- Create additional tls service interfaces by opening them on other
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 15 Mar 2018 14:19:02 +0000 (14:19 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 15 Mar 2018 14:19:02 +0000 (14:19 +0000)
  portnumbers and listing the portnumbers as additional-tls-port: nr.

git-svn-id: file:///svn/unbound/trunk@4588 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
doc/example.conf.in
services/listen_dnsport.c
util/config_file.c
util/config_file.h

index 6432a3471373b11fdcbc0a3365753f14a72808ca..478f12c233aadceeba348e3decc15c976ca6f9d3 100644 (file)
@@ -7,6 +7,8 @@
          should exist).  Patch from Jinmei Tatuya (Infoblox).
        - Fix #3817: core dump happens in libunbound delete, when queued
          servfail hits deleted message queue.
+       - Create additional tls service interfaces by opening them on other
+         portnumbers and listing the portnumbers as additional-tls-port: nr.
 
 13 March 2018: Wouter
        - Fix typo in documentation.
index 32941a0a152f10c06cd0390abef62099506e8857..e0b0081b37b02ba007e62639b717e8413d3e8708 100644 (file)
@@ -678,6 +678,9 @@ server:
        # Certificates used to authenticate connections made upstream.
        # tls-cert-bundle: ""
 
+       # Also serve tls on these port numbers (eg. 443, ...), by listing
+       # additional-tls-port: portno for each of the port numbers.
+
        # DNS64 prefix. Must be specified when DNS64 is use.
        # Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
        # dns64-prefix: 64:ff9b::0/96
index d099ca9449b74a09e34a212ebbbc375867159e6d..3e7664dfa3771e3dbd51eb2aef4b0d24d9f16a0b 100644 (file)
@@ -1056,6 +1056,24 @@ set_recvpktinfo(int s, int family)
        return 1;
 }
 
+/** see if interface is ssl, its port number == the ssl port number */
+static int
+if_is_ssl(const char* ifname, const char* port, int ssl_port,
+       struct config_strlist* additional_tls_port)
+{
+       struct config_strlist* s;
+       char* p = strchr(ifname, '@');
+       if(!p && atoi(port) == ssl_port)
+               return 1;
+       if(p && atoi(p+1) == ssl_port)
+               return 1;
+       for(s = additional_tls_port; s; s = s->next) {
+               if(atoi(s->str) == atoi(port))
+                       return 1;
+       }
+       return 0;
+}
+
 /**
  * Helper for ports_open. Creates one interface (or NULL for default).
  * @param ifname: The interface ip address.
@@ -1069,6 +1087,7 @@ set_recvpktinfo(int s, int family)
  * @param rcv: receive buffer size for UDP
  * @param snd: send buffer size for UDP
  * @param ssl_port: ssl service port number
+ * @param additional_tls_port: list of additional ssl service port numbers.
  * @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
  *     set to false on exit if reuseport failed due to no kernel support.
  * @param transparent: set IP_TRANSPARENT socket option.
@@ -1081,8 +1100,10 @@ set_recvpktinfo(int s, int family)
 static int
 ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, 
        struct addrinfo *hints, const char* port, struct listen_port** list,
-       size_t rcv, size_t snd, int ssl_port, int* reuseport, int transparent,
-       int tcp_mss, int freebind, int use_systemd, int dnscrypt_port)
+       size_t rcv, size_t snd, int ssl_port,
+       struct config_strlist* additional_tls_port, int* reuseport,
+       int transparent, int tcp_mss, int freebind, int use_systemd,
+       int dnscrypt_port)
 {
        int s, noip6=0;
 #ifdef USE_DNSCRYPT
@@ -1146,9 +1167,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
                }
        }
        if(do_tcp) {
-               int is_ssl = ((strchr(ifname, '@') && 
-                       atoi(strchr(ifname, '@')+1) == ssl_port) ||
-                       (!strchr(ifname, '@') && atoi(port) == ssl_port));
+               int is_ssl = if_is_ssl(ifname, port, ssl_port,
+                       additional_tls_port);
                if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, 
                        &noip6, 0, 0, reuseport, transparent, tcp_mss,
                        freebind, use_systemd)) == -1) {
@@ -1334,8 +1354,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
                                do_auto, cfg->do_udp, do_tcp, 
                                &hints, portbuf, &list,
                                cfg->so_rcvbuf, cfg->so_sndbuf,
-                               cfg->ssl_port, reuseport,
-                               cfg->ip_transparent,
+                               cfg->ssl_port, cfg->additional_tls_port,
+                               reuseport, cfg->ip_transparent,
                                cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
                                cfg->dnscrypt_port)) {
                                listening_ports_free(list);
@@ -1348,8 +1368,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
                                do_auto, cfg->do_udp, do_tcp, 
                                &hints, portbuf, &list,
                                cfg->so_rcvbuf, cfg->so_sndbuf,
-                               cfg->ssl_port, reuseport,
-                               cfg->ip_transparent,
+                               cfg->ssl_port, cfg->additional_tls_port,
+                               reuseport, cfg->ip_transparent,
                                cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
                                cfg->dnscrypt_port)) {
                                listening_ports_free(list);
@@ -1364,8 +1384,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
                        if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
                                do_tcp, &hints, portbuf, &list, 
                                cfg->so_rcvbuf, cfg->so_sndbuf,
-                               cfg->ssl_port, reuseport,
-                               cfg->ip_transparent,
+                               cfg->ssl_port, cfg->additional_tls_port,
+                               reuseport, cfg->ip_transparent,
                                cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
                                cfg->dnscrypt_port)) {
                                listening_ports_free(list);
@@ -1378,8 +1398,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
                        if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
                                do_tcp, &hints, portbuf, &list, 
                                cfg->so_rcvbuf, cfg->so_sndbuf,
-                               cfg->ssl_port, reuseport,
-                               cfg->ip_transparent,
+                               cfg->ssl_port, cfg->additional_tls_port,
+                               reuseport, cfg->ip_transparent,
                                cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
                                cfg->dnscrypt_port)) {
                                listening_ports_free(list);
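Review bot: In if_is_ssl (first hunk of this section) the additional-tls-port loop compares each list entry only against `port`, whereas the two ssl_port checks directly above it honour an `@portno` suffix on ifname, so an interface configured as `ip@443` together with `additional-tls-port: 443` is opened as plain TCP instead of TLS. The loop body should mirror the cases above it: `if((p && atoi(p+1) == atoi(s->str)) || (!p && atoi(port) == atoi(s->str))) return 1;`. The new loop also inherits the atoi pattern, which silently turns a non-numeric entry into 0 with no diagnostic; a `strtol` with an `endptr` check, or validating `s->str` once when the option is set, would let a bad entry be rejected rather than ignored. The remaining hunks here only thread the new parameter through ports_create_if and its four call sites in listening_ports_open, and ports_create_if's body continues outside the hunks.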
index 0784f055912d9794baec866d62c76cbc5b9c18c6..b215234c734c8b22ff162bba9afea551519f87dd 100644 (file)
@@ -446,6 +446,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
        else S_STR("ssl-service-pem:", ssl_service_pem)
        else S_NUMBER_NONZERO("ssl-port:", ssl_port)
        else S_STR("tls-cert-bundle:", tls_cert_bundle)
+       else S_STRLIST("additional-tls-port:", additional_tls_port)
        else S_YNO("interface-automatic:", if_automatic)
        else S_YNO("use-systemd:", use_systemd)
        else S_YNO("do-daemonize:", do_daemonize)
@@ -856,6 +857,7 @@ config_get_option(struct config_file* cfg, const char* opt,
        else O_STR(opt, "ssl-service-pem", ssl_service_pem)
        else O_DEC(opt, "ssl-port", ssl_port)
        else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
+       else O_LST(opt, "additional-tls-port", additional_tls_port)
        else O_YNO(opt, "use-systemd", use_systemd)
        else O_YNO(opt, "do-daemonize", do_daemonize)
        else O_STR(opt, "chroot", chrootdir)
@@ -1274,6 +1276,7 @@ config_delete(struct config_file* cfg)
        free(cfg->ssl_service_key);
        free(cfg->ssl_service_pem);
        free(cfg->tls_cert_bundle);
+       config_delstrlist(cfg->additional_tls_port);
        free(cfg->log_identity);
        config_del_strarray(cfg->ifs, cfg->num_ifs);
        config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);
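Review bot: `S_STRLIST("additional-tls-port:", additional_tls_port)` in the first hunk accepts any string, unlike the adjacent `S_NUMBER_NONZERO("ssl-port:", ssl_port)`, so an entry such as `additional-tls-port: 85x` is stored unchecked and only reinterpreted by atoi in the listener code, where it becomes 0 and never matches. Rejecting the value here with the same numeric-and-nonzero test that ssl-port gets (returning 0 from config_set_option as the other macros do on a bad value) would surface the typo at configuration time instead of as a silently non-TLS listener. The commit's file list shows no change to the config lexer/parser or to the unbound.conf manual page, so unless those follow separately the option appears to be settable only through config_set_option and is undocumented for the config file; worth confirming. The O_LST getter and the config_delstrlist call in config_delete look consistent with how the other strlist options are handled.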
index 85d2f645df6851159fee8799407972205c9b31d4..2293e1e7758ab6653cb5103b303ba1357a75282a 100644 (file)
@@ -102,6 +102,8 @@ struct config_file {
        int ssl_upstream;
        /** cert bundle for outgoing connections */
        char* tls_cert_bundle;
+       /** additional tls ports */
+       struct config_strlist* additional_tls_port;
 
        /** outgoing port range number of ports (per thread) */
        int outgoing_num_ports;