From 540735a956e169eb025be435dbfd6a62d6c403f8 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 4 Jan 2018 15:58:09 +0100
Subject: [PATCH 001/303] Check pins with DANE functions when available

---
 configure.ac  |   2 +-
 src/context.c |   5 +++
 src/stub.c    | 102 ++++++++++++++++++++++++++++++++++++++++++++------
 3 files changed, 97 insertions(+), 12 deletions(-)

diff --git a/configure.ac b/configure.ac
index 9bc7f66a..f18d6c88 100644
--- a/configure.ac
+++ b/configure.ac
@@ -408,7 +408,7 @@ fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version])
+AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
diff --git a/src/context.c b/src/context.c
index c8f14363..9f3d19ef 100644
--- a/src/context.c
+++ b/src/context.c
@@ -3622,6 +3622,11 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}
+#  ifdef HAVE_SSL_CTX_DANE_ENABLE
+			int osr = SSL_CTX_dane_enable(context->tls_ctx);
+			DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
+			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+#  endif
 #else /* HAVE_TLS_v1_2 */
 			if (tls_only_is_in_transports_list(context) == 1)
 				return GETDNS_RETURN_BAD_CONTEXT;
diff --git a/src/stub.c b/src/stub.c
index 07f22fcd..9e783035 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -827,7 +827,16 @@ tls_requested(getdns_network_req *netreq)
 	        1 : 0;
 }
 
-int
+
+#ifdef HAVE_SSL_DANE_ENABLE
+
+static int
+_getdns_tls_verify_always_ok(int preverify_ok, X509_STORE_CTX *ctx)
+{ (void)preverify_ok; (void)ctx; return 1; }
+
+#else
+
+static int
 tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 {
 	getdns_upstream *upstream;
@@ -837,11 +846,11 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 		return 0;
 
 	int err = X509_STORE_CTX_get_error(ctx);
-#if defined(STUB_DEBUG) && STUB_DEBUG
+# if defined(STUB_DEBUG) && STUB_DEBUG
 	DEBUG_STUB("%s %-35s: FD:  %d Verify result: (%d) \"%s\"\n",
 	            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err,
 	            X509_verify_cert_error_string(err));
-#endif
+# endif
 	if (!preverify_ok && !upstream->tls_fallback_ok)
 		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
 		    "%-40s : Verify failed : Transport=TLS - *Failure* -  (%d) \"%s\"\n",
@@ -849,14 +858,14 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 		    X509_verify_cert_error_string(err));
 
 	/* First deal with the hostname authentication done by OpenSSL. */
-#ifdef X509_V_ERR_HOSTNAME_MISMATCH
-# if defined(STUB_DEBUG) && STUB_DEBUG
+# ifdef X509_V_ERR_HOSTNAME_MISMATCH
+#  if defined(STUB_DEBUG) && STUB_DEBUG
 	/*Report if error is hostname mismatch*/
 	if (err == X509_V_ERR_HOSTNAME_MISMATCH && upstream->tls_fallback_ok)
 			DEBUG_STUB("%s %-35s: FD:  %d WARNING: Proceeding even though hostname validation failed!\n",
 		                STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
-# endif
-#else
+#  endif
+# else
 	/* if we weren't built against OpenSSL with hostname matching we
 	 * could not have matched the hostname, so this would be an automatic
 	 * tls_auth_fail if there is a hostname provided*/
@@ -864,7 +873,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 		preverify_ok = 0;
 	}
-#endif
+# endif
 
 	/* Now deal with the pinset validation*/
 	if (upstream->tls_pubkey_pinset)
@@ -910,6 +919,8 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	return (upstream->tls_fallback_ok) ? 1 : preverify_ok;
 }
 
+#endif /* HAVE_SSL_DANE_ENABLE */
+
 static SSL*
 tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 {
@@ -992,7 +1003,30 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
 	}
+#ifdef HAVE_SSL_DANE_ENABLE
+	int osr = SSL_dane_enable(ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
+	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
+	          , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
+	SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+	sha256_pin_t *pin_p;
+	size_t n_pins = 0;
+	for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
+		osr = SSL_dane_tlsa_add(ssl, 2, 1, 1,
+		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
+			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+		if (osr > 0)
+			++n_pins;
+		osr = SSL_dane_tlsa_add(ssl, 3, 1, 1,
+		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
+			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+		if (osr > 0)
+			++n_pins;
+	}
+#else
 	SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback);
+#endif
 
 	SSL_set_connect_state(ssl);
 	(void) SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
@@ -1048,16 +1082,62 @@ tls_do_handshake(getdns_upstream *upstream)
 				return STUB_SETUP_ERROR;
 	   }
 	}
-	upstream->tls_hs_state = GETDNS_HS_DONE;
-	upstream->conn_state = GETDNS_CONN_OPEN;
-	upstream->conn_completed++;
 	/* A re-used session is not verified so need to fix up state in that case */
 	if (SSL_session_reused(upstream->tls_obj))
 		upstream->tls_auth_state = upstream->last_tls_auth_state;
+
+	else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
+		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
+		long verify_result = SSL_get_verify_result(upstream->tls_obj);
+
+		upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
+		                         ? GETDNS_AUTH_OK : GETDNS_AUTH_FAILED;
+		X509_free(peer_cert);
+
+		if (!peer_cert)
+			_getdns_upstream_log(upstream,
+			    GETDNS_LOG_UPSTREAM_STATS,
+			    ( upstream->tls_fallback_ok
+			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
+			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "Remote did not offer certificate\n",
+			    upstream->addr_str,
+			    ( upstream->tls_fallback_ok
+			    ? "Allowed because of Opportunistic profile"
+			    : "*Failure*" ));
+
+		else if (verify_result != X509_V_OK)
+			_getdns_upstream_log(upstream,
+			    GETDNS_LOG_UPSTREAM_STATS,
+			    ( upstream->tls_fallback_ok
+			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
+			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "(%d) \"%s\"\n", upstream->addr_str,
+			    ( upstream->tls_fallback_ok
+			    ? "Allowed because of Opportunistic profile"
+			    : "*Failure*" ), verify_result,
+			    X509_verify_cert_error_string(verify_result));
+		else
+			_getdns_upstream_log(upstream,
+			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
+			    "%-40s : Verify passed : Transport=TLS - %s -  "
+			    "(%d) \"%s\"\n", upstream->addr_str,
+			    ( upstream->tls_fallback_ok
+			    ? "Allowed because of Opportunistic profile"
+			    : "*Failure*" ), verify_result,
+			    X509_verify_cert_error_string(verify_result));
+
+		if (upstream->tls_auth_state == GETDNS_AUTH_FAILED
+		    && !upstream->tls_fallback_ok)
+			return STUB_SETUP_ERROR;
+	}
 	DEBUG_STUB("%s %-35s: FD:  %d Handshake succeeded with auth state %s. Session is %s.\n", 
 		         STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, 
 		         _getdns_auth_str(upstream->tls_auth_state),
 		         SSL_session_reused(upstream->tls_obj) ?"re-used":"new");
+	upstream->tls_hs_state = GETDNS_HS_DONE;
+	upstream->conn_state = GETDNS_CONN_OPEN;
+	upstream->conn_completed++;
 	if (upstream->tls_session != NULL)
 	    SSL_SESSION_free(upstream->tls_session);
 	upstream->tls_session = SSL_get1_session(upstream->tls_obj);

From 2471f43dead872fa4ae8eb2194720286d9d3c7aa Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 4 Jan 2018 16:15:50 +0100
Subject: [PATCH 002/303] Less logging with successful authenticated upstreams

---
 src/stub.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index 9e783035..cb773190 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1120,12 +1120,8 @@ tls_do_handshake(getdns_upstream *upstream)
 		else
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
-			    "%-40s : Verify passed : Transport=TLS - %s -  "
-			    "(%d) \"%s\"\n", upstream->addr_str,
-			    ( upstream->tls_fallback_ok
-			    ? "Allowed because of Opportunistic profile"
-			    : "*Failure*" ), verify_result,
-			    X509_verify_cert_error_string(verify_result));
+			    "%-40s : Verify passed : Transport=TLS\n",
+			    upstream->addr_str);
 
 		if (upstream->tls_auth_state == GETDNS_AUTH_FAILED
 		    && !upstream->tls_fallback_ok)

From 608189710ca9d5e81d68b15363811fc142e48eaa Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 4 Jan 2018 16:35:22 +0100
Subject: [PATCH 003/303] Log printing in getdns_query

---
 src/tools/getdns_query.c | 159 ++++++++++++++++-----------------------
 1 file changed, 63 insertions(+), 96 deletions(-)

diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index 713783fc..e963fc35 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -57,19 +57,7 @@ getdns_return_t getdns_yaml2dict(const char *, getdns_dict **dict);
 #define EXAMPLE_PIN "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\""
 
 static int verbosity = 0;
-static int i_am_stubby = 0;
-static const char *default_stubby_config =
-"{ resolution_type: GETDNS_RESOLUTION_STUB"
-", dns_transport_list: [ GETDNS_TRANSPORT_TLS, GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP ]"
-", idle_timeout: 10000"
-", listen_addresses: [ 127.0.0.1@53, 0::1@53 ]"
-", tls_query_padding_blocksize: 1"
-", edns_client_subnet_private : 1"
-"}";
 static int clear_listen_list_on_arg = 0;
-#ifndef GETDNS_ON_WINDOWS
-static int run_in_foreground = 1;
-#endif
 static int quiet = 0;
 static int batch_mode = 0;
 static char *query_file = NULL;
@@ -95,6 +83,8 @@ static int check_dnssec = 0;
 static char *resolvconf = NULL;
 #endif
 static int print_api_info = 0, print_trust_anchors = 0;
+static int log_level = 0;
+static uint64_t log_systems = 0xFFFFFFFFFFFFFFFF;
 
 static int get_rrtype(const char *t)
 {
@@ -179,19 +169,14 @@ print_usage(FILE *out, const char *progname)
 {
 	fprintf(out, "usage: %s [<option> ...] \\\n"
 	    "\t[@<upstream> ...] [+<extension> ...] [\'{ <settings> }\'] [<name>] [<type>]\n", progname);
-	if (!i_am_stubby) {
-		fprintf(out, "\ndefault mode: "
+
 #ifdef HAVE_LIBUNBOUND
-	            "recursive"
+# define DEFAULT_RESOLUTION_TYPE "recursive"
 #else
-	            "stub"
+# define DEFAULT_RESOLUTION_TYPE "stub"
 #endif
-	            ", synchronous resolution of NS record\n\t\tusing UDP with TCP fallback\n");
-	}
-	else {
-		fprintf(out, "\ndefault mode: "
-			    "stub, asynchronous resolution \n\t\tusing TLS with UDP then TCP fallback\n");
-	}
+	fprintf(out, "\ndefault mode: " DEFAULT_RESOLUTION_TYPE
+            ", synchronous resolution of NS record\n\t\tusing UDP with TCP fallback\n");
 	fprintf(out, "\nupstreams: @<ip>[%%<scope_id>][@<port>][#<tls port>][~<tls name>][^<tsig spec>]");
 	fprintf(out, "\n            <ip>@<port> may be given as <IPv4>:<port>");
 	fprintf(out, "\n                  or \'[\'<IPv6>[%%<scope_id>]\']\':<port> too\n");
@@ -216,12 +201,9 @@ print_usage(FILE *out, const char *progname)
 	fprintf(out, "\t+0\t\t\tClear all extensions\n");
 	fprintf(out, "\nsettings in json dict format (like outputted by -i option).\n");
 	fprintf(out, "\noptions:\n");
-	if (!i_am_stubby) {
-		fprintf(out, "\t-a\tPerform asynchronous resolution "
-		    "(default = synchronous)\n");
-		fprintf(out, "\t-A\taddress lookup (<type> is ignored)\n");
-		fprintf(out, "\t-B\tBatch mode. Schedule all messages before processing responses.\n");
-	}
+	fprintf(out, "\t-a\tPerform asynchronous resolution (default = synchronous)\n");
+	fprintf(out, "\t-A\taddress lookup (<type> is ignored)\n");
+	fprintf(out, "\t-B\tBatch mode. Schedule all messages before processing responses.\n");
 	fprintf(out, "\t-b <bufsize>\tSet edns0 max_udp_payload size\n");
 	fprintf(out, "\t-c\tSend Client Subnet privacy request\n");
 	fprintf(out, "\t-C\t<filename>\n");
@@ -229,28 +211,16 @@ print_usage(FILE *out, const char *progname)
 	fprintf(out, "\t\tThe getdns context will be configured with these settings\n");
 	fprintf(out, "\t\tThe file must be in YAML format (with extension of '.yml')\n");
 	fprintf(out, "\t\tor JSON dict format (with extension '.conf')\n");
-	if (i_am_stubby) {
-		fprintf(out, "\t\tBy default, configuration is first read from");
-		fprintf(out, "\n\t\t\"/etc/stubby.conf\" and then from \"$HOME/.stubby.conf\"\n");
-	}
 	fprintf(out, "\t-D\tSet edns0 do bit\n");
 	fprintf(out, "\t-d\tclear edns0 do bit\n");
 	fprintf(out, "\t-e <idle_timeout>\tSet idle timeout in milliseconds\n");
-	if (!i_am_stubby)
-		fprintf(out, "\t-F <filename>\tread the queries from the specified file\n");
+	fprintf(out, "\t-F <filename>\tread the queries from the specified file\n");
 	fprintf(out, "\t-f <filename>\tRead DNSSEC trust anchors from <filename>\n");
-#ifndef GETDNS_ON_WINDOWS
-	if (i_am_stubby)
-		fprintf(out, "\t-g\tRun stubby in background (default is foreground)\n");
-#endif
-	if (!i_am_stubby) {
-		fprintf(out, "\t-G\tgeneral lookup\n");
-		fprintf(out, "\t-H\thostname lookup. (<name> must be an IP address; <type> is ignored)\n");
-	}
+	fprintf(out, "\t-G\tgeneral lookup\n");
+	fprintf(out, "\t-H\thostname lookup. (<name> must be an IP address; <type> is ignored)\n");
 	fprintf(out, "\t-h\tPrint this help\n");
 	fprintf(out, "\t-i\tPrint api information\n");
-	if (!i_am_stubby)
-		fprintf(out, "\t-I\tInteractive mode (> 1 queries on same context)\n");
+	fprintf(out, "\t-I\tInteractive mode (> 1 queries on same context)\n");
 	fprintf(out, "\t-j\tOutput json response dict\n");
 	fprintf(out, "\t-J\tPretty print json response dict\n");
 	fprintf(out, "\t-k\tPrint root trust anchors\n");
@@ -266,19 +236,21 @@ print_usage(FILE *out, const char *progname)
 	fprintf(out, "\t-P <blocksize>\tPad TLS queries to a multiple of blocksize\n"
 		"\t\t(special values: 0: no padding, 1: sensible default policy)\n");
 	fprintf(out, "\t-q\tQuiet mode - don't print response\n");
-	fprintf( out, "\t-r\tSet recursing resolution type%s\n"
-	       , i_am_stubby ? "(default = stub)" : "");
+	fprintf( out, "\t-r\tSet recursing resolution type (default = "
+	    DEFAULT_RESOLUTION_TYPE ")\n");
 	fprintf(out, "\t-R <filename>\tRead root hints from <filename>\n");
-	fprintf(out, "\t-s\tSet stub resolution type%s\n"
-	       , i_am_stubby ? "" : "(default = recursing)" );
-	if (!i_am_stubby)
-		fprintf(out, "\t-S\tservice lookup (<type> is ignored)\n");
+	fprintf(out, "\t-s\tSet stub resolution type (default = "
+	    DEFAULT_RESOLUTION_TYPE ")\n");
+	fprintf(out, "\t-S\tservice lookup (<type> is ignored)\n");
 	fprintf(out, "\t-t <timeout>\tSet timeout in milliseconds\n");
 	fprintf(out, "\t-v\tPrint getdns release version\n");
 	fprintf(out, "\t-V\tIncrease verbosity (may be used more than once)\n");
 	fprintf(out, "\t-x\tDo not follow redirects\n");
 	fprintf(out, "\t-X\tFollow redirects (default)\n");
-
+	fprintf(out, "\t-y <log level>\tPrint log messages with"
+	    "severity <= <log level> (default = 0)\n");
+	fprintf(out, "\t-Y <log systems>\tBitwise or'ed set of systems for "
+	    " which to print log messages (default == -1 (= all))\n");
 	fprintf(out, "\t-0\tAppend suffix to single label first (default)\n");
 	fprintf(out, "\t-W\tAppend suffix always\n");
 	fprintf(out, "\t-1\tAppend suffix only to single label after failure\n");
@@ -298,8 +270,6 @@ print_usage(FILE *out, const char *progname)
 	fprintf(out, "\t\tListen for DNS requests on the given IP address\n");
 	fprintf(out, "\t\t<listen address> is in the same format as upstreams.\n");
 	fprintf(out, "\t\tThis option can be given more than once.\n");
-	if (i_am_stubby)
-		fprintf(out, "\t\t(default is to listen on 127.0.0.1:53)\n");
 }
 
 static getdns_return_t validate_chain(getdns_dict *response)
@@ -609,6 +579,7 @@ getdns_return_t parse_args(int argc, char **argv)
 	getdns_bindata bindata;
 	size_t upstream_count = 0;
 	FILE *fh;
+	int int_value;
 
 	for (i = 1; i < argc; i++) {
 		arg = argv[i];
@@ -927,17 +898,49 @@ getdns_return_t parse_args(int argc, char **argv)
 				getdns_context_set_follow_redirects(
 				    context, GETDNS_REDIRECTS_FOLLOW);
 				break;
+			case 'y':
+				if (c[1] != 0 || ++i >= argc || !*argv[i]) {
+					fprintf(stderr, "log level expected "
+					    "after -y\n");
+					return GETDNS_RETURN_GENERIC_ERROR;
+				}
+				int_value = strtol(argv[i], &endptr, 10);
+				if (*endptr || int_value < 0) {
+					fprintf(stderr, "positive "
+					    "numeric log level expected "
+					    "after -y\n");
+					return GETDNS_RETURN_GENERIC_ERROR;
+				} else
+					log_level = int_value;
+				goto next;
+
+			case 'Y':
+				if (c[1] != 0 || ++i >= argc || !*argv[i]) {
+					fprintf(stderr, "log systems expected "
+					    "after -y\n");
+					return GETDNS_RETURN_GENERIC_ERROR;
+				}
+				int_value = strtol(argv[i], &endptr, 10);
+				if (*endptr || int_value < 0) {
+					fprintf(stderr, "positive "
+					    "numeric log systems expected "
+					    "after -Y\n");
+					return GETDNS_RETURN_GENERIC_ERROR;
+				} else
+					log_systems = (uint64_t)int_value;
+				goto next;
+
 			case 'e':
 				if (c[1] != 0 || ++i >= argc || !*argv[i]) {
 					fprintf(stderr, "idle timeout expected "
-					    "after -t\n");
+					    "after -e\n");
 					return GETDNS_RETURN_GENERIC_ERROR;
 				}
 				timeout = strtol(argv[i], &endptr, 10);
 				if (*endptr || timeout < 0) {
 					fprintf(stderr, "positive "
 					    "numeric idle timeout expected "
-					    "after -t\n");
+					    "after -e\n");
 					return GETDNS_RETURN_GENERIC_ERROR;
 				}
 				getdns_context_set_idle_timeout(
@@ -1081,12 +1084,6 @@ getdns_return_t parse_args(int argc, char **argv)
 				}
 				break;
 			default:
-#ifndef GETDNS_ON_WINDOWS
-				if (i_am_stubby && *c == 'g') {
-					run_in_foreground = 0;
-					break;
-				}
-#endif
 				fprintf(stderr, "Unknown option "
 				    "\"%c\"\n", *c);
 				for (i = 0; i < argc; i++)
@@ -1655,7 +1652,7 @@ error:
 		getdns_dict_destroy(response);
 }
 
-static void stubby_log(void *userarg, uint64_t system,
+static void _getdns_query_log(void *userarg, uint64_t system,
     getdns_loglevel_type level, const char *fmt, va_list ap)
 {
 	struct timeval tv;
@@ -1664,16 +1661,10 @@ static void stubby_log(void *userarg, uint64_t system,
 #ifdef GETDNS_ON_WINDOWS
 	time_t tsec;
 
-	if (!verbosity)
-		return;
-
 	gettimeofday(&tv, NULL);
 	tsec = (time_t) tv.tv_sec;
 	gmtime_s(&tm, (const time_t *) &tsec);
 #else
-	if (!verbosity)
-		return;
-
 	gettimeofday(&tv, NULL);
 	gmtime_r(&tv.tv_sec, &tm);
 #endif
@@ -1695,18 +1686,7 @@ static void stubby_log(void *userarg, uint64_t system,
 int
 main(int argc, char **argv)
 {
-	char home_stubby_conf_fn[1024];
 	getdns_return_t r;
-#ifndef USE_WINSOCK
-	char *prg_name = strrchr(argv[0], '/');
-#else
-	char *prg_name = strrchr(argv[0], '\\');
-#endif
-	prg_name = prg_name ? prg_name + 1 : argv[0];
-
-	i_am_stubby = strcasecmp(prg_name, "stubby") == 0
-	           || strcasecmp(prg_name, "lt-stubby") == 0
-	           || strcasecmp(prg_name, "stubby.exe") == 0;
 
 	name = the_root;
 	if ((r = getdns_context_create(&context, 1))) {
@@ -1721,22 +1701,6 @@ main(int argc, char **argv)
 		r = GETDNS_RETURN_MEMORY_ERROR;
 		goto done_destroy_context;
 	}
-	if (i_am_stubby) {
-		int n_chars = snprintf( home_stubby_conf_fn
-		                      , sizeof(home_stubby_conf_fn)
-		                      , "%s/.stubby.conf"
-		                      , getenv("HOME")
-		                      );
-		(void) parse_config(default_stubby_config, 0);
-		(void) parse_config_file("/etc/stubby.conf", 0);
-		if (n_chars > 0 && n_chars < (int)sizeof(home_stubby_conf_fn)){
-			(void) parse_config_file(home_stubby_conf_fn, 0);
-		}
-		clear_listen_list_on_arg = 1;
-	}
-	(void) getdns_context_set_logfunc(context, NULL,
-	    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, stubby_log);
-
 	if ((r = parse_args(argc, argv)) && r != CONTINUE)
 		goto done_destroy_context;
 #ifndef USE_WINSOCK
@@ -1749,6 +1713,9 @@ main(int argc, char **argv)
 			goto done_destroy_context;
 	}
 #endif
+	(void) getdns_context_set_logfunc(context, NULL,
+	    log_systems, log_level, _getdns_query_log);
+
 	if (print_api_info) {
 		getdns_dict *api_information = 
 		    getdns_context_get_api_information(context);
@@ -1863,7 +1830,7 @@ done_destroy_context:
 	else if (r == CONTINUE_ERROR)
 		return 1;
 
-	if (!i_am_stubby && verbosity)
+	if (verbosity)
 		fprintf(stdout, "\nAll done.\n");
 
 	return             r ? r 

From a1e5cc44a01186cdfcf3b7ba11942f43b703ba15 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 8 Jan 2018 10:33:25 +0100
Subject: [PATCH 004/303] Add https://github.com/vdukhovni/ssl_dane submodule

---
 .gitmodules  | 3 +++
 src/ssl_dane | 1 +
 2 files changed, 4 insertions(+)
 create mode 160000 src/ssl_dane

diff --git a/.gitmodules b/.gitmodules
index 6f120301..8e995c3d 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -9,3 +9,6 @@
 	path = stubby
 	url = https://github.com/getdnsapi/stubby.git
 	branch = develop
+[submodule "src/ssl_dane"]
+	path = src/ssl_dane
+	url = https://github.com/vdukhovni/ssl_dane
diff --git a/src/ssl_dane b/src/ssl_dane
new file mode 160000
index 00000000..d9767f2f
--- /dev/null
+++ b/src/ssl_dane
@@ -0,0 +1 @@
+Subproject commit d9767f2fc78dbaf990c18df00bf17fd0c2ee2baa

From 546b75a9b15c85e4d38ed54ea5fb112a39135684 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 8 Jan 2018 12:54:48 +0100
Subject: [PATCH 005/303] libidn2 support.  Thanks Paul Wouters

---
 ChangeLog     |   3 ++
 README.md     |   8 ++--
 configure.ac  |  65 +++++++++++++++++++++++++++++---
 src/convert.c | 101 +++++++++++++++++++++++++-------------------------
 4 files changed, 117 insertions(+), 60 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 575855cd..6b372592 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+* 2018-0?-??: Version 1.?.?
+  * libidn2 support.  Thanks Paul Wouters
+
 * 2017-12-21: Version 1.3.0
   * Bugfix #300: Detect dnsmasq and skip unit test that fails with it.
     Thanks Tim Rühsen and Konomi Kitten
diff --git a/README.md b/README.md
index aacfc289..eb662b18 100644
--- a/README.md
+++ b/README.md
@@ -70,13 +70,13 @@ If you are installing from packages, you have to install the library and also th
 External dependencies are linked outside the getdns API build tree (we rely on configure to find them).  We would like to keep the dependency tree short.  Please refer to section for building on Windows for separate dependency and build instructions for that platform.
 
 * [libunbound from NLnet Labs](https://unbound.net/) version 1.4.16 or later.
-* [libidn from the FSF](https://www.gnu.org/software/libidn/) version 1.  (Note that the libidn version means the conversions between A-labels and U-labels may permit conversion of formally invalid labels under IDNA2008.)
+* [libidn from the FSF](https://www.gnu.org/software/libidn/) version 1 or 2.  (Note that the libidn version means the conversions between A-labels and U-labels may permit conversion of formally invalid labels under IDNA2008.)
 * [libssl and libcrypto from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.1 or later is required for TLS support, version 1.0.2 or later is required for TLS hostname authentication)
 * Doxygen is used to generate documentation; while this is not technically necessary for the build it makes things a lot more pleasant.
 
 For example, to build on a recent version of Ubuntu, you would need the following packages:
 
-    # apt install build-essential libunbound-dev libidn11-dev libssl-dev libtool m4 autoconf
+    # apt install build-essential libunbound-dev libidn2-dev libssl-dev libtool m4 autoconf
 
 If you are building from git, you need to do the following before building:
 
@@ -98,8 +98,8 @@ Note: If you only want to build stubby, then use the `--with-stubby` option when
 ## Minimizing dependencies
 
 * getdns can be configured for stub resolution mode only with the `--enable-stub-only` option to configure.  This removes the dependency on `libunbound`.
-* Currently getdns only offers two helper functions to deal with IDN: `getdns_convert_ulabel_to_alabel` and `getdns_convert_alabel_to_ulabel`.  If you do not need these functions, getdns can be configured to compile without them with the `--without-libidn` option to configure.
-* When both `--enable-stub-only` and `--without-libidn` options are used, getdns has only one dependency left, which is OpenSSL.
+* Currently getdns only offers two helper functions to deal with IDN: `getdns_convert_ulabel_to_alabel` and `getdns_convert_alabel_to_ulabel`.  If you do not need these functions, getdns can be configured to compile without them with the `--without-libidn` and `--without-libidn2` options to configure.
+* When `--enable-stub-only`, `--without-libidn` and `--without-libidn2` options are used, getdns has only one dependency left, which is OpenSSL.
 
 ## Extensions and Event loop dependencies
 
diff --git a/configure.ac b/configure.ac
index 9bc7f66a..caf2cdf3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -763,6 +763,39 @@ else
 	fi
 fi
 
+my_with_libidn2=1
+AC_ARG_WITH(libidn2, AS_HELP_STRING([--with-libidn2=pathname],
+	[path to libidn2 (default: search /usr/local ..)]),
+	[], [withval="yes"])
+if test x_$withval = x_yes; then
+	for dir in /usr/local /opt/local /usr/pkg /usr/sfw; do
+		if test -f "$dir/include/idn2.h"; then
+			CFLAGS="$CFLAGS -I$dir/include"
+			LDFLAGS="$LDFLAGS -L$dir/lib"
+			AC_MSG_NOTICE([Found libidn2 in $dir])
+			break
+		fi
+		if test -f "$dir/include/idn2/idn2.h"; then
+			CFLAGS="$CFLAGS -I$dir/include/idn2"
+			LDFLAGS="$LDFLAGS -L$dir/lib"
+			AC_MSG_NOTICE([Found libidn2 in $dir])
+			break
+		fi
+	done
+	if test -f "/usr/include/idn2/idn2.h"; then
+		CFLAGS="$CFLAGS -I/usr/include/idn2"
+		#LDFLAGS="$LDFLAGS -L/usr/lib"
+		AC_MSG_NOTICE([Found libidn2 in /usr])
+	fi
+else
+	if test x_$withval != x_no; then
+		CFLAGS="$CFLAGS -I$withval/include"
+		LDFLAGS="$LDFLAGS -L$withval/lib"
+	else
+		my_with_libidn2=0
+	fi
+fi
+
 if test $my_with_libunbound = 1
 then
 	# find libunbound
@@ -793,15 +826,37 @@ fi
 found_all_libs=1
 MISSING_DEPS=""
 MISSING_SEP=""
-if test $my_with_libidn = 1
+
+working_libidn2=0
+if test $my_with_libidn2 = 1
 then
-	AC_MSG_NOTICE([Checking for dependency libidn])
-	AC_CHECK_LIB([idn], [idna_to_ascii_8z], [], [
-		MISSING_DEPS="${MISSING_DEPS}${MISSING_SEP}libidn"
+	AC_MSG_NOTICE([Checking for dependency libidn2])
+	AC_CHECK_LIB([idn2], [idn2_to_unicode_8z8z], [
+		working_libidn2=1
+		LIBS="-lidn2 $LIBS"
+		AC_DEFINE_UNQUOTED([HAVE_LIBIDN2], [1], [Define to 1 if you have the `idn2' library (-lidn).]) dnl `
+	], [
+		MISSING_DEPS="${MISSING_DEPS}${MISSING_SEP}libidn2"
 		MISSING_SEP=", "
-		found_all_libs=0
 	])
 fi
+if test $working_libidn2 = 0
+then
+	if test $my_with_libidn = 1
+	then
+		AC_MSG_NOTICE([Checking for dependency libidn])
+		AC_CHECK_LIB([idn], [idna_to_ascii_8z], [], [
+			MISSING_DEPS="${MISSING_DEPS}${MISSING_SEP}libidn"
+			MISSING_SEP=", "
+			found_all_libs=0
+		])
+	else
+		if test $my_with_libidn2 = 1
+		then
+			found_all_libs=0
+		fi
+	fi
+fi
 
 AC_ARG_ENABLE(unbound-event-api, AC_HELP_STRING([--disable-unbound-event-api], [Disable usage of libunbounds event API]))
 case "$enable_unbound_event_api" in
diff --git a/src/convert.c b/src/convert.c
index 71f25491..695cbf27 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -39,7 +39,9 @@
 #ifndef USE_WINSOCK
 #include <arpa/inet.h>
 #endif
-#ifdef HAVE_LIBIDN
+#if defined(HAVE_LIBIDN2)
+#include <idn2.h>
+#elif defined(HAVE_LIBIDN)
 #include <stringprep.h>
 #include <idna.h>
 #endif
@@ -113,48 +115,44 @@ getdns_convert_fqdn_to_dns_name(
 char *
 getdns_convert_ulabel_to_alabel(const char *ulabel)
 {
-#ifdef HAVE_LIBIDN
-    int ret;
-    char *buf;
-    char *prepped;
-    char *prepped2;
+#if defined(HAVE_LIBIDN2)
+	char *alabel;
 
-    if (ulabel == NULL)
-	return 0;
-    prepped2 = malloc(BUFSIZ);
-    if(!prepped2)
-	    return 0;
-    setlocale(LC_ALL, "");
-    if ((prepped = stringprep_locale_to_utf8(ulabel)) == 0) {
-	/* convert to utf8 fails, which it can, but continue anyway */
-	if(strlen(ulabel)+1 > BUFSIZ) {
-	    free(prepped2);
-	    return 0;
-	}
-	memcpy(prepped2, ulabel, strlen(ulabel)+1);
-    } else {
-	if(strlen(prepped)+1 > BUFSIZ) {
-	    free(prepped);
-	    free(prepped2);
-	    return 0;
-	}
-	memcpy(prepped2, prepped, strlen(prepped)+1);
-	free(prepped);
-    }
-    if ((ret = stringprep(prepped2, BUFSIZ, 0, stringprep_nameprep)) != STRINGPREP_OK) {
-	free(prepped2);
-	return 0;
-    }
-    if ((ret = idna_to_ascii_8z(prepped2, &buf, 0)) != IDNA_SUCCESS)  {
-	free(prepped2);
-	return 0;
-    }
-    free(prepped2);
-    return buf;
+	if (!ulabel) return NULL;
+
+	if (idn2_lookup_ul(ulabel, &alabel, IDN2_NONTRANSITIONAL) == IDN2_OK
+	||  idn2_lookup_ul(ulabel, &alabel, IDN2_TRANSITIONAL)    == IDN2_OK)
+		return alabel;
+
+#elif defined(HAVE_LIBIDN)
+	char *alabel;
+	char *prepped;
+	char  prepped2[BUFSIZ];
+
+	if (!ulabel) return NULL;
+
+	setlocale(LC_ALL, "");
+	if ((prepped = stringprep_locale_to_utf8(ulabel))) {
+		if(strlen(prepped)+1 > BUFSIZ) {
+			free(prepped);
+			return NULL;
+		}
+		memcpy(prepped2, prepped, strlen(prepped)+1);
+		free(prepped);
+
+		/* convert to utf8 fails, which it can, but continue anyway */
+	} else if (strlen(ulabel)+1 > BUFSIZ)
+		return NULL;
+	else
+		memcpy(prepped2, ulabel, strlen(ulabel)+1);
+
+	if (stringprep(prepped2, BUFSIZ, 0, stringprep_nameprep) == STRINGPREP_OK
+	&&  idna_to_ascii_8z(prepped2, &alabel, 0) == IDNA_SUCCESS)
+		return alabel;
 #else
-    (void)ulabel;
-    return NULL;
+	(void)ulabel;
 #endif
+	return NULL;
 }
 
 /*---------------------------------------- getdns_convert_alabel_to_ulabel */
@@ -171,20 +169,21 @@ getdns_convert_ulabel_to_alabel(const char *ulabel)
 char *
 getdns_convert_alabel_to_ulabel(const char *alabel)
 {
-#ifdef HAVE_LIBIDN
-    int  ret;              /* just in case we might want to use it someday */
-    char *buf;
+#if defined(HAVE_LIBIDN2) || defined(HAVE_LIBIDN)
+	char *ulabel;
 
-    if (alabel == NULL)
-        return 0;
-    if ((ret = idna_to_unicode_8z8z(alabel, &buf, 0)) != IDNA_SUCCESS)  {
-        return NULL;
-    }
-    return buf;
+	if (!alabel) return NULL;
+
+# if defined(HAVE_LIBIDN2)
+	if (idn2_to_unicode_8z8z(alabel, &ulabel, 0) != IDN2_OK)
+# else
+	if (idna_to_unicode_8z8z(alabel, &ulabel, 0) != IDNA_SUCCESS)
+# endif
+		return ulabel;
 #else
-    (void)alabel;
-    return NULL;
+	(void)alabel;
 #endif
+	return NULL;
 }
 
 

From 9e34588f197e4b634adfcd7f89f583a27008db98 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 8 Jan 2018 16:04:40 +0100
Subject: [PATCH 006/303] logic error

---
 src/convert.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/convert.c b/src/convert.c
index 695cbf27..03a27af2 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -175,9 +175,9 @@ getdns_convert_alabel_to_ulabel(const char *alabel)
 	if (!alabel) return NULL;
 
 # if defined(HAVE_LIBIDN2)
-	if (idn2_to_unicode_8z8z(alabel, &ulabel, 0) != IDN2_OK)
+	if (idn2_to_unicode_8z8z(alabel, &ulabel, 0) == IDN2_OK)
 # else
-	if (idna_to_unicode_8z8z(alabel, &ulabel, 0) != IDNA_SUCCESS)
+	if (idna_to_unicode_8z8z(alabel, &ulabel, 0) == IDNA_SUCCESS)
 # endif
 		return ulabel;
 #else

From 7c5bdd5431d22dd47698428560c1c515572a5b3c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 10 Jan 2018 12:47:14 +0100
Subject: [PATCH 007/303] Use danessl submodule when OpenSSL version between
 1.0.0 and 1.1.0

---
 configure.ac    |  20 +++++++
 src/Makefile.in |   7 ++-
 src/context.c   |  58 ++++++++++++++++++-
 src/stub.c      | 148 +++++++++++++++++++++++++++++++++---------------
 4 files changed, 185 insertions(+), 48 deletions(-)

diff --git a/configure.ac b/configure.ac
index f18d6c88..eb8423a9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -431,6 +431,26 @@ AC_INCLUDES_DEFAULT
 ])
 fi
 
+AC_MSG_CHECKING([whether we need to compile/link DANE support])
+DANESSL_XTRA_OBJS=""
+AC_LANG_PUSH(C)
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM([
+		[#include <openssl/opensslv.h>]
+		[#if OPENSSL_VERSION_NUMBER <  0x1000000fL]
+		[#error "OpenSSL 1.0.0 or higher required for DANE library"]
+		[#elif defined(HAVE_SSL_DANE_ENABLE)]
+		[#error "OpenSSL has native DANE support"]
+		[#endif]
+	],[[]])],
+	[
+		AC_MSG_RESULT([yes])
+		AC_DEFINE([USE_DANESSL], [1], [Define this to use DANE functions from the ssl_dane/danessl library.])
+		DANESSL_XTRA_OBJS="danessl.lo"
+	],
+	[AC_MSG_RESULT([no])])
+AC_LANG_POP(C)
+AC_SUBST(DANESSL_XTRA_OBJS)
 
 AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support]))
 	case "$enable_sha1" in
diff --git a/src/Makefile.in b/src/Makefile.in
index b37d296e..b77672ed 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -96,7 +96,9 @@ JSMN_OBJ=jsmn.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
-GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@
+DANESSL_OBJ=danessl.lo
+
+GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ @DANESSL_XTRA_OBJS@
 STUBBY_XTRA_OBJS=@STUBBY_XTRA_OBJS@
 
 EXTENSION_OBJ=$(DEFAULT_EVENTLOOP_OBJ) libevent.lo libev.lo
@@ -133,6 +135,9 @@ $(JSMN_OBJ):
 $(YAML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
 
+$(DANESSL_OBJ):
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WNOERRORFLAG) -c $(srcdir)/ssl_dane/$(@:.lo=.c) -o $@
+
 $(YXML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -I$(srcdir)/yxml -DYXML_GETDNS -Wno-unused-parameter -c $(srcdir)/yxml/$(@:.lo=.c) -o $@
 
diff --git a/src/context.c b/src/context.c
index 9f3d19ef..67b9eb84 100644
--- a/src/context.c
+++ b/src/context.c
@@ -59,6 +59,7 @@ typedef unsigned short in_port_t;
 
 #include <openssl/opensslv.h>
 #include <openssl/crypto.h>
+#include <openssl/err.h>
 
 #include <sys/stat.h>
 #include <string.h>
@@ -89,6 +90,9 @@ typedef unsigned short in_port_t;
 #include "list.h"
 #include "dict.h"
 #include "pubkey-pinning.h"
+#ifdef USE_DANESSL
+# include "ssl_dane/danessl.h"
+#endif
 
 #define GETDNS_PORT_ZERO 0
 #define GETDNS_PORT_DNS 53
@@ -681,6 +685,27 @@ upstreams_create(getdns_context *context, size_t size)
 	return r;
 }
 
+
+#if defined(STUB_DEBUG) && STUB_DEBUG
+static void _stub_debug_print_openssl_errors(void)
+{
+    unsigned long err;
+    char buffer[1024];
+    const char *file;
+    const char *data;
+    int line;
+    int flags;
+
+    while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
+        ERR_error_string_n(err, buffer, sizeof(buffer));
+        if (flags & ERR_TXT_STRING)
+            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d:%s\n", buffer, file, line, data);
+        else
+            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d\n", buffer, file, line);
+    }
+}
+#endif
+
 void
 _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 {
@@ -722,6 +747,12 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 
 		if (upstream->tls_obj != NULL) {
 			SSL_shutdown(upstream->tls_obj);
+#ifdef USE_DANESSL
+# if defined(STUB_DEBUG) && STUB_DEBUG
+			_stub_debug_print_openssl_errors();
+# endif
+			DANESSL_cleanup(upstream->tls_obj);
+#endif
 			SSL_free(upstream->tls_obj);
 		}
 		if (upstream->fd != -1)
@@ -832,6 +863,12 @@ _getdns_upstream_reset(getdns_upstream *upstream)
 	}
 	if (upstream->tls_obj != NULL) {
 		SSL_shutdown(upstream->tls_obj);
+#ifdef USE_DANESSL
+# if defined(STUB_DEBUG) && STUB_DEBUG
+		_stub_debug_print_openssl_errors();
+# endif
+		DANESSL_cleanup(upstream->tls_obj);
+#endif
 		SSL_free(upstream->tls_obj);
 		upstream->tls_obj = NULL;
 	}
@@ -1636,6 +1673,9 @@ getdns_context_create_with_extended_memory_functions(
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 		OpenSSL_add_all_algorithms();
 		SSL_library_init();
+# ifdef USE_DANESSL
+		(void) DANESSL_library_init();
+# endif
 #else
 		OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS
 		                   | OPENSSL_INIT_ADD_ALL_DIGESTS
@@ -3622,10 +3662,24 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}
-#  ifdef HAVE_SSL_CTX_DANE_ENABLE
-			int osr = SSL_CTX_dane_enable(context->tls_ctx);
+#  if defined(HAVE_SSL_CTX_DANE_ENABLE)
+#   if defined(STUB_DEBUG) && STUB_DEBUG
+			int osr =
+#   else
+			(void)
+#   endif
+				SSL_CTX_dane_enable(context->tls_ctx);
 			DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
 			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+#  elif defined(USE_DANESSL)
+#   if defined(STUB_DEBUG) && STUB_DEBUG
+			int osr =
+#   else
+			(void)
+#   endif
+				DANESSL_CTX_init(context->tls_ctx);
+			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n"
+			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 #  endif
 #else /* HAVE_TLS_v1_2 */
 			if (tls_only_is_in_transports_list(context) == 1)
diff --git a/src/stub.c b/src/stub.c
index cb773190..1c998b5d 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -55,6 +55,9 @@
 #include "platform.h"
 #include "general.h"
 #include "pubkey-pinning.h"
+#ifdef USE_DANESSL
+# include "ssl_dane/danessl.h"
+#endif
 
 /* WSA TODO: 
  * STUB_TCP_RETRY added to deal with edge triggered event loops (versus
@@ -828,13 +831,34 @@ tls_requested(getdns_network_req *netreq)
 }
 
 
-#ifdef HAVE_SSL_DANE_ENABLE
+#if defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL)
 
 static int
-_getdns_tls_verify_always_ok(int preverify_ok, X509_STORE_CTX *ctx)
-{ (void)preverify_ok; (void)ctx; return 1; }
+_getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
+{ 
+# if defined(STUB_DEBUG) && STUB_DEBUG
+	char	buf[8192];
+	X509   *cert;
+	int	 err;
+	int	 depth;
 
-#else
+	cert = X509_STORE_CTX_get_current_cert(ctx);
+	err = X509_STORE_CTX_get_error(ctx);
+	depth = X509_STORE_CTX_get_error_depth(ctx);
+
+	if (cert)
+		X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
+	else
+		strcpy(buf, "<unknown>");
+	DEBUG_STUB("DEBUG Cert verify: depth=%d verify=%d err=%d subject=%s errorstr=%s\n", depth, ok, err, buf, X509_verify_cert_error_string(err));
+# else /* defined(STUB_DEBUG) && STUB_DEBUG */
+	(void)ok;
+	(void)ctx;
+# endif /* #else defined(STUB_DEBUG) && STUB_DEBUG */
+	return 1; 
+}
+
+#else /* defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
 
 static int
 tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
@@ -857,25 +881,11 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 		    upstream->addr_str, err,
 		    X509_verify_cert_error_string(err));
 
-	/* First deal with the hostname authentication done by OpenSSL. */
-# ifdef X509_V_ERR_HOSTNAME_MISMATCH
-#  if defined(STUB_DEBUG) && STUB_DEBUG
-	/*Report if error is hostname mismatch*/
-	if (err == X509_V_ERR_HOSTNAME_MISMATCH && upstream->tls_fallback_ok)
-			DEBUG_STUB("%s %-35s: FD:  %d WARNING: Proceeding even though hostname validation failed!\n",
-		                STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
-#  endif
-# else
-	/* if we weren't built against OpenSSL with hostname matching we
-	 * could not have matched the hostname, so this would be an automatic
-	 * tls_auth_fail if there is a hostname provided*/
-	if (upstream->tls_auth_name[0]) {
-		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-		preverify_ok = 0;
-	}
-# endif
+	/* No need to deal with hostname authentication, since this will be
+	 * dealt with in the DANE preprocessor paths.
+	 */
 
-	/* Now deal with the pinset validation*/
+	/* Deal with the pinset validation */
 	if (upstream->tls_pubkey_pinset)
 		pinset_ret = _getdns_verify_pinset_match(upstream->tls_pubkey_pinset, ctx);
 
@@ -891,22 +901,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
 			    "%-40s : Conn failed   : Transport=TLS - *Failure* - Pinset validation failure\n",
 			    upstream->addr_str);
-	} else {
-		/* If we _only_ had a pinset and it is good then force succesful
-		   authentication when the cert self-signed
-		   TODO: We need to check for other error cases here, not blindly accept the cert!! */
-		if ((upstream->tls_pubkey_pinset && upstream->tls_auth_name[0] == '\0') &&
-		     (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
-		      err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
-			preverify_ok = 1;
-			DEBUG_STUB("%s %-35s: FD:  %d, Allowing self-signed (%d) cert since pins match\n",
-		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err);
-			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, 
-			    "%-40s : Verify passed : Transport=TLS - Allowing self-signed cert since pins match\n",
-			    upstream->addr_str);
-		}
 	}
-
 	/* If nothing has failed yet and we had credentials, we have succesfully authenticated*/
 	if (preverify_ok == 0)
 		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
@@ -919,7 +914,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	return (upstream->tls_fallback_ok) ? 1 : preverify_ok;
 }
 
-#endif /* HAVE_SSL_DANE_ENABLE */
+#endif /* #else defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
 
 static SSL*
 tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
@@ -954,7 +949,10 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
 		SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
 #ifdef HAVE_SSL_HN_AUTH
-		/* Set up native OpenSSL hostname verification*/
+		/* Set up native OpenSSL hostname verification
+		 * ( doesn't work with USE_DANESSL, but we verify the
+		 *   name afterwards in such cases )
+		 */
 		X509_VERIFY_PARAM *param;
 		param = SSL_get0_param(ssl);
 		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
@@ -1003,7 +1001,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
 	}
-#ifdef HAVE_SSL_DANE_ENABLE
+#if defined(HAVE_SSL_DANE_ENABLE)
 	int osr = SSL_dane_enable(ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
 	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
 	          , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
@@ -1024,6 +1022,35 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		if (osr > 0)
 			++n_pins;
 	}
+#elif defined(USE_DANESSL)
+	if (upstream->tls_pubkey_pinset) {
+		const char *auth_names[2] = { upstream->tls_auth_name, NULL };
+		int osr = DANESSL_init(ssl,
+		    *upstream->tls_auth_name ? upstream->tls_auth_name : NULL,
+		    *upstream->tls_auth_name ? auth_names : NULL
+		    );
+		DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n"
+			  , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
+		SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+		sha256_pin_t *pin_p;
+		size_t n_pins = 0;
+		for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
+			osr = DANESSL_add_tlsa(ssl, 3, 1, "sha256",
+			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
+				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+			if (osr > 0)
+				++n_pins;
+			osr = DANESSL_add_tlsa(ssl, 2, 1, "sha256",
+			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
+				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+			if (osr > 0)
+				++n_pins;
+		}
+	} else {
+		SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+	}
 #else
 	SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback);
 #endif
@@ -1043,7 +1070,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			            __FUNC__);
 			}
 	}
-
 	return ssl;
 }
 
@@ -1086,14 +1112,27 @@ tls_do_handshake(getdns_upstream *upstream)
 	if (SSL_session_reused(upstream->tls_obj))
 		upstream->tls_auth_state = upstream->last_tls_auth_state;
 
+#if defined(USE_DANESSL) || defined(HAVE_SSL_HN_AUTH)
 	else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
 		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
 		long verify_result = SSL_get_verify_result(upstream->tls_obj);
 
+/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
+ * we need to verify auth_name explicitely (otherwise it will not be checked,
+ * because this is not required with DANE with an EE match).
+ * This is not needed with native OpenSSL DANE, because EE name checks have
+ * to be disabled explicitely.
+ */
+# if defined(USE_DANESSL) && defined(HAVE_SSL_HN_AUTH)
+		if (peer_cert && verify_result == X509_V_OK
+		    && upstream->tls_auth_name[0]
+		    && upstream->tls_pubkey_pinset
+		    && X509_check_host(peer_cert, upstream->tls_auth_name, 0,
+			    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL) <= 0)
+			verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
+# endif
 		upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
 		                         ? GETDNS_AUTH_OK : GETDNS_AUTH_FAILED;
-		X509_free(peer_cert);
-
 		if (!peer_cert)
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,
@@ -1103,7 +1142,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			    "Remote did not offer certificate\n",
 			    upstream->addr_str,
 			    ( upstream->tls_fallback_ok
-			    ? "Allowed because of Opportunistic profile"
+			    ? "Tolerated because of Opportunistic profile"
 			    : "*Failure*" ));
 
 		else if (verify_result != X509_V_OK)
@@ -1114,15 +1153,33 @@ tls_do_handshake(getdns_upstream *upstream)
 			    "%-40s : Verify failed : Transport=TLS - %s -  "
 			    "(%d) \"%s\"\n", upstream->addr_str,
 			    ( upstream->tls_fallback_ok
-			    ? "Allowed because of Opportunistic profile"
+			    ? "Tolerated because of Opportunistic profile"
 			    : "*Failure*" ), verify_result,
 			    X509_verify_cert_error_string(verify_result));
+# ifndef HAVE_SSL_HN_AUTH
+		else if (*upstream->tls_auth_name) {
+			_getdns_upstream_log(upstream,
+			    GETDNS_LOG_UPSTREAM_STATS,
+			    ( upstream->tls_fallback_ok
+			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
+			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "Hostname Authentication not available from TLS "
+			    "library (check library version)\n",
+			    upstream->addr_str,
+			    ( upstream->tls_fallback_ok
+			    ? "Tolerated because of Opportunistic profile"
+			    : "*Failure*" ));
+
+			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
+		}
+# endif
 		else
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
 			    "%-40s : Verify passed : Transport=TLS\n",
 			    upstream->addr_str);
 
+		X509_free(peer_cert);
 		if (upstream->tls_auth_state == GETDNS_AUTH_FAILED
 		    && !upstream->tls_fallback_ok)
 			return STUB_SETUP_ERROR;
@@ -1146,6 +1203,7 @@ tls_do_handshake(getdns_upstream *upstream)
 	     NULL, upstream_write_cb, NULL));
 	return 0;
 }
+#endif /* defined(USE_DANESSL) || defined(HAVE_SSL_HN_AUTH) */
 
 static int
 tls_connected(getdns_upstream* upstream)

From 712617e568e440baae22c018fc05842d02d25bd6 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 10 Jan 2018 13:54:18 +0100
Subject: [PATCH 008/303] Dead assignment (without stub debugging)

---
 src/stub.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index 1c998b5d..dba63122 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1002,7 +1002,13 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		             __FUNC__);
 	}
 #if defined(HAVE_SSL_DANE_ENABLE)
-	int osr = SSL_dane_enable(ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
+	int osr;
+# if defined(STUB_DEBUG) && STUB_DEBUG
+	osr =
+# else
+	(void)
+# endif
+		SSL_dane_enable(ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
 	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
 	          , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
 	SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
@@ -1025,7 +1031,13 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 #elif defined(USE_DANESSL)
 	if (upstream->tls_pubkey_pinset) {
 		const char *auth_names[2] = { upstream->tls_auth_name, NULL };
-		int osr = DANESSL_init(ssl,
+		int osr;
+# if defined(STUB_DEBUG) && STUB_DEBUG
+		osr =
+# else
+		(void)
+# endif
+			DANESSL_init(ssl,
 		    *upstream->tls_auth_name ? upstream->tls_auth_name : NULL,
 		    *upstream->tls_auth_name ? auth_names : NULL
 		    );

From 6b4446c7cd80787001a4ec40b303d71412694f02 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 10 Jan 2018 14:34:25 +0100
Subject: [PATCH 009/303] Suppress compiler warnings in danessl library

---
 .gitmodules  | 2 +-
 src/ssl_dane | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitmodules b/.gitmodules
index 8e995c3d..dc06b68a 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -11,4 +11,4 @@
 	branch = develop
 [submodule "src/ssl_dane"]
 	path = src/ssl_dane
-	url = https://github.com/vdukhovni/ssl_dane
+	url = https://github.com/getdnsapi/ssl_dane
diff --git a/src/ssl_dane b/src/ssl_dane
index d9767f2f..0f3cd82f 160000
--- a/src/ssl_dane
+++ b/src/ssl_dane
@@ -1 +1 @@
-Subproject commit d9767f2fc78dbaf990c18df00bf17fd0c2ee2baa
+Subproject commit 0f3cd82f450d2001cf393713e4ad5179ed8b7842

From a746ea5e086e2d0592567d2f9735ba62e69c1af8 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 10 Jan 2018 14:36:33 +0100
Subject: [PATCH 010/303] Dependencies

---
 src/Makefile.in | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/Makefile.in b/src/Makefile.in
index b77672ed..a97b379d 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -260,7 +260,7 @@ Makefile: $(srcdir)/Makefile.in ../config.status
 depend:
 	(cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
 
-	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \
+	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
 		sed -e "s? $$blddir/? ?g" \
 		    -e 's? gldns/? $$(srcdir)/gldns/?g' \
 		    -e 's? compat/? $$(srcdir)/compat/?g' \
@@ -268,6 +268,7 @@ depend:
 		    -e 's? util/? $$(srcdir)/util/?g' \
 		    -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
 		    -e 's? yxml/? $$(srcdir)/yxml/?g' \
+		    -e 's? ssl_dane/? $$(srcdir)/ssl_dane/?g' \
 		    -e 's? extension/? $$(srcdir)/extension/?g' \
 		    -e 's? \.\./stubby/? $$(stubbysrcdir)/?g' \
 		    -e 's? \([a-z_-]*\)\.\([ch]\)? $$(srcdir)/\1.\2?g' \
@@ -316,7 +317,7 @@ context.lo context.o: $(srcdir)/context.c \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
  $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
  $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h
+ $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h
 convert.lo convert.o: $(srcdir)/convert.c \
  config.h \
  getdns/getdns.h \
@@ -455,7 +456,7 @@ stub.lo stub.o: $(srcdir)/stub.c \
  $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h \
  $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/anchor.h \
- $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h
+ $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h
 sync.lo sync.o: $(srcdir)/sync.c \
  getdns/getdns.h \
  config.h \
@@ -562,6 +563,7 @@ val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \
  $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
 yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
+danessl.lo danessl.o: $(srcdir)/ssl_dane/danessl.c $(srcdir)/ssl_dane/danessl.h
 libev.lo libev.o: $(srcdir)/extension/libev.c \
  config.h \
  $(srcdir)/types-internal.h \

From d44237554db4446818174eb6c6155f89cde66f09 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 11 Jan 2018 12:40:01 +0100
Subject: [PATCH 011/303] No warnings from danessl allowed

---
 src/ssl_dane | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ssl_dane b/src/ssl_dane
index 0f3cd82f..dd093e58 160000
--- a/src/ssl_dane
+++ b/src/ssl_dane
@@ -1 +1 @@
-Subproject commit 0f3cd82f450d2001cf393713e4ad5179ed8b7842
+Subproject commit dd093e585a237e0321d303ec35e84c393ef739f4

From 0fa6d1fe2de95d056108a50360e113c321d0c233 Mon Sep 17 00:00:00 2001
From: Norbert Copones <nrbrt.cpns@gmail.com>
Date: Fri, 12 Jan 2018 05:44:27 +0800
Subject: [PATCH 012/303] src/stub.c: LibreSSL has hostname verification turned
 on by default

---
 src/stub.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index 07f22fcd..c3b74fc3 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -942,13 +942,14 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
 		SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
-#ifdef HAVE_SSL_HN_AUTH
+#if defined(HAVE_SSL_HN_AUTH) && !defined(HAVE_LIBRESSL)
 		/* Set up native OpenSSL hostname verification*/
 		X509_VERIFY_PARAM *param;
 		param = SSL_get0_param(ssl);
 		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 		X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
-#else
+#endif
+#if !defined(HAVE_SSL_HN_AUTH) && !defined(HAVE_LIBRESSL)
 		if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
 			DEBUG_STUB("%s %-35s: ERROR: Hostname Authentication not available from TLS library (check library version)\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__);

From 305daab9aa65f595a1740203bad6459e1162aee9 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 12 Jan 2018 16:11:48 +0000
Subject: [PATCH 013/303] Add first version of getdns_server_mon.

Currently only QNAME minimisation check is working.
---
 Makefile.in                   |   9 +-
 configure.ac                  |  16 +
 src/Makefile.in               |   3 +
 src/tools/Makefile.in         |  21 +-
 src/tools/getdns_server_mon.c | 647 ++++++++++++++++++++++++++++++++++
 5 files changed, 691 insertions(+), 5 deletions(-)
 create mode 100644 src/tools/getdns_server_mon.c

diff --git a/Makefile.in b/Makefile.in
index 63216493..d126a0ba 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -44,7 +44,7 @@ libdir = @libdir@
 srcdir = @srcdir@
 INSTALL = @INSTALL@
 
-all : default @GETDNS_QUERY@
+all : default @GETDNS_QUERY@ @GETDNS_SERVER_MON@
 
 everything: default
 	cd src/test && $(MAKE)
@@ -55,7 +55,7 @@ default:
 install-lib:
 	cd src && $(MAKE) install
 
-install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@
+install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@ @INSTALL_GETDNS_SERVER_MON@
 	$(INSTALL) -m 755 -d $(DESTDIR)$(docdir)
 	$(INSTALL) -m 644 $(srcdir)/AUTHORS $(DESTDIR)$(docdir)
 	$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(docdir)
@@ -93,7 +93,7 @@ install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@
 	@echo "***  trust anchor management keeping it up-to-date."
 	@echo "***"
 
-uninstall: @UNINSTALL_GETDNS_QUERY@
+uninstall: @UNINSTALL_GETDNS_QUERY@ @UNINSTALL_GETDNS_SERVER_MON@
 	rm -rf $(DESTDIR)$(docdir)
 	cd doc && $(MAKE) $@
 	cd src && $(MAKE) $@
@@ -110,6 +110,9 @@ test: default
 getdns_query: default
 	cd src/tools && $(MAKE) $@
 
+getdns_server_mon: default
+	cd src/tools && $(MAKE) $@
+
 stubby:
 	cd src && $(MAKE) $@
 
diff --git a/configure.ac b/configure.ac
index 9bc7f66a..eb05012b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1150,6 +1150,22 @@ AC_SUBST(GETDNS_QUERY)
 AC_SUBST(INSTALL_GETDNS_QUERY)
 AC_SUBST(UNINSTALL_GETDNS_QUERY)
 
+AC_ARG_WITH(getdns_server_mon, AS_HELP_STRING([--without-getdns_server_mon],
+	[Do not compile and install the getdns_server_mon tool]),
+	[], [withval="yes"])
+if test x_$withval = x_no; then
+	GETDNS_SERVER_MON=""
+	INSTALL_GETDNS_SERVER_MON=""
+	UNINSTALL_GETDNS_SERVER_MON=""
+else
+	GETDNS_SERVER_MON="getdns_server_mon"
+	INSTALL_GETDNS_SERVER_MON="install-getdns_server_mon"
+	UNINSTALL_GETDNS_SERVER_MON="uninstall-getdns_server_mon"
+fi
+AC_SUBST(GETDNS_SERVER_MON)
+AC_SUBST(INSTALL_GETDNS_SERVER_MON)
+AC_SUBST(UNINSTALL_GETDNS_SERVER_MON)
+
 stubby_with_yaml=0
 AC_ARG_WITH(stubby, AS_HELP_STRING([--with-stubby],
 	[Compile and install stubby, the (stub) resolver daemon]),
diff --git a/src/Makefile.in b/src/Makefile.in
index b37d296e..361205b5 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -197,6 +197,9 @@ test: default
 getdns_query: default
 	cd tools && $(MAKE) $@
 
+getdns_server_mon: default
+	cd tools && $(MAKE) $@
+
 stubby.lo: $(stubbysrcdir)/src/stubby.c
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $< -o $@
 
diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in
index 3cba9659..88d5f21d 100644
--- a/src/tools/Makefile.in
+++ b/src/tools/Makefile.in
@@ -45,9 +45,9 @@ CFLAGS=-I$(srcdir)/.. -I$(srcdir) -I.. $(cflags) @CFLAGS@ @CPPFLAGS@ $(WPEDANTIC
 LDFLAGS=-L.. @LDFLAGS@
 LDLIBS=../libgetdns.la @LIBS@
 
-ALL_OBJS=getdns_query.lo
+ALL_OBJS=getdns_query.lo getdns_server_mon.lo
 
-PROGRAMS=getdns_query
+PROGRAMS=getdns_query getdns_server_mon
 
 
 .SUFFIXES: .c .o .a .lo .h
@@ -68,6 +68,9 @@ $(ALL_OBJS):
 getdns_query: getdns_query.lo
 	$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ getdns_query.lo $(LDFLAGS) $(LDLIBS)
 
+getdns_server_mon: getdns_server_mon.lo
+	$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ getdns_server_mon.lo $(LDFLAGS) $(LDLIBS)
+
 stubby:
 	cd .. && $(MAKE) $@
 
@@ -78,6 +81,13 @@ install-getdns_query: getdns_query
 uninstall-getdns_query:
 	$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/getdns_query
 
+install-getdns_server_mon: getdns_server_mon
+	$(INSTALL) -m 755 -d $(DESTDIR)$(bindir)
+	$(LIBTOOL) --mode=install cp getdns_server_mon $(DESTDIR)$(bindir)
+
+uninstall-getdns_server_mon:
+	$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/getdns_server_mon
+
 install-stubby:
 	cd .. && $(MAKE) $@
 
@@ -117,3 +127,10 @@ getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \
  $(srcdir)/../debug.h \
  ../getdns/getdns.h \
  ../getdns/getdns_extra.h
+
+# Dependencies for getdns_server_mon
+getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \
+ ../config.h \
+ $(srcdir)/../debug.h \
+ ../getdns/getdns.h \
+ ../getdns/getdns_extra.h
diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
new file mode 100644
index 00000000..34c6e3c2
--- /dev/null
+++ b/src/tools/getdns_server_mon.c
@@ -0,0 +1,647 @@
+/*
+ * Copyright (c) 2018, NLNet Labs, Sinodun
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "debug.h"
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/bio.h>
+
+#include <getdns/getdns.h>
+#include <getdns/getdns_extra.h>
+
+#define APP_NAME "getdns_server_mon"
+
+#define EXAMPLE_PIN "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\""
+
+/* Plugin exit values */
+typedef enum {
+        EXIT_OK = 0,
+        EXIT_WARNING,
+        EXIT_CRITICAL,
+        EXIT_UNKNOWN
+} exit_value_t;
+
+/* Plugin verbosity values */
+typedef enum {
+        VERBOSITY_MINIMAL = 0,
+        VERBOSITY_ADDITIONAL,
+        VERBOSITY_CONFIG,
+        VERBOSITY_DEBUG
+} verbosity_t;
+
+static struct test_info_s
+{
+        getdns_context *context;
+
+        /* Output control */
+        bool monitoring;
+        FILE *errout;
+        verbosity_t verbosity;
+
+        /* Test config info */
+        bool fail_on_dns_errors;
+} test_info;
+
+static const char *rcode_text(int rcode)
+{
+        const char *text[] = {
+                "OK",
+                "FORMERR",
+                "SERVFAIL",
+                "NXDOMAIN",
+                "NOTIMP",
+                "REFUSED"
+        };
+
+        if ((size_t) rcode >= sizeof(text) / sizeof(text[0]))
+                return "(?)";
+        else
+                return text[rcode];
+}
+
+/* Thanks to:
+ * https://zakird.com/2013/10/13/certificate-parsing-with-openssl
+ */
+static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t)
+{
+        X509 *cert = d2i_X509(NULL, &data, len);
+        if (!cert)
+                return false;
+
+        ASN1_TIME *not_after = X509_get_notAfter(cert);
+
+        /*
+         * Use ASN1_TIME_diff to get a time delta between now and expiry.
+         * This is much easier than trying to parse the time.
+         */
+        int day, sec;
+        *t = time(NULL);
+        ASN1_TIME_diff(&day, &sec, NULL, not_after);
+        *t += day * 86400 + sec;
+
+        X509_free(cert);
+        return true;
+}
+
+static void exit_tidy()
+{
+        if (test_info.context)
+                getdns_context_destroy(test_info.context);
+}
+
+static void usage()
+{
+        fputs(
+"Usage: " APP_NAME " [-MEr] @upstream testname [<name>] [<type>]\n"
+"  -M|--monitoring               Make output suitable for monitoring tools\n"
+"  -E|--fail-on-dns-errors       Fail on DNS error (NXDOMAIN, SERVFAIL)\n"
+"  -T|--tls     		 Use TLS transport\n"
+"  -S|--strict-usage-profile     Use strict profile (require authentication)\n"
+"  -K|--spki-pin <spki-pin>      SPKI pin for TLS connections (can repeat)\n"
+"  -v|--verbose                  Increase output verbosity\n"
+"  -V|--version                  Report GetDNS version\n"
+"\n"
+"spki-pin: Should look like '" EXAMPLE_PIN "'\n"
+"\n"
+"upstream: @<ip>[%<scope_id][@<port>][#<tls_port>][~tls name>][^<tsig spec>]\n"
+"          <ip>@<port> may be given as <IPv4>:<port> or\n"
+"                      '['<IPv6>[%<scope_id>]']':<port>\n"
+"\n"
+"tsig spec: [<algorithm>:]<name>:<secret in Base64>\n"
+"\n"
+"Tests:\n"
+"  auth [<name> [<type>]]        Check authentication of TLS server\n"
+"                                If both a SPKI pin and authentication name are\n"
+"                                provided, both must authenticate for this test\n"
+"                                to pass.\n"
+"  qname-min                     Check whether server supports QNAME minimisation\n"
+"  cert-valid [<name> [type]] [warn-days,crit-days]\n"
+"                                Check server certificate validity, report\n"
+"                                warning or critical if days to expiry at\n"
+"                                or below thresholds (default 14,7).\n"
+"\n"
+"Enabling monitoring mode ensures output messages and exit statuses conform\n"
+"to the requirements of monitoring plugins (www.monitoring-plugins.org).\n",
+                test_info.errout);
+        exit(EXIT_UNKNOWN);
+}
+
+static void version()
+{
+        fputs(APP_NAME ": getdns " GETDNS_VERSION " , API " GETDNS_API_VERSION ".\n",
+              test_info.errout);
+        exit(EXIT_UNKNOWN);
+}
+
+static exit_value_t search(const struct test_info_s *test_info,
+                           const char *name,
+                           uint16_t type,
+                           getdns_dict **response)
+{
+        getdns_return_t ret;
+        getdns_dict *extensions = getdns_dict_create();
+
+        if ((ret = getdns_dict_set_int(extensions, "return_call_reporting", GETDNS_EXTENSION_TRUE)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot set return call reporting: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                getdns_dict_destroy(extensions);
+                return EXIT_UNKNOWN;
+        }
+        if ((ret = getdns_dict_set_int(extensions, "return_both_v4_and_v6", GETDNS_EXTENSION_TRUE)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot set return both IPv4 and IPv6: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                getdns_dict_destroy(extensions);
+                return EXIT_UNKNOWN;
+        }
+
+        if (test_info->verbosity >= VERBOSITY_DEBUG) {
+                fprintf(test_info->errout,
+                        "Context: %s\n",
+                        getdns_pretty_print_dict(getdns_context_get_api_information(test_info->context)));
+        }
+
+        ret = getdns_general_sync(test_info->context,
+                                  name,
+                                  type,
+                                  extensions,
+                                  response);
+        getdns_dict_destroy(extensions);
+        if (ret != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Error resolving '%s': %s (%d)",
+                        name,
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_CRITICAL;
+        }
+
+        if (test_info->verbosity >= VERBOSITY_DEBUG) {
+                fprintf(test_info->errout,
+                        "Response: %s\n",
+                        getdns_pretty_print_dict(*response));
+        }
+
+        return EXIT_OK;
+}
+
+static exit_value_t check_result(const struct test_info_s *test_info,
+                                 const getdns_dict *response)
+{
+        getdns_return_t ret;
+        uint32_t error_id;
+
+        if ((ret = getdns_dict_get_int(response, "status", &error_id)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get result status: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
+                fprintf(test_info->errout,
+                        "result: %s (%d), ",
+                        getdns_get_errorstr_by_id(error_id),
+                        error_id);
+        }
+
+        if (error_id == GETDNS_RESPSTATUS_GOOD)
+                return EXIT_OK;
+
+        uint32_t rcode;
+
+        ret = getdns_dict_get_int(response, "/replies_tree/0/header/rcode", &rcode);
+        if (ret == GETDNS_RETURN_NO_SUCH_DICT_NAME ||
+            ret == GETDNS_RETURN_NO_SUCH_LIST_ITEM) {
+                fputs("Search had no results, timeout?", test_info->errout);
+                return EXIT_CRITICAL;
+        } else if (ret != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get DNS return code: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        if (test_info->fail_on_dns_errors && rcode > 0) {
+                fprintf(test_info->errout,
+                        "DNS error %s (%d)",
+                        rcode_text(rcode),
+                        rcode);
+                return EXIT_CRITICAL;
+        }
+
+        return EXIT_OK;
+}
+
+static exit_value_t get_report_info(const struct test_info_s *test_info,
+                                    const getdns_dict *response,
+                                    uint32_t *rtt,
+                                    getdns_bindata **auth_status,
+                                    time_t *cert_expire_time)
+{
+        getdns_return_t ret;
+        getdns_list *l;
+        uint32_t rtt_val;
+        getdns_bindata *auth_status_val = NULL;
+        time_t cert_expire_time_val = 0;
+
+        if ((ret = getdns_dict_get_list(response, "call_reporting", &l)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get call report: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        getdns_dict *d;
+        if ((ret = getdns_list_get_dict(l, 0, &d)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get call report first item: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+        if ((ret = getdns_dict_get_int(d, "run_time/ms", &rtt_val)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get RTT: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+        if (rtt)
+                *rtt = rtt_val;
+        if (test_info->verbosity >= VERBOSITY_ADDITIONAL)
+                fprintf(test_info->errout, "RTT %dms, ", rtt_val);
+
+        if (getdns_dict_get_bindata(d, "tls_auth_status", &auth_status_val) == GETDNS_RETURN_GOOD) {
+                /* Just in case - not sure this is necessary */
+                auth_status_val->data[auth_status_val->size] = '\0';
+                if (test_info->verbosity >= VERBOSITY_ADDITIONAL)
+                        fprintf(test_info->errout, "auth. %s, ", (char *) auth_status_val->data);
+        }
+        if (auth_status)
+                *auth_status = auth_status_val;
+
+        getdns_bindata *cert;
+        if (getdns_dict_get_bindata(d, "tls_peer_cert", &cert) == GETDNS_RETURN_GOOD) {
+                if (!extract_cert_expiry(cert->data, cert->size, &cert_expire_time_val)) {
+                        fputs("Cannot parse PKIX certificate", test_info->errout);
+                        return EXIT_UNKNOWN;
+                }
+                if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
+                        struct tm *tm = gmtime(&cert_expire_time_val);
+                        char buf[25];
+                        strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S", tm);
+                        fprintf(test_info->errout, "cert expiry %s, ", buf);
+                }
+        }
+        if (cert_expire_time)
+                *cert_expire_time = cert_expire_time_val;
+
+        return EXIT_OK;
+}
+
+/**
+ * Test routines.
+ */
+
+static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
+                                            char ** av)
+{
+        if (*av) {
+                fputs("qname-minimisation takes no arguments",
+                      test_info->errout);
+                return EXIT_UNKNOWN;
+        }
+
+        getdns_dict *response;
+        exit_value_t xit = search(test_info, "qnamemintest.internet.nl", GETDNS_RRTYPE_TXT, &response);
+        if (xit != EXIT_OK)
+                return xit;
+
+        xit = check_result(test_info, response);
+        if (xit != EXIT_OK)
+                return xit;
+
+        /* Don't need any of this, but do want check and verbosity reporting. */
+        xit = get_report_info(test_info, response, NULL, NULL, NULL);
+        if (xit != EXIT_OK)
+                return xit;
+
+	getdns_list *answers;
+	getdns_return_t ret;
+
+	if ((ret = getdns_dict_get_list(response, "/replies_tree/0/answer", &answers)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get answers: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+	}
+
+	size_t no_answers;
+	if ((ret = getdns_list_get_length(answers, &no_answers)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get number of answers: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+	}
+	if (no_answers <= 0) {
+		fputs("Got zero answers", test_info->errout);
+		return EXIT_WARNING;
+	}
+
+	for (size_t i = 0; i < no_answers; ++i) {
+		getdns_dict *answer;
+
+		if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
+			fprintf(test_info->errout,
+				"Cannot get answer number %zu: %s (%d)",
+				i,
+				getdns_get_errorstr_by_id(ret),
+				ret);
+			return EXIT_UNKNOWN;
+		}
+
+		uint32_t rtype;
+
+		if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
+			fprintf(test_info->errout,
+				"Cannot get answer type: %s (%d)",
+				getdns_get_errorstr_by_id(ret),
+				ret);
+			return EXIT_UNKNOWN;
+		}
+		if (rtype != GETDNS_RRTYPE_TXT)
+			continue;
+
+		getdns_bindata *rtxt;
+		if ((ret = getdns_dict_get_bindata(answer, "/rdata/txt_strings/0", &rtxt)) != GETDNS_RETURN_GOOD) {
+			fputs("No answer text", test_info->errout);
+			return EXIT_WARNING;
+		}
+
+		if (rtxt->size > 0 ) {
+			switch(rtxt->data[0]) {
+			case 'H':
+				fputs("QNAME minimisation ON", test_info->errout);
+				return EXIT_OK;
+
+			case 'N':
+				fputs("QNAME minimisation OFF", test_info->errout);
+				return EXIT_WARNING;
+
+			default:
+				/* Unrecognised message. */
+				break;
+			}
+		}
+	}
+
+	fputs("No valid QNAME minimisation data", test_info->errout);
+        return EXIT_UNKNOWN;
+}
+
+static struct test_funcs_s
+{
+        const char *name;
+        exit_value_t (*func)(const struct test_info_s *test_info, char **av);
+} TESTS[] =
+{
+        { "qname-min", test_qname_minimisation },
+        { NULL, NULL }
+};
+
+int main(int ATTR_UNUSED(ac), char *av[])
+{
+        getdns_return_t ret;
+        getdns_list *pinset = NULL;
+        size_t pinset_size = 0;
+        bool strict_usage_profile = false;
+	bool use_tls = false;
+
+        test_info.errout = stderr;
+        atexit(exit_tidy);
+        if ((ret = getdns_context_create(&test_info.context, 1)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info.errout,
+                        "Create context failed: %s (%d)\n",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                exit(EXIT_UNKNOWN);
+        }
+
+        for (++av; *av && *av[0] == '-'; ++av) {
+                if (strcmp(*av, "-M") == 0 ||
+                    strcmp(*av, "--monitoring") == 0) {
+                        test_info.monitoring = true;
+                        test_info.errout = stdout;
+                } else if (strcmp(*av, "-E") == 0 ||
+                           strcmp(*av, "--fail-on-dns-errors") == 0) {
+                        test_info.fail_on_dns_errors = true;
+                } else if (strcmp(*av, "-T") == 0 ||
+                           strcmp(*av, "--tls") == 0 ) {
+                        use_tls = true;
+                } else if (strcmp(*av, "-S") == 0 ||
+                           strcmp(*av, "--strict-usage-profile") == 0 ) {
+                        strict_usage_profile = true;
+			use_tls = true;
+                } else if (strcmp(*av, "-K") == 0 ||
+                           strcmp(*av, "--spki-pin") == 0 ) {
+                        ++av;
+                        if (!*av) {
+                                fputs("pin string of the form " EXAMPLE_PIN "expected after -K|--pin\n", test_info.errout);
+                                exit(EXIT_UNKNOWN);
+                        }
+
+                        getdns_dict *pin;
+
+                        pin = getdns_pubkey_pin_create_from_string(test_info.context, *av);
+                        if (!pin) {
+                                fprintf(test_info.errout,
+                                        "Could not convert '%s' into a public key pin.\n"
+                                        "Good pins look like: " EXAMPLE_PIN "\n"
+                                        "Please see RFC 7469 for details about the format.\n", *av);
+                                exit(EXIT_UNKNOWN);
+                        }
+                        if (!pinset)
+                                pinset = getdns_list_create_with_context(test_info.context);
+                        ret = getdns_list_set_dict(pinset,
+                                                   pinset_size++,
+                                                   pin);
+                        getdns_dict_destroy(pin);
+                        if (ret != GETDNS_RETURN_GOOD) {
+                                fprintf(test_info.errout,
+                                        "Could not add pin '%s' to pin set.\n",
+                                        *av);
+                                getdns_list_destroy(pinset);
+                                exit(EXIT_UNKNOWN);
+
+                        }
+			use_tls = true;
+                } else if (strcmp(*av, "-v") == 0 ||
+                           strcmp(*av, "--verbose") == 0) {
+                        ++test_info.verbosity;
+                } else if (strcmp(*av, "-V") == 0 ||
+                           strcmp(*av, "--version") == 0) {
+                        version();
+                } else {
+                        usage();
+                }
+        }
+
+        if (*av == NULL || *av[0] != '@')
+                usage();
+
+        const char *upstream = *av++;
+        getdns_dict *resolver;
+        getdns_bindata *address;
+
+        if ((ret = getdns_str2dict(&upstream[1], &resolver)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info.errout,
+                        "Could not convert \"%s\" to an IP dict: %s (%d)\n",
+                        &upstream[1],
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                exit(EXIT_UNKNOWN);
+        }
+        if ((ret = getdns_dict_get_bindata(resolver, "address_data", &address)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info.errout,
+                        "\"%s\" did not translate to an IP dict: %s (%d)\n",
+                        &upstream[1],
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                getdns_dict_destroy(resolver);
+                exit(EXIT_UNKNOWN);
+        }
+
+        /* Set parameters on the resolver. */
+        if (pinset) {
+                ret = getdns_dict_set_list(resolver,
+                                           "tls_pubkey_pinset",
+                                           pinset);
+                getdns_list_destroy(pinset);
+                if (ret != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info.errout,
+                                "Cannot set keys for \"%s\": %s (%d)\n",
+                                &upstream[1],
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        exit(EXIT_UNKNOWN);
+                }
+        }
+
+        /* Set getdns context to use the indicated resolver. */
+        getdns_list *l = getdns_list_create();
+        ret = getdns_list_set_dict(l, 0, resolver);
+        getdns_dict_destroy(resolver);
+        if (ret != GETDNS_RETURN_GOOD) {
+                fprintf(test_info.errout,
+                        "Unable to add upstream '%s' to list: %s (%d)\n",
+                        upstream,
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                getdns_list_destroy(l);
+                exit(EXIT_UNKNOWN);
+        }
+        ret = getdns_context_set_upstream_recursive_servers(test_info.context, l);
+        getdns_list_destroy(l);
+        if (ret != GETDNS_RETURN_GOOD) {
+                fprintf(test_info.errout,
+                        "Unable to set upstream resolver to '%s': %s (%d)\n",
+                        upstream,
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                exit(EXIT_UNKNOWN);
+        }
+
+        /* Set context to stub mode. */
+        if ((ret = getdns_context_set_resolution_type(test_info.context, GETDNS_RESOLUTION_STUB)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info.errout,
+                        "Unable to set stub mode: %s (%d)\n",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                exit(EXIT_UNKNOWN);
+        }
+
+        /* Set other context parameters. */
+	if (use_tls) {
+		getdns_transport_list_t t[] = { GETDNS_TRANSPORT_TLS };
+		if ((ret = getdns_context_set_dns_transport_list(test_info.context, 1, t)) != GETDNS_RETURN_GOOD) {
+			fprintf(test_info.errout,
+				"Unable to set TLS transport: %s (%d)\n",
+				getdns_get_errorstr_by_id(ret),
+				ret);
+			exit(EXIT_UNKNOWN);
+		}
+	}
+
+        if (strict_usage_profile) {
+                ret = getdns_context_set_tls_authentication(test_info.context, GETDNS_AUTHENTICATION_REQUIRED);
+                if (ret != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info.errout,
+                                "Unable to set strict profile: %s (%d)\n",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        exit(EXIT_UNKNOWN);
+                }
+        }
+
+        /* Choose and run test */
+        const char *testname = *av;
+
+        if (!testname)
+                usage();
+        ++av;
+
+        for (const struct test_funcs_s *f = TESTS;
+             f->name != NULL;
+             ++f) {
+                if (strcmp(testname, f->name) == 0) {
+                        exit_value_t xit = f->func(&test_info, av);
+                        fputc('\n', test_info.errout);
+                        exit(xit);
+                }
+        }
+        fprintf(test_info.errout, "Unknown test %s\n", testname);
+        exit(EXIT_UNKNOWN);
+}

From e597daa4c0986ea012a16e4f4ddabf435eaf51b2 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 12 Jan 2018 17:21:00 +0000
Subject: [PATCH 014/303] Add 'auth' test.

---
 src/tools/getdns_server_mon.c | 201 ++++++++++++++++++++++++++++++----
 1 file changed, 177 insertions(+), 24 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 34c6e3c2..21354ad1 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -28,6 +28,7 @@
 #include "config.h"
 #include "debug.h"
 
+#include <ctype.h>
 #include <stdbool.h>
 #include <stddef.h>
 #include <stdio.h>
@@ -76,6 +77,31 @@ static struct test_info_s
         bool fail_on_dns_errors;
 } test_info;
 
+static int get_rrtype(const char *t)
+{
+        char buf[1024] = "GETDNS_RRTYPE_";
+        uint32_t rrtype;
+        long int l;
+        size_t i;
+        char *endptr;
+
+        if (strlen(t) > sizeof(buf) - 15)
+                return -1;
+        for (i = 14; *t && i < sizeof(buf) - 1; i++, t++)
+                buf[i] = *t == '-' ? '_' : toupper(*t);
+        buf[i] = '\0';
+
+        if (!getdns_str2int(buf, &rrtype))
+                return (int)rrtype;
+
+        if (strncasecmp(buf + 14, "TYPE", 4) == 0) {
+                l = strtol(buf + 18, &endptr, 10);
+                if (!*endptr && l >= 0 && l < 65536)
+                        return l;
+        }
+        return -1;
+}
+
 static const char *rcode_text(int rcode)
 {
         const char *text[] = {
@@ -167,6 +193,39 @@ static void version()
         exit(EXIT_UNKNOWN);
 }
 
+/**
+ ** Functions used by tests.
+ **/
+
+static exit_value_t get_name_type_args(const struct test_info_s *test_info,
+				       char ***av,
+				       const char **lookup_name,
+				       uint32_t *lookup_type)
+{
+	*lookup_name = "getdnsapi.net";
+	*lookup_type = GETDNS_RRTYPE_AAAA;
+
+	if (**av) {
+		if (strlen(**av) > 0) {
+			*lookup_name = **av;
+		} else {
+			fputs("Empty name not valid", test_info->errout);
+			return EXIT_UNKNOWN;
+		}
+		++*av;
+
+		if (**av) {
+			int rrtype = get_rrtype(**av);
+			if (rrtype >= 0) {
+				*lookup_type = (uint32_t) rrtype;
+				++*av;
+			}
+		}
+	}
+
+	return EXIT_OK;
+}
+
 static exit_value_t search(const struct test_info_s *test_info,
                            const char *name,
                            uint16_t type,
@@ -340,15 +399,125 @@ static exit_value_t get_report_info(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
+static exit_value_t get_answers(const struct test_info_s *test_info,
+				const getdns_dict *response,
+				getdns_list **answers,
+				size_t *no_answers)
+{
+	getdns_return_t ret;
+
+	if ((ret = getdns_dict_get_list(response, "/replies_tree/0/answer", answers)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get answers: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+	}
+
+	if ((ret = getdns_list_get_length(*answers, no_answers)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get number of answers: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+	}
+	if (*no_answers <= 0) {
+		fputs("Got zero answers", test_info->errout);
+		return EXIT_WARNING;
+	}
+
+	return EXIT_OK;
+}
+
+static exit_value_t check_answer_type(const struct test_info_s *test_info,
+				      const getdns_dict *response,
+				      uint32_t rrtype)
+{
+	getdns_list *answers;
+	size_t no_answers;
+	exit_value_t xit;
+
+	if ((xit = get_answers(test_info, response, &answers, &no_answers)) != EXIT_OK)
+		return xit;
+
+	for (size_t i = 0; i < no_answers; ++i) {
+		getdns_dict *answer;
+		getdns_return_t ret;
+
+		if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
+			fprintf(test_info->errout,
+				"Cannot get answer number %zu: %s (%d)",
+				i,
+				getdns_get_errorstr_by_id(ret),
+				ret);
+			return EXIT_UNKNOWN;
+		}
+
+		uint32_t rtype;
+
+		if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
+			fprintf(test_info->errout,
+				"Cannot get answer type: %s (%d)",
+				getdns_get_errorstr_by_id(ret),
+				ret);
+			return EXIT_UNKNOWN;
+		}
+		if (rtype == rrtype)
+			return EXIT_OK;
+	}
+
+	fputs("Answer does not contain expected type", test_info->errout);
+        return EXIT_UNKNOWN;
+}
+
 /**
- * Test routines.
- */
+ ** Test routines.
+ **/
+
+static exit_value_t test_authenticate(const struct test_info_s *test_info,
+				      char ** av)
+{
+	const char *lookup_name;
+	uint32_t lookup_type;
+	exit_value_t xit;
+
+	if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
+		return xit;
+
+        if (*av) {
+                fputs("auth takes arguments [<name> [<type>]]",
+                      test_info->errout);
+                return EXIT_UNKNOWN;
+        }
+
+        getdns_dict *response;
+        if ((xit = search(test_info, lookup_name, lookup_type, &response)) != EXIT_OK)
+                return xit;
+
+        if ((xit = check_result(test_info, response)) != EXIT_OK)
+                return xit;
+
+	getdns_bindata *auth_status;
+        if ((xit = get_report_info(test_info, response, NULL, &auth_status, NULL)) != EXIT_OK)
+                return xit;
+
+	if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+		return xit;
+
+	if (!auth_status || strcmp((char *) auth_status->data, "Success") != 0) {
+		fputs("Authentication failed", test_info->errout);
+		return EXIT_CRITICAL;
+	} else {
+		fputs("Authentication succeeded", test_info->errout);
+		return EXIT_OK;
+	}
+}
 
 static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
                                             char ** av)
 {
         if (*av) {
-                fputs("qname-minimisation takes no arguments",
+                fputs("qname-min takes no arguments",
                       test_info->errout);
                 return EXIT_UNKNOWN;
         }
@@ -368,31 +537,14 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
                 return xit;
 
 	getdns_list *answers;
-	getdns_return_t ret;
-
-	if ((ret = getdns_dict_get_list(response, "/replies_tree/0/answer", &answers)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get answers: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
-                return EXIT_UNKNOWN;
-	}
-
 	size_t no_answers;
-	if ((ret = getdns_list_get_length(answers, &no_answers)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get number of answers: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
-                return EXIT_UNKNOWN;
-	}
-	if (no_answers <= 0) {
-		fputs("Got zero answers", test_info->errout);
-		return EXIT_WARNING;
-	}
+
+	if ((xit = get_answers(test_info, response, &answers, &no_answers)) != EXIT_OK)
+		return xit;
 
 	for (size_t i = 0; i < no_answers; ++i) {
 		getdns_dict *answer;
+		getdns_return_t ret;
 
 		if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
 			fprintf(test_info->errout,
@@ -448,6 +600,7 @@ static struct test_funcs_s
         exit_value_t (*func)(const struct test_info_s *test_info, char **av);
 } TESTS[] =
 {
+        { "auth", test_authenticate },
         { "qname-min", test_qname_minimisation },
         { NULL, NULL }
 };

From e7618321ce3f2952abdbb7080b7e7db9ae16c3fa Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 12 Jan 2018 18:21:38 +0000
Subject: [PATCH 015/303] Add cert-valid test.

---
 src/tools/getdns_server_mon.c | 125 ++++++++++++++++++++++++++++++++--
 1 file changed, 120 insertions(+), 5 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 21354ad1..8a235deb 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -46,6 +46,12 @@
 
 #define APP_NAME "getdns_server_mon"
 
+#define CERT_EXPIRY_CRITICAL_DAYS       7
+#define CERT_EXPIRY_WARNING_DAYS        14
+
+#define DEFAULT_LOOKUP_NAME             "getdnsapi.net"
+#define DEFAULT_LOOKUP_TYPE             GETDNS_RRTYPE_AAAA
+
 #define EXAMPLE_PIN "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\""
 
 /* Plugin exit values */
@@ -197,14 +203,52 @@ static void version()
  ** Functions used by tests.
  **/
 
+static exit_value_t get_cert_valid_thresholds(char ***av,
+					      int *critical_days,
+					      int *warning_days)
+{
+	*critical_days = CERT_EXPIRY_CRITICAL_DAYS;
+	*warning_days = CERT_EXPIRY_WARNING_DAYS;
+
+	if (**av) {
+		char *comma = strchr(**av, ',');
+		if (!comma)
+			return EXIT_UNKNOWN;
+
+		char *end;
+		long w,c;
+
+		c = strtol(**av, &end, 10);
+		/*
+		 * If the number doesn't end at a comma, this isn't a
+		 * properly formatted thresholds arg. Pass over it.
+		 */
+		if (end != comma)
+			return EXIT_UNKNOWN;
+
+		/*
+		 * Similarly, if the number doesn't end at the end of the
+		 * argument, this isn't a properly formatted arg.
+		 */
+		w = strtol(comma + 1, &end, 10);
+		if (*end != '\0')
+			return EXIT_UNKNOWN;
+
+		/* Got two numbers, so consume the argument. */
+		*critical_days = (int) c;
+		*warning_days = (int) w;
+		++*av;
+		return EXIT_OK;
+	}
+
+	return EXIT_UNKNOWN;
+}
+
 static exit_value_t get_name_type_args(const struct test_info_s *test_info,
 				       char ***av,
 				       const char **lookup_name,
 				       uint32_t *lookup_type)
 {
-	*lookup_name = "getdnsapi.net";
-	*lookup_type = GETDNS_RRTYPE_AAAA;
-
 	if (**av) {
 		if (strlen(**av) > 0) {
 			*lookup_name = **av;
@@ -477,8 +521,8 @@ static exit_value_t check_answer_type(const struct test_info_s *test_info,
 static exit_value_t test_authenticate(const struct test_info_s *test_info,
 				      char ** av)
 {
-	const char *lookup_name;
-	uint32_t lookup_type;
+	const char *lookup_name = DEFAULT_LOOKUP_NAME;
+	uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
 	exit_value_t xit;
 
 	if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
@@ -513,6 +557,76 @@ static exit_value_t test_authenticate(const struct test_info_s *test_info,
 	}
 }
 
+static exit_value_t test_certificate_valid(const struct test_info_s *test_info,
+					   char **av)
+{
+	const char *lookup_name = DEFAULT_LOOKUP_NAME;
+	uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
+	exit_value_t xit;
+	int warning_days;
+	int critical_days;
+
+	/* Is first arg the threshold? */
+	if (get_cert_valid_thresholds(&av, &critical_days, &warning_days) != EXIT_OK) {
+		if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
+			return xit;
+
+		if (*av)
+			get_cert_valid_thresholds(&av, &critical_days, &warning_days);
+	}
+
+        if (*av) {
+                fputs("cert-valid takes arguments [<name> [<type>]] [warn-days,crit-days]",
+                      test_info->errout);
+                return EXIT_UNKNOWN;
+        }
+
+        getdns_dict *response;
+        if ((xit = search(test_info, lookup_name, lookup_type, &response)) != EXIT_OK)
+                return xit;
+
+        if ((xit = check_result(test_info, response)) != EXIT_OK)
+                return xit;
+
+	time_t expire_time;
+        if ((xit = get_report_info(test_info, response, NULL, NULL, &expire_time)) != EXIT_OK)
+                return xit;
+
+	if (expire_time == 0) {
+		fputs("No PKIX certificate", test_info->errout);
+		return EXIT_CRITICAL;
+	}
+
+	if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+		return xit;
+
+	time_t now = time(NULL);
+	int days_to_expiry = (expire_time - now) / 86400;
+
+	if (days_to_expiry < 0) {
+		fprintf(test_info->errout,
+			"Certificate expired %d day%s ago",
+			-days_to_expiry,
+			(days_to_expiry < -1) ? "s" : "");
+		return EXIT_CRITICAL;
+	}
+	if (days_to_expiry == 0) {
+		fputs("Certificate expires today", test_info->errout);
+		return EXIT_CRITICAL;
+	}
+	fprintf(test_info->errout,
+		"Certificate will expire in %d day%s",
+		days_to_expiry,
+		(days_to_expiry > 1) ? "s" : "");
+	if (days_to_expiry <= critical_days) {
+		return EXIT_CRITICAL;
+	}
+	if (days_to_expiry <= warning_days) {
+		return EXIT_WARNING;
+	}
+	return EXIT_OK;
+}
+
 static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
                                             char ** av)
 {
@@ -601,6 +715,7 @@ static struct test_funcs_s
 } TESTS[] =
 {
         { "auth", test_authenticate },
+        { "cert-valid", test_certificate_valid },
         { "qname-min", test_qname_minimisation },
         { NULL, NULL }
 };

From 60118e9241ad26747dc6d74c33f695189b1c5501 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Sat, 13 Jan 2018 14:56:55 +0000
Subject: [PATCH 016/303] Improve cert-valid argument order to most likely
 first.

---
 src/tools/getdns_server_mon.c | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 8a235deb..a2d5bd5e 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -181,7 +181,7 @@ static void usage()
 "                                provided, both must authenticate for this test\n"
 "                                to pass.\n"
 "  qname-min                     Check whether server supports QNAME minimisation\n"
-"  cert-valid [<name> [type]] [warn-days,crit-days]\n"
+"  cert-valid [warn-days,crit-days] [<name> [type]]\n"
 "                                Check server certificate validity, report\n"
 "                                warning or critical if days to expiry at\n"
 "                                or below thresholds (default 14,7).\n"
@@ -203,9 +203,9 @@ static void version()
  ** Functions used by tests.
  **/
 
-static exit_value_t get_cert_valid_thresholds(char ***av,
-					      int *critical_days,
-					      int *warning_days)
+static void get_cert_valid_thresholds(char ***av,
+				      int *critical_days,
+				      int *warning_days)
 {
 	*critical_days = CERT_EXPIRY_CRITICAL_DAYS;
 	*warning_days = CERT_EXPIRY_WARNING_DAYS;
@@ -213,7 +213,7 @@ static exit_value_t get_cert_valid_thresholds(char ***av,
 	if (**av) {
 		char *comma = strchr(**av, ',');
 		if (!comma)
-			return EXIT_UNKNOWN;
+			return;
 
 		char *end;
 		long w,c;
@@ -224,7 +224,7 @@ static exit_value_t get_cert_valid_thresholds(char ***av,
 		 * properly formatted thresholds arg. Pass over it.
 		 */
 		if (end != comma)
-			return EXIT_UNKNOWN;
+			return;
 
 		/*
 		 * Similarly, if the number doesn't end at the end of the
@@ -232,16 +232,16 @@ static exit_value_t get_cert_valid_thresholds(char ***av,
 		 */
 		w = strtol(comma + 1, &end, 10);
 		if (*end != '\0')
-			return EXIT_UNKNOWN;
+			return;
 
 		/* Got two numbers, so consume the argument. */
 		*critical_days = (int) c;
 		*warning_days = (int) w;
 		++*av;
-		return EXIT_OK;
+		return;
 	}
 
-	return EXIT_UNKNOWN;
+	return;
 }
 
 static exit_value_t get_name_type_args(const struct test_info_s *test_info,
@@ -566,17 +566,13 @@ static exit_value_t test_certificate_valid(const struct test_info_s *test_info,
 	int warning_days;
 	int critical_days;
 
-	/* Is first arg the threshold? */
-	if (get_cert_valid_thresholds(&av, &critical_days, &warning_days) != EXIT_OK) {
-		if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
-			return xit;
+	get_cert_valid_thresholds(&av, &critical_days, &warning_days);
 
-		if (*av)
-			get_cert_valid_thresholds(&av, &critical_days, &warning_days);
-	}
+	if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
+		return xit;
 
         if (*av) {
-                fputs("cert-valid takes arguments [<name> [<type>]] [warn-days,crit-days]",
+                fputs("cert-valid takes arguments [warn-days,crit-days] [<name> [<type>]]",
                       test_info->errout);
                 return EXIT_UNKNOWN;
         }

From 379662a3f3e3ba29bdba2777ffc294375a189928 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Sun, 14 Jan 2018 13:41:44 +0000
Subject: [PATCH 017/303] Add plain lookup test.

---
 src/tools/getdns_server_mon.c | 37 ++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index a2d5bd5e..0baba280 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -161,7 +161,7 @@ static void usage()
 "Usage: " APP_NAME " [-MEr] @upstream testname [<name>] [<type>]\n"
 "  -M|--monitoring               Make output suitable for monitoring tools\n"
 "  -E|--fail-on-dns-errors       Fail on DNS error (NXDOMAIN, SERVFAIL)\n"
-"  -T|--tls     		 Use TLS transport\n"
+"  -T|--tls                      Use TLS transport\n"
 "  -S|--strict-usage-profile     Use strict profile (require authentication)\n"
 "  -K|--spki-pin <spki-pin>      SPKI pin for TLS connections (can repeat)\n"
 "  -v|--verbose                  Increase output verbosity\n"
@@ -176,6 +176,7 @@ static void usage()
 "tsig spec: [<algorithm>:]<name>:<secret in Base64>\n"
 "\n"
 "Tests:\n"
+"  lookup [<name> [<type>]]      Check lookup on server\n"
 "  auth [<name> [<type>]]        Check authentication of TLS server\n"
 "                                If both a SPKI pin and authentication name are\n"
 "                                provided, both must authenticate for this test\n"
@@ -518,6 +519,39 @@ static exit_value_t check_answer_type(const struct test_info_s *test_info,
  ** Test routines.
  **/
 
+static exit_value_t test_lookup(const struct test_info_s *test_info,
+				char ** av)
+{
+	const char *lookup_name = DEFAULT_LOOKUP_NAME;
+	uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
+	exit_value_t xit;
+
+	if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
+		return xit;
+
+        if (*av) {
+                fputs("lookup takes arguments [<name> [<type>]]",
+                      test_info->errout);
+                return EXIT_UNKNOWN;
+        }
+
+        getdns_dict *response;
+        if ((xit = search(test_info, lookup_name, lookup_type, &response)) != EXIT_OK)
+                return xit;
+
+        if ((xit = check_result(test_info, response)) != EXIT_OK)
+                return xit;
+
+        if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
+                return xit;
+
+	if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+		return xit;
+
+	fputs("lookup succeeded", test_info->errout);
+	return EXIT_OK;
+}
+
 static exit_value_t test_authenticate(const struct test_info_s *test_info,
 				      char ** av)
 {
@@ -710,6 +744,7 @@ static struct test_funcs_s
         exit_value_t (*func)(const struct test_info_s *test_info, char **av);
 } TESTS[] =
 {
+        { "lookup", test_lookup },
         { "auth", test_authenticate },
         { "cert-valid", test_certificate_valid },
         { "qname-min", test_qname_minimisation },

From 3258fdfd5aae043d4b19bcd534ecaffd3890705c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Sun, 14 Jan 2018 23:28:55 +0000
Subject: [PATCH 018/303] Tabs? Spaces? Currently both, switch to spaces only.

---
 src/tools/getdns_server_mon.c | 436 +++++++++++++++++-----------------
 1 file changed, 218 insertions(+), 218 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 0baba280..40ffbe9b 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -205,70 +205,70 @@ static void version()
  **/
 
 static void get_cert_valid_thresholds(char ***av,
-				      int *critical_days,
-				      int *warning_days)
+                                      int *critical_days,
+                                      int *warning_days)
 {
-	*critical_days = CERT_EXPIRY_CRITICAL_DAYS;
-	*warning_days = CERT_EXPIRY_WARNING_DAYS;
+        *critical_days = CERT_EXPIRY_CRITICAL_DAYS;
+        *warning_days = CERT_EXPIRY_WARNING_DAYS;
 
-	if (**av) {
-		char *comma = strchr(**av, ',');
-		if (!comma)
-			return;
+        if (**av) {
+                char *comma = strchr(**av, ',');
+                if (!comma)
+                        return;
 
-		char *end;
-		long w,c;
+                char *end;
+                long w,c;
 
-		c = strtol(**av, &end, 10);
-		/*
-		 * If the number doesn't end at a comma, this isn't a
-		 * properly formatted thresholds arg. Pass over it.
-		 */
-		if (end != comma)
-			return;
+                c = strtol(**av, &end, 10);
+                /*
+                 * If the number doesn't end at a comma, this isn't a
+                 * properly formatted thresholds arg. Pass over it.
+                 */
+                if (end != comma)
+                        return;
 
-		/*
-		 * Similarly, if the number doesn't end at the end of the
-		 * argument, this isn't a properly formatted arg.
-		 */
-		w = strtol(comma + 1, &end, 10);
-		if (*end != '\0')
-			return;
+                /*
+                 * Similarly, if the number doesn't end at the end of the
+                 * argument, this isn't a properly formatted arg.
+                 */
+                w = strtol(comma + 1, &end, 10);
+                if (*end != '\0')
+                        return;
 
-		/* Got two numbers, so consume the argument. */
-		*critical_days = (int) c;
-		*warning_days = (int) w;
-		++*av;
-		return;
-	}
+                /* Got two numbers, so consume the argument. */
+                *critical_days = (int) c;
+                *warning_days = (int) w;
+                ++*av;
+                return;
+        }
 
-	return;
+        return;
 }
 
 static exit_value_t get_name_type_args(const struct test_info_s *test_info,
-				       char ***av,
-				       const char **lookup_name,
-				       uint32_t *lookup_type)
+                                       char ***av,
+                                       const char **lookup_name,
+                                       uint32_t *lookup_type)
 {
-	if (**av) {
-		if (strlen(**av) > 0) {
-			*lookup_name = **av;
-		} else {
-			fputs("Empty name not valid", test_info->errout);
-			return EXIT_UNKNOWN;
-		}
-		++*av;
+        if (**av) {
+                if (strlen(**av) > 0) {
+                        *lookup_name = **av;
+                } else {
+                        fputs("Empty name not valid", test_info->errout);
+                        return EXIT_UNKNOWN;
+                }
+                ++*av;
 
-		if (**av) {
-			int rrtype = get_rrtype(**av);
-			if (rrtype >= 0) {
-				*lookup_type = (uint32_t) rrtype;
-				++*av;
-			}
-		}
-	}
+                if (**av) {
+                        int rrtype = get_rrtype(**av);
+                        if (rrtype >= 0) {
+                                *lookup_type = (uint32_t) rrtype;
+                                ++*av;
+                        }
+                }
+        }
 
-	return EXIT_OK;
+        return EXIT_OK;
 }
 
 static exit_value_t search(const struct test_info_s *test_info,
@@ -445,73 +445,73 @@ static exit_value_t get_report_info(const struct test_info_s *test_info,
 }
 
 static exit_value_t get_answers(const struct test_info_s *test_info,
-				const getdns_dict *response,
-				getdns_list **answers,
-				size_t *no_answers)
+                                const getdns_dict *response,
+                                getdns_list **answers,
+                                size_t *no_answers)
 {
-	getdns_return_t ret;
+        getdns_return_t ret;
 
-	if ((ret = getdns_dict_get_list(response, "/replies_tree/0/answer", answers)) != GETDNS_RETURN_GOOD) {
+        if ((ret = getdns_dict_get_list(response, "/replies_tree/0/answer", answers)) != GETDNS_RETURN_GOOD) {
                 fprintf(test_info->errout,
                         "Cannot get answers: %s (%d)",
                         getdns_get_errorstr_by_id(ret),
                         ret);
                 return EXIT_UNKNOWN;
-	}
+        }
 
-	if ((ret = getdns_list_get_length(*answers, no_answers)) != GETDNS_RETURN_GOOD) {
+        if ((ret = getdns_list_get_length(*answers, no_answers)) != GETDNS_RETURN_GOOD) {
                 fprintf(test_info->errout,
                         "Cannot get number of answers: %s (%d)",
                         getdns_get_errorstr_by_id(ret),
                         ret);
                 return EXIT_UNKNOWN;
-	}
-	if (*no_answers <= 0) {
-		fputs("Got zero answers", test_info->errout);
-		return EXIT_WARNING;
-	}
+        }
+        if (*no_answers <= 0) {
+                fputs("Got zero answers", test_info->errout);
+                return EXIT_WARNING;
+        }
 
-	return EXIT_OK;
+        return EXIT_OK;
 }
 
 static exit_value_t check_answer_type(const struct test_info_s *test_info,
-				      const getdns_dict *response,
-				      uint32_t rrtype)
+                                      const getdns_dict *response,
+                                      uint32_t rrtype)
 {
-	getdns_list *answers;
-	size_t no_answers;
-	exit_value_t xit;
+        getdns_list *answers;
+        size_t no_answers;
+        exit_value_t xit;
 
-	if ((xit = get_answers(test_info, response, &answers, &no_answers)) != EXIT_OK)
-		return xit;
+        if ((xit = get_answers(test_info, response, &answers, &no_answers)) != EXIT_OK)
+                return xit;
 
-	for (size_t i = 0; i < no_answers; ++i) {
-		getdns_dict *answer;
-		getdns_return_t ret;
+        for (size_t i = 0; i < no_answers; ++i) {
+                getdns_dict *answer;
+                getdns_return_t ret;
 
-		if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
-			fprintf(test_info->errout,
-				"Cannot get answer number %zu: %s (%d)",
-				i,
-				getdns_get_errorstr_by_id(ret),
-				ret);
-			return EXIT_UNKNOWN;
-		}
+                if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info->errout,
+                                "Cannot get answer number %zu: %s (%d)",
+                                i,
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
+                }
 
-		uint32_t rtype;
+                uint32_t rtype;
 
-		if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
-			fprintf(test_info->errout,
-				"Cannot get answer type: %s (%d)",
-				getdns_get_errorstr_by_id(ret),
-				ret);
-			return EXIT_UNKNOWN;
-		}
-		if (rtype == rrtype)
-			return EXIT_OK;
-	}
+                if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info->errout,
+                                "Cannot get answer type: %s (%d)",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
+                }
+                if (rtype == rrtype)
+                        return EXIT_OK;
+        }
 
-	fputs("Answer does not contain expected type", test_info->errout);
+        fputs("Answer does not contain expected type", test_info->errout);
         return EXIT_UNKNOWN;
 }
 
@@ -520,14 +520,14 @@ static exit_value_t check_answer_type(const struct test_info_s *test_info,
  **/
 
 static exit_value_t test_lookup(const struct test_info_s *test_info,
-				char ** av)
+                                char ** av)
 {
-	const char *lookup_name = DEFAULT_LOOKUP_NAME;
-	uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
-	exit_value_t xit;
+        const char *lookup_name = DEFAULT_LOOKUP_NAME;
+        uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
+        exit_value_t xit;
 
-	if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
-		return xit;
+        if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
+                return xit;
 
         if (*av) {
                 fputs("lookup takes arguments [<name> [<type>]]",
@@ -545,22 +545,22 @@ static exit_value_t test_lookup(const struct test_info_s *test_info,
         if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
                 return xit;
 
-	if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
-		return xit;
+        if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+                return xit;
 
-	fputs("lookup succeeded", test_info->errout);
-	return EXIT_OK;
+        fputs("lookup succeeded", test_info->errout);
+        return EXIT_OK;
 }
 
 static exit_value_t test_authenticate(const struct test_info_s *test_info,
-				      char ** av)
+                                      char ** av)
 {
-	const char *lookup_name = DEFAULT_LOOKUP_NAME;
-	uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
-	exit_value_t xit;
+        const char *lookup_name = DEFAULT_LOOKUP_NAME;
+        uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
+        exit_value_t xit;
 
-	if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
-		return xit;
+        if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
+                return xit;
 
         if (*av) {
                 fputs("auth takes arguments [<name> [<type>]]",
@@ -575,35 +575,35 @@ static exit_value_t test_authenticate(const struct test_info_s *test_info,
         if ((xit = check_result(test_info, response)) != EXIT_OK)
                 return xit;
 
-	getdns_bindata *auth_status;
+        getdns_bindata *auth_status;
         if ((xit = get_report_info(test_info, response, NULL, &auth_status, NULL)) != EXIT_OK)
                 return xit;
 
-	if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
-		return xit;
+        if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+                return xit;
 
-	if (!auth_status || strcmp((char *) auth_status->data, "Success") != 0) {
-		fputs("Authentication failed", test_info->errout);
-		return EXIT_CRITICAL;
-	} else {
-		fputs("Authentication succeeded", test_info->errout);
-		return EXIT_OK;
-	}
+        if (!auth_status || strcmp((char *) auth_status->data, "Success") != 0) {
+                fputs("Authentication failed", test_info->errout);
+                return EXIT_CRITICAL;
+        } else {
+                fputs("Authentication succeeded", test_info->errout);
+                return EXIT_OK;
+        }
 }
 
 static exit_value_t test_certificate_valid(const struct test_info_s *test_info,
-					   char **av)
+                                           char **av)
 {
-	const char *lookup_name = DEFAULT_LOOKUP_NAME;
-	uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
-	exit_value_t xit;
-	int warning_days;
-	int critical_days;
+        const char *lookup_name = DEFAULT_LOOKUP_NAME;
+        uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
+        exit_value_t xit;
+        int warning_days;
+        int critical_days;
 
-	get_cert_valid_thresholds(&av, &critical_days, &warning_days);
+        get_cert_valid_thresholds(&av, &critical_days, &warning_days);
 
-	if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
-		return xit;
+        if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
+                return xit;
 
         if (*av) {
                 fputs("cert-valid takes arguments [warn-days,crit-days] [<name> [<type>]]",
@@ -618,43 +618,43 @@ static exit_value_t test_certificate_valid(const struct test_info_s *test_info,
         if ((xit = check_result(test_info, response)) != EXIT_OK)
                 return xit;
 
-	time_t expire_time;
+        time_t expire_time;
         if ((xit = get_report_info(test_info, response, NULL, NULL, &expire_time)) != EXIT_OK)
                 return xit;
 
-	if (expire_time == 0) {
-		fputs("No PKIX certificate", test_info->errout);
-		return EXIT_CRITICAL;
-	}
+        if (expire_time == 0) {
+                fputs("No PKIX certificate", test_info->errout);
+                return EXIT_CRITICAL;
+        }
 
-	if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
-		return xit;
+        if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+                return xit;
 
-	time_t now = time(NULL);
-	int days_to_expiry = (expire_time - now) / 86400;
+        time_t now = time(NULL);
+        int days_to_expiry = (expire_time - now) / 86400;
 
-	if (days_to_expiry < 0) {
-		fprintf(test_info->errout,
-			"Certificate expired %d day%s ago",
-			-days_to_expiry,
-			(days_to_expiry < -1) ? "s" : "");
-		return EXIT_CRITICAL;
-	}
-	if (days_to_expiry == 0) {
-		fputs("Certificate expires today", test_info->errout);
-		return EXIT_CRITICAL;
-	}
-	fprintf(test_info->errout,
-		"Certificate will expire in %d day%s",
-		days_to_expiry,
-		(days_to_expiry > 1) ? "s" : "");
-	if (days_to_expiry <= critical_days) {
-		return EXIT_CRITICAL;
-	}
-	if (days_to_expiry <= warning_days) {
-		return EXIT_WARNING;
-	}
-	return EXIT_OK;
+        if (days_to_expiry < 0) {
+                fprintf(test_info->errout,
+                        "Certificate expired %d day%s ago",
+                        -days_to_expiry,
+                        (days_to_expiry < -1) ? "s" : "");
+                return EXIT_CRITICAL;
+        }
+        if (days_to_expiry == 0) {
+                fputs("Certificate expires today", test_info->errout);
+                return EXIT_CRITICAL;
+        }
+        fprintf(test_info->errout,
+                "Certificate will expire in %d day%s",
+                days_to_expiry,
+                (days_to_expiry > 1) ? "s" : "");
+        if (days_to_expiry <= critical_days) {
+                return EXIT_CRITICAL;
+        }
+        if (days_to_expiry <= warning_days) {
+                return EXIT_WARNING;
+        }
+        return EXIT_OK;
 }
 
 static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
@@ -680,61 +680,61 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
         if (xit != EXIT_OK)
                 return xit;
 
-	getdns_list *answers;
-	size_t no_answers;
+        getdns_list *answers;
+        size_t no_answers;
 
-	if ((xit = get_answers(test_info, response, &answers, &no_answers)) != EXIT_OK)
-		return xit;
+        if ((xit = get_answers(test_info, response, &answers, &no_answers)) != EXIT_OK)
+                return xit;
 
-	for (size_t i = 0; i < no_answers; ++i) {
-		getdns_dict *answer;
-		getdns_return_t ret;
+        for (size_t i = 0; i < no_answers; ++i) {
+                getdns_dict *answer;
+                getdns_return_t ret;
 
-		if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
-			fprintf(test_info->errout,
-				"Cannot get answer number %zu: %s (%d)",
-				i,
-				getdns_get_errorstr_by_id(ret),
-				ret);
-			return EXIT_UNKNOWN;
-		}
+                if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info->errout,
+                                "Cannot get answer number %zu: %s (%d)",
+                                i,
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
+                }
 
-		uint32_t rtype;
+                uint32_t rtype;
 
-		if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
-			fprintf(test_info->errout,
-				"Cannot get answer type: %s (%d)",
-				getdns_get_errorstr_by_id(ret),
-				ret);
-			return EXIT_UNKNOWN;
-		}
-		if (rtype != GETDNS_RRTYPE_TXT)
-			continue;
+                if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info->errout,
+                                "Cannot get answer type: %s (%d)",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
+                }
+                if (rtype != GETDNS_RRTYPE_TXT)
+                        continue;
 
-		getdns_bindata *rtxt;
-		if ((ret = getdns_dict_get_bindata(answer, "/rdata/txt_strings/0", &rtxt)) != GETDNS_RETURN_GOOD) {
-			fputs("No answer text", test_info->errout);
-			return EXIT_WARNING;
-		}
+                getdns_bindata *rtxt;
+                if ((ret = getdns_dict_get_bindata(answer, "/rdata/txt_strings/0", &rtxt)) != GETDNS_RETURN_GOOD) {
+                        fputs("No answer text", test_info->errout);
+                        return EXIT_WARNING;
+                }
 
-		if (rtxt->size > 0 ) {
-			switch(rtxt->data[0]) {
-			case 'H':
-				fputs("QNAME minimisation ON", test_info->errout);
-				return EXIT_OK;
+                if (rtxt->size > 0 ) {
+                        switch(rtxt->data[0]) {
+                        case 'H':
+                                fputs("QNAME minimisation ON", test_info->errout);
+                                return EXIT_OK;
 
-			case 'N':
-				fputs("QNAME minimisation OFF", test_info->errout);
-				return EXIT_WARNING;
+                        case 'N':
+                                fputs("QNAME minimisation OFF", test_info->errout);
+                                return EXIT_WARNING;
 
-			default:
-				/* Unrecognised message. */
-				break;
-			}
-		}
-	}
+                        default:
+                                /* Unrecognised message. */
+                                break;
+                        }
+                }
+        }
 
-	fputs("No valid QNAME minimisation data", test_info->errout);
+        fputs("No valid QNAME minimisation data", test_info->errout);
         return EXIT_UNKNOWN;
 }
 
@@ -757,7 +757,7 @@ int main(int ATTR_UNUSED(ac), char *av[])
         getdns_list *pinset = NULL;
         size_t pinset_size = 0;
         bool strict_usage_profile = false;
-	bool use_tls = false;
+        bool use_tls = false;
 
         test_info.errout = stderr;
         atexit(exit_tidy);
@@ -783,7 +783,7 @@ int main(int ATTR_UNUSED(ac), char *av[])
                 } else if (strcmp(*av, "-S") == 0 ||
                            strcmp(*av, "--strict-usage-profile") == 0 ) {
                         strict_usage_profile = true;
-			use_tls = true;
+                        use_tls = true;
                 } else if (strcmp(*av, "-K") == 0 ||
                            strcmp(*av, "--spki-pin") == 0 ) {
                         ++av;
@@ -816,7 +816,7 @@ int main(int ATTR_UNUSED(ac), char *av[])
                                 exit(EXIT_UNKNOWN);
 
                         }
-			use_tls = true;
+                        use_tls = true;
                 } else if (strcmp(*av, "-v") == 0 ||
                            strcmp(*av, "--verbose") == 0) {
                         ++test_info.verbosity;
@@ -903,16 +903,16 @@ int main(int ATTR_UNUSED(ac), char *av[])
         }
 
         /* Set other context parameters. */
-	if (use_tls) {
-		getdns_transport_list_t t[] = { GETDNS_TRANSPORT_TLS };
-		if ((ret = getdns_context_set_dns_transport_list(test_info.context, 1, t)) != GETDNS_RETURN_GOOD) {
-			fprintf(test_info.errout,
-				"Unable to set TLS transport: %s (%d)\n",
-				getdns_get_errorstr_by_id(ret),
-				ret);
-			exit(EXIT_UNKNOWN);
-		}
-	}
+        if (use_tls) {
+                getdns_transport_list_t t[] = { GETDNS_TRANSPORT_TLS };
+                if ((ret = getdns_context_set_dns_transport_list(test_info.context, 1, t)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info.errout,
+                                "Unable to set TLS transport: %s (%d)\n",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        exit(EXIT_UNKNOWN);
+                }
+        }
 
         if (strict_usage_profile) {
                 ret = getdns_context_set_tls_authentication(test_info.context, GETDNS_AUTHENTICATION_REQUIRED);

From b9312e790f82c88fa6a3860b50b1102e9ff739e7 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 10:01:01 +0000
Subject: [PATCH 019/303] Correct certificate expiry custom threshold handling.

---
 src/tools/getdns_server_mon.c | 33 +++++++++++++++------------------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 40ffbe9b..bc49608e 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -204,13 +204,10 @@ static void version()
  ** Functions used by tests.
  **/
 
-static void get_cert_valid_thresholds(char ***av,
-                                      int *critical_days,
-                                      int *warning_days)
+static void get_thresholds(char ***av,
+                           int *critical,
+                           int *warning)
 {
-        *critical_days = CERT_EXPIRY_CRITICAL_DAYS;
-        *warning_days = CERT_EXPIRY_WARNING_DAYS;
-
         if (**av) {
                 char *comma = strchr(**av, ',');
                 if (!comma)
@@ -219,7 +216,7 @@ static void get_cert_valid_thresholds(char ***av,
                 char *end;
                 long w,c;
 
-                c = strtol(**av, &end, 10);
+                w = strtol(**av, &end, 10);
                 /*
                  * If the number doesn't end at a comma, this isn't a
                  * properly formatted thresholds arg. Pass over it.
@@ -231,13 +228,13 @@ static void get_cert_valid_thresholds(char ***av,
                  * Similarly, if the number doesn't end at the end of the
                  * argument, this isn't a properly formatted arg.
                  */
-                w = strtol(comma + 1, &end, 10);
+                c = strtol(comma + 1, &end, 10);
                 if (*end != '\0')
                         return;
 
                 /* Got two numbers, so consume the argument. */
-                *critical_days = (int) c;
-                *warning_days = (int) w;
+                *critical = (int) c;
+                *warning = (int) w;
                 ++*av;
                 return;
         }
@@ -597,10 +594,10 @@ static exit_value_t test_certificate_valid(const struct test_info_s *test_info,
         const char *lookup_name = DEFAULT_LOOKUP_NAME;
         uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
         exit_value_t xit;
-        int warning_days;
-        int critical_days;
+        int warning_days = CERT_EXPIRY_WARNING_DAYS;
+        int critical_days = CERT_EXPIRY_CRITICAL_DAYS;
 
-        get_cert_valid_thresholds(&av, &critical_days, &warning_days);
+        get_thresholds(&av, &critical_days, &warning_days);
 
         if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
                 return xit;
@@ -642,12 +639,12 @@ static exit_value_t test_certificate_valid(const struct test_info_s *test_info,
         }
         if (days_to_expiry == 0) {
                 fputs("Certificate expires today", test_info->errout);
-                return EXIT_CRITICAL;
+        } else {
+                fprintf(test_info->errout,
+                        "Certificate will expire in %d day%s",
+                        days_to_expiry,
+                        (days_to_expiry > 1) ? "s" : "");
         }
-        fprintf(test_info->errout,
-                "Certificate will expire in %d day%s",
-                days_to_expiry,
-                (days_to_expiry > 1) ? "s" : "");
         if (days_to_expiry <= critical_days) {
                 return EXIT_CRITICAL;
         }

From 5d4bc8bc96b4b12c9e679049d17296bd69c9c853 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 10:16:26 +0000
Subject: [PATCH 020/303] Add rtt test.

---
 src/tools/getdns_server_mon.c | 49 +++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index bc49608e..36666ac9 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -46,6 +46,9 @@
 
 #define APP_NAME "getdns_server_mon"
 
+#define RTT_CRITICAL_MS                 250
+#define RTT_WARNING_MS                  500
+
 #define CERT_EXPIRY_CRITICAL_DAYS       7
 #define CERT_EXPIRY_WARNING_DAYS        14
 
@@ -177,6 +180,8 @@ static void usage()
 "\n"
 "Tests:\n"
 "  lookup [<name> [<type>]]      Check lookup on server\n"
+"  rtt [warn-ms,crit-ms] [<name> [<type>]]\n"
+"                                Check server round trip time (default 500,250)\n"
 "  auth [<name> [<type>]]        Check authentication of TLS server\n"
 "                                If both a SPKI pin and authentication name are\n"
 "                                provided, both must authenticate for this test\n"
@@ -549,6 +554,49 @@ static exit_value_t test_lookup(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
+static exit_value_t test_rtt(const struct test_info_s *test_info,
+                             char ** av)
+{
+        const char *lookup_name = DEFAULT_LOOKUP_NAME;
+        uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
+        exit_value_t xit;
+        int critical_ms = RTT_CRITICAL_MS;
+        int warning_ms = RTT_WARNING_MS;
+        uint32_t rtt_val;
+
+        get_thresholds(&av, &critical_ms, &warning_ms);
+
+        if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
+                return xit;
+
+        if (*av) {
+                fputs("lookup takes arguments [<name> [<type>]]",
+                      test_info->errout);
+                return EXIT_UNKNOWN;
+        }
+
+        getdns_dict *response;
+        if ((xit = search(test_info, lookup_name, lookup_type, &response)) != EXIT_OK)
+                return xit;
+
+        if ((xit = check_result(test_info, response)) != EXIT_OK)
+                return xit;
+
+        if ((xit = get_report_info(test_info, response, &rtt_val, NULL, NULL)) != EXIT_OK)
+                return xit;
+
+        if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+                return xit;
+
+        fputs("lookup succeeded", test_info->errout);
+
+        if ((int) rtt_val > critical_ms)
+                return EXIT_CRITICAL;
+        else if ((int) rtt_val > warning_ms)
+                return EXIT_WARNING;
+        return EXIT_OK;
+}
+
 static exit_value_t test_authenticate(const struct test_info_s *test_info,
                                       char ** av)
 {
@@ -742,6 +790,7 @@ static struct test_funcs_s
 } TESTS[] =
 {
         { "lookup", test_lookup },
+        { "rtt", test_rtt },
         { "auth", test_authenticate },
         { "cert-valid", test_certificate_valid },
         { "qname-min", test_qname_minimisation },

From c0d7d2c27916497022098e58a0f02e655c792191 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 10:21:39 +0000
Subject: [PATCH 021/303] Print exit status at end of main output line.

---
 src/tools/getdns_server_mon.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 36666ac9..3275a3b1 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -983,6 +983,24 @@ int main(int ATTR_UNUSED(ac), char *av[])
              ++f) {
                 if (strcmp(testname, f->name) == 0) {
                         exit_value_t xit = f->func(&test_info, av);
+                        switch(xit) {
+                        case 0:
+                                fputs(" OK", test_info.errout);
+                                break;
+
+                        case 1:
+                                fputs(" WARNING", test_info.errout);
+                                break;
+
+                        case 2:
+                                fputs(" CRITICAL", test_info.errout);
+                                break;
+
+                        default:
+                                fputs(" UNKNOWN", test_info.errout);
+                                break;
+
+                        }
                         fputc('\n', test_info.errout);
                         exit(xit);
                 }

From 22996bf07d4c20eefa9c97cc9c6added2941332c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 11:00:12 +0000
Subject: [PATCH 022/303] If TLS auth name given, lookup is to go over TLS.

---
 src/tools/getdns_server_mon.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 3275a3b1..e68651c4 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -889,6 +889,12 @@ int main(int ATTR_UNUSED(ac), char *av[])
                         ret);
                 exit(EXIT_UNKNOWN);
         }
+
+        /* If the resolver info include TLS auth name, use TLS. */
+        getdns_bindata *tls_auth_name;
+        if (getdns_dict_get_bindata(resolver, "tls_auth_name", &tls_auth_name) == GETDNS_RETURN_GOOD)
+                use_tls = true;
+
         if ((ret = getdns_dict_get_bindata(resolver, "address_data", &address)) != GETDNS_RETURN_GOOD) {
                 fprintf(test_info.errout,
                         "\"%s\" did not translate to an IP dict: %s (%d)\n",

From 77a5a15cdf687b8070f0389cfe12ef5173924216 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 11:00:38 +0000
Subject: [PATCH 023/303] Minor output corrections.

---
 src/tools/getdns_server_mon.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index e68651c4..8be35aff 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -550,7 +550,7 @@ static exit_value_t test_lookup(const struct test_info_s *test_info,
         if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
                 return xit;
 
-        fputs("lookup succeeded", test_info->errout);
+        fputs("Lookup succeeded", test_info->errout);
         return EXIT_OK;
 }
 
@@ -570,7 +570,7 @@ static exit_value_t test_rtt(const struct test_info_s *test_info,
                 return xit;
 
         if (*av) {
-                fputs("lookup takes arguments [<name> [<type>]]",
+                fputs("rtt takes arguments [warn-ms,crit-ms] [<name> [<type>]]",
                       test_info->errout);
                 return EXIT_UNKNOWN;
         }
@@ -588,7 +588,7 @@ static exit_value_t test_rtt(const struct test_info_s *test_info,
         if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
                 return xit;
 
-        fputs("lookup succeeded", test_info->errout);
+        fputs("RTT lookup succeeded", test_info->errout);
 
         if ((int) rtt_val > critical_ms)
                 return EXIT_CRITICAL;

From cb7af3348890712847960f27b6c896c3f72e9f3c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 11:28:11 +0000
Subject: [PATCH 024/303] Some tests imply TLS. Explicitly make sure these
 always go over TLS.

---
 src/tools/getdns_server_mon.c | 88 ++++++++++++++++++-----------------
 1 file changed, 46 insertions(+), 42 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 8be35aff..7dc59b17 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -786,15 +786,16 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
 static struct test_funcs_s
 {
         const char *name;
+        bool implies_tls;
         exit_value_t (*func)(const struct test_info_s *test_info, char **av);
 } TESTS[] =
 {
-        { "lookup", test_lookup },
-        { "rtt", test_rtt },
-        { "auth", test_authenticate },
-        { "cert-valid", test_certificate_valid },
-        { "qname-min", test_qname_minimisation },
-        { NULL, NULL }
+        { "lookup", false, test_lookup },
+        { "rtt", false, test_rtt },
+        { "auth", true, test_authenticate },
+        { "cert-valid", true, test_certificate_valid },
+        { "qname-min", false, test_qname_minimisation },
+        { NULL, false, NULL }
 };
 
 int main(int ATTR_UNUSED(ac), char *av[])
@@ -955,17 +956,6 @@ int main(int ATTR_UNUSED(ac), char *av[])
         }
 
         /* Set other context parameters. */
-        if (use_tls) {
-                getdns_transport_list_t t[] = { GETDNS_TRANSPORT_TLS };
-                if ((ret = getdns_context_set_dns_transport_list(test_info.context, 1, t)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info.errout,
-                                "Unable to set TLS transport: %s (%d)\n",
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
-                        exit(EXIT_UNKNOWN);
-                }
-        }
-
         if (strict_usage_profile) {
                 ret = getdns_context_set_tls_authentication(test_info.context, GETDNS_AUTHENTICATION_REQUIRED);
                 if (ret != GETDNS_RETURN_GOOD) {
@@ -984,33 +974,47 @@ int main(int ATTR_UNUSED(ac), char *av[])
                 usage();
         ++av;
 
-        for (const struct test_funcs_s *f = TESTS;
-             f->name != NULL;
-             ++f) {
-                if (strcmp(testname, f->name) == 0) {
-                        exit_value_t xit = f->func(&test_info, av);
-                        switch(xit) {
-                        case 0:
-                                fputs(" OK", test_info.errout);
-                                break;
+        const struct test_funcs_s *f;
+        for (f = TESTS; f->name != NULL; ++f) {
+                if (strcmp(testname, f->name) == 0)
+                        break;
+        }
 
-                        case 1:
-                                fputs(" WARNING", test_info.errout);
-                                break;
+        if (f->name == NULL) {
+                fprintf(test_info.errout, "Unknown test %s\n", testname);
+                exit(EXIT_UNKNOWN);
+        }
 
-                        case 2:
-                                fputs(" CRITICAL", test_info.errout);
-                                break;
-
-                        default:
-                                fputs(" UNKNOWN", test_info.errout);
-                                break;
-
-                        }
-                        fputc('\n', test_info.errout);
-                        exit(xit);
+        if (use_tls || f->implies_tls) {
+                getdns_transport_list_t t[] = { GETDNS_TRANSPORT_TLS };
+                if ((ret = getdns_context_set_dns_transport_list(test_info.context, 1, t)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info.errout,
+                                "Unable to set TLS transport: %s (%d)\n",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        exit(EXIT_UNKNOWN);
                 }
         }
-        fprintf(test_info.errout, "Unknown test %s\n", testname);
-        exit(EXIT_UNKNOWN);
+
+        exit_value_t xit = f->func(&test_info, av);
+        switch(xit) {
+        case 0:
+                fputs(" OK", test_info.errout);
+                break;
+
+        case 1:
+                fputs(" WARNING", test_info.errout);
+                break;
+
+        case 2:
+                fputs(" CRITICAL", test_info.errout);
+                break;
+
+        default:
+                fputs(" UNKNOWN", test_info.errout);
+                break;
+
+        }
+        fputc('\n', test_info.errout);
+        exit(xit);
 }

From 3298b5cd508f921e89c8f0147622c66252e408e7 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 12:37:57 +0000
Subject: [PATCH 025/303] Extract common processing into search_check() and
 parse_search_check().

---
 src/tools/getdns_server_mon.c | 175 ++++++++++++++++------------------
 1 file changed, 84 insertions(+), 91 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 7dc59b17..ee39f495 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -517,12 +517,41 @@ static exit_value_t check_answer_type(const struct test_info_s *test_info,
         return EXIT_UNKNOWN;
 }
 
-/**
- ** Test routines.
- **/
+static exit_value_t search_check(const struct test_info_s *test_info,
+                                 const char *lookup_name,
+                                 uint16_t lookup_type,
+                                 getdns_dict **response,
+                                 uint32_t *rtt,
+                                 getdns_bindata **auth_status,
+                                 time_t *cert_expire_time)
+{
+        exit_value_t xit;
+        getdns_dict *resp;
 
-static exit_value_t test_lookup(const struct test_info_s *test_info,
-                                char ** av)
+        if ((xit = search(test_info, lookup_name, lookup_type, &resp)) != EXIT_OK)
+                return xit;
+
+        if ((xit = check_result(test_info, resp)) != EXIT_OK)
+                return xit;
+
+        if ((xit = get_report_info(test_info, resp, rtt, auth_status, cert_expire_time)) != EXIT_OK)
+                return xit;
+
+        if ((xit = check_answer_type(test_info, resp, lookup_type)) != EXIT_OK)
+                return xit;
+
+        if (response)
+                *response = resp;
+        return xit;
+}
+
+static exit_value_t parse_search_check(const struct test_info_s *test_info,
+                                       char **av,
+                                       const char *usage,
+                                       getdns_dict **response,
+                                       uint32_t *rtt,
+                                       getdns_bindata **auth_status,
+                                       time_t *cert_expire_time)
 {
         const char *lookup_name = DEFAULT_LOOKUP_NAME;
         uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
@@ -532,22 +561,32 @@ static exit_value_t test_lookup(const struct test_info_s *test_info,
                 return xit;
 
         if (*av) {
-                fputs("lookup takes arguments [<name> [<type>]]",
-                      test_info->errout);
+                fputs(usage, test_info->errout);
                 return EXIT_UNKNOWN;
         }
 
-        getdns_dict *response;
-        if ((xit = search(test_info, lookup_name, lookup_type, &response)) != EXIT_OK)
-                return xit;
+        return search_check(test_info,
+                            lookup_name, lookup_type,
+                            response,
+                            rtt, auth_status, cert_expire_time);
+}
 
-        if ((xit = check_result(test_info, response)) != EXIT_OK)
-                return xit;
+/**
+ ** Test routines.
+ **/
 
-        if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
-                return xit;
+static exit_value_t test_lookup(const struct test_info_s *test_info,
+                                char ** av)
+{
+        exit_value_t xit;
 
-        if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+        if ((xit = parse_search_check(test_info,
+                                      av,
+                                      "lookup takes arguments [<name> [<type>]]",
+                                      NULL,
+                                      NULL,
+                                      NULL,
+                                      NULL)) != EXIT_OK)
                 return xit;
 
         fputs("Lookup succeeded", test_info->errout);
@@ -557,8 +596,6 @@ static exit_value_t test_lookup(const struct test_info_s *test_info,
 static exit_value_t test_rtt(const struct test_info_s *test_info,
                              char ** av)
 {
-        const char *lookup_name = DEFAULT_LOOKUP_NAME;
-        uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
         exit_value_t xit;
         int critical_ms = RTT_CRITICAL_MS;
         int warning_ms = RTT_WARNING_MS;
@@ -566,26 +603,13 @@ static exit_value_t test_rtt(const struct test_info_s *test_info,
 
         get_thresholds(&av, &critical_ms, &warning_ms);
 
-        if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
-                return xit;
-
-        if (*av) {
-                fputs("rtt takes arguments [warn-ms,crit-ms] [<name> [<type>]]",
-                      test_info->errout);
-                return EXIT_UNKNOWN;
-        }
-
-        getdns_dict *response;
-        if ((xit = search(test_info, lookup_name, lookup_type, &response)) != EXIT_OK)
-                return xit;
-
-        if ((xit = check_result(test_info, response)) != EXIT_OK)
-                return xit;
-
-        if ((xit = get_report_info(test_info, response, &rtt_val, NULL, NULL)) != EXIT_OK)
-                return xit;
-
-        if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+        if ((xit = parse_search_check(test_info,
+                                      av,
+                                      "rtt takes arguments [warn-ms,crit-ms] [<name> [<type>]]",
+                                      NULL,
+                                      &rtt_val,
+                                      NULL,
+                                      NULL)) != EXIT_OK)
                 return xit;
 
         fputs("RTT lookup succeeded", test_info->errout);
@@ -600,31 +624,16 @@ static exit_value_t test_rtt(const struct test_info_s *test_info,
 static exit_value_t test_authenticate(const struct test_info_s *test_info,
                                       char ** av)
 {
-        const char *lookup_name = DEFAULT_LOOKUP_NAME;
-        uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
         exit_value_t xit;
-
-        if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
-                return xit;
-
-        if (*av) {
-                fputs("auth takes arguments [<name> [<type>]]",
-                      test_info->errout);
-                return EXIT_UNKNOWN;
-        }
-
-        getdns_dict *response;
-        if ((xit = search(test_info, lookup_name, lookup_type, &response)) != EXIT_OK)
-                return xit;
-
-        if ((xit = check_result(test_info, response)) != EXIT_OK)
-                return xit;
-
         getdns_bindata *auth_status;
-        if ((xit = get_report_info(test_info, response, NULL, &auth_status, NULL)) != EXIT_OK)
-                return xit;
 
-        if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
+        if ((xit = parse_search_check(test_info,
+                                      av,
+                                      "auth takes arguments [<name> [<type>]]",
+                                      NULL,
+                                      NULL,
+                                      &auth_status,
+                                      NULL)) != EXIT_OK)
                 return xit;
 
         if (!auth_status || strcmp((char *) auth_status->data, "Success") != 0) {
@@ -639,42 +648,28 @@ static exit_value_t test_authenticate(const struct test_info_s *test_info,
 static exit_value_t test_certificate_valid(const struct test_info_s *test_info,
                                            char **av)
 {
-        const char *lookup_name = DEFAULT_LOOKUP_NAME;
-        uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
         exit_value_t xit;
         int warning_days = CERT_EXPIRY_WARNING_DAYS;
         int critical_days = CERT_EXPIRY_CRITICAL_DAYS;
+        time_t expire_time;
 
         get_thresholds(&av, &critical_days, &warning_days);
 
-        if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
+        if ((xit = parse_search_check(test_info,
+                                      av,
+                                      "cert-valid takes arguments [warn-days,crit-days] [<name> [<type>]]",
+                                      NULL,
+                                      NULL,
+                                      NULL,
+                                      &expire_time)) != EXIT_OK)
                 return xit;
 
-        if (*av) {
-                fputs("cert-valid takes arguments [warn-days,crit-days] [<name> [<type>]]",
-                      test_info->errout);
-                return EXIT_UNKNOWN;
-        }
-
-        getdns_dict *response;
-        if ((xit = search(test_info, lookup_name, lookup_type, &response)) != EXIT_OK)
-                return xit;
-
-        if ((xit = check_result(test_info, response)) != EXIT_OK)
-                return xit;
-
-        time_t expire_time;
-        if ((xit = get_report_info(test_info, response, NULL, NULL, &expire_time)) != EXIT_OK)
-                return xit;
 
         if (expire_time == 0) {
                 fputs("No PKIX certificate", test_info->errout);
                 return EXIT_CRITICAL;
         }
 
-        if ((xit = check_answer_type(test_info, response, lookup_type)) != EXIT_OK)
-                return xit;
-
         time_t now = time(NULL);
         int days_to_expiry = (expire_time - now) / 86400;
 
@@ -712,17 +707,15 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
         }
 
         getdns_dict *response;
-        exit_value_t xit = search(test_info, "qnamemintest.internet.nl", GETDNS_RRTYPE_TXT, &response);
-        if (xit != EXIT_OK)
-                return xit;
+        exit_value_t xit;
 
-        xit = check_result(test_info, response);
-        if (xit != EXIT_OK)
-                return xit;
-
-        /* Don't need any of this, but do want check and verbosity reporting. */
-        xit = get_report_info(test_info, response, NULL, NULL, NULL);
-        if (xit != EXIT_OK)
+        if ((xit = search_check(test_info,
+                                "qnamemintest.internet.nl",
+                                GETDNS_RRTYPE_TXT,
+                                &response,
+                                NULL,
+                                NULL,
+                                NULL)) != EXIT_OK)
                 return xit;
 
         getdns_list *answers;

From 08b5976f9cc8f6d91c4be27b09d999af763a326f Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 13:19:48 +0000
Subject: [PATCH 026/303] Decouple from getdns config. This is now a pure
 getdns client.

---
 src/tools/getdns_server_mon.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index ee39f495..14882760 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -25,9 +25,6 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include "config.h"
-#include "debug.h"
-
 #include <ctype.h>
 #include <stdbool.h>
 #include <stddef.h>
@@ -200,8 +197,10 @@ static void usage()
 
 static void version()
 {
-        fputs(APP_NAME ": getdns " GETDNS_VERSION " , API " GETDNS_API_VERSION ".\n",
-              test_info.errout);
+        fprintf(test_info.errout,
+                APP_NAME ": getdns version %s, API version '%s'.\n",
+                getdns_get_version(),
+                getdns_get_api_version());
         exit(EXIT_UNKNOWN);
 }
 
@@ -791,7 +790,7 @@ static struct test_funcs_s
         { NULL, false, NULL }
 };
 
-int main(int ATTR_UNUSED(ac), char *av[])
+int main(int ac, char *av[])
 {
         getdns_return_t ret;
         getdns_list *pinset = NULL;
@@ -799,6 +798,8 @@ int main(int ATTR_UNUSED(ac), char *av[])
         bool strict_usage_profile = false;
         bool use_tls = false;
 
+        (void) ac;
+
         test_info.errout = stderr;
         atexit(exit_tidy);
         if ((ret = getdns_context_create(&test_info.context, 1)) != GETDNS_RETURN_GOOD) {

From 3438c68591d4daf376b7a0d2e115cc93ee7ea8ea Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 13:26:09 +0000
Subject: [PATCH 027/303] Prefix TLS-only options with 'tls-'.

---
 src/tools/getdns_server_mon.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 14882760..e21d1ae7 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -179,12 +179,13 @@ static void usage()
 "  lookup [<name> [<type>]]      Check lookup on server\n"
 "  rtt [warn-ms,crit-ms] [<name> [<type>]]\n"
 "                                Check server round trip time (default 500,250)\n"
-"  auth [<name> [<type>]]        Check authentication of TLS server\n"
+"  qname-min                     Check whether server supports QNAME minimisation\n"
+"\n"
+"  tls_auth [<name> [<type>]]    Check authentication of TLS server\n"
 "                                If both a SPKI pin and authentication name are\n"
 "                                provided, both must authenticate for this test\n"
 "                                to pass.\n"
-"  qname-min                     Check whether server supports QNAME minimisation\n"
-"  cert-valid [warn-days,crit-days] [<name> [type]]\n"
+"  tls_cert-valid [warn-days,crit-days] [<name> [type]]\n"
 "                                Check server certificate validity, report\n"
 "                                warning or critical if days to expiry at\n"
 "                                or below thresholds (default 14,7).\n"
@@ -784,9 +785,9 @@ static struct test_funcs_s
 {
         { "lookup", false, test_lookup },
         { "rtt", false, test_rtt },
-        { "auth", true, test_authenticate },
-        { "cert-valid", true, test_certificate_valid },
         { "qname-min", false, test_qname_minimisation },
+        { "tls-auth", true, test_authenticate },
+        { "tls-cert-valid", true, test_certificate_valid },
         { NULL, false, NULL }
 };
 

From 8dc3a84735e43234c1348aa5dbe7229905bc8b78 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 17:42:43 +0000
Subject: [PATCH 028/303] Add options specifying transport.

---
 src/tools/getdns_server_mon.c | 61 ++++++++++++++++++++++++++++++++---
 1 file changed, 57 insertions(+), 4 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index e21d1ae7..1a3bf743 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -406,6 +406,33 @@ static exit_value_t get_report_info(const struct test_info_s *test_info,
                         ret);
                 return EXIT_UNKNOWN;
         }
+        if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
+                uint32_t transport;
+                if ((ret = getdns_dict_get_int(d, "transport", &transport)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info->errout,
+                                "Cannot get transport: %s (%d)",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
+                }
+                switch(transport) {
+                case GETDNS_TRANSPORT_UDP:
+                        fputs("UDP, ", test_info->errout);
+                        break;
+
+                case GETDNS_TRANSPORT_TCP:
+                        fputs("TCP, ", test_info->errout);
+                        break;
+
+                case GETDNS_TRANSPORT_TLS:
+                        fputs("TLS, ", test_info->errout);
+                        break;
+
+                default:
+                        fputs("???, ", test_info->errout);
+                        break;
+                }
+        }
         if ((ret = getdns_dict_get_int(d, "run_time/ms", &rtt_val)) != GETDNS_RETURN_GOOD) {
                 fprintf(test_info->errout,
                         "Cannot get RTT: %s (%d)",
@@ -797,6 +824,8 @@ int main(int ac, char *av[])
         getdns_list *pinset = NULL;
         size_t pinset_size = 0;
         bool strict_usage_profile = false;
+        bool use_udp = false;
+        bool use_tcp = false;
         bool use_tls = false;
 
         (void) ac;
@@ -819,6 +848,12 @@ int main(int ac, char *av[])
                 } else if (strcmp(*av, "-E") == 0 ||
                            strcmp(*av, "--fail-on-dns-errors") == 0) {
                         test_info.fail_on_dns_errors = true;
+                } else if (strcmp(*av, "-u") == 0 ||
+                           strcmp(*av, "--udp") == 0 ) {
+                        use_udp = true;
+                } else if (strcmp(*av, "-t") == 0 ||
+                           strcmp(*av, "--tcp") == 0 ) {
+                        use_tcp = true;
                 } else if (strcmp(*av, "-T") == 0 ||
                            strcmp(*av, "--tls") == 0 ) {
                         use_tls = true;
@@ -980,11 +1015,29 @@ int main(int ac, char *av[])
                 exit(EXIT_UNKNOWN);
         }
 
-        if (use_tls || f->implies_tls) {
-                getdns_transport_list_t t[] = { GETDNS_TRANSPORT_TLS };
-                if ((ret = getdns_context_set_dns_transport_list(test_info.context, 1, t)) != GETDNS_RETURN_GOOD) {
+        if (f->implies_tls) {
+                if (use_udp | use_tcp) {
+                        fputs("Test requires TLS, or TLS authentication specified\n", test_info.errout);
+                        exit(EXIT_UNKNOWN);
+                }
+                use_tls = true;
+        }
+
+        if ((use_tls + use_udp + use_tcp) > 1) {
+                fputs("Specify one only of -u, -t, -T\n", test_info.errout);
+                exit(EXIT_UNKNOWN);
+        }
+
+        if (use_tls || use_udp || use_tcp) {
+                getdns_transport_list_t udp[] = { GETDNS_TRANSPORT_UDP };
+                getdns_transport_list_t tcp[] = { GETDNS_TRANSPORT_TCP };
+                getdns_transport_list_t tls[] = { GETDNS_TRANSPORT_TLS };
+                getdns_transport_list_t *transport =
+                        (use_tls) ? tls : (use_tcp) ? tcp : udp;
+                if ((ret = getdns_context_set_dns_transport_list(test_info.context, 1, transport)) != GETDNS_RETURN_GOOD) {
                         fprintf(test_info.errout,
-                                "Unable to set TLS transport: %s (%d)\n",
+                                "Unable to set %s transport: %s (%d)\n",
+                                (use_tls) ? "TLS" : (use_tcp) ? "TCP" : "UDP",
                                 getdns_get_errorstr_by_id(ret),
                                 ret);
                         exit(EXIT_UNKNOWN);

From 5ea0edf2626d90118d0b204ed27e54f0a966b8fa Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 15 Jan 2018 17:42:57 +0000
Subject: [PATCH 029/303] Update usage.

