SecBSD/src
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sync with OpenBSD -current

Browse Source
This commit is contained in:
purplerain 2024-04-14 02:31:08 +00:00
parent 137d408ac1
commit e0d126d03b
Signed by: purplerain
GPG Key ID: F42C07F07E2E35B7
143 changed files with 5355 additions and 3727 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
lib/libcrypto/dsa/dsa_ameth.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dsa_ameth.c,v 1.57 2024/01/04 17:01:26 tb Exp $ */
/* $OpenBSD: dsa_ameth.c,v 1.59 2024/04/13 14:02:51 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -71,6 +71,7 @@
#include "bn_local.h"
#include "dsa_local.h"
#include "evp_local.h"
#include "x509_local.h"
static int
dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
@ -634,11 +635,11 @@ dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
hnid = OBJ_obj2nid(alg1->algorithm);
if (hnid == NID_undef)
return -1;
if (!OBJ_find_sigid_by_algs(&snid, hnid,
EVP_PKEY_id(pkey)))
if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
return -1;
if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
NULL))
return -1;
X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF,
0);
}
return 1;
@ -656,7 +657,9 @@ dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
return -1;
if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
return -1;
X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
NULL))
return -1;
}
return 1;

11
lib/libcrypto/ec/ec_ameth.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ec_ameth.c,v 1.51 2024/01/04 17:01:26 tb Exp $ */
/* $OpenBSD: ec_ameth.c,v 1.52 2024/04/13 14:02:51 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -69,6 +69,7 @@
#include "asn1_local.h"
#include "ec_local.h"
#include "evp_local.h"
#include "x509_local.h"
#ifndef OPENSSL_NO_CMS
static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
@ -637,7 +638,9 @@ ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
return -1;
if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
return -1;
X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
NULL))
return -1;
}
return 1;
@ -655,7 +658,9 @@ ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
return -1;
if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
return -1;
X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
NULL))
return -1;
}
return 1;

8
sbin/iked/iked.conf.5
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: iked.conf.5,v 1.95 2022/07/22 20:31:39 jmc Exp $
.\" $OpenBSD: iked.conf.5,v 1.96 2024/04/13 12:11:08 jmc Exp $
.\"
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: July 22 2022 $
.Dd $Mdocdate: April 13 2024 $
.Dt IKED.CONF 5
.Os
.Sh NAME
@ -663,6 +663,10 @@ Use ECDSA with a 521-bit elliptic curve key and SHA2-512 for authentication.
Use a pre-shared key
.Ar string
or hex value (starting with 0x) for authentication.
.It Ic psk file Ar path
Use a pre-shared hex key (without leading 0x) read from
.Ar path
for authentication.
.It Ic rfc7427
Only use RFC 7427 signatures for authentication.
RFC 7427 signatures currently only support SHA2-256 as the hash.

6
sbin/iked/parse.y
View File

@ -1,4 +1,4 @@
/* $OpenBSD: parse.y,v 1.144 2023/08/11 11:24:55 tobhe Exp $ */
/* $OpenBSD: parse.y,v 1.145 2024/04/13 15:58:10 jrick Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@ -1950,8 +1950,8 @@ parsekeyfile(char *filename, struct iked_auth *auth)
if ((fd = open(filename, O_RDONLY)) == -1)
err(1, "open %s", filename);
if (fstat(fd, &sb) == -1)
err(1, "parsekeyfile: stat %s", filename);
if (check_file_secrecy(fd, filename) == -1)
exit(1);
if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
"small");

11
sbin/unwind/libunbound/config.h
View File

@ -329,9 +329,6 @@
/* Define to 1 if you have the `if_nametoindex' function. */
#define HAVE_IF_NAMETOINDEX 1
/* Define to 1 if you have the `if_nametoindex' function. */
#define HAVE_IF_NAMETOINDEX 1
/* Define to 1 if you have the `inet_aton' function. */
#define HAVE_INET_ATON 1
@ -776,7 +773,7 @@
#define PACKAGE_NAME "unbound"
/* Define to the full name and version of this package. */
#define PACKAGE_STRING "unbound 1.18.0"
#define PACKAGE_STRING "unbound 1.19.3"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "unbound"
@ -785,7 +782,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
#define PACKAGE_VERSION "1.18.0"
#define PACKAGE_VERSION "1.19.3"
/* default pidfile location */
#define PIDFILE ""
@ -808,7 +805,7 @@
#define ROOT_CERT_FILE "/var/unbound/etc/icannbundle.pem"
/* version number for resource files */
#define RSRC_PACKAGE_VERSION 1,18,0,0
#define RSRC_PACKAGE_VERSION 1,19,3,0
/* Directory to chdir to */
#define RUN_DIR "/var/unbound/etc"
@ -889,7 +886,7 @@
/* #undef USE_ED448 */
/* Define this to enable GOST support. */
#define USE_GOST 1
/* #undef USE_GOST */
/* Define to 1 to use ipsecmod support. */
/* #undef USE_IPSECMOD */

97
sbin/unwind/libunbound/dns64/dns64.c
View File

@ -573,28 +573,29 @@ static enum module_ext_state
handle_event_pass(struct module_qstate* qstate, int id)
{
struct dns64_qstate* iq = (struct dns64_qstate*)qstate->minfo[id];
if (iq && iq->state == DNS64_NEW_QUERY
&& qstate->qinfo.qtype == LDNS_RR_TYPE_PTR
&& qstate->qinfo.qname_len == 74
&& !strcmp((char*)&qstate->qinfo.qname[64], "\03ip6\04arpa"))
/* Handle PTR queries for IPv6 addresses. */
return handle_ipv6_ptr(qstate, id);
int synth_all_cfg = qstate->env->cfg->dns64_synthall;
int synth_qname = 0;
if (qstate->env->cfg->dns64_synthall &&
iq && iq->state == DNS64_NEW_QUERY
&& qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA)
return generate_type_A_query(qstate, id);
if(iq && iq->state == DNS64_NEW_QUERY
&& qstate->qinfo.qtype == LDNS_RR_TYPE_PTR
&& qstate->qinfo.qname_len == 74
&& !strcmp((char*)&qstate->qinfo.qname[64], "\03ip6\04arpa")) {
/* Handle PTR queries for IPv6 addresses. */
return handle_ipv6_ptr(qstate, id);
}
if(dns64_always_synth_for_qname(qstate, id) &&
iq && iq->state == DNS64_NEW_QUERY
&& !(qstate->query_flags & BIT_CD)
&& qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
if(iq && iq->state == DNS64_NEW_QUERY &&
qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA &&
(synth_all_cfg ||
(synth_qname=(dns64_always_synth_for_qname(qstate, id)
&& !(qstate->query_flags & BIT_CD))))) {
if(synth_qname)
verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
return generate_type_A_query(qstate, id);
}
/* We are finished when our sub-query is finished. */
if (iq && iq->state == DNS64_SUBQUERY_FINISHED)
if(iq && iq->state == DNS64_SUBQUERY_FINISHED)
return module_finished;
/* Otherwise, pass request to next module. */
@ -627,32 +628,37 @@ handle_event_moddone(struct module_qstate* qstate, int id)
* synthesize in (sec 5.1.2 of RFC6147).
* - A successful AAAA query with an answer.
*/
if((!iq || iq->state != DNS64_INTERNAL_QUERY)
&& qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA
&& !(qstate->query_flags & BIT_CD)
&& !(qstate->return_msg &&
qstate->return_msg->rep &&
reply_find_answer_rrset(&qstate->qinfo,
qstate->return_msg->rep)))
/* not internal, type AAAA, not CD, and no answer RRset,
* So, this is a AAAA noerror/nodata answer */
return generate_type_A_query(qstate, id);
if((!iq || iq->state != DNS64_INTERNAL_QUERY)
&& qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA
&& !(qstate->query_flags & BIT_CD)
&& dns64_always_synth_for_qname(qstate, id)) {
/* if it is not internal, AAAA, not CD and listed domain,
* generate from A record and ignore AAAA */
verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
/* When an AAAA query completes check if we want to perform DNS64
* synthesis. We skip queries with DNSSEC enabled (!CD) and
* ones generated by us to retrive the A/PTR record to use for
* synth. */
int could_synth =
qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA &&
(!iq || iq->state != DNS64_INTERNAL_QUERY) &&
!(qstate->query_flags & BIT_CD);
int has_data = /* whether query returned non-empty rrset */
qstate->return_msg &&
qstate->return_msg->rep &&
reply_find_answer_rrset(&qstate->qinfo, qstate->return_msg->rep);
int synth_qname = 0;
if(could_synth &&
(!has_data ||
(synth_qname=dns64_always_synth_for_qname(qstate, id)))) {
if(synth_qname)
verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
return generate_type_A_query(qstate, id);
}
/* Store the response in cache. */
if ( (!iq || !iq->started_no_cache_store) &&
qstate->return_msg && qstate->return_msg->rep &&
!dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep,
0, 0, 0, NULL, qstate->query_flags, qstate->qstarttime))
if( (!iq || !iq->started_no_cache_store) &&
qstate->return_msg &&
qstate->return_msg->rep &&
!dns_cache_store(
qstate->env, &qstate->qinfo, qstate->return_msg->rep,
0, 0, 0, NULL,
qstate->query_flags, qstate->qstarttime))
log_err("out of memory");
/* do nothing */
@ -969,10 +975,19 @@ dns64_inform_super(struct module_qstate* qstate, int id,
}
super_dq->state = DNS64_SUBQUERY_FINISHED;
/* If there is no successful answer, we're done. */
if (qstate->return_rcode != LDNS_RCODE_NOERROR
|| !qstate->return_msg
|| !qstate->return_msg->rep) {
/* If there is no successful answer, we're done.
* Guarantee that we have at least a NOERROR reply further on. */
if(qstate->return_rcode != LDNS_RCODE_NOERROR
|| !qstate->return_msg
|| !qstate->return_msg->rep) {
return;
}
/* When no A record is found for synthesis fall back to AAAA again. */
if(qstate->qinfo.qtype == LDNS_RR_TYPE_A &&
!reply_find_answer_rrset(&qstate->qinfo,
qstate->return_msg->rep)) {
super_dq->state = DNS64_INTERNAL_QUERY;
return;
}

4
sbin/unwind/libunbound/dnstap/dnstap.h
View File

@ -133,6 +133,7 @@ dt_msg_send_client_query(struct dt_env *env,
struct sockaddr_storage *qsock,
struct sockaddr_storage *rsock,
enum comm_point_type cptype,
void *cpssl,
struct sldns_buffer *qmsg,
struct timeval* tstamp);
@ -149,6 +150,7 @@ dt_msg_send_client_response(struct dt_env *env,
struct sockaddr_storage *qsock,
struct sockaddr_storage *rsock,
enum comm_point_type cptype,
void *cpssl,
struct sldns_buffer *rmsg);
/**
@ -168,6 +170,7 @@ dt_msg_send_outside_query(struct dt_env *env,
struct sockaddr_storage *rsock,
struct sockaddr_storage *qsock,
enum comm_point_type cptype,
void *cpssl,
uint8_t *zone, size_t zone_len,
struct sldns_buffer *qmsg);
@ -192,6 +195,7 @@ dt_msg_send_outside_response(struct dt_env *env,
struct sockaddr_storage *rsock,
struct sockaddr_storage *qsock,
enum comm_point_type cptype,
void *cpssl,
uint8_t *zone, size_t zone_len,
uint8_t *qbuf, size_t qbuf_len,
const struct timeval *qtime,

1
sbin/unwind/libunbound/iterator/iter_fwd.c
View File

@ -523,4 +523,3 @@ forwards_delete_stub_hole(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
fwd_zone_free(z);
fwd_init_parents(fwd);
}

5
sbin/unwind/libunbound/iterator/iter_hints.c
View File

@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
dp->has_parent_side_NS = 1;
if(do_ip4) {
if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed;
if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed;
if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed;
if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed;
if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
}
if(do_ip6) {
if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
@ -560,4 +560,3 @@ hints_delete_stub(struct iter_hints* hints, uint16_t c, uint8_t* nm)
hints_stub_free(z);
name_tree_init_parents(&hints->tree);
}

26
sbin/unwind/libunbound/iterator/iter_priv.c
View File

@ -207,28 +207,6 @@ size_t priv_get_mem(struct iter_priv* priv)
return sizeof(*priv) + regional_get_mem(priv->region);
}
/** remove RR from msgparse RRset, return true if rrset is entirely bad */
static int
remove_rr(const char* str, sldns_buffer* pkt, struct rrset_parse* rrset,
struct rr_parse* prev, struct rr_parse** rr, struct sockaddr_storage* addr, socklen_t addrlen)
{
if(verbosity >= VERB_QUERY && rrset->dname_len <= LDNS_MAX_DOMAINLEN && str) {
uint8_t buf[LDNS_MAX_DOMAINLEN+1];
dname_pkt_copy(pkt, buf, rrset->dname);
log_name_addr(VERB_QUERY, str, buf, addr, addrlen);
}
if(prev)
prev->next = (*rr)->next;
else rrset->rr_first = (*rr)->next;
if(rrset->rr_last == *rr)
rrset->rr_last = prev;
rrset->rr_count --;
rrset->size -= (*rr)->size;
/* rr struct still exists, but is unlinked, so that in the for loop
* the rr->next works fine to continue. */
return rrset->rr_count == 0;
}
int priv_rrset_bad(struct iter_priv* priv, sldns_buffer* pkt,
struct rrset_parse* rrset)
{
@ -261,7 +239,7 @@ int priv_rrset_bad(struct iter_priv* priv, sldns_buffer* pkt,
INET_SIZE);
memmove(&addr, &sa, len);
if(priv_lookup_addr(priv, &addr, len)) {
if(remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, &rr, &addr, len))
if(msgparse_rrset_remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, rr, &addr, len))
return 1;
continue;
}
@ -284,7 +262,7 @@ int priv_rrset_bad(struct iter_priv* priv, sldns_buffer* pkt,
INET6_SIZE);
memmove(&addr, &sa, len);
if(priv_lookup_addr(priv, &addr, len)) {
if(remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, &rr, &addr, len))
if(msgparse_rrset_remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, rr, &addr, len))
return 1;
continue;
}

25
sbin/unwind/libunbound/iterator/iter_resptype.c
View File

@ -42,6 +42,7 @@
#include "config.h"
#include "iterator/iter_resptype.h"
#include "iterator/iter_delegpt.h"
#include "iterator/iterator.h"
#include "services/cache/dns.h"
#include "util/net_help.h"
#include "util/data/dname.h"
@ -105,7 +106,8 @@ response_type_from_cache(struct dns_msg* msg,
enum response_type
response_type_from_server(int rdset,
struct dns_msg* msg, struct query_info* request, struct delegpt* dp)
struct dns_msg* msg, struct query_info* request, struct delegpt* dp,
int* empty_nodata_found)
{
uint8_t* origzone = (uint8_t*)"\000"; /* the default */
struct ub_packed_rrset_key* s;
@ -284,13 +286,22 @@ response_type_from_server(int rdset,
/* If we've gotten this far, this is NOERROR/NODATA (which could
* be an entirely empty message) */
/* but ignore entirely empty messages, noerror/nodata has a soa
* negative ttl value in the authority section, this makes it try
* again at another authority. And turns it from a 5 second empty
* message into a 5 second servfail response. */
/* For entirely empty messages, try again, at first, then accept
* it it happens more. A regular noerror/nodata response has a soa
* negative ttl value in the authority section. This makes it try
* again at another authority. And decides between storing a 5 second
* empty message or a 5 second servfail response. */
if(msg->rep->an_numrrsets == 0 && msg->rep->ns_numrrsets == 0 &&
msg->rep->ar_numrrsets == 0)
return RESPONSE_TYPE_THROWAWAY;
msg->rep->ar_numrrsets == 0) {
if(empty_nodata_found) {
/* detect as throwaway at first, but accept later. */
(*empty_nodata_found)++;
if(*empty_nodata_found < EMPTY_NODATA_RETRY_COUNT)
return RESPONSE_TYPE_THROWAWAY;
return RESPONSE_TYPE_ANSWER;
}
return RESPONSE_TYPE_ANSWER;
}
/* check if recursive answer; saying it has empty cache */
if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset)
return RESPONSE_TYPE_REC_LAME;

4
sbin/unwind/libunbound/iterator/iter_resptype.h
View File

@ -119,9 +119,11 @@ enum response_type response_type_from_cache(struct dns_msg* msg,
* @param request: the request that generated the response.
* @param dp: The delegation point that was being queried
* when the response was returned.
* @param empty_nodata_found: flag to keep track of empty nodata detection.
* @return the response type (CNAME or ANSWER).
*/
enum response_type response_type_from_server(int rdset,
struct dns_msg* msg, struct query_info* request, struct delegpt* dp);
struct dns_msg* msg, struct query_info* request, struct delegpt* dp,
int* empty_nodata_found);
#endif /* ITERATOR_ITER_RESPTYPE_H */

70
sbin/unwind/libunbound/iterator/iter_scrub.c
View File

@ -283,7 +283,8 @@ synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias,
sizeof(uint32_t)+sizeof(uint16_t)+aliaslen);
if(!cn->rr_first->ttl_data)
return NULL;
sldns_write_uint32(cn->rr_first->ttl_data, 0); /* TTL = 0 */
memmove(cn->rr_first->ttl_data, rrset->rr_first->ttl_data,
sizeof(uint32_t)); /* RFC6672: synth CNAME TTL == DNAME TTL */
sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen);
memmove(cn->rr_first->ttl_data+6, alias, aliaslen);
cn->rr_first->size = sizeof(uint16_t)+aliaslen;
@ -716,6 +717,56 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
return 0;
}
/** Remove individual RRs, if the length is wrong. Returns true if the RRset
* has been removed. */
static int
scrub_sanitize_rr_length(sldns_buffer* pkt, struct msg_parse* msg,
struct rrset_parse* prev, struct rrset_parse** rrset, int* added_ede,
struct module_qstate* qstate)
{
struct rr_parse* rr, *rr_prev = NULL;
for(rr = (*rrset)->rr_first; rr; rr = rr->next) {
/* Sanity check for length of records
* An A record should be 6 bytes only
* (2 bytes for length and 4 for IPv4 addr)*/
if((*rrset)->type == LDNS_RR_TYPE_A && rr->size != 6 ) {
if(!*added_ede) {
*added_ede = 1;
errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.",
LDNS_EDE_OTHER);
}
if(msgparse_rrset_remove_rr("sanitize: removing type A RR of inappropriate length:",
pkt, *rrset, rr_prev, rr, NULL, 0)) {
remove_rrset("sanitize: removing type A RRset of inappropriate length:",
pkt, msg, prev, rrset);
return 1;
}
continue;
}
/* Sanity check for length of records
* An AAAA record should be 18 bytes only
* (2 bytes for length and 16 for IPv6 addr)*/
if((*rrset)->type == LDNS_RR_TYPE_AAAA && rr->size != 18 ) {
if(!*added_ede) {
*added_ede = 1;
errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.",
LDNS_EDE_OTHER);
}
if(msgparse_rrset_remove_rr("sanitize: removing type AAAA RR of inappropriate length:",
pkt, *rrset, rr_prev, rr, NULL, 0)) {
remove_rrset("sanitize: removing type AAAA RRset of inappropriate length:",
pkt, msg, prev, rrset);
return 1;
}
continue;
}
rr_prev = rr;
}
return 0;
}
/**
* Given a response event, remove suspect RRsets from the response.
* "Suspect" rrsets are potentially poison. Note that this routine expects
@ -728,15 +779,17 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
* @param zonename: name of server zone.
* @param env: module environment with config and cache.
* @param ie: iterator environment with private address data.
* @param qstate: for setting errinf for EDE error messages.
* @return 0 on error.
*/
static int
scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
struct iter_env* ie)
struct iter_env* ie, struct module_qstate* qstate)
{
int del_addi = 0; /* if additional-holding rrsets are deleted, we
do not trust the normalized additional-A-AAAA any more */
int added_rrlen_ede = 0;
struct rrset_parse* rrset, *prev;
prev = NULL;
rrset = msg->rrset_first;
@ -781,6 +834,14 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
rrset = msg->rrset_first;
while(rrset) {
/* Sanity check for length of records */
if(rrset->type == LDNS_RR_TYPE_A ||
rrset->type == LDNS_RR_TYPE_AAAA) {
if(scrub_sanitize_rr_length(pkt, msg, prev, &rrset,
&added_rrlen_ede, qstate))
continue;
}
/* remove private addresses */
if( (rrset->type == LDNS_RR_TYPE_A ||
rrset->type == LDNS_RR_TYPE_AAAA)) {
@ -854,7 +915,8 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
int
scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
struct query_info* qinfo, uint8_t* zonename, struct regional* region,
struct module_env* env, struct iter_env* ie)
struct module_env* env, struct module_qstate* qstate,
struct iter_env* ie)
{
/* basic sanity checks */
log_nametypeclass(VERB_ALGO, "scrub for", zonename, LDNS_RR_TYPE_NS,
@ -886,7 +948,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
if(!scrub_normalize(pkt, msg, qinfo, region, env))
return 0;
/* delete all out-of-zone information */
if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie))
if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate))
return 0;
return 1;
}

