Development February 2016

development@lists.ipfire.org

12 participants
60 discussions

Introducing DDNS
by Michael Tremer 21 Jun '16

21 Jun '16

Hello, this is a post to update you all about the recent developments regarding the support for the various upcoming dynamic DNS providers. Rationale Some of the major dynamic DNS providers stopped their free services or made them unusable so that people started searching for alternatives. In IPFire 2, a script called setddns.pl [1] is responsible for updating the dynamic DNS records. This script has grown over the last couple of months and if you have looked into it you will have noticed that it has become from ugly to almost un-maintainable. The decision that we don't want to take this mess with us into the next generation of IPFire was already made many years ago. DDNS A project called ddns was started which is a pure Python client that is much more flexible, cleanly rewritten and easily extensible. It is cross-platform, cross-distribution and does not need any third-party python modules. The basics already written years ago, Stefan Schantl and I worked on making this ready for IPFire 2 and added all the providers that are currently supported by setddns.pl and ez-ipupdate. The source for the new DDNS tool can be found over here: http://git.ipfire.org/?p=ddns.git;a=summary or on GitHub https://github.com/ipfire/ddns were you can send us pull requests for supporting new providers and so on. Bug reports go to the usual place: https://bugzilla.ipfire.org/describecomponents.cgi?product=DDNS%20Updater There is no fixed release schedule for this, but we are pretty sure that this won't take long until DDNS arrives in IPFire 2. That means that we won't take any patches for the setddns.pl script that add support for new providers any more. We appreciate any contribution and as always hope to get some feedback back from the community! Best, -Michael [1] http://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/setddns.pl;h=5…

6 18

Perl 5.22.1 integration
by Marcel Lorenz 28 May '16

28 May '16

Hi, i will start a discussion for the integration of Perl 5.22.x into IPFire. I have been working for over half a year on the files. My motivation came from the use of SpamAssassin. This application is written in Perl. The old Perl modules from IPFire are as a security risk. First i update the Perl LFS and rootfile only. All the other Perl modules remain old. I began individual modules to update, but it was very expensive. Since I had the idea to take all modules to one or two LFS together. This has the advantage that all individual Perl modules disappear make.sh from and this is clearly shorter. The two LFS files and the associated Rootfiles are also easier to maintain. The individual Perl modules in Pakfire can then also be removed. Perl is always complete and up to date with its modules. In my mailserver branch I have this development as far finished. However, I had the modules-LFS divided into two files because make is having trouble with to large LFS files. Also have Perl 5.22.1 integrated into the toolchain. The need still less, gdbm and berkeley DB4 before. I created three files from the many Perl files: perl-buildtools perl-modules1 perl-modules2 The current folder size of /usr/lib/perl5 is about 75MB with Perl 5.22.1 and all modules and 55Mb with Perl 5.12.3. A Perl-Modules list can be found here: http://people.ipfire.org/~mlorenz/mp/22/perl.txt This includes all needed modules for Amavisd, all from Pakfire and many more. All updated to the latest version from CPAN (December 2015) Here the perl-buildtools LFS with the current modules from CPAN as an example. The modules included are needed around the other current Perl modules to build: ############################################################################### # # # IPFire.org - A linux based firewall # # Copyright (C) 2007-2015 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation, either version 3 of the License, or # # (at your option) any later version. # # # # This program is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with this program. If not, see <http://www.gnu.org/licenses/>. # # # ############################################################################### ############################################################################### # Definitions ############################################################################### include Config VER = 2015.10 THISAPP = perl-buildtools-$(VER) DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = perl-buildtools DEPS = "perl" PAK_VER = 1 ############################################################################### # Top-level Rules ############################################################################### objects = ExtUtils-Constant-0.23.tar.gz \ ExtUtils-MakeMaker-7.10.tar.gz \ ExtUtils-Manifest-1.70.tar.gz \ Module-Build-0.4214.tar.gz \ Module-Metadata-1.000027.tar.gz \ Perl-OSType-1.009.tar.gz \ Test-Deep-0.119.tar.gz \ Test-Simple-1.001014.tar.gz \ version-0.9912.tar.gz ExtUtils-Constant-0.23.tar.gz = $(DL_FROM)/ExtUtils-Constant-0.23.tar.gz ExtUtils-MakeMaker-7.10.tar.gz = $(DL_FROM)/ExtUtils-MakeMaker-7.10.tar.gz ExtUtils-Manifest-1.70.tar.gz = $(DL_FROM)/ExtUtils-Manifest-1.70.tar.gz Module-Build-0.4214.tar.gz = $(DL_FROM)/Module-Build-0.4214.tar.gz Module-Metadata-1.000027.tar.gz = $(DL_FROM)/Module-Metadata-1.000027.tar.gz Perl-OSType-1.009.tar.gz = $(DL_FROM)/Perl-OSType-1.009.tar.gz Test-Deep-0.119.tar.gz = $(DL_FROM)/Test-Deep-0.119.tar.gz Test-Simple-1.001014.tar.gz = $(DL_FROM)/Test-Simple-1.001014.tar.gz version-0.9912.tar.gz = $(DL_FROM)/version-0.9912.tar.gz ExtUtils-Constant-0.23.tar.gz_MD5 = bd3ec6d22ffab7e5cc05b1331a888d15 ExtUtils-MakeMaker-7.10.tar.gz_MD5 = 2639a21adee5e0a903730c12dcba08ec ExtUtils-Manifest-1.70.tar.gz_MD5 = 8ccb9c1f3bca14c117a74bc7b43be095 Module-Build-0.4214.tar.gz_MD5 = 7b7ca5a47bef48c50c8b5906ca3ac7fb Module-Metadata-1.000027.tar.gz_MD5 = a0bf9b900dfd49c57702de3ee3801d42 Perl-OSType-1.009.tar.gz_MD5 = 9e0cae3812bc80815f00732bde1b7e61 Test-Deep-0.119.tar.gz_MD5 = edb72e9b1874efe3b0c95324fb063e51 Test-Simple-1.001014.tar.gz_MD5 = db7f57fd595e3e1c93c972307a88fa6e version-0.9912.tar.gz_MD5 = 404a7174f3e38e4f8fad3e1eefce5412 install : $(TARGET) check : $(patsubst %,$(DIR_CHK)/%,$(objects)) download :$(patsubst %,$(DIR_DL)/%,$(objects)) md5 : $(subst %,%_MD5,$(objects)) dist: @$(PAK) ############################################################################### # Downloading, checking, md5sum ############################################################################### $(patsubst %,$(DIR_CHK)/%,$(objects)) : @$(CHECK) $(patsubst %,$(DIR_DL)/%,$(objects)) : @$(LOAD) $(subst %,%_MD5,$(objects)) : @$(MD5) ############################################################################### # Installation Details ############################################################################### $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) cd $(DIR_SRC) && tar zxf $(DIR_DL)/Perl-OSType-1.009.tar.gz cd $(DIR_SRC)/Perl-OSType-1.009 && perl Makefile.PL cd $(DIR_SRC)/Perl-OSType-1.009 && make $(MAKETUNING) cd $(DIR_SRC)/Perl-OSType-1.009 && make install @rm -rf $(DIR_SRC)/Perl-OSType-1.009 cd $(DIR_SRC) && tar zxf $(DIR_DL)/version-0.9912.tar.gz cd $(DIR_SRC)/version-0.9912 && perl Makefile.PL cd $(DIR_SRC)/version-0.9912 && make $(MAKETUNING) cd $(DIR_SRC)/version-0.9912 && make install @rm -rf $(DIR_SRC)/version-0.9912 cd $(DIR_SRC) && tar zxf $(DIR_DL)/Module-Metadata-1.000027.tar.gz cd $(DIR_SRC)/Module-Metadata-1.000027 && perl Makefile.PL cd $(DIR_SRC)/Module-Metadata-1.000027 && make $(MAKETUNING) cd $(DIR_SRC)/Module-Metadata-1.000027 && make install @rm -rf $(DIR_SRC)/Module-Metadata-1.000027 cd $(DIR_SRC) && tar zxf $(DIR_DL)/Module-Build-0.4214.tar.gz cd $(DIR_SRC)/Module-Build-0.4214 && perl Makefile.PL cd $(DIR_SRC)/Module-Build-0.4214 && make $(MAKETUNING) cd $(DIR_SRC)/Module-Build-0.4214 && make install @rm -rf $(DIR_SRC)/Module-Build-0.4214 cd $(DIR_SRC) && tar zxf $(DIR_DL)/Test-Deep-0.119.tar.gz cd $(DIR_SRC)/Test-Deep-0.119 && perl Makefile.PL cd $(DIR_SRC)/Test-Deep-0.119 && make $(MAKETUNING) cd $(DIR_SRC)/Test-Deep-0.119 && make install @rm -rf $(DIR_SRC)/Test-Deep-0.119 cd $(DIR_SRC) && tar zxf $(DIR_DL)/Test-Simple-1.001014.tar.gz cd $(DIR_SRC)/Test-Simple-1.001014 && perl Makefile.PL cd $(DIR_SRC)/Test-Simple-1.001014 && make $(MAKETUNING) cd $(DIR_SRC)/Test-Simple-1.001014 && make install @rm -rf $(DIR_SRC)/Test-Simple-1.001014 cd $(DIR_SRC) && tar zxf $(DIR_DL)/ExtUtils-Constant-0.23.tar.gz cd $(DIR_SRC)/ExtUtils-Constant-0.23 && perl Makefile.PL cd $(DIR_SRC)/ExtUtils-Constant-0.23 && make $(MAKETUNING) cd $(DIR_SRC)/ExtUtils-Constant-0.23 && make install @rm -rf $(DIR_SRC)/ExtUtils-Constant-0.23 cd $(DIR_SRC) && tar zxf $(DIR_DL)/ExtUtils-MakeMaker-7.10.tar.gz cd $(DIR_SRC)/ExtUtils-MakeMaker-7.10 && perl Makefile.PL cd $(DIR_SRC)/ExtUtils-MakeMaker-7.10 && make $(MAKETUNING) cd $(DIR_SRC)/ExtUtils-MakeMaker-7.10 && make install @rm -rf $(DIR_SRC)/ExtUtils-MakeMaker-7.10 cd $(DIR_SRC) && tar zxf $(DIR_DL)/ExtUtils-Manifest-1.70.tar.gz cd $(DIR_SRC)/ExtUtils-Manifest-1.70 && perl Makefile.PL cd $(DIR_SRC)/ExtUtils-Manifest-1.70 && make $(MAKETUNING) cd $(DIR_SRC)/ExtUtils-Manifest-1.70 && make install @rm -rf $(DIR_SRC)/ExtUtils-Manifest-1.70 @$(POSTBUILD) That would be my suggestion for integration of Perl 5.22.1. On request, I can create big patches and send it to the mailing list. Perl 5.22.x works are in several months generated by my ISO's unremarkable. It is known that a few startup scripts need to be adjusted (amavisd). Please forgive me my simple English... Google translator helped me. :) Greetings, Marcel Lorenz

4 5

[PATCH] squid 3.4.14: Bugfix for #4323 (Netfilter broken cross-includes with Linux 4.2)
by Matthias Fischer 07 Apr '16

07 Apr '16

For details see: http://bugs.squid-cache.org/show_bug.cgi?id=4323 Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/squid | 2 ++ lfs/squid | 3 ++- src/patches/squid-3.4-13231.patch | 48 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 src/patches/squid-3.4-13231.patch diff --git a/config/rootfiles/common/squid b/config/rootfiles/common/squid index c8227e3..83cfe3f 100644 --- a/config/rootfiles/common/squid +++ b/config/rootfiles/common/squid @@ -2145,6 +2145,8 @@ usr/lib/squid/icons/silk/script_palette.png usr/lib/squid/log_db_daemon usr/lib/squid/log_file_daemon usr/lib/squid/mib.txt +usr/lib/squid/negotiate_kerberos_auth +usr/lib/squid/negotiate_kerberos_auth_test usr/lib/squid/negotiate_wrapper_auth usr/lib/squid/ntlm_fake_auth usr/lib/squid/ntlm_smb_lm_auth diff --git a/lfs/squid b/lfs/squid index 997c660..a9c5f37 100644 --- a/lfs/squid +++ b/lfs/squid @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2015 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2016 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13228.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4.14-fix-max-file-descriptors.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13230.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13231.patch cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi diff --git a/src/patches/squid-3.4-13231.patch b/src/patches/squid-3.4-13231.patch new file mode 100644 index 0000000..045ad70 --- /dev/null +++ b/src/patches/squid-3.4-13231.patch @@ -0,0 +1,48 @@ +------------------------------------------------------------ +revno: 13231 +revision-id: squid3(a)treenet.co.nz-20160220150859-3unryicod1rcx9rm +parent: squid3(a)treenet.co.nz-20160212045316-zwx4r9we4gf27rx3 +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323 +author: Francesco Chemolli <kinkie(a)squid-cache.org> +committer: Amos Jeffries <squid3(a)treenet.co.nz> +branch nick: 3.4 +timestamp: Sun 2016-02-21 04:08:59 +1300 +message: + Bug 4323: Netfilter broken cross-includes with Linux 4.2 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20160220150859-3unryicod1rcx9rm +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# testament_sha1: 10fa174d2821207d0bf89ef3013e8f4c3f99f9e3 +# timestamp: 2016-02-20 15:50:56 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# base_revision_id: squid3(a)treenet.co.nz-20160212045316-\ +# zwx4r9we4gf27rx3 +# +# Begin patch +=== modified file 'compat/os/linux.h' +--- compat/os/linux.h 2012-08-28 13:00:30 +0000 ++++ compat/os/linux.h 2016-02-20 15:08:59 +0000 +@@ -22,6 +22,21 @@ + #endif + + /* ++ * Netfilter header madness. (see Bug 4323) ++ * ++ * Netfilter have a history of defining their own versions of network protocol ++ * primitives without sufficient protection against the POSIX defines which are ++ * aways present in Linux. ++ * ++ * netinet/in.h must be included before any other sys header in order to properly ++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added ++ * to workaround it. ++ */ ++#if HAVE_NETINET_IN_H ++#include <netinet/in.h> ++#endif ++ ++/* + * sys/capability.h is only needed in Linux apparently. + * + * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc + -- 2.7.2

3 4

New package iPerf3
by Jonatan Schlag 30 Mar '16

30 Mar '16

Hi, I build iPerf3 for IPFire, (for reasons look here: http://forum.ipfire.org/viewtopic.php?f=50&t=15498) and was told that i should submit changes to the mailing list. Here is a patch with all changes: Signed-off-by: Jonatan Schlag <jonatan(a)familyschlag.de> From a403b42f389cd5617937a0df220c67e279236034 Mon Sep 17 00:00:00 2001 From: jonaschl <jonnyschlag(a)gmail.com> Date: Wed, 23 Dec 2015 13:43:20 +0100 Subject: [PATCH] new package iPerf 3 email: jonnyschlag(a)gmail.com author: jonaschl --- config/rootfiles/packages/iperf3 | 10 +++++ lfs/iperf3 | 84 ++++++++++++++++++++++++++++++++++++++++ make.sh | 1 + 3 files changed, 95 insertions(+) create mode 100644 config/rootfiles/packages/iperf3 create mode 100644 lfs/iperf3 diff --git a/config/rootfiles/packages/iperf3 b/config/rootfiles/packages/iperf3 new file mode 100644 index 0000000..717cc96 --- /dev/null +++ b/config/rootfiles/packages/iperf3 @@ -0,0 +1,10 @@ +usr/bin/iperf3 +#usr/include/iperf_api.h +usr/lib/libiperf.a +usr/lib/libiperf.la +usr/lib/libiperf.so +usr/lib/libiperf.so.0 +usr/lib/libiperf.so.0.0.0 +#usr/share/man/man1/iperf3.1 +#usr/share/man/man3/libiperf.3 + diff --git a/lfs/iperf3 b/lfs/iperf3 new file mode 100644 index 0000000..b8e0cd2 --- /dev/null +++ b/lfs/iperf3 @@ -0,0 +1,84 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2015 IPFire Team <info(a)ipfire.org> # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see <http://www.gnu.org/licenses/>. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 3.1.1 + +THISAPP = iperf3-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = iperf3 +PAK_VER = 1 + +DEPS = "" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 62e3d2a057cca69e88ebfbf35b7483ef + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure --prefix=/usr + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 39089cd..b184115 100755 --- a/make.sh +++ b/make.sh @@ -740,6 +740,7 @@ buildipfire() { ipfiremake gutenprint ipfiremake apcupsd ipfiremake iperf + ipfiremake iperf3 ipfiremake netcat ipfiremake 7zip ipfiremake lynis -- 2.1.4 I do not know if i do all right, in the moment I am not so familiar with git and patches. In addition I have a question. When I build iPerf 3 I run into a bug (see https://github.com/esnet/iperf/issues/337). I modified the source package and now iPerf 3 build. There are c flags which are incompatible. What is the better style to modify the source package and use this source package or to create a patch (what I try but I fail) and use the original source package and patch it during the build process? The source package what I use in the moment could be find here: http://forum.ipfire.org/download/file.php?id=1853 Yours sincerely Jonatan Schlag

3 2

[PATCH] privoxy: Update to 3.0.24
by Matthias Fischer 29 Mar '16

29 Mar '16

Changelog - in short: - Security fixes (denial of service): - Prevent invalid reads in case of corrupt chunk-encoded content. CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer. - Remove empty Host headers in client requests. Previously they would result in invalid reads. CVE-2016-1983. Bug discovered with afl-fuzz and AddressSanitizer. Also several bug fixes as well as general, action file, and documentation improvements. For details see: http://www.privoxy.org/announce.txt Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/privoxy | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lfs/privoxy b/lfs/privoxy index bc4848a..de650a2 100644 --- a/lfs/privoxy +++ b/lfs/privoxy @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2015 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2016 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,14 +24,14 @@ include Config -VER = 3.0.23 +VER = 3.0.24 THISAPP = privoxy-$(VER) DL_FILE = $(THISAPP)-stable-src.tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = privoxy -PAK_VER = 2 +PAK_VER = 3 DEPS = "" @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = bbe47d5ff1a54d9f9fc93a160532697f +$(DL_FILE)_MD5 = 44a47d1a5000db8cccd61ace0e25e7f7 install : $(TARGET) @@ -53,7 +53,7 @@ download :$(patsubst %,$(DIR_DL)/%,$(objects)) md5 : $(subst %,%_MD5,$(objects)) -dist: +dist: $(PAK) ############################################################################### -- 2.7.0

2 6

[PATCH] Update: To version Apache-2.4.18 and PHP-5.6-17.
by Erik Kapfer 04 Mar '16

