Own branch of Oasis Linux (upstream: <https://git.sr.ht/~mcf/oasis/>) git clone https://anongit.hacktivis.me/git/oasis.git

0004-Allow-building-daemon-without-TLS-support.patch (13314B)


  1. From b69e788f3c4b8c3dbdb8d272630fe0616f43406f Mon Sep 17 00:00:00 2001
  2. From: Michael Forney <mforney@mforney.org>
  3. Date: Wed, 1 Dec 2021 13:57:48 -0800
  4. Subject: [PATCH] Allow building daemon without TLS support
  5. ---
  6. configure | 11 ---------
  7. configure.ac | 11 ---------
  8. daemon/cachedump.c | 2 ++
  9. daemon/remote.c | 46 +++++++++++++++++++++++++++++++++-----
  10. daemon/remote.h | 2 --
  11. daemon/unbound.c | 9 +++++---
  12. smallapp/unbound-control.c | 44 +++++++++++++++++++++++++++++++-----
  13. 7 files changed, 86 insertions(+), 39 deletions(-)
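--- a/configure
+++ b/configure
@@ -21739,17 +21739,6 @@ if test "${with_libunbound_only+set}" = set; then :
 fi
-if test $ALLTARGET = "alltargets"; then
- if test $USE_NSS = "yes"; then
- as_fn_error $? "--with-nss can only be used in combination with --with-libunbound-only." "$LINENO" 5
- fi
- if test $USE_NETTLE = "yes"; then
- as_fn_error $? "--with-nettle can only be used in combination with --with-libunbound-only." "$LINENO" 5
- fi
- if test $USE_BEARSSL = "yes"; then
- as_fn_error $? "--with-bearssl can only be used in combination with --with-libunbound-only." "$LINENO" 5
- fi
-fi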
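--- a/configure.ac
+++ b/configure.ac
@@ -1955,17 +1955,6 @@ AC_ARG_WITH(libunbound-only, AS_HELP_STRING([--with-libunbound-only],[do not bui
 INSTALLTARGET="install-lib"
 fi
 ])
-if test $ALLTARGET = "alltargets"; then
- if test $USE_NSS = "yes"; then
- AC_MSG_ERROR([--with-nss can only be used in combination with --with-libunbound-only.])
- fi
- if test $USE_NETTLE = "yes"; then
- AC_MSG_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])
- fi
- if test $USE_BEARSSL = "yes"; then
- AC_MSG_ERROR([--with-bearssl can only be used in combination with --with-libunbound-only.])
- fi
-fi
 AC_SUBST(ALLTARGET)
 AC_SUBST(INSTALLTARGET)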
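--- a/daemon/cachedump.c
+++ b/daemon/cachedump.c
@@ -40,7 +40,9 @@
 * to text format.
 */
 #include "config.h"
+#ifdef HAVE_SSL
 #include <openssl/ssl.h>
+#endif
 #include "daemon/cachedump.h"
 #include "daemon/remote.h"
 #include "daemon/worker.h"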
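--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -149,6 +149,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
 #endif
 }
+#ifdef HAVE_SSL
 static int
 remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
 {
@@ -199,6 +200,7 @@ remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
 free(s_key);
 return 1;
 }
+#endif
 struct daemon_remote*
 daemon_remote_create(struct config_file* cfg)
@@ -211,19 +213,25 @@ daemon_remote_create(struct config_file* cfg)
 }
 rc->max_active = 10;
+#ifdef HAVE_SSL
+ rc->ctx = NULL;
+#endif
 if(!cfg->remote_control_enable) {
- rc->ctx = NULL;
 return rc;
 }
 if(options_remote_is_address(cfg) && cfg->control_use_cert) {
+#ifdef HAVE_SSL
 if(!remote_setup_ctx(rc, cfg)) {
 daemon_remote_delete(rc);
 return NULL;
 }
 rc->use_cert = 1;
+#else
+ log_err("unbound built without TLS support");
+ return NULL;
+#endif
 } else {
 struct config_strlist* p;
- rc->ctx = NULL;
 rc->use_cert = 0;
 if(!options_remote_is_address(cfg))
 for(p = cfg->control_ifs.first; p; p = p->next) {
@@ -245,8 +253,10 @@ void daemon_remote_clear(struct daemon_remote* rc)
 p = rc->busy_list;
 while(p) {
 np = p->next;
+#ifdef HAVE_SSL
 if(p->ssl)
 SSL_free(p->ssl);
+#endif
 comm_point_delete(p->c);
 free(p);
 p = np;
@@ -260,9 +270,11 @@ void daemon_remote_delete(struct daemon_remote* rc)
 {
 if(!rc) return;
 daemon_remote_clear(rc);
+#ifdef HAVE_SSL
 if(rc->ctx) {
 SSL_CTX_free(rc->ctx);
 }
+#endif
 free(rc);
 }
@@ -496,6 +508,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
 comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT);
 memcpy(&n->c->repinfo.addr, &addr, addrlen);
 n->c->repinfo.addrlen = addrlen;
+#ifdef HAVE_SSL
 if(rc->use_cert) {
 n->shake_state = rc_hs_read;
 n->ssl = SSL_new(rc->ctx);
@@ -517,6 +530,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
 } else {
 n->ssl = NULL;
 }
+#endif
 n->rc = rc;
 n->next = rc->busy_list;
@@ -548,10 +562,12 @@ clean_point(struct daemon_remote* rc, struct rc_state* s)
 {
 state_list_remove_elem(&rc->busy_list, s->c);
 rc->active --;
+#ifdef HAVE_SSL
 if(s->ssl) {
 SSL_shutdown(s->ssl);
 SSL_free(s->ssl);
 }
+#endif
 comm_point_delete(s->c);
 free(s);
 }
@@ -562,6 +578,7 @@ ssl_print_text(RES* res, const char* text)
 int r;
 if(!res)
 return 0;
+#ifdef HAVE_SSL
 if(res->ssl) {
 ERR_clear_error();
 if((r=SSL_write(res->ssl, text, (int)strlen(text))) <= 0) {
@@ -573,7 +590,9 @@ ssl_print_text(RES* res, const char* text)
 log_crypto_err("could not SSL_write");
 return 0;
 }
- } else {
+ } else
+#endif
+ {
 size_t at = 0;
 while(at < strlen(text)) {
 ssize_t r = send(res->fd, text+at, strlen(text)-at, 0);
@@ -618,6 +637,7 @@ ssl_read_line(RES* res, char* buf, size_t max)
 if(!res)
 return 0;
 while(len < max) {
+#ifdef HAVE_SSL
 if(res->ssl) {
 ERR_clear_error();
 if((r=SSL_read(res->ssl, buf+len, 1)) <= 0) {
@@ -628,7 +648,9 @@ ssl_read_line(RES* res, char* buf, size_t max)
 log_crypto_err("could not SSL_read");
 return 0;
 }
- } else {
+ } else
+#endif
+ {
 while(1) {
 ssize_t rr = recv(res->fd, buf+len, 1, 0);
 if(rr <= 0) {
@@ -3232,6 +3254,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
 fd_set_block(s->c->fd);
 /* try to read magic UBCT[version]_space_ string */
+#ifdef HAVE_SSL
 if(res->ssl) {
 ERR_clear_error();
 if((r=SSL_read(res->ssl, magic, (int)sizeof(magic)-1)) <= 0) {
@@ -3240,7 +3263,9 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
 log_crypto_err("could not SSL_read");
 return;
 }
- } else {
+ } else
+#endif
+ {
 while(1) {
 ssize_t rr = recv(res->fd, magic, sizeof(magic)-1, 0);
 if(rr <= 0) {
@@ -3278,6 +3303,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
 execute_cmd(rc, res, buf, rc->worker);
 }
+#ifdef HAVE_SSL
 /** handle SSL_do_handshake changes to the file descriptor to wait for later */
 static int
 remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
@@ -3309,6 +3335,7 @@ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
 }
 return 0;
 }
+#endif
 int remote_control_callback(struct comm_point* c, void* arg, int err,
 struct comm_reply* ATTR_UNUSED(rep))
@@ -3323,6 +3350,7 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
 clean_point(rc, s);
 return 0;
 }
+#ifdef HAVE_SSL
 if(s->ssl) {
 /* (continue to) setup the SSL connection */
 ERR_clear_error();
@@ -3333,11 +3361,14 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
 }
 s->shake_state = rc_none;
 }
+#endif
 /* once handshake has completed, check authentication */
 if (!rc->use_cert) {
 verbose(VERB_ALGO, "unauthenticated remote control connection");
- } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
+ }
+#ifdef HAVE_SSL
+ else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
 #ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
 X509* x = SSL_get1_peer_certificate(s->ssl);
 #else
@@ -3357,9 +3388,12 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
 clean_point(rc, s);
 return 0;
 }
+#endif
 /* if OK start to actually handle the request */
+#ifdef HAVE_SSL
 res.ssl = s->ssl;
+#endif
 res.fd = c->fd;
 handle_req(rc, s, &res);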
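Review bot: In daemon_remote_create (hunk @@ -211), the new `#else` branch returns NULL right after `log_err("unbound built without TLS support")` without releasing the `rc` allocated earlier in the function, while the HAVE_SSL branch beside it calls `daemon_remote_delete(rc)` before its own `return NULL`; the non-TLS branch should read `daemon_remote_delete(rc); return NULL;` so both failure paths free the same state. The caller in daemon/unbound.c treats NULL as fatal, so this is a one-shot startup leak rather than a runtime one, but the two branches should not differ. A smaller point: in ssl_print_text the `int r;` visible at the top of the hunk is now only assigned inside the `#ifdef HAVE_SSL` region, so a non-TLS build gets an unused-variable warning from -Wall; ssl_read_line and handle_req presumably declare `r` the same way, and moving the declaration inside the guarded block (or adding `(void)r;` under an `#else`) keeps those builds clean. All of these functions begin and end outside their hunks.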
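--- a/daemon/remote.h
+++ b/daemon/remote.h
@@ -174,7 +174,6 @@ void daemon_remote_start_accept(struct daemon_remote* rc);
 */
 void daemon_remote_exec(struct worker* worker);
-#ifdef HAVE_SSL
 /**
 * Print fixed line of text over ssl connection in blocking mode
 * @param ssl: print to
@@ -201,6 +200,5 @@ int ssl_printf(RES* ssl, const char* format, ...)
 * @return false on connection failure.
 */
 int ssl_read_line(RES* ssl, char* buf, size_t max);
-#endif /* HAVE_SSL */
 #endif /* DAEMON_REMOTE_H */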
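--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -60,14 +60,16 @@
 #include "util/ub_event.h"
 #include <signal.h>
 #include <fcntl.h>
+#ifdef HAVE_SSL
 #include <openssl/crypto.h>
+#include <openssl/ssl.h>
+#endif
 #ifdef HAVE_PWD_H
 #include <pwd.h>
 #endif
 #ifdef HAVE_GRP_H
 #include <grp.h>
 #endif
-#include <openssl/ssl.h>
 #ifndef S_SPLINT_S
 /* splint chokes on this system header file */
@@ -488,10 +490,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 w_config_adjust_directory(cfg);
 #endif
- /* read ssl keys while superuser and outside chroot */
-#ifdef HAVE_SSL
 if(!(daemon->rc = daemon_remote_create(cfg)))
 fatal_exit("could not set up remote-control");
+
+ /* read ssl keys while superuser and outside chroot */
+#ifdef HAVE_SSL
 if(cfg->ssl_service_key && cfg->ssl_service_key[0]) {
 if(!(daemon->listen_sslctx = listen_sslctx_create(
 cfg->ssl_service_key, cfg->ssl_service_pem, NULL)))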
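Review bot: In perform_setup (hunk @@ -488) the comment `/* read ssl keys while superuser and outside chroot */` now sits only above the listen_sslctx_create block, but the ordering constraint it documents also covers the daemon_remote_create call moved above it: in TLS builds that call reaches remote_setup_ctx in daemon/remote.c, which appears to load the control key material (its hunk frees `s_key`), so it too must run before privileges are dropped and the chroot is entered. A one-line comment above the moved call, e.g. `/* must also run as superuser and outside chroot: loads the control-key files in TLS builds */`, would keep that reason attached to both blocks. perform_setup, and the `#endif` closing the new `#ifdef HAVE_SSL`, lie outside the hunk.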
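--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -45,6 +45,7 @@
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
+#ifdef HAVE_SSL
 #ifdef HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
 #endif
@@ -54,6 +55,9 @@
 #ifdef HAVE_OPENSSL_RAND_H
 #include <openssl/rand.h>
 #endif
+#else
+typedef void *SSL;
+#endif
 #include "util/log.h"
 #include "util/config_file.h"
 #include "util/locks.h"
@@ -486,6 +490,7 @@ static void print_stats_shm(const char* cfgfile)
 #endif /* HAVE_SHMGET */
 }
+#ifdef HAVE_SSL
 /** exit with ssl error */
 static void ssl_err(const char* s)
 {
@@ -515,8 +520,6 @@ setup_ctx(struct config_file* cfg)
 char* s_cert=NULL, *c_key=NULL, *c_cert=NULL;
 SSL_CTX* ctx;
- if(!(options_remote_is_address(cfg) && cfg->control_use_cert))
- return NULL;
 s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
 c_key = fname_after_chroot(cfg->control_key_file, cfg, 1);
 c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1);
@@ -555,6 +558,7 @@ setup_ctx(struct config_file* cfg)
 free(c_cert);
 return ctx;
 }
+#endif
 /** check connect error */
 static void
@@ -723,6 +727,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
 return fd;
 }
+#ifdef HAVE_SSL
 /** setup SSL on the connection */
 static SSL*
 setup_ssl(SSL_CTX* ctx, int fd)
@@ -759,11 +764,13 @@ setup_ssl(SSL_CTX* ctx, int fd)
 return ssl;
 }
+#endif
 /** read from ssl or fd, fatalexit on error, 0 EOF, 1 success */
 static int
 remote_read(SSL* ssl, int fd, char* buf, size_t len)
 {
+#ifdef HAVE_SSL
 if(ssl) {
 int r;
 ERR_clear_error();
@@ -775,7 +782,9 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
 ssl_err("could not SSL_read");
 }
 buf[r] = 0;
- } else {
+ } else
+#endif
+ {
 ssize_t rr = recv(fd, buf, len-1, 0);
 if(rr <= 0) {
 if(rr == 0) {
@@ -793,10 +802,13 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
 static void
 remote_write(SSL* ssl, int fd, const char* buf, size_t len)
 {
+#ifdef HAVE_SSL
 if(ssl) {
 if(SSL_write(ssl, buf, (int)len) <= 0)
 ssl_err("could not SSL_write");
- } else {
+ } else
+#endif
+ {
 if(send(fd, buf, len, 0) < (ssize_t)len) {
 fatal_exit("could not send: %s", sock_strerror(errno));
 }
@@ -894,7 +906,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
 {
 struct config_file* cfg;
 int fd, ret;
+#ifdef HAVE_SSL
 SSL_CTX* ctx;
+#endif
 SSL* ssl;
 /* read config */
@@ -907,18 +921,34 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
 #ifdef UB_ON_WINDOWS
 w_config_adjust_directory(cfg);
 #endif
- ctx = setup_ctx(cfg);
+ if(options_remote_is_address(cfg) && cfg->control_use_cert) {
+#ifdef HAVE_SSL
+ ctx = setup_ctx(cfg);
+#else
+ fatal_exit("unbound built without TLS support");
+#endif
+ } else {
+#ifdef HAVE_SSL
+ ctx = NULL;
+#endif
+ }
 /* contact server */
 fd = contact_server(svr, cfg, argc>0&&strcmp(argv[0],"status")==0);
+#ifdef HAVE_SSL
 ssl = setup_ssl(ctx, fd);
+#else
+ ssl = NULL;
+#endif
 /* send command */
 ret = go_cmd(ssl, fd, quiet, argc, argv);
+#ifdef HAVE_SSL
 if(ssl) SSL_free(ssl);
- sock_close(fd);
 if(ctx) SSL_CTX_free(ctx);
+#endif
+ sock_close(fd);
 config_delete(cfg);
 return ret;
 }
@@ -997,6 +1027,7 @@ int main(int argc, char* argv[])
 fatal_exit("WSAStartup failed: %s", wsa_strerror(r));
 #endif
+#ifdef HAVE_SSL
 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
 ERR_load_crypto_strings();
 #endif
@@ -1031,6 +1062,7 @@ int main(int argc, char* argv[])
 RAND_seed(buf, 256);
 log_warn("no entropy, seeding openssl PRNG with time\n");
 }
+#endif
 ret = go(cfgfile, svr, quiet, argc, argv);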
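Review bot: In remote_read and remote_write (hunks @@ -759 and @@ -793) the `ssl` parameter is referenced only inside the new `#ifdef HAVE_SSL` region, so a non-TLS build compiles both functions with an unused parameter and -Wextra flags it; an `#else` with `(void)ssl;`, or marking the parameter with `ATTR_UNUSED` as daemon/remote.c already does, keeps that configuration warning-free. The `typedef void *SSL;` fallback added in the include hunk is what lets those signatures and the `ssl = NULL;` in go() compile without OpenSSL, and it deserves a one-line comment, e.g. `/* stand-in type so the ssl-or-fd helpers keep one signature in non-TLS builds */`, since a reader meeting `SSL*` later in the file will otherwise assume the OpenSSL type. The `#ifdef HAVE_SSL` opened in main() (hunk @@ -997) is closed in a separate hunk (@@ -1031), so the guarded region between them is not visible here and the pairing should be confirmed against the full file.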
  461. --
  462. 2.34.1