diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml index 59f3285aa..47cd527a6 100644 --- a/.github/workflows/analysis_ports.yml +++ b/.github/workflows/analysis_ports.yml @@ -181,21 +181,20 @@ jobs: export LEX="win_flex" echo 'YACC="win_bison -y"' export YACC="win_bison -y" - #echo "curl cpanm" - #curl -L -k -s -S -o cpanm https://cpanmin.us/ - #echo "perl cpanm Pod::Usage" - #perl cpanm Pod::Usage mkdir openssl echo "curl openssl" - curl -L -k -s -S -o openssl-1.1.1j.tar.gz https://www.openssl.org/source/openssl-1.1.1j.tar.gz - tar xzf openssl-1.1.1j.tar.gz - cd openssl-1.1.1j + curl -L -k -s -S -o openssl-3.2.0.tar.gz https://www.openssl.org/source/openssl-3.2.0.tar.gz + tar xzf openssl-3.2.0.tar.gz + cd openssl-3.2.0 # remove pod::Usage because we do not need -help or -man output - # from the Configure script - echo "Fixup ./Configure by removing use Pod::Usage require" - sed -e 's/use Pod::Usage//' < Configure > Configure.fix - echo "./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix=\""$prepath/openssl\""" - ./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix="$prepath/openssl" + # from the Configure script, this fixes it for openssl 1.1.1 + #echo "Fixup ./Configure by removing use Pod::Usage require" + #sed -e 's/use Pod::Usage//' < Configure > Configure.fix + # ./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix="$prepath/openssl" + # pacman is used to install for msys2, with + # C:/msys64/usr/bin/pacman -S perl + echo "C:/msys64/usr/bin/perl ./Configure no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix=\""$prepath/openssl"\" PERL=\"C:/msys64/usr/bin/perl\"" + C:/msys64/usr/bin/perl ./Configure no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix="$prepath/openssl" PERL="C:/msys64/usr/bin/perl" # make the libs only, build faster echo "make build_libs" #make diff --git a/acx_nlnetlabs.m4 b/acx_nlnetlabs.m4 index f27615bd8..6a01dc5a4 100644 --- a/acx_nlnetlabs.m4 +++ b/acx_nlnetlabs.m4 @@ -2,7 +2,10 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 46 +# Version 48 +# 2024-01-16 fix to add -l:libssp.a to -lcrypto link check. +# and check for getaddrinfo with only header. +# 2024-01-15 fix to add crypt32 to -lcrypto link check when checking for gdi32. # 2023-05-04 fix to remove unused whitespace. # 2023-01-26 fix -Wstrict-prototypes. # 2022-09-01 fix checking if nonblocking sockets work on OpenBSD. @@ -707,7 +710,7 @@ AC_DEFUN([ACX_SSL_CHECKS], [ LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib" ACX_RUNTIME_PATH_ADD([$ssldir_lib]) fi - + AC_MSG_CHECKING([for EVP_sha256 in -lcrypto]) LIBS="$LIBS -lcrypto" LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto" @@ -732,40 +735,73 @@ AC_DEFUN([ACX_SSL_CHECKS], [ ]])],[ AC_DEFINE([HAVE_EVP_SHA256], 1, [If you have EVP_sha256]) - AC_MSG_RESULT(yes) + AC_MSG_RESULT(yes) ],[ AC_MSG_RESULT(no) LIBS="$BAKLIBS" LIBSSL_LIBS="$BAKSSLLIBS" - LIBS="$LIBS -ldl" - LIBSSL_LIBS="$LIBSSL_LIBS -ldl" - AC_MSG_CHECKING([if -lcrypto needs -ldl]) - AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ - int EVP_sha256(void); - (void)EVP_sha256(); - ]])],[ - AC_DEFINE([HAVE_EVP_SHA256], 1, - [If you have EVP_sha256]) - AC_MSG_RESULT(yes) - ],[ - AC_MSG_RESULT(no) - LIBS="$BAKLIBS" - LIBSSL_LIBS="$BAKSSLLIBS" - LIBS="$LIBS -ldl -pthread" - LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread" - AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread]) - AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ - int EVP_sha256(void); - (void)EVP_sha256(); - ]])],[ - AC_DEFINE([HAVE_EVP_SHA256], 1, - [If