diff options
Diffstat (limited to 'external/unbound/smallapp')
-rw-r--r-- | external/unbound/smallapp/unbound-anchor.c | 7 | ||||
-rw-r--r-- | external/unbound/smallapp/unbound-checkconf.c | 24 | ||||
-rw-r--r-- | external/unbound/smallapp/unbound-control-setup.sh.in | 5 | ||||
-rw-r--r-- | external/unbound/smallapp/unbound-control.c | 85 | ||||
-rw-r--r-- | external/unbound/smallapp/unbound-host.c | 4 |
5 files changed, 83 insertions, 42 deletions
diff --git a/external/unbound/smallapp/unbound-anchor.c b/external/unbound/smallapp/unbound-anchor.c index 9df0d95b4..576a30f64 100644 --- a/external/unbound/smallapp/unbound-anchor.c +++ b/external/unbound/smallapp/unbound-anchor.c @@ -116,7 +116,7 @@ #include "config.h" #include "libunbound/unbound.h" -#include "ldns/rrdef.h" +#include "sldns/rrdef.h" #include <expat.h> #ifndef HAVE_EXPAT_H #error "need libexpat to parse root-anchors.xml file." @@ -915,7 +915,10 @@ read_data_chunk(SSL* ssl, size_t len) { size_t got = 0; int r; - char* data = malloc(len+1); + char* data; + if(len >= 0xfffffff0) + return NULL; /* to protect against integer overflow in malloc*/ + data = malloc(len+1); if(!data) { if(verb) printf("out of memory\n"); return NULL; diff --git a/external/unbound/smallapp/unbound-checkconf.c b/external/unbound/smallapp/unbound-checkconf.c index e83867f26..0524edeaa 100644 --- a/external/unbound/smallapp/unbound-checkconf.c +++ b/external/unbound/smallapp/unbound-checkconf.c @@ -53,7 +53,7 @@ #include "iterator/iter_hints.h" #include "validator/validator.h" #include "services/localzone.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #ifdef HAVE_GETOPT_H #include <getopt.h> #endif @@ -78,6 +78,7 @@ usage() printf(" Checks unbound configuration file for errors.\n"); printf("file if omitted %s is used.\n", CONFIGFILE); printf("-o option print value of option to stdout.\n"); + printf("-f output full pathname with chroot applied, eg. with -o pidfile.\n"); printf("-h show this usage help.\n"); printf("Version %s\n", PACKAGE_VERSION); printf("BSD licensed, see LICENSE in source package for details.\n"); @@ -90,10 +91,15 @@ usage() * @param cfg: config * @param opt: option name without trailing :. * This is different from config_set_option. + * @param final: if final pathname with chroot applied has to be printed. */ static void -print_option(struct config_file* cfg, const char* opt) +print_option(struct config_file* cfg, const char* opt, int final) { + if(strcmp(opt, "pidfile") == 0 && final) { + printf("%s\n", fname_after_chroot(cfg->pidfile, cfg, 1)); + return; + } if(!config_get_option(cfg, opt, config_print_func, stdout)) fatal_exit("cannot print option '%s'", opt); } @@ -416,7 +422,7 @@ morechecks(struct config_file* cfg, const char* fname) endpwent(); } #endif - if(cfg->remote_control_enable) { + if(cfg->remote_control_enable && cfg->remote_control_use_cert) { check_chroot_string("server-key-file", &cfg->server_key_file, cfg->chrootdir, cfg); check_chroot_string("server-cert-file", &cfg->server_cert_file, @@ -456,7 +462,7 @@ check_hints(struct config_file* cfg) /** check config file */ static void -checkconf(const char* cfgfile, const char* opt) +checkconf(const char* cfgfile, const char* opt, int final) { struct config_file* cfg = config_create(); if(!cfg) @@ -467,7 +473,7 @@ checkconf(const char* cfgfile, const char* opt) exit(1); } if(opt) { - print_option(cfg, opt); + print_option(cfg, opt, final); config_delete(cfg); return; } @@ -493,6 +499,7 @@ extern char* optarg; int main(int argc, char* argv[]) { int c; + int final = 0; const char* f; const char* opt = NULL; const char* cfgfile = CONFIGFILE; @@ -505,8 +512,11 @@ int main(int argc, char* argv[]) cfgfile = CONFIGFILE; #endif /* USE_WINSOCK */ /* parse the options */ - while( (c=getopt(argc, argv, "ho:")) != -1) { + while( (c=getopt(argc, argv, "fho:")) != -1) { switch(c) { + case 'f': + final = 1; + break; case 'o': opt = optarg; break; @@ -523,7 +533,7 @@ int main(int argc, char* argv[]) if(argc == 1) f = argv[0]; else f = cfgfile; - checkconf(f, opt); + checkconf(f, opt, final); checklock_stop(); return 0; } diff --git a/external/unbound/smallapp/unbound-control-setup.sh.in b/external/unbound/smallapp/unbound-control-setup.sh.in index 79605dc6f..682ab260a 100644 --- a/external/unbound/smallapp/unbound-control-setup.sh.in +++ b/external/unbound/smallapp/unbound-control-setup.sh.in @@ -36,8 +36,7 @@ # settings: # directory for files -prefix=@prefix@ -DESTDIR=@sysconfdir@/unbound +DESTDIR=@ub_conf_dir@ # issuer and subject name for certificates SERVERNAME=unbound @@ -47,7 +46,7 @@ CLIENTNAME=unbound-control DAYS=7200 # size of keys in bits -BITS=1536 +BITS=3072 # hash algorithm HASH=sha256 diff --git a/external/unbound/smallapp/unbound-control.c b/external/unbound/smallapp/unbound-control.c index ff86184a8..3b47d3bf8 100644 --- a/external/unbound/smallapp/unbound-control.c +++ b/external/unbound/smallapp/unbound-control.c @@ -59,6 +59,10 @@ #include "util/locks.h" #include "util/net_help.h" +#ifdef HAVE_SYS_UN_H +#include <sys/un.h> +#endif + /** Give