5
sbin/unwind/libunbound/iterator/iter_scrub.h
View File

@ -48,6 +48,7 @@ struct query_info;
struct regional;
struct module_env;
struct iter_env;
struct module_qstate;
/**
* Cleanup the passed dns message.
@ -59,11 +60,13 @@ struct iter_env;
* Used to determine out of bailiwick information.
* @param regional: where to allocate (new) parts of the message.
* @param env: module environment with config settings and cache.
* @param qstate: for setting errinf for EDE error messages.
* @param ie: iterator module environment data.
* @return: false if the message is total waste. true if scrubbed with success.
*/
int scrub_message(struct sldns_buffer* pkt, struct msg_parse* msg,
struct query_info* qinfo, uint8_t* zonename, struct regional* regional,
struct module_env* env, struct iter_env* ie);
struct module_env* env, struct module_qstate* qstate,
struct iter_env* ie);
#endif /* ITERATOR_ITER_SCRUB_H */

82
sbin/unwind/libunbound/iterator/iterator.c
View File

@ -1449,6 +1449,39 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
}
iq->qchase.qname = sname;
iq->qchase.qname_len = slen;
if(qstate->env->auth_zones) {
/* apply rpz qname triggers after cname */
struct dns_msg* forged_response =
rpz_callback_from_iterator_cname(qstate, iq);
while(forged_response && reply_find_rrset_section_an(
forged_response->rep, iq->qchase.qname,
iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
iq->qchase.qclass)) {
/* another cname to follow */
if(!handle_cname_response(qstate, iq, forged_response,
&sname, &slen)) {
errinf(qstate, "malloc failure, CNAME info");
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
iq->qchase.qname = sname;
iq->qchase.qname_len = slen;
forged_response =
rpz_callback_from_iterator_cname(qstate, iq);
}
if(forged_response != NULL) {
qstate->ext_state[id] = module_finished;
qstate->return_rcode = LDNS_RCODE_NOERROR;
qstate->return_msg = forged_response;
iq->response = forged_response;
next_state(iq, FINISHED_STATE);
if(!iter_prepend(iq, qstate->return_msg, qstate->region)) {
log_err("rpz: after cached cname, prepend rrsets: out of memory");
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
qstate->return_msg->qinfo = qstate->qinfo;
return 0;
}
}
/* This *is* a query restart, even if it is a cheap
* one. */
iq->dp = NULL;
@ -2875,7 +2908,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
/* unset CD if to forwarder(RD set) and not dnssec retry
* (blacklist nonempty) and no trust-anchors are configured
* above the qname or on the first attempt when dnssec is on */
EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
(qstate->env->cfg->disable_edns_do?0:EDNS_DO)|
((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
!qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env,
&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
@ -2940,7 +2974,7 @@ static int
processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
struct iter_env* ie, int id)
{
int dnsseclame = 0, origtypecname = 0;
int dnsseclame = 0, origtypecname = 0, orig_empty_nodata_found;
enum response_type type;
iq->num_current_queries--;
@ -2960,12 +2994,25 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
return next_state(iq, QUERYTARGETS_STATE);
}
iq->timeout_count = 0;
orig_empty_nodata_found = iq->empty_nodata_found;
type = response_type_from_server(
(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
iq->response, &iq->qinfo_out, iq->dp);
iq->response, &iq->qinfo_out, iq->dp, &iq->empty_nodata_found);
iq->chase_to_rd = 0;
/* remove TC flag, if this is erroneously set by TCP upstream */
iq->response->rep->flags &= ~BIT_TC;
if(orig_empty_nodata_found != iq->empty_nodata_found &&
iq->empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) {
/* try to search at another server */
if(qstate->reply) {
struct delegpt_addr* a = delegpt_find_addr(
iq->dp, &qstate->reply->remote_addr,
qstate->reply->remote_addrlen);
/* make selection disprefer it */
if(a) a->lame = 1;
}
return next_state(iq, QUERYTARGETS_STATE);
}
if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
!iq->auth_zone_response) {
/* When forwarding (RD bit is set), we handle referrals
@ -3501,7 +3548,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */
type = response_type_from_server(
(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
iq->response, &iq->qchase, iq->dp);
iq->response, &iq->qchase, iq->dp, NULL);
if(type == RESPONSE_TYPE_ANSWER) {
qstate->return_rcode = LDNS_RCODE_NOERROR;
qstate->return_msg = iq->response;
@ -3874,6 +3921,23 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
/* explicitly set the EDE string to NULL */
iq->response->rep->reason_bogus_str = NULL;
if((qstate->env->cfg->val_log_level >= 2 ||
qstate->env->cfg->log_servfail) && qstate->errinf &&
!qstate->env->cfg->val_log_squelch) {
char* err_str = errinf_to_str_misc(qstate);
if(err_str) {
size_t err_str_len = strlen(err_str);
verbose(VERB_ALGO, "iterator EDE: %s", err_str);
/* allocate space and store the error
* string */
iq->response->rep->reason_bogus_str = regional_alloc(
qstate->region,
sizeof(char) * (err_str_len+1));
memcpy(iq->response->rep->reason_bogus_str,
err_str, err_str_len+1);
}
free(err_str);
}
/* we have finished processing this query */
qstate->ext_state[id] = module_finished;
@ -4087,10 +4151,10 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
/* like packet got dropped */
goto handle_it;
}
if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
log_err("unable to call edns_back_parsed callback");
goto handle_it;
}
}
if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
log_err("unable to call edns_back_parsed callback");
goto handle_it;
}
/* remove CD-bit, we asked for in case we handle validation ourself */
@ -4098,7 +4162,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
/* normalize and sanitize: easy to delete items from linked lists */
if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name,
qstate->env->scratch, qstate->env, ie)) {
qstate->env->scratch, qstate->env, qstate, ie)) {
/* if 0x20 enabled, start fallback, but we have no message */
if(event == module_event_capsfail && !iq->caps_fallback) {
iq->caps_fallback = 1;

7
sbin/unwind/libunbound/iterator/iterator.h
View File

@ -101,6 +101,8 @@ extern int BLACKLIST_PENALTY;
* Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a
* fast server, this causes server exploration as a side benefit. msec. */
#define RTT_BAND 400
/** Number of retries for empty nodata packets before it is accepted. */
#define EMPTY_NODATA_RETRY_COUNT 2
/**
* Global state for the iterator.
@ -415,6 +417,11 @@ struct iter_qstate {
*/
int refetch_glue;
/**
* This flag detects that a completely empty nodata was received,
* already so that it is accepted later. */
int empty_nodata_found;
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;

4
sbin/unwind/libunbound/libunbound/libworker.c
View File

@ -62,6 +62,7 @@
#include "util/random.h"
#include "util/config_file.h"
#include "util/netevent.h"
#include "util/proxy_protocol.h"
#include "util/storage/lookup3.h"
#include "util/storage/slabhash.h"
#include "util/net_help.h"
@ -168,6 +169,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
hints_delete(w->env->hints);
w->env->hints = NULL;
}
#ifdef HAVE_SSL
w->sslctx = connect_sslctx_create(NULL, NULL,
cfg->tls_cert_bundle, cfg->tls_win_cert);
if(!w->sslctx) {
@ -175,6 +177,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
hints_delete(w->env->hints);
w->env->hints = NULL;
}
#endif
if(!w->is_bg || w->is_bg_thread) {
lock_basic_unlock(&ctx->cfglock);
}
@ -263,6 +266,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
w->env->kill_sub = &mesh_state_delete;
w->env->detect_cycle = &mesh_detect_cycle;
comm_base_timept(w->base, &w->env->now, &w->env->now_tv);
pp_init(&sldns_write_uint16, &sldns_write_uint32);
return w;
}

13
sbin/unwind/libunbound/services/authzone.c
View File

@ -2475,6 +2475,7 @@ az_find_ce(struct auth_zone* z, struct query_info* qinfo,
struct auth_rrset** rrset)
{
struct auth_data* n = node;
struct auth_rrset* lookrrset;
*ce = NULL;
*rrset = NULL;
if(!node_exact) {
@ -2497,21 +2498,23 @@ az_find_ce(struct auth_zone* z, struct query_info* qinfo,
/* see if the current candidate has issues */
/* not zone apex and has type NS */
if(n->namelen != z->namelen &&
(*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) &&
(lookrrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) &&
/* delegate here, but DS at exact the dp has notype */
(qinfo->qtype != LDNS_RR_TYPE_DS ||
n->namelen != qinfo->qname_len)) {
/* referral */
/* this is ce and the lowernode is nonexisting */
*ce = n;
return 0;
*rrset = lookrrset;
node_exact = 0;
}
/* not equal to qname and has type DNAME */
if(n->namelen != qinfo->qname_len &&
(*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) {
(lookrrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) {
/* this is ce and the lowernode is nonexisting */
*ce = n;
return 0;
*rrset = lookrrset;
node_exact = 0;
}
if(*ce == NULL && !domain_has_only_nsec3(n)) {
@ -2699,7 +2702,7 @@ create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
if(!d)
return 0; /* out of memory */
(*cname)->entry.data = d;
d->ttl = 0; /* 0 for synthesized CNAME TTL */
d->ttl = dname->data->ttl; /* RFC6672: synth CNAME TTL == DNAME TTL */
d->count = 1;
d->rrsig_count = 0;
d->trust = rrset_trust_ans_noAA;

12
sbin/unwind/libunbound/services/cache/dns.c vendored
View File

@ -80,6 +80,7 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
struct regional* region, time_t qstarttime)
{
size_t i;
time_t ttl, min_ttl = rep->ttl;
/* see if rrset already exists in cache, if not insert it. */
for(i=0; i<rep->rrset_count; i++) {
rep->ref[i].key = rep->rrsets[i];
@ -112,6 +113,15 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
case 1: /* ref updated, item inserted */
rep->rrsets[i] = rep->ref[i].key;
}
/* if ref was updated make sure the message ttl is updated to
* the minimum of the current rrsets. */
ttl = ((struct packed_rrset_data*)rep->rrsets[i]->entry.data)->ttl;
if(ttl < min_ttl) min_ttl = ttl;
}
if(min_ttl < rep->ttl) {
rep->ttl = min_ttl;
rep->prefetch_ttl = PREFETCH_TTL_CALC(rep->ttl);
rep->serve_expired_ttl = rep->ttl + SERVE_EXPIRED_TTL;
}
}
@ -818,7 +828,7 @@ synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
if(!newd)
return NULL;
ck->entry.data = newd;
newd->ttl = 0; /* 0 for synthesized CNAME TTL */
newd->ttl = d->ttl - now; /* RFC6672: synth CNAME TTL == DNAME TTL */
newd->count = 1;
newd->rrsig_count = 0;
newd->trust = rrset_trust_ans_noAA;

8
sbin/unwind/libunbound/services/listen_dnsport.c
View File

@ -1327,7 +1327,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
log_warn("socket timestamping is not available");
}
if(!port_insert(list, s, is_dnscrypt
?listen_type_udp_dnscrypt:listen_type_udp,
?listen_type_udp_dnscrypt :
(sock_queue_timeout ?
listen_type_udpancil:listen_type_udp),
is_pp2, ub_sock)) {
sock_close(s);
if(ub_sock->addr)
@ -1498,9 +1500,13 @@ listen_create(struct comm_base* base, struct listen_port* ports,
}
} else if(ports->ftype == listen_type_udpancil ||
ports->ftype == listen_type_udpancil_dnscrypt) {
#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
cp = comm_point_create_udp_ancil(base, ports->fd,
front->udp_buff, ports->pp2_enabled, cb,
cb_arg, ports->socket);
#else
log_warn("This system does not support UDP ancilliary data.");
#endif
}
if(!cp) {
log_err("can't create commpoint");

6
sbin/unwind/libunbound/services/localzone.c
View File

@ -1532,7 +1532,7 @@ local_data_answer(struct local_zone* z, struct module_env* env,
return 0; /* invalid cname */
if(dname_is_wild(ctarget)) {
/* synthesize cname target */
struct packed_rrset_data* d;
struct packed_rrset_data* d, *lr_d;
/* -3 for wildcard label and root label from qname */
size_t newtargetlen = qinfo->qname_len + ctargetlen - 3;
@ -1560,8 +1560,10 @@ local_data_answer(struct local_zone* z, struct module_env* env,
+ newtargetlen);
if(!d)
return 0; /* out of memory */
lr_d = (struct packed_rrset_data*)lr->rrset->entry.data;
qinfo->local_alias->rrset->entry.data = d;
d->ttl = 0; /* 0 for synthesized CNAME TTL */
d->ttl = lr_d->rr_ttl[0]; /* RFC6672-like behavior:
synth CNAME TTL uses original TTL*/
d->count = 1;
d->rrsig_count = 0;
d->trust = rrset_trust_ans_noAA;

19
sbin/unwind/libunbound/services/mesh.c
View File

@ -69,6 +69,12 @@
#include "edns-subnet/subnetmod.h"
#include "edns-subnet/edns-subnet.h"
#endif
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
/**
* Compare two response-ip client info entries for the purpose of mesh state
@ -1197,6 +1203,8 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
r->edns.udp_size = EDNS_ADVERTISED_SIZE;
r->edns.ext_rcode = 0;
r->edns.bits &= EDNS_DO;
if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
r->edns.edns_present = 0;
if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region, start_time) ||
@ -1224,11 +1232,12 @@ static inline int
mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
{
struct respip_action_info const* respip_info = m->s.respip_action_info;
return respip_info == NULL
return (respip_info == NULL
? 0
: (respip_info->rpz_used
&& !respip_info->rpz_disabled
&& respip_info->action == respip_truncate);
&& respip_info->action == respip_truncate))
|| m->s.tcp_required;
}
static inline int
@ -1371,6 +1380,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
r->edns.udp_size = EDNS_ADVERTISED_SIZE;
r->edns.ext_rcode = 0;
r->edns.bits &= EDNS_DO;
if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
r->edns.edns_present = 0;
m->s.qinfo.qname = r->qname;
m->s.qinfo.local_alias = r->local_alias;
@ -1424,7 +1435,9 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
if(m->s.env->cfg->log_replies) {
log_reply_info(NO_VERBOSE, &m->s.qinfo,
&r->query_reply.client_addr,
r->query_reply.client_addrlen, duration, 0, r_buffer);
r->query_reply.client_addrlen, duration, 0, r_buffer,
(m->s.env->cfg->log_destaddr?(void*)r->query_reply.c->socket->addr->ai_addr:NULL),
r->query_reply.c->type);
}
}

48
sbin/unwind/libunbound/services/outside_network.c
View File

@ -550,7 +550,6 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr,
log_assert(&key_p.reuse != (struct reuse_tcp*)result);
log_assert(&key_p != ((struct reuse_tcp*)result)->pending);
}
/* not found, return null */
/* It is possible that we search for something before the first element
* in the tree. Replace a null pointer with the first element.
@ -560,6 +559,7 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr,
result = rbtree_first(&outnet->tcp_reuse);
}
/* not found, return null */
if(!result || result == RBTREE_NULL)
return NULL;
@ -1009,7 +1009,7 @@ use_free_buffer(struct outside_network* outnet)
sldns_buffer tmp;
sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
dt_msg_send_outside_query(outnet->dtenv, &w->sq->addr,
&pend_tcp->pi->addr, comm_tcp, w->sq->zone,
&pend_tcp->pi->addr, comm_tcp, NULL, w->sq->zone,
w->sq->zonelen, &tmp);
}
#endif
@ -2237,7 +2237,7 @@ randomize_and_send_udp(struct pending* pend, sldns_buffer* packet, int timeout)
outnet->dtenv->log_forwarder_query_messages)) {
log_addr(VERB_ALGO, "from local addr", &pend->pc->pif->addr, pend->pc->pif->addrlen);
log_addr(VERB_ALGO, "request to upstream", &pend->addr, pend->addrlen);
dt_msg_send_outside_query(outnet->dtenv, &pend->addr, &pend->pc->pif->addr, comm_udp,
dt_msg_send_outside_query(outnet->dtenv, &pend->addr, &pend->pc->pif->addr, comm_udp, NULL,
pend->sq->zone, pend->sq->zonelen, packet);
}
#endif
@ -2517,7 +2517,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
sldns_buffer tmp;
sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
dt_msg_send_outside_query(sq->outnet->dtenv, &sq->addr,
&pend->pi->addr, comm_tcp, sq->zone,
&pend->pi->addr, comm_tcp, NULL, sq->zone,
sq->zonelen, &tmp);
}
#endif
@ -2820,6 +2820,25 @@ serviced_perturb_qname(struct ub_randstate* rnd, uint8_t* qbuf, size_t len)
}
}
static uint16_t
serviced_query_udp_size(struct serviced_query* sq, enum serviced_query_status status) {
uint16_t udp_size;
if(status == serviced_query_UDP_EDNS_FRAG) {
if(addr_is_ip6(&sq->addr, sq->addrlen)) {
if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
udp_size = EDNS_FRAG_SIZE_IP6;
else udp_size = EDNS_ADVERTISED_SIZE;
} else {
if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
udp_size = EDNS_FRAG_SIZE_IP4;
else udp_size = EDNS_ADVERTISED_SIZE;
}
} else {
udp_size = EDNS_ADVERTISED_SIZE;
}
return udp_size;
}
/** put serviced query into a buffer */
static void
serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
@ -2843,19 +2862,7 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
edns.opt_list_in = NULL;
edns.opt_list_out = sq->opt_list;
edns.opt_list_inplace_cb_out = NULL;
if(sq->status == serviced_query_UDP_EDNS_FRAG) {
if(addr_is_ip6(&sq->addr, sq->addrlen)) {
if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
edns.udp_size = EDNS_FRAG_SIZE_IP6;
else edns.udp_size = EDNS_ADVERTISED_SIZE;
} else {
if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
edns.udp_size = EDNS_FRAG_SIZE_IP4;
else edns.udp_size = EDNS_ADVERTISED_SIZE;
}
} else {
edns.udp_size = EDNS_ADVERTISED_SIZE;
}
edns.udp_size = serviced_query_udp_size(sq, sq->status);
edns.bits = 0;
if(sq->dnssec & EDNS_DO)
edns.bits = EDNS_DO;
@ -3083,7 +3090,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen);
log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen);
dt_msg_send_outside_response(sq->outnet->dtenv, &sq->addr,
&pi->addr, c->type, sq->zone, sq->zonelen, sq->qbuf,
&pi->addr, c->type, c->ssl, sq->zone, sq->zonelen, sq->qbuf,
sq->qbuflen, &sq->last_sent_time, sq->outnet->now_tv,
c->buffer);
}
@ -3252,7 +3259,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
sq->pending = NULL; /* removed after callback */
if(error == NETEVENT_TIMEOUT) {
if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000) {
if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000 &&
(serviced_query_udp_size(sq, serviced_query_UDP_EDNS_FRAG) < serviced_query_udp_size(sq, serviced_query_UDP_EDNS))) {
/* fallback to 1480/1280 */
sq->status = serviced_query_UDP_EDNS_FRAG;
log_name_addr(VERB_ALGO, "try edns1xx0", sq->qbuf+10,
@ -3296,7 +3304,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
log_addr(VERB_ALGO, "to local addr", &p->pc->pif->addr,
p->pc->pif->addrlen);
dt_msg_send_outside_response(outnet->dtenv, &sq->addr,
&p->pc->pif->addr, c->type, sq->zone, sq->zonelen,
&p->pc->pif->addr, c->type, c->ssl, sq->zone, sq->zonelen,
sq->qbuf, sq->qbuflen, &sq->last_sent_time,
sq->outnet->now_tv, c->buffer);
}

