update unbound, fix unbound openssl issue on OS X

external/unbound/util/config_file.c

@@ -100,7 +100,7 @@ config_create(void)
 	cfg->tcp_upstream = 0;
 	cfg->ssl_service_key = NULL;
 	cfg->ssl_service_pem = NULL;
-	cfg->ssl_port = 443;
+	cfg->ssl_port = 853;
 	cfg->ssl_upstream = 0;
 	cfg->use_syslog = 1;
 	cfg->log_time_ascii = 0;
@@ -174,7 +174,7 @@ config_create(void)
 	cfg->harden_dnssec_stripped = 1;
 	cfg->harden_below_nxdomain = 0;
 	cfg->harden_referral_path = 0;
-	cfg->harden_algo_downgrade = 1;
+	cfg->harden_algo_downgrade = 0;
 	cfg->use_caps_bits_for_id = 0;
 	cfg->caps_whitelist = NULL;
 	cfg->private_address = NULL;
@@ -240,6 +240,7 @@ config_create(void)
 	cfg->ratelimit_for_domain = NULL;
 	cfg->ratelimit_below_domain = NULL;
 	cfg->ratelimit_factor = 10;
+	cfg->qname_minimisation = 0;
 	return cfg;
 error_exit:
 	config_delete(cfg); 
@@ -473,6 +474,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_MEMSIZE("ratelimit-size:", ratelimit_size)
 	else S_POW2("ratelimit-slabs:", ratelimit_slabs)
 	else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
+	else S_YNO("qname-minimisation:", qname_minimisation)
 	/* val_sig_skew_min and max are copied into val_env during init,
 	 * so this does not update val_env with set_option */
 	else if(strcmp(opt, "val-sig-skew-min:") == 0)
@@ -747,6 +749,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
 	else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
 	else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
+	else O_YNO(opt, "qname-minimisation", qname_minimisation)
 	/* not here:
 	 * outgoing-permit, outgoing-avoid - have list of ports
 	 * local-zone - zones and nodefault variables
@@ -1555,6 +1558,28 @@ w_lookup_reg_str(const char* key, const char* name)
 	}
 	return result;
 }
+
+void w_config_adjust_directory(struct config_file* cfg)
+{
+	if(cfg->directory && cfg->directory[0]) {
+		TCHAR dirbuf[2*MAX_PATH+4];
+		if(strcmp(cfg->directory, "%EXECUTABLE%") == 0) {
+			/* get executable path, and if that contains
+			 * directories, snip off the filename part */
+			dirbuf[0] = 0;
+			if(!GetModuleFileName(NULL, dirbuf, MAX_PATH))
+				log_err("could not GetModuleFileName");
+			if(strrchr(dirbuf, '\\')) {
+				(strrchr(dirbuf, '\\'))[0] = 0;
+			} else log_err("GetModuleFileName had no path");
+			if(dirbuf[0]) {
+				/* adjust directory for later lookups to work*/
+				free(cfg->directory);
+				cfg->directory = memdup(dirbuf, strlen(dirbuf)+1);
+			}
+		}
+	}
+}
 #endif /* UB_ON_WINDOWS */
 
 void errinf(struct module_qstate* qstate, const char* str)

external/unbound/util/config_file.h

@@ -283,7 +283,7 @@ struct config_file {
 	struct config_str2list* local_zones;
 	/** local zones nodefault list */
 	struct config_strlist* local_zones_nodefault;
-	/** local data RRs configged */
+	/** local data RRs configured */
 	struct config_strlist* local_data;
 	/** unblock lan zones (reverse lookups for 10/8 and so on) */
 	int unblock_lan_zones;
@@ -364,6 +364,8 @@ struct config_file {
 	struct config_str2list* ratelimit_below_domain;
 	/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
 	int ratelimit_factor;
+	/** minimise outgoing QNAME and hide original QTYPE if possible */
+	int qname_minimisation;
 };
 
 /** from cfg username, after daemonise setup performed */
@@ -739,6 +741,9 @@ void ub_c_error_msg(const char* fmt, ...) ATTR_FORMAT(printf, 1, 2);
  * 	exist on an error (logged with log_err) was encountered.
  */
 char* w_lookup_reg_str(const char* key, const char* name);
+
+/** Modify directory in options for module file name */
+void w_config_adjust_directory(struct config_file* cfg);
 #endif /* UB_ON_WINDOWS */
 