04 Mar '16

Please DO NOT merge this, this version needs to be tested and optimized. - Apache update to 2.4.18 requires PCRE with version 8.38 which has been also updated. - PCRE-8.38 should have included all seurity patches from 8.37 --> http://www.pcre.org/original/changelog.txt . - Changed bzip2 position cause new pcre version neededs bzlib.h. - Added Apr-Util-1.5.4 which is required by new Apache version. - Apr-Util uses currently sqlite3 since compiling with BDB support without the new BDB-6* version needs long compilation time cause Apr-Util searches for every version from 6.8 backwards until the current available 4.4 version. - Added Apr-1.5.2 which is required by Apr-Util. - Added both Apr-*version into Apache LFS and ROOTFILE. - Added new mpm.conf for Apache Multi-Processing Modules and deleted old entries from httpd.conf. - Added "--enable-mpms-shared=all" in Apache LFS so MPM mode should be changeable on the fly by editing loadmodule.conf. - Enabled '--enable-mods-shared="all cgi' so fastcgi should be available too. - Disable server and version signatur sending in httpd.conf. - Added Modsecurity as an Addon, with outcommented Apache config parameters under loadmodules.conf and httpd.conf. - Modsecurities install.sh will activate the entries in Apache configs, uninstall.sh will also deactivate them. - Modsecurity default configuration from the source package are used. - Added ICU support for PHP. Positioned ICU before boost cause newer boost versions might become also ICU support? - Added new PHP module intl and deleted idn cause it has been merged into intl --> http://php.net/manual/de/ref.intl.idn.php, new modul will also be build like log in PHP LFS and ROOTFILE. - Added PHP Patch for BerkleyDB-6.x. - Added new php.ini. - Added zend optimizer extension into PHP. - FPM switch is activated in php.ini and should use nobody privileges per default. - Disabled 'allow_url_fopen' and 'expose_php' in php.ini. Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org> --- config/httpd/httpd.conf | 15 +- config/httpd/loadmodule.conf | 124 +- config/httpd/server-tuning.conf | 7 +- config/httpd/ssl-global.conf | 3 +- config/php/php.ini | 1674 ++++++++++++++------ config/rootfiles/common/apache2 | 646 ++++++-- config/rootfiles/common/pcre | 145 +- config/rootfiles/common/php | 158 +- lfs/apache2 | 105 +- lfs/pcre | 33 +- lfs/php | 131 +- make.sh | 4 +- .../pcre-8.37-Fix-another-buffer-overflow.patch | 110 -- ...overflow-for-forward-reference-within-bac.patch | 68 - ...overflow-for-named-recursive-back-referen.patch | 87 - ...overflow-for-named-references-in-situatio.patch | 190 --- ...orward-reference-to-duplicate-group-numbe.patch | 98 -- 17 files changed, 2123 insertions(+), 1475 deletions(-) delete mode 100644 src/patches/pcre-8.37-Fix-another-buffer-overflow.patch delete mode 100644 src/patches/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch delete mode 100644 src/patches/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch delete mode 100644 src/patches/pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch delete mode 100644 src/patches/pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch diff --git a/config/httpd/httpd.conf b/config/httpd/httpd.conf index 9c1fb2b..dd8b76d 100644 --- a/config/httpd/httpd.conf +++ b/config/httpd/httpd.conf @@ -21,6 +21,7 @@ # |-- mod_mime-defaults.conf . . . . . . . defaults for mod_mime configuration # |-- errors.conf . . . . . . . . . . . . . customize error responses # |-- ssl-global.conf . . . . . . . . . . . SSL conf that applies to default server _and all_ virtual hosts +# |-- mpm.conf . . . . . . . . . . . . . . Server pool management for Multi-Processing Modules (MPMs) # | # |-- default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests # | @@ -40,6 +41,9 @@ Include /etc/httpd/conf/uid.conf # - usage of KeepAlive Include /etc/httpd/conf/server-tuning.conf +# Server-pool management (MPM specific) +Include /etc/httpd/conf/mpm.conf + # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a <VirtualHost> # container, error messages relating to that virtual host will be @@ -65,7 +69,6 @@ Include /etc/httpd/conf/global.conf # associate MIME types with filename extensions TypesConfig /etc/mime.types -DefaultType text/plain # global (server-wide) SSL configuration, that is not specific to # any virtual host @@ -119,3 +122,13 @@ Include /etc/httpd/conf/vhosts.d/*.conf # Dummy LoadModule directive to aid module installations #LoadModule dummy_module /usr/lib/apache2/modules/mod_dummy.so + +# Enable ModSecurity, attaching it to every transactio. +# Modescurity is available as an Addon and needs to be loaded via Pakfire. +#<IfModule security2_module> +# Include /etc/httpd/conf/modsecurity.conf +#</IfModule> + +# Disable sending the server signatur +ServerTokens Prod +ServerSignature Off diff --git a/config/httpd/loadmodule.conf b/config/httpd/loadmodule.conf index e30f79b..3c72281 100644 --- a/config/httpd/loadmodule.conf +++ b/config/httpd/loadmodule.conf @@ -1,51 +1,103 @@ -LoadModule authn_file_module /usr/lib/apache/mod_authn_file.so -#LoadModule authn_dbm_module /usr/lib/apache/mod_authn_dbm.so +LoadModule php5_module /usr/lib/apache/libphp5.so +LoadModule access_compat_module /usr/lib/apache/mod_access_compat.so +#LoadModule actions_module /usr/lib/apache/mod_actions.so +LoadModule alias_module /usr/lib/apache/mod_alias.so +#LoadModule allowmethods_module /usr/lib/apache/mod_allowmethods.so +#LoadModule asis_module /usr/lib/apache/mod_asis.so +LoadModule auth_basic_module /usr/lib/apache/mod_auth_basic.so +LoadModule auth_digest_module /usr/lib/apache/mod_auth_digest.so +#LoadModule auth_form_module /usr/lib/apache/mod_auth_form.so #LoadModule authn_anon_module /usr/lib/apache/mod_authn_anon.so +LoadModule authn_core_module /usr/lib/apache/mod_authn_core.so #LoadModule authn_dbd_module /usr/lib/apache/mod_authn_dbd.so -#LoadModule authn_default_module /usr/lib/apache/mod_authn_default.so -LoadModule authz_host_module /usr/lib/apache/mod_authz_host.so -#LoadModule authz_groupfile_module /usr/lib/apache/mod_authz_groupfile.so -LoadModule authz_user_module /usr/lib/apache/mod_authz_user.so +#LoadModule authn_dbm_module /usr/lib/apache/mod_authn_dbm.so +LoadModule authn_file_module /usr/lib/apache/mod_authn_file.so +#LoadModule authn_socache_module /usr/lib/apache/mod_authn_socache.so +#LoadModule authnz_fcgi_module /usr/lib/apache/mod_authnz_fcgi.so +LoadModule authz_core_module /usr/lib/apache/mod_authz_core.so +#LoadModule authz_dbd_module /usr/lib/apache/mod_authz_dbd.so #LoadModule authz_dbm_module /usr/lib/apache/mod_authz_dbm.so +#LoadModule authz_groupfile_module /usr/lib/apache/mod_authz_groupfile.so +LoadModule authz_host_module /usr/lib/apache/mod_authz_host.so #LoadModule authz_owner_module /usr/lib/apache/mod_authz_owner.so -#LoadModule authz_default_module /usr/lib/apache/mod_authz_default.so -LoadModule auth_basic_module /usr/lib/apache/mod_auth_basic.so -LoadModule auth_digest_module /usr/lib/apache/mod_auth_digest.so +LoadModule authz_user_module /usr/lib/apache/mod_authz_user.so +LoadModule autoindex_module /usr/lib/apache/mod_autoindex.so +#LoadModule buffer_module /usr/lib/apache/mod_buffer.so +#LoadModule disk_module /usr/lib/apache/mod_cache_disk.so +#LoadModule cache_module /usr/lib/apache/mod_cache.so +#LoadModule cache_socache_module /usr/lib/apache/mod_cache_socache.so +#LoadModule cgid_module /usr/lib/apache/mod_cgid.so +LoadModule cgi_module /usr/lib/apache/mod_cgi.so +#LoadModule charset_lite_module /usr/lib/apache/mod_charset_lite.so +#LoadModule data_module /usr/lib/apache/mod_data.so #LoadModule dbd_module /usr/lib/apache/mod_dbd.so +#LoadModule deflate_module /usr/lib/apache/mod_deflate.so +#LoadModule dialup_module /usr/lib/apache/mod_dialup.so +LoadModule dir_module /usr/lib/apache/mod_dir.so #LoadModule dumpio_module /usr/lib/apache/mod_dumpio.so +#LoadModule mod_echo_module /usr/lib/apache/mod_echo.so +LoadModule env_module /usr/lib/apache/mod_env.so +#LoadModule expires_module /usr/lib/apache/mod_expires.so #LoadModule ext_filter_module /usr/lib/apache/mod_ext_filter.so -#LoadModule include_module /usr/lib/apache/mod_include.so +#LoadModule file_cache_module /usr/lib/apache/mod_file_cache.so #LoadModule filter_module /usr/lib/apache/mod_filter.so -#LoadModule deflate_module /usr/lib/apache/mod_deflate.so +LoadModule headers_module /usr/lib/apache/mod_headers.so +#LoadModule heartbeat_module /usr/lib/apache/mod_heartbeat.so +#LoadModule heartmonitor_module /usr/lib/apache/mod_heartmonitor.so +#LoadModule include_module /usr/lib/apache/mod_include.so +#LoadModule info_module /usr/lib/apache/mod_info.so LoadModule log_config_module /usr/lib/apache/mod_log_config.so +#LoadModule log_debug_module /usr/lib/apache/mod_log_debug.so #LoadModule log_forensic_module /usr/lib/apache/mod_log_forensic.so #LoadModule logio_module /usr/lib/apache/mod_logio.so -LoadModule env_module /usr/lib/apache/mod_env.so +#LoadModule macro_module /usr/lib/apache/mod_macro.so #LoadModule mime_magic_module /usr/lib/apache/mod_mime_magic.so -#LoadModule cern_meta_module /usr/lib/apache/mod_cern_meta.so -#LoadModule expires_module /usr/lib/apache/mod_expires.so -LoadModule headers_module /usr/lib/apache/mod_headers.so -#LoadModule ident_module /usr/lib/apache/mod_ident.so -#LoadModule usertrack_module /usr/lib/apache/mod_usertrack.so -#LoadModule unique_id_module /usr/lib/apache/mod_unique_id.so -LoadModule setenvif_module /usr/lib/apache/mod_setenvif.so -#LoadModule version_module /usr/lib/apache/mod_version.so LoadModule mime_module /usr/lib/apache/mod_mime.so -#LoadModule dav_module /usr/lib/apache/mod_dav.so -#LoadModule status_module /usr/lib/apache/mod_status.so -LoadModule autoindex_module /usr/lib/apache/mod_autoindex.so -#LoadModule asis_module /usr/lib/apache/mod_asis.so -#LoadModule info_module /usr/lib/apache/mod_info.so -LoadModule cgi_module /usr/lib/apache/mod_cgi.so -#LoadModule dav_fs_module /usr/lib/apache/mod_dav_fs.so -#LoadModule vhost_alias_module /usr/lib/apache/mod_vhost_alias.so -#LoadModule negotiation_module /usr/lib/apache/mod_negotiation.so -LoadModule dir_module /usr/lib/apache/mod_dir.so -#LoadModule imagemap_module /usr/lib/apache/mod_imagemap.so -#LoadModule actions_module /usr/lib/apache/mod_actions.so -#LoadModule speling_module /usr/lib/apache/mod_speling.so -#LoadModule userdir_module /usr/lib/apache/mod_userdir.so -LoadModule alias_module /usr/lib/apache/mod_alias.so +#LoadModule mpm_event_module /usr/lib/apache/mod_mpm_event.so +#LoadModule mpm_prefork_module /usr/lib/apache/mod_mpm_prefork.so +LoadModule mpm_worker_module /usr/lib/apache/mod_mpm_worker.so +#LoadModule mod_negotiation_module /usr/lib/apache/mod_negotiation.so +#LoadModule proxy_ajp_module /usr/lib/apache/mod_proxy_ajp.so +#LoadModule proxy_balancer_module /usr/lib/apache/mod_proxy_balancer.so +#LoadModule proxy_connect_module /usr/lib/apache/mod_proxy_connect.so +#LoadModule proxy_express_module /usr/lib/apache/mod_proxy_express.so +#LoadModule proxy_fcgi_module /usr/lib/apache/mod_proxy_fcgi.so +#LoadModule proxy_fdpass_module /usr/lib/apache/mod_proxy_fdpass.so +#LoadModule proxy_ftp_module /usr/lib/apache/mod_proxy_ftp.so +#LoadModule proxy_html_module /usr/lib/apache/mod_proxy_html.so +#LoadModule proxy_http_module /usr/lib/apache/mod_proxy_http.so +#LoadModule proxy_scgi_module /usr/lib/apache/mod_proxy_scgi.so +#LoadModule proxy_module /usr/lib/apache/mod_proxy.so +#LoadModule proxy_wstunnel_module /usr/lib/apache/mod_proxy_wstunnel.so +#LoadModule ratelimit_module /usr/lib/apache/mod_ratelimit.so +#LoadModule reflector_module /usr/lib/apache/mod_reflector.so +#LoadModule remoteip_module /usr/lib/apache/mod_remoteip.so +#LoadModule reqtimeout_module /usr/lib/apache/mod_reqtimeout.so +#LoadModule request_module /usr/lib/apache/mod_request.so LoadModule rewrite_module /usr/lib/apache/mod_rewrite.so +#LoadModule sed_module /usr/lib/apache/mod_sed.so +#LoadModule session_cookie_module /usr/lib/apache/mod_session_cookie.so +#LoadModule session_crypto_module /usr/lib/apache/mod_session_crypto.so +#LoadModule session_dbd_module /usr/lib/apache/mod_session_dbd.so +#LoadModule session_module /usr/lib/apache/mod_session.so +#LoadModule security2_module /usr/lib/apache//mod_security2.so +LoadModule setenvif_module /usr/lib/apache/mod_setenvif.so +#LoadModule slotmem_plain_module /usr/lib/apache/mod_slotmem_plain.so +#LoadModule slotmem_shm_module /usr/lib/apache/mod_slotmem_shm.so +#LoadModule socache_dbm_module /usr/lib/apache/mod_socache_dbm.so +#LoadModule socache_memcache_module /usr/lib/apache/mod_socache_memcache.so +LoadModule socache_shmcb_module /usr/lib/apache/mod_socache_shmcb.so +#LoadModule speling_module /usr/lib/apache/mod_speling.so LoadModule ssl_module /usr/lib/apache/mod_ssl.so -LoadModule php5_module /usr/lib/apache/libphp5.so +#LoadModule status_module /usr/lib/apache/mod_status.so +#LoadModule substitute_module /usr/lib/apache/mod_substitute.so +#LoadModule suexec_module /usr/lib/apache/mod_suexec.so +#LoadModule unique_id_module /usr/lib/apache/mod_unique_id.so +LoadModule unixd_module /usr/lib/apache/mod_unixd.so +#LoadModule userdir_module /usr/lib/apache/mod_userdir.so +#LoadModule usertrack_module /usr/lib/apache/mod_usertrack.so +#LoadModule version_module /usr/lib/apache/mod_version.so +#LoadModule vhost_alias_module /usr/lib/apache/mod_vhost_alias.so +#LoadModule watchdog_module /usr/lib/apache/mod_watchdog.so +#LoadModule xml2enc_module /usr/lib/apache/mod_xml2enc.so + diff --git a/config/httpd/server-tuning.conf b/config/httpd/server-tuning.conf index 183ce80..81acb02 100644 --- a/config/httpd/server-tuning.conf +++ b/config/httpd/server-tuning.conf @@ -17,12 +17,6 @@ MaxKeepAliveRequests 100 # KeepAliveTimeout 15 -MinSpareServers 1 -MaxSpareServers 10 -StartServers 1 -MaxClients 10 -MaxRequestsPerChild 100 - # # The following directives modify normal HTTP response behavior to # handle known problems with browser implementations. @@ -32,3 +26,4 @@ BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0 + diff --git a/config/httpd/ssl-global.conf b/config/httpd/ssl-global.conf index 9cf4f81..10d61d0 100644 --- a/config/httpd/ssl-global.conf +++ b/config/httpd/ssl-global.conf @@ -42,7 +42,7 @@ # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. - SSLMutex file:/var/log/httpd/ssl_mutex + Mutex file:/var/log/httpd/ default # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the @@ -58,3 +58,4 @@ SSLRandomSeed connect builtin </IfModule> + diff --git a/config/php/php.ini b/config/php/php.ini index 6e82094..928fd8f 100644 --- a/config/php/php.ini +++ b/config/php/php.ini @@ -3,149 +3,234 @@ ;;;;;;;;;;;;;;;;;;; ; About php.ini ; ;;;;;;;;;;;;;;;;;;; -; This file controls many aspects of PHP's behavior. In order for PHP to -; read it, it must be named 'php.ini'. PHP looks for it in the current -; working directory, in the path designated by the environment variable -; PHPRC, and in the path that was defined in compile time (in that order). -; Under Windows, the compile-time path is the Windows directory. The -; path in which the php.ini file is looked for can be overridden using -; the -c argument in command line mode. -; -; The syntax of the file is extremely simple. Whitespace and Lines +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. + +; PHP attempts to find and load this configuration from a number of locations. +; The following is a summary of its search order: +; 1. SAPI module specific location. +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) +; 4. Current working directory (except CLI) +; 5. The web server's directory (for SAPI modules), or directory of PHP +; (otherwise in Windows) +; 6. The directory from the --with-config-file-path compile time option, or the +; Windows directory (C:\windows or C:\winnt) +; See the PHP docs for more specific information. +; http://php.net/configuration.file + +; The syntax of the file is extremely simple. Whitespace and lines ; beginning with a semicolon are silently ignored (as you probably guessed). ; Section headers (e.g. [Foo]) are also silently ignored, even though ; they might mean something in the future. -; + +; Directives following the section heading [PATH=/www/mysite] only +; apply to PHP files in the /www/mysite directory. Directives +; following the section heading [HOST=www.example.com] only apply to +; PHP files served from www.example.com. Directives set in these +; special sections cannot be overridden by user-defined INI files or +; at runtime. Currently, [PATH=] and [HOST=] sections only work under +; CGI/FastCGI. +; http://php.net/ini.sections + ; Directives are specified using the following syntax: ; directive = value ; Directive names are *case sensitive* - foo=bar is different from FOO=bar. -; +; Directives are variables used to configure PHP or PHP extensions. +; There is no name validation. If PHP can't find an expected +; directive because it is not set or is mistyped, a default value will be used. + ; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one ; of the INI constants (On, Off, True, False, Yes, No and None) or an expression -; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo"). -; +; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a +; previously set variable or directive (e.g. ${foo}) + ; Expressions in the INI file are limited to bitwise operators and parentheses: -; | bitwise OR -; & bitwise AND -; ~ bitwise NOT -; ! boolean NOT -; +; | bitwise OR +; ^ bitwise XOR +; & bitwise AND +; ~ bitwise NOT +; ! boolean NOT + ; Boolean flags can be turned on using the values 1, On, True or Yes. ; They can be turned off using the values 0, Off, False or No. -; + ; An empty string can be denoted by simply not writing anything after the equal ; sign, or by using the None keyword: -; + ; foo = ; sets foo to an empty string -; foo = none ; sets foo to an empty string -; foo = "none" ; sets foo to the string 'none' -; +; foo = None ; sets foo to an empty string +; foo = "None" ; sets foo to the string 'None' + ; If you use constants in your value, and these constants belong to a ; dynamically loaded extension (either a PHP extension or a Zend extension), ; you may only use these constants *after* the line that loads the extension. -; -; + ;;;;;;;;;;;;;;;;;;; ; About this file ; ;;;;;;;;;;;;;;;;;;; -; This is the recommended, PHP 5-style version of the php.ini-dist file. It -; sets some non standard settings, that make PHP more efficient, more secure, -; and encourage cleaner coding. -; -; The price is that with these settings, PHP may be incompatible with some -; applications, and sometimes, more difficult to develop with. Using this -; file is warmly recommended for production sites. As all of the changes from -; the standard settings are thoroughly documented, you can go over each one, -; and decide whether you want to use it or not. -; -; For general information about the php.ini file, please consult the php.ini-dist -; file, included in your PHP distribution. -; -; This file is different from the php.ini-dist file in the fact that it features -; different values for several directives, in order to improve performance, while -; possibly breaking compatibility with the standard out-of-the-box behavior of -; PHP. Please make sure you read what's different, and modify your scripts -; accordingly, if you decide to use this file instead. -; -; - register_long_arrays = Off [Performance] -; Disables registration of the older (and deprecated) long predefined array -; variables ($HTTP_*_VARS). Instead, use the superglobals that were -; introduced in PHP 4.1.0 -; - display_errors = Off [Security] -; With this directive set to off, errors that occur during the execution of -; scripts will no longer be displayed as a part of the script output, and thus, -; will no longer be exposed to remote users. With some errors, the error message -; content may expose information about your script, web server, or database -; server that may be exploitable for hacking. Production sites should have this -; directive set to off. -; - log_errors = On [Security] -; This directive complements the above one. Any errors that occur during the -; execution of your script will be logged (typically, to your server's error log, -; but can be configured in several ways). Along with setting display_errors to off, -; this setup gives you the ability to fully understand what may have gone wrong, -; without exposing any sensitive information to remote users. -; - output_buffering = 4096 [Performance] -; Set a 4KB output buffer. Enabling output buffering typically results in less -; writes, and sometimes less packets sent on the wire, which can often lead to -; better performance. The gain this directive actually yields greatly depends -; on which Web server you're working with, and what kind of scripts you're using. -; - register_argc_argv = Off [Performance] -; Disables registration of the somewhat redundant $argv and $argc global -; variables. -; - magic_quotes_gpc = Off [Performance] -; Input data is no longer escaped with slashes so that it can be sent into -; SQL databases without further manipulation. Instead, you should use the -; function addslashes() on each input element you wish to send to a database. -; - variables_order = "GPCS" [Performance] -; The environment variables are not hashed into the $_ENV. To access -; environment variables, you can use getenv() instead. -; - error_reporting = E_ALL [Code Cleanliness, Security(?)] -; By default, PHP suppresses errors of type E_NOTICE. These error messages -; are emitted for non-critical errors, but that could be a symptom of a bigger -; problem. Most notably, this will cause error messages about the use -; of uninitialized variables to be displayed. -; - allow_call_time_pass_reference = Off [Code cleanliness] -; It's not possible to decide to force a variable to be passed by reference -; when calling a function. The PHP 4 style to do this is by making the -; function require the relevant argument by reference. -; - short_open_tag = Off [Portability] -; Using short tags is discouraged when developing code meant for redistribution -; since short tags may not be supported on the target server. +; PHP comes packaged with two INI files. One that is recommended to be used +; in production environments and one that is recommended to be used in +; development environments. + +; php.ini-production contains settings which hold security, performance and +; best practices at its core. But please be aware, these settings may break +; compatibility with older or less security conscience applications. We +; recommending using the production ini in production and testing environments. + +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to +; application users can inadvertently leak otherwise secure information. + +; This is php.ini-production INI file. + +;;;;;;;;;;;;;;;;;;; +; Quick Reference ; +;;;;;;;;;;;;;;;;;;; +; The following are all the settings which are different in either the production +; or development versions of the INIs with respect to PHP's default behavior. +; Please see the actual settings later in the document for more details as to why +; we recommend these changes in PHP's behavior. + +; display_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; display_startup_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; error_reporting +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT + +; html_errors +; Default Value: On +; Development Value: On +; Production value: On + +; log_errors +; Default Value: Off +; Development Value: On +; Production Value: On + +; max_input_time +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) + +; output_buffering +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 + +; register_argc_argv +; Default Value: On +; Development Value: Off +; Production Value: Off + +; request_order +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" + +; session.gc_divisor +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 + +; session.hash_bits_per_character +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 + +; short_open_tag +; Default Value: On +; Development Value: Off +; Production Value: Off + +; track_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; url_rewriter.tags +; Default Value: "a=href,area=href,frame=src,form=,fieldset=" +; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry" +; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry" + +; variables_order +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS" + +;;;;;;;;;;;;;;;;;;;; +; php.ini Options ; +;;;;;;;;;;;;;;;;;;;; +; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini" +;user_ini.filename = ".user.ini" + +; To disable this feature set this option to empty value +;user_ini.filename = + +; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes) +;user_ini.cache_ttl = 300 ;;;;;;;;;;;;;;;;;;;; ; Language Options ; ;;;;;;;;;;;;;;;;;;;; ; Enable the PHP scripting language engine under Apache. +; http://php.net/engine engine = On -; Enable compatibility mode with Zend Engine 1 (PHP 4.x) -zend.ze1_compatibility_mode = Off - -; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized. -; NOTE: Using short tags should be avoided when developing applications or -; libraries that are meant for redistribution, or deployment on PHP -; servers which are not under your control, because short tags may not -; be supported on the target server. For portable, redistributable code, -; be sure not to use short tags. +; This directive determines whether or not PHP will recognize code between +; <? and ?> tags as PHP source which should be processed as such. It is +; generally recommended that <?php and ?> should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the <?= shorthand tag, which can be +; used regardless of this directive. +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/short-open-tag short_open_tag = On ; Allow ASP-style <% %> tags. +; http://php.net/asp-tags asp_tags = Off ; The number of significant digits displayed in floating point numbers. -precision = 14 - -; Enforce year 2000 compliance (will cause problems with non-compliant browsers) -y2k_compliance = On - -; Output buffering allows you to send header lines (including cookies) even -; after you send body content, at the price of slowing PHP's output layer a -; bit. You can enable output buffering during runtime by calling the output -; buffering functions. You can also enable output buffering for all files by -; setting this directive to On. If you wish to limit the size of the buffer -; to a certain size - you can use a maximum number of bytes instead of 'On', as -; a value for this directive (e.g., output_buffering=4096). +; http://php.net/precision +precision = 14 + +; Output buffering is a mechanism for controlling how much output data +; (excluding headers and cookies) PHP should keep internally before pushing that +; data to the client. If your application's output exceeds this setting, PHP +; will send that data in chunks of roughly the size you specify. +; Turning on this setting and managing its maximum buffer size can yield some +; interesting side-effects depending on your application and web server. +; You may be able to send headers and cookies after you've already sent output +; through print or echo. You also may see performance benefits if your server is +; emitting less packets due to buffered output versus PHP streaming the output +; as it gets it. On production servers, 4096 bytes is a good setting for performance +; reasons. +; Note: Output buffering can also be controlled via Output Buffering Control +; functions. +; Possible Values: +; On = Enabled and buffer is unlimited. (Use with caution) +; Off = Disabled +; Integer = Enables the buffer and sets its maximum size in bytes. +; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 +; http://php.net/output-buffering output_buffering = 4096 ; You can redirect all of the output of your scripts to a function. For @@ -153,30 +238,35 @@ output_buffering = 4096 ; encoding will be transparently converted to the specified encoding. ; Setting any output handler automatically turns on output buffering. ; Note: People who wrote portable scripts should not depend on this ini -; directive. Instead, explicitly set the output handler using ob_start(). -; Using this ini directive may cause problems unless you know what script -; is doing. +; directive. Instead, explicitly set the output handler using ob_start(). +; Using this ini directive may cause problems unless you know what script +; is doing. ; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler" -; and you cannot use both "ob_gzhandler" and "zlib.output_compression". +; and you cannot use both "ob_gzhandler" and "zlib.output_compression". ; Note: output_handler must be empty if this is set 'On' !!!! -; Instead you must use zlib.output_handler. +; Instead you must use zlib.output_handler. +; http://php.net/output-handler ;output_handler = ; Transparent output compression using the zlib library ; Valid values for this option are 'off', 'on', or a specific buffer size ; to be used for compression (default is 4KB) ; Note: Resulting chunk size may vary due to nature of compression. PHP -; outputs chunks that are few hundreds bytes each as a result of -; compression. If you prefer a larger chunk size for better -; performance, enable output_buffering in addition. +; outputs chunks that are few hundreds bytes each as a result of +; compression. If you prefer a larger chunk size for better +; performance, enable output_buffering in addition. ; Note: You need to use zlib.output_handler instead of the standard -; output_handler, or otherwise the output will be corrupted. +; output_handler, or otherwise the output will be corrupted. +; http://php.net/zlib.output-compression zlib.output_compression = Off + +; http://php.net/zlib.output-compression-level ;zlib.output_compression_level = -1 ; You cannot specify additional output handlers if zlib.output_compression ; is activated here. This setting does the same as output_handler but in ; a different order. +; http://php.net/zlib.output-handler ;zlib.output_handler = ; Implicit flush tells PHP to tell the output layer to flush itself @@ -184,135 +274,145 @@ zlib.output_compression = Off ; PHP function flush() after each and every call to print() or echo() and each ; and every HTML block. Turning this option on has serious performance ; implications and is generally recommended for debugging purposes only. +; http://php.net/implicit-flush +; Note: This directive is hardcoded to On for the CLI SAPI implicit_flush = Off ; The unserialize callback function will be called (with the undefined class' ; name as parameter), if the unserializer finds an undefined class -; which should be instantiated. -; A warning appears if the specified function is not defined, or if the -; function doesn't include/implement the missing class. +; which should be instantiated. A warning appears if the specified function is +; not defined, or if the function doesn't include/implement the missing class. ; So only set this entry, if you really want to implement such a ; callback-function. -unserialize_callback_func= +unserialize_callback_func = ; When floats & doubles are serialized store serialize_precision significant ; digits after the floating point. The default value ensures that when floats ; are decoded with unserialize, the data will remain the same. serialize_precision = 100 -; Whether to enable the ability to force arguments to be passed by reference -; at function call time. This method is deprecated and is likely to be -; unsupported in future versions of PHP/Zend. The encouraged method of -; specifying which arguments should be passed by reference is in the function -; declaration. You're encouraged to try and turn this option Off and make -; sure your scripts work properly with it in order to ensure they will work -; with future versions of the language (you will receive a warning each time -; you use this feature, and the argument will be passed by value instead of by -; reference). -allow_call_time_pass_reference = Off - -; -; Safe Mode -; -safe_mode = Off - -; By default, Safe Mode does a UID compare check when -; opening files. If you want to relax this to a GID compare, -; then turn on safe_mode_gid. -safe_mode_gid = Off - -; When safe_mode is on, UID/GID checks are bypassed when -; including files from this directory and its subdirectories. -; (directory must also be in include_path or full path must -; be used when including) -safe_mode_include_dir = - -; When safe_mode is on, only executables located in the safe_mode_exec_dir -; will be allowed to be executed via the exec family of functions. -safe_mode_exec_dir = - -; Setting certain environment variables may be a potential security breach. -; This directive contains a comma-delimited list of prefixes. In Safe Mode, -; the user may only alter environment variables whose names begin with the -; prefixes supplied here. By default, users will only be able to set -; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR). -; -; Note: If this directive is empty, PHP will let the user modify ANY -; environment variable! -safe_mode_allowed_env_vars = PHP_ - -; This directive contains a comma-delimited list of environment variables that -; the end user won't be able to change using putenv(). These variables will be -; protected even if safe_mode_allowed_env_vars is set to allow to change them. -safe_mode_protected_env_vars = LD_LIBRARY_PATH - ; open_basedir, if set, limits all file operations to the defined directory ; and below. This directive makes most sense if used in a per-directory -; or per-virtualhost web server configuration file. This directive is -; *NOT* affected by whether Safe Mode is turned On or Off. +; or per-virtualhost web server configuration file. +; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. -; It receives a comma-delimited list of function names. This directive is -; *NOT* affected by whether Safe Mode is turned On or Off. +; It receives a comma-delimited list of function names. +; http://php.net/disable-functions disable_functions = ; This directive allows you to disable certain classes for security reasons. -; It receives a comma-delimited list of class names. This directive is -; *NOT* affected by whether Safe Mode is turned On or Off. +; It receives a comma-delimited list of class names. +; http://php.net/disable-classes disable_classes = ; Colors for Syntax Highlighting mode. Anything that's acceptable in ; <span style="color: ???????"> would work. +; http://php.net/syntax-highlighting ;highlight.string = #DD0000 ;highlight.comment = #FF9900 ;highlight.keyword = #007700 -;highlight.bg = #FFFFFF ;highlight.default = #0000BB ;highlight.html = #000000 ; If enabled, the request will be allowed to complete even if the user aborts -; the request. Consider enabling it if executing long request, which may end up -; being interrupted by the user or a browser timing out. -; ignore_user_abort = On +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. PHP's default behavior +; is to disable this feature. +; http://php.net/ignore-user-abort +;ignore_user_abort = On ; Determines the size of the realpath cache to be used by PHP. This value should ; be increased on systems where PHP opens many files to reflect the quantity of ; the file operations performed. -; realpath_cache_size=16k +; http://php.net/realpath-cache-size +;realpath_cache_size = 16k ; Duration of time, in seconds for which to cache realpath information for a given ; file or directory. For systems with rarely changing files, consider increasing this ; value. -; realpath_cache_ttl=120 +; http://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; http://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +; Default: Off +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. +; Default: "" +;zend.script_encoding = + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; -; -; Misc -; ; Decides whether PHP may expose the fact that it is installed on the server ; (e.g. by adding its signature to the Web server header). It is no security ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not. -expose_php = On - +; http://php.net/expose-php +expose_php = Off ;;;;;;;;;;;;;;;;;;; ; Resource Limits ; ;;;;;;;;;;;;;;;;;;; -max_execution_time = 30 ; Maximum execution time of each script, in seconds -max_input_time = 60 ; Maximum amount of time each script may spend parsing request data -;max_input_nesting_level = 64 ; Maximum input variable nesting level -memory_limit = 128M ; Maximum amount of memory a script may consume (128MB) +; Maximum execution time of each script, in seconds +; http://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 30 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. +; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; http://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; http://php.net/max-input-nesting-level +;max_input_nesting_level = 64 +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + +; Maximum amount of memory a script may consume (128MB) +; http://php.net/memory-limit +memory_limit = 128M ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Error handling and logging ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -; error_reporting is a bit-field. Or each number up to get desired error -; reporting level -; E_ALL - All errors and warnings (doesn't include E_STRICT) +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. +; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. +; +; Error Level Constants: +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) ; E_ERROR - fatal run-time errors ; E_RECOVERABLE_ERROR - almost fatal run-time errors ; E_WARNING - run-time warnings (non-fatal errors) @@ -320,7 +420,7 @@ memory_limit = 128M ; Maximum amount of memory a script may consume (128MB) ; E_NOTICE - run-time notices (these are warnings which often result ; from a bug in your code, but it's possible that it was ; intentional (e.g., using an uninitialized variable and -; relying on the fact it's automatically initialized to an +; relying on the fact it is automatically initialized to an ; empty string) ; E_STRICT - run-time notices, enable to have PHP suggest changes ; to your code which will ensure the best interoperability @@ -333,183 +433,275 @@ memory_limit = 128M ; Maximum amount of memory a script may consume (128MB) ; E_USER_ERROR - user-generated error message ; E_USER_WARNING - user-generated warning message ; E_USER_NOTICE - user-generated notice message +; E_DEPRECATED - warn about code that will not work in future versions +; of PHP +; E_USER_DEPRECATED - user-generated deprecation warnings ; -; Examples: -; -; - Show all errors, except for notices and coding standards warnings -; -;error_reporting = E_ALL & ~E_NOTICE -; -; - Show all errors, except for notices -; -;error_reporting = E_ALL & ~E_NOTICE | E_STRICT -; -; - Show only errors -; -;error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR -; -; - Show all errors, except coding standards warnings -; -error_reporting = E_ALL - -; Print out errors (as a part of the output). For production web sites, -; you're strongly encouraged to turn this feature off, and use error logging -; instead (see below). Keeping display_errors enabled on a production web site -; may reveal security information to end users, such as file paths on your Web -; server, your database schema or other information. -; -; possible values for display_errors: -; -; Off - Do not display any errors -; stderr - Display errors to STDERR (affects only CGI/CLI binaries!) -; On or stdout - Display errors to STDOUT (default) -; -; To output errors to STDERR with CGI/CLI: -;display_errors = "stderr" -; -; Default -; +; Common Values: +; E_ALL (Show all errors, warnings and notices including coding standards.) +; E_ALL & ~E_NOTICE (Show all errors, except for notices) +; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.) +; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors) +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT +; http://php.net/error-reporting +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT + +; This directive controls whether or not and where PHP will output errors, +; notices and warnings too. Error output is very useful during development, but +; it could be very dangerous in production environments. Depending on the code +; which is triggering the error, sensitive information could potentially leak +; out of your application such as database usernames and passwords or worse. +; For production environments, we recommend logging errors rather than +; sending them to STDOUT. +; Possible Values: +; Off = Do not display any errors +; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) +; On or stdout = Display errors to STDOUT +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/display-errors display_errors = Off -; Even when display_errors is on, errors that occur during PHP's startup -; sequence are not displayed. It's strongly recommended to keep -; display_startup_errors off, except for when debugging. +; The display of errors which occur during PHP's startup sequence are handled +; separately from display_errors. PHP's default behavior is to suppress those +; errors from clients. Turning the display of startup errors on can be useful in +; debugging configuration problems. We strongly recommend you +; set this to 'off' for production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/display-startup-errors display_startup_errors = Off -; Log errors into a log file (server-specific log, stderr, or error_log (below)) -; As stated above, you're strongly advised to use error logging in place of -; error displaying on production web sites. +; Besides displaying errors, PHP can also log errors to locations such as a +; server-specific log, STDERR, or a location specified by the error_log +; directive found below. While errors should not be displayed on productions +; servers they should still be monitored and logging is a great way to do that. +; Default Value: Off +; Development Value: On +; Production Value: On +; http://php.net/log-errors log_errors = On ; Set maximum length of log_errors. In error_log information about the source is ; added. The default is 1024 and 0 allows to not apply any maximum length at all. +; http://php.net/log-errors-max-len log_errors_max_len = 1024 ; Do not log repeated messages. Repeated errors must occur in same file on same -; line until ignore_repeated_source is set true. +; line unless ignore_repeated_source is set true. +; http://php.net/ignore-repeated-errors ignore_repeated_errors = Off ; Ignore source of message when ignoring repeated messages. When this setting ; is On you will not log errors with repeated messages from different files or ; source lines. +; http://php.net/ignore-repeated-source ignore_repeated_source = Off ; If this parameter is set to Off, then memory leaks will not be shown (on ; stdout or in the log). This has only effect in a debug compile, and if ; error reporting includes E_WARNING in the allowed list +; http://php.net/report-memleaks report_memleaks = On +; This setting is on by default. ;report_zend_debug = 0 -; Store the last error/warning message in $php_errormsg (boolean). +; Store the last error/warning message in $php_errormsg (boolean). Setting this value +; to On can assist in debugging and is appropriate for development servers. It should +; however be disabled on production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/track-errors track_errors = Off -; Disable the inclusion of HTML tags in error messages. -; Note: Never use this feature for production boxes. +; Turn off normal error reporting and emit XML-RPC error XML +; http://php.net/xmlrpc-errors +;xmlrpc_errors = 0 + +; An XML-RPC faultCode +;xmlrpc_error_number = 0 + +; When PHP displays or logs an error, it has the capability of formatting the +; error message as HTML for easier reading. This directive controls whether +; the error message is formatted as HTML or not. +; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: On +; Development Value: On +; Production value: On +; http://php.net/html-errors ;html_errors = Off -; If html_errors is set On PHP produces clickable error messages that direct -; to a page describing the error or function causing the error in detail. -; You can download a copy of the PHP manual from http://www.php.net/docs.php +; If html_errors is set to On *and* docref_root is not empty, then PHP +; produces clickable error messages that direct to a page describing the error +; or function causing the error in detail. +; You can download a copy of the PHP manual from http://php.net/docs ; and change docref_root to the base URL of your local copy including the ; leading '/'. You must also specify the file extension being used including -; the dot. +; the dot. PHP's default behavior is to leave these settings empty, in which +; case no links to documentation are generated. ; Note: Never use this feature for production boxes. +; http://php.net/docref-root +; Examples ;docref_root = "/phpmanual/" -;docref_ext = .html -; String to output before an error message. -;error_prepend_string = "<font color=ff0000>" - -; String to output after an error message. -;error_append_string = "</font>" - -; Log errors to specified file. -;error_log = filename +; http://php.net/docref-ext +;docref_ext = .html -; Log errors to syslog (Event Log on NT, not valid in Windows 95). +; String to output before an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-prepend-string +; Example: +;error_prepend_string = "<span style='color: #ff0000'>" + +; String to output after an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-append-string +; Example: +;error_append_string = "</span>" + +; Log errors to specified file. PHP's default behavior is to leave this value +; empty. +; http://php.net/error-log +; Example: +;error_log = php_errors.log +; Log errors to syslog (Event Log on Windows). ;error_log = syslog +;windows.show_crt_warning +; Default value: 0 +; Development value: 0 +; Production value: 0 ;;;;;;;;;;;;;;;;; ; Data Handling ; ;;;;;;;;;;;;;;;;; -; -; Note - track_vars is ALWAYS enabled as of PHP 4.0.3 ; The separator used in PHP generated URLs to separate arguments. -; Default is "&". +; PHP's default setting is "&". +; http://php.net/arg-separator.output +; Example: ;arg_separator.output = "&" ; List of separator(s) used by PHP to parse input URLs into variables. -; Default is "&". +; PHP's default setting is "&". ; NOTE: Every character in this directive is considered as separator! +; http://php.net/arg-separator.input +; Example: ;arg_separator.input = ";&" -; This directive describes the order in which PHP registers GET, POST, Cookie, -; Environment and Built-in variables (G, P, C, E & S respectively, often -; referred to as EGPCS or GPC). Registration is done from left to right, newer -; values override older values. +; This directive determines which super global arrays are registered when PHP +; starts up. G,P,C,E & S are abbreviations for the following respective super +; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty +; paid for the registration of these arrays and because ENV is not as commonly +; used as the others, ENV is not recommended on productions servers. You +; can still get access to the environment variables through getenv() should you +; need to. +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS"; +; http://php.net/variables-order variables_order = "GPCS" -; Whether or not to register the EGPCS variables as global variables. You may -; want to turn this off if you don't want to clutter your scripts' global scope -; with user data. This makes most sense when coupled with track_vars - in which -; case you can access all of the GPC variables through the $HTTP_*_VARS[], -; variables. -; -; You should do your best to write your scripts so that they do not require -; register_globals to be on; Using form variables as globals can easily lead -; to possible security problems, if the code is not very well thought of. -register_globals = Off - -; Whether or not to register the old-style input arrays, HTTP_GET_VARS -; and friends. If you're not using them, it's recommended to turn them off, -; for performance reasons. -register_long_arrays = Off - -; This directive tells PHP whether to declare the argv&argc variables (that -; would contain the GET information). If you don't use these variables, you -; should turn it off for increased performance. +; This directive determines which super global data (G,P & C) should be +; registered into the super global array REQUEST. If so, it also determines +; the order in which that data is registered. The values for this directive +; are specified in the same manner as the variables_order directive, +; EXCEPT one. Leaving this value empty will cause PHP to use the value set +; in the variables_order directive. It does not mean it will leave the super +; globals array REQUEST empty. +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" +; http://php.net/request-order +request_order = "GP" + +; This directive determines whether PHP registers $argv & $argc each time it +; runs. $argv contains an array of all the arguments passed to PHP when a script +; is invoked. $argc contains an integer representing the number of arguments +; that were passed when the script was invoked. These arrays are extremely +; useful when running scripts from the command line. When this directive is +; enabled, registering these variables consumes CPU cycles and memory each time +; a script is executed. For performance reasons, this feature should be disabled +; on production servers. +; Note: This directive is hardcoded to On for the CLI SAPI +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/register-argc-argv register_argc_argv = Off -; When enabled, the SERVER and ENV variables are created when they're first -; used (Just In Time) instead of when the script starts. If these variables -; are not used within a script, having this directive on will result in a -; performance gain. The PHP directives register_globals, register_long_arrays, -; and register_argc_argv must be disabled for this directive to have any affect. +; When enabled, the ENV, REQUEST and SERVER variables are created when they're +; first used (Just In Time) instead of when the script starts. If these +; variables are not used within a script, having this directive on will result +; in a performance gain. The PHP directive register_argc_argv must be disabled +; for this directive to have any affect. +; http://php.net/auto-globals-jit auto_globals_jit = On +; Whether PHP will read the POST data. +; This option is enabled by default. +; Most likely, you won't want to disable this option globally. It causes $_POST +; and $_FILES to always be empty; the only way you will be able to read the +; POST data will be through the php://input stream wrapper. This can be useful +; to proxy requests or to process the POST data in a memory efficient fashion. +; http://php.net/enable-post-data-reading +;enable_post_data_reading = Off + ; Maximum size of POST data that PHP will accept. +; Its value may be 0 to disable the limit. It is ignored if POST data reading +; is disabled through enable_post_data_reading. +; http://php.net/post-max-size post_max_size = 8M -; Magic quotes -; - -; Magic quotes for incoming GET/POST/Cookie data. -magic_quotes_gpc = Off - -; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. -magic_quotes_runtime = Off - -; Use Sybase-style magic quotes (escape ' with '' instead of \'). -magic_quotes_sybase = Off - -; Automatically add files before or after any PHP document. +; Automatically add files before PHP document. +; http://php.net/auto-prepend-file auto_prepend_file = + +; Automatically add files after PHP document. +; http://php.net/auto-append-file auto_append_file = -; As of 4.0b4, PHP always outputs a character encoding by default in +; By default, PHP will output a character encoding using ; the Content-type: header. To disable sending of the charset, simply ; set it to be empty. ; ; PHP's built-in default is text/html +; http://php.net/default-mimetype default_mimetype = "text/html" -;default_charset = "iso-8859-1" - -; Always populate the $HTTP_RAW_POST_DATA variable. -;always_populate_raw_post_data = On +; PHP's default character set is set to UTF-8. +; http://php.net/default-charset +default_charset = "UTF-8" + +; PHP internal character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/internal-encoding +;internal_encoding = + +; PHP input character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/input-encoding +;input_encoding = + +; PHP output character encoding is set to empty. +; If empty, default_charset is used. +; mbstring or iconv output handler is used. +; See also output_buffer. +; http://php.net/output-encoding +;output_encoding = + +; Always populate the $HTTP_RAW_POST_DATA variable. PHP's default behavior is +; to disable this feature and it will be removed in a future version. +; If post reading is disabled through enable_post_data_reading, +; $HTTP_RAW_POST_DATA is *NOT* populated. +; http://php.net/always-populate-raw-post-data +;always_populate_raw_post_data = -1 ;;;;;;;;;;;;;;;;;;;;;;;;; ; Paths and Directories ; @@ -520,100 +712,130 @@ default_mimetype = "text/html" ; ; Windows: "\path1;\path2" ;include_path = ".;c:\php\includes" +; +; PHP's default setting for include_path is ".;/path/to/php/pear" +; http://php.net/include-path ; The root of the PHP pages, used only if nonempty. ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root ; if you are running php as a CGI under any web server (other than IIS) ; see documentation for security issues. The alternate is to use the ; cgi.force_redirect configuration below +; http://php.net/doc-root doc_root = ; The directory under which PHP opens the script using /~username used only ; if nonempty. +; http://php.net/user-dir user_dir = ; Directory in which the loadable extensions (modules) reside. -extension_dir = "/usr/lib/php/extensions/no-debug-non-zts-20090626/" +; http://php.net/extension-dir +; extension_dir = "./" +; On windows: +; extension_dir = "ext" +extension_dir = "/usr/lib/php/extensions/no-debug-zts-20131226/" + +; Directory where the temporary files should be placed. +; Defaults to the system default (see sys_get_temp_dir) +; sys_temp_dir = "/tmp" ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically ; disabled on them. -enable_dl = On +; http://php.net/enable-dl +enable_dl = Off ; cgi.force_redirect is necessary to provide security running PHP as a CGI under ; most web servers. Left undefined, PHP turns this on by default. You can ; turn it off here AT YOUR OWN RISK ; **You CAN safely turn this off for IIS, in fact, you MUST.** -; cgi.force_redirect = 1 +; http://php.net/cgi.force-redirect +;cgi.force_redirect = 1 ; if cgi.nph is enabled it will force cgi to always sent Status: 200 with -; every request. -; cgi.nph = 1 +; every request. PHP's default behavior is to disable this feature. +;cgi.nph = 1 ; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape ; (iPlanet) web servers, you MAY need to set an environment variable name that PHP ; will look for to know it is OK to continue execution. Setting this variable MAY ; cause security issues, KNOW WHAT YOU ARE DOING FIRST. -; cgi.redirect_status_env = ; +; http://php.net/cgi.redirect-status-env +;cgi.redirect_status_env = ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting -; this to 1 will cause PHP CGI to fix it's paths to conform to the spec. A setting +; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. -; cgi.fix_pathinfo=1 +; http://php.net/cgi.fix-pathinfo +;cgi.fix_pathinfo=1 ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate ; security tokens of the calling client. This allows IIS to define the ; security context that the request runs under. mod_fastcgi under Apache ; does not currently support this feature (03/17/2002) ; Set to 1 if running under IIS. Default is zero. -; fastcgi.impersonate = 1; +; http://php.net/fastcgi.impersonate +;fastcgi.impersonate = 1 -; Disable logging through FastCGI connection -; fastcgi.logging = 0 +; Disable logging through FastCGI connection. PHP's default behavior is to enable +; this feature. +;fastcgi.logging = 0 ; cgi.rfc2616_headers configuration option tells PHP what type of headers to -; use when sending HTTP response code. If it's set 0 PHP sends Status: header that -; is supported by Apache. When this option is set to 1 PHP will send +; use when sending HTTP response code. If set to 0, PHP sends Status: header that +; is supported by Apache. When this option is set to 1, PHP will send ; RFC2616 compliant header. ; Default is zero. +; http://php.net/cgi.rfc2616-headers ;cgi.rfc2616_headers = 0 - ;;;;;;;;;;;;;;;; ; File Uploads ; ;;;;;;;;;;;;;;;; ; Whether to allow HTTP file uploads. +; http://php.net/file-uploads file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). +; http://php.net/upload-tmp-dir ;upload_tmp_dir = ; Maximum allowed size for uploaded files. +; http://php.net/upload-max-filesize upload_max_filesize = 2M +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 20 ;;;;;;;;;;;;;;;;;; ; Fopen wrappers ; ;;;;;;;;;;;;;;;;;; ; Whether to allow the treatment of URLs (like http:// or ftp://) as files. -allow_url_fopen = On +; http://php.net/allow-url-fopen +allow_url_fopen = Off ; Whether to allow include/require to open URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-include allow_url_include = Off -; Define the anonymous ftp password (your email address) +; Define the anonymous ftp password (your email address). PHP's default setting +; for this is empty. +; http://php.net/from ;from="john(a)doe.com" -; Define the User-Agent string -; user_agent="PHP" +; Define the User-Agent string. PHP's default setting for this is empty. +; http://php.net/user-agent +;user_agent="PHP" ; Default timeout for socket based streams (seconds) +; http://php.net/default-socket-timeout default_socket_timeout = 60 ; If your scripts have to deal with files from Macintosh systems, @@ -621,13 +843,13 @@ default_socket_timeout = 60 ; unix or win32 systems, setting this flag will cause PHP to ; automatically detect the EOL character in those files so that ; fgets() and file() will work regardless of the source of the file. -; auto_detect_line_endings = Off - +; http://php.net/auto-detect-line-endings +;auto_detect_line_endings = Off ;;;;;;;;;;;;;;;;;;;;;; ; Dynamic Extensions ; ;;;;;;;;;;;;;;;;;;;;;; -; + ; If you wish to have an extension loaded automatically, use the following ; syntax: ; @@ -640,180 +862,308 @@ default_socket_timeout = 60 ; ... or under UNIX: ; ; extension=msql.so -; -; Note that it should be the name of the module only; no directory information -; needs to go here. Specify the location of the extension with the -; extension_dir directive above. -extension=idn.so +extension=dba.so +; +; ... or with a path: +; +; extension=/path/to/extension/msql.so +; +; If you only provide the name of the extension, PHP will look for it in its +; default extension directory. +; ; Windows Extensions ; Note that ODBC support is built in, so no dll is needed for it. ; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5) ; extension folders as well as the separate PECL DLL download (PHP 5). ; Be sure to appropriately set the extension_dir directive. - +; ;extension=php_bz2.dll ;extension=php_curl.dll -;extension=php_dba.dll -;extension=php_dbase.dll -;extension=php_exif.dll -;extension=php_fdf.dll +;extension=php_fileinfo.dll ;extension=php_gd2.dll ;extension=php_gettext.dll ;extension=php_gmp.dll -;extension=php_ifx.dll +;extension=php_intl.dll ;extension=php_imap.dll ;extension=php_interbase.dll ;extension=php_ldap.dll ;extension=php_mbstring.dll -;extension=php_mcrypt.dll -;extension=php_mhash.dll -;extension=php_mime_magic.dll -;extension=php_ming.dll -;extension=php_msql.dll -;extension=php_mssql.dll +;extension=php_exif.dll ; Must be after mbstring as it depends on it ;extension=php_mysql.dll ;extension=php_mysqli.dll -;extension=php_oci8.dll +;extension=php_oci8_12c.dll ; Use with Oracle Database 12c Instant Client ;extension=php_openssl.dll -;extension=php_pdo.dll ;extension=php_pdo_firebird.dll -;extension=php_pdo_mssql.dll ;extension=php_pdo_mysql.dll ;extension=php_pdo_oci.dll -;extension=php_pdo_oci8.dll ;extension=php_pdo_odbc.dll ;extension=php_pdo_pgsql.dll ;extension=php_pdo_sqlite.dll ;extension=php_pgsql.dll -;extension=php_pspell.dll ;extension=php_shmop.dll + +; The MIBS data available in the PHP distribution must be installed. +; See http://www.php.net/manual/en/snmp.installation.php ;extension=php_snmp.dll + ;extension=php_soap.dll ;extension=php_sockets.dll -;extension=php_sqlite.dll +;extension=php_sqlite3.dll ;extension=php_sybase_ct.dll ;extension=php_tidy.dll ;extension=php_xmlrpc.dll ;extension=php_xsl.dll -;extension=php_zip.dll ;;;;;;;;;;;;;;;;;;; ; Module Settings ; ;;;;;;;;;;;;;;;;;;; +[CLI Server] +; Whether the CLI web server uses ANSI color coding in its terminal output. +cli_server.color = On + [Date] ; Defines the default timezone used by the date functions +; http://php.net/date.timezone ;date.timezone = +; http://php.net/date.default-latitude ;date.default_latitude = 31.7667 + +; http://php.net/date.default-longitude ;date.default_longitude = 35.2333 +; http://php.net/date.sunrise-zenith ;date.sunrise_zenith = 90.583333 + +; http://php.net/date.sunset-zenith ;date.sunset_zenith = 90.583333 [filter] +; http://php.net/filter.default ;filter.default = unsafe_raw + +; http://php.net/filter.default-flags ;filter.default_flags = [iconv] -;iconv.input_encoding = ISO-8859-1 -;iconv.internal_encoding = ISO-8859-1 -;iconv.output_encoding = ISO-8859-1 +; Use of this INI entry is deprecated, use global input_encoding instead. +; If empty, default_charset or input_encoding or iconv.input_encoding is used. +; The precedence is: default_charset < intput_encoding < iconv.input_encoding +;iconv.input_encoding = + +; Use of this INI entry is deprecated, use global internal_encoding instead. +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;iconv.internal_encoding = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; If empty, default_charset or output_encoding or iconv.output_encoding is used. +; The precedence is: default_charset < output_encoding < iconv.output_encoding +; To use an output encoding conversion, iconv's output handler must be set +; otherwise output encoding conversion cannot be performed. +;iconv.output_encoding = + +[intl] +;intl.default_locale = +; This directive allows you to produce PHP errors when some error +; happens within intl functions. The value is the level of the error produced. +; Default is 0, which does not produce any errors. +;intl.error_level = E_WARNING [sqlite] +; http://php.net/sqlite.assoc-case ;sqlite.assoc_case = 0 -[xmlrpc] -;xmlrpc_error_number = 0 -;xmlrpc_errors = 0 +[sqlite3] +;sqlite3.extension_dir = [Pcre] ;PCRE library backtracking limit. +; http://php.net/pcre.backtrack-limit ;pcre.backtrack_limit=100000 -;PCRE library recursion limit. -;Please note that if you set this value to a high number you may consume all -;the available process stack and eventually crash PHP (due to reaching the +;PCRE library recursion limit. +;Please note that if you set this value to a high number you may consume all +;the available process stack and eventually crash PHP (due to reaching the ;stack size limit imposed by the Operating System). +; http://php.net/pcre.recursion-limit ;pcre.recursion_limit=100000 -[Syslog] -; Whether or not to define the various syslog variables (e.g. $LOG_PID, -; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In -; runtime, you can define these variables by calling define_syslog_variables(). -define_syslog_variables = Off +[Pdo] +; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off" +; http://php.net/pdo-odbc.connection-pooling +;pdo_odbc.connection_pooling=strict + +;pdo_odbc.db2_instance_name + +[Pdo_mysql] +; If mysqlnd is used: Number of cache slots for the internal result set cache +; http://php.net/pdo_mysql.cache_size +pdo_mysql.cache_size = 2000 + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +; http://php.net/pdo_mysql.default-socket +pdo_mysql.default_socket= + +[Phar] +; http://php.net/phar.readonly +;phar.readonly = On + +; http://php.net/phar.require-hash +;phar.require_hash = On + +;phar.cache_list = [mail function] ; For Win32 only. +; http://php.net/smtp SMTP = localhost +; http://php.net/smtp-port smtp_port = 25 ; For Win32 only. +; http://php.net/sendmail-from ;sendmail_from = me(a)example.com ; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). +; http://php.net/sendmail-path ;sendmail_path = ; Force the addition of the specified parameters to be passed as extra parameters ; to the sendmail binary. These parameters will always replace the value of -; the 5th parameter to mail(), even in safe mode. +; the 5th parameter to mail(). ;mail.force_extra_parameters = +; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename +mail.add_x_header = On + +; The path to a log file that will log all mail() calls. Log entries include +; the full path of the script, line number, To address and headers. +;mail.log = +; Log mail to syslog (Event Log on Windows). +;mail.log = syslog + [SQL] +; http://php.net/sql.safe-mode sql.safe_mode = Off [ODBC] +; http://php.net/odbc.default-db ;odbc.default_db = Not yet implemented + +; http://php.net/odbc.default-user ;odbc.default_user = Not yet implemented + +; http://php.net/odbc.default-pw ;odbc.default_pw = Not yet implemented +; Controls the ODBC cursor model. +; Default: SQL_CURSOR_STATIC (default). +;odbc.default_cursortype + ; Allow or prevent persistent links. +; http://php.net/odbc.allow-persistent odbc.allow_persistent = On ; Check that a connection is still valid before reuse. +; http://php.net/odbc.check-persistent odbc.check_persistent = On ; Maximum number of persistent links. -1 means no limit. +; http://php.net/odbc.max-persistent odbc.max_persistent = -1 ; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/odbc.max-links odbc.max_links = -1 ; Handling of LONG fields. Returns number of bytes to variables. 0 means ; passthru. +; http://php.net/odbc.defaultlrl odbc.defaultlrl = 4096 ; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char. ; See the documentation on odbc_binmode and odbc_longreadlen for an explanation -; of uodbc.defaultlrl and uodbc.defaultbinmode +; of odbc.defaultlrl and odbc.defaultbinmode +; http://php.net/odbc.defaultbinmode odbc.defaultbinmode = 1 +;birdstep.max_links = -1 + +[Interbase] +; Allow or prevent persistent links. +ibase.allow_persistent = 1 + +; Maximum number of persistent links. -1 means no limit. +ibase.