Update stubby

And expose CFLAGS through GETDNS_BUILD_CFLAGS define and via getdns_context_get_api_information()

CMakeLists.txt

@@ -6,26 +6,26 @@ endif ()
 
 # The following must be set BEFORE doing project() or enable_language().
 if (NOT CMAKE_BUILD_TYPE)
-  message(STATUS "No build type defined; defaulting to 'Debug'")
-  set(CMAKE_BUILD_TYPE "Debug" CACHE STRING
+  message(STATUS "No build type defined; defaulting to 'RelWithDebInfo'")
+  set(CMAKE_BUILD_TYPE "RelWithDebInfo" CACHE STRING
     "The type of build. Possible values are: Debug, Release, RelWithDebInfo and MinSizeRel.")
 endif ()
 
 set(PACKAGE "getdns")
 set(PACKAGE_NAME "getdns")
-set(PACKAGE_VERSION "1.7.0")
+set(PACKAGE_VERSION "1.7.1")
 set(PACKAGE_BUGREPORT "team@getdnsapi.net")
 set(PACKAGE_URL "https://getdnsapi.net")
 
 # Dont forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
-set(RELEASE_CANDIDATE "")
+set(RELEASE_CANDIDATE "-rc.1")
 
 set(PACKAGE_STRING "${PACKAGE_NAME} ${PACKAGE_VERSION}${RELEASE_CANDIDATE}")
 set(PACKAGE_TARNAME "${PACKAGE}-${PACKAGE_VERSION}${RELEASE_CANDIDATE}")
 
 set(GETDNS_VERSION "${PACKAGE_VERSION}${RELEASE_CANDIDATE}")
-set(GETDNS_NUMERIC_VERSION 0x01070000)
+set(GETDNS_NUMERIC_VERSION 0x010700c1)
 set(API_VERSION "December 2015")
 set(API_NUMERIC_VERSION 0x07df0c00)
 
@@ -340,6 +340,7 @@ check_include_file(openssl/engine.h HAVE_OPENSSL_ENGINE_H)
 check_include_file(openssl/bn.h HAVE_OPENSSL_BN_H)
 check_include_file(openssl/dsa.h HAVE_OPENSSL_DSA_H)
 check_include_file(openssl/rsa.h HAVE_OPENSSL_RSA_H)
+check_include_file(openssl/param_build.h HAVE_OPENSSL_PARAM_BUILD_H)
 
 set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES} ${getdns_system_libs})
 check_function_exists(DSA_SIG_set0 HAVE_DSA_SIG_SET0)
@@ -1025,6 +1026,8 @@ if (BUILD_TESTING)
 endif ()
 
 # Substitutions in files.
+string(TOUPPER "${CMAKE_BUILD_TYPE}" GETDNS_BUILD_RELTYPE)
+string(REPLACE "\"" "\\\"" GETDNS_BUILD_CFLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${GETDNS_BUILD_RELTYPE}}")
 configure_file(cmake/include/cmakeconfig.h.in config.h)
 configure_file(src/getdns/getdns.h.in getdns/getdns.h)
 configure_file(src/getdns/getdns_extra.h.in getdns/getdns_extra.h)

ChangeLog

@@ -5,6 +5,9 @@
   * Fix for issue in UDP stream selection in case of timeouts.
     Thanks Shikha Sharma
   * Fix using asterisk in ipstr for any address. Thanks uzlonewolf.
+  * Issue stubby#295: rdata not correctly written for validation for certain 
+    RR type. Also, set default built type to RelWithDebInfo and expose CFLAGS
+    via GETDNS_BUILD_CFLAGS define and via getdns_context_get_api_information()
 
 * 2021-06-04: Version 1.7.0
   * Make TLS Handshake timeout max 4/5th of timeout for the query,

cmake/include/cmakeconfig.h.in

@@ -61,6 +61,7 @@
 #cmakedefine HAVE_OPENSSL_BN_H          1
 #cmakedefine HAVE_OPENSSL_DSA_H         1
 #cmakedefine HAVE_OPENSSL_RSA_H         1
+#cmakedefine HAVE_OPENSSL_PARAM_BUILD_H 1
 
