- dns over ssl support, ssl-service-pem and ssl-service-key files

  can be given and then TCP queries are serviced wrapped in SSL.


git-svn-id: file:///svn/unbound/trunk@2530 be551aaa-1e26-0410-a405-d3ace91eadb9

Makefile.in

@@ -239,7 +239,7 @@ endif
 libunbound.la:	$(LIBUNBOUND_OBJ)
 	$(INFO) Link $@
 ifeq ($(CHECKLOCK_SRC),)
-	$Q$(LINK_LIB) $(UBSYMS) -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS)
+	$Q$(LINK_LIB) $(UBSYMS) -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) -lssl $(LIBS)
 else
 	cp $(srcdir)/libunbound/ubsyms.def $(BUILD)clubsyms.def
 	echo lock_protect >> $(BUILD)clubsyms.def
@@ -252,7 +252,7 @@ else
 	echo checklock_init >> $(BUILD)clubsyms.def
 	echo checklock_thrcreate >> $(BUILD)clubsyms.def
 	echo checklock_thrjoin >> $(BUILD)clubsyms.def
-	$Q$(LINK_LIB) $(CLUBSYMS) -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS)
+	$Q$(LINK_LIB) $(CLUBSYMS) -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) -lssl $(LIBS)
 endif
 
 unbound$(EXEEXT):	$(DAEMON_OBJ) libunbound.la
@@ -289,47 +289,47 @@ anchor-update$(EXEEXT):  $(ANCHORUPD_OBJ) libunbound.la
 
 unittest$(EXEEXT):	$(UNITTEST_OBJ)
 	$(INFO) Link $@
-	$Q$(LINK) -o $@ $(sort $(UNITTEST_OBJ)) $(LIBS)
+	$Q$(LINK) -o $@ $(sort $(UNITTEST_OBJ)) -lssl $(LIBS)
 
 testbound$(EXEEXT):	$(TESTBOUND_OBJ)
 	$(INFO) Link $@
 	$Q$(LINK) -o $@ $(sort $(TESTBOUND_OBJ)) -lssl $(LIBS)
 
 lock-verify$(EXEEXT):	$(LOCKVERIFY_OBJ)
 	$(INFO) Link $@
-	$Q$(LINK) -o $@ $(sort $(LOCKVERIFY_OBJ)) $(LIBS)
+	$Q$(LINK) -o $@ $(sort $(LOCKVERIFY_OBJ)) -lssl $(LIBS)
 
 petal$(EXEEXT):	$(PETAL_OBJ)
 	$(INFO) Link $@
 	$Q$(LINK) -o $@ $(sort $(PETAL_OBJ)) -lssl $(LIBS)
 
 pktview$(EXEEXT):	$(PKTVIEW_OBJ)
 	$(INFO) Link $@
-	$Q$(LINK) -o $@ $(sort $(PKTVIEW_OBJ)) $(LIBS)
+	$Q$(LINK) -o $@ $(sort $(PKTVIEW_OBJ)) -lssl $(LIBS)
 
 signit$(EXEEXT):	$(SIGNIT_OBJ)
 	$(INFO) Link $@
-	$Q$(LINK) -o $@ $(sort $(SIGNIT_OBJ)) $(LIBS)
+	$Q$(LINK) -o $@ $(sort $(SIGNIT_OBJ)) -lssl $(LIBS)
 
 memstats$(EXEEXT):	$(MEMSTATS_OBJ)
 	$(INFO) Link $@
-	$Q$(LINK) -o $@ $(sort $(MEMSTATS_OBJ)) $(LIBS)
+	$Q$(LINK) -o $@ $(sort $(MEMSTATS_OBJ)) -lssl $(LIBS)
 
 asynclook$(EXEEXT):	$(ASYNCLOOK_OBJ) libunbound.la
 	$(INFO) Link $@
 	$Q$(LINK) -o $@ $(sort $(ASYNCLOOK_OBJ)) $(LIBS) -L. -L.libs -lunbound
 
 streamtcp$(EXEEXT):	$(STREAMTCP_OBJ)
 	$(INFO) Link $@
-	$Q$(LINK) -o $@ $(sort $(STREAMTCP_OBJ)) $(LIBS)
+	$Q$(LINK) -o $@ $(sort $(STREAMTCP_OBJ)) -lssl $(LIBS)
 
 perf$(EXEEXT):	$(PERF_OBJ)
 	$(INFO) Link $@
-	$Q$(LINK) -o $@ $(sort $(PERF_OBJ)) $(LIBS)
+	$Q$(LINK) -o $@ $(sort $(PERF_OBJ)) -lssl $(LIBS)
 
