From: Wouter Wijngaards
Date: Fri, 10 Jun 2011 10:11:38 +0000 (+0000)
Subject: - unbound-control has version number in the header,
X-Git-Tag: release-1.4.11rc1~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a11fbf9ca01739da474a99aa989733f60ea42ea6;p=thirdparty%2Funbound.git
- unbound-control has version number in the header,
UBCT[version]_space_ is the header sent by the client now.
- Unbound control port number is registered with IANA:
ub-dns-control 8953/tcp unbound dns nameserver control
This is the new default for the control-port config setting.
git-svn-id: file:///svn/unbound/trunk@2424 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/config.h.in b/config.h.in
index 2c72be45f..b4cf52571 100644
--- a/config.h.in
+++ b/config.h.in
@@ -871,4 +871,10 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 
 /** default port for DNS traffic. */
 #define UNBOUND_DNS_PORT 53
+/** default port for unbound control traffic, registered port with IANA,
+ ub-dns-control 8953/tcp unbound dns nameserver control */
+#define UNBOUND_CONTROL_PORT 8953
+/** the version of unbound-control that this software implements */
+#define UNBOUND_CONTROL_VERSION 1
+
 
diff --git a/configure.ac b/configure.ac
index be5457dd9..7d47b637b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -930,6 +930,12 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 
 /** default port for DNS traffic. */
 #define UNBOUND_DNS_PORT 53
+/** default port for unbound control traffic, registered port with IANA,
+ ub-dns-control 8953/tcp unbound dns nameserver control */
+#define UNBOUND_CONTROL_PORT 8953
+/** the version of unbound-control that this software implements */
+#define UNBOUND_CONTROL_VERSION 1
+
 
 ])
 AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8])
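Review bot: The doc comment on UNBOUND_CONTROL_VERSION in the config.h.in hunk (and its source in the configure.ac hunk) does not say that the value is part of the wire protocol: the daemon/remote.c and smallapp/unbound-control.c hunks of this commit format it into the `UBCT<version> ` prefix and the daemon answers any other value with "error version mismatch", so a bump makes older unbound-control binaries unusable against the new daemon. Suggest `/** the version of unbound-control that this software implements; sent on the wire as the UBCT<version>_space_ prefix and must match between daemon and client */`. It would also help to note next to it that the daemon's parser currently reads a fixed six-byte prefix, so the value is expected to stay a single digit.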
diff --git a/daemon/remote.c b/daemon/remote.c
index 2f842be50..35dd0fa43 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -1871,7 +1871,8 @@ static void
 handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
 {
 int r;
- char magic[5];
+ char pre[10];
+ char magic[7];
 char buf[1024];
 #ifdef USE_WINSOCK
 /* makes it possible to set the socket blocking again. */
@@ -1880,7 +1881,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
 #endif
 fd_set_block(s->c->fd);
 
- /* try to read magic UBCT string */
+ /* try to read magic UBCT[version]_space_ string */
 ERR_clear_error();
 if((r=SSL_read(ssl, magic, (int)sizeof(magic)-1)) <= 0) {
 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN)
@@ -1888,9 +1889,10 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
 log_crypto_err("could not SSL_read");
 return;
 }
- magic[4] = 0;
- if( r != 4 || strcmp(magic, "UBCT") != 0) {
+ magic[6] = 0;
+ if( r != 6 || strncmp(magic, "UBCT", 4) != 0) {
 verbose(VERB_QUERY, "control connection has bad magic string");
+ /* probably wrong tool connected, ignore it completely */
 return;
 }
 
@@ -1898,6 +1900,13 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
 if(!ssl_read_line(ssl, buf, sizeof(buf))) {
 return;
 }
+ snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
+ if(strcmp(magic, pre) != 0) {
+ verbose(VERB_QUERY, "control connection had bad "
+ "version %s, cmd: %s", magic, buf);
+ ssl_printf(ssl, "error version mismatch\n");
+ return;
+ }
 verbose(VERB_DETAIL, "control cmd: %s", buf);
 
 /* figure out what to do */
diff --git a/doc/Changelog b/doc/Changelog
index e3a968b96..7c730c845 100644
--- a/doc/Changelog
+++ b/doc/Changelog
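Review bot: The header parser fixes the prefix width at six bytes — `char magic[7]`, the `(int)sizeof(magic)-1` read and the `r != 6` test in the third hunk — while `pre` is formatted into ten bytes from UNBOUND_CONTROL_VERSION in the fourth hunk, so the first two-digit version would read "UBCT10" without the trailing space and every client would then fail the strcmp with "error version mismatch". Building `pre` before the read and sizing the read, the terminator and the length test from strlen(pre) keeps the two in step; the client in smallapp/unbound-control.c already builds the same string. A single SSL_read may also return fewer bytes than requested if the client's write is split across TLS records, which `r != 6` reports as a bad magic; presumably the client sends the prefix in one write so this is rare, but it deserves a comment. handle_req continues outside these hunks.
```c
	char pre[10];
	char magic[sizeof(pre)];
	/* … unchanged: buf, USE_WINSOCK block, fd_set_block … */
	/* the expected header is UBCT[version]_space_; read exactly that many bytes */
	snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
	ERR_clear_error();
	if((r=SSL_read(ssl, magic, (int)strlen(pre))) <= 0) {
	/* … unchanged: SSL_ERROR_ZERO_RETURN and log_crypto_err handling … */
	}
	magic[r] = 0; /* r <= strlen(pre) < sizeof(magic) */
	if( r != (int)strlen(pre) || strncmp(magic, "UBCT", 4) != 0) {
	/* … unchanged: bad magic log and return, ssl_read_line, version strcmp against pre … */
```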
@@ -1,3 +1,10 @@
+10 June 2011: Wouter
+ - unbound-control has version number in the header,
+ UBCT[version]_space_ is the header sent by the client now.
+ - Unbound control port number is registered with IANA:
+ ub-dns-control 8953/tcp unbound dns nameserver control
+ This is the new default for the control-port config setting.
+
 30 May 2011: Wouter
 - Fix Makefile for U in environment, since wrong U is more common
 than deansification necessity.
diff --git a/doc/control_proto_spec.txt b/doc/control_proto_spec.txt
index 67bbc915d..d26258f1e 100644
--- a/doc/control_proto_spec.txt
+++ b/doc/control_proto_spec.txt
@@ -1,16 +1,21 @@
 Specification for the unbound-control protocol.
 
-Server listens on 953 TCP (localhost by default). Client connects,
+Server listens on 8953 TCP (localhost by default). Client connects,
 SSLv3 or TLSv1 connection setup (server selfsigned certificate,
 client has cert signed by server certificate).
 
+Port 8953 is registered with IANA as:
+ub-dns-control 8953/tcp unbound dns nameserver control
+# Wouter Wijngaards 10 May 2011
+On may 11 2011, ticket [IANA #442315].
+
 Query and Response
 ------------------
 Client sends
- UBCT [commandline] \n
- fixed string UBCT, then an ascii text line, with a command,
- some whitespace allowed. Line ends with '\n'.
+ UBCT[version] [commandline] \n
+ fixed string UBCT1 (for version 1), then an ascii text line,
+ with a command, some whitespace allowed. Line ends with '\n'.
 
 Server executes command. And sends reply in ascii text over channel,
 closes the channel when done.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 1df9bb7b8..e92d5e0c0 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -472,7 +472,7 @@ remote-control:
 # control-interface: ::1
 
 # port number for remote control operations.
- # control-port: 953
+ # control-port: 8953
 
 # unbound server key file.
 # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index b323f25ac..574f63fdb 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -888,7 +888,7 @@ By default localhost (127.0.0.1 and ::1) is listened to. Use 0.0.0.0
 and ::0 to listen to all interfaces.
 .TP 5
 .B control\-port:
-The port number to listen on for control commands, default is 953
+The port number to listen on for control commands, default is 8953
 (that is the same port number named uses to listen to rndc).
 If you change this port number, and permissions have been dropped, a reload
 is not sufficient to open the port again, you must then restart.
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 6b719f84e..a872f92aa 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -258,12 +258,13 @@ send_file(SSL* ssl, FILE* in, char* buf, size_t sz)
 static int
 go_cmd(SSL* ssl, int argc, char* argv[])
 {
- const char* pre="UBCT";
+ char pre[10];
 const char* space=" ";
 const char* newline="\n";
 int was_error = 0, first_line = 1;
 int r, i;
 char buf[1024];
+ snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
 if(SSL_write(ssl, pre, (int)strlen(pre)) <= 0)
 ssl_err("could not SSL_write");
 for(i=0; ipython_script = NULL;
 cfg->remote_control_enable = 0;
 cfg->control_ifs = NULL;
- cfg->control_port = 953;
+ cfg->control_port = UNBOUND_CONTROL_PORT;
 if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key")))
 goto error_exit;
 if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem")))