Add net.tls_servicename()

The hostname() of a given machine might be different from the service the host is offering. In fact, many hosts might offer the same DNS resolver servicename, while having distinct hostnames. The configuration net.tls_servicename() represents the public-facing name of the service offered by the host. for example, the host might be named "pluto", but the service might be "dns.example.org"

Add net.tls_servicename()
9801e5ac · Daniel Kahn Gillmor · 7069bd2f · 9801e5ac · 9801e5ac · 9801e5ac
Commit 9801e5ac authored 8 years ago by Daniel Kahn Gillmor
--- a/daemon/README.rst
+++ b/daemon/README.rst
@@ -364,6 +364,8 @@ Environment

   :return: Machine hostname.

+   Compare with net.tls_servicename().
+            
 .. function:: verbose(true | false)

   :return: Toggle verbose logging.
@@ -592,6 +594,20 @@ For when listening on ``localhost`` just doesn't cut it.
 	> net.listen("::", 853)
 	> net.listen("::", 443, {tls = true})

+.. function:: net.tls_servicename([servicename])
+
+   Get/set the DNS name of the resolving DNS service.  This can be useful when offering DNS over TLS with a public-facing service with a different name than the local host.
+
+   If this is unset when the value is needed (for example, with ephemeral X.509 certificate generation), kresd will fall back to the hostname.
+
+   Example output:
+
+   .. code-block:: lua
+
+	> net.tls_servicename("dns.example.net")
+	> net.tls_servicename()
+	dns.example.net
+
 Trust anchors and DNSSEC
 ^^^^^^^^^^^^^^^^^^^^^^^^


--- a/daemon/bindings.c
+++ b/daemon/bindings.c
@@ -384,6 +384,24 @@ static int net_tls_key(lua_State *L)
 	return 1;
 }

+static int net_tls_servicename(lua_State *L)
+{
+	struct engine *engine = engine_luaget(L);
+	if (!lua_isstring(L, 1)) {
+		lua_pushstring(L, engine->net.tls_servicename);
+		return 1;
+	}
+
+	int r = network_set_tls_servicename(&engine->net, lua_tostring(L, 1));
+	if (r != 0) {
+		lua_pushstring(L, strerror(ENOMEM));
+		lua_error(L);
+	}
+
+	lua_pushboolean(L, true);
+	return 1;
+}
+
 int lib_net(lua_State *L)
 {
 	static const luaL_Reg lib[] = {
@@ -395,6 +413,7 @@ int lib_net(lua_State *L)
 		{ "tcp_pipeline", net_pipeline },
 		{ "tls_cert",     net_tls_cert },
 		{ "tls_key",      net_tls_key },
+		{ "tls_servicename",      net_tls_servicename },
 		{ NULL, NULL }
 	};
 	register_lib(L, "net", lib);

--- a/daemon/network.c
+++ b/daemon/network.c
@@ -391,6 +391,16 @@ int network_set_tls_key(struct network *net, const char *value)
 	return err;
 }

+int network_set_tls_servicename(struct network *net, const char *value)
+{
+	if (!net) {
+		return kr_error(EINVAL);
+	}
+
+	int err = str_replace(&net->tls_servicename, value);
+	return err;
+}
+
 static void network_creds_changed(uv_fs_event_t* handle, const char* filename, int events, int status)
 {
 	kr_log_info("[tls] credentials file %s changed on disk!\n", filename);

--- a/daemon/network.h
+++ b/daemon/network.h
@@ -47,6 +47,7 @@ struct network {
    map_t endpoints;
    char *tls_cert;
    char *tls_key;
+    char *tls_servicename;
    bool tls_creds_changed;
    struct tls_creds_t *current_tls_creds;
    uv_fs_event_t tls_watch_cert;
@@ -60,4 +61,5 @@ int network_listen(struct network *net, const char *addr, uint16_t port, uint32_
 int network_close(struct network *net, const char *addr, uint16_t port);
 int network_set_tls_cert(struct network *net, const char *cert);
 int network_set_tls_key(struct network *net, const char *key);
+int network_set_tls_servicename(struct network *net, const char *name);
 struct tls_creds_t *network_get_current_tls_creds(struct network *net);