Merge remote-tracking branch 'nlnet/master'

* nlnet/master: (24 commits)
  - Fix NLnetLabs#369: dnstap showing extra responses; for client responses   right from the cache when replying with expired data or   prefetching.
  - Fix NLnetLabs#1035: Potential Bug while parsing port from the "stub-host"   string; also affected forward-zones and remote-control host   directives.
  - For NLnetLabs#1040: adjust error text and disallow negative ports in other   parts of cfg_mark_ports.
  Changelog note for NLnetLabs#1040 - Fix NLnetLabs#1040: fix heap-buffer-overflow issue in function cfg_mark_ports   of file util/config_file.c.
  fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c
  - Fix for crypto related failures to have a better error string.
  - Fix NLnetLabs#1034: DoT forward-zone via unbound-control.
  - Fix that the server does not chown the pidfile.
  - Fix that when the server truncates the pidfile, it does not follow   symbolic links.
  - Fix to add unit test for lruhash space that exercises the routines.
  - Fix comment in lruhash space function.
  - Fix for NLnetLabs#1032, add safeguard to make table space positive.
  - Fix NLnetLabs#1032: The size of subnet_msg_cache calculation mistake cause   memory usage increased beyond expectations.
  - Fix name of unit test for subnet cache response.
  - For NLnetLabs#831: Format text, use exclamation icon and explicit label   names.
  Changelog entry for NLnetLabs#831 - Merge NLnetLabs#831 from Pierre4012: Improve Windows NSIS installer   script (setup.nsi).
  Improve Windows NSIS installer script (setup.nsi) (NLnetLabs#831)
  - Fix localdata and rpz localdata to match CNAME only if no direct   type match is available.
  - Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that   clientip and nsip can give a CNAME.
  - Fix rpz for qtype CNAME after nameserver trigger.
  ...

contrib/rc_d_unbound

@@ -22,4 +22,13 @@ pidfile=${unbound_pidfile:-"/usr/local/etc/unbound/unbound.pid"}
 command_args=${unbound_flags:-"-c /usr/local/etc/unbound/unbound.conf"}
 extra_commands="reload"
 
+if test "$1" = "stop" ; then
+	run_rc_command "$1"
+	ret=$?
+	if test $ret -eq 0; then
+		rm -f "$pidfile"
+	fi
+	exit $ret
+fi
+
 run_rc_command "$1"

contrib/unbound.init

@@ -75,6 +75,7 @@ stop() {
     retval=$?
     echo
     [ $retval -eq 0 ] && rm -f $lockfile
+    [ $retval -eq 0 ] && rm -f $pidfile
     if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
 	umount ${rootdir}/dev/log >/dev/null 2>&1
     fi;

contrib/unbound.init_fedora

@@ -58,6 +58,7 @@ stop() {
     killproc -p $pidfile unbound
     retval=$?
     [ $retval -eq 0 ] && rm -f $lockfile
+    [ $retval -eq 0 ] && rm -f $pidfile
     for mountfile in /dev/log /dev/urandom /etc/localtime /etc/resolv.conf /var/run/unbound
     do
     if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}''${mountfile}'' /proc/mounts; then

contrib/unbound.init_yocto

@@ -75,6 +75,7 @@ stop() {
     retval=$?
     echo
     [ $retval -eq 0 ] && rm -f $lockfile
+    [ $retval -eq 0 ] && rm -f $pidfile
     if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
 	umount ${rootdir}/dev/log >/dev/null 2>&1
     fi;

daemon/remote.c

@@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
 
 static int
 parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
-	int* insecure, int* prime)
+	int* insecure, int* prime, int* tls)
 {
 	char* zonename;
 	char* rest;
@@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
 				*insecure = 1;
 			else if(*args == 'p' && prime)
 				*prime = 1;
+			else if(*args == 't' && tls)
+				*tls = 1;
 			else {
 				(void)ssl_printf(ssl, "error: unknown option %s\n", args);
 				return 0;
@@ -2144,11 +2146,13 @@ static void
 do_forward_add(RES* ssl, struct worker* worker, char* args)
 {
 	struct iter_forwards* fwd = worker->env.fwds;
-	int insecure = 0;
+	int insecure = 0, tls = 0;
 	uint8_t* nm = NULL;
 	struct delegpt* dp = NULL;
-	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
+	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
 		return;
+	if(tls)
+		dp->ssl_upstream = 1;
 	if(insecure && worker->env.anchors) {
 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
 			nm)) {
@@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
 	struct iter_forwards* fwd = worker->env.fwds;
 	int insecure = 0;
 	uint8_t* nm = NULL;
-	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
 		return;
 	if(insecure && worker->env.anchors)
 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
@@ -2189,11 +2193,13 @@ static void
 do_stub_add(RES* ssl, struct worker* worker, char* args)
 {
 	struct iter_forwards* fwd = worker->env.fwds;
-	int insecure = 0, prime = 0;
+	int insecure = 0, prime = 0, tls = 0;
 	uint8_t* nm = NULL;
 	struct delegpt* dp = NULL;
-	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
+	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
 		return;
+	if(tls)
+		dp->ssl_upstream = 1;
 	if(insecure && worker->env.anchors) {
 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
 			nm)) {
@@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
 	struct iter_forwards* fwd = worker->env.fwds;
 	int insecure = 0;
 	uint8_t* nm = NULL;
-	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
 		return;
 	if(insecure && worker->env.anchors)
 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,

daemon/unbound.c

@@ -366,9 +366,8 @@ readpid (const char* file)
 /** write pid to file. 
  * @param pidfile: file name of pid file.
  * @param pid: pid to write to file.
- * @return false on failure
  */
-static int
+static void
 writepid (const char* pidfile, pid_t pid)
 {
 	int fd;
@@ -383,7 +382,7 @@ writepid (const char* pidfile, pid_t pid)
 		, 0644)) == -1) {
 		log_err("cannot open pidfile %s: %s", 
 			pidfile, strerror(errno));
-		return 0;
+		return;
 	}
 	while(count < strlen(pidbuf)) {
 		ssize_t r = write(fd, pidbuf+count, strlen(pidbuf)-count);
@@ -393,17 +392,16 @@ writepid (const char* pidfile, pid_t pid)
 			log_err("cannot write to pidfile %s: %s",
 				pidfile, strerror(errno));
 			close(fd);
-			return 0;
+			return;
 		} else if(r == 0) {
 			log_err("cannot write any bytes to pidfile %s: "
 				"write returns 0 bytes written", pidfile);
 			close(fd);
-			return 0;
+			return;
 		}
 		count += r;
 	}
 	close(fd);
-	return 1;
 }
 
 /**
@@ -545,7 +543,15 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 				cfg, 1);
 		if(!daemon->pidfile)
 			fatal_exit("pidfile alloc: out of memory");
-		checkoldpid(daemon->pidfile, pidinchroot);
+		/* Check old pid if there is no username configured.
+		 * With a username, the assumption is that the privilege
+		 * drop makes a pidfile not removed when the server stopped
+		 * last time. The server does not chown the pidfile for it,
+		 * because that creates privilege escape problems, with the
+		 * pidfile writable by unprivileged users, but used by
+		 * privileged users. */
+		if(cfg->username && cfg->username[0])
+			checkoldpid(daemon->pidfile, pidinchroot);
 	}
 #endif
 
@@ -557,18 +563,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 	/* write new pidfile (while still root, so can be outside chroot) */
 #ifdef HAVE_KILL
 	if(cfg->pidfile && cfg->pidfile[0] && need_pidfile) {
-		if(writepid(daemon->pidfile, getpid())) {
-			if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
-				pidinchroot) {
-#  ifdef HAVE_CHOWN
-				if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
-					verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
-						(unsigned)cfg_uid, (unsigned)cfg_gid,
-						daemon->pidfile, strerror(errno));
-				}
-#  endif /* HAVE_CHOWN */
-			}
-		}
+		writepid(daemon->pidfile, getpid());
 	}
 #else
 	(void)daemon;
@@ -746,7 +741,11 @@ run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode, int need_pi
 	if(daemon->pidfile) {
 		int fd;
 		/* truncate pidfile */
-		fd = open(daemon->pidfile, O_WRONLY | O_TRUNC, 0644);
+		fd = open(daemon->pidfile, O_WRONLY | O_TRUNC
+#ifdef O_NOFOLLOW
+			| O_NOFOLLOW
+#endif
+			, 0644);
 		if(fd != -1)
 			close(fd);
 		/* delete pidfile */

daemon/worker.c

@@ -1943,7 +1943,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	/*
 	 * sending src (client)/dst (local service) addresses over DNSTAP from send_reply code label (when we serviced local zone for ex.)
 	 */
-	if(worker->dtenv.log_client_response_messages) {
+	if(worker->dtenv.log_client_response_messages && rc !=0) {
 		log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr, repinfo->c->socket->addrlen);
 		log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
 		dt_msg_send_client_response(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr, c->type, c->ssl, c->buffer);