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +ibase.max_links = -1 + +; Default database name for ibase_connect(). +;ibase.default_db = + +; Default username for ibase_connect(). +;ibase.default_user = + +; Default password for ibase_connect(). +;ibase.default_password = + +; Default charset for ibase_connect(). +;ibase.default_charset = + +; Default timestamp format. +ibase.timestampformat = "%Y-%m-%d %H:%M:%S" + +; Default date format. +ibase.dateformat = "%Y-%m-%d" + +; Default time format. +ibase.timeformat = "%H:%M:%S" + [MySQL] +; Allow accessing, from PHP's perspective, local files with LOAD DATA statements +; http://php.net/mysql.allow_local_infile +mysql.allow_local_infile = On + ; Allow or prevent persistent links. +; http://php.net/mysql.allow-persistent mysql.allow_persistent = On +; If mysqlnd is used: Number of cache slots for the internal result set cache +; http://php.net/mysql.cache_size +mysql.cache_size = 2000 + ; Maximum number of persistent links. -1 means no limit. +; http://php.net/mysql.max-persistent mysql.max_persistent = -1 ; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/mysql.max-links mysql.max_links = -1 ; Default port number for mysql_connect(). If unset, mysql_connect() will use ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the ; compile-time value defined MYSQL_PORT (in that order). Win32 will only look ; at MYSQL_PORT. +; http://php.net/mysql.default-port mysql.default_port = ; Default socket name for local MySQL connects. If empty, uses the built-in ; MySQL defaults. +; http://php.net/mysql.default-socket mysql.default_socket = /var/run/mysql/mysql.sock ; Default host for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysql.default-host mysql.default_host = ; Default user for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysql.default-user mysql.default_user = ; Default password for mysql_connect() (doesn't apply in safe mode). @@ -821,34 +1171,58 @@ mysql.default_user = ; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password") ; and reveal this password! And of course, any users with read access to this ; file will be able to reveal the password as well. +; http://php.net/mysql.default-password mysql.default_password = ; Maximum time (in seconds) for connect timeout. -1 means no limit +; http://php.net/mysql.connect-timeout mysql.connect_timeout = 60 ; Trace mode. When trace_mode is active (=On), warnings for table/index scans and ; SQL-Errors will be displayed. +; http://php.net/mysql.trace-mode mysql.trace_mode = Off [MySQLi] +; Maximum number of persistent links. -1 means no limit. +; http://php.net/mysqli.max-persistent +mysqli.max_persistent = -1 + +; Allow accessing, from PHP's perspective, local files with LOAD DATA statements +; http://php.net/mysqli.allow_local_infile +;mysqli.allow_local_infile = On + +; Allow or prevent persistent links. +; http://php.net/mysqli.allow-persistent +mysqli.allow_persistent = On + ; Maximum number of links. -1 means no limit. +; http://php.net/mysqli.max-links mysqli.max_links = -1 +; If mysqlnd is used: Number of cache slots for the internal result set cache +; http://php.net/mysqli.cache_size +mysqli.cache_size = 2000 + ; Default port number for mysqli_connect(). If unset, mysqli_connect() will use ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the ; compile-time value defined MYSQL_PORT (in that order). Win32 will only look ; at MYSQL_PORT. +; http://php.net/mysqli.default-port mysqli.default_port = 3306 ; Default socket name for local MySQL connects. If empty, uses the built-in ; MySQL defaults. +; http://php.net/mysqli.default-socket mysqli.default_socket = ; Default host for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-host mysqli.default_host = ; Default user for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-user mysqli.default_user = ; Default password for mysqli_connect() (doesn't apply in safe mode). @@ -856,176 +1230,179 @@ mysqli.default_user = ; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw") ; and reveal this password! And of course, any users with read access to this ; file will be able to reveal the password as well. +; http://php.net/mysqli.default-pw mysqli.default_pw = ; Allow or prevent reconnect mysqli.reconnect = Off -[mSQL] -; Allow or prevent persistent links. -msql.allow_persistent = On +[mysqlnd] +; Enable / Disable collection of general statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +; http://php.net/mysqlnd.collect_statistics +mysqlnd.collect_statistics = On -; Maximum number of persistent links. -1 means no limit. -msql.max_persistent = -1 +; Enable / Disable collection of memory usage statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +; http://php.net/mysqlnd.collect_memory_statistics +mysqlnd.collect_memory_statistics = Off -; Maximum number of links (persistent+non persistent). -1 means no limit. -msql.max_links = -1 +; Size of a pre-allocated buffer used when sending commands to MySQL in bytes. +; http://php.net/mysqlnd.net_cmd_buffer_size +;mysqlnd.net_cmd_buffer_size = 2048 + +; Size of a pre-allocated buffer used for reading data sent by the server in +; bytes. +; http://php.net/mysqlnd.net_read_buffer_size +;mysqlnd.net_read_buffer_size = 32768 [OCI8] -; enables privileged connections using external credentials (OCI_SYSOPER, OCI_SYSDBA) + +; Connection: Enables privileged connections using external +; credentials (OCI_SYSOPER, OCI_SYSDBA) +; http://php.net/oci8.privileged-connect ;oci8.privileged_connect = Off ; Connection: The maximum number of persistent OCI8 connections per ; process. Using -1 means no limit. +; http://php.net/oci8.max-persistent ;oci8.max_persistent = -1 ; Connection: The maximum number of seconds a process is allowed to ; maintain an idle persistent connection. Using -1 means idle ; persistent connections will be maintained forever. +; http://php.net/oci8.persistent-timeout ;oci8.persistent_timeout = -1 ; Connection: The number of seconds that must pass before issuing a ; ping during oci_pconnect() to check the connection validity. When ; set to 0, each oci_pconnect() will cause a ping. Using -1 disables ; pings completely. +; http://php.net/oci8.ping-interval ;oci8.ping_interval = 60 +; Connection: Set this to a user chosen connection class to be used +; for all pooled server requests with Oracle 11g Database Resident +; Connection Pooling (DRCP). To use DRCP, this value should be set to +; the same string for all web servers running the same application, +; the database pool must be configured, and the connection string must +; specify to use a pooled server. +;oci8.connection_class = + +; High Availability: Using On lets PHP receive Fast Application +; Notification (FAN) events generated when a database node fails. The +; database must also be configured to post FAN events. +;oci8.events = Off + ; Tuning: This option enables statement caching, and specifies how ; many statements to cache. Using 0 disables statement caching. +; http://php.net/oci8.statement-cache-size ;oci8.statement_cache_size = 20 ; Tuning: Enables statement prefetching and sets the default number of ; rows that will be fetched automatically after statement execution. -;oci8.default_prefetch = 10 +; http://php.net/oci8.default-prefetch +;oci8.default_prefetch = 100 ; Compatibility. Using On means oci_close() will not close ; oci_connect() and oci_new_connect() connections. +; http://php.net/oci8.old-oci-close-semantics ;oci8.old_oci_close_semantics = Off -[PostgresSQL] +[PostgreSQL] ; Allow or prevent persistent links. +; http://php.net/pgsql.allow-persistent pgsql.allow_persistent = On ; Detect broken persistent links always with pg_pconnect(). ; Auto reset feature requires a little overheads. +; http://php.net/pgsql.auto-reset-persistent pgsql.auto_reset_persistent = Off ; Maximum number of persistent links. -1 means no limit. +; http://php.net/pgsql.max-persistent pgsql.max_persistent = -1 ; Maximum number of links (persistent+non persistent). -1 means no limit. +; http://php.net/pgsql.max-links pgsql.max_links = -1 ; Ignore PostgreSQL backends Notice message or not. ; Notice message logging require a little overheads. +; http://php.net/pgsql.ignore-notice pgsql.ignore_notice = 0 -; Log PostgreSQL backends Noitce message or not. +; Log PostgreSQL backends Notice message or not. ; Unless pgsql.ignore_notice=0, module cannot log notice message. +; http://php.net/pgsql.log-notice pgsql.log_notice = 0 -[Sybase] -; Allow or prevent persistent links. -sybase.allow_persistent = On - -; Maximum number of persistent links. -1 means no limit. -sybase.max_persistent = -1 - -; Maximum number of links (persistent + non-persistent). -1 means no limit. -sybase.max_links = -1 - -;sybase.interface_file = "/usr/sybase/interfaces" - -; Minimum error severity to display. -sybase.min_error_severity = 10 - -; Minimum message severity to display. -sybase.min_message_severity = 10 - -; Compatibility mode with old versions of PHP 3.0. -; If on, this will cause PHP to automatically assign types to results according -; to their Sybase type, instead of treating them all as strings. This -; compatibility mode will probably not stay around forever, so try applying -; whatever necessary changes to your code, and turn it off. -sybase.compatability_mode = Off - [Sybase-CT] ; Allow or prevent persistent links. +; http://php.net/sybct.allow-persistent sybct.allow_persistent = On ; Maximum number of persistent links. -1 means no limit. +; http://php.net/sybct.max-persistent sybct.max_persistent = -1 ; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/sybct.max-links sybct.max_links = -1 ; Minimum server message severity to display. +; http://php.net/sybct.min-server-severity sybct.min_server_severity = 10 ; Minimum client message severity to display. +; http://php.net/sybct.min-client-severity sybct.min_client_severity = 10 -[bcmath] -; Number of decimal digits for all bcmath functions. -bcmath.scale = 0 - -[browscap] -;browscap = extra/browscap.ini - -[Informix] -; Default host for ifx_connect() (doesn't apply in safe mode). -ifx.default_host = - -; Default user for ifx_connect() (doesn't apply in safe mode). -ifx.default_user = +; Set per-context timeout +; http://php.net/sybct.timeout +;sybct.timeout= -; Default password for ifx_connect() (doesn't apply in safe mode). -ifx.default_password = +;sybct.packet_size -; Allow or prevent persistent links. -ifx.allow_persistent = On - -; Maximum number of persistent links. -1 means no limit. -ifx.max_persistent = -1 +; The maximum time in seconds to wait for a connection attempt to succeed before returning failure. +; Default: one minute +;sybct.login_timeout= -; Maximum number of links (persistent + non-persistent). -1 means no limit. -ifx.max_links = -1 +; The name of the host you claim to be connecting from, for display by sp_who. +; Default: none +;sybct.hostname= -; If on, select statements return the contents of a text blob instead of its id. -ifx.textasvarchar = 0 +; Allows you to define how often deadlocks are to be retried. -1 means "forever". +; Default: 0 +;sybct.deadlock_retry_count= -; If on, select statements return the contents of a byte blob instead of its id. -ifx.byteasvarchar = 0 - -; Trailing blanks are stripped from fixed-length char columns. May help the -; life of Informix SE users. -ifx.charasvarchar = 0 - -; If on, the contents of text and byte blobs are dumped to a file instead of -; keeping them in memory. -ifx.blobinfile = 0 +[bcmath] +; Number of decimal digits for all bcmath functions. +; http://php.net/bcmath.scale +bcmath.scale = 0 -; NULL's are returned as empty strings, unless this is set to 1. In that case, -; NULL's are returned as string 'NULL'. -ifx.nullformat = 0 +[browscap] +; http://php.net/browscap +;browscap = extra/browscap.ini [Session] ; Handler used to store/retrieve data. +; http://php.net/session.save-handler session.save_handler = files ; Argument passed to save_handler. In the case of files, this is the path ; where data files are stored. Note: Windows users have to change this ; variable in order to use PHP's session functions. ; -; As of PHP 4.0.1, you can define the path as: +; The path can be defined as: ; ; session.save_path = "N;/path" ; ; where N is an integer. Instead of storing all the session files in ; /path, what this will do is use subdirectories N-levels deep, and -; store the session data in those directories. This is useful if you -; or your OS have problems with lots of files in one directory, and is -; a more efficient layout for servers that handle lots of sessions. +; store the session data in those directories. This is useful if +; your OS has problems with many files in one directory, and is +; a more efficient layout for servers that handle many sessions. ; ; NOTE 1: PHP will not create this directory structure automatically. ; You can use the script in the ext/session dir for that purpose. @@ -1039,49 +1416,88 @@ session.save_handler = files ; ; where MODE is the octal representation of the mode. Note that this ; does not overwrite the process's umask. +; http://php.net/session.save-path ;session.save_path = "/tmp" +; Whether to use strict session mode. +; Strict session mode does not accept uninitialized session ID and regenerate +; session ID if browser sends uninitialized session ID. Strict mode protects +; applications from session fixation via session adoption vulnerability. It is +; disabled by default for maximum compatibility, but enabling it is encouraged. +; https://wiki.php.net/rfc/strict_sessions +session.use_strict_mode = 0 + ; Whether to use cookies. +; http://php.net/session.use-cookies session.use_cookies = 1 +; http://php.net/session.cookie-secure ;session.cookie_secure = -; This option enables administrators to make their users invulnerable to -; attacks which involve passing session ids in URLs; defaults to 0. -; session.use_only_cookies = 1 +; This option forces PHP to fetch and use a cookie for storing and maintaining +; the session id. We encourage this operation as it's very helpful in combating +; session hijacking when not specifying and managing your own session id. It is +; not the be-all and end-all of session hijacking defense, but it's a good start. +; http://php.net/session.use-only-cookies +session.use_only_cookies = 1 ; Name of the session (used as cookie name). +; http://php.net/session.name session.name = PHPSESSID ; Initialize session on request startup. +; http://php.net/session.auto-start session.auto_start = 0 ; Lifetime in seconds of cookie or, if 0, until browser is restarted. +; http://php.net/session.cookie-lifetime session.cookie_lifetime = 0 ; The path for which the cookie is valid. +; http://php.net/session.cookie-path session.cookie_path = / ; The domain for which the cookie is valid. +; http://php.net/session.cookie-domain session.cookie_domain = ; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript. -session.cookie_httponly = +; http://php.net/session.cookie-httponly +session.cookie_httponly = ; Handler used to serialize data. php is the standard serializer of PHP. +; http://php.net/session.serialize-handler session.serialize_handler = php -; Define the probability that the 'garbage collection' process is started -; on every session initialization. -; The probability is calculated by using gc_probability/gc_divisor, -; e.g. 1/100 means there is a 1% chance that the GC process starts -; on each request. - +; Defines the probability that the 'garbage collection' process is started +; on every session initialization. The probability is calculated by using +; gc_probability/gc_divisor. Where session.gc_probability is the numerator +; and gc_divisor is the denominator in the equation. Setting this value to 1 +; when the session.gc_divisor value is 100 will give you approximately a 1% chance +; the gc will run on any give request. +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; http://php.net/session.gc-probability session.gc_probability = 1 -session.gc_divisor = 1000 + +; Defines the probability that the 'garbage collection' process is started on every +; session initialization. The probability is calculated by using the following equation: +; gc_probability/gc_divisor. Where session.gc_probability is the numerator and +; session.gc_divisor is the denominator in the equation. Setting this value to 1 +; when the session.gc_divisor value is 100 will give you approximately a 1% chance +; the gc will run on any give request. Increasing this value to 1000 will give you +; a 0.1% chance the gc will run on any give request. For high volume production servers, +; this is a more efficient approach. +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 +; http://php.net/session.gc-divisor +session.gc_divisor = 1000 ; After this number of seconds, stored data will be seen as 'garbage' and ; cleaned up by the garbage collection process. +; http://php.net/session.gc-maxlifetime session.gc_maxlifetime = 1440 ; NOTE: If you are using the subdirectory option for storing session files @@ -1090,61 +1506,68 @@ session.gc_maxlifetime = 1440 ; collection through a shell script, cron entry, or some other method. ; For example, the following script would is the equivalent of ; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes): -; cd /path/to/sessions; find -cmin +24 | xargs rm - -; PHP 4.2 and less have an undocumented feature/bug that allows you to -; to initialize a session variable in the global scope, albeit register_globals -; is disabled. PHP 4.3 and later will warn you, if this feature is used. -; You can disable the feature and the warning separately. At this time, -; the warning is only displayed, if bug_compat_42 is enabled. - -session.bug_compat_42 = 0 -session.bug_compat_warn = 1 +; find /path/to/sessions -cmin +24 -type f | xargs rm ; Check HTTP Referer to invalidate externally stored URLs containing ids. ; HTTP_REFERER has to contain this substring for the session to be ; considered as valid. +; http://php.net/session.referer-check session.referer_check = ; How many bytes to read from the file. +; http://php.net/session.entropy-length session.entropy_length = 0 ; Specified here to create the session id. -session.entropy_file = - -;session.entropy_length = 16 - +; http://php.net/session.entropy-file +; Defaults to /dev/urandom +; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom +; If neither are found at compile time, the default is no entropy file. +; On windows, setting the entropy_length setting will activate the +; Windows random source (using the CryptoAPI) ;session.entropy_file = /dev/urandom ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers. +; http://php.net/session.cache-limiter session.cache_limiter = nocache ; Document expires after n minutes. +; http://php.net/session.cache-expire session.cache_expire = 180 ; trans sid support is disabled by default. -; Use of trans sid may risk your users security. +; Use of trans sid may risk your users' security. ; Use this option with caution. ; - User may send URL contains active session ID ; to other person via. email/irc/etc. ; - URL that contains active session ID may be stored -; in publically accessible computer. +; in publicly accessible computer. ; - User may access your site with the same session ID ; always using URL stored in browser's history or bookmarks. +; http://php.net/session.use-trans-sid session.use_trans_sid = 0 -; Select a hash function -; 0: MD5 (128 bits) -; 1: SHA-1 (160 bits) +; Select a hash function for use in generating session ids. +; Possible Values +; 0 (MD5 128 bits) +; 1 (SHA-1 160 bits) +; This option may also be set to the name of any hash function supported by +; the hash extension. A list of available hashes is returned by the hash_algos() +; function. +; http://php.net/session.hash-function session.hash_function = 0 ; Define how many bits are stored in each character when converting ; the binary hash data to something readable. -; -; 4 bits: 0-9, a-f -; 5 bits: 0-9, a-v -; 6 bits: 0-9, a-z, A-Z, "-", "," +; Possible values: +; 4 (4 bits: 0-9, a-f) +; 5 (5 bits: 0-9, a-v) +; 6 (6 bits: 0-9, a-z, A-Z, "-", ",") +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 +; http://php.net/session.hash-bits-per-character session.hash_bits_per_character = 5 ; The URL rewriter will look for URLs in a defined set of HTML tags. @@ -1152,8 +1575,57 @@ session.hash_bits_per_character = 5 ; add a hidden <input> field with the info which is otherwise appended ; to URLs. If you want XHTML conformity, remove the form entry. ; Note that all valid entries require a "=", even if no value follows. +; Default Value: "a=href,area=href,frame=src,form=,fieldset=" +; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry" +; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry" +; http://php.net/url-rewriter.tags url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" +; Enable upload progress tracking in $_SESSION +; Default Value: On +; Development Value: On +; Production Value: On +; http://php.net/session.upload-progress.enabled +;session.upload_progress.enabled = On + +; Cleanup the progress information as soon as all POST data has been read +; (i.e. upload completed). +; Default Value: On +; Development Value: On +; Production Value: On +; http://php.net/session.upload-progress.cleanup +;session.upload_progress.cleanup = On + +; A prefix used for the upload progress key in $_SESSION +; Default Value: "upload_progress_" +; Development Value: "upload_progress_" +; Production Value: "upload_progress_" +; http://php.net/session.upload-progress.prefix +;session.upload_progress.prefix = "upload_progress_" + +; The index name (concatenated with the prefix) in $_SESSION +; containing the upload progress information +; Default Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Development Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Production Value: "PHP_SESSION_UPLOAD_PROGRESS" +; http://php.net/session.upload-progress.name +;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS" + +; How frequently the upload progress should be updated. +; Given either in percentages (per-file), or in bytes +; Default Value: "1%" +; Development Value: "1%" +; Production Value: "1%" +; http://php.net/session.upload-progress.freq +;session.upload_progress.freq = "1%" + +; The minimum delay between updates, in seconds +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; http://php.net/session.upload-progress.min-freq +;session.upload_progress.min_freq = "1" + [MSSQL] ; Allow or prevent persistent links. mssql.allow_persistent = On @@ -1171,7 +1643,7 @@ mssql.min_error_severity = 10 mssql.min_message_severity = 10 ; Compatibility mode with old versions of PHP 3.0. -mssql.compatability_mode = Off +mssql.compatibility_mode = Off ; Connect timeout ;mssql.connect_timeout = 5 @@ -1201,70 +1673,106 @@ mssql.secure_connection = Off ; FreeTDS defaults to 4096 ;mssql.max_procs = -1 -; Specify client character set. -; If empty or not set the client charset from freetds.comf is used +; Specify client character set. +; If empty or not set the client charset from freetds.conf is used ; This is only used when compiled with FreeTDS ;mssql.charset = "ISO-8859-1" [Assertion] ; Assert(expr); active by default. +; http://php.net/assert.active ;assert.active = On ; Issue a PHP warning for each failed assertion. +; http://php.net/assert.warning ;assert.warning = On ; Don't bail out by default. +; http://php.net/assert.bail ;assert.bail = Off ; User-function to be called if an assertion fails. +; http://php.net/assert.callback ;assert.callback = 0 ; Eval the expression with current error_reporting(). Set to true if you want ; error_reporting(0) around the eval(). +; http://php.net/assert.quiet-eval ;assert.quiet_eval = 0 [COM] ; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs +; http://php.net/com.typelib-file ;com.typelib_file = + ; allow Distributed-COM calls +; http://php.net/com.allow-dcom ;com.allow_dcom = true + ; autoregister constants of a components typlib on com_load() +; http://php.net/com.autoregister-typelib ;com.autoregister_typelib = true + ; register constants casesensitive +; http://php.net/com.autoregister-casesensitive ;com.autoregister_casesensitive = false + ; show warnings on duplicate constant registrations +; http://php.net/com.autoregister-verbose ;com.autoregister_verbose = true +; The default character set code-page to use when passing strings to and from COM objects. +; Default: system ANSI code page +;com.code_page= + [mbstring] ; language for internal character representation. +; This affects mb_send_mail() and mbstrig.detect_order. +; http://php.net/mbstring.language ;mbstring.language = Japanese +; Use of this INI entry is deprecated, use global internal_encoding instead. ; internal/script encoding. -; Some encoding cannot work as internal encoding. -; (e.g. SJIS, BIG5, ISO-2022-*) -;mbstring.internal_encoding = EUC-JP +; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*) +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;mbstring.internal_encoding = +; Use of this INI entry is deprecated, use global input_encoding instead. ; http input encoding. -;mbstring.http_input = auto - -; http output encoding. mb_output_handler must be -; registered as output buffer to function -;mbstring.http_output = SJIS +; mbstring.encoding_traslation = On is needed to use this setting. +; If empty, default_charset or input_encoding or mbstring.input is used. +; The precedence is: default_charset < intput_encoding < mbsting.http_input +; http://php.net/mbstring.http-input +;mbstring.http_input = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; http output encoding. +; mb_output_handler must be registered as output buffer to function. +; If empty, default_charset or output_encoding or mbstring.http_output is used. +; The precedence is: default_charset < output_encoding < mbstring.http_output +; To use an output encoding conversion, mbstring's output handler must be set +; otherwise output encoding conversion cannot be performed. +; http://php.net/mbstring.http-output +;mbstring.http_output = ; enable automatic encoding translation according to ; mbstring.internal_encoding setting. Input chars are ; converted to internal encoding by setting this to On. ; Note: Do _not_ use automatic encoding translation for ; portable libs/applications. +; http://php.net/mbstring.encoding-translation ;mbstring.encoding_translation = Off ; automatic encoding detection order. -; auto means +; "auto" detect order is changed according to mbstring.language +; http://php.net/mbstring.detect-order ;mbstring.detect_order = auto ; substitute_character used when character cannot be converted ; one from another -;mbstring.substitute_character = none; +; http://php.net/mbstring.substitute-character +;mbstring.substitute_character = none ; overload(replace) single byte functions by mbstring functions. ; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(), @@ -1274,30 +1782,23 @@ mssql.secure_connection = Off ; 1: Overload mail() function ; 2: Overload str*() functions ; 4: Overload ereg*() functions +; http://php.net/mbstring.func-overload ;mbstring.func_overload = 0 ; enable strict encoding detection. -;mbstring.strict_encoding = Off - -[FrontBase] -;fbsql.allow_persistent = On -;fbsql.autocommit = On -;fbsql.show_timestamp_decimals = Off -;fbsql.default_database = -;fbsql.default_database_password = -;fbsql.default_host = -;fbsql.default_password = -;fbsql.default_user = "_SYSTEM" -;fbsql.generate_warnings = Off -;fbsql.max_connections = 128 -;fbsql.max_links = 128 -;fbsql.max_persistent = -1 -;fbsql.max_results = 128 +; Default: Off +;mbstring.strict_detection = On + +; This directive specifies the regex pattern of content types for which mb_output_handler() +; is activated. +; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml) +;mbstring.http_output_conv_mimetype= [gd] -; Tell the jpeg decode to libjpeg warnings and try to create +; Tell the jpeg decode to ignore warnings and try to create ; a gd image. The warning will then be displayed as notices ; disabled by default +; http://php.net/gd.jpeg-ignore-warning ;gd.jpeg_ignore_warning = 0 [exif] @@ -1306,31 +1807,194 @@ mssql.secure_connection = Off ; given by corresponding encode setting. When empty mbstring.internal_encoding ; is used. For the decode settings you can distinguish between motorola and ; intel byte order. A decode setting cannot be empty. +; http://php.net/exif.encode-unicode ;exif.encode_unicode = ISO-8859-15 + +; http://php.net/exif.decode-unicode-motorola ;exif.decode_unicode_motorola = UCS-2BE + +; http://php.net/exif.decode-unicode-intel ;exif.decode_unicode_intel = UCS-2LE + +; http://php.net/exif.encode-jis ;exif.encode_jis = + +; http://php.net/exif.decode-jis-motorola ;exif.decode_jis_motorola = JIS + +; http://php.net/exif.decode-jis-intel ;exif.decode_jis_intel = JIS [Tidy] ; The path to a default tidy configuration file to use when using tidy +; http://php.net/tidy.default-config ;tidy.default_config = /usr/local/lib/php/default.tcfg ; Should tidy clean and repair output automatically? ; WARNING: Do not use this option if you are generating non-html content ; such as dynamic images +; http://php.net/tidy.clean-output tidy.clean_output = Off [soap] ; Enables or disables WSDL caching feature. +; http://php.net/soap.wsdl-cache-enabled soap.wsdl_cache_enabled=1 + ; Sets the directory name where SOAP extension will put cache files. +; http://php.net/soap.wsdl-cache-dir soap.wsdl_cache_dir="/tmp" -; (time to live) Sets the number of second while cached file will be used + +; (time to live) Sets the number of second while cached file will be used ; instead of original one. +; http://php.net/soap.wsdl-cache-ttl soap.wsdl_cache_ttl=86400 +; Sets the size of the cache limit. (Max. number of WSDL files to cache) +soap.wsdl_cache_limit = 5 + +[sysvshm] +; A default size of the shared memory segment +;sysvshm.init_mem = 10000 + +[ldap] +; Sets the maximum number of open links or -1 for unlimited. +ldap.max_links = -1 + +[mcrypt] +; For more information about mcrypt settings see http://php.net/mcrypt-module-open + +; Directory where to load mcrypt algorithms +; Default: Compiled in into libmcrypt (usually /usr/local/lib/libmcrypt) +;mcrypt.algorithms_dir= + +; Directory where to load mcrypt modes +; Default: Compiled in into libmcrypt (usually /usr/local/lib/libmcrypt) +;mcrypt.modes_dir= + +[dba] +;dba.default_handler= + +[opcache] +; Determines if Zend OPCache is enabled +;opcache.enable=0 + +; Determines if Zend OPCache is enabled for the CLI version of PHP +;opcache.enable_cli=0 + +; The OPcache shared memory storage size. +;opcache.memory_consumption=64 + +; The amount of memory for interned strings in Mbytes. +;opcache.interned_strings_buffer=4 + +; The maximum number of keys (scripts) in the OPcache hash table. +; Only numbers between 200 and 100000 are allowed. +;opcache.max_accelerated_files=2000 + +; The maximum percentage of "wasted" memory until a restart is scheduled. +;opcache.max_wasted_percentage=5 + +; When this directive is enabled, the OPcache appends the current working +; directory to the script key, thus eliminating possible collisions between +; files with the same name (basename). Disabling the directive improves +; performance, but may break existing applications. +;opcache.use_cwd=1 + +; When disabled, you must reset the OPcache manually or restart the +; webserver for changes to the filesystem to take effect. +;opcache.validate_timestamps=1 + +; How often (in seconds) to check file timestamps for changes to the shared +; memory storage allocation. ("1" means validate once per second, but only +; once per request. "0" means always validate) +;opcache.revalidate_freq=2 + +; Enables or disables file search in include_path optimization +;opcache.revalidate_path=0 + +; If disabled, all PHPDoc comments are dropped from the code to reduce the +; size of the optimized code. +;opcache.save_comments=1 + +; If disabled, PHPDoc comments are not loaded from SHM, so "Doc Comments" +; may be always stored (save_comments=1), but not loaded by applications +; that don't need them anyway. +;opcache.load_comments=1 + +; If enabled, a fast shutdown sequence is used for the accelerated code +;opcache.fast_shutdown=0 + +; Allow file existence override (file_exists, etc.) performance feature. +;opcache.enable_file_override=0 + +; A bitmask, where each bit enables or disables the appropriate OPcache +; passes +;opcache.optimization_level=0xffffffff + +;opcache.inherited_hack=1 +;opcache.dups_fix=0 + +; The location of the OPcache blacklist file (wildcards allowed). +; Each OPcache blacklist file is a text file that holds the names of files +; that should not be accelerated. The file format is to add each filename +; to a new line. The filename may be a full path or just a file prefix +; (i.e., /var/www/x blacklists all the files and directories in /var/www +; that start with 'x'). Line starting with a ; are ignored (comments). +;opcache.blacklist_filename= + +; Allows exclusion of large files from being cached. By default all files +; are cached. +;opcache.max_file_size=0 + +; Check the cache checksum each N requests. +; The default value of "0" means that the checks are disabled. +;opcache.consistency_checks=0 + +; How long to wait (in seconds) for a scheduled restart to begin if the cache +; is not being accessed. +;opcache.force_restart_timeout=180 + +; OPcache error_log file name. Empty string assumes "stderr". +;opcache.error_log= + +; All OPcache errors go to the Web server log. +; By default, only fatal errors (level 0) or errors (level 1) are logged. +; You can also enable warnings (level 2), info messages (level 3) or +; debug messages (level 4). +;opcache.log_verbosity_level=1 + +; Preferred Shared Memory back-end. Leave empty and let the system decide. +;opcache.preferred_memory_model= + +; Protect the shared memory from unexpected writing during script execution. +; Useful for internal debugging only. +;opcache.protect_memory=0 + +[curl] +; A default value for the CURLOPT_CAINFO option. This is required to be an +; absolute path. +;curl.cainfo = + +[openssl] +; The location of a Certificate Authority (CA) file on the local filesystem +; to use when verifying the identity of SSL/TLS peers. Most users should +; not specify a value for this directive as PHP will attempt to use the +; OS-managed cert stores in its absence. If specified, this value may still +; be overridden on a per-stream basis via the "cafile" SSL stream context +; option. +;openssl.cafile= + +; If openssl.cafile is not specified or if the CA file is not found, the +; directory pointed to by openssl.capath is searched for a suitable +; certificate. This value must be a correctly hashed certificate directory. +; Most users should not specify a value for this directive as PHP will +; attempt to use the OS-managed cert stores in its absence. If specified, +; this value may still be overridden on a per-stream basis via the "capath" +; SSL stream context option. +;openssl.capath= + ; Local Variables: ; tab-width: 4 ; End: + diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 7e33a15..3f8cb13 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -15,6 +15,7 @@ etc/httpd/conf/default-server.conf #etc/httpd/conf/extra/httpd-ssl.conf #etc/httpd/conf/extra/httpd-userdir.conf #etc/httpd/conf/extra/httpd-vhosts.conf +#etc/httpd/conf/extra/proxy-html.conf etc/httpd/conf/global.conf etc/httpd/conf/hostname.conf etc/httpd/conf/httpd.conf @@ -23,6 +24,7 @@ etc/httpd/conf/loadmodule.conf etc/httpd/conf/magic etc/httpd/conf/mime.types etc/httpd/conf/mod_log_config.conf +etc/httpd/conf/mpm.conf #etc/httpd/conf/original #etc/httpd/conf/original/extra #etc/httpd/conf/original/extra/httpd-autoindex.conf @@ -36,6 +38,7 @@ etc/httpd/conf/mod_log_config.conf #etc/httpd/conf/original/extra/httpd-ssl.conf #etc/httpd/conf/original/extra/httpd-userdir.conf #etc/httpd/conf/original/extra/httpd-vhosts.conf +#etc/httpd/conf/original/extra/proxy-html.conf #etc/httpd/conf/original/httpd.conf etc/httpd/conf/server-tuning.conf etc/httpd/conf/ssl-global.conf @@ -49,6 +52,8 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire #srv/web/ipfire/cgi-bin #srv/web/ipfire/cgi-bin/printenv +#srv/web/ipfire/cgi-bin/printenv.vbs +#srv/web/ipfire/cgi-bin/printenv.wsf #srv/web/ipfire/cgi-bin/test-cgi #srv/web/ipfire/error #srv/web/ipfire/error/HTTP_BAD_GATEWAY.html.var @@ -87,9 +92,9 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/icons/alert.red.png #srv/web/ipfire/icons/apache_pb.gif #srv/web/ipfire/icons/apache_pb.png +#srv/web/ipfire/icons/apache_pb.svg #srv/web/ipfire/icons/apache_pb2.gif #srv/web/ipfire/icons/apache_pb2.png -#srv/web/ipfire/icons/apache_pb2_ani.gif #srv/web/ipfire/icons/back.gif #srv/web/ipfire/icons/back.png #srv/web/ipfire/icons/ball.gray.gif @@ -168,6 +173,23 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/icons/link.png #srv/web/ipfire/icons/movie.gif #srv/web/ipfire/icons/movie.png +#srv/web/ipfire/icons/odf6odb.png +#srv/web/ipfire/icons/odf6odc.png +#srv/web/ipfire/icons/odf6odf.png +#srv/web/ipfire/icons/odf6odg.png +#srv/web/ipfire/icons/odf6odi.png +#srv/web/ipfire/icons/odf6odm.png +#srv/web/ipfire/icons/odf6odp.png +#srv/web/ipfire/icons/odf6ods.png +#srv/web/ipfire/icons/odf6odt.png +#srv/web/ipfire/icons/odf6otc.png +#srv/web/ipfire/icons/odf6otf.png +#srv/web/ipfire/icons/odf6otg.png +#srv/web/ipfire/icons/odf6oth.png +#srv/web/ipfire/icons/odf6oti.png +#srv/web/ipfire/icons/odf6otp.png +#srv/web/ipfire/icons/odf6ots.png +#srv/web/ipfire/icons/odf6ott.png #srv/web/ipfire/icons/p.gif #srv/web/ipfire/icons/p.png #srv/web/ipfire/icons/patch.gif @@ -227,12 +249,12 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/icons/small/compressed.png #srv/web/ipfire/icons/small/continued.gif #srv/web/ipfire/icons/small/continued.png -#srv/web/ipfire/icons/small/dir.gif -#srv/web/ipfire/icons/small/dir.png -#srv/web/ipfire/icons/small/dir2.gif -#srv/web/ipfire/icons/small/dir2.png #srv/web/ipfire/icons/small/doc.gif #srv/web/ipfire/icons/small/doc.png +#srv/web/ipfire/icons/small/folder.gif +#srv/web/ipfire/icons/small/folder.png +#srv/web/ipfire/icons/small/folder2.gif +#srv/web/ipfire/icons/small/folder2.png #srv/web/ipfire/icons/small/forward.gif #srv/web/ipfire/icons/small/forward.png #srv/web/ipfire/icons/small/generic.gif @@ -279,6 +301,7 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/icons/sphere1.png #srv/web/ipfire/icons/sphere2.gif #srv/web/ipfire/icons/sphere2.png +#srv/web/ipfire/icons/svg.png #srv/web/ipfire/icons/tar.gif #srv/web/ipfire/icons/tar.png #srv/web/ipfire/icons/tex.gif @@ -299,7 +322,9 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/icons/world1.png #srv/web/ipfire/icons/world2.gif #srv/web/ipfire/icons/world2.png +#srv/web/ipfire/icons/xml.png #srv/web/ipfire/manual +#srv/web/ipfire/manual/BUILDING #srv/web/ipfire/manual/LICENSE #srv/web/ipfire/manual/bind.html #srv/web/ipfire/manual/bind.html.de @@ -329,6 +354,7 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/custom-error.html #srv/web/ipfire/manual/custom-error.html.en #srv/web/ipfire/manual/custom-error.html.es +#srv/web/ipfire/manual/custom-error.html.fr #srv/web/ipfire/manual/custom-error.html.ja.utf8 #srv/web/ipfire/manual/custom-error.html.ko.euc-kr #srv/web/ipfire/manual/custom-error.html.tr.utf8 @@ -347,31 +373,44 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/developer/index.html #srv/web/ipfire/manual/developer/index.html.en #srv/web/ipfire/manual/developer/index.html.zh-cn.utf8 +#srv/web/ipfire/manual/developer/modguide.html +#srv/web/ipfire/manual/developer/modguide.html.en #srv/web/ipfire/manual/developer/modules.html #srv/web/ipfire/manual/developer/modules.html.en #srv/web/ipfire/manual/developer/modules.html.ja.utf8 +#srv/web/ipfire/manual/developer/new_api_2_4.html +#srv/web/ipfire/manual/developer/new_api_2_4.html.en +#srv/web/ipfire/manual/developer/output-filters.html +#srv/web/ipfire/manual/developer/output-filters.html.en #srv/web/ipfire/manual/developer/request.html #srv/web/ipfire/manual/developer/request.html.en #srv/web/ipfire/manual/developer/thread_safety.html #srv/web/ipfire/manual/developer/thread_safety.html.en #srv/web/ipfire/manual/dns-caveats.html #srv/web/ipfire/manual/dns-caveats.html.en +#srv/web/ipfire/manual/dns-caveats.html.fr #srv/web/ipfire/manual/dns-caveats.html.ja.utf8 #srv/web/ipfire/manual/dns-caveats.html.ko.euc-kr #srv/web/ipfire/manual/dns-caveats.html.tr.utf8 #srv/web/ipfire/manual/dso.html #srv/web/ipfire/manual/dso.html.en +#srv/web/ipfire/manual/dso.html.fr #srv/web/ipfire/manual/dso.html.ja.utf8 #srv/web/ipfire/manual/dso.html.ko.euc-kr #srv/web/ipfire/manual/dso.html.tr.utf8 #srv/web/ipfire/manual/env.html #srv/web/ipfire/manual/env.html.en +#srv/web/ipfire/manual/env.html.fr #srv/web/ipfire/manual/env.html.ja.utf8 #srv/web/ipfire/manual/env.html.ko.euc-kr #srv/web/ipfire/manual/env.html.tr.utf8 +#srv/web/ipfire/manual/expr.html +#srv/web/ipfire/manual/expr.html.en +#srv/web/ipfire/manual/expr.html.fr #srv/web/ipfire/manual/faq #srv/web/ipfire/manual/faq/index.html #srv/web/ipfire/manual/faq/index.html.en +#srv/web/ipfire/manual/faq/index.html.fr #srv/web/ipfire/manual/faq/index.html.tr.utf8 #srv/web/ipfire/manual/faq/index.html.zh-cn.utf8 #srv/web/ipfire/manual/filter.html @@ -381,6 +420,9 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/filter.html.ja.utf8 #srv/web/ipfire/manual/filter.html.ko.euc-kr #srv/web/ipfire/manual/filter.html.tr.utf8 +#srv/web/ipfire/manual/getting-started.html +#srv/web/ipfire/manual/getting-started.html.en +#srv/web/ipfire/manual/getting-started.html.fr #srv/web/ipfire/manual/glossary.html #srv/web/ipfire/manual/glossary.html.de #srv/web/ipfire/manual/glossary.html.en @@ -395,12 +437,12 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/handler.html.fr #srv/web/ipfire/manual/handler.html.ja.utf8 #srv/web/ipfire/manual/handler.html.ko.euc-kr -#srv/web/ipfire/manual/handler.html.ru.koi8-r #srv/web/ipfire/manual/handler.html.tr.utf8 #srv/web/ipfire/manual/handler.html.zh-cn.utf8 #srv/web/ipfire/manual/howto #srv/web/ipfire/manual/howto/access.html #srv/web/ipfire/manual/howto/access.html.en +#srv/web/ipfire/manual/howto/access.html.fr #srv/web/ipfire/manual/howto/auth.html #srv/web/ipfire/manual/howto/auth.html.en #srv/web/ipfire/manual/howto/auth.html.fr @@ -409,6 +451,7 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/howto/auth.html.tr.utf8 #srv/web/ipfire/manual/howto/cgi.html #srv/web/ipfire/manual/howto/cgi.html.en +#srv/web/ipfire/manual/howto/cgi.html.fr #srv/web/ipfire/manual/howto/cgi.html.ja.utf8 #srv/web/ipfire/manual/howto/cgi.html.ko.euc-kr #srv/web/ipfire/manual/howto/htaccess.html @@ -419,20 +462,26 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/howto/htaccess.html.pt-br #srv/web/ipfire/manual/howto/index.html #srv/web/ipfire/manual/howto/index.html.en +#srv/web/ipfire/manual/howto/index.html.fr #srv/web/ipfire/manual/howto/index.html.ja.utf8 #srv/web/ipfire/manual/howto/index.html.ko.euc-kr #srv/web/ipfire/manual/howto/index.html.zh-cn.utf8 #srv/web/ipfire/manual/howto/public_html.html #srv/web/ipfire/manual/howto/public_html.html.en +#srv/web/ipfire/manual/howto/public_html.html.fr #srv/web/ipfire/manual/howto/public_html.html.ja.utf8 #srv/web/ipfire/manual/howto/public_html.html.ko.euc-kr #srv/web/ipfire/manual/howto/public_html.html.tr.utf8 #srv/web/ipfire/manual/howto/ssi.html #srv/web/ipfire/manual/howto/ssi.html.en +#srv/web/ipfire/manual/howto/ssi.html.fr #srv/web/ipfire/manual/howto/ssi.html.ja.utf8 #srv/web/ipfire/manual/howto/ssi.html.ko.euc-kr #srv/web/ipfire/manual/images #srv/web/ipfire/manual/images/apache_header.gif +#srv/web/ipfire/manual/images/build_a_mod_2.png +#srv/web/ipfire/manual/images/build_a_mod_3.png +#srv/web/ipfire/manual/images/build_a_mod_4.png #srv/web/ipfire/manual/images/caching_fig1.gif #srv/web/ipfire/manual/images/caching_fig1.png #srv/web/ipfire/manual/images/caching_fig1.tr.png @@ -457,6 +506,7 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/images/mod_rewrite_fig2.png #srv/web/ipfire/manual/images/pixel.gif #srv/web/ipfire/manual/images/rewrite_backreferences.png +#srv/web/ipfire/manual/images/rewrite_process_uri.png #srv/web/ipfire/manual/images/rewrite_rule_flow.png #srv/web/ipfire/manual/images/right.gif #srv/web/ipfire/manual/images/ssl_intro_fig1.gif @@ -470,6 +520,7 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/images/syntax_rewriterule.png #srv/web/ipfire/manual/images/up.gif #srv/web/ipfire/manual/index.html +#srv/web/ipfire/manual/index.html.da #srv/web/ipfire/manual/index.html.de #srv/web/ipfire/manual/index.html.en #srv/web/ipfire/manual/index.html.es @@ -494,7 +545,6 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/invoking.html.fr #srv/web/ipfire/manual/invoking.html.ja.utf8 #srv/web/ipfire/manual/invoking.html.ko.euc-kr -#srv/web/ipfire/manual/invoking.html.ru.koi8-r #srv/web/ipfire/manual/invoking.html.tr.utf8 #srv/web/ipfire/manual/license.html #srv/web/ipfire/manual/license.html.en @@ -507,39 +557,38 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/misc #srv/web/ipfire/manual/misc/index.html #srv/web/ipfire/manual/misc/index.html.en +#srv/web/ipfire/manual/misc/index.html.fr #srv/web/ipfire/manual/misc/index.html.ko.euc-kr #srv/web/ipfire/manual/misc/index.html.tr.utf8 #srv/web/ipfire/manual/misc/index.html.zh-cn.utf8 #srv/web/ipfire/manual/misc/password_encryptions.html #srv/web/ipfire/manual/misc/password_encryptions.html.en +#srv/web/ipfire/manual/misc/password_encryptions.html.fr #srv/web/ipfire/manual/misc/perf-tuning.html #srv/web/ipfire/manual/misc/perf-tuning.html.en +#srv/web/ipfire/manual/misc/perf-tuning.html.fr #srv/web/ipfire/manual/misc/perf-tuning.html.ko.euc-kr #srv/web/ipfire/manual/misc/perf-tuning.html.tr.utf8 #srv/web/ipfire/manual/misc/relevant_standards.html #srv/web/ipfire/manual/misc/relevant_standards.html.en +#srv/web/ipfire/manual/misc/relevant_standards.html.fr #srv/web/ipfire/manual/misc/relevant_standards.html.ko.euc-kr -#srv/web/ipfire/manual/misc/rewriteguide.html -#srv/web/ipfire/manual/misc/rewriteguide.html.en -#srv/web/ipfire/manual/misc/rewriteguide.html.ko.euc-kr #srv/web/ipfire/manual/misc/security_tips.html #srv/web/ipfire/manual/misc/security_tips.html.en +#srv/web/ipfire/manual/misc/security_tips.html.fr #srv/web/ipfire/manual/misc/security_tips.html.ko.euc-kr #srv/web/ipfire/manual/misc/security_tips.html.tr.utf8 #srv/web/ipfire/manual/mod -#srv/web/ipfire/manual/mod/beos.html -#srv/web/ipfire/manual/mod/beos.html.de -#srv/web/ipfire/manual/mod/beos.html.en -#srv/web/ipfire/manual/mod/beos.html.es -#srv/web/ipfire/manual/mod/beos.html.ko.euc-kr #srv/web/ipfire/manual/mod/core.html #srv/web/ipfire/manual/mod/core.html.de #srv/web/ipfire/manual/mod/core.html.en +#srv/web/ipfire/manual/mod/core.html.es #srv/web/ipfire/manual/mod/core.html.fr #srv/web/ipfire/manual/mod/core.html.ja.utf8 #srv/web/ipfire/manual/mod/core.html.tr.utf8 #srv/web/ipfire/manual/mod/directive-dict.html #srv/web/ipfire/manual/mod/directive-dict.html.en +#srv/web/ipfire/manual/mod/directive-dict.html.fr #srv/web/ipfire/manual/mod/directive-dict.html.ja.utf8 #srv/web/ipfire/manual/mod/directive-dict.html.ko.euc-kr #srv/web/ipfire/manual/mod/directive-dict.html.tr.utf8 @@ -547,33 +596,45 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/mod/directives.html.de #srv/web/ipfire/manual/mod/directives.html.en #srv/web/ipfire/manual/mod/directives.html.es +#srv/web/ipfire/manual/mod/directives.html.fr #srv/web/ipfire/manual/mod/directives.html.ja.utf8 #srv/web/ipfire/manual/mod/directives.html.ko.euc-kr -#srv/web/ipfire/manual/mod/directives.html.ru.koi8-r #srv/web/ipfire/manual/mod/directives.html.tr.utf8 #srv/web/ipfire/manual/mod/directives.html.zh-cn.utf8 #srv/web/ipfire/manual/mod/event.html #srv/web/ipfire/manual/mod/event.html.en +#srv/web/ipfire/manual/mod/event.html.fr #srv/web/ipfire/manual/mod/index.html #srv/web/ipfire/manual/mod/index.html.de #srv/web/ipfire/manual/mod/index.html.en #srv/web/ipfire/manual/mod/index.html.es +#srv/web/ipfire/manual/mod/index.html.fr #srv/web/ipfire/manual/mod/index.html.ja.utf8 #srv/web/ipfire/manual/mod/index.html.ko.euc-kr #srv/web/ipfire/manual/mod/index.html.tr.utf8 #srv/web/ipfire/manual/mod/index.html.zh-cn.utf8 +#srv/web/ipfire/manual/mod/mod_access_compat.html +#srv/web/ipfire/manual/mod/mod_access_compat.html.en +#srv/web/ipfire/manual/mod/mod_access_compat.html.fr +#srv/web/ipfire/manual/mod/mod_access_compat.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_actions.html #srv/web/ipfire/manual/mod/mod_actions.html.de #srv/web/ipfire/manual/mod/mod_actions.html.en +#srv/web/ipfire/manual/mod/mod_actions.html.fr #srv/web/ipfire/manual/mod/mod_actions.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_actions.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_alias.html #srv/web/ipfire/manual/mod/mod_alias.html.en +#srv/web/ipfire/manual/mod/mod_alias.html.fr #srv/web/ipfire/manual/mod/mod_alias.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_alias.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_alias.html.tr.utf8 +#srv/web/ipfire/manual/mod/mod_allowmethods.html +#srv/web/ipfire/manual/mod/mod_allowmethods.html.en +#srv/web/ipfire/manual/mod/mod_allowmethods.html.fr #srv/web/ipfire/manual/mod/mod_asis.html #srv/web/ipfire/manual/mod/mod_asis.html.en +#srv/web/ipfire/manual/mod/mod_asis.html.fr #srv/web/ipfire/manual/mod/mod_asis.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_asis.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_auth_basic.html @@ -585,53 +646,64 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/mod/mod_auth_digest.html.en #srv/web/ipfire/manual/mod/mod_auth_digest.html.fr #srv/web/ipfire/manual/mod/mod_auth_digest.html.ko.euc-kr -#srv/web/ipfire/manual/mod/mod_authn_alias.html -#srv/web/ipfire/manual/mod/mod_authn_alias.html.en -#srv/web/ipfire/manual/mod/mod_authn_alias.html.fr +#srv/web/ipfire/manual/mod/mod_auth_form.html +#srv/web/ipfire/manual/mod/mod_auth_form.html.en +#srv/web/ipfire/manual/mod/mod_auth_form.html.fr #srv/web/ipfire/manual/mod/mod_authn_anon.html #srv/web/ipfire/manual/mod/mod_authn_anon.html.en +#srv/web/ipfire/manual/mod/mod_authn_anon.html.fr #srv/web/ipfire/manual/mod/mod_authn_anon.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_authn_anon.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_authn_core.html +#srv/web/ipfire/manual/mod/mod_authn_core.html.en +#srv/web/ipfire/manual/mod/mod_authn_core.html.fr #srv/web/ipfire/manual/mod/mod_authn_dbd.html #srv/web/ipfire/manual/mod/mod_authn_dbd.html.en +#srv/web/ipfire/manual/mod/mod_authn_dbd.html.fr #srv/web/ipfire/manual/mod/mod_authn_dbm.html #srv/web/ipfire/manual/mod/mod_authn_dbm.html.en +#srv/web/ipfire/manual/mod/mod_authn_dbm.html.fr #srv/web/ipfire/manual/mod/mod_authn_dbm.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_authn_dbm.html.ko.euc-kr -#srv/web/ipfire/manual/mod/mod_authn_default.html -#srv/web/ipfire/manual/mod/mod_authn_default.html.en -#srv/web/ipfire/manual/mod/mod_authn_default.html.ja.utf8 -#srv/web/ipfire/manual/mod/mod_authn_default.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_authn_file.html #srv/web/ipfire/manual/mod/mod_authn_file.html.en #srv/web/ipfire/manual/mod/mod_authn_file.html.fr #srv/web/ipfire/manual/mod/mod_authn_file.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_authn_file.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_authn_socache.html +#srv/web/ipfire/manual/mod/mod_authn_socache.html.en +#srv/web/ipfire/manual/mod/mod_authn_socache.html.fr +#srv/web/ipfire/manual/mod/mod_authnz_fcgi.html +#srv/web/ipfire/manual/mod/mod_authnz_fcgi.html.en #srv/web/ipfire/manual/mod/mod_authnz_ldap.html #srv/web/ipfire/manual/mod/mod_authnz_ldap.html.en #srv/web/ipfire/manual/mod/mod_authnz_ldap.html.fr +#srv/web/ipfire/manual/mod/mod_authz_core.html +#srv/web/ipfire/manual/mod/mod_authz_core.html.en +#srv/web/ipfire/manual/mod/mod_authz_core.html.fr +#srv/web/ipfire/manual/mod/mod_authz_dbd.html +#srv/web/ipfire/manual/mod/mod_authz_dbd.html.en +#srv/web/ipfire/manual/mod/mod_authz_dbd.html.fr #srv/web/ipfire/manual/mod/mod_authz_dbm.html #srv/web/ipfire/manual/mod/mod_authz_dbm.html.en +#srv/web/ipfire/manual/mod/mod_authz_dbm.html.fr #srv/web/ipfire/manual/mod/mod_authz_dbm.html.ko.euc-kr -#srv/web/ipfire/manual/mod/mod_authz_default.html -#srv/web/ipfire/manual/mod/mod_authz_default.html.en -#srv/web/ipfire/manual/mod/mod_authz_default.html.ja.utf8 -#srv/web/ipfire/manual/mod/mod_authz_default.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_authz_groupfile.html #srv/web/ipfire/manual/mod/mod_authz_groupfile.html.en +#srv/web/ipfire/manual/mod/mod_authz_groupfile.html.fr #srv/web/ipfire/manual/mod/mod_authz_groupfile.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_authz_groupfile.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_authz_host.html #srv/web/ipfire/manual/mod/mod_authz_host.html.en #srv/web/ipfire/manual/mod/mod_authz_host.html.fr -#srv/web/ipfire/manual/mod/mod_authz_host.html.ja.utf8 -#srv/web/ipfire/manual/mod/mod_authz_host.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_authz_owner.html #srv/web/ipfire/manual/mod/mod_authz_owner.html.en +#srv/web/ipfire/manual/mod/mod_authz_owner.html.fr #srv/web/ipfire/manual/mod/mod_authz_owner.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_authz_owner.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_authz_user.html #srv/web/ipfire/manual/mod/mod_authz_user.html.en +#srv/web/ipfire/manual/mod/mod_authz_user.html.fr #srv/web/ipfire/manual/mod/mod_authz_user.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_authz_user.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_autoindex.html @@ -640,180 +712,323 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/mod/mod_autoindex.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_autoindex.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_autoindex.html.tr.utf8 +#srv/web/ipfire/manual/mod/mod_buffer.html +#srv/web/ipfire/manual/mod/mod_buffer.html.en +#srv/web/ipfire/manual/mod/mod_buffer.html.fr #srv/web/ipfire/manual/mod/mod_cache.html #srv/web/ipfire/manual/mod/mod_cache.html.en +#srv/web/ipfire/manual/mod/mod_cache.html.fr #srv/web/ipfire/manual/mod/mod_cache.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_cache.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_cache_disk.html +#srv/web/ipfire/manual/mod/mod_cache_disk.html.en +#srv/web/ipfire/manual/mod/mod_cache_disk.html.fr +#srv/web/ipfire/manual/mod/mod_cache_disk.html.ja.utf8 +#srv/web/ipfire/manual/mod/mod_cache_disk.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_cache_socache.html +#srv/web/ipfire/manual/mod/mod_cache_socache.html.en +#srv/web/ipfire/manual/mod/mod_cache_socache.html.fr #srv/web/ipfire/manual/mod/mod_cern_meta.html #srv/web/ipfire/manual/mod/mod_cern_meta.html.en +#srv/web/ipfire/manual/mod/mod_cern_meta.html.fr #srv/web/ipfire/manual/mod/mod_cern_meta.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_cgi.html #srv/web/ipfire/manual/mod/mod_cgi.html.en +#srv/web/ipfire/manual/mod/mod_cgi.html.fr #srv/web/ipfire/manual/mod/mod_cgi.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_cgi.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_cgid.html #srv/web/ipfire/manual/mod/mod_cgid.html.en +#srv/web/ipfire/manual/mod/mod_cgid.html.fr #srv/web/ipfire/manual/mod/mod_cgid.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_cgid.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_charset_lite.html #srv/web/ipfire/manual/mod/mod_charset_lite.html.en +#srv/web/ipfire/manual/mod/mod_charset_lite.html.fr #srv/web/ipfire/manual/mod/mod_charset_lite.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_data.html +#srv/web/ipfire/manual/mod/mod_data.html.en +#srv/web/ipfire/manual/mod/mod_data.html.fr #srv/web/ipfire/manual/mod/mod_dav.html #srv/web/ipfire/manual/mod/mod_dav.html.en +#srv/web/ipfire/manual/mod/mod_dav.html.fr #srv/web/ipfire/manual/mod/mod_dav.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_dav.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_dav_fs.html #srv/web/ipfire/manual/mod/mod_dav_fs.html.en +#srv/web/ipfire/manual/mod/mod_dav_fs.html.fr #srv/web/ipfire/manual/mod/mod_dav_fs.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_dav_fs.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_dav_lock.html #srv/web/ipfire/manual/mod/mod_dav_lock.html.en +#srv/web/ipfire/manual/mod/mod_dav_lock.html.fr #srv/web/ipfire/manual/mod/mod_dav_lock.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_dbd.html #srv/web/ipfire/manual/mod/mod_dbd.html.en +#srv/web/ipfire/manual/mod/mod_dbd.html.fr #srv/web/ipfire/manual/mod/mod_deflate.html #srv/web/ipfire/manual/mod/mod_deflate.html.en +#srv/web/ipfire/manual/mod/mod_deflate.html.fr #srv/web/ipfire/manual/mod/mod_deflate.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_deflate.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_dialup.html +#srv/web/ipfire/manual/mod/mod_dialup.html.en +#srv/web/ipfire/manual/mod/mod_dialup.html.fr #srv/web/ipfire/manual/mod/mod_dir.html #srv/web/ipfire/manual/mod/mod_dir.html.en +#srv/web/ipfire/manual/mod/mod_dir.html.fr #srv/web/ipfire/manual/mod/mod_dir.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_dir.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_dir.html.tr.utf8 -#srv/web/ipfire/manual/mod/mod_disk_cache.html -#srv/web/ipfire/manual/mod/mod_disk_cache.html.en -#srv/web/ipfire/manual/mod/mod_disk_cache.html.ja.utf8 -#srv/web/ipfire/manual/mod/mod_disk_cache.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_dumpio.html #srv/web/ipfire/manual/mod/mod_dumpio.html.en +#srv/web/ipfire/manual/mod/mod_dumpio.html.fr #srv/web/ipfire/manual/mod/mod_dumpio.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_echo.html #srv/web/ipfire/manual/mod/mod_echo.html.en +#srv/web/ipfire/manual/mod/mod_echo.html.fr #srv/web/ipfire/manual/mod/mod_echo.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_echo.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_env.html #srv/web/ipfire/manual/mod/mod_env.html.en +#srv/web/ipfire/manual/mod/mod_env.html.fr #srv/web/ipfire/manual/mod/mod_env.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_env.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_env.html.tr.utf8 -#srv/web/ipfire/manual/mod/mod_example.html -#srv/web/ipfire/manual/mod/mod_example.html.en -#srv/web/ipfire/manual/mod/mod_example.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_example_hooks.html +#srv/web/ipfire/manual/mod/mod_example_hooks.html.en +#srv/web/ipfire/manual/mod/mod_example_hooks.html.fr +#srv/web/ipfire/manual/mod/mod_example_hooks.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_expires.html #srv/web/ipfire/manual/mod/mod_expires.html.en +#srv/web/ipfire/manual/mod/mod_expires.html.fr #srv/web/ipfire/manual/mod/mod_expires.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_expires.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_ext_filter.html #srv/web/ipfire/manual/mod/mod_ext_filter.html.en +#srv/web/ipfire/manual/mod/mod_ext_filter.html.fr #srv/web/ipfire/manual/mod/mod_ext_filter.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_ext_filter.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_file_cache.html #srv/web/ipfire/manual/mod/mod_file_cache.html.en +#srv/web/ipfire/manual/mod/mod_file_cache.html.fr #srv/web/ipfire/manual/mod/mod_file_cache.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_filter.html #srv/web/ipfire/manual/mod/mod_filter.html.en +#srv/web/ipfire/manual/mod/mod_filter.html.fr #srv/web/ipfire/manual/mod/mod_headers.html #srv/web/ipfire/manual/mod/mod_headers.html.en +#srv/web/ipfire/manual/mod/mod_headers.html.fr #srv/web/ipfire/manual/mod/mod_headers.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_headers.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_heartbeat.html +#srv/web/ipfire/manual/mod/mod_heartbeat.html.en +#srv/web/ipfire/manual/mod/mod_heartbeat.html.fr +#srv/web/ipfire/manual/mod/mod_heartmonitor.html +#srv/web/ipfire/manual/mod/mod_heartmonitor.html.en +#srv/web/ipfire/manual/mod/mod_heartmonitor.html.fr +#srv/web/ipfire/manual/mod/mod_http2.html +#srv/web/ipfire/manual/mod/mod_http2.html.en #srv/web/ipfire/manual/mod/mod_ident.html #srv/web/ipfire/manual/mod/mod_ident.html.en +#srv/web/ipfire/manual/mod/mod_ident.html.fr #srv/web/ipfire/manual/mod/mod_ident.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_ident.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_imagemap.html #srv/web/ipfire/manual/mod/mod_imagemap.html.en +#srv/web/ipfire/manual/mod/mod_imagemap.html.fr #srv/web/ipfire/manual/mod/mod_imagemap.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_include.html #srv/web/ipfire/manual/mod/mod_include.html.en +#srv/web/ipfire/manual/mod/mod_include.html.fr #srv/web/ipfire/manual/mod/mod_include.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_info.html #srv/web/ipfire/manual/mod/mod_info.html.en +#srv/web/ipfire/manual/mod/mod_info.html.fr #srv/web/ipfire/manual/mod/mod_info.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_info.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_isapi.html #srv/web/ipfire/manual/mod/mod_isapi.html.en +#srv/web/ipfire/manual/mod/mod_isapi.html.fr #srv/web/ipfire/manual/mod/mod_isapi.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_lbmethod_bybusyness.html +#srv/web/ipfire/manual/mod/mod_lbmethod_bybusyness.html.en +#srv/web/ipfire/manual/mod/mod_lbmethod_bybusyness.html.fr +#srv/web/ipfire/manual/mod/mod_lbmethod_byrequests.html +#srv/web/ipfire/manual/mod/mod_lbmethod_byrequests.html.en +#srv/web/ipfire/manual/mod/mod_lbmethod_byrequests.html.fr +#srv/web/ipfire/manual/mod/mod_lbmethod_bytraffic.html +#srv/web/ipfire/manual/mod/mod_lbmethod_bytraffic.html.en +#srv/web/ipfire/manual/mod/mod_lbmethod_bytraffic.html.fr +#srv/web/ipfire/manual/mod/mod_lbmethod_heartbeat.html +#srv/web/ipfire/manual/mod/mod_lbmethod_heartbeat.html.en +#srv/web/ipfire/manual/mod/mod_lbmethod_heartbeat.html.fr #srv/web/ipfire/manual/mod/mod_ldap.html #srv/web/ipfire/manual/mod/mod_ldap.html.en +#srv/web/ipfire/manual/mod/mod_ldap.html.fr #srv/web/ipfire/manual/mod/mod_log_config.html #srv/web/ipfire/manual/mod/mod_log_config.html.en +#srv/web/ipfire/manual/mod/mod_log_config.html.fr #srv/web/ipfire/manual/mod/mod_log_config.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_log_config.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_log_config.html.tr.utf8 +#srv/web/ipfire/manual/mod/mod_log_debug.html +#srv/web/ipfire/manual/mod/mod_log_debug.html.en +#srv/web/ipfire/manual/mod/mod_log_debug.html.fr #srv/web/ipfire/manual/mod/mod_log_forensic.html #srv/web/ipfire/manual/mod/mod_log_forensic.html.en +#srv/web/ipfire/manual/mod/mod_log_forensic.html.fr #srv/web/ipfire/manual/mod/mod_log_forensic.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_log_forensic.html.tr.utf8 #srv/web/ipfire/manual/mod/mod_logio.html #srv/web/ipfire/manual/mod/mod_logio.html.en +#srv/web/ipfire/manual/mod/mod_logio.html.fr #srv/web/ipfire/manual/mod/mod_logio.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_logio.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_logio.html.tr.utf8 -#srv/web/ipfire/manual/mod/mod_mem_cache.html -#srv/web/ipfire/manual/mod/mod_mem_cache.html.en -#srv/web/ipfire/manual/mod/mod_mem_cache.html.ja.utf8 -#srv/web/ipfire/manual/mod/mod_mem_cache.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_lua.html +#srv/web/ipfire/manual/mod/mod_lua.html.en +#srv/web/ipfire/manual/mod/mod_lua.html.fr +#srv/web/ipfire/manual/mod/mod_macro.html +#srv/web/ipfire/manual/mod/mod_macro.html.en +#srv/web/ipfire/manual/mod/mod_macro.html.fr #srv/web/ipfire/manual/mod/mod_mime.html #srv/web/ipfire/manual/mod/mod_mime.html.en +#srv/web/ipfire/manual/mod/mod_mime.html.fr #srv/web/ipfire/manual/mod/mod_mime.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_mime_magic.html #srv/web/ipfire/manual/mod/mod_mime_magic.html.en +#srv/web/ipfire/manual/mod/mod_mime_magic.html.fr #srv/web/ipfire/manual/mod/mod_negotiation.html #srv/web/ipfire/manual/mod/mod_negotiation.html.en +#srv/web/ipfire/manual/mod/mod_negotiation.html.fr #srv/web/ipfire/manual/mod/mod_negotiation.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_nw_ssl.html #srv/web/ipfire/manual/mod/mod_nw_ssl.html.en +#srv/web/ipfire/manual/mod/mod_nw_ssl.html.fr +#srv/web/ipfire/manual/mod/mod_privileges.html +#srv/web/ipfire/manual/mod/mod_privileges.html.en +#srv/web/ipfire/manual/mod/mod_privileges.html.fr #srv/web/ipfire/manual/mod/mod_proxy.html #srv/web/ipfire/manual/mod/mod_proxy.html.en #srv/web/ipfire/manual/mod/mod_proxy.html.fr #srv/web/ipfire/manual/mod/mod_proxy.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_proxy_ajp.html #srv/web/ipfire/manual/mod/mod_proxy_ajp.html.en +#srv/web/ipfire/manual/mod/mod_proxy_ajp.html.fr #srv/web/ipfire/manual/mod/mod_proxy_ajp.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_proxy_balancer.html #srv/web/ipfire/manual/mod/mod_proxy_balancer.html.en +#srv/web/ipfire/manual/mod/mod_proxy_balancer.html.fr #srv/web/ipfire/manual/mod/mod_proxy_balancer.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_proxy_connect.html #srv/web/ipfire/manual/mod/mod_proxy_connect.html.en +#srv/web/ipfire/manual/mod/mod_proxy_connect.html.fr #srv/web/ipfire/manual/mod/mod_proxy_connect.html.ja.utf8 +#srv/web/ipfire/manual/mod/mod_proxy_express.html +#srv/web/ipfire/manual/mod/mod_proxy_express.html.en +#srv/web/ipfire/manual/mod/mod_proxy_express.html.fr +#srv/web/ipfire/manual/mod/mod_proxy_fcgi.html +#srv/web/ipfire/manual/mod/mod_proxy_fcgi.html.en +#srv/web/ipfire/manual/mod/mod_proxy_fcgi.html.fr +#srv/web/ipfire/manual/mod/mod_proxy_fdpass.html +#srv/web/ipfire/manual/mod/mod_proxy_fdpass.html.en +#srv/web/ipfire/manual/mod/mod_proxy_fdpass.html.fr #srv/web/ipfire/manual/mod/mod_proxy_ftp.html #srv/web/ipfire/manual/mod/mod_proxy_ftp.html.en -#srv/web/ipfire/manual/mod/mod_proxy_ftp.html.ja.utf8 +#srv/web/ipfire/manual/mod/mod_proxy_ftp.html.fr +#srv/web/ipfire/manual/mod/mod_proxy_html.html +#srv/web/ipfire/manual/mod/mod_proxy_html.html.en +#srv/web/ipfire/manual/mod/mod_proxy_html.html.fr #srv/web/ipfire/manual/mod/mod_proxy_http.html #srv/web/ipfire/manual/mod/mod_proxy_http.html.en #srv/web/ipfire/manual/mod/mod_proxy_http.html.fr -#srv/web/ipfire/manual/mod/mod_proxy_http.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_proxy_scgi.html #srv/web/ipfire/manual/mod/mod_proxy_scgi.html.en -#srv/web/ipfire/manual/mod/mod_proxy_scgi.html.ja.utf8 +#srv/web/ipfire/manual/mod/mod_proxy_scgi.html.fr +#srv/web/ipfire/manual/mod/mod_proxy_wstunnel.html +#srv/web/ipfire/manual/mod/mod_proxy_wstunnel.html.en +#srv/web/ipfire/manual/mod/mod_ratelimit.html +#srv/web/ipfire/manual/mod/mod_ratelimit.html.en +#srv/web/ipfire/manual/mod/mod_ratelimit.html.fr +#srv/web/ipfire/manual/mod/mod_reflector.html +#srv/web/ipfire/manual/mod/mod_reflector.html.en +#srv/web/ipfire/manual/mod/mod_reflector.html.fr +#srv/web/ipfire/manual/mod/mod_remoteip.html +#srv/web/ipfire/manual/mod/mod_remoteip.html.en +#srv/web/ipfire/manual/mod/mod_remoteip.html.fr #srv/web/ipfire/manual/mod/mod_reqtimeout.html #srv/web/ipfire/manual/mod/mod_reqtimeout.html.en +#srv/web/ipfire/manual/mod/mod_reqtimeout.html.fr +#srv/web/ipfire/manual/mod/mod_request.html +#srv/web/ipfire/manual/mod/mod_request.html.en +#srv/web/ipfire/manual/mod/mod_request.html.fr +#srv/web/ipfire/manual/mod/mod_request.html.tr.utf8 #srv/web/ipfire/manual/mod/mod_rewrite.html #srv/web/ipfire/manual/mod/mod_rewrite.html.en #srv/web/ipfire/manual/mod/mod_rewrite.html.fr +#srv/web/ipfire/manual/mod/mod_sed.html +#srv/web/ipfire/manual/mod/mod_sed.html.en +#srv/web/ipfire/manual/mod/mod_sed.html.fr +#srv/web/ipfire/manual/mod/mod_session.html +#srv/web/ipfire/manual/mod/mod_session.html.en +#srv/web/ipfire/manual/mod/mod_session.html.fr +#srv/web/ipfire/manual/mod/mod_session_cookie.html +#srv/web/ipfire/manual/mod/mod_session_cookie.html.en +#srv/web/ipfire/manual/mod/mod_session_cookie.html.fr +#srv/web/ipfire/manual/mod/mod_session_crypto.html +#srv/web/ipfire/manual/mod/mod_session_crypto.html.en +#srv/web/ipfire/manual/mod/mod_session_crypto.html.fr +#srv/web/ipfire/manual/mod/mod_session_dbd.html +#srv/web/ipfire/manual/mod/mod_session_dbd.html.en +#srv/web/ipfire/manual/mod/mod_session_dbd.html.fr #srv/web/ipfire/manual/mod/mod_setenvif.html #srv/web/ipfire/manual/mod/mod_setenvif.html.en +#srv/web/ipfire/manual/mod/mod_setenvif.html.fr #srv/web/ipfire/manual/mod/mod_setenvif.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_setenvif.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_setenvif.html.tr.utf8 +#srv/web/ipfire/manual/mod/mod_slotmem_plain.html +#srv/web/ipfire/manual/mod/mod_slotmem_plain.html.en +#srv/web/ipfire/manual/mod/mod_slotmem_plain.html.fr +#srv/web/ipfire/manual/mod/mod_slotmem_shm.html +#srv/web/ipfire/manual/mod/mod_slotmem_shm.html.en +#srv/web/ipfire/manual/mod/mod_slotmem_shm.html.fr #srv/web/ipfire/manual/mod/mod_so.html #srv/web/ipfire/manual/mod/mod_so.html.en +#srv/web/ipfire/manual/mod/mod_so.html.fr #srv/web/ipfire/manual/mod/mod_so.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_so.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_so.html.tr.utf8 +#srv/web/ipfire/manual/mod/mod_socache_dbm.html +#srv/web/ipfire/manual/mod/mod_socache_dbm.html.en +#srv/web/ipfire/manual/mod/mod_socache_dbm.html.fr +#srv/web/ipfire/manual/mod/mod_socache_dc.html +#srv/web/ipfire/manual/mod/mod_socache_dc.html.en +#srv/web/ipfire/manual/mod/mod_socache_dc.html.fr +#srv/web/ipfire/manual/mod/mod_socache_memcache.html +#srv/web/ipfire/manual/mod/mod_socache_memcache.html.en +#srv/web/ipfire/manual/mod/mod_socache_memcache.html.fr +#srv/web/ipfire/manual/mod/mod_socache_shmcb.html +#srv/web/ipfire/manual/mod/mod_socache_shmcb.html.en +#srv/web/ipfire/manual/mod/mod_socache_shmcb.html.fr #srv/web/ipfire/manual/mod/mod_speling.html #srv/web/ipfire/manual/mod/mod_speling.html.en +#srv/web/ipfire/manual/mod/mod_speling.html.fr #srv/web/ipfire/manual/mod/mod_speling.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_speling.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_ssl.html #srv/web/ipfire/manual/mod/mod_ssl.html.en +#srv/web/ipfire/manual/mod/mod_ssl.html.fr #srv/web/ipfire/manual/mod/mod_status.html #srv/web/ipfire/manual/mod/mod_status.html.en +#srv/web/ipfire/manual/mod/mod_status.html.fr #srv/web/ipfire/manual/mod/mod_status.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_status.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_status.html.tr.utf8 #srv/web/ipfire/manual/mod/mod_substitute.html #srv/web/ipfire/manual/mod/mod_substitute.html.en +#srv/web/ipfire/manual/mod/mod_substitute.html.fr #srv/web/ipfire/manual/mod/mod_suexec.html #srv/web/ipfire/manual/mod/mod_suexec.html.en #srv/web/ipfire/manual/mod/mod_suexec.html.fr @@ -822,57 +1037,77 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/mod/mod_suexec.html.tr.utf8 #srv/web/ipfire/manual/mod/mod_unique_id.html #srv/web/ipfire/manual/mod/mod_unique_id.html.en +#srv/web/ipfire/manual/mod/mod_unique_id.html.fr #srv/web/ipfire/manual/mod/mod_unique_id.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_unique_id.html.ko.euc-kr +#srv/web/ipfire/manual/mod/mod_unixd.html +#srv/web/ipfire/manual/mod/mod_unixd.html.en +#srv/web/ipfire/manual/mod/mod_unixd.html.fr +#srv/web/ipfire/manual/mod/mod_unixd.html.tr.utf8 #srv/web/ipfire/manual/mod/mod_userdir.html #srv/web/ipfire/manual/mod/mod_userdir.html.en +#srv/web/ipfire/manual/mod/mod_userdir.html.fr #srv/web/ipfire/manual/mod/mod_userdir.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_userdir.