X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=pdns%2Fdoh.hh;h=9e51c2e065359951176d3f26343d416cf11fd7c7;hb=8b5f4644ae4cb7c2327f6238764f18ab624bc885;hp=0b90c02c4d18236f597becd1e232f4548c2649d0;hpb=b9d4b2fb04785c783a4aea1ef300be85c7a53403;p=thirdparty%2Fpdns.git
diff --git a/pdns/doh.hh b/pdns/doh.hh
index 0b90c02c4d..9e51c2e065 100644
--- a/pdns/doh.hh
+++ b/pdns/doh.hh
@@ -1,3 +1,24 @@
+/*
+ * This file is part of PowerDNS or dnsdist.
+ * Copyright -- PowerDNS.COM B.V. and its contributors
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * In addition, for the avoidance of any doubt, permission is granted to
+ * link this program with OpenSSL and to (re)distribute the binaries
+ * produced as the result of such linking.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
 #pragma once
 #include "iputils.hh"
 #include "libssl.hh"
@@ -40,33 +61,28 @@ private: struct DOHFrontend { + DOHFrontend() + { + } + std::shared_ptr d_dsc{nullptr}; - std::vector> d_certKeyPairs; - std::vector d_ocspFiles; std::vector> d_responsesMap; - std::string d_ciphers; - std::string d_ciphers13; + TLSConfig d_tlsConfig; + TLSErrorCounters d_tlsCounters; std::string d_serverTokens{"h2o/dnsdist"}; - LibsslTLSVersion d_minTLSVersion{LibsslTLSVersion::TLS10}; std::vector> d_customResponseHeaders; ComboAddress d_local; uint32_t d_idleTimeout{30}; // HTTP idle timeout in seconds std::vector d_urls; - std::atomic d_httpconnects; // number of TCP/IP connections established - std::atomic d_tls10queries; // valid DNS queries received via TLSv1.0 - std::atomic d_tls11queries; // valid DNS queries received via TLSv1.1 - std::atomic d_tls12queries; // valid DNS queries received via TLSv1.2 - std::atomic d_tls13queries; // valid DNS queries received via TLSv1.3 - std::atomic d_tlsUnknownqueries; // valid DNS queries received via unknown TLS version - - std::atomic d_getqueries; // valid DNS queries received via GET - std::atomic d_postqueries; // valid DNS queries received via POST - std::atomic d_badrequests; // request could not be converted to dns query - std::atomic d_errorresponses; // dnsdist set 'error' on response - std::atomic d_redirectresponses; // dnsdist set 'redirect' on response - std::atomic d_validresponses; // valid responses sent out + std::atomic d_httpconnects{0}; // number of TCP/IP connections established + std::atomic d_getqueries{0}; // valid DNS queries received via GET + std::atomic d_postqueries{0}; // valid DNS queries received via POST + std::atomic d_badrequests{0}; // request could not be converted to dns query + std::atomic d_errorresponses{0}; // dnsdist set 'error' on response + std::atomic d_redirectresponses{0}; // dnsdist set 'redirect' on response + std::atomic d_validresponses{0}; // valid responses sent out struct HTTPVersionStats { 
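Review bot: The new `DOHFrontend() { }` at the top of the hunk is a user-provided constructor with an empty body, which adds nothing over the in-class initializers the members already carry but does make the type non-trivially-constructible; `DOHFrontend() = default;` gives the same initialization and lets the compiler keep the default constructor trivial where the members allow. If the explicit body is there to satisfy something outside this header, a one-line comment such as `// user-provided on purpose: <reason>` would stop the next reader from "simplifying" it away. The replacement of the per-TLS-version query counters by `TLSErrorCounters d_tlsCounters` appears to move that accounting into the shared TLS code, which I cannot confirm from this hunk; if the old `d_tls1Xqueries` metrics are exported anywhere, that exporter needs the same update. The DOHFrontend struct continues past the end of this hunk.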
@@ -81,6 +97,13 @@ struct DOHFrontend HTTPVersionStats d_http1Stats; HTTPVersionStats d_http2Stats; + bool d_sendCacheControlHeaders{true}; + bool d_trustForwardedForHeader{false}; + + time_t getTicketsKeyRotationDelay() const + { + return d_tlsConfig.d_ticketsKeyRotationDelay; + } #ifndef HAVE_DNS_OVER_HTTPS void setup() @@ -90,9 +113,39 @@ struct DOHFrontend void reloadCertificates() { } + + void rotateTicketsKey(time_t now) + { + } + + void loadTicketsKeys(const std::string& keyFile) + { + } + + void handleTicketsKeyRotation() + { + } + + time_t getNextTicketsKeyRotation() const + { + return 0; + } + + size_t getTicketsKeysCount() const + { + size_t res = 0; + return res; + } + #else void setup(); void reloadCertificates(); + + void rotateTicketsKey(time_t now); + void loadTicketsKeys(const std::string& keyFile); + void handleTicketsKeyRotation(); + time_t getNextTicketsKeyRotation() const; + size_t getTicketsKeysCount() const; #endif /* HAVE_DNS_OVER_HTTPS */ }; @@ -108,6 +161,24 @@ struct st_h2o_req_t; struct DOHUnit { + DOHUnit() + { + } + DOHUnit(const DOHUnit&) = delete; + DOHUnit& operator=(const DOHUnit&) = delete; + + void get() + { + ++d_refcnt; + } + + void release() + { + if (--d_refcnt == 0) { + delete this; + } + } + std::string query; std::string response; ComboAddress remote; @@ -115,6 +186,7 @@ struct DOHUnit st_h2o_req_t* req{nullptr}; DOHUnit** self{nullptr}; std::string contentType; + std::atomic d_refcnt{1}; int rsock; uint16_t qtype; /* the status_code is set from
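Review bot: `bool d_trustForwardedForHeader{false};` carries no comment stating the trust boundary it controls, and it is the one new member here that changes a security decision rather than a counter or a delay. Defaulting to false is right, but the header value is client-supplied, so anyone flipping it needs to know it must only be enabled when a front proxy that overwrites the forwarded-for header sits between the client and dnsdist; I would document that on the declaration, e.g. `bool d_trustForwardedForHeader{false}; // header is client-controlled: enable only behind a trusted proxy that overwrites it`. The same applies to wherever the Lua/config setter for this flag lives, which is outside this hunk. `getTicketsKeyRotationDelay()` reads `d_tlsConfig.d_ticketsKeyRotationDelay`, so it belongs with the other ticket-key accessors declared further down rather than between the data members.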
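Review bot: The `#ifndef HAVE_DNS_OVER_HTTPS` stubs name parameters they never use (`rotateTicketsKey(time_t now)`, `loadTicketsKeys(const std::string& keyFile)`), which trips -Wunused-parameter on every non-DoH build, and `getTicketsKeysCount()` declares a local only to return it. I would write them as `void rotateTicketsKey(time_t) { }`, `void loadTicketsKeys(const std::string&) { }` and `return 0;`. Separately, `loadTicketsKeys` silently accepting a key file in a build that cannot use it is presumably the intended no-op, matching the existing `setup()`/`reloadCertificates()` stubs, but a comment on the `#ifndef` branch saying the stubs exist so the config path compiles without DoH would make that explicit.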
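Review bot: `release()` does `delete this` when `--d_refcnt` reaches zero, so every DOHUnit must now be heap-allocated with `new` and never live on the stack or inside a container by value, yet nothing in the struct states that invariant; `d_refcnt` itself is declared in the later hunk at `+186` and starts at 1, so the creator holds the first reference. I would put `// intrusive refcount: must be heap-allocated; release() deletes on the last reference` above `get()`, and guard the decrement with `assert(d_refcnt > 0);` (with `<cassert>` if not already included) so a double release shows up in debug builds instead of wrapping the unsigned counter and leaking or freeing the unit early. Calling `get()` on a unit whose count has already reached zero is a use-after-free, so callers must already own a reference when they take another; that is standard for this pattern but worth a sentence in the same comment. Copying is deleted, which is correct here, and since the copy operations are user-declared the implicit move operations are not generated either.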