remote control setup, port binding and service.

git-svn-id: file:///svn/unbound/trunk@1227 be551aaa-1e26-0410-a405-d3ace91eadb9

Makefile.in

@@ -152,7 +152,7 @@ endif
 
 unbound:	$(DAEMON_OBJ) $(ldnslib)
 	$(INFO) Link $@
-	$Q$(LINK) -o $@ $(sort $(DAEMON_OBJ)) $(LIBS)
+	$Q$(LINK) -o $@ $(sort $(DAEMON_OBJ)) -lssl $(LIBS)
 
 unbound-checkconf:	$(CHECKCONF_OBJ) $(ldnslib)
 	$(INFO) Link $@

configure

@@ -20958,7 +20958,6 @@ echo "${ECHO_T}found in $ssldir" >&6; }
 
 	    { echo "$as_me:$LINENO: checking for HMAC_CTX_init in -lcrypto" >&5
 echo $ECHO_N "checking for HMAC_CTX_init in -lcrypto... $ECHO_C" >&6; }
-	    ORIGLIBS="$LIBS"
 	    LIBS="$LIBS -lcrypto"
 	    cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */

configure.ac

@@ -522,7 +522,6 @@ AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
 	    fi
 	
 	    AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
-	    ORIGLIBS="$LIBS"
 	    LIBS="$LIBS -lcrypto"
 	    AC_TRY_LINK(, [
 		int HMAC_CTX_init(void);

daemon/daemon.c

@@ -42,6 +42,7 @@
 #include "config.h"
 #include "daemon/daemon.h"
 #include "daemon/worker.h"
+#include "daemon/remote.h"
 #include "daemon/acl_list.h"
 #include "util/log.h"
 #include "util/config_file.h"
@@ -188,12 +189,24 @@ int
 daemon_open_shared_ports(struct daemon* daemon)
 {
 	log_assert(daemon);
-	if(daemon->cfg->port == daemon->listening_port)
+	if(daemon->cfg->port != daemon->listening_port) {
-		return 1;
+		listening_ports_free(daemon->ports);
-	listening_ports_free(daemon->ports);
+		if(!(daemon->ports=listening_ports_open(daemon->cfg)))
-	if(!(daemon->ports=listening_ports_open(daemon->cfg)))
+			return 0;
-		return 0;
+		daemon->listening_port = daemon->cfg->port;
-	daemon->listening_port = daemon->cfg->port;
+	}
+	if(!daemon->cfg->remote_control_enable && daemon->rc_port) {
+		listening_ports_free(daemon->rc_ports);
+		daemon->rc_ports = NULL;
+		daemon->rc_port = 0;
+	}
+	if(daemon->cfg->remote_control_enable && 
+		daemon->cfg->control_port != daemon->rc_port) {
+		listening_ports_free(daemon->rc_ports);
+		if(!(daemon->rc_ports=daemon_remote_open_ports(daemon->cfg)))
+			return 0;
+		daemon->rc_port = daemon->cfg->control_port;
+	}
 	return 1;
 }
 
@@ -391,7 +404,7 @@ daemon_fork(struct daemon* daemon)
 	daemon_start_others(daemon);
 
 	/* Special handling for the main thread. This is the thread
-	 * that handles signals.
+	 * that handles signals and remote control.
 	 */
 	if(!worker_init(daemon->workers[0], daemon->cfg, daemon->ports, 1))
 		fatal_exit("Could not initialize main thread");
@@ -441,6 +454,7 @@ daemon_delete(struct daemon* daemon)
 		return;
 	modstack_desetup(&daemon->mods, daemon->env);
 	listening_ports_free(daemon->ports);
+	listening_ports_free(daemon->rc_ports);
 	if(daemon->env) {
 		slabhash_delete(daemon->env->msg_cache);
 		rrset_cache_delete(daemon->env->rrset_cache);

daemon/daemon.h

@@ -68,6 +68,10 @@ struct daemon {
 	int listening_port;
 	/** listening ports, opened, to be shared by threads */
 	struct listen_port* ports;
+	/** port number fore remote that has ports opened. */
+	int rc_port;
+	/** listening ports for remote control */
+	struct listen_port* rc_ports;
 	/** num threads allocated */
 	int num;
 	/** the worker entries */