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_userdir.html.tr.utf8 #srv/web/ipfire/manual/mod/mod_usertrack.html #srv/web/ipfire/manual/mod/mod_usertrack.html.en +#srv/web/ipfire/manual/mod/mod_usertrack.html.fr #srv/web/ipfire/manual/mod/mod_version.html #srv/web/ipfire/manual/mod/mod_version.html.en #srv/web/ipfire/manual/mod/mod_version.html.ja.utf8 #srv/web/ipfire/manual/mod/mod_version.html.ko.euc-kr #srv/web/ipfire/manual/mod/mod_vhost_alias.html #srv/web/ipfire/manual/mod/mod_vhost_alias.html.en +#srv/web/ipfire/manual/mod/mod_vhost_alias.html.fr #srv/web/ipfire/manual/mod/mod_vhost_alias.html.tr.utf8 +#srv/web/ipfire/manual/mod/mod_watchdog.html +#srv/web/ipfire/manual/mod/mod_watchdog.html.en +#srv/web/ipfire/manual/mod/mod_xml2enc.html +#srv/web/ipfire/manual/mod/mod_xml2enc.html.en +#srv/web/ipfire/manual/mod/mod_xml2enc.html.fr #srv/web/ipfire/manual/mod/module-dict.html #srv/web/ipfire/manual/mod/module-dict.html.en +#srv/web/ipfire/manual/mod/module-dict.html.fr #srv/web/ipfire/manual/mod/module-dict.html.ja.utf8 #srv/web/ipfire/manual/mod/module-dict.html.ko.euc-kr #srv/web/ipfire/manual/mod/module-dict.html.tr.utf8 #srv/web/ipfire/manual/mod/mpm_common.html #srv/web/ipfire/manual/mod/mpm_common.html.de #srv/web/ipfire/manual/mod/mpm_common.html.en +#srv/web/ipfire/manual/mod/mpm_common.html.fr #srv/web/ipfire/manual/mod/mpm_common.html.ja.utf8 #srv/web/ipfire/manual/mod/mpm_common.html.tr.utf8 #srv/web/ipfire/manual/mod/mpm_netware.html #srv/web/ipfire/manual/mod/mpm_netware.html.en +#srv/web/ipfire/manual/mod/mpm_netware.html.fr #srv/web/ipfire/manual/mod/mpm_winnt.html #srv/web/ipfire/manual/mod/mpm_winnt.html.de #srv/web/ipfire/manual/mod/mpm_winnt.html.en +#srv/web/ipfire/manual/mod/mpm_winnt.html.fr #srv/web/ipfire/manual/mod/mpm_winnt.html.ja.utf8 #srv/web/ipfire/manual/mod/mpmt_os2.html #srv/web/ipfire/manual/mod/mpmt_os2.html.en +#srv/web/ipfire/manual/mod/mpmt_os2.html.fr #srv/web/ipfire/manual/mod/prefork.html #srv/web/ipfire/manual/mod/prefork.html.de #srv/web/ipfire/manual/mod/prefork.html.en +#srv/web/ipfire/manual/mod/prefork.html.fr #srv/web/ipfire/manual/mod/prefork.html.ja.utf8 #srv/web/ipfire/manual/mod/prefork.html.tr.utf8 #srv/web/ipfire/manual/mod/quickreference.html #srv/web/ipfire/manual/mod/quickreference.html.de #srv/web/ipfire/manual/mod/quickreference.html.en #srv/web/ipfire/manual/mod/quickreference.html.es +#srv/web/ipfire/manual/mod/quickreference.html.fr #srv/web/ipfire/manual/mod/quickreference.html.ja.utf8 #srv/web/ipfire/manual/mod/quickreference.html.ko.euc-kr -#srv/web/ipfire/manual/mod/quickreference.html.ru.koi8-r #srv/web/ipfire/manual/mod/quickreference.html.tr.utf8 #srv/web/ipfire/manual/mod/quickreference.html.zh-cn.utf8 #srv/web/ipfire/manual/mod/worker.html #srv/web/ipfire/manual/mod/worker.html.de #srv/web/ipfire/manual/mod/worker.html.en +#srv/web/ipfire/manual/mod/worker.html.fr #srv/web/ipfire/manual/mod/worker.html.ja.utf8 #srv/web/ipfire/manual/mod/worker.html.tr.utf8 #srv/web/ipfire/manual/mpm.html @@ -896,93 +1131,124 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/new_features_2_2.html #srv/web/ipfire/manual/new_features_2_2.html.en #srv/web/ipfire/manual/new_features_2_2.html.fr -#srv/web/ipfire/manual/new_features_2_2.html.ja.utf8 #srv/web/ipfire/manual/new_features_2_2.html.ko.euc-kr #srv/web/ipfire/manual/new_features_2_2.html.pt-br #srv/web/ipfire/manual/new_features_2_2.html.tr.utf8 +#srv/web/ipfire/manual/new_features_2_4.html +#srv/web/ipfire/manual/new_features_2_4.html.en +#srv/web/ipfire/manual/new_features_2_4.html.fr +#srv/web/ipfire/manual/new_features_2_4.html.tr.utf8 #srv/web/ipfire/manual/platform #srv/web/ipfire/manual/platform/ebcdic.html #srv/web/ipfire/manual/platform/ebcdic.html.en #srv/web/ipfire/manual/platform/ebcdic.html.ko.euc-kr #srv/web/ipfire/manual/platform/index.html #srv/web/ipfire/manual/platform/index.html.en +#srv/web/ipfire/manual/platform/index.html.fr #srv/web/ipfire/manual/platform/index.html.ko.euc-kr #srv/web/ipfire/manual/platform/index.html.zh-cn.utf8 #srv/web/ipfire/manual/platform/netware.html #srv/web/ipfire/manual/platform/netware.html.en +#srv/web/ipfire/manual/platform/netware.html.fr #srv/web/ipfire/manual/platform/netware.html.ko.euc-kr #srv/web/ipfire/manual/platform/perf-hp.html #srv/web/ipfire/manual/platform/perf-hp.html.en +#srv/web/ipfire/manual/platform/perf-hp.html.fr #srv/web/ipfire/manual/platform/perf-hp.html.ko.euc-kr +#srv/web/ipfire/manual/platform/rpm.html +#srv/web/ipfire/manual/platform/rpm.html.en #srv/web/ipfire/manual/platform/win_compiling.html #srv/web/ipfire/manual/platform/win_compiling.html.en +#srv/web/ipfire/manual/platform/win_compiling.html.fr #srv/web/ipfire/manual/platform/win_compiling.html.ko.euc-kr #srv/web/ipfire/manual/platform/windows.html #srv/web/ipfire/manual/platform/windows.html.en +#srv/web/ipfire/manual/platform/windows.html.fr #srv/web/ipfire/manual/platform/windows.html.ko.euc-kr #srv/web/ipfire/manual/programs #srv/web/ipfire/manual/programs/ab.html #srv/web/ipfire/manual/programs/ab.html.en +#srv/web/ipfire/manual/programs/ab.html.fr #srv/web/ipfire/manual/programs/ab.html.ko.euc-kr #srv/web/ipfire/manual/programs/ab.html.tr.utf8 #srv/web/ipfire/manual/programs/apachectl.html #srv/web/ipfire/manual/programs/apachectl.html.en +#srv/web/ipfire/manual/programs/apachectl.html.fr #srv/web/ipfire/manual/programs/apachectl.html.ko.euc-kr #srv/web/ipfire/manual/programs/apachectl.html.tr.utf8 #srv/web/ipfire/manual/programs/apxs.html #srv/web/ipfire/manual/programs/apxs.html.en +#srv/web/ipfire/manual/programs/apxs.html.fr #srv/web/ipfire/manual/programs/apxs.html.ko.euc-kr #srv/web/ipfire/manual/programs/apxs.html.tr.utf8 #srv/web/ipfire/manual/programs/configure.html #srv/web/ipfire/manual/programs/configure.html.en +#srv/web/ipfire/manual/programs/configure.html.fr #srv/web/ipfire/manual/programs/configure.html.ko.euc-kr #srv/web/ipfire/manual/programs/configure.html.tr.utf8 #srv/web/ipfire/manual/programs/dbmmanage.html #srv/web/ipfire/manual/programs/dbmmanage.html.en +#srv/web/ipfire/manual/programs/dbmmanage.html.fr #srv/web/ipfire/manual/programs/dbmmanage.html.ko.euc-kr #srv/web/ipfire/manual/programs/dbmmanage.html.tr.utf8 +#srv/web/ipfire/manual/programs/fcgistarter.html +#srv/web/ipfire/manual/programs/fcgistarter.html.en +#srv/web/ipfire/manual/programs/fcgistarter.html.fr +#srv/web/ipfire/manual/programs/fcgistarter.html.tr.utf8 #srv/web/ipfire/manual/programs/htcacheclean.html #srv/web/ipfire/manual/programs/htcacheclean.html.en +#srv/web/ipfire/manual/programs/htcacheclean.html.fr #srv/web/ipfire/manual/programs/htcacheclean.html.ko.euc-kr #srv/web/ipfire/manual/programs/htcacheclean.html.tr.utf8 #srv/web/ipfire/manual/programs/htdbm.html #srv/web/ipfire/manual/programs/htdbm.html.en +#srv/web/ipfire/manual/programs/htdbm.html.fr #srv/web/ipfire/manual/programs/htdbm.html.tr.utf8 #srv/web/ipfire/manual/programs/htdigest.html #srv/web/ipfire/manual/programs/htdigest.html.en +#srv/web/ipfire/manual/programs/htdigest.html.fr #srv/web/ipfire/manual/programs/htdigest.html.ko.euc-kr #srv/web/ipfire/manual/programs/htdigest.html.tr.utf8 #srv/web/ipfire/manual/programs/htpasswd.html #srv/web/ipfire/manual/programs/htpasswd.html.en +#srv/web/ipfire/manual/programs/htpasswd.html.fr #srv/web/ipfire/manual/programs/htpasswd.html.ko.euc-kr #srv/web/ipfire/manual/programs/htpasswd.html.tr.utf8 #srv/web/ipfire/manual/programs/httpd.html #srv/web/ipfire/manual/programs/httpd.html.en +#srv/web/ipfire/manual/programs/httpd.html.fr #srv/web/ipfire/manual/programs/httpd.html.ko.euc-kr #srv/web/ipfire/manual/programs/httpd.html.tr.utf8 #srv/web/ipfire/manual/programs/httxt2dbm.html #srv/web/ipfire/manual/programs/httxt2dbm.html.en +#srv/web/ipfire/manual/programs/httxt2dbm.html.fr #srv/web/ipfire/manual/programs/httxt2dbm.html.tr.utf8 #srv/web/ipfire/manual/programs/index.html #srv/web/ipfire/manual/programs/index.html.en #srv/web/ipfire/manual/programs/index.html.es -#srv/web/ipfire/manual/programs/index.html.ja.utf8 +#srv/web/ipfire/manual/programs/index.html.fr #srv/web/ipfire/manual/programs/index.html.ko.euc-kr -#srv/web/ipfire/manual/programs/index.html.ru.koi8-r #srv/web/ipfire/manual/programs/index.html.tr.utf8 #srv/web/ipfire/manual/programs/index.html.zh-cn.utf8 +#srv/web/ipfire/manual/programs/log_server_status.html +#srv/web/ipfire/manual/programs/log_server_status.html.en #srv/web/ipfire/manual/programs/logresolve.html #srv/web/ipfire/manual/programs/logresolve.html.en +#srv/web/ipfire/manual/programs/logresolve.html.fr #srv/web/ipfire/manual/programs/logresolve.html.ko.euc-kr #srv/web/ipfire/manual/programs/logresolve.html.tr.utf8 #srv/web/ipfire/manual/programs/other.html #srv/web/ipfire/manual/programs/other.html.en +#srv/web/ipfire/manual/programs/other.html.fr #srv/web/ipfire/manual/programs/other.html.ko.euc-kr #srv/web/ipfire/manual/programs/other.html.tr.utf8 #srv/web/ipfire/manual/programs/rotatelogs.html #srv/web/ipfire/manual/programs/rotatelogs.html.en +#srv/web/ipfire/manual/programs/rotatelogs.html.fr #srv/web/ipfire/manual/programs/rotatelogs.html.ko.euc-kr #srv/web/ipfire/manual/programs/rotatelogs.html.tr.utf8 +#srv/web/ipfire/manual/programs/split-logfile.html +#srv/web/ipfire/manual/programs/split-logfile.html.en #srv/web/ipfire/manual/programs/suexec.html #srv/web/ipfire/manual/programs/suexec.html.en #srv/web/ipfire/manual/programs/suexec.html.ko.euc-kr @@ -990,15 +1256,19 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/rewrite #srv/web/ipfire/manual/rewrite/access.html #srv/web/ipfire/manual/rewrite/access.html.en +#srv/web/ipfire/manual/rewrite/access.html.fr #srv/web/ipfire/manual/rewrite/advanced.html #srv/web/ipfire/manual/rewrite/advanced.html.en +#srv/web/ipfire/manual/rewrite/advanced.html.fr #srv/web/ipfire/manual/rewrite/avoid.html #srv/web/ipfire/manual/rewrite/avoid.html.en +#srv/web/ipfire/manual/rewrite/avoid.html.fr #srv/web/ipfire/manual/rewrite/flags.html #srv/web/ipfire/manual/rewrite/flags.html.en #srv/web/ipfire/manual/rewrite/flags.html.fr #srv/web/ipfire/manual/rewrite/htaccess.html #srv/web/ipfire/manual/rewrite/htaccess.html.en +#srv/web/ipfire/manual/rewrite/htaccess.html.fr #srv/web/ipfire/manual/rewrite/index.html #srv/web/ipfire/manual/rewrite/index.html.en #srv/web/ipfire/manual/rewrite/index.html.fr @@ -1009,15 +1279,19 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/rewrite/intro.html.fr #srv/web/ipfire/manual/rewrite/proxy.html #srv/web/ipfire/manual/rewrite/proxy.html.en +#srv/web/ipfire/manual/rewrite/proxy.html.fr #srv/web/ipfire/manual/rewrite/remapping.html #srv/web/ipfire/manual/rewrite/remapping.html.en +#srv/web/ipfire/manual/rewrite/remapping.html.fr #srv/web/ipfire/manual/rewrite/rewritemap.html #srv/web/ipfire/manual/rewrite/rewritemap.html.en +#srv/web/ipfire/manual/rewrite/rewritemap.html.fr #srv/web/ipfire/manual/rewrite/tech.html #srv/web/ipfire/manual/rewrite/tech.html.en #srv/web/ipfire/manual/rewrite/tech.html.fr #srv/web/ipfire/manual/rewrite/vhosts.html #srv/web/ipfire/manual/rewrite/vhosts.html.en +#srv/web/ipfire/manual/rewrite/vhosts.html.fr #srv/web/ipfire/manual/sections.html #srv/web/ipfire/manual/sections.html.en #srv/web/ipfire/manual/sections.html.fr @@ -1026,6 +1300,7 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/sections.html.tr.utf8 #srv/web/ipfire/manual/server-wide.html #srv/web/ipfire/manual/server-wide.html.en +#srv/web/ipfire/manual/server-wide.html.fr #srv/web/ipfire/manual/server-wide.html.ja.utf8 #srv/web/ipfire/manual/server-wide.html.ko.euc-kr #srv/web/ipfire/manual/server-wide.html.tr.utf8 @@ -1033,24 +1308,33 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/sitemap.html.de #srv/web/ipfire/manual/sitemap.html.en #srv/web/ipfire/manual/sitemap.html.es +#srv/web/ipfire/manual/sitemap.html.fr #srv/web/ipfire/manual/sitemap.html.ja.utf8 #srv/web/ipfire/manual/sitemap.html.ko.euc-kr #srv/web/ipfire/manual/sitemap.html.tr.utf8 #srv/web/ipfire/manual/sitemap.html.zh-cn.utf8 +#srv/web/ipfire/manual/socache.html +#srv/web/ipfire/manual/socache.html.en +#srv/web/ipfire/manual/socache.html.fr #srv/web/ipfire/manual/ssl #srv/web/ipfire/manual/ssl/index.html #srv/web/ipfire/manual/ssl/index.html.en +#srv/web/ipfire/manual/ssl/index.html.fr #srv/web/ipfire/manual/ssl/index.html.ja.utf8 #srv/web/ipfire/manual/ssl/index.html.tr.utf8 #srv/web/ipfire/manual/ssl/index.html.zh-cn.utf8 #srv/web/ipfire/manual/ssl/ssl_compat.html #srv/web/ipfire/manual/ssl/ssl_compat.html.en +#srv/web/ipfire/manual/ssl/ssl_compat.html.fr #srv/web/ipfire/manual/ssl/ssl_faq.html #srv/web/ipfire/manual/ssl/ssl_faq.html.en +#srv/web/ipfire/manual/ssl/ssl_faq.html.fr #srv/web/ipfire/manual/ssl/ssl_howto.html #srv/web/ipfire/manual/ssl/ssl_howto.html.en +#srv/web/ipfire/manual/ssl/ssl_howto.html.fr #srv/web/ipfire/manual/ssl/ssl_intro.html #srv/web/ipfire/manual/ssl/ssl_intro.html.en +#srv/web/ipfire/manual/ssl/ssl_intro.html.fr #srv/web/ipfire/manual/ssl/ssl_intro.html.ja.utf8 #srv/web/ipfire/manual/stopping.html #srv/web/ipfire/manual/stopping.html.de @@ -1093,12 +1377,11 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/suexec.html.ko.euc-kr #srv/web/ipfire/manual/suexec.html.tr.utf8 #srv/web/ipfire/manual/upgrading.html -#srv/web/ipfire/manual/upgrading.html.de #srv/web/ipfire/manual/upgrading.html.en #srv/web/ipfire/manual/upgrading.html.fr -#srv/web/ipfire/manual/upgrading.html.ja.utf8 #srv/web/ipfire/manual/urlmapping.html #srv/web/ipfire/manual/urlmapping.html.en +#srv/web/ipfire/manual/urlmapping.html.fr #srv/web/ipfire/manual/urlmapping.html.ja.utf8 #srv/web/ipfire/manual/urlmapping.html.ko.euc-kr #srv/web/ipfire/manual/urlmapping.html.tr.utf8 @@ -1126,7 +1409,6 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/vhosts/index.html.fr #srv/web/ipfire/manual/vhosts/index.html.ja.utf8 #srv/web/ipfire/manual/vhosts/index.html.ko.euc-kr -#srv/web/ipfire/manual/vhosts/index.html.ru.koi8-r #srv/web/ipfire/manual/vhosts/index.html.tr.utf8 #srv/web/ipfire/manual/vhosts/index.html.zh-cn.utf8 #srv/web/ipfire/manual/vhosts/ip-based.html @@ -1137,6 +1419,7 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/vhosts/ip-based.html.tr.utf8 #srv/web/ipfire/manual/vhosts/mass.html #srv/web/ipfire/manual/vhosts/mass.html.en +#srv/web/ipfire/manual/vhosts/mass.html.fr #srv/web/ipfire/manual/vhosts/mass.html.ko.euc-kr #srv/web/ipfire/manual/vhosts/mass.html.tr.utf8 #srv/web/ipfire/manual/vhosts/name-based.html @@ -1146,13 +1429,19 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #srv/web/ipfire/manual/vhosts/name-based.html.ja.utf8 #srv/web/ipfire/manual/vhosts/name-based.html.ko.euc-kr #srv/web/ipfire/manual/vhosts/name-based.html.tr.utf8 -#usr/bin/apr-1-config -#usr/bin/apu-1-config +#usr/bin/ab +usr/bin/apr-1-config +usr/bin/apu-1-config +#usr/bin/apxs +#usr/bin/dbmmanage +#usr/bin/logresolve #usr/include/apache #usr/include/apache/ap_compat.h #usr/include/apache/ap_config.h #usr/include/apache/ap_config_auto.h #usr/include/apache/ap_config_layout.h +#usr/include/apache/ap_expr.h +#usr/include/apache/ap_hooks.h #usr/include/apache/ap_listen.h #usr/include/apache/ap_mmn.h #usr/include/apache/ap_mpm.h @@ -1160,77 +1449,11 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #usr/include/apache/ap_regex.h #usr/include/apache/ap_regkey.h #usr/include/apache/ap_release.h -#usr/include/apache/apr.h -#usr/include/apache/apr_allocator.h -#usr/include/apache/apr_anylock.h -#usr/include/apache/apr_atomic.h -#usr/include/apache/apr_base64.h -#usr/include/apache/apr_buckets.h -#usr/include/apache/apr_crypto.h -#usr/include/apache/apr_date.h -#usr/include/apache/apr_dbd.h -#usr/include/apache/apr_dbm.h -#usr/include/apache/apr_dso.h -#usr/include/apache/apr_env.h -#usr/include/apache/apr_errno.h -#usr/include/apache/apr_escape.h -#usr/include/apache/apr_file_info.h -#usr/include/apache/apr_file_io.h -#usr/include/apache/apr_fnmatch.h -#usr/include/apache/apr_general.h -#usr/include/apache/apr_getopt.h -#usr/include/apache/apr_global_mutex.h -#usr/include/apache/apr_hash.h -#usr/include/apache/apr_hooks.h -#usr/include/apache/apr_inherit.h -#usr/include/apache/apr_ldap.h -#usr/include/apache/apr_ldap_init.h -#usr/include/apache/apr_ldap_option.h -#usr/include/apache/apr_ldap_rebind.h -#usr/include/apache/apr_ldap_url.h -#usr/include/apache/apr_lib.h -#usr/include/apache/apr_md4.h -#usr/include/apache/apr_md5.h -#usr/include/apache/apr_memcache.h -#usr/include/apache/apr_mmap.h -#usr/include/apache/apr_network_io.h -#usr/include/apache/apr_optional.h -#usr/include/apache/apr_optional_hooks.h -#usr/include/apache/apr_poll.h -#usr/include/apache/apr_pools.h -#usr/include/apache/apr_portable.h -#usr/include/apache/apr_proc_mutex.h -#usr/include/apache/apr_queue.h -#usr/include/apache/apr_random.h -#usr/include/apache/apr_reslist.h -#usr/include/apache/apr_ring.h -#usr/include/apache/apr_rmm.h -#usr/include/apache/apr_sdbm.h -#usr/include/apache/apr_sha1.h -#usr/include/apache/apr_shm.h -#usr/include/apache/apr_signal.h -#usr/include/apache/apr_skiplist.h -#usr/include/apache/apr_strings.h -#usr/include/apache/apr_strmatch.h -#usr/include/apache/apr_support.h -#usr/include/apache/apr_tables.h -#usr/include/apache/apr_thread_cond.h -#usr/include/apache/apr_thread_mutex.h -#usr/include/apache/apr_thread_pool.h -#usr/include/apache/apr_thread_proc.h -#usr/include/apache/apr_thread_rwlock.h -#usr/include/apache/apr_time.h -#usr/include/apache/apr_uri.h -#usr/include/apache/apr_user.h -#usr/include/apache/apr_uuid.h -#usr/include/apache/apr_version.h -#usr/include/apache/apr_want.h -#usr/include/apache/apr_xlate.h -#usr/include/apache/apr_xml.h -#usr/include/apache/apu.h -#usr/include/apache/apu_errno.h -#usr/include/apache/apu_version.h -#usr/include/apache/apu_want.h +#usr/include/apache/ap_slotmem.h +#usr/include/apache/ap_socache.h +#usr/include/apache/apache_noprobes.h +#usr/include/apache/cache_common.h +#usr/include/apache/heartbeat.h #usr/include/apache/http_config.h #usr/include/apache/http_connection.h #usr/include/apache/http_core.h @@ -1241,6 +1464,7 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #usr/include/apache/http_vhost.h #usr/include/apache/httpd.h #usr/include/apache/mod_auth.h +#usr/include/apache/mod_cache.h #usr/include/apache/mod_cgi.h #usr/include/apache/mod_core.h #usr/include/apache/mod_dav.h @@ -1248,144 +1472,270 @@ etc/httpd/conf/vhosts.d/ipfire-interface.conf #usr/include/apache/mod_include.h #usr/include/apache/mod_log_config.h #usr/include/apache/mod_proxy.h +#usr/include/apache/mod_request.h #usr/include/apache/mod_rewrite.h +#usr/include/apache/mod_session.h +#usr/include/apache/mod_so.h #usr/include/apache/mod_ssl.h #usr/include/apache/mod_status.h -#usr/include/apache/mpm.h +#usr/include/apache/mod_unixd.h +#usr/include/apache/mod_watchdog.h +#usr/include/apache/mod_xml2enc.h #usr/include/apache/mpm_common.h -#usr/include/apache/mpm_default.h #usr/include/apache/os.h #usr/include/apache/scoreboard.h #usr/include/apache/unixd.h #usr/include/apache/util_cfgtree.h #usr/include/apache/util_charset.h +#usr/include/apache/util_cookies.h #usr/include/apache/util_ebcdic.h +#usr/include/apache/util_fcgi.h #usr/include/apache/util_filter.h #usr/include/apache/util_ldap.h #usr/include/apache/util_md5.h +#usr/include/apache/util_mutex.h #usr/include/apache/util_script.h #usr/include/apache/util_time.h +#usr/include/apache/util_varbuf.h #usr/include/apache/util_xml.h +#usr/include/apr-1 +#usr/include/apr-1/apr.h +#usr/include/apr-1/apr_allocator.h +#usr/include/apr-1/apr_anylock.h +#usr/include/apr-1/apr_atomic.h +#usr/include/apr-1/apr_base64.h +#usr/include/apr-1/apr_buckets.h +#usr/include/apr-1/apr_crypto.h +#usr/include/apr-1/apr_date.h +#usr/include/apr-1/apr_dbd.h +#usr/include/apr-1/apr_dbm.h +#usr/include/apr-1/apr_dso.h +#usr/include/apr-1/apr_env.h +#usr/include/apr-1/apr_errno.h +#usr/include/apr-1/apr_escape.h +#usr/include/apr-1/apr_file_info.h +#usr/include/apr-1/apr_file_io.h +#usr/include/apr-1/apr_fnmatch.h +#usr/include/apr-1/apr_general.h +#usr/include/apr-1/apr_getopt.h +#usr/include/apr-1/apr_global_mutex.h +#usr/include/apr-1/apr_hash.h +#usr/include/apr-1/apr_hooks.h +#usr/include/apr-1/apr_inherit.h +#usr/include/apr-1/apr_ldap.h +#usr/include/apr-1/apr_ldap_init.h +#usr/include/apr-1/apr_ldap_option.h +#usr/include/apr-1/apr_ldap_rebind.h +#usr/include/apr-1/apr_ldap_url.h +#usr/include/apr-1/apr_lib.h +#usr/include/apr-1/apr_md4.h +#usr/include/apr-1/apr_md5.h +#usr/include/apr-1/apr_memcache.h +#usr/include/apr-1/apr_mmap.h +#usr/include/apr-1/apr_network_io.h +#usr/include/apr-1/apr_optional.h +#usr/include/apr-1/apr_optional_hooks.h +#usr/include/apr-1/apr_poll.h +#usr/include/apr-1/apr_pools.h +#usr/include/apr-1/apr_portable.h +#usr/include/apr-1/apr_proc_mutex.h +#usr/include/apr-1/apr_queue.h +#usr/include/apr-1/apr_random.h +#usr/include/apr-1/apr_reslist.h +#usr/include/apr-1/apr_ring.h +#usr/include/apr-1/apr_rmm.h +#usr/include/apr-1/apr_sdbm.h +#usr/include/apr-1/apr_sha1.h +#usr/include/apr-1/apr_shm.h +#usr/include/apr-1/apr_signal.h +#usr/include/apr-1/apr_skiplist.h +#usr/include/apr-1/apr_strings.h +#usr/include/apr-1/apr_strmatch.h +#usr/include/apr-1/apr_support.h +#usr/include/apr-1/apr_tables.h +#usr/include/apr-1/apr_thread_cond.h +#usr/include/apr-1/apr_thread_mutex.h +#usr/include/apr-1/apr_thread_pool.h +#usr/include/apr-1/apr_thread_proc.h +#usr/include/apr-1/apr_thread_rwlock.h +#usr/include/apr-1/apr_time.h +#usr/include/apr-1/apr_uri.h +#usr/include/apr-1/apr_user.h +#usr/include/apr-1/apr_uuid.h +#usr/include/apr-1/apr_version.h +#usr/include/apr-1/apr_want.h +#usr/include/apr-1/apr_xlate.h +#usr/include/apr-1/apr_xml.h +#usr/include/apr-1/apu.h +#usr/include/apr-1/apu_errno.h +#usr/include/apr-1/apu_version.h +#usr/include/apr-1/apu_want.h #usr/lib/apache #usr/lib/apache/build -#usr/lib/apache/build/apr_rules.mk #usr/lib/apache/build/config.nice #usr/lib/apache/build/config_vars.mk #usr/lib/apache/build/instdso.sh #usr/lib/apache/build/library.mk -#usr/lib/apache/build/libtool #usr/lib/apache/build/ltlib.mk -#usr/lib/apache/build/make_exports.awk -#usr/lib/apache/build/make_var_export.awk #usr/lib/apache/build/mkdir.sh #usr/lib/apache/build/program.mk #usr/lib/apache/build/rules.mk #usr/lib/apache/build/special.mk #usr/lib/apache/httpd.exp +usr/lib/apache/mod_access_compat.so usr/lib/apache/mod_actions.so usr/lib/apache/mod_alias.so +usr/lib/apache/mod_allowmethods.so usr/lib/apache/mod_asis.so usr/lib/apache/mod_auth_basic.so usr/lib/apache/mod_auth_digest.so +usr/lib/apache/mod_auth_form.so usr/lib/apache/mod_authn_anon.so +usr/lib/apache/mod_authn_core.so usr/lib/apache/mod_authn_dbd.so usr/lib/apache/mod_authn_dbm.so -usr/lib/apache/mod_authn_default.so usr/lib/apache/mod_authn_file.so +usr/lib/apache/mod_authn_socache.so +usr/lib/apache/mod_authnz_fcgi.so +usr/lib/apache/mod_authz_core.so +usr/lib/apache/mod_authz_dbd.so usr/lib/apache/mod_authz_dbm.so -usr/lib/apache/mod_authz_default.so usr/lib/apache/mod_authz_groupfile.so usr/lib/apache/mod_authz_host.so usr/lib/apache/mod_authz_owner.so usr/lib/apache/mod_authz_user.so usr/lib/apache/mod_autoindex.so -usr/lib/apache/mod_cern_meta.so +usr/lib/apache/mod_buffer.so +usr/lib/apache/mod_cache.so +usr/lib/apache/mod_cache_disk.so +usr/lib/apache/mod_cache_socache.so usr/lib/apache/mod_cgi.so -usr/lib/apache/mod_dav.so -usr/lib/apache/mod_dav_fs.so +usr/lib/apache/mod_cgid.so +usr/lib/apache/mod_charset_lite.so +usr/lib/apache/mod_data.so usr/lib/apache/mod_dbd.so usr/lib/apache/mod_deflate.so +usr/lib/apache/mod_dialup.so usr/lib/apache/mod_dir.so usr/lib/apache/mod_dumpio.so +usr/lib/apache/mod_echo.so usr/lib/apache/mod_env.so usr/lib/apache/mod_expires.so usr/lib/apache/mod_ext_filter.so +usr/lib/apache/mod_file_cache.so usr/lib/apache/mod_filter.so usr/lib/apache/mod_headers.so -usr/lib/apache/mod_ident.so -usr/lib/apache/mod_imagemap.so +usr/lib/apache/mod_heartbeat.so +usr/lib/apache/mod_heartmonitor.so usr/lib/apache/mod_include.so usr/lib/apache/mod_info.so usr/lib/apache/mod_log_config.so +usr/lib/apache/mod_log_debug.so usr/lib/apache/mod_log_forensic.so usr/lib/apache/mod_logio.so +usr/lib/apache/mod_macro.so usr/lib/apache/mod_mime.so usr/lib/apache/mod_mime_magic.so +usr/lib/apache/mod_mpm_event.so +usr/lib/apache/mod_mpm_prefork.so +usr/lib/apache/mod_mpm_worker.so usr/lib/apache/mod_negotiation.so usr/lib/apache/mod_proxy.so usr/lib/apache/mod_proxy_ajp.so usr/lib/apache/mod_proxy_balancer.so usr/lib/apache/mod_proxy_connect.so +usr/lib/apache/mod_proxy_express.so +usr/lib/apache/mod_proxy_fcgi.so +usr/lib/apache/mod_proxy_fdpass.so usr/lib/apache/mod_proxy_ftp.so +usr/lib/apache/mod_proxy_html.so usr/lib/apache/mod_proxy_http.so usr/lib/apache/mod_proxy_scgi.so +usr/lib/apache/mod_proxy_wstunnel.so +usr/lib/apache/mod_ratelimit.so +usr/lib/apache/mod_reflector.so +usr/lib/apache/mod_remoteip.so usr/lib/apache/mod_reqtimeout.so +usr/lib/apache/mod_request.so usr/lib/apache/mod_rewrite.so +usr/lib/apache/mod_sed.so +usr/lib/apache/mod_session.so +usr/lib/apache/mod_session_cookie.so +usr/lib/apache/mod_session_crypto.so +usr/lib/apache/mod_session_dbd.so usr/lib/apache/mod_setenvif.so +usr/lib/apache/mod_slotmem_plain.so +usr/lib/apache/mod_slotmem_shm.so +usr/lib/apache/mod_socache_dbm.so +usr/lib/apache/mod_socache_memcache.so +usr/lib/apache/mod_socache_shmcb.so usr/lib/apache/mod_speling.so usr/lib/apache/mod_ssl.so usr/lib/apache/mod_status.so usr/lib/apache/mod_substitute.so +usr/lib/apache/mod_suexec.so usr/lib/apache/mod_unique_id.so +usr/lib/apache/mod_unixd.so usr/lib/apache/mod_userdir.so usr/lib/apache/mod_usertrack.so usr/lib/apache/mod_version.so usr/lib/apache/mod_vhost_alias.so +usr/lib/apache/mod_watchdog.so +usr/lib/apache/mod_xml2enc.so +usr/lib/apache/suexec #usr/lib/apr-util-1 +usr/lib/apr-util-1/apr_crypto_openssl-1.so +#usr/lib/apr-util-1/apr_crypto_openssl.la +usr/lib/apr-util-1/apr_crypto_openssl.so usr/lib/apr-util-1/apr_dbd_sqlite3-1.so -#usr/lib/apr-util-1/apr_dbd_sqlite3.a #usr/lib/apr-util-1/apr_dbd_sqlite3.la usr/lib/apr-util-1/apr_dbd_sqlite3.so +usr/lib/apr-util-1/apr_dbm_gdbm-1.so +#usr/lib/apr-util-1/apr_dbm_gdbm.la +usr/lib/apr-util-1/apr_dbm_gdbm.so #usr/lib/apr.exp #usr/lib/aprutil.exp -#usr/lib/libapr-1.a #usr/lib/libapr-1.la usr/lib/libapr-1.so usr/lib/libapr-1.so.0 -usr/lib/libapr-1.so.0.5.1 -#usr/lib/libaprutil-1.a +usr/lib/libapr-1.so.0.5.2 #usr/lib/libaprutil-1.la usr/lib/libaprutil-1.so usr/lib/libaprutil-1.so.0 -usr/lib/libaprutil-1.so.0.5.3 +usr/lib/libaprutil-1.so.0.5.4 #usr/lib/pkgconfig/apr-1.pc #usr/lib/pkgconfig/apr-util-1.pc -#usr/sbin/ab usr/sbin/apachectl -#usr/sbin/apxs #usr/sbin/checkgid -#usr/sbin/dbmmanage #usr/sbin/envvars #usr/sbin/envvars-std +#usr/sbin/fcgistarter #usr/sbin/htcacheclean #usr/sbin/htdbm #usr/sbin/htdigest usr/sbin/htpasswd usr/sbin/httpd #usr/sbin/httxt2dbm -#usr/sbin/logresolve #usr/sbin/rotatelogs +#usr/share/apr-1 +#usr/share/apr-1/build +#usr/share/apr-1/build/apr_rules.mk +#usr/share/apr-1/build/libtool +#usr/share/apr-1/build/make_exports.awk +#usr/share/apr-1/build/make_var_export.awk +#usr/share/apr-1/build/mkdir.sh +#usr/share/man/man1/ab.1 +#usr/share/man/man1/apxs.1 #usr/share/man/man1/dbmmanage.1 #usr/share/man/man1/htdbm.1 #usr/share/man/man1/htdigest.1 #usr/share/man/man1/htpasswd.1 #usr/share/man/man1/httxt2dbm.1 -#usr/share/man/man8/ab.8 +#usr/share/man/man1/logresolve.1 #usr/share/man/man8/apachectl.8 -#usr/share/man/man8/apxs.8 +#usr/share/man/man8/fcgistarter.8 #usr/share/man/man8/htcacheclean.8 #usr/share/man/man8/httpd.8 -#usr/share/man/man8/logresolve.8 #usr/share/man/man8/rotatelogs.8 #usr/share/man/man8/suexec.8 var/log/httpd diff --git a/config/rootfiles/common/pcre b/config/rootfiles/common/pcre index 8c4cc2a..12c04a1 100644 --- a/config/rootfiles/common/pcre +++ b/config/rootfiles/common/pcre @@ -10,7 +10,15 @@ #usr/lib/libpcre.la usr/lib/libpcre.so usr/lib/libpcre.so.1 -usr/lib/libpcre.so.1.2.5 +usr/lib/libpcre.so.1.2.6 +#usr/lib/libpcre16.la +usr/lib/libpcre16.so +usr/lib/libpcre16.so.0 +usr/lib/libpcre16.so.0.2.6 +#usr/lib/libpcre32.la +usr/lib/libpcre32.so +usr/lib/libpcre32.so.0 +usr/lib/libpcre32.so.0.0.6 #usr/lib/libpcrecpp.la usr/lib/libpcrecpp.so usr/lib/libpcrecpp.so.0 @@ -20,74 +28,76 @@ usr/lib/libpcreposix.so usr/lib/libpcreposix.so.0 usr/lib/libpcreposix.so.0.0.3 #usr/lib/pkgconfig/libpcre.pc +#usr/lib/pkgconfig/libpcre16.pc +#usr/lib/pkgconfig/libpcre32.pc #usr/lib/pkgconfig/libpcrecpp.pc #usr/lib/pkgconfig/libpcreposix.pc -#usr/share/doc/pcre -#usr/share/doc/pcre/AUTHORS -#usr/share/doc/pcre/COPYING -#usr/share/doc/pcre/ChangeLog -#usr/share/doc/pcre/LICENCE -#usr/share/doc/pcre/NEWS -#usr/share/doc/pcre/README -#usr/share/doc/pcre/html -#usr/share/doc/pcre/html/NON-AUTOTOOLS-BUILD.txt -#usr/share/doc/pcre/html/README.txt -#usr/share/doc/pcre/html/index.html -#usr/share/doc/pcre/html/pcre-config.html -#usr/share/doc/pcre/html/pcre.html -#usr/share/doc/pcre/html/pcre16.html -#usr/share/doc/pcre/html/pcre32.html -#usr/share/doc/pcre/html/pcre_assign_jit_stack.html -#usr/share/doc/pcre/html/pcre_compile.html -#usr/share/doc/pcre/html/pcre_compile2.html -#usr/share/doc/pcre/html/pcre_config.html -#usr/share/doc/pcre/html/pcre_copy_named_substring.html -#usr/share/doc/pcre/html/pcre_copy_substring.html -#usr/share/doc/pcre/html/pcre_dfa_exec.html -#usr/share/doc/pcre/html/pcre_exec.html -#usr/share/doc/pcre/html/pcre_free_study.html -#usr/share/doc/pcre/html/pcre_free_substring.html -#usr/share/doc/pcre/html/pcre_free_substring_list.html -#usr/share/doc/pcre/html/pcre_fullinfo.html -#usr/share/doc/pcre/html/pcre_get_named_substring.html -#usr/share/doc/pcre/html/pcre_get_stringnumber.html -#usr/share/doc/pcre/html/pcre_get_stringtable_entries.html -#usr/share/doc/pcre/html/pcre_get_substring.html -#usr/share/doc/pcre/html/pcre_get_substring_list.html -#usr/share/doc/pcre/html/pcre_jit_exec.html -#usr/share/doc/pcre/html/pcre_jit_stack_alloc.html -#usr/share/doc/pcre/html/pcre_jit_stack_free.html -#usr/share/doc/pcre/html/pcre_maketables.html -#usr/share/doc/pcre/html/pcre_pattern_to_host_byte_order.html -#usr/share/doc/pcre/html/pcre_refcount.html -#usr/share/doc/pcre/html/pcre_study.html -#usr/share/doc/pcre/html/pcre_utf16_to_host_byte_order.html -#usr/share/doc/pcre/html/pcre_utf32_to_host_byte_order.html -#usr/share/doc/pcre/html/pcre_version.html -#usr/share/doc/pcre/html/pcreapi.html -#usr/share/doc/pcre/html/pcrebuild.html -#usr/share/doc/pcre/html/pcrecallout.html -#usr/share/doc/pcre/html/pcrecompat.html -#usr/share/doc/pcre/html/pcrecpp.html -#usr/share/doc/pcre/html/pcredemo.html -#usr/share/doc/pcre/html/pcregrep.html -#usr/share/doc/pcre/html/pcrejit.html -#usr/share/doc/pcre/html/pcrelimits.html -#usr/share/doc/pcre/html/pcrematching.html -#usr/share/doc/pcre/html/pcrepartial.html -#usr/share/doc/pcre/html/pcrepattern.html -#usr/share/doc/pcre/html/pcreperform.html -#usr/share/doc/pcre/html/pcreposix.html -#usr/share/doc/pcre/html/pcreprecompile.html -#usr/share/doc/pcre/html/pcresample.html -#usr/share/doc/pcre/html/pcrestack.html -#usr/share/doc/pcre/html/pcresyntax.html -#usr/share/doc/pcre/html/pcretest.html -#usr/share/doc/pcre/html/pcreunicode.html -#usr/share/doc/pcre/pcre-config.txt -#usr/share/doc/pcre/pcre.txt -#usr/share/doc/pcre/pcregrep.txt -#usr/share/doc/pcre/pcretest.txt +#usr/share/doc/pcre-pcre-8.38 +#usr/share/doc/pcre-pcre-8.38/AUTHORS +#usr/share/doc/pcre-pcre-8.38/COPYING +#usr/share/doc/pcre-pcre-8.38/ChangeLog +#usr/share/doc/pcre-pcre-8.38/LICENCE +#usr/share/doc/pcre-pcre-8.38/NEWS +#usr/share/doc/pcre-pcre-8.38/README +#usr/share/doc/pcre-pcre-8.38/html +#usr/share/doc/pcre-pcre-8.38/html/NON-AUTOTOOLS-BUILD.txt +#usr/share/doc/pcre-pcre-8.38/html/README.txt +#usr/share/doc/pcre-pcre-8.38/html/index.html +#usr/share/doc/pcre-pcre-8.38/html/pcre-config.html +#usr/share/doc/pcre-pcre-8.38/html/pcre.html +#usr/share/doc/pcre-pcre-8.38/html/pcre16.html +#usr/share/doc/pcre-pcre-8.38/html/pcre32.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_assign_jit_stack.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_compile.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_compile2.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_config.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_copy_named_substring.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_copy_substring.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_dfa_exec.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_exec.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_free_study.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_free_substring.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_free_substring_list.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_fullinfo.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_get_named_substring.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_get_stringnumber.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_get_stringtable_entries.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_get_substring.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_get_substring_list.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_jit_exec.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_jit_stack_alloc.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_jit_stack_free.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_maketables.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_pattern_to_host_byte_order.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_refcount.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_study.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_utf16_to_host_byte_order.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_utf32_to_host_byte_order.html +#usr/share/doc/pcre-pcre-8.38/html/pcre_version.html +#usr/share/doc/pcre-pcre-8.38/html/pcreapi.html +#usr/share/doc/pcre-pcre-8.38/html/pcrebuild.html +#usr/share/doc/pcre-pcre-8.38/html/pcrecallout.html +#usr/share/doc/pcre-pcre-8.38/html/pcrecompat.html +#usr/share/doc/pcre-pcre-8.38/html/pcrecpp.html +#usr/share/doc/pcre-pcre-8.38/html/pcredemo.html +#usr/share/doc/pcre-pcre-8.38/html/pcregrep.html +#usr/share/doc/pcre-pcre-8.38/html/pcrejit.html +#usr/share/doc/pcre-pcre-8.38/html/pcrelimits.html +#usr/share/doc/pcre-pcre-8.38/html/pcrematching.html +#usr/share/doc/pcre-pcre-8.38/html/pcrepartial.html +#usr/share/doc/pcre-pcre-8.38/html/pcrepattern.html +#usr/share/doc/pcre-pcre-8.38/html/pcreperform.html +#usr/share/doc/pcre-pcre-8.38/html/pcreposix.html +#usr/share/doc/pcre-pcre-8.38/html/pcreprecompile.html +#usr/share/doc/pcre-pcre-8.38/html/pcresample.html +#usr/share/doc/pcre-pcre-8.38/html/pcrestack.html +#usr/share/doc/pcre-pcre-8.38/html/pcresyntax.html +#usr/share/doc/pcre-pcre-8.38/html/pcretest.html +#usr/share/doc/pcre-pcre-8.38/html/pcreunicode.html +#usr/share/doc/pcre-pcre-8.38/pcre-config.txt +#usr/share/doc/pcre-pcre-8.38/pcre.txt +#usr/share/doc/pcre-pcre-8.38/pcregrep.txt +#usr/share/doc/pcre-pcre-8.38/pcretest.txt #usr/share/man/man1/pcre-config.1 #usr/share/man/man1/pcregrep.1 #usr/share/man/man1/pcretest.1 @@ -191,3 +201,4 @@ usr/lib/libpcreposix.so.0.0.3 #usr/share/man/man3/pcrestack.3 #usr/share/man/man3/pcresyntax.3 #usr/share/man/man3/pcreunicode.3 + diff --git a/config/rootfiles/common/php b/config/rootfiles/common/php index 23031e9..c433fee 100644 --- a/config/rootfiles/common/php +++ b/config/rootfiles/common/php @@ -1,4 +1,5 @@ -etc/pear.conf +#etc/pear.conf +#etc/php-fpm.conf.default etc/php.ini #usr/bin/pear #usr/bin/peardev @@ -6,25 +7,24 @@ etc/php.ini usr/bin/phar usr/bin/phar.phar usr/bin/php +#usr/bin/php-cgi #usr/bin/php-config #usr/bin/phpize #usr/include/php #usr/include/php/TSRM #usr/include/php/TSRM/TSRM.h -#usr/include/php/TSRM/acconfig.h #usr/include/php/TSRM/readdir.h #usr/include/php/TSRM/tsrm_config.h #usr/include/php/TSRM/tsrm_config.w32.h #usr/include/php/TSRM/tsrm_config_common.h #usr/include/php/TSRM/tsrm_nw.h #usr/include/php/TSRM/tsrm_strtok_r.h -#usr/include/php/TSRM/tsrm_virtual_cwd.h #usr/include/php/TSRM/tsrm_win32.h #usr/include/php/Zend -#usr/include/php/Zend/acconfig.h #usr/include/php/Zend/zend.h #usr/include/php/Zend/zend_API.h #usr/include/php/Zend/zend_alloc.h +#usr/include/php/Zend/zend_ast.h #usr/include/php/Zend/zend_build.h #usr/include/php/Zend/zend_builtin_functions.h #usr/include/php/Zend/zend_closures.h @@ -33,14 +33,15 @@ usr/bin/php #usr/include/php/Zend/zend_config.nw.h #usr/include/php/Zend/zend_config.w32.h #usr/include/php/Zend/zend_constants.h +#usr/include/php/Zend/zend_dtrace.h #usr/include/php/Zend/zend_dynamic_array.h #usr/include/php/Zend/zend_errors.h #usr/include/php/Zend/zend_exceptions.h #usr/include/php/Zend/zend_execute.h #usr/include/php/Zend/zend_extensions.h -#usr/include/php/Zend/zend_fast_cache.h #usr/include/php/Zend/zend_float.h #usr/include/php/Zend/zend_gc.h +#usr/include/php/Zend/zend_generators.h #usr/include/php/Zend/zend_globals.h #usr/include/php/Zend/zend_globals_macros.h #usr/include/php/Zend/zend_hash.h @@ -67,13 +68,16 @@ usr/bin/php #usr/include/php/Zend/zend_operators.h #usr/include/php/Zend/zend_ptr_stack.h #usr/include/php/Zend/zend_qsort.h +#usr/include/php/Zend/zend_signal.h #usr/include/php/Zend/zend_stack.h #usr/include/php/Zend/zend_static_allocator.h #usr/include/php/Zend/zend_stream.h +#usr/include/php/Zend/zend_string.h #usr/include/php/Zend/zend_strtod.h #usr/include/php/Zend/zend_ts_hash.h #usr/include/php/Zend/zend_types.h #usr/include/php/Zend/zend_variables.h +#usr/include/php/Zend/zend_virtual_cwd.h #usr/include/php/Zend/zend_vm.h #usr/include/php/Zend/zend_vm_def.h #usr/include/php/Zend/zend_vm_execute.h @@ -99,21 +103,36 @@ usr/bin/php #usr/include/php/ext/filter #usr/include/php/ext/filter/php_filter.h #usr/include/php/ext/gd +#usr/include/php/ext/gd/gd_compat.h #usr/include/php/ext/gd/gdcache.h +#usr/include/php/ext/gd/libgd +#usr/include/php/ext/gd/libgd/gd.h +#usr/include/php/ext/gd/libgd/gd_intern.h +#usr/include/php/ext/gd/libgd/gd_io.h +#usr/include/php/ext/gd/libgd/gdcache.h +#usr/include/php/ext/gd/libgd/gdfontg.h +#usr/include/php/ext/gd/libgd/gdfontl.h +#usr/include/php/ext/gd/libgd/gdfontmb.h +#usr/include/php/ext/gd/libgd/gdfonts.h +#usr/include/php/ext/gd/libgd/gdfontt.h +#usr/include/php/ext/gd/libgd/gdhelpers.h +#usr/include/php/ext/gd/libgd/jisx0208.h +#usr/include/php/ext/gd/libgd/wbmp.h +#usr/include/php/ext/gd/libgd/webpimg.h #usr/include/php/ext/gd/php_gd.h #usr/include/php/ext/hash #usr/include/php/ext/hash/php_hash.h #usr/include/php/ext/hash/php_hash_adler32.h #usr/include/php/ext/hash/php_hash_crc32.h +#usr/include/php/ext/hash/php_hash_fnv.h #usr/include/php/ext/hash/php_hash_gost.h #usr/include/php/ext/hash/php_hash_haval.h +#usr/include/php/ext/hash/php_hash_joaat.h #usr/include/php/ext/hash/php_hash_md.h #usr/include/php/ext/hash/php_hash_ripemd.h -#usr/include/php/ext/hash/php_hash_salsa.h #usr/include/php/ext/hash/php_hash_sha.h #usr/include/php/ext/hash/php_hash_snefru.h #usr/include/php/ext/hash/php_hash_tiger.h -#usr/include/php/ext/hash/php_hash_types.h #usr/include/php/ext/hash/php_hash_whirlpool.h #usr/include/php/ext/iconv #usr/include/php/ext/iconv/php_have_bsd_iconv.h @@ -123,6 +142,7 @@ usr/bin/php #usr/include/php/ext/iconv/php_have_libiconv.h #usr/include/php/ext/iconv/php_iconv.h #usr/include/php/ext/iconv/php_iconv_aliased_libiconv.h +#usr/include/php/ext/iconv/php_iconv_broken_ignore.h #usr/include/php/ext/iconv/php_iconv_supports_errno.h #usr/include/php/ext/iconv/php_php_iconv_h_path.h #usr/include/php/ext/iconv/php_php_iconv_impl.h @@ -154,6 +174,30 @@ usr/bin/php #usr/include/php/ext/mbstring/oniguruma/oniguruma.h #usr/include/php/ext/mbstring/php_mbregex.h #usr/include/php/ext/mbstring/php_onig_compat.h +#usr/include/php/ext/mysqli +#usr/include/php/ext/mysqli/mysqli_mysqlnd.h +#usr/include/php/ext/mysqli/php_mysqli_structs.h +#usr/include/php/ext/mysqlnd +#usr/include/php/ext/mysqlnd/config-win.h +#usr/include/php/ext/mysqlnd/mysql_float_to_double.h +#usr/include/php/ext/mysqlnd/mysqlnd.h +#usr/include/php/ext/mysqlnd/mysqlnd_alloc.h +#usr/include/php/ext/mysqlnd/mysqlnd_block_alloc.h +#usr/include/php/ext/mysqlnd/mysqlnd_charset.h +#usr/include/php/ext/mysqlnd/mysqlnd_debug.h +#usr/include/php/ext/mysqlnd/mysqlnd_enum_n_def.h +#usr/include/php/ext/mysqlnd/mysqlnd_ext_plugin.h +#usr/include/php/ext/mysqlnd/mysqlnd_libmysql_compat.h +#usr/include/php/ext/mysqlnd/mysqlnd_net.h +#usr/include/php/ext/mysqlnd/mysqlnd_portability.h +#usr/include/php/ext/mysqlnd/mysqlnd_priv.h +#usr/include/php/ext/mysqlnd/mysqlnd_result.h +#usr/include/php/ext/mysqlnd/mysqlnd_result_meta.h +#usr/include/php/ext/mysqlnd/mysqlnd_reverse_api.h +#usr/include/php/ext/mysqlnd/mysqlnd_statistics.h +#usr/include/php/ext/mysqlnd/mysqlnd_structs.h +#usr/include/php/ext/mysqlnd/mysqlnd_wireprotocol.h +#usr/include/php/ext/mysqlnd/php_mysqlnd.h #usr/include/php/ext/pcre #usr/include/php/ext/pcre/pcrelib #usr/include/php/ext/pcre/pcrelib/config.h @@ -165,12 +209,16 @@ usr/bin/php #usr/include/php/ext/pdo #usr/include/php/ext/pdo/php_pdo.h #usr/include/php/ext/pdo/php_pdo_driver.h +#usr/include/php/ext/pdo/php_pdo_error.h +#usr/include/php/ext/phar +#usr/include/php/ext/phar/php_phar.h #usr/include/php/ext/session #usr/include/php/ext/session/mod_files.h #usr/include/php/ext/session/mod_user.h #usr/include/php/ext/session/php_session.h -#usr/include/php/ext/sockets -#usr/include/php/ext/sockets/php_sockets.h +#usr/include/php/ext/simplexml +#usr/include/php/ext/simplexml/php_simplexml.h +#usr/include/php/ext/simplexml/php_simplexml_exports.h #usr/include/php/ext/spl #usr/include/php/ext/spl/php_spl.h #usr/include/php/ext/spl/spl_array.h @@ -183,10 +231,6 @@ usr/bin/php #usr/include/php/ext/spl/spl_heap.h #usr/include/php/ext/spl/spl_iterators.h #usr/include/php/ext/spl/spl_observer.h -#usr/include/php/ext/sqlite -#usr/include/php/ext/sqlite/libsqlite -#usr/include/php/ext/sqlite/libsqlite/src -#usr/include/php/ext/sqlite/libsqlite/src/sqlite.h #usr/include/php/ext/sqlite3 #usr/include/php/ext/sqlite3/libsqlite #usr/include/php/ext/sqlite3/libsqlite/sqlite3.h @@ -209,6 +253,7 @@ usr/bin/php #usr/include/php/ext/standard/fsock.h #usr/include/php/ext/standard/head.h #usr/include/php/ext/standard/html.h +#usr/include/php/ext/standard/html_tables.h #usr/include/php/ext/standard/info.h #usr/include/php/ext/standard/md5.h #usr/include/php/ext/standard/microtime.h @@ -234,6 +279,7 @@ usr/bin/php #usr/include/php/ext/standard/php_mail.h #usr/include/php/ext/standard/php_math.h #usr/include/php/ext/standard/php_metaphone.h +#usr/include/php/ext/standard/php_password.h #usr/include/php/ext/standard/php_rand.h #usr/include/php/ext/standard/php_smart_str.h #usr/include/php/ext/standard/php_smart_str_public.h @@ -260,16 +306,13 @@ usr/bin/php #usr/include/php/main/SAPI.h #usr/include/php/main/build-defs.h #usr/include/php/main/fopen_wrappers.h -#usr/include/php/main/logos.h #usr/include/php/main/php.h -#usr/include/php/main/php3_compat.h #usr/include/php/main/php_compat.h #usr/include/php/main/php_config.h #usr/include/php/main/php_content_types.h #usr/include/php/main/php_getopt.h #usr/include/php/main/php_globals.h #usr/include/php/main/php_ini.h -#usr/include/php/main/php_logos.h #usr/include/php/main/php_main.h #usr/include/php/main/php_memory_streams.h #usr/include/php/main/php_network.h @@ -277,13 +320,13 @@ usr/bin/php #usr/include/php/main/php_output.h #usr/include/php/main/php_reentrancy.h #usr/include/php/main/php_scandir.h +#usr/include/php/main/php_stdint.h #usr/include/php/main/php_streams.h #usr/include/php/main/php_syslog.h #usr/include/php/main/php_ticks.h #usr/include/php/main/php_variables.h #usr/include/php/main/php_version.h #usr/include/php/main/rfc1867.h -#usr/include/php/main/safe_mode.h #usr/include/php/main/snprintf.h #usr/include/php/main/spprintf.h #usr/include/php/main/streams @@ -297,6 +340,9 @@ usr/bin/php #usr/include/php/main/streams/php_streams_int.h #usr/include/php/main/win32_internal_function_disabled.h #usr/include/php/main/win95nt.h +#usr/include/php/sapi +#usr/include/php/sapi/cli +#usr/include/php/sapi/cli/cli.h usr/lib/apache/libphp5.so #usr/lib/php #usr/lib/php/.channels @@ -344,8 +390,8 @@ usr/lib/php/Log/sqlite.php usr/lib/php/Log/syslog.php usr/lib/php/Log/win.php #usr/lib/php/OS -#usr/lib/php/OS/Guess.php -usr/lib/php/PEAR +usr/lib/php/OS/Guess.php +#usr/lib/php/PEAR usr/lib/php/PEAR.php usr/lib/php/PEAR/Autoloader.php usr/lib/php/PEAR/Builder.php @@ -386,7 +432,6 @@ usr/lib/php/PEAR/Downloader.php usr/lib/php/PEAR/Downloader/Package.php usr/lib/php/PEAR/ErrorStack.php usr/lib/php/PEAR/Exception.php -usr/lib/php/PEAR/FixPHP5PEARWarnings.php #usr/lib/php/PEAR/Frontend usr/lib/php/PEAR/Frontend.php usr/lib/php/PEAR/Frontend/CLI.php @@ -403,6 +448,8 @@ usr/lib/php/PEAR/Installer/Role/Doc.php usr/lib/php/PEAR/Installer/Role/Doc.xml usr/lib/php/PEAR/Installer/Role/Ext.php usr/lib/php/PEAR/Installer/Role/Ext.xml +usr/lib/php/PEAR/Installer/Role/Man.php +usr/lib/php/PEAR/Installer/Role/Man.xml usr/lib/php/PEAR/Installer/Role/Php.php usr/lib/php/PEAR/Installer/Role/Php.xml usr/lib/php/PEAR/Installer/Role/Script.php @@ -452,7 +499,6 @@ usr/lib/php/PEAR/Validate.php #usr/lib/php/PEAR/Validator usr/lib/php/PEAR/Validator/PECL.php usr/lib/php/PEAR/XMLParser.php -usr/lib/php/PEAR5.php #usr/lib/php/Structures #usr/lib/php/Structures/Graph usr/lib/php/Structures/Graph.php @@ -479,8 +525,6 @@ usr/lib/php/XML/Util.php #usr/lib/php/data/PEAR #usr/lib/php/data/PEAR/package.dtd #usr/lib/php/data/PEAR/template.spec -#usr/lib/php/data/Structures_Graph -#usr/lib/php/data/Structures_Graph/LICENSE #usr/lib/php/doc #usr/lib/php/doc/Archive_Tar #usr/lib/php/doc/Archive_Tar/docs @@ -488,32 +532,10 @@ usr/lib/php/XML/Util.php #usr/lib/php/doc/PEAR #usr/lib/php/doc/PEAR/INSTALL #usr/lib/php/doc/PEAR/LICENSE -#usr/lib/php/doc/PEAR/README +#usr/lib/php/doc/PEAR/README.rst #usr/lib/php/doc/Structures_Graph +#usr/lib/php/doc/Structures_Graph/LICENSE #usr/lib/php/doc/Structures_Graph/docs -#usr/lib/php/doc/Structures_Graph/docs/generate.sh -#usr/lib/php/doc/Structures_Graph/docs/html -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph/Structures_Graph.html -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph/Structures_Graph_Manipulator_AcyclicTest.html -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph/Structures_Graph_Manipulator_TopologicalSorter.html -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph/Structures_Graph_Node.html -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph/_Structures_Graph_Manipulator_AcyclicTest_php.html -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph/_Structures_Graph_Manipulator_TopologicalSorter_php.html -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph/_Structures_Graph_Node_php.html -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph/_Structures_Graph_php.html -#usr/lib/php/doc/Structures_Graph/docs/html/Structures_Graph/tutorial_Structures_Graph.pkg.html -#usr/lib/php/doc/Structures_Graph/docs/html/classtrees_Structures_Graph.html -#usr/lib/php/doc/Structures_Graph/docs/html/elementindex.html -#usr/lib/php/doc/Structures_Graph/docs/html/elementindex_Structures_Graph.html -#usr/lib/php/doc/Structures_Graph/docs/html/errors.html -#usr/lib/php/doc/Structures_Graph/docs/html/index.html -#usr/lib/php/doc/Structures_Graph/docs/html/li_Structures_Graph.html -#usr/lib/php/doc/Structures_Graph/docs/html/media -#usr/lib/php/doc/Structures_Graph/docs/html/media/banner.css -#usr/lib/php/doc/Structures_Graph/docs/html/media/stylesheet.css -#usr/lib/php/doc/Structures_Graph/docs/html/packages.html -#usr/lib/php/doc/Structures_Graph/docs/html/todolist.html #usr/lib/php/doc/Structures_Graph/docs/tutorials #usr/lib/php/doc/Structures_Graph/docs/tutorials/Structures_Graph #usr/lib/php/doc/Structures_Graph/docs/tutorials/Structures_Graph/Structures_Graph.pkg @@ -522,20 +544,28 @@ usr/lib/php/XML/Util.php usr/lib/php/doc/XML_Util/examples/example.php usr/lib/php/doc/XML_Util/examples/example2.php #usr/lib/php/extensions -#usr/lib/php/extensions/no-debug-non-zts-20090626 -usr/lib/php/extensions/no-debug-non-zts-20090626/dba.so -usr/lib/php/extensions/no-debug-non-zts-20090626/idn.so -#usr/lib/php/pearcmd.php -#usr/lib/php/peclcmd.php +#usr/lib/php/extensions/no-debug-zts-20131226 +usr/lib/php/extensions/no-debug-zts-20131226/dba.so +#usr/lib/php/extensions/no-debug-zts-20131226/intl.so +#usr/lib/php/extensions/no-debug-zts-20131226/opcache.so +usr/lib/php/pearcmd.php +usr/lib/php/peclcmd.php #usr/lib/php/test +#usr/lib/php/test/Console_Getopt +#usr/lib/php/test/Console_Getopt/tests +#usr/lib/php/test/Console_Getopt/tests/001-getopt.phpt +#usr/lib/php/test/Console_Getopt/tests/bug10557.phpt +#usr/lib/php/test/Console_Getopt/tests/bug11068.phpt +#usr/lib/php/test/Console_Getopt/tests/bug13140.phpt #usr/lib/php/test/Structures_Graph #usr/lib/php/test/Structures_Graph/tests -#usr/lib/php/test/Structures_Graph/tests/AllTests.php -#usr/lib/php/test/Structures_Graph/tests/testCase -#usr/lib/php/test/Structures_Graph/tests/testCase/BasicGraph.php +usr/lib/php/test/Structures_Graph/tests/AcyclicTestTest.php +usr/lib/php/test/Structures_Graph/tests/AllTests.php +usr/lib/php/test/Structures_Graph/tests/BasicGraphTest.php +usr/lib/php/test/Structures_Graph/tests/TopologicalSorterTest.php +#usr/lib/php/test/Structures_Graph/tests/helper.inc #usr/lib/php/test/XML_Util #usr/lib/php/test/XML_Util/tests -#usr/lib/php/test/XML_Util/tests/AllTests.php #usr/lib/php/test/XML_Util/tests/testBasic_apiVersion.phpt #usr/lib/php/test/XML_Util/tests/testBasic_attributesToString.phpt #usr/lib/php/test/XML_Util/tests/testBasic_collapseEmptyTags.phpt @@ -552,9 +582,17 @@ usr/lib/php/extensions/no-debug-non-zts-20090626/idn.so #usr/lib/php/test/XML_Util/tests/testBasic_replaceEntities.phpt #usr/lib/php/test/XML_Util/tests/testBasic_reverseEntities.phpt #usr/lib/php/test/XML_Util/tests/testBasic_splitQualifiedName.phpt +#usr/lib/php/test/XML_Util/tests/testBug_18343.phpt #usr/lib/php/test/XML_Util/tests/testBug_4950.phpt #usr/lib/php/test/XML_Util/tests/testBug_5392.phpt -#usr/man/man1/php-config.1 -#usr/man/man1/php.1 -#usr/man/man1/phpize.1 -etc/httpd/conf/conf.d/php5.conf +#usr/sbin/php-fpm +#usr/share/man/man1/phar.1 +#usr/share/man/man1/phar.phar.1 +#usr/share/man/man1/php-cgi.1 +#usr/share/man/man1/php-config.1 +#usr/share/man/man1/php.1 +#usr/share/man/man1/phpize.1 +#usr/share/man/man8/php-fpm.8 +#usr/share/php +#usr/share/php/fpm +#usr/share/php/fpm/status.html \ No newline at end of file diff --git a/lfs/apache2 b/lfs/apache2 index 57c3447..cfa70c5 100644 --- a/lfs/apache2 +++ b/lfs/apache2 @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2015 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,27 +25,28 @@ include Config -VER = 2.2.29 +VER = 2.4.18 THISAPP = httpd-$(VER) DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) - TARGET = $(DIR_INFO)/$(THISAPP) +PROG = apache2 ############################################################################### # Top-level Rules ############################################################################### -objects = $(DL_FILE) \ - httpd-2.2.2-config-1.patch +objects = $(DL_FILE) apr-1.5.2.tar.bz2 apr-util-1.5.4.tar.bz2 -$(DL_FILE) = $(DL_FROM)/$(DL_FILE) -httpd-2.2.2-config-1.patch = $(DL_FROM)/httpd-2.2.2-config-1.patch +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) +apr-1.5.2.tar.bz2 = $(DL_FROM)/apr-1.5.2.tar.bz2 +apr-util-1.5.4.tar.bz2 = $(DL_FROM)/apr-util-1.5.4.tar.bz2 -$(DL_FILE)_MD5 = 579342fdeaa7b8b68d17fee91f8fab6e -httpd-2.2.2-config-1.patch_MD5 = e02a3ec5925eb9e111400b9aa229f822 +$(DL_FILE)_MD5 = 3690b3cc991b7dfd22aea9e1264a11b9 +apr-1.5.2.tar.bz2_MD5 = 4e9769f3349fe11fc0a5e1b224c236aa +apr-util-1.5.4.tar.bz2_MD5 = 2202b18f269ad606d70e1864857ed93c install : $(TARGET) @@ -55,16 +56,17 @@ download :$(patsubst %,$(DIR_DL)/%,$(objects)) md5 : $(subst %,%_MD5,$(objects)) +dist: + @$(PAK) + ############################################################################### # Downloading, checking, md5sum ############################################################################### $(patsubst %,$(DIR_CHK)/%,$(objects)) : @$(CHECK) - $(patsubst %,$(DIR_DL)/%,$(objects)) : @$(LOAD) - $(subst %,%_MD5,$(objects)) : @$(MD5) @@ -74,9 +76,35 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) + # Build apr + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/apr-1.5.2.tar.bz2 + cd $(DIR_SRC)/apr-1.5.2 && ./configure \ + --prefix=/usr \ + --disable-static \ + --with-installbuilddir=/usr/share/apr-1/build + + cd $(DIR_SRC)/apr-1.5.2 && make $(MAKETUNING) + cd $(DIR_SRC)/apr-1.5.2 && make install + @rm -rf $(DIR_SRC)/apr-1.5.2 + + # Build apr-util + cd $(DIR_SRC) && tar jxf $(DIR_DL)/apr-util-1.5.4.tar.bz2 + cd $(DIR_SRC)/apr-util-1.5.4 && ./configure \ + --prefix=/usr \ + --with-apr=/usr \ + --with-gdbm=/usr \ + --with-openssl=/usr \ + --with-crypto \ + --with-sqlite3=/usr + + cd $(DIR_SRC)/apr-util-1.5.4 && make $(MAKETUNING) + cd $(DIR_SRC)/apr-util-1.5.4 && make install + @rm -rf $(DIR_SRC)/apr-util-1.5.4 + + # Build Apache + OPT="$(CFLAGS)" @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_DL)/httpd-2.2.2-config-1.patch - + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/httpd-2.4.18_absolut_path_apxs.patch ### Add IPFire's layout, too echo "# IPFire layout" >> $(DIR_APP)/config.layout echo "<Layout IPFire>" >> $(DIR_APP)/config.layout @@ -102,19 +130,50 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) echo " proxycachedir: /var/cache/apache/proxy" >> $(DIR_APP)/config.layout echo "</Layout>" >> $(DIR_APP)/config.layout - cd $(DIR_APP) && ./configure --enable-layout=IPFire \ - --enable-ssl --enable-mods-shared=all --enable-proxy + cd $(DIR_APP) && ./configure --enable-layout=IPFire \ + --enable-ssl \ + --with-ssl=/usr/include/openssl \ + --enable-mods-shared="all cgi" \ + --enable-mpms-shared=all \ + --enable-proxy \ + --enable-dbd \ + --enable-session \ + --enable-cache \ + --enable-authnz-fcgi \ + --enable-authz-dbd \ + --enable-deflate \ + --enable-lbmethod-heartbeat=no \ + --enable-lbmethod-bybusyness=no \ + --enable-lbmethod-byrequests=no \ + --enable-lbmethod-bytraffic=no \ + --enable-suexec=shared \ + --with-apr=/usr/bin/apr-1-config \ + --with-apr-util=/usr/bin/apu-1-config \ + --with-suexec-bin=/usr/lib/apache/suexec \ + --with-suexec-caller=apache \ + --with-suexec-docroot=/srv/web \ + --with-suexec-logfile=/var/log/httpd/suexec.log \ + --with-suexec-uidmin=100 \ + --with-suexec-userdir=public_html \ + --enable-dav=no + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install - chown -v root:root /usr/lib/apache/httpd.exp \ - /usr/sbin/{apxs,apachectl,dbmmanage,envvars{,-std}} \ - /usr/share/man/man1/{dbmmanage,ht{dbm,digest,passwd,txt2dbm}}.1 \ - /usr/share/man/man8/{ab,apachectl,apxs,htcacheclean,httpd}.8 \ - /usr/share/man/man8/{logresolve,rotatelogs,suexec}.8 - - # Install apache config - cp -rf $(DIR_CONF)/httpd/* /etc/httpd/conf + chown -v root:root /usr/share/man/man1/{dbmmanage,ht{dbm,digest,passwd,txt2dbm}}.1 \ + /usr/share/man/man8/{apachectl,htcacheclean,httpd,rotatelogs,suexec}.8 + + ### Install apache config + cp -rvf $(DIR_CONF)/httpd/* /etc/httpd/conf ln -sf $(CONFIG_ROOT)/main/hostname.conf /etc/httpd/conf/ + install -d -m 755 /var/run/httpd/ + + ### copy files to old locations + mv -v /usr/bin/htpasswd /usr/sbin/ + mv -v /usr/bin/htdigest /usr/sbin/ + mv -v /usr/bin/htdbm /usr/sbin/ + mv -v /usr/bin/httxt2dbm /usr/sbin/ + mv -v /usr/sbin/suexec /usr/lib/apache/suexec @rm -rf $(DIR_APP) @$(POSTBUILD) + diff --git a/lfs/pcre b/lfs/pcre index fd66350..aa10c64 100644 --- a/lfs/pcre +++ b/lfs/pcre @@ -24,10 +24,10 @@ include Config -VER = 8.37 +VER = 8.38 THISAPP = pcre-$(VER) -DL_FILE = $(THISAPP).tar.gz +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 6e0cc6d1bdac7a4308151f9b3571b86e +$(DL_FILE)_MD5 = 00aabbfe56d5a48b270f999b508c5ad2 install : $(TARGET) @@ -70,18 +70,23 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/pcre-8.37-Fix-another-buffer-overflow.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch - cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --disable-static \ - --enable-utf8 \ - --disable-jit \ - --enable-unicode-properties + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-static \ + --enable-utf8 \ + --disable-jit \ + --enable-pcre16 \ + --enable-pcre32 \ + --enable-pcregrep-libz \ + --enable-pcregrep-libbz2 \ + --enable-pcretest-libreadline \ + --enable-unicode-properties \ + --disable-static \ + --docdir=/usr/share/doc/pcre-$(THISAPP) + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) @$(POSTBUILD) + diff --git a/lfs/php b/lfs/php index 8139e21..b2ad63e 100644 --- a/lfs/php +++ b/lfs/php @@ -24,10 +24,10 @@ include Config -VER = 5.3.27 +VER = 5.6.17 THISAPP = php-$(VER) -DL_FILE = $(THISAPP).tar.bz2 +DL_FILE = $(THISAPP).tar.xz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) @@ -40,15 +40,15 @@ endif # Top-level Rules ############################################################################### -objects = $(DL_FILE) idn-0.1.tgz Log-1.9.11.tgz +objects = $(DL_FILE) intl-3.0.0.tgz Log-1.12.9.tgz $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -idn-0.1.tgz = $(DL_FROM)/idn-0.1.tgz -Log-1.9.11.tgz = $(DL_FROM)/Log-1.9.11.tgz +intl-3.0.0.tgz = $(DL_FROM)/intl-3.0.0.tgz +Log-1.12.9.tgz = $(DL_FROM)/Log-1.12.9.tgz -$(DL_FILE)_MD5 = 25ae23a5b9615fe8d33de5b63e1bb788 -idn-0.1.tgz_MD5 = ef8635ec22348325a76abd2abddca4a1 -Log-1.9.11.tgz_MD5 = fb7c648b212f12fdb5ce1ab687793513 +$(DL_FILE)_MD5 = 5e080e4b7df5db24f1b64313f8114bd8 +intl-3.0.0.tgz_MD5 = a6029b9e7b1d0fcdb6e8bfad49e59ae9 +Log-1.12.9.tgz_MD5 = 980bda64d7feb22d0899999f4e0bddd9 install : $(TARGET) @@ -77,62 +77,73 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) $(DIR_SRC)/idn-* $(DIR_SRC)/Log-* $(DIR_SRC)/package.xml && \ - cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure --prefix=/usr \ - --sysconfdir=/etc \ - --with-apxs2 \ - --enable-force-cgi-redirect \ - --enable-discard-path \ - --enable-fastcgi \ - --with-config-file-path=/etc \ - --with-openssl \ - --with-kerberos \ - --with-zlib \ - --enable-bcmath \ - --with-bz2 \ - --enable-calendar \ - --with-curl \ - --with-curlwrappers \ - --enable-dba=shared \ - --with-gdbm \ - --with-db4 \ - --with-inifile \ - --with-flatfile \ - --enable-exif \ - --enable-ftp \ - --with-openssl-dir=/usr \ - --with-gd=/usr \ - --with-jpeg-dir=/usr \ - --with-png-dir=/usr \ - --with-zlib-dir=/usr \ - --with-freetype-dir=/usr \ - --with-gettext \ - --with-gmp \ - --enable-mbstring \ - --with-mysql \ - --with-mysql-sock=/var/run/mysql \ - --with-ncurses \ - --with-pdo-mysql \ - --with-pdo-sqlite \ - --with-readline \ - --enable-sockets \ - --with-xsl \ - --with-iconv \ - --enable-zip - cd $(DIR_APP) && make $(MAKETUNING) + @rm -rf $(DIR_APP) $(DIR_SRC)/intl-* $(DIR_SRC)/Log-* $(DIR_SRC)/package.xml && \ + cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/php-5.6.17_db6.patch + cd $(DIR_APP) && ./configure --prefix=/usr \ + --enable-maintainer-zts \ + --enable-zend-signals \ + --with-apxs2=/usr/bin/apxs \ + --with-config-file-path=/etc \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --datadir=/usr/share/php \ + --mandir=/usr/share/man \ + --enable-intl \ + --enable-calendar \ + --enable-dba=shared \ + --enable-ftp \ + --enable-bcmath \ + --enable-mbstring \ + --enable-zip \ + --enable-exif \ + --enable-soap \ + --enable-zip \ + --enable-fpm \ + --with-fpm-user \ + --with-fpm-group \ + --with-zlib \ + --with-bz2 \ + --with-curl \ + --with-gdbm \ + --with-gmp \ + --with-xsl \ + --with-iconv \ + --with-readline \ + --with-gettext \ + --with-icu-dir=/usr \ + --with-openssl \ + --with-openssl-dir=/usr \ + --with-mysql \ + --with-mysql-sock=/run/mysql \ + --with-mysqli=mysqlnd \ + --with-pear=/usr/lib/php \ + --with-pdo-sqlite \ + --with-pdo-mysql=mysqlnd \ + --with-gd \ + --with-jpeg-dir=/usr \ + --with-png-dir=/usr \ + --with-zlib-dir=/usr \ + --with-freetype-dir=/usr \ + --with-db4 + cd $(DIR_APP) && make install + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && install -v -m644 $(DIR_SRC)/config/php/php.ini /etc/php.ini -grep -v libphp5.so < /etc/httpd/conf/httpd.conf > /etc/httpd/conf/httpd.conf.bak mv -f /etc/httpd/conf/httpd.conf.bak /etc/httpd/conf/httpd.conf - cd $(DIR_SRC) && tar xfz $(DIR_DL)/idn-0.1.tgz - -rm -f $(DIR_SRC)/package.xml - cd $(DIR_SRC)/idn-* && phpize - cd $(DIR_SRC)/idn-* && ./configure --prefix=/usr --with-idn - cd $(DIR_SRC)/idn-* && make $(MAKETUNING) $(EXTRA_MAKE) - cd $(DIR_SRC)/idn-* && make install - cd $(DIR_SRC) && tar xfz $(DIR_DL)/Log-1.9.11.tgz + + # Install intl + cd $(DIR_SRC) && tar xfz $(DIR_DL)/intl-3.0.0.tgz + #-rm -f $(DIR_SRC)/package.xml + cd $(DIR_SRC)/intl-* && phpize + cd $(DIR_SRC)/intl-* && ./configure --prefix=/usr --enable-intl + cd $(DIR_SRC)/intl-* && make $(MAKETUNING) $(EXTRA_MAKE) + cd $(DIR_SRC)/intl-* && make install + cd $(DIR_SRC) && tar xfz $(DIR_DL)/Log-1.12.9.tgz -rm -f $(DIR_SRC)/package.xml + cd $(DIR_SRC)/Log-* && cp -av Log Log.php /usr/lib/php - @rm -rf $(DIR_APP) $(DIR_SRC)/idn-* $(DIR_SRC)/Log-* $(DIR_SRC)/package.xml + @rm -rf $(DIR_APP) $(DIR_SRC)/intl-* $(DIR_SRC)/Log-* $(DIR_SRC)/package.xml @$(POSTBUILD) diff --git a/make.sh b/make.sh index 9f119bf..cfe4ec5 100755 --- a/make.sh +++ b/make.sh @@ -344,12 +344,12 @@ buildbase() { lfsmake2 perl lfsmake2 readline lfsmake2 readline-compat + lfsmake2 bzip2 lfsmake2 pcre lfsmake2 pcre-compat lfsmake2 autoconf lfsmake2 automake lfsmake2 bash - lfsmake2 bzip2 lfsmake2 diffutils lfsmake2 e2fsprogs lfsmake2 ed @@ -483,6 +483,7 @@ buildipfire() { ipfiremake bind ipfiremake dhcp ipfiremake dhcpcd + ipfiremake icu ipfiremake boost ipfiremake linux-atm ipfiremake expat @@ -523,6 +524,7 @@ buildipfire() { ipfiremake cyrus-sasl ipfiremake openldap ipfiremake apache2 + ipfiremake apache2-modsec ipfiremake php ipfiremake web-user-interface ipfiremake flag-icons diff --git a/src/patches/pcre-8.37-Fix-another-buffer-overflow.patch b/src/patches/pcre-8.37-Fix-another-buffer-overflow.patch deleted file mode 100644 index 20ead09..0000000 --- a/src/patches/pcre-8.37-Fix-another-buffer-overflow.patch +++ /dev/null @@ -1,110 +0,0 @@ -From f6efcf125123199d446c5561266c3c3846ed9f30 Mon Sep 17 00:00:00 2001 -From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Wed, 3 Jun 2015 16:51:59 +0000 -Subject: [PATCH] Fix another buffer overflow. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Ported to 8.37: - -commit 225f0d5eb16c7a26591a1e3f286c7476907b5a6a -Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Wed Jun 3 16:51:59 2015 +0000 - - Fix another buffer overflow. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1562 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -Signed-off-by: Petr Písař <ppisar(a)redhat.com> ---- - pcre_compile.c | 7 ++++++- - testdata/testinput2 | 2 ++ - testdata/testoutput11-16 | 2 +- - testdata/testoutput11-32 | 2 +- - testdata/testoutput11-8 | 2 +- - testdata/testoutput2 | 2 ++ - 6 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index 8b4aaef..f5d2384 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -7210,7 +7210,12 @@ for (;; ptr++) - real compile this will be picked up and the reference wrapped with - OP_ONCE to make it atomic, so we must space in case this occurs. */ - -- if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE; -+ /* In fact, this can happen for a non-forward reference because -+ another group with the same number might be created later. This -+ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance -+ only mode, we finesse the bug by allowing more memory always. */ -+ -+ /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE; - } - - /* In the real compile, search the name table. We check the name -diff --git a/testdata/testinput2 b/testdata/testinput2 -index 5cc9ce6..e12de3a 100644 ---- a/testdata/testinput2 -+++ b/testdata/testinput2 -@@ -4156,4 +4156,6 @@ backtracking verbs. --/ - - /(?=di(?<=(?1))|(?=(.))))/ - -+"(?J:(?|(?'R')(\k'R')|((?'R'))))" -+ - /-- End of testinput2 --/ -diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 -index 422f2ad..e222e7c 100644 ---- a/testdata/testoutput11-16 -+++ b/testdata/testoutput11-16 -@@ -231,7 +231,7 @@ Memory allocation (code space): 73 - ------------------------------------------------------------------ - - /(?P<a>a)...(?P=a)bbb(?P>a)d/BM --Memory allocation (code space): 61 -+Memory allocation (code space): 77 - ------------------------------------------------------------------ - 0 24 Bra - 2 5 CBra 1 -diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 -index d953ec8..9a80ec9 100644 ---- a/testdata/testoutput11-32 -+++ b/testdata/testoutput11-32 -@@ -231,7 +231,7 @@ Memory allocation (code space): 155 - ------------------------------------------------------------------ - - /(?P<a>a)...(?P=a)bbb(?P>a)d/BM --Memory allocation (code space): 125 -+Memory allocation (code space): 157 - ------------------------------------------------------------------ - 0 24 Bra - 2 5 CBra 1 -diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8 -index 6ec18ec..3adaca2 100644 ---- a/testdata/testoutput11-8 -+++ b/testdata/testoutput11-8 -@@ -231,7 +231,7 @@ Memory allocation (code space): 45 - ------------------------------------------------------------------ - - /(?P<a>a)...(?P=a)bbb(?P>a)d/BM --Memory allocation (code space): 38 -+Memory allocation (code space): 50 - ------------------------------------------------------------------ - 0 30 Bra - 3 7 CBra 1 -diff --git a/testdata/testoutput2 b/testdata/testoutput2 -index 4decb8d..5bad26c 100644 ---- a/testdata/testoutput2 -+++ b/testdata/testoutput2 -@@ -14428,4 +14428,6 @@ Failed: lookbehind assertion is not fixed length at offset 17 - /(?=di(?<=(?1))|(?=(.))))/ - Failed: unmatched parentheses at offset 23 - -+"(?J:(?|(?'R')(\k'R')|((?'R'))))" -+ - /-- End of testinput2 --/ --- -2.4.3 - diff --git a/src/patches/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch b/src/patches/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch deleted file mode 100644 index 16fd45c..0000000 --- a/src/patches/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001 -From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Tue, 23 Jun 2015 16:34:53 +0000 -Subject: [PATCH] Fix buffer overflow for forward reference within backward - assertion with excess closing parenthesis. Bugzilla 1651. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is upstream commit ported to 8.37: - -commit 764692f9aea9eab50fdba6cb537441d8b34c6c37 -Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Tue Jun 23 16:34:53 2015 +0000 - - Fix buffer overflow for forward reference within backward assertion with excess - closing parenthesis. Bugzilla 1651. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -It fixes CVE-2015-5073. - -Signed-off-by: Petr Písař <ppisar(a)redhat.com> ---- - pcre_compile.c | 2 +- - testdata/testinput2 | 2 ++ - testdata/testoutput2 | 3 +++ - 3 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index 6f06912..b66b1f6 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The - exceptional ones forgo this. We scan the pattern to check that they are fixed - length, and set their lengths. */ - --if (cd->check_lookbehind) -+if (errorcode == 0 && cd->check_lookbehind) - { - pcre_uchar *cc = (pcre_uchar *)codestart; - -diff --git a/testdata/testinput2 b/testdata/testinput2 -index 83bb471..5cc9ce6 100644 ---- a/testdata/testinput2 -+++ b/testdata/testinput2 -@@ -4154,4 +4154,6 @@ backtracking verbs. --/ - - "(?J)(?'d'(?'d'\g{d}))" - -+/(?=di(?<=(?1))|(?=(.))))/ -+ - /-- End of testinput2 --/ -diff --git a/testdata/testoutput2 b/testdata/testoutput2 -index 7dff52a..4decb8d 100644 ---- a/testdata/testoutput2 -+++ b/testdata/testoutput2 -@@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17 - - "(?J)(?'d'(?'d'\g{d}))" - -+/(?=di(?<=(?1))|(?=(.))))/ -+Failed: unmatched parentheses at offset 23 -+ - /-- End of testinput2 --/ --- -2.4.3 - diff --git a/src/patches/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch b/src/patches/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch deleted file mode 100644 index c97849f..0000000 --- a/src/patches/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001 -From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Fri, 15 May 2015 17:17:03 +0000 -Subject: [PATCH] Fix buffer overflow for named recursive back reference when - the name is duplicated. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Upstream commit ported to pcre-8.37: - -commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19 -Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Fri May 15 17:17:03 2015 +0000 - - Fix buffer overflow for named recursive back reference when the name is - duplicated. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -This fixes CVE-2015-3210. - -Signed-off-by: Petr Písař <ppisar(a)redhat.com> ---- - pcre_compile.c | 16 ++++++++++++++-- - testdata/testinput2 | 2 ++ - testdata/testoutput2 | 2 ++ - 3 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index 0efad26..6f06912 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -7173,14 +7173,26 @@ for (;; ptr++) - number. If the name is not found, set the value to 0 for a forward - reference. */ - -+ recno = 0; - ng = cd->named_groups; - for (i = 0; i < cd->names_found; i++, ng++) - { - if (namelen == ng->length && - STRNCMP_UC_UC(name, ng->name, namelen) == 0) -- break; -+ { -+ open_capitem *oc; -+ recno = ng->number; -+ if (is_recurse) break; -+ for (oc = cd->open_caps; oc != NULL; oc = oc->next) -+ { -+ if (oc->number == recno) -+ { -+ oc->flag = TRUE; -+ break; -+ } -+ } -+ } - } -- recno = (i < cd->names_found)? ng->number : 0; - - /* Count named back references. */ - -diff --git a/testdata/testinput2 b/testdata/testinput2 -index 58fe53b..83bb471 100644 ---- a/testdata/testinput2 -+++ b/testdata/testinput2 -@@ -4152,4 +4152,6 @@ backtracking verbs. --/ - - /((?2){73}(?2))((?1))/ - -+"(?J)(?'d'(?'d'\g{d}))" -+ - /-- End of testinput2 --/ -diff --git a/testdata/testoutput2 b/testdata/testoutput2 -index b718df0..7dff52a 100644 ---- a/testdata/testoutput2 -+++ b/testdata/testoutput2 -@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17 - - /((?2){73}(?2))((?1))/ - -+"(?J)(?'d'(?'d'\g{d}))" -+ - /-- End of testinput2 --/ --- -2.4.3 - diff --git a/src/patches/pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch b/src/patches/pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch deleted file mode 100644 index ab1b962..0000000 --- a/src/patches/pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch +++ /dev/null @@ -1,190 +0,0 @@ -From b3f0b0dd971314df8f865e221aa1a88e75d6d1a6 Mon Sep 17 00:00:00 2001 -From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Wed, 5 Aug 2015 15:38:32 +0000 -Subject: [PATCH] Fix buffer overflow for named references in (?| situations. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Ported for 8.37: - -commit 7af8e8717def179fd7b69e173abd347c1a3547cb -Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Wed Aug 5 15:38:32 2015 +0000 - - Fix buffer overflow for named references in (?| situations. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1585 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -Signed-off-by: Petr Písař <ppisar(a)redhat.com> ---- - pcre_compile.c | 74 ++++++++++++++++++++++++++++++---------------------- - pcre_internal.h | 1 + - testdata/testinput2 | 2 ++ - testdata/testoutput2 | 2 ++ - 4 files changed, 48 insertions(+), 31 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index f5d2384..5fe5c1d 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -6641,6 +6641,7 @@ for (;; ptr++) - /* ------------------------------------------------------------ */ - case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */ - reset_bracount = TRUE; -+ cd->dupgroups = TRUE; /* Record (?| encountered */ - /* Fall through */ - - /* ------------------------------------------------------------ */ -@@ -7151,7 +7152,8 @@ for (;; ptr++) - if (lengthptr != NULL) - { - named_group *ng; -- -+ recno = 0; -+ - if (namelen == 0) - { - *errorcodeptr = ERR62; -@@ -7168,32 +7170,6 @@ for (;; ptr++) - goto FAILED; - } - -- /* The name table does not exist in the first pass; instead we must -- scan the list of names encountered so far in order to get the -- number. If the name is not found, set the value to 0 for a forward -- reference. */ -- -- recno = 0; -- ng = cd->named_groups; -- for (i = 0; i < cd->names_found; i++, ng++) -- { -- if (namelen == ng->length && -- STRNCMP_UC_UC(name, ng->name, namelen) == 0) -- { -- open_capitem *oc; -- recno = ng->number; -- if (is_recurse) break; -- for (oc = cd->open_caps; oc != NULL; oc = oc->next) -- { -- if (oc->number == recno) -- { -- oc->flag = TRUE; -- break; -- } -- } -- } -- } -- - /* Count named back references. */ - - if (!is_recurse) cd->namedrefcount++; -@@ -7215,7 +7191,44 @@ for (;; ptr++) - issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance - only mode, we finesse the bug by allowing more memory always. */ - -- /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE; -+ *lengthptr += 2 + 2*LINK_SIZE; -+ -+ /* It is even worse than that. The current reference may be to an -+ existing named group with a different number (so apparently not -+ recursive) but which later on is also attached to a group with the -+ current number. This can only happen if $(| has been previous -+ encountered. In that case, we allow yet more memory, just in case. -+ (Again, this is fixed "properly" in PCRE2. */ -+ -+ if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE; -+ -+ /* Otherwise, check for recursion here. The name table does not exist -+ in the first pass; instead we must scan the list of names encountered -+ so far in order to get the number. If the name is not found, leave -+ the value of recno as 0 for a forward reference. */ -+ -+ else -+ { -+ ng = cd->named_groups; -+ for (i = 0; i < cd->names_found; i++, ng++) -+ { -+ if (namelen == ng->length && -+ STRNCMP_UC_UC(name, ng->name, namelen) == 0) -+ { -+ open_capitem *oc; -+ recno = ng->number; -+ if (is_recurse) break; -+ for (oc = cd->open_caps; oc != NULL; oc = oc->next) -+ { -+ if (oc->number == recno) -+ { -+ oc->flag = TRUE; -+ break; -+ } -+ } -+ } -+ } -+ } - } - - /* In the real compile, search the name table. We check the name -@@ -7262,8 +7275,6 @@ for (;; ptr++) - for (i++; i < cd->names_found; i++) - { - if (STRCMP_UC_UC(slot + IMM2_SIZE, cslot + IMM2_SIZE) != 0) break; -- -- - count++; - cslot += cd->name_entry_size; - } -@@ -9189,6 +9200,7 @@ cd->names_found = 0; - cd->name_entry_size = 0; - cd->name_table = NULL; - cd->dupnames = FALSE; -+cd->dupgroups = FALSE; - cd->namedrefcount = 0; - cd->start_code = cworkspace; - cd->hwm = cworkspace; -@@ -9223,7 +9235,7 @@ if (errorcode != 0) goto PCRE_EARLY_ERROR_RETURN; - - DPRINTF(("end pre-compile: length=%d workspace=%d\n", length, - (int)(cd->hwm - cworkspace))); -- -+ - if (length > MAX_PATTERN_SIZE) - { - errorcode = ERR20; -diff --git a/pcre_internal.h b/pcre_internal.h -index dd0ac7f..7ca6020 100644 ---- a/pcre_internal.h -+++ b/pcre_internal.h -@@ -2446,6 +2446,7 @@ typedef struct compile_data { - BOOL had_pruneorskip; /* (*PRUNE) or (*SKIP) encountered */ - BOOL check_lookbehind; /* Lookbehinds need later checking */ - BOOL dupnames; /* Duplicate names exist */ -+ BOOL dupgroups; /* Duplicate groups exist: (?| found */ - BOOL iscondassert; /* Next assert is a condition */ - int nltype; /* Newline type */ - int nllen; /* Newline string length */ -diff --git a/testdata/testinput2 b/testdata/testinput2 -index e12de3a..8e044f8 100644 ---- a/testdata/testinput2 -+++ b/testdata/testinput2 -@@ -4158,4 +4158,6 @@ backtracking verbs. --/ - - "(?J:(?|(?'R')(\k'R')|((?'R'))))" - -+/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ -+ - /-- End of testinput2 --/ -diff --git a/testdata/testoutput2 b/testdata/testoutput2 -index 5bad26c..6019425 100644 ---- a/testdata/testoutput2 -+++ b/testdata/testoutput2 -@@ -14430,4 +14430,6 @@ Failed: unmatched parentheses at offset 23 - - "(?J:(?|(?'R')(\k'R')|((?'R'))))" - -+/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ -+ - /-- End of testinput2 --/ --- -2.4.3 - diff --git a/src/patches/pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch b/src/patches/pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch deleted file mode 100644 index 837e86f..0000000 --- a/src/patches/pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 83ed574998fe7b844b98ab7cd56291068feb9e31 Mon Sep 17 00:00:00 2001 -From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Sat, 16 May 2015 11:05:40 +0000 -Subject: [PATCH] Fix named forward reference to duplicate group number - overflow bug. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Port to 8.37: - -commit 2fa78aa4e42bcebf2d616c4ee89c012f29dc3447 -Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> -Date: Sat May 16 11:05:40 2015 +0000 - - Fix named forward reference to duplicate group number overflow bug. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1559 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -Signed-off-by: Petr Písař <ppisar(a)redhat.com> ---- - pcre_compile.c | 24 ++++++++++++++++-------- - testdata/testinput1 | 3 +++ - testdata/testoutput1 | 5 +++++ - 3 files changed, 24 insertions(+), 8 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index b66b1f6..8b4aaef 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -7183,15 +7183,15 @@ for (;; ptr++) - open_capitem *oc; - recno = ng->number; - if (is_recurse) break; -- for (oc = cd->open_caps; oc != NULL; oc = oc->next) -- { -- if (oc->number == recno) -- { -- oc->flag = TRUE; -+ for (oc = cd->open_caps; oc != NULL; oc = oc->next) -+ { -+ if (oc->number == recno) -+ { -+ oc->flag = TRUE; - break; -- } -- } -- } -+ } -+ } -+ } - } - - /* Count named back references. */ -@@ -7203,6 +7203,14 @@ for (;; ptr++) - 16-bit data item. */ - - *lengthptr += IMM2_SIZE; -+ -+ /* If this is a forward reference and we are within a (?|...) group, -+ the reference may end up as the number of a group which we are -+ currently inside, that is, it could be a recursive reference. In the -+ real compile this will be picked up and the reference wrapped with -+ OP_ONCE to make it atomic, so we must space in case this occurs. */ -+ -+ if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE; - } - - /* In the real compile, search the name table. We check the name -diff --git a/testdata/testinput1 b/testdata/testinput1 -index 73c2f4d..8379ce0 100644 ---- a/testdata/testinput1 -+++ b/testdata/testinput1 -@@ -5730,4 +5730,7 @@ AbcdCBefgBhiBqz - "(?1)(?#?'){8}(a)" - baaaaaaaaac - -+"(?|(\k'Pm')|(?'Pm'))" -+ abcd -+ - /-- End of testinput1 --/ -diff --git a/testdata/testoutput1 b/testdata/testoutput1 -index 0a53fd0..e852ab9 100644 ---- a/testdata/testoutput1 -+++ b/testdata/testoutput1 -@@ -9429,4 +9429,9 @@ No match - 0: aaaaaaaaa - 1: a - -+"(?|(\k'Pm')|(?'Pm'))" -+ abcd -+ 0: -+ 1: -+ - /-- End of testinput1 --/ --- -2.4.3 - -- 2.4.4

