update unbound

external/unbound/util/alloc.c

@@ -364,6 +364,9 @@ void *unbound_stat_malloc(size_t size)
 #ifdef calloc
 #undef calloc
 #endif
+#ifndef INT_MAX
+#define INT_MAX (((int)-1)>>1)
+#endif
 /** calloc with stats */
 void *unbound_stat_calloc(size_t nmemb, size_t size)
 {

external/unbound/util/config_file.c

@@ -70,6 +70,8 @@
 uid_t cfg_uid = (uid_t)-1;
 /** from cfg username, after daemonise setup performed */
 gid_t cfg_gid = (gid_t)-1;
+/** for debug allow small timeout values for fast rollovers */
+int autr_permit_small_holddown = 0;
 
 /** global config during parsing */
 struct config_parser_state* cfg_parser = 0;
@@ -200,6 +202,7 @@ config_create(void)
 	cfg->add_holddown = 30*24*3600;
 	cfg->del_holddown = 30*24*3600;
 	cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
+	cfg->permit_small_holddown = 0;
 	cfg->key_cache_size = 4 * 1024 * 1024;
 	cfg->key_cache_slabs = 4;
 	cfg->neg_cache_size = 1 * 1024 * 1024;
@@ -444,6 +447,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
 	else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
 	else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing)
+	else if(strcmp(opt, "permit-small-holddown:") == 0)
+	{ IS_YES_OR_NO; cfg->permit_small_holddown = (strcmp(val, "yes") == 0);
+	  autr_permit_small_holddown = cfg->permit_small_holddown; }
 	else S_MEMSIZE("key-cache-size:", key_cache_size)
 	else S_POW2("key-cache-slabs:", key_cache_slabs)
 	else S_MEMSIZE("neg-cache-size:", neg_cache_size)
@@ -705,6 +711,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_UNS(opt, "add-holddown", add_holddown)
 	else O_UNS(opt, "del-holddown", del_holddown)
 	else O_UNS(opt, "keep-missing", keep_missing)
+	else O_YNO(opt, "permit-small-holddown", permit_small_holddown)
 	else O_MEM(opt, "key-cache-size", key_cache_size)
 	else O_DEC(opt, "key-cache-slabs", key_cache_slabs)
 	else O_MEM(opt, "neg-cache-size", neg_cache_size)
@@ -1243,6 +1250,7 @@ config_apply(struct config_file* config)
 	MINIMAL_RESPONSES = config->minimal_responses;
 	RRSET_ROUNDROBIN = config->rrset_roundrobin;
 	log_set_time_asc(config->log_time_ascii);
+	autr_permit_small_holddown = config->permit_small_holddown;
 }
 
 void config_lookup_uid(struct config_file* cfg)

external/unbound/util/config_file.h

@@ -269,6 +269,8 @@ struct config_file {
 	unsigned int del_holddown;
 	/** autotrust keep_missing time, in seconds. 0 is forever. */
 	unsigned int keep_missing;
+	/** permit small holddown values, allowing 5011 rollover very fast */
+	int permit_small_holddown;
 
 	/** size of the key cache */
 	size_t key_cache_size;
@@ -368,6 +370,8 @@ struct config_file {
 extern uid_t cfg_uid;
 /** from cfg username, after daemonise setup performed */
 extern gid_t cfg_gid;
+/** debug and enable small timeouts */
+extern int autr_permit_small_holddown;
 
 /**
  * Stub config options

external/unbound/util/configlexer.lex

@@ -306,6 +306,7 @@ val-nsec3-keysize-iterations{COLON}	{
 add-holddown{COLON}		{ YDVAR(1, VAR_ADD_HOLDDOWN) }
 del-holddown{COLON}		{ YDVAR(1, VAR_DEL_HOLDDOWN) }
 keep-missing{COLON}		{ YDVAR(1, VAR_KEEP_MISSING) }
+permit-small-holddown{COLON}	{ YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) }
 use-syslog{COLON}		{ YDVAR(1, VAR_USE_SYSLOG) }
 log-time-ascii{COLON}		{ YDVAR(1, VAR_LOG_TIME_ASCII) }
 log-queries{COLON}		{ YDVAR(1, VAR_LOG_QUERIES) }

external/unbound/util/configparser.h

@@ -203,7 +203,8 @@ extern int yydebug;
      VAR_RATELIMIT_BELOW_DOMAIN = 412,
      VAR_RATELIMIT_FACTOR = 413,
      VAR_CAPS_WHITELIST = 414,
-     VAR_CACHE_MAX_NEGATIVE_TTL = 415
+     VAR_CACHE_MAX_NEGATIVE_TTL = 415,
+     VAR_PERMIT_SMALL_HOLDDOWN = 416
    };
 #endif
 /* Tokens.  */
@@ -365,6 +366,7 @@ extern int yydebug;
 #define VAR_RATELIMIT_FACTOR 413
 #define VAR_CAPS_WHITELIST 414
 #define VAR_CACHE_MAX_NEGATIVE_TTL 415
+#define VAR_PERMIT_SMALL_HOLDDOWN 416
 
