authorCy Schubert <cy@FreeBSD.org>2021-02-09 20:59:02 +0000
committerCy Schubert <cy@FreeBSD.org>2021-02-09 20:59:02 +0000
commitd60fa10fd872db7e3d8cb1e161cfdae026c43b14 (patch)
treee19b79c68276ce72fabece9595abbdd5e6378eb0 /smallapp
parent072fbfa38b24d202f4eac875ad2f93531dad7f7e (diff)
Vendor import of Unbound 1.13.1.vendor/unbound/1.13.1
Diffstat (limited to 'smallapp')
-rw-r--r--smallapp/unbound-anchor.c67
-rw-r--r--smallapp/unbound-control.c105
-rw-r--r--smallapp/worker_cb.c3
3 files changed, 130 insertions, 45 deletions
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index a30523c76215..3e6fc6e6fca8 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -155,6 +155,36 @@
char* wsa_strerror(int err);
#endif
+static const char ICANN_UPDATE_CA[] =
+ /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
+ "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
+ "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
+ "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
+ "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
+ "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
+ "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
+ "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
+ "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
+ "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
+ "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
+ "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
+ "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
+ "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
+ "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
+ "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
+ "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
+ "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
+ "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
+ "-----END CERTIFICATE-----\n";
+
+static const char DS_TRUST_ANCHOR[] =
+ /* The anchors must start on a new line with ". IN DS and end with \n"[;]
+ * because the makedist script greps on the source here */
+ /* anchor 20326 is from 2017 */
+". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
+
/** verbosity for this application */
static int verb = 0;
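Review bot: The comment kept on `ICANN_UPDATE_CA` says only "Valid to 2028", which does not seem to match the embedded certificate: decoding the validity field in the base64 (the `DTA5MTIyMzA0MTkxMloX` / `DTI5MTIxODA0MTkxMlow` runs) gives what looks like notBefore 2009-12-23 and notAfter 2029-12-18. Because this is built-in trust material returned by `get_builtin_cert()`, the exact expiry is what a maintainer needs when planning a replacement, so I would state it precisely, e.g. `/* ICANN Root CA, fetched 24 Sep 2010; notAfter 2029-12-18 (confirm with openssl x509 -noout -dates) */`. Now that both strings are file-scope constants, each could also carry a `/** ... */` doc comment in the file's existing style, such as `/** built-in CA certificate, returned by get_builtin_cert() */` and `/** built-in root DS trust anchor, returned by get_builtin_ds() */`.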
@@ -213,48 +243,21 @@ usage(void)
static const char*
get_builtin_cert(void)
{
- return
-/* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
-"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
-"BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
-"DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
-"IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
-"MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
-"cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
-"G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
-"ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
-"paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
-"MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
-"iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
-"Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
-"DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
-"6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
-"2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
-"15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
-"0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
-"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
-"-----END CERTIFICATE-----\n"
- ;
+ return ICANN_UPDATE_CA;
}
/** return the built in root DS trust anchor */
static const char*
get_builtin_ds(void)
{
- return
-/* The anchors must start on a new line with ". IN DS and end with \n"[;]
- * because the makedist script greps on the source here */
-/* anchor 20326 is from 2017 */
-". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
+ return DS_TRUST_ANCHOR;
}
/** print hex data */
static void
-print_data(const char* msg, const char* data, int len)
+print_data(const char* msg, const char* data, size_t len)
{
- int i;
+ size_t i;
printf("%s: ", msg);
for(i=0; i<len; i++) {
printf(" %2.2x", (unsigned char)data[i]);
@@ -1110,7 +1113,7 @@ read_http_result(SSL* ssl)
data = read_data_chunk(ssl, len);
}
if(!data) return NULL;
- if(verb >= 4) print_data("read data", data, (int)len);
+ if(verb >= 4) print_data("read data", data, len);
m = BIO_new(BIO_s_mem());
if(!m) {
if(verb) printf("out of memory\n");
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 842dbe0d85b9..d58f1b2f9493 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -82,6 +82,9 @@ static void usage(void) ATTR_NORETURN;
static void ssl_err(const char* s) ATTR_NORETURN;
static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN;
+/** timeout to wait for connection over stream, in msec */
+#define UNBOUND_CONTROL_CONNECT_TIMEOUT 5000
+
/** Give unbound-control usage, and exit (1). */
static void
usage(void)
@@ -164,6 +167,9 @@ usage(void)
printf(" view_local_data_remove view name remove local-data in view\n");
printf(" view_local_datas_remove view remove list of local-data from view\n");
printf(" one entry per line read from stdin\n");
+ printf(" rpz_enable zone Enable the RPZ zone if it had previously\n");
+ printf(" been disabled\n");
+ printf(" rpz_disable zone Disable the RPZ zone\n");
printf("Version %s\n", PACKAGE_VERSION);
printf("BSD licensed, see LICENSE in source package for details.\n");
printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
@@ -545,6 +551,30 @@ setup_ctx(struct config_file* cfg)
return ctx;
}
+/** check connect error */
+static void
+checkconnecterr(int err, const char* svr, struct sockaddr_storage* addr,
+ socklen_t addrlen, int statuscmd, int useport)
+{
+#ifndef USE_WINSOCK
+ if(!useport) log_err("connect: %s for %s", strerror(err), svr);
+ else log_err_addr("connect", strerror(err), addr, addrlen);
+ if(err == ECONNREFUSED && statuscmd) {
+ printf("unbound is stopped\n");
+ exit(3);
+ }
+#else
+ int wsaerr = err;
+ if(!useport) log_err("connect: %s for %s", wsa_strerror(wsaerr), svr);
+ else log_err_addr("connect", wsa_strerror(wsaerr), addr, addrlen);
+ if(wsaerr == WSAECONNREFUSED && statuscmd) {
+ printf("unbound is stopped\n");
+ exit(3);
+ }
+#endif
+ exit(1);
+}
+
/** contact the server with TCP connect */
static int
contact_server(const char* svr, struct config_file* cfg, int statuscmd)
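Review bot: `checkconnecterr()` never returns, since every path ends in `exit(3)` or `exit(1)`, but neither its `/** check connect error */` comment nor its declaration says so, and the new connect loop in `contact_server()` depends on that to avoid falling through to `break` after an error. The file already marks `usage`, `ssl_err` and `ssl_path_err` with `ATTR_NORETURN`, so a matching prototype such as `static void checkconnecterr(int err, const char* svr, struct sockaddr_storage* addr, socklen_t addrlen, int statuscmd, int useport) ATTR_NORETURN;` would make the contract visible to readers and to the compiler. The comment could become `/** log the connect error and exit; exit code 3 if refused during a status command, else 1 */`. In the Winsock branch the copy `int wsaerr = err;` adds nothing and `err` could be used directly.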
@@ -598,26 +628,75 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
if(fd == -1) {
fatal_exit("socket: %s", sock_strerror(errno));
}
+ fd_set_nonblock(fd);
if(connect(fd, (struct sockaddr*)&addr, addrlen) < 0) {
#ifndef USE_WINSOCK
- int err = errno;
- if(!useport) log_err("connect: %s for %s", strerror(err), svr);
- else log_err_addr("connect", strerror(err), &addr, addrlen);
- if(err == ECONNREFUSED && statuscmd) {
- printf("unbound is stopped\n");
- exit(3);
+#ifdef EINPROGRESS
+ if(errno != EINPROGRESS) {
+ checkconnecterr(errno, svr, &addr,
+ addrlen, statuscmd, useport);
}
+#endif
#else
- int wsaerr = WSAGetLastError();
- if(!useport) log_err("connect: %s for %s", wsa_strerror(wsaerr), svr);
- else log_err_addr("connect", wsa_strerror(wsaerr), &addr, addrlen);
- if(wsaerr == WSAECONNREFUSED && statuscmd) {
- printf("unbound is stopped\n");
- exit(3);
+ if(WSAGetLastError() != WSAEINPROGRESS &&
+ WSAGetLastError() != WSAEWOULDBLOCK) {
+ checkconnecterr(WSAGetLastError(), svr, &addr,
+ addrlen, statuscmd, useport);
}
#endif
- exit(1);
}
+ while(1) {
+ fd_set rset, wset, eset;
+ struct timeval tv;
+ FD_ZERO(&rset);
+ FD_SET(FD_SET_T fd, &rset);
+ FD_ZERO(&wset);
+ FD_SET(FD_SET_T fd, &wset);
+ FD_ZERO(&eset);
+ FD_SET(FD_SET_T fd, &eset);
+ tv.tv_sec = UNBOUND_CONTROL_CONNECT_TIMEOUT/1000;
+ tv.tv_usec= (UNBOUND_CONTROL_CONNECT_TIMEOUT%1000)*1000;
+ if(select(fd+1, &rset, &wset, &eset, &tv) == -1) {
+ fatal_exit("select: %s", sock_strerror(errno));
+ }
+ if(!FD_ISSET(fd, &rset) && !FD_ISSET(fd, &wset) &&
+ !FD_ISSET(fd, &eset)) {
+ fatal_exit("timeout: could not connect to server");
+ } else {
+ /* check nonblocking connect error */
+ int error = 0;
+ socklen_t len = (socklen_t)sizeof(error);
+ if(getsockopt(fd, SOL_SOCKET, SO_ERROR, (void*)&error,
+ &len) < 0) {
+#ifndef USE_WINSOCK
+ error = errno; /* on solaris errno is error */
+#else
+ error = WSAGetLastError();
+#endif
+ }
+ if(error != 0) {
+#ifndef USE_WINSOCK
+#ifdef EINPROGRESS
+ if(error == EINPROGRESS)
+ continue; /* try again later */
+#endif
+#ifdef EWOULDBLOCK
+ if(error == EWOULDBLOCK)
+ continue; /* try again later */
+#endif
+#else
+ if(error == WSAEINPROGRESS)
+ continue; /* try again later */
+ if(error == WSAEWOULDBLOCK)
+ continue; /* try again later */
+#endif
+ checkconnecterr(error, svr, &addr, addrlen,
+ statuscmd, useport);
+ }
+ }
+ break;
+ }
+ fd_set_block(fd);
return fd;
}
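Review bot: The 5 second limit is re-armed on every pass of the `while(1)` loop, so the `continue` branches for EINPROGRESS/EWOULDBLOCK can keep the client waiting longer than `UNBOUND_CONTROL_CONNECT_TIMEOUT` in total, and can spin if `select()` keeps reporting the socket ready while `SO_ERROR` still reads as in progress. A `select()` interrupted by a signal also goes straight to `fatal_exit`; on the non-Winsock path I would retry instead, `if(errno == EINTR) continue;`, before the `fatal_exit("select: ...")` call. To make the timeout a real upper bound, record a deadline before the loop and set `tv` from the remaining time on each pass, exiting with the existing timeout message once it reaches zero. `fd` is also passed to `FD_SET` without being compared to `FD_SETSIZE`; that is probably harmless for a short-lived CLI whose descriptors are small, but a guard after `socket()` would make the assumption explicit. The body of `contact_server()` starts outside this hunk, so how `addr` and `useport` are set was not reviewed.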
diff --git a/smallapp/worker_cb.c b/smallapp/worker_cb.c
index 78d921a3c6e9..cdf855dc3659 100644
--- a/smallapp/worker_cb.c
+++ b/smallapp/worker_cb.c
@@ -46,6 +46,9 @@
#include "util/fptr_wlist.h"
#include "util/log.h"
#include "services/mesh.h"
+#ifdef USE_DNSTAP
+#include "dnstap/dtstream.h"
+#endif
void worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),