Date: Sat, 12 May 2018 14:51:19 +0000 (UTC) From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r333564 - in head/contrib/unbound: . cachedb contrib daemon dns64 dnscrypt doc edns-subnet iterator libunbound libunbound/python/doc/examples services services/cache sldns smallapp util... Message-ID: <201805121451.w4CEpJwT006390@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: des Date: Sat May 12 14:51:18 2018 New Revision: 333564 URL: https://svnweb.freebsd.org/changeset/base/333564 Log: Upgrade Unbound to 1.6.7. More to follow. Modified: head/contrib/unbound/cachedb/cachedb.c head/contrib/unbound/config.h head/contrib/unbound/configure head/contrib/unbound/configure.ac head/contrib/unbound/contrib/aaaa-filter-iterator.patch head/contrib/unbound/contrib/parseunbound.pl head/contrib/unbound/daemon/remote.c head/contrib/unbound/daemon/stats.c head/contrib/unbound/daemon/unbound.c head/contrib/unbound/daemon/worker.c head/contrib/unbound/dns64/dns64.c head/contrib/unbound/dnscrypt/dnscrypt.c head/contrib/unbound/dnscrypt/dnscrypt.h head/contrib/unbound/doc/Changelog head/contrib/unbound/doc/README head/contrib/unbound/doc/example.conf head/contrib/unbound/doc/example.conf.in head/contrib/unbound/doc/libunbound.3 head/contrib/unbound/doc/libunbound.3.in head/contrib/unbound/doc/requirements.txt head/contrib/unbound/doc/unbound-anchor.8 head/contrib/unbound/doc/unbound-anchor.8.in head/contrib/unbound/doc/unbound-checkconf.8 head/contrib/unbound/doc/unbound-checkconf.8.in head/contrib/unbound/doc/unbound-control.8 head/contrib/unbound/doc/unbound-control.8.in head/contrib/unbound/doc/unbound-host.1 head/contrib/unbound/doc/unbound-host.1.in head/contrib/unbound/doc/unbound.8 head/contrib/unbound/doc/unbound.8.in head/contrib/unbound/doc/unbound.conf.5 head/contrib/unbound/doc/unbound.conf.5.in head/contrib/unbound/edns-subnet/addrtree.h head/contrib/unbound/edns-subnet/subnetmod.c head/contrib/unbound/edns-subnet/subnetmod.h head/contrib/unbound/iterator/iter_utils.h head/contrib/unbound/iterator/iterator.c head/contrib/unbound/iterator/iterator.h head/contrib/unbound/libunbound/context.h head/contrib/unbound/libunbound/libunbound.c head/contrib/unbound/libunbound/libworker.c head/contrib/unbound/libunbound/python/doc/examples/example7.rst head/contrib/unbound/libunbound/unbound.h head/contrib/unbound/services/cache/dns.c head/contrib/unbound/services/cache/dns.h head/contrib/unbound/services/mesh.c head/contrib/unbound/services/outside_network.c head/contrib/unbound/services/view.h head/contrib/unbound/sldns/parse.c head/contrib/unbound/sldns/parse.h head/contrib/unbound/sldns/parseutil.c head/contrib/unbound/sldns/parseutil.h head/contrib/unbound/sldns/rrdef.h head/contrib/unbound/sldns/sbuffer.h head/contrib/unbound/sldns/str2wire.c head/contrib/unbound/sldns/wire2str.c head/contrib/unbound/smallapp/unbound-anchor.c head/contrib/unbound/smallapp/unbound-control.c head/contrib/unbound/smallapp/unbound-host.c head/contrib/unbound/util/config_file.c head/contrib/unbound/util/config_file.h head/contrib/unbound/util/configlexer.lex head/contrib/unbound/util/configparser.y head/contrib/unbound/util/data/msgreply.c head/contrib/unbound/util/data/msgreply.h head/contrib/unbound/util/fptr_wlist.c head/contrib/unbound/util/module.h head/contrib/unbound/util/netevent.c head/contrib/unbound/util/shm_side/shm_main.c head/contrib/unbound/util/storage/slabhash.h head/contrib/unbound/util/ub_event.h head/contrib/unbound/validator/autotrust.c head/contrib/unbound/validator/val_nsec3.c head/contrib/unbound/validator/val_secalgo.c head/contrib/unbound/validator/val_sigcrypt.c head/contrib/unbound/validator/val_utils.h head/contrib/unbound/validator/validator.c Directory Properties: head/contrib/unbound/ (props changed) Modified: head/contrib/unbound/cachedb/cachedb.c ============================================================================== --- head/contrib/unbound/cachedb/cachedb.c Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/cachedb/cachedb.c Sat May 12 14:51:18 2018 (r333564) @@ -347,6 +347,13 @@ prep_data(struct module_qstate* qstate, struct sldns_b if(!qstate->return_msg || !qstate->return_msg->rep) return 0; + /* We don't store the reply if its TTL is 0 unless serve-expired is + * enabled. Such a reply won't be reusable and simply be a waste for + * the backend. It's also compatible with the default behavior of + * dns_cache_store_msg(). */ + if(qstate->return_msg->rep->ttl == 0 && + !qstate->env->cfg->serve_expired) + return 0; if(verbosity >= VERB_ALGO) log_dns_msg("cachedb encoding", &qstate->return_msg->qinfo, qstate->return_msg->rep); @@ -387,32 +394,37 @@ good_expiry_and_qinfo(struct module_qstate* qstate, st &expiry, sizeof(expiry)); expiry = be64toh(expiry); - if((time_t)expiry < *qstate->env->now) + if((time_t)expiry < *qstate->env->now && + !qstate->env->cfg->serve_expired) return 0; return 1; } +/* Adjust the TTL of the given RRset by 'subtract'. If 'subtract' is + * negative, set the TTL to 0. */ static void packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract) { size_t i; size_t total = data->count + data->rrsig_count; - if(data->ttl > subtract) + if(subtract >= 0 && data->ttl > subtract) data->ttl -= subtract; else data->ttl = 0; for(i=0; i<total; i++) { - if(data->rr_ttl[i] > subtract) + if(subtract >= 0 && data->rr_ttl[i] > subtract) data->rr_ttl[i] -= subtract; else data->rr_ttl[i] = 0; } } +/* Adjust the TTL of a DNS message and its RRs by 'adjust'. If 'adjust' is + * negative, set the TTLs to 0. */ static void adjust_msg_ttl(struct dns_msg* msg, time_t adjust) { size_t i; - if(msg->rep->ttl > adjust) + if(adjust >= 0 && msg->rep->ttl > adjust) msg->rep->ttl -= adjust; else msg->rep->ttl = 0; msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); @@ -476,10 +488,26 @@ parse_data(struct module_qstate* qstate, struct sldns_ adjust = *qstate->env->now - (time_t)timestamp; if(qstate->return_msg->rep->ttl < adjust) { verbose(VERB_ALGO, "cachedb msg expired"); - return 0; /* message expired */ + /* If serve-expired is enabled, we still use an expired message + * setting the TTL to 0. */ + if(qstate->env->cfg->serve_expired) + adjust = -1; + else + return 0; /* message expired */ } verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust); adjust_msg_ttl(qstate->return_msg, adjust); + + /* Similar to the unbound worker, if serve-expired is enabled and + * the msg would be considered to be expired, mark the state so a + * refetch will be scheduled. The comparison between 'expiry' and + * 'now' should be redundant given how these values were calculated, + * but we check it just in case as does good_expiry_and_qinfo(). */ + if(qstate->env->cfg->serve_expired && + (adjust == -1 || (time_t)expiry < *qstate->env->now)) { + qstate->need_refetch = 1; + } + return 1; } @@ -563,11 +591,15 @@ cachedb_intcache_lookup(struct module_qstate* qstate) static void cachedb_intcache_store(struct module_qstate* qstate) { + uint32_t store_flags = qstate->query_flags; + + if(qstate->env->cfg->serve_expired) + store_flags |= DNSCACHE_STORE_ZEROTTL; if(!qstate->return_msg) return; (void)dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0, - qstate->region, qstate->query_flags); + qstate->region, store_flags); } /** Modified: head/contrib/unbound/config.h ============================================================================== --- head/contrib/unbound/config.h Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/config.h Sat May 12 14:51:18 2018 (r333564) @@ -605,7 +605,7 @@ #define PACKAGE_NAME "unbound" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "unbound 1.6.6" +#define PACKAGE_STRING "unbound 1.6.7" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "unbound" @@ -614,7 +614,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.6.6" +#define PACKAGE_VERSION "1.6.7" /* default pidfile location */ #define PIDFILE "/var/unbound/unbound.pid" @@ -633,7 +633,7 @@ #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem" /* version number for resource files */ -#define RSRC_PACKAGE_VERSION 1,6,6,0 +#define RSRC_PACKAGE_VERSION 1,6,7,0 /* Directory to chdir to */ #define RUN_DIR "/var/unbound" Modified: head/contrib/unbound/configure ============================================================================== --- head/contrib/unbound/configure Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/configure Sat May 12 14:51:18 2018 (r333564) @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.6.6. +# Generated by GNU Autoconf 2.69 for unbound 1.6.7. # # Report bugs to <unbound-bugs@nlnetlabs.nl>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.6.6' -PACKAGE_STRING='unbound 1.6.6' +PACKAGE_VERSION='1.6.7' +PACKAGE_STRING='unbound 1.6.7' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' PACKAGE_URL='' @@ -1437,7 +1437,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.6.6 to adapt to many kinds of systems. +\`configure' configures unbound 1.6.