authorStuart Henderson <sthen@cvs.openbsd.org>2022-08-29 16:03:50 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2022-08-29 16:03:50 +0000
commitacbc9b082da151312d8e4b6dc46baee508810e80 (patch)
tree0c6af2bab8b83fa8706d26db98abd9bd36e58ca8
parent6d9f9433c9c9aa2584ff578ffa17be1d2178b1dc (diff)
import unbound 1.16.2, ok florian@ tb@ also tested by Alex Holst
-rw-r--r--usr.sbin/unbound/SECURITY.md31
-rw-r--r--usr.sbin/unbound/testcode/dohclient.c2
-rwxr-xr-xusr.sbin/unbound/testcode/mini_tdir.sh23
-rw-r--r--usr.sbin/unbound/testcode/unitmain.c2
-rw-r--r--usr.sbin/unbound/util/rtt.c3
5 files changed, 53 insertions, 8 deletions
diff --git a/usr.sbin/unbound/SECURITY.md b/usr.sbin/unbound/SECURITY.md
new file mode 100644
index 00000000000..5770ccd7991
--- /dev/null
+++ b/usr.sbin/unbound/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+## Supported Versions
+
+NLnet Labs adheres to the straightforward, semantic versioning scheme that is
+commonly used in the software industry.
+
+Support is provided in respect of the latest release, i.e. releases with the
+highest minor and patch version level. We do not backport security fixes to
+older (minor) versions. In the event a new major version is released (e.g. from
+3.2.18 to 4.0.0), support will also be provided on the latest minor version of
+the previous major version (3.2.18) for a period of one year from the release of
+the new major version (4.0.0).
+
+In the event that, during this period, a new patch or minor version of the
+previous major version is released, then support on these versions will only be
+provided for the remainder of the one-year-period.
+
+You can find detailed information on our software support policy here:
+
+https://www.nlnetlabs.nl/support/software-support-policy/
+
+## Reporting a Vulnerability
+
+We take security very seriously. If you have discovered a security vulnerability
+in one of our projects and you would like to report it to us, you can send an
+encrypted message to our Security Entry Point.
+
+Details are described here:
+
+https://www.nlnetlabs.nl/security-report/
diff --git a/usr.sbin/unbound/testcode/dohclient.c b/usr.sbin/unbound/testcode/dohclient.c
index d35f5a82c66..82e522f90d5 100644
--- a/usr.sbin/unbound/testcode/dohclient.c
+++ b/usr.sbin/unbound/testcode/dohclient.c
@@ -551,7 +551,7 @@ run(struct http2_session* h2_session, int port, int no_tls, int count, char** q)
if(ctx) {
SSL_CTX_free(ctx);
}
- close(fd);
+ sock_close(fd);
}
/** getopt global, in case header files fail to declare it. */
diff --git a/usr.sbin/unbound/testcode/mini_tdir.sh b/usr.sbin/unbound/testcode/mini_tdir.sh
index 0457a95e709..6bbece8d936 100755
--- a/usr.sbin/unbound/testcode/mini_tdir.sh
+++ b/usr.sbin/unbound/testcode/mini_tdir.sh
@@ -5,6 +5,10 @@ if test "$1" = "-a"; then
shift
shift
fi
+
+# This will keep the temporary directory around and return 1 when the test failed.
+DEBUG=0
+
quiet=0
if test "$1" = "-q"; then
quiet=1
@@ -184,11 +188,18 @@ echo "DateRunEnd: "`date "+%s" 2>/dev/null` >> $result
mv $result ..
cd ..
-rm -rf $dir
-# compat for windows where deletion may not succeed initially (files locked
-# by processes that still have to exit).
-if test $? -eq 1; then
- echo "minitdir waiting for processes to terminate"
- sleep 2 # some time to exit, and try again
+if test $DEBUG -eq 0; then
rm -rf $dir
+ # compat for windows where deletion may not succeed initially (files locked
+ # by processes that still have to exit).
+ if test $? -eq 1; then
+ echo "minitdir waiting for processes to terminate"
+ sleep 2 # some time to exit, and try again
+ rm -rf $dir
+ fi
+else
+ if test $success == "no"; then
+ exit 1
+ fi
+ exit 0
fi
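Review bot: The added `if test $success == "no"; then` uses `==`, which POSIX `test` does not define, and leaves `$success` unquoted, so an empty or unset value turns the test into a malformed expression. In most shells that evaluates as false and the branch falls through to `exit 0`, so a DEBUG run could report a failed test as passed. I would write it as `if test "$success" = "no"; then`. The interpreter line and the assignment of `success` are outside this hunk, so whether a strict `sh` runs the script is not visible here. The `rm -rf $dir` lines in the same hunk would also be more robust as `rm -rf "$dir"`.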
diff --git a/usr.sbin/unbound/testcode/unitmain.c b/usr.sbin/unbound/testcode/unitmain.c
index 16aa8845021..b6dac5507fa 100644
--- a/usr.sbin/unbound/testcode/unitmain.c
+++ b/usr.sbin/unbound/testcode/unitmain.c
@@ -918,7 +918,7 @@ main(int argc, char* argv[])
checklock_stop();
printf("%d checks ok.\n", testcount);
#ifdef HAVE_SSL
-# if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
+# if defined(USE_GOST)
sldns_key_EVP_unload_gost();
# endif
# ifdef HAVE_OPENSSL_CONFIG
diff --git a/usr.sbin/unbound/util/rtt.c b/usr.sbin/unbound/util/rtt.c
index f51576fb57f..b64206ecad1 100644
--- a/usr.sbin/unbound/util/rtt.c
+++ b/usr.sbin/unbound/util/rtt.c
@@ -45,6 +45,9 @@
/* overwritten by config: infra_cache_min_rtt: */
int RTT_MIN_TIMEOUT = 50;
+/* overwritten by config: infra_cache_max_rtt: */
+int RTT_MAX_TIMEOUT = 120000;
+
/** calculate RTO from rtt information */
static int
calc_rto(const struct rtt_info* rtt)
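Review bot: `RTT_MAX_TIMEOUT` is now a writable global set from configuration, and nothing in this hunk keeps it positive or at least as large as `RTT_MIN_TIMEOUT`. If the code that applies `infra_cache_max_rtt` (not visible here) accepts any integer, a small or negative value could presumably invert the range that timeouts are clamped to. I would range-check the value where the option is read and state the invariant on the definition, e.g. `/* upper bound for the timeout, presumably in msec like RTT_MIN_TIMEOUT; must stay >= RTT_MIN_TIMEOUT. overwritten by config: infra_cache_max_rtt: */`. Any use of the name in a constant expression (array size, static initializer, `case` label) would also stop compiling now that it is a variable, though none is visible in this hunk. `calc_rto` begins on the hunk's last lines and its body is outside it.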