From d62fff2c7ca3deca08000b623d34c0d4d9248468 Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs
Date: Mon, 20 Jan 2025 15:49:37 +0100
Subject: [PATCH] - Create the quic SSL listening context only when needed.

---
 daemon/unbound.c | 8 +++++---
 doc/Changelog | 1 +
 util/config_file.c | 19 +++++++++++++++++++
 util/config_file.h | 7 +++++++
 4 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/daemon/unbound.c b/daemon/unbound.c
index feea43180..8de7eb0a5 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -505,9 +505,11 @@ setup_sslctxs(struct daemon* daemon, struct config_file* cfg)
 }
 #endif
 #ifdef HAVE_NGTCP2
- if(!(daemon->listen_quic_sslctx = quic_sslctx_create(
- cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) {
- fatal_exit("could not set up quic SSL_CTX");
+ if(cfg_has_quic(cfg)) {
+ if(!(daemon->listen_quic_sslctx = quic_sslctx_create(
+ cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) {
+ fatal_exit("could not set up quic SSL_CTX");
+ }
 }
 #endif /* HAVE_NGTCP2 */
 }
diff --git a/doc/Changelog b/doc/Changelog
index 050304516..e7d8803aa 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,7 @@
 20 January 2025: Yorgos
 - Merge #1222: Unique DoT and DoH SSL contexts to allow for different ALPN.
+ - Create the quic SSL listening context only when needed.
 
 15 January 2025: Yorgos
 - Merge #1221: Consider auth zones when checking for forwarders.
diff --git a/util/config_file.c b/util/config_file.c
index dbe1b7081..b1f0d8741 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -2866,3 +2866,22 @@ if_is_quic(const char* ifname, const char* port, int quic_port)
 return 0;
 #endif
 }
+
+/** see if config contains quic turned on */
+int
+cfg_has_quic(struct config_file* cfg)
+{
+#ifndef HAVE_NGTCP2
+ (void)cfg;
+ return 0;
+#else
+ int i;
+ char portbuf[32];
+ snprintf(portbuf, sizeof(portbuf), "%d", cfg->port);
+ for(i = 0; inum_ifs; i++) {
+ if(if_is_quic(cfg->ifs[i], portbuf, cfg->quic_port))
+ return 1;
+ }
+ return 0;
+#endif
+}
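Review bot: In setup_sslctxs (daemon/unbound.c), `daemon->listen_quic_sslctx` is now left unset whenever `cfg_has_quic(cfg)` returns 0, so every later user of that pointer has to tolerate NULL, and the listener setup has to agree with `cfg_has_quic` about which sockets are DoQ; neither is visible in this hunk. If the two ever disagree, the result would presumably be a QUIC socket with no TLS context instead of the startup `fatal_exit` that previously caught a bad key or certificate. I would state the contract at the guard, for example `/* listen_quic_sslctx stays NULL when no interface is DoQ; users must check it */`. The function body starts outside the hunk.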
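Review bot: `cfg_has_quic` (util/config_file.c) only tests the entries of `cfg->ifs`, so a configuration with no explicit interface entries returns 0 even when `cfg->port` equals `cfg->quic_port`. Whether listeners opened for default or automatic interfaces can also be classified as QUIC by `if_is_quic` is not visible here and should be confirmed, because creation of the QUIC SSL context in daemon/unbound.c now depends on this answer. If that case is deliberately excluded, the one-line comment should say so, for example `/** see if an explicitly configured interface uses the quic port */`. The `@return` text added in util/config_file.h should state the same limit, and that the result is always 0 without HAVE_NGTCP2.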
diff --git a/util/config_file.h b/util/config_file.h
index 07e539f06..6f808b960 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -1419,6 +1419,13 @@ int if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port);
 /** see if interface is quic, its port number == the quic port number */
 int if_is_quic(const char* ifname, const char* port, int quic_port);
 
+/**
+ * Return true if the config contains settings that enable quic.
+ * @param cfg: config information.
+ * @return true if quic ports are used for server.
+ */
+int cfg_has_quic(struct config_file* cfg);
+
 #ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
 #define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
 #endif