authordes <des@FreeBSD.org>2013-04-05 09:51:31 +0000
committerdes <des@FreeBSD.org>2013-04-05 09:51:31 +0000
commit977c6e8c4173172b0a2399d8f55f18a3b815a947 (patch)
treea17550a8c82df6e46c2bb87a9d9faf38d76f9933 /contrib/unbound/daemon
parentb0cbd784b12baa8ea27f7196e9a297847e8284c1 (diff)
parent35be22788f689639c1a53f650cd8a1fad60a1466 (diff)
Upgrade to 1.4.20.
Diffstat (limited to 'contrib/unbound/daemon')
-rw-r--r--contrib/unbound/daemon/cachedump.c2
-rw-r--r--contrib/unbound/daemon/daemon.c53
-rw-r--r--contrib/unbound/daemon/remote.c74
-rw-r--r--contrib/unbound/daemon/remote.h6
-rw-r--r--contrib/unbound/daemon/unbound.c17
-rw-r--r--contrib/unbound/daemon/worker.c13
6 files changed, 133 insertions, 32 deletions
diff --git a/contrib/unbound/daemon/cachedump.c b/contrib/unbound/daemon/cachedump.c
index 988e247..46c625f 100644
--- a/contrib/unbound/daemon/cachedump.c
+++ b/contrib/unbound/daemon/cachedump.c
@@ -44,11 +44,9 @@
#include "daemon/cachedump.h"
#include "daemon/remote.h"
#include "daemon/worker.h"
-#include "daemon/daemon.h"
#include "services/cache/rrset.h"
#include "services/cache/dns.h"
#include "services/cache/infra.h"
-#include "services/modstack.h"
#include "util/data/msgreply.h"
#include "util/regional.h"
#include "util/net_help.h"
diff --git a/contrib/unbound/daemon/daemon.c b/contrib/unbound/daemon/daemon.c
index 9d6ce9f..b91683f 100644
--- a/contrib/unbound/daemon/daemon.c
+++ b/contrib/unbound/daemon/daemon.c
@@ -55,6 +55,12 @@
#ifdef HAVE_OPENSSL_ENGINE_H
#include <openssl/engine.h>
#endif
+
+#ifdef HAVE_NSS
+/* nss3 */
+#include "nss.h"
+#endif
+
#include <ldns/ldns.h>
#include "daemon/daemon.h"
#include "daemon/worker.h"
@@ -73,6 +79,7 @@
#include "util/module.h"
#include "util/random.h"
#include "util/tube.h"
+#include "util/net_help.h"
#include <signal.h>
/** How many quit requests happened. */
@@ -189,20 +196,29 @@ daemon_init(void)
#endif /* USE_WINSOCK */
signal_handling_record();
checklock_start();
+#ifdef HAVE_SSL
ERR_load_crypto_strings();
ERR_load_SSL_strings();
-#ifdef HAVE_OPENSSL_CONFIG
+# ifdef HAVE_OPENSSL_CONFIG
OPENSSL_config("unbound");
-#endif
-#ifdef USE_GOST
+# endif
+# ifdef USE_GOST
(void)ldns_key_EVP_load_gost_id();
-#endif
+# endif
OpenSSL_add_all_algorithms();
-#if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
+# if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
/* grab the COMP method ptr because openssl leaks it */
comp_meth = (void*)SSL_COMP_get_compression_methods();
-#endif
+# endif
(void)SSL_library_init();
+# if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+ if(!ub_openssl_lock_init())
+ fatal_exit("could not init openssl locks");
+# endif
+#elif defined(HAVE_NSS)
+ if(NSS_NoDB_Init(NULL) != SECSuccess)
+ fatal_exit("could not init NSS");
+#endif /* HAVE_SSL or HAVE_NSS */
#ifdef HAVE_TZSET
/* init timezone info while we are not chrooted yet */
tzset();
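Review bot: The guard around the new `ub_openssl_lock_init()` call repeats `defined(HAVE_SSL)` although it is already nested inside the `#ifdef HAVE_SSL` opened at the top of this hunk, so it can be reduced to `# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)`; the matching guard in daemon_delete has the same redundancy. Installing the lock callbacks in daemon_init, before any worker thread can exist, looks like the right place, but nothing in the hunk says that it must stay there; a comment such as `/* must run before the first worker thread is created: presumably libcrypto has no locking until these callbacks are installed */` would keep a later reorder from silently breaking thread safety. daemon_init's body starts before and ends after this hunk.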
@@ -530,31 +546,40 @@ daemon_delete(struct daemon* daemon)
free(daemon->chroot);
free(daemon->pidfile);
free(daemon->env);
+#ifdef HAVE_SSL
SSL_CTX_free((SSL_CTX*)daemon->listen_sslctx);
SSL_CTX_free((SSL_CTX*)daemon->connect_sslctx);
+#endif
free(daemon);
#ifdef LEX_HAS_YYLEX_DESTROY
/* lex cleanup */
ub_c_lex_destroy();
#endif
/* libcrypto cleanup */
-#if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
+#ifdef HAVE_SSL
+# if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
ldns_key_EVP_unload_gost();
-#endif
-#if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE
-#ifndef S_SPLINT_S
+# endif
+# if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE
+# ifndef S_SPLINT_S
sk_SSL_COMP_pop_free(comp_meth, (void(*)())CRYPTO_free);
-#endif
-#endif
-#ifdef HAVE_OPENSSL_CONFIG
+# endif
+# endif
+# ifdef HAVE_OPENSSL_CONFIG
EVP_cleanup();
ENGINE_cleanup();
CONF_modules_free();
-#endif
+# endif
CRYPTO_cleanup_all_ex_data(); /* safe, no more threads right now */
ERR_remove_state(0);
ERR_free_strings();
RAND_cleanup();
+# if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+ ub_openssl_lock_delete();
+# endif
+#elif defined(HAVE_NSS)
+ NSS_Shutdown();
+#endif /* HAVE_SSL or HAVE_NSS */
checklock_stop();
#ifdef USE_WINSOCK
if(WSACleanup() != 0) {
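Review bot: `ub_openssl_lock_delete()` is placed after all the libcrypto cleanup calls above it, which is the safe order if those calls still go through the CRYPTO lock callbacks, but the only justification nearby is the older `/* safe, no more threads right now */` remark on `CRYPTO_cleanup_all_ex_data`; a comment on the new call, `/* keep last: the cleanup calls above may still take the lock callbacks */`, protects that ordering. The guard also repeats `defined(HAVE_SSL)` inside the enclosing `#ifdef HAVE_SSL` block and can be written as `# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)`. daemon_delete starts before this hunk.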
diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c
index 38ca15c..5dc05c5 100644
--- a/contrib/unbound/daemon/remote.c
+++ b/contrib/unbound/daemon/remote.c
@@ -1286,6 +1286,74 @@ do_flush_zone(SSL* ssl, struct worker* worker, char* arg)
(unsigned)inf.num_msgs, (unsigned)inf.num_keys);
}
+/** callback to delete bogus rrsets */
+static void
+bogus_del_rrset(struct lruhash_entry* e, void* arg)
+{
+ /* entry is locked */
+ struct del_info* inf = (struct del_info*)arg;
+ struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
+ if(d->security == sec_status_bogus) {
+ d->ttl = inf->expired;
+ inf->num_rrsets++;
+ }
+}
+
+/** callback to delete bogus messages */
+static void
+bogus_del_msg(struct lruhash_entry* e, void* arg)
+{
+ /* entry is locked */
+ struct del_info* inf = (struct del_info*)arg;
+ struct reply_info* d = (struct reply_info*)e->data;
+ if(d->security == sec_status_bogus) {
+ d->ttl = inf->expired;
+ inf->num_msgs++;
+ }
+}
+
+/** callback to delete bogus keys */
+static void
+bogus_del_kcache(struct lruhash_entry* e, void* arg)
+{
+ /* entry is locked */
+ struct del_info* inf = (struct del_info*)arg;
+ struct key_entry_data* d = (struct key_entry_data*)e->data;
+ if(d->isbad) {
+ d->ttl = inf->expired;
+ inf->num_keys++;
+ }
+}
+
+/** remove all rrsets and keys from zone from cache */
+static void
+do_flush_bogus(SSL* ssl, struct worker* worker)
+{
+ struct del_info inf;
+ /* what we do is to set them all expired */
+ inf.worker = worker;
+ inf.now = *worker->env.now;
+ inf.expired = *worker->env.now;
+ inf.expired -= 3; /* handle 3 seconds skew between threads */
+ inf.num_rrsets = 0;
+ inf.num_msgs = 0;
+ inf.num_keys = 0;
+ slabhash_traverse(&worker->env.rrset_cache->table, 1,
+ &bogus_del_rrset, &inf);
+
+ slabhash_traverse(worker->env.msg_cache, 1, &bogus_del_msg, &inf);
+
+ /* and validator cache */
+ if(worker->env.key_cache) {
+ slabhash_traverse(worker->env.key_cache->slab, 1,
+ &bogus_del_kcache, &inf);
+ }
+
+ (void)ssl_printf(ssl, "ok removed %u rrsets, %u messages "
+ "and %u key entries\n", (unsigned)inf.num_rrsets,
+ (unsigned)inf.num_msgs, (unsigned)inf.num_keys);
+}
+
/** remove name rrset from cache */
static void
do_flush_name(SSL* ssl, struct worker* w, char* arg)
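Review bot: The doc comment on do_flush_bogus, `/** remove all rrsets and keys from zone from cache */`, is copied from the zone flush and does not describe this function, which takes no zone and instead walks the rrset, message and key caches expiring entries whose security status is bogus (`isbad` for key entries); it should read `/** mark all bogus rrsets, messages and key entries in the caches as expired */`. `inf.now` is filled in but none of the three callbacks in this hunk read it, only `inf.expired`; if struct del_info needs it for the other traversals this is harmless, otherwise it can go. The callbacks are named `*_del_*` but only rewrite `ttl`, which matches the existing flush routines, so the `/* what we do is to set them all expired */` remark is worth keeping next to the traversals.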
@@ -1393,6 +1461,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
}
if(!delegpt_add_ns_mlc(dp, n, 0)) {
(void)ssl_printf(ssl, "error out of memory\n");
+ free(n);
delegpt_free_mlc(dp);
return NULL;
}
@@ -1442,7 +1511,6 @@ do_forward(SSL* ssl, struct worker* worker, char* args)
return;
if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
(void)ssl_printf(ssl, "error out of memory\n");
- delegpt_free_mlc(dp);
return;
}
}
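Review bot: Dropping `delegpt_free_mlc(dp)` on the `forwards_add_zone` failure path is correct only if forwards_add_zone now frees `dp` itself when it fails, which this hunk does not show; without a note at the call site the next reader will see a freshly built delegpt apparently leaked and re-add the free, reintroducing the double free this removal presumably fixes. Annotate the error branch: `/* forwards_add_zone takes ownership of dp and frees it on failure */`. do_forward's body starts before this hunk.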
@@ -1514,7 +1582,6 @@ do_forward_add(SSL* ssl, struct worker* worker, char* args)
}
if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
(void)ssl_printf(ssl, "error out of memory\n");
- delegpt_free_mlc(dp);
free(nm);
return;
}
@@ -1571,7 +1638,6 @@ do_stub_add(SSL* ssl, struct worker* worker, char* args)
forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm);
if(insecure) anchors_delete_insecure(worker->env.anchors,
LDNS_RR_CLASS_IN, nm);
- delegpt_free_mlc(dp);
free(nm);
return;
}
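Review bot: The error branch here still unwinds the stub hole and the insecure anchor but no longer frees `dp`, so ownership of the delegpt must now pass to the call that failed, which is above this hunk and not visible; state that on the branch, e.g. `/* dp is owned, and freed on failure, by the stub add call above */`, otherwise the asymmetry with the `free(nm)` that remains reads like a leak. do_stub_add starts before and ends after this hunk.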
@@ -2040,6 +2106,8 @@ execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd,
do_set_option(ssl, worker, skipwhite(p+10));
} else if(cmdcmp(p, "get_option", 10)) {
do_get_option(ssl, worker, skipwhite(p+10));
+ } else if(cmdcmp(p, "flush_bogus", 11)) {
+ do_flush_bogus(ssl, worker);
} else {
(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
}
diff --git a/contrib/unbound/daemon/remote.h b/contrib/unbound/daemon/remote.h
index 5919be4..8d5b412 100644
--- a/contrib/unbound/daemon/remote.h
+++ b/contrib/unbound/daemon/remote.h
@@ -69,8 +69,10 @@ struct rc_state {
struct comm_point* c;
/** in the handshake part */
enum { rc_none, rc_hs_read, rc_hs_write } shake_state;
+#ifdef HAVE_SSL
/** the ssl state */
SSL* ssl;
+#endif
/** the rc this is part of */
struct daemon_remote* rc;
};
@@ -93,8 +95,10 @@ struct daemon_remote {
int max_active;
/** current commpoints busy; should be a short list, malloced */
struct rc_state* busy_list;
+#ifdef HAVE_SSL
/** the SSL context for creating new SSL streams */
SSL_CTX* ctx;
+#endif
};
/**
@@ -159,6 +163,7 @@ int remote_accept_callback(struct comm_point*, void*, int, struct comm_reply*);
/** handle remote control data callbacks */
int remote_control_callback(struct comm_point*, void*, int, struct comm_reply*);
+#ifdef HAVE_SSL
/**
* Print fixed line of text over ssl connection in blocking mode
* @param ssl: print to
@@ -185,6 +190,7 @@ int ssl_printf(SSL* ssl, const char* format, ...)
* @return false on connection failure.
*/
int ssl_read_line(SSL* ssl, char* buf, size_t max);
+#endif /* HAVE_SSL */
/** routine to printout option values over SSL */
void remote_get_opt_ssl(char* line, void* arg);
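Review bot: `ssl_printf` and `ssl_read_line` are now declared only under HAVE_SSL, but `remote_get_opt_ssl` two lines below stays unconditional and remote.c in this same commit still defines functions taking `SSL*` (for example `do_flush_bogus(SSL* ssl, ...)`), so a build with HAVE_NSS and no HAVE_SSL presumably compiles only because remote.c is left out elsewhere. That dependency belongs on the guard, `#ifdef HAVE_SSL /* remote control is only built with OpenSSL */`; if remote.c is not excluded, its callers need the same guard.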
diff --git a/contrib/unbound/daemon/unbound.c b/contrib/unbound/daemon/unbound.c
index 6d87a4f..cd08c9c 100644
--- a/contrib/unbound/daemon/unbound.c
+++ b/contrib/unbound/daemon/unbound.c
@@ -87,6 +87,11 @@
# include "winrc/win_svc.h"
#endif
+#ifdef HAVE_NSS
+/* nss3 */
+# include "nss.h"
+#endif
+
/** global debug value to keep track of heap memory allocation */
void* unbound_start_brk = 0;
@@ -159,7 +164,12 @@ static void usage()
get_event_sys(&evnm, &evsys, &evmethod);
printf("linked libs: %s %s (it uses %s), ldns %s, %s\n",
evnm, evsys, evmethod, ldns_version(),
- SSLeay_version(SSLEAY_VERSION));
+#ifdef HAVE_SSL
+ SSLeay_version(SSLEAY_VERSION)
+#elif defined(HAVE_NSS)
+ NSS_GetVersion()
+#endif
+ );
printf("linked modules:");
for(m = module_list_avail(); *m; m++)
printf(" %s", *m);
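Review bot: The `printf` argument list in usage() now ends in a bare comma when neither HAVE_SSL nor HAVE_NSS is defined, which is a syntax error, and the format still carries a `%s` with no matching argument; whether configure forbids that combination is not visible here. A fallback branch, `#else` / `"no crypto library"` / `#endif`, keeps the call well-formed in every configuration.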
@@ -445,6 +455,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
* given to unbound on the commandline. */
/* read ssl keys while superuser and outside chroot */
+#ifdef HAVE_SSL
if(!(daemon->rc = daemon_remote_create(cfg)))
fatal_exit("could not set up remote-control");
if(cfg->ssl_service_key && cfg->ssl_service_key[0]) {
@@ -454,6 +465,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
}
if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, NULL)))
fatal_exit("could not set up connect SSL_CTX");
+#endif
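Review bot: With the remote-control setup now under `#ifdef HAVE_SSL`, `daemon->rc` and both SSL contexts stay NULL in an NSS-only build, and nothing in this hunk records that; code later in perform_setup or in the workers that dereferences `daemon->rc` (not visible here) has to tolerate it. A comment on the guard, `/* without OpenSSL there is no remote-control channel or TLS upstream; daemon->rc stays NULL */`, documents the assumption. The existing `read ssl keys while superuser and outside chroot` note is still accurate and should stay attached to the guarded code. perform_setup starts before and ends after this hunk.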
#ifdef HAVE_KILL
/* check old pid file before forking */
@@ -528,6 +540,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
if(chroot(cfg->chrootdir))
fatal_exit("unable to chroot to %s: %s",
cfg->chrootdir, strerror(errno));
+ if(chdir("/"))
+ fatal_exit("unable to chdir to / in chroot %s: %s",
+ cfg->chrootdir, strerror(errno));
verbose(VERB_QUERY, "chroot to %s", cfg->chrootdir);
if(strncmp(*cfgfile, cfg->chrootdir,
strlen(cfg->chrootdir)) == 0)
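Review bot: The new `chdir("/")` is the necessary companion to `chroot()`, since a working directory left outside the new root is a well-known way to reach files outside the jail, but the code does not say why it is there and a later cleanup could drop it as redundant. Add `/* chdir into the jail: a cwd outside the new root would let relative paths escape the chroot */` above the call. perform_setup continues outside this hunk.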
diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c
index 832278f..eeb323c 100644
--- a/contrib/unbound/daemon/worker.c
+++ b/contrib/unbound/daemon/worker.c
@@ -1243,17 +1243,6 @@ worker_delete(struct worker* worker)
free(worker);
}
-/** compare outbound entry qstates */
-static int
-outbound_entry_compare(void* a, void* b)
-{
- struct outbound_entry* e1 = (struct outbound_entry*)a;
- struct outbound_entry* e2 = (struct outbound_entry*)b;
- if(e1->qstate == e2->qstate)
- return 1;
- return 0;
-}
-
struct outbound_entry*
worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
uint16_t qclass, uint16_t flags, int dnssec, int want_dnssec,
@@ -1270,7 +1259,7 @@ worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
qnamelen, qtype, qclass, flags, dnssec, want_dnssec,
q->env->cfg->tcp_upstream, q->env->cfg->ssl_upstream, addr,
addrlen, zone, zonelen, worker_handle_service_reply, e,
- worker->back->udp_buff, &outbound_entry_compare);
+ worker->back->udp_buff);
if(!e->qsent) {
return NULL;
}