10
sbin/unwind/libunbound/services/rpz.c
View File

@ -2162,7 +2162,7 @@ rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r,
case RPZ_TCP_ONLY_ACTION:
/* basically a passthru here but the tcp-only will be
* honored before the query gets sent. */
ms->respip_action_info->action = respip_truncate;
ms->tcp_required = 1;
ret = NULL;
break;
case RPZ_DROP_ACTION:
@ -2217,7 +2217,7 @@ rpz_apply_nsdname_trigger(struct module_qstate* ms, struct rpz* r,
case RPZ_TCP_ONLY_ACTION:
/* basically a passthru here but the tcp-only will be
* honored before the query gets sent. */
ms->respip_action_info->action = respip_truncate;
ms->tcp_required = 1;
ret = NULL;
break;
case RPZ_DROP_ACTION:
@ -2428,7 +2428,7 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
case RPZ_TCP_ONLY_ACTION:
/* basically a passthru here but the tcp-only will be
* honored before the query gets sent. */
ms->respip_action_info->action = respip_truncate;
ms->tcp_required = 1;
ret = NULL;
break;
case RPZ_DROP_ACTION:
@ -2448,6 +2448,10 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
rpz_action_to_string(localzone_type_to_rpz_action(lzt)));
ret = NULL;
}
if(r->log)
log_rpz_apply("qname", (z?z->name:NULL), NULL,
localzone_type_to_rpz_action(lzt),
&is->qchase, NULL, ms, r->log_name);
lock_rw_unlock(&z->lock);
lock_rw_unlock(&a->lock);
return ret;

4
sbin/unwind/libunbound/sldns/rrdef.h
View File

@ -196,8 +196,8 @@ enum sldns_enum_rr_type
LDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
LDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
LDNS_RR_TYPE_ZONEMD = 63, /* draft-ietf-dnsop-dns-zone-digest-12 */
LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */
LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */
LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */
LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */
LDNS_RR_TYPE_SPF = 99, /* RFC 4408 */

21
sbin/unwind/libunbound/sldns/str2wire.c
View File

@ -2459,12 +2459,13 @@ int sldns_str2wire_wks_buf(const char* str, uint8_t* rd, size_t* len)
(void)strlcpy(proto_str, token, sizeof(proto_str));
} else {
int serv_port;
struct servent *serv = getservbyname(token, proto_str);
if(serv) serv_port=(int)ntohs((uint16_t)serv->s_port);
if(atoi(token) != 0) serv_port=atoi(token);
else if(strcmp(token, "0") == 0) serv_port=0;
else if(strcasecmp(token, "domain")==0) serv_port=53;
else {
serv_port = atoi(token);
if(serv_port == 0 && strcmp(token, "0") != 0) {
struct servent *serv = getservbyname(token, proto_str);
if(serv) serv_port=(int)ntohs((uint16_t)serv->s_port);
else {
#ifdef HAVE_ENDSERVENT
endservent();
#endif
@ -2474,16 +2475,16 @@ int sldns_str2wire_wks_buf(const char* str, uint8_t* rd, size_t* len)
return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX,
sldns_buffer_position(&strbuf));
}
if(serv_port < 0 || serv_port > 65535) {
}
if(serv_port < 0 || serv_port > 65535) {
#ifdef HAVE_ENDSERVENT
endservent();
endservent();
#endif
#ifdef HAVE_ENDPROTOENT
endprotoent();
endprotoent();
#endif
return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX,
sldns_buffer_position(&strbuf));
}
return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX,
sldns_buffer_position(&strbuf));
}
if(rd_len < 1+serv_port/8+1) {
/* bitmap is larger, init new bytes at 0 */

82
sbin/unwind/libunbound/sldns/wire2str.c
View File

@ -192,6 +192,7 @@ static sldns_lookup_table sldns_edns_options_data[] = {
{ 6, "DHU" },
{ 7, "N3U" },
{ 8, "edns-client-subnet" },
{ 10, "COOKIE" },
{ 11, "edns-tcp-keepalive"},
{ 12, "Padding" },
{ 15, "EDE"},
@ -199,6 +200,38 @@ static sldns_lookup_table sldns_edns_options_data[] = {
};
sldns_lookup_table* sldns_edns_options = sldns_edns_options_data;
/* From RFC8914 5.2 Table 3, the "Extended DNS Error Codes" registry. */
static sldns_lookup_table sldns_edns_ede_codes_data[] = {
{ LDNS_EDE_NONE, "None" },
{ LDNS_EDE_OTHER, "Other Error" },
{ LDNS_EDE_UNSUPPORTED_DNSKEY_ALG, "Unsupported DNSKEY Algorithm" },
{ LDNS_EDE_UNSUPPORTED_DS_DIGEST, "Unsupported DS Digest Type" },
{ LDNS_EDE_STALE_ANSWER, "Stale Answer" },
{ LDNS_EDE_FORGED_ANSWER, "Forged Answer" },
{ LDNS_EDE_DNSSEC_INDETERMINATE, "DNSSEC Indeterminate" },
{ LDNS_EDE_DNSSEC_BOGUS, "DNSSEC Bogus" },
{ LDNS_EDE_SIGNATURE_EXPIRED, "Signature Expired" },
{ LDNS_EDE_SIGNATURE_NOT_YET_VALID, "Signature Not Yet Valid" },
{ LDNS_EDE_DNSKEY_MISSING, "DNSKEY Missing" },
{ LDNS_EDE_RRSIGS_MISSING, "RRSIGs Missing" },
{ LDNS_EDE_NO_ZONE_KEY_BIT_SET, "No Zone Key Bit Set" },
{ LDNS_EDE_NSEC_MISSING, "NSEC Missing" },
{ LDNS_EDE_CACHED_ERROR, "Cached Error" },
{ LDNS_EDE_NOT_READY, "Not Ready" },
{ LDNS_EDE_BLOCKED, "Blocked" },
{ LDNS_EDE_CENSORED, "Censored" },
{ LDNS_EDE_FILTERED, "Filtered" },
{ LDNS_EDE_PROHIBITED, "Prohibited" },
{ LDNS_EDE_STALE_NXDOMAIN_ANSWER, "Stale NXDOMAIN Answer" },
{ LDNS_EDE_NOT_AUTHORITATIVE, "Not Authoritative" },
{ LDNS_EDE_NOT_SUPPORTED, "Not Supported" },
{ LDNS_EDE_NO_REACHABLE_AUTHORITY, "No Reachable Authority" },
{ LDNS_EDE_NETWORK_ERROR, "Network Error" },
{ LDNS_EDE_INVALID_DATA, "Invalid Data" },
{ 0, NULL}
};
sldns_lookup_table* sldns_edns_ede_codes = sldns_edns_ede_codes_data;
static sldns_lookup_table sldns_tsig_errors_data[] = {
{ LDNS_TSIG_ERROR_NOERROR, "NOERROR" },
{ LDNS_RCODE_FORMERR, "FORMERR" },
@ -2234,6 +2267,52 @@ static int sldns_wire2str_edns_keepalive_print(char** s, size_t* sl,
return w;
}
int sldns_wire2str_edns_ede_print(char** s, size_t* sl,
uint8_t* data, size_t len)
{
uint16_t ede_code;
int w = 0;
sldns_lookup_table *lt;
size_t i;
int printable;
if(len < 2) {
w += sldns_str_print(s, sl, "malformed ede ");
w += print_hex_buf(s, sl, data, len);
return w;
}
ede_code = sldns_read_uint16(data);
lt = sldns_lookup_by_id(sldns_edns_ede_codes, (int)ede_code);
if(lt && lt->name)
w += sldns_str_print(s, sl, "%s", lt->name);
else w += sldns_str_print(s, sl, "%d", (int)ede_code);
if(len == 2)
return w;
w += sldns_str_print(s, sl, " ");
/* If it looks like text, show it as text. */
printable=1;
for(i=2; i<len; i++) {
if(isprint((unsigned char)data[i]) || data[i] == '\t')
continue;
printable = 0;
break;
}
if(printable) {
w += sldns_str_print(s, sl, "\"");
for(i=2; i<len; i++) {
w += str_char_print(s, sl, data[i]);
}
w += sldns_str_print(s, sl, "\"");
} else {
w += print_hex_buf(s, sl, data+2, len-2);
}
return w;
}
int sldns_wire2str_edns_option_print(char** s, size_t* sl,
uint16_t option_code, uint8_t* optdata, size_t optlen)
{
@ -2268,6 +2347,9 @@ int sldns_wire2str_edns_option_print(char** s, size_t* sl,
case LDNS_EDNS_PADDING:
w += print_hex_buf(s, sl, optdata, optlen);
break;
case LDNS_EDNS_EDE:
w += sldns_wire2str_edns_ede_print(s, sl, optdata, optlen);
break;
default:
/* unknown option code */
w += print_hex_buf(s, sl, optdata, optlen);

13
sbin/unwind/libunbound/sldns/wire2str.h
View File

@ -36,6 +36,8 @@ extern struct sldns_struct_lookup_table* sldns_opcodes;
extern struct sldns_struct_lookup_table* sldns_edns_flags;
/** EDNS option codes */
extern struct sldns_struct_lookup_table* sldns_edns_options;
/** EDNS EDE codes */
extern struct sldns_struct_lookup_table* sldns_edns_ede_codes;
/** error string from wireparse */
extern struct sldns_struct_lookup_table* sldns_wireparse_errors;
/** tsig errors are the rcodes with extra (higher) values */
@ -1020,6 +1022,17 @@ int sldns_wire2str_edns_n3u_print(char** str, size_t* str_len,
int sldns_wire2str_edns_subnet_print(char** str, size_t* str_len,
uint8_t* option_data, size_t option_len);
/**
* Print EDNS EDE option data to string. User buffers, moves string pointers.
* @param str: string buffer.
* @param str_len: length of string buffer.
* @param option_data: buffer with EDNS option code data.
* @param option_len: length of the data for this option.
* @return number of characters (except null) needed to print.
*/
int sldns_wire2str_edns_ede_print(char** str, size_t* str_len,
uint8_t* option_data, size_t option_len);
/**
* Print an EDNS option as OPT: VALUE. User buffers, moves string pointers.
* @param str: string buffer.

13
sbin/unwind/libunbound/util/config_file.c
View File

@ -142,6 +142,7 @@ config_create(void)
cfg->log_tag_queryreply = 0;
cfg->log_local_actions = 0;
cfg->log_servfail = 0;
cfg->log_destaddr = 0;
#ifndef USE_WINSOCK
# ifdef USE_MINI_EVENT
/* select max 1024 sockets */
@ -271,6 +272,7 @@ config_create(void)
cfg->val_permissive_mode = 0;
cfg->aggressive_nsec = 1;
cfg->ignore_cd = 0;
cfg->disable_edns_do = 0;
cfg->serve_expired = 0;
cfg->serve_expired_ttl = 0;
cfg->serve_expired_ttl_reset = 0;
@ -381,6 +383,7 @@ config_create(void)
#ifdef USE_CACHEDB
if(!(cfg->cachedb_backend = strdup("testframe"))) goto error_exit;
if(!(cfg->cachedb_secret = strdup("default"))) goto error_exit;
cfg->cachedb_no_store = 0;
#ifdef USE_REDIS
if(!(cfg->redis_server_host = strdup("127.0.0.1"))) goto error_exit;
cfg->redis_server_path = NULL;
@ -388,6 +391,7 @@ config_create(void)
cfg->redis_timeout = 100;
cfg->redis_server_port = 6379;
cfg->redis_expire_records = 0;
cfg->redis_logical_db = 0;
#endif /* USE_REDIS */
#endif /* USE_CACHEDB */
#ifdef USE_IPSET
@ -687,9 +691,11 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("log-tag-queryreply:", log_tag_queryreply)
else S_YNO("log-local-actions:", log_local_actions)
else S_YNO("log-servfail:", log_servfail)
else S_YNO("log-destaddr:", log_destaddr)
else S_YNO("val-permissive-mode:", val_permissive_mode)
else S_YNO("aggressive-nsec:", aggressive_nsec)
else S_YNO("ignore-cd-flag:", ignore_cd)
else S_YNO("disable-edns-do:", disable_edns_do)
else if(strcmp(opt, "serve-expired:") == 0)
{ IS_YES_OR_NO; cfg->serve_expired = (strcmp(val, "yes") == 0);
SERVE_EXPIRED = cfg->serve_expired; }
@ -819,6 +825,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
{ IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); }
else S_YNO("ipsecmod-strict:", ipsecmod_strict)
#endif
#ifdef USE_CACHEDB
else S_YNO("cachedb-no-store:", cachedb_no_store)
#endif /* USE_CACHEDB */
else if(strcmp(opt, "define-tag:") ==0) {
return config_add_tag(cfg, val);
/* val_sig_skew_min, max and val_max_restart are copied into val_env
@ -1120,6 +1129,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "log-tag-queryreply", log_tag_queryreply)
else O_YNO(opt, "log-local-actions", log_local_actions)
else O_YNO(opt, "log-servfail", log_servfail)
else O_YNO(opt, "log-destaddr", log_destaddr)
else O_STR(opt, "pidfile", pidfile)
else O_YNO(opt, "hide-identity", hide_identity)
else O_YNO(opt, "hide-version", hide_version)
@ -1149,6 +1159,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "val-permissive-mode", val_permissive_mode)
else O_YNO(opt, "aggressive-nsec", aggressive_nsec)
else O_YNO(opt, "ignore-cd-flag", ignore_cd)
else O_YNO(opt, "disable-edns-do", disable_edns_do)
else O_YNO(opt, "serve-expired", serve_expired)
else O_DEC(opt, "serve-expired-ttl", serve_expired_ttl)
else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset)
@ -1306,6 +1317,7 @@ config_get_option(struct config_file* cfg, const char* opt,
#ifdef USE_CACHEDB
else O_STR(opt, "backend", cachedb_backend)
else O_STR(opt, "secret-seed", cachedb_secret)
else O_YNO(opt, "cachedb-no-store", cachedb_no_store)
#ifdef USE_REDIS
else O_STR(opt, "redis-server-host", redis_server_host)
else O_DEC(opt, "redis-server-port", redis_server_port)
@ -1313,6 +1325,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_STR(opt, "redis-server-password", redis_server_password)
else O_DEC(opt, "redis-timeout", redis_timeout)
else O_YNO(opt, "redis-expire-records", redis_expire_records)
else O_DEC(opt, "redis-logical-db", redis_logical_db)
#endif /* USE_REDIS */
#endif /* USE_CACHEDB */
#ifdef USE_IPSET

8
sbin/unwind/libunbound/util/config_file.h
View File

@ -349,6 +349,8 @@ struct config_file {
int log_servfail;
/** log identity to report */
char* log_identity;
/** log dest addr for log_replies */
int log_destaddr;
/** do not report identity (id.server, hostname.bind) */
int hide_identity;
@ -409,6 +411,8 @@ struct config_file {
int aggressive_nsec;
/** ignore the CD flag in incoming queries and refuse them bogus data */
int ignore_cd;
/** disable EDNS DO flag in outgoing requests */
int disable_edns_do;
/** serve expired entries and prefetch them */
int serve_expired;
/** serve expired entries until TTL after expiration */
@ -699,6 +703,8 @@ struct config_file {
char* cachedb_backend;
/** secret seed for hash key calculation */
char* cachedb_secret;
/** cachedb that does not store, but only reads from database, if on */
int cachedb_no_store;
#ifdef USE_REDIS
/** redis server's IP address or host name */
char* redis_server_host;
@ -712,6 +718,8 @@ struct config_file {
int redis_timeout;
/** set timeout on redis records based on DNS response ttl */
int redis_expire_records;
/** set the redis logical database upon connection */
int redis_logical_db;
#endif
#endif
/** Downstream DNS Cookies */

5721
sbin/unwind/libunbound/util/configlexer.c
View File

File diff suppressed because it is too large Load Diff

4
sbin/unwind/libunbound/util/configlexer.lex
View File

@ -403,6 +403,7 @@ val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
val-permissive-mode{COLON} { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
aggressive-nsec{COLON} { YDVAR(1, VAR_AGGRESSIVE_NSEC) }
ignore-cd-flag{COLON} { YDVAR(1, VAR_IGNORE_CD_FLAG) }
disable-edns-do{COLON} { YDVAR(1, VAR_DISABLE_EDNS_DO) }
serve-expired{COLON} { YDVAR(1, VAR_SERVE_EXPIRED) }
serve-expired-ttl{COLON} { YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
serve-expired-ttl-reset{COLON} { YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
@ -433,6 +434,7 @@ log-replies{COLON} { YDVAR(1, VAR_LOG_REPLIES) }
log-tag-queryreply{COLON} { YDVAR(1, VAR_LOG_TAG_QUERYREPLY) }
log-local-actions{COLON} { YDVAR(1, VAR_LOG_LOCAL_ACTIONS) }
log-servfail{COLON} { YDVAR(1, VAR_LOG_SERVFAIL) }
log-destaddr{COLON} { YDVAR(1, VAR_LOG_DESTADDR) }
local-zone{COLON} { YDVAR(2, VAR_LOCAL_ZONE) }
local-data{COLON} { YDVAR(1, VAR_LOCAL_DATA) }
local-data-ptr{COLON} { YDVAR(1, VAR_LOCAL_DATA_PTR) }
@ -557,12 +559,14 @@ ipsecmod-strict{COLON} { YDVAR(1, VAR_IPSECMOD_STRICT) }
cachedb{COLON} { YDVAR(0, VAR_CACHEDB) }
backend{COLON} { YDVAR(1, VAR_CACHEDB_BACKEND) }
secret-seed{COLON} { YDVAR(1, VAR_CACHEDB_SECRETSEED) }
cachedb-no-store{COLON} { YDVAR(1, VAR_CACHEDB_NO_STORE) }
redis-server-host{COLON} { YDVAR(1, VAR_CACHEDB_REDISHOST) }
redis-server-port{COLON} { YDVAR(1, VAR_CACHEDB_REDISPORT) }
redis-server-path{COLON} { YDVAR(1, VAR_CACHEDB_REDISPATH) }
redis-server-password{COLON} { YDVAR(1, VAR_CACHEDB_REDISPASSWORD) }
redis-timeout{COLON} { YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) }
redis-expire-records{COLON} { YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) }
redis-logical-db{COLON} { YDVAR(1, VAR_CACHEDB_REDISLOGICALDB) }
ipset{COLON} { YDVAR(0, VAR_IPSET) }
name-v4{COLON} { YDVAR(1, VAR_IPSET_NAME_V4) }
name-v6{COLON} { YDVAR(1, VAR_IPSET_NAME_V6) }

