#
1e5d1cd0 |
| 12-Oct-2019 |
florian <florian@openbsd.org> |
Carry the answer in the pending_query struct. Makes it clearer who is responsible for freeing allocated memory.
|
#
ad50aed9 |
| 12-Oct-2019 |
florian <florian@openbsd.org> |
Be more strict with which queries to accept. Modeled after worker_handle_request() in unbound(8).
|
#
4340e121 |
| 12-Oct-2019 |
florian <florian@openbsd.org> |
Don't hand parse the query, libunbound has query_info_parse() for that. This requires a switch to sldns_buffer to satisfy the API. But it will be beneficial later on for even stricter input validation.
|
#
10dfa598 |
| 08-Oct-2019 |
florian <florian@openbsd.org> |
Make sure struct pending_query is fully initialized by using calloc.
Doesn't matter currently but led to some head scratching while working on new things.
|
#
8b165c1a |
| 06-Oct-2019 |
florian <florian@openbsd.org> |
Eek, check overflow with destination size, not source
|
#
096b3531 |
| 29-Sep-2019 |
florian <florian@openbsd.org> |
annoying trailing whitespaces
|
#
f8ebdb91 |
| 25-Sep-2019 |
florian <florian@openbsd.org> |
Do not leak cur_ns in case of malformed lease file. Found by llvm's scan-build. OK deraadt, benno
|
#
8c2d8af6 |
| 25-Sep-2019 |
florian <florian@openbsd.org> |
Be more robust when dealing with malformed lease files. Do not assume that required tokens have been generated by strsep. (toks[0] cannot be NULL but it doesn't hurt to be explicit about it.) Found by llvm's scan-build. OK deraadt, kn
|
#
df69c215 |
| 28-Jun-2019 |
deraadt <deraadt@openbsd.org> |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
679647fe |
| 14-May-2019 |
florian <florian@openbsd.org> |
Move common config passing code into a function. OK pamela
|
#
2d988276 |
| 10-May-2019 |
florian <florian@openbsd.org> |
Implement DNS block lists. If unwind is queried for a domain in the block list it answers with rcode REFUSED.
|
#
5418eea5 |
| 08-May-2019 |
florian <florian@openbsd.org> |
When starting up use the built-in DNSSEC trust anchor as well as the on-disk one to give us a better chance on root KSK roll. Either we were online during the time the key rolled or we are running on a version of unwind(8) that has the new KSK.
|
#
7e9ae0c5 |
| 24-Mar-2019 |
florian <florian@openbsd.org> |
Do not check every resolver every 30 seconds as that is wasteful and pointless.
Trigger a check
- on startup
- when forwarders change on config reload
- when dhcp provided forwarders change
- on network interface state change
When a check finishes and the checked resolver cannot resolve anything configure a timer to run another check in the future using an exponential backoff for the timeout.
|
#
580cede2 |
| 15-Mar-2019 |
florian <florian@openbsd.org> |
Correctly interlock config reload imsgs. Only accept a new config reload if it's not currently running and only accept a config reload end if one is currently running. OK pamela
|
#
58b5b9b8 |
| 01-Mar-2019 |
florian <florian@openbsd.org> |
Due to the way we build libunbound inside of unwind .o files collide in the obj directory. Previously this was solved by keeping the libunbound file name (to be able to keep in sync with upstream) and prefixing the source filename of colliding .o files in unwind with uw_.
However, these files are shared throughout our tree (namely parse.y, log.c and log.h) and we try to keep them in sync.
Move files back to their original name and instead symlink colliding source files in libunbound to unique filenames by prefixing them with the directory they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c
Idea to use symlinks deraadt@ via jsg@ OK benno
|
#
a9155f32 |
| 18-Feb-2019 |
florian <florian@openbsd.org> |
Introduce IMSG_DATA_SIZE() macro to replace reoccurring math on imsg.hdr.len and shorten code. Input & OK pamela
|
#
6cee0ce8 |
| 17-Feb-2019 |
florian <florian@openbsd.org> |
Since we do a naive string comparison to see if the trust anchor changed we need to fix the TTL to the value we would get from the root for the ksk DNSKEY (currently 2 days). Otherwise we would interpret a lowered TTL from a cache as changed trust anchor. Use the same define everywhere.
(Considering the glacial speed with which the root ksk rotates this should be fine for the foreseeable future.)
|
#
bb81f7e1 |
| 17-Feb-2019 |
florian <florian@openbsd.org> |
s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here
|
#
d1b04a40 |
| 10-Feb-2019 |
florian <florian@openbsd.org> |
Simplify trust anchor handling.
Open trust anchor file for reading and writing on startup and pass it to the frontend process. The frontend process seeks and truncates the file appropriately when writing out new trust anchors learned via DNS but never closes the file. On error the file is truncated to zero length.
This is in turn handled on startup by switching to the built in trust anchor when no trust anchor can be read from disk.
This sidesteps the need for an unveil'ed directory with "c" permission and also removes the wpath and cpath pledges from the parent process.
deraadt@ pointed out that my previous design didn't make sense and I had confused myself along the way. (It did work, but was too complicated for no good reason).
While here validate that we actually read a trust anchor from disk by trying to parse it and checking that it is a DNSKEY. Unfortunately ub_ctx_add_ta() accepts just any string as a trust anchor without any validation.
|
#
296cf316 |
| 07-Feb-2019 |
florian <florian@openbsd.org> |
Rewrite trust anchor handling.
Do not use libunbound's auto trust anchor file feature since then the resolver process needs rpath, wpath, and cpath pledges and permission on the trust anchor file.
Instead configure the trust anchor as resource record strings. The parent process opens the file, passes a file descriptor to the frontend process to parse the file and then passes trust anchors to the resolver process to (re-) configure the resolver contexts.
The resolver process periodically probes for new trust anchors (DNSKEY records of the root zone) and passes those to the frontend process. This in turn requests a file descriptor for writing from the parent process. Once the trust anchors have been written the parent process renames the tmp file to the final location.
Also provide a built in trust anchor for boot strapping purposes if no file is found on disk. That way we can get rid of unbound-anchor in unwind's rc.d script.
|
#
b2501ead |
| 03-Feb-2019 |
florian <florian@openbsd.org> |
Captive portal detection for unwind(8).
|
#
9c8ccd70 |
| 01-Feb-2019 |
florian <florian@openbsd.org> |
port is in network byte order
|
#
b953c21e |
| 30-Jan-2019 |
benno <benno@openbsd.org> |
fix parsing of incomplete dhclient.lease files, initialize epoch to 0. ok florian@
|
#
2b821978 |
| 29-Jan-2019 |
florian <florian@openbsd.org> |
Make imsg processing much more paranoid.
If it comes from one of our processes and the size does not match what we expect call fatalx to crash and burn. We either hit a logic bug or something is fishy on the other end and we can't trust that process any longer. Not that we trust those processes to begin with.
This also applies to receiving resources that we don't expect. For example if we have an open UDP listen socket and get a new one passed from the main process something is wrong and we should crash and burn.
The only place where we are more lenient is on the control socket. We just ignore wrong sized messages so that users can't bring down unwind.
|
#
5472663a |
| 29-Jan-2019 |
florian <florian@openbsd.org> |
We don't need IMSG_SHUTDOWN, we can just close the sockets. pointed out by deraadt
|