21 changed files with 209 additions and 200 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -6,26 +6,26 @@ endif ()

 # The following must be set BEFORE doing project() or enable_language().
 if (NOT CMAKE_BUILD_TYPE)
-  message(STATUS "No build type defined; defaulting to 'RelWithDebInfo'")
-  set(CMAKE_BUILD_TYPE "RelWithDebInfo" CACHE STRING
+  message(STATUS "No build type defined; defaulting to 'Debug'")
+  set(CMAKE_BUILD_TYPE "Debug" CACHE STRING
    "The type of build. Possible values are: Debug, Release, RelWithDebInfo and MinSizeRel.")
 endif ()

 set(PACKAGE "getdns")
 set(PACKAGE_NAME "getdns")
-set(PACKAGE_VERSION "1.7.1")
+set(PACKAGE_VERSION "1.7.0")
 set(PACKAGE_BUGREPORT "team@getdnsapi.net")
 set(PACKAGE_URL "https://getdnsapi.net")

 # Dont forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
-set(RELEASE_CANDIDATE "-rc.1")
+set(RELEASE_CANDIDATE "")

 set(PACKAGE_STRING "${PACKAGE_NAME} ${PACKAGE_VERSION}${RELEASE_CANDIDATE}")
 set(PACKAGE_TARNAME "${PACKAGE}-${PACKAGE_VERSION}${RELEASE_CANDIDATE}")

 set(GETDNS_VERSION "${PACKAGE_VERSION}${RELEASE_CANDIDATE}")
-set(GETDNS_NUMERIC_VERSION 0x010700c1)
+set(GETDNS_NUMERIC_VERSION 0x01070000)
 set(API_VERSION "December 2015")
 set(API_NUMERIC_VERSION 0x07df0c00)

@ -340,7 +340,6 @@ check_include_file(openssl/engine.h HAVE_OPENSSL_ENGINE_H)
 check_include_file(openssl/bn.h HAVE_OPENSSL_BN_H)
 check_include_file(openssl/dsa.h HAVE_OPENSSL_DSA_H)
 check_include_file(openssl/rsa.h HAVE_OPENSSL_RSA_H)
-check_include_file(openssl/param_build.h HAVE_OPENSSL_PARAM_BUILD_H)

 set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES} ${getdns_system_libs})
 check_function_exists(DSA_SIG_set0 HAVE_DSA_SIG_SET0)
@ -1026,8 +1025,6 @@ if (BUILD_TESTING)
 endif ()

 # Substitutions in files.
-string(TOUPPER "${CMAKE_BUILD_TYPE}" GETDNS_BUILD_RELTYPE)
-string(REPLACE "\"" "\\\"" GETDNS_BUILD_CFLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${GETDNS_BUILD_RELTYPE}}")
 configure_file(cmake/include/cmakeconfig.h.in config.h)
 configure_file(src/getdns/getdns.h.in getdns/getdns.h)
 configure_file(src/getdns/getdns_extra.h.in getdns/getdns_extra.h)
--- a/3
+++ b/3
@ -5,9 +5,6 @@
  * Fix for issue in UDP stream selection in case of timeouts.
    Thanks Shikha Sharma
  * Fix using asterisk in ipstr for any address. Thanks uzlonewolf.
-  * Issue stubby#295: rdata not correctly written for validation for certain 
-    RR type. Also, set default built type to RelWithDebInfo and expose CFLAGS
-    via GETDNS_BUILD_CFLAGS define and via getdns_context_get_api_information()

 * 2021-06-04: Version 1.7.0
  * Make TLS Handshake timeout max 4/5th of timeout for the query,
--- a/cmake/include/cmakeconfig.h.in
+++ b/cmake/include/cmakeconfig.h.in
@ -61,7 +61,6 @@
 #cmakedefine HAVE_OPENSSL_BN_H          1
 #cmakedefine HAVE_OPENSSL_DSA_H         1
 #cmakedefine HAVE_OPENSSL_RSA_H         1
-#cmakedefine HAVE_OPENSSL_PARAM_BUILD_H 1