 #cmakedefine HAVE_DSA_SIG_SET0		1
 #cmakedefine HAVE_DSA_SET0_PQG		1
@@ -96,6 +97,8 @@
 
 #cmakedefine HAVE_OPENSSL_INIT_CRYPTO	1
 
+#cmakedefine HAVE_OSSL_PARAM_BLD_NEW	1
+
 #cmakedefine HAVE_SSL_DANE_ENABLE			1
 #cmakedefine HAVE_DECL_SSL_CTX_SET1_CURVES_LIST		1
 #cmakedefine HAVE_DECL_SSL_SET1_CURVES_LIST		1

src/context.c

@@ -4096,6 +4096,9 @@ getdns_context_get_api_information(const getdns_context* context)
 	    && ! getdns_dict_util_set_string(
 	    result, "compilation_comment", GETDNS_COMPILATION_COMMENT)
 
+	    && ! getdns_dict_util_set_string(
+	    result, "build_cflags", GETDNS_BUILD_CFLAGS)
+
 	    && ! getdns_dict_util_set_string(
 	    result, "default_trust_anchor_location", TRUST_ANCHOR_FILE)
 

src/getdns/getdns_extra.h.in

@@ -128,6 +128,7 @@ extern "C" {
 #define GETDNS_NUMERIC_VERSION @GETDNS_NUMERIC_VERSION@
 #define GETDNS_API_VERSION "@API_VERSION@"
 #define GETDNS_API_NUMERIC_VERSION @API_NUMERIC_VERSION@
+#define GETDNS_BUILD_CFLAGS "@GETDNS_BUILD_CFLAGS@"
 /** @}
   */
 

src/gldns/parse.c

@@ -13,7 +13,7 @@
 #include "gldns/gbuffer.h"
 
 #include <limits.h>
-#include <stdlib.h>
+#include <strings.h>
 
 gldns_lookup_table gldns_directive_types[] = {
         { GLDNS_DIR_TTL, "$TTL" },
@@ -34,7 +34,7 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 {
 	int c, prev_c;
 	int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
-	int com, quoted;
+	int com, quoted, only_blank;
 	char *t;
 	size_t i;
 	const char *d;
@@ -53,6 +53,7 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 	com = 0;
 	quoted = 0;
 	prev_c = 0;
+	only_blank = 1;	/* Assume we got only <blank> until now */
 	t = token;
 	if (del[0] == '"') {
 		quoted = 1;
@@ -101,6 +102,22 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 			if (line_nr) {
 				*line_nr = *line_nr + 1;
 			}
+			if (only_blank && i > 0) {
+				/* Got only <blank> so far. Reset and try
+				 * again with the next line.
+				 */
+				i = 0;
+				t = token;
+			}
+			if (p == 0) {
+				/* If p != 0 then the next line is a continuation. So
+				 * we assume that the next line starts with a blank only
+				 * if it is actually a new line.
+				 */
+				only_blank = 1;	/* Assume next line starts with
+						 * <blank>.
+						 */
+			}
 			if (p == 0 && i > 0) {
 				goto tokenread;
 			} else {
@@ -131,12 +148,29 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 
 		/* check if we hit the delim */
 		for (d = del; *d; d++) {
+			if (c == *d)
+				break;
+		}
+
 		if (c == *d && i > 0 && prev_c != '\\' && p == 0) {
 			if (c == '\n' && line_nr) {
 				*line_nr = *line_nr + 1;
 			}
+			if (only_blank) {
+				/* Got only <blank> so far. Reset and
+				 * try again with the next line.
+				 */
+				i = 0;
+				t = token;
+				only_blank = 1;
+				prev_c = c;
+				continue;
+			}
 			goto tokenread;
 		}
+		if (c != ' ' && c != '\t') {
+			/* Found something that is not <blank> */
+			only_blank= 0;
 		}
 		if (c != '\0' && c != '\n') {
 			i++;
@@ -149,9 +183,14 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 		if (c != '\0' && c != '\n') {
 			*t++ = c;
 		}
-		if (c == '\n' && line_nr) {
+		if (c == '\n') {
+			if (line_nr) {
 				*line_nr = *line_nr + 1;
 			}
+			only_blank = 1;	/* Assume next line starts with
+					 * <blank>.
+					 */
+		}
 		if (c == '\\' && prev_c == '\\')
 			prev_c = 0;
 		else	prev_c = c;