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1502,7 +1502,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.6.6:";; + short | recursive ) echo "Configuration of unbound 1.6.7:";; esac cat <<\_ACEOF @@ -1714,7 +1714,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.6.6 +unbound configure 1.6.7 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2423,7 +2423,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.6.6, which was +It was created by unbound $as_me 1.6.7, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2775,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=6 -UNBOUND_VERSION_MICRO=6 +UNBOUND_VERSION_MICRO=7 LIBUNBOUND_CURRENT=7 -LIBUNBOUND_REVISION=5 +LIBUNBOUND_REVISION=6 LIBUNBOUND_AGE=5 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2836,6 +2836,7 @@ LIBUNBOUND_AGE=5 # 1.6.4 had 7:3:5 # 1.6.5 had 7:4:5 # 1.6.6 had 7:5:5 +# 1.6.7 had 7:6:5 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -2851,7 +2852,7 @@ LIBUNBOUND_AGE=5 # Current and Age. Set Revision to 0, since this is the first # implementation of the new API. # -# Otherwise, we're changing the binary API and breaking bakward +# Otherwise, we're changing the binary API and breaking backward # compatibility with old binaries. Increment Current. Set Age to 0, # since we're backward compatible with no previous APIs. Set Revision # to 0 too. @@ -20693,7 +20694,7 @@ _ACEOF -version=1.6.6 +version=1.6.7 date=`date +'%b %e, %Y'` @@ -21212,7 +21213,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.6.6, which was +This file was extended by unbound $as_me 1.6.7, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21278,7 +21279,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.6.6 +unbound config.status 1.6.7 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Modified: head/contrib/unbound/configure.ac ============================================================================== --- head/contrib/unbound/configure.ac Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/configure.ac Sat May 12 14:51:18 2018 (r333564) @@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[6]) -m4_define([VERSION_MICRO],[6]) +m4_define([VERSION_MICRO],[7]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=7 -LIBUNBOUND_REVISION=5 +LIBUNBOUND_REVISION=6 LIBUNBOUND_AGE=5 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -75,6 +75,7 @@ LIBUNBOUND_AGE=5 # 1.6.4 had 7:3:5 # 1.6.5 had 7:4:5 # 1.6.6 had 7:5:5 +# 1.6.7 had 7:6:5 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -90,7 +91,7 @@ LIBUNBOUND_AGE=5 # Current and Age. Set Revision to 0, since this is the first # implementation of the new API. # -# Otherwise, we're changing the binary API and breaking bakward +# Otherwise, we're changing the binary API and breaking backward # compatibility with old binaries. Increment Current. Set Age to 0, # since we're backward compatible with no previous APIs. Set Revision # to 0 too. Modified: head/contrib/unbound/contrib/aaaa-filter-iterator.patch ============================================================================== --- head/contrib/unbound/contrib/aaaa-filter-iterator.patch Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/contrib/aaaa-filter-iterator.patch Sat May 12 14:51:18 2018 (r333564) @@ -1,10 +1,10 @@ Index: trunk/doc/unbound.conf.5.in =================================================================== ---- trunk/doc/unbound.conf.5.in (revision 3587) +--- trunk/doc/unbound.conf.5.in (revision 4357) +++ trunk/doc/unbound.conf.5.in (working copy) -@@ -593,6 +593,13 @@ - possible. Best effort approach, full QNAME and original QTYPE will be sent when - upstream replies with a RCODE other than NOERROR. Default is off. +@@ -701,6 +701,13 @@ + this option in enabled. Only use if you know what you are doing. + This option only has effect when qname-minimisation is enabled. Default is off. .TP +.B aaaa\-filter: \fI<yes or no> +Activate behavior similar to BIND's AAAA-filter. @@ -18,7 +18,7 @@ Index: trunk/doc/unbound.conf.5.in on your private network, and are not allowed to be returned for Index: trunk/iterator/iter_scrub.c =================================================================== ---- trunk/iterator/iter_scrub.c (revision 3587) +--- trunk/iterator/iter_scrub.c (revision 4357) +++ trunk/iterator/iter_scrub.c (working copy) @@ -617,6 +617,32 @@ } @@ -75,10 +75,11 @@ Index: trunk/iterator/iter_scrub.c /* At this point, we brutally remove ALL rrsets that aren't * children of the originating zone. The idea here is that, * as far as we know, the server that we contacted is ONLY -@@ -681,6 +715,24 @@ +@@ -680,6 +714,24 @@ + prev = NULL; rrset = msg->rrset_first; while(rrset) { - ++ + /* ASN: For AAAA records only... */ + if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) { + /* ASN: If this is not a AAAA query, then remove AAAA @@ -96,13 +97,12 @@ Index: trunk/iterator/iter_scrub.c + LDNS_RR_TYPE_AAAA, qinfo->qclass); + } + /* ASN: End of added code */ -+ + /* remove private addresses */ if( (rrset->type == LDNS_RR_TYPE_A || - rrset->type == LDNS_RR_TYPE_AAAA)) { Index: trunk/iterator/iter_utils.c =================================================================== ---- trunk/iterator/iter_utils.c (revision 3587) +--- trunk/iterator/iter_utils.c (revision 4357) +++ trunk/iterator/iter_utils.c (working copy) @@ -175,6 +175,7 @@ } @@ -114,9 +114,9 @@ Index: trunk/iterator/iter_utils.c Index: trunk/iterator/iterator.c =================================================================== ---- trunk/iterator/iterator.c (revision 3587) +--- trunk/iterator/iterator.c (revision 4357) +++ trunk/iterator/iterator.c (working copy) -@@ -1776,6 +1776,53 @@ +@@ -1847,6 +1847,53 @@ return 0; } @@ -170,7 +170,7 @@ Index: trunk/iterator/iterator.c /** * This is the request event state where the request will be sent to one of -@@ -1823,6 +1870,13 @@ +@@ -1894,6 +1941,13 @@ return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } @@ -184,7 +184,7 @@ Index: trunk/iterator/iterator.c /* Make sure we have a delegation point, otherwise priming failed * or another failure occurred */ if(!iq->dp) { -@@ -2922,6 +2976,61 @@ +@@ -3095,6 +3149,61 @@ return 0; } @@ -244,9 +244,9 @@ Index: trunk/iterator/iterator.c +/* ASN: End of added code */ + /* - * Return priming query results to interestes super querystates. + * Return priming query results to interested super querystates. * -@@ -2941,6 +3050,9 @@ +@@ -3114,6 +3223,9 @@ else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*) super->minfo[id])->state == DSNS_FIND_STATE) processDSNSResponse(qstate, id, super); @@ -256,7 +256,7 @@ Index: trunk/iterator/iterator.c else if(qstate->return_rcode != LDNS_RCODE_NOERROR) error_supers(qstate, id, super); else if(qstate->is_priming) -@@ -2978,6 +3090,9 @@ +@@ -3151,6 +3263,9 @@ case INIT_REQUEST_3_STATE: cont = processInitRequest3(qstate, iq, id); break; @@ -266,7 +266,7 @@ Index: trunk/iterator/iterator.c case QUERYTARGETS_STATE: cont = processQueryTargets(qstate, iq, ie, id); break; -@@ -3270,6 +3385,8 @@ +@@ -3460,6 +3575,8 @@ return "INIT REQUEST STATE (stage 2)"; case INIT_REQUEST_3_STATE: return "INIT REQUEST STATE (stage 3)"; @@ -275,7 +275,7 @@ Index: trunk/iterator/iterator.c case QUERYTARGETS_STATE : return "QUERY TARGETS STATE"; case PRIME_RESP_STATE : -@@ -3294,6 +3411,7 @@ +@@ -3484,6 +3601,7 @@ case INIT_REQUEST_STATE : case INIT_REQUEST_2_STATE : case INIT_REQUEST_3_STATE : @@ -285,19 +285,19 @@ Index: trunk/iterator/iterator.c return 0; Index: trunk/iterator/iterator.h =================================================================== ---- trunk/iterator/iterator.h (revision 3587) +--- trunk/iterator/iterator.h (revision 4357) +++ trunk/iterator/iterator.h (working copy) -@@ -113,6 +113,9 @@ +@@ -130,6 +130,9 @@ */ int* target_fetch_policy; + /** ASN: AAAA-filter flag */ + int aaaa_filter; + - /** ip6.arpa dname in wireformat, used for qname-minimisation */ - uint8_t* ip6arpa_dname; - }; -@@ -163,6 +166,14 @@ + /** lock on ratelimit counter */ + lock_basic_type queries_ratelimit_lock; + /** number of queries that have been ratelimited */ +@@ -182,6 +185,14 @@ INIT_REQUEST_3_STATE, /** @@ -311,26 +311,26 @@ Index: trunk/iterator/iterator.h + /** * Each time a delegation point changes for a given query or a * query times out and/or wakes up, this state is (re)visited. - * This state is reponsible for iterating through a list of -@@ -346,6 +357,13 @@ + * This state is responsible for iterating through a list of +@@ -364,6 +375,13 @@ + * be used when creating the state. A higher one will be attempted. */ int refetch_glue; - ++ + /** + * ASN: This is a flag that, if true, means that this query is + * for fetching A records to populate cache and determine if we must + * return AAAA records or not. + */ + int fetch_a_for_aaaa; -+ + /** list of pending queries to authoritative servers. */ struct outbound_list outlist; - Index: trunk/pythonmod/interface.i =================================================================== ---- trunk/pythonmod/interface.i (revision 3587) +--- trunk/pythonmod/interface.i (revision 4357) +++ trunk/pythonmod/interface.i (working copy) -@@ -632,6 +632,7 @@ +@@ -851,6 +851,7 @@ int harden_dnssec_stripped; int harden_referral_path; int use_caps_bits_for_id; @@ -340,9 +340,9 @@ Index: trunk/pythonmod/interface.i size_t unwanted_threshold; Index: trunk/util/config_file.c =================================================================== ---- trunk/util/config_file.c (revision 3587) +--- trunk/util/config_file.c (revision 4357) +++ trunk/util/config_file.c (working copy) -@@ -176,6 +176,7 @@ +@@ -195,6 +195,7 @@ cfg->harden_referral_path = 0; cfg->harden_algo_downgrade = 0; cfg->use_caps_bits_for_id = 0; @@ -352,9 +352,9 @@ Index: trunk/util/config_file.c cfg->private_domain = NULL; Index: trunk/util/config_file.h =================================================================== ---- trunk/util/config_file.h (revision 3587) +--- trunk/util/config_file.h (revision 4357) +++ trunk/util/config_file.h (working