From: Witold Kręcicki Date: Sun, 4 Nov 2018 18:07:27 +0000 (+0000) Subject: WiP 2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9569475c94d069a43b3297c2202fbf6281b43d8f;p=thirdparty%2Fbind9.git WiP 2 --- diff --git a/bin/named/server.c b/bin/named/server.c index 4f14900f7fb..028cbfae5c9 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -6423,7 +6423,8 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr, goto clean; result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr), - dscp, src_acl, &lelt); + dscp, src_acl, NULL, NULL, + &lelt); if (result != ISC_R_SUCCESS) goto clean; ISC_LIST_APPEND(list->elts, lelt, link); @@ -10410,12 +10411,24 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, uint16_t family, ns_listenelt_t **target) { isc_result_t result; - const cfg_obj_t *portobj, *dscpobj; + const cfg_obj_t *portobj, *dscpobj, *keyobj, *certobj; + const char *cert = NULL, *key=NULL; in_port_t port; isc_dscp_t dscp = -1; ns_listenelt_t *delt = NULL; REQUIRE(target != NULL && *target == NULL); + keyobj = cfg_tuple_get(listener, "key"); + if (cfg_obj_isstring(keyobj)) { + key = cfg_obj_asstring(keyobj); + } + + certobj = cfg_tuple_get(listener, "cert"); + if (cfg_obj_isstring(certobj)) { + cert = cfg_obj_asstring(certobj); + } + + portobj = cfg_tuple_get(listener, "port"); if (!cfg_obj_isuint32(portobj)) { if (named_g_port != 0) { @@ -10448,7 +10461,8 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj); } - result = ns_listenelt_create(mctx, port, dscp, NULL, &delt); + printf("Cert %s key %s port %d\n", cert, key, port); + result = ns_listenelt_create(mctx, port, dscp, NULL, cert, key, &delt); if (result != ISC_R_SUCCESS) return (result); diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h index b54df56acf7..2231fa8694a 100644 --- a/lib/isc/include/isc/result.h +++ b/lib/isc/include/isc/result.h @@ -85,9 +85,9 @@ #define ISC_R_WOULDBLOCK 63 /*%< would block */ #define ISC_R_COMPLETE 64 /*%< complete */ #define ISC_R_CRYPTOFAILURE 65 /*%< cryptography library failure */ - +#define ISC_R_TLSERROR 66 /*%< TLS error */ /*% Not a result code: the number of results. */ -#define ISC_R_NRESULTS 66 +#define ISC_R_NRESULTS 67 ISC_LANG_BEGINDECLS diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h index 8a3c96b14d2..23b7b2e1b13 100644 --- a/lib/isc/include/isc/socket.h +++ b/lib/isc/include/isc/socket.h @@ -1044,4 +1044,7 @@ ISC_LANG_ENDDECLS isc_result_t isc_socket_getsslhexdigest(isc_socket_t *sock0, char *dest, unsigned int len); +isc_result_t +isc_socket_maketls(isc_socket_t *sock0, const char* cert_path, const char* key_path); + #endif /* ISC_SOCKET_H */ diff --git a/lib/isc/result.c b/lib/isc/result.c index 23ff2099ead..dd0a0dadcbc 100644 --- a/lib/isc/result.c +++ b/lib/isc/result.c @@ -100,6 +100,8 @@ static const char *description[ISC_R_NRESULTS] = { "multiple", /*%< 62 */ "would block", /*%< 63 */ "complete", /*%< 64 */ + "cryptography library failure", /*%< 65 */ + "TLS error", /*%< 66 */ }; static const char *identifier[ISC_R_NRESULTS] = { @@ -168,6 +170,8 @@ static const char *identifier[ISC_R_NRESULTS] = { "ISC_R_MULTIPLE", "ISC_R_WOULDBLOCK", "ISC_R_COMPLETE", + "ISC_R_CRYPTOFAILURE", + "ISC_R_TLSERROR" }; #define ISC_RESULT_RESULTSET 2 diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index 