Moved configuration from resolver manager to unbound plugin
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 15 Feb 2013 14:12:29 +0000 (15:12 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Feb 2013 11:25:00 +0000 (12:25 +0100)
Also streamlined log messages in unbound plugin.

man/strongswan.conf.5.in
src/libstrongswan/plugins/unbound/Makefile.am
src/libstrongswan/plugins/unbound/unbound_resolver.c
src/libstrongswan/plugins/unbound/unbound_resolver.h
src/libstrongswan/plugins/unbound/unbound_response.c
src/libstrongswan/resolver/resolver.h
src/libstrongswan/resolver/resolver_manager.c

index b3902e2..3d80d76 100644 (file)
@@ -779,6 +779,12 @@ File to read random bytes from, instead of @DEV_RANDOM@
 .TP
 .BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
 File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
index 9ee51d9..efb3134 100644 (file)
@@ -1,7 +1,8 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-unbound.la
index 8c6a7d1..44a2c76 100644 (file)
 #include "unbound_resolver.h"
 #include "unbound_response.h"
 
+/* DNS resolver configuration and DNSSEC trust anchors */
+#define RESOLV_CONF_FILE       "/etc/resolv.conf"
+#define TRUST_ANCHOR_FILE      IPSEC_CONFDIR "/ipsec.d/dnssec.keys"
+
 typedef struct private_resolver_t private_resolver_t;
 
 /**
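Review bot: The default trust-anchor path on the `TRUST_ANCHOR_FILE` line is built from `IPSEC_CONFDIR` (i.e. the configured sysconfdir), whereas the man page hunk in this commit documents the default literally as `/etc/ipsec.d/dnssec.keys`; the two diverge for any build with a non-`/etc` sysconfdir. Either express the man-page default with a configure substitution like the neighbouring `@DEV_RANDOM@` entries, or add a note at the define so the next editor keeps them in sync: `/* default is relative to the configured sysconfdir; keep man/strongswan.conf.5.in in step */`. `RESOLV_CONF_FILE` is correctly left absolute, since it names the system resolver file rather than a strongSwan one.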
@@ -64,11 +68,12 @@ METHOD(resolver_t, query, resolver_response_t*,
        response = unbound_response_create_frm_libub_response(result);
        if (!response)
        {
-               DBG1(DBG_LIB, "unbound_resolver: Could not create response.");
+               DBG1(DBG_LIB, "unbound resolver failed to create response");
                ub_resolve_free(result);
                return NULL;
        }
        ub_resolve_free(result);
+
        return (resolver_response_t*)response;
 }
 
@@ -85,10 +90,20 @@ METHOD(resolver_t, destroy, void,
 /*
  * Described in header.
  */
-resolver_t *unbound_resolver_create(char *resolv_conf, char *ta_file)
+resolver_t *unbound_resolver_create(void)
 {
        private_resolver_t *this;
        int ub_retval = 0;
+       char *resolv_conf_file;
+       char *trust_anchor_file;
+
+       resolv_conf_file = lib->settings->get_str(lib->settings,
+                                               "libstrongswan.plugins.unbound.resolv_conf",
+                                               RESOLV_CONF_FILE);
+
+       trust_anchor_file = lib->settings->get_str(lib->settings,
+                                               "libstrongswan.plugins.unbound.trust_anchors",
+                                               TRUST_ANCHOR_FILE);
 
        INIT(this,
                .public = {
@@ -97,35 +112,32 @@ resolver_t *unbound_resolver_create(char *resolv_conf, char *ta_file)
                },
        );
 
-       DBG1(DBG_LIB, "creating an unbound_resolver instance");
-
        this->ctx = ub_ctx_create();
        if (!this->ctx)
        {
-               DBG1(DBG_LIB, "failed to create an unbound resolver context");
-               _destroy(this);
+               DBG1(DBG_LIB, "failed to create unbound resolver context");
+               destroy(this);
                return NULL;
        }
 
-       ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf);
+       DBG1(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf_file);
+       ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf_file);
        if (ub_retval)
        {
-               DBG1(DBG_LIB, "failed to read the resolver configuration file. "
-                        "Unbound error: %s. errno says: %s", ub_strerror(ub_retval),
-                        strerror(errno));
-               _destroy(this);
+               DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)",
+                                          ub_strerror(ub_retval), strerror(errno));
+               destroy(this);
                return NULL;
        }
 
-       ub_retval = ub_ctx_add_ta_file(this->ctx, ta_file);
+       DBG1(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchor_file);
+       ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchor_file);
        if (ub_retval)
        {
-               DBG1(DBG_LIB, "failed to load trusted anchors from file %s. "
-                               "Unbound error: %s. errno says: %s",
-                               ta_file, ub_strerror(ub_retval), strerror(errno));
+               DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)",
+                                          ub_strerror(ub_retval), strerror(errno));
        }
 
-       DBG1(DBG_LIB, "unbound resolver instance created");
        return &this->public;
 }
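Review bot: A failure of `ub_ctx_add_ta_file()` is only logged and the resolver is still returned, so a missing or unreadable `dnssec.keys` yields a context with no DNSSEC trust anchors that can never report a SECURE answer — a silent downgrade that is easy to miss in the log. The pre-existing code behaved the same way, but since the constructor was reworked here it would be the place to either fail hard, mirroring the resolv.conf branch with `destroy(this); return NULL;` inside that `if`, or at least make the log explicit, e.g. `DBG1(DBG_CFG, "failed to load trust anchors: %s (%s), DNSSEC validation disabled", ...)`. Separately, `strerror(errno)` in both error messages is only meaningful when libunbound failed on a file operation; for a parse error it will print an unrelated or stale errno, so consider printing it only when `ub_retval` indicates a read error or dropping it. Note also that `destroy(this)` is called after `ub_ctx_create()` failed with `this->ctx` still NULL; that is safe only if `destroy` (whose body lies outside this hunk) tolerates a NULL context, which libunbound's `ub_ctx_delete()` is documented to do but is worth confirming.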
 
index 17ac601..818a717 100644 (file)
@@ -24,6 +24,6 @@
 /**
  * Create a resolver_t instance.
  */
-resolver_t *unbound_resolver_create(char *resolv_conf, char *ta_file);
+resolver_t *unbound_resolver_create(void);
 
 #endif /** LIBunbound_RESOLVER_H_ @}*/
index 6359261..6f6c25e 100644 (file)
@@ -179,9 +179,8 @@ unbound_response_t *unbound_response_create_frm_libub_response(
 
                if (status != LDNS_STATUS_OK)
                {
-                       DBG1(DBG_LIB, "failed to create an unbound_response. "
-                                                 "Parsing of DNS packet failed.");
-                       _destroy(this);
+                       DBG1(DBG_LIB, "failed to parse DNS packet");
+                       destroy(this);
                        return NULL;
                }
 
@@ -210,7 +209,7 @@ unbound_response_t *unbound_response_create_frm_libub_response(
                                }
                                else
                                {
-                                       DBG1(DBG_LIB, "unbound_response: RR creation failed.");
+                                       DBG1(DBG_LIB, "failed to create RR");
                                }
                        }
 
@@ -219,8 +218,7 @@ unbound_response_t *unbound_response_create_frm_libub_response(
                                orig_rdf = ldns_rr_rrsig_typecovered(orig_rr);
                                if (!orig_rdf)
                                {
-                                       DBG1(DBG_LIB, "failed to get the type which is covered by "
-                                                                 "a RRSIG");
+                                       DBG1(DBG_LIB, "failed to get the type covered by an RRSIG");
                                }
                                else if (ldns_rdf2native_int16(orig_rdf) == libub_response->qtype)
                                {
@@ -239,15 +237,13 @@ unbound_response_t *unbound_response_create_frm_libub_response(
                                        }
                                        else
                                        {
-                                               DBG1(DBG_LIB, "unbound_response: RRSIG creation "
-                                                                         "failed.");
+                                               DBG1(DBG_LIB, "failed to create RRSIG");
                                        }
                                }
                                else
                                {
-                                       DBG1(DBG_LIB, "Warning: Could not determine the type of "
-                                                                 "Resource Records which is covered "
-                                                                 "by a RRSIG RR");
+                                       DBG1(DBG_LIB, "failed to determine the RR type "
+                                                                 "covered by RRSIG RR");
                                }
                        }
                }
index 5cc81bb..5be52b8 100644 (file)
 typedef struct resolver_t resolver_t;
 
 /**
- * Constructor function which creates resolver instances.
- *
- * Creates a new DNS resolver with settings from the file resolv_conf and
- * keys from the file ta_file as DNSSEC trust anchor.
- *
- * @param resolv_conf  path to the file resolv.conf
- * @param ta_file              path to a file with the DNSSEC trust anchors
- * @return                             resolver instance
+ * Constructor function which creates DNS resolver instances.
  */
-typedef resolver_t* (*resolver_constructor_t)(char *resolv_conf, char *ta_file);
+typedef resolver_t* (*resolver_constructor_t)(void);
 
 #include <resolver/resolver_response.h>
 #include <resolver/rr_set.h>
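Review bot: The shortened doc comment on `resolver_constructor_t` no longer says where a resolver gets its configuration now that the `resolv_conf` and `ta_file` parameters are gone, which was the only hint a plugin author had about the contract. A single added line keeps that information at the interface, e.g. ` * Implementations obtain their own settings (e.g. resolver config file and DNSSEC trust anchors) from lib->settings.` and, since callers must handle it, ` * @return resolver instance, or NULL on failure`.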
index 6486909..8effe46 100644 (file)
@@ -56,20 +56,7 @@ METHOD(resolver_manager_t, remove_resolver, void,
 METHOD(resolver_manager_t, create, resolver_t*,
        private_resolver_manager_t *this)
 {
-       char *resolv_conf;
-       char *trust_anchor_file;
-
-       resolv_conf = lib->settings->get_str(lib->settings,
-                                                                                "libstrongswan.plugins.resolver."
-                                                                                "resolv_conf",
-                                                                                "/etc/resolv.conf");
-
-       trust_anchor_file = lib->settings->get_str(lib->settings,
-                                                                                          "libstrongswan.plugins.resolver."
-                                                                                          "trust_anchor",
-                                                                                          "/etc/trust.anchors");
-
-       return this->constructor(resolv_conf, trust_anchor_file);
+       return this->constructor();
 }
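Review bot: `create` now calls `this->constructor()` unconditionally; if no resolver plugin has registered a constructor, or `remove_resolver` (only its tail is visible in the hunk header) clears the pointer, this dereferences NULL. The old body had the same exposure, but with the settings lookup gone the method is small enough to guard cheaply: `if (this->constructor) { return this->constructor(); } return NULL;`. Callers already have to handle a NULL resolver because the unbound constructor returns NULL on context or resolv.conf failure.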
 
 METHOD(resolver_manager_t, destroy, void,