mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-04 08:35:31 +00:00
Code Issues Releases Wiki Activity

Add DoT support to bind

Browse Source 
Parse the configuration of tls objects into SSL_CTX* objects.  Listen on
DoT if 'tls' option is setup in listen-on directive.  Use DoT/DoH ports
for DoT/DoH.
This commit is contained in:
Witold Kręcicki
2020-10-01 13:18:47 +02:00
committed by Ondřej Surý
parent 8ed005f924
commit 38b78f59a0
15 changed files with 199 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
bin/named/config.c
View File

@@ -93,6 +93,7 @@ options {\n\
nta-recheck 300;\n\ nta-recheck 300;\n\
# pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\ # pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
port 53;\n\ port 53;\n\
dot-port 853;\n\
prefetch 2 9;\n\ prefetch 2 9;\n\
recursing-file \"named.recursing\";\n\ recursing-file \"named.recursing\";\n\
recursive-clients 1000;\n\ recursive-clients 1000;\n\
@@ -497,7 +498,7 @@ named_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
} else if (defport != 0) { } else if (defport != 0) {
port = defport; port = defport;
} else { } else {
result = named_config_getport(config, &port); result = named_config_getport(config, "port", &port);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
return (result); return (result);
} }
@@ -644,7 +645,7 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
/* /*
* Get system defaults. * Get system defaults.
*/ */
result = named_config_getport(config, &port); result = named_config_getport(config, "port", &port);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
goto cleanup; goto cleanup;
} }
@@ -925,7 +926,8 @@ cleanup:
} }
isc_result_t isc_result_t
named_config_getport(const cfg_obj_t *config, in_port_t *portp) { named_config_getport(const cfg_obj_t *config, const char *type,
in_port_t *portp) {
const cfg_obj_t *maps[3]; const cfg_obj_t *maps[3];
const cfg_obj_t *options = NULL; const cfg_obj_t *options = NULL;
const cfg_obj_t *portobj = NULL; const cfg_obj_t *portobj = NULL;
@@ -940,7 +942,7 @@ named_config_getport(const cfg_obj_t *config, in_port_t *portp) {
maps[i++] = named_g_defaults; maps[i++] = named_g_defaults;
maps[i] = NULL; maps[i] = NULL;
result = named_config_get(maps, "port", &portobj); result = named_config_get(maps, type, &portobj);
INSIST(result == ISC_R_SUCCESS); INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_asuint32(portobj) >= UINT16_MAX) { if (cfg_obj_asuint32(portobj) >= UINT16_MAX) {
cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR, cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR,
@@ -980,13 +982,15 @@ named_config_getdscp(const cfg_obj_t *config, isc_dscp_t *dscpp) {
struct keyalgorithms { struct keyalgorithms {
const char *str; const char *str;
enum { hmacnone, enum {
hmacnone,
hmacmd5, hmacmd5,
hmacsha1, hmacsha1,
hmacsha224, hmacsha224,
hmacsha256, hmacsha256,
hmacsha384, hmacsha384,
hmacsha512 } hmac; hmacsha512
} hmac;
unsigned int type; unsigned int type;
uint16_t size; uint16_t size;
} algorithms[] = { { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 }, } algorithms[] = { { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },

3
bin/named/include/named/config.h
View File

@@ -67,7 +67,8 @@ named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
isc_mem_t *mctx, dns_ipkeylist_t *ipkl); isc_mem_t *mctx, dns_ipkeylist_t *ipkl);
isc_result_t isc_result_t
named_config_getport(const cfg_obj_t *config, in_port_t *portp); named_config_getport(const cfg_obj_t *config, const char *type,
in_port_t *portp);
isc_result_t isc_result_t
named_config_getkeyalgorithm(const char *str, const dns_name_t **name, named_config_getkeyalgorithm(const char *str, const dns_name_t **name,

1
bin/named/include/named/globals.h
View File

@@ -72,6 +72,7 @@ EXTERN const char *named_g_srcid INIT(PACKAGE_SRCID);
EXTERN const char *named_g_configargs INIT(PACKAGE_CONFIGARGS); EXTERN const char *named_g_configargs INIT(PACKAGE_CONFIGARGS);
EXTERN const char *named_g_builder INIT(PACKAGE_BUILDER); EXTERN const char *named_g_builder INIT(PACKAGE_BUILDER);
EXTERN in_port_t named_g_port INIT(0); EXTERN in_port_t named_g_port INIT(0);
EXTERN in_port_t named_g_dot_port INIT(0);
EXTERN isc_dscp_t named_g_dscp INIT(-1); EXTERN isc_dscp_t named_g_dscp INIT(-1);
EXTERN named_server_t *named_g_server INIT(NULL); EXTERN named_server_t *named_g_server INIT(NULL);