daemon/remote.c

@@ -0,0 +1,310 @@
+/*
+ * daemon/remote.c - remote control for the unbound daemon.
+ *
+ * Copyright (c) 2008, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains the remote control functionality for the daemon.
+ * The remote control can be performed using either the commandline
+ * unbound-control tool, or a SSLv3/TLS capable web browser. 
+ * The channel is secured using SSLv3 or TLSv1, and certificates.
+ * Both the server and the client(control tool) have their own keys.
+ */
+#include "config.h"
+#include "daemon/remote.h"
+#include "daemon/worker.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/net_help.h"
+#include "services/listen_dnsport.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#  include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+struct daemon_remote*
+daemon_remote_create(struct worker* worker)
+{
+	struct daemon_remote* rc = (struct daemon_remote*)calloc(1, 
+		sizeof(*rc));
+	if(!rc) {
+		log_err("out of memory in daemon_remote_create");
+		return NULL;
+	}
+	rc->worker = worker;
+	rc->max_active = 10;
+	/* TODO setup the context */
+	return rc;
+}
+
+void daemon_remote_delete(struct daemon_remote* rc)
+{
+	struct rc_state* p, *np;
+	if(!rc) return;
+	/* but do not close the ports */
+	listen_list_delete(rc->accept_list);
+	/* do close these sockets */
+	p = rc->busy_list;
+	while(p) {
+		np = p->next;
+		if(p->ssl)
+			SSL_free(p->ssl);
+		comm_point_delete(p->c);
+		free(p);
+		p = np;
+	}
+	SSL_CTX_free(rc->ctx);
+	free(rc);
+}
+
+/**
+ * Add and open a new control port
+ * @param ip: ip str
+ * @param nr: port nr
+ * @param list: list head
+ * @param noproto_is_err: if lack of protocol support is an error.
+ * @return false on failure.
+ */
+static int
+add_open(char* ip, int nr, struct listen_port** list, int noproto_is_err)
+{
+	struct addrinfo hints;
+	struct addrinfo* res;
+	struct listen_port* n;
+	int noproto;
+	int fd, r;
+	char port[15];
+	snprintf(port, sizeof(port), "%d", nr);
+	port[sizeof(port)-1]=0;
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+	if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
+                log_err("control interface %s:%s getaddrinfo: %s %s",
+			ip?ip:"default", port, gai_strerror(r),
+#ifdef EAI_SYSTEM
+			r==EAI_SYSTEM?(char*)strerror(errno):""
+#else
+			""
+#endif
+			);
+	}
+
+	/* open fd */
+	fd = create_tcp_accept_sock(res, 1, &noproto);
+	freeaddrinfo(res);
+	if(fd == -1 && noproto) {
+		if(!noproto_is_err)
+			return 1; /* return success, but do nothing */
+		log_err("cannot open control interface %s %d : "
+			"protocol not supported", ip, nr);
+		return 0;
+	}
+	if(fd == -1) {
+		log_err("cannot open control interface %s %d", ip, nr);
+		return 0;
+	}
+
+	/* alloc */
+	n = (struct listen_port*)calloc(1, sizeof(*n));
+	if(!n) {
+		close(fd);
+		log_err("out of memory");
+		return 0;
+	}
+	n->next = *list;
+	*list = n;
+	n->fd = fd;
+	return 1;
+}
+
+struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
+{
+	struct listen_port* l = NULL;
+	log_assert(cfg->remote_control_enable && cfg->control_port);
+	if(cfg->control_ifs) {
+		struct config_strlist* p = cfg->control_ifs;
+		for(p = cfg->control_ifs; p; p = p->next) {
+			if(!add_open(p->str, cfg->control_port, &l, 1)) {
+				listening_ports_free(l);
+				return NULL;
+			}
+		}
+	} else {
+		/* defaults */
+		if(cfg->do_ip6 &&
+			!add_open("::1", cfg->control_port, &l, 0)) {
+			listening_ports_free(l);
+			return NULL;
+		}
+		if(cfg->do_ip4 &&
+			!add_open("127.0.0.1", cfg->control_port, &l, 1)) {
+			listening_ports_free(l);
+			return NULL;
+		}
+	}
+	return l;
+}
+
+/** open accept commpoint */
+static int
+accept_open(struct daemon_remote* rc, int fd)
+{
+	struct listen_list* n = (struct listen_list*)malloc(sizeof(*n));
+	if(!n) {
+		log_err("out of memory");
+		return 0;
+	}
+	n->next = rc->accept_list;
+	rc->accept_list = n;
+	/* open commpt */
+	n->com = comm_point_create_raw(rc->worker->base, fd, 0, 
+		&remote_accept_callback, rc);
+	if(!n->com)
+		return 0;
+	/* keep this port open, its fd is kept in the rc portlist */
+	n->com->do_not_close = 1;
+	return 1;
+}
+
+int daemon_remote_open_accept(struct daemon_remote* rc, 
+	struct listen_port* ports)
+{
+	struct listen_port* p;
+	for(p = ports; p; p = p->next) {
+		if(!accept_open(rc, p->fd)) {
+			log_err("could not create accept comm point");
+			return 0;
+		}
+	}
+	return 1;
+}
+
+int remote_accept_callback(struct comm_point* c, void* arg, int err, 
+	struct comm_reply* ATTR_UNUSED(rep))
+{
+	struct daemon_remote* rc = (struct daemon_remote*)arg;
+	struct sockaddr_storage addr;
+	socklen_t addrlen;
+	int newfd;
+	struct rc_state* n;
+	if(err != NETEVENT_NOERROR) {
+		log_err("error %d on remote_accept_callback", err);
+		return 0;
+	}
+	/* perform the accept */
+	newfd = comm_point_perform_accept(c, &addr, &addrlen);
+	if(newfd == -1)
+		return 0;
+	/* create new commpoint unless we are servicing already */
+	if(rc->active >= rc->max_active) {
+		log_warn("drop incoming remote control: too many connections");
+		comm_point_stop_listening(c);
+		close(newfd);
+		return 0;
+	}
+
+	/* setup commpoint to service the remote control command */
+	n = (struct rc_state*)calloc(1, sizeof(*n));
+	if(!n) {
+		log_err("out of memory");
+		close(newfd);
+		return 0;
+	}
+	/* start in reading state */
+	n->c = comm_point_create_raw(rc->worker->base, newfd, 0, 
+		&remote_control_callback, n);
+	if(!n->c) {
+		log_err("out of memory");
+		close(newfd);
+		free(n);
+		return 0;
+	}
+	log_addr(VERB_QUERY, "new control connection from", &addr, addrlen);
+	memcpy(&n->c->repinfo.addr, &addr, addrlen);
+	n->c->repinfo.addrlen = addrlen;
+	/* TODO setup ssl, assign fd */
+	n->rc = rc;
+	n->next = rc->busy_list;
+	rc->busy_list = n;
+	rc->active ++;
+	return 0;
+}
+
+/** delete from list */
+static void
+state_list_remove_elem(struct rc_state** list, struct comm_point* c)
+{
+	while(*list) {
+		if( (*list)->c == c) {
+			*list = (*list)->next;
+			return;
+		}
+		list = &(*list)->next;
+	}
+}
+
+/** decrease active count and remove commpoint from busy list */
+static void
+clean_point(struct daemon_remote* rc, struct rc_state* s)
+{
+	state_list_remove_elem(&rc->busy_list, s->c);
+	rc->active --;
+	if(s->ssl)
+		SSL_free(s->ssl);
+	comm_point_delete(s->c);
+	free(s);
+}
+
+int remote_control_callback(struct comm_point* c, void* arg, int err, 
+	struct comm_reply* ATTR_UNUSED(rep))
+{
+	struct rc_state* s = (struct rc_state*)arg;
+	struct daemon_remote* rc = s->rc;
+	if(err != NETEVENT_NOERROR) {
+		clean_point(rc, s);
+		return 0;
+	}
+	/* TODO (continue to) setup the SSL connection */
+
+	/* once handshake has completed, check authentication */
+
+	/* if OK start to actually handle the request */
+
+	return 0;
+}

