From: Artem Boldariev
Date: Thu, 4 May 2023 20:06:23 +0000 (+0300)
Subject: Make it possible to use TLS Stream on top of PROXY Stream
X-Git-Tag: v9.19.19~10^2~34
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4437096ba0a444868e1d5ec0c7955192e2a44ed9;p=thirdparty%2Fbind9.git

Make it possible to use TLS Stream on top of PROXY Stream

This commit modifies TLS Stream to make it possible to use over PROXY Stream. That is required to add PROVYv2 support into TLS-based transports (DNS over HTTP, DNS over TLS).
---
diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h
index 2bc154bc5d6..cd47e77243b 100644
--- a/lib/isc/include/isc/netmgr.h
+++ b/lib/isc/include/isc/netmgr.h
@@ -616,7 +616,7 @@ isc_nm_is_proxy_handle(isc_nmhandle_t *handle);
 isc_result_t
 isc_nm_listentls(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface,
 isc_nm_accept_cb_t accept_cb, void *accept_cbarg, int backlog,
- isc_quota_t *quota, isc_tlsctx_t *sslctx,
+ isc_quota_t *quota, isc_tlsctx_t *sslctx, bool proxy,
 isc_nmsocket_t **sockp);
 void
@@ -624,7 +624,8 @@ isc_nm_tlsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 isc_nm_cb_t connect_cb, void *connect_cbarg, isc_tlsctx_t *ctx,
 isc_tlsctx_client_session_cache_t *client_sess_cache,
- unsigned int timeout);
+ unsigned int timeout, bool proxy,
+ isc_nm_proxyheader_info_t *proxy_info);
 #if HAVE_LIBNGHTTP2
diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index d74d02d3e2f..f6a11d69d5f 100644
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -1510,7 +1510,8 @@ isc_nm_httpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 if (tlsctx != NULL) {
 isc_nm_tlsconnect(mgr, local, peer, transport_connect_cb, sock,
- tlsctx, client_sess_cache, timeout);
+ tlsctx, client_sess_cache, timeout, false,
+ NULL);
 } else {
 isc_nm_tcpconnect(mgr, local, peer, transport_connect_cb, sock,
 timeout);
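Review bot: The `bool proxy` added to isc_nm_listentls and the `bool proxy, isc_nm_proxyheader_info_t *proxy_info` added to isc_nm_tlsconnect in the second netmgr.h hunk are undocumented in the header: nothing here states whether `proxy_info` may be NULL or that it is only consulted when `proxy` is true, which is what every call site in this commit relies on by passing `false, NULL`. If a descriptive comment follows these prototypes outside the hunk it should be extended; otherwise add one after isc_nm_tlsconnect such as `/*%< When 'proxy' is true the TLS stream is established over a PROXY stream and 'proxy_info' (which may be NULL) is handed to it; 'proxy_info' is ignored when 'proxy' is false. */`, with a matching line for isc_nm_listentls. Since a listener created with `proxy` set presumably accepts the PROXY header it receives as the source of the client address, the isc_nm_listentls comment is also the place to say that it is meant for listeners sitting behind a trusted proxy.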
@@ -2485,7 +2486,7 @@ isc_nm_listenhttp(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface,
 if (ctx != NULL) {
 result = isc_nm_listentls(mgr, workers, iface,
 httplisten_acceptcb, sock, backlog,
- quota, ctx, &sock->outer);
+ quota, ctx, false, &sock->outer);
 } else {
 result = isc_nm_listentcp(mgr, workers, iface,
 httplisten_acceptcb, sock, backlog,
diff --git a/lib/isc/netmgr/streamdns.c b/lib/isc/netmgr/streamdns.c
index a0926f1a3d0..3199cd61fee 100644
--- a/lib/isc/netmgr/streamdns.c
+++ b/lib/isc/netmgr/streamdns.c
@@ -397,7 +397,8 @@ isc_nm_streamdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local,
 } else {
 isc_nm_tlsconnect(mgr, local, peer,
 streamdns_transport_connected, nsock, ctx,
- client_sess_cache, nsock->connect_timeout);
+ client_sess_cache, nsock->connect_timeout,
+ false, NULL);
 }
 }
@@ -743,7 +744,7 @@ isc_nm_listenstreamdns(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface,
 } else {
 result = isc_nm_listentls(
 mgr, workers, iface, streamdns_accept_cb, listener,
- backlog, quota, tlsctx, &listener->outer);
+ backlog, quota, tlsctx, false, &listener->outer);
 }
 if (result != ISC_R_SUCCESS) {
 listener->closed = true;
diff --git a/lib/isc/netmgr/tlsstream.c b/lib/isc/netmgr/tlsstream.c
index d81f2500329..16bbc1c5928 100644
--- a/lib/isc/netmgr/tlsstream.c
+++ b/lib/isc/netmgr/tlsstream.c
@@ -943,7 +943,8 @@ tlslisten_acceptcb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 isc_result_t
 isc_nm_listentls(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface,
 isc_nm_accept_cb_t accept_cb, void *accept_cbarg, int backlog,
- isc_quota_t *quota, SSL_CTX *sslctx, isc_nmsocket_t **sockp) {
+ isc_quota_t *quota, SSL_CTX *sslctx, bool proxy,
+ isc_nmsocket_t **sockp) {
 isc_result_t result;
 isc_nmsocket_t *tlssock = NULL;
 isc_nmsocket_t *tsock = NULL;
@@ -975,8 +976,15 @@ isc_nm_listentls(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface,
 * tlssock will be a TLS 'wrapper' around an unencrypted stream.
 * We set tlssock->outer to a socket listening for a TCP connection.
 */
- result = isc_nm_listentcp(mgr, workers, iface, tlslisten_acceptcb,
- tlssock, backlog, quota, &tlssock->outer);
+ if (proxy) {
+ result = isc_nm_listenproxystream(
+ mgr, workers, iface, tlslisten_acceptcb, tlssock,
+ backlog, quota, &tlssock->outer);
+ } else {
+ result = isc_nm_listentcp(mgr, workers, iface,
+ tlslisten_acceptcb, tlssock, backlog,
+ quota, &tlssock->outer);
+ }
 if (result != ISC_R_SUCCESS) {
 tlssock->closed = true;
 isc__nmsocket_detach(&tlssock);
@@ -1171,7 +1179,8 @@ isc_nm_tlsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 isc_nm_cb_t connect_cb, void *connect_cbarg, isc_tlsctx_t *ctx,
 isc_tlsctx_client_session_cache_t *client_sess_cache,
- unsigned int timeout) {
+ unsigned int timeout, bool proxy,
+ isc_nm_proxyheader_info_t *proxy_info) {
 isc_nmsocket_t *sock = NULL;
 isc__networker_t *worker = NULL;
@@ -1198,8 +1207,13 @@ isc_nm_tlsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 client_sess_cache, &sock->tlsstream.client_sess_cache);
 }
- isc_nm_tcpconnect(mgr, local, peer, tcp_connected, sock,
- sock->connect_timeout);
+ if (proxy) {
+ isc_nm_proxystreamconnect(mgr, local, peer, tcp_connected, sock,
+ sock->connect_timeout, proxy_info);
+ } else {
+ isc_nm_tcpconnect(mgr, local, peer, tcp_connected, sock,
+ sock->connect_timeout);
+ }
 }
 static void
@@ -1269,7 +1283,8 @@ error:
 void
 isc__nm_tls_cleanup_data(isc_nmsocket_t *sock) {
- if (sock->type == isc_nm_tcplistener &&
+ if ((sock->type == isc_nm_tcplistener ||
+ sock->type == isc_nm_proxystreamlistener) &&
 sock->tlsstream.tlslistener != NULL) {
 isc__nmsocket_detach(&sock->tlsstream.tlslistener);
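Review bot: The comment directly above the new `if (proxy)` branch in isc_nm_listentls still says `We set tlssock->outer to a socket listening for a TCP connection.`, which is no longer accurate when `proxy` is true and tlssock->outer becomes the listener returned by isc_nm_listenproxystream. Change that line to `* We set tlssock->outer to a socket listening for a TCP connection (or, when 'proxy' is set, for a PROXY stream connection).` The opening line of that comment and the rest of isc_nm_listentls lie outside the hunk.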
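Review bot: In the @@ -1198 hunk `proxy_info` is only ever forwarded to isc_nm_proxystreamconnect, so a caller that supplies a header together with `proxy == false` silently gets a plain TCP connection and its header is dropped without any diagnostic; a precondition at the top of isc_nm_tlsconnect (whose body begins in the preceding hunk) would catch that misuse early, e.g. `REQUIRE(proxy || proxy_info == NULL);`, assuming the file uses the project's REQUIRE macro. Separately, `tcp_connected` is now also the completion callback for the PROXY stream connect, so its name misdescribes one of its two callers; either rename it to something transport-neutral such as `transport_connected` or add a one-line comment on its definition (outside this hunk) noting that it is shared by both the TCP and the PROXY stream paths.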
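Review bot: The widened type test in isc__nm_tls_cleanup_data (here for the listener, and again for the socket in the @@ -1304 hunk) is what decides whether the tlslistener/tlssocket reference is detached at all, so a socket whose outer transport is not listed here would be left undetached, and nothing explains why exactly these two types are accepted. A short comment above each condition, e.g. `/* the outer transport of a TLS stream is either a TCP or a PROXY stream socket */`, would make the pairing explicit for the next transport that gets added. If tlsstream.c contains other `sock->type == isc_nm_tcpsocket` or `isc_nm_tcplistener` comparisons outside these hunks, they presumably need the same extension; the rest of isc__nm_tls_cleanup_data is outside this hunk.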
@@ -1304,7 +1319,8 @@ isc__nm_tls_cleanup_data(isc_nmsocket_t *sock) {
 sock->tlsstream.send_req,
 sizeof(*sock->tlsstream.send_req));
 }
- } else if (sock->type == isc_nm_tcpsocket &&
+ } else if ((sock->type == isc_nm_tcpsocket ||
+ sock->type == isc_nm_proxystreamsocket) &&
 sock->tlsstream.tlssocket != NULL) {
 /*
diff --git a/tests/isc/netmgr_common.c b/tests/isc/netmgr_common.c
index 3caa4f5374c..9c523506e2c 100644
--- a/tests/isc/netmgr_common.c
+++ b/tests/isc/netmgr_common.c
@@ -584,7 +584,8 @@ static void
 tls_connect(isc_nm_t *nm) {
 isc_nm_tlsconnect(nm, &tcp_connect_addr, &tcp_listen_addr,
 connect_connect_cb, NULL, tcp_connect_tlsctx,
- tcp_tlsctx_client_sess_cache, T_CONNECT);
+ tcp_tlsctx_client_sess_cache, T_CONNECT,
+ stream_use_PROXY, NULL);
 }
 isc_nm_proxyheader_info_t *
@@ -630,10 +631,10 @@ stream_listen(isc_nm_accept_cb_t accept_cb, void *accept_cbarg, int backlog,
 isc_result_t result = ISC_R_SUCCESS;
 if (stream_use_TLS) {
- result = isc_nm_listentls(listen_nm, ISC_NM_LISTEN_ALL,
- &tcp_listen_addr, accept_cb,
- accept_cbarg, backlog, quota,
- tcp_listen_tlsctx, sockp);
+ result = isc_nm_listentls(
+ listen_nm, ISC_NM_LISTEN_ALL, &tcp_listen_addr,
+ accept_cb, accept_cbarg, backlog, quota,
+ tcp_listen_tlsctx, stream_use_PROXY, sockp);
 return (result);
 } else if (stream_use_PROXY) {
 result = isc_nm_listenproxystream(
@@ -655,10 +656,10 @@ stream_connect(isc_nm_cb_t cb, void *cbarg, unsigned int timeout) {
 isc_refcount_increment0(&active_cconnects);
 if (stream_use_TLS) {
- isc_nm_tlsconnect(connect_nm, &tcp_connect_addr,
- &tcp_listen_addr, cb, cbarg,
- tcp_connect_tlsctx,
- tcp_tlsctx_client_sess_cache, timeout);
+ isc_nm_tlsconnect(
+ connect_nm, &tcp_connect_addr, &tcp_listen_addr, cb,
+ cbarg, tcp_connect_tlsctx, tcp_tlsctx_client_sess_cache,
+ timeout, stream_use_PROXY, NULL);
 return;
 } else if (stream_use_PROXY) {
 isc_nm_proxystreamconnect(connect_nm, &tcp_connect_addr,