author | Riccardo Spagni <ric@spagni.net> | 2015-12-30 12:57:50 +0200 |
---|---|---|
committer | Riccardo Spagni <ric@spagni.net> | 2015-12-30 12:57:50 +0200 |
commit | 2d43ae806359c89818c0519d81a65ded768746d8 (patch) | |
tree | c5ca4144a8f721efb0b4d051ee604f2694e6df64 /external/unbound/smallapp | |
parent | no longer need to pass the size to rapidjson (diff) | |
update unbound, fix unbound openssl issue on OS X
Diffstat (limited to 'external/unbound/smallapp')
-rw-r--r-- | external/unbound/smallapp/unbound-anchor.c | 18 | ||||
-rw-r--r-- | external/unbound/smallapp/unbound-checkconf.c | 4 | ||||
-rw-r--r-- | external/unbound/smallapp/unbound-control-setup.sh.in | 38 | ||||
-rw-r--r-- | external/unbound/smallapp/unbound-control.c | 9 |
4 files changed, 45 insertions, 24 deletions
diff --git a/external/unbound/smallapp/unbound-anchor.c b/external/unbound/smallapp/unbound-anchor.c
index 92bfa8428..81bb896f7 100644
--- a/external/unbound/smallapp/unbound-anchor.c
+++ b/external/unbound/smallapp/unbound-anchor.c
@@ -95,7 +95,7 @@
 * signed yet; avoids attacks on system clock). The
 * last-successful-RFC5011-probe (if available) has to be more than 30 days
 * in the past (otherwise, RFC5011 should have worked). This keeps
- * unneccesary https traffic down. If the main certificate is expired, it
+ * unnecessary https traffic down. If the main certificate is expired, it
 * fails.
 *
 * The dates on the keys in the xml are checked (uses the libexpat xml
@@ -1520,7 +1520,11 @@ xml_entitydeclhandler(void *userData,
 const XML_Char *ATTR_UNUSED(publicId),
 const XML_Char *ATTR_UNUSED(notationName))
 {
+#if HAVE_DECL_XML_STOPPARSER
 (void)XML_StopParser((XML_Parser)userData, XML_FALSE);
+#else
+ (void)userData;
+#endif
 }
 
 /**
@@ -1828,6 +1832,12 @@ write_unsigned_root(const char* root_anchor_file)
 root_anchor_file);
 if(verb && errno != 0) printf("%s\n", strerror(errno));
 }
+ fflush(out);
+#ifdef HAVE_FSYNC
+ fsync(fileno(out));
+#else
+ FlushFileBuffers((HANDLE)_fileno(out));
+#endif
 fclose(out);
 }
 
@@ -1854,6 +1864,12 @@ write_root_anchor(const char* root_anchor_file, BIO* ds)
 root_anchor_file);
 if(verb && errno != 0) printf("%s\n", strerror(errno));
 }
+ fflush(out);
+#ifdef HAVE_FSYNC
+ fsync(fileno(out));
+#else
+ FlushFileBuffers((HANDLE)_fileno(out));
+#endif
 fclose(out);
 }
 
diff --git a/external/unbound/smallapp/unbound-checkconf.c b/external/unbound/smallapp/unbound-checkconf.c
index 0524edeaa..ec0771306 100644
--- a/external/unbound/smallapp/unbound-checkconf.c
+++ b/external/unbound/smallapp/unbound-checkconf.c
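Review bot: The `#else` branch of xml_entitydeclhandler leaves the handler empty, so on a build where HAVE_DECL_XML_STOPPARSER is 0 an entity declaration in the parsed XML no longer stops the parse. The handler appears to exist to reject documents that declare entities, so the fallback should fail closed rather than continue: report the declaration and abort through the error path the rest of this file uses. At minimum the branch needs a comment such as `/* no XML_StopParser in this expat: entity declarations are NOT rejected here */`, so the weaker behaviour is visible to whoever builds against an old expat. The function's parameter list starts outside the hunk.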
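Review bot: In write_unsigned_root (and identically in the write_root_anchor hunk at -1854) the `#else` branch hands FlushFileBuffers a C runtime file descriptor by casting it; `_fileno(out)` returns a small integer, not a Win32 handle, so the call would fail or act on an unrelated handle. Convert it first: `FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));`. The branch also assumes every platform without fsync is Windows, and the results of fflush, fsync and FlushFileBuffers are discarded, so a trust anchor that never reached disk goes unreported; checking them next to the existing fwrite check would close that gap. Both function bodies start outside their hunks.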
@@ -335,7 +335,9 @@ morechecks(struct config_file* cfg, const char* fname)
 if(cfg->edns_buffer_size > cfg->msg_buffer_size)
 fatal_exit("edns-buffer-size larger than msg-buffer-size, "
 "answers will not fit in processing buffer");
-
+#ifdef UB_ON_WINDOWS
+ w_config_adjust_directory(cfg);
+#endif
 if(cfg->chrootdir && cfg->chrootdir[0] &&
 cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
 fatal_exit("chootdir %s has trailing slash '/' please remove.",
diff --git a/external/unbound/smallapp/unbound-control-setup.sh.in b/external/unbound/smallapp/unbound-control-setup.sh.in
index 682ab260a..0d759f441 100644
--- a/external/unbound/smallapp/unbound-control-setup.sh.in
+++ b/external/unbound/smallapp/unbound-control-setup.sh.in
@@ -107,16 +107,15 @@ else
 fi
 
 # create self-signed cert for server
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$SERVERNAME
-EOF
+echo "[req]" > request.cfg
+echo "default_bits=$BITS" >> request.cfg
+echo "default_md=$HASH" >> request.cfg
+echo "prompt=no" >> request.cfg
+echo "distinguished_name=req_distinguished_name" >> request.cfg
+echo "" >> request.cfg
+echo "[req_distinguished_name]" >> request.cfg
+echo "commonName=$SERVERNAME" >> request.cfg
+
 test -f request.cfg || error "could not create request.cfg"
 
 echo "create $SVR_BASE.pem (self signed certificate)"
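Review bot: The `w_config_adjust_directory(cfg)` call added to morechecks has no comment, and it takes the place of the blank line that separated the buffer-size check from the chrootdir check. It presumably rewrites path settings in cfg before the path checks that follow, which is worth stating because the visible code around it only validates; a comment such as `/* Windows: adjust the configured directory before the path checks below */` would do, once confirmed against the helper. The same uncommented call is added to go() in unbound-control.c just ahead of `setup_ctx(cfg)`, where it could change which key and certificate files get loaded. morechecks continues outside the hunk.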
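Review bot: The request.cfg built by the eight `echo` lines is verified only with `test -f`, which succeeds as soon as the first `>` creates the file (or if a stale request.cfg is already present), so a failed append leaves openssl reading a truncated config. Group the writes and check them once: `{ echo "[req]" && ... && echo "commonName=$SERVERNAME"; } > request.cfg || error "could not create request.cfg"`. The client-certificate hunk at -125 repeats the same block with $CLIENTNAME; a small shell function taking the common name would remove the duplication and keep the two configs from drifting apart.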
@@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out
 openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
 
 # create client request and sign it, piped
-cat >request.cfg <<EOF
-[req]
-default_bits=$BITS
-default_md=$HASH
-prompt=no
-distinguished_name=req_distinguished_name
-
-[req_distinguished_name]
-commonName=$CLIENTNAME
-EOF
+echo "[req]" > request.cfg
+echo "default_bits=$BITS" >> request.cfg
+echo "default_md=$HASH" >> request.cfg
+echo "prompt=no" >> request.cfg
+echo "distinguished_name=req_distinguished_name" >> request.cfg
+echo "" >> request.cfg
+echo "[req_distinguished_name]" >> request.cfg
+echo "commonName=$CLIENTNAME" >> request.cfg
+
 test -f request.cfg || error "could not create request.cfg"
 
 echo "create $CTL_BASE.pem (signed client certificate)"
diff --git a/external/unbound/smallapp/unbound-control.c b/external/unbound/smallapp/unbound-control.c
index 571b4d0b0..fac73b099 100644
--- a/external/unbound/smallapp/unbound-control.c
+++ b/external/unbound/smallapp/unbound-control.c
@@ -156,10 +156,12 @@ setup_ctx(struct config_file* cfg)
 ctx = SSL_CTX_new(SSLv23_client_method());
 if(!ctx)
 ssl_err("could not allocate SSL_CTX pointer");
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2)
 ssl_err("could not set SSL_OP_NO_SSLv2");
 if(cfg->remote_control_use_cert) {
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3)
 ssl_err("could not set SSL_OP_NO_SSLv3");
 if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
 !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
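Review bot: The rewritten option tests in setup_ctx compare the returned mask with the flag itself but carry no comment saying why, and the reason is not obvious from the code: the old `!(opts & flag)` form reports failure whenever the flag macro is defined as 0, which is presumably the OS X failure named in the commit title. Add something like `/* compare with the flag value: it may be defined as 0, which made !(opts & flag) always true */` above the first test. Separately, SSL_OP_NO_SSLv3 is still set only inside `if(cfg->remote_control_use_cert)`, so the no-certificate path leaves SSLv3 enabled on the context; if that is deliberate it deserves a comment as well. setup_ctx starts and ends outside the hunk.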
@@ -361,6 +363,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
 fatal_exit("could not read config file");
 if(!cfg->remote_control_enable)
 log_warn("control-enable is 'no' in the config file.");
+#ifdef UB_ON_WINDOWS
+ w_config_adjust_directory(cfg);
+#endif
 ctx = setup_ctx(cfg);
 
 /* contact server */
|