Sync with unbound

src/gldns/compare.sh

@@ -3,7 +3,7 @@
 # Meant to be run from this directory
 rm -fr gldns
 mkdir gldns
-svn co http://unbound.net/svn/trunk/sldns/
+svn co https://nlnetlabs.nl/svn/unbound/trunk/sldns/
 mv gbuffer.h sbuffer.h
 mv gbuffer.c sbuffer.c
 for f in sldns/*.[ch]

src/gldns/gbuffer.h

@@ -130,7 +130,7 @@ struct gldns_buffer
 	/** If the buffer is fixed it cannot be resized */
 	unsigned _fixed : 1;
 
-	/** If the buffer is vfixed, no more than capacity bytes willl be
+	/** If the buffer is vfixed, no more than capacity bytes will be
 	 * written to _data, however the _position counter will be updated
 	 * with the amount that would have been written in consecutive
 	 * writes.  This allows for a modus operandi in which a sequence is
@@ -160,7 +160,7 @@ gldns_buffer_invariant(gldns_buffer *buffer)
 	assert(buffer != NULL);
 	assert(buffer->_position <= buffer->_limit || buffer->_vfixed);
 	assert(buffer->_limit <= buffer->_capacity);
-	assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0));
+	assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0 && buffer->_limit == 0));
 }
 #endif
 

src/gldns/import.sh

@@ -16,8 +16,8 @@ then
 	mv sbuffer.h gbuffer.h
 	mv sbuffer.c gbuffer.c
 else
-	svn co http://unbound.net/svn/trunk/sldns/
+	svn co https://nlnetlabs.nl/svn/unbound/trunk/sldns/
-	for f in sldns/*.[ch]
+	for f in ldns/*.[ch]
 	do
 		sed -e 's/sldns_/gldns_/g' \
 		    -e 's/LDNS_/GLDNS_/g' \

src/gldns/parseutil.h

@@ -58,7 +58,7 @@ time_t gldns_mktime_from_utc(const struct tm *tm);
  * The function interprets time as the number of seconds since epoch
  * with respect to now using serial arithmetics (rfc1982).
  * That number of seconds is then converted to broken-out time information.
- * This is especially useful when converting the inception and expiration
+ * This is especially usefull when converting the inception and expiration
  * fields of RRSIG records.
  *
  * \param[in] time number of seconds since epoch (midnight, January 1st, 1970)

src/gldns/rrdef.c

@@ -341,12 +341,9 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 	{GLDNS_RR_TYPE_NSEC3PARAM, "NSEC3PARAM", 4, 4, type_nsec3param_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 52 */
 	{GLDNS_RR_TYPE_TLSA, "TLSA", 4, 4, type_tlsa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-	/*53 */
+	/* 53 */
-#ifdef DRAFT_RRTYPES
 	{GLDNS_RR_TYPE_SMIMEA, "SMIMEA", 4, 4, type_tlsa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-#else
+	/* 54 */
-{GLDNS_RR_TYPE_NULL, "TYPE53", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-#endif
 {GLDNS_RR_TYPE_NULL, "TYPE54", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
         /* 55
 	 * Hip ends with 0 or more Rendezvous Servers represented as dname's.

src/gldns/rrdef.h

@@ -182,9 +182,7 @@ enum gldns_enum_rr_type
 	GLDNS_RR_TYPE_NSEC3PARAM = 51, /* RFC 5155 */
 	GLDNS_RR_TYPE_NSEC3PARAMS = 51,
 	GLDNS_RR_TYPE_TLSA = 52, /* RFC 6698 */
-	GLDNS_RR_TYPE_SMIMEA = 53, /* draft-ietf-dane-smime, TLSA-like but may
+	GLDNS_RR_TYPE_SMIMEA = 53, /* RFC 8162 */
-				     be extended */
-
 	GLDNS_RR_TYPE_HIP = 55, /* RFC 5205 */
 
 	/** draft-reid-dnsext-zs */

src/util/val_secalgo.c

@@ -77,6 +77,22 @@ int fake_dsa = 0;
 /** fake SHA1 support for unit tests */
 int fake_sha1 = 0;
 
+/**
+ * Output a libcrypto openssl error to the logfile.
+ * @param str: string to add to it.
+ * @param e: the error to output, error number from ERR_get_error().
+ */
+static void
+log_crypto_error(const char* str, unsigned long e)
+{
+	char buf[128];
+	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
+	ERR_error_string_n(e, buf, sizeof(buf));
+	/* buf now contains */
+	/* error:[error code]:[library name]:[function name]:[reason string] */
+	log_err("%s crypto %s", str, buf);
+}
+
 /* return size of digest if supported, or 0 otherwise */
 size_t
 nsec3_hash_algo_size_supported(int id)
@@ -96,7 +112,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 {
 	switch(algo) {
 	case NSEC3_HASH_SHA1:
+#ifdef OPENSSL_FIPS
+		if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
+			log_crypto_error("could not digest with EVP_sha1",
+				ERR_get_error());
+#else
 		(void)SHA1(buf, len, res);
+#endif
 		return 1;
 	default:
 		return 0;
@@ -106,7 +128,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 void
 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 {
+#ifdef OPENSSL_FIPS
+	if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
+		log_crypto_error("could not digest with EVP_sha256",
+			ERR_get_error());
+#else
 	(void)SHA256(buf, len, res);
+#endif
 }
 
 /**
@@ -165,12 +193,24 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
 	switch(algo) {
 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
 		case LDNS_SHA1:
+#ifdef OPENSSL_FIPS
+			if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
+				log_crypto_error("could not digest with EVP_sha1",
+					ERR_get_error());
+#else
 			(void)SHA1(buf, len, res);
+#endif
 			return 1;
 #endif
 #ifdef HAVE_EVP_SHA256
 		case LDNS_SHA256:
+#ifdef OPENSSL_FIPS
+			if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
+				log_crypto_error("could not digest with EVP_sha256",
+					ERR_get_error());
+#else
 			(void)SHA256(buf, len, res);
+#endif
 			return 1;
 #endif
 #ifdef USE_GOST
@@ -181,7 +221,13 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
 #endif
 #ifdef USE_ECDSA
 		case LDNS_SHA384:
+#ifdef OPENSSL_FIPS
+			if(!sldns_digest_evp(buf, len, res, EVP_sha384()))
+				log_crypto_error("could not digest with EVP_sha384",
+					ERR_get_error());
+#else
 			(void)SHA384(buf, len, res);
+#endif
 			return 1;
 #endif
 		default: 
@@ -248,22 +294,6 @@ dnskey_algo_id_is_supported(int id)
 	}
 }
 
-/**
- * Output a libcrypto openssl error to the logfile.
- * @param str: string to add to it.
- * @param e: the error to output, error number from ERR_get_error().
- */
-static void
-log_crypto_error(const char* str, unsigned long e)
-{
-	char buf[128];
-	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
-	ERR_error_string_n(e, buf, sizeof(buf));
-	/* buf now contains */
-	/* error:[error code]:[library name]:[function name]:[reason string] */
-	log_err("%s crypto %s", str, buf);
-}
-
 #ifdef USE_DSA
 /**
  * Setup DSA key digest in DER encoding ...