src/gldns/parseutil.c

@@ -14,12 +14,8 @@
 
 #include "config.h"
 #include "gldns/parseutil.h"
-#ifdef HAVE_SYS_TIME_H
 #include <sys/time.h>
-#endif
-#ifdef HAVE_TIME_H
 #include <time.h>
-#endif
 #include <ctype.h>
 
 gldns_lookup_table *
@@ -213,11 +209,13 @@ gldns_hexdigit_to_int(char ch)
 }
 
 uint32_t
-gldns_str2period(const char *nptr, const char **endptr)
+gldns_str2period(const char *nptr, const char **endptr, int* overflow)
 {
 	int sign = 0;
 	uint32_t i = 0;
 	uint32_t seconds = 0;
+	const uint32_t maxint = 0xffffffff;
+	*overflow = 0;
 
 	for(*endptr = nptr; **endptr; (*endptr)++) {
 		switch (**endptr) {
@@ -240,26 +238,46 @@ gldns_str2period(const char *nptr, const char **endptr)
 				break;
 			case 's':
 			case 'S':
+				if(seconds > maxint-i) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i;
 				i = 0;
 				break;
 			case 'm':
 			case 'M':
+				if(i > maxint/60 || seconds > maxint-(i*60)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60;
 				i = 0;
 				break;
 			case 'h':
 			case 'H':
+				if(i > maxint/(60*60) || seconds > maxint-(i*60*60)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60 * 60;
 				i = 0;
 				break;
 			case 'd':
 			case 'D':
+				if(i > maxint/(60*60*24) || seconds > maxint-(i*60*60*24)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60 * 60 * 24;
 				i = 0;
 				break;
 			case 'w':
 			case 'W':
+				if(i > maxint/(60*60*24*7) || seconds > maxint-(i*60*60*24*7)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60 * 60 * 24 * 7;
 				i = 0;
 				break;
@@ -273,15 +291,27 @@ gldns_str2period(const char *nptr, const char **endptr)
 			case '7':
 			case '8':
 			case '9':
+				if(i > maxint/10 || i*10 > maxint - (**endptr - '0')) {
+					*overflow = 1;
+					return 0;
+				}
 				i *= 10;
 				i += (**endptr - '0');
 				break;
 			default:
+				if(seconds > maxint-i) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i;
 				/* disregard signedness */
 				return seconds;
 		}
 	}
+	if(seconds > maxint-i) {
+		*overflow = 1;
+		return 0;
+	}
 	seconds += i;
 	/* disregard signedness */
 	return seconds;

src/gldns/parseutil.h

@@ -74,9 +74,11 @@ struct tm * gldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct t
  * converts a ttl value (like 5d2h) to a long.
  * \param[in] nptr the start of the string
  * \param[out] endptr points to the last char in case of error
+ * \param[out] overflow returns if the string causes integer overflow error,
+ * 	       the number is too big, string of digits too long.
  * \return the convert duration value
  */
-uint32_t gldns_str2period(const char *nptr, const char **endptr);
+uint32_t gldns_str2period(const char *nptr, const char **endptr, int* overflow);
 
 /**
  * Returns the int value of the given (hex) digit

src/gldns/pkthdr.h

@@ -97,18 +97,22 @@ extern "C" {
 #define	QDCOUNT(wirebuf)		(ntohs(*(uint16_t *)(wirebuf+QDCOUNT_OFF)))
 */
 #define	GLDNS_QDCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_QDCOUNT_OFF))
+#define GLDNS_QDCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_QDCOUNT_OFF, i))
 
