Index: head/contrib/unbound/config.h =================================================================== --- head/contrib/unbound/config.h (revision 276698) +++ head/contrib/unbound/config.h (revision 276699) @@ -1,1023 +1,1027 @@ /* config.h. Generated from config.h.in by configure. */ /* config.h.in. Generated from configure.ac by autoheader. */ /* Directory to chroot to */ #define CHROOT_DIR "/var/unbound" /* Do sha512 definitions in config.h */ /* #undef COMPAT_SHA512 */ /* Pathname to the Unbound configuration file */ #define CONFIGFILE "/var/unbound/unbound.conf" /* Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work */ /* #undef DARWIN_BROKEN_SETREUID */ /* Whether daemon is deprecated */ /* #undef DEPRECATED_DAEMON */ /* default dnstap socket path */ /* #undef DNSTAP_SOCKET_PATH */ /* Define if you want to use debug lock checking (slow). */ /* #undef ENABLE_LOCK_CHECKS */ /* Define this if you enabled-allsymbols from libunbound to link binaries to it for smaller install size, but the libunbound export table is polluted by internal symbols */ /* #undef EXPORT_ALL_SYMBOLS */ /* Define to 1 if you have the `arc4random' function. */ #define HAVE_ARC4RANDOM 1 /* Define to 1 if you have the `arc4random_uniform' function. */ #define HAVE_ARC4RANDOM_UNIFORM 1 /* Define to 1 if you have the header file. */ #define HAVE_ARPA_INET_H 1 /* Whether the C compiler accepts the "format" attribute */ #define HAVE_ATTR_FORMAT 1 /* Whether the C compiler accepts the "unused" attribute */ #define HAVE_ATTR_UNUSED 1 /* Define to 1 if your system has a working `chown' function. */ #define HAVE_CHOWN 1 /* Define to 1 if you have the `chroot' function. */ #define HAVE_CHROOT 1 /* Define to 1 if you have the `ctime_r' function. */ #define HAVE_CTIME_R 1 /* Define to 1 if you have the `daemon' function. */ #define HAVE_DAEMON 1 /* Define to 1 if you have the declaration of `arc4random', and to 0 if you don't. */ /* #undef HAVE_DECL_ARC4RANDOM */ /* Define to 1 if you have the declaration of `arc4random_uniform', and to 0 if you don't. */ /* #undef HAVE_DECL_ARC4RANDOM_UNIFORM */ /* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you don't. */ #define HAVE_DECL_NID_SECP384R1 1 /* Define to 1 if you have the declaration of `NID_X9_62_prime256v1', and to 0 if you don't. */ #define HAVE_DECL_NID_X9_62_PRIME256V1 1 /* Define to 1 if you have the declaration of `sk_SSL_COMP_pop_free', and to 0 if you don't. */ #define HAVE_DECL_SK_SSL_COMP_POP_FREE 1 /* Define to 1 if you have the declaration of `SSL_COMP_get_compression_methods', and to 0 if you don't. */ #define HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS 1 /* Define to 1 if you have the declaration of `strlcat', and to 0 if you don't. */ /* #undef HAVE_DECL_STRLCAT */ /* Define to 1 if you have the declaration of `strlcpy', and to 0 if you don't. */ /* #undef HAVE_DECL_STRLCPY */ /* Define to 1 if you have the header file. */ #define HAVE_DLFCN_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_ENDIAN_H */ /* Define to 1 if you have the `endprotoent' function. */ #define HAVE_ENDPROTOENT 1 /* Define to 1 if you have the `endservent' function. */ #define HAVE_ENDSERVENT 1 /* Define to 1 if you have the `event_base_free' function. */ /* #undef HAVE_EVENT_BASE_FREE */ /* Define to 1 if you have the `event_base_get_method' function. */ /* #undef HAVE_EVENT_BASE_GET_METHOD */ /* Define to 1 if you have the `event_base_new' function. */ /* #undef HAVE_EVENT_BASE_NEW */ /* Define to 1 if you have the `event_base_once' function. */ /* #undef HAVE_EVENT_BASE_ONCE */ /* Define to 1 if you have the header file. */ /* #undef HAVE_EVENT_H */ /* Define to 1 if you have the `EVP_sha1' function. */ #define HAVE_EVP_SHA1 1 /* Define to 1 if you have the `EVP_sha256' function. */ #define HAVE_EVP_SHA256 1 /* Define to 1 if you have the `EVP_sha512' function. */ #define HAVE_EVP_SHA512 1 /* Define to 1 if you have the `ev_default_loop' function. */ /* #undef HAVE_EV_DEFAULT_LOOP */ /* Define to 1 if you have the `ev_loop' function. */ /* #undef HAVE_EV_LOOP */ /* Define to 1 if you have the header file. */ #define HAVE_EXPAT_H 1 /* Define to 1 if you have the `fcntl' function. */ #define HAVE_FCNTL 1 /* Define to 1 if you have the `FIPS_mode' function. */ #define HAVE_FIPS_MODE 1 /* Define to 1 if you have the `fork' function. */ #define HAVE_FORK 1 /* Define to 1 if fseeko (and presumably ftello) exists and is declared. */ #define HAVE_FSEEKO 1 /* Whether getaddrinfo is available */ #define HAVE_GETADDRINFO 1 /* Define to 1 if you have the `getentropy' function. */ /* #undef HAVE_GETENTROPY */ /* Define to 1 if you have the header file. */ #define HAVE_GETOPT_H 1 /* Define to 1 if you have the `getpwnam' function. */ #define HAVE_GETPWNAM 1 /* Define to 1 if you have the `getrlimit' function. */ #define HAVE_GETRLIMIT 1 /* Define to 1 if you have the `glob' function. */ #define HAVE_GLOB 1 /* Define to 1 if you have the header file. */ #define HAVE_GLOB_H 1 /* Define to 1 if you have the `gmtime_r' function. */ #define HAVE_GMTIME_R 1 /* Define to 1 if you have the header file. */ #define HAVE_GRP_H 1 /* If you have HMAC_CTX_init */ #define HAVE_HMAC_CTX_INIT 1 /* Define to 1 if you have the `inet_aton' function. */ #define HAVE_INET_ATON 1 /* Define to 1 if you have the `inet_ntop' function. */ #define HAVE_INET_NTOP 1 /* Define to 1 if you have the `inet_pton' function. */ #define HAVE_INET_PTON 1 /* Define to 1 if you have the `initgroups' function. */ #define HAVE_INITGROUPS 1 /* Define to 1 if you have the header file. */ #define HAVE_INTTYPES_H 1 /* if the function 'ioctlsocket' is available */ /* #undef HAVE_IOCTLSOCKET */ /* Define to 1 if you have the header file. */ /* #undef HAVE_IPHLPAPI_H */ /* Define to 1 if you have the `kill' function. */ #define HAVE_KILL 1 /* Define if we have LibreSSL */ /* #undef HAVE_LIBRESSL */ /* Define to 1 if you have the `localtime_r' function. */ #define HAVE_LOCALTIME_R 1 /* Define to 1 if you have the header file. */ #define HAVE_LOGIN_CAP_H 1 /* If have GNU libc compatible malloc */ #define HAVE_MALLOC 1 /* Define to 1 if you have the `memmove' function. */ #define HAVE_MEMMOVE 1 /* Define to 1 if you have the header file. */ #define HAVE_MEMORY_H 1 /* Define to 1 if you have the header file. */ #define HAVE_NETDB_H 1 /* Define to 1 if you have the header file. */ #define HAVE_NETINET_IN_H 1 /* Use libnss for crypto */ /* #undef HAVE_NSS */ /* Define to 1 if you have the `OPENSSL_config' function. */ #define HAVE_OPENSSL_CONFIG 1 /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_CONF_H 1 /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_ENGINE_H 1 /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_ERR_H 1 /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_RAND_H 1 /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_SSL_H 1 /* Define if you have POSIX threads libraries and header files. */ #define HAVE_PTHREAD 1 /* Have PTHREAD_PRIO_INHERIT. */ #define HAVE_PTHREAD_PRIO_INHERIT 1 /* Define to 1 if the system has the type `pthread_rwlock_t'. */ #define HAVE_PTHREAD_RWLOCK_T 1 /* Define to 1 if the system has the type `pthread_spinlock_t'. */ #define HAVE_PTHREAD_SPINLOCK_T 1 /* Define to 1 if you have the header file. */ #define HAVE_PWD_H 1 /* Define if you have Python libraries and header files. */ /* #undef HAVE_PYTHON */ /* Define to 1 if you have the `random' function. */ #define HAVE_RANDOM 1 /* Define to 1 if you have the `recvmsg' function. */ #define HAVE_RECVMSG 1 /* Define to 1 if you have the `sbrk' function. */ /* #undef HAVE_SBRK */ /* Define to 1 if you have the `sendmsg' function. */ #define HAVE_SENDMSG 1 /* Define to 1 if you have the `setregid' function. */ /* #undef HAVE_SETREGID */ /* Define to 1 if you have the `setresgid' function. */ #define HAVE_SETRESGID 1 /* Define to 1 if you have the `setresuid' function. */ #define HAVE_SETRESUID 1 /* Define to 1 if you have the `setreuid' function. */ /* #undef HAVE_SETREUID */ /* Define to 1 if you have the `setrlimit' function. */ #define HAVE_SETRLIMIT 1 /* Define to 1 if you have the `setsid' function. */ #define HAVE_SETSID 1 /* Define to 1 if you have the `setusercontext' function. */ #define HAVE_SETUSERCONTEXT 1 /* Define to 1 if you have the `SHA512_Update' function. */ /* #undef HAVE_SHA512_UPDATE */ /* Define to 1 if you have the `sigprocmask' function. */ #define HAVE_SIGPROCMASK 1 /* Define to 1 if you have the `sleep' function. */ #define HAVE_SLEEP 1 /* Define to 1 if you have the `snprintf' function. */ #define HAVE_SNPRINTF 1 /* Define to 1 if you have the `socketpair' function. */ #define HAVE_SOCKETPAIR 1 /* Using Solaris threads */ /* #undef HAVE_SOLARIS_THREADS */ /* Define to 1 if you have the `srandom' function. */ #define HAVE_SRANDOM 1 /* Define if you have the SSL libraries installed. */ #define HAVE_SSL /**/ /* Define to 1 if you have the header file. */ #define HAVE_STDARG_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STDBOOL_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STDINT_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STDLIB_H 1 /* Define to 1 if you have the `strftime' function. */ #define HAVE_STRFTIME 1 /* Define to 1 if you have the header file. */ #define HAVE_STRINGS_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STRING_H 1 /* Define to 1 if you have the `strlcat' function. */ #define HAVE_STRLCAT 1 /* Define to 1 if you have the `strlcpy' function. */ #define HAVE_STRLCPY 1 /* Define to 1 if you have the `strptime' function. */ #define HAVE_STRPTIME 1 /* Define to 1 if `ipi_spec_dst' is a member of `struct in_pktinfo'. */ /* #undef HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST */ /* Define if you have Swig libraries and header files. */ /* #undef HAVE_SWIG */ /* Define to 1 if you have the header file. */ #define HAVE_SYSLOG_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_PARAM_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_RESOURCE_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_SHA2_H */ /* Define to 1 if you have the header file. */ #define HAVE_SYS_SOCKET_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_STAT_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_SYSCTL_H */ /* Define to 1 if you have the header file. */ #define HAVE_SYS_TYPES_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_UIO_H 1 +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_UN_H 1 + /* Define to 1 if you have the header file. */ #define HAVE_SYS_WAIT_H 1 /* Define to 1 if you have the header file. */ #define HAVE_TIME_H 1 /* Define to 1 if you have the `tzset' function. */ #define HAVE_TZSET 1 /* Define to 1 if you have the header file. */ #define HAVE_UNISTD_H 1 /* Define to 1 if you have the `usleep' function. */ #define HAVE_USLEEP 1 /* Define to 1 if you have the `vfork' function. */ #define HAVE_VFORK 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_VFORK_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_WINDOWS_H */ /* Using Windows threads */ /* #undef HAVE_WINDOWS_THREADS */ /* Define to 1 if you have the header file. */ /* #undef HAVE_WINSOCK2_H */ /* Define to 1 if `fork' works. */ #define HAVE_WORKING_FORK 1 /* Define to 1 if `vfork' works. */ #define HAVE_WORKING_VFORK 1 /* Define to 1 if you have the `writev' function. */ #define HAVE_WRITEV 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_WS2TCPIP_H */ /* Define to 1 if you have the `_beginthreadex' function. */ /* #undef HAVE__BEGINTHREADEX */ /* if lex has yylex_destroy */ #define LEX_HAS_YYLEX_DESTROY 1 -/* Define to the sub-directory where libtool stores uninstalled libraries. */ +/* Define to the sub-directory in which libtool stores uninstalled libraries. + */ #define LT_OBJDIR ".libs/" /* Define to the maximum message length to pass to syslog. */ #define MAXSYSLOGMSGLEN 10240 /* Define if memcmp() does not compare unsigned bytes */ /* #undef MEMCMP_IS_BROKEN */ /* Define if mkdir has one argument. */ /* #undef MKDIR_HAS_ONE_ARG */ /* Define if the network stack does not fully support nonblocking io (causes lower performance). */ /* #undef NONBLOCKING_IS_BROKEN */ /* Put -D_ALL_SOURCE define in config.h */ /* #undef OMITTED__D_ALL_SOURCE */ /* Put -D_BSD_SOURCE define in config.h */ /* #undef OMITTED__D_BSD_SOURCE */ /* Put -D_GNU_SOURCE define in config.h */ /* #undef OMITTED__D_GNU_SOURCE */ /* Put -D_LARGEFILE_SOURCE=1 define in config.h */ /* #undef OMITTED__D_LARGEFILE_SOURCE_1 */ /* Put -D_POSIX_C_SOURCE=200112 define in config.h */ /* #undef OMITTED__D_POSIX_C_SOURCE_200112 */ /* Put -D_XOPEN_SOURCE=600 define in config.h */ /* #undef OMITTED__D_XOPEN_SOURCE_600 */ /* Put -D_XOPEN_SOURCE_EXTENDED=1 define in config.h */ /* #undef OMITTED__D_XOPEN_SOURCE_EXTENDED_1 */ /* Put -D__EXTENSIONS__ define in config.h */ /* #undef OMITTED__D__EXTENSIONS__ */ /* Define to the address where bug reports for this package should be sent. */ #define PACKAGE_BUGREPORT "unbound-bugs@nlnetlabs.nl" /* Define to the full name of this package. */ #define PACKAGE_NAME "unbound" /* Define to the full name and version of this package. */ #define PACKAGE_STRING "unbound 1.5.1" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "unbound" /* Define to the home page for this package. */ #define PACKAGE_URL "" /* Define to the version of this package. */ #define PACKAGE_VERSION "1.5.1" /* default pidfile location */ #define PIDFILE "/var/unbound/unbound.pid" /* Define to necessary symbol if this constant uses a non-standard name on your system. */ /* #undef PTHREAD_CREATE_JOINABLE */ /* Define as the return type of signal handlers (`int' or `void'). */ #define RETSIGTYPE void /* default rootkey location */ #define ROOT_ANCHOR_FILE "/var/unbound/root.key" /* default rootcert location */ #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem" /* version number for resource files */ #define RSRC_PACKAGE_VERSION 1,5,1,0 /* Directory to chdir to */ #define RUN_DIR "/var/unbound" /* Shared data */ #define SHARE_DIR "/var/unbound" /* The size of `time_t', as computed by sizeof. */ #define SIZEOF_TIME_T 8 /* Define to 1 if you have the ANSI C header files. */ #define STDC_HEADERS 1 /* use default strptime. */ #define STRPTIME_WORKS 1 /* Use win32 resources and API */ /* #undef UB_ON_WINDOWS */ /* default username */ #define UB_USERNAME "unbound" /* use to enable lightweight alloc assertions, for debug use */ /* #undef UNBOUND_ALLOC_LITE */ /* use malloc not regions, for debug use */ /* #undef UNBOUND_ALLOC_NONREGIONAL */ /* use statistics for allocs and frees, for debug use */ /* #undef UNBOUND_ALLOC_STATS */ /* define this to enable debug checks. */ /* #undef UNBOUND_DEBUG */ /* Define to 1 to enable dnstap support */ /* #undef USE_DNSTAP */ /* Define this to enable ECDSA support. */ #define USE_ECDSA 1 /* Define this to enable an EVP workaround for older openssl */ /* #undef USE_ECDSA_EVP_WORKAROUND */ /* Define this to enable GOST support. */ /* #undef USE_GOST */ /* Define if you want to use internal select based events */ #define USE_MINI_EVENT 1 /* Define this to enable SHA256 and SHA512 support. */ #define USE_SHA2 1 /* Enable extensions on AIX 3, Interix. */ #ifndef _ALL_SOURCE # define _ALL_SOURCE 1 #endif /* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE # define _GNU_SOURCE 1 #endif /* Enable threading extensions on Solaris. */ #ifndef _POSIX_PTHREAD_SEMANTICS # define _POSIX_PTHREAD_SEMANTICS 1 #endif /* Enable extensions on HP NonStop. */ #ifndef _TANDEM_SOURCE # define _TANDEM_SOURCE 1 #endif /* Enable general extensions on Solaris. */ #ifndef __EXTENSIONS__ # define __EXTENSIONS__ 1 #endif /* Whether the windows socket API is used */ /* #undef USE_WINSOCK */ /* the version of the windows API enabled */ #define WINVER 0x0502 /* Define if you want Python module. */ /* #undef WITH_PYTHONMODULE */ /* Define if you want PyUnbound. */ /* #undef WITH_PYUNBOUND */ /* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a `char[]'. */ #define YYTEXT_POINTER 1 /* Enable large inode numbers on Mac OS X 10.5. */ #ifndef _DARWIN_USE_64_BIT_INODE # define _DARWIN_USE_64_BIT_INODE 1 #endif /* Number of bits in a file offset, on hosts where this is settable. */ /* #undef _FILE_OFFSET_BITS */ /* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */ /* #undef _LARGEFILE_SOURCE */ /* Define for large files, on AIX-style hosts. */ /* #undef _LARGE_FILES */ /* Define to 1 if on MINIX. */ /* #undef _MINIX */ /* Enable for compile on Minix */ /* #undef _NETBSD_SOURCE */ /* Define to 2 if the system does not provide POSIX.1 features except with this defined. */ /* #undef _POSIX_1_SOURCE */ /* Define to 1 if you need to in order for `stat' and other things to work. */ /* #undef _POSIX_SOURCE */ /* Define to empty if `const' does not conform to ANSI C. */ /* #undef const */ /* Define to `int' if doesn't define. */ /* #undef gid_t */ /* in_addr_t */ /* #undef in_addr_t */ /* in_port_t */ /* #undef in_port_t */ /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus /* #undef inline */ #endif /* Define to `short' if does not define. */ /* #undef int16_t */ /* Define to `int' if does not define. */ /* #undef int32_t */ /* Define to `long long' if does not define. */ /* #undef int64_t */ /* Define to `signed char' if does not define. */ /* #undef int8_t */ /* Define if replacement function should be used. */ /* #undef malloc */ /* Define to `long int' if does not define. */ /* #undef off_t */ /* Define to `int' if does not define. */ /* #undef pid_t */ /* Define to 'int' if not defined */ /* #undef rlim_t */ /* Define to `unsigned int' if does not define. */ /* #undef size_t */ /* Define to 'int' if not defined */ /* #undef socklen_t */ /* Define to `int' if does not define. */ /* #undef ssize_t */ /* Define to 'unsigned char if not defined */ /* #undef u_char */ /* Define to `int' if doesn't define. */ /* #undef uid_t */ /* Define to `unsigned short' if does not define. */ /* #undef uint16_t */ /* Define to `unsigned int' if does not define. */ /* #undef uint32_t */ /* Define to `unsigned long long' if does not define. */ /* #undef uint64_t */ /* Define to `unsigned char' if does not define. */ /* #undef uint8_t */ /* Define as `fork' if `vfork' does not work. */ /* #undef vfork */ #if defined(OMITTED__D_GNU_SOURCE) && !defined(_GNU_SOURCE) #define _GNU_SOURCE 1 #endif #if defined(OMITTED__D_BSD_SOURCE) && !defined(_BSD_SOURCE) #define _BSD_SOURCE 1 #endif #if defined(OMITTED__D__EXTENSIONS__) && !defined(__EXTENSIONS__) #define __EXTENSIONS__ 1 #endif #if defined(OMITTED__D_POSIX_C_SOURCE_200112) && !defined(_POSIX_C_SOURCE) #define _POSIX_C_SOURCE 200112 #endif #if defined(OMITTED__D_XOPEN_SOURCE_600) && !defined(_XOPEN_SOURCE) #define _XOPEN_SOURCE 600 #endif #if defined(OMITTED__D_XOPEN_SOURCE_EXTENDED_1) && !defined(_XOPEN_SOURCE_EXTENDED) #define _XOPEN_SOURCE_EXTENDED 1 #endif #if defined(OMITTED__D_ALL_SOURCE) && !defined(_ALL_SOURCE) #define _ALL_SOURCE 1 #endif #if defined(OMITTED__D_LARGEFILE_SOURCE_1) && !defined(_LARGEFILE_SOURCE) #define _LARGEFILE_SOURCE 1 #endif #ifndef UNBOUND_DEBUG # define NDEBUG #endif /** Use small-ldns codebase */ #define USE_SLDNS 1 #ifdef HAVE_SSL # define LDNS_BUILD_CONFIG_HAVE_SSL 1 #endif #include #include #include #include #if STDC_HEADERS #include #include #endif #ifdef HAVE_STDARG_H #include #endif #ifdef HAVE_STDINT_H #include #endif #include #if HAVE_SYS_PARAM_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_SYS_UIO_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_WINSOCK2_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif #ifndef USE_WINSOCK #define ARG_LL "%ll" #else #define ARG_LL "%I64" #endif #ifdef HAVE_ATTR_FORMAT # define ATTR_FORMAT(archetype, string_index, first_to_check) \ __attribute__ ((format (archetype, string_index, first_to_check))) #else /* !HAVE_ATTR_FORMAT */ # define ATTR_FORMAT(archetype, string_index, first_to_check) /* empty */ #endif /* !HAVE_ATTR_FORMAT */ #if defined(DOXYGEN) # define ATTR_UNUSED(x) x #elif defined(__cplusplus) # define ATTR_UNUSED(x) #elif defined(HAVE_ATTR_UNUSED) # define ATTR_UNUSED(x) x __attribute__((unused)) #else /* !HAVE_ATTR_UNUSED */ # define ATTR_UNUSED(x) x #endif /* !HAVE_ATTR_UNUSED */ #ifndef HAVE_FSEEKO #define fseeko fseek #define ftello ftell #endif /* HAVE_FSEEKO */ #ifndef MAXHOSTNAMELEN #define MAXHOSTNAMELEN 256 #endif #ifndef HAVE_SNPRINTF #define snprintf snprintf_unbound #define vsnprintf vsnprintf_unbound #include int snprintf (char *str, size_t count, const char *fmt, ...); int vsnprintf (char *str, size_t count, const char *fmt, va_list arg); #endif /* HAVE_SNPRINTF */ #ifndef HAVE_INET_PTON #define inet_pton inet_pton_unbound int inet_pton(int af, const char* src, void* dst); #endif /* HAVE_INET_PTON */ #ifndef HAVE_INET_NTOP #define inet_ntop inet_ntop_unbound const char *inet_ntop(int af, const void *src, char *dst, size_t size); #endif #ifndef HAVE_INET_ATON #define inet_aton inet_aton_unbound int inet_aton(const char *cp, struct in_addr *addr); #endif #ifndef HAVE_MEMMOVE #define memmove memmove_unbound void *memmove(void *dest, const void *src, size_t n); #endif #ifndef HAVE_STRLCAT #define strlcat strlcat_unbound size_t strlcat(char *dst, const char *src, size_t siz); #endif #ifndef HAVE_STRLCPY #define strlcpy strlcpy_unbound size_t strlcpy(char *dst, const char *src, size_t siz); #endif #ifndef HAVE_GMTIME_R #define gmtime_r gmtime_r_unbound struct tm *gmtime_r(const time_t *timep, struct tm *result); #endif #if !defined(HAVE_SLEEP) || defined(HAVE_WINDOWS_H) #define sleep(x) Sleep((x)*1000) /* on win32 */ #endif /* HAVE_SLEEP */ #ifndef HAVE_USLEEP #define usleep(x) Sleep((x)/1000 + 1) /* on win32 */ #endif /* HAVE_USLEEP */ #ifndef HAVE_RANDOM #define random rand /* on win32, for tests only (bad random) */ #endif /* HAVE_RANDOM */ #ifndef HAVE_SRANDOM #define srandom(x) srand(x) /* on win32, for tests only (bad random) */ #endif /* HAVE_SRANDOM */ /* detect if we need to cast to unsigned int for FD_SET to avoid warnings */ #ifdef HAVE_WINSOCK2_H #define FD_SET_T (u_int) #else #define FD_SET_T #endif #ifndef IPV6_MIN_MTU #define IPV6_MIN_MTU 1280 #endif /* IPV6_MIN_MTU */ #ifdef MEMCMP_IS_BROKEN #include "compat/memcmp.h" #define memcmp memcmp_unbound int memcmp(const void *x, const void *y, size_t n); #endif #ifndef HAVE_CTIME_R #define ctime_r unbound_ctime_r char *ctime_r(const time_t *timep, char *buf); #endif #if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS) #define strptime unbound_strptime struct tm; char *strptime(const char *s, const char *format, struct tm *tm); #endif #ifdef HAVE_LIBRESSL # if !HAVE_DECL_STRLCPY size_t strlcpy(char *dst, const char *src, size_t siz); # endif # if !HAVE_DECL_STRLCAT size_t strlcat(char *dst, const char *src, size_t siz); # endif # if !HAVE_DECL_ARC4RANDOM && defined(HAVE_ARC4RANDOM) uint32_t arc4random(void); # endif # if !HAVE_DECL_ARC4RANDOM_UNIFORM && defined(HAVE_ARC4RANDOM_UNIFORM) uint32_t arc4random_uniform(uint32_t upper_bound); # endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM void explicit_bzero(void* buf, size_t len); int getentropy(void* buf, size_t len); uint32_t arc4random(void); void arc4random_buf(void* buf, size_t n); void _ARC4_LOCK(void); void _ARC4_UNLOCK(void); #endif #ifndef HAVE_ARC4RANDOM_UNIFORM uint32_t arc4random_uniform(uint32_t upper_bound); #endif #ifdef COMPAT_SHA512 #ifndef SHA512_DIGEST_LENGTH #define SHA512_BLOCK_LENGTH 128 #define SHA512_DIGEST_LENGTH 64 #define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1) typedef struct _SHA512_CTX { uint64_t state[8]; uint64_t bitcount[2]; uint8_t buffer[SHA512_BLOCK_LENGTH]; } SHA512_CTX; #endif /* SHA512_DIGEST_LENGTH */ void SHA512_Init(SHA512_CTX*); void SHA512_Update(SHA512_CTX*, void*, size_t); void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*); unsigned char *SHA512(void* data, unsigned int data_len, unsigned char *digest); #endif /* COMPAT_SHA512 */ #if defined(HAVE_EVENT_H) && !defined(HAVE_EVENT_BASE_ONCE) && !(defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && (defined(HAVE_PTHREAD) || defined(HAVE_SOLARIS_THREADS)) /* using version of libevent that is not threadsafe. */ # define LIBEVENT_SIGNAL_PROBLEM 1 #endif #ifndef CHECKED_INET6 # define CHECKED_INET6 # ifdef AF_INET6 # define INET6 # else # define AF_INET6 28 # endif #endif /* CHECKED_INET6 */ #ifndef HAVE_GETADDRINFO struct sockaddr_storage; #include "compat/fake-rfc2553.h" #endif #ifdef UNBOUND_ALLOC_STATS # define malloc(s) unbound_stat_malloc_log(s, __FILE__, __LINE__, __func__) # define calloc(n,s) unbound_stat_calloc_log(n, s, __FILE__, __LINE__, __func__) # define free(p) unbound_stat_free_log(p, __FILE__, __LINE__, __func__) # define realloc(p,s) unbound_stat_realloc_log(p, s, __FILE__, __LINE__, __func__) void *unbound_stat_malloc(size_t size); void *unbound_stat_calloc(size_t nmemb, size_t size); void unbound_stat_free(void *ptr); void *unbound_stat_realloc(void *ptr, size_t size); void *unbound_stat_malloc_log(size_t size, const char* file, int line, const char* func); void *unbound_stat_calloc_log(size_t nmemb, size_t size, const char* file, int line, const char* func); void unbound_stat_free_log(void *ptr, const char* file, int line, const char* func); void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file, int line, const char* func); #elif defined(UNBOUND_ALLOC_LITE) # include "util/alloc.h" #endif /* UNBOUND_ALLOC_LITE and UNBOUND_ALLOC_STATS */ /** default port for DNS traffic. */ #define UNBOUND_DNS_PORT 53 /** default port for unbound control traffic, registered port with IANA, ub-dns-control 8953/tcp unbound dns nameserver control */ #define UNBOUND_CONTROL_PORT 8953 /** the version of unbound-control that this software implements */ #define UNBOUND_CONTROL_VERSION 1 Index: head/contrib/unbound/config.h.in =================================================================== --- head/contrib/unbound/config.h.in (revision 276698) +++ head/contrib/unbound/config.h.in (revision 276699) @@ -1,1022 +1,1026 @@ /* config.h.in. Generated from configure.ac by autoheader. */ /* Directory to chroot to */ #undef CHROOT_DIR /* Do sha512 definitions in config.h */ #undef COMPAT_SHA512 /* Pathname to the Unbound configuration file */ #undef CONFIGFILE /* Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work */ #undef DARWIN_BROKEN_SETREUID /* Whether daemon is deprecated */ #undef DEPRECATED_DAEMON /* default dnstap socket path */ #undef DNSTAP_SOCKET_PATH /* Define if you want to use debug lock checking (slow). */ #undef ENABLE_LOCK_CHECKS /* Define this if you enabled-allsymbols from libunbound to link binaries to it for smaller install size, but the libunbound export table is polluted by internal symbols */ #undef EXPORT_ALL_SYMBOLS /* Define to 1 if you have the `arc4random' function. */ #undef HAVE_ARC4RANDOM /* Define to 1 if you have the `arc4random_uniform' function. */ #undef HAVE_ARC4RANDOM_UNIFORM /* Define to 1 if you have the header file. */ #undef HAVE_ARPA_INET_H /* Whether the C compiler accepts the "format" attribute */ #undef HAVE_ATTR_FORMAT /* Whether the C compiler accepts the "unused" attribute */ #undef HAVE_ATTR_UNUSED /* Define to 1 if your system has a working `chown' function. */ #undef HAVE_CHOWN /* Define to 1 if you have the `chroot' function. */ #undef HAVE_CHROOT /* Define to 1 if you have the `ctime_r' function. */ #undef HAVE_CTIME_R /* Define to 1 if you have the `daemon' function. */ #undef HAVE_DAEMON /* Define to 1 if you have the declaration of `arc4random', and to 0 if you don't. */ #undef HAVE_DECL_ARC4RANDOM /* Define to 1 if you have the declaration of `arc4random_uniform', and to 0 if you don't. */ #undef HAVE_DECL_ARC4RANDOM_UNIFORM /* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you don't. */ #undef HAVE_DECL_NID_SECP384R1 /* Define to 1 if you have the declaration of `NID_X9_62_prime256v1', and to 0 if you don't. */ #undef HAVE_DECL_NID_X9_62_PRIME256V1 /* Define to 1 if you have the declaration of `sk_SSL_COMP_pop_free', and to 0 if you don't. */ #undef HAVE_DECL_SK_SSL_COMP_POP_FREE /* Define to 1 if you have the declaration of `SSL_COMP_get_compression_methods', and to 0 if you don't. */ #undef HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS /* Define to 1 if you have the declaration of `strlcat', and to 0 if you don't. */ #undef HAVE_DECL_STRLCAT /* Define to 1 if you have the declaration of `strlcpy', and to 0 if you don't. */ #undef HAVE_DECL_STRLCPY /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H /* Define to 1 if you have the header file. */ #undef HAVE_ENDIAN_H /* Define to 1 if you have the `endprotoent' function. */ #undef HAVE_ENDPROTOENT /* Define to 1 if you have the `endservent' function. */ #undef HAVE_ENDSERVENT /* Define to 1 if you have the `event_base_free' function. */ #undef HAVE_EVENT_BASE_FREE /* Define to 1 if you have the `event_base_get_method' function. */ #undef HAVE_EVENT_BASE_GET_METHOD /* Define to 1 if you have the `event_base_new' function. */ #undef HAVE_EVENT_BASE_NEW /* Define to 1 if you have the `event_base_once' function. */ #undef HAVE_EVENT_BASE_ONCE /* Define to 1 if you have the header file. */ #undef HAVE_EVENT_H /* Define to 1 if you have the `EVP_sha1' function. */ #undef HAVE_EVP_SHA1 /* Define to 1 if you have the `EVP_sha256' function. */ #undef HAVE_EVP_SHA256 /* Define to 1 if you have the `EVP_sha512' function. */ #undef HAVE_EVP_SHA512 /* Define to 1 if you have the `ev_default_loop' function. */ #undef HAVE_EV_DEFAULT_LOOP /* Define to 1 if you have the `ev_loop' function. */ #undef HAVE_EV_LOOP /* Define to 1 if you have the header file. */ #undef HAVE_EXPAT_H /* Define to 1 if you have the `fcntl' function. */ #undef HAVE_FCNTL /* Define to 1 if you have the `FIPS_mode' function. */ #undef HAVE_FIPS_MODE /* Define to 1 if you have the `fork' function. */ #undef HAVE_FORK /* Define to 1 if fseeko (and presumably ftello) exists and is declared. */ #undef HAVE_FSEEKO /* Whether getaddrinfo is available */ #undef HAVE_GETADDRINFO /* Define to 1 if you have the `getentropy' function. */ #undef HAVE_GETENTROPY /* Define to 1 if you have the header file. */ #undef HAVE_GETOPT_H /* Define to 1 if you have the `getpwnam' function. */ #undef HAVE_GETPWNAM /* Define to 1 if you have the `getrlimit' function. */ #undef HAVE_GETRLIMIT /* Define to 1 if you have the `glob' function. */ #undef HAVE_GLOB /* Define to 1 if you have the header file. */ #undef HAVE_GLOB_H /* Define to 1 if you have the `gmtime_r' function. */ #undef HAVE_GMTIME_R /* Define to 1 if you have the header file. */ #undef HAVE_GRP_H /* If you have HMAC_CTX_init */ #undef HAVE_HMAC_CTX_INIT /* Define to 1 if you have the `inet_aton' function. */ #undef HAVE_INET_ATON /* Define to 1 if you have the `inet_ntop' function. */ #undef HAVE_INET_NTOP /* Define to 1 if you have the `inet_pton' function. */ #undef HAVE_INET_PTON /* Define to 1 if you have the `initgroups' function. */ #undef HAVE_INITGROUPS /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* if the function 'ioctlsocket' is available */ #undef HAVE_IOCTLSOCKET /* Define to 1 if you have the header file. */ #undef HAVE_IPHLPAPI_H /* Define to 1 if you have the `kill' function. */ #undef HAVE_KILL /* Define if we have LibreSSL */ #undef HAVE_LIBRESSL /* Define to 1 if you have the `localtime_r' function. */ #undef HAVE_LOCALTIME_R /* Define to 1 if you have the header file. */ #undef HAVE_LOGIN_CAP_H /* If have GNU libc compatible malloc */ #undef HAVE_MALLOC /* Define to 1 if you have the `memmove' function. */ #undef HAVE_MEMMOVE /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H /* Define to 1 if you have the header file. */ #undef HAVE_NETDB_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_H /* Use libnss for crypto */ #undef HAVE_NSS /* Define to 1 if you have the `OPENSSL_config' function. */ #undef HAVE_OPENSSL_CONFIG /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_CONF_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_ENGINE_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_ERR_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_RAND_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_SSL_H /* Define if you have POSIX threads libraries and header files. */ #undef HAVE_PTHREAD /* Have PTHREAD_PRIO_INHERIT. */ #undef HAVE_PTHREAD_PRIO_INHERIT /* Define to 1 if the system has the type `pthread_rwlock_t'. */ #undef HAVE_PTHREAD_RWLOCK_T /* Define to 1 if the system has the type `pthread_spinlock_t'. */ #undef HAVE_PTHREAD_SPINLOCK_T /* Define to 1 if you have the header file. */ #undef HAVE_PWD_H /* Define if you have Python libraries and header files. */ #undef HAVE_PYTHON /* Define to 1 if you have the `random' function. */ #undef HAVE_RANDOM /* Define to 1 if you have the `recvmsg' function. */ #undef HAVE_RECVMSG /* Define to 1 if you have the `sbrk' function. */ #undef HAVE_SBRK /* Define to 1 if you have the `sendmsg' function. */ #undef HAVE_SENDMSG /* Define to 1 if you have the `setregid' function. */ #undef HAVE_SETREGID /* Define to 1 if you have the `setresgid' function. */ #undef HAVE_SETRESGID /* Define to 1 if you have the `setresuid' function. */ #undef HAVE_SETRESUID /* Define to 1 if you have the `setreuid' function. */ #undef HAVE_SETREUID /* Define to 1 if you have the `setrlimit' function. */ #undef HAVE_SETRLIMIT /* Define to 1 if you have the `setsid' function. */ #undef HAVE_SETSID /* Define to 1 if you have the `setusercontext' function. */ #undef HAVE_SETUSERCONTEXT /* Define to 1 if you have the `SHA512_Update' function. */ #undef HAVE_SHA512_UPDATE /* Define to 1 if you have the `sigprocmask' function. */ #undef HAVE_SIGPROCMASK /* Define to 1 if you have the `sleep' function. */ #undef HAVE_SLEEP /* Define to 1 if you have the `snprintf' function. */ #undef HAVE_SNPRINTF /* Define to 1 if you have the `socketpair' function. */ #undef HAVE_SOCKETPAIR /* Using Solaris threads */ #undef HAVE_SOLARIS_THREADS /* Define to 1 if you have the `srandom' function. */ #undef HAVE_SRANDOM /* Define if you have the SSL libraries installed. */ #undef HAVE_SSL /* Define to 1 if you have the header file. */ #undef HAVE_STDARG_H /* Define to 1 if you have the header file. */ #undef HAVE_STDBOOL_H /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the `strftime' function. */ #undef HAVE_STRFTIME /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the `strlcat' function. */ #undef HAVE_STRLCAT /* Define to 1 if you have the `strlcpy' function. */ #undef HAVE_STRLCPY /* Define to 1 if you have the `strptime' function. */ #undef HAVE_STRPTIME /* Define to 1 if `ipi_spec_dst' is a member of `struct in_pktinfo'. */ #undef HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST /* Define if you have Swig libraries and header files. */ #undef HAVE_SWIG /* Define to 1 if you have the header file. */ #undef HAVE_SYSLOG_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_PARAM_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_RESOURCE_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SHA2_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKET_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SYSCTL_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_UIO_H +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_UN_H + /* Define to 1 if you have the header file. */ #undef HAVE_SYS_WAIT_H /* Define to 1 if you have the header file. */ #undef HAVE_TIME_H /* Define to 1 if you have the `tzset' function. */ #undef HAVE_TZSET /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the `usleep' function. */ #undef HAVE_USLEEP /* Define to 1 if you have the `vfork' function. */ #undef HAVE_VFORK /* Define to 1 if you have the header file. */ #undef HAVE_VFORK_H /* Define to 1 if you have the header file. */ #undef HAVE_WINDOWS_H /* Using Windows threads */ #undef HAVE_WINDOWS_THREADS /* Define to 1 if you have the header file. */ #undef HAVE_WINSOCK2_H /* Define to 1 if `fork' works. */ #undef HAVE_WORKING_FORK /* Define to 1 if `vfork' works. */ #undef HAVE_WORKING_VFORK /* Define to 1 if you have the `writev' function. */ #undef HAVE_WRITEV /* Define to 1 if you have the header file. */ #undef HAVE_WS2TCPIP_H /* Define to 1 if you have the `_beginthreadex' function. */ #undef HAVE__BEGINTHREADEX /* if lex has yylex_destroy */ #undef LEX_HAS_YYLEX_DESTROY -/* Define to the sub-directory where libtool stores uninstalled libraries. */ +/* Define to the sub-directory in which libtool stores uninstalled libraries. + */ #undef LT_OBJDIR /* Define to the maximum message length to pass to syslog. */ #undef MAXSYSLOGMSGLEN /* Define if memcmp() does not compare unsigned bytes */ #undef MEMCMP_IS_BROKEN /* Define if mkdir has one argument. */ #undef MKDIR_HAS_ONE_ARG /* Define if the network stack does not fully support nonblocking io (causes lower performance). */ #undef NONBLOCKING_IS_BROKEN /* Put -D_ALL_SOURCE define in config.h */ #undef OMITTED__D_ALL_SOURCE /* Put -D_BSD_SOURCE define in config.h */ #undef OMITTED__D_BSD_SOURCE /* Put -D_GNU_SOURCE define in config.h */ #undef OMITTED__D_GNU_SOURCE /* Put -D_LARGEFILE_SOURCE=1 define in config.h */ #undef OMITTED__D_LARGEFILE_SOURCE_1 /* Put -D_POSIX_C_SOURCE=200112 define in config.h */ #undef OMITTED__D_POSIX_C_SOURCE_200112 /* Put -D_XOPEN_SOURCE=600 define in config.h */ #undef OMITTED__D_XOPEN_SOURCE_600 /* Put -D_XOPEN_SOURCE_EXTENDED=1 define in config.h */ #undef OMITTED__D_XOPEN_SOURCE_EXTENDED_1 /* Put -D__EXTENSIONS__ define in config.h */ #undef OMITTED__D__EXTENSIONS__ /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the home page for this package. */ #undef PACKAGE_URL /* Define to the version of this package. */ #undef PACKAGE_VERSION /* default pidfile location */ #undef PIDFILE /* Define to necessary symbol if this constant uses a non-standard name on your system. */ #undef PTHREAD_CREATE_JOINABLE /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE /* default rootkey location */ #undef ROOT_ANCHOR_FILE /* default rootcert location */ #undef ROOT_CERT_FILE /* version number for resource files */ #undef RSRC_PACKAGE_VERSION /* Directory to chdir to */ #undef RUN_DIR /* Shared data */ #undef SHARE_DIR /* The size of `time_t', as computed by sizeof. */ #undef SIZEOF_TIME_T /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS /* use default strptime. */ #undef STRPTIME_WORKS /* Use win32 resources and API */ #undef UB_ON_WINDOWS /* default username */ #undef UB_USERNAME /* use to enable lightweight alloc assertions, for debug use */ #undef UNBOUND_ALLOC_LITE /* use malloc not regions, for debug use */ #undef UNBOUND_ALLOC_NONREGIONAL /* use statistics for allocs and frees, for debug use */ #undef UNBOUND_ALLOC_STATS /* define this to enable debug checks. */ #undef UNBOUND_DEBUG /* Define to 1 to enable dnstap support */ #undef USE_DNSTAP /* Define this to enable ECDSA support. */ #undef USE_ECDSA /* Define this to enable an EVP workaround for older openssl */ #undef USE_ECDSA_EVP_WORKAROUND /* Define this to enable GOST support. */ #undef USE_GOST /* Define if you want to use internal select based events */ #undef USE_MINI_EVENT /* Define this to enable SHA256 and SHA512 support. */ #undef USE_SHA2 /* Enable extensions on AIX 3, Interix. */ #ifndef _ALL_SOURCE # undef _ALL_SOURCE #endif /* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE # undef _GNU_SOURCE #endif /* Enable threading extensions on Solaris. */ #ifndef _POSIX_PTHREAD_SEMANTICS # undef _POSIX_PTHREAD_SEMANTICS #endif /* Enable extensions on HP NonStop. */ #ifndef _TANDEM_SOURCE # undef _TANDEM_SOURCE #endif /* Enable general extensions on Solaris. */ #ifndef __EXTENSIONS__ # undef __EXTENSIONS__ #endif /* Whether the windows socket API is used */ #undef USE_WINSOCK /* the version of the windows API enabled */ #undef WINVER /* Define if you want Python module. */ #undef WITH_PYTHONMODULE /* Define if you want PyUnbound. */ #undef WITH_PYUNBOUND /* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a `char[]'. */ #undef YYTEXT_POINTER /* Enable large inode numbers on Mac OS X 10.5. */ #ifndef _DARWIN_USE_64_BIT_INODE # define _DARWIN_USE_64_BIT_INODE 1 #endif /* Number of bits in a file offset, on hosts where this is settable. */ #undef _FILE_OFFSET_BITS /* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */ #undef _LARGEFILE_SOURCE /* Define for large files, on AIX-style hosts. */ #undef _LARGE_FILES /* Define to 1 if on MINIX. */ #undef _MINIX /* Enable for compile on Minix */ #undef _NETBSD_SOURCE /* Define to 2 if the system does not provide POSIX.1 features except with this defined. */ #undef _POSIX_1_SOURCE /* Define to 1 if you need to in order for `stat' and other things to work. */ #undef _POSIX_SOURCE /* Define to empty if `const' does not conform to ANSI C. */ #undef const /* Define to `int' if doesn't define. */ #undef gid_t /* in_addr_t */ #undef in_addr_t /* in_port_t */ #undef in_port_t /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus #undef inline #endif /* Define to `short' if does not define. */ #undef int16_t /* Define to `int' if does not define. */ #undef int32_t /* Define to `long long' if does not define. */ #undef int64_t /* Define to `signed char' if does not define. */ #undef int8_t /* Define if replacement function should be used. */ #undef malloc /* Define to `long int' if does not define. */ #undef off_t /* Define to `int' if does not define. */ #undef pid_t /* Define to 'int' if not defined */ #undef rlim_t /* Define to `unsigned int' if does not define. */ #undef size_t /* Define to 'int' if not defined */ #undef socklen_t /* Define to `int' if does not define. */ #undef ssize_t /* Define to 'unsigned char if not defined */ #undef u_char /* Define to `int' if doesn't define. */ #undef uid_t /* Define to `unsigned short' if does not define. */ #undef uint16_t /* Define to `unsigned int' if does not define. */ #undef uint32_t /* Define to `unsigned long long' if does not define. */ #undef uint64_t /* Define to `unsigned char' if does not define. */ #undef uint8_t /* Define as `fork' if `vfork' does not work. */ #undef vfork #if defined(OMITTED__D_GNU_SOURCE) && !defined(_GNU_SOURCE) #define _GNU_SOURCE 1 #endif #if defined(OMITTED__D_BSD_SOURCE) && !defined(_BSD_SOURCE) #define _BSD_SOURCE 1 #endif #if defined(OMITTED__D__EXTENSIONS__) && !defined(__EXTENSIONS__) #define __EXTENSIONS__ 1 #endif #if defined(OMITTED__D_POSIX_C_SOURCE_200112) && !defined(_POSIX_C_SOURCE) #define _POSIX_C_SOURCE 200112 #endif #if defined(OMITTED__D_XOPEN_SOURCE_600) && !defined(_XOPEN_SOURCE) #define _XOPEN_SOURCE 600 #endif #if defined(OMITTED__D_XOPEN_SOURCE_EXTENDED_1) && !defined(_XOPEN_SOURCE_EXTENDED) #define _XOPEN_SOURCE_EXTENDED 1 #endif #if defined(OMITTED__D_ALL_SOURCE) && !defined(_ALL_SOURCE) #define _ALL_SOURCE 1 #endif #if defined(OMITTED__D_LARGEFILE_SOURCE_1) && !defined(_LARGEFILE_SOURCE) #define _LARGEFILE_SOURCE 1 #endif #ifndef UNBOUND_DEBUG # define NDEBUG #endif /** Use small-ldns codebase */ #define USE_SLDNS 1 #ifdef HAVE_SSL # define LDNS_BUILD_CONFIG_HAVE_SSL 1 #endif #include #include #include #include #if STDC_HEADERS #include #include #endif #ifdef HAVE_STDARG_H #include #endif #ifdef HAVE_STDINT_H #include #endif #include #if HAVE_SYS_PARAM_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_SYS_UIO_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_WINSOCK2_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif #ifndef USE_WINSOCK #define ARG_LL "%ll" #else #define ARG_LL "%I64" #endif #ifdef HAVE_ATTR_FORMAT # define ATTR_FORMAT(archetype, string_index, first_to_check) \ __attribute__ ((format (archetype, string_index, first_to_check))) #else /* !HAVE_ATTR_FORMAT */ # define ATTR_FORMAT(archetype, string_index, first_to_check) /* empty */ #endif /* !HAVE_ATTR_FORMAT */ #if defined(DOXYGEN) # define ATTR_UNUSED(x) x #elif defined(__cplusplus) # define ATTR_UNUSED(x) #elif defined(HAVE_ATTR_UNUSED) # define ATTR_UNUSED(x) x __attribute__((unused)) #else /* !HAVE_ATTR_UNUSED */ # define ATTR_UNUSED(x) x #endif /* !HAVE_ATTR_UNUSED */ #ifndef HAVE_FSEEKO #define fseeko fseek #define ftello ftell #endif /* HAVE_FSEEKO */ #ifndef MAXHOSTNAMELEN #define MAXHOSTNAMELEN 256 #endif #ifndef HAVE_SNPRINTF #define snprintf snprintf_unbound #define vsnprintf vsnprintf_unbound #include int snprintf (char *str, size_t count, const char *fmt, ...); int vsnprintf (char *str, size_t count, const char *fmt, va_list arg); #endif /* HAVE_SNPRINTF */ #ifndef HAVE_INET_PTON #define inet_pton inet_pton_unbound int inet_pton(int af, const char* src, void* dst); #endif /* HAVE_INET_PTON */ #ifndef HAVE_INET_NTOP #define inet_ntop inet_ntop_unbound const char *inet_ntop(int af, const void *src, char *dst, size_t size); #endif #ifndef HAVE_INET_ATON #define inet_aton inet_aton_unbound int inet_aton(const char *cp, struct in_addr *addr); #endif #ifndef HAVE_MEMMOVE #define memmove memmove_unbound void *memmove(void *dest, const void *src, size_t n); #endif #ifndef HAVE_STRLCAT #define strlcat strlcat_unbound size_t strlcat(char *dst, const char *src, size_t siz); #endif #ifndef HAVE_STRLCPY #define strlcpy strlcpy_unbound size_t strlcpy(char *dst, const char *src, size_t siz); #endif #ifndef HAVE_GMTIME_R #define gmtime_r gmtime_r_unbound struct tm *gmtime_r(const time_t *timep, struct tm *result); #endif #if !defined(HAVE_SLEEP) || defined(HAVE_WINDOWS_H) #define sleep(x) Sleep((x)*1000) /* on win32 */ #endif /* HAVE_SLEEP */ #ifndef HAVE_USLEEP #define usleep(x) Sleep((x)/1000 + 1) /* on win32 */ #endif /* HAVE_USLEEP */ #ifndef HAVE_RANDOM #define random rand /* on win32, for tests only (bad random) */ #endif /* HAVE_RANDOM */ #ifndef HAVE_SRANDOM #define srandom(x) srand(x) /* on win32, for tests only (bad random) */ #endif /* HAVE_SRANDOM */ /* detect if we need to cast to unsigned int for FD_SET to avoid warnings */ #ifdef HAVE_WINSOCK2_H #define FD_SET_T (u_int) #else #define FD_SET_T #endif #ifndef IPV6_MIN_MTU #define IPV6_MIN_MTU 1280 #endif /* IPV6_MIN_MTU */ #ifdef MEMCMP_IS_BROKEN #include "compat/memcmp.h" #define memcmp memcmp_unbound int memcmp(const void *x, const void *y, size_t n); #endif #ifndef HAVE_CTIME_R #define ctime_r unbound_ctime_r char *ctime_r(const time_t *timep, char *buf); #endif #if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS) #define strptime unbound_strptime struct tm; char *strptime(const char *s, const char *format, struct tm *tm); #endif #ifdef HAVE_LIBRESSL # if !HAVE_DECL_STRLCPY size_t strlcpy(char *dst, const char *src, size_t siz); # endif # if !HAVE_DECL_STRLCAT size_t strlcat(char *dst, const char *src, size_t siz); # endif # if !HAVE_DECL_ARC4RANDOM && defined(HAVE_ARC4RANDOM) uint32_t arc4random(void); # endif # if !HAVE_DECL_ARC4RANDOM_UNIFORM && defined(HAVE_ARC4RANDOM_UNIFORM) uint32_t arc4random_uniform(uint32_t upper_bound); # endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM void explicit_bzero(void* buf, size_t len); int getentropy(void* buf, size_t len); uint32_t arc4random(void); void arc4random_buf(void* buf, size_t n); void _ARC4_LOCK(void); void _ARC4_UNLOCK(void); #endif #ifndef HAVE_ARC4RANDOM_UNIFORM uint32_t arc4random_uniform(uint32_t upper_bound); #endif #ifdef COMPAT_SHA512 #ifndef SHA512_DIGEST_LENGTH #define SHA512_BLOCK_LENGTH 128 #define SHA512_DIGEST_LENGTH 64 #define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1) typedef struct _SHA512_CTX { uint64_t state[8]; uint64_t bitcount[2]; uint8_t buffer[SHA512_BLOCK_LENGTH]; } SHA512_CTX; #endif /* SHA512_DIGEST_LENGTH */ void SHA512_Init(SHA512_CTX*); void SHA512_Update(SHA512_CTX*, void*, size_t); void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*); unsigned char *SHA512(void* data, unsigned int data_len, unsigned char *digest); #endif /* COMPAT_SHA512 */ #if defined(HAVE_EVENT_H) && !defined(HAVE_EVENT_BASE_ONCE) && !(defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && (defined(HAVE_PTHREAD) || defined(HAVE_SOLARIS_THREADS)) /* using version of libevent that is not threadsafe. */ # define LIBEVENT_SIGNAL_PROBLEM 1 #endif #ifndef CHECKED_INET6 # define CHECKED_INET6 # ifdef AF_INET6 # define INET6 # else # define AF_INET6 28 # endif #endif /* CHECKED_INET6 */ #ifndef HAVE_GETADDRINFO struct sockaddr_storage; #include "compat/fake-rfc2553.h" #endif #ifdef UNBOUND_ALLOC_STATS # define malloc(s) unbound_stat_malloc_log(s, __FILE__, __LINE__, __func__) # define calloc(n,s) unbound_stat_calloc_log(n, s, __FILE__, __LINE__, __func__) # define free(p) unbound_stat_free_log(p, __FILE__, __LINE__, __func__) # define realloc(p,s) unbound_stat_realloc_log(p, s, __FILE__, __LINE__, __func__) void *unbound_stat_malloc(size_t size); void *unbound_stat_calloc(size_t nmemb, size_t size); void unbound_stat_free(void *ptr); void *unbound_stat_realloc(void *ptr, size_t size); void *unbound_stat_malloc_log(size_t size, const char* file, int line, const char* func); void *unbound_stat_calloc_log(size_t nmemb, size_t size, const char* file, int line, const char* func); void unbound_stat_free_log(void *ptr, const char* file, int line, const char* func); void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file, int line, const char* func); #elif defined(UNBOUND_ALLOC_LITE) # include "util/alloc.h" #endif /* UNBOUND_ALLOC_LITE and UNBOUND_ALLOC_STATS */ /** default port for DNS traffic. */ #define UNBOUND_DNS_PORT 53 /** default port for unbound control traffic, registered port with IANA, ub-dns-control 8953/tcp unbound dns nameserver control */ #define UNBOUND_CONTROL_PORT 8953 /** the version of unbound-control that this software implements */ #define UNBOUND_CONTROL_VERSION 1 Index: head/contrib/unbound/configure.ac =================================================================== --- head/contrib/unbound/configure.ac (revision 276698) +++ head/contrib/unbound/configure.ac (revision 276699) @@ -1,1343 +1,1343 @@ # -*- Autoconf -*- # Process this file with autoconf to produce a configure script. AC_PREREQ(2.56) sinclude(acx_nlnetlabs.m4) sinclude(ax_pthread.m4) sinclude(acx_python.m4) sinclude(ac_pkg_swig.m4) sinclude(dnstap/dnstap.