---
 src/tools/getdns_server_mon.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 1a3bf743..3b0001ba 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -158,9 +158,12 @@ static void exit_tidy()
 static void usage()
 {
         fputs(
-"Usage: " APP_NAME " [-MEr] @upstream testname [<name>] [<type>]\n"
+"Usage: " APP_NAME " [-M] [-E] [(-u|-t|-T)] [-S] [-K <spki-pin>]\n"
+"        [-v [-v [-v]]] [-V] @upstream testname [<name>] [<type>]\n"
 "  -M|--monitoring               Make output suitable for monitoring tools\n"
 "  -E|--fail-on-dns-errors       Fail on DNS error (NXDOMAIN, SERVFAIL)\n"
+"  -u|--udp                      Use UDP transport\n"
+"  -t|--tcp                      Use TCP transport\n"
 "  -T|--tls                      Use TLS transport\n"
 "  -S|--strict-usage-profile     Use strict profile (require authentication)\n"
 "  -K|--spki-pin <spki-pin>      SPKI pin for TLS connections (can repeat)\n"

From b8424e494d23311f7f18752be05b58f0562350a9 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 16 Jan 2018 11:05:16 +0000
Subject: [PATCH 030/303] Fix up some small usage typos, and don't report
 result if issuing test usage message.

---
 src/tools/getdns_server_mon.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 3b0001ba..85383317 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -59,7 +59,8 @@ typedef enum {
         EXIT_OK = 0,
         EXIT_WARNING,
         EXIT_CRITICAL,
-        EXIT_UNKNOWN
+        EXIT_UNKNOWN,
+        EXIT_USAGE              /* Special case - internal only. */
 } exit_value_t;
 
 /* Plugin verbosity values */
@@ -184,11 +185,11 @@ static void usage()
 "                                Check server round trip time (default 500,250)\n"
 "  qname-min                     Check whether server supports QNAME minimisation\n"
 "\n"
-"  tls_auth [<name> [<type>]]    Check authentication of TLS server\n"
+"  tls-auth [<name> [<type>]]    Check authentication of TLS server\n"
 "                                If both a SPKI pin and authentication name are\n"
 "                                provided, both must authenticate for this test\n"
 "                                to pass.\n"
-"  tls_cert-valid [warn-days,crit-days] [<name> [type]]\n"
+"  tls-cert-valid [warn-days,crit-days] [<name> [type]]\n"
 "                                Check server certificate validity, report\n"
 "                                warning or critical if days to expiry at\n"
 "                                or below thresholds (default 14,7).\n"
@@ -592,7 +593,7 @@ static exit_value_t parse_search_check(const struct test_info_s *test_info,
 
         if (*av) {
                 fputs(usage, test_info->errout);
-                return EXIT_UNKNOWN;
+                return EXIT_USAGE;
         }
 
         return search_check(test_info,
@@ -733,7 +734,7 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
         if (*av) {
                 fputs("qname-min takes no arguments",
                       test_info->errout);
-                return EXIT_UNKNOWN;
+                return EXIT_USAGE;
         }
 
         getdns_dict *response;
@@ -1049,22 +1050,29 @@ int main(int ac, char *av[])
 
         exit_value_t xit = f->func(&test_info, av);
         switch(xit) {
-        case 0:
+        case EXIT_OK:
                 fputs(" OK", test_info.errout);
                 break;
 
-        case 1:
+        case EXIT_WARNING:
                 fputs(" WARNING", test_info.errout);
                 break;
 
-        case 2:
+        case EXIT_CRITICAL:
                 fputs(" CRITICAL", test_info.errout);
                 break;
 
-        default:
+        case EXIT_UNKNOWN:
                 fputs(" UNKNOWN", test_info.errout);
                 break;
 
+        case EXIT_USAGE:
+                xit = EXIT_UNKNOWN;
+                break;
+
+        default:
+                fputs(" ???", test_info.errout);
+                break;
         }
         fputc('\n', test_info.errout);
         exit(xit);

From fdafb458efda0baf625b9067478a39b6f3795989 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 16 Jan 2018 12:19:33 +0000
Subject: [PATCH 031/303] Decide we don't want return_both_v4_and_v6 on
 queries.

---
 src/tools/getdns_server_mon.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 85383317..e66c7c9d 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -293,14 +293,6 @@ static exit_value_t search(const struct test_info_s *test_info,
                 getdns_dict_destroy(extensions);
                 return EXIT_UNKNOWN;
         }
-        if ((ret = getdns_dict_set_int(extensions, "return_both_v4_and_v6", GETDNS_EXTENSION_TRUE)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot set return both IPv4 and IPv6: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
-                getdns_dict_destroy(extensions);
-                return EXIT_UNKNOWN;
-        }
 
         if (test_info->verbosity >= VERBOSITY_DEBUG) {
                 fprintf(test_info->errout,

From a4ff6de98559e4f8914e39770780888f18c6dcaf Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 16 Jan 2018 12:56:50 +0000
Subject: [PATCH 032/303] Add 'tls-padding' test.

---
 src/tools/getdns_server_mon.c | 152 ++++++++++++++++++++++++++++++++--
 1 file changed, 146 insertions(+), 6 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index e66c7c9d..811a6e4e 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -52,6 +52,8 @@
 #define DEFAULT_LOOKUP_NAME             "getdnsapi.net"
 #define DEFAULT_LOOKUP_TYPE             GETDNS_RRTYPE_AAAA
 
+#define EDNS0_PADDING_CODE              12
+
 #define EXAMPLE_PIN "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\""
 
 /* Plugin exit values */
@@ -193,6 +195,10 @@ static void usage()
 "                                Check server certificate validity, report\n"
 "                                warning or critical if days to expiry at\n"
 "                                or below thresholds (default 14,7).\n"
+"  tls-padding <blocksize> [<name> [<type>]]\n"
+"                                Check server support for EDNS0 padding in TLS\n"
+"                                Special blocksize values are 0 = off,\n"
+"                                1 = sensible default.\n"
 "\n"
 "Enabling monitoring mode ensures output messages and exit statuses conform\n"
 "to the requirements of monitoring plugins (www.monitoring-plugins.org).\n",
@@ -471,14 +477,19 @@ static exit_value_t get_report_info(const struct test_info_s *test_info,
 
 static exit_value_t get_answers(const struct test_info_s *test_info,
                                 const getdns_dict *response,
+                                const char *section,
                                 getdns_list **answers,
                                 size_t *no_answers)
 {
         getdns_return_t ret;
+        char buf[40];
 
-        if ((ret = getdns_dict_get_list(response, "/replies_tree/0/answer", answers)) != GETDNS_RETURN_GOOD) {
+        snprintf(buf, sizeof(buf), "/replies_tree/0/%s", section);
+
+        if ((ret = getdns_dict_get_list(response, buf, answers)) != GETDNS_RETURN_GOOD) {
                 fprintf(test_info->errout,
-                        "Cannot get answers: %s (%d)",
+                        "Cannot get section '%s': %s (%d)",
+                        section,
                         getdns_get_errorstr_by_id(ret),
                         ret);
                 return EXIT_UNKNOWN;
@@ -486,13 +497,16 @@ static exit_value_t get_answers(const struct test_info_s *test_info,
 
         if ((ret = getdns_list_get_length(*answers, no_answers)) != GETDNS_RETURN_GOOD) {
                 fprintf(test_info->errout,
-                        "Cannot get number of answers: %s (%d)",
+                        "Cannot get number of items in '%s': %s (%d)",
+                        section,
                         getdns_get_errorstr_by_id(ret),
                         ret);
                 return EXIT_UNKNOWN;
         }
         if (*no_answers <= 0) {
-                fputs("Got zero answers", test_info->errout);
+                fprintf(test_info->errout,
+                        "Zero entries in '%s'",
+                        section);
                 return EXIT_WARNING;
         }
 
@@ -507,7 +521,7 @@ static exit_value_t check_answer_type(const struct test_info_s *test_info,
         size_t no_answers;
         exit_value_t xit;
 
-        if ((xit = get_answers(test_info, response, &answers, &no_answers)) != EXIT_OK)
+        if ((xit = get_answers(test_info, response, "answer", &answers, &no_answers)) != EXIT_OK)
                 return xit;
 
         for (size_t i = 0; i < no_answers; ++i) {
@@ -744,7 +758,7 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
         getdns_list *answers;
         size_t no_answers;
 
-        if ((xit = get_answers(test_info, response, &answers, &no_answers)) != EXIT_OK)
+        if ((xit = get_answers(test_info, response, "answer", &answers, &no_answers)) != EXIT_OK)
                 return xit;
 
         for (size_t i = 0; i < no_answers; ++i) {
@@ -773,6 +787,7 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
                         continue;
 
                 getdns_bindata *rtxt;
+
                 if ((ret = getdns_dict_get_bindata(answer, "/rdata/txt_strings/0", &rtxt)) != GETDNS_RETURN_GOOD) {
                         fputs("No answer text", test_info->errout);
                         return EXIT_WARNING;
@@ -799,6 +814,130 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
         return EXIT_UNKNOWN;
 }
 
+static exit_value_t test_padding(const struct test_info_s *test_info,
+                                 char ** av)
+{
+        getdns_dict *response;
+        exit_value_t xit;
+        long blocksize;
+        char *endptr;
+        const char USAGE[] = "padding takes arguments <blocksize> [<name> [<type>]]";
+
+        if (!*av || (blocksize = strtol(*av, &endptr, 10), *endptr != '\0' || blocksize < 0)) {
+                fputs(USAGE, test_info->errout);
+                return EXIT_USAGE;
+        }
+        ++av;
+
+        getdns_return_t ret;
+        if ((ret = getdns_context_set_tls_query_padding_blocksize(test_info->context, (uint16_t) blocksize)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot set padding blocksize: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        if ((xit = parse_search_check(test_info,
+                                      av,
+                                      USAGE,
+                                      &response,
+                                      NULL,
+                                      NULL,
+                                      NULL)) != EXIT_OK)
+                return xit;
+
+        getdns_list *answers;
+        size_t no_answers;
+
+        if ((xit = get_answers(test_info, response, "additional", &answers, &no_answers)) != EXIT_OK)
+                return xit;
+
+        for (size_t i = 0; i < no_answers; ++i) {
+                getdns_dict *answer;
+                getdns_return_t ret;
+
+                if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info->errout,
+                                "Cannot get answer number %zu: %s (%d)",
+                                i,
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
+                }
+
+                uint32_t rtype;
+
+                if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info->errout,
+                                "Cannot get answer type: %s (%d)",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
+                }
+                if (rtype != GETDNS_RRTYPE_OPT)
+                        continue;
+
+                getdns_list *options;
+                size_t no_options;
+
+                if ((ret = getdns_dict_get_list(answer, "/rdata/options", &options)) != GETDNS_RETURN_GOOD) {
+                        goto no_padding;
+                }
+                if ((ret = getdns_list_get_length(options, &no_options)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info->errout,
+                                "Cannot get number of options: %s (%d)",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
+                }
+
+                for (size_t j = 0; j < no_options; ++j) {
+                        getdns_dict *option;
+                        uint32_t code;
+
+                        if ((ret = getdns_list_get_dict(options, j, &option)) != GETDNS_RETURN_GOOD) {
+                                fprintf(test_info->errout,
+                                        "Cannot get option number %zu: %s (%d)",
+                                        j,
+                                        getdns_get_errorstr_by_id(ret),
+                                        ret);
+                                return EXIT_UNKNOWN;
+                        }
+                        if ((ret = getdns_dict_get_int(option, "option_code", &code)) != GETDNS_RETURN_GOOD) {
+                                fprintf(test_info->errout,
+                                        "Cannot get option code: %s (%d)",
+                                        getdns_get_errorstr_by_id(ret),
+                                        ret);
+                                return EXIT_UNKNOWN;
+                        }
+
+                        if (code != EDNS0_PADDING_CODE)
+                                continue;
+
+                        /* Yes, we have padding! */
+                        getdns_bindata *data;
+
+                        if ((ret = getdns_dict_get_bindata(option, "option_data", &data)) != GETDNS_RETURN_GOOD) {
+                                fprintf(test_info->errout,
+                                        "Cannot get option code: %s (%d)",
+                                        getdns_get_errorstr_by_id(ret),
+                                        ret);
+                                return EXIT_UNKNOWN;
+                        }
+
+                        fprintf(test_info->errout,
+                                "Padding found, length %zu",
+                                data->size);
+                        return EXIT_OK;
+                }
+        }
+
+no_padding:
+        fputs("No padding found", test_info->errout);
+        return EXIT_CRITICAL;
+}
+
 static struct test_funcs_s
 {
         const char *name;
@@ -811,6 +950,7 @@ static struct test_funcs_s
         { "qname-min", false, test_qname_minimisation },
         { "tls-auth", true, test_authenticate },
         { "tls-cert-valid", true, test_certificate_valid },
+        { "tls-padding", true, test_padding },
         { NULL, false, NULL }
 };
 

From 3666d994a73d8ca9c12ddf6af708378b64abecd6 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 16 Jan 2018 15:08:22 +0000
Subject: [PATCH 033/303] Add 'keepalive' test and supporting changes to getdns
 library.

Checking for server support for keepalive means we need to know if the server did send a keepalive option to the client. This information is not currently exposed in getdns, so add a flag 'server_keepalive_received' to call_reporting. This is 0 if not received, 1 if received. If received, the actual timeout is in 'idle timeout in ms', though watch out for the overflow alternative.
---
 src/context.c                 |   1 +
 src/context.h                 |   1 +
 src/stub.c                    |   1 +
 src/tools/getdns_server_mon.c | 117 +++++++++++++++++++++++++++++++---
 src/util-internal.c           |   4 ++
 5 files changed, 116 insertions(+), 8 deletions(-)

diff --git a/src/context.c b/src/context.c
index c8f14363..52956370 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1011,6 +1011,7 @@ upstream_init(getdns_upstream *upstream,
 	upstream->responses_timeouts = 0;
 	upstream->keepalive_shutdown = 0;
 	upstream->keepalive_timeout = 0;
+	upstream->server_keepalive_received = 0;
 	/* How is this upstream doing on UDP? */
 	upstream->to_retry =  1;
 	upstream->back_off =  1;
diff --git a/src/context.h b/src/context.h
index b4319403..73e6e519 100644
--- a/src/context.h
+++ b/src/context.h
@@ -193,6 +193,7 @@ typedef struct getdns_upstream {
 	size_t                   responses_timeouts;
 	size_t                   keepalive_shutdown;
 	uint64_t                 keepalive_timeout;
+	int                      server_keepalive_received;
 
 	/* Management of outstanding requests on stateful transports */
 	getdns_network_req      *write_queue;
diff --git a/src/stub.c b/src/stub.c
index 07f22fcd..7879e0c7 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -341,6 +341,7 @@ process_keepalive(
 		}
 		return;
 	}
+	upstream->server_keepalive_received = 1;
 	/* Use server sent value unless the client specified a shorter one.
 	   Convert to ms first (wire value has units of 100ms) */
 	uint64_t server_keepalive = ((uint64_t)gldns_read_uint16(position))*100;
diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 811a6e4e..53e06b7b 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -183,9 +183,12 @@ static void usage()
 "\n"
 "Tests:\n"
 "  lookup [<name> [<type>]]      Check lookup on server\n"
+"  keepalive <timeout-ms> [<name> [<type>]]\n"
+"                                Check server support for EDNS0 keepalive in TCP/TLS\n"
+"                                Timeout of 0 is off.\n"
+"  qname-min                     Check whether server supports QNAME minimisation\n"
 "  rtt [warn-ms,crit-ms] [<name> [<type>]]\n"
 "                                Check server round trip time (default 500,250)\n"
-"  qname-min                     Check whether server supports QNAME minimisation\n"
 "\n"
 "  tls-auth [<name> [<type>]]    Check authentication of TLS server\n"
 "                                If both a SPKI pin and authentication name are\n"
@@ -938,20 +941,109 @@ no_padding:
         return EXIT_CRITICAL;
 }
 
+static exit_value_t test_keepalive(const struct test_info_s *test_info,
+                                   char ** av)
+{
+        getdns_dict *response;
+        exit_value_t xit;
+        long long timeout;
+        char *endptr;
+        const char USAGE[] = "keepalive takes arguments <timeout-ms> [<name> [<type>]]";
+
+        if (!*av || (timeout = strtoll(*av, &endptr, 10), *endptr != '\0' || timeout < 0)) {
+                fputs(USAGE, test_info->errout);
+                return EXIT_USAGE;
+        }
+        ++av;
+
+        getdns_return_t ret;
+        if ((ret = getdns_context_set_idle_timeout(test_info->context, (uint64_t) timeout)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot set keepalive timeout: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        if ((xit = parse_search_check(test_info,
+                                      av,
+                                      USAGE,
+                                      &response,
+                                      NULL,
+                                      NULL,
+                                      NULL)) != EXIT_OK)
+                return xit;
+
+        getdns_list *l;
+
+        if ((ret = getdns_dict_get_list(response, "call_reporting", &l)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get call report: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        getdns_dict *d;
+        if ((ret = getdns_list_get_dict(l, 0, &d)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get call report first item: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        /* Search is forced to be TCP or TLS, so server keepalive flag must exist. */
+        uint32_t server_keepalive_received;
+        if ((ret = getdns_dict_get_int(d, "server_keepalive_received", &server_keepalive_received)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get server keepalive flag: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        if (server_keepalive_received) {
+                uint32_t t;
+                bool overflow = false;
+
+                if (!((ret = getdns_dict_get_int(d, "idle timeout in ms", &t)) == GETDNS_RETURN_GOOD ||
+                      (overflow = true, ret = getdns_dict_get_int(d, "idle timeout in ms (overflow)", &t)) == GETDNS_RETURN_GOOD)) {
+                fprintf(test_info->errout,
+                        "Cannot get idle timeout: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+                }
+
+                if (overflow) {
+                        fputs("Server sent keepalive, idle timeout now (overflow)", test_info->errout);
+                } else {
+                        fprintf(test_info->errout, "Server sent keepalive, idle timeout now %ums", t);
+                }
+                return EXIT_OK;
+        } else {
+                fputs("Server did not send keepalive", test_info->errout);
+                return EXIT_CRITICAL;
+        }
+}
+
 static struct test_funcs_s
 {
         const char *name;
         bool implies_tls;
+        bool implies_tcp;
         exit_value_t (*func)(const struct test_info_s *test_info, char **av);
 } TESTS[] =
 {
-        { "lookup", false, test_lookup },
-        { "rtt", false, test_rtt },
-        { "qname-min", false, test_qname_minimisation },
-        { "tls-auth", true, test_authenticate },
-        { "tls-cert-valid", true, test_certificate_valid },
-        { "tls-padding", true, test_padding },
-        { NULL, false, NULL }
+        { "lookup", false, false, test_lookup },
+        { "rtt", false, false, test_rtt },
+        { "qname-min", false, false, test_qname_minimisation },
+        { "tls-auth", true, false, test_authenticate },
+        { "tls-cert-valid", true, false, test_certificate_valid },
+        { "tls-padding", true, false, test_padding },
+        { "keepalive", false, true, test_keepalive },
+        { NULL, false, false, NULL }
 };
 
 int main(int ac, char *av[])
@@ -1151,6 +1243,15 @@ int main(int ac, char *av[])
                 exit(EXIT_UNKNOWN);
         }
 
+        if (f->implies_tcp) {
+                if (use_udp) {
+                        fputs("Test requires TCP or TLS\n", test_info.errout);
+                        exit(EXIT_UNKNOWN);
+                }
+                if (!use_tls)
+                        use_tcp = true;
+        }
+
         if (f->implies_tls) {
                 if (use_udp | use_tcp) {
                         fputs("Test requires TLS, or TLS authentication specified\n", test_info.errout);
diff --git a/src/util-internal.c b/src/util-internal.c
index 808944c3..3ec15995 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -880,6 +880,10 @@ _getdns_create_call_reporting_dict(
 				return NULL;
 			}
 		}
+		if (getdns_dict_set_int( netreq_debug, "server_keepalive_received", netreq->upstream->server_keepalive_received)) {
+			getdns_dict_destroy(netreq_debug);
+			return NULL;
+		}
 		/* The running totals are only updated when a connection is closed.
 		   Since it is open as we have just used it, calcualte the value on the fly */
 		if (getdns_dict_set_int( netreq_debug, "responses_on_this_connection",

From 6bd0f8b98002151b941639c6acf13d204c29f3ce Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 16 Jan 2018 18:09:35 +0000
Subject: [PATCH 034/303] Encode exit status words in () to make it clear that
 it's not part of the sentence.

'Server validates OK' -> 'Server validates (OK)'
---
 src/tools/getdns_server_mon.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 53e06b7b..cc46851a 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -1284,19 +1284,19 @@ int main(int ac, char *av[])
         exit_value_t xit = f->func(&test_info, av);
         switch(xit) {
         case EXIT_OK:
-                fputs(" OK", test_info.errout);
+                fputs(" (OK)", test_info.errout);
                 break;
 
         case EXIT_WARNING:
-                fputs(" WARNING", test_info.errout);
+                fputs(" (WARNING)", test_info.errout);
                 break;
 
         case EXIT_CRITICAL:
-                fputs(" CRITICAL", test_info.errout);
+                fputs(" (CRITICAL)", test_info.errout);
                 break;
 
         case EXIT_UNKNOWN:
-                fputs(" UNKNOWN", test_info.errout);
+                fputs(" (UNKNOWN)", test_info.errout);
                 break;
 
         case EXIT_USAGE:
@@ -1304,7 +1304,7 @@ int main(int ac, char *av[])
                 break;
 
         default:
-                fputs(" ???", test_info.errout);
+                fputs(" (\?\?\?)", test_info.errout);
                 break;
         }
         fputc('\n', test_info.errout);

From 760269acbd243d7653913c4f24bede1ccdb5fa93 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 17 Jan 2018 15:35:56 +0000
Subject: [PATCH 035/303] Make internal types POSIX-compliant by not naming
 them *_t.

See: http://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xsh_chap02.html#tag_22_02_12_01

The change tacitly ignores the colossal number of coach and horses the entire world, including getdns, has stampeded through this POSIX hope for decades, but simply hopes for some small recognition when the Recording Angel tots up the damages.
---
 src/tools/getdns_server_mon.c | 60 +++++++++++++++++------------------
 1 file changed, 30 insertions(+), 30 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index cc46851a..9751b52c 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -63,7 +63,7 @@ typedef enum {
         EXIT_CRITICAL,
         EXIT_UNKNOWN,
         EXIT_USAGE              /* Special case - internal only. */
-} exit_value_t;
+} exit_value;
 
 /* Plugin verbosity values */
 typedef enum {
@@ -71,7 +71,7 @@ typedef enum {
         VERBOSITY_ADDITIONAL,
         VERBOSITY_CONFIG,
         VERBOSITY_DEBUG
-} verbosity_t;
+} plugin_verbosity;
 
 static struct test_info_s
 {
@@ -80,7 +80,7 @@ static struct test_info_s
         /* Output control */
         bool monitoring;
         FILE *errout;
-        verbosity_t verbosity;
+        plugin_verbosity verbosity;
 
         /* Test config info */
         bool fail_on_dns_errors;
@@ -260,7 +260,7 @@ static void get_thresholds(char ***av,
         return;
 }
 
-static exit_value_t get_name_type_args(const struct test_info_s *test_info,
+static exit_value get_name_type_args(const struct test_info_s *test_info,
                                        char ***av,
                                        const char **lookup_name,
                                        uint32_t *lookup_type)
@@ -286,7 +286,7 @@ static exit_value_t get_name_type_args(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value_t search(const struct test_info_s *test_info,
+static exit_value search(const struct test_info_s *test_info,
                            const char *name,
                            uint16_t type,
                            getdns_dict **response)
@@ -333,7 +333,7 @@ static exit_value_t search(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value_t check_result(const struct test_info_s *test_info,
+static exit_value check_result(const struct test_info_s *test_info,
                                  const getdns_dict *response)
 {
         getdns_return_t ret;
@@ -383,7 +383,7 @@ static exit_value_t check_result(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value_t get_report_info(const struct test_info_s *test_info,
+static exit_value get_report_info(const struct test_info_s *test_info,
                                     const getdns_dict *response,
                                     uint32_t *rtt,
                                     getdns_bindata **auth_status,
@@ -478,7 +478,7 @@ static exit_value_t get_report_info(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value_t get_answers(const struct test_info_s *test_info,
+static exit_value get_answers(const struct test_info_s *test_info,
                                 const getdns_dict *response,
                                 const char *section,
                                 getdns_list **answers,
@@ -516,13 +516,13 @@ static exit_value_t get_answers(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value_t check_answer_type(const struct test_info_s *test_info,
+static exit_value check_answer_type(const struct test_info_s *test_info,
                                       const getdns_dict *response,
                                       uint32_t rrtype)
 {
         getdns_list *answers;
         size_t no_answers;
-        exit_value_t xit;
+        exit_value xit;
 
         if ((xit = get_answers(test_info, response, "answer", &answers, &no_answers)) != EXIT_OK)
                 return xit;
@@ -557,7 +557,7 @@ static exit_value_t check_answer_type(const struct test_info_s *test_info,
         return EXIT_UNKNOWN;
 }
 
-static exit_value_t search_check(const struct test_info_s *test_info,
+static exit_value search_check(const struct test_info_s *test_info,
                                  const char *lookup_name,
                                  uint16_t lookup_type,
                                  getdns_dict **response,
@@ -565,7 +565,7 @@ static exit_value_t search_check(const struct test_info_s *test_info,
                                  getdns_bindata **auth_status,
                                  time_t *cert_expire_time)
 {
-        exit_value_t xit;
+        exit_value xit;
         getdns_dict *resp;
 
         if ((xit = search(test_info, lookup_name, lookup_type, &resp)) != EXIT_OK)
@@ -585,7 +585,7 @@ static exit_value_t search_check(const struct test_info_s *test_info,
         return xit;
 }
 
-static exit_value_t parse_search_check(const struct test_info_s *test_info,
+static exit_value parse_search_check(const struct test_info_s *test_info,
                                        char **av,
                                        const char *usage,
                                        getdns_dict **response,
@@ -595,7 +595,7 @@ static exit_value_t parse_search_check(const struct test_info_s *test_info,
 {
         const char *lookup_name = DEFAULT_LOOKUP_NAME;
         uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
-        exit_value_t xit;
+        exit_value xit;
 
         if ((xit = get_name_type_args(test_info, &av, &lookup_name, &lookup_type)) != EXIT_OK)
                 return xit;
@@ -615,10 +615,10 @@ static exit_value_t parse_search_check(const struct test_info_s *test_info,
  ** Test routines.
  **/
 
-static exit_value_t test_lookup(const struct test_info_s *test_info,
+static exit_value test_lookup(const struct test_info_s *test_info,
                                 char ** av)
 {
-        exit_value_t xit;
+        exit_value xit;
 
         if ((xit = parse_search_check(test_info,
                                       av,
@@ -633,10 +633,10 @@ static exit_value_t test_lookup(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value_t test_rtt(const struct test_info_s *test_info,
+static exit_value test_rtt(const struct test_info_s *test_info,
                              char ** av)
 {
-        exit_value_t xit;
+        exit_value xit;
         int critical_ms = RTT_CRITICAL_MS;
         int warning_ms = RTT_WARNING_MS;
         uint32_t rtt_val;
@@ -661,10 +661,10 @@ static exit_value_t test_rtt(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value_t test_authenticate(const struct test_info_s *test_info,
+static exit_value test_authenticate(const struct test_info_s *test_info,
                                       char ** av)
 {
-        exit_value_t xit;
+        exit_value xit;
         getdns_bindata *auth_status;
 
         if ((xit = parse_search_check(test_info,
@@ -685,10 +685,10 @@ static exit_value_t test_authenticate(const struct test_info_s *test_info,
         }
 }
 
-static exit_value_t test_certificate_valid(const struct test_info_s *test_info,
+static exit_value test_certificate_valid(const struct test_info_s *test_info,
                                            char **av)
 {
-        exit_value_t xit;
+        exit_value xit;
         int warning_days = CERT_EXPIRY_WARNING_DAYS;
         int critical_days = CERT_EXPIRY_CRITICAL_DAYS;
         time_t expire_time;
@@ -737,7 +737,7 @@ static exit_value_t test_certificate_valid(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
+static exit_value test_qname_minimisation(const struct test_info_s *test_info,
                                             char ** av)
 {
         if (*av) {
@@ -747,7 +747,7 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
         }
 
         getdns_dict *response;
-        exit_value_t xit;
+        exit_value xit;
 
         if ((xit = search_check(test_info,
                                 "qnamemintest.internet.nl",
@@ -817,11 +817,11 @@ static exit_value_t test_qname_minimisation(const struct test_info_s *test_info,
         return EXIT_UNKNOWN;
 }
 
-static exit_value_t test_padding(const struct test_info_s *test_info,
+static exit_value test_padding(const struct test_info_s *test_info,
                                  char ** av)
 {
         getdns_dict *response;
-        exit_value_t xit;
+        exit_value xit;
         long blocksize;
         char *endptr;
         const char USAGE[] = "padding takes arguments <blocksize> [<name> [<type>]]";
@@ -941,11 +941,11 @@ no_padding:
         return EXIT_CRITICAL;
 }
 
-static exit_value_t test_keepalive(const struct test_info_s *test_info,
+static exit_value test_keepalive(const struct test_info_s *test_info,
                                    char ** av)
 {
         getdns_dict *response;
-        exit_value_t xit;
+        exit_value xit;
         long long timeout;
         char *endptr;
         const char USAGE[] = "keepalive takes arguments <timeout-ms> [<name> [<type>]]";
@@ -1033,7 +1033,7 @@ static struct test_funcs_s
         const char *name;
         bool implies_tls;
         bool implies_tcp;
-        exit_value_t (*func)(const struct test_info_s *test_info, char **av);
+        exit_value (*func)(const struct test_info_s *test_info, char **av);
 } TESTS[] =
 {
         { "lookup", false, false, test_lookup },
@@ -1281,7 +1281,7 @@ int main(int ac, char *av[])
                 }
         }
 
-        exit_value_t xit = f->func(&test_info, av);
+        exit_value xit = f->func(&test_info, av);
         switch(xit) {
         case EXIT_OK:
                 fputs(" (OK)", test_info.errout);

From 155b035cd8ae2d33ad201e747366c7670a9d8833 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 17 Jan 2018 17:07:36 +0100
Subject: [PATCH 036/303] Forgot to surround surround yaml include with defines

---
 src/Makefile.in | 2 +-
 src/convert.c   | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Makefile.in b/src/Makefile.in
index b37d296e..227d683f 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -323,7 +323,7 @@ convert.lo convert.o: $(srcdir)/convert.c \
  $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \
  $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/wire2str.h \
  $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \
- $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h $(srcdir)/convert.h
+ $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h
 dict.lo dict.o: $(srcdir)/dict.c \
  config.h \
  $(srcdir)/types-internal.h \
diff --git a/src/convert.c b/src/convert.c
index 03a27af2..82adf241 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -56,7 +56,9 @@
 #include "dict.h"
 #include "list.h"
 #include "jsmn/jsmn.h"
+#ifdef USE_YAML_CONFIG
 #include "yaml/convert_yaml_to_json.h"
+#endif
 #include "convert.h"
 #include "debug.h"
 

From 00c17dca14ad4beb5ffb69430b74764daf6f5b6c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 17 Jan 2018 18:38:28 +0000
Subject: [PATCH 037/303] Add to certificate time conversion to cope with
 pre-1.0.2 OpenSSL. Also tag printed time with UTC.

The time parse with pre-1.0.2 is a best effort, and relies on timegm() to convert struct tm in UTC to time_t. There being attractive alternative. Isn't C time handling grotty?
---
 src/tools/getdns_server_mon.c | 61 ++++++++++++++++++++++++++++++++++-
 1 file changed, 60 insertions(+), 1 deletion(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 9751b52c..a1dd05a7 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -139,6 +139,64 @@ static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t
 
         ASN1_TIME *not_after = X509_get_notAfter(cert);
 
+#if OPENSSL_VERSION_NUMBER < 0x10002000
+        /*
+         * OpenSSL before 1.0.2 does not support ASN1_TIME_diff().
+         * So work around by using ASN1_TIME_print() to print to a buffer
+         * and parsing that. This does not do any kind of sane format,
+         * but 'Mar 15 11:58:50 2018 GMT'. Note the month name is not
+         * locale-dependent but always English, so strptime() to parse
+         * isn't going to work. It also *appears* to always end 'GMT'.
+         * timegm() is a glibc-ism, but there is no sensible
+         * alternative. Patches welcome...
+         */
+
+        char buf[40];
+        BIO *b = BIO_new(BIO_s_mem());
+        if (ASN1_TIME_print(b, not_after) <= 0) {
+                BIO_free(b);
+                X509_free(cert);
+                return false;
+        }
+        if (BIO_gets(b, buf, sizeof(buf)) <= 0) {
+                BIO_free(b);
+                X509_free(cert);
+                return false;
+        }
+        BIO_free(b);
+        X509_free(cert);
+
+        struct tm tm;
+        char month[4];
+        char tz[4];
+        memset(&tm, 0, sizeof(tm));
+        if (sscanf(buf,
+                   "%3s %d %d:%d:%d %d %3s",
+                   month,
+                   &tm.tm_mday,
+                   &tm.tm_hour,
+                   &tm.tm_min,
+                   &tm.tm_sec,
+                   &tm.tm_year,
+                   tz) != 7)
+                return false;
+        tm.tm_year -= 1900;
+        if (strcmp(tz, "GMT") != 0)
+                return false;
+
+        const char *mon[] = {
+                "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+        };
+
+        while(tm.tm_mon < 12 && strcmp(mon[tm.tm_mon], month) != 0)
+                ++tm.tm_mon;
+        if (tm.tm_mon > 11)
+                return false;
+
+        *t = timegm(&tm);
+        return true;
+#else
         /*
          * Use ASN1_TIME_diff to get a time delta between now and expiry.
          * This is much easier than trying to parse the time.
@@ -150,6 +208,7 @@ static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t
 
         X509_free(cert);
         return true;
+#endif
 }
 
 static void exit_tidy()
@@ -468,7 +527,7 @@ static exit_value get_report_info(const struct test_info_s *test_info,
                 if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
                         struct tm *tm = gmtime(&cert_expire_time_val);
                         char buf[25];
-                        strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S", tm);
+                        strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S UTC", tm);
                         fprintf(test_info->errout, "cert expiry %s, ", buf);
                 }
         }

From add818fea203d5c55684cd50e495297fc4df6ac3 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 18 Jan 2018 10:55:44 +0000
Subject: [PATCH 038/303] Remove dependency on timegm() when using OpenSSL <
 1.0.2.

Convert dates to Julian and diff. This is basically what ASN1_TIME_diff() does internally.

And that's quite enough near-pointless polishing here.
---
 src/tools/getdns_server_mon.c | 57 ++++++++++++++++++++++++++++-------
 1 file changed, 46 insertions(+), 11 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index a1dd05a7..744a862c 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -128,7 +128,33 @@ static const char *rcode_text(int rcode)
                 return text[rcode];
 }
 
-/* Thanks to:
+#if OPENSSL_VERSION_NUMBER < 0x10002000
+/*
+ * Convert date to Julian day.
+ * See https://en.wikipedia.org/wiki/Julian_day
+ */
+static long julian_day(const struct tm *tm)
+{
+        long dd, mm, yyyy;
+
+        dd = tm->tm_mday;
+        mm = tm->tm_mon + 1;
+        yyyy = tm->tm_year + 1900;
+
+        return (1461 * (yyyy + 4800 + (mm - 14) / 12)) / 4 +
+                (367 * (mm - 2 - 12 * ((mm - 14) / 12))) / 12 -
+                (3 * ((yyyy + 4900 + (mm - 14) / 12) / 100)) / 4 +
+                dd - 32075;
+}
+
+static long secs_in_day(const struct tm *tm)
+{
+        return ((tm->tm_hour * 60) + tm->tm_min) * 60 + tm->tm_sec;
+}
+#endif
+
+/*
+ * Thanks to:
  * https://zakird.com/2013/10/13/certificate-parsing-with-openssl
  */
 static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t)
@@ -137,8 +163,12 @@ static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t
         if (!cert)
                 return false;
 
+        int day_diff, sec_diff;
+        const long SECS_IN_DAY = 60 * 60 * 24;
         ASN1_TIME *not_after = X509_get_notAfter(cert);
 
+        *t = time(NULL);
+
 #if OPENSSL_VERSION_NUMBER < 0x10002000
         /*
          * OpenSSL before 1.0.2 does not support ASN1_TIME_diff().
@@ -147,8 +177,9 @@ static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t
          * but 'Mar 15 11:58:50 2018 GMT'. Note the month name is not
          * locale-dependent but always English, so strptime() to parse
          * isn't going to work. It also *appears* to always end 'GMT'.
-         * timegm() is a glibc-ism, but there is no sensible
-         * alternative. Patches welcome...
+         * Ideally one could then convert this UTC time to a time_t, but
+         * there's no way to do that in standard C/POSIX. So follow the
+         * lead of OpenSSL, convert to Julian days and use the difference.
          */
 
         char buf[40];
@@ -194,21 +225,25 @@ static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t
         if (tm.tm_mon > 11)
                 return false;
 
-        *t = timegm(&tm);
-        return true;
+        struct tm tm_now;
+        gmtime_r(t, &tm_now);
+
+        day_diff = julian_day(&tm) - julian_day(&tm_now);
+        sec_diff = secs_in_day(&tm) - secs_in_day(&tm_now);
+        if (sec_diff < 0) {
+                sec_diff += SECS_IN_DAY;
+                --day_diff;
+        }
 #else
         /*
          * Use ASN1_TIME_diff to get a time delta between now and expiry.
          * This is much easier than trying to parse the time.
          */
-        int day, sec;
-        *t = time(NULL);
-        ASN1_TIME_diff(&day, &sec, NULL, not_after);
-        *t += day * 86400 + sec;
-
+        ASN1_TIME_diff(&day_diff, &sec_diff, NULL, not_after);
         X509_free(cert);
-        return true;
 #endif
+        *t += day_diff * SECS_IN_DAY + sec_diff;
+        return true;
 }
 
 static void exit_tidy()

From f5322c701daf6f30a48f3f7e7270dceeb1a20fc9 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 18 Jan 2018 11:48:56 +0000
Subject: [PATCH 039/303] Add more missing make targets causing test 105 to
 fail.

It's amazing how fiddly it is to add a single executable/source file to the build.
---
 Makefile.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Makefile.in b/Makefile.in
index d126a0ba..f6d7acab 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -128,6 +128,12 @@ install-getdns_query: install-lib
 uninstall-getdns_query:
 	cd src/tools && $(MAKE) $@
 
+install-getdns_server_mon: install-lib
+	cd src/tools && $(MAKE) $@
+
+uninstall-getdns_server_mon:
+	cd src/tools && $(MAKE) $@
+
 install-stubby:
 	cd src && $(MAKE) $@
 

From ea035fa82e1be4b470b344c23537bd406f68f926 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 18 Jan 2018 17:16:28 +0000
Subject: [PATCH 040/303] Correct some code formatting.

---
 src/tools/getdns_server_mon.c | 82 +++++++++++++++++------------------
 1 file changed, 41 insertions(+), 41 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 744a862c..8ebfd2dd 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -355,9 +355,9 @@ static void get_thresholds(char ***av,
 }
 
 static exit_value get_name_type_args(const struct test_info_s *test_info,
-                                       char ***av,
-                                       const char **lookup_name,
-                                       uint32_t *lookup_type)
+                                     char ***av,
+                                     const char **lookup_name,
+                                     uint32_t *lookup_type)
 {
         if (**av) {
                 if (strlen(**av) > 0) {
@@ -381,9 +381,9 @@ static exit_value get_name_type_args(const struct test_info_s *test_info,
 }
 
 static exit_value search(const struct test_info_s *test_info,
-                           const char *name,
-                           uint16_t type,
-                           getdns_dict **response)
+                         const char *name,
+                         uint16_t type,
+                         getdns_dict **response)
 {
         getdns_return_t ret;
         getdns_dict *extensions = getdns_dict_create();
@@ -428,7 +428,7 @@ static exit_value search(const struct test_info_s *test_info,
 }
 
 static exit_value check_result(const struct test_info_s *test_info,
-                                 const getdns_dict *response)
+                               const getdns_dict *response)
 {
         getdns_return_t ret;
         uint32_t error_id;
@@ -478,10 +478,10 @@ static exit_value check_result(const struct test_info_s *test_info,
 }
 
 static exit_value get_report_info(const struct test_info_s *test_info,
-                                    const getdns_dict *response,
-                                    uint32_t *rtt,
-                                    getdns_bindata **auth_status,
-                                    time_t *cert_expire_time)
+                                  const getdns_dict *response,
+                                  uint32_t *rtt,
+                                  getdns_bindata **auth_status,
+                                  time_t *cert_expire_time)
 {
         getdns_return_t ret;
         getdns_list *l;
@@ -573,10 +573,10 @@ static exit_value get_report_info(const struct test_info_s *test_info,
 }
 
 static exit_value get_answers(const struct test_info_s *test_info,
-                                const getdns_dict *response,
-                                const char *section,
-                                getdns_list **answers,
-                                size_t *no_answers)
+                              const getdns_dict *response,
+                              const char *section,
+                              getdns_list **answers,
+                              size_t *no_answers)
 {
         getdns_return_t ret;
         char buf[40];
@@ -611,8 +611,8 @@ static exit_value get_answers(const struct test_info_s *test_info,
 }
 
 static exit_value check_answer_type(const struct test_info_s *test_info,
-                                      const getdns_dict *response,
-                                      uint32_t rrtype)
+                                    const getdns_dict *response,
+                                    uint32_t rrtype)
 {
         getdns_list *answers;
         size_t no_answers;
@@ -652,12 +652,12 @@ static exit_value check_answer_type(const struct test_info_s *test_info,
 }
 
 static exit_value search_check(const struct test_info_s *test_info,
-                                 const char *lookup_name,
-                                 uint16_t lookup_type,
-                                 getdns_dict **response,
-                                 uint32_t *rtt,
-                                 getdns_bindata **auth_status,
-                                 time_t *cert_expire_time)
+                               const char *lookup_name,
+                               uint16_t lookup_type,
+                               getdns_dict **response,
+                               uint32_t *rtt,
+                               getdns_bindata **auth_status,
+                               time_t *cert_expire_time)
 {
         exit_value xit;
         getdns_dict *resp;
@@ -680,12 +680,12 @@ static exit_value search_check(const struct test_info_s *test_info,
 }
 
 static exit_value parse_search_check(const struct test_info_s *test_info,
-                                       char **av,
-                                       const char *usage,
-                                       getdns_dict **response,
-                                       uint32_t *rtt,
-                                       getdns_bindata **auth_status,
-                                       time_t *cert_expire_time)
+                                     char **av,
+                                     const char *usage,
+                                     getdns_dict **response,
+                                     uint32_t *rtt,
+                                     getdns_bindata **auth_status,
+                                     time_t *cert_expire_time)
 {
         const char *lookup_name = DEFAULT_LOOKUP_NAME;
         uint32_t lookup_type = DEFAULT_LOOKUP_TYPE;
@@ -710,7 +710,7 @@ static exit_value parse_search_check(const struct test_info_s *test_info,
  **/
 
 static exit_value test_lookup(const struct test_info_s *test_info,
-                                char ** av)
+                              char ** av)
 {
         exit_value xit;
 
@@ -728,7 +728,7 @@ static exit_value test_lookup(const struct test_info_s *test_info,
 }
 
 static exit_value test_rtt(const struct test_info_s *test_info,
-                             char ** av)
+                           char ** av)
 {
         exit_value xit;
         int critical_ms = RTT_CRITICAL_MS;
@@ -756,7 +756,7 @@ static exit_value test_rtt(const struct test_info_s *test_info,
 }
 
 static exit_value test_authenticate(const struct test_info_s *test_info,
-                                      char ** av)
+                                    char ** av)
 {
         exit_value xit;
         getdns_bindata *auth_status;
@@ -780,7 +780,7 @@ static exit_value test_authenticate(const struct test_info_s *test_info,
 }
 
 static exit_value test_certificate_valid(const struct test_info_s *test_info,
-                                           char **av)
+                                         char **av)
 {
         exit_value xit;
         int warning_days = CERT_EXPIRY_WARNING_DAYS;
@@ -832,7 +832,7 @@ static exit_value test_certificate_valid(const struct test_info_s *test_info,
 }
 
 static exit_value test_qname_minimisation(const struct test_info_s *test_info,
-                                            char ** av)
+                                          char ** av)
 {
         if (*av) {
                 fputs("qname-min takes no arguments",
@@ -912,7 +912,7 @@ static exit_value test_qname_minimisation(const struct test_info_s *test_info,
 }
 
 static exit_value test_padding(const struct test_info_s *test_info,
-                                 char ** av)
+                               char ** av)
 {
         getdns_dict *response;
         exit_value xit;
@@ -1036,7 +1036,7 @@ no_padding:
 }
 
 static exit_value test_keepalive(const struct test_info_s *test_info,
-                                   char ** av)
+                                 char ** av)
 {
         getdns_dict *response;
         exit_value xit;
@@ -1103,11 +1103,11 @@ static exit_value test_keepalive(const struct test_info_s *test_info,
 
                 if (!((ret = getdns_dict_get_int(d, "idle timeout in ms", &t)) == GETDNS_RETURN_GOOD ||
                       (overflow = true, ret = getdns_dict_get_int(d, "idle timeout in ms (overflow)", &t)) == GETDNS_RETURN_GOOD)) {
-                fprintf(test_info->errout,
-                        "Cannot get idle timeout: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
-                return EXIT_UNKNOWN;
+                        fprintf(test_info->errout,
+                                "Cannot get idle timeout: %s (%d)",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
                 }
 
                 if (overflow) {

From 1a3025a40574cfc821b38cef3de7157958be33a8 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 18 Jan 2018 17:17:16 +0000
Subject: [PATCH 041/303] If server does not return expected TXT in qname-min,
 return UNKNOWN not WARNING.

---
 src/tools/getdns_server_mon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 8ebfd2dd..8b177541 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -887,7 +887,7 @@ static exit_value test_qname_minimisation(const struct test_info_s *test_info,
 
                 if ((ret = getdns_dict_get_bindata(answer, "/rdata/txt_strings/0", &rtxt)) != GETDNS_RETURN_GOOD) {
                         fputs("No answer text", test_info->errout);
-                        return EXIT_WARNING;
+                        return EXIT_UNKNOWN;
                 }
 
                 if (rtxt->size > 0 ) {

From 3fd4f7f240f907765398edcf6ff4f8d32a1bee84 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 16 Jan 2018 18:06:00 +0000
Subject: [PATCH 042/303] Add 'dnssec-validate' test.

This test checks whether the server does DNSSEC validation. If it manages to find an A record for dnssec-failed.org, it doesn't.
---
 src/tools/getdns_server_mon.c | 113 ++++++++++++++++++++++++++++------
 1 file changed, 93 insertions(+), 20 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 8b177541..6f4523ec 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -284,6 +284,8 @@ static void usage()
 "  rtt [warn-ms,crit-ms] [<name> [<type>]]\n"
 "                                Check server round trip time (default 500,250)\n"
 "\n"
+"  dnssec-validate               Check whether server does DNSSEC validation\n"
+"\n"
 "  tls-auth [<name> [<type>]]    Check authentication of TLS server\n"
 "                                If both a SPKI pin and authentication name are\n"
 "                                provided, both must authenticate for this test\n"
@@ -427,13 +429,14 @@ static exit_value search(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value check_result(const struct test_info_s *test_info,
-                               const getdns_dict *response)
+static exit_value get_result(const struct test_info_s *test_info,
+                             const getdns_dict *response,
+                             uint32_t *error_id,
+                             uint32_t *rcode)
 {
         getdns_return_t ret;
-        uint32_t error_id;
 
-        if ((ret = getdns_dict_get_int(response, "status", &error_id)) != GETDNS_RETURN_GOOD) {
+        if ((ret = getdns_dict_get_int(response, "status", error_id)) != GETDNS_RETURN_GOOD) {
                 fprintf(test_info->errout,
                         "Cannot get result status: %s (%d)",
                         getdns_get_errorstr_by_id(ret),
@@ -441,24 +444,12 @@ static exit_value check_result(const struct test_info_s *test_info,
                 return EXIT_UNKNOWN;
         }
 
-        if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
-                fprintf(test_info->errout,
-                        "result: %s (%d), ",
-                        getdns_get_errorstr_by_id(error_id),
-                        error_id);
+        if (*error_id != GETDNS_RESPSTATUS_GOOD && *error_id != GETDNS_RESPSTATUS_NO_NAME) {
+                *rcode = 0;
+                return EXIT_OK;
         }
 
-        if (error_id == GETDNS_RESPSTATUS_GOOD)
-                return EXIT_OK;
-
-        uint32_t rcode;
-
-        ret = getdns_dict_get_int(response, "/replies_tree/0/header/rcode", &rcode);
-        if (ret == GETDNS_RETURN_NO_SUCH_DICT_NAME ||
-            ret == GETDNS_RETURN_NO_SUCH_LIST_ITEM) {
-                fputs("Search had no results, timeout?", test_info->errout);
-                return EXIT_CRITICAL;
-        } else if (ret != GETDNS_RETURN_GOOD) {
+        if ((ret = getdns_dict_get_int(response, "/replies_tree/0/header/rcode", rcode)) !=  GETDNS_RETURN_GOOD) {
                 fprintf(test_info->errout,
                         "Cannot get DNS return code: %s (%d)",
                         getdns_get_errorstr_by_id(ret),
@@ -466,6 +457,42 @@ static exit_value check_result(const struct test_info_s *test_info,
                 return EXIT_UNKNOWN;
         }
 
+        return EXIT_OK;
+}
+
+static exit_value check_result(const struct test_info_s *test_info,
+                               const getdns_dict *response)
+{
+        exit_value xit;
+        uint32_t error_id, rcode;
+
+        if ((xit = get_result(test_info, response, &error_id, &rcode)) != EXIT_OK)
+                return xit;
+
+        switch(error_id) {
+        case GETDNS_RESPSTATUS_ALL_TIMEOUT:
+                fputs("Search timed out", test_info->errout);
+                return EXIT_CRITICAL;
+
+        case GETDNS_RESPSTATUS_NO_SECURE_ANSWERS:
+                fputs("No secure answers", test_info->errout);
+                return EXIT_CRITICAL;
+
+        case GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS:
+                fputs("All answers are bogus", test_info->errout);
+                return EXIT_CRITICAL;
+
+        default:
+                break;
+        }
+
+        if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
+                fprintf(test_info->errout,
+                        "result: %s (%d), ",
+                        getdns_get_errorstr_by_id(error_id),
+                        error_id);
+        }
+
         if (test_info->fail_on_dns_errors && rcode > 0) {
                 fprintf(test_info->errout,
                         "DNS error %s (%d)",
@@ -1122,6 +1149,51 @@ static exit_value test_keepalive(const struct test_info_s *test_info,
         }
 }
 
+static exit_value test_dnssec_validate(const struct test_info_s *test_info,
+                                       char ** av)
+{
+        if (*av) {
+                fputs("dnssec-validate takes no arguments",
+                      test_info->errout);
+                return EXIT_USAGE;
+        }
+
+        getdns_dict *response;
+        exit_value xit;
+
+        if ((xit = search(test_info,
+                          "dnssec-failed.org",
+                          GETDNS_RRTYPE_A,
+                          &response)) != EXIT_OK)
+                return xit;
+
+        if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
+                return xit;
+
+        uint32_t error_id, rcode;
+
+        if ((xit = get_result(test_info, response, &error_id, &rcode)) != EXIT_OK)
+                return xit;
+
+        switch(error_id) {
+        case GETDNS_RESPSTATUS_ALL_TIMEOUT:
+                fputs("Search timed out", test_info->errout);
+                return EXIT_CRITICAL;
+
+        case GETDNS_RESPSTATUS_NO_SECURE_ANSWERS:
+        case GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS:
+        case GETDNS_RESPSTATUS_NO_NAME:
+                fputs("Server validates DNSSEC", test_info->errout);
+                return EXIT_OK;
+
+        default:
+                break;
+        }
+
+        fputs("Server does NOT validate DNSSEC", test_info->errout);
+        return EXIT_CRITICAL;
+}
+
 static struct test_funcs_s
 {
         const char *name;
@@ -1137,6 +1209,7 @@ static struct test_funcs_s
         { "tls-cert-valid", true, false, test_certificate_valid },
         { "tls-padding", true, false, test_padding },
         { "keepalive", false, true, test_keepalive },
+        { "dnssec-validate", false, true, test_dnssec_validate },
         { NULL, false, false, NULL }
 };
 

From 62ad159f152451eca405539f295eb0dce8a79c6d Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 17 Jan 2018 13:01:29 +0000
Subject: [PATCH 043/303] Update dnssec-validate. Check we can retrieve info
 for bogus domain, and remove must use TCP flag.

Run a second query with the CD bit set and check that succeeds.
---
 src/tools/getdns_server_mon.c | 91 ++++++++++++++++++++++++++---------
 1 file changed, 68 insertions(+), 23 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 6f4523ec..c3dcad9b 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -385,17 +385,21 @@ static exit_value get_name_type_args(const struct test_info_s *test_info,
 static exit_value search(const struct test_info_s *test_info,
                          const char *name,
                          uint16_t type,
+                         getdns_dict *extensions,
                          getdns_dict **response)
 {
         getdns_return_t ret;
-        getdns_dict *extensions = getdns_dict_create();
+        getdns_dict *search_extensions =
+                (extensions) ? extensions : getdns_dict_create();
 
-        if ((ret = getdns_dict_set_int(extensions, "return_call_reporting", GETDNS_EXTENSION_TRUE)) != GETDNS_RETURN_GOOD) {
+        /* We always turn on the return_call_reporting extension. */
+        if ((ret = getdns_dict_set_int(search_extensions, "return_call_reporting", GETDNS_EXTENSION_TRUE)) != GETDNS_RETURN_GOOD) {
                 fprintf(test_info->errout,
                         "Cannot set return call reporting: %s (%d)",
                         getdns_get_errorstr_by_id(ret),
                         ret);
-                getdns_dict_destroy(extensions);
+                if (!extensions)
+                        getdns_dict_destroy(search_extensions);
                 return EXIT_UNKNOWN;
         }
 
@@ -408,9 +412,10 @@ static exit_value search(const struct test_info_s *test_info,
         ret = getdns_general_sync(test_info->context,
                                   name,
                                   type,
-                                  extensions,
+                                  search_extensions,
                                   response);
-        getdns_dict_destroy(extensions);
+        if (!extensions)
+                getdns_dict_destroy(search_extensions);
         if (ret != GETDNS_RETURN_GOOD) {
                 fprintf(test_info->errout,
                         "Error resolving '%s': %s (%d)",
@@ -689,7 +694,7 @@ static exit_value search_check(const struct test_info_s *test_info,
         exit_value xit;
         getdns_dict *resp;
 
-        if ((xit = search(test_info, lookup_name, lookup_type, &resp)) != EXIT_OK)
+        if ((xit = search(test_info, lookup_name, lookup_type, NULL, &resp)) != EXIT_OK)
                 return xit;
 
         if ((xit = check_result(test_info, resp)) != EXIT_OK)
@@ -1164,34 +1169,73 @@ static exit_value test_dnssec_validate(const struct test_info_s *test_info,
         if ((xit = search(test_info,
                           "dnssec-failed.org",
                           GETDNS_RRTYPE_A,
+                          NULL,
                           &response)) != EXIT_OK)
                 return xit;
 
-        if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
-                return xit;
-
         uint32_t error_id, rcode;
 
         if ((xit = get_result(test_info, response, &error_id, &rcode)) != EXIT_OK)
                 return xit;
 
-        switch(error_id) {
-        case GETDNS_RESPSTATUS_ALL_TIMEOUT:
+        if (error_id == GETDNS_RESPSTATUS_ALL_TIMEOUT) {
                 fputs("Search timed out", test_info->errout);
                 return EXIT_CRITICAL;
-
-        case GETDNS_RESPSTATUS_NO_SECURE_ANSWERS:
-        case GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS:
-        case GETDNS_RESPSTATUS_NO_NAME:
-                fputs("Server validates DNSSEC", test_info->errout);
-                return EXIT_OK;
-
-        default:
-                break;
         }
 
-        fputs("Server does NOT validate DNSSEC", test_info->errout);
-        return EXIT_CRITICAL;
+        if (rcode != GETDNS_RCODE_SERVFAIL) {
+                fputs("Server does NOT validate DNSSEC", test_info->errout);
+                return EXIT_CRITICAL;
+        }
+
+        /*
+         * Rerun the query, but this time set the CD bit. The lookup should
+         * succeed.
+         */
+        getdns_return_t ret;
+        getdns_dict *response2;
+        getdns_dict *extensions = getdns_dict_create();
+
+        if ((ret = getdns_dict_set_int(extensions, "/header/cd", 1)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot set CD bit: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                getdns_dict_destroy(extensions);
+                return EXIT_UNKNOWN;
+        }
+
+        if ((xit = search(test_info,
+                          "dnssec-failed.org",
+                          GETDNS_RRTYPE_A,
+                          extensions,
+                          &response2)) != EXIT_OK)
+                return xit;
+
+        getdns_dict_destroy(extensions);
+
+        /*
+         * Only now get report info from the first search, so that any
+         * verbose output appears after the context/reponse dumps.
+         */
+        if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
+                return xit;
+
+        if ((xit = get_result(test_info, response2, &error_id, &rcode)) != EXIT_OK)
+                return xit;
+
+        if (error_id == GETDNS_RESPSTATUS_ALL_TIMEOUT) {
+                fputs("Search timed out", test_info->errout);
+                return EXIT_CRITICAL;
+        }
+
+        if (error_id != GETDNS_RESPSTATUS_GOOD || rcode != GETDNS_RCODE_NOERROR) {
+                fputs("Server error - cannot determine DNSSEC status", test_info->errout);
+                return EXIT_UNKNOWN;
+        }
+
+        fputs("Server validates DNSSEC", test_info->errout);
+        return EXIT_OK;
 }
 
 static struct test_funcs_s
@@ -1209,7 +1253,7 @@ static struct test_funcs_s
         { "tls-cert-valid", true, false, test_certificate_valid },
         { "tls-padding", true, false, test_padding },
         { "keepalive", false, true, test_keepalive },
-        { "dnssec-validate", false, true, test_dnssec_validate },
+        { "dnssec-validate", false, false, test_dnssec_validate },
         { NULL, false, false, NULL }
 };
 
@@ -1471,6 +1515,7 @@ int main(int ac, char *av[])
                 break;
 
         default:
+                /* ??? is a trigraph... */
                 fputs(" (\?\?\?)", test_info.errout);
                 break;
         }

From 0291e205fdf5de997824e98005798a9f15ad964a Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 18 Jan 2018 13:59:46 +0000
Subject: [PATCH 044/303] Add TLS 1.3 test.

Add a new item tls_version to call_reporting, containing the OpenSSL version string for the name of the protocol used for the connection.

The test does a normal lookup, but first sets the cipher list to TLS1.3 only ciphers. This will cause a Bad Context error at search time, so we can tell if the underlying OpenSSL library lacks TLS 1.3. The check the call reporting for a TLS version of "TLSv1.3".
---
 src/request-internal.c        |   1 +
 src/stub.c                    |  14 ++--
 src/tools/getdns_server_mon.c | 132 +++++++++++++++++++++++++++++++---
 src/types-internal.h          |   1 +
 src/util-internal.c           |   6 ++
 5 files changed, 139 insertions(+), 15 deletions(-)

diff --git a/src/request-internal.c b/src/request-internal.c
index cc082039..8b5dafdb 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -211,6 +211,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
 	net_req->debug_tls_auth_status = GETDNS_AUTH_NONE;
 	net_req->debug_tls_peer_cert.size = 0;
 	net_req->debug_tls_peer_cert.data = NULL;
+	net_req->debug_tls_version = NULL;
 	net_req->debug_udp = 0;
 
 	/* Scheduling, touch only via _getdns_netreq_change_state!
diff --git a/src/stub.c b/src/stub.c
index 7879e0c7..ad4708c7 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1687,12 +1687,14 @@ upstream_write_cb(void *userarg)
 		remove_from_write_queue(upstream, netreq);
 
 		if (netreq->owner->return_call_reporting &&
-		    netreq->upstream->tls_obj &&
-		    netreq->debug_tls_peer_cert.data == NULL &&
-		    (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj))) {
-			netreq->debug_tls_peer_cert.size = i2d_X509(
-			    cert, &netreq->debug_tls_peer_cert.data);
-			X509_free(cert);
+		    netreq->upstream->tls_obj) {
+			if (netreq->debug_tls_peer_cert.data == NULL &&
+			    (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj))) {
+				netreq->debug_tls_peer_cert.size = i2d_X509(
+					cert, &netreq->debug_tls_peer_cert.data);
+				X509_free(cert);
+			}
+			netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj);
 		}
 		/* Need this because auth status is reset on connection close */
 		netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;
diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index c3dcad9b..300bffbf 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -54,6 +54,13 @@
 
 #define EDNS0_PADDING_CODE              12
 
+static const char TLS13_CIPHER_SUITE[] =
+        "TLS13-AES-256-GCM-SHA384:"
+        "TLS13-CHACHA20-POLY1305-SHA256:"
+        "TLS13-AES-128-GCM-SHA256:"
+        "TLS13-AES-128-CCM-8-SHA256:"
+        "TLS13-AES-128-CCM-SHA256";
+
 #define EXAMPLE_PIN "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\""
 
 /* Plugin exit values */
@@ -298,6 +305,7 @@ static void usage()
 "                                Check server support for EDNS0 padding in TLS\n"
 "                                Special blocksize values are 0 = off,\n"
 "                                1 = sensible default.\n"
+"  tls-1.3                       Check whether server supports TLS 1.3\n"
 "\n"
 "Enabling monitoring mode ensures output messages and exit statuses conform\n"
 "to the requirements of monitoring plugins (www.monitoring-plugins.org).\n",
@@ -386,7 +394,8 @@ static exit_value search(const struct test_info_s *test_info,
                          const char *name,
                          uint16_t type,
                          getdns_dict *extensions,
-                         getdns_dict **response)
+                         getdns_dict **response,
+                         getdns_return_t *getdns_return)
 {
         getdns_return_t ret;
         getdns_dict *search_extensions =
@@ -394,6 +403,8 @@ static exit_value search(const struct test_info_s *test_info,
 
         /* We always turn on the return_call_reporting extension. */
         if ((ret = getdns_dict_set_int(search_extensions, "return_call_reporting", GETDNS_EXTENSION_TRUE)) != GETDNS_RETURN_GOOD) {
+                if (getdns_return)
+                        *getdns_return = ret;
                 fprintf(test_info->errout,
                         "Cannot set return call reporting: %s (%d)",
                         getdns_get_errorstr_by_id(ret),
@@ -417,11 +428,15 @@ static exit_value search(const struct test_info_s *test_info,
         if (!extensions)
                 getdns_dict_destroy(search_extensions);
         if (ret != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Error resolving '%s': %s (%d)",
-                        name,
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                if (getdns_return) {
+                        *getdns_return = ret;
+                } else {
+                        fprintf(test_info->errout,
+                                "Error resolving '%s': %s (%d)",
+                                name,
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                }
                 return EXIT_CRITICAL;
         }
 
@@ -431,6 +446,8 @@ static exit_value search(const struct test_info_s *test_info,
                         getdns_pretty_print_dict(*response));
         }
 
+        if (getdns_return)
+                *getdns_return = ret;
         return EXIT_OK;
 }
 
@@ -694,7 +711,7 @@ static exit_value search_check(const struct test_info_s *test_info,
         exit_value xit;
         getdns_dict *resp;
 
-        if ((xit = search(test_info, lookup_name, lookup_type, NULL, &resp)) != EXIT_OK)
+        if ((xit = search(test_info, lookup_name, lookup_type, NULL, &resp, NULL)) != EXIT_OK)
                 return xit;
 
         if ((xit = check_result(test_info, resp)) != EXIT_OK)
@@ -1170,7 +1187,8 @@ static exit_value test_dnssec_validate(const struct test_info_s *test_info,
                           "dnssec-failed.org",
                           GETDNS_RRTYPE_A,
                           NULL,
-                          &response)) != EXIT_OK)
+                          &response,
+                          NULL)) != EXIT_OK)
                 return xit;
 
         uint32_t error_id, rcode;
@@ -1209,7 +1227,8 @@ static exit_value test_dnssec_validate(const struct test_info_s *test_info,
                           "dnssec-failed.org",
                           GETDNS_RRTYPE_A,
                           extensions,
-                          &response2)) != EXIT_OK)
+                          &response2,
+                          NULL)) != EXIT_OK)
                 return xit;
 
         getdns_dict_destroy(extensions);
@@ -1238,6 +1257,100 @@ static exit_value test_dnssec_validate(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
+static exit_value test_tls13(const struct test_info_s *test_info,
+                             char ** av)
+{
+        exit_value xit;
+        getdns_return_t ret;
+
+        if (*av) {
+                fputs("tls-1.3 takes no arguments", test_info->errout);
+                return EXIT_USAGE;
+        }
+
+        /*
+         * Set cipher list to TLS 1.3-only ciphers. If we are using
+         * an OpenSSL version that doesn't support TLS 1.3 this will cause
+         * a Bad Context error on the lookup.
+         */
+        if ((ret = getdns_context_set_tls_cipher_list(test_info->context, TLS13_CIPHER_SUITE)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot set TLS 1.3 cipher list: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+        }
+
+        getdns_dict *response;
+
+        if ((xit = search(test_info,
+                          DEFAULT_LOOKUP_NAME,
+                          DEFAULT_LOOKUP_TYPE,
+                          NULL,
+                          &response,
+                          &ret)) != EXIT_OK) {
+                if (xit == EXIT_CRITICAL) {
+                        if (ret == GETDNS_RETURN_BAD_CONTEXT) {
+                                fputs("Your version of OpenSSL does not support TLS 1.3 ciphers. You need at least OpenSSL 1.1.1.",
+                                      test_info->errout);
+                                return EXIT_UNKNOWN;
+                        } else {
+                                fputs("Cannot establish TLS 1.3 connection.",
+                                      test_info->errout);
+                                return EXIT_CRITICAL;
+                        }
+                } else {
+                        return xit;
+                }
+        }
+
+        if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
+                return xit;
+
+        getdns_list *l;
+
+        if ((ret = getdns_dict_get_list(response, "call_reporting", &l)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get call report: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        getdns_dict *d;
+
+        if ((ret = getdns_list_get_dict(l, 0, &d)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get call report first item: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        /* Search is forced TLS, so tls_version flag must exist. */
+        getdns_bindata *version;
+
+        if ((ret = getdns_dict_get_bindata(d, "tls_version", &version)) != GETDNS_RETURN_GOOD) {
+                fprintf(test_info->errout,
+                        "Cannot get TLS version: %s (%d)",
+                        getdns_get_errorstr_by_id(ret),
+                        ret);
+                return EXIT_UNKNOWN;
+        }
+
+        const char TLS_1_3_SIG[] = "TLSv1.3";
+
+        if (strncmp((const char *)version->data, TLS_1_3_SIG, sizeof(TLS_1_3_SIG) - 1) != 0) {
+                fputs("Server does not support TLS 1.3", test_info->errout);
+                return EXIT_CRITICAL;
+        }
+
+        if ((xit = check_result(test_info, response)) != EXIT_OK)
+                return xit;
+
+        fputs("Server supports TLS 1.3", test_info->errout);
+        return EXIT_OK;
+}
+
 static struct test_funcs_s
 {
         const char *name;
@@ -1254,6 +1367,7 @@ static struct test_funcs_s
         { "tls-padding", true, false, test_padding },
         { "keepalive", false, true, test_keepalive },
         { "dnssec-validate", false, false, test_dnssec_validate },
+        { "tls-1.3", true, false, test_tls13 },
         { NULL, false, false, NULL }
 };
 
diff --git a/src/types-internal.h b/src/types-internal.h
index 3199b134..76615625 100644
--- a/src/types-internal.h
+++ b/src/types-internal.h
@@ -242,6 +242,7 @@ typedef struct getdns_network_req
 	uint64_t                debug_end_time;
 	getdns_auth_state_t     debug_tls_auth_status;
 	getdns_bindata          debug_tls_peer_cert;
+	const char             *debug_tls_version;
 	size_t                  debug_udp;
 
 	/* When more space is needed for the wire_data response than is
diff --git a/src/util-internal.c b/src/util-internal.c
index 3ec15995..0bceb002 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -920,6 +920,12 @@ _getdns_create_call_reporting_dict(
 		getdns_dict_destroy(netreq_debug);
 		return NULL;
 	}
+	if (getdns_dict_util_set_string(netreq_debug, "tls_version",
+	    netreq->debug_tls_version)){
+
+		getdns_dict_destroy(netreq_debug);
+		return NULL;
+	}
 	if (getdns_dict_set_bindata(netreq_debug, "tls_peer_cert",
 	    &netreq->debug_tls_peer_cert)) {
 

From f9e4c9f8532bb5c107fdeef92490e3f03c882818 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 22 Jan 2018 14:36:54 +0000
Subject: [PATCH 045/303] Revise output.

If in monitoring mode, make output conform to Nagios norms. This starts with the probe type and result, so we need to save output generated during the operation and print it at the end.

If not in monitoring mode, make the formatting more expansive.
---
 src/tools/getdns_server_mon.c | 611 ++++++++++++++++++++--------------
 1 file changed, 364 insertions(+), 247 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 300bffbf..ab711975 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -26,6 +26,7 @@
  */
 
 #include <ctype.h>
+#include <stdarg.h>
 #include <stdbool.h>
 #include <stddef.h>
 #include <stdio.h>
@@ -80,19 +81,39 @@ typedef enum {
         VERBOSITY_DEBUG
 } plugin_verbosity;
 
+#define MAX_BASE_OUTPUT_LEN             256
+#define MAX_PERF_OUTPUT_LEN             256
+
 static struct test_info_s
 {
         getdns_context *context;
 
-        /* Output control */
+        /* Output */
         bool monitoring;
         FILE *errout;
         plugin_verbosity verbosity;
+        bool debug_output;
+        char base_output[MAX_BASE_OUTPUT_LEN + 1];
+        char perf_output[MAX_PERF_OUTPUT_LEN + 1];
 
         /* Test config info */
         bool fail_on_dns_errors;
 } test_info;
 
+static void snprintcat(char *buf, size_t buflen, const char *format, ...)
+{
+        va_list ap;
+        int l = strlen(buf);
+
+        buf += l;
+        buflen -= l;
+
+        va_start(ap, format);
+        vsnprintf(buf, buflen, format, ap);
+        va_end(ap);
+        buf[buflen] = '\0';
+}
+
 static int get_rrtype(const char *t)
 {
         char buf[1024] = "GETDNS_RRTYPE_";
@@ -263,7 +284,7 @@ static void usage()
 {
         fputs(
 "Usage: " APP_NAME " [-M] [-E] [(-u|-t|-T)] [-S] [-K <spki-pin>]\n"
-"        [-v [-v [-v]]] [-V] @upstream testname [<name>] [<type>]\n"
+"        [-v [-v [-v]]] [-V] @upstream testname [<test args>]\n"
 "  -M|--monitoring               Make output suitable for monitoring tools\n"
 "  -E|--fail-on-dns-errors       Fail on DNS error (NXDOMAIN, SERVFAIL)\n"
 "  -u|--udp                      Use UDP transport\n"
@@ -272,6 +293,7 @@ static void usage()
 "  -S|--strict-usage-profile     Use strict profile (require authentication)\n"
 "  -K|--spki-pin <spki-pin>      SPKI pin for TLS connections (can repeat)\n"
 "  -v|--verbose                  Increase output verbosity\n"
+"  -D|--debug                    Enable debugging output\n"
 "  -V|--version                  Report GetDNS version\n"
 "\n"
 "spki-pin: Should look like '" EXAMPLE_PIN "'\n"
@@ -364,7 +386,7 @@ static void get_thresholds(char ***av,
         return;
 }
 
-static exit_value get_name_type_args(const struct test_info_s *test_info,
+static exit_value get_name_type_args(struct test_info_s *test_info,
                                      char ***av,
                                      const char **lookup_name,
                                      uint32_t *lookup_type)
@@ -373,7 +395,7 @@ static exit_value get_name_type_args(const struct test_info_s *test_info,
                 if (strlen(**av) > 0) {
                         *lookup_name = **av;
                 } else {
-                        fputs("Empty name not valid", test_info->errout);
+                        strcpy(test_info->base_output, "Empty name not valid");
                         return EXIT_UNKNOWN;
                 }
                 ++*av;
@@ -390,7 +412,7 @@ static exit_value get_name_type_args(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value search(const struct test_info_s *test_info,
+static exit_value search(struct test_info_s *test_info,
                          const char *name,
                          uint16_t type,
                          getdns_dict *extensions,
@@ -405,19 +427,24 @@ static exit_value search(const struct test_info_s *test_info,
         if ((ret = getdns_dict_set_int(search_extensions, "return_call_reporting", GETDNS_EXTENSION_TRUE)) != GETDNS_RETURN_GOOD) {
                 if (getdns_return)
                         *getdns_return = ret;
-                fprintf(test_info->errout,
-                        "Cannot set return call reporting: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot set return call reporting: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 if (!extensions)
                         getdns_dict_destroy(search_extensions);
                 return EXIT_UNKNOWN;
         }
 
-        if (test_info->verbosity >= VERBOSITY_DEBUG) {
-                fprintf(test_info->errout,
-                        "Context: %s\n",
-                        getdns_pretty_print_dict(getdns_context_get_api_information(test_info->context)));
+        if (test_info->verbosity >= VERBOSITY_ADDITIONAL &&
+            !test_info->monitoring) {
+                printf("Lookup:\t\t\t%s %u\n", name, type);
+        }
+
+        if (test_info->debug_output) {
+                printf("Context: %s\n",
+                       getdns_pretty_print_dict(getdns_context_get_api_information(test_info->context)));
         }
 
         ret = getdns_general_sync(test_info->context,
@@ -431,19 +458,19 @@ static exit_value search(const struct test_info_s *test_info,
                 if (getdns_return) {
                         *getdns_return = ret;
                 } else {
-                        fprintf(test_info->errout,
-                                "Error resolving '%s': %s (%d)",
-                                name,
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Error resolving '%s': %s (%d)",
+                                 name,
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                 }
                 return EXIT_CRITICAL;
         }
 
-        if (test_info->verbosity >= VERBOSITY_DEBUG) {
-                fprintf(test_info->errout,
-                        "Response: %s\n",
-                        getdns_pretty_print_dict(*response));
+        if (test_info->debug_output) {
+                printf("Response: %s\n",
+                       getdns_pretty_print_dict(*response));
         }
 
         if (getdns_return)
@@ -451,7 +478,7 @@ static exit_value search(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value get_result(const struct test_info_s *test_info,
+static exit_value get_result(struct test_info_s *test_info,
                              const getdns_dict *response,
                              uint32_t *error_id,
                              uint32_t *rcode)
@@ -459,10 +486,11 @@ static exit_value get_result(const struct test_info_s *test_info,
         getdns_return_t ret;
 
         if ((ret = getdns_dict_get_int(response, "status", error_id)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get result status: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get result status: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
@@ -472,17 +500,18 @@ static exit_value get_result(const struct test_info_s *test_info,
         }
 
         if ((ret = getdns_dict_get_int(response, "/replies_tree/0/header/rcode", rcode)) !=  GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get DNS return code: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get DNS return code: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
         return EXIT_OK;
 }
 
-static exit_value check_result(const struct test_info_s *test_info,
+static exit_value check_result(struct test_info_s *test_info,
                                const getdns_dict *response)
 {
         exit_value xit;
@@ -493,15 +522,15 @@ static exit_value check_result(const struct test_info_s *test_info,
 
         switch(error_id) {
         case GETDNS_RESPSTATUS_ALL_TIMEOUT:
-                fputs("Search timed out", test_info->errout);
+                strcpy(test_info->base_output, "Search timed out");
                 return EXIT_CRITICAL;
 
         case GETDNS_RESPSTATUS_NO_SECURE_ANSWERS:
-                fputs("No secure answers", test_info->errout);
+                strcpy(test_info->base_output, "No secure answers");
                 return EXIT_CRITICAL;
 
         case GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS:
-                fputs("All answers are bogus", test_info->errout);
+                strcpy(test_info->base_output, "All answers are bogus");
                 return EXIT_CRITICAL;
 
         default:
@@ -509,24 +538,31 @@ static exit_value check_result(const struct test_info_s *test_info,
         }
 
         if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
-                fprintf(test_info->errout,
-                        "result: %s (%d), ",
-                        getdns_get_errorstr_by_id(error_id),
-                        error_id);
+                if (test_info->monitoring) {
+                        snprintcat(test_info->perf_output,
+                                   MAX_PERF_OUTPUT_LEN,
+                                   "result=%d;",
+                                   error_id);
+                } else {
+                        printf("DNS result:\t\t%s (%d)\n",
+                                   getdns_get_errorstr_by_id(error_id),
+                                   error_id);
+                }
         }
 
         if (test_info->fail_on_dns_errors && rcode > 0) {
-                fprintf(test_info->errout,
-                        "DNS error %s (%d)",
-                        rcode_text(rcode),
-                        rcode);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "DNS error %s (%d)",
+                         rcode_text(rcode),
+                         rcode);
                 return EXIT_CRITICAL;
         }
 
         return EXIT_OK;
 }
 
-static exit_value get_report_info(const struct test_info_s *test_info,
+static exit_value get_report_info(struct test_info_s *test_info,
                                   const getdns_dict *response,
                                   uint32_t *rtt,
                                   getdns_bindata **auth_status,
@@ -539,80 +575,120 @@ static exit_value get_report_info(const struct test_info_s *test_info,
         time_t cert_expire_time_val = 0;
 
         if ((ret = getdns_dict_get_list(response, "call_reporting", &l)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get call report: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get call report: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
         getdns_dict *d;
+
         if ((ret = getdns_list_get_dict(l, 0, &d)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get call report first item: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get call report first item: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
         if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
                 uint32_t transport;
+                const char *transport_text = "???";
+
                 if ((ret = getdns_dict_get_int(d, "transport", &transport)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info->errout,
-                                "Cannot get transport: %s (%d)",
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Cannot get transport: %s (%d)",
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
+
                 switch(transport) {
                 case GETDNS_TRANSPORT_UDP:
-                        fputs("UDP, ", test_info->errout);
+                        transport_text = "UDP";
                         break;
 
                 case GETDNS_TRANSPORT_TCP:
-                        fputs("TCP, ", test_info->errout);
+                        transport_text = "TCP";
                         break;
 
                 case GETDNS_TRANSPORT_TLS:
-                        fputs("TLS, ", test_info->errout);
-                        break;
-
-                default:
-                        fputs("???, ", test_info->errout);
+                        transport_text = "TLS";
                         break;
                 }
+
+                if (test_info->monitoring) {
+                        snprintcat(test_info->perf_output,
+                                   MAX_PERF_OUTPUT_LEN,
+                                   "transport=%s;",
+                                   transport_text);
+                } else {
+                        printf("Transport:\t\t%s\n", transport_text);
+                }
         }
+
         if ((ret = getdns_dict_get_int(d, "run_time/ms", &rtt_val)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get RTT: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get RTT: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
         if (rtt)
                 *rtt = rtt_val;
-        if (test_info->verbosity >= VERBOSITY_ADDITIONAL)
-                fprintf(test_info->errout, "RTT %dms, ", rtt_val);
+        if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
+                if (test_info->monitoring) {
+                        snprintcat(test_info->perf_output,
+                                   MAX_PERF_OUTPUT_LEN,
+                                   "rtt=%dms;",
+                                   rtt_val);
+                } else {
+                        printf("RTT:\t\t\t%dms\n", rtt_val);
+                }
+        }
 
         if (getdns_dict_get_bindata(d, "tls_auth_status", &auth_status_val) == GETDNS_RETURN_GOOD) {
+                const char *auth_status_text = (char *) auth_status_val->data;
+
                 /* Just in case - not sure this is necessary */
                 auth_status_val->data[auth_status_val->size] = '\0';
-                if (test_info->verbosity >= VERBOSITY_ADDITIONAL)
-                        fprintf(test_info->errout, "auth. %s, ", (char *) auth_status_val->data);
+                if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
+                        if (test_info->monitoring) {
+                        snprintcat(test_info->perf_output,
+                                   MAX_PERF_OUTPUT_LEN,
+                                   "auth=%s;",
+                                   auth_status_text);
+                        } else {
+                                printf("Authentication:\t\t%s\n", auth_status_text);
+                        }
+                }
         }
         if (auth_status)
                 *auth_status = auth_status_val;
 
         getdns_bindata *cert;
+
         if (getdns_dict_get_bindata(d, "tls_peer_cert", &cert) == GETDNS_RETURN_GOOD) {
                 if (!extract_cert_expiry(cert->data, cert->size, &cert_expire_time_val)) {
-                        fputs("Cannot parse PKIX certificate", test_info->errout);
+                        strcpy(test_info->base_output, "Cannot parse PKIX certificate");
                         return EXIT_UNKNOWN;
                 }
                 if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
                         struct tm *tm = gmtime(&cert_expire_time_val);
                         char buf[25];
-                        strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S UTC", tm);
-                        fprintf(test_info->errout, "cert expiry %s, ", buf);
+                        strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S", tm);
+                        if (test_info->monitoring) {
+                                snprintcat(test_info->perf_output,
+                                           MAX_PERF_OUTPUT_LEN,
+                                           "expire=%s;",
+                                           buf);
+                        } else {
+                                printf("Certicate expires:\t%s UTC\n", buf);
+                        }
                 }
         }
         if (cert_expire_time)
@@ -621,7 +697,7 @@ static exit_value get_report_info(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value get_answers(const struct test_info_s *test_info,
+static exit_value get_answers(struct test_info_s *test_info,
                               const getdns_dict *response,
                               const char *section,
                               getdns_list **answers,
@@ -633,33 +709,36 @@ static exit_value get_answers(const struct test_info_s *test_info,
         snprintf(buf, sizeof(buf), "/replies_tree/0/%s", section);
 
         if ((ret = getdns_dict_get_list(response, buf, answers)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get section '%s': %s (%d)",
-                        section,
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get section '%s': %s (%d)",
+                         section,
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
         if ((ret = getdns_list_get_length(*answers, no_answers)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get number of items in '%s': %s (%d)",
-                        section,
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get number of items in '%s': %s (%d)",
+                         section,
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
         if (*no_answers <= 0) {
-                fprintf(test_info->errout,
-                        "Zero entries in '%s'",
-                        section);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Zero entries in '%s'",
+                         section);
                 return EXIT_WARNING;
         }
 
         return EXIT_OK;
 }
 
-static exit_value check_answer_type(const struct test_info_s *test_info,
+static exit_value check_answer_type(struct test_info_s *test_info,
                                     const getdns_dict *response,
                                     uint32_t rrtype)
 {
@@ -675,32 +754,34 @@ static exit_value check_answer_type(const struct test_info_s *test_info,
                 getdns_return_t ret;
 
                 if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info->errout,
-                                "Cannot get answer number %zu: %s (%d)",
-                                i,
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Cannot get answer number %zu: %s (%d)",
+                                 i,
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
 
                 uint32_t rtype;
 
                 if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info->errout,
-                                "Cannot get answer type: %s (%d)",
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Cannot get answer type: %s (%d)",
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
                 if (rtype == rrtype)
                         return EXIT_OK;
         }
 
-        fputs("Answer does not contain expected type", test_info->errout);
+        strcpy(test_info->base_output, "Answer does not contain expected type");
         return EXIT_UNKNOWN;
 }
 
-static exit_value search_check(const struct test_info_s *test_info,
+static exit_value search_check(struct test_info_s *test_info,
                                const char *lookup_name,
                                uint16_t lookup_type,
                                getdns_dict **response,
@@ -728,7 +809,7 @@ static exit_value search_check(const struct test_info_s *test_info,
         return xit;
 }
 
-static exit_value parse_search_check(const struct test_info_s *test_info,
+static exit_value parse_search_check(struct test_info_s *test_info,
                                      char **av,
                                      const char *usage,
                                      getdns_dict **response,
@@ -744,7 +825,7 @@ static exit_value parse_search_check(const struct test_info_s *test_info,
                 return xit;
 
         if (*av) {
-                fputs(usage, test_info->errout);
+                strcpy(test_info->base_output, usage);
                 return EXIT_USAGE;
         }
 
@@ -758,7 +839,7 @@ static exit_value parse_search_check(const struct test_info_s *test_info,
  ** Test routines.
  **/
 
-static exit_value test_lookup(const struct test_info_s *test_info,
+static exit_value test_lookup(struct test_info_s *test_info,
                               char ** av)
 {
         exit_value xit;
@@ -772,11 +853,11 @@ static exit_value test_lookup(const struct test_info_s *test_info,
                                       NULL)) != EXIT_OK)
                 return xit;
 
-        fputs("Lookup succeeded", test_info->errout);
+        strcpy(test_info->base_output, "Lookup succeeded");
         return EXIT_OK;
 }
 
-static exit_value test_rtt(const struct test_info_s *test_info,
+static exit_value test_rtt(struct test_info_s *test_info,
                            char ** av)
 {
         exit_value xit;
@@ -795,7 +876,10 @@ static exit_value test_rtt(const struct test_info_s *test_info,
                                       NULL)) != EXIT_OK)
                 return xit;
 
-        fputs("RTT lookup succeeded", test_info->errout);
+        snprintf(test_info->base_output,
+                 MAX_BASE_OUTPUT_LEN,
+                 "RTT lookup succeeded in %dms",
+                 rtt_val);
 
         if ((int) rtt_val > critical_ms)
                 return EXIT_CRITICAL;
@@ -804,7 +888,7 @@ static exit_value test_rtt(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value test_authenticate(const struct test_info_s *test_info,
+static exit_value test_authenticate(struct test_info_s *test_info,
                                     char ** av)
 {
         exit_value xit;
@@ -820,15 +904,15 @@ static exit_value test_authenticate(const struct test_info_s *test_info,
                 return xit;
 
         if (!auth_status || strcmp((char *) auth_status->data, "Success") != 0) {
-                fputs("Authentication failed", test_info->errout);
+                strcpy(test_info->base_output, "Authentication failed");
                 return EXIT_CRITICAL;
         } else {
-                fputs("Authentication succeeded", test_info->errout);
+                strcpy(test_info->base_output, "Authentication succeeded");
                 return EXIT_OK;
         }
 }
 
-static exit_value test_certificate_valid(const struct test_info_s *test_info,
+static exit_value test_certificate_valid(struct test_info_s *test_info,
                                          char **av)
 {
         exit_value xit;
@@ -849,7 +933,7 @@ static exit_value test_certificate_valid(const struct test_info_s *test_info,
 
 
         if (expire_time == 0) {
-                fputs("No PKIX certificate", test_info->errout);
+                strcpy(test_info->base_output, "No PKIX certificate");
                 return EXIT_CRITICAL;
         }
 
@@ -857,19 +941,21 @@ static exit_value test_certificate_valid(const struct test_info_s *test_info,
         int days_to_expiry = (expire_time - now) / 86400;
 
         if (days_to_expiry < 0) {
-                fprintf(test_info->errout,
-                        "Certificate expired %d day%s ago",
-                        -days_to_expiry,
-                        (days_to_expiry < -1) ? "s" : "");
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Certificate expired %d day%s ago",
+                         -days_to_expiry,
+                         (days_to_expiry < -1) ? "s" : "");
                 return EXIT_CRITICAL;
         }
         if (days_to_expiry == 0) {
-                fputs("Certificate expires today", test_info->errout);
+                strcpy(test_info->base_output, "Certificate expires today");
         } else {
-                fprintf(test_info->errout,
-                        "Certificate will expire in %d day%s",
-                        days_to_expiry,
-                        (days_to_expiry > 1) ? "s" : "");
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Certificate will expire in %d day%s",
+                         days_to_expiry,
+                         (days_to_expiry > 1) ? "s" : "");
         }
         if (days_to_expiry <= critical_days) {
                 return EXIT_CRITICAL;
@@ -880,12 +966,11 @@ static exit_value test_certificate_valid(const struct test_info_s *test_info,
         return EXIT_OK;
 }
 
-static exit_value test_qname_minimisation(const struct test_info_s *test_info,
+static exit_value test_qname_minimisation(struct test_info_s *test_info,
                                           char ** av)
 {
         if (*av) {
-                fputs("qname-min takes no arguments",
-                      test_info->errout);
+                strcpy(test_info->base_output, "qname-min takes no arguments");
                 return EXIT_USAGE;
         }
 
@@ -912,21 +997,23 @@ static exit_value test_qname_minimisation(const struct test_info_s *test_info,
                 getdns_return_t ret;
 
                 if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info->errout,
-                                "Cannot get answer number %zu: %s (%d)",
-                                i,
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Cannot get answer number %zu: %s (%d)",
+                                 i,
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
 
                 uint32_t rtype;
 
                 if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info->errout,
-                                "Cannot get answer type: %s (%d)",
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Cannot get answer type: %s (%d)",
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
                 if (rtype != GETDNS_RRTYPE_TXT)
@@ -935,19 +1022,19 @@ static exit_value test_qname_minimisation(const struct test_info_s *test_info,
                 getdns_bindata *rtxt;
 
                 if ((ret = getdns_dict_get_bindata(answer, "/rdata/txt_strings/0", &rtxt)) != GETDNS_RETURN_GOOD) {
-                        fputs("No answer text", test_info->errout);
+                        strcpy(test_info->base_output, "No answer text");
                         return EXIT_UNKNOWN;
                 }
 
                 if (rtxt->size > 0 ) {
                         switch(rtxt->data[0]) {
                         case 'H':
-                                fputs("QNAME minimisation ON", test_info->errout);
+                                strcpy(test_info->base_output, "QNAME minimisation ON");
                                 return EXIT_OK;
 
                         case 'N':
-                                fputs("QNAME minimisation OFF", test_info->errout);
-                                return EXIT_WARNING;
+                                strcpy(test_info->base_output, "QNAME minimisation OFF");
+                                return EXIT_CRITICAL;
 
                         default:
                                 /* Unrecognised message. */
@@ -956,11 +1043,11 @@ static exit_value test_qname_minimisation(const struct test_info_s *test_info,
                 }
         }
 
-        fputs("No valid QNAME minimisation data", test_info->errout);
+        strcpy(test_info->base_output, "No valid QNAME minimisation data");
         return EXIT_UNKNOWN;
 }
 
-static exit_value test_padding(const struct test_info_s *test_info,
+static exit_value test_padding(struct test_info_s *test_info,
                                char ** av)
 {
         getdns_dict *response;
@@ -970,17 +1057,18 @@ static exit_value test_padding(const struct test_info_s *test_info,
         const char USAGE[] = "padding takes arguments <blocksize> [<name> [<type>]]";
 
         if (!*av || (blocksize = strtol(*av, &endptr, 10), *endptr != '\0' || blocksize < 0)) {
-                fputs(USAGE, test_info->errout);
+                strcpy(test_info->base_output, USAGE);
                 return EXIT_USAGE;
         }
         ++av;
 
         getdns_return_t ret;
         if ((ret = getdns_context_set_tls_query_padding_blocksize(test_info->context, (uint16_t) blocksize)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot set padding blocksize: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot set padding blocksize: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
@@ -1004,21 +1092,23 @@ static exit_value test_padding(const struct test_info_s *test_info,
                 getdns_return_t ret;
 
                 if ((ret = getdns_list_get_dict(answers, i, &answer)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info->errout,
-                                "Cannot get answer number %zu: %s (%d)",
-                                i,
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Cannot get answer number %zu: %s (%d)",
+                                 i,
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
 
                 uint32_t rtype;
 
                 if ((ret = getdns_dict_get_int(answer, "type", &rtype)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info->errout,
-                                "Cannot get answer type: %s (%d)",
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Cannot get answer type: %s (%d)",
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
                 if (rtype != GETDNS_RRTYPE_OPT)
@@ -1031,10 +1121,11 @@ static exit_value test_padding(const struct test_info_s *test_info,
                         goto no_padding;
                 }
                 if ((ret = getdns_list_get_length(options, &no_options)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info->errout,
-                                "Cannot get number of options: %s (%d)",
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Cannot get number of options: %s (%d)",
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
 
@@ -1043,18 +1134,20 @@ static exit_value test_padding(const struct test_info_s *test_info,
                         uint32_t code;
 
                         if ((ret = getdns_list_get_dict(options, j, &option)) != GETDNS_RETURN_GOOD) {
-                                fprintf(test_info->errout,
-                                        "Cannot get option number %zu: %s (%d)",
-                                        j,
-                                        getdns_get_errorstr_by_id(ret),
-                                        ret);
+                                snprintf(test_info->base_output,
+                                         MAX_BASE_OUTPUT_LEN,
+                                         "Cannot get option number %zu: %s (%d)",
+                                         j,
+                                         getdns_get_errorstr_by_id(ret),
+                                         ret);
                                 return EXIT_UNKNOWN;
                         }
                         if ((ret = getdns_dict_get_int(option, "option_code", &code)) != GETDNS_RETURN_GOOD) {
-                                fprintf(test_info->errout,
-                                        "Cannot get option code: %s (%d)",
-                                        getdns_get_errorstr_by_id(ret),
-                                        ret);
+                                snprintf(test_info->base_output,
+                                         MAX_BASE_OUTPUT_LEN,
+                                         "Cannot get option code: %s (%d)",
+                                         getdns_get_errorstr_by_id(ret),
+                                         ret);
                                 return EXIT_UNKNOWN;
                         }
 
@@ -1065,26 +1158,28 @@ static exit_value test_padding(const struct test_info_s *test_info,
                         getdns_bindata *data;
 
                         if ((ret = getdns_dict_get_bindata(option, "option_data", &data)) != GETDNS_RETURN_GOOD) {
-                                fprintf(test_info->errout,
-                                        "Cannot get option code: %s (%d)",
-                                        getdns_get_errorstr_by_id(ret),
-                                        ret);
+                                snprintf(test_info->base_output,
+                                         MAX_BASE_OUTPUT_LEN,
+                                         "Cannot get option code: %s (%d)",
+                                         getdns_get_errorstr_by_id(ret),
+                                         ret);
                                 return EXIT_UNKNOWN;
                         }
 
-                        fprintf(test_info->errout,
-                                "Padding found, length %zu",
-                                data->size);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Padding found, length %zu",
+                                 data->size);
                         return EXIT_OK;
                 }
         }
 
 no_padding:
-        fputs("No padding found", test_info->errout);
+        strcpy(test_info->base_output, "No padding found");
         return EXIT_CRITICAL;
 }
 
-static exit_value test_keepalive(const struct test_info_s *test_info,
+static exit_value test_keepalive(struct test_info_s *test_info,
                                  char ** av)
 {
         getdns_dict *response;
@@ -1094,17 +1189,18 @@ static exit_value test_keepalive(const struct test_info_s *test_info,
         const char USAGE[] = "keepalive takes arguments <timeout-ms> [<name> [<type>]]";
 
         if (!*av || (timeout = strtoll(*av, &endptr, 10), *endptr != '\0' || timeout < 0)) {
-                fputs(USAGE, test_info->errout);
+                strcpy(test_info->base_output, USAGE);
                 return EXIT_USAGE;
         }
         ++av;
 
         getdns_return_t ret;
         if ((ret = getdns_context_set_idle_timeout(test_info->context, (uint64_t) timeout)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot set keepalive timeout: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot set keepalive timeout: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
@@ -1120,29 +1216,32 @@ static exit_value test_keepalive(const struct test_info_s *test_info,
         getdns_list *l;
 
         if ((ret = getdns_dict_get_list(response, "call_reporting", &l)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get call report: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get call report: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
         getdns_dict *d;
         if ((ret = getdns_list_get_dict(l, 0, &d)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get call report first item: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get call report first item: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
         /* Search is forced to be TCP or TLS, so server keepalive flag must exist. */
         uint32_t server_keepalive_received;
         if ((ret = getdns_dict_get_int(d, "server_keepalive_received", &server_keepalive_received)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get server keepalive flag: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get server keepalive flag: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
@@ -1152,31 +1251,34 @@ static exit_value test_keepalive(const struct test_info_s *test_info,
 
                 if (!((ret = getdns_dict_get_int(d, "idle timeout in ms", &t)) == GETDNS_RETURN_GOOD ||
                       (overflow = true, ret = getdns_dict_get_int(d, "idle timeout in ms (overflow)", &t)) == GETDNS_RETURN_GOOD)) {
-                        fprintf(test_info->errout,
-                                "Cannot get idle timeout: %s (%d)",
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Cannot get idle timeout: %s (%d)",
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
 
                 if (overflow) {
-                        fputs("Server sent keepalive, idle timeout now (overflow)", test_info->errout);
+                        strcpy(test_info->base_output, "Server sent keepalive, idle timeout now (overflow)");
                 } else {
-                        fprintf(test_info->errout, "Server sent keepalive, idle timeout now %ums", t);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Server sent keepalive, idle timeout now %ums",
+                                 t);
                 }
                 return EXIT_OK;
         } else {
-                fputs("Server did not send keepalive", test_info->errout);
+                strcpy(test_info->base_output, "Server did not send keepalive");
                 return EXIT_CRITICAL;
         }
 }
 
-static exit_value test_dnssec_validate(const struct test_info_s *test_info,
+static exit_value test_dnssec_validate(struct test_info_s *test_info,
                                        char ** av)
 {
         if (*av) {
-                fputs("dnssec-validate takes no arguments",
-                      test_info->errout);
+                strcpy(test_info->base_output, "dnssec-validate takes no arguments");
                 return EXIT_USAGE;
         }
 
@@ -1197,12 +1299,12 @@ static exit_value test_dnssec_validate(const struct test_info_s *test_info,
                 return xit;
 
         if (error_id == GETDNS_RESPSTATUS_ALL_TIMEOUT) {
-                fputs("Search timed out", test_info->errout);
+                strcpy(test_info->base_output, "Search timed out");
                 return EXIT_CRITICAL;
         }
 
         if (rcode != GETDNS_RCODE_SERVFAIL) {
-                fputs("Server does NOT validate DNSSEC", test_info->errout);
+                strcpy(test_info->base_output, "Server does NOT validate DNSSEC");
                 return EXIT_CRITICAL;
         }
 
@@ -1215,10 +1317,11 @@ static exit_value test_dnssec_validate(const struct test_info_s *test_info,
         getdns_dict *extensions = getdns_dict_create();
 
         if ((ret = getdns_dict_set_int(extensions, "/header/cd", 1)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot set CD bit: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot set CD bit: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 getdns_dict_destroy(extensions);
                 return EXIT_UNKNOWN;
         }
@@ -1244,27 +1347,27 @@ static exit_value test_dnssec_validate(const struct test_info_s *test_info,
                 return xit;
 
         if (error_id == GETDNS_RESPSTATUS_ALL_TIMEOUT) {
-                fputs("Search timed out", test_info->errout);
+                strcpy(test_info->base_output, "Search timed out");
                 return EXIT_CRITICAL;
         }
 
         if (error_id != GETDNS_RESPSTATUS_GOOD || rcode != GETDNS_RCODE_NOERROR) {
-                fputs("Server error - cannot determine DNSSEC status", test_info->errout);
+                strcpy(test_info->base_output, "Server error - cannot determine DNSSEC status");
                 return EXIT_UNKNOWN;
         }
 
-        fputs("Server validates DNSSEC", test_info->errout);
+        strcpy(test_info->base_output, "Server validates DNSSEC");
         return EXIT_OK;
 }
 
-static exit_value test_tls13(const struct test_info_s *test_info,
+static exit_value test_tls13(struct test_info_s *test_info,
                              char ** av)
 {
         exit_value xit;
         getdns_return_t ret;
 
         if (*av) {
-                fputs("tls-1.3 takes no arguments", test_info->errout);
+                strcpy(test_info->base_output, "tls-1.3 takes no arguments");
                 return EXIT_USAGE;
         }
 
@@ -1274,10 +1377,12 @@ static exit_value test_tls13(const struct test_info_s *test_info,
          * a Bad Context error on the lookup.
          */
         if ((ret = getdns_context_set_tls_cipher_list(test_info->context, TLS13_CIPHER_SUITE)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot set TLS 1.3 cipher list: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot set TLS 1.3 cipher list: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
+                return EXIT_UNKNOWN;
         }
 
         getdns_dict *response;
@@ -1290,12 +1395,10 @@ static exit_value test_tls13(const struct test_info_s *test_info,
                           &ret)) != EXIT_OK) {
                 if (xit == EXIT_CRITICAL) {
                         if (ret == GETDNS_RETURN_BAD_CONTEXT) {
-                                fputs("Your version of OpenSSL does not support TLS 1.3 ciphers. You need at least OpenSSL 1.1.1.",
-                                      test_info->errout);
+                                strcpy(test_info->base_output, "Your version of OpenSSL does not support TLS 1.3 ciphers. You need at least OpenSSL 1.1.1.");
                                 return EXIT_UNKNOWN;
                         } else {
-                                fputs("Cannot establish TLS 1.3 connection.",
-                                      test_info->errout);
+                                strcpy(test_info->base_output, "Cannot establish TLS 1.3 connection.");
                                 return EXIT_CRITICAL;
                         }
                 } else {
@@ -1309,20 +1412,22 @@ static exit_value test_tls13(const struct test_info_s *test_info,
         getdns_list *l;
 
         if ((ret = getdns_dict_get_list(response, "call_reporting", &l)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get call report: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get call report: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
         getdns_dict *d;
 
         if ((ret = getdns_list_get_dict(l, 0, &d)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get call report first item: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get call report first item: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
@@ -1330,24 +1435,25 @@ static exit_value test_tls13(const struct test_info_s *test_info,
         getdns_bindata *version;
 
         if ((ret = getdns_dict_get_bindata(d, "tls_version", &version)) != GETDNS_RETURN_GOOD) {
-                fprintf(test_info->errout,
-                        "Cannot get TLS version: %s (%d)",
-                        getdns_get_errorstr_by_id(ret),
-                        ret);
+                snprintf(test_info->base_output,
+                         MAX_BASE_OUTPUT_LEN,
+                         "Cannot get TLS version: %s (%d)",
+                         getdns_get_errorstr_by_id(ret),
+                         ret);
                 return EXIT_UNKNOWN;
         }
 
         const char TLS_1_3_SIG[] = "TLSv1.3";
 
         if (strncmp((const char *)version->data, TLS_1_3_SIG, sizeof(TLS_1_3_SIG) - 1) != 0) {
-                fputs("Server does not support TLS 1.3", test_info->errout);
+                strcpy(test_info->base_output, "Server does not support TLS 1.3");
                 return EXIT_CRITICAL;
         }
 
         if ((xit = check_result(test_info, response)) != EXIT_OK)
                 return xit;
 
-        fputs("Server supports TLS 1.3", test_info->errout);
+        strcpy(test_info->base_output, "Server supports TLS 1.3");
         return EXIT_OK;
 }
 
@@ -1356,7 +1462,7 @@ static struct test_funcs_s
         const char *name;
         bool implies_tls;
         bool implies_tcp;
-        exit_value (*func)(const struct test_info_s *test_info, char **av);
+        exit_value (*func)(struct test_info_s *test_info, char **av);
 } TESTS[] =
 {
         { "lookup", false, false, test_lookup },
@@ -1398,6 +1504,9 @@ int main(int ac, char *av[])
                     strcmp(*av, "--monitoring") == 0) {
                         test_info.monitoring = true;
                         test_info.errout = stdout;
+                } else if (strcmp(*av, "-D") == 0 ||
+                           strcmp(*av, "--debug") == 0) {
+                        test_info.debug_output = true;
                 } else if (strcmp(*av, "-E") == 0 ||
                            strcmp(*av, "--fail-on-dns-errors") == 0) {
                         test_info.fail_on_dns_errors = true;
@@ -1607,32 +1716,40 @@ int main(int ac, char *av[])
         }
 
         exit_value xit = f->func(&test_info, av);
+        const char *xit_text = "(\?\?\?)";
+        FILE *out = stdout;
+
         switch(xit) {
         case EXIT_OK:
-                fputs(" (OK)", test_info.errout);
+                xit_text = "OK";
                 break;
 
         case EXIT_WARNING:
-                fputs(" (WARNING)", test_info.errout);
+                xit_text = "WARNING";
                 break;
 
         case EXIT_CRITICAL:
-                fputs(" (CRITICAL)", test_info.errout);
+                xit_text = "CRITICAL";
                 break;
 
         case EXIT_UNKNOWN:
-                fputs(" (UNKNOWN)", test_info.errout);
-                break;
-
         case EXIT_USAGE:
                 xit = EXIT_UNKNOWN;
-                break;
-
-        default:
-                /* ??? is a trigraph... */
-                fputs(" (\?\?\?)", test_info.errout);
+                xit_text = "UNKNOWN";
+                out = test_info.errout;
                 break;
         }
-        fputc('\n', test_info.errout);
+
+        if (test_info.monitoring)
+                fprintf(out, "DNS SERVER %s - ", xit_text);
+        fputs(test_info.base_output, out);
+
+        if (test_info.verbosity >= VERBOSITY_ADDITIONAL &&
+            test_info.monitoring &&
+            strlen(test_info.perf_output) > 0) {
+                fprintf(out, "|%s", test_info.perf_output);
+        }
+
+        fputc('\n', out);
         exit(xit);
 }

From d38f233a80d879a2b9713edfffe8d5bb0303fb11 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 22 Jan 2018 16:32:17 +0100
Subject: [PATCH 046/303] Track readbuf free's

As tcp_connection_destroy() might be called more than once per connection (depending on outstanding work)
---
 src/server.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/server.c b/src/server.c
index ef5676f8..1f5f218d 100644
--- a/src/server.c
+++ b/src/server.c
@@ -138,11 +138,18 @@ static void tcp_connection_destroy(tcp_connection *conn)
 
 	if (conn->fd >= 0)
 		(void) _getdns_closesocket(conn->fd);
-	GETDNS_FREE(*mf, conn->read_buf);
 
-	for (cur = conn->to_write; cur; cur = next) {
-		next = cur->next;
-		GETDNS_FREE(*mf, cur);
+	if (conn->read_buf) {
+		GETDNS_FREE(*mf, conn->read_buf);
+		conn->read_buf = NULL;
+	}
+	if ((cur = conn->to_write)) {
+		while (cur) {
+			next = cur->next;
+			GETDNS_FREE(*mf, cur);
+			cur = next;
+		}
+		conn->to_write = NULL;
 	}
 	if (conn->to_answer > 0)
 		return;

From 8c3047dbe019881b3fbd9f90108ba11cf856d51c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Sun, 21 Jan 2018 21:38:58 +0000
Subject: [PATCH 047/303] Add 'concurrent' test

The concurrent test works by sending a known good query synchronously,
and then sending asynchronous queries for three random TLDs followed by
the known good query. The latter should be answerable from cache, and so
give a result before at least one of the random TLDs.
---
 src/tools/getdns_server_mon.c | 130 ++++++++++++++++++++++++++++++++++
 1 file changed, 130 insertions(+)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index ab711975..2f8cd182 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -305,6 +305,8 @@ static void usage()
 "tsig spec: [<algorithm>:]<name>:<secret in Base64>\n"
 "\n"
 "Tests:\n"
+"  concurrent                    Check server support for concurrent query\n"
+"                                processing\n"
 "  lookup [<name> [<type>]]      Check lookup on server\n"
 "  keepalive <timeout-ms> [<name> [<type>]]\n"
 "                                Check server support for EDNS0 keepalive in TCP/TLS\n"
@@ -1457,6 +1459,133 @@ static exit_value test_tls13(struct test_info_s *test_info,
         return EXIT_OK;
 }
 
+struct async_query
+{
+        const char *name;
+        unsigned done_order;
+        bool error;
+};
+
+static void concurrent_callback(getdns_context          *context,
+                                getdns_callback_type_t  callback_type,
+                                getdns_dict             *response,
+                                void                    *userarg,
+                                getdns_transaction_t    transaction_id)
+{
+        (void) context;
+        (void) callback_type;
+        (void) response;
+        (void) transaction_id;
+
+        struct async_query *query = (struct async_query *) userarg;
+        static unsigned callback_no;
+
+        query->done_order = ++callback_no;
+        query->error = (callback_type != GETDNS_CALLBACK_COMPLETE);
+}
+
+static exit_value test_concurrent(const struct test_info_s *test_info,
+                                char ** av)
+{
+        if (*av) {
+                fputs("concurrent takes no arguments",
+                      test_info->errout);
+                return EXIT_USAGE;
+        }
+
+        /* Three names with random TLDs. */
+        const int NAMELEN = 30;
+        char names[3][NAMELEN + 1];
+
+        srandom((unsigned int) time(NULL));
+
+        for (int i = 0; i < 3; ++i) {
+                const char ROOT[] = "getdnsapi.dx";
+                strcpy(names[i], ROOT);
+                for (int j = sizeof(ROOT) - 1; j < NAMELEN; ++j) {
+                        names[i][j] = 'a' + random() % ('z' - 'a');
+                }
+                names[i][NAMELEN] = '\0';
+        }
+
+        /* A set of asynchronous queries to send. One exists. */
+        const char GOOD_NAME[] = "getdnsapi.net";
+        struct async_query async_queries[] = {
+                { names[0], 0, false },
+                { names[1], 0, false },
+                { names[2], 0, false },
+                { GOOD_NAME, 0, false }
+        };
+        unsigned NQUERIES = sizeof(async_queries) / sizeof(async_queries[0]);
+
+        /* Pre-load the cache with result of the good query. */
+        getdns_dict *response;
+        exit_value xit;
+
+        if ((xit = search_check(test_info,
+                                GOOD_NAME,
+                                GETDNS_RRTYPE_AAAA,
+                                &response,
+                                NULL,
+                                NULL,
+                                NULL)) != EXIT_OK)
+                return xit;
+
+        /* Now launch async searches for all the above. */
+        if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
+                fputs("concurrent search: ", test_info->errout);
+        }
+        for (unsigned i = 0; i < NQUERIES; ++i) {
+                getdns_return_t ret;
+
+                if ((ret = getdns_general(test_info->context,
+                                          async_queries[i].name,
+                                          GETDNS_RRTYPE_AAAA,
+                                          NULL,
+                                          &async_queries[i],
+                                          NULL,
+                                          concurrent_callback)) != GETDNS_RETURN_GOOD) {
+                        fprintf(test_info->errout,
+                                "Async search failed: %s (%d)",
+                                getdns_get_errorstr_by_id(ret),
+                                ret);
+                        return EXIT_UNKNOWN;
+                }
+                if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
+                        fprintf(test_info->errout,
+                                "[%u] %s, ",
+                                i, async_queries[i].name);
+                }
+        }
+
+        /* And wait for them to complete. */
+        getdns_context_run(test_info->context);
+        if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
+                fputs("concurrent result: ", test_info->errout);
+        }
+
+        for (unsigned i = 0; i < NQUERIES; ++i) {
+                if (async_queries[i].error) {
+                        fputs("Query did not complete", test_info->errout);
+                        return EXIT_UNKNOWN;
+                }
+                if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
+                        fprintf(test_info->errout,
+                                "[%u] %s, ",
+                                async_queries[i].done_order,
+                                async_queries[i].name);
+                }
+        }
+
+        if (async_queries[NQUERIES - 1].done_order == NQUERIES) {
+                fputs("Queries are not concurrent", test_info->errout);
+                return EXIT_CRITICAL;
+        } else {
+                fputs("Queries are concurrent", test_info->errout);
+                return EXIT_OK;
+        }
+}
+
 static struct test_funcs_s
 {
         const char *name;
@@ -1474,6 +1603,7 @@ static struct test_funcs_s
         { "keepalive", false, true, test_keepalive },
         { "dnssec-validate", false, false, test_dnssec_validate },
         { "tls-1.3", true, false, test_tls13 },
+        { "concurrent", false, true, test_concurrent },
         { NULL, false, false, NULL }
 };
 

From 1e774a95f51b98bd9a45c29a7933137ee4e0406a Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 22 Jan 2018 10:23:29 +0000
Subject: [PATCH 048/303] Don't rely on GCC extensions.

---
 src/tools/getdns_server_mon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 2f8cd182..47401492 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -1494,7 +1494,7 @@ static exit_value test_concurrent(const struct test_info_s *test_info,
         }
 
         /* Three names with random TLDs. */
-        const int NAMELEN = 30;
+        #define NAMELEN 30
         char names[3][NAMELEN + 1];
 
         srandom((unsigned int) time(NULL));

From bedd3a02cf7c44fa5173e833216d04c98857f9f1 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 22 Jan 2018 14:43:37 +0000
Subject: [PATCH 049/303] Revise concurrency test to use
 <n>.delay.getdnsapi.net.

This gives more secure results than the previous method.
---
 src/tools/getdns_server_mon.c | 87 ++++++++++++++++-------------------
 1 file changed, 40 insertions(+), 47 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 47401492..f4f39a31 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -1482,38 +1482,36 @@ static void concurrent_callback(getdns_context          *context,
 
         query->done_order = ++callback_no;
         query->error = (callback_type != GETDNS_CALLBACK_COMPLETE);
-}
 
-static exit_value test_concurrent(const struct test_info_s *test_info,
-                                char ** av)
-{
-        if (*av) {
-                fputs("concurrent takes no arguments",
-                      test_info->errout);
-                return EXIT_USAGE;
+        if (test_info.verbosity >= VERBOSITY_ADDITIONAL) {
+                if (test_info.monitoring) {
+                        snprintcat(test_info.perf_output,
+                                   MAX_PERF_OUTPUT_LEN,
+                                   "->%s;",
+                                   query->name);
+                } else {
+                        printf("Result:\t\t\t%s", query->name);
+                        if (query->error)
+                                printf(" (callback %d)\n", callback_type);
+                        else
+                                putchar('\n');
+                }
         }
 
-        /* Three names with random TLDs. */
-        #define NAMELEN 30
-        char names[3][NAMELEN + 1];
+}
 
-        srandom((unsigned int) time(NULL));
-
-        for (int i = 0; i < 3; ++i) {
-                const char ROOT[] = "getdnsapi.dx";
-                strcpy(names[i], ROOT);
-                for (int j = sizeof(ROOT) - 1; j < NAMELEN; ++j) {
-                        names[i][j] = 'a' + random() % ('z' - 'a');
-                }
-                names[i][NAMELEN] = '\0';
+static exit_value test_concurrent(struct test_info_s *test_info,
+                                  char ** av)
+{
+        if (*av) {
+                strcpy(test_info->base_output, "concurrent takes no arguments");
+                return EXIT_USAGE;
         }
 
         /* A set of asynchronous queries to send. One exists. */
         const char GOOD_NAME[] = "getdnsapi.net";
         struct async_query async_queries[] = {
-                { names[0], 0, false },
-                { names[1], 0, false },
-                { names[2], 0, false },
+                { "1000.delay.getdnsapi.net", 0, false },
                 { GOOD_NAME, 0, false }
         };
         unsigned NQUERIES = sizeof(async_queries) / sizeof(async_queries[0]);
@@ -1532,12 +1530,20 @@ static exit_value test_concurrent(const struct test_info_s *test_info,
                 return xit;
 
         /* Now launch async searches for all the above. */
-        if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
-                fputs("concurrent search: ", test_info->errout);
-        }
         for (unsigned i = 0; i < NQUERIES; ++i) {
                 getdns_return_t ret;
 
+                if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
+                        if (test_info->monitoring) {
+                                snprintcat(test_info->perf_output,
+                                           MAX_PERF_OUTPUT_LEN,
+                                           "%s->;",
+                                           async_queries[i].name);
+                        } else {
+                                printf("Search:\t\t\t%s\n", async_queries[i].name);
+                        }
+                }
+
                 if ((ret = getdns_general(test_info->context,
                                           async_queries[i].name,
                                           GETDNS_RRTYPE_AAAA,
@@ -1545,43 +1551,30 @@ static exit_value test_concurrent(const struct test_info_s *test_info,
                                           &async_queries[i],
                                           NULL,
                                           concurrent_callback)) != GETDNS_RETURN_GOOD) {
-                        fprintf(test_info->errout,
-                                "Async search failed: %s (%d)",
-                                getdns_get_errorstr_by_id(ret),
-                                ret);
+                        snprintf(test_info->base_output,
+                                 MAX_BASE_OUTPUT_LEN,
+                                 "Async search failed: %s (%d)",
+                                 getdns_get_errorstr_by_id(ret),
+                                 ret);
                         return EXIT_UNKNOWN;
                 }
-                if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
-                        fprintf(test_info->errout,
-                                "[%u] %s, ",
-                                i, async_queries[i].name);
-                }
         }
 
         /* And wait for them to complete. */
         getdns_context_run(test_info->context);
-        if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
-                fputs("concurrent result: ", test_info->errout);
-        }
 
         for (unsigned i = 0; i < NQUERIES; ++i) {
                 if (async_queries[i].error) {
-                        fputs("Query did not complete", test_info->errout);
+                        strcpy(test_info->base_output, "Query did not complete");
                         return EXIT_UNKNOWN;
                 }
-                if (test_info->verbosity >= VERBOSITY_ADDITIONAL){
-                        fprintf(test_info->errout,
-                                "[%u] %s, ",
-                                async_queries[i].done_order,
-                                async_queries[i].name);
-                }
         }
 
         if (async_queries[NQUERIES - 1].done_order == NQUERIES) {
-                fputs("Queries are not concurrent", test_info->errout);
+                strcpy(test_info->base_output, "Queries are not concurrent");
                 return EXIT_CRITICAL;
         } else {
-                fputs("Queries are concurrent", test_info->errout);
+                strcpy(test_info->base_output, "Queries are concurrent");
                 return EXIT_OK;
         }
 }

From 7e884e2cd0b23bec8a592a1aaf7ea07f9af40dd2 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 23 Jan 2018 11:30:12 +0000
Subject: [PATCH 050/303] Rename concurrent to OOOR (Out Of Order Responses).

---
 src/tools/getdns_server_mon.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index f4f39a31..78f05f53 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -305,12 +305,12 @@ static void usage()
 "tsig spec: [<algorithm>:]<name>:<secret in Base64>\n"
 "\n"
 "Tests:\n"
-"  concurrent                    Check server support for concurrent query\n"
-"                                processing\n"
 "  lookup [<name> [<type>]]      Check lookup on server\n"
 "  keepalive <timeout-ms> [<name> [<type>]]\n"
 "                                Check server support for EDNS0 keepalive in TCP/TLS\n"
 "                                Timeout of 0 is off.\n"
+"  OOOR                          Check whether server delivers responses out of\n"
+"                                query order on a TCP or TLS connection\n"
 "  qname-min                     Check whether server supports QNAME minimisation\n"
 "  rtt [warn-ms,crit-ms] [<name> [<type>]]\n"
 "                                Check server round trip time (default 500,250)\n"
@@ -1466,11 +1466,11 @@ struct async_query
         bool error;
 };
 
-static void concurrent_callback(getdns_context          *context,
-                                getdns_callback_type_t  callback_type,
-                                getdns_dict             *response,
-                                void                    *userarg,
-                                getdns_transaction_t    transaction_id)
+static void out_of_order_callback(getdns_context          *context,
+                                  getdns_callback_type_t  callback_type,
+                                  getdns_dict             *response,
+                                  void                    *userarg,
+                                  getdns_transaction_t    transaction_id)
 {
         (void) context;
         (void) callback_type;
@@ -1500,11 +1500,11 @@ static void concurrent_callback(getdns_context          *context,
 
 }
 
-static exit_value test_concurrent(struct test_info_s *test_info,
-                                  char ** av)
+static exit_value test_out_of_order(struct test_info_s *test_info,
+                                    char ** av)
 {
         if (*av) {
-                strcpy(test_info->base_output, "concurrent takes no arguments");
+                strcpy(test_info->base_output, "OOOR takes no arguments");
                 return EXIT_USAGE;
         }
 
@@ -1550,7 +1550,7 @@ static exit_value test_concurrent(struct test_info_s *test_info,
                                           NULL,
                                           &async_queries[i],
                                           NULL,
-                                          concurrent_callback)) != GETDNS_RETURN_GOOD) {
+                                          out_of_order_callback)) != GETDNS_RETURN_GOOD) {
                         snprintf(test_info->base_output,
                                  MAX_BASE_OUTPUT_LEN,
                                  "Async search failed: %s (%d)",
@@ -1571,10 +1571,10 @@ static exit_value test_concurrent(struct test_info_s *test_info,
         }
 
         if (async_queries[NQUERIES - 1].done_order == NQUERIES) {
-                strcpy(test_info->base_output, "Queries are not concurrent");
+                strcpy(test_info->base_output, "Responses are in query order");
                 return EXIT_CRITICAL;
         } else {
-                strcpy(test_info->base_output, "Queries are concurrent");
+                strcpy(test_info->base_output, "Responses are not in query order");
                 return EXIT_OK;
         }
 }
@@ -1596,7 +1596,7 @@ static struct test_funcs_s
         { "keepalive", false, true, test_keepalive },
         { "dnssec-validate", false, false, test_dnssec_validate },
         { "tls-1.3", true, false, test_tls13 },
-        { "concurrent", false, true, test_concurrent },
+        { "OOOR", false, true, test_out_of_order },
         { NULL, false, false, NULL }
 };
 

From a4f17760abdf6c3f64d7d92fa7d9528ef6f8d5c8 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 23 Jan 2018 12:13:59 +0000
Subject: [PATCH 051/303] Revise rcode_text() to get text from getdns, and add
 rrtype_text().

---
 src/tools/getdns_server_mon.c | 55 +++++++++++++++++++++++++----------
 1 file changed, 40 insertions(+), 15 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 78f05f53..5cb05606 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -116,7 +116,7 @@ static void snprintcat(char *buf, size_t buflen, const char *format, ...)
 
 static int get_rrtype(const char *t)
 {
-        char buf[1024] = "GETDNS_RRTYPE_";
+        char buf[128] = "GETDNS_RRTYPE_";
         uint32_t rrtype;
         long int l;
         size_t i;
@@ -139,21 +139,45 @@ static int get_rrtype(const char *t)
         return -1;
 }
 
+static const char *getdns_intval_text(int val, const char *name, const char *prefix)
+{
+        getdns_dict *d = getdns_dict_create();
+        char buf[128];
+        static char res[20];
+
+        if (getdns_dict_set_int(d, name, val) != GETDNS_RETURN_GOOD)
+                goto err;
+
+        getdns_pretty_snprint_dict(buf, sizeof(buf), d);
+
+        const char *p = strstr(buf, prefix);
+
+        if (!p)
+                goto err;
+        p += strlen(prefix);
+
+        char *q = res;
+
+        while (*p && *p != '\n')
+                *q++ = *p++;
+
+        getdns_dict_destroy(d);
+        return res;
+
+err:
+        getdns_dict_destroy(d);
+        snprintf(res, sizeof(res), "%d", val);
+        return res;
+}
+
+static const char *rrtype_text(int rrtype)
+{
+        return getdns_intval_text(rrtype, "type", "GETDNS_RRTYPE_");
+}
+
 static const char *rcode_text(int rcode)
 {
-        const char *text[] = {
-                "OK",
-                "FORMERR",
-                "SERVFAIL",
-                "NXDOMAIN",
-                "NOTIMP",
-                "REFUSED"
-        };
-
-        if ((size_t) rcode >= sizeof(text) / sizeof(text[0]))
-                return "(?)";
-        else
-                return text[rcode];
+        return getdns_intval_text(rcode, "rcode", "GETDNS_RCODE_");
 }
 
 #if OPENSSL_VERSION_NUMBER < 0x10002000
@@ -441,7 +465,8 @@ static exit_value search(struct test_info_s *test_info,
 
         if (test_info->verbosity >= VERBOSITY_ADDITIONAL &&
             !test_info->monitoring) {
-                printf("Lookup:\t\t\t%s %u\n", name, type);
+                printf("DNS Lookup name:\t%s\n", name);
+                printf("DNS Lookup RR type:\t%s\n", rrtype_text(type));
         }
 
         if (test_info->debug_output) {

From f3b2f838797666f04be62d5801c87cc6cd4657bd Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 23 Jan 2018 12:14:40 +0000
Subject: [PATCH 052/303] More output tittivating. Make verbose by default in
 non-monitoring mode.

---
 src/tools/getdns_server_mon.c | 57 +++++++++++++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 2 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 5cb05606..f79a95ce 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -568,10 +568,10 @@ static exit_value check_result(struct test_info_s *test_info,
                 if (test_info->monitoring) {
                         snprintcat(test_info->perf_output,
                                    MAX_PERF_OUTPUT_LEN,
-                                   "result=%d;",
+                                   "getdns=%d;",
                                    error_id);
                 } else {
-                        printf("DNS result:\t\t%s (%d)\n",
+                        printf("getdns result:\t\t%s (%d)\n",
                                    getdns_get_errorstr_by_id(error_id),
                                    error_id);
                 }
@@ -721,6 +721,55 @@ static exit_value get_report_info(struct test_info_s *test_info,
         if (cert_expire_time)
                 *cert_expire_time = cert_expire_time_val;
 
+        getdns_bindata *tls_version;
+
+        if (getdns_dict_get_bindata(d, "tls_version", &tls_version) == GETDNS_RETURN_GOOD) {
+                const char *version_text = (char *) tls_version->data;
+
+                if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
+                        if (test_info->monitoring) {
+                        snprintcat(test_info->perf_output,
+                                   MAX_PERF_OUTPUT_LEN,
+                                   "tls=%s;",
+                                   version_text);
+                        } else {
+                                printf("TLS version:\t\t%s\n", version_text);
+                        }
+                }
+
+                /*
+                 * This is always in the context, so show only if we got
+                 * TLS info in the call reporting.
+                 */
+                uint32_t tls_auth;
+                getdns_dict *context_dict = getdns_context_get_api_information(test_info->context);
+
+                if (getdns_dict_get_int(context_dict, "/all_context/tls_authentication", &tls_auth) == GETDNS_RETURN_GOOD) {
+                        const char *auth_text = "???";
+
+                        switch(tls_auth) {
+                        case GETDNS_AUTHENTICATION_NONE:
+                                auth_text = "Opportunistic";
+                                break;
+
+                        case GETDNS_AUTHENTICATION_REQUIRED:
+                                auth_text = "Strict";
+                                break;
+                        }
+
+                        if (test_info->verbosity >= VERBOSITY_ADDITIONAL) {
+                                if (test_info->monitoring) {
+                                        snprintcat(test_info->perf_output,
+                                                   MAX_PERF_OUTPUT_LEN,
+                                                   "%s;",
+                                                   auth_text);
+                                } else {
+                                        printf("TLS authentication:\t%s\n", auth_text);
+                                }
+                        }
+                }
+        }
+
         return EXIT_OK;
 }
 
@@ -1718,6 +1767,10 @@ int main(int ac, char *av[])
         if (*av == NULL || *av[0] != '@')
                 usage();
 
+        /* Non-monitoring output is chatty by default. */
+        if (!test_info.monitoring)
+                ++test_info.verbosity;
+
         const char *upstream = *av++;
         getdns_dict *resolver;
         getdns_bindata *address;

From fcaa4f9845ba9d6cdae43fd7e36ce66f10c0b37a Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 23 Jan 2018 12:37:14 +0000
Subject: [PATCH 053/303] Reflow usage message entry.

---
 src/tools/getdns_server_mon.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index f79a95ce..904bd290 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -331,7 +331,8 @@ static void usage()
 "Tests:\n"
 "  lookup [<name> [<type>]]      Check lookup on server\n"
 "  keepalive <timeout-ms> [<name> [<type>]]\n"
-"                                Check server support for EDNS0 keepalive in TCP/TLS\n"
+"                                Check server support for EDNS0 keepalive in\n"
+"                                TCP or TLS connections\n"
 "                                Timeout of 0 is off.\n"
 "  OOOR                          Check whether server delivers responses out of\n"
 "                                query order on a TCP or TLS connection\n"

From 8ba53f10b6a5c8985805aace9790ed6e3b423dcf Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 23 Jan 2018 13:31:16 +0000
Subject: [PATCH 054/303] Correct RTT warning and critical default thresholds.

---
 src/tools/getdns_server_mon.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 904bd290..7a2f74ef 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -44,8 +44,8 @@
 
 #define APP_NAME "getdns_server_mon"
 
-#define RTT_CRITICAL_MS                 250
-#define RTT_WARNING_MS                  500
+#define RTT_CRITICAL_MS                 500
+#define RTT_WARNING_MS                  250
 
 #define CERT_EXPIRY_CRITICAL_DAYS       7
 #define CERT_EXPIRY_WARNING_DAYS        14
@@ -338,7 +338,8 @@ static void usage()
 "                                query order on a TCP or TLS connection\n"
 "  qname-min                     Check whether server supports QNAME minimisation\n"
 "  rtt [warn-ms,crit-ms] [<name> [<type>]]\n"
-"                                Check server round trip time (default 500,250)\n"
+"                                Check if server round trip time exceeds\n"
+"                                thresholds (default 250,500)\n"
 "\n"
 "  dnssec-validate               Check whether server does DNSSEC validation\n"
 "\n"

From b0661b9d9fba60ceee4b7cd93cc5d61d7d23a955 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 23 Jan 2018 13:45:55 +0000
Subject: [PATCH 055/303] Add a tool README.

Use AsciiDoc for this, as the GitHub table support in Markdown is woeful. But AsciiDoc is always better than Markdown anyway.
---
 src/tools/README.adoc | 261 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 261 insertions(+)
 create mode 100644 src/tools/README.adoc

diff --git a/src/tools/README.adoc b/src/tools/README.adoc
new file mode 100644
index 00000000..b8641099
--- /dev/null
+++ b/src/tools/README.adoc
@@ -0,0 +1,261 @@
+= getdns tools
+
+This directory contains some tools based on `getdns`.
+
+* `getdns_query` - a command line wrapper for `getdns`.
+* `getdns_server_mon` - test DNS server function and capabilities.
+
+== `getdns_query`
+
+`getdns_query` is a command line wrapper for `getdns` exposing the
+features of this implementation (both in the official API and the
+additional API functions).
+
+=== Usage
+
+----
+usage: getdns_query [<option> ...] \
+        [@<upstream> ...] [+<extension> ...] ['{ <settings> }'] [<name>] [<type>]
+
+default mode: recursive, synchronous resolution of NS record
+                using UDP with TCP fallback
+
+upstreams: @<ip>[%<scope_id>][@<port>][#<tls port>][~<tls name>][^<tsig spec>]
+            <ip>@<port> may be given as <IPv4>:<port>
+                  or '['<IPv6>[%<scope_id>]']':<port> too
+
+tsig spec: [<algorithm>:]<name>:<secret in Base64>
+
+extensions:
+        +add_warning_for_bad_dns
+        +dnssec_return_status
+        +dnssec_return_only_secure
+        +dnssec_return_all_statuses
+        +dnssec_return_validation_chain
+        +dnssec_return_full_validation_chain
+        +dnssec_roadblock_avoidance
+        +edns_cookies
+        +return_both_v4_and_v6
+        +return_call_reporting
+        +sit=<cookie>           Send along cookie OPT with value <cookie>
+        +specify_class=<class>
+        +0                      Clear all extensions
+
+settings in json dict format (like outputted by -i option).
+
+options:
+        -a      Perform asynchronous resolution (default = synchronous)
+        -A      address lookup (<type> is ignored)
+        -B      Batch mode. Schedule all messages before processing responses.
+        -b <bufsize>    Set edns0 max_udp_payload size
+        -c      Send Client Subnet privacy request
+        -C      <filename>
+                Read settings from config file <filename>
+                The getdns context will be configured with these settings
+                The file must be in YAML format (with extension of '.yml')
+                or JSON dict format (with extension '.conf')
+        -D      Set edns0 do bit
+        -d      clear edns0 do bit
+        -e <idle_timeout>       Set idle timeout in milliseconds
+        -F <filename>   read the queries from the specified file
+        -f <filename>   Read DNSSEC trust anchors from <filename>
+        -G      general lookup
+        -H      hostname lookup. (<name> must be an IP address; <type> is ignored)
+        -h      Print this help
+        -i      Print api information
+        -I      Interactive mode (> 1 queries on same context)
+        -j      Output json response dict
+        -J      Pretty print json response dict
+        -k      Print root trust anchors
+        -K <pin>        Pin a public key for TLS connections (can repeat)
+                (should look like 'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="')
+        -m      Set TLS authentication mode to REQUIRED
+        -n      Set TLS authentication mode to NONE (default)
+        -o <filename>   Set resolver configuration file path
+                (default = /etc/resolv.conf)
+        -p      Pretty print response dict (default)
+        -P <blocksize>  Pad TLS queries to a multiple of blocksize
+                (special values: 0: no padding, 1: sensible default policy)
+        -q      Quiet mode - don't print response
+        -r      Set recursing resolution type
+        -R <filename>   Read root hints from <filename>
+        -s      Set stub resolution type(default = recursing)
+        -S      service lookup (<type> is ignored)
+        -t <timeout>    Set timeout in milliseconds
+        -v      Print getdns release version
+        -V      Increase verbosity (may be used more than once)
+        -x      Do not follow redirects
+        -X      Follow redirects (default)
+        -0      Append suffix to single label first (default)
+        -W      Append suffix always
+        -1      Append suffix only to single label after failure
+        -M      Append suffix only to multi label name after failure
+        -N      Never append a suffix
+        -Z <suffixes>   Set suffixes with the given comma separated list
+        -T      Set transport to TCP only
+        -O      Set transport to TCP only keep connections open
+        -L      Set transport to TLS only keep connections open
+        -E      Set transport to TLS with TCP fallback only keep connections open
+        -u      Set transport to UDP with TCP fallback (default)
+        -U      Set transport to UDP only
+        -l <transports> Set transport list. List can contain 1 of each of the characters
+                         U T L for UDP, TCP or TLS e.g 'UT' or 'LTU'
+        -z <listen address>
+                Listen for DNS requests on the given IP address
+                <listen address> is in the same format as upstreams.
+                This option can be given more than once.
+----
+
+== `getdns_server_mon`
+
+`getdns_server_mon` is a collection of DNS server tests. The tests examine
+both server function and server capability.
+
+`get_server_mon` can optionally be run in Monitoring mode. In this mode,
+the tool output is modified to enable it to function as a plugin for
+popular monitoring systems such as https://www.icinga.org[Icinga],
+http://naemon.github.io/[Naemon], http://www.nagios.org[Nagios],
+http://www.shinken-monitoring.org/[Shinken], http://sensuapp.org/[Sensu]
+and others.
+
+=== Usage
+
+----
+Usage: getdns_server_mon [-M] [-E] [(-u|-t|-T)] [-S] [-K <spki-pin>]
+        [-v [-v [-v]]] [-V] @upstream testname [<test args>]
+  -M|--monitoring               Make output suitable for monitoring tools
+  -E|--fail-on-dns-errors       Fail on DNS error (NXDOMAIN, SERVFAIL)
+  -u|--udp                      Use UDP transport
+  -t|--tcp                      Use TCP transport
+  -T|--tls                      Use TLS transport
+  -S|--strict-usage-profile     Use strict profile (require authentication)
+  -K|--spki-pin <spki-pin>      SPKI pin for TLS connections (can repeat)
+  -v|--verbose                  Increase output verbosity
+  -D|--debug                    Enable debugging output
+  -V|--version                  Report GetDNS version
+
+spki-pin: Should look like 'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="'
+
+upstream: @<ip>[%<scope_id][@<port>][#<tls_port>][~tls name>][^<tsig spec>]
+          <ip>@<port> may be given as <IPv4>:<port> or
+                      '['<IPv6>[%<scope_id>]']':<port>
+
+tsig spec: [<algorithm>:]<name>:<secret in Base64>
+
+Tests:
+  lookup [<name> [<type>]]      Check lookup on server
+  keepalive <timeout-ms> [<name> [<type>]]
+                                Check server support for EDNS0 keepalive in
+                                TCP or TLS connections
+                                Timeout of 0 is off.
+  OOOR                          Check whether server delivers responses out of
+                                query order on a TCP or TLS connection
+  qname-min                     Check whether server supports QNAME minimisation
+  rtt [warn-ms,crit-ms] [<name> [<type>]]
+                                Check if server round trip time exceeds
+                                thresholds (default 250,500)
+
+  dnssec-validate               Check whether server does DNSSEC validation
+
+  tls-auth [<name> [<type>]]    Check authentication of TLS server
+                                If both a SPKI pin and authentication name are
+                                provided, both must authenticate for this test
+                                to pass.
+  tls-cert-valid [warn-days,crit-days] [<name> [type]]
+                                Check server certificate validity, report
+                                warning or critical if days to expiry at
+                                or below thresholds (default 14,7).
+  tls-padding <blocksize> [<name> [<type>]]
+                                Check server support for EDNS0 padding in TLS
+                                Special blocksize values are 0 = off,
+                                1 = sensible default.
+  tls-1.3                       Check whether server supports TLS 1.3
+
+Enabling monitoring mode ensures output messages and exit statuses conform
+to the requirements of monitoring plugins (www.monitoring-plugins.org).
+----
+
+Note that the server must currently be specified with an IPv4 or an IPv6 address.
+
+=== The tests
+
+Several tests take optional name and RR type parameters. If these are not supplied,
+default values of `getdnsapi.net` and `AAAA` are used. If the lookup returns no
+answering records, `getdns_server_mon` reports a status of WARNING.
+
+[%header]
+|===
+| Test name | Test description | Default connection type
+| `lookup`
+| Check a name lookup succeeds.
+  | UDP with TCP fallback
+
+| `keepalive`
+| See if the server supports EDNS0 keepalive in TCP or TLS
+  connections. Specify a non-zero timeout to set the keepalive timeout
+  in milliseconds, or 0 to disable it.
+| TCP
+
+| `OOOR`
+| Out Of Order Responses. See if the server will send responses to
+  multiple queries in a single TCP or TLS connection in a different
+  order to the order of queries.
+
+This test is experimental, and may give false negative results.
+| TCP
+
+| `qname-min`
+| Does the server support QNAME minimisation?
+| UDP with TCP fallback
+
+|`rtt`
+| Check a lookup round trip time exceeds warning and critical levels in milliseconds.
+If thresholds are not specified, defaults of 500ms (critical) and 250ms (warning) are used.
+| UDP with TCP fallback
+
+|`dnssec-validate`
+| See if the server is doing DNSSEC validation.
+| UDP with TCP fallback
+
+|`tls-auth`
+| Check if a TLS lookup authenticates successfully. You must specify
+  either a SPKI pin, an authentication name, or both. If you supply
+  both, both must authenticate for the test to succeed.
+| TLS
+
+|`tls-cert-valid`
+| Check the server certificate against warning and critical days to
+expiry.  If thresholds are not specified, defaults of 7 days
+(critical) and 14 days (warning) are used.
+| TLS
+
+|`tls-padding`
+| Does the server support EDNS0 padding? Specify a non-zero blocksize to set
+the padding. A padding size of 1 specifies padding of a sensible default size.
+| TLS
+
+|`tls-1.3`
+| Does the server support TLS 1.3? To enable this test,
+  `getdns_server_mon` must be compiled with OpenSSL v1.1.1 or later.
+| TLS
+|===
+=== Exit status
+
+[%header]
+|===
+| Numeric value | Service Status | Status Description
+| 0
+| OK
+| The service was functioning properly
+
+| 1
+| WARNING
+| The service fell below a warning threshold
+
+|2
+| CRITICAL
+| The service was not working or fell below a critical threshold
+
+|3
+| UNKNOWN | Invalid arguments or an internal low-level failure
+|===

From 01ea1d6a22709d86eb2bfe2c1cce45ef33f5d12a Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 23 Jan 2018 13:47:31 +0000
Subject: [PATCH 056/303] Note TLS 1.3 is experimental. At least until we find
 a stable test server.

---
 src/tools/README.adoc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/tools/README.adoc b/src/tools/README.adoc
index b8641099..b13d7356 100644
--- a/src/tools/README.adoc
+++ b/src/tools/README.adoc
@@ -201,7 +201,7 @@ answering records, `getdns_server_mon` reports a status of WARNING.
   multiple queries in a single TCP or TLS connection in a different
   order to the order of queries.
 
-This test is experimental, and may give false negative results.
+This test is currently experimental, and may give false negative results.
 | TCP
 
 | `qname-min`
@@ -237,6 +237,8 @@ the padding. A padding size of 1 specifies padding of a sensible default size.
 |`tls-1.3`
 | Does the server support TLS 1.3? To enable this test,
   `getdns_server_mon` must be compiled with OpenSSL v1.1.1 or later.
+
+This test is currently experimental, and may give false negative results.
 | TLS
 |===
 === Exit status

From 037f6039c864eb19f66de6f0e219d6829807a504 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 23 Jan 2018 13:53:08 +0000
Subject: [PATCH 057/303] Improve AsciiDoc table formatting.

---
 src/tools/README.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tools/README.adoc b/src/tools/README.adoc
index b13d7356..2f2389eb 100644
--- a/src/tools/README.adoc
+++ b/src/tools/README.adoc
@@ -183,7 +183,7 @@ Several tests take optional name and RR type parameters. If these are not suppli
 default values of `getdnsapi.net` and `AAAA` are used. If the lookup returns no
 answering records, `getdns_server_mon` reports a status of WARNING.
 
-[%header]
+[cols="1,3a,1" options="header"]
 |===
 | Test name | Test description | Default connection type
 | `lookup`
@@ -243,7 +243,7 @@ This test is currently experimental, and may give false negative results.
 |===
 === Exit status
 
-[%header]
+[cols="^1,^1,3a" options="header"]
 |===
 | Numeric value | Service Status | Status Description
 | 0

From 4f37d2b9338fc1265fef255c566bb3701496b3f8 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 23 Jan 2018 16:50:05 +0100
Subject: [PATCH 058/303] No wildcard expansions allowed for RRs used in DNSSEC
 proofs

Signatures of DNSKEYs, DSs, NSECs and NSEC3s can not be wildcard expansions when used with DNSSEC proofs.
Only direct queries for those types are allowed to be wildcard expansions.

This in response to https://unbound.net/downloads/CVE-2017-15105.txt, although getdns was not vulnerable for this specific issue.
---
 src/dnssec.c | 43 ++++++++++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index d4c6375b..3bf92d58 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1755,6 +1755,26 @@ static int dnskey_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
 	return 0;
 }
 
+/* Returns whether a dnskey for keyset signed a non wildcard rrset. */
+static int a_key_signed_rrset_no_wc(struct mem_funcs *mf, time_t now,
+    uint32_t skew, _getdns_rrset *keyset, _getdns_rrset *rrset)
+{
+	_getdns_rrtype_iter dnskey_spc, *dnskey;
+	const uint8_t *nc_name;
+	int keytag;
+
+	assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY);
+
+	for ( dnskey = _getdns_rrtype_iter_init(&dnskey_spc, keyset)
+	    ; dnskey ; dnskey = _getdns_rrtype_iter_next(dnskey) ) {
+
+		if ((keytag = dnskey_signed_rrset(mf, now, skew,
+		    dnskey, rrset, &nc_name)) && !nc_name)
+			return keytag;
+	}
+	return 0;
+}
+
 static int find_nsec_covering_name(
     struct mem_funcs *mf, time_t now, uint32_t skew, _getdns_rrset *dnskey,
     _getdns_rrset *rrset, const uint8_t *name, int *opt_out);
@@ -2110,7 +2130,8 @@ static int find_nsec_covering_name(
 		    && (bitmap = _getdns_rdf_iter_init_at(
 				    &bitmap_spc, &nsec_rr->rr_i, 5))
 
-		    && (keytag = a_key_signed_rrset(mf, now, skew, dnskey, n))
+		    && (keytag = a_key_signed_rrset_no_wc(
+				    mf, now, skew, dnskey, n))
 		    && (   keytag & NSEC3_ITERATION_COUNT_HIGH
 
 		        || (   nsec3_covers_name(n, name, opt_out)
@@ -2174,7 +2195,8 @@ static int find_nsec_covering_name(
 		           )
 		       )
 
-		    && (keytag = a_key_signed_rrset(mf,now,skew, dnskey, n))) {
+		    && (keytag = a_key_signed_rrset_no_wc(
+					    mf, now, skew, dnskey, n))) {
 
 			debug_sec_print_rrset("NSEC:   ", n);
 			debug_sec_print_dname("covered: ", name);
@@ -2297,7 +2319,8 @@ static int key_proves_nonexistance(
 		||  bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA))
 
 	    /* And a valid signature please */
-	    && (keytag = a_key_signed_rrset(mf,now,skew,keyset,&nsec_rrset))) {
+	    && (keytag = a_key_signed_rrset_no_wc(
+				    mf, now, skew, keyset, &nsec_rrset))) {
 
 		debug_sec_print_rrset("NSEC NODATA proof for: ", rrset);
 		return keytag;
@@ -2353,7 +2376,7 @@ static int key_proves_nonexistance(
 		       )
 
 		    /* And a valid signature please (as always) */
-		    || !(keytag = a_key_signed_rrset(
+		    || !(keytag = a_key_signed_rrset_no_wc(
 					    mf, now, skew, keyset, cover)))
 			continue;
 
@@ -2437,7 +2460,8 @@ static int key_proves_nonexistance(
 			||  bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA))
 
 		    /* It must have a valid signature */
-		    && (keytag = a_key_signed_rrset(mf, now, skew, keyset, ce))
+		    && (keytag = a_key_signed_rrset_no_wc(
+					    mf, now, skew, keyset, ce))
 
 		    /* The qname must match the NSEC3 */
 		    && (   keytag & NSEC3_ITERATION_COUNT_HIGH
@@ -2493,7 +2517,7 @@ static int key_proves_nonexistance(
 			        && !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA)
 			       )
 
-			    || !(keytag = a_key_signed_rrset(
+			    || !(keytag = a_key_signed_rrset_no_wc(
 						    mf, now, skew, keyset, ce))
 			    || (   !(keytag & NSEC3_ITERATION_COUNT_HIGH)
 			        && !nsec3_matches_name(ce, ce_name)))
@@ -2545,7 +2569,7 @@ static int chain_node_get_trusted_keys(
 	} else if (ta->rr_type == GETDNS_RRTYPE_DNSKEY) {
 
 		/* ta is KSK */
-		if ((keytag = a_key_signed_rrset(
+		if ((keytag = a_key_signed_rrset_no_wc(
 		    mf, now, skew, ta, &node->dnskey))) {
 			*keys = &node->dnskey;
 			node->dnskey_signer = keytag;
@@ -2563,7 +2587,8 @@ static int chain_node_get_trusted_keys(
 			return GETDNS_DNSSEC_INSECURE;
 		}
 
-		if ((keytag = a_key_signed_rrset(mf,now,skew,ta,&node->ds))) {
+		if ((keytag = a_key_signed_rrset_no_wc(
+					mf, now, skew, ta, &node->ds))) {
 			node->ds_signer = keytag;
 			if ((keytag = ds_authenticates_keys(
 			    mf, now, skew, &node->ds, &node->dnskey))) {
@@ -2597,7 +2622,7 @@ static int chain_node_get_trusted_keys(
 	}
 	if (key_matches_signer(ta, &node->ds)) {
 		
-		if ((node->ds_signer = a_key_signed_rrset(
+		if ((node->ds_signer = a_key_signed_rrset_no_wc(
 						mf, now, skew, ta, &node->ds))
 		   && (keytag = ds_authenticates_keys(
 				mf, now, skew, &node->ds, &node->dnskey))){

From 1d211013e6e16a90cf9fe6a10255d687a83b5273 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 23 Jan 2018 17:55:15 +0000
Subject: [PATCH 059/303] Update top level README to include getdns_server_mon
 in its outline of tools.