4
bin/named/main.c
View File

@@ -789,11 +789,13 @@ parse_command_line(int argc, char *argv[]) {
break; break;
case 'p': case 'p':
port = parse_int(isc_commandline_argument, "port"); port = parse_int(isc_commandline_argument, "port");
if (port < 1 || port > 65535) { if (port < 1 || port > 64735) {
named_main_earlyfatal("port '%s' out of range", named_main_earlyfatal("port '%s' out of range",
isc_commandline_argument); isc_commandline_argument);
} }
named_g_port = port; named_g_port = port;
/* XXXWPK have a separate option for that. */
named_g_dot_port = port + 800;
break; break;
case 's': case 's':
/* XXXRTH temporary syntax */ /* XXXRTH temporary syntax */

1
bin/named/named.conf.rst
View File

@@ -231,6 +231,7 @@ OPTIONS
size ) ] [ versions ( unlimited | integer ) ] [ suffix ( size ) ] [ versions ( unlimited | integer ) ] [ suffix (
increment | timestamp ) ]; increment | timestamp ) ];
dnstap-version ( quoted_string | none ); dnstap-version ( quoted_string | none );
dot-port integer;
dscp integer; dscp integer;
dual-stack-servers [ port integer ] { ( quoted_string [ port dual-stack-servers [ port integer ] { ( quoted_string [ port
integer ] [ dscp integer ] | ipv4_address [ port integer ] [ dscp integer ] | ipv4_address [ port