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[5]) m4_define([VERSION_MICRO],[1]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=5 LIBUNBOUND_REVISION=3 LIBUNBOUND_AGE=3 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 # 1.0.2 had 0:14:0 # 1.1.0 had 0:15:0 # 1.1.1 had 0:16:0 # 1.2.0 had 0:17:0 # 1.2.1 had 0:18:0 # 1.3.0 had 1:0:0 # ub_cancel and -export-symbols. # 1.3.1 had 1:1:0 # 1.3.2 had 1:2:0 # 1.3.3 had 1:3:0 # 1.3.4 had 1:4:0 # 1.4.0-snapshots had 1:5:0 # 1.4.0 had 1:5:0 (not 2:0:0) # ub_result.why_bogus # 1.4.1 had 2:1:0 # 1.4.2 had 2:2:0 # 1.4.3 had 2:3:0 # 1.4.4 had 2:4:0 # 1.4.5 had 2:5:0 # 1.4.6 had 2:6:0 # 1.4.7 had 2:7:0 # 1.4.8 had 2:8:0 # 1.4.9 had 2:9:0 # 1.4.10 had 2:10:0 # 1.4.11 had 2:11:0 # 1.4.12 had 2:12:0 # 1.4.13 had 2:13:0 # and 1.4.13p1 and 1.4.13.p2 # 1.4.14 had 2:14:0 # 1.4.15 had 3:0:1 # adds ub_version() # 1.4.16 had 3:1:1 # 1.4.17 had 3:2:1 # 1.4.18 had 3:3:1 # 1.4.19 had 3:4:1 # 1.4.20 had 4:0:2 # adds libunbound.ttl # but shipped 3:5:1 # 1.4.21 had 4:1:2 # 1.4.22 had 4:1:2 # 1.5.0 had 5:3:3 # adds ub_ctx_add_ta_autr # 1.5.1 had 5:4:3 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary # API are we supplying? # Age -- How many previous binary API versions do we also # support? # # If we release a new version that does not change the binary API, # increment Revision. # # If we release a new version that changes the binary API, but does # not break programs compiled against the old binary API, increment # Current and Age. Set Revision to 0, since this is the first # implementation of the new API. # # Otherwise, we're changing the binary API and breaking bakward # compatibility with old binaries. Increment Current. Set Age to 0, # since we're backward compatible with no previous APIs. Set Revision # to 0 too. AC_SUBST(LIBUNBOUND_CURRENT) AC_SUBST(LIBUNBOUND_REVISION) AC_SUBST(LIBUNBOUND_AGE) CFLAGS="$CFLAGS" AC_AIX if test "$ac_cv_header_minix_config_h" = "yes"; then AC_DEFINE(_NETBSD_SOURCE,1, [Enable for compile on Minix]) fi dnl dnl By default set prefix to /usr/local dnl case "$prefix" in NONE) prefix="/usr/local" ;; esac # are we on MinGW? if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes" else if echo $target | grep mingw32 >/dev/null; then on_mingw="yes" else on_mingw="no"; fi fi # # Determine configuration file # the eval is to evaluate shell expansion twice if test $on_mingw = "no"; then ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"` else ub_conf_file="C:\\Program Files\\Unbound\\service.conf" fi AC_ARG_WITH([conf_file], AC_HELP_STRING([--with-conf-file=path], [Pathname to the Unbound configuration file]), [ub_conf_file="$withval"]) AC_SUBST(ub_conf_file) ACX_ESCAPE_BACKSLASH($ub_conf_file, hdr_config) AC_DEFINE_UNQUOTED(CONFIGFILE, ["$hdr_config"], [Pathname to the Unbound configuration file]) # Determine run, chroot directory and pidfile locations AC_ARG_WITH(run-dir, AC_HELP_STRING([--with-run-dir=path], [set default directory to chdir to (by default dir part of cfg file)]), UNBOUND_RUN_DIR="$withval", if test $on_mingw = no; then UNBOUND_RUN_DIR=`dirname "$ub_conf_file"` else UNBOUND_RUN_DIR="" fi ) AC_SUBST(UNBOUND_RUN_DIR) ACX_ESCAPE_BACKSLASH($UNBOUND_RUN_DIR, hdr_run) AC_DEFINE_UNQUOTED(RUN_DIR, ["$hdr_run"], [Directory to chdir to]) AC_ARG_WITH(chroot-dir, AC_HELP_STRING([--with-chroot-dir=path], [set default directory to chroot to (by default same as run-dir)]), UNBOUND_CHROOT_DIR="$withval", if test $on_mingw = no; then UNBOUND_CHROOT_DIR="$UNBOUND_RUN_DIR" else UNBOUND_CHROOT_DIR="" fi ) AC_SUBST(UNBOUND_CHROOT_DIR) ACX_ESCAPE_BACKSLASH($UNBOUND_CHROOT_DIR, hdr_chroot) AC_DEFINE_UNQUOTED(CHROOT_DIR, ["$hdr_chroot"], [Directory to chroot to]) AC_ARG_WITH(share-dir, AC_HELP_STRING([--with-share-dir=path], [set default directory with shared data (by default same as share/unbound)]), UNBOUND_SHARE_DIR="$withval", UNBOUND_SHARE_DIR="$UNBOUND_RUN_DIR") AC_SUBST(UNBOUND_SHARE_DIR) AC_DEFINE_UNQUOTED(SHARE_DIR, ["$UNBOUND_SHARE_DIR"], [Shared data]) AC_ARG_WITH(pidfile, AC_HELP_STRING([--with-pidfile=filename], [set default pathname to unbound pidfile (default run-dir/unbound.pid)]), UNBOUND_PIDFILE="$withval", if test $on_mingw = no; then UNBOUND_PIDFILE="$UNBOUND_RUN_DIR/unbound.pid" else UNBOUND_PIDFILE="" fi ) AC_SUBST(UNBOUND_PIDFILE) ACX_ESCAPE_BACKSLASH($UNBOUND_PIDFILE, hdr_pid) AC_DEFINE_UNQUOTED(PIDFILE, ["$hdr_pid"], [default pidfile location]) AC_ARG_WITH(rootkey-file, AC_HELP_STRING([--with-rootkey-file=filename], [set default pathname to root key file (default run-dir/root.key). This file is read and written.]), UNBOUND_ROOTKEY_FILE="$withval", if test $on_mingw = no; then UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key" else UNBOUND_ROOTKEY_FILE="C:\\Program Files\\Unbound\\root.key" fi ) AC_SUBST(UNBOUND_ROOTKEY_FILE) ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTKEY_FILE, hdr_rkey) AC_DEFINE_UNQUOTED(ROOT_ANCHOR_FILE, ["$hdr_rkey"], [default rootkey location]) AC_ARG_WITH(rootcert-file, AC_HELP_STRING([--with-rootcert-file=filename], [set default pathname to root update certificate file (default run-dir/icannbundle.pem). This file need not exist if you are content with the builtin.]), UNBOUND_ROOTCERT_FILE="$withval", if test $on_mingw = no; then UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem" else UNBOUND_ROOTCERT_FILE="C:\\Program Files\\Unbound\\icannbundle.pem" fi ) AC_SUBST(UNBOUND_ROOTCERT_FILE) ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTCERT_FILE, hdr_rpem) AC_DEFINE_UNQUOTED(ROOT_CERT_FILE, ["$hdr_rpem"], [default rootcert location]) AC_ARG_WITH(username, AC_HELP_STRING([--with-username=user], [set default user that unbound changes to (default user is unbound)]), UNBOUND_USERNAME="$withval", UNBOUND_USERNAME="unbound") AC_SUBST(UNBOUND_USERNAME) AC_DEFINE_UNQUOTED(UB_USERNAME, ["$UNBOUND_USERNAME"], [default username]) AC_DEFINE(WINVER, 0x0502, [the version of the windows API enabled]) ACX_RSRC_VERSION(wnvs) AC_DEFINE_UNQUOTED(RSRC_PACKAGE_VERSION, [$wnvs], [version number for resource files]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_LANG_C # allow user to override the -g -O2 flags. if test "x$CFLAGS" = "x" ; then ACX_CHECK_COMPILER_FLAG(g, [CFLAGS="$CFLAGS -g"]) ACX_CHECK_COMPILER_FLAG(O2, [CFLAGS="$CFLAGS -O2"]) fi AC_PROG_CC ACX_DEPFLAG ACX_DETERMINE_EXT_FLAGS_UNBOUND # debug mode flags warnings AC_ARG_ENABLE(checking, AC_HELP_STRING([--enable-checking], [Enable warnings, asserts, makefile-dependencies])) AC_ARG_ENABLE(debug, AC_HELP_STRING([--enable-debug], [same as enable-checking])) if test "$enable_debug" = "yes"; then debug_enabled="$enable_debug"; else debug_enabled="$enable_checking"; fi AC_SUBST(debug_enabled) case "$debug_enabled" in yes) ACX_CHECK_COMPILER_FLAG(W, [CFLAGS="$CFLAGS -W"]) ACX_CHECK_COMPILER_FLAG(Wall, [CFLAGS="$CFLAGS -Wall"]) ACX_CHECK_COMPILER_FLAG(Wextra, [CFLAGS="$CFLAGS -Wextra"]) ACX_CHECK_COMPILER_FLAG(Wdeclaration-after-statement, [CFLAGS="$CFLAGS -Wdeclaration-after-statement"]) AC_DEFINE([UNBOUND_DEBUG], [], [define this to enable debug checks.]) ;; no|*) # nothing to do. ;; esac ACX_CHECK_FLTO AC_C_INLINE ACX_CHECK_FORMAT_ATTRIBUTE ACX_CHECK_UNUSED_ATTRIBUTE if test "$srcdir" != "."; then CPPFLAGS="$CPPFLAGS -I$srcdir" fi AC_DEFUN([ACX_YYLEX_DESTROY], [ AC_MSG_CHECKING([for yylex_destroy]) if echo %% | $LEX -t 2>&1 | grep yylex_destroy >/dev/null 2>&1; then AC_DEFINE(LEX_HAS_YYLEX_DESTROY, 1, [if lex has yylex_destroy]) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no); fi ]) AC_PROG_LEX ACX_YYLEX_DESTROY AC_PROG_YACC AC_CHECK_PROG(doxygen, doxygen, doxygen) AC_CHECK_TOOL(STRIP, strip) ACX_LIBTOOL_C_ONLY # Checks for header files. -AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h],,, [AC_INCLUDES_DEFAULT]) # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. AC_CHECK_TYPE(int8_t, signed char) AC_CHECK_TYPE(int16_t, short) AC_CHECK_TYPE(int32_t, int) AC_CHECK_TYPE(int64_t, long long) AC_CHECK_TYPE(uint8_t, unsigned char) AC_CHECK_TYPE(uint16_t, unsigned short) AC_CHECK_TYPE(uint32_t, unsigned int) AC_CHECK_TYPE(uint64_t, unsigned long long) AC_TYPE_SIZE_T AC_CHECK_TYPE(ssize_t, int) AC_TYPE_UID_T AC_TYPE_PID_T AC_TYPE_OFF_T ACX_TYPE_U_CHAR ACX_TYPE_RLIM_T ACX_TYPE_SOCKLEN_T ACX_TYPE_IN_ADDR_T ACX_TYPE_IN_PORT_T ACX_CHECK_MEMCMP_SIGNED AC_CHECK_SIZEOF(time_t,,[ AC_INCLUDES_DEFAULT #ifdef TIME_WITH_SYS_TIME # include # include #else # ifdef HAVE_SYS_TIME_H # include # else # include # endif #endif ]) # add option to disable the evil rpath ACX_ARG_RPATH AC_SUBST(RUNTIME_PATH) # check to see if libraries are needed for these functions. AC_SEARCH_LIBS([inet_pton], [nsl]) AC_SEARCH_LIBS([socket], [socket]) # check wether strptime also works AC_DEFUN([AC_CHECK_STRPTIME_WORKS], [AC_REQUIRE([AC_PROG_CC]) AC_MSG_CHECKING(whether strptime works) if test c${cross_compiling} = cno; then AC_RUN_IFELSE([AC_LANG_SOURCE([[ #define _XOPEN_SOURCE 600 #include int main(void) { struct tm tm; char *res; res = strptime("2010-07-15T00:00:00+00:00", "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm); if (!res) return 2; res = strptime("20070207111842", "%Y%m%d%H%M%S", &tm); if (!res) return 1; return 0; } ]])] , [eval "ac_cv_c_strptime_works=yes"], [eval "ac_cv_c_strptime_works=no"]) else eval "ac_cv_c_strptime_works=maybe" fi AC_MSG_RESULT($ac_cv_c_strptime_works) if test $ac_cv_c_strptime_works = no; then AC_LIBOBJ(strptime) else AC_DEFINE_UNQUOTED([STRPTIME_WORKS], 1, [use default strptime.]) fi ])dnl # check some functions of the OS before linking libs (while still runnable). AC_FUNC_CHOWN AC_FUNC_FORK AC_TYPE_SIGNAL AC_FUNC_FSEEKO ACX_SYS_LARGEFILE ACX_CHECK_NONBLOCKING_BROKEN ACX_MKDIR_ONE_ARG AC_CHECK_FUNCS([strptime],[AC_CHECK_STRPTIME_WORKS],[AC_LIBOBJ([strptime])]) # set memory allocation checking if requested AC_ARG_ENABLE(alloc-checks, AC_HELP_STRING([--enable-alloc-checks], [ enable to memory allocation statistics, for debug purposes ]), , ) AC_ARG_ENABLE(alloc-lite, AC_HELP_STRING([--enable-alloc-lite], [ enable for lightweight alloc assertions, for debug purposes ]), , ) AC_ARG_ENABLE(alloc-nonregional, AC_HELP_STRING([--enable-alloc-nonregional], [ enable nonregional allocs, slow but exposes regional allocations to other memory purifiers, for debug purposes ]), , ) if test x_$enable_alloc_nonregional = x_yes; then AC_DEFINE(UNBOUND_ALLOC_NONREGIONAL, 1, [use malloc not regions, for debug use]) fi if test x_$enable_alloc_checks = x_yes; then AC_DEFINE(UNBOUND_ALLOC_STATS, 1, [use statistics for allocs and frees, for debug use]) else if test x_$enable_alloc_lite = x_yes; then AC_DEFINE(UNBOUND_ALLOC_LITE, 1, [use to enable lightweight alloc assertions, for debug use]) else ACX_FUNC_MALLOC([unbound]) fi fi # check windows threads (we use them, not pthreads, on windows). if test "$on_mingw" = "yes"; then # check windows threads AC_CHECK_HEADERS([windows.h],,, [AC_INCLUDES_DEFAULT]) AC_MSG_CHECKING([for CreateThread]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([ #ifdef HAVE_WINDOWS_H #include #endif ], [ HANDLE t = CreateThread(NULL, 0, NULL, NULL, 0, NULL); ])], AC_MSG_RESULT(yes) AC_DEFINE(HAVE_WINDOWS_THREADS, 1, [Using Windows threads]) , AC_MSG_RESULT(no) ) else # not on mingw, check thread libraries. # check for thread library. # check this first, so that the pthread lib does not get linked in via # libssl or libpython, and thus distorts the tests, and we end up using # the non-threadsafe C libraries. AC_ARG_WITH(pthreads, AC_HELP_STRING([--with-pthreads], [use pthreads library, or --without-pthreads to disable threading support.]), [ ],[ withval="yes" ]) ub_have_pthreads=no if test x_$withval != x_no; then AX_PTHREAD([ AC_DEFINE(HAVE_PTHREAD,1,[Define if you have POSIX threads libraries and header files.]) LIBS="$PTHREAD_LIBS $LIBS" CFLAGS="$CFLAGS $PTHREAD_CFLAGS" CC="$PTHREAD_CC" ub_have_pthreads=yes AC_CHECK_TYPES([pthread_spinlock_t, pthread_rwlock_t],,,[#include ]) ]) fi # check solaris thread library AC_ARG_WITH(solaris-threads, AC_HELP_STRING([--with-solaris-threads], [use solaris native thread library.]), [ ],[ withval="no" ]) ub_have_sol_threads=no if test x_$withval != x_no; then if test x_$ub_have_pthreads != x_no; then AC_WARN([Have pthreads already, ignoring --with-solaris-threads]) else AC_SEARCH_LIBS(thr_create, [thread], [ AC_DEFINE(HAVE_SOLARIS_THREADS, 1, [Using Solaris threads]) ACX_CHECK_COMPILER_FLAG(mt, [CFLAGS="$CFLAGS -mt"], [CFLAGS="$CFLAGS -D_REENTRANT"]) ub_have_sol_threads=yes ] , [ AC_ERROR([no solaris threads found.]) ]) fi fi fi # end of non-mingw check of thread libraries # Check for PyUnbound AC_ARG_WITH(pyunbound, AC_HELP_STRING([--with-pyunbound], [build PyUnbound, or --without-pyunbound to skip it. (default=no)]), [], [ withval="no" ]) ub_test_python=no ub_with_pyunbound=no if test x_$withval != x_no; then ub_with_pyunbound=yes ub_test_python=yes fi # Check for Python module AC_ARG_WITH(pythonmodule, AC_HELP_STRING([--with-pythonmodule], [build Python module, or --without-pythonmodule to disable script engine. (default=no)]), [], [ withval="no" ]) ub_with_pythonmod=no if test x_$withval != x_no; then ub_with_pythonmod=yes ub_test_python=yes fi # Check for Python & SWIG only on PyUnbound or PyModule if test x_$ub_test_python != x_no; then # Check for Python ub_have_python=no ac_save_LIBS="$LIBS" dnl otherwise AC_PYTHON_DEVEL thrashes $LIBS AC_PYTHON_DEVEL if test ! -z "$PYTHON_VERSION"; then if test `$PYTHON -c "print('$PYTHON_VERSION' >= '2.4.0')"` = "False"; then AC_ERROR([Python version >= 2.4.0 is required]) fi # Have Python AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.]) LIBS="$PYTHON_LDFLAGS $LIBS" CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS" ub_have_python=yes # Check for SWIG ub_have_swig=no AC_PROG_SWIG AC_MSG_CHECKING(SWIG) if test ! -x "$SWIG"; then AC_ERROR([failed to find swig tool, install it, or do not build Python module and PyUnbound]) else AC_DEFINE(HAVE_SWIG, 1, [Define if you have Swig libraries and header files.]) AC_SUBST(swig, "$SWIG") AC_MSG_RESULT(present) # If have Python & SWIG # Declare PythonMod if test x_$ub_with_pythonmod != x_no; then AC_DEFINE(WITH_PYTHONMODULE, 1, [Define if you want Python module.]) WITH_PYTHONMODULE=yes AC_SUBST(WITH_PYTHONMODULE) PYTHONMOD_OBJ="pythonmod.lo pythonmod_utils.lo" AC_SUBST(PYTHONMOD_OBJ) PYTHONMOD_HEADER='$(srcdir)/pythonmod/pythonmod.h' AC_SUBST(PYTHONMOD_HEADER) PYTHONMOD_INSTALL=pythonmod-install AC_SUBST(PYTHONMOD_INSTALL) PYTHONMOD_UNINSTALL=pythonmod-uninstall AC_SUBST(PYTHONMOD_UNINSTALL) fi # Declare PyUnbound if test x_$ub_with_pyunbound != x_no; then AC_DEFINE(WITH_PYUNBOUND, 1, [Define if you want PyUnbound.]) WITH_PYUNBOUND=yes AC_SUBST(WITH_PYUNBOUND) PYUNBOUND_OBJ="libunbound_wrap.lo" AC_SUBST(PYUNBOUND_OBJ) PYUNBOUND_TARGET="_unbound.la" AC_SUBST(PYUNBOUND_TARGET) PYUNBOUND_INSTALL=pyunbound-install AC_SUBST(PYUNBOUND_INSTALL) PYUNBOUND_UNINSTALL=pyunbound-uninstall AC_SUBST(PYUNBOUND_UNINSTALL) fi fi else AC_MSG_RESULT([*** Python libraries not found, won't build PythonMod or PyUnbound ***]) ub_with_pyunbound=no ub_with_pythonmod=no fi fi if test "`uname`" = "NetBSD"; then NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_' AC_SUBST(NETBSD_LINTFLAGS) fi CONFIG_DATE=`date +%Y%m%d` AC_SUBST(CONFIG_DATE) # Checks for libraries. # libnss USE_NSS="no" AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path], [use libnss instead of openssl, installed at path.]), [ USE_NSS="yes" AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto]) if test "$withval" != "" -a "$withval" != "yes"; then CPPFLAGS="$CPPFLAGS -I$withval/include/nss3" LDFLAGS="$LDFLAGS -L$withval/lib" ACX_RUNTIME_PATH_ADD([$withval/lib]) CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS" else CPPFLAGS="$CPPFLAGS -I/usr/include/nss3" CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS" fi LIBS="$LIBS -lnss3 -lnspr4" ] ) # openssl if test $USE_NSS = "no"; then ACX_WITH_SSL ACX_LIB_SSL AC_MSG_CHECKING([for LibreSSL]) if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then AC_MSG_RESULT([yes]) AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL]) # libressl provides these compat functions, but they may also be # declared by the OS in libc. See if they have been declared. AC_CHECK_DECLS([strlcpy,strlcat,arc4random,arc4random_uniform]) else AC_MSG_RESULT([no]) fi AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode]) AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H #include #endif #ifdef HAVE_OPENSSL_RAND_H #include #endif #ifdef HAVE_OPENSSL_CONF_H #include #endif #ifdef HAVE_OPENSSL_ENGINE_H #include #endif #include #include ]) fi AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support])) case "$enable_sha2" in no) ;; yes|*) AC_DEFINE([USE_SHA2], [1], [Define this to enable SHA256 and SHA512 support.]) ;; esac # check wether gost also works AC_DEFUN([AC_CHECK_GOST_WORKS], [AC_REQUIRE([AC_PROG_CC]) AC_MSG_CHECKING([if GOST works]) if test c${cross_compiling} = cno; then BAKCFLAGS="$CFLAGS" if test -n "$ssldir"; then CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib" fi AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include #include #include #include #include /* routine to load gost (from sldns) */ int load_gost_id(void) { static int gost_id = 0; const EVP_PKEY_ASN1_METHOD* meth; ENGINE* e; if(gost_id) return gost_id; /* see if configuration loaded gost implementation from other engine*/ meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); if(meth) { EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); return gost_id; } /* see if engine can be loaded already */ e = ENGINE_by_id("gost"); if(!e) { /* load it ourself, in case statically linked */ ENGINE_load_builtin_engines(); ENGINE_load_dynamic(); e = ENGINE_by_id("gost"); } if(!e) { /* no gost engine in openssl */ return 0; } if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { ENGINE_finish(e); ENGINE_free(e); return 0; } meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); if(!meth) { /* algo not found */ ENGINE_finish(e); ENGINE_free(e); return 0; } EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); return gost_id; } int main(void) { EVP_MD_CTX* ctx; const EVP_MD* md; unsigned char digest[64]; /* its a 256-bit digest, so uses 32 bytes */ const char* str = "Hello world"; const unsigned char check[] = { 0x40 , 0xed , 0xf8 , 0x56 , 0x5a , 0xc5 , 0x36 , 0xe1 , 0x33 , 0x7c , 0x7e , 0x87 , 0x62 , 0x1c , 0x42 , 0xe0 , 0x17 , 0x1b , 0x5e , 0xce , 0xa8 , 0x46 , 0x65 , 0x4d , 0x8d , 0x3e , 0x22 , 0x9b , 0xe1 , 0x30 , 0x19 , 0x9d }; OPENSSL_config(NULL); (void)load_gost_id(); md = EVP_get_digestbyname("md_gost94"); if(!md) return 1; memset(digest, 0, sizeof(digest)); ctx = EVP_MD_CTX_create(); if(!ctx) return 2; if(!EVP_DigestInit_ex(ctx, md, NULL)) return 3; if(!EVP_DigestUpdate(ctx, str, 10)) return 4; if(!EVP_DigestFinal_ex(ctx, digest, NULL)) return 5; /* uncomment to see the hash calculated. {int i; for(i=0; i<32; i++) printf(" %2.2x", (int)digest[i]); printf("\n");} */ if(memcmp(digest, check, sizeof(check)) != 0) return 6; return 0; } ]])] , [eval "ac_cv_c_gost_works=yes"], [eval "ac_cv_c_gost_works=no"]) CFLAGS="$BAKCFLAGS" else eval "ac_cv_c_gost_works=maybe" fi AC_MSG_RESULT($ac_cv_c_gost_works) ])dnl AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support])) use_gost="no" if test $USE_NSS = "no"; then case "$enable_gost" in no) ;; *) AC_CHECK_FUNC(EVP_PKEY_set_type_str, [:],[AC_MSG_ERROR([OpenSSL 1.0.0 is needed for GOST support])]) AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])]) AC_CHECK_GOST_WORKS if test "$ac_cv_c_gost_works" != no; then use_gost="yes" AC_DEFINE([USE_GOST], [1], [Define this to enable GOST support.]) fi ;; esac fi dnl !USE_NSS AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support])) use_ecdsa="no" case "$enable_ecdsa" in no) ;; *) if test $USE_NSS = "no"; then AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])]) AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])]) AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT #include ]) # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency) AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP]) if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then AC_MSG_RESULT([no]) AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl]) else AC_MSG_RESULT([yes]) fi else # not OpenSSL, thus likely LibreSSL, which supports it AC_MSG_RESULT([yes]) fi fi # we now know we have ECDSA and the required curves. AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.]) use_ecdsa="yes" ;; esac AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) libevent-based libunbound API installed to unbound-event.h])) use_unbound_event="no" case "$enable_event_api" in yes) use_unbound_event="yes" ;; *) ;; esac # check for libevent AC_ARG_WITH(libevent, AC_HELP_STRING([--with-libevent=pathname], [use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr or you can specify an explicit path). Slower, but allows use of large outgoing port ranges.]), [ ],[ withval="no" ]) if test x_$withval = x_yes -o x_$withval != x_no; then AC_MSG_CHECKING(for libevent) if test x_$withval = x_ -o x_$withval = x_yes; then withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" fi for dir in $withval; do thedir="$dir" if test -f "$dir/include/event.h" -o -f "$dir/include/event2/event.h"; then found_libevent="yes" dnl assume /usr is in default path. if test "$thedir" != "/usr"; then CPPFLAGS="$CPPFLAGS -I$thedir/include" fi break; fi done if test x_$found_libevent != x_yes; then if test -f "$dir/event.h" -a \( -f "$dir/libevent.la" -o -f "$dir/libev.la" \) ; then # libevent source directory AC_MSG_RESULT(found in $thedir) CPPFLAGS="$CPPFLAGS -I$thedir -I$thedir/include" BAK_LDFLAGS_SET="1" BAK_LDFLAGS="$LDFLAGS" # remove evdns from linking mkdir build >/dev/null 2>&1 mkdir build/libevent >/dev/null 2>&1 mkdir build/libevent/.libs >/dev/null 2>&1 ev_files_o=`ls $thedir/*.o | grep -v evdns\.o | grep -v bufferevent_openssl\.o` ev_files_lo=`ls $thedir/*.lo | grep -v evdns\.lo | grep -v bufferevent_openssl\.lo` ev_files_libso=`ls $thedir/.libs/*.o | grep -v evdns\.o | grep -v bufferevent_openssl\.o` cp $ev_files_o build/libevent cp $ev_files_lo build/libevent cp $ev_files_libso build/libevent/.libs LATE_LDFLAGS="build/libevent/*.lo -lm" LDFLAGS="build/libevent/*.o $LDFLAGS -lm" else AC_MSG_ERROR([Cannot find the libevent library in $withval You can restart ./configure --with-libevent=no to use a builtin alternative. Please note that this alternative is not as capable as libevent when using large outgoing port ranges. ]) fi else AC_MSG_RESULT(found in $thedir) dnl if event2 exists and no event lib in dir itself, use subdir if test ! -f $thedir/lib/libevent.a -a ! -f $thedir/lib/libevent.so -a -d "$thedir/lib/event2"; then LDFLAGS="$LDFLAGS -L$thedir/lib/event2" ACX_RUNTIME_PATH_ADD([$thedir/lib/event2]) else dnl assume /usr is in default path, do not add "". if test "$thedir" != "/usr" -a "$thedir" != ""; then LDFLAGS="$LDFLAGS -L$thedir/lib" ACX_RUNTIME_PATH_ADD([$thedir/lib]) fi fi fi # check for library used by libevent after 1.3c AC_SEARCH_LIBS([clock_gettime], [rt]) # is the event.h header libev or libevent? AC_CHECK_HEADERS([event.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_DECL(EV_VERSION_MAJOR, [ AC_SEARCH_LIBS(event_set, [ev]) ],[ AC_SEARCH_LIBS(event_set, [event]) ],[AC_INCLUDES_DEFAULT #include ]) AC_CHECK_FUNCS([event_base_free]) # only in libevent 1.2 and later AC_CHECK_FUNCS([event_base_once]) # only in libevent 1.4.1 and later AC_CHECK_FUNCS([event_base_new]) # only in libevent 1.4.1 and later AC_CHECK_FUNCS([event_base_get_method]) # only in libevent 1.4.3 and later AC_CHECK_FUNCS([ev_loop]) # only in libev. (tested on 3.51) AC_CHECK_FUNCS([ev_default_loop]) # only in libev. (tested on 4.00) if test -n "$BAK_LDFLAGS_SET"; then LDFLAGS="$BAK_LDFLAGS" fi if test "$use_unbound_event" = "yes"; then AC_SUBST(UNBOUND_EVENT_INSTALL, [unbound-event-install]) AC_SUBST(UNBOUND_EVENT_UNINSTALL, [unbound-event-uninstall]) fi else AC_DEFINE(USE_MINI_EVENT, 1, [Define if you want to use internal select based events]) fi # check for libexpat AC_ARG_WITH(libexpat, AC_HELP_STRING([--with-libexpat=path], [specify explicit path for libexpat.]), [ ],[ withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" ]) AC_MSG_CHECKING(for libexpat) found_libexpat="no" for dir in $withval ; do if test -f "$dir/include/expat.h"; then found_libexpat="yes" dnl assume /usr is in default path. if test "$dir" != "/usr"; then CPPFLAGS="$CPPFLAGS -I$dir/include" LDFLAGS="$LDFLAGS -L$dir/lib" fi AC_MSG_RESULT(found in $dir) break; fi done if test x_$found_libexpat != x_yes; then AC_ERROR([Could not find libexpat, expat.h]) fi AC_CHECK_HEADERS([expat.h],,, [AC_INCLUDES_DEFAULT]) # set static linking if requested AC_SUBST(staticexe) staticexe="" AC_ARG_ENABLE(static-exe, AC_HELP_STRING([--enable-static-exe], [ enable to compile executables statically against (event) libs, for debug purposes ]), , ) if test x_$enable_static_exe = x_yes; then staticexe="-static" if test "$on_mingw" = yes; then staticexe="-all-static" # for static crosscompile, include gdi32 and zlib here. if test "`uname`" = "Linux"; then LIBS="$LIBS -lgdi32 -lz" fi fi fi # set lock checking if requested AC_ARG_ENABLE(lock_checks, AC_HELP_STRING([--enable-lock-checks], [ enable to check lock and unlock calls, for debug purposes ]), , ) if test x_$enable_lock_checks = x_yes; then AC_DEFINE(ENABLE_LOCK_CHECKS, 1, [Define if you want to use debug lock checking (slow).]) CHECKLOCK_OBJ="checklocks.lo" AC_SUBST(CHECKLOCK_OBJ) fi ACX_CHECK_GETADDRINFO_WITH_INCLUDES if test "$USE_WINSOCK" = 1; then AC_DEFINE(UB_ON_WINDOWS, 1, [Use win32 resources and API]) AC_CHECK_HEADERS([iphlpapi.h],,, [AC_INCLUDES_DEFAULT #include ]) AC_CHECK_TOOL(WINDRES, windres) LIBS="$LIBS -liphlpapi" WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe" AC_SUBST(WINAPPS) WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c" AC_SUBST(WIN_DAEMON_SRC) WIN_DAEMON_OBJ="win_svc.lo w_inst.lo" AC_SUBST(WIN_DAEMON_OBJ) WIN_DAEMON_OBJ_LINK="rsrc_unbound.o" AC_SUBST(WIN_DAEMON_OBJ_LINK) WIN_HOST_OBJ_LINK="rsrc_unbound_host.o" AC_SUBST(WIN_HOST_OBJ_LINK) WIN_UBANCHOR_OBJ_LINK="rsrc_unbound_anchor.o log.lo locks.lo" AC_SUBST(WIN_UBANCHOR_OBJ_LINK) WIN_CONTROL_OBJ_LINK="rsrc_unbound_control.o" AC_SUBST(WIN_CONTROL_OBJ_LINK) WIN_CHECKCONF_OBJ_LINK="rsrc_unbound_checkconf.o" AC_SUBST(WIN_CHECKCONF_OBJ_LINK) fi if test $ac_cv_func_getaddrinfo = no; then AC_LIBOBJ([fake-rfc2553]) fi # check after getaddrinfo for its libraries ACX_FUNC_IOCTLSOCKET # see if daemon(3) exists, and if it is deprecated. AC_CHECK_FUNCS([daemon]) if test $ac_cv_func_daemon = yes; then ACX_FUNC_DEPRECATED([daemon], [(void)daemon(0, 0);], [ #include ]) fi AC_CHECK_MEMBERS([struct in_pktinfo.ipi_spec_dst],,,[ AC_INCLUDES_DEFAULT #if HAVE_SYS_PARAM_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_SYS_UIO_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_WINSOCK2_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif ]) AC_SEARCH_LIBS([setusercontext], [util]) AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent]) AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])]) AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])]) # check if setreuid en setregid fail, on MacOSX10.4(darwin8). if echo $build_os | grep darwin8 > /dev/null; then AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work]) fi AC_REPLACE_FUNCS(inet_aton) AC_REPLACE_FUNCS(inet_pton) AC_REPLACE_FUNCS(inet_ntop) AC_REPLACE_FUNCS(snprintf) AC_REPLACE_FUNCS(strlcat) AC_REPLACE_FUNCS(strlcpy) AC_REPLACE_FUNCS(memmove) AC_REPLACE_FUNCS(gmtime_r) LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS" AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4) if test "$USE_NSS" = "no"; then AC_REPLACE_FUNCS(arc4random) AC_REPLACE_FUNCS(arc4random_uniform) if test "$ac_cv_func_arc4random" = "no"; then AC_LIBOBJ(explicit_bzero) AC_LIBOBJ(arc4_lock) AC_CHECK_FUNCS([getentropy],,[ if test "$USE_WINSOCK" = 1; then AC_LIBOBJ(getentropy_win) else case `uname` in Darwin) AC_LIBOBJ(getentropy_osx) ;; SunOS) AC_LIBOBJ(getentropy_solaris) AC_CHECK_HEADERS([sys/sha2.h],, [ AC_CHECK_FUNCS([SHA512_Update],,[ AC_LIBOBJ(sha512) ]) ], [AC_INCLUDES_DEFAULT]) if test "$ac_cv_header_sys_sha2_h" = "yes"; then # this lib needed for sha2 on solaris LIBS="$LIBS -lmd" fi ;; Linux|*) AC_LIBOBJ(getentropy_linux) AC_CHECK_FUNCS([SHA512_Update],,[ AC_DEFINE([COMPAT_SHA512], [1], [Do sha512 definitions in config.h]) AC_LIBOBJ(sha512) ]) AC_CHECK_HEADERS([sys/sysctl.h],,, [AC_INCLUDES_DEFAULT]) AC_SEARCH_LIBS([clock_gettime], [rt]) ;; esac fi ]) fi fi LIBOBJ_WITHOUT_CTIME="$LIBOBJS" AC_SUBST(LIBOBJ_WITHOUT_CTIME) AC_REPLACE_FUNCS(ctime_r) AC_ARG_ENABLE(allsymbols, AC_HELP_STRING([--enable-allsymbols], [export all symbols from libunbound and link binaries to it, smaller install size but libunbound export table is polluted by internal symbols])) case "$enable_allsymbols" in yes) COMMON_OBJ_ALL_SYMBOLS="" UBSYMS="" EXTRALINK="-L. -L.libs -lunbound" AC_DEFINE(EXPORT_ALL_SYMBOLS, 1, [Define this if you enabled-allsymbols from libunbound to link binaries to it for smaller install size, but the libunbound export table is polluted by internal symbols]) ;; no|*) COMMON_OBJ_ALL_SYMBOLS='$(COMMON_OBJ)' UBSYMS='-export-symbols $(srcdir)/libunbound/ubsyms.def' EXTRALINK="" ;; esac AC_SUBST(COMMON_OBJ_ALL_SYMBOLS) AC_SUBST(EXTRALINK) AC_SUBST(UBSYMS) if test x_$enable_lock_checks = x_yes; then UBSYMS="-export-symbols clubsyms.def" cp ${srcdir}/libunbound/ubsyms.def clubsyms.def echo lock_protect >> clubsyms.def echo lock_unprotect >> clubsyms.def echo lock_get_mem >> clubsyms.def echo checklock_start >> clubsyms.def echo checklock_stop >> clubsyms.def echo checklock_lock >> clubsyms.def echo checklock_unlock >> clubsyms.def echo checklock_init >> clubsyms.def echo checklock_thrcreate >> clubsyms.def echo checklock_thrjoin >> clubsyms.def fi # check for dnstap if requested dt_DNSTAP([$UNBOUND_RUN_DIR/dnstap.sock], [ AC_DEFINE([USE_DNSTAP], [1], [Define to 1 to enable dnstap support]) AC_SUBST([ENABLE_DNSTAP], [1]) AC_SUBST([opt_dnstap_socket_path]) ACX_ESCAPE_BACKSLASH($opt_dnstap_socket_path, hdr_dnstap_socket_path) AC_DEFINE_UNQUOTED(DNSTAP_SOCKET_PATH, ["$hdr_dnstap_socket_path"], [default dnstap socket path]) AC_SUBST([DNSTAP_SRC], ["dnstap/dnstap.c dnstap/dnstap.pb-c.c"]) AC_SUBST([DNSTAP_OBJ], ["dnstap.lo dnstap.pb-c.lo"]) ], [ AC_SUBST([ENABLE_DNSTAP], [0]) ] ) AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) # on openBSD, the implicit rule make $< work. # on Solaris, it does not work ($? is changed sources, $^ lists dependencies). # gmake works. cat >conftest.make </dev/null rm -f conftest.make conftest.c conftest.dir/conftest.c rm -rf conftest.dir if test ! -f conftest.lo; then AC_MSG_RESULT(no) SOURCEDETERMINE='echo "$^" | awk "-F " "{print \$$1;}" > .source' SOURCEFILE='`cat .source`' else AC_MSG_RESULT(yes) SOURCEDETERMINE=':' SOURCEFILE='$<' fi rm -f conftest.lo AC_SUBST(SOURCEDETERMINE) AC_SUBST(SOURCEFILE) # see if we want to build the library or everything ALLTARGET="alltargets" INSTALLTARGET="install-all" AC_ARG_WITH(libunbound-only, AC_HELP_STRING([--with-libunbound-only], [do not build daemon and tool programs]), [ if test "$withval" = "yes"; then ALLTARGET="lib" INSTALLTARGET="install-lib" fi ]) AC_SUBST(ALLTARGET) AC_SUBST(INSTALLTARGET) ACX_STRIP_EXT_FLAGS LDFLAGS="$LATE_LDFLAGS $LDFLAGS" AC_DEFINE_UNQUOTED([MAXSYSLOGMSGLEN], [10240], [Define to the maximum message length to pass to syslog.]) AH_BOTTOM( dnl this must be first AH_CONFIG, to define the flags before any includes. AHX_CONFIG_EXT_FLAGS dnl includes [ #ifndef UNBOUND_DEBUG # define NDEBUG #endif /** Use small-ldns codebase */ #define USE_SLDNS 1 #ifdef HAVE_SSL # define LDNS_BUILD_CONFIG_HAVE_SSL 1 #endif #include #include #include #include #if STDC_HEADERS #include #include #endif #ifdef HAVE_STDARG_H #include #endif #ifdef HAVE_STDINT_H #include #endif #include #if HAVE_SYS_PARAM_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_SYS_UIO_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_WINSOCK2_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif #ifndef USE_WINSOCK #define ARG_LL "%ll" #else #define ARG_LL "%I64" #endif ] AHX_CONFIG_FORMAT_ATTRIBUTE AHX_CONFIG_UNUSED_ATTRIBUTE AHX_CONFIG_FSEEKO AHX_CONFIG_MAXHOSTNAMELEN AHX_CONFIG_SNPRINTF(unbound) AHX_CONFIG_INET_PTON(unbound) AHX_CONFIG_INET_NTOP(unbound) AHX_CONFIG_INET_ATON(unbound) AHX_CONFIG_MEMMOVE(unbound) AHX_CONFIG_STRLCAT(unbound) AHX_CONFIG_STRLCPY(unbound) AHX_CONFIG_GMTIME_R(unbound) AHX_CONFIG_W32_SLEEP AHX_CONFIG_W32_USLEEP AHX_CONFIG_W32_RANDOM AHX_CONFIG_W32_SRANDOM AHX_CONFIG_W32_FD_SET_T AHX_CONFIG_IPV6_MIN_MTU AHX_MEMCMP_BROKEN(unbound) [ #ifndef HAVE_CTIME_R #define ctime_r unbound_ctime_r char *ctime_r(const time_t *timep, char *buf); #endif #if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS) #define strptime unbound_strptime struct tm; char *strptime(const char *s, const char *format, struct tm *tm); #endif #ifdef HAVE_LIBRESSL # if !HAVE_DECL_STRLCPY size_t strlcpy(char *dst, const char *src, size_t siz); # endif # if !HAVE_DECL_STRLCAT size_t strlcat(char *dst, const char *src, size_t siz); # endif # if !HAVE_DECL_ARC4RANDOM && defined(HAVE_ARC4RANDOM) uint32_t arc4random(void); # endif # if !HAVE_DECL_ARC4RANDOM_UNIFORM && defined(HAVE_ARC4RANDOM_UNIFORM) uint32_t arc4random_uniform(uint32_t upper_bound); # endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM void explicit_bzero(void* buf, size_t len); int getentropy(void* buf, size_t len); uint32_t arc4random(void); void arc4random_buf(void* buf, size_t n); void _ARC4_LOCK(void); void _ARC4_UNLOCK(void); #endif #ifndef HAVE_ARC4RANDOM_UNIFORM uint32_t arc4random_uniform(uint32_t upper_bound); #endif #ifdef COMPAT_SHA512 #ifndef SHA512_DIGEST_LENGTH #define SHA512_BLOCK_LENGTH 128 #define SHA512_DIGEST_LENGTH 64 #define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1) typedef struct _SHA512_CTX { uint64_t state[8]; uint64_t bitcount[2]; uint8_t buffer[SHA512_BLOCK_LENGTH]; } SHA512_CTX; #endif /* SHA512_DIGEST_LENGTH */ void SHA512_Init(SHA512_CTX*); void SHA512_Update(SHA512_CTX*, void*, size_t); void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*); unsigned char *SHA512(void* data, unsigned int data_len, unsigned char *digest); #endif /* COMPAT_SHA512 */ #if defined(HAVE_EVENT_H) && !defined(HAVE_EVENT_BASE_ONCE) && !(defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && (defined(HAVE_PTHREAD) || defined(HAVE_SOLARIS_THREADS)) /* using version of libevent that is not threadsafe. */ # define LIBEVENT_SIGNAL_PROBLEM 1 #endif #ifndef CHECKED_INET6 # define CHECKED_INET6 # ifdef AF_INET6 # define INET6 # else # define AF_INET6 28 # endif #endif /* CHECKED_INET6 */ #ifndef HAVE_GETADDRINFO struct sockaddr_storage; #include "compat/fake-rfc2553.h" #endif #ifdef UNBOUND_ALLOC_STATS # define malloc(s) unbound_stat_malloc_log(s, __FILE__, __LINE__, __func__) # define calloc(n,s) unbound_stat_calloc_log(n, s, __FILE__, __LINE__, __func__) # define free(p) unbound_stat_free_log(p, __FILE__, __LINE__, __func__) # define realloc(p,s) unbound_stat_realloc_log(p, s, __FILE__, __LINE__, __func__) void *unbound_stat_malloc(size_t size); void *unbound_stat_calloc(size_t nmemb, size_t size); void unbound_stat_free(void *ptr); void *unbound_stat_realloc(void *ptr, size_t size); void *unbound_stat_malloc_log(size_t size, const char* file, int line, const char* func); void *unbound_stat_calloc_log(size_t nmemb, size_t size, const char* file, int line, const char* func); void unbound_stat_free_log(void *ptr, const char* file, int line, const char* func); void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file, int line, const char* func); #elif defined(UNBOUND_ALLOC_LITE) # include "util/alloc.h" #endif /* UNBOUND_ALLOC_LITE and UNBOUND_ALLOC_STATS */ /** default port for DNS traffic. */ #define UNBOUND_DNS_PORT 53 /** default port for unbound control traffic, registered port with IANA, ub-dns-control 8953/tcp unbound dns nameserver control */ #define UNBOUND_CONTROL_PORT 8953 /** the version of unbound-control that this software implements */ #define UNBOUND_CONTROL_VERSION 1 ]) dnl if we build from source tree, the man pages need @date@ and @version@ dnl if this is a distro tarball, that was already done by makedist.sh AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO]) AC_SUBST(date, [`date +'%b %e, %Y'`]) AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h]) AC_CONFIG_HEADER([config.h]) AC_OUTPUT Index: head/contrib/unbound/daemon/remote.c =================================================================== --- head/contrib/unbound/daemon/remote.c (revision 276698) +++ head/contrib/unbound/daemon/remote.c (revision 276699) @@ -1,2460 +1,2538 @@ /* * daemon/remote.c - remote control for the unbound daemon. * * Copyright (c) 2008, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * This file contains the remote control functionality for the daemon. * The remote control can be performed using either the commandline * unbound-control tool, or a TLS capable web browser. * The channel is secured using TLSv1, and certificates. * Both the server and the client(control tool) have their own keys. */ #include "config.h" #ifdef HAVE_OPENSSL_ERR_H #include #endif +#ifndef HEADER_DH_H +#include +#endif + #include #include "daemon/remote.h" #include "daemon/worker.h" #include "daemon/daemon.h" #include "daemon/stats.h" #include "daemon/cachedump.h" #include "util/log.h" #include "util/config_file.h" #include "util/net_help.h" #include "util/module.h" #include "services/listen_dnsport.h" #include "services/cache/rrset.h" #include "services/cache/infra.h" #include "services/mesh.h" #include "services/localzone.h" #include "util/storage/slabhash.h" #include "util/fptr_wlist.h" #include "util/data/dname.h" #include "validator/validator.h" #include "validator/val_kcache.h" #include "validator/val_kentry.h" #include "validator/val_anchor.h" #include "iterator/iterator.h" #include "iterator/iter_fwd.h" #include "iterator/iter_hints.h" #include "iterator/iter_delegpt.h" #include "services/outbound_list.h" #include "services/outside_network.h" #include "ldns/str2wire.h" #include "ldns/parseutil.h" #include "ldns/wire2str.h" #include "ldns/sbuffer.h" #ifdef HAVE_SYS_TYPES_H # include #endif +#ifdef HAVE_SYS_STAT_H +#include +#endif #ifdef HAVE_NETDB_H #include #endif /* just for portability */ #ifdef SQ #undef SQ #endif /** what to put on statistics lines between var and value, ": " or "=" */ #define SQ "=" /** if true, inhibits a lot of =0 lines from the stats output */ static const int inhibit_zero = 1; /** subtract timers and the values do not overflow or become negative */ static void timeval_subtract(struct timeval* d, const struct timeval* end, const struct timeval* start) { #ifndef S_SPLINT_S time_t end_usec = end->tv_usec; d->tv_sec = end->tv_sec - start->tv_sec; if(end_usec < start->tv_usec) { end_usec += 1000000; d->tv_sec--; } d->tv_usec = end_usec - start->tv_usec; #endif } /** divide sum of timers to get average */ static void timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d) { #ifndef S_SPLINT_S size_t leftover; if(d == 0) { avg->tv_sec = 0; avg->tv_usec = 0; return; } avg->tv_sec = sum->tv_sec / d; avg->tv_usec = sum->tv_usec / d; /* handle fraction from seconds divide */ leftover = sum->tv_sec - avg->tv_sec*d; avg->tv_usec += (leftover*1000000)/d; #endif } +/* + * The following function was generated using the openssl utility, using + * the command : "openssl dhparam -dsaparam -C 512" + */ +DH *get_dh512() +{ + static unsigned char dh512_p[]={ + 0xC9,0xD7,0x05,0xDA,0x5F,0xAB,0x14,0xE8,0x11,0x56,0x77,0x85, + 0xB1,0x24,0x2C,0x95,0x60,0xEA,0xE2,0x10,0x6F,0x0F,0x84,0xEC, + 0xF4,0x45,0xE8,0x90,0x7A,0xA7,0x03,0xFF,0x5B,0x88,0x53,0xDE, + 0xC4,0xDE,0xBC,0x42,0x78,0x71,0x23,0x7E,0x24,0xA5,0x5E,0x4E, + 0xEF,0x6F,0xFF,0x5F,0xAF,0xBE,0x8A,0x77,0x62,0xB4,0x65,0x82, + 0x7E,0xC9,0xED,0x2F, + }; + static unsigned char dh512_g[]={ + 0x8D,0x3A,0x52,0xBC,0x8A,0x71,0x94,0x33,0x2F,0xE1,0xE8,0x4C, + 0x73,0x47,0x03,0x4E,0x7D,0x40,0xE5,0x84,0xA0,0xB5,0x6D,0x10, + 0x6F,0x90,0x43,0x05,0x1A,0xF9,0x0B,0x6A,0xD1,0x2A,0x9C,0x25, + 0x0A,0xB9,0xD1,0x14,0xDC,0x35,0x1C,0x48,0x7C,0xC6,0x0C,0x6D, + 0x32,0x1D,0xD3,0xC8,0x10,0xA8,0x82,0x14,0xA2,0x1C,0xF4,0x53, + 0x23,0x3B,0x1C,0xB9, + }; + DH *dh; + + if ((dh=DH_new()) == NULL) return(NULL); + dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); + dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); + if ((dh->p == NULL) || (dh->g == NULL)) + { DH_free(dh); return(NULL); } + dh->length = 160; + return(dh); +} + struct daemon_remote* daemon_remote_create(struct config_file* cfg) { char* s_cert; char* s_key; struct daemon_remote* rc = (struct daemon_remote*)calloc(1, sizeof(*rc)); if(!rc) { log_err("out of memory in daemon_remote_create"); return NULL; } rc->max_active = 10; if(!cfg->remote_control_enable) { rc->ctx = NULL; return rc; } rc->ctx = SSL_CTX_new(SSLv23_server_method()); if(!rc->ctx) { log_crypto_err("could not SSL_CTX_new"); free(rc); return NULL; } /* no SSLv2, SSLv3 because has defects */ if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){ log_crypto_err("could not set SSL_OP_NO_SSLv2"); daemon_remote_delete(rc); return NULL; } if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){ log_crypto_err("could not set SSL_OP_NO_SSLv3"); daemon_remote_delete(rc); return NULL; } + + if (cfg->remote_control_use_cert == 0) { + /* No certificates are requested */ + if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL")) { + log_crypto_err("Failed to set aNULL cipher list"); + return NULL; + } + + /* Since we have no certificates and hence no source of + * DH params, let's generate and set them + */ + if(!SSL_CTX_set_tmp_dh(rc->ctx,get_dh512())) { + log_crypto_err("Wanted to set DH param, but failed"); + return NULL; + } + return rc; + } + rc->use_cert = 1; s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1); s_key = fname_after_chroot(cfg->server_key_file, cfg, 1); if(!s_cert || !s_key) { log_err("out of memory in remote control fname"); goto setup_error; } verbose(VERB_ALGO, "setup SSL certificates"); if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) { log_err("Error for server-cert-file: %s", s_cert); log_crypto_err("Error in SSL_CTX use_certificate_file"); goto setup_error; } if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) { log_err("Error for server-key-file: %s", s_key); log_crypto_err("Error in SSL_CTX use_PrivateKey_file"); goto setup_error; } if(!SSL_CTX_check_private_key(rc->ctx)) { log_err("Error for server-key-file: %s", s_key); log_crypto_err("Error in SSL_CTX check_private_key"); goto setup_error; } if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) { log_crypto_err("Error setting up SSL_CTX verify locations"); setup_error: free(s_cert); free(s_key); daemon_remote_delete(rc); return NULL; } SSL_CTX_set_client_CA_list(rc->ctx, SSL_load_client_CA_file(s_cert)); SSL_CTX_set_verify(rc->ctx, SSL_VERIFY_PEER, NULL); free(s_cert); free(s_key); return rc; } void daemon_remote_clear(struct daemon_remote* rc) { struct rc_state* p, *np; if(!rc) return; /* but do not close the ports */ listen_list_delete(rc->accept_list); rc->accept_list = NULL; /* do close these sockets */ p = rc->busy_list; while(p) { np = p->next; if(p->ssl) SSL_free(p->ssl); comm_point_delete(p->c); free(p); p = np; } rc->busy_list = NULL; rc->active = 0; rc->worker = NULL; } void daemon_remote_delete(struct daemon_remote* rc) { if(!rc) return; daemon_remote_clear(rc); if(rc->ctx) { SSL_CTX_free(rc->ctx); } free(rc); } /** * Add and open a new control port * @param ip: ip str * @param nr: port nr * @param list: list head * @param noproto_is_err: if lack of protocol support is an error. * @return false on failure. */ static int -add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err) +add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, + struct config_file* cfg) { struct addrinfo hints; struct addrinfo* res; struct listen_port* n; int noproto; int fd, r; char port[15]; snprintf(port, sizeof(port), "%d", nr); port[sizeof(port)-1]=0; memset(&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; - if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) { -#ifdef USE_WINSOCK - if(!noproto_is_err && r == EAI_NONAME) { - /* tried to lookup the address as name */ - return 1; /* return success, but do nothing */ + + if(ip[0] == '/') { + /* This looks like a local socket */ + fd = create_local_accept_sock(ip, &noproto); + /* + * Change socket ownership and permissions so users other + * than root can access it provided they are in the same + * group as the user we run as. + */ + if(fd != -1) { + if (cfg->username && cfg->username[0]) + chown(ip, cfg->uid, cfg->gid); + chmod(ip, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); } + } else { + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) { +#ifdef USE_WINSOCK + if(!noproto_is_err && r == EAI_NONAME) { + /* tried to lookup the address as name */ + return 1; /* return success, but do nothing */ + } #endif /* USE_WINSOCK */ - log_err("control interface %s:%s getaddrinfo: %s %s", - ip?ip:"default", port, gai_strerror(r), + log_err("control interface %s:%s getaddrinfo: %s %s", + ip?ip:"default", port, gai_strerror(r), #ifdef EAI_SYSTEM - r==EAI_SYSTEM?(char*)strerror(errno):"" + r==EAI_SYSTEM?(char*)strerror(errno):"" #else - "" + "" #endif ); - return 0; + return 0; + } + + /* open fd */ + fd = create_tcp_accept_sock(res, 1, &noproto, 0); + freeaddrinfo(res); } - /* open fd */ - fd = create_tcp_accept_sock(res, 1, &noproto, 0); - freeaddrinfo(res); if(fd == -1 && noproto) { if(!noproto_is_err) return 1; /* return success, but do nothing */ log_err("cannot open control interface %s %d : " "protocol not supported", ip, nr); return 0; } if(fd == -1) { log_err("cannot open control interface %s %d", ip, nr); return 0; } /* alloc */ n = (struct listen_port*)calloc(1, sizeof(*n)); if(!n) { #ifndef USE_WINSOCK close(fd); #else closesocket(fd); #endif log_err("out of memory"); return 0; } n->next = *list; *list = n; n->fd = fd; return 1; } struct listen_port* daemon_remote_open_ports(struct config_file* cfg) { struct listen_port* l = NULL; log_assert(cfg->remote_control_enable && cfg->control_port); if(cfg->control_ifs) { struct config_strlist* p; for(p = cfg->control_ifs; p; p = p->next) { - if(!add_open(p->str, cfg->control_port, &l, 1)) { + if(!add_open(p->str, cfg->control_port, &l, 1, cfg)) { listening_ports_free(l); return NULL; } } } else { /* defaults */ if(cfg->do_ip6 && - !add_open("::1", cfg->control_port, &l, 0)) { + !add_open("::1", cfg->control_port, &l, 0, cfg)) { listening_ports_free(l); return NULL; } if(cfg->do_ip4 && - !add_open("127.0.0.1", cfg->control_port, &l, 1)) { + !add_open("127.0.0.1", cfg->control_port, &l, 1, cfg)) { listening_ports_free(l); return NULL; } } return l; } /** open accept commpoint */ static int accept_open(struct daemon_remote* rc, int fd) { struct listen_list* n = (struct listen_list*)malloc(sizeof(*n)); if(!n) { log_err("out of memory"); return 0; } n->next = rc->accept_list; rc->accept_list = n; /* open commpt */ n->com = comm_point_create_raw(rc->worker->base, fd, 0, &remote_accept_callback, rc); if(!n->com) return 0; /* keep this port open, its fd is kept in the rc portlist */ n->com->do_not_close = 1; return 1; } int daemon_remote_open_accept(struct daemon_remote* rc, struct listen_port* ports, struct worker* worker) { struct listen_port* p; rc->worker = worker; for(p = ports; p; p = p->next) { if(!accept_open(rc, p->fd)) { log_err("could not create accept comm point"); return 0; } } return 1; } void daemon_remote_stop_accept(struct daemon_remote* rc) { struct listen_list* p; for(p=rc->accept_list; p; p=p->next) { comm_point_stop_listening(p->com); } } void daemon_remote_start_accept(struct daemon_remote* rc) { struct listen_list* p; for(p=rc->accept_list; p; p=p->next) { comm_point_start_listening(p->com, -1, -1); } } int remote_accept_callback(struct comm_point* c, void* arg, int err, struct comm_reply* ATTR_UNUSED(rep)) { struct daemon_remote* rc = (struct daemon_remote*)arg; struct sockaddr_storage addr; socklen_t addrlen; int newfd; struct rc_state* n; if(err != NETEVENT_NOERROR) { log_err("error %d on remote_accept_callback", err); return 0; } /* perform the accept */ newfd = comm_point_perform_accept(c, &addr, &addrlen); if(newfd == -1) return 0; /* create new commpoint unless we are servicing already */ if(rc->active >= rc->max_active) { log_warn("drop incoming remote control: too many connections"); close_exit: #ifndef USE_WINSOCK close(newfd); #else closesocket(newfd); #endif return 0; } /* setup commpoint to service the remote control command */ n = (struct rc_state*)calloc(1, sizeof(*n)); if(!n) { log_err("out of memory"); goto close_exit; } /* start in reading state */ n->c = comm_point_create_raw(rc->worker->base, newfd, 0, &remote_control_callback, n); if(!n->c) { log_err("out of memory"); free(n); goto close_exit; } log_addr(VERB_QUERY, "new control connection from", &addr, addrlen); n->c->do_not_close = 0; comm_point_stop_listening(n->c); comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT); memcpy(&n->c->repinfo.addr, &addr, addrlen); n->c->repinfo.addrlen = addrlen; n->shake_state = rc_hs_read; n->ssl = SSL_new(rc->ctx); if(!n->ssl) { log_crypto_err("could not SSL_new"); comm_point_delete(n->c); free(n); goto close_exit; } SSL_set_accept_state(n->ssl); (void)SSL_set_mode(n->ssl, SSL_MODE_AUTO_RETRY); if(!SSL_set_fd(n->ssl, newfd)) { log_crypto_err("could not SSL_set_fd"); SSL_free(n->ssl); comm_point_delete(n->c); free(n); goto close_exit; } n->rc = rc; n->next = rc->busy_list; rc->busy_list = n; rc->active ++; /* perform the first nonblocking read already, for windows, * so it can return wouldblock. could be faster too. */ (void)remote_control_callback(n->c, n, NETEVENT_NOERROR, NULL); return 0; } /** delete from list */ static void state_list_remove_elem(struct rc_state** list, struct comm_point* c) { while(*list) { if( (*list)->c == c) { *list = (*list)->next; return; } list = &(*list)->next; } } /** decrease active count and remove commpoint from busy list */ static void clean_point(struct daemon_remote* rc, struct rc_state* s) { state_list_remove_elem(&rc->busy_list, s->c); rc->active --; if(s->ssl) { SSL_shutdown(s->ssl); SSL_free(s->ssl); } comm_point_delete(s->c); free(s); } int ssl_print_text(SSL* ssl, const char* text) { int r; if(!ssl) return 0; ERR_clear_error(); if((r=SSL_write(ssl, text, (int)strlen(text))) <= 0) { if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { verbose(VERB_QUERY, "warning, in SSL_write, peer " "closed connection"); return 0; } log_crypto_err("could not SSL_write"); return 0; } return 1; } /** print text over the ssl connection */ static int ssl_print_vmsg(SSL* ssl, const char* format, va_list args) { char msg[1024]; vsnprintf(msg, sizeof(msg), format, args); return ssl_print_text(ssl, msg); } /** printf style printing to the ssl connection */ int ssl_printf(SSL* ssl, const char* format, ...) { va_list args; int ret; va_start(args, format); ret = ssl_print_vmsg(ssl, format, args); va_end(args); return ret; } int ssl_read_line(SSL* ssl, char* buf, size_t max) { int r; size_t len = 0; if(!ssl) return 0; while(len < max) { ERR_clear_error(); if((r=SSL_read(ssl, buf+len, 1)) <= 0) { if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { buf[len] = 0; return 1; } log_crypto_err("could not SSL_read"); return 0; } if(buf[len] == '\n') { /* return string without \n */ buf[len] = 0; return 1; } len++; } buf[max-1] = 0; log_err("control line too long (%d): %s", (int)max, buf); return 0; } /** skip whitespace, return new pointer into string */ static char* skipwhite(char* str) { /* EOS \0 is not a space */ while( isspace((unsigned char)*str) ) str++; return str; } /** send the OK to the control client */ static void send_ok(SSL* ssl) { (void)ssl_printf(ssl, "ok\n"); } /** do the stop command */ static void do_stop(SSL* ssl, struct daemon_remote* rc) { rc->worker->need_to_exit = 1; comm_base_exit(rc->worker->base); send_ok(ssl); } /** do the reload command */ static void do_reload(SSL* ssl, struct daemon_remote* rc) { rc->worker->need_to_exit = 0; comm_base_exit(rc->worker->base); send_ok(ssl); } /** do the verbosity command */ static void do_verbosity(SSL* ssl, char* str) { int val = atoi(str); if(val == 0 && strcmp(str, "0") != 0) { ssl_printf(ssl, "error in verbosity number syntax: %s\n", str); return; } verbosity = val; send_ok(ssl); } /** print stats from statinfo */ static int print_stats(SSL* ssl, const char* nm, struct stats_info* s) { struct timeval avg; if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm, (unsigned long)s->svr.num_queries)) return 0; if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm, (unsigned long)(s->svr.num_queries - s->svr.num_queries_missed_cache))) return 0; if(!ssl_printf(ssl, "%s.num.cachemiss"SQ"%lu\n", nm, (unsigned long)s->svr.num_queries_missed_cache)) return 0; if(!ssl_printf(ssl, "%s.num.prefetch"SQ"%lu\n", nm, (unsigned long)s->svr.num_queries_prefetch)) return 0; if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm, (unsigned long)s->mesh_replies_sent)) return 0; if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm, (s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)? (double)s->svr.sum_query_list_size/ (s->svr.num_queries_missed_cache+ s->svr.num_queries_prefetch) : 0.0)) return 0; if(!ssl_printf(ssl, "%s.requestlist.max"SQ"%lu\n", nm, (unsigned long)s->svr.max_query_list_size)) return 0; if(!ssl_printf(ssl, "%s.requestlist.overwritten"SQ"%lu\n", nm, (unsigned long)s->mesh_jostled)) return 0; if(!ssl_printf(ssl, "%s.requestlist.exceeded"SQ"%lu\n", nm, (unsigned long)s->mesh_dropped)) return 0; if(!ssl_printf(ssl, "%s.requestlist.current.all"SQ"%lu\n", nm, (unsigned long)s->mesh_num_states)) return 0; if(!ssl_printf(ssl, "%s.requestlist.current.user"SQ"%lu\n", nm, (unsigned long)s->mesh_num_reply_states)) return 0; timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent); if(!ssl_printf(ssl, "%s.recursion.time.avg"SQ ARG_LL "d.%6.6d\n", nm, (long long)avg.tv_sec, (int)avg.tv_usec)) return 0; if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm, s->mesh_time_median)) return 0; return 1; } /** print stats for one thread */ static int print_thread_stats(SSL* ssl, int i, struct stats_info* s) { char nm[16]; snprintf(nm, sizeof(nm), "thread%d", i); nm[sizeof(nm)-1]=0; return print_stats(ssl, nm, s); } /** print long number */ static int print_longnum(SSL* ssl, const char* desc, size_t x) { if(x > 1024*1024*1024) { /* more than a Gb */ size_t front = x / (size_t)1000000; size_t back = x % (size_t)1000000; return ssl_printf(ssl, "%s%u%6.6u\n", desc, (unsigned)front, (unsigned)back); } else { return ssl_printf(ssl, "%s%lu\n", desc, (unsigned long)x); } } /** print mem stats */ static int print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon) { int m; size_t msg, rrset, val, iter; #ifdef HAVE_SBRK extern void* unbound_start_brk; void* cur = sbrk(0); if(!print_longnum(ssl, "mem.total.sbrk"SQ, (size_t)((char*)cur - (char*)unbound_start_brk))) return 0; #endif /* HAVE_SBRK */ msg = slabhash_get_mem(daemon->env->msg_cache); rrset = slabhash_get_mem(&daemon->env->rrset_cache->table); val=0; iter=0; m = modstack_find(&worker->env.mesh->mods, "validator"); if(m != -1) { fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh-> mods.mod[m]->get_mem)); val = (*worker->env.mesh->mods.mod[m]->get_mem) (&worker->env, m); } m = modstack_find(&worker->env.mesh->mods, "iterator"); if(m != -1) { fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh-> mods.mod[m]->get_mem)); iter = (*worker->env.mesh->mods.mod[m]->get_mem) (&worker->env, m); } if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset)) return 0; if(!print_longnum(ssl, "mem.cache.message"SQ, msg)) return 0; if(!print_longnum(ssl, "mem.mod.iterator"SQ, iter)) return 0; if(!print_longnum(ssl, "mem.mod.validator"SQ, val)) return 0; return 1; } /** print uptime stats */ static int print_uptime(SSL* ssl, struct worker* worker, int reset) { struct timeval now = *worker->env.now_tv; struct timeval up, dt; timeval_subtract(&up, &now, &worker->daemon->time_boot); timeval_subtract(&dt, &now, &worker->daemon->time_last_stat); if(reset) worker->daemon->time_last_stat = now; if(!ssl_printf(ssl, "time.now"SQ ARG_LL "d.%6.6d\n", (long long)now.tv_sec, (unsigned)now.tv_usec)) return 0; if(!ssl_printf(ssl, "time.up"SQ ARG_LL "d.%6.6d\n", (long long)up.tv_sec, (unsigned)up.tv_usec)) return 0; if(!ssl_printf(ssl, "time.elapsed"SQ ARG_LL "d.%6.6d\n", (long long)dt.tv_sec, (unsigned)dt.tv_usec)) return 0; return 1; } /** print extended histogram */ static int print_hist(SSL* ssl, struct stats_info* s) { struct timehist* hist; size_t i; hist = timehist_setup(); if(!hist) { log_err("out of memory"); return 0; } timehist_import(hist, s->svr.hist, NUM_BUCKETS_HIST); for(i=0; inum; i++) { if(!ssl_printf(ssl, "histogram.%6.6d.%6.6d.to.%6.6d.%6.6d=%lu\n", (int)hist->buckets[i].lower.tv_sec, (int)hist->buckets[i].lower.tv_usec, (int)hist->buckets[i].upper.tv_sec, (int)hist->buckets[i].upper.tv_usec, (unsigned long)hist->buckets[i].count)) { timehist_delete(hist); return 0; } } timehist_delete(hist); return 1; } /** print extended stats */ static int print_ext(SSL* ssl, struct stats_info* s) { int i; char nm[16]; const sldns_rr_descriptor* desc; const sldns_lookup_table* lt; /* TYPE */ for(i=0; isvr.qtype[i] == 0) continue; desc = sldns_rr_descript((uint16_t)i); if(desc && desc->_name) { snprintf(nm, sizeof(nm), "%s", desc->_name); } else if (i == LDNS_RR_TYPE_IXFR) { snprintf(nm, sizeof(nm), "IXFR"); } else if (i == LDNS_RR_TYPE_AXFR) { snprintf(nm, sizeof(nm), "AXFR"); } else if (i == LDNS_RR_TYPE_MAILA) { snprintf(nm, sizeof(nm), "MAILA"); } else if (i == LDNS_RR_TYPE_MAILB) { snprintf(nm, sizeof(nm), "MAILB"); } else if (i == LDNS_RR_TYPE_ANY) { snprintf(nm, sizeof(nm), "ANY"); } else { snprintf(nm, sizeof(nm), "TYPE%d", i); } if(!ssl_printf(ssl, "num.query.type.%s"SQ"%lu\n", nm, (unsigned long)s->svr.qtype[i])) return 0; } if(!inhibit_zero || s->svr.qtype_big) { if(!ssl_printf(ssl, "num.query.type.other"SQ"%lu\n", (unsigned long)s->svr.qtype_big)) return 0; } /* CLASS */ for(i=0; isvr.qclass[i] == 0) continue; lt = sldns_lookup_by_id(sldns_rr_classes, i); if(lt && lt->name) { snprintf(nm, sizeof(nm), "%s", lt->name); } else { snprintf(nm, sizeof(nm), "CLASS%d", i); } if(!ssl_printf(ssl, "num.query.class.%s"SQ"%lu\n", nm, (unsigned long)s->svr.qclass[i])) return 0; } if(!inhibit_zero || s->svr.qclass_big) { if(!ssl_printf(ssl, "num.query.class.other"SQ"%lu\n", (unsigned long)s->svr.qclass_big)) return 0; } /* OPCODE */ for(i=0; isvr.qopcode[i] == 0) continue; lt = sldns_lookup_by_id(sldns_opcodes, i); if(lt && lt->name) { snprintf(nm, sizeof(nm), "%s", lt->name); } else { snprintf(nm, sizeof(nm), "OPCODE%d", i); } if(!ssl_printf(ssl, "num.query.opcode.%s"SQ"%lu\n", nm, (unsigned long)s->svr.qopcode[i])) return 0; } /* transport */ if(!ssl_printf(ssl, "num.query.tcp"SQ"%lu\n", (unsigned long)s->svr.qtcp)) return 0; if(!ssl_printf(ssl, "num.query.tcpout"SQ"%lu\n", (unsigned long)s->svr.qtcp_outgoing)) return 0; if(!ssl_printf(ssl, "num.query.ipv6"SQ"%lu\n", (unsigned long)s->svr.qipv6)) return 0; /* flags */ if(!ssl_printf(ssl, "num.query.flags.QR"SQ"%lu\n", (unsigned long)s->svr.qbit_QR)) return 0; if(!ssl_printf(ssl, "num.query.flags.AA"SQ"%lu\n", (unsigned long)s->svr.qbit_AA)) return 0; if(!ssl_printf(ssl, "num.query.flags.TC"SQ"%lu\n", (unsigned long)s->svr.qbit_TC)) return 0; if(!ssl_printf(ssl, "num.query.flags.RD"SQ"%lu\n", (unsigned long)s->svr.qbit_RD)) return 0; if(!ssl_printf(ssl, "num.query.flags.RA"SQ"%lu\n", (unsigned long)s->svr.qbit_RA)) return 0; if(!ssl_printf(ssl, "num.query.flags.Z"SQ"%lu\n", (unsigned long)s->svr.qbit_Z)) return 0; if(!ssl_printf(ssl, "num.query.flags.AD"SQ"%lu\n", (unsigned long)s->svr.qbit_AD)) return 0; if(!ssl_printf(ssl, "num.query.flags.CD"SQ"%lu\n", (unsigned long)s->svr.qbit_CD)) return 0; if(!ssl_printf(ssl, "num.query.edns.present"SQ"%lu\n", (unsigned long)s->svr.qEDNS)) return 0; if(!ssl_printf(ssl, "num.query.edns.DO"SQ"%lu\n", (unsigned long)s->svr.qEDNS_DO)) return 0; /* RCODE */ for(i=0; i LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0) continue; lt = sldns_lookup_by_id(sldns_rcodes, i); if(lt && lt->name) { snprintf(nm, sizeof(nm), "%s", lt->name); } else { snprintf(nm, sizeof(nm), "RCODE%d", i); } if(!ssl_printf(ssl, "num.answer.rcode.%s"SQ"%lu\n", nm, (unsigned long)s->svr.ans_rcode[i])) return 0; } if(!inhibit_zero || s->svr.ans_rcode_nodata) { if(!ssl_printf(ssl, "num.answer.rcode.nodata"SQ"%lu\n", (unsigned long)s->svr.ans_rcode_nodata)) return 0; } /* validation */ if(!ssl_printf(ssl, "num.answer.secure"SQ"%lu\n", (unsigned long)s->svr.ans_secure)) return 0; if(!ssl_printf(ssl, "num.answer.bogus"SQ"%lu\n", (unsigned long)s->svr.ans_bogus)) return 0; if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n", (unsigned long)s->svr.rrset_bogus)) return 0; /* threat detection */ if(!ssl_printf(ssl, "unwanted.queries"SQ"%lu\n", (unsigned long)s->svr.unwanted_queries)) return 0; if(!ssl_printf(ssl, "unwanted.replies"SQ"%lu\n", (unsigned long)s->svr.unwanted_replies)) return 0; /* cache counts */ if(!ssl_printf(ssl, "msg.cache.count"SQ"%u\n", (unsigned)s->svr.msg_cache_count)) return 0; if(!ssl_printf(ssl, "rrset.cache.count"SQ"%u\n", (unsigned)s->svr.rrset_cache_count)) return 0; if(!ssl_printf(ssl, "infra.cache.count"SQ"%u\n", (unsigned)s->svr.infra_cache_count)) return 0; if(!ssl_printf(ssl, "key.cache.count"SQ"%u\n", (unsigned)s->svr.key_cache_count)) return 0; return 1; } /** do the stats command */ static void do_stats(SSL* ssl, struct daemon_remote* rc, int reset) { struct daemon* daemon = rc->worker->daemon; struct stats_info total; struct stats_info s; int i; log_assert(daemon->num > 0); /* gather all thread statistics in one place */ for(i=0; inum; i++) { server_stats_obtain(rc->worker, daemon->workers[i], &s, reset); if(!print_thread_stats(ssl, i, &s)) return; if(i == 0) total = s; else server_stats_add(&total, &s); } /* print the thread statistics */ total.mesh_time_median /= (double)daemon->num; if(!print_stats(ssl, "total", &total)) return; if(!print_uptime(ssl, rc->worker, reset)) return; if(daemon->cfg->stat_extended) { if(!print_mem(ssl, rc->worker, daemon)) return; if(!print_hist(ssl, &total)) return; if(!print_ext(ssl, &total)) return; } } /** parse commandline argument domain name */ static int parse_arg_name(SSL* ssl, char* str, uint8_t** res, size_t* len, int* labs) { uint8_t nm[LDNS_MAX_DOMAINLEN+1]; size_t nmlen = sizeof(nm); int status; *res = NULL; *len = 0; *labs = 0; status = sldns_str2wire_dname_buf(str, nm, &nmlen); if(status != 0) { ssl_printf(ssl, "error cannot parse name %s at %d: %s\n", str, LDNS_WIREPARSE_OFFSET(status), sldns_get_errorstr_parse(status)); return 0; } *res = memdup(nm, nmlen); if(!