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index aacfc289..a01b8236 100644
--- a/README.md
+++ b/README.md
@@ -87,10 +87,11 @@ If you are building from git, you need to do the following before building:
     # autoreconf -fi
 
 
-As well as building the getdns library two other tools may be installed:
+As well as building the getdns library three other tools may be installed:
 
 * getdns_query: a command line test script wrapper for getdns
 * stubby: an experimental DNS Privacy enabled client
+* getdns_server_mon: test DNS server function and capabilities
 
 Note: If you only want to build stubby, then use the `--with-stubby` option when running 'configure'.
 

From 7e3439efbc3cedd86982a591e8236b4c60d682af Mon Sep 17 00:00:00 2001
From: Sara Dickinson <sara@sinodun.com>
Date: Wed, 24 Jan 2018 13:13:14 +0000
Subject: [PATCH 060/303] =?UTF-8?q?Improve=20handling=20of=20opportunistic?=
 =?UTF-8?q?=20back-off.=20If=20other=20transports=20are=20working,=20don?=
 =?UTF-8?q?=E2=80=99t=20forcibly=20promote=20failed=20upstreams=20just=20w?=
 =?UTF-8?q?ait=20for=20the=20re-try=20timer.=20Clean=20up=20logs.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/context.c |   3 +-
 src/stub.c    | 141 ++++++++++++++++++++++++++++++++------------------
 2 files changed, 94 insertions(+), 50 deletions(-)

diff --git a/src/context.c b/src/context.c
index c8f14363..927543f9 100644
--- a/src/context.c
+++ b/src/context.c
@@ -779,8 +779,9 @@ upstream_backoff(getdns_upstream *upstream) {
 	upstream->conn_shutdowns = 0;
 	upstream->conn_backoffs++;
 	_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_NOTICE,
-	    "%-40s : !Backing off this upstream    - Will retry again in %ds at %s",
+	    "%-40s : Upstream   : !Backing off %s on this upstream    - Will retry again in %ds at %s",
 	            upstream->addr_str,
+	            upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP",
 	            upstream->conn_backoff_interval,
 	            asctime(gmtime(&upstream->conn_retry_time)));
 }
diff --git a/src/stub.c b/src/stub.c
index 07f22fcd..ac3bd0fd 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -529,11 +529,7 @@ upstream_failed(getdns_upstream *upstream, int during_setup)
 	   the queries if there is only one upstream.*/
 	GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
 	if (during_setup) {
-		/* Special case if failure was due to authentication issues since this
-		   upstream could be used oppotunistically with no problem.*/
-		if (!(upstream->transport == GETDNS_TRANSPORT_TLS &&
-		    upstream->tls_auth_state == GETDNS_AUTH_FAILED))
-			upstream->conn_setup_failed++;
+		upstream->conn_setup_failed++;
 	} else {
 		upstream->conn_shutdowns++;
 		/* [TLS1]TODO: Re-try these queries if possible.*/
@@ -580,7 +576,7 @@ stub_timeout_cb(void *userarg)
 		netreq->upstream->udp_timeouts++;
 		if (netreq->upstream->udp_timeouts % 100 == 0)
 			_getdns_upstream_log(netreq->upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_INFO,
-			    "%-40s : Upstream stats: Transport=UDP - Resp=%d,Timeouts=%d\n",
+			    "%-40s : Upstream   : UDP - Resps=%6d, Timeouts  =%6d (logged every 100 responses)\n",
 			             netreq->upstream->addr_str,
 			             (int)netreq->upstream->udp_responses, (int)netreq->upstream->udp_timeouts);
 		stub_next_upstream(netreq);
@@ -844,7 +840,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 #endif
 	if (!preverify_ok && !upstream->tls_fallback_ok)
 		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
-		    "%-40s : Verify failed : Transport=TLS - *Failure* -  (%d) \"%s\"\n",
+		    "%-40s : Verify failed: TLS - *Failure* -  (%d) \"%s\"\n",
 		    upstream->addr_str, err,
 		    X509_verify_cert_error_string(err));
 
@@ -880,7 +876,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 			            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
 		else
 			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
-			    "%-40s : Conn failed   : Transport=TLS - *Failure* - Pinset validation failure\n",
+			    "%-40s : Conn failed: TLS - *Failure* - Pinset validation failure\n",
 			    upstream->addr_str);
 	} else {
 		/* If we _only_ had a pinset and it is good then force succesful
@@ -893,7 +889,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 			DEBUG_STUB("%s %-35s: FD:  %d, Allowing self-signed (%d) cert since pins match\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err);
 			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, 
-			    "%-40s : Verify passed : Transport=TLS - Allowing self-signed cert since pins match\n",
+			    "%-40s : Verify passed : TLS - Allowing self-signed cert since pins match\n",
 			    upstream->addr_str);
 		}
 	}
@@ -956,6 +952,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			    "%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n",
 			    upstream->addr_str);
 			upstream->tls_hs_state = GETDNS_HS_FAILED;
+			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 			return NULL;
 		}
 #endif
@@ -970,9 +967,13 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 				DEBUG_STUB("%s %-35s: Proceeding with only pubkey pinning authentication\n",
 			           STUB_DEBUG_SETUP_TLS, __FUNC__);
 			} else {
-				DEBUG_STUB("%s %-35s: ERROR: No host name or pubkey pinset provided for TLS authentication\n",
+				DEBUG_STUB("%s %-35s: ERROR:No auth name or pinset provided for this upstream for Strict TLS authentication\n",
 			           STUB_DEBUG_SETUP_TLS, __FUNC__);
+				_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR, 
+				    "%-40s : Verify fail: *CONFIG ERROR* - No auth name or pinset provided for this upstream for Strict TLS authentication\n",
+				    upstream->addr_str);
 				upstream->tls_hs_state = GETDNS_HS_FAILED;
+				upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 				return NULL;
 			}
 		} else {
@@ -1409,7 +1410,7 @@ stub_udp_read_cb(void *userarg)
 	if (upstream->udp_responses == 1 || 
 	    upstream->udp_responses % 100 == 0)
 		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_INFO,
-		    "%-40s : Upstream stats: Transport=UDP - Resp=%d,Timeouts=%d\n",
+		    "%-40s : Upstream   : UDP - Resps=%6d, Timeouts  =%6d (logged every 100 responses)\n",
 		    upstream->addr_str,
 		    (int)upstream->udp_responses, (int)upstream->udp_timeouts);
 	_getdns_check_dns_req_complete(dnsreq);
@@ -1671,7 +1672,7 @@ upstream_write_cb(void *userarg)
 		/* Cleaning up after connection or auth check failure. Need to fallback. */
 		stub_cleanup(netreq);
 		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
-		    "%-40s : Conn closed   : Transport=%s - *Failure*\n",
+		    "%-40s : Conn closed: %s - *Failure*\n",
 		    upstream->addr_str,
 		    (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"));
 		if (fallback_on_write(netreq) == STUB_TCP_ERROR) {
@@ -1826,6 +1827,34 @@ upstream_valid_and_open(getdns_upstream *upstream,
 	 return 1;
 }
 
+static int
+other_transports_working(getdns_network_req *netreq,
+                         getdns_upstreams *upstreams,
+                         getdns_transport_list_t transport)
+{
+	size_t i,j;
+	for (i = 0; i< netreq->transport_count;i++) {
+		if (netreq->transports[i] == transport)
+			continue;
+		if (netreq->transports[i] == GETDNS_TRANSPORT_UDP) {
+			for (j = 0; j < upstreams->count; j+=GETDNS_UPSTREAM_TRANSPORTS) {
+				if (upstreams->upstreams[j].back_off == 1)
+					return 1;
+			}
+		}
+		else if (netreq->transports[i] == GETDNS_TRANSPORT_TCP ||
+		         netreq->transports[i] == GETDNS_TRANSPORT_TLS) {
+			for (j = 0; j < upstreams->count; j++) {
+				if (netreq->transports[i] == upstreams->upstreams[j].transport &&
+				    upstream_valid(&upstreams->upstreams[j], netreq->transports[i],
+					netreq, 0))
+					return 1;
+			}
+		}
+	}
+	return 0;
+}
+
 static getdns_upstream *
 upstream_select_stateful(getdns_network_req *netreq, getdns_transport_list_t transport)
 {
@@ -1843,8 +1872,9 @@ upstream_select_stateful(getdns_network_req *netreq, getdns_transport_list_t tra
 		    upstreams->upstreams[i].conn_retry_time < now) {
 			upstreams->upstreams[i].conn_state = GETDNS_CONN_CLOSED;
 			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_NOTICE,
-			    "%-40s : Re-instating upstream\n",
-		            upstreams->upstreams[i].addr_str);
+			    "%-40s : Upstream   : Re-instating %s for this upstream\n",
+			     upstreams->upstreams[i].addr_str,
+			     upstreams->upstreams[i].transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP");
 		}
 	}
 
@@ -1857,12 +1887,13 @@ upstream_select_stateful(getdns_network_req *netreq, getdns_transport_list_t tra
 	}
 
 	/* OK - Find the next one to use. First check we have at least one valid
-	   upstream (not backed-off) because we completely back off failed 
+	   upstream (not backed-off). Because we completely back off failed 
 	   upstreams we may have no valid upstream at all (in contrast to UDP).*/
 	i = upstreams->current_stateful;
 	do {
-		DEBUG_STUB("%s %-35s: Testing upstreams  %d %d\n", STUB_DEBUG_SETUP, 
-	           __FUNC__, (int)i, (int)upstreams->upstreams[i].conn_state);
+		DEBUG_STUB("%s %-35s: Testing upstreams  %d %d for transport %d \n",
+	            STUB_DEBUG_SETUP, __FUNC__, (int)i,
+	            (int)upstreams->upstreams[i].conn_state, transport);
 		if (upstream_valid(&upstreams->upstreams[i], transport, netreq, 0)) {
 			upstream = &upstreams->upstreams[i];
 			break;
@@ -1871,40 +1902,52 @@ upstream_select_stateful(getdns_network_req *netreq, getdns_transport_list_t tra
 		if (i >= upstreams->count)
 			i = 0;
 	} while (i != upstreams->current_stateful);
+
 	if (!upstream) {
-		/* Oh, oh. We have no valid upstreams. Try to find one that might work so
-		   allow backed off upstreams to be considered valid.
-		   Don't worry about the policy, just use the one with the least bad
-		   stats that still fits the bill (right transport, right authentication)
-		   to try to avoid total failure due to network outages. */
-		do {
-			if (upstream_valid(&upstreams->upstreams[i], transport, netreq, 1)) {
-				upstream = &upstreams->upstreams[i];
-				break;
-			}
-			i++;
-			if (i >= upstreams->count)
-				i = 0;
-		} while (i != upstreams->current_stateful);
-		if (!upstream) {
-			/* We _really_ have nothing that authenticates well enough right now...
-			   leave to regular backoff logic. */
+		/* Oh, oh. We have no valid upstreams for this transport. */
+		/* If there are other fallback transports that are working, we should 
+		use them before forcilby promoting failed upstreams for re-try, since 
+		waiting for the the re-try timer to re-instate them is the right thing 
+		in this case. */
+		if (other_transports_working(netreq, upstreams, transport)) {
 			return NULL;
 		}
-		do {
-			i++;
-			if (i >= upstreams->count)
-				i = 0;
-			if (upstream_valid(&upstreams->upstreams[i], transport, netreq, 1) &&
-			    upstream_stats(&upstreams->upstreams[i]) > upstream_stats(upstream))
-				upstream = &upstreams->upstreams[i];
-		} while (i != upstreams->current_stateful);
-		upstream->conn_state = GETDNS_CONN_CLOSED;
-		upstream->conn_backoff_interval = 1;
-		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_NOTICE,
-		    "%-40s : No valid upstreams... promoting this backed-off upstream for re-try...\n",
-		    upstream->addr_str);
-		return upstream;
+		else {
+			/* Try to find one that might work so
+			   allow backed off upstreams to be considered valid.
+			   Don't worry about the policy, just use the one with the least bad
+			   stats that still fits the bill (right transport, right authentication)
+			   to try to avoid total failure due to network outages. */
+			do {
+				if (upstream_valid(&upstreams->upstreams[i], transport, netreq, 1)) {
+					upstream = &upstreams->upstreams[i];
+					break;
+				}
+				i++;
+				if (i >= upstreams->count)
+					i = 0;
+			} while (i != upstreams->current_stateful);
+			if (!upstream) {
+				/* We _really_ have nothing that authenticates well enough right now...
+				   leave to regular backoff logic. */
+				return NULL;
+			}
+			do {
+				i++;
+				if (i >= upstreams->count)
+					i = 0;
+				if (upstream_valid(&upstreams->upstreams[i], transport, netreq, 1) &&
+				    upstream_stats(&upstreams->upstreams[i]) > upstream_stats(upstream))
+					upstream = &upstreams->upstreams[i];
+			} while (i != upstreams->current_stateful);
+			upstream->conn_state = GETDNS_CONN_CLOSED;
+			upstream->conn_backoff_interval = 1;
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_NOTICE,
+			    "%-40s : Upstream   : No valid upstreams for %s... promoting this backed-off upstream for re-try...\n",
+			    upstream->addr_str,
+			    upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP");
+			return upstream;
+		}
 	}
 
 	/* Now select the specific upstream */
@@ -2081,7 +2124,7 @@ upstream_find_for_netreq(getdns_network_req *netreq)
 	/* Handle better, will give generic error*/
 	DEBUG_STUB("%s %-35s: MSG: %p No valid upstream! \n", STUB_DEBUG_SCHEDULE, __FUNC__, (void*)netreq);
 	_getdns_context_log(netreq->owner->context, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
-	    "*FAILURE* no valid transports or upstreams available!\n");
+	    "   *FAILURE* no valid transports or upstreams available!\n");
 	return -1;
 }
 

From 3b5657e5800e8c635bc089ff747935890a71749d Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 29 Jan 2018 10:17:54 +0000
Subject: [PATCH 061/303] Reduce delay on OOOR delayed lookup.

A delay of 1000ms was causing frequent lookup timeouts e.g. on 9.9.9.9. We hypothesise that the delay causes an internal timeout in the server to fire. So reduce the delay to a smaller value that seems to leave the test working but reduces the incidence of timeouts.

We observe this still leaves timeouts on TLS connections to 9.9.9.9. These seem to occur only on TLS connections, and reducing the delay much further does not alter the observed behaviour. We guess there is something else going on there.
---
 src/tools/getdns_server_mon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 7a2f74ef..4d330389 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -1587,7 +1587,7 @@ static exit_value test_out_of_order(struct test_info_s *test_info,
         /* A set of asynchronous queries to send. One exists. */
         const char GOOD_NAME[] = "getdnsapi.net";
         struct async_query async_queries[] = {
-                { "1000.delay.getdnsapi.net", 0, false },
+                { "400.delay.getdnsapi.net", 0, false },
                 { GOOD_NAME, 0, false }
         };
         unsigned NQUERIES = sizeof(async_queries) / sizeof(async_queries[0]);

From 2e03d3799c0fa1c005fbfd9b6acc40d2101e5c99 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 30 Jan 2018 12:23:23 +0100
Subject: [PATCH 062/303] Memory leak on some TLS creation error cases

---
 src/stub.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/stub.c b/src/stub.c
index 07f22fcd..a9ec8240 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -956,6 +956,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			    "%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n",
 			    upstream->addr_str);
 			upstream->tls_hs_state = GETDNS_HS_FAILED;
+			SSL_free(ssl);
 			return NULL;
 		}
 #endif
@@ -973,6 +974,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 				DEBUG_STUB("%s %-35s: ERROR: No host name or pubkey pinset provided for TLS authentication\n",
 			           STUB_DEBUG_SETUP_TLS, __FUNC__);
 				upstream->tls_hs_state = GETDNS_HS_FAILED;
+				SSL_free(ssl);
 				return NULL;
 			}
 		} else {

From 1f401f725377808b43a332159bb4389d3cbb60bc Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 30 Jan 2018 12:40:47 +0100
Subject: [PATCH 063/303] Do not return freed netreqs!

---
 src/general.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/general.c b/src/general.c
index 80b40a2c..3e50124d 100644
--- a/src/general.c
+++ b/src/general.c
@@ -697,6 +697,8 @@ getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
 		/* clean up the request */
 		_getdns_context_clear_outbound_request(req);
 		_getdns_dns_req_free(req);
+		if (return_netreq_p)
+			*return_netreq_p = NULL;
 		return r;
 	}
 	return GETDNS_RETURN_GOOD;

From 97b056c3555b24164a8b08a4e9c28d0705868c3c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 30 Jan 2018 15:21:46 +0100
Subject: [PATCH 064/303] Prevent erred TCP connection to be rescheduled ...

	for reading (or writing) when an reply comes in.

Thanks Maddie!
---
 src/server.c | 121 +++++++++++++++++++++++++++++----------------------
 1 file changed, 68 insertions(+), 53 deletions(-)

diff --git a/src/server.c b/src/server.c
index 1f5f218d..ce643aee 100644
--- a/src/server.c
+++ b/src/server.c
@@ -127,21 +127,25 @@ static void tcp_connection_destroy(tcp_connection *conn)
 
 	tcp_to_write *cur, *next;
 
-	if (!(mf = &conn->super.l->set->context->mf))
-		return;
-
+	mf = &conn->super.l->set->context->mf;
 	if (getdns_context_get_eventloop(conn->super.l->set->context, &loop))
 		return;
 
-	if (conn->event.read_cb||conn->event.write_cb||conn->event.timeout_cb)
+	if (conn->event.ev)
 		loop->vmt->clear(loop, &conn->event);
 
-	if (conn->fd >= 0)
+	if (conn->event.read_cb||conn->event.write_cb||conn->event.timeout_cb) {
+		conn->event.read_cb    = conn->event.write_cb =
+		conn->event.timeout_cb = NULL;
+	}
+	if (conn->fd >= 0) {
 		(void) _getdns_closesocket(conn->fd);
-
+		conn->fd = -1;
+	}
 	if (conn->read_buf) {
 		GETDNS_FREE(*mf, conn->read_buf);
-		conn->read_buf = NULL;
+		conn->read_buf = conn->read_pos = NULL;
+		conn->to_read = 0;
 	}
 	if ((cur = conn->to_write)) {
 		while (cur) {
@@ -198,15 +202,14 @@ static void tcp_write_cb(void *userarg)
 	    (const void *)&to_write->write_buf[to_write->written],
 	    to_write->write_buf_len - to_write->written, 0)) == -1) {
 
-		if (_getdns_socketerror_wants_retry())
-			return;
-
-		DEBUG_SERVER("I/O error from send(): %s\n",
-	        	     _getdns_errnostr());
+		if (conn->fd != -1) {
+			if (_getdns_socketerror_wants_retry())
+				return;
 
+			DEBUG_SERVER("I/O error from send(): %s\n",
+	        	     	_getdns_errnostr());
+		}
 		/* IO error, close connection */
-		conn->event.read_cb = conn->event.write_cb =
-		    conn->event.timeout_cb = NULL;
 		tcp_connection_destroy(conn);
 		return;
 	}
@@ -317,6 +320,7 @@ getdns_reply(
 		tcp_to_write **to_write_p;
 		tcp_to_write *to_write;
 
+		loop->vmt->clear(loop, &conn->event);
 		if (conn->fd == -1) {
 			if (conn->to_answer > 0)
 				--conn->to_answer;
@@ -324,8 +328,10 @@ getdns_reply(
 			return GETDNS_RETURN_GOOD;
 		}
 		if (!(to_write = (tcp_to_write *)GETDNS_XMALLOC(
-		    *mf, uint8_t, sizeof(tcp_to_write) + len + 2)))
+		    *mf, uint8_t, sizeof(tcp_to_write) + len + 2))) {
+			tcp_connection_destroy(conn);
 			return GETDNS_RETURN_MEMORY_ERROR;
+		}
 
 		to_write->write_buf_len = len + 2;
 		to_write->write_buf[0] = (len >> 8) & 0xFF;
@@ -341,7 +347,6 @@ getdns_reply(
 			; /* pass */
 		*to_write_p = to_write;
 
-		loop->vmt->clear(loop, &conn->event);
 		conn->event.write_cb = tcp_write_cb;
 		if (conn->to_answer > 0)
 			conn->to_answer--;
@@ -373,18 +378,17 @@ static void tcp_read_cb(void *userarg)
 
 	/* Reset tcp_connection idle timeout */
 	loop->vmt->clear(loop, &conn->event);
-	(void) loop->vmt->schedule(loop, conn->fd,
-	    DOWNSTREAM_IDLE_TIMEOUT, &conn->event);
-
-	if ((bytes_read = recv(conn->fd,
+	if (conn->fd == -1 ||
+	    (bytes_read = recv(conn->fd,
 	    (void *)conn->read_pos, conn->to_read, 0)) < 0) {
-		if (_getdns_socketerror_wants_retry())
-			return; /* Come back to do the read later */
-
-		/* IO error, close connection */
-		DEBUG_SERVER("I/O error from recv(): %s\n",
-	        	     _getdns_errnostr());
+		if (conn->fd != -1) {
+			if (_getdns_socketerror_wants_retry())
+				return; /* Come back to do the read later */
 
+			/* IO error, close connection */
+			DEBUG_SERVER("I/O error from recv(): %s\n",
+				     _getdns_errnostr());
+		}
 		tcp_connection_destroy(conn);
 		return;
 	}
@@ -398,9 +402,9 @@ static void tcp_read_cb(void *userarg)
 	conn->to_read  -= bytes_read;
 	conn->read_pos += bytes_read;
 	if (conn->to_read)
-		return; /* More to read */
+		; /* Schedule for more reading */
 
-	if (conn->read_pos - conn->read_buf == 2) {
+	else if (conn->read_pos - conn->read_buf == 2) {
 		/* read length of dns msg to read */
 		conn->to_read = (conn->read_buf[0] << 8) | conn->read_buf[1];
 		if (conn->to_read > conn->read_buf_len) {
@@ -420,47 +424,49 @@ static void tcp_read_cb(void *userarg)
 			return;
 		}
 		conn->read_pos = conn->read_buf;
-		return;  /* Read DNS message */
-	}
-	if ((r = getdns_wire2msg_dict(conn->read_buf,
-	    (conn->read_pos - conn->read_buf), &request_dict)))
-		; /* FROMERR on input, ignore */
+		; /* Schedule for more reading */
 
-	else {
-		conn->to_answer++;
+	} else {
+		/* Ready for reading a new packet */
 
-		/* TODO: wish list item:
-		 * (void) getdns_dict_set_int64(
-		 *     request_dict, "request_id", intptr_t)conn);
-		 */
-		/* Call request handler */
-		conn->super.l->set->handler(
-		    conn->super.l->set->context, GETDNS_CALLBACK_COMPLETE,
-		    request_dict, conn->super.l->set->userarg, (intptr_t)conn);
+		if (!(r = getdns_wire2msg_dict(conn->read_buf,
+		    (conn->read_pos - conn->read_buf), &request_dict))) {
 
+			conn->to_answer++;
+
+			/* TODO: wish list item:
+			 * (void) getdns_dict_set_int64(
+			 *     request_dict, "request_id", intptr_t)conn);
+			 */
+			/* Call request handler */
+			conn->super.l->set->handler(
+			    conn->super.l->set->context,
+			    GETDNS_CALLBACK_COMPLETE, request_dict,
+			    conn->super.l->set->userarg, (intptr_t)conn);
+		}
 		conn->read_pos = conn->read_buf;
 		conn->to_read = 2;
-		return; /* Read more requests */
+		; /* Schedule for more reading */
 	}
-	conn->read_pos = conn->read_buf;
-	conn->to_read = 2;
 	 /* Read more requests */
+	(void) loop->vmt->schedule(loop, conn->fd,
+	    DOWNSTREAM_IDLE_TIMEOUT, &conn->event);
 }
 
 static void tcp_timeout_cb(void *userarg)
 {
 	tcp_connection *conn = (tcp_connection *)userarg;
+	getdns_eventloop *loop;
 
 	assert(userarg);
 
-	if (conn->to_answer) {
-		getdns_eventloop *loop;
+	if (getdns_context_get_eventloop(
+	    conn->super.l->set->context, &loop))
+		return;
 
-		if (getdns_context_get_eventloop(
-		    conn->super.l->set->context, &loop))
-			return;
+	loop->vmt->clear(loop, &conn->event);
 
-		loop->vmt->clear(loop, &conn->event);
+	if (conn->to_answer && conn->fd >= 0) {
 		(void) loop->vmt->schedule(loop,
 		    conn->fd, DOWNSTREAM_IDLE_TIMEOUT,
 		    &conn->event);
@@ -737,8 +743,17 @@ static void remove_listeners(listen_set *set)
 		
 		conn_p = (tcp_connection **)&l->connections;
 		while (*conn_p) {
+			tcp_connection *prev_conn_p = *conn_p;
+
+			loop->vmt->clear(loop, &(*conn_p)->event);
 			tcp_connection_destroy(*conn_p);
-			if (*conn_p && (*conn_p)->to_answer > 0)
+			/* tcp_connection_destroy() updates the pointer to the
+			 * connection.  For the first connection this is
+			 * l->connections.  When the connection is not actually
+			 * destroyed, the value of *conn_p thus remains the
+			 * same.  When it is destroyed it is updated.
+			 */
+			if (*conn_p == prev_conn_p)
 				conn_p = (tcp_connection **)
 				    &(*conn_p)->super.next;
 		}

From 9bc98272a123faecb2d915743389c5a20d5e3d0e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 31 Jan 2018 14:33:31 +0100
Subject: [PATCH 065/303] Fixing the fixes

---
 src/server.c | 71 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 60 insertions(+), 11 deletions(-)

diff --git a/src/server.c b/src/server.c
index ce643aee..bf3e86bb 100644
--- a/src/server.c
+++ b/src/server.c
@@ -34,6 +34,10 @@
 #include <iphlpapi.h>
 #endif
 
+#if defined(HAVE_FCNTL)
+#include <fcntl.h>
+#endif
+
 #include "getdns/getdns_extra.h"
 #include "context.h"
 #include "types-internal.h"
@@ -118,6 +122,25 @@ typedef struct tcp_connection {
 	size_t                  to_answer;
 } tcp_connection;
 
+/** best effort to set nonblocking */
+static void
+getdns_sock_nonblock(int sockfd)
+{
+#if defined(HAVE_FCNTL)
+	int flag;
+	if((flag = fcntl(sockfd, F_GETFL)) != -1) {
+		flag |= O_NONBLOCK;
+		if(fcntl(sockfd, F_SETFL, flag) == -1) {
+			/* ignore error, continue blockingly */
+		}
+	}
+#elif defined(HAVE_IOCTLSOCKET)
+	unsigned long on = 1;
+	if(ioctlsocket(sockfd, FIONBIO, &on) != 0) {
+		/* ignore error, continue blockingly */
+	}
+#endif
+}
 
 static void free_listen_set_when_done(listen_set *set);
 static void tcp_connection_destroy(tcp_connection *conn)
@@ -203,9 +226,11 @@ static void tcp_write_cb(void *userarg)
 	    to_write->write_buf_len - to_write->written, 0)) == -1) {
 
 		if (conn->fd != -1) {
-			if (_getdns_socketerror_wants_retry())
+			if (_getdns_socketerror_wants_retry()) {
+				(void) loop->vmt->schedule(loop, conn->fd,
+				    DOWNSTREAM_IDLE_TIMEOUT, &conn->event);
 				return;
-
+			}
 			DEBUG_SERVER("I/O error from send(): %s\n",
 	        	     	_getdns_errnostr());
 		}
@@ -340,19 +365,27 @@ getdns_reply(
 		to_write->next = NULL;
 		(void) memcpy(to_write->write_buf + 2, buf, len);
 
-		/* Appen to_write to conn->to_write list */
+		/* Append to_write to conn->to_write list */
 		for ( to_write_p = &conn->to_write
 		    ; *to_write_p
 		    ; to_write_p = &(*to_write_p)->next)
 			; /* pass */
 		*to_write_p = to_write;
 
-		conn->event.write_cb = tcp_write_cb;
 		if (conn->to_answer > 0)
 			conn->to_answer--;
-		(void) loop->vmt->schedule(loop,
-		    conn->fd, DOWNSTREAM_IDLE_TIMEOUT,
-		    &conn->event);
+
+		/* When event is scheduled, and doesn't have tcp_write_cb:
+		 * reschedule.
+		 */
+		if (conn->event.write_cb == NULL) {
+			if (conn->event.ev)
+				loop->vmt->clear(loop, &conn->event);
+			conn->event.write_cb = tcp_write_cb;
+			(void) loop->vmt->schedule(loop,
+			    conn->fd, DOWNSTREAM_IDLE_TIMEOUT,
+			    &conn->event);
+		}
 	}
 	/* TODO: other transport types */
 
@@ -382,9 +415,11 @@ static void tcp_read_cb(void *userarg)
 	    (bytes_read = recv(conn->fd,
 	    (void *)conn->read_pos, conn->to_read, 0)) < 0) {
 		if (conn->fd != -1) {
-			if (_getdns_socketerror_wants_retry())
+			if (_getdns_socketerror_wants_retry()) {
+				(void) loop->vmt->schedule(loop, conn->fd,
+				    DOWNSTREAM_IDLE_TIMEOUT, &conn->event);
 				return; /* Come back to do the read later */
-
+			}
 			/* IO error, close connection */
 			DEBUG_SERVER("I/O error from recv(): %s\n",
 				     _getdns_errnostr());
@@ -439,18 +474,29 @@ static void tcp_read_cb(void *userarg)
 			 *     request_dict, "request_id", intptr_t)conn);
 			 */
 			/* Call request handler */
+
+			conn->to_answer += 1; /* conn removal protection */
 			conn->super.l->set->handler(
 			    conn->super.l->set->context,
 			    GETDNS_CALLBACK_COMPLETE, request_dict,
 			    conn->super.l->set->userarg, (intptr_t)conn);
+			conn->to_answer -= 1; /* conn removal protection */
+
+			if (conn->fd == -1) {
+				tcp_connection_destroy(conn);
+				return;
+			}
 		}
 		conn->read_pos = conn->read_buf;
 		conn->to_read = 2;
 		; /* Schedule for more reading */
 	}
 	 /* Read more requests */
-	(void) loop->vmt->schedule(loop, conn->fd,
-	    DOWNSTREAM_IDLE_TIMEOUT, &conn->event);
+	if (!conn->event.ev) { /* event not scheduled */
+		conn->event.write_cb = conn->to_write ? tcp_write_cb : NULL;
+		(void) loop->vmt->schedule(loop, conn->fd,
+		    DOWNSTREAM_IDLE_TIMEOUT, &conn->event);
+	}
 }
 
 static void tcp_timeout_cb(void *userarg)
@@ -514,8 +560,10 @@ static void tcp_accept_cb(void *userarg)
 		GETDNS_FREE(*mf, conn);
 		return;
 	}
+	getdns_sock_nonblock(conn->fd);
 	if (!(conn->read_buf = malloc(DNS_REQUEST_SZ))) {
 		/* Memory error */
+		(void) _getdns_closesocket(conn->fd);
 		GETDNS_FREE(*mf, conn);
 		return;
 	}
@@ -531,6 +579,7 @@ static void tcp_accept_cb(void *userarg)
 	if (!_getdns_rbtree_insert(
 	    &l->set->connections_set, &conn->super.super)) {
 		/* Memory error */
+		(void) _getdns_closesocket(conn->fd);
 		GETDNS_FREE(*mf, conn);
 		return;
 	}

From ec8b8ba903aa854e367f90b26a9480b2d2abf897 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 31 Jan 2018 14:41:13 +0100
Subject: [PATCH 066/303] One more fixing the fixes fix that slipped through

---
 src/server.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index bf3e86bb..59497bed 100644
--- a/src/server.c
+++ b/src/server.c
@@ -345,7 +345,6 @@ getdns_reply(
 		tcp_to_write **to_write_p;
 		tcp_to_write *to_write;
 
-		loop->vmt->clear(loop, &conn->event);
 		if (conn->fd == -1) {
 			if (conn->to_answer > 0)
 				--conn->to_answer;

From a25f832d8aaeeaeddd781989a41543154ca005fa Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 1 Feb 2018 16:04:22 +0000
Subject: [PATCH 067/303] Remove timeout argument from keepalive test.

The client doesn't send a timeout value to the server, so there's no point having this argument.
---
 src/tools/getdns_server_mon.c | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 4d330389..d394e69a 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -330,8 +330,7 @@ static void usage()
 "\n"
 "Tests:\n"
 "  lookup [<name> [<type>]]      Check lookup on server\n"
-"  keepalive <timeout-ms> [<name> [<type>]]\n"
-"                                Check server support for EDNS0 keepalive in\n"
+"  keepalive [<name> [<type>]]   Check server support for EDNS0 keepalive in\n"
 "                                TCP or TLS connections\n"
 "                                Timeout of 0 is off.\n"
 "  OOOR                          Check whether server delivers responses out of\n"
@@ -1262,18 +1261,9 @@ static exit_value test_keepalive(struct test_info_s *test_info,
 {
         getdns_dict *response;
         exit_value xit;
-        long long timeout;
-        char *endptr;
-        const char USAGE[] = "keepalive takes arguments <timeout-ms> [<name> [<type>]]";
-
-        if (!*av || (timeout = strtoll(*av, &endptr, 10), *endptr != '\0' || timeout < 0)) {
-                strcpy(test_info->base_output, USAGE);
-                return EXIT_USAGE;
-        }
-        ++av;
 
         getdns_return_t ret;
-        if ((ret = getdns_context_set_idle_timeout(test_info->context, (uint64_t) timeout)) != GETDNS_RETURN_GOOD) {
+        if ((ret = getdns_context_set_idle_timeout(test_info->context, 1)) != GETDNS_RETURN_GOOD) {
                 snprintf(test_info->base_output,
                          MAX_BASE_OUTPUT_LEN,
                          "Cannot set keepalive timeout: %s (%d)",
@@ -1284,7 +1274,7 @@ static exit_value test_keepalive(struct test_info_s *test_info,
 
         if ((xit = parse_search_check(test_info,
                                       av,
-                                      USAGE,
+                                      "keepalive takes arguments [<name> [<type>]]",
                                       &response,
                                       NULL,
                                       NULL,

From 13d7a730ee91a10fb2eb32295023cf022db00e14 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 7 Feb 2018 12:41:24 +0000
Subject: [PATCH 068/303] Further mitigate cache effects for OOOR by adding
 random label to delay lookup.

It turns out that delay.getdnsapi.net only pays attention to the left-most label.
---
 src/tools/getdns_server_mon.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index d394e69a..f592ce81 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -1574,10 +1574,20 @@ static exit_value test_out_of_order(struct test_info_s *test_info,
                 return EXIT_USAGE;
         }
 
-        /* A set of asynchronous queries to send. One exists. */
+        /*
+         * A set of asynchronous queries to send. One exists.
+         *
+         * Replies from delay.getdns.api come back with a 1s TTL. It turns out
+         * that delay.getdns.api will ignore all leftmost labels bar the first,
+         * so to further mitigate any cache effects insert a random string
+         * into the name.
+         */
         const char GOOD_NAME[] = "getdnsapi.net";
+        char delay_name[50];
+        srand(time(NULL));
+        snprintf(delay_name, sizeof(delay_name) - 1, "400.n%04d.delay.getdnsapi.net", rand() % 10000);
         struct async_query async_queries[] = {
-                { "400.delay.getdnsapi.net", 0, false },
+                { delay_name, 0, false },
                 { GOOD_NAME, 0, false }
         };
         unsigned NQUERIES = sizeof(async_queries) / sizeof(async_queries[0]);

From 82c00eb0a59dac2f993a3816066cb03605d7f836 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 7 Feb 2018 13:50:29 +0100
Subject: [PATCH 069/303] version.bind CH TXT for getdns_query

---
 src/tools/getdns_query.c | 49 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 44 insertions(+), 5 deletions(-)

diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index 713783fc..66943900 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -1616,7 +1616,43 @@ static void incoming_request_handler(getdns_context *context,
 		fprintf(stderr, "Could set class from query: %s\n",
 		    getdns_get_errorstr_by_id(r));
 
-	else if ((r = getdns_general(context, qname_str, qtype,
+	else if (qtype == GETDNS_RRTYPE_TXT && qclass == GETDNS_RRCLASS_CH &&
+	    strcasecmp(qname_str, "version.bind.") == 0) {
+		const char *getdns_query_version = "getdns_query " GETDNS_VERSION;
+		char getdns_version[100] = "getdns ";
+		char getdns_api_version[100] = "getdns API ";
+
+		response = request;
+		(void) getdns_dict_set_bindata(response, "/answer/0/name", qname);
+		(void) getdns_dict_set_int(response, "/answer/0/type",  qtype);
+		(void) getdns_dict_set_int(response, "/answer/0/class", qclass);
+		(void) getdns_dict_set_int(response, "/answer/0/ttl",   0);
+		(void) getdns_dict_util_set_string(response,
+		    "/answer/0/rdata/txt_strings/0", getdns_query_version);
+
+		(void) getdns_dict_set_bindata(response, "/answer/1/name", qname);
+		(void) getdns_dict_set_int(response, "/answer/1/type",  qtype);
+		(void) getdns_dict_set_int(response, "/answer/1/class", qclass);
+		(void) getdns_dict_set_int(response, "/answer/1/ttl",   0);
+		(void) strncat(getdns_version + 7,
+		    getdns_get_version(), sizeof(getdns_version) - 8);
+		(void) getdns_dict_util_set_string(response,
+		    "/answer/1/rdata/txt_strings/0",getdns_version);
+
+		(void) getdns_dict_set_bindata(response, "/answer/2/name", qname);
+		(void) getdns_dict_set_int(response, "/answer/2/type",  qtype);
+		(void) getdns_dict_set_int(response, "/answer/2/class", qclass);
+		(void) getdns_dict_set_int(response, "/answer/2/ttl",   0);
+		(void) strncat(getdns_api_version + 11,
+		    getdns_get_api_version(), sizeof(getdns_api_version) - 12);
+		(void) getdns_dict_util_set_string(response,
+		    "/answer/2/rdata/txt_strings/0",getdns_api_version);
+
+		(void) getdns_dict_set_int(response, "/header/ancount", 3);
+
+		goto answer_request;
+
+	} else if ((r = getdns_general(context, qname_str, qtype,
 	    qext, msg, &transaction_id, request_cb)))
 		fprintf(stderr, "Could not schedule query: %s\n",
 		    getdns_get_errorstr_by_id(r));
@@ -1627,9 +1663,8 @@ static void incoming_request_handler(getdns_context *context,
 		return;
 	}
 error:
-	if (qname_str)
-		free(qname_str);
 	servfail(msg, &response);
+answer_request:
 #if defined(SERVER_DEBUG) && SERVER_DEBUG
 	do {
 		char *request_str = getdns_pretty_print_dict(request);
@@ -1646,13 +1681,17 @@ error:
 		/* Cancel reply */
 		getdns_reply(context, NULL, request_id);
 	}
+	if (response && response != request)
+		getdns_dict_destroy(response);
+
+	if (qname_str)
+		free(qname_str);
+
 	if (msg) {
 		if (msg->request)
 			getdns_dict_destroy(msg->request);
 		free(msg);
 	}
-	if (response)
-		getdns_dict_destroy(response);
 }
 
 static void stubby_log(void *userarg, uint64_t system,

From c28a293c9f510096caa9c0c6ebf3c96ff1997331 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 7 Feb 2018 14:38:31 +0100
Subject: [PATCH 070/303] "Pinset validation failure" error when it occurred

---
 src/context.c |  2 +-
 src/stub.c    | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/context.c b/src/context.c
index 67b9eb84..7856b690 100644
--- a/src/context.c
+++ b/src/context.c
@@ -686,7 +686,7 @@ upstreams_create(getdns_context *context, size_t size)
 }
 
 
-#if defined(STUB_DEBUG) && STUB_DEBUG
+#if defined(USE_DANESSL) && defined(STUB_DEBUG) && STUB_DEBUG
 static void _stub_debug_print_openssl_errors(void)
 {
     unsigned long err;
diff --git a/src/stub.c b/src/stub.c
index 1270d0a4..1863fd4e 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1159,6 +1159,35 @@ tls_do_handshake(getdns_upstream *upstream)
 			    ? "Tolerated because of Opportunistic profile"
 			    : "*Failure*" ));
 
+		/* Since we don't have DANE validation yet, DANE validation
+		 * failures are always pinset validation failures
+		 */
+# if defined(HAVE_SSL_DANE_ENABLE)
+		else if (verify_result == X509_V_ERR_DANE_NO_MATCH)
+			_getdns_upstream_log(upstream,
+			    GETDNS_LOG_UPSTREAM_STATS,
+			    ( upstream->tls_fallback_ok
+			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
+			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "Pinset validation failure\n", upstream->addr_str,
+			    ( upstream->tls_fallback_ok
+			    ? "Tolerated because of Opportunistic profile"
+			    : "*Failure*" ));
+# elif defined(USE_DANESSL)
+		else if (verify_result == X509_V_ERR_CERT_UNTRUSTED
+		    && upstream->tls_pubkey_pinset
+		    && !DANESSL_get_match_cert(
+			    upstream->tls_obj, NULL, NULL, NULL))
+			_getdns_upstream_log(upstream,
+			    GETDNS_LOG_UPSTREAM_STATS,
+			    ( upstream->tls_fallback_ok
+			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
+			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "Pinset validation failure\n", upstream->addr_str,
+			    ( upstream->tls_fallback_ok
+			    ? "Tolerated because of Opportunistic profile"
+			    : "*Failure*" ));
+# endif
 		else if (verify_result != X509_V_OK)
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,

From 0eba73a945e6824940928fc029bc28803f535294 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 7 Feb 2018 16:42:11 +0100
Subject: [PATCH 071/303] LibreSSL like OpenSSL < 1.0.2

---
 configure.ac | 2 ++
 src/stub.c   | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 3c37daa3..4e7f3f62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -441,6 +441,8 @@ AC_COMPILE_IFELSE(
 		[#error "OpenSSL 1.0.0 or higher required for DANE library"]
 		[#elif defined(HAVE_SSL_DANE_ENABLE)]
 		[#error "OpenSSL has native DANE support"]
+		[#elif defined(LIBRESSL_VERSION_NUMBER)]
+		[#error "dane_ssl library does not work with LibreSSL"]
 		[#endif]
 	],[[]])],
 	[
diff --git a/src/stub.c b/src/stub.c
index 1863fd4e..3c6e4a8e 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1227,6 +1227,7 @@ tls_do_handshake(getdns_upstream *upstream)
 		    && !upstream->tls_fallback_ok)
 			return STUB_SETUP_ERROR;
 	}
+#endif /* defined(USE_DANESSL) || defined(HAVE_SSL_HN_AUTH) */
 	DEBUG_STUB("%s %-35s: FD:  %d Handshake succeeded with auth state %s. Session is %s.\n", 
 		         STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, 
 		         _getdns_auth_str(upstream->tls_auth_state),
@@ -1246,7 +1247,6 @@ tls_do_handshake(getdns_upstream *upstream)
 	     NULL, upstream_write_cb, NULL));
 	return 0;
 }
-#endif /* defined(USE_DANESSL) || defined(HAVE_SSL_HN_AUTH) */
 
 static int
 tls_connected(getdns_upstream* upstream)

From a72359e058a3ddb1c52a877d8bc732d31e57541a Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 7 Feb 2018 17:08:55 +0100
Subject: [PATCH 072/303] Comply to new style transport logging

---
 src/stub.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index b5481055..1bee5760 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1153,7 +1153,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			    GETDNS_LOG_UPSTREAM_STATS,
 			    ( upstream->tls_fallback_ok
 			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "%-40s : Verify failed : TLS - %s -  "
 			    "Remote did not offer certificate\n",
 			    upstream->addr_str,
 			    ( upstream->tls_fallback_ok
@@ -1169,7 +1169,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			    GETDNS_LOG_UPSTREAM_STATS,
 			    ( upstream->tls_fallback_ok
 			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "%-40s : Verify failed : TLS - %s -  "
 			    "Pinset validation failure\n", upstream->addr_str,
 			    ( upstream->tls_fallback_ok
 			    ? "Tolerated because of Opportunistic profile"
@@ -1183,7 +1183,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			    GETDNS_LOG_UPSTREAM_STATS,
 			    ( upstream->tls_fallback_ok
 			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "%-40s : Verify failed : TLS - %s -  "
 			    "Pinset validation failure\n", upstream->addr_str,
 			    ( upstream->tls_fallback_ok
 			    ? "Tolerated because of Opportunistic profile"
@@ -1194,7 +1194,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			    GETDNS_LOG_UPSTREAM_STATS,
 			    ( upstream->tls_fallback_ok
 			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "%-40s : Verify failed : TLS - %s -  "
 			    "(%d) \"%s\"\n", upstream->addr_str,
 			    ( upstream->tls_fallback_ok
 			    ? "Tolerated because of Opportunistic profile"
@@ -1206,7 +1206,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			    GETDNS_LOG_UPSTREAM_STATS,
 			    ( upstream->tls_fallback_ok
 			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : Transport=TLS - %s -  "
+			    "%-40s : Verify failed : TLS - %s -  "
 			    "Hostname Authentication not available from TLS "
 			    "library (check library version)\n",
 			    upstream->addr_str,
@@ -1220,7 +1220,7 @@ tls_do_handshake(getdns_upstream *upstream)
 		else
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
-			    "%-40s : Verify passed : Transport=TLS\n",
+			    "%-40s : Verify passed : TLS\n",
 			    upstream->addr_str);
 
 		X509_free(peer_cert);

From bf1f01c87ef387666d0f321989b4e07ccf9f24e0 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 8 Feb 2018 12:02:48 +0100
Subject: [PATCH 073/303] Syntactic mod to minimizing changes with before PR

So changes are highlighted in side-by-side views.
---
 src/stub.c | 79 ++++++++++++++++++++++++++----------------------------
 1 file changed, 38 insertions(+), 41 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index 44a5e422..2767cf03 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -2082,52 +2082,49 @@ upstream_select_stateful(getdns_network_req *netreq, getdns_transport_list_t tra
 		if (i >= upstreams->count)
 			i = 0;
 	} while (i != upstreams->current_stateful);
-
 	if (!upstream) {
 		/* Oh, oh. We have no valid upstreams for this transport. */
 		/* If there are other fallback transports that are working, we should 
-		use them before forcilby promoting failed upstreams for re-try, since 
-		waiting for the the re-try timer to re-instate them is the right thing 
-		in this case. */
-		if (other_transports_working(netreq, upstreams, transport)) {
+		   use them before forcibly promoting failed upstreams for re-try, since 
+		   waiting for the the re-try timer to re-instate them is the right thing 
+		   in this case. */
+		if (other_transports_working(netreq, upstreams, transport))
+			return NULL;
+
+		/* Try to find one that might work so
+		   allow backed off upstreams to be considered valid.
+		   Don't worry about the policy, just use the one with the least bad
+		   stats that still fits the bill (right transport, right authentication)
+		   to try to avoid total failure due to network outages. */
+		do {
+			if (upstream_valid(&upstreams->upstreams[i], transport, netreq, 1)) {
+				upstream = &upstreams->upstreams[i];
+				break;
+			}
+			i++;
+			if (i >= upstreams->count)
+				i = 0;
+		} while (i != upstreams->current_stateful);
+		if (!upstream) {
+			/* We _really_ have nothing that authenticates well enough right now...
+			   leave to regular backoff logic. */
 			return NULL;
 		}
-		else {
-			/* Try to find one that might work so
-			   allow backed off upstreams to be considered valid.
-			   Don't worry about the policy, just use the one with the least bad
-			   stats that still fits the bill (right transport, right authentication)
-			   to try to avoid total failure due to network outages. */
-			do {
-				if (upstream_valid(&upstreams->upstreams[i], transport, netreq, 1)) {
-					upstream = &upstreams->upstreams[i];
-					break;
-				}
-				i++;
-				if (i >= upstreams->count)
-					i = 0;
-			} while (i != upstreams->current_stateful);
-			if (!upstream) {
-				/* We _really_ have nothing that authenticates well enough right now...
-				   leave to regular backoff logic. */
-				return NULL;
-			}
-			do {
-				i++;
-				if (i >= upstreams->count)
-					i = 0;
-				if (upstream_valid(&upstreams->upstreams[i], transport, netreq, 1) &&
-				    upstream_stats(&upstreams->upstreams[i]) > upstream_stats(upstream))
-					upstream = &upstreams->upstreams[i];
-			} while (i != upstreams->current_stateful);
-			upstream->conn_state = GETDNS_CONN_CLOSED;
-			upstream->conn_backoff_interval = 1;
-			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_NOTICE,
-			    "%-40s : Upstream   : No valid upstreams for %s... promoting this backed-off upstream for re-try...\n",
-			    upstream->addr_str,
-			    upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP");
-			return upstream;
-		}
+		do {
+			i++;
+			if (i >= upstreams->count)
+				i = 0;
+			if (upstream_valid(&upstreams->upstreams[i], transport, netreq, 1) &&
+			    upstream_stats(&upstreams->upstreams[i]) > upstream_stats(upstream))
+				upstream = &upstreams->upstreams[i];
+		} while (i != upstreams->current_stateful);
+		upstream->conn_state = GETDNS_CONN_CLOSED;
+		upstream->conn_backoff_interval = 1;
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_NOTICE,
+		    "%-40s : Upstream   : No valid upstreams for %s... promoting this backed-off upstream for re-try...\n",
+		    upstream->addr_str,
+		    upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP");
+		return upstream;
 	}
 
 	/* Now select the specific upstream */

From f7278ca6966012ef5c002e06de169e0722bb43c1 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 8 Feb 2018 12:38:50 +0100
Subject: [PATCH 074/303] Make getdns_server_mon work with libressl

---
 src/tools/getdns_server_mon.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index f592ce81..3a3fd33a 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -180,7 +180,7 @@ static const char *rcode_text(int rcode)
         return getdns_intval_text(rcode, "rcode", "GETDNS_RCODE_");
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000
+#if OPENSSL_VERSION_NUMBER < 0x10002000 || defined(LIBRESSL_VERSION_NUMBER)
 /*
  * Convert date to Julian day.
  * See https://en.wikipedia.org/wiki/Julian_day
@@ -221,7 +221,7 @@ static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t
 
         *t = time(NULL);
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000
+#if OPENSSL_VERSION_NUMBER < 0x10002000 || defined(LIBRESSL_VERSION_NUMBER)
         /*
          * OpenSSL before 1.0.2 does not support ASN1_TIME_diff().
          * So work around by using ASN1_TIME_print() to print to a buffer

From 088d775117b589e5c6433285b62f872fc956c256 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 8 Feb 2018 12:35:45 +0000
Subject: [PATCH 075/303] In Keepalive test, send the maximum possible timeout
 value to the server.

The response will then show the server's value.
---
 src/tools/getdns_server_mon.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index f592ce81..c1f4bc92 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -1261,9 +1261,10 @@ static exit_value test_keepalive(struct test_info_s *test_info,
 {
         getdns_dict *response;
         exit_value xit;
+        const uint64_t MAX_TIMEOUT_VALUE = 0xffff * 10000;
 
         getdns_return_t ret;
-        if ((ret = getdns_context_set_idle_timeout(test_info->context, 1)) != GETDNS_RETURN_GOOD) {
+        if ((ret = getdns_context_set_idle_timeout(test_info->context, MAX_TIMEOUT_VALUE)) != GETDNS_RETURN_GOOD) {
                 snprintf(test_info->base_output,
                          MAX_BASE_OUTPUT_LEN,
                          "Cannot set keepalive timeout: %s (%d)",

From c3e4061fe298c2c104eeb6ed44e9f9189ab4f458 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 9 Feb 2018 15:18:44 +0100
Subject: [PATCH 076/303] hostname auth with libressl

---
 configure.ac |  2 +-
 src/stub.c   | 14 ++++++--------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/configure.ac b/configure.ac
index 66676222..cd437c11 100644
--- a/configure.ac
+++ b/configure.ac
@@ -408,7 +408,7 @@ fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add])
+AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
diff --git a/src/stub.c b/src/stub.c
index 9094eac5..de24ef58 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -945,8 +945,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
 		SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL)
-# if defined(HAVE_SSL_HN_AUTH)
+#if defined(HAVE_SSL_HN_AUTH)
 		/* Set up native OpenSSL hostname verification
 		 * ( doesn't work with USE_DANESSL, but we verify the
 		 *   name afterwards in such cases )
@@ -955,7 +954,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		param = SSL_get0_param(ssl);
 		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 		X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
-# else
+#elif !defined(HAVE_X509_CHECK_HOST)
 		if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
 			DEBUG_STUB("%s %-35s: ERROR: Hostname Authentication not available from TLS library (check library version)\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__);
@@ -967,7 +966,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 			return NULL;
 		}
-# endif
 #endif
 		/* Allow fallback to opportunistic if settings permit it*/
 		if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
@@ -1133,7 +1131,6 @@ tls_do_handshake(getdns_upstream *upstream)
 	else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
 		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
 		long verify_result = SSL_get_verify_result(upstream->tls_obj);
-		int xch;
 
 /* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
  * we need to verify auth_name explicitely (otherwise it will not be checked,
@@ -1141,10 +1138,11 @@ tls_do_handshake(getdns_upstream *upstream)
  * This is not needed with native OpenSSL DANE, because EE name checks have
  * to be disabled explicitely.
  */
-#if defined(USE_DANESSL) || OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL)
+#if defined(USE_DANESSL) || (!defined(HAVE_SSL_HN_AUTH) && defined(HAVE_X509_CHECK_HOST))
+		int xch;
 		if (peer_cert && verify_result == X509_V_OK
 		    && upstream->tls_auth_name[0]
-# if defined(USE_DANESSL) && !(OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL))
+# if defined(USE_DANESSL) && defined(HAVE_SSL_HN_AUTH)
 		    && upstream->tls_pubkey_pinset
 # endif
 		    && (xch = X509_check_host(peer_cert,
@@ -1208,7 +1206,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			    ? "Tolerated because of Opportunistic profile"
 			    : "*Failure*" ), verify_result,
 			    X509_verify_cert_error_string(verify_result));
-#if !defined(HAVE_SSL_HN_AUTH) && !(OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL))
+#if !defined(HAVE_SSL_HN_AUTH) && !defined(HAVE_X509_CHECK_HOST)
 		else if (*upstream->tls_auth_name) {
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,

From 401aa2e3b81878d2ca45860470e5442298a7611a Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 12 Feb 2018 15:40:17 +0100
Subject: [PATCH 077/303] Specify the supported curves with TLS

---
 ChangeLog                    |  4 ++
 configure.ac                 |  2 +-
 src/context.c                | 74 +++++++++++++++++++++++++++++++++++-
 src/context.h                |  2 +
 src/getdns/getdns_extra.h.in | 31 +++++++++++++++
 src/stub.c                   |  4 ++
 6 files changed, 115 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6b372592..b53a7b64 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
 * 2018-0?-??: Version 1.?.?
+  * Specify the supported curves with getdns_context_set_tls_curves_list()
+    An upstream specific list of supported curves may also be given
+    with the tls_curves_list setting in the upstream dict with
+    getdns_context_set_upstream_recursive_servers()
   * libidn2 support.  Thanks Paul Wouters
 
 * 2017-12-21: Version 1.3.0
diff --git a/configure.ac b/configure.ac
index caf2cdf3..fd85d72d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -409,7 +409,7 @@ AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version])
-AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
+AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
diff --git a/src/context.c b/src/context.c
index c8f14363..8163309b 100644
--- a/src/context.c
+++ b/src/context.c
@@ -738,6 +738,8 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 		upstream->tls_pubkey_pinset = NULL;
 		if (upstream->tls_cipher_list)
 			GETDNS_FREE(upstreams->mf, upstream->tls_cipher_list);
+		if (upstream->tls_curves_list)
+			GETDNS_FREE(upstreams->mf, upstream->tls_curves_list);
 	}
 	GETDNS_FREE(upstreams->mf, upstreams);
 }
@@ -1022,6 +1024,7 @@ upstream_init(getdns_upstream *upstream,
 	upstream->tls_obj  = NULL;
 	upstream->tls_session = NULL;
 	upstream->tls_cipher_list = NULL;
+	upstream->tls_curves_list = NULL;
 	upstream->transport = GETDNS_TRANSPORT_TCP;
 	upstream->tls_hs_state = GETDNS_HS_NONE;
 	upstream->tls_auth_name[0] = '\0';
@@ -1535,6 +1538,7 @@ getdns_context_create_with_extended_memory_functions(
 	result->tls_ca_path = NULL;
 	result->tls_ca_file = NULL;
 	result->tls_cipher_list = NULL;
+	result->tls_curves_list = NULL;
 
 	(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
 
@@ -1805,6 +1809,8 @@ getdns_context_destroy(struct getdns_context *context)
 		GETDNS_FREE(context->mf, context->tls_ca_file);
 	if (context->tls_cipher_list)
 		GETDNS_FREE(context->mf, context->tls_cipher_list);
+	if (context->tls_curves_list)
+		GETDNS_FREE(context->mf, context->tls_curves_list);
 
 #ifdef USE_WINSOCK
 	WSACleanup();
@@ -2996,6 +3002,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 			if (dict && getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
 				getdns_list *pubkey_pinset = NULL;
 				getdns_bindata *tls_cipher_list = NULL;
+				getdns_bindata *tls_curves_list = NULL;
 
 				if ((r = getdns_dict_get_bindata(
 				    dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
@@ -3007,6 +3014,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 						 * into account, should not
 						 * be larger than 1024 bytes.
 						 */
+						freeaddrinfo(ai);
 						goto invalid_parameter;
 					}
 					memcpy(upstream->tls_auth_name,
@@ -3022,8 +3030,10 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 					r = _getdns_get_pubkey_pinset_from_list(pubkey_pinset,
 										&(upstreams->mf),
 										&(upstream->tls_pubkey_pinset));
-					if (r != GETDNS_RETURN_GOOD)
+					if (r != GETDNS_RETURN_GOOD) {
+						freeaddrinfo(ai);
 						goto invalid_parameter;
+					}
 				}
 				(void) getdns_dict_get_bindata(
 				    dict, "tls_cipher_list", &tls_cipher_list);
@@ -3031,6 +3041,19 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				    ? _getdns_strdup2(&upstreams->mf
 				                     , tls_cipher_list)
 				    : NULL;
+				(void) getdns_dict_get_bindata(
+				    dict, "tls_curves_list", &tls_curves_list);
+				if (tls_curves_list) {
+#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
+					upstream->tls_curves_list = 
+					    _getdns_strdup2(&upstreams->mf
+					                   , tls_curves_list);
+#else
+					freeaddrinfo(ai);
+					goto not_implemented;
+#endif
+				} else
+					upstream->tls_curves_list = NULL;
 			}
 			if ((upstream->tsig_alg = tsig_alg)) {
 				if (tsig_name) {
@@ -3068,6 +3091,11 @@ invalid_parameter:
 error:
 	_getdns_upstreams_dereference(upstreams);
 	return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
+#if !defined(HAVE_DECL_SSL_SET1_CURVES_LIST) || !HAVE_DECL_SSL_SET1_CURVES_LIST
+not_implemented:
+	_getdns_upstreams_dereference(upstreams);
+	return GETDNS_RETURN_NOT_IMPLEMENTED;
+#endif
 } /* getdns_context_set_upstream_recursive_servers */
 
 
@@ -3608,6 +3636,12 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			    context->tls_cipher_list ? context->tls_cipher_list
 			                             : _getdns_default_tls_cipher_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
+
+#  if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+			if (context->tls_curves_list &&
+			    !SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
+				return GETDNS_RETURN_BAD_CONTEXT;
+#  endif
 			/* For strict authentication, we must have local root certs available
 		       Set up is done only when the tls_ctx is created (per getdns_context)*/
 			if ((context->tls_ca_file || context->tls_ca_path) &&
@@ -3924,6 +3958,8 @@ _get_context_settings(getdns_context* context)
 		(void) getdns_dict_util_set_string(result, "tls_ca_file", str_value);
 	if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value)
 		(void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value);
+	if (!getdns_context_get_tls_curves_list(context, &str_value) && str_value)
+		(void) getdns_dict_util_set_string(result, "tls_curves_list", str_value);
 
 	/* Default settings for extensions */
 	(void)getdns_dict_set_int(
@@ -4513,6 +4549,11 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
 					    d, "tls_cipher_list",
 					    upstream->tls_cipher_list);
 				}
+				if (upstream->tls_curves_list) {
+					(void) getdns_dict_util_set_string(
+					    d, "tls_curves_list",
+					    upstream->tls_curves_list);
+				}
 			}
 		}
 		if (!r)
@@ -4722,6 +4763,7 @@ _getdns_context_config_setting(getdns_context *context,
 	CONTEXT_SETTING_STRING(tls_ca_path)
 	CONTEXT_SETTING_STRING(tls_ca_file)
 	CONTEXT_SETTING_STRING(tls_cipher_list)
+	CONTEXT_SETTING_STRING(tls_curves_list)
 
 	/**************************************/
 	/****                              ****/
@@ -5301,5 +5343,35 @@ getdns_context_get_tls_cipher_list(
 	return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t
+getdns_context_set_tls_curves_list(
+    getdns_context *context, const char *tls_curves_list)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+#if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+	if (context->tls_curves_list)
+		GETDNS_FREE(context->mf, context->tls_curves_list);
+	context->tls_curves_list = tls_curves_list
+	                         ? _getdns_strdup(&context->mf, tls_curves_list)
+	                         : NULL;
+
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST);
+	return GETDNS_RETURN_GOOD;
+#else
+	(void)tls_curves_list;
+	return GETDNS_RETURN_NOT_IMPLEMENTED;
+#endif
+}
+
+getdns_return_t
+getdns_context_get_tls_curves_list(
+    getdns_context *context, const char **tls_curves_list)
+{
+	if (!context || !tls_curves_list)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	*tls_curves_list = context->tls_curves_list;
+	return GETDNS_RETURN_GOOD;
+}
 
 /* context.c */
diff --git a/src/context.h b/src/context.h
index b4319403..7d8a4a6d 100644
--- a/src/context.h
+++ b/src/context.h
@@ -206,6 +206,7 @@ typedef struct getdns_upstream {
 	getdns_auth_state_t      tls_auth_state;
 	unsigned                 tls_fallback_ok : 1;
 	char                    *tls_cipher_list;
+	char                    *tls_curves_list;
 	/* Auth credentials*/
 	char                     tls_auth_name[256];
 	sha256_pin_t            *tls_pubkey_pinset;
@@ -347,6 +348,7 @@ struct getdns_context {
 	char                 *tls_ca_path;
 	char                 *tls_ca_file;
 	char                 *tls_cipher_list;
+	char                 *tls_curves_list;
 
 	getdns_upstreams     *upstreams;
 	uint16_t             limit_outstanding_queries;
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index f8cec882..4837771c 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -100,6 +100,8 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT "Change related to getdns_context_set_tls_ca_file"
 #define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST 633
 #define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list"
+#define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST 634
+#define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
 
 /** @}
   */
@@ -753,6 +755,20 @@ getdns_return_t
 getdns_context_set_tls_cipher_list(
     getdns_context *context, const char *cipher_list);
 
+/**
+ * Sets the supported curves TLS upstreams.
+ * @see getdns_context_get_tls_curves_list
+ * @param[in] context      The context to configure
+ * @param[in] curves_list  The string is a colon separated list of curve
+ *                         NIDs or names, for example "P-521:P-384:P-256".
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_set_tls_curves_list(
+    getdns_context *context, const char *curves_list);
+
+
 /**
  * Get the current resolution type setting from this context.
  * @see getdns_context_set_resolution_type
@@ -1272,6 +1288,21 @@ getdns_return_t
 getdns_context_get_tls_cipher_list(
     getdns_context *context, const char **cipher_list);
 
+/**
+ * Get the supported curves list if one has been set earlier.
+ * @see getdns_context_set_tls_curves_list
+ * @param[in]  context      The configured context
+ * @param[out] curves_list  The string is a colon separated list of curve
+ *                          NIDs or names, for example "P-521:P-384:P-256",
+ *                          when one has been configured on the context,
+ *                          or NULL when none has been set before.
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_get_tls_curves_list(
+    getdns_context *context, const char **curves_list);
+
 
 /** @}
  */
diff --git a/src/stub.c b/src/stub.c
index a9ec8240..beb20cc6 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -925,6 +925,10 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		SSL_free(ssl);
 		return NULL;
 	}
+#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
+	if (upstream->tls_curves_list)
+		(void) SSL_set1_curves_list(ssl, upstream->tls_curves_list);
+#endif
 	/* make sure we'll be able to find the context again when we need it */
 	if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) {
 		SSL_free(ssl);

From 9a4e389946779f47d2ce400eb5b0f7d0dfb22795 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 12 Feb 2018 15:46:42 +0100
Subject: [PATCH 078/303] Better #ifdef select when to use X509_check_host

---
 src/stub.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index de24ef58..b9164cfa 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1138,13 +1138,10 @@ tls_do_handshake(getdns_upstream *upstream)
  * This is not needed with native OpenSSL DANE, because EE name checks have
  * to be disabled explicitely.
  */
-#if defined(USE_DANESSL) || (!defined(HAVE_SSL_HN_AUTH) && defined(HAVE_X509_CHECK_HOST))
+#if defined(HAVE_X509_CHECK_HOST) && (defined(USE_DANESSL) || !defined(HAVE_SSL_HN_AUTH))
 		int xch;
 		if (peer_cert && verify_result == X509_V_OK
 		    && upstream->tls_auth_name[0]
-# if defined(USE_DANESSL) && defined(HAVE_SSL_HN_AUTH)
-		    && upstream->tls_pubkey_pinset
-# endif
 		    && (xch = X509_check_host(peer_cert,
 				    upstream->tls_auth_name,
 				    strlen(upstream->tls_auth_name),

From 31e5cd5ab6b63fbe423ad94cf0d99857bc978fcf Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 12 Feb 2018 15:54:01 +0100
Subject: [PATCH 079/303] sldns update

---
 src/gldns/gbuffer.h   |  2 +-
 src/gldns/parse.c     |  6 +++---
 src/gldns/parse.h     | 12 ++++++------
 src/gldns/parseutil.c |  8 ++++----
 src/gldns/parseutil.h |  4 ++--
 src/gldns/str2wire.c  | 16 +++++++++++++---
 src/gldns/str2wire.h  |  6 ++++++
 src/gldns/wire2str.c  | 12 +++++++++++-
 src/gldns/wire2str.h  | 16 ++++++++++++++++
 9 files changed, 62 insertions(+), 20 deletions(-)

diff --git a/src/gldns/gbuffer.h b/src/gldns/gbuffer.h
index 32b3f9d1..7aa5a1b8 100644
--- a/src/gldns/gbuffer.h
+++ b/src/gldns/gbuffer.h
@@ -497,7 +497,7 @@ gldns_buffer_set_at(gldns_buffer *buffer, size_t at, int c, size_t count)
  * writes count bytes of data to the current position of the buffer
  * \param[in] buffer the buffer
  * \param[in] data the data to write
- * \param[in] count the lenght of the data to write
+ * \param[in] count the length of the data to write
  */
 INLINE void
 gldns_buffer_write(gldns_buffer *buffer, const void *data, size_t count)
diff --git a/src/gldns/parse.c b/src/gldns/parse.c
index d44c328e..a353c503 100644
--- a/src/gldns/parse.c
+++ b/src/gldns/parse.c
@@ -33,14 +33,14 @@ ssize_t
 gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *line_nr)
 {
 	int c, prev_c;
-	int p; /* 0 -> no parenthese seen, >0 nr of ( seen */
+	int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
 	int com, quoted;
 	char *t;
 	size_t i;
 	const char *d;
 	const char *del;
 
-	/* standard delimeters */
+	/* standard delimiters */
 	if (!delim) {
 		/* from isspace(3) */
 		del = GLDNS_PARSE_NORMAL;
@@ -244,7 +244,7 @@ gldns_bget_token_par(gldns_buffer *b, char *token, const char *delim,
 	size_t limit, int* par, const char* skipw)
 {
 	int c, lc;
-	int p; /* 0 -> no parenthese seen, >0 nr of ( seen */
+	int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
 	int com, quoted;
 	char *t;
 	size_t i;
diff --git a/src/gldns/parse.h b/src/gldns/parse.h
index a62efaf5..e2ea7cb9 100644
--- a/src/gldns/parse.h
+++ b/src/gldns/parse.h
@@ -103,9 +103,9 @@ ssize_t gldns_bget_token(struct gldns_buffer *b, char *token, const char *delim,
  * after the keyword + k_del until we hit d_del
  * \param[in] f file pointer to read from
  * \param[in] keyword keyword to look for
- * \param[in] k_del keyword delimeter 
+ * \param[in] k_del keyword delimiter 
  * \param[out] data the data found 
- * \param[in] d_del the data delimeter
+ * \param[in] d_del the data delimiter
  * \param[in] data_limit maximum size the the data buffer
  * \return the number of character read
  */
@@ -116,9 +116,9 @@ ssize_t gldns_fget_keyword_data(FILE *f, const char *keyword, const char *k_del,
  * after the keyword + k_del until we hit d_del
  * \param[in] f file pointer to read from
  * \param[in] keyword keyword to look for
- * \param[in] k_del keyword delimeter 
+ * \param[in] k_del keyword delimiter 
  * \param[out] data the data found 
- * \param[in] d_del the data delimeter
+ * \param[in] d_del the data delimiter
  * \param[in] data_limit maximum size the the data buffer
  * \param[in] line_nr pointer to an integer containing the current line number (for
 debugging purposes)
@@ -131,9 +131,9 @@ ssize_t gldns_fget_keyword_data_l(FILE *f, const char *keyword, const char *k_de
  * after the keyword + k_del until we hit d_del
  * \param[in] b buffer pointer to read from
  * \param[in] keyword keyword to look for
- * \param[in] k_del keyword delimeter 
+ * \param[in] k_del keyword delimiter 
  * \param[out] data the data found 
- * \param[in] d_del the data delimeter
+ * \param[in] d_del the data delimiter
  * \param[in] data_limit maximum size the the data buffer
  * \return the number of character read
  */
diff --git a/src/gldns/parseutil.c b/src/gldns/parseutil.c
index 558446cb..bc4738b9 100644
--- a/src/gldns/parseutil.c
+++ b/src/gldns/parseutil.c
@@ -165,20 +165,20 @@ gldns_gmtime64_r(int64_t clock, struct tm *result)
 #endif /* SIZEOF_TIME_T <= 4 */
 
 static int64_t
-gldns_serial_arithmitics_time(int32_t time, time_t now)
+gldns_serial_arithmetics_time(int32_t time, time_t now)
 {
 	int32_t offset = time - (int32_t) now;
 	return (int64_t) now + offset;
 }
 
 struct tm *
-gldns_serial_arithmitics_gmtime_r(int32_t time, time_t now, struct tm *result)
+gldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct tm *result)
 {
 #if SIZEOF_TIME_T <= 4
-	int64_t secs_since_epoch = gldns_serial_arithmitics_time(time, now);
+	int64_t secs_since_epoch = gldns_serial_arithmetics_time(time, now);
 	return  gldns_gmtime64_r(secs_since_epoch, result);
 #else
-	time_t  secs_since_epoch = gldns_serial_arithmitics_time(time, now);
+	time_t  secs_since_epoch = gldns_serial_arithmetics_time(time, now);
 	return  gmtime_r(&secs_since_epoch, result);
 #endif
 }
diff --git a/src/gldns/parseutil.h b/src/gldns/parseutil.h
index b2b6101d..1546e8be 100644
--- a/src/gldns/parseutil.h
+++ b/src/gldns/parseutil.h
@@ -62,13 +62,13 @@ time_t gldns_mktime_from_utc(const struct tm *tm);
  * fields of RRSIG records.
  *
  * \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
- *            to be intepreted as a serial arithmetics number relative to now.
+ *            to be interpreted as a serial arithmetics number relative to now.
  * \param[in] now number of seconds since epoch (midnight, January 1st, 1970)
  *            to which the time value is compared to determine the final value.
  * \param[out] result the struct with the broken-out time information
  * \return result on success or NULL on error
  */
-struct tm * gldns_serial_arithmitics_gmtime_r(int32_t time, time_t now, struct tm *result);
+struct tm * gldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct tm *result);
 
 /**
  * converts a ttl value (like 5d2h) to a long.
diff --git a/src/gldns/str2wire.c b/src/gldns/str2wire.c
index ffd3d464..8ce4b06d 100644
--- a/src/gldns/str2wire.c
+++ b/src/gldns/str2wire.c
@@ -836,7 +836,7 @@ const char* gldns_get_errorstr_parse(int e)
 }
 
 /* Strip whitespace from the start and the end of <line>.  */
-static char *
+char *
 gldns_strip_ws(char *line)
 {
         char *s = line, *e;
@@ -906,7 +906,7 @@ int gldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 		*dname_len = 0;
 		return GLDNS_WIREPARSE_ERR_INCLUDE;
 	} else {
-		return gldns_str2wire_rr_buf(line, rr, len, dname_len,
+		int r = gldns_str2wire_rr_buf(line, rr, len, dname_len,
 			parse_state?parse_state->default_ttl:0,
 			(parse_state&&parse_state->origin_len)?
 				parse_state->origin:NULL,
@@ -914,6 +914,13 @@ int gldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 			(parse_state&&parse_state->prev_rr_len)?
 				parse_state->prev_rr:NULL,
 			parse_state?parse_state->prev_rr_len:0);
+		if(r == GLDNS_WIREPARSE_ERR_OK && (*dname_len) != 0 &&
+			parse_state &&
+			(*dname_len) <= sizeof(parse_state->prev_rr)) {
+			memmove(parse_state->prev_rr, rr, *dname_len);
+			parse_state->prev_rr_len = (*dname_len);
+		}
+		return r;
 	}
 	return GLDNS_WIREPARSE_ERR_OK;
 }
@@ -1541,7 +1548,7 @@ int gldns_str2wire_loc_buf(const char* str, uint8_t* rd, size_t* len)
 		s = strtod(my_str, &my_str);
 	}
 
-	/* skip blanks before norterness */
+	/* skip blanks before northerness */
 	while (isblank((unsigned char) *my_str)) {
 		my_str++;
 	}
@@ -1693,12 +1700,15 @@ int gldns_str2wire_wks_buf(const char* str, uint8_t* rd, size_t* len)
 			struct protoent *p = getprotobyname(token);
 			have_proto = 1;
 			if(p) rd[0] = (uint8_t)p->p_proto;
+			else if(strcasecmp(token, "tcp")==0) rd[0]=6;
+			else if(strcasecmp(token, "udp")==0) rd[0]=17;
 			else rd[0] = (uint8_t)atoi(token);
 			(void)strlcpy(proto_str, token, sizeof(proto_str));
 		} else {
 			int serv_port;
 			struct servent *serv = getservbyname(token, proto_str);
 			if(serv) serv_port=(int)ntohs((uint16_t)serv->s_port);
+			else if(strcasecmp(token, "domain")==0) serv_port=53;
 			else {
 				serv_port = atoi(token);
 				if(serv_port == 0 && strcmp(token, "0") != 0) {
diff --git a/src/gldns/str2wire.h b/src/gldns/str2wire.h
index 1b7777bd..2aba0e10 100644
--- a/src/gldns/str2wire.h
+++ b/src/gldns/str2wire.h
@@ -554,6 +554,12 @@ int gldns_str2wire_hip_buf(const char* str, uint8_t* rd, size_t* len);
  */
 int gldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len);
 
+/**
+ * Strip whitespace from the start and the end of line.
+ * @param line: modified with 0 to shorten it.
+ * @return new start with spaces skipped.
+ */
+char * gldns_strip_ws(char *line);
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/gldns/wire2str.c b/src/gldns/wire2str.c
index f6fda2e5..0cba52cf 100644
--- a/src/gldns/wire2str.c
+++ b/src/gldns/wire2str.c
@@ -255,6 +255,12 @@ int gldns_wire2str_rr_buf(uint8_t* d, size_t dlen, char* s, size_t slen)
 	return gldns_wire2str_rr_scan(&d, &dlen, &s, &slen, NULL, 0);
 }
 
+int gldns_wire2str_rrquestion_buf(uint8_t* d, size_t dlen, char* s, size_t slen)
+{
+	/* use arguments as temporary variables */
+	return gldns_wire2str_rrquestion_scan(&d, &dlen, &s, &slen, NULL, 0);
+}
+
 int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
 	size_t str_len, uint16_t rrtype)
 {
@@ -1331,7 +1337,7 @@ int gldns_wire2str_time_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	if(*dl < 4) return -1;
 	t = gldns_read_uint32(*d);
 	date_buf[15]=0;
-	if(gldns_serial_arithmitics_gmtime_r(t, time(NULL), &tm) &&
+	if(gldns_serial_arithmetics_gmtime_r(t, time(NULL), &tm) &&
 		strftime(date_buf, 15, "%Y%m%d%H%M%S", &tm)) {
 		(*d) += 4;
 		(*dl) -= 4;
@@ -1467,6 +1473,10 @@ int gldns_wire2str_wks_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	if(protocol && (protocol->p_name != NULL)) {
 		w += gldns_str_print(s, sl, "%s", protocol->p_name);
 		proto_name = protocol->p_name;
+	} else if(protocol_nr == 6) {
+		w += gldns_str_print(s, sl, "tcp");
+	} else if(protocol_nr == 17) {
+		w += gldns_str_print(s, sl, "udp");
 	} else	{
 		w += gldns_str_print(s, sl, "%u", (unsigned)protocol_nr);
 	}
diff --git a/src/gldns/wire2str.h b/src/gldns/wire2str.h
index 2007fd8e..a7a7c930 100644
--- a/src/gldns/wire2str.h
+++ b/src/gldns/wire2str.h
@@ -358,6 +358,22 @@ int gldns_wire2str_edns_option_code_print(char** str, size_t* str_len,
 int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
 	size_t str_len);
 
+/**
+ * Convert question RR to string presentation format, on one line.  User buffer.
+ * @param rr: wireformat RR data
+ * @param rr_len: length of the rr wire data.
+ * @param str: the string buffer to write to.
+ * 	If you pass NULL as the str, the return value of the function is
+ * 	the str_len you need for the entire packet.  It does not include
+ * 	the 0 byte at the end.
+ * @param str_len: the size of the string buffer.  If more is needed, it'll
+ * 	silently truncate the output to fit in the buffer.
+ * @return the number of characters for this element, excluding zerobyte.
+ * 	Is larger or equal than str_len if output was truncated.
+ */
+int gldns_wire2str_rrquestion_buf(uint8_t* rr, size_t rr_len, char* str,
+	size_t str_len);
+
 /**
  * 3597 printout of an RR in unknown rr format.
  * There are more format and comment options available for printout

From 1ebd54a1de8901fbb2040bcfc5b4773ba076e761 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 12 Feb 2018 15:54:43 +0100
Subject: [PATCH 080/303] Utils from unbound update

---
 src/util/val_secalgo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/util/val_secalgo.c b/src/util/val_secalgo.c
index e9ec5a5b..7f5c5181 100644
--- a/src/util/val_secalgo.c
+++ b/src/util/val_secalgo.c
@@ -322,7 +322,7 @@ static int
 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
 {
         /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
-	 * ASN preable:  30440220 <R 32bytefor256> 0220 <S 32bytefor256>
+	 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
 	 * the '20' is the length of that field (=bnsize).
 i	 * the '44' is the total remaining length.
 	 * if negative, start with leading zero.

From 0c3b6fb2f6b77f96d0c679635a66a087dcfff918 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 12 Feb 2018 15:57:28 +0100
Subject: [PATCH 081/303] Symbols & constants

---
 src/const-info.c      | 2 ++
 src/libgetdns.symbols | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/src/const-info.c b/src/const-info.c
index d8e61f47..d3da5323 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -92,6 +92,7 @@ static struct const_info consts_info[] = {
 	{     631, "GETDNS_CONTEXT_CODE_TLS_CA_PATH", GETDNS_CONTEXT_CODE_TLS_CA_PATH_TEXT },
 	{     632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT },
 	{     633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
+	{     634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
 	{     702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT },
@@ -189,6 +190,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_TLS_CA_PATH", 631 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
+	{ "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", 634 },
 	{ "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", 626 },
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index 02c64b19..ccbff42a 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@@ -37,6 +37,7 @@ getdns_context_get_tls_ca_file
 getdns_context_get_tls_ca_path
 getdns_context_get_tls_cipher_list
 getdns_context_get_tls_connection_retries
+getdns_context_get_tls_curves_list
 getdns_context_get_tls_query_padding_blocksize
 getdns_context_get_trust_anchors_url
 getdns_context_get_trust_anchors_verify_CA
@@ -80,6 +81,7 @@ getdns_context_set_tls_ca_file
 getdns_context_set_tls_ca_path
 getdns_context_set_tls_cipher_list
 getdns_context_set_tls_connection_retries
+getdns_context_set_tls_curves_list
 getdns_context_set_tls_query_padding_blocksize
 getdns_context_set_trust_anchors_url
 getdns_context_set_trust_anchors_verify_CA

From 5a420a2aedd486364dee798ffa6b069105a1913e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 12 Feb 2018 17:14:45 +0100
Subject: [PATCH 082/303] Bump versions

---
 configure.ac | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 891026de..5b7abc60 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
-AC_INIT([getdns], [1.3.0], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
+AC_INIT([getdns], [1.4.0], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
 
 # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
 # patched to do the same, but frequently (MacOS) not. So add a with option
@@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Dont forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [])
+AC_SUBST(RELEASE_CANDIDATE, [-rc1])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
@@ -62,7 +62,7 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01030000])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x0103c100])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@@ -99,9 +99,10 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE
 # getdns-1.1.3 had libversion 7:1:1
 # getdns-1.2.0 had libversion 8:0:2
 # getdns-1.2.1 had libversion 8:1:2
-# getdns-1.3.0 has libversion 9:0:3
+# getdns-1.3.0 had libversion 9:0:3
+# getdns-1.4.0 will have libversion 10:0:0
 #
-GETDNS_LIBVERSION=9:0:3
+GETDNS_LIBVERSION=10:0:0
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
 AC_SUBST(GETDNS_LIBVERSION)

From a1c30563bf65fabb533065e85fc59f41faaffd83 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 12 Feb 2018 17:14:56 +0100
Subject: [PATCH 083/303] Update ChangeLog

---
 ChangeLog | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index b53a7b64..745632d9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,30 @@
-* 2018-0?-??: Version 1.?.?
+* 2018-02-??: Version 1.4.0
+  * .so revision bump to please fedora packaging system.
+    Thanks Paul Wouters
   * Specify the supported curves with getdns_context_set_tls_curves_list()
     An upstream specific list of supported curves may also be given
     with the tls_curves_list setting in the upstream dict with
     getdns_context_set_upstream_recursive_servers()
+  * New tool getdns_server_mon for checking upstream recursive
+    resolver's capabilities.
+  * Improved handling of opportunistic back-off.  If other transports
+    are working, don’t forcibly promote failed upstreams just wait for
+    the re-try timer.
+  * Hostname authentication with libressl
+    Thanks Norbert Copones
+  * Security bugfix in response to CVE-2017-15105.  Although getdns was
+    not vulnerable for this specific issue, as a precaution code has been
+    adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s can not
+    be wildcard expansions when used with DNSSEC proofs.  Only direct
+    queries for those types are allowed to be wildcard expansions.
+  * Bugfix PR#379: Miscelleneous double free or corruption, and corrupted
+    memory double linked list detected issue, whith serving functionality.
+    Thanks maddie and Bruno Pagani
+  * Security Bugfix PR#293: Check sha256 pinset's
+    with OpenSSL native DANE functions for OpenSSL >= 1.1.0
+    with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
+    don't allow for authentication exceptions (like self-signed
+    certificates) otherwise.  Thanks Viktor Dukhovni
   * libidn2 support.  Thanks Paul Wouters
 
 * 2017-12-21: Version 1.3.0

From 9999907593950adabfc36a82183b0d663f0624fa Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 13 Feb 2018 15:05:29 +0100
Subject: [PATCH 084/303] update Stubby + other dist tarball fixes

---
 Makefile.in     |  5 +++++
 configure.ac    |  2 ++
 src/Makefile.in | 10 +++++++++-
 stubby          |  2 +-
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/Makefile.in b/Makefile.in
index f6d7acab..b160e369 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -213,12 +213,14 @@ $(distdir):
 	mkdir -p $(distdir)/src/tools
 	mkdir -p $(distdir)/src/jsmn
 	mkdir -p $(distdir)/src/yxml
+	mkdir -p $(distdir)/src/ssl_dane
 	mkdir -p $(distdir)/doc
 	mkdir -p $(distdir)/spec
 	mkdir -p $(distdir)/spec/example
 	mkdir -p $(distdir)/stubby
 	mkdir -p $(distdir)/stubby/src
 	mkdir -p $(distdir)/stubby/src/yaml
+	mkdir -p $(distdir)/stubby/doc
 	cp $(srcdir)/configure.ac $(distdir)
 	cp $(srcdir)/configure $(distdir)
 	cp $(srcdir)/AUTHORS $(distdir)
@@ -267,12 +269,15 @@ $(distdir):
 	cp $(srcdir)/stubby/src/yaml/*.[ch] $(distdir)/stubby/src/yaml
 	cp $(srcdir)/stubby/COPYING $(distdir)/stubby
 	cp $(srcdir)/stubby/README.md $(distdir)/stubby
+	cp $(srcdir)/stubby/doc/stubby.1.in $(distdir)/stubby/doc
 	cp $(srcdir)/src/jsmn/*.[ch] $(distdir)/src/jsmn
 	cp $(srcdir)/src/jsmn/LICENSE $(distdir)/src/jsmn
 	cp $(srcdir)/src/jsmn/README.md $(distdir)/src/jsmn
 	cp $(srcdir)/src/yxml/*.[ch] $(distdir)/src/yxml
 	cp $(srcdir)/src/yxml/COPYING $(distdir)/src/yxml
 	cp $(srcdir)/src/yxml/yxml.pod $(distdir)/src/yxml
+	cp $(srcdir)/src/ssl_dane/danessl.[ch] $(distdir)/src/ssl_dane
+	cp $(srcdir)/src/ssl_dane/README.md $(distdir)/src/ssl_dane
 	rm -f $(distdir)/Makefile $(distdir)/src/Makefile $(distdir)/src/getdns/getdns.h $(distdir)/spec/example/Makefile $(distdir)/src/test/Makefile $(distdir)/doc/Makefile $(distdir)/src/config.h
 
 distcheck: $(distdir).tar.gz
diff --git a/configure.ac b/configure.ac
index 5b7abc60..221df401 100644
--- a/configure.ac
+++ b/configure.ac
@@ -67,6 +67,8 @@ AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
 
+AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package])
+AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.2$RELEASE_CANDIDATE"], [Stubby package string])
 
 # Library version
 # ---------------
diff --git a/src/Makefile.in b/src/Makefile.in
index 59cbfb9b..a7cc9ea4 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -47,6 +47,7 @@ have_libuv = @have_libuv@
 have_libev = @have_libev@
 # datarootdir is here to please some checkers
 datarootdir=@datarootdir@
+mandir=@mandir@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 
@@ -205,6 +206,9 @@ getdns_query: default
 getdns_server_mon: default
 	cd tools && $(MAKE) $@
 
+stubby.1: $(stubbysrcdir)/doc/stubby.1.in
+	sed -e "s|@ETCDIR@|$(stubbyconfdir)|g" $< > $@
+
 stubby.lo: $(stubbysrcdir)/src/stubby.c
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $< -o $@
 
@@ -228,14 +232,18 @@ install-stubby-files-windows: stubby.yml.windows
 	test -f $(DESTDIR)$(stubbyconfdir)/stubby.yml || \
 		$(INSTALL_DATA) stubby.yml.windows $(DESTDIR)$(stubbyconfdir)/stubby.yml
 
-install-stubby: stubby install-stubby-files-@HOSTOS@
+install-stubby: stubby stubby.1 install-stubby-files-@HOSTOS@
 	$(INSTALL) -m 755 -d $(DESTDIR)$(bindir)
 	$(LIBTOOL) --mode=install cp stubby $(DESTDIR)$(bindir)
 	$(INSTALL) -m 755 -d $(DESTDIR)$(runstatedir)
+	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)
+	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man1
+	$(INSTALL) -m 644 stubby\.1 $(DESTDIR)$(mandir)/man1
 
 uninstall-stubby:
 	$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/stubby
 	rm -f $(DESTDIR)$(sbindir)/stubby-setdns-macos.sh
+	rm -f $(DESTDIR)$(mandir)/man1/stubby.1
 
 scratchpad: default
 	cd test && $(MAKE) $@
diff --git a/stubby b/stubby
index f0b33045..9657d0e4 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit f0b330454b95a07106af33b1869b7cd18cfaebf2
+Subproject commit 9657d0e492e0a459d8d0ee301cf1604ed6895bd3

From f2c531265b65e9b99b9634ede46829b9c771a3d6 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 13 Feb 2018 16:58:12 +0100
Subject: [PATCH 085/303] libidns2 doesn't detect locale that well...

---
 src/convert.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/convert.c b/src/convert.c
index 82adf241..53d98e99 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -118,13 +118,12 @@ char *
 getdns_convert_ulabel_to_alabel(const char *ulabel)
 {
 #if defined(HAVE_LIBIDN2)
-	char *alabel;
+	uint8_t *alabel;
 
 	if (!ulabel) return NULL;
 
-	if (idn2_lookup_ul(ulabel, &alabel, IDN2_NONTRANSITIONAL) == IDN2_OK
-	||  idn2_lookup_ul(ulabel, &alabel, IDN2_TRANSITIONAL)    == IDN2_OK)
-		return alabel;
+	if (idn2_lookup_u8((uint8_t *)ulabel, &alabel, IDN2_TRANSITIONAL) == IDN2_OK)
+		return (char *)alabel;
 
 #elif defined(HAVE_LIBIDN)
 	char *alabel;

From a150c6d927102df5f1e7808d4d5bfa9e149573ae Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 21 Feb 2018 12:17:51 +0100
Subject: [PATCH 086/303] implied source ($<) not defined in explicit rules

---
 src/Makefile.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Makefile.in b/src/Makefile.in
index a7cc9ea4..1059afca 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -207,10 +207,10 @@ getdns_server_mon: default
 	cd tools && $(MAKE) $@
 
 stubby.1: $(stubbysrcdir)/doc/stubby.1.in
-	sed -e "s|@ETCDIR@|$(stubbyconfdir)|g" $< > $@
+	sed -e "s|@ETCDIR@|$(stubbyconfdir)|g" $(stubbysrcdir)/doc/stubby.1.in > $@
 
 stubby.lo: $(stubbysrcdir)/src/stubby.c
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $< -o $@
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $(stubbysrcdir)/src/stubby.c -o $@
 
 stubby: stubby.lo libgetdns.la $(STUBBY_XTRA_OBJS)
 	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ stubby.lo $(STUBBY_XTRA_OBJS) $(STUBBY_LDFLAGS) libgetdns.la

From 6325dae56385a7477a1c7c99f24b10f972f5c548 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 21 Feb 2018 13:40:19 +0100
Subject: [PATCH 087/303] Run localhost unit tests on local localhost address

---
 .../275-server-capabilities.c                   | 17 ++++++++++++++---
 .../275-server-capabilities.test                | 14 +++++++++-----
 .../280-limit_outstanding_queries.c             | 12 ++++++++++--
 .../280-limit_outstanding_queries.test          | 14 ++++++++++----
 .../285-out_of_filedescriptors.c                | 12 ++++++++++--
 .../285-out_of_filedescriptors.test             | 14 ++++++++++----
 6 files changed, 63 insertions(+), 20 deletions(-)

diff --git a/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.c b/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.c
index 91756bf6..3e817834 100644
--- a/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.c
+++ b/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.c
@@ -83,7 +83,7 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type,
 	exit(EXIT_FAILURE);
 }
 
-int main()
+int main(int argc, char **argv)
 {
 	getdns_context   *context   = NULL;
 	getdns_list      *listeners = NULL;
@@ -92,9 +92,20 @@ int main()
 	uint32_t          port1     = 18000;
 	uint32_t          port2     = 18000;
 	getdns_return_t   r;
+	char listenliststr[1024];
+	char listendictstr[1024];
 
-	if ((r = getdns_str2list("[ 127.0.0.1:18000 ]", &listeners)) ||
-	    (r = getdns_str2dict("127.0.0.1:18000", &address2)) ||
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s <localhost ipv4>\n", argv[0]);
+		return 1;
+	}
+	(void) snprintf(listenliststr, sizeof(listenliststr),
+	    "[ %s:18000 ]", argv[1]);
+	(void) snprintf(listendictstr, sizeof(listendictstr),
+	    "%s:18000", argv[1]);
+
+	if ((r = getdns_str2list(listenliststr, &listeners)) ||
+	    (r = getdns_str2dict(listendictstr, &address2)) ||
 	    (r = getdns_list_get_dict(listeners, 0, &address)) ||
 	    (r = getdns_context_create(&context, 0)))
 		fprintf(stderr, "Error initializing: ");
diff --git a/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.test b/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.test
index 9935de91..2b144cf7 100644
--- a/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.test
+++ b/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.test
@@ -4,18 +4,22 @@
 # use .tpkg.var.test for in test variable passing
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 
+LOCALHOST=`${GETDNS_STUB_QUERY} '{namespaces:[GETDNS_NAMESPACE_LOCALNAMES]}' -A localhost. -J \
+	 | awk -F: '/\"address_data\".*\"127/{print $2}' \
+	 | sed -e 's/^[^"]*"//g' -e 's/"[^"]*$//g'`
+echo "localhost: $LOCALHOST"
 
-make && "${BUILDDIR}/build-stub-only/libtool" exec valgrind -v --log-file=valgrind.log --leak-check=full --error-exitcode=1 --track-origins=yes "./${TPKG_NAME}" | (
+make && "${BUILDDIR}/build-stub-only/libtool" exec valgrind -v --log-file=valgrind.log --leak-check=full --error-exitcode=1 --track-origins=yes "./${TPKG_NAME}" ${LOCALHOST} | (
 	read PORT
 	read PORT2
 
-	${GETDNS_STUB_QUERY} -s -t 1000 @127.0.0.1:$PORT TXT cancel. +return_call_reporting 2>&1 > time_out
+	${GETDNS_STUB_QUERY} -s -t 1000 @${LOCALHOST}:$PORT TXT cancel. +return_call_reporting 2>&1 > time_out
 
-	${GETDNS_STUB_QUERY} -s @127.0.0.1:$PORT TXT test +return_call_reporting 2>&1 > tcp_out
+	${GETDNS_STUB_QUERY} -s @${LOCALHOST}:$PORT TXT test +return_call_reporting 2>&1 > tcp_out
 
-	${GETDNS_STUB_QUERY} -s -U @127.0.0.1:$PORT2 TXT test +return_call_reporting 2>&1 > udp_out
+	${GETDNS_STUB_QUERY} -s -U @${LOCALHOST}:$PORT2 TXT test +return_call_reporting 2>&1 > udp_out
 
-	${GETDNS_STUB_QUERY} -s -q @127.0.0.1:$PORT TXT quit.
+	${GETDNS_STUB_QUERY} -s -q @${LOCALHOST}:$PORT TXT quit.
 )
 if grep -q 'definitely lost: [^0]' valgrind.log
 then
diff --git a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c
index 1467ec34..8337caf4 100644
--- a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c
+++ b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c
@@ -107,15 +107,23 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type,
 	exit(EXIT_FAILURE);
 }
 
-int main()
+int main(int argc, char **argv)
 {
 	getdns_context   *context   = NULL;
 	getdns_list      *listeners = NULL;
 	getdns_dict      *address   = NULL;
 	uint32_t          port      = 18000;
 	getdns_return_t   r;
+	char              listenliststr[1024];
 
-	if ((r = getdns_str2list("[ 127.0.0.1:18000 ]", &listeners)) ||
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s <localhost ipv4>\n", argv[0]);
+		return 1;
+	}
+	(void) snprintf(listenliststr, sizeof(listenliststr),
+	    "[ %s:18000 ]", argv[1]);
+
+	if ((r = getdns_str2list(listenliststr, &listeners)) ||
 	    (r = getdns_list_get_dict(listeners, 0, &address)) ||
 	    (r = getdns_context_create(&context, 0)))
 		fprintf(stderr, "Error initializing: ");
diff --git a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.test b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.test
index 177cc1c7..e22456c3 100644
--- a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.test
+++ b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.test
@@ -5,21 +5,27 @@
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 
 
+LOCALHOST=`${GETDNS_STUB_QUERY} '{namespaces:[GETDNS_NAMESPACE_LOCALNAMES]}' -A localhost. -J \
+         | awk -F: '/\"address_data\".*\"127/{print $2}' \
+         | sed -e 's/^[^"]*"//g' -e 's/"[^"]*$//g'`
+echo "localhost: $LOCALHOST"
+
 QLIMIT=64
-NQUERIES=`wc "./${TPKG_NAME}.queries"|sed 's/ .*$//g'`
+NQUERIES=`wc "./${TPKG_NAME}.queries"|sed -e 's/^ *//g' -e 's/ .*$//g'`
+echo "# queries: $NQUERIES"
 
 # Test will take NQUERIES / QLIMIT * answer delay
 # For current parameters this is 1000 / 64 * 0.3 = 4.6875
 # which is smaller than 5 seconds default query timeout value,
 # so the test should succeed.
 
-make && "./${TPKG_NAME}" | (
+make && "./${TPKG_NAME}" ${LOCALHOST} | (
 	read PORT
-	${GETDNS_STUB_QUERY} @127.0.0.1:$PORT TXT \
+	${GETDNS_STUB_QUERY} @${LOCALHOST}:$PORT TXT \
 	    -a -F "./${TPKG_NAME}.queries" \
 	          "{limit_outstanding_queries:$QLIMIT}" 2>&1 > out
 
-	${GETDNS_STUB_QUERY} -q @127.0.0.1:$PORT TXT quit.
+	${GETDNS_STUB_QUERY} -q @${LOCALHOST}:$PORT TXT quit.
 ) && grep '"n_requests: [0-9][0-9]*"' out | sed -e 's/^.*n_requests: //g' -e 's/".*$//g' \
     | awk -vQLIMIT=$QLIMIT -vNQUERIES=$NQUERIES '
 
diff --git a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c
index e495466d..88ecaf20 100644
--- a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c
+++ b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c
@@ -112,15 +112,23 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type,
 	exit(EXIT_FAILURE);
 }
 
-int main()
+int main(int argc, char **argv)
 {
 	getdns_context   *context   = NULL;
 	getdns_list      *listeners = NULL;
 	getdns_dict      *address   = NULL;
 	uint32_t          port      = 18000;
 	getdns_return_t   r;
+	char              listenliststr[1024];
 
-	if ((r = getdns_str2list("[ 127.0.0.1:18000 ]", &listeners)) ||
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s <localhost ipv4>\n", argv[0]);
+		return 1;
+        }
+	(void) snprintf(listenliststr, sizeof(listenliststr),
+	    "[ %s:18000 ]", argv[1]);
+
+	if ((r = getdns_str2list(listenliststr, &listeners)) ||
 	    (r = getdns_list_get_dict(listeners, 0, &address)) ||
 	    (r = getdns_context_create(&context, 0)))
 		fprintf(stderr, "Error initializing: ");
diff --git a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.test b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.test
index 64a53cfb..6eeb53d1 100644
--- a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.test
+++ b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.test
@@ -5,8 +5,14 @@
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 
 
+LOCALHOST=`${GETDNS_STUB_QUERY} '{namespaces:[GETDNS_NAMESPACE_LOCALNAMES]}' -A localhost. -J \
+         | awk -F: '/\"address_data\".*\"127/{print $2}' \
+         | sed -e 's/^[^"]*"//g' -e 's/"[^"]*$//g'`
+echo "localhost: $LOCALHOST"
+
 QLIMIT=79
-NQUERIES=`wc "./${TPKG_NAME}.queries"|sed 's/ .*$//g'`
+NQUERIES=`wc "./${TPKG_NAME}.queries"|sed -e 's/^ *//g' -e 's/ .*$//g'`
+echo "# queries: $NQUERIES"
 
 # This time the query limit is set by setting the maximum open
 # filedescriptors. We seem to be needing a higher QLIMIT, than
@@ -21,13 +27,13 @@ NQUERIES=`wc "./${TPKG_NAME}.queries"|sed 's/ .*$//g'`
 # which is smaller than 5 seconds default query timeout value,
 # so the test should succeed.
 
-make && "./${TPKG_NAME}" | (
+make && "./${TPKG_NAME}" ${LOCALHOST}| (
 	read PORT
 	ulimit -n $QLIMIT
-	${GETDNS_STUB_QUERY} @127.0.0.1:$PORT TXT \
+	${GETDNS_STUB_QUERY} @${LOCALHOST}:$PORT TXT \
 	    -a -F "./${TPKG_NAME}.queries" 2>&1 > out
 
-	${GETDNS_STUB_QUERY} -q @127.0.0.1:$PORT TXT quit.
+	${GETDNS_STUB_QUERY} -q @${LOCALHOST}:$PORT TXT quit.
 ) && grep '"n_requests: [0-9][0-9]*"' out | sed -e 's/^.*n_requests: //g' -e 's/".*$//g' \
     | awk -vQLIMIT=$QLIMIT -vNQUERIES=$NQUERIES '
 

From a037398156551ab1c1a8f4453edf10dc7cf8dde4 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 21 Feb 2018 16:45:26 +0100
Subject: [PATCH 088/303] Bump version

---
 ChangeLog    | 2 +-
 configure.ac | 6 +++---
 stubby       | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 745632d9..68763db7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,4 @@
-* 2018-02-??: Version 1.4.0
+* 2018-02-21: Version 1.4.0
   * .so revision bump to please fedora packaging system.
     Thanks Paul Wouters
   * Specify the supported curves with getdns_context_set_tls_curves_list()
diff --git a/configure.ac b/configure.ac
index 221df401..07445b82 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Dont forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
@@ -62,7 +62,7 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x0103c100])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01040000])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@@ -102,7 +102,7 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.2$RELEASE_CANDIDATE"], [Stubby
 # getdns-1.2.0 had libversion 8:0:2
 # getdns-1.2.1 had libversion 8:1:2
 # getdns-1.3.0 had libversion 9:0:3
-# getdns-1.4.0 will have libversion 10:0:0
+# getdns-1.4.0 has libversion 10:0:0
 #
 GETDNS_LIBVERSION=10:0:0
 
diff --git a/stubby b/stubby
index 9657d0e4..1a6acd64 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 9657d0e492e0a459d8d0ee301cf1604ed6895bd3
+Subproject commit 1a6acd642c7dc9a04cf092e1a3837c5636d4b465

From 65e610f26efcafb19fe6bb87b4f85fdf77773b0e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 22 Feb 2018 14:44:13 +0100
Subject: [PATCH 089/303] Unit test maintenance, to:

- remove obsolete tests
- test better for parallel installs
- run custom servers through valgrind
---
 .../tpkg/100-compile.tpkg/100-compile.pre     |  2 +-
 .../tpkg/100-compile.tpkg/100-compile.test    |  2 +-
 .../tpkg/105-install.tpkg/105-install.test    |  4 +++-
 src/test/tpkg/110-link.tpkg/110-link.dsc      | 16 ----------------
 src/test/tpkg/110-link.tpkg/110-link.test     | 10 ----------
 .../115-install-linked.dsc                    | 16 ----------------
 .../115-install-linked.test                   |  8 --------
 .../120-run-getdns_query.dsc                  |  2 +-
 .../125-valgrind-checks.ds                    |  1 +
 .../125-valgrind-checks.dsc                   |  2 +-
 .../130-run-unit-tests.dsc                    |  2 +-
 .../200-stub-only-compile-install.dsc}        |  8 ++++----
 .../200-stub-only-compile-install.post}       |  0
 .../200-stub-only-compile-install.pre}        |  2 +-
 .../200-stub-only-compile-install.test}       |  4 +++-
 .../210-stub-only-link.dsc                    | 16 ----------------
 .../210-stub-only-link.test                   | 10 ----------
 .../220-stub-only-run-getdns_query.dsc        |  2 +-
 .../225-stub-only-valgrind-checks.ds          |  1 -
 .../225-stub-only-valgrind-checks.dsc         |  4 ++--
 .../230-stub-only-run-unit-tests.dsc          |  2 +-
 .../275-server-capabilities.dsc               |  2 +-
 .../275-server-capabilities.test              |  8 ++++++--
 .../280-limit_outstanding_queries.dsc         |  2 +-
 .../280-limit_outstanding_queries.test        | 19 +++++++++++++++----
 .../285-out_of_filedescriptors.dsc            |  2 +-
 .../285-out_of_filedescriptors.test           | 19 +++++++++++++++----
 .../290-transports.tpkg/290-transports.dsc    |  2 +-
 .../320-event-loops-compile.test              |  2 +-
 29 files changed, 62 insertions(+), 108 deletions(-)
 delete mode 100644 src/test/tpkg/110-link.tpkg/110-link.dsc
 delete mode 100644 src/test/tpkg/110-link.tpkg/110-link.test
 delete mode 100644 src/test/tpkg/115-install-linked.tpkg/115-install-linked.dsc
 delete mode 100644 src/test/tpkg/115-install-linked.tpkg/115-install-linked.test
 rename src/test/tpkg/{200-stub-only-compile.tpkg/200-stub-only-compile.dsc => 200-stub-only-compile-install.tpkg/200-stub-only-compile-install.dsc} (56%)
 rename src/test/tpkg/{200-stub-only-compile.tpkg/200-stub-only-compile.post => 200-stub-only-compile-install.tpkg/200-stub-only-compile-install.post} (100%)
 rename src/test/tpkg/{200-stub-only-compile.tpkg/200-stub-only-compile.pre => 200-stub-only-compile-install.tpkg/200-stub-only-compile-install.pre} (92%)
 rename src/test/tpkg/{200-stub-only-compile.tpkg/200-stub-only-compile.test => 200-stub-only-compile-install.tpkg/200-stub-only-compile-install.test} (61%)
 delete mode 100644 src/test/tpkg/210-stub-only-link.tpkg/210-stub-only-link.dsc
 delete mode 100644 src/test/tpkg/210-stub-only-link.tpkg/210-stub-only-link.test
 delete mode 100644 src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.ds

diff --git a/src/test/tpkg/100-compile.tpkg/100-compile.pre b/src/test/tpkg/100-compile.tpkg/100-compile.pre
index ea1cacee..6b76edba 100644
--- a/src/test/tpkg/100-compile.tpkg/100-compile.pre
+++ b/src/test/tpkg/100-compile.tpkg/100-compile.pre
@@ -25,4 +25,4 @@ done
 rm -fr "${BUILDDIR}/build"
 mkdir  "${BUILDDIR}/build"
 cd "${BUILDDIR}/build"
-"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-debug-anchor
+"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install"
diff --git a/src/test/tpkg/100-compile.tpkg/100-compile.test b/src/test/tpkg/100-compile.tpkg/100-compile.test
index aeb9e084..7ce2f238 100644
--- a/src/test/tpkg/100-compile.tpkg/100-compile.test
+++ b/src/test/tpkg/100-compile.tpkg/100-compile.test
@@ -5,4 +5,4 @@
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 
 cd "${BUILDDIR}/build"
-make XTRA_CFLAGS='-Werror' -j 4
+make XTRA_CFLAGS='-g -Werror' -j 4
diff --git a/src/test/tpkg/105-install.tpkg/105-install.test b/src/test/tpkg/105-install.tpkg/105-install.test
index 16ccbfd2..bdf883af 100644
--- a/src/test/tpkg/105-install.tpkg/105-install.test
+++ b/src/test/tpkg/105-install.tpkg/105-install.test
@@ -5,4 +5,6 @@
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 
 cd "${BUILDDIR}/build"
-make -j 4 install
+make -j 4 install \
+    && echo "export GETDNS_QUERY=\"${BUILDDIR}/build/src/tools/getdns_query\"" \
+       >> ../.tpkg.var.master
diff --git a/src/test/tpkg/110-link.tpkg/110-link.dsc b/src/test/tpkg/110-link.tpkg/110-link.dsc
deleted file mode 100644
index 7c525d9d..00000000
--- a/src/test/tpkg/110-link.tpkg/110-link.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: 110-link
-Version: 1.0
-Description: Link getdns_query program
-CreationDate: do dec 10 11:10:11 CET 2015
-Maintainer: Willem Toorop
-Category: 
-Component:
-CmdDepends: 
-Depends: 100-compile.tpkg
-Help:
-Pre: 
-Post: 
-Test: 110-link.test
-AuxFiles: 
-Passed:
-Failure:
diff --git a/src/test/tpkg/110-link.tpkg/110-link.test b/src/test/tpkg/110-link.tpkg/110-link.test
deleted file mode 100644
index 305132fb..00000000
--- a/src/test/tpkg/110-link.tpkg/110-link.test
+++ /dev/null
@@ -1,10 +0,0 @@
-# #-- 110-link.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-cd "${BUILDDIR}/build"
-make -j 4 getdns_query \
-    &&  echo "export GETDNS_QUERY=\"${BUILDDIR}/build/src/tools/getdns_query\"" \
-        >> ../.tpkg.var.master
diff --git a/src/test/tpkg/115-install-linked.tpkg/115-install-linked.dsc b/src/test/tpkg/115-install-linked.tpkg/115-install-linked.dsc
deleted file mode 100644
index 335e19b2..00000000
--- a/src/test/tpkg/115-install-linked.tpkg/115-install-linked.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: 115-install-linked
-Version: 1.0
-Description: Install the getdns_query program
-CreationDate: vr dec 18 10:52:26 CET 2015
-Maintainer: Willem Toorop
-Category: 
-Component:
-CmdDepends: 
-Depends: 110-link.tpkg
-Help:
-Pre: 
-Post: 
-Test: 115-install-linked.test
-AuxFiles: 
-Passed:
-Failure:
diff --git a/src/test/tpkg/115-install-linked.tpkg/115-install-linked.test b/src/test/tpkg/115-install-linked.tpkg/115-install-linked.test
deleted file mode 100644
index 550052b4..00000000
--- a/src/test/tpkg/115-install-linked.tpkg/115-install-linked.test
+++ /dev/null
@@ -1,8 +0,0 @@
-# #-- 115-install-linked.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-cd "${BUILDDIR}/build"
-make -j 4 install-getdns_query
diff --git a/src/test/tpkg/120-run-getdns_query.tpkg/120-run-getdns_query.dsc b/src/test/tpkg/120-run-getdns_query.tpkg/120-run-getdns_query.dsc
index 55f17b68..3716c307 100644
--- a/src/test/tpkg/120-run-getdns_query.tpkg/120-run-getdns_query.dsc
+++ b/src/test/tpkg/120-run-getdns_query.tpkg/120-run-getdns_query.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: 
-Depends: 110-link.tpkg
+Depends: 105-install.tpkg
 Help:
 Pre: 
 Post: 
diff --git a/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.ds b/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.ds
index 8750f478..47bcd4f0 100644
--- a/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.ds
+++ b/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.ds
@@ -1 +1,2 @@
 .	DS	19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
+.	DS	20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
diff --git a/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.dsc b/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.dsc
index 93163e33..aba888b5 100644
--- a/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.dsc
+++ b/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: valgrind
-Depends: 110-link.tpkg
+Depends: 105-install.tpkg
 Help:
 Pre: 
 Post: 
diff --git a/src/test/tpkg/130-run-unit-tests.tpkg/130-run-unit-tests.dsc b/src/test/tpkg/130-run-unit-tests.tpkg/130-run-unit-tests.dsc
index 86500576..6833e43f 100644
--- a/src/test/tpkg/130-run-unit-tests.tpkg/130-run-unit-tests.dsc
+++ b/src/test/tpkg/130-run-unit-tests.tpkg/130-run-unit-tests.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: 
-Depends: 110-link.tpkg
+Depends: 105-install.tpkg
 Help:
 Pre: 
 Post: 
diff --git a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.dsc b/src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.dsc
similarity index 56%
rename from src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.dsc
rename to src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.dsc
index 4faf21b2..0888f7ff 100644
--- a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.dsc
+++ b/src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.dsc
@@ -1,4 +1,4 @@
-BaseName: 200-stub-only-compile
+BaseName: 200-stub-only-compile-install
 Version: 1.0
 Description: Create builddir and compile stub only
 CreationDate: do dec 10 11:08:24 CET 2015
@@ -8,9 +8,9 @@ Component:
 CmdDepends: 
 Depends: 
 Help:
-Pre: 200-stub-only-compile.pre
-Post: 200-stub-only-compile.post
-Test: 200-stub-only-compile.test
+Pre: 200-stub-only-compile-install.pre
+Post: 200-stub-only-compile-install.post
+Test: 200-stub-only-compile-install.test
 AuxFiles: 
 Passed:
 Failure:
diff --git a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.post b/src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.post
similarity index 100%
rename from src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.post
rename to src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.post
diff --git a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre b/src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.pre
similarity index 92%
rename from src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre
rename to src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.pre
index 39b234eb..587b4fed 100644
--- a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre
+++ b/src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.pre
@@ -25,4 +25,4 @@ done
 rm -fr "${BUILDDIR}/build-stub-only"
 mkdir  "${BUILDDIR}/build-stub-only"
 cd "${BUILDDIR}/build-stub-only"
-"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install-stub-only" --enable-stub-only
+"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install-stub-only" --enable-stub-only --enable-debug-server --enable-debug-anchor
diff --git a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.test b/src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.test
similarity index 61%
rename from src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.test
rename to src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.test
index 4b983110..53b8d656 100644
--- a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.test
+++ b/src/test/tpkg/200-stub-only-compile-install.tpkg/200-stub-only-compile-install.test
@@ -5,4 +5,6 @@
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 
 cd "${BUILDDIR}/build-stub-only"
-make XTRA_CFLAGS='-Werror' -j 4
+make XTRA_CFLAGS='-g -Werror' -j 4 install \
+    && echo "export GETDNS_STUB_QUERY=\"${BUILDDIR}/build-stub-only/src/tools/getdns_query\"" \
+       >> ../.tpkg.var.master
diff --git a/src/test/tpkg/210-stub-only-link.tpkg/210-stub-only-link.dsc b/src/test/tpkg/210-stub-only-link.tpkg/210-stub-only-link.dsc
deleted file mode 100644
index 4ad88d78..00000000
--- a/src/test/tpkg/210-stub-only-link.tpkg/210-stub-only-link.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: 210-stub-only-link
-Version: 1.0
-Description: Link getdns_query program
-CreationDate: do dec 10 11:08:37 CET 2015
-Maintainer: Willem Toorop
-Category: 
-Component:
-CmdDepends: 
-Depends: 200-stub-only-compile.tpkg
-Help:
-Pre: 
-Post: 
-Test: 210-stub-only-link.test
-AuxFiles: 
-Passed:
-Failure:
diff --git a/src/test/tpkg/210-stub-only-link.tpkg/210-stub-only-link.test b/src/test/tpkg/210-stub-only-link.tpkg/210-stub-only-link.test
deleted file mode 100644
index 23e786cb..00000000
--- a/src/test/tpkg/210-stub-only-link.tpkg/210-stub-only-link.test
+++ /dev/null
@@ -1,10 +0,0 @@
-# #-- 210-stub-only-link.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-cd "${BUILDDIR}/build-stub-only"
-make -j 4 getdns_query \
-    &&  echo "export GETDNS_STUB_QUERY=\"${BUILDDIR}/build-stub-only/src/tools/getdns_query\"" \
-        >> ../.tpkg.var.master
diff --git a/src/test/tpkg/220-stub-only-run-getdns_query.tpkg/220-stub-only-run-getdns_query.dsc b/src/test/tpkg/220-stub-only-run-getdns_query.tpkg/220-stub-only-run-getdns_query.dsc
index 88f24543..8b5ac7c4 100644
--- a/src/test/tpkg/220-stub-only-run-getdns_query.tpkg/220-stub-only-run-getdns_query.dsc
+++ b/src/test/tpkg/220-stub-only-run-getdns_query.tpkg/220-stub-only-run-getdns_query.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: 
-Depends: 210-stub-only-link.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 
 Post: 
diff --git a/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.ds b/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.ds
deleted file mode 100644
index 8750f478..00000000
--- a/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.ds
+++ /dev/null
@@ -1 +0,0 @@
-.	DS	19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
diff --git a/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.dsc b/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.dsc
index 7167a541..42f20a57 100644
--- a/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.dsc
+++ b/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.dsc
@@ -1,12 +1,12 @@
 BaseName: 225-stub-only-valgrind-checks
 Version: 1.0
-Description: Run valgrind to detect memory leaks
+Description: Run getdns_query in valgrind + Zero configuration DNSSEC test
 CreationDate: ma mrt 21 16:24:56 CET 2016
 Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: valgrind
-Depends: 210-stub-only-link.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 
 Post: 
diff --git a/src/test/tpkg/230-stub-only-run-unit-tests.tpkg/230-stub-only-run-unit-tests.dsc b/src/test/tpkg/230-stub-only-run-unit-tests.tpkg/230-stub-only-run-unit-tests.dsc
index 0a683e77..3ea00b19 100644
--- a/src/test/tpkg/230-stub-only-run-unit-tests.tpkg/230-stub-only-run-unit-tests.dsc
+++ b/src/test/tpkg/230-stub-only-run-unit-tests.tpkg/230-stub-only-run-unit-tests.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: 
-Depends: 210-stub-only-link.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 
 Post: 
diff --git a/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.dsc b/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.dsc
index 5ab8c095..a5665693 100644
--- a/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.dsc
+++ b/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.dsc
@@ -6,7 +6,7 @@ Maintainer: Hoda Rohani
 Category: 
 Component:
 CmdDepends: 
-Depends: 210-stub-only-link.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 275-server-capabilities.pre
 Post: 
diff --git a/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.test b/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.test
index 2b144cf7..3569346b 100644
--- a/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.test
+++ b/src/test/tpkg/275-server-capabilities.tpkg/275-server-capabilities.test
@@ -21,10 +21,14 @@ make && "${BUILDDIR}/build-stub-only/libtool" exec valgrind -v --log-file=valgri
 
 	${GETDNS_STUB_QUERY} -s -q @${LOCALHOST}:$PORT TXT quit.
 )
-if grep -q 'definitely lost: [^0]' valgrind.log
+if ! awk '/^==.*(definitely|indirectly|possibly) lost/{print;if($4>0)exit(1)}' valgrind.log
+then
+	cat valgrind.log
+	exit 1
+fi
+if ! awk '/^==.* ERROR SUMMARY/{print;if($4>0)exit(1)}' valgrind.log
 then
 	cat valgrind.log
-	echo "error: Memory loss!"
 	exit 1
 fi
 if ! grep -q '"status": GETDNS_RESPSTATUS_ALL_TIMEOUT' time_out
diff --git a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.dsc b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.dsc
index d03124b9..881977b7 100644
--- a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.dsc
+++ b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: Resource depletion
 Component:
 CmdDepends: 
-Depends: 210-stub-only-link.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 280-limit_outstanding_queries.pre
 Post: 
diff --git a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.test b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.test
index e22456c3..f8d5d556 100644
--- a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.test
+++ b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.test
@@ -19,13 +19,13 @@ echo "# queries: $NQUERIES"
 # which is smaller than 5 seconds default query timeout value,
 # so the test should succeed.
 
-make && "./${TPKG_NAME}" ${LOCALHOST} | (
+make && "${BUILDDIR}/build-stub-only/libtool" exec valgrind -v --log-file=valgrind.log --leak-check=full --error-exitcode=1 --track-origins=yes "./${TPKG_NAME}" ${LOCALHOST} | (
 	read PORT
-	${GETDNS_STUB_QUERY} @${LOCALHOST}:$PORT TXT \
+	${GETDNS_STUB_QUERY} -s @${LOCALHOST}:$PORT TXT \
 	    -a -F "./${TPKG_NAME}.queries" \
 	          "{limit_outstanding_queries:$QLIMIT}" 2>&1 > out
 
-	${GETDNS_STUB_QUERY} -q @${LOCALHOST}:$PORT TXT quit.
+	${GETDNS_STUB_QUERY} -s -q @${LOCALHOST}:$PORT TXT quit.
 ) && grep '"n_requests: [0-9][0-9]*"' out | sed -e 's/^.*n_requests: //g' -e 's/".*$//g' \
     | awk -vQLIMIT=$QLIMIT -vNQUERIES=$NQUERIES '
 
@@ -43,4 +43,15 @@ END{
 		exit(-1);
 	} else
 		print "SUCCESS: No more than "QLIMIT" outstanding queries: "max_outstanding;
-}'
+}' && (
+	if ! awk '/^==.*(definitely|indirectly|possibly) lost/{print;if($4>0)exit(1)}' valgrind.log
+	then
+		cat valgrind.log
+		exit 1
+	fi
+	if ! awk '/^==.* ERROR SUMMARY/{print;if($4>0)exit(1)}' valgrind.log
+	then
+		cat valgrind.log
+		exit 1
+	fi
+)
diff --git a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.dsc b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.dsc
index c76c3bbb..b7322cc7 100644
--- a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.dsc
+++ b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: Resource depletion
 Component:
 CmdDepends: 
-Depends: 210-stub-only-link.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 285-out_of_filedescriptors.pre
 Post: 
diff --git a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.test b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.test
index 6eeb53d1..f6a832e4 100644
--- a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.test
+++ b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.test
@@ -27,13 +27,13 @@ echo "# queries: $NQUERIES"
 # which is smaller than 5 seconds default query timeout value,
 # so the test should succeed.
 
-make && "./${TPKG_NAME}" ${LOCALHOST}| (
+make && "${BUILDDIR}/build-stub-only/libtool" exec valgrind -v --log-file=valgrind.log --leak-check=full --error-exitcode=1 --track-origins=yes "./${TPKG_NAME}" ${LOCALHOST}| (
 	read PORT
 	ulimit -n $QLIMIT
-	${GETDNS_STUB_QUERY} @${LOCALHOST}:$PORT TXT \
+	${GETDNS_STUB_QUERY} -s @${LOCALHOST}:$PORT TXT \
 	    -a -F "./${TPKG_NAME}.queries" 2>&1 > out
 
-	${GETDNS_STUB_QUERY} -q @${LOCALHOST}:$PORT TXT quit.
+	${GETDNS_STUB_QUERY} -s -q @${LOCALHOST}:$PORT TXT quit.
 ) && grep '"n_requests: [0-9][0-9]*"' out | sed -e 's/^.*n_requests: //g' -e 's/".*$//g' \
     | awk -vQLIMIT=$QLIMIT -vNQUERIES=$NQUERIES '
 
@@ -51,4 +51,15 @@ END{
 		exit(-1);
 	} else
 		print "SUCCESS: No more than "QLIMIT" outstanding queries: "max_outstanding;
-}'
+}' && (
+	if ! awk '/^==.*(definitely|indirectly|possibly) lost/{print;if($4>0)exit(1)}' valgrind.log
+	then
+		cat valgrind.log
+		exit 1
+	fi
+	if ! awk '/^==.* ERROR SUMMARY/{print;if($4>0)exit(1)}' valgrind.log
+	then
+		cat valgrind.log
+		exit 1
+	fi
+)
diff --git a/src/test/tpkg/290-transports.tpkg/290-transports.dsc b/src/test/tpkg/290-transports.tpkg/290-transports.dsc
index acc5f398..c7a289f1 100644
--- a/src/test/tpkg/290-transports.tpkg/290-transports.dsc
+++ b/src/test/tpkg/290-transports.tpkg/290-transports.dsc
@@ -6,7 +6,7 @@ Maintainer: Hoda Rohani
 Category: 
 Component:
 CmdDepends: 
-Depends: 210-stub-only-link.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 
 Post: 
diff --git a/src/test/tpkg/320-event-loops-compile.tpkg/320-event-loops-compile.test b/src/test/tpkg/320-event-loops-compile.tpkg/320-event-loops-compile.test
index b4d20345..45176f77 100644
--- a/src/test/tpkg/320-event-loops-compile.tpkg/320-event-loops-compile.test
+++ b/src/test/tpkg/320-event-loops-compile.tpkg/320-event-loops-compile.test
@@ -5,4 +5,4 @@
 [ -f .tpkg.var.test ] && source .tpkg.var.test
 
 cd "${BUILDDIR}/build-event-loops"
-make XTRA_CFLAGS=-Werror -j 4
+make XTRA_CFLAGS="-g -Werror" -j 4 install

From 75297b17aedbdc0ef975cbc7aa9e1f8e4d054318 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 22 Feb 2018 14:45:56 +0100
Subject: [PATCH 090/303] Fixes from running servers with valgrind

---
 src/server.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/src/server.c b/src/server.c
index 59497bed..a6d4008e 100644
--- a/src/server.c
+++ b/src/server.c
@@ -255,7 +255,12 @@ _getdns_cancel_reply(getdns_context *context, connection *conn)
 {
 	struct mem_funcs *mf;
 
-	if (!context || !conn)
+	if (!conn)
+		return;
+
+	if (context && context->server &&
+	    _getdns_rbtree_search(&context->server->connections_set, conn)
+	    != &conn->super)
 		return;
 
 	if (conn->l->transport == GETDNS_TRANSPORT_TCP) {
@@ -293,13 +298,14 @@ getdns_reply(
 	size_t len;
 	getdns_return_t r;
 
-	if (!context || !conn)
+	if (!conn)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	if (!context->server)
-		return GETDNS_RETURN_GENERIC_ERROR;;
+	if (!context || !context->server) {
+		if (!context)
+			context = conn->l->set->context;
 
-	if (_getdns_rbtree_search(&context->server->connections_set, conn)
+	} else if (_getdns_rbtree_search(&context->server->connections_set, conn)
 	    != &conn->super)
 		return GETDNS_RETURN_NO_SUCH_LIST_ITEM;
 
@@ -750,11 +756,16 @@ static void free_listen_set_when_done(listen_set *set)
 	for (i = 0; i < set->count; i++) {
 		listener *l = &set->items[i];
 
-		if (l->fd >= 0)
+		if (l->fd >= 0) {
+			DEBUG_SERVER("Listener %d still listening on %d\n",
+			    (int)i, l->fd);
 			return;
-
-		if (l->connections)
+		}
+		if (l->connections) {
+			DEBUG_SERVER("Listener %d still has connections %p\n",
+			    (int)i, (void *)l->connections);
 			return;
+		}
 	}
 	GETDNS_FREE(*mf, set);
 	DEBUG_SERVER("Listen set: %p freed\n", (void *)set);

From e705109f22421964344d1ff21816b2c4065cc6f2 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 22 Feb 2018 15:02:11 +0100
Subject: [PATCH 091/303] Fix tpkg dependencies

---
 src/test/tpkg/250-json-pointers.tpkg/250-json-pointers.dsc      | 2 +-
 src/test/tpkg/255-yaml-config.tpkg/255-yaml-config.dsc          | 2 +-
 .../260-conversion-functions.tpkg/260-conversion-functions.dsc  | 2 +-
 src/test/tpkg/265-supported-rrs.tpkg/265-supported-rrs.dsc      | 2 +-
 .../tpkg/270-header-extension.tpkg/270-header-extension.dsc     | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/test/tpkg/250-json-pointers.tpkg/250-json-pointers.dsc b/src/test/tpkg/250-json-pointers.tpkg/250-json-pointers.dsc
index 683876b9..db195ce3 100644
--- a/src/test/tpkg/250-json-pointers.tpkg/250-json-pointers.dsc
+++ b/src/test/tpkg/250-json-pointers.tpkg/250-json-pointers.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: 
-Depends: 200-stub-only-compile.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 250-json-pointers.pre
 Post: 
diff --git a/src/test/tpkg/255-yaml-config.tpkg/255-yaml-config.dsc b/src/test/tpkg/255-yaml-config.tpkg/255-yaml-config.dsc
index e00f4468..906681b2 100644
--- a/src/test/tpkg/255-yaml-config.tpkg/255-yaml-config.dsc
+++ b/src/test/tpkg/255-yaml-config.tpkg/255-yaml-config.dsc
@@ -6,7 +6,7 @@ Maintainer: Jim Hague
 Category: 
 Component:
 CmdDepends: 
-Depends: 200-stub-only-compile.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 255-yaml-config.pre
 Post: 
diff --git a/src/test/tpkg/260-conversion-functions.tpkg/260-conversion-functions.dsc b/src/test/tpkg/260-conversion-functions.tpkg/260-conversion-functions.dsc
index eb96d979..a3534843 100644
--- a/src/test/tpkg/260-conversion-functions.tpkg/260-conversion-functions.dsc
+++ b/src/test/tpkg/260-conversion-functions.tpkg/260-conversion-functions.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: 
-Depends: 200-stub-only-compile.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help: 260-conversion-functions.help
 Pre: 260-conversion-functions.pre
 Post: 
diff --git a/src/test/tpkg/265-supported-rrs.tpkg/265-supported-rrs.dsc b/src/test/tpkg/265-supported-rrs.tpkg/265-supported-rrs.dsc
index ea49490e..21f66210 100644
--- a/src/test/tpkg/265-supported-rrs.tpkg/265-supported-rrs.dsc
+++ b/src/test/tpkg/265-supported-rrs.tpkg/265-supported-rrs.dsc
@@ -6,7 +6,7 @@ Maintainer: Hoda Rohani
 Category: 
 Component:
 CmdDepends: 
-Depends: 200-stub-only-compile.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 265-supported-rrs.pre
 Post: 
diff --git a/src/test/tpkg/270-header-extension.tpkg/270-header-extension.dsc b/src/test/tpkg/270-header-extension.tpkg/270-header-extension.dsc
index f083f1b2..a371179b 100644
--- a/src/test/tpkg/270-header-extension.tpkg/270-header-extension.dsc
+++ b/src/test/tpkg/270-header-extension.tpkg/270-header-extension.dsc
@@ -6,7 +6,7 @@ Maintainer: Willem Toorop
 Category: 
 Component:
 CmdDepends: 
-Depends: 200-stub-only-compile.tpkg
+Depends: 200-stub-only-compile-install.tpkg
 Help:
 Pre: 270-header-extension.pre
 Post: 

From 1fbb022b8860c791d9b6a0f0d307f15c4cf8b7bb Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 22 Feb 2018 16:05:34 +0100
Subject: [PATCH 092/303] Bugfix#382 Do not install tools in parallel

---
 Makefile.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.in b/Makefile.in
index b160e369..ae535276 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -128,7 +128,7 @@ install-getdns_query: install-lib
 uninstall-getdns_query:
 	cd src/tools && $(MAKE) $@
 
-install-getdns_server_mon: install-lib
+install-getdns_server_mon: install-lib @INSTALL_GETDNS_QUERY@
 	cd src/tools && $(MAKE) $@
 
 uninstall-getdns_server_mon:

From 9301f8970c311fb19e58a2661e7d716d60d8cfd9 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 23 Feb 2018 14:11:46 -0800
Subject: [PATCH 093/303] Fix minor spelling and formatting.

