From: Eric Luehrsen
Date: Tue, 18 Sep 2018 01:10:33 +0000 (-0400)
Subject: unbound: add patches for leaks during TLS query
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=refs%2Fpull%2F7112%2Fhead;p=feed%2Fpackages.git
unbound: add patches for leaks during TLS query
Signed-off-by: Eric Luehrsen
---
diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 354cf59a7c..6624695e4d 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.8.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
diff --git a/net/unbound/patches/100-example-conf-in.patch b/net/unbound/patches/100-example-conf-in.patch
index 5559a4870f..0a4b61104b 100644
--- a/net/unbound/patches/100-example-conf-in.patch
+++ b/net/unbound/patches/100-example-conf-in.patch
@@ -1,3 +1,8 @@
+OpenWrt (modification):
+Patch the default configuration file with the tiny memory
+configuration example from Unbound documentation. This is the best
+starting point for embedded routers if one is not going to use UCI.
+
 Index: doc/example.conf.in
 ===================================================================
 --- a/doc/example.conf.in
diff --git a/net/unbound/patches/210-query-state-leak.patch b/net/unbound/patches/210-query-state-leak.patch
new file mode 100644
index 0000000000..f8a6d25183
--- /dev/null
+++ b/net/unbound/patches/210-query-state-leak.patch
@@ -0,0 +1,38 @@
+Unbound (trunk):
+Fix that with harden-below-nxdomain and qname minisation enabled
+some iterator states for nonresponsive domains can get into a
+state where they waited for an empty list.
+Stop UDP to TCP failover after timeouts that causes the ping count
+to be reset by the TCP time measurement (that exists for TLS),
+because that causes the UDP part to not be measured as timeout.
+
+Index: iterator/iterator.c
+===================================================================
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2752,6 +2752,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ verbose(VERB_ALGO,
+ "could not validate NXDOMAIN "
+ "response");
++ outbound_list_clear(&iq->outlist);
++ iq->num_current_queries = 0;
++ fptr_ok(fptr_whitelist_modenv_detach_subs(
++ qstate->env->detach_subs));
++ (*qstate->env->detach_subs)(qstate);
++ iq->num_target_queries = 0;
+ }
+ }
+ return next_state(iq, QUERYTARGETS_STATE);
+Index: services/outside_network.c
+===================================================================
+--- a/services/outside_network.c
++++ b/services/outside_network.c
+@@ -1979,7 +1979,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
+ return 0;
+ }
+ if(rto >= RTT_MAX_TIMEOUT) {
+- fallback_tcp = 1;
++ /* fallback_tcp = 1; */
+ /* UDP does not work, fallback to TCP below */
+ } else {
+ serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);
diff --git a/net/unbound/patches/211-tls-timeout-leak.patch b/net/unbound/patches/211-tls-timeout-leak.patch
new file mode 100644
index 0000000000..7dfc2a8188
--- /dev/null
+++ b/net/unbound/patches/211-tls-timeout-leak.patch
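Review bot: The comment kept after the commented-out assignment in serviced_udp_callback, `/* UDP does not work, fallback to TCP below */`, now describes a fallback that no longer happens, and leaving `/* fallback_tcp = 1; */` as commented-out code is a maintenance hazard. Replace both with a comment that records the reason given in the patch header, e.g. `/* UDP timed out; do not fall back to TCP: the TCP/TLS RTT measurement would reset the UDP timeout count */`, and drop the dead assignment entirely. If fallback_tcp is a function local that is no longer assigned anywhere, the TCP fallback branch after this hunk becomes unreachable and compilers will warn about a set-but-unused variable; serviced_udp_callback and processQueryResponse both start and end outside the hunk, so that cannot be confirmed here. The header text also spells `minisation` where `minimisation` is meant.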
@@ -0,0 +1,32 @@
+Unbound (trunk):
+For DNS over TLS service, it sets the configured tls auth name.
+This is useful for hosts that apart from the DNS over TLS services
+also provide other (web) services. Add SSL cleanup for tcp timeout.
+
+Index: services/outside_network.c
+===================================================================
+--- a/services/outside_network.c
++++ b/services/outside_network.c
+@@ -377,6 +379,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
+ if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
+ log_err("SSL_set1_host failed");
+ pend->c->fd = s;
++ SSL_free(pend->c->ssl);
++ pend->c->ssl = NULL;
+ comm_point_close(pend->c);
+ return 0;
+ }
+@@ -1264,6 +1268,13 @@ outnet_tcptimer(void* arg)
+ } else {
+ /* it was in use */
+ struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
++ if(pend->c->ssl) {
++#ifdef HAVE_SSL
++ SSL_shutdown(pend->c->ssl);
++ SSL_free(pend->c->ssl);
++ pend->c->ssl = NULL;
++#endif
++ }
+ comm_point_close(pend->c);
+ pend->query = NULL;
+ pend->next_free = outnet->tcp_free;
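Review bot: The header of 211-tls-timeout-leak.patch describes a change the patch does not contain: its first three sentences (`For DNS over TLS service, it sets the configured tls auth name. ...`) cover functionality that is not in either hunk, while the two hunks kept here only add SSL cleanup. The inner hunk headers `@@ -377,6 +379,8 @@` and `@@ -1264,6 +1268,13 @@` carry new-side offsets that presumably come from hunks dropped when this was extracted from upstream, so the patch likely only applies with an offset against the 1.8.0 tree. Reword the header to what is actually here, e.g. `Unbound (trunk): Free the SSL object when SSL_set1_host fails in outnet_tcp_take_into_use and when a TCP (TLS) query times out in outnet_tcptimer, so SSL state is not leaked.` The two cleanup sites are also asymmetric: the timeout path calls SSL_shutdown before SSL_free inside `#ifdef HAVE_SSL`, while the SSL_set1_host failure path does neither; if that is deliberate because no handshake has started and the surrounding code is already within an HAVE_SSL block, a one-line comment there would save the next reader the question. Both outnet_tcp_take_into_use and outnet_tcptimer start and end outside the hunk.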