sync with OpenBSD -current

lib/libcrypto/dsa/dsa_ameth.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.57 2024/01/04 17:01:26 tb Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.59 2024/04/13 14:02:51 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -71,6 +71,7 @@
 #include "bn_local.h"
 #include "dsa_local.h"
 #include "evp_local.h"
+#include "x509_local.h"
 
 static int
 dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
@@ -634,11 +635,11 @@ dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 			hnid = OBJ_obj2nid(alg1->algorithm);
 			if (hnid == NID_undef)
 				return -1;
-			if (!OBJ_find_sigid_by_algs(&snid, hnid,
+			if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
-			    EVP_PKEY_id(pkey)))
+				return -1;
+			if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
+			    NULL))
 				return -1;
-			X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF,
-			    0);
 		}
 		return 1;
 
@@ -656,7 +657,9 @@ dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 				return -1;
 			if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
 				return -1;
-			X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
+			if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
+			    NULL))
+				return -1;
 		}
 		return 1;
 

lib/libcrypto/ec/ec_ameth.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_ameth.c,v 1.51 2024/01/04 17:01:26 tb Exp $ */
+/* $OpenBSD: ec_ameth.c,v 1.52 2024/04/13 14:02:51 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -69,6 +69,7 @@
 #include "asn1_local.h"
 #include "ec_local.h"
 #include "evp_local.h"
+#include "x509_local.h"
 
 #ifndef OPENSSL_NO_CMS
 static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
@@ -637,7 +638,9 @@ ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 				return -1;
 			if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
 				return -1;
-			X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
+			if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
+			    NULL))
+			    return -1;
 		}
 		return 1;
 
@@ -655,7 +658,9 @@ ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 				return -1;
 			if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
 				return -1;
-			X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
+			if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
+			    NULL))
+			    return -1;
 		}
 		return 1;
 

sbin/iked/iked.conf.5

@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.conf.5,v 1.95 2022/07/22 20:31:39 jmc Exp $
+.\" $OpenBSD: iked.conf.5,v 1.96 2024/04/13 12:11:08 jmc Exp $
 .\"
 .\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel  All rights reserved.
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 22 2022 $
+.Dd $Mdocdate: April 13 2024 $
 .Dt IKED.CONF 5
 .Os
 .Sh NAME
@@ -663,6 +663,10 @@ Use ECDSA with a 521-bit elliptic curve key and SHA2-512 for authentication.
 Use a pre-shared key
 .Ar string
 or hex value (starting with 0x) for authentication.
+.It Ic psk file Ar path
+Use a pre-shared hex key (without leading 0x) read from
+.Ar path
+for authentication.
 .It Ic rfc7427
 Only use RFC 7427 signatures for authentication.
 RFC 7427 signatures currently only support SHA2-256 as the hash.

sbin/iked/parse.y

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.144 2023/08/11 11:24:55 tobhe Exp $	*/
+/*	$OpenBSD: parse.y,v 1.145 2024/04/13 15:58:10 jrick Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1950,8 +1950,8 @@ parsekeyfile(char *filename, struct iked_auth *auth)
 
 	if ((fd = open(filename, O_RDONLY)) == -1)
 		err(1, "open %s", filename);
-	if (fstat(fd, &sb) == -1)
+	if (check_file_secrecy(fd, filename) == -1)
-		err(1, "parsekeyfile: stat %s", filename);
+		exit(1);
 	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
 		errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
 		    "small");

sbin/unwind/libunbound/config.h

@@ -329,9 +329,6 @@
 /* Define to 1 if you have the `if_nametoindex' function. */
 #define HAVE_IF_NAMETOINDEX 1
 
-/* Define to 1 if you have the `if_nametoindex' function. */
-#define HAVE_IF_NAMETOINDEX 1
-
 /* Define to 1 if you have the `inet_aton' function. */
 #define HAVE_INET_ATON 1
 
@@ -776,7 +773,7 @@
 #define PACKAGE_NAME "unbound"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "unbound 1.18.0"
+#define PACKAGE_STRING "unbound 1.19.3"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "unbound"
@@ -785,7 +782,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.18.0"
+#define PACKAGE_VERSION "1.19.3"
 
 /* default pidfile location */
 #define PIDFILE ""
@@ -808,7 +805,7 @@
 #define ROOT_CERT_FILE "/var/unbound/etc/icannbundle.pem"
 
 /* version number for resource files */
-#define RSRC_PACKAGE_VERSION 1,18,0,0
+#define RSRC_PACKAGE_VERSION 1,19,3,0
 
 /* Directory to chdir to */
 #define RUN_DIR "/var/unbound/etc"
@@ -889,7 +886,7 @@
 /* #undef USE_ED448 */
 
 /* Define this to enable GOST support. */
-#define USE_GOST 1
+/* #undef USE_GOST */
 
 /* Define to 1 to use ipsecmod support. */
 /* #undef USE_IPSECMOD */

sbin/unwind/libunbound/dns64/dns64.c

@@ -573,28 +573,29 @@ static enum module_ext_state
 handle_event_pass(struct module_qstate* qstate, int id)
 {
 	struct dns64_qstate* iq = (struct dns64_qstate*)qstate->minfo[id];
-	if (iq && iq->state == DNS64_NEW_QUERY
+	int synth_all_cfg = qstate->env->cfg->dns64_synthall;
-            && qstate->qinfo.qtype == LDNS_RR_TYPE_PTR
+	int synth_qname = 0;
-            && qstate->qinfo.qname_len == 74
-            && !strcmp((char*)&qstate->qinfo.qname[64], "\03ip6\04arpa"))
-        /* Handle PTR queries for IPv6 addresses. */
-        return handle_ipv6_ptr(qstate, id);
 
-	if (qstate->env->cfg->dns64_synthall &&
+	if(iq && iq->state == DNS64_NEW_QUERY
-	    iq && iq->state == DNS64_NEW_QUERY
+		&& qstate->qinfo.qtype == LDNS_RR_TYPE_PTR
-	    && qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA)
+		&& qstate->qinfo.qname_len == 74
-		return generate_type_A_query(qstate, id);
+		&& !strcmp((char*)&qstate->qinfo.qname[64], "\03ip6\04arpa")) {
+		/* Handle PTR queries for IPv6 addresses. */
+		return handle_ipv6_ptr(qstate, id);
+	}
 
-	if(dns64_always_synth_for_qname(qstate, id) &&
+	if(iq && iq->state == DNS64_NEW_QUERY &&
-	    iq && iq->state == DNS64_NEW_QUERY
+		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA &&
-	    && !(qstate->query_flags & BIT_CD)
+		(synth_all_cfg ||
-	    && qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
+		(synth_qname=(dns64_always_synth_for_qname(qstate, id)
-		verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
+			&& !(qstate->query_flags & BIT_CD))))) {
+		if(synth_qname)
+			verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
 		return generate_type_A_query(qstate, id);
 	}
 
 	/* We are finished when our sub-query is finished. */
-	if (iq && iq->state == DNS64_SUBQUERY_FINISHED)
+	if(iq && iq->state == DNS64_SUBQUERY_FINISHED)
 		return module_finished;
 
 	/* Otherwise, pass request to next module. */
@@ -627,32 +628,37 @@ handle_event_moddone(struct module_qstate* qstate, int id)
      *        synthesize in (sec 5.1.2 of RFC6147).
      *   - A successful AAAA query with an answer.
      */
-	if((!iq || iq->state != DNS64_INTERNAL_QUERY)
-            && qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA
-	    && !(qstate->query_flags & BIT_CD)
-	    && !(qstate->return_msg &&
-		    qstate->return_msg->rep &&
-		    reply_find_answer_rrset(&qstate->qinfo,
-			    qstate->return_msg->rep)))
-		/* not internal, type AAAA, not CD, and no answer RRset,
-		 * So, this is a AAAA noerror/nodata answer */
-		return generate_type_A_query(qstate, id);
 
-	if((!iq || iq->state != DNS64_INTERNAL_QUERY)
+	/* When an AAAA query completes check if we want to perform DNS64
-	    && qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA
+	 * synthesis. We skip queries with DNSSEC enabled (!CD) and
-	    && !(qstate->query_flags & BIT_CD)
+	 * ones generated by us to retrive the A/PTR record to use for
-	    && dns64_always_synth_for_qname(qstate, id)) {
+	 * synth. */
-		/* if it is not internal, AAAA, not CD and listed domain,
+	int could_synth =
-		 * generate from A record and ignore AAAA */
+		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA &&
-		verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
+		(!iq || iq->state != DNS64_INTERNAL_QUERY) &&
+		!(qstate->query_flags & BIT_CD);
+	int has_data = /* whether query returned non-empty rrset */
+		qstate->return_msg &&
+		qstate->return_msg->rep &&
+		reply_find_answer_rrset(&qstate->qinfo, qstate->return_msg->rep);
+	int synth_qname = 0;
+
+	if(could_synth &&
+		(!has_data ||
+		(synth_qname=dns64_always_synth_for_qname(qstate, id)))) {
+		if(synth_qname)
+			verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
 		return generate_type_A_query(qstate, id);
 	}
 
 	/* Store the response in cache. */
-	if ( (!iq || !iq->started_no_cache_store) &&
+	if( (!iq || !iq->started_no_cache_store) &&
-		qstate->return_msg && qstate->return_msg->rep &&
+		qstate->return_msg &&
-		!dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep,
+		qstate->return_msg->rep &&
-		0, 0, 0, NULL, qstate->query_flags, qstate->qstarttime))
+		!dns_cache_store(
+			qstate->env, &qstate->qinfo, qstate->return_msg->rep,
+			0, 0, 0, NULL,
+			qstate->query_flags, qstate->qstarttime))
 		log_err("out of memory");
 
 	/* do nothing */
@@ -969,10 +975,19 @@ dns64_inform_super(struct module_qstate* qstate, int id,
 	}
 	super_dq->state = DNS64_SUBQUERY_FINISHED;
 
-	/* If there is no successful answer, we're done. */
+	/* If there is no successful answer, we're done.
-	if (qstate->return_rcode != LDNS_RCODE_NOERROR
+	 * Guarantee that we have at least a NOERROR reply further on. */
-	    || !qstate->return_msg
+	if(qstate->return_rcode != LDNS_RCODE_NOERROR
-	    || !qstate->return_msg->rep) {
+		|| !qstate->return_msg
+		|| !qstate->return_msg->rep) {
+		return;
+	}
+
+	/* When no A record is found for synthesis fall back to AAAA again. */
+	if(qstate->qinfo.qtype == LDNS_RR_TYPE_A &&
+		!reply_find_answer_rrset(&qstate->qinfo,
+			qstate->return_msg->rep)) {
+		super_dq->state = DNS64_INTERNAL_QUERY;
 		return;
 	}
 

sbin/unwind/libunbound/dnstap/dnstap.h

@@ -133,6 +133,7 @@ dt_msg_send_client_query(struct dt_env *env,
 			 struct sockaddr_storage *qsock,
 			 struct sockaddr_storage *rsock,
 			 enum comm_point_type cptype,
+			 void *cpssl,
 			 struct sldns_buffer *qmsg,
 			 struct timeval* tstamp);
 
@@ -149,6 +150,7 @@ dt_msg_send_client_response(struct dt_env *env,
 			    struct sockaddr_storage *qsock,
 			    struct sockaddr_storage *rsock,
 			    enum comm_point_type cptype,
+			    void *cpssl,
 			    struct sldns_buffer *rmsg);
 
 /**
@@ -168,6 +170,7 @@ dt_msg_send_outside_query(struct dt_env *env,
 			  struct sockaddr_storage *rsock,
 			  struct sockaddr_storage *qsock,
 			  enum comm_point_type cptype,
+			  void *cpssl,
 			  uint8_t *zone, size_t zone_len,
 			  struct sldns_buffer *qmsg);
 
@@ -192,6 +195,7 @@ dt_msg_send_outside_response(struct dt_env *env,
 			     struct sockaddr_storage *rsock,
 			     struct sockaddr_storage *qsock,
 			     enum comm_point_type cptype,
+			     void *cpssl,
 			     uint8_t *zone, size_t zone_len,
 			     uint8_t *qbuf, size_t qbuf_len,
 			     const struct timeval *qtime,

sbin/unwind/libunbound/iterator/iter_fwd.c

@@ -523,4 +523,3 @@ forwards_delete_stub_hole(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
 	fwd_zone_free(z);
 	fwd_init_parents(fwd);
 }
-

sbin/unwind/libunbound/iterator/iter_hints.c

@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
 	dp->has_parent_side_NS = 1;
       if(do_ip4) {
 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4"))	goto failed;
-	if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2"))	goto failed;
 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12"))	goto failed;
 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13"))	goto failed;
 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
       }
       if(do_ip6) {
 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
-	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
@@ -560,4 +560,3 @@ hints_delete_stub(struct iter_hints* hints, uint16_t c, uint8_t* nm)
 	hints_stub_free(z);
 	name_tree_init_parents(&hints->tree);
 }
-

sbin/unwind/libunbound/iterator/iter_priv.c

@@ -207,28 +207,6 @@ size_t priv_get_mem(struct iter_priv* priv)
 	return sizeof(*priv) + regional_get_mem(priv->region);
 }
 
-/** remove RR from msgparse RRset, return true if rrset is entirely bad */
-static int
-remove_rr(const char* str, sldns_buffer* pkt, struct rrset_parse* rrset,
-	struct rr_parse* prev, struct rr_parse** rr, struct sockaddr_storage* addr, socklen_t addrlen)
-{
-	if(verbosity >= VERB_QUERY && rrset->dname_len <= LDNS_MAX_DOMAINLEN && str) {
-		uint8_t buf[LDNS_MAX_DOMAINLEN+1];
-		dname_pkt_copy(pkt, buf, rrset->dname);
-		log_name_addr(VERB_QUERY, str, buf, addr, addrlen);
-	}
-	if(prev)
-		prev->next = (*rr)->next;
-	else	rrset->rr_first = (*rr)->next;
-	if(rrset->rr_last == *rr)
-		rrset->rr_last = prev;
-	rrset->rr_count --;
-	rrset->size -= (*rr)->size;
-	/* rr struct still exists, but is unlinked, so that in the for loop
-	 * the rr->next works fine to continue. */
-	return rrset->rr_count == 0;
-}
-
 int priv_rrset_bad(struct iter_priv* priv, sldns_buffer* pkt,
 	struct rrset_parse* rrset)
 {
@@ -261,7 +239,7 @@ int priv_rrset_bad(struct iter_priv* priv, sldns_buffer* pkt,
 					INET_SIZE);
 				memmove(&addr, &sa, len);
 				if(priv_lookup_addr(priv, &addr, len)) {
-					if(remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, &rr, &addr, len))
+					if(msgparse_rrset_remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, rr, &addr, len))
 						return 1;
 					continue;
 				}
@@ -284,7 +262,7 @@ int priv_rrset_bad(struct iter_priv* priv, sldns_buffer* pkt,
 					INET6_SIZE);
 				memmove(&addr, &sa, len);
 				if(priv_lookup_addr(priv, &addr, len)) {
-					if(remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, &rr, &addr, len))
+					if(msgparse_rrset_remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, rr, &addr, len))
 						return 1;
 					continue;
 				}

sbin/unwind/libunbound/iterator/iter_resptype.c

@@ -42,6 +42,7 @@
 #include "config.h"
 #include "iterator/iter_resptype.h"
 #include "iterator/iter_delegpt.h"
+#include "iterator/iterator.h"
 #include "services/cache/dns.h"
 #include "util/net_help.h"
 #include "util/data/dname.h"
@@ -105,7 +106,8 @@ response_type_from_cache(struct dns_msg* msg,
 
 enum response_type
 response_type_from_server(int rdset,
-	struct dns_msg* msg, struct query_info* request, struct delegpt* dp)
+	struct dns_msg* msg, struct query_info* request, struct delegpt* dp,
+	int* empty_nodata_found)
 {
 	uint8_t* origzone = (uint8_t*)"\000"; /* the default */
 	struct ub_packed_rrset_key* s;
@@ -284,13 +286,22 @@ response_type_from_server(int rdset,
 
 	/* If we've gotten this far, this is NOERROR/NODATA (which could
 	 * be an entirely empty message) */
-	/* but ignore entirely empty messages, noerror/nodata has a soa
+	/* For entirely empty messages, try again, at first, then accept
-	 * negative ttl value in the authority section, this makes it try
+	 * it it happens more. A regular noerror/nodata response has a soa
-	 * again at another authority. And turns it from a 5 second empty
+	 * negative ttl value in the authority section. This makes it try
-	 * message into a 5 second servfail response. */
+	 * again at another authority. And decides between storing a 5 second
+	 * empty message or a 5 second servfail response. */
 	if(msg->rep->an_numrrsets == 0 && msg->rep->ns_numrrsets == 0 &&
-		msg->rep->ar_numrrsets == 0)
+		msg->rep->ar_numrrsets == 0) {
-		return RESPONSE_TYPE_THROWAWAY;
+		if(empty_nodata_found) {
+			/* detect as throwaway at first, but accept later. */
+			(*empty_nodata_found)++;
+			if(*empty_nodata_found < EMPTY_NODATA_RETRY_COUNT)
+				return RESPONSE_TYPE_THROWAWAY;
+			return RESPONSE_TYPE_ANSWER;
+		}
+		return RESPONSE_TYPE_ANSWER;
+	}
 	/* check if recursive answer; saying it has empty cache */
 	if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset)
 		return RESPONSE_TYPE_REC_LAME;

sbin/unwind/libunbound/iterator/iter_resptype.h

@@ -119,9 +119,11 @@ enum response_type response_type_from_cache(struct dns_msg* msg,
  * @param request: the request that generated the response.
  * @param dp: The delegation point that was being queried
  *          when the response was returned.
+ * @param empty_nodata_found: flag to keep track of empty nodata detection.
  * @return the response type (CNAME or ANSWER).
  */
 enum response_type response_type_from_server(int rdset,
-	struct dns_msg* msg, struct query_info* request, struct delegpt* dp);
+	struct dns_msg* msg, struct query_info* request, struct delegpt* dp,
+	int* empty_nodata_found);
 
 #endif /* ITERATOR_ITER_RESPTYPE_H */

sbin/unwind/libunbound/iterator/iter_scrub.c

@@ -283,7 +283,8 @@ synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias,
 		sizeof(uint32_t)+sizeof(uint16_t)+aliaslen);
 	if(!cn->rr_first->ttl_data)
 		return NULL;
-	sldns_write_uint32(cn->rr_first->ttl_data, 0); /* TTL = 0 */
+	memmove(cn->rr_first->ttl_data, rrset->rr_first->ttl_data,
+		sizeof(uint32_t)); /* RFC6672: synth CNAME TTL == DNAME TTL */
 	sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen);
 	memmove(cn->rr_first->ttl_data+6, alias, aliaslen);
 	cn->rr_first->size = sizeof(uint16_t)+aliaslen;
@@ -716,6 +717,56 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
 	return 0;
 }
 
+/** Remove individual RRs, if the length is wrong. Returns true if the RRset
+ * has been removed. */
+static int
+scrub_sanitize_rr_length(sldns_buffer* pkt, struct msg_parse* msg,
+	struct rrset_parse* prev, struct rrset_parse** rrset, int* added_ede,
+	struct module_qstate* qstate)
+{
+	struct rr_parse* rr, *rr_prev = NULL;
+	for(rr = (*rrset)->rr_first; rr; rr = rr->next) {
+
+		/* Sanity check for length of records
+		 * An A record should be 6 bytes only
+		 * (2 bytes for length and 4 for IPv4 addr)*/
+		if((*rrset)->type == LDNS_RR_TYPE_A && rr->size != 6 ) {
+			if(!*added_ede) {
+				*added_ede = 1;
+				errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.",
+					LDNS_EDE_OTHER);
+			}
+			if(msgparse_rrset_remove_rr("sanitize: removing type A RR of inappropriate length:",
+				pkt, *rrset, rr_prev, rr, NULL, 0)) {
+				remove_rrset("sanitize: removing type A RRset of inappropriate length:",
+					pkt, msg, prev, rrset);
+				return 1;
+			}
+			continue;
+		}
+
+		/* Sanity check for length of records
+		 * An AAAA record should be 18 bytes only
+		 * (2 bytes for length and 16 for IPv6 addr)*/
+		if((*rrset)->type == LDNS_RR_TYPE_AAAA && rr->size != 18 ) {
+			if(!*added_ede) {
+				*added_ede = 1;
+				errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.",
+					LDNS_EDE_OTHER);
+			}
+			if(msgparse_rrset_remove_rr("sanitize: removing type AAAA RR of inappropriate length:",
+				pkt, *rrset, rr_prev, rr, NULL, 0)) {
+				remove_rrset("sanitize: removing type AAAA RRset of inappropriate length:",
+					pkt, msg, prev, rrset);
+				return 1;
+			}
+			continue;
+		}
+		rr_prev = rr;
+	}
+	return 0;
+}
+
 /**
  * Given a response event, remove suspect RRsets from the response.
  * "Suspect" rrsets are potentially poison. Note that this routine expects
@@ -728,15 +779,17 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
  * @param zonename: name of server zone.
  * @param env: module environment with config and cache.
  * @param ie: iterator environment with private address data.
+ * @param qstate: for setting errinf for EDE error messages.
  * @return 0 on error.
  */
 static int
 scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 	struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
-	struct iter_env* ie)
+	struct iter_env* ie, struct module_qstate* qstate)
 {
 	int del_addi = 0; /* if additional-holding rrsets are deleted, we
 		do not trust the normalized additional-A-AAAA any more */
+	int added_rrlen_ede = 0;
 	struct rrset_parse* rrset, *prev;
 	prev = NULL;
 	rrset = msg->rrset_first;
@@ -781,6 +834,14 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 	rrset = msg->rrset_first;
 	while(rrset) {
 
+		/* Sanity check for length of records */
+		if(rrset->type == LDNS_RR_TYPE_A ||
+			rrset->type == LDNS_RR_TYPE_AAAA) {
+			if(scrub_sanitize_rr_length(pkt, msg, prev, &rrset,
+				&added_rrlen_ede, qstate))
+				continue;
+		}
+
 		/* remove private addresses */
 		if( (rrset->type == LDNS_RR_TYPE_A ||
 			rrset->type == LDNS_RR_TYPE_AAAA)) {
@@ -854,7 +915,8 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 int
 scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
 	struct query_info* qinfo, uint8_t* zonename, struct regional* region,
-	struct module_env* env, struct iter_env* ie)
+	struct module_env* env, struct module_qstate* qstate,
+	struct iter_env* ie)
 {
 	/* basic sanity checks */
 	log_nametypeclass(VERB_ALGO, "scrub for", zonename, LDNS_RR_TYPE_NS,
@@ -886,7 +948,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
 	if(!scrub_normalize(pkt, msg, qinfo, region, env))
 		return 0;
 	/* delete all out-of-zone information */
-	if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie))
+	if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate))
 		return 0;
 	return 1;
 }

sbin/unwind/libunbound/iterator/iter_scrub.h

@@ -48,6 +48,7 @@ struct query_info;
 struct regional;
 struct module_env;
 struct iter_env;
+struct module_qstate;
 