These issues were found with the codespell tool.
---
 ChangeLog                                      |  8 ++++----
 configure.ac                                   |  4 ++--
 project-doc/cachedesign.txt                    |  4 ++--
 src/dnssec.c                                   |  8 ++++----
 src/getdns/getdns.h.in                         |  2 +-
 src/getdns/getdns_extra.h.in                   | 18 +++++++++---------
 src/gldns/parseutil.h                          |  2 +-
 src/gldns/rrdef.h                              |  6 +++---
 src/mdns.c                                     |  2 +-
 src/mdns.h                                     |  2 +-
 src/request-internal.c                         |  2 +-
 src/stub.c                                     | 10 +++++-----
 .../check_getdns_context_set_dns_transport.h   |  2 +-
 .../270-header-extension.c                     |  2 +-
 src/test/tpkg/run-one.sh                       |  2 +-
 src/test/tpkg/tpkg                             |  6 +++---
 src/tools/getdns_server_mon.c                  |  4 ++--
 src/types-internal.h                           |  6 +++---
 18 files changed, 45 insertions(+), 45 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 68763db7..32447f63 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,7 +18,7 @@
     be wildcard expansions when used with DNSSEC proofs.  Only direct
     queries for those types are allowed to be wildcard expansions.
   * Bugfix PR#379: Miscelleneous double free or corruption, and corrupted
-    memory double linked list detected issue, whith serving functionality.
+    memory double linked list detected issue, with serving functionality.
     Thanks maddie and Bruno Pagani
   * Security Bugfix PR#293: Check sha256 pinset's
     with OpenSSL native DANE functions for OpenSSL >= 1.1.0
@@ -235,7 +235,7 @@
     Allow misshing "address_type" in address dicts.
   * TLS session resumption
   * -C <config file> option to getdns_query to configure context 
-    from a json like formated file.  The output of -i (print API
+    from a json like formatted file.  The output of -i (print API
     information) can be used as config file directly.
     Settings may also be given in this format as arguments of
     the getdns_query command directly.
@@ -384,7 +384,7 @@
 * 2015-09-04: Version 0.3.2
   * Fix returned upstreams list by getdns_context_get_api_information()
   * Fix some autoconf issues when srcdir != builddir
-  * Fix remove build date from manpage version for reproducable builds
+  * Fix remove build date from manpage version for reproducible builds
   * Fix transport fallback issues plus transport fallback unit test script
   * Fix string bindata's need not contain trailing zero byte
   * --enable-stub-only configure option for stub only operation.
@@ -537,7 +537,7 @@
   * Build from separate build directory
   * Anticipate libunbound not returning the answer packet
   * Pretty print bindata's representing IP addresses
-  * Anticipate absense of implicit DSO linking
+  * Anticipate absence of implicit DSO linking
   * Mention getdns specific options to configure in INSTALL
     Thanks Paul Hoffman
   * Mac OSX package built instructions for generic user in README.md
diff --git a/configure.ac b/configure.ac
index 07445b82..8ed36418 100644
--- a/configure.ac
+++ b/configure.ac
@@ -49,7 +49,7 @@ AC_ARG_WITH([piddir],
   [with_piddir=${default_piddir}])
 AC_SUBST([runstatedir], [$with_piddir])
 
-# Dont forget to put a dash in front of the release candidate!!!
+# Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
 AC_SUBST(RELEASE_CANDIDATE, [])
@@ -1469,7 +1469,7 @@ AH_BOTTOM([
 
 #ifdef GETDNS_ON_WINDOWS
  /* On windows it is allowed to increase the FD_SETSIZE
-  * (and nescessary to make our custom eventloop work)
+  * (and necessary to make our custom eventloop work)
   * See: https://support.microsoft.com/en-us/kb/111855
   */
 # ifndef FD_SETSIZE
diff --git a/project-doc/cachedesign.txt b/project-doc/cachedesign.txt
index 71606e7c..da5a839f 100644
--- a/project-doc/cachedesign.txt
+++ b/project-doc/cachedesign.txt
@@ -53,9 +53,9 @@ Local configuration via API or local file (e.g. /etc/getdns.conf, ~/.getdnsrc)
     - max TTL/TTL override (separate for pos/neg cache entries)
     - inclusions (use cache for specified domains) (maybe over-eng)
     - exceptions (avoid ache for specified domains) (maybe over-eng)
-    - persistant vs. transitory cache
+    - persistent vs. transitory cache
 
-- cache data store via Berkely db to allow for persistance
+- cache data store via Berkely db to allow for persistence
 
 - negative cache TTL derived from SOA
 
diff --git a/src/dnssec.c b/src/dnssec.c
index 3bf92d58..5a0062dd 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -79,8 +79,8 @@
 /* Outline of operations in this file
  * ==================================
  *
- * Data structure to represent the delegation/referal hierarchy
- * ------------------------------------------------------------
+ * Data structure to represent the delegation/referral hierarchy
+ * -------------------------------------------------------------
  * Both the "dnssec_return_validation_chain" extension, and the 
  * getdns_validate_dnssec() function use the same structs to represent the 
  * involved pieces of the DNS in a hierarchical manner.
@@ -134,7 +134,7 @@
  * in a _getdns_rrset, and the rrsig_iter to iterate over the RRSIGs covering
  * the RRs in the _getdns_rrset.
  *
- * The _getdns_rrsets are already equiped with name/rr_class and rr_type when
+ * The _getdns_rrsets are already equipped with name/rr_class and rr_type when
  * constructing the linked list of chain_nodes up to the root for a chain_head.
  * They are substantiated with the wireformat packets that are returned with 
  * the queries that were sheduled in the context of the 
@@ -146,7 +146,7 @@
  * of non-existance.
  *
  * The getdns_validate_dnssec() function, after it constructed the chain_heads
- * hierarchy, creates an artifical packet for the support records and equips
+ * hierarchy, creates an artificial packet for the support records and equips
  * all the ds and dnskey _getdns_rrsets on the chain_nodes with this packet.
  *
  * The _getdns_rrset + support function and data types are defined in section:
diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in
index 788f0d94..23e59cf4 100644
--- a/src/getdns/getdns.h.in
+++ b/src/getdns/getdns.h.in
@@ -1392,7 +1392,7 @@ char *getdns_display_ip_address(const getdns_bindata
  * @param value The callback function that will be called when any context is
  *              changed. A update callback function can be deregistered by
  *              passing NULL.
- * @return GETDNS_RETURN_GOOD when succesful.
+ * @return GETDNS_RETURN_GOOD when successful.
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
 getdns_return_t
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 4837771c..0859b6b0 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -829,10 +829,10 @@ getdns_context_get_dns_transport_list(getdns_context *context,
     size_t* transport_count, getdns_transport_list_t **transports);
 
 /**
- * Get the current limit for oustanding queries setting from this context.
+ * Get the current limit for outstanding queries setting from this context.
  * @see getdns_context_set_limit_outstanding_queries
  * @param[in]  context The context from which to get the setting
- * @param[out] limit The current limit for oustanding queries
+ * @param[out] limit The current limit for outstanding queries
  * @return GETDNS_RETURN_GOOD when successful
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or limit was NULL.
  */
@@ -1055,7 +1055,7 @@ getdns_return_t
 getdns_context_get_tls_query_padding_blocksize(getdns_context *context, uint16_t* value);
 
 /**
- * Get whether the upstream needs to be authenticated whith DNS over TLS.
+ * Get whether the upstream needs to be authenticated with DNS over TLS.
  * @see getdns_context_set_tls_authentication
  * @see authvaulesandtext
  * @param[in]  context The context from which to get the setting
@@ -1359,7 +1359,7 @@ uint32_t getdns_get_api_version_number(void);
 
 /**
  * Returns a text describing the getdns error code, or NULL when the error
- * code is unkown.
+ * code is unknown.
  * @param err The error code for which to return the describing text
  * @return The describing text for the error code.  The string is in library
  * space and the caller must *not* free this.
@@ -1716,7 +1716,7 @@ getdns_rr_dict2wire_buf(
  *                 the buffer and point right after the just written RR.
  * @param  wire_sz On input the size of the wire buffer,
  *                 On output the amount of wireformat needed for the
- *                 wireformat will have been substracted from wire_sz.
+ *                 wireformat will have been subtracted from wire_sz.
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  * GETDNS_RETURN_NEED_MORE_SPACE will be returned when the buffer was too
  * small.  The function will pretend that it had written beyond the end
@@ -1808,7 +1808,7 @@ getdns_rr_dict2str_buf(
  *                 the buffer and point right after the just written RR.
  * @param  str_len On input the size of the str buffer,
  *                 On output the number of characters needed for the
- *                 string will have been substracted from strlen.
+ *                 string will have been subtracted from strlen.
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  * GETDNS_RETURN_NEED_MORE_SPACE will be returned when the buffer was too
  * small.  The function will pretend that it had written beyond the end
@@ -1887,7 +1887,7 @@ getdns_msg_dict2wire_buf(
  *                  the buffer and point right after the just written RR.
  * @param  wire_sz  On input the size of the wire buffer,
  *                  On output the amount of wireformat needed for the
- *                  wireformat will have been substracted from wire_sz.
+ *                  wireformat will have been subtracted from wire_sz.
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  * GETDNS_RETURN_NEED_MORE_SPACE will be returned when the buffer was too
  * small.  The function will pretend that it had written beyond the end
@@ -1979,7 +1979,7 @@ getdns_msg_dict2str_buf(
  *                  the buffer and point right after the just written RR.
  * @param  str_len  On input the size of the str buffer,
  *                  On output the number of characters needed for the
- *                  string will have been substracted from strlen.
+ *                  string will have been subtracted from strlen.
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  * GETDNS_RETURN_NEED_MORE_SPACE will be returned when the buffer was too
  * small.  The function will pretend that it had written beyond the end
@@ -2131,7 +2131,7 @@ typedef void (*getdns_request_handler_t)(
  * On failure, the current set of listening addresses is left in place.
  * Also, if there is overlap in listening_addresses between the active set
  * and the newly given set, the ones in the active set will remain in their
- * current condition and will not be closed and reopened, also all assoicated
+ * current condition and will not be closed and reopened, also all associated
  * DNS transactions will remain.
  */
 getdns_return_t
diff --git a/src/gldns/parseutil.h b/src/gldns/parseutil.h
index 1546e8be..a044c4de 100644
--- a/src/gldns/parseutil.h
+++ b/src/gldns/parseutil.h
@@ -58,7 +58,7 @@ time_t gldns_mktime_from_utc(const struct tm *tm);
  * The function interprets time as the number of seconds since epoch
  * with respect to now using serial arithmetics (rfc1982).
  * That number of seconds is then converted to broken-out time information.
- * This is especially usefull when converting the inception and expiration
+ * This is especially useful when converting the inception and expiration
  * fields of RRSIG records.
  *
  * \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
diff --git a/src/gldns/rrdef.h b/src/gldns/rrdef.h
index 3db78fe0..f7aaf866 100644
--- a/src/gldns/rrdef.h
+++ b/src/gldns/rrdef.h
@@ -332,13 +332,13 @@ enum gldns_enum_rdf_type
         GLDNS_RDF_TYPE_NSEC3_NEXT_OWNER,
 
         /** 4 shorts represented as 4 * 16 bit hex numbers
-         *  seperated by colons. For NID and L64.
+         *  separated by colons. For NID and L64.
          */
         GLDNS_RDF_TYPE_ILNP64,
 
-        /** 6 * 8 bit hex numbers seperated by dashes. For EUI48. */
+        /** 6 * 8 bit hex numbers separated by dashes. For EUI48. */
         GLDNS_RDF_TYPE_EUI48,
-        /** 8 * 8 bit hex numbers seperated by dashes. For EUI64. */
+        /** 8 * 8 bit hex numbers separated by dashes. For EUI64. */
         GLDNS_RDF_TYPE_EUI64,
 
         /** A non-zero sequence of US-ASCII letters and numbers in lower case.
diff --git a/src/mdns.c b/src/mdns.c
index 30bdab6e..34f95509 100644
--- a/src/mdns.c
+++ b/src/mdns.c
@@ -1638,7 +1638,7 @@ void _getdns_mdns_context_destroy(struct getdns_context *context)
 	}
 }
 
-/* TODO: actualy delete what is required.. */
+/* TODO: actually delete what is required.. */
 static void
 mdns_cleanup(getdns_network_req *netreq)
 {
diff --git a/src/mdns.h b/src/mdns.h
index 79ec05fe..aac5858f 100644
--- a/src/mdns.h
+++ b/src/mdns.h
@@ -59,7 +59,7 @@ typedef struct getdns_mdns_known_record
  * The data part contains:
  * - 64 bit time stamp
  * - 32 bit word describing the record size
- * - 32 bit word describing teh allocated memory size
+ * - 32 bit word describing the allocated memory size
  * - valid DNS response, including 1 query and N answers, 0 AUTH, 0 AD.
  * For economy, the names of all answers are encoded using header compression, pointing
  * to the name in the query, i.e. offset 12 from beginning of message.
diff --git a/src/request-internal.c b/src/request-internal.c
index 8b5dafdb..71110886 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -767,7 +767,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
 	      request_type == GETDNS_RRTYPE_AAAA );
 	/* Reserve for the buffer at least one more byte
 	 * (to test for udp overflow) (hence the + 1),
-	 * And align on the 8 byte boundry  (hence the (x + 7) / 8 * 8)
+	 * And align on the 8 byte boundary  (hence the (x + 7) / 8 * 8)
 	 */
 	size_t max_query_sz, max_response_sz, netreq_sz, dnsreq_base_sz;
 	uint8_t *region, *suffixes;
diff --git a/src/stub.c b/src/stub.c
index d24aa6fa..f1f5b278 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -112,7 +112,7 @@ rollover_secret()
 		return;
 
 	/* Remember previous secret, in to keep answering on rollover
-	 * boundry with old cookie.
+	 * boundary with old cookie.
 	 */
 	prev_secret = secret;
 	secret = arc4random();
@@ -899,7 +899,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 			    "%-40s : Conn failed: TLS - *Failure* - Pinset validation failure\n",
 			    upstream->addr_str);
 	}
-	/* If nothing has failed yet and we had credentials, we have succesfully authenticated*/
+	/* If nothing has failed yet and we had credentials, we have successfully authenticated*/
 	if (preverify_ok == 0)
 		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 	else if (upstream->tls_auth_state == GETDNS_AUTH_NONE &&
@@ -1640,7 +1640,7 @@ stub_udp_write_cb(void *userarg)
 				  , STUB_DEBUG_WRITE, __FUNC__, (void *)netreq
 				  , _getdns_errnostr());
 		else
-			DEBUG_STUB( "%s %-35s: MSG: %p returned: %d, expeced: %d\n"
+			DEBUG_STUB( "%s %-35s: MSG: %p returned: %d, expected: %d\n"
 				  , STUB_DEBUG_WRITE, __FUNC__, (void *)netreq
 				  , (int)written, (int)pkt_len);
 #endif
@@ -1972,9 +1972,9 @@ upstream_valid(getdns_upstream *upstream,
                           getdns_network_req *netreq,
                           int backoff_ok)
 {
-	/* Checking upstreams with backoff_ok true will aslo return upstreams
+	/* Checking upstreams with backoff_ok true will also return upstreams
 	   that are in a backoff state. Otherwise only use upstreams that have
-	   a 'good' connection state. backoff_ok is usefull when no upstreams at all
+	   a 'good' connection state. backoff_ok is useful when no upstreams at all
 	   are valid, for example when the network connection is down and need to 
 	   keep trying to connect before failing completely. */
 	if (!(upstream->transport == transport && upstream_usable(upstream, backoff_ok)))
diff --git a/src/test/check_getdns_context_set_dns_transport.h b/src/test/check_getdns_context_set_dns_transport.h
index fbd7f503..ef847636 100644
--- a/src/test/check_getdns_context_set_dns_transport.h
+++ b/src/test/check_getdns_context_set_dns_transport.h
@@ -148,7 +148,7 @@
        getdns_bindata *version_str = NULL;
 
        /* Note that stricly this test just establishes that the requested transport
-          and the reported transport are consistent, it does not guarentee which
+          and the reported transport are consistent, it does not guarantee which
           transport is used on the wire...*/
 
        CONTEXT_CREATE(TRUE);
diff --git a/src/test/tpkg/270-header-extension.tpkg/270-header-extension.c b/src/test/tpkg/270-header-extension.tpkg/270-header-extension.c
index e845299b..8c344304 100644
--- a/src/test/tpkg/270-header-extension.tpkg/270-header-extension.c
+++ b/src/test/tpkg/270-header-extension.tpkg/270-header-extension.c
@@ -85,7 +85,7 @@ int main()
 		fprintf(stderr, "Could not do lookup");
 
 	else if ((r = getdns_dict_remove_name(response, "replies_full")))
-		fprintf(stderr, "Could not remove reponse['replies_full']");
+		fprintf(stderr, "Could not remove response['replies_full']");
 
 	else if ((r = getdns_dict_remove_name(response, "/replies_tree/0/header/id")))
 		fprintf(stderr, "Could not remove ID from response");
diff --git a/src/test/tpkg/run-one.sh b/src/test/tpkg/run-one.sh
index 10795374..4791cb4a 100755
--- a/src/test/tpkg/run-one.sh
+++ b/src/test/tpkg/run-one.sh
@@ -3,7 +3,7 @@
 export SRCDIR=`dirname $0`
 . `dirname $0`/setup-env.sh
 
-# pass a single test name as the first paramter (without .tpgk extension)
+# pass a single test name as the first parameter (without .tpgk extension)
 ONE_TEST=$1
 shift
 
diff --git a/src/test/tpkg/tpkg b/src/test/tpkg/tpkg
index 3701b723..6fc905bc 100755
--- a/src/test/tpkg/tpkg
+++ b/src/test/tpkg/tpkg
@@ -83,7 +83,7 @@ function write_result() {
 }
 
 function epoch() {
-        # make this sorta portable allthough not needed now
+        # make this sorta portable although not needed now
         epoch=0
         case $OSTYPE in
                 linux*)
@@ -819,7 +819,7 @@ done
 
 # this enhances the template from above
 ## Post Processing of some of these variables
-# dsc_aux is a comma seperated list of files, max 8 files
+# dsc_aux is a comma separated list of files, max 8 files
 i=$( echo $dsc_aux | awk -F', ?' '{ print $1 "\n" $2 "\n" $3 "\n" $4 "\n" \
 $5 "\n" $6 "\n" $7 "\n" $8 }' )
 dsc_aux_files=($i)
@@ -833,7 +833,7 @@ dsc_cmddepends_files_total=${#dsc_cmddepends_files[*]}
 for i in ${dsc_cmddepends_files[*]}; do
         find_cmd $i
 done
-# depends can also be a comma seperated list of package
+# depends can also be a comma separated list of package
 # TODO 
 
 # check is the aux files are also really in the shar
diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 93970f7f..c5aa6741 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -715,7 +715,7 @@ static exit_value get_report_info(struct test_info_s *test_info,
                                            "expire=%s;",
                                            buf);
                         } else {
-                                printf("Certicate expires:\t%s UTC\n", buf);
+                                printf("Certificate expires:\t%s UTC\n", buf);
                         }
                 }
         }
@@ -1407,7 +1407,7 @@ static exit_value test_dnssec_validate(struct test_info_s *test_info,
 
         /*
          * Only now get report info from the first search, so that any
-         * verbose output appears after the context/reponse dumps.
+         * verbose output appears after the context/response dumps.
          */
         if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
                 return xit;
diff --git a/src/types-internal.h b/src/types-internal.h
index 76615625..b683ca67 100644
--- a/src/types-internal.h
+++ b/src/types-internal.h
@@ -246,7 +246,7 @@ typedef struct getdns_network_req
 	size_t                  debug_udp;
 
 	/* When more space is needed for the wire_data response than is
-	 * available in wire_data[], it will be allocated seperately.
+	 * available in wire_data[], it will be allocated separately.
 	 * response will then not point to wire_data anymore.
 	 */
 	uint8_t *query;
@@ -380,8 +380,8 @@ typedef struct getdns_dns_req {
 	 *
 	 * Memory for these netreqs has been allocated by the same malloc
 	 * operation that reserved space for this getdns_dns_req.
-	 * They will thus be freed as part of the desctruction of this struct,
-	 * and do not need to be freed seperately.
+	 * They will thus be freed as part of the destruction of this struct,
+	 * and do not need to be freed separately.
 	 */
 	getdns_network_req *netreqs[];
 

From abc69f96fefbadd0e28cd3c27f0011c297e33050 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 2 Mar 2018 11:15:45 +0100
Subject: [PATCH 094/303] Follow unsigned SOA's as insecure zonecut indication

Should resolve issue #385
---
 src/dnssec.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 3bf92d58..8ebafc5a 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -838,6 +838,10 @@ static void add_question2val_chain(struct mem_funcs *mf,
     const uint8_t *qname, uint16_t qtype, uint16_t qclass,
     getdns_network_req *netreq)
 {
+	_getdns_rrset_iter *i, i_spc;
+	_getdns_rrset *rrset;
+	_getdns_rrsig_iter rrsig_spc;
+
 	_getdns_rrset_spc q_rrset;
 	chain_head *head;
 
@@ -864,8 +868,25 @@ static void add_question2val_chain(struct mem_funcs *mf,
 	head = add_rrset2val_chain(mf, chain_p, &q_rrset.rrset, netreq);
 
 	/* On empty packet, find SOA (zonecut) for the qname */
-	if (head && GLDNS_ANCOUNT(pkt) == 0 && GLDNS_NSCOUNT(pkt) == 0)
+	if (head && GLDNS_ANCOUNT(pkt) == 0 && GLDNS_NSCOUNT(pkt) == 0) {
 		val_chain_sched_soa(head, q_rrset.rrset.name);
+		return;
+	}
+	/* Insecure SOA indicating a zonecut in the authority section?
+	 * Then schedule a DS query at the zonecut for insecure proof.
+	 */
+	for ( i = _getdns_rrset_iter_init(&i_spc, pkt, pkt_len
+	                                        , SECTION_AUTHORITY)
+	    ; i ; i = _getdns_rrset_iter_next(i)) {
+		rrset = _getdns_rrset_iter_value(i);
+		debug_sec_print_rrset("rrset: ", rrset);
+
+		if (rrset->rr_type != GETDNS_RRTYPE_SOA ||
+		    _getdns_rrsig_iter_init(&rrsig_spc, rrset))
+			continue;
+
+		val_chain_sched_ds(head, rrset->name);
+	}
 }
 
 

From e29cfb6b6a0afb21600a655a5ba6bbc0daf52ad9 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 2 Mar 2018 14:14:28 +0100
Subject: [PATCH 095/303] Query for DS i.s.o. SOA to find zonecuts

Because of broken setups that have zonecuts without SOA:

```
$ drill -T www.gslb.kpn.com A
.	518400	IN	NS	i.root-servers.net.
com.	172800	IN	NS	a.gtld-servers.net.
kpn.com.	172800	IN	NS	ns1.kpn.net.
kpn.com.	172800	IN	NS	ns2.kpn.net.
gslb.kpn.com.	3600	IN	NS	gss1.kpn.com.
gslb.kpn.com.	3600	IN	NS	gss2.kpn.com.
www.gslb.kpn.com.	10	IN	A	145.7.170.135
```

but

```
$ drill gslb.kpn.com SOA
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 48303
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; gslb.kpn.com.	IN	SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 8 msec
;; SERVER: 185.49.140.100
;; WHEN: Fri Mar  2 14:13:21 2018
;; MSG SIZE  rcvd: 30
```
---
 src/dnssec.c | 137 ++++++---------------------------------------------
 1 file changed, 14 insertions(+), 123 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 8ebafc5a..6a434f08 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -506,8 +506,6 @@ struct chain_node {
 	getdns_network_req *ds_req;
 	int                 ds_signer;
 
-	getdns_network_req *soa_req;
-
 	chain_head  *chains;
 };
 
@@ -521,7 +519,6 @@ struct chain_node {
 static void val_chain_sched(chain_head *head, const uint8_t *dname);
 static void val_chain_sched_ds(chain_head *head, const uint8_t *dname);
 static void val_chain_sched_signer(chain_head *head, _getdns_rrsig_iter *rrsig);
-static void val_chain_sched_soa(chain_head *head, const uint8_t *dname);
 
 static chain_head *add_rrset2val_chain(struct mem_funcs *mf,
     chain_head **chain_p, _getdns_rrset *rrset, getdns_network_req *netreq)
@@ -663,7 +660,6 @@ static chain_head *add_rrset2val_chain(struct mem_funcs *mf,
 		node->dnskey.sections = head->rrset.sections;
 		node->ds_req          = NULL;
 		node->dnskey_req      = NULL;
-		node->soa_req         = NULL;
 		node->ds_signer       = -1;
 		node->dnskey_signer   = -1;
 
@@ -822,9 +818,9 @@ static void add_pkt2val_chain(struct mem_funcs *mf,
 		if (rrset->rr_type == GETDNS_RRTYPE_SOA)
 			val_chain_sched_ds(head, rrset->name);
 		else if (rrset->rr_type == GETDNS_RRTYPE_CNAME)
-			val_chain_sched_soa(head, rrset->name + *rrset->name + 1);
+			val_chain_sched_ds(head, rrset->name + *rrset->name + 1);
 		else
-			val_chain_sched_soa(head, rrset->name);
+			val_chain_sched_ds(head, rrset->name);
 	}
 }
 
@@ -841,6 +837,7 @@ static void add_question2val_chain(struct mem_funcs *mf,
 	_getdns_rrset_iter *i, i_spc;
 	_getdns_rrset *rrset;
 	_getdns_rrsig_iter rrsig_spc;
+	size_t n_soas;
 
 	_getdns_rrset_spc q_rrset;
 	chain_head *head;
@@ -867,26 +864,29 @@ static void add_question2val_chain(struct mem_funcs *mf,
 	debug_sec_print_rrset("Adding NX rrset: ", &q_rrset.rrset);
 	head = add_rrset2val_chain(mf, chain_p, &q_rrset.rrset, netreq);
 
-	/* On empty packet, find SOA (zonecut) for the qname */
-	if (head && GLDNS_ANCOUNT(pkt) == 0 && GLDNS_NSCOUNT(pkt) == 0) {
-		val_chain_sched_soa(head, q_rrset.rrset.name);
-		return;
-	}
 	/* Insecure SOA indicating a zonecut in the authority section?
 	 * Then schedule a DS query at the zonecut for insecure proof.
 	 */
+	n_soas = 0;
 	for ( i = _getdns_rrset_iter_init(&i_spc, pkt, pkt_len
 	                                        , SECTION_AUTHORITY)
 	    ; i ; i = _getdns_rrset_iter_next(i)) {
 		rrset = _getdns_rrset_iter_value(i);
 		debug_sec_print_rrset("rrset: ", rrset);
 
-		if (rrset->rr_type != GETDNS_RRTYPE_SOA ||
-		    _getdns_rrsig_iter_init(&rrsig_spc, rrset))
+		if (rrset->rr_type != GETDNS_RRTYPE_SOA)
+			continue;
+
+		n_soas += 1;
+
+		if (_getdns_rrsig_iter_init(&rrsig_spc, rrset))
 			continue;
 
 		val_chain_sched_ds(head, rrset->name);
 	}
+	/* No answer and no SOA indicating a zonecut? Find zonecut */
+	if (n_soas == 0)
+		val_chain_sched_ds(head, q_rrset.rrset.name);
 }
 
 
@@ -908,55 +908,6 @@ static getdns_dict *CD_extension(getdns_dns_req *dnsreq)
 }
 
 static void check_chain_complete(chain_head *chain);
-static void val_chain_node_soa_cb(getdns_dns_req *dnsreq);
-static void val_chain_sched_soa_node(chain_node *node)
-{
-	getdns_context *context;
-	getdns_eventloop *loop;
-	char  name[1024];
-
-	context = node->chains->netreq->owner->context;
-	loop    = node->chains->netreq->owner->loop;
-
-	if (!gldns_wire2str_dname_buf(
-	    (UNCONST_UINT8_p)node->ds.name, 256, name, sizeof(name)))
-		return;
-
-	DEBUG_SEC("schedule SOA lookup for %s\n", name);
-
-	node->lock++;
-	if (! node->soa_req &&
-	    _getdns_general_loop(context, loop, name, GETDNS_RRTYPE_SOA,
-	    CD_extension(node->chains->netreq->owner), node, &node->soa_req,
-	    NULL, val_chain_node_soa_cb))
-
-		node->soa_req     = NULL;
-
-	if (node->lock) node->lock--;
-}
-
-/* A SOA lookup is scheduled as a last resort.  No signatures were found and
- * no SOA in the authority section.  If a SOA query returns an actual SOA
- * answer, then a DS/DNSKEY lookup will follow the acquire the link of the
- * authentication chain.
- */
-static void val_chain_sched_soa(chain_head *head, const uint8_t *dname)
-{
-	chain_node *node;
-
-	if (!head->netreq)
-		return;
-
-	if (!*dname)
-		return;
-
-	for ( node = head->parent
-	    ; node && !_dname_equal(dname, node->ds.name)
-	    ; node = node->parent);
-
-	if (node)
-		val_chain_sched_soa_node(node);
-}
 
 static chain_head *_dnskey_query(const chain_node *node)
 {
@@ -1145,60 +1096,13 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq)
 		/* No signed DS and no signed proof of non-existance.
 		 * Search further up the tree...
 		 */
-		val_chain_sched_soa_node(node->parent);
+		val_chain_sched_ds_node(node->parent);
 
 	if (node->lock) node->lock--;
 	check_chain_complete(node->chains);
 }
 
 
-static void val_chain_node_soa_cb(getdns_dns_req *dnsreq)
-{
-	chain_node *node = (chain_node *)dnsreq->user_pointer;
-	getdns_network_req *netreq = dnsreq->netreqs[0];
-	_getdns_rrset_iter i_spc, *i;
-	_getdns_rrset *rrset;
-
-	/* A SOA query is always scheduled with a node as the user argument.
-	 */
-	assert(node != NULL);
-
-	for ( i = _getdns_rrset_iter_init(&i_spc, netreq->response
-	                                        , netreq->response_len
-	                                        , SECTION_ANSWER)
-	    ; i
-	    ; i = _getdns_rrset_iter_next(i)) {
-
-		rrset = _getdns_rrset_iter_value(i);
-		if (rrset->rr_type != GETDNS_RRTYPE_SOA)
-			continue;
-
-		while (node &&
-		    ! _dname_equal(node->ds.name, rrset->name))
-			node = node->parent;
-
-		if (node) {
-			node->lock++;
-			val_chain_sched_ds_node(node);
-		} else {
-			/* SOA for a different name */
-			node = (chain_node *)dnsreq->user_pointer;
-			if (node->parent) {
-				node->lock++;
-				val_chain_sched_soa_node(node->parent);
-			}
-		}
-		break;
-	}
-	if (!i && node->parent) {
-		node->lock++;
-		val_chain_sched_soa_node(node->parent);
-	}
-	if (node->lock) node->lock--;
-	check_chain_complete(node->chains);
-}
-
-
 /***************************  DNSSEC Validation  *****************************
  *****************************************************************************/
 
@@ -2923,9 +2827,6 @@ static size_t count_outstanding_requests(chain_head *head)
 
 		if (!_getdns_netreq_finished(node->ds_req))
 			count++;
-
-		if (!_getdns_netreq_finished(node->soa_req))
-			count++;
 	}
 	return count + count_outstanding_requests(head->next);
 }
@@ -3433,12 +3334,6 @@ void _getdns_validation_chain_timeout(getdns_dns_req *dnsreq)
 				    node->ds_req->owner);
 				node->ds_req = NULL;
 			}
-
-			if (!_getdns_netreq_finished(node->soa_req)) {
-				_getdns_context_cancel_request(
-				    node->soa_req->owner);
-				node->soa_req = NULL;
-			}
 		}
 		head = next;
 	}
@@ -3478,10 +3373,6 @@ void _getdns_cancel_validation_chain(getdns_dns_req *dnsreq)
 			if (node->ds_req)
 				_getdns_context_cancel_request(
 				    node->ds_req->owner);
-
-			if (node->soa_req)
-				_getdns_context_cancel_request(
-				    node->soa_req->owner);
 		}
 		GETDNS_FREE(head->my_mf, head);
 		head = next;

From b178f945054001edae20a7c0b853ed78603bdbee Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 2 Mar 2018 15:56:00 +0100
Subject: [PATCH 096/303] Don't retry an already tried upstream

---
 src/request-internal.c | 1 +
 src/stub.c             | 5 +++++
 src/types-internal.h   | 1 +
 3 files changed, 7 insertions(+)

diff --git a/src/request-internal.c b/src/request-internal.c
index 8b5dafdb..ed6f9612 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -201,6 +201,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
 
 	/* state variables from the resolver, don't touch
 	 */
+	net_req->first_upstream = NULL;
 	net_req->upstream = NULL;
 	net_req->fd = -1;
 	net_req->transport_current = 0;
diff --git a/src/stub.c b/src/stub.c
index d24aa6fa..5da85daf 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -2296,8 +2296,13 @@ upstream_find_for_netreq(getdns_network_req *netreq)
 				return STUB_TRY_AGAIN_LATER;
 			return -1;
 		}
+		if (upstream == netreq->first_upstream)
+			continue;
+
 		netreq->transport_current = i;
 		netreq->upstream = upstream;
+		if (!netreq->first_upstream)
+			netreq->first_upstream = upstream;
 		netreq->keepalive_sent = 0;
 
 		DEBUG_STUB("%s %-35s: MSG: %p found upstream %p with transport %d, fd: %d\n", STUB_DEBUG_SCHEDULE, __FUNC__, (void*)netreq, (void *)upstream, (int)netreq->transports[i], fd);
diff --git a/src/types-internal.h b/src/types-internal.h
index 76615625..10efae7f 100644
--- a/src/types-internal.h
+++ b/src/types-internal.h
@@ -221,6 +221,7 @@ typedef struct getdns_network_req
 	getdns_redirects_t      follow_redirects;
 
 	/* For stub resolving */
+	struct getdns_upstream *first_upstream;
 	struct getdns_upstream *upstream;
 	int                     fd;
 	getdns_transport_list_t transports[GETDNS_TRANSPORTS_MAX];

From 0ff1839a6f34a251e1fd0f7668a3779eb48f6e20 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 2 Mar 2018 23:31:33 +0100
Subject: [PATCH 097/303] Upstream reset on searchpath retry

---
 src/request-internal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/request-internal.c b/src/request-internal.c
index ed6f9612..aeabe4f7 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -134,6 +134,7 @@ netreq_reset(getdns_network_req *net_req)
 	uint8_t *buf;
 	/* variables that need to be reset on reinit 
 	 */
+	net_req->first_upstream = NULL;
 	net_req->unbound_id = -1;
 	_getdns_netreq_change_state(net_req, NET_REQ_NOT_SENT);
 	if (net_req->query_id_registered) {
@@ -201,7 +202,6 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
 
 	/* state variables from the resolver, don't touch
 	 */
-	net_req->first_upstream = NULL;
 	net_req->upstream = NULL;
 	net_req->fd = -1;
 	net_req->transport_current = 0;

From 984aeefab29496cf7db62a98e65e1ee54af92e93 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 11:26:20 +0100
Subject: [PATCH 098/303] Setup branch for the 1.4.1 release

---
 .gitignore   |  1 +
 ChangeLog    |  3 +++
 configure.ac | 14 ++++++++------
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/.gitignore b/.gitignore
index c78d500d..def15ebb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,6 +39,7 @@ src/test/check_getdns_ev
 src/test/scratchpad
 src/test/scratchpad.c
 src/tools/getdns_query
+src/tools/getdns_server_mon
 src/stubby
 doc/*.3
 src/getdns/getdns.h
diff --git a/ChangeLog b/ChangeLog
index 68763db7..fc21a6d4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+* 2018-03-??: Version 1.4.1
+  * 
+
 * 2018-02-21: Version 1.4.0
   * .so revision bump to please fedora packaging system.
     Thanks Paul Wouters
diff --git a/configure.ac b/configure.ac
index 07445b82..1bba9a5f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
-AC_INIT([getdns], [1.4.0], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
+AC_INIT([getdns], [1.4.1], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
 
 # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
 # patched to do the same, but frequently (MacOS) not. So add a with option
@@ -52,7 +52,8 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Dont forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [])
+AC_SUBST(RELEASE_CANDIDATE, [rc1])
+AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
@@ -62,13 +63,13 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01040000])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010400c1])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
 
 AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package])
-AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.2$RELEASE_CANDIDATE"], [Stubby package string])
+AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.2$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
 
 # Library version
 # ---------------
@@ -102,9 +103,10 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.2$RELEASE_CANDIDATE"], [Stubby
 # getdns-1.2.0 had libversion 8:0:2
 # getdns-1.2.1 had libversion 8:1:2
 # getdns-1.3.0 had libversion 9:0:3
-# getdns-1.4.0 has libversion 10:0:0
+# getdns-1.4.0 had libversion 10:0:0
+# getdns-1.4.1 will have libversion 10:1:0
 #
-GETDNS_LIBVERSION=10:0:0
+GETDNS_LIBVERSION=10:1:0
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
 AC_SUBST(GETDNS_LIBVERSION)

From bedc4ba0bb517ccdb9260f0dd9f6e167bd5f878a Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 11:30:18 +0100
Subject: [PATCH 099/303] Bugfix #382: Parallel install of getdns_query and
 getdns_server_mon

---
 ChangeLog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index fc21a6d4..7fa45b45 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,5 @@
 * 2018-03-??: Version 1.4.1
-  * 
+  * Bugfix #382: Parallel install of getdns_query and getdns_server_mon
 
 * 2018-02-21: Version 1.4.0
   * .so revision bump to please fedora packaging system.

From 1dd5f4dc165c4012f5b147f4bb3b9b0ff4b1a3ff Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 11:34:32 +0100
Subject: [PATCH 100/303] PR #384: Fix minor spelling and formatting. Thanks
 dkg

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index ffa44e79..5aea0b20 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 * 2018-03-??: Version 1.4.1
+  * PR #384: Fix minor spelling and formatting.  Thanks dkg.
   * Bugfix #382: Parallel install of getdns_query and getdns_server_mon
 
 * 2018-02-21: Version 1.4.0

From 9da06230d9d74bee560526dd4d4abd99f5a66b1e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 11:51:31 +0100
Subject: [PATCH 101/303] DNSSEC issues from PR #389

---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 5aea0b20..f47fbe98 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
 * 2018-03-??: Version 1.4.1
+  * Bugfix: Find zonecut with DS queries (instead of SOA queries).
+    Thanks Elmer Lastdrager
+  * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
+    Thanks hanvinke
   * PR #384: Fix minor spelling and formatting.  Thanks dkg.
   * Bugfix #382: Parallel install of getdns_query and getdns_server_mon
 

From d1aa3922fedf4174f38bc3898e9ec9cde141d594 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 11:53:03 +0100
Subject: [PATCH 102/303] Bugfix #388

---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index f47fbe98..6225b456 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 * 2018-03-??: Version 1.4.1
+  * Bugfix #388: Prevent fallback to an earlier tries upstream within a
+    single query.  Thanks Robert Groenenberg.
   * Bugfix: Find zonecut with DS queries (instead of SOA queries).
     Thanks Elmer Lastdrager
   * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).

From a0fb2c8424daf2cc01f8b977a5823fba49ddd55f Mon Sep 17 00:00:00 2001
From: Robert Groenenberg <Robert.Groenenberg@broadforward.com>
Date: Mon, 26 Feb 2018 16:41:13 +0100
Subject: [PATCH 103/303] Limit back_off value to avoid very long retry
 interval

---
 src/context.c                | 29 +++++++++++++++++++++++++++++
 src/context.h                |  2 ++
 src/getdns/getdns_extra.h.in | 31 ++++++++++++++++++++++++++++++-
 src/libgetdns.symbols        |  2 ++
 src/stub.c                   |  9 +++++++--
 5 files changed, 70 insertions(+), 3 deletions(-)

diff --git a/src/context.c b/src/context.c
index 17b087dd..5baa8771 100644
--- a/src/context.c
+++ b/src/context.c
@@ -679,6 +679,7 @@ upstreams_create(getdns_context *context, size_t size)
 	r->count = 0;
 	r->current_udp = 0;
 	r->current_stateful = 0;
+    r->max_backoff_value = context->max_backoff_value;
 	r->tls_backoff_time = context->tls_backoff_time;
 	r->tls_connection_retries = context->tls_connection_retries;
 	r->log = context->log;
@@ -1664,6 +1665,7 @@ getdns_context_create_with_extended_memory_functions(
 	result->tls_backoff_time = 3600;
 	result->tls_connection_retries = 2;
 	result->limit_outstanding_queries = 0;
+    result->max_backoff_value = 1000;
 
 	/* unbound context is initialized here */
 	/* Unbound needs SSL to be init'ed this early when TLS is used. However we
@@ -2362,6 +2364,22 @@ getdns_context_set_round_robin_upstreams(getdns_context *context, uint8_t value)
     return GETDNS_RETURN_GOOD;
 }               /* getdns_context_set_round_robin_upstreams */
 
+/*
+ * getdns_context_set_max_backoff_value
+ *
+ */
+getdns_return_t
+getdns_context_set_max_backoff_value(getdns_context *context, uint16_t value)
+{
+    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
+
+    context->max_backoff_value = value;
+
+    dispatch_updated(context, GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE);
+
+    return GETDNS_RETURN_GOOD;
+}               /* getdns_context_set_max_backoff_value */
+
 /*
  * getdns_context_set_tls_backoff_time
  *
@@ -3931,6 +3949,8 @@ _get_context_settings(getdns_context* context)
 	                           context->tls_auth)
 	    || getdns_dict_set_int(result, "round_robin_upstreams",
 	                           context->round_robin_upstreams)
+	    || getdns_dict_set_int(result, "max_backoff_value",
+	                           context->max_backoff_value)
 	    || getdns_dict_set_int(result, "tls_backoff_time",
 	                           context->tls_backoff_time)
 	    || getdns_dict_set_int(result, "tls_connection_retries",
@@ -4378,6 +4398,15 @@ getdns_context_get_round_robin_upstreams(getdns_context *context,
     return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t
+getdns_context_get_max_backoff_value(getdns_context *context,
+    uint16_t* value) {
+    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
+    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
+    *value = context->max_backoff_value;
+    return GETDNS_RETURN_GOOD;
+}
+
 getdns_return_t
 getdns_context_get_tls_backoff_time(getdns_context *context,
     uint16_t* value) {
diff --git a/src/context.h b/src/context.h
index 30315b98..27dd2bee 100644
--- a/src/context.h
+++ b/src/context.h
@@ -263,6 +263,7 @@ typedef struct getdns_upstreams {
 	size_t count;
 	size_t current_udp;
 	size_t current_stateful;
+    uint16_t max_backoff_value;
 	uint16_t tls_backoff_time;
 	uint16_t tls_connection_retries;
 	getdns_log_config log;
@@ -357,6 +358,7 @@ struct getdns_context {
 	getdns_tls_authentication_t  tls_auth;  /* What user requested for TLS*/
 	getdns_tls_authentication_t  tls_auth_min; /* Derived minimum auth allowed*/
 	uint8_t              round_robin_upstreams;
+    uint16_t             max_backoff_value;
 	uint16_t             tls_backoff_time;
 	uint16_t             tls_connection_retries;
 
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 0859b6b0..01ef2f07 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -103,6 +103,9 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST 634
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
 
+#define GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE 635
+#define GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT "Change related to getdns_context_set_max_backoff_value"
+
 /** @}
   */
 
@@ -768,6 +771,19 @@ getdns_return_t
 getdns_context_set_tls_curves_list(
     getdns_context *context, const char *curves_list);
 
+/**
+ * Set the maximum number of messages that can be sent to other upstreams
+ * before the upstream which has previously timed out will be tried again.
+ * @see getdns_context_get_max_backoff_value
+ * @param[in] context  The context to configure
+ * @param[in[ value    Number of messages sent to other upstreams before 
+ *                     retrying the upstream which had timed out.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
+getdns_return_t
+getdns_context_set_max_backoff_value(getdns_context *context, uint16_t value);
+
 
 /**
  * Get the current resolution type setting from this context.
@@ -1076,7 +1092,7 @@ getdns_context_get_tls_authentication(getdns_context *context,
 /**
  * Get whether the context is configured to round robin queries over the available
  * upstreams.
- * @see getdns_context_get_round_robin_upstreams
+ * @see getdns_context_set_round_robin_upstreams
  * @param[in]  context The context from which to get the setting
  * @param[out] value 1 if the setting is on, 0 otherwise
  * @return GETDNS_RETURN_GOOD when successful
@@ -1303,6 +1319,19 @@ getdns_return_t
 getdns_context_get_tls_curves_list(
     getdns_context *context, const char **curves_list);
 
+/**
+ * Get the maximum number of messages that can be sent to other upstreams
+ * before the upstream which has previously timed out will be tried again.
+ * @see getdns_context_set_max_backoff_value
+ * @param[in]  context  The context from which to get the setting
+ * @param[out] value    Number of messages sent to other upstreams before 
+ *                      retrying the upstream which had timed out.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
+getdns_return_t
+getdns_context_get_max_backoff_value(getdns_context *context,
+    uint16_t* value);
 
 /** @}
  */
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index ccbff42a..991ffcfc 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@@ -29,6 +29,7 @@ getdns_context_get_num_pending_requests
 getdns_context_get_resolution_type
 getdns_context_get_resolvconf
 getdns_context_get_round_robin_upstreams
+getdns_context_get_max_backoff_value
 getdns_context_get_suffix
 getdns_context_get_timeout
 getdns_context_get_tls_authentication
@@ -73,6 +74,7 @@ getdns_context_set_resolution_type
 getdns_context_set_resolvconf
 getdns_context_set_return_dnssec_status
 getdns_context_set_round_robin_upstreams
+getdns_context_set_max_backoff_value
 getdns_context_set_suffix
 getdns_context_set_timeout
 getdns_context_set_tls_authentication
diff --git a/src/stub.c b/src/stub.c
index 8f52ab4b..0152325f 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -460,8 +460,13 @@ stub_next_upstream(getdns_network_req *netreq)
 {
 	getdns_dns_req *dnsreq = netreq->owner;
 
-	if (! --netreq->upstream->to_retry) 
-		netreq->upstream->to_retry = -(netreq->upstream->back_off *= 2);
+	if (! --netreq->upstream->to_retry) {
+        /* Limit back_off value to configured maximum */
+        if (netreq->upstream->back_off * 2 > dnsreq->context->max_backoff_value)
+            netreq->upstream->to_retry = -(dnsreq->context->max_backoff_value);
+        else
+            netreq->upstream->to_retry = -(netreq->upstream->back_off *= 2);
+    }
 
 	dnsreq->upstreams->current_udp+=GETDNS_UPSTREAM_TRANSPORTS;
 	if (dnsreq->upstreams->current_udp >= dnsreq->upstreams->count)

From f787c87137cd2a5e6d7ae31dfdbed569a26900ec Mon Sep 17 00:00:00 2001
From: Robert Groenenberg <Robert.Groenenberg@broadforward.com>
Date: Mon, 26 Feb 2018 16:42:51 +0100
Subject: [PATCH 104/303] Reset back_off on successful query

---
 src/stub.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/stub.c b/src/stub.c
index 0152325f..8d43aba0 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1595,6 +1595,7 @@ stub_udp_read_cb(void *userarg)
 	netreq->debug_end_time = _getdns_get_time_as_uintt64();
 	_getdns_netreq_change_state(netreq, NET_REQ_FINISHED);
 	upstream->udp_responses++;
+    upstream->back_off = 1;
 	if (upstream->udp_responses == 1 || 
 	    upstream->udp_responses % 100 == 0)
 		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_INFO,

From eec6ec29dd891b900c21ddf7bd1b42200a6b771a Mon Sep 17 00:00:00 2001
From: Robert Groenenberg <Robert.Groenenberg@broadforward.com>
Date: Mon, 26 Feb 2018 16:46:57 +0100
Subject: [PATCH 105/303] [UDP] try upstreams in round-robin fashion when all
 yupstreams have failed

---
 src/stub.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index 8d43aba0..f7818cbc 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -2158,6 +2158,7 @@ upstream_select_stateful(getdns_network_req *netreq, getdns_transport_list_t tra
 	return upstream;
 }
 
+/* Used for UDP only */
 static getdns_upstream *
 upstream_select(getdns_network_req *netreq)
 {
@@ -2167,6 +2168,7 @@ upstream_select(getdns_network_req *netreq)
 
 	if (!upstreams->count)
 		return NULL;
+
 	/* First UPD/TCP upstream is always at i=0 and then start of each upstream block*/
 	/* TODO: Have direct access to sets of upstreams for different transports*/
 	for (i = 0; i < upstreams->count; i+=GETDNS_UPSTREAM_TRANSPORTS)
@@ -2184,14 +2186,17 @@ upstream_select(getdns_network_req *netreq)
 			i = 0;
 	} while (i != upstreams->current_udp);
 
+    /* Select upstream with the lowest back_off value */
 	upstream = upstreams->upstreams;
 	for (i = 0; i < upstreams->count; i+=GETDNS_UPSTREAM_TRANSPORTS)
-		if (upstreams->upstreams[i].back_off <
-		    upstream->back_off)
+		if (upstreams->upstreams[i].back_off < upstream->back_off)
 			upstream = &upstreams->upstreams[i];
 
-	if (upstream->back_off > 1)
-		upstream->back_off--;
+    /* Restrict back_off in case no upstream is available to achieve
+       (more or less) round-robin retry on all upstreams. */
+    if (upstream->back_off > 4)
+        for (i = 0; i < upstreams->count; i+=GETDNS_UPSTREAM_TRANSPORTS)
+            upstreams->upstreams[i].back_off = 2;
 	upstream->to_retry = 1;
 	upstreams->current_udp = upstream - upstreams->upstreams;
 	return upstream;

From 8a2fc5f5a91ad28945e800ca45fac80865dd8006 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 12:42:27 +0100
Subject: [PATCH 106/303] max_udp_backoff should not be public

At least, not with this point release
---
 configure.ac                 |  4 ++++
 src/const-info.c             |  2 ++
 src/const-info.h             |  8 ++++++++
 src/context.c                | 27 ++++++++++++++++++++++-----
 src/getdns/getdns_extra.h.in | 31 -------------------------------
 src/libgetdns.symbols        |  2 --
 src/mk-const-info.c.sh       |  4 ++--
 src/stub.c                   | 13 +++++++------
 8 files changed, 45 insertions(+), 46 deletions(-)

diff --git a/configure.ac b/configure.ac
index 5a83c489..044d5b93 100644
--- a/configure.ac
+++ b/configure.ac
@@ -379,6 +379,10 @@ no)
 	;;
 esac
 
+AC_ARG_WITH(max-udp-backoff, AS_HELP_STRING([--with-max-udp-backoff=<number of queries>],
+    [Set the maximum number of messages that can be sent to other upstreams before the upstream which has previously timed out will be tried again. (defaults to 1000)]),, [withval="1000"])
+AC_DEFINE_UNQUOTED([UDP_MAX_BACKOFF], [$withval], [Maximum number of queries an failed UDP upstream passes before it will retry])
+
 #---- check for pthreads library
 AC_ARG_WITH(libpthread, AS_HELP_STRING([--without-libpthread],
 	[Disable libpthread (default is autodetect)]),
diff --git a/src/const-info.c b/src/const-info.c
index d3da5323..644676e6 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -93,6 +93,7 @@ static struct const_info consts_info[] = {
 	{     632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT },
 	{     633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
 	{     634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT },
+	{     699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
 	{     702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT },
@@ -176,6 +177,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_HOSTS", 630 },
 	{ "GETDNS_CONTEXT_CODE_IDLE_TIMEOUT", 617 },
 	{ "GETDNS_CONTEXT_CODE_LIMIT_OUTSTANDING_QUERIES", 606 },
+	{ "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", 699 },
 	{ "GETDNS_CONTEXT_CODE_MEMORY_FUNCTIONS", 615 },
 	{ "GETDNS_CONTEXT_CODE_NAMESPACES", 600 },
 	{ "GETDNS_CONTEXT_CODE_PUBKEY_PINSET", 621 },
diff --git a/src/const-info.h b/src/const-info.h
index 379e2512..a6eed1d9 100644
--- a/src/const-info.h
+++ b/src/const-info.h
@@ -39,6 +39,14 @@
 #ifndef CONST_INFO_H_
 #define CONST_INFO_H_
 
+#include "getdns/getdns.h"
+#include "getdns/getdns_extra.h"
+
+#ifndef GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE
+#define GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE 699
+#define GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT "Change related to getdns_context_set_max_backoff_value"
+#endif
+
 struct const_info {
 	int code;
 	const char *name;
diff --git a/src/context.c b/src/context.c
index 5baa8771..39d54bbb 100644
--- a/src/context.c
+++ b/src/context.c
@@ -93,6 +93,7 @@ typedef unsigned short in_port_t;
 #ifdef USE_DANESSL
 # include "ssl_dane/danessl.h"
 #endif
+#include "const-info.h"
 
 #define GETDNS_PORT_ZERO 0
 #define GETDNS_PORT_DNS 53
@@ -679,7 +680,7 @@ upstreams_create(getdns_context *context, size_t size)
 	r->count = 0;
 	r->current_udp = 0;
 	r->current_stateful = 0;
-    r->max_backoff_value = context->max_backoff_value;
+	r->max_backoff_value = context->max_backoff_value;
 	r->tls_backoff_time = context->tls_backoff_time;
 	r->tls_connection_retries = context->tls_connection_retries;
 	r->log = context->log;
@@ -1665,7 +1666,7 @@ getdns_context_create_with_extended_memory_functions(
 	result->tls_backoff_time = 3600;
 	result->tls_connection_retries = 2;
 	result->limit_outstanding_queries = 0;
-    result->max_backoff_value = 1000;
+	result->max_backoff_value = UDP_MAX_BACKOFF;
 
 	/* unbound context is initialized here */
 	/* Unbound needs SSL to be init'ed this early when TLS is used. However we
@@ -2364,9 +2365,15 @@ getdns_context_set_round_robin_upstreams(getdns_context *context, uint8_t value)
     return GETDNS_RETURN_GOOD;
 }               /* getdns_context_set_round_robin_upstreams */
 
-/*
- * getdns_context_set_max_backoff_value
- *
+/**
+ * Set the maximum number of messages that can be sent to other upstreams
+ * before the upstream which has previously timed out will be tried again.
+ * @see getdns_context_get_max_backoff_value
+ * @param[in] context  The context to configure
+ * @param[in[ value    Number of messages sent to other upstreams before 
+ *                     retrying the upstream which had timed out.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
  */
 getdns_return_t
 getdns_context_set_max_backoff_value(getdns_context *context, uint16_t value)
@@ -4398,6 +4405,16 @@ getdns_context_get_round_robin_upstreams(getdns_context *context,
     return GETDNS_RETURN_GOOD;
 }
 
+/**
+ * Get the maximum number of messages that can be sent to other upstreams
+ * before the upstream which has previously timed out will be tried again.
+ * @see getdns_context_set_max_backoff_value
+ * @param[in]  context  The context from which to get the setting
+ * @param[out] value    Number of messages sent to other upstreams before 
+ *                      retrying the upstream which had timed out.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
 getdns_return_t
 getdns_context_get_max_backoff_value(getdns_context *context,
     uint16_t* value) {
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 01ef2f07..98abd0c2 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -103,9 +103,6 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST 634
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
 
-#define GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE 635
-#define GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT "Change related to getdns_context_set_max_backoff_value"
-
 /** @}
   */
 
@@ -771,20 +768,6 @@ getdns_return_t
 getdns_context_set_tls_curves_list(
     getdns_context *context, const char *curves_list);
 
-/**
- * Set the maximum number of messages that can be sent to other upstreams
- * before the upstream which has previously timed out will be tried again.
- * @see getdns_context_get_max_backoff_value
- * @param[in] context  The context to configure
- * @param[in[ value    Number of messages sent to other upstreams before 
- *                     retrying the upstream which had timed out.
- * @return GETDNS_RETURN_GOOD on success
- * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
- */
-getdns_return_t
-getdns_context_set_max_backoff_value(getdns_context *context, uint16_t value);
-
-
 /**
  * Get the current resolution type setting from this context.
  * @see getdns_context_set_resolution_type
@@ -1319,20 +1302,6 @@ getdns_return_t
 getdns_context_get_tls_curves_list(
     getdns_context *context, const char **curves_list);
 
-/**
- * Get the maximum number of messages that can be sent to other upstreams
- * before the upstream which has previously timed out will be tried again.
- * @see getdns_context_set_max_backoff_value
- * @param[in]  context  The context from which to get the setting
- * @param[out] value    Number of messages sent to other upstreams before 
- *                      retrying the upstream which had timed out.
- * @return GETDNS_RETURN_GOOD on success
- * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
- */
-getdns_return_t
-getdns_context_get_max_backoff_value(getdns_context *context,
-    uint16_t* value);
-
 /** @}
  */
 
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index 991ffcfc..ccbff42a 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@@ -29,7 +29,6 @@ getdns_context_get_num_pending_requests
 getdns_context_get_resolution_type
 getdns_context_get_resolvconf
 getdns_context_get_round_robin_upstreams
-getdns_context_get_max_backoff_value
 getdns_context_get_suffix
 getdns_context_get_timeout
 getdns_context_get_tls_authentication
@@ -74,7 +73,6 @@ getdns_context_set_resolution_type
 getdns_context_set_resolvconf
 getdns_context_set_return_dnssec_status
 getdns_context_set_round_robin_upstreams
-getdns_context_set_max_backoff_value
 getdns_context_set_suffix
 getdns_context_set_timeout
 getdns_context_set_tls_authentication
diff --git a/src/mk-const-info.c.sh b/src/mk-const-info.c.sh
index 715719ef..3a47c103 100755
--- a/src/mk-const-info.c.sh
+++ b/src/mk-const-info.c.sh
@@ -14,7 +14,7 @@ cat > const-info.c << END_OF_HEAD
 static struct const_info consts_info[] = {
 	{   -1, NULL, "/* <unknown getdns value> */" },
 END_OF_HEAD
-gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in | sed 's/,,/,/g' >> const-info.c
+gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 
@@ -49,7 +49,7 @@ getdns_get_errorstr_by_id(uint16_t err)
 
 static struct const_name_info consts_name_info[] = {
 END_OF_TAIL
-gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in | sed 's/,,/,/g' >> const-info.c
+gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 
diff --git a/src/stub.c b/src/stub.c
index f7818cbc..437c19cc 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -2186,17 +2186,18 @@ upstream_select(getdns_network_req *netreq)
 			i = 0;
 	} while (i != upstreams->current_udp);
 
-    /* Select upstream with the lowest back_off value */
+	/* Select upstream with the lowest back_off value */
 	upstream = upstreams->upstreams;
 	for (i = 0; i < upstreams->count; i+=GETDNS_UPSTREAM_TRANSPORTS)
 		if (upstreams->upstreams[i].back_off < upstream->back_off)
 			upstream = &upstreams->upstreams[i];
 
-    /* Restrict back_off in case no upstream is available to achieve
-       (more or less) round-robin retry on all upstreams. */
-    if (upstream->back_off > 4)
-        for (i = 0; i < upstreams->count; i+=GETDNS_UPSTREAM_TRANSPORTS)
-            upstreams->upstreams[i].back_off = 2;
+	/* Restrict back_off in case no upstream is available to achieve
+	   (more or less) round-robin retry on all upstreams. */
+	if (upstream->back_off > 4) {
+		for (i = 0; i < upstreams->count; i+=GETDNS_UPSTREAM_TRANSPORTS)
+			upstreams->upstreams[i].back_off = 2;
+	}
 	upstream->to_retry = 1;
 	upstreams->current_udp = upstream - upstreams->upstreams;
 	return upstream;

From 1bc056ee70a41b23d479f156a30adfdb1eba3fc4 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 12:47:51 +0100
Subject: [PATCH 107/303] PR #386 in ChangeLog

---
 ChangeLog | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 6225b456..ec034232 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,12 @@
 * 2018-03-??: Version 1.4.1
+  * PR #386: UDP failover improvements:
+    - When all UDP upstreams fail, retry them (more or less) equally
+    - Limit maximum UDP backoff (default to 1000)
+      This is configurable with the --with-max-udp-backoff configure
+      option.
+    Thanks Robert Groenenberg
   * Bugfix #388: Prevent fallback to an earlier tries upstream within a
-    single query.  Thanks Robert Groenenberg.
+    single query.  Thanks Robert Groenenberg
   * Bugfix: Find zonecut with DS queries (instead of SOA queries).
     Thanks Elmer Lastdrager
   * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).

From 06e1c741e815bb6d781a651aee67ef298e76e935 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 15:40:16 +0100
Subject: [PATCH 108/303] PR #387: Compile with OpenSSL with deprecated APIs
 disabled.

Thanks Rosen Penev
---
 ChangeLog    |  6 ++++--
 configure.ac | 22 +++++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ec034232..0cccaf34 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,12 +1,14 @@
 * 2018-03-??: Version 1.4.1
+  * Bugfix #388: Prevent fallback to an earlier tries upstream within a
+    single query.  Thanks Robert Groenenberg
+  * PR #387: Compile with OpenSSL with deprecated APIs disabled.
+    Thanks Rosen Penev
   * PR #386: UDP failover improvements:
     - When all UDP upstreams fail, retry them (more or less) equally
     - Limit maximum UDP backoff (default to 1000)
       This is configurable with the --with-max-udp-backoff configure
       option.
     Thanks Robert Groenenberg
-  * Bugfix #388: Prevent fallback to an earlier tries upstream within a
-    single query.  Thanks Robert Groenenberg
   * Bugfix: Find zonecut with DS queries (instead of SOA queries).
     Thanks Elmer Lastdrager
   * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
diff --git a/configure.ac b/configure.ac
index 044d5b93..3a96f942 100644
--- a/configure.ac
+++ b/configure.ac
@@ -636,7 +636,27 @@ case "$enable_dsa" in
     *) dnl default
       # detect if DSA is supported, and turn it off if not.
       AC_CHECK_FUNC(DSA_SIG_new, [
-	AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+	AC_CHECK_TYPE(DSA_SIG*, [
+		AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+	], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
+	  fi ], [
+AC_INCLUDES_DEFAULT
+#ifdef HAVE_OPENSSL_ENGINE_H
+# include <openssl/engine.h>
+#endif
+
+#ifdef HAVE_OPENSSL_RAND_H
+#include <openssl/rand.h>
+#endif
+
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+])
       ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
 	  fi ])
       ;;

From 1e9a7849dea2bea24feab33e992b1cc56cdea0e8 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 16:08:00 +0100
Subject: [PATCH 109/303] Spelling corrections in the spec

---
 spec/example/example-reverse.c        | 2 +-
 spec/example/example-simple-answers.c | 2 +-
 spec/example/example-tree.c           | 2 +-
 spec/index.html                       | 8 ++++----
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/spec/example/example-reverse.c b/spec/example/example-reverse.c
index 4b92040d..3a5e938a 100644
--- a/spec/example/example-reverse.c
+++ b/spec/example/example-reverse.c
@@ -31,7 +31,7 @@ void callback(getdns_context        *context,
 	assert( callback_type == GETDNS_CALLBACK_COMPLETE );
 
 	if ((r = getdns_dict_get_list(response, "/replies_tree/0/answer", &answer)))
-		fprintf(stderr, "Could not get \"answer\" section from first reply in the reponse");
+		fprintf(stderr, "Could not get \"answer\" section from first reply in the response");
 
 	else if ((r = getdns_list_get_length(answer, &n_answers)))
 		fprintf(stderr, "Could not get replies_tree\'s length");
diff --git a/spec/example/example-simple-answers.c b/spec/example/example-simple-answers.c
index a861e0f6..2203ce3b 100644
--- a/spec/example/example-simple-answers.c
+++ b/spec/example/example-simple-answers.c
@@ -35,7 +35,7 @@ void callback(getdns_context        *context,
 	assert( callback_type == GETDNS_CALLBACK_COMPLETE );
 
 	if ((r = getdns_dict_get_int(response, "status", &status)))
-		fprintf(stderr, "Could not get \"status\" from reponse");
+		fprintf(stderr, "Could not get \"status\" from response");
 
 	else if (status != GETDNS_RESPSTATUS_GOOD)
 		fprintf(stderr, "The search had no results, and a return value of %"PRIu32".\n", status);
diff --git a/spec/example/example-tree.c b/spec/example/example-tree.c
index f88299bb..8536aea9 100644
--- a/spec/example/example-tree.c
+++ b/spec/example/example-tree.c
@@ -31,7 +31,7 @@ void callback(getdns_context        *context,
 	assert( callback_type == GETDNS_CALLBACK_COMPLETE );
 
 	if ((r = getdns_dict_get_list(response, "replies_tree", &replies_tree)))
-		fprintf(stderr, "Could not get \"replies_tree\" from reponse");
+		fprintf(stderr, "Could not get \"replies_tree\" from response");
 
 	else if ((r = getdns_list_get_length(replies_tree, &n_replies)))
 		fprintf(stderr, "Could not get replies_tree\'s length");
diff --git a/spec/index.html b/spec/index.html
index 6888489f..d2623e4c 100644
--- a/spec/index.html
+++ b/spec/index.html
@@ -173,7 +173,7 @@ extensions. See <a href="#Extensions">the section below</a> for information on h
 the extensions used for a request.</p>
 
 <p class=define><code><b>*userarg</b></code></p>
-<p class=descrip>A void* that is passed to the function, which the funciton
+<p class=descrip>A void* that is passed to the function, which the function
 returns to the callback function untouched. <code>userarg</code> can be used by the callback
 function for any user-specific data needed. This can be NULL.</p>
 
@@ -1507,7 +1507,7 @@ function.</p>
     <span class="n">assert</span><span class="p">(</span> <span class="n">callback_type</span> <span class="o">==</span> <span class="n">GETDNS_CALLBACK_COMPLETE</span> <span class="p">);</span>
 
     <span class="k">if</span> <span class="p">((</span><span class="n">r</span> <span class="o">=</span> <span class="n">getdns_dict_get_int</span><span class="p">(</span><span class="n">response</span><span class="p">,</span> <span class="s">&quot;status&quot;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">status</span><span class="p">)))</span>
-        <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&quot;Could not get </span><span class="se">\&quot;</span><span class="s">status</span><span class="se">\&quot;</span><span class="s"> from reponse&quot;</span><span class="p">);</span>
+        <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&quot;Could not get </span><span class="se">\&quot;</span><span class="s">status</span><span class="se">\&quot;</span><span class="s"> from response&quot;</span><span class="p">);</span>
 
     <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">status</span> <span class="o">!=</span> <span class="n">GETDNS_RESPSTATUS_GOOD</span><span class="p">)</span>
         <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&quot;The search had no results, and a return value of %&quot;</span><span class="n">PRIu32</span><span class="s">&quot;.</span><span class="se">\n</span><span class="s">&quot;</span><span class="p">,</span> <span class="n">status</span><span class="p">);</span>
@@ -1622,7 +1622,7 @@ their TTLs.</p>
     <span class="n">assert</span><span class="p">(</span> <span class="n">callback_type</span> <span class="o">==</span> <span class="n">GETDNS_CALLBACK_COMPLETE</span> <span class="p">);</span>
 
     <span class="k">if</span> <span class="p">((</span><span class="n">r</span> <span class="o">=</span> <span class="n">getdns_dict_get_list</span><span class="p">(</span><span class="n">response</span><span class="p">,</span> <span class="s">&quot;replies_tree&quot;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">replies_tree</span><span class="p">)))</span>
-        <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&quot;Could not get </span><span class="se">\&quot;</span><span class="s">replies_tree</span><span class="se">\&quot;</span><span class="s"> from reponse&quot;</span><span class="p">);</span>
+        <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&quot;Could not get </span><span class="se">\&quot;</span><span class="s">replies_tree</span><span class="se">\&quot;</span><span class="s"> from response&quot;</span><span class="p">);</span>
 
     <span class="k">else</span> <span class="k">if</span> <span class="p">((</span><span class="n">r</span> <span class="o">=</span> <span class="n">getdns_list_get_length</span><span class="p">(</span><span class="n">replies_tree</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">n_replies</span><span class="p">)))</span>
         <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&quot;Could not get replies_tree</span><span class="se">\&#39;</span><span class="s">s length&quot;</span><span class="p">);</span>
@@ -1854,7 +1854,7 @@ as it is for the synchronous example, it is just done in <code>main()</code>.</p
     <span class="n">assert</span><span class="p">(</span> <span class="n">callback_type</span> <span class="o">==</span> <span class="n">GETDNS_CALLBACK_COMPLETE</span> <span class="p">);</span>
 
     <span class="k">if</span> <span class="p">((</span><span class="n">r</span> <span class="o">=</span> <span class="n">getdns_dict_get_list</span><span class="p">(</span><span class="n">response</span><span class="p">,</span> <span class="s">&quot;/replies_tree/0/answer&quot;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">answer</span><span class="p">)))</span>
-        <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&quot;Could not get </span><span class="se">\&quot;</span><span class="s">answer</span><span class="se">\&quot;</span><span class="s"> section from first reply in the reponse&quot;</span><span class="p">);</span>
+        <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&quot;Could not get </span><span class="se">\&quot;</span><span class="s">answer</span><span class="se">\&quot;</span><span class="s"> section from first reply in the response&quot;</span><span class="p">);</span>
 
     <span class="k">else</span> <span class="k">if</span> <span class="p">((</span><span class="n">r</span> <span class="o">=</span> <span class="n">getdns_list_get_length</span><span class="p">(</span><span class="n">answer</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">n_answers</span><span class="p">)))</span>
         <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&quot;Could not get replies_tree</span><span class="se">\&#39;</span><span class="s">s length&quot;</span><span class="p">);</span>

From 7548b095bce9032b4f997b77dbf4965a875b7359 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 16:12:49 +0100
Subject: [PATCH 110/303] Doxygen fixes

---
 src/getdns/getdns_extra.h.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 98abd0c2..34282643 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -591,7 +591,7 @@ getdns_context_set_logfunc(getdns_context *context, void *userarg,
  *                        to be created if it does not exist.  When NULL is
  *                        given, the default location is used which is
  *                        ${HOME}/.getdns/ on Unix line systems (Linux, BSD's,
- *                        MacOS), and %AppData%\getnds\ on Windows.
+ *                        MacOS), and %AppData%\getdns\ on Windows.
  * @return GETDNS_RETURN_GOOD when successful
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
@@ -700,7 +700,7 @@ getdns_context_set_trust_anchors_verify_email(
  * @see getdns_context_get_resolvconf
  * @see getdns_context_set_hosts
  * @param[in] context      The context to configure
- * @param[in] resolvonf    Defaults to /etc/resolv.conf
+ * @param[in] resolvconf   Defaults to /etc/resolv.conf
  * @return GETDNS_RETURN_GOOD when successful and error code otherwise.
  */
 getdns_return_t
@@ -1228,7 +1228,7 @@ getdns_context_get_trust_anchors_verify_email(
  * @see getdns_context_set_resolvconf
  * @see getdns_context_get_hosts
  * @param[in]  context      The context to configure
- * @param[out] resolvonf    NULL if the context was not initialized with a
+ * @param[out] resolvconf   NULL if the context was not initialized with a
  *                          resolv.conf file.
  * @return GETDNS_RETURN_GOOD when successful and error code otherwise.
  */

From ef0a77e06150e8c406a3141f83c633f9fe8a3938 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 5 Mar 2018 16:34:50 +0100
Subject: [PATCH 111/303] Forgot the dash before the rc1 again

---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 3a96f942..87daaf1d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [rc1])
+AC_SUBST(RELEASE_CANDIDATE, [-rc1])
 AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set

From 3d2ac4c16c9c874cf12998f6d5b5f352546d00d2 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 9 Mar 2018 11:37:37 +0100
Subject: [PATCH 112/303] Change git source for yxml submodule

Resolved issue getdnsapi/stubby#84
---
 .gitmodules | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.gitmodules b/.gitmodules
index dc06b68a..26a1f354 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,7 +4,8 @@
 	branch = getdns
 [submodule "src/yxml"]
 	path = src/yxml
-	url = git://g.blicky.net/yxml.git
+	url = https://github.com/getdnsapi/yxml.git
+	branch = master
 [submodule "stubby"]
 	path = stubby
 	url = https://github.com/getdnsapi/stubby.git
@@ -12,3 +13,4 @@
 [submodule "src/ssl_dane"]
 	path = src/ssl_dane
 	url = https://github.com/getdnsapi/ssl_dane
+	branch = getdns

From 75f59b9dfc83b0645aaf17b1fa4f3289efb8127b Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 12 Mar 2018 12:05:09 +0100
Subject: [PATCH 113/303] Bump version

---
 ChangeLog    | 2 +-
 configure.ac | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 0cccaf34..12867743 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,4 @@
-* 2018-03-??: Version 1.4.1
+* 2018-03-12: Version 1.4.1
   * Bugfix #388: Prevent fallback to an earlier tries upstream within a
     single query.  Thanks Robert Groenenberg
   * PR #387: Compile with OpenSSL with deprecated APIs disabled.
diff --git a/configure.ac b/configure.ac
index 87daaf1d..a0d719b4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(RELEASE_CANDIDATE, [])
 AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
@@ -63,7 +63,7 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010400c1])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01040100])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@@ -104,7 +104,7 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.2$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.2.1 had libversion 8:1:2
 # getdns-1.3.0 had libversion 9:0:3
 # getdns-1.4.0 had libversion 10:0:0
-# getdns-1.4.1 will have libversion 10:1:0
+# getdns-1.4.1 has libversion 10:1:0
 #
 GETDNS_LIBVERSION=10:1:0
 

From ced112ca7484be2ca9f491108e28b3c2bea93ef5 Mon Sep 17 00:00:00 2001
From: saradickinson <sara@sinodun.com>
Date: Thu, 5 Apr 2018 18:35:07 +0100
Subject: [PATCH 114/303] Temporary fix for
 https://github.com/getdnsapi/stubby/issues/87. Detect and ignore duplicate
 certs in the root store.

---
 src/context.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/context.c b/src/context.c
index 39d54bbb..b01f3d70 100644
--- a/src/context.c
+++ b/src/context.c
@@ -193,7 +193,7 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 	PCCERT_CONTEXT  pTargetCert = NULL;
 
 	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-		"Adding Windows certificates to CA store");
+		"Adding Windows certificates from system root store to CA store");
 
 	/* load just once per context lifetime for this version of getdns
 	   TODO: dynamically update CA trust changes as they are available */
@@ -241,10 +241,18 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 		else {
 			/* return error if a cert add to store fails */
 			if (X509_STORE_add_cert(store, cert1) == 0) {
-				DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-					"Error adding certificate", ERR_get_error(),
-					ERR_error_string(ERR_get_error(), NULL));
-				return 0;
+				unsigned long error = ERR_peek_last_error();
+ 
+				/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
+				* certificate is already in the store.  */ 
+				if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
+				   ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+					DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+					    "Error adding certificate", ERR_get_error(),
+					     ERR_error_string(ERR_get_error(), NULL));
+					X509_free(cert1);
+					return 0;
+				}
 			}
 			X509_free(cert1);
 		}
@@ -260,6 +268,8 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 			hSystemStore, 0))
 			return 0;
 	}
+	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+		"Completed adding Windows certificates to CA store successfully");
 	return 1;
 }
 #endif

From 1b5b0ca79944bf3fd4991b2fda73b20439771bd0 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 23 Apr 2018 15:11:20 +0200
Subject: [PATCH 115/303] Force trailing '\0' with string config settings

Because even though it is added when parsing from JSON, it will be lost when the bindata is copied into a dict with getdns_dict_set_bindata.
---
 src/context.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/context.c b/src/context.c
index 39d54bbb..3167a4c2 100644
--- a/src/context.c
+++ b/src/context.c
@@ -4806,9 +4806,19 @@ static getdns_return_t _get_list_or_read_file(const getdns_dict *config_dict,
 
 #define CONTEXT_SETTING_STRING(X) \
 	} else if (_streq(setting, #X )) { \
-		if (!(r = getdns_dict_get_bindata(config_dict, #X , &bd))) \
-			r = getdns_context_set_ ## X( \
-			    context, (char *)bd->data);
+		if (!(r = getdns_dict_get_bindata(config_dict, #X , &bd))) { \
+			if (bd->size < sizeof(str_buf)) { \
+				(void) memcpy(str_buf, (char *)bd->data, bd->size); \
+				str_buf[bd->size] = '\0'; \
+				r = getdns_context_set_ ## X( \
+				    context, str_buf); \
+			} else if ((tmp_str = _getdns_strdup2(&context->mf, bd))) { \
+				r = getdns_context_set_ ## X( \
+				    context, tmp_str); \
+				GETDNS_FREE(context->mf, tmp_str); \
+			} else \
+				r = GETDNS_RETURN_MEMORY_ERROR; \
+		}
 
 static getdns_return_t
 _getdns_context_config_setting(getdns_context *context,
@@ -4823,6 +4833,7 @@ _getdns_context_config_setting(getdns_context *context,
 	uint32_t n;
 	getdns_bindata *bd;
 	int destroy_list = 0;
+	char str_buf[1024], *tmp_str;
 
 	if (_streq(setting, "all_context")) {
 		if (!(r = getdns_dict_get_dict(config_dict, "all_context", &dict)))

From a834d32718e5e8fbf06f98c808efe54e19486352 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 23 Apr 2018 14:05:02 +0200
Subject: [PATCH 116/303] Fix negative reversed IPv4 test

which assumes 1.1.1.1.in-addr.arpa does not exist
---
 src/test/check_getdns_hostname.h      | 2 +-
 src/test/check_getdns_hostname_sync.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/test/check_getdns_hostname.h b/src/test/check_getdns_hostname.h
index 7193fec9..d5e6bf8e 100644
--- a/src/test/check_getdns_hostname.h
+++ b/src/test/check_getdns_hostname.h
@@ -361,7 +361,7 @@
        struct getdns_context *context = NULL;
        struct getdns_dict *address = NULL;
        struct getdns_bindata address_type = { 5, (void *)"IPv4" };
-       struct getdns_bindata address_data = { 4, (void *)"\x01\x01\x01\x01" };
+       struct getdns_bindata address_data = { 4, (void *)"\xb9\x31\x8c\x00" };
        void* eventloop = NULL;
        getdns_transaction_t transaction_id = 0;
 
diff --git a/src/test/check_getdns_hostname_sync.h b/src/test/check_getdns_hostname_sync.h
index 260a0f19..38a33fb2 100644
--- a/src/test/check_getdns_hostname_sync.h
+++ b/src/test/check_getdns_hostname_sync.h
@@ -304,7 +304,7 @@
        struct getdns_context *context = NULL;   
        struct getdns_dict *address = NULL;
        struct getdns_bindata address_type = { 5, (void *)"IPv4" };
-       struct getdns_bindata address_data = { 4, (void *)"\x01\x01\x01\x01" };
+       struct getdns_bindata address_data = { 4, (void *)"\xb9\x31\x8c\x00" };
        struct getdns_dict *response = NULL;
      
        CONTEXT_CREATE(TRUE);

From 7fecf5a93de9218511601f4903ca81c835803564 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 1 May 2018 13:19:24 +0200
Subject: [PATCH 117/303] Allow NSEC spans starting from (unexpanded) wildcards

---
 src/dnssec.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 1a87c77a..7e0d1248 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1685,7 +1685,7 @@ static int a_key_signed_rrset_no_wc(struct mem_funcs *mf, time_t now,
     uint32_t skew, _getdns_rrset *keyset, _getdns_rrset *rrset)
 {
 	_getdns_rrtype_iter dnskey_spc, *dnskey;
-	const uint8_t *nc_name;
+	const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
 	int keytag;
 
 	assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY);
@@ -1693,8 +1693,17 @@ static int a_key_signed_rrset_no_wc(struct mem_funcs *mf, time_t now,
 	for ( dnskey = _getdns_rrtype_iter_init(&dnskey_spc, keyset)
 	    ; dnskey ; dnskey = _getdns_rrtype_iter_next(dnskey) ) {
 
-		if ((keytag = dnskey_signed_rrset(mf, now, skew,
-		    dnskey, rrset, &nc_name)) && !nc_name)
+		if (!(keytag = dnskey_signed_rrset(mf, now, skew,
+		    dnskey, rrset, &nc_name)))
+			continue;
+
+		if (!nc_name) /* Not a wildcard, then success! */
+			return keytag;
+
+ 		/* Not a wildcard expansion, but the wildcard name itself. */
+		if (rrset->rr_type == GETDNS_RRTYPE_NSEC &&
+		    rrset->name[0] == 1 && rrset->name[1] == '*' &&
+		    nc_name == rrset->name)
 			return keytag;
 	}
 	return 0;
@@ -1709,7 +1718,8 @@ static int a_key_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
     _getdns_rrset *keyset, _getdns_rrset *rrset)
 {
 	_getdns_rrtype_iter dnskey_spc, *dnskey;
-	const uint8_t *nc_name;
+	const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
+
 	int keytag;
 
 	assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY);
@@ -1728,7 +1738,8 @@ static int a_key_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
 		 * There is no more specific!
 		 */
 		if (rrset->rr_type == GETDNS_RRTYPE_NSEC &&
-		    rrset->name[0] == 1 && rrset->name[1] == '*')
+		    rrset->name[0] == 1 && rrset->name[1] == '*' &&
+		    nc_name == rrset->name)
 			return keytag;
 
 		debug_sec_print_rrset("wildcard expanded to: ", rrset);
@@ -1751,7 +1762,7 @@ static int ds_authenticates_keys(struct mem_funcs *mf,
 	_getdns_rrtype_iter dnskey_spc, *dnskey;
 	_getdns_rrtype_iter ds_spc, *ds;
 	uint16_t keytag;
-	const uint8_t *nc_name;
+	const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
 	size_t valid_dsses = 0, supported_dsses = 0;
 	uint8_t max_supported_digest = 0;
 	int max_supported_result = 0;

From 9c019680487e2cd8e8a7af3f9578688bbfb0a4f1 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 1 May 2018 17:07:16 +0200
Subject: [PATCH 118/303] DS and DNSKEY lookups for tld and sld immediately

Resolves issue getdnsapi/stubby#99
---
 src/dnssec.c | 97 ++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 67 insertions(+), 30 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 7e0d1248..c6041a7a 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -244,13 +244,16 @@ static inline int _dname_equal(const uint8_t *left, const uint8_t *right)
 static int _dname_is_parent(
     const uint8_t * const parent, const uint8_t *subdomain)
 {
-	while (*subdomain) {
+	if (*parent == 0)
+		return 1;
+
+	else while (*subdomain) {
 		if (_dname_equal(parent, subdomain))
 			return 1;
 
 		subdomain += *subdomain + 1;
 	}
-	return *parent == 0;
+	return 0;
 }
 
 static uint8_t *_dname_label_copy(uint8_t *dst, const uint8_t *src, size_t dst_len)
@@ -668,8 +671,16 @@ static chain_head *add_rrset2val_chain(struct mem_funcs *mf,
 	/* On the first chain, max_node == NULL.
 	 * Schedule a root DNSKEY query, we always need that.
 	 */
-	if (!(node[-1].parent = max_node))
+	if (!(node[-1].parent = max_node)) {
 		val_chain_sched(head, (uint8_t *)"\0");
+		if (head->node_count > 1)
+			val_chain_sched(head, node[-2].ds.name);
+		if (head->node_count > 2)
+			val_chain_sched(head, node[-3].ds.name);
+	} else if ((max_labels == 1 || max_labels == 2) && head->node_count > 0)
+		val_chain_sched(head, node[-1].ds.name);
+	if (max_labels == 1 && head->node_count > 1)
+		val_chain_sched(head, node[-2].ds.name);
 
 	return head;
 }
@@ -1051,6 +1062,46 @@ static void val_chain_sched_signer(chain_head *head, _getdns_rrsig_iter *rrsig)
 	val_chain_sched_signer_node(head->parent, rrsig);
 }
 
+/* Cancel all DS and DNSKEY for subdomains of parent_dname,
+ * and also the DNSKEY query at the parent_dname
+ */
+static void cancel_requests_for_subdomains_of(
+    chain_head *head, const uint8_t *parent_dname)
+{
+	chain_head *next;
+	chain_node *node;
+	size_t      node_count;
+
+	while (head) {
+		next = head->next;
+
+		if (!_dname_is_parent(parent_dname, head->rrset.name)) {
+			head = next;
+			continue;
+		}
+		for ( node_count = head->node_count, node = head->parent
+		    ; node_count
+		    ; node_count--, node = node->parent ) {
+
+			if (!_getdns_netreq_finished(node->dnskey_req)) {
+				_getdns_context_cancel_request(
+				    node->dnskey_req->owner);
+				node->dnskey_req = NULL;
+			}
+
+			if (_dname_equal(parent_dname, node->ds.name))
+				break;
+
+			if (!_getdns_netreq_finished(node->ds_req)) {
+				_getdns_context_cancel_request(
+				    node->ds_req->owner);
+				node->ds_req = NULL;
+			}
+		}
+		head = next;
+	}
+}
+
 static void val_chain_node_cb(getdns_dns_req *dnsreq)
 {
 	chain_node *node = (chain_node *)dnsreq->user_pointer;
@@ -1092,12 +1143,22 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq)
 			n_signers++;
 		}
 	}
-	if (netreq->request_type == GETDNS_RRTYPE_DS && n_signers == 0)
+	if (netreq->request_type != GETDNS_RRTYPE_DS)
+		; /* pass */
+	else if (n_signers) {
+		_getdns_rrtype_iter ds_spc;
+
+		if (!_getdns_rrtype_iter_init(&ds_spc, &node->ds)) {
+			debug_sec_print_rrset("A DS NX proof for ", &node->ds);
+			DEBUG_SEC("Cancel all more specific requests\n");
+			cancel_requests_for_subdomains_of(node->chains, node->ds.name);
+		}
+	} else {
 		/* No signed DS and no signed proof of non-existance.
 		 * Search further up the tree...
 		 */
 		val_chain_sched_ds_node(node->parent);
-
+	}
 	if (node->lock) node->lock--;
 	check_chain_complete(node->chains);
 }
@@ -3323,31 +3384,7 @@ void _getdns_ta_notify_dnsreqs(getdns_context *context)
 
 void _getdns_validation_chain_timeout(getdns_dns_req *dnsreq)
 {
-	chain_head *head = dnsreq->chain, *next;
-	chain_node *node;
-	size_t      node_count;
-
-	while (head) {
-		next = head->next;
-
-		for ( node_count = head->node_count, node = head->parent
-		    ; node_count
-		    ; node_count--, node = node->parent ) {
-
-			if (!_getdns_netreq_finished(node->dnskey_req)) {
-				_getdns_context_cancel_request(
-				    node->dnskey_req->owner);
-				node->dnskey_req = NULL;
-			}
-
-			if (!_getdns_netreq_finished(node->ds_req)) {
-				_getdns_context_cancel_request(
-				    node->ds_req->owner);
-				node->ds_req = NULL;
-			}
-		}
-		head = next;
-	}
+	cancel_requests_for_subdomains_of(dnsreq->chain, (uint8_t *)"\0");
 	dnsreq->request_timed_out = 1;
 	check_chain_complete(dnsreq->chain);
 }

From 6c075e2ad860e1392594b81c8ca68ddc0c9781d1 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 2 May 2018 14:01:00 +0200
Subject: [PATCH 119/303] Bugfix #395 : Clarify that libidn2 dependency is for
 version 2.0.0 or higher

---
 ChangeLog    | 4 ++++
 README.md    | 2 +-
 configure.ac | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 12867743..ea2a0ea4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+* 2018-05-??: Version 1.4.2
+  * Bugfix: #395. Clarify that libidn2 dependency is for version 2.0.0
+    or higher. Thanks mire3212
+
 * 2018-03-12: Version 1.4.1
   * Bugfix #388: Prevent fallback to an earlier tries upstream within a
     single query.  Thanks Robert Groenenberg
diff --git a/README.md b/README.md
index cada3b41..565310c7 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ If you are installing from packages, you have to install the library and also th
 External dependencies are linked outside the getdns API build tree (we rely on configure to find them).  We would like to keep the dependency tree short.  Please refer to section for building on Windows for separate dependency and build instructions for that platform.
 
 * [libunbound from NLnet Labs](https://unbound.net/) version 1.4.16 or later.
-* [libidn from the FSF](https://www.gnu.org/software/libidn/) version 1 or 2.  (Note that the libidn version means the conversions between A-labels and U-labels may permit conversion of formally invalid labels under IDNA2008.)
+* [libidn from the FSF](https://www.gnu.org/software/libidn/) version 1 or 2 (from version 2.0.0 and higher).  (Note that the libidn version means the conversions between A-labels and U-labels may permit conversion of formally invalid labels under IDNA2008.)
 * [libssl and libcrypto from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.1 or later is required for TLS support, version 1.0.2 or later is required for TLS hostname authentication)
 * Doxygen is used to generate documentation; while this is not technically necessary for the build it makes things a lot more pleasant.
 
diff --git a/configure.ac b/configure.ac
index a0d719b4..18971e83 100644
--- a/configure.ac
+++ b/configure.ac
@@ -887,7 +887,7 @@ then
 		LIBS="-lidn2 $LIBS"
 		AC_DEFINE_UNQUOTED([HAVE_LIBIDN2], [1], [Define to 1 if you have the `idn2' library (-lidn).]) dnl `
 	], [
-		MISSING_DEPS="${MISSING_DEPS}${MISSING_SEP}libidn2"
+		MISSING_DEPS="${MISSING_DEPS}${MISSING_SEP}libidn2 (version 2.0.0 or higher)"
 		MISSING_SEP=", "
 	])
 fi

From 4f050facc37e086479c939048476e44d1d19e4af Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 2 May 2018 14:32:12 +0200
Subject: [PATCH 120/303] Bugfix #394: Update src/compat/getentropy_linux.c

in order to handle ENOSYS (not implemented) fallback.
Thanks Brent Blood
---
 ChangeLog                     |  5 ++-
 src/compat/getentropy_linux.c | 83 +++++++++++++++++++++--------------
 2 files changed, 53 insertions(+), 35 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ea2a0ea4..2b0ba971 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 * 2018-05-??: Version 1.4.2
-  * Bugfix: #395. Clarify that libidn2 dependency is for version 2.0.0
+  * Bugfix #394: Update src/compat/getentropy_linux.c in order to
+    handle ENOSYS (not implemented) fallback.
+    Thanks Brent Blood
+  * Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
     or higher. Thanks mire3212
 
 * 2018-03-12: Version 1.4.1
diff --git a/src/compat/getentropy_linux.c b/src/compat/getentropy_linux.c
index 37d86a8f..a1159d0c 100644
--- a/src/compat/getentropy_linux.c
+++ b/src/compat/getentropy_linux.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: getentropy_linux.c,v 1.20 2014/07/12 15:43:49 beck Exp $	*/
+/*	$OpenBSD: getentropy_linux.c,v 1.45 2018/03/13 22:53:28 bcook Exp $	*/
 
 /*
  * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
@@ -15,6 +15,9 @@
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Emulation of getentropy(2) as documented at:
+ * http://man.openbsd.org/getentropy.2
  */
 #include "config.h"
 
@@ -39,6 +42,7 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <stdio.h>
+#include <link.h>
 #include <termios.h>
 #include <fcntl.h>
 #include <signal.h>
@@ -55,7 +59,6 @@
 
 #include <linux/types.h>
 #include <linux/random.h>
-#include <linux/sysctl.h>
 #ifdef HAVE_GETAUXVAL
 #include <sys/auxv.h>
 #endif
@@ -75,6 +78,7 @@
 #if defined(HAVE_SSL)
 #define CRYPTO_SHA512_CTX		SHA512_CTX
 #define CRYPTO_SHA512_INIT(x)		SHA512_Init(x)
+#define CRYPTO_SHA512_UPDATE(c, x, l)  (SHA512_Update((c), (char *)(x), (l))
 #define CRYPTO_SHA512_FINAL(r, c)	SHA512_Final(r, c)
 #define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
 #define HD(x)	 (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
@@ -82,6 +86,7 @@
 #elif defined(HAVE_NETTLE)
 #define CRYPTO_SHA512_CTX		struct sha512_ctx
 #define CRYPTO_SHA512_INIT(x)		sha512_init(x)
+#define CRYPTO_SHA512_UPDATE(c, x, l)  (sha512_update((c), (l), (uint8_t *)(x))
 #define CRYPTO_SHA512_FINAL(r, c)	sha512_digest(c, SHA512_DIGEST_SIZE, r)
 #define HR(x, l) (sha512_update(&ctx, (l), (uint8_t *)(x)))
 #define HD(x)	 (sha512_update(&ctx, sizeof (x), (uint8_t *)&(x)))
@@ -90,11 +95,8 @@
 
 int	getentropy(void *buf, size_t len);
 
-#ifdef CAN_REFERENCE_MAIN
-extern int main(int, char *argv[]);
-#endif
 static int gotdata(char *buf, size_t len);
-#ifdef SYS_getrandom
+#if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
 static int getentropy_getrandom(void *buf, size_t len);
 #endif
 static int getentropy_urandom(void *buf, size_t len);
@@ -102,6 +104,7 @@ static int getentropy_urandom(void *buf, size_t len);
 static int getentropy_sysctl(void *buf, size_t len);
 #endif
 static int getentropy_fallback(void *buf, size_t len);
+static int getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data);
 
 int
 getentropy(void *buf, size_t len)
@@ -110,18 +113,21 @@ getentropy(void *buf, size_t len)
 
 	if (len > 256) {
 		errno = EIO;
-		return -1;
+		return (-1);
 	}
 
-#ifdef SYS_getrandom
+#if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
 	/*
-	 * Try descriptor-less getrandom()
+	 * Try descriptor-less getrandom(), in non-blocking mode.
+	 *
+	 * The design of Linux getrandom is broken.  It has an
+	 * uninitialized phase coupled with blocking behaviour, which
+	 * is unacceptable from within a library at boot time without
+	 * possible recovery. See http://bugs.python.org/issue26839#msg267745
 	 */
 	ret = getentropy_getrandom(buf, len);
 	if (ret != -1)
 		return (ret);
-	if (errno != ENOSYS)
-		return (-1);
 #endif
 
 	/*
@@ -175,7 +181,7 @@ getentropy(void *buf, size_t len)
 	 *     - Do the best under the circumstances....
 	 *
 	 * This code path exists to bring light to the issue that Linux
-	 * does not provide a failsafe API for entropy collection.
+	 * still does not provide a failsafe API for entropy collection.
 	 *
 	 * We hope this demonstrates that Linux should either retain their
 	 * sysctl ABI, or consider providing a new failsafe API which
@@ -205,11 +211,11 @@ gotdata(char *buf, size_t len)
 	for (i = 0; i < len; ++i)
 		any_set |= buf[i];
 	if (any_set == 0)
-		return -1;
-	return 0;
+		return (-1);
+	return (0);
 }
 
-#ifdef SYS_getrandom
+#if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
 static int
 getentropy_getrandom(void *buf, size_t len)
 {
@@ -218,7 +224,7 @@ getentropy_getrandom(void *buf, size_t len)
 	if (len > 256)
 		return (-1);
 	do {
-		ret = syscall(SYS_getrandom, buf, len, 0);
+		ret = syscall(SYS_getrandom, buf, len, GRND_NONBLOCK);
 	} while (ret == -1 && errno == EINTR);
 
 	if (ret != (int)len)
@@ -266,7 +272,7 @@ start:
 	}
 	for (i = 0; i < len; ) {
 		size_t wanted = len - i;
-		ssize_t ret = read(fd, (char*)buf + i, wanted);
+		ssize_t ret = read(fd, (char *)buf + i, wanted);
 
 		if (ret == -1) {
 			if (errno == EAGAIN || errno == EINTR)
@@ -279,11 +285,11 @@ start:
 	close(fd);
 	if (gotdata(buf, len) == 0) {
 		errno = save_errno;
-		return 0;		/* satisfied */
+		return (0);		/* satisfied */
 	}
 nodevrandom:
 	errno = EIO;
-	return -1;
+	return (-1);
 }
 
 #ifdef SYS__sysctl
@@ -314,11 +320,11 @@ getentropy_sysctl(void *buf, size_t len)
 	}
 sysctlfailed:
 	errno = EIO;
-	return -1;
+	return (-1);
 }
 #endif /* SYS__sysctl */
 
-static int cl[] = {
+static const int cl[] = {
 	CLOCK_REALTIME,
 #ifdef CLOCK_MONOTONIC
 	CLOCK_MONOTONIC,
@@ -343,6 +349,15 @@ static int cl[] = {
 #endif
 };
 
+static int
+getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data)
+{
+	CRYPTO_SHA512_CTX *ctx = data;
+
+	CRYPTO_SHA512_UPDATE(ctx, &info->dlpi_addr, sizeof (info->dlpi_addr));
+	return (0);
+}
+
 static int
 getentropy_fallback(void *buf, size_t len)
 {
@@ -379,6 +394,8 @@ getentropy_fallback(void *buf, size_t len)
 				cnt += (int)tv.tv_usec;
 			}
 
+			dl_iterate_phdr(getentropy_phdr, &ctx);
+
 			for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]); ii++)
 				HX(clock_gettime(cl[ii], &ts) == -1, ts);
 
@@ -398,9 +415,6 @@ getentropy_fallback(void *buf, size_t len)
 			HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
 			    sigset);
 
-#ifdef CAN_REFERENCE_MAIN
-			HF(main);		/* an addr in program */
-#endif
 			HF(getentropy);	/* an addr in this library */
 			HF(printf);		/* an addr in libc */
 			p = (char *)&p;
@@ -525,33 +539,34 @@ getentropy_fallback(void *buf, size_t len)
 			HD(cnt);
 		}
 #ifdef HAVE_GETAUXVAL
-#  ifdef AT_RANDOM
+#ifdef AT_RANDOM
 		/* Not as random as you think but we take what we are given */
 		p = (char *) getauxval(AT_RANDOM);
 		if (p)
 			HR(p, 16);
-#  endif
-#  ifdef AT_SYSINFO_EHDR
+#endif
+#ifdef AT_SYSINFO_EHDR
 		p = (char *) getauxval(AT_SYSINFO_EHDR);
 		if (p)
 			HR(p, pgs);
-#  endif
-#  ifdef AT_BASE
+#endif
+#ifdef AT_BASE
 		p = (char *) getauxval(AT_BASE);
 		if (p)
 			HD(p);
-#  endif
-#endif /* HAVE_GETAUXVAL */
+#endif
+#endif
 
 		CRYPTO_SHA512_FINAL(results, &ctx);
-		memcpy((char*)buf + i, results, min(sizeof(results), len - i));
+		memcpy((char *)buf + i, results, min(sizeof(results), len - i));
 		i += min(sizeof(results), len - i);
 	}
+	memset(&ctx, 0, sizeof ctx);
 	memset(results, 0, sizeof results);
 	if (gotdata(buf, len) == 0) {
 		errno = save_errno;
-		return 0;		/* satisfied */
+		return (0);		/* satisfied */
 	}
 	errno = EIO;
-	return -1;
+	return (-1);
 }

From f0f101511b35b5dca35774cc4d1d508066e4c6df Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 3 May 2018 11:21:11 +0200
Subject: [PATCH 121/303] _GNU_SOURCE needed for struct dl_phdr_info from
 link.h

---
 src/compat/getentropy_linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/compat/getentropy_linux.c b/src/compat/getentropy_linux.c
index a1159d0c..4f437bf3 100644
--- a/src/compat/getentropy_linux.c
+++ b/src/compat/getentropy_linux.c
@@ -23,8 +23,8 @@
 
 /*
 #define	_POSIX_C_SOURCE 199309L
-#define	_GNU_SOURCE     1
 */
+#define	_GNU_SOURCE     1
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/ioctl.h>

From f5c588c9554b694b5d07f70bce38ec41e7b70660 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 3 May 2018 11:30:28 +0200
Subject: [PATCH 122/303] Need _GNU_SOURCE before config.h

---
 src/compat/getentropy_linux.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/compat/getentropy_linux.c b/src/compat/getentropy_linux.c
index 4f437bf3..9f216f8c 100644
--- a/src/compat/getentropy_linux.c
+++ b/src/compat/getentropy_linux.c
@@ -19,12 +19,10 @@
  * Emulation of getentropy(2) as documented at:
  * http://man.openbsd.org/getentropy.2
  */
+#define	_GNU_SOURCE     1
+#define	_POSIX_C_SOURCE 199309L
 #include "config.h"
 
-/*
-#define	_POSIX_C_SOURCE 199309L
-*/
-#define	_GNU_SOURCE     1
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/ioctl.h>

From de7f007bf3a63583455ed7dad8634d4789e6bc09 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 3 May 2018 11:40:44 +0200
Subject: [PATCH 123/303] Without dl_iterate_phdr for now...

---
 src/compat/getentropy_linux.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/compat/getentropy_linux.c b/src/compat/getentropy_linux.c
index 9f216f8c..f08f35b1 100644
--- a/src/compat/getentropy_linux.c
+++ b/src/compat/getentropy_linux.c
@@ -19,8 +19,12 @@
  * Emulation of getentropy(2) as documented at:
  * http://man.openbsd.org/getentropy.2
  */
+/* #define WITH_DL_ITERATE_PHDR 1 */
+
+#ifdef WITH_DL_ITERATE_PHDR
 #define	_GNU_SOURCE     1
 #define	_POSIX_C_SOURCE 199309L
+#endif
 #include "config.h"
 
 #include <sys/types.h>
@@ -40,7 +44,9 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <stdio.h>
+#ifdef WITH_DL_ITERATE_PHDR
 #include <link.h>
+#endif
 #include <termios.h>
 #include <fcntl.h>
 #include <signal.h>
@@ -102,7 +108,9 @@ static int getentropy_urandom(void *buf, size_t len);
 static int getentropy_sysctl(void *buf, size_t len);
 #endif
 static int getentropy_fallback(void *buf, size_t len);
+#ifdef WITH_DL_ITERATE_PHDR
 static int getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data);
+#endif
 
 int
 getentropy(void *buf, size_t len)
@@ -347,6 +355,7 @@ static const int cl[] = {
 #endif
 };
 
+#ifdef WITH_DL_ITERATE_PHDR
 static int
 getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data)
 {
@@ -355,6 +364,7 @@ getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data)
 	CRYPTO_SHA512_UPDATE(ctx, &info->dlpi_addr, sizeof (info->dlpi_addr));
 	return (0);
 }
+#endif
 
 static int
 getentropy_fallback(void *buf, size_t len)
@@ -392,7 +402,9 @@ getentropy_fallback(void *buf, size_t len)
 				cnt += (int)tv.tv_usec;
 			}
 
+#ifdef WITH_DL_ITERATE_PHDR
 			dl_iterate_phdr(getentropy_phdr, &ctx);
+#endif
 
 			for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]); ii++)
 				HX(clock_gettime(cl[ii], &ts) == -1, ts);

From 101d6027396b7249930f3aaf9c910c682a2a3747 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 3 May 2018 11:48:07 +0200
Subject: [PATCH 124/303] Travis output showed it was a bracket issue

---
 src/compat/getentropy_linux.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/compat/getentropy_linux.c b/src/compat/getentropy_linux.c
index f08f35b1..3008b49f 100644
--- a/src/compat/getentropy_linux.c
+++ b/src/compat/getentropy_linux.c
@@ -19,11 +19,10 @@
  * Emulation of getentropy(2) as documented at:
  * http://man.openbsd.org/getentropy.2
  */
-/* #define WITH_DL_ITERATE_PHDR 1 */
-
-#ifdef WITH_DL_ITERATE_PHDR
+#define WITH_DL_ITERATE_PHDR 1
+#ifdef  WITH_DL_ITERATE_PHDR
 #define	_GNU_SOURCE     1
-#define	_POSIX_C_SOURCE 199309L
+/* #define	_POSIX_C_SOURCE 199309L */
 #endif
 #include "config.h"
 
@@ -44,7 +43,7 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <stdio.h>
-#ifdef WITH_DL_ITERATE_PHDR
+#ifdef  WITH_DL_ITERATE_PHDR
 #include <link.h>
 #endif
 #include <termios.h>
@@ -82,7 +81,7 @@
 #if defined(HAVE_SSL)
 #define CRYPTO_SHA512_CTX		SHA512_CTX
 #define CRYPTO_SHA512_INIT(x)		SHA512_Init(x)
-#define CRYPTO_SHA512_UPDATE(c, x, l)  (SHA512_Update((c), (char *)(x), (l))
+#define CRYPTO_SHA512_UPDATE(c, x, l)  (SHA512_Update((c), (char *)(x), (l)))
 #define CRYPTO_SHA512_FINAL(r, c)	SHA512_Final(r, c)
 #define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
 #define HD(x)	 (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
@@ -90,7 +89,7 @@
 #elif defined(HAVE_NETTLE)
 #define CRYPTO_SHA512_CTX		struct sha512_ctx
 #define CRYPTO_SHA512_INIT(x)		sha512_init(x)
-#define CRYPTO_SHA512_UPDATE(c, x, l)  (sha512_update((c), (l), (uint8_t *)(x))
+#define CRYPTO_SHA512_UPDATE(c, x, l)  (sha512_update((c), (l), (uint8_t *)(x)))
 #define CRYPTO_SHA512_FINAL(r, c)	sha512_digest(c, SHA512_DIGEST_SIZE, r)
 #define HR(x, l) (sha512_update(&ctx, (l), (uint8_t *)(x)))
 #define HD(x)	 (sha512_update(&ctx, sizeof (x), (uint8_t *)&(x)))
@@ -108,7 +107,7 @@ static int getentropy_urandom(void *buf, size_t len);
 static int getentropy_sysctl(void *buf, size_t len);
 #endif
 static int getentropy_fallback(void *buf, size_t len);
-#ifdef WITH_DL_ITERATE_PHDR
+#ifdef  WITH_DL_ITERATE_PHDR
 static int getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data);
 #endif
 
@@ -355,7 +354,7 @@ static const int cl[] = {
 #endif
 };
 
-#ifdef WITH_DL_ITERATE_PHDR
+#ifdef  WITH_DL_ITERATE_PHDR
 static int
 getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data)
 {
@@ -402,7 +401,7 @@ getentropy_fallback(void *buf, size_t len)
 				cnt += (int)tv.tv_usec;
 			}
 
-#ifdef WITH_DL_ITERATE_PHDR
+#ifdef  WITH_DL_ITERATE_PHDR
 			dl_iterate_phdr(getentropy_phdr, &ctx);
 #endif
 

From 3c355d425bb1f4087ac1e7c27460b93551c39a82 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 3 May 2018 12:15:48 +0200
Subject: [PATCH 125/303] Warnings are errors :(

---
 src/compat/getentropy_linux.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/compat/getentropy_linux.c b/src/compat/getentropy_linux.c
index 3008b49f..744783cd 100644
--- a/src/compat/getentropy_linux.c
+++ b/src/compat/getentropy_linux.c
@@ -359,6 +359,7 @@ static int
 getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data)
 {
 	CRYPTO_SHA512_CTX *ctx = data;
+	(void)size;
 
 	CRYPTO_SHA512_UPDATE(ctx, &info->dlpi_addr, sizeof (info->dlpi_addr));
 	return (0);

From 2a110043da8d33857ba7359a9ee0e4af7493e99c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 3 May 2018 14:35:01 +0200
Subject: [PATCH 126/303] Just some notes about packages

---
 project-doc/packages.txt | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 project-doc/packages.txt

diff --git a/project-doc/packages.txt b/project-doc/packages.txt
new file mode 100644
index 00000000..73398166
--- /dev/null
+++ b/project-doc/packages.txt
@@ -0,0 +1,13 @@
+Some notes about packages and maintainers.
+
+For Homebrew, created and maintained by ilovezfs
+https://github.com/Homebrew/homebrew-core/Formula/getdns.rb
+https://github.com/Homebrew/homebrew-core/Formula/stubby.rb
+
+For Arch, created and maintained by Bruno Pagani (ArchangeGabriel)
+
+For OpenWRT, created and maintained by David Mora (iamperson347)
+https://github.com/openwrt/packages/tree/master/libs/getdns
+https://github.com/openwrt/packages/tree/master/net/stubby
+
+

From 23d2affebfb01807ea0b82e3ea895d1be9dd647d Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 3 May 2018 15:14:12 +0200
Subject: [PATCH 127/303] More ChangeLog entries

---
 ChangeLog                | 7 +++++++
 project-doc/packages.txt | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 2b0ba971..ceb927bd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,11 @@
 * 2018-05-??: Version 1.4.2
+  * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
+    up (for tld and sld), to find insecure delegations quicker.
+    Thanks UniverseXXX
+  * Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
+    Bug was introduced when dealing with CVE-2017-15105
+  * Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
+    string bindata's.  Thanks Lonnie Abelbeck
   * Bugfix #394: Update src/compat/getentropy_linux.c in order to
     handle ENOSYS (not implemented) fallback.
     Thanks Brent Blood
diff --git a/project-doc/packages.txt b/project-doc/packages.txt
index 73398166..3544c9ee 100644
--- a/project-doc/packages.txt
+++ b/project-doc/packages.txt
@@ -10,4 +10,5 @@ For OpenWRT, created and maintained by David Mora (iamperson347)
 https://github.com/openwrt/packages/tree/master/libs/getdns
 https://github.com/openwrt/packages/tree/master/net/stubby
 
-
+For AstLinux Project, created and maintained by Lonnie Abelbeck (abelbeck)
+https://github.com/astlinux-project/astlinux/tree/master/package/getdns

From caab2e8592466624988f90880dcc4639077badb5 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 3 May 2018 17:21:58 +0200
Subject: [PATCH 128/303] Bump versions and include release/0.2.3 Stubby
 release branch

---
 configure.ac | 14 +++++++-------
 stubby       |  2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/configure.ac b/configure.ac
index 18971e83..87367253 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
-AC_INIT([getdns], [1.4.1], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
+AC_INIT([getdns], [1.4.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
 
 # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
 # patched to do the same, but frequently (MacOS) not. So add a with option
@@ -52,8 +52,8 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [])
-AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
+AC_SUBST(RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(STUBBY_RELEASE_CANDIDATE, [-rc1])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
@@ -63,13 +63,13 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01040100])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010401c1])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
 
 AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package])
-AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.2$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
+AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.3$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
 
 # Library version
 # ---------------
@@ -105,8 +105,8 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.2$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.3.0 had libversion 9:0:3
 # getdns-1.4.0 had libversion 10:0:0
 # getdns-1.4.1 has libversion 10:1:0
-#
-GETDNS_LIBVERSION=10:1:0
+# getdns-1.4.2 has libversion 10:2:0
+GETDNS_LIBVERSION=10:2:0
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
 AC_SUBST(GETDNS_LIBVERSION)
diff --git a/stubby b/stubby
index 1a6acd64..ece119a8 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 1a6acd642c7dc9a04cf092e1a3837c5636d4b465
+Subproject commit ece119a8d20cdb07709564300e35ce5798c63a46

From 99bfe4a287819d6e6b1771f539b8e0a86fbedccf Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 4 May 2018 10:40:49 +0200
Subject: [PATCH 129/303] Fallback to current (working) directory (for
 appdata_dir).

To improve integration with system and service managers like systemd
See also getdnsapi/stubby#106
---
 src/context.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/src/context.c b/src/context.c
index 3167a4c2..8d6d5e13 100644
--- a/src/context.c
+++ b/src/context.c
@@ -5057,14 +5057,19 @@ FILE *_getdns_context_get_priv_fp(getdns_context *context, const char *fn)
 {
 	char path[_GETDNS_PATH_MAX];
 	FILE *f = NULL;
-	size_t len;
+	size_t len = _getdns_get_appdata(context, path);
 
 	(void) context;
-	if (!(len = _getdns_get_appdata(context, path)))
-		DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n"
-		            , __FUNC__);
-
-	else if (len + strlen(fn) >= sizeof(path))
+/*
+ * Commented out to enable fallback to current directory
+ *
+ *	if (!(len = _getdns_get_appdata(context, path)))
+ *		DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n"
+ *		            , __FUNC__);
+ *
+ *	else
+ */
+	if (len + strlen(fn) >= sizeof(path))
 		DEBUG_ANCHOR("ERROR %s(): Application data too long\n", __FUNC__);
 
 	else if (!strcpy(path + len, fn))
@@ -5124,13 +5129,18 @@ int _getdns_context_write_priv_file(getdns_context *context,
 	char path[_GETDNS_PATH_MAX], tmpfn[_GETDNS_PATH_MAX];
 	int fd = -1;
 	FILE *f = NULL;
-	size_t len;
+	size_t len = _getdns_get_appdata(context, path);
 
-	if (!(len = _getdns_get_appdata(context, path)))
-		DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n"
-		            , __FUNC__);
-
-	else if (len + 6          >= sizeof(tmpfn)
+/*
+ * Commented out to enable fallback to current directory
+ *
+ *	if (!(len = _getdns_get_appdata(context, path)))
+ *		DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n"
+ *		            , __FUNC__);
+ *
+ *	else
+ */
+	if (len + 6          >= sizeof(tmpfn)
 	     ||  len + strlen(fn) >= sizeof(path))
 		DEBUG_ANCHOR("ERROR %s(): Application data too long\n", __FUNC__);
 

From 7e2a8964109e9a4974f8b2b4d7afb2c10eacdf53 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 4 May 2018 11:28:09 +0200
Subject: [PATCH 130/303] Update stubby

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index ece119a8..1c8fb1ea 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit ece119a8d20cdb07709564300e35ce5798c63a46
+Subproject commit 1c8fb1ea2115f94644490f5d135042a4d87f98be

From 73317179902f2583aa9b24e05e8af78f2f430f2e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 4 May 2018 15:30:27 +0200
Subject: [PATCH 131/303] Fix for Fallback to current (working) directory (for
 appdata_dir).

---
 src/context.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/src/context.c b/src/context.c
index 8d6d5e13..ae974a5b 100644
--- a/src/context.c
+++ b/src/context.c
@@ -5050,6 +5050,7 @@ static size_t _getdns_get_appdata(getdns_context *context, char *path)
 			return len;
 		}
 	}
+	path[0] = '\0';
 	return 0;
 }
 
@@ -5146,15 +5147,15 @@ int _getdns_context_write_priv_file(getdns_context *context,
 
 
 	else if (snprintf(tmpfn, sizeof(tmpfn), "%sXXXXXX", path) < 0)
-		DEBUG_ANCHOR("ERROR %s(): Creating temporary filename template\n"
-		            , __FUNC__);
+		DEBUG_ANCHOR("ERROR %s(): Creating temporary filename template: \"%s\"\n"
+		            , __FUNC__, tmpfn);
 
 	else if (!strcpy(path + len, fn))
 		; /* strcpy returns path + len always */
 
 	else if ((fd = mkstemp(tmpfn)) < 0)
-		DEBUG_ANCHOR("ERROR %s(): Creating temporary file: %s\n"
-		            , __FUNC__, strerror(errno));
+		DEBUG_ANCHOR("ERROR %s(): Creating temporary file \"%s\": %s\n"
+		            , __FUNC__, tmpfn, strerror(errno));
 
 	else if (!(f = fdopen(fd, "w")))
 		DEBUG_ANCHOR("ERROR %s(): Opening temporary file: %s\n"
@@ -5203,11 +5204,18 @@ int _getdns_context_can_write_appdata(getdns_context *context)
 	if (!_getdns_context_write_priv_file(context, test_fn, &test_content))
 		return 0;
 
-	if (!(len = _getdns_get_appdata(context, path)))
-		DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n"
-		            , __FUNC__);
-
-	else if (len + strlen(test_fn) >= sizeof(path))
+	len = _getdns_get_appdata(context, path);
+/*
+ * Commented out to enable fallback to current directory
+ *
+ *
+ *	if (!(len = _getdns_get_appdata(context, path)))
+ *		DEBUG_ANCHOR("ERROR %s(): Could not get application data path\n"
+ *		            , __FUNC__);
+ *
+ *	else
+ */
+	if (len + strlen(test_fn) >= sizeof(path))
 		DEBUG_ANCHOR("ERROR %s(): Application data too long\n", __FUNC__);
 
 	else if (!strcpy(path + len, test_fn))

From 9b7999ecf26699ee45fad861c87da119cdb02116 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 4 May 2018 15:19:33 +0200
Subject: [PATCH 132/303] Update stubby

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index 1c8fb1ea..f5794751 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 1c8fb1ea2115f94644490f5d135042a4d87f98be
+Subproject commit f5794751f8a8b5f06cc2009f4ccfaa54999ec9ed

From 9d48f1cf9794dd5f75ef47c8585f936fbd18612c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 4 May 2018 15:21:05 +0200
Subject: [PATCH 133/303] Update Stubby

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index f5794751..301f34c3 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit f5794751f8a8b5f06cc2009f4ccfaa54999ec9ed
+Subproject commit 301f34c3e547fea19ee1b076c2d7324f44480f04

From 5a816f3d5121830231bf34aa9bfa8920803039ea Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 4 May 2018 15:29:14 +0200
Subject: [PATCH 134/303] Include systemd and contrib dir with stubby

---
 Makefile.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Makefile.in b/Makefile.in
index ae535276..ee6b86bb 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -221,6 +221,8 @@ $(distdir):
 	mkdir -p $(distdir)/stubby/src
 	mkdir -p $(distdir)/stubby/src/yaml
 	mkdir -p $(distdir)/stubby/doc
+	mkdir -p $(distdir)/stubby/systemd
+	mkdir -p $(distdir)/stubby/contrib/upstart
 	cp $(srcdir)/configure.ac $(distdir)
 	cp $(srcdir)/configure $(distdir)
 	cp $(srcdir)/AUTHORS $(distdir)
@@ -270,6 +272,10 @@ $(distdir):
 	cp $(srcdir)/stubby/COPYING $(distdir)/stubby
 	cp $(srcdir)/stubby/README.md $(distdir)/stubby
 	cp $(srcdir)/stubby/doc/stubby.1.in $(distdir)/stubby/doc
+	cp $(srcdir)/stubby/systemd/README.md $(distdir)/stubby/systemd
+	cp $(srcdir)/stubby/systemd/stubby.conf $(distdir)/stubby/systemd
+	cp $(srcdir)/stubby/systemd/stubby.service $(distdir)/stubby/systemd
+	cp $(srcdir)/stubby/contrib/upstart/stubby.conf $(distdir)/stubby/contrib/upstart
 	cp $(srcdir)/src/jsmn/*.[ch] $(distdir)/src/jsmn
 	cp $(srcdir)/src/jsmn/LICENSE $(distdir)/src/jsmn
 	cp $(srcdir)/src/jsmn/README.md $(distdir)/src/jsmn

From a6ec2b244927cd38c1f198b91d43016687a40601 Mon Sep 17 00:00:00 2001
From: Emery Hemingway <ehmry@posteo.net>
Date: Tue, 8 May 2018 14:58:17 +0200
Subject: [PATCH 135/303] No TCP sendto without TCP_FASTOPEN

---
 src/stub.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index 437c19cc..0a18bd37 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -760,10 +760,7 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq)
 		if (written == -1 && _getdns_socketerror() == _getdns_EISCONN) 
 			written = write(fd, netreq->query - 2, pkt_len + 2);
 #else
-		written = sendto(fd, (const char *)(netreq->query - 2),
-		    pkt_len + 2, 0,
-		    (struct sockaddr *)&(netreq->upstream->addr),
-		    netreq->upstream->addr_len);
+		written = write(fd, netreq->query - 2, pkt_len + 2);
 #endif
 		if ((written == -1 && _getdns_socketerror_wants_retry()) ||
 		    (size_t)written < pkt_len + 2) {

From 98b1ff624a3bedc375f4597dcf7e426b7fa461c8 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 11 May 2018 11:23:19 +0200
Subject: [PATCH 136/303] Memory loss with empty string bindata's

---
 src/context.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/context.c b/src/context.c
index ae974a5b..4b5a77ad 100644
--- a/src/context.c
+++ b/src/context.c
@@ -3787,13 +3787,14 @@ _getdns_strdup(const struct mem_funcs *mfs, const char *s)
         return memcpy(r, s, sz);
 }
 
+static uint8_t _getdns_bindata_nodata[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
 struct getdns_bindata *
 _getdns_bindata_copy(struct mem_funcs *mfs, size_t size, const uint8_t *data)
 {
 	/* Don't know why, but nodata allows
 	 * empty bindatas with the python bindings
 	 */
-	static uint8_t nodata[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
 	struct getdns_bindata *dst;
 
 	if (!(dst = GETDNS_MALLOC(*mfs, struct getdns_bindata)))
@@ -3807,7 +3808,7 @@ _getdns_bindata_copy(struct mem_funcs *mfs, size_t size, const uint8_t *data)
 		}
 		(void) memcpy(dst->data, data, size);
 	} else {
-		dst->data = nodata;
+		dst->data = _getdns_bindata_nodata;
 	}
 	return dst;
 }
@@ -3819,7 +3820,8 @@ _getdns_bindata_destroy(struct mem_funcs *mfs,
 	if (!bindata)
 		return;
 
-	if (bindata->size) GETDNS_FREE(*mfs, bindata->data);
+	if (bindata->data && bindata->data != _getdns_bindata_nodata)
+		GETDNS_FREE(*mfs, bindata->data);
 	GETDNS_FREE(*mfs, bindata);
 }
 

From 6c99e7b8a64dc86d2d9d364a54212968942e0370 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 11 May 2018 11:28:52 +0200
Subject: [PATCH 137/303] Bugfix getdnsapi/stubby#106: Core dump when ...

printing certain configuration. Thanks Han Vinke
---
 ChangeLog  |  2 ++
 src/dict.c | 15 +++++----------
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ceb927bd..667f56f2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 * 2018-05-??: Version 1.4.2
+  * Bugfix getdnsapi/stubby#106: Core dump when printing certain
+    configuration. Thanks Han Vinke
   * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
     up (for tld and sld), to find insecure delegations quicker.
     Thanks UniverseXXX
diff --git a/src/dict.c b/src/dict.c
index 27ed57be..0c86cd0f 100644
--- a/src/dict.c
+++ b/src/dict.c
@@ -737,21 +737,16 @@ getdns_pp_base64(gldns_buffer *buf, getdns_bindata *bindata)
 {
 	size_t p = gldns_buffer_position(buf);
 	size_t base64str_sz;
-	char *target;
-	size_t avail;
 
 	if (gldns_buffer_printf(buf, " <bindata of ") < 0)
 		return -1;
 
 	base64str_sz = gldns_b64_ntop_calculate_size(bindata->size);
-	target = (char *)gldns_buffer_current(buf);
-	avail = gldns_buffer_remaining(buf);
-	if (avail >= base64str_sz)
-		gldns_buffer_skip(buf, gldns_b64_ntop(
-		    bindata->data, bindata->size,
-		    target, base64str_sz));
-	else
-		gldns_buffer_skip(buf, base64str_sz);
+	if (!gldns_buffer_reserve(buf, base64str_sz))
+		return -1;
+
+	gldns_buffer_skip(buf, gldns_b64_ntop(bindata->data, bindata->size,
+	    (char *)gldns_buffer_current(buf), base64str_sz));
 
 	if (gldns_buffer_printf(buf, ">") < 0)
 		return -1;

From 48e0ea013c75d42d26db82f41cc8cafb49b3b065 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 11 May 2018 11:56:00 +0200
Subject: [PATCH 138/303] Include Stubby - v0.2.3 release

---
 configure.ac | 2 +-
 stubby       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 87367253..8500e38d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -53,7 +53,7 @@ AC_SUBST([runstatedir], [$with_piddir])
 # That is how it is done with semantic versioning!
 #
 AC_SUBST(RELEASE_CANDIDATE, [-rc1])
-AC_SUBST(STUBBY_RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
diff --git a/stubby b/stubby
index 301f34c3..8fb853ac 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 301f34c3e547fea19ee1b076c2d7324f44480f04
+Subproject commit 8fb853ac8d6148fd9b53fdcbc107ecd375071ec5

From 0d283fc63f58d486b8853e48460dc99c46221421 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 11 May 2018 12:02:49 +0200
Subject: [PATCH 139/303] 1.4.2 release

---
 ChangeLog    | 2 +-
 configure.ac | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 667f56f2..52a04b0b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,4 @@
-* 2018-05-??: Version 1.4.2
+* 2018-05-11: Version 1.4.2
   * Bugfix getdnsapi/stubby#106: Core dump when printing certain
     configuration. Thanks Han Vinke
   * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
diff --git a/configure.ac b/configure.ac
index 8500e38d..337fa11f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(RELEASE_CANDIDATE, [])
 AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
@@ -63,7 +63,7 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010401c1])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01040200])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@@ -104,7 +104,7 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.3$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.2.1 had libversion 8:1:2
 # getdns-1.3.0 had libversion 9:0:3
 # getdns-1.4.0 had libversion 10:0:0
-# getdns-1.4.1 has libversion 10:1:0
+# getdns-1.4.1 had libversion 10:1:0
 # getdns-1.4.2 has libversion 10:2:0
 GETDNS_LIBVERSION=10:2:0
 

From e481273ff4bb9ec73f93e204696cb71c40e370e3 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 11 May 2018 13:20:08 +0200
Subject: [PATCH 140/303] Last minute update

---
 ChangeLog                | 4 ++++
 project-doc/packages.txt | 3 +++
 src/stub.c               | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 52a04b0b..290372a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
 * 2018-05-11: Version 1.4.2
+  * Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
+    in the Windows root CA store.
+  * PR #397: No TCP sendto without TCP_FASTOPEN
+    Thanks Emery Hemingway
   * Bugfix getdnsapi/stubby#106: Core dump when printing certain
     configuration. Thanks Han Vinke
   * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
diff --git a/project-doc/packages.txt b/project-doc/packages.txt
index 3544c9ee..7e40a201 100644
--- a/project-doc/packages.txt
+++ b/project-doc/packages.txt
@@ -12,3 +12,6 @@ https://github.com/openwrt/packages/tree/master/net/stubby
 
 For AstLinux Project, created and maintained by Lonnie Abelbeck (abelbeck)
 https://github.com/astlinux-project/astlinux/tree/master/package/getdns
+
+For Genode, created and maintained by Emery Hemingway (ehmry)
+https://github.com/genodelabs/genode/blob/master/repos/ports/ports/getdns.port
diff --git a/src/stub.c b/src/stub.c
index 0a18bd37..785d9f1f 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -760,7 +760,7 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq)
 		if (written == -1 && _getdns_socketerror() == _getdns_EISCONN) 
 			written = write(fd, netreq->query - 2, pkt_len + 2);
 #else
-		written = write(fd, netreq->query - 2, pkt_len + 2);
+		written = send(fd, (const char *)(netreq->query - 2), pkt_len + 2, 0);
 #endif
 		if ((written == -1 && _getdns_socketerror_wants_retry()) ||
 		    (size_t)written < pkt_len + 2) {

From 799bd2f6b1110c0b7ee987254f0e71d369ab55a1 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Sun, 13 May 2018 11:59:14 +0200
Subject: [PATCH 141/303] Bugfix #399: Reinclude <linux/sysctl.h> in
 getentropy_linux.c

---
 src/compat/getentropy_linux.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/compat/getentropy_linux.c b/src/compat/getentropy_linux.c
index 744783cd..abb28f49 100644
--- a/src/compat/getentropy_linux.c
+++ b/src/compat/getentropy_linux.c
@@ -62,6 +62,7 @@
 
 #include <linux/types.h>
 #include <linux/random.h>
+#include <linux/sysctl.h>
 #ifdef HAVE_GETAUXVAL
 #include <sys/auxv.h>
 #endif

From 000fa94ae2374380b3bee7ad55b3aac147af1e3c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 22 May 2018 12:44:13 +0200
Subject: [PATCH 142/303] Sync ldns & utils with unbound

---
 src/gldns/import.sh    |  6 +++---
 src/gldns/keyraw.c     | 29 +++++++++++++++++++++++++++++
 src/gldns/keyraw.h     |  9 +++++++++
 src/gldns/str2wire.c   | 13 ++++++++++++-
 src/gldns/wire2str.c   | 15 ++++++++++++---
 src/util/val_secalgo.c | 16 +++++++++++++++-
 6 files changed, 80 insertions(+), 8 deletions(-)

diff --git a/src/gldns/import.sh b/src/gldns/import.sh
index ce85339c..88fcfff4 100755
--- a/src/gldns/import.sh
+++ b/src/gldns/import.sh
@@ -16,8 +16,8 @@ then
 	mv sbuffer.h gbuffer.h
 	mv sbuffer.c gbuffer.c
 else
-	svn co http://unbound.net/svn/trunk/ldns/
-	for f in ldns/*.[ch]
+	svn co http://unbound.net/svn/trunk/sldns/
+	for f in sldns/*.[ch]
 	do
 		sed -e 's/sldns_/gldns_/g' \
 		    -e 's/LDNS_/GLDNS_/g' \
@@ -27,5 +27,5 @@ else
 	done
 	mv sbuffer.h gbuffer.h
 	mv sbuffer.c gbuffer.c
-	rm -r ldns
+	rm -fr sldns
 fi
diff --git a/src/gldns/keyraw.c b/src/gldns/keyraw.c
index 365d6a0e..ed8188c8 100644
--- a/src/gldns/keyraw.c
+++ b/src/gldns/keyraw.c
@@ -89,6 +89,14 @@ gldns_rr_dnskey_key_size_raw(const unsigned char* keydata,
                 return 256;
         case GLDNS_ECDSAP384SHA384:
                 return 384;
+#endif
+#ifdef USE_ED25519
+	case GLDNS_ED25519:
+		return 256;
+#endif
+#ifdef USE_ED448
+	case GLDNS_ED448:
+		return 456;
 #endif
 	default:
 		return 0;
@@ -409,6 +417,27 @@ gldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
 }
 #endif /* USE_ED25519 */
 
+#ifdef USE_ED448
+EVP_PKEY*
+gldns_ed4482pkey_raw(const unsigned char* key, size_t keylen)
+{
+	/* ASN1 for ED448 is 3043300506032b6571033a00 <57byteskey> */
+	uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+		0x71, 0x03, 0x3a, 0x00};
+        int pre_len = 12;
+	uint8_t buf[256];
+        EVP_PKEY *evp_key;
+	/* pp gets modified by d2i() */
+        const unsigned char* pp = (unsigned char*)buf;
+	if(keylen != 57 || keylen + pre_len > sizeof(buf))
+		return NULL; /* wrong length */
+	memmove(buf, pre, pre_len);
+	memmove(buf+pre_len, key, keylen);
+	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
+        return evp_key;
+}
+#endif /* USE_ED448 */
+
 int
 gldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
 	const EVP_MD* md)
diff --git a/src/gldns/keyraw.h b/src/gldns/keyraw.h
index 3d19e96f..a847887c 100644
--- a/src/gldns/keyraw.h
+++ b/src/gldns/keyraw.h
@@ -101,6 +101,15 @@ RSA *gldns_key_buf2rsa_raw(unsigned char* key, size_t len);
  */
 EVP_PKEY* gldns_ed255192pkey_raw(const unsigned char* key, size_t len);
 
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ED448.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_ed4482pkey_raw(const unsigned char* key, size_t len);
+
 /**
  * Utility function to calculate hash using generic EVP_MD pointer.
  * \param[in] data the data to hash.
diff --git a/src/gldns/str2wire.c b/src/gldns/str2wire.c
index 8ce4b06d..26c2ea6f 100644
--- a/src/gldns/str2wire.c
+++ b/src/gldns/str2wire.c
@@ -1225,6 +1225,17 @@ int gldns_str2wire_b32_ext_buf(const char* str, uint8_t* rd, size_t* len)
 	return GLDNS_WIREPARSE_ERR_OK;
 }
 
+/** see if the string ends, or ends in whitespace */
+static int
+gldns_is_last_of_string(const char* str)
+{
+	if(*str == 0) return 1;
+	while(isspace((unsigned char)*str))
+		str++;
+	if(*str == 0) return 1;
+	return 0;
+}
+
 int gldns_str2wire_hex_buf(const char* str, uint8_t* rd, size_t* len)
 {
 	const char* s = str;
@@ -1234,7 +1245,7 @@ int gldns_str2wire_hex_buf(const char* str, uint8_t* rd, size_t* len)
 			s++;
 			continue;
 		}
-		if(dlen == 0 && *s == '0' && *(s+1) == 0) {
+		if(dlen == 0 && *s == '0' && gldns_is_last_of_string(s+1)) {
 			*len = 0;
 			return GLDNS_WIREPARSE_ERR_OK;
 		}
diff --git a/src/gldns/wire2str.c b/src/gldns/wire2str.c
index 0cba52cf..54e336d8 100644
--- a/src/gldns/wire2str.c
+++ b/src/gldns/wire2str.c
@@ -1065,7 +1065,11 @@ int gldns_wire2str_tsigtime_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	d4 = (*d)[4];
 	d5 = (*d)[5];
 	tsigtime = (d0<<40) | (d1<<32) | (d2<<24) | (d3<<16) | (d4<<8) | d5;
-	w = gldns_str_print(s, sl, "%"PRIu64, (uint64_t)tsigtime);
+#ifndef USE_WINSOCK
+	w = gldns_str_print(s, sl, "%llu", (long long)tsigtime);
+#else
+	w = gldns_str_print(s, sl, "%I64u", (long long)tsigtime);
+#endif
 	(*d)+=6;
 	(*dl)-=6;
 	return w;
@@ -1752,8 +1756,13 @@ int gldns_wire2str_edns_llq_print(char** s, size_t* sl, uint8_t* data,
 	if(error_code < llq_errors_num)
 		w += gldns_str_print(s, sl, " %s", llq_errors[error_code]);
 	else	w += gldns_str_print(s, sl, " error %d", (int)error_code);
-	w += gldns_str_print(s, sl, " id %"PRIx64" lease-life %lu",
-		(uint64_t)llq_id, (unsigned long)lease_life);
+#ifndef USE_WINSOCK
+	w += gldns_str_print(s, sl, " id %llx lease-life %lu",
+		(unsigned long long)llq_id, (unsigned long)lease_life);
+#else
+	w += gldns_str_print(s, sl, " id %I64x lease-life %lu",
+		(unsigned long long)llq_id, (unsigned long)lease_life);
+#endif
 	return w;
 }
 
diff --git a/src/util/val_secalgo.c b/src/util/val_secalgo.c
index 7f5c5181..95200a48 100644
--- a/src/util/val_secalgo.c
+++ b/src/util/val_secalgo.c
@@ -231,7 +231,10 @@ dnskey_algo_id_is_supported(int id)
 #ifdef USE_ED25519
 	case LDNS_ED25519:
 #endif
-#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
+#ifdef USE_ED448
+	case LDNS_ED448:
+#endif
+#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
 		return 1;
 #endif
 
@@ -569,6 +572,17 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 			*digest_type = NULL;
 			break;
 #endif /* USE_ED25519 */
+#ifdef USE_ED448
+		case LDNS_ED448:
+			*evp_key = sldns_ed4482pkey_raw(key, keylen);
+			if(!*evp_key) {
+				verbose(VERB_QUERY, "verify: "
+					"sldns_ed4482pkey_raw failed");
+				return 0;
+			}
+			*digest_type = NULL;
+			break;
+#endif /* USE_ED448 */
 		default:
 			verbose(VERB_QUERY, "verify: unknown algorithm %d", 
 				algo);

From 25231aa686fd2f441f7996a1796822820d2c49e2 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 8 Jun 2018 21:38:09 +0200
Subject: [PATCH 143/303] Fix finding signer of NSEC and NSEC3s

Thanks Philip Homburg
---
 ChangeLog    |   5 +++
 src/dnssec.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 111 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 290372a0..0c366782 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+* 2018-0?-??: Version 1.4.3
+  * Bugfix finding signer for validating NSEC and NSEC3s, which
+    caused trouble with the partly tracing DNSSEC from the root
+    up, introduced in 1.4.2.  Thanks Philip Homburg
+
 * 2018-05-11: Version 1.4.2
   * Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
     in the Windows root CA store.
diff --git a/src/dnssec.c b/src/dnssec.c
index c6041a7a..437b250e 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -178,7 +178,7 @@
  * "DNSSEC Validation".
  *
  * Many functions are of key verification boolean return type; e.g.
- * key_proves_non_existance(), ds_authenticates_keys(), a_key_signed_rrset()
+ * key_proves_nonexistance(), ds_authenticates_keys(), a_key_signed_rrset()
  * These will return the keytag identifying the key that was used to 
  * authenticate + 0x10000 to allow keytag 0.
  *
@@ -671,8 +671,18 @@ static chain_head *add_rrset2val_chain(struct mem_funcs *mf,
 	/* On the first chain, max_node == NULL.
 	 * Schedule a root DNSKEY query, we always need that.
 	 */
-	if (!(node[-1].parent = max_node)) {
+	if (!(node[-1].parent = max_node))
 		val_chain_sched(head, (uint8_t *)"\0");
+
+	/* For an NSEC or NSEC3 query, stop at that.  If it is valid it will
+	 * have a signature which will be chased.
+	 */
+	if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC ||
+	    head->rrset.rr_type == GETDNS_RRTYPE_NSEC3)
+		return head;
+
+	/* Otherwise, schedule key lookups for the tld and sld too. */
+	if (!max_node) {
 		if (head->node_count > 1)
 			val_chain_sched(head, node[-2].ds.name);
 		if (head->node_count > 2)
@@ -2270,6 +2280,7 @@ static int key_proves_nonexistance(
 
 	assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY);
 
+	debug_sec_print_rrset("Commencing NX proof for: ", rrset);
 	if (opt_out)
 		*opt_out = 0;
 
@@ -2319,6 +2330,14 @@ static int key_proves_nonexistance(
 	    && (keytag = a_key_signed_rrset_no_wc(
 				    mf, now, skew, keyset, &nsec_rrset))) {
 
+		/* Flag an insecure delegation via opt_out.
+		 * See usage of key_proves_nonexistance() from
+		 * chain_node_get_trusted_keys() for explanation.
+		 */
+		if (opt_out && rrset->rr_type == GETDNS_RRTYPE_DS)
+			*opt_out =  bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+			        && !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA);
+
 		debug_sec_print_rrset("NSEC NODATA proof for: ", rrset);
 		return keytag;
 	}
@@ -2464,6 +2483,15 @@ static int key_proves_nonexistance(
 		    && (   keytag & NSEC3_ITERATION_COUNT_HIGH
 		        || nsec3_matches_name(ce, rrset->name))) {
 
+			/* Flag an insecure delegation via opt_out.
+			 * See usage of key_proves_nonexistance() from
+			 * chain_node_get_trusted_keys() for explanation.
+			 */
+			if (opt_out && rrset->rr_type == GETDNS_RRTYPE_DS)
+				*opt_out =
+				    bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+				&& !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA);
+
 			debug_sec_print_rrset("NSEC3 No Data for: ", rrset);
 			return keytag;
 		}
@@ -2547,6 +2575,7 @@ static int chain_node_get_trusted_keys(
     chain_node *node, _getdns_rrset *ta, _getdns_rrset **keys)
 {
 	int s, keytag;
+	int opt_out;
 
 	/* Ascend up to the root */
 	if (! node)
@@ -2579,11 +2608,22 @@ static int chain_node_get_trusted_keys(
 		}
 		/* ta is parent's ZSK */
 		if ((keytag = key_proves_nonexistance(
-		    mf, now, skew, ta, &node->ds, NULL))) {
+		    mf, now, skew, ta, &node->ds, &opt_out))) {
 			node->ds_signer = keytag;
-			return GETDNS_DNSSEC_INSECURE;
-		}
 
+			/* When the proof is in an opt_out span, result will
+			 * be INSECURE regardless the purpose of the searched
+			 * for key.
+			 *
+			 * Otherwise, INSECURE only when this is a zonecut.
+			 * i.e. a NODATA proof, with the NS bit and no SOA bit.
+			 *
+			 * key_proves_nonexistance() will set opt_out also for
+			 * these conditions.
+			 */
+			return opt_out ? GETDNS_DNSSEC_INSECURE
+			               : GETDNS_DNSSEC_SECURE;
+		}
 		if ((keytag = a_key_signed_rrset_no_wc(
 					mf, now, skew, ta, &node->ds))) {
 			node->ds_signer = keytag;
@@ -2612,10 +2652,22 @@ static int chain_node_get_trusted_keys(
 	/* keys is an authenticated dnskey rrset always now (i.e. ZSK) */
 	ta = *keys;
 	/* Back down to the head */
+	/*************************/
 	if ((keytag = key_proves_nonexistance(
-	    mf, now, skew, ta, &node->ds, NULL))) {
+	    mf, now, skew, ta, &node->ds, &opt_out))) {
 		node->ds_signer = keytag;
-		return GETDNS_DNSSEC_INSECURE;
+
+		/* When the proof is in an opt_out span, result will be
+		 * INSECURE regardless the purpose of the searched for key.
+		 *
+		 * Otherwise, INSECURE only when this is a zonecut.
+		 * i.e. a NODATA proof, with the NS bit, but no SOA bit.
+		 *
+		 * key_proves_nonexistance() will set opt_out also for these
+		 * conditions. (NODATA of DS with NS bit and wihout SOA bit)
+		 */
+		return opt_out ? GETDNS_DNSSEC_INSECURE
+		               : GETDNS_DNSSEC_SECURE;
 	}
 	if (key_matches_signer(ta, &node->ds)) {
 		
@@ -2661,16 +2713,54 @@ static int chain_head_validate_with_ta(struct mem_funcs *mf,
 	_getdns_rrset *keys;
 	int s, keytag, opt_out;
 
-	debug_sec_print_rrset("validating ", &head->rrset);
-	debug_sec_print_rrset("with trust anchor ", ta);
+	_getdns_rrtype_iter nsec_spc, *nsec_rr;
+	_getdns_rdf_iter bitmap_spc, *bitmap;
+	chain_node *parent;
+
+	debug_sec_print_rrset("Validating ", &head->rrset);
+	debug_sec_print_rrset("\twith trust anchor ", ta);
+
+	/* Only at the apex, a NSEC is signed with a DNSKEY with the same
+	 * owner name.  All other are signed by the parent domain or higher.
+	 * Besides a shortcut, choosing to search for a trusted key from the
+	 * parent is essential for NSECs at a delagation point! (which would
+	 * otherwise turn out BOGUS).
+	 */
+	if (    head->rrset.rr_type == GETDNS_RRTYPE_NSEC
+	    &&  head->parent->parent
+	    && (nsec_rr = _getdns_rrtype_iter_init(&nsec_spc, &head->rrset))
+	    && (bitmap = _getdns_rdf_iter_init_at(
+			    &bitmap_spc, &nsec_rr->rr_i, 1))
+	    && !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA))
+		parent = head->parent->parent;
+
+	/* NSEC3 is always signed by the parent domain!
+	 * ( the ownername of the NSEC3 itself is not in the original zone!
+	 *   so a search for a trusted key at that name gives either INSECURE
+	 *   (with opt-out) or BOGUS! )
+	 */
+	else
+		if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC3
+	    && head->parent->parent)
+		parent = head->parent->parent;
+	else
+		parent = head->parent;
 
 	if ((s = chain_node_get_trusted_keys(
-	    mf, now, skew, head->parent, ta, &keys)) != GETDNS_DNSSEC_SECURE)
+	    mf, now, skew, parent, ta, &keys)) != GETDNS_DNSSEC_SECURE) {
+		debug_sec_print_rrset("Could not get trusted keys "
+		                      "for validating ", &head->rrset);
+		DEBUG_SEC("\tstatus: %d\n", (int)s);
 		return s;
+	}
+	debug_sec_print_rrset("Validating ", &head->rrset);
+	debug_sec_print_rrset("\twith keys ", keys);
 
 	if (_getdns_rrset_has_rrs(&head->rrset)) {
 		if ((keytag = a_key_signed_rrset(
 		    mf, now, skew, keys, &head->rrset))) {
+			DEBUG_SEC("Key %d proved\n", (int)keytag);
+			debug_sec_print_rrset("\tSECURE: ", &head->rrset);
 			head->signer = keytag;
 			return GETDNS_DNSSEC_SECURE;
 
@@ -2679,15 +2769,21 @@ static int chain_head_validate_with_ta(struct mem_funcs *mf,
 					skew, keys, &head->rrset, &opt_out))
 				&& opt_out) {
 
+			DEBUG_SEC("Key %d proved (optout)\n", (int)keytag);
+			debug_sec_print_rrset("\tINSECURE: ", &head->rrset);
 			head->signer = keytag;
 			return GETDNS_DNSSEC_INSECURE;
 		}
 	} else if ((keytag = key_proves_nonexistance(mf, now, skew,
 					keys, &head->rrset, &opt_out))) {
+		DEBUG_SEC("Key %d proved (NX)\n", (int)keytag);
+		debug_sec_print_rrset("\tSECURE: ", &head->rrset);
 		head->signer = keytag;
 		return opt_out || (keytag & NSEC3_ITERATION_COUNT_HIGH)
 		     ? GETDNS_DNSSEC_INSECURE : GETDNS_DNSSEC_SECURE;
 	}
+	debug_sec_print_rrset("BOGUS: ", &head->rrset);
+	debug_sec_print_rrset("\twith trust anchor: ", ta);
 	return GETDNS_DNSSEC_BOGUS;
 }
 

From 884f6ddc5eea377bcb2d6c2250db70ec8700464c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Sun, 10 Jun 2018 16:57:40 +0200
Subject: [PATCH 144/303] DS is always a delegation and never at the apex

---
 src/dnssec.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 437b250e..fd8ac932 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2720,13 +2720,18 @@ static int chain_head_validate_with_ta(struct mem_funcs *mf,
 	debug_sec_print_rrset("Validating ", &head->rrset);
 	debug_sec_print_rrset("\twith trust anchor ", ta);
 
+	/* A DS is never at the apex */
+	if (   head->rrset.rr_type == GETDNS_RRTYPE_DS
+	    && head->parent->parent)
+		parent = head->parent->parent;
+
 	/* Only at the apex, a NSEC is signed with a DNSKEY with the same
 	 * owner name.  All other are signed by the parent domain or higher.
 	 * Besides a shortcut, choosing to search for a trusted key from the
 	 * parent is essential for NSECs at a delagation point! (which would
 	 * otherwise turn out BOGUS).
 	 */
-	if (    head->rrset.rr_type == GETDNS_RRTYPE_NSEC
+	else if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC
 	    &&  head->parent->parent
 	    && (nsec_rr = _getdns_rrtype_iter_init(&nsec_spc, &head->rrset))
 	    && (bitmap = _getdns_rdf_iter_init_at(
@@ -2739,8 +2744,7 @@ static int chain_head_validate_with_ta(struct mem_funcs *mf,
 	 *   so a search for a trusted key at that name gives either INSECURE
 	 *   (with opt-out) or BOGUS! )
 	 */
-	else
-		if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC3
+	else if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC3
 	    && head->parent->parent)
 		parent = head->parent->parent;
 	else

From 9b4e8e9e91618e8735c58d05b12f52cec2c760db Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 12 Jun 2018 16:37:46 +0200
Subject: [PATCH 145/303] X509_get_notAfter not in OpenSSL 1.1.1 anymore

---
 configure.ac                  | 2 +-
 src/tools/getdns_server_mon.c | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 337fa11f..67636c57 100644
--- a/configure.ac
+++ b/configure.ac
@@ -417,7 +417,7 @@ fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host])
+AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index c5aa6741..360bf520 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -25,6 +25,7 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include "config.h"
 #include <ctype.h>
 #include <stdarg.h>
 #include <stdbool.h>
@@ -217,8 +218,11 @@ static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t
 
         int day_diff, sec_diff;
         const long SECS_IN_DAY = 60 * 60 * 24;
-        ASN1_TIME *not_after = X509_get_notAfter(cert);
-
+#if defined(X509_get_notAfter) || defined(HAVE_X509_GET_NOTAFTER)
+        const ASN1_TIME *not_after = X509_get_notAfter(cert);
+#elif defined(X509_get0_notAfter) || defined(HAVE_X509_GET0_NOTAFTER)
+        const ASN1_TIME *not_after = X509_get0_notAfter(cert);
+#endif
         *t = time(NULL);
 
 #if OPENSSL_VERSION_NUMBER < 0x10002000 || defined(LIBRESSL_VERSION_NUMBER)

From 12589d85c26258e65d817ea92d3d0b07a5feed7c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 12 Jun 2018 17:00:45 +0200
Subject: [PATCH 146/303] Wild guess at OpenSSL without engine support

---
 src/gldns/keyraw.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/gldns/keyraw.c b/src/gldns/keyraw.c
index ed8188c8..7fa5bc10 100644
--- a/src/gldns/keyraw.c
+++ b/src/gldns/keyraw.c
@@ -20,8 +20,11 @@
 #include <openssl/rand.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
+#ifdef HAVE_OPENSSL_CONF_H
+# include <openssl/conf.h>
+#endif
 #ifdef HAVE_OPENSSL_ENGINE_H
-#  include <openssl/engine.h>
+# include <openssl/engine.h>
 #endif
 #ifdef HAVE_OPENSSL_BN_H
 #include <openssl/bn.h>
@@ -130,6 +133,16 @@ uint16_t gldns_calc_keytag_raw(const uint8_t* key, size_t keysize)
 #ifdef HAVE_SSL
 #ifdef USE_GOST
 /** store GOST engine reference loaded into OpenSSL library */
+#ifdef OPENSSL_NO_ENGINE
+int
+gldns_key_EVP_load_gost_id(void)
+{
+	return 0;
+}
+void gldns_key_EVP_unload_gost(void)
+{
+}
+#else
 ENGINE* gldns_gost_engine = NULL;
 
 int
@@ -189,6 +202,7 @@ void gldns_key_EVP_unload_gost(void)
                 gldns_gost_engine = NULL;
         }
 }
+#endif /* ifndef OPENSSL_NO_ENGINE */
 #endif /* USE_GOST */
 
 DSA *

From d9fdd4c10dfc9ce6286e948f8a23b4dfdaef5eba Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 14 Nov 2018 18:11:49 +0000
Subject: [PATCH 147/303] Abstracting TLS; let's start with context only.