*res) { ssl_printf(ssl, "error out of memory\n"); return 0; } *labs = dname_count_size_labels(*res, len); return 1; } /** find second argument, modifies string */ static int find_arg2(SSL* ssl, char* arg, char** arg2) { char* as = strchr(arg, ' '); char* at = strchr(arg, '\t'); if(as && at) { if(at < as) as = at; as[0]=0; *arg2 = skipwhite(as+1); } else if(as) { as[0]=0; *arg2 = skipwhite(as+1); } else if(at) { at[0]=0; *arg2 = skipwhite(at+1); } else { ssl_printf(ssl, "error could not find next argument " "after %s\n", arg); return 0; } return 1; } /** Add a new zone */ static void do_zone_add(SSL* ssl, struct worker* worker, char* arg) { uint8_t* nm; int nmlabs; size_t nmlen; char* arg2; enum localzone_type t; struct local_zone* z; if(!find_arg2(ssl, arg, &arg2)) return; if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs)) return; if(!local_zone_str2type(arg2, &t)) { ssl_printf(ssl, "error not a zone type. %s\n", arg2); free(nm); return; } lock_rw_wrlock(&worker->daemon->local_zones->lock); if((z=local_zones_find(worker->daemon->local_zones, nm, nmlen, nmlabs, LDNS_RR_CLASS_IN))) { /* already present in tree */ lock_rw_wrlock(&z->lock); z->type = t; /* update type anyway */ lock_rw_unlock(&z->lock); free(nm); lock_rw_unlock(&worker->daemon->local_zones->lock); send_ok(ssl); return; } if(!local_zones_add_zone(worker->daemon->local_zones, nm, nmlen, nmlabs, LDNS_RR_CLASS_IN, t)) { lock_rw_unlock(&worker->daemon->local_zones->lock); ssl_printf(ssl, "error out of memory\n"); return; } lock_rw_unlock(&worker->daemon->local_zones->lock); send_ok(ssl); } /** Remove a zone */ static void do_zone_remove(SSL* ssl, struct worker* worker, char* arg) { uint8_t* nm; int nmlabs; size_t nmlen; struct local_zone* z; if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs)) return; lock_rw_wrlock(&worker->daemon->local_zones->lock); if((z=local_zones_find(worker->daemon->local_zones, nm, nmlen, nmlabs, LDNS_RR_CLASS_IN))) { /* present in tree */ local_zones_del_zone(worker->daemon->local_zones, z); } lock_rw_unlock(&worker->daemon->local_zones->lock); free(nm); send_ok(ssl); } /** Add new RR data */ static void do_data_add(SSL* ssl, struct worker* worker, char* arg) { if(!local_zones_add_RR(worker->daemon->local_zones, arg)) { ssl_printf(ssl,"error in syntax or out of memory, %s\n", arg); return; } send_ok(ssl); } /** Remove RR data */ static void do_data_remove(SSL* ssl, struct worker* worker, char* arg) { uint8_t* nm; int nmlabs; size_t nmlen; if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs)) return; local_zones_del_data(worker->daemon->local_zones, nm, nmlen, nmlabs, LDNS_RR_CLASS_IN); free(nm); send_ok(ssl); } /** cache lookup of nameservers */ static void do_lookup(SSL* ssl, struct worker* worker, char* arg) { uint8_t* nm; int nmlabs; size_t nmlen; if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs)) return; (void)print_deleg_lookup(ssl, worker, nm, nmlen, nmlabs); free(nm); } /** flush something from rrset and msg caches */ static void do_cache_remove(struct worker* worker, uint8_t* nm, size_t nmlen, uint16_t t, uint16_t c) { hashvalue_t h; struct query_info k; rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, 0); if(t == LDNS_RR_TYPE_SOA) rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, PACKED_RRSET_SOA_NEG); k.qname = nm; k.qname_len = nmlen; k.qtype = t; k.qclass = c; h = query_info_hash(&k, 0); slabhash_remove(worker->env.msg_cache, h, &k); if(t == LDNS_RR_TYPE_AAAA) { /* for AAAA also flush dns64 bit_cd packet */ h = query_info_hash(&k, BIT_CD); slabhash_remove(worker->env.msg_cache, h, &k); } } /** flush a type */ static void do_flush_type(SSL* ssl, struct worker* worker, char* arg) { uint8_t* nm; int nmlabs; size_t nmlen; char* arg2; uint16_t t; if(!find_arg2(ssl, arg, &arg2)) return; if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs)) return; t = sldns_get_rr_type_by_name(arg2); do_cache_remove(worker, nm, nmlen, t, LDNS_RR_CLASS_IN); free(nm); send_ok(ssl); } /** flush statistics */ static void do_flush_stats(SSL* ssl, struct worker* worker) { worker_stats_clear(worker); send_ok(ssl); } /** * Local info for deletion functions */ struct del_info { /** worker */ struct worker* worker; /** name to delete */ uint8_t* name; /** length */ size_t len; /** labels */ int labs; /** now */ time_t now; /** time to invalidate to */ time_t expired; /** number of rrsets removed */ size_t num_rrsets; /** number of msgs removed */ size_t num_msgs; /** number of key entries removed */ size_t num_keys; /** length of addr */ socklen_t addrlen; /** socket address for host deletion */ struct sockaddr_storage addr; }; /** callback to delete hosts in infra cache */ static void infra_del_host(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct infra_key* k = (struct infra_key*)e->key; if(sockaddr_cmp(&inf->addr, inf->addrlen, &k->addr, k->addrlen) == 0) { struct infra_data* d = (struct infra_data*)e->data; d->probedelay = 0; d->timeout_A = 0; d->timeout_AAAA = 0; d->timeout_other = 0; rtt_init(&d->rtt); if(d->ttl >= inf->now) { d->ttl = inf->expired; inf->num_keys++; } } } /** flush infra cache */ static void do_flush_infra(SSL* ssl, struct worker* worker, char* arg) { struct sockaddr_storage addr; socklen_t len; struct del_info inf; if(strcmp(arg, "all") == 0) { slabhash_clear(worker->env.infra_cache->hosts); send_ok(ssl); return; } if(!ipstrtoaddr(arg, UNBOUND_DNS_PORT, &addr, &len)) { (void)ssl_printf(ssl, "error parsing ip addr: '%s'\n", arg); return; } /* delete all entries from cache */ /* what we do is to set them all expired */ inf.worker = worker; inf.name = 0; inf.len = 0; inf.labs = 0; inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; inf.num_msgs = 0; inf.num_keys = 0; inf.addrlen = len; memmove(&inf.addr, &addr, len); slabhash_traverse(worker->env.infra_cache->hosts, 1, &infra_del_host, &inf); send_ok(ssl); } /** flush requestlist */ static void do_flush_requestlist(SSL* ssl, struct worker* worker) { mesh_delete_all(worker->env.mesh); send_ok(ssl); } /** callback to delete rrsets in a zone */ static void zone_del_rrset(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key; if(dname_subdomain_c(k->rk.dname, inf->name)) { struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; if(d->ttl >= inf->now) { d->ttl = inf->expired; inf->num_rrsets++; } } } /** callback to delete messages in a zone */ static void zone_del_msg(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct msgreply_entry* k = (struct msgreply_entry*)e->key; if(dname_subdomain_c(k->key.qname, inf->name)) { struct reply_info* d = (struct reply_info*)e->data; if(d->ttl >= inf->now) { d->ttl = inf->expired; inf->num_msgs++; } } } /** callback to delete keys in zone */ static void zone_del_kcache(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct key_entry_key* k = (struct key_entry_key*)e->key; if(dname_subdomain_c(k->name, inf->name)) { struct key_entry_data* d = (struct key_entry_data*)e->data; if(d->ttl >= inf->now) { d->ttl = inf->expired; inf->num_keys++; } } } /** remove all rrsets and keys from zone from cache */ static void do_flush_zone(SSL* ssl, struct worker* worker, char* arg) { uint8_t* nm; int nmlabs; size_t nmlen; struct del_info inf; if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs)) return; /* delete all RRs and key entries from zone */ /* what we do is to set them all expired */ inf.worker = worker; inf.name = nm; inf.len = nmlen; inf.labs = nmlabs; inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; inf.num_msgs = 0; inf.num_keys = 0; slabhash_traverse(&worker->env.rrset_cache->table, 1, &zone_del_rrset, &inf); slabhash_traverse(worker->env.msg_cache, 1, &zone_del_msg, &inf); /* and validator cache */ if(worker->env.key_cache) { slabhash_traverse(worker->env.key_cache->slab, 1, &zone_del_kcache, &inf); } free(nm); (void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages " "and %lu key entries\n", (unsigned long)inf.num_rrsets, (unsigned long)inf.num_msgs, (unsigned long)inf.num_keys); } /** callback to delete bogus rrsets */ static void bogus_del_rrset(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; if(d->security == sec_status_bogus) { d->ttl = inf->expired; inf->num_rrsets++; } } /** callback to delete bogus messages */ static void bogus_del_msg(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct reply_info* d = (struct reply_info*)e->data; if(d->security == sec_status_bogus) { d->ttl = inf->expired; inf->num_msgs++; } } /** callback to delete bogus keys */ static void bogus_del_kcache(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct key_entry_data* d = (struct key_entry_data*)e->data; if(d->isbad) { d->ttl = inf->expired; inf->num_keys++; } } /** remove all bogus rrsets, msgs and keys from cache */ static void do_flush_bogus(SSL* ssl, struct worker* worker) { struct del_info inf; /* what we do is to set them all expired */ inf.worker = worker; inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; inf.num_msgs = 0; inf.num_keys = 0; slabhash_traverse(&worker->env.rrset_cache->table, 1, &bogus_del_rrset, &inf); slabhash_traverse(worker->env.msg_cache, 1, &bogus_del_msg, &inf); /* and validator cache */ if(worker->env.key_cache) { slabhash_traverse(worker->env.key_cache->slab, 1, &bogus_del_kcache, &inf); } (void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages " "and %lu key entries\n", (unsigned long)inf.num_rrsets, (unsigned long)inf.num_msgs, (unsigned long)inf.num_keys); } /** callback to delete negative and servfail rrsets */ static void negative_del_rrset(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key; struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; /* delete the parentside negative cache rrsets, * these are namerserver rrsets that failed lookup, rdata empty */ if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 && d->rrsig_count == 0 && d->rr_len[0] == 0) { d->ttl = inf->expired; inf->num_rrsets++; } } /** callback to delete negative and servfail messages */ static void negative_del_msg(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct reply_info* d = (struct reply_info*)e->data; /* rcode not NOERROR: NXDOMAIN, SERVFAIL, ..: an nxdomain or error * or NOERROR rcode with ANCOUNT==0: a NODATA answer */ if(FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) { d->ttl = inf->expired; inf->num_msgs++; } } /** callback to delete negative key entries */ static void negative_del_kcache(struct lruhash_entry* e, void* arg) { /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct key_entry_data* d = (struct key_entry_data*)e->data; /* could be bad because of lookup failure on the DS, DNSKEY, which * was nxdomain or servfail, and thus a result of negative lookups */ if(d->isbad) { d->ttl = inf->expired; inf->num_keys++; } } /** remove all negative(NODATA,NXDOMAIN), and servfail messages from cache */ static void do_flush_negative(SSL* ssl, struct worker* worker) { struct del_info inf; /* what we do is to set them all expired */ inf.worker = worker; inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; inf.num_msgs = 0; inf.num_keys = 0; slabhash_traverse(&worker->env.rrset_cache->table, 1, &negative_del_rrset, &inf); slabhash_traverse(worker->env.msg_cache, 1, &negative_del_msg, &inf); /* and validator cache */ if(worker->env.key_cache) { slabhash_traverse(worker->env.key_cache->slab, 1, &negative_del_kcache, &inf); } (void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages " "and %lu key entries\n", (unsigned long)inf.num_rrsets, (unsigned long)inf.num_msgs, (unsigned long)inf.num_keys); } /** remove name rrset from cache */ static void do_flush_name(SSL* ssl, struct worker* w, char* arg) { uint8_t* nm; int nmlabs; size_t nmlen; if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs)) return; do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_A, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_AAAA, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SOA, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_CNAME, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_DNAME, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_MX, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_PTR, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SRV, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NAPTR, LDNS_RR_CLASS_IN); free(nm); send_ok(ssl); } /** printout a delegation point info */ static int ssl_print_name_dp(SSL* ssl, const char* str, uint8_t* nm, uint16_t dclass, struct delegpt* dp) { char buf[257]; struct delegpt_ns* ns; struct delegpt_addr* a; int f = 0; if(str) { /* print header for forward, stub */ char* c = sldns_wire2str_class(dclass); dname_str(nm, buf); if(!ssl_printf(ssl, "%s %s %s ", buf, (c?c:"CLASS??"), str)) { free(c); return 0; } free(c); } for(ns = dp->nslist; ns; ns = ns->next) { dname_str(ns->name, buf); if(!ssl_printf(ssl, "%s%s", (f?" ":""), buf)) return 0; f = 1; } for(a = dp->target_list; a; a = a->next_target) { addr_to_str(&a->addr, a->addrlen, buf, sizeof(buf)); if(!ssl_printf(ssl, "%s%s", (f?" ":""), buf)) return 0; f = 1; } return ssl_printf(ssl, "\n"); } /** print root forwards */ static int print_root_fwds(SSL* ssl, struct iter_forwards* fwds, uint8_t* root) { struct delegpt* dp; dp = forwards_lookup(fwds, root, LDNS_RR_CLASS_IN); if(!dp) return ssl_printf(ssl, "off (using root hints)\n"); /* if dp is returned it must be the root */ log_assert(query_dname_compare(dp->name, root)==0); return ssl_print_name_dp(ssl, NULL, root, LDNS_RR_CLASS_IN, dp); } /** parse args into delegpt */ static struct delegpt* parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names) { /* parse args and add in */ char* p = args; char* todo; struct delegpt* dp = delegpt_create_mlc(nm); struct sockaddr_storage addr; socklen_t addrlen; if(!dp) { (void)ssl_printf(ssl, "error out of memory\n"); return NULL; } while(p) { todo = p; p = strchr(p, ' '); /* find next spot, if any */ if(p) { *p++ = 0; /* end this spot */ p = skipwhite(p); /* position at next spot */ } /* parse address */ if(!extstrtoaddr(todo, &addr, &addrlen)) { if(allow_names) { uint8_t* n = NULL; size_t ln; int lb; if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) { (void)ssl_printf(ssl, "error cannot " "parse IP address or name " "'%s'\n", todo); delegpt_free_mlc(dp); return NULL; } if(!delegpt_add_ns_mlc(dp, n, 0)) { (void)ssl_printf(ssl, "error out of memory\n"); free(n); delegpt_free_mlc(dp); return NULL; } free(n); } else { (void)ssl_printf(ssl, "error cannot parse" " IP address '%s'\n", todo); delegpt_free_mlc(dp); return NULL; } } else { /* add address */ if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0)) { (void)ssl_printf(ssl, "error out of memory\n"); delegpt_free_mlc(dp); return NULL; } } } return dp; } /** do the status command */ static void do_forward(SSL* ssl, struct worker* worker, char* args) { struct iter_forwards* fwd = worker->env.fwds; uint8_t* root = (uint8_t*)"\000"; if(!fwd) { (void)ssl_printf(ssl, "error: structure not allocated\n"); return; } if(args == NULL || args[0] == 0) { (void)print_root_fwds(ssl, fwd, root); return; } /* set root forwards for this thread. since we are in remote control * the actual mesh is not running, so we can freely edit it. */ /* delete all the existing queries first */ mesh_delete_all(worker->env.mesh); if(strcmp(args, "off") == 0) { forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root); } else { struct delegpt* dp; if(!(dp = parse_delegpt(ssl, args, root, 0))) return; if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) { (void)ssl_printf(ssl, "error out of memory\n"); return; } } send_ok(ssl); } static int parse_fs_args(SSL* ssl, char* args, uint8_t** nm, struct delegpt** dp, int* insecure, int* prime) { char* zonename; char* rest; size_t nmlen; int nmlabs; /* parse all -x args */ while(args[0] == '+') { if(!find_arg2(ssl, args, &rest)) return 0; while(*(++args) != 0) { if(*args == 'i' && insecure) *insecure = 1; else if(*args == 'p' && prime) *prime = 1; else { (void)ssl_printf(ssl, "error: unknown option %s\n", args); return 0; } } args = rest; } /* parse name */ if(dp) { if(!find_arg2(ssl, args, &rest)) return 0; zonename = args; args = rest; } else zonename = args; if(!parse_arg_name(ssl, zonename, nm, &nmlen, &nmlabs)) return 0; /* parse dp */ if(dp) { if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) { free(*nm); return 0; } } return 1; } /** do the forward_add command */ static void do_forward_add(SSL* ssl, struct worker* worker, char* args) { struct iter_forwards* fwd = worker->env.fwds; int insecure = 0; uint8_t* nm = NULL; struct delegpt* dp = NULL; if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL)) return; if(insecure && worker->env.anchors) { if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm)) { (void)ssl_printf(ssl, "error out of memory\n"); delegpt_free_mlc(dp); free(nm); return; } } if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) { (void)ssl_printf(ssl, "error out of memory\n"); free(nm); return; } free(nm); send_ok(ssl); } /** do the forward_remove command */ static void do_forward_remove(SSL* ssl, struct worker* worker, char* args) { struct iter_forwards* fwd = worker->env.fwds; int insecure = 0; uint8_t* nm = NULL; if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL)) return; if(insecure && worker->env.anchors) anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm); forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, nm); free(nm); send_ok(ssl); } /** do the stub_add command */ static void do_stub_add(SSL* ssl, struct worker* worker, char* args) { struct iter_forwards* fwd = worker->env.fwds; int insecure = 0, prime = 0; uint8_t* nm = NULL; struct delegpt* dp = NULL; if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime)) return; if(insecure && worker->env.anchors) { if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm)) { (void)ssl_printf(ssl, "error out of memory\n"); delegpt_free_mlc(dp); free(nm); return; } } if(!forwards_add_stub_hole(fwd, LDNS_RR_CLASS_IN, nm)) { if(insecure && worker->env.anchors) anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm); (void)ssl_printf(ssl, "error out of memory\n"); delegpt_free_mlc(dp); free(nm); return; } if(!hints_add_stub(worker->env.hints, LDNS_RR_CLASS_IN, dp, !prime)) { (void)ssl_printf(ssl, "error out of memory\n"); forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm); if(insecure && worker->env.anchors) anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm); free(nm); return; } free(nm); send_ok(ssl); } /** do the stub_remove command */ static void do_stub_remove(SSL* ssl, struct worker* worker, char* args) { struct iter_forwards* fwd = worker->env.fwds; int insecure = 0; uint8_t* nm = NULL; if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL)) return; if(insecure && worker->env.anchors) anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm); forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm); hints_delete_stub(worker->env.hints, LDNS_RR_CLASS_IN, nm); free(nm); send_ok(ssl); } /** do the insecure_add command */ static void do_insecure_add(SSL* ssl, struct worker* worker, char* arg) { size_t nmlen; int nmlabs; uint8_t* nm = NULL; if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs)) return; if(worker->env.anchors) { if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm)) { (void)ssl_printf(ssl, "error out of memory\n"); free(nm); return; } } free(nm); send_ok(ssl); } /** do the insecure_remove command */ static void do_insecure_remove(SSL* ssl, struct worker* worker, char* arg) { size_t nmlen; int nmlabs; uint8_t* nm = NULL; if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs)) return; if(worker->env.anchors) anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN, nm); free(nm); send_ok(ssl); } /** do the status command */ static void do_status(SSL* ssl, struct worker* worker) { int i; time_t uptime; if(!ssl_printf(ssl, "version: %s\n", PACKAGE_VERSION)) return; if(!ssl_printf(ssl, "verbosity: %d\n", verbosity)) return; if(!ssl_printf(ssl, "threads: %d\n", worker->daemon->num)) return; if(!ssl_printf(ssl, "modules: %d [", worker->daemon->mods.num)) return; for(i=0; idaemon->mods.num; i++) { if(!ssl_printf(ssl, " %s", worker->daemon->mods.mod[i]->name)) return; } if(!ssl_printf(ssl, " ]\n")) return; uptime = (time_t)time(NULL) - (time_t)worker->daemon->time_boot.tv_sec; if(!ssl_printf(ssl, "uptime: " ARG_LL "d seconds\n", (long long)uptime)) return; if(!ssl_printf(ssl, "options:%s%s\n" , (worker->daemon->reuseport?" reuseport":""), (worker->daemon->rc->accept_list?" control(ssl)":""))) return; if(!ssl_printf(ssl, "unbound (pid %d) is running...\n", (int)getpid())) return; } /** get age for the mesh state */ static void get_mesh_age(struct mesh_state* m, char* buf, size_t len, struct module_env* env) { if(m->reply_list) { struct timeval d; struct mesh_reply* r = m->reply_list; /* last reply is the oldest */ while(r && r->next) r = r->next; timeval_subtract(&d, env->now_tv, &r->start_time); snprintf(buf, len, ARG_LL "d.%6.6d", (long long)d.tv_sec, (int)d.tv_usec); } else { snprintf(buf, len, "-"); } } /** get status of a mesh state */ static void get_mesh_status(struct mesh_area* mesh, struct mesh_state* m, char* buf, size_t len) { enum module_ext_state s = m->s.ext_state[m->s.curmod]; const char *modname = mesh->mods.mod[m->s.curmod]->name; size_t l; if(strcmp(modname, "iterator") == 0 && s == module_wait_reply && m->s.minfo[m->s.curmod]) { /* break into iterator to find out who its waiting for */ struct iter_qstate* qstate = (struct iter_qstate*) m->s.minfo[m->s.curmod]; struct outbound_list* ol = &qstate->outlist; struct outbound_entry* e; snprintf(buf, len, "%s wait for", modname); l = strlen(buf); buf += l; len -= l; if(ol->first == NULL) snprintf(buf, len, " (empty_list)"); for(e = ol->first; e; e = e->next) { snprintf(buf, len, " "); l = strlen(buf); buf += l; len -= l; addr_to_str(&e->qsent->addr, e->qsent->addrlen, buf, len); l = strlen(buf); buf += l; len -= l; } } else if(s == module_wait_subquery) { /* look in subs from mesh state to see what */ char nm[257]; struct mesh_state_ref* sub; snprintf(buf, len, "%s wants", modname); l = strlen(buf); buf += l; len -= l; if(m->sub_set.count == 0) snprintf(buf, len, " (empty_list)"); RBTREE_FOR(sub, struct mesh_state_ref*, &m->sub_set) { char* t = sldns_wire2str_type(sub->s->s.qinfo.qtype); char* c = sldns_wire2str_class(sub->s->s.qinfo.qclass); dname_str(sub->s->s.qinfo.qname, nm); snprintf(buf, len, " %s %s %s", (t?t:"TYPE??"), (c?c:"CLASS??"), nm); l = strlen(buf); buf += l; len -= l; free(t); free(c); } } else { snprintf(buf, len, "%s is %s", modname, strextstate(s)); } } /** do the dump_requestlist command */ static void do_dump_requestlist(SSL* ssl, struct worker* worker) { struct mesh_area* mesh; struct mesh_state* m; int num = 0; char buf[257]; char timebuf[32]; char statbuf[10240]; if(!ssl_printf(ssl, "thread #%d\n", worker->thread_num)) return; if(!ssl_printf(ssl, "# type cl name seconds module status\n")) return; /* show worker mesh contents */ mesh = worker->env.mesh; if(!mesh) return; RBTREE_FOR(m, struct mesh_state*, &mesh->all) { char* t = sldns_wire2str_type(m->s.qinfo.qtype); char* c = sldns_wire2str_class(m->s.qinfo.qclass); dname_str(m->s.qinfo.qname, buf); get_mesh_age(m, timebuf, sizeof(timebuf), &worker->env); get_mesh_status(mesh, m, statbuf, sizeof(statbuf)); if(!ssl_printf(ssl, "%3d %4s %2s %s %s %s\n", num, (t?t:"TYPE??"), (c?c:"CLASS??"), buf, timebuf, statbuf)) { free(t); free(c); return; } num++; free(t); free(c); } } /** structure for argument data for dump infra host */ struct infra_arg { /** the infra cache */ struct infra_cache* infra; /** the SSL connection */ SSL* ssl; /** the time now */ time_t now; /** ssl failure? stop writing and skip the rest. If the tcp * connection is broken, and writes fail, we then stop writing. */ int ssl_failed; }; /** callback for every host element in the infra cache */ static void dump_infra_host(struct lruhash_entry* e, void* arg) { struct infra_arg* a = (struct infra_arg*)arg; struct infra_key* k = (struct infra_key*)e->key; struct infra_data* d = (struct infra_data*)e->data; char ip_str[1024]; char name[257]; if(a->ssl_failed) return; addr_to_str(&k->addr, k->addrlen, ip_str, sizeof(ip_str)); dname_str(k->zonename, name); /* skip expired stuff (only backed off) */ if(d->ttl < a->now) { if(d->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) { if(!ssl_printf(a->ssl, "%s %s expired rto %d\n", ip_str, name, d->rtt.rto)) { a->ssl_failed = 1; return; } } return; } if(!ssl_printf(a->ssl, "%s %s ttl %lu ping %d var %d rtt %d rto %d " "tA %d tAAAA %d tother %d " "ednsknown %d edns %d delay %d lame dnssec %d rec %d A %d " "other %d\n", ip_str, name, (unsigned long)(d->ttl - a->now), d->rtt.srtt, d->rtt.rttvar, rtt_notimeout(&d->rtt), d->rtt.rto, d->timeout_A, d->timeout_AAAA, d->timeout_other, (int)d->edns_lame_known, (int)d->edns_version, (int)(a->nowprobedelay?d->probedelay-a->now:0), (int)d->isdnsseclame, (int)d->rec_lame, (int)d->lame_type_A, (int)d->lame_other)) { a->ssl_failed = 1; return; } } /** do the dump_infra command */ static void do_dump_infra(SSL* ssl, struct worker* worker) { struct infra_arg arg; arg.infra = worker->env.infra_cache; arg.ssl = ssl; arg.now = *worker->env.now; arg.ssl_failed = 0; slabhash_traverse(arg.infra->hosts, 0, &dump_infra_host, (void*)&arg); } /** do the log_reopen command */ static void do_log_reopen(SSL* ssl, struct worker* worker) { struct config_file* cfg = worker->env.cfg; send_ok(ssl); log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir); } /** do the set_option command */ static void do_set_option(SSL* ssl, struct worker* worker, char* arg) { char* arg2; if(!find_arg2(ssl, arg, &arg2)) return; if(!config_set_option(worker->env.cfg, arg, arg2)) { (void)ssl_printf(ssl, "error setting option\n"); return; } send_ok(ssl); } /* routine to printout option values over SSL */ void remote_get_opt_ssl(char* line, void* arg) { SSL* ssl = (SSL*)arg; (void)ssl_printf(ssl, "%s\n", line); } /** do the get_option command */ static void do_get_option(SSL* ssl, struct worker* worker, char* arg) { int r; r = config_get_option(worker->env.cfg, arg, remote_get_opt_ssl, ssl); if(!r) { (void)ssl_printf(ssl, "error unknown option\n"); return; } } /** do the list_forwards command */ static void do_list_forwards(SSL* ssl, struct worker* worker) { /* since its a per-worker structure no locks needed */ struct iter_forwards* fwds = worker->env.fwds; struct iter_forward_zone* z; struct trust_anchor* a; int insecure; RBTREE_FOR(z, struct iter_forward_zone*, fwds->tree) { if(!z->dp) continue; /* skip empty marker for stub */ /* see if it is insecure */ insecure = 0; if(worker->env.anchors && (a=anchor_find(worker->env.anchors, z->name, z->namelabs, z->namelen, z->dclass))) { if(!a->keylist && !a->numDS && !a->numDNSKEY) insecure = 1; lock_basic_unlock(&a->lock); } if(!ssl_print_name_dp(ssl, (insecure?"forward +i":"forward"), z->name, z->dclass, z->dp)) return; } } /** do the list_stubs command */ static void do_list_stubs(SSL* ssl, struct worker* worker) { struct iter_hints_stub* z; struct trust_anchor* a; int insecure; char str[32]; RBTREE_FOR(z, struct iter_hints_stub*, &worker->env.hints->tree) { /* see if it is insecure */ insecure = 0; if(worker->env.anchors && (a=anchor_find(worker->env.anchors, z->node.name, z->node.labs, z->node.len, z->node.dclass))) { if(!a->keylist && !a->numDS && !a->numDNSKEY) insecure = 1; lock_basic_unlock(&a->lock); } snprintf(str, sizeof(str), "stub %sprime%s", (z->noprime?"no":""), (insecure?" +i":"")); if(!ssl_print_name_dp(ssl, str, z->node.name, z->node.dclass, z->dp)) return; } } /** do the list_local_zones command */ static void do_list_local_zones(SSL* ssl, struct worker* worker) { struct local_zones* zones = worker->daemon->local_zones; struct local_zone* z; char buf[257]; lock_rw_rdlock(&zones->lock); RBTREE_FOR(z, struct local_zone*, &zones->ztree) { lock_rw_rdlock(&z->lock); dname_str(z->name, buf); if(!ssl_printf(ssl, "%s %s\n", buf, local_zone_type2str(z->type))) { /* failure to print */ lock_rw_unlock(&z->lock); lock_rw_unlock(&zones->lock); return; } lock_rw_unlock(&z->lock); } lock_rw_unlock(&zones->lock); } /** do the list_local_data command */ static void do_list_local_data(SSL* ssl, struct worker* worker) { struct local_zones* zones = worker->daemon->local_zones; struct local_zone* z; struct local_data* d; struct local_rrset* p; char* s = (char*)sldns_buffer_begin(worker->env.scratch_buffer); size_t slen = sldns_buffer_capacity(worker->env.scratch_buffer); lock_rw_rdlock(&zones->lock); RBTREE_FOR(z, struct local_zone*, &zones->ztree) { lock_rw_rdlock(&z->lock); RBTREE_FOR(d, struct local_data*, &z->data) { for(p = d->rrsets; p; p = p->next) { struct packed_rrset_data* d = (struct packed_rrset_data*)p->rrset->entry.data; size_t i; for(i=0; icount + d->rrsig_count; i++) { if(!packed_rr_to_string(p->rrset, i, 0, s, slen)) { if(!ssl_printf(ssl, "BADRR\n")) return; } if(!ssl_printf(ssl, "%s\n", s)) return; } } } lock_rw_unlock(&z->lock); } lock_rw_unlock(&zones->lock); } /** tell other processes to execute the command */ static void distribute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd) { int i; if(!cmd || !ssl) return; /* skip i=0 which is me */ for(i=1; iworker->daemon->num; i++) { worker_send_cmd(rc->worker->daemon->workers[i], worker_cmd_remote); if(!tube_write_msg(rc->worker->daemon->workers[i]->cmd, (uint8_t*)cmd, strlen(cmd)+1, 0)) { ssl_printf(ssl, "error could not distribute cmd\n"); return; } } } /** check for name with end-of-string, space or tab after it */ static int cmdcmp(char* p, const char* cmd, size_t len) { return strncmp(p,cmd,len)==0 && (p[len]==0||p[len]==' '||p[len]=='\t'); } /** execute a remote control command */ static void execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd, struct worker* worker) { char* p = skipwhite(cmd); /* compare command */ if(cmdcmp(p, "stop", 4)) { do_stop(ssl, rc); return; } else if(cmdcmp(p, "reload", 6)) { do_reload(ssl, rc); return; } else if(cmdcmp(p, "stats_noreset", 13)) { do_stats(ssl, rc, 0); return; } else if(cmdcmp(p, "stats", 5)) { do_stats(ssl, rc, 1); return; } else if(cmdcmp(p, "status", 6)) { do_status(ssl, worker); return; } else if(cmdcmp(p, "dump_cache", 10)) { (void)dump_cache(ssl, worker); return; } else if(cmdcmp(p, "load_cache", 10)) { if(load_cache(ssl, worker)) send_ok(ssl); return; } else if(cmdcmp(p, "list_forwards", 13)) { do_list_forwards(ssl, worker); return; } else if(cmdcmp(p, "list_stubs", 10)) { do_list_stubs(ssl, worker); return; } else if(cmdcmp(p, "list_local_zones", 16)) { do_list_local_zones(ssl, worker); return; } else if(cmdcmp(p, "list_local_data", 15)) { do_list_local_data(ssl, worker); return; } else if(cmdcmp(p, "stub_add", 8)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); do_stub_add(ssl, worker, skipwhite(p+8)); return; } else if(cmdcmp(p, "stub_remove", 11)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); do_stub_remove(ssl, worker, skipwhite(p+11)); return; } else if(cmdcmp(p, "forward_add", 11)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); do_forward_add(ssl, worker, skipwhite(p+11)); return; } else if(cmdcmp(p, "forward_remove", 14)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); do_forward_remove(ssl, worker, skipwhite(p+14)); return; } else if(cmdcmp(p, "insecure_add", 12)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); do_insecure_add(ssl, worker, skipwhite(p+12)); return; } else if(cmdcmp(p, "insecure_remove", 15)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); do_insecure_remove(ssl, worker, skipwhite(p+15)); return; } else if(cmdcmp(p, "forward", 7)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); do_forward(ssl, worker, skipwhite(p+7)); return; } else if(cmdcmp(p, "flush_stats", 11)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); do_flush_stats(ssl, worker); return; } else if(cmdcmp(p, "flush_requestlist", 17)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); do_flush_requestlist(ssl, worker); return; } else if(cmdcmp(p, "lookup", 6)) { do_lookup(ssl, worker, skipwhite(p+6)); return; } #ifdef THREADS_DISABLED /* other processes must execute the command as well */ /* commands that should not be distributed, returned above. */ if(rc) { /* only if this thread is the master (rc) thread */ /* done before the code below, which may split the string */ distribute_cmd(rc, ssl, cmd); } #endif if(cmdcmp(p, "verbosity", 9)) { do_verbosity(ssl, skipwhite(p+9)); } else if(cmdcmp(p, "local_zone_remove", 17)) { do_zone_remove(ssl, worker, skipwhite(p+17)); } else if(cmdcmp(p, "local_zone", 10)) { do_zone_add(ssl, worker, skipwhite(p+10)); } else if(cmdcmp(p, "local_data_remove", 17)) { do_data_remove(ssl, worker, skipwhite(p+17)); } else if(cmdcmp(p, "local_data", 10)) { do_data_add(ssl, worker, skipwhite(p+10)); } else if(cmdcmp(p, "flush_zone", 10)) { do_flush_zone(ssl, worker, skipwhite(p+10)); } else if(cmdcmp(p, "flush_type", 10)) { do_flush_type(ssl, worker, skipwhite(p+10)); } else if(cmdcmp(p, "flush_infra", 11)) { do_flush_infra(ssl, worker, skipwhite(p+11)); } else if(cmdcmp(p, "flush", 5)) { do_flush_name(ssl, worker, skipwhite(p+5)); } else if(cmdcmp(p, "dump_requestlist", 16)) { do_dump_requestlist(ssl, worker); } else if(cmdcmp(p, "dump_infra", 10)) { do_dump_infra(ssl, worker); } else if(cmdcmp(p, "log_reopen", 10)) { do_log_reopen(ssl, worker); } else if(cmdcmp(p, "set_option", 10)) { do_set_option(ssl, worker, skipwhite(p+10)); } else if(cmdcmp(p, "get_option", 10)) { do_get_option(ssl, worker, skipwhite(p+10)); } else if(cmdcmp(p, "flush_bogus", 11)) { do_flush_bogus(ssl, worker); } else if(cmdcmp(p, "flush_negative", 14)) { do_flush_negative(ssl, worker); } else { (void)ssl_printf(ssl, "error unknown command '%s'\n", p); } } void daemon_remote_exec(struct worker* worker) { /* read the cmd string */ uint8_t* msg = NULL; uint32_t len = 0; if(!tube_read_msg(worker->cmd, &msg, &len, 0)) { log_err("daemon_remote_exec: tube_read_msg failed"); return; } verbose(VERB_ALGO, "remote exec distributed: %s", (char*)msg); execute_cmd(NULL, NULL, (char*)msg, worker); free(msg); } /** handle remote control request */ static void handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl) { int r; char pre[10]; char magic[7]; char buf[1024]; #ifdef USE_WINSOCK /* makes it possible to set the socket blocking again. */ /* basically removes it from winsock_event ... */ WSAEventSelect(s->c->fd, NULL, 0); #endif fd_set_block(s->c->fd); /* try to read magic UBCT[version]_space_ string */ ERR_clear_error(); if((r=SSL_read(ssl, magic, (int)sizeof(magic)-1)) <= 0) { if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) return; log_crypto_err("could not SSL_read"); return; } magic[6] = 0; if( r != 6 || strncmp(magic, "UBCT", 4) != 0) { verbose(VERB_QUERY, "control connection has bad magic string"); /* probably wrong tool connected, ignore it completely */ return; } /* read the command line */ if(!ssl_read_line(ssl, buf, sizeof(buf))) { return; } snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION); if(strcmp(magic, pre) != 0) { verbose(VERB_QUERY, "control connection had bad " "version %s, cmd: %s", magic, buf); ssl_printf(ssl, "error version mismatch\n"); return; } verbose(VERB_DETAIL, "control cmd: %s", buf); /* figure out what to do */ execute_cmd(rc, ssl, buf, rc->worker); } int remote_control_callback(struct comm_point* c, void* arg, int err, struct comm_reply* ATTR_UNUSED(rep)) { struct rc_state* s = (struct rc_state*)arg; struct daemon_remote* rc = s->rc; int r; if(err != NETEVENT_NOERROR) { if(err==NETEVENT_TIMEOUT) log_err("remote control timed out"); clean_point(rc, s); return 0; } /* (continue to) setup the SSL connection */ ERR_clear_error(); r = SSL_do_handshake(s->ssl); if(r != 1) { int r2 = SSL_get_error(s->ssl, r); if(r2 == SSL_ERROR_WANT_READ) { if(s->shake_state == rc_hs_read) { /* try again later */ return 0; } s->shake_state = rc_hs_read; comm_point_listen_for_rw(c, 1, 0); return 0; } else if(r2 == SSL_ERROR_WANT_WRITE) { if(s->shake_state == rc_hs_write) { /* try again later */ return 0; } s->shake_state = rc_hs_write; comm_point_listen_for_rw(c, 0, 1); return 0; } else { if(r == 0) log_err("remote control connection closed prematurely"); log_addr(1, "failed connection from", &s->c->repinfo.addr, s->c->repinfo.addrlen); log_crypto_err("remote control failed ssl"); clean_point(rc, s); return 0; } } s->shake_state = rc_none; /* once handshake has completed, check authentication */ - if(SSL_get_verify_result(s->ssl) == X509_V_OK) { + if (!rc->use_cert) { + verbose(VERB_ALGO, "unauthenticated remote control connection"); + } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) { X509* x = SSL_get_peer_certificate(s->ssl); if(!x) { verbose(VERB_DETAIL, "remote control connection " "provided no client certificate"); clean_point(rc, s); return 0; } verbose(VERB_ALGO, "remote control connection authenticated"); X509_free(x); } else { verbose(VERB_DETAIL, "remote control connection failed to " "authenticate with client certificate"); clean_point(rc, s); return 0; } /* if OK start to actually handle the request */ handle_req(rc, s, s->ssl); verbose(VERB_ALGO, "remote control operation completed"); clean_point(rc, s); return 0; } Index: head/contrib/unbound/daemon/remote.h =================================================================== --- head/contrib/unbound/daemon/remote.h (revision 276698) +++ head/contrib/unbound/daemon/remote.h (revision 276699) @@ -1,189 +1,191 @@ /* * daemon/remote.h - remote control for the unbound daemon. * * Copyright (c) 2008, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * This file contains the remote control functionality for the daemon. * The remote control can be performed using either the commandline * unbound-control tool, or a SSLv3/TLS capable web browser. * The channel is secured using SSLv3 or TLSv1, and certificates. * Both the server and the client(control tool) have their own keys. */ #ifndef DAEMON_REMOTE_H #define DAEMON_REMOTE_H #ifdef HAVE_OPENSSL_SSL_H #include "openssl/ssl.h" #endif struct config_file; struct listen_list; struct listen_port; struct worker; struct comm_reply; struct comm_point; struct daemon_remote; /** number of seconds timeout on incoming remote control handshake */ #define REMOTE_CONTROL_TCP_TIMEOUT 120 /** * a busy control command connection, SSL state */ struct rc_state { /** the next item in list */ struct rc_state* next; /** the commpoint */ struct comm_point* c; /** in the handshake part */ enum { rc_none, rc_hs_read, rc_hs_write } shake_state; #ifdef HAVE_SSL /** the ssl state */ SSL* ssl; #endif /** the rc this is part of */ struct daemon_remote* rc; }; /** * The remote control tool state. * The state is only created for the first thread, other threads * are called from this thread. Only the first threads listens to * the control port. The other threads do not, but are called on the * command channel(pipe) from the first thread. */ struct daemon_remote { /** the worker for this remote control */ struct worker* worker; /** commpoints for accepting remote control connections */ struct listen_list* accept_list; + /* if certificates are used */ + int use_cert; /** number of active commpoints that are handling remote control */ int active; /** max active commpoints */ int max_active; /** current commpoints busy; should be a short list, malloced */ struct rc_state* busy_list; #ifdef HAVE_SSL /** the SSL context for creating new SSL streams */ SSL_CTX* ctx; #endif }; /** * Create new remote control state for the daemon. * @param cfg: config file with key file settings. * @return new state, or NULL on failure. */ struct daemon_remote* daemon_remote_create(struct config_file* cfg); /** * remote control state to delete. * @param rc: state to delete. */ void daemon_remote_delete(struct daemon_remote* rc); /** * remote control state to clear up. Busy and accept points are closed. * Does not delete the rc itself, or the ssl context (with its keys). * @param rc: state to clear. */ void daemon_remote_clear(struct daemon_remote* rc); /** * Open and create listening ports for remote control. * @param cfg: config options. * @return list of ports or NULL on failure. * can be freed with listening_ports_free(). */ struct listen_port* daemon_remote_open_ports(struct config_file* cfg); /** * Setup comm points for accepting remote control connections. * @param rc: state * @param ports: already opened ports. * @param worker: worker with communication base. and links to command channels. * @return false on error. */ int daemon_remote_open_accept(struct daemon_remote* rc, struct listen_port* ports, struct worker* worker); /** * Stop accept handlers for TCP (until enabled again) * @param rc: state */ void daemon_remote_stop_accept(struct daemon_remote* rc); /** * Stop accept handlers for TCP (until enabled again) * @param rc: state */ void daemon_remote_start_accept(struct daemon_remote* rc); /** * Handle nonthreaded remote cmd execution. * @param worker: this worker (the remote worker). */ void daemon_remote_exec(struct worker* worker); #ifdef HAVE_SSL /** * Print fixed line of text over ssl connection in blocking mode * @param ssl: print to * @param text: the text. * @return false on connection failure. */ int ssl_print_text(SSL* ssl, const char* text); /** * printf style printing to the ssl connection * @param ssl: the SSL connection to print to. Blocking. * @param format: printf style format string. * @return success or false on a network failure. */ int ssl_printf(SSL* ssl, const char* format, ...) ATTR_FORMAT(printf, 2, 3); /** * Read until \n is encountered * If SSL signals EOF, the string up to then is returned (without \n). * @param ssl: the SSL connection to read from. blocking. * @param buf: buffer to read to. * @param max: size of buffer. * @return false on connection failure. */ int ssl_read_line(SSL* ssl, char* buf, size_t max); #endif /* HAVE_SSL */ #endif /* DAEMON_REMOTE_H */ Index: head/contrib/unbound/daemon/unbound.c =================================================================== --- head/contrib/unbound/daemon/unbound.c (revision 276698) +++ head/contrib/unbound/daemon/unbound.c (revision 276699) @@ -1,780 +1,767 @@ /* * daemon/unbound.c - main program for unbound DNS resolver daemon. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ /** * \file * * Main program to start the DNS resolver daemon. */ #include "config.h" #ifdef HAVE_GETOPT_H #include #endif #include #include "util/log.h" #include "daemon/daemon.h" #include "daemon/remote.h" #include "util/config_file.h" #include "util/storage/slabhash.h" #include "services/listen_dnsport.h" #include "services/cache/rrset.h" #include "services/cache/infra.h" #include "util/fptr_wlist.h" #include "util/data/msgreply.h" #include "util/module.h" #include "util/net_help.h" #include #include #include #ifdef HAVE_PWD_H #include #endif #ifdef HAVE_GRP_H #include #endif #ifndef S_SPLINT_S /* splint chokes on this system header file */ #ifdef HAVE_SYS_RESOURCE_H #include #endif #endif /* S_SPLINT_S */ #ifdef HAVE_LOGIN_CAP_H #include #endif #ifdef USE_MINI_EVENT # ifdef USE_WINSOCK # include "util/winsock_event.h" # else # include "util/mini_event.h" # endif #else # ifdef HAVE_EVENT_H # include # else # include "event2/event.h" # include "event2/event_struct.h" # include "event2/event_compat.h" # endif #endif #ifdef UB_ON_WINDOWS # include "winrc/win_svc.h" #endif #ifdef HAVE_NSS /* nss3 */ # include "nss.h" #endif #ifdef HAVE_SBRK /** global debug value to keep track of heap memory allocation */ void* unbound_start_brk = 0; #endif #if !defined(HAVE_EVENT_BASE_GET_METHOD) && (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) static const char* ev_backend2str(int b) { switch(b) { case EVBACKEND_SELECT: return "select"; case EVBACKEND_POLL: return "poll"; case EVBACKEND_EPOLL: return "epoll"; case EVBACKEND_KQUEUE: return "kqueue"; case EVBACKEND_DEVPOLL: return "devpoll"; case EVBACKEND_PORT: return "evport"; } return "unknown"; } #endif /** get the event system in use */ static void get_event_sys(const char** n, const char** s, const char** m) { #ifdef USE_WINSOCK *n = "event"; *s = "winsock"; *m = "WSAWaitForMultipleEvents"; #elif defined(USE_MINI_EVENT) *n = "mini-event"; *s = "internal"; *m = "select"; #else struct event_base* b; *s = event_get_version(); # ifdef HAVE_EVENT_BASE_GET_METHOD *n = "libevent"; b = event_base_new(); *m = event_base_get_method(b); # elif defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP) *n = "libev"; b = (struct event_base*)ev_default_loop(EVFLAG_AUTO); *m = ev_backend2str(ev_backend((struct ev_loop*)b)); # else *n = "unknown"; *m = "not obtainable"; b = NULL; # endif # ifdef HAVE_EVENT_BASE_FREE event_base_free(b); # endif #endif } /** print usage. */ static void usage() { const char** m; const char *evnm="event", *evsys="", *evmethod=""; printf("usage: unbound [options]\n"); printf(" start unbound daemon DNS resolver.\n"); printf("-h this help\n"); printf("-c file config file to read instead of %s\n", CONFIGFILE); printf(" file format is described in unbound.conf(5).\n"); printf("-d do not fork into the background.\n"); printf("-v verbose (more times to increase verbosity)\n"); #ifdef UB_ON_WINDOWS printf("-w opt windows option: \n"); printf(" install, remove - manage the services entry\n"); printf(" service - used to start from services control panel\n"); #endif printf("Version %s\n", PACKAGE_VERSION); get_event_sys(&evnm, &evsys, &evmethod); printf("linked libs: %s %s (it uses %s), %s\n", evnm, evsys, evmethod, #ifdef HAVE_SSL SSLeay_version(SSLEAY_VERSION) #elif defined(HAVE_NSS) NSS_GetVersion() #endif ); printf("linked modules:"); for(m = module_list_avail(); *m; m++) printf(" %s", *m); printf("\n"); printf("BSD licensed, see LICENSE in source package for details.\n"); printf("Report bugs to %s\n", PACKAGE_BUGREPORT); } #ifndef unbound_testbound int replay_var_compare(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b)) { log_assert(0); return 0; } #endif /** check file descriptor count */ static void checkrlimits(struct config_file* cfg) { #ifndef S_SPLINT_S #ifdef HAVE_GETRLIMIT /* list has number of ports to listen to, ifs number addresses */ int list = ((cfg->do_udp?1:0) + (cfg->do_tcp?1 + (int)cfg->incoming_num_tcp:0)); size_t listen_ifs = (size_t)(cfg->num_ifs==0? ((cfg->do_ip4 && !cfg->if_automatic?1:0) + (cfg->do_ip6?1:0)):cfg->num_ifs); size_t listen_num = list*listen_ifs; size_t outudpnum = (size_t)cfg->outgoing_num_ports; size_t outtcpnum = cfg->outgoing_num_tcp; size_t misc = 4; /* logfile, pidfile, stdout... */ size_t perthread_noudp = listen_num + outtcpnum + 2/*cmdpipe*/ + 2/*libevent*/ + misc; size_t perthread = perthread_noudp + outudpnum; #if !defined(HAVE_PTHREAD) && !defined(HAVE_SOLARIS_THREADS) int numthread = 1; /* it forks */ #else int numthread = (cfg->num_threads?cfg->num_threads:1); #endif size_t total = numthread * perthread + misc; size_t avail; struct rlimit rlim; if(total > 1024 && strncmp(event_get_version(), "mini-event", 10) == 0) { log_warn("too many file descriptors requested. The builtin" "mini-event cannot handle more than 1024. Config " "for less fds or compile with libevent"); if(numthread*perthread_noudp+15 > 1024) fatal_exit("too much tcp. not enough fds."); cfg->outgoing_num_ports = (int)((1024 - numthread*perthread_noudp - 10 /* safety margin */) /numthread); log_warn("continuing with less udp ports: %u", cfg->outgoing_num_ports); total = 1024; } if(perthread > 64 && strncmp(event_get_version(), "winsock-event", 13) == 0) { log_err("too many file descriptors requested. The winsock" " event handler cannot handle more than 64 per " " thread. Config for less fds"); if(perthread_noudp+2 > 64) fatal_exit("too much tcp. not enough fds."); cfg->outgoing_num_ports = (int)((64 - perthread_noudp - 2/* safety margin */)); log_warn("continuing with less udp ports: %u", cfg->outgoing_num_ports); total = numthread*(perthread_noudp+ (size_t)cfg->outgoing_num_ports)+misc; } if(getrlimit(RLIMIT_NOFILE, &rlim) < 0) { log_warn("getrlimit: %s", strerror(errno)); return; } if(rlim.rlim_cur == (rlim_t)RLIM_INFINITY) return; if((size_t)rlim.rlim_cur < total) { avail = (size_t)rlim.rlim_cur; rlim.rlim_cur = (rlim_t)(total + 10); rlim.rlim_max = (rlim_t)(total + 10); #ifdef HAVE_SETRLIMIT if(setrlimit(RLIMIT_NOFILE, &rlim) < 0) { log_warn("setrlimit: %s", strerror(errno)); #endif log_warn("cannot increase max open fds from %u to %u", (unsigned)avail, (unsigned)total+10); /* check that calculation below does not underflow, * with 15 as margin */ if(numthread*perthread_noudp+15 > avail) fatal_exit("too much tcp. not enough fds."); cfg->outgoing_num_ports = (int)((avail - numthread*perthread_noudp - 10 /* safety margin */) /numthread); log_warn("continuing with less udp ports: %u", cfg->outgoing_num_ports); log_warn("increase ulimit or decrease threads, " "ports in config to remove this warning"); return; #ifdef HAVE_SETRLIMIT } #endif verbose(VERB_ALGO, "increased limit(open files) from %u to %u", (unsigned)avail, (unsigned)total+10); } #else (void)cfg; #endif /* HAVE_GETRLIMIT */ #endif /* S_SPLINT_S */ } /** set verbosity, check rlimits, cache settings */ static void apply_settings(struct daemon* daemon, struct config_file* cfg, int cmdline_verbose, int debug_mode) { /* apply if they have changed */ verbosity = cmdline_verbose + cfg->verbosity; if (debug_mode > 1) { cfg->use_syslog = 0; cfg->logfile = NULL; } daemon_apply_cfg(daemon, cfg); checkrlimits(cfg); } #ifdef HAVE_KILL /** Read existing pid from pidfile. * @param file: file name of pid file. * @return: the pid from the file or -1 if none. */ static pid_t readpid (const char* file) { int fd; pid_t pid; char pidbuf[32]; char* t; ssize_t l; if ((fd = open(file, O_RDONLY)) == -1) { if(errno != ENOENT) log_err("Could not read pidfile %s: %s", file, strerror(errno)); return -1; } if (((l = read(fd, pidbuf, sizeof(pidbuf)))) == -1) { if(errno != ENOENT) log_err("Could not read pidfile %s: %s", file, strerror(errno)); close(fd); return -1; } close(fd); /* Empty pidfile means no pidfile... */ if (l == 0) { return -1; } pidbuf[sizeof(pidbuf)-1] = 0; pid = (pid_t)strtol(pidbuf, &t, 10); if (*t && *t != '\n') { return -1; } return pid; } /** write pid to file. * @param pidfile: file name of pid file. * @param pid: pid to write to file. */ static void writepid (const char* pidfile, pid_t pid) { FILE* f; if ((f = fopen(pidfile, "w")) == NULL ) { log_err("cannot open pidfile %s: %s", pidfile, strerror(errno)); return; } if(fprintf(f, "%lu\n", (unsigned long)pid) < 0) { log_err("cannot write to pidfile %s: %s", pidfile, strerror(errno)); } fclose(f); } /** * check old pid file. * @param pidfile: the file name of the pid file. * @param inchroot: if pidfile is inchroot and we can thus expect to * be able to delete it. */ static void checkoldpid(char* pidfile, int inchroot) { pid_t old; if((old = readpid(pidfile)) != -1) { /* see if it is still alive */ if(kill(old, 0) == 0 || errno == EPERM) log_warn("unbound is already running as pid %u.", (unsigned)old); else if(inchroot) log_warn("did not exit gracefully last time (%u)", (unsigned)old); } } #endif /* HAVE_KILL */ /** detach from command line */ static void detach(void) { #if defined(HAVE_DAEMON) && !defined(DEPRECATED_DAEMON) /* use POSIX daemon(3) function */ if(daemon(1, 0) != 0) fatal_exit("daemon failed: %s", strerror(errno)); #else /* no HAVE_DAEMON */ #ifdef HAVE_FORK int fd; /* Take off... */ switch (fork()) { case 0: break; case -1: fatal_exit("fork failed: %s", strerror(errno)); default: /* exit interactive session */ exit(0); } /* detach */ #ifdef HAVE_SETSID if(setsid() == -1) fatal_exit("setsid() failed: %s", strerror(errno)); #endif if ((fd = open("/dev/null", O_RDWR, 0)) != -1) { (void)dup2(fd, STDIN_FILENO); (void)dup2(fd, STDOUT_FILENO); (void)dup2(fd, STDERR_FILENO); if (fd > 2) (void)close(fd); } #endif /* HAVE_FORK */ #endif /* HAVE_DAEMON */ } /** daemonize, drop user priviliges and chroot if needed */ static void perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, const char** cfgfile) { + log_assert(cfg); + #ifdef HAVE_GETPWNAM struct passwd *pwd = NULL; - uid_t uid; - gid_t gid; - /* initialize, but not to 0 (root) */ - memset(&uid, 112, sizeof(uid)); - memset(&gid, 112, sizeof(gid)); - log_assert(cfg); if(cfg->username && cfg->username[0]) { if((pwd = getpwnam(cfg->username)) == NULL) fatal_exit("user '%s' does not exist.", cfg->username); - uid = pwd->pw_uid; - gid = pwd->pw_gid; /* endpwent below, in case we need pwd for setusercontext */ } #endif /* init syslog (as root) if needed, before daemonize, otherwise * a fork error could not be printed since daemonize closed stderr.*/ if(cfg->use_syslog) { log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir); } /* if using a logfile, we cannot open it because the logfile would * be created with the wrong permissions, we cannot chown it because * we cannot chown system logfiles, so we do not open at all. * So, using a logfile, the user does not see errors unless -d is * given to unbound on the commandline. */ /* read ssl keys while superuser and outside chroot */ #ifdef HAVE_SSL if(!(daemon->rc = daemon_remote_create(cfg))) fatal_exit("could not set up remote-control"); if(cfg->ssl_service_key && cfg->ssl_service_key[0]) { if(!(daemon->listen_sslctx = listen_sslctx_create( cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) fatal_exit("could not set up listen SSL_CTX"); } if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, NULL))) fatal_exit("could not set up connect SSL_CTX"); #endif #ifdef HAVE_KILL /* check old pid file before forking */ if(cfg->pidfile && cfg->pidfile[0]) { /* calculate position of pidfile */ if(cfg->pidfile[0] == '/') daemon->pidfile = strdup(cfg->pidfile); else daemon->pidfile = fname_after_chroot(cfg->pidfile, cfg, 1); if(!daemon->pidfile) fatal_exit("pidfile alloc: out of memory"); checkoldpid(daemon->pidfile, /* true if pidfile is inside chrootdir, or nochroot */ !(cfg->chrootdir && cfg->chrootdir[0]) || (cfg->chrootdir && cfg->chrootdir[0] && strncmp(daemon->pidfile, cfg->chrootdir, strlen(cfg->chrootdir))==0)); } #endif /* daemonize because pid is needed by the writepid func */ if(!debug_mode && cfg->do_daemonize) { detach(); } /* write new pidfile (while still root, so can be outside chroot) */ #ifdef HAVE_KILL if(cfg->pidfile && cfg->pidfile[0]) { writepid(daemon->pidfile, getpid()); - if(!(cfg->chrootdir && cfg->chrootdir[0]) || - (cfg->chrootdir && cfg->chrootdir[0] && - strncmp(daemon->pidfile, cfg->chrootdir, - strlen(cfg->chrootdir))==0)) { - /* delete of pidfile could potentially work, - * chown to get permissions */ - if(cfg->username && cfg->username[0]) { - if(chown(daemon->pidfile, uid, gid) == -1) { + if(cfg->username && cfg->username[0]) { + if(chown(daemon->pidfile, cfg->uid, cfg->gid) == -1) { log_err("cannot chown %u.%u %s: %s", - (unsigned)uid, (unsigned)gid, + (unsigned)cfg->uid, (unsigned)cfg->gid, daemon->pidfile, strerror(errno)); - } } } } #else (void)daemon; #endif /* Set user context */ #ifdef HAVE_GETPWNAM if(cfg->username && cfg->username[0]) { #ifdef HAVE_SETUSERCONTEXT /* setusercontext does initgroups, setuid, setgid, and * also resource limits from login config, but we * still call setresuid, setresgid to be sure to set all uid*/ - if(setusercontext(NULL, pwd, uid, (unsigned) + if(setusercontext(NULL, pwd, cfg->uid, (unsigned) LOGIN_SETALL & ~LOGIN_SETUSER & ~LOGIN_SETGROUP) != 0) log_warn("unable to setusercontext %s: %s", cfg->username, strerror(errno)); #endif /* HAVE_SETUSERCONTEXT */ } #endif /* HAVE_GETPWNAM */ /* box into the chroot */ #ifdef HAVE_CHROOT if(cfg->chrootdir && cfg->chrootdir[0]) { if(chdir(cfg->chrootdir)) { fatal_exit("unable to chdir to chroot %s: %s", cfg->chrootdir, strerror(errno)); } verbose(VERB_QUERY, "chdir to %s", cfg->chrootdir); if(chroot(cfg->chrootdir)) fatal_exit("unable to chroot to %s: %s", cfg->chrootdir, strerror(errno)); if(chdir("/")) fatal_exit("unable to chdir to / in chroot %s: %s", cfg->chrootdir, strerror(errno)); verbose(VERB_QUERY, "chroot to %s", cfg->chrootdir); if(strncmp(*cfgfile, cfg->chrootdir, strlen(cfg->chrootdir)) == 0) (*cfgfile) += strlen(cfg->chrootdir); /* adjust stored pidfile for chroot */ if(daemon->pidfile && daemon->pidfile[0] && strncmp(daemon->pidfile, cfg->chrootdir, strlen(cfg->chrootdir))==0) { char* old = daemon->pidfile; daemon->pidfile = strdup(old+strlen(cfg->chrootdir)); free(old); if(!daemon->pidfile) log_err("out of memory in pidfile adjust"); } daemon->chroot = strdup(cfg->chrootdir); if(!daemon->chroot) log_err("out of memory in daemon chroot dir storage"); } #else (void)cfgfile; #endif /* change to working directory inside chroot */ if(cfg->directory && cfg->directory[0]) { char* dir = cfg->directory; if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(dir, cfg->chrootdir, strlen(cfg->chrootdir)) == 0) dir += strlen(cfg->chrootdir); if(dir[0]) { if(chdir(dir)) { fatal_exit("Could not chdir to %s: %s", dir, strerror(errno)); } verbose(VERB_QUERY, "chdir to %s", dir); } } /* drop permissions after chroot, getpwnam, pidfile, syslog done*/ #ifdef HAVE_GETPWNAM if(cfg->username && cfg->username[0]) { # ifdef HAVE_INITGROUPS - if(initgroups(cfg->username, gid) != 0) + if(initgroups(cfg->username, cfg->gid) != 0) log_warn("unable to initgroups %s: %s", cfg->username, strerror(errno)); # endif /* HAVE_INITGROUPS */ endpwent(); #ifdef HAVE_SETRESGID - if(setresgid(gid,gid,gid) != 0) + if(setresgid(cfg->gid,cfg->gid,cfg->gid) != 0) #elif defined(HAVE_SETREGID) && !defined(DARWIN_BROKEN_SETREUID) - if(setregid(gid,gid) != 0) + if(setregid(cfg->gid,cfg->gid) != 0) #else /* use setgid */ - if(setgid(gid) != 0) + if(setgid(cfg->gid) != 0) #endif /* HAVE_SETRESGID */ fatal_exit("unable to set group id of %s: %s", cfg->username, strerror(errno)); #ifdef HAVE_SETRESUID - if(setresuid(uid,uid,uid) != 0) + if(setresuid(cfg->uid,cfg->uid,cfg->uid) != 0) #elif defined(HAVE_SETREUID) && !defined(DARWIN_BROKEN_SETREUID) - if(setreuid(uid,uid) != 0) + if(setreuid(cfg->uid,cfg->uid) != 0) #else /* use setuid */ - if(setuid(uid) != 0) + if(setuid(cfg->uid) != 0) #endif /* HAVE_SETRESUID */ fatal_exit("unable to set user id of %s: %s", cfg->username, strerror(errno)); verbose(VERB_QUERY, "drop user privileges, run as %s", cfg->username); } #endif /* HAVE_GETPWNAM */ /* file logging inited after chroot,chdir,setuid is done so that * it would succeed on SIGHUP as well */ if(!cfg->use_syslog) log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir); } /** * Run the daemon. * @param cfgfile: the config file name. * @param cmdline_verbose: verbosity resulting from commandline -v. * These increase verbosity as specified in the config file. * @param debug_mode: if set, do not daemonize. */ static void run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode) { struct config_file* cfg = NULL; struct daemon* daemon = NULL; int done_setup = 0; if(!(daemon = daemon_init())) fatal_exit("alloc failure"); while(!daemon->need_to_exit) { if(done_setup) verbose(VERB_OPS, "Restart of %s.", PACKAGE_STRING); else verbose(VERB_OPS, "Start of %s.", PACKAGE_STRING); /* config stuff */ if(!