 /**
  * Cleanup the passed dns message.
@@ -59,11 +60,13 @@ struct iter_env;
  *	Used to determine out of bailiwick information.
  * @param regional: where to allocate (new) parts of the message.
  * @param env: module environment with config settings and cache.
+ * @param qstate: for setting errinf for EDE error messages.
  * @param ie: iterator module environment data.
  * @return: false if the message is total waste. true if scrubbed with success.
  */
 int scrub_message(struct sldns_buffer* pkt, struct msg_parse* msg,
 	struct query_info* qinfo, uint8_t* zonename, struct regional* regional,
-	struct module_env* env, struct iter_env* ie);
+	struct module_env* env, struct module_qstate* qstate,
+	struct iter_env* ie);
 
 #endif /* ITERATOR_ITER_SCRUB_H */

sbin/unwind/libunbound/iterator/iterator.c

@@ -1449,6 +1449,39 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 			}
 			iq->qchase.qname = sname;
 			iq->qchase.qname_len = slen;
+			if(qstate->env->auth_zones) {
+				/* apply rpz qname triggers after cname */
+				struct dns_msg* forged_response =
+					rpz_callback_from_iterator_cname(qstate, iq);
+				while(forged_response && reply_find_rrset_section_an(
+					forged_response->rep, iq->qchase.qname,
+					iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
+					iq->qchase.qclass)) {
+					/* another cname to follow */
+					if(!handle_cname_response(qstate, iq, forged_response,
+						&sname, &slen)) {
+						errinf(qstate, "malloc failure, CNAME info");
+						return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+					}
+					iq->qchase.qname = sname;
+					iq->qchase.qname_len = slen;
+					forged_response =
+						rpz_callback_from_iterator_cname(qstate, iq);
+				}
+				if(forged_response != NULL) {
+					qstate->ext_state[id] = module_finished;
+					qstate->return_rcode = LDNS_RCODE_NOERROR;
+					qstate->return_msg = forged_response;
+					iq->response = forged_response;
+					next_state(iq, FINISHED_STATE);
+					if(!iter_prepend(iq, qstate->return_msg, qstate->region)) {
+						log_err("rpz: after cached cname, prepend rrsets: out of memory");
+						return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+					}
+					qstate->return_msg->qinfo = qstate->qinfo;
+					return 0;
+				}
+			}
 			/* This *is* a query restart, even if it is a cheap
 			 * one. */
 			iq->dp = NULL;
@@ -2875,7 +2908,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* unset CD if to forwarder(RD set) and not dnssec retry
 		 * (blacklist nonempty) and no trust-anchors are configured
 		 * above the qname or on the first attempt when dnssec is on */
-		EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
+		(qstate->env->cfg->disable_edns_do?0:EDNS_DO)|
+		((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
 		!qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env,
 		&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
 		iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
@@ -2940,7 +2974,7 @@ static int
 processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 	struct iter_env* ie, int id)
 {
-	int dnsseclame = 0, origtypecname = 0;
+	int dnsseclame = 0, origtypecname = 0, orig_empty_nodata_found;
 	enum response_type type;
 
 	iq->num_current_queries--;
@@ -2960,12 +2994,25 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		return next_state(iq, QUERYTARGETS_STATE);
 	}
 	iq->timeout_count = 0;
+	orig_empty_nodata_found = iq->empty_nodata_found;
 	type = response_type_from_server(
 		(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
-		iq->response, &iq->qinfo_out, iq->dp);
+		iq->response, &iq->qinfo_out, iq->dp, &iq->empty_nodata_found);
 	iq->chase_to_rd = 0;
 	/* remove TC flag, if this is erroneously set by TCP upstream */
 	iq->response->rep->flags &= ~BIT_TC;
+	if(orig_empty_nodata_found != iq->empty_nodata_found &&
+		iq->empty_nodata_found < EMPTY_NODATA_RETRY_COUNT) {
+		/* try to search at another server */
+		if(qstate->reply) {
+			struct delegpt_addr* a = delegpt_find_addr(
+				iq->dp, &qstate->reply->remote_addr,
+				qstate->reply->remote_addrlen);
+			/* make selection disprefer it */
+			if(a) a->lame = 1;
+		}
+		return next_state(iq, QUERYTARGETS_STATE);
+	}
 	if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
 		!iq->auth_zone_response) {
 		/* When forwarding (RD bit is set), we handle referrals
@@ -3501,7 +3548,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
 	iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */
 	type = response_type_from_server(
 		(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
-		iq->response, &iq->qchase, iq->dp);
+		iq->response, &iq->qchase, iq->dp, NULL);
 	if(type == RESPONSE_TYPE_ANSWER) {
 		qstate->return_rcode = LDNS_RCODE_NOERROR;
 		qstate->return_msg = iq->response;
@@ -3874,6 +3921,23 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
 
 	/* explicitly set the EDE string to NULL */
 	iq->response->rep->reason_bogus_str = NULL;
+	if((qstate->env->cfg->val_log_level >= 2 ||
+		qstate->env->cfg->log_servfail) && qstate->errinf &&
+		!qstate->env->cfg->val_log_squelch) {
+		char* err_str = errinf_to_str_misc(qstate);
+		if(err_str) {
+			size_t err_str_len = strlen(err_str);
+			verbose(VERB_ALGO, "iterator EDE: %s", err_str);
+			/* allocate space and store the error
+			 * string */
+			iq->response->rep->reason_bogus_str = regional_alloc(
+				qstate->region,
+				sizeof(char) * (err_str_len+1));
+			memcpy(iq->response->rep->reason_bogus_str,
+				err_str, err_str_len+1);
+		}
+		free(err_str);
+	}
 
 	/* we have finished processing this query */
 	qstate->ext_state[id] = module_finished;
@@ -4087,10 +4151,10 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 			/* like packet got dropped */
 			goto handle_it;
 		}
-		if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
+	}
-			log_err("unable to call edns_back_parsed callback");
+	if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
-			goto handle_it;
+		log_err("unable to call edns_back_parsed callback");
-		}
+		goto handle_it;
 	}
 
 	/* remove CD-bit, we asked for in case we handle validation ourself */
@@ -4098,7 +4162,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 
 	/* normalize and sanitize: easy to delete items from linked lists */
 	if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name,
-		qstate->env->scratch, qstate->env, ie)) {
+		qstate->env->scratch, qstate->env, qstate, ie)) {
 		/* if 0x20 enabled, start fallback, but we have no message */
 		if(event == module_event_capsfail && !iq->caps_fallback) {
 			iq->caps_fallback = 1;

sbin/unwind/libunbound/iterator/iterator.h

@@ -101,6 +101,8 @@ extern int BLACKLIST_PENALTY;
  * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a
  * fast server, this causes server exploration as a side benefit. msec. */
 #define RTT_BAND 400
+/** Number of retries for empty nodata packets before it is accepted. */
+#define EMPTY_NODATA_RETRY_COUNT 2
 
 /**
  * Global state for the iterator.
@@ -415,6 +417,11 @@ struct iter_qstate {
 	 */
 	int refetch_glue;
 
+	/**
+	 * This flag detects that a completely empty nodata was received,
+	 * already so that it is accepted later. */
+	int empty_nodata_found;
+
 	/** list of pending queries to authoritative servers. */
 	struct outbound_list outlist;
 

sbin/unwind/libunbound/libunbound/libworker.c

@@ -62,6 +62,7 @@
 #include "util/random.h"
 #include "util/config_file.h"
 #include "util/netevent.h"
+#include "util/proxy_protocol.h"
 #include "util/storage/lookup3.h"
 #include "util/storage/slabhash.h"
 #include "util/net_help.h"
@@ -168,6 +169,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 		hints_delete(w->env->hints);
 		w->env->hints = NULL;
 	}
+#ifdef HAVE_SSL
 	w->sslctx = connect_sslctx_create(NULL, NULL,
 		cfg->tls_cert_bundle, cfg->tls_win_cert);
 	if(!w->sslctx) {
@@ -175,6 +177,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 		hints_delete(w->env->hints);
 		w->env->hints = NULL;
 	}
+#endif
 	if(!w->is_bg || w->is_bg_thread) {
 		lock_basic_unlock(&ctx->cfglock);
 	}
@@ -263,6 +266,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 	w->env->kill_sub = &mesh_state_delete;
 	w->env->detect_cycle = &mesh_detect_cycle;
 	comm_base_timept(w->base, &w->env->now, &w->env->now_tv);
+	pp_init(&sldns_write_uint16, &sldns_write_uint32);
 	return w;
 }
 

sbin/unwind/libunbound/services/authzone.c

@@ -2475,6 +2475,7 @@ az_find_ce(struct auth_zone* z, struct query_info* qinfo,
 	struct auth_rrset** rrset)
 {
 	struct auth_data* n = node;
+	struct auth_rrset* lookrrset;
 	*ce = NULL;
 	*rrset = NULL;
 	if(!node_exact) {
@@ -2497,21 +2498,23 @@ az_find_ce(struct auth_zone* z, struct query_info* qinfo,
 		/* see if the current candidate has issues */
 		/* not zone apex and has type NS */
 		if(n->namelen != z->namelen &&
-			(*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) &&
+			(lookrrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) &&
 			/* delegate here, but DS at exact the dp has notype */
 			(qinfo->qtype != LDNS_RR_TYPE_DS ||
 			n->namelen != qinfo->qname_len)) {
 			/* referral */
 			/* this is ce and the lowernode is nonexisting */
 			*ce = n;
-			return 0;
+			*rrset = lookrrset;
+			node_exact = 0;
 		}
 		/* not equal to qname and has type DNAME */
 		if(n->namelen != qinfo->qname_len &&
-			(*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) {
+			(lookrrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) {
 			/* this is ce and the lowernode is nonexisting */
 			*ce = n;
-			return 0;
+			*rrset = lookrrset;
+			node_exact = 0;
 		}
 
 		if(*ce == NULL && !domain_has_only_nsec3(n)) {
@@ -2699,7 +2702,7 @@ create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
 	if(!d)
 		return 0; /* out of memory */
 	(*cname)->entry.data = d;
-	d->ttl = 0; /* 0 for synthesized CNAME TTL */
+	d->ttl = dname->data->ttl; /* RFC6672: synth CNAME TTL == DNAME TTL */
 	d->count = 1;
 	d->rrsig_count = 0;
 	d->trust = rrset_trust_ans_noAA;

sbin/unwind/libunbound/services/cache/dns.c

@@ -80,6 +80,7 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
 	struct regional* region, time_t qstarttime)
 {
 	size_t i;
+	time_t ttl, min_ttl = rep->ttl;
 	/* see if rrset already exists in cache, if not insert it. */
 	for(i=0; i<rep->rrset_count; i++) {
 		rep->ref[i].key = rep->rrsets[i];
@@ -112,6 +113,15 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
 		case 1: /* ref updated, item inserted */
 			rep->rrsets[i] = rep->ref[i].key;
 		}
+		/* if ref was updated make sure the message ttl is updated to
+		 * the minimum of the current rrsets. */
+		ttl = ((struct packed_rrset_data*)rep->rrsets[i]->entry.data)->ttl;
+		if(ttl < min_ttl) min_ttl = ttl;
+	}
+	if(min_ttl < rep->ttl) {
+		rep->ttl = min_ttl;
+		rep->prefetch_ttl = PREFETCH_TTL_CALC(rep->ttl);
+		rep->serve_expired_ttl = rep->ttl + SERVE_EXPIRED_TTL;
 	}
 }
 
@@ -818,7 +828,7 @@ synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
 	if(!newd)
 		return NULL;
 	ck->entry.data = newd;
-	newd->ttl = 0; /* 0 for synthesized CNAME TTL */
+	newd->ttl = d->ttl - now; /* RFC6672: synth CNAME TTL == DNAME TTL */
 	newd->count = 1;
 	newd->rrsig_count = 0;
 	newd->trust = rrset_trust_ans_noAA;

sbin/unwind/libunbound/services/listen_dnsport.c

@@ -1327,7 +1327,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 			log_warn("socket timestamping is not available");
 		}
 		if(!port_insert(list, s, is_dnscrypt
-			?listen_type_udp_dnscrypt:listen_type_udp,
+			?listen_type_udp_dnscrypt :
+			(sock_queue_timeout ?
+				listen_type_udpancil:listen_type_udp),
 			is_pp2, ub_sock)) {
 			sock_close(s);
 			if(ub_sock->addr)
@@ -1498,9 +1500,13 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 			}
 		} else if(ports->ftype == listen_type_udpancil ||
 				  ports->ftype == listen_type_udpancil_dnscrypt) {
+#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
 			cp = comm_point_create_udp_ancil(base, ports->fd,
 				front->udp_buff, ports->pp2_enabled, cb,
 				cb_arg, ports->socket);
+#else
+			log_warn("This system does not support UDP ancilliary data.");
+#endif
 		}
 		if(!cp) {
 			log_err("can't create commpoint");

sbin/unwind/libunbound/services/localzone.c

@@ -1532,7 +1532,7 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 			return 0; /* invalid cname */
 		if(dname_is_wild(ctarget)) {
 			/* synthesize cname target */
-			struct packed_rrset_data* d;
+			struct packed_rrset_data* d, *lr_d;
 			/* -3 for wildcard label and root label from qname */
 			size_t newtargetlen = qinfo->qname_len + ctargetlen - 3;
 
@@ -1560,8 +1560,10 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 				+ newtargetlen);
 			if(!d)
 				return 0; /* out of memory */
+			lr_d = (struct packed_rrset_data*)lr->rrset->entry.data;
 			qinfo->local_alias->rrset->entry.data = d;
-			d->ttl = 0; /* 0 for synthesized CNAME TTL */
+			d->ttl = lr_d->rr_ttl[0]; /* RFC6672-like behavior:
+					    synth CNAME TTL uses original TTL*/
 			d->count = 1;
 			d->rrsig_count = 0;
 			d->trust = rrset_trust_ans_noAA;

sbin/unwind/libunbound/services/mesh.c

@@ -69,6 +69,12 @@
 #include "edns-subnet/subnetmod.h"
 #include "edns-subnet/edns-subnet.h"
 #endif
+#ifdef HAVE_SYS_TYPES_H
+#  include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
 
 /**
  * Compare two response-ip client info entries for the purpose of mesh state
@@ -1197,6 +1203,8 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 		r->edns.udp_size = EDNS_ADVERTISED_SIZE;
 		r->edns.ext_rcode = 0;
 		r->edns.bits &= EDNS_DO;
+		if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
+			r->edns.edns_present = 0;
 
 		if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
 			LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region, start_time) ||
@@ -1224,11 +1232,12 @@ static inline int
 mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
 {
 	struct respip_action_info const* respip_info = m->s.respip_action_info;
-	return respip_info == NULL
+	return (respip_info == NULL
 			? 0
 			: (respip_info->rpz_used
 			&& !respip_info->rpz_disabled
-			&& respip_info->action == respip_truncate);
+			&& respip_info->action == respip_truncate))
+		|| m->s.tcp_required;
 }
 
 static inline int
@@ -1371,6 +1380,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		r->edns.udp_size = EDNS_ADVERTISED_SIZE;
 		r->edns.ext_rcode = 0;
 		r->edns.bits &= EDNS_DO;
+		if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
+			r->edns.edns_present = 0;
 		m->s.qinfo.qname = r->qname;
 		m->s.qinfo.local_alias = r->local_alias;
 
@@ -1424,7 +1435,9 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	if(m->s.env->cfg->log_replies) {
 		log_reply_info(NO_VERBOSE, &m->s.qinfo,
 			&r->query_reply.client_addr,
-			r->query_reply.client_addrlen, duration, 0, r_buffer);
+			r->query_reply.client_addrlen, duration, 0, r_buffer,
+			(m->s.env->cfg->log_destaddr?(void*)r->query_reply.c->socket->addr->ai_addr:NULL),
+			r->query_reply.c->type);
 	}
 }
 

sbin/unwind/libunbound/services/outside_network.c

@@ -550,7 +550,6 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr,
 		log_assert(&key_p.reuse != (struct reuse_tcp*)result);
 		log_assert(&key_p != ((struct reuse_tcp*)result)->pending);
 	}
-	/* not found, return null */
 
 	/* It is possible that we search for something before the first element
 	 * in the tree. Replace a null pointer with the first element.
@@ -560,6 +559,7 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr,
 		result = rbtree_first(&outnet->tcp_reuse);
 	}
 
+	/* not found, return null */
 	if(!result || result == RBTREE_NULL)
 		return NULL;
 
@@ -1009,7 +1009,7 @@ use_free_buffer(struct outside_network* outnet)
 			sldns_buffer tmp;
 			sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
 			dt_msg_send_outside_query(outnet->dtenv, &w->sq->addr,
-				&pend_tcp->pi->addr, comm_tcp, w->sq->zone,
+				&pend_tcp->pi->addr, comm_tcp, NULL, w->sq->zone,
 				w->sq->zonelen, &tmp);
 		}
 #endif
@@ -2237,7 +2237,7 @@ randomize_and_send_udp(struct pending* pend, sldns_buffer* packet, int timeout)
 		outnet->dtenv->log_forwarder_query_messages)) {
 			log_addr(VERB_ALGO, "from local addr", &pend->pc->pif->addr, pend->pc->pif->addrlen);
 			log_addr(VERB_ALGO, "request to upstream", &pend->addr, pend->addrlen);
-			dt_msg_send_outside_query(outnet->dtenv, &pend->addr, &pend->pc->pif->addr, comm_udp,
+			dt_msg_send_outside_query(outnet->dtenv, &pend->addr, &pend->pc->pif->addr, comm_udp, NULL,
 				pend->sq->zone, pend->sq->zonelen, packet);
 	}
 #endif
@@ -2517,7 +2517,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
 			sldns_buffer tmp;
 			sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
 			dt_msg_send_outside_query(sq->outnet->dtenv, &sq->addr,
-				&pend->pi->addr, comm_tcp, sq->zone,
+				&pend->pi->addr, comm_tcp, NULL, sq->zone,
 				sq->zonelen, &tmp);
 		}
 #endif
@@ -2820,6 +2820,25 @@ serviced_perturb_qname(struct ub_randstate* rnd, uint8_t* qbuf, size_t len)
 	}
 }
 
+static uint16_t
+serviced_query_udp_size(struct serviced_query* sq, enum serviced_query_status status) {
+	uint16_t udp_size;
+	if(status == serviced_query_UDP_EDNS_FRAG) {
+		if(addr_is_ip6(&sq->addr, sq->addrlen)) {
+			if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
+				udp_size = EDNS_FRAG_SIZE_IP6;
+			else	udp_size = EDNS_ADVERTISED_SIZE;
+		} else {
+			if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
+				udp_size = EDNS_FRAG_SIZE_IP4;
+			else	udp_size = EDNS_ADVERTISED_SIZE;
+		}
+	} else {
+		udp_size = EDNS_ADVERTISED_SIZE;
+	}
+	return udp_size;
+}
+
 /** put serviced query into a buffer */
 static void
 serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
@@ -2843,19 +2862,7 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
 		edns.opt_list_in = NULL;
 		edns.opt_list_out = sq->opt_list;
 		edns.opt_list_inplace_cb_out = NULL;
-		if(sq->status == serviced_query_UDP_EDNS_FRAG) {
+		edns.udp_size = serviced_query_udp_size(sq, sq->status);
-			if(addr_is_ip6(&sq->addr, sq->addrlen)) {
-				if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
-					edns.udp_size = EDNS_FRAG_SIZE_IP6;
-				else	edns.udp_size = EDNS_ADVERTISED_SIZE;
-			} else {
-				if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
-					edns.udp_size = EDNS_FRAG_SIZE_IP4;
-				else	edns.udp_size = EDNS_ADVERTISED_SIZE;
-			}
-		} else {
-			edns.udp_size = EDNS_ADVERTISED_SIZE;
-		}
 		edns.bits = 0;
 		if(sq->dnssec & EDNS_DO)
 			edns.bits = EDNS_DO;
@@ -3083,7 +3090,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
 		log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen);
 		log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen);
 		dt_msg_send_outside_response(sq->outnet->dtenv, &sq->addr,
-			&pi->addr, c->type, sq->zone, sq->zonelen, sq->qbuf,
+			&pi->addr, c->type, c->ssl, sq->zone, sq->zonelen, sq->qbuf,
 			sq->qbuflen, &sq->last_sent_time, sq->outnet->now_tv,
 			c->buffer);
 	}
@@ -3252,7 +3259,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 
 	sq->pending = NULL; /* removed after callback */
 	if(error == NETEVENT_TIMEOUT) {
-		if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000) {
+		if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000 &&
+		   (serviced_query_udp_size(sq, serviced_query_UDP_EDNS_FRAG) < serviced_query_udp_size(sq, serviced_query_UDP_EDNS))) {
 			/* fallback to 1480/1280 */
 			sq->status = serviced_query_UDP_EDNS_FRAG;
 			log_name_addr(VERB_ALGO, "try edns1xx0", sq->qbuf+10,
@@ -3296,7 +3304,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 		log_addr(VERB_ALGO, "to local addr", &p->pc->pif->addr,
 			p->pc->pif->addrlen);
 		dt_msg_send_outside_response(outnet->dtenv, &sq->addr,
-			&p->pc->pif->addr, c->type, sq->zone, sq->zonelen,
+			&p->pc->pif->addr, c->type, c->ssl, sq->zone, sq->zonelen,
 			sq->qbuf, sq->qbuflen, &sq->last_sent_time,
 			sq->outnet->now_tv, c->buffer);
 	}

sbin/unwind/libunbound/services/rpz.c

@@ -2162,7 +2162,7 @@ rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r,
 	case RPZ_TCP_ONLY_ACTION:
 		/* basically a passthru here but the tcp-only will be
 		 * honored before the query gets sent. */
-		ms->respip_action_info->action = respip_truncate;
+		ms->tcp_required = 1;
 		ret = NULL;
 		break;
 	case RPZ_DROP_ACTION:
@@ -2217,7 +2217,7 @@ rpz_apply_nsdname_trigger(struct module_qstate* ms, struct rpz* r,
 	case RPZ_TCP_ONLY_ACTION:
 		/* basically a passthru here but the tcp-only will be
 		 * honored before the query gets sent. */
-		ms->respip_action_info->action = respip_truncate;
+		ms->tcp_required = 1;
 		ret = NULL;
 		break;
 	case RPZ_DROP_ACTION:
@@ -2428,7 +2428,7 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
 	case RPZ_TCP_ONLY_ACTION:
 		/* basically a passthru here but the tcp-only will be
 		 * honored before the query gets sent. */
-		ms->respip_action_info->action = respip_truncate;
+		ms->tcp_required = 1;
 		ret = NULL;
 		break;
 	case RPZ_DROP_ACTION:
@@ -2448,6 +2448,10 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
 			rpz_action_to_string(localzone_type_to_rpz_action(lzt)));
 		ret = NULL;
 	}
+	if(r->log)
+		log_rpz_apply("qname", (z?z->name:NULL), NULL,
+			localzone_type_to_rpz_action(lzt),
+			&is->qchase, NULL, ms, r->log_name);
 	lock_rw_unlock(&z->lock);
 	lock_rw_unlock(&a->lock);
 	return ret;

sbin/unwind/libunbound/sldns/rrdef.h

@@ -196,8 +196,8 @@ enum sldns_enum_rr_type
 	LDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
 	LDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
 	LDNS_RR_TYPE_ZONEMD = 63, /* draft-ietf-dnsop-dns-zone-digest-12 */
-    LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */
+	LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */
-    LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */
+	LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */
 
