- Fix #267: Allow unencrypted local operation of nsd-control.

NLnetLabs · Feb 16, 2023 · bc92c92 · bc92c92
1 parent 16adef8
commit bc92c92
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 28 deletions.
diff --git a/configure.ac b/configure.ac
@@ -1095,7 +1095,6 @@ AC_INCLUDES_DEFAULT
 	LIBS="$BAKLIBS"
 
 else
-	AC_MSG_WARN([No SSL, therefore remote-control is disabled])
 	AC_MSG_WARN([No SSL, therefore TLS is disabled])
 fi
 

diff --git a/doc/ChangeLog b/doc/ChangeLog
@@ -1,5 +1,6 @@
 16 February 2022: Wouter
 	- Fix #266: Fix build with --without-ssl.
+	- Fix #267: Allow unencrypted local operation of nsd-control.
 
 2 February 2022: Wouter
 	- Merge #265: Fix C99 compatibility issue.

diff --git a/doc/RELNOTES b/doc/RELNOTES
@@ -4,6 +4,7 @@ NSD RELEASE NOTES
 ================
 FEATURES:
 	- Merge #263: Add bash autocompletion script for nsd-control.
+	- Fix #267: Allow unencrypted local operation of nsd-control.
 BUG FIXES:
 	- Fix #239: -Wincompatible-pointer-types warning in remote.c.
 	- Fix configure for -Wstrict-prototypes.

diff --git a/nsd-control.c b/nsd-control.c
@@ -57,10 +57,11 @@ int zonec_parse_string(struct region* ATTR_UNUSED(region),
 	return 0;
 }
 
-#ifdef HAVE_SSL
 #include <sys/types.h>
 #include <unistd.h>
 #include <string.h>
+#include <errno.h>
+#ifdef HAVE_SSL
 #ifdef HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
 #endif
@@ -70,6 +71,7 @@ int zonec_parse_string(struct region* ATTR_UNUSED(region),
 #ifdef HAVE_OPENSSL_RAND_H
 #include <openssl/rand.h>
 #endif
+#endif /* HAVE_SSL */
 #ifdef HAVE_SYS_UN_H
 #include <sys/un.h>
 #endif
@@ -83,8 +85,13 @@ int zonec_parse_string(struct region* ATTR_UNUSED(region),
 #include "zonec.h"
 
 static void usage(void) ATTR_NORETURN;
+#ifdef HAVE_SSL
 static void ssl_err(const char* s) ATTR_NORETURN;
 static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN;
+#else
+/* define SSL to use as a boolean to turn it off in function calls. */
+#define SSL int
+#endif
 
 /** timeout to wait for connection over stream, in msec */
 #define NSD_CONTROL_CONNECT_TIMEOUT 5000
@@ -135,6 +142,7 @@ usage()
 	exit(1);
 }
 
+#ifdef HAVE_SSL
 /** exit with ssl error */
 static void ssl_err(const char* s)
 {
@@ -208,6 +216,7 @@ setup_ctx(struct nsd_options* cfg)
 
 	return ctx;
 }
+#endif /* HAVE_SSL */
 
 /** check connect error */
 static void
@@ -360,6 +369,7 @@ contact_server(const char* svr, struct nsd_options* cfg, int statuscmd)
 	return fd;
 }
 
+#ifdef HAVE_SSL
 /** setup SSL on the connection */
 static SSL*
 setup_ssl(SSL_CTX* ctx, int fd)
@@ -395,12 +405,14 @@ setup_ssl(SSL_CTX* ctx, int fd)
 	X509_free(x);
 	return ssl;
 }
+#endif /* HAVE_SSL */
 