Change data types in context.h and fix up context.c. Do minimal fixups to stub.c.
---
 src/Makefile.in   | 273 ++++++++++++++-------------------
 src/context.c     | 202 ++++---------------------
 src/context.h     |   7 +-
 src/openssl/tls.c | 375 ++++++++++++++++++++++++++++++++++++++++++++++
 src/openssl/tls.h |  84 +++++++++++
 src/stub.c        |  83 +++++-----
 6 files changed, 639 insertions(+), 385 deletions(-)
 create mode 100644 src/openssl/tls.c
 create mode 100644 src/openssl/tls.h

diff --git a/src/Makefile.in b/src/Makefile.in
index 1059afca..de5f3e26 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -56,7 +56,7 @@ stubbysrcdir = $(srcdir)/../stubby
 LIBTOOL = ../libtool
 
 CC=@CC@
-CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
+CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/openssl -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
 WPEDANTICFLAG=@WPEDANTICFLAG@
 WNOERRORFLAG=@WNOERRORFLAG@
 LDFLAGS=@LDFLAGS@ @LIBS@
@@ -94,6 +94,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 UTIL_OBJ=rbtree.lo val_secalgo.lo lruhash.lo lookup3.lo locks.lo
 
 JSMN_OBJ=jsmn.lo
+TLS_OBJ=tls.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
@@ -133,6 +134,9 @@ $(UTIL_OBJ):
 $(JSMN_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -DJSMN_GETDNS -c $(srcdir)/jsmn/$(@:.lo=.c) -o $@
 
+$(TLS_OBJ):
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/openssl/$(@:.lo=.c) -o $@
+
 $(YAML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
 
@@ -194,8 +198,8 @@ libgetdns_ext_uv.la: libgetdns.la libuv.lo
 libgetdns_ext_ev.la: libgetdns.la libev.lo
 	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libev.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEV_LDFLAGS) $(EXTENSION_LIBEV_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libev.symbols
 
-libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS)
-	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
+libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS)
+	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
 
 test: default
 	cd test && $(MAKE) $@
@@ -271,13 +275,14 @@ Makefile: $(srcdir)/Makefile.in ../config.status
 depend:
 	(cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
 
-	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
+	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
 		sed -e "s? $$blddir/? ?g" \
 		    -e 's? gldns/? $$(srcdir)/gldns/?g' \
 		    -e 's? compat/? $$(srcdir)/compat/?g' \
 		    -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \
 		    -e 's? util/? $$(srcdir)/util/?g' \
 		    -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
+		    -e 's? openssl/? $$(srcdir)/openssl/?g' \
 		    -e 's? yxml/? $$(srcdir)/yxml/?g' \
 		    -e 's? ssl_dane/? $$(srcdir)/ssl_dane/?g' \
 		    -e 's? extension/? $$(srcdir)/extension/?g' \
@@ -299,137 +304,104 @@ depend:
 FORCE:
 
 # Dependencies for gldns, utils, the extensions and compat functions
-anchor.lo anchor.o: $(srcdir)/anchor.c \
- config.h \
+anchor.lo anchor.o: $(srcdir)/anchor.c config.h \
  $(srcdir)/debug.h $(srcdir)/anchor.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
 const-info.lo const-info.o: $(srcdir)/const-info.c \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/const-info.h
-context.lo context.o: $(srcdir)/context.c \
- config.h \
- $(srcdir)/anchor.h \
- getdns/getdns.h \
+context.lo context.o: $(srcdir)/context.c config.h \
+ $(srcdir)/anchor.h getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \
  $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h
-convert.lo convert.o: $(srcdir)/convert.c \
- config.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h \
+ $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \
+ $(srcdir)/const-info.h
+convert.lo convert.o: $(srcdir)/convert.c config.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \
- $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h
-dict.lo dict.o: $(srcdir)/dict.c \
- config.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
+ $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h \
+ $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h $(srcdir)/debug.h
+dict.lo dict.o: $(srcdir)/dict.c config.h \
  $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/parseutil.h
-dnssec.lo dnssec.o: $(srcdir)/dnssec.c \
- config.h \
- $(srcdir)/debug.h \
- getdns/getdns.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h
+dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
+ $(srcdir)/debug.h getdns/getdns.h \
  $(srcdir)/context.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h \
- $(srcdir)/util/orig-headers/val_secalgo.h
-general.lo general.o: $(srcdir)/general.c \
- config.h \
- $(srcdir)/general.h \
- getdns/getdns.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \
+ $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h
+general.lo general.o: $(srcdir)/general.c config.h \
+ $(srcdir)/general.h getdns/getdns.h \
  $(srcdir)/types-internal.h \
  getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h \
- $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/platform.h
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h
 list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \
- config.h \
- $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/list.h $(srcdir)/dict.h
-mdns.lo mdns.o: $(srcdir)/mdns.c \
- config.h \
+ config.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/list.h $(srcdir)/dict.h
+mdns.lo mdns.o: $(srcdir)/mdns.c config.h \
  $(srcdir)/debug.h $(srcdir)/context.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h \
- $(srcdir)/platform.h $(srcdir)/mdns.h $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/lookup3.h \
- $(srcdir)/util/orig-headers/lookup3.h
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
 platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \
  config.h
 pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \
- config.h \
- $(srcdir)/debug.h \
- getdns/getdns.h \
- $(srcdir)/context.h \
+ config.h $(srcdir)/debug.h \
+ getdns/getdns.h $(srcdir)/context.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h
 request-internal.lo request-internal.o: $(srcdir)/request-internal.c \
- config.h \
- $(srcdir)/types-internal.h \
+ config.h $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h
 rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
  config.h \
  getdns/getdns.h \
@@ -437,26 +409,20 @@ rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \
- $(srcdir)/dict.h
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \
+ $(srcdir)/openssl/tls.h $(srcdir)/dict.h
 rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
  config.h \
  getdns/getdns.h \
  $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h
-server.lo server.o: $(srcdir)/server.c \
- config.h \
+server.lo server.o: $(srcdir)/server.c config.h \
  getdns/getdns_extra.h \
- getdns/getdns.h \
- $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ getdns/getdns.h $(srcdir)/context.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/platform.h
-stub.lo stub.o: $(srcdir)/stub.c \
- config.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h
+stub.lo stub.o: $(srcdir)/stub.c config.h \
  $(srcdir)/debug.h $(srcdir)/stub.h \
  getdns/getdns.h \
  $(srcdir)/types-internal.h \
@@ -464,61 +430,48 @@ stub.lo stub.o: $(srcdir)/stub.c \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \
  $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/anchor.h \
- $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h
-sync.lo sync.o: $(srcdir)/sync.c \
- getdns/getdns.h \
- config.h \
- $(srcdir)/context.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \
+ $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h
+sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \
+ config.h $(srcdir)/context.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
 ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \
- config.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h
+ config.h
 util-internal.lo util-internal.o: $(srcdir)/util-internal.c \
  config.h \
- getdns/getdns.h \
- $(srcdir)/dict.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
- $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h
+ getdns/getdns.h $(srcdir)/dict.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
+ getdns/getdns_extra.h $(srcdir)/list.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
+ $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h
 gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
- config.h \
- $(srcdir)/gldns/gbuffer.h
+ config.h $(srcdir)/gldns/gbuffer.h
 keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
- config.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/rrdef.h
+ config.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/gldns/rrdef.h
 parse.lo parse.o: $(srcdir)/gldns/parse.c \
- config.h \
- $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
+ config.h $(srcdir)/gldns/parse.h \
+ $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \
- config.h \
- $(srcdir)/gldns/parseutil.h
+ config.h $(srcdir)/gldns/parseutil.h
 rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \
- config.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h
+ config.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/parseutil.h
 str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
- config.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h
+ config.h $(srcdir)/gldns/str2wire.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \
+ $(srcdir)/gldns/parseutil.h
 wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
- config.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h
+ config.h $(srcdir)/gldns/wire2str.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h
 arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
  config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
@@ -547,8 +500,7 @@ strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \
  config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c \
  config.h
-locks.lo locks.o: $(srcdir)/util/locks.c \
- config.h \
+locks.lo locks.o: $(srcdir)/util/locks.c config.h \
  $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h
 lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \
  config.h \
@@ -560,10 +512,10 @@ lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \
  $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
  $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
- config.h \
- $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \
- $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h
+ config.h $(srcdir)/util/auxiliary/log.h \
+ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \
+ $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h
 val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \
  config.h \
  $(srcdir)/util/auxiliary/util/data/packed_rrset.h \
@@ -573,40 +525,37 @@ val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \
  $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
  $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
+tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
+ $(srcdir)/openssl/tls.h getdns/getdns.h
 yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
 danessl.lo danessl.o: $(srcdir)/ssl_dane/danessl.c $(srcdir)/ssl_dane/danessl.h
 libev.lo libev.o: $(srcdir)/extension/libev.c \
- config.h \
- $(srcdir)/types-internal.h \
+ config.h $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h
 libevent.lo libevent.o: $(srcdir)/extension/libevent.c \
- config.h \
- $(srcdir)/types-internal.h \
+ config.h $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h
 libuv.lo libuv.o: $(srcdir)/extension/libuv.c \
- config.h \
- $(srcdir)/debug.h $(srcdir)/types-internal.h \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h
 poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
- config.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h \
- getdns/getdns.h \
+ config.h $(srcdir)/util-internal.h \
+ $(srcdir)/context.h getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/platform.h
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/platform.h $(srcdir)/debug.h
 select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \
- config.h \
- $(srcdir)/debug.h $(srcdir)/types-internal.h \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \
diff --git a/src/context.c b/src/context.c
index 56d827ee..c0f4f8e1 100644
--- a/src/context.c
+++ b/src/context.c
@@ -47,20 +47,12 @@
 #include <iphlpapi.h>
 typedef unsigned short in_port_t;
 
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/bio.h>
-
 #include <stdio.h>
 #include <windows.h>
 #include <wincrypt.h>
 #include <shlobj.h>
 #endif
 
-#include <openssl/opensslv.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
 #include <sys/stat.h>
 #include <string.h>
 #include <stdio.h>
@@ -94,6 +86,7 @@ typedef unsigned short in_port_t;
 # include "ssl_dane/danessl.h"
 #endif
 #include "const-info.h"
+#include "tls.h"
 
 #define GETDNS_PORT_ZERO 0
 #define GETDNS_PORT_DNS 53
@@ -182,98 +175,6 @@ _getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s)
     }
 }
 
-#ifdef USE_WINSOCK
-/* For windows, the CA trust store is not read by openssl. 
-   Add code to open the trust store using wincrypt API and add
-   the root certs into openssl trust store */
-static int 
-add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
-{
-	HCERTSTORE      hSystemStore;
-	PCCERT_CONTEXT  pTargetCert = NULL;
-
-	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-		"Adding Windows certificates from system root store to CA store");
-
-	/* load just once per context lifetime for this version of getdns
-	   TODO: dynamically update CA trust changes as they are available */
-	if (!tls_ctx)
-		return 0;
-
-	/* Call wincrypt's CertOpenStore to open the CA root store. */
-
-	if ((hSystemStore = CertOpenStore(
-		CERT_STORE_PROV_SYSTEM,
-		0,
-		0,
-		/* NOTE: mingw does not have this const: replace with 1 << 16 from code 
-		   CERT_SYSTEM_STORE_CURRENT_USER, */
-		1 << 16,
-		L"root")) == 0)
-	{
-		return 0;
-	}
-
-	X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx);
-	if (!store)
-		return 0;
-
-	/* failure if the CA store is empty or the call fails */
-	if ((pTargetCert = CertEnumCertificatesInStore(
-		hSystemStore, pTargetCert)) == 0) {
-		DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-			"CA certificate store for Windows is empty.");
-			return 0;
-	}
-	/* iterate over the windows cert store and add to openssl store */
-	do 
-	{
-		X509 *cert1 = d2i_X509(NULL, 
-			(const unsigned char **)&pTargetCert->pbCertEncoded,
-			pTargetCert->cbCertEncoded);
-		if (!cert1) {
-			/* return error if a cert fails */
-			DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-				"Unable to parse certificate in memory",
-				ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
-			return 0;
-		}
-		else {
-			/* return error if a cert add to store fails */
-			if (X509_STORE_add_cert(store, cert1) == 0) {
-				unsigned long error = ERR_peek_last_error();
- 
-				/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
-				* certificate is already in the store.  */ 
-				if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
-				   ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
-					DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-					    "Error adding certificate", ERR_get_error(),
-					     ERR_error_string(ERR_get_error(), NULL));
-					X509_free(cert1);
-					return 0;
-				}
-			}
-			X509_free(cert1);
-		}
-	} while ((pTargetCert = CertEnumCertificatesInStore(
-		hSystemStore, pTargetCert)) != 0);
-
-	/* Clean up memory and quit. */
-	if (pTargetCert)
-		CertFreeCertificateContext(pTargetCert);
-	if (hSystemStore)
-	{
-		if (!CertCloseStore(
-			hSystemStore, 0))
-			return 0;
-	}
-	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-		"Completed adding Windows certificates to CA store successfully");
-	return 1;
-}
-#endif
-
 static uint8_t*
 upstream_addr(getdns_upstream *upstream)
 {
@@ -755,17 +656,17 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 			}
 		}
 		if (upstream->tls_session != NULL)
-			SSL_SESSION_free(upstream->tls_session);
+			_getdns_tls_session_free(upstream->tls_session);
 
 		if (upstream->tls_obj != NULL) {
-			SSL_shutdown(upstream->tls_obj);
+			_getdns_tls_connection_shutdown(upstream->tls_obj);
 #ifdef USE_DANESSL
 # if defined(STUB_DEBUG) && STUB_DEBUG
 			_stub_debug_print_openssl_errors();
 # endif
-			DANESSL_cleanup(upstream->tls_obj);
+			DANESSL_cleanup(upstream->tls_obj->ssl);
 #endif
-			SSL_free(upstream->tls_obj);
+			_getdns_tls_connection_free(upstream->tls_obj);
 		}
 		if (upstream->fd != -1)
 		{
@@ -877,14 +778,14 @@ _getdns_upstream_reset(getdns_upstream *upstream)
 		    upstream->loop, &upstream->event);
 	}
 	if (upstream->tls_obj != NULL) {
-		SSL_shutdown(upstream->tls_obj);
+		_getdns_tls_connection_shutdown(upstream->tls_obj);
 #ifdef USE_DANESSL
 # if defined(STUB_DEBUG) && STUB_DEBUG
 		_stub_debug_print_openssl_errors();
 # endif
-		DANESSL_cleanup(upstream->tls_obj);
+		DANESSL_cleanup(upstream->tls_obj->ssl);
 #endif
-		SSL_free(upstream->tls_obj);
+		_getdns_tls_connection_free(upstream->tls_obj);
 		upstream->tls_obj = NULL;
 	}
 	if (upstream->fd != -1) {
@@ -1689,18 +1590,7 @@ getdns_context_create_with_extended_memory_functions(
 #endif
 	/* Only initialise SSL once and ideally in a thread-safe manner */
 	if (ssl_init == false) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-		OpenSSL_add_all_algorithms();
-		SSL_library_init();
-# ifdef USE_DANESSL
-		(void) DANESSL_library_init();
-# endif
-#else
-		OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS
-		                   | OPENSSL_INIT_ADD_ALL_DIGESTS
-		                   | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-		(void)OPENSSL_init_ssl(0, NULL);
-#endif
+		_getdns_tls_init();
 		ssl_init = true;
 	}
 #ifdef HAVE_PTHREAD
@@ -1826,7 +1716,7 @@ getdns_context_destroy(struct getdns_context *context)
 		GETDNS_FREE(context->my_mf, context->dns_transports);
 
 	if (context->tls_ctx)
-		SSL_CTX_free(context->tls_ctx);
+		_getdns_tls_context_free(context->tls_ctx);
 
 	getdns_list_destroy(context->dns_root_servers);
 
@@ -3121,7 +3011,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				(void) getdns_dict_get_bindata(
 				    dict, "tls_curves_list", &tls_curves_list);
 				if (tls_curves_list) {
-#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
+#if HAVE_TLS_CONN_CURVES_LIST					
 					upstream->tls_curves_list = 
 					    _getdns_strdup2(&upstreams->mf
 					                   , tls_curves_list);
@@ -3168,7 +3058,7 @@ invalid_parameter:
 error:
 	_getdns_upstreams_dereference(upstreams);
 	return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
-#if !defined(HAVE_DECL_SSL_SET1_CURVES_LIST) || !HAVE_DECL_SSL_SET1_CURVES_LIST
+#if !HAVE_TLS_CONN_CURVES_LIST
 not_implemented:
 	_getdns_upstreams_dereference(upstreams);
 	return GETDNS_RETURN_NOT_IMPLEMENTED;
@@ -3690,46 +3580,31 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 
 		if (context->tls_ctx == NULL) {
 #ifdef HAVE_TLS_v1_2
-			/* Create client context, use TLS v1.2 only for now */
-#  ifdef HAVE_TLS_CLIENT_METHOD
-			context->tls_ctx = SSL_CTX_new(TLS_client_method());
-#  else
-			context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
-#  endif
-			if(context->tls_ctx == NULL)
+			context->tls_ctx = _getdns_tls_context_new();
+			if (context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
 
-#  ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
-			if (!SSL_CTX_set_min_proto_version(
-			    context->tls_ctx, TLS1_2_VERSION)) {
-				SSL_CTX_free(context->tls_ctx);
+			r = _getdns_tls_context_set_min_proto_1_2(context->tls_ctx);
+			if (r && r != GETDNS_RETURN_NOT_IMPLEMENTED) {
+				_getdns_tls_context_free(context->tls_ctx);
 				context->tls_ctx = NULL;
 				return GETDNS_RETURN_BAD_CONTEXT;
 			}
-#  endif
 			/* Be strict and only use the cipher suites recommended in RFC7525
 			   Unless we later fallback to opportunistic. */
-			if (!SSL_CTX_set_cipher_list(context->tls_ctx,
+			if (_getdns_tls_context_set_cipher_list(context->tls_ctx,
 			    context->tls_cipher_list ? context->tls_cipher_list
 			                             : _getdns_default_tls_cipher_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
 
-#  if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
 			if (context->tls_curves_list &&
-			    !SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
+			    _getdns_tls_context_set_curves_list(context->tls_ctx, context->tls_curves_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
-#  endif
+			
+			
 			/* For strict authentication, we must have local root certs available
 		       Set up is done only when the tls_ctx is created (per getdns_context)*/
-			if ((context->tls_ca_file || context->tls_ca_path) &&
-			    SSL_CTX_load_verify_locations(context->tls_ctx
-				    , context->tls_ca_file, context->tls_ca_path))
-				; /* pass */
-#  ifndef USE_WINSOCK
-			else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
-#  else
-			else if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) {
-#  endif /* USE_WINSOCK */
+			if (!_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path)) {
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}
@@ -3739,7 +3614,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 #   else
 			(void)
 #   endif
-				SSL_CTX_dane_enable(context->tls_ctx);
+				SSL_CTX_dane_enable(context->tls_ctx->ssl);
 			DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
 			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 #  elif defined(USE_DANESSL)
@@ -3748,7 +3623,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 #   else
 			(void)
 #   endif
-				DANESSL_CTX_init(context->tls_ctx);
+				DANESSL_CTX_init(context->tls_ctx->ssl);
 			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n"
 			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 #  endif
@@ -4159,32 +4034,7 @@ getdns_context_get_api_information(getdns_context* context)
 	    && ! getdns_dict_util_set_string(
 	    result, "default_hosts_location", GETDNS_FN_HOSTS)
 
-	    && ! getdns_dict_set_int(
-	    result, "openssl_build_version_number", OPENSSL_VERSION_NUMBER)
-
-#ifdef HAVE_OPENSSL_VERSION_NUM
-	    && ! getdns_dict_set_int(
-	    result, "openssl_version_number", OpenSSL_version_num())
-#endif
-#ifdef HAVE_OPENSSL_VERSION
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION))
-	    
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS))
-
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON))
-
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM))
-
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_dir", OpenSSL_version(OPENSSL_DIR))
-
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR))
-#endif
+	    && ! _getdns_tls_get_api_information(result)
 
 	    && ! getdns_dict_set_int(
 	    result, "resolution_type", context->resolution_type)
@@ -5497,7 +5347,7 @@ getdns_context_set_tls_curves_list(
 {
 	if (!context)
 		return GETDNS_RETURN_INVALID_PARAMETER;
-#if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+#if HAVE_TLS_CTX_CURVES_LIST
 	if (context->tls_curves_list)
 		GETDNS_FREE(context->mf, context->tls_curves_list);
 	context->tls_curves_list = tls_curves_list
diff --git a/src/context.h b/src/context.h
index 27dd2bee..61e7fc5d 100644
--- a/src/context.h
+++ b/src/context.h
@@ -50,6 +50,7 @@
 #endif
 #include "rr-iter.h"
 #include "anchor.h"
+#include "tls.h"
 
 struct getdns_dns_req;
 struct ub_ctx;
@@ -201,8 +202,8 @@ typedef struct getdns_upstream {
 	_getdns_rbtree_t         netreq_by_query_id;
 
     /* TLS specific connection handling*/
-	SSL*                     tls_obj;
-	SSL_SESSION*             tls_session;
+	_getdns_tls_connection*  tls_obj;
+	_getdns_tls_session*     tls_session;
 	getdns_tls_hs_state_t    tls_hs_state;
 	getdns_auth_state_t      tls_auth_state;
 	unsigned                 tls_fallback_ok : 1;
@@ -371,7 +372,7 @@ struct getdns_context {
 	int edns_maximum_udp_payload_size; /* -1 is unset */
 	uint8_t edns_client_subnet_private;
 	uint16_t tls_query_padding_blocksize;
-	SSL_CTX* tls_ctx;
+	_getdns_tls_context* tls_ctx;
 
 	getdns_update_callback  update_callback;
 	getdns_update_callback2 update_callback2;
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
new file mode 100644
index 00000000..f6a663a6
--- /dev/null
+++ b/src/openssl/tls.c
@@ -0,0 +1,375 @@
+/**
+ *
+ * \file tls.c
+ * @brief getdns TLS functions
+ */
+
+/*
+ * Copyright (c) 2018, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/bio.h>
+#include <openssl/ssl.h>
+
+#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+
+#include "tls.h"
+
+#ifdef USE_DANESSL
+# include "ssl_dane/danessl.h"
+#endif
+
+#ifdef USE_WINSOCK
+/* For windows, the CA trust store is not read by openssl.
+   Add code to open the trust store using wincrypt API and add
+   the root certs into openssl trust store */
+static int
+add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
+{
+	HCERTSTORE      hSystemStore;
+	PCCERT_CONTEXT  pTargetCert = NULL;
+
+	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+		"Adding Windows certificates from system root store to CA store");
+
+	/* load just once per context lifetime for this version of getdns
+	   TODO: dynamically update CA trust changes as they are available */
+	if (!tls_ctx)
+		return 0;
+
+	/* Call wincrypt's CertOpenStore to open the CA root store. */
+
+	if ((hSystemStore = CertOpenStore(
+		CERT_STORE_PROV_SYSTEM,
+		0,
+		0,
+		/* NOTE: mingw does not have this const: replace with 1 << 16 from code
+		   CERT_SYSTEM_STORE_CURRENT_USER, */
+		1 << 16,
+		L"root")) == 0)
+	{
+		return 0;
+	}
+
+	X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx);
+	if (!store)
+		return 0;
+
+	/* failure if the CA store is empty or the call fails */
+	if ((pTargetCert = CertEnumCertificatesInStore(
+		hSystemStore, pTargetCert)) == 0) {
+		DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+			"CA certificate store for Windows is empty.");
+			return 0;
+	}
+	/* iterate over the windows cert store and add to openssl store */
+	do
+	{
+		X509 *cert1 = d2i_X509(NULL,
+			(const unsigned char **)&pTargetCert->pbCertEncoded,
+			pTargetCert->cbCertEncoded);
+		if (!cert1) {
+			/* return error if a cert fails */
+			DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+				"Unable to parse certificate in memory",
+				ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
+			return 0;
+		}
+		else {
+			/* return error if a cert add to store fails */
+			if (X509_STORE_add_cert(store, cert1) == 0) {
+				unsigned long error = ERR_peek_last_error();
+
+				/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
+				* certificate is already in the store.  */
+				if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
+				   ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+					DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+					    "Error adding certificate", ERR_get_error(),
+					     ERR_error_string(ERR_get_error(), NULL));
+					X509_free(cert1);
+					return 0;
+				}
+			}
+			X509_free(cert1);
+		}
+	} while ((pTargetCert = CertEnumCertificatesInStore(
+		hSystemStore, pTargetCert)) != 0);
+
+	/* Clean up memory and quit. */
+	if (pTargetCert)
+		CertFreeCertificateContext(pTargetCert);
+	if (hSystemStore)
+	{
+		if (!CertCloseStore(
+			hSystemStore, 0))
+			return 0;
+	}
+	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+		"Completed adding Windows certificates to CA store successfully");
+	return 1;
+}
+#endif
+
+void _getdns_tls_init()
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+	OpenSSL_add_all_algorithms();
+	SSL_library_init();
+
+# ifdef USE_DANESSL
+		(void) DANESSL_library_init();
+# endif
+#else
+	OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS
+	                   | OPENSSL_INIT_ADD_ALL_DIGESTS
+	                   | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+	(void)OPENSSL_init_ssl(0, NULL);
+#endif
+}
+
+_getdns_tls_context* _getdns_tls_context_new()
+{
+	_getdns_tls_context* res;
+
+	if (!(res = malloc(sizeof(struct _getdns_tls_context))))
+		return NULL;
+
+	/* Create client context, use TLS v1.2 only for now */
+#  ifdef HAVE_TLS_CLIENT_METHOD
+	res->ssl = SSL_CTX_new(TLS_client_method());
+#  else
+	res->ssl = SSL_CTX_new(TLSv1_2_client_method());
+#  endif
+	if(res->ssl == NULL) {
+		free(res);
+		return NULL;
+	}
+	return res;
+}
+
+getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx)
+{
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	SSL_CTX_free(ctx->ssl);
+	free(ctx);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
+{
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (!SSL_CTX_set_min_proto_version(ctx->ssl, TLS1_2_VERSION))
+		return GETDNS_RETURN_BAD_CONTEXT;
+	return GETDNS_RETURN_GOOD;
+#else
+	(void) ctx;
+	return GETDNS_RETURN_NOT_IMPLEMENTED;
+#endif
+}
+
+getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list)
+{
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (!SSL_CTX_set_cipher_list(ctx->ssl, list))
+		return GETDNS_RETURN_BAD_CONTEXT;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list)
+{
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+#if HAVE_TLS_CTX_CURVES_LIST
+	if (list &&
+	    !SSL_CTX_set1_curves_list(ctx->ssl, list))
+		return GETDNS_RETURN_BAD_CONTEXT;
+#else
+	(void) list;
+#endif
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path)
+{
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if ((file || path) &&
+	    SSL_CTX_load_verify_locations(ctx->ssl, file, path))
+		return GETDNS_RETURN_GOOD; /* pass */
+#ifndef USE_WINSOCK
+	else if (SSL_CTX_set_default_verify_paths(ctx->ssl))
+		return GETDNS_RETURN_GOOD;
+#else
+	else if (add_WIN_cacerts_to_openssl_store(ctx->ssl))
+		return GETDNS_RETURN_GOOD;
+#endif /* USE_WINSOCK */
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd)
+{
+	_getdns_tls_connection* res;
+
+	if (!ctx || !ctx->ssl)
+		return NULL;
+
+	if (!(res = malloc(sizeof(struct _getdns_tls_connection))))
+		return NULL;
+
+	res->ssl = SSL_new(ctx->ssl);
+	if (!res->ssl) {
+		free(res);
+		return NULL;
+	}
+
+	if (!SSL_set_fd(res->ssl, fd)) {
+		SSL_free(res->ssl);
+		free(res);
+		return NULL;
+	}
+
+	return res;
+}
+
+getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	SSL_free(conn->ssl);
+	free(conn);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	switch(SSL_shutdown(conn->ssl))
+	{
+	case 0:		return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
+	case 1:		return GETDNS_RETURN_GOOD;
+	default:	return GETDNS_RETURN_GENERIC_ERROR;
+	}
+}
+
+getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (!SSL_set_cipher_list(conn->ssl, list))
+		return GETDNS_RETURN_BAD_CONTEXT;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+#if HAVE_TLS_CONN_CURVES_LIST
+	if (list &&
+	    !SSL_set1_curves_list(conn->ssl, list))
+		return GETDNS_RETURN_BAD_CONTEXT;
+#else
+	(void) list;
+#endif
+	return GETDNS_RETURN_GOOD;
+}
+
+_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn)
+{
+	_getdns_tls_session* res;
+
+	if (!conn || !conn->ssl)
+		return NULL;
+
+	if (!(res = malloc(sizeof(struct _getdns_tls_session))))
+		return NULL;
+
+	res->ssl = SSL_get1_session(conn->ssl);
+	if (!res->ssl) {
+		free(res);
+		return NULL;
+	}
+
+	return res;
+}
+
+getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s)
+{
+	if (!s || !s->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	SSL_SESSION_free(s->ssl);
+	free(s);
+	return GETDNS_RETURN_GOOD;
+}
+
+
+
+getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict)
+{
+	if (! getdns_dict_set_int(
+	    dict, "openssl_build_version_number", OPENSSL_VERSION_NUMBER)
+
+#ifdef HAVE_OPENSSL_VERSION_NUM
+	    && ! getdns_dict_set_int(
+	    dict, "openssl_version_number", OpenSSL_version_num())
+#endif
+#ifdef HAVE_OPENSSL_VERSION
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION))
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS))
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON))
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM))
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_dir", OpenSSL_version(OPENSSL_DIR))
+
+	    && ! getdns_dict_util_set_string(
+		    dict, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR))
+#endif
+		)
+		return GETDNS_RETURN_GOOD;
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+/* tls.c */
diff --git a/src/openssl/tls.h b/src/openssl/tls.h
new file mode 100644
index 00000000..f86aa465
--- /dev/null
+++ b/src/openssl/tls.h
@@ -0,0 +1,84 @@
+/**
+ *
+ * \file tls.h
+ * @brief getdns TLS functions
+ */
+
+/*
+ * Copyright (c) 2018, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _GETDNS_TLS_H
+#define _GETDNS_TLS_H
+
+#include "getdns/getdns.h"
+
+#ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+#define HAVE_TLS_CTX_CURVES_LIST	0
+#else
+#define HAVE_TLS_CTX_CURVES_LIST	(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST)
+#endif
+#ifndef HAVE_DECL_SSL_SET1_CURVES_LIST
+#define HAVE_TLS_CONN_CURVES_LIST	0
+#else
+#define HAVE_TLS_CONN_CURVES_LIST	(HAVE_DECL_SSL_SET1_CURVES_LIST)
+#endif
+
+typedef struct _getdns_tls_context {
+	SSL_CTX* ssl;
+} _getdns_tls_context;
+
+typedef struct _getdns_tls_connection {
+	SSL* ssl;
+} _getdns_tls_connection;
+
+typedef struct _getdns_tls_session {
+	SSL_SESSION* ssl;
+} _getdns_tls_session;
+
+void _getdns_tls_init();
+
+_getdns_tls_context* _getdns_tls_context_new();
+getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx);
+
+getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx);
+getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list);
+getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list);
+getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path);
+
+_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd);
+getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx);
+getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn);
+
+getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list);
+getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list);
+_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
+
+getdns_return_t _getdns_tls_session_free(_getdns_tls_session* ctx);
+
+getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
+
+#endif /* _GETDNS_TLS_H */
diff --git a/src/stub.c b/src/stub.c
index 785d9f1f..8be04fd7 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -915,28 +915,23 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 
 #endif /* #else defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
 
-static SSL*
+static _getdns_tls_connection*
 tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 {
-	/* Create SSL instance */
+	/* Create SSL instance and connect with a file descriptor */
 	getdns_context *context = dnsreq->context;
 	if (context->tls_ctx == NULL)
 		return NULL;
-	SSL* ssl = SSL_new(context->tls_ctx);
-	if(!ssl) 
+	_getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd);
+	if(!tls) 
 		return NULL;
-	/* Connect the SSL object with a file descriptor */
-	if(!SSL_set_fd(ssl,fd)) {
-		SSL_free(ssl);
-		return NULL;
-	}
 #if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
 	if (upstream->tls_curves_list)
-		(void) SSL_set1_curves_list(ssl, upstream->tls_curves_list);
+		_getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);
 #endif
 	/* make sure we'll be able to find the context again when we need it */
-	if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) {
-		SSL_free(ssl);
+	if (_getdns_associate_upstream_with_SSL(tls->ssl, upstream) != GETDNS_RETURN_GOOD) {
+		_getdns_tls_connection_free(tls);
 		return NULL;
 	}
 
@@ -950,14 +945,14 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		/*Request certificate for the auth_name*/
 		DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
-		SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
+		SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name);
 #if defined(HAVE_SSL_HN_AUTH)
 		/* Set up native OpenSSL hostname verification
 		 * ( doesn't work with USE_DANESSL, but we verify the
 		 *   name afterwards in such cases )
 		 */
 		X509_VERIFY_PARAM *param;
-		param = SSL_get0_param(ssl);
+		param = SSL_get0_param(tls->ssl);
 		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 		X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
 #elif !defined(HAVE_X509_CHECK_HOST)
@@ -968,7 +963,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			    "%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n",
 			    upstream->addr_str);
 			upstream->tls_hs_state = GETDNS_HS_FAILED;
-			SSL_free(ssl);
+			_getdns_tls_connection_free(tls);
 			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 			return NULL;
 		}
@@ -990,7 +985,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 				    "%-40s : Verify fail: *CONFIG ERROR* - No auth name or pinset provided for this upstream for Strict TLS authentication\n",
 				    upstream->addr_str);
 				upstream->tls_hs_state = GETDNS_HS_FAILED;
-				SSL_free(ssl);
+				_getdns_tls_connection_free(tls);
 				upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 				return NULL;
 			}
@@ -1002,12 +997,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		}
 	}
 	if (upstream->tls_fallback_ok) {
-		SSL_set_cipher_list(ssl, "DEFAULT");
+		_getdns_tls_connection_set_cipher_list(tls, "DEFAULT");
 		DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__);
 	} else {
 		if (upstream->tls_cipher_list)
-			SSL_set_cipher_list(ssl, upstream->tls_cipher_list);
+			_getdns_tls_connection_set_cipher_list(tls, upstream->tls_cipher_list);
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
 	}
@@ -1018,20 +1013,20 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 # else
 	(void)
 # endif
-		SSL_dane_enable(ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
+		SSL_dane_enable(tls->ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
 	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
 	          , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
-	SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+	SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
 	sha256_pin_t *pin_p;
 	size_t n_pins = 0;
 	for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
-		osr = SSL_dane_tlsa_add(ssl, 2, 1, 1,
+		osr = SSL_dane_tlsa_add(tls->ssl, 2, 1, 1,
 		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
 		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
 			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 		if (osr > 0)
 			++n_pins;
-		osr = SSL_dane_tlsa_add(ssl, 3, 1, 1,
+		osr = SSL_dane_tlsa_add(tls->ssl, 3, 1, 1,
 		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
 		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
 			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
@@ -1047,23 +1042,23 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 # else
 		(void)
 # endif
-			DANESSL_init(ssl,
+			DANESSL_init(tls->ssl,
 		    *upstream->tls_auth_name ? upstream->tls_auth_name : NULL,
 		    *upstream->tls_auth_name ? auth_names : NULL
 		    );
 		DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n"
 			  , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
-		SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+		SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
 		sha256_pin_t *pin_p;
 		size_t n_pins = 0;
 		for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
-			osr = DANESSL_add_tlsa(ssl, 3, 1, "sha256",
+			osr = DANESSL_add_tlsa(tls->ssl, 3, 1, "sha256",
 			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
 			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
 				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 			if (osr > 0)
 				++n_pins;
-			osr = DANESSL_add_tlsa(ssl, 2, 1, "sha256",
+			osr = DANESSL_add_tlsa(tls->ssl, 2, 1, "sha256",
 			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
 			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
 				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
@@ -1071,14 +1066,14 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 				++n_pins;
 		}
 	} else {
-		SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+		SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
 	}
 #else
-	SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback);
+	SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback);
 #endif
 
-	SSL_set_connect_state(ssl);
-	(void) SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+	SSL_set_connect_state(tls->ssl);
+	(void) SSL_set_mode(tls->ssl, SSL_MODE_AUTO_RETRY);
 
 	/* Session resumption. There are trade-offs here. Want to do it when
 	   possible only if we have the right type of connection. Note a change
@@ -1087,12 +1082,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		if ((upstream->tls_fallback_ok == 0 &&
 		     upstream->last_tls_auth_state == GETDNS_AUTH_OK) ||
 		     upstream->tls_fallback_ok == 1) {
-			SSL_set_session(ssl, upstream->tls_session);
+			SSL_set_session(tls->ssl, upstream->tls_session->ssl);
 			DEBUG_STUB("%s %-35s: Attempting session re-use\n", STUB_DEBUG_SETUP_TLS, 
 			            __FUNC__);
 			}
 	}
-	return ssl;
+	return tls;
 }
 
 static int
@@ -1103,9 +1098,9 @@ tls_do_handshake(getdns_upstream *upstream)
 	int r;
 	int want;
 	ERR_clear_error();
-	while ((r = SSL_do_handshake(upstream->tls_obj)) != 1)
+	while ((r = SSL_do_handshake(upstream->tls_obj->ssl)) != 1)
 	{
-		want = SSL_get_error(upstream->tls_obj, r);
+		want = SSL_get_error(upstream->tls_obj->ssl, r);
 		switch (want) {
 			case SSL_ERROR_WANT_READ:
 				GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
@@ -1131,12 +1126,12 @@ tls_do_handshake(getdns_upstream *upstream)
 	   }
 	}
 	/* A re-used session is not verified so need to fix up state in that case */
-	if (SSL_session_reused(upstream->tls_obj))
+	if (SSL_session_reused(upstream->tls_obj->ssl))
 		upstream->tls_auth_state = upstream->last_tls_auth_state;
 
 	else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
-		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
-		long verify_result = SSL_get_verify_result(upstream->tls_obj);
+		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl);
+		long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl);
 
 /* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
  * we need to verify auth_name explicitely (otherwise it will not be checked,
@@ -1187,7 +1182,7 @@ tls_do_handshake(getdns_upstream *upstream)
 		else if (verify_result == X509_V_ERR_CERT_UNTRUSTED
 		    && upstream->tls_pubkey_pinset
 		    && !DANESSL_get_match_cert(
-			    upstream->tls_obj, NULL, NULL, NULL))
+			    upstream->tls_obj->ssl, NULL, NULL, NULL))
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,
 			    ( upstream->tls_fallback_ok
@@ -1245,8 +1240,8 @@ tls_do_handshake(getdns_upstream *upstream)
 	upstream->conn_state = GETDNS_CONN_OPEN;
 	upstream->conn_completed++;
 	if (upstream->tls_session != NULL)
-	    SSL_SESSION_free(upstream->tls_session);
-	upstream->tls_session = SSL_get1_session(upstream->tls_obj);
+	    _getdns_tls_session_free(upstream->tls_session);
+	upstream->tls_session = _getdns_tls_connection_get_session(upstream->tls_obj);
 	/* Reset timeout on success*/
 	GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
 	upstream->event.read_cb = NULL;
@@ -1287,7 +1282,7 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp,
 	ssize_t  read;
 	uint8_t *buf;
 	size_t   buf_size;
-	SSL* tls_obj = upstream->tls_obj;
+	SSL* tls_obj = upstream->tls_obj->ssl;
 
 	int q = tls_connected(upstream);
 	if (q != 0)
@@ -1370,7 +1365,7 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp,
 	ssize_t         written;
 	uint16_t        query_id;
 	intptr_t        query_id_intptr;
-	SSL* tls_obj = upstream->tls_obj;
+	SSL* tls_obj = upstream->tls_obj->ssl;
 	uint16_t        padding_sz;
 
 	int q = tls_connected(upstream);
@@ -1875,12 +1870,12 @@ upstream_write_cb(void *userarg)
 		if (netreq->owner->return_call_reporting &&
 		    netreq->upstream->tls_obj) {
 			if (netreq->debug_tls_peer_cert.data == NULL &&
-			    (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj))) {
+			    (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj->ssl))) {
 				netreq->debug_tls_peer_cert.size = i2d_X509(
 					cert, &netreq->debug_tls_peer_cert.data);
 				X509_free(cert);
 			}
-			netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj);
+			netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj->ssl);
 		}
 		/* Need this because auth status is reset on connection close */
 		netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;

From ffd1136e94ca82b60169a415bd19f3d0d7a3c414 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 15 Nov 2018 13:23:00 +0000
Subject: [PATCH 148/303] tls_create_object(): Move setting client state and
 auto-retry into connection_new and add setting connection session.

---
 src/openssl/tls.c | 14 ++++++++++++++
 src/openssl/tls.h |  3 ++-
 src/stub.c        |  7 ++-----
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index f6a663a6..c0e6338c 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -261,6 +261,11 @@ _getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int
 		return NULL;
 	}
 
+	/* Connection is a client. */
+	SSL_set_connect_state(res->ssl);
+
+	/* If non-application data received, retry read. */
+	SSL_set_mode(res->ssl, SSL_MODE_AUTO_RETRY);
 	return res;
 }
 
@@ -309,6 +314,15 @@ getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* c
 	return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s)
+{
+	if (!conn || !conn->ssl || !s || !s->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (!SSL_set_session(conn->ssl, s->ssl))
+		return GETDNS_RETURN_GENERIC_ERROR;
+	return GETDNS_RETURN_GOOD;
+}
+
 _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn)
 {
 	_getdns_tls_session* res;
diff --git a/src/openssl/tls.h b/src/openssl/tls.h
index f86aa465..53430653 100644
--- a/src/openssl/tls.h
+++ b/src/openssl/tls.h
@@ -75,9 +75,10 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn);
 
 getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list);
 getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list);
+getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s);
 _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
 
-getdns_return_t _getdns_tls_session_free(_getdns_tls_session* ctx);
+getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s);
 
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
 
diff --git a/src/stub.c b/src/stub.c
index 8be04fd7..16b49060 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -925,7 +925,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 	_getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd);
 	if(!tls) 
 		return NULL;
-#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
+#if HAVE_TLS_CONN_CURVES_LIST
 	if (upstream->tls_curves_list)
 		_getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);
 #endif
@@ -1072,9 +1072,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 	SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback);
 #endif
 
-	SSL_set_connect_state(tls->ssl);
-	(void) SSL_set_mode(tls->ssl, SSL_MODE_AUTO_RETRY);
-
 	/* Session resumption. There are trade-offs here. Want to do it when
 	   possible only if we have the right type of connection. Note a change
 	   to the upstream auth info creates a new upstream so never re-uses.*/
@@ -1082,7 +1079,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		if ((upstream->tls_fallback_ok == 0 &&
 		     upstream->last_tls_auth_state == GETDNS_AUTH_OK) ||
 		     upstream->tls_fallback_ok == 1) {
-			SSL_set_session(tls->ssl, upstream->tls_session->ssl);
+			_getdns_tls_connection_set_session(tls, upstream->tls_session);
 			DEBUG_STUB("%s %-35s: Attempting session re-use\n", STUB_DEBUG_SETUP_TLS, 
 			            __FUNC__);
 			}

From e22c01e212d75c296dee28c5dc09561128d4761a Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 15 Nov 2018 14:28:04 +0000
Subject: [PATCH 149/303] tls_do_handshake: move handshake and check for new
 session into abstraction layer.

---
 src/openssl/tls.c | 38 ++++++++++++++++++++++++++++++++++++++
 src/openssl/tls.h | 27 +++++++++++++++++++++++++++
 src/stub.c        | 15 ++++++---------
 3 files changed, 71 insertions(+), 9 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index c0e6338c..0e0e0f93 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -33,6 +33,7 @@
 
 #include "config.h"
 
+#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/bio.h>
@@ -342,6 +343,43 @@ _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection*
 	return res;
 }
 
+getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
+{
+	int r;
+	int err;
+
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	ERR_clear_error();
+	r = SSL_do_handshake(conn->ssl);
+	if (r == 1)
+		return GETDNS_RETURN_GOOD;
+	err = SSL_get_error(conn->ssl, r);
+	switch(err)
+	{
+	case SSL_ERROR_WANT_READ:
+		return GETDNS_RETURN_TLS_WANT_READ;
+
+	case SSL_ERROR_WANT_WRITE:
+		return GETDNS_RETURN_TLS_WANT_WRITE;
+
+	default:
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+}
+
+getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (SSL_session_reused(conn->ssl))
+		return GETDNS_RETURN_GOOD;
+	else
+		return GETDNS_RETURN_TLS_CONNECTION_FRESH;
+}
+
 getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s)
 {
 	if (!s || !s->ssl)
diff --git a/src/openssl/tls.h b/src/openssl/tls.h
index 53430653..6dfc503d 100644
--- a/src/openssl/tls.h
+++ b/src/openssl/tls.h
@@ -47,6 +47,11 @@
 #define HAVE_TLS_CONN_CURVES_LIST	(HAVE_DECL_SSL_SET1_CURVES_LIST)
 #endif
 
+/* Additional return codes required by TLS abstraction. Internal use only. */
+#define GETDNS_RETURN_TLS_WANT_READ		((getdns_return_t) 420)
+#define GETDNS_RETURN_TLS_WANT_WRITE		((getdns_return_t) 421)
+#define GETDNS_RETURN_TLS_CONNECTION_FRESH	((getdns_return_t) 422)
+
 typedef struct _getdns_tls_context {
 	SSL_CTX* ssl;
 } _getdns_tls_context;
@@ -78,6 +83,28 @@ getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* c
 getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s);
 _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
 
+/**
+ * Attempt TLS handshake.
+ *
+ * @param conn	the connection.
+ * @return GETDNS_RETURN_GOOD if handshake is complete.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ * @return GETDNS_RETURN_TLS_WANT_READ if handshake needs to read to proceed.
+ * @return GETDNS_RETURN_TLS_WANT_WRITE if handshake needs to write to proceed.
+ * @return GETDNS_RETURN_GENERIC_ERROR if handshake failed.
+ */
+getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn);
+
+/**
+ * See whether the connection is reusing a session.
+ *
+ * @param conn	the connection.
+ * @return GETDNS_RETURN_GOOD if connection is being reused.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ * @return GETDNS_RETURN_TLS_CONNECTION_FRESH if connection is not being reused.
+ */
+getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn);
+
 getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s);
 
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
diff --git a/src/stub.c b/src/stub.c
index 16b49060..3acbb2ea 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1093,13 +1093,10 @@ tls_do_handshake(getdns_upstream *upstream)
 	DEBUG_STUB("%s %-35s: FD:  %d \n", STUB_DEBUG_SETUP_TLS, 
 	             __FUNC__, upstream->fd);
 	int r;
-	int want;
-	ERR_clear_error();
-	while ((r = SSL_do_handshake(upstream->tls_obj->ssl)) != 1)
+	while ((r = _getdns_tls_connection_do_handshake(upstream->tls_obj)) != GETDNS_RETURN_GOOD)
 	{
-		want = SSL_get_error(upstream->tls_obj->ssl, r);
-		switch (want) {
-			case SSL_ERROR_WANT_READ:
+		switch (r) {
+			case GETDNS_RETURN_TLS_WANT_READ:
 				GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
 				upstream->event.read_cb = upstream_read_cb;
 				upstream->event.write_cb = NULL;
@@ -1107,7 +1104,7 @@ tls_do_handshake(getdns_upstream *upstream)
 				    upstream->fd, TIMEOUT_TLS, &upstream->event);
 				upstream->tls_hs_state = GETDNS_HS_READ;
 				return STUB_TCP_RETRY;
-			case SSL_ERROR_WANT_WRITE:
+			case GETDNS_RETURN_TLS_WANT_WRITE:
 				GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
 				upstream->event.read_cb = NULL;
 				upstream->event.write_cb = upstream_write_cb;
@@ -1123,7 +1120,7 @@ tls_do_handshake(getdns_upstream *upstream)
 	   }
 	}
 	/* A re-used session is not verified so need to fix up state in that case */
-	if (SSL_session_reused(upstream->tls_obj->ssl))
+	if (!_getdns_tls_connection_is_session_reused(upstream->tls_obj))
 		upstream->tls_auth_state = upstream->last_tls_auth_state;
 
 	else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
@@ -1232,7 +1229,7 @@ tls_do_handshake(getdns_upstream *upstream)
 	DEBUG_STUB("%s %-35s: FD:  %d Handshake succeeded with auth state %s. Session is %s.\n", 
 		         STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, 
 		         _getdns_auth_str(upstream->tls_auth_state),
-		         SSL_session_reused(upstream->tls_obj) ?"re-used":"new");
+		   _getdns_tls_connection_is_session_reused(upstream->tls_obj) ? "new" : "re-used");
 	upstream->tls_hs_state = GETDNS_HS_DONE;
 	upstream->conn_state = GETDNS_CONN_OPEN;
 	upstream->conn_completed++;

From e7453522d5060a07fc0f202dc8c760b28e0b7485 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 15 Nov 2018 14:50:00 +0000
Subject: [PATCH 150/303] Replace SSL_read().

---
 src/openssl/tls.c | 34 ++++++++++++++++++++++++++++------
 src/openssl/tls.h | 15 +++++++++++++++
 src/stub.c        | 41 ++++++++++++++++++++++-------------------
 3 files changed, 65 insertions(+), 25 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 0e0e0f93..a3267c52 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -284,8 +284,7 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn)
 	if (!conn || !conn->ssl)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	switch(SSL_shutdown(conn->ssl))
-	{
+	switch (SSL_shutdown(conn->ssl)) {
 	case 0:		return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
 	case 1:		return GETDNS_RETURN_GOOD;
 	default:	return GETDNS_RETURN_GENERIC_ERROR;
@@ -356,8 +355,7 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
 	if (r == 1)
 		return GETDNS_RETURN_GOOD;
 	err = SSL_get_error(conn->ssl, r);
-	switch(err)
-	{
+	switch (err) {
 	case SSL_ERROR_WANT_READ:
 		return GETDNS_RETURN_TLS_WANT_READ;
 
@@ -380,6 +378,32 @@ getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection*
 		return GETDNS_RETURN_TLS_CONNECTION_FRESH;
 }
 
+getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read)
+{
+	int sread;
+
+	if (!conn || !conn->ssl || !read)
+		return -GETDNS_RETURN_INVALID_PARAMETER;
+
+	ERR_clear_error();
+	sread = SSL_read(conn->ssl, buf, to_read);
+	if (sread <= 0) {
+		switch (SSL_get_error(conn->ssl, sread)) {
+		case SSL_ERROR_WANT_READ:
+			return GETDNS_RETURN_TLS_WANT_READ;
+
+		case SSL_ERROR_WANT_WRITE:
+			return GETDNS_RETURN_TLS_WANT_WRITE;
+
+		default:
+			return GETDNS_RETURN_GENERIC_ERROR;
+		}
+	}
+
+	*read = sread;
+	return GETDNS_RETURN_GOOD;
+}
+
 getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s)
 {
 	if (!s || !s->ssl)
@@ -389,8 +413,6 @@ getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s)
 	return GETDNS_RETURN_GOOD;
 }
 
-
-
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict)
 {
 	if (! getdns_dict_set_int(
diff --git a/src/openssl/tls.h b/src/openssl/tls.h
index 6dfc503d..44a50bd2 100644
--- a/src/openssl/tls.h
+++ b/src/openssl/tls.h
@@ -105,6 +105,21 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
  */
 getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn);
 
+/**
+ * Read from TLS.
+ *
+ * @param conn	  the connection.
+ * @param buf	  the buffer to read to.
+ * @param to_read the number of bytes to read.
+ * @param read	  pointer to holder for the number of bytes read.
+ * @return GETDNS_RETURN_GOOD if some bytes were read.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ * @return GETDNS_RETURN_TLS_WANT_READ if the read needs to be retried.
+ * @return GETDNS_RETURN_TLS_WANT_WRITE if handshake isn't finished.
+ * @return GETDNS_RETURN_GENERIC_ERROR if read failed.
+ */
+getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read);
+
 getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s);
 
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
diff --git a/src/stub.c b/src/stub.c
index 3acbb2ea..28d2e983 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1273,10 +1273,10 @@ static int
 stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp,
               struct mem_funcs *mf)
 {
-	ssize_t  read;
+	size_t  read;
 	uint8_t *buf;
 	size_t   buf_size;
-	SSL* tls_obj = upstream->tls_obj->ssl;
+	_getdns_tls_connection* tls_obj = upstream->tls_obj;
 
 	int q = tls_connected(upstream);
 	if (q != 0)
@@ -1292,16 +1292,17 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp,
 		tcp->to_read = 2; /* Packet size */
 	}
 
-	ERR_clear_error();
-	read = SSL_read(tls_obj, tcp->read_pos, tcp->to_read);
-	if (read <= 0) {
-		/* TODO[TLS]: Handle SSL_ERROR_WANT_WRITE which means handshake
-		   renegotiation. Need to keep handshake state to do that.*/
-		int want = SSL_get_error(tls_obj, read);
-		if (want == SSL_ERROR_WANT_READ) {
+	switch ((int)_getdns_tls_connection_read(tls_obj, tcp->read_pos, tcp->to_read, &read)) {
+	case GETDNS_RETURN_GOOD:
+		break;
+
+	case GETDNS_RETURN_TLS_WANT_READ:
 			return STUB_TCP_RETRY; /* Come back later */
-		} else 
-			return STUB_TCP_ERROR;
+
+	default:
+		/* TODO[TLS]: Handle GETDNS_RETURN_TLS_WANT_WRITE which means handshake
+		   renegotiation. Need to keep handshake state to do that.*/
+		return STUB_TCP_ERROR;
 	}
 	tcp->to_read  -= read;
 	tcp->read_pos += read;
@@ -1333,15 +1334,17 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp,
 
 		/* Ready to start reading the packet */
 		tcp->read_pos = tcp->read_buf;
-		read = SSL_read(tls_obj, tcp->read_pos, tcp->to_read);
-		if (read <= 0) {
-			/* TODO[TLS]: Handle SSL_ERROR_WANT_WRITE which means handshake
+		switch ((int)_getdns_tls_connection_read(tls_obj, tcp->read_pos, tcp->to_read, &read)) {
+		case GETDNS_RETURN_GOOD:
+			break;
+
+		case GETDNS_RETURN_TLS_WANT_READ:
+			return STUB_TCP_RETRY; /* Come back later */
+
+		default:
+			/* TODO[TLS]: Handle GETDNS_RETURN_TLS_WANT_WRITE which means handshake
 			   renegotiation. Need to keep handshake state to do that.*/
-			int want = SSL_get_error(tls_obj, read);
-			if (want == SSL_ERROR_WANT_READ) {
-				return STUB_TCP_RETRY; /* read more later */
-			} else 
-				return STUB_TCP_ERROR;
+			return STUB_TCP_ERROR;
 		}
 		tcp->to_read  -= read;
 		tcp->read_pos += read;

From 09019bee75239d566f716de770d9efff058067d8 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 15 Nov 2018 15:00:19 +0000
Subject: [PATCH 151/303] Replace SSL_write().

---
 src/openssl/tls.c | 33 +++++++++++++++++++++++++++++++++
 src/openssl/tls.h | 15 +++++++++++++++
 src/stub.c        | 31 ++++++++++++-------------------
 3 files changed, 60 insertions(+), 19 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index a3267c52..ad940ef8 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -404,6 +404,39 @@ getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_
 	return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written)
+{
+	int swritten;
+
+	if (!conn || !conn->ssl || !written)
+		return -GETDNS_RETURN_INVALID_PARAMETER;
+
+	ERR_clear_error();
+	swritten = SSL_write(conn->ssl, buf, to_write);
+	if (swritten <= 0) {
+		switch(SSL_get_error(conn->ssl, swritten)) {
+		case SSL_ERROR_WANT_READ:
+			/* SSL_write will not do partial writes, because
+			 * SSL_MODE_ENABLE_PARTIAL_WRITE is not default,
+			 * but the write could fail because of renegotiation.
+			 * In that case SSL_get_error()  will return
+			 * SSL_ERROR_WANT_READ or, SSL_ERROR_WANT_WRITE.
+			 * Return for retry in such cases.
+			 */
+			return GETDNS_RETURN_TLS_WANT_READ;
+
+		case SSL_ERROR_WANT_WRITE:
+			return GETDNS_RETURN_TLS_WANT_WRITE;
+
+		default:
+			return GETDNS_RETURN_GENERIC_ERROR;
+		}
+	}
+
+	*written = swritten;
+	return GETDNS_RETURN_GOOD;
+}
+
 getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s)
 {
 	if (!s || !s->ssl)
diff --git a/src/openssl/tls.h b/src/openssl/tls.h
index 44a50bd2..dda05030 100644
--- a/src/openssl/tls.h
+++ b/src/openssl/tls.h
@@ -120,6 +120,21 @@ getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection*
  */
 getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read);
 
+/**
+ * Write to TLS.
+ *
+ * @param conn	   the connection.
+ * @param buf	   the buffer to write from.
+ * @param to_write the number of bytes to write.
+ * @param written  the number of bytes written.
+ * @return GETDNS_RETURN_GOOD if some bytes were read.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ * @return GETDNS_RETURN_TLS_WANT_READ if handshake isn't finished.
+ * @return GETDNS_RETURN_TLS_WANT_WRITE if the write needs to be retried.
+ * @return GETDNS_RETURN_GENERIC_ERROR if write failed.
+ */
+getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written);
+
 getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s);
 
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
diff --git a/src/stub.c b/src/stub.c
index 28d2e983..75ee576d 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1359,10 +1359,10 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp,
                getdns_network_req *netreq)
 {
 	size_t          pkt_len;
-	ssize_t         written;
+	size_t          written;
 	uint16_t        query_id;
 	intptr_t        query_id_intptr;
-	SSL* tls_obj = upstream->tls_obj->ssl;
+	_getdns_tls_connection* tls_obj = upstream->tls_obj;
 	uint16_t        padding_sz;
 
 	int q = tls_connected(upstream);
@@ -1437,7 +1437,6 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp,
 		 * Lets see how much of it we can write */
 		
 		/* TODO[TLS]: Handle error cases, partial writes, renegotiation etc. */
-		ERR_clear_error();
 #if INTERCEPT_COM_DS
 		/* Intercept and do not sent out COM DS queries. For debugging
 		 * purposes only. Never commit with this turned on.
@@ -1454,22 +1453,16 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp,
 			written = pkt_len + 2;
 		} else
 #endif
-		written = SSL_write(tls_obj, netreq->query - 2, pkt_len + 2);
-		if (written <= 0) {
-			/* SSL_write will not do partial writes, because 
-			 * SSL_MODE_ENABLE_PARTIAL_WRITE is not default,
-			 * but the write could fail because of renegotiation.
-			 * In that case SSL_get_error()  will return
-			 * SSL_ERROR_WANT_READ or, SSL_ERROR_WANT_WRITE.
-			 * Return for retry in such cases.
-			 */
-			switch (SSL_get_error(tls_obj, written)) {
-			case SSL_ERROR_WANT_READ:
-			case SSL_ERROR_WANT_WRITE:
-				return STUB_TCP_RETRY;
-			default:
-				return STUB_TCP_ERROR;
-			}
+			switch ((int)_getdns_tls_connection_write(tls_obj, netreq->query - 2, pkt_len + 2, &written)) {
+		case GETDNS_RETURN_GOOD:
+			break;
+
+		case GETDNS_RETURN_TLS_WANT_READ:
+		case GETDNS_RETURN_TLS_WANT_WRITE:
+			return STUB_TCP_RETRY;
+
+		default:
+			return STUB_TCP_ERROR;
 		}
 		/* We were able to write everything!  Start reading. */
 		return (int) query_id;

From 4b8c9d1bd7a158054b8ba7778e9bff086f82d709 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 15 Nov 2018 15:58:19 +0000
Subject: [PATCH 152/303] Replace SSL_get_version().

---
 src/openssl/tls.c | 7 +++++++
 src/openssl/tls.h | 8 ++++++++
 src/stub.c        | 2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index ad940ef8..635ba5ee 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -342,6 +342,13 @@ _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection*
 	return res;
 }
 
+const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return NULL;
+	return SSL_get_version(conn->ssl);
+}
+
 getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
 {
 	int r;
diff --git a/src/openssl/tls.h b/src/openssl/tls.h
index dda05030..7e95a165 100644
--- a/src/openssl/tls.h
+++ b/src/openssl/tls.h
@@ -83,6 +83,14 @@ getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* c
 getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s);
 _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
 
+/**
+ * Report the TLS version of the connection.
+ *
+ * @param conn	the connection.
+ * @return string with the connection description, NULL on error.
+ */
+const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn);
+
 /**
  * Attempt TLS handshake.
  *
diff --git a/src/stub.c b/src/stub.c
index 75ee576d..fdcc9db6 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1865,7 +1865,7 @@ upstream_write_cb(void *userarg)
 					cert, &netreq->debug_tls_peer_cert.data);
 				X509_free(cert);
 			}
-			netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj->ssl);
+			netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj);
 		}
 		/* Need this because auth status is reset on connection close */
 		netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;

From 0fd6fd4c5cf7efb547d4fc9368846caf9c29688b Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 16 Nov 2018 17:09:26 +0000
Subject: [PATCH 153/303] Replace (one instance of) SSL_get_peer_certificate().

---
 src/openssl/tls.c | 37 +++++++++++++++++++++++++++++++++++++
 src/openssl/tls.h | 29 +++++++++++++++++++++++++++++
 src/stub.c        |  8 ++++----
 3 files changed, 70 insertions(+), 4 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 635ba5ee..18a5e970 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -48,6 +48,20 @@
 # include "ssl_dane/danessl.h"
 #endif
 
+static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert)
+{
+	_getdns_tls_x509* res;
+
+	if (!cert)
+		return NULL;
+
+	res = malloc(sizeof(_getdns_tls_x509));
+	if (res)
+		res->ssl = cert;
+
+	return res;
+}
+
 #ifdef USE_WINSOCK
 /* For windows, the CA trust store is not read by openssl.
    Add code to open the trust store using wincrypt API and add
@@ -374,6 +388,14 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
 	}
 }
 
+_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return NULL;
+
+	return _getdns_tls_x509_new(SSL_get_peer_certificate(conn->ssl));
+}
+
 getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn)
 {
 	if (!conn || !conn->ssl)
@@ -486,4 +508,19 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict)
 	return GETDNS_RETURN_GENERIC_ERROR;
 }
 
+void _getdns_tls_x509_free(_getdns_tls_x509* cert)
+{
+	if (cert && cert->ssl)
+		X509_free(cert->ssl);
+	free(cert);
+}
+
+int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf)
+{
+	if (!cert || !cert->ssl)
+		return 0;
+
+	return i2d_X509(cert->ssl, buf);
+}
+
 /* tls.c */
diff --git a/src/openssl/tls.h b/src/openssl/tls.h
index 7e95a165..92e35459 100644
--- a/src/openssl/tls.h
+++ b/src/openssl/tls.h
@@ -64,6 +64,11 @@ typedef struct _getdns_tls_session {
 	SSL_SESSION* ssl;
 } _getdns_tls_session;
 
+typedef struct _getdns_tls_x509
+{
+	X509* ssl;
+} _getdns_tls_x509;
+
 void _getdns_tls_init();
 
 _getdns_tls_context* _getdns_tls_context_new();
@@ -103,6 +108,14 @@ const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn);
  */
 getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn);
 
+/**
+ * Get the connection peer certificate.
+ *
+ * @param conn	the connection.
+ * @return certificate or NULL on error.
+ */
+_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn);
+
 /**
  * See whether the connection is reusing a session.
  *
@@ -145,6 +158,22 @@ getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8
 
 getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s);
 
+/**
+ * Free X509 certificate.
+ *
+ * @param cert	the certificate.
+ */
+void _getdns_tls_x509_free(_getdns_tls_x509* cert);
+
+/**
+ * Convert X509 to DER.
+ *
+ * @param cert	the certificate.
+ * @param buf	buffer to receive conversion. NULL to just get the length.
+ * @return length of conversion, 0 on error.
+ */
+int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf);
+
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
 
 #endif /* _GETDNS_TLS_H */
diff --git a/src/stub.c b/src/stub.c
index fdcc9db6..d012566b 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1797,7 +1797,7 @@ upstream_write_cb(void *userarg)
 	getdns_upstream *upstream = (getdns_upstream *)userarg;
 	getdns_network_req *netreq = upstream->write_queue;
 	int q;
-	X509 *cert;
+	_getdns_tls_x509 *cert;
 
 	if (!netreq) {
 		GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
@@ -1860,10 +1860,10 @@ upstream_write_cb(void *userarg)
 		if (netreq->owner->return_call_reporting &&
 		    netreq->upstream->tls_obj) {
 			if (netreq->debug_tls_peer_cert.data == NULL &&
-			    (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj->ssl))) {
-				netreq->debug_tls_peer_cert.size = i2d_X509(
+			    (cert = _getdns_tls_connection_get_peer_certificate(netreq->upstream->tls_obj))) {
+				netreq->debug_tls_peer_cert.size = _getdns_tls_x509_to_der(
 					cert, &netreq->debug_tls_peer_cert.data);
-				X509_free(cert);
+				_getdns_tls_x509_free(cert);
 			}
 			netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj);
 		}

From 5d353d9efbfe34d05f495988a5b3e2a47b58dd8d Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 16 Nov 2018 17:53:08 +0000
Subject: [PATCH 154/303] To aid proof-of-concept work, insist on OpenSSL 1.1.1
 or later.

Remove ssl_dane as now surplus to requirements.
---
 .gitmodules        |   4 --
 configure.ac       |  22 +++---
 src/Makefile.in    |   6 +-
 src/context.c      |  53 --------------
 src/gldns/keyraw.c |  18 -----
 src/openssl/tls.c  |  13 ----
 src/ssl_dane       |   1 -
 src/stub.c         | 173 +--------------------------------------------
 8 files changed, 12 insertions(+), 278 deletions(-)
 delete mode 160000 src/ssl_dane

diff --git a/.gitmodules b/.gitmodules
index 26a1f354..27d60b78 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -10,7 +10,3 @@
 	path = stubby
 	url = https://github.com/getdnsapi/stubby.git
 	branch = develop
-[submodule "src/ssl_dane"]
-	path = src/ssl_dane
-	url = https://github.com/getdnsapi/ssl_dane
-	branch = getdns
diff --git a/configure.ac b/configure.ac
index 67636c57..c361848b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -440,28 +440,24 @@ AC_INCLUDES_DEFAULT
 ])
 fi
 
-AC_MSG_CHECKING([whether we need to compile/link DANE support])
-DANESSL_XTRA_OBJS=""
+AC_MSG_CHECKING([for OpenSSL >= 1.1.1])
 AC_LANG_PUSH(C)
 AC_COMPILE_IFELSE(
 	[AC_LANG_PROGRAM([
 		[#include <openssl/opensslv.h>]
-		[#if OPENSSL_VERSION_NUMBER <  0x1000000fL]
-		[#error "OpenSSL 1.0.0 or higher required for DANE library"]
-		[#elif defined(HAVE_SSL_DANE_ENABLE)]
-		[#error "OpenSSL has native DANE support"]
+		[#if OPENSSL_VERSION_NUMBER <  0x10101000L]
+		[#error "OpenSSL 1.1.1 or higher required"]
 		[#elif defined(LIBRESSL_VERSION_NUMBER)]
-		[#error "dane_ssl library does not work with LibreSSL"]
+		[#error "LibreSSL not supported"]
 		[#endif]
 	],[[]])],
 	[
-		AC_MSG_RESULT([yes])
-		AC_DEFINE([USE_DANESSL], [1], [Define this to use DANE functions from the ssl_dane/danessl library.])
-		DANESSL_XTRA_OBJS="danessl.lo"
-	],
-	[AC_MSG_RESULT([no])])
+                AC_MSG_RESULT([yes])
+        ],
+        [
+                AC_MSG_ERROR([OpenSSL 1.1.1 or later required])
+	])
 AC_LANG_POP(C)
-AC_SUBST(DANESSL_XTRA_OBJS)
 
 AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support]))
 	case "$enable_sha1" in
diff --git a/src/Makefile.in b/src/Makefile.in
index de5f3e26..d7ed0343 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -98,9 +98,8 @@ TLS_OBJ=tls.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
-DANESSL_OBJ=danessl.lo
 
-GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ @DANESSL_XTRA_OBJS@
+GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@
 STUBBY_XTRA_OBJS=@STUBBY_XTRA_OBJS@
 
 EXTENSION_OBJ=$(DEFAULT_EVENTLOOP_OBJ) libevent.lo libev.lo
@@ -140,9 +139,6 @@ $(TLS_OBJ):
 $(YAML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
 
-$(DANESSL_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WNOERRORFLAG) -c $(srcdir)/ssl_dane/$(@:.lo=.c) -o $@
-
 $(YXML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -I$(srcdir)/yxml -DYXML_GETDNS -Wno-unused-parameter -c $(srcdir)/yxml/$(@:.lo=.c) -o $@
 
diff --git a/src/context.c b/src/context.c
index c0f4f8e1..0729f4d8 100644
--- a/src/context.c
+++ b/src/context.c
@@ -82,9 +82,6 @@ typedef unsigned short in_port_t;
 #include "list.h"
 #include "dict.h"
 #include "pubkey-pinning.h"
-#ifdef USE_DANESSL
-# include "ssl_dane/danessl.h"
-#endif
 #include "const-info.h"
 #include "tls.h"
 
@@ -599,26 +596,6 @@ upstreams_create(getdns_context *context, size_t size)
 }
 
 
-#if defined(USE_DANESSL) && defined(STUB_DEBUG) && STUB_DEBUG
-static void _stub_debug_print_openssl_errors(void)
-{
-    unsigned long err;
-    char buffer[1024];
-    const char *file;
-    const char *data;
-    int line;
-    int flags;
-
-    while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
-        ERR_error_string_n(err, buffer, sizeof(buffer));
-        if (flags & ERR_TXT_STRING)
-            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d:%s\n", buffer, file, line, data);
-        else
-            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d\n", buffer, file, line);
-    }
-}
-#endif
-
 void
 _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 {
@@ -660,12 +637,6 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 
 		if (upstream->tls_obj != NULL) {
 			_getdns_tls_connection_shutdown(upstream->tls_obj);
-#ifdef USE_DANESSL
-# if defined(STUB_DEBUG) && STUB_DEBUG
-			_stub_debug_print_openssl_errors();
-# endif
-			DANESSL_cleanup(upstream->tls_obj->ssl);
-#endif
 			_getdns_tls_connection_free(upstream->tls_obj);
 		}
 		if (upstream->fd != -1)
@@ -779,12 +750,6 @@ _getdns_upstream_reset(getdns_upstream *upstream)
 	}
 	if (upstream->tls_obj != NULL) {
 		_getdns_tls_connection_shutdown(upstream->tls_obj);
-#ifdef USE_DANESSL
-# if defined(STUB_DEBUG) && STUB_DEBUG
-		_stub_debug_print_openssl_errors();
-# endif
-		DANESSL_cleanup(upstream->tls_obj->ssl);
-#endif
 		_getdns_tls_connection_free(upstream->tls_obj);
 		upstream->tls_obj = NULL;
 	}
@@ -3579,7 +3544,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 		}
 
 		if (context->tls_ctx == NULL) {
-#ifdef HAVE_TLS_v1_2
 			context->tls_ctx = _getdns_tls_context_new();
 			if (context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
@@ -3608,7 +3572,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}
-#  if defined(HAVE_SSL_CTX_DANE_ENABLE)
 #   if defined(STUB_DEBUG) && STUB_DEBUG
 			int osr =
 #   else
@@ -3617,22 +3580,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				SSL_CTX_dane_enable(context->tls_ctx->ssl);
 			DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
 			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-#  elif defined(USE_DANESSL)
-#   if defined(STUB_DEBUG) && STUB_DEBUG
-			int osr =
-#   else
-			(void)
-#   endif
-				DANESSL_CTX_init(context->tls_ctx->ssl);
-			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n"
-			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-#  endif
-#else /* HAVE_TLS_v1_2 */
-			if (tls_only_is_in_transports_list(context) == 1)
-				return GETDNS_RETURN_BAD_CONTEXT;
-			/* A null tls_ctx will make TLS fail and fallback to the other
-			   transports will kick-in.*/
-#endif /* HAVE_TLS_v1_2 */
 		}
 	}
 
diff --git a/src/gldns/keyraw.c b/src/gldns/keyraw.c
index ed8188c8..db84743e 100644
--- a/src/gldns/keyraw.c
+++ b/src/gldns/keyraw.c
@@ -232,15 +232,6 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-#ifndef S_SPLINT_S
-	dsa->p = P;
-	dsa->q = Q;
-	dsa->g = G;
-	dsa->pub_key = Y;
-#endif /* splint */
-
-#else /* OPENSSL_VERSION_NUMBER */
 	if (!DSA_set0_pqg(dsa, P, Q, G)) {
 		/* QPG not yet attached, need to free */
 		BN_free(Q);
@@ -257,7 +248,6 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
-#endif
 
 	return dsa;
 }
@@ -310,20 +300,12 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 		BN_free(modulus);
 		return NULL;
 	}
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-#ifndef S_SPLINT_S
-	rsa->n = modulus;
-	rsa->e = exponent;
-#endif /* splint */
-
-#else /* OPENSSL_VERSION_NUMBER */
 	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
 		BN_free(exponent);
 		BN_free(modulus);
 		RSA_free(rsa);
 		return NULL;
 	}
-#endif
 
 	return rsa;
 }
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 18a5e970..0c4fd917 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -44,10 +44,6 @@
 
 #include "tls.h"
 
-#ifdef USE_DANESSL
-# include "ssl_dane/danessl.h"
-#endif
-
 static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert)
 {
 	_getdns_tls_x509* res;
@@ -156,19 +152,10 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 
 void _getdns_tls_init()
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-	OpenSSL_add_all_algorithms();
-	SSL_library_init();
-
-# ifdef USE_DANESSL
-		(void) DANESSL_library_init();
-# endif
-#else
 	OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS
 	                   | OPENSSL_INIT_ADD_ALL_DIGESTS
 	                   | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
 	(void)OPENSSL_init_ssl(0, NULL);
-#endif
 }
 
 _getdns_tls_context* _getdns_tls_context_new()
diff --git a/src/ssl_dane b/src/ssl_dane
deleted file mode 160000
index dd093e58..00000000
--- a/src/ssl_dane
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit dd093e585a237e0321d303ec35e84c393ef739f4
diff --git a/src/stub.c b/src/stub.c
index d012566b..52478dfb 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -55,9 +55,6 @@
 #include "platform.h"
 #include "general.h"
 #include "pubkey-pinning.h"
-#ifdef USE_DANESSL
-# include "ssl_dane/danessl.h"
-#endif
 
 /* WSA TODO: 
  * STUB_TCP_RETRY added to deal with edge triggered event loops (versus
@@ -829,9 +826,6 @@ tls_requested(getdns_network_req *netreq)
 	        1 : 0;
 }
 
-
-#if defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL)
-
 static int
 _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
 { 
@@ -857,64 +851,6 @@ _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
 	return 1; 
 }
 
-#else /* defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
-
-static int
-tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-{
-	getdns_upstream *upstream;
-	getdns_return_t pinset_ret = GETDNS_RETURN_GOOD;
-	upstream = _getdns_upstream_from_x509_store(ctx);
-	if (!upstream)
-		return 0;
-
-	int err = X509_STORE_CTX_get_error(ctx);
-# if defined(STUB_DEBUG) && STUB_DEBUG
-	DEBUG_STUB("%s %-35s: FD:  %d Verify result: (%d) \"%s\"\n",
-	            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err,
-	            X509_verify_cert_error_string(err));
-# endif
-	if (!preverify_ok && !upstream->tls_fallback_ok)
-		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
-		    "%-40s : Verify failed: TLS - *Failure* -  (%d) \"%s\"\n",
-		    upstream->addr_str, err,
-		    X509_verify_cert_error_string(err));
-
-	/* No need to deal with hostname authentication, since this will be
-	 * dealt with in the DANE preprocessor paths.
-	 */
-
-	/* Deal with the pinset validation */
-	if (upstream->tls_pubkey_pinset)
-		pinset_ret = _getdns_verify_pinset_match(upstream->tls_pubkey_pinset, ctx);
-
-	if (pinset_ret != GETDNS_RETURN_GOOD) {
-		DEBUG_STUB("%s %-35s: FD:  %d, WARNING: Pinset validation failure!\n",
-	           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
-		preverify_ok = 0;
-		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-		if (upstream->tls_fallback_ok)
-			DEBUG_STUB("%s %-35s: FD:  %d, WARNING: Proceeding even though pinset validation failed!\n",
-			            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
-		else
-			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
-			    "%-40s : Conn failed: TLS - *Failure* - Pinset validation failure\n",
-			    upstream->addr_str);
-	}
-	/* If nothing has failed yet and we had credentials, we have successfully authenticated*/
-	if (preverify_ok == 0)
-		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-	else if (upstream->tls_auth_state == GETDNS_AUTH_NONE &&
-	         (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]))
-		upstream->tls_auth_state = GETDNS_AUTH_OK;
-
-	/* If fallback is allowed, proceed regardless of what the auth error is
-	   (might not be hostname or pinset related) */
-	return (upstream->tls_fallback_ok) ? 1 : preverify_ok;
-}
-
-#endif /* #else defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
-
 static _getdns_tls_connection*
 tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 {
@@ -946,28 +882,11 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
 		SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name);
-#if defined(HAVE_SSL_HN_AUTH)
-		/* Set up native OpenSSL hostname verification
-		 * ( doesn't work with USE_DANESSL, but we verify the
-		 *   name afterwards in such cases )
-		 */
+		/* Set up native OpenSSL hostname verification */
 		X509_VERIFY_PARAM *param;
 		param = SSL_get0_param(tls->ssl);
 		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 		X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
-#elif !defined(HAVE_X509_CHECK_HOST)
-		if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
-			DEBUG_STUB("%s %-35s: ERROR: Hostname Authentication not available from TLS library (check library version)\n",
-		           STUB_DEBUG_SETUP_TLS, __FUNC__);
-			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR, 
-			    "%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n",
-			    upstream->addr_str);
-			upstream->tls_hs_state = GETDNS_HS_FAILED;
-			_getdns_tls_connection_free(tls);
-			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-			return NULL;
-		}
-#endif
 		/* Allow fallback to opportunistic if settings permit it*/
 		if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
 			upstream->tls_fallback_ok = 1;
@@ -1006,7 +925,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
 	}
-#if defined(HAVE_SSL_DANE_ENABLE)
+
 	int osr;
 # if defined(STUB_DEBUG) && STUB_DEBUG
 	osr =
@@ -1033,44 +952,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		if (osr > 0)
 			++n_pins;
 	}
-#elif defined(USE_DANESSL)
-	if (upstream->tls_pubkey_pinset) {
-		const char *auth_names[2] = { upstream->tls_auth_name, NULL };
-		int osr;
-# if defined(STUB_DEBUG) && STUB_DEBUG
-		osr =
-# else
-		(void)
-# endif
-			DANESSL_init(tls->ssl,
-		    *upstream->tls_auth_name ? upstream->tls_auth_name : NULL,
-		    *upstream->tls_auth_name ? auth_names : NULL
-		    );
-		DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n"
-			  , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
-		SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
-		sha256_pin_t *pin_p;
-		size_t n_pins = 0;
-		for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
-			osr = DANESSL_add_tlsa(tls->ssl, 3, 1, "sha256",
-			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
-			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
-				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-			if (osr > 0)
-				++n_pins;
-			osr = DANESSL_add_tlsa(tls->ssl, 2, 1, "sha256",
-			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
-			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
-				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-			if (osr > 0)
-				++n_pins;
-		}
-	} else {
-		SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
-	}
-#else
-	SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback);
-#endif
 
 	/* Session resumption. There are trade-offs here. Want to do it when
 	   possible only if we have the right type of connection. Note a change
@@ -1127,23 +1008,6 @@ tls_do_handshake(getdns_upstream *upstream)
 		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl);
 		long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl);
 
-/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
- * we need to verify auth_name explicitely (otherwise it will not be checked,
- * because this is not required with DANE with an EE match).
- * This is not needed with native OpenSSL DANE, because EE name checks have
- * to be disabled explicitely.
- */
-#if defined(HAVE_X509_CHECK_HOST) && (defined(USE_DANESSL) || !defined(HAVE_SSL_HN_AUTH))
-		int xch;
-		if (peer_cert && verify_result == X509_V_OK
-		    && upstream->tls_auth_name[0]
-		    && (xch = X509_check_host(peer_cert,
-				    upstream->tls_auth_name,
-				    strlen(upstream->tls_auth_name),
-				    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
-				    NULL)) <= 0)
-			verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
-#endif
 		upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
 		                         ? GETDNS_AUTH_OK : GETDNS_AUTH_FAILED;
 		if (!peer_cert)
@@ -1161,7 +1025,6 @@ tls_do_handshake(getdns_upstream *upstream)
 		/* Since we don't have DANE validation yet, DANE validation
 		 * failures are always pinset validation failures
 		 */
-#if defined(HAVE_SSL_DANE_ENABLE)
 		else if (verify_result == X509_V_ERR_DANE_NO_MATCH)
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,
@@ -1172,21 +1035,6 @@ tls_do_handshake(getdns_upstream *upstream)
 			    ( upstream->tls_fallback_ok
 			    ? "Tolerated because of Opportunistic profile"
 			    : "*Failure*" ));
-#elif defined(USE_DANESSL)
-		else if (verify_result == X509_V_ERR_CERT_UNTRUSTED
-		    && upstream->tls_pubkey_pinset
-		    && !DANESSL_get_match_cert(
-			    upstream->tls_obj->ssl, NULL, NULL, NULL))
-			_getdns_upstream_log(upstream,
-			    GETDNS_LOG_UPSTREAM_STATS,
-			    ( upstream->tls_fallback_ok
-			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : TLS - %s -  "
-			    "Pinset validation failure\n", upstream->addr_str,
-			    ( upstream->tls_fallback_ok
-			    ? "Tolerated because of Opportunistic profile"
-			    : "*Failure*" ));
-#endif
 		else if (verify_result != X509_V_OK)
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,
@@ -1198,23 +1046,6 @@ tls_do_handshake(getdns_upstream *upstream)
 			    ? "Tolerated because of Opportunistic profile"
 			    : "*Failure*" ), verify_result,
 			    X509_verify_cert_error_string(verify_result));
-#if !defined(HAVE_SSL_HN_AUTH) && !defined(HAVE_X509_CHECK_HOST)
-		else if (*upstream->tls_auth_name) {
-			_getdns_upstream_log(upstream,
-			    GETDNS_LOG_UPSTREAM_STATS,
-			    ( upstream->tls_fallback_ok
-			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : TLS - %s -  "
-			    "Hostname Authentication not available from TLS "
-			    "library (check library version)\n",
-			    upstream->addr_str,
-			    ( upstream->tls_fallback_ok
-			    ? "Tolerated because of Opportunistic profile"
-			    : "*Failure*" ));
-
-			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-		}
-#endif
 		else
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,

From aba0e2fb4c7c87ce8b8619b9a89e96b8b5d1c79c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 19 Nov 2018 09:49:54 +0000
Subject: [PATCH 155/303] Move non-TLS-library specific parts of tls.h to
 ~/src/tls.h and have it include lib-specific tls-internal.h.

Update dependencies.
---
 src/Makefile.in            | 261 -------------------------------------
 src/openssl/tls-internal.h |  67 ++++++++++
 src/test/Makefile.in       |   3 +-
 src/{openssl => }/tls.h    |  28 +---
 src/tools/Makefile.in      |   6 +-
 5 files changed, 70 insertions(+), 295 deletions(-)
 create mode 100644 src/openssl/tls-internal.h
 rename src/{openssl => }/tls.h (91%)

diff --git a/src/Makefile.in b/src/Makefile.in
index d7ed0343..67a36f62 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -300,264 +300,3 @@ depend:
 FORCE:
 
 # Dependencies for gldns, utils, the extensions and compat functions
-anchor.lo anchor.o: $(srcdir)/anchor.c config.h \
- $(srcdir)/debug.h $(srcdir)/anchor.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
-const-info.lo const-info.o: $(srcdir)/const-info.c \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/const-info.h
-context.lo context.o: $(srcdir)/context.c config.h \
- $(srcdir)/anchor.h getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h \
- $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \
- $(srcdir)/const-info.h
-convert.lo convert.o: $(srcdir)/convert.c config.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h \
- $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h $(srcdir)/debug.h
-dict.lo dict.o: $(srcdir)/dict.c config.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h
-dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
- $(srcdir)/debug.h getdns/getdns.h \
- $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \
- $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h
-general.lo general.o: $(srcdir)/general.c config.h \
- $(srcdir)/general.h getdns/getdns.h \
- $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h
-list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \
- config.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/list.h $(srcdir)/dict.h
-mdns.lo mdns.o: $(srcdir)/mdns.c config.h \
- $(srcdir)/debug.h $(srcdir)/context.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
-platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \
- config.h
-pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \
- config.h $(srcdir)/debug.h \
- getdns/getdns.h $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h
-request-internal.lo request-internal.o: $(srcdir)/request-internal.c \
- config.h $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h
-rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
- config.h \
- getdns/getdns.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \
- $(srcdir)/openssl/tls.h $(srcdir)/dict.h
-rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
- config.h \
- getdns/getdns.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h
-server.lo server.o: $(srcdir)/server.c config.h \
- getdns/getdns_extra.h \
- getdns/getdns.h $(srcdir)/context.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h
-stub.lo stub.o: $(srcdir)/stub.c config.h \
- $(srcdir)/debug.h $(srcdir)/stub.h \
- getdns/getdns.h \
- $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \
- $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h
-sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \
- config.h $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
-ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \
- config.h
-util-internal.lo util-internal.o: $(srcdir)/util-internal.c \
- config.h \
- getdns/getdns.h $(srcdir)/dict.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
- getdns/getdns_extra.h $(srcdir)/list.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h
-gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
- config.h $(srcdir)/gldns/gbuffer.h
-keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
- config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/gldns/rrdef.h
-parse.lo parse.o: $(srcdir)/gldns/parse.c \
- config.h $(srcdir)/gldns/parse.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
-parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \
- config.h $(srcdir)/gldns/parseutil.h
-rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \
- config.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/parseutil.h
-str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
- config.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \
- $(srcdir)/gldns/parseutil.h
-wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
- config.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h
-arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
- config.h
-arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
- config.h \
- $(srcdir)/compat/chacha_private.h
-arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c \
- config.h
-explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c \
- config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c \
- config.h
-getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c \
- config.h
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c \
- config.h
-getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
-gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c \
- config.h
-inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c \
- config.h
-inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c \
- config.h
-sha512.lo sha512.o: $(srcdir)/compat/sha512.c \
- config.h
-strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \
- config.h
-strptime.lo strptime.o: $(srcdir)/compat/strptime.c \
- config.h
-locks.lo locks.o: $(srcdir)/util/locks.c config.h \
- $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h
-lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \
- config.h \
- $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \
- $(srcdir)/util/orig-headers/lookup3.h
-lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \
- config.h \
- $(srcdir)/util/auxiliary/util/storage/lruhash.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h
-rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
- config.h $(srcdir)/util/auxiliary/log.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \
- $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h
-val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \
- config.h \
- $(srcdir)/util/auxiliary/util/data/packed_rrset.h \
- $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \
- $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
-jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
-tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
- $(srcdir)/openssl/tls.h getdns/getdns.h
-yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
-danessl.lo danessl.o: $(srcdir)/ssl_dane/danessl.c $(srcdir)/ssl_dane/danessl.h
-libev.lo libev.o: $(srcdir)/extension/libev.c \
- config.h $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h
-libevent.lo libevent.o: $(srcdir)/extension/libevent.c \
- config.h $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h
-libuv.lo libuv.o: $(srcdir)/extension/libuv.c \
- config.h $(srcdir)/debug.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h
-poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
- config.h $(srcdir)/util-internal.h \
- $(srcdir)/context.h getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/platform.h $(srcdir)/debug.h
-select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \
- config.h $(srcdir)/debug.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \
- $(srcdir)/extension/select_eventloop.h
-stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c \
- config.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h
diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h
new file mode 100644
index 00000000..f13c8602
--- /dev/null
+++ b/src/openssl/tls-internal.h
@@ -0,0 +1,67 @@
+/**
+ *
+ * \file tls-internal.h
+ * @brief getdns TLS implementation-specific items
+ */
+
+/*
+ * Copyright (c) 2018, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _GETDNS_TLS_INTERNAL_H
+#define _GETDNS_TLS_INTERNAL_H
+
+#include "getdns/getdns.h"
+
+#ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+#define HAVE_TLS_CTX_CURVES_LIST	0
+#else
+#define HAVE_TLS_CTX_CURVES_LIST	(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST)
+#endif
+#ifndef HAVE_DECL_SSL_SET1_CURVES_LIST
+#define HAVE_TLS_CONN_CURVES_LIST	0
+#else
+#define HAVE_TLS_CONN_CURVES_LIST	(HAVE_DECL_SSL_SET1_CURVES_LIST)
+#endif
+
+typedef struct _getdns_tls_context {
+	SSL_CTX* ssl;
+} _getdns_tls_context;
+
+typedef struct _getdns_tls_connection {
+	SSL* ssl;
+} _getdns_tls_connection;
+
+typedef struct _getdns_tls_session {
+	SSL_SESSION* ssl;
+} _getdns_tls_session;
+
+typedef struct _getdns_tls_x509
+{
+	X509* ssl;
+} _getdns_tls_x509;
+
+#endif /* _GETDNS_TLS_INTERNAL_H */
diff --git a/src/test/Makefile.in b/src/test/Makefile.in
index 9d4dad00..89f5d3af 100644
--- a/src/test/Makefile.in
+++ b/src/test/Makefile.in
@@ -305,8 +305,7 @@ tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h \
 tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h \
  ../getdns/getdns.h
 tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c \
- ../config.h \
- $(srcdir)/testmessages.h \
+ ../config.h $(srcdir)/testmessages.h \
  ../getdns/getdns.h \
  ../getdns/getdns_extra.h
 tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h \
diff --git a/src/openssl/tls.h b/src/tls.h
similarity index 91%
rename from src/openssl/tls.h
rename to src/tls.h
index 92e35459..9d0b0704 100644
--- a/src/openssl/tls.h
+++ b/src/tls.h
@@ -36,39 +36,13 @@
 
 #include "getdns/getdns.h"
 
-#ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
-#define HAVE_TLS_CTX_CURVES_LIST	0
-#else
-#define HAVE_TLS_CTX_CURVES_LIST	(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST)
-#endif
-#ifndef HAVE_DECL_SSL_SET1_CURVES_LIST
-#define HAVE_TLS_CONN_CURVES_LIST	0
-#else
-#define HAVE_TLS_CONN_CURVES_LIST	(HAVE_DECL_SSL_SET1_CURVES_LIST)
-#endif
+#include "tls-internal.h"
 
 /* Additional return codes required by TLS abstraction. Internal use only. */
 #define GETDNS_RETURN_TLS_WANT_READ		((getdns_return_t) 420)
 #define GETDNS_RETURN_TLS_WANT_WRITE		((getdns_return_t) 421)
 #define GETDNS_RETURN_TLS_CONNECTION_FRESH	((getdns_return_t) 422)
 
-typedef struct _getdns_tls_context {
-	SSL_CTX* ssl;
-} _getdns_tls_context;
-
-typedef struct _getdns_tls_connection {
-	SSL* ssl;
-} _getdns_tls_connection;
-
-typedef struct _getdns_tls_session {
-	SSL_SESSION* ssl;
-} _getdns_tls_session;
-
-typedef struct _getdns_tls_x509
-{
-	X509* ssl;
-} _getdns_tls_x509;
-
 void _getdns_tls_init();
 
 _getdns_tls_context* _getdns_tls_context_new();
diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in
index 88d5f21d..c51e2daf 100644
--- a/src/tools/Makefile.in
+++ b/src/tools/Makefile.in
@@ -123,14 +123,10 @@ depend:
 
 # Dependencies for getdns_query
 getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \
- ../config.h \
- $(srcdir)/../debug.h \
+ ../config.h $(srcdir)/../debug.h \
  ../getdns/getdns.h \
  ../getdns/getdns_extra.h
-
-# Dependencies for getdns_server_mon
 getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \
  ../config.h \
- $(srcdir)/../debug.h \
  ../getdns/getdns.h \
  ../getdns/getdns_extra.h

From 2e8c48544b78b2644dbfff286c7df1efca4c6446 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 19 Nov 2018 13:55:02 +0000
Subject: [PATCH 156/303] Move pubkey-pinning implementation under openssl/.

---
 src/Makefile.in                    | 4 ++--
 src/{ => openssl}/pubkey-pinning.c | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename src/{ => openssl}/pubkey-pinning.c (100%)

diff --git a/src/Makefile.in b/src/Makefile.in
index 67a36f62..f3e253f8 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -78,7 +78,7 @@ C99COMPATFLAGS=@C99COMPATFLAGS@
 DEFAULT_EVENTLOOP_OBJ=@DEFAULT_EVENTLOOP@.lo
 
 GETDNS_OBJ=const-info.lo convert.lo dict.lo dnssec.lo general.lo \
-	list.lo request-internal.lo platform.lo pubkey-pinning.lo rr-dict.lo \
+	list.lo request-internal.lo platform.lo rr-dict.lo \
 	rr-iter.lo server.lo stub.lo sync.lo ub_loop.lo util-internal.lo \
 	mdns.lo
 
@@ -94,7 +94,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 UTIL_OBJ=rbtree.lo val_secalgo.lo lruhash.lo lookup3.lo locks.lo
 
 JSMN_OBJ=jsmn.lo
-TLS_OBJ=tls.lo
+TLS_OBJ=tls.lo pubkey-pinning.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
diff --git a/src/pubkey-pinning.c b/src/openssl/pubkey-pinning.c
similarity index 100%
rename from src/pubkey-pinning.c
rename to src/openssl/pubkey-pinning.c

From fb73bcb77e2e938942837bc3ec738f841b1476aa Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 12:43:17 +0000
Subject: [PATCH 157/303] Correct return value error from
 _getdns_tls_connection_(read|write)().

---
 src/openssl/tls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 0c4fd917..134525fd 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -399,7 +399,7 @@ getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_
 	int sread;
 
 	if (!conn || !conn->ssl || !read)
-		return -GETDNS_RETURN_INVALID_PARAMETER;
+		return GETDNS_RETURN_INVALID_PARAMETER;
 
 	ERR_clear_error();
 	sread = SSL_read(conn->ssl, buf, to_read);
@@ -425,7 +425,7 @@ getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8
 	int swritten;
 
 	if (!conn || !conn->ssl || !written)
-		return -GETDNS_RETURN_INVALID_PARAMETER;
+		return GETDNS_RETURN_INVALID_PARAMETER;
 
 	ERR_clear_error();
 	swritten = SSL_write(conn->ssl, buf, to_write);

From e5a53fb1d20c8286cfc9b91bdfc42c89d036024f Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 20 Nov 2018 13:57:13 +0100
Subject: [PATCH 158/303] Bumb version

---
 configure.ac | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 67636c57..8c161bbf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
-AC_INIT([getdns], [1.4.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
+AC_INIT([getdns], [1.4.3], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
 
 # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
 # patched to do the same, but frequently (MacOS) not. So add a with option
@@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [])
+AC_SUBST(RELEASE_CANDIDATE, [-rc1])
 AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
@@ -63,7 +63,7 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01040200])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010402c1])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"

From 1b0a09a23f2b306ec37addd3e564b09b8f903b00 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 14:53:31 +0000
Subject: [PATCH 159/303] Wrap hostname/certificate verification.

This removes the last OpenSSL items from stub.c.
---
 src/openssl/tls.c |  99 ++++++++++++++++++++++++++++++++++++
 src/stub.c        | 127 +++++++++++++---------------------------------
 src/tls.h         |  36 +++++++++++++
 3 files changed, 170 insertions(+), 92 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 134525fd..36a0f9a3 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -34,7 +34,9 @@
 #include "config.h"
 
 #include <openssl/err.h>
+#include <openssl/conf.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/pem.h>
 #include <openssl/bio.h>
 #include <openssl/ssl.h>
@@ -42,8 +44,35 @@
 #include <openssl/opensslv.h>
 #include <openssl/crypto.h>
 
+#include "debug.h"
+#include "context.h"
+
 #include "tls.h"
 
+static int _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
+{
+# if defined(STUB_DEBUG) && STUB_DEBUG
+	char	buf[8192];
+	X509   *cert;
+	int	 err;
+	int	 depth;
+
+	cert = X509_STORE_CTX_get_current_cert(ctx);
+	err = X509_STORE_CTX_get_error(ctx);
+	depth = X509_STORE_CTX_get_error_depth(ctx);
+
+	if (cert)
+		X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
+	else
+		strcpy(buf, "<unknown>");
+	DEBUG_STUB("DEBUG Cert verify: depth=%d verify=%d err=%d subject=%s errorstr=%s\n", depth, ok, err, buf, X509_verify_cert_error_string(err));
+# else /* defined(STUB_DEBUG) && STUB_DEBUG */
+	(void)ok;
+	(void)ctx;
+# endif /* #else defined(STUB_DEBUG) && STUB_DEBUG */
+	return 1;
+}
+
 static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert)
 {
 	_getdns_tls_x509* res;
@@ -394,6 +423,76 @@ getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection*
 		return GETDNS_RETURN_TLS_CONNECTION_FRESH;
 }
 
+getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connection* conn, const char* auth_name)
+{
+	if (!conn || !conn->ssl || !auth_name)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	SSL_set_tlsext_host_name(conn->ssl, auth_name);
+	/* Set up native OpenSSL hostname verification */
+	X509_VERIFY_PARAM *param;
+	param = SSL_get0_param(conn->ssl);
+	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+	X509_VERIFY_PARAM_set1_host(param, auth_name, 0);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset)
+{
+	if (!conn || !conn->ssl || !auth_name)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	int osr = SSL_dane_enable(conn->ssl, *auth_name ? auth_name : NULL);
+	(void) osr;
+	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
+	          , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
+	SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+	const sha256_pin_t *pin_p;
+	size_t n_pins = 0;
+	for (pin_p = pinset; pin_p; pin_p = pin_p->next) {
+		osr = SSL_dane_tlsa_add(conn->ssl, 2, 1, 1,
+		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
+			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+		if (osr > 0)
+			++n_pins;
+		osr = SSL_dane_tlsa_add(conn->ssl, 3, 1, 1,
+		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
+			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+		if (osr > 0)
+			++n_pins;
+	}
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	long verify_result = SSL_get_verify_result(conn->ssl);
+	switch (verify_result) {
+	case X509_V_OK:
+		return GETDNS_RETURN_GOOD;
+
+	case X509_V_ERR_DANE_NO_MATCH:
+		if (errnum)
+			*errnum = 0;
+		if (errmsg)
+			*errmsg = "Pinset validation failure";
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	default:
+		if (errnum)
+			*errnum = verify_result;
+		if (errmsg)
+			*errmsg = X509_verify_cert_error_string(verify_result);
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+}
+
+
 getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read)
 {
 	int sread;
diff --git a/src/stub.c b/src/stub.c
index 52478dfb..8db8a7fe 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -39,9 +39,6 @@
 #define INTERCEPT_COM_DS 0
 
 #include "debug.h"
-#include <openssl/err.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
 #include <fcntl.h>
 #include "stub.h"
 #include "gldns/gbuffer.h"
@@ -826,31 +823,6 @@ tls_requested(getdns_network_req *netreq)
 	        1 : 0;
 }
 
-static int
-_getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
-{ 
-# if defined(STUB_DEBUG) && STUB_DEBUG
-	char	buf[8192];
-	X509   *cert;
-	int	 err;
-	int	 depth;
-
-	cert = X509_STORE_CTX_get_current_cert(ctx);
-	err = X509_STORE_CTX_get_error(ctx);
-	depth = X509_STORE_CTX_get_error_depth(ctx);
-
-	if (cert)
-		X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
-	else
-		strcpy(buf, "<unknown>");
-	DEBUG_STUB("DEBUG Cert verify: depth=%d verify=%d err=%d subject=%s errorstr=%s\n", depth, ok, err, buf, X509_verify_cert_error_string(err));
-# else /* defined(STUB_DEBUG) && STUB_DEBUG */
-	(void)ok;
-	(void)ctx;
-# endif /* #else defined(STUB_DEBUG) && STUB_DEBUG */
-	return 1; 
-}
-
 static _getdns_tls_connection*
 tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 {
@@ -881,12 +853,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		/*Request certificate for the auth_name*/
 		DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
-		SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name);
-		/* Set up native OpenSSL hostname verification */
-		X509_VERIFY_PARAM *param;
-		param = SSL_get0_param(tls->ssl);
-		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-		X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
+		_getdns_tls_connection_setup_hostname_auth(tls, upstream->tls_auth_name);
 		/* Allow fallback to opportunistic if settings permit it*/
 		if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
 			upstream->tls_fallback_ok = 1;
@@ -926,32 +893,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		             __FUNC__);
 	}
 
-	int osr;
-# if defined(STUB_DEBUG) && STUB_DEBUG
-	osr =
-# else
-	(void)
-# endif
-		SSL_dane_enable(tls->ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
-	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
-	          , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
-	SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
-	sha256_pin_t *pin_p;
-	size_t n_pins = 0;
-	for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
-		osr = SSL_dane_tlsa_add(tls->ssl, 2, 1, 1,
-		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
-		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
-			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-		if (osr > 0)
-			++n_pins;
-		osr = SSL_dane_tlsa_add(tls->ssl, 3, 1, 1,
-		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
-		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
-			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-		if (osr > 0)
-			++n_pins;
-	}
+	_getdns_tls_connection_set_host_pinset(tls, upstream->tls_auth_name, upstream->tls_pubkey_pinset);
 
 	/* Session resumption. There are trade-offs here. Want to do it when
 	   possible only if we have the right type of connection. Note a change
@@ -1005,12 +947,9 @@ tls_do_handshake(getdns_upstream *upstream)
 		upstream->tls_auth_state = upstream->last_tls_auth_state;
 
 	else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
-		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl);
-		long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl);
+		_getdns_tls_x509* peer_cert = _getdns_tls_connection_get_peer_certificate(upstream->tls_obj);
 
-		upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
-		                         ? GETDNS_AUTH_OK : GETDNS_AUTH_FAILED;
-		if (!peer_cert)
+		if (!peer_cert) {
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,
 			    ( upstream->tls_fallback_ok
@@ -1021,38 +960,42 @@ tls_do_handshake(getdns_upstream *upstream)
 			    ( upstream->tls_fallback_ok
 			    ? "Tolerated because of Opportunistic profile"
 			    : "*Failure*" ));
+			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
+		} else {
+			long verify_errno;
+			const char* verify_errmsg;
 
-		/* Since we don't have DANE validation yet, DANE validation
-		 * failures are always pinset validation failures
-		 */
-		else if (verify_result == X509_V_ERR_DANE_NO_MATCH)
-			_getdns_upstream_log(upstream,
-			    GETDNS_LOG_UPSTREAM_STATS,
-			    ( upstream->tls_fallback_ok
-			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : TLS - %s -  "
-			    "Pinset validation failure\n", upstream->addr_str,
-			    ( upstream->tls_fallback_ok
-			    ? "Tolerated because of Opportunistic profile"
-			    : "*Failure*" ));
-		else if (verify_result != X509_V_OK)
-			_getdns_upstream_log(upstream,
-			    GETDNS_LOG_UPSTREAM_STATS,
-			    ( upstream->tls_fallback_ok
-			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : TLS - %s -  "
-			    "(%d) \"%s\"\n", upstream->addr_str,
-			    ( upstream->tls_fallback_ok
-			    ? "Tolerated because of Opportunistic profile"
-			    : "*Failure*" ), verify_result,
-			    X509_verify_cert_error_string(verify_result));
-		else
+			if (!_getdns_tls_connection_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) {
+				upstream->tls_auth_state = GETDNS_AUTH_OK;
+				if (verify_errno != 0) {
+					_getdns_upstream_log(upstream,
+					    GETDNS_LOG_UPSTREAM_STATS,
+					     ( upstream->tls_fallback_ok
+					       ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),					     "%-40s : Verify failed : TLS - %s -  "
+					     "(%d) \"%s\"\n", upstream->addr_str,
+					     ( upstream->tls_fallback_ok
+					       ? "Tolerated because of Opportunistic profile"
+					       : "*Failure*" ),
+					     verify_errno, verify_errmsg);
+				} else {
+					_getdns_upstream_log(upstream,
+					    GETDNS_LOG_UPSTREAM_STATS,
+					     ( upstream->tls_fallback_ok
+					       ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),					     "%-40s : Verify failed : TLS - %s -  "
+					     "%s\n", upstream->addr_str,
+					     ( upstream->tls_fallback_ok
+					       ? "Tolerated because of Opportunistic profile"
+					       : "*Failure*" ),
+					     verify_errno, verify_errmsg);
+				}
+			} else {
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
 			    "%-40s : Verify passed : TLS\n",
 			    upstream->addr_str);
-
-		X509_free(peer_cert);
+			}
+			_getdns_tls_x509_free(peer_cert);
+		}
 		if (upstream->tls_auth_state == GETDNS_AUTH_FAILED
 		    && !upstream->tls_fallback_ok)
 			return STUB_SETUP_ERROR;
diff --git a/src/tls.h b/src/tls.h
index 9d0b0704..295b649c 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -38,6 +38,10 @@
 
 #include "tls-internal.h"
 
+/* Forward declare type. */
+struct sha256_pin;
+typedef struct sha256_pin sha256_pin_t;
+
 /* Additional return codes required by TLS abstraction. Internal use only. */
 #define GETDNS_RETURN_TLS_WANT_READ		((getdns_return_t) 420)
 #define GETDNS_RETURN_TLS_WANT_WRITE		((getdns_return_t) 421)
@@ -100,6 +104,38 @@ _getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connec
  */
 getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn);
 
+/**
+ * Set up host name verification.
+ *
+ * @param conn		the connection.
+ * @param auth_name	the hostname.
+ * @return GETDNS_RETURN_GOOD if all OK.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ */
+getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connection* conn, const char* auth_name);
+
+/**
+ * Set host pinset.
+ *
+ * @param conn		the connection.
+ * @param auth_name	the hostname.
+ * @return GETDNS_RETURN_GOOD if all OK.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ */
+getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset);
+
+/**
+ * Get result of certificate verification.
+ *
+ * @param conn		the connection.
+ * @param errno		failure error number.
+ * @param errmsg	failure error message.
+ * @return GETDNS_RETURN_GOOD if all OK.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ * @return GETDNS_RETURN_GENERIC_ERROR if verification failed.
+ */
+getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg);
+
 /**
  * Read from TLS.
  *

From 52421be5f428a0a3937e3c1aefff24b240d34af0 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 15:12:10 +0000
Subject: [PATCH 160/303] Correct error checking result of
 _getdns_tls_context_set_ca().

---
 src/context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/context.c b/src/context.c
index 0729f4d8..4ee4b5de 100644
--- a/src/context.c
+++ b/src/context.c
@@ -3568,7 +3568,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			
 			/* For strict authentication, we must have local root certs available
 		       Set up is done only when the tls_ctx is created (per getdns_context)*/
-			if (!_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path)) {
+			if (_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path)) {
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}

From 6a5e96d4e1d09ef535ecc0bf767dc2bb20278d02 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 20 Nov 2018 16:13:57 +0100
Subject: [PATCH 161/303] tls_ciphersuites + bugfix in strdup2!!

---
 configure.ac                 |  2 +-
 src/const-info.c             |  2 ++
 src/context.c                | 66 +++++++++++++++++++++++++++++++++---
 src/context.h                |  2 ++
 src/getdns/getdns_extra.h.in | 28 +++++++++++++++
 src/stub.c                   | 17 ++++++++--
 6 files changed, 110 insertions(+), 7 deletions(-)

diff --git a/configure.ac b/configure.ac
index 8c161bbf..9ce45a81 100644
--- a/configure.ac
+++ b/configure.ac
@@ -418,7 +418,7 @@ AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter])
-AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list], [], [], [
+AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_CTX_set_ciphersuites,SSL_set_ciphersuites], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
diff --git a/src/const-info.c b/src/const-info.c
index 644676e6..b4dde28d 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -93,6 +93,7 @@ static struct const_info consts_info[] = {
 	{     632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT },
 	{     633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
 	{     634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT },
+	{     635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT },
 	{     699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
@@ -190,6 +191,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CA_FILE", 632 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CA_PATH", 631 },
+	{ "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", 635 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", 634 },
diff --git a/src/context.c b/src/context.c
index 56d827ee..322bfb5b 100644
--- a/src/context.c
+++ b/src/context.c
@@ -178,7 +178,7 @@ _getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s)
         return NULL;
     else {
 	r[s->size] = '\0';
-        return memcpy(r, s, s->size);
+        return memcpy(r, s->data, s->size);
     }
 }
 
@@ -781,6 +781,8 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 		upstream->tls_pubkey_pinset = NULL;
 		if (upstream->tls_cipher_list)
 			GETDNS_FREE(upstreams->mf, upstream->tls_cipher_list);
+		if (upstream->tls_ciphersuites)
+			GETDNS_FREE(upstreams->mf, upstream->tls_ciphersuites);
 		if (upstream->tls_curves_list)
 			GETDNS_FREE(upstreams->mf, upstream->tls_curves_list);
 	}
@@ -1075,6 +1077,7 @@ upstream_init(getdns_upstream *upstream,
 	upstream->tls_obj  = NULL;
 	upstream->tls_session = NULL;
 	upstream->tls_cipher_list = NULL;
+	upstream->tls_ciphersuites = NULL;
 	upstream->tls_curves_list = NULL;
 	upstream->transport = GETDNS_TRANSPORT_TCP;
 	upstream->tls_hs_state = GETDNS_HS_NONE;
@@ -1478,8 +1481,11 @@ static char const * const _getdns_default_trust_anchors_verify_email =
     "dnssec@iana.org";
 
 static char const * const _getdns_default_tls_cipher_list = 
-	"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
-	"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
+    "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
+    "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
+
+static char const * const _getdns_default_tls_ciphersuites = 
+  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
 
 /*
  * getdns_context_create
@@ -1589,6 +1595,7 @@ getdns_context_create_with_extended_memory_functions(
 	result->tls_ca_path = NULL;
 	result->tls_ca_file = NULL;
 	result->tls_cipher_list = NULL;
+	result->tls_ciphersuites = NULL;
 	result->tls_curves_list = NULL;
 
 	(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
@@ -1864,6 +1871,8 @@ getdns_context_destroy(struct getdns_context *context)
 		GETDNS_FREE(context->mf, context->tls_ca_file);
 	if (context->tls_cipher_list)
 		GETDNS_FREE(context->mf, context->tls_cipher_list);
+	if (context->tls_ciphersuites)
+		GETDNS_FREE(context->mf, context->tls_ciphersuites);
 	if (context->tls_curves_list)
 		GETDNS_FREE(context->mf, context->tls_curves_list);
 
@@ -3079,6 +3088,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 			if (dict && getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
 				getdns_list *pubkey_pinset = NULL;
 				getdns_bindata *tls_cipher_list = NULL;
+				getdns_bindata *tls_ciphersuites = NULL;
 				getdns_bindata *tls_curves_list = NULL;
 
 				if ((r = getdns_dict_get_bindata(
@@ -3118,6 +3128,12 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				    ? _getdns_strdup2(&upstreams->mf
 				                     , tls_cipher_list)
 				    : NULL;
+				(void) getdns_dict_get_bindata(
+				    dict, "tls_ciphersuites", &tls_ciphersuites);
+				upstream->tls_ciphersuites = tls_ciphersuites
+				    ? _getdns_strdup2(&upstreams->mf
+				                     , tls_ciphersuites)
+				    : NULL;
 				(void) getdns_dict_get_bindata(
 				    dict, "tls_curves_list", &tls_curves_list);
 				if (tls_curves_list) {
@@ -3713,7 +3729,12 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			    context->tls_cipher_list ? context->tls_cipher_list
 			                             : _getdns_default_tls_cipher_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
-
+#  if defined(HAVE_DECL_SSL_CTX_SET_CIPHERSUITES) && HAVE_DECL_SSL_CTX_SET_CIPHERSUITES
+			if (!SSL_CTX_set_ciphersuites(context->tls_ctx,
+			    context->tls_ciphersuites ? context->tls_ciphersuites
+			                             : _getdns_default_tls_ciphersuites))
+				return GETDNS_RETURN_BAD_CONTEXT;
+#  endif
 #  if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
 			if (context->tls_curves_list &&
 			    !SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
@@ -4058,6 +4079,8 @@ _get_context_settings(getdns_context* context)
 		(void) getdns_dict_util_set_string(result, "tls_ca_file", str_value);
 	if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value)
 		(void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value);
+	if (!getdns_context_get_tls_ciphersuites(context, &str_value) && str_value)
+		(void) getdns_dict_util_set_string(result, "tls_ciphersuites", str_value);
 	if (!getdns_context_get_tls_curves_list(context, &str_value) && str_value)
 		(void) getdns_dict_util_set_string(result, "tls_curves_list", str_value);
 
@@ -4668,6 +4691,11 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
 					    d, "tls_cipher_list",
 					    upstream->tls_cipher_list);
 				}
+				if (upstream->tls_ciphersuites) {
+					(void) getdns_dict_util_set_string(
+					    d, "tls_ciphersuites",
+					    upstream->tls_ciphersuites);
+				}
 				if (upstream->tls_curves_list) {
 					(void) getdns_dict_util_set_string(
 					    d, "tls_curves_list",
@@ -4893,6 +4921,7 @@ _getdns_context_config_setting(getdns_context *context,
 	CONTEXT_SETTING_STRING(tls_ca_path)
 	CONTEXT_SETTING_STRING(tls_ca_file)
 	CONTEXT_SETTING_STRING(tls_cipher_list)
+	CONTEXT_SETTING_STRING(tls_ciphersuites)
 	CONTEXT_SETTING_STRING(tls_curves_list)
 
 	/**************************************/
@@ -5491,6 +5520,35 @@ getdns_context_get_tls_cipher_list(
 	return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t
+getdns_context_set_tls_ciphersuites(
+    getdns_context *context, const char *tls_ciphersuites)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (context->tls_ciphersuites)
+		GETDNS_FREE(context->mf, context->tls_ciphersuites);
+	context->tls_ciphersuites = tls_ciphersuites
+	                         ? _getdns_strdup(&context->mf, tls_ciphersuites)
+	                         : NULL;
+
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_tls_ciphersuites(
+    getdns_context *context, const char **tls_ciphersuites)
+{
+	if (!context || !tls_ciphersuites)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	*tls_ciphersuites = context->tls_ciphersuites
+	                 ? context->tls_ciphersuites
+	                 : _getdns_default_tls_ciphersuites;
+	return GETDNS_RETURN_GOOD;
+}
+
 getdns_return_t
 getdns_context_set_tls_curves_list(
     getdns_context *context, const char *tls_curves_list)
diff --git a/src/context.h b/src/context.h
index 27dd2bee..5d453c7d 100644
--- a/src/context.h
+++ b/src/context.h
@@ -207,6 +207,7 @@ typedef struct getdns_upstream {
 	getdns_auth_state_t      tls_auth_state;
 	unsigned                 tls_fallback_ok : 1;
 	char                    *tls_cipher_list;
+	char                    *tls_ciphersuites;
 	char                    *tls_curves_list;
 	/* Auth credentials*/
 	char                     tls_auth_name[256];
@@ -350,6 +351,7 @@ struct getdns_context {
 	char                 *tls_ca_path;
 	char                 *tls_ca_file;
 	char                 *tls_cipher_list;
+	char                 *tls_ciphersuites;
 	char                 *tls_curves_list;
 
 	getdns_upstreams     *upstreams;
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 34282643..83db831f 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -102,6 +102,9 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list"
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST 634
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
+#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES 635
+#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT "Change related to getdns_context_set_tls_ciphersuites"
+
 
 /** @}
   */
@@ -755,6 +758,18 @@ getdns_return_t
 getdns_context_set_tls_cipher_list(
     getdns_context *context, const char *cipher_list);
 
+/**
+ * Configure the available TLS1.3 ciphersuites for authenticated TLS upstreams.
+ * @see getdns_context_get_tls_ciphersuites
+ * @param[in] context       The context to configure
+ * @param[in] ciphersuites  The cipher list
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_set_tls_ciphersuites(
+    getdns_context *context, const char *ciphersuites);
+
 /**
  * Sets the supported curves TLS upstreams.
  * @see getdns_context_get_tls_curves_list
@@ -1287,6 +1302,19 @@ getdns_return_t
 getdns_context_get_tls_cipher_list(
     getdns_context *context, const char **cipher_list);
 
+/**
+ * Get the configured available TLS1.3 ciphersuited for authenticated TLS 
+ * upstreams.
+ * @see getdns_context_set_tls_ciphersuites
+ * @param[in]  context      The context configure
+ * @param[out] ciphersuites  The cipher list
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_get_tls_ciphersuites(
+    getdns_context *context, const char **ciphersuites);
+
 /**
  * Get the supported curves list if one has been set earlier.
  * @see getdns_context_set_tls_curves_list
diff --git a/src/stub.c b/src/stub.c
index 785d9f1f..d4861a53 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1006,11 +1006,24 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__);
 	} else {
-		if (upstream->tls_cipher_list)
-			SSL_set_cipher_list(ssl, upstream->tls_cipher_list);
+		if (upstream->tls_cipher_list &&
+		    !SSL_set_cipher_list(ssl, upstream->tls_cipher_list))
+			_getdns_upstream_log(upstream,
+			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
+			    "%-40s : Error configuring cipher_list\"%s\"\n",
+			    upstream->addr_str, upstream->tls_cipher_list);
+
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
 	}
+#if defined(HAVE_DECL_SSL_SET_CIPHERSUITES) && HAVE_DECL_SSL_SET_CIPHERSUITES
+	if (upstream->tls_ciphersuites &&
+	   !SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) {
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+		    GETDNS_LOG_ERR, "%-40s : Error configuring ciphersuites "
+		    "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
+	}
+#endif
 #if defined(HAVE_SSL_DANE_ENABLE)
 	int osr;
 # if defined(STUB_DEBUG) && STUB_DEBUG

From cfa78707a36a33eeaacbe1de9e62e3e3d71385a2 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 15:35:59 +0000
Subject: [PATCH 162/303] Add openssl subdir to distribution.

---
 Makefile.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Makefile.in b/Makefile.in
index ee6b86bb..53ffb04a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -210,6 +210,7 @@ $(distdir):
 	mkdir -p $(distdir)/src/compat
 	mkdir -p $(distdir)/src/util
 	mkdir -p $(distdir)/src/gldns
+	mkdir -p $(distdir)/src/openssl
 	mkdir -p $(distdir)/src/tools
 	mkdir -p $(distdir)/src/jsmn
 	mkdir -p $(distdir)/src/yxml
@@ -263,6 +264,7 @@ $(distdir):
 	cp $(srcdir)/spec/*.html $(distdir)/spec
 	cp $(srcdir)/spec/example/Makefile.in $(distdir)/spec/example
 	cp $(srcdir)/spec/example/*.[ch] $(distdir)/spec/example
+	cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/openssl
 	cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools
 	cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools
 	cp $(srcdir)/stubby/stubby.yml.example $(distdir)/stubby

From 756eda96d852d6dd58ffac18e0c9b42340d254c0 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 15:47:56 +0000
Subject: [PATCH 163/303] Remove ssl_dane dir from dependency generation
 search.

---
 src/Makefile.in | 275 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 273 insertions(+), 2 deletions(-)

diff --git a/src/Makefile.in b/src/Makefile.in
index f3e253f8..b17efd85 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -271,7 +271,7 @@ Makefile: $(srcdir)/Makefile.in ../config.status
 depend:
 	(cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
 
-	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
+	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \
 		sed -e "s? $$blddir/? ?g" \
 		    -e 's? gldns/? $$(srcdir)/gldns/?g' \
 		    -e 's? compat/? $$(srcdir)/compat/?g' \
@@ -280,7 +280,6 @@ depend:
 		    -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
 		    -e 's? openssl/? $$(srcdir)/openssl/?g' \
 		    -e 's? yxml/? $$(srcdir)/yxml/?g' \
-		    -e 's? ssl_dane/? $$(srcdir)/ssl_dane/?g' \
 		    -e 's? extension/? $$(srcdir)/extension/?g' \
 		    -e 's? \.\./stubby/? $$(stubbysrcdir)/?g' \
 		    -e 's? \([a-z_-]*\)\.\([ch]\)? $$(srcdir)/\1.\2?g' \
@@ -300,3 +299,275 @@ depend:
 FORCE:
 
 # Dependencies for gldns, utils, the extensions and compat functions
+anchor.lo anchor.o: $(srcdir)/anchor.c config.h \
+ $(srcdir)/debug.h $(srcdir)/anchor.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \
+ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h \
+ $(srcdir)/platform.h
+const-info.lo const-info.o: $(srcdir)/const-info.c \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/const-info.h
+context.lo context.o: $(srcdir)/context.c config.h \
+ $(srcdir)/anchor.h getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \
+ $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h \
+ $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h
+convert.lo convert.o: $(srcdir)/convert.c config.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
+ $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
+ $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h \
+ $(srcdir)/debug.h
+dict.lo dict.o: $(srcdir)/dict.c config.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \
+ $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h
+dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
+ $(srcdir)/debug.h getdns/getdns.h \
+ $(srcdir)/context.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \
+ $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h
+general.lo general.o: $(srcdir)/general.c config.h \
+ $(srcdir)/general.h getdns/getdns.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h
+list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \
+ config.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h
+mdns.lo mdns.o: $(srcdir)/mdns.c config.h \
+ $(srcdir)/debug.h $(srcdir)/context.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/general.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
+platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \
+ config.h
+request-internal.lo request-internal.o: $(srcdir)/request-internal.c \
+ config.h $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h
+rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
+ config.h \
+ getdns/getdns.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/util-internal.h $(srcdir)/context.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \
+ $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dict.h
+rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ config.h \
+ getdns/getdns.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h
+server.lo server.o: $(srcdir)/server.c config.h \
+ getdns/getdns_extra.h \
+ getdns/getdns.h $(srcdir)/context.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/debug.h \
+ $(srcdir)/util-internal.h $(srcdir)/platform.h
+stub.lo stub.o: $(srcdir)/stub.c config.h \
+ $(srcdir)/debug.h $(srcdir)/stub.h \
+ getdns/getdns.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \
+ $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \
+ $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \
+ $(srcdir)/pubkey-pinning.h
+sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \
+ config.h $(srcdir)/context.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/general.h \
+ $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
+ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \
+ config.h
+util-internal.lo util-internal.o: $(srcdir)/util-internal.c \
+ config.h \
+ getdns/getdns.h $(srcdir)/dict.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
+ getdns/getdns_extra.h $(srcdir)/list.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
+ $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
+ $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \
+ $(srcdir)/gldns/rrdef.h
+gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
+ config.h $(srcdir)/gldns/gbuffer.h
+keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
+ config.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/gldns/rrdef.h
+parse.lo parse.o: $(srcdir)/gldns/parse.c \
+ config.h $(srcdir)/gldns/parse.h \
+ $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
+parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \
+ config.h $(srcdir)/gldns/parseutil.h
+rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \
+ config.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/parseutil.h
+str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
+ config.h $(srcdir)/gldns/str2wire.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \
+ $(srcdir)/gldns/parseutil.h
+wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
+ config.h $(srcdir)/gldns/wire2str.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h
+arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
+ config.h
+arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
+ config.h \
+ $(srcdir)/compat/chacha_private.h
+arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c \
+ config.h
+explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c \
+ config.h
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c \
+ config.h
+getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c \
+ config.h
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c \
+ config.h
+getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
+gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c \
+ config.h
+inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c \
+ config.h
+inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c \
+ config.h
+sha512.lo sha512.o: $(srcdir)/compat/sha512.c \
+ config.h
+strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \
+ config.h
+strptime.lo strptime.o: $(srcdir)/compat/strptime.c \
+ config.h
+locks.lo locks.o: $(srcdir)/util/locks.c config.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h
+lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \
+ config.h \
+ $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \
+ $(srcdir)/util/orig-headers/lookup3.h
+lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \
+ config.h \
+ $(srcdir)/util/auxiliary/util/storage/lruhash.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h
+rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
+ config.h $(srcdir)/util/auxiliary/log.h \
+ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \
+ $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h
+val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \
+ config.h \
+ $(srcdir)/util/auxiliary/util/data/packed_rrset.h \
+ $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \
+ $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \
+ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
+jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
+pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \
+ config.h $(srcdir)/debug.h \
+ getdns/getdns.h $(srcdir)/context.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/context.h
+tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
+ $(srcdir)/debug.h $(srcdir)/context.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/tls.h
+yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
+libev.lo libev.o: $(srcdir)/extension/libev.c \
+ config.h $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h
+libevent.lo libevent.o: $(srcdir)/extension/libevent.c \
+ config.h $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h
+libuv.lo libuv.o: $(srcdir)/extension/libuv.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h
+poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
+ config.h $(srcdir)/util-internal.h \
+ $(srcdir)/context.h getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h
+select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \
+ $(srcdir)/extension/select_eventloop.h
+stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c \
+ config.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h

From ff9cde2087282b66357b9bd450fef61daf5db7cb Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 15:49:26 +0000
Subject: [PATCH 164/303] Remove SSL type from pubkey-pinning interface.

---
 src/openssl/pubkey-pinning.c | 11 +++++++----
 src/pubkey-pinning.h         |  5 +++--
 src/stub.c                   |  2 +-
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/openssl/pubkey-pinning.c b/src/openssl/pubkey-pinning.c
index 1b9674fd..09cb2c70 100644
--- a/src/openssl/pubkey-pinning.c
+++ b/src/openssl/pubkey-pinning.c
@@ -361,15 +361,18 @@ _getdns_upstream_from_x509_store(X509_STORE_CTX *store)
 }
 
 getdns_return_t
-_getdns_associate_upstream_with_SSL(SSL *ssl,
-				    getdns_upstream *upstream)
+_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
+					   getdns_upstream *upstream)
 {
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 	int uidx = _get_ssl_getdns_upstream_idx();
 #else
-	int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl)));
+	int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(conn->ssl)));
 #endif
-	if (SSL_set_ex_data(ssl, uidx, upstream))
+	if (SSL_set_ex_data(conn->ssl, uidx, upstream))
 		return GETDNS_RETURN_GOOD;
 	else
 		return GETDNS_RETURN_GENERIC_ERROR;
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 894ccf00..5f0e4840 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -34,6 +34,7 @@
 #ifndef PUBKEY_PINNING_H_
 #define PUBKEY_PINNING_H_
 
+#include "tls.h"
 
 /* create and populate a pinset linked list from a getdns_list pinset */
 getdns_return_t
@@ -57,8 +58,8 @@ _getdns_upstream_from_x509_store(X509_STORE_CTX *store);
 
 
 getdns_return_t
-_getdns_associate_upstream_with_SSL(SSL *ssl,
-				    getdns_upstream *upstream);
+_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
+					   getdns_upstream *upstream);
 
 getdns_return_t
 _getdns_verify_pinset_match(const sha256_pin_t *pinset,
diff --git a/src/stub.c b/src/stub.c
index 8db8a7fe..ca4c55d0 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -838,7 +838,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		_getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);
 #endif
 	/* make sure we'll be able to find the context again when we need it */
-	if (_getdns_associate_upstream_with_SSL(tls->ssl, upstream) != GETDNS_RETURN_GOOD) {
+	if (_getdns_associate_upstream_with_connection(tls, upstream) != GETDNS_RETURN_GOOD) {
 		_getdns_tls_connection_free(tls);
 		return NULL;
 	}

From 4eb845bc58de7d3c904804ec489dee7c71555e0d Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 15:55:34 +0000
Subject: [PATCH 165/303] Move internal-only functions from public
 pubkey-pinning interface.

The interface now only exposes functions used by the main getdns code.
---
 src/Makefile.in                       |  2 +-
 src/openssl/pubkey-pinning-internal.h | 51 +++++++++++++++++++++++++++
 src/openssl/pubkey-pinning.c          |  2 ++
 src/pubkey-pinning.h                  | 14 +-------
 4 files changed, 55 insertions(+), 14 deletions(-)
 create mode 100644 src/openssl/pubkey-pinning-internal.h

diff --git a/src/Makefile.in b/src/Makefile.in
index b17efd85..72e5002c 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -525,7 +525,7 @@ pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/context.h
+ $(srcdir)/context.h $(srcdir)/openssl/pubkey-pinning-internal.h
 tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
  $(srcdir)/debug.h $(srcdir)/context.h \
  getdns/getdns.h \
diff --git a/src/openssl/pubkey-pinning-internal.h b/src/openssl/pubkey-pinning-internal.h
new file mode 100644
index 00000000..3313dffd
--- /dev/null
+++ b/src/openssl/pubkey-pinning-internal.h
@@ -0,0 +1,51 @@
+/**
+ *
+ * /brief internal functions for dealing with pubkey pinsets
+ *
+ */
+
+/*
+ * Copyright (c) 2015 ACLU
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef PUBKEY_PINNING_INTERNAL_H_
+#define PUBKEY_PINNING_INTERNAL_H_
+
+#include <openssl/x509.h>
+
+/* internal functions for associating X.509 verification processes in
+ * OpenSSL with getdns_upstream objects. */
+
+getdns_upstream*
+_getdns_upstream_from_x509_store(X509_STORE_CTX *store);
+
+
+getdns_return_t
+_getdns_verify_pinset_match(const sha256_pin_t *pinset,
+			    X509_STORE_CTX *store);
+
+#endif
+/* pubkey-pinning-internal.h */
diff --git a/src/openssl/pubkey-pinning.c b/src/openssl/pubkey-pinning.c
index 09cb2c70..8f10ee6f 100644
--- a/src/openssl/pubkey-pinning.c
+++ b/src/openssl/pubkey-pinning.c
@@ -56,6 +56,8 @@
 #include "context.h"
 #include "util-internal.h"
 
+#include "pubkey-pinning-internal.h"
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #define X509_STORE_CTX_get0_untrusted(store) store->untrusted
 #endif
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 5f0e4840..4e8a31e5 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -1,6 +1,6 @@
 /**
  *
- * /brief internal functions for dealing with pubkey pinsets
+ * /brief functions for dealing with pubkey pinsets
  *
  */
 
@@ -49,21 +49,9 @@ _getdns_get_pubkey_pinset_list(getdns_context *ctx,
 			       const sha256_pin_t *pinset_in,
 			       getdns_list **pinset_list);
 
-
-/* internal functions for associating X.509 verification processes in
- * OpenSSL with getdns_upstream objects. */
-
-getdns_upstream*
-_getdns_upstream_from_x509_store(X509_STORE_CTX *store);
-
-
 getdns_return_t
 _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
 					   getdns_upstream *upstream);
 
-getdns_return_t
-_getdns_verify_pinset_match(const sha256_pin_t *pinset,
-			    X509_STORE_CTX *store);
-
 #endif
 /* pubkey-pinning.h */

From da94b52f749e907eecec69df0195d2307069be7f Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 16:21:06 +0000
Subject: [PATCH 166/303] Move val_secalgo.c to openssl.

It contains ports other than OpenSSL (NSS and NETTLE), but we're not worrying about those for our purposes at present.
---
 src/Makefile.in                     | 20 ++++++++++----------
 src/{util => openssl}/val_secalgo.c |  0
 2 files changed, 10 insertions(+), 10 deletions(-)
 rename src/{util => openssl}/val_secalgo.c (100%)

diff --git a/src/Makefile.in b/src/Makefile.in
index 72e5002c..4e1085a8 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -91,10 +91,10 @@ LIBOBJDIR=
 LIBOBJS=@LIBOBJS@
 COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 
-UTIL_OBJ=rbtree.lo val_secalgo.lo lruhash.lo lookup3.lo locks.lo
+UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo
 
 JSMN_OBJ=jsmn.lo
-TLS_OBJ=tls.lo pubkey-pinning.lo
+TLS_OBJ=tls.lo pubkey-pinning.lo val_secalgo.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
@@ -508,14 +508,6 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
  $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \
  $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/orig-headers/rbtree.h
-val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \
- config.h \
- $(srcdir)/util/auxiliary/util/data/packed_rrset.h \
- $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \
- $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
 pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \
  config.h $(srcdir)/debug.h \
@@ -534,6 +526,14 @@ tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/tls.h
+val_secalgo.lo val_secalgo.o: $(srcdir)/openssl/val_secalgo.c \
+ config.h \
+ $(srcdir)/util/auxiliary/util/data/packed_rrset.h \
+ $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \
+ $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \
+ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
 yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
 libev.lo libev.o: $(srcdir)/extension/libev.c \
  config.h $(srcdir)/types-internal.h \
diff --git a/src/util/val_secalgo.c b/src/openssl/val_secalgo.c
similarity index 100%
rename from src/util/val_secalgo.c
rename to src/openssl/val_secalgo.c

From f3e0f2b9e635609e9740dcd96935e9eca007d55d Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 16:51:17 +0000
Subject: [PATCH 167/303] Split OpenSSL specific bits of keyraw.hc into
 keyraw-internal.hc.

All usage is internal to val_secalgo.c, which is already in openssl.
---
 src/Makefile.in               |  19 +-
 src/gldns/keyraw.c            | 332 --------------------------------
 src/gldns/keyraw.h            |  83 +-------
 src/openssl/keyraw-internal.c | 348 ++++++++++++++++++++++++++++++++++
 src/openssl/keyraw-internal.h | 110 +++++++++++
 5 files changed, 471 insertions(+), 421 deletions(-)
 create mode 100644 src/openssl/keyraw-internal.c
 create mode 100644 src/openssl/keyraw-internal.h

diff --git a/src/Makefile.in b/src/Makefile.in
index 4e1085a8..8da886c5 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -94,7 +94,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo
 
 JSMN_OBJ=jsmn.lo
-TLS_OBJ=tls.lo pubkey-pinning.lo val_secalgo.lo
+TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
@@ -308,8 +308,8 @@ anchor.lo anchor.o: $(srcdir)/anchor.c config.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \
  $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h \
- $(srcdir)/platform.h
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h \
+ $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
 const-info.lo const-info.o: $(srcdir)/const-info.c \
  getdns/getdns.h \
  getdns/getdns_extra.h \
@@ -352,8 +352,8 @@ dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
  $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \
- $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h
+ $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \
+ $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h
 general.lo general.o: $(srcdir)/general.c config.h \
  $(srcdir)/general.h getdns/getdns.h \
  $(srcdir)/types-internal.h \
@@ -447,7 +447,7 @@ gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
  config.h $(srcdir)/gldns/gbuffer.h
 keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
  config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/gldns/rrdef.h
+ $(srcdir)/openssl/keyraw-internal.h
 parse.lo parse.o: $(srcdir)/gldns/parse.c \
  config.h $(srcdir)/gldns/parse.h \
  $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
@@ -463,7 +463,7 @@ str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
 wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
  config.h $(srcdir)/gldns/wire2str.h \
  $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h
 arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
  config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
@@ -509,6 +509,9 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
  $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/orig-headers/rbtree.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
+keyraw-internal.lo keyraw-internal.o: $(srcdir)/openssl/keyraw-internal.c \
+ config.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h
 pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \
  config.h $(srcdir)/debug.h \
  getdns/getdns.h $(srcdir)/context.h \
@@ -533,7 +536,7 @@ val_secalgo.lo val_secalgo.o: $(srcdir)/openssl/val_secalgo.c \
  $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \
  $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
+ $(srcdir)/openssl/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
 yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
 libev.lo libev.o: $(srcdir)/extension/libev.c \
  config.h $(srcdir)/types-internal.h \
diff --git a/src/gldns/keyraw.c b/src/gldns/keyraw.c
index db84743e..e59189e0 100644
--- a/src/gldns/keyraw.c
+++ b/src/gldns/keyraw.c
@@ -14,26 +14,6 @@
 #include "gldns/keyraw.h"
 #include "gldns/rrdef.h"
 
-#ifdef HAVE_SSL
-#include <openssl/ssl.h>
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/md5.h>
-#ifdef HAVE_OPENSSL_ENGINE_H
-#  include <openssl/engine.h>
-#endif
-#ifdef HAVE_OPENSSL_BN_H
-#include <openssl/bn.h>
-#endif
-#ifdef HAVE_OPENSSL_RSA_H
-#include <openssl/rsa.h>
-#endif
-#ifdef HAVE_OPENSSL_DSA_H
-#include <openssl/dsa.h>
-#endif
-#endif /* HAVE_SSL */
-
 size_t
 gldns_rr_dnskey_key_size_raw(const unsigned char* keydata,
 	const size_t len, int alg)
@@ -126,315 +106,3 @@ uint16_t gldns_calc_keytag_raw(const uint8_t* key, size_t keysize)
 		return (uint16_t) (ac32 & 0xFFFF);
 	}
 }
-
-#ifdef HAVE_SSL
-#ifdef USE_GOST
-/** store GOST engine reference loaded into OpenSSL library */
-ENGINE* gldns_gost_engine = NULL;
-
-int
-gldns_key_EVP_load_gost_id(void)
-{
-	static int gost_id = 0;
-	const EVP_PKEY_ASN1_METHOD* meth;
-	ENGINE* e;
-
-	if(gost_id) return gost_id;
-
-	/* see if configuration loaded gost implementation from other engine*/
-	meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
-	if(meth) {
-		EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
-		return gost_id;
-	}
-
-	/* see if engine can be loaded already */
-	e = ENGINE_by_id("gost");
-	if(!e) {
-		/* load it ourself, in case statically linked */
-		ENGINE_load_builtin_engines();
-		ENGINE_load_dynamic();
-		e = ENGINE_by_id("gost");
-	}
-	if(!e) {
-		/* no gost engine in openssl */
-		return 0;
-	}
-	if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-		ENGINE_finish(e);
-		ENGINE_free(e);
-		return 0;
-	}
-
-	meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
-	if(!meth) {
-		/* algo not found */
-		ENGINE_finish(e);
-		ENGINE_free(e);
-		return 0;
-	}
-        /* Note: do not ENGINE_finish and ENGINE_free the acquired engine
-         * on some platforms this frees up the meth and unloads gost stuff */
-        gldns_gost_engine = e;
-	
-	EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
-	return gost_id;
-} 
-
-void gldns_key_EVP_unload_gost(void)
-{
-        if(gldns_gost_engine) {
-                ENGINE_finish(gldns_gost_engine);
-                ENGINE_free(gldns_gost_engine);
-                gldns_gost_engine = NULL;
-        }
-}
-#endif /* USE_GOST */
-
-DSA *
-gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
-{
-	uint8_t T;
-	uint16_t length;
-	uint16_t offset;
-	DSA *dsa;
-	BIGNUM *Q; BIGNUM *P;
-	BIGNUM *G; BIGNUM *Y;
-
-	if(len == 0)
-		return NULL;
-	T = (uint8_t)key[0];
-	length = (64 + T * 8);
-	offset = 1;
-
-	if (T > 8) {
-		return NULL;
-	}
-	if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
-		return NULL;
-
-	Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
-	offset += SHA_DIGEST_LENGTH;
-
-	P = BN_bin2bn(key+offset, (int)length, NULL);
-	offset += length;
-
-	G = BN_bin2bn(key+offset, (int)length, NULL);
-	offset += length;
-
-	Y = BN_bin2bn(key+offset, (int)length, NULL);
-
-	/* create the key and set its properties */
-	if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
-		BN_free(Q);
-		BN_free(P);
-		BN_free(G);
-		BN_free(Y);
-		return NULL;
-	}
-	if (!DSA_set0_pqg(dsa, P, Q, G)) {
-		/* QPG not yet attached, need to free */
-		BN_free(Q);
-		BN_free(P);
-		BN_free(G);
-
-		DSA_free(dsa);
-		BN_free(Y);
-		return NULL;
-	}
-	if (!DSA_set0_key(dsa, Y, NULL)) {
-		/* QPG attached, cleaned up by DSA_fre() */
-		DSA_free(dsa);
-		BN_free(Y);
-		return NULL;
-	}
-
-	return dsa;
-}
-
-RSA *
-gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
-{
-	uint16_t offset;
-	uint16_t exp;
-	uint16_t int16;
-	RSA *rsa;
-	BIGNUM *modulus;
-	BIGNUM *exponent;
-
-	if (len == 0)
-		return NULL;
-	if (key[0] == 0) {
-		if(len < 3)
-			return NULL;
-		memmove(&int16, key+1, 2);
-		exp = ntohs(int16);
-		offset = 3;
-	} else {
-		exp = key[0];
-		offset = 1;
-	}
-
-	/* key length at least one */
-	if(len < (size_t)offset + exp + 1)
-		return NULL;
-
-	/* Exponent */
-	exponent = BN_new();
-	if(!exponent) return NULL;
-	(void) BN_bin2bn(key+offset, (int)exp, exponent);
-	offset += exp;
-
-	/* Modulus */
-	modulus = BN_new();
-	if(!modulus) {
-		BN_free(exponent);
-		return NULL;
-	}
-	/* length of the buffer must match the key length! */
-	(void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
-
-	rsa = RSA_new();
-	if(!rsa) {
-		BN_free(exponent);
-		BN_free(modulus);
-		return NULL;
-	}
-	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
-		BN_free(exponent);
-		BN_free(modulus);
-		RSA_free(rsa);
-		return NULL;
-	}
-
-	return rsa;
-}
-
-#ifdef USE_GOST
-EVP_PKEY*
-gldns_gost2pkey_raw(unsigned char* key, size_t keylen)
-{
-	/* prefix header for X509 encoding */
-	uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, 
-		0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85, 
-		0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 
-		0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40};
-	unsigned char encoded[37+64];
-	const unsigned char* pp;
-	if(keylen != 64) {
-		/* key wrong size */
-		return NULL;
-	}
-
-	/* create evp_key */
-	memmove(encoded, asn, 37);
-	memmove(encoded+37, key, 64);
-	pp = (unsigned char*)&encoded[0];
-
-	return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded));
-}
-#endif /* USE_GOST */
-
-#ifdef USE_ECDSA
-EVP_PKEY*
-gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
-{
-	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
-        const unsigned char* pp = buf;
-        EVP_PKEY *evp_key;
-        EC_KEY *ec;
-	/* check length, which uncompressed must be 2 bignums */
-        if(algo == GLDNS_ECDSAP256SHA256) {
-		if(keylen != 2*256/8) return NULL;
-                ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-        } else if(algo == GLDNS_ECDSAP384SHA384) {
-		if(keylen != 2*384/8) return NULL;
-                ec = EC_KEY_new_by_curve_name(NID_secp384r1);
-        } else    ec = NULL;
-        if(!ec) return NULL;
-	if(keylen+1 > sizeof(buf)) { /* sanity check */
-                EC_KEY_free(ec);
-		return NULL;
-	}
-	/* prepend the 0x02 (from docs) (or actually 0x04 from implementation
-	 * of openssl) for uncompressed data */
-	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
-	memmove(buf+1, key, keylen);
-        if(!o2i_ECPublicKey(&ec, &pp, (int)keylen+1)) {
-                EC_KEY_free(ec);
-                return NULL;
-        }
-        evp_key = EVP_PKEY_new();
-        if(!evp_key) {
-                EC_KEY_free(ec);
-                return NULL;
-        }
-        if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
-		EVP_PKEY_free(evp_key);
-		EC_KEY_free(ec);
-		return NULL;
-	}
-        return evp_key;
-}
-#endif /* USE_ECDSA */
-
-#ifdef USE_ED25519
-EVP_PKEY*
-gldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
-{
-	/* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */
-	uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
-		0x70, 0x03, 0x21, 0x00};
-	int pre_len = 12;
-	uint8_t buf[256];
-	EVP_PKEY *evp_key;
-	/* pp gets modified by d2i() */
-	const unsigned char* pp = (unsigned char*)buf;
-	if(keylen != 32 || keylen + pre_len > sizeof(buf))
-		return NULL; /* wrong length */
-	memmove(buf, pre, pre_len);
-	memmove(buf+pre_len, key, keylen);
-	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
-	return evp_key;
-}
-#endif /* USE_ED25519 */
-
-#ifdef USE_ED448
-EVP_PKEY*
-gldns_ed4482pkey_raw(const unsigned char* key, size_t keylen)
-{
-	/* ASN1 for ED448 is 3043300506032b6571033a00 <57byteskey> */
-	uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
-		0x71, 0x03, 0x3a, 0x00};
-        int pre_len = 12;
-	uint8_t buf[256];
-        EVP_PKEY *evp_key;
-	/* pp gets modified by d2i() */
-        const unsigned char* pp = (unsigned char*)buf;
-	if(keylen != 57 || keylen + pre_len > sizeof(buf))
-		return NULL; /* wrong length */
-	memmove(buf, pre, pre_len);
-	memmove(buf+pre_len, key, keylen);
-	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
-        return evp_key;
-}
-#endif /* USE_ED448 */
-
-int
-gldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
-	const EVP_MD* md)
-{
-	EVP_MD_CTX* ctx;
-	ctx = EVP_MD_CTX_create();
-	if(!ctx)
-		return 0;
-	if(!EVP_DigestInit_ex(ctx, md, NULL) ||
-		!EVP_DigestUpdate(ctx, data, len) ||
-		!EVP_DigestFinal_ex(ctx, dest, NULL)) {
-		EVP_MD_CTX_destroy(ctx);
-		return 0;
-	}
-	EVP_MD_CTX_destroy(ctx);
-	return 1;
-}
-#endif /* HAVE_SSL */
diff --git a/src/gldns/keyraw.h b/src/gldns/keyraw.h
index a847887c..caefad01 100644
--- a/src/gldns/keyraw.h
+++ b/src/gldns/keyraw.h
@@ -20,13 +20,11 @@
 #ifndef GLDNS_KEYRAW_H
 #define GLDNS_KEYRAW_H
 
+#include "keyraw-internal.h"
+
 #ifdef __cplusplus
 extern "C" {
 #endif
-#if GLDNS_BUILD_CONFIG_HAVE_SSL
-#  include <openssl/ssl.h>
-#  include <openssl/evp.h>
-#endif /* GLDNS_BUILD_CONFIG_HAVE_SSL */
 
 /**
  * get the length of the keydata in bits
@@ -46,83 +44,6 @@ size_t gldns_rr_dnskey_key_size_raw(const unsigned char *keydata,
  */
 uint16_t gldns_calc_keytag_raw(const uint8_t* key, size_t keysize);
 
-#if GLDNS_BUILD_CONFIG_HAVE_SSL
-/** 
- * Get the PKEY id for GOST, loads GOST into openssl as a side effect.
- * Only available if GOST is compiled into the library and openssl.
- * \return the gost id for EVP_CTX creation.
- */
-int gldns_key_EVP_load_gost_id(void);
-
-/** Release the engine reference held for the GOST engine. */
-void gldns_key_EVP_unload_gost(void);
-
-/**
- * Like gldns_key_buf2dsa, but uses raw buffer.
- * \param[in] key the uncompressed wireformat of the key.
- * \param[in] len length of key data
- * \return a DSA * structure with the key material
- */
-DSA *gldns_key_buf2dsa_raw(unsigned char* key, size_t len);
-
-/**
- * Converts a holding buffer with key material to EVP PKEY in openssl.
- * Only available if ldns was compiled with GOST.
- * \param[in] key data to convert
- * \param[in] keylen length of the key data
- * \return the key or NULL on error.
- */
-EVP_PKEY* gldns_gost2pkey_raw(unsigned char* key, size_t keylen);
-
-/**
- * Converts a holding buffer with key material to EVP PKEY in openssl.
- * Only available if ldns was compiled with ECDSA.
- * \param[in] key data to convert
- * \param[in] keylen length of the key data
- * \param[in] algo precise algorithm to initialize ECC group values.
- * \return the key or NULL on error.
- */
-EVP_PKEY* gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
-
-/**
- * Like gldns_key_buf2rsa, but uses raw buffer.
- * \param[in] key the uncompressed wireformat of the key.
- * \param[in] len length of key data
- * \return a RSA * structure with the key material
- */
-RSA *gldns_key_buf2rsa_raw(unsigned char* key, size_t len);
-
-/**
- * Converts a holding buffer with key material to EVP PKEY in openssl.
- * Only available if ldns was compiled with ED25519.
- * \param[in] key the uncompressed wireformat of the key.
- * \param[in] len length of key data
- * \return the key or NULL on error.
- */
-EVP_PKEY* gldns_ed255192pkey_raw(const unsigned char* key, size_t len);
-
-/**
- * Converts a holding buffer with key material to EVP PKEY in openssl.
- * Only available if ldns was compiled with ED448.
- * \param[in] key the uncompressed wireformat of the key.
- * \param[in] len length of key data
- * \return the key or NULL on error.
- */
-EVP_PKEY* gldns_ed4482pkey_raw(const unsigned char* key, size_t len);
-
-/**
- * Utility function to calculate hash using generic EVP_MD pointer.
- * \param[in] data the data to hash.
- * \param[in] len  length of data.
- * \param[out] dest the destination of the hash, must be large enough.
- * \param[in] md the message digest to use.
- * \return true if worked, false on failure.
- */
-int gldns_digest_evp(unsigned char* data, unsigned int len, 
-	unsigned char* dest, const EVP_MD* md);
-
-#endif /* GLDNS_BUILD_CONFIG_HAVE_SSL */
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/openssl/keyraw-internal.c b/src/openssl/keyraw-internal.c
new file mode 100644
index 00000000..75c53c00
--- /dev/null
+++ b/src/openssl/keyraw-internal.c
@@ -0,0 +1,348 @@
+/*
+ * keyraw.c - raw key operations and conversions - OpenSSL version
+ *
+ * (c) NLnet Labs, 2004-2008
+ *
+ * See the file LICENSE for the license
+ */
+/**
+ * \file
+ * Implementation of raw DNSKEY functions (work on wire rdata).
+ */
+
+#include "config.h"
+#include "gldns/keyraw.h"
+#include "gldns/rrdef.h"
+
+#ifdef HAVE_SSL
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/md5.h>
+#ifdef HAVE_OPENSSL_ENGINE_H
+#  include <openssl/engine.h>
+#endif
+#ifdef HAVE_OPENSSL_BN_H
+#include <openssl/bn.h>
+#endif
+#ifdef HAVE_OPENSSL_RSA_H
+#include <openssl/rsa.h>
+#endif
+#ifdef HAVE_OPENSSL_DSA_H
+#include <openssl/dsa.h>
+#endif
+#endif /* HAVE_SSL */
+
+#ifdef HAVE_SSL
+#ifdef USE_GOST
+
+/** store GOST engine reference loaded into OpenSSL library */
+ENGINE* gldns_gost_engine = NULL;
+
+int
+gldns_key_EVP_load_gost_id(void)
+{
+	static int gost_id = 0;
+	const EVP_PKEY_ASN1_METHOD* meth;
+	ENGINE* e;
+
+	if(gost_id) return gost_id;
+
+	/* see if configuration loaded gost implementation from other engine*/
+	meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
+	if(meth) {
+		EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
+		return gost_id;
+	}
+
+	/* see if engine can be loaded already */
+	e = ENGINE_by_id("gost");
+	if(!e) {
+		/* load it ourself, in case statically linked */
+		ENGINE_load_builtin_engines();
+		ENGINE_load_dynamic();
+		e = ENGINE_by_id("gost");
+	}
+	if(!e) {
+		/* no gost engine in openssl */
+		return 0;
+	}
+	if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+		ENGINE_finish(e);
+		ENGINE_free(e);
+		return 0;
+	}
+
+	meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
+	if(!meth) {
+		/* algo not found */
+		ENGINE_finish(e);
+		ENGINE_free(e);
+		return 0;
+	}
+        /* Note: do not ENGINE_finish and ENGINE_free the acquired engine
+         * on some platforms this frees up the meth and unloads gost stuff */
+        gldns_gost_engine = e;
+	
+	EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
+	return gost_id;
+} 
+
+void gldns_key_EVP_unload_gost(void)
+{
+        if(gldns_gost_engine) {
+                ENGINE_finish(gldns_gost_engine);
+                ENGINE_free(gldns_gost_engine);
+                gldns_gost_engine = NULL;
+        }
+}
+#endif /* USE_GOST */
+
+DSA *
+gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
+{
+	uint8_t T;
+	uint16_t length;
+	uint16_t offset;
+	DSA *dsa;
+	BIGNUM *Q; BIGNUM *P;
+	BIGNUM *G; BIGNUM *Y;
+
+	if(len == 0)
+		return NULL;
+	T = (uint8_t)key[0];
+	length = (64 + T * 8);
+	offset = 1;
+
+	if (T > 8) {
+		return NULL;
+	}
+	if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
+		return NULL;
+
+	Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
+	offset += SHA_DIGEST_LENGTH;
+
+	P = BN_bin2bn(key+offset, (int)length, NULL);
+	offset += length;
+
+	G = BN_bin2bn(key+offset, (int)length, NULL);
+	offset += length;
+
+	Y = BN_bin2bn(key+offset, (int)length, NULL);
+
+	/* create the key and set its properties */
+	if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
+		BN_free(Q);
+		BN_free(P);
+		BN_free(G);
+		BN_free(Y);
+		return NULL;
+	}
+	if (!DSA_set0_pqg(dsa, P, Q, G)) {
+		/* QPG not yet attached, need to free */
+		BN_free(Q);
+		BN_free(P);
+		BN_free(G);
+
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+	if (!DSA_set0_key(dsa, Y, NULL)) {
+		/* QPG attached, cleaned up by DSA_fre() */
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+
+	return dsa;
+}
+
+RSA *
+gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
+{
+	uint16_t offset;
+	uint16_t exp;
+	uint16_t int16;
+	RSA *rsa;
+	BIGNUM *modulus;
+	BIGNUM *exponent;
+
+	if (len == 0)
+		return NULL;
+	if (key[0] == 0) {
+		if(len < 3)
+			return NULL;
+		memmove(&int16, key+1, 2);
+		exp = ntohs(int16);
+		offset = 3;
+	} else {
+		exp = key[0];
+		offset = 1;
+	}
+
+	/* key length at least one */
+	if(len < (size_t)offset + exp + 1)
+		return NULL;
+
+	/* Exponent */
+	exponent = BN_new();
+	if(!exponent) return NULL;
+	(void) BN_bin2bn(key+offset, (int)exp, exponent);
+	offset += exp;
+
+	/* Modulus */
+	modulus = BN_new();
+	if(!modulus) {
+		BN_free(exponent);
+		return NULL;
+	}
+	/* length of the buffer must match the key length! */
+	(void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
+
+	rsa = RSA_new();
+	if(!rsa) {
+		BN_free(exponent);
+		BN_free(modulus);
+		return NULL;
+	}
+	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
+		BN_free(exponent);
+		BN_free(modulus);
+		RSA_free(rsa);
+		return NULL;
+	}
+
+	return rsa;
+}
+
+#ifdef USE_GOST
+EVP_PKEY*
+gldns_gost2pkey_raw(unsigned char* key, size_t keylen)
+{
+	/* prefix header for X509 encoding */
+	uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, 
+		0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85, 
+		0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 
+		0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40};
+	unsigned char encoded[37+64];
+	const unsigned char* pp;
+	if(keylen != 64) {
+		/* key wrong size */
+		return NULL;
+	}
+
+	/* create evp_key */
+	memmove(encoded, asn, 37);
+	memmove(encoded+37, key, 64);
+	pp = (unsigned char*)&encoded[0];
+
+	return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded));
+}
+#endif /* USE_GOST */
+
+#ifdef USE_ECDSA
+EVP_PKEY*
+gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
+{
+	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
+        const unsigned char* pp = buf;
+        EVP_PKEY *evp_key;
+        EC_KEY *ec;
+	/* check length, which uncompressed must be 2 bignums */
+        if(algo == GLDNS_ECDSAP256SHA256) {
+		if(keylen != 2*256/8) return NULL;
+                ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        } else if(algo == GLDNS_ECDSAP384SHA384) {
+		if(keylen != 2*384/8) return NULL;
+                ec = EC_KEY_new_by_curve_name(NID_secp384r1);
+        } else    ec = NULL;
+        if(!ec) return NULL;
+	if(keylen+1 > sizeof(buf)) { /* sanity check */
+                EC_KEY_free(ec);
+		return NULL;
+	}
+	/* prepend the 0x02 (from docs) (or actually 0x04 from implementation
+	 * of openssl) for uncompressed data */
+	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+	memmove(buf+1, key, keylen);
+        if(!o2i_ECPublicKey(&ec, &pp, (int)keylen+1)) {
+                EC_KEY_free(ec);
+                return NULL;
+        }
+        evp_key = EVP_PKEY_new();
+        if(!evp_key) {
+                EC_KEY_free(ec);
+                return NULL;
+        }
+        if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
+		EVP_PKEY_free(evp_key);
+		EC_KEY_free(ec);
+		return NULL;
+	}
+        return evp_key;
+}
+#endif /* USE_ECDSA */
+
+#ifdef USE_ED25519
+EVP_PKEY*
+gldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
+{
+	/* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */
+	uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+		0x70, 0x03, 0x21, 0x00};
+	int pre_len = 12;
+	uint8_t buf[256];
+	EVP_PKEY *evp_key;
+	/* pp gets modified by d2i() */
+	const unsigned char* pp = (unsigned char*)buf;
+	if(keylen != 32 || keylen + pre_len > sizeof(buf))
+		return NULL; /* wrong length */
+	memmove(buf, pre, pre_len);
+	memmove(buf+pre_len, key, keylen);
+	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
+	return evp_key;
+}
+#endif /* USE_ED25519 */
+
+#ifdef USE_ED448
+EVP_PKEY*
+gldns_ed4482pkey_raw(const unsigned char* key, size_t keylen)
+{
+	/* ASN1 for ED448 is 3043300506032b6571033a00 <57byteskey> */
+	uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+		0x71, 0x03, 0x3a, 0x00};
+        int pre_len = 12;
+	uint8_t buf[256];
+        EVP_PKEY *evp_key;
+	/* pp gets modified by d2i() */
+        const unsigned char* pp = (unsigned char*)buf;
+	if(keylen != 57 || keylen + pre_len > sizeof(buf))
+		return NULL; /* wrong length */
+	memmove(buf, pre, pre_len);
+	memmove(buf+pre_len, key, keylen);
+	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
+        return evp_key;
+}
+#endif /* USE_ED448 */
+
+int
+gldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
+	const EVP_MD* md)
+{
+	EVP_MD_CTX* ctx;
+	ctx = EVP_MD_CTX_create();
+	if(!ctx)
+		return 0;
+	if(!EVP_DigestInit_ex(ctx, md, NULL) ||
+		!EVP_DigestUpdate(ctx, data, len) ||
+		!EVP_DigestFinal_ex(ctx, dest, NULL)) {
+		EVP_MD_CTX_destroy(ctx);
+		return 0;
+	}
+	EVP_MD_CTX_destroy(ctx);
+	return 1;
+}
+#endif /* HAVE_SSL */
diff --git a/src/openssl/keyraw-internal.h b/src/openssl/keyraw-internal.h
new file mode 100644
index 00000000..92717c95
--- /dev/null
+++ b/src/openssl/keyraw-internal.h
@@ -0,0 +1,110 @@
+/*
+ * keyraw.h -- raw key and signature access and conversion - OpenSSL
+ *
+ * Copyright (c) 2005-2008, NLnet Labs. All rights reserved.
+ *
+ * See LICENSE for the license.
+ *
+ */
+
+/**
+ * \file
+ *
+ * raw key and signature access and conversion
+ *
+ * Since those functions heavily rely op cryptographic operations,
+ * this module is dependent on openssl.
+ * 
+ */
+ 
+#ifndef GLDNS_KEYRAW_INTERNAL_H
+#define GLDNS_KEYRAW_INTERNAL_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+#if GLDNS_BUILD_CONFIG_HAVE_SSL
+#  include <openssl/ssl.h>
+#  include <openssl/evp.h>
+
+/** 
+ * Get the PKEY id for GOST, loads GOST into openssl as a side effect.
+ * Only available if GOST is compiled into the library and openssl.
+ * \return the gost id for EVP_CTX creation.
+ */
+int gldns_key_EVP_load_gost_id(void);
+
+/** Release the engine reference held for the GOST engine. */
+void gldns_key_EVP_unload_gost(void);
+
+/**
+ * Like gldns_key_buf2dsa, but uses raw buffer.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return a DSA * structure with the key material
+ */
+DSA *gldns_key_buf2dsa_raw(unsigned char* key, size_t len);
+
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with GOST.
+ * \param[in] key data to convert
+ * \param[in] keylen length of the key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_gost2pkey_raw(unsigned char* key, size_t keylen);
+
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ECDSA.
+ * \param[in] key data to convert
+ * \param[in] keylen length of the key data
+ * \param[in] algo precise algorithm to initialize ECC group values.
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
+
+/**
+ * Like gldns_key_buf2rsa, but uses raw buffer.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return a RSA * structure with the key material
+ */
+RSA *gldns_key_buf2rsa_raw(unsigned char* key, size_t len);
+
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ED25519.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_ed255192pkey_raw(const unsigned char* key, size_t len);
+
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ED448.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_ed4482pkey_raw(const unsigned char* key, size_t len);
+
+/**
+ * Utility function to calculate hash using generic EVP_MD pointer.
+ * \param[in] data the data to hash.
+ * \param[in] len  length of data.
+ * \param[out] dest the destination of the hash, must be large enough.
+ * \param[in] md the message digest to use.
+ * \return true if worked, false on failure.
+ */
+int gldns_digest_evp(unsigned char* data, unsigned int len, 
+	unsigned char* dest, const EVP_MD* md);
+
+#endif /* GLDNS_BUILD_CONFIG_HAVE_SSL */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GLDNS_KEYRAW_INTERNAL_H */

From 05f9d30e894bcaf7bf478d062cc44a1351223e4c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 16:57:48 +0000
Subject: [PATCH 168/303] Move anchor.c to under openssl.

