]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
allow configuration of dnsrps library path
authorEvan Hunt <each@isc.org>
Mon, 13 Mar 2023 21:13:39 +0000 (14:13 -0700)
committerEvan Hunt <each@isc.org>
Tue, 28 Mar 2023 22:44:31 +0000 (15:44 -0700)
for testing purposes, we need to be able to specify a library path from
which to load the dnsrps implementation. this can now be done with the
"dnsrps-library" option.

DNSRPS can now be enabled in configure regardless of whether librpz.so
is currently installed on the system.

bin/named/config.c
bin/named/include/named/server.h
bin/named/server.c
configure.ac
doc/arm/reference.rst
doc/misc/options
lib/dns/dnsrps.c
lib/dns/include/dns/dnsrps.h
lib/dns/include/dns/librpz.h
lib/isccfg/namedconf.c

index be9724ec71a0c954ced8ec66f971cd680547e117..b470486df466173d061e18dea0fb8f04d5c0a6f5 100644 (file)
@@ -149,6 +149,9 @@ options {\n\
        clients-per-query 10;\n\
        dnssec-accept-expired no;\n\
        dnssec-validation " VALIDATION_DEFAULT "; \n"
+#ifdef USE_DNSRPS
+                           "   dnsrps-library \"" DNSRPS_LIBRPZ_PATH "\";\n"
+#endif /* ifdef USE_DNSRPS */
 #ifdef HAVE_DNSTAP
                            "   dnstap-identity hostname;\n"
 #endif /* ifdef HAVE_DNSTAP */
index 764bd2b77d1fe3d2a303e96daff55eb21f822b5b..ecaf6ca82b1ee1fa36da7c0552198177ff31b61c 100644 (file)
@@ -50,16 +50,15 @@ struct named_server {
        char *statsfile;    /*%< Statistics file name */
        char *dumpfile;     /*%< Dump file name */
        char *secrootsfile; /*%< Secroots file name */
-       char *bindkeysfile; /*%< bind.keys file name
-                            * */
+       char *bindkeysfile; /*%< bind.keys file name */
        char *recfile;      /*%< Recursive file name */
-       bool  version_set;  /*%< User has set version
-                            * */
+       bool  version_set;  /*%< User has set version */
        char *version;      /*%< User-specified version */
-       bool  hostname_set; /*%< User has set hostname
-                            * */
-       char *hostname;     /*%< User-specified hostname
-                            * */
+       bool  hostname_set; /*%< User has set hostname */
+       char *hostname;     /*%< User-specified hostname */
+#ifdef USE_DNSRPS
+       char *dnsrpslib;
+#endif /* ifdef USE_DNSRPS */
 
        /* Server data structures. */
        dns_loadmgr_t     *loadmgr;
index 67b8e1c4a94897b56553156934af9826c86c9adf..2fdf3db1122f6693ca6e24c79c12f94af5aace7a 100644 (file)
@@ -2025,7 +2025,7 @@ conf_dnsrps_sadd(conf_dnsrps_ctx_t *ctx, const char *p, ...) {
 }
 
 /*
- * Get an DNSRPS configuration value using the global and view options
+ * Get a DNSRPS configuration value using the global and view options
  * for the default.  Return false upon failure.
  */
 static bool
@@ -9079,6 +9079,35 @@ load_configuration(const char *filename, named_server_t *server,
        server->kasplist = kasplist;
        kasplist = tmpkasplist;
 
+#ifdef USE_DNSRPS
+       /*
+        * Find the path to the DNSRPS implementation library.
+        */
+       obj = NULL;
+       if (named_config_get(maps, "dnsrps-library", &obj) == ISC_R_SUCCESS) {
+               if (server->dnsrpslib != NULL) {
+                       dns_dnsrps_server_destroy();
+                       isc_mem_free(server->mctx, server->dnsrpslib);
+                       server->dnsrpslib = NULL;
+               }
+               setstring(server, &server->dnsrpslib, cfg_obj_asstring(obj));
+               result = dns_dnsrps_server_create(server->dnsrpslib);
+               isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+                             NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+                             "initializing DNSRPS RPZ provider '%s': %s",
+                             server->dnsrpslib, isc_result_totext(result));
+               /*
+                * It's okay if librpz isn't available. We'll complain
+                * later if it turns out to be needed for a view with
+                * "dnsrps-enable yes".
+                */
+               if (result == ISC_R_FILENOTFOUND) {
+                       result = ISC_R_SUCCESS;
+               }
+               CHECKFATAL(result, "initializing RPZ service interface");
+       }
+#endif /* ifdef USE_DNSRPS */
+
        /*
         * Configure the views.
         */
@@ -10135,18 +10164,13 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
                .recfile = isc_mem_strdup(mctx, "named.recursing"),
        };
 
-#ifdef USE_DNSRPS
-       CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service "
-                                              "interface");
-#endif /* ifdef USE_DNSRPS */
-
        /* Initialize server data structures. */
        ISC_LIST_INIT(server->kasplist);
        ISC_LIST_INIT(server->viewlist);
 
        /* Must be first. */
-       CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing "
-                                                              "DST");
+       CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine),
+                  "initializing DST");
 
        CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
                                     &server->in_roothints),
@@ -10218,6 +10242,7 @@ named_server_destroy(named_server_t **serverp) {
 
 #ifdef USE_DNSRPS
        dns_dnsrps_server_destroy();
+       isc_mem_free(server->mctx, server->dnsrpslib);
 #endif /* ifdef USE_DNSRPS */
 
        named_controls_destroy(&server->controls);
index e0e893b50bd345938e401f2a637774abe62d80f4..7ebbb0d2c596aa40404e367b5c6a1e87cfec2093 100644 (file)
@@ -1478,10 +1478,10 @@ AC_COMPILE_IFELSE(
 AC_ARG_ENABLE([dnsrps-dl],
              [AS_HELP_STRING([--enable-dnsrps-dl],
                              [DNS Response Policy Service delayed link
-                              [default=$librpz_dl]])],
-             [enable_librpz_dl="$enableval"], [enable_librpz_dl="$with_dlopen"])
+                              [default=yes]])],
+             [enable_dnsprs_dl="$enableval"], [enable_dnsrps_dl="yes"])
 
-AS_IF([test "$enable_librpz_dl" = "yes" -a "$with_dlopen" = "no"],
+AS_IF([test "$enable_dnsprs_dl" = "yes" -a "$with_dlopen" = "no"],
       [AC_MSG_ERROR([DNS Response Policy Service delayed link requires dlopen to be enabled])])
 
 # [pairwise: skip]
@@ -1497,7 +1497,7 @@ AC_ARG_WITH([dnsrps-dir],
            [librpz_path="$withval/$librpz_name"], [librpz_path="$librpz_name"])
 AC_DEFINE_UNQUOTED([DNSRPS_LIBRPZ_PATH], ["$librpz_path"],
                   [dnsrps $librpz_name])
-AS_IF([test "$enable_librpz_dl" = "yes"],
+AS_IF([test "$enable_dnsrps_dl" = "yes"],
       [
        dnsrps_lib_open=2
       ],[
@@ -1517,8 +1517,6 @@ AC_ARG_ENABLE([dnsrps],
              [enable_dnsrps=$enableval], [enable_dnsrps=no])
 
 AS_IF([test "$enable_dnsrps" != "no"],[
-       AS_IF([test "$dnsrps_avail" != "yes"],
-             [AC_MSG_ERROR([dlopen and librpz.so needed for DNSRPS])])
        AS_IF([test "$dnsrps_lib_open" = "0"],
              [AC_MSG_ERROR([dlopen and librpz.so needed for DNSRPS])])
        AC_DEFINE([USE_DNSRPS], [1], [Enable DNS Response Policy Service API])
index d3effe04a88abe0b1306126fc2e7f9427067bc30..2604b6e71d47f1e23572c902e255212b5b736251 100644 (file)
@@ -5110,6 +5110,15 @@ done to discover problems at the authoritative server.
    (DNSRPS) interface, if it has been compiled in :iscman:`named` using
    ``configure --enable-dnsrps``.
 
+.. namedconf:statement:: dnsrps-library
+   :tags: server, security
+   :short: Turns on the DNS Response Policy Service (DNSRPS) interface.
+
+   This option specifies the path to the DNSRPS provider library. Typically
+   this library is detected when building with ``configure --enable-dnsrps``
+   and does not need to be specified in ``named.conf``; the option exists
+   to override the default library for testing purposes.
+
 .. namedconf:statement:: dnsrps-options
    :tags: server, security
    :short: Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.
@@ -5117,7 +5126,7 @@ done to discover problems at the authoritative server.
    The block provides additional RPZ configuration
    settings, which are passed through to the DNSRPS provider library.
    Multiple DNSRPS settings in an :any:`dnsrps-options` string should be
-   separated with semi-colons (;). The DNSRPS provider, librpz, is passed a
+   separated with semi-colons (;). The DNSRPS provider library is passed a
    configuration string consisting of the :any:`dnsrps-options` text,
    concatenated with settings derived from the :any:`response-policy`
    statement.
index 58298adacbea84591945e3804c6fec1cdf7d3a96..e55cbdd0776765c813347f26d0ef9780a490a6c0 100644 (file)
@@ -112,6 +112,7 @@ options {
        dns64-server <string>;
        dnskey-sig-validity <integer>;
        dnsrps-enable <boolean>; // not configured
+       dnsrps-library <quoted_string>; // not configured
        dnsrps-options { <unspecified-text> }; // not configured
        dnssec-accept-expired <boolean>;
        dnssec-dnskey-kskonly <boolean>;
index c93dc1c874036f00eae0340f43656d8fe8852667..a322c9900bc8829e3d05133531c6579f41521df6 100644 (file)
@@ -33,9 +33,9 @@
 #include <dns/rdatasetiter.h>
 #include <dns/rpz.h>
 
