aboutsummaryrefslogtreecommitdiff
path: root/external/unbound/smallapp
diff options
context:
space:
mode:
Diffstat (limited to 'external/unbound/smallapp')
-rw-r--r--external/unbound/smallapp/unbound-anchor.c7
-rw-r--r--external/unbound/smallapp/unbound-checkconf.c24
-rw-r--r--external/unbound/smallapp/unbound-control-setup.sh.in5
-rw-r--r--external/unbound/smallapp/unbound-control.c85
-rw-r--r--external/unbound/smallapp/unbound-host.c4
5 files changed, 83 insertions, 42 deletions
diff --git a/external/unbound/smallapp/unbound-anchor.c b/external/unbound/smallapp/unbound-anchor.c
index 9df0d95b4..576a30f64 100644
--- a/external/unbound/smallapp/unbound-anchor.c
+++ b/external/unbound/smallapp/unbound-anchor.c
@@ -116,7 +116,7 @@
#include "config.h"
#include "libunbound/unbound.h"
-#include "ldns/rrdef.h"
+#include "sldns/rrdef.h"
#include <expat.h>
#ifndef HAVE_EXPAT_H
#error "need libexpat to parse root-anchors.xml file."
@@ -915,7 +915,10 @@ read_data_chunk(SSL* ssl, size_t len)
{
size_t got = 0;
int r;
- char* data = malloc(len+1);
+ char* data;
+ if(len >= 0xfffffff0)
+ return NULL; /* to protect against integer overflow in malloc*/
+ data = malloc(len+1);
if(!data) {
if(verb) printf("out of memory\n");
return NULL;
diff --git a/external/unbound/smallapp/unbound-checkconf.c b/external/unbound/smallapp/unbound-checkconf.c
index e83867f26..0524edeaa 100644
--- a/external/unbound/smallapp/unbound-checkconf.c
+++ b/external/unbound/smallapp/unbound-checkconf.c
@@ -53,7 +53,7 @@
#include "iterator/iter_hints.h"
#include "validator/validator.h"
#include "services/localzone.h"
-#include "ldns/sbuffer.h"
+#include "sldns/sbuffer.h"
#ifdef HAVE_GETOPT_H
#include <getopt.h>
#endif
@@ -78,6 +78,7 @@ usage()
printf(" Checks unbound configuration file for errors.\n");
printf("file if omitted %s is used.\n", CONFIGFILE);
printf("-o option print value of option to stdout.\n");
+ printf("-f output full pathname with chroot applied, eg. with -o pidfile.\n");
printf("-h show this usage help.\n");
printf("Version %s\n", PACKAGE_VERSION);
printf("BSD licensed, see LICENSE in source package for details.\n");
@@ -90,10 +91,15 @@ usage()
* @param cfg: config
* @param opt: option name without trailing :.
* This is different from config_set_option.
+ * @param final: if final pathname with chroot applied has to be printed.