---
 src/Makefile.in            | 26 +++++++++++++-------------
 src/{ => openssl}/anchor.c |  0
 2 files changed, 13 insertions(+), 13 deletions(-)
 rename src/{ => openssl}/anchor.c (100%)

diff --git a/src/Makefile.in b/src/Makefile.in
index 8da886c5..c7faf32c 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -146,7 +146,7 @@ $(EXTENSION_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/extension/$(@:.lo=.c) -o $@
 
 anchor.lo:
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/anchor.c -o anchor.lo
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/openssl/anchor.c -o anchor.lo
 
 context.lo:
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/context.c -o context.lo
@@ -299,17 +299,6 @@ depend:
 FORCE:
 
 # Dependencies for gldns, utils, the extensions and compat functions
-anchor.lo anchor.o: $(srcdir)/anchor.c config.h \
- $(srcdir)/debug.h $(srcdir)/anchor.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \
- $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h \
- $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
 const-info.lo const-info.o: $(srcdir)/const-info.c \
  getdns/getdns.h \
  getdns/getdns_extra.h \
@@ -447,7 +436,7 @@ gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
  config.h $(srcdir)/gldns/gbuffer.h
 keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
  config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/openssl/keyraw-internal.h
+ $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h
 parse.lo parse.o: $(srcdir)/gldns/parse.c \
  config.h $(srcdir)/gldns/parse.h \
  $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
@@ -509,6 +498,17 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
  $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/orig-headers/rbtree.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
+anchor.lo anchor.o: $(srcdir)/openssl/anchor.c \
+ config.h $(srcdir)/debug.h $(srcdir)/anchor.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/types-internal.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h $(srcdir)/ub_loop.h \
+ $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/str2wire.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/openssl/keyraw-internal.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/platform.h
 keyraw-internal.lo keyraw-internal.o: $(srcdir)/openssl/keyraw-internal.c \
  config.h $(srcdir)/gldns/keyraw.h \
  $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h
diff --git a/src/anchor.c b/src/openssl/anchor.c
similarity index 100%
rename from src/anchor.c
rename to src/openssl/anchor.c

From 4f67491971d865ad879afcdee4d4ca85dc285711 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 17:36:56 +0000
Subject: [PATCH 169/303] Remove unnecessary OpenSSL include in dnssec.c.

---
 src/dnssec.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index fd8ac932..0e0e9ba1 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -194,7 +194,6 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <ctype.h>
-#include <openssl/sha.h>
 #include "getdns/getdns.h"
 #include "context.h"
 #include "util-internal.h"

From e7593541ef2bc846cfee222a1aa206f403e71fc9 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 20 Nov 2018 17:37:46 +0000
Subject: [PATCH 170/303] Ensure that compat/getentropy* don't get used, and so
 drag in OpenSSL.

---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index c361848b..cc80080e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1434,6 +1434,7 @@ if test "$ac_cv_func_arc4random" = "no"; then
 	    if test "$USE_WINSOCK" = 1; then
 		AC_LIBOBJ(getentropy_win)
 	    else
+                AC_MSG_ERROR([Function getentropy missing.])
 		case `uname` in
 		Darwin)
 			AC_LIBOBJ(getentropy_osx)

From 1904ee73181b8d176061c94584709470915f5d7c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 21 Nov 2018 15:02:28 +0100
Subject: [PATCH 171/303] Enhancement getdnsapi/stubby#56 &
 getdnsapi/stubby#130

Configurable TLS version
---
 ChangeLog                    | 11 +++++
 configure.ac                 |  4 +-
 src/const-info.c             | 22 +++++++++
 src/context.c                | 92 ++++++++++++++++++++++++++++++++----
 src/context.h                | 13 +++--
 src/dict.c                   |  2 +
 src/getdns/getdns_extra.h.in | 79 +++++++++++++++++++++++++++++++
 src/libgetdns.symbols        |  7 +++
 src/mk-const-info.c.sh       |  4 +-
 src/stub.c                   | 54 +++++++++++++++++----
 src/util-internal.h          | 14 ++++++
 11 files changed, 276 insertions(+), 26 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 0c366782..cc3cf584 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,15 @@
 * 2018-0?-??: Version 1.4.3
+  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
+    Configurable minimum and maximum TLS versions with
+    getdns_context_set_tls_min_version() and
+    getdns_context_set_tls_max_version() functions and
+    tls_min_version and tls_max_version configuration parameters
+    for upstreams.
+  * Configurable TLS1.3 ciphersuites with the
+    getdns_context_set_tls_ciphersuites() function and
+    tls_ciphersuites config parameter for upstreams.
+  * Bugfix in upstream string configurations: tls_cipher_list and
+    tls_curve_list
   * Bugfix finding signer for validating NSEC and NSEC3s, which
     caused trouble with the partly tracing DNSSEC from the root
     up, introduced in 1.4.2.  Thanks Philip Homburg
diff --git a/configure.ac b/configure.ac
index 9ce45a81..9d12285a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -417,8 +417,8 @@ fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter])
-AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_CTX_set_ciphersuites,SSL_set_ciphersuites], [], [], [
+AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
+AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
diff --git a/src/const-info.c b/src/const-info.c
index b4dde28d..3b9918bc 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -94,6 +94,8 @@ static struct const_info consts_info[] = {
 	{     633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
 	{     634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT },
 	{     635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT },
+	{     636, "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT },
+	{     637, "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT },
 	{     699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
@@ -116,6 +118,11 @@ static struct const_info consts_info[] = {
 	{    1202, "GETDNS_TRANSPORT_TLS", GETDNS_TRANSPORT_TLS_TEXT },
 	{    1300, "GETDNS_AUTHENTICATION_NONE", GETDNS_AUTHENTICATION_NONE_TEXT },
 	{    1301, "GETDNS_AUTHENTICATION_REQUIRED", GETDNS_AUTHENTICATION_REQUIRED_TEXT },
+	{    1400, "GETDNS_SSL3", GETDNS_SSL3_TEXT },
+	{    1401, "GETDNS_TLS1", GETDNS_TLS1_TEXT },
+	{    1402, "GETDNS_TLS1_1", GETDNS_TLS1_1_TEXT },
+	{    1403, "GETDNS_TLS1_2", GETDNS_TLS1_2_TEXT },
+	{    1404, "GETDNS_TLS1_3", GETDNS_TLS1_3_TEXT },
 	{    4096, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT },
 };
 
@@ -195,6 +202,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", 634 },
+	{ "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", 637 },
+	{ "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", 636 },
 	{ "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", 626 },
@@ -281,6 +290,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRCLASS_IN", 1 },
 	{ "GETDNS_RRCLASS_NONE", 254 },
 	{ "GETDNS_RRTYPE_A", 1 },
+	{ "GETDNS_RRTYPE_A6", 38 },
 	{ "GETDNS_RRTYPE_AAAA", 28 },
 	{ "GETDNS_RRTYPE_AFSDB", 18 },
 	{ "GETDNS_RRTYPE_ANY", 255 },
@@ -301,6 +311,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_DOA", 259 },
 	{ "GETDNS_RRTYPE_DS", 43 },
 	{ "GETDNS_RRTYPE_EID", 31 },
+	{ "GETDNS_RRTYPE_EUI48", 108 },
+	{ "GETDNS_RRTYPE_EUI64", 109 },
 	{ "GETDNS_RRTYPE_GID", 102 },
 	{ "GETDNS_RRTYPE_GPOS", 27 },
 	{ "GETDNS_RRTYPE_HINFO", 13 },
@@ -310,6 +322,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_IXFR", 251 },
 	{ "GETDNS_RRTYPE_KEY", 25 },
 	{ "GETDNS_RRTYPE_KX", 36 },
+	{ "GETDNS_RRTYPE_L32", 105 },
+	{ "GETDNS_RRTYPE_L64", 106 },
 	{ "GETDNS_RRTYPE_LOC", 29 },
 	{ "GETDNS_RRTYPE_LP", 107 },
 	{ "GETDNS_RRTYPE_MAILA", 254 },
@@ -329,6 +343,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_NSAP", 22 },
 	{ "GETDNS_RRTYPE_NSAP_PTR", 23 },
 	{ "GETDNS_RRTYPE_NSEC", 47 },
+	{ "GETDNS_RRTYPE_NSEC3", 50 },
+	{ "GETDNS_RRTYPE_NSEC3PARAM", 51 },
 	{ "GETDNS_RRTYPE_NULL", 10 },
 	{ "GETDNS_RRTYPE_NXT", 30 },
 	{ "GETDNS_RRTYPE_OPENPGPKEY", 61 },
@@ -357,6 +373,12 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_UNSPEC", 103 },
 	{ "GETDNS_RRTYPE_URI", 256 },
 	{ "GETDNS_RRTYPE_WKS", 11 },
+	{ "GETDNS_RRTYPE_X25", 19 },
+	{ "GETDNS_SSL3", 1400 },
+	{ "GETDNS_TLS1", 1401 },
+	{ "GETDNS_TLS1_1", 1402 },
+	{ "GETDNS_TLS1_2", 1403 },
+	{ "GETDNS_TLS1_3", 1404 },
 	{ "GETDNS_TRANSPORT_TCP", 1201 },
 	{ "GETDNS_TRANSPORT_TCP_ONLY", 542 },
 	{ "GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN", 543 },
diff --git a/src/context.c b/src/context.c
index 322bfb5b..d79d7876 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1079,6 +1079,8 @@ upstream_init(getdns_upstream *upstream,
 	upstream->tls_cipher_list = NULL;
 	upstream->tls_ciphersuites = NULL;
 	upstream->tls_curves_list = NULL;
+	upstream->tls_min_version = (getdns_tls_version_t)0;
+	upstream->tls_max_version = (getdns_tls_version_t)0;
 	upstream->transport = GETDNS_TRANSPORT_TCP;
 	upstream->tls_hs_state = GETDNS_HS_NONE;
 	upstream->tls_auth_name[0] = '\0';
@@ -1597,6 +1599,8 @@ getdns_context_create_with_extended_memory_functions(
 	result->tls_cipher_list = NULL;
 	result->tls_ciphersuites = NULL;
 	result->tls_curves_list = NULL;
+	result->tls_min_version = GETDNS_TLS1_2;
+	result->tls_max_version = (getdns_tls_version_t)0;
 
 	(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
 
@@ -3090,6 +3094,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				getdns_bindata *tls_cipher_list = NULL;
 				getdns_bindata *tls_ciphersuites = NULL;
 				getdns_bindata *tls_curves_list = NULL;
+				uint32_t        tls_version;
 
 				if ((r = getdns_dict_get_bindata(
 				    dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
@@ -3137,16 +3142,17 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				(void) getdns_dict_get_bindata(
 				    dict, "tls_curves_list", &tls_curves_list);
 				if (tls_curves_list) {
-#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
 					upstream->tls_curves_list = 
 					    _getdns_strdup2(&upstreams->mf
 					                   , tls_curves_list);
-#else
-					freeaddrinfo(ai);
-					goto not_implemented;
-#endif
 				} else
 					upstream->tls_curves_list = NULL;
+				if (!getdns_dict_get_int(
+				    dict, "tls_min_version", &tls_version))
+					upstream->tls_min_version = tls_version;
+				if (!getdns_dict_get_int(
+				    dict, "tls_max_version", &tls_version))
+					upstream->tls_max_version = tls_version;
 			}
 			if ((upstream->tsig_alg = tsig_alg)) {
 				if (tsig_name) {
@@ -3715,9 +3721,17 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			if(context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
 
-#  ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
-			if (!SSL_CTX_set_min_proto_version(
-			    context->tls_ctx, TLS1_2_VERSION)) {
+#  if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+			fprintf(stderr, "SSL_CTX_set_min_proto_version(%d)\n", context->tls_min_version);
+			if (!SSL_CTX_set_min_proto_version(context->tls_ctx,
+			    _getdns_tls_version2openssl_version(context->tls_min_version))) {
+				SSL_CTX_free(context->tls_ctx);
+				context->tls_ctx = NULL;
+				return GETDNS_RETURN_BAD_CONTEXT;
+			}
+			if (context->tls_max_version
+			&& !SSL_CTX_set_max_proto_version(context->tls_ctx,
+			    _getdns_tls_version2openssl_version(context->tls_max_version))) {
 				SSL_CTX_free(context->tls_ctx);
 				context->tls_ctx = NULL;
 				return GETDNS_RETURN_BAD_CONTEXT;
@@ -3729,7 +3743,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			    context->tls_cipher_list ? context->tls_cipher_list
 			                             : _getdns_default_tls_cipher_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
-#  if defined(HAVE_DECL_SSL_CTX_SET_CIPHERSUITES) && HAVE_DECL_SSL_CTX_SET_CIPHERSUITES
+#  ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 			if (!SSL_CTX_set_ciphersuites(context->tls_ctx,
 			    context->tls_ciphersuites ? context->tls_ciphersuites
 			                             : _getdns_default_tls_ciphersuites))
@@ -4083,6 +4097,12 @@ _get_context_settings(getdns_context* context)
 		(void) getdns_dict_util_set_string(result, "tls_ciphersuites", str_value);
 	if (!getdns_context_get_tls_curves_list(context, &str_value) && str_value)
 		(void) getdns_dict_util_set_string(result, "tls_curves_list", str_value);
+	if (context->tls_min_version)
+		(void) getdns_dict_set_int( result, "tls_min_version"
+		                          , context->tls_min_version);
+	if (context->tls_max_version)
+		(void) getdns_dict_set_int( result, "tls_max_version"
+		                          , context->tls_max_version);
 
 	/* Default settings for extensions */
 	(void)getdns_dict_set_int(
@@ -4701,6 +4721,16 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
 					    d, "tls_curves_list",
 					    upstream->tls_curves_list);
 				}
+				if (upstream->tls_min_version) {
+					(void) getdns_dict_set_int(
+					    d, "tls_min_version",
+					    upstream->tls_min_version);
+				}
+				if (upstream->tls_max_version) {
+					(void) getdns_dict_set_int(
+					    d, "tls_max_version",
+					    upstream->tls_max_version);
+				}
 			}
 		}
 		if (!r)
@@ -4923,6 +4953,8 @@ _getdns_context_config_setting(getdns_context *context,
 	CONTEXT_SETTING_STRING(tls_cipher_list)
 	CONTEXT_SETTING_STRING(tls_ciphersuites)
 	CONTEXT_SETTING_STRING(tls_curves_list)
+	CONTEXT_SETTING_INT(tls_min_version)
+	CONTEXT_SETTING_INT(tls_max_version)
 
 	/**************************************/
 	/****                              ****/
@@ -5580,4 +5612,46 @@ getdns_context_get_tls_curves_list(
 	return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t
+getdns_context_set_tls_min_version(
+    getdns_context *context, getdns_tls_version_t tls_min_version)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	context->tls_min_version = tls_min_version;
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_MIN_VERSION);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_tls_min_version(
+    getdns_context *context, getdns_tls_version_t *tls_min_version)
+{
+	if (!context || !tls_min_version)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	*tls_min_version = context->tls_min_version;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_set_tls_max_version(
+    getdns_context *context, getdns_tls_version_t tls_max_version)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	context->tls_max_version = tls_max_version;
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_MAX_VERSION);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_tls_max_version(
+    getdns_context *context, getdns_tls_version_t *tls_max_version)
+{
+	if (!context || !tls_max_version)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	*tls_max_version = context->tls_max_version;
+	return GETDNS_RETURN_GOOD;
+}
+
 /* context.c */
diff --git a/src/context.h b/src/context.h
index 5d453c7d..29890928 100644
--- a/src/context.h
+++ b/src/context.h
@@ -200,16 +200,21 @@ typedef struct getdns_upstream {
 	getdns_network_req      *write_queue_last;
 	_getdns_rbtree_t         netreq_by_query_id;
 
-    /* TLS specific connection handling*/
+	/* TLS specific connection handling */
 	SSL*                     tls_obj;
 	SSL_SESSION*             tls_session;
 	getdns_tls_hs_state_t    tls_hs_state;
 	getdns_auth_state_t      tls_auth_state;
 	unsigned                 tls_fallback_ok : 1;
+
+	/* TLS settings */
 	char                    *tls_cipher_list;
 	char                    *tls_ciphersuites;
 	char                    *tls_curves_list;
-	/* Auth credentials*/
+	getdns_tls_version_t     tls_min_version;
+	getdns_tls_version_t     tls_max_version;
+
+	/* Auth credentials */
 	char                     tls_auth_name[256];
 	sha256_pin_t            *tls_pubkey_pinset;
 
@@ -353,6 +358,8 @@ struct getdns_context {
 	char                 *tls_cipher_list;
 	char                 *tls_ciphersuites;
 	char                 *tls_curves_list;
+	getdns_tls_version_t  tls_min_version;
+	getdns_tls_version_t  tls_max_version;
 
 	getdns_upstreams     *upstreams;
 	uint16_t             limit_outstanding_queries;
@@ -360,7 +367,7 @@ struct getdns_context {
 	getdns_tls_authentication_t  tls_auth;  /* What user requested for TLS*/
 	getdns_tls_authentication_t  tls_auth_min; /* Derived minimum auth allowed*/
 	uint8_t              round_robin_upstreams;
-    uint16_t             max_backoff_value;
+	uint16_t             max_backoff_value;
 	uint16_t             tls_backoff_time;
 	uint16_t             tls_connection_retries;
 
diff --git a/src/dict.c b/src/dict.c
index 0c86cd0f..3a454516 100644
--- a/src/dict.c
+++ b/src/dict.c
@@ -1078,6 +1078,8 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent,
 			     strcmp(item->node.key, "transport") == 0 ||
 			     strcmp(item->node.key, "resolution_type") == 0 ||
 			     strcmp(item->node.key, "tls_authentication") == 0 ||
+			     strcmp(item->node.key, "tls_min_version") == 0 ||
+			     strcmp(item->node.key, "tls_max_version") == 0 ||
 
 			     /* extensions */
 			     strcmp(item->node.key, "add_warning_for_bad_dns") == 0 ||
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 83db831f..135c29bb 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -104,6 +104,11 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
 #define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES 635
 #define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT "Change related to getdns_context_set_tls_ciphersuites"
+#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION 636
+#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT "Change related to getdns_context_set_tls_min_version"
+#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION 637
+#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT "Change related to getdns_context_set_tls_max_version"
+
 
 
 /** @}
@@ -783,6 +788,80 @@ getdns_return_t
 getdns_context_set_tls_curves_list(
     getdns_context *context, const char *curves_list);
 
+typedef enum getdns_tls_version_t {
+	GETDNS_SSL3 = 1400,
+	GETDNS_TLS1 = 1401,
+	GETDNS_TLS1_1 = 1402,
+	GETDNS_TLS1_2 = 1403,
+	GETDNS_TLS1_3 = 1404
+} getdns_tls_version_t;
+
+#define GETDNS_SSL3_TEXT   "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_TEXT   "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_1_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_2_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_3_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
+
+/**
+ * Configure context for minimum supported TLS version.
+ * @see getdns_context_set_tls_max_version
+ * @see getdns_context_get_tls_min_version
+ * @param context The context to configure
+ * @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_set_tls_min_version(
+    getdns_context *context, getdns_tls_version_t min_version);
+
+/**
+ * Get configured minimum supported TLS version.
+ * @see getdns_context_get_tls_max_version
+ * @see getdns_context_set_tls_min_version
+ * @param context The context to configure
+ * @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_get_tls_min_version(
+    getdns_context *context, getdns_tls_version_t *min_version);
+
+/**
+ * Configure context for maximum supported TLS version.
+ * @see getdns_context_set_tls_min_version
+ * @see getdns_context_get_tls_max_version
+ * @param context The context to configure
+ * @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_set_tls_max_version(
+    getdns_context *context, getdns_tls_version_t max_version);
+
+/**
+ * Get configured maximum supported TLS version.
+ * @see getdns_context_get_tls_min_version
+ * @see getdns_context_set_tls_max_version
+ * @param context The context to configure
+ * @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_get_tls_max_version(
+    getdns_context *context, getdns_tls_version_t *max_version);
+
 /**
  * Get the current resolution type setting from this context.
  * @see getdns_context_set_resolution_type
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index ccbff42a..5c3fb52d 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@@ -1,6 +1,7 @@
 getdns_address
 getdns_address_sync
 getdns_cancel_callback
+getdns_context_
 getdns_context_config
 getdns_context_create
 getdns_context_create_with_extended_memory_functions
@@ -36,8 +37,11 @@ getdns_context_get_tls_backoff_time
 getdns_context_get_tls_ca_file
 getdns_context_get_tls_ca_path
 getdns_context_get_tls_cipher_list
+getdns_context_get_tls_ciphersuites
 getdns_context_get_tls_connection_retries
 getdns_context_get_tls_curves_list
+getdns_context_get_tls_max_version
+getdns_context_get_tls_min_version
 getdns_context_get_tls_query_padding_blocksize
 getdns_context_get_trust_anchors_url
 getdns_context_get_trust_anchors_verify_CA
@@ -80,8 +84,11 @@ getdns_context_set_tls_backoff_time
 getdns_context_set_tls_ca_file
 getdns_context_set_tls_ca_path
 getdns_context_set_tls_cipher_list
+getdns_context_set_tls_ciphersuites
 getdns_context_set_tls_connection_retries
 getdns_context_set_tls_curves_list
+getdns_context_set_tls_max_version
+getdns_context_set_tls_min_version
 getdns_context_set_tls_query_padding_blocksize
 getdns_context_set_trust_anchors_url
 getdns_context_set_trust_anchors_verify_CA
diff --git a/src/mk-const-info.c.sh b/src/mk-const-info.c.sh
index 3a47c103..5915bc85 100755
--- a/src/mk-const-info.c.sh
+++ b/src/mk-const-info.c.sh
@@ -14,7 +14,7 @@ cat > const-info.c << END_OF_HEAD
 static struct const_info consts_info[] = {
 	{   -1, NULL, "/* <unknown getdns value> */" },
 END_OF_HEAD
-gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
+gawk '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z0-9_]+[ 	]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 
@@ -49,7 +49,7 @@ getdns_get_errorstr_by_id(uint16_t err)
 
 static struct const_name_info consts_name_info[] = {
 END_OF_TAIL
-gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
+gawk '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 
diff --git a/src/stub.c b/src/stub.c
index d4861a53..f5d59750 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -931,8 +931,50 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		return NULL;
 	}
 #if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
-	if (upstream->tls_curves_list)
-		(void) SSL_set1_curves_list(ssl, upstream->tls_curves_list);
+	if (upstream->tls_curves_list
+	&& !SSL_set1_curves_list(ssl, upstream->tls_curves_list)) {
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+		    GETDNS_LOG_ERR, "%-40s : Error configuring tls_curves_list"
+		    "\"%s\"\n", upstream->addr_str, upstream->tls_curves_list);
+	}
+#endif
+#ifdef HAVE_SSL_SET_CIPHERSUITES
+	if (upstream->tls_ciphersuites &&
+	   !SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) {
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+		    GETDNS_LOG_ERR, "%-40s : Error configuring tls_ciphersuites "
+		    "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
+	}
+#endif
+#ifdef defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+	if (upstream->tls_min_version && !SSL_set_min_proto_version(ssl,
+	    _getdns_tls_version2openssl_version(upstream->tls_min_version))) {
+		struct const_info *ci = _getdns_get_const_info(int value);
+		if (ci && *ci->name)
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+			    GETDNS_LOG_ERR, "%-40s : Error configuring "
+			    "tls_min_version \"%s\"\n", upstream->addr_str,
+			    ci->name);
+		else
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+			    GETDNS_LOG_ERR, "%-40s : Error configuring "
+			    "tls_min_version \"%d\"\n", upstream->addr_str,
+			    upstream->tls_min_version);
+	}
+	if (upstream->tls_max_version && !SSL_set_max_proto_version(ssl,
+	    _getdns_tls_version2openssl_version(upstream->tls_max_version))) {
+		struct const_info *ci = _getdns_get_const_info(int value);
+		if (ci && *ci->name)
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+			    GETDNS_LOG_ERR, "%-40s : Error configuring "
+			    "tls_max_version \"%s\"\n", upstream->addr_str,
+			    ci->name);
+		else
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+			    GETDNS_LOG_ERR, "%-40s : Error configuring "
+			    "tls_max_version \"%d\"\n", upstream->addr_str,
+			    upstream->tls_max_version);
+	}
 #endif
 	/* make sure we'll be able to find the context again when we need it */
 	if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) {
@@ -1016,14 +1058,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
 	}
-#if defined(HAVE_DECL_SSL_SET_CIPHERSUITES) && HAVE_DECL_SSL_SET_CIPHERSUITES
-	if (upstream->tls_ciphersuites &&
-	   !SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) {
-		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
-		    GETDNS_LOG_ERR, "%-40s : Error configuring ciphersuites "
-		    "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
-	}
-#endif
 #if defined(HAVE_SSL_DANE_ENABLE)
 	int osr;
 # if defined(STUB_DEBUG) && STUB_DEBUG
diff --git a/src/util-internal.h b/src/util-internal.h
index 3d768de1..529ebce0 100644
--- a/src/util-internal.h
+++ b/src/util-internal.h
@@ -218,5 +218,19 @@ INLINE uint64_t _getdns_ms_until_expiry2(uint64_t expires, uint64_t *now_ms)
 	return *now_ms >= expires ? 0 : expires - *now_ms;
 }
 
+# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+INLINE int _getdns_tls_version2openssl_version(getdns_tls_version_t v)
+{
+	switch (v) {
+	case GETDNS_SSL3  : return SSL3_VERSION;
+	case GETDNS_TLS1  : return TLS1_VERSION;
+	case GETDNS_TLS1_1: return TLS1_1_VERSION;
+	case GETDNS_TLS1_2: return TLS1_2_VERSION;
+	case GETDNS_TLS1_3: return TLS1_3_VERSION;
+	default           : return TLS_MAX_VERSION;
+	}
+}
+# endif
+
 #endif
 /* util-internal.h */

From 73868643d2ccd5d33a102dcebf30fee4ebaa8ef7 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 21 Nov 2018 16:07:47 +0100
Subject: [PATCH 172/303] Fix compile warnings

---
 src/stub.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index f5d59750..e4f764a4 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -58,6 +58,7 @@
 #ifdef USE_DANESSL
 # include "ssl_dane/danessl.h"
 #endif
+#include "const-info.h"
 
 /* WSA TODO: 
  * STUB_TCP_RETRY added to deal with edge triggered event loops (versus
@@ -946,10 +947,11 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		    "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
 	}
 #endif
-#ifdef defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
 	if (upstream->tls_min_version && !SSL_set_min_proto_version(ssl,
 	    _getdns_tls_version2openssl_version(upstream->tls_min_version))) {
-		struct const_info *ci = _getdns_get_const_info(int value);
+		struct const_info *ci =
+		    _getdns_get_const_info(upstream->tls_min_version);
 		if (ci && *ci->name)
 			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
 			    GETDNS_LOG_ERR, "%-40s : Error configuring "
@@ -963,7 +965,8 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 	}
 	if (upstream->tls_max_version && !SSL_set_max_proto_version(ssl,
 	    _getdns_tls_version2openssl_version(upstream->tls_max_version))) {
-		struct const_info *ci = _getdns_get_const_info(int value);
+		struct const_info *ci =
+		    _getdns_get_const_info(upstream->tls_max_version);
 		if (ci && *ci->name)
 			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
 			    GETDNS_LOG_ERR, "%-40s : Error configuring "

From 4ff9816e3949f4d1c983d77e6315031f9c6944a1 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 21 Nov 2018 17:00:03 +0100
Subject: [PATCH 173/303] google now supports DoT

---
 src/test/tpkg/290-transports.tpkg/290-transports.test | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/test/tpkg/290-transports.tpkg/290-transports.test b/src/test/tpkg/290-transports.tpkg/290-transports.test
index ce3730e2..eba3abc2 100644
--- a/src/test/tpkg/290-transports.tpkg/290-transports.test
+++ b/src/test/tpkg/290-transports.tpkg/290-transports.test
@@ -10,8 +10,8 @@ then
 else
 	HAVE_SSL_HN_AUTH=0
 fi
-SERVER_IP="8.8.8.8"
-SERVER_IPv6="2001:4860:4860::8888"
+SERVER_IP="64.6.64.6"
+SERVER_IPv6="2620:74:1b::1:1"
 
 SERVER_IP_TSIG="185.49.141.37^"
 SERVER_IPv6_TSIG="2a04:b900:0:100::37^"

From 6b105708421949b16cd4f727003babd0c344c0b2 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 22 Nov 2018 10:21:48 +0100
Subject: [PATCH 174/303] DNSSEC bugfix found with static analysis

* Fix for DNSSEC bug in finding most specific key when
  trust anchor proves non-existance of one of the labels
  along the authentication chain other than the non-
  existance of a DS record on a zonecut.
---
 ChangeLog    |  4 ++++
 src/dnssec.c | 17 ++++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index cc3cf584..4a87df27 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
 * 2018-0?-??: Version 1.4.3
+  * Fix for DNSSEC bug in finding most specific key when
+    trust anchor proves non-existance of one of the labels
+    along the authentication chain other than the non-
+    existance of a DS record on a zonecut.
   * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
     Configurable minimum and maximum TLS versions with
     getdns_context_set_tls_min_version() and
diff --git a/src/dnssec.c b/src/dnssec.c
index fd8ac932..4dca78bc 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2606,7 +2606,7 @@ static int chain_node_get_trusted_keys(
 			*keys = ta;
 			return GETDNS_DNSSEC_SECURE;
 		}
-		/* ta is parent's ZSK */
+		/* ta is parent's ZSK proving insecurity below this node? */
 		if ((keytag = key_proves_nonexistance(
 		    mf, now, skew, ta, &node->ds, &opt_out))) {
 			node->ds_signer = keytag;
@@ -2621,12 +2621,18 @@ static int chain_node_get_trusted_keys(
 			 * key_proves_nonexistance() will set opt_out also for
 			 * these conditions.
 			 */
-			return opt_out ? GETDNS_DNSSEC_INSECURE
-			               : GETDNS_DNSSEC_SECURE;
-		}
-		if ((keytag = a_key_signed_rrset_no_wc(
+			if (opt_out)
+				return GETDNS_DNSSEC_INSECURE;
+
+			/* If this is not an insecurity proof,
+			 * continue searching one label up.
+			 */
+
+		/* ta is parent's ZSK authenticating DS? */
+		} else if ((keytag = a_key_signed_rrset_no_wc(
 					mf, now, skew, ta, &node->ds))) {
 			node->ds_signer = keytag;
+			/* DS should authenticate the DNSKEY rrset now */
 			if ((keytag = ds_authenticates_keys(
 			    mf, now, skew, &node->ds, &node->dnskey))) {
 				*keys = &node->dnskey;
@@ -2635,6 +2641,7 @@ static int chain_node_get_trusted_keys(
 				     ? GETDNS_DNSSEC_INSECURE
 				     : GETDNS_DNSSEC_SECURE;
 			}
+			/* DS without DNSKEY rrset == BOGUS */
 			return GETDNS_DNSSEC_BOGUS;
 		}
 	} else

From b90ba236ae1961c4e75c795163af8a945434a2b1 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 22 Nov 2018 11:37:28 +0100
Subject: [PATCH 175/303] tls_ciphersuites, tls_cipher_list, tls_curve_list,

	tls_min_version & tls_max_version settings must cause
	failure when not supported by the TLS library.  Not during
	configure time, but during connection setup so it doesn't
	hamper alternative transports.
---
 src/context.c | 26 +++++++++++++++++++-------
 src/stub.c    | 38 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 55 insertions(+), 9 deletions(-)

diff --git a/src/context.c b/src/context.c
index d79d7876..7b879f60 100644
--- a/src/context.c
+++ b/src/context.c
@@ -3095,6 +3095,9 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				getdns_bindata *tls_ciphersuites = NULL;
 				getdns_bindata *tls_curves_list = NULL;
 				uint32_t        tls_version;
+				/* Missing support in TLS library is
+				 * detected and reported during connection setup.
+				 */
 
 				if ((r = getdns_dict_get_bindata(
 				    dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
@@ -3190,11 +3193,6 @@ invalid_parameter:
 error:
 	_getdns_upstreams_dereference(upstreams);
 	return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
-#if !defined(HAVE_DECL_SSL_SET1_CURVES_LIST) || !HAVE_DECL_SSL_SET1_CURVES_LIST
-not_implemented:
-	_getdns_upstreams_dereference(upstreams);
-	return GETDNS_RETURN_NOT_IMPLEMENTED;
-#endif
 } /* getdns_context_set_upstream_recursive_servers */
 
 
@@ -3721,8 +3719,8 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			if(context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
 
-#  if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
-			fprintf(stderr, "SSL_CTX_set_min_proto_version(%d)\n", context->tls_min_version);
+#  if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \
+           && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
 			if (!SSL_CTX_set_min_proto_version(context->tls_ctx,
 			    _getdns_tls_version2openssl_version(context->tls_min_version))) {
 				SSL_CTX_free(context->tls_ctx);
@@ -3736,6 +3734,14 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				context->tls_ctx = NULL;
 				return GETDNS_RETURN_BAD_CONTEXT;
 			}
+#  else
+#   ifndef HAVE_TLS_CLIENT_METHOD
+			if ((  context->tls_min_version
+			    && context->tls_min_version != GETDNS_TLS1_2)
+			||     context->tls_max_version) {
+				return GETDNS_RETURN_NOT_IMPLEMENTED;
+			}
+#   endif
 #  endif
 			/* Be strict and only use the cipher suites recommended in RFC7525
 			   Unless we later fallback to opportunistic. */
@@ -3748,11 +3754,17 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			    context->tls_ciphersuites ? context->tls_ciphersuites
 			                             : _getdns_default_tls_ciphersuites))
 				return GETDNS_RETURN_BAD_CONTEXT;
+#  else
+			if (context->tls_ciphersuites)
+				return GETDNS_RETURN_NOT_IMPLEMENTED;
 #  endif
 #  if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
 			if (context->tls_curves_list &&
 			    !SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
+#  else
+			if (context->tls_curves_list)
+				return GETDNS_RETURN_NOT_IMPLEMENTED;
 #  endif
 			/* For strict authentication, we must have local root certs available
 		       Set up is done only when the tls_ctx is created (per getdns_context)*/
diff --git a/src/stub.c b/src/stub.c
index e4f764a4..7dfcf1cb 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -935,8 +935,18 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 	if (upstream->tls_curves_list
 	&& !SSL_set1_curves_list(ssl, upstream->tls_curves_list)) {
 		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
-		    GETDNS_LOG_ERR, "%-40s : Error configuring tls_curves_list"
+		    GETDNS_LOG_ERR, "%-40s : Error configuring tls_curves_list "
 		    "\"%s\"\n", upstream->addr_str, upstream->tls_curves_list);
+		SSL_free(ssl);
+		return NULL;
+	}
+#else
+	if (upstream->tls_curves_list) {
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+		    GETDNS_LOG_ERR, "%-40s : tls_curves_list not supported "
+		    "in tls library\n", upstream->addr_str);
+		SSL_free(ssl);
+		return NULL;
 	}
 #endif
 #ifdef HAVE_SSL_SET_CIPHERSUITES
@@ -946,8 +956,17 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		    GETDNS_LOG_ERR, "%-40s : Error configuring tls_ciphersuites "
 		    "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
 	}
+#else
+	if (upstream->tls_ciphersuites) {
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+		    GETDNS_LOG_ERR, "%-40s : tls_ciphersuites not "
+		    "supported in tls library\n", upstream->addr_str);
+		SSL_free(ssl);
+		return NULL;
+	}
 #endif
-#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \
+         && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
 	if (upstream->tls_min_version && !SSL_set_min_proto_version(ssl,
 	    _getdns_tls_version2openssl_version(upstream->tls_min_version))) {
 		struct const_info *ci =
@@ -978,6 +997,21 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			    "tls_max_version \"%d\"\n", upstream->addr_str,
 			    upstream->tls_max_version);
 	}
+#else
+	if (upstream->tls_min_version) {
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+		    GETDNS_LOG_ERR, "%-40s : tls_min_version not "
+		    "supported in tls library\n", upstream->addr_str);
+		SSL_free(ssl);
+		return NULL;
+	}
+	if (upstream->tls_max_version) {
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+		    GETDNS_LOG_ERR, "%-40s : tls_max_version not "
+		    "supported in tls library\n", upstream->addr_str);
+		SSL_free(ssl);
+		return NULL;
+	}
 #endif
 	/* make sure we'll be able to find the context again when we need it */
 	if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) {

From 2d76a5fd5249c1abeacd289520513bd35f7952c0 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 22 Nov 2018 12:16:19 +0100
Subject: [PATCH 176/303] We had complaints for serving the root, so..

	TCP only full recursion test now starting from K-root
	(because other roots are unreliable TCP-wise)
---
 .../check_getdns_context_set_dns_transport.h  | 26 +++++++++++--------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/src/test/check_getdns_context_set_dns_transport.h b/src/test/check_getdns_context_set_dns_transport.h
index ef847636..83b18d6e 100644
--- a/src/test/check_getdns_context_set_dns_transport.h
+++ b/src/test/check_getdns_context_set_dns_transport.h
@@ -292,17 +292,14 @@
        struct getdns_dict *extensions = getdns_dict_create();
 
        /*
-        * Not all servers in the path to large.getdnsapi.net seem to support
-        * TCP consistently.  Many (root) servers are anycasted which decreases
-        * reliability of TCP availability (as we've seen in practice).
-        * To mitigate we provide our own root server for which we are sure that
-        * it supports TCP.  The .net authoritative server are still out of our
-        * control tough.  But because they are managed by a single party I
-        * suspect them to be a bit more reliable.
+        * Not all root servers seem to support TCP reliably. To mitigate,
+	* we put our faith in k.root-servers.net.
         */
        struct getdns_list *root_servers = getdns_list_create();
        struct getdns_list *root_servers2 = getdns_list_create();
-       struct getdns_bindata nlnetlabs_root = { 4, (void *)"\xB9\x31\x8D\x25" };
+       struct getdns_bindata k4_root = {  4, (void *)"\xC1\x00\x0E\x81" };
+       struct getdns_bindata k6_root = { 16, (void *)
+         "\x20\x01\x07\xFD\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" };
        struct getdns_bindata *answer = NULL;
 
        uint32_t status;
@@ -319,7 +316,9 @@
            /* Re-do over TCP */
            ASSERT_RC(getdns_dict_set_int(extensions,"return_call_reporting", GETDNS_EXTENSION_TRUE),
              GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()");
-           ASSERT_RC(getdns_list_set_bindata(root_servers, 0, &nlnetlabs_root),
+           ASSERT_RC(getdns_list_set_bindata(root_servers, 0, &k6_root),
+             GETDNS_RETURN_GOOD, "Return code from getdns_list_set_bindata()");
+           ASSERT_RC(getdns_list_set_bindata(root_servers, 1, &k4_root),
              GETDNS_RETURN_GOOD, "Return code from getdns_list_set_bindata()");
 
            ASSERT_RC(getdns_context_set_dns_root_servers(context, root_servers),
@@ -328,8 +327,13 @@
              GETDNS_RETURN_GOOD, "Return code from getdns_context_get_dns_root_servers()");
            ASSERT_RC(getdns_list_get_bindata(root_servers2, 0, &answer),
              GETDNS_RETURN_GOOD, "Return code from getdns_list_get_bindata()");
-           ck_assert_msg(strncmp((char *)answer->data, (char *)nlnetlabs_root.data, 4) == 0,
-             "Expected answer data to be 185.49.141.37");
+           ck_assert_msg(strncmp((char *)answer->data, (char *)k6_root.data, 16) == 0,
+             "Expected answer data to be 2001:7fd::1");
+           ASSERT_RC(getdns_list_get_bindata(root_servers2, 1, &answer),
+             GETDNS_RETURN_GOOD, "Return code from getdns_list_get_bindata()");
+           ck_assert_msg(strncmp((char *)answer->data, (char *)k4_root.data, 4) == 0,
+             "Expected answer data to be 193.0.14.129");
+
            ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY),
              GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");
            ASSERT_RC(getdns_context_set_edns_maximum_udp_payload_size(context, 512),

From 2267863a53ffb6fe85ee0efd64785246895e161c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 23 Nov 2018 16:20:48 +0000
Subject: [PATCH 177/303] Attempt to improve the preprocessor horror that is
 util/val_secalgo.h.

Convert the main util/val_secalgo.h to a plain interface. Move the preprocessor redefines into validator/val_secalgo.h, and move THAT under openssl, because it is OpenSSL implementation specific at present - you can compile with NSS and Nettle if config allows.
---
 src/Makefile.in                               |  9 ++-
 .../validator/val_nsec3.h                     |  0
 src/openssl/validator/val_secalgo.h           | 48 ++++++++++++++++
 src/util/auxiliary/validator/val_secalgo.h    |  1 -
 src/util/val_secalgo.h                        | 56 +++++--------------
 5 files changed, 67 insertions(+), 47 deletions(-)
 rename src/{util/auxiliary => openssl}/validator/val_nsec3.h (100%)
 create mode 100644 src/openssl/validator/val_secalgo.h
 delete mode 100644 src/util/auxiliary/validator/val_secalgo.h

diff --git a/src/Makefile.in b/src/Makefile.in
index c7faf32c..ed5c95bf 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -342,7 +342,7 @@ dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
  $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
  $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \
- $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h
+ $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h
 general.lo general.o: $(srcdir)/general.c config.h \
  $(srcdir)/general.h getdns/getdns.h \
  $(srcdir)/types-internal.h \
@@ -531,12 +531,11 @@ tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/tls.h
 val_secalgo.lo val_secalgo.o: $(srcdir)/openssl/val_secalgo.c \
  config.h \
- $(srcdir)/util/auxiliary/util/data/packed_rrset.h \
- $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \
- $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \
+ $(srcdir)/util/auxiliary/util/data/packed_rrset.h $(srcdir)/openssl/validator/val_secalgo.h \
+ $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h $(srcdir)/openssl/validator/val_nsec3.h \
  $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/openssl/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
+ $(srcdir)/openssl/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h
 yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
 libev.lo libev.o: $(srcdir)/extension/libev.c \
  config.h $(srcdir)/types-internal.h \
diff --git a/src/util/auxiliary/validator/val_nsec3.h b/src/openssl/validator/val_nsec3.h
similarity index 100%
rename from src/util/auxiliary/validator/val_nsec3.h
rename to src/openssl/validator/val_nsec3.h
diff --git a/src/openssl/validator/val_secalgo.h b/src/openssl/validator/val_secalgo.h
new file mode 100644
index 00000000..e4e2a7a7
--- /dev/null
+++ b/src/openssl/validator/val_secalgo.h
@@ -0,0 +1,48 @@
+#ifndef VAL_SECALGO_H_VALIDATOR
+#define VAL_SECALGO_H_VALIDATOR
+
+#define sldns_buffer                    gldns_buffer
+
+#define nsec3_hash_algo_size_supported  _getdns_nsec3_hash_algo_size_supported
+#define secalgo_nsec3_hash              _getdns_secalgo_nsec3_hash
+#define secalgo_hash_sha256             _getdns_secalgo_hash_sha256
+#define ds_digest_size_supported        _getdns_ds_digest_size_supported
+#define secalgo_ds_digest               _getdns_secalgo_ds_digest
+#define dnskey_algo_id_is_supported     _getdns_dnskey_algo_id_is_supported
+#define verify_canonrrset               _getdns_verify_canonrrset
+#define sec_status                      _getdns_sec_status
+#define sec_status_secure               _getdns_sec_status_secure
+#define sec_status_insecure             _getdns_sec_status_insecure
+#define sec_status_unchecked            _getdns_sec_status_unchecked
+#define sec_status_bogus                _getdns_sec_status_bogus
+#define fake_sha1                       _getdns_fake_sha1
+#define fake_dsa                        _getdns_fake_dsa
+
+#define NSEC3_HASH_SHA1                 0x01
+
+#define LDNS_SHA1                       GLDNS_SHA1
+#define LDNS_SHA256                     GLDNS_SHA256
+#define LDNS_SHA384                     GLDNS_SHA384
+#define LDNS_HASH_GOST                  GLDNS_HASH_GOST
+#define LDNS_RSAMD5                     GLDNS_RSAMD5
+#define LDNS_DSA                        GLDNS_DSA
+#define LDNS_DSA_NSEC3                  GLDNS_DSA_NSEC3
+#define LDNS_RSASHA1                    GLDNS_RSASHA1
+#define LDNS_RSASHA1_NSEC3              GLDNS_RSASHA1_NSEC3
+#define LDNS_RSASHA256                  GLDNS_RSASHA256
+#define LDNS_RSASHA512                  GLDNS_RSASHA512
+#define LDNS_ECDSAP256SHA256            GLDNS_ECDSAP256SHA256
+#define LDNS_ECDSAP384SHA384            GLDNS_ECDSAP384SHA384
+#define LDNS_ECC_GOST                   GLDNS_ECC_GOST
+#define sldns_key_EVP_load_gost_id      gldns_key_EVP_load_gost_id
+#define sldns_digest_evp                gldns_digest_evp
+#define sldns_key_buf2dsa_raw           gldns_key_buf2dsa_raw
+#define sldns_key_buf2rsa_raw           gldns_key_buf2rsa_raw
+#define sldns_gost2pkey_raw             gldns_gost2pkey_raw
+#define sldns_ecdsa2pkey_raw            gldns_ecdsa2pkey_raw
+#define sldns_buffer_begin              gldns_buffer_begin
+#define sldns_buffer_limit              gldns_buffer_limit
+
+#include "util/val_secalgo.h"
+
+#endif
diff --git a/src/util/auxiliary/validator/val_secalgo.h b/src/util/auxiliary/validator/val_secalgo.h
deleted file mode 100644
index 1e187cba..00000000
--- a/src/util/auxiliary/validator/val_secalgo.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "util/val_secalgo.h"
diff --git a/src/util/val_secalgo.h b/src/util/val_secalgo.h
index 08f40e83..3554c658 100644
--- a/src/util/val_secalgo.h
+++ b/src/util/val_secalgo.h
@@ -1,7 +1,7 @@
 /**
  *
- * \file rbtree.h
- * /brief Alternative symbol names for unbound's rbtree.h
+ * \file val_secalgo.h
+ * /brief secalgo interface.
  *
  */
 /*
@@ -32,49 +32,23 @@
  */
 #ifndef VAL_SECALGO_H_SYMBOLS
 #define VAL_SECALGO_H_SYMBOLS
-#define sldns_buffer			gldns_buffer
-#define nsec3_hash_algo_size_supported	_getdns_nsec3_hash_algo_size_supported
-#define secalgo_nsec3_hash		_getdns_secalgo_nsec3_hash
-#define secalgo_hash_sha256		_getdns_secalgo_hash_sha256
-#define ds_digest_size_supported	_getdns_ds_digest_size_supported
-#define secalgo_ds_digest		_getdns_secalgo_ds_digest
-#define dnskey_algo_id_is_supported	_getdns_dnskey_algo_id_is_supported
-#define verify_canonrrset		_getdns_verify_canonrrset
-#define sec_status			_getdns_sec_status
-#define sec_status_secure		_getdns_sec_status_secure
-#define sec_status_insecure		_getdns_sec_status_insecure
-#define sec_status_unchecked		_getdns_sec_status_unchecked
-#define sec_status_bogus		_getdns_sec_status_bogus
-#define fake_sha1			_getdns_fake_sha1
-#define fake_dsa			_getdns_fake_dsa
+
+#include "gldns/gbuffer.h"
 
 enum sec_status { sec_status_bogus     = 0
                 , sec_status_unchecked = 0
                 , sec_status_insecure  = 0
 		, sec_status_secure    = 1 };
-#define NSEC3_HASH_SHA1			0x01
 
-#define	LDNS_SHA1			GLDNS_SHA1
-#define	LDNS_SHA256			GLDNS_SHA256
-#define LDNS_SHA384			GLDNS_SHA384
-#define LDNS_HASH_GOST			GLDNS_HASH_GOST
-#define LDNS_RSAMD5			GLDNS_RSAMD5
-#define LDNS_DSA			GLDNS_DSA
-#define LDNS_DSA_NSEC3			GLDNS_DSA_NSEC3
-#define LDNS_RSASHA1			GLDNS_RSASHA1
-#define LDNS_RSASHA1_NSEC3		GLDNS_RSASHA1_NSEC3
-#define LDNS_RSASHA256			GLDNS_RSASHA256
-#define LDNS_RSASHA512			GLDNS_RSASHA512
-#define LDNS_ECDSAP256SHA256		GLDNS_ECDSAP256SHA256
-#define LDNS_ECDSAP384SHA384		GLDNS_ECDSAP384SHA384
-#define LDNS_ECC_GOST			GLDNS_ECC_GOST
-#define sldns_key_EVP_load_gost_id	gldns_key_EVP_load_gost_id
-#define sldns_digest_evp		gldns_digest_evp
-#define sldns_key_buf2dsa_raw		gldns_key_buf2dsa_raw
-#define sldns_key_buf2rsa_raw		gldns_key_buf2rsa_raw
-#define sldns_gost2pkey_raw		gldns_gost2pkey_raw
-#define sldns_ecdsa2pkey_raw		gldns_ecdsa2pkey_raw
-#define sldns_buffer_begin		gldns_buffer_begin
-#define sldns_buffer_limit		gldns_buffer_limit
-#include "util/orig-headers/val_secalgo.h"
+size_t _getdns_ds_digest_size_supported(int algo);
+
+int _getdns_secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+	unsigned char* res);
+
+int _getdns_dnskey_algo_id_is_supported(int id);
+
+enum sec_status _getdns_verify_canonrrset(struct gldns_buffer* buf, int algo,
+	unsigned char* sigblock, unsigned int sigblock_len,
+	unsigned char* key, unsigned int keylen, char** reason);
+
 #endif

From 27a7e4e28f12acb9f69ff2c4b087bfde39aea4dd Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 23 Nov 2018 17:42:35 +0000
Subject: [PATCH 178/303] Attempt minimal autoconf changes to use GnuTLS
 instead of OpenSSL.

I could waste the rest of the available time trying to turn configure.ac into something that cleanly ignores OpenSSL, uses GnuTLS instead and retains all the options. Or even better scrap the whole autoconf mess and start again.

But in the interests of prototyping, do something quick and dirty. This means GnuTLS must for now be configured thus:

$ CFLAGS="-g" ../configure --enable-stub-only --with-gnutls --disable-gost --disable-ecdsa --disable-edns-cookies

to evade other items with hardcoded OpenSSL checks in them.
---
 configure.ac    | 19 +++++++++++++++++--
 src/Makefile.in | 11 ++++++-----
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/configure.ac b/configure.ac
index cc80080e..a16100e3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -399,11 +399,26 @@ yes)
 	;;
 esac
 
+# Which TLS and crypto libs to use.
+AC_ARG_WITH([gnutls],
+    [AS_HELP_STRING([--with-gnutls],
+        [use GnuTLS instead of OpenSSL])],
+    [
+        PKG_CHECK_MODULES([libgnutls], [gnutls >= 3.5.0])
+        LIBS="$libgnutls_LIBS $LIBS"
+        CFLAGS="$libgnutls_CFLAGS $CFLAGS"
+        AC_SUBST([TLSDIR], 'gnutls')
+        AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library])
+    ],
+    [
+        ACX_WITH_SSL_OPTIONAL
+        ACX_LIB_SSL
+        AC_SUBST([TLSDIR], 'openssl')
+    ])
+
 USE_NSS="no"
 # openssl
 if test $USE_NSS = "no"; then
-ACX_WITH_SSL_OPTIONAL
-ACX_LIB_SSL
 AC_MSG_CHECKING([for LibreSSL])
 if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
 	AC_MSG_RESULT([yes])
diff --git a/src/Makefile.in b/src/Makefile.in
index ed5c95bf..88a239ac 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -52,11 +52,12 @@ INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 
 srcdir = @srcdir@
+tlsdir = @TLSDIR@
 stubbysrcdir = $(srcdir)/../stubby
 LIBTOOL = ../libtool
 
 CC=@CC@
-CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/openssl -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
+CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/$(tlsdir) -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
 WPEDANTICFLAG=@WPEDANTICFLAG@
 WNOERRORFLAG=@WNOERRORFLAG@
 LDFLAGS=@LDFLAGS@ @LIBS@
@@ -134,7 +135,7 @@ $(JSMN_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -DJSMN_GETDNS -c $(srcdir)/jsmn/$(@:.lo=.c) -o $@
 
 $(TLS_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/openssl/$(@:.lo=.c) -o $@
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/$(tlsdir)/$(@:.lo=.c) -o $@
 
 $(YAML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
@@ -146,7 +147,7 @@ $(EXTENSION_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/extension/$(@:.lo=.c) -o $@
 
 anchor.lo:
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/openssl/anchor.c -o anchor.lo
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/$(tlsdir)/anchor.c -o anchor.lo
 
 context.lo:
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/context.c -o context.lo
@@ -271,14 +272,14 @@ Makefile: $(srcdir)/Makefile.in ../config.status
 depend:
 	(cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
 
-	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \
+	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -I$(tlsdir) -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c $(tlsdir)/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \
 		sed -e "s? $$blddir/? ?g" \
 		    -e 's? gldns/? $$(srcdir)/gldns/?g' \
 		    -e 's? compat/? $$(srcdir)/compat/?g' \
 		    -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \
 		    -e 's? util/? $$(srcdir)/util/?g' \
 		    -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
-		    -e 's? openssl/? $$(srcdir)/openssl/?g' \
+		    -e 's? $$(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g' \
 		    -e 's? yxml/? $$(srcdir)/yxml/?g' \
 		    -e 's? extension/? $$(srcdir)/extension/?g' \
 		    -e 's? \.\./stubby/? $$(stubbysrcdir)/?g' \

From 4ec93a3df025c8a1773e7ec2fb2fdbb4d2709c28 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Mon, 26 Nov 2018 11:32:03 +0000
Subject: [PATCH 179/303] Add Doxygen for remaining tls.h functions.

---
 src/tls.h | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 130 insertions(+)

diff --git a/src/tls.h b/src/tls.h
index 295b649c..cc654430 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -47,23 +47,146 @@ typedef struct sha256_pin sha256_pin_t;
 #define GETDNS_RETURN_TLS_WANT_WRITE		((getdns_return_t) 421)
 #define GETDNS_RETURN_TLS_CONNECTION_FRESH	((getdns_return_t) 422)
 
+/**
+ * Global initialisation of the TLS interface.
+ */
 void _getdns_tls_init();
 
+/**
+ * Create a new TLS context.
+ *
+ * @return pointer to new context or NULL on error.
+ */
 _getdns_tls_context* _getdns_tls_context_new();
+
+/**
+ * Free a TLS context.
+ *
+ * @param ctx	the context to free.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if <code>ctx</code> is invalid.
+ */
 getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx);
 
+/**
+ * Set TLS 1.2 as minimum TLS version.
+ *
+ * @param ctx	the context.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer.
+ * @return GETDNS_RETURN_NOT_IMPLEMENTED if not implemented.
+ * @return GETDNS_RETURN_BAD_CONTEXT on failure.
+ */
 getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx);
+
+/**
+ * Set list of allowed ciphers.
+ *
+ * @param ctx	the context.
+ * @param list 	the list of cipher identifiers.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer.
+ * @return GETDNS_RETURN_BAD_CONTEXT on failure.
+ */
 getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list);
+
+/**
+ * Set list of allowed curves.
+ *
+ * @param ctx	the context.
+ * @param list 	the list of curve identifiers.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer.
+ * @return GETDNS_RETURN_BAD_CONTEXT on failure.
+ */
 getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list);
+
+
+/**
+ * Set certificate authority details.
+ *
+ * Load CA from either a file or a directory. If both <code>file</code>
+ * and <code>path</code> are <code>NULL</code>, use default locations.
+ *
+ * @param ctx	the context.
+ * @param file	a file of CA certificates in PEM format.
+ * @param path	a directory containing CA certificates in PEM format.
+ * 		Files are looked up by CA subject name hash value.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer.
+ * @return GETDNS_RETURN_GENERIC_ERROR on failure.
+ */
 getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path);
 
+/**
+ * Create a new TLS connection and associate it with a file descriptior.
+ *
+ * @param ctx	the context.
+ * @param fd	the file descriptor to associate with the connection.
+ * @return pointer to new connection or NULL on error.
+ */
 _getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd);
+
+/**
+ * Free a TLS connection.
+ *
+ * @param conn	the connection to free.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if <code>conn</code> is invalid.
+ */
 getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx);
+
+/**
+ * Shut down a TLS connection.
+ *
+ * @param conn	the connection to shut down.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if <code>conn</code> is invalid.
+ * @return GETDNS_RETURN_CONTEXT_UPDATE_FAIL if shutdown is not finished,
+ * 	   and this routine should be called again.
+ * @return GETDNS_RETURN_GENERIC_ERROR on error.
+ */
 getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn);
 
+/**
+ * Set list of allowed ciphers on this connection.
+ *
+ * @param conn	the connection.
+ * @param list 	the list of cipher identifiers.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer.
+ * @return GETDNS_RETURN_BAD_CONTEXT on failure.
+ */
 getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list);
+
+/**
+ * Set list of allowed curves on this connection.
+ *
+ * @param conn	the connection.
+ * @param list 	the list of curve identifiers.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer.
+ * @return GETDNS_RETURN_BAD_CONTEXT on failure.
+ */
 getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list);
+
+/**
+ * Set the session for this connection.
+ *
+ * @param conn	the connection.
+ * @param s 	the session.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer.
+ * @return GETDNS_RETURN_GENERIC_ERROR on failure.
+ */
 getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s);
+
+/**
+ * Get the session for this connection.
+ *
+ * @param conn	the connection.
+ * @return pointer to the session or NULL on error.
+ */
 _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
 
 /**
@@ -184,6 +307,13 @@ void _getdns_tls_x509_free(_getdns_tls_x509* cert);
  */
 int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf);
 
+/**
+ * Fill in dictionary with TLS API information.
+ *
+ * @param dict	the dictionary to add to.
+ * @return GETDNS_RETURN_GOOD if some bytes were read.
+ * @return GETDNS_RETURN_GENERIC_ERROR if items cannot be set.
+ */
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
 
 #endif /* _GETDNS_TLS_H */

From bc3106af94d3847db6c41d5aed164ae53c10701e Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 27 Nov 2018 11:49:12 +0000
Subject: [PATCH 180/303] Abstract out HMAC functions in request-internal.c.

---
 src/openssl/tls-internal.h |  12 ++++
 src/openssl/tls.c          | 122 +++++++++++++++++++++++++++++++++++++
 src/request-internal.c     |  93 ++++++----------------------
 src/tls.h                  |  44 +++++++++++++
 4 files changed, 198 insertions(+), 73 deletions(-)

diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h
index f13c8602..59b5b292 100644
--- a/src/openssl/tls-internal.h
+++ b/src/openssl/tls-internal.h
@@ -34,6 +34,10 @@
 #ifndef _GETDNS_TLS_INTERNAL_H
 #define _GETDNS_TLS_INTERNAL_H
 
+#include <openssl/hmac.h>
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+
 #include "getdns/getdns.h"
 
 #ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
@@ -64,4 +68,12 @@ typedef struct _getdns_tls_x509
 	X509* ssl;
 } _getdns_tls_x509;
 
+typedef struct _getdns_tls_hmac
+{
+	HMAC_CTX *ctx;
+#ifndef HAVE_HMAC_CTX_NEW
+	HMAC_CTX ctx_space;
+#endif
+} _getdns_tls_hmac;
+
 #endif /* _GETDNS_TLS_INTERNAL_H */
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 36a0f9a3..611fbf3b 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -609,4 +609,126 @@ int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf)
 	return i2d_X509(cert->ssl, buf);
 }
 
+unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size)
+{
+	const EVP_MD* digester;
+	unsigned char* res;
+	unsigned int md_len;
+
+	switch (algorithm) {
+#ifdef HAVE_EVP_MD5
+	case GETDNS_HMAC_MD5   : digester = EVP_md5()   ; break;
+#endif
+#ifdef HAVE_EVP_SHA1
+	case GETDNS_HMAC_SHA1  : digester = EVP_sha1()  ; break;
+#endif
+#ifdef HAVE_EVP_SHA224
+	case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break;
+#endif
+#ifdef HAVE_EVP_SHA256
+	case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break;
+#endif
+#ifdef HAVE_EVP_SHA384
+	case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break;
+#endif
+#ifdef HAVE_EVP_SHA512
+	case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break;
+#endif
+	default                : return NULL;
+	}
+
+	res = (unsigned char*) malloc(EVP_MAX_MD_SIZE);
+	if (!res)
+		return NULL;
+
+	(void) HMAC(digester, key, key_size, data, data_size, res, &md_len);
+
+	if (output_size)
+		*output_size = md_len;
+	return res;
+}
+
+_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size)
+{
+	const EVP_MD *digester;
+	_getdns_tls_hmac* res;
+
+	switch (algorithm) {
+#ifdef HAVE_EVP_MD5
+	case GETDNS_HMAC_MD5   : digester = EVP_md5()   ; break;
+#endif
+#ifdef HAVE_EVP_SHA1
+	case GETDNS_HMAC_SHA1  : digester = EVP_sha1()  ; break;
+#endif
+#ifdef HAVE_EVP_SHA224
+	case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break;
+#endif
+#ifdef HAVE_EVP_SHA256
+	case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break;
+#endif
+#ifdef HAVE_EVP_SHA384
+	case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break;
+#endif
+#ifdef HAVE_EVP_SHA512
+	case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break;
+#endif
+	default                : return NULL;
+	}
+
+	if (!(res = malloc(sizeof(struct _getdns_tls_hmac))))
+		return NULL;
+
+#ifdef HAVE_HMAC_CTX_NEW
+	res->ctx = HMAC_CTX_new();
+	if (!res->ctx) {
+		free(res);
+		return NULL;
+	}
+#else
+	res->ctx = &res->ctx_space;
+	HMAC_CTX_init(res->ctx);
+#endif
+	if (!HMAC_Init_ex(res->ctx, key, key_size, digester, NULL)) {
+#ifdef HAVE_HMAC_CTX_NEW
+		HMAC_CTX_free(res->ctx);
+#endif
+		free(res);
+		return NULL;
+	}
+
+	return res;
+}
+
+getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
+{
+	if (!h || !h->ctx || !data)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (!HMAC_Update(h->ctx, data, data_size))
+		return GETDNS_RETURN_GENERIC_ERROR;
+	else
+		return GETDNS_RETURN_GOOD;
+}
+
+unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size)
+{
+	unsigned char* res;
+	unsigned int md_len;
+
+	res = (unsigned char*) malloc(EVP_MAX_MD_SIZE);
+	if (!res)
+		return NULL;
+
+	(void) HMAC_Final(h->ctx, res, &md_len);
+
+#ifdef HAVE_HMAC_CTX_NEW
+	HMAC_CTX_free(h->ctx);
+#endif
+	free(h);
+
+	if (output_size)
+		*output_size = md_len;
+	return res;
+}
+
 /* tls.c */
diff --git a/src/request-internal.c b/src/request-internal.c
index 89476717..1b2a7cb4 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -401,9 +401,8 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
 	gldns_buffer gbuf;
 	uint16_t arcount;
 	const getdns_tsig_info *tsig_info;
-	uint8_t md_buf[EVP_MAX_MD_SIZE];
-	unsigned int md_len = EVP_MAX_MD_SIZE;
-	const EVP_MD *digester;
+	unsigned char* md_buf;
+	size_t md_len;
 
 	/* Should only be called when in stub mode */
 	assert(req->query);
@@ -436,31 +435,9 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
 	gldns_buffer_write_u16(&gbuf, 0);		/* Error */
 	gldns_buffer_write_u16(&gbuf, 0);		/* Other len */
 
-	switch (upstream->tsig_alg) {
-#ifdef HAVE_EVP_MD5
-	case GETDNS_HMAC_MD5   : digester = EVP_md5()   ; break;
-#endif
-#ifdef HAVE_EVP_SHA1
-	case GETDNS_HMAC_SHA1  : digester = EVP_sha1()  ; break;
-#endif
-#ifdef HAVE_EVP_SHA224
-	case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break;
-#endif
-#ifdef HAVE_EVP_SHA256
-	case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break;
-#endif
-#ifdef HAVE_EVP_SHA384
-	case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break;
-#endif
-#ifdef HAVE_EVP_SHA512
-	case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break;
-#endif
-	default                : return req->response - req->query;
-	}
-
-	(void) HMAC(digester, upstream->tsig_key, upstream->tsig_size,
-	    (void *)req->query, gldns_buffer_current(&gbuf) - req->query,
-	    md_buf, &md_len);
+	md_buf = _getdns_tls_hmac_hash(upstream->tsig_alg, upstream->tsig_key, upstream->tsig_size, (void *)req->query, gldns_buffer_current(&gbuf) - req->query, &md_len);
+	if (!md_buf)
+		return req->response - req->query;
 
 	gldns_buffer_rewind(&gbuf);
 	gldns_buffer_write(&gbuf,
@@ -480,6 +457,8 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
 	gldns_buffer_write_u16(&gbuf, 0);		/* Error */
 	gldns_buffer_write_u16(&gbuf, 0);		/* Other len */
 
+	free(md_buf);
+
 	if (gldns_buffer_position(&gbuf) > gldns_buffer_limit(&gbuf))
 		return req->response - req->query;
 
@@ -506,14 +485,10 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	const uint8_t  *response_mac;
 	uint16_t  response_mac_len;
 	uint8_t   other_len;
-	uint8_t   result_mac[EVP_MAX_MD_SIZE];
-	unsigned int result_mac_len = EVP_MAX_MD_SIZE;
+	unsigned char  *result_mac;
+	size_t result_mac_len;
 	uint16_t original_id;
-	const EVP_MD *digester;
-	HMAC_CTX *ctx;
-#ifndef HAVE_HMAC_CTX_NEW
-	HMAC_CTX ctx_space;
-#endif
+	_getdns_tls_hmac *hmac;
 
 	DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNC__);
 	for ( rr = _getdns_rr_iter_init(&rr_spc, req->query,
@@ -620,39 +595,16 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	    gldns_read_uint16(req->response + 10) - 1);
 	gldns_write_uint16(req->response, original_id);
 
-	switch (req->upstream->tsig_alg) {
-#ifdef HAVE_EVP_MD5
-	case GETDNS_HMAC_MD5   : digester = EVP_md5()   ; break;
-#endif
-#ifdef HAVE_EVP_SHA1
-	case GETDNS_HMAC_SHA1  : digester = EVP_sha1()  ; break;
-#endif
-#ifdef HAVE_EVP_SHA224
-	case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break;
-#endif
-#ifdef HAVE_EVP_SHA256
-	case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break;
-#endif
-#ifdef HAVE_EVP_SHA384
-	case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break;
-#endif
-#ifdef HAVE_EVP_SHA512
-	case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break;
-#endif
-	default                : return;
-	}
-#ifdef HAVE_HMAC_CTX_NEW
-	ctx = HMAC_CTX_new();
-#else
-	ctx = &ctx_space;
-	HMAC_CTX_init(ctx);
-#endif	
-	(void) HMAC_Init_ex(ctx, req->upstream->tsig_key,
-	    req->upstream->tsig_size, digester, NULL);
-	(void) HMAC_Update(ctx, request_mac - 2, request_mac_len + 2);
-	(void) HMAC_Update(ctx, req->response, rr->pos - req->response);
-	(void) HMAC_Update(ctx, tsig_vars, gldns_buffer_position(&gbuf));
-	HMAC_Final(ctx, result_mac, &result_mac_len);
+	hmac = _getdns_tls_hmac_new(req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size);
+	if (!hmac)
+		return;
+
+	_getdns_tls_hmac_add(hmac, request_mac - 2, request_mac_len + 2);
+	_getdns_tls_hmac_add(hmac, req->response, rr->pos - req->response);
+	_getdns_tls_hmac_add(hmac, tsig_vars, gldns_buffer_position(&gbuf));
+	result_mac = _getdns_tls_hmac_end(hmac, &result_mac_len);
+	if (!result_mac)
+		return;
 
 	DEBUG_STUB("%s %-35s: Result MAC length: %d\n",
 	           STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len));
@@ -660,11 +612,6 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	    memcmp(result_mac, response_mac, result_mac_len) == 0)
 		req->tsig_status = GETDNS_DNSSEC_SECURE;
 
-#ifdef HAVE_HMAC_CTX_FREE
-	HMAC_CTX_free(ctx);
-#else
-	HMAC_CTX_cleanup(ctx);
-#endif
 	gldns_write_uint16(req->response, gldns_read_uint16(req->query));
 	gldns_write_uint16(req->response + 10,
 	    gldns_read_uint16(req->response + 10) + 1);
diff --git a/src/tls.h b/src/tls.h
index cc654430..a70ea1bb 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -316,4 +316,48 @@ int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf);
  */
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
 
+/**
+ * Return buffer with HMAC hash.
+ *
+ * @param algorithm	hash algorithm to use (<code>GETDNS_HMAC_?</code>).
+ * @param key		the key.
+ * @param key_size	the key size.
+ * @param data		the data to hash.
+ * @param data_size	the data size.
+ * @param output_size	the output size will be written here if not NULL.
+ * @return output	malloc'd buffer with output, NULL on error.
+ */
+unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);
+
+/**
+ * Return a new HMAC handle.
+ *
+ * @param algorithm	hash algorithm to use (<code>GETDNS_HMAC_?</code>).
+ * @param key		the key.
+ * @param key_size	the key size.
+ * @return HMAC handle or NULL on error.
+ */
+_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size);
+
+/**
+ * Add data to a HMAC.
+ *
+ * @param h		the HMAC.
+ * @param data		the data to add.
+ * @param data_size	the size of data to add.
+ * @return GETDNS_RETURN_GOOD if added.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if h is null or has no HMAC.
+ * @return GETDNS_RETURN_GENERIC_ERROR on error.
+ */
+getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size);
+
+/**
+ * Return the HMAC digest and free the handle.
+ *
+ * @param h		the HMAC.
+ * @param output_size	the output size will be written here if not NULL.
+ * @return output	malloc'd buffer with output, NULL on error.
+ */
+unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size);
+
 #endif /* _GETDNS_TLS_H */

From 5e390a4b235643fe1af4ea478c48e521b5ddd5de Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 27 Nov 2018 14:41:46 +0000
Subject: [PATCH 181/303] Revise all TLS interfaces to pass in GetDNS memory
 functions where necessary.

This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c.
---
 src/context.c          | 12 +++---
 src/openssl/tls.c      | 84 +++++++++++++++++++++++++-----------------
 src/request-internal.c | 12 +++---
 src/stub.c             | 21 +++++------
 src/tls.h              | 44 +++++++++++++++-------
 src/util-internal.c    |  2 +-
 6 files changed, 105 insertions(+), 70 deletions(-)

diff --git a/src/context.c b/src/context.c
index 4ee4b5de..e5ddf9a6 100644
--- a/src/context.c
+++ b/src/context.c
@@ -633,11 +633,11 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 			}
 		}
 		if (upstream->tls_session != NULL)
-			_getdns_tls_session_free(upstream->tls_session);
+			_getdns_tls_session_free(&upstreams->mf, upstream->tls_session);
 
 		if (upstream->tls_obj != NULL) {
 			_getdns_tls_connection_shutdown(upstream->tls_obj);
-			_getdns_tls_connection_free(upstream->tls_obj);
+			_getdns_tls_connection_free(&upstreams->mf, upstream->tls_obj);
 		}
 		if (upstream->fd != -1)
 		{
@@ -750,7 +750,7 @@ _getdns_upstream_reset(getdns_upstream *upstream)
 	}
 	if (upstream->tls_obj != NULL) {
 		_getdns_tls_connection_shutdown(upstream->tls_obj);
-		_getdns_tls_connection_free(upstream->tls_obj);
+		_getdns_tls_connection_free(&upstream->upstreams->mf, upstream->tls_obj);
 		upstream->tls_obj = NULL;
 	}
 	if (upstream->fd != -1) {
@@ -1681,7 +1681,7 @@ getdns_context_destroy(struct getdns_context *context)
 		GETDNS_FREE(context->my_mf, context->dns_transports);
 
 	if (context->tls_ctx)
-		_getdns_tls_context_free(context->tls_ctx);
+		_getdns_tls_context_free(&context->my_mf, context->tls_ctx);
 
 	getdns_list_destroy(context->dns_root_servers);
 
@@ -3544,13 +3544,13 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 		}
 
 		if (context->tls_ctx == NULL) {
-			context->tls_ctx = _getdns_tls_context_new();
+			context->tls_ctx = _getdns_tls_context_new(&context->my_mf);
 			if (context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
 
 			r = _getdns_tls_context_set_min_proto_1_2(context->tls_ctx);
 			if (r && r != GETDNS_RETURN_NOT_IMPLEMENTED) {
-				_getdns_tls_context_free(context->tls_ctx);
+				_getdns_tls_context_free(&context->my_mf, context->tls_ctx);
 				context->tls_ctx = NULL;
 				return GETDNS_RETURN_BAD_CONTEXT;
 			}
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 611fbf3b..f14603fb 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -73,14 +73,14 @@ static int _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
 	return 1;
 }
 
-static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert)
+static _getdns_tls_x509* _getdns_tls_x509_new(struct mem_funcs* mfs, X509* cert)
 {
 	_getdns_tls_x509* res;
 
 	if (!cert)
 		return NULL;
 
-	res = malloc(sizeof(_getdns_tls_x509));
+	res = GETDNS_MALLOC(*mfs, _getdns_tls_x509);
 	if (res)
 		res->ssl = cert;
 
@@ -187,11 +187,11 @@ void _getdns_tls_init()
 	(void)OPENSSL_init_ssl(0, NULL);
 }
 
-_getdns_tls_context* _getdns_tls_context_new()
+_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
 {
 	_getdns_tls_context* res;
 
-	if (!(res = malloc(sizeof(struct _getdns_tls_context))))
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context)))
 		return NULL;
 
 	/* Create client context, use TLS v1.2 only for now */
@@ -201,18 +201,18 @@ _getdns_tls_context* _getdns_tls_context_new()
 	res->ssl = SSL_CTX_new(TLSv1_2_client_method());
 #  endif
 	if(res->ssl == NULL) {
-		free(res);
+		GETDNS_FREE(*mfs, res);
 		return NULL;
 	}
 	return res;
 }
 
-getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx)
+getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx)
 {
 	if (!ctx || !ctx->ssl)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 	SSL_CTX_free(ctx->ssl);
-	free(ctx);
+	GETDNS_FREE(*mfs, ctx);
 	return GETDNS_RETURN_GOOD;
 }
 
@@ -270,25 +270,25 @@ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char*
 	return GETDNS_RETURN_GENERIC_ERROR;
 }
 
-_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd)
+_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd)
 {
 	_getdns_tls_connection* res;
 
 	if (!ctx || !ctx->ssl)
 		return NULL;
 
-	if (!(res = malloc(sizeof(struct _getdns_tls_connection))))
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_connection)))
 		return NULL;
 
 	res->ssl = SSL_new(ctx->ssl);
 	if (!res->ssl) {
-		free(res);
+		GETDNS_FREE(*mfs, res);
 		return NULL;
 	}
 
 	if (!SSL_set_fd(res->ssl, fd)) {
 		SSL_free(res->ssl);
-		free(res);
+		GETDNS_FREE(*mfs, res);
 		return NULL;
 	}
 
@@ -300,12 +300,12 @@ _getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int
 	return res;
 }
 
-getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* conn)
+getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn)
 {
 	if (!conn || !conn->ssl)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 	SSL_free(conn->ssl);
-	free(conn);
+	GETDNS_FREE(*mfs, conn);
 	return GETDNS_RETURN_GOOD;
 }
 
@@ -353,19 +353,19 @@ getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn,
 	return GETDNS_RETURN_GOOD;
 }
 
-_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn)
+_getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _getdns_tls_connection* conn)
 {
 	_getdns_tls_session* res;
 
 	if (!conn || !conn->ssl)
 		return NULL;
 
-	if (!(res = malloc(sizeof(struct _getdns_tls_session))))
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_session)))
 		return NULL;
 
 	res->ssl = SSL_get1_session(conn->ssl);
 	if (!res->ssl) {
-		free(res);
+		GETDNS_FREE(*mfs, res);
 		return NULL;
 	}
 
@@ -404,12 +404,12 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
 	}
 }
 
-_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn)
+_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(struct mem_funcs* mfs, _getdns_tls_connection* conn)
 {
 	if (!conn || !conn->ssl)
 		return NULL;
 
-	return _getdns_tls_x509_new(SSL_get_peer_certificate(conn->ssl));
+	return _getdns_tls_x509_new(mfs, SSL_get_peer_certificate(conn->ssl));
 }
 
 getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn)
@@ -552,12 +552,12 @@ getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8
 	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s)
+getdns_return_t _getdns_tls_session_free(struct mem_funcs* mfs, _getdns_tls_session* s)
 {
 	if (!s || !s->ssl)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 	SSL_SESSION_free(s->ssl);
-	free(s);
+	GETDNS_FREE(*mfs, s);
 	return GETDNS_RETURN_GOOD;
 }
 
@@ -594,22 +594,38 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict)
 	return GETDNS_RETURN_GENERIC_ERROR;
 }
 
-void _getdns_tls_x509_free(_getdns_tls_x509* cert)
+void _getdns_tls_x509_free(struct mem_funcs* mfs, _getdns_tls_x509* cert)
 {
 	if (cert && cert->ssl)
 		X509_free(cert->ssl);
-	free(cert);
+	GETDNS_FREE(*mfs, cert);
 }
 
-int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf)
+int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata)
 {
-	if (!cert || !cert->ssl)
+	unsigned char* buf = NULL;
+	int len;
+
+	if (!cert || !cert->ssl )
 		return 0;
 
-	return i2d_X509(cert->ssl, buf);
+	if (bindata == NULL)
+		return i2d_X509(cert->ssl, NULL);
+
+	len = i2d_X509(cert->ssl, &buf);
+	if (len == 0 || (bindata->data = GETDNS_XMALLOC(*mfs, uint8_t, len)) == NULL) {
+		bindata->size = 0;
+		bindata->data = NULL;
+	} else {
+		bindata->size = len;
+		(void) memcpy(bindata->data, buf, len);
+		OPENSSL_free(buf);
+	}
+
+	return len;
 }
 
-unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size)
+unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size)
 {
 	const EVP_MD* digester;
 	unsigned char* res;
@@ -637,7 +653,7 @@ unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_
 	default                : return NULL;
 	}
 
-	res = (unsigned char*) malloc(EVP_MAX_MD_SIZE);
+	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE);
 	if (!res)
 		return NULL;
 
@@ -648,7 +664,7 @@ unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_
 	return res;
 }
 
-_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size)
+_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
 {
 	const EVP_MD *digester;
 	_getdns_tls_hmac* res;
@@ -675,13 +691,13 @@ _getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t ke
 	default                : return NULL;
 	}
 
-	if (!(res = malloc(sizeof(struct _getdns_tls_hmac))))
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
 		return NULL;
 
 #ifdef HAVE_HMAC_CTX_NEW
 	res->ctx = HMAC_CTX_new();
 	if (!res->ctx) {
-		free(res);
+		GETDNS_FREE(*mfs, res);
 		return NULL;
 	}
 #else
@@ -692,7 +708,7 @@ _getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t ke
 #ifdef HAVE_HMAC_CTX_NEW
 		HMAC_CTX_free(res->ctx);
 #endif
-		free(res);
+		GETDNS_FREE(*mfs, res);
 		return NULL;
 	}
 
@@ -710,12 +726,12 @@ getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size
 		return GETDNS_RETURN_GOOD;
 }
 
-unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size)
+unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
 {
 	unsigned char* res;
 	unsigned int md_len;
 
-	res = (unsigned char*) malloc(EVP_MAX_MD_SIZE);
+	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE);
 	if (!res)
 		return NULL;
 
@@ -724,7 +740,7 @@ unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size)
 #ifdef HAVE_HMAC_CTX_NEW
 	HMAC_CTX_free(h->ctx);
 #endif
-	free(h);
+	GETDNS_FREE(*mfs, h);
 
 	if (output_size)
 		*output_size = md_len;
diff --git a/src/request-internal.c b/src/request-internal.c
index 1b2a7cb4..76ce6e3e 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -125,7 +125,7 @@ network_req_cleanup(getdns_network_req *net_req)
 		GETDNS_FREE(net_req->owner->my_mf, net_req->response);
 	if (net_req->debug_tls_peer_cert.size &&
 	    net_req->debug_tls_peer_cert.data)
-		OPENSSL_free(net_req->debug_tls_peer_cert.data);
+		GETDNS_FREE(net_req->owner->my_mf, net_req->debug_tls_peer_cert.data);
 }
 
 static uint8_t *
@@ -435,7 +435,7 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
 	gldns_buffer_write_u16(&gbuf, 0);		/* Error */
 	gldns_buffer_write_u16(&gbuf, 0);		/* Other len */
 
-	md_buf = _getdns_tls_hmac_hash(upstream->tsig_alg, upstream->tsig_key, upstream->tsig_size, (void *)req->query, gldns_buffer_current(&gbuf) - req->query, &md_len);
+	md_buf = _getdns_tls_hmac_hash(&req->owner->my_mf, upstream->tsig_alg, upstream->tsig_key, upstream->tsig_size, (void *)req->query, gldns_buffer_current(&gbuf) - req->query, &md_len);
 	if (!md_buf)
 		return req->response - req->query;
 
@@ -457,7 +457,7 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
 	gldns_buffer_write_u16(&gbuf, 0);		/* Error */
 	gldns_buffer_write_u16(&gbuf, 0);		/* Other len */
 
-	free(md_buf);
+	GETDNS_FREE(req->owner->my_mf, md_buf);
 
 	if (gldns_buffer_position(&gbuf) > gldns_buffer_limit(&gbuf))
 		return req->response - req->query;
@@ -595,14 +595,14 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	    gldns_read_uint16(req->response + 10) - 1);
 	gldns_write_uint16(req->response, original_id);
 
-	hmac = _getdns_tls_hmac_new(req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size);
+	hmac = _getdns_tls_hmac_new(&req->owner->my_mf, req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size);
 	if (!hmac)
 		return;
 
 	_getdns_tls_hmac_add(hmac, request_mac - 2, request_mac_len + 2);
 	_getdns_tls_hmac_add(hmac, req->response, rr->pos - req->response);
 	_getdns_tls_hmac_add(hmac, tsig_vars, gldns_buffer_position(&gbuf));
-	result_mac = _getdns_tls_hmac_end(hmac, &result_mac_len);
+	result_mac = _getdns_tls_hmac_end(&req->owner->my_mf, hmac, &result_mac_len);
 	if (!result_mac)
 		return;
 
@@ -612,6 +612,8 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	    memcmp(result_mac, response_mac, result_mac_len) == 0)
 		req->tsig_status = GETDNS_DNSSEC_SECURE;
 
+	GETDNS_FREE(req->owner->my_mf, result_mac);
+
 	gldns_write_uint16(req->response, gldns_read_uint16(req->query));
 	gldns_write_uint16(req->response + 10,
 	    gldns_read_uint16(req->response + 10) + 1);
diff --git a/src/stub.c b/src/stub.c
index ca4c55d0..3bbcc53f 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -830,7 +830,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 	getdns_context *context = dnsreq->context;
 	if (context->tls_ctx == NULL)
 		return NULL;
-	_getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd);
+	_getdns_tls_connection* tls = _getdns_tls_connection_new(&context->my_mf, context->tls_ctx, fd);
 	if(!tls) 
 		return NULL;
 #if HAVE_TLS_CONN_CURVES_LIST
@@ -839,7 +839,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 #endif
 	/* make sure we'll be able to find the context again when we need it */
 	if (_getdns_associate_upstream_with_connection(tls, upstream) != GETDNS_RETURN_GOOD) {
-		_getdns_tls_connection_free(tls);
+		_getdns_tls_connection_free(&context->my_mf, tls);
 		return NULL;
 	}
 
@@ -871,7 +871,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 				    "%-40s : Verify fail: *CONFIG ERROR* - No auth name or pinset provided for this upstream for Strict TLS authentication\n",
 				    upstream->addr_str);
 				upstream->tls_hs_state = GETDNS_HS_FAILED;
-				_getdns_tls_connection_free(tls);
+				_getdns_tls_connection_free(&upstream->upstreams->mf, tls);
 				upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 				return NULL;
 			}
@@ -947,7 +947,7 @@ tls_do_handshake(getdns_upstream *upstream)
 		upstream->tls_auth_state = upstream->last_tls_auth_state;
 
 	else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
-		_getdns_tls_x509* peer_cert = _getdns_tls_connection_get_peer_certificate(upstream->tls_obj);
+		_getdns_tls_x509* peer_cert = _getdns_tls_connection_get_peer_certificate(&upstream->upstreams->mf, upstream->tls_obj);
 
 		if (!peer_cert) {
 			_getdns_upstream_log(upstream,
@@ -994,7 +994,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			    "%-40s : Verify passed : TLS\n",
 			    upstream->addr_str);
 			}
-			_getdns_tls_x509_free(peer_cert);
+			_getdns_tls_x509_free(&upstream->upstreams->mf, peer_cert);
 		}
 		if (upstream->tls_auth_state == GETDNS_AUTH_FAILED
 		    && !upstream->tls_fallback_ok)
@@ -1008,8 +1008,8 @@ tls_do_handshake(getdns_upstream *upstream)
 	upstream->conn_state = GETDNS_CONN_OPEN;
 	upstream->conn_completed++;
 	if (upstream->tls_session != NULL)
-	    _getdns_tls_session_free(upstream->tls_session);
-	upstream->tls_session = _getdns_tls_connection_get_session(upstream->tls_obj);
+		_getdns_tls_session_free(&upstream->upstreams->mf, upstream->tls_session);
+	upstream->tls_session = _getdns_tls_connection_get_session(&upstream->upstreams->mf, upstream->tls_obj);
 	/* Reset timeout on success*/
 	GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
 	upstream->event.read_cb = NULL;
@@ -1634,10 +1634,9 @@ upstream_write_cb(void *userarg)
 		if (netreq->owner->return_call_reporting &&
 		    netreq->upstream->tls_obj) {
 			if (netreq->debug_tls_peer_cert.data == NULL &&
-			    (cert = _getdns_tls_connection_get_peer_certificate(netreq->upstream->tls_obj))) {
-				netreq->debug_tls_peer_cert.size = _getdns_tls_x509_to_der(
-					cert, &netreq->debug_tls_peer_cert.data);
-				_getdns_tls_x509_free(cert);
+			    (cert = _getdns_tls_connection_get_peer_certificate(&upstream->upstreams->mf, netreq->upstream->tls_obj))) {
+				_getdns_tls_x509_to_der(&upstream->upstreams->mf, cert, &netreq->debug_tls_peer_cert);
+				_getdns_tls_x509_free(&upstream->upstreams->mf, cert);
 			}
 			netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj);
 		}
diff --git a/src/tls.h b/src/tls.h
index a70ea1bb..8adc47e7 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -55,18 +55,20 @@ void _getdns_tls_init();
 /**
  * Create a new TLS context.
  *
+ * @param mfs	point to getdns memory functions.
  * @return pointer to new context or NULL on error.
  */
-_getdns_tls_context* _getdns_tls_context_new();
+_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs);
 
 /**
  * Free a TLS context.
  *
+ * @param mfs	point to getdns memory functions.
  * @param ctx	the context to free.
  * @return GETDNS_RETURN_GOOD on success.
  * @return GETDNS_RETURN_INVALID_PARAMETER if <code>ctx</code> is invalid.
  */
-getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx);
+getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx);
 
 /**
  * Set TLS 1.2 as minimum TLS version.
@@ -121,20 +123,22 @@ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char*
 /**
  * Create a new TLS connection and associate it with a file descriptior.
  *
+ * @param mfs	pointer to getdns memory functions.
  * @param ctx	the context.
  * @param fd	the file descriptor to associate with the connection.
  * @return pointer to new connection or NULL on error.
  */
-_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd);
+_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd);
 
 /**
  * Free a TLS connection.
  *
+ * @param mfs	pointer to getdns memory functions.
  * @param conn	the connection to free.
  * @return GETDNS_RETURN_GOOD on success.
  * @return GETDNS_RETURN_INVALID_PARAMETER if <code>conn</code> is invalid.
  */
-getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx);
+getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn);
 
 /**
  * Shut down a TLS connection.
@@ -184,10 +188,11 @@ getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn,
 /**
  * Get the session for this connection.
  *
+ * @param mfs	pointer to getdns memory functions.
  * @param conn	the connection.
  * @return pointer to the session or NULL on error.
  */
-_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
+_getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _getdns_tls_connection* conn);
 
 /**
  * Report the TLS version of the connection.
@@ -212,10 +217,11 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
 /**
  * Get the connection peer certificate.
  *
+ * @param mfs	pointer to getdns memory functions.
  * @param conn	the connection.
  * @return certificate or NULL on error.
  */
-_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn);
+_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(struct mem_funcs* mfs, _getdns_tls_connection* conn);
 
 /**
  * See whether the connection is reusing a session.
@@ -289,23 +295,32 @@ getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_
  */
 getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written);
 
-getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s);
+/**
+ * Free a session.
+ *
+ * @param mfs	pointer to getdns memory functions.
+ * @param s	the session.
+ * @return GETDNS_RETURN_GOOD on success.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if s is null or has no SSL.
+ */
+getdns_return_t _getdns_tls_session_free(struct mem_funcs* mfs, _getdns_tls_session* s);
 
 /**
  * Free X509 certificate.
  *
+ * @param mfs	pointer to getdns memory functions.
  * @param cert	the certificate.
  */
-void _getdns_tls_x509_free(_getdns_tls_x509* cert);
+void _getdns_tls_x509_free(struct mem_funcs* mfs, _getdns_tls_x509* cert);
 
 /**
  * Convert X509 to DER.
  *
  * @param cert	the certificate.
- * @param buf	buffer to receive conversion. NULL to just get the length.
+ * @param buf	buffer to receive conversion.
  * @return length of conversion, 0 on error.
  */
-int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf);
+int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata);
 
 /**
  * Fill in dictionary with TLS API information.
@@ -319,6 +334,7 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
 /**
  * Return buffer with HMAC hash.
  *
+ * @param mfs		pointer to getdns memory functions.
  * @param algorithm	hash algorithm to use (<code>GETDNS_HMAC_?</code>).
  * @param key		the key.
  * @param key_size	the key size.
@@ -327,17 +343,18 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
  * @param output_size	the output size will be written here if not NULL.
  * @return output	malloc'd buffer with output, NULL on error.
  */
-unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);
+unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);
 
 /**
  * Return a new HMAC handle.
  *
+ * @param mfs		pointer to getdns memory functions.
  * @param algorithm	hash algorithm to use (<code>GETDNS_HMAC_?</code>).
  * @param key		the key.
  * @param key_size	the key size.
  * @return HMAC handle or NULL on error.
  */
-_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size);
+_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size);
 
 /**
  * Add data to a HMAC.
@@ -354,10 +371,11 @@ getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size
 /**
  * Return the HMAC digest and free the handle.
  *
+ * @param mfs		pointer to getdns memory functions.
  * @param h		the HMAC.
  * @param output_size	the output size will be written here if not NULL.
  * @return output	malloc'd buffer with output, NULL on error.
  */
-unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size);
+unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size);
 
 #endif /* _GETDNS_TLS_H */
diff --git a/src/util-internal.c b/src/util-internal.c
index 0bceb002..a1cc11c5 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -933,7 +933,7 @@ _getdns_create_call_reporting_dict(
 		return NULL;
 	}
 	netreq->debug_tls_peer_cert.size = 0;
-	OPENSSL_free(netreq->debug_tls_peer_cert.data);
+	GETDNS_FREE(context->my_mf, netreq->debug_tls_peer_cert.data);
 	netreq->debug_tls_peer_cert.data = NULL;
 	return netreq_debug;
 }

From 0cdede21df0269530d5ef94b11ff5f5c2d3e1dfd Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 27 Nov 2018 15:29:48 +0000
Subject: [PATCH 182/303] Abstract SHA1 calculation.

---
 src/dnssec.c      |  5 +++--
 src/openssl/tls.c |  5 +++++
 src/tls.h         | 10 ++++++++++
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 0e0e9ba1..4e0f2af3 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -209,6 +209,7 @@
 #include "list.h"
 #include "util/val_secalgo.h"
 #include "anchor.h"
+#include "tls.h"
 
 #define SIGNATURE_VERIFIED         0x10000
 #define NSEC3_ITERATION_COUNT_HIGH 0x20000
@@ -1582,12 +1583,12 @@ static uint8_t *_getdns_nsec3_hash_label(uint8_t *label, size_t label_len,
 	(void)memcpy(dst, salt + 1, *salt);
 	dst += *salt;
 
-	(void)SHA1(buf, dst - buf, md);
+	_getdns_tls_sha1(buf, dst - buf, md);
 	if (iterations) {
 		(void)memcpy(buf + SHA_DIGEST_LENGTH, salt + 1, *salt);
 		while (iterations--) {
 			(void)memcpy(buf, md, SHA_DIGEST_LENGTH);
-			SHA1(buf, SHA_DIGEST_LENGTH + *salt, md);
+			_getdns_tls_sha1(buf, SHA_DIGEST_LENGTH + *salt, md);
 		}
 	}
 	*label = gldns_b32_ntop_extended_hex(
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index f14603fb..d3e61e5e 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -747,4 +747,9 @@ unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h,
 	return res;
 }
 
+void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
+{
+	SHA1(data, data_size, buf);
+}
+
 /* tls.c */
diff --git a/src/tls.h b/src/tls.h
index 8adc47e7..fae8e939 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -378,4 +378,14 @@ getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size
  */
 unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size);
 
+/**
+ * Calculate a SHA1 hash.
+ *
+ * @param data		the data to hash.
+ * @param data_size	the size of the data to hash.
+ * @param buf		the buffer to receive the hash. Must be at least
+ * 			SHA_DIGEST_LENGTH bytes.
+ */
+void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf);
+
 #endif /* _GETDNS_TLS_H */

From af962228fcf25e3f1bbdceff1a857b5c3394e247 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 27 Nov 2018 15:31:05 +0000
Subject: [PATCH 183/303] Abstract maximum digest length.

---
 src/openssl/tls-internal.h | 3 +++
 src/openssl/tls.c          | 2 +-
 src/request-internal.c     | 7 ++++---
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h
index 59b5b292..4b4b4b49 100644
--- a/src/openssl/tls-internal.h
+++ b/src/openssl/tls-internal.h
@@ -34,6 +34,7 @@
 #ifndef _GETDNS_TLS_INTERNAL_H
 #define _GETDNS_TLS_INTERNAL_H
 
+#include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
@@ -51,6 +52,8 @@
 #define HAVE_TLS_CONN_CURVES_LIST	(HAVE_DECL_SSL_SET1_CURVES_LIST)
 #endif
 
+#define GETDNS_TLS_MAX_DIGEST_LENGTH	(EVP_MAX_MD_SIZE)
+
 typedef struct _getdns_tls_context {
 	SSL_CTX* ssl;
 } _getdns_tls_context;
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index d3e61e5e..9569fe89 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -653,7 +653,7 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
 	default                : return NULL;
 	}
 
-	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE);
+	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH);
 	if (!res)
 		return NULL;
 
diff --git a/src/request-internal.c b/src/request-internal.c
index 76ce6e3e..c0f347af 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -44,6 +44,7 @@
 #include "debug.h"
 #include "convert.h"
 #include "general.h"
+#include "tls.h"
 
 /* MAXIMUM_TSIG_SPACE = TSIG name      (dname)    : 256
  *                      TSIG type      (uint16_t) :   2
@@ -54,15 +55,15 @@
  *                      Time Signed    (uint48_t) :   6
  *                      Fudge          (uint16_t) :   2
  *                      Mac Size       (uint16_t) :   2
- *                      Mac            (variable) :   EVP_MAX_MD_SIZE
+ *                      Mac            (variable) :   GETDNS_TLS_MAX_DIGEST_LENGTH
  *                      Original Id    (uint16_t) :   2
  *                      Error          (uint16_t) :   2
  *                      Other Len      (uint16_t) :   2
  *                      Other Data     (nothing)  :   0
  *                                                 ---- +
- *                                                  538 + EVP_MAX_MD_SIZE
+ *                                                  538 + GETDNS_TLS_MAX_DIGEST_LENGTH
  */
-#define MAXIMUM_TSIG_SPACE (538 + EVP_MAX_MD_SIZE)
+#define MAXIMUM_TSIG_SPACE (538 + GETDNS_TLS_MAX_DIGEST_LENGTH)
 
 getdns_dict  dnssec_ok_checking_disabled_spc = {
 	{ RBTREE_NULL, 0, (int (*)(const void *, const void *)) strcmp },

From 26bcddd02916b8f5a910063c2db898be026d11b9 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 27 Nov 2018 15:31:33 +0000
Subject: [PATCH 184/303] Abstract cookie SHA256 calculation.

---
 src/openssl/tls.c | 19 ++++++++++++++++++-
 src/stub.c        | 14 +++-----------
 src/tls.h         | 11 +++++++++++
 3 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 9569fe89..72e8645b 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -731,7 +731,7 @@ unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h,
 	unsigned char* res;
 	unsigned int md_len;
 
-	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE);
+	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH);
 	if (!res)
 		return NULL;
 
@@ -752,4 +752,21 @@ void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
 	SHA1(data, data_size, buf);
 }
 
+void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen)
+{
+	const EVP_MD *md;
+	EVP_MD_CTX *mdctx;
+	unsigned int md_len;
+
+	md = EVP_sha256();
+	mdctx = EVP_MD_CTX_create();
+	EVP_DigestInit_ex(mdctx, md, NULL);
+	EVP_DigestUpdate(mdctx, &secret, sizeof(secret));
+	EVP_DigestUpdate(mdctx, addr, addrlen);
+	EVP_DigestFinal_ex(mdctx, buf, &md_len);
+	EVP_MD_CTX_destroy(mdctx);
+
+	*buflen = md_len;
+}
+
 /* tls.c */
diff --git a/src/stub.c b/src/stub.c
index 3bbcc53f..f1421edb 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -121,10 +121,8 @@ rollover_secret()
 static void
 calc_new_cookie(getdns_upstream *upstream, uint8_t *cookie)
 {
-        const EVP_MD *md;
-        EVP_MD_CTX *mdctx;
-        unsigned char md_value[EVP_MAX_MD_SIZE];
-        unsigned int md_len;
+        unsigned char md_value[GETDNS_TLS_MAX_DIGEST_LENGTH];
+        size_t md_len;
         size_t i;
         sa_family_t af = upstream->addr.ss_family;
         void *sa_addr = ((struct sockaddr*)&upstream->addr)->sa_data;
@@ -132,13 +130,7 @@ calc_new_cookie(getdns_upstream *upstream, uint8_t *cookie)
 	                  : af == AF_INET  ? sizeof(struct sockaddr_in)
 	                  : 0 ) - sizeof(sa_family_t);
 
-        md = EVP_sha256();
-        mdctx = EVP_MD_CTX_create();
-        EVP_DigestInit_ex(mdctx, md, NULL);
-        EVP_DigestUpdate(mdctx, &secret, sizeof(secret));
-        EVP_DigestUpdate(mdctx, sa_addr, addr_len);
-        EVP_DigestFinal_ex(mdctx, md_value, &md_len);
-        EVP_MD_CTX_destroy(mdctx);
+	_getdns_tls_cookie_sha256(secret, sa_addr, addr_len, md_value, &md_len);
 
         (void) memset(cookie, 0, 8);
         for (i = 0; i < md_len; i++)
diff --git a/src/tls.h b/src/tls.h
index fae8e939..434d79fb 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -388,4 +388,15 @@ unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h,
  */
 void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf);
 
+/**
+ * Calculate SHA256 for cookie.
+ *
+ * @param secret	the secret.
+ * @param addr		the address.
+ * @param addrlen	the address length.
+ * @param buf		buffer to receive hash.
+ * @param buflen	receive the hash length.
+ */
+void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen);
+
 #endif /* _GETDNS_TLS_H */

From c101a7a0210bd0d3e287de9b7513e7fd806a5e3a Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 27 Nov 2018 15:41:23 +0000
Subject: [PATCH 185/303] Abstract context DANE initialisation.

---
 src/context.c     |  9 +--------
 src/openssl/tls.c | 12 ++++++++++++
 src/tls.h         |  8 +++++++-
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/src/context.c b/src/context.c
index e5ddf9a6..ddda54de 100644
--- a/src/context.c
+++ b/src/context.c
@@ -3572,14 +3572,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}
-#   if defined(STUB_DEBUG) && STUB_DEBUG
-			int osr =
-#   else
-			(void)
-#   endif
-				SSL_CTX_dane_enable(context->tls_ctx->ssl);
-			DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
-			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+			_getdns_tls_context_dane_init(context->tls_ctx);
 		}
 	}
 
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 72e8645b..2387faf4 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -216,6 +216,18 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont
 	return GETDNS_RETURN_GOOD;
 }
 
+void _getdns_tls_context_dane_init(_getdns_tls_context* ctx)
+{
+#   if defined(STUB_DEBUG) && STUB_DEBUG
+	int osr =
+#   else
+	(void)
+#   endif
+		SSL_CTX_dane_enable(ctx->ssl);
+		DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
+		          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+}
+
 getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
 {
 #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
diff --git a/src/tls.h b/src/tls.h
index 434d79fb..7a98a140 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -70,6 +70,13 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs);
  */
 getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx);
 
+/**
+ * Initialise any shared state for DANE checking.
+ *
+ * @param ctx	the context to initialise.
+ */
+void _getdns_tls_context_dane_init(_getdns_tls_context* ctx);
+
 /**
  * Set TLS 1.2 as minimum TLS version.
  *
@@ -103,7 +110,6 @@ getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, co
  */
 getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list);
 
-
 /**
  * Set certificate authority details.
  *

From e3b007a43a24a3b0783c6c8deac24c5ec13b7eef Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 27 Nov 2018 16:59:47 +0100
Subject: [PATCH 186/303] Issue #410: Document ownership with
 getdns_context_get_api_information()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

+ const for extensions and namespaces
TODO: Look at other cases that are not const for no good reason.

Thanks Stefan Bühler
---
 ChangeLog                      |  1 +
 src/context.c                  |  2 +-
 src/general.c                  | 32 ++++++++++++++++----------------
 src/general.h                  |  8 ++++----
 src/getdns/getdns.h.in         | 24 +++++++++++++-----------
 src/request-internal.c         |  6 +++---
 src/sync.c                     | 10 +++++-----
 src/types-internal.h           |  3 ++-
 src/util/orig-headers/rbtree.h |  2 +-
 src/util/rbtree.c              |  2 +-
 10 files changed, 47 insertions(+), 43 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4a87df27..2ba1508e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 * 2018-0?-??: Version 1.4.3
+  * Issue #410: Unspecified ownership of get_api_information()
   * Fix for DNSSEC bug in finding most specific key when
     trust anchor proves non-existance of one of the labels
     along the authentication chain other than the non-
diff --git a/src/context.c b/src/context.c
index 7b879f60..6dcbe489 100644
--- a/src/context.c
+++ b/src/context.c
@@ -2132,7 +2132,7 @@ getdns_context_set_resolution_type(struct getdns_context *context,
  */
 getdns_return_t
 getdns_context_set_namespaces(getdns_context *context,
-    size_t namespace_count, getdns_namespace_t *namespaces)
+    size_t namespace_count, const getdns_namespace_t *namespaces)
 {
 	size_t i;
 	getdns_return_t r = GETDNS_RETURN_GOOD;
diff --git a/src/general.c b/src/general.c
index 3e50124d..9de1d510 100644
--- a/src/general.c
+++ b/src/general.c
@@ -492,7 +492,7 @@ extformatcmp(const void *a, const void *b)
 
 /*---------------------------------------- validate_extensions */
 static getdns_return_t
-validate_extensions(struct getdns_dict * extensions)
+validate_extensions(const getdns_dict * extensions)
 {
 	/**
 	  * this is a comprehensive list of extensions and their data types
@@ -555,7 +555,7 @@ validate_extensions(struct getdns_dict * extensions)
 
 static getdns_return_t
 getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
-    const char *name, uint16_t request_type, getdns_dict *extensions,
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
     void *userarg, getdns_network_req **return_netreq_p,
     getdns_callback_t callbackfn, internal_cb_t internal_cb, int usenamespaces)
 {
@@ -706,7 +706,7 @@ getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
 
 getdns_return_t
 _getdns_general_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, uint16_t request_type, getdns_dict *extensions,
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
     void *userarg, getdns_network_req **netreq_p,
     getdns_callback_t callback, internal_cb_t internal_cb)
 {
@@ -718,33 +718,33 @@ _getdns_general_loop(getdns_context *context, getdns_eventloop *loop,
 
 getdns_return_t
 _getdns_address_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, getdns_dict *extensions, void *userarg,
+    const char *name, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callback)
 {
-	getdns_dict *my_extensions = extensions;
+	getdns_dict *my_extensions = NULL;
 	getdns_return_t r;
 	uint32_t value;
 	getdns_network_req *netreq = NULL;
 
-	if (!my_extensions) {
+	if (!extensions) {
 		if (!(my_extensions=getdns_dict_create_with_context(context)))
 			return GETDNS_RETURN_MEMORY_ERROR;
 	} else if (
-	    getdns_dict_get_int(my_extensions, "return_both_v4_and_v6", &value)
+	    getdns_dict_get_int(extensions, "return_both_v4_and_v6", &value)
 	    && (r = _getdns_dict_copy(extensions, &my_extensions)))
 		return r;
 
-	if (my_extensions != extensions && (r = getdns_dict_set_int(
+	if (my_extensions && (r = getdns_dict_set_int(
 	    my_extensions, "return_both_v4_and_v6", GETDNS_EXTENSION_TRUE)))
 		return r;
 
 	r = getdns_general_ns(context, loop,
-	    name, GETDNS_RRTYPE_AAAA, my_extensions,
+	    name, GETDNS_RRTYPE_AAAA, my_extensions ? my_extensions : extensions,
 	    userarg, &netreq, callback, NULL, 1);
 	if (netreq && transaction_id)
 		*transaction_id = netreq->owner->trans_id;
 
-	if (my_extensions != extensions)
+	if (my_extensions)
 		getdns_dict_destroy(my_extensions);
 
 	return r;
@@ -752,7 +752,7 @@ _getdns_address_loop(getdns_context *context, getdns_eventloop *loop,
 
 getdns_return_t
 _getdns_hostname_loop(getdns_context *context, getdns_eventloop *loop,
-    getdns_dict *address, getdns_dict *extensions, void *userarg,
+    const getdns_dict *address, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callback)
 {
 	struct getdns_bindata *address_data;
@@ -842,7 +842,7 @@ _getdns_hostname_loop(getdns_context *context, getdns_eventloop *loop,
 
 getdns_return_t
 _getdns_service_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, getdns_dict *extensions, void *userarg,
+    const char *name, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t * transaction_id, getdns_callback_t callback)
 {
 	getdns_return_t r;
@@ -859,7 +859,7 @@ _getdns_service_loop(getdns_context *context, getdns_eventloop *loop,
  */
 getdns_return_t
 getdns_general(getdns_context *context,
-    const char *name, uint16_t request_type, getdns_dict *extensions,
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
     void *userarg, getdns_transaction_t * transaction_id,
     getdns_callback_t callbackfn)
 {
@@ -881,7 +881,7 @@ getdns_general(getdns_context *context,
  */
 getdns_return_t
 getdns_address(getdns_context *context,
-    const char *name, getdns_dict *extensions, void *userarg,
+    const char *name, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn)
 {
 	if (!context) return GETDNS_RETURN_INVALID_PARAMETER;
@@ -896,7 +896,7 @@ getdns_address(getdns_context *context,
  */
 getdns_return_t
 getdns_hostname(getdns_context *context,
-    getdns_dict *address, getdns_dict *extensions, void *userarg,
+    const getdns_dict *address, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn)
 {
 	if (!context) return GETDNS_RETURN_INVALID_PARAMETER;
@@ -910,7 +910,7 @@ getdns_hostname(getdns_context *context,
  */
 getdns_return_t
 getdns_service(getdns_context *context,
-    const char *name, getdns_dict *extensions, void *userarg,
+    const char *name, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn)
 {
 	if (!context) return GETDNS_RETURN_INVALID_PARAMETER;
diff --git a/src/general.h b/src/general.h
index e0860c78..f99c1b46 100644
--- a/src/general.h
+++ b/src/general.h
@@ -63,25 +63,25 @@ int _getdns_submit_netreq(getdns_network_req *netreq, uint64_t *now_ms);
 
 getdns_return_t
 _getdns_general_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, uint16_t request_type, getdns_dict *extensions,
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
     void *userarg, getdns_network_req **netreq_p,
     getdns_callback_t callbackfn, internal_cb_t internal_cb);
 
 getdns_return_t
 _getdns_address_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, getdns_dict *extensions,
+    const char *name, const getdns_dict *extensions,
     void *userarg, getdns_transaction_t *transaction_id,
     getdns_callback_t callbackfn);
 
 getdns_return_t
 _getdns_hostname_loop(getdns_context *context, getdns_eventloop *loop,
-    getdns_dict *address, getdns_dict *extensions,
+    const getdns_dict *address, const getdns_dict *extensions,
     void *userarg, getdns_transaction_t *transaction_id,
     getdns_callback_t callbackfn);
 
 getdns_return_t
 _getdns_service_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, getdns_dict *extensions,
+    const char *name, const getdns_dict *extensions,
     void *userarg, getdns_transaction_t *transaction_id,
     getdns_callback_t callbackfn);
 
diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in
index 23e59cf4..aa7ae128 100644
--- a/src/getdns/getdns.h.in
+++ b/src/getdns/getdns.h.in
@@ -1030,7 +1030,7 @@ getdns_return_t
 getdns_general(getdns_context *context,
     const char *name,
     uint16_t request_type,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     void *userarg,
     getdns_transaction_t * transaction_id, getdns_callback_t callbackfn);
 
@@ -1048,7 +1048,7 @@ getdns_general(getdns_context *context,
 getdns_return_t
 getdns_address(getdns_context *context,
     const char *name,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     void *userarg,
     getdns_transaction_t * transaction_id, getdns_callback_t callbackfn);
 
@@ -1065,8 +1065,8 @@ getdns_address(getdns_context *context,
  */
 getdns_return_t
 getdns_hostname(getdns_context *context,
-    getdns_dict *address,
-    getdns_dict *extensions,
+    const getdns_dict *address,
+    const getdns_dict *extensions,
     void *userarg,
     getdns_transaction_t * transaction_id, getdns_callback_t callbackfn);
 
@@ -1084,7 +1084,7 @@ getdns_hostname(getdns_context *context,
 getdns_return_t
 getdns_service(getdns_context *context,
     const char *name,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     void *userarg,
     getdns_transaction_t * transaction_id, getdns_callback_t callbackfn);
 /** @}
@@ -1201,7 +1201,7 @@ getdns_return_t
 getdns_general_sync(getdns_context *context,
     const char *name,
     uint16_t request_type,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     getdns_dict **response);
 
 /**
@@ -1216,7 +1216,7 @@ getdns_general_sync(getdns_context *context,
 getdns_return_t
 getdns_address_sync(getdns_context *context,
     const char *name,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     getdns_dict **response);
 
 /**
@@ -1230,8 +1230,8 @@ getdns_address_sync(getdns_context *context,
  */
 getdns_return_t
 getdns_hostname_sync(getdns_context *context,
-    getdns_dict *address,
-    getdns_dict *extensions,
+    const getdns_dict *address,
+    const getdns_dict *extensions,
     getdns_dict **response);
 
 /**
@@ -1246,7 +1246,7 @@ getdns_hostname_sync(getdns_context *context,
 getdns_return_t
 getdns_service_sync(getdns_context *context,
     const char *name,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     getdns_dict **response);
 
 /** @}
@@ -1444,7 +1444,7 @@ getdns_context_set_resolution_type(getdns_context *context,
  */
 getdns_return_t
 getdns_context_set_namespaces(getdns_context *context,
-    size_t namespace_count, getdns_namespace_t *namespaces);
+    size_t namespace_count, const getdns_namespace_t *namespaces);
 
 /**
  * Specifies what transport are used for DNS lookups. The default is
@@ -1812,6 +1812,8 @@ getdns_context_set_extended_memory_functions(getdns_context *context,
  *            GETDNS_RESOLUTION_STUB.
  *         - all_context (a dict) with names for all the other settings in
  *           context.
+ *         The application is responsible for cleaning up the returned dictionary 
+ *         object with getdns_dict_destroy.
  */
 getdns_dict*
 getdns_context_get_api_information(getdns_context* context);
diff --git a/src/request-internal.c b/src/request-internal.c
index 89476717..46c77e05 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -92,7 +92,7 @@ getdns_dict *no_dnssec_checking_disabled_opportunistic
     = &no_dnssec_checking_disabled_opportunistic_spc;
 
 static int
-is_extension_set(getdns_dict *extensions, const char *name, int default_value)
+is_extension_set(const getdns_dict *extensions, const char *name, int default_value)
 {
 	getdns_return_t r;
 	uint32_t value;
@@ -167,7 +167,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
     int with_opt, int edns_maximum_udp_payload_size,
     uint8_t edns_extended_rcode, uint8_t edns_version, int edns_do_bit,
     uint16_t opt_options_size, size_t noptions, getdns_list *options,
-    size_t wire_data_sz, size_t max_query_sz, getdns_dict *extensions)
+    size_t wire_data_sz, size_t max_query_sz, const getdns_dict *extensions)
 {
 	uint8_t *buf;
 	getdns_dict    *option;
@@ -699,7 +699,7 @@ static const uint8_t no_suffixes[] = { 1, 0 };
 /* create a new dns req to be submitted */
 getdns_dns_req *
 _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
-    const char *name, uint16_t request_type, getdns_dict *extensions,
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
     uint64_t *now_ms)
 {
 	int dnssec_return_status                 = is_extension_set(
diff --git a/src/sync.c b/src/sync.c
index e592e7d1..bcf66e6f 100644
--- a/src/sync.c
+++ b/src/sync.c
@@ -164,7 +164,7 @@ getdns_sync_cb(getdns_context *context, getdns_callback_type_t callback_type,
 
 getdns_return_t
 getdns_general_sync(getdns_context *context, const char *name,
-    uint16_t request_type, getdns_dict *extensions, getdns_dict **response)
+    uint16_t request_type, const getdns_dict *extensions, getdns_dict **response)
 {
 	getdns_sync_data data;
 	getdns_return_t r;
@@ -190,7 +190,7 @@ getdns_general_sync(getdns_context *context, const char *name,
 
 getdns_return_t
 getdns_address_sync(getdns_context *context, const char *name,
-    getdns_dict *extensions, getdns_dict **response)
+    const getdns_dict *extensions, getdns_dict **response)
 {
 	getdns_sync_data data;
 	getdns_return_t r;
@@ -215,8 +215,8 @@ getdns_address_sync(getdns_context *context, const char *name,
 }
 
 getdns_return_t
-getdns_hostname_sync(getdns_context *context, getdns_dict *address,
-    getdns_dict *extensions, getdns_dict **response)
+getdns_hostname_sync(getdns_context *context, const getdns_dict *address,
+    const getdns_dict *extensions, getdns_dict **response)
 {
 	getdns_sync_data data;
 	getdns_return_t r;
@@ -242,7 +242,7 @@ getdns_hostname_sync(getdns_context *context, getdns_dict *address,
 
 getdns_return_t
 getdns_service_sync(getdns_context *context, const char *name,
-    getdns_dict *extensions, getdns_dict **response)
+    const getdns_dict *extensions, getdns_dict **response)
 {
 	getdns_sync_data data;
 	getdns_return_t r;
diff --git a/src/types-internal.h b/src/types-internal.h
index a97b1719..e36b1f60 100644
--- a/src/types-internal.h
+++ b/src/types-internal.h
@@ -431,7 +431,8 @@ extern getdns_dict *no_dnssec_checking_disabled_opportunistic;
 
 /* dns request utils */
 getdns_dns_req *_getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
-    const char *name, uint16_t request_type, getdns_dict *extensions, uint64_t *now_ms);
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
+    uint64_t *now_ms);
 
 void _getdns_dns_req_free(getdns_dns_req * req);
 
diff --git a/src/util/orig-headers/rbtree.h b/src/util/orig-headers/rbtree.h
index dfcf09ac..2768c2c5 100644
--- a/src/util/orig-headers/rbtree.h
+++ b/src/util/orig-headers/rbtree.h
@@ -143,7 +143,7 @@ int rbtree_find_less_equal(rbtree_type *rbtree, const void *key,
  * @param rbtree: tree
  * @return: smallest element or NULL if tree empty.
  */
-rbnode_type *rbtree_first(rbtree_type *rbtree);
+rbnode_type *rbtree_first(const rbtree_type *rbtree);
 
 /**
  * Returns last (largest) node in the tree
diff --git a/src/util/rbtree.c b/src/util/rbtree.c
index f031c9a1..ff4e3e46 100644
--- a/src/util/rbtree.c
+++ b/src/util/rbtree.c
@@ -546,7 +546,7 @@ rbtree_find_less_equal(rbtree_type *rbtree, const void *key,
  *
  */
 rbnode_type *
-rbtree_first (rbtree_type *rbtree)
+rbtree_first (const rbtree_type *rbtree)
 {
 	rbnode_type *node;
 

From e60d8526371424fed330e8f1f22047d7e16f8dc7 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 27 Nov 2018 16:55:33 +0000
Subject: [PATCH 187/303] Common OpenSSL digester selection.

---
 src/openssl/tls.c | 79 +++++++++++++++++++++--------------------------
 1 file changed, 35 insertions(+), 44 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 2387faf4..de913b42 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -87,6 +87,35 @@ static _getdns_tls_x509* _getdns_tls_x509_new(struct mem_funcs* mfs, X509* cert)
 	return res;
 }
 
+static const EVP_MD* get_digester(int algorithm)
+{
+	const EVP_MD* digester;
+
+	switch (algorithm) {
+#ifdef HAVE_EVP_MD5
+	case GETDNS_HMAC_MD5   : digester = EVP_md5()   ; break;
+#endif
+#ifdef HAVE_EVP_SHA1
+	case GETDNS_HMAC_SHA1  : digester = EVP_sha1()  ; break;
+#endif
+#ifdef HAVE_EVP_SHA224
+	case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break;
+#endif
+#ifdef HAVE_EVP_SHA256
+	case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break;
+#endif
+#ifdef HAVE_EVP_SHA384
+	case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break;
+#endif
+#ifdef HAVE_EVP_SHA512
+	case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break;
+#endif
+	default                : digester = NULL;
+	}
+
+	return digester;
+}
+
 #ifdef USE_WINSOCK
 /* For windows, the CA trust store is not read by openssl.
    Add code to open the trust store using wincrypt API and add
@@ -639,31 +668,12 @@ int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdn
 
 unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size)
 {
-	const EVP_MD* digester;
+	const EVP_MD* digester = get_digester(algorithm);
 	unsigned char* res;
 	unsigned int md_len;
 
-	switch (algorithm) {
-#ifdef HAVE_EVP_MD5
-	case GETDNS_HMAC_MD5   : digester = EVP_md5()   ; break;
-#endif
-#ifdef HAVE_EVP_SHA1
-	case GETDNS_HMAC_SHA1  : digester = EVP_sha1()  ; break;
-#endif
-#ifdef HAVE_EVP_SHA224
-	case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break;
-#endif
-#ifdef HAVE_EVP_SHA256
-	case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break;
-#endif
-#ifdef HAVE_EVP_SHA384
-	case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break;
-#endif
-#ifdef HAVE_EVP_SHA512
-	case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break;
-#endif
-	default                : return NULL;
-	}
+	if (!digester)
+		return NULL;
 
 	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH);
 	if (!res)
@@ -678,30 +688,11 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
 
 _getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
 {
-	const EVP_MD *digester;
+	const EVP_MD *digester = get_digester(algorithm);
 	_getdns_tls_hmac* res;
 
-	switch (algorithm) {
-#ifdef HAVE_EVP_MD5
-	case GETDNS_HMAC_MD5   : digester = EVP_md5()   ; break;
-#endif
-#ifdef HAVE_EVP_SHA1
-	case GETDNS_HMAC_SHA1  : digester = EVP_sha1()  ; break;
-#endif
-#ifdef HAVE_EVP_SHA224
-	case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break;
-#endif
-#ifdef HAVE_EVP_SHA256
-	case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break;
-#endif
-#ifdef HAVE_EVP_SHA384
-	case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break;
-#endif
-#ifdef HAVE_EVP_SHA512
-	case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break;
-#endif
-	default                : return NULL;
-	}
+	if (!digester)
+		return NULL;
 
 	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
 		return NULL;

From c4a3f758444a97c72a1e7688d1064f9161856319 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 27 Nov 2018 18:03:27 +0000
Subject: [PATCH 188/303] Correct make depend generation for TLS directory.

---
 src/Makefile.in | 64 ++++++++++++++++++++++++-------------------------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/src/Makefile.in b/src/Makefile.in
index 88a239ac..05e32b6f 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -279,7 +279,7 @@ depend:
 		    -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \
 		    -e 's? util/? $$(srcdir)/util/?g' \
 		    -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
-		    -e 's? $$(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g' \
+		    -e 's? $(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g' \
 		    -e 's? yxml/? $$(srcdir)/yxml/?g' \
 		    -e 's? extension/? $$(srcdir)/extension/?g' \
 		    -e 's? \.\./stubby/? $$(stubbysrcdir)/?g' \
@@ -311,7 +311,7 @@ context.lo context.o: $(srcdir)/context.c config.h \
  $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
  $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h \
  $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h
 convert.lo convert.o: $(srcdir)/convert.c config.h \
@@ -321,7 +321,7 @@ convert.lo convert.o: $(srcdir)/convert.c config.h \
  $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
  $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
  $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
- $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
  $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h \
  $(srcdir)/debug.h
 dict.lo dict.o: $(srcdir)/dict.c config.h \
@@ -331,7 +331,7 @@ dict.lo dict.o: $(srcdir)/dict.c config.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \
  $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h
 dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
  $(srcdir)/debug.h getdns/getdns.h \
@@ -340,9 +340,9 @@ dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
  $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \
  $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h
 general.lo general.o: $(srcdir)/general.c config.h \
  $(srcdir)/general.h getdns/getdns.h \
@@ -351,7 +351,7 @@ general.lo general.o: $(srcdir)/general.c config.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
  $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h
 list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \
  getdns/getdns.h \
@@ -360,7 +360,7 @@ list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \
  config.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h
 mdns.lo mdns.o: $(srcdir)/mdns.c config.h \
  $(srcdir)/debug.h $(srcdir)/context.h \
  getdns/getdns.h \
@@ -368,7 +368,7 @@ mdns.lo mdns.o: $(srcdir)/mdns.c config.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/general.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
 platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \
  config.h
@@ -379,7 +379,7 @@ request-internal.lo request-internal.o: $(srcdir)/request-internal.c \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/rrdef.h \
  $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h
 rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
  config.h \
@@ -389,7 +389,7 @@ rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \
- $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dict.h
+ $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h
 rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
  config.h \
  getdns/getdns.h \
@@ -400,7 +400,7 @@ server.lo server.o: $(srcdir)/server.c config.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/debug.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/debug.h \
  $(srcdir)/util-internal.h $(srcdir)/platform.h
 stub.lo stub.o: $(srcdir)/stub.c config.h \
  $(srcdir)/debug.h $(srcdir)/stub.h \
@@ -411,7 +411,7 @@ stub.lo stub.o: $(srcdir)/stub.c config.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \
  $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
  $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \
- $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \
+ $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \
  $(srcdir)/pubkey-pinning.h
 sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \
  config.h $(srcdir)/context.h \
@@ -419,7 +419,7 @@ sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/general.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \
  $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
 ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \
  config.h
@@ -431,13 +431,13 @@ util-internal.lo util-internal.o: $(srcdir)/util-internal.c \
  $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
  $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
  $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
- $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \
+ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \
  $(srcdir)/gldns/rrdef.h
 gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
  config.h $(srcdir)/gldns/gbuffer.h
 keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
  config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h
+ $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
 parse.lo parse.o: $(srcdir)/gldns/parse.c \
  config.h $(srcdir)/gldns/parse.h \
  $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
@@ -453,7 +453,7 @@ str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
 wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
  config.h $(srcdir)/gldns/wire2str.h \
  $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h
 arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
  config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
@@ -499,44 +499,44 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
  $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/orig-headers/rbtree.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
-anchor.lo anchor.o: $(srcdir)/openssl/anchor.c \
+anchor.lo anchor.o: $(srcdir)/$(tlsdir)/anchor.c \
  config.h $(srcdir)/debug.h $(srcdir)/anchor.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/types-internal.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h $(srcdir)/ub_loop.h \
- $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
  $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/str2wire.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/openssl/keyraw-internal.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/platform.h
-keyraw-internal.lo keyraw-internal.o: $(srcdir)/openssl/keyraw-internal.c \
+ $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/platform.h
+keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c \
  config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h
-pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \
+ $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
+pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/$(tlsdir)/pubkey-pinning.c \
  config.h $(srcdir)/debug.h \
  getdns/getdns.h $(srcdir)/context.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/context.h $(srcdir)/openssl/pubkey-pinning-internal.h
-tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/context.h $(srcdir)/$(tlsdir)/pubkey-pinning-internal.h
+tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c config.h \
  $(srcdir)/debug.h $(srcdir)/context.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/tls.h
-val_secalgo.lo val_secalgo.o: $(srcdir)/openssl/val_secalgo.c \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/tls.h
+val_secalgo.lo val_secalgo.o: $(srcdir)/$(tlsdir)/val_secalgo.c \
  config.h \
- $(srcdir)/util/auxiliary/util/data/packed_rrset.h $(srcdir)/openssl/validator/val_secalgo.h \
- $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h $(srcdir)/openssl/validator/val_nsec3.h \
+ $(srcdir)/util/auxiliary/util/data/packed_rrset.h $(srcdir)/$(tlsdir)/validator/val_secalgo.h \
+ $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h $(srcdir)/$(tlsdir)/validator/val_nsec3.h \
  $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/openssl/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h
+ $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h
 yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
 libev.lo libev.o: $(srcdir)/extension/libev.c \
  config.h $(srcdir)/types-internal.h \
@@ -561,7 +561,7 @@ poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h
 select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \
  config.h $(srcdir)/debug.h \
  $(srcdir)/types-internal.h \

From 153e766edf437298688c2d1ee25990f36da08bc0 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 27 Nov 2018 18:04:14 +0000
Subject: [PATCH 189/303] tls.h uses struct mem_funcs in types-internal.h.

