unbound: Vendor import 1.16.1

Makefile.in

@@ -345,14 +345,12 @@ test:	unittest$(EXEEXT) testbound$(EXEEXT)
 	./unittest$(EXEEXT)
 	./testbound$(EXEEXT) -s
 	for x in $(srcdir)/testdata/*.rpl; do \
-		printf "%s" "$$x "; \
-		if ./testbound$(EXEEXT) -p $$x >/dev/null 2>&1; then \
-			echo OK; \
+		output=`./testbound$(EXEEXT) -p $$x -o -vvvvv 2>&1`; \
+		if test $$? -eq 0; then \
+			printf "%s OK\n" "$$x "; \
 		else \
-			echo failed; \
-			./testbound$(EXEEXT) -p $$x -o -vvvvv; \
-			printf "%s" "$$x "; \
-			echo failed; \
+			printf "%s\n" "$$output "; \
+			printf "%s failed\n" "$$x "; \
 			exit 1; \
 		fi; \
 	done

config.h.in

@@ -222,6 +222,10 @@
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #undef HAVE_EVP_CLEANUP
 
+/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled'
+   function. */
+#undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+
 /* Define to 1 if you have the `EVP_DigestVerify' function. */
 #undef HAVE_EVP_DIGESTVERIFY
 

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.16.0.
+# Generated by GNU Autoconf 2.69 for unbound 1.16.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.16.0'
-PACKAGE_STRING='unbound 1.16.0'
+PACKAGE_VERSION='1.16.1'
+PACKAGE_STRING='unbound 1.16.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.16.0 to adapt to many kinds of systems.
+\`configure' configures unbound 1.16.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1543,7 +1543,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.16.0:";;
+     short | recursive ) echo "Configuration of unbound 1.16.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1785,7 +1785,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.16.0
+unbound configure 1.16.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.16.0, which was
+It was created by unbound $as_me 1.16.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2846,11 +2846,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=16
 
-UNBOUND_VERSION_MICRO=0
+UNBOUND_VERSION_MICRO=1
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=16
+LIBUNBOUND_REVISION=17
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2934,6 +2934,7 @@ LIBUNBOUND_AGE=1
 # 1.14.0 had 9:14:1
 # 1.15.0 had 9:15:1
 # 1.16.0 had 9:16:1
+# 1.16.1 had 9:17:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -18545,7 +18546,7 @@ fi
 
 done
 
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -19967,7 +19968,46 @@ if test x_$enable_static_exe = x_yes; then
 		else
 			LIBS="$LIBS -lgdi32"
 		fi
-		LIBS="$LIBS -lz"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for compress in -lz" >&5
+$as_echo_n "checking for compress in -lz... " >&6; }
+if ${ac_cv_lib_z_compress+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lz  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char compress ();
+int
+main ()
+{
+return compress ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_z_compress=yes
+else
+  ac_cv_lib_z_compress=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_compress" >&5
+$as_echo "$ac_cv_lib_z_compress" >&6; }
+if test "x$ac_cv_lib_z_compress" = xyes; then :
+   LIBS="$LIBS -lz"
+fi
+
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
@@ -19987,7 +20027,46 @@ if test x_$enable_fully_static = x_yes; then
 		else
 			LIBS="$LIBS -lgdi32"
 		fi
-		LIBS="$LIBS -lz"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for compress in -lz" >&5
+$as_echo_n "checking for compress in -lz... " >&6; }
+if ${ac_cv_lib_z_compress+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lz  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char compress ();
+int
+main ()
+{
+return compress ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_z_compress=yes
+else
+  ac_cv_lib_z_compress=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_compress" >&5
+$as_echo "$ac_cv_lib_z_compress" >&6; }
+if test "x$ac_cv_lib_z_compress" = xyes; then :
+   LIBS="$LIBS -lz"
+fi
+
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
@@ -21934,7 +22013,7 @@ _ACEOF
 
 
 
-version=1.16.0
+version=1.16.1
 
 date=`date +'%b %e, %Y'`
 
@@ -22453,7 +22532,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.16.0, which was
+This file was extended by unbound $as_me 1.16.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22519,7 +22598,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.16.0
+unbound config.status 1.16.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[16])
-m4_define([VERSION_MICRO],[0])
+m4_define([VERSION_MICRO],[1])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=16
+LIBUNBOUND_REVISION=17
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -102,6 +102,7 @@ LIBUNBOUND_AGE=1
 # 1.14.0 had 9:14:1
 # 1.15.0 had 9:15:1
 # 1.16.0 had 9:16:1
+# 1.16.1 had 9:17:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -906,7 +907,7 @@ else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
 
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
@@ -1499,7 +1500,7 @@ if test x_$enable_static_exe = x_yes; then
 		else
 			LIBS="$LIBS -lgdi32"
 		fi
-		LIBS="$LIBS -lz"
+		AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
@@ -1516,7 +1517,7 @@ if test x_$enable_fully_static = x_yes; then
 		else
 			LIBS="$LIBS -lgdi32"
 		fi
-		LIBS="$LIBS -lz"
+		AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi

contrib/metrics.awk

@@ -28,6 +28,7 @@ END {
 	print "unbound_hits_queries{type=\"total.num.prefetch\"} " val["total.num.prefetch"];
 	print "unbound_hits_queries{type=\"num.query.tcp\"} " val["num.query.tcp"];
 	print "unbound_hits_queries{type=\"num.query.tcpout\"} " val["num.query.tcpout"];
+	print "unbound_hits_queries{type=\"num.query.udpout\"} " val["num.query.udpout"];
 	print "unbound_hits_queries{type=\"num.query.tls\"} " val["num.query.tls"];
 	print "unbound_hits_queries{type=\"num.query.tls.resume\"} " val["num.query.tls.resume"];
 	print "unbound_hits_queries{type=\"num.query.ipv6\"} " val["num.query.ipv6"];