doc/Changelog

@@ -1,3 +1,53 @@
+3 April 2024: Wouter
+	- Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports
+	  of file util/config_file.c.
+	- For #1040: adjust error text and disallow negative ports in other
+	  parts of cfg_mark_ports.
+
+3 April 2024: Yorgos
+	- Fix #1035: Potential Bug while parsing port from the "stub-host"
+	  string; also affected forward-zones and remote-control host
+	  directives.
+	- Fix #369: dnstap showing extra responses; for client responses
+	  right from the cache when replying with expired data or
+	  prefetching.
+
+28 March 2024: Wouter
+	- Fix #1034: DoT forward-zone via unbound-control.
+	- Fix for crypto related failures to have a better error string.
+
+27 March 2024: Wouter
+	- Fix name of unit test for subnet cache response.
+	- Fix #1032: The size of subnet_msg_cache calculation mistake cause
+	  memory usage increased beyond expectations.
+	- Fix for #1032, add safeguard to make table space positive.
+	- Fix comment in lruhash space function.
+	- Fix to add unit test for lruhash space that exercises the routines.
+	- Fix that when the server truncates the pidfile, it does not follow
+	  symbolic links.
+	- Fix that the server does not chown the pidfile.
+
+25 March 2024: Yorgos
+	- Merge #831 from Pierre4012: Improve Windows NSIS installer
+	  script (setup.nsi).
+	- For #831: Format text, use exclamation icon and explicit label
+	  names.
+
+19 March 2024: Wouter
+	- Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that
+	  clientip and nsip can give a CNAME.
+	- Fix localdata and rpz localdata to match CNAME only if no direct
+	  type match is available.
+
+18 March 2024: Wouter
+	- Fix that rpz CNAME content is limited to the max number of cnames.
+	- Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets
+	  the reply query_info values, that is better for debug logging.
+	- Fix rpz that copies the cname override completely to the temp
+	  region, so there are no references to the rpz region.
+	- Add rpz unit test for nsip action override.
+	- Fix rpz for qtype CNAME after nameserver trigger.
+
 15 March 2024: Yorgos
 	- Merge #1030: Persist the openssl and expat directories for repeated
 	  Windows builds.

doc/unbound-control.8.in

@@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
 .B insecure_remove \fIzone
 Removes domain\-insecure for the given zone.
 .TP
-.B forward_add \fR[\fI+i\fR] \fIzone addr ...
+.B forward_add \fR[\fI+it\fR] \fIzone addr ...
 Add a new forward zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
 a DNSSEC root trust anchor configured for other names).
 The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
 in unbound.conf.
+The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
 .TP
 .B forward_remove \fR[\fI+i\fR] \fIzone
 Remove a forward zone from running Unbound.  The +i also removes a
 \fIdomain\-insecure\fR for the zone.
 .TP
-.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
+.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
 Add a new stub zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone.  With +p the stub zone is set to prime,
 without it it is set to notprime.  The addr can be IP4, IP6 or nameserver
 names, like the \fIstub-zone\fR config in unbound.conf.
+The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
 .TP
 .B stub_remove \fR[\fI+i\fR] \fIzone
 Remove a stub zone from running Unbound.  The +i also removes a

edns-subnet/subnetmod.c

@@ -310,9 +310,18 @@ delfunc(void *envptr, void *elemptr) {
 static size_t
 sizefunc(void *elemptr) {
 	struct reply_info *elem  = (struct reply_info *)elemptr;
-	return sizeof (struct reply_info) - sizeof (struct rrset_ref)
+	size_t s = sizeof (struct reply_info) - sizeof (struct rrset_ref)
 		+ elem->rrset_count * sizeof (struct rrset_ref)
 		+ elem->rrset_count * sizeof (struct ub_packed_rrset_key *);
+	size_t i;
+	for (i = 0; i < elem->rrset_count; i++) {
+		struct ub_packed_rrset_key *key = elem->rrsets[i];
+		struct packed_rrset_data *data = key->entry.data;
+		s += ub_rrset_sizefunc(key, data);
+	}
+	if(elem->reason_bogus_str)
+		s += strlen(elem->reason_bogus_str)+1;
+	return s;
 }
 
 /**
@@ -352,7 +361,7 @@ update_cache(struct module_qstate *qstate, int id)
 	struct slabhash *subnet_msg_cache = sne->subnet_msg_cache;
 	struct ecs_data *edns = &sq->ecs_client_in;
 	size_t i;
-	int only_match_scope_zero;
+	int only_match_scope_zero, diff_size;
 
 	/* We already calculated hash upon lookup (lookup_and_reply) if we were
 	 * allowed to look in the ECS cache */
@@ -417,14 +426,19 @@ update_cache(struct module_qstate *qstate, int id)
 	if(edns->subnet_source_mask == 0 && edns->subnet_scope_mask == 0)
 		only_match_scope_zero = 1;
 	else only_match_scope_zero = 0;
+	diff_size = (int)tree->size_bytes;
 	addrtree_insert(tree, (addrkey_t*)edns->subnet_addr, 
 		edns->subnet_source_mask, sq->max_scope, rep,
 		rep->ttl, *qstate->env->now, only_match_scope_zero);
+	diff_size = (int)tree->size_bytes - diff_size;
 
 	lock_rw_unlock(&lru_entry->lock);
 	if (need_to_insert) {
 		slabhash_insert(subnet_msg_cache, h, lru_entry, lru_entry->data,
 			NULL);
+	} else {
+		slabhash_update_space_used(subnet_msg_cache, h, NULL,
+			diff_size);
 	}
 }