3 5

[PATCH] dnsmasq: 2.76test10 with latest patches (001-004)
by Matthias Fischer 04 Mar '16

04 Mar '16

This is 'dnsmasq 2.76test10', based on current 'next', containing latest patches. Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/dnsmasq | 39 +- ...TL_parameter_to_--host-record_and_--cname.patch | 265 +++ ...01-include_0_0_0_0_8_in_DNS_rebind_checks.patch | 41 - .../dnsmasq/002-Add_--dhcp-ttl_option.patch | 117 ++ ...subnet_to_allow_arbitary_subnet_addresses.patch | 271 --- src/patches/dnsmasq/003-Update_CHANGELOG.patch | 17 + ...h_zones_locally_when_localise_queries_set.patch | 34 - .../dnsmasq/004-Add_--tftp-mtu_option.patch | 136 ++ .../004-fix_behaviour_of_empty_dhcp-option.patch | 38 - ...ution_to_ENOMEM_error_with_IPv6_multicast.patch | 50 - ...page_on_RDNSS_set_in_router_advertisement.patch | 35 - ...gned_dangling_CNAME_replies_to_DS_queries.patch | 30 - ...6_option_56_does_not_hold_an_address_list.patch | 25 - ...pect_the_--no_resolv_flag_in_inotify_code.patch | 47 - ..._5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch | 26 - ...11-Catch_errors_from_sendmsg_in_DHCP_code.patch | 32 - ...12-Update_list_of_subnet_for_--bogus-priv.patch | 48 - ...y_address_from_DNS_overlays_A_record_from.patch | 43 - ...14-Handle_unknown_DS_hash_algos_correctly.patch | 39 - .../015-Fix_crash_at_start_up_with_conf-dir.patch | 38 - ...ajor_rationalisation_of_DNSSEC_validation.patch | 2209 -------------------- ...hing_RRSIGs_and_returning_them_from_cache.patch | 612 ------ ...caches_DS_records_to_a_more_logical_place.patch | 269 --- ...lise_RR-filtering_code_for_use_with_EDNS0.patch | 755 ------- .../dnsmasq/020-DNSSEC_validation_tweak.patch | 134 -- ...1-Tweaks_to_EDNS0_handling_in_DNS_replies.patch | 133 -- ..._code_Check_zone_status_is_NSEC_proof_bad.patch | 409 ---- ...023-Fix_brace_botch_in_dnssec_validate_ds.patch | 98 - ...ning_which_DNSSEC_sig_algos_are_supported.patch | 145 -- ...EDNS0_handling_and_computation_use_of_udp.patch | 643 ------ ...aks_in_handling_unknown_DNSSEC_algorithms.patch | 262 --- ...obscure_off-by-one_in_DNSSEC_hostname_cmp.patch | 27 - .../028-Minor_tweak_to_previous_commit.patch | 39 - .../dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch | 39 - 34 files changed, 542 insertions(+), 6603 deletions(-) create mode 100644 src/patches/dnsmasq/001-Add_TTL_parameter_to_--host-record_and_--cname.patch delete mode 100644 src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch create mode 100644 src/patches/dnsmasq/002-Add_--dhcp-ttl_option.patch delete mode 100644 src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch create mode 100644 src/patches/dnsmasq/003-Update_CHANGELOG.patch delete mode 100644 src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch create mode 100644 src/patches/dnsmasq/004-Add_--tftp-mtu_option.patch delete mode 100644 src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch delete mode 100644 src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch delete mode 100644 src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch delete mode 100644 src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch delete mode 100644 src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch delete mode 100644 src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch delete mode 100644 src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch delete mode 100644 src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch delete mode 100644 src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch delete mode 100644 src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch delete mode 100644 src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch delete mode 100644 src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch delete mode 100644 src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch delete mode 100644 src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch delete mode 100644 src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch delete mode 100644 src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch delete mode 100644 src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch delete mode 100644 src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch delete mode 100644 src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch delete mode 100644 src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch delete mode 100644 src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch delete mode 100644 src/patches/dnsmasq/025-Major_tidy_up_of_EDNS0_handling_and_computation_use_of_udp.patch delete mode 100644 src/patches/dnsmasq/026-More_tweaks_in_handling_unknown_DNSSEC_algorithms.patch delete mode 100644 src/patches/dnsmasq/027-Nasty_rare_and_obscure_off-by-one_in_DNSSEC_hostname_cmp.patch delete mode 100644 src/patches/dnsmasq/028-Minor_tweak_to_previous_commit.patch delete mode 100644 src/patches/dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch diff --git a/lfs/dnsmasq b/lfs/dnsmasq index 8058663..29d7895 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2015 Michael Tremer & Christian Schmidt # +# Copyright (C) 2016 Michael Tremer & Christian Schmidt # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 2.75 +VER = 2.76test10 THISAPP = dnsmasq-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 887236f1ddde6eb57cdb9d01916c9f72 +$(DL_FILE)_MD5 = 4b51474ed6081b18c61407077f254cf7 install : $(TARGET) @@ -73,35 +73,10 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/025-Major_tidy_up_of_EDNS0_handling_and_computation_use_of_udp.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/026-More_tweaks_in_handling_unknown_DNSSEC_algorithms.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/027-Nasty_rare_and_obscure_off-by-one_in_DNSSEC_hostname_cmp.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/028-Minor_tweak_to_previous_commit.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Add_TTL_parameter_to_--host-record_and_--cname.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Add_--dhcp-ttl_option.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Update_CHANGELOG.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-Add_--tftp-mtu_option.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch cd $(DIR_APP) && sed -i src/config.h \ diff --git a/src/patches/dnsmasq/001-Add_TTL_parameter_to_--host-record_and_--cname.patch b/src/patches/dnsmasq/001-Add_TTL_parameter_to_--host-record_and_--cname.patch new file mode 100644 index 0000000..86fbc9c --- /dev/null +++ b/src/patches/dnsmasq/001-Add_TTL_parameter_to_--host-record_and_--cname.patch @@ -0,0 +1,265 @@ +From df3d54f776a3c9b60735b45c0b7fd88b66a2d5c4 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon(a)thekelleys.org.uk> +Date: Wed, 24 Feb 2016 21:03:38 +0000 +Subject: [PATCH] Add TTL parameter to --host-record and --cname. + +--- + man/dnsmasq.8 | 12 ++++++++++-- + src/cache.c | 7 +++++++ + src/dnsmasq.h | 2 ++ + src/option.c | 46 ++++++++++++++++++++++++++++++++++++++-------- + src/rfc1035.c | 6 +++++- + 5 files changed, 62 insertions(+), 11 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index b782eaf..7bc1394 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -529,7 +529,7 @@ zone files: the port, weight and priority numbers are in a different + order. More than one SRV record for a given service/domain is allowed, + all that match are returned. + .TP +-.B --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>] ++.B --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>] + Add A, AAAA and PTR records to the DNS. This adds one or more names to + the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may + appear in more than one +@@ -546,6 +546,10 @@ is in effect. Short and long names may appear in the same + .B host-record, + eg. + .B --host-record=laptop,laptop.thekelleys.org,192.168.0.1,1234::100 ++ ++If the time-to-live is given, it overrides the default, which is zero ++or the value of --local-ttl. The value is a positive integer and gives ++the time-to-live in seconds. + .TP + .B \-Y, --txt-record=<name>[[,<text>],<text>] + Return a TXT DNS record. The value of TXT record is a set of strings, +@@ -559,7 +563,7 @@ Return a PTR DNS record. + .B --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>] + Return an NAPTR DNS record, as specified in RFC3403. + .TP +-.B --cname=<cname>,<target> ++.B --cname=<cname>,<target>[,<TTL>] + Return a CNAME record which indicates that <cname> is really + <target>. There are significant limitations on the target; it must be a + DNS name which is known to dnsmasq from /etc/hosts (or additional +@@ -568,6 +572,10 @@ hosts files), from DHCP, from --interface-name or from another + If the target does not satisfy this + criteria, the whole cname is ignored. The cname must be unique, but it + is permissable to have more than one cname pointing to the same target. ++ ++If the time-to-live is given, it overrides the default, which is zero ++or the value of -local-ttl. The value is a positive integer and gives ++the time-to-live in seconds. + .TP + .B --dns-rr=<name>,<RR-number>,[<hex data>] + Return an arbitrary DNS Resource Record. The number is the type of the +diff --git a/src/cache.c b/src/cache.c +index a9eaa65..4ecd535 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -778,6 +778,7 @@ static void add_hosts_cname(struct crec *target) + (crec = whine_malloc(sizeof(struct crec)))) + { + crec->flags = F_FORWARD | F_IMMORTAL | F_NAMEP | F_CONFIG | F_CNAME; ++ crec->ttd = a->ttl; + crec->name.namep = a->alias; + crec->addr.cname.target.cache = target; + crec->addr.cname.uid = target->uid; +@@ -981,6 +982,7 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size, struct cr + strcat(cache->name.sname, "."); + strcat(cache->name.sname, domain_suffix); + cache->flags = flags; ++ cache->ttd = daemon->local_ttl; + add_hosts_entry(cache, &addr, addrlen, index, rhash, hashsz); + name_count++; + } +@@ -988,6 +990,7 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size, struct cr + { + strcpy(cache->name.sname, canon); + cache->flags = flags; ++ cache->ttd = daemon->local_ttl; + add_hosts_entry(cache, &addr, addrlen, index, rhash, hashsz); + name_count++; + } +@@ -1057,6 +1060,7 @@ void cache_reload(void) + ((cache = whine_malloc(sizeof(struct crec))))) + { + cache->flags = F_FORWARD | F_NAMEP | F_CNAME | F_IMMORTAL | F_CONFIG; ++ cache->ttd = a->ttl; + cache->name.namep = a->alias; + cache->addr.cname.target.int_name = intr; + cache->addr.cname.uid = SRC_INTERFACE; +@@ -1071,6 +1075,7 @@ void cache_reload(void) + (cache->addr.ds.keydata = blockdata_alloc(ds->digest, ds->digestlen))) + { + cache->flags = F_FORWARD | F_IMMORTAL | F_DS | F_CONFIG | F_NAMEP; ++ cache->ttd = daemon->local_ttl; + cache->name.namep = ds->name; + cache->addr.ds.keylen = ds->digestlen; + cache->addr.ds.algo = ds->algo; +@@ -1095,6 +1100,7 @@ void cache_reload(void) + (cache = whine_malloc(sizeof(struct crec)))) + { + cache->name.namep = nl->name; ++ cache->ttd = hr->ttl; + cache->flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV4 | F_NAMEP | F_CONFIG; + add_hosts_entry(cache, (struct all_addr *)&hr->addr, INADDRSZ, SRC_CONFIG, (struct crec **)daemon->packet, revhashsz); + } +@@ -1103,6 +1109,7 @@ void cache_reload(void) + (cache = whine_malloc(sizeof(struct crec)))) + { + cache->name.namep = nl->name; ++ cache->ttd = hr->ttl; + cache->flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV6 | F_NAMEP | F_CONFIG; + add_hosts_entry(cache, (struct all_addr *)&hr->addr6, IN6ADDRSZ, SRC_CONFIG, (struct crec **)daemon->packet, revhashsz); + } +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 6d1c5ae..6344df5 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -308,6 +308,7 @@ struct ptr_record { + }; + + struct cname { ++ int ttl; + char *alias, *target; + struct cname *next; + }; +@@ -344,6 +345,7 @@ struct auth_zone { + + + struct host_record { ++ int ttl; + struct name_list { + char *name; + struct name_list *next; +diff --git a/src/option.c b/src/option.c +index c98bdc9..7c5e6bc 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -448,20 +448,20 @@ static struct { + { LOPT_GEN_NAMES, ARG_DUP, "[=tag:<tag>]", gettext_noop("Generate hostnames based on MAC address for nameless clients."), NULL}, + { LOPT_PROXY, ARG_DUP, "[=<ipaddr>]...", gettext_noop("Use these DHCP relays as full proxies."), NULL }, + { LOPT_RELAY, ARG_DUP, "<local-addr>,<server>[,<interface>]", gettext_noop("Relay DHCP requests to a remote server"), NULL}, +- { LOPT_CNAME, ARG_DUP, "<alias>,<target>", gettext_noop("Specify alias name for LOCAL DNS name."), NULL }, ++ { LOPT_CNAME, ARG_DUP, "<alias>,<target>[,<ttl>]", gettext_noop("Specify alias name for LOCAL DNS name."), NULL }, + { LOPT_PXE_PROMT, ARG_DUP, "<prompt>,[<timeout>]", gettext_noop("Prompt to send to PXE clients."), NULL }, + { LOPT_PXE_SERV, ARG_DUP, "<service>", gettext_noop("Boot service for PXE menu."), NULL }, + { LOPT_TEST, 0, NULL, gettext_noop("Check configuration syntax."), NULL }, + { LOPT_ADD_MAC, ARG_DUP, "[=base64|text]", gettext_noop("Add requestor's MAC address to forwarded DNS queries."), NULL }, + { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add specified IP subnet to forwarded DNS queries."), NULL }, +- { LOPT_CPE_ID, ARG_ONE, "<text>", gettext_noop("Add client identification to forwarded DNS queries."), NULL }, ++ { LOPT_CPE_ID, ARG_ONE, "<text>", gettext_noop("Add client identification to forwarded DNS queries."), NULL }, + { LOPT_DNSSEC, OPT_DNSSEC_PROXY, NULL, gettext_noop("Proxy DNSSEC validation results from upstream nameservers."), NULL }, + { LOPT_INCR_ADDR, OPT_CONSEC_ADDR, NULL, gettext_noop("Attempt to allocate sequential IP addresses to DHCP clients."), NULL }, + { LOPT_CONNTRACK, OPT_CONNTRACK, NULL, gettext_noop("Copy connection-track mark from queries to upstream connections."), NULL }, + { LOPT_FQDN, OPT_FQDN_UPDATE, NULL, gettext_noop("Allow DHCP clients to do their own DDNS updates."), NULL }, + { LOPT_RA, OPT_RA, NULL, gettext_noop("Send router-advertisements for interfaces doing DHCPv6"), NULL }, + { LOPT_DUID, ARG_ONE, "<enterprise>,<duid>", gettext_noop("Specify DUID_EN-type DHCPv6 server DUID"), NULL }, +- { LOPT_HOST_REC, ARG_DUP, "<name>,<address>", gettext_noop("Specify host (A/AAAA and PTR) records"), NULL }, ++ { LOPT_HOST_REC, ARG_DUP, "<name>,<address>[,<ttl>]", gettext_noop("Specify host (A/AAAA and PTR) records"), NULL }, + { LOPT_RR, ARG_DUP, "<name>,<RR-number>,[<data>]", gettext_noop("Specify arbitrary DNS resource record"), NULL }, + { LOPT_CLVERBIND, OPT_CLEVERBIND, NULL, gettext_noop("Bind to interfaces in use - check for new interfaces"), NULL }, + { LOPT_AUTHSERV, ARG_ONE, "<NS>,<interface>", gettext_noop("Export local names to global DNS"), NULL }, +@@ -3692,12 +3692,15 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + case LOPT_CNAME: /* --cname */ + { + struct cname *new; +- char *alias; +- char *target; ++ char *alias, *target, *ttls; ++ int ttl = -1; + + if (!(comma = split(arg))) + ret_err(gen_err); + ++ if ((ttls = split(comma)) && !atoi_check(ttls, &ttl)) ++ ret_err(_("bad TTL")); ++ + alias = canonicalise_opt(arg); + target = canonicalise_opt(comma); + +@@ -3713,6 +3716,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + daemon->cnames = new; + new->alias = alias; + new->target = target; ++ new->ttl = ttl; + } + + break; +@@ -3913,14 +3917,22 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + { + struct host_record *new = opt_malloc(sizeof(struct host_record)); + memset(new, 0, sizeof(struct host_record)); +- ++ new->ttl = -1; ++ + if (!arg || !(comma = split(arg))) + ret_err(_("Bad host-record")); + + while (arg) + { + struct all_addr addr; +- if (inet_pton(AF_INET, arg, &addr)) ++ char *dig; ++ ++ for (dig = arg; *dig != 0; dig++) ++ if (*dig < '0' || *dig > '9') ++ break; ++ if (*dig == 0) ++ new->ttl = atoi(arg); ++ else if (inet_pton(AF_INET, arg, &addr)) + new->addr = addr.addr.addr4; + #ifdef HAVE_IPV6 + else if (inet_pton(AF_INET6, arg, &addr)) +@@ -4601,7 +4613,25 @@ void read_opts(int argc, char **argv, char *compile_opts) + } + } + } +- ++ ++ if (daemon->host_records) ++ { ++ struct host_record *hr; ++ ++ for (hr = daemon->host_records; hr; hr = hr->next) ++ if (hr->ttl == -1) ++ hr->ttl = daemon->local_ttl; ++ } ++ ++ if (daemon->cnames) ++ { ++ struct cname *cn; ++ ++ for (cn = daemon->cnames; cn; cn = cn->next) ++ if (cn->ttl == -1) ++ cn->ttl = daemon->local_ttl; ++ } ++ + if (daemon->if_addrs) + { + struct iname *tmp; +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 9c0ddb5..3535a71 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1169,9 +1169,13 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now) + /* Return 0 ttl for DHCP entries, which might change + before the lease expires. */ + +- if (crecp->flags & (F_IMMORTAL | F_DHCP)) ++ if (crecp->flags & F_DHCP) + return daemon->local_ttl; + ++ /* Immortal entries other than DHCP are local, and hold TTL in TTD field. */ ++ if (crecp->flags & F_IMMORTAL) ++ return crecp->ttd; ++ + /* Return the Max TTL value if it is lower then the actual TTL */ + if (daemon->max_ttl == 0 || ((unsigned)(crecp->ttd - now) < daemon->max_ttl)) + return crecp->ttd - now; +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch b/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch deleted file mode 100644 index 8a2557a..0000000 --- a/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch +++ /dev/null @@ -1,41 +0,0 @@ -From d2aa7dfbb6d1088dcbea9fecc61b9293b320eb95 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Mon, 3 Aug 2015 21:52:12 +0100 -Subject: [PATCH] Include 0.0.0.0/8 in DNS rebind checks. - ---- - CHANGELOG | 7 +++++++ - src/rfc1035.c | 3 ++- - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 901da47..3f4026d 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -1,3 +1,10 @@ -+version 2.76 -+ Include 0.0.0.0/8 in DNS rebind checks. This range -+ translates to hosts on the local network, or, at -+ least, 0.0.0.0 accesses the local host, so could -+ be targets for DNS rebinding. See RFC 5735 section 3 -+ for details. Thanks to Stephen RÃ¶ttger for the bug report. -+ - version 2.75 - Fix reversion on 2.74 which caused 100% CPU use when a - dhcp-script is configured. Thanks to Adrian Davey for -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 56647b0..29e9e65 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost) - in_addr_t ip_addr = ntohl(addr.s_addr); - - return -- (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || -+ (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || -+ ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ || - ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || - ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ || - ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ || --- -1.7.10.4 diff --git a/src/patches/dnsmasq/002-Add_--dhcp-ttl_option.patch b/src/patches/dnsmasq/002-Add_--dhcp-ttl_option.patch new file mode 100644 index 0000000..45e3b9b --- /dev/null +++ b/src/patches/dnsmasq/002-Add_--dhcp-ttl_option.patch @@ -0,0 +1,117 @@ +From 832e47beab95c2918b5264f0504f2fe6fe523e4c Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon(a)thekelleys.org.uk> +Date: Wed, 24 Feb 2016 21:24:45 +0000 +Subject: [PATCH] Add --dhcp-ttl option. + +--- + man/dnsmasq.8 | 5 ++++- + src/dnsmasq.h | 2 +- + src/option.c | 13 +++++++++++-- + src/rfc1035.c | 2 +- + 4 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index 7bc1394..2bcce20 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -60,7 +60,7 @@ in the same way as for DHCP-derived names. Note that this does not + apply to domain names in cnames, PTR records, TXT records etc. + .TP + .B \-T, --local-ttl=<time> +-When replying with information from /etc/hosts or the DHCP leases ++When replying with information from /etc/hosts or configuration or the DHCP leases + file dnsmasq by default sets the time-to-live field to zero, meaning + that the requester should not itself cache the information. This is + the correct thing to do in almost all situations. This option allows a +@@ -68,6 +68,9 @@ time-to-live (in seconds) to be given for these replies. This will + reduce the load on the server at the expense of clients using stale + data under some circumstances. + .TP ++.B --dhcp-ttl=<time> ++As for --local-ttl, but affects only replies with information from DHCP leases. If both are given, --dhcp-ttl applies for DHCP information, and --local-ttl for others. Setting this to zero eliminates the effect of --local-ttl for DHCP. ++.TP + .B --neg-ttl=<time> + Negative replies from upstream servers normally contain time-to-live + information in SOA records which dnsmasq uses for caching. If the +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 6344df5..9f73c3b 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -955,7 +955,7 @@ extern struct daemon { + int max_logs; /* queue limit */ + int cachesize, ftabsize; + int port, query_port, min_port, max_port; +- unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl; ++ unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl; + char *dns_client_id; + struct hostsfile *addn_hosts; + struct dhcp_context *dhcp, *dhcp6; +diff --git a/src/option.c b/src/option.c +index 7c5e6bc..3f6d162 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -157,6 +157,7 @@ struct myoption { + #define LOPT_MAXPORT 345 + #define LOPT_CPE_ID 346 + #define LOPT_SCRIPT_ARP 347 ++#define LOPT_DHCPTTL 348 + + #ifdef HAVE_GETOPT_LONG + static const struct option opts[] = +@@ -319,6 +320,7 @@ static const struct myoption opts[] = + { "quiet-ra", 0, 0, LOPT_QUIET_RA }, + { "dns-loop-detect", 0, 0, LOPT_LOOP_DETECT }, + { "script-arp", 0, 0, LOPT_SCRIPT_ARP }, ++ { "dhcp-ttl", 1, 0 , LOPT_DHCPTTL }, + { NULL, 0, 0, 0 } + }; + +@@ -485,9 +487,10 @@ static struct { + { LOPT_QUIET_DHCP, OPT_QUIET_DHCP, NULL, gettext_noop("Do not log routine DHCP."), NULL }, + { LOPT_QUIET_DHCP6, OPT_QUIET_DHCP6, NULL, gettext_noop("Do not log routine DHCPv6."), NULL }, + { LOPT_QUIET_RA, OPT_QUIET_RA, NULL, gettext_noop("Do not log RA."), NULL }, +- { LOPT_LOCAL_SERVICE, OPT_LOCAL_SERVICE, NULL, gettext_noop("Accept queries only from directly-connected networks"), NULL }, +- { LOPT_LOOP_DETECT, OPT_LOOP_DETECT, NULL, gettext_noop("Detect and remove DNS forwarding loops"), NULL }, ++ { LOPT_LOCAL_SERVICE, OPT_LOCAL_SERVICE, NULL, gettext_noop("Accept queries only from directly-connected networks."), NULL }, ++ { LOPT_LOOP_DETECT, OPT_LOOP_DETECT, NULL, gettext_noop("Detect and remove DNS forwarding loops."), NULL }, + { LOPT_IGNORE_ADDR, ARG_DUP, "<ipaddr>", gettext_noop("Ignore DNS responses containing ipaddr."), NULL }, ++ { LOPT_DHCPTTL, ARG_ONE, "<ttl>", gettext_noop("Set TTL in DNS responses with DHCP-derived addresses."), NULL }, + { 0, 0, NULL, NULL, NULL } + }; + +@@ -2580,6 +2583,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + case LOPT_MINCTTL: /* --min-cache-ttl */ + case LOPT_MAXCTTL: /* --max-cache-ttl */ + case LOPT_AUTHTTL: /* --auth-ttl */ ++ case LOPT_DHCPTTL: /* --dhcp-ttl */ + { + int ttl; + if (!atoi_check(arg, &ttl)) +@@ -2598,6 +2602,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + daemon->max_cache_ttl = (unsigned long)ttl; + else if (option == LOPT_AUTHTTL) + daemon->auth_ttl = (unsigned long)ttl; ++ else if (option == LOPT_DHCPTTL) ++ { ++ daemon->dhcp_ttl = (unsigned long)ttl; ++ daemon->use_dhcp_ttl = 1; ++ } + else + daemon->local_ttl = (unsigned long)ttl; + break; +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 3535a71..8f1e3b4 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1170,7 +1170,7 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now) + before the lease expires. */ + + if (crecp->flags & F_DHCP) +- return daemon->local_ttl; ++ return daemon->use_dhcp_ttl ? daemon->dhcp_ttl : daemon->local_ttl; + + /* Immortal entries other than DHCP are local, and hold TTL in TTD field. */ + if (crecp->flags & F_IMMORTAL) +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch b/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch deleted file mode 100644 index 2d3d6e4..0000000 --- a/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch +++ /dev/null @@ -1,271 +0,0 @@ -From a7369bef8abd241c3d85633fa9c870943f091e76 Mon Sep 17 00:00:00 2001 -From: Ed Bardsley <ebardsley(a)google.com> -Date: Wed, 5 Aug 2015 21:17:18 +0100 -Subject: [PATCH] Enhance --add-subnet to allow arbitary subnet addresses. - ---- - CHANGELOG | 4 ++++ - man/dnsmasq.8 | 32 ++++++++++++++++++++----------- - src/dnsmasq.h | 13 ++++++++++--- - src/option.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++----- - src/rfc1035.c | 39 +++++++++++++++++++++++++++++++------- - 5 files changed, 121 insertions(+), 26 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 3f4026d..bbc2834 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -4,6 +4,10 @@ version 2.76 - least, 0.0.0.0 accesses the local host, so could - be targets for DNS rebinding. See RFC 5735 section 3 - for details. Thanks to Stephen RÃ¶ttger for the bug report. -+ -+ Enhance --add-subnet to allow arbitrary subnet addresses. -+ Thanks to Ed Barsley for the patch. -+ - - version 2.75 - Fix reversion on 2.74 which caused 100% CPU use when a -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index c8913b5..a23c898 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -604,17 +604,27 @@ experimental. Also note that exposing MAC addresses in this way may - have security and privacy implications. The warning about caching - given for --add-subnet applies to --add-mac too. - .TP --.B --add-subnet[[=<IPv4 prefix length>],<IPv6 prefix length>] --Add the subnet address of the requestor to the DNS queries which are --forwarded upstream. The amount of the address forwarded depends on the --prefix length parameter: 32 (128 for IPv6) forwards the whole address, --zero forwards none of it but still marks the request so that no --upstream nameserver will add client address information either. The --default is zero for both IPv4 and IPv6. Note that upstream nameservers --may be configured to return different results based on this --information, but the dnsmasq cache does not take account. If a dnsmasq --instance is configured such that different results may be encountered, --caching should be disabled. -+.B --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]] -+Add a subnet address to the DNS queries which are forwarded -+upstream. If an address is specified in the flag, it will be used, -+otherwise, the address of the requestor will be used. The amount of -+the address forwarded depends on the prefix length parameter: 32 (128 -+for IPv6) forwards the whole address, zero forwards none of it but -+still marks the request so that no upstream nameserver will add client -+address information either. The default is zero for both IPv4 and -+IPv6. Note that upstream nameservers may be configured to return -+different results based on this information, but the dnsmasq cache -+does not take account. If a dnsmasq instance is configured such that -+different results may be encountered, caching should be disabled. -+ -+For example, -+.B --add-subnet=24,96 -+will add the /24 and /96 subnets of the requestor for IPv4 and IPv6 requestors, respectively. -+.B --add-subnet=1.2.3.4/24 -+will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors. -+.B --add-subnet=1.2.3.4/24,1.2.3.4/24 -+will add 1.2.3.0/24 for both IPv4 and IPv6 requestors. -+ - .TP - .B \-c, --cache-size=<cachesize> - Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index cf1a782..f42acdb 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -541,6 +541,13 @@ struct iname { - struct iname *next; - }; - -+/* subnet parameters from command line */ -+struct mysubnet { -+ union mysockaddr addr; -+ int addr_used; -+ int mask; -+}; -+ - /* resolv-file parms from command-line */ - struct resolvc { - struct resolvc *next; -@@ -935,9 +942,9 @@ extern struct daemon { - struct auth_zone *auth_zones; - struct interface_name *int_names; - char *mxtarget; -- int addr4_netmask; -- int addr6_netmask; -- char *lease_file; -+ struct mysubnet *add_subnet4; -+ struct mysubnet *add_subnet6; -+ char *lease_file; - char *username, *groupname, *scriptuser; - char *luascript; - char *authserver, *hostmaster; -diff --git a/src/option.c b/src/option.c -index ecc2619..746cd11 100644 ---- a/src/option.c -+++ b/src/option.c -@@ -445,7 +445,7 @@ static struct { - { LOPT_PXE_SERV, ARG_DUP, "<service>", gettext_noop("Boot service for PXE menu."), NULL }, - { LOPT_TEST, 0, NULL, gettext_noop("Check configuration syntax."), NULL }, - { LOPT_ADD_MAC, OPT_ADD_MAC, NULL, gettext_noop("Add requestor's MAC address to forwarded DNS queries."), NULL }, -- { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add requestor's IP subnet to forwarded DNS queries."), NULL }, -+ { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add specified IP subnet to forwarded DNS queries."), NULL }, - { LOPT_DNSSEC, OPT_DNSSEC_PROXY, NULL, gettext_noop("Proxy DNSSEC validation results from upstream nameservers."), NULL }, - { LOPT_INCR_ADDR, OPT_CONSEC_ADDR, NULL, gettext_noop("Attempt to allocate sequential IP addresses to DHCP clients."), NULL }, - { LOPT_CONNTRACK, OPT_CONNTRACK, NULL, gettext_noop("Copy connection-track mark from queries to upstream connections."), NULL }, -@@ -722,6 +722,20 @@ static void do_usage(void) - - #define ret_err(x) do { strcpy(errstr, (x)); return 0; } while (0) - -+static char *parse_mysockaddr(char *arg, union mysockaddr *addr) -+{ -+ if (inet_pton(AF_INET, arg, &addr->in.sin_addr) > 0) -+ addr->sa.sa_family = AF_INET; -+#ifdef HAVE_IPV6 -+ else if (inet_pton(AF_INET6, arg, &addr->in6.sin6_addr) > 0) -+ addr->sa.sa_family = AF_INET6; -+#endif -+ else -+ return _("bad address"); -+ -+ return NULL; -+} -+ - char *parse_server(char *arg, union mysockaddr *addr, union mysockaddr *source_addr, char *interface, int *flags) - { - int source_port = 0, serv_port = NAMESERVER_PORT; -@@ -1585,7 +1599,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - li = match_suffix->next; - free(match_suffix->suffix); - free(match_suffix); -- } -+ } - break; - } - -@@ -1593,10 +1607,45 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - set_option_bool(OPT_CLIENT_SUBNET); - if (arg) - { -+ char *err, *end; - comma = split(arg); -- if (!atoi_check(arg, &daemon->addr4_netmask) || -- (comma && !atoi_check(comma, &daemon->addr6_netmask))) -- ret_err(gen_err); -+ -+ struct mysubnet* new = opt_malloc(sizeof(struct mysubnet)); -+ if ((end = split_chr(arg, '/'))) -+ { -+ /* has subnet+len */ -+ err = parse_mysockaddr(arg, &new->addr); -+ if (err) -+ ret_err(err); -+ if (!atoi_check(end, &new->mask)) -+ ret_err(gen_err); -+ new->addr_used = 1; -+ } -+ else if (!atoi_check(arg, &new->mask)) -+ ret_err(gen_err); -+ -+ daemon->add_subnet4 = new; -+ -+ new = opt_malloc(sizeof(struct mysubnet)); -+ if (comma) -+ { -+ if ((end = split_chr(comma, '/'))) -+ { -+ /* has subnet+len */ -+ err = parse_mysockaddr(comma, &new->addr); -+ if (err) -+ ret_err(err); -+ if (!atoi_check(end, &new->mask)) -+ ret_err(gen_err); -+ new->addr_used = 1; -+ } -+ else -+ { -+ if (!atoi_check(comma, &new->mask)) -+ ret_err(gen_err); -+ } -+ } -+ daemon->add_subnet6 = new; - } - break; - -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 29e9e65..6a51b30 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -629,26 +629,47 @@ struct subnet_opt { - #endif - }; - -+static void *get_addrp(union mysockaddr *addr, const short family) -+{ -+#ifdef HAVE_IPV6 -+ if (family == AF_INET6) -+ return &addr->in6.sin6_addr; -+#endif -+ -+ return &addr->in.sin_addr; -+} -+ - static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source) - { - /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */ - - int len; - void *addrp; -+ int sa_family = source->sa.sa_family; - - #ifdef HAVE_IPV6 - if (source->sa.sa_family == AF_INET6) - { -- opt->family = htons(2); -- opt->source_netmask = daemon->addr6_netmask; -- addrp = &source->in6.sin6_addr; -+ opt->source_netmask = daemon->add_subnet6->mask; -+ if (daemon->add_subnet6->addr_used) -+ { -+ sa_family = daemon->add_subnet6->addr.sa.sa_family; -+ addrp = get_addrp(&daemon->add_subnet6->addr, sa_family); -+ } -+ else -+ addrp = &source->in6.sin6_addr; - } - else - #endif - { -- opt->family = htons(1); -- opt->source_netmask = daemon->addr4_netmask; -- addrp = &source->in.sin_addr; -+ opt->source_netmask = daemon->add_subnet4->mask; -+ if (daemon->add_subnet4->addr_used) -+ { -+ sa_family = daemon->add_subnet4->addr.sa.sa_family; -+ addrp = get_addrp(&daemon->add_subnet4->addr, sa_family); -+ } -+ else -+ addrp = &source->in.sin_addr; - } - - opt->scope_netmask = 0; -@@ -656,6 +677,11 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source) - - if (opt->source_netmask != 0) - { -+#ifdef HAVE_IPV6 -+ opt->family = htons(sa_family == AF_INET6 ? 2 : 1); -+#else -+ opt->family = htons(1); -+#endif - len = ((opt->source_netmask - 1) >> 3) + 1; - memcpy(opt->addr, addrp, len); - if (opt->source_netmask & 7) -@@ -2335,4 +2361,3 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - - return len; - } -- --- -1.7.10.4 diff --git a/src/patches/dnsmasq/003-Update_CHANGELOG.patch b/src/patches/dnsmasq/003-Update_CHANGELOG.patch new file mode 100644 index 0000000..f04f943 --- /dev/null +++ b/src/patches/dnsmasq/003-Update_CHANGELOG.patch @@ -0,0 +1,17 @@ +X-Git-Url: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blobdiff_plain;f=CHANGELOG… + +diff --git a/CHANGELOG b/CHANGELOG +index 14354f2..6d9ba49 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -48,6 +48,10 @@ version 2.76 + (ie xx::0 to xx::ffff:ffff:ffff:ffff) + Thanks to Laurent Bendel for spotting this problem. + ++ Add support for a TTL parameter in --host-record and ++ --cname. ++ ++ Add --dhcp-ttl option. + + version 2.75 + Fix reversion on 2.74 which caused 100% CPU use when a diff --git a/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch b/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch deleted file mode 100644 index cfbcdfb..0000000 --- a/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 3a3965ac21b1b759eab8799b6edb09195b671306 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Sun, 9 Aug 2015 17:45:06 +0100 -Subject: [PATCH] Don't answer non-auth queries for auth zones locally when - --localise-queries set. - ---- - src/forward.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/forward.c b/src/forward.c -index 2731b90..b76a974 100644 ---- a/src/forward.c -+++ b/src/forward.c -@@ -1365,7 +1365,7 @@ void receive_query(struct listener *listen, time_t now) - - #ifdef HAVE_AUTH - /* find queries for zones we're authoritative for, and answer them directly */ -- if (!auth_dns) -+ if (!auth_dns && !option_bool(OPT_LOCALISE)) - for (zone = daemon->auth_zones; zone; zone = zone->next) - if (in_zone(zone, daemon->namebuff, NULL)) - { -@@ -1904,7 +1904,7 @@ unsigned char *tcp_request(int confd, time_t now, - - #ifdef HAVE_AUTH - /* find queries for zones we're authoritative for, and answer them directly */ -- if (!auth_dns) -+ if (!auth_dns && !option_bool(OPT_LOCALISE)) - for (zone = daemon->auth_zones; zone; zone = zone->next) - if (in_zone(zone, daemon->namebuff, NULL)) - { --- -1.7.10.4 diff --git a/src/patches/dnsmasq/004-Add_--tftp-mtu_option.patch b/src/patches/dnsmasq/004-Add_--tftp-mtu_option.patch new file mode 100644 index 0000000..c06705a --- /dev/null +++ b/src/patches/dnsmasq/004-Add_--tftp-mtu_option.patch @@ -0,0 +1,136 @@ +From bec366b4041df72b559e713f1c924177676e6eb0 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon(a)thekelleys.org.uk> +Date: Wed, 24 Feb 2016 22:03:26 +0000 +Subject: [PATCH] Add --tftp-mtu option. + +--- + CHANGELOG | 4 ++++ + man/dnsmasq.8 | 4 ++++ + src/dnsmasq.h | 2 +- + src/option.c | 10 +++++++++- + src/tftp.c | 14 ++++++++++++-- + 5 files changed, 30 insertions(+), 4 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 6d9ba49..9218b8c 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -53,6 +53,10 @@ version 2.76 + + Add --dhcp-ttl option. + ++ Add --tftp-mtu option. Thanks to Patrick McLean for the ++ initial patch. ++ ++ + version 2.75 + Fix reversion on 2.74 which caused 100% CPU use when a + dhcp-script is configured. Thanks to Adrian Davey for +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index 2bcce20..3cf48cd 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -1810,6 +1810,10 @@ require about (2*n) + 10 descriptors. If + .B --tftp-port-range + is given, that can affect the number of concurrent connections. + .TP ++.B --tftp-mtu=<mtu size> ++Use size as the ceiling of the MTU supported by the intervening network when ++negotiating TFTP blocksize, overriding the MTU setting of the local interface if it is larger. ++.TP + .B --tftp-no-blocksize + Stop the TFTP server from negotiating the "blocksize" option with a + client. Some buggy clients request this option but then behave badly +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 9f73c3b..280ad9d 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -975,7 +975,7 @@ extern struct daemon { + struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names, *dhcp_gen_names; + struct dhcp_netid_list *force_broadcast, *bootp_dynamic; + struct hostsfile *dhcp_hosts_file, *dhcp_opts_file, *dynamic_dirs; +- int dhcp_max, tftp_max; ++ int dhcp_max, tftp_max, tftp_mtu; + int dhcp_server_port, dhcp_client_port; + int start_tftp_port, end_tftp_port; + unsigned int min_leasetime; +diff --git a/src/option.c b/src/option.c +index 3f6d162..765965f 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -158,7 +158,8 @@ struct myoption { + #define LOPT_CPE_ID 346 + #define LOPT_SCRIPT_ARP 347 + #define LOPT_DHCPTTL 348 +- ++#define LOPT_TFTP_MTU 349 ++ + #ifdef HAVE_GETOPT_LONG + static const struct option opts[] = + #else +@@ -244,6 +245,7 @@ static const struct myoption opts[] = + { "tftp-unique-root", 0, 0, LOPT_APREF }, + { "tftp-root", 1, 0, LOPT_PREFIX }, + { "tftp-max", 1, 0, LOPT_TFTP_MAX }, ++ { "tftp-mtu", 1, 0, LOPT_TFTP_MTU }, + { "tftp-lowercase", 0, 0, LOPT_TFTP_LC }, + { "ptr-record", 1, 0, LOPT_PTR }, + { "naptr-record", 1, 0, LOPT_NAPTR }, +@@ -432,6 +434,7 @@ static struct { + { LOPT_SECURE, OPT_TFTP_SECURE, NULL, gettext_noop("Allow access only to files owned by the user running dnsmasq."), NULL }, + { LOPT_TFTP_NO_FAIL, OPT_TFTP_NO_FAIL, NULL, gettext_noop("Do not terminate the service if TFTP directories are inaccessible."), NULL }, + { LOPT_TFTP_MAX, ARG_ONE, "<integer>", gettext_noop("Maximum number of conncurrent TFTP transfers (defaults to %s)."), "#" }, ++ { LOPT_TFTP_MTU, ARG_ONE, "<integer>", gettext_noop("Maximum MTU to use for TFTP transfers."), NULL }, + { LOPT_NOBLOCK, OPT_TFTP_NOBLOCK, NULL, gettext_noop("Disable the TFTP blocksize extension."), NULL }, + { LOPT_TFTP_LC, OPT_TFTP_LC, NULL, gettext_noop("Convert TFTP filenames to lowercase"), NULL }, + { LOPT_TFTPPORTS, ARG_ONE, "<start>,<end>", gettext_noop("Ephemeral port range for use by TFTP transfers."), NULL }, +@@ -2625,6 +2628,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + ret_err(gen_err); + break; + ++ case LOPT_TFTP_MTU: /* --tftp-mtu */ ++ if (!atoi_check(arg, &daemon->tftp_mtu)) ++ ret_err(gen_err); ++ break; ++ + case LOPT_PREFIX: /* --tftp-prefix */ + comma = split(arg); + if (comma) +diff --git a/src/tftp.c b/src/tftp.c +index 00ed2fc..dc4aa85 100644 +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -103,8 +103,10 @@ void tftp_request(struct listener *listen, time_t now) + if (listen->iface) + { + addr = listen->iface->addr; +- mtu = listen->iface->mtu; + name = listen->iface->name; ++ mtu = listen->iface->mtu; ++ if (daemon->tftp_mtu != 0 && daemon->tftp_mtu < mtu) ++ mtu = daemon->tftp_mtu; + } + else + { +@@ -234,9 +236,17 @@ void tftp_request(struct listener *listen, time_t now) + + strncpy(ifr.ifr_name, name, IF_NAMESIZE); + if (ioctl(listen->tftpfd, SIOCGIFMTU, &ifr) != -1) +- mtu = ifr.ifr_mtu; ++ { ++ mtu = ifr.ifr_mtu; ++ if (daemon->tftp_mtu != 0 && daemon->tftp_mtu < mtu) ++ mtu = daemon->tftp_mtu; ++ } + } + ++ /* Failed to get interface mtu - can use configured value. */ ++ if (mtu == 0) ++ mtu = daemon->tftp_mtu; ++ + if (name) + { + /* check for per-interface prefix */ +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch b/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch deleted file mode 100644 index 492ada9..0000000 --- a/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 5e3e464ac4022ee0b3794513abe510817e2cf3ca Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Tue, 25 Aug 2015 23:08:39 +0100 -Subject: [PATCH] Fix behaviour of empty dhcp-option=option6:dns-server, which - should inhibit sending option. - ---- - src/rfc3315.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/src/rfc3315.c b/src/rfc3315.c -index 2665d0d..3f1f9ee 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -1320,15 +1320,16 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh) - - if (opt_cfg->opt == OPTION6_REFRESH_TIME) - done_refresh = 1; -+ -+ if (opt_cfg->opt == OPTION6_DNS_SERVER) -+ done_dns = 1; - -- if (opt_cfg->flags & DHOPT_ADDR6) -+ /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */ -+ if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER) - { - int len, j; - struct in6_addr *a; - -- if (opt_cfg->opt == OPTION6_DNS_SERVER) -- done_dns = 1; -- - for (a = (struct in6_addr *)opt_cfg->val, len = opt_cfg->len, j = 0; - j < opt_cfg->len; j += IN6ADDRSZ, a++) - if ((IN6_IS_ADDR_ULA_ZERO(a) && IN6_IS_ADDR_UNSPECIFIED(state->ula_addr)) || --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch b/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch deleted file mode 100644 index c7cee60..0000000 --- a/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 9cdcfe9f19ffd45bac4e5b459879bf7c50a287ed Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Wed, 26 Aug 2015 22:38:08 +0100 -Subject: [PATCH] Suggest solution to ENOMEM error with IPv6 multicast. - ---- - src/network.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/src/network.c b/src/network.c -index a1d90c8..819302f 100644 ---- a/src/network.c -+++ b/src/network.c -@@ -1076,23 +1076,30 @@ void join_multicast(int dienow) - - if ((daemon->doing_dhcp6 || daemon->relay6) && - setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1) -- err = 1; -+ err = errno; - - inet_pton(AF_INET6, ALL_SERVERS, &mreq.ipv6mr_multiaddr); - - if (daemon->doing_dhcp6 && - setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1) -- err = 1; -+ err = errno; - - inet_pton(AF_INET6, ALL_ROUTERS, &mreq.ipv6mr_multiaddr); - - if (daemon->doing_ra && - setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1) -- err = 1; -+ err = errno; - - if (err) - { - char *s = _("interface %s failed to join DHCPv6 multicast group: %s"); -+ errno = err; -+ -+#ifdef HAVE_LINUX_NETWORK -+ if (errno == ENOMEM) -+ my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max")); -+#endif -+ - if (dienow) - die(s, iface->name, EC_BADNET); - else --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch b/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch deleted file mode 100644 index 19c76e6..0000000 --- a/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 20fd11e11a9d09edcea94de135396ae1541fbbab Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Wed, 26 Aug 2015 22:48:13 +0100 -Subject: [PATCH] Clarify man page on RDNSS set in router advertisement. - ---- - man/dnsmasq.8 | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index a23c898..d51b10f 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -1687,15 +1687,15 @@ creation are handled by a different protocol. When DHCP is in use, - only a subset of this is needed, and dnsmasq can handle it, using - existing DHCP configuration to provide most data. When RA is enabled, - dnsmasq will advertise a prefix for each dhcp-range, with default --router and recursive DNS server as the relevant link-local address on --the machine running dnsmasq. By default, he "managed address" bits are set, and -+router as the relevant link-local address on -+the machine running dnsmasq. By default, the "managed address" bits are set, and - the "use SLAAC" bit is reset. This can be changed for individual - subnets with the mode keywords described in - .B --dhcp-range. - RFC6106 DNS parameters are included in the advertisements. By default, - the relevant link-local address of the machine running dnsmasq is sent - as recursive DNS server. If provided, the DHCPv6 options dns-server and --domain-search are used for RDNSS and DNSSL. -+domain-search are used for the DNS server (RDNSS) and the domain serach list (DNSSL). - .TP - .B --ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>] - Set non-default values for router advertisements sent via an --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch b/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch deleted file mode 100644 index 832a22e..0000000 --- a/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 6de81f1250fd323c9155de065d5a9dc200a6f20b Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Wed, 9 Sep 2015 22:51:13 +0100 -Subject: [PATCH] Handle signed dangling CNAME replies to DS queries. - ---- - src/dnssec.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index 4deda24..67ce486 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -1232,11 +1232,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - - /* If we return STAT_NO_SIG, name contains the name of the DS query */ - if (val == STAT_NO_SIG) -- { -- *keyname = 0; -- return val; -- } -- -+ return val; -+ - /* If the key needed to validate the DS is on the same domain as the DS, we'll - loop getting nowhere. Stop that now. This can happen of the DS answer comes - from the DS's zone, and not the parent zone. */ --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch b/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch deleted file mode 100644 index fdccd0e..0000000 --- a/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 102208df695e886a3086754d32bf7f8c541fbe46 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Thu, 10 Sep 2015 21:50:00 +0100 -Subject: [PATCH] DHCPv6 option 56 does not hold an address list. (RFC 5908). - ---- - src/dhcp-common.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/dhcp-common.c b/src/dhcp-common.c -index bc48f41..8fc171a 100644 ---- a/src/dhcp-common.c -+++ b/src/dhcp-common.c -@@ -599,7 +599,7 @@ static const struct opttab_t opttab6[] = { - { "sntp-server", 31, OT_ADDR_LIST }, - { "information-refresh-time", 32, OT_TIME }, - { "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME }, -- { "ntp-server", 56, OT_ADDR_LIST }, -+ { "ntp-server", 56, 0 }, - { "bootfile-url", 59, OT_NAME }, - { "bootfile-param", 60, OT_CSTRING }, - { NULL, 0, 0 } --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch b/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch deleted file mode 100644 index 2014fdb..0000000 --- a/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 77607cbea0ad0f876dfb79c8b2c121ee400d57d0 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Thu, 10 Sep 2015 23:08:43 +0100 -Subject: [PATCH] Respect the --no-resolv flag in inotify code. - ---- - CHANGELOG | 7 ++++++- - debian/changelog | 6 ++++++ - src/inotify.c | 3 +++ - 3 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG b/CHANGELOG -index bbc2834..d6e309f 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -7,8 +7,13 @@ version 2.76 - - Enhance --add-subnet to allow arbitrary subnet addresses. - Thanks to Ed Barsley for the patch. -+ -+ Respect the --no-resolv flag in inotify code. Fixes bug -+ which caused dnsmasq to fail to start if a resolv-file -+ was a dangling symbolic link, even of --no-resolv set. -+ Thanks to Alexander Kurtz for spotting the problem. -+ - -- - version 2.75 - Fix reversion on 2.74 which caused 100% CPU use when a - dhcp-script is configured. Thanks to Adrian Davey for -diff --git a/src/inotify.c b/src/inotify.c -index 52d412f..ef05c58 100644 ---- a/src/inotify.c -+++ b/src/inotify.c -@@ -90,6 +90,9 @@ void inotify_dnsmasq_init() - - if (daemon->inotifyfd == -1) - die(_("failed to create inotify: %s"), NULL, EC_MISC); -+ -+ if (option_bool(OPT_NO_RESOLV)) -+ return; - - for (res = daemon->resolv_files; res; res = res->next) - { --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch b/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch deleted file mode 100644 index 281697f..0000000 --- a/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 27b78d990b7cd901866ad6f1a17b9d633a95fdce Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Sat, 26 Sep 2015 21:40:45 +0100 -Subject: [PATCH] Rationalise 5e3e464ac4022ee0b3794513abe510817e2cf3ca - ---- - src/rfc3315.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/src/rfc3315.c b/src/rfc3315.c -index 3f1f9ee..3ed8623 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -1324,8 +1324,7 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh) - if (opt_cfg->opt == OPTION6_DNS_SERVER) - done_dns = 1; - -- /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */ -- if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER) -+ if (opt_cfg->flags & DHOPT_ADDR6) - { - int len, j; - struct in6_addr *a; --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch b/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch deleted file mode 100644 index 631495f..0000000 --- a/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 98079ea89851da1df4966dfdfa1852a98da02912 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Tue, 13 Oct 2015 20:30:32 +0100 -Subject: [PATCH] Catch errors from sendmsg in DHCP code. Logs, eg, iptables - DROPS of dest 255.255.255.255 - ---- - src/dhcp.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/dhcp.c b/src/dhcp.c -index e6fceb1..1c85e42 100644 ---- a/src/dhcp.c -+++ b/src/dhcp.c -@@ -452,8 +452,13 @@ void dhcp_packet(time_t now, int pxe_fd) - #endif - - while(retry_send(sendmsg(fd, &msg, 0))); -+ -+ /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */ -+ if (errno != 0) -+ my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"), -+ inet_ntoa(dest.sin_addr), strerror(errno)); - } -- -+ - /* check against secondary interface addresses */ - static int check_listen_addrs(struct in_addr local, int if_index, char *label, - struct in_addr netmask, struct in_addr broadcast, void *vparam) --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch b/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch deleted file mode 100644 index 3ba98fc..0000000 --- a/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 90477fb79420a34124b66ebd808c578817a30e4c Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Tue, 20 Oct 2015 21:21:32 +0100 -Subject: [PATCH] Update list of subnet for --bogus-priv - -RFC6303 specifies & recommends following zones not be forwarded -to globally facing servers. -+------------------------------+-----------------------+ -| Zone | Description | -+------------------------------+-----------------------+ -| 0.IN-ADDR.ARPA | IPv4 "THIS" NETWORK | -| 127.IN-ADDR.ARPA | IPv4 Loopback NETWORK | -| 254.169.IN-ADDR.ARPA | IPv4 LINK LOCAL | -| 2.0.192.IN-ADDR.ARPA | IPv4 TEST-NET-1 | -| 100.51.198.IN-ADDR.ARPA | IPv4 TEST-NET-2 | -| 113.0.203.IN-ADDR.ARPA | IPv4 TEST-NET-3 | -| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST | -+------------------------------+-----------------------+ - -Signed-off-by: Kevin Darbyshire-Bryant <kevin(a)darbyshire-bryant.me.uk> ---- - src/rfc1035.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 6a51b30..4eb1772 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -756,10 +756,14 @@ int private_net(struct in_addr addr, int ban_localhost) - return - (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || - ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ || -- ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || - ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ || - ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ || -- ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ; -+ ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || -+ ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ || -+ ((ip_addr & 0xFFFFFF00) == 0xC0000200) /* 192.0.2.0/24 (test-net) */ || -+ ((ip_addr & 0xFFFFFF00) == 0xC6336400) /* 198.51.100.0/24(test-net) */ || -+ ((ip_addr & 0xFFFFFF00) == 0xCB007100) /* 203.0.113.0/24 (test-net) */ || -+ ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF) /* 255.255.255.255/32 (broadcast)*/ ; - } - - static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored) --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch b/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch deleted file mode 100644 index 736cf38..0000000 --- a/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 41a8d9e99be9f2cc8b02051dd322cb45e0faac87 Mon Sep 17 00:00:00 2001 -From: =?utf8?q?Edwin=20T=C3=B6r=C3=B6k?= <edwin+ml-cerowrt(a)etorok.net> -Date: Sat, 14 Nov 2015 17:45:48 +0000 -Subject: [PATCH] Fix crash when empty address from DNS overlays A record from - hosts. - ---- - CHANGELOG | 5 +++++ - src/cache.c | 2 +- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG b/CHANGELOG -index d6e309f..93c73d0 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -13,6 +13,11 @@ version 2.76 - was a dangling symbolic link, even of --no-resolv set. - Thanks to Alexander Kurtz for spotting the problem. - -+ Fix crash when an A or AAAA record is defined locally, -+ in a hosts file, and an upstream server sends a reply -+ that the same name is empty. Thanks to Edwin TÃ¶rÃ¶k for -+ the patch. -+ - - version 2.75 - Fix reversion on 2.74 which caused 100% CPU use when a -diff --git a/src/cache.c b/src/cache.c -index 178d654..1b76b67 100644 ---- a/src/cache.c -+++ b/src/cache.c -@@ -481,7 +481,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr, - existing record is for an A or AAAA and - the record we're trying to insert is the same, - just drop the insert, but don't error the whole process. */ -- if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD)) -+ if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr) - { - if ((flags & F_IPV4) && (new->flags & F_IPV4) && - new->addr.addr.addr.addr4.s_addr == addr->addr.addr4.s_addr) --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch b/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch deleted file mode 100644 index 8b17431..0000000 --- a/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Fri, 20 Nov 2015 23:20:47 +0000 -Subject: [PATCH] Handle unknown DS hash algos correctly. - -When we can validate a DS RRset, but don't speak the hash algo it -contains, treat that the same as an NSEC/3 proving that the DS -doesn't exist. 4025 5.2 ---- - src/dnssec.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/src/dnssec.c b/src/dnssec.c -index 67ce486..b4dc14e 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - if (crecp->flags & F_NEG) - return STAT_INSECURE_DS; - -+ /* 4035 5.2 -+ If the validator does not support any of the algorithms listed in an -+ authenticated DS RRset, then the resolver has no supported -+ authentication path leading from the parent to the child. The -+ resolver should treat this case as it would the case of an -+ authenticated NSEC RRset proving that no DS RRset exists, */ -+ for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS)) -+ if (hash_find(ds_digest_name(recp1->addr.ds.digest))) -+ break; -+ -+ if (!recp1) -+ return STAT_INSECURE_DS; -+ - /* NOTE, we need to find ONE DNSKEY which matches the DS */ - for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--) - { --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch b/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch deleted file mode 100644 index a9102c1..0000000 --- a/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 0007ee90646a5a78a96ee729932e89d31c69513a Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Sat, 21 Nov 2015 21:47:41 +0000 -Subject: [PATCH] Fix crash at start up with conf-dir=/path,* - -Thanks to Brian Carpenter and American Fuzzy Lop for finding the bug. ---- - src/option.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/src/option.c b/src/option.c -index 746cd11..71beb98 100644 ---- a/src/option.c -+++ b/src/option.c -@@ -1515,10 +1515,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - li = opt_malloc(sizeof(struct list)); - if (*arg == '*') - { -- li->next = match_suffix; -- match_suffix = li; -- /* Have to copy: buffer is overwritten */ -- li->suffix = opt_string_alloc(arg+1); -+ /* "*" with no suffix is a no-op */ -+ if (arg[1] == 0) -+ free(li); -+ else -+ { -+ li->next = match_suffix; -+ match_suffix = li; -+ /* Have to copy: buffer is overwritten */ -+ li->suffix = opt_string_alloc(arg+1); -+ } - } - else - { --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch b/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch deleted file mode 100644 index 7f25066..0000000 --- a/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch +++ /dev/null @@ -1,2209 +0,0 @@ -From 9a31b68b59adcac01016d4026d906b69c4216c01 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Tue, 15 Dec 2015 10:20:39 +0000 -Subject: [PATCH] Major rationalisation of DNSSEC validation. - -Much gnarly special-case code removed and replaced with correct -general implementaion. Checking of zone-status moved to DNSSEC code, -where it should be, vastly simplifying query-forwarding code. ---- - src/dnsmasq.h | 19 +- - src/dnssec.c | 926 ++++++++++++++++++++++++++++++--------------------------- - src/forward.c | 741 ++++++++++----------------------------------- - 3 files changed, 653 insertions(+), 1033 deletions(-) - -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index f42acdb..023a1cf 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -586,12 +586,8 @@ struct hostsfile { - #define STAT_NEED_KEY 5 - #define STAT_TRUNCATED 6 - #define STAT_SECURE_WILDCARD 7 --#define STAT_NO_SIG 8 --#define STAT_NO_DS 9 --#define STAT_NO_NS 10 --#define STAT_NEED_DS_NEG 11 --#define STAT_CHASE_CNAME 12 --#define STAT_INSECURE_DS 13 -+#define STAT_OK 8 -+#define STAT_ABANDONED 9 - - #define FREC_NOREBIND 1 - #define FREC_CHECKING_DISABLED 2 -@@ -601,8 +597,7 @@ struct hostsfile { - #define FREC_AD_QUESTION 32 - #define FREC_DO_QUESTION 64 - #define FREC_ADDED_PHEADER 128 --#define FREC_CHECK_NOSIGN 256 --#define FREC_TEST_PKTSZ 512 -+#define FREC_TEST_PKTSZ 256 - - #ifdef HAVE_DNSSEC - #define HASH_SIZE 20 /* SHA-1 digest size */ -@@ -626,9 +621,7 @@ struct frec { - #ifdef HAVE_DNSSEC - int class, work_counter; - struct blockdata *stash; /* Saved reply, whilst we validate */ -- struct blockdata *orig_domain; /* domain of original query, whilst -- we're seeing is if in unsigned domain */ -- size_t stash_len, name_start, name_len; -+ size_t stash_len; - struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */ - struct frec *blocking_query; /* Query which is blocking us. */ - #endif -@@ -1162,8 +1155,8 @@ int in_zone(struct auth_zone *zone, char *name, char **cut); - size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, int class, int type, union mysockaddr *addr, int edns_pktsz); - int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, char *name, char *keyname, int class); - int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class); --int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer, int *nons); --int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname); -+int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, -+ int check_unsigned, int *neganswer, int *nons); - int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen); - size_t filter_rrsigs(struct dns_header *header, size_t plen); - unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name); -diff --git a/src/dnssec.c b/src/dnssec.c -index b4dc14e..de7b335 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -65,8 +65,10 @@ static char *algo_digest_name(int algo) - case 8: return "sha256"; - case 10: return "sha512"; - case 12: return "gosthash94"; -+#ifndef NO_NETTLE_ECC - case 13: return "sha256"; - case 14: return "sha384"; -+#endif - default: return NULL; - } - } -@@ -592,30 +594,30 @@ static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, - } - } - --static int expand_workspace(unsigned char ***wkspc, int *sz, int new) -+static int expand_workspace(unsigned char ***wkspc, int *szp, int new) - { - unsigned char **p; -- int new_sz = *sz; -- -- if (new_sz > new) -+ int old = *szp; -+ -+ if (old >= new+1) - return 1; - - if (new >= 100) - return 0; - -- new_sz += 5; -+ new += 5; - -- if (!(p = whine_malloc((new_sz) * sizeof(unsigned char **)))) -+ if (!(p = whine_malloc(new * sizeof(unsigned char **)))) - return 0; - -- if (*wkspc) -+ if (old != 0 && *wkspc) - { -- memcpy(p, *wkspc, *sz * sizeof(unsigned char **)); -+ memcpy(p, *wkspc, old * sizeof(unsigned char **)); - free(*wkspc); - } - - *wkspc = p; -- *sz = new_sz; -+ *szp = new; - - return 1; - } -@@ -706,47 +708,28 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int - } while (swap); - } - --/* Validate a single RRset (class, type, name) in the supplied DNS reply -- Return code: -- STAT_SECURE if it validates. -- STAT_SECURE_WILDCARD if it validates and is the result of wildcard expansion. -- (In this case *wildcard_out points to the "body" of the wildcard within name.) -- STAT_NO_SIG no RRsigs found. -- STAT_INSECURE RRset empty. -- STAT_BOGUS signature is wrong, bad packet. -- STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname) -- -- if key is non-NULL, use that key, which has the algo and tag given in the params of those names, -- otherwise find the key in the cache. -+static unsigned char **rrset = NULL, **sigs = NULL; - -- name is unchanged on exit. keyname is used as workspace and trashed. --*/ --static int validate_rrset(time_t now, struct dns_header *header, size_t plen, int class, int type, -- char *name, char *keyname, char **wildcard_out, struct blockdata *key, int keylen, int algo_in, int keytag_in) -+/* Get pointers to RRset menbers and signature(s) for same. -+ Check signatures, and return keyname associated in keyname. */ -+static int explore_rrset(struct dns_header *header, size_t plen, int class, int type, -+ char *name, char *keyname, int *sigcnt, int *rrcnt) - { -- static unsigned char **rrset = NULL, **sigs = NULL; -- static int rrset_sz = 0, sig_sz = 0; -- -+ static int rrset_sz = 0, sig_sz = 0; - unsigned char *p; -- int rrsetidx, sigidx, res, rdlen, j, name_labels; -- struct crec *crecp = NULL; -- int type_covered, algo, labels, orig_ttl, sig_expiration, sig_inception, key_tag; -- u16 *rr_desc = get_desc(type); -- -- if (wildcard_out) -- *wildcard_out = NULL; -- -+ int rrsetidx, sigidx, j, rdlen, res; -+ int name_labels = count_labels(name); /* For 4035 5.3.2 check */ -+ int gotkey = 0; -+ - if (!(p = skip_questions(header, plen))) - return STAT_BOGUS; -- -- name_labels = count_labels(name); /* For 4035 5.3.2 check */ - -- /* look for RRSIGs for this RRset and get pointers to each RR in the set. */ -+ /* look for RRSIGs for this RRset and get pointers to each RR in the set. */ - for (rrsetidx = 0, sigidx = 0, j = ntohs(header->ancount) + ntohs(header->nscount); - j != 0; j--) - { - unsigned char *pstart, *pdata; -- int stype, sclass; -+ int stype, sclass, algo, type_covered, labels, sig_expiration, sig_inception; - - pstart = p; - -@@ -762,14 +745,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - GETSHORT(rdlen, p); - - if (!CHECK_LEN(header, p, plen, rdlen)) -- return STAT_BOGUS; -+ return 0; - - if (res == 1 && sclass == class) - { - if (stype == type) - { - if (!expand_workspace(&rrset, &rrset_sz, rrsetidx)) -- return STAT_BOGUS; -+ return 0; - - rrset[rrsetidx++] = pstart; - } -@@ -777,14 +760,54 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - if (stype == T_RRSIG) - { - if (rdlen < 18) -- return STAT_BOGUS; /* bad packet */ -+ return 0; /* bad packet */ - - GETSHORT(type_covered, p); -+ algo = *p++; -+ labels = *p++; -+ p += 4; /* orig_ttl */ -+ GETLONG(sig_expiration, p); -+ GETLONG(sig_inception, p); -+ p += 2; /* key_tag */ - -- if (type_covered == type) -+ if (gotkey) -+ { -+ /* If there's more than one SIG, ensure they all have same keyname */ -+ if (extract_name(header, plen, &p, keyname, 0, 0) != 1) -+ return 0; -+ } -+ else -+ { -+ gotkey = 1; -+ -+ if (!extract_name(header, plen, &p, keyname, 1, 0)) -+ return 0; -+ -+ /* RFC 4035 5.3.1 says that the Signer's Name field MUST equal -+ the name of the zone containing the RRset. We can't tell that -+ for certain, but we can check that the RRset name is equal to -+ or encloses the signers name, which should be enough to stop -+ an attacker using signatures made with the key of an unrelated -+ zone he controls. Note that the root key is always allowed. */ -+ if (*keyname != 0) -+ { -+ char *name_start; -+ for (name_start = name; !hostname_isequal(name_start, keyname); ) -+ if ((name_start = strchr(name_start, '.'))) -+ name_start++; /* chop a label off and try again */ -+ else -+ return 0; -+ } -+ } -+ -+ /* Don't count signatures for algos we don't support */ -+ if (check_date_range(sig_inception, sig_expiration) && -+ labels <= name_labels && -+ type_covered == type && -+ algo_digest_name(algo)) - { - if (!expand_workspace(&sigs, &sig_sz, sigidx)) -- return STAT_BOGUS; -+ return 0; - - sigs[sigidx++] = pdata; - } -@@ -794,17 +817,45 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - } - - if (!ADD_RDLEN(header, p, plen, rdlen)) -- return STAT_BOGUS; -+ return 0; - } - -- /* RRset empty */ -- if (rrsetidx == 0) -- return STAT_INSECURE; -+ *sigcnt = sigidx; -+ *rrcnt = rrsetidx; -+ -+ return 1; -+} -+ -+/* Validate a single RRset (class, type, name) in the supplied DNS reply -+ Return code: -+ STAT_SECURE if it validates. -+ STAT_SECURE_WILDCARD if it validates and is the result of wildcard expansion. -+ (In this case *wildcard_out points to the "body" of the wildcard within name.) -+ STAT_BOGUS signature is wrong, bad packet. -+ STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname) -+ STAT_NEED_DS need DS to complete validation (name is returned in keyname) -+ -+ if key is non-NULL, use that key, which has the algo and tag given in the params of those names, -+ otherwise find the key in the cache. - -- /* no RRSIGs */ -- if (sigidx == 0) -- return STAT_NO_SIG; -+ name is unchanged on exit. keyname is used as workspace and trashed. -+ -+ Call explore_rrset first to find and count RRs and sigs. -+*/ -+static int validate_rrset(time_t now, struct dns_header *header, size_t plen, int class, int type, int sigidx, int rrsetidx, -+ char *name, char *keyname, char **wildcard_out, struct blockdata *key, int keylen, int algo_in, int keytag_in) -+{ -+ unsigned char *p; -+ int rdlen, j, name_labels; -+ struct crec *crecp = NULL; -+ int algo, labels, orig_ttl, key_tag; -+ u16 *rr_desc = get_desc(type); -+ -+ if (wildcard_out) -+ *wildcard_out = NULL; - -+ name_labels = count_labels(name); /* For 4035 5.3.2 check */ -+ - /* Sort RRset records into canonical order. - Note that at this point keyname and daemon->workspacename buffs are - unused, and used as workspace by the sort. */ -@@ -828,44 +879,16 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - algo = *p++; - labels = *p++; - GETLONG(orig_ttl, p); -- GETLONG(sig_expiration, p); -- GETLONG(sig_inception, p); -+ p += 8; /* sig_expiration, sig_inception already checked */ - GETSHORT(key_tag, p); - - if (!extract_name(header, plen, &p, keyname, 1, 0)) - return STAT_BOGUS; - -- /* RFC 4035 5.3.1 says that the Signer's Name field MUST equal -- the name of the zone containing the RRset. We can't tell that -- for certain, but we can check that the RRset name is equal to -- or encloses the signers name, which should be enough to stop -- an attacker using signatures made with the key of an unrelated -- zone he controls. Note that the root key is always allowed. */ -- if (*keyname != 0) -- { -- int failed = 0; -- -- for (name_start = name; !hostname_isequal(name_start, keyname); ) -- if ((name_start = strchr(name_start, '.'))) -- name_start++; /* chop a label off and try again */ -- else -- { -- failed = 1; -- break; -- } -- -- /* Bad sig, try another */ -- if (failed) -- continue; -- } -- -- /* Other 5.3.1 checks */ -- if (!check_date_range(sig_inception, sig_expiration) || -- labels > name_labels || -- !(hash = hash_find(algo_digest_name(algo))) || -+ if (!(hash = hash_find(algo_digest_name(algo))) || - !hash_init(hash, &ctx, &digest)) - continue; -- -+ - /* OK, we have the signature record, see if the relevant DNSKEY is in the cache. */ - if (!key && !(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY))) - return STAT_NEED_KEY; -@@ -971,10 +994,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - /* The DNS packet is expected to contain the answer to a DNSKEY query. - Put all DNSKEYs in the answer which are valid into the cache. - return codes: -- STAT_SECURE At least one valid DNSKEY found and in cache. -- STAT_BOGUS No DNSKEYs found, which can be validated with DS, -- or self-sign for DNSKEY RRset is not valid, bad packet. -- STAT_NEED_DS DS records to validate a key not found, name in keyname -+ STAT_OK Done, key(s) in cache. -+ STAT_BOGUS No DNSKEYs found, which can be validated with DS, -+ or self-sign for DNSKEY RRset is not valid, bad packet. -+ STAT_NEED_DS DS records to validate a key not found, name in keyname -+ STAT_NEED_DNSKEY DNSKEY records to validate a key not found, name in keyname - */ - int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) - { -@@ -1001,23 +1025,6 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - return STAT_NEED_DS; - } - -- /* If we've cached that DS provably doesn't exist, result must be INSECURE */ -- if (crecp->flags & F_NEG) -- return STAT_INSECURE_DS; -- -- /* 4035 5.2 -- If the validator does not support any of the algorithms listed in an -- authenticated DS RRset, then the resolver has no supported -- authentication path leading from the parent to the child. The -- resolver should treat this case as it would the case of an -- authenticated NSEC RRset proving that no DS RRset exists, */ -- for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS)) -- if (hash_find(ds_digest_name(recp1->addr.ds.digest))) -- break; -- -- if (!recp1) -- return STAT_INSECURE_DS; -- - /* NOTE, we need to find ONE DNSKEY which matches the DS */ - for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--) - { -@@ -1070,7 +1077,8 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - void *ctx; - unsigned char *digest, *ds_digest; - const struct nettle_hash *hash; -- -+ int sigcnt, rrcnt; -+ - if (recp1->addr.ds.algo == algo && - recp1->addr.ds.keytag == keytag && - recp1->uid == (unsigned int)class && -@@ -1088,10 +1096,14 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - - from_wire(name); - -- if (recp1->addr.ds.keylen == (int)hash->digest_size && -+ if (!(recp1->flags & F_NEG) && -+ recp1->addr.ds.keylen == (int)hash->digest_size && - (ds_digest = blockdata_retrieve(recp1->addr.key.keydata, recp1->addr.ds.keylen, NULL)) && - memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0 && -- validate_rrset(now, header, plen, class, T_DNSKEY, name, keyname, NULL, key, rdlen - 4, algo, keytag) == STAT_SECURE) -+ explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) && -+ sigcnt != 0 && rrcnt != 0 && -+ validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname, -+ NULL, key, rdlen - 4, algo, keytag) == STAT_SECURE) - { - valid = 1; - break; -@@ -1112,7 +1124,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - { - /* Ensure we have type, class TTL and length */ - if (!(rc = extract_name(header, plen, &p, name, 0, 10))) -- return STAT_INSECURE; /* bad packet */ -+ return STAT_BOGUS; /* bad packet */ - - GETSHORT(qtype, p); - GETSHORT(qclass, p); -@@ -1198,7 +1210,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - - /* commit cache insert. */ - cache_end_insert(); -- return STAT_SECURE; -+ return STAT_OK; - } - - log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DNSKEY"); -@@ -1207,12 +1219,14 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - - /* The DNS packet is expected to contain the answer to a DS query - Put all DSs in the answer which are valid into the cache. -+ Also handles replies which prove that there's no DS at this location, -+ either because the zone is unsigned or this isn't a zone cut. These are -+ cached too. - return codes: -- STAT_SECURE At least one valid DS found and in cache. -- STAT_NO_DS It's proved there's no DS here. -- STAT_NO_NS It's proved there's no DS _or_ NS here. -+ STAT_OK At least one valid DS found and in cache. - STAT_BOGUS no DS in reply or not signed, fails validation, bad packet. - STAT_NEED_KEY DNSKEY records to validate a DS not found, name in keyname -+ STAT_NEED_DS DS record needed. - */ - - int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) -@@ -1230,7 +1244,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - if (qtype != T_DS || qclass != class) - val = STAT_BOGUS; - else -- val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer, &nons); -+ val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons); - /* Note dnssec_validate_reply() will have cached positive answers */ - - if (val == STAT_INSECURE) -@@ -1242,22 +1256,21 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - - if (!