|
||||
|
||||
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
CFLAGS="$old_cflags"
|
||||
|
||||
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
|
||||
if echo $build_os | grep darwin8 > /dev/null; then
|
||||
|
||||
|
@ -18124,6 +18309,48 @@ esac
|
|||
fi
|
||||
|
||||
|
||||
# test if snprintf return the proper length
|
||||
if test "x$ac_cv_func_snprintf" = xyes; then
|
||||
if test c${cross_compiling} = cno; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for correct snprintf return value" >&5
|
||||
$as_echo_n "checking for correct snprintf return value... " >&6; }
|
||||
if test "$cross_compiling" = yes; then :
|
||||
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
|
||||
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
|
||||
as_fn_error $? "cannot run test program while cross compiling
|
||||
See \`config.log' for more details" "$LINENO" 5; }
|
||||
else
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
$ac_includes_default
|
||||
|
||||
int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
|
||||
|
||||
_ACEOF
|
||||
if ac_fn_c_try_run "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
else
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
|
||||
$as_echo "#define SNPRINTF_RET_BROKEN /**/" >>confdefs.h
|
||||
|
||||
case " $LIBOBJS " in
|
||||
*" snprintf.$ac_objext "* ) ;;
|
||||
*) LIBOBJS="$LIBOBJS snprintf.$ac_objext"
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
fi
|
||||
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
|
||||
conftest.$ac_objext conftest.beam conftest.$ac_ext
|
||||
fi
|
||||
|
||||
fi
|
||||
fi
|
||||
ac_fn_c_check_func "$LINENO" "strlcat" "ac_cv_func_strlcat"
|
||||
if test "x$ac_cv_func_strlcat" = xyes; then :
|
||||
$as_echo "#define HAVE_STRLCAT 1" >>confdefs.h
|
||||
|
@ -18180,6 +18407,20 @@ esac
|
|||
fi
|
||||
|
||||
|
||||
ac_fn_c_check_func "$LINENO" "isblank" "ac_cv_func_isblank"
|
||||
if test "x$ac_cv_func_isblank" = xyes; then :
|
||||
$as_echo "#define HAVE_ISBLANK 1" >>confdefs.h
|
||||
|
||||
else
|
||||
case " $LIBOBJS " in
|
||||
*" isblank.$ac_objext "* ) ;;
|
||||
*) LIBOBJS="$LIBOBJS isblank.$ac_objext"
|
||||
;;
|
||||
esac
|
||||
|
||||
fi
|
||||
|
||||
|
||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||
|
||||
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
|
||||
|
@ -18920,7 +19161,7 @@ _ACEOF
|
|||
|
||||
|
||||
|
||||
version=1.5.5
|
||||
version=1.5.8
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
|
@ -19435,7 +19676,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
|||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.5.5, which was
|
||||
This file was extended by unbound $as_me 1.5.8, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
|
@ -19501,7 +19742,7 @@ _ACEOF
|
|||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.5.5
|
||||
unbound config.status 1.5.8
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
|
|
@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4)
|
|||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[5])
|
||||
m4_define([VERSION_MICRO],[5])
|
||||
m4_define([VERSION_MICRO],[8])
|
||||
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=5
|
||||
LIBUNBOUND_REVISION=7
|
||||
LIBUNBOUND_REVISION=11
|
||||
LIBUNBOUND_AGE=3
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
|
@ -61,6 +61,10 @@ LIBUNBOUND_AGE=3
|
|||
# 1.5.2 had 5:5:3
|
||||
# 1.5.3 had 5:6:3
|
||||
# 1.5.4 had 5:7:3
|
||||
# 1.5.5 had 5:8:3
|
||||
# 1.5.6 had 5:9:3
|
||||
# 1.5.7 had 5:10:3
|
||||
# 1.5.8 had 5:11:3
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
|
@ -246,6 +250,8 @@ case "$debug_enabled" in
|
|||
;;
|
||||
esac
|
||||
ACX_CHECK_FLTO
|
||||
ACX_CHECK_PIE
|
||||
ACX_CHECK_RELRO_NOW
|
||||
|
||||
AC_C_INLINE
|
||||
ACX_CHECK_FORMAT_ATTRIBUTE
|
||||
|
@ -412,6 +418,36 @@ if test x_$withval != x_no; then
|
|||
CC="$PTHREAD_CC"
|
||||
ub_have_pthreads=yes
|
||||
AC_CHECK_TYPES([pthread_spinlock_t, pthread_rwlock_t],,,[#include <pthread.h>])
|
||||
|
||||
if echo "$CFLAGS" | grep -e "-pthread" >/dev/null; then
|
||||
AC_MSG_CHECKING([if -pthread unused during linking])
|
||||
# catch clang warning 'argument unused during compilation'
|
||||
AC_LANG_CONFTEST([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
|
||||
[[
|
||||
int main(void) {return 0;}
|
||||
]])])
|
||||
pthread_unused="yes"
|
||||
# first compile
|
||||
echo "$CC $CFLAGS -c conftest.c -o conftest.o" >&AS_MESSAGE_LOG_FD
|
||||
$CC $CFLAGS -c conftest.c -o conftest.o 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD
|
||||
if test $? = 0; then
|
||||
# then link
|
||||
echo "$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest contest.o" >&AS_MESSAGE_LOG_FD
|
||||
$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest conftest.o 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD
|
||||
if test $? -ne 0; then
|
||||
AC_MSG_RESULT(yes)
|
||||
CFLAGS=`echo "$CFLAGS" | sed -e 's/-pthread//'`
|
||||
PTHREAD_CFLAGS_ONLY="-pthread"
|
||||
AC_SUBST(PTHREAD_CFLAGS_ONLY)
|
||||
else
|
||||
AC_MSG_RESULT(no)
|
||||
fi
|
||||
else
|
||||
AC_MSG_RESULT(no)
|
||||
fi # endif cc successful
|
||||
rm -f conftest conftest.c conftest.o
|
||||
fi # endif -pthread in CFLAGS
|
||||
|
||||
])
|
||||
fi
|
||||
|
||||
|
@ -475,7 +511,7 @@ if test x_$ub_test_python != x_no; then
|
|||
AC_ERROR([Python version >= 2.4.0 is required])
|
||||
fi
|
||||
|
||||
PY_MAJOR_VERSION="`$PYTHON -c "import sys; print(sys.version_info.major)"`"
|
||||
[PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"]
|
||||
AC_SUBST(PY_MAJOR_VERSION)
|
||||
# Have Python
|
||||
AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.])
|
||||
|
@ -558,13 +594,34 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
|
|||
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
|
||||
fi
|
||||
LIBS="$LIBS -lnss3 -lnspr4"
|
||||
SSLLIB=""
|
||||
]
|
||||
)
|
||||
|
||||
# libnettle
|
||||
USE_NETTLE="no"
|
||||
AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
|
||||
[use libnettle as crypto library, installed at path.]),
|
||||
[
|
||||
USE_NETTLE="yes"
|
||||
AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
|
||||
if test "$withval" != "" -a "$withval" != "yes"; then
|
||||
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
|
||||
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||
ACX_RUNTIME_PATH_ADD([$withval/lib])
|
||||
else
|
||||
CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
|
||||
fi
|
||||
LIBS="$LIBS -lhogweed -lnettle -lgmp"
|
||||
SSLLIB=""
|
||||
]
|
||||
)
|
||||
|
||||
# openssl
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
ACX_WITH_SSL
|
||||
ACX_LIB_SSL
|
||||
SSLLIB="-lssl"
|
||||
AC_MSG_CHECKING([for LibreSSL])
|
||||
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
AC_MSG_RESULT([yes])
|
||||
|
@ -599,6 +656,7 @@ AC_INCLUDES_DEFAULT
|
|||
#include <openssl/evp.h>
|
||||
])
|
||||
fi
|
||||
AC_SUBST(SSLLIB)
|
||||
|
||||
|
||||
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
|
||||
|
@ -710,7 +768,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
|
|||
|
||||
AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
|
||||
use_gost="no"
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
case "$enable_gost" in
|
||||
no)
|
||||
;;
|
||||
|
@ -724,7 +782,7 @@ case "$enable_gost" in
|
|||
fi
|
||||
;;
|
||||
esac
|
||||
fi dnl !USE_NSS
|
||||
fi dnl !USE_NSS && !USE_NETTLE
|
||||
|
||||
AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
|
||||
use_ecdsa="no"
|
||||
|
@ -732,7 +790,7 @@ case "$enable_ecdsa" in
|
|||
no)
|
||||
;;
|
||||
*)
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
|
||||
AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
|
||||
AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
|
||||
|
@ -878,6 +936,9 @@ if test x_$found_libexpat != x_yes; then
|
|||
AC_ERROR([Could not find libexpat, expat.h])
|
||||
fi
|
||||
AC_CHECK_HEADERS([expat.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_DECLS([XML_StopParser], [], [], [AC_INCLUDES_DEFAULT
|
||||
#include <expat.h>
|
||||
])
|
||||
|
||||
# set static linking if requested
|
||||
AC_SUBST(staticexe)
|
||||
|
@ -982,10 +1043,23 @@ AC_INCLUDES_DEFAULT
|
|||
#endif
|
||||
])
|
||||
AC_SEARCH_LIBS([setusercontext], [util])
|
||||
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent])
|
||||
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync])
|
||||
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
|
||||
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
|
||||
|
||||
AC_MSG_CHECKING([for sbrk])
|
||||
# catch the warning of deprecated sbrk
|
||||
old_cflags="$CFLAGS"
|
||||
CFLAGS="$CFLAGS -Werror"
|
||||
AC_COMPILE_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
|
||||
[[
|
||||
int main(void) { void* cur = sbrk(0); printf("%u\n", (unsigned)(size_t)((char*)cur - (char*)sbrk(0))); return 0; }
|
||||
]])], [
|
||||
AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(HAVE_SBRK, 1, [define if you have the sbrk() call])
|
||||
], [AC_MSG_RESULT(no)])
|
||||
CFLAGS="$old_cflags"
|
||||
|
||||
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
|
||||
if echo $build_os | grep darwin8 > /dev/null; then
|
||||
AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work])
|
||||
|
@ -994,10 +1068,25 @@ AC_REPLACE_FUNCS(inet_aton)
|
|||
AC_REPLACE_FUNCS(inet_pton)
|
||||
AC_REPLACE_FUNCS(inet_ntop)
|
||||
AC_REPLACE_FUNCS(snprintf)
|
||||
# test if snprintf return the proper length
|
||||
if test "x$ac_cv_func_snprintf" = xyes; then
|
||||
if test c${cross_compiling} = cno; then
|
||||
AC_MSG_CHECKING([for correct snprintf return value])
|
||||
AC_RUN_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
|
||||
[[
|
||||
int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
|
||||
]])], [AC_MSG_RESULT(yes)], [
|
||||
AC_MSG_RESULT(no)
|
||||
AC_DEFINE([SNPRINTF_RET_BROKEN], [], [define if (v)snprintf does not return length needed, (but length used)])
|
||||
AC_LIBOBJ(snprintf)
|
||||
])
|
||||
fi
|
||||
fi
|
||||
AC_REPLACE_FUNCS(strlcat)
|
||||
AC_REPLACE_FUNCS(strlcpy)
|
||||
AC_REPLACE_FUNCS(memmove)
|
||||
AC_REPLACE_FUNCS(gmtime_r)
|
||||
AC_REPLACE_FUNCS(isblank)
|
||||
dnl without CTIME, ARC4-functions and without reallocarray.
|
||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||
AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
|
||||
|
@ -1232,7 +1321,13 @@ AHX_CONFIG_FORMAT_ATTRIBUTE
|
|||
AHX_CONFIG_UNUSED_ATTRIBUTE
|
||||
AHX_CONFIG_FSEEKO
|
||||
AHX_CONFIG_MAXHOSTNAMELEN
|
||||
AHX_CONFIG_SNPRINTF(unbound)
|
||||
#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
|
||||
#define snprintf snprintf_unbound
|
||||
#define vsnprintf vsnprintf_unbound
|
||||
#include <stdarg.h>
|
||||
int snprintf (char *str, size_t count, const char *fmt, ...);
|
||||
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
|
||||
#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
|
||||
AHX_CONFIG_INET_PTON(unbound)
|
||||
AHX_CONFIG_INET_NTOP(unbound)
|
||||
AHX_CONFIG_INET_ATON(unbound)
|
||||
|
@ -1255,6 +1350,11 @@ AHX_MEMCMP_BROKEN(unbound)
|
|||
char *ctime_r(const time_t *timep, char *buf);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_ISBLANK
|
||||
#define isblank unbound_isblank
|
||||
int isblank(int c);
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
|
||||
#define strptime unbound_strptime
|
||||
struct tm;
|
||||
|
|
|
@ -71,6 +71,7 @@ check_function_exists(inet_ntop HAVE_INET_NTOP)
|
|||
check_function_exists(inet_pton HAVE_INET_PTON)
|
||||
check_function_exists(initgroups HAVE_INITGROUPS)
|
||||
check_function_exists(ioctlsocket HAVE_IOCTLSOCKET)
|
||||
check_function_exists(isblank HAVE_ISBLANK)
|
||||
check_function_exists(kill HAVE_KILL)
|
||||
check_function_exists(localtime_r HAVE_LOCALTIME_R)
|
||||
check_function_exists(malloc HAVE_MALLOC)
|
||||
|
@ -211,7 +212,7 @@ set(UNBOUND_PIDFILE "${CMAKE_INSTALL_PREFIX}/etc/unbound/unbound.pid"
|
|||
|
||||
# Copied from configure.ac.
|
||||
set(WINVER 0x0502)
|
||||
set(PACKAGE_VERSION "1.4.23")
|
||||
set(PACKAGE_VERSION "1.5.8")
|
||||
set(PACKAGE_NAME "${PROJECT_NAME}")
|
||||
set(PACKAGE_STRING "${PACKAGE_NAME} ${PACKAGE_VERSION}")
|
||||
set(MAXSYSLOGMSGLEN 10240)
|
||||
|
|
|
@ -312,7 +312,7 @@
|
|||
+ /**
|
||||
* Each time a delegation point changes for a given query or a
|
||||
* query times out and/or wakes up, this state is (re)visited.
|
||||
* This state is reponsible for iterating through a list of
|
||||
* This state is responsible for iterating through a list of
|
||||
@@ -309,6 +320,13 @@ struct iter_qstate {
|
||||
*/
|
||||
int refetch_glue;
|
||||
|
|
|
@ -1,33 +1,33 @@
|
|||
@Echo off
|
||||
rem Convert the Yoyo.org anti-ad server listing
|
||||
rem into an unbound dns spoof redirection list.
|
||||
rem Written by Y.Voinov (c) 2014
|
||||
|
||||
rem Note: Wget required!
|
||||
|
||||
rem Variables
|
||||
set prefix="C:\Program Files (x86)"
|
||||
set dst_dir=%prefix%\Unbound
|
||||
set work_dir=%TEMP%
|
||||
set list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
|
||||
|
||||
rem Check Wget installed
|
||||
for /f "delims=" %%a in ('where wget') do @set wget=%%a
|
||||
if /I "%wget%"=="" echo Wget not found. If installed, add path to PATH environment variable. & exit 1
|
||||
echo Wget found: %wget%
|
||||
|
||||
"%wget%" -O %work_dir%\yoyo_ad_servers %list_addr%
|
||||
|
||||
del /Q /F /S %dst_dir%\unbound_ad_servers
|
||||
|
||||
for /F "eol=; tokens=*" %%a in (%work_dir%\yoyo_ad_servers) do (
|
||||
echo local-zone: %%a redirect>>%dst_dir%\unbound_ad_servers
|
||||
echo local-data: "%%a A 127.0.0.1">>%dst_dir%\unbound_ad_servers
|
||||
)
|
||||
|
||||
echo Done.
|
||||
rem then add an include line to your unbound.conf pointing to the full path of
|
||||
rem the unbound_ad_servers file:
|
||||
rem
|
||||
rem include: $dst_dir/unbound_ad_servers
|
||||
rem
|
||||
@Echo off
|
||||
rem Convert the Yoyo.org anti-ad server listing
|
||||
rem into an unbound dns spoof redirection list.
|
||||
rem Written by Y.Voinov (c) 2014
|
||||
|
||||
rem Note: Wget required!
|
||||
|
||||
rem Variables
|
||||
set prefix="C:\Program Files (x86)"
|
||||
set dst_dir=%prefix%\Unbound
|
||||
set work_dir=%TEMP%
|
||||
set list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
|
||||
|
||||
rem Check Wget installed
|
||||
for /f "delims=" %%a in ('where wget') do @set wget=%%a
|
||||
if /I "%wget%"=="" echo Wget not found. If installed, add path to PATH environment variable. & exit 1
|
||||
echo Wget found: %wget%
|
||||
|
||||
"%wget%" -O %work_dir%\yoyo_ad_servers %list_addr%
|
||||
|
||||
del /Q /F /S %dst_dir%\unbound_ad_servers
|
||||
|
||||
for /F "eol=; tokens=*" %%a in (%work_dir%\yoyo_ad_servers) do (
|
||||
echo local-zone: %%a redirect>>%dst_dir%\unbound_ad_servers
|
||||
echo local-data: "%%a A 127.0.0.1">>%dst_dir%\unbound_ad_servers
|
||||
)
|
||||
|
||||
echo Done.
|
||||
rem then add an include line to your unbound.conf pointing to the full path of
|
||||
rem the unbound_ad_servers file:
|
||||
rem
|
||||
rem include: $dst_dir/unbound_ad_servers
|
||||
rem
|
||||
|
|
|
@ -273,7 +273,7 @@ fi
|
|||
- Change make/configure lines to attempt to fix -lphtread linking issue
|
||||
|
||||
* Thu Feb 18 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-2
|
||||
- Removed dependancy for dnssec-conf
|
||||
- Removed dependency for dnssec-conf
|
||||
- Added ISC DLV key (formerly in dnssec-conf)
|
||||
- Fixup old DLV locations in unbound.conf file via %%post
|
||||
- Fix parent child disagreement handling and no-ipv6 present [svn r1953]
|
||||
|
@ -312,7 +312,7 @@ fi
|
|||
- Re-enabled glob.patch
|
||||
|
||||
* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-7
|
||||
- unbound-iterator.patch was not commited
|
||||
- unbound-iterator.patch was not committed
|
||||
|
||||
* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-6
|
||||
- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793
|
||||
|
@ -338,11 +338,11 @@ fi
|
|||
|
||||
* Wed Jan 14 2009 Paul Wouters <paul@xelerance.com - 1.2.0-1
|
||||
- Updated to 1.2.0
|
||||
- Added dependancy on minimum SSL for CVE-2008-5077
|
||||
- Added dependancy on bc for unbound-munin
|
||||
- Added dependency on minimum SSL for CVE-2008-5077
|
||||
- Added dependency on bc for unbound-munin
|
||||
- Added minimum requirement of libevent 1.4.5. Crashes with older versions
|
||||
(note: libevent is stale in EL-4 and not in EL-5, needs fixing there)
|
||||
- Removed dependancy on selinux-policy (will get used when available)
|
||||
- Removed dependency on selinux-policy (will get used when available)
|
||||
- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
|
||||
- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack
|
||||
- Enable val-clean-additional to drop addition unsigned data from signed
|
||||
|
@ -423,7 +423,7 @@ fi
|
|||
- Build against ldns-1.3.0
|
||||
|
||||
* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-1
|
||||
- Split of -devel package, fixed dependancies, make rpmlint happy
|
||||
- Split of -devel package, fixed dependencies, make rpmlint happy
|
||||
|
||||
* Thu Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12
|
||||
- Using parts from ports collection entry by Jaap Akkerhuis.
