From 5abe5bd06f3c60a14df0e84f419c18b59200c458 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 09 2021 09:48:36 +0000
Subject: import unbound-1.7.3-17.el8
---
diff --git a/SOURCES/unbound-1.7.3-rh1830625.patch b/SOURCES/unbound-1.7.3-rh1830625.patch
new file mode 100644
index 0000000..dd36c7e
--- /dev/null
+++ b/SOURCES/unbound-1.7.3-rh1830625.patch
@@ -0,0 +1,203 @@
+diff --git a/config.h.in b/config.h.in
+index 3b06bfa..2beb538 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -735,6 +735,14 @@
+ /* Define to 1 to use ipsecmod support. */
+ #undef USE_IPSECMOD
+ 
++/* WARNING! This is only for the libunbound on Linux and does not affect
++ unbound resolving daemon itself. This may severely limit the number of
++ available outgoing ports and thus decrease randomness. Define this only
++ when the target system restricts (e.g. some of SELinux enabled
++ distributions) the use of non-ephemeral ports. Define this to enable use of
++ /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. */
++#undef USE_LINUX_IP_LOCAL_PORT_RANGE
++
+ /* Define if you want to use internal select based events */
+ #undef USE_MINI_EVENT
+ 
+diff --git a/configure b/configure
+index 16d50d0..36cf3fa 100755
+--- a/configure
++++ b/configure
+@@ -878,6 +878,7 @@ enable_dnscrypt
+ with_libsodium
+ enable_cachedb
+ enable_ipsecmod
++enable_linux_ip_local_port_range
+ with_libunbound_only
+ '
+ ac_precious_vars='build_alias
+@@ -1565,6 +1566,16 @@ Optional Features:
+ storage
+ --enable-ipsecmod Enable ipsecmod module that facilitates
+ opportunistic IPsec
++ --enable-linux-ip-local-port-range
++ WARNING! This is only for the libunbound on Linux
++ and does not affect unbound resolving daemon itself.
++ This may severely limit the number of available
++ outgoing ports and thus decrease randomness. Use
++ this option only when the target system restricts
++ the use of non-ephemeral ports. (e.g. some of
++ SELinux enabled distributions) Enable this option to
++ use /proc/sys/net/ipv4/ip_local_port_range as a
++ default outgoing port range
+ 
+ Optional Packages:
+ --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
+@@ -4147,6 +4158,13 @@ else
+ else on_mingw="no"; fi
+ fi
+ 
++# are we on Linux?
++if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes"
++else
++ if echo $host $target | grep linux >/dev/null; then on_linux="yes"
++ else on_linux="no"; fi
++fi
++
+ #
+ # Determine configuration file
+ # the eval is to evaluate shell expansion twice
+@@ -20899,6 +20917,23 @@ $as_echo "#define USE_IPSECMOD 1" >>confdefs.h
+ ;;
+ esac
+ 
++if test $on_linux = "yes"; then
++ # Check whether --enable-linux-ip-local-port-range was given.
++if test "${enable_linux_ip_local_port_range+set}" = set; then :
++ enableval=$enable_linux_ip_local_port_range;
++fi
++
++ case "$enable_linux_ip_local_port_range" in
++ yes)
++
++$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h
++
++ ;;
++ no|*)
++ ;;
++ esac
++fi
++
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
+ $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
+ # on openBSD, the implicit rule make $< work.
+diff --git a/configure.ac b/configure.ac
+index 1bff4ed..525ad62 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -131,6 +131,13 @@ else
+ else on_mingw="no"; fi
+ fi
+ 
++# are we on Linux?
++if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes"
++else
++ if echo $host $target | grep linux >/dev/null; then on_linux="yes"
++ else on_linux="no"; fi
++fi
++
+ #
+ # Determine configuration file
+ # the eval is to evaluate shell expansion twice
+@@ -1520,6 +1527,17 @@ case "$enable_ipsecmod" in
+ ;;
+ esac
+ 
++if test $on_linux = "yes"; then
++ AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Use this option only when the target system restricts the use of non-ephemeral ports. (e.g. 
some of SELinux enabled distributions) Enable this option to use /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range]))
++ case "$enable_linux_ip_local_port_range" in
++ yes)
++ AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports. Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range.])
++ ;;
++ no|*)
++ ;;
++ esac
++fi
++
+ AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
+ # on openBSD, the implicit rule make $< work.
+ # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
+diff --git a/libunbound/context.c b/libunbound/context.c
+index 6ac8086..e1fbc64 100644
+--- a/libunbound/context.c
++++ b/libunbound/context.c
+@@ -60,6 +60,7 @@ context_finalize(struct ub_ctx* ctx)
+ if(ctx->logfile_override)
+ log_file(ctx->log_out);
+ else log_init(cfg->logfile, cfg->use_syslog, NULL);
++ cfg_apply_local_port_policy(cfg, 65536);
+ config_apply(cfg);
+ if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
+ return UB_INITFAIL;
+diff --git a/util/config_file.c b/util/config_file.c
+index 68a0a15..eaf1ca3 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -1474,6 +1474,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail)
+ return num;
+ }
+ 
++void cfg_apply_local_port_policy(struct config_file* cfg, int num) {
++(void)cfg;
++(void)num;
++#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
++ {
++ int i = 0;
++ FILE* range_fd;
++ if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) {
++ int min_port = 0;
++ int max_port = num - 1;
++ if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) {
++ for(i=0; 
ioutgoing_avail_ports[i] = 0;
++ }
++ for(i=max_port+1; ioutgoing_avail_ports[i] = 0;
++ }
++ } else {
++ log_err("unexpected port range in %s",
++ LINUX_IP_LOCAL_PORT_RANGE_PATH);
++ }
++ fclose(range_fd);
++ } else {
++ log_warn("failed to read from file: %s (%s)",
++ LINUX_IP_LOCAL_PORT_RANGE_PATH,
++ strerror(errno));
++ }
++ }
++#endif
++}
++
+ /** print error with file and line number */
+ static void ub_c_error_va_list(const char *fmt, va_list args)
+ {
+diff --git a/util/config_file.h b/util/config_file.h
+index 1e7f402..3aa71b7 100644
+--- a/util/config_file.h
++++ b/util/config_file.h
+@@ -1009,6 +1009,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num);
+ */
+ int cfg_condense_ports(struct config_file* cfg, int** avail);
+ 
++/**
++ * Apply system specific port range policy.
++ * @param cfg: config file.
++ * @param num: size of the array (65536).
++ */
++void cfg_apply_local_port_policy(struct config_file* cfg, int num);
++
+ /**
+ * Scan ports available
+ * @param avail: the array from cfg.
+@@ -1138,4 +1145,8 @@ void w_config_adjust_directory(struct config_file* cfg);
+ /** debug option for unit tests. */
+ extern int fake_dsa, fake_sha1;
+ 
++#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
++#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
++#endif
++
+ #endif /* UTIL_CONFIG_FILE_H */
diff --git a/SOURCES/unbound.service b/SOURCES/unbound.service
index 287fe8d..49dc7bd 100644
--- a/SOURCES/unbound.service
+++ b/SOURCES/unbound.service
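Review bot: In cfg_apply_local_port_policy (the util/config_file.c part of the new patch file) the two values fscanf() reads from LINUX_IP_LOCAL_PORT_RANGE_PATH are used as bounds for the loops that clear `cfg->outgoing_avail_ports` without being checked against `num`; the loop conditions are not legible in this rendering (the text after `for(i=0; i` and `for(i=max_port+1; i` is cut), but as written a min_port above num or a max_port below -1 would index the array out of bounds. The else branch already logs "unexpected port range", so the cheapest fix is to widen the existing condition: `if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2 && min_port >= 0 && max_port < num && min_port <= max_port) {`. The caller in libunbound/context.c hard-codes `65536`; if a constant for the size of outgoing_avail_ports exists it should be passed instead so the bound and the array cannot drift apart. A range that leaves no port available is also accepted silently, and a log_warn() in that case would make a misconfigured sysctl much easier to diagnose.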
@@ -11,7 +11,7 @@ Wants=nss-lookup.target
 Type=simple
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec
index f67eb73..6f3335f 100644
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@@ -34,7 +34,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.7.3
-Release: 15%{?extra_version:.%{extra_version}}%{?dist}
+Release: 17%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -69,6 +69,8 @@ Patch12: unbound-1.7.3-crypto-policy-non-compliance-openssl.patch
 Patch13: unbound-1.7.3-additional-logging.patch
 Patch14: unbound-1.7.3-security-hardening.patch
 Patch15: unbound-1.7.3-symlink-traversal.patch
+# rhbz#1830625 upstream PR https://github.com/NLnetLabs/unbound/pull/415/files
+Patch16: unbound-1.7.3-rh1830625.patch
 BuildRequires: gdb
 BuildRequires: gcc, make
@@ -179,6 +181,7 @@ pushd %{pkgname}
 %patch13 -p1 -b .additional-logging
 %patch14 -p1 -b .security-hardening
 %patch15 -p1 -b .symlink-traversal
+%patch16 -p1 -b .rh1830625
 # only for snapshots
 # autoreconf -iv
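Review bot: The new ExecStartPre= line in unbound.service drops the leading `-` that the replaced line carried, so a non-zero exit from the bash wrapper — which is unbound-anchor's own exit status whenever DISABLE_UNBOUND_ANCHOR is not "yes" — now aborts the unit start instead of being tolerated. unbound-anchor is documented to exit 1 in non-error situations (anchor updated from the certificate, or the built-in anchor used on first run), which is presumably why the prefix was there; confirm against the unbound-anchor man page shipped with this version. Keep the prefix: `ExecStartPre=-/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then ...; fi'`. `[ ! "$X" == "yes" ]` is also a bash-only spelling of the test; `[ "$DISABLE_UNBOUND_ANCHOR" != "yes" ]` reads more directly and works in any POSIX shell.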
@@ -204,7 +207,8 @@ cp -a %{dir_primary} %{dir_secondary}
 --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
 --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
 --enable-sha2 --disable-gost --enable-ecdsa \\\
- --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
+ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
+ --enable-linux-ip-local-port-range
 pushd %{dir_primary}
@@ -452,6 +456,15 @@ popd
 %verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
 %changelog
+* Mon Apr 26 2021 Artem Egorenkov - 1.7.3-17
+- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
+- Resolves: rhbz#1830625
+
+* Tue Apr 06 2021 Artem Egorenkov - 1.7.3-16
+- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR
+ environment variable equals to "yes"
+- Resolves: rhbz#1922448
+
 * Tue Sep 01 2020 Anna Khaitovich - 1.7.3-15
 - Fix SPEC file to not check md5 mtime and size of /var/lib/unbound/root.key
 - Resolves: rhbz#1714175
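Review bot: `--enable-linux-ip-local-port-range` is passed unconditionally in the configure hunk, which defines USE_LINUX_IP_LOCAL_PORT_RANGE for every libunbound consumer built from this package rather than only the SELinux-restricted hosts behind rhbz#1830625; the option's own help text warns that it can severely limit the outgoing port pool and reduce randomness, which is part of a resolver's protection against forged answers. A one-line comment next to the flag recording why the trade-off is acceptable here would help the next maintainer, e.g. `# rhbz#1830625: libunbound on SELinux-restricted hosts may only bind ports from the kernel's ip_local_port_range; the daemon itself is not affected (upstream PR 415)`. The 1.7.3-17 changelog entry could carry the same clause.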