(p = skip_section(p, ntohs(header->ancount), header, plen))) - val = STAT_BOGUS; -- -- /* If we return STAT_NO_SIG, name contains the name of the DS query */ -- if (val == STAT_NO_SIG) -- return val; - - /* If the key needed to validate the DS is on the same domain as the DS, we'll - loop getting nowhere. Stop that now. This can happen of the DS answer comes - from the DS's zone, and not the parent zone. */ -- if (val == STAT_BOGUS || (val == STAT_NEED_KEY && hostname_isequal(name, keyname))) -+ if (val == STAT_BOGUS || (val == STAT_NEED_KEY && hostname_isequal(name, keyname))) - { - log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS"); - return STAT_BOGUS; - } -+ -+ if (val != STAT_SECURE) -+ return val; - - /* By here, the answer is proved secure, and a positive answer has been cached. */ -- if (val == STAT_SECURE && neganswer) -+ if (neganswer) - { - int rdlen, flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; - unsigned long ttl, minttl = ULONG_MAX; -@@ -1317,15 +1330,14 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - - cache_end_insert(); - -- log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, nons ? "no delegation" : "no DS"); -+ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "no DS"); - } -- -- return nons ? STAT_NO_NS : STAT_NO_DS; - } - -- return val; -+ return STAT_OK; - } - -+ - /* 4034 6.1 */ - static int hostname_cmp(const char *a, const char *b) - { -@@ -1452,7 +1464,7 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - int mask = 0x80 >> (type & 0x07); - - if (nons) -- *nons = 0; -+ *nons = 1; - - /* Find NSEC record that proves name doesn't exist */ - for (i = 0; i < nsec_count; i++) -@@ -1480,9 +1492,22 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - /* rdlen is now length of type map, and p points to it */ - - /* If we can prove that there's no NS record, return that information. */ -- if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0) -- *nons = 1; -+ if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0) -+ *nons = 0; - -+ if (rdlen >= 2 && p[0] == 0) -+ { -+ /* A CNAME answer would also be valid, so if there's a CNAME is should -+ have been returned. */ -+ if ((p[2] & (0x80 >> T_CNAME)) != 0) -+ return STAT_BOGUS; -+ -+ /* If the SOA bit is set for a DS record, then we have the -+ DS from the wrong side of the delegation. */ -+ if (type == T_DS && (p[2] & (0x80 >> T_SOA)) != 0) -+ return STAT_BOGUS; -+ } -+ - while (rdlen >= 2) - { - if (!CHECK_LEN(header, p, plen, rdlen)) -@@ -1586,7 +1611,7 @@ static int base32_decode(char *in, unsigned char *out) - static int check_nsec3_coverage(struct dns_header *header, size_t plen, int digest_len, unsigned char *digest, int type, - char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count, int *nons) - { -- int i, hash_len, salt_len, base32_len, rdlen; -+ int i, hash_len, salt_len, base32_len, rdlen, flags; - unsigned char *p, *psave; - - for (i = 0; i < nsec_count; i++) -@@ -1599,7 +1624,9 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige - p += 8; /* class, type, TTL */ - GETSHORT(rdlen, p); - psave = p; -- p += 4; /* algo, flags, iterations */ -+ p++; /* algo */ -+ flags = *p++; /* flags */ -+ p += 2; /* iterations */ - salt_len = *p++; /* salt_len */ - p += salt_len; /* salt */ - hash_len = *p++; /* p now points to next hashed name */ -@@ -1626,16 +1653,29 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige - return 0; - - /* If we can prove that there's no NS record, return that information. */ -- if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0) -- *nons = 1; -+ if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0) -+ *nons = 0; - -+ if (rdlen >= 2 && p[0] == 0) -+ { -+ /* A CNAME answer would also be valid, so if there's a CNAME is should -+ have been returned. */ -+ if ((p[2] & (0x80 >> T_CNAME)) != 0) -+ return 0; -+ -+ /* If the SOA bit is set for a DS record, then we have the -+ DS from the wrong side of the delegation. */ -+ if (type == T_DS && (p[2] & (0x80 >> T_SOA)) != 0) -+ return 0; -+ } -+ - while (rdlen >= 2) - { - if (p[0] == type >> 8) - { - /* Does the NSEC3 say our type exists? */ - if (offset < p[1] && (p[offset+2] & mask) != 0) -- return STAT_BOGUS; -+ return 0; - - break; /* finshed checking */ - } -@@ -1643,7 +1683,7 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige - rdlen -= p[1]; - p += p[1]; - } -- -+ - return 1; - } - else if (rc < 0) -@@ -1651,16 +1691,27 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige - /* Normal case, hash falls between NSEC3 name-hash and next domain name-hash, - wrap around case, name-hash falls between NSEC3 name-hash and end */ - if (memcmp(p, digest, digest_len) >= 0 || memcmp(workspace2, p, digest_len) >= 0) -- return 1; -+ { -+ if ((flags & 0x01) && nons) /* opt out */ -+ *nons = 0; -+ -+ return 1; -+ } - } - else - { - /* wrap around case, name falls between start and next domain name */ - if (memcmp(workspace2, p, digest_len) >= 0 && memcmp(p, digest, digest_len) >= 0) -- return 1; -+ { -+ if ((flags & 0x01) && nons) /* opt out */ -+ *nons = 0; -+ -+ return 1; -+ } - } - } - } -+ - return 0; - } - -@@ -1673,7 +1724,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - char *closest_encloser, *next_closest, *wildcard; - - if (nons) -- *nons = 0; -+ *nons = 1; - - /* Look though the NSEC3 records to find the first one with - an algorithm we support (currently only algo == 1). -@@ -1813,16 +1864,81 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - - return STAT_SECURE; - } -- --/* Validate all the RRsets in the answer and authority sections of the reply (4035:3.2.3) */ --/* Returns are the same as validate_rrset, plus the class if the missing key is in *class */ -+ -+/* Check signing status of name. -+ returns: -+ STAT_SECURE zone is signed. -+ STAT_INSECURE zone proved unsigned. -+ STAT_NEED_DS require DS record of name returned in keyname. -+ -+ name returned unaltered. -+*/ -+static int zone_status(char *name, int class, char *keyname, time_t now) -+{ -+ int name_start = strlen(name); -+ struct crec *crecp; -+ char *p; -+ -+ while (1) -+ { -+ strcpy(keyname, &name[name_start]); -+ -+ if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DS))) -+ return STAT_NEED_DS; -+ else -+ do -+ { -+ if (crecp->uid == (unsigned int)class) -+ { -+ /* F_DNSSECOK misused in DS cache records to non-existance of NS record. -+ F_NEG && !F_DNSSECOK implies that we've proved there's no DS record here, -+ but that's because there's no NS record either, ie this isn't the start -+ of a zone. We only prove that the DNS tree below a node is unsigned when -+ we prove that we're at a zone cut AND there's no DS record. -+ */ -+ if (crecp->flags & F_NEG) -+ { -+ if (crecp->flags & F_DNSSECOK) -+ return STAT_INSECURE; /* proved no DS here */ -+ } -+ else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo)) -+ return STAT_INSECURE; /* algo we can't use - insecure */ -+ } -+ } -+ while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS))); -+ -+ if (name_start == 0) -+ break; -+ -+ for (p = &name[name_start-2]; (*p != '.') && (p != name); p--); -+ -+ if (p != name) -+ p++; -+ -+ name_start = p - name; -+ } -+ -+ return STAT_SECURE; -+} -+ -+/* Validate all the RRsets in the answer and authority sections of the reply (4035:3.2.3) -+ Return code: -+ STAT_SECURE if it validates. -+ STAT_INSECURE at least one RRset not validated, because in unsigned zone. -+ STAT_BOGUS signature is wrong, bad packet, no validation where there should be. -+ STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname, class in *class) -+ STAT_NEED_DS need DS to complete validation (name is returned in keyname) -+*/ - int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, -- int *class, int *neganswer, int *nons) -+ int *class, int check_unsigned, int *neganswer, int *nons) - { -- unsigned char *ans_start, *qname, *p1, *p2, **nsecs; -- int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype; -- int i, j, rc, nsec_count, cname_count = CNAME_CHAIN; -- int nsec_type = 0, have_answer = 0; -+ static unsigned char **targets = NULL; -+ static int target_sz = 0; -+ -+ unsigned char *ans_start, *p1, *p2, **nsecs; -+ int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype, targetidx; -+ int i, j, rc, nsec_count; -+ int nsec_type; - - if (neganswer) - *neganswer = 0; -@@ -1833,70 +1949,51 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - if (RCODE(header) != NXDOMAIN && RCODE(header) != NOERROR) - return STAT_INSECURE; - -- qname = p1 = (unsigned char *)(header+1); -+ p1 = (unsigned char *)(header+1); - -+ /* Find all the targets we're looking for answers to. -+ The zeroth array element is for the query, subsequent ones -+ for CNAME targets, unless the query is for a CNAME. */ -+ -+ if (!expand_workspace(&targets, &target_sz, 0)) -+ return STAT_BOGUS; -+ -+ targets[0] = p1; -+ targetidx = 1; -+ - if (!extract_name(header, plen, &p1, name, 1, 4)) - return STAT_BOGUS; -- -+ - GETSHORT(qtype, p1); - GETSHORT(qclass, p1); - ans_start = p1; -- -- if (qtype == T_ANY) -- have_answer = 1; - -- /* Can't validate an RRISG query */ -+ /* Can't validate an RRSIG query */ - if (qtype == T_RRSIG) - return STAT_INSECURE; -- -- cname_loop: -- for (j = ntohs(header->ancount); j != 0; j--) -- { -- /* leave pointer to missing name in qname */ -- -- if (!(rc = extract_name(header, plen, &p1, name, 0, 10))) -- return STAT_BOGUS; /* bad packet */ -- -- GETSHORT(type2, p1); -- GETSHORT(class2, p1); -- p1 += 4; /* TTL */ -- GETSHORT(rdlen2, p1); -- -- if (rc == 1 && qclass == class2) -- { -- /* Do we have an answer for the question? */ -- if (type2 == qtype) -- { -- have_answer = 1; -- break; -- } -- else if (type2 == T_CNAME) -- { -- qname = p1; -- -- /* looped CNAMES */ -- if (!cname_count-- || !extract_name(header, plen, &p1, name, 1, 0)) -- return STAT_BOGUS; -- -- p1 = ans_start; -- goto cname_loop; -- } -- } -- -- if (!ADD_RDLEN(header, p1, plen, rdlen2)) -- return STAT_BOGUS; -- } -- -- if (neganswer && !have_answer) -- *neganswer = 1; - -- /* No data, therefore no sigs */ -- if (ntohs(header->ancount) + ntohs(header->nscount) == 0) -- { -- *keyname = 0; -- return STAT_NO_SIG; -- } -- -+ if (qtype != T_CNAME) -+ for (j = ntohs(header->ancount); j != 0; j--) -+ { -+ if (!(p1 = skip_name(p1, header, plen, 10))) -+ return STAT_BOGUS; /* bad packet */ -+ -+ GETSHORT(type2, p1); -+ p1 += 6; /* class, TTL */ -+ GETSHORT(rdlen2, p1); -+ -+ if (type2 == T_CNAME) -+ { -+ if (!expand_workspace(&targets, &target_sz, targetidx)) -+ return STAT_BOGUS; -+ -+ targets[targetidx++] = p1; /* pointer to target name */ -+ } -+ -+ if (!ADD_RDLEN(header, p1, plen, rdlen2)) -+ return STAT_BOGUS; -+ } -+ - for (p1 = ans_start, i = 0; i < ntohs(header->ancount) + ntohs(header->nscount); i++) - { - if (!extract_name(header, plen, &p1, name, 1, 10)) -@@ -1931,7 +2028,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - /* Not done, validate now */ - if (j == i) - { -- int ttl, keytag, algo, digest, type_covered; -+ int ttl, keytag, algo, digest, type_covered, sigcnt, rrcnt; - unsigned char *psave; - struct all_addr a; - struct blockdata *key; -@@ -1939,143 +2036,186 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - char *wildname; - int have_wildcard = 0; - -- rc = validate_rrset(now, header, plen, class1, type1, name, keyname, &wildname, NULL, 0, 0, 0); -- -- if (rc == STAT_SECURE_WILDCARD) -- { -- have_wildcard = 1; -- -- /* An attacker replay a wildcard answer with a different -- answer and overlay a genuine RR. To prove this -- hasn't happened, the answer must prove that -- the gennuine record doesn't exist. Check that here. */ -- if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, class1))) -- return STAT_BOGUS; /* No NSECs or bad packet */ -- -- if (nsec_type == T_NSEC) -- rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL); -- else -- rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, -- keyname, name, type1, wildname, NULL); -- -- if (rc != STAT_SECURE) -- return rc; -- } -- else if (rc != STAT_SECURE) -- { -- if (class) -- *class = class1; /* Class for DS or DNSKEY */ -+ if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigcnt, &rrcnt)) -+ return STAT_BOGUS; - -- if (rc == STAT_NO_SIG) -+ /* No signatures for RRset. We can be configured to assume this is OK and return a INSECURE result. */ -+ if (sigcnt == 0) -+ { -+ if (check_unsigned) - { -- /* If we dropped off the end of a CNAME chain, return -- STAT_NO_SIG and the last name is keyname. This is used for proving non-existence -- if DS records in CNAME chains. */ -- if (cname_count == CNAME_CHAIN || i < ntohs(header->ancount)) -- /* No CNAME chain, or no sig in answer section, return empty name. */ -- *keyname = 0; -- else if (!extract_name(header, plen, &qname, keyname, 1, 0)) -- return STAT_BOGUS; -+ rc = zone_status(name, class1, keyname, now); -+ if (rc == STAT_SECURE) -+ rc = STAT_BOGUS; -+ if (class) -+ *class = class1; /* Class for NEED_DS or NEED_DNSKEY */ - } -- -+ else -+ rc = STAT_INSECURE; -+ - return rc; - } - -- /* Cache RRsigs in answer section, and if we just validated a DS RRset, cache it */ -- cache_start_insert(); -+ /* explore_rrset() gives us key name from sigs in keyname. -+ Can't overwrite name here. */ -+ strcpy(daemon->workspacename, keyname); -+ rc = zone_status(daemon->workspacename, class1, keyname, now); -+ if (rc != STAT_SECURE) -+ { -+ /* Zone is insecure, don't need to validate RRset */ -+ if (class) -+ *class = class1; /* Class for NEED_DS or NEED_DNSKEY */ -+ return rc; -+ } -+ -+ rc = validate_rrset(now, header, plen, class1, type1, sigcnt, rrcnt, name, keyname, &wildname, NULL, 0, 0, 0); - -- for (p2 = ans_start, j = 0; j < ntohs(header->ancount); j++) -+ if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS) - { -- if (!(rc = extract_name(header, plen, &p2, name, 0, 10))) -- return STAT_BOGUS; /* bad packet */ -+ if (class) -+ *class = class1; /* Class for DS or DNSKEY */ -+ return rc; -+ } -+ else -+ { -+ /* rc is now STAT_SECURE or STAT_SECURE_WILDCARD */ -+ -+ /* Note if we've validated either the answer to the question -+ or the target of a CNAME. Any not noted will need NSEC or -+ to be in unsigned space. */ -+ -+ for (j = 0; j <targetidx; j++) -+ if ((p2 = targets[j])) -+ { -+ if (!(rc = extract_name(header, plen, &p2, name, 0, 10))) -+ return STAT_BOGUS; /* bad packet */ -+ -+ if (class1 == qclass && rc == 1 && (type1 == T_CNAME || type1 == qtype || qtype == T_ANY )) -+ targets[j] = NULL; -+ } -+ -+ if (rc == STAT_SECURE_WILDCARD) -+ { -+ have_wildcard = 1; - -- GETSHORT(type2, p2); -- GETSHORT(class2, p2); -- GETLONG(ttl, p2); -- GETSHORT(rdlen2, p2); -- -- if (!CHECK_LEN(header, p2, plen, rdlen2)) -- return STAT_BOGUS; /* bad packet */ -- -- if (class2 == class1 && rc == 1) -- { -- psave = p2; -+ /* An attacker replay a wildcard answer with a different -+ answer and overlay a genuine RR. To prove this -+ hasn't happened, the answer must prove that -+ the gennuine record doesn't exist. Check that here. */ -+ if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, class1))) -+ return STAT_BOGUS; /* No NSECs or bad packet */ -+ -+ /* Note that we may not yet have validated the NSEC/NSEC3 RRsets. Since the check -+ below returns either SECURE or BOGUS, that's not a problem. If the RRsets later fail -+ we'll return BOGUS then. */ - -- if (type1 == T_DS && type2 == T_DS) -- { -- if (rdlen2 < 4) -- return STAT_BOGUS; /* bad packet */ -- -- GETSHORT(keytag, p2); -- algo = *p2++; -- digest = *p2++; -- -- /* Cache needs to known class for DNSSEC stuff */ -- a.addr.dnssec.class = class2; -- -- if ((key = blockdata_alloc((char*)p2, rdlen2 - 4))) -- { -- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))) -- blockdata_free(key); -- else -- { -- a.addr.keytag = keytag; -- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); -- crecp->addr.ds.digest = digest; -- crecp->addr.ds.keydata = key; -- crecp->addr.ds.algo = algo; -- crecp->addr.ds.keytag = keytag; -- crecp->addr.ds.keylen = rdlen2 - 4; -- } -- } -- } -- else if (type2 == T_RRSIG) -- { -- if (rdlen2 < 18) -- return STAT_BOGUS; /* bad packet */ -+ if (nsec_type == T_NSEC) -+ rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL); -+ else -+ rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, -+ keyname, name, type1, wildname, NULL); -+ -+ if (rc == STAT_BOGUS) -+ return rc; -+ } -+ -+ /* Cache RRsigs in answer section, and if we just validated a DS RRset, cache it */ -+ /* Also note if the RRset is the answer to the question, or the target of a CNAME */ -+ cache_start_insert(); -+ -+ for (p2 = ans_start, j = 0; j < ntohs(header->ancount); j++) -+ { -+ if (!(rc = extract_name(header, plen, &p2, name, 0, 10))) -+ return STAT_BOGUS; /* bad packet */ -+ -+ GETSHORT(type2, p2); -+ GETSHORT(class2, p2); -+ GETLONG(ttl, p2); -+ GETSHORT(rdlen2, p2); -+ -+ if (!CHECK_LEN(header, p2, plen, rdlen2)) -+ return STAT_BOGUS; /* bad packet */ -+ -+ if (class2 == class1 && rc == 1) -+ { -+ psave = p2; - -- GETSHORT(type_covered, p2); -- -- if (type_covered == type1 && -- (type_covered == T_A || type_covered == T_AAAA || -- type_covered == T_CNAME || type_covered == T_DS || -- type_covered == T_DNSKEY || type_covered == T_PTR)) -+ if (type1 == T_DS && type2 == T_DS) - { -- a.addr.dnssec.type = type_covered; -- a.addr.dnssec.class = class1; -+ if (rdlen2 < 4) -+ return STAT_BOGUS; /* bad packet */ - -- algo = *p2++; -- p2 += 13; /* labels, orig_ttl, expiration, inception */ - GETSHORT(keytag, p2); -+ algo = *p2++; -+ digest = *p2++; -+ -+ /* Cache needs to known class for DNSSEC stuff */ -+ a.addr.dnssec.class = class2; - -- /* We don't cache sigs for wildcard answers, because to reproduce the -- answer from the cache will require one or more NSEC/NSEC3 records -- which we don't cache. The lack of the RRSIG ensures that a query for -- this RRset asking for a secure answer will always be forwarded. */ -- if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2))) -+ if ((key = blockdata_alloc((char*)p2, rdlen2 - 4))) - { -- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS))) -+ if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))) - blockdata_free(key); - else - { -- crecp->addr.sig.keydata = key; -- crecp->addr.sig.keylen = rdlen2; -- crecp->addr.sig.keytag = keytag; -- crecp->addr.sig.type_covered = type_covered; -- crecp->addr.sig.algo = algo; -+ a.addr.keytag = keytag; -+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); -+ crecp->addr.ds.digest = digest; -+ crecp->addr.ds.keydata = key; -+ crecp->addr.ds.algo = algo; -+ crecp->addr.ds.keytag = keytag; -+ crecp->addr.ds.keylen = rdlen2 - 4; -+ } -+ } -+ } -+ else if (type2 == T_RRSIG) -+ { -+ if (rdlen2 < 18) -+ return STAT_BOGUS; /* bad packet */ -+ -+ GETSHORT(type_covered, p2); -+ -+ if (type_covered == type1 && -+ (type_covered == T_A || type_covered == T_AAAA || -+ type_covered == T_CNAME || type_covered == T_DS || -+ type_covered == T_DNSKEY || type_covered == T_PTR)) -+ { -+ a.addr.dnssec.type = type_covered; -+ a.addr.dnssec.class = class1; -+ -+ algo = *p2++; -+ p2 += 13; /* labels, orig_ttl, expiration, inception */ -+ GETSHORT(keytag, p2); -+ -+ /* We don't cache sigs for wildcard answers, because to reproduce the -+ answer from the cache will require one or more NSEC/NSEC3 records -+ which we don't cache. The lack of the RRSIG ensures that a query for -+ this RRset asking for a secure answer will always be forwarded. */ -+ if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2))) -+ { -+ if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS))) -+ blockdata_free(key); -+ else -+ { -+ crecp->addr.sig.keydata = key; -+ crecp->addr.sig.keylen = rdlen2; -+ crecp->addr.sig.keytag = keytag; -+ crecp->addr.sig.type_covered = type_covered; -+ crecp->addr.sig.algo = algo; -+ } - } - } - } -+ -+ p2 = psave; - } - -- p2 = psave; -+ if (!ADD_RDLEN(header, p2, plen, rdlen2)) -+ return STAT_BOGUS; /* bad packet */ - } - -- if (!ADD_RDLEN(header, p2, plen, rdlen2)) -- return STAT_BOGUS; /* bad packet */ -+ cache_end_insert(); - } -- -- cache_end_insert(); - } - } - -@@ -2083,143 +2223,49 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - return STAT_BOGUS; - } - -- /* OK, all the RRsets validate, now see if we have a NODATA or NXDOMAIN reply */ -- if (have_answer) -- return STAT_SECURE; -- -- /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */ -- /* First marshall the NSEC records, if we've not done it previously */ -- if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass))) -- { -- /* No NSEC records. If we dropped off the end of a CNAME chain, return -- STAT_NO_SIG and the last name is keyname. This is used for proving non-existence -- if DS records in CNAME chains. */ -- if (cname_count == CNAME_CHAIN) /* No CNAME chain, return empty name. */ -- *keyname = 0; -- else if (!extract_name(header, plen, &qname, keyname, 1, 0)) -- return STAT_BOGUS; -- return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into -- an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */ -- } -- -- /* Get name of missing answer */ -- if (!extract_name(header, plen, &qname, name, 1, 0)) -- return STAT_BOGUS; -- -- if (nsec_type == T_NSEC) -- return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons); -- else -- return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons); --} -- --/* Chase the CNAME chain in the packet until the first record which _doesn't validate. -- Needed for proving answer in unsigned space. -- Return STAT_NEED_* -- STAT_BOGUS - error -- STAT_INSECURE - name of first non-secure record in name --*/ --int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname) --{ -- unsigned char *p = (unsigned char *)(header+1); -- int type, class, qclass, rdlen, j, rc; -- int cname_count = CNAME_CHAIN; -- char *wildname; -- -- /* Get question */ -- if (!extract_name(header, plen, &p, name, 1, 4)) -- return STAT_BOGUS; -- -- p +=2; /* type */ -- GETSHORT(qclass, p); -- -- while (1) -- { -- for (j = ntohs(header->ancount); j != 0; j--) -- { -- if (!(rc = extract_name(header, plen, &p, name, 0, 10))) -- return STAT_BOGUS; /* bad packet */ -- -- GETSHORT(type, p); -- GETSHORT(class, p); -- p += 4; /* TTL */ -- GETSHORT(rdlen, p); -- -- /* Not target, loop */ -- if (rc == 2 || qclass != class) -- { -- if (!ADD_RDLEN(header, p, plen, rdlen)) -- return STAT_BOGUS; -- continue; -- } -- -- /* Got to end of CNAME chain. */ -- if (type != T_CNAME) -- return STAT_INSECURE; -- -- /* validate CNAME chain, return if insecure or need more data */ -- rc = validate_rrset(now, header, plen, class, type, name, keyname, &wildname, NULL, 0, 0, 0); -- -- if (rc == STAT_SECURE_WILDCARD) -- { -- int nsec_type, nsec_count, i; -- unsigned char **nsecs; -- -- /* An attacker can replay a wildcard answer with a different -- answer and overlay a genuine RR. To prove this -- hasn't happened, the answer must prove that -- the genuine record doesn't exist. Check that here. */ -- if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, class))) -- return STAT_BOGUS; /* No NSECs or bad packet */ -- -- /* Note that we're called here because something didn't validate in validate_reply, -- so we can't assume that any NSEC records have been validated. We do them by steam here */ -- -- for (i = 0; i < nsec_count; i++) -- { -- unsigned char *p1 = nsecs[i]; -- -- if (!extract_name(header, plen, &p1, daemon->workspacename, 1, 0)) -- return STAT_BOGUS; -- -- rc = validate_rrset(now, header, plen, class, nsec_type, daemon->workspacename, keyname, NULL, NULL, 0, 0, 0); -+ /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */ -+ for (j = 0; j <targetidx; j++) -+ if ((p2 = targets[j])) -+ { -+ if (neganswer) -+ *neganswer = 1; - -- /* NSECs can't be wildcards. */ -- if (rc == STAT_SECURE_WILDCARD) -- rc = STAT_BOGUS; -+ if (!extract_name(header, plen, &p2, name, 1, 10)) -+ return STAT_BOGUS; /* bad packet */ -+ -+ /* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */ - -- if (rc != STAT_SECURE) -+ /* For anything other than a DS record, this situation is OK if either -+ the answer is in an unsigned zone, or there's a NSEC records. */ -+ if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass))) -+ { -+ /* Empty DS without NSECS */ -+ if (qtype == T_DS) -+ return STAT_BOGUS; -+ else -+ { -+ rc = zone_status(name, qclass, keyname, now); -+ if (rc != STAT_SECURE) -+ { -+ if (class) -+ *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ - return rc; -- } -- -- if (nsec_type == T_NSEC) -- rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type, NULL); -- else -- rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, -- keyname, name, type, wildname, NULL); -- -- if (rc != STAT_SECURE) -- return rc; -- } -- -- if (rc != STAT_SECURE) -- { -- if (rc == STAT_NO_SIG) -- rc = STAT_INSECURE; -- return rc; -- } -+ } -+ -+ return STAT_BOGUS; /* signed zone, no NSECs */ -+ } -+ } - -- /* Loop down CNAME chain/ */ -- if (!cname_count-- || -- !extract_name(header, plen, &p, name, 1, 0) || -- !(p = skip_questions(header, plen))) -- return STAT_BOGUS; -- -- break; -- } -+ if (nsec_type == T_NSEC) -+ rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons); -+ else -+ rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons); - -- /* End of CNAME chain */ -- return STAT_INSECURE; -- } -+ if (rc != STAT_SECURE) -+ return rc; -+ } -+ -+ return STAT_SECURE; - } - - -diff --git a/src/forward.c b/src/forward.c -index b76a974..dd22a62 100644 ---- a/src/forward.c -+++ b/src/forward.c -@@ -23,15 +23,6 @@ static struct frec *lookup_frec_by_sender(unsigned short id, - static unsigned short get_id(void); - static void free_frec(struct frec *f); - --#ifdef HAVE_DNSSEC --static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, -- int class, char *name, char *keyname, struct server *server, int *keycount); --static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname); --static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, -- char *name, char *keyname); --#endif -- -- - /* Send a UDP packet with its source address set as "source" - unless nowild is true, when we just send it with the kernel default */ - int send_from(int fd, int nowild, char *packet, size_t len, -@@ -825,236 +816,142 @@ void reply_query(int fd, int family, time_t now) - #ifdef HAVE_DNSSEC - if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED)) - { -- int status; -+ int status = 0; - - /* We've had a reply already, which we're validating. Ignore this duplicate */ - if (forward->blocking_query) - return; -- -- if (header->hb3 & HB3_TC) -- { -- /* Truncated answer can't be validated. -+ -+ /* Truncated answer can't be validated. - If this is an answer to a DNSSEC-generated query, we still - need to get the client to retry over TCP, so return - an answer with the TC bit set, even if the actual answer fits. - */ -- status = STAT_TRUNCATED; -- } -- else if (forward->flags & FREC_DNSKEY_QUERY) -- status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); -- else if (forward->flags & FREC_DS_QUERY) -- { -- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); -- /* Provably no DS, everything below is insecure, even if signatures are offered */ -- if (status == STAT_NO_DS) -- /* We only cache sigs when we've validated a reply. -- Avoid caching a reply with sigs if there's a vaildated break in the -- DS chain, so we don't return replies from cache missing sigs. */ -- status = STAT_INSECURE_DS; -- else if (status == STAT_NO_SIG) -- { -- if (option_bool(OPT_DNSSEC_NO_SIGN)) -- { -- status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); -- if (status == STAT_INSECURE) -- status = STAT_INSECURE_DS; -- } -- else -- status = STAT_INSECURE_DS; -- } -- else if (status == STAT_NO_NS) -- status = STAT_BOGUS; -- } -- else if (forward->flags & FREC_CHECK_NOSIGN) -- { -- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); -- if (status != STAT_NEED_KEY) -- status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); -- } -- else -+ if (header->hb3 & HB3_TC) -+ status = STAT_TRUNCATED; -+ -+ while (1) - { -- status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); -- if (status == STAT_NO_SIG) -+ /* As soon as anything returns BOGUS, we stop and unwind, to do otherwise -+ would invite infinite loops, since the answers to DNSKEY and DS queries -+ will not be cached, so they'll be repeated. */ -+ if (status != STAT_BOGUS && status != STAT_TRUNCATED && status != STAT_ABANDONED) - { -- if (option_bool(OPT_DNSSEC_NO_SIGN)) -- status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); -+ if (forward->flags & FREC_DNSKEY_QUERY) -+ status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); -+ else if (forward->flags & FREC_DS_QUERY) -+ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); - else -- status = STAT_INSECURE; -+ status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, -+ option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL); - } -- } -- /* Can't validate, as we're missing key data. Put this -- answer aside, whilst we get that. */ -- if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY) -- { -- struct frec *new, *orig; -- -- /* Free any saved query */ -- if (forward->stash) -- blockdata_free(forward->stash); -- -- /* Now save reply pending receipt of key data */ -- if (!(forward->stash = blockdata_alloc((char *)header, n))) -- return; -- forward->stash_len = n; - -- anotherkey: -- /* Find the original query that started it all.... */ -- for (orig = forward; orig->dependent; orig = orig->dependent); -- -- if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1))) -- status = STAT_INSECURE; -- else -+ /* Can't validate, as we're missing key data. Put this -+ answer aside, whilst we get that. */ -+ if (status == STAT_NEED_DS || status == STAT_NEED_KEY) - { -- int fd; -- struct frec *next = new->next; -- *new = *forward; /* copy everything, then overwrite */ -- new->next = next; -- new->blocking_query = NULL; -- new->sentto = server; -- new->rfd4 = NULL; -- new->orig_domain = NULL; --#ifdef HAVE_IPV6 -- new->rfd6 = NULL; --#endif -- new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN); -+ struct frec *new, *orig; - -- new->dependent = forward; /* to find query awaiting new one. */ -- forward->blocking_query = new; /* for garbage cleaning */ -- /* validate routines leave name of required record in daemon->keyname */ -- if (status == STAT_NEED_KEY) -- { -- new->flags |= FREC_DNSKEY_QUERY; -- nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz, -- daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz); -- } -- else -- { -- if (status == STAT_NEED_DS_NEG) -- new->flags |= FREC_CHECK_NOSIGN; -- else -- new->flags |= FREC_DS_QUERY; -- nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz, -- daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz); -- } -- if ((hash = hash_questions(header, nn, daemon->namebuff))) -- memcpy(new->hash, hash, HASH_SIZE); -- new->new_id = get_id(); -- header->id = htons(new->new_id); -- /* Save query for retransmission */ -- if (!(new->stash = blockdata_alloc((char *)header, nn))) -+ /* Free any saved query */ -+ if (forward->stash) -+ blockdata_free(forward->stash); -+ -+ /* Now save reply pending receipt of key data */ -+ if (!(forward->stash = blockdata_alloc((char *)header, n))) - return; -- -- new->stash_len = nn; -+ forward->stash_len = n; - -- /* Don't resend this. */ -- daemon->srv_save = NULL; -+ /* Find the original query that started it all.... */ -+ for (orig = forward; orig->dependent; orig = orig->dependent); - -- if (server->sfd) -- fd = server->sfd->fd; -+ if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1))) -+ status = STAT_ABANDONED; - else - { -- fd = -1; -+ int fd; -+ struct frec *next = new->next; -+ *new = *forward; /* copy everything, then overwrite */ -+ new->next = next; -+ new->blocking_query = NULL; -+ new->sentto = server; -+ new->rfd4 = NULL; - #ifdef HAVE_IPV6 -- if (server->addr.sa.sa_family == AF_INET6) -+ new->rfd6 = NULL; -+#endif -+ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY); -+ -+ new->dependent = forward; /* to find query awaiting new one. */ -+ forward->blocking_query = new; /* for garbage cleaning */ -+ /* validate routines leave name of required record in daemon->keyname */ -+ if (status == STAT_NEED_KEY) -+ { -+ new->flags |= FREC_DNSKEY_QUERY; -+ nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz, -+ daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz); -+ } -+ else - { -- if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) -- fd = new->rfd6->fd; -+ new->flags |= FREC_DS_QUERY; -+ nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz, -+ daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz); - } -+ if ((hash = hash_questions(header, nn, daemon->namebuff))) -+ memcpy(new->hash, hash, HASH_SIZE); -+ new->new_id = get_id(); -+ header->id = htons(new->new_id); -+ /* Save query for retransmission */ -+ new->stash = blockdata_alloc((char *)header, nn); -+ new->stash_len = nn; -+ -+ /* Don't resend this. */ -+ daemon->srv_save = NULL; -+ -+ if (server->sfd) -+ fd = server->sfd->fd; - else -+ { -+ fd = -1; -+#ifdef HAVE_IPV6 -+ if (server->addr.sa.sa_family == AF_INET6) -+ { -+ if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) -+ fd = new->rfd6->fd; -+ } -+ else - #endif -+ { -+ if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) -+ fd = new->rfd4->fd; -+ } -+ } -+ -+ if (fd != -1) - { -- if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) -- fd = new->rfd4->fd; -+ while (retry_send(sendto(fd, (char *)header, nn, 0, -+ &server->addr.sa, -+ sa_len(&server->addr)))); -+ server->queries++; - } -- } -- -- if (fd != -1) -- { -- while (retry_send(sendto(fd, (char *)header, nn, 0, -- &server->addr.sa, -- sa_len(&server->addr)))); -- server->queries++; -- } -- -+ } - return; - } -- } - -- /* Ok, we reached far enough up the chain-of-trust that we can validate something. -- Now wind back down, pulling back answers which wouldn't previously validate -- and validate them with the new data. Note that if an answer needs multiple -- keys to validate, we may find another key is needed, in which case we set off -- down another branch of the tree. Once we get to the original answer -- (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */ -- while (forward->dependent) -- { -+ /* Validated original answer, all done. */ -+ if (!forward->dependent) -+ break; -+ -+ /* validated subsdiary query, (and cached result) -+ pop that and return to the previous query we were working on. */ - struct frec *prev = forward->dependent; - free_frec(forward); - forward = prev; - forward->blocking_query = NULL; /* already gone */ - blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); - n = forward->stash_len; -- -- if (status == STAT_SECURE) -- { -- if (forward->flags & FREC_DNSKEY_QUERY) -- status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); -- else if (forward->flags & FREC_DS_QUERY) -- { -- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); -- /* Provably no DS, everything below is insecure, even if signatures are offered */ -- if (status == STAT_NO_DS) -- /* We only cache sigs when we've validated a reply. -- Avoid caching a reply with sigs if there's a vaildated break in the -- DS chain, so we don't return replies from cache missing sigs. */ -- status = STAT_INSECURE_DS; -- else if (status == STAT_NO_SIG) -- { -- if (option_bool(OPT_DNSSEC_NO_SIGN)) -- { -- status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); -- if (status == STAT_INSECURE) -- status = STAT_INSECURE_DS; -- } -- else -- status = STAT_INSECURE_DS; -- } -- else if (status == STAT_NO_NS) -- status = STAT_BOGUS; -- } -- else if (forward->flags & FREC_CHECK_NOSIGN) -- { -- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); -- if (status != STAT_NEED_KEY) -- status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); -- } -- else -- { -- status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); -- if (status == STAT_NO_SIG) -- { -- if (option_bool(OPT_DNSSEC_NO_SIGN)) -- status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); -- else -- status = STAT_INSECURE; -- } -- } -- -- if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY) -- goto anotherkey; -- } - } -+ - - no_cache_dnssec = 0; -- -- if (status == STAT_INSECURE_DS) -- { -- /* We only cache sigs when we've validated a reply. -- Avoid caching a reply with sigs if there's a vaildated break in the -- DS chain, so we don't return replies from cache missing sigs. */ -- status = STAT_INSECURE; -- no_cache_dnssec = 1; -- } - - if (status == STAT_TRUNCATED) - header->hb3 |= HB3_TC; -@@ -1062,7 +959,7 @@ void reply_query(int fd, int family, time_t now) - { - char *result, *domain = "result"; - -- if (forward->work_counter == 0) -+ if (status == STAT_ABANDONED) - { - result = "ABANDONED"; - status = STAT_BOGUS; -@@ -1072,7 +969,7 @@ void reply_query(int fd, int family, time_t now) - - if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL)) - domain = daemon->namebuff; -- -+ - log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result); - } - -@@ -1415,315 +1312,49 @@ void receive_query(struct listener *listen, time_t now) - } - - #ifdef HAVE_DNSSEC -- --/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS -- and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or -- STAT_NEED_DS_NEG and keyname if we need to do the query. */ --static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, -- char *name, char *keyname) --{ -- int status = dnssec_chase_cname(now, header, plen, name, keyname); -- -- if (status != STAT_INSECURE) -- return status; -- -- /* Store the domain we're trying to check. */ -- forward->name_start = strlen(name); -- forward->name_len = forward->name_start + 1; -- if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len))) -- return STAT_BOGUS; -- -- return do_check_sign(forward, 0, now, name, keyname); --} -- --/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */ --static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname) --{ -- /* get domain we're checking back from blockdata store, it's stored on the original query. */ -- while (forward->dependent && !forward->orig_domain) -- forward = forward->dependent; -- -- blockdata_retrieve(forward->orig_domain, forward->name_len, name); -- -- while (1) -- { -- char *p; -- -- if (status == 0) -- { -- struct crec *crecp; -- -- /* Haven't received answer, see if in cache */ -- if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS))) -- { -- /* put name of DS record we're missing into keyname */ -- strcpy(keyname, &name[forward->name_start]); -- /* and wait for reply to arrive */ -- return STAT_NEED_DS_NEG; -- } -- -- /* F_DNSSECOK misused in DS cache records to non-existance of NS record */ -- if (!(crecp->flags & F_NEG)) -- status = STAT_SECURE; -- else if (crecp->flags & F_DNSSECOK) -- status = STAT_NO_DS; -- else -- status = STAT_NO_NS; -- } -- -- /* Have entered non-signed part of DNS tree. */ -- if (status == STAT_NO_DS) -- return forward->dependent ? STAT_INSECURE_DS : STAT_INSECURE; -- -- if (status == STAT_BOGUS) -- return STAT_BOGUS; -- -- if (status == STAT_NO_SIG && *keyname != 0) -- { -- /* There is a validated CNAME chain that doesn't end in a DS record. Start -- the search again in that domain. */ -- blockdata_free(forward->orig_domain); -- forward->name_start = strlen(keyname); -- forward->name_len = forward->name_start + 1; -- if (!(forward->orig_domain = blockdata_alloc(keyname, forward->name_len))) -- return STAT_BOGUS; -- -- strcpy(name, keyname); -- status = 0; /* force to cache when we iterate. */ -- continue; -- } -- -- /* There's a proven DS record, or we're within a zone, where there doesn't need -- to be a DS record. Add a name and try again. -- If we've already tried the whole name, then fail */ -- -- if (forward->name_start == 0) -- return STAT_BOGUS; -- -- for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--); -- -- if (p != name) -- p++; -- -- forward->name_start = p - name; -- status = 0; /* force to cache when we iterate. */ -- } --} -- --/* Move down from the root, until we find a signed non-existance of a DS, in which case -- an unsigned answer is OK, or we find a signed DS, in which case there should be -- a signature, and the answer is BOGUS */ --static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name, -- char *keyname, struct server *server, int *keycount) --{ -- size_t m; -- unsigned char *packet, *payload; -- u16 *length; -- int status, name_len; -- struct blockdata *block; -- -- char *name_start; -- -- /* Get first insecure entry in CNAME chain */ -- status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount); -- if (status == STAT_BOGUS) -- return STAT_BOGUS; -- -- if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)))) -- return STAT_BOGUS; -- -- payload = &packet[2]; -- header = (struct dns_header *)payload; -- length = (u16 *)packet; -- -- /* Stash the name away, since the buffer will be trashed when we recurse */ -- name_len = strlen(name) + 1; -- name_start = name + name_len - 1; -- -- if (!(block = blockdata_alloc(name, name_len))) -- { -- free(packet); -- return STAT_BOGUS; -- } -- -- while (1) -- { -- unsigned char c1, c2; -- struct crec *crecp; -- -- if (--(*keycount) == 0) -- { -- free(packet); -- blockdata_free(block); -- return STAT_BOGUS; -- } -- -- while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS))) -- { -- if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)) -- { -- /* Found a secure denial of DS - delegation is indeed insecure */ -- free(packet); -- blockdata_free(block); -- return STAT_INSECURE; -- } -- -- /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. -- Add another label and continue. */ -- -- if (name_start == name) -- { -- free(packet); -- blockdata_free(block); -- return STAT_BOGUS; /* run out of labels */ -- } -- -- name_start -= 2; -- while (*name_start != '.' && name_start != name) -- name_start--; -- if (name_start != name) -- name_start++; -- } -- -- /* Can't find it in the cache, have to send a query */ -- -- m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz); -- -- *length = htons(m); -- -- if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) && -- read_write(server->tcpfd, &c1, 1, 1) && -- read_write(server->tcpfd, &c2, 1, 1) && -- read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) -- { -- m = (c1 << 8) | c2; -- -- /* Note this trashes all three name workspaces */ -- status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount); -- -- if (status == STAT_NO_DS) -- { -- /* Found a secure denial of DS - delegation is indeed insecure */ -- free(packet); -- blockdata_free(block); -- return STAT_INSECURE; -- } -- -- if (status == STAT_NO_SIG && *keyname != 0) -- { -- /* There is a validated CNAME chain that doesn't end in a DS record. Start -- the search again in that domain. */ -- blockdata_free(block); -- name_len = strlen(keyname) + 1; -- name_start = name + name_len - 1; -- -- if (!(block = blockdata_alloc(keyname, name_len))) -- return STAT_BOGUS; -- -- strcpy(name, keyname); -- continue; -- } -- -- if (status == STAT_BOGUS) -- { -- free(packet); -- blockdata_free(block); -- return STAT_BOGUS; -- } -- -- /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. -- Add another label and continue. */ -- -- /* Get name we're checking back. */ -- blockdata_retrieve(block, name_len, name); -- -- if (name_start == name) -- { -- free(packet); -- blockdata_free(block); -- return STAT_BOGUS; /* run out of labels */ -- } -- -- name_start -= 2; -- while (*name_start != '.' && name_start != name) -- name_start--; -- if (name_start != name) -- name_start++; -- } -- else -- { -- /* IO failure */ -- free(packet); -- blockdata_free(block); -- return STAT_BOGUS; /* run out of labels */ -- } -- } --} -- - static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, - int class, char *name, char *keyname, struct server *server, int *keycount) - { - /* Recurse up the key heirarchy */ - int new_status; -+ unsigned char *packet = NULL; -+ size_t m; -+ unsigned char *payload = NULL; -+ struct dns_header *new_header = NULL; -+ u16 *length = NULL; -+ unsigned char c1, c2; - -- /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */ -- if (--(*keycount) == 0) -- return STAT_INSECURE; -- -- if (status == STAT_NEED_KEY) -- new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); -- else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) -+ while (1) - { -- new_status = dnssec_validate_ds(now, header, n, name, keyname, class); -- if (status == STAT_NEED_DS) -+ /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */ -+ if (--(*keycount) == 0) -+ new_status = STAT_ABANDONED; -+ else if (status == STAT_NEED_KEY) -+ new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); -+ else if (status == STAT_NEED_DS) -+ new_status = dnssec_validate_ds(now, header, n, name, keyname, class); -+ else -+ new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL); -+ -+ if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY) -+ break; -+ -+ /* Can't validate because we need a key/DS whose name now in keyname. -+ Make query for same, and recurse to validate */ -+ if (!packet) - { -- if (new_status == STAT_NO_DS) -- new_status = STAT_INSECURE_DS; -- if (new_status == STAT_NO_SIG) -- { -- if (option_bool(OPT_DNSSEC_NO_SIGN)) -- { -- new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); -- if (new_status == STAT_INSECURE) -- new_status = STAT_INSECURE_DS; -- } -- else -- new_status = STAT_INSECURE_DS; -- } -- else if (new_status == STAT_NO_NS) -- new_status = STAT_BOGUS; -+ packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)); -+ payload = &packet[2]; -+ new_header = (struct dns_header *)payload; -+ length = (u16 *)packet; - } -- } -- else if (status == STAT_CHASE_CNAME) -- new_status = dnssec_chase_cname(now, header, n, name, keyname); -- else -- { -- new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); - -- if (new_status == STAT_NO_SIG) -+ if (!packet) - { -- if (option_bool(OPT_DNSSEC_NO_SIGN)) -- new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); -- else -- new_status = STAT_INSECURE; -+ new_status = STAT_ABANDONED; -+ break; - } -- } -- -- /* Can't validate because we need a key/DS whose name now in keyname. -- Make query for same, and recurse to validate */ -- if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY) -- { -- size_t m; -- unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)); -- unsigned char *payload = &packet[2]; -- struct dns_header *new_header = (struct dns_header *)payload; -- u16 *length = (u16 *)packet; -- unsigned char c1, c2; -- -- if (!packet) -- return STAT_INSECURE; -- -- another_tcp_key: -+ - m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class, - new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz); - -@@ -1733,65 +1364,22 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si - !read_write(server->tcpfd, &c1, 1, 1) || - !read_write(server->tcpfd, &c2, 1, 1) || - !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) -- new_status = STAT_INSECURE; -- else - { -- m = (c1 << 8) | c2; -- -- new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount); -- -- if (new_status == STAT_SECURE) -- { -- /* Reached a validated record, now try again at this level. -- Note that we may get ANOTHER NEED_* if an answer needs more than one key. -- If so, go round again. */ -- -- if (status == STAT_NEED_KEY) -- new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); -- else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) -- { -- new_status = dnssec_validate_ds(now, header, n, name, keyname, class); -- if (status == STAT_NEED_DS) -- { -- if (new_status == STAT_NO_DS) -- new_status = STAT_INSECURE_DS; -- else if (new_status == STAT_NO_SIG) -- { -- if (option_bool(OPT_DNSSEC_NO_SIGN)) -- { -- new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); -- if (new_status == STAT_INSECURE) -- new_status = STAT_INSECURE_DS; -- } -- else -- new_status = STAT_INSECURE_DS; -- } -- else if (new_status == STAT_NO_NS) -- new_status = STAT_BOGUS; -- } -- } -- else if (status == STAT_CHASE_CNAME) -- new_status = dnssec_chase_cname(now, header, n, name, keyname); -- else -- { -- new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); -- -- if (new_status == STAT_NO_SIG) -- { -- if (option_bool(OPT_DNSSEC_NO_SIGN)) -- new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); -- else -- new_status = STAT_INSECURE; -- } -- } -- -- if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY) -- goto another_tcp_key; -- } -+ new_status = STAT_ABANDONED; -+ break; - } -+ -+ m = (c1 << 8) | c2; - -- free(packet); -+ new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount); -+ -+ if (new_status != STAT_OK) -+ break; - } -+ -+ if (packet) -+ free(packet); -+ - return new_status; - } - #endif -@@ -2075,19 +1663,10 @@ unsigned char *tcp_request(int confd, time_t now, - if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled) - { - int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */ -- int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount); -+ int status = tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount); - char *result, *domain = "result"; -- -- if (status == STAT_INSECURE_DS) -- { -- /* We only cache sigs when we've validated a reply. -- Avoid caching a reply with sigs if there's a vaildated break in the -- DS chain, so we don't return replies from cache missing sigs. */ -- status = STAT_INSECURE; -- no_cache_dnssec = 1; -- } - -- if (keycount == 0) -+ if (status == STAT_ABANDONED) - { - result = "ABANDONED"; - status = STAT_BOGUS; -@@ -2179,7 +1758,6 @@ static struct frec *allocate_frec(time_t now) - f->dependent = NULL; - f->blocking_query = NULL; - f->stash = NULL; -- f->orig_domain = NULL; - #endif - daemon->frec_list = f; - } -@@ -2248,12 +1826,6 @@ static void free_frec(struct frec *f) - f->stash = NULL; - } - -- if (f->orig_domain) -- { -- blockdata_free(f->orig_domain); -- f->orig_domain = NULL; -- } -- - /* Anything we're waiting on is pointless now, too */ - if (f->blocking_query) - free_frec(f->blocking_query); -@@ -2281,14 +1853,23 @@ struct frec *get_new_frec(time_t now, int *wait, int force) - target = f; - else - { -- if (difftime(now, f->time) >= 4*TIMEOUT) -- { -- free_frec(f); -- target = f; -- } -- -- if (!oldest || difftime(f->time, oldest->time) <= 0) -- oldest = f; -+#ifdef HAVE_DNSSEC -+ /* Don't free DNSSEC sub-queries here, as we may end up with -+ dangling references to them. They'll go when their "real" query -+ is freed. */ -+ if (!f->dependent) -+#endif -+ { -+ if (difftime(now, f->time) >= 4*TIMEOUT) -+ { -+ free_frec(f); -+ target = f; -+ } -+ -+ -+ if (!oldest || difftime(f->time, oldest->time) <= 0) -+ oldest = f; -+ } - } - - if (target) --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch b/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch deleted file mode 100644 index 5ffaf97..0000000 --- a/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch +++ /dev/null @@ -1,612 +0,0 @@ -From 93be5b1e023b0c661e1ec2cd6d811a8ec9055c49 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Tue, 15 Dec 2015 12:04:40 +0000 -Subject: [PATCH] Abandon caching RRSIGs and returning them from cache. - -The list of exceptions to being able to locally answer -cached data for validated records when DNSSEC data is requested -was getting too long, so don't ever do that. This means -that the cache no longer has to hold RRSIGS and allows -us to lose lots of code. Note that cached validated -answers are still returned as long as do=0 ---- - src/cache.c | 38 ++--------- - src/dnsmasq.h | 10 +-- - src/dnssec.c | 94 ++++----------------------- - src/rfc1035.c | 197 ++++++--------------------------------------------------- - 4 files changed, 42 insertions(+), 297 deletions(-) - -diff --git a/src/cache.c b/src/cache.c -index 1b76b67..51ba7cc 100644 ---- a/src/cache.c -+++ b/src/cache.c -@@ -189,12 +189,7 @@ static void cache_hash(struct crec *crecp) - static void cache_blockdata_free(struct crec *crecp) - { - if (crecp->flags & F_DNSKEY) -- { -- if (crecp->flags & F_DS) -- blockdata_free(crecp->addr.sig.keydata); -- else -- blockdata_free(crecp->addr.key.keydata); -- } -+ blockdata_free(crecp->addr.key.keydata); - else if ((crecp->flags & F_DS) && !(crecp->flags & F_NEG)) - blockdata_free(crecp->addr.ds.keydata); - } -@@ -369,13 +364,8 @@ static struct crec *cache_scan_free(char *name, struct all_addr *addr, time_t no - } - - #ifdef HAVE_DNSSEC -- /* Deletion has to be class-sensitive for DS, DNSKEY, RRSIG, also -- type-covered sensitive for RRSIG */ -- if ((flags & (F_DNSKEY | F_DS)) && -- (flags & (F_DNSKEY | F_DS)) == (crecp->flags & (F_DNSKEY | F_DS)) && -- crecp->uid == addr->addr.dnssec.class && -- (!((flags & (F_DS | F_DNSKEY)) == (F_DS | F_DNSKEY)) || -- crecp->addr.sig.type_covered == addr->addr.dnssec.type)) -+ /* Deletion has to be class-sensitive for DS and DNSKEY */ -+ if ((flags & crecp->flags & (F_DNSKEY | F_DS)) && crecp->uid == addr->addr.dnssec.class) - { - if (crecp->flags & F_CONFIG) - return crecp; -@@ -532,13 +522,9 @@ struct crec *cache_insert(char *name, struct all_addr *addr, - struct all_addr free_addr = new->addr.addr;; - - #ifdef HAVE_DNSSEC -- /* For DNSSEC records, addr holds class and type_covered for RRSIG */ -+ /* For DNSSEC records, addr holds class. */ - if (new->flags & (F_DS | F_DNSKEY)) -- { -- free_addr.addr.dnssec.class = new->uid; -- if ((new->flags & (F_DS | F_DNSKEY)) == (F_DS | F_DNSKEY)) -- free_addr.addr.dnssec.type = new->addr.sig.type_covered; -- } -+ free_addr.addr.dnssec.class = new->uid; - #endif - - free_avail = 1; /* Must be free space now. */ -@@ -653,9 +639,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi - if (!is_expired(now, crecp) && !is_outdated_cname_pointer(crecp)) - { - if ((crecp->flags & F_FORWARD) && --#ifdef HAVE_DNSSEC -- (((crecp->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) && --#endif - (crecp->flags & prot) && - hostname_isequal(cache_get_name(crecp), name)) - { -@@ -713,9 +696,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi - - if (ans && - (ans->flags & F_FORWARD) && --#ifdef HAVE_DNSSEC -- (((ans->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) && --#endif - (ans->flags & prot) && - hostname_isequal(cache_get_name(ans), name)) - return ans; -@@ -1472,11 +1452,7 @@ void dump_cache(time_t now) - #ifdef HAVE_DNSSEC - else if (cache->flags & F_DS) - { -- if (cache->flags & F_DNSKEY) -- /* RRSIG */ -- sprintf(a, "%5u %3u %s", cache->addr.sig.keytag, -- cache->addr.sig.algo, querystr("", cache->addr.sig.type_covered)); -- else if (!(cache->flags & F_NEG)) -+ if (!(cache->flags & F_NEG)) - sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag, - cache->addr.ds.algo, cache->addr.ds.digest); - } -@@ -1502,8 +1478,6 @@ void dump_cache(time_t now) - else if (cache->flags & F_CNAME) - t = "C"; - #ifdef HAVE_DNSSEC -- else if ((cache->flags & (F_DS | F_DNSKEY)) == (F_DS | F_DNSKEY)) -- t = "G"; /* DNSKEY and DS set -> RRISG */ - else if (cache->flags & F_DS) - t = "S"; - else if (cache->flags & F_DNSKEY) -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index 023a1cf..4344cae 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -398,14 +398,9 @@ struct crec { - unsigned char algo; - unsigned char digest; - } ds; -- struct { -- struct blockdata *keydata; -- unsigned short keylen, type_covered, keytag; -- char algo; -- } sig; - } addr; - time_t ttd; /* time to die */ -- /* used as class if DNSKEY/DS/RRSIG, index to source for F_HOSTS */ -+ /* used as class if DNSKEY/DS, index to source for F_HOSTS */ - unsigned int uid; - unsigned short flags; - union { -@@ -445,8 +440,7 @@ struct crec { - #define F_SECSTAT (1u<<24) - #define F_NO_RR (1u<<25) - #define F_IPSET (1u<<26) --#define F_NSIGMATCH (1u<<27) --#define F_NOEXTRA (1u<<28) -+#define F_NOEXTRA (1u<<27) - - /* Values of uid in crecs with F_CONFIG bit set. */ - #define SRC_INTERFACE 0 -diff --git a/src/dnssec.c b/src/dnssec.c -index de7b335..1ae03a6 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -1004,7 +1004,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - { - unsigned char *psave, *p = (unsigned char *)(header+1); - struct crec *crecp, *recp1; -- int rc, j, qtype, qclass, ttl, rdlen, flags, algo, valid, keytag, type_covered; -+ int rc, j, qtype, qclass, ttl, rdlen, flags, algo, valid, keytag; - struct blockdata *key; - struct all_addr a; - -@@ -1115,7 +1115,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - - if (valid) - { -- /* DNSKEY RRset determined to be OK, now cache it and the RRsigs that sign it. */ -+ /* DNSKEY RRset determined to be OK, now cache it. */ - cache_start_insert(); - - p = skip_questions(header, plen); -@@ -1155,7 +1155,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - if ((key = blockdata_alloc((char*)p, rdlen - 4))) - { - if (!(recp1 = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK))) -- blockdata_free(key); -+ { -+ blockdata_free(key); -+ return STAT_BOGUS; -+ } - else - { - a.addr.keytag = keytag; -@@ -1169,38 +1172,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - } - } - } -- else if (qtype == T_RRSIG) -- { -- /* RRSIG, cache if covers DNSKEY RRset */ -- if (rdlen < 18) -- return STAT_BOGUS; /* bad packet */ -- -- GETSHORT(type_covered, p); -- -- if (type_covered == T_DNSKEY) -- { -- a.addr.dnssec.class = class; -- a.addr.dnssec.type = type_covered; -- -- algo = *p++; -- p += 13; /* labels, orig_ttl, expiration, inception */ -- GETSHORT(keytag, p); -- if ((key = blockdata_alloc((char*)psave, rdlen))) -- { -- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS))) -- blockdata_free(key); -- else -- { -- crecp->addr.sig.keydata = key; -- crecp->addr.sig.keylen = rdlen; -- crecp->addr.sig.keytag = keytag; -- crecp->addr.sig.type_covered = type_covered; -- crecp->addr.sig.algo = algo; -- } -- } -- } -- } -- -+ - p = psave; - } - -@@ -1326,7 +1298,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - cache_start_insert(); - - a.addr.dnssec.class = class; -- cache_insert(name, &a, now, ttl, flags); -+ if (!cache_insert(name, &a, now, ttl, flags)) -+ return STAT_BOGUS; - - cache_end_insert(); - -@@ -2028,14 +2001,13 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - /* Not done, validate now */ - if (j == i) - { -- int ttl, keytag, algo, digest, type_covered, sigcnt, rrcnt; -+ int ttl, keytag, algo, digest, sigcnt, rrcnt; - unsigned char *psave; - struct all_addr a; - struct blockdata *key; - struct crec *crecp; - char *wildname; -- int have_wildcard = 0; -- -+ - if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigcnt, &rrcnt)) - return STAT_BOGUS; - -@@ -2096,8 +2068,6 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - - if (rc == STAT_SECURE_WILDCARD) - { -- have_wildcard = 1; -- - /* An attacker replay a wildcard answer with a different - answer and overlay a genuine RR. To prove this - hasn't happened, the answer must prove that -@@ -2119,7 +2089,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - return rc; - } - -- /* Cache RRsigs in answer section, and if we just validated a DS RRset, cache it */ -+ /* If we just validated a DS RRset, cache it */ - /* Also note if the RRset is the answer to the question, or the target of a CNAME */ - cache_start_insert(); - -@@ -2168,45 +2138,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - } - } - } -- else if (type2 == T_RRSIG) -- { -- if (rdlen2 < 18) -- return STAT_BOGUS; /* bad packet */ -- -- GETSHORT(type_covered, p2); -- -- if (type_covered == type1 && -- (type_covered == T_A || type_covered == T_AAAA || -- type_covered == T_CNAME || type_covered == T_DS || -- type_covered == T_DNSKEY || type_covered == T_PTR)) -- { -- a.addr.dnssec.type = type_covered; -- a.addr.dnssec.class = class1; -- -- algo = *p2++; -- p2 += 13; /* labels, orig_ttl, expiration, inception */ -- GETSHORT(keytag, p2); -- -- /* We don't cache sigs for wildcard answers, because to reproduce the -- answer from the cache will require one or more NSEC/NSEC3 records -- which we don't cache. The lack of the RRSIG ensures that a query for -- this RRset asking for a secure answer will always be forwarded. */ -- if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2))) -- { -- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS))) -- blockdata_free(key); -- else -- { -- crecp->addr.sig.keydata = key; -- crecp->addr.sig.keylen = rdlen2; -- crecp->addr.sig.keytag = keytag; -- crecp->addr.sig.type_covered = type_covered; -- crecp->addr.sig.algo = algo; -- } -- } -- } -- } -- -+ - p2 = psave; - } - -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 4eb1772..def8fa0 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -1275,11 +1275,9 @@ int check_for_local_domain(char *name, time_t now) - struct naptr *naptr; - - /* Note: the call to cache_find_by_name is intended to find any record which matches -- ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY, -- cache_find_by name ordinarily only returns records with an exact match on those bits (ie -- for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */ -+ ie A, AAAA, CNAME. */ - -- if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_DS | F_NO_RR | F_NSIGMATCH)) && -+ if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME |F_NO_RR)) && - (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG))) - return 1; - -@@ -1566,9 +1564,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - GETSHORT(flags, pheader); - - if ((sec_reqd = flags & 0x8000)) -- *do_bit = 1;/* do bit */ -+ { -+ *do_bit = 1;/* do bit */ -+ *ad_reqd = 1; -+ } - -- *ad_reqd = 1; - dryrun = 1; - } - -@@ -1636,98 +1636,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - } - } - --#ifdef HAVE_DNSSEC -- if (option_bool(OPT_DNSSEC_VALID) && (qtype == T_DNSKEY || qtype == T_DS)) -- { -- int gotone = 0; -- struct blockdata *keydata; -- -- /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */ -- if (sec_reqd) -- { -- crecp = NULL; -- while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS))) -- if (crecp->uid == qclass && crecp->addr.sig.type_covered == qtype) -- break; -- } -- -- if (!sec_reqd || crecp) -- { -- if (qtype == T_DS) -- { -- crecp = NULL; -- while ((crecp = cache_find_by_name(crecp, name, now, F_DS))) -- if (crecp->uid == qclass) -- { -- gotone = 1; -- if (!dryrun) -- { -- if (crecp->flags & F_NEG) -- { -- if (crecp->flags & F_NXDOMAIN) -- nxdomain = 1; -- log_query(F_UPSTREAM, name, NULL, "no DS"); -- } -- else if ((keydata = blockdata_retrieve(crecp->addr.ds.keydata, crecp->addr.ds.keylen, NULL))) -- { -- struct all_addr a; -- a.addr.keytag = crecp->addr.ds.keytag; -- log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DS keytag %u"); -- if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, -- crec_ttl(crecp, now), &nameoffset, -- T_DS, qclass, "sbbt", -- crecp->addr.ds.keytag, crecp->addr.ds.algo, -- crecp->addr.ds.digest, crecp->addr.ds.keylen, keydata)) -- anscount++; -- -- } -- } -- } -- } -- else /* DNSKEY */ -- { -- crecp = NULL; -- while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY))) -- if (crecp->uid == qclass) -- { -- gotone = 1; -- if (!dryrun && (keydata = blockdata_retrieve(crecp->addr.key.keydata, crecp->addr.key.keylen, NULL))) -- { -- struct all_addr a; -- a.addr.keytag = crecp->addr.key.keytag; -- log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DNSKEY keytag %u"); -- if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, -- crec_ttl(crecp, now), &nameoffset, -- T_DNSKEY, qclass, "sbbt", -- crecp->addr.key.flags, 3, crecp->addr.key.algo, crecp->addr.key.keylen, keydata)) -- anscount++; -- } -- } -- } -- } -- -- /* Now do RRSIGs */ -- if (gotone) -- { -- ans = 1; -- auth = 0; -- if (!dryrun && sec_reqd) -- { -- crecp = NULL; -- while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS))) -- if (crecp->uid == qclass && crecp->addr.sig.type_covered == qtype && -- (keydata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL))) -- { -- add_resource_record(header, limit, &trunc, nameoffset, &ansp, -- crec_ttl(crecp, now), &nameoffset, -- T_RRSIG, qclass, "t", crecp->addr.sig.keylen, keydata); -- anscount++; -- } -- } -- } -- } --#endif -- - if (qclass == C_IN) - { - struct txt_record *t; -@@ -1736,6 +1644,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - if ((t->class == qtype || qtype == T_ANY) && hostname_isequal(name, t->name)) - { - ans = 1; -+ sec_data = 0; - if (!dryrun) - { - log_query(F_CONFIG | F_RRNAME, name, NULL, "<RR>"); -@@ -1792,6 +1701,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - - if (intr) - { -+ sec_data = 0; - ans = 1; - if (!dryrun) - { -@@ -1805,6 +1715,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - else if (ptr) - { - ans = 1; -+ sec_data = 0; - if (!dryrun) - { - log_query(F_CONFIG | F_RRNAME, name, NULL, "<PTR>"); -@@ -1819,38 +1730,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - } - else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa))) - { -- if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd) -- { -- if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))) -- crecp = NULL; --#ifdef HAVE_DNSSEC -- else if (crecp->flags & F_DNSSECOK) -- { -- int gotsig = 0; -- struct crec *rr_crec = NULL; -- -- while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY))) -- { -- if (rr_crec->addr.sig.type_covered == T_PTR && rr_crec->uid == C_IN) -- { -- char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL); -- gotsig = 1; -- -- if (!dryrun && -- add_resource_record(header, limit, &trunc, nameoffset, &ansp, -- rr_crec->ttd - now, &nameoffset, -- T_RRSIG, C_IN, "t", crecp->addr.sig.keylen, sigdata)) -- anscount++; -- } -- } -- -- if (!gotsig) -- crecp = NULL; -- } --#endif -- } -- -- if (crecp) -+ /* Don't use cache when DNSSEC data required. */ -+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(crecp->flags & F_DNSSECOK)) - { - do - { -@@ -1860,19 +1741,19 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - - if (!(crecp->flags & F_DNSSECOK)) - sec_data = 0; -- -+ -+ ans = 1; -+ - if (crecp->flags & F_NEG) - { -- ans = 1; - auth = 0; - if (crecp->flags & F_NXDOMAIN) - nxdomain = 1; - if (!dryrun) - log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL); - } -- else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd || option_bool(OPT_DNSSEC_VALID)) -+ else - { -- ans = 1; - if (!(crecp->flags & (F_HOSTS | F_DHCP))) - auth = 0; - if (!dryrun) -@@ -1892,6 +1773,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - else if (is_rev_synth(is_arpa, &addr, name)) - { - ans = 1; -+ sec_data = 0; - if (!dryrun) - { - log_query(F_CONFIG | F_REVERSE | is_arpa, name, &addr, NULL); -@@ -1908,6 +1790,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - { - /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */ - ans = 1; -+ sec_data = 0; - nxdomain = 1; - if (!dryrun) - log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN, -@@ -1955,6 +1838,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - if (i == 4) - { - ans = 1; -+ sec_data = 0; - if (!dryrun) - { - addr.addr.addr4.s_addr = htonl(a); -@@ -1993,6 +1877,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - continue; - #endif - ans = 1; -+ sec_data = 0; - if (!dryrun) - { - gotit = 1; -@@ -2032,48 +1917,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - crecp = save; - } - -- /* If the client asked for DNSSEC and we can't provide RRSIGs, either -- because we've not doing DNSSEC or the cached answer is signed by negative, -- don't answer from the cache, forward instead. */ -- if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd) -- { -- if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))) -- crecp = NULL; --#ifdef HAVE_DNSSEC -- else if (crecp->flags & F_DNSSECOK) -- { -- /* We're returning validated data, need to return the RRSIG too. */ -- struct crec *rr_crec = NULL; -- int sigtype = type; -- /* The signature may have expired even though the data is still in cache, -- forward instead of answering from cache if so. */ -- int gotsig = 0; -- -- if (crecp->flags & F_CNAME) -- sigtype = T_CNAME; -- -- while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY))) -- { -- if (rr_crec->addr.sig.type_covered == sigtype && rr_crec->uid == C_IN) -- { -- char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL); -- gotsig = 1; -- -- if (!dryrun && -- add_resource_record(header, limit, &trunc, nameoffset, &ansp, -- rr_crec->ttd - now, &nameoffset, -- T_RRSIG, C_IN, "t", rr_crec->addr.sig.keylen, sigdata)) -- anscount++; -- } -- } -- -- if (!gotsig) -- crecp = NULL; -- } --#endif -- } -- -- if (crecp) -+ /* If the client asked for DNSSEC don't use cached data. */ -+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(crecp->flags & F_DNSSECOK)) - do - { - /* don't answer wildcard queries with data not from /etc/hosts --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch b/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch deleted file mode 100644 index ff055f7..0000000 --- a/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch +++ /dev/null @@ -1,269 +0,0 @@ -From d64c81fff7faf4392b688223ef3a617c5c07e7dc Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Tue, 15 Dec 2015 16:11:06 +0000 -Subject: [PATCH] Move code which caches DS records to a more logical place. - ---- - src/dnssec.c | 179 +++++++++++++++++++++++++++++----------------------------- - 1 file changed, 90 insertions(+), 89 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index 1ae03a6..359231f 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -1204,7 +1204,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) - { - unsigned char *p = (unsigned char *)(header+1); -- int qtype, qclass, val, i, neganswer, nons; -+ int qtype, qclass, rc, i, neganswer, nons; -+ int aclass, atype, rdlen; -+ unsigned long ttl; -+ struct all_addr a; - - if (ntohs(header->qdcount) != 1 || - !(p = skip_name(p, header, plen, 4))) -@@ -1214,40 +1217,100 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - GETSHORT(qclass, p); - - if (qtype != T_DS || qclass != class) -- val = STAT_BOGUS; -+ rc = STAT_BOGUS; - else -- val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons); -+ rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons); - /* Note dnssec_validate_reply() will have cached positive answers */ - -- if (val == STAT_INSECURE) -- val = STAT_BOGUS; -- -+ if (rc == STAT_INSECURE) -+ rc = STAT_BOGUS; -+ - p = (unsigned char *)(header+1); - extract_name(header, plen, &p, name, 1, 4); - p += 4; /* qtype, qclass */ - -- if (!(p = skip_section(p, ntohs(header->ancount), header, plen))) -- val = STAT_BOGUS; -- - /* If the key needed to validate the DS is on the same domain as the DS, we'll - loop getting nowhere. Stop that now. This can happen of the DS answer comes - from the DS's zone, and not the parent zone. */ -- if (val == STAT_BOGUS || (val == STAT_NEED_KEY && hostname_isequal(name, keyname))) -+ if (rc == STAT_BOGUS || (rc == STAT_NEED_KEY && hostname_isequal(name, keyname))) - { - log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS"); - return STAT_BOGUS; - } - -- if (val != STAT_SECURE) -- return val; -- -- /* By here, the answer is proved secure, and a positive answer has been cached. */ -- if (neganswer) -+ if (rc != STAT_SECURE) -+ return rc; -+ -+ if (!neganswer) - { -- int rdlen, flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; -- unsigned long ttl, minttl = ULONG_MAX; -- struct all_addr a; -+ cache_start_insert(); -+ -+ for (i = 0; i < ntohs(header->ancount); i++) -+ { -+ if (!(rc = extract_name(header, plen, &p, name, 0, 10))) -+ return STAT_BOGUS; /* bad packet */ -+ -+ GETSHORT(atype, p); -+ GETSHORT(aclass, p); -+ GETLONG(ttl, p); -+ GETSHORT(rdlen, p); -+ -+ if (!CHECK_LEN(header, p, plen, rdlen)) -+ return STAT_BOGUS; /* bad packet */ -+ -+ if (aclass == class && atype == T_DS && rc == 1) -+ { -+ int algo, digest, keytag; -+ unsigned char *psave = p; -+ struct blockdata *key; -+ struct crec *crecp; - -+ if (rdlen < 4) -+ return STAT_BOGUS; /* bad packet */ -+ -+ GETSHORT(keytag, p); -+ algo = *p++; -+ digest = *p++; -+ -+ /* Cache needs to known class for DNSSEC stuff */ -+ a.addr.dnssec.class = class; -+ -+ if ((key = blockdata_alloc((char*)p, rdlen - 4))) -+ { -+ if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))) -+ { -+ blockdata_free(key); -+ return STAT_BOGUS; -+ } -+ else -+ { -+ a.addr.keytag = keytag; -+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); -+ crecp->addr.ds.digest = digest; -+ crecp->addr.ds.keydata = key; -+ crecp->addr.ds.algo = algo; -+ crecp->addr.ds.keytag = keytag; -+ crecp->addr.ds.keylen = rdlen - 4; -+ } -+ } -+ -+ p = psave; -+ -+ if (!ADD_RDLEN(header, p, plen, rdlen)) -+ return STAT_BOGUS; /* bad packet */ -+ } -+ -+ cache_end_insert(); -+ } -+ } -+ else -+ { -+ int flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; -+ unsigned long minttl = ULONG_MAX; -+ -+ if (!(p = skip_section(p, ntohs(header->ancount), header, plen))) -+ return STAT_BOGUS; -+ - if (RCODE(header) == NXDOMAIN) - flags |= F_NXDOMAIN; - -@@ -1261,20 +1324,20 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - if (!(p = skip_name(p, header, plen, 0))) - return STAT_BOGUS; - -- GETSHORT(qtype, p); -- GETSHORT(qclass, p); -+ GETSHORT(atype, p); -+ GETSHORT(aclass, p); - GETLONG(ttl, p); - GETSHORT(rdlen, p); -- -+ - if (!CHECK_LEN(header, p, plen, rdlen)) - return STAT_BOGUS; /* bad packet */ -- -- if (qclass != class || qtype != T_SOA) -+ -+ if (aclass != class || atype != T_SOA) - { - p += rdlen; - continue; - } -- -+ - if (ttl < minttl) - minttl = ttl; - -@@ -1306,7 +1369,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "no DS"); - } - } -- -+ - return STAT_OK; - } - -@@ -2001,11 +2064,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - /* Not done, validate now */ - if (j == i) - { -- int ttl, keytag, algo, digest, sigcnt, rrcnt; -- unsigned char *psave; -- struct all_addr a; -- struct blockdata *key; -- struct crec *crecp; -+ int sigcnt, rrcnt; - char *wildname; - - if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigcnt, &rrcnt)) -@@ -2032,6 +2091,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - Can't overwrite name here. */ - strcpy(daemon->workspacename, keyname); - rc = zone_status(daemon->workspacename, class1, keyname, now); -+ - if (rc != STAT_SECURE) - { - /* Zone is insecure, don't need to validate RRset */ -@@ -2088,65 +2148,6 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - if (rc == STAT_BOGUS) - return rc; - } -- -- /* If we just validated a DS RRset, cache it */ -- /* Also note if the RRset is the answer to the question, or the target of a CNAME */ -- cache_start_insert(); -- -- for (p2 = ans_start, j = 0; j < ntohs(header->ancount); j++) -- { -- if (!(rc = extract_name(header, plen, &p2, name, 0, 10))) -- return STAT_BOGUS; /* bad packet */ -- -- GETSHORT(type2, p2); -- GETSHORT(class2, p2); -- GETLONG(ttl, p2); -- GETSHORT(rdlen2, p2); -- -- if (!CHECK_LEN(header, p2, plen, rdlen2)) -- return STAT_BOGUS; /* bad packet */ -- -- if (class2 == class1 && rc == 1) -- { -- psave = p2; -- -- if (type1 == T_DS && type2 == T_DS) -- { -- if (rdlen2 < 4) -- return STAT_BOGUS; /* bad packet */ -- -- GETSHORT(keytag, p2); -- algo = *p2++; -- digest = *p2++; -- -- /* Cache needs to known class for DNSSEC stuff */ -- a.addr.dnssec.class = class2; -- -- if ((key = blockdata_alloc((char*)p2, rdlen2 - 4))) -- { -- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))) -- blockdata_free(key); -- else -- { -- a.addr.keytag = keytag; -- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); -- crecp->addr.ds.digest = digest; -- crecp->addr.ds.keydata = key; -- crecp->addr.ds.algo = algo; -- crecp->addr.ds.keytag = keytag; -- crecp->addr.ds.keylen = rdlen2 - 4; -- } -- } -- } -- -- p2 = psave; -- } -- -- if (!ADD_RDLEN(header, p2, plen, rdlen2)) -- return STAT_BOGUS; /* bad packet */ -- } -- -- cache_end_insert(); - } - } - } --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch b/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch deleted file mode 100644 index 0a4942a..0000000 --- a/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch +++ /dev/null @@ -1,755 +0,0 @@ -From c2bcd1e183bcc5fdd63811c045355fc57e36ecfd Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Tue, 15 Dec 2015 17:25:21 +0000 -Subject: [PATCH] Generalise RR-filtering code, for use with EDNS0. - ---- - Makefile | 3 +- - bld/Android.mk | 2 +- - src/dnsmasq.h | 5 + - src/dnssec.c | 307 +------------------------------------------------- - src/forward.c | 2 +- - src/rrfilter.c | 339 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 6 files changed, 349 insertions(+), 309 deletions(-) - create mode 100644 src/rrfilter.c - -diff --git a/Makefile b/Makefile -index 4c87ea9..b664160 100644 ---- a/Makefile -+++ b/Makefile -@@ -73,7 +73,8 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \ - dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ - helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ -- domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o -+ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ -+ poll.o rrfilter.o - - hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ - dns-protocol.h radv-protocol.h ip6addr.h -diff --git a/bld/Android.mk b/bld/Android.mk -index 5364ee7..67b9c4b 100644 ---- a/bld/Android.mk -+++ b/bld/Android.mk -@@ -10,7 +10,7 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c dhcp.c dnsmasq.c \ - dhcp6.c rfc3315.c dhcp-common.c outpacket.c \ - radv.c slaac.c auth.c ipset.c domain.c \ - dnssec.c dnssec-openssl.c blockdata.c tables.c \ -- loop.c inotify.c poll.c -+ loop.c inotify.c poll.c rrfilter.c - - LOCAL_MODULE := dnsmasq - -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index 4344cae..39a930c 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -1513,3 +1513,8 @@ int poll_check(int fd, short event); - void poll_listen(int fd, short event); - int do_poll(int timeout); - -+/* rrfilter.c */ -+size_t rrfilter(struct dns_header *header, size_t plen, int mode); -+u16 *rrfilter_desc(int type); -+int expand_workspace(unsigned char ***wkspc, int *szp, int new); -+ -diff --git a/src/dnssec.c b/src/dnssec.c -index 359231f..fa3eb81 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -507,50 +507,6 @@ static int check_date_range(unsigned long date_start, unsigned long date_end) - && serial_compare_32(curtime, date_end) == SERIAL_LT; - } - --static u16 *get_desc(int type) --{ -- /* List of RRtypes which include domains in the data. -- 0 -> domain -- integer -> no of plain bytes -- -1 -> end -- -- zero is not a valid RRtype, so the final entry is returned for -- anything which needs no mangling. -- */ -- -- static u16 rr_desc[] = -- { -- T_NS, 0, -1, -- T_MD, 0, -1, -- T_MF, 0, -1, -- T_CNAME, 0, -1, -- T_SOA, 0, 0, -1, -- T_MB, 0, -1, -- T_MG, 0, -1, -- T_MR, 0, -1, -- T_PTR, 0, -1, -- T_MINFO, 0, 0, -1, -- T_MX, 2, 0, -1, -- T_RP, 0, 0, -1, -- T_AFSDB, 2, 0, -1, -- T_RT, 2, 0, -1, -- T_SIG, 18, 0, -1, -- T_PX, 2, 0, 0, -1, -- T_NXT, 0, -1, -- T_KX, 2, 0, -1, -- T_SRV, 6, 0, -1, -- T_DNAME, 0, -1, -- 0, -1 /* wildcard/catchall */ -- }; -- -- u16 *p = rr_desc; -- -- while (*p != type && *p != 0) -- while (*p++ != (u16)-1); -- -- return p+1; --} -- - /* Return bytes of canonicalised rdata, when the return value is zero, the remaining - data, pointed to by *p, should be used raw. */ - static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen, -@@ -594,34 +550,6 @@ static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, - } - } - --static int expand_workspace(unsigned char ***wkspc, int *szp, int new) --{ -- unsigned char **p; -- int old = *szp; -- -- if (old >= new+1) -- return 1; -- -- if (new >= 100) -- return 0; -- -- new += 5; -- -- if (!