contrib/unbound_munin_

@@ -253,6 +253,7 @@ if test "$1" = "config" ; then
 		p_config "total.num.prefetch" "cache prefetch" "ABSOLUTE"
 		p_config "num.query.tcp" "TCP queries" "ABSOLUTE"
 		p_config "num.query.tcpout" "TCP out queries" "ABSOLUTE"
+		p_config "num.query.udpout" "UDP out queries" "ABSOLUTE"
 		p_config "num.query.tls" "TLS queries" "ABSOLUTE"
 		p_config "num.query.tls.resume" "TLS resumes" "ABSOLUTE"
 		p_config "num.query.ipv6" "IPv6 queries" "ABSOLUTE"
@@ -452,7 +453,7 @@ hits)
 	for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state |
 		sed -e 's/=.*//'` total.num.queries \
 		total.num.cachehits total.num.prefetch num.query.tcp \
-		num.query.tcpout num.query.tls num.query.tls.resume \
+		num.query.tcpout num.query.udpout num.query.tls num.query.tls.resume \
 		num.query.ipv6 unwanted.queries \
 		unwanted.replies; do
 		if grep "^"$x"=" $state >/dev/null 2>&1; then

daemon/daemon.c

@@ -795,7 +795,7 @@ daemon_delete(struct daemon* daemon)
 	ub_c_lex_destroy();
 	/* libcrypto cleanup */
 #ifdef HAVE_SSL
-#  if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
+#  if defined(USE_GOST)
 	sldns_key_EVP_unload_gost();
 #  endif
 #  if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE

daemon/remote.c

@@ -988,6 +988,8 @@ print_ext(RES* ssl, struct ub_stats_info* s)
 		(unsigned long)s->svr.qtcp)) return 0;
 	if(!ssl_printf(ssl, "num.query.tcpout"SQ"%lu\n", 
 		(unsigned long)s->svr.qtcp_outgoing)) return 0;
+	if(!ssl_printf(ssl, "num.query.udpout"SQ"%lu\n",
+		(unsigned long)s->svr.qudp_outgoing)) return 0;
 	if(!ssl_printf(ssl, "num.query.tls"SQ"%lu\n", 
 		(unsigned long)s->svr.qtls)) return 0;
 	if(!ssl_printf(ssl, "num.query.tls.resume"SQ"%lu\n", 

daemon/stats.c

@@ -281,6 +281,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	/* values from outside network */
 	s->svr.unwanted_replies = (long long)worker->back->unwanted_replies;
 	s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing;
+	s->svr.qudp_outgoing = (long long)worker->back->num_udp_outgoing;
 
 	/* get and reset validator rrset bogus number */
 	s->svr.rrset_bogus = (long long)get_rrset_bogus(worker, reset);
@@ -424,6 +425,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 		total->svr.qclass_big += a->svr.qclass_big;
 		total->svr.qtcp += a->svr.qtcp;
 		total->svr.qtcp_outgoing += a->svr.qtcp_outgoing;
+		total->svr.qudp_outgoing += a->svr.qudp_outgoing;
 		total->svr.qtls += a->svr.qtls;
 		total->svr.qtls_resume += a->svr.qtls_resume;
 		total->svr.qhttps += a->svr.qhttps;

daemon/worker.c

@@ -1639,26 +1639,25 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		is_secure_answer = 0;
 		h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
 		if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
+			struct reply_info* rep = (struct reply_info*)e->data;
 			/* answer from cache - we have acquired a readlock on it */
-			if(answer_from_cache(worker, &qinfo,
-				cinfo, &need_drop, &is_expired_answer, &is_secure_answer,
-				&alias_rrset, &partial_rep, (struct reply_info*)e->data,
+			if(answer_from_cache(worker, &qinfo, cinfo, &need_drop,
+				&is_expired_answer, &is_secure_answer,
+				&alias_rrset, &partial_rep, rep,
 				*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 				sldns_buffer_read_u16_at(c->buffer, 2), repinfo,
 				&edns)) {
 				/* prefetch it if the prefetch TTL expired.
 				 * Note that if there is more than one pass
 				 * its qname must be that used for cache
 				 * lookup. */
-				if((worker->env.cfg->prefetch && *worker->env.now >=
-							((struct reply_info*)e->data)->prefetch_ttl) ||
-						(worker->env.cfg->serve_expired &&
-						*worker->env.now >= ((struct reply_info*)e->data)->ttl)) {
-
-					time_t leeway = ((struct reply_info*)e->
-						data)->ttl - *worker->env.now;
-					if(((struct reply_info*)e->data)->ttl
-						< *worker->env.now)
+				if((worker->env.cfg->prefetch &&
+					*worker->env.now >= rep->prefetch_ttl) ||
+					(worker->env.cfg->serve_expired &&
+					*worker->env.now > rep->ttl)) {
+
+					time_t leeway = rep->ttl - *worker->env.now;
+					if(rep->ttl < *worker->env.now)
 						leeway = 0;
 					lock_rw_unlock(&e->lock);
 
@@ -2218,6 +2217,7 @@ void worker_stats_clear(struct worker* worker)
 	mesh_stats_clear(worker->env.mesh);
 	worker->back->unwanted_replies = 0;
 	worker->back->num_tcp_outgoing = 0;
+	worker->back->num_udp_outgoing = 0;
 }
 
 void worker_start_accept(void* arg)