copy) -@@ -179,6 +179,8 @@ +@@ -209,6 +209,8 @@ int harden_algo_downgrade; /** use 0x20 bits in query as random ID bits */ int use_caps_bits_for_id; @@ -365,9 +365,9 @@ Index: trunk/util/config_file.h /** strip away these private addrs from answers, no DNS Rebinding */ Index: trunk/util/configlexer.lex =================================================================== ---- trunk/util/configlexer.lex (revision 3587) +--- trunk/util/configlexer.lex (revision 4357) +++ trunk/util/configlexer.lex (working copy) -@@ -267,6 +267,7 @@ +@@ -279,6 +279,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } @@ -377,9 +377,9 @@ Index: trunk/util/configlexer.lex prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) } Index: trunk/util/configparser.y =================================================================== ---- trunk/util/configparser.y (revision 3587) +--- trunk/util/configparser.y (revision 4357) +++ trunk/util/configparser.y (working copy) -@@ -92,6 +92,7 @@ +@@ -95,6 +95,7 @@ %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS @@ -387,7 +387,7 @@ Index: trunk/util/configparser.y %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE -@@ -169,6 +170,7 @@ +@@ -203,6 +204,7 @@ server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size | server_harden_referral_path | server_private_address | server_private_domain | server_extended_statistics | @@ -395,10 +395,12 @@ Index: trunk/util/configparser.y server_local_data_ptr | server_jostle_timeout | server_unwanted_reply_threshold | server_log_time_ascii | server_domain_insecure | server_val_sig_skew_min | -@@ -893,6 +895,15 @@ +@@ -1183,6 +1185,15 @@ + OUTYY(("P(server_caps_whitelist:%s)\n", $2)); + if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, $2)) yyerror("out of memory"); - } - ; ++ } ++ ; +server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG + { + OUTYY(("P(server_aaaa_filter:%s)\n", $2)); @@ -406,8 +408,6 @@ Index: trunk/util/configparser.y + yyerror("expected yes or no."); + else cfg_parser->cfg->aaaa_filter = (strcmp($2, "yes")==0); + free($2); -+ } -+ ; + } + ; server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG - { - OUTYY(("P(server_private_address:%s)\n", $2)); Modified: head/contrib/unbound/contrib/parseunbound.pl ============================================================================== --- head/contrib/unbound/contrib/parseunbound.pl Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/contrib/parseunbound.pl Sat May 12 14:51:18 2018 (r333564) @@ -91,7 +91,7 @@ while ( scalar keys %startstats < $numthreads || scala $allstats{$inthread}->{outstandingexc} = $4; } elsif ( $line =~ m/info: average recursion processing time ([0-9\.]+) sec/ ) { - $allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to milisec. + $allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to millisec. } elsif ( $line =~ m/info: histogram of recursion processing times/ ) { next; @@ -103,7 +103,7 @@ while ( scalar keys %startstats < $numthreads || scala } elsif ( $line =~ m/info: lower\(secs\) upper\(secs\) recursions/ ) { # since after this line we're unsure if we get these numbers - # at all, we sould consider this marker as the end of the + # at all, we should consider this marker as the end of the # block. Chances that we're parsing a file halfway written # at this stage are small. Bold statement. $donestats{$inthread} = 1; Modified: head/contrib/unbound/daemon/remote.c ============================================================================== --- head/contrib/unbound/daemon/remote.c Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/daemon/remote.c Sat May 12 14:51:18 2018 (r333564) @@ -827,6 +827,7 @@ print_mem(SSL* ssl, struct worker* worker, struct daem #endif /* USE_IPSECMOD */ #ifdef USE_DNSCRYPT size_t dnscrypt_shared_secret = 0; + size_t dnscrypt_nonce = 0; #endif /* USE_DNSCRYPT */ msg = slabhash_get_mem(daemon->env->msg_cache); rrset = slabhash_get_mem(&daemon->env->rrset_cache->table); @@ -843,6 +844,7 @@ print_mem(SSL* ssl, struct worker* worker, struct daem if(daemon->dnscenv) { dnscrypt_shared_secret = slabhash_get_mem( daemon->dnscenv->shared_secrets_cache); + dnscrypt_nonce = slabhash_get_mem(daemon->dnscenv->nonces_cache); } #endif /* USE_DNSCRYPT */ @@ -868,6 +870,9 @@ print_mem(SSL* ssl, struct worker* worker, struct daem if(!print_longnum(ssl, "mem.cache.dnscrypt_shared_secret"SQ, dnscrypt_shared_secret)) return 0; + if(!print_longnum(ssl, "mem.cache.dnscrypt_nonce"SQ, + dnscrypt_nonce)) + return 0; #endif /* USE_DNSCRYPT */ return 1; } @@ -1058,8 +1063,12 @@ print_ext(SSL* ssl, struct ub_stats_info* s) #ifdef USE_DNSCRYPT if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n", (unsigned)s->svr.shared_secret_cache_count)) return 