commit: 0e0f985268db5afae98c7f7f172064b34bdfe77c
parent 8dc6169bcae4255a996f29ab59c839c559fcdc24
Author: Michael Forney <mforney@mforney.org>
Date: Wed, 1 Dec 2021 20:48:11 -0800
Add unbound 1.14.0
Patched to use BearSSL for crypto.
Diffstat:
15 files changed, 2186 insertions(+), 0 deletions(-)
diff --git a/.gitmodules b/.gitmodules
@@ -327,6 +327,10 @@
[submodule "pkg/ubase/src"]
path = pkg/ubase/src
url = https://github.com/michaelforney/ubase
+[submodule "pkg/unbound/src"]
+ path = pkg/unbound/src
+ url = https://github.com/NLnetlabs/unbound.git
+ ignore = all
[submodule "pkg/usbids/src"]
path = pkg/usbids/src
url = https://github.com/usbids/usbids.git
diff --git a/pkg/gen.lua b/pkg/gen.lua
@@ -119,6 +119,7 @@ subgen 'tinyemu'
subgen 'transmission'
subgen 'tz'
subgen 'ubase'
+subgen 'unbound'
subgen 'unzip'
subgen 'usbids'
subgen 'u-boot'
diff --git a/pkg/unbound/config.h b/pkg/unbound/config.h
@@ -0,0 +1,408 @@
+#define ATTR_NORETURN __attribute__((noreturn))
+#define ATTR_WEAK __attribute__((weak))
+#define CHROOT_DIR "/etc/unbound"
+/* #undef CLIENT_SUBNET */
+/* #undef COMPAT_SHA512 */
+#define CONFCMDLINE "--prefix= --with-bearssl --disable-ed25519 --disable-ed448"
+#define CONFIGFILE "/etc/unbound/unbound.conf"
+/* #undef DARWIN_BROKEN_SETREUID */
+/* #undef DEPRECATED_DAEMON */
+/* #undef DEPRECATE_RSA_1024 */
+/* #undef DISABLE_EXPLICIT_PORT_RANDOMISATION */
+/* #undef DNSTAP_SOCKET_PATH */
+/* #undef ENABLE_LOCK_CHECKS */
+/* #undef EXPORT_ALL_SYMBOLS */
+#define HAVE_ACCEPT4 1
+/* #undef HAVE_ARC4RANDOM */
+/* #undef HAVE_ARC4RANDOM_UNIFORM */
+#define HAVE_ARPA_INET_H 1
+#define HAVE_ATTR_FORMAT 1
+#define HAVE_ATTR_NORETURN 1
+#define HAVE_ATTR_UNUSED 1
+#define HAVE_ATTR_WEAK 1
+#define HAVE_BE64TOH 1
+#define HAVE_BEARSSL 1
+/* #undef HAVE_BIO_SET_CALLBACK_EX */
+/* #undef HAVE_BSD_STDLIB_H */
+/* #undef HAVE_BSD_STRING_H */
+#define HAVE_CHOWN 1
+#define HAVE_CHROOT 1
+/* #undef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA */
+/* #undef HAVE_CRYPTO_THREADID_SET_CALLBACK */
+#define HAVE_CTIME_R 1
+#define HAVE_DAEMON 1
+/* #undef HAVE_DECL_ARC4RANDOM */
+/* #undef HAVE_DECL_ARC4RANDOM_UNIFORM */
+/* #undef HAVE_DECL_EVSIGNAL_ASSIGN */
+#define HAVE_DECL_INET_NTOP 1
+#define HAVE_DECL_INET_PTON 1
+/* #undef HAVE_DECL_NGHTTP2_SESSION_SERVER_NEW */
+/* #undef HAVE_DECL_NID_ED25519 */
+/* #undef HAVE_DECL_NID_ED448 */
+/* #undef HAVE_DECL_NID_SECP384R1 */
+/* #undef HAVE_DECL_NID_X9_62_PRIME256V1 */
+#define HAVE_DECL_REALLOCARRAY 1
+/* #undef HAVE_DECL_REDISCONNECT */
+/* #undef HAVE_DECL_SK_SSL_COMP_POP_FREE */
+/* #undef HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS */
+/* #undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO */
+/* #undef HAVE_DECL_STRLCAT */
+/* #undef HAVE_DECL_STRLCPY */
+#define HAVE_DECL_XML_STOPPARSER 1
+#define HAVE_DLFCN_H 1
+/* #undef HAVE_DSA_SIG_SET0 */
+#define HAVE_ENDIAN_H 1
+#define HAVE_ENDPROTOENT 1
+#define HAVE_ENDPWENT 1
+#define HAVE_ENDSERVENT 1
+/* #undef HAVE_ENGINE_CLEANUP */
+/* #undef HAVE_ERR_FREE_STRINGS */
+/* #undef HAVE_ERR_LOAD_CRYPTO_STRINGS */
+/* #undef HAVE_EVENT_ASSIGN */
+/* #undef HAVE_EVENT_BASE_FREE */
+/* #undef HAVE_EVENT_BASE_GET_METHOD */
+/* #undef HAVE_EVENT_BASE_NEW */
+/* #undef HAVE_EVENT_BASE_ONCE */
+/* #undef HAVE_EVENT_H */
+/* #undef HAVE_EVP_AES_256_CBC */
+/* #undef HAVE_EVP_CLEANUP */
+/* #undef HAVE_EVP_DIGESTVERIFY */
+/* #undef HAVE_EVP_DSS1 */
+/* #undef HAVE_EVP_ENCRYPTINIT_EX */
+/* #undef HAVE_EVP_MAC_CTX_SET_PARAMS */
+/* #undef HAVE_EVP_MD_CTX_NEW */
+/* #undef HAVE_EVP_SHA1 */
+/* #undef HAVE_EVP_SHA256 */
+/* #undef HAVE_EVP_SHA512 */
+/* #undef HAVE_EV_DEFAULT_LOOP */
+/* #undef HAVE_EV_LOOP */
+#define HAVE_EXPAT_H 1
+#define HAVE_EXPLICIT_BZERO 1
+#define HAVE_FCNTL 1
+/* #undef HAVE_FIPS_MODE */
+#define HAVE_FORK 1
+#define HAVE_FSEEKO 1
+#define HAVE_FSYNC 1
+#define HAVE_GETADDRINFO 1
+/* #undef HAVE_GETAUXVAL */
+#define HAVE_GETENTROPY 1
+#define HAVE_GETIFADDRS 1
+#define HAVE_GETOPT_H 1
+#define HAVE_GETPWNAM 1
+#define HAVE_GETRLIMIT 1
+#define HAVE_GLOB 1
+#define HAVE_GLOB_H 1
+#define HAVE_GMTIME_R 1
+#define HAVE_GRP_H 1
+/* #undef HAVE_HIREDIS_HIREDIS_H */
+/* #undef HAVE_HMAC_INIT_EX */
+#define HAVE_HTOBE64 1
+#define HAVE_IFADDRS_H 1
+#define HAVE_IF_NAMETOINDEX 1
+#define HAVE_INET_ATON 1
+#define HAVE_INET_NTOP 1
+#define HAVE_INET_PTON 1
+#define HAVE_INITGROUPS 1
+#define HAVE_INTTYPES_H 1
+/* #undef HAVE_IOCTLSOCKET */
+/* #undef HAVE_IPHLPAPI_H */
+#define HAVE_ISBLANK 1
+#define HAVE_KILL 1
+/* #undef HAVE_LIBBSD */
+/* #undef HAVE_LIBKERN_OSBYTEORDER_H */
+/* #undef HAVE_LIBRESSL */
+#define HAVE_LOCALTIME_R 1
+/* #undef HAVE_LOGIN_CAP_H */
+#define HAVE_MALLOC 1
+#define HAVE_MEMMOVE 1
+#define HAVE_MEMORY_H 1
+#define HAVE_NETDB_H 1
+#define HAVE_NETINET_IN_H 1
+#define HAVE_NETINET_TCP_H 1
+/* #undef HAVE_NETTLE */
+/* #undef HAVE_NETTLE_DSA_COMPAT_H */
+/* #undef HAVE_NETTLE_EDDSA_H */
+#define HAVE_NET_IF_H 1
+/* #undef HAVE_NGHTTP2 */
+/* #undef HAVE_NGHTTP2_NGHTTP2_H */
+/* #undef HAVE_NSS */
+/* #undef HAVE_OPENSSL_ADD_ALL_DIGESTS */
+/* #undef HAVE_OPENSSL_BN_H */
+/* #undef HAVE_OPENSSL_CONFIG */
+/* #undef HAVE_OPENSSL_CONF_H */
+/* #undef HAVE_OPENSSL_CORE_NAMES_H */
+/* #undef HAVE_OPENSSL_DH_H */
+/* #undef HAVE_OPENSSL_DSA_H */
+/* #undef HAVE_OPENSSL_ENGINE_H */
+/* #undef HAVE_OPENSSL_ERR_H */
+/* #undef HAVE_OPENSSL_INIT_CRYPTO */
+/* #undef HAVE_OPENSSL_INIT_SSL */
+/* #undef HAVE_OPENSSL_PARAM_BUILD_H */
+/* #undef HAVE_OPENSSL_RAND_H */
+/* #undef HAVE_OPENSSL_RSA_H */
+/* #undef HAVE_OPENSSL_SSL_H */
+/* #undef HAVE_OSSL_PARAM_BLD_NEW */
+#define HAVE_PTHREAD 1
+#define HAVE_PTHREAD_PRIO_INHERIT 1
+#define HAVE_PTHREAD_RWLOCK_T 1
+#define HAVE_PTHREAD_SPINLOCK_T 1
+#define HAVE_PWD_H 1
+/* #undef HAVE_PYTHON */
+#define HAVE_RANDOM 1
+/* #undef HAVE_RAND_CLEANUP */
+#define HAVE_REALLOCARRAY 1
+#define HAVE_RECVMSG 1
+#define HAVE_SENDMSG 1
+/* #undef HAVE_SETREGID */
+#define HAVE_SETRESGID 1
+#define HAVE_SETRESUID 1
+/* #undef HAVE_SETREUID */
+#define HAVE_SETRLIMIT 1
+#define HAVE_SETSID 1
+/* #undef HAVE_SETUSERCONTEXT */
+/* #undef HAVE_SHA512_UPDATE */
+#define HAVE_SHMGET 1
+#define HAVE_SIGPROCMASK 1
+#define HAVE_SLEEP 1
+#define HAVE_SNPRINTF 1
+#define HAVE_SOCKETPAIR 1
+/* #undef HAVE_SOLARIS_THREADS */
+#define HAVE_SRANDOM 1
+/* #undef HAVE_SSL */
+/* #undef HAVE_SSL_CTX_SET_ALPN_PROTOS */
+/* #undef HAVE_SSL_CTX_SET_ALPN_SELECT_CB */
+/* #undef HAVE_SSL_CTX_SET_CIPHERSUITES */
+/* #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
+/* #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB */
+/* #undef HAVE_SSL_GET0_ALPN_SELECTED */
+/* #undef HAVE_SSL_GET0_PEERNAME */
+/* #undef HAVE_SSL_GET1_PEER_CERTIFICATE */
+/* #undef HAVE_SSL_SET1_HOST */
+#define HAVE_STDARG_H 1
+#define HAVE_STDBOOL_H 1
+#define HAVE_STDINT_H 1
+#define HAVE_STDLIB_H 1
+#define HAVE_STRFTIME 1
+#define HAVE_STRINGS_H 1
+#define HAVE_STRING_H 1
+#define HAVE_STRLCAT 1
+#define HAVE_STRLCPY 1
+#define HAVE_STRPTIME 1
+#define HAVE_STRSEP 1
+#define HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST 1
+/* #undef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN */
+/* #undef HAVE_SWIG */
+/* #undef HAVE_SYSLOG_H */
+/* #undef HAVE_SYSTEMD */
+/* #undef HAVE_SYS_ENDIAN_H */
+#define HAVE_SYS_IPC_H 1
+#define HAVE_SYS_PARAM_H 1
+#define HAVE_SYS_RESOURCE_H 1
+#define HAVE_SYS_SELECT_H 1
+/* #undef HAVE_SYS_SHA2_H */
+#define HAVE_SYS_SHM_H 1
+#define HAVE_SYS_SOCKET_H 1
+#define HAVE_SYS_STAT_H 1
+/* #undef HAVE_SYS_SYSCTL_H */
+#define HAVE_SYS_TYPES_H 1
+#define HAVE_SYS_UIO_H 1
+#define HAVE_SYS_UN_H 1
+#define HAVE_SYS_WAIT_H 1
+/* #undef HAVE_TARGETCONDITIONALS_H */
+#define HAVE_TIME_H 1
+#define HAVE_TZSET 1
+#define HAVE_UNISTD_H 1
+#define HAVE_USLEEP 1
+#define HAVE_VFORK 1
+/* #undef HAVE_VFORK_H */
+/* #undef HAVE_WINDOWS_H */
+/* #undef HAVE_WINDOWS_THREADS */
+/* #undef HAVE_WINSOCK2_H */
+#define HAVE_WORKING_FORK 1
+#define HAVE_WORKING_VFORK 1
+#define HAVE_WRITEV 1
+/* #undef HAVE_WS2TCPIP_H */
+/* #undef HAVE_X509_VERIFY_PARAM_SET1_HOST */
+/* #undef HAVE__BEGINTHREADEX */
+/* #undef HMAC_INIT_EX_RETURNS_VOID */
+#define LEX_HAS_YYLEX_DESTROY 1
+#define LT_OBJDIR ".libs/"
+#define MAXSYSLOGMSGLEN 10240
+/* #undef MEMCMP_IS_BROKEN */
+/* #undef MKDIR_HAS_ONE_ARG */
+/* #undef NONBLOCKING_IS_BROKEN */
+/* #undef OMITTED__D_ALL_SOURCE */
+/* #undef OMITTED__D_BSD_SOURCE */
+/* #undef OMITTED__D_DEFAULT_SOURCE */
+#define OMITTED__D_GNU_SOURCE 1
+/* #undef OMITTED__D_LARGEFILE_SOURCE_1 */
+/* #undef OMITTED__D_POSIX_C_SOURCE_200112 */
+/* #undef OMITTED__D_XOPEN_SOURCE_600 */
+/* #undef OMITTED__D_XOPEN_SOURCE_EXTENDED_1 */
+/* #undef OMITTED__D__EXTENSIONS__ */
+#define PACKAGE_BUGREPORT "unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues"
+#define PACKAGE_NAME "unbound"
+#define PACKAGE_STRING "unbound 1.14.0"
+#define PACKAGE_TARNAME "unbound"
+#define PACKAGE_URL ""
+#define PACKAGE_VERSION "1.14.0"
+#define PIDFILE ""
+/* #undef PTHREAD_CREATE_JOINABLE */
+#define RETSIGTYPE void
+#define REUSEPORT_DEFAULT 1
+#define ROOT_ANCHOR_FILE "/etc/unbound/root.key"
+#define ROOT_CERT_FILE "/etc/unbound/icannbundle.pem"
+#define RSRC_PACKAGE_VERSION 1,14,0,0
+#define RUN_DIR "/etc/unbound"
+#define SHARE_DIR "/etc/unbound"
+#define SIZEOF_TIME_T 8
+/* #undef SNPRINTF_RET_BROKEN */
+/* #undef SODIUM_MISUSE_HANDLER */
+#define STDC_HEADERS 1
+#define STRPTIME_WORKS 1
+/* #undef UB_ON_WINDOWS */
+#define UB_SYSLOG_FACILITY LOG_DAEMON
+#define UB_USERNAME "unbound"
+/* #undef UNBOUND_ALLOC_LITE */
+/* #undef UNBOUND_ALLOC_NONREGIONAL */
+/* #undef UNBOUND_ALLOC_STATS */
+/* #undef UNBOUND_DEBUG */
+/* #undef USE_CACHEDB */
+/* #undef USE_DNSCRYPT */
+/* #undef USE_DNSCRYPT_XCHACHA20 */
+/* #undef USE_DNSTAP */
+/* #undef USE_DSA */
+#define USE_ECDSA 1
+/* #undef USE_ECDSA_EVP_WORKAROUND */
+/* #undef USE_ED25519 */
+/* #undef USE_ED448 */
+/* #undef USE_GOST */
+/* #undef USE_IPSECMOD */
+/* #undef USE_IPSET */
+/* #undef USE_LIBEVENT */
+/* #undef USE_LINUX_IP_LOCAL_PORT_RANGE */
+#define USE_MINI_EVENT 1
+/* #undef USE_MSG_FASTOPEN */
+/* #undef USE_OSX_MSG_FASTOPEN */
+/* #undef USE_REDIS */
+#define USE_SHA1 1
+#define USE_SHA2 1
+#define _GNU_SOURCE 1
+/* #undef USE_TCP_FASTOPEN */
+/* #undef USE_WINSOCK */
+#define WINVER 0x0502
+/* #undef WITH_DYNLIBMODULE */
+/* #undef WITH_PYTHONMODULE */
+/* #undef WITH_PYUNBOUND */
+/* #undef YYTEXT_POINTER */
+/* #undef _FILE_OFFSET_BITS */
+/* #undef _LARGEFILE_SOURCE */
+/* #undef _LARGE_FILES */
+/* #undef _MINIX */
+/* #undef _NETBSD_SOURCE */
+/* #undef _POSIX_1_SOURCE */
+/* #undef _POSIX_SOURCE */
+/* #undef const */
+/* #undef gid_t */
+/* #undef in_addr_t */
+/* #undef in_port_t */
+#ifndef __cplusplus
+/* #undef inline */
+#endif
+/* #undef int16_t */
+/* #undef int32_t */
+/* #undef int64_t */
+/* #undef int8_t */
+/* #undef malloc */
+/* #undef off_t */
+/* #undef pid_t */
+/* #undef rlim_t */
+/* #undef size_t */
+/* #undef socklen_t */
+/* #undef ssize_t */
+/* #undef u_char */
+/* #undef uid_t */
+/* #undef uint16_t */
+/* #undef uint32_t */
+/* #undef uint64_t */
+/* #undef uint8_t */
+/* #undef vfork */
+#ifndef UNBOUND_DEBUG
+# ifndef NDEBUG
+# define NDEBUG
+# endif
+#endif
+#define USE_SLDNS 1
+#ifdef HAVE_SSL
+# define LDNS_BUILD_CONFIG_HAVE_SSL 1
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <assert.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <errno.h>
+#if HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <sys/socket.h>
+#include <sys/uio.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <arpa/inet.h>
+#ifdef HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+#ifndef USE_WINSOCK
+#define ARG_LL "%ll"
+#else
+#define ARG_LL "%I64"
+#endif
+#ifdef HAVE_ATTR_FORMAT
+# define ATTR_FORMAT(archetype, string_index, first_to_check) \
+ __attribute__ ((format (archetype, string_index, first_to_check)))
+#else /* !HAVE_ATTR_FORMAT */
+# define ATTR_FORMAT(archetype, string_index, first_to_check) /* empty */
+#endif /* !HAVE_ATTR_FORMAT */
+#if defined(DOXYGEN)
+# define ATTR_UNUSED(x) x
+#elif defined(__cplusplus)
+# define ATTR_UNUSED(x)
+#elif defined(HAVE_ATTR_UNUSED)
+# define ATTR_UNUSED(x) x __attribute__((unused))
+#else /* !HAVE_ATTR_UNUSED */
+# define ATTR_UNUSED(x) x
+#endif /* !HAVE_ATTR_UNUSED */
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 256
+#endif
+#ifdef HAVE_WINSOCK2_H
+#define FD_SET_T (u_int)
+#else
+#define FD_SET_T
+#endif
+#ifndef IPV6_MIN_MTU
+#define IPV6_MIN_MTU 1280
+#endif /* IPV6_MIN_MTU */
+#if defined(HAVE_EVENT_H) && !defined(HAVE_EVENT_BASE_ONCE) && !(defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && (defined(HAVE_PTHREAD) || defined(HAVE_SOLARIS_THREADS))
+# define LIBEVENT_SIGNAL_PROBLEM 1
+#endif
+#ifndef CHECKED_INET6
+# define CHECKED_INET6
+# ifdef AF_INET6
+# define INET6
+# else
+# define AF_INET6 28
+# endif
+#endif /* CHECKED_INET6 */
+#define UNBOUND_DNS_PORT 53
+#define UNBOUND_DNS_OVER_TLS_PORT 853
+#define UNBOUND_DNS_OVER_HTTPS_PORT 443
+#define UNBOUND_CONTROL_PORT 8953
+#define UNBOUND_CONTROL_VERSION 1
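Review bot: `USE_ED25519` and `USE_ED448` are left undefined (consistent with `--disable-ed25519 --disable-ed448` in CONFCMDLINE), and this hand-maintained header says nothing about the validation consequence: as I understand unbound's algorithm handling, an RRSIG whose algorithm the validator cannot verify makes the zone insecure rather than bogus (RFC 4035 §5.2 behaviour), so zones signed only with DNSSEC algorithms 15/16 pass through unvalidated under this build instead of being rejected. Suggested comment above the two `#undef` lines: `/* BearSSL has no EdDSA: DNSSEC algorithms 15/16 are unsupported here, so zones signed only with them validate as insecure, not bogus */`. Likewise `HAVE_SSL` is undefined, which — if the usual HAVE_SSL gating applies — leaves this binary without any TLS (DNS-over-TLS upstreams, TLS on the control channel); a one-line note next to it would stop the next reader from treating it as a configure oversight.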
diff --git a/pkg/unbound/dnscrypt/dnscrypt_config.h b/pkg/unbound/dnscrypt/dnscrypt_config.h
diff --git a/pkg/unbound/dnstap/dnstap_config.h b/pkg/unbound/dnstap/dnstap_config.h
diff --git a/pkg/unbound/gen.lua b/pkg/unbound/gen.lua
@@ -0,0 +1,116 @@
+cflags{
+ '-I $dir',
+ '-I $srcdir',
+ '-isystem $builddir/pkg/bearssl/include',
+}
+pkg.deps = {
+ 'pkg/bearssl/headers',
+}
+
+exe('unbound', [[
+ daemon/(
+ acl_list.c daemon.c
+ stats.c unbound.c
+ worker.c
+ )
+ util/shm_side/shm_main.c
+ sldns/(
+ keyraw.c sbuffer.c wire2str.c parse.c parseutil.c rrdef.c
+ str2wire.c
+ )
+ util/(
+ edns.c
+ config_file.c
+ configparser.c
+ configlexer.c
+ as112.c
+ timehist.c
+ log.c
+ locks.c
+ tube.c
+ fptr_wlist.c
+ netevent.c
+ regional.c
+ ub_event.c
+ net_help.c
+ rtt.c
+ mini_event.c
+ tcp_conn_limit.c
+ rbtree.c
+ data/(
+ msgparse.c
+ msgencode.c
+ dname.c
+ msgreply.c
+ packed_rrset.c
+ )
+ storage/(
+ slabhash.c
+ lruhash.c
+ dnstree.c
+ lookup3.c
+ )
+ alloc.c
+ random.c
+ module.c
+ )
+ iterator/(
+ iter_utils.c
+ iter_resptype.c
+ iter_hints.c
+ iter_fwd.c
+ iter_delegpt.c
+ iterator.c
+ iter_scrub.c
+ iter_priv.c
+ iter_donotq.c
+ )
+ dns64/dns64.c
+ respip/respip.c
+ services/(
+ rpz.c
+ view.c
+ outside_network.c
+ authzone.c
+ outbound_list.c
+ modstack.c
+ listen_dnsport.c
+ cache/(dns.c rrset.c infra.c)
+ mesh.c
+ localzone.c
+ )
+ validator/(
+ autotrust.c
+ validator.c
+ val_anchor.c
+ val_secalgo.c
+ val_sigcrypt.c
+ val_nsec.c
+ val_nsec3.c
+ val_utils.c
+ val_kentry.c
+ val_kcache.c
+ val_neg.c
+ )
+ $builddir/pkg/bearssl/libbearssl.a
+]])
+
+file('bin/unbound', '755', '$outdir/unbound')
+
+for _, name in ipairs{'unbound.8', 'unbound.conf.5'} do
+ build('sed', '$outdir/'..name, '$srcdir/doc/'..name..'.in', {
+ expr={
+ [[-e 's/@date@/Dec 10, 2021/']],
+ [[-e 's,@version@,1.14.0,']],
+ [[-e 's,@ub_conf_file@,/etc/unbound/unbound.conf,']],
+ [[-e 's,@UNBOUND_CHROOT_DIR@,/etc/unbound,']],
+ [[-e 's,@UNBOUND_USERNAME@,unbound,']],
+ [[-e 's,@UNBOUND_RUN_DIR@,/etc/unbound,']],
+ [[-e 's,@UNBOUND_PIDFILE@,,']],
+ [[-e 's,@DNSTAP_SOCKET_PATH@,,']],
+ },
+ })
+ man{'$outdir/'..name}
+end
+
+fetch 'git'
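Review bot: The build emits only the daemon binary (a single `exe('unbound', ...)` and `file('bin/unbound', ...)`), so the companion tools — unbound-anchor, which normally maintains the `/etc/unbound/root.key` trust anchor that config.h names as ROOT_ANCHOR_FILE, and unbound-control — are not produced, and nothing here records that this is deliberate or how the trust anchor is meant to reach the chroot. I would add a comment above the `exe` call: `-- daemon only: unbound-anchor, unbound-control and libunbound are not built; /etc/unbound/root.key must be provisioned by the system configuration`. If the omission of `daemon/remote.c` is also intentional (no remote-control support), the same comment is the place to say so, since a reader cannot tell that from the source list alone.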
diff --git a/pkg/unbound/patch/0001-Fix-ub_random_max-preprocessor-guard.patch b/pkg/unbound/patch/0001-Fix-ub_random_max-preprocessor-guard.patch
@@ -0,0 +1,27 @@
+From b9f80118e406d60e0e41b2f6b2549a8502fd1886 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 12:42:54 -0800
+Subject: [PATCH] Fix ub_random_max preprocessor guard
+
+|| has lower precedence than &&, so if HAVE_NETTLE and HAVE_LIBBSD
+are both defined, ub_random_max would get defined twice.
+---
+ util/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/random.c b/util/random.c
+index 6eb102c6..f7bb0a6f 100644
+--- a/util/random.c
++++ b/util/random.c
+@@ -186,7 +186,7 @@ long int ub_random(struct ub_randstate* s)
+ #endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE */
+
+
+-#if defined(HAVE_NSS) || defined(HAVE_NETTLE) && !defined(HAVE_LIBBSD)
++#if (defined(HAVE_NSS) || defined(HAVE_NETTLE)) && !defined(HAVE_LIBBSD)
+ long int
+ ub_random_max(struct ub_randstate* state, long int x)
+ {
+--
+2.34.0
+
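Review bot: The patch description names the wrong combination: `A || B && C` parses as `A || (B && C)`, so with the old guard `defined(HAVE_NSS) || defined(HAVE_NETTLE) && !defined(HAVE_LIBBSD)` the HAVE_NETTLE plus HAVE_LIBBSD case already evaluated false and produced no second definition. The double definition occurs when HAVE_NSS and HAVE_LIBBSD are both defined, because HAVE_NSS alone satisfied the old condition — assuming, as the message implies, that the HAVE_LIBBSD branch above this hunk defines `ub_random_max` too. The parenthesised guard is the right fix either way; I would only reword the description to `so if HAVE_NSS and HAVE_LIBBSD are both defined, ub_random_max would get defined twice.` so the rationale matches the change.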
diff --git a/pkg/unbound/patch/0002-Add-support-for-BearSSL-crypto.patch b/pkg/unbound/patch/0002-Add-support-for-BearSSL-crypto.patch
@@ -0,0 +1,827 @@
+From ca1cd33d7a07b3344d031d9119064c2b12de8e03 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 12:42:00 -0800
+Subject: [PATCH] Add support for BearSSL crypto
+
+---
+ config.h.in | 3 +
+ configure | 50 ++++-
+ configure.ac | 43 ++++-
+ daemon/unbound.c | 2 +
+ util/configparser.c | 4 +-
+ util/configparser.y | 4 +-
+ util/random.c | 46 ++++-
+ validator/val_secalgo.c | 382 ++++++++++++++++++++++++++++++++++++++-
+ validator/val_sigcrypt.c | 2 +-
+ 9 files changed, 514 insertions(+), 22 deletions(-)
+
+diff --git a/config.h.in b/config.h.in
+index e8a26735..6b0b1c50 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -72,6 +72,9 @@
+ /* If we have be64toh */
+ #undef HAVE_BE64TOH
+
++/* Use bearssl for crypto */
++#undef HAVE_BEARSSL
++
+ /* Define to 1 if you have the `BIO_set_callback_ex' function. */
+ #undef HAVE_BIO_SET_CALLBACK_EX
+
+diff --git a/configure b/configure
+index 0e964568..9c33d22f 100755
+--- a/configure
++++ b/configure
+@@ -871,6 +871,7 @@ with_pythonmodule
+ enable_swig_version_check
+ with_nss
+ with_nettle
++with_bearssl
+ with_ssl
+ with_libbsd
+ enable_sha1
+@@ -1649,6 +1650,7 @@ Optional Packages:
+ disable script engine. (default=no)
+ --with-nss=path use libnss instead of openssl, installed at path.
+ --with-nettle=path use libnettle as crypto library, installed at path.
++ --with-bearssl=path use bearssl as crypto library, installed at path.
+ --with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl
+ /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
+ /usr or specify like /usr/include/openssl11)
+@@ -17981,11 +17983,35 @@ done
+
+
+
++fi
++
++
++# bearssl
++USE_BEARSSL="no"
++
++# Check whether --with-bearssl was given.
++if test ${with_bearssl+y}
++then :
++ withval=$with_bearssl;
++ USE_BEARSSL="yes"
++
++printf "%s\n" "#define HAVE_BEARSSL 1" >>confdefs.h
++
++ if test "$withval" != "" -a "$withval" != "yes"; then
++ CPPFLAGS="$CPPFLAGS -I$withval/include"
++ LDFLAGS="$LDFLAGS -L$withval/lib"
++ fi
++ LIBS="$LIBS -lbearssl"
++ SSLLIB=""
++ PC_CRYPTO_DEPENDENCY=""
++
++
++
+ fi
+
+
+ # openssl
+-if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+
+
+ # Check whether --with-ssl was given.
+@@ -18790,7 +18816,7 @@ if test "${enable_gost+set}" = set; then :
+ fi
+
+ use_gost="no"
+-if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ case "$enable_gost" in
+ no)
+ ;;
+@@ -18943,7 +18969,7 @@ case "$enable_ecdsa" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
+ if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
+
+@@ -19036,7 +19062,7 @@ use_dsa="no"
+ case "$enable_dsa" in
+ yes)
+ # detect if DSA is supported, and turn it off if not.
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ac_fn_c_check_func "$LINENO" "DSA_SIG_new" "ac_cv_func_DSA_SIG_new"
+ if test "x$ac_cv_func_DSA_SIG_new" = xyes; then :
+
+@@ -19080,6 +19106,9 @@ else
+ fi
+
+ else
++ if test $USE_BEARSSL = "yes"; then
++ as_fn_error $? "BearSSL does not support DSA and you used --enable-dsa." "$LINENO" 5
++ fi
+
+ cat >>confdefs.h <<_ACEOF
+ #define USE_DSA 1
+@@ -19115,7 +19144,7 @@ case "$enable_ed25519" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ac_fn_c_check_decl "$LINENO" "NID_ED25519" "ac_cv_have_decl_NID_ED25519" "$ac_includes_default
+ #include <openssl/evp.h>
+
+@@ -19139,6 +19168,9 @@ else
+ fi
+
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ as_fn_error $? "BearSSL does not support Ed25519 and you used --enable-ed25519." "$LINENO" 5
++ fi
+ if test $USE_NETTLE = "yes"; then
+ for ac_header in nettle/eddsa.h
+ do :
+@@ -19174,7 +19206,7 @@ case "$enable_ed448" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ac_fn_c_check_decl "$LINENO" "NID_ED448" "ac_cv_have_decl_NID_ED448" "$ac_includes_default
+ #include <openssl/evp.h>
+
+@@ -19198,6 +19230,9 @@ else
+ fi
+
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ as_fn_error $? "BearSSL does not support Ed448 and you used --enable-ed448." "$LINENO" 5
++ fi
+ if test $use_ed448 = "yes"; then
+
+ cat >>confdefs.h <<_ACEOF
+@@ -21744,6 +21779,9 @@ if test $ALLTARGET = "alltargets"; then
+ if test $USE_NETTLE = "yes"; then
+ as_fn_error $? "--with-nettle can only be used in combination with --with-libunbound-only." "$LINENO" 5
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ as_fn_error $? "--with-bearssl can only be used in combination with --with-libunbound-only." "$LINENO" 5
++ fi
+ fi
+
+
+diff --git a/configure.ac b/configure.ac
+index 36fdb459..9e15aee4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -835,8 +835,25 @@ AC_ARG_WITH([nettle], AS_HELP_STRING([--with-nettle=path],[use libnettle as cryp
+ ]
+ )
+
++# bearssl
++USE_BEARSSL="no"
++AC_ARG_WITH([bearssl], AS_HELP_STRING([--with-bearssl=path],[use bearssl as crypto library, installed at path.]),
++ [
++ USE_BEARSSL="yes"
++ AC_DEFINE(HAVE_BEARSSL, 1, [Use bearssl for crypto])
++ if test "$withval" != "" -a "$withval" != "yes"; then
++ CPPFLAGS="$CPPFLAGS -I$withval/include"
++ LDFLAGS="$LDFLAGS -L$withval/lib"
++ fi
++ LIBS="$LIBS -lbearssl"
++ SSLLIB=""
++ PC_CRYPTO_DEPENDENCY=""
++ AC_SUBST(PC_CRYPTO_DEPENDENCY)
++ ]
++)
++
+ # openssl
+-if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ACX_WITH_SSL
+ ACX_LIB_SSL
+ SSLLIB="-lssl"
+@@ -1084,7 +1101,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
+
+ AC_ARG_ENABLE(gost, AS_HELP_STRING([--disable-gost],[Disable GOST support]))
+ use_gost="no"
+-if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ case "$enable_gost" in
+ no)
+ ;;
+@@ -1098,7 +1115,7 @@ case "$enable_gost" in
+ fi
+ ;;
+ esac
+-fi dnl !USE_NSS && !USE_NETTLE
++fi dnl !USE_NSS && !USE_NETTLE && !USE_BEARSSL
+
+ AC_ARG_ENABLE(ecdsa, AS_HELP_STRING([--disable-ecdsa],[Disable ECDSA support]))
+ use_ecdsa="no"
+@@ -1106,7 +1123,7 @@ case "$enable_ecdsa" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
+ AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
+ AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
+@@ -1137,7 +1154,7 @@ use_dsa="no"
+ case "$enable_dsa" in
+ yes)
+ # detect if DSA is supported, and turn it off if not.
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ AC_CHECK_FUNC(DSA_SIG_new, [
+ AC_CHECK_TYPE(DSA_SIG*, [
+ AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+@@ -1163,6 +1180,9 @@ AC_INCLUDES_DEFAULT
+ ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
+ fi ])
+ else
++ if test $USE_BEARSSL = "yes"; then
++ AC_MSG_ERROR([BearSSL does not support DSA and you used --enable-dsa.])
++ fi
+ AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+ fi
+ ;;
+@@ -1183,7 +1203,7 @@ case "$enable_ed25519" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ AC_CHECK_DECLS([NID_ED25519], [
+ use_ed25519="yes"
+ ], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
+@@ -1191,6 +1211,9 @@ case "$enable_ed25519" in
+ #include <openssl/evp.h>
+ ])
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ AC_MSG_ERROR([BearSSL does not support Ed25519 and you used --enable-ed25519.])
++ fi
+ if test $USE_NETTLE = "yes"; then
+ AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes",, [AC_INCLUDES_DEFAULT])
+ fi
+@@ -1206,7 +1229,7 @@ case "$enable_ed448" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ AC_CHECK_DECLS([NID_ED448], [
+ use_ed448="yes"
+ ], [ if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED448 and you used --enable-ed448.])
+@@ -1214,6 +1237,9 @@ case "$enable_ed448" in
+ #include <openssl/evp.h>
+ ])
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ AC_MSG_ERROR([BearSSL does not support Ed448 and you used --enable-ed448.])
++ fi
+ if test $use_ed448 = "yes"; then
+ AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.])
+ fi
+@@ -1937,6 +1963,9 @@ if test $ALLTARGET = "alltargets"; then
+ if test $USE_NETTLE = "yes"; then
+ AC_MSG_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ AC_MSG_ERROR([--with-bearssl can only be used in combination with --with-libunbound-only.])
++ fi
+ fi
+
+ AC_SUBST(ALLTARGET)
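Review bot: The new `AC_MSG_ERROR([--with-bearssl can only be used in combination with --with-libunbound-only.])` rejects exactly the configuration this package builds: config.h records CONFCMDLINE as `--prefix= --with-bearssl --disable-ed25519 --disable-ed448` with no `--with-libunbound-only`, and gen.lua links the full daemon against libbearssl. The gate only goes unnoticed because configure is never run here and config.h is written by hand, so anyone who does run it gets an error for a build the patch itself supports. Either drop this check (if the BearSSL daemon build is meant to be supported, as the `print_build_options` change suggests) or add a comment here stating what in the daemon still requires OpenSSL, so the restriction is not mistaken for a copy of the nettle/NSS one.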
+diff --git a/daemon/unbound.c b/daemon/unbound.c
+index 457a0803..1a31bb3e 100644
+--- a/daemon/unbound.c
++++ b/daemon/unbound.c
+@@ -121,6 +121,8 @@ print_build_options(void)
+ NSS_GetVersion()
+ #elif defined(HAVE_NETTLE)
+ "nettle"
++#elif defined(HAVE_BEARSSL)
++ "bearssl"
+ #endif
+ );
+ printf("Linked modules:");
+diff --git a/util/configparser.c b/util/configparser.c
+index 2f155650..f2749753 100644
+--- a/util/configparser.c
++++ b/util/configparser.c
+@@ -5649,7 +5649,7 @@ yyreduce:
+ OUTYY(("P(server_fake_dsa:%s)\n", (yyvsp[0].str)));
+ if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
+ yyerror("expected yes or no.");
+-#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
++#if defined(HAVE_SSL) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)
+ else fake_dsa = (strcmp((yyvsp[0].str), "yes")==0);
+ if(fake_dsa)
+ log_warn("test option fake_dsa is enabled");
+@@ -5665,7 +5665,7 @@ yyreduce:
+ OUTYY(("P(server_fake_sha1:%s)\n", (yyvsp[0].str)));
+ if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
+ yyerror("expected yes or no.");
+-#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
++#if defined(HAVE_SSL) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)
+ else fake_sha1 = (strcmp((yyvsp[0].str), "yes")==0);
+ if(fake_sha1)
+ log_warn("test option fake_sha1 is enabled");
+diff --git a/util/configparser.y b/util/configparser.y
+index 1daf853d..844c175e 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -2028,7 +2028,7 @@ server_fake_dsa: VAR_FAKE_DSA STRING_ARG
+ OUTYY(("P(server_fake_dsa:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+-#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
++#if defined(HAVE_SSL) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)
+ else fake_dsa = (strcmp($2, "yes")==0);
+ if(fake_dsa)
+ log_warn("test option fake_dsa is enabled");
+@@ -2041,7 +2041,7 @@ server_fake_sha1: VAR_FAKE_SHA1 STRING_ARG
+ OUTYY(("P(server_fake_sha1:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+-#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
++#if defined(HAVE_SSL) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)
+ else fake_sha1 = (strcmp($2, "yes")==0);
+ if(fake_sha1)
+ log_warn("test option fake_sha1 is enabled");
+diff --git a/util/random.c b/util/random.c
+index f7bb0a6f..6bce2f62 100644
+--- a/util/random.c
++++ b/util/random.c
+@@ -183,10 +183,52 @@ long int ub_random(struct ub_randstate* s)
+ }
+ return x & MAX_VALUE;
+ }
+-#endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE */
+
++#elif defined(HAVE_BEARSSL)
+
+-#if (defined(HAVE_NSS) || defined(HAVE_NETTLE)) && !defined(HAVE_LIBBSD)
++#include <bearssl.h>
++
++struct ub_randstate {
++ br_hmac_drbg_context ctx;
++ int seeded;
++};
++
++struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
++{
++ struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
++ unsigned char buf[32];
++ if(!s) {
++ log_err("malloc failure in random init");
++ return NULL;
++ }
++ if(getentropy(buf, sizeof(buf)) == 0) {
++ /* got entropy */
++ br_hmac_drbg_init(&s->ctx, &br_sha256_vtable, buf, sizeof(buf));
++ s->seeded = 1;
++ } else {
++ log_err("bearssl random(hmac-drbg) cannot initialize, "
++ "getentropy failed: %s", strerror(errno));
++ free(s);
++ return NULL;
++ }
++
++ return s;
++}
++
++long int ub_random(struct ub_randstate* s)
++{
++ unsigned long x = 0;
++ if (!s || !s->seeded) {
++ log_err("couldn't generate randomness, hmac-drbg generator not yet seeded");
++ } else {
++ br_hmac_drbg_generate(&s->ctx, (unsigned char *)&x, sizeof(x));
++ }
++ return x & MAX_VALUE;
++}
++
++#endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE or HAVE_BEARSSL */
++
++#if (defined(HAVE_NSS) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)) && !defined(HAVE_LIBBSD)
+ long int
+ ub_random_max(struct ub_randstate* state, long int x)
+ {
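Review bot: In the BearSSL `ub_initstate`/`ub_random` pair the `seeded` field is dead state: the only path that leaves it at 0 frees the state and returns NULL, so every non-NULL `ub_randstate` is seeded and the `!s->seeded` branch in `ub_random` is unreachable. I would drop the field and reduce the check to `if(!s) { log_err("couldn't generate randomness, hmac-drbg state missing"); }`, keeping the struct to just the `br_hmac_drbg_context`. The generator is seeded once with 32 bytes from `getentropy` and, since BearSSL's HMAC-DRBG does not reseed on its own, never again for the life of the state; that is within SP 800-90A's reseed interval for a query-ID/port source, but a comment on `br_hmac_drbg_init` saying `/* seeded once from getentropy(); br_hmac_drbg never reseeds itself, reseed via br_hmac_drbg_update if ever needed */` would spare the next reader the question. Note `from` is ignored, so each caller's state is seeded independently from the kernel rather than derived from a parent — fine as long as every worker calls `ub_initstate` itself, which I cannot confirm from this hunk.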
+diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
+index 7abf66f0..aa20b57b 100644
+--- a/validator/val_secalgo.c
++++ b/validator/val_secalgo.c
+@@ -50,7 +50,7 @@
+ #include "sldns/keyraw.h"
+ #include "sldns/sbuffer.h"
+
+-#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
++#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) && !defined(HAVE_BEARSSL)
+ #error "Need crypto library to do digital signature cryptography"
+ #endif
+
+@@ -2067,4 +2067,382 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
+ }
+ }
+
+-#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
++#elif defined(HAVE_BEARSSL)
++
++#include <bearssl.h>
++
++/* return size of digest if supported, or 0 otherwise */
++size_t
++nsec3_hash_algo_size_supported(int id)
++{
++ switch(id) {
++ case NSEC3_HASH_SHA1:
++ return br_sha1_SIZE;
++ default:
++ return 0;
++ }
++}
++
++/* perform nsec3 hash. return false on failure */
++int
++secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
++ unsigned char* res)
++{
++ br_hash_compat_context ctx;
++
++ switch(algo) {
++ case NSEC3_HASH_SHA1:
++ br_sha1_init(&ctx.sha1);
++ br_sha1_update(&ctx.sha1, buf, len);
++ br_sha1_out(&ctx.sha1, res);
++ return 1;
++ default:
++ return 0;
++ }
++}
++
++void
++secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
++{
++ br_sha256_context ctx;
++
++ br_sha256_init(&ctx);
++ br_sha256_update(&ctx, buf, len);
++ br_sha256_out(&ctx, res);
++}
++
++/** hash structure for keeping track of running hashes */
++struct secalgo_hash {
++ br_hash_compat_context ctx;
++};
++
++/** create secalgo hash with hash type */
++static struct secalgo_hash* secalgo_hash_create(const br_hash_class *vtable)
++{
++ struct secalgo_hash* h;
++ h = calloc(1, sizeof(*h));
++ if(!h)
++ return NULL;
++ vtable->init(&h->ctx.vtable);
++ return h;
++}
++
++struct secalgo_hash* secalgo_hash_create_sha384(void)
++{
++ return secalgo_hash_create(&br_sha384_vtable);
++}
++
++struct secalgo_hash* secalgo_hash_create_sha512(void)
++{
++ return secalgo_hash_create(&br_sha512_vtable);
++}
++
++int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
++{
++ hash->ctx.vtable->update(&hash->ctx.vtable, data, len);
++ return 1;
++}
++
++int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
++ size_t maxlen, size_t* resultlen)
++{
++ size_t len;
++
++ hash->ctx.vtable->out(&hash->ctx.vtable, result);
++ len = hash->ctx.vtable->desc >> BR_HASHDESC_OUT_OFF & BR_HASHDESC_OUT_MASK;
++ if(len > maxlen) {
++ *resultlen = 0;
++ log_err("secalgo_hash_final: hash buffer too small");
++ return 0;
++ }
++ hash->ctx.vtable->out(&hash->ctx.vtable, result);
++ *resultlen = len;
++ return 1;
++}
++
++void secalgo_hash_delete(struct secalgo_hash* hash)
++{
++ if(!hash) return;
++ free(hash);
++}
++
++size_t
++ds_digest_size_supported(int algo)
++{
++ switch(algo) {
++ case LDNS_SHA1:
++#ifdef USE_SHA1
++ return br_sha1_SIZE;
++#else
++ if(fake_sha1) return 20;
++ return 0;
++#endif
++#ifdef USE_SHA2
++ case LDNS_SHA256:
++ return br_sha256_SIZE;
++#endif
++#ifdef USE_ECDSA
++ case LDNS_SHA384:
++ return br_sha384_SIZE;
++#endif
++ }
++ return 0;
++}
++
++int
++secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
++ unsigned char* res)
++{
++ br_hash_compat_context ctx;
++
++ switch(algo) {
++#ifdef USE_SHA1
++ case LDNS_SHA1:
++ br_sha1_init(&ctx.sha1);
++ br_sha1_update(&ctx.sha1, buf, len);
++ br_sha1_out(&ctx.sha1, res);
++ return 1;
++#endif
++#ifdef USE_SHA2
++ case LDNS_SHA256:
++ br_sha256_init(&ctx.sha256);
++ br_sha256_update(&ctx.sha256, buf, len);
++ br_sha256_out(&ctx.sha256, res);
++ return 1;
++#endif
++#ifdef USE_ECDSA
++ case LDNS_SHA384:
++ br_sha384_init(&ctx.sha384);
++ br_sha384_update(&ctx.sha384, buf, len);
++ br_sha384_out(&ctx.sha384, res);
++ return 1;
++#endif
++ default:
++ verbose(VERB_QUERY, "unknown DS digest algorithm %d", algo);
++ break;
++ }
++ return 0;
++}
++
++int
++dnskey_algo_id_is_supported(int id)
++{
++ switch(id) {
++ case LDNS_DSA:
++ case LDNS_DSA_NSEC3:
++ if(fake_dsa || fake_sha1) return 1;
++ return 0;
++ case LDNS_RSASHA1:
++ case LDNS_RSASHA1_NSEC3:
++#ifdef USE_SHA1
++ return 1;
++#else
++ if(fake_sha1) return 1;
++ return 0;
++#endif
++#ifdef USE_SHA2
++ case LDNS_RSASHA256:
++ case LDNS_RSASHA512:
++#endif
++#ifdef USE_ECDSA
++ case LDNS_ECDSAP256SHA256:
++ case LDNS_ECDSAP384SHA384:
++#endif
++#if defined(USE_SHA1) || defined(USE_SHA2)
++ return 1;
++#endif
++
++ default:
++ return 0;
++ }
++}
++
++#if defined(USE_SHA1) || defined(USE_SHA2)
++static char *
++_verify_bearssl_rsa(sldns_buffer* buf, const unsigned char* hash,
++ size_t hashlen, const unsigned char* oid, const unsigned char* sig,
++ size_t siglen, unsigned char* key, size_t keylen)
++{
++ br_rsa_public_key pubkey;
++ unsigned char sighash[64];
++
++ /* RSA pubkey parsing as per RFC 3110 sec. 2 */
++ if(keylen <= 1) {
++ return "null RSA key";
++ }
++ if (key[0] != 0) {
++ /* 1-byte length */
++ pubkey.e = key + 1;
++ pubkey.elen = key[0];
++ } else {
++ /* 1-byte NUL + 2-bytes exponent length */
++ if (keylen < 3) {
++ return "incorrect RSA key length";
++ }
++ pubkey.e = key + 3;
++ pubkey.elen = (unsigned)key[1] << 8 | (unsigned)key[2];
++ if (pubkey.elen == 0)
++ return "null RSA exponent length";
++ }
++ /* Check that we are not over-running input length */
++ if (keylen < (pubkey.e - key) + pubkey.elen + 1) {
++ return "RSA key content shorter than expected";
++ }
++ pubkey.n = pubkey.e + pubkey.elen;
++ pubkey.nlen = keylen - (pubkey.n - key);
++
++ if (br_rsa_pkcs1_vrfy_get_default()(sig, siglen, oid, hashlen, &pubkey,
++ sighash) != 1 || memcmp(hash, sighash, hashlen) != 0) {
++ return "RSA signature verification failed";
++ } else {
++ return NULL;
++ }
++}
++#endif
++
++#ifdef USE_ECDSA
++static char *
++_verify_bearssl_ecdsa(sldns_buffer* buf, int algo, const unsigned char* hash,
++ size_t hashlen, const unsigned char* sig, size_t siglen,
++ unsigned char* key, size_t keylen)
++{
++ br_ec_public_key pubkey;
++ unsigned char q[97];
++
++ /* uncompressed point format */
++ q[0] = 4;
++ switch(algo) {
++ case LDNS_ECDSAP256SHA256:
++ pubkey.curve = BR_EC_secp256r1;
++ if (keylen != 64) {
++ return "incorrect ECDSA P-256 key length";
++ }
++ memcpy(q + 1, key, 64);
++ break;
++ case LDNS_ECDSAP384SHA384:
++ pubkey.curve = BR_EC_secp384r1;
++ if (keylen != 96) {
++ return "incorrect ECDSA P-384 key length";
++ }
++ memcpy(q + 1, key, 96);
++ break;
++ default:
++ return "unsupported ECDSA algorithm";
++ }
++ pubkey.q = q;
++ pubkey.qlen = 1 + keylen;
++
++ if (br_ecdsa_vrfy_raw_get_default()(br_ec_get_default(), hash, hashlen,
++ &pubkey, sig, siglen) != 1) {
++ return "ECDSA signature verification failed";
++ } else {
++ return NULL;
++ }
++}
++#endif
++
++/**
++ * Check a canonical sig+rrset and signature against a dnskey
++ * @param buf: buffer with data to verify, the first rrsig part and the
++ * canonicalized rrset.
++ * @param algo: DNSKEY algorithm.
++ * @param sigblock: signature rdata field from RRSIG
++ * @param sigblock_len: length of sigblock data.
++ * @param key: public key data from DNSKEY RR.
++ * @param keylen: length of keydata.
++ * @param reason: bogus reason in more detail.
++ * @return secure if verification succeeded, bogus on crypto failure,
++ * unchecked on format errors and alloc failures.
++ */
++enum sec_status
++verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sig,
++ unsigned int siglen, unsigned char* key, unsigned int keylen,
++ char** reason)
++{
++ br_hash_compat_context ctx;
++ const unsigned char *oid;
++ unsigned char hash[64];
++ size_t hashlen;
++
++ if (siglen == 0 || keylen == 0) {
++ *reason = "null signature";
++ return sec_status_bogus;
++ }
++
++#ifndef USE_DSA
++ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && (fake_dsa || fake_sha1))
++ return sec_status_secure;
++#endif
++#ifndef USE_SHA1
++ if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
++ return sec_status_secure;
++#endif
++
++ switch(algo) {
++#ifdef USE_SHA1
++ case LDNS_RSASHA1:
++ case LDNS_RSASHA1_NSEC3:
++ ctx.vtable = &br_sha1_vtable;
++ oid = BR_HASH_OID_SHA1;
++ break;
++#endif
++#ifdef USE_SHA2
++ case LDNS_RSASHA256:
++ ctx.vtable = &br_sha256_vtable;
++ oid = BR_HASH_OID_SHA256;
++ break;
++ case LDNS_RSASHA512:
++ ctx.vtable = &br_sha512_vtable;
++ oid = BR_HASH_OID_SHA512;
++ break;
++#endif
++#ifdef USE_ECDSA
++ case LDNS_ECDSAP256SHA256:
++ ctx.vtable = &br_sha256_vtable;
++ break;
++ case LDNS_ECDSAP384SHA384:
++ ctx.vtable = &br_sha384_vtable;
++ break;
++#endif
++ default:
++ *reason = "unable to verify signature, unknown algorithm";
++ return sec_status_bogus;
++ }
++
++ ctx.vtable->init(&ctx.vtable);
++ ctx.vtable->update(&ctx.vtable, sldns_buffer_begin(buf), sldns_buffer_limit(buf));
++ ctx.vtable->out(&ctx.vtable, hash);
++ hashlen = ctx.vtable->desc >> BR_HASHDESC_OUT_OFF & BR_HASHDESC_OUT_MASK;
++
++ switch(algo) {
++#if defined(USE_SHA1) || defined(USE_SHA2)
++#ifdef USE_SHA1
++ case LDNS_RSASHA1:
++ case LDNS_RSASHA1_NSEC3:
++#endif
++#ifdef USE_SHA2
++ case LDNS_RSASHA256:
++ case LDNS_RSASHA512:
++#endif
++ *reason = _verify_bearssl_rsa(buf, hash, hashlen, oid, sig,
++ siglen, key, keylen);
++ break;
++#endif
++#ifdef USE_ECDSA
++ case LDNS_ECDSAP256SHA256:
++ case LDNS_ECDSAP384SHA384:
++ *reason = _verify_bearssl_ecdsa(buf, algo, hash, hashlen,
++ sig, siglen, key, keylen);
++ break;
++#endif
++ default:
++ *reason = "unable to verify signature, unknown algorithm";
++ }
++ if (*reason != NULL) {
++ return sec_status_bogus;
++ } else {
++ return sec_status_secure;
++ }
++}
++
++#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE or HAVE_BEARSSL */
+diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
+index b15fba3f..2ffe73b8 100644
+--- a/validator/val_sigcrypt.c
++++ b/validator/val_sigcrypt.c
+@@ -58,7 +58,7 @@
+ #include "sldns/wire2str.h"
+
+ #include <ctype.h>
+-#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
++#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) && !defined(HAVE_BEARSSL)
+ #error "Need crypto library to do digital signature cryptography"
+ #endif
+
+--
+2.34.1
+
diff --git a/pkg/unbound/patch/0003-Remove-need-for-size_t-size-check.patch b/pkg/unbound/patch/0003-Remove-need-for-size_t-size-check.patch
@@ -0,0 +1,89 @@
+From a7120321640d03c0ec7444719366bec99add6542 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 16:05:33 -0800
+Subject: [PATCH] Remove need for size_t size check
+
+---
+ configure | 33 ---------------------------------
+ configure.ac | 1 -
+ util/regional.c | 8 +-------
+ 3 files changed, 1 insertion(+), 41 deletions(-)
+
+diff --git a/configure b/configure
+index 9c33d22f..8b012048 100755
+--- a/configure
++++ b/configure
+@@ -15163,39 +15163,6 @@ cat >>confdefs.h <<_ACEOF
+ _ACEOF
+
+
+-# The cast to long int works around a bug in the HP C Compiler
+-# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+-# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+-# This bug is HP SR number 8606223364.
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5
+-$as_echo_n "checking size of size_t... " >&6; }
+-if ${ac_cv_sizeof_size_t+:} false; then :
+- $as_echo_n "(cached) " >&6
+-else
+- if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default"; then :
+-
+-else
+- if test "$ac_cv_type_size_t" = yes; then
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+-as_fn_error 77 "cannot compute sizeof (size_t)
+-See \`config.log' for more details" "$LINENO" 5; }
+- else
+- ac_cv_sizeof_size_t=0
+- fi
+-fi
+-
+-fi
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5
+-$as_echo "$ac_cv_sizeof_size_t" >&6; }
+-
+-
+-
+-cat >>confdefs.h <<_ACEOF
+-#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t
+-_ACEOF
+-
+-
+
+ # add option to disable the evil rpath
+
+diff --git a/configure.ac b/configure.ac
+index 9e15aee4..750e9bfd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -448,7 +448,6 @@ AC_INCLUDES_DEFAULT
+ # endif
+ #endif
+ ])
+-AC_CHECK_SIZEOF(size_t)
+
+ # add option to disable the evil rpath
+ ACX_ARG_RPATH
+diff --git a/util/regional.c b/util/regional.c
+index 93e911c5..1c6629c3 100644
+--- a/util/regional.c
++++ b/util/regional.c
+@@ -146,13 +146,7 @@ regional_alloc(struct regional *r, size_t size)
+ {
+ size_t a;
+ void *s;
+- if(
+-#if SIZEOF_SIZE_T == 8
+- (unsigned long long)size >= 0xffffffffffffff00ULL
+-#else
+- (unsigned)size >= (unsigned)0xffffff00UL
+-#endif
+- )
++ if(size >= (size_t)-0x100)
+ return NULL; /* protect against integer overflow in
+ malloc and ALIGN_UP */
+ a = ALIGN_UP(size, ALIGNMENT);
+--
+2.34.1
+
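Review bot: In util/regional.c the new guard `if(size >= (size_t)-0x100)` relies on the modular conversion of a negative int to `size_t`, which is well-defined but reads as a trick; `if(size >= SIZE_MAX - 0xff)` states the same bound directly and still needs no configure-time size probe (SIZE_MAX comes from <stdint.h>, if regional.c does not already see it). The comment below it about protecting malloc and ALIGN_UP from overflow keeps its meaning either way, and the rest of regional_alloc continues outside the hunk.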
diff --git a/pkg/unbound/patch/0004-Allow-building-daemon-without-TLS-support.patch b/pkg/unbound/patch/0004-Allow-building-daemon-without-TLS-support.patch
@@ -0,0 +1,499 @@
+From b69e788f3c4b8c3dbdb8d272630fe0616f43406f Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 13:57:48 -0800
+Subject: [PATCH] Allow building daemon without TLS support
+
+---
+ configure | 11 ---------
+ configure.ac | 11 ---------
+ daemon/cachedump.c | 2 ++
+ daemon/remote.c | 46 +++++++++++++++++++++++++++++++++-----
+ daemon/remote.h | 2 --
+ daemon/unbound.c | 9 +++++---
+ smallapp/unbound-control.c | 44 +++++++++++++++++++++++++++++++-----
+ 7 files changed, 86 insertions(+), 39 deletions(-)
+
+diff --git a/configure b/configure
+index 8b012048..f2ea348e 100755
+--- a/configure
++++ b/configure
+@@ -21739,17 +21739,6 @@ if test "${with_libunbound_only+set}" = set; then :
+
+ fi
+
+-if test $ALLTARGET = "alltargets"; then
+- if test $USE_NSS = "yes"; then
+- as_fn_error $? "--with-nss can only be used in combination with --with-libunbound-only." "$LINENO" 5
+- fi
+- if test $USE_NETTLE = "yes"; then
+- as_fn_error $? "--with-nettle can only be used in combination with --with-libunbound-only." "$LINENO" 5
+- fi
+- if test $USE_BEARSSL = "yes"; then
+- as_fn_error $? "--with-bearssl can only be used in combination with --with-libunbound-only." "$LINENO" 5
+- fi
+-fi
+
+
+
+diff --git a/configure.ac b/configure.ac
+index 750e9bfd..de6468c8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1955,17 +1955,6 @@ AC_ARG_WITH(libunbound-only, AS_HELP_STRING([--with-libunbound-only],[do not bui
+ INSTALLTARGET="install-lib"
+ fi
+ ])
+-if test $ALLTARGET = "alltargets"; then
+- if test $USE_NSS = "yes"; then
+- AC_MSG_ERROR([--with-nss can only be used in combination with --with-libunbound-only.])
+- fi
+- if test $USE_NETTLE = "yes"; then
+- AC_MSG_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])
+- fi
+- if test $USE_BEARSSL = "yes"; then
+- AC_MSG_ERROR([--with-bearssl can only be used in combination with --with-libunbound-only.])
+- fi
+-fi
+
+ AC_SUBST(ALLTARGET)
+ AC_SUBST(INSTALLTARGET)
+diff --git a/daemon/cachedump.c b/daemon/cachedump.c
+index b1ce53b5..b5636ca7 100644
+--- a/daemon/cachedump.c
++++ b/daemon/cachedump.c
+@@ -40,7 +40,9 @@
+ * to text format.
+ */
+ #include "config.h"
++#ifdef HAVE_SSL
+ #include <openssl/ssl.h>
++#endif
+ #include "daemon/cachedump.h"
+ #include "daemon/remote.h"
+ #include "daemon/worker.h"
+diff --git a/daemon/remote.c b/daemon/remote.c
+index adf03838..94ab5603 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -149,6 +149,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
+ #endif
+ }
+
++#ifdef HAVE_SSL
+ static int
+ remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
+ {
+@@ -199,6 +200,7 @@ remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
+ free(s_key);
+ return 1;
+ }
++#endif
+
+ struct daemon_remote*
+ daemon_remote_create(struct config_file* cfg)
+@@ -211,19 +213,25 @@ daemon_remote_create(struct config_file* cfg)
+ }
+ rc->max_active = 10;
+
++#ifdef HAVE_SSL
++ rc->ctx = NULL;
++#endif
+ if(!cfg->remote_control_enable) {
+- rc->ctx = NULL;
+ return rc;
+ }
+ if(options_remote_is_address(cfg) && cfg->control_use_cert) {
++#ifdef HAVE_SSL
+ if(!remote_setup_ctx(rc, cfg)) {
+ daemon_remote_delete(rc);
+ return NULL;
+ }
+ rc->use_cert = 1;
++#else
++ log_err("unbound built without TLS support");
++ return NULL;
++#endif
+ } else {
+ struct config_strlist* p;
+- rc->ctx = NULL;
+ rc->use_cert = 0;
+ if(!options_remote_is_address(cfg))
+ for(p = cfg->control_ifs.first; p; p = p->next) {
+@@ -245,8 +253,10 @@ void daemon_remote_clear(struct daemon_remote* rc)
+ p = rc->busy_list;
+ while(p) {
+ np = p->next;
++#ifdef HAVE_SSL
+ if(p->ssl)
+ SSL_free(p->ssl);
++#endif
+ comm_point_delete(p->c);
+ free(p);
+ p = np;
+@@ -260,9 +270,11 @@ void daemon_remote_delete(struct daemon_remote* rc)
+ {
+ if(!rc) return;
+ daemon_remote_clear(rc);
++#ifdef HAVE_SSL
+ if(rc->ctx) {
+ SSL_CTX_free(rc->ctx);
+ }
++#endif
+ free(rc);
+ }
+
+@@ -496,6 +508,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
+ comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT);
+ memcpy(&n->c->repinfo.addr, &addr, addrlen);
+ n->c->repinfo.addrlen = addrlen;
++#ifdef HAVE_SSL
+ if(rc->use_cert) {
+ n->shake_state = rc_hs_read;
+ n->ssl = SSL_new(rc->ctx);
+@@ -517,6 +530,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
+ } else {
+ n->ssl = NULL;
+ }
++#endif
+
+ n->rc = rc;
+ n->next = rc->busy_list;
+@@ -548,10 +562,12 @@ clean_point(struct daemon_remote* rc, struct rc_state* s)
+ {
+ state_list_remove_elem(&rc->busy_list, s->c);
+ rc->active --;
++#ifdef HAVE_SSL
+ if(s->ssl) {
+ SSL_shutdown(s->ssl);
+ SSL_free(s->ssl);
+ }
++#endif
+ comm_point_delete(s->c);
+ free(s);
+ }
+@@ -562,6 +578,7 @@ ssl_print_text(RES* res, const char* text)
+ int r;
+ if(!res)
+ return 0;
++#ifdef HAVE_SSL
+ if(res->ssl) {
+ ERR_clear_error();
+ if((r=SSL_write(res->ssl, text, (int)strlen(text))) <= 0) {
+@@ -573,7 +590,9 @@ ssl_print_text(RES* res, const char* text)
+ log_crypto_err("could not SSL_write");
+ return 0;
+ }
+- } else {
++ } else
++#endif
++ {
+ size_t at = 0;
+ while(at < strlen(text)) {
+ ssize_t r = send(res->fd, text+at, strlen(text)-at, 0);
+@@ -618,6 +637,7 @@ ssl_read_line(RES* res, char* buf, size_t max)
+ if(!res)
+ return 0;
+ while(len < max) {
++#ifdef HAVE_SSL
+ if(res->ssl) {
+ ERR_clear_error();
+ if((r=SSL_read(res->ssl, buf+len, 1)) <= 0) {
+@@ -628,7 +648,9 @@ ssl_read_line(RES* res, char* buf, size_t max)
+ log_crypto_err("could not SSL_read");
+ return 0;
+ }
+- } else {
++ } else
++#endif
++ {
+ while(1) {
+ ssize_t rr = recv(res->fd, buf+len, 1, 0);
+ if(rr <= 0) {
+@@ -3232,6 +3254,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
+ fd_set_block(s->c->fd);
+
+ /* try to read magic UBCT[version]_space_ string */
++#ifdef HAVE_SSL
+ if(res->ssl) {
+ ERR_clear_error();
+ if((r=SSL_read(res->ssl, magic, (int)sizeof(magic)-1)) <= 0) {
+@@ -3240,7 +3263,9 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
+ log_crypto_err("could not SSL_read");
+ return;
+ }
+- } else {
++ } else
++#endif
++ {
+ while(1) {
+ ssize_t rr = recv(res->fd, magic, sizeof(magic)-1, 0);
+ if(rr <= 0) {
+@@ -3278,6 +3303,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
+ execute_cmd(rc, res, buf, rc->worker);
+ }
+
++#ifdef HAVE_SSL
+ /** handle SSL_do_handshake changes to the file descriptor to wait for later */
+ static int
+ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
+@@ -3309,6 +3335,7 @@ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
+ }
+ return 0;
+ }
++#endif
+
+ int remote_control_callback(struct comm_point* c, void* arg, int err,
+ struct comm_reply* ATTR_UNUSED(rep))
+@@ -3323,6 +3350,7 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
+ clean_point(rc, s);
+ return 0;
+ }
++#ifdef HAVE_SSL
+ if(s->ssl) {
+ /* (continue to) setup the SSL connection */
+ ERR_clear_error();
+@@ -3333,11 +3361,14 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
+ }
+ s->shake_state = rc_none;
+ }
++#endif
+
+ /* once handshake has completed, check authentication */
+ if (!rc->use_cert) {
+ verbose(VERB_ALGO, "unauthenticated remote control connection");
+- } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
++ }
++#ifdef HAVE_SSL
++ else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
+ #ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+ X509* x = SSL_get1_peer_certificate(s->ssl);
+ #else
+@@ -3357,9 +3388,12 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
+ clean_point(rc, s);
+ return 0;
+ }
++#endif
+
+ /* if OK start to actually handle the request */
++#ifdef HAVE_SSL
+ res.ssl = s->ssl;
++#endif
+ res.fd = c->fd;
+ handle_req(rc, s, &res);
+
+diff --git a/daemon/remote.h b/daemon/remote.h
+index 217ea21e..e2972779 100644
+--- a/daemon/remote.h
++++ b/daemon/remote.h
+@@ -174,7 +174,6 @@ void daemon_remote_start_accept(struct daemon_remote* rc);
+ */
+ void daemon_remote_exec(struct worker* worker);
+
+-#ifdef HAVE_SSL
+ /**
+ * Print fixed line of text over ssl connection in blocking mode
+ * @param ssl: print to
+@@ -201,6 +200,5 @@ int ssl_printf(RES* ssl, const char* format, ...)
+ * @return false on connection failure.
+ */
+ int ssl_read_line(RES* ssl, char* buf, size_t max);
+-#endif /* HAVE_SSL */
+
+ #endif /* DAEMON_REMOTE_H */
+diff --git a/daemon/unbound.c b/daemon/unbound.c
+index 1a31bb3e..2baf4dba 100644
+--- a/daemon/unbound.c
++++ b/daemon/unbound.c
+@@ -60,14 +60,16 @@
+ #include "util/ub_event.h"
+ #include <signal.h>
+ #include <fcntl.h>
++#ifdef HAVE_SSL
+ #include <openssl/crypto.h>
++#include <openssl/ssl.h>
++#endif
+ #ifdef HAVE_PWD_H
+ #include <pwd.h>
+ #endif
+ #ifdef HAVE_GRP_H
+ #include <grp.h>
+ #endif
+-#include <openssl/ssl.h>
+
+ #ifndef S_SPLINT_S
+ /* splint chokes on this system header file */
+@@ -488,10 +490,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
+ w_config_adjust_directory(cfg);
+ #endif
+
+- /* read ssl keys while superuser and outside chroot */
+-#ifdef HAVE_SSL
+ if(!(daemon->rc = daemon_remote_create(cfg)))
+ fatal_exit("could not set up remote-control");
++
++ /* read ssl keys while superuser and outside chroot */
++#ifdef HAVE_SSL
+ if(cfg->ssl_service_key && cfg->ssl_service_key[0]) {
+ if(!(daemon->listen_sslctx = listen_sslctx_create(
+ cfg->ssl_service_key, cfg->ssl_service_pem, NULL)))
+diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
+index c7c38276..fea6a9f7 100644
+--- a/smallapp/unbound-control.c
++++ b/smallapp/unbound-control.c
+@@ -45,6 +45,7 @@
+ #ifdef HAVE_GETOPT_H
+ #include <getopt.h>
+ #endif
++#ifdef HAVE_SSL
+ #ifdef HAVE_OPENSSL_SSL_H
+ #include <openssl/ssl.h>
+ #endif
+@@ -54,6 +55,9 @@
+ #ifdef HAVE_OPENSSL_RAND_H
+ #include <openssl/rand.h>
+ #endif
++#else
++typedef void *SSL;
++#endif
+ #include "util/log.h"
+ #include "util/config_file.h"
+ #include "util/locks.h"
+@@ -486,6 +490,7 @@ static void print_stats_shm(const char* cfgfile)
+ #endif /* HAVE_SHMGET */
+ }
+
++#ifdef HAVE_SSL
+ /** exit with ssl error */
+ static void ssl_err(const char* s)
+ {
+@@ -515,8 +520,6 @@ setup_ctx(struct config_file* cfg)
+ char* s_cert=NULL, *c_key=NULL, *c_cert=NULL;
+ SSL_CTX* ctx;
+
+- if(!(options_remote_is_address(cfg) && cfg->control_use_cert))
+- return NULL;
+ s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
+ c_key = fname_after_chroot(cfg->control_key_file, cfg, 1);
+ c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1);
+@@ -555,6 +558,7 @@ setup_ctx(struct config_file* cfg)
+ free(c_cert);
+ return ctx;
+ }
++#endif
+
+ /** check connect error */
+ static void
+@@ -723,6 +727,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
+ return fd;
+ }
+
++#ifdef HAVE_SSL
+ /** setup SSL on the connection */
+ static SSL*
+ setup_ssl(SSL_CTX* ctx, int fd)
+@@ -759,11 +764,13 @@ setup_ssl(SSL_CTX* ctx, int fd)
+
+ return ssl;
+ }
++#endif
+
+ /** read from ssl or fd, fatalexit on error, 0 EOF, 1 success */
+ static int
+ remote_read(SSL* ssl, int fd, char* buf, size_t len)
+ {
++#ifdef HAVE_SSL
+ if(ssl) {
+ int r;
+ ERR_clear_error();
+@@ -775,7 +782,9 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
+ ssl_err("could not SSL_read");
+ }
+ buf[r] = 0;
+- } else {
++ } else
++#endif
++ {
+ ssize_t rr = recv(fd, buf, len-1, 0);
+ if(rr <= 0) {
+ if(rr == 0) {
+@@ -793,10 +802,13 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
+ static void
+ remote_write(SSL* ssl, int fd, const char* buf, size_t len)
+ {
++#ifdef HAVE_SSL
+ if(ssl) {
+ if(SSL_write(ssl, buf, (int)len) <= 0)
+ ssl_err("could not SSL_write");
+- } else {
++ } else
++#endif
++ {
+ if(send(fd, buf, len, 0) < (ssize_t)len) {
+ fatal_exit("could not send: %s", sock_strerror(errno));
+ }
+@@ -894,7 +906,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
+ {
+ struct config_file* cfg;
+ int fd, ret;
++#ifdef HAVE_SSL
+ SSL_CTX* ctx;
++#endif
+ SSL* ssl;
+
+ /* read config */
+@@ -907,18 +921,34 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
+ #ifdef UB_ON_WINDOWS
+ w_config_adjust_directory(cfg);
+ #endif
+- ctx = setup_ctx(cfg);
++ if(options_remote_is_address(cfg) && cfg->control_use_cert) {
++#ifdef HAVE_SSL
++ ctx = setup_ctx(cfg);
++#else
++ fatal_exit("unbound built without TLS support");
++#endif
++ } else {
++#ifdef HAVE_SSL
++ ctx = NULL;
++#endif
++ }
+
+ /* contact server */
+ fd = contact_server(svr, cfg, argc>0&&strcmp(argv[0],"status")==0);
++#ifdef HAVE_SSL
+ ssl = setup_ssl(ctx, fd);
++#else
++ ssl = NULL;
++#endif
+
+ /* send command */
+ ret = go_cmd(ssl, fd, quiet, argc, argv);
+
++#ifdef HAVE_SSL
+ if(ssl) SSL_free(ssl);
+- sock_close(fd);
+ if(ctx) SSL_CTX_free(ctx);
++#endif
++ sock_close(fd);
+ config_delete(cfg);
+ return ret;
+ }
+@@ -997,6 +1027,7 @@ int main(int argc, char* argv[])
+ fatal_exit("WSAStartup failed: %s", wsa_strerror(r));
+ #endif
+
++#ifdef HAVE_SSL
+ #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
+ ERR_load_crypto_strings();
+ #endif
+@@ -1031,6 +1062,7 @@ int main(int argc, char* argv[])
+ RAND_seed(buf, 256);
+ log_warn("no entropy, seeding openssl PRNG with time\n");
+ }
++#endif
+
+ ret = go(cfgfile, svr, quiet, argc, argv);
+
+--
+2.34.1
+
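Review bot: The new `#else` arm in daemon_remote_create (daemon/remote.c) returns NULL after `log_err("unbound built without TLS support")` without releasing `rc`, while the sibling remote_setup_ctx failure path calls `daemon_remote_delete(rc)` first; the caller in perform_setup fatal_exits on NULL, so this is only a leak at exit, but `daemon_remote_delete(rc);` belongs before that `return NULL;`. In remote_control_callback the non-TLS build now reaches handle_req whenever `rc->use_cert` is set, because the certificate check and its rejection are both inside `#ifdef HAVE_SSL`; daemon_remote_create refuses such a configuration, but an `#else` arm that logs, calls `clean_point(rc, s)` and returns 0 would keep that path fail-closed regardless. Both functions continue outside the hunk.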
diff --git a/pkg/unbound/patch/0005-Allow-building-daemon-without-remote-control.patch b/pkg/unbound/patch/0005-Allow-building-daemon-without-remote-control.patch
@@ -0,0 +1,162 @@
+From 91e0865f0bd42d28d50ddd1fc1fae6cfaab17e46 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 16:08:12 -0800
+Subject: [PATCH] Allow building daemon without remote control
+
+---
+ daemon/daemon.c | 13 +++++++++++++
+ daemon/unbound.c | 5 +++++
+ daemon/worker.c | 8 ++++++++
+ util/fptr_wlist.c | 4 ++++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/daemon/daemon.c b/daemon/daemon.c
+index 0e3923b4..27132ce1 100644
+--- a/daemon/daemon.c
++++ b/daemon/daemon.c
+@@ -68,7 +68,9 @@
+
+ #include "daemon/daemon.h"
+ #include "daemon/worker.h"
++#ifdef WITH_REMOTE
+ #include "daemon/remote.h"
++#endif
+ #include "daemon/acl_list.h"
+ #include "util/log.h"
+ #include "util/config_file.h"
+@@ -378,9 +380,16 @@ daemon_open_shared_ports(struct daemon* daemon)
+ if(daemon->cfg->remote_control_enable &&
+ daemon->cfg->control_port != daemon->rc_port) {
+ listening_ports_free(daemon->rc_ports);
++#ifdef WITH_REMOTE
+ if(!(daemon->rc_ports=daemon_remote_open_ports(daemon->cfg)))
+ return 0;
+ daemon->rc_port = daemon->cfg->control_port;
++#else
++ log_err("unbound built without remote control");
++ daemon->rc_ports = NULL;
++ daemon->rc_port = 0;
++ return 0;
++#endif
+ }
+ return 1;
+ }
+@@ -738,8 +747,10 @@ daemon_cleanup(struct daemon* daemon)
+ daemon->views = NULL;
+ if(daemon->env->auth_zones)
+ auth_zones_cleanup(daemon->env->auth_zones);
++#ifdef WITH_REMOTE
+ /* key cache is cleared by module desetup during next daemon_fork() */
+ daemon_remote_clear(daemon->rc);
++#endif
+ for(i=0; i<daemon->num; i++)
+ worker_delete(daemon->workers[i]);
+ free(daemon->workers);
+@@ -764,7 +775,9 @@ daemon_delete(struct daemon* daemon)
+ if(!daemon)
+ return;
+ modstack_desetup(&daemon->mods, daemon->env);
++#ifdef WITH_REMOTE
+ daemon_remote_delete(daemon->rc);
++#endif
+ for(i = 0; i < daemon->num_ports; i++)
+ listening_ports_free(daemon->ports[i]);
+ free(daemon->ports);
+diff --git a/daemon/unbound.c b/daemon/unbound.c
+index 2baf4dba..7925d91b 100644
+--- a/daemon/unbound.c
++++ b/daemon/unbound.c
+@@ -490,8 +490,13 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
+ w_config_adjust_directory(cfg);
+ #endif
+
++
++#ifdef WITH_REMOTE
+ if(!(daemon->rc = daemon_remote_create(cfg)))
+ fatal_exit("could not set up remote-control");
++#else
++ daemon->rc = NULL;
++#endif
+
+ /* read ssl keys while superuser and outside chroot */
+ #ifdef HAVE_SSL
+diff --git a/daemon/worker.c b/daemon/worker.c
+index 5d2483cd..f3c32279 100644
+--- a/daemon/worker.c
++++ b/daemon/worker.c
+@@ -376,10 +376,12 @@ worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube), uint8_t* msg,
+ verbose(VERB_ALGO, "got control cmd stats_noreset");
+ server_stats_reply(worker, 0);
+ break;
++#ifdef WITH_REMOTE
+ case worker_cmd_remote:
+ verbose(VERB_ALGO, "got control cmd remote");
+ daemon_remote_exec(worker);
+ break;
++#endif
+ default:
+ log_err("bad command %d", (int)cmd);
+ break;
+@@ -1731,11 +1733,13 @@ worker_init(struct worker* worker, struct config_file *cfg,
+ return 0;
+ }
+ #endif /* LIBEVENT_SIGNAL_PROBLEM */
++#ifdef WITH_REMOTE
+ if(!daemon_remote_open_accept(worker->daemon->rc,
+ worker->daemon->rc_ports, worker)) {
+ worker_delete(worker);
+ return 0;
+ }
++#endif
+ #ifdef UB_ON_WINDOWS
+ wsvc_setup_worker(worker);
+ #endif /* UB_ON_WINDOWS */
+@@ -2007,16 +2011,20 @@ void worker_start_accept(void* arg)
+ {
+ struct worker* worker = (struct worker*)arg;
+ listen_start_accept(worker->front);
++#ifdef WITH_REMOTE
+ if(worker->thread_num == 0)
+ daemon_remote_start_accept(worker->daemon->rc);
++#endif
+ }
+
+ void worker_stop_accept(void* arg)
+ {
+ struct worker* worker = (struct worker*)arg;
+ listen_stop_accept(worker->front);
++#ifdef WITH_REMOTE
+ if(worker->thread_num == 0)
+ daemon_remote_stop_accept(worker->daemon->rc);
++#endif
+ }
+
+ /* --- fake callbacks for fptr_wlist to work --- */
+diff --git a/util/fptr_wlist.c b/util/fptr_wlist.c
+index f8dac65c..f98ec5f3 100644
+--- a/util/fptr_wlist.c
++++ b/util/fptr_wlist.c
+@@ -118,8 +118,10 @@ fptr_whitelist_comm_point_raw(comm_point_callback_type *fptr)
+ {
+ if(fptr == &tube_handle_listen) return 1;
+ else if(fptr == &tube_handle_write) return 1;
++#ifdef WITH_REMOTE
+ else if(fptr == &remote_accept_callback) return 1;
+ else if(fptr == &remote_control_callback) return 1;
++#endif
+ return 0;
+ }
+
+@@ -587,7 +589,9 @@ int fptr_whitelist_print_func(void (*fptr)(char*,void*))
+ {
+ if(fptr == &config_print_func) return 1;
+ else if(fptr == &config_collate_func) return 1;
++#ifdef WITH_REMOTE
+ else if(fptr == &remote_get_opt_ssl) return 1;
++#endif
+ return 0;
+ }
+
+--
+2.34.1
+
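Review bot: In daemon_cleanup (daemon/daemon.c) the comment `/* key cache is cleared by module desetup during next daemon_fork() */` is moved inside the new `#ifdef WITH_REMOTE`, yet it describes the cleanup ordering in general rather than remote control, so it disappears from builds without remote control; keep it above the `#ifdef` and wrap only the `daemon_remote_clear(daemon->rc);` call. The daemon/unbound.c hunk also adds a second consecutive blank line before its `#ifdef WITH_REMOTE`. Refusing to start when `remote_control_enable` is set in a build without remote control (the `#else` arm of daemon_open_shared_ports) is the right fail-closed choice; the message there could name the triggering setting so an operator knows which option to turn off.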
diff --git a/pkg/unbound/patch/0006-Remove-unintended-use-of-VLA.patch b/pkg/unbound/patch/0006-Remove-unintended-use-of-VLA.patch
@@ -0,0 +1,27 @@
+From ba9aa51428c55309c307c70c02706777a0403f13 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Tue, 21 Dec 2021 13:24:55 -0800
+Subject: [PATCH] Remove unintended use of VLA
+
+---
+ services/authzone.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/services/authzone.c b/services/authzone.c
+index e83af533..918874cc 100644
+--- a/services/authzone.c
++++ b/services/authzone.c
+@@ -7553,8 +7553,8 @@ static int zonemd_simple_domain(struct auth_zone* z, int hashalgo,
+ struct secalgo_hash* h, struct auth_data* node,
+ struct regional* region, struct sldns_buffer* buf, char** reason)
+ {
+- const size_t rrlistsize = 65536;
+- struct auth_rrset* rrlist[rrlistsize];
++ struct auth_rrset* rrlist[65536];
++ const size_t rrlistsize = sizeof(rrlist) / sizeof(*rrlist);
+ size_t i, rrnum = 0;
+ /* see if the domain is out of scope, the zone origin,
+ * that would be omitted */
+--
+2.34.1
+
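Review bot: The replacement `struct auth_rrset* rrlist[65536];` in zonemd_simple_domain keeps the list on the stack, so each call still reserves 65536 pointers (512 KiB on an LP64 target), the same footprint the VLA had, now fixed at compile time. That exceeds the default thread stack size of some C libraries, so if this function runs on a worker thread it is worth confirming the stack limit or allocating the list from `region` or the heap instead. The rest of the function is outside the hunk.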
diff --git a/pkg/unbound/patch/0007-Remove-use-of-uninitialized-variable.patch b/pkg/unbound/patch/0007-Remove-use-of-uninitialized-variable.patch
@@ -0,0 +1,24 @@
+From ede4d741adeb68ca6e244dfa07af164f1a204432 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Tue, 21 Dec 2021 15:03:44 -0800
+Subject: [PATCH] Remove use of uninitialized variable
+
+---
+ util/ub_event.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/util/ub_event.c b/util/ub_event.c
+index 8cd87ec4..54db6866 100644
+--- a/util/ub_event.c
++++ b/util/ub_event.c
+@@ -211,7 +211,6 @@ ub_default_event_base(int sigs, time_t* time_secs, struct timeval* time_tv)
+ {
+ void* base;
+
+- (void)base;
+ #ifdef USE_MINI_EVENT
+ (void)sigs;
+ /* use mini event time-sharing feature */
+--
+2.34.1
+
diff --git a/pkg/unbound/src b/pkg/unbound/src
@@ -0,0 +1 @@
+Subproject commit 919c8c9527281a7289415c00f8f2aed12b17a9aa
diff --git a/pkg/unbound/ver b/pkg/unbound/ver
@@ -0,0 +1 @@
+1.14.0 r0