|
||||
|
|
|
@ -208,12 +208,14 @@ daemon_remote_create(struct config_file* cfg)
|
|||
return NULL;
|
||||
}
|
||||
/* no SSLv2, SSLv3 because has defects */
|
||||
if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
|
||||
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
|
||||
!= SSL_OP_NO_SSLv2){
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv2");
|
||||
daemon_remote_delete(rc);
|
||||
return NULL;
|
||||
}
|
||||
if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
|
||||
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
!= SSL_OP_NO_SSLv3){
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv3");
|
||||
daemon_remote_delete(rc);
|
||||
return NULL;
|
||||
|
@ -1259,8 +1261,6 @@ struct del_info {
|
|||
size_t len;
|
||||
/** labels */
|
||||
int labs;
|
||||
/** now */
|
||||
time_t now;
|
||||
/** time to invalidate to */
|
||||
time_t expired;
|
||||
/** number of rrsets removed */
|
||||
|
@ -1289,7 +1289,7 @@ infra_del_host(struct lruhash_entry* e, void* arg)
|
|||
d->timeout_AAAA = 0;
|
||||
d->timeout_other = 0;
|
||||
rtt_init(&d->rtt);
|
||||
if(d->ttl >= inf->now) {
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
inf->num_keys++;
|
||||
}
|
||||
|
@ -1318,7 +1318,6 @@ do_flush_infra(SSL* ssl, struct worker* worker, char* arg)
|
|||
inf.name = 0;
|
||||
inf.len = 0;
|
||||
inf.labs = 0;
|
||||
inf.now = *worker->env.now;
|
||||
inf.expired = *worker->env.now;
|
||||
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
||||
inf.num_rrsets = 0;
|
||||
|
@ -1349,7 +1348,7 @@ zone_del_rrset(struct lruhash_entry* e, void* arg)
|
|||
if(dname_subdomain_c(k->rk.dname, inf->name)) {
|
||||
struct packed_rrset_data* d =
|
||||
(struct packed_rrset_data*)e->data;
|
||||
if(d->ttl >= inf->now) {
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
inf->num_rrsets++;
|
||||
}
|
||||
|
@ -1365,7 +1364,7 @@ zone_del_msg(struct lruhash_entry* e, void* arg)
|
|||
struct msgreply_entry* k = (struct msgreply_entry*)e->key;
|
||||
if(dname_subdomain_c(k->key.qname, inf->name)) {
|
||||
struct reply_info* d = (struct reply_info*)e->data;
|
||||
if(d->ttl >= inf->now) {
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
inf->num_msgs++;
|
||||
}
|
||||
|
@ -1381,7 +1380,7 @@ zone_del_kcache(struct lruhash_entry* e, void* arg)
|
|||
struct key_entry_key* k = (struct key_entry_key*)e->key;
|
||||
if(dname_subdomain_c(k->name, inf->name)) {
|
||||
struct key_entry_data* d = (struct key_entry_data*)e->data;
|
||||
if(d->ttl >= inf->now) {
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
inf->num_keys++;
|
||||
}
|
||||
|
@ -1404,7 +1403,6 @@ do_flush_zone(SSL* ssl, struct worker* worker, char* arg)
|
|||
inf.name = nm;
|
||||
inf.len = nmlen;
|
||||
inf.labs = nmlabs;
|
||||
inf.now = *worker->env.now;
|
||||
inf.expired = *worker->env.now;
|
||||
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
||||
inf.num_rrsets = 0;
|
||||
|
@ -1474,7 +1472,6 @@ do_flush_bogus(SSL* ssl, struct worker* worker)
|
|||
struct del_info inf;
|
||||
/* what we do is to set them all expired */
|
||||
inf.worker = worker;
|
||||
inf.now = *worker->env.now;
|
||||
inf.expired = *worker->env.now;
|
||||
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
||||
inf.num_rrsets = 0;
|
||||
|
@ -1550,7 +1547,6 @@ do_flush_negative(SSL* ssl, struct worker* worker)
|
|||
struct del_info inf;
|
||||
/* what we do is to set them all expired */
|
||||
inf.worker = worker;
|
||||
inf.now = *worker->env.now;
|
||||
inf.expired = *worker->env.now;
|
||||
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
||||
inf.num_rrsets = 0;
|
||||
|
@ -2283,11 +2279,17 @@ do_list_local_data(SSL* ssl, struct worker* worker)
|
|||
for(i=0; i<d->count + d->rrsig_count; i++) {
|
||||
if(!packed_rr_to_string(p->rrset, i,
|
||||
0, s, slen)) {
|
||||
if(!ssl_printf(ssl, "BADRR\n"))
|
||||
if(!ssl_printf(ssl, "BADRR\n")) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
lock_rw_unlock(&zones->lock);
|
||||
return;
|
||||
}
|
||||
}
|
||||
if(!ssl_printf(ssl, "%s\n", s))
|
||||
if(!ssl_printf(ssl, "%s\n", s)) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
lock_rw_unlock(&zones->lock);
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -180,6 +180,8 @@ static void usage()
|
|||
SSLeay_version(SSLEAY_VERSION)
|
||||
#elif defined(HAVE_NSS)
|
||||
NSS_GetVersion()
|
||||
#elif defined(HAVE_NETTLE)
|
||||
"nettle"
|
||||
#endif
|
||||
);
|
||||
printf("linked modules:");
|
||||
|
@ -450,6 +452,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
|
|||
/* endpwent below, in case we need pwd for setusercontext */
|
||||
}
|
||||
#endif
|
||||
#ifdef UB_ON_WINDOWS
|
||||
w_config_adjust_directory(cfg);
|
||||
#endif
|
||||
|
||||
/* init syslog (as root) if needed, before daemonize, otherwise
|
||||
* a fork error could not be printed since daemonize closed stderr.*/
|
||||
|
|
|
@ -866,11 +866,16 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
|||
goto send_reply;
|
||||
}
|
||||
if((ret=parse_edns_from_pkt(c->buffer, &edns)) != 0) {
|
||||
struct edns_data reply_edns;
|
||||
verbose(VERB_ALGO, "worker parse edns: formerror.");
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
sldns_buffer_rewind(c->buffer);
|
||||
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
|
||||
memset(&reply_edns, 0, sizeof(reply_edns));
|
||||
reply_edns.edns_present = 1;
|
||||
reply_edns.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
|
||||
error_encode(c->buffer, ret, &qinfo,
|
||||
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
|
||||
sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
|
||||
server_stats_insrcode(&worker->stats, c->buffer);
|
||||
goto send_reply;
|
||||
}
|
||||
|
|
|
@ -618,8 +618,10 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
|
|||
dd->rr_ttl = (time_t*)&dd->rr_data[dd->count];
|
||||
for(i = 0; i < fd->count; ++i) {
|
||||
if (fd->rr_len[i] != 6 || fd->rr_data[i][0] != 0
|
||||
|| fd->rr_data[i][1] != 4)
|
||||
|| fd->rr_data[i][1] != 4) {
|
||||
*dd_out = NULL;
|
||||
return;
|
||||
}
|
||||
dd->rr_len[i] = 18;
|
||||
dd->rr_data[i] =
|
||||
(uint8_t*)&dd->rr_ttl[dd->count] + 18*i;
|
||||
|
@ -638,6 +640,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
|
|||
*/
|
||||
if(!dk) {
|
||||
log_err("no key");
|
||||
*dd_out = NULL;
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -646,6 +649,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
|
|||
|
||||
if(!dk->rk.dname) {
|
||||
log_err("out of memory");
|
||||
*dd_out = NULL;
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
|
@ -105,7 +105,7 @@ message Message {
|
|||
|
||||
enum Type {
|
||||
// AUTH_QUERY is a DNS query message received from a resolver by an
|
||||
// authoritative name server, from the perspective of the authorative
|
||||
// authoritative name server, from the perspective of the authoritative
|
||||
// name server.
|
||||
AUTH_QUERY = 1;
|
||||
|
||||
|
|
|
@ -1,3 +1,175 @@
|
|||
15 December 2015: Ralph
|
||||
- Fix #729: omit use of escape sequences in echo since they are not
|
||||
portable (unbound-control-setup).
|
||||
|
||||
11 December 2015: Wouter
|
||||
- remove NULL-checks before free, patch from Michael McConville.
|
||||
- updated ax_pthread.m4 to version 21 with clang support, this
|
||||
removes a warning from compilation.
|
||||
- OSX portability, detect if sbrk is deprecated.
|
||||
- OSX clang, stop -pthread unused during link stage warnings.
|
||||
- OSX clang new flto check.
|
||||
|
||||
10 December 2015: Wouter
|
||||
- 1.5.7 release
|
||||
- trunk has 1.5.8 in development.
|
||||
|
||||
8 December 2015: Wouter
|
||||
- Fixup 724 for unbound-control.
|
||||
|
||||
7 December 2015: Ralph
|
||||
- Do not minimise forwarded requests.
|
||||
|
||||
4 December 2015: Wouter
|
||||
- Removed unneeded whitespace from example.conf.
|
||||
|
||||
3 December 2015: Ralph
|
||||
- (after rc1 tag)
|
||||
- Committed fix to qname minimisation and unit test case for it.
|
||||
|
||||
3 December 2015: Wouter
|
||||
- iana portlist update.
|
||||
- 1.5.7rc1 prerelease tag.
|
||||
|
||||
2 December 2015: Wouter
|
||||
- Fixup 724: Fix PCA prompt for unbound-service-install.exe.
|
||||
re-enable stdout printout.
|
||||
- For 724: Add Changelog to windows binary dist.
|
||||
|
||||
1 December 2015: Ralph
|
||||
- Qname minimisation review fixes
|
||||
|
||||
1 December 2015: Wouter
|
||||
- Fixup 724 fix for fname_after_chroot() calls.
|
||||
- Remove stdout printout for unbound-service-install.exe
|
||||
- .gitignore for git users.
|
||||
|
||||
30 November 2015: Ralph
|
||||
- Implemented qname minimisation
|
||||
|
||||
30 November 2015: Wouter
|
||||
- Fix for #724: conf syntax to read files from run dir (on Windows).
|
||||
|
||||
25 November 2015: Wouter
|
||||
- Fix for #720, fix unbound-control-setup windows batch file.
|
||||
|
||||
24 November 2015: Wouter
|
||||
- Fix #720: add windows scripts to zip bundle.
|
||||
- iana portlist update.
|
||||
|
||||
20 November 2015: Wouter
|
||||
- Added assert on rrset cache correctness.
|
||||
- Fix that malformed EDNS query gets a response without malformed EDNS.
|
||||
|
||||
18 November 2015: Wouter
|
||||
- newer acx_nlnetlabs.m4.
|
||||
- spelling fixes from Igor Sobrado Delgado.
|
||||
|
||||
17 November 2015: Wouter
|
||||
- Fix #594. libunbound: optionally use libnettle for crypto.
|
||||
Contributed by Luca Bruno. Added --with-nettle for use with
|
||||
--with-libunbound-only.
|
||||
- refactor nsec3 hash implementation to be more library-portable.
|
||||
- iana portlist update.
|
||||
- Fixup DER encoded DSA signatures for libnettle.
|
||||
|
||||
16 November 2015: Wouter
|
||||
- Fix for lenient accept of reverse order DNAME and CNAME.
|
||||
|
||||
6 November 2015: Wouter
|
||||
- Change example.conf: ftp.internic.net to https://www.internic.net
|
||||
|
||||
5 November 2015: Wouter
|
||||
- ACX_SSL_CHECKS no longer adds -ldl needlessly.
|
||||
|
||||
3 November 2015: Wouter
|
||||
- Fix #718: Fix unbound-control-setup with support for env
|
||||
without HEREDOC bash support.
|
||||
|
||||
29 October 2015: Wouter
|
||||
- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
|
||||
- Fix #716: nodata proof with empty non-terminals and wildcards.
|
||||
|
||||
28 October 2015: Wouter
|
||||
- Fix checklock testcode for linux threads on exit.
|
||||
|
||||
27 October 2015: Wouter
|
||||
- isblank() compat implementation.
|
||||
- detect libexpat without xml_StopParser function.
|
||||
- portability fixes.
|
||||
- portability, replace snprintf if return value broken.
|
||||
|
||||
23 October 2015: Wouter
|
||||
- Fix #714: Document config to block private-address for IPv4
|
||||
mapped IPv6 addresses.
|
||||
|
||||
22 October 2015: Wouter
|
||||
- Fix #712: unbound-anchor appears to not fsync root.key.
|
||||
|
||||
20 October 2015: Wouter
|
||||
- 1.5.6 release.
|
||||
- trunk tracks development of 1.5.7.
|
||||
|
||||
15 October 2015: Wouter
|
||||
- Fix segfault in the dns64 module in the formaterror error path.
|
||||
- Fix sldns_wire2str_rdata_scan for malformed RRs.
|
||||
- tag for 1.5.6rc1 release.
|
||||
|
||||
14 October 2015: Wouter
|
||||
- ANY responses include DNAME records if present, as per Evan Hunt's
|
||||
remark in dnsop.
|
||||
- Fix manpage to suggest using SIGTERM to terminate the server.
|
||||
|
||||
9 October 2015: Wouter
|
||||
- Default for ssl-port is port 853, the temporary port assignment
|
||||
for secure domain name system traffic.
|
||||
If you used to rely on the older default of port 443, you have
|
||||
to put a clause in unbound.conf for that. The new value is likely
|
||||
going to be the standardised port number for this traffic.
|
||||
- iana portlist update.
|
||||
|
||||
6 October 2015: Wouter
|
||||
- 1.5.5 release.
|
||||
- trunk tracks the development of 1.5.6.
|
||||
|
||||
28 September 2015: Wouter
|
||||
- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
|
||||
failures.
|
||||
- tag for 1.5.5rc1 release.
|
||||
- makedist.sh: pgp sig echo commands.
|
||||
|
||||
25 September 2015: Wouter
|
||||
- Fix unbound-control flush that does not succeed in removing data.
|
||||
|
||||
22 September 2015: Wouter
|
||||
- Fix config globbed include chroot treatment, this fixes reload of
|
||||
globs (patch from Dag-Erling Smørgrav).
|
||||
- iana portlist update.
|
||||
- Fix #702: New IPs for for h.root-servers.net.
|
||||
- Remove confusion comment from canonical_compare() function.
|
||||
- Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
|
||||
- testbound selftest also works in non-debug mode.
|
||||
- Fix minor error in unbound.conf.5.in
|
||||
- Fix unbound.conf(5) access-control description for precedence
|
||||
and default.
|
||||
|
||||
31 August 2015: Wouter
|
||||
- changed windows setup compression to be more transparent.
|
||||
|
||||
28 August 2015: Wouter
|
||||
- Fix #697: Get PY_MAJOR_VERSION failure at configure for python
|
||||
2.4 to 2.6.
|
||||
- Feature #699: --enable-pie option to that builds PIE binary.
|
||||
- Feature #700: --enable-relro-now option that enables full read-only
|
||||
relocation.
|
||||
|
||||
24 August 2015: Wouter
|
||||
- Fix deadlock for local data add and zone add when unbound-control
|
||||
list_local_data printout is interrupted.
|
||||
- iana portlist update.
|
||||
- Change default of harden-algo-downgrade to off. This is lenient
|
||||
for algorithm rollover.
|
||||
|
||||
13 August 2015: Wouter
|
||||
- 5011 implementation does not insist on all algorithms, when
|
||||
harden-algo-downgrade is turned off.
|
||||
|
@ -693,7 +865,7 @@
|
|||
existence in 4592. NSEC empty non-terminals exist and thus the
|
||||
RCODE should have been NOERROR. If this occurs, and the RRsets
|
||||
are secure, we set the RCODE to NOERROR and the security status
|
||||
of the reponse is also considered secure.
|
||||
of the response is also considered secure.
|
||||
|
||||
14 February 2014: Wouter
|
||||
- Works on Minix (3.2.1).
|
||||
|
@ -1465,7 +1637,7 @@
|
|||
- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
|
||||
- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
|
||||
- Fix warning unused in compat/strptime.c.
|
||||
- Fix malloc detection and double defintion.
|
||||
- Fix malloc detection and double definition.
|
||||
|
||||
2 December 2011: Wouter
|
||||
- configure generated with autoconf 2.68.
|
||||
|
@ -4910,7 +5082,7 @@
|
|||
- Advertise builtin select libevent alternative when no libevent
|
||||
is found.
|
||||
- signit can generate NSEC3 hashes, for generating tests.
|
||||
- multiple nsec3 paramaters in message test.
|
||||
- multiple nsec3 parameters in message test.
|
||||
- too high nsec3 iterations becomes insecure test.
|
||||
|
||||
21 September 2007: Wouter
|
||||
|
@ -4981,7 +5153,7 @@
|
|||
- testbound can replay a TCP query (set MATCH TCP in the QUERY).
|
||||
- DS and noDS referral validation test.
|
||||
- if you configure many trust anchors, parent trust anchors can
|
||||
securely deny existance of child trust anchors, if validated.
|
||||
securely deny existence of child trust anchors, if validated.
|
||||
- not all *.name NSECs are present because a wildcard was matched,
|
||||
and *.name NSECs can prove nodata for empty nonterminals.
|
||||
Also, for wildcard name NSECs, check they are not from the parent
|
||||
|
@ -5288,7 +5460,7 @@
|
|||
|
||||
17 July 2007: Wouter
|
||||
- forward zone options in config file.
|
||||
- forward per zone in iterator. takes precendence over stubs.
|
||||
- forward per zone in iterator. takes precedence over stubs.
|
||||
- fixup commithooks.
|
||||
- removed forward-to and forward-to-port features, subsumed by
|
||||
new forward zones.
|
||||
|
@ -5389,7 +5561,7 @@
|
|||
ldns and libevent are linked statically. Default is off.
|
||||
- make install and make uninstall. Works with static-exe and without.
|
||||
installation of unbound binary and manual pages.
|
||||
- alignement problem fix on solaris 64.
|
||||
- alignment problem fix on solaris 64.
|
||||
- fixup address in case of TCP error.
|
||||
|
||||
12 June 2007: Wouter
|
||||
|
@ -5472,7 +5644,7 @@
|
|||
- removed FLAG_CD from message and rrset caches. This was useful for
|
||||
an agnostic forwarder, but not for a sophisticated (trust value per
|
||||
rrset enabled) cache.
|
||||
- iterator reponse typing.
|
||||
- iterator response typing.
|
||||
- iterator cname handle.
|
||||
- iterator prime start.
|
||||
- subquery work.
|
||||
|
@ -5492,7 +5664,7 @@
|
|||
- Acknowledge use of unbound-java code in iterator. Nicer readme.
|
||||
- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
|
||||
rrset cache from module environment.
|
||||
- packed rrset key has type and class as easily accessable struct
|
||||
- packed rrset key has type and class as easily accessible struct
|
||||
members. They are still kept in network format for fast msg encode.
|
||||
- dns cache find_delegation routine.
|
||||
- iterator main functions setup.
|
||||
|
@ -5576,7 +5748,7 @@
|
|||
- EDNS read from query, used to make reply smaller.
|
||||
- advertised edns value constants.
|
||||
- EDNS BADVERS response, if asked for too high edns version.
|
||||
- EDNS extended error reponses once the EDNS record from the query
|
||||
- EDNS extended error responses once the EDNS record from the query
|
||||
has successfully been parsed.
|
||||
|
||||
4 May 2007: Wouter
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
#Use this to include other text into the file.
|
||||
#include: "otherfile.conf"
|
||||
|
||||
# The server clause sets the main parameters.
|
||||
# The server clause sets the main parameters.
|
||||
server:
|
||||
# whitespace is not necessary, but looks cleaner.
|
||||
|
||||
|
@ -40,7 +40,7 @@ server:
|
|||
# interface: 2001:DB8::5
|
||||
|
||||
# enable this feature to copy the source address of queries to reply.
|
||||
# Socket options are not supported on all platforms. experimental.
|
||||
# Socket options are not supported on all platforms. experimental.
|
||||
# interface-automatic: no
|
||||
|
||||
# port to answer queries from
|
||||
|
@ -84,10 +84,10 @@ server:
|
|||
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
|
||||
# 0 is system default. Use 4m to handle spikes on very busy servers.
|
||||
# so-sndbuf: 0
|
||||
|
||||
|
||||
# use SO_REUSEPORT to distribute queries over threads.
|
||||
# so-reuseport: no
|
||||
|
||||
|
||||
# use IP_TRANSPARENT so the interface: addresses can be non-local
|
||||
# and you can config non-existing IPs that are going to work later on
|
||||
# ip-transparent: no
|
||||
|
@ -105,7 +105,7 @@ server:
|
|||
# msg-buffer-size: 65552
|
||||
|
||||
# the amount of memory to use for the message cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# msg-cache-size: 4m
|
||||
|
||||
# the number of slabs to use for the message cache.
|
||||
|
@ -118,12 +118,12 @@ server:
|
|||
|
||||
# if very busy, 50% queries run to completion, 50% get timeout in msec
|
||||
# jostle-timeout: 200
|
||||
|
||||
|
||||
# msec to wait before close of port on timeout UDP. 0 disables.
|
||||
# delay-close: 0
|
||||
|
||||
# the amount of memory to use for the RRset cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# rrset-cache-size: 4m
|
||||
|
||||
# the number of slabs to use for the RRset cache.
|
||||
|
@ -145,7 +145,7 @@ server:
|
|||
# the time to live (TTL) value for cached roundtrip times, lameness and
|
||||
# EDNS version information for hosts. In seconds.
|
||||
# infra-host-ttl: 900
|
||||
|
||||
|
||||
# minimum wait time for responses, increase if uplink is long. In msec.
|
||||
# infra-cache-min-rtt: 50
|
||||
|
||||
|
@ -195,8 +195,8 @@ server:
|
|||
#
|
||||
# If chroot is enabled, you should pass the configfile (from the
|
||||
# commandline) as a full path from the original root. After the
|
||||
# chroot has been performed the now defunct portion of the config
|
||||
# file path is removed to be able to reread the config after a reload.
|
||||
# chroot has been performed the now defunct portion of the config
|
||||
# file path is removed to be able to reread the config after a reload.
|
||||
#
|
||||
# All other file paths (working dir, logfile, roothints, and
|
||||
# key files) can be specified in several ways:
|
||||
|
@ -205,7 +205,7 @@ server:
|
|||
# o as an absolute path relative to the original root.
|
||||
# In the last case the path is adjusted to remove the unused portion.
|
||||
#
|
||||
# The pid file can be absolute and outside of the chroot, it is
|
||||
# The pid file can be absolute and outside of the chroot, it is
|
||||
# written just prior to performing the chroot and dropping permissions.
|
||||
#
|
||||
# Additionally, unbound may need to access /dev/random (for entropy).
|
||||
|
@ -219,22 +219,22 @@ server:
|
|||
# If you give "" no privileges are dropped.
|
||||
# username: "@UNBOUND_USERNAME@"
|
||||
|
||||
# the working directory. The relative files in this config are
|
||||
# the working directory. The relative files in this config are
|
||||
# relative to this directory. If you give "" the working directory
|
||||
# is not changed.
|
||||
# directory: "@UNBOUND_RUN_DIR@"
|
||||
|
||||
# the log file, "" means log to stderr.
|
||||
# the log file, "" means log to stderr.
|
||||
# Use of this option sets use-syslog to "no".
|
||||
# logfile: ""
|
||||
|
||||
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
|
||||
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
|
||||
# log to, with identity "unbound". If yes, it overrides the logfile.
|
||||
# use-syslog: yes
|
||||
# use-syslog: yes
|
||||
|
||||
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
|
||||
# log-time-ascii: no
|
||||
|
||||
|
||||
# print one line with time, IP, name, type, class for every query.
|
||||
# log-queries: no
|
||||
|
||||
|
@ -242,7 +242,7 @@ server:
|
|||
# pidfile: "@UNBOUND_PIDFILE@"
|
||||
|
||||
# file to read root hints from.
|
||||
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
|
||||
# get one from https://www.internic.net/domain/named.cache
|
||||
# root-hints: ""
|
||||
|
||||
# enable to not answer id.server and hostname.bind queries.
|
||||
|
@ -258,8 +258,8 @@ server:
|
|||
# version: ""
|
||||
|
||||
# the target fetch policy.
|
||||
# series of integers describing the policy per dependency depth.
|
||||
# The number of values in the list determines the maximum dependency
|
||||
# series of integers describing the policy per dependency depth.
|
||||
# The number of values in the list determines the maximum dependency
|
||||
# depth the recursor will pursue before giving up. Each integer means:
|
||||
# -1 : fetch all targets opportunistically,
|
||||
# 0: fetch on demand,
|
||||
|
@ -267,17 +267,17 @@ server:
|
|||
# Enclose the list of numbers between quotes ("").
|
||||
# target-fetch-policy: "3 2 1 0 0"
|
||||
|
||||
# Harden against very small EDNS buffer sizes.
|
||||
# Harden against very small EDNS buffer sizes.
|
||||
# harden-short-bufsize: no
|
||||
|
||||
# Harden against unseemly large queries.
|
||||
# harden-large-queries: no
|
||||
|
||||
# Harden against out of zone rrsets, to avoid spoofing attempts.
|
||||
# Harden against out of zone rrsets, to avoid spoofing attempts.
|
||||
# harden-glue: yes
|
||||
|
||||
# Harden against receiving dnssec-stripped data. If you turn it
|
||||
# off, failing to validate dnskey data for a trustanchor will
|
||||
# off, failing to validate dnskey data for a trustanchor will
|
||||
# trigger insecure mode for that zone (like without a trustanchor).
|
||||
# Default on, which insists on dnssec data for trust-anchored zones.
|
||||
# harden-dnssec-stripped: yes
|
||||
|
@ -287,27 +287,32 @@ server:
|
|||
|
||||
# Harden the referral path by performing additional queries for
|
||||
# infrastructure data. Validates the replies (if possible).
|
||||
# Default off, because the lookups burden the server. Experimental
|
||||
# Default off, because the lookups burden the server. Experimental
|
||||
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
|
||||
# harden-referral-path: no
|
||||
|
||||
# Harden against algorithm downgrade when multiple algorithms are
|
||||
# advertised in the DS record. If no, allows the weakest algorithm
|
||||
# to validate the zone.
|
||||
# harden-algo-downgrade: yes
|
||||
# harden-algo-downgrade: no
|
||||
|
||||
# Sent minimum amount of information to upstream servers to enhance
|
||||
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
|
||||
# to NS when possible.
|
||||
# qname-minimisation: no
|
||||
|
||||
# Use 0x20-encoded random bits in the query to foil spoof attempts.
|
||||
# This feature is an experimental implementation of draft dns-0x20.
|
||||
# use-caps-for-id: no
|
||||
|
||||
|
||||
# Domains (and domains in them) without support for dns-0x20 and
|
||||
# the fallback fails because they keep sending different answers.
|
||||
# caps-whitelist: "licdn.com"
|
||||
|
||||
# Enforce privacy of these addresses. Strips them away from answers.
|
||||
# It may cause DNSSEC validation to additionally mark it as bogus.
|
||||
# Protects against 'DNS Rebinding' (uses browser as network proxy).
|
||||
# Only 'private-domain' and 'local-data' names are allowed to have
|
||||
# Enforce privacy of these addresses. Strips them away from answers.
|
||||
# It may cause DNSSEC validation to additionally mark it as bogus.
|
||||
# Protects against 'DNS Rebinding' (uses browser as network proxy).
|
||||
# Only 'private-domain' and 'local-data' names are allowed to have
|
||||
# these private addresses. No default.
|
||||
# private-address: 10.0.0.0/8
|
||||
# private-address: 172.16.0.0/12
|
||||
|
@ -315,6 +320,7 @@ server:
|
|||
# private-address: 169.254.0.0/16
|
||||
# private-address: fd00::/8
|
||||
# private-address: fe80::/10
|
||||
# private-address: ::ffff:0:0/96
|
||||
|
||||
# Allow the domain (and its subdomains) to contain private addresses.
|
||||
# local-data statements are allowed to contain private addresses too.
|
||||
|
@ -373,7 +379,7 @@ server:
|
|||
# Zone file format, with DS and DNSKEY entries.
|
||||
# Note this gets out of date, use auto-trust-anchor-file please.
|
||||
# trust-anchor-file: ""
|
||||
|
||||
|
||||
# Trusted key for validation. DS or DNSKEY. specify the RR on a
|
||||
# single line, surrounded by "". TTL is ignored. class is IN default.
|
||||
# Note this gets out of date, use auto-trust-anchor-file please.
|
||||
|
@ -383,7 +389,7 @@ server:
|
|||
|
||||
# File with trusted keys for validation. Specify more than one file
|
||||
# with several entries, one file per entry. Like trust-anchor-file
|
||||
# but has a different file format. Format is BIND-9 style format,
|
||||
# but has a different file format. Format is BIND-9 style format,
|
||||
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
|
||||
# you need external update procedures to track changes in keys.
|
||||
# trusted-keys-file: ""
|
||||
|
@ -408,7 +414,7 @@ server:
|
|||
|
||||
# Should additional section of secure message also be kept clean of
|
||||
# unsecure data. Useful to shield the users of this validator from
|
||||
# potential bogus data in the additional section. All unsigned data
|
||||
# potential bogus data in the additional section. All unsigned data
|
||||
# in the additional section is removed from secure messages.
|
||||
# val-clean-additional: yes
|
||||
|
||||
|
@ -433,7 +439,7 @@ server:
|
|||
# A message with an NSEC3 with larger count is marked insecure.
|
||||
# List in ascending order the keysize and count values.
|
||||
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
|
||||
|
||||
|
||||
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
|
||||
# add-holddown: 2592000 # 30 days
|
||||
|
||||
|
@ -448,7 +454,7 @@ server:
|
|||
# permit-small-holddown: no
|
||||
|
||||
# the amount of memory to use for the key cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# key-cache-size: 4m
|
||||
|
||||
# the number of slabs to use for the key cache.
|
||||
|
@ -457,7 +463,7 @@ server:
|
|||
# key-cache-slabs: 4
|
||||
|
||||
# the amount of memory to use for the negative cache (used for DLV).
|
||||
# plain value in bytes or you can append k, m or G. default is "1Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "1Mb".
|
||||
# neg-cache-size: 1m
|
||||
|
||||
# By default, for a number of zones a small default 'nothing here'
|
||||
|
@ -501,7 +507,7 @@ server:
|
|||
# local-zone: "b.e.f.ip6.arpa." nodefault
|
||||
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
|
||||
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
|
||||
|
||||
|
||||
# if unbound is running service for the local host then it is useful
|
||||
# to perform lan-wide lookups to the upstream, and unblock the
|
||||
# long list of local-zones above. If this unbound is a dns server
|
||||
|
@ -512,7 +518,7 @@ server:
|
|||
# a number of locally served zones can be configured.
|
||||
# local-zone: <zone> <type>
|
||||
# local-data: "<resource record string>"
|
||||
# o deny serves local data (if any), else, drops queries.
|
||||
# o deny serves local data (if any), else, drops queries.
|
||||
# o refuse serves local data (if any), else, replies with error.
|
||||
# o static serves local data, else, nxdomain or nodata answer.
|
||||
# o transparent gives local data, but resolves normally for other names
|
||||
|
@ -525,7 +531,7 @@ server:
|
|||
# defaults are localhost address, reverse for 127.0.0.1 and ::1
|
||||
# and nxdomain for AS112 zones. If you configure one of these zones
|
||||
# the default content is omitted, or you can omit it with 'nodefault'.
|
||||
#
|
||||
#
|
||||
# If you configure local-data without specifying local-zone, by
|
||||
# default a transparent local-zone is created for the data.
|
||||
#
|
||||
|
@ -552,7 +558,7 @@ server:
|
|||
# default is "" (disabled). requires restart to take effect.
|
||||
# ssl-service-key: "path/to/privatekeyfile.key"
|
||||
# ssl-service-pem: "path/to/publiccertfile.pem"
|
||||
# ssl-port: 443
|
||||
# ssl-port: 853
|
||||
|
||||
# request upstream over SSL (with plain DNS inside the SSL stream).
|
||||
# Default is no. Can be turned on and off with unbound-control.
|
||||
|
@ -571,7 +577,7 @@ server:
|
|||
# ratelimit-size: 4m
|
||||
# ratelimit cache slabs, reduces lock contention if equal to cpucount.
|
||||
# ratelimit-slabs: 4
|
||||
|
||||
|
||||
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
|
||||
# ratelimit-factor: 10
|
||||
|
||||
|
@ -590,7 +596,7 @@ python:
|
|||
# Script file to load
|
||||
# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
|
||||
|
||||
# Remote control config section.
|
||||
# Remote control config section.
|
||||
remote-control:
|
||||
# Enable remote control with unbound-control(8) here.
|
||||
# set up the keys and certificates with unbound-control-setup.
|
||||
|
@ -621,9 +627,9 @@ remote-control:
|
|||
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
|
||||
|
||||
# Stub zones.
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
# 'example.org' go to the given list of nameservers. list zero or more
|
||||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
# 'example.org' go to the given list of nameservers. list zero or more
|
||||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||
# the list is treated as priming hints (default is no).
|
||||
# With stub-first yes, it attempts without the stub if it fails.
|
||||
# Consider adding domain-insecure: name and local-zone: name nodefault
|
||||
|
|
|
@ -169,7 +169,7 @@ therefore not flushed. The option must end with a ':' and whitespace
|
|||
must be between the option and the value. Some values may not have an
|
||||
effect if set this way, the new values are not written to the config file,
|
||||
not all options are supported. This is different from the set_option call
|
||||
in libunbound, where all values work because unbound has not been inited.
|
||||
in libunbound, where all values work because unbound has not been initialized.
|
||||
.IP
|
||||
The values that work are: statistics\-interval, statistics\-cumulative,
|
||||
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
|
||||
|
|
|
@ -296,7 +296,7 @@ trust (very large) TTL values.
|
|||
.TP
|
||||
.B cache\-min\-ttl: \fI<seconds>
|
||||
Time to live minimum for RRsets and messages in the cache. Default is 0.
|
||||
If the the minimum kicks in, the data is cached for longer than the domain
|
||||
If the minimum kicks in, the data is cached for longer than the domain
|
||||
owner intended, and thus less queries are made to look up the data.
|
||||
Zero makes sure the data in the cache is as the domain owner intended,
|
||||
higher values, especially more than an hour or so, can lead to trouble as
|
||||
|
@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service. Default is "",
|
|||
turned off.
|
||||
.TP
|
||||
.B ssl\-port: \fI<number>
|
||||
The port number on which to provide TCP SSL service, default 443, only
|
||||
The port number on which to provide TCP SSL service, default 853, only
|
||||
interfaces configured with that port number as @number get the SSL service.
|
||||
.TP
|
||||
.B do\-daemonize: \fI<yes or no>
|
||||
|
@ -373,6 +373,7 @@ a daemon. Default is yes.
|
|||
The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
.IP
|
||||
|
@ -443,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
|
|||
.TP
|
||||
.B directory: \fI<directory>
|
||||
Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
|
||||
On Windows the string "%EXECUTABLE%" tries to change to the directory
|
||||
that unbound.exe resides in.
|
||||
.TP
|
||||
.B logfile: \fI<filename>
|
||||
If "" is given, logging goes to stderr, or nowhere once daemonized.
|
||||
|
@ -480,7 +483,7 @@ kill \-HUP `cat @UNBOUND_PIDFILE@`
|
|||
.fi
|
||||
triggers a reload,
|
||||
.nf
|
||||
kill \-QUIT `cat @UNBOUND_PIDFILE@`
|
||||
kill \-TERM `cat @UNBOUND_PIDFILE@`
|
||||
.fi
|
||||
gracefully terminates.
|
||||
.TP
|
||||
|
@ -567,7 +570,7 @@ to increase the max depth that is checked to.
|
|||
.B harden\-algo\-downgrade: \fI<yes or no>
|
||||
Harden against algorithm downgrade when multiple algorithms are
|
||||
advertised in the DS record. If no, allows the weakest algorithm to
|
||||
validate the zone. Default is yes. Zone signers must produce zones
|
||||
validate the zone. Default is no. Zone signers must produce zones
|
||||
that allow this feature to work, but sometimes they do not, and turning
|
||||
this option off avoids that validation failure.
|
||||
.TP
|
||||
|
@ -584,23 +587,30 @@ queries. For domains that do not support 0x20 and also fail with fallback
|
|||
because they keep sending different answers, like some load balancers.
|
||||
Can be given multiple times, for different domains.
|
||||
.TP
|
||||
.B qname\-minimisation: \fI<yes or no>
|
||||
Send minimum amount of information to upstream servers to enhance privacy.
|
||||
Only sent minimum required labels of the QNAME and set QTYPE to NS when
|
||||
possible. Best effort approach, full QNAME and original QTYPE will be sent when
|
||||
upstream replies with a RCODE other than NOERROR. Default is off.
|
||||
.TP
|
||||
.B private\-address: \fI<IP address or subnet>
|
||||
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
|
||||
on your private network, and are not allowed to be returned for public
|
||||
internet names. Any occurence of such addresses are removed from
|
||||
DNS answers. Additionally, the DNSSEC validator may mark the answers
|
||||
bogus. This protects against so\-called DNS Rebinding, where a user browser
|
||||
is turned into a network proxy, allowing remote access through the browser
|
||||
to other parts of your private network. Some names can be allowed to
|
||||
contain your private addresses, by default all the \fBlocal\-data\fR
|
||||
that you configured is allowed to, and you can specify additional
|
||||
names using \fBprivate\-domain\fR. No private addresses are enabled
|
||||
by default. We consider to enable this for the RFC1918 private IP
|
||||
address space by default in later releases. That would enable private
|
||||
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
|
||||
fd00::/8 and fe80::/10, since the RFC standards say these addresses
|
||||
should not be visible on the public internet. Turning on 127.0.0.0/8
|
||||
would hinder many spamblocklists as they use that.
|
||||
on your private network, and are not allowed to be returned for
|
||||
public internet names. Any occurrence of such addresses are removed
|
||||
from DNS answers. Additionally, the DNSSEC validator may mark the
|
||||
answers bogus. This protects against so\-called DNS Rebinding, where
|
||||
a user browser is turned into a network proxy, allowing remote access
|
||||
through the browser to other parts of your private network. Some names
|
||||
can be allowed to contain your private addresses, by default all the
|
||||
\fBlocal\-data\fR that you configured is allowed to, and you can specify
|
||||
additional names using \fBprivate\-domain\fR. No private addresses are
|
||||
enabled by default. We consider to enable this for the RFC1918 private
|
||||
IP address space by default in later releases. That would enable private
|
||||
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
|
||||
fd00::/8 and fe80::/10, since the RFC standards say these addresses
|
||||
should not be visible on the public internet. Turning on 127.0.0.0/8
|
||||
would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96
|
||||
stops IPv4-mapped IPv6 addresses from bypassing the filter.
|
||||
.TP
|
||||
.B private\-domain: \fI<domain name>
|
||||
Allow this domain, and all its subdomains to contain private addresses.
|
||||
|
@ -745,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
|
|||
messages that are not signed properly. Messages that are insecure, bogus,
|
||||
indeterminate or unchecked are not affected. Default is yes. Use this setting
|
||||
to protect the users that rely on this validator for authentication from
|
||||
protentially bad data in the additional section.
|
||||
potentially bad data in the additional section.
|
||||
.TP
|
||||
.B val\-log\-level: \fI<number>
|
||||
Have the validator print validation failures to the log. Regardless of
|
||||
|
@ -1032,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
|
|||
exceeded. If set to another value, 1 in that number is allowed through
|
||||
to complete. Default is 10, allowing 1/10 traffic to flow normally.
|
||||
This can make ordinary queries complete (if repeatedly queried for),
|
||||
and enter the cache, whilst also mitigiting the traffic flow by the
|
||||
and enter the cache, whilst also mitigating the traffic flow by the
|
||||
factor given.
|
||||
.TP 5
|
||||
.B ratelimit\-for\-domain: \fI<domain> <number qps>
|
||||
|
|
|
@ -135,7 +135,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
|
|||
if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
|
||||
if(!ah(dp, "F.ROOT-SERVERS.NET.", "192.5.5.241")) goto failed;
|
||||
if(!ah(dp, "G.ROOT-SERVERS.NET.", "192.112.36.4")) goto failed;
|
||||
if(!ah(dp, "H.ROOT-SERVERS.NET.", "128.63.2.53")) goto failed;
|
||||
if(!ah(dp, "H.ROOT-SERVERS.NET.", "198.97.190.53")) goto failed;
|
||||
if(!ah(dp, "I.ROOT-SERVERS.NET.", "192.36.148.17")) goto failed;
|
||||
if(!ah(dp, "J.ROOT-SERVERS.NET.", "192.58.128.30")) goto failed;
|
||||
if(!ah(dp, "K.ROOT-SERVERS.NET.", "193.0.14.129")) goto failed;
|
||||
|
@ -148,7 +148,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
|
|||
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
|
||||
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
|
||||
if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) goto failed;
|
||||
if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::803f:235")) goto failed;
|
||||
if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::53")) goto failed;
|
||||
if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed;
|
||||
if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed;
|
||||
if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed;
|
||||
|
|
|
@ -405,7 +405,43 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|||
|
||||
/* Follow the CNAME chain. */
|
||||
if(rrset->type == LDNS_RR_TYPE_CNAME) {
|
||||
struct rrset_parse* nx = rrset->rrset_all_next;
|
||||
uint8_t* oldsname = sname;
|
||||
/* see if the next one is a DNAME, if so, swap them */
|
||||
if(nx && nx->section == LDNS_SECTION_ANSWER &&
|
||||
nx->type == LDNS_RR_TYPE_DNAME &&
|
||||
nx->rr_count == 1 &&
|
||||
pkt_strict_sub(pkt, sname, nx->dname)) {
|
||||
/* there is a DNAME after this CNAME, it
|
||||
* is in the ANSWER section, and the DNAME
|
||||
* applies to the name we cover */
|
||||
/* check if the alias of the DNAME equals
|
||||
* this CNAME */
|
||||
uint8_t alias[LDNS_MAX_DOMAINLEN+1];
|
||||
size_t aliaslen = 0;
|
||||
uint8_t* t = NULL;
|
||||
size_t tlen = 0;
|
||||
if(synth_cname(sname, snamelen, nx, alias,
|
||||
&aliaslen, pkt) &&
|
||||
parse_get_cname_target(rrset, &t, &tlen) &&
|
||||
dname_pkt_compare(pkt, alias, t) == 0) {
|
||||
/* the synthesized CNAME equals the
|
||||
* current CNAME. This CNAME is the
|
||||
* one that the DNAME creates, and this
|
||||
* CNAME is better capitalised */
|
||||
verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME");
|
||||
if(prev) prev->rrset_all_next = nx;
|
||||
else msg->rrset_first = nx;
|
||||
if(nx->rrset_all_next == NULL)
|
||||
msg->rrset_last = rrset;
|
||||
rrset->rrset_all_next =
|
||||
nx->rrset_all_next;
|
||||
nx->rrset_all_next = rrset;
|
||||
prev = nx;
|
||||
}
|
||||
}
|
||||
|
||||
/* move to next name in CNAME chain */
|
||||
if(!parse_get_cname_target(rrset, &sname, &snamelen))
|
||||
return 0;
|
||||
prev = rrset;
|
||||
|
@ -638,7 +674,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
|
|||
* children of the originating zone. The idea here is that,
|
||||
* as far as we know, the server that we contacted is ONLY
|
||||
* authoritative for the originating zone. It, of course, MAY
|
||||
* be authoriative for any other zones, and of course, MAY
|
||||
* be authoritative for any other zones, and of course, MAY
|
||||
* NOT be authoritative for some subdomains of the originating
|
||||
* zone. */
|
||||
prev = NULL;
|
||||
|
|
|
@ -255,7 +255,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
|
|||
return -1; /* server is lame */
|
||||
else if(rtt >= USEFUL_SERVER_TOP_TIMEOUT)
|
||||
/* server is unresponsive,
|
||||
* we used to return TOP_TIMOUT, but fairly useless,
|
||||
* we used to return TOP_TIMEOUT, but fairly useless,
|
||||
* because if == TOP_TIMEOUT is dropped because
|
||||
* blacklisted later, instead, remove it here, so
|
||||
* other choices (that are not blacklisted) can be
|
||||
|
@ -306,7 +306,7 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
|
|||
return got_it;
|
||||
}
|
||||
|
||||
/** filter the addres list, putting best targets at front,
|
||||
/** filter the address list, putting best targets at front,
|
||||
* returns number of best targets (or 0, no suitable targets) */
|
||||
static int
|
||||
iter_filter_order(struct iter_env* iter_env, struct module_env* env,
|
||||
|
|
|
@ -64,6 +64,7 @@
|
|||
#include "util/random.h"
|
||||
#include "sldns/rrdef.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "sldns/str2wire.h"
|
||||
#include "sldns/parseutil.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
|
||||
|
@ -81,6 +82,21 @@ iter_init(struct module_env* env, int id)
|
|||
log_err("iterator: could not apply configuration settings.");
|
||||
return 0;
|
||||
}
|
||||
if(env->cfg->qname_minimisation) {
|
||||
uint8_t dname[LDNS_MAX_DOMAINLEN+1];
|
||||
size_t len = sizeof(dname);
|
||||
if(sldns_str2wire_dname_buf("ip6.arpa.", dname, &len) != 0) {
|
||||
log_err("ip6.arpa. parse error");
|
||||
return 0;
|
||||
}
|
||||
iter_env->ip6arpa_dname = (uint8_t*)malloc(len);
|
||||
if(!iter_env->ip6arpa_dname) {
|
||||
log_err("malloc failure");
|
||||
return 0;
|
||||
}
|
||||
memcpy(iter_env->ip6arpa_dname, dname, len);
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -101,6 +117,7 @@ iter_deinit(struct module_env* env, int id)
|
|||
if(!env || !env->modinfo[id])
|
||||
return;
|
||||
iter_env = (struct iter_env*)env->modinfo[id];
|
||||
free(iter_env->ip6arpa_dname);
|
||||
free(iter_env->target_fetch_policy);
|
||||
priv_delete(iter_env->priv);
|
||||
donotq_delete(iter_env->donotq);
|
||||
|
@ -145,6 +162,12 @@ iter_new(struct module_qstate* qstate, int id)
|
|||
/* Start with the (current) qname. */
|
||||
iq->qchase = qstate->qinfo;
|
||||
outbound_list_init(&iq->outlist);
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
else
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
|
||||
memset(&iq->qinfo_out, 0, sizeof(struct query_info));
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -176,7 +199,7 @@ next_state(struct iter_qstate* iq, enum iter_state nextstate)
|
|||
/**
|
||||
* Transition an event to its final state. Final states always either return
|
||||
* a result up the module chain, or reactivate a dependent event. Which
|
||||
* final state to transtion to is set in the module state for the event when
|
||||
* final state to transition to is set in the module state for the event when
|
||||
* it was created, and depends on the original purpose of the event.
|
||||
*
|
||||
* The response is stored in the qstate->buf buffer.
|
||||
|
@ -506,7 +529,7 @@ target_count_increase(struct iter_qstate* iq, int num)
|
|||
/**
|
||||
* Generate a subrequest.