daemon/remote.h

@@ -0,0 +1,128 @@
+/*
+ * daemon/remote.h - remote control for the unbound daemon.
+ *
+ * Copyright (c) 2008, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains the remote control functionality for the daemon.
+ * The remote control can be performed using either the commandline
+ * unbound-control tool, or a SSLv3/TLS capable web browser. 
+ * The channel is secured using SSLv3 or TLSv1, and certificates.
+ * Both the server and the client(control tool) have their own keys.
+ */
+
+#ifndef DAEMON_REMOTE_H
+#define DAEMON_REMOTE_H
+struct config_file;
+struct listen_list;
+struct listen_port;
+struct worker;
+struct comm_reply;
+struct comm_point;
+struct daemon_remote;
+
+/**
+ * a busy control command connection, SSL state
+ */
+struct rc_state {
+	/** the next item in list */
+	struct rc_state* next;
+	/** the commpoint */
+	struct comm_point* c;
+	/** the ssl state */
+	SSL* ssl;
+	/** the rc this is part of */
+	struct daemon_remote* rc;
+};
+
+/**
+ * The remote control tool state.
+ * The state is only created for the first thread, other threads
+ * are called from this thread.  Only the first threads listens to
+ * the control port.  The other threads do not, but are called on the
+ * command channel(pipe) from the first thread.
+ */
+struct daemon_remote {
+	/** the worker for this remote control */
+	struct worker* worker;
+	/** commpoints for accepting remote control connections */
+	struct listen_list* accept_list;
+	/** number of active commpoints that are handling remote control */
+	int active;
+	/** max active commpoints */
+	int max_active;
+	/** current commpoints busy; should be a short list, malloced */
+	struct rc_state* busy_list;
+	/** the SSL context for creating new SSL streams */
+	SSL_CTX* ctx;
+};
+
+/**
+ * Create new remote control state for the daemon.
+ * @param worker: worker with communication base. and links to command channels.
+ * @return new state, or NULL on failure.
+ */
+struct daemon_remote* daemon_remote_create(struct worker* worker);
+
+/**
+ * remote control state to delete.
+ * @param rc: state to delete.
+ */
+void daemon_remote_delete(struct daemon_remote* rc);
+
+/**
+ * Open and create listening ports for remote control.
+ * @param cfg: config options.
+ * @return list of ports or NULL on failure.
+ *	can be freed with listening_ports_free().
+ */
+struct listen_port* daemon_remote_open_ports(struct config_file* cfg);
+
+/**
+ * Setup comm points for accepting remote control connections.
+ * @param rc: state
+ * @param ports: already opened ports.
+ * @return false on error.
+ */
+int daemon_remote_open_accept(struct daemon_remote* rc, 
+	struct listen_port* ports);
+
+/** handle remote control accept callbacks */
+int remote_accept_callback(struct comm_point*, void*, int, struct comm_reply*);
+
+/** handle remote control data callbacks */
+int remote_control_callback(struct comm_point*, void*, int, struct comm_reply*);
+
+#endif /* DAEMON_REMOTE_H */

