MFV (r277045): merge upstream version of the local socket patch.

This commit is contained in:
Dag-Erling Smørgrav 2015-01-12 09:46:49 +00:00
commit 748bd82957
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=277057
14 changed files with 859 additions and 744 deletions


@ -351,6 +351,9 @@
/* Define to 1 if `ipi_spec_dst' is a member of `struct in_pktinfo'. */ /* Define to 1 if `ipi_spec_dst' is a member of `struct in_pktinfo'. */
/* #undef HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST */ /* #undef HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST */
/* Define to 1 if `sun_len' is a member of `struct sockaddr_un'. */
#define HAVE_STRUCT_SOCKADDR_UN_SUN_LEN 1
/* Define if you have Swig libraries and header files. */ /* Define if you have Swig libraries and header files. */
/* #undef HAVE_SWIG */ /* #undef HAVE_SWIG */


@ -350,6 +350,9 @@
/* Define to 1 if `ipi_spec_dst' is a member of `struct in_pktinfo'. */ /* Define to 1 if `ipi_spec_dst' is a member of `struct in_pktinfo'. */
#undef HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST #undef HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST
/* Define to 1 if `sun_len' is a member of `struct sockaddr_un'. */
#undef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN
/* Define if you have Swig libraries and header files. */ /* Define if you have Swig libraries and header files. */
#undef HAVE_SWIG #undef HAVE_SWIG



@ -938,6 +938,12 @@ if test $ac_cv_func_daemon = yes; then
]) ])
fi fi
AC_CHECK_MEMBERS([struct sockaddr_un.sun_len],,,[
AC_INCLUDES_DEFAULT
#ifdef HAVE_SYS_UN_H
#include <sys/un.h>
#endif
])
AC_CHECK_MEMBERS([struct in_pktinfo.ipi_spec_dst],,,[ AC_CHECK_MEMBERS([struct in_pktinfo.ipi_spec_dst],,,[
AC_INCLUDES_DEFAULT AC_INCLUDES_DEFAULT
#if HAVE_SYS_PARAM_H #if HAVE_SYS_PARAM_H


@ -142,6 +142,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
* The following function was generated using the openssl utility, using * The following function was generated using the openssl utility, using
* the command : "openssl dhparam -dsaparam -C 512" * the command : "openssl dhparam -dsaparam -C 512"
*/ */
#ifndef S_SPLINT_S
DH *get_dh512() DH *get_dh512()
{ {
static unsigned char dh512_p[]={ static unsigned char dh512_p[]={
@ -170,6 +171,7 @@ DH *get_dh512()
dh->length = 160; dh->length = 160;
return(dh); return(dh);
} }
#endif /* SPLINT */
struct daemon_remote* struct daemon_remote*
daemon_remote_create(struct config_file* cfg) daemon_remote_create(struct config_file* cfg)
@ -299,6 +301,7 @@ void daemon_remote_delete(struct daemon_remote* rc)
* @param nr: port nr * @param nr: port nr
* @param list: list head * @param list: list head
* @param noproto_is_err: if lack of protocol support is an error. * @param noproto_is_err: if lack of protocol support is an error.
* @param cfg: config with username for chown of unix-sockets.
* @return false on failure. * @return false on failure.
*/ */
static int static int
@ -326,7 +329,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
if(fd != -1) { if(fd != -1) {
if (cfg->username && cfg->username[0]) if (cfg->username && cfg->username[0])
chown(ip, cfg->uid, cfg->gid); chown(ip, cfg->uid, cfg->gid);
chmod(ip, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
} }
} else { } else {
hints.ai_socktype = SOCK_STREAM; hints.ai_socktype = SOCK_STREAM;
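Review bot: The return values of chown() and chmod() on the unix-socket path inside `if(fd != -1)` are discarded, so a failure to hand the socket to cfg->uid/cfg->gid or to tighten its mode to 0660 goes unlogged and the daemon keeps running with whatever owner and umask-derived mode the bind produced. Logging keeps the misconfiguration visible: `if(chown(ip, cfg->uid, cfg->gid) != 0) log_err("cannot chown %s: %s", ip, strerror(errno));` and the same pattern for the chmod line. There is also a short window between the bind (outside this hunk) and the chmod in which the path exists with the process umask permissions; a restrictive umask around the bind closes it. add_open's body starts before this hunk.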


@ -441,8 +441,6 @@ static void
perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
const char** cfgfile) const char** cfgfile)
{ {
log_assert(cfg);
#ifdef HAVE_GETPWNAM #ifdef HAVE_GETPWNAM
struct passwd *pwd = NULL; struct passwd *pwd = NULL;
@ -653,6 +651,7 @@ run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode)
log_warn("Continuing with default config settings"); log_warn("Continuing with default config settings");
} }
apply_settings(daemon, cfg, cmdline_verbose, debug_mode); apply_settings(daemon, cfg, cmdline_verbose, debug_mode);
config_lookup_uid(cfg);
/* prepare */ /* prepare */
if(!daemon_open_shared_ports(daemon)) if(!daemon_open_shared_ports(daemon))
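Review bot: The new `config_lookup_uid(cfg);` call in run_daemon has no way to report failure, so if the configured username cannot be resolved the daemon still proceeds to daemon_open_shared_ports(), and the add_open() hunk in daemon/remote.c will chown control sockets with whatever cfg->uid and cfg->gid happen to hold. Either give config_lookup_uid an int return that this call site checks before opening sockets, or add a comment here, `/* failure is only logged; uid/gid keep their previous values */`, so the behaviour is explicit. run_daemon's body extends beyond this hunk.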


@ -1,6 +1,11 @@
8 December 2014: Wouter 8 December 2014: Wouter
- Fix CVE-2014-8602: denial of service by making resolver chase - Fix CVE-2014-8602: denial of service by making resolver chase
endless series of delegations. endless series of delegations.
- patch for remote control over local sockets, from Dag-Erling
Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
control-use-cert: no.
- Fixup that patch and uid lookup (only for daemon).
- coded the default of control-use-cert, to yes.
1 December 2014: Wouter 1 December 2014: Wouter
- Fix bug#632: unbound fails to build on AArch64, protects - Fix bug#632: unbound fails to build on AArch64, protects


@ -976,7 +976,7 @@ default is 8953.
If you change this and permissions have been dropped, you must restart If you change this and permissions have been dropped, you must restart
the server for the change to take effect. the server for the change to take effect.
.TP 5 .TP 5
.B control-use-cert: \fI<yes or no> .B control\-use\-cert: \fI<yes or no>
Whether to require certificate authentication of control connections. Whether to require certificate authentication of control connections.
The default is "yes". The default is "yes".
This should not be changed unless there are other mechanisms in place This should not be changed unless there are other mechanisms in place


@ -976,7 +976,7 @@ default is 8953.
If you change this and permissions have been dropped, you must restart If you change this and permissions have been dropped, you must restart
the server for the change to take effect. the server for the change to take effect.
.TP 5 .TP 5
.B control-use-cert: \fI<yes or no> .B control\-use\-cert: \fI<yes or no>
Whether to require certificate authentication of control connections. Whether to require certificate authentication of control connections.
The default is "yes". The default is "yes".
This should not be changed unless there are other mechanisms in place This should not be changed unless there are other mechanisms in place


@ -576,15 +576,19 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
} }
int int
create_local_accept_sock(char *path, int* noproto) create_local_accept_sock(const char *path, int* noproto)
{ {
#ifdef HAVE_SYS_UN_H #ifdef HAVE_SYS_UN_H
int s; int s;
struct sockaddr_un sun; struct sockaddr_un sun;
sun.sun_len = sizeof(sun); #ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN
/* this member exists on BSDs, not Linux */
sun.sun_len = (sa_family_t)sizeof(sun);
#endif
sun.sun_family = AF_LOCAL; sun.sun_family = AF_LOCAL;
strlcpy(sun.sun_path, path, 104); /* length is 92-108, 104 on FreeBSD */
(void)strlcpy(sun.sun_path, path, sizeof(sun.sun_path));
if ((s = socket(PF_LOCAL, SOCK_STREAM, 0)) == -1) { if ((s = socket(PF_LOCAL, SOCK_STREAM, 0)) == -1) {
log_err("Cannot create local socket %s (%s)", log_err("Cannot create local socket %s (%s)",
@ -600,7 +604,7 @@ create_local_accept_sock(char *path, int* noproto)
} }
if (bind(s, (struct sockaddr *)&sun, if (bind(s, (struct sockaddr *)&sun,
sizeof(struct sockaddr_un)) == -1) { (socklen_t)sizeof(struct sockaddr_un)) == -1) {
log_err("Cannot bind local socket %s (%s)", log_err("Cannot bind local socket %s (%s)",
path, strerror(errno)); path, strerror(errno));
return -1; return -1;
@ -616,6 +620,7 @@ create_local_accept_sock(char *path, int* noproto)
return -1; return -1;
} }
(void)noproto; /*unused*/
return s; return s;
#else #else
log_err("Local sockets are not supported"); log_err("Local sockets are not supported");
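Review bot: The strlcpy() result in create_local_accept_sock is cast to void, so a control-interface path longer than sizeof(sun.sun_path) is silently truncated and the socket is bound at a different path than the one configured, while the later log messages still report `path`. Check the return and refuse the path: `if(strlcpy(sun.sun_path, path, sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) { log_err("local socket path too long: %s", path); return -1; }`. Separately, the `return -1` after a failed bind() in the second hunk leaves the descriptor s open; a close(s) before returning avoids leaking it, and a `memset(&sun, 0, sizeof(sun));` before the fields are filled avoids passing uninitialized tail bytes to bind(). The function continues past the last hunk.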


@ -214,6 +214,6 @@ int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
* are not supported. * are not supported.
* @return: the socket. -1 on error. * @return: the socket. -1 on error.
*/ */
int create_local_accept_sock(char* path, int* noproto); int create_local_accept_sock(const char* path, int* noproto);
#endif /* LISTEN_DNSPORT_H */ #endif /* LISTEN_DNSPORT_H */


@ -140,7 +140,7 @@ static void ssl_err(const char* s)
static SSL_CTX* static SSL_CTX*
setup_ctx(struct config_file* cfg) setup_ctx(struct config_file* cfg)
{ {
char* s_cert, *c_key, *c_cert; char* s_cert=NULL, *c_key=NULL, *c_cert=NULL;
SSL_CTX* ctx; SSL_CTX* ctx;
if(cfg->remote_control_use_cert) { if(cfg->remote_control_use_cert) {
@ -206,9 +206,11 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
} else if(svr[0] == '/') { } else if(svr[0] == '/') {
struct sockaddr_un* sun = (struct sockaddr_un *) &addr; struct sockaddr_un* sun = (struct sockaddr_un *) &addr;
sun->sun_family = AF_LOCAL; sun->sun_family = AF_LOCAL;
sun->sun_len = sizeof(sun); #ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN
strlcpy(sun->sun_path, svr, 104); sun->sun_len = (sa_family_t)sizeof(sun);
addrlen = sizeof(struct sockaddr_un); #endif
(void)strlcpy(sun->sun_path, svr, sizeof(sun->sun_path));
addrlen = (socklen_t)sizeof(struct sockaddr_un);
addrfamily = AF_LOCAL; addrfamily = AF_LOCAL;
#endif #endif
} else { } else {
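Review bot: `sun->sun_len = (sa_family_t)sizeof(sun);` sizes the address by the pointer, not the structure: `sun` is a `struct sockaddr_un*`, so sizeof(sun) is the pointer width rather than sizeof(struct sockaddr_un), and the line should read `sun->sun_len = (sa_family_t)sizeof(*sun);` (the listen_dnsport.c hunk, where sun is a struct, gets this right). Whether the kernel honours sun_len or the explicit addrlen passed to connect is platform-dependent, so the wrong value may go unnoticed on one system and fail on another. The strlcpy() return is also discarded here, so an over-long path is silently truncated; comparing it against sizeof(sun->sun_path) and reporting the error keeps unbound-control from connecting to the wrong path. contact_server's body lies mostly outside this hunk.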


@ -201,6 +201,7 @@ config_create(void)
cfg->remote_control_enable = 0; cfg->remote_control_enable = 0;
cfg->control_ifs = NULL; cfg->control_ifs = NULL;
cfg->control_port = UNBOUND_CONTROL_PORT; cfg->control_port = UNBOUND_CONTROL_PORT;
cfg->remote_control_use_cert = 1;
cfg->minimal_responses = 0; cfg->minimal_responses = 0;
cfg->rrset_roundrobin = 0; cfg->rrset_roundrobin = 0;
cfg->max_udp_size = 4096; cfg->max_udp_size = 4096;
@ -805,16 +806,6 @@ config_read(struct config_file* cfg, const char* filename, const char* chroot)
return 0; return 0;
} }
#ifdef HAVE_GETPWNAM
/* translate username into uid and gid */
if(cfg->username && cfg->username[0]) {
struct passwd *pwd;
if((pwd = getpwnam(cfg->username)) == NULL)
log_err("user '%s' does not exist.", cfg->username);
cfg->uid = pwd->pw_uid;
cfg->gid = pwd->pw_gid;
}
#endif
return 1; return 1;
} }
@ -1203,6 +1194,20 @@ config_apply(struct config_file* config)
log_set_time_asc(config->log_time_ascii); log_set_time_asc(config->log_time_ascii);
} }
void config_lookup_uid(struct config_file* cfg)
{
#ifdef HAVE_GETPWNAM
/* translate username into uid and gid */
if(cfg->username && cfg->username[0]) {
struct passwd *pwd;
if((pwd = getpwnam(cfg->username)) == NULL)
log_err("user '%s' does not exist.", cfg->username);
cfg->uid = pwd->pw_uid;
cfg->gid = pwd->pw_gid;
}
#endif
}
/** /**
* Calculate string length of full pathname in original filesys * Calculate string length of full pathname in original filesys
* @param fname: the path name to convert. * @param fname: the path name to convert.
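Review bot: config_lookup_uid dereferences `pwd` after getpwnam() has returned NULL: the failure branch only logs, then `cfg->uid = pwd->pw_uid;` runs unconditionally, so an unknown username crashes the daemon during startup instead of producing a clean error. Return after logging: `if((pwd = getpwnam(cfg->username)) == NULL) { log_err("user '%s' does not exist.", cfg->username); return; }`. Because the function returns void, run_daemon (the daemon/unbound.c hunk) cannot tell that the lookup failed either; an int return would let it abort before opening sockets.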


@ -426,6 +426,12 @@ void config_delete(struct config_file* config);
*/ */
void config_apply(struct config_file* config); void config_apply(struct config_file* config);
/**
* Find username, sets uid and gid.
* @param config: the config structure.
*/
void config_lookup_uid(struct config_file* config);
/** /**
* Set the given keyword to the given value. * Set the given keyword to the given value.
* @param config: where to store config * @param config: where to store config