|
||||
* Generate a local request event. Local events are tied to this module, and
|
||||
* have a correponding (first tier) event that is waiting for this event to
|
||||
* have a corresponding (first tier) event that is waiting for this event to
|
||||
* resolve to continue.
|
||||
*
|
||||
* @param qname The query name for this request.
|
||||
|
@ -590,6 +613,11 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
|
|||
subiq->qchase = subq->qinfo;
|
||||
subiq->chase_flags = subq->query_flags;
|
||||
subiq->refetch_glue = 0;
|
||||
if(qstate->env->cfg->qname_minimisation)
|
||||
subiq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
else
|
||||
subiq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
memset(&subiq->qinfo_out, 0, sizeof(struct query_info));
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
@ -1042,6 +1070,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
iq->query_restart_count++;
|
||||
iq->sent_count = 0;
|
||||
sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
|
||||
if(qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
return next_state(iq, INIT_REQUEST_STATE);
|
||||
}
|
||||
|
||||
|
@ -1062,6 +1092,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
iq->refetch_glue = 0;
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
/* the request has been forwarded.
|
||||
* forwarded requests need to be immediately sent to the
|
||||
* next state, QUERYTARGETS. */
|
||||
|
@ -1599,6 +1630,8 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
iq->refetch_glue = 1;
|
||||
iq->query_restart_count++;
|
||||
iq->sent_count = 0;
|
||||
if(qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
return next_state(iq, INIT_REQUEST_STATE);
|
||||
}
|
||||
}
|
||||
|
@ -1975,9 +2008,78 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
}
|
||||
}
|
||||
|
||||
if(iq->minimisation_state == INIT_MINIMISE_STATE) {
|
||||
/* (Re)set qinfo_out to (new) delegation point, except
|
||||
* when qinfo_out is already a subdomain of dp. This happens
|
||||
* when resolving ip6.arpa dnames. */
|
||||
if(!(iq->qinfo_out.qname_len
|
||||
&& dname_subdomain_c(iq->qchase.qname,
|
||||
iq->qinfo_out.qname)
|
||||
&& dname_subdomain_c(iq->qinfo_out.qname,
|
||||
iq->dp->name))) {
|
||||
iq->qinfo_out.qname = iq->dp->name;
|
||||
iq->qinfo_out.qname_len = iq->dp->namelen;
|
||||
iq->qinfo_out.qtype = LDNS_RR_TYPE_NS;
|
||||
iq->qinfo_out.qclass = iq->qchase.qclass;
|
||||
}
|
||||
|
||||
iq->minimisation_state = MINIMISE_STATE;
|
||||
}
|
||||
if(iq->minimisation_state == MINIMISE_STATE) {
|
||||
int labdiff = dname_count_labels(iq->qchase.qname) -
|
||||
dname_count_labels(iq->qinfo_out.qname);
|
||||
|
||||
iq->qinfo_out.qname = iq->qchase.qname;
|
||||
iq->qinfo_out.qname_len = iq->qchase.qname_len;
|
||||
|
||||
/* Special treatment for ip6.arpa lookups.
|
||||
* Reverse IPv6 dname has 34 labels, increment the IP part
|
||||
* (usually first 32 labels) by 8 labels (7 more than the
|
||||
* default 1 label increment). */
|
||||
if(labdiff <= 32 &&
|
||||
dname_subdomain_c(iq->qchase.qname, ie->ip6arpa_dname)) {
|
||||
labdiff -= 7;
|
||||
/* Small chance of zone cut after first label. Stop
|
||||
* minimising */
|
||||
if(labdiff <= 1)
|
||||
labdiff = 0;
|
||||
}
|
||||
|
||||
if(labdiff > 1) {
|
||||
verbose(VERB_QUERY, "removing %d labels", labdiff-1);
|
||||
dname_remove_labels(&iq->qinfo_out.qname,
|
||||
&iq->qinfo_out.qname_len,
|
||||
labdiff-1);
|
||||
}
|
||||
if(labdiff < 1 ||
|
||||
(labdiff < 2 && iq->qchase.qtype == LDNS_RR_TYPE_DS))
|
||||
/* Stop minimising this query, resolve "as usual" */
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
else {
|
||||
struct dns_msg* msg = dns_cache_lookup(qstate->env,
|
||||
iq->qinfo_out.qname, iq->qinfo_out.qname_len,
|
||||
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
|
||||
qstate->query_flags, qstate->region,
|
||||
qstate->env->scratch);
|
||||
if(msg && msg->rep->an_numrrsets == 0
|
||||
&& FLAGS_GET_RCODE(msg->rep->flags) ==
|
||||
LDNS_RCODE_NOERROR)
|
||||
/* no need to send query if it is already
|
||||
* cached as NOERROR/NODATA */
|
||||
return 1;
|
||||
}
|
||||
|
||||
}
|
||||
if(iq->minimisation_state == SKIP_MINIMISE_STATE)
|
||||
/* Do not increment qname, continue incrementing next
|
||||
* iteration */
|
||||
iq->minimisation_state = MINIMISE_STATE;
|
||||
if(iq->minimisation_state == DONOT_MINIMISE_STATE)
|
||||
iq->qinfo_out = iq->qchase;
|
||||
|
||||
/* We have a valid target. */
|
||||
if(verbosity >= VERB_QUERY) {
|
||||
log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
|
||||
log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out);
|
||||
log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
|
||||
&target->addr, target->addrlen);
|
||||
verbose(VERB_ALGO, "dnssec status: %s%s",
|
||||
|
@ -1986,8 +2088,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
}
|
||||
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
|
||||
outq = (*qstate->env->send_query)(
|
||||
iq->qchase.qname, iq->qchase.qname_len,
|
||||
iq->qchase.qtype, iq->qchase.qclass,
|
||||
iq->qinfo_out.qname, iq->qinfo_out.qname_len,
|
||||
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
|
||||
iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), EDNS_DO|BIT_CD,
|
||||
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
|
||||
ie, iq), &target->addr, target->addrlen, iq->dp->name,
|
||||
|
@ -2042,6 +2144,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
enum response_type type;
|
||||
iq->num_current_queries--;
|
||||
if(iq->response == NULL) {
|
||||
/* Don't increment qname when QNAME minimisation is enabled */
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = SKIP_MINIMISE_STATE;
|
||||
iq->chase_to_rd = 0;
|
||||
iq->dnssec_lame_query = 0;
|
||||
verbose(VERB_ALGO, "query response was timeout");
|
||||
|
@ -2142,6 +2247,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
sock_list_insert(&qstate->reply_origin,
|
||||
&qstate->reply->addr, qstate->reply->addrlen,
|
||||
qstate->region);
|
||||
if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
|
||||
/* Best effort qname-minimisation.
|
||||
* Stop minimising and send full query when RCODE
|
||||
* is not NOERROR */
|
||||
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
|
||||
LDNS_RCODE_NOERROR)
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
return next_state(iq, QUERYTARGETS_STATE);
|
||||
}
|
||||
return final_state(iq);
|
||||
} else if(type == RESPONSE_TYPE_REFERRAL) {
|
||||
/* REFERRAL type responses get a reset of the
|
||||
|
@ -2201,6 +2315,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
* point to the referral. */
|
||||
iq->deleg_msg = iq->response;
|
||||
iq->dp = delegpt_from_message(iq->response, qstate->region);
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
if(!iq->dp)
|
||||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
|
||||
|
@ -2280,6 +2396,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
/* set the current request's qname to the new value. */
|
||||
iq->qchase.qname = sname;
|
||||
iq->qchase.qname_len = snamelen;
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
/* Clear the query state, since this is a query restart. */
|
||||
iq->deleg_msg = NULL;
|
||||
iq->dp = NULL;
|
||||
|
@ -2353,6 +2471,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
/* LAME, THROWAWAY and "unknown" all end up here.
|
||||
* Recycle to the QUERYTARGETS state to hopefully try a
|
||||
* different target. */
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
return next_state(iq, QUERYTARGETS_STATE);
|
||||
}
|
||||
|
||||
|
@ -2968,7 +3088,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
prs->flags &= ~BIT_CD;
|
||||
|
||||
/* normalize and sanitize: easy to delete items from linked lists */
|
||||
if(!scrub_message(pkt, prs, &iq->qchase, iq->dp->name,
|
||||
if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name,
|
||||
qstate->env->scratch, qstate->env, ie)) {
|
||||
/* if 0x20 enabled, start fallback, but we have no message */
|
||||
if(event == module_event_capsfail && !iq->caps_fallback) {
|
||||
|
|
|
@ -54,7 +54,7 @@ struct iter_priv;
|
|||
struct rbtree_t;
|
||||
|
||||
/** max number of targets spawned for a query and its subqueries */
|
||||
#define MAX_TARGET_COUNT 32
|
||||
#define MAX_TARGET_COUNT 64
|
||||
/** max number of query restarts. Determines max number of CNAME chain. */
|
||||
#define MAX_RESTART_COUNT 8
|
||||
/** max number of referrals. Makes sure resolver does not run away */
|
||||
|
@ -112,6 +112,32 @@ struct iter_env {
|
|||
* array of max_dependency_depth+1 size.
|
||||
*/
|
||||
int* target_fetch_policy;
|
||||
|
||||
/** ip6.arpa dname in wireformat, used for qname-minimisation */
|
||||
uint8_t* ip6arpa_dname;
|
||||
};
|
||||
|
||||
/**
|
||||
* QNAME minimisation state
|
||||
*/
|
||||
enum minimisation_state {
|
||||
/**
|
||||
* (Re)start minimisation. Outgoing QNAME should be set to dp->name.
|
||||
* State entered on new query or after following refferal or CNAME.
|
||||
*/
|
||||
INIT_MINIMISE_STATE = 0,
|
||||
/**
|
||||
* QNAME minimisataion ongoing. Increase QNAME on every iteration.
|
||||
*/
|
||||
MINIMISE_STATE,
|
||||
/**
|
||||
* Don't increment QNAME this iteration
|
||||
*/
|
||||
SKIP_MINIMISE_STATE,
|
||||
/**
|
||||
* Send out full QNAME + original QTYPE
|
||||
*/
|
||||
DONOT_MINIMISE_STATE,
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -322,6 +348,15 @@ struct iter_qstate {
|
|||
|
||||
/** list of pending queries to authoritative servers. */
|
||||
struct outbound_list outlist;
|
||||
|
||||
/** QNAME minimisation state */
|
||||
enum minimisation_state minimisation_state;
|
||||
|
||||
/**
|
||||
* The query info that is sent upstream. Will be a subset of qchase
|
||||
* when qname minimisation is enabled.
|
||||
*/
|
||||
struct query_info qinfo_out;
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
@ -68,6 +68,9 @@
|
|||
#ifdef HAVE_SYS_WAIT_H
|
||||
#include <sys/wait.h>
|
||||
#endif
|
||||
#ifdef HAVE_TIME_H
|
||||
#include <time.h>
|
||||
#endif
|
||||
|
||||
#if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
|
||||
#include <windows.h>
|
||||
|
@ -955,7 +958,7 @@ ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname)
|
|||
while (ptr) {
|
||||
numserv++;
|
||||
if((retval=ub_ctx_set_fwd(ctx,
|
||||
ptr->IpAddress.String)!=0)) {
|
||||
ptr->IpAddress.String))!=0) {
|
||||
free(info);
|
||||
return retval;
|
||||
}
|
||||
|
|
|
@ -36,7 +36,7 @@
|
|||
help:
|
||||
@echo "Please use \`make <target>' where <target> is one of"
|
||||
@echo " testenv to make test environment and run bash "
|
||||
@echo " usefull in case you don't want to install unbound but want to test examples"
|
||||
@echo " useful in case you don't want to install unbound but want to test examples"
|
||||
@echo " doc to make documentation"
|
||||
@echo " clean clean all"
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ You need GNU make to compile sources; SWIG and Python devel libraries to compile
|
|||
|
||||
**Testing**
|
||||
|
||||
If the compilation is successfull, you can test the python LDNS extension module by::
|
||||
If the compilation is successful, you can test the python LDNS extension module by::
|
||||
|
||||
> cd contrib/python
|
||||
> make testenv
|
||||
|
|
|
@ -42,7 +42,7 @@ Class ub_result
|
|||
False, if validation failed or domain queried has no security info.
|
||||
|
||||
It is possible to get a result with no data (havedata is false),
|
||||
and secure is true. This means that the non-existance of the data
|
||||
and secure is true. This means that the non-existence of the data
|
||||
was cryptographically proven (with signatures).
|
||||
|
||||
.. attribute:: bogus
|
||||
|
|
|
@ -44,7 +44,7 @@ ctx.debugout(fw)
|
|||
ctx.debuglevel(2)
|
||||
|
||||
if os.path.isfile("keys"):
|
||||
ctx.add_ta_file("keys") #read public keys for DNSSEC verificatio
|
||||
ctx.add_ta_file("keys") #read public keys for DNSSEC verification
|
||||
|
||||
status, result = ctx.resolve("www.nic.cz", RR_TYPE_A, RR_CLASS_IN)
|
||||
if status == 0 and result.havedata:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* libounbound.i: pyUnbound module (libunbound wrapper for Python)
|
||||
* libunbound.i: pyUnbound module (libunbound wrapper for Python)
|
||||
*
|
||||
* Copyright (c) 2009, Zdenek Vasicek (vasicek AT fit.vutbr.cz)
|
||||
* Marek Vavrusa (xvavru00 AT stud.fit.vutbr.cz)
|
||||
|
@ -455,7 +455,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
|
|||
#_UB_CTX_METHODS#
|
||||
|
||||
def zone_print(self):
|
||||
"""Print local zones using debougout"""
|
||||
"""Print local zones using debugout"""
|
||||
_unbound.ub_ctx_print_local_zones(self)
|
||||
|
||||
def zone_add(self,zonename,zonetype):
|
||||
|
|
|
@ -4394,7 +4394,7 @@ EOF
|
|||
{
|
||||
/* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
|
||||
namespace, but it is not one of the ones we know about and
|
||||
have already dealt with, above (inluding dump-script), then
|
||||
have already dealt with, above (including dump-script), then
|
||||
report an error. Otherwise, targets might begin to believe
|
||||
they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
|
||||
namespace. The first time any user complains about this, we'll
|
||||
|
|
|
@ -328,10 +328,10 @@ if [ "$DOWIN" = "yes" ]; then
|
|||
$strip unbound-service-install.exe
|
||||
$strip unbound-service-remove.exe
|
||||
cd tmp.$$
|
||||
cp ../doc/example.conf example.conf
|
||||
cp ../unbound.exe ../unbound-anchor.exe ../unbound-host.exe ../unbound-control.exe ../unbound-checkconf.exe ../unbound-service-install.exe ../unbound-service-remove.exe ../LICENSE ../winrc/unbound-control-setup.cmd ../winrc/unbound-website.url ../winrc/service.conf ../winrc/README.txt .
|
||||
cp ../doc/example.conf ../doc/Changelog .
|
||||
cp ../unbound.exe ../unbound-anchor.exe ../unbound-host.exe ../unbound-control.exe ../unbound-checkconf.exe ../unbound-service-install.exe ../unbound-service-remove.exe ../LICENSE ../winrc/unbound-control-setup.cmd ../winrc/unbound-website.url ../winrc/service.conf ../winrc/README.txt ../contrib/create_unbound_ad_servers.cmd ../contrib/warmup.cmd ../contrib/unbound_cache.cmd .
|
||||
# zipfile
|
||||
zip ../$file LICENSE README.txt unbound.exe unbound-anchor.exe unbound-host.exe unbound-control.exe unbound-checkconf.exe unbound-service-install.exe unbound-service-remove.exe unbound-control-setup.cmd example.conf service.conf unbound-website.url
|
||||
zip ../$file LICENSE README.txt unbound.exe unbound-anchor.exe unbound-host.exe unbound-control.exe unbound-checkconf.exe unbound-service-install.exe unbound-service-remove.exe unbound-control-setup.cmd example.conf service.conf unbound-website.url create_unbound_ad_servers.cmd warmup.cmd unbound_cache.cmd Changelog
|
||||
info "Testing $file"
|
||||
(cd .. ; zip -T $file )
|
||||
# installer
|
||||
|
@ -451,6 +451,10 @@ tar czf ../unbound-$version.tar.gz unbound-$version || error_cleanup "Failed to
|
|||
cleanup
|
||||
|
||||
storehash unbound-$version.tar.gz
|
||||
echo "create unbound-$version.tar.gz.asc with:"
|
||||
echo " gpg --armor --detach-sign unbound-$version.tar.gz"
|
||||
echo " gpg --armor --detach-sign unbound-$version.zip"
|
||||
echo " gpg --armor --detach-sign unbound_setup_$version.exe"
|
||||
|
||||
info "Unbound distribution created successfully."
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ DNS query and word lookup
|
|||
|
||||
Let's define the following format od DNS queries: ``word1[.]word2[.] ... wordN[.]{en,cs}[._dict_.cz.]``.
|
||||
Word lookup is done by simple ``dict`` lookup from broken DNS request.
|
||||
Query name is divided into a list of labels. This list is accesible as qname_list attribute.
|
||||
Query name is divided into a list of labels. This list is accessible as qname_list attribute.
|
||||
::
|
||||
|
||||
aword = ' '.join(qstate.qinfo.qname_list[0:-4]) #skip last four labels
|
||||
|
|
|
@ -311,7 +311,7 @@ config_file
|
|||
|
||||
.. attribute:: local_data
|
||||
|
||||
Local data RRs configged.
|
||||
Local data RRs configured.
|
||||
|
||||
.. attribute:: remote_control_enable
|
||||
|
||||
|
|
|
@ -68,7 +68,7 @@ Module event
|
|||
|
||||
.. data:: module_event_error
|
||||
|
||||
Error occured.
|
||||
Error occurred.
|
||||
|
||||
Security status
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
|
|
@ -347,12 +347,12 @@ DNSMessage
|
|||
|
||||
.. method:: __init__(self, rr_name, rr_type, rr_class = RR_CLASS_IN, query_flags = 0, default_ttl = 0)
|
||||
|
||||
Prepares an answer (DNS packet) from qiven information. Query flags are combination of PKT_xx contants.
|
||||
Prepares an answer (DNS packet) from given information. Query flags are combination of PKT_xx constants.
|
||||
|
||||
.. method:: set_return_msg(self, qstate)
|
||||
|
||||
This method fills qstate return message according to the given informations.
|
||||
It takes lists of RRs in each section of answer, created necessray RRsets in wire format and store the result in :attr:`qstate.return_msg`.
|
||||
It takes lists of RRs in each section of answer, created necessary RRsets in wire format and store the result in :attr:`qstate.return_msg`.
|
||||
Returns 1 if OK.
|
||||
|
||||
.. attribute:: rr_name
|
||||
|
|
|
@ -9,7 +9,7 @@ Synchronized with database engine, for example *MySQL*.
|
|||
|
||||
Firewall control
|
||||
----------------
|
||||
Control firewall (e.g. enable incomming SSH connection) with DNS query signed with private key.
|
||||
Control firewall (e.g. enable incoming SSH connection) with DNS query signed with private key.
|
||||
So firewall can blocks every service during normal operation.
|
||||
|
||||
Scriptable DNS-based blacklist (DNS-BL_)
|
||||
|
|
|
@ -656,8 +656,9 @@ fill_any(struct module_env* env,
|
|||
time_t now = *env->now;
|
||||
struct dns_msg* msg = NULL;
|
||||
uint16_t lookup[] = {LDNS_RR_TYPE_A, LDNS_RR_TYPE_AAAA,
|
||||
LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS, 0};
|
||||
int i, num=5; /* number of RR types to look up */
|
||||
LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS,
|
||||
LDNS_RR_TYPE_DNAME, 0};
|
||||
int i, num=6; /* number of RR types to look up */
|
||||
log_assert(lookup[num] == 0);
|
||||
|
||||
for(i=0; i<num; i++) {
|
||||
|
|
|
@ -190,6 +190,7 @@ rrset_cache_update(struct rrset_cache* r, struct rrset_ref* ref,
|
|||
uint16_t rrset_type = ntohs(k->rk.type);
|
||||
int equal = 0;
|
||||
log_assert(ref->id != 0 && k->id != 0);
|
||||
log_assert(k->rk.dname != NULL);
|
||||
/* looks up item with a readlock - no editing! */
|
||||
if((e=slabhash_lookup(&r->table, h, k, 0)) != 0) {
|
||||
/* return id and key as they will be used in the cache
|
||||
|
|
|
@ -56,13 +56,13 @@ time_t sldns_mktime_from_utc(const struct tm *tm);
|
|||
|
||||
/**
|
||||
* The function interprets time as the number of seconds since epoch
|
||||
* with respect to now using serial arithmitics (rfc1982).
|
||||
* with respect to now using serial arithmetics (rfc1982).
|
||||
* That number of seconds is then converted to broken-out time information.
|
||||
* This is especially usefull when converting the inception and expiration
|
||||
* fields of RRSIG records.
|
||||
*
|
||||
* \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
|
||||
* to be intepreted as a serial arithmitics number relative to now.
|
||||
* to be intepreted as a serial arithmetics number relative to now.
|
||||
* \param[in] now number of seconds since epoch (midnight, January 1st, 1970)
|
||||
* to which the time value is compared to determine the final value.
|
||||
* \param[out] result the struct with the broken-out time information
|
||||
|
|
|
@ -342,7 +342,7 @@ enum sldns_enum_rdf_type
|
|||
|
||||
/** A <character-string> encoding of the value field as specified
|
||||
* [RFC1035], Section 5.1., encoded as remaining rdata.
|
||||
* For CAA.
|
||||
* For CAA, URI.
|
||||
*/
|
||||
LDNS_RDF_TYPE_LONG_STR,
|
||||
|
||||
|
|
|
@ -697,6 +697,9 @@ int sldns_wire2str_rdata_scan(uint8_t** d, size_t* dlen, char** s,
|
|||
}
|
||||
w += n;
|
||||
}
|
||||
if(*dlen != 0) {
|
||||
goto failed;
|
||||
}
|
||||
return w;
|
||||
}
|
||||
|
||||
|
|
|
@ -95,7 +95,7 @@
|
|||
* signed yet; avoids attacks on system clock). The
|
||||
* last-successful-RFC5011-probe (if available) has to be more than 30 days
|
||||
* in the past (otherwise, RFC5011 should have worked). This keeps
|
||||
* unneccesary https traffic down. If the main certificate is expired, it
|
||||
* unnecessary https traffic down. If the main certificate is expired, it
|
||||
* fails.