 #cmakedefine HAVE_DSA_SIG_SET0		1
 #cmakedefine HAVE_DSA_SET0_PQG		1
@ -97,8 +96,6 @@

 #cmakedefine HAVE_OPENSSL_INIT_CRYPTO	1

-#cmakedefine HAVE_OSSL_PARAM_BLD_NEW	1
-
 #cmakedefine HAVE_SSL_DANE_ENABLE			1
 #cmakedefine HAVE_DECL_SSL_CTX_SET1_CURVES_LIST		1
 #cmakedefine HAVE_DECL_SSL_SET1_CURVES_LIST		1
--- a/src/context.c
+++ b/src/context.c
@ -4096,9 +4096,6 @@ getdns_context_get_api_information(const getdns_context* context)
 	    && ! getdns_dict_util_set_string(
 	    result, "compilation_comment", GETDNS_COMPILATION_COMMENT)

-	    && ! getdns_dict_util_set_string(
-	    result, "build_cflags", GETDNS_BUILD_CFLAGS)
-
 	    && ! getdns_dict_util_set_string(
 	    result, "default_trust_anchor_location", TRUST_ANCHOR_FILE)

--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@ -128,7 +128,6 @@ extern "C" {
 #define GETDNS_NUMERIC_VERSION @GETDNS_NUMERIC_VERSION@
 #define GETDNS_API_VERSION "@API_VERSION@"
 #define GETDNS_API_NUMERIC_VERSION @API_NUMERIC_VERSION@
-#define GETDNS_BUILD_CFLAGS "@GETDNS_BUILD_CFLAGS@"
 /** @}
  */

--- a/src/gldns/parse.c
+++ b/src/gldns/parse.c
@ -13,7 +13,7 @@
 #include "gldns/gbuffer.h"

 #include <limits.h>
-#include <strings.h>
+#include <stdlib.h>

 gldns_lookup_table gldns_directive_types[] = {
        { GLDNS_DIR_TTL, "$TTL" },
@ -34,7 +34,7 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 {
 	int c, prev_c;
 	int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
-	int com, quoted, only_blank;
+	int com, quoted;
 	char *t;
 	size_t i;
 	const char *d;
@ -53,7 +53,6 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 	com = 0;
 	quoted = 0;
 	prev_c = 0;
-	only_blank = 1;	/* Assume we got only <blank> until now */
 	t = token;
 	if (del[0] == '"') {
 		quoted = 1;
@ -102,22 +101,6 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 			if (line_nr) {
 				*line_nr = *line_nr + 1;
 			}
-			if (only_blank && i > 0) {
-				/* Got only <blank> so far. Reset and try
-				 * again with the next line.
-				 */
-				i = 0;
-				t = token;
-			}
-			if (p == 0) {
-				/* If p != 0 then the next line is a continuation. So
-				 * we assume that the next line starts with a blank only
-				 * if it is actually a new line.
-				 */
-				only_blank = 1;	/* Assume next line starts with
-						 * <blank>.
-						 */
-			}
 			if (p == 0 && i > 0) {
 				goto tokenread;
 			} else {
@ -148,29 +131,12 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l

 		/* check if we hit the delim */
 		for (d = del; *d; d++) {
-			if (c == *d)
-				break;
-		}
-
 			if (c == *d && i > 0 && prev_c != '\\' && p == 0) {
 				if (c == '\n' && line_nr) {
 					*line_nr = *line_nr + 1;
 				}
-			if (only_blank) {
-				/* Got only <blank> so far. Reset and
-				 * try again with the next line.
-				 */
-				i = 0;
-				t = token;
-				only_blank = 1;
-				prev_c = c;
-				continue;
-			}
 				goto tokenread;
 			}
-		if (c != ' ' && c != '\t') {
-			/* Found something that is not <blank> */
-			only_blank= 0;
 		}
 		if (c != '\0' && c != '\n') {
 			i++;
@ -183,14 +149,9 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 		if (c != '\0' && c != '\n') {
 			*t++ = c;
 		}
-		if (c == '\n') {
-			if (line_nr) {
+		if (c == '\n' && line_nr) {
 			*line_nr = *line_nr + 1;
 		}
-			only_blank = 1;	/* Assume next line starts with
-					 * <blank>.
-					 */
-		}
 		if (c == '\\' && prev_c == '\\')
 			prev_c = 0;
 		else	prev_c = c;
--- a/src/gldns/parseutil.c
+++ b/src/gldns/parseutil.c
@ -14,8 +14,12 @@