 #endif /* UTIL_CONFIG_FILE_H */

external/unbound/util/configlexer.lex

@@ -126,6 +126,10 @@ static void config_start_include_glob(const char* filename)
 #endif
 		;
 		memset(&g, 0, sizeof(g));
+		if(cfg_parser->chroot && strncmp(filename, cfg_parser->chroot,
+			strlen(cfg_parser->chroot)) == 0) {
+			filename += strlen(cfg_parser->chroot);
+		}
 		r = glob(filename, flags, NULL, &g);
 		if(r) {
 			/* some error */
@@ -201,6 +205,7 @@ SQANY     [^\'\n\r\\]|\\.
 	/* note that flex makes the longest match and '.' is any but not nl */
 	LEXOUT(("comment(%s) ", yytext)); /* ignore */ }
 server{COLON}			{ YDVAR(0, VAR_SERVER) }
+qname-minimisation{COLON}	{ YDVAR(1, VAR_QNAME_MINIMISATION) }
 num-threads{COLON}		{ YDVAR(1, VAR_NUM_THREADS) }
 verbosity{COLON}		{ YDVAR(1, VAR_VERBOSITY) }
 port{COLON}			{ YDVAR(1, VAR_PORT) }

external/unbound/util/configparser.h

@@ -204,7 +204,8 @@ extern int yydebug;
      VAR_RATELIMIT_FACTOR = 413,
      VAR_CAPS_WHITELIST = 414,
      VAR_CACHE_MAX_NEGATIVE_TTL = 415,
-     VAR_PERMIT_SMALL_HOLDDOWN = 416
+     VAR_PERMIT_SMALL_HOLDDOWN = 416,
+     VAR_QNAME_MINIMISATION = 417
    };
 #endif
 /* Tokens.  */
@@ -367,6 +368,7 @@ extern int yydebug;
 #define VAR_CAPS_WHITELIST 414
 #define VAR_CACHE_MAX_NEGATIVE_TTL 415
 #define VAR_PERMIT_SMALL_HOLDDOWN 416
+#define VAR_QNAME_MINIMISATION 417
 
 
 
@@ -380,7 +382,7 @@ typedef union YYSTYPE
 
 
 /* Line 2058 of yacc.c  */
-#line 384 "util/configparser.h"
+#line 386 "util/configparser.h"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */

external/unbound/util/configparser.y

@@ -122,6 +122,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
 %token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
+%token VAR_QNAME_MINIMISATION
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -186,7 +187,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ratelimit_size | server_ratelimit_for_domain |
 	server_ratelimit_below_domain | server_ratelimit_factor |
 	server_caps_whitelist | server_cache_max_negative_ttl |
-	server_permit_small_holddown
+	server_permit_small_holddown | server_qname_minimisation
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -1318,6 +1319,16 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
 		free($2);
 	}
 	;
+server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG
+	{
+		OUTYY(("P(server_qname_minimisation:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->qname_minimisation = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 stub_name: VAR_NAME STRING_ARG
 	{
 		OUTYY(("P(name:%s)\n", $2));

external/unbound/util/data/packed_rrset.c

@@ -57,11 +57,9 @@ ub_packed_rrset_parsedelete(struct ub_packed_rrset_key* pkey,
 {
 	if(!pkey)
 		return;
-	if(pkey->entry.data)
-		free(pkey->entry.data);
+	free(pkey->entry.data);
 	pkey->entry.data = NULL;
-	if(pkey->rk.dname)
-		free(pkey->rk.dname);
+	free(pkey->rk.dname);
 	pkey->rk.dname = NULL;
 	pkey->id = 0;
 	alloc_special_release(alloc, pkey);

external/unbound/util/iana_ports.inc

@@ -660,6 +660,7 @@
 833,
 847,
 848,
+853,
 860,
 861,
 862,
@@ -3840,6 +3841,9 @@
 4404,
 4405,
 4406,
+4412,
+4413,
+4416,
 4425,
 4426,
 4430,
@@ -4570,6 +4574,7 @@
 7070,
 7071,
 7080,
+7088,
 7095,
 7099,
 7100,
@@ -5381,6 +5386,7 @@
 38203,
 39681,
 40000,
+40023,
 40841,
 40842,
 40843,

external/unbound/util/locks.c

@@ -232,7 +232,7 @@ void ub_thread_create(ub_thread_t* thr, void* (*func)(void*), void* arg)
 		0, /* default flags, run immediately */
 		NULL); /* do not store thread identifier anywhere */
 #else
-	/* the begintheadex routine setups for the C lib; aligns stack */
+	/* the beginthreadex routine setups for the C lib; aligns stack */
 	*thr=(ub_thread_t)_beginthreadex(NULL, 0, (void*)func, arg, 0, NULL);
 #endif
 	if(*thr == NULL) {

