ssl_port setting, so that the dnssec-trigger server can be on one host machine.

git-svn-id: file:///svn/unbound/trunk@2539 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2011-11-08 10:56:42 +00:00
parent a798dcb5bd
commit 8f5596f643
12 changed files with 1466 additions and 1404 deletions


@ -1,3 +1,6 @@
8 November 2011: Wouter
- can configure ssl service to one port number, and not on others.
1 November 2011: Wouter
- dns over ssl support as a client, ssl-upstream yes turns it on.
It performs an SSL transaction for every DNS query (250 msec).


@ -458,6 +458,7 @@ server:
# default is "" (disabled). requires restart to take effect.
# ssl-service-key: "path/to/privatekeyfile.key"
# ssl-service-pem: "path/to/publiccertfile.pem"
# ssl-port: 443
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.


@ -315,6 +315,10 @@ suffixes in the \fBinterface\fR config.
The public key certificate pem file for the ssl service. Default is "",
turned off.
.TP
.B ssl\-port: \fI<number>
The port number on which to provide TCP SSL service, default 443, only
interfaces configured with that port number as @number get the SSL service.
.TP
.B do\-daemonize: \fI<yes or no>
Enable or disable whether the unbound server forks into the background as
a daemon. Default is yes.


@ -632,12 +632,13 @@ set_recvpktinfo(int s, int family)
* @param list: list of open ports, appended to, changed to point to list head.
* @param rcv: receive buffer size for UDP
* @param snd: send buffer size for UDP
* @param ssl_port: ssl service port number
* @return: returns false on error.
*/
static int
ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
struct addrinfo *hints, const char* port, struct listen_port** list,
size_t rcv, size_t snd)
size_t rcv, size_t snd, int ssl_port)
{
int s, noip6=0;
if(!do_udp && !do_tcp)
@ -682,6 +683,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
}
}
if(do_tcp) {
int is_ssl = ((strchr(ifname, '@') &&
atoi(strchr(ifname, '@')+1) == ssl_port) ||
(!strchr(ifname, '@') && atoi(port) == ssl_port));
if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
&noip6, 0, 0)) == -1) {
if(noip6) {
@ -690,7 +694,10 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
}
return 0;
}
if(!port_insert(list, s, listen_type_tcp)) {
if(is_ssl)
verbose(VERB_ALGO, "setup TCP for SSL service");
if(!port_insert(list, s, is_ssl?listen_type_ssl:
listen_type_tcp)) {
#ifndef USE_WINSOCK
close(s);
#else
@ -736,9 +743,6 @@ listen_create(struct comm_base* base, struct listen_port* ports,
free(front);
return NULL;
}
if(sslctx) {
verbose(VERB_ALGO, "setup for SSL-wrapped TCP service");
}
/* create comm points as needed */
while(ports) {
@ -746,7 +750,10 @@ listen_create(struct comm_base* base, struct listen_port* ports,
if(ports->ftype == listen_type_udp)
cp = comm_point_create_udp(base, ports->fd,
front->udp_buff, cb, cb_arg);
else if(ports->ftype == listen_type_tcp) {
else if(ports->ftype == listen_type_tcp)
cp = comm_point_create_tcp(base, ports->fd,
tcp_accept_count, bufsize, cb, cb_arg);
else if(ports->ftype == listen_type_ssl) {
cp = comm_point_create_tcp(base, ports->fd,
tcp_accept_count, bufsize, cb, cb_arg);
cp->ssl = sslctx;
@ -834,7 +841,8 @@ listening_ports_open(struct config_file* cfg)
if(!ports_create_if(do_auto?"::0":"::1",
do_auto, cfg->do_udp, do_tcp,
&hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf)) {
cfg->so_rcvbuf, cfg->so_sndbuf,
cfg->ssl_port)) {
listening_ports_free(list);
return NULL;
}
@ -844,7 +852,8 @@ listening_ports_open(struct config_file* cfg)
if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1",
do_auto, cfg->do_udp, do_tcp,
&hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf)) {
cfg->so_rcvbuf, cfg->so_sndbuf,
cfg->ssl_port)) {
listening_ports_free(list);
return NULL;
}
@ -856,7 +865,8 @@ listening_ports_open(struct config_file* cfg)
hints.ai_family = AF_INET6;
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
do_tcp, &hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf)) {
cfg->so_rcvbuf, cfg->so_sndbuf,
cfg->ssl_port)) {
listening_ports_free(list);
return NULL;
}
@ -866,7 +876,8 @@ listening_ports_open(struct config_file* cfg)
hints.ai_family = AF_INET;
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
do_tcp, &hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf)) {
cfg->so_rcvbuf, cfg->so_sndbuf,
cfg->ssl_port)) {
listening_ports_free(list);
return NULL;
}
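Review bot: In listen_create, the new listen_type_ssl branch writes `cp->ssl = sslctx;` immediately after `cp = comm_point_create_tcp(...)`, before anything checks that the call succeeded; comm_point_create_tcp can return NULL (the tcp branch above leaves cp to whatever NULL check follows the if-chain outside this hunk), so on that path this is a NULL dereference instead of the clean failure the other branches get. The one-line fix is `if(cp) cp->ssl = sslctx;`. Separately, is_ssl in ports_create_if is decided purely by port number and sslctx is stored unconditionally, so an interface on ssl_port with no ssl-service-key/pem configured presumably ends up with cp->ssl == NULL and is served as plain TCP on the port the operator believes is SSL; the removed `if(sslctx)` verbose line was the only place that distinguished the two cases, and a log_err (or refusing to open the port) when a listen_type_ssl port is created with sslctx == NULL would make that misconfiguration visible. ports_create_if and listen_create both continue beyond the hunks shown here.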


@ -82,7 +82,9 @@ enum listen_type {
/** tcp type */
listen_type_tcp,
/** udp ipv6 (v4mapped) for use with ancillary data */
listen_type_udpancil
listen_type_udpancil,
/** ssl over tcp type */
listen_type_ssl
};
/**


@ -90,6 +90,7 @@ config_create(void)
cfg->tcp_upstream = 0;
cfg->ssl_service_key = NULL;
cfg->ssl_service_pem = NULL;
cfg->ssl_port = 443;
cfg->ssl_upstream = 0;
cfg->use_syslog = 1;
cfg->log_time_ascii = 0;
@ -332,6 +333,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("ssl-upstream:", ssl_upstream)
else S_STR("ssl-service-key:", ssl_service_key)
else S_STR("ssl-service-pem:", ssl_service_pem)
else S_NUMBER_NONZERO("ssl-port:", ssl_port)
else S_YNO("interface-automatic:", if_automatic)
else S_YNO("do-daemonize:", do_daemonize)
else S_NUMBER_NONZERO("port:", port)
@ -583,6 +585,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "ssl-upstream", ssl_upstream)
else O_STR(opt, "ssl-service-key", ssl_service_key)
else O_STR(opt, "ssl-service-pem", ssl_service_pem)
else O_DEC(opt, "ssl-port", ssl_port)
else O_YNO(opt, "do-daemonize", do_daemonize)
else O_STR(opt, "chroot", chrootdir)
else O_STR(opt, "username", username)


@ -83,6 +83,8 @@ struct config_file {
char* ssl_service_key;
/** public key file for dnstcp-ssl service */
char* ssl_service_pem;
/** port on which to provide ssl service */
int ssl_port;
/** if outgoing tcp connections use SSL */
int ssl_upstream;



@ -140,6 +140,7 @@ tcp-upstream{COLON} { YDVAR(1, VAR_TCP_UPSTREAM) }
ssl-upstream{COLON} { YDVAR(1, VAR_SSL_UPSTREAM) }
ssl-service-key{COLON} { YDVAR(1, VAR_SSL_SERVICE_KEY) }
ssl-service-pem{COLON} { YDVAR(1, VAR_SSL_SERVICE_PEM) }
ssl-port{COLON} { YDVAR(1, VAR_SSL_PORT) }
do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
interface{COLON} { YDVAR(1, VAR_INTERFACE) }
outgoing-interface{COLON} { YDVAR(1, VAR_OUTGOING_INTERFACE) }



@ -159,7 +159,8 @@
VAR_TCP_UPSTREAM = 376,
VAR_SSL_UPSTREAM = 377,
VAR_SSL_SERVICE_KEY = 378,
VAR_SSL_SERVICE_PEM = 379
VAR_SSL_SERVICE_PEM = 379,
VAR_SSL_PORT = 380
};
#endif
/* Tokens. */
@ -285,6 +286,7 @@
#define VAR_SSL_UPSTREAM 377
#define VAR_SSL_SERVICE_KEY 378
#define VAR_SSL_SERVICE_PEM 379
#define VAR_SSL_PORT 380
@ -301,7 +303,7 @@ typedef union YYSTYPE
/* Line 1685 of yacc.c */
#line 305 "util/configparser.h"
#line 307 "util/configparser.h"
} YYSTYPE;
# define YYSTYPE_IS_TRIVIAL 1
# define yystype YYSTYPE /* obsolescent; will be withdrawn */


@ -103,7 +103,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_HARDEN_BELOW_NXDOMAIN
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -159,7 +159,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_edns_buffer_size | server_prefetch | server_prefetch_key |
server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
server_log_queries | server_tcp_upstream | server_ssl_upstream |
server_ssl_service_key | server_ssl_service_pem
server_ssl_service_key | server_ssl_service_pem | server_ssl_port
;
stubstart: VAR_STUB_ZONE
{
@ -399,6 +399,15 @@ server_ssl_service_pem: VAR_SSL_SERVICE_PEM STRING_ARG
cfg_parser->cfg->ssl_service_pem = $2;
}
;
server_ssl_port: VAR_SSL_PORT STRING_ARG
{
OUTYY(("P(server_ssl_port:%s)\n", $2));
if(atoi($2) == 0)
yyerror("port number expected");
else cfg_parser->cfg->ssl_port = atoi($2);
free($2);
}
;
server_do_daemonize: VAR_DO_DAEMONIZE STRING_ARG
{
OUTYY(("P(server_do_daemonize:%s)\n", $2));
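Review bot: The server_ssl_port action accepts any string whose atoi() is non-zero, so `ssl-port: 70000` or `ssl-port: 443x` are taken as valid and only `0` or a non-numeric value is rejected; because ports_create_if later compares this number against each interface's @port, an out-of-range value silently means no interface ever gets the SSL service, with no diagnostic at all. Parsing with strtol() and checking the 1..65535 range reports the mistake at config-parse time, where the operator will see it. The `port:` action is outside this hunk and likely follows the same atoi pattern; if so the same check belongs there too. server_do_daemonize continues past the end of the hunk.
```c
server_ssl_port: VAR_SSL_PORT STRING_ARG
	{
		char* end = NULL;
		long v;
		OUTYY(("P(server_ssl_port:%s)\n", $2));
		v = strtol($2, &end, 10);
		if(end == $2 || *end != 0 || v < 1 || v > 65535)
			yyerror("port number expected");
		else cfg_parser->cfg->ssl_port = (int)v;
		free($2);
	}
	;
```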