|
||||
*
|
||||
* The dates on the keys in the xml are checked (uses the libexpat xml
|
||||
|
@ -1520,7 +1520,11 @@ xml_entitydeclhandler(void *userData,
|
|||
const XML_Char *ATTR_UNUSED(publicId),
|
||||
const XML_Char *ATTR_UNUSED(notationName))
|
||||
{
|
||||
#if HAVE_DECL_XML_STOPPARSER
|
||||
(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
|
||||
#else
|
||||
(void)userData;
|
||||
#endif
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1828,6 +1832,12 @@ write_unsigned_root(const char* root_anchor_file)
|
|||
root_anchor_file);
|
||||
if(verb && errno != 0) printf("%s\n", strerror(errno));
|
||||
}
|
||||
fflush(out);
|
||||
#ifdef HAVE_FSYNC
|
||||
fsync(fileno(out));
|
||||
#else
|
||||
FlushFileBuffers((HANDLE)_fileno(out));
|
||||
#endif
|
||||
fclose(out);
|
||||
}
|
||||
|
||||
|
@ -1854,6 +1864,12 @@ write_root_anchor(const char* root_anchor_file, BIO* ds)
|
|||
root_anchor_file);
|
||||
if(verb && errno != 0) printf("%s\n", strerror(errno));
|
||||
}
|
||||
fflush(out);
|
||||
#ifdef HAVE_FSYNC
|
||||
fsync(fileno(out));
|
||||
#else
|
||||
FlushFileBuffers((HANDLE)_fileno(out));
|
||||
#endif
|
||||
fclose(out);
|
||||
}
|
||||
|
||||
|
|
|
@ -335,7 +335,9 @@ morechecks(struct config_file* cfg, const char* fname)
|
|||
if(cfg->edns_buffer_size > cfg->msg_buffer_size)
|
||||
fatal_exit("edns-buffer-size larger than msg-buffer-size, "
|
||||
"answers will not fit in processing buffer");
|
||||
|
||||
#ifdef UB_ON_WINDOWS
|
||||
w_config_adjust_directory(cfg);
|
||||
#endif
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] &&
|
||||
cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
|
||||
fatal_exit("chootdir %s has trailing slash '/' please remove.",
|
||||
|
|
|
@ -107,16 +107,15 @@ else
|
|||
fi
|
||||
|
||||
# create self-signed cert for server
|
||||
cat >request.cfg <<EOF
|
||||
[req]
|
||||
default_bits=$BITS
|
||||
default_md=$HASH
|
||||
prompt=no
|
||||
distinguished_name=req_distinguished_name
|
||||
echo "[req]" > request.cfg
|
||||
echo "default_bits=$BITS" >> request.cfg
|
||||
echo "default_md=$HASH" >> request.cfg
|
||||
echo "prompt=no" >> request.cfg
|
||||
echo "distinguished_name=req_distinguished_name" >> request.cfg
|
||||
echo "" >> request.cfg
|
||||
echo "[req_distinguished_name]" >> request.cfg
|
||||
echo "commonName=$SERVERNAME" >> request.cfg
|
||||
|
||||
[req_distinguished_name]
|
||||
commonName=$SERVERNAME
|
||||
EOF
|
||||
test -f request.cfg || error "could not create request.cfg"
|
||||
|
||||
echo "create $SVR_BASE.pem (self signed certificate)"
|
||||
|
@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out
|
|||
openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
|
||||
|
||||
# create client request and sign it, piped
|
||||
cat >request.cfg <<EOF
|
||||
[req]
|
||||
default_bits=$BITS
|
||||
default_md=$HASH
|
||||
prompt=no
|
||||
distinguished_name=req_distinguished_name
|
||||
echo "[req]" > request.cfg
|
||||
echo "default_bits=$BITS" >> request.cfg
|
||||
echo "default_md=$HASH" >> request.cfg
|
||||
echo "prompt=no" >> request.cfg
|
||||
echo "distinguished_name=req_distinguished_name" >> request.cfg
|
||||
echo "" >> request.cfg
|
||||
echo "[req_distinguished_name]" >> request.cfg
|
||||
echo "commonName=$CLIENTNAME" >> request.cfg
|
||||
|
||||
[req_distinguished_name]
|
||||
commonName=$CLIENTNAME
|
||||
EOF
|
||||
test -f request.cfg || error "could not create request.cfg"
|
||||
|
||||
echo "create $CTL_BASE.pem (signed client certificate)"
|
||||
|
|
|
@ -156,10 +156,12 @@ setup_ctx(struct config_file* cfg)
|
|||
ctx = SSL_CTX_new(SSLv23_client_method());
|
||||
if(!ctx)
|
||||
ssl_err("could not allocate SSL_CTX pointer");
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
|
||||
!= SSL_OP_NO_SSLv2)
|
||||
ssl_err("could not set SSL_OP_NO_SSLv2");
|
||||
if(cfg->remote_control_use_cert) {
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
!= SSL_OP_NO_SSLv3)
|
||||
ssl_err("could not set SSL_OP_NO_SSLv3");
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
|
||||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
|
||||
|
@ -361,6 +363,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
|
|||
fatal_exit("could not read config file");
|
||||
if(!cfg->remote_control_enable)
|
||||
log_warn("control-enable is 'no' in the config file.");
|
||||
#ifdef UB_ON_WINDOWS
|
||||
w_config_adjust_directory(cfg);
|
||||
#endif
|
||||
ctx = setup_ctx(cfg);
|
||||
|
||||
/* contact server */
|
||||
|
|
|
@ -430,7 +430,7 @@ finish_acquire_lock(struct thr_check* thr, struct checked_lock* lock,
|
|||
* @param timedfunc: the pthread_mutex_timedlock or similar function.
|
||||
* Uses absolute timeout value.
|
||||
* @param arg: what to pass to tryfunc and timedlock.
|
||||
* @param exclusive: if lock must be exlusive (only one allowed).
|
||||
* @param exclusive: if lock must be exclusive (only one allowed).
|
||||
* @param getwr: if attempts to get writelock (or readlock) for rwlocks.
|
||||
*/
|
||||
static void
|
||||
|
@ -502,6 +502,8 @@ void
|
|||
checklock_rdlock(enum check_lock_type type, struct checked_lock* lock,
|
||||
const char* func, const char* file, int line)
|
||||
{
|
||||
if(key_deleted)
|
||||
return;
|
||||
|
||||
log_assert(type == check_lock_rwlock);
|
||||
checklock_lockit(type, lock, func, file, line,
|
||||
|
@ -520,6 +522,8 @@ void
|
|||
checklock_wrlock(enum check_lock_type type, struct checked_lock* lock,
|
||||
const char* func, const char* file, int line)
|
||||
{
|
||||
if(key_deleted)
|
||||
return;
|
||||
log_assert(type == check_lock_rwlock);
|
||||
checklock_lockit(type, lock, func, file, line,
|
||||
try_wr, timed_wr, &lock->u.rwlock, 0, 1);
|
||||
|
@ -555,6 +559,8 @@ void
|
|||
checklock_lock(enum check_lock_type type, struct checked_lock* lock,
|
||||
const char* func, const char* file, int line)
|
||||
{
|
||||
if(key_deleted)
|
||||
return;
|
||||
log_assert(type != check_lock_rwlock);
|
||||
switch(type) {
|
||||
case check_lock_mutex:
|
||||
|
@ -577,8 +583,10 @@ void
|
|||
checklock_unlock(enum check_lock_type type, struct checked_lock* lock,
|
||||
const char* func, const char* file, int line)
|
||||
{
|
||||
struct thr_check *thr = (struct thr_check*)pthread_getspecific(
|
||||
thr_debug_key);
|
||||
struct thr_check *thr;
|
||||
if(key_deleted)
|
||||
return;
|
||||
thr = (struct thr_check*)pthread_getspecific(thr_debug_key);
|
||||
checktype(type, lock, func, file, line);
|
||||
if(!thr) lock_error(lock, func, file, line, "no thread info");
|
||||
|
||||
|
@ -755,7 +763,8 @@ static void
|
|||
lock_debug_info(struct checked_lock* lock)
|
||||
{
|
||||
if(!lock) return;
|
||||
log_info("+++ Lock %x, %d %d create %s %s %d", (int)lock,
|
||||
log_info("+++ Lock %llx, %d %d create %s %s %d",
|
||||
(unsigned long long)(size_t)lock,
|
||||
lock->create_thread, lock->create_instance,
|
||||
lock->create_func, lock->create_file, lock->create_line);
|
||||
log_info("lock type: %s",
|
||||
|
@ -790,8 +799,9 @@ thread_debug_info(struct thr_check* thr)
|
|||
struct checked_lock* l = NULL;
|
||||
if(!thr) return;
|
||||
log_info("pthread id is %x", (int)thr->id);
|
||||
log_info("thread func is %x", (int)thr->func);
|
||||
log_info("thread arg is %x (%d)", (int)thr->arg,
|
||||
log_info("thread func is %llx", (unsigned long long)(size_t)thr->func);
|
||||
log_info("thread arg is %llx (%d)",
|
||||
(unsigned long long)(size_t)thr->arg,
|
||||
(thr->arg?*(int*)thr->arg:0));
|
||||
log_info("thread num is %d", thr->num);
|
||||
log_info("locks created %d", thr->locks_created);
|
||||
|
@ -801,7 +811,8 @@ thread_debug_info(struct thr_check* thr)
|
|||
w = thr->waiting;
|
||||
f = thr->holding_first;
|
||||
l = thr->holding_last;
|
||||
log_info("thread waiting for a lock: %s %x", w?"yes":"no", (int)w);
|
||||
log_info("thread waiting for a lock: %s %llx", w?"yes":"no",
|
||||
(unsigned long long)(size_t)w);
|
||||
lock_debug_info(w);
|
||||
log_info("thread holding first: %s, last: %s", f?"yes":"no",
|
||||
l?"yes":"no");
|
||||
|
|
|
@ -569,7 +569,7 @@ do_infra_rtt(struct replay_runtime* runtime)
|
|||
free(dp);
|
||||
}
|
||||
|
||||
/** perform exponential backoff on the timout */
|
||||
/** perform exponential backoff on the timeout */
|
||||
static void
|
||||
expon_timeout_backoff(struct replay_runtime* runtime)
|
||||
{
|
||||
|
|
|
@ -44,6 +44,9 @@
|
|||
*/
|
||||
|
||||
#include "config.h"
|
||||
#ifdef HAVE_TIME_H
|
||||
#include <time.h>
|
||||
#endif
|
||||
#include "util/log.h"
|
||||
#include "util/rbtree.h"
|
||||
#include "util/locks.h"
|
||||
|
|
|
@ -499,8 +499,7 @@ replay_scenario_delete(struct replay_scenario* scen)
|
|||
struct replay_range* rng, *rngn;
|
||||
if(!scen)
|
||||
return;
|
||||
if(scen->title)
|
||||
free(scen->title);
|
||||
free(scen->title);
|
||||
mom = scen->mom_first;
|
||||
while(mom) {
|
||||
momn = mom->mom_next;
|
||||
|
@ -909,118 +908,127 @@ macro_assign(rbtree_t* store, char* name, char* value)
|
|||
return x->value != NULL;
|
||||
}
|
||||
|
||||
/* testbound assert function for selftest. counts the number of tests */
|
||||
#define tb_assert(x) \
|
||||
do { if(!(x)) fatal_exit("%s:%d: %s: assertion %s failed", \
|
||||
__FILE__, __LINE__, __func__, #x); \
|
||||
num_asserts++; \
|
||||
} while(0);
|
||||
|
||||
void testbound_selftest(void)
|
||||
{
|
||||
/* test the macro store */
|
||||
rbtree_t* store = macro_store_create();
|
||||
char* v;
|
||||
int r;
|
||||
log_assert(store);
|
||||
int num_asserts = 0;
|
||||
tb_assert(store);
|
||||
|
||||
v = macro_lookup(store, "bla");
|
||||
log_assert(strcmp(v, "") == 0);
|
||||
tb_assert(strcmp(v, "") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_lookup(store, "vlerk");
|
||||
log_assert(strcmp(v, "") == 0);
|
||||
tb_assert(strcmp(v, "") == 0);
|
||||
free(v);
|
||||
|
||||
r = macro_assign(store, "bla", "waarde1");
|
||||
log_assert(r);
|
||||
tb_assert(r);
|
||||
|
||||
v = macro_lookup(store, "vlerk");
|
||||
log_assert(strcmp(v, "") == 0);
|
||||
tb_assert(strcmp(v, "") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_lookup(store, "bla");
|
||||
log_assert(strcmp(v, "waarde1") == 0);
|
||||
tb_assert(strcmp(v, "waarde1") == 0);
|
||||
free(v);
|
||||
|
||||
r = macro_assign(store, "vlerk", "kanteel");
|
||||
log_assert(r);
|
||||
tb_assert(r);
|
||||
|
||||
v = macro_lookup(store, "bla");
|
||||
log_assert(strcmp(v, "waarde1") == 0);
|
||||
tb_assert(strcmp(v, "waarde1") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_lookup(store, "vlerk");
|
||||
log_assert(strcmp(v, "kanteel") == 0);
|
||||
tb_assert(strcmp(v, "kanteel") == 0);
|
||||
free(v);
|
||||
|
||||
r = macro_assign(store, "bla", "ww");
|
||||
log_assert(r);
|
||||
tb_assert(r);
|
||||
|
||||
v = macro_lookup(store, "bla");
|
||||
log_assert(strcmp(v, "ww") == 0);
|
||||
tb_assert(strcmp(v, "ww") == 0);
|
||||
free(v);
|
||||
|
||||
log_assert( macro_length("}") == 1);
|
||||
log_assert( macro_length("blabla}") == 7);
|
||||
log_assert( macro_length("bla${zoink}bla}") == 7+8);
|
||||
log_assert( macro_length("bla${zoink}${bla}bla}") == 7+8+6);
|
||||
tb_assert( macro_length("}") == 1);
|
||||
tb_assert( macro_length("blabla}") == 7);
|
||||
tb_assert( macro_length("bla${zoink}bla}") == 7+8);
|
||||
tb_assert( macro_length("bla${zoink}${bla}bla}") == 7+8+6);
|
||||
|
||||
v = macro_process(store, NULL, "");
|
||||
log_assert( v && strcmp(v, "") == 0);
|
||||
tb_assert( v && strcmp(v, "") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_process(store, NULL, "${}");
|
||||
log_assert( v && strcmp(v, "") == 0);
|
||||
tb_assert( v && strcmp(v, "") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_process(store, NULL, "blabla ${} dinges");
|
||||
log_assert( v && strcmp(v, "blabla dinges") == 0);
|
||||
tb_assert( v && strcmp(v, "blabla dinges") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_process(store, NULL, "1${$bla}2${$bla}3");
|
||||
log_assert( v && strcmp(v, "1ww2ww3") == 0);
|
||||
tb_assert( v && strcmp(v, "1ww2ww3") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_process(store, NULL, "it is ${ctime 123456}");
|
||||
log_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
|
||||
tb_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
|
||||
free(v);
|
||||
|
||||
r = macro_assign(store, "t1", "123456");
|
||||
log_assert(r);
|
||||
tb_assert(r);
|
||||
v = macro_process(store, NULL, "it is ${ctime ${$t1}}");
|
||||
log_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
|
||||
tb_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_process(store, NULL, "it is ${ctime $t1}");
|
||||
log_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
|
||||
tb_assert( v && strcmp(v, "it is Fri Jan 2 10:17:36 1970") == 0);
|
||||
free(v);
|
||||
|
||||
r = macro_assign(store, "x", "1");
|
||||
log_assert(r);
|
||||
tb_assert(r);
|
||||
r = macro_assign(store, "y", "2");
|
||||
log_assert(r);
|
||||
tb_assert(r);
|
||||
v = macro_process(store, NULL, "${$x + $x}");
|
||||
log_assert( v && strcmp(v, "2") == 0);
|
||||
tb_assert( v && strcmp(v, "2") == 0);
|
||||
free(v);
|
||||
v = macro_process(store, NULL, "${$x - $x}");
|
||||
log_assert( v && strcmp(v, "0") == 0);
|
||||
tb_assert( v && strcmp(v, "0") == 0);
|
||||
free(v);
|
||||
v = macro_process(store, NULL, "${$y * $y}");
|
||||
log_assert( v && strcmp(v, "4") == 0);
|
||||
tb_assert( v && strcmp(v, "4") == 0);
|
||||
free(v);
|
||||
v = macro_process(store, NULL, "${32 / $y + $x + $y}");
|
||||
log_assert( v && strcmp(v, "19") == 0);
|
||||
tb_assert( v && strcmp(v, "19") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_process(store, NULL, "${32 / ${$y+$y} + ${${100*3}/3}}");
|
||||
log_assert( v && strcmp(v, "108") == 0);
|
||||
tb_assert( v && strcmp(v, "108") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_process(store, NULL, "${1 2 33 2 1}");
|
||||
log_assert( v && strcmp(v, "1 2 33 2 1") == 0);
|
||||
tb_assert( v && strcmp(v, "1 2 33 2 1") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_process(store, NULL, "${123 3 + 5}");
|
||||
log_assert( v && strcmp(v, "123 8") == 0);
|
||||
tb_assert( v && strcmp(v, "123 8") == 0);
|
||||
free(v);
|
||||
|
||||
v = macro_process(store, NULL, "${123 glug 3 + 5}");
|
||||
log_assert( v && strcmp(v, "123 glug 8") == 0);
|
||||
tb_assert( v && strcmp(v, "123 glug 8") == 0);
|
||||
free(v);
|
||||
|
||||
macro_store_delete(store);
|
||||
printf("selftest successful (%d checks).\n", num_asserts);
|
||||
}
|
||||
|
|
|
@ -35,7 +35,7 @@
|
|||
*/
|
||||
/**
|
||||
* \file
|
||||
* Exits with code 1 on a failure. 0 if all unit tests are successfull.
|
||||
* Exits with code 1 on a failure. 0 if all unit tests are successful.
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
@ -284,10 +284,9 @@ main(int argc, char* argv[])
|
|||
case 's':
|
||||
free(pass_argv[1]);
|
||||
testbound_selftest();
|
||||
printf("selftest successful\n");
|
||||
exit(0);
|
||||
case '2':
|
||||
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS)) && defined(USE_SHA2)
|
||||
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
|
||||
printf("SHA256 supported\n");
|
||||
exit(0);
|
||||
#else
|
||||
|
|
|
@ -214,7 +214,7 @@ void delete_entry(struct entry* list);
|
|||
* @param in: file to read from. Filepos must be at the start of a new line.
|
||||
* @param name: name of the file for prettier errors.
|
||||
* @param pstate: file parse state with lineno, default_ttl,
|
||||
* oirigin and prev_rr name.
|
||||
* origin and prev_rr name.
|
||||
* @param skip_whitespace: skip leftside whitespace.
|
||||
* @return: The entry read (malloced) or NULL if no entry could be read.
|
||||
*/
|
||||
|
|
|
@ -359,7 +359,7 @@ testlookup_unlim(struct lruhash* table, testdata_t** ref)
|
|||
static void
|
||||
test_long_table(struct lruhash* table)
|
||||
{
|
||||
/* assuming it all fits in the hastable, this check will work */
|
||||
/* assuming it all fits in the hashtable, this check will work */
|
||||
testdata_t* ref[HASHTESTMAX * 100];
|
||||
size_t i;
|
||||
memset(ref, 0, sizeof(ref));
|
||||
|
|
|
@ -36,7 +36,7 @@
|
|||
/**
|
||||
* \file
|
||||
* Unit test main program. Calls all the other unit tests.
|
||||
* Exits with code 1 on a failure. 0 if all unit tests are successfull.
|
||||
* Exits with code 1 on a failure. 0 if all unit tests are successful.