 /* Counter of the answer section */
 #define GLDNS_ANCOUNT_OFF		6
 #define	GLDNS_ANCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_ANCOUNT_OFF))
+#define GLDNS_ANCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_ANCOUNT_OFF, i))
 
 /* Counter of the authority section */
 #define GLDNS_NSCOUNT_OFF		8
 #define	GLDNS_NSCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_NSCOUNT_OFF))
+#define GLDNS_NSCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_NSCOUNT_OFF, i))
 
 /* Counter of the additional section */
 #define GLDNS_ARCOUNT_OFF		10
 #define	GLDNS_ARCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_ARCOUNT_OFF))
+#define GLDNS_ARCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_ARCOUNT_OFF, i))
 
 /**
  * The sections of a packet

src/gldns/rrdef.c

@@ -392,9 +392,9 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 	/* 63 */
 	{GLDNS_RR_TYPE_ZONEMD, "ZONEMD", 4, 4, type_zonemd_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 64 */
-	{GLDNS_RR_TYPE_SVCB, "SVCB", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 0 },
+	{GLDNS_RR_TYPE_SVCB, "SVCB", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 1 },
 	/* 65 */
-	{GLDNS_RR_TYPE_HTTPS, "HTTPS", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 0 },
+	{GLDNS_RR_TYPE_HTTPS, "HTTPS", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 1 },
 {(enum gldns_enum_rr_type)0, "TYPE66", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 {(enum gldns_enum_rr_type)0, "TYPE67", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 {(enum gldns_enum_rr_type)0, "TYPE68", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },

src/gldns/rrdef.h

@@ -440,10 +440,42 @@ enum gldns_enum_edns_option
 	GLDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
 	GLDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
 	GLDNS_EDNS_PADDING = 12, /* RFC7830 */
+	GLDNS_EDNS_EDE = 15, /* RFC8914 */
 	GLDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */
 };
 typedef enum gldns_enum_edns_option gldns_edns_option;
 
+enum gldns_enum_ede_code
+{
+	GLDNS_EDE_NONE = -1, /* EDE undefined for internal use */
+	GLDNS_EDE_OTHER = 0,
+	GLDNS_EDE_UNSUPPORTED_DNSKEY_ALG = 1,
+	GLDNS_EDE_UNSUPPORTED_DS_DIGEST = 2,
+	GLDNS_EDE_STALE_ANSWER = 3,
+	GLDNS_EDE_FORGED_ANSWER = 4,
+	GLDNS_EDE_DNSSEC_INDETERMINATE = 5,
+	GLDNS_EDE_DNSSEC_BOGUS = 6,
+	GLDNS_EDE_SIGNATURE_EXPIRED = 7,
+	GLDNS_EDE_SIGNATURE_NOT_YET_VALID = 8,
+	GLDNS_EDE_DNSKEY_MISSING = 9,
+	GLDNS_EDE_RRSIGS_MISSING = 10,
+	GLDNS_EDE_NO_ZONE_KEY_BIT_SET = 11,
+	GLDNS_EDE_NSEC_MISSING = 12,
+	GLDNS_EDE_CACHED_ERROR = 13,
+	GLDNS_EDE_NOT_READY = 14,
+	GLDNS_EDE_BLOCKED = 15,
+	GLDNS_EDE_CENSORED = 16,
+	GLDNS_EDE_FILTERED = 17,
+	GLDNS_EDE_PROHIBITED = 18,
+	GLDNS_EDE_STALE_NXDOMAIN_ANSWER = 19,
+	GLDNS_EDE_NOT_AUTHORITATIVE = 20,
+	GLDNS_EDE_NOT_SUPPORTED = 21,
+	GLDNS_EDE_NO_REACHABLE_AUTHORITY = 22,
+	GLDNS_EDE_NETWORK_ERROR = 23,
+	GLDNS_EDE_INVALID_DATA = 24,
+};
+typedef enum gldns_enum_ede_code gldns_ede_code;
+
 #define GLDNS_EDNS_MASK_DO_BIT 0x8000
 
