From: Wouter Wijngaards Date: Thu, 15 Mar 2018 14:19:02 +0000 (+0000) Subject: - Create additional tls service interfaces by opening them on other X-Git-Tag: release-1.7.1rc1~76 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d2d33d01ac24797cc96f4bb5b7ec6fb63871b4b;p=thirdparty%2Funbound.git - Create additional tls service interfaces by opening them on other portnumbers and listing the portnumbers as additional-tls-port: nr. git-svn-id: file:///svn/unbound/trunk@4588 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 6432a3471..478f12c23 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -7,6 +7,8 @@ should exist). Patch from Jinmei Tatuya (Infoblox). - Fix #3817: core dump happens in libunbound delete, when queued servfail hits deleted message queue.
+ - Create additional tls service interfaces by opening them on other
+ portnumbers and listing the portnumbers as additional-tls-port: nr.
 13 March 2018: Wouter - Fix typo in documentation.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 32941a0a1..e0b0081b3 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -678,6 +678,9 @@ server: # Certificates used to authenticate connections made upstream. # tls-cert-bundle: ""
+ # Also serve tls on these port numbers (eg. 443, ...), by listing
+ # additional-tls-port: portno for each of the port numbers.
+
 # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index d099ca944..3e7664dfa 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1056,6 +1056,24 @@ set_recvpktinfo(int s, int family)
 return 1;
 }
+/** see if interface is ssl, its port number == the ssl port number */
+static int
+if_is_ssl(const char* ifname, const char* port, int ssl_port,
+ struct config_strlist* additional_tls_port)
+{
+ struct config_strlist* s;
+ char* p = strchr(ifname, '@');
+ if(!p && atoi(port) == ssl_port)
+ return 1;
+ if(p && atoi(p+1) == ssl_port)
+ return 1;
+ for(s = additional_tls_port; s; s = s->next) {
+ if(atoi(s->str) == atoi(port))
+ return 1;
+ }
+ return 0;
+}
+
 /**
 * Helper for ports_open. Creates one interface (or NULL for default).
 * @param ifname: The interface ip address.
@@ -1069,6 +1087,7 @@ set_recvpktinfo(int s, int family)
 * @param rcv: receive buffer size for UDP
 * @param snd: send buffer size for UDP
 * @param ssl_port: ssl service port number
+ * @param additional_tls_port: list of additional ssl service port numbers.
 * @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
 * set to false on exit if reuseport failed due to no kernel support.
 * @param transparent: set IP_TRANSPARENT socket option.
@@ -1081,8 +1100,10 @@ set_recvpktinfo(int s, int family)
 static int
 ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 struct addrinfo *hints, const char* port, struct listen_port** list,
- size_t rcv, size_t snd, int ssl_port, int* reuseport, int transparent,
- int tcp_mss, int freebind, int use_systemd, int dnscrypt_port)
+ size_t rcv, size_t snd, int ssl_port,
+ struct config_strlist* additional_tls_port, int* reuseport,
+ int transparent, int tcp_mss, int freebind, int use_systemd,
+ int dnscrypt_port)
 {
 int s, noip6=0;
 #ifdef USE_DNSCRYPT
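Review bot: The loop over additional_tls_port in if_is_ssl compares each entry with `port`, the default port string, even when ifname carries an `@port` suffix, whereas the two ssl_port checks just above it use `p+1` in that case; an interface written as `addr@443` with `additional-tls-port: 443` therefore never gets is_ssl set, while a plain `addr` listening on 443 does. Resolving the effective interface port once and comparing both ssl_port and the list entries against it removes the inconsistency and the repeated atoi() calls. atoi() maps a malformed list entry to 0, so such an entry silently never matches anything; a port-range check where the option value is parsed would surface that at load time. The two later hunks on this line only thread the new parameter through the ports_create_if comment and signature and raise nothing on their own.
```c
static int
if_is_ssl(const char* ifname, const char* port, int ssl_port,
	struct config_strlist* additional_tls_port)
{
	struct config_strlist* s;
	char* p = strchr(ifname, '@');
	/* the port this interface really listens on: an @suffix on the
	 * interface name overrides the default port string */
	int ifport = p ? atoi(p+1) : atoi(port);
	if(ifport == ssl_port)
		return 1;
	for(s = additional_tls_port; s; s = s->next) {
		if(atoi(s->str) == ifport)
			return 1;
	}
	return 0;
}
```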
@@ -1146,9 +1167,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 }
 }
 if(do_tcp) {
- int is_ssl = ((strchr(ifname, '@') &&
- atoi(strchr(ifname, '@')+1) == ssl_port) ||
- (!strchr(ifname, '@') && atoi(port) == ssl_port));
+ int is_ssl = if_is_ssl(ifname, port, ssl_port,
+ additional_tls_port);
 if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, &noip6, 0, 0, reuseport, transparent, tcp_mss, freebind, use_systemd)) == -1) {
@@ -1334,8 +1354,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf,
- cfg->ssl_port, reuseport,
- cfg->ip_transparent,
+ cfg->ssl_port, cfg->additional_tls_port,
+ reuseport, cfg->ip_transparent,
 cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, cfg->dnscrypt_port)) {
 listening_ports_free(list);
@@ -1348,8 +1368,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf,
- cfg->ssl_port, reuseport,
- cfg->ip_transparent,
+ cfg->ssl_port, cfg->additional_tls_port,
+ reuseport, cfg->ip_transparent,
 cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, cfg->dnscrypt_port)) {
 listening_ports_free(list);
@@ -1364,8 +1384,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf,
- cfg->ssl_port, reuseport,
- cfg->ip_transparent,
+ cfg->ssl_port, cfg->additional_tls_port,
+ reuseport, cfg->ip_transparent,
 cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, cfg->dnscrypt_port)) {
 listening_ports_free(list);
@@ -1378,8 +1398,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf,
- cfg->ssl_port, reuseport,
- cfg->ip_transparent,
+ cfg->ssl_port, cfg->additional_tls_port,
+ reuseport, cfg->ip_transparent,
 cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, cfg->dnscrypt_port)) {
 listening_ports_free(list);
diff --git a/util/config_file.c b/util/config_file.c
index 0784f0559..b215234c7 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -446,6 +446,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 else S_STR("ssl-service-pem:", ssl_service_pem)
 else S_NUMBER_NONZERO("ssl-port:", ssl_port)
 else S_STR("tls-cert-bundle:", tls_cert_bundle)
+ else S_STRLIST("additional-tls-port:", additional_tls_port)
 else S_YNO("interface-automatic:", if_automatic)
 else S_YNO("use-systemd:", use_systemd)
 else S_YNO("do-daemonize:", do_daemonize)
@@ -856,6 +857,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 else O_STR(opt, "ssl-service-pem", ssl_service_pem)
 else O_DEC(opt, "ssl-port", ssl_port)
 else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
+ else O_LST(opt, "additional-tls-port", additional_tls_port)
 else O_YNO(opt, "use-systemd", use_systemd)
 else O_YNO(opt, "do-daemonize", do_daemonize)
 else O_STR(opt, "chroot", chrootdir)
@@ -1274,6 +1276,7 @@ config_delete(struct config_file* cfg)
 free(cfg->ssl_service_key);
 free(cfg->ssl_service_pem);
 free(cfg->tls_cert_bundle);
+ config_delstrlist(cfg->additional_tls_port);
 free(cfg->log_identity);
 config_del_strarray(cfg->ifs, cfg->num_ifs);
 config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);
diff --git a/util/config_file.h b/util/config_file.h
index 85d2f645d..2293e1e77 100644
--- a/util/config_file.h
+++ b/util/config_file.h
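Review bot: The new `S_STRLIST("additional-tls-port:", ...)` line in config_set_option stores any string for the option without checking that it is a port number, unlike the `S_NUMBER_NONZERO("ssl-port:", ...)` check two lines above it; a non-numeric or out-of-range entry is accepted here and later decays to 0 in the atoi() comparison inside if_is_ssl, so the entry silently has no effect. A range check on the value (1..65535, using strtol() with an end-pointer check rather than atoi()) before the list insert would reject it when the configuration is loaded instead. The O_LST getter and the config_delstrlist() call in config_delete are consistent with how the other list options on this page are handled. The configuration-file lexer/parser entries for the new keyword are not on this page; if they are not in a companion change, the option is settable only through config_set_option.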
@@ -102,6 +102,8 @@ struct config_file {
 int ssl_upstream;
 /** cert bundle for outgoing connections */
 char* tls_cert_bundle;
+ /** additional tls ports */
+ struct config_strlist* additional_tls_port;
 /** outgoing port range number of ports (per thread) */
 int outgoing_num_ports;
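Review bot: The comment `/** additional tls ports */` on the new additional_tls_port field does not say what the list elements are, and the consumer (if_is_ssl in services/listen_dnsport.c on this page) parses each entry with atoi(), so the text form matters; suggested wording: `/** additional tls service ports, each entry a decimal port number in text form; owned by this struct and freed in config_delete */`. The struct config_file definition continues outside the hunk.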