- Fix that first control-interface determines if TLS is used. Warn

  when IP address interfaces are used without TLS.

git-svn-id: file:///svn/unbound/trunk@4730 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/daemon/remote.c b/daemon/remote.c
index 67839bbda3a8f5aa538e405b28c2ccfe9cb26efb..a4ac2fea068009bb21a13e5f1ea1d8886df7eccd 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -215,8 +215,13 @@ daemon_remote_create(struct config_file* cfg)
                }
                rc->use_cert = 1;
        } else {
+               struct config_strlist* p;
                rc->ctx = NULL;
                rc->use_cert = 0;
+               for(p = cfg->control_ifs.first; p; p = p->next) {
+                       if(p->str && p->str[0] != '/')
+                               log_warn("control-interface %s is not using TLS, but plain transfer, because first control-interface in config file is a local socket (starts with a /).", p->str);
+               }
        }
        return rc;
 }
@@ -358,9 +363,9 @@ struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
 {
        struct listen_port* l = NULL;
        log_assert(cfg->remote_control_enable && cfg->control_port);
-       if(cfg->control_ifs) {
+       if(cfg->control_ifs.first) {
                struct config_strlist* p;
-               for(p = cfg->control_ifs; p; p = p->next) {
+               for(p = cfg->control_ifs.first; p; p = p->next) {
                        if(!add_open(p->str, cfg->control_port, &l, 1, cfg)) {
                                listening_ports_free(l);
                                return NULL;

diff --git a/doc/Changelog b/doc/Changelog
index c003cf7993964e748b99a7424fa7a6f32e81eef7..40d8f2c166041da99140d1a66d8740bd0c322a50 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 14 June 2018: Wouter
        - #4103: Fix that auth-zone does not insist on SOA record first in
          file for url downloads.
+       - Fix that first control-interface determines if TLS is used.  Warn
+         when IP address interfaces are used without TLS.
 
 12 June 2018: Ralph
        - Don't count CNAME response types received during qname minimisation as

diff --git a/pythonmod/interface.i b/pythonmod/interface.i
index 72e6d99c7cf2315b474579c656a5856efb5c08b2..df06d1064b04096bd765d34d35c8a0ebc5a0fff5 100644 (file)
--- a/pythonmod/interface.i
+++ b/pythonmod/interface.i
@@ -883,7 +883,7 @@ struct config_file {
    struct config_strlist* local_zones_nodefault;
    struct config_strlist* local_data;
    int remote_control_enable;
-   struct config_strlist* control_ifs;
+   struct config_strlist_head control_ifs;
    int control_port;
    char* server_key_file;
    char* server_cert_file;

diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 4716469c72577a648ecdff3cce4498972e9a331e..3d97de5d3997b1087931c0c19f9a693bb06fb6f5 100644 (file)
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -491,8 +491,8 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
        int fd, useport = 1;
        /* use svr or the first config entry */
        if(!svr) {
-               if(cfg->control_ifs) {
-                       svr = cfg->control_ifs->str;
+               if(cfg->control_ifs.first) {
+                       svr = cfg->control_ifs.first->str;
                } else if(cfg->do_ip4) {
                        svr = "127.0.0.1";
                } else {

diff --git a/util/config_file.c b/util/config_file.c
index 63d2e740c314252b51af8cb30117a3f87985063a..0f5bb6217297ffb62acca08ce1d2a020f302a335 100644 (file)
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -244,7 +244,8 @@ config_create(void)
        cfg->insecure_lan_zones = 0;
        cfg->python_script = NULL;
        cfg->remote_control_enable = 0;
-       cfg->control_ifs = NULL;
+       cfg->control_ifs.first = NULL;
+       cfg->control_ifs.last = NULL;
        cfg->control_port = UNBOUND_CONTROL_PORT;
        cfg->minimal_responses = 0;
        cfg->rrset_roundrobin = 0;
@@ -385,6 +386,9 @@ struct config_file* config_create_forlib(void)
 #define S_STRLIST_UNIQ(str, var) if(strcmp(opt, str)==0) \
        { if(cfg_strlist_find(cfg->var, val)) { return 0;} \
          return cfg_strlist_insert(&cfg->var, strdup(val)); }
+/** append string to strlist */
+#define S_STRLIST_APPEND(str, var) if(strcmp(opt, str)==0) \
+       { return cfg_strlist_append(&cfg->var, strdup(val)); }
 