120
sbin/unwind/libunbound/util/configparser.h
View File

@ -283,64 +283,68 @@
#define VAR_CACHEDB_REDISEXPIRERECORDS 539
#define VAR_CACHEDB_REDISPATH 540
#define VAR_CACHEDB_REDISPASSWORD 541
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 542
#define VAR_FOR_UPSTREAM 543
#define VAR_AUTH_ZONE 544
#define VAR_ZONEFILE 545
#define VAR_MASTER 546
#define VAR_URL 547
#define VAR_FOR_DOWNSTREAM 548
#define VAR_FALLBACK_ENABLED 549
#define VAR_TLS_ADDITIONAL_PORT 550
#define VAR_LOW_RTT 551
#define VAR_LOW_RTT_PERMIL 552
#define VAR_FAST_SERVER_PERMIL 553
#define VAR_FAST_SERVER_NUM 554
#define VAR_ALLOW_NOTIFY 555
#define VAR_TLS_WIN_CERT 556
#define VAR_TCP_CONNECTION_LIMIT 557
#define VAR_ANSWER_COOKIE 558
#define VAR_COOKIE_SECRET 559
#define VAR_IP_RATELIMIT_COOKIE 560
#define VAR_FORWARD_NO_CACHE 561
#define VAR_STUB_NO_CACHE 562
#define VAR_LOG_SERVFAIL 563
#define VAR_DENY_ANY 564
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 565
#define VAR_LOG_TAG_QUERYREPLY 566
#define VAR_STREAM_WAIT_SIZE 567
#define VAR_TLS_CIPHERS 568
#define VAR_TLS_CIPHERSUITES 569
#define VAR_TLS_USE_SNI 570
#define VAR_IPSET 571
#define VAR_IPSET_NAME_V4 572
#define VAR_IPSET_NAME_V6 573
#define VAR_TLS_SESSION_TICKET_KEYS 574
#define VAR_RPZ 575
#define VAR_TAGS 576
#define VAR_RPZ_ACTION_OVERRIDE 577
#define VAR_RPZ_CNAME_OVERRIDE 578
#define VAR_RPZ_LOG 579
#define VAR_RPZ_LOG_NAME 580
#define VAR_DYNLIB 581
#define VAR_DYNLIB_FILE 582
#define VAR_EDNS_CLIENT_STRING 583
#define VAR_EDNS_CLIENT_STRING_OPCODE 584
#define VAR_NSID 585
#define VAR_ZONEMD_PERMISSIVE_MODE 586
#define VAR_ZONEMD_CHECK 587
#define VAR_ZONEMD_REJECT_ABSENCE 588
#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 589
#define VAR_INTERFACE_AUTOMATIC_PORTS 590
#define VAR_EDE 591
#define VAR_INTERFACE_ACTION 592
#define VAR_INTERFACE_VIEW 593
#define VAR_INTERFACE_TAG 594
#define VAR_INTERFACE_TAG_ACTION 595
#define VAR_INTERFACE_TAG_DATA 596
#define VAR_PROXY_PROTOCOL_PORT 597
#define VAR_STATISTICS_INHIBIT_ZERO 598
#define VAR_HARDEN_UNKNOWN_ADDITIONAL 599
#define VAR_CACHEDB_REDISLOGICALDB 542
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 543
#define VAR_FOR_UPSTREAM 544
#define VAR_AUTH_ZONE 545
#define VAR_ZONEFILE 546
#define VAR_MASTER 547
#define VAR_URL 548
#define VAR_FOR_DOWNSTREAM 549
#define VAR_FALLBACK_ENABLED 550
#define VAR_TLS_ADDITIONAL_PORT 551
#define VAR_LOW_RTT 552
#define VAR_LOW_RTT_PERMIL 553
#define VAR_FAST_SERVER_PERMIL 554
#define VAR_FAST_SERVER_NUM 555
#define VAR_ALLOW_NOTIFY 556
#define VAR_TLS_WIN_CERT 557
#define VAR_TCP_CONNECTION_LIMIT 558
#define VAR_ANSWER_COOKIE 559
#define VAR_COOKIE_SECRET 560
#define VAR_IP_RATELIMIT_COOKIE 561
#define VAR_FORWARD_NO_CACHE 562
#define VAR_STUB_NO_CACHE 563
#define VAR_LOG_SERVFAIL 564
#define VAR_DENY_ANY 565
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 566
#define VAR_LOG_TAG_QUERYREPLY 567
#define VAR_STREAM_WAIT_SIZE 568
#define VAR_TLS_CIPHERS 569
#define VAR_TLS_CIPHERSUITES 570
#define VAR_TLS_USE_SNI 571
#define VAR_IPSET 572
#define VAR_IPSET_NAME_V4 573
#define VAR_IPSET_NAME_V6 574
#define VAR_TLS_SESSION_TICKET_KEYS 575
#define VAR_RPZ 576
#define VAR_TAGS 577
#define VAR_RPZ_ACTION_OVERRIDE 578
#define VAR_RPZ_CNAME_OVERRIDE 579
#define VAR_RPZ_LOG 580
#define VAR_RPZ_LOG_NAME 581
#define VAR_DYNLIB 582
#define VAR_DYNLIB_FILE 583
#define VAR_EDNS_CLIENT_STRING 584
#define VAR_EDNS_CLIENT_STRING_OPCODE 585
#define VAR_NSID 586
#define VAR_ZONEMD_PERMISSIVE_MODE 587
#define VAR_ZONEMD_CHECK 588
#define VAR_ZONEMD_REJECT_ABSENCE 589
#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 590
#define VAR_INTERFACE_AUTOMATIC_PORTS 591
#define VAR_EDE 592
#define VAR_INTERFACE_ACTION 593
#define VAR_INTERFACE_VIEW 594
#define VAR_INTERFACE_TAG 595
#define VAR_INTERFACE_TAG_ACTION 596
#define VAR_INTERFACE_TAG_DATA 597
#define VAR_PROXY_PROTOCOL_PORT 598
#define VAR_STATISTICS_INHIBIT_ZERO 599
#define VAR_HARDEN_UNKNOWN_ADDITIONAL 600
#define VAR_DISABLE_EDNS_DO 601
#define VAR_CACHEDB_NO_STORE 602
#define VAR_LOG_DESTADDR 603
#ifndef YYSTYPE_DEFINED
#define YYSTYPE_DEFINED
typedef union {

56
sbin/unwind/libunbound/util/configparser.y
View File

@ -179,6 +179,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
%token VAR_CACHEDB_REDISHOST VAR_CACHEDB_REDISPORT VAR_CACHEDB_REDISTIMEOUT
%token VAR_CACHEDB_REDISEXPIRERECORDS VAR_CACHEDB_REDISPATH VAR_CACHEDB_REDISPASSWORD
%token VAR_CACHEDB_REDISLOGICALDB
%token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
%token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
%token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
@ -198,7 +199,8 @@ extern struct config_parser_state* cfg_parser;
%token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG
%token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA
%token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO
%token VAR_HARDEN_UNKNOWN_ADDITIONAL
%token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE
%token VAR_LOG_DESTADDR
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -332,7 +334,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
server_interface_automatic_ports | server_ede |
server_proxy_protocol_port | server_statistics_inhibit_zero |
server_harden_unknown_additional
server_harden_unknown_additional | server_disable_edns_do |
server_log_destaddr
;
stubstart: VAR_STUB_ZONE
{
@ -1249,6 +1252,15 @@ server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG
free($2);
}
;
server_log_destaddr: VAR_LOG_DESTADDR STRING_ARG
{
OUTYY(("P(server_log_destaddr:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->log_destaddr = (strcmp($2, "yes")==0);
free($2);
}
;
server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG
{
OUTYY(("P(server_log_local_actions:%s)\n", $2));
@ -2060,6 +2072,15 @@ server_ignore_cd_flag: VAR_IGNORE_CD_FLAG STRING_ARG
free($2);
}
;
server_disable_edns_do: VAR_DISABLE_EDNS_DO STRING_ARG
{
OUTYY(("P(server_disable_edns_do:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->disable_edns_do = (strcmp($2, "yes")==0);
free($2);
}
;
server_serve_expired: VAR_SERVE_EXPIRED STRING_ARG
{
OUTYY(("P(server_serve_expired:%s)\n", $2));
@ -3701,7 +3722,8 @@ contents_cachedb: contents_cachedb content_cachedb
| ;
content_cachedb: cachedb_backend_name | cachedb_secret_seed |
redis_server_host | redis_server_port | redis_timeout |
redis_expire_records | redis_server_path | redis_server_password
redis_expire_records | redis_server_path | redis_server_password |
cachedb_no_store | redis_logical_db
;
cachedb_backend_name: VAR_CACHEDB_BACKEND STRING_ARG
{
@ -3727,6 +3749,19 @@ cachedb_secret_seed: VAR_CACHEDB_SECRETSEED STRING_ARG
#endif
}
;
cachedb_no_store: VAR_CACHEDB_NO_STORE STRING_ARG
{
#ifdef USE_CACHEDB
OUTYY(("P(cachedb_no_store:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->cachedb_no_store = (strcmp($2, "yes")==0);
#else
OUTYY(("P(Compiled without cachedb, ignoring)\n"));
#endif
free($2);
}
;
redis_server_host: VAR_CACHEDB_REDISHOST STRING_ARG
{
#if defined(USE_CACHEDB) && defined(USE_REDIS)
@ -3804,6 +3839,21 @@ redis_expire_records: VAR_CACHEDB_REDISEXPIRERECORDS STRING_ARG
free($2);
}
;
redis_logical_db: VAR_CACHEDB_REDISLOGICALDB STRING_ARG
{
#if defined(USE_CACHEDB) && defined(USE_REDIS)
int db;
OUTYY(("P(redis_logical_db:%s)\n", $2));
db = atoi($2);
if((db == 0 && strcmp($2, "0") != 0) || db < 0)
yyerror("valid redis logical database index expected");
else cfg_parser->cfg->redis_logical_db = db;
#else
OUTYY(("P(Compiled without cachedb or redis, ignoring)\n"));
#endif
free($2);
}
;
server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG
{
OUTYY(("P(server_tcp_connection_limit:%s %s)\n", $2, $3));

7
sbin/unwind/libunbound/util/data/msgencode.c
View File

@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list)
curr->opt_len = 2;
prev = curr;
curr = curr->next;
} else {
prev = curr;
curr = curr->next;
}
} else {
/* continue */
@ -1012,8 +1015,10 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
ede_size = calc_ede_option_size(edns, &ede_txt_size);
if(sldns_buffer_capacity(pkt) < udpsize)
udpsize = sldns_buffer_capacity(pkt);
if(!edns || !edns->edns_present) {
attach_edns = 0;
/* EDEs are optional, try to fit anything else before them */
if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
} else if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
/* packet too small to contain edns, omit it. */
attach_edns = 0;
} else {

25
sbin/unwind/libunbound/util/data/msgparse.c
View File

@ -47,6 +47,7 @@
#include "util/regional.h"
#include "util/rfc_1982.h"
#include "util/edns.h"
#include "util/net_help.h"
#include "sldns/rrdef.h"
#include "sldns/sbuffer.h"
#include "sldns/parseutil.h"
@ -1306,3 +1307,27 @@ log_edns_opt_list(enum verbosity_value level, const char* info_str,
}
}
/** remove RR from msgparse RRset, return true if rrset is entirely bad */
int
msgparse_rrset_remove_rr(const char* str, sldns_buffer* pkt, struct rrset_parse* rrset,
struct rr_parse* prev, struct rr_parse* rr, struct sockaddr_storage* addr, socklen_t addrlen)
{
if(verbosity >= VERB_QUERY && rrset->dname_len <= LDNS_MAX_DOMAINLEN && str) {
uint8_t buf[LDNS_MAX_DOMAINLEN+1];
dname_pkt_copy(pkt, buf, rrset->dname);
if(addr)
log_name_addr(VERB_QUERY, str, buf, addr, addrlen);
else log_nametypeclass(VERB_QUERY, str, buf,
rrset->type, ntohs(rrset->rrset_class));
}
if(prev)
prev->next = rr->next;
else rrset->rr_first = rr->next;
if(rrset->rr_last == rr)
rrset->rr_last = prev;
rrset->rr_count --;
rrset->size -= rr->size;
/* rr struct still exists, but is unlinked, so that in the for loop
* the rr->next works fine to continue. */
return rrset->rr_count == 0;
}

18
sbin/unwind/libunbound/util/data/msgparse.h
View File

@ -371,4 +371,22 @@ void msgparse_bucket_remove(struct msg_parse* msg, struct rrset_parse* rrset);
void log_edns_opt_list(enum verbosity_value level, const char* info_str,
struct edns_option* list);
/**
* Remove RR from msgparse RRset.
* @param str: this string is used for logging if verbose. If NULL, there is
* no logging of the remove.
* @param pkt: packet in buffer that is removed from. Used to log the name
* of the item removed.
* @param rrset: RRset that the RR is removed from.
* @param prev: previous RR in list, or NULL.
* @param rr: RR that is removed.
* @param addr: address used for logging, if verbose, or NULL then it is not
* used.
* @param addrlen: length of addr, if that is not NULL.
* @return true if rrset is entirely bad, it would then need to be removed.
*/
int msgparse_rrset_remove_rr(const char* str, struct sldns_buffer* pkt,
struct rrset_parse* rrset, struct rr_parse* prev, struct rr_parse* rr,
struct sockaddr_storage* addr, socklen_t addrlen);
#endif /* UTIL_DATA_MSGPARSE_H */

53
sbin/unwind/libunbound/util/data/msgreply.c
View File

@ -918,13 +918,15 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep)
void
log_reply_info(enum verbosity_value v, struct query_info *qinf,
struct sockaddr_storage *addr, socklen_t addrlen, struct timeval dur,
int cached, struct sldns_buffer *rmsg)
int cached, struct sldns_buffer *rmsg, struct sockaddr_storage* daddr,
enum comm_point_type tp)
{
char qname_buf[LDNS_MAX_DOMAINLEN+1];
char clientip_buf[128];
char rcode_buf[16];
char type_buf[16];
char class_buf[16];
char dest_buf[160];
size_t pktlen;
uint16_t rcode = FLAGS_GET_RCODE(sldns_buffer_read_u16_at(rmsg, 2));
@ -933,11 +935,46 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
sldns_wire2str_rcode_buf((int)rcode, rcode_buf, sizeof(rcode_buf));
addr_to_str(addr, addrlen, clientip_buf, sizeof(clientip_buf));
if(daddr) {
char da[128];
int port = 0;
char* comm;
if(daddr->ss_family == AF_INET6) {
struct sockaddr_in6 *d = (struct sockaddr_in6 *)daddr;
if(inet_ntop(d->sin6_family, &d->sin6_addr, da,
sizeof(*d)) == 0)
snprintf(dest_buf, sizeof(dest_buf),
"(inet_ntop_error)");
port = ntohs(d->sin6_port);
} else if(daddr->ss_family == AF_INET) {
struct sockaddr_in *d = (struct sockaddr_in *)daddr;
if(inet_ntop(d->sin_family, &d->sin_addr, da,
sizeof(*d)) == 0)
snprintf(dest_buf, sizeof(dest_buf),
"(inet_ntop_error)");
port = ntohs(d->sin_port);
} else {
snprintf(da, sizeof(da), "socket%d",
(int)daddr->ss_family);
}
comm = "udp";
if(tp == comm_tcp) comm = "tcp";
else if(tp == comm_tcp_accept) comm = "tcp";
else if(tp == comm_http) comm = "dot";
else if(tp == comm_local) comm = "unix";
else if(tp == comm_raw) comm = "raw";
snprintf(dest_buf, sizeof(dest_buf), " on %s %s %d",
comm, da, port);
} else {
dest_buf[0]=0;
}
if(rcode == LDNS_RCODE_FORMERR)
{
if(LOG_TAG_QUERYREPLY)
log_reply("%s - - - %s - - - ", clientip_buf, rcode_buf);
else log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
log_reply("%s - - - %s - - -%s", clientip_buf,
rcode_buf, dest_buf);
else log_info("%s - - - %s - - -%s", clientip_buf,
rcode_buf, dest_buf);
} else {
if(qinf->qname)
dname_str(qinf->qname, qname_buf);
@ -946,12 +983,14 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
sldns_wire2str_type_buf(qinf->qtype, type_buf, sizeof(type_buf));
sldns_wire2str_class_buf(qinf->qclass, class_buf, sizeof(class_buf));
if(LOG_TAG_QUERYREPLY)
log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d%s",
clientip_buf, qname_buf, type_buf, class_buf,
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec,
cached, (int)pktlen, dest_buf);
else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d%s",
clientip_buf, qname_buf, type_buf, class_buf,
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec,
cached, (int)pktlen, dest_buf);
}
}

6
sbin/unwind/libunbound/util/data/msgreply.h
View File

@ -58,6 +58,7 @@ struct msg_parse;
struct rrset_parse;
struct local_rrset;
struct dns_msg;
enum comm_point_type;
/** calculate the prefetch TTL as 90% of original. Calculation
* without numerical overflow (uin32_t) */
@ -520,10 +521,13 @@ void log_dns_msg(const char* str, struct query_info* qinfo,
* @param cached: whether or not the reply is coming from
* the cache, or an outside network.
* @param rmsg: sldns buffer packet.
* @param daddr: if not NULL, the destination address and port are logged.
* @param tp: type of the comm point for logging destination connection type.
*/
void log_reply_info(enum verbosity_value v, struct query_info *qinf,
struct sockaddr_storage *addr, socklen_t addrlen, struct timeval dur,
int cached, struct sldns_buffer *rmsg);
int cached, struct sldns_buffer *rmsg, struct sockaddr_storage* daddr,
enum comm_point_type tp);
/**
* Print string with neat domain name, type, class from query info.

5
sbin/unwind/libunbound/util/data/packed_rrset.c
View File

@ -275,6 +275,7 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
entry.data;
uint8_t rr[65535];
size_t wlen;
size_t rlen = rrset->rk.dname_len + 2 + 2 + 4 + d->rr_len[i];
time_t adjust = 0;
log_assert(dest_len > 0 && dest);
@ -292,7 +293,9 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
sldns_write_uint32(rr+rrset->rk.dname_len+4,
(uint32_t)(d->rr_ttl[i]-adjust));
memmove(rr+rrset->rk.dname_len+8, d->rr_data[i], d->rr_len[i]);
if(sldns_wire2str_rr_buf(rr, rlen, dest, dest_len) == -1) {
wlen = (size_t)sldns_wire2str_rr_buf(rr, rlen, dest, dest_len);
if(wlen >= dest_len) {
/* the output string was truncated */
log_info("rrbuf failure %d %s", (int)d->rr_len[i], dest);
dest[0] = 0;
return 0;

2
sbin/unwind/libunbound/util/fptr_wlist.c
View File

@ -169,7 +169,9 @@ int
fptr_whitelist_event(void (*fptr)(int, short, void *))
{
if(fptr == &comm_point_udp_callback) return 1;
#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
else if(fptr == &comm_point_udp_ancil_callback) return 1;
#endif
else if(fptr == &comm_point_tcp_accept_callback) return 1;
else if(fptr == &comm_point_tcp_handle_callback) return 1;
else if(fptr == &comm_timer_callback) return 1;

1
sbin/unwind/libunbound/util/iana_ports.inc
View File

@ -258,7 +258,6 @@
356,
357,
358,
359,
360,
361,
362,

2
sbin/unwind/libunbound/util/log.c
View File

@ -187,7 +187,7 @@ void log_ident_set_default(const char* id)
default_ident = id;
}
void log_ident_revert_to_default()
void log_ident_revert_to_default(void)
{
ident = default_ident;
}

18
sbin/unwind/libunbound/util/module.c
View File

@ -194,6 +194,24 @@ char* errinf_to_str_servfail(struct module_qstate* qstate)
return p;
}
char* errinf_to_str_misc(struct module_qstate* qstate)
{
char buf[20480];
char* p = buf;
size_t left = sizeof(buf);
struct errinf_strlist* s;
if(!qstate->errinf)
snprintf(p, left, "misc failure");
else for(s=qstate->errinf; s; s=s->next) {
snprintf(p, left, "%s%s", (s==qstate->errinf?"":" "), s->str);
left -= strlen(p); p += strlen(p);
}
p = strdup(buf);
if(!p)
log_err("malloc failure in errinf_to_str");
return p;
}
void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr)
{
char buf[1024];

10
sbin/unwind/libunbound/util/module.h
View File

@ -691,6 +691,8 @@ struct module_qstate {
struct respip_action_info* respip_action_info;
/** if the query is rpz passthru, no further rpz processing for it */
int rpz_passthru;
/* Flag tcp required. */
int tcp_required;
/** whether the reply should be dropped */
int is_drop;
@ -842,6 +844,14 @@ sldns_ede_code errinf_to_reason_bogus(struct module_qstate* qstate);
*/
char* errinf_to_str_servfail(struct module_qstate* qstate);
/**
* Create error info in string. For misc failures that are not servfail.
* @param qstate: query state.
* @return string or NULL on malloc failure (already logged).
* This string is malloced and has to be freed by caller.
*/
char* errinf_to_str_misc(struct module_qstate* qstate);
/**
* Initialize the edns known options by allocating the required space.
* @param env: the module environment.