75
bin/named/server.c
View File

@@ -674,11 +674,13 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp,
dns_name_t *name = NULL; dns_name_t *name = NULL;
isc_buffer_t namebuf; isc_buffer_t namebuf;
const char *atstr = NULL; const char *atstr = NULL;
enum { INIT_DNSKEY, enum {
INIT_DNSKEY,
STATIC_DNSKEY, STATIC_DNSKEY,
INIT_DS, INIT_DS,
STATIC_DS, STATIC_DS,
TRUSTED } anchortype; TRUSTED
} anchortype;
REQUIRE(namestrp != NULL && *namestrp == NULL); REQUIRE(namestrp != NULL && *namestrp == NULL);
REQUIRE(ds != NULL); REQUIRE(ds != NULL);
@@ -3962,7 +3964,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
/* /*
* Set the view's port number for outgoing queries. * Set the view's port number for outgoing queries.
*/ */
CHECKM(named_config_getport(config, &port), "port"); CHECKM(named_config_getport(config, "port", &port), "port");
dns_view_setdstport(view, port); dns_view_setdstport(view, port);
/* /*
@@ -5762,7 +5764,7 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
/* /*
* Determine which port to send requests to. * Determine which port to send requests to.
*/ */
CHECKM(named_config_getport(config, &port), "port"); CHECKM(named_config_getport(config, "port", &port), "port");
if (alternates != NULL) { if (alternates != NULL) {
portobj = cfg_tuple_get(alternates, "port"); portobj = cfg_tuple_get(alternates, "port");
@@ -5850,7 +5852,7 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view,
/* /*
* Determine which port to send forwarded requests to. * Determine which port to send forwarded requests to.
*/ */
CHECKM(named_config_getport(config, &port), "port"); CHECKM(named_config_getport(config, "port", &port), "port");
if (forwarders != NULL) { if (forwarders != NULL) {
portobj = cfg_tuple_get(forwarders, "port"); portobj = cfg_tuple_get(forwarders, "port");
@@ -6735,7 +6737,8 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
} }
result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr), result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
dscp, src_acl, &lelt); dscp, src_acl, false, NULL, NULL,
&lelt);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
goto clean; goto clean;
} }
@@ -6822,8 +6825,7 @@ adjust_interfaces(named_server_t *server, isc_mem_t *mctx) {
for (view = ISC_LIST_HEAD(server->viewlist); for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL && view != zoneview; view != NULL && view != zoneview;
view = ISC_LIST_NEXT(view, link)) view = ISC_LIST_NEXT(view, link))
{ {}
}
if (view == NULL) { if (view == NULL) {
continue; continue;
} }
@@ -8799,7 +8801,8 @@ load_configuration(const char *filename, named_server_t *server,
if (named_g_port != 0) { if (named_g_port != 0) {
listen_port = named_g_port; listen_port = named_g_port;
} else { } else {
CHECKM(named_config_getport(config, &listen_port), "port"); CHECKM(named_config_getport(config, "port", &listen_port),
"port");
} }
/* /*
@@ -10860,22 +10863,69 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
cfg_aclconfctx_t *actx, isc_mem_t *mctx, cfg_aclconfctx_t *actx, isc_mem_t *mctx,
uint16_t family, ns_listenelt_t **target) { uint16_t family, ns_listenelt_t **target) {
isc_result_t result; isc_result_t result;
const cfg_obj_t *portobj, *dscpobj; const cfg_obj_t *tlsobj, *portobj, *dscpobj;
in_port_t port; in_port_t port;
isc_dscp_t dscp = -1; isc_dscp_t dscp = -1;
const char *key = NULL, *cert = NULL;
bool tls = false;
ns_listenelt_t *delt = NULL; ns_listenelt_t *delt = NULL;
REQUIRE(target != NULL && *target == NULL); REQUIRE(target != NULL && *target == NULL);
/* XXXWPK TODO be more verbose on failures. */
tlsobj = cfg_tuple_get(listener, "tls");
if (tlsobj != NULL && cfg_obj_isstring(tlsobj)) {
const cfg_obj_t *tlsconfigs = NULL;
const cfg_listelt_t *element;
(void)cfg_map_get(config, "tls", &tlsconfigs);
for (element = cfg_list_first(tlsconfigs); element != NULL;
element = cfg_list_next(element))
{
cfg_obj_t *tconfig = cfg_listelt_value(element);
const cfg_obj_t *name = cfg_map_getname(tconfig);
if (!strcmp(cfg_obj_asstring(name),
cfg_obj_asstring(tlsobj))) {
tls = true;
const cfg_obj_t *keyo = NULL, *certo = NULL;
(void)cfg_map_get(tconfig, "key-file", &keyo);
if (keyo == NULL) {
return (ISC_R_FAILURE);
}
(void)cfg_map_get(tconfig, "cert-file", &certo);
if (certo == NULL) {
return (ISC_R_FAILURE);
}
key = cfg_obj_asstring(keyo);
cert = cfg_obj_asstring(certo);
break;
}
}
if (!tls) {
return (ISC_R_FAILURE);
}
}
portobj = cfg_tuple_get(listener, "port"); portobj = cfg_tuple_get(listener, "port");
if (!cfg_obj_isuint32(portobj)) { if (!cfg_obj_isuint32(portobj)) {
if (tls) {
if (named_g_dot_port != 0) {
port = named_g_dot_port;
} else {
result = named_config_getport(
config, "dot-port", &port);
if (result != ISC_R_SUCCESS) {
return (result);
}
}
} else {
if (named_g_port != 0) { if (named_g_port != 0) {
port = named_g_port; port = named_g_port;
} else { } else {
result = named_config_getport(config, &port); result = named_config_getport(config, "port",
&port);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
return (result); return (result);
} }
} }
}
} else { } else {
if (cfg_obj_asuint32(portobj) >= UINT16_MAX) { if (cfg_obj_asuint32(portobj) >= UINT16_MAX) {
cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR, cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR,
@@ -10899,7 +10949,8 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj); dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
} }
result = ns_listenelt_create(mctx, port, dscp, NULL, &delt); result = ns_listenelt_create(mctx, port, dscp, NULL, tls, key, cert,
&delt);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
return (result); return (result);
} }

1
doc/misc/options
View File

@@ -173,6 +173,7 @@ options {
<size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
increment | timestamp ) ]; increment | timestamp ) ];
dnstap-version ( <quoted_string> | none ); dnstap-version ( <quoted_string> | none );
dot-port <integer>;
dscp <integer>; dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port <integer> ] [ dscp <integer> ] | <ipv4_address> [ port

1
doc/misc/options.active
View File

@@ -159,6 +159,7 @@ options {
<size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
increment | timestamp ) ]; increment | timestamp ) ];
dnstap-version ( <quoted_string> | none ); dnstap-version ( <quoted_string> | none );
dot-port <integer>;
dscp <integer>; dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port <integer> ] [ dscp <integer> ] | <ipv4_address> [ port

1
doc/misc/options.grammar.rst
View File

@@ -89,6 +89,7 @@
<size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
increment | timestamp ) ]; increment | timestamp ) ];
dnstap-version ( <quoted_string> | none ); dnstap-version ( <quoted_string> | none );
dot-port <integer>;
dscp <integer>; dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port <integer> ] [ dscp <integer> ] | <ipv4_address> [ port