6d2d78f4451..402fa0cfd62 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -32,6 +32,7 @@ #endif #include +#include #include #include @@ -346,6 +347,7 @@ typedef struct isc__socketthread isc__socketthread_t; #define TLSSTATE_RWW 0x0002 /* Read Wants to Write */ #define TLSSTATE_WWR 0x0004 /* Write Wants to Read */ #define TLSSTATE_WWW 0x0008 /* Write Wants to Write */ +#define TLSSTATE_DEAD 0x0010 /* Delayed error */ struct isc__socket { @@ -370,8 +372,6 @@ struct isc__socket { ISC_LIST(isc_socket_newconnev_t) accept_list; ISC_LIST(isc_socket_connev_t) connect_list; - SSL * ssl; - isc_sockaddr_t peer_address; /* remote address */ unsigned int listener : 1, /* listener socket */ @@ -380,10 +380,14 @@ struct isc__socket { bound : 1, /* bound to local addr */ dupped : 1, active : 1, /* currently active */ - pktdscp : 1, /* per packet dscp */ - tlsconnecting : 1, /* waiting for TLS conn */ - tlsaccepting : 1; /* waiting for TLS accept */ + pktdscp : 1; /* per packet dscp */ + + SSL *ssl; + /* server ctx for accepting socket */ + SSL_CTX *ssl_ctx; + unsigned int tlsconnecting : 1, /* waiting for TLS conn */ + tlsaccepting : 1; /* waiting for TLS accept */ int tlsstate; #ifdef ISC_PLATFORM_RECVOVERFLOW @@ -410,6 +414,9 @@ struct isc__socketmgr { int reserved; /* unlocked */ isc_condition_t shutdown_ok; int maxudp; + + /* client ctx for created sockets */ + SSL_CTX *ssl_ctx; /* XXXWPK TODO verify thread-safety of that (we're not modifying it, only creating clients) */ }; struct isc__socketthread { @@ -2021,6 +2028,7 @@ allocate_socket(isc__socketmgr_t *manager, isc_sockettype_t type, sock->tlsaccepting = 0; sock->tlsstate = 0; sock->ssl = NULL; + sock->ssl_ctx = NULL; ISC_LINK_INIT(sock, link); @@ -3230,11 +3238,27 @@ internal_accept(isc__socket_t *sock) { /* * Fill in the done event details and send it off. */ - dev->result = result; - task = dev->ev_sender; - dev->ev_sender = sock; - - isc_task_sendtoanddetach(&task, ISC_EVENT_PTR(&dev), sock->threadid); + printf("Accept done %d %p\n", result, sock->ssl_ctx); + if (result == ISC_R_SUCCESS && sock->ssl_ctx != NULL) { + /* + * This socket might be handled by different FD, we can't + * launch internal_accept directly + */ + isc__socket_t *ns = NEWCONNSOCK(dev); + ns->ssl_ctx = sock->ssl_ctx; + ns->tlsstate = TLSSTATE_RWR; + ns->tlsaccepting = 1; + ns->type = isc_sockettype_tls; + printf("Pushing TLS ACCEPT to %p\n", ns); + ISC_LIST_APPEND(ns->accept_list, dev, ev_link); + select_poke(ns->manager, ns->threadid, ns->fd, + SELECT_POKE_READ); + } else { + dev->result = result; + task = dev->ev_sender; + dev->ev_sender = sock; + isc_task_sendtoanddetach(&task, ISC_EVENT_PTR(&dev), sock->threadid); + } return; soft_error: @@ -3245,8 +3269,6 @@ internal_accept(isc__socket_t *sock) { return; } -static void internal_tls_accept(isc__socket_t *sock) { UNUSED(sock); abort(); }; - static void internal_recv(isc__socket_t *sock) { isc_socketevent_t *dev; @@ -3493,7 +3515,7 @@ process_fd(isc__socketthread_t *thread, int fd, bool readable, isc_refcount_increment(&sock->references); - printf("process_fd sock->type %d readable %d writeable %d connecting %d\n", sock->type, readable, writeable, sock->connecting); + printf("process_fd %d sock->type %d readable %d