Also streamlined log messages in unbound plugin.
.TP
.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
.SS libtnccs section
.TP
.BR libtnccs.tnc_config " [/etc/tnc_config]"
INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+
if MONOLITHIC
noinst_LTLIBRARIES = libstrongswan-unbound.la
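Review bot: The `-DIPSEC_CONFDIR=\"${sysconfdir}\"` added to AM_CFLAGS is a preprocessor define, and by automake convention those go in AM_CPPFLAGS next to the `-I` paths, leaving AM_CFLAGS for compiler-only options such as `-rdynamic`. The `INCLUDES` line just above is the pre-1.10 spelling of AM_CPPFLAGS, so the two can be merged: `AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan -DIPSEC_CONFDIR=\"${sysconfdir}\"` with `AM_CFLAGS = -rdynamic` kept as it was. Whether other plugin Makefiles in the tree already follow this split is not visible here.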
#include "unbound_resolver.h"
#include "unbound_response.h"
+/* DNS resolver configuration and DNSSEC trust anchors */
+#define RESOLV_CONF_FILE "/etc/resolv.conf"
+#define TRUST_ANCHOR_FILE IPSEC_CONFDIR "/ipsec.d/dnssec.keys"
+
typedef struct private_resolver_t private_resolver_t;
/**
response = unbound_response_create_frm_libub_response(result);
if (!response)
{
- DBG1(DBG_LIB, "unbound_resolver: Could not create response.");
+ DBG1(DBG_LIB, "unbound resolver failed to create response");
ub_resolve_free(result);
return NULL;
}
ub_resolve_free(result);
+
return (resolver_response_t*)response;
}
/*
* Described in header.
*/
-resolver_t *unbound_resolver_create(char *resolv_conf, char *ta_file)
+resolver_t *unbound_resolver_create(void)
{
private_resolver_t *this;
int ub_retval = 0;
+ char *resolv_conf_file;
+ char *trust_anchor_file;
+
+ resolv_conf_file = lib->settings->get_str(lib->settings,
+ "libstrongswan.plugins.unbound.resolv_conf",
+ RESOLV_CONF_FILE);
+
+ trust_anchor_file = lib->settings->get_str(lib->settings,
+ "libstrongswan.plugins.unbound.trust_anchors",
+ TRUST_ANCHOR_FILE);
INIT(this,
.public = {
},
);
- DBG1(DBG_LIB, "creating an unbound_resolver instance");
-
this->ctx = ub_ctx_create();
if (!this->ctx)
{
- DBG1(DBG_LIB, "failed to create an unbound resolver context");
- _destroy(this);
+ DBG1(DBG_LIB, "failed to create unbound resolver context");
+ destroy(this);
return NULL;
}
- ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf);
+ DBG1(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf_file);
+ ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf_file);
if (ub_retval)
{
- DBG1(DBG_LIB, "failed to read the resolver configuration file. "
- "Unbound error: %s. errno says: %s", ub_strerror(ub_retval),
- strerror(errno));
- _destroy(this);
+ DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)",
+ ub_strerror(ub_retval), strerror(errno));
+ destroy(this);
return NULL;
}
- ub_retval = ub_ctx_add_ta_file(this->ctx, ta_file);
+ DBG1(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchor_file);
+ ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchor_file);
if (ub_retval)
{
- DBG1(DBG_LIB, "failed to load trusted anchors from file %s. "
- "Unbound error: %s. errno says: %s",
- ta_file, ub_strerror(ub_retval), strerror(errno));
+ DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)",
+ ub_strerror(ub_retval), strerror(errno));
}
- DBG1(DBG_LIB, "unbound resolver instance created");
return &this->public;
}
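Review bot: A failing ub_ctx_add_ta_file() in the second if-block is only logged and the resolver is still returned, whereas a failing ub_ctx_resolvconf() a few lines above is fatal; a missing, unreadable or malformed trust anchor file therefore yields an instance that can never validate anything, with every answer presumably coming back insecure. Unless every caller checks the security state of each response (not visible here), this branch should fail the same way, `destroy(this); return NULL;` after its DBG1, or the message should say outright that DNSSEC validation is disabled, e.g. `"failed to load trust anchors, DNSSEC validation unavailable: %s (%s)"`. The default path for that file now comes from IPSEC_CONFDIR rather than a fixed /etc location, which makes a silently empty anchor set more likely on a packaged install than before.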
/**
* Create a resolver_t instance.
*/
-resolver_t *unbound_resolver_create(char *resolv_conf, char *ta_file);
+resolver_t *unbound_resolver_create(void);
#endif /** LIBunbound_RESOLVER_H_ @}*/
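Review bot: With both parameters gone, the comment on unbound_resolver_create() no longer tells a reader of the header where the resolver configuration comes from, and it has no return documentation. Suggest expanding it to `Create a resolver_t instance. Paths of the resolver configuration and the DNSSEC trust anchor file are read from the libstrongswan.plugins.unbound.resolv_conf and libstrongswan.plugins.unbound.trust_anchors settings.` and adding `@return resolver instance, NULL on failure` — NULL being what the implementation in unbound_resolver.c returns when the context cannot be created or the resolver configuration cannot be read.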
if (status != LDNS_STATUS_OK)
{
- DBG1(DBG_LIB, "failed to create an unbound_response. "
- "Parsing of DNS packet failed.");
- _destroy(this);
+ DBG1(DBG_LIB, "failed to parse DNS packet");
+ destroy(this);
return NULL;
}
}
else
{
- DBG1(DBG_LIB, "unbound_response: RR creation failed.");
+ DBG1(DBG_LIB, "failed to create RR");
}
}
orig_rdf = ldns_rr_rrsig_typecovered(orig_rr);
if (!orig_rdf)
{
- DBG1(DBG_LIB, "failed to get the type which is covered by "
- "a RRSIG");
+ DBG1(DBG_LIB, "failed to get the type covered by an RRSIG");
}
else if (ldns_rdf2native_int16(orig_rdf) == libub_response->qtype)
{
}
else
{
- DBG1(DBG_LIB, "unbound_response: RRSIG creation "
- "failed.");
+ DBG1(DBG_LIB, "failed to create RRSIG");
}
}
else
{
- DBG1(DBG_LIB, "Warning: Could not determine the type of "
- "Resource Records which is covered "
- "by a RRSIG RR");
+ DBG1(DBG_LIB, "failed to determine the RR type "
+ "covered by RRSIG RR");
}
}
}
typedef struct resolver_t resolver_t;
/**
- * Constructor function which creates resolver instances.
- *
- * Creates a new DNS resolver with settings from the file resolv_conf and
- * keys from the file ta_file as DNSSEC trust anchor.
- *
- * @param resolv_conf path to the file resolv.conf
- * @param ta_file path to a file with the DNSSEC trust anchors
- * @return resolver instance
+ * Constructor function which creates DNS resolver instances.
*/
-typedef resolver_t* (*resolver_constructor_t)(char *resolv_conf, char *ta_file);
+typedef resolver_t* (*resolver_constructor_t)(void);
#include <resolver/resolver_response.h>
#include <resolver/rr_set.h>
METHOD(resolver_manager_t, create, resolver_t*,
private_resolver_manager_t *this)
{
- char *resolv_conf;
- char *trust_anchor_file;
-
- resolv_conf = lib->settings->get_str(lib->settings,
- "libstrongswan.plugins.resolver."
- "resolv_conf",
- "/etc/resolv.conf");
-
- trust_anchor_file = lib->settings->get_str(lib->settings,
- "libstrongswan.plugins.resolver."
- "trust_anchor",
- "/etc/trust.anchors");
-
- return this->constructor(resolv_conf, trust_anchor_file);
+ return this->constructor();
}
METHOD(resolver_manager_t, destroy, void,
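Review bot: Removing the reads of `libstrongswan.plugins.resolver.resolv_conf` and `libstrongswan.plugins.resolver.trust_anchor` from create() means an existing strongswan.conf that sets them is silently ignored, and the resolver falls back to the plugin's compiled-in defaults, where the trust anchor default also moves from the /etc/trust.anchors seen on the removed lines to a path under the configuration directory. The replacement keys live under a different section and the anchor key is renamed from `trust_anchor` to `trust_anchors`, so a migrated config with the old spelling would lose its anchors without any log line pointing at the cause. Suggest emitting a DBG1(DBG_CFG) warning here when either old key is still present, e.g. `if (lib->settings->get_str(lib->settings, "libstrongswan.plugins.resolver.trust_anchor", NULL))` followed by a message naming the new key, and mentioning the rename in the NEWS or changelog entry for this commit.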