 /** TSIG and TKEY extended rcodes (16bit), 0-15 are the normal rcodes. */

src/gldns/str2wire.c

@@ -250,11 +250,16 @@ rrinternal_get_ttl(gldns_buffer* strbuf, char* token, size_t token_len,
 	int* not_there, uint32_t* ttl, uint32_t default_ttl)
 {
 	const char* endptr;
+	int overflow;
 	if(gldns_bget_token(strbuf, token, "\t\n ", token_len) == -1) {
 		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_TTL,
 			gldns_buffer_position(strbuf));
 	}
-	*ttl = (uint32_t) gldns_str2period(token, &endptr);
+	*ttl = (uint32_t) gldns_str2period(token, &endptr, &overflow);
+	if(overflow) {
+		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW,
+			gldns_buffer_position(strbuf));
+	}
 
 	if (strlen(token) > 0 && !isdigit((unsigned char)token[0])) {
 		*not_there = 1;
@@ -374,7 +379,8 @@ rrinternal_get_quoted(gldns_buffer* strbuf, const char** delimiters,
 
 		/* skip spaces */
 		while(gldns_buffer_remaining(strbuf) > 0 &&
-			*(gldns_buffer_current(strbuf)) == ' ') {
+			(*(gldns_buffer_current(strbuf)) == ' ' ||
+			*(gldns_buffer_current(strbuf)) == '\t')) {
 			gldns_buffer_skip(strbuf, 1);
 		}
 
@@ -607,7 +613,7 @@ gldns_affix_token(gldns_buffer* strbuf, char* token, size_t* token_len,
 	/* add space */
 	/* when addlen < 2, the token buffer is full considering the NULL byte
 	 * from strlen and will lead to buffer overflow with the second
-	 * assignement below. */
+	 * assignment below. */
 	if(addlen < 2) return 0;
 	token[*token_strlen] = ' ';
 	token[++(*token_strlen)] = 0;
@@ -671,10 +677,10 @@ static int gldns_str2wire_check_svcbparams(uint8_t* rdata, uint16_t rdata_len)
 	     ,gldns_str2wire_svcparam_key_cmp);
 
 
-	/* The code below revolves around sematic errors in the SVCParam set.
+	/* The code below revolves around semantic errors in the SVCParam set.
 	 * So long as we do not distinguish between running Unbound as a primary
 	 * or as a secondary, we default to secondary behavior and we ignore the
-	 * sematic errors. */
+	 * semantic errors. */
 
 #ifdef SVCB_SEMANTIC_ERRORS
 	{
@@ -776,7 +782,8 @@ rrinternal_parse_rdata(gldns_buffer* strbuf, char* token, size_t token_len,
 
 		/* unknown RR data */
 		if(token_strlen>=2 && strncmp(token, "\\#", 2) == 0 &&
-			!quoted && (token_strlen == 2 || token[2]==' ')) {
+			!quoted && (token_strlen == 2 || token[2]==' ' ||
+			token[2]=='\t')) {
 			was_unknown_rr_format = 1;
 			if((status=rrinternal_parse_unknown(strbuf, token,
 				token_len, rr, rr_len, &rr_cur_len, 
@@ -894,7 +901,7 @@ gldns_str2wire_rr_buf_internal(const char* str, uint8_t* rr, size_t* len,
 {
 	int status;
 	int not_there = 0;
-	char token[GLDNS_MAX_RDFLEN+1] = "";
+	char token[GLDNS_MAX_RDFLEN+1];
 	uint32_t ttl = 0;
 	uint16_t tp = 0, cl = 0;
 	size_t ddlen = 0;
@@ -1056,12 +1063,15 @@ int gldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 		return s;
 	} else if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line[4])) {
 		const char* end = NULL;
+		int overflow = 0;
 		strlcpy((char*)rr, line, *len);
 		*len = 0;
 		*dname_len = 0;
 		if(!parse_state) return GLDNS_WIREPARSE_ERR_OK;
 		parse_state->default_ttl = gldns_str2period(
-			gldns_strip_ws(line+5), &end);
+			gldns_strip_ws(line+5), &end, &overflow);
+		if(overflow)
+			return GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW;
 	} else if (strncmp(line, "$INCLUDE", 8) == 0) {
 		strlcpy((char*)rr, line, *len);
 		*len = 0;
@@ -1118,7 +1128,7 @@ gldns_str2wire_svcparam_key_lookup(const char *key, size_t key_len)
 		if (!strncmp(key, "mandatory", sizeof("mandatory")-1))
 			return SVCB_KEY_MANDATORY;
 		if (!strncmp(key, "echconfig", sizeof("echconfig")-1))
-			return SVCB_KEY_ECH; /* allow "echconfig as well as "ech" */
+			return SVCB_KEY_ECH; /* allow "echconfig" as well as "ech" */
 		break;
 
 	case sizeof("alpn")-1:
@@ -1357,7 +1367,7 @@ gldns_str2wire_svcbparam_mandatory(const char* val, uint8_t* rd, size_t* rd_len)
 	 */
 	qsort((void *)(rd + 4), count, sizeof(uint16_t), gldns_network_uint16_cmp);
 
-	/* The code below revolves around sematic errors in the SVCParam set.
+	/* The code below revolves around semantic errors in the SVCParam set.
 	 * So long as we do not distinguish between running Unbound as a primary
 	 * or as a secondary, we default to secondary behavior and we ignore the
 	 * semantic errors. */
@@ -1589,12 +1599,12 @@ static int gldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_
 		if (*val_in == '"') {
 			val_in++;
 			while (*val_in != '"'
-			&& (unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
+			&& (size_t)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
 			&& gldns_parse_char( (uint8_t*) val_out, &val_in)) {
 				val_out++;
 			}
 		} else {
-			while ((unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
+			while ((size_t)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
 			&& gldns_parse_char( (uint8_t*) val_out, &val_in)) {
 				val_out++;
 			}
@@ -2160,9 +2170,13 @@ int gldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len)
 int gldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len)
 {
 	const char* end;
-	uint32_t p = gldns_str2period(str, &end);
+	int overflow;
+	uint32_t p = gldns_str2period(str, &end, &overflow);
 	if(*end != 0)
 		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_PERIOD, end-str);
+	if(overflow)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW,
+			end-str);
 	if(*len < 4)
 		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
 	gldns_write_uint32(rd, p);

src/gldns/wire2str.c

@@ -196,6 +196,7 @@ static gldns_lookup_table gldns_edns_options_data[] = {
 	{ 8, "edns-client-subnet" },
 	{ 11, "edns-tcp-keepalive"},
 	{ 12, "Padding" },
+	{ 15, "EDE"},
 	{ 0, NULL}
 };
 gldns_lookup_table* gldns_edns_options = gldns_edns_options_data;
@@ -1072,7 +1073,7 @@ static int gldns_wire2str_svcparam_mandatory2str(char** s,
 	assert(data_len > 0);
 
 	if (data_len % sizeof(uint16_t))
-		return -1; // wireformat error, data_len must be multiple of shorts
+		return -1; /* wireformat error, data_len must be multiple of shorts */
 	w += gldns_str_print(s, slen, "=");
 	w += gldns_print_svcparamkey(s, slen, gldns_read_uint16(data));
 	data += 2;

src/gnutls/tls-internal.h

@@ -94,10 +94,4 @@ typedef struct _getdns_tls_x509
 	gnutls_datum_t tls;
 } _getdns_tls_x509;
 
-typedef struct _getdns_tls_hmac
-{
-	gnutls_hmac_hd_t tls;
-	unsigned int md_len;
-} _getdns_tls_hmac;
-
 #endif /* _GETDNS_TLS_INTERNAL_H */

src/gnutls/tls.c

@@ -869,55 +869,6 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
 	return res;
 }
 
-_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
-{
-	gnutls_mac_algorithm_t alg;
-	_getdns_tls_hmac* res;
-
-	if (get_gnu_mac_algorithm(algorithm, &alg) != GETDNS_RETURN_GOOD)
-		return NULL;
-
-	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
-		return NULL;
-
-	if (gnutls_hmac_init(&res->tls, alg, key, key_size) < 0) {
-		GETDNS_FREE(*mfs, res);
-		return NULL;
-	}
-	res->md_len = gnutls_hmac_get_len(alg);
-	return res;
-}
-
-getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
-{
-	if (!h || !h->tls || !data)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-
-	if (gnutls_hmac(h->tls, data, data_size) < 0)
-		return GETDNS_RETURN_GENERIC_ERROR;
-	else
-		return GETDNS_RETURN_GOOD;
-}
-
-unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
-{
-	unsigned char* res;
-
-	if (!h || !h->tls)
-		return NULL;
-
-	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, h->md_len);
-	if (!res)
-		return NULL;
-
-	gnutls_hmac_deinit(h->tls, res);
-	if (output_size)
-		*output_size = h->md_len;
-
-	GETDNS_FREE(*mfs, h);
-	return res;
-}
-
 void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
 {
 	gnutls_hash_fast(GNUTLS_DIG_SHA1, data, data_size, buf);

src/openssl/keyraw-internal.c

@@ -51,7 +51,7 @@
 #ifdef USE_GOST
 
 /** store GOST engine reference loaded into OpenSSL library */
-#ifdef OPENSSL_NO_ENGINE
+#if defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER > 0x30000000
 int
 gldns_key_EVP_load_gost_id(void)
 {

src/openssl/tls-internal.h

@@ -81,12 +81,4 @@ typedef struct _getdns_tls_x509
 	X509* ssl;
 } _getdns_tls_x509;
 
-typedef struct _getdns_tls_hmac
-{
-	HMAC_CTX *ctx;
-#ifndef HAVE_HMAC_CTX_NEW
-	HMAC_CTX ctx_space;
-#endif
-} _getdns_tls_hmac;
-
 #endif /* _GETDNS_TLS_INTERNAL_H */

src/openssl/tls.c

@@ -1197,70 +1197,6 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
 	return res;
 }
 
-_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
-{
-	const EVP_MD *digester = get_digester(algorithm);
-	_getdns_tls_hmac* res;
-
-	if (!digester)
-		return NULL;
-
-	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
-		return NULL;
-
-#ifdef HAVE_HMAC_CTX_NEW
-	res->ctx = HMAC_CTX_new();
-	if (!res->ctx) {
-		GETDNS_FREE(*mfs, res);
-		return NULL;
-	}
-#else
-	res->ctx = &res->ctx_space;
-	HMAC_CTX_init(res->ctx);
-#endif
-	if (!HMAC_Init_ex(res->ctx, key, key_size, digester, NULL)) {
-#ifdef HAVE_HMAC_CTX_NEW
-		HMAC_CTX_free(res->ctx);
-#endif
-		GETDNS_FREE(*mfs, res);
-		return NULL;
-	}
-
-	return res;
-}
-
-getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
-{
-	if (!h || !h->ctx || !data)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-
-	if (!HMAC_Update(h->ctx, data, data_size))
-		return GETDNS_RETURN_GENERIC_ERROR;
-	else
-		return GETDNS_RETURN_GOOD;
-}
-
-unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
-{
-	unsigned char* res;
-	unsigned int md_len;
-
-	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH);
-	if (!res)
-		return NULL;
-
-	(void) HMAC_Final(h->ctx, res, &md_len);
-
-#ifdef HAVE_HMAC_CTX_NEW
-	HMAC_CTX_free(h->ctx);
-#endif
-	GETDNS_FREE(*mfs, h);
-
-	if (output_size)
-		*output_size = md_len;
-	return res;
-}
-
 void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
 {
 	SHA1(data, data_size, buf);

src/request-internal.c

@@ -500,7 +500,9 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	unsigned char  *result_mac;
 	size_t result_mac_len;
 	uint16_t original_id;
-	_getdns_tls_hmac *hmac;
+	size_t data_size;
+	uint8_t *data;
+
 