writeable %d connecting %d\n", sock->fd, sock->type, readable, writeable, sock->connecting); if (!sock->listener && !sock->connecting && sock->type == isc_sockettype_tls) { if (readable) { if (sock->tlsstate & TLSSTATE_RWR) { @@ -4230,6 +4252,11 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp, return (ISC_R_UNEXPECTED); } + const SSL_METHOD *meth; + SSL_load_error_strings(); + OpenSSL_add_ssl_algorithms(); + meth = TLS_client_method(); + manager->ssl_ctx = SSL_CTX_new(meth); /* * Start up the select/poll thread. @@ -4366,6 +4393,13 @@ socket_recv(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task, dev->ev_sender = task; + if ((sock->type == isc_sockettype_tls) && (sock->tlsstate & TLSSTATE_DEAD) == TLSSTATE_DEAD) { + dev->result = ISC_R_TLSERROR; + if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0) + send_recvdone_event(sock, &dev); + return (ISC_R_SUCCESS); + } + if (sock->type == isc_sockettype_udp) { io_state = doio_recv(sock, dev); } else { @@ -4531,6 +4565,13 @@ socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task, } } + if ((sock->type == isc_sockettype_tls) && (sock->tlsstate & TLSSTATE_DEAD) == TLSSTATE_DEAD) { + dev->result = ISC_R_TLSERROR; + if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0) + send_recvdone_event(sock, &dev); + return (ISC_R_SUCCESS); + } + if (sock->type == isc_sockettype_udp) { io_state = doio_send(sock, dev); } else { @@ -5446,14 +5487,12 @@ internal_tls_connect(isc__socket_t *sock) { bool wanted_write = sock->tlsstate & (TLSSTATE_RWW | TLSSTATE_WWW); sock->tlsstate &= ~(TLSSTATE_RWR | TLSSTATE_RWW); + /* + * internal_tls_connect can be called multiple times, if that's the + * first time we need to create SSL object + */ if (sock->ssl == NULL) { - const SSL_METHOD *meth; - SSL_CTX* ctx; - SSL_load_error_strings(); - OpenSSL_add_ssl_algorithms(); - meth = TLS_client_method(); - ctx = SSL_CTX_new(meth); - sock->ssl = SSL_new(ctx); + sock->ssl = SSL_new(sock->manager->ssl_ctx); SSL_set_fd(sock->ssl, sock->fd); SSL_set_connect_state(sock->ssl); } @@ -5483,6 +5522,7 @@ internal_tls_connect(isc__socket_t *sock) { goto finish; } else { printf("Other SSL error in connect %d %d\n", cc, err); + ERR_print_errors_fp(stderr); result = ISC_R_CONNECTIONRESET; } } else { @@ -5500,6 +5540,82 @@ internal_tls_connect(isc__socket_t *sock) { watch_unwatch(sock, wanted_read, wanted_write); } +static void +internal_tls_accept(isc__socket_t *sock) { + isc_socket_newconnev_t *dev; + isc_result_t result; + int threadid = sock->threadid; + sock->tlsaccepting = 1; + bool wanted_read = sock->tlsstate & (TLSSTATE_RWR | TLSSTATE_WWR); + bool wanted_write = sock->tlsstate & (TLSSTATE_RWW | TLSSTATE_WWW); + sock->tlsstate &= ~(TLSSTATE_WWR | TLSSTATE_WWW); + + printf("TLS ACCEPT SOCK %p\n", sock); + dev = ISC_LIST_HEAD(sock->accept_list); + if (dev == NULL) { + abort(); + } + + /* + * internal_tls_accept can be called multiple times, if that's the + * first time we need to create SSL object + */ + if (sock->ssl == NULL) { + sock->ssl = SSL_new(sock->ssl_ctx); + SSL_set_fd(sock->ssl, sock->fd); + SSL_set_accept_state(sock->ssl); +// SSL_set_connect_state(sock->ssl); + } + int cc = SSL_accept(sock->ssl); + printf("SSL_Accept returned %d\n", cc); + if (cc <= 0) { + int err = SSL_get_error(sock->ssl, cc); + if (err == SSL_ERROR_WANT_READ) { + printf("Want read\n"); + if (!wanted_read) { + watch_fd(&sock->manager->threads[sock->threadid], sock->fd, + SELECT_POKE_READ); + } + sock->tlsstate |= TLSSTATE_RWR; + watch_unwatch(sock, wanted_read, wanted_write); + return; + } else if (err == SSL_ERROR_WANT_WRITE) { + printf("Want write\n"); + if (!wanted_write) { + watch_fd(&sock->manager->threads[sock->threadid], sock->fd, + SELECT_POKE_WRITE); + } + sock->tlsstate |= TLSSTATE_RWW; + watch_unwatch(sock, wanted_read, wanted_write); + return; + } else { + printf("Other SSL error in connect %d %d\n", cc, err); + result = ISC_R_CONNECTIONRESET; + + } + } else { + result = ISC_R_SUCCESS; + } + /* + * Since regular accept failures are odd, but SSL negotiation + * failures are quite common, we delay the error to first read/write + * happening on the socket - accept always return SUCCESS at this + * stage. + */ + if (result != ISC_R_SUCCESS) { + sock->tlsstate |= TLSSTATE_DEAD; + } + dev->result = ISC_R_SUCCESS; + sock->tlsaccepting = 0; + isc_task_t *task = dev->ev_sender; + ISC_LIST_UNLINK(sock->accept_list, dev, ev_link); + watch_unwatch(sock, wanted_read, wanted_write); + dev->ev_sender = sock; + isc_task_sendtoanddetach(&task, ISC_EVENT_PTR(&dev), threadid); + + INSIST(ISC_LIST_EMPTY(sock->accept_list)); +} + isc_result_t isc_socket_getpeername(isc_socket_t *sock0, isc_sockaddr_t *addressp) { isc__socket_t *sock = (isc__socket_t *)sock0; @@ -6121,22 +6237,22 @@ isc_socket_getsslhexdigest(isc_socket_t *sock0, char *dest, unsigned int len) { unsigned char digest[EVP_MAX_MD_SIZE]; unsigned int dlen; X509* x509; - if (sock->ssl == NULL) { + if (sock->ssl == NULL) { return (ISC_R_UNSET); } x509 = SSL_get_peer_certificate(sock->ssl); if (x509 == NULL) { return (ISC_R_UNEXPECTED); } - - if (X509_pubkey_digest(x509, EVP_sha256(), digest, &dlen) != 1) { - return (ISC_R_UNEXPECTED); + + if (X509_pubkey_digest(x509, EVP_sha256(), digest, &dlen) != 1) { + return (ISC_R_UNEXPECTED); } - + if (len < 2*dlen + 1) { return (ISC_R_NOSPACE); } - + r.base = digest; r.length = dlen; isc_buffer_init(&buf, dest, len); @@ -6147,4 +6263,35 @@ isc_socket_getsslhexdigest(isc_socket_t *sock0, char *dest, unsigned int len) { isc_buffer_putuint8(&buf, 0); return (ISC_R_SUCCESS); } - + +isc_result_t +isc_socket_maketls(isc_socket_t *sock0, const char* cert_path, const char* key_path) { + printf("Maketls\n"); + isc__socket_t *sock = (isc__socket_t*) sock0; + const SSL_METHOD *meth; + + REQUIRE(VALID_SOCKET(sock)); + REQUIRE(!sock->connected); + REQUIRE(sock->listener); + + REQUIRE(sock->ssl == NULL); + REQUIRE(sock->ssl_ctx == NULL); + + SSL_load_error_strings(); + OpenSSL_add_ssl_algorithms(); + meth = TLS_server_method(); + INSIST(meth != NULL); + sock->ssl_ctx = SSL_CTX_new(meth); + INSIST(sock->ssl_ctx != NULL); +// SSL_set_msg_callback(sock->ssl_ctx,SSL_trace); SSL_set_msg_callback_arg(sock->ssl_ctx,BIO_new_fp(stdout,0)); + if (SSL_CTX_use_certificate_file(sock->ssl_ctx, cert_path, SSL_FILETYPE_PEM) <= 0) { + abort(); + } + if (SSL_CTX_use_PrivateKey_file(sock->ssl_ctx, key_path, SSL_FILETYPE_PEM) <= 0) { + abort(); + } + + sock->type = isc_sockettype_tls; + + return (ISC_R_SUCCESS); +} diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 