1
lib/isc/netmgr/tcpdns.c
View File

@@ -471,6 +471,7 @@ isc__nm_async_tcpdnsstop(isc__networker_t *worker, isc__netievent_t *ev0) {
break; break;
default: default:
INSIST(0); INSIST(0);
ISC_UNREACHABLE();
} }
isc__nmsocket_detach(&sock->outer); isc__nmsocket_detach(&sock->outer);
} }

1
lib/isccfg/namedconf.c
View File

@@ -1201,6 +1201,7 @@ static cfg_clausedef_t options_clauses[] = {
{ "notify-rate", &cfg_type_uint32, 0 }, { "notify-rate", &cfg_type_uint32, 0 },
{ "pid-file", &cfg_type_qstringornone, 0 }, { "pid-file", &cfg_type_qstringornone, 0 },
{ "port", &cfg_type_uint32, 0 }, { "port", &cfg_type_uint32, 0 },
{ "dot-port", &cfg_type_uint32, 0 },
{ "querylog", &cfg_type_boolean, 0 }, { "querylog", &cfg_type_boolean, 0 },
{ "random-device", &cfg_type_qstringornone, 0 }, { "random-device", &cfg_type_qstringornone, 0 },
{ "recursing-file", &cfg_type_qstring, 0 }, { "recursing-file", &cfg_type_qstring, 0 },

6
lib/ns/Makefile.am
View File

@@ -44,12 +44,14 @@ libns_la_CPPFLAGS = \
$(LIBDNS_CFLAGS) \ $(LIBDNS_CFLAGS) \
$(LIBISC_CFLAGS) \ $(LIBISC_CFLAGS) \
$(LIBNS_CFLAGS) \ $(LIBNS_CFLAGS) \
$(LIBUV_CFLAGS) $(LIBUV_CFLAGS) \
$(OPENSSL_CFLAGS)
libns_la_LIBADD = \ libns_la_LIBADD = \
$(LIBDNS_LIBS) \ $(LIBDNS_LIBS) \
$(LIBISC_LIBS) \ $(LIBISC_LIBS) \
$(LIBUV_LIBS) $(LIBUV_LIBS) \
$(OPENSSL_LIBS)
libns_la_LDFLAGS = \ libns_la_LDFLAGS = \
$(AM_LDFLAGS) \ $(AM_LDFLAGS) \

6
lib/ns/include/ns/listenlist.h
View File

@@ -31,6 +31,8 @@
#include <dns/types.h> #include <dns/types.h>
#include <openssl/ssl.h>
/*** /***
*** Types *** Types
***/ ***/
@@ -43,6 +45,7 @@ struct ns_listenelt {
in_port_t port; in_port_t port;
isc_dscp_t dscp; /* -1 = not set, 0..63 */ isc_dscp_t dscp; /* -1 = not set, 0..63 */
dns_acl_t *acl; dns_acl_t *acl;
SSL_CTX * sslctx;
ISC_LINK(ns_listenelt_t) link; ISC_LINK(ns_listenelt_t) link;
}; };
@@ -58,7 +61,8 @@ struct ns_listenlist {
isc_result_t isc_result_t
ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp, ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
dns_acl_t *acl, ns_listenelt_t **target); dns_acl_t *acl, bool tls, const char *key, const char *cert,
ns_listenelt_t **target);
/*%< /*%<
* Create a listen-on list element. * Create a listen-on list element.
*/ */