 	LDNS_RR_TYPE_SPF = 99, /* RFC 4408 */
 

sbin/unwind/libunbound/sldns/str2wire.c

@@ -2459,12 +2459,13 @@ int sldns_str2wire_wks_buf(const char* str, uint8_t* rd, size_t* len)
 			(void)strlcpy(proto_str, token, sizeof(proto_str));
 		} else {
 			int serv_port;
-			struct servent *serv = getservbyname(token, proto_str);
+			if(atoi(token) != 0) serv_port=atoi(token);
-			if(serv) serv_port=(int)ntohs((uint16_t)serv->s_port);
+			else if(strcmp(token, "0") == 0) serv_port=0;
 			else if(strcasecmp(token, "domain")==0) serv_port=53;
 			else {
-				serv_port = atoi(token);
+				struct servent *serv = getservbyname(token, proto_str);
-				if(serv_port == 0 && strcmp(token, "0") != 0) {
+				if(serv) serv_port=(int)ntohs((uint16_t)serv->s_port);
+				else {
 #ifdef HAVE_ENDSERVENT
 					endservent();
 #endif
@@ -2474,16 +2475,16 @@ int sldns_str2wire_wks_buf(const char* str, uint8_t* rd, size_t* len)
 					return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX,
 						sldns_buffer_position(&strbuf));
 				}
-				if(serv_port < 0 || serv_port > 65535) {
+			}
+			if(serv_port < 0 || serv_port > 65535) {
 #ifdef HAVE_ENDSERVENT
-					endservent();
+				endservent();
 #endif
 #ifdef HAVE_ENDPROTOENT
-					endprotoent();
+				endprotoent();
 #endif
-					return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX,
+				return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX,
-						sldns_buffer_position(&strbuf));
+					sldns_buffer_position(&strbuf));
-				}
 			}
 			if(rd_len < 1+serv_port/8+1) {
 				/* bitmap is larger, init new bytes at 0 */

sbin/unwind/libunbound/sldns/wire2str.c

@@ -192,6 +192,7 @@ static sldns_lookup_table sldns_edns_options_data[] = {
 	{ 6, "DHU" },
 	{ 7, "N3U" },
 	{ 8, "edns-client-subnet" },
+	{ 10, "COOKIE" },
 	{ 11, "edns-tcp-keepalive"},
 	{ 12, "Padding" },
 	{ 15, "EDE"},
@@ -199,6 +200,38 @@ static sldns_lookup_table sldns_edns_options_data[] = {
 };
 sldns_lookup_table* sldns_edns_options = sldns_edns_options_data;
 
+/* From RFC8914 5.2 Table 3, the "Extended DNS Error Codes" registry. */
+static sldns_lookup_table sldns_edns_ede_codes_data[] = {
+	{ LDNS_EDE_NONE, "None" },
+	{ LDNS_EDE_OTHER, "Other Error" },
+	{ LDNS_EDE_UNSUPPORTED_DNSKEY_ALG, "Unsupported DNSKEY Algorithm" },
+	{ LDNS_EDE_UNSUPPORTED_DS_DIGEST, "Unsupported DS Digest Type" },
+	{ LDNS_EDE_STALE_ANSWER, "Stale Answer" },
+	{ LDNS_EDE_FORGED_ANSWER, "Forged Answer" },
+	{ LDNS_EDE_DNSSEC_INDETERMINATE, "DNSSEC Indeterminate" },
+	{ LDNS_EDE_DNSSEC_BOGUS, "DNSSEC Bogus" },
+	{ LDNS_EDE_SIGNATURE_EXPIRED, "Signature Expired" },
+	{ LDNS_EDE_SIGNATURE_NOT_YET_VALID, "Signature Not Yet Valid" },
+	{ LDNS_EDE_DNSKEY_MISSING, "DNSKEY Missing" },
+	{ LDNS_EDE_RRSIGS_MISSING, "RRSIGs Missing" },
+	{ LDNS_EDE_NO_ZONE_KEY_BIT_SET, "No Zone Key Bit Set" },
+	{ LDNS_EDE_NSEC_MISSING, "NSEC Missing" },
+	{ LDNS_EDE_CACHED_ERROR, "Cached Error" },
+	{ LDNS_EDE_NOT_READY, "Not Ready" },
+	{ LDNS_EDE_BLOCKED, "Blocked" },
+	{ LDNS_EDE_CENSORED, "Censored" },
+	{ LDNS_EDE_FILTERED, "Filtered" },
+	{ LDNS_EDE_PROHIBITED, "Prohibited" },
+	{ LDNS_EDE_STALE_NXDOMAIN_ANSWER, "Stale NXDOMAIN Answer" },
+	{ LDNS_EDE_NOT_AUTHORITATIVE, "Not Authoritative" },
+	{ LDNS_EDE_NOT_SUPPORTED, "Not Supported" },
+	{ LDNS_EDE_NO_REACHABLE_AUTHORITY, "No Reachable Authority" },
+	{ LDNS_EDE_NETWORK_ERROR, "Network Error" },
+	{ LDNS_EDE_INVALID_DATA, "Invalid Data" },
+	{ 0, NULL}
+};
+sldns_lookup_table* sldns_edns_ede_codes = sldns_edns_ede_codes_data;
+
 static sldns_lookup_table sldns_tsig_errors_data[] = {
 	{ LDNS_TSIG_ERROR_NOERROR, "NOERROR" },
 	{ LDNS_RCODE_FORMERR, "FORMERR" },
@@ -2234,6 +2267,52 @@ static int sldns_wire2str_edns_keepalive_print(char** s, size_t* sl,
 	return w;
 }
 
+int sldns_wire2str_edns_ede_print(char** s, size_t* sl,
+	uint8_t* data, size_t len)
+{
+	uint16_t ede_code;
+	int w = 0;
+	sldns_lookup_table *lt;
+	size_t i;
+	int printable;
+
+	if(len < 2) {
+		w += sldns_str_print(s, sl, "malformed ede ");
+		w += print_hex_buf(s, sl, data, len);
+		return w;
+	}
+
+	ede_code = sldns_read_uint16(data);
+	lt = sldns_lookup_by_id(sldns_edns_ede_codes, (int)ede_code);
+	if(lt && lt->name)
+		w += sldns_str_print(s, sl, "%s", lt->name);
+	else 	w += sldns_str_print(s, sl, "%d", (int)ede_code);
+
+	if(len == 2)
+		return w;
+
+	w += sldns_str_print(s, sl, " ");
+
+	/* If it looks like text, show it as text. */
+	printable=1;
+	for(i=2; i<len; i++) {
+		if(isprint((unsigned char)data[i]) || data[i] == '\t')
+			continue;
+		printable = 0;
+		break;
+	}
+	if(printable) {
+		w += sldns_str_print(s, sl, "\"");
+		for(i=2; i<len; i++) {
+			w += str_char_print(s, sl, data[i]);
+		}
+		w += sldns_str_print(s, sl, "\"");
+	} else {
+		w += print_hex_buf(s, sl, data+2, len-2);
+	}
+	return w;
+}
+
 int sldns_wire2str_edns_option_print(char** s, size_t* sl,
 	uint16_t option_code, uint8_t* optdata, size_t optlen)
 {
@@ -2268,6 +2347,9 @@ int sldns_wire2str_edns_option_print(char** s, size_t* sl,
 	case LDNS_EDNS_PADDING:
 		w += print_hex_buf(s, sl, optdata, optlen);
 		break;
+	case LDNS_EDNS_EDE:
+		w += sldns_wire2str_edns_ede_print(s, sl, optdata, optlen);
+		break;
 	default:
 		/* unknown option code */
 		w += print_hex_buf(s, sl, optdata, optlen);

sbin/unwind/libunbound/sldns/wire2str.h

@@ -36,6 +36,8 @@ extern struct sldns_struct_lookup_table* sldns_opcodes;
 extern struct sldns_struct_lookup_table* sldns_edns_flags;
 /** EDNS option codes */
 extern struct sldns_struct_lookup_table* sldns_edns_options;
+/** EDNS EDE codes */
+extern struct sldns_struct_lookup_table* sldns_edns_ede_codes;
 /** error string from wireparse */
 extern struct sldns_struct_lookup_table* sldns_wireparse_errors;
 /** tsig errors are the rcodes with extra (higher) values */
@@ -1020,6 +1022,17 @@ int sldns_wire2str_edns_n3u_print(char** str, size_t* str_len,
 int sldns_wire2str_edns_subnet_print(char** str, size_t* str_len,
 	uint8_t* option_data, size_t option_len);
 
+/**
+ * Print EDNS EDE option data to string. User buffers, moves string pointers.
+ * @param str: string buffer.
+ * @param str_len: length of string buffer.
+ * @param option_data: buffer with EDNS option code data.
+ * @param option_len: length of the data for this option.
+ * @return number of characters (except null) needed to print.
+ */
+int sldns_wire2str_edns_ede_print(char** str, size_t* str_len,
+	uint8_t* option_data, size_t option_len);
+
 /**
  * Print an EDNS option as OPT: VALUE.  User buffers, moves string pointers.
  * @param str: string buffer.

sbin/unwind/libunbound/util/config_file.c

@@ -142,6 +142,7 @@ config_create(void)
 	cfg->log_tag_queryreply = 0;
 	cfg->log_local_actions = 0;
 	cfg->log_servfail = 0;
+	cfg->log_destaddr = 0;
 #ifndef USE_WINSOCK
 #  ifdef USE_MINI_EVENT
 	/* select max 1024 sockets */
@@ -271,6 +272,7 @@ config_create(void)
 	cfg->val_permissive_mode = 0;
 	cfg->aggressive_nsec = 1;
 	cfg->ignore_cd = 0;
+	cfg->disable_edns_do = 0;
 	cfg->serve_expired = 0;
 	cfg->serve_expired_ttl = 0;
 	cfg->serve_expired_ttl_reset = 0;
@@ -381,6 +383,7 @@ config_create(void)
 #ifdef USE_CACHEDB
 	if(!(cfg->cachedb_backend = strdup("testframe"))) goto error_exit;
 	if(!(cfg->cachedb_secret = strdup("default"))) goto error_exit;
+	cfg->cachedb_no_store = 0;
 #ifdef USE_REDIS
 	if(!(cfg->redis_server_host = strdup("127.0.0.1"))) goto error_exit;
 	cfg->redis_server_path = NULL;
@@ -388,6 +391,7 @@ config_create(void)
 	cfg->redis_timeout = 100;
 	cfg->redis_server_port = 6379;
 	cfg->redis_expire_records = 0;
+	cfg->redis_logical_db = 0;
 #endif  /* USE_REDIS */
 #endif  /* USE_CACHEDB */
 #ifdef USE_IPSET
@@ -687,9 +691,11 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_YNO("log-tag-queryreply:", log_tag_queryreply)
 	else S_YNO("log-local-actions:", log_local_actions)
 	else S_YNO("log-servfail:", log_servfail)
+	else S_YNO("log-destaddr:", log_destaddr)
 	else S_YNO("val-permissive-mode:", val_permissive_mode)
 	else S_YNO("aggressive-nsec:", aggressive_nsec)
 	else S_YNO("ignore-cd-flag:", ignore_cd)
+	else S_YNO("disable-edns-do:", disable_edns_do)
 	else if(strcmp(opt, "serve-expired:") == 0)
 	{ IS_YES_OR_NO; cfg->serve_expired = (strcmp(val, "yes") == 0);
 	  SERVE_EXPIRED = cfg->serve_expired; }
@@ -819,6 +825,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	{ IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); }
 	else S_YNO("ipsecmod-strict:", ipsecmod_strict)
 #endif
+#ifdef USE_CACHEDB
+	else S_YNO("cachedb-no-store:", cachedb_no_store)
+#endif /* USE_CACHEDB */
 	else if(strcmp(opt, "define-tag:") ==0) {
 		return config_add_tag(cfg, val);
 	/* val_sig_skew_min, max and val_max_restart are copied into val_env
@@ -1120,6 +1129,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "log-tag-queryreply", log_tag_queryreply)
 	else O_YNO(opt, "log-local-actions", log_local_actions)
 	else O_YNO(opt, "log-servfail", log_servfail)
+	else O_YNO(opt, "log-destaddr", log_destaddr)
 	else O_STR(opt, "pidfile", pidfile)
 	else O_YNO(opt, "hide-identity", hide_identity)
 	else O_YNO(opt, "hide-version", hide_version)
@@ -1149,6 +1159,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "val-permissive-mode", val_permissive_mode)
 	else O_YNO(opt, "aggressive-nsec", aggressive_nsec)
 	else O_YNO(opt, "ignore-cd-flag", ignore_cd)
+	else O_YNO(opt, "disable-edns-do", disable_edns_do)
 	else O_YNO(opt, "serve-expired", serve_expired)
 	else O_DEC(opt, "serve-expired-ttl", serve_expired_ttl)
 	else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset)
@@ -1306,6 +1317,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 #ifdef USE_CACHEDB
 	else O_STR(opt, "backend", cachedb_backend)
 	else O_STR(opt, "secret-seed", cachedb_secret)
+	else O_YNO(opt, "cachedb-no-store", cachedb_no_store)
 #ifdef USE_REDIS
 	else O_STR(opt, "redis-server-host", redis_server_host)
 	else O_DEC(opt, "redis-server-port", redis_server_port)
@@ -1313,6 +1325,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_STR(opt, "redis-server-password", redis_server_password)
 	else O_DEC(opt, "redis-timeout", redis_timeout)
 	else O_YNO(opt, "redis-expire-records", redis_expire_records)
+	else O_DEC(opt, "redis-logical-db", redis_logical_db)
 #endif  /* USE_REDIS */
 #endif  /* USE_CACHEDB */
 #ifdef USE_IPSET

sbin/unwind/libunbound/util/config_file.h

@@ -349,6 +349,8 @@ struct config_file {
 	int log_servfail;
 	/** log identity to report */
 	char* log_identity;
+	/** log dest addr for log_replies */
+	int log_destaddr;
 
 	/** do not report identity (id.server, hostname.bind) */
 	int hide_identity;
@@ -409,6 +411,8 @@ struct config_file {
 	int aggressive_nsec;
 	/** ignore the CD flag in incoming queries and refuse them bogus data */
 	int ignore_cd;
+	/** disable EDNS DO flag in outgoing requests */
+	int disable_edns_do;
 	/** serve expired entries and prefetch them */
 	int serve_expired;
 	/** serve expired entries until TTL after expiration */
@@ -699,6 +703,8 @@ struct config_file {
 	char* cachedb_backend;
 	/** secret seed for hash key calculation */
 	char* cachedb_secret;
+	/** cachedb that does not store, but only reads from database, if on */
+	int cachedb_no_store;
 #ifdef USE_REDIS
 	/** redis server's IP address or host name */
 	char* redis_server_host;
@@ -712,6 +718,8 @@ struct config_file {
 	int redis_timeout;
 	/** set timeout on redis records based on DNS response ttl */
 	int redis_expire_records;
+	/** set the redis logical database upon connection */
+	int redis_logical_db;
 #endif
 #endif
 	/** Downstream DNS Cookies */

sbin/unwind/libunbound/util/configlexer.lex

@@ -403,6 +403,7 @@ val-clean-additional{COLON}	{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
 val-permissive-mode{COLON}	{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
 aggressive-nsec{COLON}		{ YDVAR(1, VAR_AGGRESSIVE_NSEC) }
 ignore-cd-flag{COLON}		{ YDVAR(1, VAR_IGNORE_CD_FLAG) }
+disable-edns-do{COLON}		{ YDVAR(1, VAR_DISABLE_EDNS_DO) }
 serve-expired{COLON}		{ YDVAR(1, VAR_SERVE_EXPIRED) }
 serve-expired-ttl{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
 serve-expired-ttl-reset{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
@@ -433,6 +434,7 @@ log-replies{COLON}		{ YDVAR(1, VAR_LOG_REPLIES) }
 log-tag-queryreply{COLON}	{ YDVAR(1, VAR_LOG_TAG_QUERYREPLY) }
 log-local-actions{COLON}       { YDVAR(1, VAR_LOG_LOCAL_ACTIONS) }
 log-servfail{COLON}		{ YDVAR(1, VAR_LOG_SERVFAIL) }
+log-destaddr{COLON}		{ YDVAR(1, VAR_LOG_DESTADDR) }
 local-zone{COLON}		{ YDVAR(2, VAR_LOCAL_ZONE) }
 local-data{COLON}		{ YDVAR(1, VAR_LOCAL_DATA) }
 local-data-ptr{COLON}		{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
@@ -557,12 +559,14 @@ ipsecmod-strict{COLON}		{ YDVAR(1, VAR_IPSECMOD_STRICT) }
 cachedb{COLON}			{ YDVAR(0, VAR_CACHEDB) }
 backend{COLON}			{ YDVAR(1, VAR_CACHEDB_BACKEND) }
 secret-seed{COLON}		{ YDVAR(1, VAR_CACHEDB_SECRETSEED) }
+cachedb-no-store{COLON}		{ YDVAR(1, VAR_CACHEDB_NO_STORE) }
 redis-server-host{COLON}	{ YDVAR(1, VAR_CACHEDB_REDISHOST) }
 redis-server-port{COLON}	{ YDVAR(1, VAR_CACHEDB_REDISPORT) }
 redis-server-path{COLON}	{ YDVAR(1, VAR_CACHEDB_REDISPATH) }
 redis-server-password{COLON}	{ YDVAR(1, VAR_CACHEDB_REDISPASSWORD) }
 redis-timeout{COLON}		{ YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) }
 redis-expire-records{COLON}	{ YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) }
+redis-logical-db{COLON}		{ YDVAR(1, VAR_CACHEDB_REDISLOGICALDB) }
 ipset{COLON}			{ YDVAR(0, VAR_IPSET) }
 name-v4{COLON}			{ YDVAR(1, VAR_IPSET_NAME_V4) }
 name-v6{COLON}			{ YDVAR(1, VAR_IPSET_NAME_V6) }

sbin/unwind/libunbound/util/configparser.h

@@ -283,64 +283,68 @@
 #define VAR_CACHEDB_REDISEXPIRERECORDS 539
 #define VAR_CACHEDB_REDISPATH 540
 #define VAR_CACHEDB_REDISPASSWORD 541
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 542
+#define VAR_CACHEDB_REDISLOGICALDB 542
-#define VAR_FOR_UPSTREAM 543
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 543
-#define VAR_AUTH_ZONE 544
+#define VAR_FOR_UPSTREAM 544
-#define VAR_ZONEFILE 545
+#define VAR_AUTH_ZONE 545
-#define VAR_MASTER 546
+#define VAR_ZONEFILE 546
-#define VAR_URL 547
+#define VAR_MASTER 547
-#define VAR_FOR_DOWNSTREAM 548
+#define VAR_URL 548
-#define VAR_FALLBACK_ENABLED 549
+#define VAR_FOR_DOWNSTREAM 549
-#define VAR_TLS_ADDITIONAL_PORT 550
+#define VAR_FALLBACK_ENABLED 550
-#define VAR_LOW_RTT 551
+#define VAR_TLS_ADDITIONAL_PORT 551
-#define VAR_LOW_RTT_PERMIL 552
+#define VAR_LOW_RTT 552
-#define VAR_FAST_SERVER_PERMIL 553
+#define VAR_LOW_RTT_PERMIL 553
-#define VAR_FAST_SERVER_NUM 554
+#define VAR_FAST_SERVER_PERMIL 554
-#define VAR_ALLOW_NOTIFY 555
+#define VAR_FAST_SERVER_NUM 555
-#define VAR_TLS_WIN_CERT 556
+#define VAR_ALLOW_NOTIFY 556
-#define VAR_TCP_CONNECTION_LIMIT 557
+#define VAR_TLS_WIN_CERT 557
-#define VAR_ANSWER_COOKIE 558
+#define VAR_TCP_CONNECTION_LIMIT 558
-#define VAR_COOKIE_SECRET 559
+#define VAR_ANSWER_COOKIE 559
-#define VAR_IP_RATELIMIT_COOKIE 560
+#define VAR_COOKIE_SECRET 560
-#define VAR_FORWARD_NO_CACHE 561
+#define VAR_IP_RATELIMIT_COOKIE 561
-#define VAR_STUB_NO_CACHE 562
+#define VAR_FORWARD_NO_CACHE 562
-#define VAR_LOG_SERVFAIL 563
+#define VAR_STUB_NO_CACHE 563
-#define VAR_DENY_ANY 564
+#define VAR_LOG_SERVFAIL 564
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 565
+#define VAR_DENY_ANY 565
-#define VAR_LOG_TAG_QUERYREPLY 566
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 566
-#define VAR_STREAM_WAIT_SIZE 567
+#define VAR_LOG_TAG_QUERYREPLY 567
-#define VAR_TLS_CIPHERS 568
+#define VAR_STREAM_WAIT_SIZE 568
-#define VAR_TLS_CIPHERSUITES 569
+#define VAR_TLS_CIPHERS 569
-#define VAR_TLS_USE_SNI 570
+#define VAR_TLS_CIPHERSUITES 570
-#define VAR_IPSET 571
+#define VAR_TLS_USE_SNI 571
-#define VAR_IPSET_NAME_V4 572
+#define VAR_IPSET 572
-#define VAR_IPSET_NAME_V6 573
+#define VAR_IPSET_NAME_V4 573
-#define VAR_TLS_SESSION_TICKET_KEYS 574
+#define VAR_IPSET_NAME_V6 574
-#define VAR_RPZ 575
+#define VAR_TLS_SESSION_TICKET_KEYS 575
-#define VAR_TAGS 576
+#define VAR_RPZ 576
-#define VAR_RPZ_ACTION_OVERRIDE 577
+#define VAR_TAGS 577
-#define VAR_RPZ_CNAME_OVERRIDE 578
+#define VAR_RPZ_ACTION_OVERRIDE 578
-#define VAR_RPZ_LOG 579
+#define VAR_RPZ_CNAME_OVERRIDE 579
-#define VAR_RPZ_LOG_NAME 580
+#define VAR_RPZ_LOG 580
-#define VAR_DYNLIB 581
+#define VAR_RPZ_LOG_NAME 581
-#define VAR_DYNLIB_FILE 582
+#define VAR_DYNLIB 582
-#define VAR_EDNS_CLIENT_STRING 583
+#define VAR_DYNLIB_FILE 583
-#define VAR_EDNS_CLIENT_STRING_OPCODE 584
+#define VAR_EDNS_CLIENT_STRING 584
-#define VAR_NSID 585
+#define VAR_EDNS_CLIENT_STRING_OPCODE 585
-#define VAR_ZONEMD_PERMISSIVE_MODE 586
+#define VAR_NSID 586
-#define VAR_ZONEMD_CHECK 587
+#define VAR_ZONEMD_PERMISSIVE_MODE 587
-#define VAR_ZONEMD_REJECT_ABSENCE 588
+#define VAR_ZONEMD_CHECK 588
-#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 589
+#define VAR_ZONEMD_REJECT_ABSENCE 589
-#define VAR_INTERFACE_AUTOMATIC_PORTS 590
+#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 590
-#define VAR_EDE 591
+#define VAR_INTERFACE_AUTOMATIC_PORTS 591
-#define VAR_INTERFACE_ACTION 592
+#define VAR_EDE 592
-#define VAR_INTERFACE_VIEW 593
+#define VAR_INTERFACE_ACTION 593
-#define VAR_INTERFACE_TAG 594
+#define VAR_INTERFACE_VIEW 594
-#define VAR_INTERFACE_TAG_ACTION 595
+#define VAR_INTERFACE_TAG 595
-#define VAR_INTERFACE_TAG_DATA 596
+#define VAR_INTERFACE_TAG_ACTION 596
-#define VAR_PROXY_PROTOCOL_PORT 597
+#define VAR_INTERFACE_TAG_DATA 597
-#define VAR_STATISTICS_INHIBIT_ZERO 598
+#define VAR_PROXY_PROTOCOL_PORT 598
-#define VAR_HARDEN_UNKNOWN_ADDITIONAL 599
+#define VAR_STATISTICS_INHIBIT_ZERO 599
+#define VAR_HARDEN_UNKNOWN_ADDITIONAL 600
+#define VAR_DISABLE_EDNS_DO 601
+#define VAR_CACHEDB_NO_STORE 602
+#define VAR_LOG_DESTADDR 603
 #ifndef YYSTYPE_DEFINED
 #define YYSTYPE_DEFINED
 typedef union {

