dnssec-monitor: use verification port to enable tls

Author: lws-team

lib/system/async-dns/async-dns.c

@@ -725,7 +725,7 @@ lws_async_dns_init(struct lws_context *context)
 	}
 
 	n = lws_plat_asyncdns_init(context, dns);
-	if (n < 0 && !dns->nameservers.count) {
+	if (!dns->nameservers.count) {
 		lwsl_cx_warn(context, "no valid dns server, retry");
 
 		return 1;

lib/system/auth-dns/auth-dns.c

@@ -331,8 +331,7 @@ lws_auth_dns_sign_zone(struct lws_auth_dns_sign_info *info)
 {
 	char obuf[8192]; /* simple large enough buffer for test */
 	int fd, n, ofd = -1, res_wr, temp_len = 0, temp_max = 0;
-	size_t uin = 0, uout = 0;
-	lws_strexp_t exp;
+	size_t uout = 0;
 	struct stat st;
 	char *buf, *expbuf;
 	ssize_t ns;

lib/system/system.c

@@ -269,19 +269,26 @@ lws_extip_report(struct lws_context *cx, lws_extip_src_t src,
                  const lws_sockaddr46 *sa46, int af, int status,
                  const lws_sockaddr46 *peers, int num_peers)
 {
-	lws_sockaddr46 *target = (af == AF_INET) ? &cx->ext_ipv4 : &cx->ext_ipv6;
+	lws_sockaddr46 *target = &cx->ext_ipv4;
+#if defined(LWS_WITH_IPV6)
+	if (af == AF_INET6)
+		target = &cx->ext_ipv6;
+#endif
 	lws_sockaddr46 old = *target;
 
-	if (status == 2 || !sa46 || (af == AF_INET && sa46->sa4.sin_family == 0) ||
-        (af == AF_INET6 && sa46->sa6.sin6_family == 0)) {
+	if (status == 2 || !sa46 || (af == AF_INET && sa46->sa4.sin_family == 0)
+#if defined(LWS_WITH_IPV6)
+        || (af == AF_INET6 && sa46->sa6.sin6_family == 0)
+#endif
+        ) {
 		memset(target, 0, sizeof(*target));
 	} else {
 		*target = *sa46;
 	}
 
 	if (memcmp(&old, target, sizeof(*target))) {
 		int c = 0;
-		char payload[128], buf4[64], buf6[64];
+		char payload[128], buf4[64];
 		char *p = payload, *end = payload + sizeof(payload);
 
 		p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), "{\"ext-ips\": [");
@@ -292,12 +299,15 @@ lws_extip_report(struct lws_context *cx, lws_extip_src_t src,
 			c++;
 		}
 
+#if defined(LWS_WITH_IPV6)
 		if (cx->ext_ipv6.sa6.sin6_family == AF_INET6) {
+			char buf6[64];
 			lws_sa46_write_numeric_address(&cx->ext_ipv6, buf6, sizeof(buf6));
 			if (c)
 				p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), ", ");
 			p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), "\"%s\"", buf6);
 		}
+#endif
 
 		p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), "]}");
 
@@ -308,10 +318,18 @@ lws_extip_report(struct lws_context *cx, lws_extip_src_t src,
 int
 lws_extip_get_best(struct lws_context *cx, int af, lws_sockaddr46 *sa46)
 {
-	lws_sockaddr46 *src = (af == AF_INET) ? &cx->ext_ipv4 : &cx->ext_ipv6;
+	lws_sockaddr46 *src = &cx->ext_ipv4;
 
-	if ((af == AF_INET && src->sa4.sin_family == AF_INET) ||
-	    (af == AF_INET6 && src->sa6.sin6_family == AF_INET6)) {
+#if defined(LWS_WITH_IPV6)
+	if (af == AF_INET6)
+		src = &cx->ext_ipv6;
+#endif
+
+	if ((af == AF_INET && src->sa4.sin_family == AF_INET)
+#if defined(LWS_WITH_IPV6)
+	    || (af == AF_INET6 && src->sa6.sin6_family == AF_INET6)
+#endif
+	   ) {
 		if (sa46)
 			*sa46 = *src;
 		return 0; /* found */

plugins/protocol_lws_dht_dnssec/README.md

@@ -66,6 +66,20 @@ The following substitution keys are provided:
 - `${DANE0}`: Generates a DANE TLSA SHA-256 signature string for the *current* active TLS certificate. The parser natively identities the target `<domain>` context from the front of the corresponding record line (such as `_443._tcp.warmcat.com. IN TLSA ...`) and accesses `/var/dnssec/domains/<domain>/tls/<domain>.crt` to actively compute the `3 1 1 <hash>` DANE data.
 - `${DANE1}`: Acts identically to `DANE0`, however signs the *previous* archived certificate by checking `/var/dnssec/domains/<domain>/tls/<domain>.crt.1`.
 
+### Substitution Examples
+If an operator authors the following raw zone file config:
+```text
+example.com.      IN A     ${EXTIP4}
+example.com.      IN AAAA  ${EXTIP6}
+_443._tcp.example.com. IN TLSA ${DANE0}
+_443._tcp.example.com. IN TLSA ${DANE1}
+```
+
+Upon `signzone`:
+- If the node **lacks an external IPv6 address**, the entire `example.com. IN AAAA ${EXTIP6}` line will be seamlessly excluded from the resulting signed zone.
+- The `${DANE0}` key evaluates `_443._tcp.example.com.` and automatically locates `/var/dnssec/domains/example.com/tls/example.com.crt`. It hashes the embedded SPKI, returning `3 1 1 e3b0c4429...`.
+- If no archived certificate (`example.com.crt.1`) exists, the second TLSA line containing `${DANE1}` will drop itself natively.
+
 ## `lws-crypto-dnssec` Utility
 Libwebsockets provides the `<build-dir>/bin/lws-crypto-dnssec` standalone utility that interfaces dynamically using the `lws-dht-dnssec` plugin.
 

plugins/protocol_lws_dht_dnssec/protocol_lws_dht_dnssec.c

@@ -3821,28 +3821,30 @@ dnssec_subst_cb(struct lws_auth_dns_sign_info *info, const char *name)
 		free(pembuf);
 
 		/* extracted SPKI */
-		union lws_tls_cert_info_results res;
-		res.ns.name = NULL;
-		res.ns.len = 0;
-
-		if (lws_x509_info(cert, LWS_TLS_CERT_INFO_DER_SPKI, &res, 0) == -1 && res.ns.len > 0) {
-			res.ns.name = malloc((size_t)res.ns.len);
-			if (res.ns.name) {
-				if (lws_x509_info(cert, LWS_TLS_CERT_INFO_DER_SPKI, &res, res.ns.len) == 0) {
+		union lws_tls_cert_info_results res1;
+		union lws_tls_cert_info_results *res;
+		res1.ns.len = 0;
+
+		if (lws_x509_info(cert, LWS_TLS_CERT_INFO_DER_SPKI, &res1, 0) == -1 && res1.ns.len > 0) {
+			size_t alloc_len = sizeof(*res) - sizeof(res1.ns.name) + (size_t)res1.ns.len;
+			res = malloc(alloc_len);
+			if (res) {
+				res->ns.len = 0;
+				if (lws_x509_info(cert, LWS_TLS_CERT_INFO_DER_SPKI, res, (size_t)res1.ns.len) == 0) {
 					/* we have the DER SPKI, now hash it */
 					struct lws_genhash_ctx hash_ctx;
 					uint8_t hash[32];
 
 					if (!lws_genhash_init(&hash_ctx, LWS_GENHASH_TYPE_SHA256)) {
-						if (!lws_genhash_update(&hash_ctx, res.ns.name, (size_t)res.ns.len)) {
+						if (!lws_genhash_update(&hash_ctx, (uint8_t *)res->ns.name, (size_t)res->ns.len)) {
 							if (!lws_genhash_destroy(&hash_ctx, hash)) {
 								char hex[128];
 								int hl = 0;
 								for (int i = 0; i < 32; i++) {
 									hl += lws_snprintf(hex + hl, sizeof(hex) - (size_t)hl, "%02X", hash[i]);
 								}
 								lws_snprintf(ret, sizeof(ret), "3 1 1 %s", hex);
-								free(res.ns.name);
+								free(res);
 								lws_x509_destroy(&cert);
 								return ret;
 							}
@@ -3851,7 +3853,7 @@ dnssec_subst_cb(struct lws_auth_dns_sign_info *info, const char *name)
 						}
 					}
 				}
-				free(res.ns.name);
+				free(res);
 			}
 		}
 

plugins/protocol_lws_dht_dnssec_monitor/assets/index.html

@@ -70,7 +70,7 @@ <h2 id="detail-title">Zone Records: <span>---</span></h2>
                                 <th>TTL</th>
                                 <th>Type</th>
                                 <th>Value</th>
-                                <th>TLS</th>
+                                <th>TLS Port</th>
                                 <th>Actions</th>
                             </tr>
                         </thead>
@@ -140,6 +140,6 @@ <h3>Add TLS Subdomain for <span id="tls-domain-name"></span></h3>
     <!-- Notification Toast -->
     <div id="toast" class="toast"></div>
 
-    <script src="monitor.js"></script>
+    <script src="monitor.js?v=2"></script>
 </body>
 </html>

plugins/protocol_lws_dht_dnssec_monitor/assets/monitor.js

@@ -1,6 +1,17 @@
 let ws;
 let currentDomain = '';
 let currentZone = null;
+let certCheckQueue = [];
+let isCheckingCert = false;
+
+function processCertQueue() {
+    if (isCheckingCert || certCheckQueue.length === 0) return;
+    isCheckingCert = true;
+    let task = certCheckQueue.shift();
+    let span = document.getElementById(`cert-status-${task.fqdn}`);
+    if (span) span.innerText = 'Checking...';
+    sendReq({ req: 'check_cert', domain: currentDomain, subdomain: task.fqdn, port: task.port });
+}
 
