creation of client TLS ctx before exclusive mode
When the server is configured (inside `apply_configuration`) a client TLS context cache is created and attached to the global server object. It is then used by the `configure_view` flow (and also during runtime through the zone manager). It is now created before the exclusive mode, and the swap with the previous TLS ctx cache is done at the end of the exclusive mode, if everything went well. This allows us (among other follow-up changes) to move the `configure_views` function outside of the exclusive mode.
This commit is contained in:
parent
e1be2be4ef
commit
c225ba17c2
1 changed files with 39 additions and 25 deletions
|
|
@ -3795,7 +3795,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
|
|||
cfg_obj_t *vconfig, named_cachelist_t *cachelist,
|
||||
named_cachelist_t *oldcachelist, dns_kasplist_t *kasplist,
|
||||
const cfg_obj_t *bindkeys, isc_mem_t *mctx,
|
||||
cfg_aclconfctx_t *actx, bool need_hints, bool first_time) {
|
||||
cfg_aclconfctx_t *actx, isc_tlsctx_cache_t *tlsctx_client_cache,
|
||||
bool need_hints, bool first_time) {
|
||||
const cfg_obj_t *maps[4];
|
||||
const cfg_obj_t *cfgmaps[3];
|
||||
const cfg_obj_t *optionmaps[3];
|
||||
|
|
@ -4506,8 +4507,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
|
|||
goto cleanup;
|
||||
}
|
||||
|
||||
CHECK(dns_view_createresolver(view, resopts,
|
||||
named_g_server->tlsctx_client_cache,
|
||||
CHECK(dns_view_createresolver(view, resopts, tlsctx_client_cache,
|
||||
dispatch4, dispatch6));
|
||||
|
||||
if (resstats == NULL) {
|
||||
|
|
@ -7896,9 +7896,11 @@ create_views(cfg_obj_t *config, cfg_parser_t *parser,
|
|||
|
||||
static isc_result_t
|
||||
configure_views(cfg_obj_t *config, const cfg_obj_t *bindkeys,
|
||||
cfg_aclconfctx_t *aclconfctx, dns_viewlist_t *viewlist,
|
||||
named_cachelist_t *cachelist, dns_kasplist_t *kasplist,
|
||||
named_server_t *server, bool first_time) {
|
||||
cfg_aclconfctx_t *aclconfctx,
|
||||
isc_tlsctx_cache_t *tlsctx_client_cache,
|
||||
dns_viewlist_t *viewlist, named_cachelist_t *cachelist,
|
||||
dns_kasplist_t *kasplist, named_server_t *server,
|
||||
bool first_time) {
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
const cfg_obj_t *views = NULL;
|
||||
dns_viewlist_t tmpviewlist;
|
||||
|
|
@ -7920,8 +7922,8 @@ configure_views(cfg_obj_t *config, const cfg_obj_t *bindkeys,
|
|||
|
||||
result = configure_view(view, viewlist, config, vconfig,
|
||||
cachelist, &server->cachelist, kasplist,
|
||||
bindkeys, isc_g_mctx, aclconfctx, true,
|
||||
first_time);
|
||||
bindkeys, isc_g_mctx, aclconfctx,
|
||||
tlsctx_client_cache, true, first_time);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_view_detach(&view);
|
||||
return result;
|
||||
|
|
@ -7942,8 +7944,8 @@ configure_views(cfg_obj_t *config, const cfg_obj_t *bindkeys,
|
|||
}
|
||||
result = configure_view(view, viewlist, config, NULL, cachelist,
|
||||
&server->cachelist, kasplist, bindkeys,
|
||||
isc_g_mctx, aclconfctx, true,
|
||||
first_time);
|
||||
isc_g_mctx, aclconfctx,
|
||||
tlsctx_client_cache, true, first_time);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_view_detach(&view);
|
||||
return result;
|
||||
|
|
@ -7969,8 +7971,8 @@ configure_views(cfg_obj_t *config, const cfg_obj_t *bindkeys,
|
|||
|
||||
result = configure_view(view, viewlist, config, vconfig,
|
||||
cachelist, &server->cachelist, kasplist,
|
||||
bindkeys, isc_g_mctx, aclconfctx, false,
|
||||
first_time);
|
||||
bindkeys, isc_g_mctx, aclconfctx,
|
||||
tlsctx_client_cache, false, first_time);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_view_detach(&view);
|
||||
return result;
|
||||
|
|
@ -8128,6 +8130,7 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
|||
dns_aclenv_t *env =
|
||||
ns_interfacemgr_getaclenv(named_g_server->interfacemgr);
|
||||
cfg_aclconfctx_t *tmpaclconfctx, *aclconfctx = NULL;
|
||||
isc_tlsctx_cache_t *tlsctx_client_cache = NULL;
|
||||
|
||||
isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
|
||||
ISC_LOG_DEBUG(1), "apply_configuration");
|
||||
|
|
@ -8176,6 +8179,9 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
|||
goto cleanup_viewlist;
|
||||
}
|
||||
|
||||
/* Create a new client TLS context cache */
|
||||
isc_tlsctx_cache_create(isc_g_mctx, &tlsctx_client_cache);
|
||||
|
||||
/* Ensure exclusive access to configuration data. */
|
||||
isc_loopmgr_pause();
|
||||
|
||||
|
|
@ -8197,22 +8203,13 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
|||
}
|
||||
}
|
||||
|
||||
/* Let's recreate the TLS context cache */
|
||||
/* Let's recreate the server TLS context cache */
|
||||
if (server->tlsctx_server_cache != NULL) {
|
||||
isc_tlsctx_cache_detach(&server->tlsctx_server_cache);
|
||||
}
|
||||
|
||||
isc_tlsctx_cache_create(isc_g_mctx, &server->tlsctx_server_cache);
|
||||
|
||||
if (server->tlsctx_client_cache != NULL) {
|
||||
isc_tlsctx_cache_detach(&server->tlsctx_client_cache);
|
||||
}
|
||||
|
||||
isc_tlsctx_cache_create(isc_g_mctx, &server->tlsctx_client_cache);
|
||||
|
||||
dns_zonemgr_set_tlsctx_cache(server->zonemgr,
|
||||
server->tlsctx_client_cache);
|
||||
|
||||
#if HAVE_LIBNGHTTP2
|
||||
obj = NULL;
|
||||
result = named_config_get(maps, "http-port", &obj);
|
||||
|
|
@ -8786,8 +8783,9 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
|||
*/
|
||||
(void)configure_session_key(maps, server, isc_g_mctx, first_time);
|
||||
|
||||
result = configure_views(config, bindkeys, aclconfctx, &viewlist,
|
||||
&cachelist, &kasplist, server, first_time);
|
||||
result = configure_views(config, bindkeys, aclconfctx,
|
||||
tlsctx_client_cache, &viewlist, &cachelist,
|
||||
&kasplist, server, first_time);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup_cachelist;
|
||||
}
|
||||
|
|
@ -9187,6 +9185,17 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
|||
server->aclconfctx = aclconfctx;
|
||||
aclconfctx = tmpaclconfctx;
|
||||
|
||||
/*
|
||||
* Swap client TLS context
|
||||
*/
|
||||
if (server->tlsctx_client_cache != NULL) {
|
||||
isc_tlsctx_cache_detach(&server->tlsctx_client_cache);
|
||||
}
|
||||
|
||||
isc_tlsctx_cache_attach(tlsctx_client_cache,
|
||||
&server->tlsctx_client_cache);
|
||||
dns_zonemgr_set_tlsctx_cache(server->zonemgr, tlsctx_client_cache);
|
||||
|
||||
(void)named_server_loadnta(server);
|
||||
|
||||
/*
|
||||
|
|
@ -9225,7 +9234,6 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
|
|||
goto cleanup_altsecrets;
|
||||
}
|
||||
|
||||
|
||||
(void)ns_interfacemgr_scan(server->interfacemgr, true, true);
|
||||
|
||||
/*
|
||||
|
|
@ -9274,6 +9282,12 @@ cleanup_bindkeys_parser:
|
|||
isc_loopmgr_resume();
|
||||
}
|
||||
|
||||
/*
|
||||
* Detach the TLS client context (whether the one created at the
|
||||
* begining of this function, or the previous running one)
|
||||
*/
|
||||
isc_tlsctx_cache_detach(&tlsctx_client_cache);
|
||||
|
||||
cleanup_viewlist:
|
||||
ISC_LIST_FOREACH(viewlist, view, link) {
|
||||
ISC_LIST_UNLINK(viewlist, view, link);
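Review bot: The comment above the new `isc_tlsctx_cache_detach(&tlsctx_client_cache);` misstates what is released: `tlsctx_client_cache` always points at the cache created just before `isc_loopmgr_pause()`, never at the previously running one (that one is detached in the swap block at the end of the exclusive section), so on the success path this only drops the local reference while `server->tlsctx_client_cache` keeps its own. Suggest replacing the three comment lines with `/* Drop this function's reference to the client TLS context cache created above; on success the server now holds its own reference to it. */`, which also fixes the "begining" typo. The detach is unconditional, and the NULL guard kept in the swap block suggests `isc_tlsctx_cache_detach` does not accept a NULL pointer, so this placement relies on every failure path after the create landing on a label above `cleanup_viewlist` and every path that reaches `cleanup_viewlist` directly running before the create; a `goto cleanup_viewlist` issued after the create would leak the new cache. I cannot confirm either from the hunk, since apply_configuration's body extends outside it.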
|
||||
|
|
|
|||