Moved configuration from resolver manager to unbound plugin

Also streamlined log messages in unbound plugin.

man/strongswan.conf.5.in

@@ -779,6 +779,12 @@ File to read random bytes from, instead of @DEV_RANDOM@
 .TP
 .BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
 File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"

src/libstrongswan/plugins/unbound/Makefile.am

@@ -1,7 +1,8 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-unbound.la

src/libstrongswan/plugins/unbound/unbound_resolver.c

@@ -24,6 +24,10 @@
 #include "unbound_resolver.h"
 #include "unbound_response.h"
 
+/* DNS resolver configuration and DNSSEC trust anchors */
+#define RESOLV_CONF_FILE	"/etc/resolv.conf"
+#define TRUST_ANCHOR_FILE	IPSEC_CONFDIR "/ipsec.d/dnssec.keys"
+
 typedef struct private_resolver_t private_resolver_t;
 
 /**
@@ -64,11 +68,12 @@ METHOD(resolver_t, query, resolver_response_t*,
 	response = unbound_response_create_frm_libub_response(result);
 	if (!response)
 	{
-		DBG1(DBG_LIB, "unbound_resolver: Could not create response.");
+		DBG1(DBG_LIB, "unbound resolver failed to create response");
 		ub_resolve_free(result);
 		return NULL;
 	}
 	ub_resolve_free(result);
+
 	return (resolver_response_t*)response;
 }
 
@@ -85,10 +90,20 @@ METHOD(resolver_t, destroy, void,
 /*
  * Described in header.
  */
-resolver_t *unbound_resolver_create(char *resolv_conf, char *ta_file)
+resolver_t *unbound_resolver_create(void)
 {
 	private_resolver_t *this;
 	int ub_retval = 0;
+	char *resolv_conf_file;
+	char *trust_anchor_file;
+
+	resolv_conf_file = lib->settings->get_str(lib->settings,
+						"libstrongswan.plugins.unbound.resolv_conf",
+						RESOLV_CONF_FILE);
+
+	trust_anchor_file = lib->settings->get_str(lib->settings,
+						"libstrongswan.plugins.unbound.trust_anchors",
+						TRUST_ANCHOR_FILE);
 
 	INIT(this,
 		.public = {
@@ -97,35 +112,32 @@ resolver_t *unbound_resolver_create(char *resolv_conf, char *ta_file)
 		},
 	);
 
-	DBG1(DBG_LIB, "creating an unbound_resolver instance");
-
 	this->ctx = ub_ctx_create();
 	if (!this->ctx)
 	{
-		DBG1(DBG_LIB, "failed to create an unbound resolver context");
+		DBG1(DBG_LIB, "failed to create unbound resolver context");
-		_destroy(this);
+		destroy(this);
 		return NULL;
 	}
 
-	ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf);
+	DBG1(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf_file);
+	ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf_file);
 	if (ub_retval)
 	{
-		DBG1(DBG_LIB, "failed to read the resolver configuration file. "
+		DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)",
-			 "Unbound error: %s. errno says: %s", ub_strerror(ub_retval),
+					   ub_strerror(ub_retval), strerror(errno));
-			 strerror(errno));
+		destroy(this);
-		_destroy(this);
 		return NULL;
 	}
 
-	ub_retval = ub_ctx_add_ta_file(this->ctx, ta_file);
+	DBG1(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchor_file);
+	ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchor_file);
 	if (ub_retval)
 	{
-		DBG1(DBG_LIB, "failed to load trusted anchors from file %s. "
+		DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)",
-				"Unbound error: %s. errno says: %s",
+					   ub_strerror(ub_retval), strerror(errno));
-				ta_file, ub_strerror(ub_retval), strerror(errno));
 	}
 
-	DBG1(DBG_LIB, "unbound resolver instance created");
 	return &this->public;
 }
 

src/libstrongswan/plugins/unbound/unbound_resolver.h

@@ -24,6 +24,6 @@
 /**
  * Create a resolver_t instance.
  */
-resolver_t *unbound_resolver_create(char *resolv_conf, char *ta_file);
+resolver_t *unbound_resolver_create(void);
 