(cfg = config_create())) fatal_exit("Could not alloc config defaults"); if(!config_read(cfg, cfgfile, daemon->chroot)) { if(errno != ENOENT) fatal_exit("Could not read config file: %s", cfgfile); log_warn("Continuing with default config settings"); } apply_settings(daemon, cfg, cmdline_verbose, debug_mode); /* prepare */ if(!daemon_open_shared_ports(daemon)) fatal_exit("could not open ports"); if(!done_setup) { perform_setup(daemon, cfg, debug_mode, &cfgfile); done_setup = 1; } else { /* reopen log after HUP to facilitate log rotation */ if(!cfg->use_syslog) log_init(cfg->logfile, 0, cfg->chrootdir); } /* work */ daemon_fork(daemon); /* clean up for restart */ verbose(VERB_ALGO, "cleanup."); daemon_cleanup(daemon); config_delete(cfg); } verbose(VERB_ALGO, "Exit cleanup."); /* this unlink may not work if the pidfile is located outside * of the chroot/workdir or we no longer have permissions */ if(daemon->pidfile) { int fd; /* truncate pidfile */ fd = open(daemon->pidfile, O_WRONLY | O_TRUNC, 0644); if(fd != -1) close(fd); /* delete pidfile */ unlink(daemon->pidfile); } daemon_delete(daemon); } /** getopt global, in case header files fail to declare it. */ extern int optind; /** getopt global, in case header files fail to declare it. */ extern char* optarg; /** * main program. Set options given commandline arguments. * @param argc: number of commandline arguments. * @param argv: array of commandline arguments. * @return: exit status of the program. */ int main(int argc, char* argv[]) { int c; const char* cfgfile = CONFIGFILE; const char* winopt = NULL; int cmdline_verbose = 0; int debug_mode = 0; #ifdef UB_ON_WINDOWS int cmdline_cfg = 0; #endif #ifdef HAVE_SBRK /* take debug snapshot of heap */ unbound_start_brk = sbrk(0); #endif log_init(NULL, 0, NULL); log_ident_set(strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0]); /* parse the options */ while( (c=getopt(argc, argv, "c:dhvw:")) != -1) { switch(c) { case 'c': cfgfile = optarg; #ifdef UB_ON_WINDOWS cmdline_cfg = 1; #endif break; case 'v': cmdline_verbose ++; verbosity++; break; case 'd': debug_mode++; break; case 'w': winopt = optarg; break; case '?': case 'h': default: usage(); return 1; } } argc -= optind; argv += optind; if(winopt) { #ifdef UB_ON_WINDOWS wsvc_command_option(winopt, cfgfile, cmdline_verbose, cmdline_cfg); #else fatal_exit("option not supported"); #endif } if(argc != 0) { usage(); return 1; } run_daemon(cfgfile, cmdline_verbose, debug_mode); log_init(NULL, 0, NULL); /* close logfile */ return 0; } Index: head/contrib/unbound/doc/unbound.conf.5 =================================================================== --- head/contrib/unbound/doc/unbound.conf.5 (revision 276698) +++ head/contrib/unbound/doc/unbound.conf.5 (revision 276699) @@ -1,1154 +1,1165 @@ .TH "unbound.conf" "5" "Dec 8, 2014" "NLnet Labs" "unbound 1.5.1" .\" .\" unbound.conf.5 -- unbound.conf manual .\" .\" Copyright (c) 2007, NLnet Labs. All rights reserved. .\" .\" See LICENSE for the license. .\" .\" .SH "NAME" .B unbound.conf \- Unbound configuration file. .SH "SYNOPSIS" .B unbound.conf .SH "DESCRIPTION" .B unbound.conf is used to configure \fIunbound\fR(8). The file format has attributes and values. Some attributes have attributes inside them. The notation is: attribute: value. .P Comments start with # and last to the end of line. Empty lines are ignored as is whitespace at the beginning of a line. .P The utility \fIunbound\-checkconf\fR(8) can be used to check unbound.conf prior to usage. .SH "EXAMPLE" An example config file is shown below. Copy this to /etc/unbound/unbound.conf and start the server with: .P .nf $ unbound \-c /etc/unbound/unbound.conf .fi .P Most settings are the defaults. Stop the server with: .P .nf $ kill `cat /etc/unbound/unbound.pid` .fi .P Below is a minimal config file. The source distribution contains an extensive example.conf file with all the options. .P .nf # unbound.conf(5) config file for unbound(8). server: directory: "/etc/unbound" username: unbound # make sure unbound can access entropy from inside the chroot. # e.g. on linux the use these commands (on BSD, devfs(8) is used): # mount \-\-bind \-n /dev/random /etc/unbound/dev/random # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log chroot: "/etc/unbound" # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile. pidfile: "/etc/unbound/unbound.pid" # verbosity: 1 # uncomment and increase to get more logging. # listen on all interfaces, answer queries from the local subnet. interface: 0.0.0.0 interface: ::0 access\-control: 10.0.0.0/8 allow access\-control: 2001:DB8::/64 allow .fi .SH "FILE FORMAT" There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value. .P Files can be included using the .B include: directive. It can appear anywhere, it accepts a single file name as argument. Processing continues as if the text from the included file was copied into the config file at that point. If also using chroot, using full path names for the included files works, relative pathnames for the included names work if the directory where the daemon is started equals its chroot/working directory. Wildcards can be used to include multiple files, see \fIglob\fR(7). .SS "Server Options" These options are part of the .B server: clause. .TP .B verbosity: \fI The verbosity number, level 0 means no verbosity, only errors. Level 1 gives operational information. Level 2 gives detailed operational information. Level 3 gives query level information, output per query. Level 4 gives algorithm level information. Level 5 logs client identification for cache misses. Default is level 1. The verbosity can also be increased from the commandline, see \fIunbound\fR(8). .TP .B statistics\-interval: \fI The number of seconds between printing statistics to the log for every thread. Disable with value 0 or "". Default is disabled. The histogram statistics are only printed if replies were sent during the statistics interval, requestlist statistics are printed for every interval (but can be 0). This is because the median calculation requires data to be present. .TP .B statistics\-cumulative: \fI If enabled, statistics are cumulative since starting unbound, without clearing the statistics counters after logging the statistics. Default is no. .TP .B extended\-statistics: \fI If enabled, extended statistics are printed from \fIunbound\-control\fR(8). Default is off, because keeping track of more statistics takes time. The counters are listed in \fIunbound\-control\fR(8). .TP .B num\-threads: \fI The number of threads to create to serve clients. Use 1 for no threading. .TP .B port: \fI The port number, default 53, on which the server responds to queries. .TP .B interface: \fI Interface to use to connect to the network. This interface is listened to for queries from clients, and answers to clients are given from it. Can be given multiple times to work on several interfaces. If none are given the default is to listen to localhost. The interfaces are not changed on a reload (kill \-HUP) but only on restart. A port number can be specified with @port (without spaces between interface and port number), if not specified the default port (from \fBport\fR) is used. .TP .B ip\-address: \fI Same as interface: (for easy of compatibility with nsd.conf). .TP .B interface\-automatic: \fI Detect source interface on UDP queries and copy them to replies. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP .B outgoing\-interface: \fI Interface to use to connect to the network. This interface is used to send queries to authoritative servers and receive their replies. Can be given multiple times to work on several interfaces. If none are given the default (all) is used. You can specify the same interfaces in .B interface: and .B outgoing\-interface: lines, the interfaces are then used for both purposes. Outgoing queries are sent via a random outgoing interface to counter spoofing. .TP .B outgoing\-range: \fI Number of ports to open. This number of file descriptors can be opened per thread. Must be at least 1. Default depends on compile options. Larger numbers need extra resources from the operating system. For performance a a very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI Permit unbound to open this port or range of ports for use to send queries. A larger number of permitted outgoing ports increases resilience against spoofing attempts. Make sure these ports are not needed by other daemons. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. .IP The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements are processed in the line order of the config file, adding the permitted ports and subtracting the avoided ports from the set of allowed ports. The processing starts with the non IANA allocated ports above 1024 in the set of allowed ports. .TP .B outgoing\-port\-avoid: \fI Do not permit unbound to open this port or range of ports for use to send queries. Use this to make sure unbound does not grab a port that another daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. .TP .B outgoing\-num\-tcp: \fI Number of outgoing TCP buffers to allocate per thread. Default is 10. If set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers are done. .TP .B incoming\-num\-tcp: \fI Number of incoming TCP buffers to allocate per thread. Default is 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are accepted. .TP .B edns\-buffer\-size: \fI Number of bytes size to advertise as the EDNS reassembly buffer size. This is the value put into datagrams over UDP towards peers. The actual buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do not set higher than that value. Default is 4096 which is RFC recommended. If you have fragmentation reassembly problems, usually seen as timeouts, then a value of 1480 can fix it. Setting to 512 bypasses even the most stringent path MTU problems, but is seen as extreme, since the amount of TCP fallback generated is excessive (probably also for this resolver, consider tuning the outgoing tcp number). .TP .B max\-udp\-size: \fI Maximum UDP response size (not applied to TCP response). 65536 disables the udp response size maximum, and uses the choice from the client, always. Suggested values are 512 to 4096. Default is 4096. .TP .B msg\-buffer\-size: \fI Number of bytes size of the message buffers. Default is 65552 bytes, enough for 64 Kb packets, the maximum DNS message size. No message larger than this can be sent or received. Can be reduced to use less memory, but some requests for DNS data, such as for huge resource records, will result in a SERVFAIL reply to the client. .TP .B msg\-cache\-size: \fI Number of bytes size of the message cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP .B msg\-cache\-slabs: \fI Number of slabs in the message cache. Slabs reduce lock contention by threads. Must be set to a power of 2. Setting (close) to the number of cpus is a reasonable guess. .TP .B num\-queries\-per\-thread: \fI The number of queries that every thread will service simultaneously. If more queries arrive that need servicing, and no queries can be jostled out (see \fIjostle\-timeout\fR), then the queries are dropped. This forces the client to resend after a timeout; allowing the server time to work on the existing queries. Default depends on compile options, 512 or 1024. .TP .B jostle\-timeout: \fI Timeout used when the server is very busy. Set to a value that usually results in one roundtrip to the authority servers. If too many queries arrive, then 50% of the queries are allowed to run to completion, and the other 50% are replaced with the new incoming query if they have already spent more than their allowed time. This protects against denial of service by slow queries or high query rates. Default 200 milliseconds. The effect is that the qps for long-lasting queries is about (numqueriesperthread / 2) / (average time for such long queries) qps. The qps for short queries can be about (numqueriesperthread / 2) / (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560 qps by default. .TP .B delay\-close: \fI Extra delay for timeouted UDP ports before they are closed, in msec. Default is 0, and that disables it. This prevents very delayed answer packets from the upstream (recursive) servers from bouncing against closed ports and setting off all sort of close-port counters, with eg. 1500 msec. When timeouts happen you need extra sockets, it checks the ID and remote IP of packets, and unwanted packets are added to the unwanted packet counter. .TP .B so\-rcvbuf: \fI If not 0, then set the SO_RCVBUF socket option to get more buffer space on UDP port 53 incoming queries. So that short spikes on busy servers do not drop packets (see counter in netstat \-su). Default is 0 (use system value). Otherwise, the number of bytes to ask for, try "4m" on a busy server. The OS caps it at a maximum, on linux unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. On OpenBSD change header and recompile kernel. On Solaris ndd \-set /dev/udp udp_max_buf 8388608. .TP .B so\-sndbuf: \fI If not 0, then set the SO_SNDBUF socket option to get more buffer space on UDP port 53 outgoing queries. This for very busy servers handles spikes in answer traffic, otherwise 'send: resource temporarily unavailable' can get logged, the buffer overrun is also visible by netstat \-su. Default is 0 (use system value). Specify the number of bytes to ask for, try "4m" on a very busy server. The OS caps it at a maximum, on linux unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar to so\-rcvbuf. .TP .B so\-reuseport: \fI If yes, then open dedicated listening sockets for incoming queries for each thread and try to set the SO_REUSEPORT socket option on each socket. May distribute incoming queries to threads more evenly. Default is no. On Linux it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX it may also work. You can enable it (on any platform and kernel), it then attempts to open the port and passes the option if it was available at compile time, if that works it is used, if it fails, it continues silently (unless verbosity 3) without the option. .TP .B rrset\-cache\-size: \fI Number of bytes size of the RRset cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP .B rrset\-cache\-slabs: \fI Number of slabs in the RRset cache. Slabs reduce lock contention by threads. Must be set to a power of 2. .TP .B cache\-max\-ttl: \fI Time to live maximum for RRsets and messages in the cache. Default is 86400 seconds (1 day). If the maximum kicks in, responses to clients still get decrementing TTLs based on the original (larger) values. When the internal TTL expires, the cache item has expired. Can be set lower to force the resolver to query for data often, and not trust (very large) TTL values. .TP .B cache\-min\-ttl: \fI Time to live minimum for RRsets and messages in the cache. Default is 0. If the the minimum kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more. .TP .B infra\-host\-ttl: \fI Time to live for entries in the host cache. The host cache contains roundtrip timing, lameness and EDNS support information. Default is 900. .TP .B infra\-cache\-slabs: \fI Number of slabs in the infrastructure cache. Slabs reduce lock contention by threads. Must be set to a power of 2. .TP .B infra\-cache\-numhosts: \fI Number of hosts for which information is cached. Default is 10000. .TP .B do\-ip4: \fI Enable or disable whether ip4 queries are answered or issued. Default is yes. .TP .B do\-ip6: \fI Enable or disable whether ip6 queries are answered or issued. Default is yes. If disabled, queries are not answered on IPv6, and queries are not sent on IPv6 to the internet nameservers. With this option you can disable the ipv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it. .TP .B do\-udp: \fI Enable or disable whether UDP queries are answered or issued. Default is yes. .TP .B do\-tcp: \fI Enable or disable whether TCP queries are answered or issued. Default is yes. .TP .B tcp\-upstream: \fI Enable or disable whether the upstream queries use TCP only for transport. Default is no. Useful in tunneling scenarios. .TP .B ssl\-upstream: \fI Enabled or disable whether the upstream queries use SSL only for transport. Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR). .TP .B ssl\-service-key: \fI If enabled, the server provider SSL service on its TCP sockets. The clients have to use ssl\-upstream: yes. The file is the private key for the TLS session. The public certificate is in the ssl\-service\-pem file. Default is "", turned off. Requires a restart (a reload is not enough) if changed, because the private key is read while root permissions are held and before chroot (if any). Normal DNS TCP service is not provided and gives errors, this service is best run with a different \fBport:\fR config or \fI@port\fR suffixes in the \fBinterface\fR config. .TP .B ssl\-service\-pem: \fI The public key certificate pem file for the ssl service. Default is "", turned off. .TP .B ssl\-port: \fI The port number on which to provide TCP SSL service, default 443, only interfaces configured with that port number as @number get the SSL service. .TP .B do\-daemonize: \fI Enable or disable whether the unbound server forks into the background as a daemon. Default is yes. .TP .B access\-control: \fI The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. .IP The action \fIdeny\fR stops queries from hosts from that netblock. .IP The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED error message back. .IP The action \fIallow\fR gives access to clients from that netblock. It gives only access for recursion clients (which is what almost all clients need). Nonrecursive queries are refused. .IP The \fIallow\fR action does allow nonrecursive queries to access the local\-data that is configured. The reason is that this does not involve the unbound server recursive lookup algorithm, and static data is served in the reply. This supports normal operations where nonrecursive queries are made for the authoritative data. For nonrecursive queries any replies from the dynamic cache are refused. .IP The action \fIallow_snoop\fR gives nonrecursive access too. This give both recursive and non recursive access. The name \fIallow_snoop\fR refers to cache snooping, a technique to use nonrecursive queries to examine the cache contents (for malicious acts). However, nonrecursive queries can also be a valuable debugging tool (when you want to examine the cache contents). In that case use \fIallow_snoop\fR for your administration host. .IP By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS protocol is not designed to handle dropped packets due to policy, and dropping may result in (possibly excessive) retried queries. .IP The deny_non_local and refuse_non_local settings are for hosts that are only allowed to query for the authoritative local\-data, they are not allowed full recursion but only the static data. With deny_non_local, messages that are disallowed are dropped, with refuse_non_local they receive error code REFUSED. .TP .B chroot: \fI If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the chroot has been performed the now defunct portion of the config file path is removed to be able to reread the config after a reload. .IP All other file paths (working dir, logfile, roothints, and key files) can be specified in several ways: as an absolute path relative to the new root, as a relative path to the working directory, or as an absolute path relative to the original root. In the last case the path is adjusted to remove the unused portion. .IP The pidfile can be either a relative path to the working directory, or an absolute path relative to the original root. It is written just prior to chroot and dropping permissions. This allows the pidfile to be /var/run/unbound.pid and the chroot to be /var/unbound, for example. .IP Additionally, unbound may need to access /dev/random (for entropy) from inside the chroot. .IP If given a chroot is done to the given directory. The default is "/var/unbound". If you give "" no chroot is performed. .TP .B username: \fI If given, after binding the port the user privileges are dropped. Default is "unbound". If you give username: "" no user change is performed. .IP If this user is not capable of binding the port, reloads (by signal HUP) will still retain the opened ports. If you change the port number in the config file, and that new port number requires privileges, then a reload will fail; a restart is needed. .TP .B directory: \fI Sets the working directory for the program. Default is "/var/unbound". .TP .B logfile: \fI If "" is given, logging goes to stderr, or nowhere once daemonized. The logfile is appended to, in the following format: .nf [seconds since 1970] unbound[pid:tid]: type: message. .fi If this option is given, the use\-syslog is option is set to "no". The logfile is reopened (for append) when the config file is reread, on SIGHUP. .TP .B use\-syslog: \fI Sets unbound to send log messages to the syslogd, using \fIsyslog\fR(3). The log facility LOG_DAEMON is used, with identity "unbound". The logfile setting is overridden when use\-syslog is turned on. The default is to log to syslog. .TP .B log\-time\-ascii: \fI Sets logfile lines to use a timestamp in UTC ascii. Default is no, which prints the seconds since 1970 in brackets. No effect if using syslog, in that case syslog formats the timestamp printed into the log files. .TP .B log\-queries: \fI Prints one line per query to the log, with the log timestamp and IP address, name, type and class. Default is no. Note that it takes time to print these lines which makes the server (significantly) slower. Odd (nonprintable) characters in names are printed as '?'. .TP .B pidfile: \fI The process id is written to the file. Default is "/var/unbound/unbound.pid". So, .nf kill \-HUP `cat /var/unbound/unbound.pid` .fi triggers a reload, .nf kill \-QUIT `cat /var/unbound/unbound.pid` .fi gracefully terminates. .TP .B root\-hints: \fI Read the root hints from this file. Default is nothing, using builtin hints for the IN class. The file has the format of zone files, with root nameserver names and addresses only. The default may become outdated, when servers change, therefore it is good practice to use a root\-hints file. .TP .B hide\-identity: \fI If enabled id.server and hostname.bind queries are refused. .TP .B identity: \fI Set the identity to report. If set to "", the default, then the hostname of the server is returned. .TP .B hide\-version: \fI If enabled version.server and version.bind queries are refused. .TP .B version: \fI Set the version to report. If set to "", the default, then the package version is returned. .TP .B target\-fetch\-policy: \fI<"list of numbers"> Set the target fetch policy used by unbound to determine if it should fetch nameserver target addresses opportunistically. The policy is described per dependency depth. .IP The number of values determines the maximum dependency depth that unbound will pursue in answering a query. A value of \-1 means to fetch all targets opportunistically for that dependency depth. A value of 0 means to fetch on demand only. A positive value fetches that many targets opportunistically. .IP Enclose the list between quotes ("") and put spaces between numbers. The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour rumoured to be closer to that of BIND 8. .TP .B harden\-short\-bufsize: \fI Very small EDNS buffer sizes from queries are ignored. Default is off, since it is legal protocol wise to send these, and unbound tries to give very small answers to these queries, where possible. .TP .B harden\-large\-queries: \fI Very large queries are ignored. Default is off, since it is legal protocol wise to send these, and could be necessary for operation if TSIG or EDNS payload is very large. .TP .B harden\-glue: \fI Will trust glue only if it is within the servers authority. Default is on. .TP .B harden\-dnssec\-stripped: \fI Require DNSSEC data for trust\-anchored zones, if such data is absent, the zone becomes bogus. If turned off, and no DNSSEC data is received (or the DNSKEY data fails to validate), then the zone is made insecure, this behaves like there is no trust anchor. You could turn this off if you are sometimes behind an intrusive firewall (of some sort) that removes DNSSEC data from packets, or a zone changes from signed to unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone. Default is on. .TP .B harden\-below\-nxdomain: \fI From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name below another name that is already known to be nxdomain. DNSSEC mandates noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. .TP .B harden\-referral\-path: \fI Harden the referral path by performing additional queries for infrastructure data. Validates the replies if trust anchors are configured and the zones are signed. This enforces DNSSEC validation on nameserver NS sets and the nameserver addresses that are encountered on the referral path to the answer. Default off, because it burdens the authority servers, and it is not RFC standard, and could lead to performance problems because of the extra query load that is generated. Experimental option. If you enable it consider adding more numbers after the target\-fetch\-policy to increase the max depth that is checked to. .TP .B use\-caps\-for\-id: \fI Use 0x20\-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns\-0x20. .TP .B private\-address: \fI Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network, and are not allowed to be returned for public internet names. Any occurence of such addresses are removed from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus. This protects against so\-called DNS Rebinding, where a user browser is turned into a network proxy, allowing remote access through the browser to other parts of your private network. Some names can be allowed to contain your private addresses, by default all the \fBlocal\-data\fR that you configured is allowed to, and you can specify additional names using \fBprivate\-domain\fR. No private addresses are enabled by default. We consider to enable this for the RFC1918 private IP address space by default in later releases. That would enable private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards say these addresses should not be visible on the public internet. Turning on 127.0.0.0/8 would hinder many spamblocklists as they use that. .TP .B private\-domain: \fI Allow this domain, and all its subdomains to contain private addresses. Give multiple times to allow multiple domain names to contain private addresses. Default is none. .TP .B unwanted\-reply\-threshold: \fI If set, a total number of unwanted replies is kept track of in every thread. When it reaches the threshold, a defensive action is taken and a warning is printed to the log. The defensive action is to clear the rrset and message caches, hopefully flushing away any poison. A value of 10 million is suggested. Default is 0 (turned off). .TP .B do\-not\-query\-address: \fI Do not query the given IP address. Can be IP4 or IP6. Append /num to indicate a classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. .TP .B do\-not\-query\-localhost: \fI If yes, localhost is added to the do\-not\-query\-address entries, both IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send queries to. Default is yes. .TP .B prefetch: \fI If yes, message cache elements are prefetched before they expire to keep the cache up to date. Default is no. Turning it on gives about 10 percent more traffic and load on the machine, but popular items do not expire from the cache. .TP .B prefetch-key: \fI If yes, fetch the DNSKEYs earlier in the validation process, when a DS record is encountered. This lowers the latency of requests. It does use a little more CPU. Also if the cache is set to 0, it is no use. Default is no. .TP .B rrset-roundrobin: \fI If yes, Unbound rotates RRSet order in response (the random number is taken from the query ID, for speed and thread safety). Default is no. .TP .B minimal-responses: \fI If yes, Unbound doesn't insert authority/additional sections into response messages when those sections are not required. This reduces response size significantly, and may avoid TCP fallback for some responses. This may cause a slight speedup. The default is no, because the DNS protocol RFCs mandate these sections, and the additional content could be of use and save roundtrips for clients. .TP .B module\-config: \fI<"module names"> Module configuration, a list of module names separated by spaces, surround the string with quotes (""). The modules can be validator, iterator. Setting this to "iterator" will result in a non\-validating server. Setting this to "validator iterator" will turn on DNSSEC validation. The ordering of the modules is important. You must also set trust\-anchors for validation to be useful. .TP .B trust\-anchor\-file: \fI File with trusted keys for validation. Both DS and DNSKEY entries can appear in the file. The format of the file is the standard DNS Zone file format. Default is "", or no trust anchor file. .TP .B auto\-trust\-anchor\-file: \fI File with trust anchor for one zone, which is tracked with RFC5011 probes. The probes are several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, so the unbound user must have write permission. .TP .B trust\-anchor: \fI<"Resource Record"> A DS or DNSKEY RR for a key to use for validation. Multiple entries can be given to specify multiple trusted keys, in addition to the trust\-anchor\-files. The resource record is entered in the same format as 'dig' or 'drill' prints them, the same format as in the zone file. Has to be on a single line, with "" around it. A TTL can be specified for ease of cut and paste, but is ignored. A class can be specified, but class IN is default. .TP .B trusted\-keys\-file: \fI File with trusted keys for validation. Specify more than one file with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR but has a different file format. Format is BIND\-9 style format, the trusted\-keys { name flag proto algo "key"; }; clauses are read. It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. .TP .B dlv\-anchor\-file: \fI File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and DNSKEY entries can be used in the file, in the same format as for \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more would be slow. The DLV configured is used as a root trusted DLV, this means that it is a lookaside for the root. Default is "", or no dlv anchor file. .TP .B dlv\-anchor: \fI<"Resource Record"> Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. .TP .B domain\-insecure: \fI Sets domain name to be insecure, DNSSEC chain of trust is ignored towards the domain name. So a trust anchor above the domain name can not make the domain secure with a DS record, such a DS record is then ignored. Also keys from DLV are ignored for the domain. Can be given multiple times to specify multiple domains that are treated as if unsigned. If you set trust anchors for the domain they override this setting (and the domain is secured). .IP This can be useful if you want to make sure a trust anchor for external lookups does not affect an (unsigned) internal domain. A DS record externally can create validation failures for that internal domain. .TP .B val\-override\-date: \fI Default is "" or "0", which disables this debugging feature. If enabled by giving a RRSIG style date, that date is used for verifying RRSIG inception and expiration dates, instead of the current date. Do not set this unless you are debugging signature inception and expiration. The value \-1 ignores the date altogether, useful for some special applications. .TP .B val\-sig\-skew\-min: \fI Minimum number of seconds of clock skew to apply to validated signatures. A value of 10% of the signature lifetime (expiration \- inception) is used, capped by this setting. Default is 3600 (1 hour) which allows for daylight savings differences. Lower this value for more strict checking of short lived signatures. .TP .B val\-sig\-skew\-max: \fI Maximum number of seconds of clock skew to apply to validated signatures. A value of 10% of the signature lifetime (expiration \- inception) is used, capped by this setting. Default is 86400 (24 hours) which allows for timezone setting problems in stable domains. Setting both min and max very low disables the clock skew allowances. Setting both min and max very high makes the validator check the signature timestamps less strictly. .TP .B val\-bogus\-ttl: \fI The time to live for bogus data. This is data that has failed validation; due to invalid signatures or other checks. The TTL from that data cannot be trusted, and this value is used instead. The value is in seconds, default 60. The time interval prevents repeated revalidation of bogus data. .TP .B val\-clean\-additional: \fI Instruct the validator to remove data from the additional section of secure messages that are not signed properly. Messages that are insecure, bogus, indeterminate or unchecked are not affected. Default is yes. Use this setting to protect the users that rely on this validator for authentication from protentially bad data in the additional section. .TP .B val\-log\-level: \fI Have the validator print validation failures to the log. Regardless of the verbosity setting. Default is 0, off. At 1, for every user query that fails a line is printed to the logs. This way you can monitor what happens with validation. Use a diagnosis tool, such as dig or drill, to find out why validation is failing for these queries. At 2, not only the query that failed is printed but also the reason why unbound thought it was wrong and which server sent the faulty data. .TP .B val\-permissive\-mode: \fI Instruct the validator to mark bogus messages as indeterminate. The security checks are performed, but if the result is bogus (failed security), the reply is not withheld from the client with SERVFAIL as usual. The client receives the bogus data. For messages that are found to be secure the AD bit is set in replies. Also logging is performed as for full validation. The default value is "no". .TP .B ignore\-cd\-flag: \fI Instruct unbound to ignore the CD flag from clients and refuse to return bogus answers to them. Thus, the CD (Checking Disabled) flag does not disable checking any more. This is useful if legacy (w2008) servers that set the CD flag but cannot validate DNSSEC themselves are the clients, and then unbound provides them with DNSSEC protection. The default value is "no". .TP .B val\-nsec3\-keysize\-iterations: \fI<"list of values"> List of keysize and iteration count values, separated by spaces, surrounded by quotes. Default is "1024 150 2048 500 4096 2500". This determines the maximum allowed NSEC3 iteration count before a message is simply marked insecure instead of performing the many hashing iterations. The list must be in ascending order and have at least one entry. If you set it to "1024 65535" there is no restriction to NSEC3 iteration values. This table must be kept short; a very long list could cause slower operation. .TP .B add\-holddown: \fI Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 autotrust updates to add new trust anchors only after they have been visible for this time. Default is 30 days as per the RFC. .TP .B del\-holddown: \fI Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 autotrust updates to remove revoked trust anchors after they have been kept in the revoked list for this long. Default is 30 days as per the RFC. .TP .B keep\-missing: \fI Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 autotrust updates to remove missing trust anchors after they have been unseen for this long. This cleans up the state file if the target zone does not perform trust anchor revocation, so this makes the auto probe mechanism work with zones that perform regular (non\-5011) rollovers. The default is 366 days. The value 0 does not remove missing anchors, as per the RFC. .TP .B key\-cache\-size: \fI Number of bytes size of the key cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP .B key\-cache\-slabs: \fI Number of slabs in the key cache. Slabs reduce lock contention by threads. Must be set to a power of 2. Setting (close) to the number of cpus is a reasonable guess. .TP .B neg\-cache\-size: \fI Number of bytes size of the aggressive negative cache. Default is 1 megabyte. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP .B unblock\-lan\-zones: \fI Default is disabled. If enabled, then for private address space, the reverse lookups are no longer filtered. This allows unbound when running as dns service on a host where it provides service for that host, to put out all of the queries for the 'lan' upstream. When enabled, only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured with default local zones. Disable the option when unbound is running as a (DHCP-) DNS network resolver for a group of machines, where such lookups should be filtered (RFC compliance), this also stops potential data leakage about the local network to the upstream DNS servers. .TP .B local\-zone: \fI Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, transparent, redirect, nodefault, typetransparent, and are explained below. After that the default settings are listed. Use local\-data: to enter data into the local zone. Answers for local zones are authoritative DNS answers. By default the zones are class IN. .IP If you need more complicated authoritative data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for it as detailed in the stub zone section below. .TP 10 \h'5'\fIdeny\fR Do not send an answer, drop the query. If there is a match from local data, the query is answered. .TP 10 \h'5'\fIrefuse\fR Send an error message reply, with rcode REFUSED. If there is a match from local data, the query is answered. .TP 10 \h'5'\fIstatic\fR If there is a match from local data, the query is answered. Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local\-data for the zone apex domain. .TP 10 \h'5'\fItransparent\fR If there is a match from local data, the query is answered. Otherwise if the query has a different name, the query is resolved normally. If the query is for a name given in localdata but no such type of data is given in localdata, then a noerror nodata answer is returned. If no local\-zone is given local\-data causes a transparent zone to be created by default. .TP 10 \h'5'\fItypetransparent\fR If there is a match from local data, the query is answered. If the query is for a different name, or for the same name but for a different type, the query is resolved normally. So, similar to transparent but types that are not listed in local data are resolved normally, so if an A record is in the local data that does not cause a nodata reply for AAAA queries. .TP 10 \h'5'\fIredirect\fR The query is answered from the local data for the zone name. There may be no local data beneath the zone name. This answers queries for the zone, and all subdomains of the zone with the local data for the zone. It can be used to redirect a domain to return a different address record to the end user, with local\-zone: "example.com." redirect and local\-data: "example.com. A 127.0.0.1" queries for www.example.com and www.foo.example.com are redirected, so that users with web browsers cannot access sites with suffix example.com. .TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option has no other effect than turning off default contents for the given zone. .P The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112 zones. The AS112 zones are reverse DNS zones for private use and reserved IP addresses for which the servers on the internet cannot provide correct answers. They are configured by default to give nxdomain (no reverse information) answers. The defaults can be turned off by specifying your own local\-zone of that name, or using the 'nodefault' type. Below is a list of the default zone contents. .TP 10 \h'5'\fIlocalhost\fR The IP4 and IP6 localhost information is given. NS and SOA records are provided for completeness and to satisfy some DNS update tools. Default content: .nf local\-zone: "localhost." static local\-data: "localhost. 10800 IN NS localhost." local\-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" local\-data: "localhost. 10800 IN A 127.0.0.1" local\-data: "localhost. 10800 IN AAAA ::1" .fi .TP 10 \h'5'\fIreverse IPv4 loopback\fR Default content: .nf local\-zone: "127.in\-addr.arpa." static local\-data: "127.in\-addr.arpa. 10800 IN NS localhost." local\-data: "127.in\-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN PTR localhost." .fi .TP 10 \h'5'\fIreverse IPv6 loopback\fR Default content: .nf local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN NS localhost." local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN PTR localhost." .fi .TP 10 \h'5'\fIreverse RFC1918 local use zones\fR Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 31.172.in\-addr.arpa, 168.192.in\-addr.arpa. The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS records are provided. .TP 10 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2), 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa. And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space). .TP 10 \h'5'\fIreverse RFC4291 IP6 unspecified\fR Reverse data for zone .nf 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. .fi .TP 10 \h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR Reverse data for zone D.F.ip6.arpa. .TP 10 \h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa. .TP 10 \h'5'\fIreverse IPv6 Example Prefix\fR Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for tutorials and examples. You can remove the block on this zone with: .nf local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault .fi You can also selectively unblock a part of the zone by making that part transparent with a local\-zone statement. This also works with the other default zones. .\" End of local-zone listing. .TP 5 .B local\-data: \fI"" Configure local data, which is served in reply to queries for it. The query has to match exactly unless you configure the local\-zone as redirect. If not matched exactly, the local\-zone type determines further processing. If local\-data is configured that is not a subdomain of a local\-zone, a transparent local\-zone is configured. For record types such as TXT, use single quotes, as in local\-data: 'example. TXT "text"'. .IP If you need more complicated authoritative data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for it as detailed in the stub zone section below. .TP 5 .B local\-data\-ptr: \fI"IPaddr name" Configure local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name. For example "192.0.2.4 www.example.com". TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" .SS "Remote Control Options" In the .B remote\-control: clause are the declarations for the remote control facility. If this is enabled, the \fIunbound\-control\fR(8) utility can be used to send commands to the running unbound server. The server uses these clauses to setup SSLv3 / TLSv1 security for the connection. The \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR section for options. To setup the correct self\-signed certificates use the \fIunbound\-control\-setup\fR(8) utility. .TP 5 -.B control\-enable: \fI +.B control\-enable: \fI The option is used to enable remote control, default is "no". If turned off, the server does not listen for control commands. .TP 5 -.B control\-interface: -Give IPv4 or IPv6 addresses to listen on for control commands. +.B control\-interface: \fI +Give IPv4 or IPv6 addresses or local socket path to listen on for +control commands. By default localhost (127.0.0.1 and ::1) is listened to. Use 0.0.0.0 and ::0 to listen to all interfaces. +If you change this and permissions have been dropped, you must restart +the server for the change to take effect. .TP 5 -.B control\-port: -The port number to listen on for control commands, default is 8953. -If you change this port number, and permissions have been dropped, -a reload is not sufficient to open the port again, you must then restart. +.B control\-port: \fI +The port number to listen on for IPv4 or IPv6 control interfaces, +default is 8953. +If you change this and permissions have been dropped, you must restart +the server for the change to take effect. .TP 5 -.B server\-key\-file: "" +.B control-use-cert: \fI +Whether to require certificate authentication of control connections. +The default is "yes". +This should not be changed unless there are other mechanisms in place +to prevent untrusted users from accessing the remote control +interface. +.TP 5 +.B server\-key\-file: \fI Path to the server private key, by default unbound_server.key. This file is generated by the \fIunbound\-control\-setup\fR utility. This file is used by the unbound server, but not by \fIunbound\-control\fR. .TP 5 -.B server\-cert\-file: "" +.B server\-cert\-file: \fI Path to the server self signed certificate, by default unbound_server.pem. This file is generated by the \fIunbound\-control\-setup\fR utility. This file is used by the unbound server, and also by \fIunbound\-control\fR. .TP 5 -.B control\-key\-file: "" +.B control\-key\-file: \fI Path to the control client private key, by default unbound_control.key. This file is generated by the \fIunbound\-control\-setup\fR utility. This file is used by \fIunbound\-control\fR. .TP 5 -.B control\-cert\-file: "" +.B control\-cert\-file: \fI Path to the control client certificate, by default unbound_control.pem. This certificate has to be signed with the server certificate. This file is generated by the \fIunbound\-control\-setup\fR utility. This file is used by \fIunbound\-control\fR. .SS "Stub Zone Options" .LP There may be multiple .B stub\-zone: clauses. Each with a name: and zero or more hostnames or IP addresses. For the stub zone this list of nameservers is used. Class IN is assumed. The servers should be authority servers, not recursors; unbound performs the recursive processing itself for stub zones. .P The stub zone can be used to configure authoritative data to be used by the resolver that cannot be accessed using the public internet servers. This is useful for company\-local data or private zones. Setup an authoritative server on a different host (or different port). Enter a config entry for unbound with .B stub\-addr: . The unbound resolver can then access the data, without referring to the public internet for it. .P This setup allows DNSSEC signed zones to be served by that authoritative server, in which case a trusted key entry with the public key can be put in config, so that unbound can validate the data and set the AD bit on replies for the private zone (authoritative servers do not set the AD bit). This setup makes unbound capable of answering queries for the private zone, and can even set the AD bit ('authentic'), but the AA ('authoritative') bit is not set on these replies. .TP .B name: \fI Name of the stub zone. .TP .B stub\-host: \fI Name of stub zone nameserver. Is itself resolved before it is used. .TP .B stub\-addr: \fI IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. .TP .B stub\-prime: \fI This option is by default off. If enabled it performs NS set priming, which is similar to root hints, where it starts using the list of nameservers currently published by the zone. Thus, if the hint list is slightly outdated, the resolver picks up a correct list online. .TP .B stub\-first: \fI If enabled, a query is attempted without the stub clause if it fails. The data could not be retrieved and would have caused SERVFAIL because the servers are unreachable, instead it is tried without this clause. The default is no. .SS "Forward Zone Options" .LP There may be multiple .B forward\-zone: clauses. Each with a \fBname:\fR and zero or more hostnames or IP addresses. For the forward zone this list of nameservers is used to forward the queries to. The servers listed as \fBforward\-host:\fR and \fBforward\-addr:\fR have to handle further recursion for the query. Thus, those servers are not authority servers, but are (just like unbound is) recursive servers too; unbound does not perform recursion itself for the forward zone, it lets the remote server do it. Class IN is assumed. A forward\-zone entry with name "." and a forward\-addr target will forward all queries to that other server (unless it can answer from the cache). .TP .B name: \fI Name of the forward zone. .TP .B forward\-host: \fI Name of server to forward to. Is itself resolved before it is used. .TP .B forward\-addr: \fI IP address of server to forward to. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. .TP .B forward\-first: \fI If enabled, a query is attempted without the forward clause if it fails. The data could not be retrieved and would have caused SERVFAIL because the servers are unreachable, instead it is tried without this clause. The default is no. .SS "Python Module Options" .LP The .B python: clause gives the settings for the \fIpython\fR(1) script module. This module acts like the iterator and validator modules do, on queries and answers. To enable the script module it has to be compiled into the daemon, and the word "python" has to be put in the \fBmodule\-config:\fR option (usually first, or between the validator and iterator). .TP .B python\-script: \fI\fR The script file to load. .SS "DNS64 Module Options" .LP The dns64 module must be configured in the \fBmodule\-config:\fR "dns64 validator iterator" directive and be compiled into the daemon to be enabled. These settings go in the \fBserver:\fR section. .TP .B dns64\-prefix: \fI\fR This sets the DNS64 prefix to use to synthesize AAAA records with. It must be /96 or shorter. The default prefix is 64:ff9b::/96. .TP .B dns64\-synthall: \fI\fR Debug option, default no. If enabled, synthesize all AAAA records despite the presence of actual AAAA records. .SH "MEMORY CONTROL EXAMPLE" In the example config settings below memory usage is reduced. Some service levels are lower, notable very large data and a high TCP load are no longer supported. Very large data and high TCP loads are exceptional for the DNS. DNSSEC validation is enabled, just add trust anchors. If you do not have to worry about programs using more than 3 Mb of memory, the below example is not for you. Use the defaults to receive full service, which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. .P .nf # example settings that reduce memory usage server: num\-threads: 1 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers. incoming\-num\-tcp: 1 outgoing\-range: 60 # uses less memory, but less performance. msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'. msg\-cache\-size: 100k msg\-cache\-slabs: 1 rrset\-cache\-size: 100k rrset\-cache\-slabs: 1 infra\-cache\-numhosts: 200 infra\-cache\-slabs: 1 key\-cache\-size: 100k key\-cache\-slabs: 1 neg\-cache\-size: 10k num\-queries\-per\-thread: 30 target\-fetch\-policy: "2 1 0 0 0 0" harden\-large\-queries: "yes" harden\-short\-bufsize: "yes" .fi .SH "FILES" .TP .I /var/unbound default unbound working directory. .TP .I /var/unbound default \fIchroot\fR(2) location. .TP .I /var/unbound/unbound.conf unbound configuration file. .TP .I /var/unbound/unbound.pid default unbound pidfile with process ID of the running daemon. .TP .I unbound.log unbound log file. default is to log to \fIsyslog\fR(3). .SH "SEE ALSO" \fIunbound\fR(8), \fIunbound\-checkconf\fR(8). .SH "AUTHORS" .B Unbound was written by NLnet Labs. Please see CREDITS file in the distribution for further details. Index: head/contrib/unbound/doc/unbound.conf.5.in =================================================================== --- head/contrib/unbound/doc/unbound.conf.5.in (revision 276698) +++ head/contrib/unbound/doc/unbound.conf.5.in (revision 276699) @@ -1,1154 +1,1165 @@ .TH "unbound.conf" "5" "Dec 8, 2014" "NLnet Labs" "unbound 1.5.1" .\" .\" unbound.conf.5 -- unbound.conf manual .\" .\" Copyright (c) 2007, NLnet Labs. All rights reserved. .\" .\" See LICENSE for the license. .\" .\" .SH "NAME" .B unbound.conf \- Unbound configuration file. .SH "SYNOPSIS" .B unbound.conf .SH "DESCRIPTION" .B unbound.conf is used to configure \fIunbound\fR(8). The file format has attributes and values. Some attributes have attributes inside them. The notation is: attribute: value. .P Comments start with # and last to the end of line. Empty lines are ignored as is whitespace at the beginning of a line. .P The utility \fIunbound\-checkconf\fR(8) can be used to check unbound.conf prior to usage. .SH "EXAMPLE" An example config file is shown below. Copy this to /etc/unbound/unbound.conf and start the server with: .P .nf $ unbound \-c /etc/unbound/unbound.conf .fi .P Most settings are the defaults. Stop the server with: .P .nf $ kill `cat /etc/unbound/unbound.pid` .fi .P Below is a minimal config file. The source distribution contains an extensive example.conf file with all the options. .P .nf # unbound.conf(5) config file for unbound(8). server: directory: "/etc/unbound" username: unbound # make sure unbound can access entropy from inside the chroot. # e.g. on linux the use these commands (on BSD, devfs(8) is used): # mount \-\-bind \-n /dev/random /etc/unbound/dev/random # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log chroot: "/etc/unbound" # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile. pidfile: "/etc/unbound/unbound.pid" # verbosity: 1 # uncomment and increase to get more logging. # listen on all interfaces, answer queries from the local subnet. interface: 0.0.0.0 interface: ::0 access\-control: 10.0.0.0/8 allow access\-control: 2001:DB8::/64 allow .fi .SH "FILE FORMAT" There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value. .P Files can be included using the .B include: directive. It can appear anywhere, it accepts a single file name as argument. Processing continues as if the text from the included file was copied into the config file at that point. If also using chroot, using full path names for the included files works, relative pathnames for the included names work if the directory where the daemon is started equals its chroot/working directory. Wildcards can be used to include multiple files, see \fIglob\fR(7). .SS "Server Options" These options are part of the .B server: clause. .TP .B verbosity: \fI The verbosity number, level 0 means no verbosity, only errors. Level 1 gives operational information. Level 2 gives detailed operational information. Level 3 gives query level information, output per query. Level 4 gives algorithm level information. Level 5 logs client identification for cache misses. Default is level 1. The verbosity can also be increased from the commandline, see \fIunbound\fR(8). .TP .B statistics\-interval: \fI The number of seconds between printing statistics to the log for every thread. Disable with value 0 or "". Default is disabled. The histogram statistics are only printed if replies were sent during the statistics interval, requestlist statistics are printed for every interval (but can be 0). This is because the median calculation requires data to be present. .TP .B statistics\-cumulative: \fI If enabled, statistics are cumulative since starting unbound, without clearing the statistics counters after logging the statistics. Default is no. .TP .B extended\-statistics: \fI If enabled, extended statistics are printed from \fIunbound\-control\fR(8). Default is off, because keeping track of more statistics takes time. The counters are listed in \fIunbound\-control\fR(8). .TP .B num\-threads: \fI The number of threads to create to serve clients. Use 1 for no threading. .TP .B port: \fI The port number, default 53, on which the server responds to queries. .TP .B interface: \fI Interface to use to connect to the network. This interface is listened to for queries from clients, and answers to clients are given from it. Can be given multiple times to work on several interfaces. If none are given the default is to listen to localhost. The interfaces are not changed on a reload (kill \-HUP) but only on restart. A port number can be specified with @port (without spaces between interface and port number), if not specified the default port (from \fBport\fR) is used. .TP .B ip\-address: \fI Same as interface: (for easy of compatibility with nsd.conf). .TP .B interface\-automatic: \fI Detect source interface on UDP queries and copy them to replies. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP .B outgoing\-interface: \fI Interface to use to connect to the network. This interface is used to send queries to authoritative servers and receive their replies. Can be given multiple times to work on several interfaces. If none are given the default (all) is used. You can specify the same interfaces in .B interface: and .B outgoing\-interface: lines, the interfaces are then used for both purposes. Outgoing queries are sent via a random outgoing interface to counter spoofing. .TP .B outgoing\-range: \fI Number of ports to open. This number of file descriptors can be opened per thread. Must be at least 1. Default depends on compile options. Larger numbers need extra resources from the operating system. For performance a a very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI Permit unbound to open this port or range of ports for use to send queries. A larger number of permitted outgoing ports increases resilience against spoofing attempts. Make sure these ports are not needed by other daemons. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. .IP The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements are processed in the line order of the config file, adding the permitted ports and subtracting the avoided ports from the set of allowed ports. The processing starts with the non IANA allocated ports above 1024 in the set of allowed ports. .TP .B outgoing\-port\-avoid: \fI Do not permit unbound to open this port or range of ports for use to send queries. Use this to make sure unbound does not grab a port that another daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. .TP .B outgoing\-num\-tcp: \fI Number of outgoing TCP buffers to allocate per thread. Default is 10. If set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers are done. .TP .B incoming\-num\-tcp: \fI Number of incoming TCP buffers to allocate per thread. Default is 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are accepted. .TP .B edns\-buffer\-size: \fI Number of bytes size to advertise as the EDNS reassembly buffer size. This is the value put into datagrams over UDP towards peers. The actual buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do not set higher than that value. Default is 4096 which is RFC recommended. If you have fragmentation reassembly problems, usually seen as timeouts, then a value of 1480 can fix it. Setting to 512 bypasses even the most stringent path MTU problems, but is seen as extreme, since the amount of TCP fallback generated is excessive (probably also for this resolver, consider tuning the outgoing tcp number). .TP .B max\-udp\-size: \fI Maximum UDP response size (not applied to TCP response). 65536 disables the udp response size maximum, and uses the choice from the client, always. Suggested values are 512 to 4096. Default is 4096. .TP .B msg\-buffer\-size: \fI Number of bytes size of the message buffers. Default is 65552 bytes, enough for 64 Kb packets, the maximum DNS message size. No message larger than this can be sent or received. Can be reduced to use less memory, but some requests for DNS data, such as for huge resource records, will result in a SERVFAIL reply to the client. .TP .B msg\-cache\-size: \fI Number of bytes size of the message cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP .B msg\-cache\-slabs: \fI Number of slabs in the message cache. Slabs reduce lock contention by threads. Must be set to a power of 2. Setting (close) to the number of cpus is a reasonable guess. .TP .B num\-queries\-per\-thread: \fI The number of queries that every thread will service simultaneously. If more queries arrive that need servicing, and no queries can be jostled out (see \fIjostle\-timeout\fR), then the queries are dropped. This forces the client to resend after a timeout; allowing the server time to work on the existing queries. Default depends on compile options, 512 or 1024. .TP .B jostle\-timeout: \fI Timeout used when the server is very busy. Set to a value that usually results in one roundtrip to the authority servers. If too many queries arrive, then 50% of the queries are allowed to run to completion, and the other 50% are replaced with the new incoming query if they have already spent more than their allowed time. This protects against denial of service by slow queries or high query rates. Default 200 milliseconds. The effect is that the qps for long-lasting queries is about (numqueriesperthread / 2) / (average time for such long queries) qps. The qps for short queries can be about (numqueriesperthread / 2) / (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560 qps by default. .TP .B delay\-close: \fI Extra delay for timeouted UDP ports before they are closed, in msec. Default is 0, and that disables it. This prevents very delayed answer packets from the upstream (recursive) servers from bouncing against closed ports and setting off all sort of close-port counters, with eg. 1500 msec. When timeouts happen you need extra sockets, it checks the ID and remote IP of packets, and unwanted packets are added to the unwanted packet counter. .TP .B so\-rcvbuf: \fI If not 0, then set the SO_RCVBUF socket option to get more buffer space on UDP port 53 incoming queries. So that short spikes on busy servers do not drop packets (see counter in netstat \-su). Default is 0 (use system value). Otherwise, the number of bytes to ask for, try "4m" on a busy server. The OS caps it at a maximum, on linux unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. On OpenBSD change header and recompile kernel. On Solaris ndd \-set /dev/udp udp_max_buf 8388608. .TP .B so\-sndbuf: \fI If not 0, then set the SO_SNDBUF socket option to get more buffer space on UDP port 53 outgoing queries. This for very busy servers handles spikes in answer traffic, otherwise 'send: resource temporarily unavailable' can get logged, the buffer overrun is also visible by netstat \-su. Default is 0 (use system value). Specify the number of bytes to ask for, try "4m" on a very busy server. The OS caps it at a maximum, on linux unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar to so\-rcvbuf. .TP .B so\-reuseport: \fI If yes, then open dedicated listening sockets for incoming queries for each thread and try to set the SO_REUSEPORT socket option on each socket. May distribute incoming queries to threads more evenly. Default is no. On Linux it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX it may also work. You can enable it (on any platform and kernel), it then attempts to open the port and passes the option if it was available at compile time, if that works it is used, if it fails, it continues silently (unless verbosity 3) without the option. .TP .B rrset\-cache\-size: \fI Number of bytes size of the RRset cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP .B rrset\-cache\-slabs: \fI Number of slabs in the RRset cache. Slabs reduce lock contention by threads. Must be set to a power of 2. .TP .B cache\-max\-ttl: \fI Time to live maximum for RRsets and messages in the cache. Default is 86400 seconds (1 day). If the maximum kicks in, responses to clients still get decrementing TTLs based on the original (larger) values. When the internal TTL expires, the cache item has expired. Can be set lower to force the resolver to query for data often, and not trust (very large) TTL values. .TP .B cache\-min\-ttl: \fI Time to live minimum for RRsets and messages in the cache. Default is 0. If the the minimum kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more. .TP .B infra\-host\-ttl: \fI Time to live for entries in the host cache. The host cache contains roundtrip timing, lameness and EDNS support information. Default is 900. .TP .B infra\-cache\-slabs: \fI Number of slabs in the infrastructure cache. Slabs reduce lock contention by threads. Must be set to a power of 2. .TP .B infra\-cache\-numhosts: \fI Number of hosts for which information is cached. Default is 10000. .TP .B do\-ip4: \fI Enable or disable whether ip4 queries are answered or issued. Default is yes. .TP .B do\-ip6: \fI Enable or disable whether ip6 queries are answered or issued. Default is yes. If disabled, queries are not answered on IPv6, and queries are not sent on IPv6 to the internet nameservers. With this option you can disable the ipv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it. .TP .B do\-udp: \fI Enable or disable whether UDP queries are answered or issued. Default is yes. .TP .B do\-tcp: \fI Enable or disable whether TCP queries are answered or issued. Default is yes. .TP .B tcp\-upstream: \fI Enable or disable whether the upstream queries use TCP only for transport. Default is no. Useful in tunneling scenarios. .TP .B ssl\-upstream: \fI Enabled or disable whether the upstream queries use SSL only for transport. Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR). .TP .B ssl\-service-key: \fI If enabled, the server provider SSL service on its TCP sockets. The clients have to use ssl\-upstream: yes. The file is the private key for the TLS session. The public certificate is in the ssl\-service\-pem file. Default is "", turned off. Requires a restart (a reload is not enough) if changed, because the private key is read while root permissions are held and before chroot (if any). Normal DNS TCP service is not provided and gives errors, this service is best run with a different \fBport:\fR config or \fI@port\fR suffixes in the \fBinterface\fR config. .TP .B ssl\-service\-pem: \fI The public key certificate pem file for the ssl service. Default is "", turned off. .TP .B ssl\-port: \fI The port number on which to provide TCP SSL service, default 443, only interfaces configured with that port number as @number get the SSL service. .TP .B do\-daemonize: \fI Enable or disable whether the unbound server forks into the background as a daemon. Default is yes. .TP .B access\-control: \fI The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. .IP The action \fIdeny\fR stops queries from hosts from that netblock. .IP The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED error message back. .IP The action \fIallow\fR gives access to clients from that netblock. It gives only access for recursion clients (which is what almost all clients need). Nonrecursive queries are refused. .IP The \fIallow\fR action does allow nonrecursive queries to access the local\-data that is configured. The reason is that this does not involve the unbound server recursive lookup algorithm, and static data is served in the reply. This supports normal operations where nonrecursive queries are made for the authoritative data. For nonrecursive queries any replies from the dynamic cache are refused. .IP The action \fIallow_snoop\fR gives nonrecursive access too. This give both recursive and non recursive access. The name \fIallow_snoop\fR refers to cache snooping, a technique to use nonrecursive queries to examine the cache contents (for malicious acts). However, nonrecursive queries can also be a valuable debugging tool (when you want to examine the cache contents). In that case use \fIallow_snoop\fR for your administration host. .IP By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS protocol is not designed to handle dropped packets due to policy, and dropping may result in (possibly excessive) retried queries. .IP The deny_non_local and refuse_non_local settings are for hosts that are only allowed to query for the authoritative local\-data, they are not allowed full recursion but only the static data. With deny_non_local, messages that are disallowed are dropped, with refuse_non_local they receive error code REFUSED. .TP .B chroot: \fI If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the chroot has been performed the now defunct portion of the config file path is removed to be able to reread the config after a reload. .IP All other file paths (working dir, logfile, roothints, and key files) can be specified in several ways: as an absolute path relative to the new root, as a relative path to the working directory, or as an absolute path relative to the original root. In the last case the path is adjusted to remove the unused portion. .IP The pidfile can be either a relative path to the working directory, or an absolute path relative to the original root. It is written just prior to chroot and dropping permissions. This allows the pidfile to be /var/run/unbound.pid and the chroot to be /var/unbound, for example. .IP Additionally, unbound may need to access /dev/random (for entropy) from inside the chroot. .IP If given a chroot is done to the given directory. The default is "@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed. .TP .B username: \fI If given, after binding the port the user privileges are dropped. Default is "@UNBOUND_USERNAME@". If you give username: "" no user change is performed. .IP If this user is not capable of binding the port, reloads (by signal HUP) will still retain the opened ports. If you change the port number in the config file, and that new port number requires privileges, then a reload will fail; a restart is needed. .TP .B directory: \fI Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@". .TP .B logfile: \fI If "" is given, logging goes to stderr, or nowhere once daemonized. The logfile is appended to, in the following format: .nf [seconds since 1970] unbound[pid:tid]: type: message. .fi If this option is given, the use\-syslog is option is set to "no". The logfile is reopened (for append) when the config file is reread, on SIGHUP. .TP .B use\-syslog: \fI Sets unbound to send log messages to the syslogd, using \fIsyslog\fR(3). The log facility LOG_DAEMON is used, with identity "unbound". The logfile setting is overridden when use\-syslog is turned on. The default is to log to syslog. .TP .B log\-time\-ascii: \fI Sets logfile lines to use a timestamp in UTC ascii. Default is no, which prints the seconds since 1970 in brackets. No effect if using syslog, in that case syslog formats the timestamp printed into the log files. .TP .B log\-queries: \fI Prints one line per query to the log, with the log timestamp and IP address, name, type and class. Default is no. Note that it takes time to print these lines which makes the server (significantly) slower. Odd (nonprintable) characters in names are printed as '?'. .TP .B pidfile: \fI The process id is written to the file. Default is "@UNBOUND_PIDFILE@". So, .nf kill \-HUP `cat @UNBOUND_PIDFILE@` .fi triggers a reload, .nf kill \-QUIT `cat @UNBOUND_PIDFILE@` .fi gracefully terminates. .TP .B root\-hints: \fI Read the root hints from this file. Default is nothing, using builtin hints for the IN class. The file has the format of zone files, with root nameserver names and addresses only. The default may become outdated, when servers change, therefore it is good practice to use a root\-hints file. .TP .B hide\-identity: \fI If enabled id.server and hostname.bind queries are refused. .TP .B identity: \fI Set the identity to report. If set to "", the default, then the hostname of the server is returned. .TP .B hide\-version: \fI If enabled version.server and version.bind queries are refused. .TP .B version: \fI Set the version to report. If set to "", the default, then the package version is returned. .TP .B target\-fetch\-policy: \fI<"list of numbers"> Set the target fetch policy used by unbound to determine if it should fetch nameserver target addresses opportunistically. The policy is described per dependency depth. .IP The number of values determines the maximum dependency depth that unbound will pursue in answering a query. A value of \-1 means to fetch all targets opportunistically for that dependency depth. A value of 0 means to fetch on demand only. A positive value fetches that many targets opportunistically. .IP Enclose the list between quotes ("") and put spaces between numbers. The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour rumoured to be closer to that of BIND 8. .TP .B harden\-short\-bufsize: \fI Very small EDNS buffer sizes from queries are ignored. Default is off, since it is legal protocol wise to send these, and unbound tries to give very small answers to these queries, where possible. .TP .B harden\-large\-queries: \fI Very large queries are ignored. Default is off, since it is legal protocol wise to send these, and could be necessary for operation if TSIG or EDNS payload is very large. .TP .B harden\-glue: \fI Will trust glue only if it is within the servers authority. Default is on. .TP .B harden\-dnssec\-stripped: \fI Require DNSSEC data for trust\-anchored zones, if such data is absent, the zone becomes bogus. If turned off, and no DNSSEC data is received (or the DNSKEY data fails to validate), then the zone is made insecure, this behaves like there is no trust anchor. You could turn this off if you are sometimes behind an intrusive firewall (of some sort) that removes DNSSEC data from packets, or a zone changes from signed to unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone. Default is on. .TP .B harden\-below\-nxdomain: \fI From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name below another name that is already known to be nxdomain. DNSSEC mandates noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. .TP .B harden\-referral\-path: \fI Harden the referral path by performing additional queries for infrastructure data. Validates the replies if trust anchors are configured and the zones are signed. This enforces DNSSEC validation on nameserver NS sets and the nameserver addresses that are encountered on the referral path to the answer. Default off, because it burdens the authority servers, and it is not RFC standard, and could lead to performance problems because of the extra query load that is generated. Experimental option. If you enable it consider adding more numbers after the target\-fetch\-policy to increase the max depth that is checked to. .TP .B use\-caps\-for\-id: \fI Use 0x20\-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns\-0x20. .TP .B private\-address: \fI Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network, and are not allowed to be returned for public internet names. Any occurence of such addresses are removed from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus. This protects against so\-called DNS Rebinding, where a user browser is turned into a network proxy, allowing remote access through the browser to other parts of your private network. Some names can be allowed to contain your private addresses, by default all the \fBlocal\-data\fR that you configured is allowed to, and you can specify additional names using \fBprivate\-domain\fR. No private addresses are enabled by default. We consider to enable this for the RFC1918 private IP address space by default in later releases. That would enable private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards say these addresses should not be visible on the public internet. Turning on 127.0.0.0/8 would hinder many spamblocklists as they use that. .TP .B private\-domain: \fI Allow this domain, and all its subdomains to contain private addresses. Give multiple times to allow multiple domain names to contain private addresses. Default is none. .TP .B unwanted\-reply\-threshold: \fI If set, a total number of unwanted replies is kept track of in every thread. When it reaches the threshold, a defensive action is taken and a warning is printed to the log. The defensive action is to clear the rrset and message caches, hopefully flushing away any poison. A value of 10 million is suggested. Default is 0 (turned off). .TP .B do\-not\-query\-address: \fI Do not query the given IP address. Can be IP4 or IP6. Append /num to indicate a classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. .TP .B do\-not\-query\-localhost: \fI If yes, localhost is added to the do\-not\-query\-address entries, both IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send queries to. Default is yes. .TP .B prefetch: \fI If yes, message cache elements are prefetched before they expire to keep the cache up to date. Default is no. Turning it on gives about 10 percent more traffic and load on the machine, but popular items do not expire from the cache. .TP .B prefetch-key: \fI If yes, fetch the DNSKEYs earlier in the validation process, when a DS record is encountered. This lowers the latency of requests. It does use a little more CPU. Also if the cache is set to 0, it is no use. Default is no. .TP .B rrset-roundrobin: \fI If yes, Unbound rotates RRSet order in response (the random number is taken from the query ID, for speed and thread safety). Default is no. .TP .B minimal-responses: \fI If yes, Unbound doesn't insert authority/additional sections into response messages when those sections are not required. This reduces response size significantly, and may avoid TCP fallback for some responses. This may cause a slight speedup. The default is no, because the DNS protocol RFCs mandate these sections, and the additional content could be of use and save roundtrips for clients. .TP .B module\-config: \fI<"module names"> Module configuration, a list of module names separated by spaces, surround the string with quotes (""). The modules can be validator, iterator. Setting this to "iterator" will result in a non\-validating server. Setting this to "validator iterator" will turn on DNSSEC validation. The ordering of the modules is important. You must also set trust\-anchors for validation to be useful. .TP .B trust\-anchor\-file: \fI File with trusted keys for validation. Both DS and DNSKEY entries can appear in the file. The format of the file is the standard DNS Zone file format. Default is "", or no trust anchor file. .TP .B auto\-trust\-anchor\-file: \fI File with trust anchor for one zone, which is tracked with RFC5011 probes. The probes are several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, so the unbound user must have write permission. .TP .B trust\-anchor: \fI<"Resource Record"> A DS or DNSKEY RR for a key to use for validation. Multiple entries can be given to specify multiple trusted keys, in addition to the trust\-anchor\-files. The resource record is entered in the same format as 'dig' or 'drill' prints them, the same format as in the zone file. Has to be on a single line, with "" around it. A TTL can be specified for ease of cut and paste, but is ignored. A class can be specified, but class IN is default. .TP .B trusted\-keys\-file: \fI File with trusted keys for validation. Specify more than one file with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR but has a different file format. Format is BIND\-9 style format, the trusted\-keys { name flag proto algo "key"; }; clauses are read. It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. .TP .B dlv\-anchor\-file: \fI File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and DNSKEY entries can be used in the file, in the same format as for \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more would be slow. The DLV configured is used as a root trusted DLV, this means that it is a lookaside for the root. Default is "", or no dlv anchor file. .TP .B dlv\-anchor: \fI<"Resource Record"> Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. .TP .B domain\-insecure: \fI Sets domain name to be insecure, DNSSEC chain of trust is ignored towards the domain name. So a trust anchor above the domain name can not make the domain secure with a DS record, such a DS record is then ignored. Also keys from DLV are ignored for the domain. Can be given multiple times to specify multiple domains that are treated as if unsigned. If you set trust anchors for the domain they override this setting (and the domain is secured). .IP This can be useful if you want to make sure a trust anchor for external lookups does not affect an (unsigned) internal domain. A DS record externally can create validation failures for that internal domain. .TP .B val\-override\-date: \fI Default is "" or "0", which disables this debugging feature. If enabled by giving a RRSIG style date, that date is used for verifying RRSIG inception and expiration dates, instead of the current date. Do not set this unless you are debugging signature inception and expiration. The value \-1 ignores the date altogether, useful for some special applications. .TP .B val\-sig\-skew\-min: \fI Minimum number of seconds of clock skew to apply to validated signatures. A value of 10% of the signature lifetime (expiration \- inception) is used, capped by this setting. Default is 3600 (1 hour) which allows for daylight savings differences. Lower this value for more strict checking of short lived signatures. .TP .B val\-sig\-skew\-max: \fI Maximum number of seconds of clock skew to apply to validated signatures. A value of 10% of the signature lifetime (expiration \- inception) is used, capped by this setting. Default is 86400 (24 hours) which allows for timezone setting problems in stable domains. Setting both min and max very low disables the clock skew allowances. Setting both min and max very high makes the validator check the signature timestamps less strictly. .TP .B val\-bogus\-ttl: \fI The time to live for bogus data. This is data that has failed validation; due to invalid signatures or other checks. The TTL from that data cannot be trusted, and this value is used instead. The value is in seconds, default 60. The time interval prevents repeated revalidation of bogus data. .TP .B val\-clean\-additional: \fI Instruct the validator to remove data from the additional section of secure messages that are not signed properly. Messages that are insecure, bogus, indeterminate or unchecked are not affected. Default is yes. Use this setting to protect the users that rely on this validator for authentication from protentially bad data in the additional section. .TP .B val\-log\-level: \fI Have the validator print validation failures to the log. Regardless of the verbosity setting. Default is 0, off. At 1, for every user query that fails a line is printed to the logs. This way you can monitor what happens with validation. Use a diagnosis tool, such as dig or drill, to find out why validation is failing for these queries. At 2, not only the query that failed is printed but also the reason why unbound thought it was wrong and which server sent the faulty data. .TP .B val\-permissive\-mode: \fI Instruct the validator to mark bogus messages as indeterminate. The security checks are performed, but if the result is bogus (failed security), the reply is not withheld from the client with SERVFAIL as usual. The client receives the bogus data. For messages that are found to be secure the AD bit is set in replies. Also logging is performed as for full validation. The default value is "no". .TP .B ignore\-cd\-flag: \fI Instruct unbound to ignore the CD flag from clients and refuse to return bogus answers to them. Thus, the CD (Checking Disabled) flag does not disable checking any more. This is useful if legacy (w2008) servers that set the CD flag but cannot validate DNSSEC themselves are the clients, and then unbound provides them with DNSSEC protection. The default value is "no". .TP .B val\-nsec3\-keysize\-iterations: \fI<"list of values"> List of keysize and iteration count values, separated by spaces, surrounded by quotes. Default is "1024 150 2048 500 4096 2500". This determines the maximum allowed NSEC3 iteration count before a message is simply marked insecure instead of performing the many hashing iterations. The list must be in ascending order and have at least one entry. If you set it to "1024 65535" there is no restriction to NSEC3 iteration values. This table must be kept short; a very long list could cause slower operation. .TP .B add\-holddown: \fI Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 autotrust updates to add new trust anchors only after they have been visible for this time. Default is 30 days as per the RFC. .TP .B del\-holddown: \fI Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 autotrust updates to remove revoked trust anchors after they have been kept in the revoked list for this long. Default is 30 days as per the RFC. .TP .B keep\-missing: \fI Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 autotrust updates to remove missing trust anchors after they have been unseen for this long. This cleans up the state file if the target zone does not perform trust anchor revocation, so this makes the auto probe mechanism work with zones that perform regular (non\-5011) rollovers. The default is 366 days. The value 0 does not remove missing anchors, as per the RFC. .TP .B key\-cache\-size: \fI Number of bytes size of the key cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP .B key\-cache\-slabs: \fI Number of slabs in the key cache. Slabs reduce lock contention by threads. Must be set to a power of 2. Setting (close) to the number of cpus is a reasonable guess. .TP .B neg\-cache\-size: \fI Number of bytes size of the aggressive negative cache. Default is 1 megabyte. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP .B unblock\-lan\-zones: \fI Default is disabled. If enabled, then for private address space, the reverse lookups are no longer filtered. This allows unbound when running as dns service on a host where it provides service for that host, to put out all of the queries for the 'lan' upstream. When enabled, only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured with default local zones. Disable the option when unbound is running as a (DHCP-) DNS network resolver for a group of machines, where such lookups should be filtered (RFC compliance), this also stops potential data leakage about the local network to the upstream DNS servers. .TP .B local\-zone: \fI Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, transparent, redirect, nodefault, typetransparent, and are explained below. After that the default settings are listed. Use local\-data: to enter data into the local zone. Answers for local zones are authoritative DNS answers. By default the zones are class IN. .IP If you need more complicated authoritative data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for it as detailed in the stub zone section below. .TP 10 \h'5'\fIdeny\fR Do not send an answer, drop the query. If there is a match from local data, the query is answered. .TP 10 \h'5'\fIrefuse\fR Send an error message reply, with rcode REFUSED. If there is a match from local data, the query is answered. .TP 10 \h'5'\fIstatic\fR If there is a match from local data, the query is answered. Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local\-data for the zone apex domain. .TP 10 \h'5'\fItransparent\fR If there is a match from local data, the query is answered. Otherwise if the query has a different name, the query is resolved normally. If the query is for a name given in localdata but no such type of data is given in localdata, then a noerror nodata answer is returned. If no local\-zone is given local\-data causes a transparent zone to be created by default. .TP 10 \h'5'\fItypetransparent\fR If there is a match from local data, the query is answered. If the query is for a different name, or for the same name but for a different type, the query is resolved normally. So, similar to transparent but types that are not listed in local data are resolved normally, so if an A record is in the local data that does not cause a nodata reply for AAAA queries. .TP 10 \h'5'\fIredirect\fR The query is answered from the local data for the zone name. There may be no local data beneath the zone name. This answers queries for the zone, and all subdomains of the zone with the local data for the zone. It can be used to redirect a domain to return a different address record to the end user, with local\-zone: "example.com." redirect and local\-data: "example.com. A 127.0.0.1" queries for www.example.com and www.foo.example.com are redirected, so that users with web browsers cannot access sites with suffix example.com. .TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option has no other effect than turning off default contents for the given zone. .P The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112 zones. The AS112 zones are reverse DNS zones for private use and reserved IP addresses for which the servers on the internet cannot provide correct answers. They are configured by default to give nxdomain (no reverse information) answers. The defaults can be turned off by specifying your own local\-zone of that name, or using the 'nodefault' type. Below is a list of the default zone contents. .TP 10 \h'5'\fIlocalhost\fR The IP4 and IP6 localhost information is given. NS and SOA records are provided for completeness and to satisfy some DNS update tools. Default content: .nf local\-zone: "localhost." static local\-data: "localhost. 10800 IN NS localhost." local\-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" local\-data: "localhost. 10800 IN A 127.0.0.1" local\-data: "localhost. 10800 IN AAAA ::1" .fi .TP 10 \h'5'\fIreverse IPv4 loopback\fR Default content: .nf local\-zone: "127.in\-addr.arpa." static local\-data: "127.in\-addr.arpa. 10800 IN NS localhost." local\-data: "127.in\-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN PTR localhost." .fi .TP 10 \h'5'\fIreverse IPv6 loopback\fR Default content: .nf local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN NS localhost." local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN PTR localhost." .fi .TP 10 \h'5'\fIreverse RFC1918 local use zones\fR Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 31.172.in\-addr.arpa, 168.192.in\-addr.arpa. The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS records are provided. .TP 10 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2), 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa. And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space). .TP 10 \h'5'\fIreverse RFC4291 IP6 unspecified\fR Reverse data for zone .nf 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. .fi .TP 10 \h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR Reverse data for zone D.F.ip6.arpa. .TP 10 \h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa. .TP 10 \h'5'\fIreverse IPv6 Example Prefix\fR Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for tutorials and examples. You can remove the block on this zone with: .nf local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault .fi You can also selectively unblock a part of the zone by making that part transparent with a local\-zone statement. This also works with the other default zones. .\" End of local-zone listing. .TP 5 .B local\-data: \fI"" Configure local data, which is served in reply to queries for it. The query has to match exactly unless you configure the local\-zone as redirect. If not matched exactly, the local\-zone type determines further processing. If local\-data is configured that is not a subdomain of a local\-zone, a transparent local\-zone is configured. For record types such as TXT, use single quotes, as in local\-data: 'example. TXT "text"'. .IP If you need more complicated authoritative data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for it as detailed in the stub zone section below. .TP 5 .B local\-data\-ptr: \fI"IPaddr name" Configure local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name. For example "192.0.2.4 www.example.com". TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" .SS "Remote Control Options" In the .B remote\-control: clause are the declarations for the remote control facility. If this is enabled, the \fIunbound\-control\fR(8) utility can be used to send commands to the running unbound server. The server uses these clauses to setup SSLv3 / TLSv1 security for the connection. The \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR section for options. To setup the correct self\-signed certificates use the \fIunbound\-control\-setup\fR(8) utility. .TP 5 -.B control\-enable: \fI +.B control\-enable: \fI The option is used to enable remote control, default is "no". If turned off, the server does not listen for control commands. .TP 5 -.B control\-interface: -Give IPv4 or IPv6 addresses to listen on for control commands. +.B control\-interface: \fI +Give IPv4 or IPv6 addresses or local socket path to listen on for +control commands. By default localhost (127.0.0.1 and ::1) is listened to. Use 0.0.0.0 and ::0 to listen to all interfaces. +If you change this and permissions have been dropped, you must restart +the server for the change to take effect. .TP 5 -.B control\-port: -The port number to listen on for control commands, default is 8953. -If you change this port number, and permissions have been dropped, -a reload is not sufficient to open the port again, you must then restart. +.B control\-port: \fI +The port number to listen on for IPv4 or IPv6 control interfaces, +default is 8953. +If you change this and permissions have been dropped, you must restart +the server for the change to take effect. .TP 5 -.B server\-key\-file: "" +.B control-use-cert: \fI +Whether to require certificate authentication of control connections. +The default is "yes". +This should not be changed unless there are other mechanisms in place +to prevent untrusted users from accessing the remote control +interface. +.TP 5 +.B server\-key\-file: \fI Path to the server private key, by default unbound_server.key. This file is generated by the \fIunbound\-control\-setup\fR utility. This file is used by the unbound server, but not by \fIunbound\-control\fR. .TP 5 -.B server\-cert\-file: "" +.B server\-cert\-file: \fI Path to the server self signed certificate, by default unbound_server.pem. This file is generated by the \fIunbound\-control\-setup\fR utility. This file is used by the unbound server, and also by \fIunbound\-control\fR. .TP 5 -.B control\-key\-file: "" +.B control\-key\-file: \fI Path to the control client private key, by default unbound_control.key. This file is generated by the \fIunbound\-control\-setup\fR utility. This file is used by \fIunbound\-control\fR. .TP 5 -.B control\-cert\-file: "" +.B control\-cert\-file: \fI Path to the control client certificate, by default unbound_control.pem. This certificate has to be signed with the server certificate. This file is generated by the \fIunbound\-control\-setup\fR utility. This file is used by \fIunbound\-control\fR. .SS "Stub Zone Options" .LP There may be multiple .B stub\-zone: clauses. Each with a name: and zero or more hostnames or IP addresses. For the stub zone this list of nameservers is used. Class IN is assumed. The servers should be authority servers, not recursors; unbound performs the recursive processing itself for stub zones. .P The stub zone can be used to configure authoritative data to be used by the resolver that cannot be accessed using the public internet servers. This is useful for company\-local data or private zones. Setup an authoritative server on a different host (or different port). Enter a config entry for unbound with .B stub\-addr: . The unbound resolver can then access the data, without referring to the public internet for it. .P This setup allows DNSSEC signed zones to be served by that authoritative server, in which case a trusted key entry with the public key can be put in config, so that unbound can validate the data and set the AD bit on replies for the private zone (authoritative servers do not set the AD bit). This setup makes unbound capable of answering queries for the private zone, and can even set the AD bit ('authentic'), but the AA ('authoritative') bit is not set on these replies. .TP .B name: \fI Name of the stub zone. .TP .B stub\-host: \fI Name of stub zone nameserver. Is itself resolved before it is used. .TP .B stub\-addr: \fI IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. .TP .B stub\-prime: \fI This option is by default off. If enabled it performs NS set priming, which is similar to root hints, where it starts using the list of nameservers currently published by the zone. Thus, if the hint list is slightly outdated, the resolver picks up a correct list online. .TP .B stub\-first: \fI If enabled, a query is attempted without the stub clause if it fails. The data could not be retrieved and would have caused SERVFAIL because the servers are unreachable, instead it is tried without this clause. The default is no. .SS "Forward Zone Options" .LP There may be multiple .B forward\-zone: clauses. Each with a \fBname:\fR and zero or more hostnames or IP addresses. For the forward zone this list of nameservers is used to forward the queries to. The servers listed as \fBforward\-host:\fR and \fBforward\-addr:\fR have to handle further recursion for the query. Thus, those servers are not authority servers, but are (just like unbound is) recursive servers too; unbound does not perform recursion itself for the forward zone, it lets the remote server do it. Class IN is assumed. A forward\-zone entry with name "." and a forward\-addr target will forward all queries to that other server (unless it can answer from the cache). .TP .B name: \fI Name of the forward zone. .TP .B forward\-host: \fI Name of server to forward to. Is itself resolved before it is used. .TP .B forward\-addr: \fI IP address of server to forward to. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. .TP .B forward\-first: \fI If enabled, a query is attempted without the forward clause if it fails. The data could not be retrieved and would have caused SERVFAIL because the servers are unreachable, instead it is tried without this clause. The default is no. .SS "Python Module Options" .LP The .B python: clause gives the settings for the \fIpython\fR(1) script module. This module acts like the iterator and validator modules do, on queries and answers. To enable the script module it has to be compiled into the daemon, and the word "python" has to be put in the \fBmodule\-config:\fR option (usually first, or between the validator and iterator). .TP .B python\-script: \fI\fR The script file to load. .SS "DNS64 Module Options" .LP The dns64 module must be configured in the \fBmodule\-config:\fR "dns64 validator iterator" directive and be compiled into the daemon to be enabled. These settings go in the \fBserver:\fR section. .TP .B dns64\-prefix: \fI\fR This sets the DNS64 prefix to use to synthesize AAAA records with. It must be /96 or shorter. The default prefix is 64:ff9b::/96. .TP .B dns64\-synthall: \fI\fR Debug option, default no. If enabled, synthesize all AAAA records despite the presence of actual AAAA records. .SH "MEMORY CONTROL EXAMPLE" In the example config settings below memory usage is reduced. Some service levels are lower, notable very large data and a high TCP load are no longer supported. Very large data and high TCP loads are exceptional for the DNS. DNSSEC validation is enabled, just add trust anchors. If you do not have to worry about programs using more than 3 Mb of memory, the below example is not for you. Use the defaults to receive full service, which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. .P .nf # example settings that reduce memory usage server: num\-threads: 1 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers. incoming\-num\-tcp: 1 outgoing\-range: 60 # uses less memory, but less performance. msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'. msg\-cache\-size: 100k msg\-cache\-slabs: 1 rrset\-cache\-size: 100k rrset\-cache\-slabs: 1 infra\-cache\-numhosts: 200 infra\-cache\-slabs: 1 key\-cache\-size: 100k key\-cache\-slabs: 1 neg\-cache\-size: 10k num\-queries\-per\-thread: 30 target\-fetch\-policy: "2 1 0 0 0 0" harden\-large\-queries: "yes" harden\-short\-bufsize: "yes" .fi .SH "FILES" .TP .I @UNBOUND_RUN_DIR@ default unbound working directory. .TP .I @UNBOUND_CHROOT_DIR@ default \fIchroot\fR(2) location. .TP .I @ub_conf_file@ unbound configuration file. .TP .I @UNBOUND_PIDFILE@ default unbound pidfile with process ID of the running daemon. .TP .I unbound.log unbound log file. default is to log to \fIsyslog\fR(3). .SH "SEE ALSO" \fIunbound\fR(8), \fIunbound\-checkconf\fR(8). .SH "AUTHORS" .B Unbound was written by NLnet Labs. Please see CREDITS file in the distribution for further details. Index: head/contrib/unbound/services/listen_dnsport.c =================================================================== --- head/contrib/unbound/services/listen_dnsport.c (revision 276698) +++ head/contrib/unbound/services/listen_dnsport.c (revision 276699) @@ -1,1062 +1,1116 @@ /* * services/listen_dnsport.c - listen on port 53 for incoming DNS queries. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * This file has functions to get queries from clients. */ #include "config.h" #ifdef HAVE_SYS_TYPES_H # include #endif #include #include "services/listen_dnsport.h" #include "services/outside_network.h" #include "util/netevent.h" #include "util/log.h" #include "util/config_file.h" #include "util/net_help.h" #include "ldns/sbuffer.h" #ifdef HAVE_NETDB_H #include #endif #include +#ifdef HAVE_SYS_UN_H +#include +#endif + /** number of queued TCP connections for listen() */ #define TCP_BACKLOG 256 /** * Debug print of the getaddrinfo returned address. * @param addr: the address returned. */ static void verbose_print_addr(struct addrinfo *addr) { if(verbosity >= VERB_ALGO) { char buf[100]; void* sinaddr = &((struct sockaddr_in*)addr->ai_addr)->sin_addr; #ifdef INET6 if(addr->ai_family == AF_INET6) sinaddr = &((struct sockaddr_in6*)addr->ai_addr)-> sin6_addr; #endif /* INET6 */ if(inet_ntop(addr->ai_family, sinaddr, buf, (socklen_t)sizeof(buf)) == 0) { (void)strlcpy(buf, "(null)", sizeof(buf)); } buf[sizeof(buf)-1] = 0; verbose(VERB_ALGO, "creating %s%s socket %s %d", addr->ai_socktype==SOCK_DGRAM?"udp": addr->ai_socktype==SOCK_STREAM?"tcp":"otherproto", addr->ai_family==AF_INET?"4": addr->ai_family==AF_INET6?"6": "_otherfam", buf, ntohs(((struct sockaddr_in*)addr->ai_addr)->sin_port)); } } int create_udp_sock(int family, int socktype, struct sockaddr* addr, socklen_t addrlen, int v6only, int* inuse, int* noproto, int rcv, int snd, int listen, int* reuseport) { int s; #if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_USE_MIN_MTU) int on=1; #endif #ifdef IPV6_MTU int mtu = IPV6_MIN_MTU; #endif #if !defined(SO_RCVBUFFORCE) && !defined(SO_RCVBUF) (void)rcv; #endif #if !defined(SO_SNDBUFFORCE) && !defined(SO_SNDBUF) (void)snd; #endif #ifndef IPV6_V6ONLY (void)v6only; #endif if((s = socket(family, socktype, 0)) == -1) { *inuse = 0; #ifndef USE_WINSOCK if(errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT) { *noproto = 1; return -1; } log_err("can't create socket: %s", strerror(errno)); #else if(WSAGetLastError() == WSAEAFNOSUPPORT || WSAGetLastError() == WSAEPROTONOSUPPORT) { *noproto = 1; return -1; } log_err("can't create socket: %s", wsa_strerror(WSAGetLastError())); #endif *noproto = 0; return -1; } if(listen) { #ifdef SO_REUSEADDR if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on, (socklen_t)sizeof(on)) < 0) { #ifndef USE_WINSOCK log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s", strerror(errno)); if(errno != ENOSYS) { close(s); *noproto = 0; *inuse = 0; return -1; } #else log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); *noproto = 0; *inuse = 0; return -1; #endif } #endif /* SO_REUSEADDR */ #ifdef SO_REUSEPORT /* try to set SO_REUSEPORT so that incoming * queries are distributed evenly among the receiving threads. * Each thread must have its own socket bound to the same port, * with SO_REUSEPORT set on each socket. */ if (reuseport && *reuseport && setsockopt(s, SOL_SOCKET, SO_REUSEPORT, (void*)&on, (socklen_t)sizeof(on)) < 0) { #ifdef ENOPROTOOPT if(errno != ENOPROTOOPT || verbosity >= 3) log_warn("setsockopt(.. SO_REUSEPORT ..) failed: %s", strerror(errno)); #endif /* this option is not essential, we can continue */ *reuseport = 0; } #else (void)reuseport; #endif /* defined(SO_REUSEPORT) */ } if(rcv) { #ifdef SO_RCVBUF int got; socklen_t slen = (socklen_t)sizeof(got); # ifdef SO_RCVBUFFORCE /* Linux specific: try to use root permission to override * system limits on rcvbuf. The limit is stored in * /proc/sys/net/core/rmem_max or sysctl net.core.rmem_max */ if(setsockopt(s, SOL_SOCKET, SO_RCVBUFFORCE, (void*)&rcv, (socklen_t)sizeof(rcv)) < 0) { if(errno != EPERM) { # ifndef USE_WINSOCK log_err("setsockopt(..., SO_RCVBUFFORCE, " "...) failed: %s", strerror(errno)); close(s); # else log_err("setsockopt(..., SO_RCVBUFFORCE, " "...) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); # endif *noproto = 0; *inuse = 0; return -1; } # endif /* SO_RCVBUFFORCE */ if(setsockopt(s, SOL_SOCKET, SO_RCVBUF, (void*)&rcv, (socklen_t)sizeof(rcv)) < 0) { # ifndef USE_WINSOCK log_err("setsockopt(..., SO_RCVBUF, " "...) failed: %s", strerror(errno)); close(s); # else log_err("setsockopt(..., SO_RCVBUF, " "...) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); # endif *noproto = 0; *inuse = 0; return -1; } /* check if we got the right thing or if system * reduced to some system max. Warn if so */ if(getsockopt(s, SOL_SOCKET, SO_RCVBUF, (void*)&got, &slen) >= 0 && got < rcv/2) { log_warn("so-rcvbuf %u was not granted. " "Got %u. To fix: start with " "root permissions(linux) or sysctl " "bigger net.core.rmem_max(linux) or " "kern.ipc.maxsockbuf(bsd) values.", (unsigned)rcv, (unsigned)got); } # ifdef SO_RCVBUFFORCE } # endif #endif /* SO_RCVBUF */ } /* first do RCVBUF as the receive buffer is more important */ if(snd) { #ifdef SO_SNDBUF int got; socklen_t slen = (socklen_t)sizeof(got); # ifdef SO_SNDBUFFORCE /* Linux specific: try to use root permission to override * system limits on sndbuf. The limit is stored in * /proc/sys/net/core/wmem_max or sysctl net.core.wmem_max */ if(setsockopt(s, SOL_SOCKET, SO_SNDBUFFORCE, (void*)&snd, (socklen_t)sizeof(snd)) < 0) { if(errno != EPERM) { # ifndef USE_WINSOCK log_err("setsockopt(..., SO_SNDBUFFORCE, " "...) failed: %s", strerror(errno)); close(s); # else log_err("setsockopt(..., SO_SNDBUFFORCE, " "...) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); # endif *noproto = 0; *inuse = 0; return -1; } # endif /* SO_SNDBUFFORCE */ if(setsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&snd, (socklen_t)sizeof(snd)) < 0) { # ifndef USE_WINSOCK log_err("setsockopt(..., SO_SNDBUF, " "...) failed: %s", strerror(errno)); close(s); # else log_err("setsockopt(..., SO_SNDBUF, " "...) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); # endif *noproto = 0; *inuse = 0; return -1; } /* check if we got the right thing or if system * reduced to some system max. Warn if so */ if(getsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&got, &slen) >= 0 && got < snd/2) { log_warn("so-sndbuf %u was not granted. " "Got %u. To fix: start with " "root permissions(linux) or sysctl " "bigger net.core.wmem_max(linux) or " "kern.ipc.maxsockbuf(bsd) values.", (unsigned)snd, (unsigned)got); } # ifdef SO_SNDBUFFORCE } # endif #endif /* SO_SNDBUF */ } if(family == AF_INET6) { # if defined(IPV6_V6ONLY) if(v6only) { int val=(v6only==2)?0:1; if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void*)&val, (socklen_t)sizeof(val)) < 0) { #ifndef USE_WINSOCK log_err("setsockopt(..., IPV6_V6ONLY" ", ...) failed: %s", strerror(errno)); close(s); #else log_err("setsockopt(..., IPV6_V6ONLY" ", ...) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); #endif *noproto = 0; *inuse = 0; return -1; } } # endif # if defined(IPV6_USE_MIN_MTU) /* * There is no fragmentation of IPv6 datagrams * during forwarding in the network. Therefore * we do not send UDP datagrams larger than * the minimum IPv6 MTU of 1280 octets. The * EDNS0 message length can be larger if the * network stack supports IPV6_USE_MIN_MTU. */ if (setsockopt(s, IPPROTO_IPV6, IPV6_USE_MIN_MTU, (void*)&on, (socklen_t)sizeof(on)) < 0) { # ifndef USE_WINSOCK log_err("setsockopt(..., IPV6_USE_MIN_MTU, " "...) failed: %s", strerror(errno)); close(s); # else log_err("setsockopt(..., IPV6_USE_MIN_MTU, " "...) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); # endif *noproto = 0; *inuse = 0; return -1; } # elif defined(IPV6_MTU) /* * On Linux, to send no larger than 1280, the PMTUD is * disabled by default for datagrams anyway, so we set * the MTU to use. */ if (setsockopt(s, IPPROTO_IPV6, IPV6_MTU, (void*)&mtu, (socklen_t)sizeof(mtu)) < 0) { # ifndef USE_WINSOCK log_err("setsockopt(..., IPV6_MTU, ...) failed: %s", strerror(errno)); close(s); # else log_err("setsockopt(..., IPV6_MTU, ...) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); # endif *noproto = 0; *inuse = 0; return -1; } # endif /* IPv6 MTU */ } else if(family == AF_INET) { # if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT) /* linux 3.15 has IP_PMTUDISC_OMIT, Hannes Frederic Sowa made it so that * PMTU information is not accepted, but fragmentation is allowed * if and only if the packet size exceeds the outgoing interface MTU * (and also uses the interface mtu to determine the size of the packets). * So there won't be any EMSGSIZE error. Against DNS fragmentation attacks. * FreeBSD already has same semantics without setting the option. */ # if defined(IP_PMTUDISC_OMIT) int action = IP_PMTUDISC_OMIT; # else int action = IP_PMTUDISC_DONT; # endif if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action, (socklen_t)sizeof(action)) < 0) { log_err("setsockopt(..., IP_MTU_DISCOVER, " # if defined(IP_PMTUDISC_OMIT) "IP_PMTUDISC_OMIT" # else "IP_PMTUDISC_DONT" # endif "...) failed: %s", strerror(errno)); # ifndef USE_WINSOCK close(s); # else closesocket(s); # endif *noproto = 0; *inuse = 0; return -1; } # elif defined(IP_DONTFRAG) int off = 0; if (setsockopt(s, IPPROTO_IP, IP_DONTFRAG, &off, (socklen_t)sizeof(off)) < 0) { log_err("setsockopt(..., IP_DONTFRAG, ...) failed: %s", strerror(errno)); # ifndef USE_WINSOCK close(s); # else closesocket(s); # endif *noproto = 0; *inuse = 0; return -1; } # endif /* IPv4 MTU */ } if(bind(s, (struct sockaddr*)addr, addrlen) != 0) { *noproto = 0; *inuse = 0; #ifndef USE_WINSOCK #ifdef EADDRINUSE *inuse = (errno == EADDRINUSE); /* detect freebsd jail with no ipv6 permission */ if(family==AF_INET6 && errno==EINVAL) *noproto = 1; else if(errno != EADDRINUSE) { log_err_addr("can't bind socket", strerror(errno), (struct sockaddr_storage*)addr, addrlen); } #endif /* EADDRINUSE */ close(s); #else /* USE_WINSOCK */ if(WSAGetLastError() != WSAEADDRINUSE && WSAGetLastError() != WSAEADDRNOTAVAIL) { log_err_addr("can't bind socket", wsa_strerror(WSAGetLastError()), (struct sockaddr_storage*)addr, addrlen); } closesocket(s); #endif return -1; } if(!fd_set_nonblock(s)) { *noproto = 0; *inuse = 0; #ifndef USE_WINSOCK close(s); #else closesocket(s); #endif return -1; } return s; } int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, int* reuseport) { int s; #if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY) int on = 1; #endif /* SO_REUSEADDR || IPV6_V6ONLY */ verbose_print_addr(addr); *noproto = 0; if((s = socket(addr->ai_family, addr->ai_socktype, 0)) == -1) { #ifndef USE_WINSOCK if(errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT) { *noproto = 1; return -1; } log_err("can't create socket: %s", strerror(errno)); #else if(WSAGetLastError() == WSAEAFNOSUPPORT || WSAGetLastError() == WSAEPROTONOSUPPORT) { *noproto = 1; return -1; } log_err("can't create socket: %s", wsa_strerror(WSAGetLastError())); #endif return -1; } #ifdef SO_REUSEADDR if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on, (socklen_t)sizeof(on)) < 0) { #ifndef USE_WINSOCK log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s", strerror(errno)); close(s); #else log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); #endif return -1; } #endif /* SO_REUSEADDR */ #ifdef SO_REUSEPORT /* try to set SO_REUSEPORT so that incoming * connections are distributed evenly among the receiving threads. * Each thread must have its own socket bound to the same port, * with SO_REUSEPORT set on each socket. */ if (reuseport && *reuseport && setsockopt(s, SOL_SOCKET, SO_REUSEPORT, (void*)&on, (socklen_t)sizeof(on)) < 0) { #ifdef ENOPROTOOPT if(errno != ENOPROTOOPT || verbosity >= 3) log_warn("setsockopt(.. SO_REUSEPORT ..) failed: %s", strerror(errno)); #endif /* this option is not essential, we can continue */ *reuseport = 0; } #else (void)reuseport; #endif /* defined(SO_REUSEPORT) */ #if defined(IPV6_V6ONLY) if(addr->ai_family == AF_INET6 && v6only) { if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void*)&on, (socklen_t)sizeof(on)) < 0) { #ifndef USE_WINSOCK log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s", strerror(errno)); close(s); #else log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s", wsa_strerror(WSAGetLastError())); closesocket(s); #endif return -1; } } #else (void)v6only; #endif /* IPV6_V6ONLY */ if(bind(s, addr->ai_addr, addr->ai_addrlen) != 0) { #ifndef USE_WINSOCK /* detect freebsd jail with no ipv6 permission */ if(addr->ai_family==AF_INET6 && errno==EINVAL) *noproto = 1; else { log_err_addr("can't bind socket", strerror(errno), (struct sockaddr_storage*)addr->ai_addr, addr->ai_addrlen); } close(s); #else log_err_addr("can't bind socket", wsa_strerror(WSAGetLastError()), (struct sockaddr_storage*)addr->ai_addr, addr->ai_addrlen); closesocket(s); #endif return -1; } if(!fd_set_nonblock(s)) { #ifndef USE_WINSOCK close(s); #else closesocket(s); #endif return -1; } if(listen(s, TCP_BACKLOG) == -1) { #ifndef USE_WINSOCK log_err("can't listen: %s", strerror(errno)); close(s); #else log_err("can't listen: %s", wsa_strerror(WSAGetLastError())); closesocket(s); #endif return -1; } return s; } + +int +create_local_accept_sock(char *path, int* noproto) +{ +#ifdef HAVE_SYS_UN_H + int s; + struct sockaddr_un sun; + + sun.sun_len = sizeof(sun); + sun.sun_family = AF_LOCAL; + strlcpy(sun.sun_path, path, 104); + + if ((s = socket(PF_LOCAL, SOCK_STREAM, 0)) == -1) { + log_err("Cannot create local socket %s (%s)", + path, strerror(errno)); + return -1; + } + + if (unlink(path) && errno != ENOENT) { + /* The socket already exists and cannot be removed */ + log_err("Cannot remove old local socket %s (%s)", + path, strerror(errno)); + return -1; + } + + if (bind(s, (struct sockaddr *)&sun, + sizeof(struct sockaddr_un)) == -1) { + log_err("Cannot bind local socket %s (%s)", + path, strerror(errno)); + return -1; + } + + if (!fd_set_nonblock(s)) { + log_err("Cannot set non-blocking mode"); + return -1; + } + + if (listen(s, TCP_BACKLOG) == -1) { + log_err("can't listen: %s", strerror(errno)); + return -1; + } + + return s; +#else + log_err("Local sockets are not supported"); + *noproto = 1; + return -1; +#endif +} + /** * Create socket from getaddrinfo results */ static int make_sock(int stype, const char* ifname, const char* port, struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd, int* reuseport) { struct addrinfo *res = NULL; int r, s, inuse, noproto; hints->ai_socktype = stype; *noip6 = 0; if((r=getaddrinfo(ifname, port, hints, &res)) != 0 || !res) { #ifdef USE_WINSOCK if(r == EAI_NONAME && hints->ai_family == AF_INET6){ *noip6 = 1; /* 'Host not found' for IP6 on winXP */ return -1; } #endif log_err("node %s:%s getaddrinfo: %s %s", ifname?ifname:"default", port, gai_strerror(r), #ifdef EAI_SYSTEM r==EAI_SYSTEM?