Upgrade unbound library

These files were pulled from the 1.6.3 release tarball.

This new version builds against OpenSSL version 1.1 which will be
the default in the new Debian Stable which is due to be released
RealSoonNow (tm).

1 files changed, 105 insertions, 9 deletions

diff --git a/external/unbound/daemon/daemon.c b/external/unbound/daemon/daemon.c
index e763f724e..dad9f86b3 100644
--- a/external/unbound/daemon/daemon.c
+++ b/external/unbound/daemon/daemon.c
@@ -73,20 +73,27 @@
 #include "util/log.h"
 #include "util/config_file.h"
 #include "util/data/msgreply.h"
+#include "util/shm_side/shm_main.h"
 #include "util/storage/lookup3.h"
 #include "util/storage/slabhash.h"
 #include "services/listen_dnsport.h"
 #include "services/cache/rrset.h"
 #include "services/cache/infra.h"
 #include "services/localzone.h"
+#include "services/view.h"
 #include "services/modstack.h"
 #include "util/module.h"
 #include "util/random.h"
 #include "util/tube.h"
 #include "util/net_help.h"
 #include "sldns/keyraw.h"
+#include "respip/respip.h"
 #include <signal.h>
 
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
 /** How many quit requests happened. */
 static int sig_record_quit = 0;
 /** How many reload requests happened. */
@@ -174,8 +181,15 @@ static void
 signal_handling_playback(struct worker* wrk)
 {
 #ifdef SIGHUP
-	if(sig_record_reload)
+	if(sig_record_reload) {
+# ifdef HAVE_SYSTEMD
+		sd_notify(0, "RELOADING=1");
+# endif
 		worker_sighandler(SIGHUP, wrk);
+# ifdef HAVE_SYSTEMD
+		sd_notify(0, "READY=1");
+# endif
+	}
 #endif
 	if(sig_record_quit)
 		worker_sighandler(SIGTERM, wrk);
@@ -204,20 +218,29 @@ daemon_init(void)
 	signal_handling_record();
 	checklock_start();
 #ifdef HAVE_SSL
+#  ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
 	ERR_load_crypto_strings();
-	ERR_load_SSL_strings();
-#  ifdef HAVE_OPENSSL_CONFIG
-	OPENSSL_config("unbound");
 #  endif
+	ERR_load_SSL_strings();
 #  ifdef USE_GOST
 	(void)sldns_key_EVP_load_gost_id();
 #  endif
+#  if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
 	OpenSSL_add_all_algorithms();
+#  else
+	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
+		| OPENSSL_INIT_ADD_ALL_DIGESTS
+		| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+#  endif
 #  if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
 	/* grab the COMP method ptr because openssl leaks it */
 	comp_meth = (void*)SSL_COMP_get_compression_methods();
 #  endif
+#  if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
 	(void)SSL_library_init();
+#  else
+	(void)OPENSSL_init_ssl(0, NULL);
+#  endif
 #  if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
 	if(!ub_openssl_lock_init())
 		fatal_exit("could not init openssl locks");
@@ -239,9 +262,16 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
+	/* init edns_known_options */
+	if(!edns_known_options_init(daemon->env)) {
+		free(daemon->env);
+		free(daemon);
+		return NULL;
+	}
 	alloc_init(&daemon->superalloc, NULL, 0);
 	daemon->acl = acl_list_create();
 	if(!daemon->acl) {
+		edns_known_options_delete(daemon->env);
 		free(daemon->env);
 		free(daemon);
 		return NULL;
@@ -338,6 +368,7 @@ static void daemon_setup_modules(struct daemon* daemon)
 		daemon->env)) {
 		fatal_exit("failed to setup modules");
 	}
+	log_edns_known_options(VERB_ALGO, daemon->env);
 }
 
 /**
@@ -407,6 +438,8 @@ daemon_create_workers(struct daemon* daemon)
 	}
 	daemon->workers = (struct worker**)calloc((size_t)daemon->num, 
 		sizeof(struct worker*));
+	if(!daemon->workers)
+		fatal_exit("out of memory during daemon init");
 	if(daemon->cfg->dnstap) {
 #ifdef USE_DNSTAP
 		daemon->dtenv = dt_create(daemon->cfg->dnstap_socket_path,
@@ -530,17 +563,55 @@ daemon_stop_others(struct daemon* daemon)
 void 
 daemon_fork(struct daemon* daemon)
 {
+	int have_view_respip_cfg = 0;
+
 	log_assert(daemon);
-	if(!acl_list_apply_cfg(daemon->acl, daemon->cfg))
+	if(!(daemon->views = views_create()))
+		fatal_exit("Could not create views: out of memory");
+	/* create individual views and their localzone/data trees */
+	if(!views_apply_cfg(daemon->views, daemon->cfg))
+		fatal_exit("Could not set up views");
+
+	if(!acl_list_apply_cfg(daemon->acl, daemon->cfg, daemon->views))
 		fatal_exit("Could not setup access control list");
+	if(daemon->cfg->dnscrypt) {
+#ifdef USE_DNSCRYPT
+		daemon->dnscenv = dnsc_create();
+		if (!daemon->dnscenv)
+			fatal_exit("dnsc_create failed");
+		dnsc_apply_cfg(daemon->dnscenv, daemon->cfg);
+#else
+		fatal_exit("dnscrypt enabled in config but unbound was not built with "
+				   "dnscrypt support");
+#endif
+	}
+	/* create global local_zones */
 	if(!(daemon->local_zones = local_zones_create()))
 		fatal_exit("Could not create local zones: out of memory");
 	if(!local_zones_apply_cfg(daemon->local_zones, daemon->cfg))
 		fatal_exit("Could not set up local zones");
 