(p = whine_malloc(new * sizeof(unsigned char **)))) -- return 0; -- -- if (old != 0 && *wkspc) -- { -- memcpy(p, *wkspc, old * sizeof(unsigned char **)); -- free(*wkspc); -- } -- -- *wkspc = p; -- *szp = new; -- -- return 1; --} -- - /* Bubble sort the RRset into the canonical order. - Note that the byte-streams from two RRs may get unsynced: consider - RRs which have two domain-names at the start and then other data. -@@ -849,7 +777,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - int rdlen, j, name_labels; - struct crec *crecp = NULL; - int algo, labels, orig_ttl, key_tag; -- u16 *rr_desc = get_desc(type); -+ u16 *rr_desc = rrfilter_desc(type); - - if (wildcard_out) - *wildcard_out = NULL; -@@ -2266,239 +2194,6 @@ size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, i - return ret; - } - --/* Go through a domain name, find "pointers" and fix them up based on how many bytes -- we've chopped out of the packet, or check they don't point into an elided part. */ --static int check_name(unsigned char **namep, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count) --{ -- unsigned char *ansp = *namep; -- -- while(1) -- { -- unsigned int label_type; -- -- if (!CHECK_LEN(header, ansp, plen, 1)) -- return 0; -- -- label_type = (*ansp) & 0xc0; -- -- if (label_type == 0xc0) -- { -- /* pointer for compression. */ -- unsigned int offset; -- int i; -- unsigned char *p; -- -- if (!CHECK_LEN(header, ansp, plen, 2)) -- return 0; -- -- offset = ((*ansp++) & 0x3f) << 8; -- offset |= *ansp++; -- -- p = offset + (unsigned char *)header; -- -- for (i = 0; i < rr_count; i++) -- if (p < rrs[i]) -- break; -- else -- if (i & 1) -- offset -= rrs[i] - rrs[i-1]; -- -- /* does the pointer end up in an elided RR? */ -- if (i & 1) -- return 0; -- -- /* No, scale the pointer */ -- if (fixup) -- { -- ansp -= 2; -- *ansp++ = (offset >> 8) | 0xc0; -- *ansp++ = offset & 0xff; -- } -- break; -- } -- else if (label_type == 0x80) -- return 0; /* reserved */ -- else if (label_type == 0x40) -- { -- /* Extended label type */ -- unsigned int count; -- -- if (!CHECK_LEN(header, ansp, plen, 2)) -- return 0; -- -- if (((*ansp++) & 0x3f) != 1) -- return 0; /* we only understand bitstrings */ -- -- count = *(ansp++); /* Bits in bitstring */ -- -- if (count == 0) /* count == 0 means 256 bits */ -- ansp += 32; -- else -- ansp += ((count-1)>>3)+1; -- } -- else -- { /* label type == 0 Bottom six bits is length */ -- unsigned int len = (*ansp++) & 0x3f; -- -- if (!ADD_RDLEN(header, ansp, plen, len)) -- return 0; -- -- if (len == 0) -- break; /* zero length label marks the end. */ -- } -- } -- -- *namep = ansp; -- -- return 1; --} -- --/* Go through RRs and check or fixup the domain names contained within */ --static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count) --{ -- int i, type, class, rdlen; -- unsigned char *pp; -- -- for (i = 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); i++) -- { -- pp = p; -- -- if (!(p = skip_name(p, header, plen, 10))) -- return 0; -- -- GETSHORT(type, p); -- GETSHORT(class, p); -- p += 4; /* TTL */ -- GETSHORT(rdlen, p); -- -- if (type != T_NSEC && type != T_NSEC3 && type != T_RRSIG) -- { -- /* fixup name of RR */ -- if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) -- return 0; -- -- if (class == C_IN) -- { -- u16 *d; -- -- for (pp = p, d = get_desc(type); *d != (u16)-1; d++) -- { -- if (*d != 0) -- pp += *d; -- else if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) -- return 0; -- } -- } -- } -- -- if (!ADD_RDLEN(header, p, plen, rdlen)) -- return 0; -- } -- -- return 1; --} -- -- --size_t filter_rrsigs(struct dns_header *header, size_t plen) --{ -- static unsigned char **rrs; -- static int rr_sz = 0; -- -- unsigned char *p = (unsigned char *)(header+1); -- int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar; -- -- if (ntohs(header->qdcount) != 1 || -- !(p = skip_name(p, header, plen, 4))) -- return plen; -- -- GETSHORT(qtype, p); -- GETSHORT(qclass, p); -- -- /* First pass, find pointers to start and end of all the records we wish to elide: -- records added for DNSSEC, unless explicity queried for */ -- for (rr_found = 0, chop_ns = 0, chop_an = 0, chop_ar = 0, i = 0; -- i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); -- i++) -- { -- unsigned char *pstart = p; -- int type, class; -- -- if (!(p = skip_name(p, header, plen, 10))) -- return plen; -- -- GETSHORT(type, p); -- GETSHORT(class, p); -- p += 4; /* TTL */ -- GETSHORT(rdlen, p); -- -- if ((type == T_NSEC || type == T_NSEC3 || type == T_RRSIG) && -- (type != qtype || class != qclass)) -- { -- if (!expand_workspace(&rrs, &rr_sz, rr_found + 1)) -- return plen; -- -- rrs[rr_found++] = pstart; -- -- if (!ADD_RDLEN(header, p, plen, rdlen)) -- return plen; -- -- rrs[rr_found++] = p; -- -- if (i < ntohs(header->ancount)) -- chop_an++; -- else if (i < (ntohs(header->nscount) + ntohs(header->ancount))) -- chop_ns++; -- else -- chop_ar++; -- } -- else if (!ADD_RDLEN(header, p, plen, rdlen)) -- return plen; -- } -- -- /* Nothing to do. */ -- if (rr_found == 0) -- return plen; -- -- /* Second pass, look for pointers in names in the records we're keeping and make sure they don't -- point to records we're going to elide. This is theoretically possible, but unlikely. If -- it happens, we give up and leave the answer unchanged. */ -- p = (unsigned char *)(header+1); -- -- /* question first */ -- if (!check_name(&p, header, plen, 0, rrs, rr_found)) -- return plen; -- p += 4; /* qclass, qtype */ -- -- /* Now answers and NS */ -- if (!check_rrs(p, header, plen, 0, rrs, rr_found)) -- return plen; -- -- /* Third pass, elide records */ -- for (p = rrs[0], i = 1; i < rr_found; i += 2) -- { -- unsigned char *start = rrs[i]; -- unsigned char *end = (i != rr_found - 1) ? rrs[i+1] : ((unsigned char *)(header+1)) + plen; -- -- memmove(p, start, end-start); -- p += end-start; -- } -- -- plen = p - (unsigned char *)header; -- header->ancount = htons(ntohs(header->ancount) - chop_an); -- header->nscount = htons(ntohs(header->nscount) - chop_ns); -- header->arcount = htons(ntohs(header->arcount) - chop_ar); -- -- /* Fourth pass, fix up pointers in the remaining records */ -- p = (unsigned char *)(header+1); -- -- check_name(&p, header, plen, 1, rrs, rr_found); -- p += 4; /* qclass, qtype */ -- -- check_rrs(p, header, plen, 1, rrs, rr_found); -- -- return plen; --} -- - unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name) - { - int q; -diff --git a/src/forward.c b/src/forward.c -index dd22a62..3e801c8 100644 ---- a/src/forward.c -+++ b/src/forward.c -@@ -662,7 +662,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server - - /* If the requestor didn't set the DO bit, don't return DNSSEC info. */ - if (!do_bit) -- n = filter_rrsigs(header, n); -+ n = rrfilter(header, n, 1); - #endif - - /* do this after extract_addresses. Ensure NODATA reply and remove -diff --git a/src/rrfilter.c b/src/rrfilter.c -new file mode 100644 -index 0000000..ae12261 ---- /dev/null -+++ b/src/rrfilter.c -@@ -0,0 +1,339 @@ -+/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; version 2 dated June, 1991, or -+ (at your option) version 3 dated 29 June, 2007. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see <http://www.gnu.org/licenses/>. -+*/ -+ -+/* Code to safely remove RRs from an DNS answer */ -+ -+#include "dnsmasq.h" -+ -+/* Go through a domain name, find "pointers" and fix them up based on how many bytes -+ we've chopped out of the packet, or check they don't point into an elided part. */ -+static int check_name(unsigned char **namep, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count) -+{ -+ unsigned char *ansp = *namep; -+ -+ while(1) -+ { -+ unsigned int label_type; -+ -+ if (!CHECK_LEN(header, ansp, plen, 1)) -+ return 0; -+ -+ label_type = (*ansp) & 0xc0; -+ -+ if (label_type == 0xc0) -+ { -+ /* pointer for compression. */ -+ unsigned int offset; -+ int i; -+ unsigned char *p; -+ -+ if (!CHECK_LEN(header, ansp, plen, 2)) -+ return 0; -+ -+ offset = ((*ansp++) & 0x3f) << 8; -+ offset |= *ansp++; -+ -+ p = offset + (unsigned char *)header; -+ -+ for (i = 0; i < rr_count; i++) -+ if (p < rrs[i]) -+ break; -+ else -+ if (i & 1) -+ offset -= rrs[i] - rrs[i-1]; -+ -+ /* does the pointer end up in an elided RR? */ -+ if (i & 1) -+ return 0; -+ -+ /* No, scale the pointer */ -+ if (fixup) -+ { -+ ansp -= 2; -+ *ansp++ = (offset >> 8) | 0xc0; -+ *ansp++ = offset & 0xff; -+ } -+ break; -+ } -+ else if (label_type == 0x80) -+ return 0; /* reserved */ -+ else if (label_type == 0x40) -+ { -+ /* Extended label type */ -+ unsigned int count; -+ -+ if (!CHECK_LEN(header, ansp, plen, 2)) -+ return 0; -+ -+ if (((*ansp++) & 0x3f) != 1) -+ return 0; /* we only understand bitstrings */ -+ -+ count = *(ansp++); /* Bits in bitstring */ -+ -+ if (count == 0) /* count == 0 means 256 bits */ -+ ansp += 32; -+ else -+ ansp += ((count-1)>>3)+1; -+ } -+ else -+ { /* label type == 0 Bottom six bits is length */ -+ unsigned int len = (*ansp++) & 0x3f; -+ -+ if (!ADD_RDLEN(header, ansp, plen, len)) -+ return 0; -+ -+ if (len == 0) -+ break; /* zero length label marks the end. */ -+ } -+ } -+ -+ *namep = ansp; -+ -+ return 1; -+} -+ -+/* Go through RRs and check or fixup the domain names contained within */ -+static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count) -+{ -+ int i, j, type, class, rdlen; -+ unsigned char *pp; -+ -+ for (i = 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); i++) -+ { -+ pp = p; -+ -+ if (!(p = skip_name(p, header, plen, 10))) -+ return 0; -+ -+ GETSHORT(type, p); -+ GETSHORT(class, p); -+ p += 4; /* TTL */ -+ GETSHORT(rdlen, p); -+ -+ /* If this RR is to be elided, don't fix up its contents */ -+ for (j = 0; j < rr_count; j += 2) -+ if (rrs[j] == pp) -+ break; -+ -+ if (j >= rr_count) -+ { -+ /* fixup name of RR */ -+ if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) -+ return 0; -+ -+ if (class == C_IN) -+ { -+ u16 *d; -+ -+ for (pp = p, d = rrfilter_desc(type); *d != (u16)-1; d++) -+ { -+ if (*d != 0) -+ pp += *d; -+ else if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) -+ return 0; -+ } -+ } -+ } -+ -+ if (!ADD_RDLEN(header, p, plen, rdlen)) -+ return 0; -+ } -+ -+ return 1; -+} -+ -+ -+/* mode is 0 to remove EDNS0, 1 to filter DNSSEC RRs */ -+size_t rrfilter(struct dns_header *header, size_t plen, int mode) -+{ -+ static unsigned char **rrs; -+ static int rr_sz = 0; -+ -+ unsigned char *p = (unsigned char *)(header+1); -+ int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar; -+ -+ if (ntohs(header->qdcount) != 1 || -+ !(p = skip_name(p, header, plen, 4))) -+ return plen; -+ -+ GETSHORT(qtype, p); -+ GETSHORT(qclass, p); -+ -+ /* First pass, find pointers to start and end of all the records we wish to elide: -+ records added for DNSSEC, unless explicity queried for */ -+ for (rr_found = 0, chop_ns = 0, chop_an = 0, chop_ar = 0, i = 0; -+ i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); -+ i++) -+ { -+ unsigned char *pstart = p; -+ int type, class; -+ -+ if (!(p = skip_name(p, header, plen, 10))) -+ return plen; -+ -+ GETSHORT(type, p); -+ GETSHORT(class, p); -+ p += 4; /* TTL */ -+ GETSHORT(rdlen, p); -+ -+ if (!ADD_RDLEN(header, p, plen, rdlen)) -+ return plen; -+ -+ /* Don't remove the answer. */ -+ if (i < ntohs(header->ancount) && type == qtype && class == qclass) -+ continue; -+ -+ if (mode == 0) /* EDNS */ -+ { -+ /* EDNS mode, remove T_OPT from additional section only */ -+ if (i < (ntohs(header->nscount) + ntohs(header->ancount)) || type != T_OPT) -+ continue; -+ } -+ else if (type != T_NSEC && type != T_NSEC3 && type != T_RRSIG) -+ /* DNSSEC mode, remove SIGs and NSECs from all three sections. */ -+ continue; -+ -+ -+ if (!expand_workspace(&rrs, &rr_sz, rr_found + 1)) -+ return plen; -+ -+ rrs[rr_found++] = pstart; -+ rrs[rr_found++] = p; -+ -+ if (i < ntohs(header->ancount)) -+ chop_an++; -+ else if (i < (ntohs(header->nscount) + ntohs(header->ancount))) -+ chop_ns++; -+ else -+ chop_ar++; -+ } -+ -+ /* Nothing to do. */ -+ if (rr_found == 0) -+ return plen; -+ -+ /* Second pass, look for pointers in names in the records we're keeping and make sure they don't -+ point to records we're going to elide. This is theoretically possible, but unlikely. If -+ it happens, we give up and leave the answer unchanged. */ -+ p = (unsigned char *)(header+1); -+ -+ /* question first */ -+ if (!check_name(&p, header, plen, 0, rrs, rr_found)) -+ return plen; -+ p += 4; /* qclass, qtype */ -+ -+ /* Now answers and NS */ -+ if (!check_rrs(p, header, plen, 0, rrs, rr_found)) -+ return plen; -+ -+ /* Third pass, elide records */ -+ for (p = rrs[0], i = 1; i < rr_found; i += 2) -+ { -+ unsigned char *start = rrs[i]; -+ unsigned char *end = (i != rr_found - 1) ? rrs[i+1] : ((unsigned char *)(header+1)) + plen; -+ -+ memmove(p, start, end-start); -+ p += end-start; -+ } -+ -+ plen = p - (unsigned char *)header; -+ header->ancount = htons(ntohs(header->ancount) - chop_an); -+ header->nscount = htons(ntohs(header->nscount) - chop_ns); -+ header->arcount = htons(ntohs(header->arcount) - chop_ar); -+ -+ /* Fourth pass, fix up pointers in the remaining records */ -+ p = (unsigned char *)(header+1); -+ -+ check_name(&p, header, plen, 1, rrs, rr_found); -+ p += 4; /* qclass, qtype */ -+ -+ check_rrs(p, header, plen, 1, rrs, rr_found); -+ -+ return plen; -+} -+ -+/* This is used in the DNSSEC code too, hence it's exported */ -+u16 *rrfilter_desc(int type) -+{ -+ /* List of RRtypes which include domains in the data. -+ 0 -> domain -+ integer -> no of plain bytes -+ -1 -> end -+ -+ zero is not a valid RRtype, so the final entry is returned for -+ anything which needs no mangling. -+ */ -+ -+ static u16 rr_desc[] = -+ { -+ T_NS, 0, -1, -+ T_MD, 0, -1, -+ T_MF, 0, -1, -+ T_CNAME, 0, -1, -+ T_SOA, 0, 0, -1, -+ T_MB, 0, -1, -+ T_MG, 0, -1, -+ T_MR, 0, -1, -+ T_PTR, 0, -1, -+ T_MINFO, 0, 0, -1, -+ T_MX, 2, 0, -1, -+ T_RP, 0, 0, -1, -+ T_AFSDB, 2, 0, -1, -+ T_RT, 2, 0, -1, -+ T_SIG, 18, 0, -1, -+ T_PX, 2, 0, 0, -1, -+ T_NXT, 0, -1, -+ T_KX, 2, 0, -1, -+ T_SRV, 6, 0, -1, -+ T_DNAME, 0, -1, -+ 0, -1 /* wildcard/catchall */ -+ }; -+ -+ u16 *p = rr_desc; -+ -+ while (*p != type && *p != 0) -+ while (*p++ != (u16)-1); -+ -+ return p+1; -+} -+ -+int expand_workspace(unsigned char ***wkspc, int *szp, int new) -+{ -+ unsigned char **p; -+ int old = *szp; -+ -+ if (old >= new+1) -+ return 1; -+ -+ if (new >= 100) -+ return 0; -+ -+ new += 5; -+ -+ if (!(p = whine_malloc(new * sizeof(unsigned char **)))) -+ return 0; -+ -+ if (old != 0 && *wkspc) -+ { -+ memcpy(p, *wkspc, old * sizeof(unsigned char **)); -+ free(*wkspc); -+ } -+ -+ *wkspc = p; -+ *szp = new; -+ -+ return 1; -+} --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch b/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch deleted file mode 100644 index ffb412b..0000000 --- a/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 2dbba34b2c1289a108f876c78b84889f2a93115d Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Wed, 16 Dec 2015 13:41:58 +0000 -Subject: [PATCH] DNSSEC validation tweak. - -A zone which has at least one key with an algorithm we don't -support should be considered as insecure. ---- - src/dnssec.c | 82 ++++++++++++++++++++++++++++++++++++++-------------------- - 1 file changed, 54 insertions(+), 28 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index fa3eb81..dc563e0 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -763,10 +763,10 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int - STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname) - STAT_NEED_DS need DS to complete validation (name is returned in keyname) - -- if key is non-NULL, use that key, which has the algo and tag given in the params of those names, -+ If key is non-NULL, use that key, which has the algo and tag given in the params of those names, - otherwise find the key in the cache. - -- name is unchanged on exit. keyname is used as workspace and trashed. -+ Name is unchanged on exit. keyname is used as workspace and trashed. - - Call explore_rrset first to find and count RRs and sigs. - */ -@@ -919,6 +919,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - return STAT_BOGUS; - } - -+ - /* The DNS packet is expected to contain the answer to a DNSKEY query. - Put all DNSKEYs in the answer which are valid into the cache. - return codes: -@@ -1831,15 +1832,15 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - - /* Check signing status of name. - returns: -- STAT_SECURE zone is signed. -- STAT_INSECURE zone proved unsigned. -- STAT_NEED_DS require DS record of name returned in keyname. -- -+ STAT_SECURE zone is signed. -+ STAT_INSECURE zone proved unsigned. -+ STAT_NEED_DS require DS record of name returned in keyname. -+ STAT_NEED_DNSKEY require DNSKEY record of name returned in keyname. - name returned unaltered. - */ - static int zone_status(char *name, int class, char *keyname, time_t now) - { -- int name_start = strlen(name); -+ int secure_ds, name_start = strlen(name); - struct crec *crecp; - char *p; - -@@ -1850,27 +1851,52 @@ static int zone_status(char *name, int class, char *keyname, time_t now) - if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DS))) - return STAT_NEED_DS; - else -- do -- { -- if (crecp->uid == (unsigned int)class) -- { -- /* F_DNSSECOK misused in DS cache records to non-existance of NS record. -- F_NEG && !F_DNSSECOK implies that we've proved there's no DS record here, -- but that's because there's no NS record either, ie this isn't the start -- of a zone. We only prove that the DNS tree below a node is unsigned when -- we prove that we're at a zone cut AND there's no DS record. -- */ -- if (crecp->flags & F_NEG) -- { -- if (crecp->flags & F_DNSSECOK) -- return STAT_INSECURE; /* proved no DS here */ -- } -- else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo)) -- return STAT_INSECURE; /* algo we can't use - insecure */ -- } -- } -- while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS))); -- -+ { -+ secure_ds = 0; -+ -+ do -+ { -+ if (crecp->uid == (unsigned int)class) -+ { -+ /* F_DNSSECOK misused in DS cache records to non-existance of NS record. -+ F_NEG && !F_DNSSECOK implies that we've proved there's no DS record here, -+ but that's because there's no NS record either, ie this isn't the start -+ of a zone. We only prove that the DNS tree below a node is unsigned when -+ we prove that we're at a zone cut AND there's no DS record. -+ */ -+ if (crecp->flags & F_NEG) -+ { -+ if (crecp->flags & F_DNSSECOK) -+ return STAT_INSECURE; /* proved no DS here */ -+ } -+ else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo)) -+ return STAT_INSECURE; /* algo we can't use - insecure */ -+ else -+ secure_ds = 1; -+ } -+ } -+ while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS))); -+ } -+ -+ if (secure_ds) -+ { -+ /* We've found only DS records that attest to the DNSKEY RRset in the zone, so we believe -+ that RRset is good. Furthermore the DNSKEY whose hash is proved by the DS record is -+ one we can use. However the DNSKEY RRset may contain more than one key and -+ one of the other keys may use an algorithm we don't support. If that's -+ the case the zone is insecure for us. */ -+ -+ if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY))) -+ return STAT_NEED_KEY; -+ -+ do -+ { -+ if (crecp->uid == (unsigned int)class && !algo_digest_name(crecp->addr.key.algo)) -+ return STAT_INSECURE; -+ } -+ while ((crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY))); -+ } -+ - if (name_start == 0) - break; - --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch b/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch deleted file mode 100644 index c3c74cc..0000000 --- a/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch +++ /dev/null @@ -1,133 +0,0 @@ -From dd4ad9ac7ea6d51dcc34a1f2cd2da14efbb87714 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Thu, 17 Dec 2015 10:44:58 +0000 -Subject: [PATCH] Tweaks to EDNS0 handling in DNS replies. - ---- - src/dnssec.c | 20 +++++++++----------- - src/rfc1035.c | 57 +++++++++++++++++++++++++++++++++------------------------ - 2 files changed, 42 insertions(+), 35 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index dc563e0..012b2a6 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -2129,18 +2129,16 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - /* Empty DS without NSECS */ - if (qtype == T_DS) - return STAT_BOGUS; -- else -+ -+ rc = zone_status(name, qclass, keyname, now); -+ if (rc != STAT_SECURE) - { -- rc = zone_status(name, qclass, keyname, now); -- if (rc != STAT_SECURE) -- { -- if (class) -- *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ -- return rc; -- } -- -- return STAT_BOGUS; /* signed zone, no NSECs */ -- } -+ if (class) -+ *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ -+ return rc; -+ } -+ -+ return STAT_BOGUS; /* signed zone, no NSECs */ - } - - if (nsec_type == T_NSEC) -diff --git a/src/rfc1035.c b/src/rfc1035.c -index def8fa0..188d05f 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -1539,7 +1539,13 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1; - struct mx_srv_record *rec; - size_t len; -- -+ -+ if (ntohs(header->ancount) != 0 || -+ ntohs(header->nscount) != 0 || -+ ntohs(header->qdcount) == 0 || -+ OPCODE(header) != QUERY ) -+ return 0; -+ - /* Don't return AD set if checking disabled. */ - if (header->hb4 & HB4_CD) - sec_data = 0; -@@ -1548,33 +1554,32 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - *ad_reqd = header->hb4 & HB4_AD; - *do_bit = 0; - -- /* If there is an RFC2671 pseudoheader then it will be overwritten by -+ /* If there is an additional data section then it will be overwritten by - partial replies, so we have to do a dry run to see if we can answer -- the query. We check to see if the do bit is set, if so we always -- forward rather than answering from the cache, which doesn't include -- security information, unless we're in DNSSEC validation mode. */ -+ the query. */ - -- if (find_pseudoheader(header, qlen, NULL, &pheader, NULL)) -- { -- unsigned short flags; -- -- have_pseudoheader = 1; -+ if (ntohs(header->arcount) != 0) -+ { -+ dryrun = 1; - -- pheader += 4; /* udp size, ext_rcode */ -- GETSHORT(flags, pheader); -- -- if ((sec_reqd = flags & 0x8000)) -- { -- *do_bit = 1;/* do bit */ -- *ad_reqd = 1; -+ /* If there's an additional section, there might be an EDNS(0) pseudoheader */ -+ if (find_pseudoheader(header, qlen, NULL, &pheader, NULL)) -+ { -+ unsigned short flags; -+ -+ have_pseudoheader = 1; -+ -+ pheader += 4; /* udp size, ext_rcode */ -+ GETSHORT(flags, pheader); -+ -+ if ((sec_reqd = flags & 0x8000)) -+ { -+ *do_bit = 1;/* do bit */ -+ *ad_reqd = 1; -+ } - } -- -- dryrun = 1; - } - -- if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) -- return 0; -- - for (rec = daemon->mxnames; rec; rec = rec->next) - rec->offset = 0; - -@@ -1730,8 +1735,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - } - else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa))) - { -- /* Don't use cache when DNSSEC data required. */ -- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(crecp->flags & F_DNSSECOK)) -+ /* Don't use cache when DNSSEC data required, unless we know that -+ the zone is unsigned, which implies that we're doing -+ validation. */ -+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || -+ !sec_reqd || -+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))) - { - do - { --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch b/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch deleted file mode 100644 index 60503e9..0000000 --- a/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch +++ /dev/null @@ -1,409 +0,0 @@ -From b40f26c0199235073abc37e1e1d6ed93bed372f5 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Thu, 17 Dec 2015 11:57:26 +0000 -Subject: [PATCH] Tidy up DNSSEC non-existence code. Check zone status is NSEC - proof bad. - ---- - src/dnssec.c | 207 +++++++++++++++++++++++++--------------------------------- - 1 file changed, 90 insertions(+), 117 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index 012b2a6..ddae497 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -1367,59 +1367,6 @@ static int hostname_cmp(const char *a, const char *b) - } - } - --/* Find all the NSEC or NSEC3 records in a reply. -- return an array of pointers to them. */ --static int find_nsec_records(struct dns_header *header, size_t plen, unsigned char ***nsecsetp, int *nsecsetl, int class_reqd) --{ -- static unsigned char **nsecset = NULL; -- static int nsecset_sz = 0; -- -- int type_found = 0; -- unsigned char *p = skip_questions(header, plen); -- int type, class, rdlen, i, nsecs_found; -- -- /* Move to NS section */ -- if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) -- return 0; -- -- for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) -- { -- unsigned char *pstart = p; -- -- if (!(p = skip_name(p, header, plen, 10))) -- return 0; -- -- GETSHORT(type, p); -- GETSHORT(class, p); -- p += 4; /* TTL */ -- GETSHORT(rdlen, p); -- -- if (class == class_reqd && (type == T_NSEC || type == T_NSEC3)) -- { -- /* No mixed NSECing 'round here, thankyouverymuch */ -- if (type_found == T_NSEC && type == T_NSEC3) -- return 0; -- if (type_found == T_NSEC3 && type == T_NSEC) -- return 0; -- -- type_found = type; -- -- if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) -- return 0; -- -- nsecset[nsecs_found++] = pstart; -- } -- -- if (!ADD_RDLEN(header, p, plen, rdlen)) -- return 0; -- } -- -- *nsecsetp = nsecset; -- *nsecsetl = nsecs_found; -- -- return type_found; --} -- - static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, - char *workspace1, char *workspace2, char *name, int type, int *nons) - { -@@ -1436,12 +1383,12 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - { - p = nsecs[i]; - if (!extract_name(header, plen, &p, workspace1, 1, 10)) -- return STAT_BOGUS; -+ return 0; - p += 8; /* class, type, TTL */ - GETSHORT(rdlen, p); - psave = p; - if (!extract_name(header, plen, &p, workspace2, 1, 10)) -- return STAT_BOGUS; -+ return 0; - - rc = hostname_cmp(workspace1, name); - -@@ -1449,7 +1396,7 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - { - /* 4035 para 5.4. Last sentence */ - if (type == T_NSEC || type == T_RRSIG) -- return STAT_SECURE; -+ return 1; - - /* NSEC with the same name as the RR we're testing, check - that the type in question doesn't appear in the type map */ -@@ -1465,24 +1412,24 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - /* A CNAME answer would also be valid, so if there's a CNAME is should - have been returned. */ - if ((p[2] & (0x80 >> T_CNAME)) != 0) -- return STAT_BOGUS; -+ return 0; - - /* If the SOA bit is set for a DS record, then we have the - DS from the wrong side of the delegation. */ - if (type == T_DS && (p[2] & (0x80 >> T_SOA)) != 0) -- return STAT_BOGUS; -+ return 0; - } - - while (rdlen >= 2) - { - if (!CHECK_LEN(header, p, plen, rdlen)) -- return STAT_BOGUS; -+ return 0; - - if (p[0] == type >> 8) - { - /* Does the NSEC say our type exists? */ - if (offset < p[1] && (p[offset+2] & mask) != 0) -- return STAT_BOGUS; -+ return 0; - - break; /* finshed checking */ - } -@@ -1491,24 +1438,24 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - p += p[1]; - } - -- return STAT_SECURE; -+ return 1; - } - else if (rc == -1) - { - /* Normal case, name falls between NSEC name and next domain name, - wrap around case, name falls between NSEC name (rc == -1) and end */ - if (hostname_cmp(workspace2, name) >= 0 || hostname_cmp(workspace1, workspace2) >= 0) -- return STAT_SECURE; -+ return 1; - } - else - { - /* wrap around case, name falls between start and next domain name */ - if (hostname_cmp(workspace1, workspace2) >= 0 && hostname_cmp(workspace2, name) >=0 ) -- return STAT_SECURE; -+ return 1; - } - } - -- return STAT_BOGUS; -+ return 0; - } - - /* return digest length, or zero on error */ -@@ -1701,7 +1648,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - for (i = 0; i < nsec_count; i++) - { - if (!(p = skip_name(nsecs[i], header, plen, 15))) -- return STAT_BOGUS; /* bad packet */ -+ return 0; /* bad packet */ - - p += 10; /* type, class, TTL, rdlen */ - algo = *p++; -@@ -1712,14 +1659,14 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - - /* No usable NSEC3s */ - if (i == nsec_count) -- return STAT_BOGUS; -+ return 0; - - p++; /* flags */ - GETSHORT (iterations, p); - salt_len = *p++; - salt = p; - if (!CHECK_LEN(header, salt, plen, salt_len)) -- return STAT_BOGUS; /* bad packet */ -+ return 0; /* bad packet */ - - /* Now prune so we only have NSEC3 records with same iterations, salt and algo */ - for (i = 0; i < nsec_count; i++) -@@ -1730,7 +1677,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - nsecs[i] = NULL; /* Speculative, will be restored if OK. */ - - if (!(p = skip_name(nsec3p, header, plen, 15))) -- return STAT_BOGUS; /* bad packet */ -+ return 0; /* bad packet */ - - p += 10; /* type, class, TTL, rdlen */ - -@@ -1747,7 +1694,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - continue; - - if (!CHECK_LEN(header, p, plen, salt_len)) -- return STAT_BOGUS; /* bad packet */ -+ return 0; /* bad packet */ - - if (memcmp(p, salt, salt_len) != 0) - continue; -@@ -1758,13 +1705,13 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - - /* Algo is checked as 1 above */ - if (!(hash = hash_find("sha1"))) -- return STAT_BOGUS; -+ return 0; - - if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0) -- return STAT_BOGUS; -+ return 0; - - if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, nons)) -- return STAT_SECURE; -+ return 1; - - /* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3" - or an answer inferred from a wildcard record. */ -@@ -1780,14 +1727,14 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - break; - - if ((digest_len = hash_name(closest_encloser, &digest, hash, salt, salt_len, iterations)) == 0) -- return STAT_BOGUS; -+ return 0; - - for (i = 0; i < nsec_count; i++) - if ((p = nsecs[i])) - { - if (!extract_name(header, plen, &p, workspace1, 1, 0) || - !(base32_len = base32_decode(workspace1, (unsigned char *)workspace2))) -- return STAT_BOGUS; -+ return 0; - - if (digest_len == base32_len && - memcmp(digest, workspace2, digest_len) == 0) -@@ -1802,32 +1749,81 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - while ((closest_encloser = strchr(closest_encloser, '.'))); - - if (!closest_encloser) -- return STAT_BOGUS; -+ return 0; - - /* Look for NSEC3 that proves the non-existence of the next-closest encloser */ - if ((digest_len = hash_name(next_closest, &digest, hash, salt, salt_len, iterations)) == 0) -- return STAT_BOGUS; -+ return 0; - - if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL)) -- return STAT_BOGUS; -+ return 0; - - /* Finally, check that there's no seat of wildcard synthesis */ - if (!wildname) - { - if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest) -- return STAT_BOGUS; -+ return 0; - - wildcard--; - *wildcard = '*'; - - if ((digest_len = hash_name(wildcard, &digest, hash, salt, salt_len, iterations)) == 0) -- return STAT_BOGUS; -+ return 0; - - if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL)) -- return STAT_BOGUS; -+ return 0; - } - -- return STAT_SECURE; -+ return 1; -+} -+ -+static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons) -+{ -+ static unsigned char **nsecset = NULL; -+ static int nsecset_sz = 0; -+ -+ int type_found = 0; -+ unsigned char *p = skip_questions(header, plen); -+ int type, class, rdlen, i, nsecs_found; -+ -+ /* Move to NS section */ -+ if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) -+ return 0; -+ -+ for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) -+ { -+ unsigned char *pstart = p; -+ -+ if (!(p = skip_name(p, header, plen, 10))) -+ return 0; -+ -+ GETSHORT(type, p); -+ GETSHORT(class, p); -+ p += 4; /* TTL */ -+ GETSHORT(rdlen, p); -+ -+ if (class == qclass && (type == T_NSEC || type == T_NSEC3)) -+ { -+ /* No mixed NSECing 'round here, thankyouverymuch */ -+ if (type_found != 0 && type_found != type) -+ return 0; -+ -+ type_found = type; -+ -+ if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) -+ return 0; -+ -+ nsecset[nsecs_found++] = pstart; -+ } -+ -+ if (!ADD_RDLEN(header, p, plen, rdlen)) -+ return 0; -+ } -+ -+ if (type_found == T_NSEC) -+ return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); -+ else -+ return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons); - } - - /* Check signing status of name. -@@ -1925,10 +1921,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - static unsigned char **targets = NULL; - static int target_sz = 0; - -- unsigned char *ans_start, *p1, *p2, **nsecs; -+ unsigned char *ans_start, *p1, *p2; - int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype, targetidx; -- int i, j, rc, nsec_count; -- int nsec_type; -+ int i, j, rc; - - if (neganswer) - *neganswer = 0; -@@ -2080,28 +2075,15 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - targets[j] = NULL; - } - -- if (rc == STAT_SECURE_WILDCARD) -- { -- /* An attacker replay a wildcard answer with a different -- answer and overlay a genuine RR. To prove this -- hasn't happened, the answer must prove that -- the gennuine record doesn't exist. Check that here. */ -- if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, class1))) -- return STAT_BOGUS; /* No NSECs or bad packet */ -- -- /* Note that we may not yet have validated the NSEC/NSEC3 RRsets. Since the check -- below returns either SECURE or BOGUS, that's not a problem. If the RRsets later fail -- we'll return BOGUS then. */ -- -- if (nsec_type == T_NSEC) -- rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL); -- else -- rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, -- keyname, name, type1, wildname, NULL); -- -- if (rc == STAT_BOGUS) -- return rc; -- } -+ /* An attacker replay a wildcard answer with a different -+ answer and overlay a genuine RR. To prove this -+ hasn't happened, the answer must prove that -+ the gennuine record doesn't exist. Check that here. -+ Note that we may not yet have validated the NSEC/NSEC3 RRsets. -+ That's not a problem since if the RRsets later fail -+ we'll return BOGUS then. */ -+ if (rc == STAT_SECURE_WILDCARD && !prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL)) -+ return STAT_BOGUS; - } - } - } -@@ -2124,14 +2106,13 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - - /* For anything other than a DS record, this situation is OK if either - the answer is in an unsigned zone, or there's a NSEC records. */ -- if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass))) -+ if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons)) - { - /* Empty DS without NSECS */ - if (qtype == T_DS) - return STAT_BOGUS; - -- rc = zone_status(name, qclass, keyname, now); -- if (rc != STAT_SECURE) -+ if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE) - { - if (class) - *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ -@@ -2140,14 +2121,6 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - - return STAT_BOGUS; /* signed zone, no NSECs */ - } -- -- if (nsec_type == T_NSEC) -- rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons); -- else -- rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons); -- -- if (rc != STAT_SECURE) -- return rc; - } - - return STAT_SECURE; --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch b/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch deleted file mode 100644 index eda6fbd..0000000 --- a/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 3b799c826db05fc2da1c6d15cbe372e394209d27 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Thu, 17 Dec 2015 16:58:04 +0000 -Subject: [PATCH] Fix brace botch in dnssec_validate_ds() -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -Thanks to MichaÅ KÄpieÅ for spotting this. ---- - src/dnssec.c | 34 +++++++++++++++++----------------- - 1 file changed, 17 insertions(+), 17 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index ddae497..1f8c954 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -923,11 +923,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - /* The DNS packet is expected to contain the answer to a DNSKEY query. - Put all DNSKEYs in the answer which are valid into the cache. - return codes: -- STAT_OK Done, key(s) in cache. -- STAT_BOGUS No DNSKEYs found, which can be validated with DS, -- or self-sign for DNSKEY RRset is not valid, bad packet. -- STAT_NEED_DS DS records to validate a key not found, name in keyname -- STAT_NEED_DNSKEY DNSKEY records to validate a key not found, name in keyname -+ STAT_OK Done, key(s) in cache. -+ STAT_BOGUS No DNSKEYs found, which can be validated with DS, -+ or self-sign for DNSKEY RRset is not valid, bad packet. -+ STAT_NEED_DS DS records to validate a key not found, name in keyname -+ STAT_NEED_KEY DNSKEY records to validate a key not found, name in keyname - */ - int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) - { -@@ -1224,13 +1224,13 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - } - - p = psave; -- -- if (!ADD_RDLEN(header, p, plen, rdlen)) -- return STAT_BOGUS; /* bad packet */ - } -- -- cache_end_insert(); -+ if (!ADD_RDLEN(header, p, plen, rdlen)) -+ return STAT_BOGUS; /* bad packet */ - } -+ -+ cache_end_insert(); -+ - } - else - { -@@ -1828,10 +1828,10 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key - - /* Check signing status of name. - returns: -- STAT_SECURE zone is signed. -- STAT_INSECURE zone proved unsigned. -- STAT_NEED_DS require DS record of name returned in keyname. -- STAT_NEED_DNSKEY require DNSKEY record of name returned in keyname. -+ STAT_SECURE zone is signed. -+ STAT_INSECURE zone proved unsigned. -+ STAT_NEED_DS require DS record of name returned in keyname. -+ STAT_NEED_KEY require DNSKEY record of name returned in keyname. - name returned unaltered. - */ - static int zone_status(char *name, int class, char *keyname, time_t now) -@@ -2028,7 +2028,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - if (rc == STAT_SECURE) - rc = STAT_BOGUS; - if (class) -- *class = class1; /* Class for NEED_DS or NEED_DNSKEY */ -+ *class = class1; /* Class for NEED_DS or NEED_KEY */ - } - else - rc = STAT_INSECURE; -@@ -2045,7 +2045,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - { - /* Zone is insecure, don't need to validate RRset */ - if (class) -- *class = class1; /* Class for NEED_DS or NEED_DNSKEY */ -+ *class = class1; /* Class for NEED_DS or NEED_KEY */ - return rc; - } - -@@ -2115,7 +2115,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch - if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE) - { - if (class) -- *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ -+ *class = qclass; /* Class for NEED_DS or NEED_KEY */ - return rc; - } - --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch b/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch deleted file mode 100644 index abcae5c..0000000 --- a/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch +++ /dev/null @@ -1,145 +0,0 @@ -From 14a4ae883d51130d33da7133287e8867c64bab65 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Thu, 17 Dec 2015 17:23:03 +0000 -Subject: [PATCH] Do a better job of determining which DNSSEC sig algos are - supported. - ---- - src/dnssec.c | 52 +++++++++++++++++++++++++++++++++++++--------------- - 1 file changed, 37 insertions(+), 15 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index 1f8c954..82394ee 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -65,10 +65,9 @@ static char *algo_digest_name(int algo) - case 8: return "sha256"; - case 10: return "sha512"; - case 12: return "gosthash94"; --#ifndef NO_NETTLE_ECC - case 13: return "sha256"; - case 14: return "sha384"; --#endif -+ - default: return NULL; - } - } -@@ -129,13 +128,15 @@ static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char - } - - static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -- unsigned char *digest, int algo) -+ unsigned char *digest, size_t digest_len, int algo) - { - unsigned char *p; - size_t exp_len; - - static struct rsa_public_key *key = NULL; - static mpz_t sig_mpz; -+ -+ (void)digest_len; - - if (key == NULL) - { -@@ -181,7 +182,7 @@ static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, - } - - static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -- unsigned char *digest, int algo) -+ unsigned char *digest, size_t digest_len, int algo) - { - unsigned char *p; - unsigned int t; -@@ -189,6 +190,8 @@ static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, - static struct dsa_public_key *key = NULL; - static struct dsa_signature *sig_struct; - -+ (void)digest_len; -+ - if (key == NULL) - { - if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) || -@@ -292,26 +295,45 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len - } - #endif - --static int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -- unsigned char *digest, size_t digest_len, int algo) -+static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -+ unsigned char *digest, size_t digest_len, int algo) - { -- (void)digest_len; -- -+ -+ /* Enure at runtime that we have support for this digest */ -+ if (!hash_find(algo_digest_name(algo))) -+ return NULL; -+ -+ /* This switch defines which sig algorithms we support, can't introspect Nettle for that. */ - switch (algo) - { - case 1: case 5: case 7: case 8: case 10: -- return dnsmasq_rsa_verify(key_data, key_len, sig, sig_len, digest, algo); -+ return dnsmasq_rsa_verify; - - case 3: case 6: -- return dnsmasq_dsa_verify(key_data, key_len, sig, sig_len, digest, algo); -+ return dnsmasq_dsa_verify; - - #ifndef NO_NETTLE_ECC - case 13: case 14: -- return dnsmasq_ecdsa_verify(key_data, key_len, sig, sig_len, digest, digest_len, algo); -+ return dnsmasq_ecdsa_verify; - #endif - } - -- return 0; -+ return NULL; -+} -+ -+static int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -+ unsigned char *digest, size_t digest_len, int algo) -+{ -+ -+ int (*func)(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -+ unsigned char *digest, size_t digest_len, int algo); -+ -+ func = verify_func(algo); -+ -+ if (!func) -+ return 0; -+ -+ return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo); - } - - /* Convert from presentation format to wire format, in place. -@@ -732,7 +754,7 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int - if (check_date_range(sig_inception, sig_expiration) && - labels <= name_labels && - type_covered == type && -- algo_digest_name(algo)) -+ verify_func(algo)) - { - if (!expand_workspace(&sigs, &sig_sz, sigidx)) - return 0; -@@ -1865,7 +1887,7 @@ static int zone_status(char *name, int class, char *keyname, time_t now) - if (crecp->flags & F_DNSSECOK) - return STAT_INSECURE; /* proved no DS here */ - } -- else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo)) -+ else if (!hash_find(ds_digest_name(crecp->addr.ds.digest)) || !verify_func(crecp->addr.ds.algo)) - return STAT_INSECURE; /* algo we can't use - insecure */ - else - secure_ds = 1; -@@ -1887,7 +1909,7 @@ static int zone_status(char *name, int class, char *keyname, time_t now) - - do - { -- if (crecp->uid == (unsigned int)class && !algo_digest_name(crecp->addr.key.algo)) -+ if (crecp->uid == (unsigned int)class && !verify_func(crecp->addr.key.algo)) - return STAT_INSECURE; - } - while ((crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY))); --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/025-Major_tidy_up_of_EDNS0_handling_and_computation_use_of_udp.patch b/src/patches/dnsmasq/025-Major_tidy_up_of_EDNS0_handling_and_computation_use_of_udp.patch deleted file mode 100644 index c016e73..0000000 --- a/src/patches/dnsmasq/025-Major_tidy_up_of_EDNS0_handling_and_computation_use_of_udp.patch +++ /dev/null @@ -1,643 +0,0 @@ -From fa14bec83b2db010fd076910fddab56957b9375d Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Sun, 20 Dec 2015 17:12:16 +0000 -Subject: [PATCH] Major tidy up of EDNS0 handling and computation/use of udp - packet size. - ---- - src/auth.c | 8 ++- - src/dnsmasq.h | 7 ++- - src/dnssec.c | 1 - - src/forward.c | 184 ++++++++++++++++++++++++++++++++++++++++---------------- - src/netlink.c | 3 +- - src/rfc1035.c | 81 +++++++------------------ - src/rrfilter.c | 2 +- - 7 files changed, 168 insertions(+), 118 deletions(-) - -diff --git a/src/auth.c b/src/auth.c -index 2b0b7d6..85bd5e7 100644 ---- a/src/auth.c -+++ b/src/auth.c -@@ -81,7 +81,8 @@ int in_zone(struct auth_zone *zone, char *name, char **cut) - } - - --size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, int local_query) -+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, -+ int local_query, int do_bit, int have_pseudoheader) - { - char *name = daemon->namebuff; - unsigned char *p, *ansp; -@@ -820,6 +821,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n - header->ancount = htons(anscount); - header->nscount = htons(authcount); - header->arcount = htons(0); -+ -+ /* Advertise our packet size limit in our reply */ -+ if (have_pseudoheader) -+ return add_pseudoheader(header, ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit); -+ - return ansp - (unsigned char *)header; - } - -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index 39a930c..abb34c5 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -1113,7 +1113,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *namebuff, - int no_cache, int secure, int *doctored); - size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - struct in_addr local_addr, struct in_addr local_netmask, -- time_t now, int *ad_reqd, int *do_bit); -+ time_t now, int ad_reqd, int do_bit, int have_pseudoheader); - int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, - struct bogus_addr *addr, time_t now); - int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr); -@@ -1123,6 +1123,8 @@ int check_for_local_domain(char *name, time_t now); - unsigned int questions_crc(struct dns_header *header, size_t plen, char *buff); - size_t resize_packet(struct dns_header *header, size_t plen, - unsigned char *pheader, size_t hlen); -+size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, -+ unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int set_do); - size_t add_mac(struct dns_header *header, size_t plen, char *limit, union mysockaddr *l3); - size_t add_source_addr(struct dns_header *header, size_t plen, char *limit, union mysockaddr *source); - #ifdef HAVE_DNSSEC -@@ -1141,7 +1143,8 @@ int private_net(struct in_addr addr, int ban_localhost); - /* auth.c */ - #ifdef HAVE_AUTH - size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, -- time_t now, union mysockaddr *peer_addr, int local_query); -+ time_t now, union mysockaddr *peer_addr, int local_query, -+ int do_bit, int have_pseudoheader); - int in_zone(struct auth_zone *zone, char *name, char **cut); - #endif - -diff --git a/src/dnssec.c b/src/dnssec.c -index 82394ee..299ca64 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -67,7 +67,6 @@ static char *algo_digest_name(int algo) - case 12: return "gosthash94"; - case 13: return "sha256"; - case 14: return "sha384"; -- - default: return NULL; - } - } -diff --git a/src/forward.c b/src/forward.c -index 3e801c8..041353c 100644 ---- a/src/forward.c -+++ b/src/forward.c -@@ -244,7 +244,6 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, - void *hash = &crc; - #endif - unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); -- unsigned char *pheader; - - (void)do_bit; - -@@ -264,7 +263,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, - there's no point retrying the query, retry the key query instead...... */ - if (forward->blocking_query) - { -- int fd; -+ int fd, is_sign; -+ unsigned char *pheader; - - forward->flags &= ~FREC_TEST_PKTSZ; - -@@ -276,8 +276,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, - blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); - plen = forward->stash_len; - -- if (find_pseudoheader(header, plen, NULL, &pheader, NULL)) -- PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->sentto->edns_pktsz, pheader); -+ if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign) && !is_sign) -+ PUTSHORT(SAFE_PKTSZ, pheader); - - if (forward->sentto->addr.sa.sa_family == AF_INET) - log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); -@@ -394,32 +394,40 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, - forward->log_id = daemon->log_id; - - if (option_bool(OPT_ADD_MAC)) -- plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source); -- -+ { -+ size_t new = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source); -+ if (new != plen) -+ { -+ plen = new; -+ forward->flags |= FREC_ADDED_PHEADER; -+ } -+ } -+ - if (option_bool(OPT_CLIENT_SUBNET)) - { - size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source); - if (new != plen) - { - plen = new; -- forward->flags |= FREC_HAS_SUBNET; -+ forward->flags |= FREC_HAS_SUBNET | FREC_ADDED_PHEADER; - } - } - - #ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID)) - { -- size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz); -+ size_t new = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz); - -+ if (new != plen) -+ forward->flags |= FREC_ADDED_PHEADER; -+ -+ plen = new; -+ - /* For debugging, set Checking Disabled, otherwise, have the upstream check too, - this allows it to select auth servers when one is returning bad data. */ - if (option_bool(OPT_DNSSEC_DEBUG)) - header->hb4 |= HB4_CD; - -- if (new_plen != plen) -- forward->flags |= FREC_ADDED_PHEADER; -- -- plen = new_plen; - } - #endif - -@@ -469,10 +477,23 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, - } - #endif - } -- -- if (find_pseudoheader(header, plen, NULL, &pheader, NULL)) -- PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pktsz, pheader); - -+#ifdef HAVE_DNSSEC -+ if (option_bool(OPT_DNSSEC_VALID) && !do_bit) -+ { -+ /* Difficult one here. If our client didn't send EDNS0, we will have set the UDP -+ packet size to 512. But that won't provide space for the RRSIGS in many cases. -+ The RRSIGS will be stripped out before the answer goes back, so the packet should -+ shrink again. So, if we added a do-bit, bump the udp packet size to the value -+ known to be OK for this server. Maybe check returned size after stripping and set -+ the truncated bit? */ -+ unsigned char *pheader; -+ int is_sign; -+ if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign)) -+ PUTSHORT(start->edns_pktsz, pheader); -+ } -+#endif -+ - if (retry_send(sendto(fd, (char *)header, plen, 0, - &start->addr.sa, - sa_len(&start->addr)))) -@@ -563,30 +584,34 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server - } - #endif - -- /* If upstream is advertising a larger UDP packet size -- than we allow, trim it so that we don't get overlarge -- requests for the client. We can't do this for signed packets. */ -- - if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign))) - { -- unsigned short udpsz; -- unsigned char *psave = sizep; -- -- GETSHORT(udpsz, sizep); -- -- if (!is_sign && udpsz > daemon->edns_pktsz) -- PUTSHORT(daemon->edns_pktsz, psave); -- - if (check_subnet && !check_source(header, plen, pheader, query_source)) - { - my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch")); - return 0; - } - -- if (added_pheader) -+ if (!is_sign) - { -- pheader = 0; -- header->arcount = htons(0); -+ if (added_pheader) -+ { -+ /* client didn't send EDNS0, we added one, strip it off before returning answer. */ -+ n = rrfilter(header, n, 0); -+ pheader = NULL; -+ } -+ else -+ { -+ /* If upstream is advertising a larger UDP packet size -+ than we allow, trim it so that we don't get overlarge -+ requests for the client. We can't do this for signed packets. */ -+ unsigned short udpsz; -+ unsigned char *psave = sizep; -+ -+ GETSHORT(udpsz, sizep); -+ if (udpsz > daemon->edns_pktsz) -+ PUTSHORT(daemon->edns_pktsz, psave); -+ } - } - } - -@@ -655,14 +680,16 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server - } - - if (option_bool(OPT_DNSSEC_VALID)) -- header->hb4 &= ~HB4_AD; -- -- if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure) -- header->hb4 |= HB4_AD; -- -- /* If the requestor didn't set the DO bit, don't return DNSSEC info. */ -- if (!do_bit) -- n = rrfilter(header, n, 1); -+ { -+ header->hb4 &= ~HB4_AD; -+ -+ if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure) -+ header->hb4 |= HB4_AD; -+ -+ /* If the requestor didn't set the DO bit, don't return DNSSEC info. */ -+ if (!do_bit) -+ n = rrfilter(header, n, 1); -+ } - #endif - - /* do this after extract_addresses. Ensure NODATA reply and remove -@@ -761,8 +788,14 @@ void reply_query(int fd, int family, time_t now) - if ((nn = resize_packet(header, (size_t)n, pheader, plen))) - { - header->hb3 &= ~(HB3_QR | HB3_AA | HB3_TC); -- header->hb4 &= ~(HB4_RA | HB4_RCODE); -- forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0); -+ header->hb4 &= ~(HB4_RA | HB4_RCODE | HB4_CD | HB4_AD); -+ if (forward->flags |= FREC_CHECKING_DISABLED) -+ header->hb4 |= HB4_CD; -+ if (forward->flags |= FREC_AD_QUESTION) -+ header->hb4 |= HB4_AD; -+ if (forward->flags & FREC_DO_QUESTION) -+ add_do_bit(header, nn, (char *)pheader + plen); -+ forward_query(-1, NULL, NULL, 0, header, nn, now, forward, forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION); - return; - } - } -@@ -1007,12 +1040,13 @@ void receive_query(struct listener *listen, time_t now) - { - struct dns_header *header = (struct dns_header *)daemon->packet; - union mysockaddr source_addr; -- unsigned short type; -+ unsigned char *pheader; -+ unsigned short type, udp_size = PACKETSZ; /* default if no EDNS0 */ - struct all_addr dst_addr; - struct in_addr netmask, dst_addr_4; - size_t m; - ssize_t n; -- int if_index = 0, auth_dns = 0; -+ int if_index = 0, auth_dns = 0, do_bit = 0, have_pseudoheader = 0; - #ifdef HAVE_AUTH - int local_auth = 0; - #endif -@@ -1279,10 +1313,30 @@ void receive_query(struct listener *listen, time_t now) - #endif - } - -+ if (find_pseudoheader(header, (size_t)n, NULL, &pheader, NULL)) -+ { -+ unsigned short flags; -+ -+ have_pseudoheader = 1; -+ GETSHORT(udp_size, pheader); -+ pheader += 2; /* ext_rcode */ -+ GETSHORT(flags, pheader); -+ -+ if (flags & 0x8000) -+ do_bit = 1;/* do bit */ -+ -+ /* If the client provides an EDNS0 UDP size, use that to limit our reply. -+ (bounded by the maximum configured). If no EDNS0, then it -+ defaults to 512 */ -+ if (udp_size > daemon->edns_pktsz) -+ udp_size = daemon->edns_pktsz; -+ } -+ - #ifdef HAVE_AUTH - if (auth_dns) - { -- m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth); -+ m = answer_auth(header, ((char *) header) + udp_size, (size_t)n, now, &source_addr, -+ local_auth, do_bit, have_pseudoheader); - if (m >= 1) - { - send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), -@@ -1293,9 +1347,13 @@ void receive_query(struct listener *listen, time_t now) - else - #endif - { -- int ad_reqd, do_bit; -- m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, -- dst_addr_4, netmask, now, &ad_reqd, &do_bit); -+ int ad_reqd = do_bit; -+ /* RFC 6840 5.7 */ -+ if (header->hb4 & HB4_AD) -+ ad_reqd = 1; -+ -+ m = answer_request(header, ((char *) header) + udp_size, (size_t)n, -+ dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader); - - if (m >= 1) - { -@@ -1397,7 +1455,7 @@ unsigned char *tcp_request(int confd, time_t now, - #ifdef HAVE_AUTH - int local_auth = 0; - #endif -- int checking_disabled, ad_question, do_bit, added_pheader = 0; -+ int checking_disabled, do_bit, added_pheader = 0, have_pseudoheader = 0; - int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; - size_t m; - unsigned short qtype; -@@ -1414,6 +1472,7 @@ unsigned char *tcp_request(int confd, time_t now, - union mysockaddr peer_addr; - socklen_t peer_len = sizeof(union mysockaddr); - int query_count = 0; -+ unsigned char *pheader; - - if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1) - return packet; -@@ -1508,15 +1567,35 @@ unsigned char *tcp_request(int confd, time_t now, - else - dst_addr_4.s_addr = 0; - -+ do_bit = 0; -+ -+ if (find_pseudoheader(header, (size_t)size, NULL, &pheader, NULL)) -+ { -+ unsigned short flags; -+ -+ have_pseudoheader = 1; -+ pheader += 4; /* udp_size, ext_rcode */ -+ GETSHORT(flags, pheader); -+ -+ if (flags & 0x8000) -+ do_bit = 1;/* do bit */ -+ } -+ - #ifdef HAVE_AUTH - if (auth_dns) -- m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth); -+ m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, -+ local_auth, do_bit, have_pseudoheader); - else - #endif - { -- /* m > 0 if answered from cache */ -- m = answer_request(header, ((char *) header) + 65536, (size_t)size, -- dst_addr_4, netmask, now, &ad_question, &do_bit); -+ int ad_reqd = do_bit; -+ /* RFC 6840 5.7 */ -+ if (header->hb4 & HB4_AD) -+ ad_reqd = 1; -+ -+ /* m > 0 if answered from cache */ -+ m = answer_request(header, ((char *) header) + 65536, (size_t)size, -+ dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader); - - /* Do this by steam now we're not in the select() loop */ - check_log_writer(1); -@@ -1615,6 +1694,7 @@ unsigned char *tcp_request(int confd, time_t now, - } - - #ifdef HAVE_DNSSEC -+ added_pheader = 0; - if (option_bool(OPT_DNSSEC_VALID)) - { - size_t new_size = add_do_bit(header, size, ((char *) header) + 65536); -@@ -1719,7 +1799,7 @@ unsigned char *tcp_request(int confd, time_t now, - - m = process_reply(header, now, last_server, (unsigned int)m, - option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer, -- ad_question, do_bit, added_pheader, check_subnet, &peer_addr); -+ ad_reqd, do_bit, added_pheader, check_subnet, &peer_addr); - - break; - } -diff --git a/src/netlink.c b/src/netlink.c -index 753784d..3376d68 100644 ---- a/src/netlink.c -+++ b/src/netlink.c -@@ -288,7 +288,8 @@ int iface_enumerate(int family, void *parm, int (*callback)()) - rta = RTA_NEXT(rta, len1); - } - -- if (inaddr && mac && callback_ok) -+ if (!(neigh->ndm_state & (NUD_NOARP | NUD_INCOMPLETE | NUD_FAILED)) && -+ inaddr && mac && callback_ok) - if (!((*callback)(neigh->ndm_family, inaddr, mac, maclen, parm))) - callback_ok = 0; - } -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 188d05f..18858a8 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -489,8 +489,8 @@ struct macparm { - union mysockaddr *l3; - }; - --static size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, -- int optno, unsigned char *opt, size_t optlen, int set_do) -+size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, -+ unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int set_do) - { - unsigned char *lenp, *datap, *p; - int rdlen, is_sign; -@@ -508,7 +508,7 @@ static size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned - return plen; - *p++ = 0; /* empty name */ - PUTSHORT(T_OPT, p); -- PUTSHORT(SAFE_PKTSZ, p); /* max packet length, this will be overwritten */ -+ PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ - PUTSHORT(0, p); /* extended RCODE and version */ - PUTSHORT(set_do ? 0x8000 : 0, p); /* DO flag */ - lenp = p; -@@ -594,7 +594,7 @@ static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *p - if (!match) - return 1; /* continue */ - -- parm->plen = add_pseudoheader(parm->header, parm->plen, parm->limit, EDNS0_OPTION_MAC, (unsigned char *)mac, maclen, 0); -+ parm->plen = add_pseudoheader(parm->header, parm->plen, parm->limit, PACKETSZ, EDNS0_OPTION_MAC, (unsigned char *)mac, maclen, 0); - - return 0; /* done */ - } -@@ -603,12 +603,6 @@ size_t add_mac(struct dns_header *header, size_t plen, char *limit, union mysock - { - struct macparm parm; - --/* Must have an existing pseudoheader as the only ar-record, -- or have no ar-records. Must also not be signed */ -- -- if (ntohs(header->arcount) > 1) -- return plen; -- - parm.header = header; - parm.limit = (unsigned char *)limit; - parm.plen = plen; -@@ -699,13 +693,13 @@ size_t add_source_addr(struct dns_header *header, size_t plen, char *limit, unio - struct subnet_opt opt; - - len = calc_subnet_opt(&opt, source); -- return add_pseudoheader(header, plen, (unsigned char *)limit, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0); -+ return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0); - } - - #ifdef HAVE_DNSSEC - size_t add_do_bit(struct dns_header *header, size_t plen, char *limit) - { -- return add_pseudoheader(header, plen, (unsigned char *)limit, 0, NULL, 0, 1); -+ return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, 0, NULL, 0, 1); - } - #endif - -@@ -1525,16 +1519,16 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now) - /* return zero if we can't answer from cache, or packet size if we can */ - size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - struct in_addr local_addr, struct in_addr local_netmask, -- time_t now, int *ad_reqd, int *do_bit) -+ time_t now, int ad_reqd, int do_bit, int have_pseudoheader) - { - char *name = daemon->namebuff; -- unsigned char *p, *ansp, *pheader; -+ unsigned char *p, *ansp; - unsigned int qtype, qclass; - struct all_addr addr; - int nameoffset; - unsigned short flag; - int q, ans, anscount = 0, addncount = 0; -- int dryrun = 0, sec_reqd = 0, have_pseudoheader = 0; -+ int dryrun = 0; - struct crec *crecp; - int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1; - struct mx_srv_record *rec; -@@ -1550,35 +1544,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - if (header->hb4 & HB4_CD) - sec_data = 0; - -- /* RFC 6840 5.7 */ -- *ad_reqd = header->hb4 & HB4_AD; -- *do_bit = 0; -- - /* If there is an additional data section then it will be overwritten by - partial replies, so we have to do a dry run to see if we can answer - the query. */ -- - if (ntohs(header->arcount) != 0) -- { -- dryrun = 1; -- -- /* If there's an additional section, there might be an EDNS(0) pseudoheader */ -- if (find_pseudoheader(header, qlen, NULL, &pheader, NULL)) -- { -- unsigned short flags; -- -- have_pseudoheader = 1; -- -- pheader += 4; /* udp size, ext_rcode */ -- GETSHORT(flags, pheader); -- -- if ((sec_reqd = flags & 0x8000)) -- { -- *do_bit = 1;/* do bit */ -- *ad_reqd = 1; -- } -- } -- } -+ dryrun = 1; - - for (rec = daemon->mxnames; rec; rec = rec->next) - rec->offset = 0; -@@ -1603,11 +1573,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - GETSHORT(qtype, p); - GETSHORT(qclass, p); - -- /* Don't filter RRSIGS from answers to ANY queries, even if do-bit -- not set. */ -- if (qtype == T_ANY) -- *do_bit = 1; -- - ans = 0; /* have we answered this question */ - - if (qtype == T_TXT || qtype == T_ANY) -@@ -1739,7 +1704,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - the zone is unsigned, which implies that we're doing - validation. */ - if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || -- !sec_reqd || -+ !do_bit || - (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))) - { - do -@@ -1927,7 +1892,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - } - - /* If the client asked for DNSSEC don't use cached data. */ -- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(crecp->flags & F_DNSSECOK)) -+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK)) - do - { - /* don't answer wildcard queries with data not from /etc/hosts -@@ -1961,17 +1926,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - - if (crecp->flags & F_NEG) - { -- /* We don't cache NSEC records, so if a DNSSEC-validated negative answer -- is cached and the client wants DNSSEC, forward rather than answering from the cache */ -- if (!sec_reqd || !(crecp->flags & F_DNSSECOK)) -- { -- ans = 1; -- auth = 0; -- if (crecp->flags & F_NXDOMAIN) -- nxdomain = 1; -- if (!dryrun) -- log_query(crecp->flags, name, NULL, NULL); -- } -+ ans = 1; -+ auth = 0; -+ if (crecp->flags & F_NXDOMAIN) -+ nxdomain = 1; -+ if (!dryrun) -+ log_query(crecp->flags, name, NULL, NULL); - } - else - { -@@ -2209,10 +2169,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - - len = ansp - (unsigned char *)header; - -+ /* Advertise our packet size limit in our reply */ - if (have_pseudoheader) -- len = add_pseudoheader(header, len, (unsigned char *)limit, 0, NULL, 0, sec_reqd); -+ len = add_pseudoheader(header, len, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit); - -- if (*ad_reqd && sec_data) -+ if (ad_reqd && sec_data) - header->hb4 |= HB4_AD; - else - header->hb4 &= ~HB4_AD; -diff --git a/src/rrfilter.c b/src/rrfilter.c -index ae12261..b26b39f 100644 ---- a/src/rrfilter.c -+++ b/src/rrfilter.c -@@ -243,7 +243,7 @@ size_t rrfilter(struct dns_header *header, size_t plen, int mode) - for (p = rrs[0], i = 1; i < rr_found; i += 2) - { - unsigned char *start = rrs[i]; -- unsigned char *end = (i != rr_found - 1) ? rrs[i+1] : ((unsigned char *)(header+1)) + plen; -+ unsigned char *end = (i != rr_found - 1) ? rrs[i+1] : ((unsigned char *)header) + plen; - - memmove(p, start, end-start); - p += end-start; --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/026-More_tweaks_in_handling_unknown_DNSSEC_algorithms.patch b/src/patches/dnsmasq/026-More_tweaks_in_handling_unknown_DNSSEC_algorithms.patch deleted file mode 100644 index 910921b..0000000 --- a/src/patches/dnsmasq/026-More_tweaks_in_handling_unknown_DNSSEC_algorithms.patch +++ /dev/null @@ -1,262 +0,0 @@ -From d67ecac59d58f249707d26e38d49c29b552af4d8 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Sun, 20 Dec 2015 20:44:23 +0000 -Subject: [PATCH] More tweaks in handling unknown DNSSEC algorithms. - ---- - src/dnssec.c | 128 +++++++++++++++++++++++++++++----------------------------- - 1 file changed, 63 insertions(+), 65 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index 299ca64..e09f304 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -70,7 +70,17 @@ static char *algo_digest_name(int algo) - default: return NULL; - } - } -- -+ -+/* http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parame… */ -+static char *nsec3_digest_name(int digest) -+{ -+ switch (digest) -+ { -+ case 1: return "sha1"; -+ default: return NULL; -+ } -+} -+ - /* Find pointer to correct hash function in nettle library */ - static const struct nettle_hash *hash_find(char *name) - { -@@ -667,7 +677,6 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int - static int rrset_sz = 0, sig_sz = 0; - unsigned char *p; - int rrsetidx, sigidx, j, rdlen, res; -- int name_labels = count_labels(name); /* For 4035 5.3.2 check */ - int gotkey = 0; - - if (!(p = skip_questions(header, plen))) -@@ -678,7 +687,7 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int - j != 0; j--) - { - unsigned char *pstart, *pdata; -- int stype, sclass, algo, type_covered, labels, sig_expiration, sig_inception; -+ int stype, sclass, type_covered; - - pstart = p; - -@@ -712,12 +721,7 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int - return 0; /* bad packet */ - - GETSHORT(type_covered, p); -- algo = *p++; -- labels = *p++; -- p += 4; /* orig_ttl */ -- GETLONG(sig_expiration, p); -- GETLONG(sig_inception, p); -- p += 2; /* key_tag */ -+ p += 16; /* algo, labels, orig_ttl, sig_expiration, sig_inception, key_tag */ - - if (gotkey) - { -@@ -749,11 +753,8 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int - } - } - -- /* Don't count signatures for algos we don't support */ -- if (check_date_range(sig_inception, sig_expiration) && -- labels <= name_labels && -- type_covered == type && -- verify_func(algo)) -+ -+ if (type_covered == type) - { - if (!expand_workspace(&sigs, &sig_sz, sigidx)) - return 0; -@@ -795,7 +796,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - char *name, char *keyname, char **wildcard_out, struct blockdata *key, int keylen, int algo_in, int keytag_in) - { - unsigned char *p; -- int rdlen, j, name_labels; -+ int rdlen, j, name_labels, sig_expiration, sig_inception; - struct crec *crecp = NULL; - int algo, labels, orig_ttl, key_tag; - u16 *rr_desc = rrfilter_desc(type); -@@ -828,13 +829,16 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - algo = *p++; - labels = *p++; - GETLONG(orig_ttl, p); -- p += 8; /* sig_expiration, sig_inception already checked */ -+ GETLONG(sig_expiration, p); -+ GETLONG(sig_inception, p); - GETSHORT(key_tag, p); - - if (!extract_name(header, plen, &p, keyname, 1, 0)) - return STAT_BOGUS; - -- if (!(hash = hash_find(algo_digest_name(algo))) || -+ if (!check_date_range(sig_inception, sig_expiration) || -+ labels > name_labels || -+ !(hash = hash_find(algo_digest_name(algo))) || - !hash_init(hash, &ctx, &digest)) - continue; - -@@ -1112,7 +1116,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch - else - { - a.addr.keytag = keytag; -- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %u"); -+ if (verify_func(algo)) -+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %u"); -+ else -+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %u (not supported)"); - - recp1->addr.key.keylen = rdlen - 4; - recp1->addr.key.keydata = key; -@@ -1235,7 +1242,11 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char - else - { - a.addr.keytag = keytag; -- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); -+ if (hash_find(ds_digest_name(digest)) && verify_func(algo)) -+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); -+ else -+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u (not supported)"); -+ - crecp->addr.ds.digest = digest; - crecp->addr.ds.keydata = key; - crecp->addr.ds.algo = algo; -@@ -1660,7 +1671,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - *nons = 1; - - /* Look though the NSEC3 records to find the first one with -- an algorithm we support (currently only algo == 1). -+ an algorithm we support. - - Take the algo, iterations, and salt of that record - as the ones we're going to use, and prune any -@@ -1674,7 +1685,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - p += 10; /* type, class, TTL, rdlen */ - algo = *p++; - -- if (algo == 1) -+ if ((hash = hash_find(nsec3_digest_name(algo)))) - break; /* known algo */ - } - -@@ -1724,10 +1735,6 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - nsecs[i] = nsec3p; - } - -- /* Algo is checked as 1 above */ -- if (!(hash = hash_find("sha1"))) -- return 0; -- - if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0) - return 0; - -@@ -1843,8 +1850,10 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key - - if (type_found == T_NSEC) - return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); -- else -+ else if (type_found == T_NSEC3) - return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons); -+ else -+ return 0; - } - - /* Check signing status of name. -@@ -1857,7 +1866,7 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key - */ - static int zone_status(char *name, int class, char *keyname, time_t now) - { -- int secure_ds, name_start = strlen(name); -+ int name_start = strlen(name); - struct crec *crecp; - char *p; - -@@ -1867,51 +1876,40 @@ static int zone_status(char *name, int class, char *keyname, time_t now) - - if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DS))) - return STAT_NEED_DS; -+ -+ /* F_DNSSECOK misused in DS cache records to non-existance of NS record. -+ F_NEG && !F_DNSSECOK implies that we've proved there's no DS record here, -+ but that's because there's no NS record either, ie this isn't the start -+ of a zone. We only prove that the DNS tree below a node is unsigned when -+ we prove that we're at a zone cut AND there's no DS record. */ -+ if (crecp->flags & F_NEG) -+ { -+ if (crecp->flags & F_DNSSECOK) -+ return STAT_INSECURE; /* proved no DS here */ -+ } - else - { -- secure_ds = 0; -- -+ int gotone = 0; -+ -+ /* If all the DS records have digest and/or sig algos we don't support, -+ then the zone is insecure. Note that if an algo -+ appears in the DS, then RRSIGs for that algo MUST -+ exist for each RRset: 4035 para 2.2 So if we find -+ a DS here with digest and sig we can do, we're entitled -+ to assume we can validate the zone and if we can't later, -+ because an RRSIG is missing we return BOGUS. -+ */ - do - { -- if (crecp->uid == (unsigned int)class) -- { -- /* F_DNSSECOK misused in DS cache records to non-existance of NS record. -- F_NEG && !F_DNSSECOK implies that we've proved there's no DS record here, -- but that's because there's no NS record either, ie this isn't the start -- of a zone. We only prove that the DNS tree below a node is unsigned when -- we prove that we're at a zone cut AND there's no DS record. -- */ -- if (crecp->flags & F_NEG) -- { -- if (crecp->flags & F_DNSSECOK) -- return STAT_INSECURE; /* proved no DS here */ -- } -- else if (!hash_find(ds_digest_name(crecp->addr.ds.digest)) || !verify_func(crecp->addr.ds.algo)) -- return STAT_INSECURE; /* algo we can't use - insecure */ -- else -- secure_ds = 1; -- } -+ if (crecp->uid == (unsigned int)class && -+ hash_find(ds_digest_name(crecp->addr.ds.digest)) && -+ verify_func(crecp->addr.ds.algo)) -+ gotone = 1; - } - while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS))); -- } -- -- if (secure_ds) -- { -- /* We've found only DS records that attest to the DNSKEY RRset in the zone, so we believe -- that RRset is good. Furthermore the DNSKEY whose hash is proved by the DS record is -- one we can use. However the DNSKEY RRset may contain more than one key and -- one of the other keys may use an algorithm we don't support. If that's -- the case the zone is insecure for us. */ -- -- if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY))) -- return STAT_NEED_KEY; - -- do -- { -- if (crecp->uid == (unsigned int)class && !verify_func(crecp->addr.key.algo)) -- return STAT_INSECURE; -- } -- while ((crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY))); -+ if (!gotone) -+ return STAT_INSECURE; - } - - if (name_start == 0) --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/027-Nasty_rare_and_obscure_off-by-one_in_DNSSEC_hostname_cmp.patch b/src/patches/dnsmasq/027-Nasty_rare_and_obscure_off-by-one_in_DNSSEC_hostname_cmp.patch deleted file mode 100644 index 031339e..0000000 --- a/src/patches/dnsmasq/027-Nasty_rare_and_obscure_off-by-one_in_DNSSEC_hostname_cmp.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3e86d316c4bb406ed813aa5256615c8a95cac6d8 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Sun, 20 Dec 2015 20:50:05 +0000 -Subject: [PATCH] Nasty, rare and obscure off-by-one in DNSSEC hostname_cmp(). - ---- - src/dnssec.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index e09f304..29848e1 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -1394,8 +1394,8 @@ static int hostname_cmp(const char *a, const char *b) - if (sb == b) - return 1; - -- ea = sa--; -- eb = sb--; -+ ea = --sa; -+ eb = --sb; - } - } - --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/028-Minor_tweak_to_previous_commit.patch b/src/patches/dnsmasq/028-Minor_tweak_to_previous_commit.patch deleted file mode 100644 index f3758fc..0000000 --- a/src/patches/dnsmasq/028-Minor_tweak_to_previous_commit.patch +++ /dev/null @@ -1,39 +0,0 @@ -From a86fdf437ecc29398f9715ceb5240442a17ac014 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Sun, 20 Dec 2015 21:19:20 +0000 -Subject: [PATCH] Minor tweak to previous commit. - ---- - src/dnssec.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index 29848e1..9fa64b6 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -1889,8 +1889,6 @@ static int zone_status(char *name, int class, char *keyname, time_t now) - } - else - { -- int gotone = 0; -- - /* If all the DS records have digest and/or sig algos we don't support, - then the zone is insecure. Note that if an algo - appears in the DS, then RRSIGs for that algo MUST -@@ -1904,11 +1902,11 @@ static int zone_status(char *name, int class, char *keyname, time_t now) - if (crecp->uid == (unsigned int)class && - hash_find(ds_digest_name(crecp->addr.ds.digest)) && - verify_func(crecp->addr.ds.algo)) -- gotone = 1; -+ break; - } - while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS))); - -- if (!gotone) -+ if (!crecp) - return STAT_INSECURE; - } - --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch b/src/patches/dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch deleted file mode 100644 index 33219d2..0000000 --- a/src/patches/dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch +++ /dev/null @@ -1,39 +0,0 @@ -From ce5732e84fc46d7f99c152f736cfb4ef5ec98a01 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon(a)thekelleys.org.uk> -Date: Sun, 20 Dec 2015 21:39:19 +0000 -Subject: [PATCH] NSEC3 check: RFC5155 para 8.2 - ---- - src/dnssec.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index 9fa64b6..486e422 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -1704,7 +1704,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - for (i = 0; i < nsec_count; i++) - { - unsigned char *nsec3p = nsecs[i]; -- int this_iter; -+ int this_iter, flags; - - nsecs[i] = NULL; /* Speculative, will be restored if OK. */ - -@@ -1716,8 +1716,12 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - if (*p++ != algo) - continue; - -- p++; /* flags */ -+ flags = *p++; /* flags */ - -+ /* 5155 8.2 */ -+ if (flags != 0 && flags != 1) -+ continue; -+ - GETSHORT(this_iter, p); - if (this_iter != iterations) - continue; --- -1.7.10.4 - -- 2.7.2