-librpz_t *librpz;
+librpz_t *librpz = NULL;
 librpz_emsg_t librpz_lib_open_emsg;
-static void *librpz_handle;
+static void *librpz_handle = NULL;
 
 #define RPSDB_MAGIC       ISC_MAGIC('R', 'P', 'Z', 'F')
 #define VALID_RPSDB(rpsdb) ((rpsdb)->common.impmagic == RPSDB_MAGIC)
@@ -129,7 +129,7 @@ dnsrps_log_fnc(librpz_log_level_t level, void *ctxt, const char *buf) {
  *     This is not thread safe, but it is called by a single thread.
  */
 isc_result_t
-dns_dnsrps_server_create(void) {
+dns_dnsrps_server_create(const char *librpz_path) {
        librpz_emsg_t emsg;
 
        INSIST(clist == NULL);
@@ -140,14 +140,9 @@ dns_dnsrps_server_create(void) {
         * Notice if librpz is available.
         */
        librpz = librpz_lib_open(&librpz_lib_open_emsg, &librpz_handle,
-                                DNSRPS_LIBRPZ_PATH);
-       /*
-        * Stop now without complaining if librpz is not available.
-        * Complain later if and when librpz is needed for a view with
-        * "dnsrps-enable yes" (including the default view).
-        */
+                                librpz_path);
        if (librpz == NULL) {
-               return (ISC_R_SUCCESS);
+               return (ISC_R_FILENOTFOUND);
        }
 
        isc_mutex_init(&dnsrps_mutex);
@@ -176,7 +171,7 @@ dns_dnsrps_server_destroy(void) {
                librpz->clist_detach(&clist);
        }
 
-#ifdef LIBRPZ_USE_DLOPEN
+#if DNSRPS_LIB_OPEN == 2
        if (librpz != NULL) {
                INSIST(librpz_handle != NULL);
                if (dlclose(librpz_handle) != 0) {
@@ -185,8 +180,9 @@ dns_dnsrps_server_destroy(void) {
                                      "dnsrps: dlclose(): %s", dlerror());
                }
                librpz_handle = NULL;
+               librpz = NULL;
        }
-#endif /* ifdef LIBRPZ_USE_DLOPEN */
+#endif
 }
 
 /*
index 15066f0fcb1712c9b35b2d6bb8c74471e214294d..ed297ddcc3e8980d16d770796e59cda1b888c1ae 100644 (file)
@@ -79,7 +79,7 @@ dns_dnsrps_type2trig(dns_rpz_type_t type);
  * Start dnsrps for the entire server.
  */
 isc_result_t
-dns_dnsrps_server_create(void);
+dns_dnsrps_server_create(const char *librpz_path);
 
 /*
  * Stop dnsrps for the entire server.
index c99920cb77f93312d9189abc8d5b134aa3fdf37c..60496be8eed5d2149faf5d47fc68fde2f67f4142 100644 (file)
@@ -845,7 +845,7 @@ extern librpz_0_t librpz_def_0;
 typedef librpz_0_t librpz_t;
 extern librpz_t          *librpz;
 
-#if LIBRPZ_LIB_OPEN == 2
+#if DNSRPS_LIB_OPEN == 2
 #include <dlfcn.h>
 
 /**
@@ -932,13 +932,13 @@ librpz_lib_open(librpz_emsg_t *emsg, void **dl_handle, const char *path) {
                *dl_handle = NULL;
        }
 
-#if LIBRPZ_LIB_OPEN == 1
+#if DNSRPS_LIB_OPEN == 1
        emsg->c[0] = '\0';
        return (&LIBRPZ_DEF);
-#else  /* if LIBRPZ_LIB_OPEN == 1 */
+#else  /* if DNSRPS_LIB_OPEN == 1 */
        snprintf(emsg->c, sizeof(librpz_emsg_t),
                 "librpz not available via ./configure");
        return (NULL);
-#endif /* LIBRPZ_LIB_OPEN */
+#endif /* DNSRPS_LIB_OPEN */
 }
 #endif /* LIBRPZ_LIB_OPEN */
index a6accd8ffdd420d1a87a70860abd79f25868a07b..2f0363a3a34ba2717571c5af7512c6a36462e19a 100644 (file)
@@ -1206,6 +1206,11 @@ static cfg_clausedef_t options_clauses[] = {
        { "datasize", &cfg_type_size, CFG_CLAUSEFLAG_ANCIENT },
        { "deallocate-on-exit", NULL, CFG_CLAUSEFLAG_ANCIENT },
        { "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
+#ifdef USE_DNSRPS
+       { "dnsrps-library", &cfg_type_qstring, 0 },
+#else  /* ifdef USE_DNSRPS */
+       { "dnsrps-library", &cfg_type_qstring, CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* ifdef USE_DNSRPS */
 #ifdef HAVE_DNSTAP
        { "dnstap-output", &cfg_type_dnstapoutput, 0 },
        { "dnstap-identity", &cfg_type_serverid, 0 },