authorMichael Forney <mforney@mforney.org>2021-12-01 20:48:11 -0800
committerMichael Forney <mforney@mforney.org>2021-12-22 00:15:13 -0800
commit0e0f985268db5afae98c7f7f172064b34bdfe77c (patch)
tree9aa40662b7dd8cb7df7d9bd13bb1738de1c53020 /pkg/unbound/patch
parent8dc6169bcae4255a996f29ab59c839c559fcdc24 (diff)
Add unbound 1.14.0
Patched to use BearSSL for crypto.
Diffstat (limited to 'pkg/unbound/patch')
-rw-r--r--pkg/unbound/patch/0001-Fix-ub_random_max-preprocessor-guard.patch27
-rw-r--r--pkg/unbound/patch/0002-Add-support-for-BearSSL-crypto.patch827
-rw-r--r--pkg/unbound/patch/0003-Remove-need-for-size_t-size-check.patch89
-rw-r--r--pkg/unbound/patch/0004-Allow-building-daemon-without-TLS-support.patch499
-rw-r--r--pkg/unbound/patch/0005-Allow-building-daemon-without-remote-control.patch162
-rw-r--r--pkg/unbound/patch/0006-Remove-unintended-use-of-VLA.patch27
-rw-r--r--pkg/unbound/patch/0007-Remove-use-of-uninitialized-variable.patch24
7 files changed, 1655 insertions, 0 deletions
diff --git a/pkg/unbound/patch/0001-Fix-ub_random_max-preprocessor-guard.patch b/pkg/unbound/patch/0001-Fix-ub_random_max-preprocessor-guard.patch
new file mode 100644
index 00000000..d5ac8b35
--- /dev/null
+++ b/pkg/unbound/patch/0001-Fix-ub_random_max-preprocessor-guard.patch
@@ -0,0 +1,27 @@
+From b9f80118e406d60e0e41b2f6b2549a8502fd1886 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 12:42:54 -0800
+Subject: [PATCH] Fix ub_random_max preprocessor guard
+
+|| has lower precedence than &&, so if HAVE_NETTLE and HAVE_LIBBSD
+are both defined, ub_random_max would get defined twice.
+---
+ util/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/random.c b/util/random.c
+index 6eb102c6..f7bb0a6f 100644
+--- a/util/random.c
++++ b/util/random.c
+@@ -186,7 +186,7 @@ long int ub_random(struct ub_randstate* s)
+ #endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE */
+
+
+-#if defined(HAVE_NSS) || defined(HAVE_NETTLE) && !defined(HAVE_LIBBSD)
++#if (defined(HAVE_NSS) || defined(HAVE_NETTLE)) && !defined(HAVE_LIBBSD)
+ long int
+ ub_random_max(struct ub_randstate* state, long int x)
+ {
+--
+2.34.0
+
diff --git a/pkg/unbound/patch/0002-Add-support-for-BearSSL-crypto.patch b/pkg/unbound/patch/0002-Add-support-for-BearSSL-crypto.patch
new file mode 100644
index 00000000..dba6de7f
--- /dev/null
+++ b/pkg/unbound/patch/0002-Add-support-for-BearSSL-crypto.patch
@@ -0,0 +1,827 @@
+From ca1cd33d7a07b3344d031d9119064c2b12de8e03 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 12:42:00 -0800
+Subject: [PATCH] Add support for BearSSL crypto
+
+---
+ config.h.in | 3 +
+ configure | 50 ++++-
+ configure.ac | 43 ++++-
+ daemon/unbound.c | 2 +
+ util/configparser.c | 4 +-
+ util/configparser.y | 4 +-
+ util/random.c | 46 ++++-
+ validator/val_secalgo.c | 382 ++++++++++++++++++++++++++++++++++++++-
+ validator/val_sigcrypt.c | 2 +-
+ 9 files changed, 514 insertions(+), 22 deletions(-)
+
+diff --git a/config.h.in b/config.h.in
+index e8a26735..6b0b1c50 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -72,6 +72,9 @@
+ /* If we have be64toh */
+ #undef HAVE_BE64TOH
+
++/* Use bearssl for crypto */
++#undef HAVE_BEARSSL
++
+ /* Define to 1 if you have the `BIO_set_callback_ex' function. */
+ #undef HAVE_BIO_SET_CALLBACK_EX
+
+diff --git a/configure b/configure
+index 0e964568..9c33d22f 100755
+--- a/configure
++++ b/configure
+@@ -871,6 +871,7 @@ with_pythonmodule
+ enable_swig_version_check
+ with_nss
+ with_nettle
++with_bearssl
+ with_ssl
+ with_libbsd
+ enable_sha1
+@@ -1649,6 +1650,7 @@ Optional Packages:
+ disable script engine. (default=no)
+ --with-nss=path use libnss instead of openssl, installed at path.
+ --with-nettle=path use libnettle as crypto library, installed at path.
++ --with-bearssl=path use bearssl as crypto library, installed at path.
+ --with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl
+ /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
+ /usr or specify like /usr/include/openssl11)
+@@ -17981,11 +17983,35 @@ done
+
+
+
++fi
++
++
++# bearssl
++USE_BEARSSL="no"
++
++# Check whether --with-bearssl was given.
++if test ${with_bearssl+y}
++then :
++ withval=$with_bearssl;
++ USE_BEARSSL="yes"
++
++printf "%s\n" "#define HAVE_BEARSSL 1" >>confdefs.h
++
++ if test "$withval" != "" -a "$withval" != "yes"; then
++ CPPFLAGS="$CPPFLAGS -I$withval/include"
++ LDFLAGS="$LDFLAGS -L$withval/lib"
++ fi
++ LIBS="$LIBS -lbearssl"
++ SSLLIB=""
++ PC_CRYPTO_DEPENDENCY=""
++
++
++
+ fi
+
+
+ # openssl
+-if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+
+
+ # Check whether --with-ssl was given.
+@@ -18790,7 +18816,7 @@ if test "${enable_gost+set}" = set; then :
+ fi
+
+ use_gost="no"
+-if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ case "$enable_gost" in
+ no)
+ ;;
+@@ -18943,7 +18969,7 @@ case "$enable_ecdsa" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
+ if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
+
+@@ -19036,7 +19062,7 @@ use_dsa="no"
+ case "$enable_dsa" in
+ yes)
+ # detect if DSA is supported, and turn it off if not.
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ac_fn_c_check_func "$LINENO" "DSA_SIG_new" "ac_cv_func_DSA_SIG_new"
+ if test "x$ac_cv_func_DSA_SIG_new" = xyes; then :
+
+@@ -19080,6 +19106,9 @@ else
+ fi
+
+ else
++ if test $USE_BEARSSL = "yes"; then
++ as_fn_error $? "BearSSL does not support DSA and you used --enable-dsa." "$LINENO" 5
++ fi
+
+ cat >>confdefs.h <<_ACEOF
+ #define USE_DSA 1
+@@ -19115,7 +19144,7 @@ case "$enable_ed25519" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ac_fn_c_check_decl "$LINENO" "NID_ED25519" "ac_cv_have_decl_NID_ED25519" "$ac_includes_default
+ #include <openssl/evp.h>
+
+@@ -19139,6 +19168,9 @@ else
+ fi
+
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ as_fn_error $? "BearSSL does not support Ed25519 and you used --enable-ed25519." "$LINENO" 5
++ fi
+ if test $USE_NETTLE = "yes"; then
+ for ac_header in nettle/eddsa.h
+ do :
+@@ -19174,7 +19206,7 @@ case "$enable_ed448" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ac_fn_c_check_decl "$LINENO" "NID_ED448" "ac_cv_have_decl_NID_ED448" "$ac_includes_default
+ #include <openssl/evp.h>
+
+@@ -19198,6 +19230,9 @@ else
+ fi
+
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ as_fn_error $? "BearSSL does not support Ed448 and you used --enable-ed448." "$LINENO" 5
++ fi
+ if test $use_ed448 = "yes"; then
+
+ cat >>confdefs.h <<_ACEOF
+@@ -21744,6 +21779,9 @@ if test $ALLTARGET = "alltargets"; then
+ if test $USE_NETTLE = "yes"; then
+ as_fn_error $? "--with-nettle can only be used in combination with --with-libunbound-only." "$LINENO" 5
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ as_fn_error $? "--with-bearssl can only be used in combination with --with-libunbound-only." "$LINENO" 5
++ fi
+ fi
+
+
+diff --git a/configure.ac b/configure.ac
+index 36fdb459..9e15aee4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -835,8 +835,25 @@ AC_ARG_WITH([nettle], AS_HELP_STRING([--with-nettle=path],[use libnettle as cryp
+ ]
+ )
+
++# bearssl
++USE_BEARSSL="no"
++AC_ARG_WITH([bearssl], AS_HELP_STRING([--with-bearssl=path],[use bearssl as crypto library, installed at path.]),
++ [
++ USE_BEARSSL="yes"
++ AC_DEFINE(HAVE_BEARSSL, 1, [Use bearssl for crypto])
++ if test "$withval" != "" -a "$withval" != "yes"; then
++ CPPFLAGS="$CPPFLAGS -I$withval/include"
++ LDFLAGS="$LDFLAGS -L$withval/lib"
++ fi
++ LIBS="$LIBS -lbearssl"
++ SSLLIB=""
++ PC_CRYPTO_DEPENDENCY=""
++ AC_SUBST(PC_CRYPTO_DEPENDENCY)
++ ]
++)
++
+ # openssl
+-if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ ACX_WITH_SSL
+ ACX_LIB_SSL
+ SSLLIB="-lssl"
+@@ -1084,7 +1101,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
+
+ AC_ARG_ENABLE(gost, AS_HELP_STRING([--disable-gost],[Disable GOST support]))
+ use_gost="no"
+-if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ case "$enable_gost" in
+ no)
+ ;;
+@@ -1098,7 +1115,7 @@ case "$enable_gost" in
+ fi
+ ;;
+ esac
+-fi dnl !USE_NSS && !USE_NETTLE
++fi dnl !USE_NSS && !USE_NETTLE && !USE_BEARSSL
+
+ AC_ARG_ENABLE(ecdsa, AS_HELP_STRING([--disable-ecdsa],[Disable ECDSA support]))
+ use_ecdsa="no"
+@@ -1106,7 +1123,7 @@ case "$enable_ecdsa" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
+ AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
+ AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
+@@ -1137,7 +1154,7 @@ use_dsa="no"
+ case "$enable_dsa" in
+ yes)
+ # detect if DSA is supported, and turn it off if not.
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ AC_CHECK_FUNC(DSA_SIG_new, [
+ AC_CHECK_TYPE(DSA_SIG*, [
+ AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+@@ -1163,6 +1180,9 @@ AC_INCLUDES_DEFAULT
+ ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
+ fi ])
+ else
++ if test $USE_BEARSSL = "yes"; then
++ AC_MSG_ERROR([BearSSL does not support DSA and you used --enable-dsa.])
++ fi
+ AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+ fi
+ ;;
+@@ -1183,7 +1203,7 @@ case "$enable_ed25519" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ AC_CHECK_DECLS([NID_ED25519], [
+ use_ed25519="yes"
+ ], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
+@@ -1191,6 +1211,9 @@ case "$enable_ed25519" in
+ #include <openssl/evp.h>
+ ])
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ AC_MSG_ERROR([BearSSL does not support Ed25519 and you used --enable-ed25519.])
++ fi
+ if test $USE_NETTLE = "yes"; then
+ AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes",, [AC_INCLUDES_DEFAULT])
+ fi
+@@ -1206,7 +1229,7 @@ case "$enable_ed448" in
+ no)
+ ;;
+ *)
+- if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
++ if test $USE_NSS = "no" -a $USE_NETTLE = "no" -a $USE_BEARSSL = "no"; then
+ AC_CHECK_DECLS([NID_ED448], [
+ use_ed448="yes"
+ ], [ if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED448 and you used --enable-ed448.])
+@@ -1214,6 +1237,9 @@ case "$enable_ed448" in
+ #include <openssl/evp.h>
+ ])
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ AC_MSG_ERROR([BearSSL does not support Ed448 and you used --enable-ed448.])
++ fi
+ if test $use_ed448 = "yes"; then
+ AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.])
+ fi
+@@ -1937,6 +1963,9 @@ if test $ALLTARGET = "alltargets"; then
+ if test $USE_NETTLE = "yes"; then
+ AC_MSG_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])
+ fi
++ if test $USE_BEARSSL = "yes"; then
++ AC_MSG_ERROR([--with-bearssl can only be used in combination with --with-libunbound-only.])
++ fi
+ fi
+
+ AC_SUBST(ALLTARGET)
+diff --git a/daemon/unbound.c b/daemon/unbound.c
+index 457a0803..1a31bb3e 100644
+--- a/daemon/unbound.c
++++ b/daemon/unbound.c
+@@ -121,6 +121,8 @@ print_build_options(void)
+ NSS_GetVersion()
+ #elif defined(HAVE_NETTLE)
+ "nettle"
++#elif defined(HAVE_BEARSSL)
++ "bearssl"
+ #endif
+ );
+ printf("Linked modules:");
+diff --git a/util/configparser.c b/util/configparser.c
+index 2f155650..f2749753 100644
+--- a/util/configparser.c
++++ b/util/configparser.c
+@@ -5649,7 +5649,7 @@ yyreduce:
+ OUTYY(("P(server_fake_dsa:%s)\n", (yyvsp[0].str)));
+ if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
+ yyerror("expected yes or no.");
+-#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
++#if defined(HAVE_SSL) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)
+ else fake_dsa = (strcmp((yyvsp[0].str), "yes")==0);
+ if(fake_dsa)
+ log_warn("test option fake_dsa is enabled");
+@@ -5665,7 +5665,7 @@ yyreduce:
+ OUTYY(("P(server_fake_sha1:%s)\n", (yyvsp[0].str)));
+ if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
+ yyerror("expected yes or no.");
+-#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
++#if defined(HAVE_SSL) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)
+ else fake_sha1 = (strcmp((yyvsp[0].str), "yes")==0);
+ if(fake_sha1)
+ log_warn("test option fake_sha1 is enabled");
+diff --git a/util/configparser.y b/util/configparser.y
+index 1daf853d..844c175e 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -2028,7 +2028,7 @@ server_fake_dsa: VAR_FAKE_DSA STRING_ARG
+ OUTYY(("P(server_fake_dsa:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+-#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
++#if defined(HAVE_SSL) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)
+ else fake_dsa = (strcmp($2, "yes")==0);
+ if(fake_dsa)
+ log_warn("test option fake_dsa is enabled");
+@@ -2041,7 +2041,7 @@ server_fake_sha1: VAR_FAKE_SHA1 STRING_ARG
+ OUTYY(("P(server_fake_sha1:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+-#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
++#if defined(HAVE_SSL) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)
+ else fake_sha1 = (strcmp($2, "yes")==0);
+ if(fake_sha1)
+ log_warn("test option fake_sha1 is enabled");
+diff --git a/util/random.c b/util/random.c
+index f7bb0a6f..6bce2f62 100644
+--- a/util/random.c
++++ b/util/random.c
+@@ -183,10 +183,52 @@ long int ub_random(struct ub_randstate* s)
+ }
+ return x & MAX_VALUE;
+ }
+-#endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE */
+
++#elif defined(HAVE_BEARSSL)
+
+-#if (defined(HAVE_NSS) || defined(HAVE_NETTLE)) && !defined(HAVE_LIBBSD)
++#include <bearssl.h>
++
++struct ub_randstate {
++ br_hmac_drbg_context ctx;
++ int seeded;
++};
++
++struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
++{
++ struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
++ unsigned char buf[32];
++ if(!s) {
++ log_err("malloc failure in random init");
++ return NULL;
++ }
++ if(getentropy(buf, sizeof(buf)) == 0) {
++ /* got entropy */
++ br_hmac_drbg_init(&s->ctx, &br_sha256_vtable, buf, sizeof(buf));
++ s->seeded = 1;
++ } else {
++ log_err("bearssl random(hmac-drbg) cannot initialize, "
++ "getentropy failed: %s", strerror(errno));
++ free(s);
++ return NULL;
++ }
++
++ return s;
++}
++
++long int ub_random(struct ub_randstate* s)
++{
++ unsigned long x = 0;
++ if (!s || !s->seeded) {
++ log_err("couldn't generate randomness, hmac-drbg generator not yet seeded");
++ } else {
++ br_hmac_drbg_generate(&s->ctx, (unsigned char *)&x, sizeof(x));
++ }
++ return x & MAX_VALUE;
++}
++
++#endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE or HAVE_BEARSSL */
++
++#if (defined(HAVE_NSS) || defined(HAVE_NETTLE) || defined(HAVE_BEARSSL)) && !defined(HAVE_LIBBSD)
+ long int
+ ub_random_max(struct ub_randstate* state, long int x)
+ {
+diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
+index 7abf66f0..aa20b57b 100644
+--- a/validator/val_secalgo.c
++++ b/validator/val_secalgo.c
+@@ -50,7 +50,7 @@
+ #include "sldns/keyraw.h"
+ #include "sldns/sbuffer.h"
+
+-#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
++#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) && !defined(HAVE_BEARSSL)
+ #error "Need crypto library to do digital signature cryptography"
+ #endif
+
+@@ -2067,4 +2067,382 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
+ }
+ }
+
+-#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
++#elif defined(HAVE_BEARSSL)
++
++#include <bearssl.h>
++
++/* return size of digest if supported, or 0 otherwise */
++size_t
++nsec3_hash_algo_size_supported(int id)
++{
++ switch(id) {
++ case NSEC3_HASH_SHA1:
++ return br_sha1_SIZE;
++ default:
++ return 0;
++ }
++}
++
++/* perform nsec3 hash. return false on failure */
++int
++secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
++ unsigned char* res)
++{
++ br_hash_compat_context ctx;
++
++ switch(algo) {
++ case NSEC3_HASH_SHA1:
++ br_sha1_init(&ctx.sha1);
++ br_sha1_update(&ctx.sha1, buf, len);
++ br_sha1_out(&ctx.sha1, res);
++ return 1;
++ default:
++ return 0;
++ }
++}
++
++void
++secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
++{
++ br_sha256_context ctx;
++
++ br_sha256_init(&ctx);
++ br_sha256_update(&ctx, buf, len);
++ br_sha256_out(&ctx, res);
++}
++
++/** hash structure for keeping track of running hashes */
++struct secalgo_hash {
++ br_hash_compat_context ctx;
++};
++
++/** create secalgo hash with hash type */
++static struct secalgo_hash* secalgo_hash_create(const br_hash_class *vtable)
++{
++ struct secalgo_hash* h;
++ h = calloc(1, sizeof(*h));
++ if(!h)
++ return NULL;
++ vtable->init(&h->ctx.vtable);
++ return h;
++}
++
++struct secalgo_hash* secalgo_hash_create_sha384(void)
++{
++ return secalgo_hash_create(&br_sha384_vtable);
++}
++
++struct secalgo_hash* secalgo_hash_create_sha512(void)
++{
++ return secalgo_hash_create(&br_sha512_vtable);
++}
++
++int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
++{
++ hash->ctx.vtable->update(&hash->ctx.vtable, data, len);
++ return 1;
++}
++
++int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
++ size_t maxlen, size_t* resultlen)
++{
++ size_t len;
++
++ hash->ctx.vtable->out(&hash->ctx.vtable, result);
++ len = hash->ctx.vtable->desc >> BR_HASHDESC_OUT_OFF & BR_HASHDESC_OUT_MASK;
++ if(len > maxlen) {
++ *resultlen = 0;
++ log_err("secalgo_hash_final: hash buffer too small");
++ return 0;
++ }
++ hash->ctx.vtable->out(&hash->ctx.vtable, result);
++ *resultlen = len;
++ return 1;
++}
++
++void secalgo_hash_delete(struct secalgo_hash* hash)
++{
++ if(!hash) return;
++ free(hash);
++}
++
++size_t
++ds_digest_size_supported(int algo)
++{
++ switch(algo) {
++ case LDNS_SHA1:
++#ifdef USE_SHA1
++ return br_sha1_SIZE;
++#else
++ if(fake_sha1) return 20;
++ return 0;
++#endif
++#ifdef USE_SHA2
++ case LDNS_SHA256:
++ return br_sha256_SIZE;
++#endif
++#ifdef USE_ECDSA
++ case LDNS_SHA384:
++ return br_sha384_SIZE;
++#endif
++ }
++ return 0;
++}
++
++int
++secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
++ unsigned char* res)
++{
++ br_hash_compat_context ctx;
++
++ switch(algo) {
++#ifdef USE_SHA1
++ case LDNS_SHA1:
++ br_sha1_init(&ctx.sha1);
++ br_sha1_update(&ctx.sha1, buf, len);
++ br_sha1_out(&ctx.sha1, res);
++ return 1;
++#endif
++#ifdef USE_SHA2
++ case LDNS_SHA256:
++ br_sha256_init(&ctx.sha256);
++ br_sha256_update(&ctx.sha256, buf, len);
++ br_sha256_out(&ctx.sha256, res);
++ return 1;
++#endif
++#ifdef USE_ECDSA
++ case LDNS_SHA384:
++ br_sha384_init(&ctx.sha384);
++ br_sha384_update(&ctx.sha384, buf, len);
++ br_sha384_out(&ctx.sha384, res);
++ return 1;
++#endif
++ default:
++ verbose(VERB_QUERY, "unknown DS digest algorithm %d", algo);
++ break;
++ }
++ return 0;
++}
++
++int
++dnskey_algo_id_is_supported(int id)
++{
++ switch(id) {
++ case LDNS_DSA:
++ case LDNS_DSA_NSEC3:
++ if(fake_dsa || fake_sha1) return 1;
++ return 0;
++ case LDNS_RSASHA1:
++ case LDNS_RSASHA1_NSEC3:
++#ifdef USE_SHA1
++ return 1;
++#else
++ if(fake_sha1) return 1;
++ return 0;
++#endif
++#ifdef USE_SHA2
++ case LDNS_RSASHA256:
++ case LDNS_RSASHA512:
++#endif
++#ifdef USE_ECDSA
++ case LDNS_ECDSAP256SHA256:
++ case LDNS_ECDSAP384SHA384:
++#endif
++#if defined(USE_SHA1) || defined(USE_SHA2)
++ return 1;
++#endif
++
++ default:
++ return 0;
++ }
++}
++
++#if defined(USE_SHA1) || defined(USE_SHA2)
++static char *
++_verify_bearssl_rsa(sldns_buffer* buf, const unsigned char* hash,
++ size_t hashlen, const unsigned char* oid, const unsigned char* sig,
++ size_t siglen, unsigned char* key, size_t keylen)
++{
++ br_rsa_public_key pubkey;
++ unsigned char sighash[64];
++
++ /* RSA pubkey parsing as per RFC 3110 sec. 2 */
++ if(keylen <= 1) {
++ return "null RSA key";
++ }
++ if (key[0] != 0) {
++ /* 1-byte length */
++ pubkey.e = key + 1;
++ pubkey.elen = key[0];
++ } else {
++ /* 1-byte NUL + 2-bytes exponent length */
++ if (keylen < 3) {
++ return "incorrect RSA key length";
++ }
++ pubkey.e = key + 3;
++ pubkey.elen = (unsigned)key[1] << 8 | (unsigned)key[2];
++ if (pubkey.elen == 0)
++ return "null RSA exponent length";
++ }
++ /* Check that we are not over-running input length */
++ if (keylen < (pubkey.e - key) + pubkey.elen + 1) {
++ return "RSA key content shorter than expected";
++ }
++ pubkey.n = pubkey.e + pubkey.elen;
++ pubkey.nlen = keylen - (pubkey.n - key);
++
++ if (br_rsa_pkcs1_vrfy_get_default()(sig, siglen, oid, hashlen, &pubkey,
++ sighash) != 1 || memcmp(hash, sighash, hashlen) != 0) {
++ return "RSA signature verification failed";
++ } else {
++ return NULL;
++ }
++}
++#endif
++
++#ifdef USE_ECDSA
++static char *
++_verify_bearssl_ecdsa(sldns_buffer* buf, int algo, const unsigned char* hash,
++ size_t hashlen, const unsigned char* sig, size_t siglen,
++ unsigned char* key, size_t keylen)
++{
++ br_ec_public_key pubkey;
++ unsigned char q[97];
++
++ /* uncompressed point format */
++ q[0] = 4;
++ switch(algo) {
++ case LDNS_ECDSAP256SHA256:
++ pubkey.curve = BR_EC_secp256r1;
++ if (keylen != 64) {
++ return "incorrect ECDSA P-256 key length";
++ }
++ memcpy(q + 1, key, 64);
++ break;
++ case LDNS_ECDSAP384SHA384:
++ pubkey.curve = BR_EC_secp384r1;
++ if (keylen != 96) {
++ return "incorrect ECDSA P-384 key length";
++ }
++ memcpy(q + 1, key, 96);
++ break;
++ default:
++ return "unsupported ECDSA algorithm";
++ }
++ pubkey.q = q;
++ pubkey.qlen = 1 + keylen;
++
++ if (br_ecdsa_vrfy_raw_get_default()(br_ec_get_default(), hash, hashlen,
++ &pubkey, sig, siglen) != 1) {
++ return "ECDSA signature verification failed";
++ } else {
++ return NULL;
++ }
++}
++#endif
++
++/**
++ * Check a canonical sig+rrset and signature against a dnskey
++ * @param buf: buffer with data to verify, the first rrsig part and the
++ * canonicalized rrset.
++ * @param algo: DNSKEY algorithm.
++ * @param sigblock: signature rdata field from RRSIG
++ * @param sigblock_len: length of sigblock data.
++ * @param key: public key data from DNSKEY RR.
++ * @param keylen: length of keydata.
++ * @param reason: bogus reason in more detail.
++ * @return secure if verification succeeded, bogus on crypto failure,
++ * unchecked on format errors and alloc failures.
++ */
++enum sec_status
++verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sig,
++ unsigned int siglen, unsigned char* key, unsigned int keylen,
++ char** reason)
++{
++ br_hash_compat_context ctx;
++ const unsigned char *oid;
++ unsigned char hash[64];
++ size_t hashlen;
++
++ if (siglen == 0 || keylen == 0) {
++ *reason = "null signature";
++ return sec_status_bogus;
++ }
++
++#ifndef USE_DSA
++ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && (fake_dsa || fake_sha1))
++ return sec_status_secure;
++#endif
++#ifndef USE_SHA1
++ if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
++ return sec_status_secure;
++#endif
++
++ switch(algo) {
++#ifdef USE_SHA1
++ case LDNS_RSASHA1:
++ case LDNS_RSASHA1_NSEC3:
++ ctx.vtable = &br_sha1_vtable;
++ oid = BR_HASH_OID_SHA1;
++ break;
++#endif
++#ifdef USE_SHA2
++ case LDNS_RSASHA256:
++ ctx.vtable = &br_sha256_vtable;
++ oid = BR_HASH_OID_SHA256;
++ break;
++ case LDNS_RSASHA512:
++ ctx.vtable = &br_sha512_vtable;
++ oid = BR_HASH_OID_SHA512;
++ break;
++#endif
++#ifdef USE_ECDSA
++ case LDNS_ECDSAP256SHA256:
++ ctx.vtable = &br_sha256_vtable;
++ break;
++ case LDNS_ECDSAP384SHA384:
++ ctx.vtable = &br_sha384_vtable;
++ break;
++#endif
++ default:
++ *reason = "unable to verify signature, unknown algorithm";
++ return sec_status_bogus;
++ }
++
++ ctx.vtable->init(&ctx.vtable);
++ ctx.vtable->update(&ctx.vtable, sldns_buffer_begin(buf), sldns_buffer_limit(buf));
++ ctx.vtable->out(&ctx.vtable, hash);
++ hashlen = ctx.vtable->desc >> BR_HASHDESC_OUT_OFF & BR_HASHDESC_OUT_MASK;
++
++ switch(algo) {
++#if defined(USE_SHA1) || defined(USE_SHA2)
++#ifdef USE_SHA1
++ case LDNS_RSASHA1:
++ case LDNS_RSASHA1_NSEC3:
++#endif
++#ifdef USE_SHA2
++ case LDNS_RSASHA256:
++ case LDNS_RSASHA512:
++#endif
++ *reason = _verify_bearssl_rsa(buf, hash, hashlen, oid, sig,
++ siglen, key, keylen);
++ break;
++#endif
++#ifdef USE_ECDSA
++ case LDNS_ECDSAP256SHA256:
++ case LDNS_ECDSAP384SHA384:
++ *reason = _verify_bearssl_ecdsa(buf, algo, hash, hashlen,
++ sig, siglen, key, keylen);
++ break;
++#endif
++ default:
++ *reason = "unable to verify signature, unknown algorithm";
++ }
++ if (*reason != NULL) {
++ return sec_status_bogus;
++ } else {
++ return sec_status_secure;
++ }
++}
++
++#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE or HAVE_BEARSSL */
+diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
+index b15fba3f..2ffe73b8 100644
+--- a/validator/val_sigcrypt.c
++++ b/validator/val_sigcrypt.c
+@@ -58,7 +58,7 @@
+ #include "sldns/wire2str.h"
+
+ #include <ctype.h>
+-#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
++#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) && !defined(HAVE_BEARSSL)
+ #error "Need crypto library to do digital signature cryptography"
+ #endif
+
+--
+2.34.1
+
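Review bot: `secalgo_hash_final` in the new BearSSL section of validator/val_secalgo.c writes the digest into `result` before it checks `maxlen`: the first `hash->ctx.vtable->out(&hash->ctx.vtable, result);` runs unconditionally, so a caller whose buffer is shorter than the digest (up to 64 bytes for the SHA-512 context created by `secalgo_hash_create_sha512`) is overrun before the `len > maxlen` branch can refuse it, and `out` is then called a second time after the check. Dropping that first call is the whole fix, so the function computes `len` from `desc`, compares it with `maxlen`, and only then calls `out` once; the second call is otherwise harmless as far as the BearSSL API describes `out` as not modifying the context, but the premature write is not. Separately, the BearSSL `ub_initstate` in util/random.c calls `getentropy` without a visible include for it (`<unistd.h>` or `<sys/random.h>` depending on platform); if the file does not already pull that in outside this hunk, the call is an implicit declaration, and the `seeded` member is always 1 on every path that returns a non-NULL state, so it could be dropped. Also worth noting that the configure changes add `-lbearssl` to `LIBS` with no header or library probe, unlike the nettle path, so a missing library surfaces only at link time.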
diff --git a/pkg/unbound/patch/0003-Remove-need-for-size_t-size-check.patch b/pkg/unbound/patch/0003-Remove-need-for-size_t-size-check.patch
new file mode 100644
index 00000000..c2e3e9e5
--- /dev/null
+++ b/pkg/unbound/patch/0003-Remove-need-for-size_t-size-check.patch
@@ -0,0 +1,89 @@
+From a7120321640d03c0ec7444719366bec99add6542 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 16:05:33 -0800
+Subject: [PATCH] Remove need for size_t size check
+
+---
+ configure | 33 ---------------------------------
+ configure.ac | 1 -
+ util/regional.c | 8 +-------
+ 3 files changed, 1 insertion(+), 41 deletions(-)
+
+diff --git a/configure b/configure
+index 9c33d22f..8b012048 100755
+--- a/configure
++++ b/configure
+@@ -15163,39 +15163,6 @@ cat >>confdefs.h <<_ACEOF
+ _ACEOF
+
+
+-# The cast to long int works around a bug in the HP C Compiler
+-# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+-# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+-# This bug is HP SR number 8606223364.
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5
+-$as_echo_n "checking size of size_t... " >&6; }
+-if ${ac_cv_sizeof_size_t+:} false; then :
+- $as_echo_n "(cached) " >&6
+-else
+- if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default"; then :
+-
+-else
+- if test "$ac_cv_type_size_t" = yes; then
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+-as_fn_error 77 "cannot compute sizeof (size_t)
+-See \`config.log' for more details" "$LINENO" 5; }
+- else
+- ac_cv_sizeof_size_t=0
+- fi
+-fi
+-
+-fi
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5
+-$as_echo "$ac_cv_sizeof_size_t" >&6; }
+-
+-
+-
+-cat >>confdefs.h <<_ACEOF
+-#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t
+-_ACEOF
+-
+-
+
+ # add option to disable the evil rpath
+
+diff --git a/configure.ac b/configure.ac
+index 9e15aee4..750e9bfd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -448,7 +448,6 @@ AC_INCLUDES_DEFAULT
+ # endif
+ #endif
+ ])
+-AC_CHECK_SIZEOF(size_t)
+
+ # add option to disable the evil rpath
+ ACX_ARG_RPATH
+diff --git a/util/regional.c b/util/regional.c
+index 93e911c5..1c6629c3 100644
+--- a/util/regional.c
++++ b/util/regional.c
+@@ -146,13 +146,7 @@ regional_alloc(struct regional *r, size_t size)
+ {
+ size_t a;
+ void *s;
+- if(
+-#if SIZEOF_SIZE_T == 8
+- (unsigned long long)size >= 0xffffffffffffff00ULL
+-#else
+- (unsigned)size >= (unsigned)0xffffff00UL
+-#endif
+- )
++ if(size >= (size_t)-0x100)
+ return NULL; /* protect against integer overflow in
+ malloc and ALIGN_UP */
+ a = ALIGN_UP(size, ALIGNMENT);
+--
+2.34.1
+
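Review bot: The new guard `if(size >= (size_t)-0x100)` in `regional_alloc` is correct for any `size_t` width (unsigned conversion makes it `SIZE_MAX - 0xff`, matching the two per-width constants it replaces), but the literal reads as a negative number until the reader recalls that rule, and the existing comment on the next line only says it guards overflow in malloc and ALIGN_UP. A short comment on the line would keep the intent visible: `if(size >= (size_t)-0x100) /* i.e. SIZE_MAX - 0xff, room for ALIGN_UP */`, or spell it as `SIZE_MAX - 0xff` if `<stdint.h>` is already in scope in this file, which the hunk does not show.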
diff --git a/pkg/unbound/patch/0004-Allow-building-daemon-without-TLS-support.patch b/pkg/unbound/patch/0004-Allow-building-daemon-without-TLS-support.patch
new file mode 100644
index 00000000..6266929a
--- /dev/null
+++ b/pkg/unbound/patch/0004-Allow-building-daemon-without-TLS-support.patch
@@ -0,0 +1,499 @@
+From b69e788f3c4b8c3dbdb8d272630fe0616f43406f Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 13:57:48 -0800
+Subject: [PATCH] Allow building daemon without TLS support
+
+---
+ configure | 11 ---------
+ configure.ac | 11 ---------
+ daemon/cachedump.c | 2 ++
+ daemon/remote.c | 46 +++++++++++++++++++++++++++++++++-----
+ daemon/remote.h | 2 --
+ daemon/unbound.c | 9 +++++---
+ smallapp/unbound-control.c | 44 +++++++++++++++++++++++++++++++-----
+ 7 files changed, 86 insertions(+), 39 deletions(-)
+
+diff --git a/configure b/configure
+index 8b012048..f2ea348e 100755
+--- a/configure
++++ b/configure
+@@ -21739,17 +21739,6 @@ if test "${with_libunbound_only+set}" = set; then :
+
+ fi
+
+-if test $ALLTARGET = "alltargets"; then
+- if test $USE_NSS = "yes"; then
+- as_fn_error $? "--with-nss can only be used in combination with --with-libunbound-only." "$LINENO" 5
+- fi
+- if test $USE_NETTLE = "yes"; then
+- as_fn_error $? "--with-nettle can only be used in combination with --with-libunbound-only." "$LINENO" 5
+- fi
+- if test $USE_BEARSSL = "yes"; then
+- as_fn_error $? "--with-bearssl can only be used in combination with --with-libunbound-only." "$LINENO" 5
+- fi
+-fi
+
+
+
+diff --git a/configure.ac b/configure.ac
+index 750e9bfd..de6468c8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1955,17 +1955,6 @@ AC_ARG_WITH(libunbound-only, AS_HELP_STRING([--with-libunbound-only],[do not bui
+ INSTALLTARGET="install-lib"
+ fi
+ ])
+-if test $ALLTARGET = "alltargets"; then
+- if test $USE_NSS = "yes"; then
+- AC_MSG_ERROR([--with-nss can only be used in combination with --with-libunbound-only.])
+- fi
+- if test $USE_NETTLE = "yes"; then
+- AC_MSG_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])
+- fi
+- if test $USE_BEARSSL = "yes"; then
+- AC_MSG_ERROR([--with-bearssl can only be used in combination with --with-libunbound-only.])
+- fi
+-fi
+
+ AC_SUBST(ALLTARGET)
+ AC_SUBST(INSTALLTARGET)
+diff --git a/daemon/cachedump.c b/daemon/cachedump.c
+index b1ce53b5..b5636ca7 100644
+--- a/daemon/cachedump.c
++++ b/daemon/cachedump.c
+@@ -40,7 +40,9 @@
+ * to text format.
+ */
+ #include "config.h"
++#ifdef HAVE_SSL
+ #include <openssl/ssl.h>
++#endif
+ #include "daemon/cachedump.h"
+ #include "daemon/remote.h"
+ #include "daemon/worker.h"
+diff --git a/daemon/remote.c b/daemon/remote.c
+index adf03838..94ab5603 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -149,6 +149,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
+ #endif
+ }
+
++#ifdef HAVE_SSL
+ static int
+ remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
+ {
+@@ -199,6 +200,7 @@ remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
+ free(s_key);
+ return 1;
+ }
++#endif
+
+ struct daemon_remote*
+ daemon_remote_create(struct config_file* cfg)
+@@ -211,19 +213,25 @@ daemon_remote_create(struct config_file* cfg)
+ }
+ rc->max_active = 10;
+
++#ifdef HAVE_SSL
++ rc->ctx = NULL;
++#endif
+ if(!cfg->remote_control_enable) {
+- rc->ctx = NULL;
+ return rc;
+ }
+ if(options_remote_is_address(cfg) && cfg->control_use_cert) {
++#ifdef HAVE_SSL
+ if(!remote_setup_ctx(rc, cfg)) {
+ daemon_remote_delete(rc);
+ return NULL;
+ }
+ rc->use_cert = 1;
++#else
++ log_err("unbound built without TLS support");
++ return NULL;
++#endif
+ } else {
+ struct config_strlist* p;
+- rc->ctx = NULL;
+ rc->use_cert = 0;
+ if(!options_remote_is_address(cfg))
+ for(p = cfg->control_ifs.first; p; p = p->next) {
+@@ -245,8 +253,10 @@ void daemon_remote_clear(struct daemon_remote* rc)
+ p = rc->busy_list;
+ while(p) {
+ np = p->next;
++#ifdef HAVE_SSL
+ if(p->ssl)
+ SSL_free(p->ssl);
++#endif
+ comm_point_delete(p->c);
+ free(p);
+ p = np;
+@@ -260,9 +270,11 @@ void daemon_remote_delete(struct daemon_remote* rc)
+ {
+ if(!rc) return;
+ daemon_remote_clear(rc);
++#ifdef HAVE_SSL
+ if(rc->ctx) {
+ SSL_CTX_free(rc->ctx);
+ }
++#endif
+ free(rc);
+ }
+
+@@ -496,6 +508,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
+ comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT);
+ memcpy(&n->c->repinfo.addr, &addr, addrlen);
+ n->c->repinfo.addrlen = addrlen;
++#ifdef HAVE_SSL
+ if(rc->use_cert) {
+ n->shake_state = rc_hs_read;
+ n->ssl = SSL_new(rc->ctx);
+@@ -517,6 +530,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
+ } else {
+ n->ssl = NULL;
+ }
++#endif
+
+ n->rc = rc;
+ n->next = rc->busy_list;
+@@ -548,10 +562,12 @@ clean_point(struct daemon_remote* rc, struct rc_state* s)
+ {
+ state_list_remove_elem(&rc->busy_list, s->c);
+ rc->active --;
++#ifdef HAVE_SSL
+ if(s->ssl) {
+ SSL_shutdown(s->ssl);
+ SSL_free(s->ssl);
+ }
++#endif
+ comm_point_delete(s->c);
+ free(s);
+ }
+@@ -562,6 +578,7 @@ ssl_print_text(RES* res, const char* text)
+ int r;
+ if(!res)
+ return 0;
++#ifdef HAVE_SSL
+ if(res->ssl) {
+ ERR_clear_error();
+ if((r=SSL_write(res->ssl, text, (int)strlen(text))) <= 0) {
+@@ -573,7 +590,9 @@ ssl_print_text(RES* res, const char* text)
+ log_crypto_err("could not SSL_write");
+ return 0;
+ }
+- } else {
++ } else
++#endif
++ {
+ size_t at = 0;
+ while(at < strlen(text)) {
+ ssize_t r = send(res->fd, text+at, strlen(text)-at, 0);
+@@ -618,6 +637,7 @@ ssl_read_line(RES* res, char* buf, size_t max)
+ if(!res)
+ return 0;
+ while(len < max) {
++#ifdef HAVE_SSL
+ if(res->ssl) {
+ ERR_clear_error();
+ if((r=SSL_read(res->ssl, buf+len, 1)) <= 0) {
+@@ -628,7 +648,9 @@ ssl_read_line(RES* res, char* buf, size_t max)
+ log_crypto_err("could not SSL_read");
+ return 0;
+ }
+- } else {
++ } else
++#endif
++ {
+ while(1) {
+ ssize_t rr = recv(res->fd, buf+len, 1, 0);
+ if(rr <= 0) {
+@@ -3232,6 +3254,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
+ fd_set_block(s->c->fd);
+
+ /* try to read magic UBCT[version]_space_ string */
++#ifdef HAVE_SSL
+ if(res->ssl) {
+ ERR_clear_error();
+ if((r=SSL_read(res->ssl, magic, (int)sizeof(magic)-1)) <= 0) {
+@@ -3240,7 +3263,9 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
+ log_crypto_err("could not SSL_read");
+ return;
+ }
+- } else {
++ } else
++#endif
++ {
+ while(1) {
+ ssize_t rr = recv(res->fd, magic, sizeof(magic)-1, 0);
+ if(rr <= 0) {
+@@ -3278,6 +3303,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
+ execute_cmd(rc, res, buf, rc->worker);
+ }
+
++#ifdef HAVE_SSL
+ /** handle SSL_do_handshake changes to the file descriptor to wait for later */
+ static int
+ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
+@@ -3309,6 +3335,7 @@ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
+ }
+ return 0;
+ }
++#endif
+
+ int remote_control_callback(struct comm_point* c, void* arg, int err,
+ struct comm_reply* ATTR_UNUSED(rep))
+@@ -3323,6 +3350,7 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
+ clean_point(rc, s);
+ return 0;
+ }
++#ifdef HAVE_SSL
+ if(s->ssl) {
+ /* (continue to) setup the SSL connection */
+ ERR_clear_error();
+@@ -3333,11 +3361,14 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
+ }
+ s->shake_state = rc_none;
+ }
++#endif
+
+ /* once handshake has completed, check authentication */
+ if (!rc->use_cert) {
+ verbose(VERB_ALGO, "unauthenticated remote control connection");
+- } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
++ }
++#ifdef HAVE_SSL
++ else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
+ #ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+ X509* x = SSL_get1_peer_certificate(s->ssl);
+ #else
+@@ -3357,9 +3388,12 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
+ clean_point(rc, s);
+ return 0;
+ }
++#endif
+
+ /* if OK start to actually handle the request */
++#ifdef HAVE_SSL
+ res.ssl = s->ssl;
++#endif
+ res.fd = c->fd;
+ handle_req(rc, s, &res);
+
+diff --git a/daemon/remote.h b/daemon/remote.h
+index 217ea21e..e2972779 100644
+--- a/daemon/remote.h
++++ b/daemon/remote.h
+@@ -174,7 +174,6 @@ void daemon_remote_start_accept(struct daemon_remote* rc);
+ */
+ void daemon_remote_exec(struct worker* worker);
+
+-#ifdef HAVE_SSL
+ /**
+ * Print fixed line of text over ssl connection in blocking mode
+ * @param ssl: print to
+@@ -201,6 +200,5 @@ int ssl_printf(RES* ssl, const char* format, ...)
+ * @return false on connection failure.
+ */
+ int ssl_read_line(RES* ssl, char* buf, size_t max);
+-#endif /* HAVE_SSL */
+
+ #endif /* DAEMON_REMOTE_H */
+diff --git a/daemon/unbound.c b/daemon/unbound.c
+index 1a31bb3e..2baf4dba 100644
+--- a/daemon/unbound.c
++++ b/daemon/unbound.c
+@@ -60,14 +60,16 @@
+ #include "util/ub_event.h"
+ #include <signal.h>
+ #include <fcntl.h>
++#ifdef HAVE_SSL
+ #include <openssl/crypto.h>
++#include <openssl/ssl.h>
++#endif
+ #ifdef HAVE_PWD_H
+ #include <pwd.h>
+ #endif
+ #ifdef HAVE_GRP_H
+ #include <grp.h>
+ #endif
+-#include <openssl/ssl.h>
+
+ #ifndef S_SPLINT_S
+ /* splint chokes on this system header file */
+@@ -488,10 +490,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
+ w_config_adjust_directory(cfg);
+ #endif
+
+- /* read ssl keys while superuser and outside chroot */
+-#ifdef HAVE_SSL
+ if(!(daemon->rc = daemon_remote_create(cfg)))
+ fatal_exit("could not set up remote-control");
++
++ /* read ssl keys while superuser and outside chroot */
++#ifdef HAVE_SSL
+ if(cfg->ssl_service_key && cfg->ssl_service_key[0]) {
+ if(!(daemon->listen_sslctx = listen_sslctx_create(
+ cfg->ssl_service_key, cfg->ssl_service_pem, NULL)))
+diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
+index c7c38276..fea6a9f7 100644
+--- a/smallapp/unbound-control.c
++++ b/smallapp/unbound-control.c
+@@ -45,6 +45,7 @@
+ #ifdef HAVE_GETOPT_H
+ #include <getopt.h>
+ #endif
++#ifdef HAVE_SSL
+ #ifdef HAVE_OPENSSL_SSL_H
+ #include <openssl/ssl.h>
+ #endif
+@@ -54,6 +55,9 @@
+ #ifdef HAVE_OPENSSL_RAND_H
+ #include <openssl/rand.h>
+ #endif
++#else
++typedef void *SSL;
++#endif
+ #include "util/log.h"
+ #include "util/config_file.h"
+ #include "util/locks.h"
+@@ -486,6 +490,7 @@ static void print_stats_shm(const char* cfgfile)
+ #endif /* HAVE_SHMGET */
+ }
+
++#ifdef HAVE_SSL
+ /** exit with ssl error */
+ static void ssl_err(const char* s)
+ {
+@@ -515,8 +520,6 @@ setup_ctx(struct config_file* cfg)
+ char* s_cert=NULL, *c_key=NULL, *c_cert=NULL;
+ SSL_CTX* ctx;
+
+- if(!(options_remote_is_address(cfg) && cfg->control_use_cert))
+- return NULL;
+ s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
+ c_key = fname_after_chroot(cfg->control_key_file, cfg, 1);
+ c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1);
+@@ -555,6 +558,7 @@ setup_ctx(struct config_file* cfg)
+ free(c_cert);
+ return ctx;
+ }
++#endif
+
+ /** check connect error */
+ static void
+@@ -723,6 +727,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
+ return fd;
+ }
+
++#ifdef HAVE_SSL
+ /** setup SSL on the connection */
+ static SSL*
+ setup_ssl(SSL_CTX* ctx, int fd)
+@@ -759,11 +764,13 @@ setup_ssl(SSL_CTX* ctx, int fd)
+
+ return ssl;
+ }
++#endif
+
+ /** read from ssl or fd, fatalexit on error, 0 EOF, 1 success */
+ static int
+ remote_read(SSL* ssl, int fd, char* buf, size_t len)
+ {
++#ifdef HAVE_SSL
+ if(ssl) {
+ int r;
+ ERR_clear_error();
+@@ -775,7 +782,9 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
+ ssl_err("could not SSL_read");
+ }
+ buf[r] = 0;
+- } else {
++ } else
++#endif
++ {
+ ssize_t rr = recv(fd, buf, len-1, 0);
+ if(rr <= 0) {
+ if(rr == 0) {
+@@ -793,10 +802,13 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
+ static void
+ remote_write(SSL* ssl, int fd, const char* buf, size_t len)
+ {
++#ifdef HAVE_SSL
+ if(ssl) {
+ if(SSL_write(ssl, buf, (int)len) <= 0)
+ ssl_err("could not SSL_write");
+- } else {
++ } else
++#endif
++ {
+ if(send(fd, buf, len, 0) < (ssize_t)len) {
+ fatal_exit("could not send: %s", sock_strerror(errno));
+ }
+@@ -894,7 +906,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
+ {
+ struct config_file* cfg;
+ int fd, ret;
++#ifdef HAVE_SSL
+ SSL_CTX* ctx;
++#endif
+ SSL* ssl;
+
+ /* read config */
+@@ -907,18 +921,34 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
+ #ifdef UB_ON_WINDOWS
+ w_config_adjust_directory(cfg);
+ #endif
+- ctx = setup_ctx(cfg);
++ if(options_remote_is_address(cfg) && cfg->control_use_cert) {
++#ifdef HAVE_SSL
++ ctx = setup_ctx(cfg);
++#else
++ fatal_exit("unbound built without TLS support");
++#endif
++ } else {
++#ifdef HAVE_SSL
++ ctx = NULL;
++#endif
++ }
+
+ /* contact server */
+ fd = contact_server(svr, cfg, argc>0&&strcmp(argv[0],"status")==0);
++#ifdef HAVE_SSL
+ ssl = setup_ssl(ctx, fd);
++#else
++ ssl = NULL;
++#endif
+
+ /* send command */
+ ret = go_cmd(ssl, fd, quiet, argc, argv);
+
++#ifdef HAVE_SSL
+ if(ssl) SSL_free(ssl);
+- sock_close(fd);
+ if(ctx) SSL_CTX_free(ctx);
++#endif
++ sock_close(fd);
+ config_delete(cfg);
+ return ret;
+ }
+@@ -997,6 +1027,7 @@ int main(int argc, char* argv[])
+ fatal_exit("WSAStartup failed: %s", wsa_strerror(r));
+ #endif
+
++#ifdef HAVE_SSL
+ #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
+ ERR_load_crypto_strings();
+ #endif
+@@ -1031,6 +1062,7 @@ int main(int argc, char* argv[])
+ RAND_seed(buf, 256);
+ log_warn("no entropy, seeding openssl PRNG with time\n");
+ }
++#endif
+
+ ret = go(cfgfile, svr, quiet, argc, argv);
+
+--
+2.34.1
+
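Review bot: In daemon/remote.c daemon_remote_create, the new `#else` branch that logs "unbound built without TLS support" returns NULL without releasing `rc`, while the sibling HAVE_SSL branch calls `daemon_remote_delete(rc)` before its `return NULL;`; add `daemon_remote_delete(rc);` ahead of the new return so both failure paths match (the only caller visible here, perform_setup, fatal_exits afterwards, so this is a consistency fix rather than a live leak). Refusing to bring up remote control at all when `cfg->control_use_cert` is requested in a build without TLS — in both the daemon and unbound-control — is the right fail-closed choice, and deserves a one-line comment at that branch, e.g. `/* refuse rather than fall back to the unauthenticated plain-socket path */`. In smallapp/unbound-control.c the fallback `typedef void *SSL;` makes the `SSL*` parameters of remote_read and remote_write `void **`; `typedef void SSL;` yields the plain `void *` that the `ssl = NULL;` in go() suggests was intended. This is an embedded patch file, so several of the functions it touches (remote_control_callback, handle_req, go, main) start or end outside the quoted hunks.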
diff --git a/pkg/unbound/patch/0005-Allow-building-daemon-without-remote-control.patch b/pkg/unbound/patch/0005-Allow-building-daemon-without-remote-control.patch
new file mode 100644
index 00000000..51b2b891
--- /dev/null
+++ b/pkg/unbound/patch/0005-Allow-building-daemon-without-remote-control.patch
@@ -0,0 +1,162 @@
+From 91e0865f0bd42d28d50ddd1fc1fae6cfaab17e46 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 1 Dec 2021 16:08:12 -0800
+Subject: [PATCH] Allow building daemon without remote control
+
+---
+ daemon/daemon.c | 13 +++++++++++++
+ daemon/unbound.c | 5 +++++
+ daemon/worker.c | 8 ++++++++
+ util/fptr_wlist.c | 4 ++++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/daemon/daemon.c b/daemon/daemon.c
+index 0e3923b4..27132ce1 100644
+--- a/daemon/daemon.c
++++ b/daemon/daemon.c
+@@ -68,7 +68,9 @@
+
+ #include "daemon/daemon.h"
+ #include "daemon/worker.h"
++#ifdef WITH_REMOTE
+ #include "daemon/remote.h"
++#endif
+ #include "daemon/acl_list.h"
+ #include "util/log.h"
+ #include "util/config_file.h"
+@@ -378,9 +380,16 @@ daemon_open_shared_ports(struct daemon* daemon)
+ if(daemon->cfg->remote_control_enable &&
+ daemon->cfg->control_port != daemon->rc_port) {
+ listening_ports_free(daemon->rc_ports);
++#ifdef WITH_REMOTE
+ if(!(daemon->rc_ports=daemon_remote_open_ports(daemon->cfg)))
+ return 0;
+ daemon->rc_port = daemon->cfg->control_port;
++#else
++ log_err("unbound built without remote control");
++ daemon->rc_ports = NULL;
++ daemon->rc_port = 0;
++ return 0;
++#endif
+ }
+ return 1;
+ }
+@@ -738,8 +747,10 @@ daemon_cleanup(struct daemon* daemon)
+ daemon->views = NULL;
+ if(daemon->env->auth_zones)
+ auth_zones_cleanup(daemon->env->auth_zones);
++#ifdef WITH_REMOTE
+ /* key cache is cleared by module desetup during next daemon_fork() */
+ daemon_remote_clear(daemon->rc);
++#endif
+ for(i=0; i<daemon->num; i++)
+ worker_delete(daemon->workers[i]);
+ free(daemon->workers);
+@@ -764,7 +775,9 @@ daemon_delete(struct daemon* daemon)
+ if(!daemon)
+ return;
+ modstack_desetup(&daemon->mods, daemon->env);
++#ifdef WITH_REMOTE
+ daemon_remote_delete(daemon->rc);
++#endif
+ for(i = 0; i < daemon->num_ports; i++)
+ listening_ports_free(daemon->ports[i]);
+ free(daemon->ports);
+diff --git a/daemon/unbound.c b/daemon/unbound.c
+index 2baf4dba..7925d91b 100644
+--- a/daemon/unbound.c
++++ b/daemon/unbound.c
+@@ -490,8 +490,13 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
+ w_config_adjust_directory(cfg);
+ #endif
+
++
++#ifdef WITH_REMOTE
+ if(!(daemon->rc = daemon_remote_create(cfg)))
+ fatal_exit("could not set up remote-control");
++#else
++ daemon->rc = NULL;
++#endif
+
+ /* read ssl keys while superuser and outside chroot */
+ #ifdef HAVE_SSL
+diff --git a/daemon/worker.c b/daemon/worker.c
+index 5d2483cd..f3c32279 100644
+--- a/daemon/worker.c
++++ b/daemon/worker.c
+@@ -376,10 +376,12 @@ worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube), uint8_t* msg,
+ verbose(VERB_ALGO, "got control cmd stats_noreset");
+ server_stats_reply(worker, 0);
+ break;
++#ifdef WITH_REMOTE
+ case worker_cmd_remote:
+ verbose(VERB_ALGO, "got control cmd remote");
+ daemon_remote_exec(worker);
+ break;
++#endif
+ default:
+ log_err("bad command %d", (int)cmd);
+ break;
+@@ -1731,11 +1733,13 @@ worker_init(struct worker* worker, struct config_file *cfg,
+ return 0;
+ }
+ #endif /* LIBEVENT_SIGNAL_PROBLEM */
++#ifdef WITH_REMOTE
+ if(!daemon_remote_open_accept(worker->daemon->rc,
+ worker->daemon->rc_ports, worker)) {
+ worker_delete(worker);
+ return 0;
+ }
++#endif
+ #ifdef UB_ON_WINDOWS
+ wsvc_setup_worker(worker);
+ #endif /* UB_ON_WINDOWS */
+@@ -2007,16 +2011,20 @@ void worker_start_accept(void* arg)
+ {
+ struct worker* worker = (struct worker*)arg;
+ listen_start_accept(worker->front);
++#ifdef WITH_REMOTE
+ if(worker->thread_num == 0)
+ daemon_remote_start_accept(worker->daemon->rc);
++#endif
+ }
+
+ void worker_stop_accept(void* arg)
+ {
+ struct worker* worker = (struct worker*)arg;
+ listen_stop_accept(worker->front);
++#ifdef WITH_REMOTE
+ if(worker->thread_num == 0)
+ daemon_remote_stop_accept(worker->daemon->rc);
++#endif
+ }
+
+ /* --- fake callbacks for fptr_wlist to work --- */
+diff --git a/util/fptr_wlist.c b/util/fptr_wlist.c
+index f8dac65c..f98ec5f3 100644
+--- a/util/fptr_wlist.c
++++ b/util/fptr_wlist.c
+@@ -118,8 +118,10 @@ fptr_whitelist_comm_point_raw(comm_point_callback_type *fptr)
+ {
+ if(fptr == &tube_handle_listen) return 1;
+ else if(fptr == &tube_handle_write) return 1;
++#ifdef WITH_REMOTE
+ else if(fptr == &remote_accept_callback) return 1;
+ else if(fptr == &remote_control_callback) return 1;
++#endif
+ return 0;
+ }
+
+@@ -587,7 +589,9 @@ int fptr_whitelist_print_func(void (*fptr)(char*,void*))
+ {
+ if(fptr == &config_print_func) return 1;
+ else if(fptr == &config_collate_func) return 1;
++#ifdef WITH_REMOTE
+ else if(fptr == &remote_get_opt_ssl) return 1;
++#endif
+ return 0;
+ }
+
+--
+2.34.1
+
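Review bot: Nothing in this patch defines WITH_REMOTE — the diffstat touches no configure file — so a build of the patched tree that does not pass `-DWITH_REMOTE` silently compiles remote control out, and the patch description is empty. State that in the commit body and at the first guard in daemon/daemon.c, e.g. `/* WITH_REMOTE comes from the build, not configure; undefined means no remote-control support */`. The daemon side fails closed (daemon_open_shared_ports logs and returns 0 when remote-control is enabled in the config but compiled out), which is the right choice; in daemon_cleanup, however, the new `#ifdef WITH_REMOTE` also encloses the comment "key cache is cleared by module desetup during next daemon_fork()", which appears unrelated to remote control and should stay outside the guard. util/fptr_wlist.c now references remote_accept_callback and remote_get_opt_ssl only under the guard, but if that file includes daemon/remote.h unconditionally (the include is not in the hunk) it will need the same `#ifdef WITH_REMOTE` that daemon.c gets.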
diff --git a/pkg/unbound/patch/0006-Remove-unintended-use-of-VLA.patch b/pkg/unbound/patch/0006-Remove-unintended-use-of-VLA.patch
new file mode 100644
index 00000000..12fb722b
--- /dev/null
+++ b/pkg/unbound/patch/0006-Remove-unintended-use-of-VLA.patch
@@ -0,0 +1,27 @@
+From ba9aa51428c55309c307c70c02706777a0403f13 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Tue, 21 Dec 2021 13:24:55 -0800
+Subject: [PATCH] Remove unintended use of VLA
+
+---
+ services/authzone.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/services/authzone.c b/services/authzone.c
+index e83af533..918874cc 100644
+--- a/services/authzone.c
++++ b/services/authzone.c
+@@ -7553,8 +7553,8 @@ static int zonemd_simple_domain(struct auth_zone* z, int hashalgo,
+ struct secalgo_hash* h, struct auth_data* node,
+ struct regional* region, struct sldns_buffer* buf, char** reason)
+ {
+- const size_t rrlistsize = 65536;
+- struct auth_rrset* rrlist[rrlistsize];
++ struct auth_rrset* rrlist[65536];
++ const size_t rrlistsize = sizeof(rrlist) / sizeof(*rrlist);
+ size_t i, rrnum = 0;
+ /* see if the domain is out of scope, the zone origin,
+ * that would be omitted */
+--
+2.34.1
+
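Review bot: The replacement leaves `65536` as a bare literal in `struct auth_rrset* rrlist[65536];`, losing the named bound the old `rrlistsize` declaration carried; a constant above the function, e.g. `enum { ZONEMD_RRLIST_MAX = 65536 };` (constructed name) with `struct auth_rrset* rrlist[ZONEMD_RRLIST_MAX];`, keeps the intent while still feeding the `sizeof(rrlist) / sizeof(*rrlist)` computation. The bound presumably corresponds to the 2^16 possible RR types of one domain — confirm against the loop that fills rrlist, which lies outside the hunk. Either way the frame now holds a fixed 64Ki pointers (512 KiB with 8-byte pointers), the same as the VLA but now visible at compile time, which merits a one-line comment on the declaration such as `/* ~512 KiB of stack on 64-bit hosts */`. zonemd_simple_domain's body continues past the hunk.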
diff --git a/pkg/unbound/patch/0007-Remove-use-of-uninitialized-variable.patch b/pkg/unbound/patch/0007-Remove-use-of-uninitialized-variable.patch
new file mode 100644
index 00000000..f1751966
--- /dev/null
+++ b/pkg/unbound/patch/0007-Remove-use-of-uninitialized-variable.patch
@@ -0,0 +1,24 @@
+From ede4d741adeb68ca6e244dfa07af164f1a204432 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Tue, 21 Dec 2021 15:03:44 -0800
+Subject: [PATCH] Remove use of uninitialized variable
+
+---
+ util/ub_event.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/util/ub_event.c b/util/ub_event.c
+index 8cd87ec4..54db6866 100644
+--- a/util/ub_event.c
++++ b/util/ub_event.c
+@@ -211,7 +211,6 @@ ub_default_event_base(int sigs, time_t* time_secs, struct timeval* time_tv)
+ {
+ void* base;
+
+- (void)base;
+ #ifdef USE_MINI_EVENT
+ (void)sigs;
+ /* use mini event time-sharing feature */
+--
+2.34.1
+