4 6

[PATCH] dnsmasq: 2.76test10 with latest patch (005) and some fixes
by Matthias Fischer 29 Feb '16

29 Feb '16

1. Added patch 005 because of the discussion on the dnsmasq-list: "I've noticed that replies which get their TTL from the dhcp-ttl option always get the TTL specified in dhcp-ttl. I'd prefer something like max(0, min(<dhcp-ttl>, <lease-expire-time> - <now>)). Otherwise, dns might hand out a high TTL for a dhcp-lease which expires one second later. ... Seems a sensible addition. Cheers, Simon." 2. Fixed several line numbers and patch lines in 'dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch'. On the last build I got some "Hunk failed" messages. Patches are now applied exactly at the given lines. 3. Nevertheless, I still get some warnings: ... dnsmasq.c: In function 'main': dnsmasq.c:55:7: warning: unused variable 'did_bind' [-Wunused-variable] int did_bind = 0; ^ dnsmasq.c:54:9: warning: unused variable 'bound_device' [-Wunused-variable] char *bound_device = NULL; ^ ... isc.c: In function 'dhcp_lease_new': isc.c:40:3: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result [-Wunused-result] asprintf(&lease->fqdn, "%s.%s", hostname, daemon->domain_suffix); ^ Asking about these warnings in the dnsmasq-list showed no reaction - no one answered. Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/dnsmasq | 1 + ...q-Add-support-to-read-ISC-DHCP-lease-file.patch | 14 ++++---- ...ease_length_to_TTL_when_--dhcp-ttl_in_use.patch | 37 ++++++++++++++++++++++ 3 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 src/patches/dnsmasq/005-Apply_ceiling_of_lease_length_to_TTL_when_--dhcp-ttl_in_use.patch diff --git a/lfs/dnsmasq b/lfs/dnsmasq index 29d7895..84585c1 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -77,6 +77,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Add_--dhcp-ttl_option.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Update_CHANGELOG.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-Add_--tftp-mtu_option.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-Apply_ceiling_of_lease_length_to_TTL_when_--dhcp-ttl_in_use.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch cd $(DIR_APP) && sed -i src/config.h \ diff --git a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch index f55ebe8..703e94f 100644 --- a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch +++ b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch @@ -19,7 +19,7 @@ #ifdef HAVE_DNSSEC cache_blockdata_free(crecp); #endif -@@ -1131,7 +1134,7 @@ +@@ -1138,7 +1141,7 @@ } @@ -28,7 +28,7 @@ struct in_addr a_record_from_hosts(char *name, time_t now) { struct crec *crecp = NULL; -@@ -1274,7 +1277,11 @@ +@@ -1281,7 +1284,11 @@ else crec->ttd = ttd; crec->addr.addr = *host_address; @@ -42,7 +42,7 @@ --- a/src/dnsmasq.c Thu Jul 30 20:59:06 2015 +++ b/src/dnsmasq.c Wed Dec 16 19:38:32 2015 -@@ -982,6 +982,11 @@ +@@ -1013,6 +1013,11 @@ poll_resolv(0, daemon->last_resolv != 0, now); daemon->last_resolv = now; @@ -56,7 +56,7 @@ --- a/src/dnsmasq.h Wed Dec 16 19:24:12 2015 +++ b/src/dnsmasq.h Wed Dec 16 19:40:11 2015 -@@ -1513,8 +1513,12 @@ +@@ -1514,6 +1514,11 @@ void poll_listen(int fd, short event); int do_poll(int timeout); @@ -326,7 +326,7 @@ +#endif --- a/src/option.c Wed Dec 16 19:24:12 2015 +++ b/src/option.c Wed Dec 16 19:42:48 2015 -@@ -1754,7 +1754,7 @@ +@@ -1769,7 +1769,7 @@ ret_err(_("bad MX target")); break; @@ -341,8 +341,8 @@ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ -- poll.o rrfilter.o -+ poll.o rrfilter.o isc.o +- poll.o rrfilter.o edns0.o arp.o ++ poll.o rrfilter.o edns0.o arp.o isc.o hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ dns-protocol.h radv-protocol.h ip6addr.h diff --git a/src/patches/dnsmasq/005-Apply_ceiling_of_lease_length_to_TTL_when_--dhcp-ttl_in_use.patch b/src/patches/dnsmasq/005-Apply_ceiling_of_lease_length_to_TTL_when_--dhcp-ttl_in_use.patch new file mode 100644 index 0000000..2875d2c --- /dev/null +++ b/src/patches/dnsmasq/005-Apply_ceiling_of_lease_length_to_TTL_when_--dhcp-ttl_in_use.patch @@ -0,0 +1,37 @@ +From 7480aeffc8ad195e9fd8bcf424bae0fab3839d55 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon(a)thekelleys.org.uk> +Date: Fri, 26 Feb 2016 21:58:20 +0000 +Subject: [PATCH] Apply ceiling of lease length to TTL when --dhcp-ttl in use. + +--- + src/rfc1035.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 8f1e3b4..bed5312 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1167,10 +1167,18 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int + static unsigned long crec_ttl(struct crec *crecp, time_t now) + { + /* Return 0 ttl for DHCP entries, which might change +- before the lease expires. */ ++ before the lease expires, unless configured otherwise. */ + + if (crecp->flags & F_DHCP) +- return daemon->use_dhcp_ttl ? daemon->dhcp_ttl : daemon->local_ttl; ++ { ++ int conf_ttl = daemon->use_dhcp_ttl ? daemon->dhcp_ttl : daemon->local_ttl; ++ ++ /* Apply ceiling of actual lease length to configured TTL. */ ++ if (!(crecp->flags & F_IMMORTAL) && (crecp->ttd - now) < conf_ttl) ++ return crecp->ttd - now; ++ ++ return conf_ttl; ++ } + + /* Immortal entries other than DHCP are local, and hold TTL in TTD field. */ + if (crecp->flags & F_IMMORTAL) +-- +1.7.10.4 + -- 2.7.2

2 3

[PATCH] Bugfix for #4323 (Netfilter broken cross-includes with Linux 4.2)
by Matthias Fischer 27 Feb '16

27 Feb '16

1 0

[PATCH] dnsmasq: 2.76test10 with latest patches (001-004)
by Matthias Fischer 26 Feb '16

26 Feb '16

Hi, For explanation - I hope I didn't garble anything... Thinking it over, I decided to create a new diff-patch for '2.75' => '2.76test10', completely based on current 'next' - containing the latest patches. This version was tested here and is running right now. Best, Matthias

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development February 2016