external/unbound/util/mini_event.c

@@ -261,12 +261,9 @@ void event_base_free(struct event_base* base)
 {
 	if(!base)
 		return;
-	if(base->times)
-		free(base->times);
-	if(base->fds)
-		free(base->fds);
-	if(base->signals)
-		free(base->signals);
+	free(base->times);
+	free(base->fds);
+	free(base->signals);
 	free(base);
 }
 

external/unbound/util/net_help.c

@@ -619,12 +619,14 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 		return NULL;
 	}
 	/* no SSLv2, SSLv3 because has defects */
-	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+		!= SSL_OP_NO_SSLv2){
 		log_crypto_err("could not set SSL_OP_NO_SSLv2");
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
-	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+		!= SSL_OP_NO_SSLv3){
 		log_crypto_err("could not set SSL_OP_NO_SSLv3");
 		SSL_CTX_free(ctx);
 		return NULL;
@@ -690,12 +692,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 		log_crypto_err("could not allocate SSL_CTX pointer");
 		return NULL;
 	}
-	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
+	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+		!= SSL_OP_NO_SSLv2) {
 		log_crypto_err("could not set SSL_OP_NO_SSLv2");
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
-	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
+	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+		!= SSL_OP_NO_SSLv3) {
 		log_crypto_err("could not set SSL_OP_NO_SSLv3");
 		SSL_CTX_free(ctx);
 		return NULL;

external/unbound/util/random.c

@@ -68,6 +68,8 @@
 /* nss3 */
 #include "secport.h"
 #include "pk11pub.h"
+#elif defined(HAVE_NETTLE)
+#include "yarrow.h"
 #endif
 
 /** 
@@ -76,7 +78,7 @@
  */
 #define MAX_VALUE 0x7fffffff
 
-#ifndef HAVE_NSS
+#if defined(HAVE_SSL)
 void
 ub_systemseed(unsigned int ATTR_UNUSED(seed))
 {
@@ -110,7 +112,7 @@ ub_random_max(struct ub_randstate* state, long int x)
 	return (long)arc4random_uniform((uint32_t)x);
 }
 
-#else
+#elif defined(HAVE_NSS)
 
 /* not much to remember for NSS since we use its pk11_random, placeholder */
 struct ub_randstate {
@@ -144,6 +146,72 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
 	return x & MAX_VALUE;
 }
 
+#elif defined(HAVE_NETTLE)
+
+/**
+ * libnettle implements a Yarrow-256 generator (SHA256 + AES),
+ * and we have to ensure it is seeded before use.
+ */
+struct ub_randstate {
+	struct yarrow256_ctx ctx;
+	int seeded;
+};
+
+void ub_systemseed(unsigned int ATTR_UNUSED(seed))
+{
+/**
+ * We seed on init and not here, as we need the ctx to re-seed.
+ * This also means that re-seeding is not supported.
+ */
+	log_err("Re-seeding not supported, generator untouched");
+}
+
+struct ub_randstate* ub_initstate(unsigned int seed,
+	struct ub_randstate* ATTR_UNUSED(from))
+{
+	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
+	uint8_t buf[YARROW256_SEED_FILE_SIZE];
+	if(!s) {
+		log_err("malloc failure in random init");
+		return NULL;
+	}
+	/* Setup Yarrow context */
+	yarrow256_init(&s->ctx, 0, NULL);
+
+	if(getentropy(buf, sizeof(buf)) != -1) {
+		/* got entropy */
+		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
+		s->seeded = yarrow256_is_seeded(&s->ctx);
+	} else {
+		/* Stretch the uint32 input seed and feed it to Yarrow */
+		uint32_t v = seed;
+		size_t i;
+		for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
+			memmove(buf+i*sizeof(seed), &v, sizeof(seed));
+			v = v*seed + (uint32_t)i;
+		}
+		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
+		s->seeded = yarrow256_is_seeded(&s->ctx);
+	}
+
+	return s;
+}
+
+long int ub_random(struct ub_randstate* s)
+{
+	/* random 31 bit value. */
+	long int x = 0;
+	if (!s || !s->seeded) {
+		log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded");
+	} else {
+		yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x);
+	}
+	return x & MAX_VALUE;
+}
+#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
+
+
+#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
 long int
 ub_random_max(struct ub_randstate* state, long int x)
 {
@@ -155,12 +223,11 @@ ub_random_max(struct ub_randstate* state, long int x)
 		v = ub_random(state);
 	return (v % x);
 }
-#endif /* HAVE_NSS */
+#endif /* HAVE_NSS or HAVE_NETTLE */
 
 void 
 ub_randfree(struct ub_randstate* s)
 {
-	if(s)
-		free(s);
+	free(s);
 	/* user app must do RAND_cleanup(); */
 }

external/unbound/util/rbtree.c

@@ -68,7 +68,7 @@ static void rbtree_insert_fixup(rbtree_t *rbtree, rbnode_t *node);
 static void rbtree_delete_fixup(rbtree_t* rbtree, rbnode_t* child, rbnode_t* child_parent);
 