5af0396034e..c6ddba6fe3c 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -125,6 +125,8 @@ static cfg_type_t cfg_type_notifytype; static cfg_type_t cfg_type_optional_allow; static cfg_type_t cfg_type_optional_class; static cfg_type_t cfg_type_optional_dscp; +static cfg_type_t cfg_type_optional_cert; +static cfg_type_t cfg_type_optional_key; static cfg_type_t cfg_type_optional_facility; static cfg_type_t cfg_type_optional_keyref; static cfg_type_t cfg_type_optional_port; @@ -168,6 +170,8 @@ static cfg_type_t cfg_type_tkey_dhkey = { static cfg_tuplefielddef_t listenon_fields[] = { { "port", &cfg_type_optional_port, 0 }, { "dscp", &cfg_type_optional_dscp, 0 }, + { "cert", &cfg_type_optional_cert, 0 }, + { "key", &cfg_type_optional_key, 0 }, { "acl", &cfg_type_bracketed_aml, 0 }, { NULL, NULL, 0 } }; @@ -636,6 +640,20 @@ static cfg_type_t cfg_type_optional_port = { doc_optional_keyvalue, &cfg_rep_uint32, &port_kw }; +static keyword_type_t tlskey_kw = { "key", &cfg_type_qstring }; + +static cfg_type_t cfg_type_optional_key = { + "optional_key", parse_optional_keyvalue, print_keyvalue, + doc_optional_keyvalue, &cfg_rep_string, &tlskey_kw +}; + +static keyword_type_t tlscert_kw = { "cert", &cfg_type_qstring }; + +static cfg_type_t cfg_type_optional_cert = { + "optional_cert", parse_optional_keyvalue, print_keyvalue, + doc_optional_keyvalue, &cfg_rep_string, &tlscert_kw +}; + /*% A list of keys, as in the "key" clause of the controls statement. */ static cfg_type_t cfg_type_keylist = { "keylist", cfg_parse_bracketed_list, cfg_print_bracketed_list, diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h index 54846fdc273..4daeb752744 100644 --- a/lib/ns/include/ns/interfacemgr.h +++ b/lib/ns/include/ns/interfacemgr.h @@ -81,6 +81,8 @@ struct ns_interface { int ntcpcurrent; /*%< Current ditto, locked */ int nudpdispatch; /*%< Number of UDP dispatches */ ns_clientmgr_t * clientmgr; /*%< Client manager. */ + const char * certpath; /*%< TLS cert path. */ + const char * keypath; /*%< TLS key path. */ ISC_LINK(ns_interface_t) link; }; diff --git a/lib/ns/include/ns/listenlist.h b/lib/ns/include/ns/listenlist.h index f6f631988f6..c3f30cbbef4 100644 --- a/lib/ns/include/ns/listenlist.h +++ b/lib/ns/include/ns/listenlist.h @@ -42,6 +42,8 @@ struct ns_listenelt { isc_mem_t * mctx; in_port_t port; isc_dscp_t dscp; /* -1 = not set, 0..63 */ + const char * certpath; + const char * keypath; dns_acl_t * acl; ISC_LINK(ns_listenelt_t) link; }; @@ -58,7 +60,8 @@ struct ns_listenlist { isc_result_t ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp, - dns_acl_t *acl, ns_listenelt_t **target); + dns_acl_t *acl, const char *certpath, + const char *keypath, ns_listenelt_t **target); /*%< * Create a listen-on list element. */ diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c index adba622d096..c9ac22dc279 100644 --- a/lib/ns/interfacemgr.c +++ b/lib/ns/interfacemgr.c @@ -385,7 +385,8 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) { static isc_result_t ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, - const char *name, ns_interface_t **ifpret) + const char *name, const char *certpath, + const char *keypath, ns_interface_t **ifpret) { ns_interface_t *ifp; isc_result_t result; @@ -400,6 +401,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, ifp->mgr = NULL; ifp->generation = mgr->generation; ifp->addr = *addr; + ifp->certpath = certpath; + ifp->keypath = keypath; ifp->flags = 0; strlcpy(ifp->name, name, sizeof(ifp->name)); ifp->clientmgr = NULL; @@ -559,7 +562,17 @@ ns_interface_accepttcp(ns_interface_t *ifp) { isc_result_totext(result)); goto tcp_listen_failure; } - + printf("XXX %s\n", ifp->certpath); + if (ifp->certpath != NULL) { + result = isc_socket_maketls(ifp->tcpsocket, ifp->certpath, + ifp->keypath); + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "setting TLS on TCP socket: %s", + isc_result_totext(result)); + goto tcp_listen_failure; + } + } /* * If/when there a multiple filters listen to the * result. @@ -589,6 +602,7 @@ static isc_result_t ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name, ns_interface_t **ifpret, bool accept_tcp, isc_dscp_t dscp, + const char *certpath, const char *keypath, bool *addr_in_use) { isc_result_t result; @@ -596,17 +610,18 @@ ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, REQUIRE(ifpret != NULL && *ifpret == NULL); REQUIRE(addr_in_use == NULL || *addr_in_use == false); - result = ns_interface_create(mgr, addr, name, &ifp); + result = ns_interface_create(mgr, addr, name, certpath, keypath, &ifp); if (result != ISC_R_SUCCESS) return (result); ifp->dscp = dscp; - - result = ns_interface_listenudp(ifp); - if (result != ISC_R_SUCCESS) { - if ((result == ISC_R_ADDRINUSE) && (addr_in_use != NULL)) - *addr_in_use = true; - goto cleanup_interface; + if (certpath == NULL) { + result = ns_interface_listenudp(ifp); + if (result != ISC_R_SUCCESS) { + if ((result == ISC_R_ADDRINUSE) && (addr_in_use != NULL)) + *addr_in_use = true; + goto cleanup_interface; + } } if (((mgr->sctx->options & NS_SERVER_NOTCP) == 0) && @@ -932,6 +947,8 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, "", &ifp, true, le->dscp, + le->certpath, + le->keypath, NULL); if (result == ISC_R_SUCCESS) ifp->flags |= NS_INTERFACEFLAG_ANYADDR; @@ -1154,6 +1171,8 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, (adjusting == true) ? false : true, le->dscp, + le->certpath, + le->keypath, &addr_in_use); tried_listening = true; diff --git a/lib/ns/listenlist.c b/lib/ns/listenlist.c index 21ae91bc9f6..a9b42267289 100644 --- a/lib/ns/listenlist.c +++ b/lib/ns/listenlist.c @@ -27,7 +27,8 @@ destroy(ns_listenlist_t *list); isc_result_t ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp, - dns_acl_t *acl, ns_listenelt_t **target) + dns_acl_t *acl, const char *certpath, + const char *keypath, ns_listenelt_t **target) { ns_listenelt_t *elt = NULL; REQUIRE(target != NULL && *target == NULL); @@ -39,6 +40,9 @@ ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp, elt->port = port; elt->dscp = dscp; elt->acl = acl; + elt->certpath = certpath; + elt->keypath = keypath; + printf("LE create %d %s %s\n", port, certpath, keypath); *target = elt; return (ISC_R_SUCCESS); } @@ -111,7 +115,7 @@ ns_listenlist_default(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp, if (result != ISC_R_SUCCESS) goto cleanup; - result = ns_listenelt_create(mctx, port, dscp, acl, &elt); + result = ns_listenelt_create(mctx, port, dscp, acl, NULL, NULL, &elt); if (result != ISC_R_SUCCESS) goto cleanup_acl;