 function generateId() {
     return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
@@ -297,7 +308,21 @@ function handleResponse(data) {
         case 'create_tls':
         case 'delete_tls':
             showToast(data.req === 'create_tls' ? 'TLS collection enabled' : 'TLS collection disabled');
-            sendReq({ req: 'get_tls', domain: currentDomain });
+            // We don't fetch get_tls again because we update window.activeTls synchronously.
+            break;
+        case 'cert_status':
+            let span = document.getElementById(`cert-status-${data.subdomain}`);
+            if (span) {
+                if (data.status === 'ok') {
+                    span.innerText = data.msg;
+                    span.style.color = '#34d399';
+                } else {
+                    span.innerText = data.msg;
+                    span.style.color = '#f87171';
+                }
+            }
+            isCheckingCert = false;
+            processCertQueue();
             break;
     }
 }
@@ -375,6 +400,8 @@ function renderZoneTable() {
 
     if (!currentZone) return;
 
+    certCheckQueue = [];
+    isCheckingCert = false;
     window.renderedTlsFqdns = new Set();
     const records = currentZone.records.filter(r => r.type !== 'comment' && r.type !== 'macro');
 
@@ -408,9 +435,13 @@ function renderZoneTable() {
 
         if (isTlsCapable && !window.renderedTlsFqdns.has(fqdn)) {
             window.renderedTlsFqdns.add(fqdn);
-            let checked = (window.activeTls && window.activeTls.includes(fqdn + '.json')) ? 'checked' : '';
+            let activeConfig = window.activeTls ? window.activeTls.find(t => t.fqdn === fqdn) : null;
+            let portVal = activeConfig ? activeConfig.port : '';
             tlsTd = `<td class="ext-tls-cell">
-                         <input type="checkbox" class="tls-checkbox" data-fqdn="${fqdn}" title="${fqdn}" ${checked}>
+                         <div style="display:flex; align-items:center; justify-content:flex-start; gap: 0.5rem">
+                             <input type="number" class="tls-port ext-port" data-fqdn="${fqdn}" value="${portVal}" maxlength="5" placeholder="Port" style="width:70px; background: rgba(0,0,0,0.2); color:#fff; border:1px solid #444; border-radius:4px; padding:2px;">
+                             <span id="cert-status-${fqdn}" class="cert-status" style="font-size:0.8em; color:#aaa;"></span>
+                         </div>
                      </td>`;
         }
 
@@ -422,19 +453,32 @@ function renderZoneTable() {
             ${tlsTd}
         `;
 
-        const checkbox = tr.querySelector('.tls-checkbox');
-        if (checkbox) {
-            checkbox.onclick = (e) => e.stopPropagation();
-            checkbox.onchange = (e) => {
-                let isEnabled = e.target.checked;
-                sendReq({ req: isEnabled ? 'create_tls' : 'delete_tls', domain: currentDomain, subdomain: fqdn });
-                if (isEnabled) {
-                    if (!window.activeTls) window.activeTls = [];
-                    window.activeTls.push(fqdn + '.json');
+        const portInput = tr.querySelector('.tls-port');
+        if (portInput) {
+            portInput.onclick = (e) => e.stopPropagation();
+            portInput.onchange = (e) => {
+                let p = e.target.value.trim();
+                let pnum = parseInt(p, 10);
+                if (!p || isNaN(pnum) || pnum <= 0 || pnum > 65535) {
+                    sendReq({ req: 'delete_tls', domain: currentDomain, subdomain: fqdn });
+                    if (window.activeTls) window.activeTls = window.activeTls.filter(x => x.fqdn !== fqdn);
+                    document.getElementById(`cert-status-${fqdn}`).innerText = '';
                 } else {
-                    if (window.activeTls) window.activeTls = window.activeTls.filter(x => x !== fqdn + '.json');
+                    sendReq({ req: 'create_tls', domain: currentDomain, subdomain: fqdn, port: pnum });
+                    if (!window.activeTls) window.activeTls = [];
+                    let exist = window.activeTls.find(x => x.fqdn === fqdn);
+                    if (exist) exist.port = pnum;
+                    else window.activeTls.push({fqdn: fqdn, port: pnum});
+                    
+                    certCheckQueue.push({fqdn: fqdn, port: pnum});
+                    processCertQueue();
                 }
             };
+
+            if (portInput.value) {
+                let pnum = parseInt(portInput.value, 10);
+                certCheckQueue.push({fqdn: fqdn, port: pnum});
+            }
         }
 
         const tdAct = document.createElement('td');
@@ -622,8 +666,8 @@ function openEditor(id) {
         });
 
         if (window.activeTls) {
-            window.activeTls.forEach(tlsFilename => {
-                let fqdn = tlsFilename.replace('.json', '');
+            window.activeTls.forEach(obj => {
+                let fqdn = obj.fqdn;
                 if (!existingFqdns.has(fqdn)) {
                     sendReq({ req: 'delete_tls', domain: currentDomain, subdomain: fqdn });
                 }