From b93fd4e0c937bf79de91ca82cedb61a60925e098 Mon Sep 17 00:00:00 2001
From: Ralph Dolmans <ralph@nlnetlabs.nl>
Date: Thu, 1 Jun 2017 09:51:05 +0000
Subject: [PATCH] - Fix #1274: automatically trim chroot path from dnscrypt
 key/cert paths (from   Manu Bretelle).

git-svn-id: file:///svn/unbound/trunk@4204 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 dnscrypt/dnscrypt.c | 27 +++++++++++++++++++++++++--
 doc/Changelog       |  4 ++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c
index 56903e651..a6eb6f8d4 100644
--- a/dnscrypt/dnscrypt.c
+++ b/dnscrypt/dnscrypt.c
@@ -266,6 +266,25 @@ dnsc_read_from_file(char *fname, char *buf, size_t count)
 	return 0;
 }
 
+/**
+ * Given an absolute path on the original root, returns the absolute path
+ * within the chroot. If chroot is disabled, the path is not modified.
+ * No char * is malloced so there is no need to free this.
+ * \param[in] cfg the configuration.
+ * \param[in] path the path from the original root.
+ * \return the path from inside the chroot.
+ */
+static char *
+dnsc_chroot_path(struct config_file *cfg, char *path)
+{
+	char *nm;
+	nm = path;
+	if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
+		cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
+		nm += strlen(cfg->chrootdir);
+	return nm;
+}
+
 /**
  * Parse certificates files provided by the configuration and load them into
  * dnsc_env.
@@ -278,6 +297,7 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
 {
 	struct config_strlist *head;
 	size_t signed_cert_id;
+	char *nm;
 
 	env->signed_certs_count = 0U;
 	for (head = cfg->dnscrypt_provider_cert; head; head = head->next) {
@@ -288,8 +308,9 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
 
 	signed_cert_id = 0U;
 	for(head = cfg->dnscrypt_provider_cert; head; head = head->next, signed_cert_id++) {
+		nm = dnsc_chroot_path(cfg, head->str);
 		if(dnsc_read_from_file(
-				head->str,
+				nm,
 				(char *)(env->signed_certs + signed_cert_id),
 				sizeof(struct SignedCert)) != 0) {
 			fatal_exit("dnsc_parse_certs: failed to load %s: %s", head->str, strerror(errno));
@@ -415,6 +436,7 @@ dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
 {
 	struct config_strlist *head;
 	size_t keypair_id;
+	char *nm;
 
 	env->keypairs_count = 0U;
 	for (head = cfg->dnscrypt_secret_key; head; head = head->next) {
@@ -426,8 +448,9 @@ dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
 	keypair_id = 0U;
 	for(head = cfg->dnscrypt_secret_key; head; head = head->next, keypair_id++) {
 		char fingerprint[80];
+		nm = dnsc_chroot_path(cfg, head->str);
 		if(dnsc_read_from_file(
-				head->str,
+				nm,
 				(char *)(env->keypairs[keypair_id].crypt_secretkey),
 				crypto_box_SECRETKEYBYTES) != 0) {
 			fatal_exit("dnsc_parse_keys: failed to load %s: %s", head->str, strerror(errno));
diff --git a/doc/Changelog b/doc/Changelog
index c0da6bc49..7faf7a2fe 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+1 June 2017: Ralph
+	- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
+	  (from Manu Bretelle).
+
 1 June 2017: Wouter
 	- Fix fastopen EPIPE fallthrough to perform connect.