105
sbin/unwind/libunbound/util/net_help.c
View File

@ -952,6 +952,111 @@ void log_crypto_err_code(const char* str, unsigned long err)
#endif /* HAVE_SSL */
}
#ifdef HAVE_SSL
/** Print crypt erro with SSL_get_error want code and err_get_error code */
static void log_crypto_err_io_code_arg(const char* str, int r,
unsigned long err, int err_present)
{
int print_errno = 0, print_crypto_err = 0;
const char* inf = NULL;
switch(r) {
case SSL_ERROR_NONE:
inf = "no error";
break;
case SSL_ERROR_ZERO_RETURN:
inf = "channel closed";
break;
case SSL_ERROR_WANT_READ:
inf = "want read";
break;
case SSL_ERROR_WANT_WRITE:
inf = "want write";
break;
case SSL_ERROR_WANT_CONNECT:
inf = "want connect";
break;
case SSL_ERROR_WANT_ACCEPT:
inf = "want accept";
break;
case SSL_ERROR_WANT_X509_LOOKUP:
inf = "want X509 lookup";
break;
#ifdef SSL_ERROR_WANT_ASYNC
case SSL_ERROR_WANT_ASYNC:
inf = "want async";
break;
#endif
#ifdef SSL_ERROR_WANT_ASYNC_JOB
case SSL_ERROR_WANT_ASYNC_JOB:
inf = "want async job";
break;
#endif
#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
case SSL_ERROR_WANT_CLIENT_HELLO_CB:
inf = "want client hello cb";
break;
#endif
case SSL_ERROR_SYSCALL:
print_errno = 1;
inf = "syscall";
break;
case SSL_ERROR_SSL:
print_crypto_err = 1;
inf = "SSL, usually protocol, error";
break;
default:
inf = "unknown SSL_get_error result code";
print_errno = 1;
print_crypto_err = 1;
}
if(print_crypto_err) {
if(print_errno) {
char buf[1024];
snprintf(buf, sizeof(buf), "%s with errno %s",
str, strerror(errno));
if(err_present)
log_crypto_err_code(buf, err);
else log_crypto_err(buf);
} else {
if(err_present)
log_crypto_err_code(str, err);
else log_crypto_err(str);
}
} else {
if(print_errno) {
if(errno == 0)
log_err("str: syscall error with errno %s",
strerror(errno));
else log_err("str: %s", strerror(errno));
} else {
log_err("str: %s", inf);
}
}
}
#endif /* HAVE_SSL */
void log_crypto_err_io(const char* str, int r)
{
#ifdef HAVE_SSL
log_crypto_err_io_code_arg(str, r, 0, 0);
#else
(void)str;
(void)r;
#endif /* HAVE_SSL */
}
void log_crypto_err_io_code(const char* str, int r, unsigned long err)
{
#ifdef HAVE_SSL
log_crypto_err_io_code_arg(str, r, err, 1);
#else
(void)str;
(void)r;
(void)err;
#endif /* HAVE_SSL */
}
#ifdef HAVE_SSL
/** log certificate details */
void

18
sbin/unwind/libunbound/util/net_help.h
View File

@ -429,6 +429,24 @@ void log_crypto_err(const char* str);
*/
void log_crypto_err_code(const char* str, unsigned long err);
/**
* Log an error from libcrypto that came from SSL_write and so on, with
* a value from SSL_get_error, calls log_err. If that fails it logs with
* log_crypto_err.
* @param str: what failed
* @param r: output of SSL_get_error on the I/O operation result.
*/
void log_crypto_err_io(const char* str, int r);
/**
* Log an error from libcrypt that came from an I/O routine with the
* errcode from ERR_get_error. Calls log_err() and log_crypto_err_code.
* @param str: what failed
* @param r: output of SSL_get_error on the I/O operation result.
* @param err: error code from ERR_get_error
*/
void log_crypto_err_io_code(const char* str, int r, unsigned long err);
/**
* Log certificate details verbosity, string, of X509 cert
* @param level: verbosity level

114
sbin/unwind/libunbound/util/netevent.c
View File

@ -892,15 +892,18 @@ static int udp_recv_needs_log(int err)
static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep,
int stream) {
size_t size;
struct pp2_header *header = pp2_read_header(buf);
if(header == NULL) return 0;
struct pp2_header *header;
int err = pp2_read_header(sldns_buffer_begin(buf),
sldns_buffer_remaining(buf));
if(err) return 0;
header = (struct pp2_header*)sldns_buffer_begin(buf);
size = PP2_HEADER_SIZE + ntohs(header->len);
if((header->ver_cmd & 0xF) == PP2_CMD_LOCAL) {
/* A connection from the proxy itself.
* No need to do anything with addresses. */
goto done;
}
if(header->fam_prot == 0x00) {
if(header->fam_prot == PP2_UNSPEC_UNSPEC) {
/* Unspecified family and protocol. This could be used for
* health checks by proxies.
* No need to do anything with addresses. */
@ -908,8 +911,8 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep,
}
/* Read the proxied address */
switch(header->fam_prot) {
case 0x11: /* AF_INET|STREAM */
case 0x12: /* AF_INET|DGRAM */
case PP2_INET_STREAM:
case PP2_INET_DGRAM:
{
struct sockaddr_in* addr =
(struct sockaddr_in*)&rep->client_addr;
@ -920,8 +923,8 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep,
}
/* Ignore the destination address; it should be us. */
break;
case 0x21: /* AF_INET6|STREAM */
case 0x22: /* AF_INET6|DGRAM */
case PP2_INET6_STREAM:
case PP2_INET6_DGRAM:
{
struct sockaddr_in6* addr =
(struct sockaddr_in6*)&rep->client_addr;
@ -934,6 +937,10 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep,
}
/* Ignore the destination address; it should be us. */
break;
default:
log_err("proxy_protocol: unsupported family and "
"protocol 0x%x", (int)header->fam_prot);
return 0;
}
rep->is_proxied = 1;
done:
@ -948,10 +955,10 @@ done:
return 1;
}
#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
void
comm_point_udp_ancil_callback(int fd, short event, void* arg)
{
#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
struct comm_reply rep;
struct msghdr msg;
struct iovec iov[1];
@ -1063,21 +1070,21 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
fptr_ok(fptr_whitelist_comm_point(rep.c->callback));
if((*rep.c->callback)(rep.c, rep.c->cb_arg, NETEVENT_NOERROR, &rep)) {
/* send back immediate reply */
(void)comm_point_send_udp_msg_if(rep.c, rep.c->buffer,
struct sldns_buffer *buffer;
#ifdef USE_DNSCRYPT
buffer = rep.c->dnscrypt_buffer;
#else
buffer = rep.c->buffer;
#endif
(void)comm_point_send_udp_msg_if(rep.c, buffer,
(struct sockaddr*)&rep.remote_addr,
rep.remote_addrlen, &rep);
}
if(!rep.c || rep.c->fd == -1) /* commpoint closed */
break;
}
#else
(void)fd;
(void)event;
(void)arg;
fatal_exit("recvmsg: No support for IPV6_PKTINFO; IP_PKTINFO or IP_RECVDSTADDR. "
"Please disable interface-automatic");
#endif /* AF_INET6 && IPV6_PKTINFO && HAVE_RECVMSG */
}
#endif /* AF_INET6 && IPV6_PKTINFO && HAVE_RECVMSG */
void
comm_point_udp_callback(int fd, short event, void* arg)
@ -1665,7 +1672,13 @@ ssl_handshake(struct comm_point* c)
} else {
unsigned long err = ERR_get_error();
if(!squelch_err_ssl_handshake(err)) {
log_crypto_err_code("ssl handshake failed", err);
long vr;
log_crypto_err_io_code("ssl handshake failed",
want, err);
if((vr=SSL_get_verify_result(c->ssl)) != 0)
log_err("ssl handshake cert error: %s",
X509_verify_cert_error_string(
vr));
log_addr(VERB_OPS, "ssl handshake failed",
&c->repinfo.remote_addr,
c->repinfo.remote_addrlen);
@ -1740,6 +1753,9 @@ ssl_handshake(struct comm_point* c)
/* connection upgraded to HTTP2 */
c->tcp_do_toggle_rw = 0;
c->use_h2 = 1;
} else {
verbose(VERB_ALGO, "client doesn't support HTTP/2");
return 0;
}
}
#endif
@ -1815,23 +1831,30 @@ ssl_handle_read(struct comm_point* c)
strerror(errno));
return 0;
}
log_crypto_err("could not SSL_read");
log_crypto_err_io("could not SSL_read",
want);
return 0;
}
c->tcp_byte_count += r;
sldns_buffer_skip(c->buffer, r);
if(c->tcp_byte_count != current_read_size) return 1;
c->pp2_header_state = pp2_header_init;
}
}
if(c->pp2_header_state == pp2_header_init) {
header = pp2_read_header(c->buffer);
if(!header) {
int err;
err = pp2_read_header(
sldns_buffer_begin(c->buffer),
sldns_buffer_limit(c->buffer));
if(err) {
log_err("proxy_protocol: could not parse "
"PROXYv2 header");
"PROXYv2 header (%s)",
pp_lookup_error(err));
return 0;
}
header = (struct pp2_header*)sldns_buffer_begin(c->buffer);
want_read_size = ntohs(header->len);
if(sldns_buffer_remaining(c->buffer) <
if(sldns_buffer_limit(c->buffer) <
PP2_HEADER_SIZE + want_read_size) {
log_err_addr("proxy_protocol: not enough "
"buffer size to read PROXYv2 header", "",
@ -1876,10 +1899,12 @@ ssl_handle_read(struct comm_point* c)
strerror(errno));
return 0;
}
log_crypto_err("could not SSL_read");
log_crypto_err_io("could not SSL_read",
want);
return 0;
}
c->tcp_byte_count += r;
sldns_buffer_skip(c->buffer, r);
if(c->tcp_byte_count != current_read_size) return 1;
c->pp2_header_state = pp2_header_done;
}
@ -1890,6 +1915,7 @@ ssl_handle_read(struct comm_point* c)
c->repinfo.remote_addrlen);
return 0;
}
sldns_buffer_flip(c->buffer);
if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) {
log_err_addr("proxy_protocol: could not consume "
"PROXYv2 header", "", &c->repinfo.remote_addr,
@ -1934,7 +1960,7 @@ ssl_handle_read(struct comm_point* c)
strerror(errno));
return 0;
}
log_crypto_err("could not SSL_read");
log_crypto_err_io("could not SSL_read", want);
return 0;
}
c->tcp_byte_count += r;
@ -1984,7 +2010,7 @@ ssl_handle_read(struct comm_point* c)
strerror(errno));
return 0;
}
log_crypto_err("could not SSL_read");
log_crypto_err_io("could not SSL_read", want);
return 0;
}
sldns_buffer_skip(c->buffer, (ssize_t)r);
@ -2075,7 +2101,7 @@ ssl_handle_write(struct comm_point* c)
strerror(errno));
return 0;
}
log_crypto_err("could not SSL_write");
log_crypto_err_io("could not SSL_write", want);
return 0;
}
if(c->tcp_write_and_read) {
@ -2127,7 +2153,7 @@ ssl_handle_write(struct comm_point* c)
strerror(errno));
return 0;
}
log_crypto_err("could not SSL_write");
log_crypto_err_io("could not SSL_write", want);
return 0;
}
if(c->tcp_write_and_read) {
@ -2211,19 +2237,25 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
goto recv_error_initial;
}
c->tcp_byte_count += r;
sldns_buffer_skip(c->buffer, r);
if(c->tcp_byte_count != current_read_size) return 1;
c->pp2_header_state = pp2_header_init;
}
}
if(c->pp2_header_state == pp2_header_init) {
header = pp2_read_header(c->buffer);
if(!header) {
int err;
err = pp2_read_header(
sldns_buffer_begin(c->buffer),
sldns_buffer_limit(c->buffer));
if(err) {
log_err("proxy_protocol: could not parse "
"PROXYv2 header");
"PROXYv2 header (%s)",
pp_lookup_error(err));
return 0;
}
header = (struct pp2_header*)sldns_buffer_begin(c->buffer);
want_read_size = ntohs(header->len);
if(sldns_buffer_remaining(c->buffer) <
if(sldns_buffer_limit(c->buffer) <
PP2_HEADER_SIZE + want_read_size) {
log_err_addr("proxy_protocol: not enough "
"buffer size to read PROXYv2 header", "",
@ -2250,6 +2282,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
goto recv_error;
}
c->tcp_byte_count += r;
sldns_buffer_skip(c->buffer, r);
if(c->tcp_byte_count != current_read_size) return 1;
c->pp2_header_state = pp2_header_done;
}
@ -2260,6 +2293,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
c->repinfo.remote_addrlen);
return 0;
}
sldns_buffer_flip(c->buffer);
if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) {
log_err_addr("proxy_protocol: could not consume "
"PROXYv2 header", "", &c->repinfo.remote_addr,
@ -2913,7 +2947,7 @@ ssl_http_read_more(struct comm_point* c)
strerror(errno));
return 0;
}
log_crypto_err("could not SSL_read");
log_crypto_err_io("could not SSL_read", want);
return 0;
}
verbose(VERB_ALGO, "ssl http read more skip to %d + %d",
@ -3364,7 +3398,7 @@ ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session), uint8_t* buf,
strerror(errno));
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
log_crypto_err("could not SSL_read");
log_crypto_err_io("could not SSL_read", want);
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
return r;
@ -3619,7 +3653,7 @@ ssl_http_write_more(struct comm_point* c)
strerror(errno));
return 0;
}
log_crypto_err("could not SSL_write");
log_crypto_err_io("could not SSL_write", want);
return 0;
}
sldns_buffer_skip(c->buffer, (ssize_t)r);
@ -3692,7 +3726,7 @@ ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session), const uint8_t* buf,
strerror(errno));
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
log_crypto_err("could not SSL_write");
log_crypto_err_io("could not SSL_write", want);
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
return r;
@ -3958,11 +3992,7 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer,
evbits = UB_EV_READ | UB_EV_PERSIST;
/* ub_event stuff */
c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits,
#ifdef USE_WINSOCK
comm_point_udp_callback, c);
#else
comm_point_udp_ancil_callback, c);
#endif
if(c->ev->ev == NULL) {
log_err("could not baseset udp event");
comm_point_delete(c);
@ -3977,6 +4007,7 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer,
return c;
}
#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
struct comm_point*
comm_point_create_udp_ancil(struct comm_base *base, int fd,
sldns_buffer* buffer, int pp2_enabled,
@ -4039,6 +4070,7 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd,
c->event_added = 1;
return c;
}
#endif
static struct comm_point*
comm_point_create_tcp_handler(struct comm_base *base,
@ -4742,7 +4774,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
if(repinfo->c->dtenv != NULL && repinfo->c->dtenv->log_client_response_messages) {
log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer);
dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->ssl, repinfo->c->buffer);
}
#endif
} else {
@ -4753,7 +4785,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
if(repinfo->c->tcp_parent->dtenv != NULL && repinfo->c->tcp_parent->dtenv->log_client_response_messages) {
log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type,
dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->ssl,
( repinfo->c->tcp_req_info? repinfo->c->tcp_req_info->spool_buffer: repinfo->c->buffer ));
}
#endif

174
sbin/unwind/libunbound/util/proxy_protocol.c
View File

@ -38,102 +38,162 @@
*
* This file contains PROXY protocol functions.
*/
#include "config.h"
#include "util/log.h"
#include "util/proxy_protocol.h"
int
pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src,
/**
* Internal struct initialized with function pointers for writing uint16 and
* uint32.
*/
struct proxy_protocol_data {
void (*write_uint16)(void* buf, uint16_t data);
void (*write_uint32)(void* buf, uint32_t data);
};
struct proxy_protocol_data pp_data;
/**
* Internal lookup table; could be further generic like sldns_lookup_table
* for all the future generic stuff.
*/
struct proxy_protocol_lookup_table {
int id;
const char *text;
};
/**
* Internal parsing error text; could be exposed with pp_lookup_error.
*/
static struct proxy_protocol_lookup_table pp_parse_errors_data[] = {
{ PP_PARSE_NOERROR, "no parse error" },
{ PP_PARSE_SIZE, "not enough space for header" },
{ PP_PARSE_WRONG_HEADERv2, "could not match PROXYv2 header" },
{ PP_PARSE_UNKNOWN_CMD, "unknown command" },
{ PP_PARSE_UNKNOWN_FAM_PROT, "unknown family and protocol" },
};
void
pp_init(void (*write_uint16)(void* buf, uint16_t data),
void (*write_uint32)(void* buf, uint32_t data)) {
pp_data.write_uint16 = write_uint16;
pp_data.write_uint32 = write_uint32;
}
const char*
pp_lookup_error(enum pp_parse_errors error) {
return pp_parse_errors_data[error].text;
}
size_t
pp2_write_to_buf(uint8_t* buf, size_t buflen,
#ifdef INET6
struct sockaddr_storage* src,
#else
struct sockaddr_in* src,
#endif
int stream)
{
int af;
size_t expected_size;
if(!src) return 0;
af = (int)((struct sockaddr_in*)src)->sin_family;
if(sldns_buffer_remaining(buf) <
PP2_HEADER_SIZE + (af==AF_INET?12:36)) {
expected_size = PP2_HEADER_SIZE + (af==AF_INET?12:36);
if(buflen < expected_size) {
return 0;
}
/* sig */
sldns_buffer_write(buf, PP2_SIG, PP2_SIG_LEN);
memcpy(buf, PP2_SIG, PP2_SIG_LEN);
buf += PP2_SIG_LEN;
/* version and command */
sldns_buffer_write_u8(buf, (PP2_VERSION << 4) | PP2_CMD_PROXY);
if(af==AF_INET) {
*buf = (PP2_VERSION << 4) | PP2_CMD_PROXY;
buf++;
switch(af) {
case AF_INET:
/* family and protocol */
sldns_buffer_write_u8(buf,
(PP2_AF_INET<<4) |
(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM));
*buf = (PP2_AF_INET<<4) |
(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM);
buf++;
/* length */
sldns_buffer_write_u16(buf, 12);
(*pp_data.write_uint16)(buf, 12);
buf += 2;
/* src addr */
sldns_buffer_write(buf,
memcpy(buf,
&((struct sockaddr_in*)src)->sin_addr.s_addr, 4);
buf += 4;
/* dst addr */
sldns_buffer_write_u32(buf, 0);
(*pp_data.write_uint32)(buf, 0);
buf += 4;
/* src port */
sldns_buffer_write(buf,
memcpy(buf,
&((struct sockaddr_in*)src)->sin_port, 2);
/* dst port */
sldns_buffer_write_u16(buf, 0);
} else {
/* family and protocol */
sldns_buffer_write_u8(buf,
(PP2_AF_INET6<<4) |
(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM));
/* length */
sldns_buffer_write_u16(buf, 36);
/* src addr */
sldns_buffer_write(buf,
&((struct sockaddr_in6*)src)->sin6_addr, 16);
buf += 2;
/* dst addr */
sldns_buffer_set_at(buf,
sldns_buffer_position(buf), 0, 16);
sldns_buffer_skip(buf, 16);
/* src port */
sldns_buffer_write(buf,
&((struct sockaddr_in6*)src)->sin6_port, 2);
/* dst port */
sldns_buffer_write_u16(buf, 0);
(*pp_data.write_uint16)(buf, 12);
break;
#ifdef INET6
case AF_INET6:
/* family and protocol */
*buf = (PP2_AF_INET6<<4) |
(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM);
buf++;
/* length */
(*pp_data.write_uint16)(buf, 36);
buf += 2;
/* src addr */
memcpy(buf,
&((struct sockaddr_in6*)src)->sin6_addr, 16);
buf += 16;
/* dst addr */
memset(buf, 0, 16);
buf += 16;
/* src port */
memcpy(buf, &((struct sockaddr_in6*)src)->sin6_port, 2);
buf += 2;
/* dst port */
(*pp_data.write_uint16)(buf, 0);
break;
#endif /* INET6 */
case AF_UNIX:
/* fallthrough */
default:
return 0;
}
return 1;
return expected_size;
}
struct pp2_header*
pp2_read_header(struct sldns_buffer* buf)
int
pp2_read_header(uint8_t* buf, size_t buflen)
{
size_t size;
struct pp2_header* header = (struct pp2_header*)sldns_buffer_begin(buf);
struct pp2_header* header = (struct pp2_header*)buf;
/* Try to fail all the unsupported cases first. */
if(sldns_buffer_remaining(buf) < PP2_HEADER_SIZE) {
log_err("proxy_protocol: not enough space for header");
return NULL;
if(buflen < PP2_HEADER_SIZE) {
return PP_PARSE_SIZE;
}
/* Check for PROXYv2 header */
if(memcmp(header, PP2_SIG, PP2_SIG_LEN) != 0 ||
((header->ver_cmd & 0xF0)>>4) != PP2_VERSION) {
log_err("proxy_protocol: could not match PROXYv2 header");
return NULL;
return PP_PARSE_WRONG_HEADERv2;
}
/* Check the length */
size = PP2_HEADER_SIZE + ntohs(header->len);
if(sldns_buffer_remaining(buf) < size) {
log_err("proxy_protocol: not enough space for header");
return NULL;
if(buflen < size) {
return PP_PARSE_SIZE;
}
/* Check for supported commands */
if((header->ver_cmd & 0xF) != PP2_CMD_LOCAL &&
(header->ver_cmd & 0xF) != PP2_CMD_PROXY) {
log_err("proxy_protocol: unsupported command");
return NULL;
return PP_PARSE_UNKNOWN_CMD;
}
/* Check for supported family and protocol */
if(header->fam_prot != 0x00 /* AF_UNSPEC|UNSPEC */ &&
header->fam_prot != 0x11 /* AF_INET|STREAM */ &&
header->fam_prot != 0x12 /* AF_INET|DGRAM */ &&
header->fam_prot != 0x21 /* AF_INET6|STREAM */ &&
header->fam_prot != 0x22 /* AF_INET6|DGRAM */) {
log_err("proxy_protocol: unsupported family and protocol");
return NULL;
if(header->fam_prot != PP2_UNSPEC_UNSPEC &&
header->fam_prot != PP2_INET_STREAM &&
header->fam_prot != PP2_INET_DGRAM &&
header->fam_prot != PP2_INET6_STREAM &&
header->fam_prot != PP2_INET6_DGRAM &&
header->fam_prot != PP2_UNIX_STREAM &&
header->fam_prot != PP2_UNIX_DGRAM) {
return PP_PARSE_UNKNOWN_FAM_PROT;
}
/* We have a correct header */
return header;
return PP_PARSE_NOERROR;
}

