From faddb7371bc6634ba9bbe88ddfad2b08b025b304 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Thu, 12 Aug 2021 17:58:22 -0400 Subject: [PATCH] - Resolves: rhbz#1992985 unbound-1.13.2 is available - Use system-wide crypto policies (cherry picked from commit 0ce96eb7907e1f5d3fe58db16df5889a156b7417) Resolves: rhbz#2087120 --- .gitignore | 2 + sources | 4 +- unbound-1.13.1-rh1952814.patch | 204 --------------------------------- unbound-1.13.1-rh1991005.patch | 15 --- unbound.conf | 84 ++++++++++---- unbound.spec | 18 +-- 6 files changed, 73 insertions(+), 254 deletions(-) delete mode 100644 unbound-1.13.1-rh1952814.patch delete mode 100644 unbound-1.13.1-rh1991005.patch diff --git a/.gitignore b/.gitignore index 1911c71..bb7787d 100644 --- a/.gitignore +++ b/.gitignore @@ -65,3 +65,5 @@ unbound-1.4.5.tar.gz /unbound-1.13.0.tar.gz.asc /unbound-1.13.1.tar.gz /unbound-1.13.1.tar.gz.asc +/unbound-1.13.2.tar.gz +/unbound-1.13.2.tar.gz.asc diff --git a/sources b/sources index c7d1af2..d54a5cf 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c -SHA512 (unbound-1.13.1.tar.gz.asc) = a4a943841c4db14b2d236b4b80ac80129148c42f7b3d82246b0e0150c1e3e3e294863d5c72d1ac41c2164126d1d10f9044554f97aa6d94019acb41b5f7ed7d34 +SHA512 (unbound-1.13.2.tar.gz) = 1e89441446e7a25c6a49bded645f8b348c1758c3be54e3a986041cb1f00c45d152fd469dc52666fb820574db9d51b16f1627dc8afcb9519508d4833ca358191a +SHA512 (unbound-1.13.2.tar.gz.asc) = b905f5f981361131e7a8d3403df632603304778bd7d4fffba8d113c4246d8133f26903a5af53d21b979b652cbae8f6e92620d3a262d8b2837ab8c2a5712650ee diff --git a/unbound-1.13.1-rh1952814.patch b/unbound-1.13.1-rh1952814.patch deleted file mode 100644 index 261ed20..0000000 --- a/unbound-1.13.1-rh1952814.patch +++ /dev/null @@ -1,204 +0,0 @@ -diff --git a/config.h.in b/config.h.in -index 103ad9f..0bb29d9 100644 ---- a/config.h.in -+++ b/config.h.in -@@ -847,6 +847,14 @@ - /* Define if you enable libevent */ - #undef USE_LIBEVENT - -+/* WARNING! This is only for the libunbound on Linux and does not affect -+ unbound resolving daemon itself. This may severely limit the number of -+ available outgoing ports and thus decrease randomness. Define this only -+ when the target system restricts (e.g. some of SELinux enabled -+ distributions) the use of non-ephemeral ports. Define this to enable use of -+ /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. */ -+#undef USE_LINUX_IP_LOCAL_PORT_RANGE -+ - /* Define if you want to use internal select based events */ - #undef USE_MINI_EVENT - -diff --git a/configure b/configure -index c91e8a3..826dce9 100755 ---- a/configure -+++ b/configure -@@ -898,6 +898,7 @@ enable_ipsecmod - enable_ipset - with_libmnl - enable_explicit_port_randomisation -+enable_linux_ip_local_port_range - with_libunbound_only - ' - ac_precious_vars='build_alias -@@ -1590,6 +1591,16 @@ Optional Features: - --disable-explicit-port-randomisation - disable explicit source port randomisation and rely - on the kernel to provide random source ports -+ --enable-linux-ip-local-port-range -+ WARNING! This is only for the libunbound on Linux -+ and does not affect unbound resolving daemon itself. -+ This may severely limit the number of available -+ outgoing ports and thus decrease randomness. Use -+ this option only when the target system restricts -+ the use of non-ephemeral ports. (e.g. some of -+ SELinux enabled distributions) Enable this option to -+ use /proc/sys/net/ipv4/ip_local_port_range as a -+ default outgoing port range - - Optional Packages: - --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] -@@ -4202,6 +4213,13 @@ else - else on_mingw="no"; fi - fi - -+# are we on Linux? -+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes" -+else -+ if echo $host $target | grep linux >/dev/null; then on_linux="yes" -+ else on_linux="no"; fi -+fi -+ - # - # Determine configuration file - # the eval is to evaluate shell expansion twice -@@ -21588,6 +21606,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h - ;; - esac - -+if test $on_linux = "yes"; then -+ # Check whether --enable-linux-ip-local-port-range was given. -+if test "${enable_linux_ip_local_port_range+set}" = set; then : -+ enableval=$enable_linux_ip_local_port_range; -+fi -+ -+ case "$enable_linux_ip_local_port_range" in -+ yes) -+ -+$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h -+ -+ ;; -+ no|*) -+ ;; -+ esac -+fi -+ - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5 - $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; } -diff --git a/configure.ac b/configure.ac -index 2d88048..1207047 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -152,6 +152,13 @@ else - else on_mingw="no"; fi - fi - -+# are we on Linux? -+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes" -+else -+ if echo $host $target | grep linux >/dev/null; then on_linux="yes" -+ else on_linux="no"; fi -+fi -+ - # - # Determine configuration file - # the eval is to evaluate shell expansion twice -@@ -1847,6 +1854,17 @@ case "$enable_explicit_port_randomisation" in - ;; - esac - -+if test $on_linux = "yes"; then -+ AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Use this option only when the target system restricts the use of non-ephemeral ports. (e.g. some of SELinux enabled distributions) Enable this option to use /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range])) -+ case "$enable_linux_ip_local_port_range" in -+ yes) -+ AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports. Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range.]) -+ ;; -+ no|*) -+ ;; -+ esac -+fi -+ - - AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) - # on openBSD, the implicit rule make $< work. -diff --git a/libunbound/context.c b/libunbound/context.c -index cff2831..48d76d9 100644 ---- a/libunbound/context.c -+++ b/libunbound/context.c -@@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx) - } else { - log_init(cfg->logfile, cfg->use_syslog, NULL); - } -+ cfg_apply_local_port_policy(cfg, 65536); - config_apply(cfg); - if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env)) - return UB_INITFAIL; -diff --git a/util/config_file.c b/util/config_file.c -index 4d87dee..6b90e48 100644 ---- a/util/config_file.c -+++ b/util/config_file.c -@@ -1681,6 +1681,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail) - return num; - } - -+void cfg_apply_local_port_policy(struct config_file* cfg, int num) { -+(void)cfg; -+(void)num; -+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE -+ { -+ int i = 0; -+ FILE* range_fd; -+ if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) { -+ int min_port = 0; -+ int max_port = num - 1; -+ if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) { -+ for(i=0; ioutgoing_avail_ports[i] = 0; -+ } -+ for(i=max_port+1; ioutgoing_avail_ports[i] = 0; -+ } -+ } else { -+ log_err("unexpected port range in %s", -+ LINUX_IP_LOCAL_PORT_RANGE_PATH); -+ } -+ fclose(range_fd); -+ } else { -+ log_warn("failed to read from file: %s (%s)", -+ LINUX_IP_LOCAL_PORT_RANGE_PATH, -+ strerror(errno)); -+ } -+ } -+#endif -+} -+ - /** print error with file and line number */ - static void ub_c_error_va_list(const char *fmt, va_list args) - { -diff --git a/util/config_file.h b/util/config_file.h -index 7cf27cc..d091ef7 100644 ---- a/util/config_file.h -+++ b/util/config_file.h -@@ -1172,6 +1172,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num); - */ - int cfg_condense_ports(struct config_file* cfg, int** avail); - -+/** -+ * Apply system specific port range policy. -+ * @param cfg: config file. -+ * @param num: size of the array (65536). -+ */ -+void cfg_apply_local_port_policy(struct config_file* cfg, int num); -+ - /** - * Scan ports available - * @param avail: the array from cfg. -@@ -1301,5 +1308,9 @@ void w_config_adjust_directory(struct config_file* cfg); - /** debug option for unit tests. */ - extern int fake_dsa, fake_sha1; - -+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE -+#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range" -+#endif -+ - #endif /* UTIL_CONFIG_FILE_H */ - diff --git a/unbound-1.13.1-rh1991005.patch b/unbound-1.13.1-rh1991005.patch deleted file mode 100644 index 01264ca..0000000 --- a/unbound-1.13.1-rh1991005.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c -index d58f1b2..5bfe15b 100644 ---- a/smallapp/unbound-control.c -+++ b/smallapp/unbound-control.c -@@ -492,9 +492,7 @@ static void ssl_path_err(const char* s, const char *path) - { - unsigned long err; - err = ERR_peek_error(); -- if (ERR_GET_LIB(err) == ERR_LIB_SYS && -- (ERR_GET_FUNC(err) == SYS_F_FOPEN || -- ERR_GET_FUNC(err) == SYS_F_FREAD) ) { -+ if (ERR_GET_LIB(err) == ERR_LIB_SYS) { - fprintf(stderr, "error: %s\n%s: %s\n", - s, path, ERR_reason_error_string(err)); - exit(1); diff --git a/unbound.conf b/unbound.conf index e414f9c..4ee6d10 100644 --- a/unbound.conf +++ b/unbound.conf @@ -393,18 +393,28 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no - # NSID identity (hex string, or "ascii_somestring"). default disabled. - # nsid: "aabbccdd" + # enable to not set the User-Agent HTTP header. + # hide-http-user-agent: no # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no + # enable to not set the User-Agent HTTP header. + # hide-http-user-agent: no + # the identity to report. Leave "" or default to return hostname. # identity: "" # the version to report. Leave "" or default to return package version. # version: "" + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" + + # User-Agent HTTP header to use. Leave "" or default to