diff options
Diffstat (limited to 'contrib/unbound/smallapp')
| -rw-r--r-- | contrib/unbound/smallapp/unbound-anchor.c | 12 | ||||
| -rw-r--r-- | contrib/unbound/smallapp/unbound-checkconf.c | 51 | ||||
| -rw-r--r--[-rwxr-xr-x] | contrib/unbound/smallapp/unbound-control-setup.sh | 227 | ||||
| -rw-r--r-- | contrib/unbound/smallapp/unbound-control.c | 3 |
4 files changed, 205 insertions, 88 deletions
diff --git a/contrib/unbound/smallapp/unbound-anchor.c b/contrib/unbound/smallapp/unbound-anchor.c index 708731a09dd8..55d363da70bb 100644 --- a/contrib/unbound/smallapp/unbound-anchor.c +++ b/contrib/unbound/smallapp/unbound-anchor.c @@ -382,7 +382,7 @@ read_cert_file(const char* file) STACK_OF(X509)* sk; FILE* in; int content = 0; - char buf[128]; + long flen; if(file == NULL || strcmp(file, "") == 0) { return NULL; } @@ -399,6 +399,11 @@ read_cert_file(const char* file) #endif return NULL; } + if(fseek(in, 0, SEEK_END) < 0) + printf("%s fseek: %s\n", file, strerror(errno)); + flen = ftell(in); + if(fseek(in, 0, SEEK_SET) < 0) + printf("%s fseek: %s\n", file, strerror(errno)); while(!feof(in)) { X509* x = PEM_read_X509(in, NULL, NULL, NULL); if(x == NULL) { @@ -414,8 +419,9 @@ read_cert_file(const char* file) exit(0); } content = 1; - /* read away newline after --END CERT-- */ - if(!fgets(buf, (int)sizeof(buf), in)) + /* feof may not be true yet, but if the position is + * at end of file, stop reading more certificates. */ + if(ftell(in) == flen) break; } fclose(in); diff --git a/contrib/unbound/smallapp/unbound-checkconf.c b/contrib/unbound/smallapp/unbound-checkconf.c index 8fd821396025..b3c57fd2a52c 100644 --- a/contrib/unbound/smallapp/unbound-checkconf.c +++ b/contrib/unbound/smallapp/unbound-checkconf.c @@ -294,7 +294,8 @@ view_and_respipchecks(struct config_file* cfg) { struct views* views = NULL; struct respip_set* respip = NULL; - int ignored = 0; + int have_view_respip_cfg = 0; + int use_response_ip = 0; if(!(views = views_create())) fatal_exit("Could not create views: out of memory"); if(!(respip = respip_set_create())) @@ -303,8 +304,11 @@ view_and_respipchecks(struct config_file* cfg) fatal_exit("Could not set up views"); if(!respip_global_apply_cfg(respip, cfg)) fatal_exit("Could not setup respip set"); - if(!respip_views_apply_cfg(views, cfg, &ignored)) + if(!respip_views_apply_cfg(views, cfg, &have_view_respip_cfg)) fatal_exit("Could not setup per-view respip sets"); + use_response_ip = !respip_set_is_empty(respip) || have_view_respip_cfg; + if(use_response_ip && !strstr(cfg->module_conf, "respip")) + fatal_exit("response-ip options require respip module"); acl_view_tag_checks(cfg, views); views_delete(views); respip_set_delete(respip); @@ -450,6 +454,39 @@ ifautomaticportschecks(char* ifautomaticports) } } +/** check control interface strings */ +static void +controlinterfacechecks(struct config_file* cfg) +{ + struct config_strlist* p; + for(p = cfg->control_ifs.first; p; p = p->next) { + struct sockaddr_storage a; + socklen_t alen; + char** rcif = NULL; + int i, num_rcif = 0; + /* See if it is a local socket, starts with a '/'. */ + if(p->str && p->str[0] == '/') + continue; + if(!resolve_interface_names(&p->str, 1, NULL, &rcif, + &num_rcif)) { + fatal_exit("could not resolve interface names, for control-interface: %s", + p->str); + } + for(i=0; i<num_rcif; i++) { + if(!extstrtoaddr(rcif[i], &a, &alen, + cfg->control_port)) { + if(strcmp(p->str, rcif[i])!=0) + fatal_exit("cannot parse control-interface address '%s' from the control-interface specified as '%s'", + rcif[i], p->str); + else + fatal_exit("cannot parse control-interface specified as '%s'", + p->str); + } + } + config_del_strarray(rcif, num_rcif); + } +} + /** check acl ips */ static void aclchecks(struct config_file* cfg) @@ -636,8 +673,10 @@ check_modules_exist(const char* module_conf) } n[j] = s[j]; } - fatal_exit("module_conf lists module '%s' but that " - "module is not available.", n); + fatal_exit("Unknown value in module-config, module: " + "'%s'. This module is not present (not " + "compiled in); see the list of linked modules " + "with unbound -V", n); } s += strlen(names[i]); } @@ -926,6 +965,8 @@ morechecks(struct config_file* cfg) fatal_exit("control-cert-file: \"%s\" does not