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
|
|
@ -242,7 +242,7 @@ testlookup_unlim(struct slabhash* table, testdata_t** ref)
|
|||
static void
|
||||
test_long_table(struct slabhash* table)
|
||||
{
|
||||
/* assuming it all fits in the hastable, this check will work */
|
||||
/* assuming it all fits in the hashtable, this check will work */
|
||||
testdata_t* ref[HASHTESTMAX * 100];
|
||||
size_t i;
|
||||
memset(ref, 0, sizeof(ref));
|
||||
|
|
|
@ -504,12 +504,12 @@ verify_test(void)
|
|||
verifytest_file("testdata/test_signatures.6", "20080416005004");
|
||||
verifytest_file("testdata/test_signatures.7", "20070829144150");
|
||||
verifytest_file("testdata/test_signatures.8", "20070829144150");
|
||||
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS)) && defined(USE_SHA2)
|
||||
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
|
||||
verifytest_file("testdata/test_sigs.rsasha256", "20070829144150");
|
||||
verifytest_file("testdata/test_sigs.sha1_and_256", "20070829144150");
|
||||
verifytest_file("testdata/test_sigs.rsasha256_draft", "20090101000000");
|
||||
#endif
|
||||
#if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS)) && defined(USE_SHA2)
|
||||
#if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
|
||||
verifytest_file("testdata/test_sigs.rsasha512_draft", "20070829144150");
|
||||
#endif
|
||||
verifytest_file("testdata/test_sigs.hinfo", "20090107100022");
|
||||
|
|
|
@ -100,7 +100,7 @@ config_create(void)
|
|||
cfg->tcp_upstream = 0;
|
||||
cfg->ssl_service_key = NULL;
|
||||
cfg->ssl_service_pem = NULL;
|
||||
cfg->ssl_port = 443;
|
||||
cfg->ssl_port = 853;
|
||||
cfg->ssl_upstream = 0;
|
||||
cfg->use_syslog = 1;
|
||||
cfg->log_time_ascii = 0;
|
||||
|
@ -174,7 +174,7 @@ config_create(void)
|
|||
cfg->harden_dnssec_stripped = 1;
|
||||
cfg->harden_below_nxdomain = 0;
|
||||
cfg->harden_referral_path = 0;
|
||||
cfg->harden_algo_downgrade = 1;
|
||||
cfg->harden_algo_downgrade = 0;
|
||||
cfg->use_caps_bits_for_id = 0;
|
||||
cfg->caps_whitelist = NULL;
|
||||
cfg->private_address = NULL;
|
||||
|
@ -240,6 +240,7 @@ config_create(void)
|
|||
cfg->ratelimit_for_domain = NULL;
|
||||
cfg->ratelimit_below_domain = NULL;
|
||||
cfg->ratelimit_factor = 10;
|
||||
cfg->qname_minimisation = 0;
|
||||
return cfg;
|
||||
error_exit:
|
||||
config_delete(cfg);
|
||||
|
@ -473,6 +474,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
|||
else S_MEMSIZE("ratelimit-size:", ratelimit_size)
|
||||
else S_POW2("ratelimit-slabs:", ratelimit_slabs)
|
||||
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
|
||||
else S_YNO("qname-minimisation:", qname_minimisation)
|
||||
/* val_sig_skew_min and max are copied into val_env during init,
|
||||
* so this does not update val_env with set_option */
|
||||
else if(strcmp(opt, "val-sig-skew-min:") == 0)
|
||||
|
@ -747,6 +749,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
|||
else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
|
||||
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
|
||||
else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
|
||||
else O_YNO(opt, "qname-minimisation", qname_minimisation)
|
||||
/* not here:
|
||||
* outgoing-permit, outgoing-avoid - have list of ports
|
||||
* local-zone - zones and nodefault variables
|
||||
|
@ -1555,6 +1558,28 @@ w_lookup_reg_str(const char* key, const char* name)
|
|||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
void w_config_adjust_directory(struct config_file* cfg)
|
||||
{
|
||||
if(cfg->directory && cfg->directory[0]) {
|
||||
TCHAR dirbuf[2*MAX_PATH+4];
|
||||
if(strcmp(cfg->directory, "%EXECUTABLE%") == 0) {
|
||||
/* get executable path, and if that contains
|
||||
* directories, snip off the filename part */
|
||||
dirbuf[0] = 0;
|
||||
if(!GetModuleFileName(NULL, dirbuf, MAX_PATH))
|
||||
log_err("could not GetModuleFileName");
|
||||
if(strrchr(dirbuf, '\\')) {
|
||||
(strrchr(dirbuf, '\\'))[0] = 0;
|
||||
} else log_err("GetModuleFileName had no path");
|
||||
if(dirbuf[0]) {
|
||||
/* adjust directory for later lookups to work*/
|
||||
free(cfg->directory);
|
||||
cfg->directory = memdup(dirbuf, strlen(dirbuf)+1);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* UB_ON_WINDOWS */
|
||||
|
||||
void errinf(struct module_qstate* qstate, const char* str)
|
||||
|
|
|
@ -283,7 +283,7 @@ struct config_file {
|
|||
struct config_str2list* local_zones;
|
||||
/** local zones nodefault list */
|
||||
struct config_strlist* local_zones_nodefault;
|
||||
/** local data RRs configged */
|
||||
/** local data RRs configured */
|
||||
struct config_strlist* local_data;
|
||||
/** unblock lan zones (reverse lookups for 10/8 and so on) */
|
||||
int unblock_lan_zones;
|
||||
|
@ -364,6 +364,8 @@ struct config_file {
|
|||
struct config_str2list* ratelimit_below_domain;
|
||||
/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
|
||||
int ratelimit_factor;
|
||||
/** minimise outgoing QNAME and hide original QTYPE if possible */
|
||||
int qname_minimisation;
|
||||
};
|
||||
|
||||
/** from cfg username, after daemonise setup performed */
|
||||
|
@ -739,6 +741,9 @@ void ub_c_error_msg(const char* fmt, ...) ATTR_FORMAT(printf, 1, 2);
|
|||
* exist on an error (logged with log_err) was encountered.
|
||||
*/
|
||||
char* w_lookup_reg_str(const char* key, const char* name);
|
||||
|
||||
/** Modify directory in options for module file name */
|
||||
void w_config_adjust_directory(struct config_file* cfg);
|
||||
#endif /* UB_ON_WINDOWS */
|
||||
|
||||
#endif /* UTIL_CONFIG_FILE_H */
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -126,6 +126,10 @@ static void config_start_include_glob(const char* filename)
|
|||
#endif
|
||||
;
|
||||
memset(&g, 0, sizeof(g));
|
||||
if(cfg_parser->chroot && strncmp(filename, cfg_parser->chroot,
|
||||
strlen(cfg_parser->chroot)) == 0) {
|
||||
filename += strlen(cfg_parser->chroot);
|
||||
}
|
||||
r = glob(filename, flags, NULL, &g);
|
||||
if(r) {
|
||||
/* some error */
|
||||
|
@ -201,6 +205,7 @@ SQANY [^\'\n\r\\]|\\.
|
|||
/* note that flex makes the longest match and '.' is any but not nl */
|
||||
LEXOUT(("comment(%s) ", yytext)); /* ignore */ }
|
||||
server{COLON} { YDVAR(0, VAR_SERVER) }
|
||||
qname-minimisation{COLON} { YDVAR(1, VAR_QNAME_MINIMISATION) }
|
||||
num-threads{COLON} { YDVAR(1, VAR_NUM_THREADS) }
|
||||
verbosity{COLON} { YDVAR(1, VAR_VERBOSITY) }
|
||||
port{COLON} { YDVAR(1, VAR_PORT) }
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -204,7 +204,8 @@ extern int yydebug;
|
|||
VAR_RATELIMIT_FACTOR = 413,
|
||||
VAR_CAPS_WHITELIST = 414,
|
||||
VAR_CACHE_MAX_NEGATIVE_TTL = 415,
|
||||
VAR_PERMIT_SMALL_HOLDDOWN = 416
|
||||
VAR_PERMIT_SMALL_HOLDDOWN = 416,
|
||||
VAR_QNAME_MINIMISATION = 417
|
||||
};
|
||||
#endif
|
||||
/* Tokens. */
|
||||
|
@ -367,6 +368,7 @@ extern int yydebug;
|
|||
#define VAR_CAPS_WHITELIST 414
|
||||
#define VAR_CACHE_MAX_NEGATIVE_TTL 415
|
||||
#define VAR_PERMIT_SMALL_HOLDDOWN 416
|
||||
#define VAR_QNAME_MINIMISATION 417
|
||||
|
||||
|
||||
|
||||
|
@ -380,7 +382,7 @@ typedef union YYSTYPE
|
|||
|
||||
|
||||
/* Line 2058 of yacc.c */
|
||||
#line 384 "util/configparser.h"
|
||||
#line 386 "util/configparser.h"
|
||||
} YYSTYPE;
|
||||
# define YYSTYPE_IS_TRIVIAL 1
|
||||
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
|
||||
|
|
|
@ -122,6 +122,7 @@ extern struct config_parser_state* cfg_parser;
|
|||
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
|
||||
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
|
||||
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
|
||||
%token VAR_QNAME_MINIMISATION
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
|
@ -186,7 +187,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
|||
server_ratelimit_size | server_ratelimit_for_domain |
|
||||
server_ratelimit_below_domain | server_ratelimit_factor |
|
||||
server_caps_whitelist | server_cache_max_negative_ttl |
|
||||
server_permit_small_holddown
|
||||
server_permit_small_holddown | server_qname_minimisation
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
|
@ -1318,6 +1319,16 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
|
|||
free($2);
|
||||
}
|
||||
;
|
||||
server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_qname_minimisation:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->qname_minimisation =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
stub_name: VAR_NAME STRING_ARG
|
||||
{
|
||||
OUTYY(("P(name:%s)\n", $2));
|
||||
|
|
|
@ -57,11 +57,9 @@ ub_packed_rrset_parsedelete(struct ub_packed_rrset_key* pkey,
|
|||
{
|
||||
if(!pkey)
|
||||
return;
|
||||
if(pkey->entry.data)
|
||||
free(pkey->entry.data);
|
||||
free(pkey->entry.data);
|
||||
pkey->entry.data = NULL;
|
||||
if(pkey->rk.dname)
|
||||
free(pkey->rk.dname);
|
||||
free(pkey->rk.dname);
|
||||
pkey->rk.dname = NULL;
|
||||
pkey->id = 0;
|
||||
alloc_special_release(alloc, pkey);
|
||||
|
|
|
@ -660,6 +660,7 @@
|
|||
833,
|
||||
847,
|
||||
848,
|
||||
853,
|
||||
860,
|
||||
861,
|
||||
862,
|
||||
|
@ -3840,6 +3841,9 @@
|
|||
4404,
|
||||
4405,
|
||||
4406,
|
||||
4412,
|
||||
4413,
|
||||
4416,
|
||||
4425,
|
||||
4426,
|
||||
4430,
|
||||
|
@ -4570,6 +4574,7 @@
|
|||
7070,
|
||||
7071,
|
||||
7080,
|
||||
7088,
|
||||
7095,
|
||||
7099,
|
||||
7100,
|
||||
|
@ -5381,6 +5386,7 @@
|
|||
38203,
|
||||
39681,
|
||||
40000,
|
||||
40023,
|
||||
40841,
|
||||
40842,
|
||||
40843,
|
||||
|
|
|
@ -232,7 +232,7 @@ void ub_thread_create(ub_thread_t* thr, void* (*func)(void*), void* arg)
|
|||
0, /* default flags, run immediately */
|
||||
NULL); /* do not store thread identifier anywhere */
|
||||
#else
|
||||
/* the begintheadex routine setups for the C lib; aligns stack */
|
||||
/* the beginthreadex routine setups for the C lib; aligns stack */
|
||||
*thr=(ub_thread_t)_beginthreadex(NULL, 0, (void*)func, arg, 0, NULL);
|
||||
#endif
|
||||
if(*thr == NULL) {
|
||||
|
|
|
@ -261,12 +261,9 @@ void event_base_free(struct event_base* base)
|
|||
{
|
||||
if(!base)
|
||||
return;
|
||||
if(base->times)
|
||||
free(base->times);
|
||||
if(base->fds)
|
||||
free(base->fds);
|
||||
if(base->signals)
|
||||
free(base->signals);
|
||||
free(base->times);
|
||||
free(base->fds);
|
||||
free(base->signals);
|
||||
free(base);
|
||||
}
|
||||
|
||||
|
|
|
@ -619,12 +619,14 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
|||
return NULL;
|
||||
}
|
||||
/* no SSLv2, SSLv3 because has defects */
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
|
||||
!= SSL_OP_NO_SSLv2){
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv2");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
!= SSL_OP_NO_SSLv3){
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv3");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
|
@ -690,12 +692,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
|
|||
log_crypto_err("could not allocate SSL_CTX pointer");
|
||||
return NULL;
|
||||
}
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
|
||||
!= SSL_OP_NO_SSLv2) {
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv2");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
!= SSL_OP_NO_SSLv3) {
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv3");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
|
|
|
@ -68,6 +68,8 @@
|
|||
/* nss3 */
|
||||
#include "secport.h"
|
||||
#include "pk11pub.h"
|
||||
#elif defined(HAVE_NETTLE)
|
||||
#include "yarrow.h"
|
||||
#endif
|
||||
|
||||
/**
|
||||
|
@ -76,7 +78,7 @@
|
|||
*/
|
||||
#define MAX_VALUE 0x7fffffff
|
||||
|
||||
#ifndef HAVE_NSS
|
||||
#if defined(HAVE_SSL)
|
||||
void
|
||||
ub_systemseed(unsigned int ATTR_UNUSED(seed))
|
||||
{
|
||||
|
@ -110,7 +112,7 @@ ub_random_max(struct ub_randstate* state, long int x)
|
|||
return (long)arc4random_uniform((uint32_t)x);
|
||||
}
|
||||
|
||||
#else
|
||||
#elif defined(HAVE_NSS)
|
||||
|
||||
/* not much to remember for NSS since we use its pk11_random, placeholder */
|
||||
struct ub_randstate {
|
||||
|
@ -144,6 +146,72 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
|
|||
return x & MAX_VALUE;
|
||||
}
|
||||
|
||||
#elif defined(HAVE_NETTLE)
|
||||
|
||||
/**
|
||||
* libnettle implements a Yarrow-256 generator (SHA256 + AES),
|
||||
* and we have to ensure it is seeded before use.
|
||||
*/
|
||||
struct ub_randstate {
|
||||
struct yarrow256_ctx ctx;
|
||||
int seeded;
|
||||
};
|
||||
|
||||
void ub_systemseed(unsigned int ATTR_UNUSED(seed))
|
||||
{
|
||||
/**
|
||||
* We seed on init and not here, as we need the ctx to re-seed.
|
||||
* This also means that re-seeding is not supported.
|
||||
*/
|
||||
log_err("Re-seeding not supported, generator untouched");
|
||||
}
|
||||
|
||||
struct ub_randstate* ub_initstate(unsigned int seed,
|
||||
struct ub_randstate* ATTR_UNUSED(from))
|
||||
{
|
||||
struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
|
||||
uint8_t buf[YARROW256_SEED_FILE_SIZE];
|
||||
if(!s) {
|
||||
log_err("malloc failure in random init");
|
||||
return NULL;
|
||||
}
|
||||
/* Setup Yarrow context */
|
||||
yarrow256_init(&s->ctx, 0, NULL);
|
||||
|
||||
if(getentropy(buf, sizeof(buf)) != -1) {
|
||||
/* got entropy */
|
||||
yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
|
||||
s->seeded = yarrow256_is_seeded(&s->ctx);
|
||||
} else {
|
||||
/* Stretch the uint32 input seed and feed it to Yarrow */
|
||||
uint32_t v = seed;
|
||||
size_t i;
|
||||
for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
|
||||
memmove(buf+i*sizeof(seed), &v, sizeof(seed));
|
||||
v = v*seed + (uint32_t)i;
|
||||
}
|
||||
yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
|
||||
s->seeded = yarrow256_is_seeded(&s->ctx);
|
||||
}
|
||||
|
||||
return s;
|
||||
}
|
||||
|
||||
long int ub_random(struct ub_randstate* s)
|
||||
{
|
||||
/* random 31 bit value. */
|
||||
long int x = 0;
|
||||
if (!s || !s->seeded) {
|
||||
log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded");
|
||||
} else {
|
||||
yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x);
|
||||
}
|
||||
return x & MAX_VALUE;
|
||||
}
|
||||
#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
|
||||
|
||||
|
||||
#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
|
||||
long int
|
||||
ub_random_max(struct ub_randstate* state, long int x)
|
||||
{
|
||||
|
@ -155,12 +223,11 @@ ub_random_max(struct ub_randstate* state, long int x)
|
|||
v = ub_random(state);
|
||||
return (v % x);
|
||||
}
|
||||
#endif /* HAVE_NSS */
|
||||
#endif /* HAVE_NSS or HAVE_NETTLE */
|
||||
|
||||
void
|
||||
ub_randfree(struct ub_randstate* s)
|
||||
{
|
||||
if(s)
|
||||
free(s);
|
||||
free(s);
|
||||
/* user app must do RAND_cleanup(); */
|
||||
}
|
||||
|
|
|
@ -68,7 +68,7 @@ static void rbtree_insert_fixup(rbtree_t *rbtree, rbnode_t *node);
|
|||
static void rbtree_delete_fixup(rbtree_t* rbtree, rbnode_t* child, rbnode_t* child_parent);
|
||||
|
||||
/*
|
||||
* Creates a new red black tree, intializes and returns a pointer to it.
|
||||
* Creates a new red black tree, initializes and returns a pointer to it.
|
||||
*
|
||||
* Return NULL on failure.
|
||||
*
|
||||
|
|
|
@ -96,7 +96,7 @@ int rtt_notimeout(const struct rtt_info* rtt);
|
|||
void rtt_update(struct rtt_info* rtt, int ms);
|
||||
|
||||
/**
|
||||
* Update the statistics with a new timout expired observation.
|
||||
* Update the statistics with a new timeout expired observation.
|
||||
* @param rtt: round trip statistics structure.
|
||||
* @param orig: original rtt time given for the query that timed out.
|
||||
* Used to calculate the maximum responsible backed off time that
|
||||
|
|
|
@ -356,7 +356,7 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
|
|||
* rest of the string. Every machine with memory protection I've seen
|
||||
* does it on word boundaries, so is OK with this. But VALGRIND will
|
||||
* still catch it and complain. The masking trick does make the hash
|
||||
* noticably faster for short strings (like English words).
|
||||
* noticeably faster for short strings (like English words).
|
||||
*/
|
||||
#ifndef VALGRIND
|
||||
|
||||
|
@ -544,7 +544,7 @@ void hashlittle2(
|
|||
* rest of the string. Every machine with memory protection I've seen
|
||||
* does it on word boundaries, so is OK with this. But VALGRIND will
|
||||
* still catch it and complain. The masking trick does make the hash
|
||||
* noticably faster for short strings (like English words).
|
||||
* noticeably faster for short strings (like English words).
|
||||
*/
|
||||
#ifndef VALGRIND
|
||||
|
||||
|
@ -725,7 +725,7 @@ uint32_t hashbig( const void *key, size_t length, uint32_t initval)
|
|||
* rest of the string. Every machine with memory protection I've seen
|
||||
* does it on word boundaries, so is OK with this. But VALGRIND will
|
||||
* still catch it and complain. The masking trick does make the hash
|
||||
* noticably faster for short strings (like English words).
|
||||
* noticeably faster for short strings (like English words).
|
||||
*/
|
||||
#ifndef VALGRIND
|
||||
|
||||
|
@ -858,7 +858,7 @@ void driver2()
|
|||
{
|
||||
for (j=0; j<8; ++j) /*------------------------ for each input bit, */
|
||||
{
|
||||
for (m=1; m<8; ++m) /*------------ for serveral possible initvals, */
|
||||
for (m=1; m<8; ++m) /*------------ for several possible initvals, */
|
||||
{
|
||||
for (l=0; l<HASHSTATE; ++l)
|
||||
e[l]=f[l]=g[l]=h[l]=x[l]=y[l]=~((uint32_t)0);
|
||||
|
|
|
@ -118,10 +118,8 @@ void tube_remove_bg_listen(struct tube* tube)
|
|||
comm_point_delete(tube->listen_com);
|
||||
tube->listen_com = NULL;
|
||||
}
|
||||
if(tube->cmd_msg) {
|
||||
free(tube->cmd_msg);
|
||||
tube->cmd_msg = NULL;
|
||||
}
|
||||
free(tube->cmd_msg);
|
||||
tube->cmd_msg = NULL;
|
||||
}
|
||||
|
||||
void tube_remove_bg_write(struct tube* tube)
|
||||
|
|
|
@ -83,7 +83,7 @@ struct tube {
|
|||
|
||||
/** background write queue, commpoint to write results back */
|
||||
struct comm_point* res_com;
|
||||
/** are we curently writing a result, 0 if not, else bytecount into
|
||||
/** are we currently writing a result, 0 if not, else bytecount into
|
||||
* the res_list first entry. */
|
||||
size_t res_write;
|
||||
/** list of outstanding results to be written back */
|
||||
|
|
|
@ -459,12 +459,9 @@ void event_base_free(struct event_base *base)
|
|||
verbose(VERB_CLIENT, "winsock_event event_base_free");
|
||||
if(!base)
|
||||
return;
|
||||
if(base->items)
|
||||
free(base->items);
|
||||
if(base->times)
|
||||
free(base->times);
|
||||
if(base->signals)
|
||||
free(base->signals);
|
||||
free(base->items);
|
||||
free(base->times);
|
||||
free(base->signals);
|
||||
free(base);
|
||||
}
|
||||
|
||||
|
|
|
@ -201,7 +201,7 @@ struct event {
|
|||
int stick_events;
|
||||
|
||||
/** true if this event is a signaling WSAEvent by the user.
|
||||
* User created and user closed WSAEvent. Only signaled/unsigneled,
|
||||
* User created and user closed WSAEvent. Only signaled/unsignaled,
|
||||
* no read/write/distinctions needed. */
|
||||
int is_signal;
|
||||
/** used during callbacks to see which events were just checked */
|
||||
|
|
|
@ -1195,6 +1195,14 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
|
|||
fatal_exit("could not completely write: %s", fname);
|
||||
return;
|
||||
}
|
||||
if(fflush(out) != 0)
|
||||
log_err("could not fflush(%s): %s", fname, strerror(errno));
|
||||
#ifdef HAVE_FSYNC
|
||||
if(fsync(fileno(out)) != 0)
|
||||
log_err("could not fsync(%s): %s", fname, strerror(errno));
|
||||
#else
|
||||
FlushFileBuffers((HANDLE)_fileno(out));
|
||||
#endif
|
||||
if(fclose(out) != 0) {
|
||||
fatal_exit("could not complete write: %s: %s",
|
||||
fname, strerror(errno));
|
||||
|
@ -2162,7 +2170,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
|
|||
if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
|
||||
verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
|
||||
/* only increase failure count if this is not the first prime,
|
||||
* this means there was a previous succesful probe */
|
||||
* this means there was a previous successful probe */
|
||||
if(tp->autr->last_success) {
|
||||
tp->autr->query_failed += 1;
|
||||
autr_write_file(env, tp);
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with aggressive negative caching.
|
||||
* This creates new denials of existance, and proofs for absence of types
|
||||
* This creates new denials of existence, and proofs for absence of types
|
||||
* from cached NSEC records.
|
||||
*/
|
||||
#include "config.h"
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with aggressive negative caching.
|
||||
* This creates new denials of existance, and proofs for absence of types
|
||||
* This creates new denials of existence, and proofs for absence of types
|
||||
* from cached NSEC records.
|
||||
*/
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* validator/val_nsec.c - validator NSEC denial of existance functions.
|
||||
* validator/val_nsec.c - validator NSEC denial of existence functions.
|
||||
*
|
||||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
|
@ -38,7 +38,7 @@
|
|||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with NSEC checking, the different NSEC proofs
|
||||
* for denial of existance, and proofs for presence of types.
|
||||
* for denial of existence, and proofs for presence of types.