sbin/unwind/libunbound/util/configparser.y

@@ -179,6 +179,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
 %token VAR_CACHEDB_REDISHOST VAR_CACHEDB_REDISPORT VAR_CACHEDB_REDISTIMEOUT
 %token VAR_CACHEDB_REDISEXPIRERECORDS VAR_CACHEDB_REDISPATH VAR_CACHEDB_REDISPASSWORD
+%token VAR_CACHEDB_REDISLOGICALDB
 %token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
 %token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
 %token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
@@ -198,7 +199,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG
 %token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA
 %token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO
-%token VAR_HARDEN_UNKNOWN_ADDITIONAL
+%token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE
+%token VAR_LOG_DESTADDR
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -332,7 +334,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
 	server_interface_automatic_ports | server_ede |
 	server_proxy_protocol_port | server_statistics_inhibit_zero |
-	server_harden_unknown_additional
+	server_harden_unknown_additional | server_disable_edns_do |
+	server_log_destaddr
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -1249,6 +1252,15 @@ server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG
 		free($2);
 	}
 	;
+server_log_destaddr: VAR_LOG_DESTADDR STRING_ARG
+	{
+		OUTYY(("P(server_log_destaddr:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->log_destaddr = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG
 	{
 		OUTYY(("P(server_log_local_actions:%s)\n", $2));
@@ -2060,6 +2072,15 @@ server_ignore_cd_flag: VAR_IGNORE_CD_FLAG STRING_ARG
 		free($2);
 	}
 	;
+server_disable_edns_do: VAR_DISABLE_EDNS_DO STRING_ARG
+	{
+		OUTYY(("P(server_disable_edns_do:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->disable_edns_do = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_serve_expired: VAR_SERVE_EXPIRED STRING_ARG
 	{
 		OUTYY(("P(server_serve_expired:%s)\n", $2));
@@ -3701,7 +3722,8 @@ contents_cachedb: contents_cachedb content_cachedb
 	| ;
 content_cachedb: cachedb_backend_name | cachedb_secret_seed |
 	redis_server_host | redis_server_port | redis_timeout |
-	redis_expire_records | redis_server_path | redis_server_password
+	redis_expire_records | redis_server_path | redis_server_password |
+	cachedb_no_store | redis_logical_db
 	;
 cachedb_backend_name: VAR_CACHEDB_BACKEND STRING_ARG
 	{
@@ -3727,6 +3749,19 @@ cachedb_secret_seed: VAR_CACHEDB_SECRETSEED STRING_ARG
 	#endif
 	}
 	;
+cachedb_no_store: VAR_CACHEDB_NO_STORE STRING_ARG
+	{
+	#ifdef USE_CACHEDB
+		OUTYY(("P(cachedb_no_store:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->cachedb_no_store = (strcmp($2, "yes")==0);
+	#else
+		OUTYY(("P(Compiled without cachedb, ignoring)\n"));
+	#endif
+		free($2);
+	}
+	;
 redis_server_host: VAR_CACHEDB_REDISHOST STRING_ARG
 	{
 	#if defined(USE_CACHEDB) && defined(USE_REDIS)
@@ -3804,6 +3839,21 @@ redis_expire_records: VAR_CACHEDB_REDISEXPIRERECORDS STRING_ARG
 		free($2);
 	}
 	;
+redis_logical_db: VAR_CACHEDB_REDISLOGICALDB STRING_ARG
+	{
+	#if defined(USE_CACHEDB) && defined(USE_REDIS)
+		int db;
+		OUTYY(("P(redis_logical_db:%s)\n", $2));
+		db = atoi($2);
+		if((db == 0 && strcmp($2, "0") != 0) || db < 0)
+			yyerror("valid redis logical database index expected");
+		else cfg_parser->cfg->redis_logical_db = db;
+	#else
+		OUTYY(("P(Compiled without cachedb or redis, ignoring)\n"));
+	#endif
+		free($2);
+	}
+	;
 server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG
 	{
 		OUTYY(("P(server_tcp_connection_limit:%s %s)\n", $2, $3));

sbin/unwind/libunbound/util/data/msgencode.c

@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list)
 				curr->opt_len = 2;
 				prev = curr;
 				curr = curr->next;
+			} else {
+				prev = curr;
+				curr = curr->next;
 			}
 		} else {
 			/* continue */
@@ -1012,8 +1015,10 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
 	ede_size = calc_ede_option_size(edns, &ede_txt_size);
 	if(sldns_buffer_capacity(pkt) < udpsize)
 		udpsize = sldns_buffer_capacity(pkt);
+	if(!edns || !edns->edns_present) {
+		attach_edns = 0;
 	/* EDEs are optional, try to fit anything else before them */
-	if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
+	} else if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
 		/* packet too small to contain edns, omit it. */
 		attach_edns = 0;
 	} else {

sbin/unwind/libunbound/util/data/msgparse.c

@@ -47,6 +47,7 @@
 #include "util/regional.h"
 #include "util/rfc_1982.h"
 #include "util/edns.h"
+#include "util/net_help.h"
 #include "sldns/rrdef.h"
 #include "sldns/sbuffer.h"
 #include "sldns/parseutil.h"
@@ -1306,3 +1307,27 @@ log_edns_opt_list(enum verbosity_value level, const char* info_str,
 	}
 }
 
+/** remove RR from msgparse RRset, return true if rrset is entirely bad */
+int
+msgparse_rrset_remove_rr(const char* str, sldns_buffer* pkt, struct rrset_parse* rrset,
+	struct rr_parse* prev, struct rr_parse* rr, struct sockaddr_storage* addr, socklen_t addrlen)
+{
+	if(verbosity >= VERB_QUERY && rrset->dname_len <= LDNS_MAX_DOMAINLEN && str) {
+		uint8_t buf[LDNS_MAX_DOMAINLEN+1];
+		dname_pkt_copy(pkt, buf, rrset->dname);
+		if(addr)
+			log_name_addr(VERB_QUERY, str, buf, addr, addrlen);
+		else	log_nametypeclass(VERB_QUERY, str, buf,
+				rrset->type, ntohs(rrset->rrset_class));
+	}
+	if(prev)
+		prev->next = rr->next;
+	else	rrset->rr_first = rr->next;
+	if(rrset->rr_last == rr)
+		rrset->rr_last = prev;
+	rrset->rr_count --;
+	rrset->size -= rr->size;
+	/* rr struct still exists, but is unlinked, so that in the for loop
+	 * the rr->next works fine to continue. */
+	return rrset->rr_count == 0;
+}

sbin/unwind/libunbound/util/data/msgparse.h

@@ -371,4 +371,22 @@ void msgparse_bucket_remove(struct msg_parse* msg, struct rrset_parse* rrset);
 void log_edns_opt_list(enum verbosity_value level, const char* info_str,
 	struct edns_option* list);
 
+/**
+ * Remove RR from msgparse RRset.
+ * @param str: this string is used for logging if verbose. If NULL, there is
+ *	no logging of the remove.
+ * @param pkt: packet in buffer that is removed from. Used to log the name
+ * 	of the item removed.
+ * @param rrset: RRset that the RR is removed from.
+ * @param prev: previous RR in list, or NULL.
+ * @param rr: RR that is removed.
+ * @param addr: address used for logging, if verbose, or NULL then it is not
+ *	used.
+ * @param addrlen: length of addr, if that is not NULL.
+ * @return true if rrset is entirely bad, it would then need to be removed.
+ */
+int msgparse_rrset_remove_rr(const char* str, struct sldns_buffer* pkt,
+	struct rrset_parse* rrset, struct rr_parse* prev, struct rr_parse* rr,
+	struct sockaddr_storage* addr, socklen_t addrlen);
+
 #endif /* UTIL_DATA_MSGPARSE_H */

sbin/unwind/libunbound/util/data/msgreply.c

@@ -918,13 +918,15 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep)
 void
 log_reply_info(enum verbosity_value v, struct query_info *qinf,
 	struct sockaddr_storage *addr, socklen_t addrlen, struct timeval dur,
-	int cached, struct sldns_buffer *rmsg)
+	int cached, struct sldns_buffer *rmsg, struct sockaddr_storage* daddr,
+	enum comm_point_type tp)
 {
 	char qname_buf[LDNS_MAX_DOMAINLEN+1];
 	char clientip_buf[128];
 	char rcode_buf[16];
 	char type_buf[16];
 	char class_buf[16];
+	char dest_buf[160];
 	size_t pktlen;
 	uint16_t rcode = FLAGS_GET_RCODE(sldns_buffer_read_u16_at(rmsg, 2));
 
@@ -933,11 +935,46 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
 
 	sldns_wire2str_rcode_buf((int)rcode, rcode_buf, sizeof(rcode_buf));
 	addr_to_str(addr, addrlen, clientip_buf, sizeof(clientip_buf));
+	if(daddr) {
+		char da[128];
+		int port = 0;
+		char* comm;
+		if(daddr->ss_family == AF_INET6) {
+			struct sockaddr_in6 *d = (struct sockaddr_in6 *)daddr;
+			if(inet_ntop(d->sin6_family, &d->sin6_addr, da,
+				sizeof(*d)) == 0)
+				snprintf(dest_buf, sizeof(dest_buf),
+					"(inet_ntop_error)");
+			port = ntohs(d->sin6_port);
+		} else if(daddr->ss_family == AF_INET) {
+			struct sockaddr_in *d = (struct sockaddr_in *)daddr;
+			if(inet_ntop(d->sin_family, &d->sin_addr, da,
+				sizeof(*d)) == 0)
+				snprintf(dest_buf, sizeof(dest_buf),
+					"(inet_ntop_error)");
+			port = ntohs(d->sin_port);
+		} else {
+			snprintf(da, sizeof(da), "socket%d",
+				(int)daddr->ss_family);
+		}
+		comm = "udp";
+		if(tp == comm_tcp) comm = "tcp";
+		else if(tp == comm_tcp_accept) comm = "tcp";
+		else if(tp == comm_http) comm = "dot";
+		else if(tp == comm_local) comm = "unix";
+		else if(tp == comm_raw) comm = "raw";
+		snprintf(dest_buf, sizeof(dest_buf), " on %s %s %d",
+			comm, da, port);
+	} else {
+		dest_buf[0]=0;
+	}
 	if(rcode == LDNS_RCODE_FORMERR)
 	{
 		if(LOG_TAG_QUERYREPLY)
-			log_reply("%s - - - %s - - - ", clientip_buf, rcode_buf);
+			log_reply("%s - - - %s - - -%s", clientip_buf,
-		else	log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
+				rcode_buf, dest_buf);
+		else	log_info("%s - - - %s - - -%s", clientip_buf,
+				rcode_buf, dest_buf);
 	} else {
 		if(qinf->qname)
 			dname_str(qinf->qname, qname_buf);
@@ -946,12 +983,14 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
 		sldns_wire2str_type_buf(qinf->qtype, type_buf, sizeof(type_buf));
 		sldns_wire2str_class_buf(qinf->qclass, class_buf, sizeof(class_buf));
 		if(LOG_TAG_QUERYREPLY)
-		     log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
+		     log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d%s",
 			clientip_buf, qname_buf, type_buf, class_buf,
-			rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
+			rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec,
-		else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
+			cached, (int)pktlen, dest_buf);
+		else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d%s",
 			clientip_buf, qname_buf, type_buf, class_buf,
-			rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
+			rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec,
+			cached, (int)pktlen, dest_buf);
 	}
 }
 

sbin/unwind/libunbound/util/data/msgreply.h

@@ -58,6 +58,7 @@ struct msg_parse;
 struct rrset_parse;
 struct local_rrset;
 struct dns_msg;
+enum comm_point_type;
 
 /** calculate the prefetch TTL as 90% of original. Calculation
  * without numerical overflow (uin32_t) */
@@ -520,10 +521,13 @@ void log_dns_msg(const char* str, struct query_info* qinfo,
  * @param cached: whether or not the reply is coming from
  *                    the cache, or an outside network.
  * @param rmsg: sldns buffer packet.
+ * @param daddr: if not NULL, the destination address and port are logged.
+ * @param tp: type of the comm point for logging destination connection type.
  */
 void log_reply_info(enum verbosity_value v, struct query_info *qinf,
 	struct sockaddr_storage *addr, socklen_t addrlen, struct timeval dur,
-	int cached, struct sldns_buffer *rmsg);
+	int cached, struct sldns_buffer *rmsg, struct sockaddr_storage* daddr,
+	enum comm_point_type tp);
 
 /**
  * Print string with neat domain name, type, class from query info.

sbin/unwind/libunbound/util/data/packed_rrset.c

@@ -275,6 +275,7 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
 	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
 		entry.data;
 	uint8_t rr[65535];
+	size_t wlen;
 	size_t rlen = rrset->rk.dname_len + 2 + 2 + 4 + d->rr_len[i];
 	time_t adjust = 0;
 	log_assert(dest_len > 0 && dest);
@@ -292,7 +293,9 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
 	sldns_write_uint32(rr+rrset->rk.dname_len+4,
 		(uint32_t)(d->rr_ttl[i]-adjust));
 	memmove(rr+rrset->rk.dname_len+8, d->rr_data[i], d->rr_len[i]);
-	if(sldns_wire2str_rr_buf(rr, rlen, dest, dest_len) == -1) {
+	wlen = (size_t)sldns_wire2str_rr_buf(rr, rlen, dest, dest_len);
+	if(wlen >= dest_len) {
+		/* the output string was truncated */
 		log_info("rrbuf failure %d %s", (int)d->rr_len[i], dest);
 		dest[0] = 0;
 		return 0;

sbin/unwind/libunbound/util/fptr_wlist.c

@@ -169,7 +169,9 @@ int
 fptr_whitelist_event(void (*fptr)(int, short, void *))
 {
 	if(fptr == &comm_point_udp_callback) return 1;
+#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
 	else if(fptr == &comm_point_udp_ancil_callback) return 1;
+#endif
 	else if(fptr == &comm_point_tcp_accept_callback) return 1;
 	else if(fptr == &comm_point_tcp_handle_callback) return 1;
 	else if(fptr == &comm_timer_callback) return 1;

sbin/unwind/libunbound/util/iana_ports.inc

@@ -258,7 +258,6 @@
 356,
 357,
 358,
-359,
 360,
 361,
 362,

sbin/unwind/libunbound/util/log.c

@@ -187,7 +187,7 @@ void log_ident_set_default(const char* id)
 	default_ident = id;
 }
 
-void log_ident_revert_to_default()
+void log_ident_revert_to_default(void)
 {
 	ident = default_ident;
 }

sbin/unwind/libunbound/util/module.c

@@ -194,6 +194,24 @@ char* errinf_to_str_servfail(struct module_qstate* qstate)
 	return p;
 }
 
+char* errinf_to_str_misc(struct module_qstate* qstate)
+{
+	char buf[20480];
+	char* p = buf;
+	size_t left = sizeof(buf);
+	struct errinf_strlist* s;
+	if(!qstate->errinf)
+		snprintf(p, left, "misc failure");
+	else for(s=qstate->errinf; s; s=s->next) {
+		snprintf(p, left, "%s%s", (s==qstate->errinf?"":" "), s->str);
+		left -= strlen(p); p += strlen(p);
+	}
+	p = strdup(buf);
+	if(!p)
+		log_err("malloc failure in errinf_to_str");
+	return p;
+}
+
 void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr)
 {
 	char buf[1024];

sbin/unwind/libunbound/util/module.h

@@ -691,6 +691,8 @@ struct module_qstate {
 	struct respip_action_info* respip_action_info;
 	/** if the query is rpz passthru, no further rpz processing for it */
 	int rpz_passthru;
+	/* Flag tcp required. */
+	int tcp_required;
 
 	/** whether the reply should be dropped */
 	int is_drop;
@@ -842,6 +844,14 @@ sldns_ede_code errinf_to_reason_bogus(struct module_qstate* qstate);
  */
 char* errinf_to_str_servfail(struct module_qstate* qstate);
 
+/**
+ * Create error info in string.  For misc failures that are not servfail.
+ * @param qstate: query state.
+ * @return string or NULL on malloc failure (already logged).
+ *    This string is malloced and has to be freed by caller.
+ */
+char* errinf_to_str_misc(struct module_qstate* qstate);
+
 /**
  * Initialize the edns known options by allocating the required space.
  * @param env: the module environment.

sbin/unwind/libunbound/util/net_help.c

@@ -952,6 +952,111 @@ void log_crypto_err_code(const char* str, unsigned long err)
 #endif /* HAVE_SSL */
 }
 
+#ifdef HAVE_SSL
+/** Print crypt erro with SSL_get_error want code and err_get_error code */
+static void log_crypto_err_io_code_arg(const char* str, int r,
+	unsigned long err, int err_present)
+{
+	int print_errno = 0, print_crypto_err = 0;
+	const char* inf = NULL;
+
+	switch(r) {
+	case SSL_ERROR_NONE:
+		inf = "no error";
+		break;
+	case SSL_ERROR_ZERO_RETURN:
+		inf = "channel closed";
+		break;
+	case SSL_ERROR_WANT_READ:
+		inf = "want read";
+		break;
+	case SSL_ERROR_WANT_WRITE:
+		inf = "want write";
+		break;
+	case SSL_ERROR_WANT_CONNECT:
+		inf = "want connect";
+		break;
+	case SSL_ERROR_WANT_ACCEPT:
+		inf = "want accept";
+		break;
+	case SSL_ERROR_WANT_X509_LOOKUP:
+		inf = "want X509 lookup";
+		break;
+#ifdef SSL_ERROR_WANT_ASYNC
+	case SSL_ERROR_WANT_ASYNC:
+		inf = "want async";
+		break;
+#endif
+#ifdef SSL_ERROR_WANT_ASYNC_JOB
+	case SSL_ERROR_WANT_ASYNC_JOB:
+		inf = "want async job";
+		break;
+#endif
+#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
+	case SSL_ERROR_WANT_CLIENT_HELLO_CB:
+		inf = "want client hello cb";
+		break;
+#endif
+	case SSL_ERROR_SYSCALL:
+		print_errno = 1;
+		inf = "syscall";
+		break;
+	case SSL_ERROR_SSL:
+		print_crypto_err = 1;
+		inf = "SSL, usually protocol, error";
+		break;
+	default:
+		inf = "unknown SSL_get_error result code";
+		print_errno = 1;
+		print_crypto_err = 1;
+	}
+	if(print_crypto_err) {
+		if(print_errno) {
+			char buf[1024];
+			snprintf(buf, sizeof(buf), "%s with errno %s",
+				str, strerror(errno));
+			if(err_present)
+				log_crypto_err_code(buf, err);
+			else	log_crypto_err(buf);
+		} else {
+			if(err_present)
+				log_crypto_err_code(str, err);
+			else	log_crypto_err(str);
+		}
+	} else {
+		if(print_errno) {
+			if(errno == 0)
+				log_err("str: syscall error with errno %s",
+					strerror(errno));
+			else log_err("str: %s", strerror(errno));
+		} else {
+			log_err("str: %s", inf);
+		}
+	}
+}
+#endif /* HAVE_SSL */
+
+void log_crypto_err_io(const char* str, int r)
+{
+#ifdef HAVE_SSL
+	log_crypto_err_io_code_arg(str, r, 0, 0);
+#else
+	(void)str;
+	(void)r;
+#endif /* HAVE_SSL */
+}
+
+void log_crypto_err_io_code(const char* str, int r, unsigned long err)
+{
+#ifdef HAVE_SSL
+	log_crypto_err_io_code_arg(str, r, err, 1);
+#else
+	(void)str;
+	(void)r;
+	(void)err;
+#endif /* HAVE_SSL */
+}
+
 #ifdef HAVE_SSL
 /** log certificate details */
 void

sbin/unwind/libunbound/util/net_help.h

@@ -429,6 +429,24 @@ void log_crypto_err(const char* str);
  */
 void log_crypto_err_code(const char* str, unsigned long err);
 