 /** read from ssl or fd, fatalexit on error, 0 EOF, 1 success */
 static int
 remote_read(SSL* ssl, int fd, char* buf, size_t len)
 {
 	if(ssl) {
+#ifdef HAVE_SSL
 		int r;
 		ERR_clear_error();
 		if((r = SSL_read(ssl, buf, (int)len-1)) <= 0) {
@@ -411,6 +423,7 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
 			ssl_err("could not SSL_read");
 		}
 		buf[r] = 0;
+#endif /* HAVE_SSL */
 	} else {
 		ssize_t rr = read(fd, buf, len-1);
 		if(rr <= 0) {
@@ -432,8 +445,10 @@ static void
 remote_write(SSL* ssl, int fd, const char* buf, size_t len)
 {
 	if(ssl) {
+#ifdef HAVE_SSL
 		if(SSL_write(ssl, buf, (int)len) <= 0)
 			ssl_err("could not SSL_write");
+#endif /* HAVE_SSL */
 	} else {
 		if(write(fd, buf, len) < (ssize_t)len) {
 			fprintf(stderr, "could not write: %s\n",
@@ -497,8 +512,10 @@ go(const char* cfgfile, char* svr, int argc, char* argv[])
 {
 	struct nsd_options* opt;
 	int fd, ret;
-	SSL_CTX* ctx;
-	SSL* ssl;
+#ifdef HAVE_SSL
+	SSL_CTX* ctx = NULL;
+#endif
+	SSL* ssl = NULL;
 
 	/* read config */
 	if(!(opt = nsd_options_create(region_create(xalloc, free)))) {
@@ -513,18 +530,31 @@ go(const char* cfgfile, char* svr, int argc, char* argv[])
 	if(!opt->control_enable)
 		fprintf(stderr, "warning: control-enable is 'no' in the config file.\n");
 	resolve_interface_names(opt);
+#ifdef HAVE_SSL
 	ctx = setup_ctx(opt);
+#else
+	if(options_remote_is_address(opt)) {
+		fprintf(stderr, "error: NSD was compiled without SSL.\n");
+		exit(1);
+	}
+#endif /* HAVE_SSL */
 
 	/* contact server */
 	fd = contact_server(svr, opt, argc>0&&strcmp(argv[0],"status")==0);
+#ifdef HAVE_SSL
 	ssl = setup_ssl(ctx, fd);
+#endif
 
 	/* send command */
 	ret = go_cmd(ssl, fd, argc, argv);
 
+#ifdef HAVE_SSL
 	if(ssl) SSL_free(ssl);
+#endif
 	close(fd);
+#ifdef HAVE_SSL
 	if(ctx) SSL_CTX_free(ctx);
+#endif
 	region_destroy(opt->region);
 	return ret;
 }
@@ -542,6 +572,7 @@ int main(int argc, char* argv[])
 	char* svr = NULL;
 	log_init("nsd-control");
 
+#ifdef HAVE_SSL
 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
 	ERR_load_crypto_strings();
 #endif
@@ -574,6 +605,7 @@ int main(int argc, char* argv[])
                 RAND_seed(buf, 256);
 		fprintf(stderr, "warning: no entropy, seeding openssl PRNG with time\n");
 	}
+#endif /* HAVE_SSL */
 
 	/* parse the options */
 	while( (c=getopt(argc, argv, "c:s:h")) != -1) {
@@ -608,11 +640,3 @@ int main(int argc, char* argv[])
 
 	return go(cfgfile, svr, argc, argv);
 }
-
-#else /* HAVE_SSL */
-int main(void)
-{
-	printf("error: NSD was compiled without SSL.\n");
-	return 1;
-}
-#endif /* HAVE_SSL */
diff --git a/nsd.c b/nsd.c
@@ -1556,11 +1556,13 @@ main(int argc, char *argv[])
 	if(nsd.options->control_enable || (nsd.options->tls_service_key && nsd.options->tls_service_key[0])) {
 		perform_openssl_init();
 	}
+#endif /* HAVE_SSL */
 	if(nsd.options->control_enable) {
 		/* read ssl keys while superuser and outside chroot */
 		if(!(nsd.rc = daemon_remote_create(nsd.options)))
 			error("could not perform remote control setup");
 	}
+#if defined(HAVE_SSL)
 	if(nsd.options->tls_service_key && nsd.options->tls_service_key[0]
 	   && nsd.options->tls_service_pem && nsd.options->tls_service_pem[0]) {
 		if(!(nsd.tls_ctx = server_tls_ctx_create(&nsd, NULL,