From patchwork Tue Aug 4 06:58:33 2020
X-Patchwork-Submitter: Yousong Zhou
X-Patchwork-Id: 1340701
X-Patchwork-Delegate: yszhou4tech@gmail.com
From: Yousong Zhou
To: openwrt-devel@lists.openwrt.org
Cc: Yousong Zhou, ldir@darbyshire-bryant.me.uk
Subject: [PATCH] dnsmasq: abort when dnssec requested but not available
Date: Tue, 4 Aug 2020 14:58:33 +0800
Message-Id: <20200804065833.18459-1-yszhou4tech@gmail.com>

Before this commit, if uci option "dnssec" was set, we pass "--dnssec" and friends to dnsmasq, let it start and decide whether to quit and whether to emit message for diagnosis

    # dnsmasq --dnssec; echo $?
    dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
    1

DNSSEC as a feature is different from others like dhcp, tftp in that it's a security feature. Better be explicit. With this change committed, we make it so by not allowing it in the first place in the initscript, should dnsmasq later decide to not quit (not likely) or quit without above explicit error (unlikely but less so ;) So this is just being proactive.

On/off choices with uci option "dnssec" are still available like before.

Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
Signed-off-by: Yousong Zhou
--- package/network/services/dnsmasq/Makefile | 2 +- package/network/services/dnsmasq/files/dnsmasq.init | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 22ecd12f07..ab3f4fd8d0 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_UPSTREAM_VERSION:=2.82 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 9288971426..932103d8b5 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -42,9 +42,13 @@ dnsmasq_ignore_opt() { bootp-*|\ pxe-*) [ -z "$dnsmasq_has_dhcp" ] ;; - dnssec-*|\ + dnssec*|\ trust-anchor) - [ -z "$dnsmasq_has_dnssec" ] ;; + if [ -z "$dnsmasq_has_dnssec" ]; then + echo "dnsmasq: \"$opt\" requested, but dnssec support is not available" >&2 + exit 1 + fi + ;; tftp-*) [ -z "$dnsmasq_has_tftp" ] ;; ipset)
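
Review bot: In the dnsmasq.init hunk, the rewritten `dnssec*|trust-anchor)` branch no longer yields a non-zero status when DNSSEC support is present. The neighbouring branches end in `[ -z "$dnsmasq_has_dhcp" ] ;;` and `[ -z "$dnsmasq_has_tftp" ] ;;`, so the branch status appears to be what the caller sees from dnsmasq_ignore_opt. An `if ...; then ...; fi` whose condition is false and that has no else part returns 0, which is the same status those branches return when a feature is missing. If nothing after the `case` (not visible in this hunk) sets the return value, builds that do have DNSSEC would see their dnssec options treated as ignorable and dropped without a message, the opposite of what the commit message intends. Suggest adding `return 1` after the `fi`. Separately, the pattern change from `dnssec-*` to `dnssec*` brings the bare `dnssec` option into this branch, which deserves a line in the commit message, as does the fact that `exit 1` inside a helper ends the whole init script rather than skipping one option.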