From a19a5192241b653c1d8c6ed838813a49dc439024 Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Fri, 29 Oct 2021 18:43:40 +0300 Subject: [PATCH] Be less strict regarding "tls" statements in the configuration file In the 9.17.19 release "tls" statements verification code was added. The code was too strict and assumed that every such a statement should have both "cert-file" and "key-file" specified. This turned out to be a regression, as in some cases we plan to use the "tls" statement to specify TLS connection parameters. This commit fixes this behaviour; now a "tls" statement should either have both "cert-file" and "key-file" specified, or both should be omitted. --- CHANGES | 4 ++++ .../checkconf/good-dot-doh-tls-nokeycert.conf | 16 ++++++++++++++++ lib/bind9/check.c | 16 ++++++++-------- 3 files changed, 28 insertions(+), 8 deletions(-) create mode 100644 bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf diff --git a/CHANGES b/CHANGES index fa17ff35cd..e2e7dff829 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5754. [bug] "tls" statements may omit "key-file" and "cert-file", + but if either one is specified, then both must be. + [GL #2986] + 5753. [placeholder] 5752. [bug] Fix an assertion failure caused by missing member zones diff --git a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf new file mode 100644 index 0000000000..9814074ecc --- /dev/null +++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf 
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# In some cases a "tls" statement may omit key-file and cert-file.
+tls local-tls {
+	protocols {TLSv1.2;};
+	hostname "fqdn.example.com";
+};
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 85e3884df3..d127b6efa5 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2165,15 +2165,15 @@ bind9_check_tls_defintion(const cfg_obj_t *tlsobj, const char *name,
 		}
 	}
 
-	if (cfg_map_get(tlsobj, "key-file", &tls_key) != ISC_R_SUCCESS) {
+	(void)cfg_map_get(tlsobj, "key-file", &tls_key);
+	(void)cfg_map_get(tlsobj, "cert-file", &tls_cert);
+	if ((tls_key == NULL && tls_cert != NULL) ||
+	    (tls_cert == NULL && tls_key != NULL))
+	{
 		cfg_obj_log(tlsobj, logctx, ISC_LOG_ERROR,
-			    "'key-file' is required in tls clause '%s'", name);
-		result = ISC_R_FAILURE;
-	}
-
-	if (cfg_map_get(tlsobj, "cert-file", &tls_cert) != ISC_R_SUCCESS) {
-		cfg_obj_log(tlsobj, logctx, ISC_LOG_ERROR,
-			    "'cert-file' is required in tls clause '%s'", name);
+			    "tls '%s': 'cert-file' and 'key-file' must "
+			    "both be specified, or both omitted",
+			    name);
 		result = ISC_R_FAILURE;
 	}
 
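Review bot: A tls clause with neither cert-file nor key-file is now accepted by this check regardless of where it is referenced, so a server-side use (a `listen-on ... tls` clause) that needs a certificate would only be rejected at config-check time if a check at the usage site enforces it, which is not visible in this hunk. The new condition also relies on tls_key and tls_cert starting out NULL, since cfg_map_get appears to leave the out-pointer untouched when the key is absent; their declarations are outside the hunk, so confirm they are initialized there. The condition reads more directly as `if ((tls_key == NULL) != (tls_cert == NULL)) {`. Only the positive case is covered by the new good-dot-doh-tls-nokeycert.conf; a bad-*.conf that sets just one of the two would exercise the new error message. bind9_check_tls_defintion starts and continues outside the hunk.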