 #include "config.h"
 #include "gldns/parseutil.h"
+#ifdef HAVE_SYS_TIME_H
 #include <sys/time.h>
+#endif
+#ifdef HAVE_TIME_H
 #include <time.h>
+#endif
 #include <ctype.h>

 gldns_lookup_table *
@ -209,13 +213,11 @@ gldns_hexdigit_to_int(char ch)
 }

 uint32_t
-gldns_str2period(const char *nptr, const char **endptr, int* overflow)
+gldns_str2period(const char *nptr, const char **endptr)
 {
 	int sign = 0;
 	uint32_t i = 0;
 	uint32_t seconds = 0;
-	const uint32_t maxint = 0xffffffff;
-	*overflow = 0;

 	for(*endptr = nptr; **endptr; (*endptr)++) {
 		switch (**endptr) {
@ -238,46 +240,26 @@ gldns_str2period(const char *nptr, const char **endptr, int* overflow)
 				break;
 			case 's':
 			case 'S':
-				if(seconds > maxint-i) {
-					*overflow = 1;
-					return 0;
-				}
 				seconds += i;
 				i = 0;
 				break;
 			case 'm':
 			case 'M':
-				if(i > maxint/60 || seconds > maxint-(i*60)) {
-					*overflow = 1;
-					return 0;
-				}
 				seconds += i * 60;
 				i = 0;
 				break;
 			case 'h':
 			case 'H':
-				if(i > maxint/(60*60) || seconds > maxint-(i*60*60)) {
-					*overflow = 1;
-					return 0;
-				}
 				seconds += i * 60 * 60;
 				i = 0;
 				break;
 			case 'd':
 			case 'D':
-				if(i > maxint/(60*60*24) || seconds > maxint-(i*60*60*24)) {
-					*overflow = 1;
-					return 0;
-				}
 				seconds += i * 60 * 60 * 24;
 				i = 0;
 				break;
 			case 'w':
 			case 'W':
-				if(i > maxint/(60*60*24*7) || seconds > maxint-(i*60*60*24*7)) {
-					*overflow = 1;
-					return 0;
-				}
 				seconds += i * 60 * 60 * 24 * 7;
 				i = 0;
 				break;
@ -291,27 +273,15 @@ gldns_str2period(const char *nptr, const char **endptr, int* overflow)
 			case '7':
 			case '8':
 			case '9':
-				if(i > maxint/10 || i*10 > maxint - (**endptr - '0')) {
-					*overflow = 1;
-					return 0;
-				}
 				i *= 10;
 				i += (**endptr - '0');
 				break;
 			default:
-				if(seconds > maxint-i) {
-					*overflow = 1;
-					return 0;
-				}
 				seconds += i;
 				/* disregard signedness */
 				return seconds;
 		}
 	}
-	if(seconds > maxint-i) {
-		*overflow = 1;
-		return 0;
-	}
 	seconds += i;
 	/* disregard signedness */
 	return seconds;
--- a/src/gldns/parseutil.h
+++ b/src/gldns/parseutil.h
@ -74,11 +74,9 @@ struct tm * gldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct t
 * converts a ttl value (like 5d2h) to a long.
 * \param[in] nptr the start of the string
 * \param[out] endptr points to the last char in case of error
- * \param[out] overflow returns if the string causes integer overflow error,
- * 	       the number is too big, string of digits too long.
 * \return the convert duration value
 */
-uint32_t gldns_str2period(const char *nptr, const char **endptr, int* overflow);
+uint32_t gldns_str2period(const char *nptr, const char **endptr);

