- tls-win-cert option that adds the system certificate store for

authenticating DNS-over-TLS connections.  It can be used instead
  of the tls-cert-bundle option, or with it to add certificates.


git-svn-id: file:///svn/unbound/trunk@4698 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,6 +1,9 @@
 28 May 2018: Wouter
 	- Fix windows tcp and tls spin on events.
 	- Add routine from getdns to add windows cert store to the SSL_CTX.
+	- tls-win-cert option that adds the system certificate store for
+	  authenticating DNS-over-TLS connections.  It can be used instead
+	  of the tls-cert-bundle option, or with it to add certificates.
 
 25 May 2018: Wouter
 	- For TCP and TLS connections that don't establish, perform address

doc/example.conf.in

@@ -681,6 +681,9 @@ server:
 	# Certificates used to authenticate connections made upstream.
 	# tls-cert-bundle: ""
 
+	# Add system certs to the cert bundle, from the Windows Cert Store
+	# tls-win-cert: no
+
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
 	# additional-tls-port: portno for each of the port numbers.
 

doc/unbound.conf.5.in

@@ -403,6 +403,8 @@ Enabled or disable whether the upstream queries use TLS only for transport.
 Default is no.  Useful in tunneling scenarios.  The TLS contains plain DNS in
 TCP wireformat.  The other server must support this (see
 \fBtls\-service\-key\fR).
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config
@@ -444,6 +446,12 @@ urls, and also DNS over TLS connections.
 .B ssl\-cert\-bundle: \fI<file>
 Alternate syntax for \fBtls\-cert\-bundle\fR.
 .TP
+.B tls\-win\-cert: \fI<yes or no>
+Add the system certificates to the cert bundle certificates for authentication.
+If no cert bundle, it uses only these certificates.  Default is no.
+On windows this option uses the certificates from the cert store.  Use
+the tls\-cert\-bundle option on other systems.
+.TP
 .B additional\-tls\-port: \fI<portnr>
 List portnumbers as additional\-tls\-port, and when interfaces are defined,
 eg. with the @port suffix, as this port number, they provide dns over TLS
@@ -1490,6 +1498,8 @@ The default is no.
 .B forward\-tls\-upstream: \fI<yes or no>
 Enabled or disable whether the queries to this forwarder use TLS for transport.
 Default is no.
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B forward\-ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBforward\-tls\-upstream\fR.

util/config_file.c

@@ -456,6 +456,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STR("ssl-service-pem:", ssl_service_pem)
 	else S_NUMBER_NONZERO("ssl-port:", ssl_port)
 	else S_STR("tls-cert-bundle:", tls_cert_bundle)
+	else S_YNO("tls-win-cert:", tls_win_cert)
 	else S_STRLIST("additional-tls-port:", additional_tls_port)
 	else S_YNO("interface-automatic:", if_automatic)
 	else S_YNO("use-systemd:", use_systemd)
@@ -876,6 +877,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_STR(opt, "ssl-service-pem", ssl_service_pem)
 	else O_DEC(opt, "ssl-port", ssl_port)
 	else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
+	else O_YNO(opt, "tls-win-cert", tls_win_cert)
 	else O_LST(opt, "additional-tls-port", additional_tls_port)
 	else O_YNO(opt, "use-systemd", use_systemd)
 	else O_YNO(opt, "do-daemonize", do_daemonize)

util/configlexer.lex

@@ -238,6 +238,7 @@ ssl-port{COLON}			{ YDVAR(1, VAR_SSL_PORT) }
 tls-port{COLON}			{ YDVAR(1, VAR_SSL_PORT) }
 ssl-cert-bundle{COLON}		{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
 tls-cert-bundle{COLON}		{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
+tls-win-cert{COLON}		{ YDVAR(1, VAR_TLS_WIN_CERT) }
 additional-ssl-port{COLON}	{ YDVAR(1, VAR_ADDITIONAL_TLS_PORT) }
 additional-tls-port{COLON}	{ YDVAR(1, VAR_ADDITIONAL_TLS_PORT) }
 use-systemd{COLON}		{ YDVAR(1, VAR_USE_SYSTEMD) }

util/configparser.h

@@ -283,7 +283,8 @@ extern int yydebug;
     VAR_ADDITIONAL_TLS_PORT = 493,
     VAR_LOW_RTT = 494,
     VAR_LOW_RTT_PERMIL = 495,
-    VAR_ALLOW_NOTIFY = 496
+    VAR_ALLOW_NOTIFY = 496,
+    VAR_TLS_WIN_CERT = 497
   };
 #endif
 /* Tokens.  */
@@ -526,6 +527,7 @@ extern int yydebug;
 #define VAR_LOW_RTT 494
 #define VAR_LOW_RTT_PERMIL 495
 #define VAR_ALLOW_NOTIFY 496
+#define VAR_TLS_WIN_CERT 497
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -536,7 +538,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 540 "util/configparser.h" /* yacc.c:1909  */
+#line 542 "util/configparser.h" /* yacc.c:1909  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -157,7 +157,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
 %token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
 %token VAR_FALLBACK_ENABLED VAR_ADDITIONAL_TLS_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
-%token VAR_ALLOW_NOTIFY
+%token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -249,7 +249,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ipsecmod_whitelist | server_ipsecmod_strict |
 	server_udp_upstream_without_downstream | server_aggressive_nsec |
 	server_tls_cert_bundle | server_additional_tls_port | server_low_rtt |
-	server_low_rtt_permil
+	server_low_rtt_permil | server_tls_win_cert
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -688,6 +688,15 @@ server_tls_cert_bundle: VAR_TLS_CERT_BUNDLE STRING_ARG
 		cfg_parser->cfg->tls_cert_bundle = $2;
 	}
 	;
+server_tls_win_cert: VAR_TLS_WIN_CERT STRING_ARG
+	{
+		OUTYY(("P(server_tls_win_cert:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->tls_win_cert = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_additional_tls_port: VAR_ADDITIONAL_TLS_PORT STRING_ARG
 	{
 		OUTYY(("P(server_additional_tls_port:%s)\n", $2));