use package name + # and version. + # http-user-agent: "" + # the target fetch policy. # series of integers describing the policy per dependency depth. # The number of values in the list determines the maximum dependency @@ -584,6 +594,10 @@ server: # val-sig-skew-min: 3600 # val-sig-skew-max: 86400 + # The maximum number the validator should restart validation with + # another authority in case of failed validation. + # val-max-restart: 5 + # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data @@ -616,7 +630,7 @@ server: # that the expired records will be served as long as there are queries # for it. # serve-expired-ttl-reset: no - + # # TTL value to use when replying with expired data. # serve-expired-reply-ttl: 30 # @@ -642,7 +656,10 @@ server: # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" + + # if enabled, ZONEMD verification failures do not block the zone. + # zonemd-permissive-mode: no # instruct the auto-trust-anchor-file probing to add anchors after ttl. # add-holddown: 2592000 # 30 days @@ -795,6 +812,10 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + # TODO: ask system-wide crypto people what to use here + #tls-ciphersuites: "PROFILE=SYSTEM" # does not work # Pad responses to padded queries received over TLS # pad-responses: yes @@ -931,6 +952,13 @@ server: # ipsecmod-allow: "example.com" # ipsecmod-allow: "nlnetlabs.nl" + # Timeout for REUSE entries in milliseconds. + # tcp-reuse-timeout: 60000 + # Max number of queries on a reuse connection. + # max-reuse-tcp-queries: 200 + # Timeout in milliseconds for TCP queries to auth servers. + # tcp-auth-query-timeout: 3000 + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. @@ -941,6 +969,17 @@ python: # Script file to load # python-script: "/etc/unbound/ubmodule-tst.py" +# Dynamic library config section. To enable: +# o use --with-dynlibmodule to configure before compiling. +# o list dynlib in the module-config string (above) to enable. +# It can be placed anywhere, the dynlib module is only a very thin wrapper +# to load modules dynamically. +# o and give a dynlib-file to run. If more than one dynlib entry is listed in +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + # Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. @@ -1036,29 +1075,32 @@ include: /etc/unbound/conf.d/*.conf # notifies. auth-zone: name: "." + primary: 199.9.14.201 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2001:500:200::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes for-downstream: no for-upstream: yes - fallback-enabled: yes - master: 199.9.14.201 # b.root-servers.net - master: 192.33.4.12 # c.root-servers.net - master: 199.7.91.13 # d.root-servers.net - master: 192.5.5.241 # f.root-servers.net - master: 192.112.36.4 # g.root-servers.net - master: 193.0.14.129 # k.root-servers.net - master: 192.0.47.132 # xfr.cjr.dns.icann.org - master: 192.0.32.132 # xfr.lax.dns.icann.org - master: 2001:500:200::b # b.root-servers.net - master: 2001:500:2::c # c.root-servers.net - master: 2001:500:2d::d # d.root-servers.net - master: 2001:500:2f::f # f.root-servers.net - master: 2001:500:12::d0d # g.root-servers.net - master: 2001:7fd::1 # k.root-servers.net - master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org - master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + # auth-zone: # name: "example.org" # for-downstream: yes # for-upstream: yes +# zonemd-check: no +# zonemd-reject-absence: no # zonefile: "example.org.zone" # Views diff --git a/unbound.spec b/unbound.spec index 6f69935..d475e91 100644 --- a/unbound.spec +++ b/unbound.spec @@ -20,13 +20,6 @@ %if 0%{?rhel} %global with_munin 0 -%if 0%{?with_python2} && 0%{?rhel} <= 6 -# needed just for EPEL -%{!?__python2: %global __python2 /usr/bin/python2} -%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} -%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} -%endif - %if 0%{?rhel} <= 7 %global with_python3 0 %else @@ -36,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.13.1 -Release: 15%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.13.2 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -60,9 +53,6 @@ Source17: unbound-anchor.service Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key -# rhbz#1952814 upstream PR https://github.com/NLnetLabs/unbound/pull/415/files -Patch1: unbound-1.13.1-rh1952814.patch -Patch2: unbound-1.13.1-rh1991005.patch Patch3: unbound-1.13.1-rh1977400.patch Patch4: unbound-1.13.1-rh1977401.patch @@ -457,6 +447,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Mon May 02 2022 Paul Wouters - 1.13.2-1 +- Resolves: rhbz#1992985 unbound-1.13.2 is available +- Use system-wide crypto policies + * Mon May 02 2022 Petr Menšík - 1.13.1-15 - Export unbound-devel to CRB repository (#2056116)