 #endif /** LIBunbound_RESOLVER_H_ @}*/

src/libstrongswan/plugins/unbound/unbound_response.c

@@ -179,9 +179,8 @@ unbound_response_t *unbound_response_create_frm_libub_response(
 
 		if (status != LDNS_STATUS_OK)
 		{
-			DBG1(DBG_LIB, "failed to create an unbound_response. "
+			DBG1(DBG_LIB, "failed to parse DNS packet");
-						  "Parsing of DNS packet failed.");
+			destroy(this);
-			_destroy(this);
 			return NULL;
 		}
 
@@ -210,7 +209,7 @@ unbound_response_t *unbound_response_create_frm_libub_response(
 				}
 				else
 				{
-					DBG1(DBG_LIB, "unbound_response: RR creation failed.");
+					DBG1(DBG_LIB, "failed to create RR");
 				}
 			}
 
@@ -219,8 +218,7 @@ unbound_response_t *unbound_response_create_frm_libub_response(
 				orig_rdf = ldns_rr_rrsig_typecovered(orig_rr);
 				if (!orig_rdf)
 				{
-					DBG1(DBG_LIB, "failed to get the type which is covered by "
+					DBG1(DBG_LIB, "failed to get the type covered by an RRSIG");
-								  "a RRSIG");
 				}
 				else if (ldns_rdf2native_int16(orig_rdf) == libub_response->qtype)
 				{
@@ -239,15 +237,13 @@ unbound_response_t *unbound_response_create_frm_libub_response(
 					}
 					else
 					{
-						DBG1(DBG_LIB, "unbound_response: RRSIG creation "
+						DBG1(DBG_LIB, "failed to create RRSIG");
-									  "failed.");
 					}
 				}
 				else
 				{
-					DBG1(DBG_LIB, "Warning: Could not determine the type of "
+					DBG1(DBG_LIB, "failed to determine the RR type "
-								  "Resource Records which is covered "
+								  "covered by RRSIG RR");
-								  "by a RRSIG RR");
 				}
 			}
 		}

src/libstrongswan/resolver/resolver.h

@@ -24,16 +24,9 @@
 typedef struct resolver_t resolver_t;
 
 /**
- * Constructor function which creates resolver instances.
+ * Constructor function which creates DNS resolver instances.
- *
- * Creates a new DNS resolver with settings from the file resolv_conf and
- * keys from the file ta_file as DNSSEC trust anchor.
- *
- * @param resolv_conf	path to the file resolv.conf
- * @param ta_file		path to a file with the DNSSEC trust anchors
- * @return				resolver instance
  */
-typedef resolver_t* (*resolver_constructor_t)(char *resolv_conf, char *ta_file);
+typedef resolver_t* (*resolver_constructor_t)(void);
 
 #include <resolver/resolver_response.h>
 #include <resolver/rr_set.h>

src/libstrongswan/resolver/resolver_manager.c

@@ -56,20 +56,7 @@ METHOD(resolver_manager_t, remove_resolver, void,
 METHOD(resolver_manager_t, create, resolver_t*,
 	private_resolver_manager_t *this)
 {
-	char *resolv_conf;
+	return this->constructor();
-	char *trust_anchor_file;
-
-	resolv_conf = lib->settings->get_str(lib->settings,
-										 "libstrongswan.plugins.resolver."
-										 "resolv_conf",
-										 "/etc/resolv.conf");
-
-	trust_anchor_file = lib->settings->get_str(lib->settings,
-											   "libstrongswan.plugins.resolver."
-											   "trust_anchor",
-											   "/etc/trust.anchors");
-
-	return this->constructor(resolv_conf, trust_anchor_file);
 }
 
 METHOD(resolver_manager_t, destroy, void,