Merge branch 'artem/tls-do-not-strictly-require-key-and-cert' into 'main'

Be less strict regarding "tls" statements in the configuration file by allowing both "key-file" and "cert-file" be omitted

See merge request isc-projects/bind9!5546

CHANGES

@@ -1,3 +1,7 @@
+5754.	[bug]		"tls" statements may omit "key-file" and "cert-file",
+			but if either one is specified, then both must be.
+			[GL #2986]
+
 5753.	[placeholder]
 
 5752.	[bug]		Fix an assertion failure caused by missing member zones

bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf

@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# In some cases a "tls" statement may omit key-file and cert-file.
+tls local-tls {
+    protocols {TLSv1.2;};
+    hostname "fqdn.example.com";
+};

lib/bind9/check.c

@@ -2165,15 +2165,15 @@ bind9_check_tls_defintion(const cfg_obj_t *tlsobj, const char *name,
 		}
 	}
 
-	if (cfg_map_get(tlsobj, "key-file", &tls_key) != ISC_R_SUCCESS) {
+	(void)cfg_map_get(tlsobj, "key-file", &tls_key);
+	(void)cfg_map_get(tlsobj, "cert-file", &tls_cert);
+	if ((tls_key == NULL && tls_cert != NULL) ||
+	    (tls_cert == NULL && tls_key != NULL))
+	{
 		cfg_obj_log(tlsobj, logctx, ISC_LOG_ERROR,
-			    "'key-file' is required in tls clause '%s'", name);
-		result = ISC_R_FAILURE;
-	}
-
-	if (cfg_map_get(tlsobj, "cert-file", &tls_cert) != ISC_R_SUCCESS) {
-		cfg_obj_log(tlsobj, logctx, ISC_LOG_ERROR,
-			    "'cert-file' is required in tls clause '%s'", name);
+			    "tls '%s': 'cert-file' and 'key-file' must "
+			    "both be specified, or both omitted",
+			    name);
 		result = ISC_R_FAILURE;
 	}