exist", cfg->control_cert_file); } + if(cfg->remote_control_enable) + controlinterfacechecks(cfg); donotquerylocalhostcheck(cfg); localzonechecks(cfg); @@ -966,6 +1007,8 @@ check_auth(struct config_file* cfg) if(!az || !auth_zones_apply_cfg(az, cfg, 0, &is_rpz, NULL, NULL)) { fatal_exit("Could not setup authority zones"); } + if(is_rpz && !strstr(cfg->module_conf, "respip")) + fatal_exit("RPZ requires the respip module"); auth_zones_delete(az); } diff --git a/contrib/unbound/smallapp/unbound-control-setup.sh b/contrib/unbound/smallapp/unbound-control-setup.sh index 3709a8c3118b..872133ccc536 100755..100644 --- a/contrib/unbound/smallapp/unbound-control-setup.sh +++ b/contrib/unbound/smallapp/unbound-control-setup.sh @@ -5,22 +5,22 @@ # Copyright (c) 2008, NLnet Labs. All rights reserved. # # This software is open source. -# +# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: -# +# # Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. -# +# # Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation # and/or other materials provided with the distribution. -# +# # Neither the name of the NLNET LABS nor the names of its contributors may # be used to endorse or promote products derived from this software without # specific prior written permission. -# +# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR @@ -57,87 +57,162 @@ SVR_BASE=unbound_server # base name for unbound-control keys CTL_BASE=unbound_control +# flag to recreate generated certificates +RECREATE=0 + # we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). umask 0027 # end of options -# functions: -error ( ) { - echo "$0 fatal error: $1" - exit 1 +set -eu + +cleanup() { + echo "removing artifacts" + + rm -rf \ + server.cnf \ + client.cnf \ + "${SVR_BASE}_trust.pem" \ + "${CTL_BASE}_trust.pem" \ + "${SVR_BASE}_trust.srl" } -# check arguments: -while test $# -ne 0; do - case $1 in - -d) - if test $# -eq 1; then error "need argument for -d"; fi - DESTDIR="$2" - shift - ;; - *) - echo "unbound-control-setup.sh - setup SSL keys for unbound-control" - echo " -d dir use directory to store keys and certificates." - echo " default: $DESTDIR" - echo "please run this command using the same user id that the " - echo "unbound daemon uses, it needs read privileges." - exit 1 - ;; - esac - shift +fatal() { + printf "fatal error: $*\n" >/dev/stderr + exit 1 +} + +usage() { + cat <<EOF +usage: $0 OPTIONS +OPTIONS +-d <dir> used directory to store keys and certificates (default: $DESTDIR) +-h show help notice +-r recreate certificates +EOF +} + +OPTIND=1 +while getopts 'd:hr' arg; do + case "$arg" in + d) DESTDIR="$OPTARG" ;; + h) usage; exit 1 ;; + r) RECREATE=1 ;; + ?) fatal "'$arg' unknown option" ;; + esac done +shift $((OPTIND - 1)) + +if ! openssl version </dev/null >/dev/null 2>&1; then + echo "$0 requires openssl to be installed for keys/certificates generation." >&2 + exit 1 +fi -# go!: echo "setup in directory $DESTDIR" -cd "$DESTDIR" || error "could not cd to $DESTDIR" - -# create certificate keys; do not recreate if they already exist. -if test -f $SVR_BASE.key; then - echo "$SVR_BASE.key exists" -else - echo "generating $SVR_BASE.key" - openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa" +cd "$DESTDIR" + +trap cleanup INT + +# === +# Generate server certificate +# === + +# generate private key; do no recreate it if they already exist. +if [ ! -f "$SVR_BASE.key" ]; then + openssl genrsa -out "$SVR_BASE.key" "$BITS" +fi + +cat >server.cnf <<EOF +[req] +default_bits=$BITS +default_md=$HASH +prompt=no +distinguished_name=req_distinguished_name +x509_extensions=v3_ca +[req_distinguished_name] +commonName=$SERVERNAME +[v3_ca] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints=critical,CA:TRUE,pathlen:0 +subjectAltName=DNS:$SERVERNAME +EOF + +[ -f server.cnf ] || fatal "cannot create openssl configuration" + +if [ ! -f "$SVR_BASE.pem" -o $RECREATE -eq 1 ]; then + openssl req \ + -new -x509 \ + -key "$SVR_BASE.key" \ + -config server.cnf \ + -days "$DAYS" \ + -out "$SVR_BASE.pem" + + [ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate" fi -if test -f $CTL_BASE.key; then - echo "$CTL_BASE.key exists" -else - echo "generating $CTL_BASE.key" - openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa" + +# === +# Generate