 	DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNC__);
 	for ( rr = _getdns_rr_iter_init(&rr_spc, req->query,
@@ -607,19 +609,33 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	    gldns_read_uint16(req->response + 10) - 1);
 	gldns_write_uint16(req->response, original_id);
 
-	hmac = _getdns_tls_hmac_new(&req->owner->my_mf, req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size);
-	if (!hmac)
+	data_size = request_mac_len + 2
+	          + (size_t)(rr->pos - req->response) 
+	          + gldns_buffer_position(&gbuf);
+	data = GETDNS_XMALLOC(req->owner->my_mf, uint8_t, data_size);
+	if (!data) {
+		DEBUG_STUB("%s %-35s: Error allocating %d bytes\n",
+			   STUB_DEBUG_TSIG, __FUNC__, (int)(data_size));
 		return;
+	}
+	memcpy(data , request_mac - 2 , request_mac_len + 2);
+	memcpy(data + request_mac_len + 2, req->response, rr->pos - req->response);
+	memcpy(data + request_mac_len + 2 + (size_t)(rr->pos - req->response)
+	                                 , tsig_vars, gldns_buffer_position(&gbuf));
 
-	_getdns_tls_hmac_add(hmac, request_mac - 2, request_mac_len + 2);
-	_getdns_tls_hmac_add(hmac, req->response, rr->pos - req->response);
-	_getdns_tls_hmac_add(hmac, tsig_vars, gldns_buffer_position(&gbuf));
-	result_mac = _getdns_tls_hmac_end(&req->owner->my_mf, hmac, &result_mac_len);
-	if (!result_mac)
+	result_mac = _getdns_tls_hmac_hash(&req->owner->my_mf
+	                                  , req->upstream->tsig_alg
+					  , req->upstream->tsig_key
+					  , req->upstream->tsig_size
+					  , data, data_size , &result_mac_len);
+	GETDNS_FREE(req->owner->my_mf, data);
+	if (!result_mac) {
+		DEBUG_STUB("%s %-35s: Error calculating TSIG digest\n",
+			   STUB_DEBUG_TSIG, __FUNC__);
 		return;
-
-	DEBUG_STUB("%s %-35s: Result MAC length: %d\n",
-	           STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len));
+	}
+	DEBUG_STUB("%s %-35s: Result MAC length: %d for %d bytes of data\n",
+	           STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len), (int)data_size);
 	if (result_mac_len == response_mac_len &&
 	    memcmp(result_mac, response_mac, result_mac_len) == 0)
 		req->tsig_status = GETDNS_DNSSEC_SECURE;

src/tls.h

@@ -408,39 +408,6 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
  */
 unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);
 
-/**
- * Return a new HMAC handle.
- *
- * @param mfs		pointer to getdns memory functions.
- * @param algorithm	hash algorithm to use (<code>GETDNS_HMAC_?</code>).
- * @param key		the key.
- * @param key_size	the key size.
- * @return HMAC handle or NULL on error.
- */
-_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size);
-
-/**
- * Add data to a HMAC.
- *
- * @param h		the HMAC.
- * @param data		the data to add.
- * @param data_size	the size of data to add.
- * @return GETDNS_RETURN_GOOD if added.
- * @return GETDNS_RETURN_INVALID_PARAMETER if h is null or has no HMAC.
- * @return GETDNS_RETURN_GENERIC_ERROR on error.
- */
-getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size);
-
-/**
- * Return the HMAC digest and free the handle.
- *
- * @param mfs		pointer to getdns memory functions.
- * @param h		the HMAC.
- * @param output_size	the output size will be written here if not NULL.
- * @return output	malloc'd buffer with output, NULL on error.
- */
-unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size);
-
 /**
  * Calculate a SHA1 hash.
  *

stubby

@@ -1 +1 @@
-Subproject commit 40b6bf95391f639cc86e5d328e89011ef4c16437
+Subproject commit a1a6f6c6b512c88cc3ec5965eaee255b08bdc7cd