you have EVP_sha256]) - AC_MSG_RESULT(yes) - ],[ - AC_MSG_RESULT(no) - AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) + + LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32" + LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32" + AC_MSG_CHECKING([if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ + int EVP_sha256(void); + (void)EVP_sha256(); + ]])],[ + AC_DEFINE([HAVE_EVP_SHA256], 1, + [If you have EVP_sha256]) + AC_MSG_RESULT(yes) + ],[ + AC_MSG_RESULT(no) + LIBS="$BAKLIBS" + LIBSSL_LIBS="$BAKSSLLIBS" + + LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a" + LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a" + AC_MSG_CHECKING([if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ + int EVP_sha256(void); + (void)EVP_sha256(); + ]])],[ + AC_DEFINE([HAVE_EVP_SHA256], 1, + [If you have EVP_sha256]) + AC_MSG_RESULT(yes) + ],[ + AC_MSG_RESULT(no) + LIBS="$BAKLIBS" + LIBSSL_LIBS="$BAKSSLLIBS" + + LIBS="$LIBS -ldl" + LIBSSL_LIBS="$LIBSSL_LIBS -ldl" + AC_MSG_CHECKING([if -lcrypto needs -ldl]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ + int EVP_sha256(void); + (void)EVP_sha256(); + ]])],[ + AC_DEFINE([HAVE_EVP_SHA256], 1, + [If you have EVP_sha256]) + AC_MSG_RESULT(yes) + ],[ + AC_MSG_RESULT(no) + LIBS="$BAKLIBS" + LIBSSL_LIBS="$BAKSSLLIBS" + LIBS="$LIBS -ldl -pthread" + LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread" + AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ + int EVP_sha256(void); + (void)EVP_sha256(); + ]])],[ + AC_DEFINE([HAVE_EVP_SHA256], 1, + [If you have EVP_sha256]) + AC_MSG_RESULT(yes) + ],[ + AC_MSG_RESULT(no) + AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) + ]) + ]) ]) - ]) + ]) ]) ]) fi @@ -779,7 +815,7 @@ AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT]) dnl Check for SSL, where SSL is mandatory dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found -dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS. +dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS. dnl Checks main header files of SSL. dnl AC_DEFUN([ACX_WITH_SSL], @@ -872,7 +908,7 @@ dnl see if on windows if test "$ac_cv_header_windows_h" = "yes"; then AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used]) USE_WINSOCK="1" - if echo $LIBS | grep 'lws2_32' >/dev/null; then + if echo "$LIBS" | grep 'lws2_32' >/dev/null; then : else LIBS="$LIBS -lws2_32" @@ -880,6 +916,24 @@ if test "$ac_cv_header_windows_h" = "yes"; then fi ], dnl no quick getaddrinfo, try mingw32 and winsock2 library. +dnl perhaps getaddrinfo needs only the include +AC_LINK_IFELSE( +[AC_LANG_PROGRAM( +[ +#ifdef HAVE_WS2TCPIP_H +#include +#endif +], +[ + (void)getaddrinfo(NULL, NULL, NULL, NULL); +] +)], +[ +ac_cv_func_getaddrinfo="yes" +AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used]) +USE_WINSOCK="1" +], + ORIGLIBS="$LIBS" LIBS="$LIBS -lws2_32" AC_LINK_IFELSE( @@ -904,6 +958,7 @@ ac_cv_func_getaddrinfo="no" LIBS="$ORIGLIBS" ]) ) +) AC_MSG_RESULT($ac_cv_func_getaddrinfo) if test $ac_cv_func_getaddrinfo = yes; then diff --git a/configure b/configure index c87c669c8..1f07417ec 100755 --- a/configure +++ b/configure @@ -18104,19 +18104,86 @@ else $as_echo "no" >&6; } LIBS="$BAKLIBS" LIBSSL_LIBS="$BAKSSLLIBS" - LIBS="$LIBS -ldl" - LIBSSL_LIBS="$LIBSSL_LIBS -ldl" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl" >&5 + + LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32" + LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32" >&5 +$as_echo_n "checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + int EVP_sha256(void); + (void)EVP_sha256(); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + +$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LIBS="$BAKLIBS" + LIBSSL_LIBS="$BAKSSLLIBS" + + LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a" + LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a" >&5 +$as_echo_n "checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + int EVP_sha256(void); + (void)EVP_sha256(); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + +$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LIBS="$BAKLIBS" + LIBSSL_LIBS="$BAKSSLLIBS" + + LIBS="$LIBS -ldl" + LIBSSL_LIBS="$LIBSSL_LIBS -ldl" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl" >&5 $as_echo_n "checking if -lcrypto needs -ldl... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { - int EVP_sha256(void); - (void)EVP_sha256(); + int EVP_sha256(void); + (void)EVP_sha256(); ; return 0; @@ -18127,28 +18194,28 @@ if ac_fn_c_try_link "$LINENO"; then : $as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - LIBS="$BAKLIBS" - LIBSSL_LIBS="$BAKSSLLIBS" - LIBS="$LIBS -ldl -pthread" - LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl -pthread" >&5 + LIBS="$BAKLIBS" + LIBSSL_LIBS="$BAKSSLLIBS" + LIBS="$LIBS -ldl -pthread" + LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl -pthread" >&5 $as_echo_n "checking if -lcrypto needs -ldl -pthread... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { - int EVP_sha256(void); - (void)EVP_sha256(); + int EVP_sha256(void); + (void)EVP_sha256(); ; return 0; @@ -18159,14 +18226,22 @@ if ac_fn_c_try_link "$LINENO"; then : $as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5 + as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5 + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext \ @@ -19847,7 +19922,7 @@ if test x_$enable_static_exe = x_yes; then if test "$on_mingw" = yes; then staticexe="-all-static" # for static compile, include gdi32 and zlib here. - if echo $LIBS | grep 'lgdi32' >/dev/null; then + if echo "$LIBS" | grep 'lgdi32' >/dev/null; then : else LIBS="$LIBS -lgdi32" @@ -19892,7 +19967,11 @@ if test "x$ac_cv_lib_z_compress" = xyes; then : LIBS="$LIBS -lz" fi - LIBS="$LIBS -l:libssp.a" + if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then + : + else + LIBS="$LIBS -l:libssp.a" + fi fi fi @@ -19951,7 +20030,11 @@ if test "x$ac_cv_lib_z_compress" = xyes; then : LIBS="$LIBS -lz" fi - LIBS="$LIBS -l:libssp.a" + if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then + : + else + LIBS="$LIBS -l:libssp.a" + fi fi fi @@ -19998,13 +20081,40 @@ if test "$ac_cv_header_windows_h" = "yes"; then $as_echo "#define USE_WINSOCK 1" >>confdefs.h USE_WINSOCK="1" - if echo $LIBS | grep 'lws2_32' >/dev/null; then + if echo "$LIBS" | grep 'lws2_32' >/dev/null; then : else LIBS="$LIBS -lws2_32" fi fi +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#ifdef HAVE_WS2TCPIP_H +#include +#endif + +int +main () +{ + + (void)getaddrinfo(NULL, NULL, NULL, NULL); + + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + +ac_cv_func_getaddrinfo="yes" + +$as_echo "#define USE_WINSOCK 1" >>confdefs.h + +USE_WINSOCK="1" + else ORIGLIBS="$LIBS" LIBS="$LIBS -lws2_32" @@ -20047,6 +20157,10 @@ fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_getaddrinfo" >&5 $as_echo "$ac_cv_func_getaddrinfo" >&6; } if test $ac_cv_func_getaddrinfo = yes; then @@ -20166,7 +20280,11 @@ else WINDRES="$ac_cv_prog_WINDRES" fi - LIBS="$LIBS -liphlpapi -lcrypt32" + if echo "$LIBS" | grep crypt32 >/dev/null; then + LIBS="$LIBS -liphlpapi" + else + LIBS="$LIBS -liphlpapi -lcrypt32" + fi WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe" WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c" diff --git a/configure.ac b/configure.ac index 70fc7e7fd..d4a13e6d6 100644 --- a/configure.ac +++ b/configure.ac @@ -1526,13 +1526,17 @@ if test x_$enable_static_exe = x_yes; then if test "$on_mingw" = yes; then staticexe="-all-static" # for static compile, include gdi32 and zlib here. - if echo $LIBS | grep 'lgdi32' >/dev/null; then + if echo "$LIBS" | grep 'lgdi32' >/dev/null; then : else LIBS="$LIBS -lgdi32" fi AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ]) - LIBS="$LIBS -l:libssp.a" + if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then + : + else + LIBS="$LIBS -l:libssp.a" + fi fi fi @@ -1549,7 +1553,11 @@ if test x_$enable_fully_static = x_yes; then LIBS="$LIBS -lgdi32" fi AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ]) - LIBS="$LIBS -l:libssp.a" + if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then + : + else + LIBS="$LIBS -l:libssp.a" + fi fi fi @@ -1569,7 +1577,11 @@ if test "$USE_WINSOCK" = 1; then #include ]) AC_CHECK_TOOL(WINDRES, windres) - LIBS="$LIBS -liphlpapi -lcrypt32" + if echo "$LIBS" | grep crypt32 >/dev/null; then + LIBS="$LIBS -liphlpapi" + else + LIBS="$LIBS -liphlpapi -lcrypt32" + fi WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe" AC_SUBST(WINAPPS) WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c" diff --git a/doc/Changelog b/doc/Changelog index 40061853b..6721ed5e6 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,27 @@ +23 January 2024: Yorgos + - Update message TTL when using cached RRSETs. It could result in + non-expired messages with expired RRSETs (non-usable messages by + Unbound). + +22 January 2024: Yorgos + - Update error printout for duplicate trust anchors to include the + trust anchor name (relates to #920). + +22 January 2024: Wouter + - Fix for #997: Print details for SSL certificate failure. + +17 January 2024: Wouter + - Update workflow for ports to use newer openssl on windows compile. + - Fix warning for windres on resource files due to redefinition. + +16 January 2024: Wouter + - Fix to link with libssp for libcrypto and getaddrinfo check for + only header. Also update crosscompile to remove ssp for 32bit. + - Merge #993: Update b.root-servers.net also in example config file. + +15 January 2024: Wouter + - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. + 9 January 2024: Wouter - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records. diff --git a/doc/example.conf.in b/doc/example.conf.in index 4085b8616..1ac155b7c 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1169,7 +1169,7 @@ remote-control: # sources of notifies. # auth-zone: # name: "." -# primary: 199.9.14.201 # b.root-servers.net +# primary: 170.247.170.2 # b.root-servers.net # primary: 192.33.4.12 # c.root-servers.net # primary: 199.7.91.13 # d.root-servers.net # primary: 192.5.5.241 # f.root-servers.net @@ -1177,7 +1177,7 @@ remote-control: # primary: 193.0.14.129 # k.root-servers.net # primary: 192.0.47.132 # xfr.cjr.dns.icann.org # primary: 192.0.32.132 # xfr.lax.dns.icann.org -# primary: 2001:500:200::b # b.root-servers.net +# primary: 2801:1b8:10::b # b.root-servers.net # primary: 2001:500:2::c # c.root-servers.net # primary: 2001:500:2d::d # d.root-servers.net # primary: 2001:500:2f::f # f.root-servers.net diff --git a/makedist.sh b/makedist.sh index 84f16d4ea..c86b3b655 100755 --- a/makedist.sh +++ b/makedist.sh @@ -267,10 +267,10 @@ if [ "$DOWIN" = "yes" ]; then # cross-compilation and it is