+	/* process raw response-ip configuration data */
+	if(!(daemon->respip_set = respip_set_create()))
+		fatal_exit("Could not create response IP set");
+	if(!respip_global_apply_cfg(daemon->respip_set, daemon->cfg))
+		fatal_exit("Could not set up response IP set");
+	if(!respip_views_apply_cfg(daemon->views, daemon->cfg,
+		&have_view_respip_cfg))
+		fatal_exit("Could not set up per-view response IP sets");
+	daemon->use_response_ip = !respip_set_is_empty(daemon->respip_set) ||
+		have_view_respip_cfg;
+
 	/* setup modules */
 	daemon_setup_modules(daemon);
 
+	/* response-ip-xxx options don't work as expected without the respip
+	 * module.  To avoid run-time operational surprise we reject such
+	 * configuration. */
+	if(daemon->use_response_ip &&
+		modstack_find(&daemon->mods, "respip") < 0)
+		fatal_exit("response-ip options require respip module");
+
 	/* first create all the worker structures, so we can pass
 	 * them to the newly created threads. 
 	 */
@@ -567,14 +638,26 @@ daemon_fork(struct daemon* daemon)
 #endif
 	signal_handling_playback(daemon->workers[0]);
 
+	if (!shm_main_init(daemon))
+		log_warn("SHM has failed");
+
 	/* Start resolver service on main thread. */
+#ifdef HAVE_SYSTEMD
+	sd_notify(0, "READY=1");
+#endif
 	log_info("start of service (%s).", PACKAGE_STRING);
 	worker_work(daemon->workers[0]);
+#ifdef HAVE_SYSTEMD
+	sd_notify(0, "STOPPING=1");
+#endif
 	log_info("service stopped (%s).", PACKAGE_STRING);
 
 	/* we exited! a signal happened! Stop other threads */
 	daemon_stop_others(daemon);
 
+	/* Shutdown SHM */
+	shm_main_shutdown(daemon);
+
 	daemon->need_to_exit = daemon->workers[0]->need_to_exit;
 }
 
@@ -589,13 +672,16 @@ daemon_cleanup(struct daemon* daemon)
 	log_thread_set(NULL);
 	/* clean up caches because
 	 * a) RRset IDs will be recycled after a reload, causing collisions
-	 * b) validation config can change, thus rrset, msg, keycache clear 
-	 * The infra cache is kept, the timing and edns info is still valid */
+	 * b) validation config can change, thus rrset, msg, keycache clear */
 	slabhash_clear(&daemon->env->rrset_cache->table);
 	slabhash_clear(daemon->env->msg_cache);
 	local_zones_delete(daemon->local_zones);
 	daemon->local_zones = NULL;
-	/* key cache is cleared by module desetup during next daemon_init() */
+	respip_set_delete(daemon->respip_set);
+	daemon->respip_set = NULL;
+	views_delete(daemon->views);
+	daemon->views = NULL;
+	/* key cache is cleared by module desetup during next daemon_fork() */
 	daemon_remote_clear(daemon->rc);
 	for(i=0; i<daemon->num; i++)
 		worker_delete(daemon->workers[i]);
@@ -624,6 +710,7 @@ daemon_delete(struct daemon* daemon)
 		slabhash_delete(daemon->env->msg_cache);
 		rrset_cache_delete(daemon->env->rrset_cache);
 		infra_delete(daemon->env->infra_cache);
+		edns_known_options_delete(daemon->env);
 	}
 	ub_randfree(daemon->rand);
 	alloc_clear(&daemon->superalloc);
@@ -647,18 +734,27 @@ daemon_delete(struct daemon* daemon)
 #  endif
 #  if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE
 #    ifndef S_SPLINT_S
+#      if OPENSSL_VERSION_NUMBER < 0x10100000
 	sk_SSL_COMP_pop_free(comp_meth, (void(*)())CRYPTO_free);
+#      endif
 #    endif
 #  endif
 #  ifdef HAVE_OPENSSL_CONFIG
 	EVP_cleanup();
+#  if OPENSSL_VERSION_NUMBER < 0x10100000
 	ENGINE_cleanup();
+#  endif
 	CONF_modules_free();
 #  endif
+#  ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
 	CRYPTO_cleanup_all_ex_data(); /* safe, no more threads right now */
-	ERR_remove_state(0);
+#  endif
+#  ifdef HAVE_ERR_FREE_STRINGS
 	ERR_free_strings();
+#  endif
+#  if OPENSSL_VERSION_NUMBER < 0x10100000
 	RAND_cleanup();
+#  endif
 #  if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
 	ub_openssl_lock_delete();
 #  endif