From 0d37d3d380120c78692d00e733454792a6366e3f Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 15 Apr 2014 23:39:52 +0200 Subject: [PATCH] getdns_dane_verify in the tests_dane example --- configure | 284 ++++++++++++++--------------- configure.ac | 2 +- src/config.h.in | 12 ++ src/test/tests_dane.c | 409 ++++++++++++++++++++++++++++++++++++++++-- 4 files changed, 546 insertions(+), 161 deletions(-) diff --git a/configure b/configure index 00848b45..54c6e2a0 100755 --- a/configure +++ b/configure @@ -1,11 +1,13 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for getdns 0.1.1. +# Generated by GNU Autoconf 2.68 for getdns 0.1.1. # # Report bugs to . # # -# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software +# Foundation, Inc. # # # This configure script is free software; the Free Software Foundation @@ -134,31 +136,6 @@ export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH -# Use a proper internal environment variable to ensure we don't fall - # into an infinite loop, continuously re-executing ourselves. - if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then - _as_can_reexec=no; export _as_can_reexec; - # We cannot yet assume a decent shell, so we have to provide a -# neutralization value for shells without unset; and this also -# works around shells that cannot unset nonexistent variables. -# Preserve -v and -x to the replacement shell. -BASH_ENV=/dev/null -ENV=/dev/null -(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -case $- in # (((( - *v*x* | *x*v* ) as_opts=-vx ;; - *v* ) as_opts=-v ;; - *x* ) as_opts=-x ;; - * ) as_opts= ;; -esac -exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -# Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. -$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 -as_fn_exit 255 - fi - # We don't want this to propagate to other subprocesses. - { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh @@ -192,8 +169,7 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : else exitcode=1; echo positional parameters were not saved. fi -test x\$exitcode = x0 || exit 1 -test -x / || exit 1" +test x\$exitcode = x0 || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && @@ -246,25 +222,21 @@ IFS=$as_save_IFS if test "x$CONFIG_SHELL" != x; then : - export CONFIG_SHELL - # We cannot yet assume a decent shell, so we have to provide a -# neutralization value for shells without unset; and this also -# works around shells that cannot unset nonexistent variables. -# Preserve -v and -x to the replacement shell. -BASH_ENV=/dev/null -ENV=/dev/null -(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -case $- in # (((( - *v*x* | *x*v* ) as_opts=-vx ;; - *v* ) as_opts=-v ;; - *x* ) as_opts=-x ;; - * ) as_opts= ;; -esac -exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -# Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. -$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 -exit 255 + # We cannot yet assume a decent shell, so we have to provide a + # neutralization value for shells without unset; and this also + # works around shells that cannot unset nonexistent variables. + # Preserve -v and -x to the replacement shell. + BASH_ENV=/dev/null + ENV=/dev/null + (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV + export CONFIG_SHELL + case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; + esac + exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} fi if test x$as_have_required = xno; then : @@ -367,14 +339,6 @@ $as_echo X"$as_dir" | } # as_fn_mkdir_p - -# as_fn_executable_p FILE -# ----------------------- -# Test if FILE is an executable regular file. -as_fn_executable_p () -{ - test -f "$1" && test -x "$1" -} # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take @@ -496,10 +460,6 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits chmod +x "$as_me.lineno" || { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } - # If we had to re-execute with $CONFIG_SHELL, we're ensured to have - # already done that, so ensure we don't try to do so again and fall - # in an infinite loop. This has already happened in practice. - _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). @@ -534,16 +494,16 @@ if (echo >conf$$.file) 2>/dev/null; then # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. + # In both cases, we have to default to `cp -p'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -pR' + as_ln_s='cp -p' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else - as_ln_s='cp -pR' + as_ln_s='cp -p' fi else - as_ln_s='cp -pR' + as_ln_s='cp -p' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null @@ -555,8 +515,28 @@ else as_mkdir_p=false fi -as_test_x='test -x' -as_executable_p=as_fn_executable_p +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in #( + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" @@ -1216,6 +1196,8 @@ target=$target_alias if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe + $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. + If a cross compiler is detected then cross compile mode will be used" >&2 elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi @@ -1478,9 +1460,9 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF getdns configure 0.1.1 -generated by GNU Autoconf 2.69 +generated by GNU Autoconf 2.68 -Copyright (C) 2012 Free Software Foundation, Inc. +Copyright (C) 2010 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF @@ -1593,7 +1575,7 @@ $as_echo "$ac_try_echo"; } >&5 test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || - test -x conftest$ac_exeext + $as_test_x conftest$ac_exeext }; then : ac_retval=0 else @@ -1830,8 +1812,7 @@ int main () { static int test_array [1 - 2 * !((($ac_type) -1 >> ($2 / 2 - 1)) >> ($2 / 2 - 1) == 3)]; -test_array [0] = 0; -return test_array [0]; +test_array [0] = 0 ; return 0; @@ -1864,7 +1845,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by getdns $as_me 0.1.1, which was -generated by GNU Autoconf 2.69. Invocation command line was +generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -2241,7 +2222,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2281,7 +2262,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2334,7 +2315,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2375,7 +2356,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue @@ -2433,7 +2414,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2477,7 +2458,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2923,7 +2904,8 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include -struct stat; +#include +#include /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); @@ -3377,7 +3359,7 @@ do for ac_prog in sed gsed; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_SED" || continue + { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue # Check for GNU ac_path_SED and select it if it is found. # Check for GNU $ac_path_SED case `"$ac_path_SED" --version 2>&1` in @@ -3453,7 +3435,7 @@ do for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_GREP" || continue + { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in @@ -3519,7 +3501,7 @@ do for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_EGREP" || continue + { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in @@ -3586,7 +3568,7 @@ do for ac_prog in fgrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_FGREP" || continue + { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue # Check for GNU ac_path_FGREP and select it if it is found. # Check for GNU $ac_path_FGREP case `"$ac_path_FGREP" --version 2>&1` in @@ -3842,7 +3824,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3886,7 +3868,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DUMPBIN="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4310,7 +4292,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4350,7 +4332,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OBJDUMP="objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4522,7 +4504,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu) lt_cv_deplibs_check_method=pass_all ;; -netbsd*) +netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' else @@ -4656,7 +4638,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4696,7 +4678,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DLLTOOL="dlltool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4800,7 +4782,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_AR="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4844,7 +4826,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_AR="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4969,7 +4951,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5009,7 +4991,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_STRIP="strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5068,7 +5050,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5108,7 +5090,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_RANLIB="ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5212,7 +5194,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_AWK="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5799,7 +5781,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5839,7 +5821,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_MANIFEST_TOOL="mt" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5919,7 +5901,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5959,7 +5941,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DSYMUTIL="dsymutil" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6011,7 +5993,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6051,7 +6033,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_NMEDIT="nmedit" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6103,7 +6085,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_LIPO="${ac_tool_prefix}lipo" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6143,7 +6125,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_LIPO="lipo" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6195,7 +6177,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OTOOL="${ac_tool_prefix}otool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6235,7 +6217,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OTOOL="otool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6287,7 +6269,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6327,7 +6309,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OTOOL64="otool64" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7134,10 +7116,6 @@ _lt_linker_boilerplate=`cat conftest.err` $RM -r conftest* -## CAVEAT EMPTOR: -## There is no encapsulation within the following macros, do not change -## the running order or otherwise move them around unless you know exactly -## what you are doing... if test -n "$compiler"; then lt_prog_compiler_no_builtin_flag= @@ -7828,6 +7806,9 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie openbsd*) with_gnu_ld=no ;; + linux* | k*bsd*-gnu | gnu*) + link_all_deplibs=no + ;; esac ld_shlibs=yes @@ -8049,7 +8030,7 @@ _LT_EOF fi ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -8226,6 +8207,7 @@ _LT_EOF if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi + link_all_deplibs=no else # not using gcc if test "$host_cpu" = ia64; then @@ -8679,7 +8661,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; } link_all_deplibs=yes ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else @@ -9692,14 +9674,10 @@ fi # before this can be enabled. hardcode_into_libs=yes - # Add ABI-specific directories to the system library path. - sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" - # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" - + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on @@ -9711,6 +9689,18 @@ fi dynamic_linker='GNU/Linux ld.so' ;; +netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='NetBSD ld.elf_so' + ;; + netbsd*) version_type=sunos need_lib_prefix=no @@ -10718,7 +10708,7 @@ case $as_dir/ in #(( # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then + if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. @@ -11061,7 +11051,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DOXYGEN="" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11088,7 +11078,7 @@ $as_echo "$as_me: WARNING: doxygen not found, continuing without" >&2;} fi # Checks for header files. -for ac_header in inttypes.h netinet/in.h stdint.h stdlib.h string.h +for ac_header in arpa/inet.h inttypes.h netdb.h netinet/in.h openssl/ssl.h stdint.h stdlib.h string.h sys/socket.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default @@ -12021,16 +12011,16 @@ if (echo >conf$$.file) 2>/dev/null; then # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. + # In both cases, we have to default to `cp -p'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -pR' + as_ln_s='cp -p' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else - as_ln_s='cp -pR' + as_ln_s='cp -p' fi else - as_ln_s='cp -pR' + as_ln_s='cp -p' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null @@ -12090,16 +12080,28 @@ else as_mkdir_p=false fi - -# as_fn_executable_p FILE -# ----------------------- -# Test if FILE is an executable regular file. -as_fn_executable_p () -{ - test -f "$1" && test -x "$1" -} # as_fn_executable_p -as_test_x='test -x' -as_executable_p=as_fn_executable_p +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in #( + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" @@ -12121,7 +12123,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # values after options handling. ac_log=" This file was extended by getdns $as_me 0.1.1, which was -generated by GNU Autoconf 2.69. Invocation command line was +generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS @@ -12188,10 +12190,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ getdns config.status 0.1.1 -configured by $0, generated by GNU Autoconf 2.69, +configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" -Copyright (C) 2012 Free Software Foundation, Inc. +Copyright (C) 2010 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." @@ -12281,7 +12283,7 @@ fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then - set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' diff --git a/configure.ac b/configure.ac index 88ac07d2..41f870ab 100644 --- a/configure.ac +++ b/configure.ac @@ -181,7 +181,7 @@ if test -z "$DOXYGEN"; fi # Checks for header files. -AC_CHECK_HEADERS([inttypes.h netinet/in.h stdint.h stdlib.h string.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([arpa/inet.h inttypes.h netdb.h netinet/in.h openssl/ssl.h stdint.h stdlib.h string.h sys/socket.h],,, [AC_INCLUDES_DEFAULT]) # Checks for typedefs, structures, and compiler characteristics. AC_TYPE_SIZE_T diff --git a/src/config.h.in b/src/config.h.in index e15a2edd..677ccfd9 100644 --- a/src/config.h.in +++ b/src/config.h.in @@ -1,5 +1,8 @@ /* src/config.h.in. Generated from configure.ac by autoheader. */ +/* Define to 1 if you have the header file. */ +#undef HAVE_ARPA_INET_H + /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H @@ -33,9 +36,15 @@ /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H +/* Define to 1 if you have the header file. */ +#undef HAVE_NETDB_H + /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_H +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_SSL_H + /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H @@ -48,6 +57,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_SOCKET_H + /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H diff --git a/src/test/tests_dane.c b/src/test/tests_dane.c index 53b67b06..8c657da6 100644 --- a/src/test/tests_dane.c +++ b/src/test/tests_dane.c @@ -54,11 +54,393 @@ #include #endif -#ifdef HAVE_LDNS_DANE_VERIFY -#ifdef HAVE_SSL +#ifndef getdns_get_errorstr_by_id +const char *getdns_get_errorstr_by_id(uint16_t err); +#endif + +#ifdef HAVE_OPENSSL_SSL_H #include #include #include +#include + +#define GETDNS_DANE_TLSA_DID_NOT_MATCH 3000 +#define GETDNS_DANE_TLSA_DID_NOT_MATCH_TEXT "None of the given TLSAs matched" +#define GETDNS_DANE_PKIX_DID_NOT_VALIDATE 3001 +#define GETDNS_DANE_PKIX_DID_NOT_VALIDATE_TEXT \ + "A TLSA matched but PKIX validation failed." +#define GETDNS_DANE_NON_CA_CERTIFICATE 3002 +#define GETDNS_DANE_NON_CA_CERTIFICATE_TEXT \ + "A non CA certificate is matched" + +#define GETDNS_DANE_USAGE_PKIX_TA 0 +#define GETDNS_DANE_USAGE_PKIX_EE 1 +#define GETDNS_DANE_USAGE_DANE_TA 2 +#define GETDNS_DANE_USAGE_DANE_EE 3 + +#define GETDNS_DANE_SELECTOR_CERT 0 +#define GETDNS_DANE_SELECTOR_SPKI 1 + +#define GETDNS_DANE_MATCHING_TYPE_FULL 0 +#define GETDNS_DANE_MATCHING_TYPE_SHA2_256 1 +#define GETDNS_DANE_MATCHING_TYPE_SHA2_512 2 + +/* Ordinary PKIX validation of cert (with extra_certs to help) + * against the CA's in store + */ +static int +getdns_dane_pkix_validate( + X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* store) +{ + X509_STORE_CTX* vrfy_ctx; + int r; + + if (! store) + return GETDNS_DANE_PKIX_DID_NOT_VALIDATE; + + vrfy_ctx = X509_STORE_CTX_new(); + if (! vrfy_ctx) + return GETDNS_RETURN_MEMORY_ERROR; + + else if (X509_STORE_CTX_init(vrfy_ctx, store, + cert, extra_certs) != 1) + r = GETDNS_RETURN_GENERIC_ERROR; + + else if (X509_verify_cert(vrfy_ctx) == 1) + r = GETDNS_RETURN_GOOD; + else + r = GETDNS_DANE_PKIX_DID_NOT_VALIDATE; + + X509_STORE_CTX_free(vrfy_ctx); + return r; +} + + +/* Ordinary PKIX validation of cert (with extra_certs to help) + * against the CA's in store, but also return the validation chain. + */ +static int +getdns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert, + STACK_OF(X509)* extra_certs, X509_STORE* store) +{ + int r; + X509_STORE* empty_store = NULL; + X509_STORE_CTX* vrfy_ctx; + + if (! store) + store = empty_store = X509_STORE_new(); + + r = GETDNS_RETURN_GENERIC_ERROR; + vrfy_ctx = X509_STORE_CTX_new(); + if (! vrfy_ctx) + goto exit_free_empty_store; + + else if (X509_STORE_CTX_init(vrfy_ctx, store, + cert, extra_certs) != 1) + goto