update unbound, fix unbound openssl issue on OS X

2025-08-03 17:24:17 -04:00 · 2015-12-30 12:57:50 +02:00 · 2015-12-30 12:57:50 +02:00 · 2d43ae8063
commit 2d43ae8063
parent 32a26332f8
101 changed files with 4685 additions and 3057 deletions
--- a/external/unbound/smallapp/unbound-anchor.c
+++ b/external/unbound/smallapp/unbound-anchor.c
@ -95,7 +95,7 @@
 * signed yet; avoids attacks on system clock).  The
 * last-successful-RFC5011-probe (if available) has to be more than 30 days
 * in the past (otherwise, RFC5011 should have worked).  This keeps
- * unneccesary https traffic down.  If the main certificate is expired, it
+ * unnecessary https traffic down.  If the main certificate is expired, it
 * fails.
 *
 * The dates on the keys in the xml are checked (uses the libexpat xml
@ -1520,7 +1520,11 @@ xml_entitydeclhandler(void *userData,
 	const XML_Char *ATTR_UNUSED(publicId),
 	const XML_Char *ATTR_UNUSED(notationName))
 {
+#if HAVE_DECL_XML_STOPPARSER
 	(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
+#else
+	(void)userData;
+#endif
 }

 /**
@ -1828,6 +1832,12 @@ write_unsigned_root(const char* root_anchor_file)
 			root_anchor_file);
 		if(verb && errno != 0) printf("%s\n", strerror(errno));
 	}
+	fflush(out);
+#ifdef HAVE_FSYNC
+	fsync(fileno(out));
+#else
+	FlushFileBuffers((HANDLE)_fileno(out));
+#endif
 	fclose(out);
 }

@ -1854,6 +1864,12 @@ write_root_anchor(const char* root_anchor_file, BIO* ds)
 			root_anchor_file);
 		if(verb && errno != 0) printf("%s\n", strerror(errno));
 	}
+	fflush(out);
+#ifdef HAVE_FSYNC
+	fsync(fileno(out));
+#else
+	FlushFileBuffers((HANDLE)_fileno(out));
+#endif
 	fclose(out);
 }

--- a/external/unbound/smallapp/unbound-checkconf.c
+++ b/external/unbound/smallapp/unbound-checkconf.c
@ -335,7 +335,9 @@ morechecks(struct config_file* cfg, const char* fname)
 	if(cfg->edns_buffer_size > cfg->msg_buffer_size)
 		fatal_exit("edns-buffer-size larger than msg-buffer-size, "
 			"answers will not fit in processing buffer");
-
+#ifdef UB_ON_WINDOWS
+	w_config_adjust_directory(cfg);
+#endif
 	if(cfg->chrootdir && cfg->chrootdir[0] && 
 		cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
 		fatal_exit("chootdir %s has trailing slash '/' please remove.",
--- a/external/unbound/smallapp/unbound-control-setup.sh.in
+++ b/external/unbound/smallapp/unbound-control-setup.sh.in
@ -107,16 +107,15 @@ else
 fi

 # create self-signed cert for server
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
+echo "[req]" > request.cfg
+echo "default_bits=$BITS" >> request.cfg
+echo "default_md=$HASH" >> request.cfg
+echo "prompt=no" >> request.cfg
+echo "distinguished_name=req_distinguished_name" >> request.cfg
+echo "" >> request.cfg
+echo "[req_distinguished_name]" >> request.cfg
+echo "commonName=$SERVERNAME" >> request.cfg

-[req_distinguished_name]
-commonName=$SERVERNAME
-EOF
 test -f request.cfg || error "could not create request.cfg"

 echo "create $SVR_BASE.pem (self signed certificate)"
@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out
 openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"

 # create client request and sign it, piped
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
+echo "[req]" > request.cfg
+echo "default_bits=$BITS" >> request.cfg
+echo "default_md=$HASH" >> request.cfg
+echo "prompt=no" >> request.cfg
+echo "distinguished_name=req_distinguished_name" >> request.cfg
+echo "" >> request.cfg
+echo "[req_distinguished_name]" >> request.cfg
+echo "commonName=$CLIENTNAME" >> request.cfg

-[req_distinguished_name]
-commonName=$CLIENTNAME
-EOF
 test -f request.cfg || error "could not create request.cfg"

 echo "create $CTL_BASE.pem (signed client certificate)"
--- a/external/unbound/smallapp/unbound-control.c
+++ b/external/unbound/smallapp/unbound-control.c
@ -156,10 +156,12 @@ setup_ctx(struct config_file* cfg)
        ctx = SSL_CTX_new(SSLv23_client_method());
 	if(!ctx)
 		ssl_err("could not allocate SSL_CTX pointer");
-        if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
+        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+		!= SSL_OP_NO_SSLv2)
 		ssl_err("could not set SSL_OP_NO_SSLv2");
        if(cfg->remote_control_use_cert) {
-		if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
+		if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+			!= SSL_OP_NO_SSLv3)
 			ssl_err("could not set SSL_OP_NO_SSLv3");
 		if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
 		    !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
@ -361,6 +363,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
 		fatal_exit("could not read config file");
 	if(!cfg->remote_control_enable)
 		log_warn("control-enable is 'no' in the config file.");
+#ifdef UB_ON_WINDOWS
+	w_config_adjust_directory(cfg);
+#endif
 	ctx = setup_ctx(cfg);

 	/* contact server */