|
||||
*/
|
||||
#include "config.h"
|
||||
#include "validator/val_nsec.h"
|
||||
|
@ -279,7 +279,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
|
|||
return sec_status_insecure;
|
||||
}
|
||||
|
||||
/* NSEC proof did not conlusively point to DS or no DS */
|
||||
/* NSEC proof did not conclusively point to DS or no DS */
|
||||
return sec_status_unchecked;
|
||||
}
|
||||
|
||||
|
@ -340,6 +340,28 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
|
|||
*wc = ce;
|
||||
return 1;
|
||||
}
|
||||
} else {
|
||||
/* See if the next owner name covers a wildcard
|
||||
* empty non-terminal. */
|
||||
while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
|
||||
/* wildcard does not apply if qname below
|
||||
* the name that exists under the '*' */
|
||||
if (dname_subdomain_c(qinfo->qname, nm))
|
||||
break;
|
||||
/* but if it is a wildcard and qname is below
|
||||
* it, then the wildcard applies. The wildcard
|
||||
* is an empty nonterminal. nodata proven. */
|
||||
if (dname_is_wild(nm)) {
|
||||
size_t ce_len = ln;
|
||||
uint8_t* ce = nm;
|
||||
dname_remove_label(&ce, &ce_len);
|
||||
if(dname_strict_subdomain_c(qinfo->qname, ce)) {
|
||||
*wc = ce;
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
dname_remove_label(&nm, &ln);
|
||||
}
|
||||
}
|
||||
|
||||
/* Otherwise, this NSEC does not prove ENT and is not a
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* validator/val_nsec.h - validator NSEC denial of existance functions.
|
||||
* validator/val_nsec.h - validator NSEC denial of existence functions.
|
||||
*
|
||||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
|
@ -38,7 +38,7 @@
|
|||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with NSEC checking, the different NSEC proofs
|
||||
* for denial of existance, and proofs for presence of types.
|
||||
* for denial of existence, and proofs for presence of types.
|
||||
*/
|
||||
|
||||
#ifndef VALIDATOR_VAL_NSEC_H
|
||||
|
@ -54,7 +54,7 @@ struct key_entry_key;
|
|||
/**
|
||||
* Check DS absence.
|
||||
* There is a NODATA reply to a DS that needs checking.
|
||||
* NSECs can prove this is not a delegation point, or sucessfully prove
|
||||
* NSECs can prove this is not a delegation point, or successfully prove
|
||||
* that there is no DS. Or this fails.
|
||||
*
|
||||
* @param env: module env for rrsig verification routines.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* validator/val_nsec3.c - validator NSEC3 denial of existance functions.
|
||||
* validator/val_nsec3.c - validator NSEC3 denial of existence functions.
|
||||
*
|
||||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
|
@ -38,18 +38,12 @@
|
|||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with NSEC3 checking, the different NSEC3 proofs
|
||||
* for denial of existance, and proofs for presence of types.
|
||||
* for denial of existence, and proofs for presence of types.
|
||||
*/
|
||||
#include "config.h"
|
||||
#include <ctype.h>
|
||||
#ifdef HAVE_OPENSSL_SSL_H
|
||||
#include "openssl/ssl.h"
|
||||
#endif
|
||||
#ifdef HAVE_NSS
|
||||
/* nss3 */
|
||||
#include "sechash.h"
|
||||
#endif
|
||||
#include "validator/val_nsec3.h"
|
||||
#include "validator/val_secalgo.h"
|
||||
#include "validator/validator.h"
|
||||
#include "validator/val_kentry.h"
|
||||
#include "services/cache/rrset.h"
|
||||
|
@ -370,8 +364,8 @@ filter_next(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
|
|||
/**
|
||||
* Start iterating over NSEC3 records.
|
||||
* @param filter: the filter structure, must have been filter_init-ed.
|
||||
* @param rrsetnum: can be undefined on call, inited.
|
||||
* @param rrnum: can be undefined on call, inited.
|
||||
* @param rrsetnum: can be undefined on call, initialised.
|
||||
* @param rrnum: can be undefined on call, initialised.
|
||||
* @return first rrset of an NSEC3, together with rrnum this points to
|
||||
* the first RR to examine. Is NULL on empty list.
|
||||
*/
|
||||
|
@ -545,46 +539,24 @@ nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
|
|||
query_dname_tolower(sldns_buffer_begin(buf));
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
switch(algo) {
|
||||
#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
|
||||
case NSEC3_HASH_SHA1:
|
||||
#ifdef HAVE_SSL
|
||||
hash_len = SHA_DIGEST_LENGTH;
|
||||
#else
|
||||
hash_len = SHA1_LENGTH;
|
||||
#endif
|
||||
if(hash_len > max)
|
||||
return 0;
|
||||
# ifdef HAVE_SSL
|
||||
(void)SHA1((unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf),
|
||||
(unsigned char*)res);
|
||||
# else
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)res,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf));
|
||||
# endif
|
||||
for(i=0; i<iter; i++) {
|
||||
sldns_buffer_clear(buf);
|
||||
sldns_buffer_write(buf, res, hash_len);
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
# ifdef HAVE_SSL
|
||||
(void)SHA1(
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf),
|
||||
(unsigned char*)res);
|
||||
# else
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1,
|
||||
(unsigned char*)res,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf));
|
||||
# endif
|
||||
}
|
||||
break;
|
||||
#endif /* HAVE_EVP_SHA1 or NSS */
|
||||
default:
|
||||
log_err("nsec3 hash of unknown algo %d", algo);
|
||||
hash_len = nsec3_hash_algo_size_supported(algo);
|
||||
if(hash_len == 0) {
|
||||
log_err("nsec3 hash of unknown algo %d", algo);
|
||||
return 0;
|
||||
}
|
||||
if(hash_len > max)
|
||||
return 0;
|
||||
if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf), (unsigned char*)res))
|
||||
return 0;
|
||||
for(i=0; i<iter; i++) {
|
||||
sldns_buffer_clear(buf);
|
||||
sldns_buffer_write(buf, res, hash_len);
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
if(!secalgo_nsec3_hash(algo,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf), (unsigned char*)res))
|
||||
return 0;
|
||||
}
|
||||
return hash_len;
|
||||
|
@ -607,50 +579,24 @@ nsec3_calc_hash(struct regional* region, sldns_buffer* buf,
|
|||
query_dname_tolower(sldns_buffer_begin(buf));
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
switch(algo) {
|
||||
#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
|
||||
case NSEC3_HASH_SHA1:
|
||||
#ifdef HAVE_SSL
|
||||
c->hash_len = SHA_DIGEST_LENGTH;
|
||||
#else
|
||||
c->hash_len = SHA1_LENGTH;
|
||||
#endif
|
||||
c->hash = (uint8_t*)regional_alloc(region,
|
||||
c->hash_len);
|
||||
if(!c->hash)
|
||||
return 0;
|
||||
# ifdef HAVE_SSL
|
||||
(void)SHA1((unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf),
|
||||
(unsigned char*)c->hash);
|
||||
# else
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1,
|
||||
(unsigned char*)c->hash,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf));
|
||||
# endif
|
||||
for(i=0; i<iter; i++) {
|
||||
sldns_buffer_clear(buf);
|
||||
sldns_buffer_write(buf, c->hash, c->hash_len);
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
# ifdef HAVE_SSL
|
||||
(void)SHA1(
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf),
|
||||
(unsigned char*)c->hash);
|
||||
# else
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1,
|
||||
(unsigned char*)c->hash,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf));
|
||||
# endif
|
||||
}
|
||||
break;
|
||||
#endif /* HAVE_EVP_SHA1 or NSS */
|
||||
default:
|
||||
log_err("nsec3 hash of unknown algo %d", algo);
|
||||
return -1;
|
||||
c->hash_len = nsec3_hash_algo_size_supported(algo);
|
||||
if(c->hash_len == 0) {
|
||||
log_err("nsec3 hash of unknown algo %d", algo);
|
||||
return -1;
|
||||
}
|
||||
c->hash = (uint8_t*)regional_alloc(region, c->hash_len);
|
||||
if(!c->hash)
|
||||
return 0;
|
||||
(void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf), (unsigned char*)c->hash);
|
||||
for(i=0; i<iter; i++) {
|
||||
sldns_buffer_clear(buf);
|
||||
sldns_buffer_write(buf, c->hash, c->hash_len);
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
(void)secalgo_nsec3_hash(algo,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf), (unsigned char*)c->hash);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* validator/val_nsec3.h - validator NSEC3 denial of existance functions.
|
||||
* validator/val_nsec3.h - validator NSEC3 denial of existence functions.
|
||||
*
|
||||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
|
@ -38,7 +38,7 @@
|
|||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with NSEC3 checking, the different NSEC3 proofs
|
||||
* for denial of existance, and proofs for presence of types.
|
||||
* for denial of existence, and proofs for presence of types.
|
||||
*
|
||||
* NSEC3
|
||||
* 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
|
||||
|
@ -256,7 +256,7 @@ int nsec3_hash_cmp(const void* c1, const void* c2);
|
|||
* Used internally by the nsec3 proof functions in this file.
|
||||
* published to enable unit testing of hash algorithms and cache.
|
||||
*
|
||||
* @param table: the cache table. Must be inited at start.
|
||||
* @param table: the cache table. Must be initialised at start.
|
||||
* @param region: scratch region to use for allocation.
|
||||
* This region holds the tree, if you wipe the region, reinit the tree.
|
||||
* @param buf: temporary buffer.
|
||||
|
|
|
@ -44,12 +44,13 @@
|
|||
/* packed_rrset on top to define enum types (forced by c99 standard) */
|
||||
#include "util/data/packed_rrset.h"
|
||||
#include "validator/val_secalgo.h"
|
||||
#include "validator/val_nsec3.h"
|
||||
#include "util/log.h"
|
||||
#include "sldns/rrdef.h"
|
||||
#include "sldns/keyraw.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
|
||||
#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
|
||||
#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
|
||||
#error "Need crypto library to do digital signature cryptography"
|
||||
#endif
|
||||
|
||||
|
@ -71,10 +72,36 @@
|
|||
#include <openssl/engine.h>
|
||||
#endif
|
||||
|
||||
/* return size of digest if supported, or 0 otherwise */
|
||||
size_t
|
||||
nsec3_hash_algo_size_supported(int id)
|
||||
{
|
||||
switch(id) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
return SHA_DIGEST_LENGTH;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* perform nsec3 hash. return false on failure */
|
||||
int
|
||||
secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
(void)SHA1(buf, len, res);
|
||||
return 1;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return size of DS digest according to its hash algorithm.
|
||||
* @param algo: DS digest algo.
|
||||
* @return size in bytes of digest, or 0 if not supported.
|
||||
* @return size in bytes of digest, or 0 if not supported.
|
||||
*/
|
||||
size_t
|
||||
ds_digest_size_supported(int algo)
|
||||
|
@ -565,6 +592,32 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
|||
/* nspr4 */
|
||||
#include "prerror.h"
|
||||
|
||||
/* return size of digest if supported, or 0 otherwise */
|
||||
size_t
|
||||
nsec3_hash_algo_size_supported(int id)
|
||||
{
|
||||
switch(id) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
return SHA1_LENGTH;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* perform nsec3 hash. return false on failure */
|
||||
int
|
||||
secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
|
||||
return 1;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
size_t
|
||||
ds_digest_size_supported(int algo)
|
||||
{
|
||||
|
@ -1069,5 +1122,466 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
|||
return sec_status_bogus;
|
||||
}
|
||||
|
||||
#elif defined(HAVE_NETTLE)
|
||||
|
||||
#endif /* HAVE_SSL or HAVE_NSS */
|
||||
#include "sha.h"
|
||||
#include "bignum.h"
|
||||
#include "macros.h"
|
||||
#include "rsa.h"
|
||||
#include "dsa.h"
|
||||
#include "asn1.h"
|
||||
#ifdef USE_ECDSA
|
||||
#include "ecdsa.h"
|
||||
#include "ecc-curve.h"
|
||||
#endif
|
||||
|
||||
static int
|
||||
_digest_nettle(int algo, uint8_t* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case SHA1_DIGEST_SIZE:
|
||||
{
|
||||
struct sha1_ctx ctx;
|
||||
sha1_init(&ctx);
|
||||
sha1_update(&ctx, len, buf);
|
||||
sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
|
||||
return 1;
|
||||
}
|
||||
case SHA256_DIGEST_SIZE:
|
||||
{
|
||||
struct sha256_ctx ctx;
|
||||
sha256_init(&ctx);
|
||||
sha256_update(&ctx, len, buf);
|
||||
sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
|
||||
return 1;
|
||||
}
|
||||
case SHA384_DIGEST_SIZE:
|
||||
{
|
||||
struct sha384_ctx ctx;
|
||||
sha384_init(&ctx);
|
||||
sha384_update(&ctx, len, buf);
|
||||
sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
|
||||
return 1;
|
||||
}
|
||||
case SHA512_DIGEST_SIZE:
|
||||
{
|
||||
struct sha512_ctx ctx;
|
||||
sha512_init(&ctx);
|
||||
sha512_update(&ctx, len, buf);
|
||||
sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
|
||||
return 1;
|
||||
}
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* return size of digest if supported, or 0 otherwise */
|
||||
size_t
|
||||
nsec3_hash_algo_size_supported(int id)
|
||||
{
|
||||
switch(id) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
return SHA1_DIGEST_SIZE;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* perform nsec3 hash. return false on failure */
|
||||
int
|
||||
secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
|
||||
res);
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return size of DS digest according to its hash algorithm.
|
||||
* @param algo: DS digest algo.
|
||||
* @return size in bytes of digest, or 0 if not supported.
|
||||
*/
|
||||
size_t
|
||||
ds_digest_size_supported(int algo)
|
||||
{
|
||||
switch(algo) {
|
||||
case LDNS_SHA1:
|
||||
return SHA1_DIGEST_SIZE;
|
||||
#ifdef USE_SHA2
|
||||
case LDNS_SHA256:
|
||||
return SHA256_DIGEST_SIZE;
|
||||
#endif
|
||||
#ifdef USE_ECDSA
|
||||
case LDNS_SHA384:
|
||||
return SHA384_DIGEST_SIZE;
|
||||
#endif
|
||||
/* GOST not supported */
|
||||
case LDNS_HASH_GOST:
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case LDNS_SHA1:
|
||||
return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
|
||||
#if defined(USE_SHA2)
|
||||
case LDNS_SHA256:
|
||||
return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
|
||||
#endif
|
||||
#ifdef USE_ECDSA
|
||||
case LDNS_SHA384:
|
||||
return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
|
||||
|
||||
#endif
|
||||
case LDNS_HASH_GOST:
|
||||
default:
|
||||
verbose(VERB_QUERY, "unknown DS digest algorithm %d",
|
||||
algo);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
dnskey_algo_id_is_supported(int id)
|
||||
{
|
||||
/* uses libnettle */
|
||||
switch(id) {
|
||||
case LDNS_DSA:
|
||||
case LDNS_DSA_NSEC3:
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
#ifdef USE_SHA2
|
||||
case LDNS_RSASHA256:
|
||||
case LDNS_RSASHA512:
|
||||
#endif
|
||||
#ifdef USE_ECDSA
|
||||
case LDNS_ECDSAP256SHA256:
|
||||
case LDNS_ECDSAP384SHA384:
|
||||
#endif
|
||||
return 1;
|
||||
case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
|
||||
case LDNS_ECC_GOST:
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
static char *
|
||||
_verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
|
||||
unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
|
||||
{
|
||||
uint8_t digest[SHA1_DIGEST_SIZE];
|
||||
uint8_t key_t;
|
||||
int res = 0;
|
||||
size_t offset;
|
||||
struct dsa_public_key pubkey;
|
||||
struct dsa_signature signature;
|
||||
unsigned int expected_len;
|
||||
|
||||
/* Extract DSA signature from the record */
|
||||
nettle_dsa_signature_init(&signature);
|
||||
/* Signature length: 41 bytes - RFC 2536 sec. 3 */
|
||||
if(sigblock_len == 41) {
|
||||
if(key[0] != sigblock[0])
|
||||
return "invalid T value in DSA signature or pubkey";
|
||||
nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
|
||||
nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
|
||||
} else {
|
||||
/* DER encoded, decode the ASN1 notated R and S bignums */
|
||||
/* SEQUENCE { r INTEGER, s INTEGER } */
|
||||
struct asn1_der_iterator i, seq;
|
||||
if(asn1_der_iterator_first(&i, sigblock_len,
|
||||
(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
|
||||
|| i.type != ASN1_SEQUENCE)
|
||||
return "malformed DER encoded DSA signature";
|
||||
/* decode this element of i using the seq iterator */
|
||||
if(asn1_der_decode_constructed(&i, &seq) !=
|
||||
ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
|
||||
return "malformed DER encoded DSA signature";
|
||||
if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
|
||||
return "malformed DER encoded DSA signature";
|
||||
if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
|
||||
|| seq.type != ASN1_INTEGER)
|
||||
return "malformed DER encoded DSA signature";
|
||||
if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
|
||||
return "malformed DER encoded DSA signature";
|
||||
if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
|
||||
return "malformed DER encoded DSA signature";
|
||||
}
|
||||
|
||||
/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
|
||||
key_t = key[0];
|
||||
if (key_t > 8) {
|
||||
return "invalid T value in DSA pubkey";
|
||||
}
|
||||
|
||||
/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
|
||||
if (keylen < 21) {
|
||||
return "DSA pubkey too short";
|
||||
}
|
||||
|
||||
expected_len = 1 + /* T */
|
||||
20 + /* Q */
|
||||
(64 + key_t*8) + /* P */
|
||||
(64 + key_t*8) + /* G */
|
||||
(64 + key_t*8); /* Y */
|
||||
if (keylen != expected_len ) {
|
||||
return "invalid DSA pubkey length";
|
||||
}
|
||||
|
||||
/* Extract DSA pubkey from the record */
|
||||
nettle_dsa_public_key_init(&pubkey);
|
||||
offset = 1;
|
||||
nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
|
||||
offset += 20;
|
||||
nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
|
||||
offset += (64 + key_t*8);
|
||||
nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
|
||||
offset += (64 + key_t*8);
|
||||
nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
|
||||
|
||||
/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
|
||||
res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
|
||||
|
||||
/* Clear and return */
|
||||
nettle_dsa_signature_clear(&signature);
|
||||
nettle_dsa_public_key_clear(&pubkey);
|
||||
if (!res)
|
||||
return "DSA signature verification failed";
|
||||
else
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static char *
|
||||
_verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
|
||||
unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
|
||||
{
|
||||
uint16_t exp_len = 0;
|
||||
size_t exp_offset = 0, mod_offset = 0;
|
||||
struct rsa_public_key pubkey;
|
||||
mpz_t signature;
|
||||
int res = 0;
|
||||
|
||||
/* RSA pubkey parsing as per RFC 3110 sec. 2 */
|
||||
if( keylen <= 1) {
|
||||
return "null RSA key";
|
||||
}
|
||||
if (key[0] != 0) {
|
||||
/* 1-byte length */
|
||||
exp_len = key[0];
|
||||
exp_offset = 1;
|
||||
} else {
|
||||
/* 1-byte NUL + 2-bytes exponent length */
|
||||
if (keylen < 3) {
|
||||
return "incorrect RSA key length";
|
||||
}
|
||||
exp_len = READ_UINT16(key+1);
|
||||
if (exp_len == 0)
|
||||
return "null RSA exponent length";
|
||||
exp_offset = 3;
|
||||
}
|
||||
/* Check that we are not over-running input length */
|
||||
if (keylen < exp_offset + exp_len + 1) {
|
||||
return "RSA key content shorter than expected";
|
||||
}
|
||||
mod_offset = exp_offset + exp_len;
|
||||
nettle_rsa_public_key_init(&pubkey);
|
||||
pubkey.size = keylen - mod_offset;
|
||||
nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
|
||||
nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
|
||||
|
||||
/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
|
||||
nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
|
||||
switch (digest_size) {
|
||||
case SHA1_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA1_DIGEST_SIZE];
|
||||
res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
|
||||
break;
|
||||
}
|
||||
case SHA256_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA256_DIGEST_SIZE];
|
||||
res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
|
||||
break;
|
||||
}
|
||||
case SHA512_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA512_DIGEST_SIZE];
|
||||
res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
|
||||
break;
|
||||
}
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
/* Clear and return */
|
||||
nettle_rsa_public_key_clear(&pubkey);
|
||||
mpz_clear(signature);
|
||||
if (!res) {
|
||||
return "RSA signature verification failed";
|
||||
} else {
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef USE_ECDSA
|
||||
static char *
|
||||
_verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
|
||||
unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
|
||||
{
|
||||
int res = 0;
|
||||
struct ecc_point pubkey;
|
||||
struct dsa_signature signature;
|
||||
|
||||
/* Always matched strength, as per RFC 6605 sec. 1 */
|
||||
if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
|
||||
return "wrong ECDSA signature length";
|
||||
}
|
||||
|
||||
/* Parse ECDSA signature as per RFC 6605 sec. 4 */
|
||||
nettle_dsa_signature_init(&signature);
|
||||
switch (digest_size) {
|
||||
case SHA256_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA256_DIGEST_SIZE];
|
||||
mpz_t x, y;
|
||||
nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
|
||||
nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
|
||||
nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
|
||||
nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
|
||||
nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
|
||||
res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= nettle_ecc_point_set(&pubkey, x, y);
|
||||
res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
|
||||
mpz_clear(x);
|
||||
mpz_clear(y);
|
||||
break;
|
||||
}
|
||||
case SHA384_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA384_DIGEST_SIZE];
|
||||
mpz_t x, y;
|
||||
nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
|
||||
nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
|
||||
nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
|
||||
nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
|
||||
nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
|
||||
res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= nettle_ecc_point_set(&pubkey, x, y);
|
||||
res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
|
||||
mpz_clear(x);
|
||||
mpz_clear(y);
|
||||
nettle_ecc_point_clear(&pubkey);
|
||||
break;
|
||||
}
|
||||
default:
|
||||
return "unknown ECDSA algorithm";
|
||||
}
|
||||
|
||||
/* Clear and return */
|
||||
nettle_dsa_signature_clear(&signature);
|
||||
if (!res)
|
||||
return "ECDSA signature verification failed";
|
||||
else
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
|
||||
/**
|
||||
* Check a canonical sig+rrset and signature against a dnskey
|
||||
* @param buf: buffer with data to verify, the first rrsig part and the
|
||||
* canonicalized rrset.
|
||||
* @param algo: DNSKEY algorithm.
|
||||
* @param sigblock: signature rdata field from RRSIG
|
||||
* @param sigblock_len: length of sigblock data.
|
||||
* @param key: public key data from DNSKEY RR.
|
||||
* @param keylen: length of keydata.
|
||||
* @param reason: bogus reason in more detail.
|
||||
* @return secure if verification succeeded, bogus on crypto failure,
|
||||
* unchecked on format errors and alloc failures.