 delayer$(EXEEXT):	$(DELAYER_OBJ)
 	$(INFO) Link $@
-	$Q$(LINK) -o $@ $(sort $(DELAYER_OBJ)) $(LIBS)
+	$Q$(LINK) -o $@ $(sort $(DELAYER_OBJ)) -lssl $(LIBS)
 
 harvest$(EXEEXT):	$(HARVEST_OBJ) libunbound.la
 	$(INFO) Link $@

daemon/daemon.c

@@ -528,6 +528,8 @@ daemon_delete(struct daemon* daemon)
 	free(daemon->chroot);
 	free(daemon->pidfile);
 	free(daemon->env);
+	SSL_CTX_free((SSL_CTX*)daemon->listen_sslctx);
+	SSL_CTX_free((SSL_CTX*)daemon->connect_sslctx);
 	free(daemon);
 #ifdef LEX_HAS_YYLEX_DESTROY
 	/* lex cleanup */

daemon/daemon.h

@@ -80,6 +80,8 @@ struct daemon {
 	struct listen_port* rc_ports;
 	/** remote control connections management (for first worker) */
 	struct daemon_remote* rc;
+	/** ssl context for listening to dnstcp over ssl, and connecting ssl */
+	void* listen_sslctx, *connect_sslctx;
 	/** num threads allocated */
 	int num;
 	/** the worker entries */

daemon/remote.c

@@ -92,21 +92,6 @@
 /** if true, inhibits a lot of =0 lines from the stats output */
 static const int inhibit_zero = 1;
 
-/** log ssl crypto err */
-static void
-log_crypto_err(const char* str)
-{
-	/* error:[error code]:[library name]:[function name]:[reason string] */
-	char buf[128];
-	unsigned long e;
-	ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
-	log_err("%s crypto %s", str, buf);
-	while( (e=ERR_get_error()) ) {
-		ERR_error_string_n(e, buf, sizeof(buf));
-		log_err("and additionally crypto %s", buf);
-	}
-}
-
 /** subtract timers and the values do not overflow or become negative */
 static void
 timeval_subtract(struct timeval* d, const struct timeval* end, 

daemon/unbound.c

@@ -55,6 +55,7 @@
 #include "services/cache/infra.h"
 #include "util/data/msgreply.h"
 #include "util/module.h"
+#include "util/net_help.h"
 #include <signal.h>
 #include <fcntl.h>
 #include <openssl/crypto.h>
@@ -446,6 +447,13 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 	/* read ssl keys while superuser and outside chroot */
 	if(!(daemon->rc = daemon_remote_create(cfg)))
 		fatal_exit("could not set up remote-control");
+	if(cfg->ssl_service_key && cfg->ssl_service_key[0]) {
+		if(!(daemon->listen_sslctx = listen_sslctx_create(
+			cfg->ssl_service_key, cfg->ssl_service_pem, NULL)))
+			fatal_exit("could not set up listen SSL_CTX");
+	}
+	if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, NULL)))
+		fatal_exit("could not set up connect SSL_CTX");
 
 #ifdef HAVE_KILL
 	/* check old pid file before forking */

daemon/worker.c

@@ -1092,7 +1092,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
 	}
 	worker->front = listen_create(worker->base, ports,
 		cfg->msg_buffer_size, (int)cfg->incoming_num_tcp, 
-		worker_handle_request, worker);
+		worker->daemon->listen_sslctx, worker_handle_request, worker);
 	if(!worker->front) {
 		log_err("could not create listening sockets");
 		worker_delete(worker);
@@ -1105,7 +1105,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
 		worker->daemon->env->infra_cache, worker->rndstate,
 		cfg->use_caps_bits_for_id, worker->ports, worker->numports,
 		cfg->unwanted_threshold, &worker_alloc_cleanup, worker,
-		cfg->do_udp);
+		cfg->do_udp, worker->daemon->connect_sslctx);
 	if(!worker->back) {
 		log_err("could not create outgoing sockets");
 		worker_delete(worker);
@@ -1255,9 +1255,9 @@ worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
 	e->qstate = q;
 	e->qsent = outnet_serviced_query(worker->back, qname,
 		qnamelen, qtype, qclass, flags, dnssec, want_dnssec,
-		q->env->cfg->tcp_upstream, addr, addrlen, zone, zonelen,
-		worker_handle_service_reply, e, worker->back->udp_buff,
-		&outbound_entry_compare);
+		q->env->cfg->tcp_upstream || q->env->cfg->ssl_upstream, addr,
+		addrlen, zone, zonelen, worker_handle_service_reply, e,
+		worker->back->udp_buff, &outbound_entry_compare);
 	if(!e->qsent) {
 		return NULL;
 	}