 /**
 * Returns the int value of the given (hex) digit
--- a/src/gldns/pkthdr.h
+++ b/src/gldns/pkthdr.h
@ -97,22 +97,18 @@ extern "C" {
 #define	QDCOUNT(wirebuf)		(ntohs(*(uint16_t *)(wirebuf+QDCOUNT_OFF)))
 */
 #define	GLDNS_QDCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_QDCOUNT_OFF))
-#define GLDNS_QDCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_QDCOUNT_OFF, i))

 /* Counter of the answer section */
 #define GLDNS_ANCOUNT_OFF		6
 #define	GLDNS_ANCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_ANCOUNT_OFF))
-#define GLDNS_ANCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_ANCOUNT_OFF, i))

 /* Counter of the authority section */
 #define GLDNS_NSCOUNT_OFF		8
 #define	GLDNS_NSCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_NSCOUNT_OFF))
-#define GLDNS_NSCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_NSCOUNT_OFF, i))

 /* Counter of the additional section */
 #define GLDNS_ARCOUNT_OFF		10
 #define	GLDNS_ARCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_ARCOUNT_OFF))
-#define GLDNS_ARCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_ARCOUNT_OFF, i))

 /**
 * The sections of a packet
--- a/src/gldns/rrdef.c
+++ b/src/gldns/rrdef.c
@ -392,9 +392,9 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 	/* 63 */
 	{GLDNS_RR_TYPE_ZONEMD, "ZONEMD", 4, 4, type_zonemd_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 64 */
-	{GLDNS_RR_TYPE_SVCB, "SVCB", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 1 },
+	{GLDNS_RR_TYPE_SVCB, "SVCB", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 65 */
-	{GLDNS_RR_TYPE_HTTPS, "HTTPS", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 1 },
+	{GLDNS_RR_TYPE_HTTPS, "HTTPS", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 0 },
 {(enum gldns_enum_rr_type)0, "TYPE66", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 {(enum gldns_enum_rr_type)0, "TYPE67", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 {(enum gldns_enum_rr_type)0, "TYPE68", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
--- a/src/gldns/rrdef.h
+++ b/src/gldns/rrdef.h
@ -440,42 +440,10 @@ enum gldns_enum_edns_option
 	GLDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
 	GLDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
 	GLDNS_EDNS_PADDING = 12, /* RFC7830 */
-	GLDNS_EDNS_EDE = 15, /* RFC8914 */
 	GLDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */
 };
 typedef enum gldns_enum_edns_option gldns_edns_option;

-enum gldns_enum_ede_code
-{
-	GLDNS_EDE_NONE = -1, /* EDE undefined for internal use */
-	GLDNS_EDE_OTHER = 0,
-	GLDNS_EDE_UNSUPPORTED_DNSKEY_ALG = 1,
-	GLDNS_EDE_UNSUPPORTED_DS_DIGEST = 2,
-	GLDNS_EDE_STALE_ANSWER = 3,
-	GLDNS_EDE_FORGED_ANSWER = 4,
-	GLDNS_EDE_DNSSEC_INDETERMINATE = 5,
-	GLDNS_EDE_DNSSEC_BOGUS = 6,
-	GLDNS_EDE_SIGNATURE_EXPIRED = 7,
-	GLDNS_EDE_SIGNATURE_NOT_YET_VALID = 8,
-	GLDNS_EDE_DNSKEY_MISSING = 9,
-	GLDNS_EDE_RRSIGS_MISSING = 10,
-	GLDNS_EDE_NO_ZONE_KEY_BIT_SET = 11,
-	GLDNS_EDE_NSEC_MISSING = 12,
-	GLDNS_EDE_CACHED_ERROR = 13,
-	GLDNS_EDE_NOT_READY = 14,
-	GLDNS_EDE_BLOCKED = 15,
-	GLDNS_EDE_CENSORED = 16,
-	GLDNS_EDE_FILTERED = 17,
-	GLDNS_EDE_PROHIBITED = 18,
-	GLDNS_EDE_STALE_NXDOMAIN_ANSWER = 19,
-	GLDNS_EDE_NOT_AUTHORITATIVE = 20,
-	GLDNS_EDE_NOT_SUPPORTED = 21,
-	GLDNS_EDE_NO_REACHABLE_AUTHORITY = 22,
-	GLDNS_EDE_NETWORK_ERROR = 23,
-	GLDNS_EDE_INVALID_DATA = 24,
-};
-typedef enum gldns_enum_ede_code gldns_ede_code;
-
 #define GLDNS_EDNS_MASK_DO_BIT 0x8000