66
sbin/unwind/libunbound/util/proxy_protocol.h
View File

@ -42,7 +42,7 @@
#ifndef PROXY_PROTOCOL_H
#define PROXY_PROTOCOL_H
#include "sldns/sbuffer.h"
#include "config.h"
/** PROXYv2 minimum header size */
#define PP2_HEADER_SIZE 16
@ -51,11 +51,11 @@
#define PP2_SIG "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"
#define PP2_SIG_LEN 12
/** PROXYv2 version */
/** PROXYv2 version (protocol value) */
#define PP2_VERSION 0x2
/**
* PROXYv2 command.
* PROXYv2 command (protocol value).
*/
enum pp2_command {
PP2_CMD_LOCAL = 0x0,
@ -63,7 +63,7 @@ enum pp2_command {
};
/**
* PROXYv2 address family.
* PROXYv2 address family (protocol value).
*/
enum pp2_af {
PP2_AF_UNSPEC = 0x0,
@ -73,7 +73,7 @@ enum pp2_af {
};
/**
* PROXYv2 protocol.
* PROXYv2 protocol (protocol value).
*/
enum pp2_protocol {
PP2_PROT_UNSPEC = 0x0,
@ -81,6 +81,19 @@ enum pp2_protocol {
PP2_PROT_DGRAM = 0x2
};
/**
* Expected combinations of address family and protocol values used in checks.
*/
enum pp2_af_protocol_combination {
PP2_UNSPEC_UNSPEC = (PP2_AF_UNSPEC<<4)|PP2_PROT_UNSPEC,
PP2_INET_STREAM = (PP2_AF_INET<<4)|PP2_PROT_STREAM,
PP2_INET_DGRAM = (PP2_AF_INET<<4)|PP2_PROT_DGRAM,
PP2_INET6_STREAM = (PP2_AF_INET6<<4)|PP2_PROT_STREAM,
PP2_INET6_DGRAM = (PP2_AF_INET6<<4)|PP2_PROT_DGRAM,
PP2_UNIX_STREAM = (PP2_AF_UNIX<<4)|PP2_PROT_STREAM,
PP2_UNIX_DGRAM = (PP2_AF_UNIX<<4)|PP2_PROT_DGRAM
};
/**
* PROXYv2 header.
*/
@ -109,23 +122,56 @@ struct pp2_header {
} addr;
};
/**
* PROXY parse errors.
*/
enum pp_parse_errors {
PP_PARSE_NOERROR = 0,
PP_PARSE_SIZE,
PP_PARSE_WRONG_HEADERv2,
PP_PARSE_UNKNOWN_CMD,
PP_PARSE_UNKNOWN_FAM_PROT,
};
/**
* Initialize the internal proxy structure.
* @param write_uint16: pointer to a function that can write uint16.
* @param write_uint32: pointer to a function that can write uint32.
*/
void pp_init(void (*write_uint16)(void* buf, uint16_t data),
void (*write_uint32)(void* buf, uint32_t data));
/**
* Lookup the parsing error description.
* @param error: parsing error from pp2_read_header.
* @return the description.
*/
const char* pp_lookup_error(enum pp_parse_errors error);
/**
* Write a PROXYv2 header at the current position of the buffer.
* @param buf: the buffer to write to.
* @param buf: pointer to the buffer to write data to.
* @param buflen: available size on the buffer.
* @param src: the source address.
* @param stream: if the protocol is stream or datagram.
* @return 1 on success, 0 on failure.
*/
int pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src,
size_t pp2_write_to_buf(uint8_t* buf, size_t buflen,
#ifdef INET6
struct sockaddr_storage* src,
#else
struct sockaddr_in* src,
#endif
int stream);
/**
* Read a PROXYv2 header from the current position of the buffer.
* It does initial validation and returns a pointer to the buffer position on
* success.
* @param buf: the buffer to read from.
* @return the pointer to the buffer position on success, NULL on error.
* @param buf: pointer to the buffer data to read from.
* @param buflen: available size on the buffer.
* @return parsing error, 0 on success.
*/
struct pp2_header* pp2_read_header(struct sldns_buffer* buf);
int pp2_read_header(uint8_t* buf, size_t buflen);
#endif /* PROXY_PROTOCOL_H */

8
sbin/unwind/libunbound/validator/autotrust.c
View File

@ -353,17 +353,21 @@ autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len,
lock_basic_lock(&anchors->lock);
if(!rbtree_insert(anchors->tree, &tp->node)) {
char buf[LDNS_MAX_DOMAINLEN+1];
lock_basic_unlock(&anchors->lock);
log_err("trust anchor presented twice");
dname_str(tp->name, buf);
log_err("trust anchor for '%s' presented twice", buf);
free(tp->name);
free(tp->autr);
free(tp);
return NULL;
}
if(!rbtree_insert(&anchors->autr->probe, &tp->autr->pnode)) {
char buf[LDNS_MAX_DOMAINLEN+1];
(void)rbtree_delete(anchors->tree, tp);
lock_basic_unlock(&anchors->lock);
log_err("trust anchor in probetree twice");
dname_str(tp->name, buf);
log_err("trust anchor for '%s' in probetree twice", buf);
free(tp->name);
free(tp->autr);
free(tp);

21
sbin/unwind/libunbound/validator/val_anchor.c
View File

@ -1322,3 +1322,24 @@ anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
free(taglist);
return 0;
}
struct trust_anchor*
anchors_find_any_noninsecure(struct val_anchors* anchors)
{
struct trust_anchor* ta, *next;
lock_basic_lock(&anchors->lock);
ta=(struct trust_anchor*)rbtree_first(anchors->tree);
while((rbnode_type*)ta != RBTREE_NULL) {
next = (struct trust_anchor*)rbtree_next(&ta->node);
lock_basic_lock(&ta->lock);
if(ta->numDS != 0 || ta->numDNSKEY != 0) {
/* not an insecurepoint */
lock_basic_unlock(&anchors->lock);
return ta;
}
lock_basic_unlock(&ta->lock);
ta = next;
}
lock_basic_unlock(&anchors->lock);
return NULL;
}

8
sbin/unwind/libunbound/validator/val_anchor.h
View File

@ -240,4 +240,12 @@ size_t anchor_list_keytags(struct trust_anchor* ta, uint16_t* list, size_t num);
int anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
size_t namelen, uint16_t dclass, uint16_t keytag);
/**
* Find an anchor that is not an insecure point, if any, or there are no
* DNSSEC verification anchors if none.
* @param anchors: anchor storage
* @return trust anchor or NULL. It is locked.
*/
struct trust_anchor* anchors_find_any_noninsecure(struct val_anchors* anchors);
#endif /* VALIDATOR_VAL_ANCHOR_H */

2
sbin/unwind/libunbound/validator/val_sigcrypt.c
View File

@ -748,7 +748,6 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
return sec_status_bogus;
}
}
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
if(!numchecked) {
*reason = "signature for expected key and algorithm missing";
if(reason_bogus)
@ -761,6 +760,7 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
*reason = "algorithm refused by cryptolib";
return sec_status_indeterminate;
}
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
return sec_status_bogus;
}

55
sbin/unwind/libunbound/validator/val_utils.c
View File

@ -424,11 +424,13 @@ static enum sec_status
verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
sldns_ede_code *reason_bogus, struct module_qstate* qstate)
sldns_ede_code *reason_bogus, struct module_qstate* qstate,
int *nonechecked)
{
enum sec_status sec = sec_status_bogus;
size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
num = rrset_get_count(dnskey_rrset);
*nonechecked = 0;
for(i=0; i<num; i++) {
/* Skip DNSKEYs that don't match the basic criteria. */
if(ds_get_key_algo(ds_rrset, ds_idx)
@ -476,13 +478,15 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
/* there is a working DS, but that DNSKEY is not supported */
return sec_status_insecure;
}
if(numchecked == 0)
if(numchecked == 0) {
algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
reason, "no keys have a DS");
else if(numhashok == 0)
*nonechecked = 1;
} else if(numhashok == 0) {
*reason = "DS hash mismatches key";
else if(!*reason)
} else if(!*reason) {
*reason = "keyset not secured by DNSKEY that matches DS";
}
return sec_status_bogus;
}
@ -511,7 +515,8 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
{
/* as long as this is false, we can consider this DS rrset to be
* equivalent to no DS rrset. */
int has_useful_ds = 0, digest_algo, alg;
int has_useful_ds = 0, digest_algo, alg, has_algo_refusal = 0,
nonechecked, has_checked_ds = 0;
struct algo_needs needs;
size_t i, num;
enum sec_status sec;
@ -544,9 +549,16 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
}
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
ds_rrset, i, reason, reason_bogus, qstate);
if(sec == sec_status_insecure)
ds_rrset, i, reason, reason_bogus, qstate,
&nonechecked);
if(sec == sec_status_insecure) {
/* DNSKEY too large unsupported or algo refused by
* crypto lib. */
has_algo_refusal = 1;
continue;
}
if(!nonechecked)
has_checked_ds = 1;
/* Once we see a single DS with a known digestID and
* algorithm, we cannot return INSECURE (with a
@ -571,6 +583,15 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
/* None of the DS's worked out. */
/* If none of the DSes have been checked, eg. that means no matches
* for keytags, and the other dses are all algo_refusal, it is an
* insecure delegation point, since the only matched DS records
* have an algo refusal, or are unsupported. */
if(has_algo_refusal && !has_checked_ds) {
verbose(VERB_ALGO, "No supported DS records were found -- "
"treating as insecure.");
return sec_status_insecure;
}
/* If no DSs were understandable, then this is OK. */
if(!has_useful_ds) {
verbose(VERB_ALGO, "No usable DS records were found -- "
@ -624,7 +645,8 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
{
/* as long as this is false, we can consider this anchor to be
* equivalent to no anchor. */
int has_useful_ta = 0, digest_algo = 0, alg;
int has_useful_ta = 0, digest_algo = 0, alg, has_algo_refusal = 0,
nonechecked, has_checked_ds = 0;
struct algo_needs needs;
size_t i, num;
enum sec_status sec;
@ -670,9 +692,13 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
continue;
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
ta_ds, i, reason, reason_bogus, qstate);
if(sec == sec_status_insecure)
ta_ds, i, reason, reason_bogus, qstate, &nonechecked);
if(sec == sec_status_insecure) {
has_algo_refusal = 1;
continue;
}
if(!nonechecked)
has_checked_ds = 1;
/* Once we see a single DS with a known digestID and
* algorithm, we cannot return INSECURE (with a
@ -728,6 +754,15 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
}
}
/* If none of the DSes have been checked, eg. that means no matches
* for keytags, and the other dses are all algo_refusal, it is an
* insecure delegation point, since the only matched DS records
* have an algo refusal, or are unsupported. */
if(has_algo_refusal && !has_checked_ds) {
verbose(VERB_ALGO, "No supported trust anchors were found -- "
"treating as insecure.");
return sec_status_insecure;
}
/* If no DSs were understandable, then this is OK. */
if(!has_useful_ta) {
verbose(VERB_ALGO, "No usable trust anchors were found -- "

13
sbin/unwind/libunbound/validator/validator.c
View File

@ -205,6 +205,17 @@ val_init(struct module_env* env, int id)
log_err("validator: could not apply configuration settings.");
return 0;
}
if(env->cfg->disable_edns_do) {
struct trust_anchor* anchor = anchors_find_any_noninsecure(
env->anchors);
if(anchor) {
char b[LDNS_MAX_DOMAINLEN+2];
dname_str(anchor->name, b);
log_warn("validator: disable-edns-do is enabled, but there is a trust anchor for '%s'. Since DNSSEC could not work, the disable-edns-do setting is turned off. Continuing without it.", b);
lock_basic_unlock(&anchor->lock);
env->cfg->disable_edns_do = 0;
}
}
return 1;
}
@ -2999,6 +3010,8 @@ return_bogus:
* @param msg: result message (if rcode is OK).
* @param qinfo: from the sub query state, query info.
* @param origin: the origin of msg.
* @param suspend: returned true if the task takes too long and needs to
* suspend to continue the effort later.
*/
static void
process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,

26
sys/arch/amd64/amd64/vmm_machdep.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: vmm_machdep.c,v 1.23 2024/04/09 21:55:16 dv Exp $ */
/* $OpenBSD: vmm_machdep.c,v 1.24 2024/04/13 21:57:22 dv Exp $ */
/*
* Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
*
@ -941,6 +941,7 @@ vmx_pmap_find_pte_ept(pmap_t pmap, paddr_t addr)
int
vmm_start(void)
{
int rv = 0;
struct cpu_info *self = curcpu();
#ifdef MULTIPROCESSOR
struct cpu_info *ci;
@ -950,16 +951,19 @@ vmm_start(void)
#endif /* MP_LOCKDEBUG */
#endif /* MULTIPROCESSOR */
rw_enter_write(&vmm_softc->sc_slock);
/* VMM is already running */
if (self->ci_flags & CPUF_VMM)
return (0);
goto unlock;
/* Start VMM on this CPU */
start_vmm_on_cpu(self);
if (!(self->ci_flags & CPUF_VMM)) {
printf("%s: failed to enter VMM mode\n",
self->ci_dev->dv_xname);
return (EIO);
rv = EIO;
goto unlock;
}
#ifdef MULTIPROCESSOR
@ -984,8 +988,9 @@ vmm_start(void)
}
}
#endif /* MULTIPROCESSOR */
return (0);
unlock:
rw_exit_write(&vmm_softc->sc_slock);
return (rv);
}
/*
@ -996,6 +1001,7 @@ vmm_start(void)
int
vmm_stop(void)
{
int rv = 0;
struct cpu_info *self = curcpu();
#ifdef MULTIPROCESSOR
struct cpu_info *ci;
@ -1005,16 +1011,19 @@ vmm_stop(void)
#endif /* MP_LOCKDEBUG */
#endif /* MULTIPROCESSOR */
rw_enter_write(&vmm_softc->sc_slock);
/* VMM is not running */
if (!(self->ci_flags & CPUF_VMM))
return (0);
goto unlock;
/* Stop VMM on this CPU */
stop_vmm_on_cpu(self);
if (self->ci_flags & CPUF_VMM) {
printf("%s: failed to exit VMM mode\n",
self->ci_dev->dv_xname);
return (EIO);
rv = EIO;
goto unlock;
}
#ifdef MULTIPROCESSOR
@ -1039,7 +1048,8 @@ vmm_stop(void)
}
}
#endif /* MULTIPROCESSOR */
unlock:
rw_exit_write(&vmm_softc->sc_slock);
return (0);
}

253
sys/arch/arm64/arm64/cpu.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: cpu.c,v 1.113 2024/03/18 21:57:22 kettenis Exp $ */
/* $OpenBSD: cpu.c,v 1.114 2024/04/13 14:19:39 kettenis Exp $ */
/*
* Copyright (c) 2016 Dale Rahn <drahn@dalerahn.com>
@ -278,6 +278,138 @@ void cpu_kstat_attach(struct cpu_info *ci);
void cpu_opp_kstat_attach(struct cpu_info *ci);
#endif
/*
* Enable mitigation for Spectre-V2 branch target injection
* vulnerabilities (CVE-2017-5715).
*/
void
cpu_mitigate_spectre_v2(struct cpu_info *ci)
{
uint64_t id;
/*
* By default we let the firmware decide what mitigation is
* necessary.
*/
ci->ci_flush_bp = cpu_flush_bp_psci;
/* Some specific CPUs are known not to be vulnerable. */
switch (CPU_IMPL(ci->ci_midr)) {
case CPU_IMPL_ARM:
switch (CPU_PART(ci->ci_midr)) {
case CPU_PART_CORTEX_A35:
case CPU_PART_CORTEX_A53:
case CPU_PART_CORTEX_A55:
/* Not vulnerable. */
ci->ci_flush_bp = cpu_flush_bp_noop;
break;
}
break;
case CPU_IMPL_QCOM:
switch (CPU_PART(ci->ci_midr)) {
case CPU_PART_KRYO400_SILVER:
/* Not vulnerable. */
ci->ci_flush_bp = cpu_flush_bp_noop;
break;
}
}
/*
* The architecture has been updated to explicitly tell us if
* we're not vulnerable to Spectre-V2.
*/
id = READ_SPECIALREG(id_aa64pfr0_el1);
if (ID_AA64PFR0_CSV2(id) >= ID_AA64PFR0_CSV2_IMPL)
ci->ci_flush_bp = cpu_flush_bp_noop;
}
/*
* Enable mitigation for Spectre-BHB branch history injection
* vulnerabilities (CVE-2022-23960).
*/
void
cpu_mitigate_spectre_bhb(struct cpu_info *ci)
{
uint64_t id;
/*
* If we know the CPU, we can add a branchy loop that cleans
* the BHB.
*/
switch (CPU_IMPL(ci->ci_midr)) {
case CPU_IMPL_ARM:
switch (CPU_PART(ci->ci_midr)) {
case CPU_PART_CORTEX_A57:
case CPU_PART_CORTEX_A72:
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_loop_8;
break;
case CPU_PART_CORTEX_A76:
case CPU_PART_CORTEX_A76AE:
case CPU_PART_CORTEX_A77:
case CPU_PART_NEOVERSE_N1:
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_loop_24;
break;
case CPU_PART_CORTEX_A78:
case CPU_PART_CORTEX_A78AE:
case CPU_PART_CORTEX_A78C:
case CPU_PART_CORTEX_X1:
case CPU_PART_CORTEX_X2:
case CPU_PART_CORTEX_A710:
case CPU_PART_NEOVERSE_N2:
case CPU_PART_NEOVERSE_V1:
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_loop_32;
break;
}
break;
case CPU_IMPL_AMPERE:
switch (CPU_PART(ci->ci_midr)) {
case CPU_PART_AMPERE1:
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_loop_11;
break;
}
break;
}
/*
* If we're not using a loop, let firmware decide. This also
* covers the original Spectre-V2 in addition to Spectre-BHB.
*/
#if NPSCI > 0
if (ci->ci_trampoline_vectors == (vaddr_t)trampoline_vectors_none &&
smccc_needs_arch_workaround_3()) {
ci->ci_flush_bp = cpu_flush_bp_noop;
if (psci_method() == PSCI_METHOD_HVC)
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_psci_hvc;
if (psci_method() == PSCI_METHOD_SMC)
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_psci_smc;
}
#endif
/* Prefer CLRBHB to mitigate Spectre-BHB. */
id = READ_SPECIALREG(id_aa64isar2_el1);
if (ID_AA64ISAR2_CLRBHB(id) >= ID_AA64ISAR2_CLRBHB_IMPL)
ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_clrbhb;
/* ECBHB tells us Spectre-BHB is mitigated. */
id = READ_SPECIALREG(id_aa64mmfr1_el1);
if (ID_AA64MMFR1_ECBHB(id) >= ID_AA64MMFR1_ECBHB_IMPL)
ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_none;
/*
* The architecture has been updated to explicitly tell us if
* we're not vulnerable to Spectre-BHB.
*/
id = READ_SPECIALREG(id_aa64pfr0_el1);
if (ID_AA64PFR0_CSV2(id) >= ID_AA64PFR0_CSV2_HCXT)
ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_none;
}
/*
* Enable mitigation for Spectre-V4 speculative store bypass
* vulnerabilities (CVE-2018-3639).
@ -459,123 +591,8 @@ cpu_identify(struct cpu_info *ci)
clidr >>= 3;
}
/*
* Some ARM processors are vulnerable to branch target
* injection attacks (CVE-2017-5715).
*/
switch (impl) {
case CPU_IMPL_ARM:
switch (part) {
case CPU_PART_CORTEX_A35:
case CPU_PART_CORTEX_A53:
case CPU_PART_CORTEX_A55:
/* Not vulnerable. */
ci->ci_flush_bp = cpu_flush_bp_noop;
break;
default:
/*
* Potentially vulnerable; call into the
* firmware and hope we're running on top of
* Arm Trusted Firmware with a fix for
* Security Advisory TFV 6.
*/
ci->ci_flush_bp = cpu_flush_bp_psci;
break;
}
break;
default:
/* Not much we can do for an unknown processor. */
ci->ci_flush_bp = cpu_flush_bp_noop;
break;
}
/*
* The architecture has been updated to explicitly tell us if
* we're not vulnerable to regular Spectre.
*/
id = READ_SPECIALREG(id_aa64pfr0_el1);
if (ID_AA64PFR0_CSV2(id) >= ID_AA64PFR0_CSV2_IMPL)
ci->ci_flush_bp = cpu_flush_bp_noop;
/*
* But we might still be vulnerable to Spectre-BHB. If we know the
* CPU, we can add a branchy loop that cleans the BHB.
*/
switch (impl) {
case CPU_IMPL_ARM:
switch (part) {
case CPU_PART_CORTEX_A57:
case CPU_PART_CORTEX_A72:
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_loop_8;
break;
case CPU_PART_CORTEX_A76:
case CPU_PART_CORTEX_A76AE:
case CPU_PART_CORTEX_A77:
case CPU_PART_NEOVERSE_N1:
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_loop_24;
break;
case CPU_PART_CORTEX_A78:
case CPU_PART_CORTEX_A78AE:
case CPU_PART_CORTEX_A78C:
case CPU_PART_CORTEX_X1:
case CPU_PART_CORTEX_X2:
case CPU_PART_CORTEX_A710:
case CPU_PART_NEOVERSE_N2:
case CPU_PART_NEOVERSE_V1:
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_loop_32;
break;
}
break;
case CPU_IMPL_AMPERE:
switch (part) {
case CPU_PART_AMPERE1:
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_loop_11;
break;
}
break;
}
/*
* If we're not using a loop, try and call into PSCI. This also
* covers the original Spectre in addition to Spectre-BHB.
*/
#if NPSCI > 0
if (ci->ci_trampoline_vectors == (vaddr_t)trampoline_vectors_none &&
smccc_needs_arch_workaround_3()) {
ci->ci_flush_bp = cpu_flush_bp_noop;
if (psci_method() == PSCI_METHOD_HVC)
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_psci_hvc;
if (psci_method() == PSCI_METHOD_SMC)
ci->ci_trampoline_vectors =
(vaddr_t)trampoline_vectors_psci_smc;
}
#endif
/* Prefer CLRBHB to mitigate Spectre-BHB. */
id = READ_SPECIALREG(id_aa64isar2_el1);
if (ID_AA64ISAR2_CLRBHB(id) >= ID_AA64ISAR2_CLRBHB_IMPL)
ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_clrbhb;
/* ECBHB tells us Spectre-BHB is mitigated. */
id = READ_SPECIALREG(id_aa64mmfr1_el1);
if (ID_AA64MMFR1_ECBHB(id) >= ID_AA64MMFR1_ECBHB_IMPL)
ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_none;
/*
* The architecture has been updated to explicitly tell us if
* we're not vulnerable.
*/
id = READ_SPECIALREG(id_aa64pfr0_el1);
if (ID_AA64PFR0_CSV2(id) >= ID_AA64PFR0_CSV2_HCXT) {
ci->ci_flush_bp = cpu_flush_bp_noop;
ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_none;
}
cpu_mitigate_spectre_v2(ci);
cpu_mitigate_spectre_bhb(ci);
cpu_mitigate_spectre_v4(ci);
/*