+/**
+ * Log an error from libcrypto that came from SSL_write and so on, with
+ * a value from SSL_get_error, calls log_err. If that fails it logs with
+ * log_crypto_err.
+ * @param str: what failed
+ * @param r: output of SSL_get_error on the I/O operation result.
+ */
+void log_crypto_err_io(const char* str, int r);
+
+/**
+ * Log an error from libcrypt that came from an I/O routine with the
+ * errcode from ERR_get_error. Calls log_err() and log_crypto_err_code.
+ * @param str: what failed
+ * @param r: output of SSL_get_error on the I/O operation result.
+ * @param err: error code from ERR_get_error
+ */
+void log_crypto_err_io_code(const char* str, int r, unsigned long err);
+
 /**
  * Log certificate details verbosity, string, of X509 cert
  * @param level: verbosity level

sbin/unwind/libunbound/util/netevent.c

@@ -892,15 +892,18 @@ static int udp_recv_needs_log(int err)
 static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep,
 	int stream) {
 	size_t size;
-	struct pp2_header *header = pp2_read_header(buf);
+	struct pp2_header *header;
-	if(header == NULL) return 0;
+	int err = pp2_read_header(sldns_buffer_begin(buf),
+		sldns_buffer_remaining(buf));
+	if(err) return 0;
+	header = (struct pp2_header*)sldns_buffer_begin(buf);
 	size = PP2_HEADER_SIZE + ntohs(header->len);
 	if((header->ver_cmd & 0xF) == PP2_CMD_LOCAL) {
 		/* A connection from the proxy itself.
 		 * No need to do anything with addresses. */
 		goto done;
 	}
-	if(header->fam_prot == 0x00) {
+	if(header->fam_prot == PP2_UNSPEC_UNSPEC) {
 		/* Unspecified family and protocol. This could be used for
 		 * health checks by proxies.
 		 * No need to do anything with addresses. */
@@ -908,8 +911,8 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep,
 	}
 	/* Read the proxied address */
 	switch(header->fam_prot) {
-		case 0x11: /* AF_INET|STREAM */
+		case PP2_INET_STREAM:
-		case 0x12: /* AF_INET|DGRAM */
+		case PP2_INET_DGRAM:
 			{
 			struct sockaddr_in* addr =
 				(struct sockaddr_in*)&rep->client_addr;
@@ -920,8 +923,8 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep,
 			}
 			/* Ignore the destination address; it should be us. */
 			break;
-		case 0x21: /* AF_INET6|STREAM */
+		case PP2_INET6_STREAM:
-		case 0x22: /* AF_INET6|DGRAM */
+		case PP2_INET6_DGRAM:
 			{
 			struct sockaddr_in6* addr =
 				(struct sockaddr_in6*)&rep->client_addr;
@@ -934,6 +937,10 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep,
 			}
 			/* Ignore the destination address; it should be us. */
 			break;
+		default:
+			log_err("proxy_protocol: unsupported family and "
+				"protocol 0x%x", (int)header->fam_prot);
+			return 0;
 	}
 	rep->is_proxied = 1;
 done:
@@ -948,10 +955,10 @@ done:
 	return 1;
 }
 
+#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
 void
 comm_point_udp_ancil_callback(int fd, short event, void* arg)
 {
-#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
 	struct comm_reply rep;
 	struct msghdr msg;
 	struct iovec iov[1];
@@ -1063,21 +1070,21 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
 		fptr_ok(fptr_whitelist_comm_point(rep.c->callback));
 		if((*rep.c->callback)(rep.c, rep.c->cb_arg, NETEVENT_NOERROR, &rep)) {
 			/* send back immediate reply */
-			(void)comm_point_send_udp_msg_if(rep.c, rep.c->buffer,
+			struct sldns_buffer *buffer;
+#ifdef USE_DNSCRYPT
+			buffer = rep.c->dnscrypt_buffer;
+#else
+			buffer = rep.c->buffer;
+#endif
+			(void)comm_point_send_udp_msg_if(rep.c, buffer,
 				(struct sockaddr*)&rep.remote_addr,
 				rep.remote_addrlen, &rep);
 		}
 		if(!rep.c || rep.c->fd == -1) /* commpoint closed */
 			break;
 	}
-#else
-	(void)fd;
-	(void)event;
-	(void)arg;
-	fatal_exit("recvmsg: No support for IPV6_PKTINFO; IP_PKTINFO or IP_RECVDSTADDR. "
-		"Please disable interface-automatic");
-#endif /* AF_INET6 && IPV6_PKTINFO && HAVE_RECVMSG */
 }
+#endif /* AF_INET6 && IPV6_PKTINFO && HAVE_RECVMSG */
 
 void
 comm_point_udp_callback(int fd, short event, void* arg)
@@ -1665,7 +1672,13 @@ ssl_handshake(struct comm_point* c)
 		} else {
 			unsigned long err = ERR_get_error();
 			if(!squelch_err_ssl_handshake(err)) {
-				log_crypto_err_code("ssl handshake failed", err);
+				long vr;
+				log_crypto_err_io_code("ssl handshake failed",
+					want, err);
+				if((vr=SSL_get_verify_result(c->ssl)) != 0)
+					log_err("ssl handshake cert error: %s",
+						X509_verify_cert_error_string(
+						vr));
 				log_addr(VERB_OPS, "ssl handshake failed",
 					&c->repinfo.remote_addr,
 					c->repinfo.remote_addrlen);
@@ -1740,6 +1753,9 @@ ssl_handshake(struct comm_point* c)
 			/* connection upgraded to HTTP2 */
 			c->tcp_do_toggle_rw = 0;
 			c->use_h2 = 1;
+		} else {
+			verbose(VERB_ALGO, "client doesn't support HTTP/2");
+			return 0;
 		}
 	}
 #endif
@@ -1815,23 +1831,30 @@ ssl_handle_read(struct comm_point* c)
 								strerror(errno));
 						return 0;
 					}
-					log_crypto_err("could not SSL_read");
+					log_crypto_err_io("could not SSL_read",
+						want);
 					return 0;
 				}
 				c->tcp_byte_count += r;
+				sldns_buffer_skip(c->buffer, r);
 				if(c->tcp_byte_count != current_read_size) return 1;
 				c->pp2_header_state = pp2_header_init;
 			}
 		}
 		if(c->pp2_header_state == pp2_header_init) {
-			header = pp2_read_header(c->buffer);
+			int err;
-			if(!header) {
+			err = pp2_read_header(
+				sldns_buffer_begin(c->buffer),
+				sldns_buffer_limit(c->buffer));
+			if(err) {
 				log_err("proxy_protocol: could not parse "
-					"PROXYv2 header");
+					"PROXYv2 header (%s)",
+					pp_lookup_error(err));
 				return 0;
 			}
+			header = (struct pp2_header*)sldns_buffer_begin(c->buffer);
 			want_read_size = ntohs(header->len);
-			if(sldns_buffer_remaining(c->buffer) <
+			if(sldns_buffer_limit(c->buffer) <
 				PP2_HEADER_SIZE + want_read_size) {
 				log_err_addr("proxy_protocol: not enough "
 					"buffer size to read PROXYv2 header", "",
@@ -1876,10 +1899,12 @@ ssl_handle_read(struct comm_point* c)
 								strerror(errno));
 						return 0;
 					}
-					log_crypto_err("could not SSL_read");
+					log_crypto_err_io("could not SSL_read",
+						want);
 					return 0;
 				}
 				c->tcp_byte_count += r;
+				sldns_buffer_skip(c->buffer, r);
 				if(c->tcp_byte_count != current_read_size) return 1;
 				c->pp2_header_state = pp2_header_done;
 			}
@@ -1890,6 +1915,7 @@ ssl_handle_read(struct comm_point* c)
 				c->repinfo.remote_addrlen);
 			return 0;
 		}
+		sldns_buffer_flip(c->buffer);
 		if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) {
 			log_err_addr("proxy_protocol: could not consume "
 				"PROXYv2 header", "", &c->repinfo.remote_addr,
@@ -1934,7 +1960,7 @@ ssl_handle_read(struct comm_point* c)
 						strerror(errno));
 				return 0;
 			}
-			log_crypto_err("could not SSL_read");
+			log_crypto_err_io("could not SSL_read", want);
 			return 0;
 		}
 		c->tcp_byte_count += r;
@@ -1984,7 +2010,7 @@ ssl_handle_read(struct comm_point* c)
 						strerror(errno));
 				return 0;
 			}
-			log_crypto_err("could not SSL_read");
+			log_crypto_err_io("could not SSL_read", want);
 			return 0;
 		}
 		sldns_buffer_skip(c->buffer, (ssize_t)r);
@@ -2075,7 +2101,7 @@ ssl_handle_write(struct comm_point* c)
 						strerror(errno));
 				return 0;
 			}
-			log_crypto_err("could not SSL_write");
+			log_crypto_err_io("could not SSL_write", want);
 			return 0;
 		}
 		if(c->tcp_write_and_read) {
@@ -2127,7 +2153,7 @@ ssl_handle_write(struct comm_point* c)
 					strerror(errno));
 			return 0;
 		}
-		log_crypto_err("could not SSL_write");
+		log_crypto_err_io("could not SSL_write", want);
 		return 0;
 	}
 	if(c->tcp_write_and_read) {
@@ -2211,19 +2237,25 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
 					goto recv_error_initial;
 				}
 				c->tcp_byte_count += r;
+				sldns_buffer_skip(c->buffer, r);
 				if(c->tcp_byte_count != current_read_size) return 1;
 				c->pp2_header_state = pp2_header_init;
 			}
 		}
 		if(c->pp2_header_state == pp2_header_init) {
-			header = pp2_read_header(c->buffer);
+			int err;
-			if(!header) {
+			err = pp2_read_header(
+				sldns_buffer_begin(c->buffer),
+				sldns_buffer_limit(c->buffer));
+			if(err) {
 				log_err("proxy_protocol: could not parse "
-					"PROXYv2 header");
+					"PROXYv2 header (%s)",
+					pp_lookup_error(err));
 				return 0;
 			}
+			header = (struct pp2_header*)sldns_buffer_begin(c->buffer);
 			want_read_size = ntohs(header->len);
-			if(sldns_buffer_remaining(c->buffer) <
+			if(sldns_buffer_limit(c->buffer) <
 				PP2_HEADER_SIZE + want_read_size) {
 				log_err_addr("proxy_protocol: not enough "
 					"buffer size to read PROXYv2 header", "",
@@ -2250,6 +2282,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
 					goto recv_error;
 				}
 				c->tcp_byte_count += r;
+				sldns_buffer_skip(c->buffer, r);
 				if(c->tcp_byte_count != current_read_size) return 1;
 				c->pp2_header_state = pp2_header_done;
 			}
@@ -2260,6 +2293,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
 				c->repinfo.remote_addrlen);
 			return 0;
 		}
+		sldns_buffer_flip(c->buffer);
 		if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) {
 			log_err_addr("proxy_protocol: could not consume "
 				"PROXYv2 header", "", &c->repinfo.remote_addr,
@@ -2913,7 +2947,7 @@ ssl_http_read_more(struct comm_point* c)
 					strerror(errno));
 			return 0;
 		}
-		log_crypto_err("could not SSL_read");
+		log_crypto_err_io("could not SSL_read", want);
 		return 0;
 	}
 	verbose(VERB_ALGO, "ssl http read more skip to %d + %d",
@@ -3364,7 +3398,7 @@ ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session), uint8_t* buf,
 						strerror(errno));
 				return NGHTTP2_ERR_CALLBACK_FAILURE;
 			}
-			log_crypto_err("could not SSL_read");
+			log_crypto_err_io("could not SSL_read", want);
 			return NGHTTP2_ERR_CALLBACK_FAILURE;
 		}
 		return r;
@@ -3619,7 +3653,7 @@ ssl_http_write_more(struct comm_point* c)
 					strerror(errno));
 			return 0;
 		}
-		log_crypto_err("could not SSL_write");
+		log_crypto_err_io("could not SSL_write", want);
 		return 0;
 	}
 	sldns_buffer_skip(c->buffer, (ssize_t)r);
@@ -3692,7 +3726,7 @@ ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session), const uint8_t* buf,
 						strerror(errno));
 				return NGHTTP2_ERR_CALLBACK_FAILURE;
 			}
-			log_crypto_err("could not SSL_write");
+			log_crypto_err_io("could not SSL_write", want);
 			return NGHTTP2_ERR_CALLBACK_FAILURE;
 		}
 		return r;
@@ -3958,11 +3992,7 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer,
 	evbits = UB_EV_READ | UB_EV_PERSIST;
 	/* ub_event stuff */
 	c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits,
-#ifdef USE_WINSOCK
 		comm_point_udp_callback, c);
-#else
-		comm_point_udp_ancil_callback, c);
-#endif
 	if(c->ev->ev == NULL) {
 		log_err("could not baseset udp event");
 		comm_point_delete(c);
@@ -3977,6 +4007,7 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer,
 	return c;
 }
 
+#if defined(AF_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_RECVMSG)
 struct comm_point*
 comm_point_create_udp_ancil(struct comm_base *base, int fd,
 	sldns_buffer* buffer, int pp2_enabled,
@@ -4039,6 +4070,7 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd,
 	c->event_added = 1;
 	return c;
 }
+#endif
 
 static struct comm_point*
 comm_point_create_tcp_handler(struct comm_base *base,
@@ -4742,7 +4774,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
 		if(repinfo->c->dtenv != NULL && repinfo->c->dtenv->log_client_response_messages) {
 			log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
 			log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
-			dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer);
+			dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->ssl, repinfo->c->buffer);
 		}
 #endif
 	} else {
@@ -4753,7 +4785,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
 		if(repinfo->c->tcp_parent->dtenv != NULL && repinfo->c->tcp_parent->dtenv->log_client_response_messages) {
 			log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
 			log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
-			dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type,
+			dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->ssl,
 				( repinfo->c->tcp_req_info? repinfo->c->tcp_req_info->spool_buffer: repinfo->c->buffer ));
 		}
 #endif

sbin/unwind/libunbound/util/proxy_protocol.c

@@ -38,102 +38,162 @@
  *
  * This file contains PROXY protocol functions.
  */
-#include "config.h"
-#include "util/log.h"
 #include "util/proxy_protocol.h"
 
-int
+/**
-pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src,
+ * Internal struct initialized with function pointers for writing uint16 and
+ * uint32.
+ */
+struct proxy_protocol_data {
+	void (*write_uint16)(void* buf, uint16_t data);
+	void (*write_uint32)(void* buf, uint32_t data);
+};
+struct proxy_protocol_data pp_data;
+
+/**
+ * Internal lookup table; could be further generic like sldns_lookup_table
+ * for all the future generic stuff.
+ */
+struct proxy_protocol_lookup_table {
+	int id;
+	const char *text;
+};
+
+/**
+ * Internal parsing error text; could be exposed with pp_lookup_error.
+ */
+static struct proxy_protocol_lookup_table pp_parse_errors_data[] = {
+	{ PP_PARSE_NOERROR, "no parse error" },
+	{ PP_PARSE_SIZE, "not enough space for header" },
+	{ PP_PARSE_WRONG_HEADERv2, "could not match PROXYv2 header" },
+	{ PP_PARSE_UNKNOWN_CMD, "unknown command" },
+	{ PP_PARSE_UNKNOWN_FAM_PROT, "unknown family and protocol" },
+};
+
+void
+pp_init(void (*write_uint16)(void* buf, uint16_t data),
+	void (*write_uint32)(void* buf, uint32_t data)) {
+	pp_data.write_uint16 = write_uint16;
+	pp_data.write_uint32 = write_uint32;
+}
+
+const char*
+pp_lookup_error(enum pp_parse_errors error) {
+	return pp_parse_errors_data[error].text;
+}
+
+size_t
+pp2_write_to_buf(uint8_t* buf, size_t buflen,
+#ifdef INET6
+	struct sockaddr_storage* src,
+#else
+	struct sockaddr_in* src,
+#endif
 	int stream)
 {
 	int af;
+	size_t expected_size;
 	if(!src) return 0;
 	af = (int)((struct sockaddr_in*)src)->sin_family;
-	if(sldns_buffer_remaining(buf) <
+	expected_size = PP2_HEADER_SIZE + (af==AF_INET?12:36);
-		PP2_HEADER_SIZE + (af==AF_INET?12:36)) {
+	if(buflen < expected_size) {
 		return 0;
 	}
 	/* sig */
-	sldns_buffer_write(buf, PP2_SIG, PP2_SIG_LEN);
+	memcpy(buf, PP2_SIG, PP2_SIG_LEN);
+	buf += PP2_SIG_LEN;
 	/* version and command */
-	sldns_buffer_write_u8(buf, (PP2_VERSION << 4) | PP2_CMD_PROXY);
+	*buf = (PP2_VERSION << 4) | PP2_CMD_PROXY;
-	if(af==AF_INET) {
+	buf++;
+	switch(af) {
+	case AF_INET:
 		/* family and protocol */
-		sldns_buffer_write_u8(buf,
+		*buf = (PP2_AF_INET<<4) |
-			(PP2_AF_INET<<4) |
+			(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM);
-			(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM));
+		buf++;
 		/* length */
-		sldns_buffer_write_u16(buf, 12);
+		(*pp_data.write_uint16)(buf, 12);
+		buf += 2;
 		/* src addr */
-		sldns_buffer_write(buf,
+		memcpy(buf,
 			&((struct sockaddr_in*)src)->sin_addr.s_addr, 4);
+		buf += 4;
 		/* dst addr */
-		sldns_buffer_write_u32(buf, 0);
+		(*pp_data.write_uint32)(buf, 0);
+		buf += 4;
 		/* src port */
-		sldns_buffer_write(buf,
+		memcpy(buf,
 			&((struct sockaddr_in*)src)->sin_port, 2);
-		/* dst port */
+		buf += 2;
-		sldns_buffer_write_u16(buf, 0);
-	} else {
-		/* family and protocol */
-		sldns_buffer_write_u8(buf,
-			(PP2_AF_INET6<<4) |
-			(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM));
-		/* length */
-		sldns_buffer_write_u16(buf, 36);
-		/* src addr */
-		sldns_buffer_write(buf,
-			&((struct sockaddr_in6*)src)->sin6_addr, 16);
 		/* dst addr */
-		sldns_buffer_set_at(buf,
-			sldns_buffer_position(buf), 0, 16);
-		sldns_buffer_skip(buf, 16);
-		/* src port */
-		sldns_buffer_write(buf,
-			&((struct sockaddr_in6*)src)->sin6_port, 2);
 		/* dst port */
-		sldns_buffer_write_u16(buf, 0);
+		(*pp_data.write_uint16)(buf, 12);
+		break;
+#ifdef INET6
+	case AF_INET6:
+		/* family and protocol */
+		*buf = (PP2_AF_INET6<<4) |
+			(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM);
+		buf++;
+		/* length */
+		(*pp_data.write_uint16)(buf, 36);
+		buf += 2;
+		/* src addr */
+		memcpy(buf,
+			&((struct sockaddr_in6*)src)->sin6_addr, 16);
+		buf += 16;
+		/* dst addr */
+		memset(buf, 0, 16);
+		buf += 16;
+		/* src port */
+		memcpy(buf, &((struct sockaddr_in6*)src)->sin6_port, 2);
+		buf += 2;
+		/* dst port */
+		(*pp_data.write_uint16)(buf, 0);
+		break;
+#endif /* INET6 */
+	case AF_UNIX:
+		/* fallthrough */
+	default:
+		return 0;
 	}
-	return 1;
+	return expected_size;
 }
 
-struct pp2_header*
+int
-pp2_read_header(struct sldns_buffer* buf)
+pp2_read_header(uint8_t* buf, size_t buflen)
 {
 	size_t size;
-	struct pp2_header* header = (struct pp2_header*)sldns_buffer_begin(buf);
+	struct pp2_header* header = (struct pp2_header*)buf;
 	/* Try to fail all the unsupported cases first. */
-	if(sldns_buffer_remaining(buf) < PP2_HEADER_SIZE) {
+	if(buflen < PP2_HEADER_SIZE) {
-		log_err("proxy_protocol: not enough space for header");
+		return PP_PARSE_SIZE;
-		return NULL;
 	}
 	/* Check for PROXYv2 header */
 	if(memcmp(header, PP2_SIG, PP2_SIG_LEN) != 0 ||
 		((header->ver_cmd & 0xF0)>>4) != PP2_VERSION) {
-		log_err("proxy_protocol: could not match PROXYv2 header");
+		return PP_PARSE_WRONG_HEADERv2;
-		return NULL;
 	}
 	/* Check the length */
 	size = PP2_HEADER_SIZE + ntohs(header->len);
-	if(sldns_buffer_remaining(buf) < size) {
+	if(buflen < size) {
-		log_err("proxy_protocol: not enough space for header");
+		return PP_PARSE_SIZE;
-		return NULL;
 	}
 	/* Check for supported commands */
 	if((header->ver_cmd & 0xF) != PP2_CMD_LOCAL &&
 		(header->ver_cmd & 0xF) != PP2_CMD_PROXY) {
-		log_err("proxy_protocol: unsupported command");
+		return PP_PARSE_UNKNOWN_CMD;
-		return NULL;
 	}
 	/* Check for supported family and protocol */
-	if(header->fam_prot != 0x00 /* AF_UNSPEC|UNSPEC */ &&
+	if(header->fam_prot != PP2_UNSPEC_UNSPEC &&
-		header->fam_prot != 0x11 /* AF_INET|STREAM */ &&
+		header->fam_prot != PP2_INET_STREAM &&
-		header->fam_prot != 0x12 /* AF_INET|DGRAM */ &&
+		header->fam_prot != PP2_INET_DGRAM &&
-		header->fam_prot != 0x21 /* AF_INET6|STREAM */ &&
+		header->fam_prot != PP2_INET6_STREAM &&
-		header->fam_prot != 0x22 /* AF_INET6|DGRAM */) {
+		header->fam_prot != PP2_INET6_DGRAM &&
-		log_err("proxy_protocol: unsupported family and protocol");
+		header->fam_prot != PP2_UNIX_STREAM &&
-		return NULL;
+		header->fam_prot != PP2_UNIX_DGRAM) {
+		return PP_PARSE_UNKNOWN_FAM_PROT;
 	}
 	/* We have a correct header */
-	return header;
+	return PP_PARSE_NOERROR;
 }

sbin/unwind/libunbound/util/proxy_protocol.h

@@ -42,7 +42,7 @@
 #ifndef PROXY_PROTOCOL_H
 #define PROXY_PROTOCOL_H
 
-#include "sldns/sbuffer.h"
+#include "config.h"
 
 /** PROXYv2 minimum header size */
 #define PP2_HEADER_SIZE 16
@@ -51,11 +51,11 @@
 #define PP2_SIG "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"
 #define PP2_SIG_LEN 12
 
-/** PROXYv2 version */
+/** PROXYv2 version (protocol value) */
 #define PP2_VERSION 0x2
 
 /**
- * PROXYv2 command.
+ * PROXYv2 command (protocol value).
  */
 enum pp2_command {
 	PP2_CMD_LOCAL = 0x0,
@@ -63,7 +63,7 @@ enum pp2_command {
 };
 