 /** TSIG and TKEY extended rcodes (16bit), 0-15 are the normal rcodes. */
--- a/src/gldns/str2wire.c
+++ b/src/gldns/str2wire.c
@ -250,16 +250,11 @@ rrinternal_get_ttl(gldns_buffer* strbuf, char* token, size_t token_len,
 	int* not_there, uint32_t* ttl, uint32_t default_ttl)
 {
 	const char* endptr;
-	int overflow;
 	if(gldns_bget_token(strbuf, token, "\t\n ", token_len) == -1) {
 		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_TTL,
 			gldns_buffer_position(strbuf));
 	}
-	*ttl = (uint32_t) gldns_str2period(token, &endptr, &overflow);
-	if(overflow) {
-		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW,
-			gldns_buffer_position(strbuf));
-	}
+	*ttl = (uint32_t) gldns_str2period(token, &endptr);

 	if (strlen(token) > 0 && !isdigit((unsigned char)token[0])) {
 		*not_there = 1;
@ -379,8 +374,7 @@ rrinternal_get_quoted(gldns_buffer* strbuf, const char** delimiters,

 		/* skip spaces */
 		while(gldns_buffer_remaining(strbuf) > 0 &&
-			(*(gldns_buffer_current(strbuf)) == ' ' ||
-			*(gldns_buffer_current(strbuf)) == '\t')) {
+			*(gldns_buffer_current(strbuf)) == ' ') {
 			gldns_buffer_skip(strbuf, 1);
 		}

@ -613,7 +607,7 @@ gldns_affix_token(gldns_buffer* strbuf, char* token, size_t* token_len,
 	/* add space */
 	/* when addlen < 2, the token buffer is full considering the NULL byte
 	 * from strlen and will lead to buffer overflow with the second
-	 * assignment below. */
+	 * assignement below. */
 	if(addlen < 2) return 0;
 	token[*token_strlen] = ' ';
 	token[++(*token_strlen)] = 0;
@ -677,10 +671,10 @@ static int gldns_str2wire_check_svcbparams(uint8_t* rdata, uint16_t rdata_len)
 	     ,gldns_str2wire_svcparam_key_cmp);


-	/* The code below revolves around semantic errors in the SVCParam set.
+	/* The code below revolves around sematic errors in the SVCParam set.
 	 * So long as we do not distinguish between running Unbound as a primary
 	 * or as a secondary, we default to secondary behavior and we ignore the
-	 * semantic errors. */
+	 * sematic errors. */

 #ifdef SVCB_SEMANTIC_ERRORS
 	{
@ -782,8 +776,7 @@ rrinternal_parse_rdata(gldns_buffer* strbuf, char* token, size_t token_len,

 		/* unknown RR data */
 		if(token_strlen>=2 && strncmp(token, "\\#", 2) == 0 &&
-			!quoted && (token_strlen == 2 || token[2]==' ' ||
-			token[2]=='\t')) {
+			!quoted && (token_strlen == 2 || token[2]==' ')) {
 			was_unknown_rr_format = 1;
 			if((status=rrinternal_parse_unknown(strbuf, token,
 				token_len, rr, rr_len, &rr_cur_len, 
@ -901,7 +894,7 @@ gldns_str2wire_rr_buf_internal(const char* str, uint8_t* rr, size_t* len,
 {
 	int status;
 	int not_there = 0;
-	char token[GLDNS_MAX_RDFLEN+1];
+	char token[GLDNS_MAX_RDFLEN+1] = "";
 	uint32_t ttl = 0;
 	uint16_t tp = 0, cl = 0;
 	size_t ddlen = 0;
@ -1063,15 +1056,12 @@ int gldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 		return s;
 	} else if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line[4])) {
 		const char* end = NULL;
-		int overflow = 0;
 		strlcpy((char*)rr, line, *len);
 		*len = 0;
 		*dname_len = 0;
 		if(!parse_state) return GLDNS_WIREPARSE_ERR_OK;
 		parse_state->default_ttl = gldns_str2period(
-			gldns_strip_ws(line+5), &end, &overflow);
-		if(overflow)
-			return GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW;
+			gldns_strip_ws(line+5), &end);
 	} else if (strncmp(line, "$INCLUDE", 8) == 0) {
 		strlcpy((char*)rr, line, *len);
 		*len = 0;
@ -1128,7 +1118,7 @@ gldns_str2wire_svcparam_key_lookup(const char *key, size_t key_len)
 		if (!strncmp(key, "mandatory", sizeof("mandatory")-1))
 			return SVCB_KEY_MANDATORY;
 		if (!strncmp(key, "echconfig", sizeof("echconfig")-1))
-			return SVCB_KEY_ECH; /* allow "echconfig" as well as "ech" */
+			return SVCB_KEY_ECH; /* allow "echconfig as well as "ech" */
 		break;