doc/Changelog

@@ -1,3 +1,7 @@
+31 October 2011: Wouter
+	- dns over ssl support, ssl-service-pem and ssl-service-key files
+	  can be given and then TCP queries are serviced wrapped in SSL.
+
 27 October 2011: Wouter
 	- lame-ttl and lame-size options no longer exist, it is integrated
 	  with the host info.  They are ignored (with verbose warning) if

libunbound/libworker.c

@@ -44,6 +44,7 @@
 #include "config.h"
 #include <ldns/dname.h>
 #include <ldns/wire2host.h>
+#include <openssl/ssl.h>
 #include "libunbound/libworker.h"
 #include "libunbound/context.h"
 #include "libunbound/unbound.h"
@@ -84,6 +85,7 @@ libworker_delete(struct libworker* w)
 		ub_randfree(w->env->rnd);
 		free(w->env);
 	}
+	SSL_CTX_free(w->sslctx);
 	outside_network_delete(w->back);
 	comm_base_delete(w->base);
 	free(w);
@@ -124,6 +126,13 @@ libworker_setup(struct ub_ctx* ctx, int is_bg)
 		forwards_delete(w->env->fwds);
 		w->env->fwds = NULL;
 	}
+	if(cfg->ssl_upstream) {
+		w->sslctx = connect_sslctx_create(NULL, NULL, NULL);
+		if(!w->sslctx) {
+			libworker_delete(w);
+			return NULL;
+		}
+	}
 	if(!w->is_bg || w->is_bg_thread) {
 		lock_basic_unlock(&ctx->cfglock);
 	}
@@ -171,7 +180,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg)
 		cfg->do_tcp?cfg->outgoing_num_tcp:0,
 		w->env->infra_cache, w->env->rnd, cfg->use_caps_bits_for_id,
 		ports, numports, cfg->unwanted_threshold,
-		&libworker_alloc_cleanup, w, cfg->do_udp);
+		&libworker_alloc_cleanup, w, cfg->do_udp, w->sslctx);
 	if(!w->is_bg || w->is_bg_thread) {
 		lock_basic_unlock(&ctx->cfglock);
 	}
@@ -695,9 +704,9 @@ struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
 	e->qstate = q;
 	e->qsent = outnet_serviced_query(w->back, qname,
 		qnamelen, qtype, qclass, flags, dnssec, want_dnssec,
-		q->env->cfg->tcp_upstream, addr, addrlen, zone, zonelen,
-		libworker_handle_service_reply, e, w->back->udp_buff,
-		&outbound_entry_compare);
+		q->env->cfg->tcp_upstream || q->env->cfg->ssl_upstream, addr,
+		addrlen, zone, zonelen, libworker_handle_service_reply, e,
+		w->back->udp_buff, &outbound_entry_compare);
 	if(!e->qsent) {
 		return NULL;
 	}

libunbound/libworker.h

@@ -81,6 +81,8 @@ struct libworker {
 	struct outside_network* back;
 	/** random() table for this worker. */
 	struct ub_randstate* rndstate;
+	/** sslcontext for SSL wrapped DNS over TCP queries */
+	void* sslctx;
 };
 
 /**

services/listen_dnsport.c

@@ -723,7 +723,7 @@ listen_cp_insert(struct comm_point* c, struct listen_dnsport* front)
 
 struct listen_dnsport* 
 listen_create(struct comm_base* base, struct listen_port* ports,
-	size_t bufsize, int tcp_accept_count,
+	size_t bufsize, int tcp_accept_count, void* sslctx,
 	comm_point_callback_t* cb, void *cb_arg)
 {
 	struct listen_dnsport* front = (struct listen_dnsport*)
@@ -736,17 +736,21 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 		free(front);
 		return NULL;
 	}
-
+	if(sslctx) {
+		verbose(VERB_ALGO, "setup for SSL-wrapped TCP service");
+	}
+
 	/* create comm points as needed */
 	while(ports) {
 		struct comm_point* cp = NULL;
 		if(ports->ftype == listen_type_udp) 
 			cp = comm_point_create_udp(base, ports->fd, 
 				front->udp_buff, cb, cb_arg);
-		else if(ports->ftype == listen_type_tcp)
+		else if(ports->ftype == listen_type_tcp) {
 			cp = comm_point_create_tcp(base, ports->fd, 
 				tcp_accept_count, bufsize, cb, cb_arg);
-		else if(ports->ftype == listen_type_udpancil) 
+			cp->ssl = sslctx;
+		} else if(ports->ftype == listen_type_udpancil) 
 			cp = comm_point_create_udp_ancil(base, ports->fd, 
 				front->udp_buff, cb, cb_arg);
 		if(!cp) {