 /**
- * PROXYv2 address family.
+ * PROXYv2 address family (protocol value).
  */
 enum pp2_af {
 	PP2_AF_UNSPEC = 0x0,
@@ -73,7 +73,7 @@ enum pp2_af {
 };
 
 /**
- * PROXYv2 protocol.
+ * PROXYv2 protocol (protocol value).
  */
 enum pp2_protocol {
 	PP2_PROT_UNSPEC = 0x0,
@@ -81,6 +81,19 @@ enum pp2_protocol {
 	PP2_PROT_DGRAM = 0x2
 };
 
+/**
+ * Expected combinations of address family and protocol values used in checks.
+ */
+enum pp2_af_protocol_combination {
+	PP2_UNSPEC_UNSPEC = (PP2_AF_UNSPEC<<4)|PP2_PROT_UNSPEC,
+	PP2_INET_STREAM = (PP2_AF_INET<<4)|PP2_PROT_STREAM,
+	PP2_INET_DGRAM = (PP2_AF_INET<<4)|PP2_PROT_DGRAM,
+	PP2_INET6_STREAM = (PP2_AF_INET6<<4)|PP2_PROT_STREAM,
+	PP2_INET6_DGRAM = (PP2_AF_INET6<<4)|PP2_PROT_DGRAM,
+	PP2_UNIX_STREAM = (PP2_AF_UNIX<<4)|PP2_PROT_STREAM,
+	PP2_UNIX_DGRAM = (PP2_AF_UNIX<<4)|PP2_PROT_DGRAM
+};
+
 /**
  * PROXYv2 header.
  */
@@ -109,23 +122,56 @@ struct pp2_header {
 	} addr;
 };
 
+/**
+ * PROXY parse errors.
+ */
+enum pp_parse_errors {
+	PP_PARSE_NOERROR = 0,
+	PP_PARSE_SIZE,
+	PP_PARSE_WRONG_HEADERv2,
+	PP_PARSE_UNKNOWN_CMD,
+	PP_PARSE_UNKNOWN_FAM_PROT,
+};
+
+/**
+ * Initialize the internal proxy structure.
+ * @param write_uint16: pointer to a function that can write uint16.
+ * @param write_uint32: pointer to a function that can write uint32.
+ */
+void pp_init(void (*write_uint16)(void* buf, uint16_t data),
+	void (*write_uint32)(void* buf, uint32_t data));
+
+/**
+ * Lookup the parsing error description.
+ * @param error: parsing error from pp2_read_header.
+ * @return the description.
+ */
+const char* pp_lookup_error(enum pp_parse_errors error);
+
 /**
  * Write a PROXYv2 header at the current position of the buffer.
- * @param buf: the buffer to write to.
+ * @param buf: pointer to the buffer to write data to.
+ * @param buflen: available size on the buffer.
  * @param src: the source address.
  * @param stream: if the protocol is stream or datagram.
  * @return 1 on success, 0 on failure.
  */
-int pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src,
+size_t pp2_write_to_buf(uint8_t* buf, size_t buflen,
+#ifdef INET6
+	struct sockaddr_storage* src,
+#else
+	struct sockaddr_in* src,
+#endif
 	int stream);
 
 /**
  * Read a PROXYv2 header from the current position of the buffer.
  * It does initial validation and returns a pointer to the buffer position on
  * success.
- * @param buf: the buffer to read from.
+ * @param buf: pointer to the buffer data to read from.
- * @return the pointer to the buffer position on success, NULL on error.
+ * @param buflen: available size on the buffer.
+ * @return parsing error, 0 on success.
  */
-struct pp2_header* pp2_read_header(struct sldns_buffer* buf);
+int pp2_read_header(uint8_t* buf, size_t buflen);
 
 #endif /* PROXY_PROTOCOL_H */

sbin/unwind/libunbound/validator/autotrust.c

@@ -353,17 +353,21 @@ autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len,
 
 	lock_basic_lock(&anchors->lock);
 	if(!rbtree_insert(anchors->tree, &tp->node)) {
+		char buf[LDNS_MAX_DOMAINLEN+1];
 		lock_basic_unlock(&anchors->lock);
-		log_err("trust anchor presented twice");
+		dname_str(tp->name, buf);
+		log_err("trust anchor for '%s' presented twice", buf);
 		free(tp->name);
 		free(tp->autr);
 		free(tp);
 		return NULL;
 	}
 	if(!rbtree_insert(&anchors->autr->probe, &tp->autr->pnode)) {
+		char buf[LDNS_MAX_DOMAINLEN+1];
 		(void)rbtree_delete(anchors->tree, tp);
 		lock_basic_unlock(&anchors->lock);
-		log_err("trust anchor in probetree twice");
+		dname_str(tp->name, buf);
+		log_err("trust anchor for '%s' in probetree twice", buf);
 		free(tp->name);
 		free(tp->autr);
 		free(tp);

sbin/unwind/libunbound/validator/val_anchor.c

@@ -1322,3 +1322,24 @@ anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
 	free(taglist);
 	return 0;
 }
+
+struct trust_anchor*
+anchors_find_any_noninsecure(struct val_anchors* anchors)
+{
+	struct trust_anchor* ta, *next;
+	lock_basic_lock(&anchors->lock);
+	ta=(struct trust_anchor*)rbtree_first(anchors->tree);
+	while((rbnode_type*)ta != RBTREE_NULL) {
+		next = (struct trust_anchor*)rbtree_next(&ta->node);
+		lock_basic_lock(&ta->lock);
+		if(ta->numDS != 0 || ta->numDNSKEY != 0) {
+			/* not an insecurepoint */
+			lock_basic_unlock(&anchors->lock);
+			return ta;
+		}
+		lock_basic_unlock(&ta->lock);
+		ta = next;
+	}
+	lock_basic_unlock(&anchors->lock);
+	return NULL;
+}

sbin/unwind/libunbound/validator/val_anchor.h

@@ -240,4 +240,12 @@ size_t anchor_list_keytags(struct trust_anchor* ta, uint16_t* list, size_t num);
 int anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
 	size_t namelen, uint16_t dclass, uint16_t keytag);
 
+/**
+ * Find an anchor that is not an insecure point, if any, or there are no
+ * DNSSEC verification anchors if none.
+ * @param anchors: anchor storage
+ * @return trust anchor or NULL. It is locked.
+ */
+struct trust_anchor* anchors_find_any_noninsecure(struct val_anchors* anchors);
+
 #endif /* VALIDATOR_VAL_ANCHOR_H */

sbin/unwind/libunbound/validator/val_sigcrypt.c

@@ -748,7 +748,6 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
 			return sec_status_bogus;
 		}
 	}
-	verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
 	if(!numchecked) {
 		*reason = "signature for expected key and algorithm missing";
 		if(reason_bogus)
@@ -761,6 +760,7 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
 		*reason = "algorithm refused by cryptolib";
 		return sec_status_indeterminate;
 	}
+	verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
 	return sec_status_bogus;
 }
 

sbin/unwind/libunbound/validator/val_utils.c

@@ -424,11 +424,13 @@ static enum sec_status
 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key* dnskey_rrset,
         struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
-	sldns_ede_code *reason_bogus, struct module_qstate* qstate)
+	sldns_ede_code *reason_bogus, struct module_qstate* qstate,
+	int *nonechecked)
 {
 	enum sec_status sec = sec_status_bogus;
 	size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
 	num = rrset_get_count(dnskey_rrset);
+	*nonechecked = 0;
 	for(i=0; i<num; i++) {
 		/* Skip DNSKEYs that don't match the basic criteria. */
 		if(ds_get_key_algo(ds_rrset, ds_idx)
@@ -476,13 +478,15 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
 		/* there is a working DS, but that DNSKEY is not supported */
 		return sec_status_insecure;
 	}
-	if(numchecked == 0)
+	if(numchecked == 0) {
 		algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
 			reason, "no keys have a DS");
-	else if(numhashok == 0)
+		*nonechecked = 1;
+	} else if(numhashok == 0) {
 		*reason = "DS hash mismatches key";
-	else if(!*reason)
+	} else if(!*reason) {
 		*reason = "keyset not secured by DNSKEY that matches DS";
+	}
 	return sec_status_bogus;
 }
 
@@ -511,7 +515,8 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 {
 	/* as long as this is false, we can consider this DS rrset to be
 	 * equivalent to no DS rrset. */
-	int has_useful_ds = 0, digest_algo, alg;
+	int has_useful_ds = 0, digest_algo, alg, has_algo_refusal = 0,
+		nonechecked, has_checked_ds = 0;
 	struct algo_needs needs;
 	size_t i, num;
 	enum sec_status sec;
@@ -544,9 +549,16 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 		}
 
 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
-			ds_rrset, i, reason, reason_bogus, qstate);
+			ds_rrset, i, reason, reason_bogus, qstate,
-		if(sec == sec_status_insecure)
+			&nonechecked);
+		if(sec == sec_status_insecure) {
+			/* DNSKEY too large unsupported or algo refused by
+			 * crypto lib. */
+			has_algo_refusal = 1;
 			continue;
+		}
+		if(!nonechecked)
+			has_checked_ds = 1;
 
 		/* Once we see a single DS with a known digestID and
 		 * algorithm, we cannot return INSECURE (with a
@@ -571,6 +583,15 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 
 	/* None of the DS's worked out. */
 
+	/* If none of the DSes have been checked, eg. that means no matches
+	 * for keytags, and the other dses are all algo_refusal, it is an
+	 * insecure delegation point, since the only matched DS records
+	 * have an algo refusal, or are unsupported. */
+	if(has_algo_refusal && !has_checked_ds) {
+		verbose(VERB_ALGO, "No supported DS records were found -- "
+			"treating as insecure.");
+		return sec_status_insecure;
+	}
 	/* If no DSs were understandable, then this is OK. */
 	if(!has_useful_ds) {
 		verbose(VERB_ALGO, "No usable DS records were found -- "
@@ -624,7 +645,8 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 {
 	/* as long as this is false, we can consider this anchor to be
 	 * equivalent to no anchor. */
-	int has_useful_ta = 0, digest_algo = 0, alg;
+	int has_useful_ta = 0, digest_algo = 0, alg, has_algo_refusal = 0,
+		nonechecked, has_checked_ds = 0;
 	struct algo_needs needs;
 	size_t i, num;
 	enum sec_status sec;
@@ -670,9 +692,13 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 			continue;
 
 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
-			ta_ds, i, reason, reason_bogus, qstate);
+			ta_ds, i, reason, reason_bogus, qstate, &nonechecked);
-		if(sec == sec_status_insecure)
+		if(sec == sec_status_insecure) {
+			has_algo_refusal = 1;
 			continue;
+		}
+		if(!nonechecked)
+			has_checked_ds = 1;
 
 		/* Once we see a single DS with a known digestID and
 		 * algorithm, we cannot return INSECURE (with a
@@ -728,6 +754,15 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 	    }
 	}
 
+	/* If none of the DSes have been checked, eg. that means no matches
+	 * for keytags, and the other dses are all algo_refusal, it is an
+	 * insecure delegation point, since the only matched DS records
+	 * have an algo refusal, or are unsupported. */
+	if(has_algo_refusal && !has_checked_ds) {
+		verbose(VERB_ALGO, "No supported trust anchors were found -- "
+			"treating as insecure.");
+		return sec_status_insecure;
+	}
 	/* If no DSs were understandable, then this is OK. */
 	if(!has_useful_ta) {
 		verbose(VERB_ALGO, "No usable trust anchors were found -- "

sbin/unwind/libunbound/validator/validator.c

@@ -205,6 +205,17 @@ val_init(struct module_env* env, int id)
 		log_err("validator: could not apply configuration settings.");
 		return 0;
 	}
+	if(env->cfg->disable_edns_do) {
+		struct trust_anchor* anchor = anchors_find_any_noninsecure(
+			env->anchors);
+		if(anchor) {
+			char b[LDNS_MAX_DOMAINLEN+2];
+			dname_str(anchor->name, b);
+			log_warn("validator: disable-edns-do is enabled, but there is a trust anchor for '%s'. Since DNSSEC could not work, the disable-edns-do setting is turned off. Continuing without it.", b);
+			lock_basic_unlock(&anchor->lock);
+			env->cfg->disable_edns_do = 0;
+		}
+	}
 
 	return 1;
 }
@@ -2999,6 +3010,8 @@ return_bogus:
  * @param msg: result message (if rcode is OK).
  * @param qinfo: from the sub query state, query info.
  * @param origin: the origin of msg.
+ * @param suspend: returned true if the task takes too long and needs to
+ * 	suspend to continue the effort later.
  */
 static void
 process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,

sys/arch/amd64/amd64/vmm_machdep.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: vmm_machdep.c,v 1.23 2024/04/09 21:55:16 dv Exp $ */
+/* $OpenBSD: vmm_machdep.c,v 1.24 2024/04/13 21:57:22 dv Exp $ */
 /*
  * Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -941,6 +941,7 @@ vmx_pmap_find_pte_ept(pmap_t pmap, paddr_t addr)
 int
 vmm_start(void)
 {
+	int rv = 0;
 	struct cpu_info *self = curcpu();
 #ifdef MULTIPROCESSOR
 	struct cpu_info *ci;
@@ -950,16 +951,19 @@ vmm_start(void)
 #endif /* MP_LOCKDEBUG */
 #endif /* MULTIPROCESSOR */
 
+	rw_enter_write(&vmm_softc->sc_slock);
+
 	/* VMM is already running */
 	if (self->ci_flags & CPUF_VMM)
-		return (0);
+		goto unlock;
 
 	/* Start VMM on this CPU */
 	start_vmm_on_cpu(self);
 	if (!(self->ci_flags & CPUF_VMM)) {
 		printf("%s: failed to enter VMM mode\n",
 			self->ci_dev->dv_xname);
-		return (EIO);
+		rv = EIO;
+		goto unlock;
 	}
 
 #ifdef MULTIPROCESSOR
@@ -984,8 +988,9 @@ vmm_start(void)
 		}
 	}
 #endif /* MULTIPROCESSOR */
-
+unlock:
-	return (0);
+	rw_exit_write(&vmm_softc->sc_slock);
+	return (rv);
 }
 
 /*
@@ -996,6 +1001,7 @@ vmm_start(void)
 int
 vmm_stop(void)
 {
+	int rv = 0;
 	struct cpu_info *self = curcpu();
 #ifdef MULTIPROCESSOR
 	struct cpu_info *ci;
@@ -1005,16 +1011,19 @@ vmm_stop(void)
 #endif /* MP_LOCKDEBUG */
 #endif /* MULTIPROCESSOR */
 
+	rw_enter_write(&vmm_softc->sc_slock);
+
 	/* VMM is not running */
 	if (!(self->ci_flags & CPUF_VMM))
-		return (0);
+		goto unlock;
 
 	/* Stop VMM on this CPU */
 	stop_vmm_on_cpu(self);
 	if (self->ci_flags & CPUF_VMM) {
 		printf("%s: failed to exit VMM mode\n",
 			self->ci_dev->dv_xname);
-		return (EIO);
+		rv = EIO;
+		goto unlock;
 	}
 
 #ifdef MULTIPROCESSOR
@@ -1039,7 +1048,8 @@ vmm_stop(void)
 		}
 	}
 #endif /* MULTIPROCESSOR */
-
+unlock:
+	rw_exit_write(&vmm_softc->sc_slock);
 	return (0);
 }
 

sys/arch/arm64/arm64/cpu.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cpu.c,v 1.113 2024/03/18 21:57:22 kettenis Exp $	*/
+/*	$OpenBSD: cpu.c,v 1.114 2024/04/13 14:19:39 kettenis Exp $	*/
 
 /*
  * Copyright (c) 2016 Dale Rahn <drahn@dalerahn.com>
@@ -278,6 +278,138 @@ void	cpu_kstat_attach(struct cpu_info *ci);
 void	cpu_opp_kstat_attach(struct cpu_info *ci);
 #endif
 
+/*
+ * Enable mitigation for Spectre-V2 branch target injection
+ * vulnerabilities (CVE-2017-5715).
+ */
+void
+cpu_mitigate_spectre_v2(struct cpu_info *ci)
+{
+	uint64_t id;
+
+	/*
+	 * By default we let the firmware decide what mitigation is
+	 * necessary.
+	 */
+	ci->ci_flush_bp = cpu_flush_bp_psci;
+
+	/* Some specific CPUs are known not to be vulnerable. */
+	switch (CPU_IMPL(ci->ci_midr)) {
+	case CPU_IMPL_ARM:
+		switch (CPU_PART(ci->ci_midr)) {
+		case CPU_PART_CORTEX_A35:
+		case CPU_PART_CORTEX_A53:
+		case CPU_PART_CORTEX_A55:
+			/* Not vulnerable. */
+			ci->ci_flush_bp = cpu_flush_bp_noop;
+			break;
+		}
+		break;
+	case CPU_IMPL_QCOM:
+		switch (CPU_PART(ci->ci_midr)) {
+		case CPU_PART_KRYO400_SILVER:
+			/* Not vulnerable. */
+			ci->ci_flush_bp = cpu_flush_bp_noop;
+			break;
+		}
+	}
+
+	/*
+	 * The architecture has been updated to explicitly tell us if
+	 * we're not vulnerable to Spectre-V2.
+	 */
+	id = READ_SPECIALREG(id_aa64pfr0_el1);
+	if (ID_AA64PFR0_CSV2(id) >= ID_AA64PFR0_CSV2_IMPL)
+		ci->ci_flush_bp = cpu_flush_bp_noop;
+}
+
+/*
+ * Enable mitigation for Spectre-BHB branch history injection
+ * vulnerabilities (CVE-2022-23960).
+*/
+void
+cpu_mitigate_spectre_bhb(struct cpu_info *ci)
+{
+	uint64_t id;
+
+	/*
+	 * If we know the CPU, we can add a branchy loop that cleans
+	 * the BHB.
+	 */
+	switch (CPU_IMPL(ci->ci_midr)) {
+	case CPU_IMPL_ARM:
+		switch (CPU_PART(ci->ci_midr)) {
+		case CPU_PART_CORTEX_A57:
+		case CPU_PART_CORTEX_A72:
+			ci->ci_trampoline_vectors =
+			    (vaddr_t)trampoline_vectors_loop_8;
+			break;
+		case CPU_PART_CORTEX_A76:
+		case CPU_PART_CORTEX_A76AE:
+		case CPU_PART_CORTEX_A77:
+		case CPU_PART_NEOVERSE_N1:
+			ci->ci_trampoline_vectors =
+			    (vaddr_t)trampoline_vectors_loop_24;
+			break;
+		case CPU_PART_CORTEX_A78:
+		case CPU_PART_CORTEX_A78AE:
+		case CPU_PART_CORTEX_A78C:
+		case CPU_PART_CORTEX_X1:
+		case CPU_PART_CORTEX_X2:
+		case CPU_PART_CORTEX_A710:
+		case CPU_PART_NEOVERSE_N2:
+		case CPU_PART_NEOVERSE_V1:
+			ci->ci_trampoline_vectors =
+			    (vaddr_t)trampoline_vectors_loop_32;
+			break;
+		}
+		break;
+	case CPU_IMPL_AMPERE:
+		switch (CPU_PART(ci->ci_midr)) {
+		case CPU_PART_AMPERE1:
+			ci->ci_trampoline_vectors =
+			    (vaddr_t)trampoline_vectors_loop_11;
+			break;
+		}
+		break;
+	}
+
+	/*
+	 * If we're not using a loop, let firmware decide.  This also
+	 * covers the original Spectre-V2 in addition to Spectre-BHB.
+	 */
+#if NPSCI > 0
+	if (ci->ci_trampoline_vectors == (vaddr_t)trampoline_vectors_none &&
+	    smccc_needs_arch_workaround_3()) {
+		ci->ci_flush_bp = cpu_flush_bp_noop;
+		if (psci_method() == PSCI_METHOD_HVC)
+			ci->ci_trampoline_vectors =
+			    (vaddr_t)trampoline_vectors_psci_hvc;
+		if (psci_method() == PSCI_METHOD_SMC)
+			ci->ci_trampoline_vectors =
+			    (vaddr_t)trampoline_vectors_psci_smc;
+	}
+#endif
+
+	/* Prefer CLRBHB to mitigate Spectre-BHB. */
+	id = READ_SPECIALREG(id_aa64isar2_el1);
+	if (ID_AA64ISAR2_CLRBHB(id) >= ID_AA64ISAR2_CLRBHB_IMPL)
+		ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_clrbhb;
+
+	/* ECBHB tells us Spectre-BHB is mitigated. */
+	id = READ_SPECIALREG(id_aa64mmfr1_el1);
+	if (ID_AA64MMFR1_ECBHB(id) >= ID_AA64MMFR1_ECBHB_IMPL)
+		ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_none;
+
+	/*
+	 * The architecture has been updated to explicitly tell us if
+	 * we're not vulnerable to Spectre-BHB.
+	 */
+	id = READ_SPECIALREG(id_aa64pfr0_el1);
+	if (ID_AA64PFR0_CSV2(id) >= ID_AA64PFR0_CSV2_HCXT)
+		ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_none;
+}
+
 /*
  * Enable mitigation for Spectre-V4 speculative store bypass
  * vulnerabilities (CVE-2018-3639).
@@ -459,123 +591,8 @@ cpu_identify(struct cpu_info *ci)
 		clidr >>= 3;
 	}
 