|
||||
*/
|
||||
enum sec_status
|
||||
verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
|
||||
char** reason)
|
||||
{
|
||||
unsigned int digest_size = 0;
|
||||
|
||||
if (sigblock_len == 0 || keylen == 0) {
|
||||
*reason = "null signature";
|
||||
return sec_status_bogus;
|
||||
}
|
||||
|
||||
switch(algo) {
|
||||
case LDNS_DSA:
|
||||
case LDNS_DSA_NSEC3:
|
||||
*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
|
||||
if (*reason != NULL)
|
||||
return sec_status_bogus;
|
||||
else
|
||||
return sec_status_secure;
|
||||
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
|
||||
#ifdef USE_SHA2
|
||||
case LDNS_RSASHA256:
|
||||
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
|
||||
case LDNS_RSASHA512:
|
||||
digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
|
||||
|
||||
#endif
|
||||
*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
|
||||
sigblock_len, key, keylen);
|
||||
if (*reason != NULL)
|
||||
return sec_status_bogus;
|
||||
else
|
||||
return sec_status_secure;
|
||||
|
||||
#ifdef USE_ECDSA
|
||||
case LDNS_ECDSAP256SHA256:
|
||||
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
|
||||
case LDNS_ECDSAP384SHA384:
|
||||
digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
|
||||
*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
|
||||
sigblock_len, key, keylen);
|
||||
if (*reason != NULL)
|
||||
return sec_status_bogus;
|
||||
else
|
||||
return sec_status_secure;
|
||||
#endif
|
||||
case LDNS_RSAMD5:
|
||||
case LDNS_ECC_GOST:
|
||||
default:
|
||||
*reason = "unable to verify signature, unknown algorithm";
|
||||
return sec_status_bogus;
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
|
||||
|
|
|
@ -44,6 +44,21 @@
|
|||
#define VALIDATOR_VAL_SECALGO_H
|
||||
struct sldns_buffer;
|
||||
|
||||
/** Return size of nsec3 hash algorithm, 0 if not supported */
|
||||
size_t nsec3_hash_algo_size_supported(int id);
|
||||
|
||||
/**
|
||||
* Hash a single hash call of an NSEC3 hash algorithm.
|
||||
* Iterations and salt are done by the caller.
|
||||
* @param algo: nsec3 hash algorithm.
|
||||
* @param buf: the buffer to digest
|
||||
* @param len: length of buffer to digest.
|
||||
* @param res: result stored here (must have sufficient space).
|
||||
* @return false on failure.
|
||||
*/
|
||||
int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res);
|
||||
|
||||
/**
|
||||
* Return size of DS digest according to its hash algorithm.
|
||||
* @param algo: DS digest algo.
|
||||
|
|
|
@ -57,7 +57,7 @@
|
|||
#include "sldns/wire2str.h"
|
||||
|
||||
#include <ctype.h>
|
||||
#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
|
||||
#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
|
||||
#error "Need crypto library to do digital signature cryptography"
|
||||
#endif
|
||||
|
||||
|
@ -795,10 +795,6 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j)
|
|||
|
||||
if(i==j)
|
||||
return 0;
|
||||
/* in case rdata-len is to be compared for canonical order
|
||||
c = memcmp(d->rr_data[i], d->rr_data[j], 2);
|
||||
if(c != 0)
|
||||
return c; */
|
||||
|
||||
switch(type) {
|
||||
/* These RR types have only a name as RDATA.
|
||||
|
|
|
@ -391,7 +391,7 @@ int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset);
|
|||
* Find DS denial message in cache. Saves new qstate allocation and allows
|
||||
* the validator to use partial content which is not enough to construct a
|
||||
* message for network (or user) consumption. Without SOA for example,
|
||||
* which is a common occurence in the unbound code since the referrals contain
|
||||
* which is a common occurrence in the unbound code since the referrals contain
|
||||
* NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a
|
||||
* full negative reply, but do allow synthesis of sufficient proof.
|
||||
* @param env: query env with caches and time.
|
||||
|
|
|
@ -749,7 +749,7 @@ validate_nodata_response(struct module_env* env, struct val_env* ve,
|
|||
/* Since we are here, there must be nothing in the ANSWER section to
|
||||
* validate. */
|
||||
/* (Note: CNAME/DNAME responses will not directly get here --
|
||||
* instead, they are chased down into indiviual CNAME validations,
|
||||
* instead, they are chased down into individual CNAME validations,
|
||||
* and at the end of the cname chain a POSITIVE, or CNAME_NOANSWER
|
||||
* validation.) */
|
||||
|
||||
|
@ -1597,7 +1597,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
|
|||
target_key_name) != 0) {
|
||||
/* check if there is a cache entry : pick up an NSEC if
|
||||
* there is no DS, check if that NSEC has DS-bit unset, and
|
||||
* thus can disprove the secure delagation we seek.
|
||||
* thus can disprove the secure delegation we seek.
|
||||
* We can then use that NSEC even in the absence of a SOA
|
||||
* record that would be required by the iterator to supply
|
||||
* a completely protocol-correct response.
|
||||
|
@ -1829,7 +1829,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
|
|||
* @return true if there is no DLV.
|
||||
* false: processing is finished for the validator operate().
|
||||
* This function may exit in three ways:
|
||||
* o no DLV (agressive cache), so insecure. (true)
|
||||
* o no DLV (aggressive cache), so insecure. (true)
|
||||
* o error - stop processing (false)
|
||||
* o DLV lookup was started, stop processing (false)
|
||||
*/
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
# The NSIS (http://nsis.sourceforge.net) install script.
|
||||
# This script is BSD licensed.
|
||||
SetCompressor /solid /final lzma
|
||||
|
||||
# use the default compression to help anti-virus in scanning us
|
||||
#SetCompressor /solid /final lzma
|
||||
|
||||
!include LogicLib.nsh
|
||||
!include MUI2.nsh
|
||||
|
@ -92,6 +94,7 @@ section "-hidden.postinstall"
|
|||
File "unbound-website.url"
|
||||
File "service.conf"
|
||||
File "..\doc\example.conf"
|
||||
File "..\doc\Changelog"
|
||||
|
||||
# Store Root Key choice
|
||||
SectionGetFlags ${SectionRootKey} $R0
|
||||
|
@ -178,6 +181,7 @@ section "un.Unbound"
|
|||
Delete "$INSTDIR\unbound-website.url"
|
||||
Delete "$INSTDIR\service.conf"
|
||||
Delete "$INSTDIR\example.conf"
|
||||
Delete "$INSTDIR\Changelog"
|
||||
Delete "$INSTDIR\root.key"
|
||||
RMDir "$INSTDIR"
|
||||
|
||||
|
|
|
@ -1,164 +1,164 @@
|
|||
@Echo off
|
||||
rem
|
||||
rem unbound-control-setup.cmd - set up SSL certificates for unbound-control
|
||||
rem
|
||||
rem Copyright (c) 2008, NLnet Labs. All rights reserved.
|
||||
rem Modified for Windows by Y.Voinov (c) 2014
|
||||
rem
|
||||
rem This software is open source.
|
||||
rem
|
||||
rem Redistribution and use in source and binary forms, with or without
|
||||
rem modification, are permitted provided that the following conditions
|
||||
rem are met:
|
||||
rem
|
||||
rem Redistributions of source code must retain the above copyright notice,
|
||||
rem this list of conditions and the following disclaimer.
|
||||
rem
|
||||
rem Redistributions in binary form must reproduce the above copyright notice,
|
||||
rem this list of conditions and the following disclaimer in the documentation
|
||||
rem and/or other materials provided with the distribution.
|
||||
rem
|
||||
rem Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
rem be used to endorse or promote products derived from this software without
|
||||
rem specific prior written permission.
|
||||
rem
|
||||
rem THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
rem "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
rem LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
rem A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
rem HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
rem SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
||||
rem TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
rem PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
rem LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
rem NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
rem SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
rem settings:
|
||||
|
||||
rem directory for files
|
||||
set prefix="C:\Program Files (x86)"
|
||||
set DESTDIR=%prefix%\Unbound
|
||||
|
||||
rem issuer and subject name for certificates
|
||||
set SERVERNAME=unbound
|
||||
set CLIENTNAME=unbound-control
|
||||
|
||||
rem validity period for certificates
|
||||
set DAYS=7200
|
||||
|
||||
rem size of keys in bits
|
||||
set BITS=1536
|
||||
|
||||
rem hash algorithm
|
||||
set HASH=sha256
|
||||
|
||||
rem base name for unbound server keys
|
||||
set SVR_BASE=unbound_server
|
||||
|
||||
rem base name for unbound-control keys
|
||||
set CTL_BASE=unbound_control
|
||||
|
||||
rem end of options
|
||||
|
||||
rem Check OpenSSL installed
|
||||
for /f "delims=" %%a in ('where openssl') do @set SSL_PROGRAM=%%a
|
||||
if /I "%SSL_PROGRAM%"=="" echo SSL not found. If installed, add path to PATH environment variable. & exit 1
|
||||
echo SSL found: %SSL_PROGRAM%
|
||||
|
||||
set arg=%1
|
||||
if /I "%arg%" == "-h" goto help
|
||||
if /I "%arg%"=="-d" set DESTDIR=%2
|
||||
|
||||
rem go!:
|
||||
echo setup in directory %DESTDIR%
|
||||
cd %$DESTDIR%
|
||||
|
||||
rem create certificate keys; do not recreate if they already exist.
|
||||
if exist $SVR_BASE.key (
|
||||
echo %SVR_BASE%.key exists
|
||||
goto next
|
||||
)
|
||||
echo generating %SVR_BASE%.key
|
||||
"%SSL_PROGRAM%" genrsa -out %SVR_BASE%.key %BITS% || echo could not genrsa && exit 1
|
||||
|
||||
:next
|
||||
if exist %CTL_BASE%.key (
|
||||
echo %CTL_BASE%.key exists
|
||||
goto next2
|
||||
)
|
||||
echo generating %CTL_BASE%.key
|
||||
"%SSL_PROGRAM%" genrsa -out %CTL_BASE%.key %BITS% || echo could not genrsa && exit 1
|
||||
|
||||
:next2
|
||||
rem create self-signed cert for server
|
||||
if exist request.cfg (del /F /Q /S request.cfg)
|
||||
echo [req]>>request.cfg
|
||||
echo default_bits=%BITS%>>request.cfg
|
||||
echo default_md=%HASH%>>request.cfg
|
||||
echo prompt=no>>request.cfg
|
||||
echo distinguished_name=req_distinguished_name>>request.cfg
|
||||
echo.>>request.cfg
|
||||
echo [req_distinguished_name]>>request.cfg
|
||||
echo commonName=%SERVERNAME%>>request.cfg
|
||||
|
||||
if not exist request.cfg (
|
||||
echo could not create request.cfg
|
||||
exit 1
|
||||
)
|
||||
|
||||
echo create %SVR_BASE%.pem (self signed certificate)
|
||||
"%SSL_PROGRAM%" req -key %SVR_BASE%.key -config request.cfg -new -x509 -days %DAYS% -out %SVR_BASE%.pem || echo could not create %SVR_BASE%.pem && exit 1
|
||||
rem create trusted usage pem
|
||||
"%SSL_PROGRAM%" x509 -in %SVR_BASE%.pem -addtrust serverAuth -out %SVR_BASE%_trust.pem
|
||||
|
||||
rem create client request and sign it
|
||||
if exist request.cfg (del /F /Q /S request.cfg)
|
||||
echo [req]>>request.cfg
|
||||
echo default_bits=%BITS%>>request.cfg
|
||||
echo default_md=%HASH%>>request.cfg
|
||||
echo prompt=no>>request.cfg
|
||||
echo distinguished_name=req_distinguished_name>>request.cfg
|
||||
echo.>>request.cfg
|
||||
echo [req_distinguished_name]>>request.cfg
|
||||
echo commonName=%CLIENTNAME%>>request.cfg
|
||||
|
||||
if not exist request.cfg (
|
||||
echo could not create request.cfg
|
||||
exit 1
|
||||
)
|
||||
|
||||
echo create %CTL_BASE%.pem (signed client certificate)
|
||||
"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -out %CTL_BASE%.pem
|
||||
|
||||
if not exist %CTL_BASE%.pem (
|
||||
echo could not create %CTL_BASE%.pem
|
||||
exit 1
|
||||
)
|
||||
rem create trusted usage pem
|
||||
rem "%SSL_PROGRAM%" x509 -in %CTL_BASE%.pem -addtrust clientAuth -out %CTL_BASE%_trust.pem
|
||||
|
||||
rem see details with "%SSL_PROGRAM%" x509 -noout -text < %SVR_BASE%.pem
|
||||
rem echo "create %CTL_BASE%_browser.pfx (web client certificate)"
|
||||
rem echo "create webbrowser PKCSrem12 .PFX certificate file. In Firefox import in:"
|
||||
rem echo "preferences - advanced - encryption - view certificates - your certs"
|
||||
rem echo "empty password is used, simply click OK on the password dialog box."
|
||||
rem "%SSL_PROGRAM%" pkcs12 -export -in %CTL_BASE%_trust.pem -inkey %CTL_BASE%.key -name "unbound remote control client cert" -out %CTL_BASE%_browser.pfx -password "pass:" || echo could not create browser certificate && exit 1
|
||||
|
||||
rem remove crap
|
||||
del /F /Q /S request.cfg
|
||||
del /F /Q /S %CTL_BASE%_trust.pem
|
||||
del /F /Q /S %SVR_BASE%_trust.pem
|
||||
del /F /Q /S %SVR_BASE%_trust.srl
|
||||
|
||||
echo Setup success. Certificates created. Enable in unbound.conf file to use
|
||||
|
||||
exit 0
|
||||
|
||||
:help
|
||||
echo unbound-control-setup.cmd - setup SSL keys for unbound-control
|
||||
echo -d dir use directory to store keys and certificates.
|
||||
echo default: %DESTDIR%
|
||||
echo please run this command using the same user id that the
|
||||
echo unbound daemon uses, it needs read privileges.
|
||||
exit 1
|
||||
@Echo off
|
||||
rem
|
||||
rem unbound-control-setup.cmd - set up SSL certificates for unbound-control
|
||||
rem
|
||||
rem Copyright (c) 2008, NLnet Labs. All rights reserved.
|
||||
rem Modified for Windows by Y.Voinov (c) 2014
|
||||
rem
|
||||
rem This software is open source.
|
||||
rem
|
||||
rem Redistribution and use in source and binary forms, with or without
|
||||
rem modification, are permitted provided that the following conditions
|
||||
rem are met:
|
||||
rem
|
||||
rem Redistributions of source code must retain the above copyright notice,
|
||||
rem this list of conditions and the following disclaimer.
|
||||
rem
|
||||
rem Redistributions in binary form must reproduce the above copyright notice,
|
||||
rem this list of conditions and the following disclaimer in the documentation
|
||||
rem and/or other materials provided with the distribution.
|
||||
rem
|
||||
rem Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
rem be used to endorse or promote products derived from this software without
|
||||
rem specific prior written permission.
|
||||
rem
|
||||
rem THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
rem "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
rem LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
rem A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
rem HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
rem SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
||||
rem TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
rem PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
rem LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
rem NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
rem SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
rem settings:
|
||||
|
||||
rem directory for files
|
||||
set prefix="C:\Program Files (x86)"
|
||||
set DESTDIR=%prefix%\Unbound
|
||||
|
||||
rem issuer and subject name for certificates
|
||||
set SERVERNAME=unbound
|
||||
set CLIENTNAME=unbound-control
|
||||
|
||||
rem validity period for certificates
|
||||
set DAYS=7200
|
||||
|
||||
rem size of keys in bits
|
||||
set BITS=1536
|
||||
|
||||
rem hash algorithm
|
||||
set HASH=sha256
|
||||
|
||||
rem base name for unbound server keys
|
||||
set SVR_BASE=unbound_server
|
||||
|
||||
rem base name for unbound-control keys
|
||||
set CTL_BASE=unbound_control
|
||||
|
||||
rem end of options
|
||||
|
||||
rem Check OpenSSL installed
|
||||
for /f "delims=" %%a in ('where openssl') do @set SSL_PROGRAM=%%a
|
||||
if /I "%SSL_PROGRAM%"=="" echo SSL not found. If installed, add path to PATH environment variable. & exit 1
|
||||
echo SSL found: %SSL_PROGRAM%
|
||||
|
||||
set arg=%1
|
||||
if /I "%arg%" == "-h" goto help
|
||||
if /I "%arg%"=="-d" set DESTDIR=%2
|
||||
|
||||
rem go!:
|
||||
echo setup in directory %DESTDIR%
|
||||
cd %DESTDIR%
|
||||
|
||||
rem create certificate keys; do not recreate if they already exist.
|
||||
if exist %SVR_BASE%.key (
|
||||
echo %SVR_BASE%.key exists
|
||||
goto next
|
||||
)
|
||||
echo generating %SVR_BASE%.key
|
||||
"%SSL_PROGRAM%" genrsa -out %SVR_BASE%.key %BITS% || echo could not genrsa && exit 1
|
||||
|
||||
:next
|
||||
if exist %CTL_BASE%.key (
|
||||
echo %CTL_BASE%.key exists
|
||||
goto next2
|
||||
)
|
||||
echo generating %CTL_BASE%.key
|
||||
"%SSL_PROGRAM%" genrsa -out %CTL_BASE%.key %BITS% || echo could not genrsa && exit 1
|
||||
|
||||
:next2
|
||||
rem create self-signed cert for server
|
||||
if exist request.cfg (del /F /Q /S request.cfg)
|
||||
echo [req]>>request.cfg
|
||||
echo default_bits=%BITS%>>request.cfg
|
||||
echo default_md=%HASH%>>request.cfg
|
||||
echo prompt=no>>request.cfg
|
||||
echo distinguished_name=req_distinguished_name>>request.cfg
|
||||
echo.>>request.cfg
|
||||
echo [req_distinguished_name]>>request.cfg
|
||||
echo commonName=%SERVERNAME%>>request.cfg
|
||||
|
||||
if not exist request.cfg (
|
||||
echo could not create request.cfg
|
||||
exit 1
|
||||
)
|
||||
|
||||
echo create %SVR_BASE%.pem (self signed certificate)
|
||||
"%SSL_PROGRAM%" req -key %SVR_BASE%.key -config request.cfg -new -x509 -days %DAYS% -out %SVR_BASE%.pem || echo could not create %SVR_BASE%.pem && exit 1
|
||||
rem create trusted usage pem
|
||||
"%SSL_PROGRAM%" x509 -in %SVR_BASE%.pem -addtrust serverAuth -out %SVR_BASE%_trust.pem
|
||||
|
||||
rem create client request and sign it
|
||||
if exist request.cfg (del /F /Q /S request.cfg)
|
||||
echo [req]>>request.cfg
|
||||
echo default_bits=%BITS%>>request.cfg
|
||||
echo default_md=%HASH%>>request.cfg
|
||||
echo prompt=no>>request.cfg
|
||||
echo distinguished_name=req_distinguished_name>>request.cfg
|
||||
echo.>>request.cfg
|
||||
echo [req_distinguished_name]>>request.cfg
|
||||
echo commonName=%CLIENTNAME%>>request.cfg
|
||||
|
||||
if not exist request.cfg (
|
||||
echo could not create request.cfg
|
||||
exit 1
|
||||
)
|
||||
|
||||
echo create %CTL_BASE%.pem (signed client certificate)
|
||||
"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -out %CTL_BASE%.pem
|
||||
|
||||
if not exist %CTL_BASE%.pem (
|
||||
echo could not create %CTL_BASE%.pem
|
||||
exit 1
|
||||
)
|
||||
rem create trusted usage pem
|
||||
rem "%SSL_PROGRAM%" x509 -in %CTL_BASE%.pem -addtrust clientAuth -out %CTL_BASE%_trust.pem
|
||||
|
||||
rem see details with "%SSL_PROGRAM%" x509 -noout -text < %SVR_BASE%.pem
|
||||
rem echo "create %CTL_BASE%_browser.pfx (web client certificate)"
|
||||
rem echo "create webbrowser PKCSrem12 .PFX certificate file. In Firefox import in:"
|
||||
rem echo "preferences - advanced - encryption - view certificates - your certs"
|
||||
rem echo "empty password is used, simply click OK on the password dialog box."
|
||||
rem "%SSL_PROGRAM%" pkcs12 -export -in %CTL_BASE%_trust.pem -inkey %CTL_BASE%.key -name "unbound remote control client cert" -out %CTL_BASE%_browser.pfx -password "pass:" || echo could not create browser certificate && exit 1
|
||||
|
||||
rem remove crap
|
||||
del /F /Q /S request.cfg
|
||||
del /F /Q /S %CTL_BASE%_trust.pem
|
||||
del /F /Q /S %SVR_BASE%_trust.pem
|
||||
del /F /Q /S %SVR_BASE%_trust.srl
|
||||
|
||||
echo Setup success. Certificates created. Enable in unbound.conf file to use
|
||||
|
||||
exit 0
|
||||
|
||||
:help
|
||||
echo unbound-control-setup.cmd - setup SSL keys for unbound-control
|
||||
echo -d dir use directory to store keys and certificates.
|
||||
echo default: %DESTDIR%
|
||||
echo please run this command using the same user id that the
|
||||
echo unbound daemon uses, it needs read privileges.
|
||||
exit 1
|
||||
|
|
|
@ -13,4 +13,23 @@
|
|||
</ms_asmv2:requestedPrivileges>
|
||||
</ms_asmv2:security>
|
||||
</ms_asmv2:trustInfo>
|
||||
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
|
||||
<application>
|
||||
<!--This Id value indicates the application supports Windows Vista/Server
|
||||
2008 functionality -->
|
||||
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
|
||||
<!--This Id value indicates the application supports Windows 7/Server 2008
|
||||
R2 functionality-->
|
||||
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
|
||||
<!--This Id value indicates the application supports Windows 8/Server 2012
|
||||
functionality-->
|
||||
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
|
||||
<!-- This Id value indicates the application supports Windows Blue/Server
|
||||
2012 R2 functionality-->
|
||||
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
|
||||
<!-- This Id value indicates the application supports Windows Threshold
|
||||
functionality ; Windows 10 -->
|
||||
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
|
||||
</application>
|
||||
</compatibility>
|
||||
</assembly>
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue