From: Artem Boldariev Date: Fri, 19 May 2023 11:56:45 +0000 (+0300) Subject: DoH: add PROXY over TLS support X-Git-Tag: v9.19.19~10^2~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9d7343cd7d6b5c3464e8ac5dc6026b501fa5b332;p=thirdparty%2Fbind9.git DoH: add PROXY over TLS support This commit extends DNS over HTTP(S) transport with PROXY over TLS support. --- diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index afca0d557e6..901e7837c8d 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -3045,7 +3045,7 @@ start_tcp(dig_query_t *query) { isc_nm_httpconnect(netmgr, &localaddr, &query->sockaddr, uri, !query->lookup->https_get, tcp_connected, connectquery, tlsctx, sess_cache, - local_timeout, false, NULL); + local_timeout, ISC_NM_PROXY_NONE, NULL); #endif } else { isc_nm_streamdnsconnect(netmgr, &localaddr, &query->sockaddr, diff --git a/bin/tests/test_client.c b/bin/tests/test_client.c index 81b3896e7fe..09bcebc8590 100644 --- a/bin/tests/test_client.c +++ b/bin/tests/test_client.c @@ -408,7 +408,7 @@ run(void) { } isc_nm_httpconnect(netmgr, &sockaddr_local, &sockaddr_remote, req_url, is_post, connect_cb, NULL, tls_ctx, - NULL, timeout, false, NULL); + NULL, timeout, ISC_NM_PROXY_NONE, NULL); } break; #endif default: diff --git a/bin/tests/test_server.c b/bin/tests/test_server.c index 95cf3e0b152..d101b6328f7 100644 --- a/bin/tests/test_server.c +++ b/bin/tests/test_server.c @@ -275,9 +275,9 @@ run(void) { eps, ISC_NM_HTTP_DEFAULT_PATH, read_cb, NULL); if (result == ISC_R_SUCCESS) { - result = isc_nm_listenhttp(netmgr, ISC_NM_LISTEN_ALL, - &sockaddr, 0, NULL, tls_ctx, - eps, 0, false, &sock); + result = isc_nm_listenhttp( + netmgr, ISC_NM_LISTEN_ALL, &sockaddr, 0, NULL, + tls_ctx, eps, 0, ISC_NM_PROXY_NONE, &sock); } isc_nm_http_endpoints_detach(&eps); } break; diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h index 18a2f79c3db..e3fb8ae0152 100644 --- a/lib/isc/include/isc/netmgr.h +++ b/lib/isc/include/isc/netmgr.h 
@@ -660,14 +660,14 @@ isc_nm_httpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, const char *uri, bool POST, isc_nm_cb_t cb, void *cbarg, isc_tlsctx_t *ctx, isc_tlsctx_client_session_cache_t *client_sess_cache, - unsigned int timeout, bool proxy, + unsigned int timeout, isc_nm_proxy_type_t proxy_type, isc_nm_proxyheader_info_t *proxy_info); isc_result_t isc_nm_listenhttp(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface, int backlog, isc_quota_t *quota, isc_tlsctx_t *ctx, isc_nm_http_endpoints_t *eps, uint32_t max_concurrent_streams, - bool proxy, isc_nmsocket_t **sockp); + isc_nm_proxy_type_t proxy_type, isc_nmsocket_t **sockp); isc_nm_http_endpoints_t * isc_nm_http_endpoints_new(isc_mem_t *mctx); diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c index aa106e06d9d..e4083e5edb9 100644 --- a/lib/isc/netmgr/http.c +++ b/lib/isc/netmgr/http.c @@ -1397,7 +1397,8 @@ transport_connect_cb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) { const unsigned char *alpn = NULL; unsigned int alpnlen = 0; - INSIST(transp_sock->type == isc_nm_tlssocket); + INSIST(transp_sock->type == isc_nm_tlssocket || + transp_sock->type == isc_nm_proxystreamsocket); isc__nmhandle_get_selected_alpn(handle, &alpn, &alpnlen); if (alpn == NULL || alpnlen != NGHTTP2_PROTO_VERSION_ID_LEN || @@ -1453,7 +1454,7 @@ isc_nm_httpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, const char *uri, bool post, isc_nm_cb_t cb, void *cbarg, isc_tlsctx_t *tlsctx, isc_tlsctx_client_session_cache_t *client_sess_cache, - unsigned int timeout, bool proxy, + unsigned int timeout, isc_nm_proxy_type_t proxy_type, isc_nm_proxyheader_info_t *proxy_info) { isc_sockaddr_t local_interface; isc_nmsocket_t *sock = NULL; 
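Review bot: The new `isc_nm_proxy_type_t proxy_type` parameter of isc_nm_httpconnect() and isc_nm_listenhttp() is undocumented in this hunk, and the http.c implementation enforces a contract the prototypes do not state: ISC_NM_PROXY_ENCRYPTED is only valid together with a non-NULL TLS context (an INSIST in both functions), and `proxy_info` is not forwarded at all in the ISC_NM_PROXY_NONE case. Any existing description of these two functions lies outside the hunk, so I cannot tell whether it was updated; next to the isc_nm_httpconnect() prototype I would add `/* proxy_type selects PROXY protocol handling: ISC_NM_PROXY_ENCRYPTED requires a non-NULL 'ctx'; 'proxy_info' is ignored for ISC_NM_PROXY_NONE. */` and a matching sentence for isc_nm_listenhttp().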
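Review bot: The widened INSIST on transp_sock->type now admits isc_nm_proxystreamsocket, but the later isc_nm_httpconnect() hunk creates a proxy-stream socket both with a TLS context (ISC_NM_PROXY_ENCRYPTED) and without one (ISC_NM_PROXY_PLAIN with tlsctx == NULL), while the ALPN check that follows only makes sense for an encrypted transport. Whether the unencrypted proxy-stream case can reach this code depends on a guard that starts outside the hunk, so the assumption should be stated in place: `/* a proxystreamsocket reaches this point only when it carries TLS (ISC_NM_PROXY_ENCRYPTED) */`. If isc_nm_has_encryption() accepts the handle here as it does in the isc__nm_http_has_encryption() hunk, `INSIST(isc_nm_has_encryption(handle));` would make that precondition explicit rather than relying on the socket type. transport_connect_cb() starts and ends outside the hunk.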
@@ -1516,17 +1517,38 @@ isc_nm_httpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, sock->iface = sock->h2.connect.local_interface; } - if (tlsctx != NULL) { - isc_nm_tlsconnect(mgr, local, peer, transport_connect_cb, sock, - tlsctx, client_sess_cache, timeout, proxy, - NULL); - } else if (proxy) { - isc_nm_proxystreamconnect(mgr, local, peer, - transport_connect_cb, sock, timeout, + switch (proxy_type) { + case ISC_NM_PROXY_NONE: + if (tlsctx != NULL) { + isc_nm_tlsconnect(mgr, local, peer, + transport_connect_cb, sock, tlsctx, + client_sess_cache, timeout, false, + NULL); + } else { + isc_nm_tcpconnect(mgr, local, peer, + transport_connect_cb, sock, timeout); + } + break; + case ISC_NM_PROXY_PLAIN: + if (tlsctx != NULL) { + isc_nm_tlsconnect(mgr, local, peer, + transport_connect_cb, sock, tlsctx, + client_sess_cache, timeout, true, proxy_info); - } else { - isc_nm_tcpconnect(mgr, local, peer, transport_connect_cb, sock, - timeout); + } else { + isc_nm_proxystreamconnect( + mgr, local, peer, transport_connect_cb, sock, + timeout, NULL, NULL, proxy_info); + } + break; + case ISC_NM_PROXY_ENCRYPTED: + INSIST(tlsctx != NULL); + isc_nm_proxystreamconnect( + mgr, local, peer, transport_connect_cb, sock, timeout, + tlsctx, client_sess_cache, proxy_info); + break; + default: + UNREACHABLE(); } } @@ -2473,9 +2495,9 @@ isc_result_t isc_nm_listenhttp(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface, int backlog, isc_quota_t *quota, isc_tlsctx_t *ctx, isc_nm_http_endpoints_t *eps, uint32_t max_concurrent_streams, - bool proxy, isc_nmsocket_t **sockp) { + isc_nm_proxy_type_t proxy_type, isc_nmsocket_t **sockp) { isc_nmsocket_t *sock = NULL; - isc_result_t result; + isc_result_t result = ISC_R_FAILURE; isc__networker_t *worker = NULL; REQUIRE(VALID_NM(mgr)); 
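Review bot: The `INSIST(tlsctx != NULL)` in the ISC_NM_PROXY_ENCRYPTED arm checks a caller precondition with an internal-consistency assertion, and it fires only after the socket has already been allocated and initialised earlier in the function; the isc_nm_listenhttp() hunk has the same pattern (`INSIST(ctx != NULL)`). isc_nm_listenhttp() validates its arguments with REQUIRE(VALID_NM(mgr)) before doing any work, so the contract belongs with those checks at the top of each function, e.g. `REQUIRE(proxy_type != ISC_NM_PROXY_ENCRYPTED || tlsctx != NULL);` here and `REQUIRE(proxy_type != ISC_NM_PROXY_ENCRYPTED || ctx != NULL);` in the listener, before any state is created; the top of isc_nm_httpconnect() is outside the hunk, so I cannot confirm where its REQUIREs sit. The switch would also benefit from a one-line comment per arm naming which layer speaks the PROXY protocol, since the ISC_NM_PROXY_PLAIN arm delegates it to isc_nm_tlsconnect() via its `true` flag when a context is present and to isc_nm_proxystreamconnect() otherwise, and `proxy_info` is deliberately dropped in the ISC_NM_PROXY_NONE arm.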
@@ -2495,18 +2517,37 @@ isc_nm_listenhttp(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface, atomic_store(&eps->in_use, true); http_init_listener_endpoints(sock, eps); - if (ctx != NULL) { - result = isc_nm_listentls(mgr, workers, iface, - httplisten_acceptcb, sock, backlog, - quota, ctx, proxy, &sock->outer); - } else if (proxy) { - result = isc_nm_listenproxystream(mgr, workers, iface, + switch (proxy_type) { + case ISC_NM_PROXY_NONE: + if (ctx != NULL) { + result = isc_nm_listentls( + mgr, workers, iface, httplisten_acceptcb, sock, + backlog, quota, ctx, false, &sock->outer); + } else { + result = isc_nm_listentcp(mgr, workers, iface, httplisten_acceptcb, sock, backlog, quota, &sock->outer); - } else { - result = isc_nm_listentcp(mgr, workers, iface, - httplisten_acceptcb, sock, backlog, - quota, &sock->outer); + } + break; + case ISC_NM_PROXY_PLAIN: + if (ctx != NULL) { + result = isc_nm_listentls( + mgr, workers, iface, httplisten_acceptcb, sock, + backlog, quota, ctx, true, &sock->outer); + } else { + result = isc_nm_listenproxystream( + mgr, workers, iface, httplisten_acceptcb, sock, + backlog, quota, NULL, &sock->outer); + } + break; + case ISC_NM_PROXY_ENCRYPTED: + INSIST(ctx != NULL); + result = isc_nm_listenproxystream( + mgr, workers, iface, httplisten_acceptcb, sock, backlog, + quota, ctx, &sock->outer); + break; + default: + UNREACHABLE(); } if (result != ISC_R_SUCCESS) { @@ -2880,7 +2921,7 @@ isc__nm_http_has_encryption(const isc_nmhandle_t *handle) { INSIST(VALID_HTTP2_SESSION(session)); - return (isc_nm_socket_type(session->handle) == isc_nm_tlssocket); + return (isc_nm_has_encryption(session->handle)); } const char * diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c index 1e38498bbd4..39c4bca9f19 100644 --- a/lib/ns/interfacemgr.c +++ b/lib/ns/interfacemgr.c 
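Review bot: With ISC_NM_PROXY_PLAIN or ISC_NM_PROXY_ENCRYPTED the listener created in this switch accepts a PROXY header, and therefore the client address the rest of the server will act on, from whichever peer connects to the socket; nothing in this hunk limits that to trusted proxies, so presumably that restriction is the caller's responsibility and is enforced elsewhere. Since a forged client address affects anything keyed on the peer address, that responsibility should be stated at the switch: `/* PROXY modes trust the peer's PROXY header for the client address; callers must ensure only trusted proxies can reach this listener. */`. The `result = ISC_R_FAILURE` initialisation in the preceding hunk is a good addition, as the `default: UNREACHABLE();` arm would otherwise leave `result` unset on the `if (result != ISC_R_SUCCESS)` path. The end of isc_nm_listenhttp() is outside the hunk.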
@@ -585,7 +585,7 @@ ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps, result = isc_nm_listenhttp( ifp->mgr->nm, ISC_NM_LISTEN_ALL, &ifp->addr, ifp->mgr->backlog, quota, sslctx, epset, - max_concurrent_streams, false, &sock); + max_concurrent_streams, ISC_NM_PROXY_NONE, &sock); } isc_nm_http_endpoints_detach(&epset);