-	/*
+	cpu_mitigate_spectre_v2(ci);
-	 * Some ARM processors are vulnerable to branch target
+	cpu_mitigate_spectre_bhb(ci);
-	 * injection attacks (CVE-2017-5715).
-	 */
-	switch (impl) {
-	case CPU_IMPL_ARM:
-		switch (part) {
-		case CPU_PART_CORTEX_A35:
-		case CPU_PART_CORTEX_A53:
-		case CPU_PART_CORTEX_A55:
-			/* Not vulnerable. */
-			ci->ci_flush_bp = cpu_flush_bp_noop;
-			break;
-		default:
-			/*
-			 * Potentially vulnerable; call into the
-			 * firmware and hope we're running on top of
-			 * Arm Trusted Firmware with a fix for
-			 * Security Advisory TFV 6.
-			 */
-			ci->ci_flush_bp = cpu_flush_bp_psci;
-			break;
-		}
-		break;
-	default:
-		/* Not much we can do for an unknown processor.  */
-		ci->ci_flush_bp = cpu_flush_bp_noop;
-		break;
-	}
-
-	/*
-	 * The architecture has been updated to explicitly tell us if
-	 * we're not vulnerable to regular Spectre.
-	 */
-	id = READ_SPECIALREG(id_aa64pfr0_el1);
-	if (ID_AA64PFR0_CSV2(id) >= ID_AA64PFR0_CSV2_IMPL)
-		ci->ci_flush_bp = cpu_flush_bp_noop;
-
-	/*
-	 * But we might still be vulnerable to Spectre-BHB.  If we know the
-	 * CPU, we can add a branchy loop that cleans the BHB.
-	 */
-	switch (impl) {
-	case CPU_IMPL_ARM:
-		switch (part) {
-		case CPU_PART_CORTEX_A57:
-		case CPU_PART_CORTEX_A72:
-			ci->ci_trampoline_vectors =
-			    (vaddr_t)trampoline_vectors_loop_8;
-			break;
-		case CPU_PART_CORTEX_A76:
-		case CPU_PART_CORTEX_A76AE:
-		case CPU_PART_CORTEX_A77:
-		case CPU_PART_NEOVERSE_N1:
-			ci->ci_trampoline_vectors =
-			    (vaddr_t)trampoline_vectors_loop_24;
-			break;
-		case CPU_PART_CORTEX_A78:
-		case CPU_PART_CORTEX_A78AE:
-		case CPU_PART_CORTEX_A78C:
-		case CPU_PART_CORTEX_X1:
-		case CPU_PART_CORTEX_X2:
-		case CPU_PART_CORTEX_A710:
-		case CPU_PART_NEOVERSE_N2:
-		case CPU_PART_NEOVERSE_V1:
-			ci->ci_trampoline_vectors =
-			    (vaddr_t)trampoline_vectors_loop_32;
-			break;
-		}
-		break;
-	case CPU_IMPL_AMPERE:
-		switch (part) {
-		case CPU_PART_AMPERE1:
-			ci->ci_trampoline_vectors =
-			    (vaddr_t)trampoline_vectors_loop_11;
-			break;
-		}
-		break;
-	}
-
-	/*
-	 * If we're not using a loop, try and call into PSCI.  This also
-	 * covers the original Spectre in addition to Spectre-BHB.
-	 */
-#if NPSCI > 0
-	if (ci->ci_trampoline_vectors == (vaddr_t)trampoline_vectors_none &&
-	    smccc_needs_arch_workaround_3()) {
-		ci->ci_flush_bp = cpu_flush_bp_noop;
-		if (psci_method() == PSCI_METHOD_HVC)
-			ci->ci_trampoline_vectors =
-			    (vaddr_t)trampoline_vectors_psci_hvc;
-		if (psci_method() == PSCI_METHOD_SMC)
-			ci->ci_trampoline_vectors =
-			    (vaddr_t)trampoline_vectors_psci_smc;
-	}
-#endif
-
-	/* Prefer CLRBHB to mitigate Spectre-BHB. */
-	id = READ_SPECIALREG(id_aa64isar2_el1);
-	if (ID_AA64ISAR2_CLRBHB(id) >= ID_AA64ISAR2_CLRBHB_IMPL)
-		ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_clrbhb;
-
-	/* ECBHB tells us Spectre-BHB is mitigated. */
-	id = READ_SPECIALREG(id_aa64mmfr1_el1);
-	if (ID_AA64MMFR1_ECBHB(id) >= ID_AA64MMFR1_ECBHB_IMPL)
-		ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_none;
-
-	/*
-	 * The architecture has been updated to explicitly tell us if
-	 * we're not vulnerable.
-	 */
-	id = READ_SPECIALREG(id_aa64pfr0_el1);
-	if (ID_AA64PFR0_CSV2(id) >= ID_AA64PFR0_CSV2_HCXT) {
-		ci->ci_flush_bp = cpu_flush_bp_noop;
-		ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_none;
-	}
-
 	cpu_mitigate_spectre_v4(ci);
 
 	/*

sys/dev/acpi/acpitoshiba.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: acpitoshiba.c,v 1.16 2022/04/06 18:59:27 naddy Exp $ */
+/* $OpenBSD: acpitoshiba.c,v 1.17 2024/04/13 23:44:11 jsg Exp $ */
 /*-
  * Copyright (c) 2003 Hiroyuki Aizu <aizu@navi.org>
  * All rights reserved.
@@ -202,19 +202,18 @@ toshiba_update_brightness(void *arg0, int arg1)
 int
 toshiba_match(struct device *parent, void *match, void *aux)
 {
-      struct acpi_attach_args *aa = aux;
+	struct acpi_attach_args *aa = aux;
-      struct cfdata	      *cf = match;
+	struct cfdata	      *cf = match;
 
-        if (acpi_matchhids(aa, acpitoshiba_hids, cf->cf_driver->cd_name))
+	if (acpi_matchhids(aa, acpitoshiba_hids, cf->cf_driver->cd_name))
-                return (1);
+		return (1);
 
 	if (aa->aaa_name == NULL ||
-	   strcmp(aa->aaa_name, cf->cf_driver->cd_name) != 0 ||
+	    strcmp(aa->aaa_name, cf->cf_driver->cd_name) != 0 ||
-	   aa->aaa_table != NULL)
+	    aa->aaa_table != NULL)
-	      return (0);
+		return (0);
-
-      return (1);
 
+	return (1);
 }
 
 int

sys/dev/acpi/acpivout.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: acpivout.c,v 1.25 2022/04/06 18:59:27 naddy Exp $	*/
+/*	$OpenBSD: acpivout.c,v 1.26 2024/04/13 23:44:11 jsg Exp $	*/
 /*
  * Copyright (c) 2009 Paul Irofti <paul@irofti.net>
  *
@@ -259,7 +259,7 @@ acpivout_get_bcl(struct acpivout_softc *sc)
 		value = aml_val2int(res.v_package[i + 2]);
 		for (j = i; j > 0 && sc->sc_bcl[j - 1] > value; j--)
 			sc->sc_bcl[j] = sc->sc_bcl[j - 1];
-		 sc->sc_bcl[j] = value;
+		sc->sc_bcl[j] = value;
 	}
 
 err:

sys/dev/acpi/dsdt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsdt.c,v 1.265 2024/01/08 19:52:29 kettenis Exp $ */
+/* $OpenBSD: dsdt.c,v 1.266 2024/04/13 23:44:11 jsg Exp $ */
 /*
  * Copyright (c) 2005 Jordan Hargrave <jordan@openbsd.org>
  *
@@ -4249,7 +4249,7 @@ aml_parse(struct aml_scope *scope, int ret_type, const char *stype)
 		/* Name: Nt */
 		rv = opargs[0];
 		aml_freevalue(rv);
-			aml_copyvalue(rv, opargs[1]);
+		aml_copyvalue(rv, opargs[1]);
 		break;
 	case AMLOP_ALIAS:
 		/* Alias: nN */

sys/dev/fdt/psci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: psci.c,v 1.15 2024/03/18 21:57:22 kettenis Exp $	*/
+/*	$OpenBSD: psci.c,v 1.16 2024/04/13 14:20:48 kettenis Exp $	*/
 
 /*
  * Copyright (c) 2016 Jonathan Gray <jsg@openbsd.org>
@@ -212,14 +212,6 @@ psci_flush_bp_smccc_arch_workaround_1(void)
 	(*sc->sc_callfn)(SMCCC_ARCH_WORKAROUND_1, 0, 0, 0);
 }
 
-void
-psci_flush_bp_smccc_arch_workaround_3(void)
-{
-	struct psci_softc *sc = psci_sc;
-
-	(*sc->sc_callfn)(SMCCC_ARCH_WORKAROUND_3, 0, 0, 0);
-}
-
 void
 psci_flush_bp(void)
 {

sys/dev/fdt/pscivar.h

@@ -17,7 +17,6 @@ int32_t	psci_cpu_on(register_t, register_t, register_t);
 int32_t	psci_cpu_off(void);
 int32_t	psci_cpu_suspend(register_t, register_t, register_t);
 void	psci_flush_bp(void);
-int	psci_flush_bp_has_bhb(void);
 int	psci_method(void);
 
 int32_t	smccc(uint32_t, register_t, register_t, register_t);

sys/dev/ic/adw.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: adw.c,v 1.69 2022/04/16 19:19:58 naddy Exp $ */
+/*	$OpenBSD: adw.c,v 1.70 2024/04/13 23:44:11 jsg Exp $ */
 /* $NetBSD: adw.c,v 1.23 2000/05/27 18:24:50 dante Exp $	 */
 
 /*
@@ -449,7 +449,7 @@ adw_attach(ADW_SOFTC *sc)
 	/*
 	 * Zero's the freeze_device status
 	 */
-	 bzero(sc->sc_freeze_dev, sizeof(sc->sc_freeze_dev));
+	bzero(sc->sc_freeze_dev, sizeof(sc->sc_freeze_dev));
 
 	/*
 	 * Initialize the adapter

sys/dev/ic/adwlib.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: adwlib.c,v 1.29 2022/08/29 06:08:03 jsg Exp $ */
+/*	$OpenBSD: adwlib.c,v 1.30 2024/04/13 23:44:11 jsg Exp $ */
 /* $NetBSD: adwlib.c,v 1.20 2000/07/04 04:17:03 itojun Exp $        */
 
 /*
@@ -315,9 +315,9 @@ AdwInitFromEEPROM(ADW_SOFTC *sc)
 					 */
 					lsw_msb |= (ADW_EEPROM_INTAB >> 8)
 							 & 0xFF;
-				 }
+				}
-				 eep_config.cfg_lsw &= 0x00FF;
+				eep_config.cfg_lsw &= 0x00FF;
-				 eep_config.cfg_lsw |= lsw_msb << 8;
+				eep_config.cfg_lsw |= lsw_msb << 8;
 			}
 			break;
 		}

sys/dev/ic/an.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: an.c,v 1.79 2022/04/21 21:03:02 stsp Exp $	*/
+/*	$OpenBSD: an.c,v 1.80 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: an.c,v 1.34 2005/06/20 02:49:18 atatat Exp $	*/
 /*
  * Copyright (c) 1997, 1998, 1999
@@ -905,7 +905,7 @@ an_ioctl(struct ifnet *ifp, u_long command, caddr_t data)
 		if ((error = suser(curproc)) != 0)
 			break;
 		error = an_set_nwkey(sc, (struct ieee80211_nwkey *)data);
-			break;
+		break;
 	case SIOCG80211NWKEY:
 		error = an_get_nwkey(sc, (struct ieee80211_nwkey *)data);
 		break;

sys/dev/ic/bwi.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: bwi.c,v 1.134 2023/11/10 15:51:20 bluhm Exp $	*/
+/*	$OpenBSD: bwi.c,v 1.135 2024/04/13 23:44:11 jsg Exp $	*/
 
 /*
  * Copyright (c) 2007 The DragonFly Project.  All rights reserved.
@@ -6400,7 +6400,7 @@ bwi_led_attach(struct bwi_softc *sc)
 		if (led->l_act == BWI_LED_ACT_BLINK_SLOW ||
 		    led->l_act == BWI_LED_ACT_BLINK_POLL ||
 		    led->l_act == BWI_LED_ACT_BLINK) {
-		    led->l_flags |= BWI_LED_F_BLINK;
+		    	led->l_flags |= BWI_LED_F_BLINK;
 			if (led->l_act == BWI_LED_ACT_BLINK_POLL)
 				led->l_flags |= BWI_LED_F_POLLABLE;
 			else if (led->l_act == BWI_LED_ACT_BLINK_SLOW)

sys/dev/ic/ncr53c9x.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ncr53c9x.c,v 1.81 2024/04/03 18:41:38 miod Exp $	*/
+/*	$OpenBSD: ncr53c9x.c,v 1.82 2024/04/13 23:44:11 jsg Exp $	*/
 /*     $NetBSD: ncr53c9x.c,v 1.56 2000/11/30 14:41:46 thorpej Exp $    */
 
 /*
@@ -2456,7 +2456,7 @@ printf("<<RESELECT CONT'd>>");
 		if (sc->sc_state == NCR_IDLE) {
 			printf("%s: stray interrupt\n",
 			    sc->sc_dev.dv_xname);
-				return (0);
+			return (0);
 		}
 		break;
 

sys/dev/ic/siop.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: siop.c,v 1.89 2022/04/16 19:19:59 naddy Exp $ */
+/*	$OpenBSD: siop.c,v 1.90 2024/04/13 23:44:11 jsg Exp $ */
 /*	$NetBSD: siop.c,v 1.79 2005/11/18 23:10:32 bouyer Exp $	*/
 
 /*
@@ -579,7 +579,7 @@ siop_intr(void *v)
 			 * unexpected disconnect. Usually the target signals
 			 * a fatal condition this way. Attempt to get sense.
 			 */
-			 if (siop_cmd) {
+			if (siop_cmd) {
 				siop_cmd->cmd_tables->status =
 				    siop_htoc32(&sc->sc_c, SCSI_CHECK);
 				goto end;

sys/dev/ic/siop_common.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: siop_common.c,v 1.44 2022/01/09 05:42:42 jsg Exp $ */
+/*	$OpenBSD: siop_common.c,v 1.45 2024/04/13 23:44:11 jsg Exp $ */
 /*	$NetBSD: siop_common.c,v 1.37 2005/02/27 00:27:02 perry Exp $	*/
 
 /*
@@ -281,7 +281,7 @@ siop_setuptables(struct siop_common_cmd *siop_cmd)
 		if ((*targ_flags & TARF_DT) &&
 		    (sc->mode == STEST4_MODE_LVD)) {
 			sc->targets[target]->status = TARST_PPR_NEG;
-			 siop_ppr_msg(siop_cmd, msgoffset, sc->dt_minsync,
+			siop_ppr_msg(siop_cmd, msgoffset, sc->dt_minsync,
 			    sc->maxoff);
 		} else if (*targ_flags & TARF_WIDE) {
 			sc->targets[target]->status = TARST_WIDE_NEG;

sys/dev/isa/ad1848.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ad1848.c,v 1.48 2022/10/28 14:55:46 kn Exp $	*/
+/*	$OpenBSD: ad1848.c,v 1.49 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: ad1848.c,v 1.45 1998/01/30 02:02:38 augustss Exp $	*/
 
 /*
@@ -1244,19 +1244,20 @@ ad1848_set_speed(struct ad1848_softc *sc, u_long *argp)
 	if (arg > speed_table[n - 1].speed)
 		selected = n - 1;
 
-	for (i = 1 /*really*/ ; selected == -1 && i < n; i++)
+	for (i = 1 /*really*/ ; selected == -1 && i < n; i++) {
 		if (speed_table[i].speed == arg)
 			selected = i;
 		else if (speed_table[i].speed > arg) {
 			int diff1, diff2;
 
-		diff1 = arg - speed_table[i - 1].speed;
+			diff1 = arg - speed_table[i - 1].speed;
-		diff2 = speed_table[i].speed - arg;
+			diff2 = speed_table[i].speed - arg;
 
-		if (diff1 < diff2)
+			if (diff1 < diff2)
-			selected = i - 1;
+				selected = i - 1;
-		else
+			else
-			selected = i;
+				selected = i;
+		}
 	}
 
 	if (selected == -1) {

sys/dev/mii/brgphy.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: brgphy.c,v 1.108 2022/04/06 18:59:29 naddy Exp $	*/
+/*	$OpenBSD: brgphy.c,v 1.109 2024/04/13 23:44:11 jsg Exp $	*/
 
 /*
  * Copyright (c) 2000
@@ -836,7 +836,7 @@ brgphy_reset_bge(struct mii_softc *sc)
 	if (bge_sc->bge_phy_flags & BGE_PHY_BER_BUG)
 		brgphy_ber_bug(sc);
 	else if (bge_sc->bge_phy_flags & BGE_PHY_JITTER_BUG) {
-	    PHY_WRITE(sc, BRGPHY_MII_AUXCTL, 0x0c00);
+	    	PHY_WRITE(sc, BRGPHY_MII_AUXCTL, 0x0c00);
 		PHY_WRITE(sc, BRGPHY_MII_DSP_ADDR_REG, 0x000a);
 
 		if (bge_sc->bge_phy_flags & BGE_PHY_ADJUST_TRIM) {
@@ -925,7 +925,7 @@ brgphy_reset_bnx(struct mii_softc *sc)
 			PHY_WRITE(sc, BRGPHY_5708S_PG5_TXACTL3,
 			    bnx_sc->bnx_port_hw_cfg &
 			    BNX_PORT_HW_CFG_CFG_TXCTL3_MASK);
-			    PHY_WRITE(sc, BRGPHY_5708S_BLOCK_ADDR,
+			PHY_WRITE(sc, BRGPHY_5708S_BLOCK_ADDR,
 			    BRGPHY_5708S_DIG_PG0);
 		}
 	} else if (BNX_CHIP_NUM(bnx_sc) == BNX_CHIP_NUM_5709 &&

sys/dev/pci/arc.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: arc.c,v 1.124 2022/09/06 15:22:11 kn Exp $ */
+/*	$OpenBSD: arc.c,v 1.125 2024/04/13 23:44:11 jsg Exp $ */
 
 /*
  * Copyright (c) 2006 David Gwynne <dlg@openbsd.org>
@@ -1409,18 +1409,18 @@ arc_enable_all_intr(struct arc_softc *sc)
 		int_mask &= ~(ARC_RA_INTRMASK_POSTQUEUE |
 			ARC_RA_INTRMASK_DOORBELL | ARC_RA_INTRMASK_MSG0);
 		arc_write(sc, ARC_RA_INTRMASK, int_mask);
-	    break;
+		break;
 	case ARC_HBA_TYPE_C:
 		int_mask = arc_read(sc, ARC_RC_INTR_MASK);
 		int_mask &= ~(ARC_RC_INTR_MASK_POSTQUEUE |
 			ARC_RC_INTR_MASK_DOORBELL | ARC_RC_INTR_MASK_UTILITY_A);
 		arc_write(sc, ARC_RC_INTR_MASK, int_mask);
-	    break;
+		break;
 	case ARC_HBA_TYPE_D:
 		int_mask = arc_read(sc, ARC_RD_INTR_ENABLE);
 		int_mask |= ARC_RD_INTR_ENABLE_ALL;
 		arc_write(sc, ARC_RD_INTR_ENABLE, int_mask);
-	    break;
+		break;
 	}
 }
 

sys/dev/pci/auvia.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: auvia.c,v 1.66 2022/10/26 20:19:08 kn Exp $ */
+/*	$OpenBSD: auvia.c,v 1.67 2024/04/13 23:44:11 jsg Exp $ */
 /*	$NetBSD: auvia.c,v 1.28 2002/11/04 16:38:49 kent Exp $	*/
 
 /*-
@@ -611,7 +611,7 @@ auvia_set_params(void *addr, int setmode, int usemode,
 				if (p->channels == 6
 				    && codec->vtbl->set_rate(codec, reg,
 				    &p->sample_rate))
- 				return (EINVAL);
+ 					return (EINVAL);
 			}
  		}
 

sys/dev/pci/if_em_hw.c

@@ -31,7 +31,7 @@
 
 *******************************************************************************/
 
-/* $OpenBSD: if_em_hw.c,v 1.119 2023/12/03 00:19:25 jsg Exp $ */
+/* $OpenBSD: if_em_hw.c,v 1.120 2024/04/13 23:44:11 jsg Exp $ */
 /*
  * if_em_hw.c Shared functions for accessing and configuring the MAC
  */
@@ -6432,9 +6432,9 @@ em_init_eeprom_params(struct em_hw *hw)
 	case em_pch2lan:
 	case em_pch_lpt:
 		{
-		int32_t         i = 0;
+			int32_t		i = 0;
-		uint32_t        flash_size =
+			uint32_t	flash_size =
-		    E1000_READ_ICH_FLASH_REG(hw, ICH_FLASH_GFPREG);
+			    E1000_READ_ICH_FLASH_REG(hw, ICH_FLASH_GFPREG);
 			eeprom->type = em_eeprom_ich8;
 			eeprom->use_eerd = FALSE;
 			eeprom->use_eewr = FALSE;

sys/dev/pci/if_iwm.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_iwm.c,v 1.414 2024/02/16 11:44:52 stsp Exp $	*/
+/*	$OpenBSD: if_iwm.c,v 1.415 2024/04/13 23:44:11 jsg Exp $	*/
 
 /*
  * Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@@ -8169,7 +8169,7 @@ iwm_rval2ridx(int rval)
 			break;
 	}
 
-       return ridx;
+	return ridx;
 }
 
 void

sys/dev/pci/if_iwx.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_iwx.c,v 1.182 2024/02/26 18:00:09 stsp Exp $	*/
+/*	$OpenBSD: if_iwx.c,v 1.183 2024/04/13 23:44:11 jsg Exp $	*/
 
 /*
  * Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@@ -786,7 +786,7 @@ iwx_alloc_fw_monitor(struct iwx_softc *sc, uint8_t max_power)
 	}
 
 	if (max_power > 26) {
-		 DPRINTF(("%s: External buffer size for monitor is too big %d, "
+		DPRINTF(("%s: External buffer size for monitor is too big %d, "
 		     "check the FW TLV\n", DEVNAME(sc), max_power));
 		return 0;
 	}
@@ -7211,7 +7211,7 @@ iwx_rval2ridx(int rval)
 			break;
 	}
 
-       return ridx;
+	return ridx;
 }
 
 void
@@ -9831,7 +9831,7 @@ iwx_rx_pkt(struct iwx_softc *sc, struct iwx_rx_data *data, struct mbuf_list *ml)
 			 * For v5 and above, we can check the version, for older
 			 * versions we need to check the size.
 			 */
-			 if (iwx_lookup_notif_ver(sc, IWX_LEGACY_GROUP,
+			if (iwx_lookup_notif_ver(sc, IWX_LEGACY_GROUP,
 			    IWX_ALIVE) == 6) {
 				SYNC_RESP_STRUCT(resp6, pkt);
 				if (iwx_rx_packet_payload_len(pkt) !=
@@ -10880,7 +10880,7 @@ iwx_find_device_cfg(struct iwx_softc *sc)
 	cores = IWX_SUBDEVICE_CORES(sdev_id);
 
 	for (i = nitems(iwx_dev_info_table) - 1; i >= 0; i--) {
-		 const struct iwx_dev_info *dev_info = &iwx_dev_info_table[i];
+		const struct iwx_dev_info *dev_info = &iwx_dev_info_table[i];
 
 		if (dev_info->device != (uint16_t)IWX_CFG_ANY &&
 		    dev_info->device != sc->sc_pid)

sys/dev/pci/if_ngbe.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_ngbe.c,v 1.3 2024/04/12 19:27:43 jan Exp $	*/
+/*	$OpenBSD: if_ngbe.c,v 1.4 2024/04/13 23:44:11 jsg Exp $	*/
 