daemon/worker.c

@@ -45,6 +45,7 @@
 #include "util/random.h"
 #include "daemon/worker.h"
 #include "daemon/daemon.h"
+#include "daemon/remote.h"
 #include "daemon/acl_list.h"
 #include "util/netevent.h"
 #include "util/config_file.h"
@@ -968,8 +969,18 @@ worker_init(struct worker* worker, struct config_file *cfg,
 			return 0;
 		}
 #endif /* LIBEVENT_SIGNAL_PROBLEM */
+		if(!(worker->rc = daemon_remote_create(worker))) {
+			worker_delete(worker);
+			return 0;
+		}
+		if(!daemon_remote_open_accept(worker->rc, 
+			worker->daemon->rc_ports)) {
+			worker_delete(worker);
+			return 0;
+		}
 	} else { /* !do_sigs */
-		worker->comsig = 0;
+		worker->comsig = NULL;
+		worker->rc = NULL;
 	}
 	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
 		(((unsigned int)worker->thread_num)<<17);
@@ -1082,6 +1093,7 @@ worker_delete(struct worker* worker)
 	comm_signal_delete(worker->comsig);
 	tube_delete(worker->cmd);
 	comm_timer_delete(worker->stat_timer);
+	daemon_remote_delete(worker->rc);
 	free(worker->ports);
 	if(worker->thread_num == 0)
 		log_set_time(NULL);

daemon/worker.h

@@ -59,6 +59,7 @@ struct listen_port;
 struct ub_randstate;
 struct regional;
 struct tube;
+struct daemon_remote;
 
 /** worker commands */
 enum worker_commands {
@@ -95,6 +96,8 @@ struct worker {
 	struct comm_point* cmd_com;
 	/** timer for statistics */
 	struct comm_timer* stat_timer;
+	/** remote control state (for first thread only) */
+	struct daemon_remote* rc;
 
 	/** number of requests that can be handled by this worker */
 	size_t request_size;

doc/Changelog

@@ -1,3 +1,7 @@
+10 September 2008: Wouter
+	- remove memleak in privacy addresses on reloads and quits.
+	- remote control work.
+
 9 September 2008: Wouter
 	- smallapp/unbound-control-setup.sh script to set up certificates.
 

doc/example.conf.in

@@ -35,7 +35,7 @@ server:
 	# interface: 2001:DB8::5
 	
 	# enable this feature to copy the source address of queries to reply.
-	# Socket options not be supported on all platforms. experimental. 
+	# Socket options are not supported on all platforms. experimental. 
 	# interface-automatic: no
 
 	# port to answer queries from
@@ -365,6 +365,31 @@ server:
 	# local-zone: "example.com" redirect
 	# local-data: "example.com A 192.0.2.3"
 
+# Remote control config section. 
+remote-control:
+	# Enable remote control with unbound-control(8) here.
+	# set up the keys and certificates with unbound-control-setup.
+	# control-enable: no
+
+	# what interfaces are listened to for remote control.
+	# give 0.0.0.0 and ::0 to listen to all interfaces.
+	# control-interface: 127.0.0.1
+	# control-interface: ::1
+
+	# port number for remote control operations. Same as BIND rndc uses.
+	# control-port: 953
+
+	# unbound server key file.
+	# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
+
+	# unbound server certificate file.
+	# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
+
+	# unbound-control key file.
+	# control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
+
+	# unbound-control certificate file.
+	# control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
 
 # Stub zones.
 # Create entries like below, to make all queries for 'example.com' and 

iterator/iterator.c

@@ -49,6 +49,7 @@
 #include "iterator/iter_delegpt.h"
 #include "iterator/iter_resptype.h"
 #include "iterator/iter_scrub.h"
+#include "iterator/iter_priv.h"
 #include "services/cache/dns.h"
 #include "services/cache/infra.h"
 #include "util/module.h"
@@ -85,6 +86,7 @@ iter_deinit(struct module_env* env, int id)
 		return;
 	iter_env = (struct iter_env*)env->modinfo[id];
 	free(iter_env->target_fetch_policy);
+	priv_delete(iter_env->priv);
 	hints_delete(iter_env->hints);
 	forwards_delete(iter_env->fwds);
 	donotq_delete(iter_env->donotq);

libunbound/libworker.c

@@ -769,6 +769,22 @@ int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c),
 	return 0;
 }
 