*/
static void
-print_option(struct config_file* cfg, const char* opt)
+print_option(struct config_file* cfg, const char* opt, int final)
{
+ if(strcmp(opt, "pidfile") == 0 && final) {
+ printf("%s\n", fname_after_chroot(cfg->pidfile, cfg, 1));
+ return;
+ }
if(!config_get_option(cfg, opt, config_print_func, stdout))
fatal_exit("cannot print option '%s'", opt);
}
@@ -416,7 +422,7 @@ morechecks(struct config_file* cfg, const char* fname)
endpwent();
}
#endif
- if(cfg->remote_control_enable) {
+ if(cfg->remote_control_enable && cfg->remote_control_use_cert) {
check_chroot_string("server-key-file", &cfg->server_key_file,
cfg->chrootdir, cfg);
check_chroot_string("server-cert-file", &cfg->server_cert_file,
@@ -456,7 +462,7 @@ check_hints(struct config_file* cfg)
/** check config file */
static void
-checkconf(const char* cfgfile, const char* opt)
+checkconf(const char* cfgfile, const char* opt, int final)
{
struct config_file* cfg = config_create();
if(!cfg)
@@ -467,7 +473,7 @@ checkconf(const char* cfgfile, const char* opt)
exit(1);
}
if(opt) {
- print_option(cfg, opt);
+ print_option(cfg, opt, final);
config_delete(cfg);
return;
}
@@ -493,6 +499,7 @@ extern char* optarg;
int main(int argc, char* argv[])
{
int c;
+ int final = 0;
const char* f;
const char* opt = NULL;
const char* cfgfile = CONFIGFILE;
@@ -505,8 +512,11 @@ int main(int argc, char* argv[])
cfgfile = CONFIGFILE;
#endif /* USE_WINSOCK */
/* parse the options */
- while( (c=getopt(argc, argv, "ho:")) != -1) {
+ while( (c=getopt(argc, argv, "fho:")) != -1) {
switch(c) {
+ case 'f':
+ final = 1;
+ break;
case 'o':
opt = optarg;
break;
@@ -523,7 +533,7 @@ int main(int argc, char* argv[])
if(argc == 1)
f = argv[0];
else f = cfgfile;
- checkconf(f, opt);
+ checkconf(f, opt, final);
checklock_stop();
return 0;
}
diff --git a/external/unbound/smallapp/unbound-control-setup.sh.in b/external/unbound/smallapp/unbound-control-setup.sh.in
index 79605dc6f..682ab260a 100644
--- a/external/unbound/smallapp/unbound-control-setup.sh.in
+++ b/external/unbound/smallapp/unbound-control-setup.sh.in
@@ -36,8 +36,7 @@
# settings:
# directory for files
-prefix=@prefix@
-DESTDIR=@sysconfdir@/unbound
+DESTDIR=@ub_conf_dir@
# issuer and subject name for certificates
SERVERNAME=unbound
@@ -47,7 +46,7 @@ CLIENTNAME=unbound-control
DAYS=7200
# size of keys in bits
-BITS=1536
+BITS=3072
# hash algorithm
HASH=sha256
diff --git a/external/unbound/smallapp/unbound-control.c b/external/unbound/smallapp/unbound-control.c
index ff86184a8..3b47d3bf8 100644
--- a/external/unbound/smallapp/unbound-control.c
+++ b/external/unbound/smallapp/unbound-control.c
@@ -59,6 +59,10 @@
#include "util/locks.h"
#include "util/net_help.h"
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+
/** Give unbound-control usage, and exit (1). */
static void
usage()
@@ -136,32 +140,40 @@ static void ssl_err(const char* s)
static SSL_CTX*
setup_ctx(struct config_file* cfg)
{
- char* s_cert, *c_key, *c_cert;
+ char* s_cert=NULL, *c_key=NULL, *c_cert=NULL;
SSL_CTX* ctx;
- s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
- c_key = fname_after_chroot(cfg->control_key_file, cfg, 1);
- c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1);
- if(!s_cert || !c_key || !c_cert)
- fatal_exit("out of memory");
+ if(cfg->remote_control_use_cert) {
+ s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
+ c_key = fname_after_chroot(cfg->control_key_file, cfg, 1);
+ c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1);
+ if(!s_cert || !c_key || !c_cert)
+ fatal_exit("out of memory");
+ }
ctx = SSL_CTX_new(SSLv23_client_method());
if(!ctx)
ssl_err("could not allocate SSL_CTX pointer");
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
ssl_err("could not set SSL_OP_NO_SSLv2");
- if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
- ssl_err("could not set SSL_OP_NO_SSLv3");
- if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
