* Tue Sep 04 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-3

- Fix openssl thread locking bug under high query load

unbound-1.4.18-openssl_threads.patch

@@ -0,0 +1,104 @@
+Index: daemon/daemon.c
+===================================================================
+--- daemon/daemon.c	(revision 2732)
++++ daemon/daemon.c	(revision 2733)
+@@ -209,6 +209,10 @@
+ 	comp_meth = (void*)SSL_COMP_get_compression_methods();
+ #  endif
+ 	(void)SSL_library_init();
++#  if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
++	if(!ub_openssl_lock_init())
++		fatal_exit("could not init openssl locks");
++#  endif
+ #elif defined(HAVE_NSS)
+ 	if(NSS_NoDB_Init(NULL) != SECSuccess)
+ 		fatal_exit("could not init NSS");
+@@ -568,6 +572,9 @@
+ 	ERR_remove_state(0);
+ 	ERR_free_strings();
+ 	RAND_cleanup();
++#  if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
++	ub_openssl_lock_delete();
++#  endif
+ #elif defined(HAVE_NSS)
+ 	NSS_Shutdown();
+ #endif /* HAVE_SSL or HAVE_NSS */
+Index: util/net_help.c
+===================================================================
+--- util/net_help.c	(revision 2732)
++++ util/net_help.c	(revision 2733)
+@@ -725,3 +725,54 @@
+ 	return NULL;
+ #endif
+ }
++
++/** global lock list for openssl locks */
++static lock_basic_t *ub_openssl_locks = NULL;
++
++/** callback that gets thread id for openssl */
++static unsigned long
++ub_crypto_id_cb(void)
++{
++	return (unsigned long)ub_thread_self();
++}
++
++static void
++ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
++	int ATTR_UNUSED(line))
++{
++	if((mode&CRYPTO_LOCK)) {
++		lock_basic_lock(&ub_openssl_locks[type]);
++	} else {
++		lock_basic_unlock(&ub_openssl_locks[type]);
++	}
++}
++
++int ub_openssl_lock_init(void)
++{
++#ifdef OPENSSL_THREADS
++	size_t i;
++	ub_openssl_locks = (lock_basic_t*)malloc(
++		sizeof(lock_basic_t)*CRYPTO_num_locks());
++	if(!ub_openssl_locks)
++		return 0;
++	for(i=0; i<CRYPTO_num_locks(); i++) {
++		lock_basic_init(&ub_openssl_locks[i]);
++	}
++	CRYPTO_set_id_callback(&ub_crypto_id_cb);
++	CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
++#endif /* OPENSSL_THREADS */
++	return 1;
++}
++
++void ub_openssl_lock_delete(void)
++{
++#ifdef OPENSSL_THREADS
++	size_t i;
++	if(!ub_openssl_locks)
++		return;
++	for(i=0; i<CRYPTO_num_locks(); i++) {
++		lock_basic_destroy(&ub_openssl_locks[i]);
++	}
++#endif /* OPENSSL_THREADS */
++}
++
+Index: util/net_help.h
+===================================================================
+--- util/net_help.h	(revision 2732)
++++ util/net_help.h	(revision 2733)
+@@ -369,4 +369,15 @@
+  */
+ void* outgoing_ssl_fd(void* sslctx, int fd);
+ 
++/**
++ * Initialize openssl locking for thread safety
++ * @return false on failure (alloc failure).
++ */
++int ub_openssl_lock_init(void);
++
++/**
++ * De-init the allocated openssl locks
++ */
++void ub_openssl_lock_delete(void);
++
+ #endif /* NET_HELP_H */

unbound.spec

@@ -14,7 +14,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.18
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -27,6 +27,7 @@ Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Patch1: unbound-1.2-glob.patch
+Patch2: unbound-1.4.18-openssl_threads.patch
 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, 
 BuildRequires: libevent-devel expat-devel
@@ -102,6 +103,7 @@ Python modules and extensions for unbound
 %prep
 %setup -q 
 %patch1 -p1
+%patch2 -p0
 
 %build
 %configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -229,6 +231,9 @@ exit 0
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 
 %changelog
+* Tue Sep 04 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-3
+- Fix openssl thread locking bug under high query load
+
 * Thu Aug 23 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-2
 - Use new systemd-rpm macros (rhbz#850351)
 - Clean up old obsoleted dnssec-conf from < fedora 15