not used anyway # before 1.0.1i need --cross-compile-prefix=i686-w64-mingw32- if test "$mw64" = "mingw64"; then - sslflags="no-asm -DOPENSSL_NO_CAPIENG mingw64" + sslflags="no-asm no-tests -DOPENSSL_NO_CAPIENG mingw64" sspdll="/usr/x86_64-w64-mingw32/sys-root/mingw/bin/libssp-0.dll" else - sslflags="no-asm -DOPENSSL_NO_CAPIENG mingw" + sslflags="no-asm no-tests -DOPENSSL_NO_CAPIENG mingw" sspdll="/usr/i686-w64-mingw32/sys-root/mingw/bin/libssp-0.dll" fi if test -f "$sspdll"; then @@ -282,9 +282,18 @@ if [ "$DOWIN" = "yes" ]; then SSPLIB="" fi info "winssl: Configure no-shared $sslflags" - set -x # echo the configure command - __CNF_LDLIBS=$SSPLIB CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslinstall" no-shared $sslflags || error_cleanup "OpenSSL Configure failed" - set +x + if test "$W64" = "no"; then + # Disable stack-protector for 32-bit windows builds. + # mingw passes an LDFLAGS, so there is something + # passed in the LDFLAGS to stop -lssp passed in it. + set -x # echo the configure command + __CNF_LDLIBS=$SSPLIB __CNF_LDFLAGS="-fno-stack-protector" CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslinstall" no-shared $sslflags || error_cleanup "OpenSSL Configure failed" + set +x + else + set -x # echo the configure command + __CNF_LDLIBS=$SSPLIB CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslinstall" no-shared $sslflags || error_cleanup "OpenSSL Configure failed" + set +x + fi info "winssl: make" make $MINJ || error_cleanup "OpenSSL crosscompile failed" # only install sw not docs, which take a long time. @@ -297,9 +306,15 @@ if [ "$DOWIN" = "yes" ]; then sslsharedinstall="`pwd`/sslsharedinstall" cd openssl_shared info "winssl: Configure shared $sslflags" - set -x # echo the configure command - __CNF_LDLIBS=$SSPLIB CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslsharedinstall" shared $sslflags || error_cleanup "OpenSSL Configure failed" - set +x + if test "$W64" = "no"; then + set -x # echo the configure command + __CNF_LDLIBS=$SSPLIB __CNF_LDFLAGS="-fno-stack-protector" CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslsharedinstall" shared $sslflags || error_cleanup "OpenSSL Configure failed" + set +x + else + set -x # echo the configure command + __CNF_LDLIBS=$SSPLIB CC=${warch}-w64-mingw32-gcc AR=${warch}-w64-mingw32-ar RANLIB=${warch}-w64-mingw32-ranlib WINDRES=${warch}-w64-mingw32-windres ./Configure --prefix="$sslsharedinstall" shared $sslflags || error_cleanup "OpenSSL Configure failed" + set +x + fi info "winssl: make" make $MINJ || error_cleanup "OpenSSL crosscompile failed" info "winssl: make install_sw" @@ -315,7 +330,16 @@ if [ "$DOWIN" = "yes" ]; then wxpinstall="`pwd`/wxpinstall" cd expat-* || error_cleanup "no expat-X dir in tarball" info "wxp: configure" - $configure --prefix="$wxpinstall" --exec-prefix="$wxpinstall" --bindir="$wxpinstall/bin" --includedir="$wxpinstall/include" --mandir="$wxpinstall/man" --libdir="$wxpinstall/lib" || error_cleanup "libexpat configure failed" + if test "$W64" = "no"; then + # Disable stack-protector for 32-bit windows builds. + set -x # echo the configure command + $configure --prefix="$wxpinstall" --exec-prefix="$wxpinstall" --bindir="$wxpinstall/bin" --includedir="$wxpinstall/include" --mandir="$wxpinstall/man" --libdir="$wxpinstall/lib" LDFLAGS="-fno-stack-protector" || error_cleanup "libexpat configure failed" + set +x + else + set -x # echo the configure command + $configure --prefix="$wxpinstall" --exec-prefix="$wxpinstall" --bindir="$wxpinstall/bin" --includedir="$wxpinstall/include" --mandir="$wxpinstall/man" --libdir="$wxpinstall/lib" || error_cleanup "libexpat configure failed" + set +x + fi info "wxp: make" make $MINJ || error_cleanup "libexpat crosscompile failed" info "wxp: make install" @@ -379,8 +403,8 @@ if [ "$DOWIN" = "yes" ]; then fi if test "$W64" = "no"; then # Disable stack-protector for 32-bit windows builds. - echo "$configure"' --enable-debug --enable-static-exe --disable-flto --disable-gost '"$* $cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' - $configure --enable-debug --enable-static-exe --disable-flto --disable-gost $* $cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\ + echo "$configure"' --enable-debug --enable-static-exe --disable-flto --disable-gost '"$* $cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' LDFLAGS="-fno-stack-protector" + $configure --enable-debug --enable-static-exe --disable-flto --disable-gost $* $cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' LDFLAGS="-fno-stack-protector" \ || error_cleanup "Could not configure" else echo "$configure"' --enable-debug --enable-static-exe --disable-flto --disable-gost '"$* $cross_flag" @@ -396,8 +420,8 @@ if [ "$DOWIN" = "yes" ]; then cd ../unbound_shared if test "$W64" = "no"; then # Disable stack-protector for 32-bit windows builds. - echo "$configure"' --enable-debug --disable-flto --disable-gost '"$* $shared_cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' - $configure --enable-debug --disable-flto --disable-gost $* $shared_cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector'\ + echo "$configure"' --enable-debug --disable-flto --disable-gost '"$* $shared_cross_flag" "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' LDFLAGS="-fno-stack-protector" + $configure --enable-debug --disable-flto --disable-gost $* $shared_cross_flag "$file_flag" "$file2_flag" "$file3_flag" CFLAGS='-O2 -g -fno-stack-protector' LDFLAGS="-fno-stack-protector" \ || error_cleanup "Could not configure" else echo "$configure"' --enable-debug --disable-flto --disable-gost '"$* $shared_cross_flag" diff --git a/services/cache/dns.c b/services/cache/dns.c index fa57697a4..5bd0f423f 100644 --- a/services/cache/dns.c +++ b/services/cache/dns.c @@ -80,6 +80,7 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now, struct regional* region, time_t qstarttime) { size_t i; + time_t ttl, min_ttl = rep->ttl; /* see if rrset already exists in cache, if not insert it. */ for(i=0; irrset_count; i++) { rep->ref[i].key = rep->rrsets[i]; @@ -112,6 +113,15 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now, case 1: /* ref updated, item inserted */ rep->rrsets[i] = rep->ref[i].key; } + /* if ref was updated make sure the message ttl is updated to + * the minimum of the current rrsets. */ + ttl = ((struct packed_rrset_data*)rep->rrsets[i]->entry.data)->ttl; + if(ttl < min_ttl) min_ttl = ttl; + } + if(min_ttl < rep->ttl) { + rep->ttl = min_ttl; + rep->prefetch_ttl = PREFETCH_TTL_CALC(rep->ttl); + rep->serve_expired_ttl = rep->ttl + SERVE_EXPIRED_TTL; } } diff --git a/testdata/rrset_use_cached.rpl b/testdata/rrset_use_cached.rpl new file mode 100644 index 000000000..8420ae02a --- /dev/null +++ b/testdata/rrset_use_cached.rpl @@ -0,0 +1,151 @@ +server: + minimal-responses: no + serve-expired: yes + # The value does not matter, we will not simulate delay. + # We do not want only serve-expired because fetches from that + # apply a generous PREFETCH_LEEWAY. + serve-expired-client-timeout: 1000 + # So that we can only have to give one SERVFAIL answer. + outbound-msg-retry: 0 + +forward-zone: name: "." forward-addr: 216.0.0.1 +CONFIG_END + +SCENARIO_BEGIN RRset from cache updates the message TTL. + +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + www.example.com. IN A +ENTRY_END +; the query is sent to the forwarder - no cache yet. +STEP 2 CHECK_OUT_QUERY +ENTRY_BEGIN + MATCH qname qtype opcode + SECTION QUESTION + www.example.com. IN A +ENTRY_END +STEP 3 REPLY +ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + ; authoritative answer + REPLY QR AA RD RA NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 5 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 10.20.30.50 +ENTRY_END +STEP 4 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 5 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 10.20.30.50 +ENTRY_END + +; Wait for the A RRSET to expire. +STEP 5 TIME_PASSES ELAPSE 6 + +STEP 6 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + www.example.com. IN A +ENTRY_END +; expired answer will not be served due to serve-expired-client-timeout. +STEP 7 CHECK_OUT_QUERY +ENTRY_BEGIN + MATCH qname qtype opcode + SECTION QUESTION + www.example.com. IN A +ENTRY_END +STEP 8 REPLY +ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + ; authoritative answer + REPLY QR AA RD RA NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 5 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 10.20.30.50 +ENTRY_END +; The cached NS related RRSETs will not be overwritten by the fresh answer. +; The message should have a TTL of 4 instead of 5 from above. +STEP 9 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 5 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. 4 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 4 IN A 10.20.30.50 +ENTRY_END + +; Wait for the NS RRSETs to expire. +STEP 10 TIME_PASSES ELAPSE 5 + +STEP 11 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + www.example.com. IN A +ENTRY_END +; The message should be expired, again no expired answer at this point due to +; serve-expired-client-timeout. +STEP 12 CHECK_OUT_QUERY +ENTRY_BEGIN + MATCH qname qtype opcode + SECTION QUESTION + www.example.com. IN A +ENTRY_END +STEP 13 REPLY +ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR RD RA SERVFAIL + SECTION QUESTION + www.example.com. IN A +ENTRY_END +; The SERVFAIL will trigger the serve-expired-client-timeout logic to try and +; replace the SERVFAIL with a possible cached (expired) answer. +; The A RRSET would be at 0TTL left (not expired) but the message should have +; been updated to use a TTL of 4 so expired by now. +; If the message TTL was not updated (bug), this message would be treated as +; non-expired and the now expired NS related RRSETs would fail sanity checks +; for non-expired messages. The result would be SERVFAIL here. +STEP 14 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 0 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. 30 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 30 IN A 10.20.30.50 +ENTRY_END + +SCENARIO_END diff --git a/util/netevent.c b/util/netevent.c index 1750a3192..1fc8c6b86 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -1672,8 +1672,13 @@ ssl_handshake(struct comm_point* c) } else { unsigned long err = ERR_get_error(); if(!squelch_err_ssl_handshake(err)) { + long vr; log_crypto_err_io_code("ssl handshake failed", want, err); + if((vr=SSL_get_verify_result(c->ssl)) != 0) + log_err("ssl handshake cert error: %s", + X509_verify_cert_error_string( + vr)); log_addr(VERB_OPS, "ssl handshake failed", &c->repinfo.remote_addr, c->repinfo.remote_addrlen); diff --git a/validator/autotrust.c b/validator/autotrust.c index 3011a0ace..3eb13b35c 100644 --- a/validator/autotrust.c +++ b/validator/autotrust.c @@ -353,17 +353,21 @@ autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len, lock_basic_lock(&anchors->lock); if(!rbtree_insert(anchors->tree, &tp->node)) { + char buf[LDNS_MAX_DOMAINLEN+1]; lock_basic_unlock(&anchors->lock); - log_err("trust anchor presented twice"); + dname_str(tp->name, buf); + log_err("trust anchor for '%s' presented twice", buf); free(tp->name); free(tp->autr); free(tp); return NULL; } if(!rbtree_insert(&anchors->autr->probe, &tp->autr->pnode)) { + char buf[LDNS_MAX_DOMAINLEN+1]; (void)rbtree_delete(anchors->tree, tp); lock_basic_unlock(&anchors->lock); - log_err("trust anchor in probetree twice"); + dname_str(tp->name, buf); + log_err("trust anchor for '%s' in probetree twice", buf); free(tp->name); free(tp->autr); free(tp); diff --git a/winrc/rsrc_anchorupd.rc b/winrc/rsrc_anchorupd.rc index 2419bfad5..ac5167866 100644 --- a/winrc/rsrc_anchorupd.rc +++ b/winrc/rsrc_anchorupd.rc @@ -1,8 +1,8 @@ /* Unbound resource file for windows. For use with windres */ -#include "winver.h" #include "config.h" +#include "winver.h" 1 ICON "winrc/combined.ico" diff --git a/winrc/rsrc_svcinst.rc b/winrc/rsrc_svcinst.rc index cb325f4c4..0ed113695 100644 --- a/winrc/rsrc_svcinst.rc +++ b/winrc/rsrc_svcinst.rc @@ -1,8 +1,8 @@ /* Unbound resource file for windows. For use with windres */ -#include "winver.h" #include "config.h" +#include "winver.h" 1 ICON "winrc/combined.ico" diff --git a/winrc/rsrc_svcuninst.rc b/winrc/rsrc_svcuninst.rc index ecff8dcd3..86bed5e89 100644 --- a/winrc/rsrc_svcuninst.rc +++ b/winrc/rsrc_svcuninst.rc @@ -1,8 +1,8 @@ /* Unbound resource file for windows. For use with windres */ -#include "winver.h" #include "config.h" +#include "winver.h" 1 ICON "winrc/combined.ico" diff --git a/winrc/rsrc_unbound.rc b/winrc/rsrc_unbound.rc index cc05d0eeb..d6db15eeb 100644 --- a/winrc/rsrc_unbound.rc +++ b/winrc/rsrc_unbound.rc @@ -1,8 +1,8 @@ /* Unbound resource file for windows. For use with windres */ -#include "winver.h" #include "config.h" +#include "winver.h" 1 ICON "winrc/combined.ico" /* diff --git a/winrc/rsrc_unbound_anchor.rc b/winrc/rsrc_unbound_anchor.rc index 76b96b785..2550dd051 100644 --- a/winrc/rsrc_unbound_anchor.rc +++ b/winrc/rsrc_unbound_anchor.rc @@ -1,8 +1,8 @@ /* Unbound resource file for windows. For use with windres */ -#include "winver.h" #include "config.h" +#include "winver.h" 1 ICON "winrc/combined.ico" diff --git a/winrc/rsrc_unbound_checkconf.rc b/winrc/rsrc_unbound_checkconf.rc index de61900bf..d974d9602 100644 --- a/winrc/rsrc_unbound_checkconf.rc +++ b/winrc/rsrc_unbound_checkconf.rc @@ -1,8 +1,8 @@ /* Unbound resource file for windows. For use with windres */ -#include "winver.h" #include "config.h" +#include "winver.h" 1 ICON "winrc/combined.ico" diff --git a/winrc/rsrc_unbound_control.rc b/winrc/rsrc_unbound_control.rc index f9e1245db..5360c06be 100644 --- a/winrc/rsrc_unbound_control.rc +++ b/winrc/rsrc_unbound_control.rc @@ -1,8 +1,8 @@ /* Unbound resource file for windows. For use with windres */ -#include "winver.h" #include "config.h" +#include "winver.h" 1 ICON "winrc/combined.ico" diff --git a/winrc/rsrc_unbound_host.rc b/winrc/rsrc_unbound_host.rc index d00f95cf4..ace601049 100644 --- a/winrc/rsrc_unbound_host.rc +++ b/winrc/rsrc_unbound_host.rc @@ -1,8 +1,8 @@ /* Unbound resource file for windows. For use with windres */ -#include "winver.h" #include "config.h" +#include "winver.h" 1 ICON "winrc/combined.ico"