client certificate +# === + +# generate private key; do no recreate it if they already exist. +if [ ! -f "$CTL_BASE.key" ]; then + openssl genrsa -out "$CTL_BASE.key" "$BITS" fi -# create self-signed cert for server -echo "[req]" > request.cfg -echo "default_bits=$BITS" >> request.cfg -echo "default_md=$HASH" >> request.cfg -echo "prompt=no" >> request.cfg -echo "distinguished_name=req_distinguished_name" >> request.cfg -echo "" >> request.cfg -echo "[req_distinguished_name]" >> request.cfg -echo "commonName=$SERVERNAME" >> request.cfg +cat >client.cnf <<EOF +[req] +default_bits=$BITS +default_md=$HASH +prompt=no +distinguished_name=req_distinguished_name +req_extensions=v3_req +[req_distinguished_name] +commonName=$CLIENTNAME +[v3_req] +basicConstraints=critical,CA:FALSE +subjectAltName=DNS:$CLIENTNAME +EOF + +[ -f client.cnf ] || fatal "cannot create openssl configuration" + +if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then + openssl x509 \ + -addtrust serverAuth \ + -in "$SVR_BASE.pem" \ + -out "${SVR_BASE}_trust.pem" + + openssl req \ + -new \ + -config client.cnf \ + -key "$CTL_BASE.key" \ + | openssl x509 \ + -req \ + -days "$DAYS" \ + -CA "${SVR_BASE}_trust.pem" \ + -CAkey "$SVR_BASE.key" \ + -CAcreateserial \ + -$HASH \ + -extfile client.cnf \ + -extensions v3_req \ + -out "$CTL_BASE.pem" + + [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate" +fi -test -f request.cfg || error "could not create request.cfg" +# remove unused permissions +chmod o-rw \ + "$SVR_BASE.pem" \ + "$SVR_BASE.key" +chmod g+r,o-rw \ + "$CTL_BASE.pem" \ + "$CTL_BASE.key" + +cleanup + +echo "Setup success. Certificates created. Enable in unbound.conf file to use" -echo "create $SVR_BASE.pem (self signed certificate)" -openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" -# create trusted usage pem -openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" - -# create client request and sign it, piped -echo "[req]" > request.cfg -echo "default_bits=$BITS" >> request.cfg -echo "default_md=$HASH" >> request.cfg -echo "prompt=no" >> request.cfg -echo "distinguished_name=req_distinguished_name" >> request.cfg -echo "" >> request.cfg -echo "[req_distinguished_name]" >> request.cfg -echo "commonName=$CLIENTNAME" >> request.cfg - -test -f request.cfg || error "could not create request.cfg" - -echo "create $CTL_BASE.pem (signed client certificate)" -openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem -test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" # create trusted usage pem # openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" @@ -148,13 +223,3 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" # echo "empty password is used, simply click OK on the password dialog box." # openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" -# set desired permissions -chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key - -# remove crap -rm -f request.cfg -rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl" - -echo "Setup success. Certificates created. Enable in unbound.conf file to use" - -exit 0 diff --git a/contrib/unbound/smallapp/unbound-control.c b/contrib/unbound/smallapp/unbound-control.c index cf5abe7eb29d..b7e9d98a27b9 100644 --- a/contrib/unbound/smallapp/unbound-control.c +++ b/contrib/unbound/smallapp/unbound-control.c @@ -143,6 +143,8 @@ usage(void) printf(" load_cache load cache from stdin\n"); printf(" (not supported in remote unbounds in\n"); printf(" multi-process operation)\n"); + printf(" cache_lookup [+t] <names> print rrsets and msgs at or under the names\n"); + printf(" +t allow tld and root names.\n"); printf(" lookup <name> print nameservers for name\n"); printf(" flush [+c] <name> flushes common types for name from cache\n"); printf(" types: A, AAAA, MX, PTR, NS,\n"); @@ -409,6 +411,7 @@ static void print_extended(struct ub_stats_info* s, int inhibit_zero) PR_UL("num.answer.secure", s->svr.ans_secure); PR_UL("num.answer.bogus", s->svr.ans_bogus); PR_UL("num.rrset.bogus", s->svr.rrset_bogus); + PR_UL("num.valops", s->svr.val_ops); PR_UL("num.query.aggressive.NOERROR", s->svr.num_neg_cache_noerror); PR_UL("num.query.aggressive.NXDOMAIN", s->svr.num_neg_cache_nxdomain); /* threat detection */ |