Add DoT support to bind
Parse the configuration of tls objects into SSL_CTX* objects. Listen on DoT if the 'tls' option is set up in the listen-on directive. Use DoT/DoH ports for DoT/DoH.
committed by
Ondřej Surý
parent
8ed005f924
commit
38b78f59a0
@@ -502,10 +502,48 @@ ns_interface_listentcp(ns_interface_t *ifp) {
|
||||
return (result);
|
||||
}
|
||||
|
||||
/*
|
||||
* XXXWPK we should probably pass a complete object with key, cert, and other
|
||||
* TLS related options.
|
||||
*/
|
||||
static isc_result_t
|
||||
ns_interface_listentls(ns_interface_t *ifp, SSL_CTX *sslctx) {
|
||||
isc_result_t result;
|
||||
SSL_CTX *ctx = NULL;
|
||||
|
||||
result = isc_nm_listentlsdns(
|
||||
ifp->mgr->nm, (isc_nmiface_t *)&ifp->addr, ns__client_request,
|
||||
ifp, ns__client_tcpconn, ifp, sizeof(ns_client_t),
|
||||
ifp->mgr->backlog, &ifp->mgr->sctx->tcpquota, sslctx,
|
||||
&ifp->tcplistensocket);
|
||||
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
|
||||
"creating TLS socket: %s",
|
||||
isc_result_totext(result));
|
||||
SSL_CTX_free(ctx);
|
||||
return (result);
|
||||
}
|
||||
|
||||
/*
|
||||
* We call this now to update the tcp-highwater statistic:
|
||||
* this is necessary because we are adding to the TCP quota just
|
||||
* by listening.
|
||||
*/
|
||||
result = ns__client_tcpconn(NULL, ISC_R_SUCCESS, ifp);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
|
||||
"updating TCP stats: %s",
|
||||
isc_result_totext(result));
|
||||
}
|
||||
|
||||
return (result);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
|
||||
const char *name, ns_interface_t **ifpret, bool accept_tcp,
|
||||
isc_dscp_t dscp, bool *addr_in_use) {
|
||||
ns_listenelt_t *elt, bool *addr_in_use) {
|
||||
isc_result_t result;
|
||||
ns_interface_t *ifp = NULL;
|
||||
REQUIRE(ifpret != NULL && *ifpret == NULL);
|
||||
@@ -516,7 +554,16 @@ ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
|
||||
return (result);
|
||||
}
|
||||
|
||||
ifp->dscp = dscp;
|
||||
ifp->dscp = elt->dscp;
|
||||
|
||||
if (elt->sslctx != NULL) {
|
||||
result = ns_interface_listentls(ifp, elt->sslctx);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup_interface;
|
||||
}
|
||||
*ifpret = ifp;
|
||||
return (result);
|
||||
}
|
||||
|
||||
result = ns_interface_listenudp(ifp);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
@@ -865,7 +912,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
|
||||
le->port);
|
||||
result = ns_interface_setup(mgr, &listen_addr,
|
||||
"<any>", &ifp, true,
|
||||
le->dscp, NULL);
|
||||
le, NULL);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
ifp->flags |= NS_INTERFACEFLAG_ANYADDR;
|
||||
} else {
|
||||
@@ -1087,8 +1134,8 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
|
||||
|
||||
result = ns_interface_setup(
|
||||
mgr, &listen_sockaddr, interface.name,
|
||||
&ifp, (adjusting) ? false : true,
|
||||
le->dscp, &addr_in_use);
|
||||
&ifp, (adjusting) ? false : true, le,
|
||||
&addr_in_use);
|
||||
|
||||
tried_listening = true;
|
||||
if (!addr_in_use) {
|
||||
|