 /*
- * Creates a new red black tree, intializes and returns a pointer to it.
+ * Creates a new red black tree, initializes and returns a pointer to it.
  *
  * Return NULL on failure.
  *

external/unbound/util/rtt.h

@@ -96,7 +96,7 @@ int rtt_notimeout(const struct rtt_info* rtt);
 void rtt_update(struct rtt_info* rtt, int ms);
 
 /**
- * Update the statistics with a new timout expired observation.
+ * Update the statistics with a new timeout expired observation.
  * @param rtt: round trip statistics structure.
  * @param orig: original rtt time given for the query that timed out.
  * 	Used to calculate the maximum responsible backed off time that

external/unbound/util/storage/lookup3.c

@@ -356,7 +356,7 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
      * rest of the string.  Every machine with memory protection I've seen
      * does it on word boundaries, so is OK with this.  But VALGRIND will
      * still catch it and complain.  The masking trick does make the hash
-     * noticably faster for short strings (like English words).
+     * noticeably faster for short strings (like English words).
      */
 #ifndef VALGRIND
 
@@ -544,7 +544,7 @@ void hashlittle2(
      * rest of the string.  Every machine with memory protection I've seen
      * does it on word boundaries, so is OK with this.  But VALGRIND will
      * still catch it and complain.  The masking trick does make the hash
-     * noticably faster for short strings (like English words).
+     * noticeably faster for short strings (like English words).
      */
 #ifndef VALGRIND
 
@@ -725,7 +725,7 @@ uint32_t hashbig( const void *key, size_t length, uint32_t initval)
      * rest of the string.  Every machine with memory protection I've seen
      * does it on word boundaries, so is OK with this.  But VALGRIND will
      * still catch it and complain.  The masking trick does make the hash
-     * noticably faster for short strings (like English words).
+     * noticeably faster for short strings (like English words).
      */
 #ifndef VALGRIND
 
@@ -858,7 +858,7 @@ void driver2()
     {
       for (j=0; j<8; ++j)   /*------------------------ for each input bit, */
       {
-	for (m=1; m<8; ++m) /*------------ for serveral possible initvals, */
+	for (m=1; m<8; ++m) /*------------ for several possible initvals, */
 	{
 	  for (l=0; l<HASHSTATE; ++l)
 	    e[l]=f[l]=g[l]=h[l]=x[l]=y[l]=~((uint32_t)0);

external/unbound/util/tube.c

@@ -118,10 +118,8 @@ void tube_remove_bg_listen(struct tube* tube)
 		comm_point_delete(tube->listen_com);
 		tube->listen_com = NULL;
 	}
-	if(tube->cmd_msg) {
-		free(tube->cmd_msg);
-		tube->cmd_msg = NULL;
-	}
+	free(tube->cmd_msg);
+	tube->cmd_msg = NULL;
 }
 
 void tube_remove_bg_write(struct tube* tube)

external/unbound/util/tube.h

@@ -83,7 +83,7 @@ struct tube {
 
 	/** background write queue, commpoint to write results back */
 	struct comm_point* res_com;
-	/** are we curently writing a result, 0 if not, else bytecount into
+	/** are we currently writing a result, 0 if not, else bytecount into
 	 * the res_list first entry. */
 	size_t res_write;
 	/** list of outstanding results to be written back */

external/unbound/util/winsock_event.c

@@ -459,12 +459,9 @@ void event_base_free(struct event_base *base)
 	verbose(VERB_CLIENT, "winsock_event event_base_free");
         if(!base)
                 return;
-	if(base->items)
-		free(base->items);
-        if(base->times)
-                free(base->times);
-        if(base->signals)
-                free(base->signals);
+	free(base->items);
+        free(base->times);
+        free(base->signals);
         free(base);
 }
 

external/unbound/util/winsock_event.h

@@ -201,7 +201,7 @@ struct event {
 	int stick_events;
 
 	/** true if this event is a signaling WSAEvent by the user. 
-	 * User created and user closed WSAEvent. Only signaled/unsigneled,
+	 * User created and user closed WSAEvent. Only signaled/unsignaled,
 	 * no read/write/distinctions needed. */
 	int is_signal;
 	/** used during callbacks to see which events were just checked */