Merge remote-tracking branch 'nlnet/master'

* nlnet/master: (44 commits)
  - Fix NLnetLabs#927: unbound 1.18.0 make test error. Fix make test without SHA1.
  - Fix autoconf 2.69 warnings in configure.
  - Fix for WKS call to getservbyname that creates allocation on exit   in unit test by testing numbers first and testing from the services   list later.
  Tag 1.18.0rc1 became the 1.18.0 release on 30 aug 2023, with the fix from 25 aug, fix compile on NetBSD included. The repository continues with version 1.18.1.
  - Fix for version generation race condition that ignored changes.
  - Fix compile error on NetBSD in util/netevent.h.
  - Tag for 1.18.0rc1 release.
  - Set version number to 1.18.0.
  - Fix unit test for unbound-control to work when threads are disabled,   and fix cache dump check.
  - Fix NLnetLabs#923: processQueryResponse() THROWAWAY should be mindful of   fail_reply.
  - Fix for NLnetLabs#925: unbound.service: Main process exited, code=killed,   status=11/SEGV. Fixes cachedb configuration handling.
  - Fix windows ci workflow to install bison and flex.
  Further debug for windows ci workflow.
  - Debug Windows ci workflow.
  - Fix stat_values test to work with dig that enables DNS cookies.
  - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
  Changelog for commit. - Fix for iter_dec_attempts that could cause a hang, part of   capsforid and qname minimisation, depending on the settings.
  - Fix for iter_dec_attempts that could cause a hang, part of   capsforid and qname minimisation, depending on the settings.
  - Fix ip_ratelimit test to work with dig that enables DNS cookies.
  - Fix regional_alloc_init for potential unaligned source of the copy.
  ...

.github/workflows/analysis_ports.yml

@@ -175,6 +175,12 @@ jobs:
           cd ..
           export prepath=`pwd`
           echo prepath=${prepath}
+          echo "choco install winflexbison3"
+          choco install winflexbison3
+          echo 'LEX="win_flex"'
+          export LEX="win_flex"
+          echo 'YACC="win_bison -y"'
+          export YACC="win_bison -y"
           #echo "curl cpanm"
           #curl -L -k -s -S -o cpanm https://cpanmin.us/
           #echo "perl cpanm Pod::Usage"

Makefile.in

@@ -122,13 +122,13 @@ iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
 iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
 iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
 services/localzone.c services/mesh.c services/modstack.c services/view.c \
-services/rpz.c \
+services/rpz.c util/rfc_1982.c \
 services/outbound_list.c services/outside_network.c util/alloc.c \
 util/config_file.c util/configlexer.c util/configparser.c \
 util/shm_side/shm_main.c services/authzone.c \
 util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
 util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
-util/rtt.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
+util/rtt.c util/siphash.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
 util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \
 util/timehist.c util/tube.c util/proxy_protocol.c util/timeval_func.c \
 util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
@@ -145,10 +145,10 @@ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
 iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo view.lo \
 outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
-fptr_wlist.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
+fptr_wlist.lo siphash.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \
-autotrust.lo val_anchor.lo rpz.lo proxy_protocol.lo \
+autotrust.lo val_anchor.lo rpz.lo rfc_1982.lo proxy_protocol.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \
 $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
@@ -917,7 +917,8 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut
 configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
  $(srcdir)/util/config_file.h util/configparser.h
 configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/rrdef.h
 shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
@@ -1008,6 +1009,8 @@ rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/itera
  $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
+siphash.lo siphash.o: $(srcdir)/util/siphash.c
+rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c
 edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/regional.h \

cachedb/cachedb.c

@@ -226,6 +226,8 @@ static int
 cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
 {
 	const char* backend_str = cfg->cachedb_backend;
+	if(!backend_str || *backend_str==0)
+		return 1;
 	cachedb_env->backend = cachedb_find_backend(backend_str);
 	if(!cachedb_env->backend) {
 		log_err("cachedb: cannot find backend name '%s'", backend_str);