- !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
- || !SSL_CTX_check_private_key(ctx))
- ssl_err("Error setting up SSL_CTX client key and cert");
- if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1)
- ssl_err("Error setting up SSL_CTX verify, server cert");
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ if(cfg->remote_control_use_cert) {
+ if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
+ ssl_err("could not set SSL_OP_NO_SSLv3");
+ if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
+ !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
+ || !SSL_CTX_check_private_key(ctx))
+ ssl_err("Error setting up SSL_CTX client key and cert");
+ if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1)
+ ssl_err("Error setting up SSL_CTX verify, server cert");
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
- free(s_cert);
- free(c_key);
- free(c_cert);
+ free(s_cert);
+ free(c_key);
+ free(c_cert);
+ } else {
+ /* Use ciphers that don't require authentication */
+ if(!SSL_CTX_set_cipher_list(ctx, "aNULL"))
+ ssl_err("Error setting NULL cipher!");
+ }
return ctx;
}
@@ -171,6 +183,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
{
struct sockaddr_storage addr;
socklen_t addrlen;
+ int addrfamily = 0;
int fd;
/* use svr or the first config entry */
if(!svr) {
@@ -189,12 +202,25 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
if(strchr(svr, '@')) {
if(!extstrtoaddr(svr, &addr, &addrlen))
fatal_exit("could not parse IP@port: %s", svr);
+#ifdef HAVE_SYS_UN_H
+ } else if(svr[0] == '/') {
+ struct sockaddr_un* usock = (struct sockaddr_un *) &addr;
+ usock->sun_family = AF_LOCAL;
+#ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN
+ usock->sun_len = (socklen_t)sizeof(usock);
+#endif
+ (void)strlcpy(usock->sun_path, svr, sizeof(usock->sun_path));
+ addrlen = (socklen_t)sizeof(struct sockaddr_un);
+ addrfamily = AF_LOCAL;
+#endif
} else {
if(!ipstrtoaddr(svr, cfg->control_port, &addr, &addrlen))
fatal_exit("could not parse IP: %s", svr);
}
- fd = socket(addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET,
- SOCK_STREAM, 0);
+
+ if(addrfamily == 0)
+ addrfamily = addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET;
+ fd = socket(addrfamily, SOCK_STREAM, 0);
if(fd == -1) {
#ifndef USE_WINSOCK
fatal_exit("socket: %s", strerror(errno));
@@ -223,7 +249,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
/** setup SSL on the connection */
static SSL*
-setup_ssl(SSL_CTX* ctx, int fd)
+setup_ssl(SSL_CTX* ctx, int fd, struct config_file* cfg)
{
SSL* ssl;
X509* x;
@@ -249,10 +275,13 @@ setup_ssl(SSL_CTX* ctx, int fd)
/* check authenticity of server */
if(SSL_get_verify_result(ssl) != X509_V_OK)
ssl_err("SSL verification failed");
- x = SSL_get_peer_certificate(ssl);
- if(!x)
- ssl_err("Server presented no peer certificate");
- X509_free(x);
+ if(cfg->remote_control_use_cert) {
+ x = SSL_get_peer_certificate(ssl);
+ if(!x)
+ ssl_err("Server presented no peer certificate");
+ X509_free(x);
+ }
+
return ssl;
}
@@ -330,11 +359,11 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
if(!cfg->remote_control_enable)
log_warn("control-enable is 'no' in the config file.");
ctx = setup_ctx(cfg);
-
+
/* contact server */
fd = contact_server(svr, cfg, argc>0&&strcmp(argv[0],"status")==0);
- ssl = setup_ssl(ctx, fd);
-
+ ssl = setup_ssl(ctx, fd, cfg);
+
/* send command */
ret = go_cmd(ssl, quiet, argc, argv);
diff --git a/external/unbound/smallapp/unbound-host.c b/external/unbound/smallapp/unbound-host.c
index 959734109..30fef51fd 100644
--- a/external/unbound/smallapp/unbound-host.c
+++ b/external/unbound/smallapp/unbound-host.c
@@ -60,8 +60,8 @@
#define unbound_lite_wrapstr(s) s
#endif
#include "libunbound/unbound.h"
-#include "ldns/rrdef.h"
-#include "ldns/wire2str.h"
+#include "sldns/rrdef.h"
+#include "sldns/wire2str.h"
#ifdef HAVE_NSS
/* nss3 */
#include "nss.h"