- Create additional tls service interfaces by opening them on other

portnumbers and listing the portnumbers as additional-tls-port: nr.


git-svn-id: file:///svn/unbound/trunk@4588 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -7,6 +7,8 @@
 	  should exist).  Patch from Jinmei Tatuya (Infoblox).
 	- Fix #3817: core dump happens in libunbound delete, when queued
 	  servfail hits deleted message queue.
+	- Create additional tls service interfaces by opening them on other
+	  portnumbers and listing the portnumbers as additional-tls-port: nr.
 
 13 March 2018: Wouter
 	- Fix typo in documentation.

doc/example.conf.in

@@ -678,6 +678,9 @@ server:
 	# Certificates used to authenticate connections made upstream.
 	# tls-cert-bundle: ""
 
+	# Also serve tls on these port numbers (eg. 443, ...), by listing
+	# additional-tls-port: portno for each of the port numbers.
+
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96

services/listen_dnsport.c

@@ -1056,6 +1056,24 @@ set_recvpktinfo(int s, int family)
 	return 1;
 }
 
+/** see if interface is ssl, its port number == the ssl port number */
+static int
+if_is_ssl(const char* ifname, const char* port, int ssl_port,
+	struct config_strlist* additional_tls_port)
+{
+	struct config_strlist* s;
+	char* p = strchr(ifname, '@');
+	if(!p && atoi(port) == ssl_port)
+		return 1;
+	if(p && atoi(p+1) == ssl_port)
+		return 1;
+	for(s = additional_tls_port; s; s = s->next) {
+		if(atoi(s->str) == atoi(port))
+			return 1;
+	}
+	return 0;
+}
+
 /**
  * Helper for ports_open. Creates one interface (or NULL for default).
  * @param ifname: The interface ip address.
@@ -1069,6 +1087,7 @@ set_recvpktinfo(int s, int family)
  * @param rcv: receive buffer size for UDP
  * @param snd: send buffer size for UDP
  * @param ssl_port: ssl service port number
+ * @param additional_tls_port: list of additional ssl service port numbers.
  * @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
  * 	set to false on exit if reuseport failed due to no kernel support.
  * @param transparent: set IP_TRANSPARENT socket option.
@@ -1081,8 +1100,10 @@ set_recvpktinfo(int s, int family)
 static int
 ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, 
 	struct addrinfo *hints, const char* port, struct listen_port** list,
-	size_t rcv, size_t snd, int ssl_port, int* reuseport, int transparent,
+	size_t rcv, size_t snd, int ssl_port,
-	int tcp_mss, int freebind, int use_systemd, int dnscrypt_port)
+	struct config_strlist* additional_tls_port, int* reuseport,
+	int transparent, int tcp_mss, int freebind, int use_systemd,
+	int dnscrypt_port)
 {
 	int s, noip6=0;
 #ifdef USE_DNSCRYPT
@@ -1146,9 +1167,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 		}
 	}
 	if(do_tcp) {
-		int is_ssl = ((strchr(ifname, '@') && 
+		int is_ssl = if_is_ssl(ifname, port, ssl_port,
-			atoi(strchr(ifname, '@')+1) == ssl_port) ||
+			additional_tls_port);
-			(!strchr(ifname, '@') && atoi(port) == ssl_port));
 		if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, 
 			&noip6, 0, 0, reuseport, transparent, tcp_mss,
 			freebind, use_systemd)) == -1) {
@@ -1334,8 +1354,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				do_auto, cfg->do_udp, do_tcp, 
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, reuseport,
+				cfg->ssl_port, cfg->additional_tls_port,
-				cfg->ip_transparent,
+				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
 				cfg->dnscrypt_port)) {
 				listening_ports_free(list);
@@ -1348,8 +1368,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				do_auto, cfg->do_udp, do_tcp, 
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, reuseport,
+				cfg->ssl_port, cfg->additional_tls_port,
-				cfg->ip_transparent,
+				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
 				cfg->dnscrypt_port)) {
 				listening_ports_free(list);
@@ -1364,8 +1384,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 			if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, reuseport,
+				cfg->ssl_port, cfg->additional_tls_port,
-				cfg->ip_transparent,
+				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
 				cfg->dnscrypt_port)) {
 				listening_ports_free(list);
@@ -1378,8 +1398,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 			if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, 
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
-				cfg->ssl_port, reuseport,
+				cfg->ssl_port, cfg->additional_tls_port,
-				cfg->ip_transparent,
+				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
 				cfg->dnscrypt_port)) {
 				listening_ports_free(list);

util/config_file.c

@@ -446,6 +446,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STR("ssl-service-pem:", ssl_service_pem)
 	else S_NUMBER_NONZERO("ssl-port:", ssl_port)
 	else S_STR("tls-cert-bundle:", tls_cert_bundle)
+	else S_STRLIST("additional-tls-port:", additional_tls_port)
 	else S_YNO("interface-automatic:", if_automatic)
 	else S_YNO("use-systemd:", use_systemd)
 	else S_YNO("do-daemonize:", do_daemonize)
@@ -856,6 +857,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_STR(opt, "ssl-service-pem", ssl_service_pem)
 	else O_DEC(opt, "ssl-port", ssl_port)
 	else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
+	else O_LST(opt, "additional-tls-port", additional_tls_port)
 	else O_YNO(opt, "use-systemd", use_systemd)
 	else O_YNO(opt, "do-daemonize", do_daemonize)
 	else O_STR(opt, "chroot", chrootdir)
@@ -1274,6 +1276,7 @@ config_delete(struct config_file* cfg)
 	free(cfg->ssl_service_key);
 	free(cfg->ssl_service_pem);
 	free(cfg->tls_cert_bundle);
+	config_delstrlist(cfg->additional_tls_port);
 	free(cfg->log_identity);
 	config_del_strarray(cfg->ifs, cfg->num_ifs);
 	config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);

util/config_file.h

@@ -102,6 +102,8 @@ struct config_file {
 	int ssl_upstream;
 	/** cert bundle for outgoing connections */
 	char* tls_cert_bundle;
+	/** additional tls ports */
+	struct config_strlist* additional_tls_port;
 
 	/** outgoing port range number of ports (per thread) */
 	int outgoing_num_ports;