0; + if(!ssl_printf(ssl, "dnscrypt_nonce.cache.count"SQ"%u\n", + (unsigned)s->svr.nonce_cache_count)) return 0; if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n", (unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0; + if(!ssl_printf(ssl, "num.query.dnscrypt.replay"SQ"%lu\n", + (unsigned long)s->svr.num_query_dnscrypt_replay)) return 0; #endif /* USE_DNSCRYPT */ return 1; } @@ -1771,7 +1780,7 @@ negative_del_rrset(struct lruhash_entry* e, void* arg) struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key; struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; /* delete the parentside negative cache rrsets, - * these are namerserver rrsets that failed lookup, rdata empty */ + * these are nameserver rrsets that failed lookup, rdata empty */ if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 && d->rrsig_count == 0 && d->rr_len[0] == 0) { d->ttl = inf->expired; Modified: head/contrib/unbound/daemon/stats.c ============================================================================== --- head/contrib/unbound/daemon/stats.c Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/daemon/stats.c Sat May 12 14:51:18 2018 (r333564) @@ -174,6 +174,21 @@ get_dnscrypt_cache_miss(struct worker* worker, int res lock_basic_unlock(&de->shared_secrets_cache_lock); return r; } + +/** get the number of replayed queries */ +static size_t +get_dnscrypt_replay(struct worker* worker, int reset) +{ + size_t r; + struct dnsc_env* de = worker->daemon->dnscenv; + + lock_basic_lock(&de->nonces_cache_lock); + r = de->num_query_dnscrypt_replay; + if(reset && !worker->env.cfg->stat_cumulative) + de->num_query_dnscrypt_replay = 0; + lock_basic_unlock(&de->nonces_cache_lock); + return r; +} #endif /* USE_DNSCRYPT */ void @@ -225,13 +240,21 @@ server_stats_compile(struct worker* worker, struct ub_ (long long)get_dnscrypt_cache_miss(worker, reset); s->svr.shared_secret_cache_count = (long long)count_slabhash_entries( worker->daemon->dnscenv->shared_secrets_cache); + s->svr.nonce_cache_count = (long long)count_slabhash_entries( + worker->daemon->dnscenv->nonces_cache); + s->svr.num_query_dnscrypt_replay = + (long long)get_dnscrypt_replay(worker, reset); } else { s->svr.num_query_dnscrypt_secret_missed_cache = 0; s->svr.shared_secret_cache_count = 0; + s->svr.nonce_cache_count = 0; + s->svr.num_query_dnscrypt_replay = 0; } #else s->svr.num_query_dnscrypt_secret_missed_cache = 0; s->svr.shared_secret_cache_count = 0; + s->svr.nonce_cache_count = 0; + s->svr.num_query_dnscrypt_replay = 0; #endif /* USE_DNSCRYPT */ /* get tcp accept usage */ Modified: head/contrib/unbound/daemon/unbound.c ============================================================================== --- head/contrib/unbound/daemon/unbound.c Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/daemon/unbound.c Sat May 12 14:51:18 2018 (r333564) @@ -400,7 +400,7 @@ detach(void) #endif /* HAVE_DAEMON */ } -/** daemonize, drop user priviliges and chroot if needed */ +/** daemonize, drop user privileges and chroot if needed */ static void perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, const char** cfgfile, int need_pidfile) Modified: head/contrib/unbound/daemon/worker.c ============================================================================== --- head/contrib/unbound/daemon/worker.c Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/daemon/worker.c Sat May 12 14:51:18 2018 (r333564) @@ -1633,7 +1633,8 @@ worker_init(struct worker* worker, struct config_file cfg->use_caps_bits_for_id, worker->ports, worker->numports, cfg->unwanted_threshold, cfg->outgoing_tcp_mss, &worker_alloc_cleanup, worker, - cfg->do_udp, worker->daemon->connect_sslctx, cfg->delay_close, + cfg->do_udp || cfg->udp_upstream_without_downstream, + worker->daemon->connect_sslctx, cfg->delay_close, dtenv); if(!worker->back) { log_err("could not create outgoing sockets"); Modified: head/contrib/unbound/dns64/dns64.c ============================================================================== --- head/contrib/unbound/dns64/dns64.c Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/dns64/dns64.c Sat May 12 14:51:18 2018 (r333564) @@ -792,6 +792,10 @@ dns64_inform_super(struct module_qstate* qstate, int i qstate->return_msg->rep)) return; + /* Use return code from A query in response to client. */ + if (super->return_rcode != LDNS_RCODE_NOERROR) + super->return_rcode = qstate->return_rcode; + /* Generate a response suitable for the original query. */ if (qstate->qinfo.qtype == LDNS_RR_TYPE_A) { dns64_adjust_a(id, super, qstate); Modified: head/contrib/unbound/dnscrypt/dnscrypt.c ============================================================================== --- head/contrib/unbound/dnscrypt/dnscrypt.c Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/dnscrypt/dnscrypt.c Sat May 12 14:51:18 2018 (r333564) @@ -60,6 +60,17 @@ struct shared_secret_cache_key { }; +struct nonce_cache_key { + /** the nonce used by the client */ + uint8_t nonce[crypto_box_HALF_NONCEBYTES]; + /** the client_magic used by the client, this is associated to 1 cert only */ + uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN]; + /** the client public key */ + uint8_t client_publickey[crypto_box_PUBLICKEYBYTES]; + /** the hash table entry, data is uint8_t */ + struct lruhash_entry entry; +}; + /** * Generate a key suitable to find shared secret in slabhash. * \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH @@ -136,6 +147,87 @@ dnsc_shared_secrets_lookup(struct slabhash* cache, } /** + * Generate a key hash suitable to find a nonce in slabhash. + * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES + * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN + * \param[in] pk: The public key of the client. uint8_t pointer of size + * crypto_box_PUBLICKEYBYTES. + * \return the hash of the key. + */ +static uint32_t +dnsc_nonce_cache_key_hash(const uint8_t nonce[crypto_box_HALF_NONCEBYTES], + const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN], + const uint8_t pk[crypto_box_PUBLICKEYBYTES]) +{ + uint32_t h = 0; + h = hashlittle(nonce, crypto_box_HALF_NONCEBYTES, h); + h = hashlittle(magic_query, DNSCRYPT_MAGIC_HEADER_LEN, h); + return hashlittle(pk, crypto_box_PUBLICKEYBYTES, h); +} + +/** + * Inserts a nonce, magic_query, pk tuple into the nonces_cache slabhash. + * \param[in] cache: the slabhash in which to look for the key. + * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES + * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN + * \param[in] pk: The public key of the client. uint8_t pointer of size + * crypto_box_PUBLICKEYBYTES. + * \param[in] hash: the hash of the key. + */ +static void +dnsc_nonce_cache_insert(struct slabhash *cache, + const uint8_t nonce[crypto_box_HALF_NONCEBYTES], + const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN], + const uint8_t pk[crypto_box_PUBLICKEYBYTES], + uint32_t hash) +{ + struct nonce_cache_key* k = + (struct nonce_cache_key*)calloc(1, sizeof(*k)); + if(!k) { + free(k); + return; + } + lock_rw_init(&k->entry.lock); + memcpy(k->nonce, nonce, crypto_box_HALF_NONCEBYTES); + memcpy(k->magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN); + memcpy(k->client_publickey, pk, crypto_box_PUBLICKEYBYTES); + k->entry.hash = hash; + k->entry.key = k; + k->entry.data = NULL; + slabhash_insert(cache, + hash, &k->entry, + NULL, + NULL); +} + +/** + * Lookup a record in nonces_cache. + * \param[in] cache: the slabhash in which to look for the key. + * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES + * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN + * \param[in] pk: The public key of the client. uint8_t pointer of size + * crypto_box_PUBLICKEYBYTES. + * \param[in] hash: the hash of the key. + * \return a pointer to the locked cache entry or NULL on failure. + */ +static struct lruhash_entry* +dnsc_nonces_lookup(struct slabhash* cache, + const uint8_t nonce[crypto_box_HALF_NONCEBYTES], + const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN], + const uint8_t pk[crypto_box_PUBLICKEYBYTES], + uint32_t hash) +{ + struct nonce_cache_key k; + memset(&k, 0, sizeof(k)); + k.entry.hash = hash; + memcpy(k.nonce, nonce, crypto_box_HALF_NONCEBYTES); + memcpy(k.magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN); + memcpy(k.client_publickey, pk, crypto_box_PUBLICKEYBYTES); + + return slabhash_lookup(cache, hash, &k, 0); +} + +/** * Decrypt a query using the dnsccert that was found using dnsc_find_cert. * The client nonce will be extracted from the encrypted query and stored in * client_nonce, a shared secret will be computed and stored in nmkey and the @@ -163,11 +255,44 @@ dnscrypt_server_uncurve(struct dnsc_env* env, struct lruhash_entry* entry; uint32_t hash; + uint32_t nonce_hash; + if (len <= DNSCRYPT_QUERY_HEADER_SIZE) { return -1; } query_header = (struct dnscrypt_query_header *)buf; + + /* Detect replay attacks */ + nonce_hash = dnsc_nonce_cache_key_hash( + query_header->nonce, + cert->magic_query, + query_header->publickey); + + lock_basic_lock(&env->nonces_cache_lock); + entry = dnsc_nonces_lookup( + env->nonces_cache, + query_header->nonce, + cert->magic_query, + query_header->publickey, + nonce_hash); + + if(entry) { + lock_rw_unlock(&entry->lock); + env->num_query_dnscrypt_replay++; + lock_basic_unlock(&env->nonces_cache_lock); + return -1; + } + + dnsc_nonce_cache_insert( + env->nonces_cache, + query_header->nonce, + cert->magic_query, + query_header->publickey, + nonce_hash); + lock_basic_unlock(&env->nonces_cache_lock); + + /* Find