+int remote_accept_callback(struct comm_point* ATTR_UNUSED(c), 
+	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
+        struct comm_reply* ATTR_UNUSED(repinfo))
+{
+	log_assert(0);
+	return 0;
+}
+
+int remote_control_callback(struct comm_point* ATTR_UNUSED(c), 
+	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
+        struct comm_reply* ATTR_UNUSED(repinfo))
+{
+	log_assert(0);
+	return 0;
+}
+
 void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
 {
 	log_assert(0);

services/listen_dnsport.c

@@ -190,14 +190,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 	return s;
 }
 
-/**
+int
- * Create and bind TCP listening socket
- * @param addr: address info ready to make socket.
- * @param v6only: enable ip6 only flag on ip6 sockets.
- * @param noproto: if error caused by lack of protocol support.
- * @return: the socket. -1 on error.
- */
-static int
 create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
 {
 	int s;
@@ -533,18 +526,23 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 }
 
 void
-listen_delete(struct listen_dnsport* front)
+listen_list_delete(struct listen_list* list)
 {
-	struct listen_list *p, *pn;
+	struct listen_list *p = list, *pn;
-	if(!front) 
-		return;
-	p = front->cps;
 	while(p) {
 		pn = p->next;
 		comm_point_delete(p->com);
 		free(p);
 		p = pn;
 	}
+}
+
+void 
+listen_delete(struct listen_dnsport* front)
+{
+	if(!front) 
+		return;
+	listen_list_delete(front->cps);
 	ldns_buffer_free(front->udp_buff);
 	free(front);
 }

services/listen_dnsport.h

@@ -46,6 +46,7 @@
 #include "util/netevent.h"
 struct listen_list;
 struct config_file;
+struct addrinfo;
 
 /**
  * Listening for queries structure.
@@ -155,6 +156,13 @@ void listen_resume(struct listen_dnsport* listen);
  */
 void listen_delete(struct listen_dnsport* listen);
 
+/**
+ * delete listen_list of commpoints. Calls commpointdelete() on items.
+ * This may close the fds or not depending on flags.
+ * @param list: to delete.
+ */
+void listen_list_delete(struct listen_list* list);
+
 /**
  * get memory size used by the listening structs
  * @param listen: listening structure.
@@ -178,4 +186,13 @@ size_t listen_get_mem(struct listen_dnsport* listen);
 int create_udp_sock(int family, int socktype, struct sockaddr* addr, 
 	socklen_t addrlen, int v6only, int* inuse, int* noproto);
 
+/**
+ * Create and bind TCP listening socket
+ * @param addr: address info ready to make socket.
+ * @param v6only: enable ip6 only flag on ip6 sockets.
+ * @param noproto: if error caused by lack of protocol support.
+ * @return: the socket. -1 on error.
+ */
+int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto);
+
 #endif /* LISTEN_DNSPORT_H */

smallapp/worker_cb.c

@@ -78,6 +78,22 @@ int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c),
 	return 0;
 }
 
+int remote_accept_callback(struct comm_point* ATTR_UNUSED(c), 
+	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
+        struct comm_reply* ATTR_UNUSED(repinfo))
+{
+	log_assert(0);
+	return 0;
+}
+
+int remote_control_callback(struct comm_point* ATTR_UNUSED(c), 
+	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
+        struct comm_reply* ATTR_UNUSED(repinfo))
+{
+	log_assert(0);
+	return 0;
+}
+
 void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
 {
 	log_assert(0);

testcode/testbound.c

@@ -42,6 +42,7 @@
 #include "testcode/ldns-testpkts.h"
 #include "testcode/replay.h"
 #include "testcode/fake_event.h"
+#include "daemon/remote.h"
 
 /** 
  * include the main program from the unbound daemon.
@@ -268,3 +269,43 @@ main(int argc, char* argv[])
 		log_info("Testbound Exit Success");
 	return res;
 }
+
+/* fake remote control */
+struct listen_port* daemon_remote_open_ports(struct config_file* 
+	ATTR_UNUSED(cfg))
+{
+	return NULL;
+}
+
+struct daemon_remote* daemon_remote_create(struct worker* ATTR_UNUSED(worker))
+{
+	return (struct daemon_remote*)calloc(1,1);
+}
+
+void daemon_remote_delete(struct daemon_remote* rc)
+{
+	free(rc);
+}
+
+int daemon_remote_open_accept(struct daemon_remote* ATTR_UNUSED(rc),
+        struct listen_port* ATTR_UNUSED(ports))
+{
+	return 1;
+}
+
+int remote_accept_callback(struct comm_point* ATTR_UNUSED(c), 
+	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
+        struct comm_reply* ATTR_UNUSED(repinfo))
+{
+	log_assert(0);
+	return 0;
+}
+
+int remote_control_callback(struct comm_point* ATTR_UNUSED(c), 
+	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
+        struct comm_reply* ATTR_UNUSED(repinfo))
+{
+	log_assert(0);
+	return 0;
+}
+