 	case sizeof("alpn")-1:
@ -1367,7 +1357,7 @@ gldns_str2wire_svcbparam_mandatory(const char* val, uint8_t* rd, size_t* rd_len)
 	 */
 	qsort((void *)(rd + 4), count, sizeof(uint16_t), gldns_network_uint16_cmp);

-	/* The code below revolves around semantic errors in the SVCParam set.
+	/* The code below revolves around sematic errors in the SVCParam set.
 	 * So long as we do not distinguish between running Unbound as a primary
 	 * or as a secondary, we default to secondary behavior and we ignore the
 	 * semantic errors. */
@ -1599,12 +1589,12 @@ static int gldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_
 		if (*val_in == '"') {
 			val_in++;
 			while (*val_in != '"'
-			&& (size_t)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
+			&& (unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
 			&& gldns_parse_char( (uint8_t*) val_out, &val_in)) {
 				val_out++;
 			}
 		} else {
-			while ((size_t)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
+			while ((unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
 			&& gldns_parse_char( (uint8_t*) val_out, &val_in)) {
 				val_out++;
 			}
@ -2170,13 +2160,9 @@ int gldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len)
 int gldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len)
 {
 	const char* end;
-	int overflow;
-	uint32_t p = gldns_str2period(str, &end, &overflow);
+	uint32_t p = gldns_str2period(str, &end);
 	if(*end != 0)
 		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_PERIOD, end-str);
-	if(overflow)
-		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW,
-			end-str);
 	if(*len < 4)
 		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
 	gldns_write_uint32(rd, p);
--- a/src/gldns/wire2str.c
+++ b/src/gldns/wire2str.c
@ -196,7 +196,6 @@ static gldns_lookup_table gldns_edns_options_data[] = {
 	{ 8, "edns-client-subnet" },
 	{ 11, "edns-tcp-keepalive"},
 	{ 12, "Padding" },
-	{ 15, "EDE"},
 	{ 0, NULL}
 };
 gldns_lookup_table* gldns_edns_options = gldns_edns_options_data;
@ -1073,7 +1072,7 @@ static int gldns_wire2str_svcparam_mandatory2str(char** s,
 	assert(data_len > 0);

 	if (data_len % sizeof(uint16_t))
-		return -1; /* wireformat error, data_len must be multiple of shorts */
+		return -1; // wireformat error, data_len must be multiple of shorts
 	w += gldns_str_print(s, slen, "=");
 	w += gldns_print_svcparamkey(s, slen, gldns_read_uint16(data));
 	data += 2;
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@ -94,4 +94,10 @@ typedef struct _getdns_tls_x509
 	gnutls_datum_t tls;
 } _getdns_tls_x509;

+typedef struct _getdns_tls_hmac
+{
+	gnutls_hmac_hd_t tls;
+	unsigned int md_len;
+} _getdns_tls_hmac;
+
 #endif /* _GETDNS_TLS_INTERNAL_H */
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@ -869,6 +869,55 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
 	return res;
 }

+_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
+{
+	gnutls_mac_algorithm_t alg;
+	_getdns_tls_hmac* res;
+
+	if (get_gnu_mac_algorithm(algorithm, &alg) != GETDNS_RETURN_GOOD)
+		return NULL;
+
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
+		return NULL;
+
+	if (gnutls_hmac_init(&res->tls, alg, key, key_size) < 0) {
+		GETDNS_FREE(*mfs, res);
+		return NULL;
+	}
+	res->md_len = gnutls_hmac_get_len(alg);
+	return res;
+}
+
+getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
+{
+	if (!h || !h->tls || !data)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (gnutls_hmac(h->tls, data, data_size) < 0)
+		return GETDNS_RETURN_GENERIC_ERROR;
+	else
+		return GETDNS_RETURN_GOOD;
+}
+
+unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
+{
+	unsigned char* res;
+
+	if (!h || !h->tls)
+		return NULL;
+
+	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, h->md_len);
+	if (!res)
+		return NULL;
+
+	gnutls_hmac_deinit(h->tls, res);
+	if (output_size)
+		*output_size = h->md_len;
+
+	GETDNS_FREE(*mfs, h);
+	return res;
+}
+
 void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
 {
 	gnutls_hash_fast(GNUTLS_DIG_SHA1, data, data_size, buf);
--- a/src/openssl/keyraw-internal.c
+++ b/src/openssl/keyraw-internal.c
@ -51,7 +51,7 @@
 #ifdef USE_GOST

 /** store GOST engine reference loaded into OpenSSL library */
-#if defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER > 0x30000000
+#ifdef OPENSSL_NO_ENGINE
 int
 gldns_key_EVP_load_gost_id(void)
 {
--- a/src/openssl/tls-internal.h
+++ b/src/openssl/tls-internal.h
@ -81,4 +81,12 @@ typedef struct _getdns_tls_x509
 	X509* ssl;
 } _getdns_tls_x509;

+typedef struct _getdns_tls_hmac
+{
+	HMAC_CTX *ctx;
+#ifndef HAVE_HMAC_CTX_NEW
+	HMAC_CTX ctx_space;
+#endif
+} _getdns_tls_hmac;
+
 #endif /* _GETDNS_TLS_INTERNAL_H */
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@ -1197,6 +1197,70 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
 	return res;
 }

+_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
+{
+	const EVP_MD *digester = get_digester(algorithm);
+	_getdns_tls_hmac* res;
+
+	if (!digester)
+		return NULL;
+
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
+		return NULL;
+
+#ifdef HAVE_HMAC_CTX_NEW
+	res->ctx = HMAC_CTX_new();
+	if (!res->ctx) {
+		GETDNS_FREE(*mfs, res);
+		return NULL;
+	}
+#else
+	res->ctx = &res->ctx_space;
+	HMAC_CTX_init(res->ctx);
+#endif
+	if (!HMAC_Init_ex(res->ctx, key, key_size, digester, NULL)) {
+#ifdef HAVE_HMAC_CTX_NEW
+		HMAC_CTX_free(res->ctx);
+#endif
+		GETDNS_FREE(*mfs, res);
+		return NULL;
+	}
+
+	return res;
+}
+
+getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
+{
+	if (!h || !h->ctx || !data)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (!HMAC_Update(h->ctx, data, data_size))
+		return GETDNS_RETURN_GENERIC_ERROR;
+	else
+		return GETDNS_RETURN_GOOD;
+}
+
+unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
+{
+	unsigned char* res;
+	unsigned int md_len;
+
+	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH);
+	if (!res)
+		return NULL;
+
+	(void) HMAC_Final(h->ctx, res, &md_len);
+
+#ifdef HAVE_HMAC_CTX_NEW
+	HMAC_CTX_free(h->ctx);
+#endif
+	GETDNS_FREE(*mfs, h);
+
+	if (output_size)
+		*output_size = md_len;
+	return res;
+}
+
 void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
 {
 	SHA1(data, data_size, buf);
--- a/src/request-internal.c
+++ b/src/request-internal.c
@ -500,9 +500,7 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	unsigned char  *result_mac;
 	size_t result_mac_len;
 	uint16_t original_id;
-	size_t data_size;
-	uint8_t *data;
-
+	_getdns_tls_hmac *hmac;

