creation of client TLS ctx before exclusive mode
authorColin Vidal <colin@isc.org>
Tue, 9 Sep 2025 13:41:17 +0000 (15:41 +0200)
committerColin Vidal <colin@isc.org>
Wed, 24 Sep 2025 08:54:50 +0000 (10:54 +0200)
When the server is configured (inside `apply_configuration`) a client
TLS context cache is created and attached to the global server object.
It is then used by the `configure_view` flow (and also at runtime through
the zone manager).

It is now created before the exclusive mode, and the swap of the
previous TLS cache ctx is done at the end of the exclusive mode, if
everything went well.

This allows us (among other follow-up changes) to move the
`configure_views` function outside of the exclusive mode.

bin/named/server.c

index 37cc1dea6abcbfefa3504d146d0ac983c0d7a5cb..ef0a7451f546865566aabc1a2ed6ba80a69977cb 100644 (file)
@@ -3795,7 +3795,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
               cfg_obj_t *vconfig, named_cachelist_t *cachelist,
               named_cachelist_t *oldcachelist, dns_kasplist_t *kasplist,
               const cfg_obj_t *bindkeys, isc_mem_t *mctx,
-              cfg_aclconfctx_t *actx, bool need_hints, bool first_time) {
+              cfg_aclconfctx_t *actx, isc_tlsctx_cache_t *tlsctx_client_cache,
+              bool need_hints, bool first_time) {
        const cfg_obj_t *maps[4];
        const cfg_obj_t *cfgmaps[3];
        const cfg_obj_t *optionmaps[3];
@@ -4506,8 +4507,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
                goto cleanup;
        }
 
-       CHECK(dns_view_createresolver(view, resopts,
-                                     named_g_server->tlsctx_client_cache,
+       CHECK(dns_view_createresolver(view, resopts, tlsctx_client_cache,
                                      dispatch4, dispatch6));
 
        if (resstats == NULL) {
@@ -7896,9 +7896,11 @@ create_views(cfg_obj_t *config, cfg_parser_t *parser,
 
 static isc_result_t
 configure_views(cfg_obj_t *config, const cfg_obj_t *bindkeys,
-               cfg_aclconfctx_t *aclconfctx, dns_viewlist_t *viewlist,
-               named_cachelist_t *cachelist, dns_kasplist_t *kasplist,
-               named_server_t *server, bool first_time) {
+               cfg_aclconfctx_t *aclconfctx,
+               isc_tlsctx_cache_t *tlsctx_client_cache,
+               dns_viewlist_t *viewlist, named_cachelist_t *cachelist,
+               dns_kasplist_t *kasplist, named_server_t *server,
+               bool first_time) {
        isc_result_t result = ISC_R_SUCCESS;
        const cfg_obj_t *views = NULL;
        dns_viewlist_t tmpviewlist;
@@ -7920,8 +7922,8 @@ configure_views(cfg_obj_t *config, const cfg_obj_t *bindkeys,
 
                result = configure_view(view, viewlist, config, vconfig,
                                        cachelist, &server->cachelist, kasplist,
-                                       bindkeys, isc_g_mctx, aclconfctx, true,
-                                       first_time);
+                                       bindkeys, isc_g_mctx, aclconfctx,
+                                       tlsctx_client_cache, true, first_time);
                if (result != ISC_R_SUCCESS) {
                        dns_view_detach(&view);
                        return result;
@@ -7942,8 +7944,8 @@ configure_views(cfg_obj_t *config, const cfg_obj_t *bindkeys,
                }
                result = configure_view(view, viewlist, config, NULL, cachelist,
                                        &server->cachelist, kasplist, bindkeys,
-                                       isc_g_mctx, aclconfctx, true,
-                                       first_time);
+                                       isc_g_mctx, aclconfctx,
+                                       tlsctx_client_cache, true, first_time);
                if (result != ISC_R_SUCCESS) {
                        dns_view_detach(&view);
                        return result;
@@ -7969,8 +7971,8 @@ configure_views(cfg_obj_t *config, const cfg_obj_t *bindkeys,
 
                result = configure_view(view, viewlist, config, vconfig,
                                        cachelist, &server->cachelist, kasplist,
-                                       bindkeys, isc_g_mctx, aclconfctx, false,
-                                       first_time);
+                                       bindkeys, isc_g_mctx, aclconfctx,
+                                       tlsctx_client_cache, false, first_time);
                if (result != ISC_R_SUCCESS) {
                        dns_view_detach(&view);
                        return result;
@@ -8128,6 +8130,7 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
        dns_aclenv_t *env =
                ns_interfacemgr_getaclenv(named_g_server->interfacemgr);
        cfg_aclconfctx_t *tmpaclconfctx, *aclconfctx = NULL;
+       isc_tlsctx_cache_t *tlsctx_client_cache = NULL;
 
        isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
                      ISC_LOG_DEBUG(1), "apply_configuration");
@@ -8176,6 +8179,9 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
                goto cleanup_viewlist;
        }
 
+       /* Create a new client TLS context cache */
+       isc_tlsctx_cache_create(isc_g_mctx, &tlsctx_client_cache);
+
        /* Ensure exclusive access to configuration data. */
        isc_loopmgr_pause();
 
@@ -8197,22 +8203,13 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
                }
        }
 
-       /* Let's recreate the TLS context cache */
+       /* Let's recreate the server TLS context cache */
        if (server->tlsctx_server_cache != NULL) {
                isc_tlsctx_cache_detach(&server->tlsctx_server_cache);
        }
 
        isc_tlsctx_cache_create(isc_g_mctx, &server->tlsctx_server_cache);
 
-       if (server->tlsctx_client_cache != NULL) {
-               isc_tlsctx_cache_detach(&server->tlsctx_client_cache);
-       }
-
-       isc_tlsctx_cache_create(isc_g_mctx, &server->tlsctx_client_cache);
-
-       dns_zonemgr_set_tlsctx_cache(server->zonemgr,
-                                    server->tlsctx_client_cache);
-
 #if HAVE_LIBNGHTTP2
        obj = NULL;
        result = named_config_get(maps, "http-port", &obj);
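Review bot: With the client cache now deferred until the reconfiguration succeeds, `server->tlsctx_server_cache` is still detached and replaced with a fresh empty cache here, inside exclusive mode and before the rest of the configuration has been validated, so a failed reload now leaves the two caches in different states (previous client cache retained, server cache reset). If that asymmetry is intentional for this step, a short comment such as `/* TODO: give the server cache the same create-early/swap-on-success treatment as the client cache */` would keep the next reader from "fixing" the wrong side. The enclosing function starts and ends outside this hunk.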
@@ -8786,8 +8783,9 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
         */
        (void)configure_session_key(maps, server, isc_g_mctx, first_time);
 
-       result = configure_views(config, bindkeys, aclconfctx, &viewlist,
-                                &cachelist, &kasplist, server, first_time);
+       result = configure_views(config, bindkeys, aclconfctx,
+                                tlsctx_client_cache, &viewlist, &cachelist,
+                                &kasplist, server, first_time);
        if (result != ISC_R_SUCCESS) {
                goto cleanup_cachelist;
        }
@@ -9187,6 +9185,17 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
        server->aclconfctx = aclconfctx;
        aclconfctx = tmpaclconfctx;
 
+       /*
+        * Swap client TLS context
+        */
+       if (server->tlsctx_client_cache != NULL) {
+               isc_tlsctx_cache_detach(&server->tlsctx_client_cache);
+       }
+
+       isc_tlsctx_cache_attach(tlsctx_client_cache,
+                               &server->tlsctx_client_cache);
+       dns_zonemgr_set_tlsctx_cache(server->zonemgr, tlsctx_client_cache);
+
        (void)named_server_loadnta(server);
 
        /*
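Review bot: The `Swap client TLS context` comment does not say why the swap lives here rather than where the server cache is recreated, which is the whole point of the change; I would make it `/* Publish the new client TLS context cache now that configuration has succeeded; if an earlier step failed, the previously running cache is left untouched. */`. Note that at least one failure path appears to follow this swap (the `goto cleanup_altsecrets` later in the function), so the cache is committed at the same point as the ACL context just above it rather than strictly "if everything went well"; that matches existing practice but is worth saying. The enclosing function starts and ends outside this hunk.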
@@ -9225,7 +9234,6 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
                goto cleanup_altsecrets;
        }
 
-
        (void)ns_interfacemgr_scan(server->interfacemgr, true, true);
 
        /*
@@ -9274,6 +9282,12 @@ cleanup_bindkeys_parser:
                isc_loopmgr_resume();
        }
 
+       /*
+        * Detach the TLS client context (whether the one created at the
+        * begining of this function, or the previous running one)
+        */
+       isc_tlsctx_cache_detach(&tlsctx_client_cache);
+
 cleanup_viewlist:
        ISC_LIST_FOREACH(viewlist, view, link) {
                ISC_LIST_UNLINK(viewlist, view, link);
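Review bot: The unconditional `isc_tlsctx_cache_detach(&tlsctx_client_cache)` at the `cleanup_bindkeys_parser` label differs from every other detach of these caches in this function, which are guarded by a NULL check, and `tlsctx_client_cache` is initialised to NULL at the top of the function; if any error path before the `isc_tlsctx_cache_create` call jumps to this label or one above it, this would detach a NULL pointer. I cannot see every goto from here, but the guard is cheap and consistent: `if (tlsctx_client_cache != NULL) { isc_tlsctx_cache_detach(&tlsctx_client_cache); }`. The comment is also misleading: after a successful swap the local pointer still refers to the cache created at the top (the attach only adds a reference held by `server`), never to the previously running one, which was already detached in the swap; I would reword it to `/* Drop our local reference to the client TLS context cache created at the top of this function; on success the server object holds its own reference. */` (and fix "begining"). The enclosing function continues past this hunk.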