util/config_file.c

@@ -151,6 +151,19 @@ config_create()
 	cfg->local_zones = NULL;
 	cfg->local_zones_nodefault = NULL;
 	cfg->local_data = NULL;
+
+	cfg->remote_control_enable = 0;
+	cfg->control_ifs = NULL;
+	cfg->control_port = 953;
+	if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key"))) 
+		goto error_exit;
+	if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem"))) 
+		goto error_exit;
+	if(!(cfg->control_key_file = strdup(RUN_DIR"/unbound_control.key"))) 
+		goto error_exit;
+	if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem"))) 
+		goto error_exit;
+
 	if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
 	if(!(cfg->val_nsec3_key_iterations = 
 		strdup("1024 150 2048 500 4096 2500"))) goto error_exit;
@@ -355,6 +368,26 @@ int config_set_option(struct config_file* cfg, const char* opt,
 		return cfg_parse_memsize(val, &cfg->neg_cache_size);
 	} else if(strcmp(opt, "local-data:") == 0) {
 		return cfg_strlist_insert(&cfg->local_data, strdup(val));
+	} else if(strcmp(opt, "control-enable:") == 0) {
+		IS_YES_OR_NO;
+		cfg->remote_control_enable = (strcmp(val, "yes") == 0);
+	} else if(strcmp(opt, "control-interface:") == 0) {
+		return cfg_strlist_insert(&cfg->control_ifs, strdup(val));
+	} else if(strcmp(opt, "control-port:") == 0) {
+		IS_NONZERO_NUMBER;
+		cfg->control_port = atoi(val);
+	} else if(strcmp(opt, "server-key-file:") == 0) {
+		free(cfg->server_key_file);
+		return (cfg->server_key_file = strdup(val)) != NULL;
+	} else if(strcmp(opt, "server-cert-file:") == 0) {
+		free(cfg->server_cert_file);
+		return (cfg->server_cert_file = strdup(val)) != NULL;
+	} else if(strcmp(opt, "control-key-file:") == 0) {
+		free(cfg->control_key_file);
+		return (cfg->control_key_file = strdup(val)) != NULL;
+	} else if(strcmp(opt, "control-cert-file:") == 0) {
+		free(cfg->control_cert_file);
+		return (cfg->control_cert_file = strdup(val)) != NULL;
 	} else if(strcmp(opt, "module-config:") == 0) {
 		free(cfg->module_conf);
 		return (cfg->module_conf = strdup(val)) != NULL;
@@ -483,6 +516,11 @@ config_delete(struct config_file* cfg)
 	config_deldblstrlist(cfg->local_zones);
 	config_delstrlist(cfg->local_zones_nodefault);
 	config_delstrlist(cfg->local_data);
+	config_delstrlist(cfg->control_ifs);
+	free(cfg->server_key_file);
+	free(cfg->server_cert_file);
+	free(cfg->control_key_file);
+	free(cfg->control_cert_file);
 	free(cfg);
 }
 

util/config_file.h

@@ -216,6 +216,21 @@ struct config_file {
 	/** local data RRs configged */
 	struct config_strlist* local_data;
 
+	/** remote control section. enable toggle. */
+	int remote_control_enable;
+	/** the interfaces the remote control should listen on */
+	struct config_strlist* control_ifs;
+	/** port number for the control port */
+	int control_port;
+	/** private key file for server */
+	char* server_key_file;
+	/** certificate file for server */
+	char* server_cert_file;
+	/** private key file for unbound-control */
+	char* control_key_file;
+	/** certificate file for unbound-control */
+	char* control_cert_file;
+
 	/** daemonize, i.e. fork into the background. */
 	int do_daemonize;
 };

util/configlexer.lex

@@ -184,6 +184,14 @@ local-zone{COLON}	{ YDOUT; return VAR_LOCAL_ZONE;}
 local-data{COLON}	{ YDOUT; return VAR_LOCAL_DATA;}
 statistics-interval{COLON}	{ YDOUT; return VAR_STATISTICS_INTERVAL;}
 statistics-cumulative{COLON}	{ YDOUT; return VAR_STATISTICS_CUMULATIVE;}
+remote-control{COLON}	{ YDOUT; return VAR_REMOTE_CONTROL; }
+control-enable{COLON}	{ YDOUT; return VAR_CONTROL_ENABLE; }
+control-interface{COLON}	{ YDOUT; return VAR_CONTROL_INTERFACE; }
+control-port{COLON}	{ YDOUT; return VAR_CONTROL_PORT; }
+server-key-file{COLON}	{ YDOUT; return VAR_SERVER_KEY_FILE; }
+server-cert-file{COLON}	{ YDOUT; return VAR_SERVER_CERT_FILE; }
+control-key-file{COLON}	{ YDOUT; return VAR_CONTROL_KEY_FILE; }
+control-cert-file{COLON}	{ YDOUT; return VAR_CONTROL_CERT_FILE; }
 {NEWLINE}		{ LEXOUT(("NL\n")); cfg_parser->line++;}
 