existing shared secret */ hash = dnsc_shared_secrets_cache_key(key, cert->es_version[1], query_header->publickey, @@ -547,7 +672,7 @@ dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_ * In order to be able to serve certs over TXT, we can reuse the local-zone and * local-data config option. The zone and qname are infered from the * provider_name and the content of the TXT record from the certificate content. - * returns the number of certtificate TXT record that were loaded. + * returns the number of certificate TXT record that were loaded. * < 0 in case of error. */ static int @@ -770,8 +895,16 @@ dnsc_create(void) env = (struct dnsc_env *) calloc(1, sizeof(struct dnsc_env)); lock_basic_init(&env->shared_secrets_cache_lock); lock_protect(&env->shared_secrets_cache_lock, - &env->num_query_dnscrypt_secret_missed_cache, - sizeof(env->num_query_dnscrypt_secret_missed_cache)); + &env->num_query_dnscrypt_secret_missed_cache, + sizeof(env->num_query_dnscrypt_secret_missed_cache)); + lock_basic_init(&env->nonces_cache_lock); + lock_protect(&env->nonces_cache_lock, + &env->nonces_cache, + sizeof(env->nonces_cache)); + lock_protect(&env->nonces_cache_lock, + &env->num_query_dnscrypt_replay, + sizeof(env->num_query_dnscrypt_replay)); + return env; } @@ -803,6 +936,16 @@ dnsc_apply_cfg(struct dnsc_env *env, struct config_fil if(!env->shared_secrets_cache){ fatal_exit("dnsc_apply_cfg: could not create shared secrets cache."); } + env->nonces_cache = slabhash_create( + cfg->dnscrypt_nonce_cache_slabs, + HASH_DEFAULT_STARTARRAY, + cfg->dnscrypt_nonce_cache_size, + dnsc_nonces_sizefunc, + dnsc_nonces_compfunc, + dnsc_nonces_delkeyfunc, + dnsc_nonces_deldatafunc, + NULL + ); return 0; } @@ -817,7 +960,9 @@ dnsc_delete(struct dnsc_env *env) sodium_free(env->certs); sodium_free(env->keypairs); slabhash_delete(env->shared_secrets_cache); + slabhash_delete(env->nonces_cache); lock_basic_destroy(&env->shared_secrets_cache_lock); + lock_basic_destroy(&env->nonces_cache_lock); free(env); } @@ -857,4 +1002,52 @@ dnsc_shared_secrets_deldatafunc(void* d, void* ATTR_UN { uint8_t* data = (uint8_t*)d; free(data); +} + +/** + * ######################################################### + * ############### Nonces cache functions ################## + * ######################################################### + */ + +size_t +dnsc_nonces_sizefunc(void *k, void* ATTR_UNUSED(d)) +{ + struct nonce_cache_key* nk = (struct nonce_cache_key*)k; + size_t key_size = sizeof(struct nonce_cache_key) + + lock_get_mem(&nk->entry.lock); + (void)nk; /* otherwise ssk is unused if no threading, or fixed locksize */ + return key_size; +} + +int +dnsc_nonces_compfunc(void *m1, void *m2) +{ + struct nonce_cache_key *k1 = m1, *k2 = m2; + return + sodium_memcmp( + k1->nonce, + k2->nonce, + crypto_box_HALF_NONCEBYTES) != 0 || + sodium_memcmp( + k1->magic_query, + k2->magic_query, + DNSCRYPT_MAGIC_HEADER_LEN) != 0 || + sodium_memcmp( + k1->client_publickey, k2->client_publickey, + crypto_box_PUBLICKEYBYTES) != 0; +} + +void +dnsc_nonces_delkeyfunc(void *k, void* ATTR_UNUSED(arg)) +{ + struct nonce_cache_key* nk = (struct nonce_cache_key*)k; + lock_rw_destroy(&nk->entry.lock); + free(nk); +} + +void +dnsc_nonces_deldatafunc(void* ATTR_UNUSED(d), void* ATTR_UNUSED(arg)) +{ + return; } Modified: head/contrib/unbound/dnscrypt/dnscrypt.h ============================================================================== --- head/contrib/unbound/dnscrypt/dnscrypt.h Sat May 12 14:48:38 2018 (r333563) +++ head/contrib/unbound/dnscrypt/dnscrypt.h Sat May 12 14:51:18 2018 (r333564) @@ -63,11 +63,20 @@ struct dnsc_env { uint64_t nonce_ts_last; unsigned char hash_key[crypto_shorthash_KEYBYTES]; char * provider_name; + + /** Caches */ struct slabhash *shared_secrets_cache; /** lock on shared secret cache counters */ lock_basic_type shared_secrets_cache_lock; /** number of misses from shared_secrets_cache */ size_t num_query_dnscrypt_secret_missed_cache; + + /** slabhash keeping track of nonce/cient pk/server sk pairs. */ + struct slabhash *nonces_cache; + /** lock on nonces_cache, used to avoid race condition in updating the hash */ + lock_basic_type nonces_cache_lock; + /** number of replayed queries */ + size_t num_query_dnscrypt_replay; }; struct dnscrypt_query_header { @@ -138,6 +147,27 @@ void dnsc_shared_secrets_delkeyfunc(void *k, void* arg * Function to delete a share secret cache value. */ void dnsc_shared_secrets_deldatafunc(void* d, void* arg); + +/** + * Computes the size of the nonce cache entry. + */ +size_t dnsc_nonces_sizefunc(void *k, void *d); + +/** + * Compares two nonce cache keys. *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201805121451.w4CEpJwT006390>