From: Artem Boldariev Date: Thu, 31 Mar 2022 10:48:14 +0000 (+0300) Subject: Replace listener TLS contexts on reconfiguration X-Git-Tag: v9.19.0~10^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=77b2db82468d4b49ad22455ce738e7a065c0f2cd;p=thirdparty%2Fbind9.git Replace listener TLS contexts on reconfiguration This commit makes use of isc_nmsocket_set_tlsctx(). Now, instead of recreating TLS-enabled listeners (including the underlying TCP listener sockets), only the TLS context in use is replaced. --- diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c index d3bdb953e45..395aa04e1bc 100644 --- a/lib/ns/interfacemgr.c +++ b/lib/ns/interfacemgr.c @@ -909,6 +909,25 @@ clearlistenon(ns_interfacemgr_t *mgr) { } } +static void +replace_listener_tlsctx(ns_interfacemgr_t *mgr, ns_interface_t *ifp, + isc_tlsctx_t *newctx) { + char sabuf[ISC_SOCKADDR_FORMATSIZE]; + REQUIRE(NS_INTERFACE_VALID(ifp)); + + LOCK(&mgr->lock); + isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, + "updating TLS context on %s", sabuf); + if (ifp->tcplistensocket != NULL) { + /* 'tcplistensocket' is used for DoT */ + isc_nmsocket_set_tlsctx(ifp->tcplistensocket, newctx); + } else if (ifp->http_secure_listensocket != NULL) { + isc_nmsocket_set_tlsctx(ifp->http_secure_listensocket, newctx); + } + UNLOCK(&mgr->lock); +} + static isc_result_t do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { isc_interfaceiter_t *iter = NULL; @@ -976,42 +995,30 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { ifp = find_matching_interface(mgr, &listen_addr); if (ifp != NULL) { - /* - * We need to recreate the TLS/HTTPS listeners - * during reconfiguration because the - * certificates could have been changed. - */ - if (config && LISTENING(ifp) && - le->sslctx != NULL) { - INSIST(NS_INTERFACE_VALID(ifp)); - LOCK(&mgr->lock); - isc_sockaddr_format(&ifp->addr, sabuf, + ifp->generation = mgr->generation; + if (le->dscp != -1 && ifp->dscp == -1) { + ifp->dscp = le->dscp; + } else if (le->dscp != ifp->dscp) { + isc_sockaddr_format(&listen_addr, sabuf, sizeof(sabuf)); isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_INFO, - "no longer listening on " - "%s", - sabuf); - interface_destroy(&ifp); - UNLOCK(&mgr->lock); - } else { - ifp->generation = mgr->generation; - if (le->dscp != -1 && ifp->dscp == -1) { - ifp->dscp = le->dscp; - } else if (le->dscp != ifp->dscp) { - isc_sockaddr_format( - &listen_addr, sabuf, - sizeof(sabuf)); - isc_log_write( - IFMGR_COMMON_LOGARGS, - ISC_LOG_WARNING, - "%s: conflicting DSCP " - "values, using %d", - sabuf, ifp->dscp); - } - if (LISTENING(ifp)) { - continue; + ISC_LOG_WARNING, + "%s: conflicting DSCP " + "values, using %d", + sabuf, ifp->dscp); + } + if (LISTENING(ifp)) { + /* + * We need to update the TLS contexts + * inside the TLS/HTTPS listeners during + * a reconfiguration because the + * certificates could have been changed. + */ + if (config && le->sslctx != NULL) { + replace_listener_tlsctx( + mgr, ifp, le->sslctx); } + continue; } } @@ -1152,42 +1159,32 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { ifp = find_matching_interface(mgr, &listen_sockaddr); if (ifp != NULL) { - /* - * We need to recreate the TLS/HTTPS listeners - * during a reconfiguration because the - * certificates could have been changed. - */ - if (config && LISTENING(ifp) && - le->sslctx != NULL) { - INSIST(NS_INTERFACE_VALID(ifp)); - LOCK(&mgr->lock); - isc_sockaddr_format(&ifp->addr, sabuf, + ifp->generation = mgr->generation; + if (le->dscp != -1 && ifp->dscp == -1) { + ifp->dscp = le->dscp; + } else if (le->dscp != ifp->dscp) { + isc_sockaddr_format(&listen_sockaddr, + sabuf, sizeof(sabuf)); isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_INFO, - "no longer listening on " - "%s", - sabuf); - interface_destroy(&ifp); - UNLOCK(&mgr->lock); - } else { - ifp->generation = mgr->generation; - if (le->dscp != -1 && ifp->dscp == -1) { - ifp->dscp = le->dscp; - } else if (le->dscp != ifp->dscp) { - isc_sockaddr_format( - &listen_sockaddr, sabuf, - sizeof(sabuf)); - isc_log_write( - IFMGR_COMMON_LOGARGS, - ISC_LOG_WARNING, - "%s: conflicting DSCP " - "values, using %d", - sabuf, ifp->dscp); - } - if (LISTENING(ifp)) { - continue; + ISC_LOG_WARNING, + "%s: conflicting DSCP " + "values, using %d", + sabuf, ifp->dscp); + } + if (LISTENING(ifp)) { + /* + * We need to update the TLS contexts + * inside the TLS/HTTPS listeners during + * a reconfiguration because the + * certificates could have been changed. + */ + if (config && le->sslctx != NULL) { + replace_listener_tlsctx( + mgr, ifp, le->sslctx); } + + continue; } }