(char*)strerror(errno):"" #else "" #endif ); return -1; } if(stype == SOCK_DGRAM) { verbose_print_addr(res); s = create_udp_sock(res->ai_family, res->ai_socktype, (struct sockaddr*)res->ai_addr, res->ai_addrlen, v6only, &inuse, &noproto, (int)rcv, (int)snd, 1, reuseport); if(s == -1 && inuse) { log_err("bind: address already in use"); } else if(s == -1 && noproto && hints->ai_family == AF_INET6){ *noip6 = 1; } } else { s = create_tcp_accept_sock(res, v6only, &noproto, reuseport); if(s == -1 && noproto && hints->ai_family == AF_INET6){ *noip6 = 1; } } freeaddrinfo(res); return s; } /** make socket and first see if ifname contains port override info */ static int make_sock_port(int stype, const char* ifname, const char* port, struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd, int* reuseport) { char* s = strchr(ifname, '@'); if(s) { /* override port with ifspec@port */ char p[16]; char newif[128]; if((size_t)(s-ifname) >= sizeof(newif)) { log_err("ifname too long: %s", ifname); *noip6 = 0; return -1; } if(strlen(s+1) >= sizeof(p)) { log_err("portnumber too long: %s", ifname); *noip6 = 0; return -1; } (void)strlcpy(newif, ifname, sizeof(newif)); newif[s-ifname] = 0; (void)strlcpy(p, s+1, sizeof(p)); p[strlen(s+1)]=0; return make_sock(stype, newif, p, hints, v6only, noip6, rcv, snd, reuseport); } return make_sock(stype, ifname, port, hints, v6only, noip6, rcv, snd, reuseport); } /** * Add port to open ports list. * @param list: list head. changed. * @param s: fd. * @param ftype: if fd is UDP. * @return false on failure. list in unchanged then. */ static int port_insert(struct listen_port** list, int s, enum listen_type ftype) { struct listen_port* item = (struct listen_port*)malloc( sizeof(struct listen_port)); if(!item) return 0; item->next = *list; item->fd = s; item->ftype = ftype; *list = item; return 1; } /** set fd to receive source address packet info */ static int set_recvpktinfo(int s, int family) { #if defined(IPV6_RECVPKTINFO) || defined(IPV6_PKTINFO) || (defined(IP_RECVDSTADDR) && defined(IP_SENDSRCADDR)) || defined(IP_PKTINFO) int on = 1; #else (void)s; #endif if(family == AF_INET6) { # ifdef IPV6_RECVPKTINFO if(setsockopt(s, IPPROTO_IPV6, IPV6_RECVPKTINFO, (void*)&on, (socklen_t)sizeof(on)) < 0) { log_err("setsockopt(..., IPV6_RECVPKTINFO, ...) failed: %s", strerror(errno)); return 0; } # elif defined(IPV6_PKTINFO) if(setsockopt(s, IPPROTO_IPV6, IPV6_PKTINFO, (void*)&on, (socklen_t)sizeof(on)) < 0) { log_err("setsockopt(..., IPV6_PKTINFO, ...) failed: %s", strerror(errno)); return 0; } # else log_err("no IPV6_RECVPKTINFO and no IPV6_PKTINFO option, please " "disable interface-automatic in config"); return 0; # endif /* defined IPV6_RECVPKTINFO */ } else if(family == AF_INET) { # ifdef IP_PKTINFO if(setsockopt(s, IPPROTO_IP, IP_PKTINFO, (void*)&on, (socklen_t)sizeof(on)) < 0) { log_err("setsockopt(..., IP_PKTINFO, ...) failed: %s", strerror(errno)); return 0; } # elif defined(IP_RECVDSTADDR) && defined(IP_SENDSRCADDR) if(setsockopt(s, IPPROTO_IP, IP_RECVDSTADDR, (void*)&on, (socklen_t)sizeof(on)) < 0) { log_err("setsockopt(..., IP_RECVDSTADDR, ...) failed: %s", strerror(errno)); return 0; } # else log_err("no IP_SENDSRCADDR or IP_PKTINFO option, please disable " "interface-automatic in config"); return 0; # endif /* IP_PKTINFO */ } return 1; } /** * Helper for ports_open. Creates one interface (or NULL for default). * @param ifname: The interface ip address. * @param do_auto: use automatic interface detection. * If enabled, then ifname must be the wildcard name. * @param do_udp: if udp should be used. * @param do_tcp: if udp should be used. * @param hints: for getaddrinfo. family and flags have to be set by caller. * @param port: Port number to use (as string). * @param list: list of open ports, appended to, changed to point to list head. * @param rcv: receive buffer size for UDP * @param snd: send buffer size for UDP * @param ssl_port: ssl service port number * @param reuseport: try to set SO_REUSEPORT if nonNULL and true. * set to false on exit if reuseport failed due to no kernel support. * @return: returns false on error. */ static int ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, struct addrinfo *hints, const char* port, struct listen_port** list, size_t rcv, size_t snd, int ssl_port, int* reuseport) { int s, noip6=0; if(!do_udp && !do_tcp) return 0; if(do_auto) { if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport)) == -1) { if(noip6) { log_warn("IPv6 protocol not available"); return 1; } return 0; } /* getting source addr packet info is highly non-portable */ if(!set_recvpktinfo(s, hints->ai_family)) { #ifndef USE_WINSOCK close(s); #else closesocket(s); #endif return 0; } if(!port_insert(list, s, listen_type_udpancil)) { #ifndef USE_WINSOCK close(s); #else closesocket(s); #endif return 0; } } else if(do_udp) { /* regular udp socket */ if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport)) == -1) { if(noip6) { log_warn("IPv6 protocol not available"); return 1; } return 0; } if(!port_insert(list, s, listen_type_udp)) { #ifndef USE_WINSOCK close(s); #else closesocket(s); #endif return 0; } } if(do_tcp) { int is_ssl = ((strchr(ifname, '@') && atoi(strchr(ifname, '@')+1) == ssl_port) || (!strchr(ifname, '@') && atoi(port) == ssl_port)); if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, &noip6, 0, 0, reuseport)) == -1) { if(noip6) { /*log_warn("IPv6 protocol not available");*/ return 1; } return 0; } if(is_ssl) verbose(VERB_ALGO, "setup TCP for SSL service"); if(!port_insert(list, s, is_ssl?listen_type_ssl: listen_type_tcp)) { #ifndef USE_WINSOCK close(s); #else closesocket(s); #endif return 0; } } return 1; } /** * Add items to commpoint list in front. * @param c: commpoint to add. * @param front: listen struct. * @return: false on failure. */ static int listen_cp_insert(struct comm_point* c, struct listen_dnsport* front) { struct listen_list* item = (struct listen_list*)malloc( sizeof(struct listen_list)); if(!item) return 0; item->com = c; item->next = front->cps; front->cps = item; return 1; } struct listen_dnsport* listen_create(struct comm_base* base, struct listen_port* ports, size_t bufsize, int tcp_accept_count, void* sslctx, struct dt_env* dtenv, comm_point_callback_t* cb, void *cb_arg) { struct listen_dnsport* front = (struct listen_dnsport*) malloc(sizeof(struct listen_dnsport)); if(!front) return NULL; front->cps = NULL; front->udp_buff = sldns_buffer_new(bufsize); if(!front->udp_buff) { free(front); return NULL; } /* create comm points as needed */ while(ports) { struct comm_point* cp = NULL; if(ports->ftype == listen_type_udp) cp = comm_point_create_udp(base, ports->fd, front->udp_buff, cb, cb_arg); else if(ports->ftype == listen_type_tcp) cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, bufsize, cb, cb_arg); else if(ports->ftype == listen_type_ssl) { cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, bufsize, cb, cb_arg); cp->ssl = sslctx; } else if(ports->ftype == listen_type_udpancil) cp = comm_point_create_udp_ancil(base, ports->fd, front->udp_buff, cb, cb_arg); if(!cp) { log_err("can't create commpoint"); listen_delete(front); return NULL; } cp->dtenv = dtenv; cp->do_not_close = 1; if(!listen_cp_insert(cp, front)) { log_err("malloc failed"); comm_point_delete(cp); listen_delete(front); return NULL; } ports = ports->next; } if(!front->cps) { log_err("Could not open sockets to accept queries."); listen_delete(front); return NULL; } return front; } void listen_list_delete(struct listen_list* list) { struct listen_list *p = list, *pn; while(p) { pn = p->next; comm_point_delete(p->com); free(p); p = pn; } } void listen_delete(struct listen_dnsport* front) { if(!front) return; listen_list_delete(front->cps); sldns_buffer_free(front->udp_buff); free(front); } struct listen_port* listening_ports_open(struct config_file* cfg, int* reuseport) { struct listen_port* list = NULL; struct addrinfo hints; int i, do_ip4, do_ip6; int do_tcp, do_auto; char portbuf[32]; snprintf(portbuf, sizeof(portbuf), "%d", cfg->port); do_ip4 = cfg->do_ip4; do_ip6 = cfg->do_ip6; do_tcp = cfg->do_tcp; do_auto = cfg->if_automatic && cfg->do_udp; if(cfg->incoming_num_tcp == 0) do_tcp = 0; /* getaddrinfo */ memset(&hints, 0, sizeof(hints)); hints.ai_flags = AI_PASSIVE; /* no name lookups on our listening ports */ if(cfg->num_ifs > 0) hints.ai_flags |= AI_NUMERICHOST; hints.ai_family = AF_UNSPEC; #ifndef INET6 do_ip6 = 0; #endif if(!do_ip4 && !do_ip6) { return NULL; } /* create ip4 and ip6 ports so that return addresses are nice. */ if(do_auto || cfg->num_ifs == 0) { if(do_ip6) { hints.ai_family = AF_INET6; if(!ports_create_if(do_auto?"::0":"::1", do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, reuseport)) { listening_ports_free(list); return NULL; } } if(do_ip4) { hints.ai_family = AF_INET; if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1", do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, reuseport)) { listening_ports_free(list); return NULL; } } } else for(i = 0; inum_ifs; i++) { if(str_is_ip6(cfg->ifs[i])) { if(!do_ip6) continue; hints.ai_family = AF_INET6; if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, reuseport)) { listening_ports_free(list); return NULL; } } else { if(!do_ip4) continue; hints.ai_family = AF_INET; if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, reuseport)) { listening_ports_free(list); return NULL; } } } return list; } void listening_ports_free(struct listen_port* list) { struct listen_port* nx; while(list) { nx = list->next; if(list->fd != -1) { #ifndef USE_WINSOCK close(list->fd); #else closesocket(list->fd); #endif } free(list); list = nx; } } size_t listen_get_mem(struct listen_dnsport* listen) { size_t s = sizeof(*listen) + sizeof(*listen->base) + sizeof(*listen->udp_buff) + sldns_buffer_capacity(listen->udp_buff); struct listen_list* p; for(p = listen->cps; p; p = p->next) { s += sizeof(*p); s += comm_point_get_mem(p->com); } return s; } void listen_stop_accept(struct listen_dnsport* listen) { /* do not stop the ones that have no tcp_free list * (they have already stopped listening) */ struct listen_list* p; for(p=listen->cps; p; p=p->next) { if(p->com->type == comm_tcp_accept && p->com->tcp_free != NULL) { comm_point_stop_listening(p->com); } } } void listen_start_accept(struct listen_dnsport* listen) { /* do not start the ones that have no tcp_free list, it is no * use to listen to them because they have no free tcp handlers */ struct listen_list* p; for(p=listen->cps; p; p=p->next) { if(p->com->type == comm_tcp_accept && p->com->tcp_free != NULL) { comm_point_start_listening(p->com, -1, -1); } } } Index: head/contrib/unbound/services/listen_dnsport.h =================================================================== --- head/contrib/unbound/services/listen_dnsport.h (revision 276698) +++ head/contrib/unbound/services/listen_dnsport.h (revision 276699) @@ -1,210 +1,219 @@ /* * services/listen_dnsport.h - listen on port 53 for incoming DNS queries. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * This file has functions to get queries from clients. */ #ifndef LISTEN_DNSPORT_H #define LISTEN_DNSPORT_H #include "util/netevent.h" struct listen_list; struct config_file; struct addrinfo; struct sldns_buffer; /** * Listening for queries structure. * Contains list of query-listen sockets. */ struct listen_dnsport { /** Base for select calls */ struct comm_base* base; /** buffer shared by UDP connections, since there is only one datagram at any time. */ struct sldns_buffer* udp_buff; /** list of comm points used to get incoming events */ struct listen_list* cps; }; /** * Single linked list to store event points. */ struct listen_list { /** next in list */ struct listen_list* next; /** event info */ struct comm_point* com; }; /** * type of ports */ enum listen_type { /** udp type */ listen_type_udp, /** tcp type */ listen_type_tcp, /** udp ipv6 (v4mapped) for use with ancillary data */ listen_type_udpancil, /** ssl over tcp type */ listen_type_ssl }; /** * Single linked list to store shared ports that have been * opened for use by all threads. */ struct listen_port { /** next in list */ struct listen_port* next; /** file descriptor, open and ready for use */ int fd; /** type of file descriptor, udp or tcp */ enum listen_type ftype; }; /** * Create shared listening ports * Getaddrinfo, create socket, bind and listen to zero or more * interfaces for IP4 and/or IP6, for UDP and/or TCP. * On the given port number. It creates the sockets. * @param cfg: settings on what ports to open. * @param reuseport: set to true if you want reuseport, or NULL to not have it, * set to false on exit if reuseport failed to apply (because of no * kernel support). * @return: linked list of ports or NULL on error. */ struct listen_port* listening_ports_open(struct config_file* cfg, int* reuseport); /** * Close and delete the (list of) listening ports. */ void listening_ports_free(struct listen_port* list); /** * Create commpoints with for this thread for the shared ports. * @param base: the comm_base that provides event functionality. * for default all ifs. * @param ports: the list of shared ports. * @param bufsize: size of datagram buffer. * @param tcp_accept_count: max number of simultaneous TCP connections * from clients. * @param sslctx: nonNULL if ssl context. * @param dtenv: nonNULL if dnstap enabled. * @param cb: callback function when a request arrives. It is passed * the packet and user argument. Return true to send a reply. * @param cb_arg: user data argument for callback function. * @return: the malloced listening structure, ready for use. NULL on error. */ struct listen_dnsport* listen_create(struct comm_base* base, struct listen_port* ports, size_t bufsize, int tcp_accept_count, void* sslctx, struct dt_env *dtenv, comm_point_callback_t* cb, void* cb_arg); /** * delete the listening structure * @param listen: listening structure. */ void listen_delete(struct listen_dnsport* listen); /** * delete listen_list of commpoints. Calls commpointdelete() on items. * This may close the fds or not depending on flags. * @param list: to delete. */ void listen_list_delete(struct listen_list* list); /** * get memory size used by the listening structs * @param listen: listening structure. * @return: size in bytes. */ size_t listen_get_mem(struct listen_dnsport* listen); /** * stop accept handlers for TCP (until enabled again) * @param listen: listening structure. */ void listen_stop_accept(struct listen_dnsport* listen); /** * start accept handlers for TCP (was stopped before) * @param listen: listening structure. */ void listen_start_accept(struct listen_dnsport* listen); /** * Create and bind nonblocking UDP socket * @param family: for socket call. * @param socktype: for socket call. * @param addr: for bind call. * @param addrlen: for bind call. * @param v6only: if enabled, IP6 sockets get IP6ONLY option set. * if enabled with value 2 IP6ONLY option is disabled. * @param inuse: on error, this is set true if the port was in use. * @param noproto: on error, this is set true if cause is that the IPv6 proto (family) is not available. * @param rcv: set size on rcvbuf with socket option, if 0 it is not set. * @param snd: set size on sndbuf with socket option, if 0 it is not set. * @param listen: if true, this is a listening UDP port, eg port 53, and * set SO_REUSEADDR on it. * @param reuseport: if nonNULL and true, try to set SO_REUSEPORT on * listening UDP port. Set to false on return if it failed to do so. * @return: the socket. -1 on error. */ int create_udp_sock(int family, int socktype, struct sockaddr* addr, socklen_t addrlen, int v6only, int* inuse, int* noproto, int rcv, int snd, int listen, int* reuseport); /** * Create and bind TCP listening socket * @param addr: address info ready to make socket. * @param v6only: enable ip6 only flag on ip6 sockets. * @param noproto: if error caused by lack of protocol support. * @param reuseport: if nonNULL and true, try to set SO_REUSEPORT on * listening UDP port. Set to false on return if it failed to do so. * @return: the socket. -1 on error. */ int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, int* reuseport); +/** + * Create and bind local listening socket + * @param path: path to the socket. + * @param noproto: on error, this is set true if cause is that local sockets + * are not supported. + * @return: the socket. -1 on error. + */ +int create_local_accept_sock(char* path, int* noproto); + #endif /* LISTEN_DNSPORT_H */ Index: head/contrib/unbound/smallapp/unbound-checkconf.c =================================================================== --- head/contrib/unbound/smallapp/unbound-checkconf.c (revision 276698) +++ head/contrib/unbound/smallapp/unbound-checkconf.c (revision 276699) @@ -1,529 +1,529 @@ /* * checkconf/unbound-checkconf.c - config file checker for unbound.conf file. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * The config checker checks for syntax and other errors in the unbound.conf * file, and can be used to check for errors before the server is started * or sigHUPped. * Exit status 1 means an error. */ #include "config.h" #include "util/log.h" #include "util/config_file.h" #include "util/module.h" #include "util/net_help.h" #include "util/regional.h" #include "iterator/iterator.h" #include "iterator/iter_fwd.h" #include "iterator/iter_hints.h" #include "validator/validator.h" #include "services/localzone.h" #include "ldns/sbuffer.h" #ifdef HAVE_GETOPT_H #include #endif #ifdef HAVE_PWD_H #include #endif #ifdef HAVE_SYS_STAT_H #include #endif #ifdef HAVE_GLOB_H #include #endif #ifdef WITH_PYTHONMODULE #include "pythonmod/pythonmod.h" #endif /** Give checkconf usage, and exit (1). */ static void usage() { printf("Usage: unbound-checkconf [file]\n"); printf(" Checks unbound configuration file for errors.\n"); printf("file if omitted %s is used.\n", CONFIGFILE); printf("-o option print value of option to stdout.\n"); printf("-h show this usage help.\n"); printf("Version %s\n", PACKAGE_VERSION); printf("BSD licensed, see LICENSE in source package for details.\n"); printf("Report bugs to %s\n", PACKAGE_BUGREPORT); exit(1); } /** * Print given option to stdout * @param cfg: config * @param opt: option name without trailing :. * This is different from config_set_option. */ static void print_option(struct config_file* cfg, const char* opt) { if(!config_get_option(cfg, opt, config_print_func, stdout)) fatal_exit("cannot print option '%s'", opt); } /** check if module works with config */ static void check_mod(struct config_file* cfg, struct module_func_block* fb) { struct module_env env; memset(&env, 0, sizeof(env)); env.cfg = cfg; env.scratch = regional_create(); env.scratch_buffer = sldns_buffer_new(BUFSIZ); if(!env.scratch || !env.scratch_buffer) fatal_exit("out of memory"); if(!(*fb->init)(&env, 0)) { fatal_exit("bad config for %s module", fb->name); } (*fb->deinit)(&env, 0); sldns_buffer_free(env.scratch_buffer); regional_destroy(env.scratch); } /** check localzones */ static void localzonechecks(struct config_file* cfg) { struct local_zones* zs; if(!(zs = local_zones_create())) fatal_exit("out of memory"); if(!local_zones_apply_cfg(zs, cfg)) fatal_exit("failed local-zone, local-data configuration"); local_zones_delete(zs); } /** emit warnings for IP in hosts */ static void warn_hosts(const char* typ, struct config_stub* list) { struct sockaddr_storage a; socklen_t alen; struct config_stub* s; struct config_strlist* h; for(s=list; s; s=s->next) { for(h=s->hosts; h; h=h->next) { if(extstrtoaddr(h->str, &a, &alen)) { fprintf(stderr, "unbound-checkconf: warning:" " %s %s: \"%s\" is an IP%s address, " "and when looked up as a host name " "during use may not resolve.\n", s->name, typ, h->str, addr_is_ip6(&a, alen)?"6":"4"); } } } } /** check interface strings */ static void interfacechecks(struct config_file* cfg) { struct sockaddr_storage a; socklen_t alen; int i, j; for(i=0; inum_ifs; i++) { if(!extstrtoaddr(cfg->ifs[i], &a, &alen)) { fatal_exit("cannot parse interface specified as '%s'", cfg->ifs[i]); } for(j=0; jnum_ifs; j++) { if(i!=j && strcmp(cfg->ifs[i], cfg->ifs[j])==0) fatal_exit("interface: %s present twice, " "cannot bind same ports twice.", cfg->ifs[i]); } } for(i=0; inum_out_ifs; i++) { if(!ipstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen)) { fatal_exit("cannot parse outgoing-interface " "specified as '%s'", cfg->out_ifs[i]); } for(j=0; jnum_out_ifs; j++) { if(i!=j && strcmp(cfg->out_ifs[i], cfg->out_ifs[j])==0) fatal_exit("outgoing-interface: %s present " "twice, cannot bind same ports twice.", cfg->out_ifs[i]); } } } /** check acl ips */ static void aclchecks(struct config_file* cfg) { int d; struct sockaddr_storage a; socklen_t alen; struct config_str2list* acl; for(acl=cfg->acls; acl; acl = acl->next) { if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen, &d)) { fatal_exit("cannot parse access control address %s %s", acl->str, acl->str2); } } } /** true if fname is a file */ static int is_file(const char* fname) { struct stat buf; if(stat(fname, &buf) < 0) { if(errno==EACCES) { printf("warning: no search permission for one of the directories in path: %s\n", fname); return 1; } perror(fname); return 0; } if(S_ISDIR(buf.st_mode)) { printf("%s is not a file\n", fname); return 0; } return 1; } /** true if fname is a directory */ static int is_dir(const char* fname) { struct stat buf; if(stat(fname, &buf) < 0) { if(errno==EACCES) { printf("warning: no search permission for one of the directories in path: %s\n", fname); return 1; } perror(fname); return 0; } if(!(S_ISDIR(buf.st_mode))) { printf("%s is not a directory\n", fname); return 0; } return 1; } /** get base dir of a fname */ static char* basedir(char* fname) { char* rev; if(!fname) fatal_exit("out of memory"); rev = strrchr(fname, '/'); if(!rev) return NULL; if(fname == rev) return NULL; rev[0] = 0; return fname; } /** check chroot for a file string */ static void check_chroot_string(const char* desc, char** ss, const char* chrootdir, struct config_file* cfg) { char* str = *ss; if(str && str[0]) { *ss = fname_after_chroot(str, cfg, 1); if(!*ss) fatal_exit("out of memory"); if(!is_file(*ss)) { if(chrootdir && chrootdir[0]) fatal_exit("%s: \"%s\" does not exist in " "chrootdir %s", desc, str, chrootdir); else fatal_exit("%s: \"%s\" does not exist", desc, str); } /* put in a new full path for continued checking */ free(str); } } /** check file list, every file must be inside the chroot location */ static void check_chroot_filelist(const char* desc, struct config_strlist* list, const char* chrootdir, struct config_file* cfg) { struct config_strlist* p; for(p=list; p; p=p->next) { check_chroot_string(desc, &p->str, chrootdir, cfg); } } /** check file list, with wildcard processing */ static void check_chroot_filelist_wild(const char* desc, struct config_strlist* list, const char* chrootdir, struct config_file* cfg) { struct config_strlist* p; for(p=list; p; p=p->next) { #ifdef HAVE_GLOB if(strchr(p->str, '*') || strchr(p->str, '[') || strchr(p->str, '?') || strchr(p->str, '{') || strchr(p->str, '~')) { char* s = p->str; /* adjust whole pattern for chroot and check later */ p->str = fname_after_chroot(p->str, cfg, 1); free(s); } else #endif /* HAVE_GLOB */ check_chroot_string(desc, &p->str, chrootdir, cfg); } } /** check configuration for errors */ static void morechecks(struct config_file* cfg, const char* fname) { warn_hosts("stub-host", cfg->stubs); warn_hosts("forward-host", cfg->forwards); interfacechecks(cfg); aclchecks(cfg); if(cfg->verbosity < 0) fatal_exit("verbosity value < 0"); if(cfg->num_threads <= 0 || cfg->num_threads > 10000) fatal_exit("num_threads value weird"); if(!cfg->do_ip4 && !cfg->do_ip6) fatal_exit("ip4 and ip6 are both disabled, pointless"); if(!cfg->do_udp && !cfg->do_tcp) fatal_exit("udp and tcp are both disabled, pointless"); if(cfg->edns_buffer_size > cfg->msg_buffer_size) fatal_exit("edns-buffer-size larger than msg-buffer-size, " "answers will not fit in processing buffer"); if(cfg->chrootdir && cfg->chrootdir[0] && cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/') fatal_exit("chootdir %s has trailing slash '/' please remove.", cfg->chrootdir); if(cfg->chrootdir && cfg->chrootdir[0] && !is_dir(cfg->chrootdir)) { fatal_exit("bad chroot directory"); } if(cfg->chrootdir && cfg->chrootdir[0]) { char buf[10240]; buf[0] = 0; if(fname[0] != '/') { if(getcwd(buf, sizeof(buf)) == NULL) fatal_exit("getcwd: %s", strerror(errno)); (void)strlcat(buf, "/", sizeof(buf)); } (void)strlcat(buf, fname, sizeof(buf)); if(strncmp(buf, cfg->chrootdir, strlen(cfg->chrootdir)) != 0) fatal_exit("config file %s is not inside chroot %s", buf, cfg->chrootdir); } if(cfg->directory && cfg->directory[0]) { char* ad = fname_after_chroot(cfg->directory, cfg, 0); if(!ad) fatal_exit("out of memory"); if(!is_dir(ad)) fatal_exit("bad chdir directory"); free(ad); } if( (cfg->chrootdir && cfg->chrootdir[0]) || (cfg->directory && cfg->directory[0])) { if(cfg->pidfile && cfg->pidfile[0]) { char* ad = (cfg->pidfile[0]=='/')?strdup(cfg->pidfile): fname_after_chroot(cfg->pidfile, cfg, 1); char* bd = basedir(ad); if(bd && !is_dir(bd)) fatal_exit("pidfile directory does not exist"); free(ad); } if(cfg->logfile && cfg->logfile[0]) { char* ad = fname_after_chroot(cfg->logfile, cfg, 1); char* bd = basedir(ad); if(bd && !is_dir(bd)) fatal_exit("logfile directory does not exist"); free(ad); } } check_chroot_filelist("file with root-hints", cfg->root_hints, cfg->chrootdir, cfg); check_chroot_filelist("trust-anchor-file", cfg->trust_anchor_file_list, cfg->chrootdir, cfg); check_chroot_filelist("auto-trust-anchor-file", cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg); check_chroot_filelist_wild("trusted-keys-file", cfg->trusted_keys_file_list, cfg->chrootdir, cfg); check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file, cfg->chrootdir, cfg); /* remove chroot setting so that modules are not stripping pathnames*/ free(cfg->chrootdir); cfg->chrootdir = NULL; if(strcmp(cfg->module_conf, "iterator") != 0 && strcmp(cfg->module_conf, "validator iterator") != 0 && strcmp(cfg->module_conf, "dns64 validator iterator") != 0 && strcmp(cfg->module_conf, "dns64 iterator") != 0 #ifdef WITH_PYTHONMODULE && strcmp(cfg->module_conf, "python iterator") != 0 && strcmp(cfg->module_conf, "python validator iterator") != 0 && strcmp(cfg->module_conf, "validator python iterator") != 0 && strcmp(cfg->module_conf, "dns64 python iterator") != 0 && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0 && strcmp(cfg->module_conf, "dns64 validator python iterator") != 0 && strcmp(cfg->module_conf, "python dns64 iterator") != 0 && strcmp(cfg->module_conf, "python dns64 validator iterator") != 0 #endif ) { fatal_exit("module conf '%s' is not known to work", cfg->module_conf); } #ifdef HAVE_GETPWNAM if(cfg->username && cfg->username[0]) { if(getpwnam(cfg->username) == NULL) fatal_exit("user '%s' does not exist.", cfg->username); endpwent(); } #endif - if(cfg->remote_control_enable) { + if(cfg->remote_control_enable && cfg->remote_control_use_cert) { check_chroot_string("server-key-file", &cfg->server_key_file, cfg->chrootdir, cfg); check_chroot_string("server-cert-file", &cfg->server_cert_file, cfg->chrootdir, cfg); if(!is_file(cfg->control_key_file)) fatal_exit("control-key-file: \"%s\" does not exist", cfg->control_key_file); if(!is_file(cfg->control_cert_file)) fatal_exit("control-cert-file: \"%s\" does not exist", cfg->control_cert_file); } localzonechecks(cfg); } /** check forwards */ static void check_fwd(struct config_file* cfg) { struct iter_forwards* fwd = forwards_create(); if(!fwd || !forwards_apply_cfg(fwd, cfg)) { fatal_exit("Could not set forward zones"); } forwards_delete(fwd); } /** check hints */ static void check_hints(struct config_file* cfg) { struct iter_hints* hints = hints_create(); if(!hints || !hints_apply_cfg(hints, cfg)) { fatal_exit("Could not set root or stub hints"); } hints_delete(hints); } /** check config file */ static void checkconf(const char* cfgfile, const char* opt) { struct config_file* cfg = config_create(); if(!cfg) fatal_exit("out of memory"); if(!config_read(cfg, cfgfile, NULL)) { /* config_read prints messages to stderr */ config_delete(cfg); exit(1); } if(opt) { print_option(cfg, opt); config_delete(cfg); return; } morechecks(cfg, cfgfile); check_mod(cfg, iter_get_funcblock()); check_mod(cfg, val_get_funcblock()); #ifdef WITH_PYTHONMODULE if(strstr(cfg->module_conf, "python")) check_mod(cfg, pythonmod_get_funcblock()); #endif check_fwd(cfg); check_hints(cfg); printf("unbound-checkconf: no errors in %s\n", cfgfile); config_delete(cfg); } /** getopt global, in case header files fail to declare it. */ extern int optind; /** getopt global, in case header files fail to declare it. */ extern char* optarg; /** Main routine for checkconf */ int main(int argc, char* argv[]) { int c; const char* f; const char* opt = NULL; const char* cfgfile = CONFIGFILE; log_ident_set("unbound-checkconf"); log_init(NULL, 0, NULL); checklock_start(); #ifdef USE_WINSOCK /* use registry config file in preference to compiletime location */ if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile"))) cfgfile = CONFIGFILE; #endif /* USE_WINSOCK */ /* parse the options */ while( (c=getopt(argc, argv, "ho:")) != -1) { switch(c) { case 'o': opt = optarg; break; case '?': case 'h': default: usage(); } } argc -= optind; argv += optind; if(argc != 0 && argc != 1) usage(); if(argc == 1) f = argv[0]; else f = cfgfile; checkconf(f, opt); checklock_stop(); return 0; } Index: head/contrib/unbound/smallapp/unbound-control.c =================================================================== --- head/contrib/unbound/smallapp/unbound-control.c (revision 276698) +++ head/contrib/unbound/smallapp/unbound-control.c (revision 276699) @@ -1,440 +1,467 @@ /* * checkconf/unbound-control.c - remote control utility for unbound. * * Copyright (c) 2008, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * The remote control utility contacts the unbound server over ssl and * sends the command, receives the answer, and displays the result * from the commandline. */ #include "config.h" #ifdef HAVE_GETOPT_H #include #endif #ifdef HAVE_OPENSSL_SSL_H #include #endif #ifdef HAVE_OPENSSL_ERR_H #include #endif #ifdef HAVE_OPENSSL_RAND_H #include #endif #include "util/log.h" #include "util/config_file.h" #include "util/locks.h" #include "util/net_help.h" +#ifdef HAVE_SYS_UN_H +#include +#endif + /** Give unbound-control usage, and exit (1). */ static void usage() { printf("Usage: unbound-control [options] command\n"); printf(" Remote control utility for unbound server.\n"); printf("Options:\n"); printf(" -c file config file, default is %s\n", CONFIGFILE); printf(" -s ip[@port] server address, if omitted config is used.\n"); printf(" -q quiet (don't print anything if it works ok).\n"); printf(" -h show this usage help.\n"); printf("Commands:\n"); printf(" start start server; runs unbound(8)\n"); printf(" stop stops the server\n"); printf(" reload reloads the server\n"); printf(" (this flushes data, stats, requestlist)\n"); printf(" stats print statistics\n"); printf(" stats_noreset peek at statistics\n"); printf(" status display status of server\n"); printf(" verbosity change logging detail\n"); printf(" log_reopen close and open the logfile\n"); printf(" local_zone add new local zone\n"); printf(" local_zone_remove remove local zone and its contents\n"); printf(" local_data add local data, for example\n"); printf(" local_data www.example.com A 192.0.2.1\n"); printf(" local_data_remove remove local RR data from name\n"); printf(" dump_cache print cache to stdout\n"); printf(" load_cache load cache from stdin\n"); printf(" lookup print nameservers for name\n"); printf(" flush flushes common types for name from cache\n"); printf(" types: A, AAAA, MX, PTR, NS,\n"); printf(" SOA, CNAME, DNAME, SRV, NAPTR\n"); printf(" flush_type flush name, type from cache\n"); printf(" flush_zone flush everything at or under name\n"); printf(" from rr and dnssec caches\n"); printf(" flush_bogus flush all bogus data\n"); printf(" flush_negative flush all negative data\n"); printf(" flush_stats flush statistics, make zero\n"); printf(" flush_requestlist drop queries that are worked on\n"); printf(" dump_requestlist show what is worked on\n"); printf(" flush_infra [all | ip] remove ping, edns for one IP or all\n"); printf(" dump_infra show ping and edns entries\n"); printf(" set_option opt: val set option to value, no reload\n"); printf(" get_option opt get option value\n"); printf(" list_stubs list stub-zones and root hints in use\n"); printf(" list_forwards list forward-zones in use\n"); printf(" list_local_zones list local-zones in use\n"); printf(" list_local_data list local-data RRs in use\n"); printf(" insecure_add zone add domain-insecure zone\n"); printf(" insecure_remove zone remove domain-insecure zone\n"); printf(" forward_add [+i] zone addr.. add forward-zone with servers\n"); printf(" forward_remove [+i] zone remove forward zone\n"); printf(" stub_add [+ip] zone addr.. add stub-zone with servers\n"); printf(" stub_remove [+i] zone remove stub zone\n"); printf(" +i also do dnssec insecure point\n"); printf(" +p set stub to use priming\n"); printf(" forward [off | addr ...] without arg show forward setup\n"); printf(" or off to turn off root forwarding\n"); printf(" or give list of ip addresses\n"); printf("Version %s\n", PACKAGE_VERSION); printf("BSD licensed, see LICENSE in source package for details.\n"); printf("Report bugs to %s\n", PACKAGE_BUGREPORT); exit(1); } /** exit with ssl error */ static void ssl_err(const char* s) { fprintf(stderr, "error: %s\n", s); ERR_print_errors_fp(stderr); exit(1); } /** setup SSL context */ static SSL_CTX* setup_ctx(struct config_file* cfg) { char* s_cert, *c_key, *c_cert; SSL_CTX* ctx; - s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1); - c_key = fname_after_chroot(cfg->control_key_file, cfg, 1); - c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1); - if(!s_cert || !c_key || !c_cert) - fatal_exit("out of memory"); + if(cfg->remote_control_use_cert) { + s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1); + c_key = fname_after_chroot(cfg->control_key_file, cfg, 1); + c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1); + if(!s_cert || !c_key || !c_cert) + fatal_exit("out of memory"); + } ctx = SSL_CTX_new(SSLv23_client_method()); if(!ctx) ssl_err("could not allocate SSL_CTX pointer"); if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) ssl_err("could not set SSL_OP_NO_SSLv2"); - if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) - ssl_err("could not set SSL_OP_NO_SSLv3"); - if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) || - !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) - || !SSL_CTX_check_private_key(ctx)) - ssl_err("Error setting up SSL_CTX client key and cert"); - if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) - ssl_err("Error setting up SSL_CTX verify, server cert"); - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + if(cfg->remote_control_use_cert) { + if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) + ssl_err("could not set SSL_OP_NO_SSLv3"); + if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) || + !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) + || !SSL_CTX_check_private_key(ctx)) + ssl_err("Error setting up SSL_CTX client key and cert"); + if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) + ssl_err("Error setting up SSL_CTX verify, server cert"); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); - free(s_cert); - free(c_key); - free(c_cert); + free(s_cert); + free(c_key); + free(c_cert); + } else { + /* Use ciphers that don't require authentication */ + if(!SSL_CTX_set_cipher_list(ctx, "aNULL")) + ssl_err("Error setting NULL cipher!"); + } return ctx; } /** contact the server with TCP connect */ static int contact_server(const char* svr, struct config_file* cfg, int statuscmd) { struct sockaddr_storage addr; socklen_t addrlen; + int addrfamily = 0; int fd; /* use svr or the first config entry */ if(!svr) { if(cfg->control_ifs) svr = cfg->control_ifs->str; else svr = "127.0.0.1"; /* config 0 addr (everything), means ask localhost */ if(strcmp(svr, "0.0.0.0") == 0) svr = "127.0.0.1"; else if(strcmp(svr, "::0") == 0 || strcmp(svr, "0::0") == 0 || strcmp(svr, "0::") == 0 || strcmp(svr, "::") == 0) svr = "::1"; } if(strchr(svr, '@')) { if(!extstrtoaddr(svr, &addr, &addrlen)) fatal_exit("could not parse IP@port: %s", svr); +#ifdef HAVE_SYS_UN_H + } else if(svr[0] == '/') { + struct sockaddr_un* sun = (struct sockaddr_un *) &addr; + sun->sun_family = AF_LOCAL; + sun->sun_len = sizeof(sun); + strlcpy(sun->sun_path, svr, 104); + addrlen = sizeof(struct sockaddr_un); + addrfamily = AF_LOCAL; +#endif } else { if(!ipstrtoaddr(svr, cfg->control_port, &addr, &addrlen)) fatal_exit("could not parse IP: %s", svr); } - fd = socket(addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET, - SOCK_STREAM, 0); + + if(addrfamily == 0) + addrfamily = addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET; + fd = socket(addrfamily, SOCK_STREAM, 0); if(fd == -1) { #ifndef USE_WINSOCK fatal_exit("socket: %s", strerror(errno)); #else fatal_exit("socket: %s", wsa_strerror(WSAGetLastError())); #endif } if(connect(fd, (struct sockaddr*)&addr, addrlen) < 0) { #ifndef USE_WINSOCK log_err_addr("connect", strerror(errno), &addr, addrlen); if(errno == ECONNREFUSED && statuscmd) { printf("unbound is stopped\n"); exit(3); } #else log_err_addr("connect", wsa_strerror(WSAGetLastError()), &addr, addrlen); if(WSAGetLastError() == WSAECONNREFUSED && statuscmd) { printf("unbound is stopped\n"); exit(3); } #endif exit(1); } return fd; } /** setup SSL on the connection */ static SSL* -setup_ssl(SSL_CTX* ctx, int fd) +setup_ssl(SSL_CTX* ctx, int fd, struct config_file* cfg) { SSL* ssl; X509* x; int r; ssl = SSL_new(ctx); if(!ssl) ssl_err("could not SSL_new"); SSL_set_connect_state(ssl); (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); if(!SSL_set_fd(ssl, fd)) ssl_err("could not SSL_set_fd"); while(1) { ERR_clear_error(); if( (r=SSL_do_handshake(ssl)) == 1) break; r = SSL_get_error(ssl, r); if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) ssl_err("SSL handshake failed"); /* wants to be called again */ } /* check authenticity of server */ if(SSL_get_verify_result(ssl) != X509_V_OK) ssl_err("SSL verification failed"); - x = SSL_get_peer_certificate(ssl); - if(!x) - ssl_err("Server presented no peer certificate"); - X509_free(x); + if(cfg->remote_control_use_cert) { + x = SSL_get_peer_certificate(ssl); + if(!x) + ssl_err("Server presented no peer certificate"); + X509_free(x); + } + return ssl; } /** send stdin to server */ static void send_file(SSL* ssl, FILE* in, char* buf, size_t sz) { while(fgets(buf, (int)sz, in)) { if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) ssl_err("could not SSL_write contents"); } } /** send command and display result */ static int go_cmd(SSL* ssl, int quiet, int argc, char* argv[]) { char pre[10]; const char* space=" "; const char* newline="\n"; int was_error = 0, first_line = 1; int r, i; char buf[1024]; snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION); if(SSL_write(ssl, pre, (int)strlen(pre)) <= 0) ssl_err("could not SSL_write"); for(i=0; iremote_control_enable) log_warn("control-enable is 'no' in the config file."); ctx = setup_ctx(cfg); - + /* contact server */ fd = contact_server(svr, cfg, argc>0&&strcmp(argv[0],"status")==0); - ssl = setup_ssl(ctx, fd); - + ssl = setup_ssl(ctx, fd, cfg); + /* send command */ ret = go_cmd(ssl, quiet, argc, argv); SSL_free(ssl); #ifndef USE_WINSOCK close(fd); #else closesocket(fd); #endif SSL_CTX_free(ctx); config_delete(cfg); return ret; } /** getopt global, in case header files fail to declare it. */ extern int optind; /** getopt global, in case header files fail to declare it. */ extern char* optarg; /** Main routine for unbound-control */ int main(int argc, char* argv[]) { int c, ret; int quiet = 0; const char* cfgfile = CONFIGFILE; char* svr = NULL; #ifdef USE_WINSOCK int r; WSADATA wsa_data; #endif #ifdef USE_THREAD_DEBUG /* stop the file output from unbound-control, overwites the servers */ extern int check_locking_order; check_locking_order = 0; #endif /* USE_THREAD_DEBUG */ log_ident_set("unbound-control"); log_init(NULL, 0, NULL); checklock_start(); #ifdef USE_WINSOCK if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) fatal_exit("WSAStartup failed: %s", wsa_strerror(r)); /* use registry config file in preference to compiletime location */ if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile"))) cfgfile = CONFIGFILE; #endif ERR_load_crypto_strings(); ERR_load_SSL_strings(); OpenSSL_add_all_algorithms(); (void)SSL_library_init(); if(!RAND_status()) { /* try to seed it */ unsigned char buf[256]; unsigned int seed=(unsigned)time(NULL) ^ (unsigned)getpid(); unsigned int v = seed; size_t i; for(i=0; i<256/sizeof(v); i++) { memmove(buf+i*sizeof(v), &v, sizeof(v)); v = v*seed + (unsigned int)i; } RAND_seed(buf, 256); log_warn("no entropy, seeding openssl PRNG with time\n"); } /* parse the options */ while( (c=getopt(argc, argv, "c:s:qh")) != -1) { switch(c) { case 'c': cfgfile = optarg; break; case 's': svr = optarg; break; case 'q': quiet = 1; break; case '?': case 'h': default: usage(); } } argc -= optind; argv += optind; if(argc == 0) usage(); if(argc >= 1 && strcmp(argv[0], "start")==0) { if(execlp("unbound", "unbound", "-c", cfgfile, (char*)NULL) < 0) { fatal_exit("could not exec unbound: %s", strerror(errno)); } } ret = go(cfgfile, svr, quiet, argc, argv); #ifdef USE_WINSOCK WSACleanup(); #endif checklock_stop(); return ret; } Index: head/contrib/unbound/util/config_file.c =================================================================== --- head/contrib/unbound/util/config_file.c (revision 276698) +++ head/contrib/unbound/util/config_file.c (revision 276699) @@ -1,1571 +1,1587 @@ /* * util/config_file.c - reads and stores the config file for unbound. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * This file contains functions for the config file. */ #include "config.h" #include #include #ifdef HAVE_TIME_H #include #endif #include "util/log.h" #include "util/configyyrename.h" #include "util/config_file.h" #include "configparser.h" #include "util/net_help.h" #include "util/data/msgparse.h" #include "util/module.h" #include "util/regional.h" #include "util/fptr_wlist.h" #include "util/data/dname.h" #include "ldns/wire2str.h" #include "ldns/parseutil.h" #ifdef HAVE_GLOB_H # include #endif +#ifdef HAVE_PWD_H +#include +#endif /** global config during parsing */ struct config_parser_state* cfg_parser = 0; /** init ports possible for use */ static void init_outgoing_availports(int* array, int num); struct config_file* config_create(void) { struct config_file* cfg; cfg = (struct config_file*)calloc(1, sizeof(struct config_file)); if(!cfg) return NULL; /* the defaults if no config is present */ cfg->verbosity = 1; cfg->stat_interval = 0; cfg->stat_cumulative = 0; cfg->stat_extended = 0; cfg->num_threads = 1; cfg->port = UNBOUND_DNS_PORT; cfg->do_ip4 = 1; cfg->do_ip6 = 1; cfg->do_udp = 1; cfg->do_tcp = 1; cfg->tcp_upstream = 0; cfg->ssl_service_key = NULL; cfg->ssl_service_pem = NULL; cfg->ssl_port = 443; cfg->ssl_upstream = 0; cfg->use_syslog = 1; cfg->log_time_ascii = 0; cfg->log_queries = 0; #ifndef USE_WINSOCK # ifdef USE_MINI_EVENT /* select max 1024 sockets */ cfg->outgoing_num_ports = 960; cfg->num_queries_per_thread = 512; # else /* libevent can use many sockets */ cfg->outgoing_num_ports = 4096; cfg->num_queries_per_thread = 1024; # endif cfg->outgoing_num_tcp = 10; cfg->incoming_num_tcp = 10; #else cfg->outgoing_num_ports = 48; /* windows is limited in num fds */ cfg->num_queries_per_thread = 24; cfg->outgoing_num_tcp = 2; /* leaves 64-52=12 for: 4if,1stop,thread4 */ cfg->incoming_num_tcp = 2; #endif cfg->edns_buffer_size = 4096; /* 4k from rfc recommendation */ cfg->msg_buffer_size = 65552; /* 64 k + a small margin */ cfg->msg_cache_size = 4 * 1024 * 1024; cfg->msg_cache_slabs = 4; cfg->jostle_time = 200; cfg->rrset_cache_size = 4 * 1024 * 1024; cfg->rrset_cache_slabs = 4; cfg->host_ttl = 900; cfg->bogus_ttl = 60; cfg->min_ttl = 0; cfg->max_ttl = 3600 * 24; cfg->prefetch = 0; cfg->prefetch_key = 0; cfg->infra_cache_slabs = 4; cfg->infra_cache_numhosts = 10000; cfg->delay_close = 0; if(!(cfg->outgoing_avail_ports = (int*)calloc(65536, sizeof(int)))) goto error_exit; init_outgoing_availports(cfg->outgoing_avail_ports, 65536); if(!(cfg->username = strdup(UB_USERNAME))) goto error_exit; + cfg->uid = (uid_t)-1; + cfg->gid = (gid_t)-1; #ifdef HAVE_CHROOT if(!(cfg->chrootdir = strdup(CHROOT_DIR))) goto error_exit; #endif if(!(cfg->directory = strdup(RUN_DIR))) goto error_exit; if(!(cfg->logfile = strdup(""))) goto error_exit; if(!(cfg->pidfile = strdup(PIDFILE))) goto error_exit; if(!(cfg->target_fetch_policy = strdup("3 2 1 0 0"))) goto error_exit; cfg->donotqueryaddrs = NULL; cfg->donotquery_localhost = 1; cfg->root_hints = NULL; cfg->do_daemonize = 1; cfg->if_automatic = 0; cfg->so_rcvbuf = 0; cfg->so_sndbuf = 0; cfg->so_reuseport = 0; cfg->num_ifs = 0; cfg->ifs = NULL; cfg->num_out_ifs = 0; cfg->out_ifs = NULL; cfg->stubs = NULL; cfg->forwards = NULL; cfg->acls = NULL; cfg->harden_short_bufsize = 0; cfg->harden_large_queries = 0; cfg->harden_glue = 1; cfg->harden_dnssec_stripped = 1; cfg->harden_below_nxdomain = 0; cfg->harden_referral_path = 0; cfg->use_caps_bits_for_id = 0; cfg->private_address = NULL; cfg->private_domain = NULL; cfg->unwanted_threshold = 0; cfg->hide_identity = 0; cfg->hide_version = 0; cfg->identity = NULL; cfg->version = NULL; cfg->auto_trust_anchor_file_list = NULL; cfg->trust_anchor_file_list = NULL; cfg->trust_anchor_list = NULL; cfg->trusted_keys_file_list = NULL; cfg->dlv_anchor_file = NULL; cfg->dlv_anchor_list = NULL; cfg->domain_insecure = NULL; cfg->val_date_override = 0; cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */ cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */ cfg->val_clean_additional = 1; cfg->val_log_level = 0; cfg->val_log_squelch = 0; cfg->val_permissive_mode = 0; cfg->ignore_cd = 0; cfg->add_holddown = 30*24*3600; cfg->del_holddown = 30*24*3600; cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */ cfg->key_cache_size = 4 * 1024 * 1024; cfg->key_cache_slabs = 4; cfg->neg_cache_size = 1 * 1024 * 1024; cfg->local_zones = NULL; cfg->local_zones_nodefault = NULL; cfg->local_data = NULL; cfg->unblock_lan_zones = 0; cfg->python_script = NULL; cfg->remote_control_enable = 0; cfg->control_ifs = NULL; cfg->control_port = UNBOUND_CONTROL_PORT; cfg->minimal_responses = 0; cfg->rrset_roundrobin = 0; cfg->max_udp_size = 4096; if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key"))) goto error_exit; if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem"))) goto error_exit; if(!(cfg->control_key_file = strdup(RUN_DIR"/unbound_control.key"))) goto error_exit; if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem"))) goto error_exit; if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit; if(!(cfg->val_nsec3_key_iterations = strdup("1024 150 2048 500 4096 2500"))) goto error_exit; #if defined(DNSTAP_SOCKET_PATH) if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) goto error_exit; #endif return cfg; error_exit: config_delete(cfg); return NULL; } struct config_file* config_create_forlib(void) { struct config_file* cfg = config_create(); if(!cfg) return NULL; /* modifications for library use, less verbose, less memory */ free(cfg->chrootdir); cfg->chrootdir = NULL; cfg->verbosity = 0; cfg->outgoing_num_ports = 16; /* in library use, this is 'reasonable' and probably within the ulimit(maxfds) of the user */ cfg->outgoing_num_tcp = 2; cfg->msg_cache_size = 1024*1024; cfg->msg_cache_slabs = 1; cfg->rrset_cache_size = 1024*1024; cfg->rrset_cache_slabs = 1; cfg->infra_cache_slabs = 1; cfg->use_syslog = 0; cfg->key_cache_size = 1024*1024; cfg->key_cache_slabs = 1; cfg->neg_cache_size = 100 * 1024; cfg->donotquery_localhost = 0; /* allow, so that you can ask a forward nameserver running on localhost */ cfg->val_log_level = 2; /* to fill why_bogus with */ cfg->val_log_squelch = 1; return cfg; } /** check that the value passed is >= 0 */ #define IS_NUMBER_OR_ZERO \ if(atoi(val) == 0 && strcmp(val, "0") != 0) return 0 /** check that the value passed is > 0 */ #define IS_NONZERO_NUMBER \ if(atoi(val) == 0) return 0 /** check that the value passed is not 0 and a power of 2 */ #define IS_POW2_NUMBER \ if(atoi(val) == 0 || !is_pow2((size_t)atoi(val))) return 0 /** check that the value passed is yes or no */ #define IS_YES_OR_NO \ if(strcmp(val, "yes") != 0 && strcmp(val, "no") != 0) return 0 /** put integer_or_zero into variable */ #define S_NUMBER_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \ { IS_NUMBER_OR_ZERO; cfg->var = atoi(val); } /** put integer_nonzero into variable */ #define S_NUMBER_NONZERO(str, var) if(strcmp(opt, str) == 0) \ { IS_NONZERO_NUMBER; cfg->var = atoi(val); } /** put integer_or_zero into unsigned */ #define S_UNSIGNED_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \ { IS_NUMBER_OR_ZERO; cfg->var = (unsigned)atoi(val); } /** put integer_or_zero into size_t */ #define S_SIZET_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \ { IS_NUMBER_OR_ZERO; cfg->var = (size_t)atoi(val); } /** put integer_nonzero into size_t */ #define S_SIZET_NONZERO(str, var) if(strcmp(opt, str) == 0) \ { IS_NONZERO_NUMBER; cfg->var = (size_t)atoi(val); } /** put yesno into variable */ #define S_YNO(str, var) if(strcmp(opt, str) == 0) \ { IS_YES_OR_NO; cfg->var = (strcmp(val, "yes") == 0); } /** put memsize into variable */ #define S_MEMSIZE(str, var) if(strcmp(opt, str)==0) \ { return cfg_parse_memsize(val, &cfg->var); } /** put pow2 number into variable */ #define S_POW2(str, var) if(strcmp(opt, str)==0) \ { IS_POW2_NUMBER; cfg->var = (size_t)atoi(val); } /** put string into variable */ #define S_STR(str, var) if(strcmp(opt, str)==0) \ { free(cfg->var); return (cfg->var = strdup(val)) != NULL; } /** put string into strlist */ #define S_STRLIST(str, var) if(strcmp(opt, str)==0) \ { return cfg_strlist_insert(&cfg->var, strdup(val)); } int config_set_option(struct config_file* cfg, const char* opt, const char* val) { S_NUMBER_OR_ZERO("verbosity:", verbosity) else if(strcmp(opt, "statistics-interval:") == 0) { if(strcmp(val, "0") == 0 || strcmp(val, "") == 0) cfg->stat_interval = 0; else if(atoi(val) == 0) return 0; else cfg->stat_interval = atoi(val); } else if(strcmp(opt, "num_threads:") == 0) { /* not supported, library must have 1 thread in bgworker */ return 0; } else if(strcmp(opt, "outgoing-port-permit:") == 0) { return cfg_mark_ports(val, 1, cfg->outgoing_avail_ports, 65536); } else if(strcmp(opt, "outgoing-port-avoid:") == 0) { return cfg_mark_ports(val, 0, cfg->outgoing_avail_ports, 65536); } else if(strcmp(opt, "local-zone:") == 0) { return cfg_parse_local_zone(cfg, val); } else if(strcmp(opt, "val-override-date:") == 0) { if(strcmp(val, "") == 0 || strcmp(val, "0") == 0) { cfg->val_date_override = 0; } else if(strlen(val) == 14) { cfg->val_date_override = cfg_convert_timeval(val); return cfg->val_date_override != 0; } else { if(atoi(val) == 0) return 0; cfg->val_date_override = (uint32_t)atoi(val); } } else if(strcmp(opt, "local-data-ptr:") == 0) { char* ptr = cfg_ptr_reverse((char*)opt); return cfg_strlist_insert(&cfg->local_data, ptr); } else if(strcmp(opt, "logfile:") == 0) { cfg->use_syslog = 0; free(cfg->logfile); return (cfg->logfile = strdup(val)) != NULL; } else if(strcmp(opt, "log-time-ascii:") == 0) { IS_YES_OR_NO; cfg->log_time_ascii = (strcmp(val, "yes") == 0); log_set_time_asc(cfg->log_time_ascii); } else S_SIZET_NONZERO("max-udp-size:", max_udp_size) else S_YNO("use-syslog:", use_syslog) else S_YNO("extended-statistics:", stat_extended) else S_YNO("statistics-cumulative:", stat_cumulative) else S_YNO("do-ip4:", do_ip4) else S_YNO("do-ip6:", do_ip6) else S_YNO("do-udp:", do_udp) else S_YNO("do-tcp:", do_tcp) else S_YNO("tcp-upstream:", tcp_upstream) else S_YNO("ssl-upstream:", ssl_upstream) else S_STR("ssl-service-key:", ssl_service_key) else S_STR("ssl-service-pem:", ssl_service_pem) else S_NUMBER_NONZERO("ssl-port:", ssl_port) else S_YNO("interface-automatic:", if_automatic) else S_YNO("do-daemonize:", do_daemonize) else S_NUMBER_NONZERO("port:", port) else S_NUMBER_NONZERO("outgoing-range:", outgoing_num_ports) else S_SIZET_OR_ZERO("outgoing-num-tcp:", outgoing_num_tcp) else S_SIZET_OR_ZERO("incoming-num-tcp:", incoming_num_tcp) else S_SIZET_NONZERO("edns-buffer-size:", edns_buffer_size) else S_SIZET_NONZERO("msg-buffer-size:", msg_buffer_size) else S_MEMSIZE("msg-cache-size:", msg_cache_size) else S_POW2("msg-cache-slabs:", msg_cache_slabs) else S_SIZET_NONZERO("num-queries-per-thread:",num_queries_per_thread) else S_SIZET_OR_ZERO("jostle-timeout:", jostle_time) else S_MEMSIZE("so-rcvbuf:", so_rcvbuf) else S_MEMSIZE("so-sndbuf:", so_sndbuf) else S_YNO("so-reuseport:", so_reuseport) else S_MEMSIZE("rrset-cache-size:", rrset_cache_size) else S_POW2("rrset-cache-slabs:", rrset_cache_slabs) else S_YNO("prefetch:", prefetch) else S_YNO("prefetch-key:", prefetch_key) else if(strcmp(opt, "cache-max-ttl:") == 0) { IS_NUMBER_OR_ZERO; cfg->max_ttl = atoi(val); MAX_TTL=(time_t)cfg->max_ttl;} else if(strcmp(opt, "cache-min-ttl:") == 0) { IS_NUMBER_OR_ZERO; cfg->min_ttl = atoi(val); MIN_TTL=(time_t)cfg->min_ttl;} else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl) else S_POW2("infra-cache-slabs:", infra_cache_slabs) else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts) else S_NUMBER_OR_ZERO("delay-close:", delay_close) else S_STR("chroot:", chrootdir) else S_STR("username:", username) else S_STR("directory:", directory) else S_STR("pidfile:", pidfile) else S_YNO("hide-identity:", hide_identity) else S_YNO("hide-version:", hide_version) else S_STR("identity:", identity) else S_STR("version:", version) else S_STRLIST("root-hints:", root_hints) else S_STR("target-fetch-policy:", target_fetch_policy) else S_YNO("harden-glue:", harden_glue) else S_YNO("harden-short-bufsize:", harden_short_bufsize) else S_YNO("harden-large-queries:", harden_large_queries) else S_YNO("harden-dnssec-stripped:", harden_dnssec_stripped) else S_YNO("harden-below-nxdomain:", harden_below_nxdomain) else S_YNO("harden-referral-path:", harden_referral_path) else S_YNO("use-caps-for-id", use_caps_bits_for_id) else S_SIZET_OR_ZERO("unwanted-reply-threshold:", unwanted_threshold) else S_STRLIST("private-address:", private_address) else S_STRLIST("private-domain:", private_domain) else S_YNO("do-not-query-localhost:", donotquery_localhost) else S_STRLIST("do-not-query-address:", donotqueryaddrs) else S_STRLIST("auto-trust-anchor-file:", auto_trust_anchor_file_list) else S_STRLIST("trust-anchor-file:", trust_anchor_file_list) else S_STRLIST("trust-anchor:", trust_anchor_list) else S_STRLIST("trusted-keys-file:", trusted_keys_file_list) else S_STR("dlv-anchor-file:", dlv_anchor_file) else S_STRLIST("dlv-anchor:", dlv_anchor_list) else S_STRLIST("domain-insecure:", domain_insecure) else S_NUMBER_OR_ZERO("val-bogus-ttl:", bogus_ttl) else S_YNO("val-clean-additional:", val_clean_additional) else S_NUMBER_OR_ZERO("val-log-level:", val_log_level) else S_YNO("val-log-squelch:", val_log_squelch) else S_YNO("log-queries:", log_queries) else S_YNO("val-permissive-mode:", val_permissive_mode) else S_YNO("ignore-cd-flag:", ignore_cd) else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations) else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown) else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown) else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing) else S_MEMSIZE("key-cache-size:", key_cache_size) else S_POW2("key-cache-slabs:", key_cache_slabs) else S_MEMSIZE("neg-cache-size:", neg_cache_size) else S_YNO("minimal-responses:", minimal_responses) else S_YNO("rrset-roundrobin:", rrset_roundrobin) else S_STRLIST("local-data:", local_data) else S_YNO("unblock-lan-zones:", unblock_lan_zones) else S_YNO("control-enable:", remote_control_enable) else S_STRLIST("control-interface:", control_ifs) else S_NUMBER_NONZERO("control-port:", control_port) else S_STR("server-key-file:", server_key_file) else S_STR("server-cert-file:", server_cert_file) else S_STR("control-key-file:", control_key_file) else S_STR("control-cert-file:", control_cert_file) else S_STR("module-config:", module_conf) else S_STR("python-script:", python_script) /* val_sig_skew_min and max are copied into val_env during init, * so this does not update val_env with set_option */ else if(strcmp(opt, "val-sig-skew-min:") == 0) { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_min = (int32_t)atoi(val); } else if(strcmp(opt, "val-sig-skew-max:") == 0) { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); } else if (strcmp(opt, "outgoing-interface:") == 0) { char* d = strdup(val); char** oi = (char**)malloc((cfg->num_out_ifs+1)*sizeof(char*)); if(!d || !oi) { free(d); free(oi); return -1; } if(cfg->out_ifs && cfg->num_out_ifs) { memmove(oi, cfg->out_ifs, cfg->num_out_ifs*sizeof(char*)); free(cfg->out_ifs); } oi[cfg->num_out_ifs++] = d; cfg->out_ifs = oi; } else { /* unknown or unsupported (from the set_option interface): * interface, outgoing-interface, access-control, * stub-zone, name, stub-addr, stub-host, stub-prime * forward-first, stub-first, * forward-zone, name, forward-addr, forward-host */ return 0; } return 1; } void config_print_func(char* line, void* arg) { FILE* f = (FILE*)arg; (void)fprintf(f, "%s\n", line); } /** collate func arg */ struct config_collate_arg { /** list of result items */ struct config_strlist_head list; /** if a malloc error occurred, 0 is OK */ int status; }; void config_collate_func(char* line, void* arg) { struct config_collate_arg* m = (struct config_collate_arg*)arg; if(m->status) return; if(!cfg_strlist_append(&m->list, strdup(line))) m->status = 1; } int config_get_option_list(struct config_file* cfg, const char* opt, struct config_strlist** list) { struct config_collate_arg m; memset(&m, 0, sizeof(m)); *list = NULL; if(!config_get_option(cfg, opt, config_collate_func, &m)) return 1; if(m.status) { config_delstrlist(m.list.first); return 2; } *list = m.list.first; return 0; } int config_get_option_collate(struct config_file* cfg, const char* opt, char** str) { struct config_strlist* list = NULL; int r; *str = NULL; if((r = config_get_option_list(cfg, opt, &list)) != 0) return r; *str = config_collate_cat(list); config_delstrlist(list); if(!