 
 
@@ -378,7 +380,7 @@ typedef union YYSTYPE
 
 
 /* Line 2058 of yacc.c  */
-#line 382 "util/configparser.h"
+#line 384 "util/configparser.h"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */

external/unbound/util/configparser.y

@@ -121,7 +121,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
-%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL
+%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -185,7 +185,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
 	server_ratelimit_size | server_ratelimit_for_domain |
 	server_ratelimit_below_domain | server_ratelimit_factor |
-	server_caps_whitelist | server_cache_max_negative_ttl
+	server_caps_whitelist | server_cache_max_negative_ttl |
+	server_permit_small_holddown
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -1125,6 +1126,15 @@ server_keep_missing: VAR_KEEP_MISSING STRING_ARG
 		free($2);
 	}
 	;
+server_permit_small_holddown: VAR_PERMIT_SMALL_HOLDDOWN STRING_ARG
+	{
+		OUTYY(("P(server_permit_small_holddown:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->permit_small_holddown =
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
 server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_key_cache_size:%s)\n", $2));

external/unbound/util/data/msgencode.c

@@ -283,7 +283,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 	size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
 {
 	struct compress_tree_node* p;
-	struct compress_tree_node** insertpt;
+	struct compress_tree_node** insertpt = NULL;
 	if(!*owner_ptr) {
 		/* compress first time dname */
 		if((p = compress_tree_lookup(tree, key->rk.dname, 

external/unbound/util/data/msgreply.c

@@ -822,13 +822,13 @@ log_query_info(enum verbosity_value v, const char* str,
 }
 
 int
-reply_check_cname_chain(struct reply_info* rep) 
+reply_check_cname_chain(struct query_info* qinfo, struct reply_info* rep) 
 {
 	/* check only answer section rrs for matching cname chain.
 	 * the cache may return changed rdata, but owner names are untouched.*/
 	size_t i;
-	uint8_t* sname = rep->rrsets[0]->rk.dname;
-	size_t snamelen = rep->rrsets[0]->rk.dname_len;
+	uint8_t* sname = qinfo->qname;
+	size_t snamelen = qinfo->qname_len;
 	for(i=0; i<rep->an_numrrsets; i++) {
 		uint16_t t = ntohs(rep->rrsets[i]->rk.type);
 		if(t == LDNS_RR_TYPE_DNAME)

external/unbound/util/data/msgreply.h

@@ -359,10 +359,11 @@ uint8_t* reply_find_final_cname_target(struct query_info* qinfo,
 
 /**
  * Check if cname chain in cached reply is still valid.
+ * @param qinfo: query info with query name.
  * @param rep: reply to check.
  * @return: true if valid, false if invalid.
  */
-int reply_check_cname_chain(struct reply_info* rep);
+int reply_check_cname_chain(struct query_info* qinfo, struct reply_info* rep);
 
 /**
  * Check security status of all RRs in the message.

external/unbound/util/iana_ports.inc

@@ -1066,7 +1066,6 @@
 1404,
 1405,
 1406,
-1407,
 1408,
 1409,
 1410,
@@ -4667,6 +4666,7 @@
 7725,
 7726,
 7727,
+7728,
 7734,
 7738,
 7741,
@@ -4781,6 +4781,7 @@
 8301,
 8320,
 8321,
+8322,
 8351,
 8376,
 8377,
@@ -4788,6 +4789,7 @@
 8379,
 8380,
 8383,
+8384,
 8400,
 8401,
 8402,
@@ -4804,6 +4806,7 @@
 8474,
 8500,
 8501,
+8503,
 8554,
 8555,
 8567,
@@ -5034,6 +5037,7 @@
 10200,
 10201,
 10252,
+10253,
 10260,
 10288,
 10439,
@@ -5168,6 +5172,8 @@
 17220,
 17221,
 17222,
+17224,
+17225,
 17234,
 17235,
 17500,
@@ -5380,6 +5386,7 @@
 40843,
 40853,
 41111,
+41230,
 41794,
 41795,
 42508,

external/unbound/util/net_help.c

@@ -629,9 +629,9 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
-	if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+	if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
 		log_err("error for cert file: %s", pem);
-		log_crypto_err("error in SSL_CTX use_certificate_file");
+		log_crypto_err("error in SSL_CTX use_certificate_chain_file");
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
@@ -647,6 +647,23 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
+#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
+	if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
+		log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
+	}
+#elif defined(USE_ECDSA)
+	if(1) {
+		EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+		if (!ecdh) {
+			log_crypto_err("could not find p256, not enabling ECDHE");
+		} else {
+			if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
+				log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
+			}
+			EC_KEY_free (ecdh);
+		}
+	}
+#endif
 
 	if(verifypem && verifypem[0]) {
 		if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
@@ -684,7 +701,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 		return NULL;
 	}
 	if(key && key[0]) {
-		if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+		if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
 			log_err("error in client certificate %s", pem);
 			log_crypto_err("error in certificate file");
 			SSL_CTX_free(ctx);