Be less strict regarding "tls" statements in the configuration file

In the 9.17.19 release "tls" statements verification code was
added. The code was too strict and assumed that every such a statement
should have both "cert-file" and "key-file" specified. This turned out
to be a regression, as in some cases we plan to use the "tls"
statement to specify TLS connection parameters.

This commit fixes this behaviour; now a "tls" statement should either
have both "cert-file" and "key-file" specified, or both should be
omitted.

diff --git a/CHANGES b/CHANGES
index fa17ff35cd4d71442388509849944907c33a7e9a..e2e7dff829c472dd51763c1d0b3bccc34aff3e4c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5754.  [bug]           "tls" statements may omit "key-file" and "cert-file",
+                       but if either one is specified, then both must be.
+                       [GL #2986]
+
 5753.  [placeholder]
 
 5752.  [bug]           Fix an assertion failure caused by missing member zones

diff --git a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
new file mode 100644 (file)
index 0000000..9814074
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# In some cases a "tls" statement may omit key-file and cert-file.
+tls local-tls {
+    protocols {TLSv1.2;};
+    hostname "fqdn.example.com";
+};

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 85e3884df3ff3281027a3d12ab8bcd3fc156cb7b..d127b6efa594d142a0a7e93f7877d0234ee0b495 100644 (file)
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2165,15 +2165,15 @@ bind9_check_tls_defintion(const cfg_obj_t *tlsobj, const char *name,
                }
        }
 
-       if (cfg_map_get(tlsobj, "key-file", &tls_key) != ISC_R_SUCCESS) {
-               cfg_obj_log(tlsobj, logctx, ISC_LOG_ERROR,
-                           "'key-file' is required in tls clause '%s'", name);
-               result = ISC_R_FAILURE;
-       }
-
-       if (cfg_map_get(tlsobj, "cert-file", &tls_cert) != ISC_R_SUCCESS) {
+       (void)cfg_map_get(tlsobj, "key-file", &tls_key);
+       (void)cfg_map_get(tlsobj, "cert-file", &tls_cert);
+       if ((tls_key == NULL && tls_cert != NULL) ||
+           (tls_cert == NULL && tls_key != NULL))
+       {
                cfg_obj_log(tlsobj, logctx, ISC_LOG_ERROR,
-                           "'cert-file' is required in tls clause '%s'", name);
+                           "tls '%s': 'cert-file' and 'key-file' must "
+                           "both be specified, or both omitted",
+                           name);
                result = ISC_R_FAILURE;
        }