 	/* Quoted strings. Strip leading and ending quotes */

util/configparser.h

@@ -123,7 +123,15 @@
      VAR_NEG_CACHE_SIZE = 339,
      VAR_HARDEN_REFERRAL_PATH = 340,
      VAR_PRIVATE_ADDRESS = 341,
-     VAR_PRIVATE_DOMAIN = 342
+     VAR_PRIVATE_DOMAIN = 342,
+     VAR_REMOTE_CONTROL = 343,
+     VAR_CONTROL_ENABLE = 344,
+     VAR_CONTROL_INTERFACE = 345,
+     VAR_CONTROL_PORT = 346,
+     VAR_SERVER_KEY_FILE = 347,
+     VAR_SERVER_CERT_FILE = 348,
+     VAR_CONTROL_KEY_FILE = 349,
+     VAR_CONTROL_CERT_FILE = 350
    };
 #endif
 /* Tokens.  */
@@ -212,6 +220,14 @@
 #define VAR_HARDEN_REFERRAL_PATH 340
 #define VAR_PRIVATE_ADDRESS 341
 #define VAR_PRIVATE_DOMAIN 342
+#define VAR_REMOTE_CONTROL 343
+#define VAR_CONTROL_ENABLE 344
+#define VAR_CONTROL_INTERFACE 345
+#define VAR_CONTROL_PORT 346
+#define VAR_SERVER_KEY_FILE 347
+#define VAR_SERVER_CERT_FILE 348
+#define VAR_CONTROL_KEY_FILE 349
+#define VAR_CONTROL_CERT_FILE 350
 
 
 
@@ -223,7 +239,7 @@ typedef union YYSTYPE
 	char*	str;
 }
 /* Line 1489 of yacc.c.  */
-#line 227 "util/configparser.h"
+#line 243 "util/configparser.h"
 	YYSTYPE;
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1

util/configparser.y

@@ -92,12 +92,14 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
 %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
 %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
-%token VAR_PRIVATE_DOMAIN
+%token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
+%token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
+%token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
 toplevelvar: serverstart contents_server | stubstart contents_stub |
-	forwardstart contents_forward
+	forwardstart contents_forward | rcstart contents_rc
 	;
 
 /* server: declaration */
@@ -861,6 +863,71 @@ forward_addr: VAR_FORWARD_ADDR STRING
 			yyerror("out of memory");
 	}
 	;
+rcstart: VAR_REMOTE_CONTROL
+	{ 
+		OUTYY(("\nP(remote-control:)\n")); 
+	}
+	;
+contents_rc: contents_rc content_rc 
+	| ;
+content_rc: rc_control_enable | rc_control_interface | rc_control_port |
+	rc_server_key_file | rc_server_cert_file | rc_control_key_file |
+	rc_control_cert_file
+	;
+rc_control_enable: VAR_CONTROL_ENABLE STRING
+	{
+		OUTYY(("P(control_enable:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->remote_control_enable = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
+rc_control_port: VAR_CONTROL_PORT STRING
+	{
+		OUTYY(("P(control_port:%s)\n", $2));
+		if(atoi($2) == 0)
+			yyerror("control port number expected");
+		else cfg_parser->cfg->control_port = atoi($2);
+		free($2);
+	}
+	;
+rc_control_interface: VAR_CONTROL_INTERFACE STRING
+	{
+		OUTYY(("P(control_interface:%s)\n", $2));
+		if(!cfg_strlist_insert(&cfg_parser->cfg->control_ifs, $2))
+			yyerror("out of memory");
+	}
+	;
+rc_server_key_file: VAR_SERVER_KEY_FILE STRING
+	{
+		OUTYY(("P(rc_server_key_file:%s)\n", $2));
+		free(cfg_parser->cfg->server_key_file);
+		cfg_parser->cfg->server_key_file = $2;
+	}
+	;
+rc_server_cert_file: VAR_SERVER_CERT_FILE STRING
+	{
+		OUTYY(("P(rc_server_cert_file:%s)\n", $2));
+		free(cfg_parser->cfg->server_cert_file);
+		cfg_parser->cfg->server_cert_file = $2;
+	}
+	;
+rc_control_key_file: VAR_CONTROL_KEY_FILE STRING
+	{
+		OUTYY(("P(rc_control_key_file:%s)\n", $2));
+		free(cfg_parser->cfg->control_key_file);
+		cfg_parser->cfg->control_key_file = $2;
+	}
+	;
+rc_control_cert_file: VAR_CONTROL_CERT_FILE STRING
+	{
+		OUTYY(("P(rc_control_cert_file:%s)\n", $2));
+		free(cfg_parser->cfg->control_cert_file);
+		cfg_parser->cfg->control_cert_file = $2;
+	}
+	;
 %%
 