*str) return 2; return 0; } char* config_collate_cat(struct config_strlist* list) { size_t total = 0, left; struct config_strlist* s; char *r, *w; if(!list) /* no elements */ return strdup(""); if(list->next == NULL) /* one element , no newline at end. */ return strdup(list->str); /* count total length */ for(s=list; s; s=s->next) total += strlen(s->str) + 1; /* len + newline */ left = total+1; /* one extra for nul at end */ r = malloc(left); if(!r) return NULL; w = r; for(s=list; s; s=s->next) { size_t this = strlen(s->str); if(this+2 > left) { /* sanity check */ free(r); return NULL; } snprintf(w, left, "%s\n", s->str); this = strlen(w); w += this; left -= this; } return r; } /** compare and print decimal option */ #define O_DEC(opt, str, var) if(strcmp(opt, str)==0) \ {snprintf(buf, len, "%d", (int)cfg->var); \ func(buf, arg);} /** compare and print unsigned option */ #define O_UNS(opt, str, var) if(strcmp(opt, str)==0) \ {snprintf(buf, len, "%u", (unsigned)cfg->var); \ func(buf, arg);} /** compare and print yesno option */ #define O_YNO(opt, str, var) if(strcmp(opt, str)==0) \ {func(cfg->var?"yes":"no", arg);} /** compare and print string option */ #define O_STR(opt, str, var) if(strcmp(opt, str)==0) \ {func(cfg->var?cfg->var:"", arg);} /** compare and print array option */ #define O_IFC(opt, str, num, arr) if(strcmp(opt, str)==0) \ {int i; for(i=0; inum; i++) func(cfg->arr[i], arg);} /** compare and print memorysize option */ #define O_MEM(opt, str, var) if(strcmp(opt, str)==0) { \ if(cfg->var > 1024*1024*1024) { \ size_t f=cfg->var/(size_t)1000000, b=cfg->var%(size_t)1000000; \ snprintf(buf, len, "%u%6.6u\n", (unsigned)f, (unsigned)b); \ } else snprintf(buf, len, "%u\n", (unsigned)cfg->var); \ func(buf, arg);} /** compare and print list option */ #define O_LST(opt, name, lst) if(strcmp(opt, name)==0) { \ struct config_strlist* p = cfg->lst; \ for(p = cfg->lst; p; p = p->next) \ func(p->str, arg); \ } /** compare and print list option */ #define O_LS2(opt, name, lst) if(strcmp(opt, name)==0) { \ struct config_str2list* p = cfg->lst; \ for(p = cfg->lst; p; p = p->next) \ snprintf(buf, len, "%s %s\n", p->str, p->str2); \ func(buf, arg); \ } int config_get_option(struct config_file* cfg, const char* opt, void (*func)(char*,void*), void* arg) { char buf[1024]; size_t len = sizeof(buf); fptr_ok(fptr_whitelist_print_func(func)); O_DEC(opt, "verbosity", verbosity) else O_DEC(opt, "statistics-interval", stat_interval) else O_YNO(opt, "statistics-cumulative", stat_cumulative) else O_YNO(opt, "extended-statistics", stat_extended) else O_YNO(opt, "use-syslog", use_syslog) else O_YNO(opt, "log-time-ascii", log_time_ascii) else O_DEC(opt, "num-threads", num_threads) else O_IFC(opt, "interface", num_ifs, ifs) else O_IFC(opt, "outgoing-interface", num_out_ifs, out_ifs) else O_YNO(opt, "interface-automatic", if_automatic) else O_DEC(opt, "port", port) else O_DEC(opt, "outgoing-range", outgoing_num_ports) else O_DEC(opt, "outgoing-num-tcp", outgoing_num_tcp) else O_DEC(opt, "incoming-num-tcp", incoming_num_tcp) else O_DEC(opt, "edns-buffer-size", edns_buffer_size) else O_DEC(opt, "msg-buffer-size", msg_buffer_size) else O_MEM(opt, "msg-cache-size", msg_cache_size) else O_DEC(opt, "msg-cache-slabs", msg_cache_slabs) else O_DEC(opt, "num-queries-per-thread", num_queries_per_thread) else O_UNS(opt, "jostle-timeout", jostle_time) else O_MEM(opt, "so-rcvbuf", so_rcvbuf) else O_MEM(opt, "so-sndbuf", so_sndbuf) else O_YNO(opt, "so-reuseport", so_reuseport) else O_MEM(opt, "rrset-cache-size", rrset_cache_size) else O_DEC(opt, "rrset-cache-slabs", rrset_cache_slabs) else O_YNO(opt, "prefetch-key", prefetch_key) else O_YNO(opt, "prefetch", prefetch) else O_DEC(opt, "cache-max-ttl", max_ttl) else O_DEC(opt, "cache-min-ttl", min_ttl) else O_DEC(opt, "infra-host-ttl", host_ttl) else O_DEC(opt, "infra-cache-slabs", infra_cache_slabs) else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts) else O_UNS(opt, "delay-close", delay_close) else O_YNO(opt, "do-ip4", do_ip4) else O_YNO(opt, "do-ip6", do_ip6) else O_YNO(opt, "do-udp", do_udp) else O_YNO(opt, "do-tcp", do_tcp) else O_YNO(opt, "tcp-upstream", tcp_upstream) else O_YNO(opt, "ssl-upstream", ssl_upstream) else O_STR(opt, "ssl-service-key", ssl_service_key) else O_STR(opt, "ssl-service-pem", ssl_service_pem) else O_DEC(opt, "ssl-port", ssl_port) else O_YNO(opt, "do-daemonize", do_daemonize) else O_STR(opt, "chroot", chrootdir) else O_STR(opt, "username", username) else O_STR(opt, "directory", directory) else O_STR(opt, "logfile", logfile) else O_YNO(opt, "log-queries", log_queries) else O_STR(opt, "pidfile", pidfile) else O_YNO(opt, "hide-identity", hide_identity) else O_YNO(opt, "hide-version", hide_version) else O_STR(opt, "identity", identity) else O_STR(opt, "version", version) else O_STR(opt, "target-fetch-policy", target_fetch_policy) else O_YNO(opt, "harden-short-bufsize", harden_short_bufsize) else O_YNO(opt, "harden-large-queries", harden_large_queries) else O_YNO(opt, "harden-glue", harden_glue) else O_YNO(opt, "harden-dnssec-stripped", harden_dnssec_stripped) else O_YNO(opt, "harden-below-nxdomain", harden_below_nxdomain) else O_YNO(opt, "harden-referral-path", harden_referral_path) else O_YNO(opt, "use-caps-for-id", use_caps_bits_for_id) else O_DEC(opt, "unwanted-reply-threshold", unwanted_threshold) else O_YNO(opt, "do-not-query-localhost", donotquery_localhost) else O_STR(opt, "module-config", module_conf) else O_STR(opt, "dlv-anchor-file", dlv_anchor_file) else O_DEC(opt, "val-bogus-ttl", bogus_ttl) else O_YNO(opt, "val-clean-additional", val_clean_additional) else O_DEC(opt, "val-log-level", val_log_level) else O_YNO(opt, "val-permissive-mode", val_permissive_mode) else O_YNO(opt, "ignore-cd-flag", ignore_cd) else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations) else O_UNS(opt, "add-holddown", add_holddown) else O_UNS(opt, "del-holddown", del_holddown) else O_UNS(opt, "keep-missing", keep_missing) else O_MEM(opt, "key-cache-size", key_cache_size) else O_DEC(opt, "key-cache-slabs", key_cache_slabs) else O_MEM(opt, "neg-cache-size", neg_cache_size) else O_YNO(opt, "control-enable", remote_control_enable) else O_DEC(opt, "control-port", control_port) else O_STR(opt, "server-key-file", server_key_file) else O_STR(opt, "server-cert-file", server_cert_file) else O_STR(opt, "control-key-file", control_key_file) else O_STR(opt, "control-cert-file", control_cert_file) else O_LST(opt, "root-hints", root_hints) else O_LS2(opt, "access-control", acls) else O_LST(opt, "do-not-query-address", donotqueryaddrs) else O_LST(opt, "private-address", private_address) else O_LST(opt, "private-domain", private_domain) else O_LST(opt, "auto-trust-anchor-file", auto_trust_anchor_file_list) else O_LST(opt, "trust-anchor-file", trust_anchor_file_list) else O_LST(opt, "trust-anchor", trust_anchor_list) else O_LST(opt, "trusted-keys-file", trusted_keys_file_list) else O_LST(opt, "dlv-anchor", dlv_anchor_list) else O_LST(opt, "control-interface", control_ifs) else O_LST(opt, "domain-insecure", domain_insecure) else O_UNS(opt, "val-override-date", val_date_override) else O_YNO(opt, "minimal-responses", minimal_responses) else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin) else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones) else O_DEC(opt, "max-udp-size", max_udp_size) else O_STR(opt, "python-script", python_script) else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min) else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max) /* not here: * outgoing-permit, outgoing-avoid - have list of ports * local-zone - zones and nodefault variables * local-data - see below * local-data-ptr - converted to local-data entries * stub-zone, name, stub-addr, stub-host, stub-prime * forward-zone, name, forward-addr, forward-host */ else return 0; return 1; } /** initialize the global cfg_parser object */ static void create_cfg_parser(struct config_file* cfg, char* filename, const char* chroot) { static struct config_parser_state st; cfg_parser = &st; cfg_parser->filename = filename; cfg_parser->line = 1; cfg_parser->errors = 0; cfg_parser->cfg = cfg; cfg_parser->chroot = chroot; init_cfg_parse(); } int config_read(struct config_file* cfg, const char* filename, const char* chroot) { FILE *in; char *fname = (char*)filename; #ifdef HAVE_GLOB glob_t g; size_t i; int r, flags; #endif if(!fname) return 1; /* check for wildcards */ #ifdef HAVE_GLOB if(!(!strchr(fname, '*') && !strchr(fname, '?') && !strchr(fname, '[') && !strchr(fname, '{') && !strchr(fname, '~'))) { verbose(VERB_QUERY, "wildcard found, processing %s", fname); flags = 0 #ifdef GLOB_ERR | GLOB_ERR #endif #ifdef GLOB_NOSORT | GLOB_NOSORT #endif #ifdef GLOB_BRACE | GLOB_BRACE #endif #ifdef GLOB_TILDE | GLOB_TILDE #endif ; memset(&g, 0, sizeof(g)); r = glob(fname, flags, NULL, &g); if(r) { /* some error */ globfree(&g); if(r == GLOB_NOMATCH) { verbose(VERB_QUERY, "include: " "no matches for %s", fname); return 1; } else if(r == GLOB_NOSPACE) { log_err("include: %s: " "fnametern out of memory", fname); } else if(r == GLOB_ABORTED) { log_err("wildcard include: %s: expansion " "aborted (%s)", fname, strerror(errno)); } else { log_err("wildcard include: %s: expansion " "failed (%s)", fname, strerror(errno)); } /* ignore globs that yield no files */ return 1; } /* process files found, if any */ for(i=0; i<(size_t)g.gl_pathc; i++) { if(!config_read(cfg, g.gl_pathv[i], chroot)) { log_err("error reading wildcard " "include: %s", g.gl_pathv[i]); globfree(&g); return 0; } } globfree(&g); return 1; } #endif /* HAVE_GLOB */ in = fopen(fname, "r"); if(!in) { log_err("Could not open %s: %s", fname, strerror(errno)); return 0; } create_cfg_parser(cfg, fname, chroot); ub_c_in = in; ub_c_parse(); fclose(in); if(cfg_parser->errors != 0) { fprintf(stderr, "read %s failed: %d errors in configuration file\n", fname, cfg_parser->errors); errno=EINVAL; return 0; } + +#ifdef HAVE_GETPWNAM + /* translate username into uid and gid */ + if(cfg->username && cfg->username[0]) { + struct passwd *pwd; + if((pwd = getpwnam(cfg->username)) == NULL) + log_err("user '%s' does not exist.", cfg->username); + cfg->uid = pwd->pw_uid; + cfg->gid = pwd->pw_gid; + } +#endif return 1; } void config_delstrlist(struct config_strlist* p) { struct config_strlist *np; while(p) { np = p->next; free(p->str); free(p); p = np; } } void config_deldblstrlist(struct config_str2list* p) { struct config_str2list *np; while(p) { np = p->next; free(p->str); free(p->str2); free(p); p = np; } } void config_delstubs(struct config_stub* p) { struct config_stub* np; while(p) { np = p->next; free(p->name); config_delstrlist(p->hosts); config_delstrlist(p->addrs); free(p); p = np; } } void config_delete(struct config_file* cfg) { if(!cfg) return; free(cfg->username); free(cfg->chrootdir); free(cfg->directory); free(cfg->logfile); free(cfg->pidfile); free(cfg->target_fetch_policy); free(cfg->ssl_service_key); free(cfg->ssl_service_pem); if(cfg->ifs) { int i; for(i=0; inum_ifs; i++) free(cfg->ifs[i]); free(cfg->ifs); } if(cfg->out_ifs) { int i; for(i=0; inum_out_ifs; i++) free(cfg->out_ifs[i]); free(cfg->out_ifs); } config_delstubs(cfg->stubs); config_delstubs(cfg->forwards); config_delstrlist(cfg->donotqueryaddrs); config_delstrlist(cfg->root_hints); free(cfg->identity); free(cfg->version); free(cfg->module_conf); free(cfg->outgoing_avail_ports); config_delstrlist(cfg->private_address); config_delstrlist(cfg->private_domain); config_delstrlist(cfg->auto_trust_anchor_file_list); config_delstrlist(cfg->trust_anchor_file_list); config_delstrlist(cfg->trusted_keys_file_list); config_delstrlist(cfg->trust_anchor_list); config_delstrlist(cfg->domain_insecure); free(cfg->dlv_anchor_file); config_delstrlist(cfg->dlv_anchor_list); config_deldblstrlist(cfg->acls); free(cfg->val_nsec3_key_iterations); config_deldblstrlist(cfg->local_zones); config_delstrlist(cfg->local_zones_nodefault); config_delstrlist(cfg->local_data); config_delstrlist(cfg->control_ifs); free(cfg->server_key_file); free(cfg->server_cert_file); free(cfg->control_key_file); free(cfg->control_cert_file); free(cfg->dnstap_socket_path); free(cfg->dnstap_identity); free(cfg->dnstap_version); free(cfg); } static void init_outgoing_availports(int* a, int num) { /* generated with make iana_update */ const int iana_assigned[] = { #include "util/iana_ports.inc" -1 }; /* end marker to put behind trailing comma */ int i; /* do not use <1024, that could be trouble with the system, privs */ for(i=1024; i= (int)sizeof(buf) ) { log_err("cannot parse port number '%s'", str); return 0; } if(mid > str) memcpy(buf, str, (size_t)(mid-str)); buf[mid-str] = 0; low = atoi(buf); if(low == 0 && strcmp(buf, "0") != 0) { log_err("cannot parse port number '%s'", buf); return 0; } for(i=low; i<=high; i++) { if(i < num) avail[i] = (allow?i:0); } return 1; } return 1; } int cfg_scan_ports(int* avail, int num) { int i; int count = 0; for(i=0; ioutgoing_avail_ports, 65536); int i, at = 0; *avail = NULL; if(num == 0) return 0; *avail = (int*)malloc(sizeof(int)*num); if(!*avail) return 0; for(i=0; i<65536; i++) { if(cfg->outgoing_avail_ports[i]) (*avail)[at++] = cfg->outgoing_avail_ports[i]; } log_assert(at == num); return num; } /** print error with file and line number */ static void ub_c_error_va_list(const char *fmt, va_list args) { cfg_parser->errors++; fprintf(stderr, "%s:%d: error: ", cfg_parser->filename, cfg_parser->line); vfprintf(stderr, fmt, args); fprintf(stderr, "\n"); } /** print error with file and line number */ void ub_c_error_msg(const char* fmt, ...) { va_list args; va_start(args, fmt); ub_c_error_va_list(fmt, args); va_end(args); } void ub_c_error(const char *str) { cfg_parser->errors++; fprintf(stderr, "%s:%d: error: %s\n", cfg_parser->filename, cfg_parser->line, str); } int ub_c_wrap(void) { return 1; } int cfg_strlist_append(struct config_strlist_head* list, char* item) { struct config_strlist *s; if(!item || !list) return 0; s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist)); if(!s) return 0; s->str = item; s->next = NULL; if(list->last) list->last->next = s; else list->first = s; list->last = s; return 1; } int cfg_strlist_insert(struct config_strlist** head, char* item) { struct config_strlist *s; if(!item || !head) return 0; s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist)); if(!s) return 0; s->str = item; s->next = *head; *head = s; return 1; } int cfg_str2list_insert(struct config_str2list** head, char* item, char* i2) { struct config_str2list *s; if(!item || !i2 || !head) return 0; s = (struct config_str2list*)calloc(1, sizeof(struct config_str2list)); if(!s) return 0; s->str = item; s->str2 = i2; s->next = *head; *head = s; return 1; } time_t cfg_convert_timeval(const char* str) { time_t t; struct tm tm; memset(&tm, 0, sizeof(tm)); if(strlen(str) < 14) return 0; if(sscanf(str, "%4d%2d%2d%2d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) return 0; tm.tm_year -= 1900; tm.tm_mon--; /* Check values */ if (tm.tm_year < 70) return 0; if (tm.tm_mon < 0 || tm.tm_mon > 11) return 0; if (tm.tm_mday < 1 || tm.tm_mday > 31) return 0; if (tm.tm_hour < 0 || tm.tm_hour > 23) return 0; if (tm.tm_min < 0 || tm.tm_min > 59) return 0; if (tm.tm_sec < 0 || tm.tm_sec > 59) return 0; /* call ldns conversion function */ t = sldns_mktime_from_utc(&tm); return t; } int cfg_count_numbers(const char* s) { /* format ::= (sp num)+ sp */ /* num ::= [-](0-9)+ */ /* sp ::= (space|tab)* */ int num = 0; while(*s) { while(*s && isspace((unsigned char)*s)) s++; if(!*s) /* end of string */ break; if(*s == '-') s++; if(!*s) /* only - not allowed */ return 0; if(!isdigit((unsigned char)*s)) /* bad character */ return 0; while(*s && isdigit((unsigned char)*s)) s++; num++; } return num; } /** all digit number */ static int isalldigit(const char* str, size_t l) { size_t i; for(i=0; i0 && str[len-1]==' ') len--; if(len > 1 && str[len-1] == 'b') len--; else if(len > 1 && str[len-1] == 'B') len--; if(len > 1 && tolower((unsigned char)str[len-1]) == 'g') mult = 1024*1024*1024; else if(len > 1 && tolower((unsigned char)str[len-1]) == 'm') mult = 1024*1024; else if(len > 1 && tolower((unsigned char)str[len-1]) == 'k') mult = 1024; else if(len > 0 && isdigit((unsigned char)str[len-1])) mult = 1; else { log_err("unknown size specifier: '%s'", str); return 0; } while(len>1 && str[len-2]==' ') len--; if(!isalldigit(str, len-1)) { log_err("unknown size specifier: '%s'", str); return 0; } *res = ((size_t)atol(str)) * mult; return 1; } void config_apply(struct config_file* config) { MAX_TTL = (time_t)config->max_ttl; MIN_TTL = (time_t)config->min_ttl; EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size; MINIMAL_RESPONSES = config->minimal_responses; RRSET_ROUNDROBIN = config->rrset_roundrobin; log_set_time_asc(config->log_time_ascii); } /** * Calculate string length of full pathname in original filesys * @param fname: the path name to convert. * Must not be null or empty. * @param cfg: config struct for chroot and chdir (if set). * @param use_chdir: if false, only chroot is applied. * @return length of string. * remember to allocate one more for 0 at end in mallocs. */ static size_t strlen_after_chroot(const char* fname, struct config_file* cfg, int use_chdir) { size_t len = 0; int slashit = 0; if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(cfg->chrootdir, fname, strlen(cfg->chrootdir)) == 0) { /* already full pathname, return it */ return strlen(fname); } /* chroot */ if(cfg->chrootdir && cfg->chrootdir[0]) { /* start with chrootdir */ len += strlen(cfg->chrootdir); slashit = 1; } /* chdir */ #ifdef UB_ON_WINDOWS if(fname[0] != 0 && fname[1] == ':') { /* full path, no chdir */ } else #endif if(fname[0] == '/' || !use_chdir) { /* full path, no chdir */ } else if(cfg->directory && cfg->directory[0]) { /* prepend chdir */ if(slashit && cfg->directory[0] != '/') len++; if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(cfg->chrootdir, cfg->directory, strlen(cfg->chrootdir)) == 0) len += strlen(cfg->directory)-strlen(cfg->chrootdir); else len += strlen(cfg->directory); slashit = 1; } /* fname */ if(slashit && fname[0] != '/') len++; len += strlen(fname); return len; } char* fname_after_chroot(const char* fname, struct config_file* cfg, int use_chdir) { size_t len = strlen_after_chroot(fname, cfg, use_chdir)+1; int slashit = 0; char* buf = (char*)malloc(len); if(!buf) return NULL; buf[0] = 0; /* is fname already in chroot ? */ if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(cfg->chrootdir, fname, strlen(cfg->chrootdir)) == 0) { /* already full pathname, return it */ (void)strlcpy(buf, fname, len); buf[len-1] = 0; return buf; } /* chroot */ if(cfg->chrootdir && cfg->chrootdir[0]) { /* start with chrootdir */ (void)strlcpy(buf, cfg->chrootdir, len); slashit = 1; } #ifdef UB_ON_WINDOWS if(fname[0] != 0 && fname[1] == ':') { /* full path, no chdir */ } else #endif /* chdir */ if(fname[0] == '/' || !use_chdir) { /* full path, no chdir */ } else if(cfg->directory && cfg->directory[0]) { /* prepend chdir */ if(slashit && cfg->directory[0] != '/') (void)strlcat(buf, "/", len); /* is the directory already in the chroot? */ if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(cfg->chrootdir, cfg->directory, strlen(cfg->chrootdir)) == 0) (void)strlcat(buf, cfg->directory+strlen(cfg->chrootdir), len); else (void)strlcat(buf, cfg->directory, len); slashit = 1; } /* fname */ if(slashit && fname[0] != '/') (void)strlcat(buf, "/", len); (void)strlcat(buf, fname, len); buf[len-1] = 0; return buf; } /** return next space character in string */ static char* next_space_pos(const char* str) { char* sp = strchr(str, ' '); char* tab = strchr(str, '\t'); if(!tab && !sp) return NULL; if(!sp) return tab; if(!tab) return sp; return (sptab)?sp:tab; } int cfg_parse_local_zone(struct config_file* cfg, const char* val) { const char *type, *name_end, *name; char buf[256]; /* parse it as: [zone_name] [between stuff] [zone_type] */ name = val; while(*name && isspace((unsigned char)*name)) name++; if(!*name) { log_err("syntax error: too short: %s", val); return 0; } name_end = next_space_pos(name); if(!name_end || !*name_end) { log_err("syntax error: expected zone type: %s", val); return 0; } if (name_end - name > 255) { log_err("syntax error: bad zone name: %s", val); return 0; } (void)strlcpy(buf, name, sizeof(buf)); buf[name_end-name] = '\0'; type = last_space_pos(name_end); while(type && *type && isspace((unsigned char)*type)) type++; if(!type || !*type) { log_err("syntax error: expected zone type: %s", val); return 0; } if(strcmp(type, "nodefault")==0) { return cfg_strlist_insert(&cfg->local_zones_nodefault, strdup(name)); } else { return cfg_str2list_insert(&cfg->local_zones, strdup(buf), strdup(type)); } } char* cfg_ptr_reverse(char* str) { char* ip, *ip_end; char* name; char* result; char buf[1024]; struct sockaddr_storage addr; socklen_t addrlen; /* parse it as: [IP] [between stuff] [name] */ ip = str; while(*ip && isspace((unsigned char)*ip)) ip++; if(!*ip) { log_err("syntax error: too short: %s", str); return NULL; } ip_end = next_space_pos(ip); if(!ip_end || !*ip_end) { log_err("syntax error: expected name: %s", str); return NULL; } name = last_space_pos(ip_end); if(!name || !*name) { log_err("syntax error: expected name: %s", str); return NULL; } sscanf(ip, "%100s", buf); buf[sizeof(buf)-1]=0; if(!ipstrtoaddr(buf, UNBOUND_DNS_PORT, &addr, &addrlen)) { log_err("syntax error: cannot parse address: %s", str); return NULL; } /* reverse IPv4: * ddd.ddd.ddd.ddd.in-addr-arpa. * IPv6: (h.){32}.ip6.arpa. */ if(addr_is_ip6(&addr, addrlen)) { uint8_t ad[16]; const char* hex = "0123456789abcdef"; char *p = buf; int i; memmove(ad, &((struct sockaddr_in6*)&addr)->sin6_addr, sizeof(ad)); for(i=15; i>=0; i--) { uint8_t b = ad[i]; *p++ = hex[ (b&0x0f) ]; *p++ = '.'; *p++ = hex[ (b&0xf0) >> 4 ]; *p++ = '.'; } snprintf(buf+16*4, sizeof(buf)-16*4, "ip6.arpa. "); } else { uint8_t ad[4]; memmove(ad, &((struct sockaddr_in*)&addr)->sin_addr, sizeof(ad)); snprintf(buf, sizeof(buf), "%u.%u.%u.%u.in-addr.arpa. ", (unsigned)ad[3], (unsigned)ad[2], (unsigned)ad[1], (unsigned)ad[0]); } /* printed the reverse address, now the between goop and name on end */ while(*ip_end && isspace((unsigned char)*ip_end)) ip_end++; if(name>ip_end) { snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), "%.*s", (int)(name-ip_end), ip_end); } snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), " PTR %s", name); result = strdup(buf); if(!result) { log_err("out of memory parsing %s", str); return NULL; } return result; } #ifdef UB_ON_WINDOWS char* w_lookup_reg_str(const char* key, const char* name) { HKEY hk = NULL; DWORD type = 0; BYTE buf[1024]; DWORD len = (DWORD)sizeof(buf); LONG ret; char* result = NULL; ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, key, 0, KEY_READ, &hk); if(ret == ERROR_FILE_NOT_FOUND) return NULL; /* key does not exist */ else if(ret != ERROR_SUCCESS) { log_err("RegOpenKeyEx failed"); return NULL; } ret = RegQueryValueEx(hk, (LPCTSTR)name, 0, &type, buf, &len); if(RegCloseKey(hk)) log_err("RegCloseKey"); if(ret == ERROR_FILE_NOT_FOUND) return NULL; /* name does not exist */ else if(ret != ERROR_SUCCESS) { log_err("RegQueryValueEx failed"); return NULL; } if(type == REG_SZ || type == REG_MULTI_SZ || type == REG_EXPAND_SZ) { buf[sizeof(buf)-1] = 0; buf[sizeof(buf)-2] = 0; /* for multi_sz */ result = strdup((char*)buf); if(!result) log_err("out of memory"); } return result; } #endif /* UB_ON_WINDOWS */ void errinf(struct module_qstate* qstate, const char* str) { struct config_strlist* p; if(qstate->env->cfg->val_log_level < 2 || !str) return; p = (struct config_strlist*)regional_alloc(qstate->region, sizeof(*p)); if(!p) { log_err("malloc failure in validator-error-info string"); return; } p->next = NULL; p->str = regional_strdup(qstate->region, str); if(!p->str) { log_err("malloc failure in validator-error-info string"); return; } /* add at end */ if(qstate->errinf) { struct config_strlist* q = qstate->errinf; while(q->next) q = q->next; q->next = p; } else qstate->errinf = p; } void errinf_origin(struct module_qstate* qstate, struct sock_list *origin) { struct sock_list* p; if(qstate->env->cfg->val_log_level < 2) return; for(p=origin; p; p=p->next) { char buf[256]; if(p == origin) snprintf(buf, sizeof(buf), "from "); else snprintf(buf, sizeof(buf), "and "); if(p->len == 0) snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), "cache"); else addr_to_str(&p->addr, p->len, buf+strlen(buf), sizeof(buf)-strlen(buf)); errinf(qstate, buf); } } char* errinf_to_str(struct module_qstate* qstate) { char buf[20480]; char* p = buf; size_t left = sizeof(buf); struct config_strlist* s; char dname[LDNS_MAX_DOMAINLEN+1]; char t[16], c[16]; sldns_wire2str_type_buf(qstate->qinfo.qtype, t, sizeof(t)); sldns_wire2str_class_buf(qstate->qinfo.qclass, c, sizeof(c)); dname_str(qstate->qinfo.qname, dname); snprintf(p, left, "validation failure <%s %s %s>:", dname, t, c); left -= strlen(p); p += strlen(p); if(!qstate->errinf) snprintf(p, left, " misc failure"); else for(s=qstate->errinf; s; s=s->next) { snprintf(p, left, " %s", s->str); left -= strlen(p); p += strlen(p); } p = strdup(buf); if(!p) log_err("malloc failure in errinf_to_str"); return p; } void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr) { char buf[1024]; char dname[LDNS_MAX_DOMAINLEN+1]; char t[16], c[16]; if(qstate->env->cfg->val_log_level < 2 || !rr) return; sldns_wire2str_type_buf(ntohs(rr->rk.type), t, sizeof(t)); sldns_wire2str_class_buf(ntohs(rr->rk.rrset_class), c, sizeof(c)); dname_str(rr->rk.dname, dname); snprintf(buf, sizeof(buf), "for <%s %s %s>", dname, t, c); errinf(qstate, buf); } void errinf_dname(struct module_qstate* qstate, const char* str, uint8_t* dname) { char b[1024]; char buf[LDNS_MAX_DOMAINLEN+1]; if(qstate->env->cfg->val_log_level < 2 || !str || !dname) return; dname_str(dname, buf); snprintf(b, sizeof(b), "%s %s", str, buf); errinf(qstate, b); } Index: head/contrib/unbound/util/config_file.h =================================================================== --- head/contrib/unbound/util/config_file.h (revision 276698) +++ head/contrib/unbound/util/config_file.h (revision 276699) @@ -1,704 +1,708 @@ /* * util/config_file.h - reads and stores the config file for unbound. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * This file contains functions for the config file. */ #ifndef UTIL_CONFIG_FILE_H #define UTIL_CONFIG_FILE_H struct config_stub; struct config_strlist; struct config_str2list; struct module_qstate; struct sock_list; struct ub_packed_rrset_key; /** * The configuration options. * Strings are malloced. */ struct config_file { /** verbosity level as specified in the config file */ int verbosity; /** statistics interval (in seconds) */ int stat_interval; /** if false, statistics values are reset after printing them */ int stat_cumulative; /** if true, the statistics are kept in greater detail */ int stat_extended; /** number of threads to create */ int num_threads; /** port on which queries are answered. */ int port; /** do ip4 query support. */ int do_ip4; /** do ip6 query support. */ int do_ip6; /** do udp query support. */ int do_udp; /** do tcp query support. */ int do_tcp; /** tcp upstream queries (no UDP upstream queries) */ int tcp_upstream; /** private key file for dnstcp-ssl service (enabled if not NULL) */ char* ssl_service_key; /** public key file for dnstcp-ssl service */ char* ssl_service_pem; /** port on which to provide ssl service */ int ssl_port; /** if outgoing tcp connections use SSL */ int ssl_upstream; /** outgoing port range number of ports (per thread) */ int outgoing_num_ports; /** number of outgoing tcp buffers per (per thread) */ size_t outgoing_num_tcp; /** number of incoming tcp buffers per (per thread) */ size_t incoming_num_tcp; /** allowed udp port numbers, array with 0 if not allowed */ int* outgoing_avail_ports; /** EDNS buffer size to use */ size_t edns_buffer_size; /** number of bytes buffer size for DNS messages */ size_t msg_buffer_size; /** size of the message cache */ size_t msg_cache_size; /** slabs in the message cache. */ size_t msg_cache_slabs; /** number of queries every thread can service */ size_t num_queries_per_thread; /** number of msec to wait before items can be jostled out */ size_t jostle_time; /** size of the rrset cache */ size_t rrset_cache_size; /** slabs in the rrset cache */ size_t rrset_cache_slabs; /** host cache ttl in seconds */ int host_ttl; /** number of slabs in the infra host cache */ size_t infra_cache_slabs; /** max number of hosts in the infra cache */ size_t infra_cache_numhosts; /** delay close of udp-timeouted ports, if 0 no delayclose. in msec */ int delay_close; /** the target fetch policy for the iterator */ char* target_fetch_policy; /** automatic interface for incoming messages. Uses ipv6 remapping, * and recvmsg/sendmsg ancillary data to detect interfaces, boolean */ int if_automatic; /** SO_RCVBUF size to set on port 53 UDP socket */ size_t so_rcvbuf; /** SO_SNDBUF size to set on port 53 UDP socket */ size_t so_sndbuf; /** SO_REUSEPORT requested on port 53 sockets */ int so_reuseport; /** number of interfaces to open. If 0 default all interfaces. */ int num_ifs; /** interface description strings (IP addresses) */ char **ifs; /** number of outgoing interfaces to open. * If 0 default all interfaces. */ int num_out_ifs; /** outgoing interface description strings (IP addresses) */ char **out_ifs; /** the root hints */ struct config_strlist* root_hints; /** the stub definitions, linked list */ struct config_stub* stubs; /** the forward zone definitions, linked list */ struct config_stub* forwards; /** list of donotquery addresses, linked list */ struct config_strlist* donotqueryaddrs; /** list of access control entries, linked list */ struct config_str2list* acls; /** use default localhost donotqueryaddr entries */ int donotquery_localhost; /** harden against very small edns buffer sizes */ int harden_short_bufsize; /** harden against very large query sizes */ int harden_large_queries; /** harden against spoofed glue (out of zone data) */ int harden_glue; /** harden against receiving no DNSSEC data for trust anchor */ int harden_dnssec_stripped; /** harden against queries that fall under known nxdomain names */ int harden_below_nxdomain; /** harden the referral path, query for NS,A,AAAA and validate */ int harden_referral_path; /** use 0x20 bits in query as random ID bits */ int use_caps_bits_for_id; /** strip away these private addrs from answers, no DNS Rebinding */ struct config_strlist* private_address; /** allow domain (and subdomains) to use private address space */ struct config_strlist* private_domain; /** what threshold for unwanted action. */ size_t unwanted_threshold; /** the number of seconds maximal TTL used for RRsets and messages */ int max_ttl; /** the number of seconds minimum TTL used for RRsets and messages */ int min_ttl; /** if prefetching of messages should be performed. */ int prefetch; /** if prefetching of DNSKEYs should be performed. */ int prefetch_key; /** chrootdir, if not "" or chroot will be done */ char* chrootdir; /** username to change to, if not "". */ char* username; + uid_t uid; + gid_t gid; /** working directory */ char* directory; /** filename to log to. */ char* logfile; /** pidfile to write pid to. */ char* pidfile; /** should log messages be sent to syslogd */ int use_syslog; /** log timestamp in ascii UTC */ int log_time_ascii; /** log queries with one line per query */ int log_queries; /** do not report identity (id.server, hostname.bind) */ int hide_identity; /** do not report version (version.server, version.bind) */ int hide_version; /** identity, hostname is returned if "". */ char* identity; /** version, package version returned if "". */ char* version; /** the module configuration string */ char* module_conf; /** files with trusted DS and DNSKEYs in zonefile format, list */ struct config_strlist* trust_anchor_file_list; /** list of trustanchor keys, linked list */ struct config_strlist* trust_anchor_list; /** files with 5011 autotrust tracked keys */ struct config_strlist* auto_trust_anchor_file_list; /** files with trusted DNSKEYs in named.conf format, list */ struct config_strlist* trusted_keys_file_list; /** DLV anchor file */ char* dlv_anchor_file; /** DLV anchor inline */ struct config_strlist* dlv_anchor_list; /** insecure domain list */ struct config_strlist* domain_insecure; /** if not 0, this value is the validation date for RRSIGs */ int32_t val_date_override; /** the minimum for signature clock skew */ int32_t val_sig_skew_min; /** the maximum for signature clock skew */ int32_t val_sig_skew_max; /** this value sets the number of seconds before revalidating bogus */ int bogus_ttl; /** should validator clean additional section for secure msgs */ int val_clean_additional; /** log bogus messages by the validator */ int val_log_level; /** squelch val_log_level to log - this is library goes to callback */ int val_log_squelch; /** should validator allow bogus messages to go through */ int val_permissive_mode; /** ignore the CD flag in incoming queries and refuse them bogus data */ int ignore_cd; /** nsec3 maximum iterations per key size, string */ char* val_nsec3_key_iterations; /** autotrust add holddown time, in seconds */ unsigned int add_holddown; /** autotrust del holddown time, in seconds */ unsigned int del_holddown; /** autotrust keep_missing time, in seconds. 0 is forever. */ unsigned int keep_missing; /** size of the key cache */ size_t key_cache_size; /** slabs in the key cache. */ size_t key_cache_slabs; /** size of the neg cache */ size_t neg_cache_size; /** local zones config */ struct config_str2list* local_zones; /** local zones nodefault list */ struct config_strlist* local_zones_nodefault; /** local data RRs configged */ struct config_strlist* local_data; /** unblock lan zones (reverse lookups for 10/8 and so on) */ int unblock_lan_zones; /** remote control section. enable toggle. */ int remote_control_enable; /** the interfaces the remote control should listen on */ struct config_strlist* control_ifs; /** port number for the control port */ int control_port; + /** use certificates for remote control */ + int remote_control_use_cert; /** private key file for server */ char* server_key_file; /** certificate file for server */ char* server_cert_file; /** private key file for unbound-control */ char* control_key_file; /** certificate file for unbound-control */ char* control_cert_file; /** Python script file */ char* python_script; /** daemonize, i.e. fork into the background. */ int do_daemonize; /* minimal response when positive answer */ int minimal_responses; /* RRSet roundrobin */ int rrset_roundrobin; /* maximum UDP response size */ size_t max_udp_size; /* DNS64 prefix */ char* dns64_prefix; /* Synthetize all AAAA record despite the presence of an authoritative one */ int dns64_synthall; /** true to enable dnstap support */ int dnstap; /** dnstap socket path */ char* dnstap_socket_path; /** true to send "identity" via dnstap */ int dnstap_send_identity; /** true to send "version" via dnstap */ int dnstap_send_version; /** dnstap "identity", hostname is used if "". */ char* dnstap_identity; /** dnstap "version", package version is used if "". */ char* dnstap_version; /** true to log dnstap RESOLVER_QUERY message events */ int dnstap_log_resolver_query_messages; /** true to log dnstap RESOLVER_RESPONSE message events */ int dnstap_log_resolver_response_messages; /** true to log dnstap CLIENT_QUERY message events */ int dnstap_log_client_query_messages; /** true to log dnstap CLIENT_RESPONSE message events */ int dnstap_log_client_response_messages; /** true to log dnstap FORWARDER_QUERY message events */ int dnstap_log_forwarder_query_messages; /** true to log dnstap FORWARDER_RESPONSE message events */ int dnstap_log_forwarder_response_messages; }; /** * Stub config options */ struct config_stub { /** next in list */ struct config_stub* next; /** domain name (in text) of the stub apex domain */ char* name; /** list of stub nameserver hosts (domain name) */ struct config_strlist* hosts; /** list of stub nameserver addresses (IP address) */ struct config_strlist* addrs; /** if stub-prime is set */ int isprime; /** if forward-first is set (failover to without if fails) */ int isfirst; }; /** * List of strings for config options */ struct config_strlist { /** next item in list */ struct config_strlist* next; /** config option string */ char* str; }; /** * List of two strings for config options */ struct config_str2list { /** next item in list */ struct config_str2list* next; /** first string */ char* str; /** second string */ char* str2; }; /** List head for strlist processing, used for append operation. */ struct config_strlist_head { /** first in list of text items */ struct config_strlist* first; /** last in list of text items */ struct config_strlist* last; }; /** * Create config file structure. Filled with default values. * @return: the new structure or NULL on memory error. */ struct config_file* config_create(void); /** * Create config file structure for library use. Filled with default values. * @return: the new structure or NULL on memory error. */ struct config_file* config_create_forlib(void); /** * Read the config file from the specified filename. * @param config: where options are stored into, must be freshly created. * @param filename: name of configfile. If NULL nothing is done. * @param chroot: if not NULL, the chroot dir currently in use (for include). * @return: false on error. In that case errno is set, ENOENT means * file not found. */ int config_read(struct config_file* config, const char* filename, const char* chroot); /** * Destroy the config file structure. * @param config: to delete. */ void config_delete(struct config_file* config); /** * Apply config to global constants; this routine is called in single thread. * @param config: to apply. Side effect: global constants change. */ void config_apply(struct config_file* config); /** * Set the given keyword to the given value. * @param config: where to store config * @param option: option name, including the ':' character. * @param value: value, this string is copied if needed, or parsed. * The caller owns the value string. * @return 0 on error (malloc or syntax error). */ int config_set_option(struct config_file* config, const char* option, const char* value); /** * Call print routine for the given option. * @param cfg: config. * @param opt: option name without trailing :. * This is different from config_set_option. * @param func: print func, called as (str, arg) for every data element. * @param arg: user argument for print func. * @return false if the option name is not supported (syntax error). */ int config_get_option(struct config_file* cfg, const char* opt, void (*func)(char*,void*), void* arg); /** * Get an option and return strlist * @param cfg: config file * @param opt: option name. * @param list: list is returned here. malloced, caller must free it. * @return 0=OK, 1=syntax error, 2=malloc failed. */ int config_get_option_list(struct config_file* cfg, const char* opt, struct config_strlist** list); /** * Get an option and collate results into string * @param cfg: config file * @param opt: option name. * @param str: string. malloced, caller must free it. * @return 0=OK, 1=syntax error, 2=malloc failed. */ int config_get_option_collate(struct config_file* cfg, const char* opt, char** str); /** * function to print to a file, use as func with config_get_option. * @param line: text to print. \n appended. * @param arg: pass a FILE*, like stdout. */ void config_print_func(char* line, void* arg); /** * function to collate the text strings into a strlist_head. * @param line: text to append. * @param arg: pass a strlist_head structure. zeroed on start. */ void config_collate_func(char* line, void* arg); /** * take a strlist_head list and return a malloc string. separated with newline. * @param list: strlist first to collate. zeroes return "". * @return NULL on malloc failure. Or if malloc failure happened in strlist. */ char* config_collate_cat(struct config_strlist* list); /** * Append text at end of list. * @param list: list head. zeroed at start. * @param item: new item. malloced by caller. if NULL the insertion fails. * @return true on success. */ int cfg_strlist_append(struct config_strlist_head* list, char* item); /** * Insert string into strlist. * @param head: pointer to strlist head variable. * @param item: new item. malloced by caller. If NULL the insertion fails. * @return: true on success. */ int cfg_strlist_insert(struct config_strlist** head, char* item); /** * Insert string into str2list. * @param head: pointer to str2list head variable. * @param item: new item. malloced by caller. If NULL the insertion fails. * @param i2: 2nd string, malloced by caller. If NULL the insertion fails. * @return: true on success. */ int cfg_str2list_insert(struct config_str2list** head, char* item, char* i2); /** * Delete items in config string list. * @param list: list. */ void config_delstrlist(struct config_strlist* list); /** * Delete items in config double string list. * @param list: list. */ void config_deldblstrlist(struct config_str2list* list); /** * Delete items in config stub list. * @param list: list. */ void config_delstubs(struct config_stub* list); /** * Convert 14digit to time value * @param str: string of 14 digits * @return time value or 0 for error. */ time_t cfg_convert_timeval(const char* str); /** * Count number of values in the string. * format ::= (sp num)+ sp * num ::= [-](0-9)+ * sp ::= (space|tab)* * * @param str: string * @return: 0 on parse error, or empty string, else * number of integer values in the string. */ int cfg_count_numbers(const char* str); /** * Convert a 'nice' memory or file size into a bytecount * From '100k' to 102400. and so on. Understands kKmMgG. * k=1024, m=1024*1024, g=1024*1024*1024. * @param str: string * @param res: result is stored here, size in bytes. * @return: true if parsed correctly, or 0 on a parse error (and an error * is logged). */ int cfg_parse_memsize(const char* str, size_t* res); /** * Parse local-zone directive into two strings and register it in the config. * @param cfg: to put it in. * @param val: argument strings to local-zone, "example.com nodefault". * @return: false on failure */ int cfg_parse_local_zone(struct config_file* cfg, const char* val); /** * Mark "number" or "low-high" as available or not in ports array. * @param str: string in input * @param allow: give true if this range is permitted. * @param avail: the array from cfg. * @param num: size of the array (65536). * @return: true if parsed correctly, or 0 on a parse error (and an error * is logged). */ int cfg_mark_ports(const char* str, int allow, int* avail, int num); /** * Get a condensed list of ports returned. allocated. * @param cfg: config file. * @param avail: the available ports array is returned here. * @return: number of ports in array or 0 on error. */ int cfg_condense_ports(struct config_file* cfg, int** avail); /** * Scan ports available * @param avail: the array from cfg. * @param num: size of the array (65536). * @return the number of ports available for use. */ int cfg_scan_ports(int* avail, int num); /** * Convert a filename to full pathname in original filesys * @param fname: the path name to convert. * Must not be null or empty. * @param cfg: config struct for chroot and chdir (if set). * @param use_chdir: if false, only chroot is applied. * @return pointer to malloced buffer which is: [chroot][chdir]fname * or NULL on malloc failure. */ char* fname_after_chroot(const char* fname, struct config_file* cfg, int use_chdir); /** * Convert a ptr shorthand into a full reverse-notation PTR record. * @param str: input string, "IP name" * @return: malloced string "reversed-ip-name PTR name" */ char* cfg_ptr_reverse(char* str); /** * Append text to the error info for validation. * @param qstate: query state. * @param str: copied into query region and appended. * Failures to allocate are logged. */ void errinf(struct module_qstate* qstate, const char* str); /** * Append text to error info: from 1.2.3.4 * @param qstate: query state. * @param origin: sock list with origin of trouble. * Every element added. * If NULL: nothing is added. * if 0len element: 'from cache' is added. */ void errinf_origin(struct module_qstate* qstate, struct sock_list *origin); /** * Append text to error info: for RRset name type class * @param qstate: query state. * @param rr: rrset_key. */ void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr); /** * Append text to error info: str dname * @param qstate: query state. * @param str: explanation string * @param dname: the dname. */ void errinf_dname(struct module_qstate* qstate, const char* str, uint8_t* dname); /** * Create error info in string * @param qstate: query state. * @return string or NULL on malloc failure (already logged). * This string is malloced and has to be freed by caller. */ char* errinf_to_str(struct module_qstate* qstate); /** * Used during options parsing */ struct config_parser_state { /** name of file being parser */ char* filename; /** line number in the file, starts at 1 */ int line; /** number of errors encountered */ int errors; /** the result of parsing is stored here. */ struct config_file* cfg; /** the current chroot dir (or NULL if none) */ const char* chroot; }; /** global config parser object used during config parsing */ extern struct config_parser_state* cfg_parser; /** init lex state */ void init_cfg_parse(void); /** lex in file */ extern FILE* ub_c_in; /** lex out file */ extern FILE* ub_c_out; /** the yacc lex generated parse function */ int ub_c_parse(void); /** the lexer function */ int ub_c_lex(void); /** wrap function */ int ub_c_wrap(void); /** parsing helpers: print error with file and line numbers */ void ub_c_error(const char* msg); /** parsing helpers: print error with file and line numbers */ void ub_c_error_msg(const char* fmt, ...) ATTR_FORMAT(printf, 1, 2); #ifdef UB_ON_WINDOWS /** * Obtain registry string (if it exists). * @param key: key string * @param name: name of value to fetch. * @return malloced string with the result or NULL if it did not * exist on an error (logged with log_err) was encountered. */ char* w_lookup_reg_str(const char* key, const char* name); #endif /* UB_ON_WINDOWS */ #endif /* UTIL_CONFIG_FILE_H */ Index: head/contrib/unbound/util/configlexer.lex =================================================================== --- head/contrib/unbound/util/configlexer.lex (revision 276698) +++ head/contrib/unbound/util/configlexer.lex (revision 276699) @@ -1,446 +1,447 @@ %{ /* * configlexer.lex - lexical analyzer for unbound config file * * Copyright (c) 2001-2006, NLnet Labs. All rights reserved * * See LICENSE for the license. * */ #include "config.h" #include #include #include #ifdef HAVE_GLOB_H # include #endif #include "util/config_file.h" #include "configparser.h" void ub_c_error(const char *message); #if 0 #define LEXOUT(s) printf s /* used ONLY when debugging */ #else #define LEXOUT(s) #endif /** avoid warning in about fwrite return value */ #define ECHO ub_c_error_msg("syntax error at text: %s", ub_c_text) /** A parser variable, this is a statement in the config file which is * of the form variable: value1 value2 ... nargs is the number of values. */ #define YDVAR(nargs, var) \ num_args=(nargs); \ LEXOUT(("v(%s%d) ", ub_c_text, num_args)); \ if(num_args > 0) { BEGIN(val); } \ return (var); struct inc_state { char* filename; int line; YY_BUFFER_STATE buffer; struct inc_state* next; }; static struct inc_state* config_include_stack = NULL; static int inc_depth = 0; static int inc_prev = 0; static int num_args = 0; void init_cfg_parse(void) { config_include_stack = NULL; inc_depth = 0; inc_prev = 0; num_args = 0; } static void config_start_include(const char* filename) { FILE *input; struct inc_state* s; char* nm; if(inc_depth++ > 100000) { ub_c_error_msg("too many include files"); return; } if(strlen(filename) == 0) { ub_c_error_msg("empty include file name"); return; } s = (struct inc_state*)malloc(sizeof(*s)); if(!s) { ub_c_error_msg("include %s: malloc failure", filename); return; } if(cfg_parser->chroot && strncmp(filename, cfg_parser->chroot, strlen(cfg_parser->chroot)) == 0) { filename += strlen(cfg_parser->chroot); } nm = strdup(filename); if(!nm) { ub_c_error_msg("include %s: strdup failure", filename); free(s); return; } input = fopen(filename, "r"); if(!input) { ub_c_error_msg("cannot open include file '%s': %s", filename, strerror(errno)); free(s); free(nm); return; } LEXOUT(("switch_to_include_file(%s)\n", filename)); s->filename = cfg_parser->filename; s->line = cfg_parser->line; s->buffer = YY_CURRENT_BUFFER; s->next = config_include_stack; config_include_stack = s; cfg_parser->filename = nm; cfg_parser->line = 1; yy_switch_to_buffer(yy_create_buffer(input, YY_BUF_SIZE)); } static void config_start_include_glob(const char* filename) { /* check for wildcards */ #ifdef HAVE_GLOB glob_t g; size_t i; int r, flags; if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') && !strchr(filename, '{') && !strchr(filename, '~'))) { flags = 0 #ifdef GLOB_ERR | GLOB_ERR #endif #ifdef GLOB_NOSORT | GLOB_NOSORT #endif #ifdef GLOB_BRACE | GLOB_BRACE #endif #ifdef GLOB_TILDE | GLOB_TILDE #endif ; memset(&g, 0, sizeof(g)); r = glob(filename, flags, NULL, &g); if(r) { /* some error */ globfree(&g); if(r == GLOB_NOMATCH) return; /* no matches for pattern */ config_start_include(filename); /* let original deal with it */ return; } /* process files found, if any */ for(i=0; i<(size_t)g.gl_pathc; i++) { config_start_include(g.gl_pathv[i]); } globfree(&g); return; } #endif /* HAVE_GLOB */ config_start_include(filename); } static void config_end_include(void) { struct inc_state* s = config_include_stack; --inc_depth; if(!s) return; free(cfg_parser->filename); cfg_parser->filename = s->filename; cfg_parser->line = s->line; yy_delete_buffer(YY_CURRENT_BUFFER); yy_switch_to_buffer(s->buffer); config_include_stack = s->next; free(s); } #ifndef yy_set_bol /* compat definition, for flex 2.4.6 */ #define yy_set_bol(at_bol) \ { \ if ( ! yy_current_buffer ) \ yy_current_buffer = yy_create_buffer( ub_c_in, YY_BUF_SIZE ); \ yy_current_buffer->yy_ch_buf[0] = ((at_bol)?'\n':' '); \ } #endif %} %option noinput %option nounput %{ #ifndef YY_NO_UNPUT #define YY_NO_UNPUT 1 #endif #ifndef YY_NO_INPUT #define YY_NO_INPUT 1 #endif %} SPACE [ \t] LETTER [a-zA-Z] UNQUOTEDLETTER [^\'\"\n\r \t\\]|\\. UNQUOTEDLETTER_NOCOLON [^\:\'\"\n\r \t\\]|\\. NEWLINE [\r\n] COMMENT \# COLON \: DQANY [^\"\n\r\\]|\\. SQANY [^\'\n\r\\]|\\. %x quotedstring singlequotedstr include include_quoted val %% {SPACE}* { LEXOUT(("SP ")); /* ignore */ } {SPACE}*{COMMENT}.* { /* note that flex makes the longest match and '.' is any but not nl */ LEXOUT(("comment(%s) ", ub_c_text)); /* ignore */ } server{COLON} { YDVAR(0, VAR_SERVER) } num-threads{COLON} { YDVAR(1, VAR_NUM_THREADS) } verbosity{COLON} { YDVAR(1, VAR_VERBOSITY) } port{COLON} { YDVAR(1, VAR_PORT) } outgoing-range{COLON} { YDVAR(1, VAR_OUTGOING_RANGE) } outgoing-port-permit{COLON} { YDVAR(1, VAR_OUTGOING_PORT_PERMIT) } outgoing-port-avoid{COLON} { YDVAR(1, VAR_OUTGOING_PORT_AVOID) } outgoing-num-tcp{COLON} { YDVAR(1, VAR_OUTGOING_NUM_TCP) } incoming-num-tcp{COLON} { YDVAR(1, VAR_INCOMING_NUM_TCP) } do-ip4{COLON} { YDVAR(1, VAR_DO_IP4) } do-ip6{COLON} { YDVAR(1, VAR_DO_IP6) } do-udp{COLON} { YDVAR(1, VAR_DO_UDP) } do-tcp{COLON} { YDVAR(1, VAR_DO_TCP) } tcp-upstream{COLON} { YDVAR(1, VAR_TCP_UPSTREAM) } ssl-upstream{COLON} { YDVAR(1, VAR_SSL_UPSTREAM) } ssl-service-key{COLON} { YDVAR(1, VAR_SSL_SERVICE_KEY) } ssl-service-pem{COLON} { YDVAR(1, VAR_SSL_SERVICE_PEM) } ssl-port{COLON} { YDVAR(1, VAR_SSL_PORT) } do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) } interface{COLON} { YDVAR(1, VAR_INTERFACE) } ip-address{COLON} { YDVAR(1, VAR_INTERFACE) } outgoing-interface{COLON} { YDVAR(1, VAR_OUTGOING_INTERFACE) } interface-automatic{COLON} { YDVAR(1, VAR_INTERFACE_AUTOMATIC) } so-rcvbuf{COLON} { YDVAR(1, VAR_SO_RCVBUF) } so-sndbuf{COLON} { YDVAR(1, VAR_SO_SNDBUF) } so-reuseport{COLON} { YDVAR(1, VAR_SO_REUSEPORT) } chroot{COLON} { YDVAR(1, VAR_CHROOT) } username{COLON} { YDVAR(1, VAR_USERNAME) } directory{COLON} { YDVAR(1, VAR_DIRECTORY) } logfile{COLON} { YDVAR(1, VAR_LOGFILE) } pidfile{COLON} { YDVAR(1, VAR_PIDFILE) } root-hints{COLON} { YDVAR(1, VAR_ROOT_HINTS) } edns-buffer-size{COLON} { YDVAR(1, VAR_EDNS_BUFFER_SIZE) } msg-buffer-size{COLON} { YDVAR(1, VAR_MSG_BUFFER_SIZE) } msg-cache-size{COLON} { YDVAR(1, VAR_MSG_CACHE_SIZE) } msg-cache-slabs{COLON} { YDVAR(1, VAR_MSG_CACHE_SLABS) } rrset-cache-size{COLON} { YDVAR(1, VAR_RRSET_CACHE_SIZE) } rrset-cache-slabs{COLON} { YDVAR(1, VAR_RRSET_CACHE_SLABS) } cache-max-ttl{COLON} { YDVAR(1, VAR_CACHE_MAX_TTL) } cache-min-ttl{COLON} { YDVAR(1, VAR_CACHE_MIN_TTL) } infra-host-ttl{COLON} { YDVAR(1, VAR_INFRA_HOST_TTL) } infra-lame-ttl{COLON} { YDVAR(1, VAR_INFRA_LAME_TTL) } infra-cache-slabs{COLON} { YDVAR(1, VAR_INFRA_CACHE_SLABS) } infra-cache-numhosts{COLON} { YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) } infra-cache-lame-size{COLON} { YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) } num-queries-per-thread{COLON} { YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) } jostle-timeout{COLON} { YDVAR(1, VAR_JOSTLE_TIMEOUT) } delay-close{COLON} { YDVAR(1, VAR_DELAY_CLOSE) } target-fetch-policy{COLON} { YDVAR(1, VAR_TARGET_FETCH_POLICY) } harden-short-bufsize{COLON} { YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) } harden-large-queries{COLON} { YDVAR(1, VAR_HARDEN_LARGE_QUERIES) } harden-glue{COLON} { YDVAR(1, VAR_HARDEN_GLUE) } harden-dnssec-stripped{COLON} { YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) } harden-below-nxdomain{COLON} { YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) } harden-referral-path{COLON} { YDVAR(1, VAR_HARDEN_REFERRAL_PATH) } use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) } private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) } prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) } prefetch{COLON} { YDVAR(1, VAR_PREFETCH) } stub-zone{COLON} { YDVAR(0, VAR_STUB_ZONE) } name{COLON} { YDVAR(1, VAR_NAME) } stub-addr{COLON} { YDVAR(1, VAR_STUB_ADDR) } stub-host{COLON} { YDVAR(1, VAR_STUB_HOST) } stub-prime{COLON} { YDVAR(1, VAR_STUB_PRIME) } stub-first{COLON} { YDVAR(1, VAR_STUB_FIRST) } forward-zone{COLON} { YDVAR(0, VAR_FORWARD_ZONE) } forward-addr{COLON} { YDVAR(1, VAR_FORWARD_ADDR) } forward-host{COLON} { YDVAR(1, VAR_FORWARD_HOST) } forward-first{COLON} { YDVAR(1, VAR_FORWARD_FIRST) } do-not-query-address{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) } do-not-query-localhost{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) } access-control{COLON} { YDVAR(2, VAR_ACCESS_CONTROL) } hide-identity{COLON} { YDVAR(1, VAR_HIDE_IDENTITY) } hide-version{COLON} { YDVAR(1, VAR_HIDE_VERSION) } identity{COLON} { YDVAR(1, VAR_IDENTITY) } version{COLON} { YDVAR(1, VAR_VERSION) } module-config{COLON} { YDVAR(1, VAR_MODULE_CONF) } dlv-anchor{COLON} { YDVAR(1, VAR_DLV_ANCHOR) } dlv-anchor-file{COLON} { YDVAR(1, VAR_DLV_ANCHOR_FILE) } trust-anchor-file{COLON} { YDVAR(1, VAR_TRUST_ANCHOR_FILE) } auto-trust-anchor-file{COLON} { YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) } trusted-keys-file{COLON} { YDVAR(1, VAR_TRUSTED_KEYS_FILE) } trust-anchor{COLON} { YDVAR(1, VAR_TRUST_ANCHOR) } val-override-date{COLON} { YDVAR(1, VAR_VAL_OVERRIDE_DATE) } val-sig-skew-min{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MIN) } val-sig-skew-max{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) } val-bogus-ttl{COLON} { YDVAR(1, VAR_BOGUS_TTL) } val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) } val-permissive-mode{COLON} { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) } ignore-cd-flag{COLON} { YDVAR(1, VAR_IGNORE_CD_FLAG) } val-log-level{COLON} { YDVAR(1, VAR_VAL_LOG_LEVEL) } key-cache-size{COLON} { YDVAR(1, VAR_KEY_CACHE_SIZE) } key-cache-slabs{COLON} { YDVAR(1, VAR_KEY_CACHE_SLABS) } neg-cache-size{COLON} { YDVAR(1, VAR_NEG_CACHE_SIZE) } val-nsec3-keysize-iterations{COLON} { YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) } add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) } del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) } keep-missing{COLON} { YDVAR(1, VAR_KEEP_MISSING) } use-syslog{COLON} { YDVAR(1, VAR_USE_SYSLOG) } log-time-ascii{COLON} { YDVAR(1, VAR_LOG_TIME_ASCII) } log-queries{COLON} { YDVAR(1, VAR_LOG_QUERIES) } local-zone{COLON} { YDVAR(2, VAR_LOCAL_ZONE) } local-data{COLON} { YDVAR(1, VAR_LOCAL_DATA) } local-data-ptr{COLON} { YDVAR(1, VAR_LOCAL_DATA_PTR) } unblock-lan-zones{COLON} { YDVAR(1, VAR_UNBLOCK_LAN_ZONES) } statistics-interval{COLON} { YDVAR(1, VAR_STATISTICS_INTERVAL) } statistics-cumulative{COLON} { YDVAR(1, VAR_STATISTICS_CUMULATIVE) } extended-statistics{COLON} { YDVAR(1, VAR_EXTENDED_STATISTICS) } remote-control{COLON} { YDVAR(0, VAR_REMOTE_CONTROL) } control-enable{COLON} { YDVAR(1, VAR_CONTROL_ENABLE) } control-interface{COLON} { YDVAR(1, VAR_CONTROL_INTERFACE) } control-port{COLON} { YDVAR(1, VAR_CONTROL_PORT) } +control-use-cert{COLON} { YDVAR(1, VAR_CONTROL_USE_CERT) } server-key-file{COLON} { YDVAR(1, VAR_SERVER_KEY_FILE) } server-cert-file{COLON} { YDVAR(1, VAR_SERVER_CERT_FILE) } control-key-file{COLON} { YDVAR(1, VAR_CONTROL_KEY_FILE) } control-cert-file{COLON} { YDVAR(1, VAR_CONTROL_CERT_FILE) } python-script{COLON} { YDVAR(1, VAR_PYTHON_SCRIPT) } python{COLON} { YDVAR(0, VAR_PYTHON) } domain-insecure{COLON} { YDVAR(1, VAR_DOMAIN_INSECURE) } minimal-responses{COLON} { YDVAR(1, VAR_MINIMAL_RESPONSES) } rrset-roundrobin{COLON} { YDVAR(1, VAR_RRSET_ROUNDROBIN) } max-udp-size{COLON} { YDVAR(1, VAR_MAX_UDP_SIZE) } dns64-prefix{COLON} { YDVAR(1, VAR_DNS64_PREFIX) } dns64-synthall{COLON} { YDVAR(1, VAR_DNS64_SYNTHALL) } dnstap{COLON} { YDVAR(0, VAR_DNSTAP) } dnstap-enable{COLON} { YDVAR(1, VAR_DNSTAP_ENABLE) } dnstap-socket-path{COLON} { YDVAR(1, VAR_DNSTAP_SOCKET_PATH) } dnstap-send-identity{COLON} { YDVAR(1, VAR_DNSTAP_SEND_IDENTITY) } dnstap-send-version{COLON} { YDVAR(1, VAR_DNSTAP_SEND_VERSION) } dnstap-identity{COLON} { YDVAR(1, VAR_DNSTAP_IDENTITY) } dnstap-version{COLON} { YDVAR(1, VAR_DNSTAP_VERSION) } dnstap-log-resolver-query-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES) } dnstap-log-resolver-response-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES) } dnstap-log-client-query-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES) } dnstap-log-client-response-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES) } dnstap-log-forwarder-query-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) } dnstap-log-forwarder-response-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) } {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } /* Quoted strings. Strip leading and ending quotes */ \" { BEGIN(quotedstring); LEXOUT(("QS ")); } <> { ub_c_error("EOF inside quoted string"); if(--num_args == 0) { BEGIN(INITIAL); } else { BEGIN(val); } } {DQANY}* { LEXOUT(("STR(%s) ", ub_c_text)); yymore(); } {NEWLINE} { ub_c_error("newline inside quoted string, no end \""); cfg_parser->line++; BEGIN(INITIAL); } \" { LEXOUT(("QE ")); if(--num_args == 0) { BEGIN(INITIAL); } else { BEGIN(val); } ub_c_text[ub_c_leng - 1] = '\0'; ub_c_lval.str = strdup(ub_c_text); if(!ub_c_lval.str) ub_c_error("out of memory"); return STRING_ARG; } /* Single Quoted strings. Strip leading and ending quotes */ \' { BEGIN(singlequotedstr); LEXOUT(("SQS ")); } <> { ub_c_error("EOF inside quoted string"); if(--num_args == 0) { BEGIN(INITIAL); } else { BEGIN(val); } } {SQANY}* { LEXOUT(("STR(%s) ", ub_c_text)); yymore(); } {NEWLINE} { ub_c_error("newline inside quoted string, no end '"); cfg_parser->line++; BEGIN(INITIAL); } \' { LEXOUT(("SQE ")); if(--num_args == 0) { BEGIN(INITIAL); } else { BEGIN(val); } ub_c_text[ub_c_leng - 1] = '\0'; ub_c_lval.str = strdup(ub_c_text); if(!ub_c_lval.str) ub_c_error("out of memory"); return STRING_ARG; } /* include: directive */ include{COLON} { LEXOUT(("v(%s) ", ub_c_text)); inc_prev = YYSTATE; BEGIN(include); } <> { ub_c_error("EOF inside include directive"); BEGIN(inc_prev); } {SPACE}* { LEXOUT(("ISP ")); /* ignore */ } {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++;} \" { LEXOUT(("IQS ")); BEGIN(include_quoted); } {UNQUOTEDLETTER}* { LEXOUT(("Iunquotedstr(%s) ", ub_c_text)); config_start_include_glob(ub_c_text); BEGIN(inc_prev); } <> { ub_c_error("EOF inside quoted string"); BEGIN(inc_prev); } {DQANY}* { LEXOUT(("ISTR(%s) ", ub_c_text)); yymore(); } {NEWLINE} { ub_c_error("newline before \" in include name"); cfg_parser->line++; BEGIN(inc_prev); } \" { LEXOUT(("IQE ")); ub_c_text[ub_c_leng - 1] = '\0'; config_start_include_glob(ub_c_text); BEGIN(inc_prev); } <> { LEXOUT(("LEXEOF ")); yy_set_bol(1); /* Set beginning of line, so "^" rules match. */ if (!config_include_stack) { yyterminate(); } else { fclose(ub_c_in); config_end_include(); } } {UNQUOTEDLETTER}* { LEXOUT(("unquotedstr(%s) ", ub_c_text)); if(--num_args == 0) { BEGIN(INITIAL); } ub_c_lval.str = strdup(ub_c_text); return STRING_ARG; } {UNQUOTEDLETTER_NOCOLON}* { ub_c_error_msg("unknown keyword '%s'", ub_c_text); } <*>. { ub_c_error_msg("stray '%s'", ub_c_text); } %% Index: head/contrib/unbound/util/configparser.y =================================================================== --- head/contrib/unbound/util/configparser.y (revision 276698) +++ head/contrib/unbound/util/configparser.y (revision 276699) @@ -1,1462 +1,1473 @@ /* * configparser.y -- yacc grammar for unbound configuration files * * Copyright (c) 2001-2006, NLnet Labs. All rights reserved. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ %{ #include "config.h" #include #include #include #include #include #include "util/configyyrename.h" #include "util/config_file.h" #include "util/net_help.h" int ub_c_lex(void); void ub_c_error(const char *message); /* these need to be global, otherwise they cannot be used inside yacc */ extern struct config_parser_state* cfg_parser; #if 0 #define OUTYY(s) printf s /* used ONLY when debugging */ #else #define OUTYY(s) #endif %} %union { char* str; }; %token SPACE LETTER NEWLINE COMMENT COLON ANY ZONESTR %token STRING_ARG %token VAR_SERVER VAR_VERBOSITY VAR_NUM_THREADS VAR_PORT %token VAR_OUTGOING_RANGE VAR_INTERFACE %token VAR_DO_IP4 VAR_DO_IP6 VAR_DO_UDP VAR_DO_TCP %token VAR_CHROOT VAR_USERNAME VAR_DIRECTORY VAR_LOGFILE VAR_PIDFILE %token VAR_MSG_CACHE_SIZE VAR_MSG_CACHE_SLABS VAR_NUM_QUERIES_PER_THREAD %token VAR_RRSET_CACHE_SIZE VAR_RRSET_CACHE_SLABS VAR_OUTGOING_NUM_TCP %token VAR_INFRA_HOST_TTL VAR_INFRA_LAME_TTL VAR_INFRA_CACHE_SLABS %token VAR_INFRA_CACHE_NUMHOSTS VAR_INFRA_CACHE_LAME_SIZE VAR_NAME %token VAR_STUB_ZONE VAR_STUB_HOST VAR_STUB_ADDR VAR_TARGET_FETCH_POLICY %token VAR_HARDEN_SHORT_BUFSIZE VAR_HARDEN_LARGE_QUERIES %token VAR_FORWARD_ZONE VAR_FORWARD_HOST VAR_FORWARD_ADDR %token VAR_DO_NOT_QUERY_ADDRESS VAR_HIDE_IDENTITY VAR_HIDE_VERSION %token VAR_IDENTITY VAR_VERSION VAR_HARDEN_GLUE VAR_MODULE_CONF %token VAR_TRUST_ANCHOR_FILE VAR_TRUST_ANCHOR VAR_VAL_OVERRIDE_DATE %token VAR_BOGUS_TTL VAR_VAL_CLEAN_ADDITIONAL VAR_VAL_PERMISSIVE_MODE %token VAR_INCOMING_NUM_TCP VAR_MSG_BUFFER_SIZE VAR_KEY_CACHE_SIZE %token VAR_KEY_CACHE_SLABS VAR_TRUSTED_KEYS_FILE %token VAR_VAL_NSEC3_KEYSIZE_ITERATIONS VAR_USE_SYSLOG %token VAR_OUTGOING_INTERFACE VAR_ROOT_HINTS VAR_DO_NOT_QUERY_LOCALHOST %token VAR_CACHE_MAX_TTL VAR_HARDEN_DNSSEC_STRIPPED VAR_ACCESS_CONTROL %token VAR_LOCAL_ZONE VAR_LOCAL_DATA VAR_INTERFACE_AUTOMATIC %token VAR_STATISTICS_INTERVAL VAR_DO_DAEMONIZE VAR_USE_CAPS_FOR_ID %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE +%token VAR_CONTROL_USE_CERT %token VAR_EXTENDED_STATISTICS VAR_LOCAL_DATA_PTR VAR_JOSTLE_TIMEOUT %token VAR_STUB_PRIME VAR_UNWANTED_REPLY_THRESHOLD VAR_LOG_TIME_ASCII %token VAR_DOMAIN_INSECURE VAR_PYTHON VAR_PYTHON_SCRIPT VAR_VAL_SIG_SKEW_MIN %token VAR_VAL_SIG_SKEW_MAX VAR_CACHE_MIN_TTL VAR_VAL_LOG_LEVEL %token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN %token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH %token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT VAR_HARDEN_BELOW_NXDOMAIN %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN %token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UNBLOCK_LAN_ZONES %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH %token VAR_DNSTAP_SEND_IDENTITY VAR_DNSTAP_SEND_VERSION %token VAR_DNSTAP_IDENTITY VAR_DNSTAP_VERSION %token VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES %token VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES %token VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; toplevelvar: serverstart contents_server | stubstart contents_stub | forwardstart contents_forward | pythonstart contents_py | rcstart contents_rc | dtstart contents_dt ; /* server: declaration */ serverstart: VAR_SERVER { OUTYY(("\nP(server:)\n")); } ; contents_server: contents_server content_server | ; content_server: server_num_threads | server_verbosity | server_port | server_outgoing_range | server_do_ip4 | server_do_ip6 | server_do_udp | server_do_tcp | server_interface | server_chroot | server_username | server_directory | server_logfile | server_pidfile | server_msg_cache_size | server_msg_cache_slabs | server_num_queries_per_thread | server_rrset_cache_size | server_rrset_cache_slabs | server_outgoing_num_tcp | server_infra_host_ttl | server_infra_lame_ttl | server_infra_cache_slabs | server_infra_cache_numhosts | server_infra_cache_lame_size | server_target_fetch_policy | server_harden_short_bufsize | server_harden_large_queries | server_do_not_query_address | server_hide_identity | server_hide_version | server_identity | server_version | server_harden_glue | server_module_conf | server_trust_anchor_file | server_trust_anchor | server_val_override_date | server_bogus_ttl | server_val_clean_additional | server_val_permissive_mode | server_incoming_num_tcp | server_msg_buffer_size | server_key_cache_size | server_key_cache_slabs | server_trusted_keys_file | server_val_nsec3_keysize_iterations | server_use_syslog | server_outgoing_interface | server_root_hints | server_do_not_query_localhost | server_cache_max_ttl | server_harden_dnssec_stripped | server_access_control | server_local_zone | server_local_data | server_interface_automatic | server_statistics_interval | server_do_daemonize | server_use_caps_for_id | server_statistics_cumulative | server_outgoing_port_permit | server_outgoing_port_avoid | server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size | server_harden_referral_path | server_private_address | server_private_domain | server_extended_statistics | server_local_data_ptr | server_jostle_timeout | server_unwanted_reply_threshold | server_log_time_ascii | server_domain_insecure | server_val_sig_skew_min | server_val_sig_skew_max | server_cache_min_ttl | server_val_log_level | server_auto_trust_anchor_file | server_add_holddown | server_del_holddown | server_keep_missing | server_so_rcvbuf | server_edns_buffer_size | server_prefetch | server_prefetch_key | server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag | server_log_queries | server_tcp_upstream | server_ssl_upstream | server_ssl_service_key | server_ssl_service_pem | server_ssl_port | server_minimal_responses | server_rrset_roundrobin | server_max_udp_size | server_so_reuseport | server_delay_close | server_unblock_lan_zones | server_dns64_prefix | server_dns64_synthall ; stubstart: VAR_STUB_ZONE { struct config_stub* s; OUTYY(("\nP(stub_zone:)\n")); s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->stubs; cfg_parser->cfg->stubs = s; } else yyerror("out of memory"); } ; contents_stub: contents_stub content_stub | ; content_stub: stub_name | stub_host | stub_addr | stub_prime | stub_first ; forwardstart: VAR_FORWARD_ZONE { struct config_stub* s; OUTYY(("\nP(forward_zone:)\n")); s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->forwards; cfg_parser->cfg->forwards = s; } else yyerror("out of memory"); } ; contents_forward: contents_forward content_forward | ; content_forward: forward_name | forward_host | forward_addr | forward_first ; server_num_threads: VAR_NUM_THREADS STRING_ARG { OUTYY(("P(server_num_threads:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->num_threads = atoi($2); free($2); } ; server_verbosity: VAR_VERBOSITY STRING_ARG { OUTYY(("P(server_verbosity:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->verbosity = atoi($2); free($2); } ; server_statistics_interval: VAR_STATISTICS_INTERVAL STRING_ARG { OUTYY(("P(server_statistics_interval:%s)\n", $2)); if(strcmp($2, "") == 0 || strcmp($2, "0") == 0) cfg_parser->cfg->stat_interval = 0; else if(atoi($2) == 0) yyerror("number expected"); else cfg_parser->cfg->stat_interval = atoi($2); free($2); } ; server_statistics_cumulative: VAR_STATISTICS_CUMULATIVE STRING_ARG { OUTYY(("P(server_statistics_cumulative:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->stat_cumulative = (strcmp($2, "yes")==0); free($2); } ; server_extended_statistics: VAR_EXTENDED_STATISTICS STRING_ARG { OUTYY(("P(server_extended_statistics:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->stat_extended = (strcmp($2, "yes")==0); free($2); } ; server_port: VAR_PORT STRING_ARG { OUTYY(("P(server_port:%s)\n", $2)); if(atoi($2) == 0) yyerror("port number expected"); else cfg_parser->cfg->port = atoi($2); free($2); } ; server_interface: VAR_INTERFACE STRING_ARG { OUTYY(("P(server_interface:%s)\n", $2)); if(cfg_parser->cfg->num_ifs == 0) cfg_parser->cfg->ifs = calloc(1, sizeof(char*)); else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs, (cfg_parser->cfg->num_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->ifs) yyerror("out of memory"); else cfg_parser->cfg->ifs[cfg_parser->cfg->num_ifs++] = $2; } ; server_outgoing_interface: VAR_OUTGOING_INTERFACE STRING_ARG { OUTYY(("P(server_outgoing_interface:%s)\n", $2)); if(cfg_parser->cfg->num_out_ifs == 0) cfg_parser->cfg->out_ifs = calloc(1, sizeof(char*)); else cfg_parser->cfg->out_ifs = realloc( cfg_parser->cfg->out_ifs, (cfg_parser->cfg->num_out_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->out_ifs) yyerror("out of memory"); else cfg_parser->cfg->out_ifs[ cfg_parser->cfg->num_out_ifs++] = $2; } ; server_outgoing_range: VAR_OUTGOING_RANGE STRING_ARG { OUTYY(("P(server_outgoing_range:%s)\n", $2)); if(atoi($2) == 0) yyerror("number expected"); else cfg_parser->cfg->outgoing_num_ports = atoi($2); free($2); } ; server_outgoing_port_permit: VAR_OUTGOING_PORT_PERMIT STRING_ARG { OUTYY(("P(server_outgoing_port_permit:%s)\n", $2)); if(!cfg_mark_ports($2, 1, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free($2); } ; server_outgoing_port_avoid: VAR_OUTGOING_PORT_AVOID STRING_ARG { OUTYY(("P(server_outgoing_port_avoid:%s)\n", $2)); if(!cfg_mark_ports($2, 0, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free($2); } ; server_outgoing_num_tcp: VAR_OUTGOING_NUM_TCP STRING_ARG { OUTYY(("P(server_outgoing_num_tcp:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->outgoing_num_tcp = atoi($2); free($2); } ; server_incoming_num_tcp: VAR_INCOMING_NUM_TCP STRING_ARG { OUTYY(("P(server_incoming_num_tcp:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->incoming_num_tcp = atoi($2); free($2); } ; server_interface_automatic: VAR_INTERFACE_AUTOMATIC STRING_ARG { OUTYY(("P(server_interface_automatic:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->if_automatic = (strcmp($2, "yes")==0); free($2); } ; server_do_ip4: VAR_DO_IP4 STRING_ARG { OUTYY(("P(server_do_ip4:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->do_ip4 = (strcmp($2, "yes")==0); free($2); } ; server_do_ip6: VAR_DO_IP6 STRING_ARG { OUTYY(("P(server_do_ip6:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->do_ip6 = (strcmp($2, "yes")==0); free($2); } ; server_do_udp: VAR_DO_UDP STRING_ARG { OUTYY(("P(server_do_udp:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->do_udp = (strcmp($2, "yes")==0); free($2); } ; server_do_tcp: VAR_DO_TCP STRING_ARG { OUTYY(("P(server_do_tcp:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->do_tcp = (strcmp($2, "yes")==0); free($2); } ; server_tcp_upstream: VAR_TCP_UPSTREAM STRING_ARG { OUTYY(("P(server_tcp_upstream:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->tcp_upstream = (strcmp($2, "yes")==0); free($2); } ; server_ssl_upstream: VAR_SSL_UPSTREAM STRING_ARG { OUTYY(("P(server_ssl_upstream:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->ssl_upstream = (strcmp($2, "yes")==0); free($2); } ; server_ssl_service_key: VAR_SSL_SERVICE_KEY STRING_ARG { OUTYY(("P(server_ssl_service_key:%s)\n", $2)); free(cfg_parser->cfg->ssl_service_key); cfg_parser->cfg->ssl_service_key = $2; } ; server_ssl_service_pem: VAR_SSL_SERVICE_PEM STRING_ARG { OUTYY(("P(server_ssl_service_pem:%s)\n", $2)); free(cfg_parser->cfg->ssl_service_pem); cfg_parser->cfg->ssl_service_pem = $2; } ; server_ssl_port: VAR_SSL_PORT STRING_ARG { OUTYY(("P(server_ssl_port:%s)\n", $2)); if(atoi($2) == 0) yyerror("port number expected"); else cfg_parser->cfg->ssl_port = atoi($2); free($2); } ; server_do_daemonize: VAR_DO_DAEMONIZE STRING_ARG { OUTYY(("P(server_do_daemonize:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->do_daemonize = (strcmp($2, "yes")==0); free($2); } ; server_use_syslog: VAR_USE_SYSLOG STRING_ARG { OUTYY(("P(server_use_syslog:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->use_syslog = (strcmp($2, "yes")==0); #if !defined(HAVE_SYSLOG_H) && !defined(UB_ON_WINDOWS) if(strcmp($2, "yes") == 0) yyerror("no syslog services are available. " "(reconfigure and compile to add)"); #endif free($2); } ; server_log_time_ascii: VAR_LOG_TIME_ASCII STRING_ARG { OUTYY(("P(server_log_time_ascii:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->log_time_ascii = (strcmp($2, "yes")==0); free($2); } ; server_log_queries: VAR_LOG_QUERIES STRING_ARG { OUTYY(("P(server_log_queries:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->log_queries = (strcmp($2, "yes")==0); free($2); } ; server_chroot: VAR_CHROOT STRING_ARG { OUTYY(("P(server_chroot:%s)\n", $2)); free(cfg_parser->cfg->chrootdir); cfg_parser->cfg->chrootdir = $2; } ; server_username: VAR_USERNAME STRING_ARG { OUTYY(("P(server_username:%s)\n", $2)); free(cfg_parser->cfg->username); cfg_parser->cfg->username = $2; } ; server_directory: VAR_DIRECTORY STRING_ARG { OUTYY(("P(server_directory:%s)\n", $2)); free(cfg_parser->cfg->directory); cfg_parser->cfg->directory = $2; } ; server_logfile: VAR_LOGFILE STRING_ARG { OUTYY(("P(server_logfile:%s)\n", $2)); free(cfg_parser->cfg->logfile); cfg_parser->cfg->logfile = $2; cfg_parser->cfg->use_syslog = 0; } ; server_pidfile: VAR_PIDFILE STRING_ARG { OUTYY(("P(server_pidfile:%s)\n", $2)); free(cfg_parser->cfg->pidfile); cfg_parser->cfg->pidfile = $2; } ; server_root_hints: VAR_ROOT_HINTS STRING_ARG { OUTYY(("P(server_root_hints:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->root_hints, $2)) yyerror("out of memory"); } ; server_dlv_anchor_file: VAR_DLV_ANCHOR_FILE STRING_ARG { OUTYY(("P(server_dlv_anchor_file:%s)\n", $2)); free(cfg_parser->cfg->dlv_anchor_file); cfg_parser->cfg->dlv_anchor_file = $2; } ; server_dlv_anchor: VAR_DLV_ANCHOR STRING_ARG { OUTYY(("P(server_dlv_anchor:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->dlv_anchor_list, $2)) yyerror("out of memory"); } ; server_auto_trust_anchor_file: VAR_AUTO_TRUST_ANCHOR_FILE STRING_ARG { OUTYY(("P(server_auto_trust_anchor_file:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg-> auto_trust_anchor_file_list, $2)) yyerror("out of memory"); } ; server_trust_anchor_file: VAR_TRUST_ANCHOR_FILE STRING_ARG { OUTYY(("P(server_trust_anchor_file:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg-> trust_anchor_file_list, $2)) yyerror("out of memory"); } ; server_trusted_keys_file: VAR_TRUSTED_KEYS_FILE STRING_ARG { OUTYY(("P(server_trusted_keys_file:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg-> trusted_keys_file_list, $2)) yyerror("out of memory"); } ; server_trust_anchor: VAR_TRUST_ANCHOR STRING_ARG { OUTYY(("P(server_trust_anchor:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->trust_anchor_list, $2)) yyerror("out of memory"); } ; server_domain_insecure: VAR_DOMAIN_INSECURE STRING_ARG { OUTYY(("P(server_domain_insecure:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->domain_insecure, $2)) yyerror("out of memory"); } ; server_hide_identity: VAR_HIDE_IDENTITY STRING_ARG { OUTYY(("P(server_hide_identity:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->hide_identity = (strcmp($2, "yes")==0); free($2); } ; server_hide_version: VAR_HIDE_VERSION STRING_ARG { OUTYY(("P(server_hide_version:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->hide_version = (strcmp($2, "yes")==0); free($2); } ; server_identity: VAR_IDENTITY STRING_ARG { OUTYY(("P(server_identity:%s)\n", $2)); free(cfg_parser->cfg->identity); cfg_parser->cfg->identity = $2; } ; server_version: VAR_VERSION STRING_ARG { OUTYY(("P(server_version:%s)\n", $2)); free(cfg_parser->cfg->version); cfg_parser->cfg->version = $2; } ; server_so_rcvbuf: VAR_SO_RCVBUF STRING_ARG { OUTYY(("P(server_so_rcvbuf:%s)\n", $2)); if(!cfg_parse_memsize($2, &cfg_parser->cfg->so_rcvbuf)) yyerror("buffer size expected"); free($2); } ; server_so_sndbuf: VAR_SO_SNDBUF STRING_ARG { OUTYY(("P(server_so_sndbuf:%s)\n", $2)); if(!cfg_parse_memsize($2, &cfg_parser->cfg->so_sndbuf)) yyerror("buffer size expected"); free($2); } ; server_so_reuseport: VAR_SO_REUSEPORT STRING_ARG { OUTYY(("P(server_so_reuseport:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->so_reuseport = (strcmp($2, "yes")==0); free($2); } ; server_edns_buffer_size: VAR_EDNS_BUFFER_SIZE STRING_ARG { OUTYY(("P(server_edns_buffer_size:%s)\n", $2)); if(atoi($2) == 0) yyerror("number expected"); else if (atoi($2) < 12) yyerror("edns buffer size too small"); else if (atoi($2) > 65535) cfg_parser->cfg->edns_buffer_size = 65535; else cfg_parser->cfg->edns_buffer_size = atoi($2); free($2); } ; server_msg_buffer_size: VAR_MSG_BUFFER_SIZE STRING_ARG { OUTYY(("P(server_msg_buffer_size:%s)\n", $2)); if(atoi($2) == 0) yyerror("number expected"); else if (atoi($2) < 4096) yyerror("message buffer size too small (use 4096)"); else cfg_parser->cfg->msg_buffer_size = atoi($2); free($2); } ; server_msg_cache_size: VAR_MSG_CACHE_SIZE STRING_ARG { OUTYY(("P(server_msg_cache_size:%s)\n", $2)); if(!cfg_parse_memsize($2, &cfg_parser->cfg->msg_cache_size)) yyerror("memory size expected"); free($2); } ; server_msg_cache_slabs: VAR_MSG_CACHE_SLABS STRING_ARG { OUTYY(("P(server_msg_cache_slabs:%s)\n", $2)); if(atoi($2) == 0) yyerror("number expected"); else { cfg_parser->cfg->msg_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->msg_cache_slabs)) yyerror("must be a power of 2"); } free($2); } ; server_num_queries_per_thread: VAR_NUM_QUERIES_PER_THREAD STRING_ARG { OUTYY(("P(server_num_queries_per_thread:%s)\n", $2)); if(atoi($2) == 0) yyerror("number expected"); else cfg_parser->cfg->num_queries_per_thread = atoi($2); free($2); } ; server_jostle_timeout: VAR_JOSTLE_TIMEOUT STRING_ARG { OUTYY(("P(server_jostle_timeout:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->jostle_time = atoi($2); free($2); } ; server_delay_close: VAR_DELAY_CLOSE STRING_ARG { OUTYY(("P(server_delay_close:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->delay_close = atoi($2); free($2); } ; server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG { OUTYY(("P(server_unblock_lan_zones:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->unblock_lan_zones = (strcmp($2, "yes")==0); free($2); } ; server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG { OUTYY(("P(server_rrset_cache_size:%s)\n", $2)); if(!cfg_parse_memsize($2, &cfg_parser->cfg->rrset_cache_size)) yyerror("memory size expected"); free($2); } ; server_rrset_cache_slabs: VAR_RRSET_CACHE_SLABS STRING_ARG { OUTYY(("P(server_rrset_cache_slabs:%s)\n", $2)); if(atoi($2) == 0) yyerror("number expected"); else { cfg_parser->cfg->rrset_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->rrset_cache_slabs)) yyerror("must be a power of 2"); } free($2); } ; server_infra_host_ttl: VAR_INFRA_HOST_TTL STRING_ARG { OUTYY(("P(server_infra_host_ttl:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->host_ttl = atoi($2); free($2); } ; server_infra_lame_ttl: VAR_INFRA_LAME_TTL STRING_ARG { OUTYY(("P(server_infra_lame_ttl:%s)\n", $2)); verbose(VERB_DETAIL, "ignored infra-lame-ttl: %s (option " "removed, use infra-host-ttl)", $2); free($2); } ; server_infra_cache_numhosts: VAR_INFRA_CACHE_NUMHOSTS STRING_ARG { OUTYY(("P(server_infra_cache_numhosts:%s)\n", $2)); if(atoi($2) == 0) yyerror("number expected"); else cfg_parser->cfg->infra_cache_numhosts = atoi($2); free($2); } ; server_infra_cache_lame_size: VAR_INFRA_CACHE_LAME_SIZE STRING_ARG { OUTYY(("P(server_infra_cache_lame_size:%s)\n", $2)); verbose(VERB_DETAIL, "ignored infra-cache-lame-size: %s " "(option removed, use infra-cache-numhosts)", $2); free($2); } ; server_infra_cache_slabs: VAR_INFRA_CACHE_SLABS STRING_ARG { OUTYY(("P(server_infra_cache_slabs:%s)\n", $2)); if(atoi($2) == 0) yyerror("number expected"); else { cfg_parser->cfg->infra_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->infra_cache_slabs)) yyerror("must be a power of 2"); } free($2); } ; server_target_fetch_policy: VAR_TARGET_FETCH_POLICY STRING_ARG { OUTYY(("P(server_target_fetch_policy:%s)\n", $2)); free(cfg_parser->cfg->target_fetch_policy); cfg_parser->cfg->target_fetch_policy = $2; } ; server_harden_short_bufsize: VAR_HARDEN_SHORT_BUFSIZE STRING_ARG { OUTYY(("P(server_harden_short_bufsize:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->harden_short_bufsize = (strcmp($2, "yes")==0); free($2); } ; server_harden_large_queries: VAR_HARDEN_LARGE_QUERIES STRING_ARG { OUTYY(("P(server_harden_large_queries:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->harden_large_queries = (strcmp($2, "yes")==0); free($2); } ; server_harden_glue: VAR_HARDEN_GLUE STRING_ARG { OUTYY(("P(server_harden_glue:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->harden_glue = (strcmp($2, "yes")==0); free($2); } ; server_harden_dnssec_stripped: VAR_HARDEN_DNSSEC_STRIPPED STRING_ARG { OUTYY(("P(server_harden_dnssec_stripped:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->harden_dnssec_stripped = (strcmp($2, "yes")==0); free($2); } ; server_harden_below_nxdomain: VAR_HARDEN_BELOW_NXDOMAIN STRING_ARG { OUTYY(("P(server_harden_below_nxdomain:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->harden_below_nxdomain = (strcmp($2, "yes")==0); free($2); } ; server_harden_referral_path: VAR_HARDEN_REFERRAL_PATH STRING_ARG { OUTYY(("P(server_harden_referral_path:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->harden_referral_path = (strcmp($2, "yes")==0); free($2); } ; server_use_caps_for_id: VAR_USE_CAPS_FOR_ID STRING_ARG { OUTYY(("P(server_use_caps_for_id:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->use_caps_bits_for_id = (strcmp($2, "yes")==0); free($2); } ; server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG { OUTYY(("P(server_private_address:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->private_address, $2)) yyerror("out of memory"); } ; server_private_domain: VAR_PRIVATE_DOMAIN STRING_ARG { OUTYY(("P(server_private_domain:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->private_domain, $2)) yyerror("out of memory"); } ; server_prefetch: VAR_PREFETCH STRING_ARG { OUTYY(("P(server_prefetch:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->prefetch = (strcmp($2, "yes")==0); free($2); } ; server_prefetch_key: VAR_PREFETCH_KEY STRING_ARG { OUTYY(("P(server_prefetch_key:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->prefetch_key = (strcmp($2, "yes")==0); free($2); } ; server_unwanted_reply_threshold: VAR_UNWANTED_REPLY_THRESHOLD STRING_ARG { OUTYY(("P(server_unwanted_reply_threshold:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->unwanted_threshold = atoi($2); free($2); } ; server_do_not_query_address: VAR_DO_NOT_QUERY_ADDRESS STRING_ARG { OUTYY(("P(server_do_not_query_address:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->donotqueryaddrs, $2)) yyerror("out of memory"); } ; server_do_not_query_localhost: VAR_DO_NOT_QUERY_LOCALHOST STRING_ARG { OUTYY(("P(server_do_not_query_localhost:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->donotquery_localhost = (strcmp($2, "yes")==0); free($2); } ; server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG { OUTYY(("P(server_access_control:%s %s)\n", $2, $3)); if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 && strcmp($3, "deny_non_local")!=0 && strcmp($3, "refuse_non_local")!=0 && strcmp($3, "allow")!=0 && strcmp($3, "allow_snoop")!=0) { yyerror("expected deny, refuse, deny_non_local, " "refuse_non_local, allow or allow_snoop " "in access control action"); } else { if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3)) fatal_exit("out of memory adding acl"); } } ; server_module_conf: VAR_MODULE_CONF STRING_ARG { OUTYY(("P(server_module_conf:%s)\n", $2)); free(cfg_parser->cfg->module_conf); cfg_parser->cfg->module_conf = $2; } ; server_val_override_date: VAR_VAL_OVERRIDE_DATE STRING_ARG { OUTYY(("P(server_val_override_date:%s)\n", $2)); if(strlen($2) == 0 || strcmp($2, "0") == 0) { cfg_parser->cfg->val_date_override = 0; } else if(strlen($2) == 14) { cfg_parser->cfg->val_date_override = cfg_convert_timeval($2); if(!cfg_parser->cfg->val_date_override) yyerror("bad date/time specification"); } else { if(atoi($2) == 0) yyerror("number expected"); cfg_parser->cfg->val_date_override = atoi($2); } free($2); } ; server_val_sig_skew_min: VAR_VAL_SIG_SKEW_MIN STRING_ARG { OUTYY(("P(server_val_sig_skew_min:%s)\n", $2)); if(strlen($2) == 0 || strcmp($2, "0") == 0) { cfg_parser->cfg->val_sig_skew_min = 0; } else { cfg_parser->cfg->val_sig_skew_min = atoi($2); if(!cfg_parser->cfg->val_sig_skew_min) yyerror("number expected"); } free($2); } ; server_val_sig_skew_max: VAR_VAL_SIG_SKEW_MAX STRING_ARG { OUTYY(("P(server_val_sig_skew_max:%s)\n", $2)); if(strlen($2) == 0 || strcmp($2, "0") == 0) { cfg_parser->cfg->val_sig_skew_max = 0; } else { cfg_parser->cfg->val_sig_skew_max = atoi($2); if(!cfg_parser->cfg->val_sig_skew_max) yyerror("number expected"); } free($2); } ; server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG { OUTYY(("P(server_cache_max_ttl:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->max_ttl = atoi($2); free($2); } ; server_cache_min_ttl: VAR_CACHE_MIN_TTL STRING_ARG { OUTYY(("P(server_cache_min_ttl:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->min_ttl = atoi($2); free($2); } ; server_bogus_ttl: VAR_BOGUS_TTL STRING_ARG { OUTYY(("P(server_bogus_ttl:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->bogus_ttl = atoi($2); free($2); } ; server_val_clean_additional: VAR_VAL_CLEAN_ADDITIONAL STRING_ARG { OUTYY(("P(server_val_clean_additional:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->val_clean_additional = (strcmp($2, "yes")==0); free($2); } ; server_val_permissive_mode: VAR_VAL_PERMISSIVE_MODE STRING_ARG { OUTYY(("P(server_val_permissive_mode:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->val_permissive_mode = (strcmp($2, "yes")==0); free($2); } ; server_ignore_cd_flag: VAR_IGNORE_CD_FLAG STRING_ARG { OUTYY(("P(server_ignore_cd_flag:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->ignore_cd = (strcmp($2, "yes")==0); free($2); } ; server_val_log_level: VAR_VAL_LOG_LEVEL STRING_ARG { OUTYY(("P(server_val_log_level:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->val_log_level = atoi($2); free($2); } ; server_val_nsec3_keysize_iterations: VAR_VAL_NSEC3_KEYSIZE_ITERATIONS STRING_ARG { OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", $2)); free(cfg_parser->cfg->val_nsec3_key_iterations); cfg_parser->cfg->val_nsec3_key_iterations = $2; } ; server_add_holddown: VAR_ADD_HOLDDOWN STRING_ARG { OUTYY(("P(server_add_holddown:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->add_holddown = atoi($2); free($2); } ; server_del_holddown: VAR_DEL_HOLDDOWN STRING_ARG { OUTYY(("P(server_del_holddown:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->del_holddown = atoi($2); free($2); } ; server_keep_missing: VAR_KEEP_MISSING STRING_ARG { OUTYY(("P(server_keep_missing:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->keep_missing = atoi($2); free($2); } ; server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG { OUTYY(("P(server_key_cache_size:%s)\n", $2)); if(!cfg_parse_memsize($2, &cfg_parser->cfg->key_cache_size)) yyerror("memory size expected"); free($2); } ; server_key_cache_slabs: VAR_KEY_CACHE_SLABS STRING_ARG { OUTYY(("P(server_key_cache_slabs:%s)\n", $2)); if(atoi($2) == 0) yyerror("number expected"); else { cfg_parser->cfg->key_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->key_cache_slabs)) yyerror("must be a power of 2"); } free($2); } ; server_neg_cache_size: VAR_NEG_CACHE_SIZE STRING_ARG { OUTYY(("P(server_neg_cache_size:%s)\n", $2)); if(!cfg_parse_memsize($2, &cfg_parser->cfg->neg_cache_size)) yyerror("memory size expected"); free($2); } ; server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG { OUTYY(("P(server_local_zone:%s %s)\n", $2, $3)); if(strcmp($3, "static")!=0 && strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 && strcmp($3, "redirect")!=0 && strcmp($3, "transparent")!=0 && strcmp($3, "nodefault")!=0 && strcmp($3, "typetransparent")!=0) yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " "typetransparent or nodefault"); else if(strcmp($3, "nodefault")==0) { if(!cfg_strlist_insert(&cfg_parser->cfg-> local_zones_nodefault, $2)) fatal_exit("out of memory adding local-zone"); free($3); } else { if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, $2, $3)) fatal_exit("out of memory adding local-zone"); } } ; server_local_data: VAR_LOCAL_DATA STRING_ARG { OUTYY(("P(server_local_data:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, $2)) fatal_exit("out of memory adding local-data"); } ; server_local_data_ptr: VAR_LOCAL_DATA_PTR STRING_ARG { char* ptr; OUTYY(("P(server_local_data_ptr:%s)\n", $2)); ptr = cfg_ptr_reverse($2); free($2); if(ptr) { if(!cfg_strlist_insert(&cfg_parser->cfg-> local_data, ptr)) fatal_exit("out of memory adding local-data"); } else { yyerror("local-data-ptr could not be reversed"); } } ; server_minimal_responses: VAR_MINIMAL_RESPONSES STRING_ARG { OUTYY(("P(server_minimal_responses:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->minimal_responses = (strcmp($2, "yes")==0); free($2); } ; server_rrset_roundrobin: VAR_RRSET_ROUNDROBIN STRING_ARG { OUTYY(("P(server_rrset_roundrobin:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->rrset_roundrobin = (strcmp($2, "yes")==0); free($2); } ; server_max_udp_size: VAR_MAX_UDP_SIZE STRING_ARG { OUTYY(("P(server_max_udp_size:%s)\n", $2)); cfg_parser->cfg->max_udp_size = atoi($2); free($2); } ; server_dns64_prefix: VAR_DNS64_PREFIX STRING_ARG { OUTYY(("P(dns64_prefix:%s)\n", $2)); free(cfg_parser->cfg->dns64_prefix); cfg_parser->cfg->dns64_prefix = $2; } ; server_dns64_synthall: VAR_DNS64_SYNTHALL STRING_ARG { OUTYY(("P(server_dns64_synthall:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dns64_synthall = (strcmp($2, "yes")==0); free($2); } ; stub_name: VAR_NAME STRING_ARG { OUTYY(("P(name:%s)\n", $2)); if(cfg_parser->cfg->stubs->name) yyerror("stub name override, there must be one name " "for one stub-zone"); free(cfg_parser->cfg->stubs->name); cfg_parser->cfg->stubs->name = $2; } ; stub_host: VAR_STUB_HOST STRING_ARG { OUTYY(("P(stub-host:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, $2)) yyerror("out of memory"); } ; stub_addr: VAR_STUB_ADDR STRING_ARG { OUTYY(("P(stub-addr:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, $2)) yyerror("out of memory"); } ; stub_first: VAR_STUB_FIRST STRING_ARG { OUTYY(("P(stub-first:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->stubs->isfirst=(strcmp($2, "yes")==0); free($2); } ; stub_prime: VAR_STUB_PRIME STRING_ARG { OUTYY(("P(stub-prime:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->stubs->isprime = (strcmp($2, "yes")==0); free($2); } ; forward_name: VAR_NAME STRING_ARG { OUTYY(("P(name:%s)\n", $2)); if(cfg_parser->cfg->forwards->name) yyerror("forward name override, there must be one " "name for one forward-zone"); free(cfg_parser->cfg->forwards->name); cfg_parser->cfg->forwards->name = $2; } ; forward_host: VAR_FORWARD_HOST STRING_ARG { OUTYY(("P(forward-host:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, $2)) yyerror("out of memory"); } ; forward_addr: VAR_FORWARD_ADDR STRING_ARG { OUTYY(("P(forward-addr:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, $2)) yyerror("out of memory"); } ; forward_first: VAR_FORWARD_FIRST STRING_ARG { OUTYY(("P(forward-first:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->forwards->isfirst=(strcmp($2, "yes")==0); free($2); } ; rcstart: VAR_REMOTE_CONTROL { OUTYY(("\nP(remote-control:)\n")); } ; contents_rc: contents_rc content_rc | ; content_rc: rc_control_enable | rc_control_interface | rc_control_port | rc_server_key_file | rc_server_cert_file | rc_control_key_file | - rc_control_cert_file + rc_control_cert_file | rc_control_use_cert ; rc_control_enable: VAR_CONTROL_ENABLE STRING_ARG { OUTYY(("P(control_enable:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->remote_control_enable = (strcmp($2, "yes")==0); free($2); } ; rc_control_port: VAR_CONTROL_PORT STRING_ARG { OUTYY(("P(control_port:%s)\n", $2)); if(atoi($2) == 0) yyerror("control port number expected"); else cfg_parser->cfg->control_port = atoi($2); free($2); } ; rc_control_interface: VAR_CONTROL_INTERFACE STRING_ARG { OUTYY(("P(control_interface:%s)\n", $2)); if(!cfg_strlist_insert(&cfg_parser->cfg->control_ifs, $2)) yyerror("out of memory"); + } + ; +rc_control_use_cert: VAR_CONTROL_USE_CERT STRING_ARG + { + OUTYY(("P(control_use_cert:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->remote_control_use_cert = + (strcmp($2, "yes")==0); + free($2); } ; rc_server_key_file: VAR_SERVER_KEY_FILE STRING_ARG { OUTYY(("P(rc_server_key_file:%s)\n", $2)); free(cfg_parser->cfg->server_key_file); cfg_parser->cfg->server_key_file = $2; } ; rc_server_cert_file: VAR_SERVER_CERT_FILE STRING_ARG { OUTYY(("P(rc_server_cert_file:%s)\n", $2)); free(cfg_parser->cfg->server_cert_file); cfg_parser->cfg->server_cert_file = $2; } ; rc_control_key_file: VAR_CONTROL_KEY_FILE STRING_ARG { OUTYY(("P(rc_control_key_file:%s)\n", $2)); free(cfg_parser->cfg->control_key_file); cfg_parser->cfg->control_key_file = $2; } ; rc_control_cert_file: VAR_CONTROL_CERT_FILE STRING_ARG { OUTYY(("P(rc_control_cert_file:%s)\n", $2)); free(cfg_parser->cfg->control_cert_file); cfg_parser->cfg->control_cert_file = $2; } ; dtstart: VAR_DNSTAP { OUTYY(("\nP(dnstap:)\n")); } ; contents_dt: contents_dt content_dt | ; content_dt: dt_dnstap_enable | dt_dnstap_socket_path | dt_dnstap_send_identity | dt_dnstap_send_version | dt_dnstap_identity | dt_dnstap_version | dt_dnstap_log_resolver_query_messages | dt_dnstap_log_resolver_response_messages | dt_dnstap_log_client_query_messages | dt_dnstap_log_client_response_messages | dt_dnstap_log_forwarder_query_messages | dt_dnstap_log_forwarder_response_messages ; dt_dnstap_enable: VAR_DNSTAP_ENABLE STRING_ARG { OUTYY(("P(dt_dnstap_enable:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dnstap = (strcmp($2, "yes")==0); } ; dt_dnstap_socket_path: VAR_DNSTAP_SOCKET_PATH STRING_ARG { OUTYY(("P(dt_dnstap_socket_path:%s)\n", $2)); free(cfg_parser->cfg->dnstap_socket_path); cfg_parser->cfg->dnstap_socket_path = $2; } ; dt_dnstap_send_identity: VAR_DNSTAP_SEND_IDENTITY STRING_ARG { OUTYY(("P(dt_dnstap_send_identity:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dnstap_send_identity = (strcmp($2, "yes")==0); } ; dt_dnstap_send_version: VAR_DNSTAP_SEND_VERSION STRING_ARG { OUTYY(("P(dt_dnstap_send_version:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dnstap_send_version = (strcmp($2, "yes")==0); } ; dt_dnstap_identity: VAR_DNSTAP_IDENTITY STRING_ARG { OUTYY(("P(dt_dnstap_identity:%s)\n", $2)); free(cfg_parser->cfg->dnstap_identity); cfg_parser->cfg->dnstap_identity = $2; } ; dt_dnstap_version: VAR_DNSTAP_VERSION STRING_ARG { OUTYY(("P(dt_dnstap_version:%s)\n", $2)); free(cfg_parser->cfg->dnstap_version); cfg_parser->cfg->dnstap_version = $2; } ; dt_dnstap_log_resolver_query_messages: VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES STRING_ARG { OUTYY(("P(dt_dnstap_log_resolver_query_messages:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dnstap_log_resolver_query_messages = (strcmp($2, "yes")==0); } ; dt_dnstap_log_resolver_response_messages: VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES STRING_ARG { OUTYY(("P(dt_dnstap_log_resolver_response_messages:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dnstap_log_resolver_response_messages = (strcmp($2, "yes")==0); } ; dt_dnstap_log_client_query_messages: VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES STRING_ARG { OUTYY(("P(dt_dnstap_log_client_query_messages:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dnstap_log_client_query_messages = (strcmp($2, "yes")==0); } ; dt_dnstap_log_client_response_messages: VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES STRING_ARG { OUTYY(("P(dt_dnstap_log_client_response_messages:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dnstap_log_client_response_messages = (strcmp($2, "yes")==0); } ; dt_dnstap_log_forwarder_query_messages: VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES STRING_ARG { OUTYY(("P(dt_dnstap_log_forwarder_query_messages:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dnstap_log_forwarder_query_messages = (strcmp($2, "yes")==0); } ; dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES STRING_ARG { OUTYY(("P(dt_dnstap_log_forwarder_response_messages:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); else cfg_parser->cfg->dnstap_log_forwarder_response_messages = (strcmp($2, "yes")==0); } ; pythonstart: VAR_PYTHON { OUTYY(("\nP(python:)\n")); } ; contents_py: contents_py content_py | ; content_py: py_script ; py_script: VAR_PYTHON_SCRIPT STRING_ARG { OUTYY(("P(python-script:%s)\n", $2)); free(cfg_parser->cfg->python_script); cfg_parser->cfg->python_script = $2; } %% /* parse helper routines could be here */ Index: head/contrib/unbound/util/net_help.c =================================================================== --- head/contrib/unbound/util/net_help.c (revision 276698) +++ head/contrib/unbound/util/net_help.c (revision 276699) @@ -1,814 +1,814 @@ /* * util/net_help.c - implementation of the network helper code * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * Implementation of net_help.h. */ #include "config.h" #include "util/net_help.h" #include "util/log.h" #include "util/data/dname.h" #include "util/module.h" #include "util/regional.h" #include "ldns/parseutil.h" #include "ldns/wire2str.h" #include #ifdef HAVE_OPENSSL_SSL_H #include #endif #ifdef HAVE_OPENSSL_ERR_H #include #endif /** max length of an IP address (the address portion) that we allow */ #define MAX_ADDR_STRLEN 128 /* characters */ /** default value for EDNS ADVERTISED size */ uint16_t EDNS_ADVERTISED_SIZE = 4096; /** minimal responses when positive answer: default is no */ int MINIMAL_RESPONSES = 0; /** rrset order roundrobin: default is no */ int RRSET_ROUNDROBIN = 0; /* returns true is string addr is an ip6 specced address */ int str_is_ip6(const char* str) { if(strchr(str, ':')) return 1; else return 0; } int fd_set_nonblock(int s) { #ifdef HAVE_FCNTL int flag; if((flag = fcntl(s, F_GETFL)) == -1) { log_err("can't fcntl F_GETFL: %s", strerror(errno)); flag = 0; } flag |= O_NONBLOCK; if(fcntl(s, F_SETFL, flag) == -1) { log_err("can't fcntl F_SETFL: %s", strerror(errno)); return 0; } #elif defined(HAVE_IOCTLSOCKET) unsigned long on = 1; if(ioctlsocket(s, FIONBIO, &on) != 0) { log_err("can't ioctlsocket FIONBIO on: %s", wsa_strerror(WSAGetLastError())); } #endif return 1; } int fd_set_block(int s) { #ifdef HAVE_FCNTL int flag; if((flag = fcntl(s, F_GETFL)) == -1) { log_err("cannot fcntl F_GETFL: %s", strerror(errno)); flag = 0; } flag &= ~O_NONBLOCK; if(fcntl(s, F_SETFL, flag) == -1) { log_err("cannot fcntl F_SETFL: %s", strerror(errno)); return 0; } #elif defined(HAVE_IOCTLSOCKET) unsigned long off = 0; if(ioctlsocket(s, FIONBIO, &off) != 0) { log_err("can't ioctlsocket FIONBIO off: %s", wsa_strerror(WSAGetLastError())); } #endif return 1; } int is_pow2(size_t num) { if(num == 0) return 1; return (num & (num-1)) == 0; } void* memdup(void* data, size_t len) { void* d; if(!data) return NULL; if(len == 0) return NULL; d = malloc(len); if(!d) return NULL; memcpy(d, data, len); return d; } void log_addr(enum verbosity_value v, const char* str, struct sockaddr_storage* addr, socklen_t addrlen) { uint16_t port; const char* family = "unknown"; char dest[100]; int af = (int)((struct sockaddr_in*)addr)->sin_family; void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; if(verbosity < v) return; switch(af) { case AF_INET: family="ip4"; break; case AF_INET6: family="ip6"; sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; break; - case AF_UNIX: family="unix"; break; + case AF_LOCAL: family="local"; break; default: break; } if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); } dest[sizeof(dest)-1] = 0; port = ntohs(((struct sockaddr_in*)addr)->sin_port); if(verbosity >= 4) verbose(v, "%s %s %s port %d (len %d)", str, family, dest, (int)port, (int)addrlen); else verbose(v, "%s %s port %d", str, dest, (int)port); } int extstrtoaddr(const char* str, struct sockaddr_storage* addr, socklen_t* addrlen) { char* s; int port = UNBOUND_DNS_PORT; if((s=strchr(str, '@'))) { char buf[MAX_ADDR_STRLEN]; if(s-str >= MAX_ADDR_STRLEN) { return 0; } (void)strlcpy(buf, str, sizeof(buf)); buf[s-str] = 0; port = atoi(s+1); if(port == 0 && strcmp(s+1,"0")!=0) { return 0; } return ipstrtoaddr(buf, port, addr, addrlen); } return ipstrtoaddr(str, port, addr, addrlen); } int ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, socklen_t* addrlen) { uint16_t p; if(!ip) return 0; p = (uint16_t) port; if(str_is_ip6(ip)) { char buf[MAX_ADDR_STRLEN]; char* s; struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; *addrlen = (socklen_t)sizeof(struct sockaddr_in6); memset(sa, 0, *addrlen); sa->sin6_family = AF_INET6; sa->sin6_port = (in_port_t)htons(p); if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */ if(s-ip >= MAX_ADDR_STRLEN) return 0; (void)strlcpy(buf, ip, sizeof(buf)); buf[s-ip]=0; sa->sin6_scope_id = (uint32_t)atoi(s+1); ip = buf; } if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) { return 0; } } else { /* ip4 */ struct sockaddr_in* sa = (struct sockaddr_in*)addr; *addrlen = (socklen_t)sizeof(struct sockaddr_in); memset(sa, 0, *addrlen); sa->sin_family = AF_INET; sa->sin_port = (in_port_t)htons(p); if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) { return 0; } } return 1; } int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr, socklen_t* addrlen, int* net) { char* s = NULL; *net = (str_is_ip6(str)?128:32); if((s=strchr(str, '/'))) { if(atoi(s+1) > *net) { log_err("netblock too large: %s", str); return 0; } *net = atoi(s+1); if(*net == 0 && strcmp(s+1, "0") != 0) { log_err("cannot parse netblock: '%s'", str); return 0; } if(!(s = strdup(str))) { log_err("out of memory"); return 0; } *strchr(s, '/') = '\0'; } if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) { free(s); log_err("cannot parse ip address: '%s'", str); return 0; } if(s) { free(s); addr_mask(addr, *addrlen, *net); } return 1; } void log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name, uint16_t type, uint16_t dclass) { char buf[LDNS_MAX_DOMAINLEN+1]; char t[12], c[12]; const char *ts, *cs; if(verbosity < v) return; dname_str(name, buf); if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG"; else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR"; else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR"; else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB"; else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA"; else if(type == LDNS_RR_TYPE_ANY) ts = "ANY"; else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name) ts = sldns_rr_descript(type)->_name; else { snprintf(t, sizeof(t), "TYPE%d", (int)type); ts = t; } if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) && sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name) cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name; else { snprintf(c, sizeof(c), "CLASS%d", (int)dclass); cs = c; } log_info("%s %s %s %s", str, buf, ts, cs); } void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone, struct sockaddr_storage* addr, socklen_t addrlen) { uint16_t port; const char* family = "unknown_family "; char namebuf[LDNS_MAX_DOMAINLEN+1]; char dest[100]; int af = (int)((struct sockaddr_in*)addr)->sin_family; void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; if(verbosity < v) return; switch(af) { case AF_INET: family=""; break; case AF_INET6: family=""; sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; break; - case AF_UNIX: family="unix_family "; break; + case AF_LOCAL: family="local "; break; default: break; } if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); } dest[sizeof(dest)-1] = 0; port = ntohs(((struct sockaddr_in*)addr)->sin_port); dname_str(zone, namebuf); if(af != AF_INET && af != AF_INET6) verbose(v, "%s <%s> %s%s#%d (addrlen %d)", str, namebuf, family, dest, (int)port, (int)addrlen); else verbose(v, "%s <%s> %s%s#%d", str, namebuf, family, dest, (int)port); } void log_err_addr(const char* str, const char* err, struct sockaddr_storage* addr, socklen_t addrlen) { uint16_t port; char dest[100]; int af = (int)((struct sockaddr_in*)addr)->sin_family; void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; if(af == AF_INET6) sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); } dest[sizeof(dest)-1] = 0; port = ntohs(((struct sockaddr_in*)addr)->sin_port); if(verbosity >= 4) log_err("%s: %s for %s port %d (len %d)", str, err, dest, (int)port, (int)addrlen); else log_err("%s: %s for %s", str, err, dest); } int sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1, struct sockaddr_storage* addr2, socklen_t len2) { struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; if(len1 < len2) return -1; if(len1 > len2) return 1; log_assert(len1 == len2); if( p1_in->sin_family < p2_in->sin_family) return -1; if( p1_in->sin_family > p2_in->sin_family) return 1; log_assert( p1_in->sin_family == p2_in->sin_family ); /* compare ip4 */ if( p1_in->sin_family == AF_INET ) { /* just order it, ntohs not required */ if(p1_in->sin_port < p2_in->sin_port) return -1; if(p1_in->sin_port > p2_in->sin_port) return 1; log_assert(p1_in->sin_port == p2_in->sin_port); return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); } else if (p1_in6->sin6_family == AF_INET6) { /* just order it, ntohs not required */ if(p1_in6->sin6_port < p2_in6->sin6_port) return -1; if(p1_in6->sin6_port > p2_in6->sin6_port) return 1; log_assert(p1_in6->sin6_port == p2_in6->sin6_port); return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, INET6_SIZE); } else { /* eek unknown type, perform this comparison for sanity. */ return memcmp(addr1, addr2, len1); } } int sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1, struct sockaddr_storage* addr2, socklen_t len2) { struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; if(len1 < len2) return -1; if(len1 > len2) return 1; log_assert(len1 == len2); if( p1_in->sin_family < p2_in->sin_family) return -1; if( p1_in->sin_family > p2_in->sin_family) return 1; log_assert( p1_in->sin_family == p2_in->sin_family ); /* compare ip4 */ if( p1_in->sin_family == AF_INET ) { return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); } else if (p1_in6->sin6_family == AF_INET6) { return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, INET6_SIZE); } else { /* eek unknown type, perform this comparison for sanity. */ return memcmp(addr1, addr2, len1); } } int addr_is_ip6(struct sockaddr_storage* addr, socklen_t len) { if(len == (socklen_t)sizeof(struct sockaddr_in6) && ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6) return 1; else return 0; } void addr_mask(struct sockaddr_storage* addr, socklen_t len, int net) { uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe}; int i, max; uint8_t* s; if(addr_is_ip6(addr, len)) { s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; max = 128; } else { s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr; max = 32; } if(net >= max) return; for(i=net/8+1; isin6_addr; s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr; to = 16; } else { s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr; s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr; to = 4; } /* match = bits_in_common(s1, s2, to); */ for(i=0; i min) match = min; return match; } void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen, char* buf, size_t len) { int af = (int)((struct sockaddr_in*)addr)->sin_family; void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; if(addr_is_ip6(addr, addrlen)) sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) { snprintf(buf, len, "(inet_ntop_error)"); } } int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen) { /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */ const uint8_t map_prefix[16] = {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0}; uint8_t* s; if(!addr_is_ip6(addr, addrlen)) return 0; /* s is 16 octet ipv6 address string */ s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; return (memcmp(s, map_prefix, 12) == 0); } int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen) { int af = (int)((struct sockaddr_in*)addr)->sin_family; void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) && memcmp(sinaddr, "\377\377\377\377", 4) == 0; } int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen) { int af = (int)((struct sockaddr_in*)addr)->sin_family; void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr; if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) && memcmp(sinaddr, "\000\000\000\000", 4) == 0) return 1; else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6) && memcmp(sin6addr, "\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000", 16) == 0) return 1; return 0; } void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr, socklen_t len, struct regional* region) { struct sock_list* add = (struct sock_list*)regional_alloc(region, sizeof(*add) - sizeof(add->addr) + (size_t)len); if(!add) { log_err("out of memory in socketlist insert"); return; } log_assert(list); add->next = *list; add->len = len; *list = add; if(len) memmove(&add->addr, addr, len); } void sock_list_prepend(struct sock_list** list, struct sock_list* add) { struct sock_list* last = add; if(!last) return; while(last->next) last = last->next; last->next = *list; *list = add; } int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr, socklen_t len) { while(list) { if(len == list->len) { if(len == 0 || sockaddr_cmp_addr(addr, len, &list->addr, list->len) == 0) return 1; } list = list->next; } return 0; } void sock_list_merge(struct sock_list** list, struct regional* region, struct sock_list* add) { struct sock_list* p; for(p=add; p; p=p->next) { if(!sock_list_find(*list, &p->addr, p->len)) sock_list_insert(list, &p->addr, p->len, region); } } void log_crypto_err(const char* str) { #ifdef HAVE_SSL /* error:[error code]:[library name]:[function name]:[reason string] */ char buf[128]; unsigned long e; ERR_error_string_n(ERR_get_error(), buf, sizeof(buf)); log_err("%s crypto %s", str, buf); while( (e=ERR_get_error()) ) { ERR_error_string_n(e, buf, sizeof(buf)); log_err("and additionally crypto %s", buf); } #else (void)str; #endif /* HAVE_SSL */ } void* listen_sslctx_create(char* key, char* pem, char* verifypem) { #ifdef HAVE_SSL SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); if(!ctx) { log_crypto_err("could not SSL_CTX_new"); return NULL; } /* no SSLv2, SSLv3 because has defects */ if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){ log_crypto_err("could not set SSL_OP_NO_SSLv2"); SSL_CTX_free(ctx); return NULL; } if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){ log_crypto_err("could not set SSL_OP_NO_SSLv3"); SSL_CTX_free(ctx); return NULL; } if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) { log_err("error for cert file: %s", pem); log_crypto_err("error in SSL_CTX use_certificate_file"); SSL_CTX_free(ctx); return NULL; } if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { log_err("error for private key file: %s", key); log_crypto_err("Error in SSL_CTX use_PrivateKey_file"); SSL_CTX_free(ctx); return NULL; } if(!SSL_CTX_check_private_key(ctx)) { log_err("error for key file: %s", key); log_crypto_err("Error in SSL_CTX check_private_key"); SSL_CTX_free(ctx); return NULL; } if(verifypem && verifypem[0]) { if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { log_crypto_err("Error in SSL_CTX verify locations"); SSL_CTX_free(ctx); return NULL; } SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( verifypem)); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); } return ctx; #else (void)key; (void)pem; (void)verifypem; return NULL; #endif } void* connect_sslctx_create(char* key, char* pem, char* verifypem) { #ifdef HAVE_SSL SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method()); if(!ctx) { log_crypto_err("could not allocate SSL_CTX pointer"); return NULL; } if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) { log_crypto_err("could not set SSL_OP_NO_SSLv2"); SSL_CTX_free(ctx); return NULL; } if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) { log_crypto_err("could not set SSL_OP_NO_SSLv3"); SSL_CTX_free(ctx); return NULL; } if(key && key[0]) { if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) { log_err("error in client certificate %s", pem); log_crypto_err("error in certificate file"); SSL_CTX_free(ctx); return NULL; } if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { log_err("error in client private key %s", key); log_crypto_err("error in key file"); SSL_CTX_free(ctx); return NULL; } if(!SSL_CTX_check_private_key(ctx)) { log_err("error in client key %s", key); log_crypto_err("error in SSL_CTX_check_private_key"); SSL_CTX_free(ctx); return NULL; } } if(verifypem && verifypem[0]) { if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { log_crypto_err("error in SSL_CTX verify"); SSL_CTX_free(ctx); return NULL; } SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); } return ctx; #else (void)key; (void)pem; (void)verifypem; return NULL; #endif } void* incoming_ssl_fd(void* sslctx, int fd) { #ifdef HAVE_SSL SSL* ssl = SSL_new((SSL_CTX*)sslctx); if(!ssl) { log_crypto_err("could not SSL_new"); return NULL; } SSL_set_accept_state(ssl); (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); if(!SSL_set_fd(ssl, fd)) { log_crypto_err("could not SSL_set_fd"); SSL_free(ssl); return NULL; } return ssl; #else (void)sslctx; (void)fd; return NULL; #endif } void* outgoing_ssl_fd(void* sslctx, int fd) { #ifdef HAVE_SSL SSL* ssl = SSL_new((SSL_CTX*)sslctx); if(!ssl) { log_crypto_err("could not SSL_new"); return NULL; } SSL_set_connect_state(ssl); (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); if(!SSL_set_fd(ssl, fd)) { log_crypto_err("could not SSL_set_fd"); SSL_free(ssl); return NULL; } return ssl; #else (void)sslctx; (void)fd; return NULL; #endif } #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) /** global lock list for openssl locks */ static lock_basic_t *ub_openssl_locks = NULL; /** callback that gets thread id for openssl */ static unsigned long ub_crypto_id_cb(void) { return (unsigned long)ub_thread_self(); } static void ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file), int ATTR_UNUSED(line)) { if((mode&CRYPTO_LOCK)) { lock_basic_lock(&ub_openssl_locks[type]); } else { lock_basic_unlock(&ub_openssl_locks[type]); } } #endif /* OPENSSL_THREADS */ int ub_openssl_lock_init(void) { #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) int i; ub_openssl_locks = (lock_basic_t*)malloc( sizeof(lock_basic_t)*CRYPTO_num_locks()); if(!ub_openssl_locks) return 0; for(i=0; i