services/listen_dnsport.h

@@ -121,14 +121,15 @@ void listening_ports_free(struct listen_port* list);
  * @param bufsize: size of datagram buffer.
  * @param tcp_accept_count: max number of simultaneous TCP connections 
  * 	from clients.
+ * @param sslctx: nonNULL if ssl context.
  * @param cb: callback function when a request arrives. It is passed
  *	  the packet and user argument. Return true to send a reply.
  * @param cb_arg: user data argument for callback function.
  * @return: the malloced listening structure, ready for use. NULL on error.
  */
 struct listen_dnsport* listen_create(struct comm_base* base,
 	struct listen_port* ports, size_t bufsize, int tcp_accept_count,
-	comm_point_callback_t* cb, void* cb_arg);
+	void* sslctx, comm_point_callback_t* cb, void* cb_arg);
 
 /**
  * delete the listening structure

services/outside_network.c

@@ -535,7 +535,8 @@ outside_network_create(struct comm_base *base, size_t bufsize,
 	int do_ip6, size_t num_tcp, struct infra_cache* infra,
 	struct ub_randstate* rnd, int use_caps_for_id, int* availports, 
 	int numavailports, size_t unwanted_threshold,
-	void (*unwanted_action)(void*), void* unwanted_param, int do_udp)
+	void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
+	void* sslctx)
 {
 	struct outside_network* outnet = (struct outside_network*)
 		calloc(1, sizeof(struct outside_network));
@@ -549,6 +550,7 @@ outside_network_create(struct comm_base *base, size_t bufsize,
 	outnet->num_tcp = num_tcp;
 	outnet->infra = infra;
 	outnet->rnd = rnd;
+	outnet->sslctx = sslctx;
 	outnet->svcd_overhead = 0;
 	outnet->want_to_quit = 0;
 	outnet->unwanted_threshold = unwanted_threshold;

services/outside_network.h

@@ -118,6 +118,8 @@ struct outside_network {
 	struct infra_cache* infra;
 	/** where to get random numbers */
 	struct ub_randstate* rnd;
+	/** ssl context to create ssl wrapped TCP with DNS connections */
+	void* sslctx;
 
 	/**
 	 * Array of tcp pending used for outgoing TCP connections.
@@ -369,14 +371,16 @@ struct serviced_query {
  * @param unwanted_action: the action to take.
  * @param unwanted_param: user parameter to action.
  * @param do_udp: if udp is done.
+ * @param sslctx: context to create outgoing connections with (if enabled).
  * @return: the new structure (with no pending answers) or NULL on error.
  */
 struct outside_network* outside_network_create(struct comm_base* base,
 	size_t bufsize, size_t num_ports, char** ifs, int num_ifs,
 	int do_ip4, int do_ip6, size_t num_tcp, struct infra_cache* infra, 
 	struct ub_randstate* rnd, int use_caps_for_id, int* availports, 
 	int numavailports, size_t unwanted_threshold,
-	void (*unwanted_action)(void*), void* unwanted_param, int do_udp);
+	void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
+	void* sslctx);
 
 /**
  * Delete outside_network structure.

testcode/fake_event.c

@@ -708,7 +708,7 @@ run_scenario(struct replay_runtime* runtime)
 struct listen_dnsport* 
 listen_create(struct comm_base* base, struct listen_port* ATTR_UNUSED(ports),
 	size_t bufsize, int ATTR_UNUSED(tcp_accept_count),
-	comm_point_callback_t* cb, void* cb_arg)
+	void* ATTR_UNUSED(sslctx), comm_point_callback_t* cb, void* cb_arg)
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)base;
 	struct listen_dnsport* l= calloc(1, sizeof(struct listen_dnsport));
@@ -877,7 +877,7 @@ outside_network_create(struct comm_base* base, size_t bufsize,
 	int ATTR_UNUSED(use_caps_for_id), int* ATTR_UNUSED(availports),
 	int ATTR_UNUSED(numavailports), size_t ATTR_UNUSED(unwanted_threshold),
 	void (*unwanted_action)(void*), void* ATTR_UNUSED(unwanted_param),
-	int ATTR_UNUSED(do_udp))
+	int ATTR_UNUSED(do_udp), void* ATTR_UNUSED(sslctx))
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)base;
 	struct outside_network* outnet =  calloc(1,