19
sys/dev/acpi/acpitoshiba.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: acpitoshiba.c,v 1.16 2022/04/06 18:59:27 naddy Exp $ */
/* $OpenBSD: acpitoshiba.c,v 1.17 2024/04/13 23:44:11 jsg Exp $ */
/*-
* Copyright (c) 2003 Hiroyuki Aizu <aizu@navi.org>
* All rights reserved.
@ -202,19 +202,18 @@ toshiba_update_brightness(void *arg0, int arg1)
int
toshiba_match(struct device *parent, void *match, void *aux)
{
struct acpi_attach_args *aa = aux;
struct cfdata *cf = match;
struct acpi_attach_args *aa = aux;
struct cfdata *cf = match;
if (acpi_matchhids(aa, acpitoshiba_hids, cf->cf_driver->cd_name))
return (1);
if (acpi_matchhids(aa, acpitoshiba_hids, cf->cf_driver->cd_name))
return (1);
if (aa->aaa_name == NULL ||
strcmp(aa->aaa_name, cf->cf_driver->cd_name) != 0 ||
aa->aaa_table != NULL)
return (0);
return (1);
strcmp(aa->aaa_name, cf->cf_driver->cd_name) != 0 ||
aa->aaa_table != NULL)
return (0);
return (1);
}
int

4
sys/dev/acpi/acpivout.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: acpivout.c,v 1.25 2022/04/06 18:59:27 naddy Exp $ */
/* $OpenBSD: acpivout.c,v 1.26 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2009 Paul Irofti <paul@irofti.net>
*
@ -259,7 +259,7 @@ acpivout_get_bcl(struct acpivout_softc *sc)
value = aml_val2int(res.v_package[i + 2]);
for (j = i; j > 0 && sc->sc_bcl[j - 1] > value; j--)
sc->sc_bcl[j] = sc->sc_bcl[j - 1];
sc->sc_bcl[j] = value;
sc->sc_bcl[j] = value;
}
err:

4
sys/dev/acpi/dsdt.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dsdt.c,v 1.265 2024/01/08 19:52:29 kettenis Exp $ */
/* $OpenBSD: dsdt.c,v 1.266 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2005 Jordan Hargrave <jordan@openbsd.org>
*
@ -4249,7 +4249,7 @@ aml_parse(struct aml_scope *scope, int ret_type, const char *stype)
/* Name: Nt */
rv = opargs[0];
aml_freevalue(rv);
aml_copyvalue(rv, opargs[1]);
aml_copyvalue(rv, opargs[1]);
break;
case AMLOP_ALIAS:
/* Alias: nN */

10
sys/dev/fdt/psci.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: psci.c,v 1.15 2024/03/18 21:57:22 kettenis Exp $ */
/* $OpenBSD: psci.c,v 1.16 2024/04/13 14:20:48 kettenis Exp $ */
/*
* Copyright (c) 2016 Jonathan Gray <jsg@openbsd.org>
@ -212,14 +212,6 @@ psci_flush_bp_smccc_arch_workaround_1(void)
(*sc->sc_callfn)(SMCCC_ARCH_WORKAROUND_1, 0, 0, 0);
}
void
psci_flush_bp_smccc_arch_workaround_3(void)
{
struct psci_softc *sc = psci_sc;
(*sc->sc_callfn)(SMCCC_ARCH_WORKAROUND_3, 0, 0, 0);
}
void
psci_flush_bp(void)
{

1
sys/dev/fdt/pscivar.h
View File

@ -17,7 +17,6 @@ int32_t psci_cpu_on(register_t, register_t, register_t);
int32_t psci_cpu_off(void);
int32_t psci_cpu_suspend(register_t, register_t, register_t);
void psci_flush_bp(void);
int psci_flush_bp_has_bhb(void);
int psci_method(void);
int32_t smccc(uint32_t, register_t, register_t, register_t);

4
sys/dev/ic/adw.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: adw.c,v 1.69 2022/04/16 19:19:58 naddy Exp $ */
/* $OpenBSD: adw.c,v 1.70 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: adw.c,v 1.23 2000/05/27 18:24:50 dante Exp $ */
/*
@ -449,7 +449,7 @@ adw_attach(ADW_SOFTC *sc)
/*
* Zero's the freeze_device status
*/
bzero(sc->sc_freeze_dev, sizeof(sc->sc_freeze_dev));
bzero(sc->sc_freeze_dev, sizeof(sc->sc_freeze_dev));
/*
* Initialize the adapter

8
sys/dev/ic/adwlib.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: adwlib.c,v 1.29 2022/08/29 06:08:03 jsg Exp $ */
/* $OpenBSD: adwlib.c,v 1.30 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: adwlib.c,v 1.20 2000/07/04 04:17:03 itojun Exp $ */
/*
@ -315,9 +315,9 @@ AdwInitFromEEPROM(ADW_SOFTC *sc)
*/
lsw_msb |= (ADW_EEPROM_INTAB >> 8)
& 0xFF;
}
eep_config.cfg_lsw &= 0x00FF;
eep_config.cfg_lsw |= lsw_msb << 8;
}
eep_config.cfg_lsw &= 0x00FF;
eep_config.cfg_lsw |= lsw_msb << 8;
}
break;
}

4
sys/dev/ic/an.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: an.c,v 1.79 2022/04/21 21:03:02 stsp Exp $ */
/* $OpenBSD: an.c,v 1.80 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: an.c,v 1.34 2005/06/20 02:49:18 atatat Exp $ */
/*
* Copyright (c) 1997, 1998, 1999
@ -905,7 +905,7 @@ an_ioctl(struct ifnet *ifp, u_long command, caddr_t data)
if ((error = suser(curproc)) != 0)
break;
error = an_set_nwkey(sc, (struct ieee80211_nwkey *)data);
break;
break;
case SIOCG80211NWKEY:
error = an_get_nwkey(sc, (struct ieee80211_nwkey *)data);
break;

4
sys/dev/ic/bwi.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: bwi.c,v 1.134 2023/11/10 15:51:20 bluhm Exp $ */
/* $OpenBSD: bwi.c,v 1.135 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2007 The DragonFly Project. All rights reserved.
@ -6400,7 +6400,7 @@ bwi_led_attach(struct bwi_softc *sc)
if (led->l_act == BWI_LED_ACT_BLINK_SLOW ||
led->l_act == BWI_LED_ACT_BLINK_POLL ||
led->l_act == BWI_LED_ACT_BLINK) {
led->l_flags |= BWI_LED_F_BLINK;
led->l_flags |= BWI_LED_F_BLINK;
if (led->l_act == BWI_LED_ACT_BLINK_POLL)
led->l_flags |= BWI_LED_F_POLLABLE;
else if (led->l_act == BWI_LED_ACT_BLINK_SLOW)

4
sys/dev/ic/ncr53c9x.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ncr53c9x.c,v 1.81 2024/04/03 18:41:38 miod Exp $ */
/* $OpenBSD: ncr53c9x.c,v 1.82 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: ncr53c9x.c,v 1.56 2000/11/30 14:41:46 thorpej Exp $ */
/*
@ -2456,7 +2456,7 @@ printf("<<RESELECT CONT'd>>");
if (sc->sc_state == NCR_IDLE) {
printf("%s: stray interrupt\n",
sc->sc_dev.dv_xname);
return (0);
return (0);
}
break;

4
sys/dev/ic/siop.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: siop.c,v 1.89 2022/04/16 19:19:59 naddy Exp $ */
/* $OpenBSD: siop.c,v 1.90 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: siop.c,v 1.79 2005/11/18 23:10:32 bouyer Exp $ */
/*
@ -579,7 +579,7 @@ siop_intr(void *v)
* unexpected disconnect. Usually the target signals
* a fatal condition this way. Attempt to get sense.
*/
if (siop_cmd) {
if (siop_cmd) {
siop_cmd->cmd_tables->status =
siop_htoc32(&sc->sc_c, SCSI_CHECK);
goto end;

4
sys/dev/ic/siop_common.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: siop_common.c,v 1.44 2022/01/09 05:42:42 jsg Exp $ */
/* $OpenBSD: siop_common.c,v 1.45 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: siop_common.c,v 1.37 2005/02/27 00:27:02 perry Exp $ */
/*
@ -281,7 +281,7 @@ siop_setuptables(struct siop_common_cmd *siop_cmd)
if ((*targ_flags & TARF_DT) &&
(sc->mode == STEST4_MODE_LVD)) {
sc->targets[target]->status = TARST_PPR_NEG;
siop_ppr_msg(siop_cmd, msgoffset, sc->dt_minsync,
siop_ppr_msg(siop_cmd, msgoffset, sc->dt_minsync,
sc->maxoff);
} else if (*targ_flags & TARF_WIDE) {
sc->targets[target]->status = TARST_WIDE_NEG;

17
sys/dev/isa/ad1848.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ad1848.c,v 1.48 2022/10/28 14:55:46 kn Exp $ */
/* $OpenBSD: ad1848.c,v 1.49 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: ad1848.c,v 1.45 1998/01/30 02:02:38 augustss Exp $ */
/*
@ -1244,19 +1244,20 @@ ad1848_set_speed(struct ad1848_softc *sc, u_long *argp)
if (arg > speed_table[n - 1].speed)
selected = n - 1;
for (i = 1 /*really*/ ; selected == -1 && i < n; i++)
for (i = 1 /*really*/ ; selected == -1 && i < n; i++) {
if (speed_table[i].speed == arg)
selected = i;
else if (speed_table[i].speed > arg) {
int diff1, diff2;
diff1 = arg - speed_table[i - 1].speed;
diff2 = speed_table[i].speed - arg;
diff1 = arg - speed_table[i - 1].speed;
diff2 = speed_table[i].speed - arg;
if (diff1 < diff2)
selected = i - 1;
else
selected = i;
if (diff1 < diff2)
selected = i - 1;
else
selected = i;
}
}
if (selected == -1) {

6
sys/dev/mii/brgphy.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: brgphy.c,v 1.108 2022/04/06 18:59:29 naddy Exp $ */
/* $OpenBSD: brgphy.c,v 1.109 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2000
@ -836,7 +836,7 @@ brgphy_reset_bge(struct mii_softc *sc)
if (bge_sc->bge_phy_flags & BGE_PHY_BER_BUG)
brgphy_ber_bug(sc);
else if (bge_sc->bge_phy_flags & BGE_PHY_JITTER_BUG) {
PHY_WRITE(sc, BRGPHY_MII_AUXCTL, 0x0c00);
PHY_WRITE(sc, BRGPHY_MII_AUXCTL, 0x0c00);
PHY_WRITE(sc, BRGPHY_MII_DSP_ADDR_REG, 0x000a);
if (bge_sc->bge_phy_flags & BGE_PHY_ADJUST_TRIM) {
@ -925,7 +925,7 @@ brgphy_reset_bnx(struct mii_softc *sc)
PHY_WRITE(sc, BRGPHY_5708S_PG5_TXACTL3,
bnx_sc->bnx_port_hw_cfg &
BNX_PORT_HW_CFG_CFG_TXCTL3_MASK);
PHY_WRITE(sc, BRGPHY_5708S_BLOCK_ADDR,
PHY_WRITE(sc, BRGPHY_5708S_BLOCK_ADDR,
BRGPHY_5708S_DIG_PG0);
}
} else if (BNX_CHIP_NUM(bnx_sc) == BNX_CHIP_NUM_5709 &&

8
sys/dev/pci/arc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: arc.c,v 1.124 2022/09/06 15:22:11 kn Exp $ */
/* $OpenBSD: arc.c,v 1.125 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2006 David Gwynne <dlg@openbsd.org>
@ -1409,18 +1409,18 @@ arc_enable_all_intr(struct arc_softc *sc)
int_mask &= ~(ARC_RA_INTRMASK_POSTQUEUE |
ARC_RA_INTRMASK_DOORBELL | ARC_RA_INTRMASK_MSG0);
arc_write(sc, ARC_RA_INTRMASK, int_mask);
break;
break;
case ARC_HBA_TYPE_C:
int_mask = arc_read(sc, ARC_RC_INTR_MASK);
int_mask &= ~(ARC_RC_INTR_MASK_POSTQUEUE |
ARC_RC_INTR_MASK_DOORBELL | ARC_RC_INTR_MASK_UTILITY_A);
arc_write(sc, ARC_RC_INTR_MASK, int_mask);
break;
break;
case ARC_HBA_TYPE_D:
int_mask = arc_read(sc, ARC_RD_INTR_ENABLE);
int_mask |= ARC_RD_INTR_ENABLE_ALL;
arc_write(sc, ARC_RD_INTR_ENABLE, int_mask);
break;
break;
}
}

4
sys/dev/pci/auvia.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auvia.c,v 1.66 2022/10/26 20:19:08 kn Exp $ */
/* $OpenBSD: auvia.c,v 1.67 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: auvia.c,v 1.28 2002/11/04 16:38:49 kent Exp $ */
/*-
@ -611,7 +611,7 @@ auvia_set_params(void *addr, int setmode, int usemode,
if (p->channels == 6
&& codec->vtbl->set_rate(codec, reg,
&p->sample_rate))
return (EINVAL);
return (EINVAL);
}
}

8
sys/dev/pci/if_em_hw.c
View File

@ -31,7 +31,7 @@
*******************************************************************************/
/* $OpenBSD: if_em_hw.c,v 1.119 2023/12/03 00:19:25 jsg Exp $ */
/* $OpenBSD: if_em_hw.c,v 1.120 2024/04/13 23:44:11 jsg Exp $ */
/*
* if_em_hw.c Shared functions for accessing and configuring the MAC
*/
@ -6432,9 +6432,9 @@ em_init_eeprom_params(struct em_hw *hw)
case em_pch2lan:
case em_pch_lpt:
{
int32_t i = 0;
uint32_t flash_size =
E1000_READ_ICH_FLASH_REG(hw, ICH_FLASH_GFPREG);
int32_t i = 0;
uint32_t flash_size =
E1000_READ_ICH_FLASH_REG(hw, ICH_FLASH_GFPREG);
eeprom->type = em_eeprom_ich8;
eeprom->use_eerd = FALSE;
eeprom->use_eewr = FALSE;

4
sys/dev/pci/if_iwm.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: if_iwm.c,v 1.414 2024/02/16 11:44:52 stsp Exp $ */
/* $OpenBSD: if_iwm.c,v 1.415 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@ -8169,7 +8169,7 @@ iwm_rval2ridx(int rval)
break;
}
return ridx;
return ridx;
}
void

10
sys/dev/pci/if_iwx.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: if_iwx.c,v 1.182 2024/02/26 18:00:09 stsp Exp $ */
/* $OpenBSD: if_iwx.c,v 1.183 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@ -786,7 +786,7 @@ iwx_alloc_fw_monitor(struct iwx_softc *sc, uint8_t max_power)
}
if (max_power > 26) {
DPRINTF(("%s: External buffer size for monitor is too big %d, "
DPRINTF(("%s: External buffer size for monitor is too big %d, "
"check the FW TLV\n", DEVNAME(sc), max_power));
return 0;
}
@ -7211,7 +7211,7 @@ iwx_rval2ridx(int rval)
break;
}
return ridx;
return ridx;
}
void
@ -9831,7 +9831,7 @@ iwx_rx_pkt(struct iwx_softc *sc, struct iwx_rx_data *data, struct mbuf_list *ml)
* For v5 and above, we can check the version, for older
* versions we need to check the size.
*/
if (iwx_lookup_notif_ver(sc, IWX_LEGACY_GROUP,
if (iwx_lookup_notif_ver(sc, IWX_LEGACY_GROUP,
IWX_ALIVE) == 6) {
SYNC_RESP_STRUCT(resp6, pkt);
if (iwx_rx_packet_payload_len(pkt) !=
@ -10880,7 +10880,7 @@ iwx_find_device_cfg(struct iwx_softc *sc)
cores = IWX_SUBDEVICE_CORES(sdev_id);
for (i = nitems(iwx_dev_info_table) - 1; i >= 0; i--) {
const struct iwx_dev_info *dev_info = &iwx_dev_info_table[i];
const struct iwx_dev_info *dev_info = &iwx_dev_info_table[i];
if (dev_info->device != (uint16_t)IWX_CFG_ANY &&
dev_info->device != sc->sc_pid)