 	DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNC__);
 	for ( rr = _getdns_rr_iter_init(&rr_spc, req->query,
@ -609,33 +607,19 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	    gldns_read_uint16(req->response + 10) - 1);
 	gldns_write_uint16(req->response, original_id);

-	data_size = request_mac_len + 2
-	          + (size_t)(rr->pos - req->response) 
-	          + gldns_buffer_position(&gbuf);
-	data = GETDNS_XMALLOC(req->owner->my_mf, uint8_t, data_size);
-	if (!data) {
-		DEBUG_STUB("%s %-35s: Error allocating %d bytes\n",
-			   STUB_DEBUG_TSIG, __FUNC__, (int)(data_size));
+	hmac = _getdns_tls_hmac_new(&req->owner->my_mf, req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size);
+	if (!hmac)
 		return;
-	}
-	memcpy(data , request_mac - 2 , request_mac_len + 2);
-	memcpy(data + request_mac_len + 2, req->response, rr->pos - req->response);
-	memcpy(data + request_mac_len + 2 + (size_t)(rr->pos - req->response)
-	                                 , tsig_vars, gldns_buffer_position(&gbuf));

-	result_mac = _getdns_tls_hmac_hash(&req->owner->my_mf
-	                                  , req->upstream->tsig_alg
-					  , req->upstream->tsig_key
-					  , req->upstream->tsig_size
-					  , data, data_size , &result_mac_len);
-	GETDNS_FREE(req->owner->my_mf, data);
-	if (!result_mac) {
-		DEBUG_STUB("%s %-35s: Error calculating TSIG digest\n",
-			   STUB_DEBUG_TSIG, __FUNC__);
+	_getdns_tls_hmac_add(hmac, request_mac - 2, request_mac_len + 2);
+	_getdns_tls_hmac_add(hmac, req->response, rr->pos - req->response);
+	_getdns_tls_hmac_add(hmac, tsig_vars, gldns_buffer_position(&gbuf));
+	result_mac = _getdns_tls_hmac_end(&req->owner->my_mf, hmac, &result_mac_len);
+	if (!result_mac)
 		return;
-	}
-	DEBUG_STUB("%s %-35s: Result MAC length: %d for %d bytes of data\n",
-	           STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len), (int)data_size);
+
+	DEBUG_STUB("%s %-35s: Result MAC length: %d\n",
+	           STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len));
 	if (result_mac_len == response_mac_len &&
 	    memcmp(result_mac, response_mac, result_mac_len) == 0)
 		req->tsig_status = GETDNS_DNSSEC_SECURE;
--- a/src/tls.h
+++ b/src/tls.h
@ -408,6 +408,39 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
 */
 unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);

+/**
+ * Return a new HMAC handle.
+ *
+ * @param mfs		pointer to getdns memory functions.
+ * @param algorithm	hash algorithm to use (<code>GETDNS_HMAC_?</code>).
+ * @param key		the key.
+ * @param key_size	the key size.
+ * @return HMAC handle or NULL on error.
+ */
+_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size);
+
+/**
+ * Add data to a HMAC.
+ *
+ * @param h		the HMAC.
+ * @param data		the data to add.
+ * @param data_size	the size of data to add.
+ * @return GETDNS_RETURN_GOOD if added.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if h is null or has no HMAC.
+ * @return GETDNS_RETURN_GENERIC_ERROR on error.
+ */
+getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size);
+
+/**
+ * Return the HMAC digest and free the handle.
+ *
+ * @param mfs		pointer to getdns memory functions.
+ * @param h		the HMAC.
+ * @param output_size	the output size will be written here if not NULL.
+ * @return output	malloc'd buffer with output, NULL on error.
+ */
+unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size);
+
 /**
 * Calculate a SHA1 hash.
 *
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit a1a6f6c6b512c88cc3ec5965eaee255b08bdc7cd
+Subproject commit 40b6bf95391f639cc86e5d328e89011ef4c16437