 /*
  * Copyright (c) 2015-2017 Beijing WangXun Technology Co., Ltd.
@@ -2952,7 +2952,7 @@ ngbe_host_interface_command(struct ngbe_softc *sc, uint32_t *buffer,
 
 	if (length == 0 || length > NGBE_HI_MAX_BLOCK_BYTE_LENGTH) {
 		printf("%s: buffer length failure\n", DEVNAME(sc));
-			return EINVAL;
+		return EINVAL;
 	}
 
 	if (hw->mac.ops.acquire_swfw_sync(sc, NGBE_MNG_SWFW_SYNC_SW_MB))
@@ -3706,7 +3706,7 @@ ngbe_reset_hw(struct ngbe_softc *sc)
 	 * mng is using it.  If link is down or the flag to force full link
 	 * reset is set, then perform link reset.
 	 */
-	 if (hw->force_full_reset) {
+	if (hw->force_full_reset) {
 	 	rst_delay = (NGBE_READ_REG(hw, NGBE_MIS_RST_ST) &
 		    NGBE_MIS_RST_ST_RST_INIT) >> NGBE_MIS_RST_ST_RST_INI_SHIFT;
 		if (hw->reset_type == NGBE_SW_RESET) {
@@ -4528,9 +4528,9 @@ ngbe_update_mc_addr_list(struct ngbe_hw *hw, uint8_t *mc_addr_list,
 	if (clear)
 		memset(&hw->mac.mta_shadow, 0, sizeof(hw->mac.mta_shadow));
 
-	 /* Update mta_shadow */
+	/* Update mta_shadow */
-	 for (i = 0; i < mc_addr_count; i++)
+	for (i = 0; i < mc_addr_count; i++)
-	 	ngbe_set_mta(hw, next(hw, &mc_addr_list, &vmdq));
+		ngbe_set_mta(hw, next(hw, &mc_addr_list, &vmdq));
 
 	/* Enable mta */
 	for (i = 0; i < hw->mac.mcft_size; i++)

sys/dev/pci/if_qwx_pci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_qwx_pci.c,v 1.14 2024/02/22 09:15:34 stsp Exp $	*/
+/*	$OpenBSD: if_qwx_pci.c,v 1.15 2024/04/13 23:44:11 jsg Exp $	*/
 
 /*
  * Copyright 2023 Stefan Sperling <stsp@openbsd.org>
@@ -2901,7 +2901,7 @@ qwx_mhi_start(struct qwx_pci_softc *psc)
 #endif
 
 	/* Transition to primary runtime. */
-	 if (MHI_IN_PBL(ee)) {
+	if (MHI_IN_PBL(ee)) {
 		ret = qwx_mhi_fw_load_handler(psc);
 		if (ret)
 			return ret;

sys/dev/pci/if_rge.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_rge.c,v 1.23 2023/12/22 05:28:14 kevlo Exp $	*/
+/*	$OpenBSD: if_rge.c,v 1.24 2024/04/13 23:44:11 jsg Exp $	*/
 
 /*
  * Copyright (c) 2019, 2020, 2023 Kevin Lo <kevlo@openbsd.org>
@@ -1250,7 +1250,7 @@ rge_rxeof(struct rge_queues *q)
 			 * If this is part of a multi-fragment packet,
 			 * discard all the pieces.
 			 */
-			 if (q->q_rx.rge_head != NULL) {
+			if (q->q_rx.rge_head != NULL) {
 				m_freem(q->q_rx.rge_head);
 				q->q_rx.rge_head = q->q_rx.rge_tail = NULL;
 			}

sys/dev/pci/if_sis.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_sis.c,v 1.143 2023/11/10 15:51:20 bluhm Exp $ */
+/*	$OpenBSD: if_sis.c,v 1.144 2024/04/13 23:44:11 jsg Exp $ */
 /*
  * Copyright (c) 1997, 1998, 1999
  *	Bill Paul <wpaul@ctr.columbia.edu>.  All rights reserved.
@@ -1791,7 +1791,7 @@ sis_init(void *xsc)
 	 * This resolves an issue with tons of errors in AcceptPerfectMatch
 	 * (non-IFF_PROMISC) mode.
 	 */
-	 if (sc->sis_type == SIS_TYPE_83815 && sc->sis_srr <= NS_SRR_15D) {
+	if (sc->sis_type == SIS_TYPE_83815 && sc->sis_srr <= NS_SRR_15D) {
 		CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001);
 		CSR_WRITE_4(sc, NS_PHY_CR, 0x189C);
 		/* set val for c2 */

sys/dev/pci/ixgb_hw.c

@@ -31,7 +31,7 @@
 
 *******************************************************************************/
 
-/* $OpenBSD: ixgb_hw.c,v 1.9 2022/01/09 05:42:56 jsg Exp $ */
+/* $OpenBSD: ixgb_hw.c,v 1.10 2024/04/13 23:44:11 jsg Exp $ */
 
 /* ixgb_hw.c
  * Shared functions for accessing and configuring the adapter
@@ -83,14 +83,14 @@ ixgb_mac_reset(struct ixgb_hw *hw)
 {
 	uint32_t ctrl_reg;
 
-    ctrl_reg =  IXGB_CTRL0_RST |
+	ctrl_reg =  IXGB_CTRL0_RST |
-                IXGB_CTRL0_SDP3_DIR |   /* All pins are Output=1 */
+	    IXGB_CTRL0_SDP3_DIR |   /* All pins are Output=1 */
-                IXGB_CTRL0_SDP2_DIR |
+	    IXGB_CTRL0_SDP2_DIR |
-                IXGB_CTRL0_SDP1_DIR |
+	    IXGB_CTRL0_SDP1_DIR |
-                IXGB_CTRL0_SDP0_DIR |
+	    IXGB_CTRL0_SDP0_DIR |
-                IXGB_CTRL0_SDP3     |   /* Initial value 1101   */
+	    IXGB_CTRL0_SDP3     |   /* Initial value 1101   */
-                IXGB_CTRL0_SDP2     |
+	    IXGB_CTRL0_SDP2     |
-                IXGB_CTRL0_SDP0;
+	    IXGB_CTRL0_SDP0;
 
 #ifdef HP_ZX1
 	/* Workaround for 82597EX reset errata */

sys/dev/pci/maestro.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: maestro.c,v 1.50 2022/10/28 15:09:46 kn Exp $	*/
+/*	$OpenBSD: maestro.c,v 1.51 2024/04/13 23:44:11 jsg Exp $	*/
 /* $FreeBSD: /c/ncvs/src/sys/dev/sound/pci/maestro.c,v 1.3 2000/11/21 12:22:11 julian Exp $ */
 /*
  * FreeBSD's ESS Agogo/Maestro driver
@@ -900,7 +900,7 @@ maestro_set_speed(struct maestro_channel *ch, u_long *prate)
 	} else {
 		/* compute 16 bits fixed point value of speed/48000,
 		 * being careful not to overflow */
-		 ch->dv = (((ch->speed % 48000) << 16U) + 24000) / 48000
+		ch->dv = (((ch->speed % 48000) << 16U) + 24000) / 48000
 		    + ((ch->speed / 48000) << 16U);
 		/* And this is the real rate obtained */
 		ch->speed = (ch->dv >> 16U) * 48000 +

sys/dev/pci/pciide.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pciide.c,v 1.363 2022/03/11 18:00:51 mpi Exp $	*/
+/*	$OpenBSD: pciide.c,v 1.364 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: pciide.c,v 1.127 2001/08/03 01:31:08 tsutsui Exp $	*/
 
 /*
@@ -2939,8 +2939,8 @@ piix_setup_channel(struct channel_softc *chp)
 	    (drvp[1].drive_flags & DRIVE_DMA)) {
 		mode[0] = mode[1] =
 		    min(drvp[0].DMA_mode, drvp[1].DMA_mode);
-		    drvp[0].DMA_mode = mode[0];
+		drvp[0].DMA_mode = mode[0];
-		    drvp[1].DMA_mode = mode[1];
+		drvp[1].DMA_mode = mode[1];
 		goto ok;
 	}
 	/*
@@ -4127,7 +4127,7 @@ cmd680_channel_map(struct pci_attach_args *pa, struct pciide_softc *sc,
 		printf("%s %s: "
 		    "cannot allocate channel queue",
 		    sc->sc_wdcdev.sc_dev.dv_xname, cp->name);
-		    return;
+		return;
 	}
 
 	/* XXX */
@@ -7972,9 +7972,9 @@ acard_setup_channel(struct channel_softc *chp)
 				    acard_act_pio[drvp->PIO_mode],
 				    acard_rec_pio[drvp->PIO_mode]);
 			}
-		pci_conf_write(sc->sc_pc, sc->sc_tag, ATP8x0_CTRL,
+			pci_conf_write(sc->sc_pc, sc->sc_tag, ATP8x0_CTRL,
-		    pci_conf_read(sc->sc_pc, sc->sc_tag, ATP8x0_CTRL)
+			    pci_conf_read(sc->sc_pc, sc->sc_tag, ATP8x0_CTRL) |
-		    | ATP8x0_CTRL_EN(channel));
+			    ATP8x0_CTRL_EN(channel));
 		}
 	}
 

sys/dev/pci/qle.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: qle.c,v 1.63 2022/04/16 19:19:59 naddy Exp $ */
+/*	$OpenBSD: qle.c,v 1.64 2024/04/14 00:38:26 jsg Exp $ */
 
 /*
  * Copyright (c) 2013, 2014 Jonathan Matthew <jmatthew@openbsd.org>
@@ -359,7 +359,7 @@ qle_attach(struct device *parent, struct device *self, void *aux)
 
 	pcireg_t bars[] = { QLE_PCI_MEM_BAR, QLE_PCI_IO_BAR };
 	pcireg_t memtype;
-	int r, i, rv, loop_up;
+	int r, i, rv, loop_up = 0;
 
 	sc->sc_pc = pa->pa_pc;
 	sc->sc_tag = pa->pa_tag;

sys/dev/usb/if_umb.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_umb.c,v 1.56 2023/10/24 09:13:22 jmatthew Exp $ */
+/*	$OpenBSD: if_umb.c,v 1.57 2024/04/13 23:44:11 jsg Exp $ */
 
 /*
  * Copyright (c) 2016 genua mbH
@@ -3135,7 +3135,7 @@ umb_intr(struct usbd_xfer *xfer, void *priv, usbd_status status)
 	if (total_len < UCDC_NOTIFICATION_LENGTH) {
 		DPRINTF("%s: short notification (%d<%d)\n", DEVNAM(sc),
 		    total_len, UCDC_NOTIFICATION_LENGTH);
-		    return;
+		return;
 	}
 	if (sc->sc_intr_msg.bmRequestType != UCDC_NOTIFICATION) {
 		DPRINTF("%s: unexpected notification (type=0x%02x)\n",

sys/dev/usb/if_ure.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_ure.c,v 1.33 2023/09/09 14:23:37 kevlo Exp $	*/
+/*	$OpenBSD: if_ure.c,v 1.34 2024/04/13 23:44:11 jsg Exp $	*/
 /*-
  * Copyright (c) 2015, 2016, 2019 Kevin Lo <kevlo@openbsd.org>
  * Copyright (c) 2020 Jonathon Fletcher <jonathon.fletcher@gmail.com>
@@ -2078,7 +2078,7 @@ ure_rxeof(struct usbd_xfer *xfer, void *priv, usbd_status status)
 		if (rxvlan & URE_RXPKT_VLAN_TAG) {
 			m->m_pkthdr.ether_vtag =
 			    swap16(rxvlan & URE_RXPKT_VLAN_DATA);
-			 m->m_flags |= M_VLANTAG;
+			m->m_flags |= M_VLANTAG;
 		}
 #endif
 

sys/dev/wscons/wsdisplay_compat_usl.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: wsdisplay_compat_usl.c,v 1.33 2020/09/03 15:30:17 kettenis Exp $ */
+/* $OpenBSD: wsdisplay_compat_usl.c,v 1.34 2024/04/13 23:44:11 jsg Exp $ */
 /* $NetBSD: wsdisplay_compat_usl.c,v 1.12 2000/03/23 07:01:47 thorpej Exp $ */
 
 /*
@@ -440,9 +440,8 @@ wsdisplay_usl_ioctl2(struct wsdisplay_softc *sc, struct wsscreen *scr,
 #define PCVT_SYSBEEPF	1193182
 			if (d >> 16) {
 				bd.which = WSKBD_BELL_DOPERIOD;
-			bd.period = d >> 16; /* ms */
+				bd.period = d >> 16; /* ms */
-			}
+			} else
-			else
 				bd.which = 0;
 			if (d & 0xffff) {
 				bd.which |= WSKBD_BELL_DOPITCH;

sys/isofs/udf/udf_subr.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: udf_subr.c,v 1.26 2022/09/01 13:45:26 krw Exp $	*/
+/*	$OpenBSD: udf_subr.c,v 1.27 2024/04/13 23:44:11 jsg Exp $	*/
 
 /*
  * Copyright (c) 2006, Miodrag Vallat
@@ -201,7 +201,7 @@ udf_vat_get(struct umount *ump, uint32_t lb)
 	up->u_vatlen = (letoh64(up->u_fentry->inf_len) - 36) >> 2;
 
 	ump->um_vat = malloc(sizeof(struct unode), M_UDFMOUNT, M_WAITOK);
-       *ump->um_vat = *up;
+	*ump->um_vat = *up;
 
 	ump->um_flags &= ~UDF_MNT_FIND_VAT;
 	ump->um_flags |=  UDF_MNT_USES_VAT;

sys/kern/kern_acct.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_acct.c,v 1.47 2022/08/14 01:58:27 jsg Exp $	*/
+/*	$OpenBSD: kern_acct.c,v 1.48 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: kern_acct.c,v 1.42 1996/02/04 02:15:12 christos Exp $	*/
 
 /*-
@@ -270,7 +270,7 @@ encode_comp_t(u_long s, u_long ns)
 	s += ns / (1000000000 / AHZ);	/* Maximize precision. */
 
 	while (s > MAXFRACT) {
-	rnd = s & (1 << (EXPSIZE - 1));	/* Round up? */
+		rnd = s & (1 << (EXPSIZE - 1));	/* Round up? */
 		s >>= EXPSIZE;		/* Base 8 exponent == 3 bit shift. */
 		exp++;
 	}

sys/net/pf_osfp.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_osfp.c,v 1.47 2023/10/10 11:25:31 bluhm Exp $ */
+/*	$OpenBSD: pf_osfp.c,v 1.48 2024/04/13 23:44:11 jsg Exp $ */
 
 /*
  * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
@@ -382,7 +382,7 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc)
 	if ((fp = pf_osfp_find_exact(&fpadd))) {
 		struct pf_osfp_entry *tentry;
 
-		 SLIST_FOREACH(tentry, &fp->fp_oses, fp_entry) {
+		SLIST_FOREACH(tentry, &fp->fp_oses, fp_entry) {
 			if (PF_OSFP_ENTRY_EQ(tentry, &fpioc->fp_os)) {
 				PF_UNLOCK();
 				pool_put(&pf_osfp_entry_pl, entry);

sys/net80211/ieee80211_input.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ieee80211_input.c,v 1.251 2024/03/15 17:45:36 stsp Exp $	*/
+/*	$OpenBSD: ieee80211_input.c,v 1.252 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $	*/
 
 /*-
@@ -1901,7 +1901,7 @@ ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m,
 		 * This probe response indicates the AP is still serving us
 		 * so don't allow ieee80211_watchdog() to move us into SCAN.
 		 */
-		 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0)
+		if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0)
 		 	ic->ic_mgt_timer = 0;
 	}
 	/*

sys/netinet/tcp_input.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_input.c,v 1.403 2024/04/12 16:07:09 bluhm Exp $	*/
+/*	$OpenBSD: tcp_input.c,v 1.404 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $	*/
 
 /*
@@ -1078,12 +1078,13 @@ findpcb:
 	 * Receive window is amount of space in rcv queue,
 	 * but not less than advertised window.
 	 */
-	{ int win;
+	{
+		int win;
 
-	win = sbspace(so, &so->so_rcv);
+		win = sbspace(so, &so->so_rcv);
-	if (win < 0)
+		if (win < 0)
-		win = 0;
+			win = 0;
-	tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
+		tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
 	}
 
 	switch (tp->t_state) {

sys/nfs/nfs_vnops.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: nfs_vnops.c,v 1.194 2024/03/25 17:57:07 guenther Exp $	*/
+/*	$OpenBSD: nfs_vnops.c,v 1.195 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: nfs_vnops.c,v 1.62.4.1 1996/07/08 20:26:52 jtc Exp $	*/
 
 /*
@@ -336,9 +336,9 @@ nfs_access(void *v)
 	 * Check access cache first. If a request has been made for this uid
 	 * shortly before, use the cached result.
 	 */
-	 cachevalid = (np->n_accstamp != -1 &&
+	cachevalid = (np->n_accstamp != -1 &&
-	     (gettime() - np->n_accstamp) < nfs_attrtimeo(np) &&
+	    (gettime() - np->n_accstamp) < nfs_attrtimeo(np) &&
-	     np->n_accuid == ap->a_cred->cr_uid);
+	    np->n_accuid == ap->a_cred->cr_uid);
 
 	if (cachevalid) {
 		if (!np->n_accerror) {
@@ -408,7 +408,7 @@ nfs_access(void *v)
 	 * If we got the same result as for a previous, different request, OR
 	 * it in. Don't update the timestamp in that case.
 	 */
-	 if (!error || error == EACCES) {
+	if (!error || error == EACCES) {
 		if (cachevalid && np->n_accstamp != -1 &&
 		    error == np->n_accerror) {
 			if (!error)

sys/ufs/ext2fs/ext2fs_bmap.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ext2fs_bmap.c,v 1.28 2021/12/12 09:14:59 visa Exp $	*/
+/*	$OpenBSD: ext2fs_bmap.c,v 1.29 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: ext2fs_bmap.c,v 1.5 2000/03/30 12:41:11 augustss Exp $	*/
 
 /*
@@ -192,7 +192,7 @@ ext2fs_bmaparray(struct vnode *vp, daddr_t bn, daddr_t *bnp,
 	devvp = VFSTOUFS(vp->v_mount)->um_devvp;
 
 #ifdef DIAGNOSTIC
-    if (num > NIADDR + 1 || num < 1) {
+	if (num > NIADDR + 1 || num < 1) {
 		printf("ext2fs_bmaparray: num=%d\n", num);
 		panic("ext2fs_bmaparray: num");
 	}

sys/ufs/ext2fs/ext2fs_vnops.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ext2fs_vnops.c,v 1.92 2024/03/25 17:57:07 guenther Exp $	*/
+/*	$OpenBSD: ext2fs_vnops.c,v 1.93 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: ext2fs_vnops.c,v 1.1 1997/06/11 09:34:09 bouyer Exp $	*/
 
 /*
@@ -819,7 +819,7 @@ abortit:
 				UIO_SYSSPACE, IO_NODELOCKED,
 				tcnp->cn_cred, NULL, curproc);
 			if (error == 0) {
-					namlen = dirbuf.dotdot_namlen;
+				namlen = dirbuf.dotdot_namlen;
 				if (namlen != 2 ||
 				    dirbuf.dotdot_name[0] != '.' ||
 				    dirbuf.dotdot_name[1] != '.') {

sys/ufs/ffs/ffs_balloc.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ffs_balloc.c,v 1.46 2024/02/03 18:51:58 beck Exp $	*/
+/*	$OpenBSD: ffs_balloc.c,v 1.47 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: ffs_balloc.c,v 1.3 1996/02/09 22:22:21 christos Exp $	*/
 
 /*
@@ -750,7 +750,7 @@ fail:
 		 * that we resolve the dependencies in one pass.
 		 * Write the cylinder group buffers for these buffers too.
 		 */
-		 for (i = num; i >= unwindidx; i--) {
+		for (i = num; i >= unwindidx; i--) {
 		 	if (i == 0)
 				break;
 

sys/ufs/ffs/ffs_extern.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ffs_extern.h,v 1.47 2024/04/11 16:31:30 otto Exp $	*/
+/*	$OpenBSD: ffs_extern.h,v 1.49 2024/04/13 15:08:37 jca Exp $	*/
 /*	$NetBSD: ffs_extern.h,v 1.4 1996/02/09 22:22:22 christos Exp $	*/
 
 /*
@@ -36,6 +36,7 @@
 #define FFS_CLUSTERWRITE	2	/* cluster writing enabled */
 #define FFS_REALLOCBLKS		3	/* block reallocation enabled */
 #define FFS_ASYNCFREE		4	/* asynchronous block freeing enabled */
+#define	FFS_MAX_SOFTDEPS	5	/* maximum structs before slowdown */
 #define	FFS_SD_TICKDELAY	6	/* ticks to pause during slowdown */
 #define	FFS_SD_WORKLIST_PUSH	7	/* # of worklist cleanups */
 #define	FFS_SD_BLK_LIMIT_PUSH	8	/* # of times block limit neared */
@@ -59,17 +60,17 @@
 	{ 0, 0 }, \
 	{ 0, 0 }, \
 	{ 0, 0 }, \
-	{ "sd_tickdelay", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_worklist_push", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_blk_limit_push", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_ino_limit_push", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_blk_limit_hit", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_ino_limit_hit", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_sync_limit_hit", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_indir_blk_ptrs", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_inode_bitmap", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_direct_blk_ptrs", CTLTYPE_INT }, \
+	{ 0, 0 }, \
-	{ "sd_dir_entry", CTLTYPE_INT }, \
+	{ 0, 0 }, \
 	{ "dirhash_dirsize", CTLTYPE_INT }, \
 	{ "dirhash_maxmem", CTLTYPE_INT }, \
 	{ "dirhash_mem", CTLTYPE_INT }, \

sys/uvm/uvm_addr.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: uvm_addr.c,v 1.32 2022/11/04 09:36:44 mpi Exp $	*/
+/*	$OpenBSD: uvm_addr.c,v 1.33 2024/04/13 23:44:11 jsg Exp $	*/
 
 /*
  * Copyright (c) 2011 Ariane van der Steldt <ariane@stack.nl>
@@ -1406,7 +1406,7 @@ uaddr_stack_brk_select(struct vm_map *map, struct uvm_addr_state *uaddr,
 		if (uvm_addr_linsearch(map, uaddr, entry_out, addr_out,
 		    0, sz, align, offset, dir, start, end - sz,
 		    before_gap, after_gap) == 0)
-		return 0;
+			return 0;
 	}
 
 	return ENOMEM;

sys/uvm/uvm_aobj.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: uvm_aobj.c,v 1.109 2024/04/10 15:25:14 mpi Exp $	*/
+/*	$OpenBSD: uvm_aobj.c,v 1.110 2024/04/13 23:44:11 jsg Exp $	*/
 /*	$NetBSD: uvm_aobj.c,v 1.39 2001/02/18 21:19:08 chs Exp $	*/
 
 /*
@@ -298,7 +298,7 @@ uao_set_swslot(struct uvm_object *uobj, int pageidx, int slot)
 
 		/* but a set is not */
 		printf("uao_set_swslot: uobj = %p\n", uobj);
-	    panic("uao_set_swslot: attempt to set a slot on a NOSWAP object");
+	    	panic("uao_set_swslot: attempt to set a slot on a NOSWAP object");
 	}
 
 	/*