 int config_set_option(struct config_file* cfg, const char* opt,
        const char* val)
@@ -555,7 +559,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
        else S_YNO("unblock-lan-zones:", unblock_lan_zones)
        else S_YNO("insecure-lan-zones:", insecure_lan_zones)
        else S_YNO("control-enable:", remote_control_enable)
-       else S_STRLIST("control-interface:", control_ifs)
+       else S_STRLIST_APPEND("control-interface:", control_ifs)
        else S_NUMBER_NONZERO("control-port:", control_port)
        else S_STR("server-key-file:", server_key_file)
        else S_STR("server-cert-file:", server_cert_file)
@@ -941,7 +945,7 @@ config_get_option(struct config_file* cfg, const char* opt,
        else O_YNO(opt, "trust-anchor-signaling", trust_anchor_signaling)
        else O_YNO(opt, "root-key-sentinel", root_key_sentinel)
        else O_LST(opt, "dlv-anchor", dlv_anchor_list)
-       else O_LST(opt, "control-interface", control_ifs)
+       else O_LST(opt, "control-interface", control_ifs.first)
        else O_LST(opt, "domain-insecure", domain_insecure)
        else O_UNS(opt, "val-override-date", val_date_override)
        else O_YNO(opt, "minimal-responses", minimal_responses)
@@ -1344,7 +1348,7 @@ config_delete(struct config_file* cfg)
        config_del_strbytelist(cfg->respip_tags);
        config_deltrplstrlist(cfg->acl_tag_actions);
        config_deltrplstrlist(cfg->acl_tag_datas);
-       config_delstrlist(cfg->control_ifs);
+       config_delstrlist(cfg->control_ifs.first);
        free(cfg->server_key_file);
        free(cfg->server_cert_file);
        free(cfg->control_key_file);
@@ -2268,8 +2272,8 @@ void errinf_dname(struct module_qstate* qstate, const char* str, uint8_t* dname)
 int options_remote_is_address(struct config_file* cfg)
 {
        if(!cfg->remote_control_enable) return 0;
-       if(!cfg->control_ifs) return 1;
-       if(!cfg->control_ifs->str) return 1;
-       if(cfg->control_ifs->str[0] == 0) return 1;
-       return (cfg->control_ifs->str[0] != '/');
+       if(!cfg->control_ifs.first) return 1;
+       if(!cfg->control_ifs.first->str) return 1;
+       if(cfg->control_ifs.first->str[0] == 0) return 1;
+       return (cfg->control_ifs.first->str[0] != '/');
 }

diff --git a/util/config_file.h b/util/config_file.h
index 7766f66cd881ee7f5547297d43d265649a550bb8..0cd0cdd73d69c6629b1b956c7eba8a4a716fc69e 100644 (file)
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -53,6 +53,14 @@ struct sock_list;
 struct ub_packed_rrset_key;
 struct regional;
 
+/** List head for strlist processing, used for append operation. */
+struct config_strlist_head {
+       /** first in list of text items */
+       struct config_strlist* first;
+       /** last in list of text items */
+       struct config_strlist* last;
+};
+
 /**
  * The configuration options.
  * Strings are malloced.
@@ -374,7 +382,7 @@ struct config_file {
        /** remote control section. enable toggle. */
        int remote_control_enable;
        /** the interfaces the remote control should listen on */
-       struct config_strlist* control_ifs;
+       struct config_strlist_head control_ifs;
        /** port number for the control port */
        int control_port;
        /** private key file for server */
@@ -651,14 +659,6 @@ struct config_strbytelist {
        size_t str2len;
 };
 
-/** List head for strlist processing, used for append operation. */
-struct config_strlist_head {
-       /** first in list of text items */
-       struct config_strlist* first;
-       /** last in list of text items */
-       struct config_strlist* last;
-};
-
 /**
  * Create config file structure. Filled with default values.
  * @return: the new structure or NULL on memory error.

diff --git a/util/configparser.c b/util/configparser.c
index 0b25a3f32bec10df00d64425a57a7d4f969caa6b..facddca10434e7f7b6fe98ff4c16cafd58859d7d 100644 (file)
--- a/util/configparser.c
+++ b/util/configparser.c
@@ -5072,7 +5072,7 @@ yyreduce:
 #line 2288 "./util/configparser.y" /* yacc.c:1646  */
     {
                OUTYY(("P(control_interface:%s)\n", (yyvsp[0].str)));
-               if(!cfg_strlist_insert(&cfg_parser->cfg->control_ifs, (yyvsp[0].str)))
+               if(!cfg_strlist_append(&cfg_parser->cfg->control_ifs, (yyvsp[0].str)))
                        yyerror("out of memory");
        }
 #line 5079 "util/configparser.c" /* yacc.c:1646  */

diff --git a/util/configparser.y b/util/configparser.y
index 058dfca56d216234656a594f070b22fc7f9613ad..7a5b06899853834fbea689155dc6e6673a07998d 100644 (file)
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -2287,7 +2287,7 @@ rc_control_port: VAR_CONTROL_PORT STRING_ARG
 rc_control_interface: VAR_CONTROL_INTERFACE STRING_ARG
        {
                OUTYY(("P(control_interface:%s)\n", $2));
-               if(!cfg_strlist_insert(&cfg_parser->cfg->control_ifs, $2))
+               if(!cfg_strlist_append(&cfg_parser->cfg->control_ifs, $2))
                        yyerror("out of memory");
        }
        ;