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.17.2.
+# Generated by GNU Autoconf 2.69 for unbound 1.18.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.17.2'
-PACKAGE_STRING='unbound 1.17.2'
+PACKAGE_VERSION='1.18.1'
+PACKAGE_STRING='unbound 1.18.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.17.2 to adapt to many kinds of systems.
+\`configure' configures unbound 1.18.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1543,7 +1543,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.17.2:";;
+     short | recursive ) echo "Configuration of unbound 1.18.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1785,7 +1785,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.17.2
+unbound configure 1.18.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.17.2, which was
+It was created by unbound $as_me 1.18.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2844,13 +2844,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 UNBOUND_VERSION_MAJOR=1
 
-UNBOUND_VERSION_MINOR=17
+UNBOUND_VERSION_MINOR=18
 
-UNBOUND_VERSION_MICRO=2
+UNBOUND_VERSION_MICRO=1
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=22
+LIBUNBOUND_REVISION=23
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2939,7 +2939,8 @@ LIBUNBOUND_AGE=1
 # 1.16.3 had 9:19:1
 # 1.17.0 had 9:20:1
 # 1.17.1 had 9:21:1
-# 1.17.2 had 9:22:1
+# 1.18.0 had 9:22:1
+# 1.18.1 had 9:23:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -16247,10 +16248,7 @@ _ACEOF
 $as_echo_n "checking whether strptime works... " >&6; }
 if test c${cross_compiling} = cno; then
 if test "$cross_compiling" = yes; then :
-  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+  eval "ac_cv_c_strptime_works=maybe"
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
@@ -19039,10 +19037,7 @@ if test -n "$ssldir"; then
 	CFLAGS="$CFLAGS -Wl,-rpath,$ssldir_lib"
 fi
 if test "$cross_compiling" = yes; then :
-  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+  eval "ac_cv_c_gost_works=maybe"
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
@@ -20916,10 +20911,8 @@ if test "x$ac_cv_func_snprintf" = xyes; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for correct snprintf return value" >&5
 $as_echo_n "checking for correct snprintf return value... " >&6; }
 	if test "$cross_compiling" = yes; then :
-  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: maybe" >&5
+$as_echo "maybe" >&6; }
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
@@ -22148,7 +22141,7 @@ _ACEOF
 
 
 
-version=1.17.2
+version=1.18.1
 
 date=`date +'%b %e, %Y'`
 
@@ -22667,7 +22660,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.17.2, which was
+This file was extended by unbound $as_me 1.18.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22733,7 +22726,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.17.2
+unbound config.status 1.18.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[17])
-m4_define([VERSION_MICRO],[2])
+m4_define([VERSION_MINOR],[18])
+m4_define([VERSION_MICRO],[1])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=22
+LIBUNBOUND_REVISION=23
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -107,7 +107,8 @@ LIBUNBOUND_AGE=1
 # 1.16.3 had 9:19:1
 # 1.17.0 had 9:20:1
 # 1.17.1 had 9:21:1
-# 1.17.2 had 9:22:1
+# 1.18.0 had 9:22:1
+# 1.18.1 had 9:23:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -525,7 +526,8 @@ res = strptime("2010-07-15T00:00:00+00:00", "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:
 if (!res) return 2;
 res = strptime("20070207111842", "%Y%m%d%H%M%S", &tm);
 if (!res) return 1; return 0; }
-]])] , [eval "ac_cv_c_strptime_works=yes"], [eval "ac_cv_c_strptime_works=no"])
+]])] , [eval "ac_cv_c_strptime_works=yes"], [eval "ac_cv_c_strptime_works=no"],
+[eval "ac_cv_c_strptime_works=maybe"])
 else
 eval "ac_cv_c_strptime_works=maybe"
 fi
@@ -1137,7 +1139,8 @@ int main(void) {
 		return 6;
 	return 0;
 }
-]])] , [eval "ac_cv_c_gost_works=yes"], [eval "ac_cv_c_gost_works=no"])
+]])] , [eval "ac_cv_c_gost_works=yes"], [eval "ac_cv_c_gost_works=no"],
+[eval "ac_cv_c_gost_works=maybe"])
 CFLAGS="$BAKCFLAGS"
 else
 eval "ac_cv_c_gost_works=maybe"
@@ -1714,7 +1717,7 @@ int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
 		AC_MSG_RESULT(no)
 		AC_DEFINE([SNPRINTF_RET_BROKEN], [], [define if (v)snprintf does not return length needed, (but length used)])
 		AC_LIBOBJ(snprintf)
-	  ])
+	  ], [AC_MSG_RESULT(maybe)])
     fi
 fi
 AC_REPLACE_FUNCS(strlcat)
@@ -1944,7 +1947,7 @@ case "$enable_explicit_port_randomisation" in
 esac
 
 if echo "$host" | $GREP -i -e linux >/dev/null; then
-	AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.]))
+	AC_ARG_ENABLE(linux-ip-local-port-range, AS_HELP_STRING([--enable-linux-ip-local-port-range], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.]))
 	case "$enable_linux_ip_local_port_range" in
 		yes)
 			AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.])