unbound-control usage, and exit (1). */ static void usage() @@ -136,32 +140,40 @@ static void ssl_err(const char* s) static SSL_CTX* setup_ctx(struct config_file* cfg) { - char* s_cert, *c_key, *c_cert; + char* s_cert=NULL, *c_key=NULL, *c_cert=NULL; SSL_CTX* ctx; - s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1); - c_key = fname_after_chroot(cfg->control_key_file, cfg, 1); - c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1); - if(!s_cert || !c_key || !c_cert) - fatal_exit("out of memory"); + if(cfg->remote_control_use_cert) { + s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1); + c_key = fname_after_chroot(cfg->control_key_file, cfg, 1); + c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1); + if(!s_cert || !c_key || !c_cert) + fatal_exit("out of memory"); + } ctx = SSL_CTX_new(SSLv23_client_method()); if(!ctx) ssl_err("could not allocate SSL_CTX pointer"); if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) ssl_err("could not set SSL_OP_NO_SSLv2"); - if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) - ssl_err("could not set SSL_OP_NO_SSLv3"); - if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) || - !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) - || !SSL_CTX_check_private_key(ctx)) - ssl_err("Error setting up SSL_CTX client key and cert"); - if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) - ssl_err("Error setting up SSL_CTX verify, server cert"); - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + if(cfg->remote_control_use_cert) { + if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) + ssl_err("could not set SSL_OP_NO_SSLv3"); + if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) || + !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) + || !SSL_CTX_check_private_key(ctx)) + ssl_err("Error setting up SSL_CTX client key and cert"); + if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) + ssl_err("Error setting up SSL_CTX verify, server cert"); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); - free(s_cert); - free(c_key); - free(c_cert); + free(s_cert); + free(c_key); + free(c_cert); + } else { + /* Use ciphers that don't require authentication */ + if(!SSL_CTX_set_cipher_list(ctx, "aNULL")) + ssl_err("Error setting NULL cipher!"); + } return ctx; } @@ -171,6 +183,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd) { struct sockaddr_storage addr; socklen_t addrlen; + int addrfamily = 0; int fd; /* use svr or the first config entry */ if(!svr) { @@ -189,12 +202,25 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd) if(strchr(svr, '@')) { if(!extstrtoaddr(svr, &addr, &addrlen)) fatal_exit("could not parse IP@port: %s", svr); +#ifdef HAVE_SYS_UN_H + } else if(svr[0] == '/') { + struct sockaddr_un* usock = (struct sockaddr_un *) &addr; + usock->sun_family = AF_LOCAL; +#ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN + usock->sun_len = (socklen_t)sizeof(usock); +#endif + (void)strlcpy(usock->sun_path, svr, sizeof(usock->sun_path)); + addrlen = (socklen_t)sizeof(struct sockaddr_un); + addrfamily = AF_LOCAL; +#endif } else { if(!ipstrtoaddr(svr, cfg->control_port, &addr, &addrlen)) fatal_exit("could not parse IP: %s", svr); } - fd = socket(addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET, - SOCK_STREAM, 0); + + if(addrfamily == 0) + addrfamily = addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET; + fd = socket(addrfamily, SOCK_STREAM, 0); if(fd == -1) { #ifndef USE_WINSOCK fatal_exit("socket: %s", strerror(errno)); @@ -223,7 +249,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd) /** setup SSL on the connection */ static SSL* -setup_ssl(SSL_CTX* ctx, int fd) +setup_ssl(SSL_CTX* ctx, int fd, struct config_file* cfg) { SSL* ssl; X509* x; @@ -249,10 +275,13 @@ setup_ssl(SSL_CTX* ctx, int fd) /* check authenticity of server */ if(SSL_get_verify_result(ssl) != X509_V_OK) ssl_err("SSL verification failed"); - x = SSL_get_peer_certificate(ssl); - if(!x) - ssl_err("Server presented no peer certificate"); - X509_free(x); + if(cfg->remote_control_use_cert) { + x = SSL_get_peer_certificate(ssl); + if(!x) + ssl_err("Server presented no peer certificate"); + X509_free(x); + } + return ssl; } @@ -330,11 +359,11 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[]) if(!cfg->remote_control_enable) log_warn("control-enable is 'no' in the config file."); ctx = setup_ctx(cfg); - + /* contact server */ fd = contact_server(svr, cfg, argc>0&&strcmp(argv[0],"status")==0); - ssl = setup_ssl(ctx, fd); - + ssl = setup_ssl(ctx, fd, cfg); + /* send command */ ret = go_cmd(ssl, quiet, argc, argv); diff --git a/external/unbound/smallapp/unbound-host.c b/external/unbound/smallapp/unbound-host.c index 959734109..30fef51fd 100644 --- a/external/unbound/smallapp/unbound-host.c +++ b/external/unbound/smallapp/unbound-host.c @@ -60,8 +60,8 @@ #define unbound_lite_wrapstr(s) s #endif #include "libunbound/unbound.h" -#include "ldns/rrdef.h" -#include "ldns/wire2str.h" +#include "sldns/rrdef.h" +#include "sldns/wire2str.h" #ifdef HAVE_NSS /* nss3 */ #include "nss.h" |