diff --git a/PLATFORMS.md b/PLATFORMS.md index 3dc2278e09..405871a331 100644 --- a/PLATFORMS.md +++ b/PLATFORMS.md @@ -31,10 +31,13 @@ some of the older systems listed below, you will have to install an updated updated packages. The other option is to build and install `libuv` from source. -Certain optional BIND features have additional library dependencies. -These include `libxml2` and `libjson-c` for statistics, `libmaxminddb` for -geolocation, `libfstrm` and `libprotobuf-c` for DNSTAP, and `libidn2` for -internationalized domain name conversion. +Certain optional BIND features have additional library dependencies: + +* `libfstrm` and `libprotobuf-c` for DNSTAP +* `libidn2` for internationalized domain name conversion. +* `libmaxminddb` for geolocation +* `libnghttp2` for DNS over HTTPS +* `libxml2` and `libjson-c` for statistics channel ISC regularly tests BIND on many operating systems and architectures, but lacks the resources to test all of them. Consequently, ISC is only able to diff --git a/README.md b/README.md index 6d6ba77286..cce47bc687 100644 --- a/README.md +++ b/README.md 
@@ -188,13 +188,15 @@ installed: To see a full list of configuration options, run `configure --help`. For the server to support DNSSEC, you need to build it with crypto support. -To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the +To use OpenSSL, you must have OpenSSL 1.0.2e or newer installed. If the OpenSSL library is installed in a nonstandard location, specify the prefix using `--with-openssl=` on the configure command line. To use a PKCS#11 hardware service module for cryptographic operations, specify the path to the PKCS#11 provider library using `--with-pkcs11=`, and configure BIND with `--enable-native-pkcs11`. +To support DNS over HTTPS, the server must be linked with `libnghttp2`. + To support the HTTP statistics channel, the server must be linked with at least one of the following libraries: `libxml2` [http://xmlsoft.org](http://xmlsoft.org) or `json-c` diff --git a/bin/dig/dig.c b/bin/dig/dig.c index d8479ed407..7cec01aba1 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -1426,6 +1426,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, FULLCHECK6("https", "https-get", "https-post", "http-plain", "http-plain-get", "http-plain-post"); +#if HAVE_LIBNGHTTP2 if (lookup->https_path != NULL) { isc_mem_free(mctx, lookup->https_path); lookup->https_path = NULL; @@ -1485,6 +1486,9 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, lookup->https_path = isc_mem_strdup(mctx, value); } +#else + fprintf(stderr, ";; DoH support not enabled\n"); +#endif break; default: goto invalid_option; diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index fd4c7389ff..650cee5414 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -2796,6 +2796,7 @@ start_tcp(dig_query_t *query) { &query->sockaddr, tcp_connected, query, local_timeout, 0, query->tlsctx); +#if HAVE_LIBNGHTTP2 } else if (query->lookup->https_mode) { char uri[4096] = { 0 }; snprintf(uri, sizeof(uri), "https://%s:%u%s", 
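Review bot: In the new `#else` branch of the `https` option handling, `+https` on a build without libnghttp2 only prints `;; DoH support not enabled` and then reaches `break`, so the lookup proceeds over whatever transport is currently selected instead of the encrypted one the user asked for. A request for an encrypted transport should fail closed rather than degrade; `goto invalid_option;` after the `fprintf` makes the option rejected the same way an unknown `+` option is. The enclosing `plus_option` switch starts and ends outside the hunk, and the `#if HAVE_LIBNGHTTP2` opened in the first hunk is only closed in the second.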
@@ -2814,6 +2815,7 @@ start_tcp(dig_query_t *query) { uri, !query->lookup->https_get, tcp_connected, query, query->tlsctx, local_timeout, 0); +#endif } else { isc_nm_tcpdnsconnect(netmgr, &localaddr, &query->sockaddr, tcp_connected, diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am index bd276c96c7..87e60ddcd5 100644 --- a/bin/named/Makefile.am +++ b/bin/named/Makefile.am @@ -21,6 +21,11 @@ AM_CPPFLAGS += \ $(JSON_C_CFLAGS) endif HAVE_JSON_C +if HAVE_LIBNGHTTP2 +AM_CPPFLAGS += \ + $(LIBNGHTTP2_CFLAGS) +endif HAVE_LIBNGHTTP2 + if HAVE_LIBXML2 AM_CPPFLAGS += \ $(LIBXML2_CFLAGS) @@ -112,5 +117,10 @@ named_LDADD += \ $(JSON_C_LIBS) endif HAVE_JSON_C +if HAVE_LIBNGHTTP2 +named_LDADD += \ + $(LIBNGHTTP2_LIBS) +endif HAVE_LIBNGHTTP2 + MAINTAINERCLEANFILES = \ named.conf.rst diff --git a/bin/named/config.c b/bin/named/config.c index 4f7c7fe0b6..6f63b0130b 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -89,9 +89,12 @@ options {\n\ nta-recheck 300;\n\ # pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\ port 53;\n\ - tls-port 853;\n\ - http-port 80;\n\ - https-port 443;\n\ + tls-port 853;\n" +#if HAVE_LIBNGHTTP2 + "http-port 80;\n" + "https-port 443;\n" +#endif + "\ prefetch 2 9;\n\ recursing-file \"named.recursing\";\n\ recursive-clients 1000;\n\ diff --git a/bin/named/main.c b/bin/named/main.c index 4708cda535..9fc84deef1 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -485,7 +485,6 @@ printversion(bool verbose) { cfg_obj_t *config = NULL; const cfg_obj_t *defaults = NULL, *obj = NULL; #endif /* if defined(HAVE_GEOIP2) */ - nghttp2_info *nginfo = NULL; printf("%s%s \n", PACKAGE_STRING, PACKAGE_DESCRIPTION, PACKAGE_SRCID); 
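Review bot: The two new `"http-port 80;\n"` and `"https-port 443;\n"` fragments are separate quoted literals, so whatever leading whitespace the neighbouring continued lines carry inside the string (the text before `tls-port 853;` appears to be indented within the literal) is no longer part of the default text for these two options; if the defaults string is ever rendered, those two lines will sit flush-left while the rest are indented. Writing the indentation inside the quotes, e.g. `"\thttp-port 80;\n"` if the surrounding lines use a tab, keeps the generated text uniform. The string literal continues outside the hunk on both sides.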
@@ -527,9 +526,12 @@ printversion(bool verbose) { printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR, UV_VERSION_MINOR, UV_VERSION_PATCH); printf("linked to libuv version: %s\n", uv_version_string()); +#if HAVE_LIBNGHTTP2 + nghttp2_info *nginfo = NULL; printf("compiled with libnghttp2 version: %s\n", NGHTTP2_VERSION); nginfo = nghttp2_version(1); printf("linked to libnghttp2 version: %s\n", nginfo->version_str); +#endif #ifdef HAVE_LIBXML2 printf("compiled with libxml2 version: %s\n", LIBXML_DOTTED_VERSION); printf("linked to libxml2 version: %s\n", xmlParserVersion); diff --git a/bin/named/server.c b/bin/named/server.c index 7b70fe5c6b..d444e38f20 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -8626,6 +8626,7 @@ load_configuration(const char *filename, named_server_t *server, maps[i++] = named_g_defaults; maps[i] = NULL; +#if HAVE_LIBNGHTTP2 obj = NULL; result = named_config_get(maps, "http-port", &obj); INSIST(result == ISC_R_SUCCESS); @@ -8635,6 +8636,7 @@ load_configuration(const char *filename, named_server_t *server, result = named_config_get(maps, "https-port", &obj); INSIST(result == ISC_R_SUCCESS); named_g_httpsport = (in_port_t)cfg_obj_asuint32(obj); +#endif /* * If bind.keys exists, load it. If "dnssec-validation auto" diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 23d2c430f9..10e829ac17 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -75,6 +75,12 @@ do n=`expr $n + 1` echo_i "checking that named-checkconf detects no error in $good ($n)" ret=0 + if ! $FEATURETEST --with-libnghttp2 + then + case $good in + good-doh-*.conf) continue; + esac + fi $CHECKCONF $good > checkconf.out$n 2>&1 if [ $? != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c index 1d29d3036f..c2032f8ce6 100644 --- a/bin/tests/system/feature-test.c 
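Review bot: `nginfo->version_str` is dereferenced without a check after `nginfo = nghttp2_version(1);`, and the nghttp2 API contract allows `nghttp2_version()` to return NULL when the runtime library does not meet the requested minimum version; with a least-version argument of 1 that is practically unreachable, but the guard costs one line and keeps `named -V` from crashing on a mismatched shared library. Suggested: `if (nginfo != NULL) { printf("linked to libnghttp2 version: %s\n", nginfo->version_str); }`. This is pre-existing code that the commit only wraps in `#if HAVE_LIBNGHTTP2`, and `printversion` starts and ends outside the hunk.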
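Review bot: The new `if ! $FEATURETEST --with-libnghttp2` skip runs after `n` has been incremented and after `echo_i "checking that named-checkconf detects no error in $good ($n)"` has been printed, so on a build without libnghttp2 the transcript announces a check for every `good-doh-*.conf` that is then never executed, and the test numbering advances for nothing. Moving the skip block above the `n=` and `echo_i` lines, or emitting `echo_i "skipping $good: DoH support not enabled"` before `continue`, keeps the log truthful. The enclosing loop starts and ends outside the hunk.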
+++ b/bin/tests/system/feature-test.c @@ -44,6 +44,7 @@ usage(void) { fprintf(stderr, "\t--with-dlz-filesystem\n"); fprintf(stderr, "\t--with-idn\n"); fprintf(stderr, "\t--with-lmdb\n"); + fprintf(stderr, "\t--with-libnghttp2\n"); } int @@ -171,6 +172,14 @@ main(int argc, char **argv) { #endif /* ifdef HAVE_LMDB */ } + if (strcmp(argv[1], "--with-libnghttp2") == 0) { +#ifdef HAVE_LIBNGHTTP2 + return (0); +#else /* ifdef HAVE_LMDB */ + return (1); +#endif /* ifdef HAVE_LMDB */ + } + fprintf(stderr, "unknown arg: %s\n", argv[1]); usage(); return (1); diff --git a/bin/tests/test_client.c b/bin/tests/test_client.c index 422b3f8115..a0caead0c5 100644 --- a/bin/tests/test_client.c +++ b/bin/tests/test_client.c @@ -392,6 +392,7 @@ connect_cb(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg) { isc_nm_send(handle, &message, send_cb, NULL); } +#if HAVE_LIBNGHTTP2 static void sockaddr_to_url(isc_sockaddr_t *sa, const bool https, char *outbuf, size_t outbuf_len, const char *append) { @@ -418,6 +419,7 @@ sockaddr_to_url(isc_sockaddr_t *sa, const bool https, char *outbuf, saddr, sa_family == AF_INET ? "" : "]", sa_port, append ? append : ""); } +#endif static void run(void) { @@ -437,6 +439,7 @@ run(void) { connect_cb, NULL, timeout, 0, tls_ctx); break; } +#if HAVE_LIBNGHTTP2 case HTTP_GET: case HTTPS_GET: case HTTPS_POST: @@ -455,6 +458,7 @@ run(void) { req_url, is_post, connect_cb, NULL, tls_ctx, timeout, 0); } break; +#endif default: INSIST(0); ISC_UNREACHABLE(); diff --git a/bin/tests/test_server.c b/bin/tests/test_server.c index 01d49d9188..4e566ad142 100644 --- a/bin/tests/test_server.c +++ b/bin/tests/test_server.c @@ -282,6 +282,7 @@ run(void) { tls_ctx, &sock); break; } +#if HAVE_LIBNGHTTP2 case HTTPS: case HTTP: { bool is_https = protocol == HTTPS; @@ -295,6 +296,7 @@ run(void) { read_cb, NULL, 0); } } break; +#endif default: INSIST(0); ISC_UNREACHABLE(); diff --git a/configure.ac b/configure.ac index da41bca622..03fd0b2725 100644 --- a/configure.ac 
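Review bot: The `#else /* ifdef HAVE_LMDB */` and `#endif /* ifdef HAVE_LMDB */` comments in the new `--with-libnghttp2` block were copied from the LMDB case above and now mislabel the guard; they should read `#else /* ifdef HAVE_LIBNGHTTP2 */` and `#endif /* ifdef HAVE_LIBNGHTTP2 */`. Elsewhere in this commit the guard is spelled `#if HAVE_LIBNGHTTP2` while this file uses `#ifdef`; both work with the `AC_DEFINE([HAVE_LIBNGHTTP2], [1], ...)` in configure.ac, but a single spelling is easier to audit with grep. In `usage()` the new `--with-libnghttp2` line is appended after `--with-lmdb`, breaking the alphabetical order the surrounding entries follow. `main` starts and ends outside the hunk.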
+++ b/configure.ac @@ -572,14 +572,27 @@ AC_MSG_CHECKING([for libuv]) PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0], [], [AC_MSG_ERROR([libuv not found])]) -# libnghttp2 -AC_MSG_CHECKING([for libnghttp2]) -PKG_CHECK_MODULES([LIBNGHTTP2], [libnghttp2 >= 1.6.0], [], - [AC_MSG_ERROR([libnghttp2 not found])]) -AX_SAVE_FLAGS([libnghttp2]) +# [pairwise: --enable-doh --with-libnghttp2=auto, --enable-doh --with-libnghttp2=yes, --disable-doh] +AC_ARG_ENABLE([doh], + [AS_HELP_STRING([--disable-doh], [enable DNS over HTTPS, requires libnghttp2 (default=yes)])], + [], [enable_doh=yes]) -CFLAGS="$CFLAGS $LIBNGHTTP2_CFLAGS" -LIBS="$LIBS $LIBNGHTTP2_LIBS" +# [pairwise: skip] +AC_ARG_WITH([libnghttp2], + [AS_HELP_STRING([--with-libnghttp2], + [build with libnghttp2 library [yes|no|auto] (default is auto)])], + [], [with_libnghttp2="auto"]) + +AS_IF([test "$enable_doh" = "yes"], + [AS_CASE([$with_libnghttp2], + [no],[AC_MSG_ERROR([Use '--disable-doh' to disable DoH])], + [auto|yes],[PKG_CHECK_MODULES([LIBNGHTTP2], [libnghttp2 >= 1.6.0], + [AC_DEFINE([HAVE_LIBNGHTTP2], [1], [Build with DoH support])], + [AC_MSG_ERROR([DoH requested, but libnghttp2 not found])])], + [AC_MSG_ERROR([Specifying libnghttp2 installation path is not supported, adjust PKG_CONFIG_PATH instead])])]) + +AM_CONDITIONAL([HAVE_LIBNGHTTP2], [test -n "$LIBNGHTTP2_LIBS"]) + # # flockfile is usually provided by pthreads diff --git a/lib/bind9/Makefile.am b/lib/bind9/Makefile.am index f3e8c377fc..dac685eac5 100644 --- a/lib/bind9/Makefile.am +++ b/lib/bind9/Makefile.am @@ -29,3 +29,7 @@ libbind9_la_LIBADD = \ libbind9_la_LDFLAGS = \ $(AM_LDFLAGS) \ -release "$(PACKAGE_VERSION)" + +if HAVE_DNSTAP +libbind9_la_CPPFLAGS += $(DNSTAP_CFLAGS) +endif diff --git a/lib/isc/Makefile.am b/lib/isc/Makefile.am index cb57424bdf..deed17c9a9 100644 --- a/lib/isc/Makefile.am +++ b/lib/isc/Makefile.am 
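Review bot: `AM_CONDITIONAL([HAVE_LIBNGHTTP2], [test -n "$LIBNGHTTP2_LIBS"])` keys the Automake conditional off a variable the user can preset in the environment, whereas the preprocessor `HAVE_LIBNGHTTP2` is only `AC_DEFINE`d inside the `PKG_CHECK_MODULES` success action; with `--disable-doh` and `LIBNGHTTP2_LIBS` exported, the Makefiles would compile `netmgr/http.c` and `netmgr/tlsstream.c` while every C guard is off. Set a shell flag such as `have_libnghttp2=yes` next to the `AC_DEFINE` in the success action and use `AM_CONDITIONAL([HAVE_LIBNGHTTP2], [test "$have_libnghttp2" = "yes"])` so both switches come from the same decision. The help text `AS_HELP_STRING([--disable-doh], [enable DNS over HTTPS, requires libnghttp2 (default=yes)])` describes the positive form under the negative flag; `disable DNS over HTTPS (enabled by default, requires libnghttp2)` would match the option shown. Note also that `--with-libnghttp2=auto` behaves identically to `yes` here, because a missing library is fatal whenever `enable_doh=yes`.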
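Review bot: The `if HAVE_DNSTAP` / `libbind9_la_CPPFLAGS += $(DNSTAP_CFLAGS)` addition to `lib/bind9/Makefile.am` is the only DNSTAP change in a commit about making libnghttp2 optional; if it repairs a missing include path it deserves its own commit and a sentence in the description. Automake also rejects `+=` on a variable that has not first been assigned with `=` in the same file, and only `libbind9_la_LIBADD` and `libbind9_la_LDFLAGS` are visible in the hunk context, so confirm `libbind9_la_CPPFLAGS` is defined earlier in the file.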
@@ -123,13 +123,11 @@ libisc_la_SOURCES = \ $(libisc_la_HEADERS) \ $(pk11_HEADERS) \ $(pkcs11_HEADERS) \ - netmgr/http.c \ netmgr/netmgr-int.h \ netmgr/netmgr.c \ netmgr/tcp.c \ netmgr/tcpdns.c \ netmgr/tlsdns.c \ - netmgr/tlsstream.c \ netmgr/udp.c \ netmgr/uv-compat.c \ netmgr/uv-compat.h \ @@ -246,6 +244,18 @@ libisc_la_LIBADD = \ $(OPENSSL_LIBS) \ $(ZLIB_LIBS) +if HAVE_LIBNGHTTP2 +libisc_la_SOURCES += \ + netmgr/http.c \ + netmgr/tlsstream.c + +libisc_la_CPPFLAGS += \ + $(LIBNGHTTP2_CFLAGS) + +libisc_la_LIBADD += \ + $(LIBNGHTTP2_LIBS) +endif + if HAVE_JSON_C libisc_la_CPPFLAGS += \ $(JSON_C_CFLAGS) diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h index 6f654424b0..25ccaa1bfa 100644 --- a/lib/isc/include/isc/netmgr.h +++ b/lib/isc/include/isc/netmgr.h @@ -456,17 +456,6 @@ isc_nm_setstats(isc_nm_t *mgr, isc_stats_t *stats); * full range of socket-related stats counter numbers. */ -isc_result_t -isc_nm_listentls(isc_nm_t *mgr, isc_sockaddr_t *iface, - isc_nm_accept_cb_t accept_cb, void *accept_cbarg, - size_t extrahandlesize, int backlog, isc_quota_t *quota, - isc_tlsctx_t *sslctx, isc_nmsocket_t **sockp); - -void -isc_nm_tlsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, - isc_nm_cb_t cb, void *cbarg, isc_tlsctx_t *ctx, - unsigned int timeout, size_t extrahandlesize); - void isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, isc_nm_cb_t cb, void *cbarg, unsigned int timeout, 
@@ -489,6 +478,18 @@ isc_nm_tlsdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, * 'cb'. */ +#if HAVE_LIBNGHTTP2 +isc_result_t +isc_nm_listentls(isc_nm_t *mgr, isc_sockaddr_t *iface, + isc_nm_accept_cb_t accept_cb, void *accept_cbarg, + size_t extrahandlesize, int backlog, isc_quota_t *quota, + isc_tlsctx_t *sslctx, isc_nmsocket_t **sockp); + +void +isc_nm_tlsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, + isc_nm_cb_t cb, void *cbarg, isc_tlsctx_t *ctx, + unsigned int timeout, size_t extrahandlesize); + void isc_nm_httpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, const char *uri, bool POST, isc_nm_cb_t cb, void *cbarg, @@ -503,6 +504,7 @@ isc_nm_listenhttp(isc_nm_t *mgr, isc_sockaddr_t *iface, int backlog, isc_result_t isc_nm_http_endpoint(isc_nmsocket_t *sock, const char *uri, isc_nm_recv_cb_t cb, void *cbarg, size_t extrahandlesize); +#endif bool isc_nm_is_http_handle(isc_nmhandle_t *handle); diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h index ba74753a86..af341a344f 100644 --- a/lib/isc/netmgr/netmgr-int.h +++ b/lib/isc/netmgr/netmgr-int.h @@ -1522,17 +1522,6 @@ void isc__nm_tlsdns_send(isc_nmhandle_t *handle, isc_region_t *region, isc_nm_cb_t cb, void *cbarg); -void -isc__nm_tls_send(isc_nmhandle_t *handle, const isc_region_t *region, - isc_nm_cb_t cb, void *cbarg); - -void -isc__nm_tls_cancelread(isc_nmhandle_t *handle); - -/*%< - * Back-end implementation of isc_nm_send() for TLSDNS handles. - */ - void isc__nm_tlsdns_shutdown(isc_nmsocket_t *sock); 
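Review bot: `isc_nm_is_http_handle()` is left outside the new `#if HAVE_LIBNGHTTP2 ... #endif` block while the rest of the HTTP API moves inside it; if its definition lives in `netmgr/http.c`, which `lib/isc/Makefile.am` now compiles only under `HAVE_LIBNGHTTP2`, any caller that is not itself guarded (the `query.c` call site in this commit is) will compile and then fail to link without libnghttp2. Either move the prototype inside the guard, or keep it unconditional and provide a non-DoH definition that returns `false` so callers can stay simple. A one-line comment on the declaration stating which of the two is intended, e.g. `/* Always available; returns false when built without libnghttp2. */`, would settle it for the next reader.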
@@ -1582,6 +1571,18 @@ isc__nm_tlsdns_cancelread(isc_nmhandle_t *handle); * Stop reading on a connected TLSDNS handle. */ +#if HAVE_LIBNGHTTP2 +void +isc__nm_tls_send(isc_nmhandle_t *handle, const isc_region_t *region, + isc_nm_cb_t cb, void *cbarg); + +void +isc__nm_tls_cancelread(isc_nmhandle_t *handle); + +/*%< + * Back-end implementation of isc_nm_send() for TLSDNS handles. + */ + void isc__nm_tls_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg); @@ -1680,6 +1681,8 @@ isc__nm_httpsession_attach(isc_nm_http_session_t *source, void isc__nm_httpsession_detach(isc_nm_http_session_t **sessionp); +#endif + #define isc__nm_uverr2result(x) \ isc___nm_uverr2result(x, true, __FILE__, __LINE__, __func__) isc_result_t diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c index 0876bb3217..9c716423f1 100644 --- a/lib/isc/netmgr/netmgr.c +++ b/lib/isc/netmgr/netmgr.c @@ -954,12 +954,6 @@ process_netievent(isc__networker_t *worker, isc__netievent_t *ievent) { NETIEVENT_CASE(tcpdnsread); NETIEVENT_CASE(tcpdnsstop); - NETIEVENT_CASE(tlsstartread); - NETIEVENT_CASE(tlssend); - NETIEVENT_CASE(tlsclose); - NETIEVENT_CASE(tlsdobio); - NETIEVENT_CASE(tlscancel); - NETIEVENT_CASE(tlsdnscycle); NETIEVENT_CASE(tlsdnsaccept); NETIEVENT_CASE(tlsdnslisten); @@ -971,9 +965,17 @@ process_netievent(isc__networker_t *worker, isc__netievent_t *ievent) { NETIEVENT_CASE(tlsdnsstop); NETIEVENT_CASE(tlsdnsshutdown); +#if HAVE_LIBNGHTTP2 + NETIEVENT_CASE(tlsstartread); + NETIEVENT_CASE(tlssend); + NETIEVENT_CASE(tlsclose); + NETIEVENT_CASE(tlsdobio); + NETIEVENT_CASE(tlscancel); + NETIEVENT_CASE(httpstop); NETIEVENT_CASE(httpsend); NETIEVENT_CASE(httpclose); +#endif NETIEVENT_CASE(connectcb); NETIEVENT_CASE(readcb); 
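Review bot: The `/*%< Back-end implementation of isc_nm_send() for TLSDNS handles. */` comment moved into the new `#if HAVE_LIBNGHTTP2` block sits after `isc__nm_tls_cancelread`, and the `%<` form documents the preceding declaration, so it currently describes neither that function nor the TLS stream transport. Since the commit relocates these lines anyway, place the comment directly under `isc__nm_tls_send` and reword it to `Back-end implementation of isc_nm_send() for TLS stream handles.`, and give `isc__nm_tls_cancelread` its own `Stop reading on a connected TLS stream handle.` note in the style of the `isc__nm_tlsdns_cancelread` comment visible at the top of the hunk.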
@@ -1281,8 +1283,10 @@ nmsocket_cleanup(isc_nmsocket_t *sock, bool dofree FLARG) { isc_mem_free(sock->mgr->mctx, sock->ah_handles); isc_mutex_destroy(&sock->lock); isc_condition_destroy(&sock->scond); +#if HAVE_LIBNGHTTP2 isc__nm_tls_cleanup_data(sock); isc__nm_http_cleanup_data(sock); +#endif #ifdef NETMGR_TRACE LOCK(&sock->mgr->lock); ISC_LIST_UNLINK(sock->mgr->active_sockets, sock, active_link); @@ -1395,15 +1399,17 @@ isc___nmsocket_prep_destroy(isc_nmsocket_t *sock FLARG) { case isc_nm_tcpdnssocket: isc__nm_tcpdns_close(sock); return; - case isc_nm_tlssocket: - isc__nm_tls_close(sock); - break; case isc_nm_tlsdnssocket: isc__nm_tlsdns_close(sock); return; +#if HAVE_LIBNGHTTP2 + case isc_nm_tlssocket: + isc__nm_tls_close(sock); + break; case isc_nm_httpsocket: isc__nm_http_close(sock); return; +#endif default: break; } @@ -1551,7 +1557,9 @@ isc___nmsocket_init(isc_nmsocket_t *sock, isc_nm_t *mgr, isc_nmsocket_type type, atomic_init(&sock->active_child_connections, 0); +#if HAVE_LIBNGHTTP2 isc__nm_http_initsocket(sock); +#endif sock->magic = NMSOCK_MAGIC; } @@ -1699,10 +1707,12 @@ isc___nmhandle_get(isc_nmsocket_t *sock, isc_sockaddr_t *peer, break; } +#if HAVE_LIBNGHTTP2 if (sock->type == isc_nm_httpsocket && sock->h2.session) { isc__nm_httpsession_attach(sock->h2.session, &handle->httpsession); } +#endif return (handle); } @@ -1839,9 +1849,11 @@ nmhandle_detach_cb(isc_nmhandle_t **handlep FLARG) { handle->doreset(handle->opaque); } +#if HAVE_LIBNGHTTP2 if (sock->type == isc_nm_httpsocket && handle->httpsession != NULL) { isc__nm_httpsession_detach(&handle->httpsession); } +#endif nmhandle_deactivate(sock, handle); @@ -2335,12 +2347,14 @@ isc_nmhandle_cleartimeout(isc_nmhandle_t *handle) { REQUIRE(VALID_NMSOCK(handle->sock)); switch (handle->sock->type) { +#if HAVE_LIBNGHTTP2 case isc_nm_httpsocket: isc__nm_http_cleartimeout(handle); return; case isc_nm_tlssocket: isc__nm_tls_cleartimeout(handle); return; +#endif default: handle->sock->read_timeout = 0; 
@@ -2356,12 +2370,14 @@ isc_nmhandle_settimeout(isc_nmhandle_t *handle, uint32_t timeout) { REQUIRE(VALID_NMSOCK(handle->sock)); switch (handle->sock->type) { +#if HAVE_LIBNGHTTP2 case isc_nm_httpsocket: isc__nm_http_settimeout(handle, timeout); return; case isc_nm_tlssocket: isc__nm_tls_settimeout(handle, timeout); return; +#endif default: handle->sock->read_timeout = timeout; isc__nmsocket_timer_restart(handle->sock); @@ -2472,15 +2488,17 @@ isc_nm_send(isc_nmhandle_t *handle, isc_region_t *region, isc_nm_cb_t cb, case isc_nm_tcpdnssocket: isc__nm_tcpdns_send(handle, region, cb, cbarg); break; - case isc_nm_tlssocket: - isc__nm_tls_send(handle, region, cb, cbarg); - break; case isc_nm_tlsdnssocket: isc__nm_tlsdns_send(handle, region, cb, cbarg); break; +#if HAVE_LIBNGHTTP2 + case isc_nm_tlssocket: + isc__nm_tls_send(handle, region, cb, cbarg); + break; case isc_nm_httpsocket: isc__nm_http_send(handle, region, cb, cbarg); break; +#endif default: INSIST(0); ISC_UNREACHABLE(); @@ -2508,15 +2526,17 @@ isc_nm_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) { case isc_nm_tcpdnssocket: isc__nm_tcpdns_read(handle, cb, cbarg); break; - case isc_nm_tlssocket: - isc__nm_tls_read(handle, cb, cbarg); - break; case isc_nm_tlsdnssocket: isc__nm_tlsdns_read(handle, cb, cbarg); break; +#if HAVE_LIBNGHTTP2 + case isc_nm_tlssocket: + isc__nm_tls_read(handle, cb, cbarg); + break; case isc_nm_httpsocket: isc__nm_http_read(handle, cb, cbarg); break; +#endif default: INSIST(0); ISC_UNREACHABLE(); @@ -2540,9 +2560,11 @@ isc_nm_cancelread(isc_nmhandle_t *handle) { case isc_nm_tlsdnssocket: isc__nm_tlsdns_cancelread(handle); break; +#if HAVE_LIBNGHTTP2 case isc_nm_tlssocket: isc__nm_tls_cancelread(handle); break; +#endif default: INSIST(0); ISC_UNREACHABLE(); 
@@ -2559,9 +2581,11 @@ isc_nm_pauseread(isc_nmhandle_t *handle) { case isc_nm_tcpsocket: isc__nm_tcp_pauseread(handle); break; +#if HAVE_LIBNGHTTP2 case isc_nm_tlssocket: isc__nm_tls_pauseread(handle); break; +#endif default: INSIST(0); ISC_UNREACHABLE(); @@ -2578,9 +2602,11 @@ isc_nm_resumeread(isc_nmhandle_t *handle) { case isc_nm_tcpsocket: isc__nm_tcp_resumeread(handle); break; +#if HAVE_LIBNGHTTP2 case isc_nm_tlssocket: isc__nm_tls_resumeread(handle); break; +#endif default: INSIST(0); ISC_UNREACHABLE(); @@ -2601,15 +2627,17 @@ isc_nm_stoplistening(isc_nmsocket_t *sock) { case isc_nm_tcplistener: isc__nm_tcp_stoplistening(sock); break; - case isc_nm_tlslistener: - isc__nm_tls_stoplistening(sock); - break; case isc_nm_tlsdnslistener: isc__nm_tlsdns_stoplistening(sock); break; +#if HAVE_LIBNGHTTP2 + case isc_nm_tlslistener: + isc__nm_tls_stoplistening(sock); + break; case isc_nm_httplistener: isc__nm_http_stoplistening(sock); break; +#endif default: INSIST(0); ISC_UNREACHABLE(); diff --git a/lib/isc/tests/Makefile.am b/lib/isc/tests/Makefile.am index b21bd7a4a0..a8b81fc256 100644 --- a/lib/isc/tests/Makefile.am +++ b/lib/isc/tests/Makefile.am @@ -19,7 +19,6 @@ check_PROGRAMS = \ buffer_test \ counter_test \ crc64_test \ - doh_test \ errno_test \ file_test \ hash_test \ @@ -48,15 +47,21 @@ check_PROGRAMS = \ time_test \ timer_test +if HAVE_LIBNGHTTP2 +check_PROGRAMS += \ + doh_test + doh_test_CPPFLAGS = \ $(AM_CPPFLAGS) \ $(LIBUV_CFLAGS) \ + $(LIBNGHTTP2_CFLAGS) \ $(OPENSSL_CFLAGS) doh_test_LDADD = \ $(LDADD) \ - $(LIBUV_LIBS) \ - $(OPENSSL_LIBS) + $(LIBNGHTTP2_LIBS) \ + $(LIBUV_LIBS) +endif HAVE_LIBNGHTTP2 hmac_test_CPPFLAGS = \ $(AM_CPPFLAGS) \ diff --git a/lib/isc/tests/netmgr_test.c b/lib/isc/tests/netmgr_test.c index 507c3a8a6e..7c789d7b3b 100644 --- a/lib/isc/tests/netmgr_test.c +++ b/lib/isc/tests/netmgr_test.c 
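Review bot: `doh_test_LDADD` loses `$(OPENSSL_LIBS)` in this hunk while `doh_test_CPPFLAGS` keeps `$(OPENSSL_CFLAGS)`, so the test still compiles against OpenSSL headers but no longer links OpenSSL explicitly. That only works if `$(LDADD)` already pulls OpenSSL in transitively; if doh_test calls any OpenSSL symbol directly, the `--enable-doh` build breaks at link time. Either keep `$(OPENSSL_LIBS)` in `doh_test_LDADD` or drop `$(OPENSSL_CFLAGS)` from `doh_test_CPPFLAGS` so the two lists agree.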
@@ -1145,14 +1145,18 @@ tcp_connect(isc_nm_t *nm) { connect_connect_cb, NULL, T_CONNECT, 0); } +#if HAVE_LIBNGHTTP2 static void tls_connect(isc_nm_t *nm); +#endif static stream_connect_function get_stream_connect_function(void) { +#if HAVE_LIBNGHTTP2 if (stream_use_TLS) { return (tls_connect); } +#endif return (tcp_connect); } @@ -1161,16 +1165,19 @@ stream_listen(isc_nm_accept_cb_t accept_cb, void *accept_cbarg, size_t extrahandlesize, int backlog, isc_quota_t *quota, isc_nmsocket_t **sockp) { isc_result_t result = ISC_R_SUCCESS; + +#if HAVE_LIBNGHTTP2 if (stream_use_TLS) { result = isc_nm_listentls(listen_nm, &tcp_listen_addr, accept_cb, accept_cbarg, extrahandlesize, backlog, quota, tcp_listen_tlsctx, sockp); - } else { - result = isc_nm_listentcp( - listen_nm, &tcp_listen_addr, accept_cb, accept_cbarg, - extrahandlesize, backlog, quota, sockp); + return (result); } +#endif + result = isc_nm_listentcp(listen_nm, &tcp_listen_addr, accept_cb, + accept_cbarg, extrahandlesize, backlog, quota, + sockp); return (result); } @@ -1178,15 +1185,16 @@ stream_listen(isc_nm_accept_cb_t accept_cb, void *accept_cbarg, static void stream_connect(isc_nm_cb_t cb, void *cbarg, unsigned int timeout, size_t extrahandlesize) { +#if HAVE_LIBNGHTTP2 if (stream_use_TLS) { isc_nm_tlsconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr, cb, cbarg, tcp_connect_tlsctx, timeout, extrahandlesize); - } else { - isc_nm_tcpconnect(connect_nm, &tcp_connect_addr, - &tcp_listen_addr, cb, cbarg, timeout, - extrahandlesize); + return; } +#endif + isc_nm_tcpconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr, cb, + cbarg, timeout, extrahandlesize); } static void @@ -2121,6 +2129,7 @@ tcpdns_half_recv_half_send(void **state __attribute__((unused))) { /* TLS */ +#if HAVE_LIBNGHTTP2 static void tls_connect(isc_nm_t *nm) { isc_nm_tlsconnect(nm, &tcp_connect_addr, &tcp_listen_addr, 
@@ -2301,6 +2310,7 @@ tls_half_recv_half_send_quota_sendback(void **state) { atomic_store(&check_listener_quota, true); stream_half_recv_half_send(state); } +#endif /* TLSDNS */ @@ -2833,6 +2843,7 @@ main(void) { cmocka_unit_test_setup_teardown(tcpdns_half_recv_half_send, nm_setup, nm_teardown), +#if HAVE_LIBNGHTTP2 /* TLS */ cmocka_unit_test_setup_teardown(tls_noop, nm_setup, nm_teardown), @@ -2886,6 +2897,7 @@ main(void) { cmocka_unit_test_setup_teardown( tls_half_recv_half_send_quota_sendback, nm_setup, nm_teardown), +#endif /* TLSDNS */ cmocka_unit_test_setup_teardown(tlsdns_recv_one, nm_setup, diff --git a/lib/isc/tests/result_test.c b/lib/isc/tests/result_test.c index 248dea6f8c..ff20f160b7 100644 --- a/lib/isc/tests/result_test.c +++ b/lib/isc/tests/result_test.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include @@ -73,6 +74,7 @@ tables(void **state) { assert_non_null(str); assert_string_not_equal(str, "(result code text not " "available)"); + fprintf(stderr, "%u < %u\n", result, (unsigned)ISC_R_NRESULTS); } str = isc_result_toid(result); diff --git a/lib/isc/tls.c b/lib/isc/tls.c index 5fc293d526..cf947fa645 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c @@ -10,7 +10,9 @@ */ #include +#if HAVE_LIBNGHTTP2 #include +#endif /* HAVE_LIBNGHTTP2 */ #include #include @@ -388,6 +390,7 @@ isc_tls_free(isc_tls_t **tlsp) { *tlsp = NULL; } +#if HAVE_LIBNGHTTP2 #ifndef OPENSSL_NO_NEXTPROTONEG /* * NPN TLS extension client callback. @@ -480,3 +483,4 @@ isc_tls_get_http2_alpn(isc_tls_t *tls, const unsigned char **alpn, } #endif } +#endif /* HAVE_LIBNGHTTP2 */ diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index e72aac7ab5..555c7d4a65 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
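Review bot: The added `fprintf(stderr, "%u < %u\n", result, (unsigned)ISC_R_NRESULTS);` inside `tables()` prints on every iteration of the result-code loop, is unrelated to making libnghttp2 optional, and reads as leftover debugging output together with the new `#include` it needed; it should be dropped from this commit. If a diagnostic is really wanted, it belongs behind the test's verbosity, and `result` should get the same `(unsigned)` cast as `ISC_R_NRESULTS` unless `isc_result_t` is exactly `unsigned int`. `tables` starts and ends outside the hunk.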
@@ -161,8 +161,13 @@ static cfg_type_t cfg_type_tkey_dhkey = { "tkey-dhkey", cfg_parse_tuple, static cfg_tuplefielddef_t listenon_tuple_fields[] = { { "port", &cfg_type_optional_port, 0 }, { "dscp", &cfg_type_uint32, 0 }, +#if HAVE_LIBNGHTTP2 { "tls", &cfg_type_astring, 0 }, { "http", &cfg_type_astring, 0 }, +#else + { "tls", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED }, + { "http", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED }, +#endif { NULL, NULL, 0 } }; static cfg_type_t cfg_type_listen_tuple = { @@ -1244,8 +1249,13 @@ static cfg_clausedef_t options_clauses[] = { { "pid-file", &cfg_type_qstringornone, 0 }, { "port", &cfg_type_uint32, 0 }, { "tls-port", &cfg_type_uint32, 0 }, +#if HAVE_LIBNGHTTP2 { "http-port", &cfg_type_uint32, 0 }, { "https-port", &cfg_type_uint32, 0 }, +#else + { "http-port", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTCONFIGURED }, + { "https-port", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTCONFIGURED }, +#endif { "querylog", &cfg_type_boolean, 0 }, { "random-device", &cfg_type_qstringornone, 0 }, { "recursing-file", &cfg_type_qstring, 0 }, diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c index 54e2ed7a69..adebd6e4a1 100644 --- a/lib/ns/interfacemgr.c +++ b/lib/ns/interfacemgr.c @@ -540,6 +540,7 @@ ns_interface_listentls(ns_interface_t *ifp, isc_tlsctx_t *sslctx) { static isc_result_t ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps, size_t neps) { +#if HAVE_LIBNGHTTP2 isc_result_t result; isc_nmsocket_t *sock = NULL; @@ -581,6 +582,13 @@ ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps, } return (result); +#else + UNUSED(ifp); + UNUSED(sslctx); + UNUSED(eps); + UNUSED(neps); + return (ISC_R_NOTIMPLEMENTED); +#endif } static isc_result_t diff --git a/lib/ns/query.c b/lib/ns/query.c index ca95abccda..74540df904 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c 
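Review bot: The `#else` branch marks the `tls` and `http` entries of `listenon_tuple_fields` with `CFG_CLAUSEFLAG_NOTCONFIGURED`, but that array is a `cfg_tuplefielddef_t` list, while the same flag in the second hunk is applied to `cfg_clausedef_t` entries; the flag's name suggests it was designed for clauses, so confirm the tuple parser honours it. If it does not, a `listen-on ... http ...` statement on a build without libnghttp2 is accepted at parse time and only fails later when `ns_interface_listenhttp` (wrapped in the interfacemgr.c hunk) returns `ISC_R_NOTIMPLEMENTED`, which is a less clear failure for an operator than a configuration error. A short comment above the `#else`, e.g. `/* Reject DoH listener options at parse time when built without libnghttp2. */`, would record the intent either way.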
@@ -12029,6 +12029,7 @@ ns_query_start(ns_client_t *client, isc_nmhandle_t *handle) { break; /* Let the query logic handle it. */ case dns_rdatatype_ixfr: case dns_rdatatype_axfr: +#if HAVE_LIBNGHTTP2 if (isc_nm_is_http_handle(handle)) { /* We cannot use DoH for zone transfers. * According to RFC8484 a DoH request contains @@ -12044,9 +12045,10 @@ ns_query_start(ns_client_t *client, isc_nmhandle_t *handle) { * the best thing we can do is to return "not * implemented". */ query_error(client, DNS_R_NOTIMP, __LINE__); - } else { - ns_xfr_start(client, rdataset->type); + return; } +#endif + ns_xfr_start(client, rdataset->type); return; case dns_rdatatype_maila: case dns_rdatatype_mailb: