KNOT_DB_LMDB_RDONLY@Base 3.3.0
KNOT_DB_LMDB_WRITEMAP@Base 3.3.0
KNOT_DUMP_STYLE_DEFAULT@Base 3.3.0
+ knot_creds_cert@Base 3.4.0
+ knot_creds_free@Base 3.4.0
+ knot_creds_init@Base 3.4.0
+ knot_creds_init_peer@Base 3.4.0
knot_ctl_accept@Base 3.3.0
knot_ctl_alloc@Base 3.3.0
knot_ctl_bind@Base 3.3.0
knot_quic_conn_local_port@Base 3.3.0
knot_quic_conn_new_stream@Base 3.3.0
knot_quic_conn_next_timeout@Base 3.3.3
- knot_quic_conn_pin@Base 3.3.0
knot_quic_conn_rtt@Base 3.3.0
knot_quic_conn_stream_free@Base 3.3.0
- knot_quic_creds_cert@Base 3.3.0
- knot_quic_free_creds@Base 3.3.0
knot_quic_handle@Base 3.3.0
knot_quic_hanle_expiry@Base 3.3.3
- knot_quic_init_creds@Base 3.3.0
- knot_quic_init_creds_peer@Base 3.3.0
knot_quic_send@Base 3.3.0
knot_quic_session_available@Base 3.3.0
knot_quic_session_load@Base 3.3.0
knot_tcp_sweep@Base 3.3.0
knot_tcp_table_free@Base 3.3.0
knot_tcp_table_new@Base 3.3.0
+ knot_tls_conn_del@Base 3.4.0
+ knot_tls_conn_new@Base 3.4.0
+ knot_tls_ctx_free@Base 3.4.0
+ knot_tls_ctx_new@Base 3.4.0
+ knot_tls_handshake@Base 3.4.0
+ knot_tls_pin@Base 3.4.0
+ knot_tls_pin_check@Base 3.4.0
+ knot_tls_recv@Base 3.4.0
+ knot_tls_recv_dns@Base 3.4.0
+ knot_tls_send@Base 3.4.0
+ knot_tls_send_dns@Base 3.4.0
+ knot_tls_session@Base 3.4.0
knot_tsig_add@Base 3.3.0
knot_tsig_append@Base 3.3.0
knot_tsig_client_check@Base 3.3.0
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
int fd,
struct sockaddr_storage *remote,
struct sockaddr_storage *local,
- const struct knot_quic_creds *local_creds,
+ const struct knot_creds *local_creds,
const uint8_t *peer_pin,
uint8_t peer_pin_len,
bool *reused_fd,
r->send_reply = qr_send_reply;
r->free_reply = qr_free_reply;
- struct knot_quic_creds *creds = knot_quic_init_creds_peer(local_creds,
- peer_pin, peer_pin_len);
+ struct knot_creds *creds = knot_creds_init_peer(local_creds, peer_pin, peer_pin_len);
if (creds == NULL) {
free(r);
return KNOT_ENOMEM;
knot_quic_table_t *table = knot_quic_table_new(1, QUIC_BUF_SIZE,
QUIC_BUF_SIZE, 0, creds);
if (table == NULL) {
- knot_quic_free_creds(creds);
+ knot_creds_free(creds);
free(r);
return KNOT_ENOMEM;
}
knot_quic_table_rem(conn, table);
knot_quic_cleanup(&conn, 1);
if (table != NULL) {
- knot_quic_free_creds(table->creds);
+ knot_creds_free(table->creds);
}
knot_quic_table_free(table);
free(r);
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
int fd,
struct sockaddr_storage *remote,
struct sockaddr_storage *local,
- const struct knot_quic_creds *local_creds,
+ const struct knot_creds *local_creds,
const uint8_t *peer_pin,
uint8_t peer_pin_len,
bool *reused_fd,
const struct sockaddr_storage *remote,
const struct sockaddr_storage *source,
knot_pkt_t *query,
- const struct knot_quic_creds *creds,
+ const struct knot_creds *creds,
const query_edns_data_t *edns,
const knot_tsig_key_t *tsig_key,
const uint8_t *pin,
knot_request_t *knot_request_make(knot_mm_t *mm,
const conf_remote_t *remote,
knot_pkt_t *query,
- const struct knot_quic_creds *creds,
+ const struct knot_creds *creds,
const query_edns_data_t *edns,
knot_request_flag_t flags)
{
knot_sign_context_t sign; /*!< Required for async. DDNS processing. */
- const struct knot_quic_creds *creds;
+ const struct knot_creds *creds;
size_t pin_len;
uint8_t pin[];
} knot_request_t;
const struct sockaddr_storage *remote,
const struct sockaddr_storage *source,
knot_pkt_t *query,
- const struct knot_quic_creds *creds,
+ const struct knot_creds *creds,
const query_edns_data_t *edns,
const knot_tsig_key_t *tsig_key,
const uint8_t *pin,
knot_request_t *knot_request_make(knot_mm_t *mm,
const conf_remote_t *remote,
knot_pkt_t *query,
- const struct knot_quic_creds *creds,
+ const struct knot_creds *creds,
const query_edns_data_t *edns,
knot_request_flag_t flags);
#include "libknot/quic/tls.h"
int knot_tls_req_ctx_init(knot_tls_req_ctx_t *ctx, int fd,
- const struct knot_quic_creds *local_creds,
+ const struct knot_creds *local_creds,
const uint8_t *peer_pin, uint8_t peer_pin_len,
int io_timeout_ms)
{
- struct knot_quic_creds *creds = knot_quic_init_creds_peer(local_creds,
- peer_pin, peer_pin_len);
+ struct knot_creds *creds = knot_creds_init_peer(local_creds, peer_pin, peer_pin_len);
if (creds == NULL) {
return KNOT_ENOMEM;
}
ctx->ctx = knot_tls_ctx_new(creds, io_timeout_ms, false);
if (ctx->ctx == NULL) {
- knot_quic_free_creds(creds);
+ knot_creds_free(creds);
return KNOT_ENOMEM;
}
void knot_tls_req_ctx_deinit(knot_tls_req_ctx_t *ctx)
{
if (ctx != NULL && ctx->ctx != NULL) {
- knot_quic_free_creds(ctx->ctx->creds);
+ knot_creds_free(ctx->ctx->creds);
knot_tls_conn_del(ctx->conn);
knot_tls_ctx_free(ctx->ctx);
memset(ctx, 0, sizeof(*ctx));
struct knot_tls_conn *conn;
} knot_tls_req_ctx_t;
-struct knot_quic_creds;
-
/*!
* \brief Initialize TLS requestor context.
*
* \return KNOT_E*
*/
int knot_tls_req_ctx_init(knot_tls_req_ctx_t *ctx, int fd,
- const struct knot_quic_creds *local_creds,
+ const struct knot_creds *local_creds,
const uint8_t *peer_pin, uint8_t peer_pin_len,
int io_timeout_ms);
log_debug("QUIC/TLS, using self-generated key '%s' with "
"one-time certificate", key_file);
}
- server->quic_creds = knot_quic_init_creds(cert_file, key_file);
+ server->quic_creds = knot_creds_init(cert_file, key_file);
free(cert_file);
if (server->quic_creds == NULL) {
log_error("QUIC/TLS, failed to initialize server credentials with key '%s'",
global_sessticket_pool = NULL;
knot_unreachables_deinit(&global_unreachables);
- knot_quic_free_creds(server->quic_creds);
+ knot_creds_free(server->quic_creds);
}
static int server_init_handler(server_t *server, int index, int thread_count,
size_t bin_pin_size = sizeof(bin_pin);
gnutls_x509_crt_t cert = NULL;
if (server->quic_creds != NULL &&
- knot_quic_creds_cert(server->quic_creds, &cert) == KNOT_EOK &&
+ knot_creds_cert(server->quic_creds, &cert) == KNOT_EOK &&
gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256,
bin_pin, &bin_pin_size) == GNUTLS_E_SUCCESS) {
pin_size = knot_base64_encode(bin_pin, bin_pin_size, out, out_size);
struct server;
struct knot_xdp_socket;
-struct knot_quic_creds;
+struct knot_creds;
/*!
* \brief I/O handler structure.
zone_backup_ctxs_t backup_ctxs;
/*! \brief Crendentials context for QUIC. */
- struct knot_quic_creds *quic_creds;
+ struct knot_creds *quic_creds;
} server_t;
/*!
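Review bot: The renamed `quic_creds` field keeps the comment `/*! \brief Crendentials context for QUIC. */`, which has a typo and is now narrower than the `struct knot_creds` type it points to (the new creds.h brief in this change calls that type common to QUIC and TLS); suggest `/*! \brief Credentials context for QUIC and TLS. */`. The field name itself still carries the QUIC-only scope while the type is generic; a follow-up rename is optional, since the only users visible in this change are the server.c call sites (`server->quic_creds = knot_creds_init(cert_file, key_file);` and the `knot_creds_free`/`knot_creds_cert` calls). The enclosing `server_t` struct starts outside the hunk.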
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
_public_
knot_quic_table_t *knot_quic_table_new(size_t max_conns, size_t max_ibufs, size_t max_obufs,
- size_t udp_payload, struct knot_quic_creds *creds)
+ size_t udp_payload, struct knot_creds *creds)
{
size_t table_size = max_conns * BUCKETS_PER_CONNS;
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#define MAX_STREAMS_PER_CONN 10 // this limits the number of un-finished streams per conn (i.e. if response has been recvd with FIN, it doesn't count)
struct ngtcp2_cid; // declaration taken from wherever in ngtcp2
-struct knot_quic_creds;
+struct knot_creds;
struct knot_quic_reply;
struct knot_sweep_stats;
void (*log_cb)(const char *);
const char *qlog_dir;
uint64_t hash_secret[4];
- struct knot_quic_creds *creds;
+ struct knot_creds *creds;
struct heap *expiry_heap;
knot_quic_cid_t *conns[];
} knot_quic_table_t;
* \return Allocated table, or NULL.
*/
knot_quic_table_t *knot_quic_table_new(size_t max_conns, size_t max_ibufs, size_t max_obufs,
- size_t udp_payload, struct knot_quic_creds *creds);
+ size_t udp_payload, struct knot_creds *creds);
/*!
* \brief Free QUIC table including its contents.
#define EAGAIN_MAX_FOR_GNUTLS 10 // gnutls_record_recv() has been observed to return GNUTLS_E_AGAIN repetitively and excessively, leading to infinite loops. This limits the number of re-tries.
_public_
-knot_tls_ctx_t *knot_tls_ctx_new(struct knot_quic_creds *creds, unsigned io_timeout,
+knot_tls_ctx_t *knot_tls_ctx_new(struct knot_creds *creds, unsigned io_timeout,
bool server)
{
knot_tls_ctx_t *res = calloc(1, sizeof(*res));
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
+/*!
+ * \file
+ *
+ * \brief Pure TLS functionality.
+ *
+ * \addtogroup quic
+ * @{
+ */
+
#pragma once
#include <stdbool.h>
#include <sys/types.h>
typedef struct knot_tls_ctx {
- struct knot_quic_creds *creds;
+ struct knot_creds *creds;
unsigned handshake_timeout;
unsigned io_timeout;
bool server;
*
* \return Initialized context or NULL.
*/
-knot_tls_ctx_t *knot_tls_ctx_new(struct knot_quic_creds *creds, unsigned io_timeout,
+knot_tls_ctx_t *knot_tls_ctx_new(struct knot_creds *creds, unsigned io_timeout,
bool server);
/*!
* \return Either exactly 'size' or a negative error code.
*/
ssize_t knot_tls_send_dns(knot_tls_conn_t *conn, void *data, size_t size);
+
+/*! @} */
#include "libknot/attribute.h"
#include "libknot/error.h"
-typedef struct knot_quic_creds {
+typedef struct knot_creds {
gnutls_certificate_credentials_t tls_cert;
gnutls_anti_replay_t tls_anti_replay;
gnutls_datum_t tls_ticket_key;
bool peer;
uint8_t peer_pin_len;
uint8_t peer_pin[];
-} knot_quic_creds_t;
+} knot_creds_t;
static int tls_anti_replay_db_add_func(void *dbf, time_t exp_time,
const gnutls_datum_t *key,
}
_public_
-struct knot_quic_creds *knot_quic_init_creds(const char *cert_file,
- const char *key_file)
+struct knot_creds *knot_creds_init(const char *cert_file, const char *key_file)
{
- knot_quic_creds_t *creds = calloc(1, sizeof(*creds));
+ knot_creds_t *creds = calloc(1, sizeof(*creds));
if (creds == NULL) {
return NULL;
}
return creds;
fail:
- knot_quic_free_creds(creds);
+ knot_creds_free(creds);
return NULL;
}
_public_
-struct knot_quic_creds *knot_quic_init_creds_peer(const struct knot_quic_creds *local_creds,
- const uint8_t *peer_pin,
- uint8_t peer_pin_len)
+struct knot_creds *knot_creds_init_peer(const struct knot_creds *local_creds,
+ const uint8_t *peer_pin,
+ uint8_t peer_pin_len)
{
- knot_quic_creds_t *creds = calloc(1, sizeof(*creds) + peer_pin_len);
+ knot_creds_t *creds = calloc(1, sizeof(*creds) + peer_pin_len);
if (creds == NULL) {
return NULL;
}
}
_public_
-int knot_quic_creds_cert(struct knot_quic_creds *creds, struct gnutls_x509_crt_int **cert)
+int knot_creds_cert(struct knot_creds *creds, struct gnutls_x509_crt_int **cert)
{
if (creds == NULL || cert == NULL) {
return KNOT_EINVAL;
}
_public_
-void knot_quic_free_creds(struct knot_quic_creds *creds)
+void knot_creds_free(struct knot_creds *creds)
{
if (creds == NULL) {
return;
_public_
int knot_tls_session(struct gnutls_session_int **session,
- struct knot_quic_creds *creds,
+ struct knot_creds *creds,
const char *priority,
const char *alpn,
bool early_data,
_public_
int knot_tls_pin_check(struct gnutls_session_int *session,
- struct knot_quic_creds *creds)
+ struct knot_creds *creds)
{
if (creds->peer_pin_len == 0) {
return KNOT_EOK;
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
+/*!
+ * \file
+ *
+ * \brief Credentials handling common to QUIC and TLS.
+ *
+ * \addtogroup quic
+ * @{
+ */
+
#pragma once
#include <stdbool.h>
struct gnutls_session_int;
struct gnutls_x509_crt_int;
-struct knot_quic_creds;
+struct knot_creds;
/*!
* \brief Init server TLS certificate for DoQ.
*
* \return Initialized creds.
*/
-struct knot_quic_creds *knot_quic_init_creds(const char *cert_file,
- const char *key_file);
+struct knot_creds *knot_creds_init(const char *cert_file, const char *key_file);
/*!
* \brief Init peer TLS certificate for DoQ.
*
* \return Initialized creds.
*/
-struct knot_quic_creds *knot_quic_init_creds_peer(const struct knot_quic_creds *local_creds,
- const uint8_t *peer_pin,
- uint8_t peer_pin_len);
+struct knot_creds *knot_creds_init_peer(const struct knot_creds *local_creds,
+ const uint8_t *peer_pin,
+ uint8_t peer_pin_len);
/*!
* \brief Gets the certificate from credentials.
*
* \return KNOT_E*
*/
-int knot_quic_creds_cert(struct knot_quic_creds *creds, struct gnutls_x509_crt_int **cert);
+int knot_creds_cert(struct knot_creds *creds, struct gnutls_x509_crt_int **cert);
/*!
* \brief Deinit server TLS certificate for DoQ.
*/
-void knot_quic_free_creds(struct knot_quic_creds *creds);
+void knot_creds_free(struct knot_creds *creds);
/*!
* \brief Initialize GnuTLS session with credentials, ALPN, etc.
* \return KNOT_E*
*/
int knot_tls_session(struct gnutls_session_int **session,
- struct knot_quic_creds *creds,
+ struct knot_creds *creds,
const char *priority,
const char *alpn,
bool early_data,
* \return KNOT_EOK or KNOT_EBADCERTKEY
*/
int knot_tls_pin_check(struct gnutls_session_int *session,
- struct knot_quic_creds *creds);
+ struct knot_creds *creds);
+
+/*! @} */
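Review bot: The new file brief at the top of this header describes the credentials API as common to QUIC and TLS, but the unchanged function briefs still scope it to DoQ — `\brief Init server TLS certificate for DoQ.`, `\brief Init peer TLS certificate for DoQ.` and `\brief Deinit server TLS certificate for DoQ.` — so a reader of `knot_creds_init` will assume it is QUIC-only after the rename. Rewording them to `\brief Init server TLS credentials (certificate and key) for QUIC and TLS.`, `\brief Init peer TLS credentials for QUIC and TLS.` and `\brief Free credentials for QUIC and TLS.` keeps the header self-consistent. It would also help to state in the `knot_creds_init_peer` doc that the `peer_pin` bytes are kept inside the returned object (the creds.c allocation of `sizeof(*creds) + peer_pin_len` suggests a copy, but the copy itself is outside the hunk, so confirm) and that `knot_creds_free` is the matching release call.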
knot_tcp_table_t *tcp_table = NULL;
#ifdef ENABLE_QUIC
knot_quic_table_t *quic_table = NULL;
- struct knot_quic_creds *quic_creds = NULL;
+ struct knot_creds *quic_creds = NULL;
list_t quic_sessions;
init_list(&quic_sessions);
#endif // ENABLE_QUIC
}
if (ctx->quic) {
#ifdef ENABLE_QUIC
- quic_creds = knot_quic_init_creds_peer(NULL, NULL, 0);
+ quic_creds = knot_creds_init_peer(NULL, NULL, 0);
if (quic_creds == NULL) {
ERR2("failed to initialize QUIC context");
return NULL;
WALK_LIST_DELSAFE(n, nxt, quic_sessions) {
knot_quic_session_load(NULL, n);
}
- knot_quic_free_creds(quic_creds);
+ knot_creds_free(quic_creds);
#endif // ENABLE_QUIC
char recv_str[40] = "", lost_str[40] = "", err_str[40] = "";