12
sys/dev/pci/if_ngbe.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: if_ngbe.c,v 1.3 2024/04/12 19:27:43 jan Exp $ */
/* $OpenBSD: if_ngbe.c,v 1.4 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2015-2017 Beijing WangXun Technology Co., Ltd.
@ -2952,7 +2952,7 @@ ngbe_host_interface_command(struct ngbe_softc *sc, uint32_t *buffer,
if (length == 0 || length > NGBE_HI_MAX_BLOCK_BYTE_LENGTH) {
printf("%s: buffer length failure\n", DEVNAME(sc));
return EINVAL;
return EINVAL;
}
if (hw->mac.ops.acquire_swfw_sync(sc, NGBE_MNG_SWFW_SYNC_SW_MB))
@ -3706,7 +3706,7 @@ ngbe_reset_hw(struct ngbe_softc *sc)
* mng is using it. If link is down or the flag to force full link
* reset is set, then perform link reset.
*/
if (hw->force_full_reset) {
if (hw->force_full_reset) {
rst_delay = (NGBE_READ_REG(hw, NGBE_MIS_RST_ST) &
NGBE_MIS_RST_ST_RST_INIT) >> NGBE_MIS_RST_ST_RST_INI_SHIFT;
if (hw->reset_type == NGBE_SW_RESET) {
@ -4528,9 +4528,9 @@ ngbe_update_mc_addr_list(struct ngbe_hw *hw, uint8_t *mc_addr_list,
if (clear)
memset(&hw->mac.mta_shadow, 0, sizeof(hw->mac.mta_shadow));
/* Update mta_shadow */
for (i = 0; i < mc_addr_count; i++)
ngbe_set_mta(hw, next(hw, &mc_addr_list, &vmdq));
/* Update mta_shadow */
for (i = 0; i < mc_addr_count; i++)
ngbe_set_mta(hw, next(hw, &mc_addr_list, &vmdq));
/* Enable mta */
for (i = 0; i < hw->mac.mcft_size; i++)

4
sys/dev/pci/if_qwx_pci.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: if_qwx_pci.c,v 1.14 2024/02/22 09:15:34 stsp Exp $ */
/* $OpenBSD: if_qwx_pci.c,v 1.15 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright 2023 Stefan Sperling <stsp@openbsd.org>
@ -2901,7 +2901,7 @@ qwx_mhi_start(struct qwx_pci_softc *psc)
#endif
/* Transition to primary runtime. */
if (MHI_IN_PBL(ee)) {
if (MHI_IN_PBL(ee)) {
ret = qwx_mhi_fw_load_handler(psc);
if (ret)
return ret;

4
sys/dev/pci/if_rge.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: if_rge.c,v 1.23 2023/12/22 05:28:14 kevlo Exp $ */
/* $OpenBSD: if_rge.c,v 1.24 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2019, 2020, 2023 Kevin Lo <kevlo@openbsd.org>
@ -1250,7 +1250,7 @@ rge_rxeof(struct rge_queues *q)
* If this is part of a multi-fragment packet,
* discard all the pieces.
*/
if (q->q_rx.rge_head != NULL) {
if (q->q_rx.rge_head != NULL) {
m_freem(q->q_rx.rge_head);
q->q_rx.rge_head = q->q_rx.rge_tail = NULL;
}

4
sys/dev/pci/if_sis.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: if_sis.c,v 1.143 2023/11/10 15:51:20 bluhm Exp $ */
/* $OpenBSD: if_sis.c,v 1.144 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 1997, 1998, 1999
* Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved.
@ -1791,7 +1791,7 @@ sis_init(void *xsc)
* This resolves an issue with tons of errors in AcceptPerfectMatch
* (non-IFF_PROMISC) mode.
*/
if (sc->sis_type == SIS_TYPE_83815 && sc->sis_srr <= NS_SRR_15D) {
if (sc->sis_type == SIS_TYPE_83815 && sc->sis_srr <= NS_SRR_15D) {
CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001);
CSR_WRITE_4(sc, NS_PHY_CR, 0x189C);
/* set val for c2 */

18
sys/dev/pci/ixgb_hw.c
View File

@ -31,7 +31,7 @@
*******************************************************************************/
/* $OpenBSD: ixgb_hw.c,v 1.9 2022/01/09 05:42:56 jsg Exp $ */
/* $OpenBSD: ixgb_hw.c,v 1.10 2024/04/13 23:44:11 jsg Exp $ */
/* ixgb_hw.c
* Shared functions for accessing and configuring the adapter
@ -83,14 +83,14 @@ ixgb_mac_reset(struct ixgb_hw *hw)
{
uint32_t ctrl_reg;
ctrl_reg = IXGB_CTRL0_RST |
IXGB_CTRL0_SDP3_DIR | /* All pins are Output=1 */
IXGB_CTRL0_SDP2_DIR |
IXGB_CTRL0_SDP1_DIR |
IXGB_CTRL0_SDP0_DIR |
IXGB_CTRL0_SDP3 | /* Initial value 1101 */
IXGB_CTRL0_SDP2 |
IXGB_CTRL0_SDP0;
ctrl_reg = IXGB_CTRL0_RST |
IXGB_CTRL0_SDP3_DIR | /* All pins are Output=1 */
IXGB_CTRL0_SDP2_DIR |
IXGB_CTRL0_SDP1_DIR |
IXGB_CTRL0_SDP0_DIR |
IXGB_CTRL0_SDP3 | /* Initial value 1101 */
IXGB_CTRL0_SDP2 |
IXGB_CTRL0_SDP0;
#ifdef HP_ZX1
/* Workaround for 82597EX reset errata */

4
sys/dev/pci/maestro.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: maestro.c,v 1.50 2022/10/28 15:09:46 kn Exp $ */
/* $OpenBSD: maestro.c,v 1.51 2024/04/13 23:44:11 jsg Exp $ */
/* $FreeBSD: /c/ncvs/src/sys/dev/sound/pci/maestro.c,v 1.3 2000/11/21 12:22:11 julian Exp $ */
/*
* FreeBSD's ESS Agogo/Maestro driver
@ -900,7 +900,7 @@ maestro_set_speed(struct maestro_channel *ch, u_long *prate)
} else {
/* compute 16 bits fixed point value of speed/48000,
* being careful not to overflow */
ch->dv = (((ch->speed % 48000) << 16U) + 24000) / 48000
ch->dv = (((ch->speed % 48000) << 16U) + 24000) / 48000
+ ((ch->speed / 48000) << 16U);
/* And this is the real rate obtained */
ch->speed = (ch->dv >> 16U) * 48000 +

14
sys/dev/pci/pciide.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: pciide.c,v 1.363 2022/03/11 18:00:51 mpi Exp $ */
/* $OpenBSD: pciide.c,v 1.364 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: pciide.c,v 1.127 2001/08/03 01:31:08 tsutsui Exp $ */
/*
@ -2939,8 +2939,8 @@ piix_setup_channel(struct channel_softc *chp)
(drvp[1].drive_flags & DRIVE_DMA)) {
mode[0] = mode[1] =
min(drvp[0].DMA_mode, drvp[1].DMA_mode);
drvp[0].DMA_mode = mode[0];
drvp[1].DMA_mode = mode[1];
drvp[0].DMA_mode = mode[0];
drvp[1].DMA_mode = mode[1];
goto ok;
}
/*
@ -4127,7 +4127,7 @@ cmd680_channel_map(struct pci_attach_args *pa, struct pciide_softc *sc,
printf("%s %s: "
"cannot allocate channel queue",
sc->sc_wdcdev.sc_dev.dv_xname, cp->name);
return;
return;
}
/* XXX */
@ -7972,9 +7972,9 @@ acard_setup_channel(struct channel_softc *chp)
acard_act_pio[drvp->PIO_mode],
acard_rec_pio[drvp->PIO_mode]);
}
pci_conf_write(sc->sc_pc, sc->sc_tag, ATP8x0_CTRL,
pci_conf_read(sc->sc_pc, sc->sc_tag, ATP8x0_CTRL)
| ATP8x0_CTRL_EN(channel));
pci_conf_write(sc->sc_pc, sc->sc_tag, ATP8x0_CTRL,
pci_conf_read(sc->sc_pc, sc->sc_tag, ATP8x0_CTRL) |
ATP8x0_CTRL_EN(channel));
}
}

4
sys/dev/pci/qle.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: qle.c,v 1.63 2022/04/16 19:19:59 naddy Exp $ */
/* $OpenBSD: qle.c,v 1.64 2024/04/14 00:38:26 jsg Exp $ */
/*
* Copyright (c) 2013, 2014 Jonathan Matthew <jmatthew@openbsd.org>
@ -359,7 +359,7 @@ qle_attach(struct device *parent, struct device *self, void *aux)
pcireg_t bars[] = { QLE_PCI_MEM_BAR, QLE_PCI_IO_BAR };
pcireg_t memtype;
int r, i, rv, loop_up;
int r, i, rv, loop_up = 0;
sc->sc_pc = pa->pa_pc;
sc->sc_tag = pa->pa_tag;

4
sys/dev/usb/if_umb.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: if_umb.c,v 1.56 2023/10/24 09:13:22 jmatthew Exp $ */
/* $OpenBSD: if_umb.c,v 1.57 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2016 genua mbH
@ -3135,7 +3135,7 @@ umb_intr(struct usbd_xfer *xfer, void *priv, usbd_status status)
if (total_len < UCDC_NOTIFICATION_LENGTH) {
DPRINTF("%s: short notification (%d<%d)\n", DEVNAM(sc),
total_len, UCDC_NOTIFICATION_LENGTH);
return;
return;
}
if (sc->sc_intr_msg.bmRequestType != UCDC_NOTIFICATION) {
DPRINTF("%s: unexpected notification (type=0x%02x)\n",

4
sys/dev/usb/if_ure.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: if_ure.c,v 1.33 2023/09/09 14:23:37 kevlo Exp $ */
/* $OpenBSD: if_ure.c,v 1.34 2024/04/13 23:44:11 jsg Exp $ */
/*-
* Copyright (c) 2015, 2016, 2019 Kevin Lo <kevlo@openbsd.org>
* Copyright (c) 2020 Jonathon Fletcher <jonathon.fletcher@gmail.com>
@ -2078,7 +2078,7 @@ ure_rxeof(struct usbd_xfer *xfer, void *priv, usbd_status status)
if (rxvlan & URE_RXPKT_VLAN_TAG) {
m->m_pkthdr.ether_vtag =
swap16(rxvlan & URE_RXPKT_VLAN_DATA);
m->m_flags |= M_VLANTAG;
m->m_flags |= M_VLANTAG;
}
#endif

7
sys/dev/wscons/wsdisplay_compat_usl.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: wsdisplay_compat_usl.c,v 1.33 2020/09/03 15:30:17 kettenis Exp $ */
/* $OpenBSD: wsdisplay_compat_usl.c,v 1.34 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: wsdisplay_compat_usl.c,v 1.12 2000/03/23 07:01:47 thorpej Exp $ */
/*
@ -440,9 +440,8 @@ wsdisplay_usl_ioctl2(struct wsdisplay_softc *sc, struct wsscreen *scr,
#define PCVT_SYSBEEPF 1193182
if (d >> 16) {
bd.which = WSKBD_BELL_DOPERIOD;
bd.period = d >> 16; /* ms */
}
else
bd.period = d >> 16; /* ms */
} else
bd.which = 0;
if (d & 0xffff) {
bd.which |= WSKBD_BELL_DOPITCH;

4
sys/isofs/udf/udf_subr.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: udf_subr.c,v 1.26 2022/09/01 13:45:26 krw Exp $ */
/* $OpenBSD: udf_subr.c,v 1.27 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2006, Miodrag Vallat
@ -201,7 +201,7 @@ udf_vat_get(struct umount *ump, uint32_t lb)
up->u_vatlen = (letoh64(up->u_fentry->inf_len) - 36) >> 2;
ump->um_vat = malloc(sizeof(struct unode), M_UDFMOUNT, M_WAITOK);
*ump->um_vat = *up;
*ump->um_vat = *up;
ump->um_flags &= ~UDF_MNT_FIND_VAT;
ump->um_flags |= UDF_MNT_USES_VAT;

4
sys/kern/kern_acct.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kern_acct.c,v 1.47 2022/08/14 01:58:27 jsg Exp $ */
/* $OpenBSD: kern_acct.c,v 1.48 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: kern_acct.c,v 1.42 1996/02/04 02:15:12 christos Exp $ */
/*-
@ -270,7 +270,7 @@ encode_comp_t(u_long s, u_long ns)
s += ns / (1000000000 / AHZ); /* Maximize precision. */
while (s > MAXFRACT) {
rnd = s & (1 << (EXPSIZE - 1)); /* Round up? */
rnd = s & (1 << (EXPSIZE - 1)); /* Round up? */
s >>= EXPSIZE; /* Base 8 exponent == 3 bit shift. */
exp++;
}

4
sys/net/pf_osfp.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: pf_osfp.c,v 1.47 2023/10/10 11:25:31 bluhm Exp $ */
/* $OpenBSD: pf_osfp.c,v 1.48 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
@ -382,7 +382,7 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc)
if ((fp = pf_osfp_find_exact(&fpadd))) {
struct pf_osfp_entry *tentry;
SLIST_FOREACH(tentry, &fp->fp_oses, fp_entry) {
SLIST_FOREACH(tentry, &fp->fp_oses, fp_entry) {
if (PF_OSFP_ENTRY_EQ(tentry, &fpioc->fp_os)) {
PF_UNLOCK();
pool_put(&pf_osfp_entry_pl, entry);

4
sys/net80211/ieee80211_input.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ieee80211_input.c,v 1.251 2024/03/15 17:45:36 stsp Exp $ */
/* $OpenBSD: ieee80211_input.c,v 1.252 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $ */
/*-
@ -1901,7 +1901,7 @@ ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m,
* This probe response indicates the AP is still serving us
* so don't allow ieee80211_watchdog() to move us into SCAN.
*/
if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0)
if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0)
ic->ic_mgt_timer = 0;
}
/*

13
sys/netinet/tcp_input.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: tcp_input.c,v 1.403 2024/04/12 16:07:09 bluhm Exp $ */
/* $OpenBSD: tcp_input.c,v 1.404 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@ -1078,12 +1078,13 @@ findpcb:
* Receive window is amount of space in rcv queue,
* but not less than advertised window.
*/
{ int win;
{
int win;
win = sbspace(so, &so->so_rcv);
if (win < 0)
win = 0;
tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
win = sbspace(so, &so->so_rcv);
if (win < 0)
win = 0;
tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
}
switch (tp->t_state) {

10
sys/nfs/nfs_vnops.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: nfs_vnops.c,v 1.194 2024/03/25 17:57:07 guenther Exp $ */
/* $OpenBSD: nfs_vnops.c,v 1.195 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: nfs_vnops.c,v 1.62.4.1 1996/07/08 20:26:52 jtc Exp $ */
/*
@ -336,9 +336,9 @@ nfs_access(void *v)
* Check access cache first. If a request has been made for this uid
* shortly before, use the cached result.
*/
cachevalid = (np->n_accstamp != -1 &&
(gettime() - np->n_accstamp) < nfs_attrtimeo(np) &&
np->n_accuid == ap->a_cred->cr_uid);
cachevalid = (np->n_accstamp != -1 &&
(gettime() - np->n_accstamp) < nfs_attrtimeo(np) &&
np->n_accuid == ap->a_cred->cr_uid);
if (cachevalid) {
if (!np->n_accerror) {
@ -408,7 +408,7 @@ nfs_access(void *v)
* If we got the same result as for a previous, different request, OR
* it in. Don't update the timestamp in that case.
*/
if (!error || error == EACCES) {
if (!error || error == EACCES) {
if (cachevalid && np->n_accstamp != -1 &&
error == np->n_accerror) {
if (!error)

4
sys/ufs/ext2fs/ext2fs_bmap.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ext2fs_bmap.c,v 1.28 2021/12/12 09:14:59 visa Exp $ */
/* $OpenBSD: ext2fs_bmap.c,v 1.29 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: ext2fs_bmap.c,v 1.5 2000/03/30 12:41:11 augustss Exp $ */
/*
@ -192,7 +192,7 @@ ext2fs_bmaparray(struct vnode *vp, daddr_t bn, daddr_t *bnp,
devvp = VFSTOUFS(vp->v_mount)->um_devvp;
#ifdef DIAGNOSTIC
if (num > NIADDR + 1 || num < 1) {
if (num > NIADDR + 1 || num < 1) {
printf("ext2fs_bmaparray: num=%d\n", num);
panic("ext2fs_bmaparray: num");
}

4
sys/ufs/ext2fs/ext2fs_vnops.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ext2fs_vnops.c,v 1.92 2024/03/25 17:57:07 guenther Exp $ */
/* $OpenBSD: ext2fs_vnops.c,v 1.93 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: ext2fs_vnops.c,v 1.1 1997/06/11 09:34:09 bouyer Exp $ */
/*
@ -819,7 +819,7 @@ abortit:
UIO_SYSSPACE, IO_NODELOCKED,
tcnp->cn_cred, NULL, curproc);
if (error == 0) {
namlen = dirbuf.dotdot_namlen;
namlen = dirbuf.dotdot_namlen;
if (namlen != 2 ||
dirbuf.dotdot_name[0] != '.' ||
dirbuf.dotdot_name[1] != '.') {

4
sys/ufs/ffs/ffs_balloc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ffs_balloc.c,v 1.46 2024/02/03 18:51:58 beck Exp $ */
/* $OpenBSD: ffs_balloc.c,v 1.47 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: ffs_balloc.c,v 1.3 1996/02/09 22:22:21 christos Exp $ */
/*
@ -750,7 +750,7 @@ fail:
* that we resolve the dependencies in one pass.
* Write the cylinder group buffers for these buffers too.
*/
for (i = num; i >= unwindidx; i--) {
for (i = num; i >= unwindidx; i--) {
if (i == 0)
break;

25
sys/ufs/ffs/ffs_extern.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ffs_extern.h,v 1.47 2024/04/11 16:31:30 otto Exp $ */
/* $OpenBSD: ffs_extern.h,v 1.49 2024/04/13 15:08:37 jca Exp $ */
/* $NetBSD: ffs_extern.h,v 1.4 1996/02/09 22:22:22 christos Exp $ */
/*
@ -36,6 +36,7 @@
#define FFS_CLUSTERWRITE 2 /* cluster writing enabled */
#define FFS_REALLOCBLKS 3 /* block reallocation enabled */
#define FFS_ASYNCFREE 4 /* asynchronous block freeing enabled */
#define FFS_MAX_SOFTDEPS 5 /* maximum structs before slowdown */
#define FFS_SD_TICKDELAY 6 /* ticks to pause during slowdown */
#define FFS_SD_WORKLIST_PUSH 7 /* # of worklist cleanups */
#define FFS_SD_BLK_LIMIT_PUSH 8 /* # of times block limit neared */
@ -59,17 +60,17 @@
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ "sd_tickdelay", CTLTYPE_INT }, \
{ "sd_worklist_push", CTLTYPE_INT }, \
{ "sd_blk_limit_push", CTLTYPE_INT }, \
{ "sd_ino_limit_push", CTLTYPE_INT }, \
{ "sd_blk_limit_hit", CTLTYPE_INT }, \
{ "sd_ino_limit_hit", CTLTYPE_INT }, \
{ "sd_sync_limit_hit", CTLTYPE_INT }, \
{ "sd_indir_blk_ptrs", CTLTYPE_INT }, \
{ "sd_inode_bitmap", CTLTYPE_INT }, \
{ "sd_direct_blk_ptrs", CTLTYPE_INT }, \
{ "sd_dir_entry", CTLTYPE_INT }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ "dirhash_dirsize", CTLTYPE_INT }, \
{ "dirhash_maxmem", CTLTYPE_INT }, \
{ "dirhash_mem", CTLTYPE_INT }, \

4
sys/uvm/uvm_addr.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: uvm_addr.c,v 1.32 2022/11/04 09:36:44 mpi Exp $ */
/* $OpenBSD: uvm_addr.c,v 1.33 2024/04/13 23:44:11 jsg Exp $ */
/*
* Copyright (c) 2011 Ariane van der Steldt <ariane@stack.nl>
@ -1406,7 +1406,7 @@ uaddr_stack_brk_select(struct vm_map *map, struct uvm_addr_state *uaddr,
if (uvm_addr_linsearch(map, uaddr, entry_out, addr_out,
0, sz, align, offset, dir, start, end - sz,
before_gap, after_gap) == 0)
return 0;
return 0;
}
return ENOMEM;

4
sys/uvm/uvm_aobj.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: uvm_aobj.c,v 1.109 2024/04/10 15:25:14 mpi Exp $ */
/* $OpenBSD: uvm_aobj.c,v 1.110 2024/04/13 23:44:11 jsg Exp $ */
/* $NetBSD: uvm_aobj.c,v 1.39 2001/02/18 21:19:08 chs Exp $ */
/*
@ -298,7 +298,7 @@ uao_set_swslot(struct uvm_object *uobj, int pageidx, int slot)
/* but a set is not */
printf("uao_set_swslot: uobj = %p\n", uobj);
panic("uao_set_swslot: attempt to set a slot on a NOSWAP object");
panic("uao_set_swslot: attempt to set a slot on a NOSWAP object");
}
/*

Some files were not shown because too many files have changed in this diff Show More