daemon/acl_list.c

@@ -109,6 +109,8 @@ parse_acl_access(const char* str, enum acl_access* control)
 		*control = acl_allow_snoop;
 	else if(strcmp(str, "allow_setrd") == 0)
 		*control = acl_allow_setrd;
+	else if (strcmp(str, "allow_cookie") == 0)
+		*control = acl_allow_cookie;
 	else {
 		log_err("access control type %s unknown", str);
 		return 0;

daemon/acl_list.h

@@ -64,8 +64,12 @@ enum acl_access {
 	acl_allow,
 	/** allow full access for all queries, recursion and cache snooping */
 	acl_allow_snoop,
-	/** allow full access for recursion queries and set RD flag regardless of request */
-	acl_allow_setrd
+	/** allow full access for recursion queries and set RD flag regardless
+	 *  of request */
+	acl_allow_setrd,
+	/** allow full access for recursion (+RD) queries if valid cookie
+	 *  present or stateful transport */
+	acl_allow_cookie
 };
 
 /**

daemon/remote.c

@@ -672,6 +672,12 @@ print_stats(RES* ssl, const char* nm, struct ub_stats_info* s)
 		(unsigned long)s->svr.num_queries)) return 0;
 	if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
 		(unsigned long)s->svr.num_queries_ip_ratelimited)) return 0;
+	if(!ssl_printf(ssl, "%s.num.queries_cookie_valid"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_queries_cookie_valid)) return 0;
+	if(!ssl_printf(ssl, "%s.num.queries_cookie_client"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_queries_cookie_client)) return 0;
+	if(!ssl_printf(ssl, "%s.num.queries_cookie_invalid"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_queries_cookie_invalid)) return 0;
 	if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm,
 		(unsigned long)(s->svr.num_queries
 			- s->svr.num_queries_missed_cache))) return 0;

daemon/stats.c

@@ -435,6 +435,9 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 {
 	total->svr.num_queries += a->svr.num_queries;
 	total->svr.num_queries_ip_ratelimited += a->svr.num_queries_ip_ratelimited;
+	total->svr.num_queries_cookie_valid += a->svr.num_queries_cookie_valid;
+	total->svr.num_queries_cookie_client += a->svr.num_queries_cookie_client;
+	total->svr.num_queries_cookie_invalid += a->svr.num_queries_cookie_invalid;
 	total->svr.num_queries_missed_cache += a->svr.num_queries_missed_cache;
 	total->svr.num_queries_prefetch += a->svr.num_queries_prefetch;
 	total->svr.num_queries_timed_out += a->svr.num_queries_timed_out;
@@ -568,3 +571,16 @@ void server_stats_insrcode(struct ub_server_stats* stats, sldns_buffer* buf)
 			stats->ans_rcode_nodata ++;
 	}
 }
+
+void server_stats_downstream_cookie(struct ub_server_stats* stats,
+	struct edns_data* edns)
+{
+	if(!(edns->edns_present && edns->cookie_present)) return;
+	if(edns->cookie_valid) {
+		stats->num_queries_cookie_valid++;
+	} else if(edns->cookie_client) {
+		stats->num_queries_cookie_client++;
+	} else {
+		stats->num_queries_cookie_invalid++;
+	}
+}

daemon/stats.h

@@ -126,4 +126,11 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
  */
 void server_stats_insrcode(struct ub_server_stats* stats, struct sldns_buffer* buf);
 
+/**
+ * Add DNS Cookie stats for this query
+ * @param stats: the stats
+ * @param edns: edns record
+ */
+void server_stats_downstream_cookie(struct ub_server_stats* stats,
+	struct edns_data* edns);
 #endif /* DAEMON_STATS_H */