exit_free_vrfy_ctx; + + else if (X509_verify_cert(vrfy_ctx) == 1) + r = GETDNS_RETURN_GOOD; + else + r = GETDNS_DANE_PKIX_DID_NOT_VALIDATE; + + *chain = X509_STORE_CTX_get1_chain(vrfy_ctx); + if (! *chain) + r = GETDNS_RETURN_GENERIC_ERROR; + +exit_free_vrfy_ctx: + X509_STORE_CTX_free(vrfy_ctx); + +exit_free_empty_store: + if (empty_store) + X509_STORE_free(empty_store); + return r; +} + + +/* Return the validation chain that can be build out of cert, with extra_certs. + */ +static int +getdns_dane_pkix_get_chain(STACK_OF(X509)** chain, + X509* cert, STACK_OF(X509)* extra_certs) +{ + int r; + X509_STORE* empty_store = NULL; + X509_STORE_CTX* vrfy_ctx; + + empty_store = X509_STORE_new(); + r = GETDNS_RETURN_GENERIC_ERROR; + vrfy_ctx = X509_STORE_CTX_new(); + if (! vrfy_ctx) + goto exit_free_empty_store; + + else if (X509_STORE_CTX_init(vrfy_ctx, empty_store, + cert, extra_certs) != 1) + goto exit_free_vrfy_ctx; + + (void) X509_verify_cert(vrfy_ctx); + *chain = X509_STORE_CTX_get1_chain(vrfy_ctx); + if (! *chain) + r = GETDNS_RETURN_GENERIC_ERROR; + else + r = GETDNS_RETURN_GOOD; + +exit_free_vrfy_ctx: + X509_STORE_CTX_free(vrfy_ctx); + +exit_free_empty_store: + X509_STORE_free(empty_store); + return r; +} + +/* Return whether cert/selector/matching_type matches data. + */ +static int +getdns_dane_match_cert_with_data(X509* cert, + uint32_t selector, uint32_t matching_type, getdns_bindata *data) +{ + int r = GETDNS_RETURN_GOOD; + + unsigned char *buf = NULL; + size_t len; + + X509_PUBKEY* xpubkey; + EVP_PKEY* epubkey; + + unsigned char hash[SHA512_DIGEST_LENGTH]; + SHA256_CTX sha256; + SHA512_CTX sha512; + + switch (selector) { + case GETDNS_DANE_SELECTOR_CERT: + + len = (size_t)i2d_X509(cert, &buf); + break; + + case GETDNS_DANE_SELECTOR_SPKI: + + xpubkey = X509_get_X509_PUBKEY(cert); + if (! xpubkey) + return GETDNS_RETURN_GENERIC_ERROR; + + epubkey = X509_PUBKEY_get(xpubkey); + if (! epubkey) + return GETDNS_RETURN_GENERIC_ERROR; + + len = (size_t)i2d_PUBKEY(epubkey, &buf); + break; + + default: + return GETDNS_RETURN_GENERIC_ERROR; + } + + switch(matching_type) { + case GETDNS_DANE_MATCHING_TYPE_FULL: + + if (data->size != len || memcmp(data->data, buf, len)) + r = GETDNS_DANE_TLSA_DID_NOT_MATCH; + break; + + case GETDNS_DANE_MATCHING_TYPE_SHA2_256: + + if (data->size != SHA256_DIGEST_LENGTH) + r = GETDNS_DANE_TLSA_DID_NOT_MATCH; + else { + SHA256_Init(&sha256); + SHA256_Update(&sha256, buf, len); + SHA256_Final(hash, &sha256); + if (memcmp(data->data, hash, SHA256_DIGEST_LENGTH)) + r = GETDNS_DANE_TLSA_DID_NOT_MATCH; + } + break; + + case GETDNS_DANE_MATCHING_TYPE_SHA2_512: + + if (data->size != SHA512_DIGEST_LENGTH) + r = GETDNS_DANE_TLSA_DID_NOT_MATCH; + else { + SHA512_Init(&sha512); + SHA512_Update(&sha512, buf, len); + SHA512_Final(hash, &sha512); + if (memcmp(data->data, hash, SHA512_DIGEST_LENGTH)) + r = GETDNS_DANE_TLSA_DID_NOT_MATCH; + } + break; + + default: + r = GETDNS_RETURN_GENERIC_ERROR; + } + free(buf); + return r; +} + +/* Return whether any certificate from the chain with selector/matching_type + * matches data. + * ca should be 1 if the certificate has to be a CA certificate too. + */ +static int +getdns_dane_match_any_cert_with_data(STACK_OF(X509)* chain, + uint32_t selector, uint32_t matching_type, getdns_bindata* data, int ca) +{ + int r = GETDNS_DANE_TLSA_DID_NOT_MATCH; + size_t n, i; + X509* cert; + + n = (size_t)sk_X509_num(chain); + for (i = 0; i < n; i++) { + cert = sk_X509_pop(chain); + if (! cert) { + r = GETDNS_RETURN_GENERIC_ERROR; + break; + } + r = getdns_dane_match_cert_with_data( + cert, selector, matching_type, data); + if (ca && r == GETDNS_RETURN_GOOD && ! X509_check_ca(cert)) + r = GETDNS_DANE_NON_CA_CERTIFICATE; + X509_free(cert); + if (r != GETDNS_DANE_TLSA_DID_NOT_MATCH) + break; + /* when r == GETDNS_DANE_TLSA_DID_NOT_MATCH, + * try to match the next certificate + */ + } + return r; +} + +int /* actually extended getdns_return_t */ +getdns_dane_verify(getdns_list *tlsas, X509 *cert, + STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store ) +{ + getdns_return_t r = GETDNS_RETURN_GOOD, prev_r = GETDNS_RETURN_GOOD; + size_t tlsas_len, i, n_tlsas; + getdns_dict *tlsa_rr; + uint32_t rr_type; + getdns_dict *rdata; + uint32_t usage, selector, matching_type; + getdns_bindata *data; /* Certificate association data */ + STACK_OF(X509) *pkix_validation_chain; + + if ((r = getdns_list_get_length(tlsas, &tlsas_len))) + return r; + + for (n_tlsas = 0, i = 0; i < tlsas_len; i++) { + + prev_r = r; + + if ((r = getdns_list_get_dict(tlsas, i, &tlsa_rr))) + break; + + if ((r = getdns_dict_get_int(tlsa_rr, "type", &rr_type))) + break; + + if (rr_type != GETDNS_RRTYPE_TLSA + || (r = getdns_dict_get_dict(tlsa_rr, "rdata", &rdata)) + || (r = getdns_dict_get_int(rdata, + "certificate_usage" , &usage)) + || (r = getdns_dict_get_int(rdata, + "selector", &selector)) + || (r = getdns_dict_get_int(rdata, + "matching_type", &matching_type)) + || (r = getdns_dict_get_bindata(rdata, + "certificate_association_data", &data)) + || usage > 3 || selector > 1 || matching_type > 2) { + + r = prev_r; + continue; + } else + n_tlsas++; + + pkix_validation_chain = NULL; + switch (usage) { + case GETDNS_DANE_USAGE_PKIX_TA: + r = getdns_dane_pkix_validate_and_get_chain( + &pkix_validation_chain, + cert, extra_certs, + pkix_validation_store); + + if (! pkix_validation_chain) + break; + if (r == GETDNS_DANE_PKIX_DID_NOT_VALIDATE) { + /* + * NO PKIX validation. We still try to match + * *any* certificate from the chain, so we + * return TLSA errors over PKIX errors. + * + * i.e. When the TLSA matches no certificate, + * we return * TLSA_DID_NOT_MATCH and not + * PKIX_DID_NOT_VALIDATE + */ + r = getdns_dane_match_any_cert_with_data( + pkix_validation_chain, + selector, matching_type, data, 1); + + if (r == GETDNS_RETURN_GOOD) { + /* A TLSA record did match a cert from + * the chain, thus the error is failed + * PKIX validation. + */ + r = GETDNS_DANE_PKIX_DID_NOT_VALIDATE; + } + + } else if (r == GETDNS_RETURN_GOOD) { + /* PKIX validated, does the TLSA match too? */ + + r = getdns_dane_match_any_cert_with_data( + pkix_validation_chain, + selector, matching_type, data, 1); + } + sk_X509_pop_free(pkix_validation_chain, X509_free); + break; + + case GETDNS_DANE_USAGE_PKIX_EE: + r = getdns_dane_match_cert_with_data( + cert, selector, matching_type, data); + + r = r ? r : getdns_dane_pkix_validate( + cert, extra_certs, pkix_validation_store); + break; + + case GETDNS_DANE_USAGE_DANE_TA: + r = getdns_dane_pkix_get_chain( + &pkix_validation_chain, cert, extra_certs); + + r = r ? r : getdns_dane_match_any_cert_with_data( + pkix_validation_chain, + selector, matching_type, data, 0); + + if (pkix_validation_chain) + sk_X509_pop_free( + pkix_validation_chain, X509_free); + break; + + case GETDNS_DANE_USAGE_DANE_EE: + r = getdns_dane_match_cert_with_data( + cert, selector, matching_type, data); + break; + default: + r = GETDNS_RETURN_GENERIC_ERROR; + break; + } + + if (r != GETDNS_DANE_TLSA_DID_NOT_MATCH && + r != GETDNS_DANE_PKIX_DID_NOT_VALIDATE) { + + /* which would be GETDNS_RETURN_GOOD (match) + * or some fatal error preventing use from + * trying the next TLSA record. + */ + break; + } + r = (r < prev_r ? prev_r : r); /* prefer PKIX_DID_NOT_VALIDATE + * over TLSA_DID_NOT_MATCH + */ + } + if (n_tlsas == 0) + return getdns_dane_pkix_validate( + cert, extra_certs, pkix_validation_store); + + return r; +} void print_usage(const char *progname, FILE *out, int exit_code) @@ -474,8 +856,9 @@ main(int argc, char * const *argv) /* * Dane validate the certificate */ - switch (getdns_dane_verify(tlsas, cert, extra_certs, - certificate_authorities)) { + int s; + switch ((s = getdns_dane_verify(tlsas, cert, extra_certs, + certificate_authorities))) { case GETDNS_RETURN_GOOD: /***************************************************** @@ -505,7 +888,7 @@ main(int argc, char * const *argv) printf("No matching TLSA found\n"); break; default: - printf("An error occurred when verifying TLSA's\n"); + printf("An error occurred when verifying TLSA's (%d)\n", s); break; } while (SSL_shutdown(ssl) == 0); @@ -535,7 +918,7 @@ done_destroy_context: return r ? r : (naddresses == nsuccess ? EXIT_SUCCESS : EXIT_FAILURE); } -#else /* HAVE_SSL */ +#else /* HAVE_OPENSSL_SSL_H */ int main(int argc, char *const *argv) { @@ -545,18 +928,6 @@ main(int argc, char *const *argv) "which has not been compiled in.\n", progname); return EXIT_FAILURE; } -#endif /* HAVE_SSL */ -#else /* HAVE_LDNS_DANE_VERIFY */ -int -main(int argc, char *const *argv) -{ - const char *progname = strrchr(argv[0], '/'); - progname = progname ? progname + 1 : argv[0]; - fprintf(stderr, "%s needs dane support in the ldns library, " - "which has not been compiled in.\n", progname); - fprintf(stderr, "ldns has dane support since version 1.6.14.\n"); - return EXIT_FAILURE; -} -#endif /* HAVE_LDNS_DANE_VERIFY */ +#endif /* HAVE_OPENSSL_SSL_H */ /* tests_dane.c */