config/network: add whitelist into network schema
authorFrantisek Tobias <frantisek.tobias@nic.cz>
Mon, 10 Feb 2025 12:05:37 +0000 (13:05 +0100)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Mon, 7 Jul 2025 14:15:18 +0000 (16:15 +0200)
daemon/bindings/net.c
doc/_static/config.schema.json
python/knot_resolver/datamodel/network_schema.py
python/knot_resolver/datamodel/templates/network.lua.j2

index 55e9a91424d9397c6f64017bc2575291bfe661d5..9d2c52c90521cdb94d8e6be5e072a7c7cf444664 100644 (file)
@@ -9,6 +9,7 @@
 #include "daemon/network.h"
 #include "daemon/tls.h"
 #include "lib/utils.h"
+#include "lua.h"
 
 #include <stdlib.h>
 
@@ -530,6 +531,19 @@ static int net_pipeline(lua_State *L)
        return 1;
 }
 
+#include "lib/resolve.h"
+static int net_tls_whitelist(lua_State *L)
+{
+       if (!the_network || !the_network->tls_credentials)
+               return 1;
+
+       int r = kr_init_whitelist(lua_tostring(L, 1));
+       lua_error_maybe(L, r);
+
+       lua_pushboolean(L, true);
+       return 1;
+}
+
 static int net_tls(lua_State *L)
 {
        if (kr_fails_assert(the_network)) {
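Review bot: The early `return 1` in net_tls_whitelist (the `!the_network || !the_network->tls_credentials` branch) returns one value without pushing anything, so the Lua caller gets whatever is on top of the stack — the path argument itself — instead of an error or `false`, and a whitelist configured before `net.tls()` is silently ignored. Since the function already raises via `lua_error_maybe` on other failures it should fail loudly here too, e.g. replace the branch body with `lua_error_p(L, "net.tls_whitelist() requires net.tls() to be configured first");` if that helper is available in this file, or at minimum `lua_pushboolean(L, false); return 1;`. `lua_tostring(L, 1)` also yields NULL when the argument is missing or not a string, which is then passed straight to `kr_init_whitelist()`; `int r = kr_init_whitelist(luaL_checkstring(L, 1));` rejects that with a proper Lua error instead. The `#include "lib/resolve.h"` placed in the middle of the file presumably exists only for `kr_init_whitelist`; it belongs with the other includes at the top (the hunk at line 9 already touches that block).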
@@ -1232,6 +1246,7 @@ int kr_bindings_net(lua_State *L)
                { "tls_padding",  net_tls_padding },
                { "tls_sticket_secret", net_tls_sticket_secret_string },
                { "tls_sticket_secret_file", net_tls_sticket_secret_file },
+               { "tls_whitelist", net_tls_whitelist },
                { "outgoing_v4",  net_outgoing_v4 },
                { "outgoing_v6",  net_outgoing_v6 },
                { "tcp_in_idle",  net_tcp_in_idle },
index f2f8adb7df7b63761f4fb089c073bbc7842bf362..1c4fc9f94e05d3d5935732e5952686cf28a765a5 100644 (file)
                             ],
                             "description": "EDNS(0) padding of queries and answers sent over an encrypted channel.",
                             "default": true
+                        },
+                        "whitelist": {
+                            "type": [
+                                "string",
+                                "null"
+                            ],
+                            "description": "Path to certificate authority whitelist file",
+                            "default": null
                         }
                     },
                     "default": {
                         "sticket_secret": null,
                         "sticket_secret_file": null,
                         "auto_discovery": false,
-                        "padding": true
+                        "padding": true,
+                        "whitelist": null
                     }
                 },
                 "proxy-protocol": {
                     "sticket_secret": null,
                     "sticket_secret_file": null,
                     "auto_discovery": false,
-                    "padding": true
+                    "padding": true,
+                    "whitelist": null
                 },
                 "proxy_protocol": false,
                 "listen": [
index e2753a852e35ea939daa49ad17e6172bd7607be7..7810d33d65e6c8b9abecf483ee3d95075013213b 100644 (file)
@@ -61,6 +61,7 @@ class TLSSchema(ConfigSchema):
         sticket_secret_file: Path to file with secret for TLS session resumption via tickets. (RFC 5077).
         auto_discovery: Experimental automatic discovery of authoritative servers supporting DNS-over-TLS.
         padding: EDNS(0) padding of queries and answers sent over an encrypted channel.
+        whitelist: Path to certificate authority whitelist file
         """
 
         files_watchdog: Union[Literal["auto"], bool] = "auto"
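Review bot: The new `whitelist:` docstring entry is too terse for a user-facing option: "Path to certificate authority whitelist file" does not say what the file contains or which TLS connections the whitelist constrains (the name alone does not tell whether it limits the CAs accepted for incoming client certificates, for outgoing DoT, or both), and unlike its siblings it lacks a terminating period. It should spell out the file format and the direction it applies to, in one or two sentences matching what `kr_init_whitelist` actually enforces; the same string is copied into the generated JSON schema, so fixing it here fixes both. The enclosing Raw class of TLSSchema continues outside the hunk.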
@@ -70,6 +71,7 @@ class TLSSchema(ConfigSchema):
         sticket_secret_file: Optional[ReadableFile] = None
         auto_discovery: bool = False
         padding: Union[bool, Int0_512] = True
+        whitelist: Optional[ReadableFile] = None
 
     _LAYER = Raw
 
@@ -80,6 +82,7 @@ class TLSSchema(ConfigSchema):
     sticket_secret_file: Optional[ReadableFile] = None
     auto_discovery: bool = False
     padding: Union[bool, Int0_512] = True
+    whitelist: Optional[ReadableFile] = None
 
     def _files_watchdog(self, obj: Raw) -> Any:
         if obj.files_watchdog == "auto":
index cfc152cd3837bf1c32d51ebac91fa401762feec1..c20648149cd3c41e7ee7b36b9d28afb2e180af1b 100644 (file)
@@ -36,6 +36,11 @@ net.bufsize(
 net.tls('{{ cfg.network.tls.cert_file  }}', '{{ cfg.network.tls.key_file }}')
 {% endif %}
 
+{% if cfg.network.tls.whitelist %}
+-- network.tls_whitelist
+net.tls_whitelist('{{ cfg.network.tls.whitelist }}')
+{% endif %}
+
 {% if cfg.network.tls.sticket_secret %}
 -- network.tls.sticket-secret
 net.tls_sticket_secret('{{ cfg.network.tls.sticket_secret }}')
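Review bot: The new `net.tls_whitelist(...)` block is emitted whenever `cfg.network.tls.whitelist` is set, independently of the `{% if %}` that guards the `net.tls(...)` call just above (that guard's condition opens before the hunk). If the whitelist is set while no TLS cert/key are configured, the generated Lua calls `net.tls_whitelist` with no TLS credentials loaded, which the C binding added in this commit does not treat as an error, so the option would be silently inoperative. Either nest the new block inside the same condition as `net.tls`, or reject the combination at validation time with a check on TLSSchema such as `if obj.whitelist and not (obj.cert_file and obj.key_file): raise ValueError("network.tls.whitelist requires cert_file and key_file")`, alongside the existing `_files_watchdog` hook. As with the neighbouring `net.tls(...)` and `net.tls_sticket_secret(...)` lines, the path is interpolated into a single-quoted Lua literal without escaping, so a path containing `'` would break the generated config; that is pre-existing, but a shared escaping filter would close it for all four.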