57
lib/ns/interfacemgr.c
View File

@@ -502,10 +502,48 @@ ns_interface_listentcp(ns_interface_t *ifp) {
return (result); return (result);
} }
/*
* XXXWPK we should probably pass a complete object with key, cert, and other
* TLS related options.
*/
static isc_result_t
ns_interface_listentls(ns_interface_t *ifp, SSL_CTX *sslctx) {
isc_result_t result;
SSL_CTX *ctx = NULL;
result = isc_nm_listentlsdns(
ifp->mgr->nm, (isc_nmiface_t *)&ifp->addr, ns__client_request,
ifp, ns__client_tcpconn, ifp, sizeof(ns_client_t),
ifp->mgr->backlog, &ifp->mgr->sctx->tcpquota, sslctx,
&ifp->tcplistensocket);
if (result != ISC_R_SUCCESS) {
isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
"creating TLS socket: %s",
isc_result_totext(result));
SSL_CTX_free(ctx);
return (result);
}
/*
* We call this now to update the tcp-highwater statistic:
* this is necessary because we are adding to the TCP quota just
* by listening.
*/
result = ns__client_tcpconn(NULL, ISC_R_SUCCESS, ifp);
if (result != ISC_R_SUCCESS) {
isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
"updating TCP stats: %s",
isc_result_totext(result));
}
return (result);
}
static isc_result_t static isc_result_t
ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
const char *name, ns_interface_t **ifpret, bool accept_tcp, const char *name, ns_interface_t **ifpret, bool accept_tcp,
isc_dscp_t dscp, bool *addr_in_use) { ns_listenelt_t *elt, bool *addr_in_use) {
isc_result_t result; isc_result_t result;
ns_interface_t *ifp = NULL; ns_interface_t *ifp = NULL;
REQUIRE(ifpret != NULL && *ifpret == NULL); REQUIRE(ifpret != NULL && *ifpret == NULL);
@@ -516,7 +554,16 @@ ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
return (result); return (result);
} }
ifp->dscp = dscp; ifp->dscp = elt->dscp;
if (elt->sslctx != NULL) {
result = ns_interface_listentls(ifp, elt->sslctx);
if (result != ISC_R_SUCCESS) {
goto cleanup_interface;
}
*ifpret = ifp;
return (result);
}
result = ns_interface_listenudp(ifp); result = ns_interface_listenudp(ifp);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
@@ -865,7 +912,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
le->port); le->port);
result = ns_interface_setup(mgr, &listen_addr, result = ns_interface_setup(mgr, &listen_addr,
"<any>", &ifp, true, "<any>", &ifp, true,
le->dscp, NULL); le, NULL);
if (result == ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) {
ifp->flags |= NS_INTERFACEFLAG_ANYADDR; ifp->flags |= NS_INTERFACEFLAG_ANYADDR;
} else { } else {
@@ -1087,8 +1134,8 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
result = ns_interface_setup( result = ns_interface_setup(
mgr, &listen_sockaddr, interface.name, mgr, &listen_sockaddr, interface.name,
&ifp, (adjusting) ? false : true, &ifp, (adjusting) ? false : true, le,
le->dscp, &addr_in_use); &addr_in_use);
tried_listening = true; tried_listening = true;
if (!addr_in_use) { if (!addr_in_use) {

19
lib/ns/listenlist.c
View File

@@ -14,6 +14,7 @@
#include <stdbool.h> #include <stdbool.h>
#include <isc/mem.h> #include <isc/mem.h>
#include <isc/netmgr.h>
#include <isc/util.h> #include <isc/util.h>
#include <dns/acl.h> #include <dns/acl.h>
@@ -25,8 +26,10 @@ destroy(ns_listenlist_t *list);
isc_result_t isc_result_t
ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp, ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
dns_acl_t *acl, ns_listenelt_t **target) { dns_acl_t *acl, bool tls, const char *key, const char *cert,
ns_listenelt_t **target) {
ns_listenelt_t *elt = NULL; ns_listenelt_t *elt = NULL;
isc_result_t result = ISC_R_SUCCESS;
REQUIRE(target != NULL && *target == NULL); REQUIRE(target != NULL && *target == NULL);
elt = isc_mem_get(mctx, sizeof(*elt)); elt = isc_mem_get(mctx, sizeof(*elt));
elt->mctx = mctx; elt->mctx = mctx;
@@ -34,6 +37,13 @@ ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
elt->port = port; elt->port = port;
elt->dscp = dscp; elt->dscp = dscp;
elt->acl = acl; elt->acl = acl;
elt->sslctx = NULL;
if (tls) {
result = isc_nm_tls_create_server_ctx(key, cert, &elt->sslctx);
if (result != ISC_R_SUCCESS) {
return (result);
}
}
*target = elt; *target = elt;
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
@@ -43,6 +53,10 @@ ns_listenelt_destroy(ns_listenelt_t *elt) {
if (elt->acl != NULL) { if (elt->acl != NULL) {
dns_acl_detach(&elt->acl); dns_acl_detach(&elt->acl);
} }
if (elt->sslctx != NULL) {
SSL_CTX_free(elt->sslctx);
elt->sslctx = NULL;
}
isc_mem_put(elt->mctx, elt, sizeof(*elt)); isc_mem_put(elt->mctx, elt, sizeof(*elt));
} }
@@ -104,7 +118,8 @@ ns_listenlist_default(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
goto cleanup; goto cleanup;
} }
result = ns_listenelt_create(mctx, port, dscp, acl, &elt); result = ns_listenelt_create(mctx, port, dscp, acl, false, NULL, NULL,
&elt);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
goto cleanup_acl; goto cleanup_acl;
} }