 /* parse helper routines could be here */

util/fptr_wlist.c

@@ -47,6 +47,7 @@
 #include "util/fptr_wlist.h"
 #include "util/mini_event.h"
 #include "daemon/worker.h"
+#include "daemon/remote.h"
 #include "services/outside_network.h"
 #include "services/mesh.h"
 #include "services/localzone.h"
@@ -84,6 +85,8 @@ fptr_whitelist_comm_point_raw(comm_point_callback_t *fptr)
 {
 	if(fptr == &tube_handle_listen) return 1;
 	else if(fptr == &tube_handle_write) return 1;
+	else if(fptr == &remote_accept_callback) return 1;
+	else if(fptr == &remote_control_callback) return 1;
 	return 0;
 }
 

util/netevent.c

@@ -539,6 +539,44 @@ setup_tcp_handler(struct comm_point* c, int fd)
 	comm_point_start_listening(c, fd, TCP_QUERY_TIMEOUT);
 }
 
+int comm_point_perform_accept(struct comm_point* c,
+	struct sockaddr_storage* addr, socklen_t* addrlen)
+{
+	int new_fd;
+	*addrlen = (socklen_t)sizeof(*addr);
+	new_fd = accept(c->fd, (struct sockaddr*)addr, addrlen);
+	if(new_fd == -1) {
+#ifndef USE_WINSOCK
+		/* EINTR is signal interrupt. others are closed connection. */
+		if(	errno != EINTR 
+#ifdef EWOULDBLOCK
+			&& errno != EWOULDBLOCK 
+#endif
+#ifdef ECONNABORTED
+			&& errno != ECONNABORTED 
+#endif
+#ifdef EPROTO
+			&& errno != EPROTO
+#endif /* EPROTO */
+			)
+			return -1;
+		log_err("accept failed: %s", strerror(errno));
+#else /* USE_WINSOCK */
+		if(WSAGetLastError() == WSAEINPROGRESS ||
+			WSAGetLastError() == WSAECONNRESET)
+			return -1;
+		if(WSAGetLastError() == WSAEWOULDBLOCK) {
+			winsock_tcp_wouldblock(&c->ev->ev, EV_READ);
+			return -1;
+		}
+		log_err("accept failed: %s", wsa_strerror(WSAGetLastError()));
+#endif
+		log_addr(0, "remote address is", addr, *addrlen);
+		return -1;
+	}
+	return new_fd;
+}
+
 void 
 comm_point_tcp_accept_callback(int fd, short event, void* arg)
 {
@@ -557,40 +595,10 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
 	}
 	/* accept incoming connection. */
 	c_hdl = c->tcp_free;
-	c_hdl->repinfo.addrlen = (socklen_t)sizeof(c_hdl->repinfo.addr);
 	log_assert(fd != -1);
-	new_fd = accept(fd, (struct sockaddr*)&c_hdl->repinfo.addr, 
+	new_fd = comm_point_perform_accept(c, &c_hdl->repinfo.addr,
 		&c_hdl->repinfo.addrlen);
-	if(new_fd == -1) {
+
-#ifndef USE_WINSOCK
-		/* EINTR is signal interrupt. others are closed connection. */
-		if(	errno != EINTR 
-#ifdef EWOULDBLOCK
-			&& errno != EWOULDBLOCK 
-#endif
-#ifdef ECONNABORTED
-			&& errno != ECONNABORTED 
-#endif
-#ifdef EPROTO
-			&& errno != EPROTO
-#endif /* EPROTO */
-			)
-			return;
-		log_err("accept failed: %s", strerror(errno));
-#else /* USE_WINSOCK */
-		if(WSAGetLastError() == WSAEINPROGRESS ||
-			WSAGetLastError() == WSAECONNRESET)
-			return;
-		if(WSAGetLastError() == WSAEWOULDBLOCK) {
-			winsock_tcp_wouldblock(&c->ev->ev, EV_READ);
-			return ;
-		}
-		log_err("accept failed: %s", wsa_strerror(WSAGetLastError()));
-#endif
-		log_addr(0, "remote address is", &c_hdl->repinfo.addr,
-			c_hdl->repinfo.addrlen);
-		return;
-	}
 	/* grab the tcp handler buffers */
 	c->tcp_free = c_hdl->tcp_free;
 	if(!c->tcp_free) {

util/netevent.h

@@ -520,6 +520,17 @@ int comm_signal_bind(struct comm_signal* comsig, int sig);
  */
 void comm_signal_delete(struct comm_signal* comsig);
 
+/**
+ * perform accept(2) with error checking.
+ * @param c: commpoint with accept fd.
+ * @param addr: remote end returned here.
+ * @param len: length of remote end returned here.
+ * @return new fd, or -1 on error.
+ *	if -1, error message has been printed if necessary, simply drop
+ *	out of the reading handler.
+ */
+int comm_point_perform_accept(struct comm_point* c, 
+	struct sockaddr_storage* addr, socklen_t* addrlen);
 
 /**** internal routines ****/