Merge pull request #7112 from EricLuehrsen/unbound_leak

unbound: add patches for leaks during TLS query

net/unbound/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.8.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE

net/unbound/patches/100-example-conf-in.patch

@@ -1,3 +1,8 @@
+OpenWrt (modification):
+Patch the default configuration file with the tiny memory
+configuration example from Unbound documentation. This is the best
+starting point for embedded routers if one is not going to use UCI.
+
 Index: doc/example.conf.in
 ===================================================================
 --- a/doc/example.conf.in

net/unbound/patches/210-query-state-leak.patch

@@ -0,0 +1,38 @@
+Unbound (trunk):
+Fix that with harden-below-nxdomain and qname minisation enabled
+some iterator states for nonresponsive domains can get into a
+state where they waited for an empty list.
+Stop UDP to TCP failover after timeouts that causes the ping count
+to be reset by the TCP time measurement (that exists for TLS),
+because that causes the UDP part to not be measured as timeout.
+
+Index: iterator/iterator.c
+===================================================================
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2752,6 +2752,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ 						verbose(VERB_ALGO,
+ 						"could not validate NXDOMAIN "
+ 						"response");
++					outbound_list_clear(&iq->outlist);
++					iq->num_current_queries = 0;
++					fptr_ok(fptr_whitelist_modenv_detach_subs(
++						qstate->env->detach_subs));
++					(*qstate->env->detach_subs)(qstate);
++					iq->num_target_queries = 0;
+ 				}
+ 			}
+ 			return next_state(iq, QUERYTARGETS_STATE);
+Index: services/outside_network.c
+===================================================================
+--- a/services/outside_network.c
++++ b/services/outside_network.c
+@@ -1979,7 +1979,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
+ 			return 0;
+ 		}
+ 		if(rto >= RTT_MAX_TIMEOUT) {
+-			fallback_tcp = 1;
++			/* fallback_tcp = 1; */
+ 			/* UDP does not work, fallback to TCP below */
+ 		} else {
+ 			serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);

net/unbound/patches/211-tls-timeout-leak.patch

@@ -0,0 +1,32 @@
+Unbound (trunk):
+For DNS over TLS service, it sets the configured tls auth name.
+This is useful for hosts that apart from the DNS over TLS services
+also provide other (web) services. Add SSL cleanup for tcp timeout.
+
+Index: services/outside_network.c
+===================================================================
+--- a/services/outside_network.c
++++ b/services/outside_network.c
+@@ -377,6 +379,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
+                         if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
+                                 log_err("SSL_set1_host failed");
+ 				pend->c->fd = s;
++				SSL_free(pend->c->ssl);
++				pend->c->ssl = NULL;
+ 				comm_point_close(pend->c);
+ 				return 0;
+ 			}
+@@ -1264,6 +1268,13 @@ outnet_tcptimer(void* arg)
+ 	} else {
+ 		/* it was in use */
+ 		struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
++		if(pend->c->ssl) {
++#ifdef HAVE_SSL
++			SSL_shutdown(pend->c->ssl);
++			SSL_free(pend->c->ssl);
++			pend->c->ssl = NULL;
++#endif
++		}
+ 		comm_point_close(pend->c);
+ 		pend->query = NULL;
+ 		pend->next_free = outnet->tcp_free;