---
 src/tls.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/tls.h b/src/tls.h
index 7a98a140..d475ee53 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -36,6 +36,8 @@
 
 #include "getdns/getdns.h"
 
+#include "types-internal.h"
+
 #include "tls-internal.h"
 
 /* Forward declare type. */

From c1f51815baf43d6c35d8c97f4d12e9708b395aca Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 30 Nov 2018 14:20:12 +0100
Subject: [PATCH 190/303] RFE #408: "dnssec" extension requiring DNSSEC

When this extension is set, GETDNS_DNSSEC_INDETERMINATE status will no
longer be returned.
---
 ChangeLog                |  5 ++++-
 src/context.c            |  6 ++++++
 src/context.h            |  1 +
 src/dict.c               |  1 +
 src/general.c            |  4 ++++
 src/request-internal.c   |  7 ++++++-
 src/tools/getdns_query.c |  1 +
 src/types-internal.h     |  1 +
 src/util-internal.c      | 12 +++++++++---
 9 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2ba1508e..f5626102 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
-* 2018-0?-??: Version 1.4.3
+* 2018-??-??: Version 1.4.3
+  * RFE #408: A "dnssec" extension that requires DNSSEC
+    verification.  When this extension is set, Indeterminate
+    DNSSEC status will noging be returned.
   * Issue #410: Unspecified ownership of get_api_information()
   * Fix for DNSSEC bug in finding most specific key when
     trust anchor proves non-existance of one of the labels
diff --git a/src/context.c b/src/context.c
index 6dcbe489..51ef96c2 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1655,6 +1655,7 @@ getdns_context_create_with_extended_memory_functions(
 	result->header = NULL;
 	result->add_opt_parameters = NULL;
 	result->add_warning_for_bad_dns = 0;
+	result->dnssec = 0;
 	result->dnssec_return_all_statuses = 0;
 	result->dnssec_return_full_validation_chain = 0;
 	result->dnssec_return_only_secure = 0;
@@ -4129,6 +4130,10 @@ _get_context_settings(getdns_context* context)
 	    result, "dnssec_return_full_validation_chain",
 	    context->dnssec_return_full_validation_chain ? GETDNS_EXTENSION_TRUE
 	                                                 : GETDNS_EXTENSION_FALSE);
+	(void)getdns_dict_set_int(
+	    result, "dnssec",
+	    context->dnssec ? GETDNS_EXTENSION_TRUE : GETDNS_EXTENSION_FALSE);
+
 	(void)getdns_dict_set_int(
 	    result, "dnssec_return_only_secure",
 	    context->dnssec_return_only_secure ? GETDNS_EXTENSION_TRUE
@@ -4974,6 +4979,7 @@ _getdns_context_config_setting(getdns_context *context,
 	/****                              ****/
 	/**************************************/
 	EXTENSION_SETTING_BOOL(add_warning_for_bad_dns)
+	EXTENSION_SETTING_BOOL(dnssec)
 	EXTENSION_SETTING_BOOL(dnssec_return_all_statuses)
 	EXTENSION_SETTING_BOOL(dnssec_return_full_validation_chain)
 	EXTENSION_SETTING_BOOL(dnssec_return_only_secure)
diff --git a/src/context.h b/src/context.h
index 29890928..c0080930 100644
--- a/src/context.h
+++ b/src/context.h
@@ -442,6 +442,7 @@ struct getdns_context {
 	getdns_dict *header;
 	getdns_dict *add_opt_parameters;
 	unsigned add_warning_for_bad_dns             : 1;
+	unsigned dnssec                              : 1;
 	unsigned dnssec_return_all_statuses          : 1;
 	unsigned dnssec_return_full_validation_chain : 1;
 	unsigned dnssec_return_only_secure           : 1;
diff --git a/src/dict.c b/src/dict.c
index 3a454516..02d3f20f 100644
--- a/src/dict.c
+++ b/src/dict.c
@@ -1083,6 +1083,7 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent,
 
 			     /* extensions */
 			     strcmp(item->node.key, "add_warning_for_bad_dns") == 0 ||
+			     strcmp(item->node.key, "dnssec") == 0 ||
 			     strcmp(item->node.key, "dnssec_return_all_statuses") == 0 ||
 			     strcmp(item->node.key, "dnssec_return_full_validation_chain") == 0 ||
 			     strcmp(item->node.key, "dnssec_return_only_secure") == 0 ||
diff --git a/src/general.c b/src/general.c
index 9de1d510..2cfec678 100644
--- a/src/general.c
+++ b/src/general.c
@@ -218,12 +218,14 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
 	        && !dns_req->avoid_dnssec_roadblocks
 	        && (dns_req->dnssec_return_status ||
 	            dns_req->dnssec_return_only_secure ||
+	            dns_req->dnssec ||
 	            dns_req->dnssec_return_all_statuses
 	           ))
 #endif
 	    || (   dns_req->context->resolution_type == GETDNS_RESOLUTION_RECURSING
 	       && (dns_req->dnssec_return_status ||
 	           dns_req->dnssec_return_only_secure ||
+	           dns_req->dnssec ||
 	           dns_req->dnssec_return_all_statuses)
 	       && _getdns_bogus(dns_req))
 	    )) {
@@ -423,6 +425,7 @@ _getdns_submit_netreq(getdns_network_req *netreq, uint64_t *now_ms)
 	if ( context->resolution_type == GETDNS_RESOLUTION_RECURSING
 	    || dns_req->dnssec_return_status
 	    || dns_req->dnssec_return_only_secure
+	    || dns_req->dnssec
 	    || dns_req->dnssec_return_all_statuses
 	    || dns_req->dnssec_return_validation_chain) {
 #endif
@@ -503,6 +506,7 @@ validate_extensions(const getdns_dict * extensions)
 	static getdns_extension_format extformats[] = {
 		{"add_opt_parameters"            , t_dict, 1},
 		{"add_warning_for_bad_dns"       , t_int , 1},
+		{"dnssec"                        , t_int , 1},
 		{"dnssec_return_all_statuses"    , t_int , 1},
 		{"dnssec_return_full_validation_chain", t_int , 1},
 		{"dnssec_return_only_secure"     , t_int , 1},
diff --git a/src/request-internal.c b/src/request-internal.c
index 46c77e05..c94038b7 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -702,6 +702,9 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
     const char *name, uint16_t request_type, const getdns_dict *extensions,
     uint64_t *now_ms)
 {
+	int dnssec                               = is_extension_set(
+	    extensions, "dnssec",
+	        context->dnssec);
 	int dnssec_return_status                 = is_extension_set(
 	    extensions, "dnssec_return_status",
 	        context->dnssec_return_status);
@@ -728,7 +731,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
 	    || is_extension_set(extensions, "dnssec_roadblock_avoidance",
 	                            context->dnssec_roadblock_avoidance);
 #endif
-	int dnssec_extension_set = dnssec_return_status
+	int dnssec_extension_set = dnssec || dnssec_return_status
 	    || dnssec_return_only_secure || dnssec_return_all_statuses
 	    || dnssec_return_validation_chain
 	    || dnssec_return_full_validation_chain
@@ -776,6 +779,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
 	int    opportunistic = 0;
 	
 	if (extensions == no_dnssec_checking_disabled_opportunistic) {
+		dnssec = 0;
 		dnssec_return_status = 0;
 		dnssec_return_only_secure = 0;
 		dnssec_return_all_statuses = 0;
@@ -956,6 +960,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
 	result->context = context;
 	result->loop = loop;
 	result->trans_id = (uint64_t) (intptr_t) result;
+	result->dnssec                         = dnssec;
 	result->dnssec_return_status           = dnssec_return_status;
 	result->dnssec_return_only_secure      = dnssec_return_only_secure;
 	result->dnssec_return_all_statuses     = dnssec_return_all_statuses;
diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index 3102ce1a..1ee253b7 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -183,6 +183,7 @@ print_usage(FILE *out, const char *progname)
 	fprintf(out, "\ntsig spec: [<algorithm>:]<name>:<secret in Base64>\n");
 	fprintf(out, "\nextensions:\n");
 	fprintf(out, "\t+add_warning_for_bad_dns\n");
+	fprintf(out, "\t+dnssec\n");
 	fprintf(out, "\t+dnssec_return_status\n");
 	fprintf(out, "\t+dnssec_return_only_secure\n");
 	fprintf(out, "\t+dnssec_return_all_statuses\n");
diff --git a/src/types-internal.h b/src/types-internal.h
index e36b1f60..12489e9c 100644
--- a/src/types-internal.h
+++ b/src/types-internal.h
@@ -299,6 +299,7 @@ typedef struct getdns_dns_req {
 	unsigned suffix_appended			: 1;
 
 	/* request extensions */
+	unsigned dnssec					: 1;
 	unsigned dnssec_return_status			: 1;
 	unsigned dnssec_return_only_secure		: 1;
 	unsigned dnssec_return_all_statuses		: 1;
diff --git a/src/util-internal.c b/src/util-internal.c
index 0bceb002..2deefba0 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -1133,7 +1133,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 	if (!(result = getdns_dict_create_with_context(context)))
 		return NULL;
 
-	dnssec_return_status = completed_request->dnssec_return_status ||
+	dnssec_return_status = completed_request->dnssec ||
+	                       completed_request->dnssec_return_status ||
 	                       completed_request->dnssec_return_only_secure ||
 	                       completed_request->dnssec_return_all_statuses
 #ifdef DNSSEC_ROADBLOCK_AVOIDANCE
@@ -1210,6 +1211,9 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 			else if (completed_request->dnssec_return_only_secure
 			    && netreq->dnssec_status != GETDNS_DNSSEC_SECURE)
 				continue;
+			else if (completed_request->dnssec &&
+			    netreq->dnssec_status == GETDNS_DNSSEC_INDETERMINATE)
+				continue;
 			else if (netreq->tsig_status == GETDNS_DNSSEC_BOGUS)
 				continue;
 		}
@@ -1287,9 +1291,11 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 	if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS,
 	    completed_request->request_timed_out ||
 	    nreplies == 0   ? GETDNS_RESPSTATUS_ALL_TIMEOUT :
-	    completed_request->dnssec_return_only_secure && nsecure == 0 && ninsecure > 0
+	    (  completed_request->dnssec_return_only_secure
+	    || completed_request->dnssec ) && nsecure == 0 && ninsecure > 0
 	                    ? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
-	    completed_request->dnssec_return_only_secure && nsecure == 0 && nbogus > 0
+	    (  completed_request->dnssec_return_only_secure
+	    || completed_request->dnssec ) && nsecure == 0 && nbogus > 0
 	                    ? GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS :
 	    nanswers == 0   ? GETDNS_RESPSTATUS_NO_NAME
 	                    : GETDNS_RESPSTATUS_GOOD))

From 1e7da76901e3457fc461c7a789975977fe4f6876 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 29 Nov 2018 15:34:37 +0100
Subject: [PATCH 191/303] Bugfix getdnsapi/stubby#140 fallback on getentropy
 failure

---
 src/compat/arc4random.c         |  93 ++++++++++++++++++++++------
 src/compat/arc4random_uniform.c |   2 +-
 src/compat/getentropy_linux.c   | 103 +++++++++++++-------------------
 3 files changed, 115 insertions(+), 83 deletions(-)

diff --git a/src/compat/arc4random.c b/src/compat/arc4random.c
index 7c9570b9..b2159abd 100644
--- a/src/compat/arc4random.c
+++ b/src/compat/arc4random.c
@@ -51,6 +51,9 @@
 #else				/* !__GNUC__ */
 #define inline
 #endif				/* !__GNUC__ */
+#ifndef MAP_ANON
+#define MAP_ANON MAP_ANONYMOUS
+#endif
 
 #define KEYSZ	32
 #define IVSZ	8
@@ -71,6 +74,72 @@ static struct {
 
 static inline void _rs_rekey(u_char *dat, size_t datlen);
 
+/*
+ * Basic sanity checking; wish we could do better.
+ */
+static int
+fallback_gotdata(char *buf, size_t len)
+{
+	char	any_set = 0;
+	size_t	i;
+
+	for (i = 0; i < len; ++i)
+		any_set |= buf[i];
+	if (any_set == 0)
+		return -1;
+	return 0;
+}
+
+/* fallback for getentropy in case libc returns failure */
+static int
+fallback_getentropy_urandom(void *buf, size_t len)
+{
+	size_t i;
+	int fd, flags;
+	int save_errno = errno;
+
+start:
+
+	flags = O_RDONLY;
+#ifdef O_NOFOLLOW
+	flags |= O_NOFOLLOW;
+#endif
+#ifdef O_CLOEXEC
+	flags |= O_CLOEXEC;
+#endif
+	fd = open("/dev/urandom", flags, 0);
+	if (fd == -1) {
+		if (errno == EINTR)
+			goto start;
+		goto nodevrandom;
+	}
+#ifndef O_CLOEXEC
+#  ifdef HAVE_FCNTL
+	fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#  endif
+#endif
+	for (i = 0; i < len; ) {
+		size_t wanted = len - i;
+		ssize_t ret = read(fd, (char*)buf + i, wanted);
+
+		if (ret == -1) {
+			if (errno == EAGAIN || errno == EINTR)
+				continue;
+			close(fd);
+			goto nodevrandom;
+		}
+		i += ret;
+	}
+	close(fd);
+	if (fallback_gotdata(buf, len) == 0) {
+		errno = save_errno;
+		return 0;		/* satisfied */
+	}
+nodevrandom:
+	errno = EIO;
+	return -1;
+}
+
 static inline void
 _rs_init(u_char *buf, size_t n)
 {
@@ -114,14 +183,14 @@ _rs_stir(void)
 	u_char rnd[KEYSZ + IVSZ];
 
 	if (getentropy(rnd, sizeof rnd) == -1) {
+		if(errno != ENOSYS ||
+			fallback_getentropy_urandom(rnd, sizeof rnd) == -1) {
 #ifdef SIGKILL
-		raise(SIGKILL);
+			raise(SIGKILL);
 #else
-#ifdef GETDNS_ON_WINDOWS
-		DebugBreak();
-#endif
-		exit(9); /* windows */
+			exit(9); /* windows */
 #endif
+		}
 	}
 
 	if (!rs)
@@ -131,9 +200,6 @@ _rs_stir(void)
 	explicit_bzero(rnd, sizeof(rnd));	/* discard source seed */
 
 	/* invalidate rs_buf */
-#ifdef GETDNS_ON_WINDOWS
-	_Analysis_assume_(rs != NULL);
-#endif
 	rs->rs_have = 0;
 	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 
@@ -145,15 +211,7 @@ _rs_stir_if_needed(size_t len)
 {
 #ifndef MAP_INHERIT_ZERO
 	static pid_t _rs_pid = 0;
-#ifdef GETDNS_ON_WINDOWS
-	/* 
-	 * TODO: if compiling for the Windows Runtime, use GetCurrentProcessId(),
-	 * but this requires linking with kernel32.lib
-	 */
-	pid_t pid = _getpid();
-#else
 	pid_t pid = getpid();
-#endif
 
 	/* If a system lacks MAP_INHERIT_ZERO, resort to getpid() */
 	if (_rs_pid == 0 || _rs_pid != pid) {
@@ -164,9 +222,6 @@ _rs_stir_if_needed(size_t len)
 #endif
 	if (!rs || rs->rs_count <= len)
 		_rs_stir();
-#ifdef GETDNS_ON_WINDOWS
-	_Analysis_assume_(rs != NULL);
-#endif
 	if (rs->rs_count <= len)
 		rs->rs_count = 0;
 	else
diff --git a/src/compat/arc4random_uniform.c b/src/compat/arc4random_uniform.c
index c03c2c9b..154260eb 100644
--- a/src/compat/arc4random_uniform.c
+++ b/src/compat/arc4random_uniform.c
@@ -39,7 +39,7 @@ arc4random_uniform(uint32_t upper_bound)
 		return 0;
 
 	/* 2**32 % x == (2**32 - x) % x */
-	min = ((uint32_t)(-(int32_t)upper_bound)) % upper_bound;
+	min = -upper_bound % upper_bound;
 
 	/*
 	 * This could theoretically loop forever but each retry has
diff --git a/src/compat/getentropy_linux.c b/src/compat/getentropy_linux.c
index abb28f49..b86c0fba 100644
--- a/src/compat/getentropy_linux.c
+++ b/src/compat/getentropy_linux.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: getentropy_linux.c,v 1.45 2018/03/13 22:53:28 bcook Exp $	*/
+/*	$OpenBSD: getentropy_linux.c,v 1.20 2014/07/12 15:43:49 beck Exp $	*/
 
 /*
  * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
@@ -15,17 +15,13 @@
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Emulation of getentropy(2) as documented at:
- * http://man.openbsd.org/getentropy.2
  */
-#define WITH_DL_ITERATE_PHDR 1
-#ifdef  WITH_DL_ITERATE_PHDR
-#define	_GNU_SOURCE     1
-/* #define	_POSIX_C_SOURCE 199309L */
-#endif
 #include "config.h"
 
+/*
+#define	_POSIX_C_SOURCE 199309L
+#define	_GNU_SOURCE     1
+*/
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/ioctl.h>
@@ -43,9 +39,6 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <stdio.h>
-#ifdef  WITH_DL_ITERATE_PHDR
-#include <link.h>
-#endif
 #include <termios.h>
 #include <fcntl.h>
 #include <signal.h>
@@ -67,6 +60,9 @@
 #include <sys/auxv.h>
 #endif
 #include <sys/vfs.h>
+#ifndef MAP_ANON
+#define MAP_ANON MAP_ANONYMOUS
+#endif
 
 #define REPEAT 5
 #define min(a, b) (((a) < (b)) ? (a) : (b))
@@ -82,7 +78,6 @@
 #if defined(HAVE_SSL)
 #define CRYPTO_SHA512_CTX		SHA512_CTX
 #define CRYPTO_SHA512_INIT(x)		SHA512_Init(x)
-#define CRYPTO_SHA512_UPDATE(c, x, l)  (SHA512_Update((c), (char *)(x), (l)))
 #define CRYPTO_SHA512_FINAL(r, c)	SHA512_Final(r, c)
 #define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
 #define HD(x)	 (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
@@ -90,7 +85,6 @@
 #elif defined(HAVE_NETTLE)
 #define CRYPTO_SHA512_CTX		struct sha512_ctx
 #define CRYPTO_SHA512_INIT(x)		sha512_init(x)
-#define CRYPTO_SHA512_UPDATE(c, x, l)  (sha512_update((c), (l), (uint8_t *)(x)))
 #define CRYPTO_SHA512_FINAL(r, c)	sha512_digest(c, SHA512_DIGEST_SIZE, r)
 #define HR(x, l) (sha512_update(&ctx, (l), (uint8_t *)(x)))
 #define HD(x)	 (sha512_update(&ctx, sizeof (x), (uint8_t *)&(x)))
@@ -99,8 +93,11 @@
 
 int	getentropy(void *buf, size_t len);
 
+#ifdef CAN_REFERENCE_MAIN
+extern int main(int, char *argv[]);
+#endif
 static int gotdata(char *buf, size_t len);
-#if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
+#if defined(SYS_getrandom) && defined(__NR_getrandom)
 static int getentropy_getrandom(void *buf, size_t len);
 #endif
 static int getentropy_urandom(void *buf, size_t len);
@@ -108,9 +105,6 @@ static int getentropy_urandom(void *buf, size_t len);
 static int getentropy_sysctl(void *buf, size_t len);
 #endif
 static int getentropy_fallback(void *buf, size_t len);
-#ifdef  WITH_DL_ITERATE_PHDR
-static int getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data);
-#endif
 
 int
 getentropy(void *buf, size_t len)
@@ -119,21 +113,18 @@ getentropy(void *buf, size_t len)
 
 	if (len > 256) {
 		errno = EIO;
-		return (-1);
+		return -1;
 	}
 
-#if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
+#if defined(SYS_getrandom) && defined(__NR_getrandom)
 	/*
-	 * Try descriptor-less getrandom(), in non-blocking mode.
-	 *
-	 * The design of Linux getrandom is broken.  It has an
-	 * uninitialized phase coupled with blocking behaviour, which
-	 * is unacceptable from within a library at boot time without
-	 * possible recovery. See http://bugs.python.org/issue26839#msg267745
+	 * Try descriptor-less getrandom()
 	 */
 	ret = getentropy_getrandom(buf, len);
 	if (ret != -1)
 		return (ret);
+	if (errno != ENOSYS)
+		return (-1);
 #endif
 
 	/*
@@ -187,7 +178,7 @@ getentropy(void *buf, size_t len)
 	 *     - Do the best under the circumstances....
 	 *
 	 * This code path exists to bring light to the issue that Linux
-	 * still does not provide a failsafe API for entropy collection.
+	 * does not provide a failsafe API for entropy collection.
 	 *
 	 * We hope this demonstrates that Linux should either retain their
 	 * sysctl ABI, or consider providing a new failsafe API which
@@ -217,11 +208,11 @@ gotdata(char *buf, size_t len)
 	for (i = 0; i < len; ++i)
 		any_set |= buf[i];
 	if (any_set == 0)
-		return (-1);
-	return (0);
+		return -1;
+	return 0;
 }
 
-#if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
+#if defined(SYS_getrandom) && defined(__NR_getrandom)
 static int
 getentropy_getrandom(void *buf, size_t len)
 {
@@ -230,7 +221,7 @@ getentropy_getrandom(void *buf, size_t len)
 	if (len > 256)
 		return (-1);
 	do {
-		ret = syscall(SYS_getrandom, buf, len, GRND_NONBLOCK);
+		ret = syscall(SYS_getrandom, buf, len, 0);
 	} while (ret == -1 && errno == EINTR);
 
 	if (ret != (int)len)
@@ -278,7 +269,7 @@ start:
 	}
 	for (i = 0; i < len; ) {
 		size_t wanted = len - i;
-		ssize_t ret = read(fd, (char *)buf + i, wanted);
+		ssize_t ret = read(fd, (char*)buf + i, wanted);
 
 		if (ret == -1) {
 			if (errno == EAGAIN || errno == EINTR)
@@ -291,11 +282,11 @@ start:
 	close(fd);
 	if (gotdata(buf, len) == 0) {
 		errno = save_errno;
-		return (0);		/* satisfied */
+		return 0;		/* satisfied */
 	}
 nodevrandom:
 	errno = EIO;
-	return (-1);
+	return -1;
 }
 
 #ifdef SYS__sysctl
@@ -326,11 +317,11 @@ getentropy_sysctl(void *buf, size_t len)
 	}
 sysctlfailed:
 	errno = EIO;
-	return (-1);
+	return -1;
 }
 #endif /* SYS__sysctl */
 
-static const int cl[] = {
+static int cl[] = {
 	CLOCK_REALTIME,
 #ifdef CLOCK_MONOTONIC
 	CLOCK_MONOTONIC,
@@ -355,18 +346,6 @@ static const int cl[] = {
 #endif
 };
 
-#ifdef  WITH_DL_ITERATE_PHDR
-static int
-getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data)
-{
-	CRYPTO_SHA512_CTX *ctx = data;
-	(void)size;
-
-	CRYPTO_SHA512_UPDATE(ctx, &info->dlpi_addr, sizeof (info->dlpi_addr));
-	return (0);
-}
-#endif
-
 static int
 getentropy_fallback(void *buf, size_t len)
 {
@@ -403,10 +382,6 @@ getentropy_fallback(void *buf, size_t len)
 				cnt += (int)tv.tv_usec;
 			}
 
-#ifdef  WITH_DL_ITERATE_PHDR
-			dl_iterate_phdr(getentropy_phdr, &ctx);
-#endif
-
 			for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]); ii++)
 				HX(clock_gettime(cl[ii], &ts) == -1, ts);
 
@@ -426,6 +401,9 @@ getentropy_fallback(void *buf, size_t len)
 			HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
 			    sigset);
 
+#ifdef CAN_REFERENCE_MAIN
+			HF(main);		/* an addr in program */
+#endif
 			HF(getentropy);	/* an addr in this library */
 			HF(printf);		/* an addr in libc */
 			p = (char *)&p;
@@ -550,34 +528,33 @@ getentropy_fallback(void *buf, size_t len)
 			HD(cnt);
 		}
 #ifdef HAVE_GETAUXVAL
-#ifdef AT_RANDOM
+#  ifdef AT_RANDOM
 		/* Not as random as you think but we take what we are given */
 		p = (char *) getauxval(AT_RANDOM);
 		if (p)
 			HR(p, 16);
-#endif
-#ifdef AT_SYSINFO_EHDR
+#  endif
+#  ifdef AT_SYSINFO_EHDR
 		p = (char *) getauxval(AT_SYSINFO_EHDR);
 		if (p)
 			HR(p, pgs);
-#endif
-#ifdef AT_BASE
+#  endif
+#  ifdef AT_BASE
 		p = (char *) getauxval(AT_BASE);
 		if (p)
 			HD(p);
-#endif
-#endif
+#  endif
+#endif /* HAVE_GETAUXVAL */
 
 		CRYPTO_SHA512_FINAL(results, &ctx);
-		memcpy((char *)buf + i, results, min(sizeof(results), len - i));
+		memcpy((char*)buf + i, results, min(sizeof(results), len - i));
 		i += min(sizeof(results), len - i);
 	}
-	memset(&ctx, 0, sizeof ctx);
 	memset(results, 0, sizeof results);
 	if (gotdata(buf, len) == 0) {
 		errno = save_errno;
-		return (0);		/* satisfied */
+		return 0;		/* satisfied */
 	}
 	errno = EIO;
-	return (-1);
+	return -1;
 }

From a1692359f36f1133c4a0916fdb8b70f04d870a64 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 3 Dec 2018 12:27:31 +0100
Subject: [PATCH 192/303] RFE #408: Retry fetching of TA after backoff time

---
 ChangeLog                    |  6 +++++-
 src/anchor.c                 | 12 +++++++++++-
 src/anchor.h                 |  3 ++-
 src/const-info.c             |  2 ++
 src/context.c                | 30 ++++++++++++++++++++++++++++++
 src/context.h                |  4 +++-
 src/dnssec.c                 | 20 +++++++++++++++-----
 src/general.c                |  9 +++++++--
 src/getdns/getdns_extra.h.in | 33 ++++++++++++++++++++++++++++++++-
 src/libgetdns.symbols        |  2 ++
 10 files changed, 109 insertions(+), 12 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f5626102..4047abbc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,11 @@
 * 2018-??-??: Version 1.4.3
+  * RFE #408: Fetching of trust anchors will be retried
+    after failure, after a certain backoff time. The time
+    can be configured with
+    getdns_context_set_trust_anchors_backoff_time().
   * RFE #408: A "dnssec" extension that requires DNSSEC
     verification.  When this extension is set, Indeterminate
-    DNSSEC status will noging be returned.
+    DNSSEC status will not be returned.
   * Issue #410: Unspecified ownership of get_api_information()
   * Fix for DNSSEC bug in finding most specific key when
     trust anchor proves non-existance of one of the labels
diff --git a/src/anchor.c b/src/anchor.c
index 31e0e6f0..950176a7 100644
--- a/src/anchor.c
+++ b/src/anchor.c
@@ -923,6 +923,8 @@ static void tas_fail(getdns_context *context, tas_connection *a)
 		DEBUG_ANCHOR("Fatal error fetching trust anchor: "
 		             "%s connection failed too\n", rt_str(rt));
 		context->trust_anchors_source = GETDNS_TASRC_FAILED;
+		context->trust_anchors_backoff_expiry = 
+		    _getdns_get_now_ms() + context->trust_anchors_backoff_time;
 		_getdns_ta_notify_dnsreqs(context);
 	} else
 		DEBUG_ANCHOR("%s connection failed, waiting for %s\n"
@@ -1510,7 +1512,8 @@ static void _tas_hostname_lookup_cb(getdns_dns_req *dnsreq)
 	tas_fail(context, a);
 }
 
-void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop)
+void _getdns_start_fetching_ta(
+    getdns_context *context, getdns_eventloop *loop, uint64_t *now_ms)
 {
 	getdns_return_t r;
 	size_t scheduled;
@@ -1587,6 +1590,13 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop)
 		             "schedule address requests for %s\n"
 		            , tas_hostname);
 		context->trust_anchors_source = GETDNS_TASRC_FAILED;
+		if (now_ms) {
+			if (*now_ms == 0) *now_ms = _getdns_get_now_ms();
+			context->trust_anchors_backoff_expiry = 
+			    *now_ms + context->trust_anchors_backoff_time;
+		} else
+			context->trust_anchors_backoff_expiry = 
+			    _getdns_get_now_ms() + context->trust_anchors_backoff_time;
 		_getdns_ta_notify_dnsreqs(context);
 	} else
 		context->trust_anchors_source = GETDNS_TASRC_FETCHING;
diff --git a/src/anchor.h b/src/anchor.h
index 3c826384..f8bff042 100644
--- a/src/anchor.h
+++ b/src/anchor.h
@@ -41,7 +41,8 @@
 
 void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms);
 
-void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop);
+void _getdns_start_fetching_ta(
+    getdns_context *context, getdns_eventloop *loop, uint64_t *now_ms);
 
 #define MAX_KSKS        16
 #define RRSIG_RDATA_LEN 16
diff --git a/src/const-info.c b/src/const-info.c
index 3b9918bc..f6f0d18b 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -96,6 +96,7 @@ static struct const_info consts_info[] = {
 	{     635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT },
 	{     636, "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT },
 	{     637, "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT },
+	{     638, "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME", GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME_TEXT },
 	{     699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
@@ -205,6 +206,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", 637 },
 	{ "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", 636 },
 	{ "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 },
+	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME", 638 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", 626 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL", 627 },
diff --git a/src/context.c b/src/context.c
index 51ef96c2..b1b36231 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1593,6 +1593,7 @@ getdns_context_create_with_extended_memory_functions(
 	result->trust_anchors_url = NULL;
 	result->trust_anchors_verify_email = NULL;
 	result->trust_anchors_verify_CA = NULL;
+	result->trust_anchors_backoff_time = 2500;
 	result->appdata_dir = NULL;
 	result->tls_ca_path = NULL;
 	result->tls_ca_file = NULL;
@@ -4026,6 +4027,8 @@ _get_context_settings(getdns_context* context)
 	                           context->tls_query_padding_blocksize)
 	    || getdns_dict_set_int(result, "resolution_type",
 	                           context->resolution_type)
+	    || getdns_dict_set_int(result, "trust_anchors_backoff_time",
+	                           context->trust_anchors_backoff_time)
 	    )
 		goto error;
 	
@@ -4960,6 +4963,7 @@ _getdns_context_config_setting(getdns_context *context,
 	CONTEXT_SETTING_STRING(trust_anchors_url)
 	CONTEXT_SETTING_STRING(trust_anchors_verify_CA)
 	CONTEXT_SETTING_STRING(trust_anchors_verify_email)
+	CONTEXT_SETTING_INT(trust_anchors_backoff_time)
 	CONTEXT_SETTING_STRING(appdata_dir)
 #ifndef USE_WINSOCK
 	CONTEXT_SETTING_STRING(resolvconf)
@@ -5430,6 +5434,32 @@ getdns_context_get_trust_anchors_verify_email(
 	return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t
+getdns_context_set_trust_anchors_backoff_time(
+    getdns_context *context, uint64_t backoff_time)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	context->trust_anchors_backoff_time = backoff_time;
+	if (context->trust_anchors_source == GETDNS_TASRC_FAILED)
+		context->trust_anchors_source = GETDNS_TASRC_NONE;
+	dispatch_updated( context
+	                , GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_trust_anchors_backoff_time(
+    getdns_context *context, uint64_t *backoff_time)
+{
+	if (!backoff_time)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	*backoff_time = context->trust_anchors_backoff_time;
+	return GETDNS_RETURN_GOOD;
+}
+
 getdns_return_t
 getdns_context_set_appdata_dir(
     getdns_context *context, const char *appdata_dir)
diff --git a/src/context.h b/src/context.h
index c0080930..ef16855e 100644
--- a/src/context.h
+++ b/src/context.h
@@ -269,7 +269,7 @@ typedef struct getdns_upstreams {
 	size_t count;
 	size_t current_udp;
 	size_t current_stateful;
-    uint16_t max_backoff_value;
+	uint16_t max_backoff_value;
 	uint16_t tls_backoff_time;
 	uint16_t tls_connection_retries;
 	getdns_log_config log;
@@ -347,6 +347,8 @@ struct getdns_context {
 	char                 *trust_anchors_url;
 	char                 *trust_anchors_verify_CA;
 	char                 *trust_anchors_verify_email;
+	uint64_t              trust_anchors_backoff_time;
+	uint64_t              trust_anchors_backoff_expiry;
 
 	_getdns_ksks          root_ksk;
 
diff --git a/src/dnssec.c b/src/dnssec.c
index 4dca78bc..dc0da14a 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3302,11 +3302,11 @@ static void check_chain_complete(chain_head *chain)
 
 			DEBUG_ANCHOR("root DNSKEY set was bogus!\n");
 			if (!dnsreq->waiting_for_ta) {
-				uint64_t now = 0;
+				uint64_t now_ms = 0;
 
 				dnsreq->waiting_for_ta = 1;
 				_getdns_context_equip_with_anchor(
-				    context, &now);
+				    context, &now_ms);
 
 				if (context->trust_anchors_source
 				    == GETDNS_TASRC_XML) {
@@ -3314,9 +3314,19 @@ static void check_chain_complete(chain_head *chain)
 					check_chain_complete(chain);
 					return;
 				}
-				_getdns_start_fetching_ta(
-				    context,  dnsreq->loop);
-
+				if (context->trust_anchors_source ==
+						GETDNS_TASRC_FAILED
+				&& 0 == _getdns_ms_until_expiry2(
+				    context->trust_anchors_backoff_expiry,
+				    &now_ms)) {
+					context->trust_anchors_source =
+					    GETDNS_TASRC_NONE;
+				}
+				if (context->trust_anchors_source
+				!=  GETDNS_TASRC_FAILED) {
+					_getdns_start_fetching_ta(
+					    context,  dnsreq->loop, &now_ms);
+				}
 				if (dnsreq->waiting_for_ta &&
 				    context->trust_anchors_source
 				    == GETDNS_TASRC_FETCHING) {
diff --git a/src/general.c b/src/general.c
index 2cfec678..f3170072 100644
--- a/src/general.c
+++ b/src/general.c
@@ -595,13 +595,18 @@ getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
 	_getdns_context_track_outbound_request(req);
 
 	if (req->dnssec_extension_set) {
+		if (context->trust_anchors_source == GETDNS_TASRC_FAILED
+		&&  _getdns_ms_until_expiry2(
+		    context->trust_anchors_backoff_expiry, &now_ms) == 0) {
+			context->trust_anchors_source = GETDNS_TASRC_NONE;
+		}
 		if (context->trust_anchors_source == GETDNS_TASRC_XML_UPDATE)
-			_getdns_start_fetching_ta(context, loop);
+			_getdns_start_fetching_ta(context, loop, &now_ms);
 
 		else if (context->trust_anchors_source == GETDNS_TASRC_NONE) {
 			_getdns_context_equip_with_anchor(context, &now_ms);
 			if (context->trust_anchors_source == GETDNS_TASRC_NONE) {
-				_getdns_start_fetching_ta(context, loop);
+				_getdns_start_fetching_ta(context, loop, &now_ms);
 			}
 		}
 	}
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 135c29bb..f1b2af36 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -108,7 +108,8 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT "Change related to getdns_context_set_tls_min_version"
 #define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION 637
 #define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT "Change related to getdns_context_set_tls_max_version"
-
+#define GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME 638
+#define GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME_TEXT "Change related to getdns_context_set_trust_anchors_backoff_time"
 
 
 /** @}
@@ -702,6 +703,22 @@ getdns_return_t
 getdns_context_set_trust_anchors_verify_email(
     getdns_context *context, const char *verify_email);
 
+/**
+ * Configure the amount of milliseconds the trust anchors should not be tried
+ * to be fetched after failure.  Default is 2500 which is two and a half seconds.
+ * Setting the trust anchors backoff time will cause fetching to be retried
+ * immediatly.
+ * @see getdns_context_get_trust_anchors_backoff_time
+ * @param context The context to configure
+ * @param value Number of milliseconds before fetch trust anchors
+ *              will be retried.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
+getdns_return_t
+getdns_context_set_trust_anchors_backoff_time(
+    getdns_context *context, uint64_t value);
+
 /**
  * Initialized the context's upstream recursive servers and suffixes
  * with the values from the given resolv.conf file.
@@ -1316,6 +1333,20 @@ getdns_return_t
 getdns_context_get_trust_anchors_verify_email(
     getdns_context *context, const char **verify_email);
 
+/**
+ * Get the amount of milliseconds the trust anchors will not be tried to be
+ * fetched after failure.
+ * @see getdns_context_set_trust_anchors_backoff_time
+ * @param context The context to configure
+ * @param value Number of milliseconds before fetch trust anchors
+ *              will be retried.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
+getdns_return_t
+getdns_context_get_trust_anchors_backoff_time(
+    getdns_context *context, uint64_t *value);
+
 /**
  * Get the value with which the context's upstream recursive servers
  * and suffixes were initialized.
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index 5c3fb52d..f0169761 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@@ -43,6 +43,7 @@ getdns_context_get_tls_curves_list
 getdns_context_get_tls_max_version
 getdns_context_get_tls_min_version
 getdns_context_get_tls_query_padding_blocksize
+getdns_context_get_trust_anchors_backoff_time
 getdns_context_get_trust_anchors_url
 getdns_context_get_trust_anchors_verify_CA
 getdns_context_get_trust_anchors_verify_email
@@ -90,6 +91,7 @@ getdns_context_set_tls_curves_list
 getdns_context_set_tls_max_version
 getdns_context_set_tls_min_version
 getdns_context_set_tls_query_padding_blocksize
+getdns_context_set_trust_anchors_backoff_time
 getdns_context_set_trust_anchors_url
 getdns_context_set_trust_anchors_verify_CA
 getdns_context_set_trust_anchors_verify_email

From 4b688443f4ea658a002d6f707fc0bd9b26bbe5ae Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 3 Dec 2018 12:50:37 +0100
Subject: [PATCH 193/303] Sync with unbound

---
 src/gldns/compare.sh   |  2 +-
 src/gldns/gbuffer.h    |  4 +--
 src/gldns/import.sh    |  4 +--
 src/gldns/parseutil.h  |  2 +-
 src/gldns/rrdef.c      |  7 ++---
 src/gldns/rrdef.h      |  4 +--
 src/util/val_secalgo.c | 62 +++++++++++++++++++++++++++++++-----------
 7 files changed, 55 insertions(+), 30 deletions(-)

diff --git a/src/gldns/compare.sh b/src/gldns/compare.sh
index 415c6bcc..86207bb9 100755
--- a/src/gldns/compare.sh
+++ b/src/gldns/compare.sh
@@ -3,7 +3,7 @@
 # Meant to be run from this directory
 rm -fr gldns
 mkdir gldns
-svn co http://unbound.net/svn/trunk/sldns/
+svn co https://nlnetlabs.nl/svn/unbound/trunk/sldns/
 mv gbuffer.h sbuffer.h
 mv gbuffer.c sbuffer.c
 for f in sldns/*.[ch]
diff --git a/src/gldns/gbuffer.h b/src/gldns/gbuffer.h
index 7aa5a1b8..e04aa23a 100644
--- a/src/gldns/gbuffer.h
+++ b/src/gldns/gbuffer.h
@@ -130,7 +130,7 @@ struct gldns_buffer
 	/** If the buffer is fixed it cannot be resized */
 	unsigned _fixed : 1;
 
-	/** If the buffer is vfixed, no more than capacity bytes willl be
+	/** If the buffer is vfixed, no more than capacity bytes will be
 	 * written to _data, however the _position counter will be updated
 	 * with the amount that would have been written in consecutive
 	 * writes.  This allows for a modus operandi in which a sequence is
@@ -160,7 +160,7 @@ gldns_buffer_invariant(gldns_buffer *buffer)
 	assert(buffer != NULL);
 	assert(buffer->_position <= buffer->_limit || buffer->_vfixed);
 	assert(buffer->_limit <= buffer->_capacity);
-	assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0));
+	assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0 && buffer->_limit == 0));
 }
 #endif
 
diff --git a/src/gldns/import.sh b/src/gldns/import.sh
index 88fcfff4..b9f3cfdd 100755
--- a/src/gldns/import.sh
+++ b/src/gldns/import.sh
@@ -16,8 +16,8 @@ then
 	mv sbuffer.h gbuffer.h
 	mv sbuffer.c gbuffer.c
 else
-	svn co http://unbound.net/svn/trunk/sldns/
-	for f in sldns/*.[ch]
+	svn co https://nlnetlabs.nl/svn/unbound/trunk/sldns/
+	for f in ldns/*.[ch]
 	do
 		sed -e 's/sldns_/gldns_/g' \
 		    -e 's/LDNS_/GLDNS_/g' \
diff --git a/src/gldns/parseutil.h b/src/gldns/parseutil.h
index a044c4de..1546e8be 100644
--- a/src/gldns/parseutil.h
+++ b/src/gldns/parseutil.h
@@ -58,7 +58,7 @@ time_t gldns_mktime_from_utc(const struct tm *tm);
  * The function interprets time as the number of seconds since epoch
  * with respect to now using serial arithmetics (rfc1982).
  * That number of seconds is then converted to broken-out time information.
- * This is especially useful when converting the inception and expiration
+ * This is especially usefull when converting the inception and expiration
  * fields of RRSIG records.
  *
  * \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
diff --git a/src/gldns/rrdef.c b/src/gldns/rrdef.c
index 91739232..52e9cf3b 100644
--- a/src/gldns/rrdef.c
+++ b/src/gldns/rrdef.c
@@ -341,12 +341,9 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 	{GLDNS_RR_TYPE_NSEC3PARAM, "NSEC3PARAM", 4, 4, type_nsec3param_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 52 */
 	{GLDNS_RR_TYPE_TLSA, "TLSA", 4, 4, type_tlsa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-	/*53 */
-#ifdef DRAFT_RRTYPES
+	/* 53 */
 	{GLDNS_RR_TYPE_SMIMEA, "SMIMEA", 4, 4, type_tlsa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-#else
-{GLDNS_RR_TYPE_NULL, "TYPE53", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-#endif
+	/* 54 */
 {GLDNS_RR_TYPE_NULL, "TYPE54", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
         /* 55
 	 * Hip ends with 0 or more Rendezvous Servers represented as dname's.
diff --git a/src/gldns/rrdef.h b/src/gldns/rrdef.h
index f7aaf866..ecbf0749 100644
--- a/src/gldns/rrdef.h
+++ b/src/gldns/rrdef.h
@@ -182,9 +182,7 @@ enum gldns_enum_rr_type
 	GLDNS_RR_TYPE_NSEC3PARAM = 51, /* RFC 5155 */
 	GLDNS_RR_TYPE_NSEC3PARAMS = 51,
 	GLDNS_RR_TYPE_TLSA = 52, /* RFC 6698 */
-	GLDNS_RR_TYPE_SMIMEA = 53, /* draft-ietf-dane-smime, TLSA-like but may
-				     be extended */
-
+	GLDNS_RR_TYPE_SMIMEA = 53, /* RFC 8162 */
 	GLDNS_RR_TYPE_HIP = 55, /* RFC 5205 */
 
 	/** draft-reid-dnsext-zs */
diff --git a/src/util/val_secalgo.c b/src/util/val_secalgo.c
index 95200a48..0613316c 100644
--- a/src/util/val_secalgo.c
+++ b/src/util/val_secalgo.c
@@ -77,6 +77,22 @@ int fake_dsa = 0;
 /** fake SHA1 support for unit tests */
 int fake_sha1 = 0;
 
+/**
+ * Output a libcrypto openssl error to the logfile.
+ * @param str: string to add to it.
+ * @param e: the error to output, error number from ERR_get_error().
+ */
+static void
+log_crypto_error(const char* str, unsigned long e)
+{
+	char buf[128];
+	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
+	ERR_error_string_n(e, buf, sizeof(buf));
+	/* buf now contains */
+	/* error:[error code]:[library name]:[function name]:[reason string] */
+	log_err("%s crypto %s", str, buf);
+}
+
 /* return size of digest if supported, or 0 otherwise */
 size_t
 nsec3_hash_algo_size_supported(int id)
@@ -96,7 +112,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 {
 	switch(algo) {
 	case NSEC3_HASH_SHA1:
+#ifdef OPENSSL_FIPS
+		if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
+			log_crypto_error("could not digest with EVP_sha1",
+				ERR_get_error());
+#else
 		(void)SHA1(buf, len, res);
+#endif
 		return 1;
 	default:
 		return 0;
@@ -106,7 +128,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 void
 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 {
+#ifdef OPENSSL_FIPS
+	if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
+		log_crypto_error("could not digest with EVP_sha256",
+			ERR_get_error());
+#else
 	(void)SHA256(buf, len, res);
+#endif
 }
 
 /**
@@ -165,12 +193,24 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
 	switch(algo) {
 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
 		case LDNS_SHA1:
+#ifdef OPENSSL_FIPS
+			if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
+				log_crypto_error("could not digest with EVP_sha1",
+					ERR_get_error());
+#else
 			(void)SHA1(buf, len, res);
+#endif
 			return 1;
 #endif
 #ifdef HAVE_EVP_SHA256
 		case LDNS_SHA256:
+#ifdef OPENSSL_FIPS
+			if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
+				log_crypto_error("could not digest with EVP_sha256",
+					ERR_get_error());
+#else
 			(void)SHA256(buf, len, res);
+#endif
 			return 1;
 #endif
 #ifdef USE_GOST
@@ -181,7 +221,13 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
 #endif
 #ifdef USE_ECDSA
 		case LDNS_SHA384:
+#ifdef OPENSSL_FIPS
+			if(!sldns_digest_evp(buf, len, res, EVP_sha384()))
+				log_crypto_error("could not digest with EVP_sha384",
+					ERR_get_error());
+#else
 			(void)SHA384(buf, len, res);
+#endif
 			return 1;
 #endif
 		default: 
@@ -248,22 +294,6 @@ dnskey_algo_id_is_supported(int id)
 	}
 }
 
-/**
- * Output a libcrypto openssl error to the logfile.
- * @param str: string to add to it.
- * @param e: the error to output, error number from ERR_get_error().
- */
-static void
-log_crypto_error(const char* str, unsigned long e)
-{
-	char buf[128];
-	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
-	ERR_error_string_n(e, buf, sizeof(buf));
-	/* buf now contains */
-	/* error:[error code]:[library name]:[function name]:[reason string] */
-	log_err("%s crypto %s", str, buf);
-}
-
 #ifdef USE_DSA
 /**
  * Setup DSA key digest in DER encoding ... 

From 390e383a1a7aa74a4b5881f3d5230e594cc53826 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 3 Dec 2018 14:33:21 +0100
Subject: [PATCH 194/303] ED25519 & ED448 DNSSEC validation support

---
 configure.ac           | 80 ++++++++++++++++++++++++++++++++++++++----
 src/util/val_secalgo.h |  4 +++
 2 files changed, 78 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index 9d12285a..a1f5dee1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -400,8 +400,47 @@ yes)
 esac
 
 USE_NSS="no"
+AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+        [use libnss instead of openssl, installed at path.]),
+        [
+        USE_NSS="yes"
+        AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+        if test "$withval" != "" -a "$withval" != "yes"; then
+                CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
+                LDFLAGS="$LDFLAGS -L$withval/lib"
+                ACX_RUNTIME_PATH_ADD([$withval/lib])
+                CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+        else
+                CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
+                CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+        fi
+        LIBS="$LIBS -lnss3 -lnspr4"
+        SSLLIB=""
+        ]
+)
+
+# libnettle
+USE_NETTLE="no"
+AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
+        [use libnettle as crypto library, installed at path.]),
+        [
+        USE_NETTLE="yes"
+        AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
+        AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
+        if test "$withval" != "" -a "$withval" != "yes"; then
+                CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
+                LDFLAGS="$LDFLAGS -L$withval/lib"
+                ACX_RUNTIME_PATH_ADD([$withval/lib])
+        else
+                CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
+        fi
+        LIBS="$LIBS -lhogweed -lnettle -lgmp"
+        SSLLIB=""
+        ]
+)
+
 # openssl
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 ACX_WITH_SSL_OPTIONAL
 ACX_LIB_SSL
 AC_MSG_CHECKING([for LibreSSL])
@@ -581,7 +620,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
 
 AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
 use_gost="no"
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 case "$enable_gost" in
 	no)
 	;;
@@ -595,7 +634,7 @@ case "$enable_gost" in
 	fi
 	;;
 esac
-fi dnl !USE_NSS
+fi dnl !USE_NSS && !USE_NETTLE
 
 AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
 use_ecdsa="no"
@@ -603,7 +642,7 @@ case "$enable_ecdsa" in
     no)
       ;;
     *)
-      if test $USE_NSS = "no"; then
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 	      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
 	      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
 	      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
@@ -635,6 +674,7 @@ case "$enable_dsa" in
       ;;
     *) dnl default
       # detect if DSA is supported, and turn it off if not.
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
       AC_CHECK_FUNC(DSA_SIG_new, [
 	AC_CHECK_TYPE(DSA_SIG*, [
 		AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
@@ -659,6 +699,9 @@ AC_INCLUDES_DEFAULT
 ])
       ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
 	  fi ])
+      else
+      AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+      fi
       ;;
 esac
 
@@ -668,15 +711,40 @@ case "$enable_ed25519" in
     no)
       ;;
     *)
-      if test "$USE_NSS" = "no" -a "$USE_NETTLE" = "no"; then
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
               AC_CHECK_DECLS([NID_ED25519], [
-                AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
                 use_ed25519="yes"
               ], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
                 fi ], [AC_INCLUDES_DEFAULT
 #include <openssl/evp.h>
               ])
       fi
+      if test $USE_NETTLE = "yes"; then
+                AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes",, [AC_INCLUDES_DEFAULT])
+      fi
+      if test $use_ed25519 = "yes"; then
+                AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
+      fi
+      ;;
+esac
+
+AC_ARG_ENABLE(ed448, AC_HELP_STRING([--disable-ed448], [Disable ED448 support]))
+use_ed448="no"
+case "$enable_ed448" in
+    no)
+      ;;
+    *)
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+              AC_CHECK_DECLS([NID_ED448], [
+                use_ed448="yes"
+              ], [ if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED448 and you used --enable-ed448.])
+                fi ], [AC_INCLUDES_DEFAULT
+#include <openssl/evp.h>
+              ])
+      fi
+      if test $use_ed448 = "yes"; then
+                AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.])
+      fi
       ;;
 esac
 
diff --git a/src/util/val_secalgo.h b/src/util/val_secalgo.h
index 08f40e83..350007f7 100644
--- a/src/util/val_secalgo.h
+++ b/src/util/val_secalgo.h
@@ -68,6 +68,10 @@ enum sec_status { sec_status_bogus     = 0
 #define LDNS_ECDSAP256SHA256		GLDNS_ECDSAP256SHA256
 #define LDNS_ECDSAP384SHA384		GLDNS_ECDSAP384SHA384
 #define LDNS_ECC_GOST			GLDNS_ECC_GOST
+#define LDNS_ED25519			GLDNS_ED25519
+#define LDNS_ED448			GLDNS_ED448
+#define sldns_ed255192pkey_raw		gldns_ed255192pkey_raw
+#define sldns_ed4482pkey_raw		gldns_ed4482pkey_raw
 #define sldns_key_EVP_load_gost_id	gldns_key_EVP_load_gost_id
 #define sldns_digest_evp		gldns_digest_evp
 #define sldns_key_buf2dsa_raw		gldns_key_buf2dsa_raw

From 30a3a6b0261001c063eecc877c1e0c9da756547c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 3 Dec 2018 14:33:56 +0100
Subject: [PATCH 195/303] Longer timeout for recursing_6 test

---
 src/test/check_getdns_context_set_dns_transport.h | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/test/check_getdns_context_set_dns_transport.h b/src/test/check_getdns_context_set_dns_transport.h
index 83b18d6e..07dce329 100644
--- a/src/test/check_getdns_context_set_dns_transport.h
+++ b/src/test/check_getdns_context_set_dns_transport.h
@@ -264,8 +264,6 @@
              GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");
            ASSERT_RC(getdns_context_set_edns_maximum_udp_payload_size(context, 512),
                GETDNS_RETURN_GOOD, "Return code from getdns_context_set_edns_maximum_udp_payload_size()");
-           ASSERT_RC(getdns_context_set_timeout(context, 2000),
-               GETDNS_RETURN_GOOD, "Return code from getdns_context_set_edns_maximum_udp_payload_size()");
            ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), 
              GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
 

From ea55b12a08eb7316f94268ba9f488cd8b7123a5e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 3 Dec 2018 14:52:58 +0100
Subject: [PATCH 196/303] getdns_query for addresses with qname but no qtype

---
 ChangeLog                |  2 ++
 src/tools/getdns_query.c | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 4047abbc..3ca53b2e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 * 2018-??-??: Version 1.4.3
+  * getdns_query queries for addresses when a query name
+    without a type is given.
   * RFE #408: Fetching of trust anchors will be retried
     after failure, after a certain backoff time. The time
     can be configured with
diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index 1ee253b7..25f27d60 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -581,11 +581,15 @@ getdns_return_t parse_args(int argc, char **argv)
 	size_t upstream_count = 0;
 	FILE *fh;
 	int int_value;
+	int got_rrtype = 0;
+	int got_calltype = 0;
+	int got_qname = 0;
 
 	for (i = 1; i < argc; i++) {
 		arg = argv[i];
 		if ((t = get_rrtype(arg)) >= 0) {
 			request_type = t;
+			got_rrtype = 1;
 			continue;
 
 		} else if (arg[0] == '+') {
@@ -654,6 +658,7 @@ getdns_return_t parse_args(int argc, char **argv)
 			continue;
 
 		} else if (arg[0] != '-') {
+			got_qname = 1;
 			name = arg;
 			continue;
 		}
@@ -667,6 +672,7 @@ getdns_return_t parse_args(int argc, char **argv)
 				break;
 			case 'A':
 				calltype = ADDRESS;
+				got_calltype = 1;
 				break;
 			case 'b':
 				if (c[1] != 0 || ++i >= argc || !*argv[i]) {
@@ -740,9 +746,11 @@ getdns_return_t parse_args(int argc, char **argv)
 				break;
 			case 'G':
 				calltype = GENERAL;
+				got_calltype = 1;
 				break;
 			case 'H':
 				calltype = HOSTNAME;
+				got_calltype = 1;
 				break;
 			case 'h':
 				print_usage(stdout, argv[0]);
@@ -871,6 +879,7 @@ getdns_return_t parse_args(int argc, char **argv)
 				break;
 			case 'S':
 				calltype = SERVICE;
+				got_calltype = 1;
 				break;
 			case 't':
 				if (c[1] != 0 || ++i >= argc || !*argv[i]) {
@@ -1094,6 +1103,9 @@ getdns_return_t parse_args(int argc, char **argv)
 		}
 next:		;
 	}
+	if (!got_calltype && !got_rrtype && got_qname) {
+		calltype = ADDRESS;
+	}
 	if (r)
 		return r;
 	if (pubkey_pinset && upstream_count) {

From c80aa727257223d1c287b70dcfbc95b192735ba2 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 3 Dec 2018 15:35:03 +0100
Subject: [PATCH 197/303] ED25519 & ED448 support

---
 configure.ac           | 76 +++++++++++++++++++++---------------------
 src/request-internal.c |  4 +++
 src/util-internal.c    | 30 ++++++++++-------
 3 files changed, 60 insertions(+), 50 deletions(-)

diff --git a/configure.ac b/configure.ac
index a1f5dee1..31d75a20 100644
--- a/configure.ac
+++ b/configure.ac
@@ -400,48 +400,49 @@ yes)
 esac
 
 USE_NSS="no"
-AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
-        [use libnss instead of openssl, installed at path.]),
-        [
-        USE_NSS="yes"
-        AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
-        if test "$withval" != "" -a "$withval" != "yes"; then
-                CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
-                LDFLAGS="$LDFLAGS -L$withval/lib"
-                ACX_RUNTIME_PATH_ADD([$withval/lib])
-                CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
-        else
-                CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
-                CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
-        fi
-        LIBS="$LIBS -lnss3 -lnspr4"
-        SSLLIB=""
-        ]
-)
+dnl AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+dnl         [use libnss instead of openssl, installed at path.]),
+dnl         [
+dnl         USE_NSS="yes"
+dnl         AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+dnl         if test "$withval" != "" -a "$withval" != "yes"; then
+dnl                 CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
+dnl                 LDFLAGS="$LDFLAGS -L$withval/lib"
+dnl                 ACX_RUNTIME_PATH_ADD([$withval/lib])
+dnl                 CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+dnl         else
+dnl                 CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
+dnl                 CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+dnl         fi
+dnl         LIBS="$LIBS -lnss3 -lnspr4"
+dnl         SSLLIB=""
+dnl         ]
+dnl )
 
 # libnettle
 USE_NETTLE="no"
-AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
-        [use libnettle as crypto library, installed at path.]),
-        [
-        USE_NETTLE="yes"
-        AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
-        AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
-        if test "$withval" != "" -a "$withval" != "yes"; then
-                CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
-                LDFLAGS="$LDFLAGS -L$withval/lib"
-                ACX_RUNTIME_PATH_ADD([$withval/lib])
-        else
-                CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
-        fi
-        LIBS="$LIBS -lhogweed -lnettle -lgmp"
-        SSLLIB=""
-        ]
-)
+dnl AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
+dnl         [use libnettle as crypto library, installed at path.]),
+dnl         [
+dnl         USE_NETTLE="yes"
+dnl         AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
+dnl         AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
+dnl         if test "$withval" != "" -a "$withval" != "yes"; then
+dnl                 CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
+dnl                 LDFLAGS="$LDFLAGS -L$withval/lib"
+dnl                 ACX_RUNTIME_PATH_ADD([$withval/lib])
+dnl         else
+dnl                 CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
+dnl         fi
+dnl         LIBS="$LIBS -lhogweed -lnettle -lgmp"
+dnl         SSLLIB=""
+dnl         ]
+dnl )
 
 # openssl
 if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
-ACX_WITH_SSL_OPTIONAL
+ACX_WITH_SSL
+fi
 ACX_LIB_SSL
 AC_MSG_CHECKING([for LibreSSL])
 if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
@@ -453,7 +454,7 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
 else
 	AC_MSG_RESULT([no])
 fi
-AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
@@ -477,7 +478,6 @@ AC_INCLUDES_DEFAULT
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 ])
-fi
 
 AC_MSG_CHECKING([whether we need to compile/link DANE support])
 DANESSL_XTRA_OBJS=""
diff --git a/src/request-internal.c b/src/request-internal.c
index c94038b7..d53f85e0 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -495,6 +495,9 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
 void
 _getdns_network_validate_tsig(getdns_network_req *req)
 {
+#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
+	(void)req;
+#else
 	_getdns_rr_iter  rr_spc, *rr;
 	_getdns_rdf_iter rdf_spc, *rdf;
 	const uint8_t *request_mac;
@@ -668,6 +671,7 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	gldns_write_uint16(req->response, gldns_read_uint16(req->query));
 	gldns_write_uint16(req->response + 10,
 	    gldns_read_uint16(req->response + 10) + 1);
+#endif
 }
 
 void
diff --git a/src/util-internal.c b/src/util-internal.c
index 2deefba0..0eaf3435 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -1119,7 +1119,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 	int rrsigs_in_answer = 0;
 	getdns_dict *reply;
 	getdns_bindata *canonical_name = NULL;
-	int nreplies = 0, nanswers = 0, nsecure = 0, ninsecure = 0, nbogus = 0;
+	int nreplies = 0, nanswers = 0;
+	int nsecure = 0, ninsecure = 0, nindeterminate = 0, nbogus = 0;
 	getdns_dict   *netreq_debug;
 	_srvs srvs = { 0, 0, NULL };
 
@@ -1193,16 +1194,18 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 			_getdns_network_validate_tsig(netreq);
 
 		nreplies++;
-		if (netreq->dnssec_status == GETDNS_DNSSEC_SECURE)
-			nsecure++;
-		else if (netreq->dnssec_status != GETDNS_DNSSEC_BOGUS)
-			ninsecure++;
-
-		if (dnssec_return_status &&
-		    netreq->dnssec_status == GETDNS_DNSSEC_BOGUS)
-			nbogus++;
-
-
+		switch (netreq->dnssec_status) {
+		case GETDNS_DNSSEC_SECURE       : nsecure++;
+						  break;
+		case GETDNS_DNSSEC_INSECURE     : ninsecure++;
+						  break;
+		case GETDNS_DNSSEC_INDETERMINATE: nindeterminate++;
+						  ninsecure++;
+						  break;
+		case GETDNS_DNSSEC_BOGUS        : if (dnssec_return_status)
+							  nbogus++;
+						  break;
+		}
 		if (! completed_request->dnssec_return_all_statuses &&
 		    ! completed_request->dnssec_return_validation_chain) {
 			if (dnssec_return_status &&
@@ -1291,8 +1294,11 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 	if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS,
 	    completed_request->request_timed_out ||
 	    nreplies == 0   ? GETDNS_RESPSTATUS_ALL_TIMEOUT :
+	    (  completed_request->dnssec
+	    && nsecure == 0 && nindeterminate ) > 0
+	                    ? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
 	    (  completed_request->dnssec_return_only_secure
-	    || completed_request->dnssec ) && nsecure == 0 && ninsecure > 0
+	    && nsecure == 0 && ninsecure ) > 0
 	                    ? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
 	    (  completed_request->dnssec_return_only_secure
 	    || completed_request->dnssec ) && nsecure == 0 && nbogus > 0

From 46f0b06f24fd0977f635b1eee4928eb6de0194a5 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 4 Dec 2018 14:17:20 +0100
Subject: [PATCH 198/303] Start release processes for getdns-1.5.0

---
 ChangeLog    | 2 +-
 configure.ac | 9 +++++----
 stubby       | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3ca53b2e..415b35ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,4 @@
-* 2018-??-??: Version 1.4.3
+* 2018-12-??: Version 1.5.0
   * getdns_query queries for addresses when a query name
     without a type is given.
   * RFE #408: Fetching of trust anchors will be retried
diff --git a/configure.ac b/configure.ac
index 31d75a20..2c40affb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
-AC_INIT([getdns], [1.4.3], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
+AC_INIT([getdns], [1.5.0], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
 
 # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
 # patched to do the same, but frequently (MacOS) not. So add a with option
@@ -63,13 +63,13 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010402c1])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x0104ffc1])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
 
 AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package])
-AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.3$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
+AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.4$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
 
 # Library version
 # ---------------
@@ -106,7 +106,8 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.3$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.4.0 had libversion 10:0:0
 # getdns-1.4.1 had libversion 10:1:0
 # getdns-1.4.2 has libversion 10:2:0
-GETDNS_LIBVERSION=10:2:0
+# getdns-1.5.0 will have libversion 11:0:1
+GETDNS_LIBVERSION=11:0:1
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
 AC_SUBST(GETDNS_LIBVERSION)
diff --git a/stubby b/stubby
index 8fb853ac..919b7d91 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 8fb853ac8d6148fd9b53fdcbc107ecd375071ec5
+Subproject commit 919b7d914ca618f4a843464d5825383f45809f3e

From f64aa8703dde7189e3686c45e156fe2d9b78514f Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 5 Dec 2018 11:25:32 +0000
Subject: [PATCH 199/303] First pass at a mostly stubbed GnuTLS implementation.

This works enough to do a TLS lookup.
---
 src/gnutls/anchor.c          |  48 ++++
 src/gnutls/keyraw-internal.c |  15 ++
 src/gnutls/keyraw-internal.h |  31 +++
 src/gnutls/pubkey-pinning.c  |  84 ++++++
 src/gnutls/tls-internal.h    |  79 ++++++
 src/gnutls/tls.c             | 505 +++++++++++++++++++++++++++++++++++
 src/gnutls/val_secalgo.c     |  58 ++++
 7 files changed, 820 insertions(+)
 create mode 100644 src/gnutls/anchor.c
 create mode 100644 src/gnutls/keyraw-internal.c
 create mode 100644 src/gnutls/keyraw-internal.h
 create mode 100644 src/gnutls/pubkey-pinning.c
 create mode 100644 src/gnutls/tls-internal.h
 create mode 100644 src/gnutls/tls.c
 create mode 100644 src/gnutls/val_secalgo.c

diff --git a/src/gnutls/anchor.c b/src/gnutls/anchor.c
new file mode 100644
index 00000000..57fb60e1
--- /dev/null
+++ b/src/gnutls/anchor.c
@@ -0,0 +1,48 @@
+/**
+ *
+ * /brief functions for DNSSEC trust anchor management
+ *
+ */
+
+/*
+ * Copyright (c) 2017, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "anchor.h"
+
+void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms)
+{
+}
+
+void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop)
+{
+}
+
+void _getdns_context_update_root_ksk(
+    getdns_context *context, _getdns_rrset *dnskey_set)
+{
+}
diff --git a/src/gnutls/keyraw-internal.c b/src/gnutls/keyraw-internal.c
new file mode 100644
index 00000000..a674033f
--- /dev/null
+++ b/src/gnutls/keyraw-internal.c
@@ -0,0 +1,15 @@
+/*
+ * keyraw.c - raw key operations and conversions - OpenSSL version
+ *
+ * (c) NLnet Labs, 2004-2008
+ *
+ * See the file LICENSE for the license
+ */
+/**
+ * \file
+ * Implementation of raw DNSKEY functions (work on wire rdata).
+ */
+
+#include "config.h"
+#include "gldns/keyraw.h"
+#include "gldns/rrdef.h"
diff --git a/src/gnutls/keyraw-internal.h b/src/gnutls/keyraw-internal.h
new file mode 100644
index 00000000..eaac30c3
--- /dev/null
+++ b/src/gnutls/keyraw-internal.h
@@ -0,0 +1,31 @@
+/*
+ * keyraw.h -- raw key and signature access and conversion - OpenSSL
+ *
+ * Copyright (c) 2005-2008, NLnet Labs. All rights reserved.
+ *
+ * See LICENSE for the license.
+ *
+ */
+
+/**
+ * \file
+ *
+ * raw key and signature access and conversion
+ *
+ * Since those functions heavily rely op cryptographic operations,
+ * this module is dependent on openssl.
+ * 
+ */
+ 
+#ifndef GLDNS_KEYRAW_INTERNAL_H
+#define GLDNS_KEYRAW_INTERNAL_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GLDNS_KEYRAW_INTERNAL_H */
diff --git a/src/gnutls/pubkey-pinning.c b/src/gnutls/pubkey-pinning.c
new file mode 100644
index 00000000..c1aeedc3
--- /dev/null
+++ b/src/gnutls/pubkey-pinning.c
@@ -0,0 +1,84 @@
+/**
+ *
+ * /brief functions for dealing with pubkey pinsets
+ *
+ */
+
+/*
+ * Copyright (c) 2015 ACLU
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "context.h"
+#include "types-internal.h"
+
+#include "pubkey-pinning.h"
+
+/**
+ ** Interfaces from pubkey-pinning.h
+ **/
+
+/* create and populate a pinset linked list from a getdns_list pinset */
+getdns_return_t
+_getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list,
+				    struct mem_funcs *mf,
+				    sha256_pin_t **pinset_out)
+{
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+
+
+/* create a getdns_list version of the pinset */
+getdns_return_t
+_getdns_get_pubkey_pinset_list(getdns_context *ctx,
+			       const sha256_pin_t *pinset_in,
+			       getdns_list **pinset_list)
+{
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+getdns_return_t
+_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
+					   getdns_upstream *upstream)
+{
+	return GETDNS_RETURN_GOOD;
+}
+
+/**
+ ** Interfaces from getdns_extra.h.
+ **/
+
+getdns_dict*
+getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str)
+{
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+getdns_return_t
+getdns_pubkey_pinset_sanity_check(const getdns_list* pinset, getdns_list* errorlist)
+{
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
new file mode 100644
index 00000000..2b76d564
--- /dev/null
+++ b/src/gnutls/tls-internal.h
@@ -0,0 +1,79 @@
+/**
+ *
+ * \file tls-internal.h
+ * @brief getdns TLS implementation-specific items
+ */
+
+/*
+ * Copyright (c) 2018, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _GETDNS_TLS_INTERNAL_H
+#define _GETDNS_TLS_INTERNAL_H
+
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
+#include "getdns/getdns.h"
+
+#define SHA_DIGEST_LENGTH	20
+#define SHA224_DIGEST_LENGTH	28
+#define SHA256_DIGEST_LENGTH	32
+#define SHA384_DIGEST_LENGTH	48
+#define SHA512_DIGEST_LENGTH	64
+
+#define GETDNS_TLS_MAX_DIGEST_LENGTH	(SHA512_DIGEST_LENGTH)
+
+#define HAVE_TLS_CTX_CURVES_LIST	0
+#define HAVE_TLS_CONN_CURVES_LIST	0
+
+
+typedef struct _getdns_tls_context {
+	int unused;
+} _getdns_tls_context;
+
+typedef struct _getdns_tls_connection {
+	gnutls_session_t tls;
+	gnutls_certificate_credentials_t cred;
+	int shutdown;
+} _getdns_tls_connection;
+
+typedef struct _getdns_tls_session {
+	gnutls_datum_t tls;
+} _getdns_tls_session;
+
+typedef struct _getdns_tls_x509
+{
+	gnutls_datum_t tls;
+} _getdns_tls_x509;
+
+typedef struct _getdns_tls_hmac
+{
+	gnutls_hmac_hd_t tls;
+	unsigned int md_len;
+} _getdns_tls_hmac;
+
+#endif /* _GETDNS_TLS_INTERNAL_H */
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
new file mode 100644
index 00000000..34c1d24c
--- /dev/null
+++ b/src/gnutls/tls.c
@@ -0,0 +1,505 @@
+/**
+ *
+ * \file tls.c
+ * @brief getdns TLS functions
+ */
+
+/*
+ * Copyright (c) 2018, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <gnutls/x509.h>
+
+#include "config.h"
+
+#include "debug.h"
+#include "context.h"
+
+#include "tls.h"
+
+static getdns_return_t error_may_want_read_write(_getdns_tls_connection* conn, int err)
+{
+	switch (err) {
+	case GNUTLS_E_INTERRUPTED:
+	case GNUTLS_E_AGAIN:
+	case GNUTLS_E_WARNING_ALERT_RECEIVED:
+	case GNUTLS_E_GOT_APPLICATION_DATA:
+		if (gnutls_record_get_direction(conn->tls) == 0)
+			return GETDNS_RETURN_TLS_WANT_READ;
+		else
+			return GETDNS_RETURN_TLS_WANT_WRITE;
+
+	default:
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+}
+
+static getdns_return_t get_gnu_mac_algorithm(int algorithm, gnutls_mac_algorithm_t* gnualg)
+{
+	switch (algorithm) {
+	case GETDNS_HMAC_MD5   : *gnualg = GNUTLS_MAC_MD5   ; break;
+	case GETDNS_HMAC_SHA1  : *gnualg = GNUTLS_MAC_SHA1  ; break;
+	case GETDNS_HMAC_SHA224: *gnualg = GNUTLS_MAC_SHA224; break;
+	case GETDNS_HMAC_SHA256: *gnualg = GNUTLS_MAC_SHA256; break;
+	case GETDNS_HMAC_SHA384: *gnualg = GNUTLS_MAC_SHA384; break;
+	case GETDNS_HMAC_SHA512: *gnualg = GNUTLS_MAC_SHA512; break;
+	default                : return GETDNS_RETURN_GENERIC_ERROR;
+	}
+
+	return GETDNS_RETURN_GOOD;
+}
+
+static _getdns_tls_x509* _getdns_tls_x509_new(struct mem_funcs* mfs, gnutls_datum_t cert)
+{
+	_getdns_tls_x509* res;
+
+	res = GETDNS_MALLOC(*mfs, _getdns_tls_x509);
+	if (res)
+		res->tls = cert;
+
+	return res;
+}
+
+void _getdns_tls_init()
+{
+	gnutls_global_init();
+}
+
+_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
+{
+	_getdns_tls_context* res;
+
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context)))
+		return NULL;
+
+	return res;
+}
+
+getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx)
+{
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	GETDNS_FREE(*mfs, ctx);
+	return GETDNS_RETURN_GOOD;
+}
+
+void _getdns_tls_context_dane_init(_getdns_tls_context* ctx)
+{
+	(void) ctx;
+}
+
+getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
+{
+	(void) ctx;
+	return GETDNS_RETURN_NOT_IMPLEMENTED;
+}
+
+getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list)
+{
+	(void) list;
+
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list)
+{
+	(void) list;
+
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path)
+{
+	(void) file;
+	(void) path;
+
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	return GETDNS_RETURN_GOOD;
+}
+
+_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd)
+{
+	_getdns_tls_connection* res;
+	int r;
+
+	if (!ctx)
+		return NULL;
+
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_connection)))
+		return NULL;
+
+	res->shutdown = 0;
+
+	r = gnutls_certificate_allocate_credentials(&res->cred);
+	if (r == GNUTLS_E_SUCCESS)
+		gnutls_certificate_set_x509_system_trust(res->cred);
+	if (r == GNUTLS_E_SUCCESS)
+		r = gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK);
+	if (r == GNUTLS_E_SUCCESS)
+		r = gnutls_set_default_priority(res->tls);
+	if (r == GNUTLS_E_SUCCESS)
+		r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred);
+	if (r != GNUTLS_E_SUCCESS) {
+		_getdns_tls_connection_free(mfs, res);
+		return NULL;
+	}
+
+	gnutls_transport_set_int(res->tls, fd);
+	return res;
+}
+
+getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	gnutls_deinit(conn->tls);
+	gnutls_certificate_free_credentials(conn->cred);
+	GETDNS_FREE(*mfs, conn);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (conn->shutdown == 0) {
+		gnutls_bye(conn->tls, GNUTLS_SHUT_WR);
+		conn->shutdown++;
+	} else {
+		gnutls_bye(conn->tls, GNUTLS_SHUT_RDWR);
+		conn->shutdown++;
+	}
+
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list)
+{
+	(void) list;
+
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list)
+{
+	(void) list;
+
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s)
+{
+	int r;
+
+	if (!conn || !conn->tls || !s)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	r = gnutls_session_set_data(conn->tls, s->tls.data, s->tls.size);
+	if (r != GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GENERIC_ERROR;
+	return GETDNS_RETURN_GOOD;
+}
+
+_getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _getdns_tls_connection* conn)
+{
+	_getdns_tls_session* res;
+	int r;
+
+	if (!conn || !conn->tls)
+		return NULL;
+
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_session)))
+		return NULL;
+
+	r = gnutls_session_get_data2(conn->tls, &res->tls);
+	if (r != GNUTLS_E_SUCCESS) {
+		GETDNS_FREE(*mfs, res);
+		return NULL;
+	}
+
+	return res;
+}
+
+const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->tls)
+		return NULL;
+
+	return gnutls_protocol_get_name(gnutls_protocol_get_version(conn->tls));
+}
+
+getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
+{
+	int r;
+
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	r = gnutls_handshake(conn->tls);
+	if (r == GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GOOD;
+	else
+		return error_may_want_read_write(conn, r);
+}
+
+_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(struct mem_funcs* mfs, _getdns_tls_connection* conn)
+{
+	const gnutls_datum_t *cert_list;
+	unsigned int cert_list_size;
+
+	if (!conn || !conn->tls)
+		return NULL;
+
+	cert_list = gnutls_certificate_get_peers(conn->tls, &cert_list_size);
+	if (cert_list == NULL)
+		return NULL;
+
+	return _getdns_tls_x509_new(mfs, *cert_list);
+}
+
+getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (gnutls_session_is_resumed(conn->tls) != 0)
+		return GETDNS_RETURN_GOOD;
+	else
+		return GETDNS_RETURN_TLS_CONNECTION_FRESH;
+}
+
+getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connection* conn, const char* auth_name)
+{
+	if (!conn || !conn->tls || !auth_name)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset)
+{
+	(void) pinset;
+
+	if (!conn || !conn->tls || !auth_name)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
+{
+	(void) errnum;
+	(void) errmsg;
+
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	return GETDNS_RETURN_GOOD;
+}
+
+
+getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read)
+{
+	ssize_t sread;
+
+	if (!conn || !conn->tls || !read)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	sread = gnutls_record_recv(conn->tls, buf, to_read);
+	if (sread < 0)
+		return error_may_want_read_write(conn, sread);
+
+	*read = sread;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written)
+{
+	int swritten;
+
+	if (!conn || !conn->tls || !written)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	swritten = gnutls_record_send(conn->tls, buf, to_write);
+	if (swritten < 0)
+		return error_may_want_read_write(conn, swritten);
+
+	*written = swritten;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_session_free(struct mem_funcs* mfs, _getdns_tls_session* s)
+{
+	if (!s)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	GETDNS_FREE(*mfs, s);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict)
+{
+	if (! getdns_dict_set_int(
+	    dict, "gnutls_version_number", GNUTLS_VERSION_NUMBER)
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "gnutls_version_string", GNUTLS_VERSION)
+		)
+		return GETDNS_RETURN_GOOD;
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+void _getdns_tls_x509_free(struct mem_funcs* mfs, _getdns_tls_x509* cert)
+{
+	if (cert)
+		GETDNS_FREE(*mfs, cert);
+}
+
+int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata)
+{
+	gnutls_x509_crt_t crt;
+	size_t s;
+
+	if (!cert || gnutls_x509_crt_init(&crt) != GNUTLS_E_SUCCESS)
+		return 0;
+
+	gnutls_x509_crt_import(crt, &cert->tls, GNUTLS_X509_FMT_DER);
+	gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, NULL, &s);
+
+	if (!bindata) {
+		gnutls_x509_crt_deinit(crt);
+		return s;
+	}
+
+	bindata->data = GETDNS_XMALLOC(*mfs, uint8_t, s);
+	if (!bindata->data) {
+		gnutls_x509_crt_deinit(crt);
+		return 0;
+	}
+
+	gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, bindata->data, &s);
+	bindata->size = s;
+	gnutls_x509_crt_deinit(crt);
+	return s;
+}
+
+unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size)
+{
+	gnutls_mac_algorithm_t alg;
+	unsigned int md_len;
+	unsigned char* res;
+
+	if (get_gnu_mac_algorithm(algorithm, &alg) != GETDNS_RETURN_GOOD)
+		return NULL;
+
+	md_len = gnutls_hmac_get_len(alg);
+	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, md_len);
+	if (!res)
+		return NULL;
+
+	(void) gnutls_hmac_fast(alg, key, key_size, data, data_size, res);
+
+	if (output_size)
+		*output_size = md_len;
+	return res;
+}
+
+_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
+{
+	gnutls_mac_algorithm_t alg;
+	_getdns_tls_hmac* res;
+
+	if (get_gnu_mac_algorithm(algorithm, &alg) != GETDNS_RETURN_GOOD)
+		return NULL;
+
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
+		return NULL;
+
+	if (gnutls_hmac_init(&res->tls, alg, key, key_size) < 0) {
+		GETDNS_FREE(*mfs, res);
+		return NULL;
+	}
+	res->md_len = gnutls_hmac_get_len(alg);
+	return res;
+}
+
+getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
+{
+	if (!h || !h->tls || !data)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (gnutls_hmac(h->tls, data, data_size) < 0)
+		return GETDNS_RETURN_GENERIC_ERROR;
+	else
+		return GETDNS_RETURN_GOOD;
+}
+
+unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
+{
+	unsigned char* res;
+
+	if (!h || !h->tls)
+		return NULL;
+
+	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, h->md_len);
+	if (!res)
+		return NULL;
+
+	gnutls_hmac_deinit(h->tls, res);
+	if (output_size)
+		*output_size = h->md_len;
+
+	GETDNS_FREE(*mfs, h);
+	return res;
+}
+
+void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
+{
+	gnutls_hash_fast(GNUTLS_DIG_SHA1, data, data_size, buf);
+}
+
+void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen)
+{
+	gnutls_hash_hd_t digest;
+
+	gnutls_hash_init(&digest, GNUTLS_DIG_SHA256);
+	gnutls_hash(digest, &secret, sizeof(secret));
+	gnutls_hash(digest, addr, addrlen);
+	gnutls_hash_deinit(digest, buf);
+	*buflen = gnutls_hash_get_len(GNUTLS_DIG_SHA256);
+}
+
+/* tls.c */
diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c
new file mode 100644
index 00000000..2290eb4c
--- /dev/null
+++ b/src/gnutls/val_secalgo.c
@@ -0,0 +1,58 @@
+/**
+ *
+ * /brief secalgo interface.
+ *
+ */
+/*
+ * Copyright (c) 2017, NLnet Labs, the getdns team
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "util/val_secalgo.h"
+
+size_t _getdns_ds_digest_size_supported(int algo)
+{
+	return 0;
+}
+
+int _getdns_secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+	unsigned char* res)
+{
+	return 0;
+}
+
+int _getdns_dnskey_algo_id_is_supported(int id)
+{
+	return 0;
+}
+
+enum sec_status _getdns_verify_canonrrset(struct gldns_buffer* buf, int algo,
+	unsigned char* sigblock, unsigned int sigblock_len,
+	unsigned char* key, unsigned int keylen, char** reason)
+{
+	return sec_status_bogus;
+}

From b2312aee12e32e3eae1ef9e8a6c33ce4a5f36ff6 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 5 Dec 2018 17:20:28 +0000
Subject: [PATCH 200/303] Implement hostname authentication.

---
 src/gnutls/tls.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 34c1d24c..8588670c 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -304,9 +304,16 @@ getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection*
 
 getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connection* conn, const char* auth_name)
 {
+	int r;
+
 	if (!conn || !conn->tls || !auth_name)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
+	r = gnutls_server_name_set(conn->tls, GNUTLS_NAME_DNS, auth_name, strlen(auth_name));
+	if (r != GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	gnutls_session_set_verify_cert(conn->tls, auth_name, 0);
 	return GETDNS_RETURN_GOOD;
 }
 

From c6dffa1239bf362577a7c8b8430ce5911b512560 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 6 Dec 2018 10:41:58 +0000
Subject: [PATCH 201/303] Add use of libnettle, and enable val_secalgo routines
 from existing Nettle implementation.

Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.

GnuTLS uses Nettle itself, so this is not adding a new dependency.
---
 configure.ac              |  2 +
 m4/ax_lib_nettle.m4       | 80 +++++++++++++++++++++++++++++++++++++++
 src/gnutls/val_secalgo.c  | 59 +----------------------------
 src/gnutls/validator      |  1 +
 src/openssl/val_secalgo.c | 20 +++++-----
 5 files changed, 94 insertions(+), 68 deletions(-)
 create mode 100644 m4/ax_lib_nettle.m4
 mode change 100644 => 120000 src/gnutls/val_secalgo.c
 create mode 120000 src/gnutls/validator

diff --git a/configure.ac b/configure.ac
index a16100e3..865e21b4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -33,6 +33,7 @@ AC_PREREQ([2.68])
 AC_CONFIG_MACRO_DIRS([m4])
 sinclude(./m4/acx_openssl.m4)
 sinclude(./m4/acx_getaddrinfo.m4)
+sinclude(./m4/ac_lib_nettle.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
@@ -409,6 +410,7 @@ AC_ARG_WITH([gnutls],
         CFLAGS="$libgnutls_CFLAGS $CFLAGS"
         AC_SUBST([TLSDIR], 'gnutls')
         AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library])
+        AX_LIB_NETTLE(yes)
     ],
     [
         ACX_WITH_SSL_OPTIONAL
diff --git a/m4/ax_lib_nettle.m4 b/m4/ax_lib_nettle.m4
new file mode 100644
index 00000000..e0ba1eac
--- /dev/null
+++ b/m4/ax_lib_nettle.m4
@@ -0,0 +1,80 @@
+# ===========================================================================
+#      https://www.gnu.org/software/autoconf-archive/ax_lib_nettle.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_LIB_NETTLE([yes|no|auto])
+#
+# DESCRIPTION
+#
+#   Searches for the 'nettle' library with the --with... option.
+#
+#   If found, define HAVE_NETTLE and macro NETTLE_LIBS. Also defines
+#   NETTLE_WITH_<algo> for the algorithms found available. Possible
+#   algorithms: AES ARCTWO BLOWFISH CAST128 DES DES3 SERPENT TWOFISH MD2 MD4
+#   MD5 SHA1 SHA256.
+#
+#   The argument is used if no --with...-nettle option is set. Value "yes"
+#   requires the configuration by default. Value "no" does not require it by
+#   default. Value "auto" configures the library only if available.
+#
+#   See also AX_LIB_BEECRYPT, AX_LIB_CRYPTO, and AX_LIB_GCRYPT.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Fabien Coelho <autoconf.archive@coelho.net>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 10
+
+# AX_CHECK_NETTLE_ALGO([name],[function])
+AC_DEFUN([AX_CHECK_NETTLE_ALGO],[
+  AC_CHECK_LIB([nettle], [nettle_$2],
+    AC_DEFINE([NETTLE_WITH_$1],[1],[Algorithm $1 in nettle library]))
+])
+
+# AX_LIB_NETTLE([yes|no|auto])
+AC_DEFUN([AX_LIB_NETTLE],[
+  AC_MSG_CHECKING([whether nettle is enabled])
+  AC_ARG_WITH([nettle],
+        AC_HELP_STRING([--with-nettle], [Require nettle library (required with GnuTLS)]),[
+    AC_MSG_RESULT([$withval])
+    ax_with_nettle=$withval
+  ],[
+    AC_MSG_RESULT([$1])
+    ax_with_nettle=$1
+  ])
+  if test "$ax_with_nettle" = "yes" -o "$ax_with_nettle" = "auto" ; then
+    AC_CHECK_HEADERS([nettle/nettle-meta.h],[
+      AC_CHECK_LIB([nettle],[nettle_base64_encode_final],[
+        AC_DEFINE([HAVE_NETTLE],[1],[Nettle library is available])
+	HAVE_NETTLE=1
+        AC_SUBST([NETTLE_LIBS],[-lnettle])
+	# ciphers
+        AX_CHECK_NETTLE_ALGO([AES],[aes_encrypt])
+        AX_CHECK_NETTLE_ALGO([ARCTWO],[arctwo_encrypt])
+        AX_CHECK_NETTLE_ALGO([BLOWFISH],[blowfish_encrypt])
+        AX_CHECK_NETTLE_ALGO([CAST128],[cast128_encrypt])
+        AX_CHECK_NETTLE_ALGO([DES],[des_encrypt])
+        AX_CHECK_NETTLE_ALGO([DES3],[des3_encrypt])
+        AX_CHECK_NETTLE_ALGO([SERPENT],[serpent_encrypt])
+        AX_CHECK_NETTLE_ALGO([TWOFISH],[twofish_encrypt])
+	# digests
+        AX_CHECK_NETTLE_ALGO([MD2],[md2_digest])
+        AX_CHECK_NETTLE_ALGO([MD4],[md4_digest])
+        AX_CHECK_NETTLE_ALGO([MD5],[md5_digest])
+        AX_CHECK_NETTLE_ALGO([SHA1],[sha1_digest])
+        AX_CHECK_NETTLE_ALGO([SHA256],[sha256_digest])
+      ])
+    ])
+    # complain only if explicitly required
+    if test "$ax_with_nettle" = "yes" -a "x$HAVE_NETTLE" = "x" ; then
+        AC_MSG_ERROR([cannot configure required nettle library])
+    fi
+  fi
+])
diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c
deleted file mode 100644
index 2290eb4c..00000000
--- a/src/gnutls/val_secalgo.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- *
- * /brief secalgo interface.
- *
- */
-/*
- * Copyright (c) 2017, NLnet Labs, the getdns team
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * * Redistributions of source code must retain the above copyright
- *   notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- *   notice, this list of conditions and the following disclaimer in the
- *   documentation and/or other materials provided with the distribution.
- * * Neither the names of the copyright holders nor the
- *   names of its contributors may be used to endorse or promote products
- *   derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include "util/val_secalgo.h"
-
-size_t _getdns_ds_digest_size_supported(int algo)
-{
-	return 0;
-}
-
-int _getdns_secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
-	unsigned char* res)
-{
-	return 0;
-}
-
-int _getdns_dnskey_algo_id_is_supported(int id)
-{
-	return 0;
-}
-
-enum sec_status _getdns_verify_canonrrset(struct gldns_buffer* buf, int algo,
-	unsigned char* sigblock, unsigned int sigblock_len,
-	unsigned char* key, unsigned int keylen, char** reason)
-{
-	return sec_status_bogus;
-}
diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c
new file mode 120000
index 00000000..446f8e5f
--- /dev/null
+++ b/src/gnutls/val_secalgo.c
@@ -0,0 +1 @@
+../openssl/val_secalgo.c
\ No newline at end of file
diff --git a/src/gnutls/validator b/src/gnutls/validator
new file mode 120000
index 00000000..3e9ba44b
--- /dev/null
+++ b/src/gnutls/validator
@@ -0,0 +1 @@
+../openssl/validator
\ No newline at end of file
diff --git a/src/openssl/val_secalgo.c b/src/openssl/val_secalgo.c
index 95200a48..03fc96f2 100644
--- a/src/openssl/val_secalgo.c
+++ b/src/openssl/val_secalgo.c
@@ -1321,21 +1321,21 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 
 #elif defined(HAVE_NETTLE)
 
-#include "sha.h"
-#include "bignum.h"
-#include "macros.h"
-#include "rsa.h"
-#include "dsa.h"
+#include <nettle/sha.h>
+#include <nettle/bignum.h>
+#include <nettle/macros.h>
+#include <nettle/rsa.h>
+#include <nettle/dsa.h>
 #ifdef HAVE_NETTLE_DSA_COMPAT_H
-#include "dsa-compat.h"
+#include <nettle/dsa-compat.h>
 #endif
-#include "asn1.h"
+#include <nettle/asn1.h>
 #ifdef USE_ECDSA
-#include "ecdsa.h"
-#include "ecc-curve.h"
+#include <nettle/ecdsa.h>
+#include <nettle/ecc-curve.h>
 #endif
 #ifdef HAVE_NETTLE_EDDSA_H
-#include "eddsa.h"
+#include <nettle/eddsa.h>
 #endif
 
 static int

From 91764fb6b0bda5c523f93d3e1cca05c0690303f6 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 6 Dec 2018 11:04:00 +0000
Subject: [PATCH 202/303] Correct checking of connection validation result.

---
 src/stub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/stub.c b/src/stub.c
index f1421edb..723bd149 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -957,7 +957,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			long verify_errno;
 			const char* verify_errmsg;
 
-			if (!_getdns_tls_connection_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) {
+			if (_getdns_tls_connection_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) {
 				upstream->tls_auth_state = GETDNS_AUTH_OK;
 				if (verify_errno != 0) {
 					_getdns_upstream_log(upstream,

From e73ab48687fc8d929c64714a852db41bea9b58a9 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 6 Dec 2018 13:40:07 +0000
Subject: [PATCH 203/303] Extract non-OpenSSL specific code from anchor.c, and
 move it back to common source.

OpenSSL-specific items are in anchor-internal.c.
---
 src/Makefile.in                            |   4 +-
 src/{openssl => }/anchor.c                 | 338 +-----------------
 src/anchor.h                               |  23 ++
 src/gnutls/{anchor.c => anchor-internal.c} |  14 +-
 src/openssl/anchor-internal.c              | 382 +++++++++++++++++++++
 5 files changed, 417 insertions(+), 344 deletions(-)
 rename src/{openssl => }/anchor.c (80%)
 rename src/gnutls/{anchor.c => anchor-internal.c} (82%)
 create mode 100644 src/openssl/anchor-internal.c

diff --git a/src/Makefile.in b/src/Makefile.in
index 05e32b6f..48e8da3e 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -95,7 +95,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo
 
 JSMN_OBJ=jsmn.lo
-TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo
+TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo anchor-internal.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
@@ -147,7 +147,7 @@ $(EXTENSION_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/extension/$(@:.lo=.c) -o $@
 
 anchor.lo:
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/$(tlsdir)/anchor.c -o anchor.lo
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/anchor.c -o anchor.lo
 
 context.lo:
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/context.c -o context.lo
diff --git a/src/openssl/anchor.c b/src/anchor.c
similarity index 80%
rename from src/openssl/anchor.c
rename to src/anchor.c
index 31e0e6f0..12f16841 100644
--- a/src/openssl/anchor.c
+++ b/src/anchor.c
@@ -33,9 +33,6 @@
 #include "debug.h"
 #include "anchor.h"
 #include <fcntl.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/err.h>
 #include <strings.h>
 #include <time.h>
 #include "types-internal.h"
@@ -52,141 +49,6 @@
 #include "util-internal.h"
 #include "platform.h"
 
-/* get key usage out of its extension, returns 0 if no key_usage extension */
-static unsigned long
-_getdns_get_usage_of_ex(X509* cert)
-{
-	unsigned long val = 0;
-	ASN1_BIT_STRING* s;
-
-	if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) {
-		if(s->length > 0) {
-			val = s->data[0];
-			if(s->length > 1)
-				val |= s->data[1] << 8;
-		}
-		ASN1_BIT_STRING_free(s);
-	}
-	return val;
-}
-
-/** get valid signers from the list of signers in the signature */
-static STACK_OF(X509)*
-_getdns_get_valid_signers(PKCS7* p7, const char* p7signer)
-{
-	int i;
-	STACK_OF(X509)* validsigners = sk_X509_new_null();
-	STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0);
-	unsigned long usage = 0;
-	if(!validsigners) {
-		DEBUG_ANCHOR("ERROR %s(): Failed to allocated validsigners\n"
-		            , __FUNC__);
-		sk_X509_free(signers);
-		return NULL;
-	}
-	if(!signers) {
-		DEBUG_ANCHOR("ERROR %s(): Failed to allocated signers\n"
-		            , __FUNC__);
-		sk_X509_free(validsigners);
-		return NULL;
-	}
-	for(i=0; i<sk_X509_num(signers); i++) {
-		char buf[1024];
-		X509_NAME* nm = X509_get_subject_name(
-			sk_X509_value(signers, i));
-		if(!nm) {
-			DEBUG_ANCHOR("%s(): cert %d has no subject name\n"
-				    , __FUNC__, i);
-			continue;
-		}
-		if(!p7signer || strcmp(p7signer, "")==0) {
-			/* there is no name to check, return all records */
-			DEBUG_ANCHOR("%s(): did not check commonName of signer\n"
-				    , __FUNC__);
-		} else {
-			if(!X509_NAME_get_text_by_NID(nm,
-				NID_pkcs9_emailAddress,
-				buf, (int)sizeof(buf))) {
-				DEBUG_ANCHOR("%s(): removed cert with no name\n"
-					    , __FUNC__);
-				continue; /* no name, no use */
-			}
-			if(strcmp(buf, p7signer) != 0) {
-				DEBUG_ANCHOR("%s(): removed cert with wrong name\n"
-					    , __FUNC__);
-				continue; /* wrong name, skip it */
-			}
-		}
-
-		/* check that the key usage allows digital signatures
-		 * (the p7s) */
-		usage = _getdns_get_usage_of_ex(sk_X509_value(signers, i));
-		if(!(usage & KU_DIGITAL_SIGNATURE)) {
-			DEBUG_ANCHOR("%s(): removed cert with no key usage "
-			             "Digital Signature allowed\n"
-				    , __FUNC__);
-			continue;
-		}
-
-		/* we like this cert, add it to our list of valid
-		 * signers certificates */
-		sk_X509_push(validsigners, sk_X509_value(signers, i));
-	}
-	sk_X509_free(signers);
-	return validsigners;
-}
-
-static int
-_getdns_verify_p7sig(BIO* data, BIO* p7s, X509_STORE *store, const char* p7signer)
-{
-	PKCS7* p7;
-	STACK_OF(X509)* validsigners;
-	int secure = 0;
-#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
-	X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
-	if(!param) {
-		DEBUG_ANCHOR("ERROR %s(): Failed to allocated param\n"
-		            , __FUNC__);
-		return 0;
-	}
-	/* do the selfcheck on the root certificate; it checks that the
-	 * input is valid */
-	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE);
-	X509_STORE_set1_param(store, param);
-	X509_VERIFY_PARAM_free(param);
-#endif
-	(void)BIO_reset(p7s);
-	(void)BIO_reset(data);
-
-	/* convert p7s to p7 (the signature) */
-	p7 = d2i_PKCS7_bio(p7s, NULL);
-	if(!p7) {
-		DEBUG_ANCHOR("ERROR %s(): could not parse p7s signature file\n"
-		            , __FUNC__);
-		return 0;
-	}
-	/* check what is in the Subject name of the certificates,
-	 * and build a stack that contains only the right certificates */
-	validsigners = _getdns_get_valid_signers(p7, p7signer);
-	if(!validsigners) {
-		PKCS7_free(p7);
-		return 0;
-	}
-	if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) {
-		secure = 1;
-	}
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
-	else {
-		DEBUG_ANCHOR("ERROR %s(): the PKCS7 signature did not verify\n"
-		            , __FUNC__);
-		ERR_print_errors_cb(_getdns_ERR_print_errors_cb_f, NULL);
-	}
-#endif
-	sk_X509_free(validsigners);
-	PKCS7_free(p7);
-	return secure;
-}
-
 typedef struct ta_iter {
 	uint8_t yxml_buf[4096];
 	yxml_t x;
@@ -213,7 +75,7 @@ typedef struct ta_iter {
  * @param str: the string
  * @return a time_t representation or 0 on failure.
  */
-static time_t
+time_t
 _getdns_xml_convertdate(const char* str)
 {
 	time_t t = 0;
@@ -558,7 +420,7 @@ static ta_iter *ta_iter_init(ta_iter *ta, const char *doc, size_t doc_len)
 	return ta_iter_next(ta);
 }
 
-static uint16_t _getdns_parse_xml_trust_anchors_buf(
+uint16_t _getdns_parse_xml_trust_anchors_buf(
     gldns_buffer *gbuf, uint64_t *now_ms, char *xml_data, size_t xml_len)
 {
 	ta_iter ta_spc, *ta;
@@ -647,200 +509,6 @@ static uint16_t _getdns_parse_xml_trust_anchors_buf(
 	return ta_count;
 }
 
-static uint8_t *tas_validate(struct mem_funcs *mf,
-    const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd,
-    const getdns_bindata *crt_bd, const char *p7signer,
-    uint64_t *now_ms, uint8_t *tas, size_t *tas_len)
-{
-	BIO *xml = NULL, *p7s = NULL, *crt = NULL;
-	X509 *x = NULL;
-	X509_STORE *store = NULL;
-	uint8_t *success = NULL;
-
-	if (!(xml = BIO_new_mem_buf(xml_bd->data, xml_bd->size)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n"
-		            , __FUNC__);
-
-	else if (!(p7s = BIO_new_mem_buf(p7s_bd->data, p7s_bd->size)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n"
-		            , __FUNC__);
-	
-	else if (!(crt = BIO_new_mem_buf(crt_bd->data, crt_bd->size)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n"
-		            , __FUNC__);
-
-	else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL)))
-		DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n"
-		            , __FUNC__);
-
-	else if (!(store = X509_STORE_new()))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n"
-		            , __FUNC__);
-
-	else if (!X509_STORE_add_cert(store, x))
-		DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n"
-		            , __FUNC__);
-
-	else if (_getdns_verify_p7sig(xml, p7s, store, p7signer)) {
-		gldns_buffer gbuf;
-
-		gldns_buffer_init_vfixed_frm_data(&gbuf, tas, *tas_len);
-
-		if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms,
-		    (char *)xml_bd->data, xml_bd->size))
-			DEBUG_ANCHOR("Failed to parse trust anchor XML data");
-
-		else if (gldns_buffer_position(&gbuf) > *tas_len) {
-			*tas_len = gldns_buffer_position(&gbuf);
-			if ((success = GETDNS_XMALLOC(*mf, uint8_t, *tas_len))) {
-				gldns_buffer_init_frm_data(&gbuf, success, *tas_len);
-				if (!_getdns_parse_xml_trust_anchors_buf(&gbuf,
-				    now_ms, (char *)xml_bd->data, xml_bd->size)) {
-
-					DEBUG_ANCHOR("Failed to re-parse trust"
-					             " anchor XML data\n");
-					GETDNS_FREE(*mf, success);
-					success = NULL;
-				}
-			} else
-				DEBUG_ANCHOR("Could not allocate space for "
-				             "trust anchors\n");
-		} else {
-			success = tas;
-			*tas_len = gldns_buffer_position(&gbuf);
-		}
-	} else {
-		DEBUG_ANCHOR("Verifying trust-anchors failed!\n");
-	}
-	if (store)	X509_STORE_free(store);
-	if (x)		X509_free(x);
-	if (crt)	BIO_free(crt);
-	if (xml)	BIO_free(xml);
-	if (p7s)	BIO_free(p7s);
-	return success;
-}
-
-void _getdns_context_equip_with_anchor(
-    getdns_context *context, uint64_t *now_ms)
-{
-	uint8_t xml_spc[4096], *xml_data = NULL;
-	uint8_t p7s_spc[4096], *p7s_data = NULL;
-	size_t xml_len, p7s_len;
-	const char *verify_email = NULL;
-	const char *verify_CA = NULL;
-	getdns_return_t r;
-
-	BIO *xml = NULL, *p7s = NULL, *crt = NULL;
-	X509 *x = NULL;
-	X509_STORE *store = NULL;
-
-	if ((r = getdns_context_get_trust_anchors_verify_CA(
-	    context, &verify_CA)))
-		DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify"
-			     " CA: \"%s\"\n", __FUNC__
-			    , getdns_get_errorstr_by_id(r));
-
-	else if (!verify_CA || !*verify_CA)
-		DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely "
-		             "disabled by empty verify CA\n");
-
-	else if ((r = getdns_context_get_trust_anchors_verify_email(
-	    context, &verify_email)))
-		DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify email "
-		             "address: \"%s\"\n", __FUNC__
-		            , getdns_get_errorstr_by_id(r));
-
-	else if (!verify_email || !*verify_email)
-		DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely "
-		             "disabled by empty verify email\n");
-
-	else if (!(xml_data = _getdns_context_get_priv_file(context,
-	    "root-anchors.xml", xml_spc, sizeof(xml_spc), &xml_len)))
-		DEBUG_ANCHOR("DEBUG %s(): root-anchors.xml not present\n"
-		            , __FUNC__);
-
-	else if (!(p7s_data = _getdns_context_get_priv_file(context,
-	    "root-anchors.p7s", p7s_spc, sizeof(p7s_spc), &p7s_len)))
-		DEBUG_ANCHOR("DEBUG %s(): root-anchors.p7s not present\n"
-		            , __FUNC__);
-
-	else if (!(xml = BIO_new_mem_buf(xml_data, xml_len)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n"
-		            , __FUNC__);
-
-	else if (!(p7s = BIO_new_mem_buf(p7s_data, p7s_len)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n"
-		            , __FUNC__);
-
-	else if (!(crt = BIO_new_mem_buf((void *)verify_CA, -1)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n"
-		            , __FUNC__);
-
-	else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL)))
-		DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n"
-		            , __FUNC__);
-
-	else if (!(store = X509_STORE_new()))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n"
-		            , __FUNC__);
-
-	else if (!X509_STORE_add_cert(store, x))
-		DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n"
-		            , __FUNC__);
-
-	else if (_getdns_verify_p7sig(xml, p7s, store, verify_email)) {
-		uint8_t ta_spc[sizeof(context->trust_anchors_spc)];
-		size_t ta_len;
-		uint8_t *ta = NULL;
-		gldns_buffer gbuf;
-
-		gldns_buffer_init_vfixed_frm_data(
-		    &gbuf, ta_spc, sizeof(ta_spc));
-
-		if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms,
-		    (char *)xml_data, xml_len))
-			DEBUG_ANCHOR("Failed to parse trust anchor XML data");
-		else if ((ta_len = gldns_buffer_position(&gbuf)) > sizeof(ta_spc)) {
-			if ((ta = GETDNS_XMALLOC(context->mf, uint8_t, ta_len))) {
-				gldns_buffer_init_frm_data(&gbuf, ta,
-				    gldns_buffer_position(&gbuf));
-				if (!_getdns_parse_xml_trust_anchors_buf(
-				    &gbuf, now_ms, (char *)xml_data, xml_len)) {
-					DEBUG_ANCHOR("Failed to re-parse trust"
-					             " anchor XML data");
-					GETDNS_FREE(context->mf, ta);
-				} else {
-					context->trust_anchors = ta;
-					context->trust_anchors_len = ta_len;
-					context->trust_anchors_source = GETDNS_TASRC_XML;
-					_getdns_ta_notify_dnsreqs(context);
-				}
-			} else
-				DEBUG_ANCHOR("Could not allocate space for XML file");
-		} else {
-			(void)memcpy(context->trust_anchors_spc, ta_spc, ta_len);
-			context->trust_anchors = context->trust_anchors_spc;
-			context->trust_anchors_len = ta_len;
-			context->trust_anchors_source = GETDNS_TASRC_XML;
-			_getdns_ta_notify_dnsreqs(context);
-		}
-		DEBUG_ANCHOR("ta: %p, ta_len: %d\n",
-		    (void *)context->trust_anchors, (int)context->trust_anchors_len);
-		
-	} else {
-		DEBUG_ANCHOR("Verifying trust-anchors failed!\n");
-	}
-	if (store)	X509_STORE_free(store);
-	if (x)		X509_free(x);
-	if (crt)	BIO_free(crt);
-	if (xml)	BIO_free(xml);
-	if (p7s)	BIO_free(p7s);
-	if (xml_data && xml_data != xml_spc)
-		GETDNS_FREE(context->mf, xml_data);
-	if (p7s_data && p7s_data != p7s_spc)
-		GETDNS_FREE(context->mf, p7s_data);
-}
-
 static const char tas_write_p7s_buf[] =
 "GET %s HTTP/1.1\r\n"
 "Host: %s\r\n"
@@ -1032,7 +700,7 @@ static void tas_doc_read(getdns_context *context, tas_connection *a)
 				     " email address: \"%s\"\n", __FUNC__
 				    , getdns_get_errorstr_by_id(r));
 
-		else if (!(tas = tas_validate(&context->mf, &a->xml, &p7s_bd,
+		else if (!(tas = _getdns_tas_validate(&context->mf, &a->xml, &p7s_bd,
 		    &verify_CA, verify_email, &now_ms, tas, &tas_len)))
 			; /* pass */
 
diff --git a/src/anchor.h b/src/anchor.h
index 3c826384..139dd341 100644
--- a/src/anchor.h
+++ b/src/anchor.h
@@ -39,6 +39,29 @@
 #include <time.h>
 #include "rr-iter.h"
 
+#include "types-internal.h"
+
+/**
+ ** Internal functions, implemented in anchor-internal.c.
+ **/
+void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms);
+
+uint8_t *_getdns_tas_validate(struct mem_funcs *mf,
+    const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd,
+    const getdns_bindata *crt_bd, const char *p7signer,
+                      uint64_t *now_ms, uint8_t *tas, size_t *tas_len);
+
+
+/**
+ ** anchor.c functions used by anchor-internal.c.
+ **/
+time_t _getdns_xml_convertdate(const char* str);
+
+uint16_t _getdns_parse_xml_trust_anchors_buf(gldns_buffer *gbuf, uint64_t *now_ms, char *xml_data, size_t xml_len);
+
+/**
+ ** Public interface.
+ **/
 void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms);
 
 void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop);
diff --git a/src/gnutls/anchor.c b/src/gnutls/anchor-internal.c
similarity index 82%
rename from src/gnutls/anchor.c
rename to src/gnutls/anchor-internal.c
index 57fb60e1..45b58d52 100644
--- a/src/gnutls/anchor.c
+++ b/src/gnutls/anchor-internal.c
@@ -34,15 +34,15 @@
 #include "config.h"
 #include "anchor.h"
 
-void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms)
+void _getdns_context_equip_with_anchor(
+        getdns_context *context, uint64_t *now_ms)
 {
 }
 
-void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop)
-{
-}
-
-void _getdns_context_update_root_ksk(
-    getdns_context *context, _getdns_rrset *dnskey_set)
+uint8_t *_getdns_tas_validate(struct mem_funcs *mf,
+    const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd,
+    const getdns_bindata *crt_bd, const char *p7signer,
+                      uint64_t *now_ms, uint8_t *tas, size_t *tas_len)
 {
+        return NULL;
 }
diff --git a/src/openssl/anchor-internal.c b/src/openssl/anchor-internal.c
new file mode 100644
index 00000000..db9e01f8
--- /dev/null
+++ b/src/openssl/anchor-internal.c
@@ -0,0 +1,382 @@
+/**
+ *
+ * /brief functions for DNSSEC trust anchor management
+ */
+/*
+ * Copyright (c) 2017, NLnet Labs, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "debug.h"
+#include "anchor.h"
+#include <fcntl.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/err.h>
+#include <strings.h>
+#include <time.h>
+#include "types-internal.h"
+#include "context.h"
+#include "dnssec.h"
+#include "yxml/yxml.h"
+#include "gldns/parseutil.h"
+#include "gldns/gbuffer.h"
+#include "gldns/str2wire.h"
+#include "gldns/wire2str.h"
+#include "gldns/pkthdr.h"
+#include "gldns/keyraw.h"
+#include "general.h"
+#include "util-internal.h"
+#include "platform.h"
+
+/* get key usage out of its extension, returns 0 if no key_usage extension */
+static unsigned long
+_getdns_get_usage_of_ex(X509* cert)
+{
+	unsigned long val = 0;
+	ASN1_BIT_STRING* s;
+
+	if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) {
+		if(s->length > 0) {
+			val = s->data[0];
+			if(s->length > 1)
+				val |= s->data[1] << 8;
+		}
+		ASN1_BIT_STRING_free(s);
+	}
+	return val;
+}
+
+/** get valid signers from the list of signers in the signature */
+static STACK_OF(X509)*
+_getdns_get_valid_signers(PKCS7* p7, const char* p7signer)
+{
+	int i;
+	STACK_OF(X509)* validsigners = sk_X509_new_null();
+	STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0);
+	unsigned long usage = 0;
+	if(!validsigners) {
+		DEBUG_ANCHOR("ERROR %s(): Failed to allocated validsigners\n"
+		            , __FUNC__);
+		sk_X509_free(signers);
+		return NULL;
+	}
+	if(!signers) {
+		DEBUG_ANCHOR("ERROR %s(): Failed to allocated signers\n"
+		            , __FUNC__);
+		sk_X509_free(validsigners);
+		return NULL;
+	}
+	for(i=0; i<sk_X509_num(signers); i++) {
+		char buf[1024];
+		X509_NAME* nm = X509_get_subject_name(
+			sk_X509_value(signers, i));
+		if(!nm) {
+			DEBUG_ANCHOR("%s(): cert %d has no subject name\n"
+				    , __FUNC__, i);
+			continue;
+		}
+		if(!p7signer || strcmp(p7signer, "")==0) {
+			/* there is no name to check, return all records */
+			DEBUG_ANCHOR("%s(): did not check commonName of signer\n"
+				    , __FUNC__);
+		} else {
+			if(!X509_NAME_get_text_by_NID(nm,
+				NID_pkcs9_emailAddress,
+				buf, (int)sizeof(buf))) {
+				DEBUG_ANCHOR("%s(): removed cert with no name\n"
+					    , __FUNC__);
+				continue; /* no name, no use */
+			}
+			if(strcmp(buf, p7signer) != 0) {
+				DEBUG_ANCHOR("%s(): removed cert with wrong name\n"
+					    , __FUNC__);
+				continue; /* wrong name, skip it */
+			}
+		}
+
+		/* check that the key usage allows digital signatures
+		 * (the p7s) */
+		usage = _getdns_get_usage_of_ex(sk_X509_value(signers, i));
+		if(!(usage & KU_DIGITAL_SIGNATURE)) {
+			DEBUG_ANCHOR("%s(): removed cert with no key usage "
+			             "Digital Signature allowed\n"
+				    , __FUNC__);
+			continue;
+		}
+
+		/* we like this cert, add it to our list of valid
+		 * signers certificates */
+		sk_X509_push(validsigners, sk_X509_value(signers, i));
+	}
+	sk_X509_free(signers);
+	return validsigners;
+}
+
+static int
+_getdns_verify_p7sig(BIO* data, BIO* p7s, X509_STORE *store, const char* p7signer)
+{
+	PKCS7* p7;
+	STACK_OF(X509)* validsigners;
+	int secure = 0;
+#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
+	X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
+	if(!param) {
+		DEBUG_ANCHOR("ERROR %s(): Failed to allocated param\n"
+		            , __FUNC__);
+		return 0;
+	}
+	/* do the selfcheck on the root certificate; it checks that the
+	 * input is valid */
+	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE);
+	X509_STORE_set1_param(store, param);
+	X509_VERIFY_PARAM_free(param);
+#endif
+	(void)BIO_reset(p7s);
+	(void)BIO_reset(data);
+
+	/* convert p7s to p7 (the signature) */
+	p7 = d2i_PKCS7_bio(p7s, NULL);
+	if(!p7) {
+		DEBUG_ANCHOR("ERROR %s(): could not parse p7s signature file\n"
+		            , __FUNC__);
+		return 0;
+	}
+	/* check what is in the Subject name of the certificates,
+	 * and build a stack that contains only the right certificates */
+	validsigners = _getdns_get_valid_signers(p7, p7signer);
+	if(!validsigners) {
+		PKCS7_free(p7);
+		return 0;
+	}
+	if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) {
+		secure = 1;
+	}
+#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
+	else {
+		DEBUG_ANCHOR("ERROR %s(): the PKCS7 signature did not verify\n"
+		            , __FUNC__);
+		ERR_print_errors_cb(_getdns_ERR_print_errors_cb_f, NULL);
+	}
+#endif
+	sk_X509_free(validsigners);
+	PKCS7_free(p7);
+	return secure;
+}
+
+uint8_t *_getdns_tas_validate(struct mem_funcs *mf,
+    const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd,
+    const getdns_bindata *crt_bd, const char *p7signer,
+    uint64_t *now_ms, uint8_t *tas, size_t *tas_len)
+{
+	BIO *xml = NULL, *p7s = NULL, *crt = NULL;
+	X509 *x = NULL;
+	X509_STORE *store = NULL;
+	uint8_t *success = NULL;
+
+	if (!(xml = BIO_new_mem_buf(xml_bd->data, xml_bd->size)))
+		DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n"
+		            , __FUNC__);
+
+	else if (!(p7s = BIO_new_mem_buf(p7s_bd->data, p7s_bd->size)))
+		DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n"
+		            , __FUNC__);
+	
+	else if (!(crt = BIO_new_mem_buf(crt_bd->data, crt_bd->size)))
+		DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n"
+		            , __FUNC__);
+
+	else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL)))
+		DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n"
+		            , __FUNC__);
+
+	else if (!(store = X509_STORE_new()))
+		DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n"
+		            , __FUNC__);
+
+	else if (!X509_STORE_add_cert(store, x))
+		DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n"
+		            , __FUNC__);
+
+	else if (_getdns_verify_p7sig(xml, p7s, store, p7signer)) {
+		gldns_buffer gbuf;
+
+		gldns_buffer_init_vfixed_frm_data(&gbuf, tas, *tas_len);
+
+		if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms,
+		    (char *)xml_bd->data, xml_bd->size))
+			DEBUG_ANCHOR("Failed to parse trust anchor XML data");
+
+		else if (gldns_buffer_position(&gbuf) > *tas_len) {
+			*tas_len = gldns_buffer_position(&gbuf);
+			if ((success = GETDNS_XMALLOC(*mf, uint8_t, *tas_len))) {
+				gldns_buffer_init_frm_data(&gbuf, success, *tas_len);
+				if (!_getdns_parse_xml_trust_anchors_buf(&gbuf,
+				    now_ms, (char *)xml_bd->data, xml_bd->size)) {
+
+					DEBUG_ANCHOR("Failed to re-parse trust"
+					             " anchor XML data\n");
+					GETDNS_FREE(*mf, success);
+					success = NULL;
+				}
+			} else
+				DEBUG_ANCHOR("Could not allocate space for "
+				             "trust anchors\n");
+		} else {
+			success = tas;
+			*tas_len = gldns_buffer_position(&gbuf);
+		}
+	} else {
+		DEBUG_ANCHOR("Verifying trust-anchors failed!\n");
+	}
+	if (store)	X509_STORE_free(store);
+	if (x)		X509_free(x);
+	if (crt)	BIO_free(crt);
+	if (xml)	BIO_free(xml);
+	if (p7s)	BIO_free(p7s);
+	return success;
+}
+
+void _getdns_context_equip_with_anchor(
+    getdns_context *context, uint64_t *now_ms)
+{
+	uint8_t xml_spc[4096], *xml_data = NULL;
+	uint8_t p7s_spc[4096], *p7s_data = NULL;
+	size_t xml_len, p7s_len;
+	const char *verify_email = NULL;
+	const char *verify_CA = NULL;
+	getdns_return_t r;
+
+	BIO *xml = NULL, *p7s = NULL, *crt = NULL;
+	X509 *x = NULL;
+	X509_STORE *store = NULL;
+
+	if ((r = getdns_context_get_trust_anchors_verify_CA(
+	    context, &verify_CA)))
+		DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify"
+			     " CA: \"%s\"\n", __FUNC__
+			    , getdns_get_errorstr_by_id(r));
+
+	else if (!verify_CA || !*verify_CA)
+		DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely "
+		             "disabled by empty verify CA\n");
+
+	else if ((r = getdns_context_get_trust_anchors_verify_email(
+	    context, &verify_email)))
+		DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify email "
+		             "address: \"%s\"\n", __FUNC__
+		            , getdns_get_errorstr_by_id(r));
+
+	else if (!verify_email || !*verify_email)
+		DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely "
+		             "disabled by empty verify email\n");
+
+	else if (!(xml_data = _getdns_context_get_priv_file(context,
+	    "root-anchors.xml", xml_spc, sizeof(xml_spc), &xml_len)))
+		DEBUG_ANCHOR("DEBUG %s(): root-anchors.xml not present\n"
+		            , __FUNC__);
+
+	else if (!(p7s_data = _getdns_context_get_priv_file(context,
+	    "root-anchors.p7s", p7s_spc, sizeof(p7s_spc), &p7s_len)))
+		DEBUG_ANCHOR("DEBUG %s(): root-anchors.p7s not present\n"
+		            , __FUNC__);
+
+	else if (!(xml = BIO_new_mem_buf(xml_data, xml_len)))
+		DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n"
+		            , __FUNC__);
+
+	else if (!(p7s = BIO_new_mem_buf(p7s_data, p7s_len)))
+		DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n"
+		            , __FUNC__);
+
+	else if (!(crt = BIO_new_mem_buf((void *)verify_CA, -1)))
+		DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n"
+		            , __FUNC__);
+
+	else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL)))
+		DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n"
+		            , __FUNC__);
+
+	else if (!(store = X509_STORE_new()))
+		DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n"
+		            , __FUNC__);
+
+	else if (!X509_STORE_add_cert(store, x))
+		DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n"
+		            , __FUNC__);
+
+	else if (_getdns_verify_p7sig(xml, p7s, store, verify_email)) {
+		uint8_t ta_spc[sizeof(context->trust_anchors_spc)];
+		size_t ta_len;
+		uint8_t *ta = NULL;
+		gldns_buffer gbuf;
+
+		gldns_buffer_init_vfixed_frm_data(
+		    &gbuf, ta_spc, sizeof(ta_spc));
+
+		if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms,
+		    (char *)xml_data, xml_len))
+			DEBUG_ANCHOR("Failed to parse trust anchor XML data");
+		else if ((ta_len = gldns_buffer_position(&gbuf)) > sizeof(ta_spc)) {
+			if ((ta = GETDNS_XMALLOC(context->mf, uint8_t, ta_len))) {
+				gldns_buffer_init_frm_data(&gbuf, ta,
+				    gldns_buffer_position(&gbuf));
+				if (!_getdns_parse_xml_trust_anchors_buf(
+				    &gbuf, now_ms, (char *)xml_data, xml_len)) {
+					DEBUG_ANCHOR("Failed to re-parse trust"
+					             " anchor XML data");
+					GETDNS_FREE(context->mf, ta);
+				} else {
+					context->trust_anchors = ta;
+					context->trust_anchors_len = ta_len;
+					context->trust_anchors_source = GETDNS_TASRC_XML;
+					_getdns_ta_notify_dnsreqs(context);
+				}
+			} else
+				DEBUG_ANCHOR("Could not allocate space for XML file");
+		} else {
+			(void)memcpy(context->trust_anchors_spc, ta_spc, ta_len);
+			context->trust_anchors = context->trust_anchors_spc;
+			context->trust_anchors_len = ta_len;
+			context->trust_anchors_source = GETDNS_TASRC_XML;
+			_getdns_ta_notify_dnsreqs(context);
+		}
+		DEBUG_ANCHOR("ta: %p, ta_len: %d\n",
+		    (void *)context->trust_anchors, (int)context->trust_anchors_len);
+		
+	} else {
+		DEBUG_ANCHOR("Verifying trust-anchors failed!\n");
+	}
+	if (store)	X509_STORE_free(store);
+	if (x)		X509_free(x);
+	if (crt)	BIO_free(crt);
+	if (xml)	BIO_free(xml);
+	if (p7s)	BIO_free(p7s);
+	if (xml_data && xml_data != xml_spc)
+		GETDNS_FREE(context->mf, xml_data);
+	if (p7s_data && p7s_data != p7s_spc)
+		GETDNS_FREE(context->mf, p7s_data);
+}

From 72d9b91a2e44ec5a3a74214a334b5f4c61a9184d Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 6 Dec 2018 14:09:30 +0000
Subject: [PATCH 204/303] Extract non-OpenSSL specific code from
 pubkey-pinning.c, and move it back to common source.

OpenSSL-specific items are in pubkey-pinning-internal.c.
---
 src/Makefile.in                               |   4 +-
 ...ey-pinning.c => pubkey-pinning-internal.c} |  26 --
 src/gnutls/pubkey-pinning-internal.h          |   0
 ...ey-pinning.c => pubkey-pinning-internal.c} | 161 ------------
 src/pubkey-pinning.c                          | 231 ++++++++++++++++++
 src/pubkey-pinning.h                          |   9 +
 6 files changed, 242 insertions(+), 189 deletions(-)
 rename src/gnutls/{pubkey-pinning.c => pubkey-pinning-internal.c} (76%)
 create mode 100644 src/gnutls/pubkey-pinning-internal.h
 rename src/openssl/{pubkey-pinning.c => pubkey-pinning-internal.c} (71%)
 create mode 100644 src/pubkey-pinning.c

diff --git a/src/Makefile.in b/src/Makefile.in
index 48e8da3e..cfec9a47 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -81,7 +81,7 @@ DEFAULT_EVENTLOOP_OBJ=@DEFAULT_EVENTLOOP@.lo
 GETDNS_OBJ=const-info.lo convert.lo dict.lo dnssec.lo general.lo \
 	list.lo request-internal.lo platform.lo rr-dict.lo \
 	rr-iter.lo server.lo stub.lo sync.lo ub_loop.lo util-internal.lo \
-	mdns.lo
+	mdns.lo pubkey-pinning.lo
 
 GLDNS_OBJ=keyraw.lo gbuffer.lo wire2str.lo parse.lo parseutil.lo rrdef.lo \
 	str2wire.lo
@@ -95,7 +95,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo
 
 JSMN_OBJ=jsmn.lo
-TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo anchor-internal.lo
+TLS_OBJ=tls.lo pubkey-pinning-internal.lo keyraw-internal.lo val_secalgo.lo anchor-internal.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
diff --git a/src/gnutls/pubkey-pinning.c b/src/gnutls/pubkey-pinning-internal.c
similarity index 76%
rename from src/gnutls/pubkey-pinning.c
rename to src/gnutls/pubkey-pinning-internal.c
index c1aeedc3..0d58712c 100644
--- a/src/gnutls/pubkey-pinning.c
+++ b/src/gnutls/pubkey-pinning-internal.c
@@ -40,26 +40,6 @@
  ** Interfaces from pubkey-pinning.h
  **/
 
-/* create and populate a pinset linked list from a getdns_list pinset */
-getdns_return_t
-_getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list,
-				    struct mem_funcs *mf,
-				    sha256_pin_t **pinset_out)
-{
-	return GETDNS_RETURN_GENERIC_ERROR;
-}
-
-
-
-/* create a getdns_list version of the pinset */
-getdns_return_t
-_getdns_get_pubkey_pinset_list(getdns_context *ctx,
-			       const sha256_pin_t *pinset_in,
-			       getdns_list **pinset_list)
-{
-	return GETDNS_RETURN_GENERIC_ERROR;
-}
-
 getdns_return_t
 _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
 					   getdns_upstream *upstream)
@@ -76,9 +56,3 @@ getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str)
 {
 	return GETDNS_RETURN_GENERIC_ERROR;
 }
-
-getdns_return_t
-getdns_pubkey_pinset_sanity_check(const getdns_list* pinset, getdns_list* errorlist)
-{
-	return GETDNS_RETURN_GENERIC_ERROR;
-}
diff --git a/src/gnutls/pubkey-pinning-internal.h b/src/gnutls/pubkey-pinning-internal.h
new file mode 100644
index 00000000..e69de29b
diff --git a/src/openssl/pubkey-pinning.c b/src/openssl/pubkey-pinning-internal.c
similarity index 71%
rename from src/openssl/pubkey-pinning.c
rename to src/openssl/pubkey-pinning-internal.c
index 8f10ee6f..ab2d7c08 100644
--- a/src/openssl/pubkey-pinning.c
+++ b/src/openssl/pubkey-pinning-internal.c
@@ -148,167 +148,6 @@ getdns_dict* getdns_pubkey_pin_create_from_string(
 	return NULL;
 }
 
-
-/* Test whether a given pinset is reasonable, including:
-
- * is it well-formed?
- * are there at least two pins?
- * are the digests used sane?
-
-   if errorlist is NULL, the sanity check just returns success or
-   failure.
-
-   if errorlist is not NULL, we append human-readable strings to
-   report the errors.
-*/
-
-#define PKP_SC_ERR(e) { \
-       if (errorlist) \
-	       _getdns_list_append_const_bindata(errorlist, \
-				       sizeof(e), e); \
-       errorcount++; \
-	}
-#define PKP_SC_HARDERR(e, val) { \
-		PKP_SC_ERR(e); return val; \
-	}
-getdns_return_t getdns_pubkey_pinset_sanity_check(
-	const getdns_list* pinset,
-	getdns_list* errorlist)
-{
-	size_t errorcount = 0, pins = 0, i;
-	getdns_dict * pin;
-	getdns_bindata * data;
-
-	if (getdns_list_get_length(pinset, &pins))
-		PKP_SC_HARDERR("Can't get length of pinset",
-			       GETDNS_RETURN_INVALID_PARAMETER);
-	if (pins < 2)
-		PKP_SC_ERR("This pinset has fewer than 2 pins");
-	for (i = 0; i < pins; i++)
-	{
-		/* is it a dict? */
-		if (getdns_list_get_dict(pinset, i, &pin)) {
-			PKP_SC_ERR("Could not retrieve a pin");
-		} else {
-		/* does the pin have the right digest type? */
-			if (getdns_dict_get_bindata(pin, "digest", &data)) {
-				PKP_SC_ERR("Pin has no 'digest' entry");
-			} else {
-				if (data->size != sha256.size ||
-				    memcmp(data->data, sha256.data, sha256.size))
-					PKP_SC_ERR("Pin has 'digest' other than sha256");
-			}
-			/* if it does, is the value the right length? */
-			if (getdns_dict_get_bindata(pin, "value", &data)) {
-				PKP_SC_ERR("Pin has no 'value' entry");
-			} else {
-				if (data->size != SHA256_DIGEST_LENGTH)
-					PKP_SC_ERR("Pin has the wrong size 'value' (should be 32 octets for sha256)");
-			}
-			
-		/* should we choke if it has some other key? for
-		 * extensibility, we will not treat this as an
-		 * error.*/
-		}
-	}
-	
-	if (errorcount > 0)
-		return GETDNS_RETURN_GENERIC_ERROR;
-	return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-_getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list,
-				    struct mem_funcs *mf,
-				    sha256_pin_t **pinset_out)
-{
-	getdns_return_t r;
-	size_t pins, i;
-	sha256_pin_t *out = NULL, *onext = NULL;
-	getdns_dict * pin;
-	getdns_bindata * data = NULL;
-	
-	if (r = getdns_list_get_length(pinset_list, &pins), r)
-		return r;
-	for (i = 0; i < pins; i++)
-	{
-		if (r = getdns_list_get_dict(pinset_list, i, &pin), r)
-			goto fail;
-		/* does the pin have the right digest type? */
-		if (r = getdns_dict_get_bindata(pin, "digest", &data), r)
-			goto fail;
-		if (data->size != sha256.size ||
-		    memcmp(data->data, sha256.data, sha256.size)) {
-			r = GETDNS_RETURN_INVALID_PARAMETER;
-			goto fail;
-		}
-		/* if it does, is the value the right length? */
-		if (r = getdns_dict_get_bindata(pin, "value", &data), r)
-			goto fail;
-		if (data->size != SHA256_DIGEST_LENGTH) {
-			r = GETDNS_RETURN_INVALID_PARAMETER;
-			goto fail;
-		}
-		/* make a new pin */
-		onext = GETDNS_MALLOC(*mf, sha256_pin_t);
-		if (onext == NULL) {
-			r = GETDNS_RETURN_MEMORY_ERROR;
-			goto fail;
-		}
-		onext->next = out;
-		memcpy(onext->pin, data->data, SHA256_DIGEST_LENGTH);
-		out = onext;
-	}
-	
-	*pinset_out = out;
-	return GETDNS_RETURN_GOOD;
- fail:
-	while (out) {
-		onext = out->next;
-		GETDNS_FREE(*mf, out);
-		out = onext;
-	}
-	return r;
-}
-
-getdns_return_t
-_getdns_get_pubkey_pinset_list(getdns_context *ctx,
-			       const sha256_pin_t *pinset_in,
-			       getdns_list **pinset_list)
-{
-	getdns_list *out = getdns_list_create_with_context(ctx);
-	getdns_return_t r;
-	uint8_t buf[SHA256_DIGEST_LENGTH];
-	getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf };
-	getdns_dict *pin = NULL;
-
-	if (out == NULL)
-		return GETDNS_RETURN_MEMORY_ERROR;
-	while (pinset_in) {
-		pin = getdns_dict_create_with_context(ctx);
-		if (pin == NULL) {
-			r = GETDNS_RETURN_MEMORY_ERROR;
-			goto fail;
-		}
-		if (r = getdns_dict_set_bindata(pin, "digest", &sha256), r)
-			goto fail;
-		memcpy(buf, pinset_in->pin, sizeof(buf));
-		if (r = getdns_dict_set_bindata(pin, "value", &value), r)
-			goto fail;
-		if (r = _getdns_list_append_this_dict(out, pin), r)
-			goto fail;
-		pin = NULL;
-		pinset_in = pinset_in->next;
-	}
-
-	*pinset_list = out;
-	return GETDNS_RETURN_GOOD;
- fail:
-	getdns_dict_destroy(pin);
-	getdns_list_destroy(out);
-	return r;
-}
-
 /* this should only happen once ever in the life of the library. it's
    used to associate a getdns_context_t with an SSL_CTX, to be able to
    do custom verification.
diff --git a/src/pubkey-pinning.c b/src/pubkey-pinning.c
new file mode 100644
index 00000000..aaff6eb3
--- /dev/null
+++ b/src/pubkey-pinning.c
@@ -0,0 +1,231 @@
+/**
+ *
+ * /brief functions for Public Key Pinning
+ *
+ */
+
+/*
+ * Copyright (c) 2015, Daniel Kahn Gillmor
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * getdns Public Key Pinning
+ * 
+ * a public key pinset is a list of dicts.  each dict should have a
+ * "digest" and a "value".
+ * 
+ * "digest": a string indicating the type of digest. at the moment, we
+ *           only support a "digest" of "sha256".
+ * 
+ * "value": a binary representation of the digest provided.
+ * 
+ * given a such a pinset, we should be able to validate a chain
+ * properly according to section 2.6 of RFC 7469.
+ */
+#include "config.h"
+#include "debug.h"
+#include <getdns/getdns.h>
+#include <string.h>
+#include "context.h"
+#include "util-internal.h"
+
+#include "pubkey-pinning-internal.h"
+
+/* we only support sha256 at the moment.  adding support for another
+   digest is more complex than just adding another entry here. in
+   particular, you'll probably need a match for a particular cert
+   against all supported algorithms.  better to wait on doing that
+   until it is a better-understood problem (i.e. wait until hpkp is
+   updated and follow the guidance in rfc7469bis)
+*/
+
+static const getdns_bindata sha256 = {
+	.size = sizeof("sha256") - 1,
+	.data = (uint8_t*)"sha256"
+};
+  
+
+/* Test whether a given pinset is reasonable, including:
+
+ * is it well-formed?
+ * are there at least two pins?
+ * are the digests used sane?
+
+   if errorlist is NULL, the sanity check just returns success or
+   failure.
+
+   if errorlist is not NULL, we append human-readable strings to
+   report the errors.
+*/
+
+#define PKP_SC_ERR(e) { \
+       if (errorlist) \
+	       _getdns_list_append_const_bindata(errorlist, \
+				       sizeof(e), e); \
+       errorcount++; \
+	}
+#define PKP_SC_HARDERR(e, val) { \
+		PKP_SC_ERR(e); return val; \
+	}
+getdns_return_t getdns_pubkey_pinset_sanity_check(
+	const getdns_list* pinset,
+	getdns_list* errorlist)
+{
+	size_t errorcount = 0, pins = 0, i;
+	getdns_dict * pin;
+	getdns_bindata * data;
+
+	if (getdns_list_get_length(pinset, &pins))
+		PKP_SC_HARDERR("Can't get length of pinset",
+			       GETDNS_RETURN_INVALID_PARAMETER);
+	if (pins < 2)
+		PKP_SC_ERR("This pinset has fewer than 2 pins");
+	for (i = 0; i < pins; i++)
+	{
+		/* is it a dict? */
+		if (getdns_list_get_dict(pinset, i, &pin)) {
+			PKP_SC_ERR("Could not retrieve a pin");
+		} else {
+		/* does the pin have the right digest type? */
+			if (getdns_dict_get_bindata(pin, "digest", &data)) {
+				PKP_SC_ERR("Pin has no 'digest' entry");
+			} else {
+				if (data->size != sha256.size ||
+				    memcmp(data->data, sha256.data, sha256.size))
+					PKP_SC_ERR("Pin has 'digest' other than sha256");
+			}
+			/* if it does, is the value the right length? */
+			if (getdns_dict_get_bindata(pin, "value", &data)) {
+				PKP_SC_ERR("Pin has no 'value' entry");
+			} else {
+				if (data->size != SHA256_DIGEST_LENGTH)
+					PKP_SC_ERR("Pin has the wrong size 'value' (should be 32 octets for sha256)");
+			}
+			
+		/* should we choke if it has some other key? for
+		 * extensibility, we will not treat this as an
+		 * error.*/
+		}
+	}
+	
+	if (errorcount > 0)
+		return GETDNS_RETURN_GENERIC_ERROR;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+_getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list,
+				    struct mem_funcs *mf,
+				    sha256_pin_t **pinset_out)
+{
+	getdns_return_t r;
+	size_t pins, i;
+	sha256_pin_t *out = NULL, *onext = NULL;
+	getdns_dict * pin;
+	getdns_bindata * data = NULL;
+	
+	if (r = getdns_list_get_length(pinset_list, &pins), r)
+		return r;
+	for (i = 0; i < pins; i++)
+	{
+		if (r = getdns_list_get_dict(pinset_list, i, &pin), r)
+			goto fail;
+		/* does the pin have the right digest type? */
+		if (r = getdns_dict_get_bindata(pin, "digest", &data), r)
+			goto fail;
+		if (data->size != sha256.size ||
+		    memcmp(data->data, sha256.data, sha256.size)) {
+			r = GETDNS_RETURN_INVALID_PARAMETER;
+			goto fail;
+		}
+		/* if it does, is the value the right length? */
+		if (r = getdns_dict_get_bindata(pin, "value", &data), r)
+			goto fail;
+		if (data->size != SHA256_DIGEST_LENGTH) {
+			r = GETDNS_RETURN_INVALID_PARAMETER;
+			goto fail;
+		}
+		/* make a new pin */
+		onext = GETDNS_MALLOC(*mf, sha256_pin_t);
+		if (onext == NULL) {
+			r = GETDNS_RETURN_MEMORY_ERROR;
+			goto fail;
+		}
+		onext->next = out;
+		memcpy(onext->pin, data->data, SHA256_DIGEST_LENGTH);
+		out = onext;
+	}
+	
+	*pinset_out = out;
+	return GETDNS_RETURN_GOOD;
+ fail:
+	while (out) {
+		onext = out->next;
+		GETDNS_FREE(*mf, out);
+		out = onext;
+	}
+	return r;
+}
+
+getdns_return_t
+_getdns_get_pubkey_pinset_list(getdns_context *ctx,
+			       const sha256_pin_t *pinset_in,
+			       getdns_list **pinset_list)
+{
+	getdns_list *out = getdns_list_create_with_context(ctx);
+	getdns_return_t r;
+	uint8_t buf[SHA256_DIGEST_LENGTH];
+	getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf };
+	getdns_dict *pin = NULL;
+
+	if (out == NULL)
+		return GETDNS_RETURN_MEMORY_ERROR;
+	while (pinset_in) {
+		pin = getdns_dict_create_with_context(ctx);
+		if (pin == NULL) {
+			r = GETDNS_RETURN_MEMORY_ERROR;
+			goto fail;
+		}
+		if (r = getdns_dict_set_bindata(pin, "digest", &sha256), r)
+			goto fail;
+		memcpy(buf, pinset_in->pin, sizeof(buf));
+		if (r = getdns_dict_set_bindata(pin, "value", &value), r)
+			goto fail;
+		if (r = _getdns_list_append_this_dict(out, pin), r)
+			goto fail;
+		pin = NULL;
+		pinset_in = pinset_in->next;
+	}
+
+	*pinset_list = out;
+	return GETDNS_RETURN_GOOD;
+ fail:
+	getdns_dict_destroy(pin);
+	getdns_list_destroy(out);
+	return r;
+}
+
+/* pubkey-pinning.c */
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 4e8a31e5..5f12baf2 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -36,6 +36,15 @@
 
 #include "tls.h"
 
+/**
+ ** Internal functions, implemented in pubkey-pinning-internal.c.
+ **/
+getdns_dict* getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str);
+
+/**
+ ** Public interface.
+ **/
+
 /* create and populate a pinset linked list from a getdns_list pinset */
 getdns_return_t
 _getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list,

From 46c49cbcfe1f385161381fe7ba6687515753d513 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 6 Dec 2018 16:32:20 +0000
Subject: [PATCH 205/303] Modify getdns_server_mon to use GnuTLS or OpenSSL.

Untested.
---
 src/tools/getdns_server_mon.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 360bf520..3b2d1045 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -36,9 +36,13 @@
 #include <string.h>
 #include <time.h>
 
+#ifdef USE_GNUTLS
+#include <gnutls/x509.h>
+#else
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/bio.h>
+#endif
 
 #include <getdns/getdns.h>
 #include <getdns/getdns_extra.h>
@@ -181,7 +185,7 @@ static const char *rcode_text(int rcode)
         return getdns_intval_text(rcode, "rcode", "GETDNS_RCODE_");
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000 || defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(USE_GNUTLS) && (OPENSSL_VERSION_NUMBER < 0x10002000 || defined(LIBRESSL_VERSION_NUMBER))
 /*
  * Convert date to Julian day.
  * See https://en.wikipedia.org/wiki/Julian_day
@@ -212,6 +216,27 @@ static long secs_in_day(const struct tm *tm)
  */
 static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t)
 {
+#ifdef USE_GNUTLS
+        gnutls_x509_crt_t cert;
+        gnutls_datum_t datum;
+        bool res = false;
+
+        datum.data = (unsigned char*) data;
+        datum.size = len;
+
+        if (gnutls_x509_crt_init(&cert) != GNUTLS_E_SUCCESS)
+                return false;
+
+        if (gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER) == GNUTLS_E_SUCCESS) {
+                time_t expiry = gnutls_x509_crt_get_expiration_time(cert);
+                if (expiry != GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION) {
+                        res = true;
+                        *t = expiry;
+                }
+        }
+        gnutls_x509_crt_deinit(cert);
+        return res;
+#else
         X509 *cert = d2i_X509(NULL, &data, len);
         if (!cert)
                 return false;
@@ -299,6 +324,7 @@ static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t
         X509_free(cert);
 #endif
         *t += day_diff * SECS_IN_DAY + sec_diff;
+#endif /* USE_GNUTLS */
         return true;
 }
 

From b0c057e8ae62ede13973943b2a21eb3226fabcb8 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 6 Dec 2018 16:35:43 +0000
Subject: [PATCH 206/303] Update dependencies for GnuTLS.

In practice a 'make depend' is required before building with either OpenSSL or GnuTLS.
---
 src/Makefile.in       | 146 +++++++++++++++++++++++++-----------------
 src/test/Makefile.in  |   3 +-
 src/tools/Makefile.in |   3 +-
 3 files changed, 92 insertions(+), 60 deletions(-)

diff --git a/src/Makefile.in b/src/Makefile.in
index cfec9a47..2047ca0e 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -300,21 +300,34 @@ depend:
 FORCE:
 
 # Dependencies for gldns, utils, the extensions and compat functions
+anchor.lo anchor.o: $(srcdir)/anchor.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/anchor.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dnssec.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h \
+ $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
 const-info.lo const-info.o: $(srcdir)/const-info.c \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/const-info.h
-context.lo context.o: $(srcdir)/context.c config.h \
- $(srcdir)/anchor.h getdns/getdns.h \
+context.lo context.o: $(srcdir)/context.c \
+ config.h $(srcdir)/anchor.h \
+ getdns/getdns.h \
  getdns/getdns_extra.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
- $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h \
- $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h
-convert.lo convert.o: $(srcdir)/convert.c config.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h \
+ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h
+convert.lo convert.o: $(srcdir)/convert.c \
+ config.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
@@ -333,8 +346,9 @@ dict.lo dict.o: $(srcdir)/dict.c config.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \
  $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h
-dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
- $(srcdir)/debug.h getdns/getdns.h \
+dnssec.lo dnssec.o: $(srcdir)/dnssec.c \
+ config.h $(srcdir)/debug.h \
+ getdns/getdns.h \
  $(srcdir)/context.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
@@ -344,8 +358,9 @@ dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
  $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
  $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \
  $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h
-general.lo general.o: $(srcdir)/general.c config.h \
- $(srcdir)/general.h getdns/getdns.h \
+general.lo general.o: $(srcdir)/general.c \
+ config.h $(srcdir)/general.h \
+ getdns/getdns.h \
  $(srcdir)/types-internal.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
@@ -372,8 +387,19 @@ mdns.lo mdns.o: $(srcdir)/mdns.c config.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
 platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \
  config.h
+pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \
+ config.h $(srcdir)/debug.h \
+ getdns/getdns.h \
+ $(srcdir)/context.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/$(tlsdir)/pubkey-pinning-internal.h
 request-internal.lo request-internal.o: $(srcdir)/request-internal.c \
- config.h $(srcdir)/types-internal.h \
+ config.h \
+ $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
@@ -394,10 +420,11 @@ rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.
  config.h \
  getdns/getdns.h \
  $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h
-server.lo server.o: $(srcdir)/server.c config.h \
+server.lo server.o: $(srcdir)/server.c \
+ config.h \
  getdns/getdns_extra.h \
- getdns/getdns.h $(srcdir)/context.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ getdns/getdns.h \
+ $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/debug.h \
@@ -413,7 +440,8 @@ stub.lo stub.o: $(srcdir)/stub.c config.h \
  $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \
  $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \
  $(srcdir)/pubkey-pinning.h
-sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \
+sync.lo sync.o: $(srcdir)/sync.c \
+ getdns/getdns.h \
  config.h $(srcdir)/context.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
@@ -427,33 +455,36 @@ util-internal.lo util-internal.o: $(srcdir)/util-internal.c \
  config.h \
  getdns/getdns.h $(srcdir)/dict.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
- getdns/getdns_extra.h $(srcdir)/list.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
  $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
  $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
  $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \
  $(srcdir)/gldns/rrdef.h
 gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
- config.h $(srcdir)/gldns/gbuffer.h
+ config.h \
+ $(srcdir)/gldns/gbuffer.h
 keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
- config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
+ config.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
 parse.lo parse.o: $(srcdir)/gldns/parse.c \
  config.h $(srcdir)/gldns/parse.h \
  $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \
- config.h $(srcdir)/gldns/parseutil.h
+ config.h \
+ $(srcdir)/gldns/parseutil.h
 rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \
  config.h $(srcdir)/gldns/rrdef.h \
  $(srcdir)/gldns/parseutil.h
 str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
- config.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \
- $(srcdir)/gldns/parseutil.h
+ config.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h
 wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
- config.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h
+ config.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \
+ $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/$(tlsdir)/keyraw-internal.h
 arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
  config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
@@ -482,8 +513,9 @@ strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \
  config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c \
  config.h
-locks.lo locks.o: $(srcdir)/util/locks.c config.h \
- $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h
+locks.lo locks.o: $(srcdir)/util/locks.c \
+ config.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h
 lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \
  config.h \
  $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \
@@ -494,36 +526,31 @@ lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \
  $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
  $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
- config.h $(srcdir)/util/auxiliary/log.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \
- $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h
+ config.h \
+ $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \
+ $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
-anchor.lo anchor.o: $(srcdir)/$(tlsdir)/anchor.c \
- config.h $(srcdir)/debug.h $(srcdir)/anchor.h \
+anchor-internal.lo anchor-internal.o: $(srcdir)/$(tlsdir)/anchor-internal.c \
+ config.h $(srcdir)/anchor.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/types-internal.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h $(srcdir)/ub_loop.h \
- $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/platform.h
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h
 keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c \
- config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
-pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/$(tlsdir)/pubkey-pinning.c \
- config.h $(srcdir)/debug.h \
- getdns/getdns.h $(srcdir)/context.h \
+ config.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
+pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c $(srcdir)/context.h \
+ getdns/getdns.h \
  getdns/getdns_extra.h \
+ config.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/context.h $(srcdir)/$(tlsdir)/pubkey-pinning-internal.h
-tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c config.h \
- $(srcdir)/debug.h $(srcdir)/context.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/pubkey-pinning.h
+tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/context.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
@@ -539,12 +566,14 @@ val_secalgo.lo val_secalgo.o: $(srcdir)/$(tlsdir)/val_secalgo.c \
  $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h
 yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
 libev.lo libev.o: $(srcdir)/extension/libev.c \
- config.h $(srcdir)/types-internal.h \
+ config.h \
+ $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h
 libevent.lo libevent.o: $(srcdir)/extension/libevent.c \
- config.h $(srcdir)/types-internal.h \
+ config.h \
+ $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h
@@ -555,8 +584,9 @@ libuv.lo libuv.o: $(srcdir)/extension/libuv.c \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h
 poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
- config.h $(srcdir)/util-internal.h \
- $(srcdir)/context.h getdns/getdns.h \
+ config.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h \
+ getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
diff --git a/src/test/Makefile.in b/src/test/Makefile.in
index 89f5d3af..9d4dad00 100644
--- a/src/test/Makefile.in
+++ b/src/test/Makefile.in
@@ -305,7 +305,8 @@ tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h \
 tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h \
  ../getdns/getdns.h
 tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c \
- ../config.h $(srcdir)/testmessages.h \
+ ../config.h \
+ $(srcdir)/testmessages.h \
  ../getdns/getdns.h \
  ../getdns/getdns_extra.h
 tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h \
diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in
index c51e2daf..6cefffcd 100644
--- a/src/tools/Makefile.in
+++ b/src/tools/Makefile.in
@@ -123,7 +123,8 @@ depend:
 
 # Dependencies for getdns_query
 getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \
- ../config.h $(srcdir)/../debug.h \
+ ../config.h \
+ $(srcdir)/../debug.h \
  ../getdns/getdns.h \
  ../getdns/getdns_extra.h
 getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \

From 64f0d6aaa81ffd4fc38e8473d221318c55d89352 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 7 Dec 2018 11:09:20 +0000
Subject: [PATCH 207/303] Rename _getdns_tls_connection_verify() to
 _getdns_tls_connection_certificate_verify().

I managed to mislead myself about what it did, which suggests the name should be clearer.
---
 src/gnutls/tls.c  | 2 +-
 src/openssl/tls.c | 2 +-
 src/stub.c        | 2 +-
 src/tls.h         | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 8588670c..2d515b3a 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -327,7 +327,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
+getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
 {
 	(void) errnum;
 	(void) errmsg;
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index de913b42..dcc68494 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -507,7 +507,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
+getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
 {
 	if (!conn || !conn->ssl)
 		return GETDNS_RETURN_INVALID_PARAMETER;
diff --git a/src/stub.c b/src/stub.c
index 723bd149..b6a9cdf1 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -957,7 +957,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			long verify_errno;
 			const char* verify_errmsg;
 
-			if (_getdns_tls_connection_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) {
+			if (_getdns_tls_connection_certificate_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) {
 				upstream->tls_auth_state = GETDNS_AUTH_OK;
 				if (verify_errno != 0) {
 					_getdns_upstream_log(upstream,
diff --git a/src/tls.h b/src/tls.h
index d475ee53..fe05dc52 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -271,7 +271,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
  * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
  * @return GETDNS_RETURN_GENERIC_ERROR if verification failed.
  */
-getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg);
+getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg);
 
 /**
  * Read from TLS.

From 511dfc75ef8aaf7c2b516c7a8e8ce6fb8931788e Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 7 Dec 2018 11:11:33 +0000
Subject: [PATCH 208/303] Implement _getdns_tls_context_set_min_proto_1_2().

Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
---
 src/gnutls/tls-internal.h |  5 ++++-
 src/gnutls/tls.c          | 12 ++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index 2b76d564..15115b4d 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -34,6 +34,8 @@
 #ifndef _GETDNS_TLS_INTERNAL_H
 #define _GETDNS_TLS_INTERNAL_H
 
+#include <stdbool.h>
+
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 
@@ -52,13 +54,14 @@
 
 
 typedef struct _getdns_tls_context {
-	int unused;
+	bool min_proto_1_2;
 } _getdns_tls_context;
 
 typedef struct _getdns_tls_connection {
 	gnutls_session_t tls;
 	gnutls_certificate_credentials_t cred;
 	int shutdown;
+	_getdns_tls_context* ctx;
 } _getdns_tls_connection;
 
 typedef struct _getdns_tls_session {
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 2d515b3a..5a2b6c94 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -95,6 +95,7 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
 	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context)))
 		return NULL;
 
+	res->min_proto_1_2 = false;
 	return res;
 }
 
@@ -113,7 +114,9 @@ void _getdns_tls_context_dane_init(_getdns_tls_context* ctx)
 
 getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
 {
-	(void) ctx;
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	ctx->min_proto_1_2 = true;
 	return GETDNS_RETURN_NOT_IMPLEMENTED;
 }
 
@@ -157,6 +160,7 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 		return NULL;
 
 	res->shutdown = 0;
+	res->ctx = ctx;
 
 	r = gnutls_certificate_allocate_credentials(&res->cred);
 	if (r == GNUTLS_E_SUCCESS)
@@ -270,8 +274,12 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
 	r = gnutls_handshake(conn->tls);
-	if (r == GNUTLS_E_SUCCESS)
+	if (r == GNUTLS_E_SUCCESS) {
+		if (conn->ctx->min_proto_1_2 &&
+		    gnutls_protocol_get_version(conn->tls) < GNUTLS_TLS1_2)
+			return GETDNS_RETURN_GENERIC_ERROR;
 		return GETDNS_RETURN_GOOD;
+	}
 	else
 		return error_may_want_read_write(conn, r);
 }

From bdfdd996456cb5c1815f0d4e5e5ae4f5a9e09f4e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 7 Dec 2018 14:00:47 +0100
Subject: [PATCH 209/303] Anticipate different openssl versions

---
 src/util-internal.h | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/src/util-internal.h b/src/util-internal.h
index 529ebce0..4d5fbf56 100644
--- a/src/util-internal.h
+++ b/src/util-internal.h
@@ -218,19 +218,46 @@ INLINE uint64_t _getdns_ms_until_expiry2(uint64_t expires, uint64_t *now_ms)
 	return *now_ms >= expires ? 0 : expires - *now_ms;
 }
 
-# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \
+	 && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+
 INLINE int _getdns_tls_version2openssl_version(getdns_tls_version_t v)
 {
 	switch (v) {
+# ifdef SSL3_VERSION
 	case GETDNS_SSL3  : return SSL3_VERSION;
+# endif
+# ifdef TLS1_VERSION
 	case GETDNS_TLS1  : return TLS1_VERSION;
+# endif
+# ifdef TLS1_1_VERSION
 	case GETDNS_TLS1_1: return TLS1_1_VERSION;
+# endif
+# ifdef TLS1_2_VERSION
 	case GETDNS_TLS1_2: return TLS1_2_VERSION;
+# endif
+# ifdef TLS1_3_VERSION
 	case GETDNS_TLS1_3: return TLS1_3_VERSION;
-	default           : return TLS_MAX_VERSION;
+# endif
+	default           :
+# if   defined(TLS_MAX_VERSION)
+			    return TLS_MAX_VERSION;
+# elif defined(TLS1_3_VERSION)
+			    return TLS1_3_VERSION;
+# elif defined(TLS1_2_VERSION)
+			    return TLS1_2_VERSION;
+# elif defined(TLS1_1_VERSION)
+			    return TLS1_1_VERSION;
+# elif defined(TLS1_VERSION)
+			    return TLS1_VERSION;
+# elif defined(SSL3_VERSION)
+			    return SSL3_VERSION;
+# else
+			    return -1;
+# endif
 	}
 }
-# endif
+#endif
 
 #endif
 /* util-internal.h */

From 8a7226baeeb75bcd3166817c7f428965d3c26fe4 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 7 Dec 2018 14:02:17 +0100
Subject: [PATCH 210/303] Move from debugging to logging for

  - upstream_stats & stub system
---
 src/context.c                | 157 +++++++++++++--------------------
 src/context.h                |  37 ++++++--
 src/dnssec.c                 |   2 +-
 src/getdns/getdns_extra.h.in |   5 +-
 src/pubkey-pinning.c         | 166 ++++++++++++++++++++++++++++-------
 src/pubkey-pinning.h         |   4 +-
 src/stub.c                   |   9 +-
 7 files changed, 239 insertions(+), 141 deletions(-)

diff --git a/src/context.c b/src/context.c
index b1b36231..5a720023 100644
--- a/src/context.c
+++ b/src/context.c
@@ -187,18 +187,19 @@ _getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s)
    Add code to open the trust store using wincrypt API and add
    the root certs into openssl trust store */
 static int 
-add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
+add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
 {
 	HCERTSTORE      hSystemStore;
 	PCCERT_CONTEXT  pTargetCert = NULL;
-
-	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-		"Adding Windows certificates from system root store to CA store");
+	
+	_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG
+	    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+	    , "Adding Windows certificates from system root store to CA store")
+	    ;
 
 	/* load just once per context lifetime for this version of getdns
 	   TODO: dynamically update CA trust changes as they are available */
-	if (!tls_ctx)
-		return 0;
+	assert(tls_ctx);
 
 	/* Call wincrypt's CertOpenStore to open the CA root store. */
 
@@ -211,19 +212,27 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 		1 << 16,
 		L"root")) == 0)
 	{
+		_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+		    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+		    , "Could not CertOpenStore()");
 		return 0;
 	}
 
 	X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx);
-	if (!store)
+	if (!store) {
+		_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+		    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+		    , "Could not SSL_CTX_get_cert_store()");
 		return 0;
+	}
 
 	/* failure if the CA store is empty or the call fails */
 	if ((pTargetCert = CertEnumCertificatesInStore(
-		hSystemStore, pTargetCert)) == 0) {
-		DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-			"CA certificate store for Windows is empty.");
-			return 0;
+	    hSystemStore, pTargetCert)) == 0) {
+		_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_NOTICE
+		    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+		    , "CA certificate store for Windows is empty.");
+		return 0;
 	}
 	/* iterate over the windows cert store and add to openssl store */
 	do 
@@ -233,9 +242,13 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 			pTargetCert->cbCertEncoded);
 		if (!cert1) {
 			/* return error if a cert fails */
-			DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-				"Unable to parse certificate in memory",
-				ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
+			_getdns_log(&ctxt->log
+			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR,
+			    , "%s %-35s: %s %d:%s\n"
+			    , STUB_DEBUG_SETUP_TLS, __FUNC__
+			    , "Unable to parse certificate in memory"
+			    , ERR_get_error()
+			    , ERR_error_string(ERR_get_error(), NULL));
 			return 0;
 		}
 		else {
@@ -247,9 +260,16 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 				* certificate is already in the store.  */ 
 				if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
 				   ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
-					DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-					    "Error adding certificate", ERR_get_error(),
-					     ERR_error_string(ERR_get_error(), NULL));
+					_getdns_log(&ctxt->log
+					    , GETDNS_LOG_SYS_STUB
+					    , GETDNS_LOG_ERR
+					    , "%s %-35s: %s %d:%s\n"
+					    , STUB_DEBUG_SETUP_TLS, __FUNC__
+					    , "Error adding certificate"
+					    , ERR_get_error()
+					    , ERR_error_string( ERR_get_error()
+					                      , NULL)
+					    );
 					X509_free(cert1);
 					return 0;
 				}
@@ -264,12 +284,18 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 		CertFreeCertificateContext(pTargetCert);
 	if (hSystemStore)
 	{
-		if (!CertCloseStore(
-			hSystemStore, 0))
+		if (!CertCloseStore(hSystemStore, 0)) {
+			_getdns_log(&ctxt->log
+			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+			    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+			    , "Could not CertCloseStore()");
 			return 0;
+		}
 	}
-	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-		"Completed adding Windows certificates to CA store successfully");
+	_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_INFO
+	    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+	    , "Completed adding Windows certificates to CA store successfully")
+	    ;
 	return 1;
 }
 #endif
@@ -698,26 +724,6 @@ upstreams_create(getdns_context *context, size_t size)
 }
 
 
-#if defined(USE_DANESSL) && defined(STUB_DEBUG) && STUB_DEBUG
-static void _stub_debug_print_openssl_errors(void)
-{
-    unsigned long err;
-    char buffer[1024];
-    const char *file;
-    const char *data;
-    int line;
-    int flags;
-
-    while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
-        ERR_error_string_n(err, buffer, sizeof(buffer));
-        if (flags & ERR_TXT_STRING)
-            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d:%s\n", buffer, file, line, data);
-        else
-            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d\n", buffer, file, line);
-    }
-}
-#endif
-
 void
 _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 {
@@ -760,9 +766,6 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 		if (upstream->tls_obj != NULL) {
 			SSL_shutdown(upstream->tls_obj);
 #ifdef USE_DANESSL
-# if defined(STUB_DEBUG) && STUB_DEBUG
-			_stub_debug_print_openssl_errors();
-# endif
 			DANESSL_cleanup(upstream->tls_obj);
 #endif
 			SSL_free(upstream->tls_obj);
@@ -789,22 +792,6 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 	GETDNS_FREE(upstreams->mf, upstreams);
 }
 
-void _getdns_upstream_log(getdns_upstream *upstream, uint64_t system,
-    getdns_loglevel_type level, const char *fmt, ...)
-{
-	va_list args;
-
-	if (!upstream || !upstream->upstreams || !upstream->upstreams->log.func
-	    || !(upstream->upstreams->log.system & system)
-	    || level > upstream->upstreams->log.level)
-		return;
-
-	va_start(args, fmt);
-	upstream->upstreams->log.func(
-	    upstream->upstreams->log.userarg, system, level, fmt, args);
-	va_end(args);
-}
-
 static void
 upstream_backoff(getdns_upstream *upstream) {
 	upstream->conn_state = GETDNS_CONN_BACKOFF;
@@ -881,9 +868,6 @@ _getdns_upstream_reset(getdns_upstream *upstream)
 	if (upstream->tls_obj != NULL) {
 		SSL_shutdown(upstream->tls_obj);
 #ifdef USE_DANESSL
-# if defined(STUB_DEBUG) && STUB_DEBUG
-		_stub_debug_print_openssl_errors();
-# endif
 		DANESSL_cleanup(upstream->tls_obj);
 #endif
 		SSL_free(upstream->tls_obj);
@@ -1941,20 +1925,6 @@ getdns_context_set_logfunc(getdns_context *context, void *userarg,
 	return GETDNS_RETURN_GOOD;
 }
 
-void _getdns_context_log(getdns_context *context, uint64_t system,
-    getdns_loglevel_type level, const char *fmt, ...)
-{
-	va_list args;
-
-	if (!context || !context->log.func || !(context->log.system & system)
-	    || level > context->log.level)
-		return;
-
-	va_start(args, fmt);
-	context->log.func(context->log.userarg, system, level, fmt, args);
-	va_end(args);
-}
-
 #ifdef HAVE_LIBUNBOUND
 /*
  * Helpers to set options on the unbound ctx
@@ -3692,8 +3662,11 @@ getdns_return_t
 _getdns_context_prepare_for_resolution(getdns_context *context)
 {
 	getdns_return_t r;
+#if defined(HAVE_SSL_CTX_DANE_ENABLE) || defined(USE_DANESSL)
+	int osr;
+#endif
 
-	RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
+	assert(context);
 	if (context->destroying)
 		return GETDNS_RETURN_BAD_CONTEXT;
 
@@ -3777,29 +3750,23 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 #  ifndef USE_WINSOCK
 			else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
 #  else
-			else if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) {
+			else if (!add_WIN_cacerts_to_openssl_store(context, context->tls_ctx)) {
 #  endif /* USE_WINSOCK */
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}
 #  if defined(HAVE_SSL_CTX_DANE_ENABLE)
-#   if defined(STUB_DEBUG) && STUB_DEBUG
-			int osr =
-#   else
-			(void)
-#   endif
-				SSL_CTX_dane_enable(context->tls_ctx);
-			DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
-			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+			osr = SSL_CTX_dane_enable(context->tls_ctx);
+			_getdns_log(&context->log
+			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG
+			    , "%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
+			    , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 #  elif defined(USE_DANESSL)
-#   if defined(STUB_DEBUG) && STUB_DEBUG
-			int osr =
-#   else
-			(void)
-#   endif
-				DANESSL_CTX_init(context->tls_ctx);
-			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n"
-			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+			osr = DANESSL_CTX_init(context->tls_ctx);
+			_getdns_log(&context->log
+			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG
+			    , "%s %-35s: DEBUG: DANESSL_CTX_init() returned "
+			      "%d\n", STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 #  endif
 #else /* HAVE_TLS_v1_2 */
 			if (tls_only_is_in_transports_list(context) == 1)
diff --git a/src/context.h b/src/context.h
index ef16855e..bf3d7da6 100644
--- a/src/context.h
+++ b/src/context.h
@@ -127,7 +127,7 @@ const getdns_tsig_info *_getdns_get_tsig_info(getdns_tsig_algo tsig_alg);
 
 /* for doing public key pinning of TLS-capable upstreams: */
 typedef struct sha256_pin {
-	char pin[SHA256_DIGEST_LENGTH];
+	uint8_t pin[SHA256_DIGEST_LENGTH];
 	struct sha256_pin *next;
 } sha256_pin_t;
 
@@ -502,11 +502,38 @@ struct getdns_context {
 #endif /* HAVE_MDNS_SUPPORT */
 }; /* getdns_context */
 
-void _getdns_upstream_log(getdns_upstream *upstream, uint64_t system,
-    getdns_loglevel_type level, const char *fmt, ...);
+static inline int _getdns_check_log(const getdns_log_config *log,
+    uint64_t system, getdns_loglevel_type level)
+{ assert(log)
+; return log->func && (log->system & system) && level <= log->level; }
 
-void _getdns_context_log(getdns_context *context, uint64_t system,
-    getdns_loglevel_type level, const char *fmt, ...);
+static inline void _getdns_log(const getdns_log_config *log,
+    uint64_t system, getdns_loglevel_type level, const char *fmt, ...)
+{
+	va_list args;
+
+	if (!_getdns_check_log(log, system, level))
+		return;
+
+	va_start(args, fmt);
+	log->func(log->userarg, system, level, fmt, args);
+	va_end(args);
+}
+
+static inline void _getdns_upstream_log(const getdns_upstream *up,
+    uint64_t system, getdns_loglevel_type level, const char *fmt, ...)
+{
+	va_list args;
+
+	if (!up || !up->upstreams
+	||  !_getdns_check_log(&up->upstreams->log, system, level))
+		return;
+
+	va_start(args, fmt);
+	up->upstreams->log.func(
+	    up->upstreams->log.userarg, system, level, fmt, args);
+	va_end(args);
+}
 
 
 /** internal functions **/
diff --git a/src/dnssec.c b/src/dnssec.c
index dc0da14a..7fa8e0b1 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3481,7 +3481,7 @@ void _getdns_ta_notify_dnsreqs(getdns_context *context)
 			getdns_network_req *netreq, **netreq_p;
 			int r = GETDNS_RETURN_GOOD;
 
-			 (void) _getdns_context_prepare_for_resolution(context);
+			(void) _getdns_context_prepare_for_resolution(context);
 
 			*dnsreq_p = dnsreq->ta_notify;
 			for ( netreq_p = dnsreq->netreqs
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index f1b2af36..9b81f6c3 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -557,8 +557,11 @@ typedef enum getdns_loglevel_type {
 #define GETDNS_LOG_INFO_TEXT    "Informational message"
 #define GETDNS_LOG_DEBUG_TEXT   "Debug-level message"
 
-#define GETDNS_LOG_UPSTREAM_STATS 4096
+#define GETDNS_LOG_UPSTREAM_STATS 0x1000
 #define GETDNS_LOG_UPSTREAM_STATS_TEXT "Log messages about upstream statistics"
+#define GETDNS_LOG_SYS_STUB       0x2000
+#define GETDNS_LOG_SYS_STUB_TEXT "Log messages involving non upstream specific stub matters"
+
 
 typedef void (*getdns_logfunc_type) (void *userarg, uint64_t log_systems,
     getdns_loglevel_type, const char *, va_list ap);
diff --git a/src/pubkey-pinning.c b/src/pubkey-pinning.c
index 1b9674fd..9edcb71b 100644
--- a/src/pubkey-pinning.c
+++ b/src/pubkey-pinning.c
@@ -55,6 +55,7 @@
 #include <string.h>
 #include "context.h"
 #include "util-internal.h"
+#include "gldns/parseutil.h"
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #define X509_STORE_CTX_get0_untrusted(store) store->untrusted
@@ -378,20 +379,20 @@ _getdns_associate_upstream_with_SSL(SSL *ssl,
 }
 
 getdns_return_t
-_getdns_verify_pinset_match(const sha256_pin_t *pinset,
-			    X509_STORE_CTX *store)
+_getdns_verify_pinset_match(const getdns_upstream *upstream,
+    const sha256_pin_t *pinset, X509_STORE_CTX *store)
 {
-	getdns_return_t ret = GETDNS_RETURN_GENERIC_ERROR;
 	X509 *x, *prev = NULL;
+	char x_name_spc[1024], *x_name, prev_name_spc[1024];
 	int i, len;
 	unsigned char raw[4096];
 	unsigned char *next;
 	unsigned char buf[sizeof(pinset->pin)];
 	const sha256_pin_t *p;
 
-	if (pinset == NULL || store == NULL)
-		return GETDNS_RETURN_GENERIC_ERROR;
-	
+	assert(pinset);
+	assert(store);
+
 	/* start at the base of the chain (the end-entity cert) and
 	 * make sure that some valid element of the chain does match
 	 * the pinset. */
@@ -407,29 +408,74 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
 
 	/* TODO: how do we handle raw public keys? */
 
-	for (i = 0; i < sk_X509_num(X509_STORE_CTX_get0_untrusted(store)); i++, prev = x) {
-
+	for ( i = 0
+	    ; i < sk_X509_num(X509_STORE_CTX_get0_untrusted(store))
+	    ; i++, prev = x) {
 		x = sk_X509_value(X509_STORE_CTX_get0_untrusted(store), i);
-#if defined(STUB_DEBUG) && STUB_DEBUG
-		DEBUG_STUB("%s %-35s: Name of cert: %d ",
-		           STUB_DEBUG_SETUP_TLS, __FUNC__, i);
-		X509_NAME_print_ex_fp(stderr, X509_get_subject_name(x), 1, XN_FLAG_ONELINE);
-		fprintf(stderr, "\n");
-#endif
+		x_name = NULL;
+
+		if (upstream->upstreams
+		&& _getdns_check_log(&upstream->upstreams->log,
+		    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG)) {
+
+			x_name = X509_NAME_oneline( X509_get_subject_name(x)
+			                          , x_name_spc
+			                          , sizeof(x_name_spc));
+			_getdns_upstream_log( upstream
+			    , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG
+			    , "%-40s : Verifying pinsets with cert: %d %s\n"
+			    , upstream->addr_str, i, x_name);
+		}
 		if (i > 0) {
-		/* we ensure that "prev" is signed by "x" */
+			/* we ensure that "prev" is signed by "x" */
 			EVP_PKEY *pkey = X509_get_pubkey(x);
 			int verified;
+
 			if (!pkey) {
-				DEBUG_STUB("%s %-35s: Could not get pubkey from cert %d (%p)\n",
-					   STUB_DEBUG_SETUP_TLS, __FUNC__, i, (void*)x);
+				if (!upstream->upstreams
+				||  !_getdns_check_log(
+				      &upstream->upstreams->log
+				    , GETDNS_LOG_UPSTREAM_STATS
+				    , GETDNS_LOG_ERR
+				    ))
+					return GETDNS_RETURN_GENERIC_ERROR;
+
+				if (!x_name)
+					x_name = X509_NAME_oneline(
+					      X509_get_subject_name(x)
+					    , x_name_spc, sizeof(x_name_spc));
+				_getdns_upstream_log( upstream
+				    , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR
+				    , "%-40s : Could not get pubkey from cert "
+				      "cert: %d %s\n"
+				    , upstream->addr_str, i, x_name);
 				return GETDNS_RETURN_GENERIC_ERROR;
 			}
 			verified = X509_verify(prev, pkey);
 			EVP_PKEY_free(pkey);
 			if (!verified) {
-				DEBUG_STUB("%s %-35s: cert %d (%p) was not signed by cert %d\n",
-					   STUB_DEBUG_SETUP_TLS, __FUNC__, i-1, (void*)prev, i);
+				if (!upstream->upstreams
+				||  !_getdns_check_log(
+				      &upstream->upstreams->log
+				    , GETDNS_LOG_UPSTREAM_STATS
+				    , GETDNS_LOG_ERR
+				    ))
+					return GETDNS_RETURN_GENERIC_ERROR;
+
+				if (!x_name)
+					x_name = X509_NAME_oneline(
+					      X509_get_subject_name(x)
+					    , x_name_spc, sizeof(x_name_spc));
+				_getdns_upstream_log( upstream
+				    , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR
+				    , "%-40s : Cert: %d %swas not signed "
+				      "by cert %d %s\n", upstream->addr_str
+				    , i - 1
+				    , X509_NAME_oneline(
+				            X509_get_subject_name(prev)
+					  , prev_name_spc
+				          , sizeof(prev_name_spc) )
+				    , i, x_name);
 				return GETDNS_RETURN_GENERIC_ERROR;
 			}
 		}
@@ -437,31 +483,85 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
 		/* digest the cert with sha256 */
 		len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), NULL);
 		if (len > (int)sizeof(raw)) {
-			DEBUG_STUB("%s %-35s: Pubkey %d is larger than %"PRIsz" octets\n",
-			           STUB_DEBUG_SETUP_TLS, __FUNC__, i, sizeof(raw));
+			if (!upstream->upstreams
+			||  !_getdns_check_log( &upstream->upstreams->log
+			                      , GETDNS_LOG_UPSTREAM_STATS
+			                      , GETDNS_LOG_WARNING ))
+				continue;
+
+			if (!x_name)
+				x_name = X509_NAME_oneline(
+				      X509_get_subject_name(x)
+				    , x_name_spc, sizeof(x_name_spc));
+			_getdns_upstream_log( upstream
+			    , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING
+			    , "%-40s : Skipping cert %d %s, because pubkey is "
+			      "larger than buffer size (%"PRIsz" octets)\n"
+			    , upstream->addr_str, i, x_name, sizeof(raw));
 			continue;
 		}
 		next = raw;
 		i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &next);
 		if (next - raw != len) {
-			DEBUG_STUB("%s %-35s: Pubkey %d claimed it needed %d octets, really needed %"PRIsz"\n",
-			           STUB_DEBUG_SETUP_TLS, __FUNC__, i, len, next - raw);
+			if (!upstream->upstreams
+			||  !_getdns_check_log( &upstream->upstreams->log
+			                      , GETDNS_LOG_UPSTREAM_STATS
+			                      , GETDNS_LOG_WARNING ))
+				continue;
+
+			if (!x_name)
+				x_name = X509_NAME_oneline(
+				      X509_get_subject_name(x)
+				    , x_name_spc, sizeof(x_name_spc));
+			_getdns_upstream_log( upstream
+			    , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING
+			    , "%-40s : Skipping cert %d %s, because pubkey si"
+			      "ze %"PRIsz" differs from earlier reported %d\n"
+			    , upstream->addr_str, i, x_name, next - raw, len);
 			continue;
 		}
 		SHA256(raw, len, buf);
 
 		/* compare it */
-		for (p = pinset; p; p = p->next)
-			if (0 == memcmp(buf, p->pin, sizeof(p->pin))) {
-				DEBUG_STUB("%s %-35s: Pubkey %d matched pin %p (%"PRIsz")\n",
-					   STUB_DEBUG_SETUP_TLS, __FUNC__, i, (void*)p, sizeof(p->pin));
-				return GETDNS_RETURN_GOOD;
-			} else
-				DEBUG_STUB("%s %-35s: Pubkey %d did not match pin %p\n",
-					   STUB_DEBUG_SETUP_TLS, __FUNC__, i, (void*)p);
-	}
+		for (p = pinset; p; p = p->next) {
+			char pin_str[1024];
+			
+			if (x_name) /* only when debugging */
+				gldns_b64_ntop( p->pin , sizeof(p->pin)
+				              , pin_str, sizeof(pin_str) );
 
-	return ret;
+			if (0 == memcmp(buf, p->pin, sizeof(p->pin))) {
+				if (!upstream->upstreams
+				||  !_getdns_check_log(
+				      &upstream->upstreams->log
+				    , GETDNS_LOG_UPSTREAM_STATS
+				    , GETDNS_LOG_INFO))
+					return GETDNS_RETURN_GOOD;
+
+				if (!x_name) {
+					x_name = X509_NAME_oneline(
+					      X509_get_subject_name(x)
+					    , x_name_spc, sizeof(x_name_spc));
+					gldns_b64_ntop( p->pin , sizeof(p->pin)
+					              , pin_str
+						      , sizeof(pin_str) );
+				}
+				_getdns_upstream_log( upstream
+				    , GETDNS_LOG_UPSTREAM_STATS
+				    , GETDNS_LOG_INFO
+				    , "%-40s : Pubkey of cert %d %s matched "
+				      "pin %s\n", upstream->addr_str
+				    , i, x_name, pin_str);
+				return GETDNS_RETURN_GOOD;
+			}
+			_getdns_upstream_log( upstream
+			    , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG
+			    , "%-40s : Pubkey of cert %d %s did not match"
+			      " pin %s\n", upstream->addr_str
+			    , i, x_name, pin_str);
+		}
+	}
+	return GETDNS_RETURN_GENERIC_ERROR;
 }
 
 /* pubkey-pinning.c */
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 894ccf00..8a09b2f3 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -61,8 +61,8 @@ _getdns_associate_upstream_with_SSL(SSL *ssl,
 				    getdns_upstream *upstream);
 
 getdns_return_t
-_getdns_verify_pinset_match(const sha256_pin_t *pinset,
-			    X509_STORE_CTX *store);
+_getdns_verify_pinset_match(const getdns_upstream *upstream,
+    const sha256_pin_t *pinset, X509_STORE_CTX *store);
 
 #endif
 /* pubkey-pinning.h */
diff --git a/src/stub.c b/src/stub.c
index 7dfcf1cb..d7af6eb4 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -887,7 +887,8 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 
 	/* Deal with the pinset validation */
 	if (upstream->tls_pubkey_pinset)
-		pinset_ret = _getdns_verify_pinset_match(upstream->tls_pubkey_pinset, ctx);
+		pinset_ret = _getdns_verify_pinset_match(
+		    upstream, upstream->tls_pubkey_pinset, ctx);
 
 	if (pinset_ret != GETDNS_RETURN_GOOD) {
 		DEBUG_STUB("%s %-35s: FD:  %d, WARNING: Pinset validation failure!\n",
@@ -2402,9 +2403,9 @@ upstream_find_for_netreq(getdns_network_req *netreq)
 		return fd;
 	}
 	/* Handle better, will give generic error*/
-	DEBUG_STUB("%s %-35s: MSG: %p No valid upstream! \n", STUB_DEBUG_SCHEDULE, __FUNC__, (void*)netreq);
-	_getdns_context_log(netreq->owner->context, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
-	    "   *FAILURE* no valid transports or upstreams available!\n");
+	_getdns_log(&netreq->owner->context->log
+	    , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR
+	    , "   *FAILURE* no valid transports or upstreams available!\n");
 	return -1;
 }
 

From bb99321e571c01f574f85faac99a40febf035355 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 7 Dec 2018 16:34:03 +0100
Subject: [PATCH 211/303] More constness for issue #410

---
 src/context.c                | 501 ++++++++++++-----------------------
 src/context.h                |   5 +-
 src/dict.c                   |   5 +-
 src/dnssec.c                 |  62 ++---
 src/getdns/getdns.h.in       |  19 +-
 src/getdns/getdns_extra.h.in | 148 ++++++-----
 src/list.c                   |   2 +-
 src/pubkey-pinning.c         |   9 +-
 src/pubkey-pinning.h         |   2 +-
 src/server.c                 |   4 +-
 src/util-internal.c          |  17 +-
 src/util-internal.h          |  13 +-
 12 files changed, 319 insertions(+), 468 deletions(-)

diff --git a/src/context.c b/src/context.c
index 5a720023..8a020677 100644
--- a/src/context.c
+++ b/src/context.c
@@ -330,16 +330,15 @@ static void destroy_local_host(_getdns_rbnode_t * node, void *arg)
  * TODO: Determine from OS
  */
 static getdns_return_t
-create_default_namespaces(struct getdns_context *context)
+create_default_namespaces(getdns_context *context)
 {
-	context->namespaces = GETDNS_XMALLOC(context->my_mf, getdns_namespace_t, 2);
-	if(context->namespaces == NULL)
-		return GETDNS_RETURN_GENERIC_ERROR;
+	if (!( context->namespaces
+	     = GETDNS_XMALLOC(context->my_mf, getdns_namespace_t, 2)))
+		return GETDNS_RETURN_MEMORY_ERROR;
 
 	context->namespaces[0] = GETDNS_NAMESPACE_LOCALNAMES;
 	context->namespaces[1] = GETDNS_NAMESPACE_DNS;
 	context->namespace_count = 2;
-
 	return GETDNS_RETURN_GOOD;
 }
 
@@ -347,11 +346,11 @@ create_default_namespaces(struct getdns_context *context)
  * Helper to get default transports.
  */
 static getdns_return_t
-create_default_dns_transports(struct getdns_context *context)
+create_default_dns_transports(getdns_context *context)
 {
-	context->dns_transports = GETDNS_XMALLOC(context->my_mf, getdns_transport_list_t, 2);
-	if(context->dns_transports == NULL)
-		return GETDNS_RETURN_GENERIC_ERROR;
+	if (!( context->dns_transports
+	     = GETDNS_XMALLOC(context->my_mf, getdns_transport_list_t, 2)))
+		return GETDNS_RETURN_MEMORY_ERROR;
 
 	context->dns_transports[0] = GETDNS_TRANSPORT_UDP;
 	context->dns_transports[1] = GETDNS_TRANSPORT_TCP;
@@ -415,7 +414,7 @@ local_host_cmp(const void *id1, const void *id2)
 }
 
 /** return 0 on success */
-static int
+static getdns_return_t
 add_local_host(getdns_context *context, getdns_dict *address, const char *str)
 {
 	uint8_t host_name[256];
@@ -424,9 +423,10 @@ add_local_host(getdns_context *context, getdns_dict *address, const char *str)
 	getdns_bindata *address_type;
 	int hnas_found = 0;
 	getdns_list **addrs;
+	getdns_return_t r;
 
 	if (gldns_str2wire_dname_buf(str, host_name, &host_name_len))
-		return -1;
+		return GETDNS_RETURN_BAD_DOMAIN_NAME;
 
 	canonicalize_dname(host_name);
 	
@@ -435,7 +435,7 @@ add_local_host(getdns_context *context, getdns_dict *address, const char *str)
 
 		if (!(hnas = (host_name_addrs *)GETDNS_XMALLOC(context->mf,
 		    uint8_t, sizeof(host_name_addrs) + host_name_len)))
-			return -1;
+			return GETDNS_RETURN_MEMORY_ERROR;
 
 		hnas->ipv4addrs = NULL;
 		hnas->ipv6addrs = NULL;
@@ -445,35 +445,33 @@ add_local_host(getdns_context *context, getdns_dict *address, const char *str)
 	} else
 		hnas_found = 1;
 	
-	if (getdns_dict_get_bindata(address, "address_type", &address_type) ||
-
-	    address_type->size < 4 ||
-
-	    !(addrs = address_type->data[3] == '4'? &hnas->ipv4addrs
+	if ((r = getdns_dict_get_bindata(address,"address_type",&address_type))
+	||  address_type->size < 4
+	||  !(addrs = address_type->data[3] == '4'? &hnas->ipv4addrs
 	            : address_type->data[3] == '6'? &hnas->ipv4addrs : NULL)) {
 
 		if (!hnas_found) GETDNS_FREE(context->mf, hnas);
-		return -1;
+		return r ? r : GETDNS_RETURN_WRONG_TYPE_REQUESTED;
 	}
 	if (!*addrs && !(*addrs = getdns_list_create_with_context(context))) {
 		if (!hnas_found) GETDNS_FREE(context->mf, hnas);
-		return -1;
+		return GETDNS_RETURN_MEMORY_ERROR;
 	}
-	if (_getdns_list_append_this_dict(*addrs, address)) {
+	if ((r = _getdns_list_append_this_dict(*addrs, address))) {
 	       	if (!hnas_found) {
 			getdns_list_destroy(*addrs);
 			GETDNS_FREE(context->mf, hnas);
 		}
-		return -1;
+		return r;
 
 	} else if (!hnas_found)
 		(void)_getdns_rbtree_insert(&context->local_hosts, &hnas->node);
 
-	return 0;
+	return GETDNS_RETURN_GOOD;
 }
 
 static getdns_dict *
-sockaddr_dict(getdns_context *context, struct sockaddr *sa)
+sockaddr_dict(const getdns_context *context, struct sockaddr *sa)
 {
 	getdns_dict *address = getdns_dict_create_with_context(context);
 	char addrstr[1024], *b;
@@ -591,7 +589,7 @@ getdns_return_t
 getdns_context_set_hosts(getdns_context *context, const char *hosts)
 {
 	/* enough space in buf for longest allowed domain name */
-	char buf[1024];
+	char buf[2048];
 	char *pos = buf, prev_c, *start_of_word = NULL;
 	FILE *in;
 	int start_of_line = 1;
@@ -603,7 +601,7 @@ getdns_context_set_hosts(getdns_context *context, const char *hosts)
 	if (!(in = fopen(hosts, "r")))
 		return GETDNS_RETURN_IO_ERROR;
 
-	(void)strlcpy(context->fchg_hosts.fn, hosts, _GETDNS_PATH_MAX);
+	(void) strlcpy(context->fchg_hosts.fn, hosts, _GETDNS_PATH_MAX);
 	(void) memset(&context->fchg_hosts.prevstat, 0, sizeof(struct stat));
 	context->fchg_hosts.changes = GETDNS_FCHG_NOCHANGES;
 	context->fchg_hosts.errors = GETDNS_FCHG_NOERROR;
@@ -695,7 +693,7 @@ read_more:	;
 }
 
 getdns_return_t
-getdns_context_get_hosts(getdns_context *context, const char **hosts)
+getdns_context_get_hosts(const getdns_context *context, const char **hosts)
 {
 	if (!context || !hosts)
 		return GETDNS_RETURN_INVALID_PARAMETER;
@@ -1193,7 +1191,7 @@ set_os_defaults_windows(getdns_context *context)
 
     info = (FIXED_INFO *)malloc(sizeof(FIXED_INFO));
     if (info == NULL)
-		return GETDNS_RETURN_GENERIC_ERROR;
+		return GETDNS_RETURN_MEMORY_ERROR;
 
 	if ((info_err = GetNetworkParams(info, &buflen)) == ERROR_BUFFER_OVERFLOW) {
 		free(info);
@@ -1373,7 +1371,8 @@ getdns_context_set_resolvconf(getdns_context *context, const char *resolvconf)
 #endif
 
 getdns_return_t
-getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf)
+getdns_context_get_resolvconf(
+    const getdns_context *context, const char **resolvconf)
 {
 	if (!context || !resolvconf)
 		return GETDNS_RETURN_INVALID_PARAMETER;
@@ -1897,7 +1896,8 @@ getdns_context_set_update_callback(getdns_context *context, void *userarg,
 }
 
 getdns_return_t
-getdns_context_get_update_callback(getdns_context *context, void **userarg,
+getdns_context_get_update_callback(const getdns_context *context,
+    void **userarg,
     void (**cb)(getdns_context *, getdns_context_code_t, void *))
 {
 	if (!context || !userarg || !cb)
@@ -3854,7 +3854,7 @@ _getdns_bindata_destroy(struct mem_funcs *mfs,
 /* TODO: Remove next_timeout argument from getdns_context_get_num_pending_requests
  */
 uint32_t
-getdns_context_get_num_pending_requests(getdns_context* context,
+getdns_context_get_num_pending_requests(const getdns_context* context,
     struct timeval* next_timeout)
 {
 	(void)next_timeout;
@@ -3928,7 +3928,8 @@ getdns_context_set_eventloop(getdns_context* context, getdns_eventloop* loop)
 }
 
 getdns_return_t
-getdns_context_get_eventloop(getdns_context *context, getdns_eventloop **loop)
+getdns_context_get_eventloop(
+    const getdns_context *context, getdns_eventloop **loop)
 {
 	if (!context || !loop)
 		return GETDNS_RETURN_INVALID_PARAMETER;
@@ -3941,9 +3942,9 @@ getdns_context_get_eventloop(getdns_context *context, getdns_eventloop **loop)
 	return GETDNS_RETURN_GOOD;
 }
 
-static size_t _getdns_get_appdata(getdns_context *context, char *path);
+static size_t _getdns_get_appdata(const getdns_context *context, char *path);
 static getdns_dict*
-_get_context_settings(getdns_context* context)
+_get_context_settings(const getdns_context* context)
 {
 	getdns_dict *result = getdns_dict_create_with_context(context);
 	getdns_list *list;
@@ -4155,7 +4156,7 @@ error:
 }
 
 getdns_dict*
-getdns_context_get_api_information(getdns_context* context)
+getdns_context_get_api_information(const getdns_context* context)
 {
 	getdns_dict* result;
 	getdns_dict* settings;
@@ -4350,197 +4351,117 @@ priv_getdns_context_mf(getdns_context *context)
 }
 
 /** begin getters **/
+
+#define CONTEXT_GETTER2(NAME,TYPE,VALUE) \
+    getdns_return_t \
+    getdns_context_get_ ## NAME ( \
+        const getdns_context *context, TYPE *value) \
+    { if (!context || !value)	return GETDNS_RETURN_INVALID_PARAMETER \
+    ; *value = context-> VALUE;	return GETDNS_RETURN_GOOD; }
+
+#define CONTEXT_GETTER(NAME,TYPE) CONTEXT_GETTER2(NAME,TYPE,NAME)
+
+CONTEXT_GETTER(resolution_type, getdns_resolution_t)
+
 getdns_return_t
-getdns_context_get_resolution_type(getdns_context *context,
-    getdns_resolution_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->resolution_type;
-    return GETDNS_RETURN_GOOD;
+getdns_context_get_namespaces(const getdns_context *context,
+    size_t* namespace_count, getdns_namespace_t **namespaces)
+{
+	if (!context || !namespace_count || !namespaces)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	*namespace_count = context->namespace_count;
+	if (!context->namespace_count) {
+		*namespaces = NULL;
+		return GETDNS_RETURN_GOOD;
+	}
+	// use normal malloc here so users can do normal free
+	*namespaces = malloc(
+	    context->namespace_count * sizeof(getdns_namespace_t));
+	memcpy(*namespaces, context->namespaces,
+	    context->namespace_count * sizeof(getdns_namespace_t));
+	return GETDNS_RETURN_GOOD;
 }
 
 getdns_return_t
-getdns_context_get_namespaces(getdns_context *context,
-    size_t* namespace_count, getdns_namespace_t **namespaces) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(namespace_count, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(namespaces, GETDNS_RETURN_INVALID_PARAMETER);
-    *namespace_count = context->namespace_count;
-    if (!context->namespace_count) {
-        *namespaces = NULL;
-        return GETDNS_RETURN_GOOD;
-    }
-    // use normal malloc here so users can do normal free
-    *namespaces = malloc(context->namespace_count * sizeof(getdns_namespace_t));
-    memcpy(*namespaces, context->namespaces,
-           context->namespace_count * sizeof(getdns_namespace_t));
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_dns_transport(getdns_context *context,
-    getdns_transport_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-	int count = context->dns_transport_count;
-	getdns_transport_list_t *transports = context->dns_transports;
-    if (!count)
-        return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
-
-    /* Best effort mapping for backwards compatibility*/
-    if (transports[0] == GETDNS_TRANSPORT_UDP) {
-        if (count == 1) 
-            *value = GETDNS_TRANSPORT_UDP_ONLY;
-        else if (count == 2 && transports[1] == GETDNS_TRANSPORT_TCP)
-            *value = GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP;
-        else
-            return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
-    }
-    if (transports[0] == GETDNS_TRANSPORT_TCP) {
-        if (count == 1) 
-            *value = GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN;
-    }
-    if (transports[0] == GETDNS_TRANSPORT_TLS) {
-        if (count == 1) 
-            *value = GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN;
-        else if (count == 2 && transports[1] == GETDNS_TRANSPORT_TCP)
-            *value = GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN;
-        else
-            return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
-    }
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_dns_transport_list(getdns_context *context,
-    size_t* transport_count, getdns_transport_list_t **transports) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(transport_count, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(transports, GETDNS_RETURN_INVALID_PARAMETER);
-   *transport_count = context->dns_transport_count;
-    if (!context->dns_transport_count) {
-        *transports = NULL;
-        return GETDNS_RETURN_GOOD;
-    }
-    // use normal malloc here so users can do normal free
-    *transports = malloc(context->dns_transport_count * sizeof(getdns_transport_list_t));
-    memcpy(*transports, context->dns_transports,
-           context->dns_transport_count * sizeof(getdns_transport_list_t));
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_tls_authentication(getdns_context *context,
-    getdns_tls_authentication_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->tls_auth;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_round_robin_upstreams(getdns_context *context,
-    uint8_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->round_robin_upstreams;
-    return GETDNS_RETURN_GOOD;
-}
-
-/**
- * Get the maximum number of messages that can be sent to other upstreams
- * before the upstream which has previously timed out will be tried again.
- * @see getdns_context_set_max_backoff_value
- * @param[in]  context  The context from which to get the setting
- * @param[out] value    Number of messages sent to other upstreams before 
- *                      retrying the upstream which had timed out.
- * @return GETDNS_RETURN_GOOD on success
- * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
- */
-getdns_return_t
-getdns_context_get_max_backoff_value(getdns_context *context,
-    uint16_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->max_backoff_value;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_tls_backoff_time(getdns_context *context,
-    uint16_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->tls_backoff_time;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_tls_connection_retries(getdns_context *context,
-    uint16_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->tls_connection_retries;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_limit_outstanding_queries(getdns_context *context,
-    uint16_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->limit_outstanding_queries;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_timeout(getdns_context *context, uint64_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->timeout;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_idle_timeout(getdns_context *context, uint64_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->idle_timeout;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_follow_redirects(
-    getdns_context *context, getdns_redirects_t* value)
+getdns_context_get_dns_transport(
+    const getdns_context *context, getdns_transport_t* value)
 {
 	if (!context || !value)
 		return GETDNS_RETURN_INVALID_PARAMETER;
-	*value = context->follow_redirects;
-	return GETDNS_RETURN_NOT_IMPLEMENTED;
+
+	if (context->dns_transport_count == 0)
+		return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
+
+	/* Best effort mapping for backwards compatibility*/
+	if (context->dns_transports[0] == GETDNS_TRANSPORT_UDP) {
+		if (context->dns_transport_count == 1) 
+			*value = GETDNS_TRANSPORT_UDP_ONLY;
+		else if (context->dns_transport_count == 2
+		     &&  context->dns_transports[1] == GETDNS_TRANSPORT_TCP)
+			*value = GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP;
+		else
+			return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
+	}
+	if (context->dns_transports[0] == GETDNS_TRANSPORT_TCP) {
+		if (context->dns_transport_count == 1) 
+			*value = GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN;
+	}
+	if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS) {
+		if (context->dns_transport_count == 1) 
+			*value = GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN;
+		else if (context->dns_transport_count == 2
+		     &&  context->dns_transports[1] == GETDNS_TRANSPORT_TCP)
+			*value = GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN;
+		else
+			return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
+	}
+	return GETDNS_RETURN_GOOD;
 }
 
 getdns_return_t
-getdns_context_get_dns_root_servers(getdns_context *context,
-    getdns_list **value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = NULL;
-    if (context->dns_root_servers)
-        return _getdns_list_copy(context->dns_root_servers, value);
-    return GETDNS_RETURN_GOOD;
+getdns_context_get_dns_transport_list(const getdns_context *context,
+    size_t* transport_count, getdns_transport_list_t **transports)
+{
+	if (!context || !transport_count || !transports)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	*transport_count = context->dns_transport_count;
+	if (!context->dns_transport_count) {
+		*transports = NULL;
+		return GETDNS_RETURN_GOOD;
+	}
+	// use normal malloc here so users can do normal free
+	*transports = malloc(
+	    context->dns_transport_count * sizeof(getdns_transport_t));
+	memcpy(*transports, context->dns_transports,
+	    context->dns_transport_count * sizeof(getdns_transport_t));
+	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t
-getdns_context_get_append_name(getdns_context *context,
-    getdns_append_name_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->append_name;
-    return GETDNS_RETURN_GOOD;
-}
+CONTEXT_GETTER2(tls_authentication, getdns_tls_authentication_t, tls_auth)
+CONTEXT_GETTER(round_robin_upstreams      , uint8_t)
+CONTEXT_GETTER(max_backoff_value          , uint16_t)
+CONTEXT_GETTER(tls_backoff_time           , uint16_t)
+CONTEXT_GETTER(tls_connection_retries     , uint16_t)
+CONTEXT_GETTER(limit_outstanding_queries  , uint16_t)
+CONTEXT_GETTER(timeout                    , uint64_t)
+CONTEXT_GETTER(idle_timeout               , uint64_t)
+CONTEXT_GETTER(follow_redirects           , getdns_redirects_t)
 
 getdns_return_t
-getdns_context_get_suffix(getdns_context *context, getdns_list **value)
+getdns_context_get_dns_root_servers(
+    const getdns_context *context, getdns_list **value)
+{
+	if (!context || !value) return GETDNS_RETURN_INVALID_PARAMETER;
+	if (context->dns_root_servers)
+		return _getdns_list_copy(context->dns_root_servers, value);
+	*value = NULL;
+	return GETDNS_RETURN_GOOD;
+}
+
+CONTEXT_GETTER(append_name                , getdns_append_name_t)
+
+getdns_return_t
+getdns_context_get_suffix(const getdns_context *context, getdns_list **value)
 {
 	size_t dname_len;
 	const uint8_t *dname;
@@ -4578,10 +4499,9 @@ getdns_context_get_suffix(getdns_context *context, getdns_list **value)
 
 getdns_return_t
 getdns_context_get_dnssec_trust_anchors(
-    getdns_context *context, getdns_list **value)
+    const getdns_context *context, getdns_list **value)
 {
-	RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-	RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
+	if (!context || !value) return GETDNS_RETURN_INVALID_PARAMETER;
 
 	if (context->trust_anchors) {
 		if ((*value = getdns_list_create_with_context(context)))
@@ -4597,17 +4517,17 @@ getdns_context_get_dnssec_trust_anchors(
 }
 
 getdns_return_t
-getdns_context_get_dnssec_allowed_skew(getdns_context *context,
-    uint32_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->dnssec_allowed_skew;
-    return GETDNS_RETURN_GOOD;
+getdns_context_get_dnssec_allowed_skew(
+    const getdns_context *context, uint32_t* value)
+{
+	if (!context || !value) return GETDNS_RETURN_INVALID_PARAMETER;
+	*value = context->dnssec_allowed_skew;
+	return GETDNS_RETURN_GOOD;
 }
 
 getdns_return_t
-getdns_context_get_upstream_recursive_servers(getdns_context *context,
-    getdns_list **upstreams_r)
+getdns_context_get_upstream_recursive_servers(
+    const getdns_context *context, getdns_list **upstreams_r)
 {
 	size_t i;
 	getdns_list *upstreams;
@@ -4733,55 +4653,20 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
 }
 
 getdns_return_t
-getdns_context_get_edns_maximum_udp_payload_size(getdns_context *context,
-    uint16_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->edns_maximum_udp_payload_size == -1 ? 0
-           : context->edns_maximum_udp_payload_size;
-    return GETDNS_RETURN_GOOD;
+getdns_context_get_edns_maximum_udp_payload_size(
+    const getdns_context *context, uint16_t* value)
+{
+	if (!context || !value) return GETDNS_RETURN_INVALID_PARAMETER;
+	*value = context->edns_maximum_udp_payload_size == -1 ? 0
+	       : context->edns_maximum_udp_payload_size;
+	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t
-getdns_context_get_edns_extended_rcode(getdns_context *context,
-    uint8_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->edns_extended_rcode;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_edns_version(getdns_context *context, uint8_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->edns_version;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_edns_do_bit(getdns_context *context, uint8_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->edns_do_bit;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_edns_client_subnet_private(getdns_context *context, uint8_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->edns_client_subnet_private;
-    return GETDNS_RETURN_GOOD;
-}
-
-getdns_return_t
-getdns_context_get_tls_query_padding_blocksize(getdns_context *context, uint16_t* value) {
-    RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
-    *value = context->tls_query_padding_blocksize;
-    return GETDNS_RETURN_GOOD;
-}
+CONTEXT_GETTER(edns_extended_rcode        , uint8_t)
+CONTEXT_GETTER(edns_version               , uint8_t)
+CONTEXT_GETTER(edns_do_bit                , uint8_t)
+CONTEXT_GETTER(edns_client_subnet_private , uint8_t)
+CONTEXT_GETTER(tls_query_padding_blocksize, uint16_t)
 
 static int _streq(const getdns_bindata *name, const char *str)
 {
@@ -5043,7 +4928,7 @@ getdns_context_config(getdns_context *context, const getdns_dict *config_dict)
 	return r;
 }
 
-static size_t _getdns_get_appdata(getdns_context *context, char *path)
+static size_t _getdns_get_appdata(const getdns_context *context, char *path)
 {
 	size_t len = 0;
 
@@ -5116,7 +5001,8 @@ static size_t _getdns_get_appdata(getdns_context *context, char *path)
 	return 0;
 }
 
-FILE *_getdns_context_get_priv_fp(getdns_context *context, const char *fn)
+FILE *_getdns_context_get_priv_fp(
+    const getdns_context *context, const char *fn)
 {
 	char path[_GETDNS_PATH_MAX];
 	FILE *f = NULL;
@@ -5145,7 +5031,7 @@ FILE *_getdns_context_get_priv_fp(getdns_context *context, const char *fn)
 	return f;
 }
 
-uint8_t *_getdns_context_get_priv_file(getdns_context *context,
+uint8_t *_getdns_context_get_priv_file(const getdns_context *context,
     const char *fn, uint8_t *buf, size_t buf_len, size_t *file_sz)
 {
 	FILE *f = NULL;
@@ -5330,7 +5216,7 @@ getdns_context_set_trust_anchors_url(
 
 getdns_return_t
 getdns_context_get_trust_anchors_url(
-    getdns_context *context, const char **url)
+    const getdns_context *context, const char **url)
 {
 	if (!context || !url)
 		return GETDNS_RETURN_INVALID_PARAMETER;
@@ -5360,7 +5246,7 @@ getdns_context_set_trust_anchors_verify_CA(
 
 getdns_return_t
 getdns_context_get_trust_anchors_verify_CA(
-    getdns_context *context, const char **verify_CA)
+    const getdns_context *context, const char **verify_CA)
 {
 	if (!verify_CA)
 		return GETDNS_RETURN_INVALID_PARAMETER;
@@ -5390,7 +5276,7 @@ getdns_context_set_trust_anchors_verify_email(
 
 getdns_return_t
 getdns_context_get_trust_anchors_verify_email(
-    getdns_context *context, const char **verify_email)
+    const getdns_context *context, const char **verify_email)
 {
 	if (!verify_email)
 		return GETDNS_RETURN_INVALID_PARAMETER;
@@ -5416,16 +5302,7 @@ getdns_context_set_trust_anchors_backoff_time(
 	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t
-getdns_context_get_trust_anchors_backoff_time(
-    getdns_context *context, uint64_t *backoff_time)
-{
-	if (!backoff_time)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-
-	*backoff_time = context->trust_anchors_backoff_time;
-	return GETDNS_RETURN_GOOD;
-}
+CONTEXT_GETTER(trust_anchors_backoff_time , uint64_t)
 
 getdns_return_t
 getdns_context_set_appdata_dir(
@@ -5505,15 +5382,7 @@ getdns_context_set_tls_ca_path(getdns_context *context, const char *tls_ca_path)
 	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t
-getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path)
-{
-	if (!context || !tls_ca_path)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-
-	*tls_ca_path = context->tls_ca_path;
-	return GETDNS_RETURN_GOOD;
-}
+CONTEXT_GETTER(tls_ca_path                , const char *)
 
 getdns_return_t
 getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file)
@@ -5528,15 +5397,7 @@ getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file)
 	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t
-getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file)
-{
-	if (!context || !tls_ca_file)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-
-	*tls_ca_file = context->tls_ca_file;
-	return GETDNS_RETURN_GOOD;
-}
+CONTEXT_GETTER(tls_ca_file                , const char *)
 
 getdns_return_t
 getdns_context_set_tls_cipher_list(
@@ -5556,7 +5417,7 @@ getdns_context_set_tls_cipher_list(
 
 getdns_return_t
 getdns_context_get_tls_cipher_list(
-    getdns_context *context, const char **tls_cipher_list)
+    const getdns_context *context, const char **tls_cipher_list)
 {
 	if (!context || !tls_cipher_list)
 		return GETDNS_RETURN_INVALID_PARAMETER;
@@ -5585,7 +5446,7 @@ getdns_context_set_tls_ciphersuites(
 
 getdns_return_t
 getdns_context_get_tls_ciphersuites(
-    getdns_context *context, const char **tls_ciphersuites)
+    const getdns_context *context, const char **tls_ciphersuites)
 {
 	if (!context || !tls_ciphersuites)
 		return GETDNS_RETURN_INVALID_PARAMETER;
@@ -5617,15 +5478,7 @@ getdns_context_set_tls_curves_list(
 #endif
 }
 
-getdns_return_t
-getdns_context_get_tls_curves_list(
-    getdns_context *context, const char **tls_curves_list)
-{
-	if (!context || !tls_curves_list)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-	*tls_curves_list = context->tls_curves_list;
-	return GETDNS_RETURN_GOOD;
-}
+CONTEXT_GETTER(tls_curves_list            , const char *)
 
 getdns_return_t
 getdns_context_set_tls_min_version(
@@ -5638,15 +5491,7 @@ getdns_context_set_tls_min_version(
 	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t
-getdns_context_get_tls_min_version(
-    getdns_context *context, getdns_tls_version_t *tls_min_version)
-{
-	if (!context || !tls_min_version)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-	*tls_min_version = context->tls_min_version;
-	return GETDNS_RETURN_GOOD;
-}
+CONTEXT_GETTER(tls_min_version            , getdns_tls_version_t)
 
 getdns_return_t
 getdns_context_set_tls_max_version(
@@ -5659,14 +5504,6 @@ getdns_context_set_tls_max_version(
 	return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t
-getdns_context_get_tls_max_version(
-    getdns_context *context, getdns_tls_version_t *tls_max_version)
-{
-	if (!context || !tls_max_version)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-	*tls_max_version = context->tls_max_version;
-	return GETDNS_RETURN_GOOD;
-}
+CONTEXT_GETTER(tls_max_version            , getdns_tls_version_t)
 
 /* context.c */
diff --git a/src/context.h b/src/context.h
index bf3d7da6..72b9d9d2 100644
--- a/src/context.h
+++ b/src/context.h
@@ -590,8 +590,9 @@ void _getdns_upstreams_dereference(getdns_upstreams *upstreams);
 
 void _getdns_upstream_shutdown(getdns_upstream *upstream);
 
-FILE *_getdns_context_get_priv_fp(getdns_context *context, const char *fn);
-uint8_t *_getdns_context_get_priv_file(getdns_context *context,
+FILE *_getdns_context_get_priv_fp(
+    const getdns_context *context, const char *fn);
+uint8_t *_getdns_context_get_priv_file(const getdns_context *context,
     const char *fn, uint8_t *buf, size_t buf_len, size_t *file_sz);
 
 int _getdns_context_write_priv_file(getdns_context *context,
diff --git a/src/dict.c b/src/dict.c
index 02d3f20f..d2ce53a9 100644
--- a/src/dict.c
+++ b/src/dict.c
@@ -434,7 +434,7 @@ getdns_dict_create_with_memory_functions(void *(*malloc)(size_t),
 
 /*-------------------------- getdns_dict_create_with_context */
 struct getdns_dict *
-getdns_dict_create_with_context(struct getdns_context *context)
+getdns_dict_create_with_context(const getdns_context *context)
 {
 	if (context)
 		return getdns_dict_create_with_extended_memory_functions(
@@ -655,7 +655,8 @@ getdns_dict_set_bindata(
 
 /*---------------------------------------- getdns_dict_set_bindata */
 getdns_return_t
-getdns_dict_util_set_string(getdns_dict *dict, char *name, const char *value)
+getdns_dict_util_set_string(getdns_dict *dict,
+    const char *name, const char *value)
 {
 	getdns_item    *item;
 	getdns_bindata *newbindata;
diff --git a/src/dnssec.c b/src/dnssec.c
index 7fa8e0b1..0e318c7e 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -523,7 +523,7 @@ static void val_chain_sched(chain_head *head, const uint8_t *dname);
 static void val_chain_sched_ds(chain_head *head, const uint8_t *dname);
 static void val_chain_sched_signer(chain_head *head, _getdns_rrsig_iter *rrsig);
 
-static chain_head *add_rrset2val_chain(struct mem_funcs *mf,
+static chain_head *add_rrset2val_chain(const struct mem_funcs *mf,
     chain_head **chain_p, _getdns_rrset *rrset, getdns_network_req *netreq)
 {
 	chain_head *head;
@@ -788,7 +788,7 @@ static int is_synthesized_cname(_getdns_rrset *cname)
  * When a SOA query was successful, a query for DS will follow for that
  * owner name.
  */
-static void add_pkt2val_chain(struct mem_funcs *mf,
+static void add_pkt2val_chain(const struct mem_funcs *mf,
     chain_head **chain_p, uint8_t *pkt, size_t pkt_len,
     getdns_network_req *netreq)
 {
@@ -850,7 +850,7 @@ static void add_pkt2val_chain(struct mem_funcs *mf,
  * checked eventually.
  * But only if we know the question of course...
  */
-static void add_question2val_chain(struct mem_funcs *mf,
+static void add_question2val_chain(const struct mem_funcs *mf,
     chain_head **chain_p, uint8_t *pkt, size_t pkt_len,
     const uint8_t *qname, uint16_t qtype, uint16_t qclass,
     getdns_network_req *netreq)
@@ -1364,8 +1364,9 @@ static int _rr_iter_rdata_cmp(const void *a, const void *b)
  * nc_name will be set to the next closer (within rrset->name).
  */
 #define VAL_RRSET_SPC_SZ 256
-static int _getdns_verify_rrsig(struct mem_funcs *mf,
-    _getdns_rrset *rrset, _getdns_rrsig_iter *rrsig, _getdns_rrtype_iter *key, const uint8_t **nc_name)
+static int _getdns_verify_rrsig(const struct mem_funcs *mf,
+    _getdns_rrset *rrset, _getdns_rrsig_iter *rrsig, _getdns_rrtype_iter *key,
+    const uint8_t **nc_name)
 {
 	int r;
 	int to_skip;
@@ -1683,8 +1684,9 @@ static int check_dates(time_t now, int32_t skew, int32_t exp, int32_t inc)
 /* Returns whether dnskey signed rrset.  If the rrset was a valid wildcard
  * expansion, nc_name will point to the next closer part of the name in rrset.
  */
-static int dnskey_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
-    _getdns_rrtype_iter *dnskey, _getdns_rrset *rrset, const uint8_t **nc_name)
+static int dnskey_signed_rrset(const struct mem_funcs *mf, time_t now,
+    uint32_t skew, _getdns_rrtype_iter *dnskey, _getdns_rrset *rrset,
+    const uint8_t **nc_name)
 {
 	_getdns_rrsig_iter rrsig_spc, *rrsig;
 	_getdns_rdf_iter rdf_spc, *rdf;
@@ -1752,7 +1754,7 @@ static int dnskey_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
 }
 
 /* Returns whether a dnskey for keyset signed a non wildcard rrset. */
-static int a_key_signed_rrset_no_wc(struct mem_funcs *mf, time_t now,
+static int a_key_signed_rrset_no_wc(const struct mem_funcs *mf, time_t now,
     uint32_t skew, _getdns_rrset *keyset, _getdns_rrset *rrset)
 {
 	_getdns_rrtype_iter dnskey_spc, *dnskey;
@@ -1780,13 +1782,13 @@ static int a_key_signed_rrset_no_wc(struct mem_funcs *mf, time_t now,
 	return 0;
 }
 
-static int find_nsec_covering_name(
-    struct mem_funcs *mf, time_t now, uint32_t skew, _getdns_rrset *dnskey,
+static int find_nsec_covering_name(const struct mem_funcs *mf,
+    time_t now, uint32_t skew, _getdns_rrset *dnskey,
     _getdns_rrset *rrset, const uint8_t *name, int *opt_out);
 
 /* Returns whether a dnskey for keyset signed rrset. */
-static int a_key_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
-    _getdns_rrset *keyset, _getdns_rrset *rrset)
+static int a_key_signed_rrset(const struct mem_funcs *mf, time_t now,
+    uint32_t skew, _getdns_rrset *keyset, _getdns_rrset *rrset)
 {
 	_getdns_rrtype_iter dnskey_spc, *dnskey;
 	const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
@@ -1827,7 +1829,7 @@ static int a_key_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
 /* Returns whether a DS in ds_set matches a dnskey in dnskey_set which in turn
  * signed the dnskey set.
  */
-static int ds_authenticates_keys(struct mem_funcs *mf,
+static int ds_authenticates_keys(const struct mem_funcs *mf,
     time_t now, uint32_t skew, _getdns_rrset *ds_set, _getdns_rrset *dnskey_set)
 {
 	_getdns_rrtype_iter dnskey_spc, *dnskey;
@@ -2112,8 +2114,8 @@ static int nsec3_covers_name(
 	}
 }
 
-static int find_nsec_covering_name(
-    struct mem_funcs *mf, time_t now, uint32_t skew, _getdns_rrset *dnskey,
+static int find_nsec_covering_name(const struct mem_funcs *mf, time_t now,
+    uint32_t skew, _getdns_rrset *dnskey,
     _getdns_rrset *rrset, const uint8_t *name, int *opt_out)
 {
 	_getdns_rrset_iter i_spc, *i;
@@ -2215,7 +2217,7 @@ static int find_nsec_covering_name(
 }
 
 static int nsec3_find_next_closer(
-    struct mem_funcs *mf, time_t now, uint32_t skew,
+    const struct mem_funcs *mf, time_t now, uint32_t skew,
     _getdns_rrset *dnskey, _getdns_rrset *rrset,
     const uint8_t *nc_name, int *opt_out)
 {
@@ -2267,7 +2269,7 @@ static int nsec3_find_next_closer(
  * verifying key: it returns keytag + NSEC3_ITERATION_COUNT_HIGH (0x20000)
  */
 static int key_proves_nonexistance(
-    struct mem_funcs *mf, time_t now, uint32_t skew,
+    const struct mem_funcs *mf, time_t now, uint32_t skew,
     _getdns_rrset *keyset, _getdns_rrset *rrset, int *opt_out)
 {
 	_getdns_rrset nsec_rrset, *cover, *ce;
@@ -2571,7 +2573,7 @@ static int key_proves_nonexistance(
  * non-existence of a DS along the path is proofed, and SECURE otherwise.
  */
 static int chain_node_get_trusted_keys(
-    struct mem_funcs *mf, time_t now, uint32_t skew,
+    const struct mem_funcs *mf, time_t now, uint32_t skew,
     chain_node *node, _getdns_rrset *ta, _getdns_rrset **keys)
 {
 	int s, keytag;
@@ -2714,7 +2716,7 @@ static int chain_node_get_trusted_keys(
  * For this first a secure keyset is looked up, with which the keyset is 
  * evaluated.
  */
-static int chain_head_validate_with_ta(struct mem_funcs *mf,
+static int chain_head_validate_with_ta(const struct mem_funcs *mf,
     time_t now, uint32_t skew, chain_head *head, _getdns_rrset *ta)
 {
 	_getdns_rrset *keys;
@@ -2801,8 +2803,8 @@ static int chain_head_validate_with_ta(struct mem_funcs *mf,
 /* The DNSSEC status of the rrset in head is evaluated by trying the trust
  * anchors in tas in turn.  The best outcome counts.
  */
-static int chain_head_validate(struct mem_funcs *mf, time_t now, uint32_t skew,
-    chain_head *head, _getdns_rrset_iter *tas)
+static int chain_head_validate(const struct mem_funcs *mf, time_t now,
+    uint32_t skew, chain_head *head, _getdns_rrset_iter *tas)
 {
 	_getdns_rrset_iter *i;
 	_getdns_rrset *ta, dnskey_ta, ds_ta;
@@ -2951,7 +2953,7 @@ static void chain_clear_netreq_dnssec_status(chain_head *chain)
  * processing each head in turn.  The worst outcome is the dnssec status for
  * the whole.
  */
-static int chain_validate_dnssec(struct mem_funcs *mf,
+static int chain_validate_dnssec(const struct mem_funcs *mf,
     time_t now, uint32_t skew, chain_head *chain, _getdns_rrset_iter *tas)
 {
 	int s = GETDNS_DNSSEC_INDETERMINATE, t;
@@ -3606,7 +3608,7 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq)
  *****************************************************************************/
 
 
-static int wire_validate_dnssec(struct mem_funcs *mf,
+static int wire_validate_dnssec(const struct mem_funcs *mf,
     time_t now, uint32_t skew, uint8_t *to_val, size_t to_val_len,
     uint8_t *support, size_t support_len, uint8_t *tas, size_t tas_len)
 {
@@ -3688,9 +3690,9 @@ static int wire_validate_dnssec(struct mem_funcs *mf,
  *
  */
 getdns_return_t
-getdns_validate_dnssec2(getdns_list *records_to_validate,
-    getdns_list *support_records,
-    getdns_list *trust_anchors,
+getdns_validate_dnssec2(const getdns_list *records_to_validate,
+    const getdns_list *support_records,
+    const getdns_list *trust_anchors,
     time_t now, uint32_t skew)
 {
 	uint8_t to_val_buf[4096], *to_val,
@@ -3702,7 +3704,7 @@ getdns_validate_dnssec2(getdns_list *records_to_validate,
 	       tas_len = sizeof(tas_buf);
 
 	int r = GETDNS_RETURN_MEMORY_ERROR;
-	struct mem_funcs *mf;
+	const struct mem_funcs *mf;
 
 	size_t i;
 	getdns_dict *reply;
@@ -3783,9 +3785,9 @@ exit_free_support:
 
 
 getdns_return_t
-getdns_validate_dnssec(getdns_list *records_to_validate,
-    getdns_list *support_records,
-    getdns_list *trust_anchors)
+getdns_validate_dnssec(const getdns_list *records_to_validate,
+    const getdns_list *support_records,
+    const getdns_list *trust_anchors)
 {
 	return getdns_validate_dnssec2(records_to_validate, support_records,
 	    trust_anchors, time(NULL), 0);
diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in
index aa7ae128..b3ef64e1 100644
--- a/src/getdns/getdns.h.in
+++ b/src/getdns/getdns.h.in
@@ -743,7 +743,7 @@ getdns_list *getdns_list_create();
  *                used to create and initialize the list.
  * @return pointer to an allocated list, NULL if insufficient memory
  */
-getdns_list *getdns_list_create_with_context(getdns_context *context);
+getdns_list *getdns_list_create_with_context(const getdns_context *context);
 
 /**
  * create a new list with no items, creating and initializing it with the
@@ -863,7 +863,7 @@ getdns_dict *getdns_dict_create();
  *                used to create and initialize the dict.
  * @return pointer to an allocated dict, NULL if insufficient memory
  */
-getdns_dict *getdns_dict_create_with_context(getdns_context *context);
+getdns_dict *getdns_dict_create_with_context(const getdns_context *context);
 
 /**
  * create a new dict with no items, creating and initializing it with the
@@ -1032,7 +1032,7 @@ getdns_general(getdns_context *context,
     uint16_t request_type,
     const getdns_dict *extensions,
     void *userarg,
-    getdns_transaction_t * transaction_id, getdns_callback_t callbackfn);
+    getdns_transaction_t *transaction_id, getdns_callback_t callbackfn);
 
 /**
  * retrieve address assigned to a DNS name
@@ -1050,7 +1050,7 @@ getdns_address(getdns_context *context,
     const char *name,
     const getdns_dict *extensions,
     void *userarg,
-    getdns_transaction_t * transaction_id, getdns_callback_t callbackfn);
+    getdns_transaction_t *transaction_id, getdns_callback_t callbackfn);
 
 /**
  * retrieve hostname assigned to an IP address
@@ -1068,7 +1068,7 @@ getdns_hostname(getdns_context *context,
     const getdns_dict *address,
     const getdns_dict *extensions,
     void *userarg,
-    getdns_transaction_t * transaction_id, getdns_callback_t callbackfn);
+    getdns_transaction_t *transaction_id, getdns_callback_t callbackfn);
 
 /**
  * retrieve a service assigned to a DNS name
@@ -1086,7 +1086,7 @@ getdns_service(getdns_context *context,
     const char *name,
     const getdns_dict *extensions,
     void *userarg,
-    getdns_transaction_t * transaction_id, getdns_callback_t callbackfn);
+    getdns_transaction_t *transaction_id, getdns_callback_t callbackfn);
 /** @}
  */
 
@@ -1341,9 +1341,8 @@ char *getdns_convert_alabel_to_ulabel(const char *alabel);
  * depending on the validation status.
  */
 getdns_return_t
-getdns_validate_dnssec(getdns_list *to_validate,
-    getdns_list *support_records,
-    getdns_list *trust_anchors);
+getdns_validate_dnssec(const getdns_list *to_validate,
+    const getdns_list *support_records, const getdns_list *trust_anchors);
 
 /**
  * Get the default list of trust anchor records that is used by the library
@@ -1816,7 +1815,7 @@ getdns_context_set_extended_memory_functions(getdns_context *context,
  *         object with getdns_dict_destroy.
  */
 getdns_dict*
-getdns_context_get_api_information(getdns_context* context);
+getdns_context_get_api_information(const getdns_context *context);
 
 /** @}
  */
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 9b81f6c3..279abce0 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -361,7 +361,7 @@ struct getdns_eventloop_vmt {
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or eventloop were NULL.
  */
 getdns_return_t
-getdns_context_set_eventloop(getdns_context* context,
+getdns_context_set_eventloop(getdns_context *context,
     getdns_eventloop *eventloop);
 
 /**
@@ -377,7 +377,7 @@ getdns_context_set_eventloop(getdns_context* context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or evenloop were NULL
  */
 getdns_return_t
-getdns_context_get_eventloop(getdns_context* context,
+getdns_context_get_eventloop(const getdns_context *context,
     getdns_eventloop **eventloop);
 
 /**
@@ -850,7 +850,7 @@ getdns_context_set_tls_min_version(
  */
 getdns_return_t
 getdns_context_get_tls_min_version(
-    getdns_context *context, getdns_tls_version_t *min_version);
+    const getdns_context *context, getdns_tls_version_t *min_version);
 
 /**
  * Configure context for maximum supported TLS version.
@@ -880,7 +880,7 @@ getdns_context_set_tls_max_version(
  */
 getdns_return_t
 getdns_context_get_tls_max_version(
-    getdns_context *context, getdns_tls_version_t *max_version);
+    const getdns_context *context, getdns_tls_version_t *max_version);
 
 /**
  * Get the current resolution type setting from this context.
@@ -893,8 +893,8 @@ getdns_context_get_tls_max_version(
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_resolution_type(getdns_context *context,
-    getdns_resolution_t* value);
+getdns_context_get_resolution_type(const getdns_context *context,
+    getdns_resolution_t *value);
 
 /**
  * Get a copy of the namespaces list setting from this context.
@@ -908,8 +908,8 @@ getdns_context_get_resolution_type(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when any of the arguments was NULL.
  */
 getdns_return_t
-getdns_context_get_namespaces(getdns_context *context,
-    size_t* namespace_count, getdns_namespace_t **namespaces);
+getdns_context_get_namespaces(const getdns_context *context,
+    size_t *namespace_count, getdns_namespace_t **namespaces);
 
 /**
  * Get what transports are used for DNS lookups.
@@ -922,8 +922,8 @@ getdns_context_get_namespaces(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when any of the arguments was NULL.
  */
 getdns_return_t
-getdns_context_get_dns_transport(getdns_context *context,
-    getdns_transport_t* value);
+getdns_context_get_dns_transport(const getdns_context *context,
+    getdns_transport_t *value);
 
 /**
  * Get a copy of the transports list setting from this context.
@@ -938,8 +938,8 @@ getdns_context_get_dns_transport(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when any of the arguments was NULL.
  */
 getdns_return_t
-getdns_context_get_dns_transport_list(getdns_context *context,
-    size_t* transport_count, getdns_transport_list_t **transports);
+getdns_context_get_dns_transport_list(const getdns_context *context,
+    size_t *transport_count, getdns_transport_list_t **transports);
 
 /**
  * Get the current limit for outstanding queries setting from this context.
@@ -950,8 +950,8 @@ getdns_context_get_dns_transport_list(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or limit was NULL.
  */
 getdns_return_t
-getdns_context_get_limit_outstanding_queries(getdns_context *context,
-    uint16_t* limit);
+getdns_context_get_limit_outstanding_queries(const getdns_context *context,
+    uint16_t *limit);
 
 /**
  * Get the current number of milliseconds the API will wait for request
@@ -964,7 +964,7 @@ getdns_context_get_limit_outstanding_queries(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or limit was NULL.
  */
 getdns_return_t
-getdns_context_get_timeout(getdns_context *context, uint64_t* timeout);
+getdns_context_get_timeout(const getdns_context *context, uint64_t *timeout);
 
 /**
  * Get the current number of milliseconds the API will leave an idle TCP or TLS
@@ -978,7 +978,8 @@ getdns_context_get_timeout(getdns_context *context, uint64_t* timeout);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or timeout was NULL.
  */
 getdns_return_t
-getdns_context_get_idle_timeout(getdns_context *context, uint64_t* timeout);
+getdns_context_get_idle_timeout(
+    const getdns_context *context, uint64_t *timeout);
 
 /**
  * Get the setting that says whether or not DNS queries follow redirects.
@@ -990,8 +991,8 @@ getdns_context_get_idle_timeout(getdns_context *context, uint64_t* timeout);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_follow_redirects(getdns_context *context,
-    getdns_redirects_t* value);
+getdns_context_get_follow_redirects(const getdns_context *context,
+    getdns_redirects_t *value);
 
 /**
  * Get a copy of the list of addresses in use for looking up top-level domains
@@ -1008,7 +1009,7 @@ getdns_context_get_follow_redirects(getdns_context *context,
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_context_get_dns_root_servers(getdns_context *context,
+getdns_context_get_dns_root_servers(const getdns_context *context,
     getdns_list **addresses);
 
 /**
@@ -1026,8 +1027,8 @@ getdns_context_get_dns_root_servers(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_append_name(getdns_context *context,
-    getdns_append_name_t* value);
+getdns_context_get_append_name(const getdns_context *context,
+    getdns_append_name_t *value);
 
 /**
  * Get a copy of the list of suffixes to be appended based on the value off the 
@@ -1043,7 +1044,7 @@ getdns_context_get_append_name(getdns_context *context,
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_context_get_suffix(getdns_context *context, getdns_list **value);
+getdns_context_get_suffix(const getdns_context *context, getdns_list **value);
 
 /**
  * Get a copy of the list of DNSSEC trust anchors in use by context.
@@ -1058,7 +1059,7 @@ getdns_context_get_suffix(getdns_context *context, getdns_list **value);
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_context_get_dnssec_trust_anchors(getdns_context *context,
+getdns_context_get_dnssec_trust_anchors(const getdns_context *context,
     getdns_list **value);
 
 /**
@@ -1072,8 +1073,8 @@ getdns_context_get_dnssec_trust_anchors(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_dnssec_allowed_skew(getdns_context *context,
-    uint32_t* value);
+getdns_context_get_dnssec_allowed_skew(const getdns_context *context,
+    uint32_t *value);
 
 /**
  * Get a copy of the list of upstream that will be targeted in stub resolution
@@ -1089,7 +1090,7 @@ getdns_context_get_dnssec_allowed_skew(getdns_context *context,
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_context_get_upstream_recursive_servers(getdns_context *context,
+getdns_context_get_upstream_recursive_servers(const getdns_context *context,
     getdns_list **upstream_list);
 
 /**
@@ -1104,8 +1105,8 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_maximum_udp_payload_size(getdns_context *context,
-    uint16_t* value);
+getdns_context_get_edns_maximum_udp_payload_size(const getdns_context *context,
+    uint16_t *value);
 
 /**
  * Get the rcode advertised in an EDNS0 OPT record setting from context
@@ -1116,8 +1117,8 @@ getdns_context_get_edns_maximum_udp_payload_size(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_extended_rcode(getdns_context *context,
-    uint8_t* value);
+getdns_context_get_edns_extended_rcode(const getdns_context *context,
+    uint8_t *value);
 
 /**
  * Get the version advertised in an EDNS0 OPT record setting from context
@@ -1128,7 +1129,7 @@ getdns_context_get_edns_extended_rcode(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_version(getdns_context *context, uint8_t* value);
+getdns_context_get_edns_version(const getdns_context *context, uint8_t *value);
 
 /**
  * Get the DO bit advertised in an EDNS0 OPT record setting from context
@@ -1140,7 +1141,7 @@ getdns_context_get_edns_version(getdns_context *context, uint8_t* value);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_do_bit(getdns_context *context, uint8_t* value);
+getdns_context_get_edns_do_bit(const getdns_context *context, uint8_t *value);
 
 /**
  * Get whether queries with this context will have the EDNS Client Subnet 
@@ -1153,7 +1154,8 @@ getdns_context_get_edns_do_bit(getdns_context *context, uint8_t* value);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_client_subnet_private(getdns_context *context, uint8_t* value);
+getdns_context_get_edns_client_subnet_private(const getdns_context *context,
+    uint8_t *value);
 
 /**
  * Get the blocksize that will be used to pad outgoing queries over TLS.
@@ -1165,7 +1167,8 @@ getdns_context_get_edns_client_subnet_private(getdns_context *context, uint8_t*
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_query_padding_blocksize(getdns_context *context, uint16_t* value);
+getdns_context_get_tls_query_padding_blocksize(
+    const getdns_context *context, uint16_t *value);
 
 /**
  * Get whether the upstream needs to be authenticated with DNS over TLS.
@@ -1183,8 +1186,8 @@ getdns_context_get_tls_query_padding_blocksize(getdns_context *context, uint16_t
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_authentication(getdns_context *context,
-    getdns_tls_authentication_t* value);
+getdns_context_get_tls_authentication(const getdns_context *context,
+    getdns_tls_authentication_t *value);
 
 /**
  * Get whether the context is configured to round robin queries over the available
@@ -1196,8 +1199,8 @@ getdns_context_get_tls_authentication(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_round_robin_upstreams(getdns_context *context,
-    uint8_t* value);
+getdns_context_get_round_robin_upstreams(const getdns_context *context,
+    uint8_t *value);
 
 /**
  * Get the amount of seconds a TLS connection should not be tried with
@@ -1211,8 +1214,8 @@ getdns_context_get_round_robin_upstreams(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_backoff_time(getdns_context *context,
-    uint16_t* value);
+getdns_context_get_tls_backoff_time(const getdns_context *context,
+    uint16_t *value);
 
 /**
  * Get the number of times getdns retries to setup DNS over TLS with a
@@ -1226,8 +1229,8 @@ getdns_context_get_tls_backoff_time(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_connection_retries(getdns_context *context,
-    uint16_t* value);
+getdns_context_get_tls_connection_retries(const getdns_context *context,
+    uint16_t *value);
 
 /**
  * Get the currently registered callback function and user defined argument
@@ -1244,7 +1247,8 @@ getdns_context_get_tls_connection_retries(getdns_context *context,
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
-getdns_context_get_update_callback(getdns_context *context, void **userarg,
+getdns_context_get_update_callback(const getdns_context *context,
+    void **userarg,
     void (**value) (getdns_context *, getdns_context_code_t, void *));
 
 
@@ -1298,7 +1302,7 @@ getdns_context_get_update_callback(getdns_context *context, void **userarg,
  */
 getdns_return_t
 getdns_context_get_trust_anchors_url(
-    getdns_context *context, const char **url);
+    const getdns_context *context, const char **url);
 
 /**
  * Gets the public certificate for the Certificate Authority with which to
@@ -1317,7 +1321,7 @@ getdns_context_get_trust_anchors_url(
  */
 getdns_return_t
 getdns_context_get_trust_anchors_verify_CA(
-    getdns_context *context, const char **verify_CA);
+    const getdns_context *context, const char **verify_CA);
 
 /**
  * Gets the email address for the Subject of the signer's certificate from the
@@ -1334,7 +1338,7 @@ getdns_context_get_trust_anchors_verify_CA(
  */
 getdns_return_t
 getdns_context_get_trust_anchors_verify_email(
-    getdns_context *context, const char **verify_email);
+    const getdns_context *context, const char **verify_email);
 
 /**
  * Get the amount of milliseconds the trust anchors will not be tried to be
@@ -1348,7 +1352,7 @@ getdns_context_get_trust_anchors_verify_email(
  */
 getdns_return_t
 getdns_context_get_trust_anchors_backoff_time(
-    getdns_context *context, uint64_t *value);
+    const getdns_context *context, uint64_t *value);
 
 /**
  * Get the value with which the context's upstream recursive servers
@@ -1361,7 +1365,8 @@ getdns_context_get_trust_anchors_backoff_time(
  * @return GETDNS_RETURN_GOOD when successful and error code otherwise.
  */
 getdns_return_t
-getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf);
+getdns_context_get_resolvconf(
+    const getdns_context *context, const char **resolvconf);
 
 /**
  * Get the value with which the context's GETDNS_NAMESPACE_LOCALNAMES namespace 
@@ -1374,7 +1379,8 @@ getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf);
  * @return GETDNS_RETURN_GOOD when successful and error code otherwise.
  */
 getdns_return_t
-getdns_context_get_hosts(getdns_context *context, const char **hosts);
+getdns_context_get_hosts(
+    const getdns_context *context, const char **hosts);
 
 /**
  * Get the location of the directory for CA certificates for verification
@@ -1388,7 +1394,8 @@ getdns_context_get_hosts(getdns_context *context, const char **hosts);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path);
+getdns_context_get_tls_ca_path(
+    const getdns_context *context, const char **tls_ca_path);
 
 /**
  * Get the file location with CA certificates for verification purposes.
@@ -1401,7 +1408,8 @@ getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file);
+getdns_context_get_tls_ca_file(
+    const getdns_context *context, const char **tls_ca_file);
 
 /**
  * Get the list of available ciphers for authenticated TLS upstreams.
@@ -1413,7 +1421,7 @@ getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file
  */
 getdns_return_t
 getdns_context_get_tls_cipher_list(
-    getdns_context *context, const char **cipher_list);
+    const getdns_context *context, const char **cipher_list);
 
 /**
  * Get the configured available TLS1.3 ciphersuited for authenticated TLS 
@@ -1426,7 +1434,7 @@ getdns_context_get_tls_cipher_list(
  */
 getdns_return_t
 getdns_context_get_tls_ciphersuites(
-    getdns_context *context, const char **ciphersuites);
+    const getdns_context *context, const char **ciphersuites);
 
 /**
  * Get the supported curves list if one has been set earlier.
@@ -1441,7 +1449,7 @@ getdns_context_get_tls_ciphersuites(
  */
 getdns_return_t
 getdns_context_get_tls_curves_list(
-    getdns_context *context, const char **curves_list);
+    const getdns_context *context, const char **curves_list);
 
 /** @}
  */
@@ -1529,7 +1537,8 @@ const char *getdns_get_errorstr_by_id(uint16_t err);
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_dict_util_set_string(getdns_dict *dict, char *name, const char *value);
+getdns_dict_util_set_string(
+    getdns_dict *dict, const char *name, const char *value);
 
 /**
  * Get the string associated with the speicifed name.  The string should not
@@ -1542,7 +1551,8 @@ getdns_dict_util_set_string(getdns_dict *dict, char *name, const char *value);
  * @return GETDNS_RETURN_NO_SUCH_DICT_NAME if dict is invalid or name does not exist
  */
 getdns_return_t
-getdns_dict_util_get_string(getdns_dict * dict, char *name, char **result);
+getdns_dict_util_get_string(
+    const getdns_dict * dict, const char *name, char **result);
 
 /** @}
  */
@@ -1583,9 +1593,9 @@ getdns_dict_util_get_string(getdns_dict * dict, char *name, char **result);
  *         return code.
  */
 getdns_return_t
-getdns_validate_dnssec2(getdns_list *to_validate,
-    getdns_list *support_records,
-    getdns_list *trust_anchors,
+getdns_validate_dnssec2(const getdns_list *to_validate,
+    const getdns_list *support_records,
+    const getdns_list *trust_anchors,
     time_t validation_time, uint32_t skew);
 
 
@@ -1628,9 +1638,9 @@ getdns_validate_dnssec2(getdns_list *to_validate,
  * @param str the pinning string to parse
  * @return a dict created from ctx, or  NULL if the string did not match. 
  */
-getdns_dict* getdns_pubkey_pin_create_from_string(
-	getdns_context* context,
-	const char* str);
+getdns_dict *getdns_pubkey_pin_create_from_string(
+	const getdns_context *context,
+	const char *str);
 
 
 /**
@@ -1647,8 +1657,8 @@ getdns_dict* getdns_pubkey_pin_create_from_string(
  * @return GETDNS_RETURN_GOOD if the pinset passes the sanity check.
  */ 
 getdns_return_t getdns_pubkey_pinset_sanity_check(
-	const getdns_list* pinset,
-	getdns_list* errorlist);
+	const getdns_list *pinset,
+	getdns_list *errorlist);
 
 /** @}
  */
@@ -2296,7 +2306,7 @@ getdns_context_set_listen_addresses(
  */
 getdns_return_t
 getdns_reply(getdns_context *context,
-    getdns_dict *reply, getdns_transaction_t request_id);
+    const getdns_dict *reply, getdns_transaction_t request_id);
 
 
 /** @}
@@ -2320,7 +2330,7 @@ getdns_return_t getdns_strerror(getdns_return_t err, char *buf, size_t buflen);
  * WARNING! Do not use this function.  This function will be removed in
  * future versions of getdns.
  */
-getdns_return_t getdns_context_process_async(getdns_context* context);
+getdns_return_t getdns_context_process_async(getdns_context *context);
 
 /**
  * Return the number of pending requests and the point of time of the next
@@ -2328,8 +2338,8 @@ getdns_return_t getdns_context_process_async(getdns_context* context);
  * WARNING! Do not use this function.  This function will be removed in
  * future versions of getdns.
  */
-uint32_t getdns_context_get_num_pending_requests(getdns_context* context,
-    struct timeval* next_timeout);
+uint32_t getdns_context_get_num_pending_requests(const getdns_context *context,
+    struct timeval *next_timeout);
 
 /**
  * Detach the eventloop from the context.  Resets the context with the default
@@ -2354,7 +2364,7 @@ getdns_context_detach_eventloop(getdns_context *context);
  * @return GETDNS_RETURN_GOOD on success
  * @return GETDNS_RETURN_INVALID_PARAMETER if context is NULL
  */
-getdns_return_t getdns_context_set_use_threads(getdns_context* context,
+getdns_return_t getdns_context_set_use_threads(getdns_context *context,
     int use_threads);
 
 /** @}
diff --git a/src/list.c b/src/list.c
index c7bd476b..555a847f 100644
--- a/src/list.c
+++ b/src/list.c
@@ -418,7 +418,7 @@ getdns_list_create_with_memory_functions(void *(*malloc)(size_t),
 
 /*-------------------------- getdns_list_create_with_context */
 struct getdns_list *
-getdns_list_create_with_context(struct getdns_context *context)
+getdns_list_create_with_context(const getdns_context *context)
 {
 	if (context)
 		return getdns_list_create_with_extended_memory_functions(
diff --git a/src/pubkey-pinning.c b/src/pubkey-pinning.c
index 9edcb71b..e7aae2f7 100644
--- a/src/pubkey-pinning.c
+++ b/src/pubkey-pinning.c
@@ -93,16 +93,15 @@ static const getdns_bindata sha256 = {
    It is the caller's responsibility to call getdns_dict_destroy when
    it is no longer needed.
  */
-getdns_dict* getdns_pubkey_pin_create_from_string(
-	getdns_context* context,
-	const char* str)
+getdns_dict *getdns_pubkey_pin_create_from_string(
+   const getdns_context *context, const char *str)
 {
 	BIO *bio = NULL;
 	size_t i;
 	uint8_t buf[SHA256_DIGEST_LENGTH];
 	char inbuf[B64_ENCODED_SHA256_LENGTH + 1];
 	getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf };
-	getdns_dict* out = NULL;
+	getdns_dict *out = NULL;
 	
 	/* we only do sha256 right now, make sure this is well-formed */
 	if (!str || strncmp(PIN_PREFIX, str, PIN_PREFIX_LENGTH))
@@ -271,7 +270,7 @@ _getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list,
 }
 
 getdns_return_t
-_getdns_get_pubkey_pinset_list(getdns_context *ctx,
+_getdns_get_pubkey_pinset_list(const getdns_context *ctx,
 			       const sha256_pin_t *pinset_in,
 			       getdns_list **pinset_list)
 {
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 8a09b2f3..a17ecb61 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -44,7 +44,7 @@ _getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list,
 
 /* create a getdns_list version of the pinset */
 getdns_return_t
-_getdns_get_pubkey_pinset_list(getdns_context *ctx,
+_getdns_get_pubkey_pinset_list(const getdns_context *ctx,
 			       const sha256_pin_t *pinset_in,
 			       getdns_list **pinset_list);
 
diff --git a/src/server.c b/src/server.c
index a6d4008e..3736a6f2 100644
--- a/src/server.c
+++ b/src/server.c
@@ -287,8 +287,8 @@ _getdns_cancel_reply(getdns_context *context, connection *conn)
 }
 
 getdns_return_t
-getdns_reply(
-    getdns_context *context, getdns_dict *reply, getdns_transaction_t request_id)
+getdns_reply(getdns_context *context,
+    const getdns_dict *reply, getdns_transaction_t request_id)
 {
 	/* TODO: Check request_id at context->outbound_requests */
 	connection *conn = (connection *)(intptr_t)request_id;
diff --git a/src/util-internal.c b/src/util-internal.c
index 0eaf3435..45fd2fda 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -54,7 +54,8 @@
 
 
 getdns_return_t
-getdns_dict_util_get_string(getdns_dict * dict, char *name, char **result)
+getdns_dict_util_get_string(const getdns_dict *dict,
+    const char *name, char **result)
 {
 	struct getdns_bindata *bindata = NULL;
 	if (!result) {
@@ -1454,7 +1455,7 @@ _getdns_validate_dname(const char* dname) {
 } /* _getdns_validate_dname */
 
 
-static void _getdns_reply2wire_buf(gldns_buffer *buf, getdns_dict *reply)
+static void _getdns_reply2wire_buf(gldns_buffer *buf, const getdns_dict *reply)
 {
 	getdns_dict *rr_dict, *q_dict, *h_dict;
 	getdns_list *section;
@@ -1510,7 +1511,7 @@ static void _getdns_reply2wire_buf(gldns_buffer *buf, getdns_dict *reply)
 	}
 }
 
-static void _getdns_list2wire_buf(gldns_buffer *buf, getdns_list *l)
+static void _getdns_list2wire_buf(gldns_buffer *buf, const getdns_list *l)
 {
 	getdns_dict *rr_dict;
 	size_t i, pkt_start;
@@ -1548,8 +1549,8 @@ static void _getdns_list2wire_buf(gldns_buffer *buf, getdns_list *l)
 	gldns_buffer_write_u16_at(buf, pkt_start+GLDNS_ANCOUNT_OFF, ancount);
 }
 
-uint8_t *_getdns_list2wire(
-    getdns_list *l, uint8_t *buf, size_t *buf_len, struct mem_funcs *mf)
+uint8_t *_getdns_list2wire(const getdns_list *l,
+    uint8_t *buf, size_t *buf_len, const struct mem_funcs *mf)
 {
 	gldns_buffer gbuf;
 	size_t sz;
@@ -1569,8 +1570,8 @@ uint8_t *_getdns_list2wire(
 	return buf;
 }
 
-uint8_t *_getdns_reply2wire(
-    getdns_dict *r, uint8_t *buf, size_t *buf_len, struct mem_funcs *mf)
+uint8_t *_getdns_reply2wire(const getdns_dict *r,
+    uint8_t *buf, size_t *buf_len, const struct mem_funcs *mf)
 {
 	gldns_buffer gbuf;
 	size_t sz;
@@ -1590,7 +1591,7 @@ uint8_t *_getdns_reply2wire(
 	return buf;
 }
 
-void _getdns_wire2list(uint8_t *pkt, size_t pkt_len, getdns_list *l)
+void _getdns_wire2list(const uint8_t *pkt, size_t pkt_len, getdns_list *l)
 {
 	_getdns_rr_iter rr_spc, *rr;
 	getdns_dict *rr_dict;
diff --git a/src/util-internal.h b/src/util-internal.h
index 4d5fbf56..d512a9d2 100644
--- a/src/util-internal.h
+++ b/src/util-internal.h
@@ -147,17 +147,18 @@ _getdns_rr_iter2rr_dict_canonical(
     struct mem_funcs *mf, _getdns_rr_iter *i, uint32_t *orig_ttl);
 
 struct getdns_dns_req;
-struct getdns_dict *_getdns_create_getdns_response(struct getdns_dns_req *completed_request);
+struct getdns_dict *_getdns_create_getdns_response(
+    struct getdns_dns_req *completed_request);
 
 getdns_return_t _getdns_validate_dname(const char* dname);
 
-uint8_t *_getdns_list2wire(
-    getdns_list *l, uint8_t *buf, size_t *buf_len, struct mem_funcs *mf);
+uint8_t *_getdns_list2wire(const getdns_list *l,
+    uint8_t *buf, size_t *buf_len, const struct mem_funcs *mf);
 
-uint8_t *_getdns_reply2wire(
-    getdns_dict *r, uint8_t *buf, size_t *buf_len, struct mem_funcs *mf);
+uint8_t *_getdns_reply2wire(const getdns_dict *r,
+    uint8_t *buf, size_t *buf_len, const struct mem_funcs *mf);
 
-void _getdns_wire2list(uint8_t *pkt, size_t pkt_len, getdns_list *l);
+void _getdns_wire2list(const uint8_t *pkt, size_t pkt_len, getdns_list *l);
 
 
 /**

From fee864c25cc8537803796daeb14b9b36a9ebf59b Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 7 Dec 2018 12:38:17 +0000
Subject: [PATCH 212/303] Implement setting cipher/curve lists.

Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
---
 src/context.c             |  10 +---
 src/gnutls/tls-internal.h |   6 ++
 src/gnutls/tls.c          | 116 ++++++++++++++++++++++++++++++++++----
 src/openssl/tls.c         |  16 ++++++
 src/stub.c                |   2 +-
 src/tls.h                 |  13 +++--
 6 files changed, 139 insertions(+), 24 deletions(-)

diff --git a/src/context.c b/src/context.c
index ddda54de..6e919114 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1343,10 +1343,6 @@ static char const * const _getdns_default_trust_anchors_verify_CA =
 static char const * const _getdns_default_trust_anchors_verify_email =
     "dnssec@iana.org";
 
-static char const * const _getdns_default_tls_cipher_list = 
-	"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
-	"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
-
 /*
  * getdns_context_create
  *
@@ -3556,9 +3552,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			}
 			/* Be strict and only use the cipher suites recommended in RFC7525
 			   Unless we later fallback to opportunistic. */
-			if (_getdns_tls_context_set_cipher_list(context->tls_ctx,
-			    context->tls_cipher_list ? context->tls_cipher_list
-			                             : _getdns_default_tls_cipher_list))
+			if (_getdns_tls_context_set_cipher_list(context->tls_ctx, context->tls_cipher_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
 
 			if (context->tls_curves_list &&
@@ -5277,7 +5271,7 @@ getdns_context_get_tls_cipher_list(
 
 	*tls_cipher_list = context->tls_cipher_list
 	                 ? context->tls_cipher_list
-	                 : _getdns_default_tls_cipher_list;
+		         : _getdns_tls_context_default_cipher_list;
 	return GETDNS_RETURN_GOOD;
 }
 
diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index 15115b4d..d9ac1974 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -54,6 +54,9 @@
 
 
 typedef struct _getdns_tls_context {
+	struct mem_funcs* mfs;
+	char* cipher_list;
+	char* curve_list;
 	bool min_proto_1_2;
 } _getdns_tls_context;
 
@@ -62,6 +65,9 @@ typedef struct _getdns_tls_connection {
 	gnutls_certificate_credentials_t cred;
 	int shutdown;
 	_getdns_tls_context* ctx;
+	struct mem_funcs* mfs;
+	char* cipher_list;
+	char* curve_list;
 } _getdns_tls_connection;
 
 typedef struct _getdns_tls_session {
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 5a2b6c94..a60dcddf 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -40,6 +40,75 @@
 
 #include "tls.h"
 
+/*
+ * Cipher suites recommended in RFC7525.
+ *
+ * The GnuTLS 3.5.19 being used for this proof of concept doesn't have
+ * TLS 1.3 support, as in the OpenSSL equivalent. Fall back for now to
+ * a known working priority string.
+ */
+char const * const _getdns_tls_context_default_cipher_list =
+	"SECURE192:-VERS-ALL:+VERS-TLS1.2";
+
+static char const * const _getdns_tls_connection_opportunistic_cipher_list =
+	"NORMAL";
+
+static char* getdns_strdup(struct mem_funcs* mfs, const char* s)
+{
+	char* res;
+
+	if (!s)
+		return NULL;
+
+	res = GETDNS_XMALLOC(*mfs, char, strlen(s) + 1);
+	if (!res)
+		return NULL;
+	strcpy(res, s);
+	return res;
+}
+
+static char* getdns_priappend(struct mem_funcs* mfs, char* s1, const char* s2)
+{
+	char* res;
+
+	if (!s1)
+		return getdns_strdup(mfs, s2);
+	if (!s2)
+		return s1;
+
+	res = GETDNS_XMALLOC(*mfs, char, strlen(s1) + strlen(s2) + 2);
+	if (!res)
+		return NULL;
+	strcpy(res, s1);
+	strcat(res, ":");
+	strcat(res, s2);
+	GETDNS_FREE(*mfs, s1);
+	return res;
+}
+
+static int set_connection_ciphers(_getdns_tls_connection* conn)
+{
+	char* pri = NULL;
+	int res;
+
+	if (conn->cipher_list)
+		pri = getdns_priappend(conn->mfs, pri, conn->cipher_list);
+	else if (conn->ctx->cipher_list)
+		pri = getdns_priappend(conn->mfs, pri, conn->ctx->cipher_list);
+
+	if (conn->curve_list)
+		pri = getdns_priappend(conn->mfs, pri, conn->curve_list);
+	else if (conn->ctx->curve_list)
+		pri = getdns_priappend(conn->mfs, pri, conn->ctx->curve_list);
+
+	if (pri)
+		res = gnutls_priority_set_direct(conn->tls, pri, NULL);
+	else
+		res = gnutls_set_default_priority(conn->tls);
+	GETDNS_FREE(*conn->mfs, pri);
+	return res;
+}
+
 static getdns_return_t error_may_want_read_write(_getdns_tls_connection* conn, int err)
 {
 	switch (err) {
@@ -95,7 +164,9 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
 	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context)))
 		return NULL;
 
+	res->mfs = mfs;
 	res->min_proto_1_2 = false;
+	res->cipher_list = res->curve_list = NULL;
 	return res;
 }
 
@@ -103,6 +174,8 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont
 {
 	if (!ctx)
 		return GETDNS_RETURN_INVALID_PARAMETER;
+	GETDNS_FREE(*mfs, ctx->curve_list);
+	GETDNS_FREE(*mfs, ctx->cipher_list);
 	GETDNS_FREE(*mfs, ctx);
 	return GETDNS_RETURN_GOOD;
 }
@@ -122,19 +195,24 @@ getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
 
 getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list)
 {
-	(void) list;
-
 	if (!ctx)
 		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (!list)
+		list = _getdns_tls_context_default_cipher_list;
+
+	GETDNS_FREE(*ctx->mfs, ctx->cipher_list);
+	ctx->cipher_list = getdns_strdup(ctx->mfs, list);
 	return GETDNS_RETURN_GOOD;
 }
 
 getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list)
 {
-	(void) list;
-
 	if (!ctx)
 		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	GETDNS_FREE(*ctx->mfs, ctx->curve_list);
+	ctx->curve_list = getdns_strdup(ctx->mfs, list);
 	return GETDNS_RETURN_GOOD;
 }
 
@@ -161,6 +239,9 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 
 	res->shutdown = 0;
 	res->ctx = ctx;
+	res->mfs = mfs;
+	res->cipher_list = NULL;
+	res->curve_list = NULL;
 
 	r = gnutls_certificate_allocate_credentials(&res->cred);
 	if (r == GNUTLS_E_SUCCESS)
@@ -168,7 +249,7 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 	if (r == GNUTLS_E_SUCCESS)
 		r = gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK);
 	if (r == GNUTLS_E_SUCCESS)
-		r = gnutls_set_default_priority(res->tls);
+		r = set_connection_ciphers(res);
 	if (r == GNUTLS_E_SUCCESS)
 		r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred);
 	if (r != GNUTLS_E_SUCCESS) {
@@ -187,6 +268,8 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c
 
 	gnutls_deinit(conn->tls);
 	gnutls_certificate_free_credentials(conn->cred);
+	GETDNS_FREE(*mfs, conn->curve_list);
+	GETDNS_FREE(*mfs, conn->cipher_list);
 	GETDNS_FREE(*mfs, conn);
 	return GETDNS_RETURN_GOOD;
 }
@@ -209,20 +292,31 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn)
 
 getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list)
 {
-	(void) list;
-
 	if (!conn || !conn->tls)
 		return GETDNS_RETURN_INVALID_PARAMETER;
-	return GETDNS_RETURN_GOOD;
+
+	if (!list)
+		list = _getdns_tls_connection_opportunistic_cipher_list;
+
+	GETDNS_FREE(*conn->mfs, conn->cipher_list);
+	conn->cipher_list = getdns_strdup(conn->mfs, list);
+	if (set_connection_ciphers(conn) == GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GOOD;
+	else
+		return GETDNS_RETURN_GENERIC_ERROR;
 }
 
 getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list)
 {
-	(void) list;
-
 	if (!conn || !conn->tls)
 		return GETDNS_RETURN_INVALID_PARAMETER;
-	return GETDNS_RETURN_GOOD;
+
+	GETDNS_FREE(*conn->mfs, conn->curve_list);
+	conn->curve_list = getdns_strdup(conn->mfs, list);
+	if (set_connection_ciphers(conn) == GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GOOD;
+	else
+		return GETDNS_RETURN_GENERIC_ERROR;
 }
 
 getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s)
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index dcc68494..82fa0870 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -49,6 +49,14 @@
 
 #include "tls.h"
 
+/* Cipher suites recommended in RFC7525. */
+char const * const _getdns_tls_context_default_cipher_list =
+	"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
+	"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
+
+static char const * const _getdns_tls_connection_opportunistic_cipher_list =
+	"DEFAULT";
+
 static int _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
 {
 # if defined(STUB_DEBUG) && STUB_DEBUG
@@ -275,6 +283,10 @@ getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, co
 {
 	if (!ctx || !ctx->ssl)
 		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (!list)
+		list = _getdns_tls_context_default_cipher_list;
+
 	if (!SSL_CTX_set_cipher_list(ctx->ssl, list))
 		return GETDNS_RETURN_BAD_CONTEXT;
 	return GETDNS_RETURN_GOOD;
@@ -366,6 +378,10 @@ getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* c
 {
 	if (!conn || !conn->ssl)
 		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (!list)
+		list = _getdns_tls_connection_opportunistic_cipher_list;
+
 	if (!SSL_set_cipher_list(conn->ssl, list))
 		return GETDNS_RETURN_BAD_CONTEXT;
 	return GETDNS_RETURN_GOOD;
diff --git a/src/stub.c b/src/stub.c
index b6a9cdf1..7cbfe9a2 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -875,7 +875,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		}
 	}
 	if (upstream->tls_fallback_ok) {
-		_getdns_tls_connection_set_cipher_list(tls, "DEFAULT");
+		_getdns_tls_connection_set_cipher_list(tls, NULL);
 		DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__);
 	} else {
diff --git a/src/tls.h b/src/tls.h
index fe05dc52..e58d4ce3 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -94,7 +94,7 @@ getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx);
  * Set list of allowed ciphers.
  *
  * @param ctx	the context.
- * @param list 	the list of cipher identifiers.
+ * @param list 	the list of cipher identifiers. NULL for default setting.
  * @return GETDNS_RETURN_GOOD on success.
  * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer.
  * @return GETDNS_RETURN_BAD_CONTEXT on failure.
@@ -105,7 +105,7 @@ getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, co
  * Set list of allowed curves.
  *
  * @param ctx	the context.
- * @param list 	the list of curve identifiers.
+ * @param list 	the list of curve identifiers. NULL for default setting.
  * @return GETDNS_RETURN_GOOD on success.
  * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer.
  * @return GETDNS_RETURN_BAD_CONTEXT on failure.
@@ -164,7 +164,7 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn);
  * Set list of allowed ciphers on this connection.
  *
  * @param conn	the connection.
- * @param list 	the list of cipher identifiers.
+ * @param list 	the list of cipher identifiers. NULL for opportunistic setting.
  * @return GETDNS_RETURN_GOOD on success.
  * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer.
  * @return GETDNS_RETURN_BAD_CONTEXT on failure.
@@ -175,7 +175,7 @@ getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* c
  * Set list of allowed curves on this connection.
  *
  * @param conn	the connection.
- * @param list 	the list of curve identifiers.
+ * @param list 	the list of curve identifiers. NULL for default setting.
  * @return GETDNS_RETURN_GOOD on success.
  * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer.
  * @return GETDNS_RETURN_BAD_CONTEXT on failure.
@@ -407,4 +407,9 @@ void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf);
  */
 void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen);
 
+/**
+ * Default context cipher list.
+ */
+const char* const _getdns_tls_context_default_cipher_list;
+
 #endif /* _GETDNS_TLS_H */

From 1acd880f268846974e00bd457a39444e3876b0d4 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 7 Dec 2018 17:56:12 +0000
Subject: [PATCH 213/303] Correct error return value from stub.

---
 src/gnutls/pubkey-pinning-internal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gnutls/pubkey-pinning-internal.c b/src/gnutls/pubkey-pinning-internal.c
index 0d58712c..6568f52a 100644
--- a/src/gnutls/pubkey-pinning-internal.c
+++ b/src/gnutls/pubkey-pinning-internal.c
@@ -54,5 +54,5 @@ _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
 getdns_dict*
 getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str)
 {
-	return GETDNS_RETURN_GENERIC_ERROR;
+	return NULL;
 }

From ff7ffc246c1340e8420764e855286a297f949159 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 11 Dec 2018 12:46:05 +0000
Subject: [PATCH 214/303] Rename TLS Interface DANE init to pinset init. That's
 what it's actually used for.

---
 src/context.c     | 2 +-
 src/gnutls/tls.c  | 2 +-
 src/openssl/tls.c | 2 +-
 src/tls.h         | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/context.c b/src/context.c
index 6e919114..5c40f2e3 100644
--- a/src/context.c
+++ b/src/context.c
@@ -3566,7 +3566,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}
-			_getdns_tls_context_dane_init(context->tls_ctx);
+			_getdns_tls_context_pinset_init(context->tls_ctx);
 		}
 	}
 
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index a60dcddf..f0555289 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -180,7 +180,7 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont
 	return GETDNS_RETURN_GOOD;
 }
 
-void _getdns_tls_context_dane_init(_getdns_tls_context* ctx)
+void _getdns_tls_context_pinset_init(_getdns_tls_context* ctx)
 {
 	(void) ctx;
 }
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 82fa0870..111c15d0 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -253,7 +253,7 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont
 	return GETDNS_RETURN_GOOD;
 }
 
-void _getdns_tls_context_dane_init(_getdns_tls_context* ctx)
+void _getdns_tls_context_pinset_init(_getdns_tls_context* ctx)
 {
 #   if defined(STUB_DEBUG) && STUB_DEBUG
 	int osr =
diff --git a/src/tls.h b/src/tls.h
index e58d4ce3..4f65bf64 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -73,11 +73,11 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs);
 getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx);
 
 /**
- * Initialise any shared state for DANE checking.
+ * Initialise any shared state for pinset checking.
  *
  * @param ctx	the context to initialise.
  */
-void _getdns_tls_context_dane_init(_getdns_tls_context* ctx);
+void _getdns_tls_context_pinset_init(_getdns_tls_context* ctx);
 
 /**
  * Set TLS 1.2 as minimum TLS version.

From a6ab7ffe416279f114b14c7c46f0f5107fbea405 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 11 Dec 2018 15:05:09 +0100
Subject: [PATCH 215/303] ed25519 and ecdsa support with libnettle

---
 configure.ac                        | 100 ++++++++++++++++++++++++----
 src/openssl/validator/val_secalgo.h |   5 ++
 2 files changed, 93 insertions(+), 12 deletions(-)

diff --git a/configure.ac b/configure.ac
index 865e21b4..77f9b091 100644
--- a/configure.ac
+++ b/configure.ac
@@ -400,6 +400,45 @@ yes)
 	;;
 esac
 
+USE_NSS="no"
+AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+        [use libnss instead of openssl, installed at path.]),
+        [
+        USE_NSS="yes"
+        AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+        if test "$withval" != "" -a "$withval" != "yes"; then
+                CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
+                LDFLAGS="$LDFLAGS -L$withval/lib"
+                ACX_RUNTIME_PATH_ADD([$withval/lib])
+                CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+        else
+                CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
+                CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+        fi
+        LIBS="$LIBS -lnss3 -lnspr4"
+        SSLLIB=""
+        ]
+)
+
+# libnettle
+USE_NETTLE="no"
+AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
+        [use libnettle as crypto library, installed at path.]),
+        [
+        USE_NETTLE="yes"
+        AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
+        AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
+        if test "$withval" != "" -a "$withval" != "yes"; then
+                CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
+                LDFLAGS="$LDFLAGS -L$withval/lib"
+                ACX_RUNTIME_PATH_ADD([$withval/lib])
+        else
+                CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
+        fi
+        LIBS="$LIBS -lhogweed -lnettle -lgmp"
+        SSLLIB=""
+        ]
+)
 # Which TLS and crypto libs to use.
 AC_ARG_WITH([gnutls],
     [AS_HELP_STRING([--with-gnutls],
@@ -410,17 +449,25 @@ AC_ARG_WITH([gnutls],
         CFLAGS="$libgnutls_CFLAGS $CFLAGS"
         AC_SUBST([TLSDIR], 'gnutls')
         AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library])
-        AX_LIB_NETTLE(yes)
+	if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+		
+	        AX_LIB_NETTLE(yes)
+		USE_NETTLE="yes"
+		AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
+        	AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
+	fi
     ],
     [
-        ACX_WITH_SSL_OPTIONAL
+	if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+        ACX_WITH_SSL
+	fi
         ACX_LIB_SSL
         AC_SUBST([TLSDIR], 'openssl')
     ])
 
-USE_NSS="no"
+
 # openssl
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no" ; then
 AC_MSG_CHECKING([for LibreSSL])
 if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
 	AC_MSG_RESULT([yes])
@@ -431,11 +478,11 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
 else
 	AC_MSG_RESULT([no])
 fi
-AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter])
-AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list], [], [], [
+AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
+AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
@@ -594,7 +641,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
 
 AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
 use_gost="no"
-if test $USE_NSS = "no"; then
+if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 case "$enable_gost" in
 	no)
 	;;
@@ -608,7 +655,7 @@ case "$enable_gost" in
 	fi
 	;;
 esac
-fi dnl !USE_NSS
+fi dnl !USE_NSS && !USE_NETTLE
 
 AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
 use_ecdsa="no"
@@ -616,7 +663,7 @@ case "$enable_ecdsa" in
     no)
       ;;
     *)
-      if test $USE_NSS = "no"; then
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
 	      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
 	      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
 	      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
@@ -648,6 +695,7 @@ case "$enable_dsa" in
       ;;
     *) dnl default
       # detect if DSA is supported, and turn it off if not.
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
       AC_CHECK_FUNC(DSA_SIG_new, [
 	AC_CHECK_TYPE(DSA_SIG*, [
 		AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
@@ -672,6 +720,9 @@ AC_INCLUDES_DEFAULT
 ])
       ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
 	  fi ])
+      else
+      AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+      fi
       ;;
 esac
 
@@ -681,15 +732,40 @@ case "$enable_ed25519" in
     no)
       ;;
     *)
-      if test "$USE_NSS" = "no" -a "$USE_NETTLE" = "no"; then
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
               AC_CHECK_DECLS([NID_ED25519], [
-                AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
                 use_ed25519="yes"
               ], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
                 fi ], [AC_INCLUDES_DEFAULT
 #include <openssl/evp.h>
               ])
       fi
+      if test $USE_NETTLE = "yes"; then
+                AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes",, [AC_INCLUDES_DEFAULT])
+      fi
+      if test $use_ed25519 = "yes"; then
+                AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
+      fi
+      ;;
+esac
+
+AC_ARG_ENABLE(ed448, AC_HELP_STRING([--disable-ed448], [Disable ED448 support]))
+use_ed448="no"
+case "$enable_ed448" in
+    no)
+      ;;
+    *)
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+              AC_CHECK_DECLS([NID_ED448], [
+                use_ed448="yes"
+              ], [ if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED448 and you used --enable-ed448.])
+                fi ], [AC_INCLUDES_DEFAULT
+#include <openssl/evp.h>
+              ])
+      fi
+      if test $use_ed448 = "yes"; then
+                AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.])
+      fi
       ;;
 esac
 
diff --git a/src/openssl/validator/val_secalgo.h b/src/openssl/validator/val_secalgo.h
index e4e2a7a7..ef26cf34 100644
--- a/src/openssl/validator/val_secalgo.h
+++ b/src/openssl/validator/val_secalgo.h
@@ -18,6 +18,7 @@
 #define fake_sha1                       _getdns_fake_sha1
 #define fake_dsa                        _getdns_fake_dsa
 
+
 #define NSEC3_HASH_SHA1                 0x01
 
 #define LDNS_SHA1                       GLDNS_SHA1
@@ -34,6 +35,10 @@
 #define LDNS_ECDSAP256SHA256            GLDNS_ECDSAP256SHA256
 #define LDNS_ECDSAP384SHA384            GLDNS_ECDSAP384SHA384
 #define LDNS_ECC_GOST                   GLDNS_ECC_GOST
+#define LDNS_ED25519                    GLDNS_ED25519
+#define LDNS_ED448                      GLDNS_ED448
+#define sldns_ed255192pkey_raw          gldns_ed255192pkey_raw
+#define sldns_ed4482pkey_raw            gldns_ed4482pkey_raw
 #define sldns_key_EVP_load_gost_id      gldns_key_EVP_load_gost_id
 #define sldns_digest_evp                gldns_digest_evp
 #define sldns_key_buf2dsa_raw           gldns_key_buf2dsa_raw

From ab700e70fe1b9c41f141070eaaf874914a9c9a27 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 11 Dec 2018 15:13:17 +0100
Subject: [PATCH 216/303] DNS Cookies with libnettle too

---
 configure.ac | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 77f9b091..21f386e5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -791,8 +791,8 @@ case "$enable_edns_cookies" in
 	no)
 		;;
 	yes|*)
-		if test "x_$HAVE_SSL" != "x_yes"; then
-			AC_MSG_ERROR([edns cookies need openssl libcrypto which is not available, please rerun with --disable-edns-cookies])
+		if test "x_$HAVE_SSL" != "x_yes" -a $USE_NETTLE = "no"; then
+			AC_MSG_ERROR([edns cookies needs crypto library which is not available, please rerun with --disable-edns-cookies])
 		fi
 		AC_DEFINE_UNQUOTED([EDNS_COOKIES], [1], [Define this to enable the experimental edns cookies.])
 		;;

From 2c6ec5e0be8ed2bfe93241880eba34c87bf72aa2 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 11 Dec 2018 14:59:21 +0000
Subject: [PATCH 217/303] Implement setting up pinset for DANE. Verification to
 come.

---
 src/gnutls/tls-internal.h |  4 +++
 src/gnutls/tls.c          | 60 +++++++++++++++++++++++++++++++++++++--
 2 files changed, 61 insertions(+), 3 deletions(-)

diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index d9ac1974..9186184a 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -38,6 +38,7 @@
 
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
+#include <gnutls/dane.h>
 
 #include "getdns/getdns.h"
 
@@ -68,6 +69,9 @@ typedef struct _getdns_tls_connection {
 	struct mem_funcs* mfs;
 	char* cipher_list;
 	char* curve_list;
+	dane_query_t dane_query;
+	dane_state_t dane_state;
+	char* tlsa;
 } _getdns_tls_connection;
 
 typedef struct _getdns_tls_session {
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index f0555289..c4d48bd1 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -242,6 +242,8 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 	res->mfs = mfs;
 	res->cipher_list = NULL;
 	res->curve_list = NULL;
+	res->dane_query = NULL;
+	res->tlsa = NULL;
 
 	r = gnutls_certificate_allocate_credentials(&res->cred);
 	if (r == GNUTLS_E_SUCCESS)
@@ -252,7 +254,9 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 		r = set_connection_ciphers(res);
 	if (r == GNUTLS_E_SUCCESS)
 		r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred);
-	if (r != GNUTLS_E_SUCCESS) {
+	if (r == GNUTLS_E_SUCCESS)
+		r = dane_state_init(&res->dane_state, DANE_F_INSECURE | DANE_F_IGNORE_DNSSEC);
+	if (r != DANE_E_SUCCESS) {
 		_getdns_tls_connection_free(mfs, res);
 		return NULL;
 	}
@@ -266,8 +270,11 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c
 	if (!conn || !conn->tls)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
+	dane_query_deinit(conn->dane_query);
+	dane_state_deinit(conn->dane_state);
 	gnutls_deinit(conn->tls);
 	gnutls_certificate_free_credentials(conn->cred);
+	GETDNS_FREE(*mfs, conn->tlsa);
 	GETDNS_FREE(*mfs, conn->curve_list);
 	GETDNS_FREE(*mfs, conn->cipher_list);
 	GETDNS_FREE(*mfs, conn);
@@ -421,12 +428,59 @@ getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connectio
 
 getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset)
 {
-	(void) pinset;
+	int r;
 
 	if (!conn || !conn->tls || !auth_name)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	return GETDNS_RETURN_GOOD;
+	size_t tlsa_len = 0;
+	size_t npins = 0;
+	for (const sha256_pin_t* pin = pinset; pin; pin = pin->next)
+		npins++;
+	tlsa_len += (SHA256_DIGEST_LENGTH + 3) * 2;
+
+	GETDNS_FREE(*conn->mfs, conn->tlsa);
+	conn->tlsa = GETDNS_XMALLOC(*conn->mfs, char, npins * (SHA256_DIGEST_LENGTH + 3) * 2);
+	if (!conn->tlsa)
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	char** dane_data = GETDNS_XMALLOC(*conn->mfs, char*, npins * 2 + 1);
+	if (!dane_data)
+		return GETDNS_RETURN_GENERIC_ERROR;
+	int* dane_data_len = GETDNS_XMALLOC(*conn->mfs, int, npins * 2 + 1);
+	if (!dane_data_len) {
+		GETDNS_FREE(*conn->mfs, dane_data);
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+
+	char** dane_p = dane_data;
+	int* dane_len_p = dane_data_len;
+	char* p = conn->tlsa;
+	for (const sha256_pin_t* pin = pinset; pin; pin = pin->next) {
+		*dane_p++ = p;
+		*dane_len_p++ = SHA_DIGEST_LENGTH + 3;
+		p[0] = 2;
+		p[1] = 1;
+		p[2] = 1;
+		memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH);
+		p += SHA256_DIGEST_LENGTH + 3;
+
+		*dane_p++ = p;
+		*dane_len_p++ = SHA_DIGEST_LENGTH + 3;
+		p[0] = 3;
+		p[1] = 1;
+		p[2] = 1;
+		memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH);
+		p += SHA256_DIGEST_LENGTH + 3;
+	}
+	*dane_p = NULL;
+
+	dane_query_deinit(conn->dane_query);
+	r = dane_raw_tlsa(conn->dane_state, &conn->dane_query, dane_data, dane_data_len, 0, 0);
+	GETDNS_FREE(*conn->mfs, dane_data_len);
+	GETDNS_FREE(*conn->mfs, dane_data);
+
+	return (r == DANE_E_SUCCESS) ? GETDNS_RETURN_GOOD : GETDNS_RETURN_GENERIC_ERROR;
 }
 
 getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)

From aa49a935c7b37d88fd94edd59322099801b7b300 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 11 Dec 2018 17:56:14 +0000
Subject: [PATCH 218/303] Fixed error detection in certificate verification.

---
 src/stub.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index 7cbfe9a2..66de58fe 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -958,7 +958,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			const char* verify_errmsg;
 
 			if (_getdns_tls_connection_certificate_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) {
-				upstream->tls_auth_state = GETDNS_AUTH_OK;
+				upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 				if (verify_errno != 0) {
 					_getdns_upstream_log(upstream,
 					    GETDNS_LOG_UPSTREAM_STATS,
@@ -978,13 +978,14 @@ tls_do_handshake(getdns_upstream *upstream)
 					     ( upstream->tls_fallback_ok
 					       ? "Tolerated because of Opportunistic profile"
 					       : "*Failure*" ),
-					     verify_errno, verify_errmsg);
+					     verify_errmsg);
 				}
 			} else {
-			_getdns_upstream_log(upstream,
-			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
-			    "%-40s : Verify passed : TLS\n",
-			    upstream->addr_str);
+				upstream->tls_auth_state = GETDNS_AUTH_OK;
+				_getdns_upstream_log(upstream,
+						     GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
+						     "%-40s : Verify passed : TLS\n",
+						     upstream->addr_str);
 			}
 			_getdns_tls_x509_free(&upstream->upstreams->mf, peer_cert);
 		}

From bf011d929441ff406adaf7fce6a50200b26a01eb Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 11 Dec 2018 18:02:03 +0000
Subject: [PATCH 219/303] Add GnuTLS DANE library to configure detection when
 using GnuTLS.

---
 configure.ac | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 21f386e5..6fadac38 100644
--- a/configure.ac
+++ b/configure.ac
@@ -445,8 +445,9 @@ AC_ARG_WITH([gnutls],
         [use GnuTLS instead of OpenSSL])],
     [
         PKG_CHECK_MODULES([libgnutls], [gnutls >= 3.5.0])
-        LIBS="$libgnutls_LIBS $LIBS"
-        CFLAGS="$libgnutls_CFLAGS $CFLAGS"
+        PKG_CHECK_MODULES([libgnutlsdane], [gnutls-dane >= 3.5.0])
+        LIBS="$libgnutls_LIBS $libgnutlsdane_LIBS $LIBS"
+        CFLAGS="$libgnutls_CFLAGS $libgnutlsdane_CFLAGS $CFLAGS"
         AC_SUBST([TLSDIR], 'gnutls')
         AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library])
 	if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then

From 35b4969216322ca9baf03f009bc198f78c66b2a1 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 11 Dec 2018 18:03:00 +0000
Subject: [PATCH 220/303] Abstract out OpenSSL specific parts of
 getdns_pubkey_pin_create_from_string().

The only OpenSSL function is decoding Base64.
---
 src/gnutls/pubkey-pinning-internal.c  |   9 +--
 src/gnutls/tls.c                      | 110 +++++++++++++++++++++++++-
 src/openssl/pubkey-pinning-internal.c |  69 ++--------------
 src/pubkey-pinning.c                  |  62 +++++++++++++++
 src/pubkey-pinning.h                  |   4 +-
 5 files changed, 180 insertions(+), 74 deletions(-)

diff --git a/src/gnutls/pubkey-pinning-internal.c b/src/gnutls/pubkey-pinning-internal.c
index 6568f52a..2ae97bf7 100644
--- a/src/gnutls/pubkey-pinning-internal.c
+++ b/src/gnutls/pubkey-pinning-internal.c
@@ -47,12 +47,7 @@ _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
 	return GETDNS_RETURN_GOOD;
 }
 
-/**
- ** Interfaces from getdns_extra.h.
- **/
-
-getdns_dict*
-getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str)
+getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size)
 {
-	return NULL;
+	return GETDNS_RETURN_GENERIC_ERROR;
 }
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index c4d48bd1..33d0047a 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -485,12 +485,116 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 
 getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
 {
-	(void) errnum;
-	(void) errmsg;
-
 	if (!conn || !conn->tls)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
+	/* Most of the internals of dane_verify_session_crt() */
+
+	const gnutls_datum_t* cert_list;
+	unsigned int cert_list_size = 0;
+	unsigned int type;
+	int ret;
+	const gnutls_datum_t* cl;
+	gnutls_datum_t* new_cert_list = NULL;
+	int clsize;
+	unsigned int verify;
+
+	cert_list = gnutls_certificate_get_peers(conn->tls, &cert_list_size);
+	if (cert_list_size == 0) {
+		*errnum = 1;
+		*errmsg = "No peer certificate";
+		return GETDNS_RETURN_GENERIC_ERROR;
+        }
+	cl = cert_list;
+
+        type = gnutls_certificate_type_get(conn->tls);
+
+        /* this list may be incomplete, try to get the self-signed CA if any */
+        if (cert_list_size > 0) {
+                gnutls_x509_crt_t crt, ca;
+                gnutls_certificate_credentials_t sc;
+
+                ret = gnutls_x509_crt_init(&crt);
+                if (ret < 0)
+                        goto failsafe;
+
+                ret = gnutls_x509_crt_import(crt, &cert_list[cert_list_size-1], GNUTLS_X509_FMT_DER);
+                if (ret < 0) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                /* if it is already self signed continue normally */
+                ret = gnutls_x509_crt_check_issuer(crt, crt);
+                if (ret != 0) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                /* chain does not finish in a self signed cert, try to obtain the issuer */
+                ret = gnutls_credentials_get(conn->tls, GNUTLS_CRD_CERTIFICATE, (void**)&sc);
+                if (ret < 0) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                ret = gnutls_certificate_get_issuer(sc, crt, &ca, 0);
+                if (ret < 0) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                /* make the new list */
+                new_cert_list = GETDNS_XMALLOC(*conn->mfs, gnutls_datum_t, cert_list_size + 1);
+                if (new_cert_list == NULL) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                memcpy(new_cert_list, cert_list, cert_list_size*sizeof(gnutls_datum_t));
+		cl = new_cert_list;
+
+                ret = gnutls_x509_crt_export2(ca, GNUTLS_X509_FMT_DER, &new_cert_list[cert_list_size]);
+                if (ret < 0) {
+                        GETDNS_FREE(*conn->mfs, new_cert_list);
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+	}
+
+failsafe:
+
+	clsize = cert_list_size;
+	if (cl == new_cert_list)
+		clsize += 1;
+
+	ret = dane_verify_crt_raw(NULL, cl, clsize, type, conn->dane_query, 0, 0, &verify);
+
+	if (new_cert_list) {
+		gnutls_free(new_cert_list[cert_list_size].data);
+		GETDNS_FREE(*conn->mfs, new_cert_list);
+	}
+
+	if (ret != DANE_E_SUCCESS)
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	switch (verify) {
+	case DANE_VERIFY_CA_CONSTRAINTS_VIOLATED:
+		*errnum = 2;
+		*errmsg = "CA constraints violated";
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	case DANE_VERIFY_CERT_DIFFERS:
+		*errnum = 3;
+		*errmsg = "Certificate differs";
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	case DANE_VERIFY_UNKNOWN_DANE_INFO:
+		*errnum = 4;
+		*errmsg = "Unknown DANE info";
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+
 	return GETDNS_RETURN_GOOD;
 }
 
diff --git a/src/openssl/pubkey-pinning-internal.c b/src/openssl/pubkey-pinning-internal.c
index ab2d7c08..5ef02db2 100644
--- a/src/openssl/pubkey-pinning-internal.c
+++ b/src/openssl/pubkey-pinning-internal.c
@@ -70,82 +70,25 @@
    updated and follow the guidance in rfc7469bis)
 */
 
-static const getdns_bindata sha256 = {
-	.size = sizeof("sha256") - 1,
-	.data = (uint8_t*)"sha256"
-};
-  
-
-#define PIN_PREFIX "pin-sha256=\""
-#define PIN_PREFIX_LENGTH (sizeof(PIN_PREFIX) - 1)
 /* b64 turns every 3 octets (or fraction thereof) into 4 octets */
 #define B64_ENCODED_SHA256_LENGTH (((SHA256_DIGEST_LENGTH + 2)/3)  * 4)
-
-/* convert an HPKP-style pin description to an appropriate getdns data
-   structure.  An example string is: (with the quotes, without any
-   leading or trailing whitespace):
-
-      pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="
-
-   getdns_build_pin_from_string returns a dict created from ctx, or
-   NULL if the string did not match.  If ctx is NULL, the dict is
-   created via getdns_dict_create().
-
-   It is the caller's responsibility to call getdns_dict_destroy when
-   it is no longer needed.
- */
-getdns_dict* getdns_pubkey_pin_create_from_string(
-	getdns_context* context,
-	const char* str)
+getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size)
 {
 	BIO *bio = NULL;
-	size_t i;
-	uint8_t buf[SHA256_DIGEST_LENGTH];
 	char inbuf[B64_ENCODED_SHA256_LENGTH + 1];
-	getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf };
-	getdns_dict* out = NULL;
-	
-	/* we only do sha256 right now, make sure this is well-formed */
-	if (!str || strncmp(PIN_PREFIX, str, PIN_PREFIX_LENGTH))
-		return NULL;
-	for (i = PIN_PREFIX_LENGTH; i < PIN_PREFIX_LENGTH + B64_ENCODED_SHA256_LENGTH - 1; i++)
-		if (!((str[i] >= 'a' && str[i] <= 'z') ||
-		      (str[i] >= 'A' && str[i] <= 'Z') ||
-		      (str[i] >= '0' && str[i] <= '9') ||
-		      (str[i] == '+') || (str[i] == '/')))
-			return NULL;
-	if (str[i++] != '=')
-		return NULL;
-	if (str[i++] != '"')
-		return NULL;
-	if (str[i++] != '\0')
-		return NULL;
+	getdns_return_t ret = GETDNS_RETURN_GOOD;
 
 	/* openssl needs a trailing newline to base64 decode */
-	memcpy(inbuf, str + PIN_PREFIX_LENGTH, B64_ENCODED_SHA256_LENGTH);
+	memcpy(inbuf, str, B64_ENCODED_SHA256_LENGTH);
 	inbuf[B64_ENCODED_SHA256_LENGTH] = '\n';
 	
 	bio = BIO_push(BIO_new(BIO_f_base64()),
 		       BIO_new_mem_buf(inbuf, sizeof(inbuf)));
-	if (BIO_read(bio, buf, sizeof(buf)) != sizeof(buf))
-		goto fail;
-	
-	if (context)
-		out = getdns_dict_create_with_context(context);
-	else
-		out = getdns_dict_create();
-	if (out == NULL)
-		goto fail;
-	if (getdns_dict_set_bindata(out, "digest", &sha256))
-		goto fail;
-	if (getdns_dict_set_bindata(out, "value", &value))
-		goto fail;
-	return out;
+	if (BIO_read(bio, res, res_size) != (int) res_size)
+		ret = GETDNS_RETURN_GENERIC_ERROR;
 
- fail:
 	BIO_free_all(bio);
-	getdns_dict_destroy(out);
-	return NULL;
+	return ret;
 }
 
 /* this should only happen once ever in the life of the library. it's
diff --git a/src/pubkey-pinning.c b/src/pubkey-pinning.c
index aaff6eb3..983888fa 100644
--- a/src/pubkey-pinning.c
+++ b/src/pubkey-pinning.c
@@ -52,6 +52,7 @@
 #include "context.h"
 #include "util-internal.h"
 
+#include "pubkey-pinning.h"
 #include "pubkey-pinning-internal.h"
 
 /* we only support sha256 at the moment.  adding support for another
@@ -67,6 +68,67 @@ static const getdns_bindata sha256 = {
 	.data = (uint8_t*)"sha256"
 };
   
+#define PIN_PREFIX "pin-sha256=\""
+#define PIN_PREFIX_LENGTH (sizeof(PIN_PREFIX) - 1)
+/* b64 turns every 3 octets (or fraction thereof) into 4 octets */
+#define B64_ENCODED_SHA256_LENGTH (((SHA256_DIGEST_LENGTH + 2)/3)  * 4)
+/* convert an HPKP-style pin description to an appropriate getdns data
+   structure.  An example string is: (with the quotes, without any
+   leading or trailing whitespace):
+
+      pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="
+
+   getdns_build_pin_from_string returns a dict created from ctx, or
+   NULL if the string did not match.  If ctx is NULL, the dict is
+   created via getdns_dict_create().
+
+   It is the caller's responsibility to call getdns_dict_destroy when
+   it is no longer needed.
+ */
+getdns_dict* getdns_pubkey_pin_create_from_string(
+	getdns_context* context,
+	const char* str)
+{
+	size_t i;
+	uint8_t buf[SHA256_DIGEST_LENGTH];
+	getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf };
+	getdns_dict* out = NULL;
+	
+	/* we only do sha256 right now, make sure this is well-formed */
+	if (!str || strncmp(PIN_PREFIX, str, PIN_PREFIX_LENGTH))
+		return NULL;
+	for (i = PIN_PREFIX_LENGTH; i < PIN_PREFIX_LENGTH + B64_ENCODED_SHA256_LENGTH - 1; i++)
+		if (!((str[i] >= 'a' && str[i] <= 'z') ||
+		      (str[i] >= 'A' && str[i] <= 'Z') ||
+		      (str[i] >= '0' && str[i] <= '9') ||
+		      (str[i] == '+') || (str[i] == '/')))
+			return NULL;
+	if (str[i++] != '=')
+		return NULL;
+	if (str[i++] != '"')
+		return NULL;
+	if (str[i++] != '\0')
+		return NULL;
+
+	if (_getdns_decode_base64(str + PIN_PREFIX_LENGTH, buf, sizeof(buf)) != GETDNS_RETURN_GOOD)
+	    goto fail;
+	    
+	if (context)
+		out = getdns_dict_create_with_context(context);
+	else
+		out = getdns_dict_create();
+	if (out == NULL)
+		goto fail;
+	if (getdns_dict_set_bindata(out, "digest", &sha256))
+		goto fail;
+	if (getdns_dict_set_bindata(out, "value", &value))
+		goto fail;
+	return out;
+
+ fail:
+	getdns_dict_destroy(out);
+	return NULL;
+}
 
 /* Test whether a given pinset is reasonable, including:
 
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 5f12baf2..b94f58af 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -39,7 +39,7 @@
 /**
  ** Internal functions, implemented in pubkey-pinning-internal.c.
  **/
-getdns_dict* getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str);
+getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size);
 
 /**
  ** Public interface.
@@ -62,5 +62,7 @@ getdns_return_t
 _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
 					   getdns_upstream *upstream);
 
+getdns_dict* getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str);
+
 #endif
 /* pubkey-pinning.h */

From 0dec4a6f2170517122e436c866d0e1ead8316dcb Mon Sep 17 00:00:00 2001
From: Jim Hague <jim.hague@acm.org>
Date: Wed, 12 Dec 2018 14:59:13 +0000
Subject: [PATCH 221/303] Correct format string, fixing type error in
 specifier.

I was wondering why the error output did appear.
---
 src/stub.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index 66de58fe..d110cf06 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -963,8 +963,9 @@ tls_do_handshake(getdns_upstream *upstream)
 					_getdns_upstream_log(upstream,
 					    GETDNS_LOG_UPSTREAM_STATS,
 					     ( upstream->tls_fallback_ok
-					       ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),					     "%-40s : Verify failed : TLS - %s -  "
-					     "(%d) \"%s\"\n", upstream->addr_str,
+					       ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
+					     "%-40s : Verify failed : TLS - %s - "
+					     "(%ld) \"%s\"\n", upstream->addr_str,
 					     ( upstream->tls_fallback_ok
 					       ? "Tolerated because of Opportunistic profile"
 					       : "*Failure*" ),

From b51c7384e6891c8c0df0b65d31ea131d74cd4b76 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim.hague@acm.org>
Date: Wed, 12 Dec 2018 15:00:03 +0000
Subject: [PATCH 222/303] Implement _getdns_decode_base64() for GnuTLS.

Use primitives in libnettle.
---
 src/gnutls/pubkey-pinning-internal.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/gnutls/pubkey-pinning-internal.c b/src/gnutls/pubkey-pinning-internal.c
index 2ae97bf7..61d94645 100644
--- a/src/gnutls/pubkey-pinning-internal.c
+++ b/src/gnutls/pubkey-pinning-internal.c
@@ -32,6 +32,8 @@
  */
 
 #include "context.h"
+#include <nettle/base64.h>
+
 #include "types-internal.h"
 
 #include "pubkey-pinning.h"
@@ -49,5 +51,16 @@ _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
 
 getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size)
 {
-	return GETDNS_RETURN_GENERIC_ERROR;
+	struct base64_decode_ctx ctx;
+	uint8_t* lim = res + res_size;
+
+	base64_decode_init(&ctx);
+
+	for(; *str != '\0' && res < lim; ++str) {
+		int r = base64_decode_single(&ctx, res, *str);
+		if (r == -1 )
+			return GETDNS_RETURN_GENERIC_ERROR;
+		res += r;
+	}
+	return (res == lim) ? GETDNS_RETURN_GOOD : GETDNS_RETURN_GENERIC_ERROR;
 }

From 45be26642b1770377277d464e97fb94e2be43ca1 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim.hague@acm.org>
Date: Wed, 12 Dec 2018 15:01:07 +0000
Subject: [PATCH 223/303] Fix dane query handling and verify error reporting.

Verify error is flags, not values. And deiniting a dane_query that is
NULL segfaults.
---
 src/gnutls/tls.c | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 33d0047a..21c85063 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -270,7 +270,8 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c
 	if (!conn || !conn->tls)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	dane_query_deinit(conn->dane_query);
+	if (conn->dane_query)
+		dane_query_deinit(conn->dane_query);
 	dane_state_deinit(conn->dane_state);
 	gnutls_deinit(conn->tls);
 	gnutls_certificate_free_credentials(conn->cred);
@@ -475,7 +476,8 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	}
 	*dane_p = NULL;
 
-	dane_query_deinit(conn->dane_query);
+	if (conn->dane_query)
+		dane_query_deinit(conn->dane_query);
 	r = dane_raw_tlsa(conn->dane_state, &conn->dane_query, dane_data, dane_data_len, 0, 0);
 	GETDNS_FREE(*conn->mfs, dane_data_len);
 	GETDNS_FREE(*conn->mfs, dane_data);
@@ -578,20 +580,17 @@ failsafe:
 	if (ret != DANE_E_SUCCESS)
 		return GETDNS_RETURN_GENERIC_ERROR;
 
-	switch (verify) {
-	case DANE_VERIFY_CA_CONSTRAINTS_VIOLATED:
-		*errnum = 2;
-		*errmsg = "CA constraints violated";
-		return GETDNS_RETURN_GENERIC_ERROR;
-
-	case DANE_VERIFY_CERT_DIFFERS:
-		*errnum = 3;
-		*errmsg = "Certificate differs";
-		return GETDNS_RETURN_GENERIC_ERROR;
-
-	case DANE_VERIFY_UNKNOWN_DANE_INFO:
-		*errnum = 4;
-		*errmsg = "Unknown DANE info";
+	if (verify != 0) {
+		if (verify & DANE_VERIFY_CERT_DIFFERS) {
+			*errnum = 3;
+			*errmsg = "Certificate differs";
+		} else if (verify &  DANE_VERIFY_CA_CONSTRAINTS_VIOLATED) {
+			*errnum = 2;
+			*errmsg = "CA constraints violated";
+		} else {
+			*errnum = 4;
+			*errmsg = "Unknown DANE info";
+		}
 		return GETDNS_RETURN_GENERIC_ERROR;
 	}
 

From 91a3a3db362ae8ca743db2d66bb79eae8ccb76e5 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 12 Dec 2018 16:12:07 +0100
Subject: [PATCH 224/303] More specific return codes, more logging

---
 src/const-info.c             |  10 +-
 src/context.c                | 480 +++++++++++++++++++++++++----------
 src/getdns/getdns_extra.h.in |  10 +-
 src/mk-const-info.c.sh       |   4 +-
 4 files changed, 360 insertions(+), 144 deletions(-)

diff --git a/src/const-info.c b/src/const-info.c
index f6f0d18b..2de662e5 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -124,7 +124,10 @@ static struct const_info consts_info[] = {
 	{    1402, "GETDNS_TLS1_1", GETDNS_TLS1_1_TEXT },
 	{    1403, "GETDNS_TLS1_2", GETDNS_TLS1_2_TEXT },
 	{    1404, "GETDNS_TLS1_3", GETDNS_TLS1_3_TEXT },
-	{    4096, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT },
+	{    8192, "GETDNS_LOG_SYS_STUB", GETDNS_LOG_SYS_STUB_TEXT },
+	{   12288, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT },
+	{   16384, "GETDNS_LOG_SYS_RECURSING", GETDNS_LOG_SYS_RECURSING_TEXT },
+	{   24576, "GETDNS_LOG_SYS_RESOLVING", GETDNS_LOG_SYS_RESOLVING_TEXT },
 };
 
 static int const_info_cmp(const void *a, const void *b)
@@ -225,7 +228,10 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_LOG_ERR", 3 },
 	{ "GETDNS_LOG_INFO", 6 },
 	{ "GETDNS_LOG_NOTICE", 5 },
-	{ "GETDNS_LOG_UPSTREAM_STATS", 4096 },
+	{ "GETDNS_LOG_SYS_RECURSING", 16384 },
+	{ "GETDNS_LOG_SYS_RESOLVING", 24576 },
+	{ "GETDNS_LOG_SYS_STUB", 8192 },
+	{ "GETDNS_LOG_UPSTREAM_STATS", 12288 },
 	{ "GETDNS_LOG_WARNING", 4 },
 	{ "GETDNS_NAMESPACE_DNS", 500 },
 	{ "GETDNS_NAMESPACE_LOCALNAMES", 501 },
diff --git a/src/context.c b/src/context.c
index 8a020677..0b8e4e49 100644
--- a/src/context.c
+++ b/src/context.c
@@ -127,15 +127,15 @@ typedef struct host_name_addrs {
 } host_name_addrs;
 
 
-/*  If changing these lists also remember to 
+/*  If changing these lists also remember to
     change the value of GETDNS_UPSTREAM_TRANSPORTS */
-static getdns_transport_list_t 
+static getdns_transport_list_t
 getdns_upstream_transports[GETDNS_UPSTREAM_TRANSPORTS] = {
 	GETDNS_TRANSPORT_TCP,
 	GETDNS_TRANSPORT_TLS,
 };
 
-static in_port_t 
+static in_port_t
 getdns_port_array[GETDNS_UPSTREAM_TRANSPORTS] = {
 	GETDNS_PORT_DNS,
 	GETDNS_PORT_DNS_OVER_TLS
@@ -183,17 +183,17 @@ _getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s)
 }
 
 #ifdef USE_WINSOCK
-/* For windows, the CA trust store is not read by openssl. 
+/* For windows, the CA trust store is not read by openssl.
    Add code to open the trust store using wincrypt API and add
    the root certs into openssl trust store */
-static int 
+static int
 add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
 {
 	HCERTSTORE      hSystemStore;
 	PCCERT_CONTEXT  pTargetCert = NULL;
 	
 	_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG
-	    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+	    , "%s: %s\n", STUB_DEBUG_SETUP_TLS,
 	    , "Adding Windows certificates from system root store to CA store")
 	    ;
 
@@ -207,13 +207,13 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
 		CERT_STORE_PROV_SYSTEM,
 		0,
 		0,
-		/* NOTE: mingw does not have this const: replace with 1 << 16 from code 
+		/* NOTE: mingw does not have this const: replace with 1 << 16 from code
 		   CERT_SYSTEM_STORE_CURRENT_USER, */
 		1 << 16,
 		L"root")) == 0)
 	{
 		_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
-		    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+		    , "%s: %s\n", STUB_DEBUG_SETUP_TLS
 		    , "Could not CertOpenStore()");
 		return 0;
 	}
@@ -221,7 +221,7 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
 	X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx);
 	if (!store) {
 		_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
-		    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+		    , "%s: %s\n", STUB_DEBUG_SETUP_TLS
 		    , "Could not SSL_CTX_get_cert_store()");
 		return 0;
 	}
@@ -230,22 +230,22 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
 	if ((pTargetCert = CertEnumCertificatesInStore(
 	    hSystemStore, pTargetCert)) == 0) {
 		_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_NOTICE
-		    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+		    , "%s: %s\n", STUB_DEBUG_SETUP_TLS
 		    , "CA certificate store for Windows is empty.");
 		return 0;
 	}
 	/* iterate over the windows cert store and add to openssl store */
-	do 
+	do
 	{
-		X509 *cert1 = d2i_X509(NULL, 
+		X509 *cert1 = d2i_X509(NULL,
 			(const unsigned char **)&pTargetCert->pbCertEncoded,
 			pTargetCert->cbCertEncoded);
 		if (!cert1) {
 			/* return error if a cert fails */
 			_getdns_log(&ctxt->log
 			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR,
-			    , "%s %-35s: %s %d:%s\n"
-			    , STUB_DEBUG_SETUP_TLS, __FUNC__
+			    , "%s: %s %d:%s\n"
+			    , STUB_DEBUG_SETUP_TLS
 			    , "Unable to parse certificate in memory"
 			    , ERR_get_error()
 			    , ERR_error_string(ERR_get_error(), NULL));
@@ -255,16 +255,16 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
 			/* return error if a cert add to store fails */
 			if (X509_STORE_add_cert(store, cert1) == 0) {
 				unsigned long error = ERR_peek_last_error();
- 
+
 				/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
-				* certificate is already in the store.  */ 
+				* certificate is already in the store.  */
 				if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
 				   ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
 					_getdns_log(&ctxt->log
 					    , GETDNS_LOG_SYS_STUB
 					    , GETDNS_LOG_ERR
-					    , "%s %-35s: %s %d:%s\n"
-					    , STUB_DEBUG_SETUP_TLS, __FUNC__
+					    , "%s: %s %d:%s\n"
+					    , STUB_DEBUG_SETUP_TLS
 					    , "Error adding certificate"
 					    , ERR_get_error()
 					    , ERR_error_string( ERR_get_error()
@@ -287,13 +287,13 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
 		if (!CertCloseStore(hSystemStore, 0)) {
 			_getdns_log(&ctxt->log
 			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
-			    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+			    , "%s: %s\n", STUB_DEBUG_SETUP_TLS
 			    , "Could not CertCloseStore()");
 			return 0;
 		}
 	}
 	_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_INFO
-	    , "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__
+	    , "%s: %s\n", STUB_DEBUG_SETUP_TLS
 	    , "Completed adding Windows certificates to CA store successfully")
 	    ;
 	return 1;
@@ -615,7 +615,7 @@ getdns_context_set_hosts(getdns_context *context, const char *hosts)
 		/* Break out of for to read more */
 		for (;;) {
 			/* Skip whitespace */
-			while (*pos == ' '  || *pos == '\f' 
+			while (*pos == ' '  || *pos == '\f'
 			    || *pos == '\t' || *pos == '\v')
 				pos++;
 
@@ -654,7 +654,7 @@ getdns_context_set_hosts(getdns_context *context, const char *hosts)
 			*pos = '\0';
 			if (start_of_line) {
 				start_of_line = 0;
-				if (address) 
+				if (address)
 					getdns_dict_destroy(address);
 				if (!(address =
 				    str_addr_dict(context, start_of_word)))
@@ -709,15 +709,18 @@ upstreams_create(getdns_context *context, size_t size)
 	getdns_upstreams *r = (void *) GETDNS_XMALLOC(context->mf, char,
 	    sizeof(getdns_upstreams) +
 	    sizeof(getdns_upstream) * size);
-	r->mf = context->mf;
-	r->referenced = 1;
-	r->count = 0;
-	r->current_udp = 0;
-	r->current_stateful = 0;
-	r->max_backoff_value = context->max_backoff_value;
-	r->tls_backoff_time = context->tls_backoff_time;
-	r->tls_connection_retries = context->tls_connection_retries;
-	r->log = context->log;
+
+	if (r) {
+		r->mf = context->mf;
+		r->referenced = 1;
+		r->count = 0;
+		r->current_udp = 0;
+		r->current_stateful = 0;
+		r->max_backoff_value = context->max_backoff_value;
+		r->tls_backoff_time = context->tls_backoff_time;
+		r->tls_connection_retries = context->tls_connection_retries;
+		r->log = context->log;
+	}
 	return r;
 }
 
@@ -822,8 +825,8 @@ static void
 _getdns_upstream_reset(getdns_upstream *upstream)
 {
 	/* Back off connections that never got up service at all (probably no
-	   TCP service or incompatible TLS version/cipher). 
-	   Leave choice between working upstreams to the stub. 
+	   TCP service or incompatible TLS version/cipher).
+	   Leave choice between working upstreams to the stub.
 	   This back-off should be time based for TLS according to RFC7858. For now,
 	   use the same basis if we simply can't get TCP service either.*/
 	/* [TLS1]TODO: This arbitrary logic at the moment - review and improve!*/
@@ -837,16 +840,16 @@ _getdns_upstream_reset(getdns_upstream *upstream)
 	     && upstream->total_responses == 0)
 
 	    || (upstream->conn_completed >= conn_retries &&
-	     upstream->total_responses == 0 && 
+	     upstream->total_responses == 0 &&
 	     upstream->total_timeouts > GETDNS_TRANSPORT_FAIL_MULT)) {
 
 		upstream_backoff(upstream);
 	}
 
 	/* If we didn't backoff it would be nice to reset the conn_backoff_interval
-	   if the upstream is working well again otherwise it would get stuck at the 
+	   if the upstream is working well again otherwise it would get stuck at the
 	   tls_backoff_time forever... How about */
-	if (upstream->conn_state != GETDNS_CONN_BACKOFF && 
+	if (upstream->conn_state != GETDNS_CONN_BACKOFF &&
 	    upstream->responses_received > 1)
 		upstream->conn_backoff_interval = 1;
 
@@ -1029,7 +1032,7 @@ upstream_init(getdns_upstream *upstream,
 
 	upstream->addr_len = ai->ai_addrlen;
 	(void) memcpy(&upstream->addr, ai->ai_addr, ai->ai_addrlen);
-	inet_ntop(upstream->addr.ss_family, upstream_addr(upstream), 
+	inet_ntop(upstream->addr.ss_family, upstream_addr(upstream),
 	          upstream->addr_str, INET6_ADDRSTRLEN);
 
 	/* How is this upstream doing on connections? */
@@ -1125,7 +1128,7 @@ static int get_dns_suffix_windows(getdns_list *suffix, char* domain)
     {
         returnStatus = RegQueryValueEx(hKey,
              TEXT("SearchList"), 0, &dwType,(LPBYTE)&lszValue, &dwSize);
-        if (returnStatus == ERROR_SUCCESS) 
+        if (returnStatus == ERROR_SUCCESS)
         {
            if ((strlen(lszValue)) > 0) {
            parse = lszValue;
@@ -1465,11 +1468,11 @@ static char const * const _getdns_default_trust_anchors_verify_CA =
 static char const * const _getdns_default_trust_anchors_verify_email =
     "dnssec@iana.org";
 
-static char const * const _getdns_default_tls_cipher_list = 
+static char const * const _getdns_default_tls_cipher_list =
     "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
     "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
 
-static char const * const _getdns_default_tls_ciphersuites = 
+static char const * const _getdns_default_tls_ciphersuites =
   "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
 
 /*
@@ -1666,7 +1669,7 @@ getdns_context_create_with_extended_memory_functions(
 	result->edns_maximum_udp_payload_size = -1;
 	if ((r = create_default_dns_transports(result)))
 		goto error;
-	result->tls_auth = GETDNS_AUTHENTICATION_NONE; 
+	result->tls_auth = GETDNS_AUTHENTICATION_NONE;
 	result->tls_auth_min = GETDNS_AUTHENTICATION_NONE;
 	result->round_robin_upstreams = 0;
 	result->tls_backoff_time = 3600;
@@ -1716,7 +1719,7 @@ getdns_context_create_with_extended_memory_functions(
 #endif
 
 	// resolv.conf does not exist on Windows, handle differently
-#ifndef USE_WINSOCK 
+#ifndef USE_WINSOCK
 	if ((set_from_os & 1)) {
 		(void) getdns_context_set_resolvconf(result, GETDNS_FN_RESOLVCONF);
 		(void) getdns_context_set_hosts(result, GETDNS_FN_HOSTS);
@@ -2222,7 +2225,7 @@ set_ub_dns_transport(struct getdns_context* context) {
                     break;
                 }
             }
-            if (fallback == 0) 
+            if (fallback == 0)
                 /* Use TLS if it is the only thing.*/
                 set_ub_string_opt(context, "ssl-upstream:", "yes");
             break;
@@ -2329,7 +2332,7 @@ getdns_context_set_tls_authentication(getdns_context *context,
                                       getdns_tls_authentication_t value)
 {
     RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
-    if (value != GETDNS_AUTHENTICATION_NONE && 
+    if (value != GETDNS_AUTHENTICATION_NONE &&
         value != GETDNS_AUTHENTICATION_REQUIRED) {
         return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
     }
@@ -2365,7 +2368,7 @@ getdns_context_set_round_robin_upstreams(getdns_context *context, uint8_t value)
  * before the upstream which has previously timed out will be tried again.
  * @see getdns_context_get_max_backoff_value
  * @param[in] context  The context to configure
- * @param[in[ value    Number of messages sent to other upstreams before 
+ * @param[in[ value    Number of messages sent to other upstreams before
  *                     retrying the upstream which had timed out.
  * @return GETDNS_RETURN_GOOD on success
  * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
@@ -3075,7 +3078,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				    dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
 
 					if (tls_auth_name->size >= sizeof(upstream->tls_auth_name)) {
-						/* tls_auth_name's are 
+						/* tls_auth_name's are
 						 * domain names in presentation
 						 * format and, taking escaping
 						 * into account, should not
@@ -3117,7 +3120,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				(void) getdns_dict_get_bindata(
 				    dict, "tls_curves_list", &tls_curves_list);
 				if (tls_curves_list) {
-					upstream->tls_curves_list = 
+					upstream->tls_curves_list =
 					    _getdns_strdup2(&upstreams->mf
 					                   , tls_curves_list);
 				} else
@@ -3523,18 +3526,36 @@ ub_setup_stub(struct ub_ctx *ctx, getdns_context *context)
 	getdns_upstream *upstream;
 	char addr[1024];
 	getdns_upstreams *upstreams = context->upstreams;
+	int r;
 
-	(void) ub_ctx_set_fwd(ctx, NULL);
+	if ((r = ub_ctx_set_fwd(ctx, NULL))) {
+		_getdns_log(&context->log
+		    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_WARNING
+		    , "%s: %s (%s)\n"
+		    , STUB_DEBUG_SETUP
+		    , "Error while clearing forwarding modus on unbound context"
+		    , ub_strerror(r));
+	}
 	for (i = 0; i < upstreams->count; i++) {
 		upstream = &upstreams->upstreams[i];
-		/*[TLS]: Use only the TLS subset of upstreams when TLS is the only thing
-		 * used. All other cases must currently fallback to TCP for libunbound.*/
+		/* [TLS]: Use only the TLS subset of upstreams when TLS is the
+		 * only thing used. All other cases must currently fallback to
+		 * TCP for libunbound.*/
 		if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS &&
 		    context->dns_transport_count ==1 &&
 			upstream->transport !=  GETDNS_TRANSPORT_TLS)
 				continue;
 		upstream_ntop_buf(upstream, addr, 1024);
-		ub_ctx_set_fwd(ctx, addr);
+		if ((r = ub_ctx_set_fwd(ctx, addr))) {
+			_getdns_log(&context->log
+			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_WARNING
+			    , "%s: %s '%s' (%s)\n"
+			    , STUB_DEBUG_SETUP
+			    , "Error while setting up unbound context for "
+			      "forwarding to"
+			    , addr
+			    , ub_strerror(r));
+		}
 	}
 
 	/* Allow lookups of:
@@ -3604,8 +3625,16 @@ ub_setup_recursing(struct ub_ctx *ctx, getdns_context *context)
 {
 	_getdns_rr_iter rr_spc, *rr;
 	char ta_str[8192];
+	int r;
 
-	(void) ub_ctx_set_fwd(ctx, NULL);
+	if ((r = ub_ctx_set_fwd(ctx, NULL))) {
+		_getdns_log(&context->log
+		    , GETDNS_LOG_SYS_RECURSING, GETDNS_LOG_WARNING
+		    , "%s: %s (%s)\n"
+		    , STUB_DEBUG_SETUP
+		    , "Error while clearing forwarding modus on unbound context"
+		    , ub_strerror(r));
+	}
 	if (!context->unbound_ta_set && context->trust_anchors) {
 		for ( rr = _getdns_rr_iter_init( &rr_spc
 		                               , context->trust_anchors
@@ -3614,7 +3643,17 @@ ub_setup_recursing(struct ub_ctx *ctx, getdns_context *context)
 
 			(void) gldns_wire2str_rr_buf((UNCONST_UINT8_p)rr->pos,
 			    rr->nxt - rr->pos, ta_str, sizeof(ta_str));
-			(void) ub_ctx_add_ta(ctx, ta_str);
+			if ((r = ub_ctx_add_ta(ctx, ta_str))) {
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_RECURSING
+				    , GETDNS_LOG_WARNING
+				    , "%s: %s '%s' (%s)\n"
+				    , STUB_DEBUG_SETUP
+				    , "Error while equiping unbound context "
+				      "with trust anchor"
+				    , ta_str
+				    , ub_strerror(r));
+			}
 		}
 		context->unbound_ta_set = 1;
 	}
@@ -3629,8 +3668,15 @@ _getdns_ns_dns_setup(struct getdns_context *context)
 
 	switch (context->resolution_type) {
 	case GETDNS_RESOLUTION_STUB:
-		if (!context->upstreams || !context->upstreams->count)
-			return GETDNS_RETURN_GENERIC_ERROR;
+		if (!context->upstreams || !context->upstreams->count) {
+			_getdns_log(&context->log
+			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+			    , "%s: %s\n"
+			    , STUB_DEBUG_SETUP
+			    , "Stub resolution requested, but no upstreams "
+			      "configured");
+			return GETDNS_RETURN_BAD_CONTEXT;
+		}
 #ifdef STUB_NATIVE_DNSSEC
 # ifdef DNSSEC_ROADBLOCK_AVOIDANCE
 #  ifdef HAVE_LIBUNBOUND
@@ -3655,6 +3701,12 @@ _getdns_ns_dns_setup(struct getdns_context *context)
 		return GETDNS_RETURN_NOT_IMPLEMENTED;
 #endif
 	}
+	_getdns_log(&context->log
+	    , GETDNS_LOG_SYS_RESOLVING
+	    , GETDNS_LOG_ERR
+	    , "%s: %s (%d)\n", STUB_DEBUG_SETUP
+	    , "Unknown resolution type: "
+	    , context->resolution_type);
 	return GETDNS_RETURN_BAD_CONTEXT;
 }
 
@@ -3662,22 +3714,23 @@ getdns_return_t
 _getdns_context_prepare_for_resolution(getdns_context *context)
 {
 	getdns_return_t r;
-#if defined(HAVE_SSL_CTX_DANE_ENABLE) || defined(USE_DANESSL)
+	char ssl_err[256];
 	int osr;
-#endif
 
 	assert(context);
 	if (context->destroying)
 		return GETDNS_RETURN_BAD_CONTEXT;
 
 	/* Transport can in theory be set per query in stub mode */
-	if (context->resolution_type == GETDNS_RESOLUTION_STUB && 
+	if (context->resolution_type == GETDNS_RESOLUTION_STUB &&
 	    tls_is_in_transports_list(context) == 1) {
 		/* Check minimum require authentication level*/
-		if (tls_only_is_in_transports_list(context) == 1 && 
+		if (tls_only_is_in_transports_list(context) == 1 &&
 		    context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED) {
 			context->tls_auth_min = GETDNS_AUTHENTICATION_REQUIRED;
-			/* TODO: If no auth data provided for any upstream, fail here */
+			/* TODO: If no auth data provided for any upstream,
+			 * fail here
+			 */
 		}
 		else {
 			context->tls_auth_min = GETDNS_AUTHENTICATION_NONE;
@@ -3691,22 +3744,52 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 #  else
 			context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
 #  endif
-			if(context->tls_ctx == NULL)
+			if(context->tls_ctx == NULL) {
+				ERR_error_string_n( ERR_get_error()
+				                  , ssl_err, sizeof(ssl_err));
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s (%s)\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "Error creating TLS context"
+				    , ssl_err);
 				return GETDNS_RETURN_BAD_CONTEXT;
+			}
 
 #  if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \
            && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
 			if (!SSL_CTX_set_min_proto_version(context->tls_ctx,
-			    _getdns_tls_version2openssl_version(context->tls_min_version))) {
+			    _getdns_tls_version2openssl_version(
+			    context->tls_min_version))) {
 				SSL_CTX_free(context->tls_ctx);
 				context->tls_ctx = NULL;
+				ERR_error_string_n( ERR_get_error()
+				                  , ssl_err, sizeof(ssl_err));
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s (%s)\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "Error configuring TLS context with "
+				      "minimum TLS version"
+				    , ssl_err);
 				return GETDNS_RETURN_BAD_CONTEXT;
 			}
 			if (context->tls_max_version
 			&& !SSL_CTX_set_max_proto_version(context->tls_ctx,
-			    _getdns_tls_version2openssl_version(context->tls_max_version))) {
+			    _getdns_tls_version2openssl_version(
+			    context->tls_max_version))) {
 				SSL_CTX_free(context->tls_ctx);
 				context->tls_ctx = NULL;
+				ERR_error_string_n( ERR_get_error()
+				                  , ssl_err, sizeof(ssl_err));
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s (%s)\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "Error configuring TLS context with "
+				      "maximum TLS version"
+				    , ssl_err);
+
 				return GETDNS_RETURN_BAD_CONTEXT;
 			}
 #  else
@@ -3714,65 +3797,181 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			if ((  context->tls_min_version
 			    && context->tls_min_version != GETDNS_TLS1_2)
 			||     context->tls_max_version) {
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "This version of OpenSSL does not "
+				      "support setting of mimum or maximum "
+				      "TLS versions");
 				return GETDNS_RETURN_NOT_IMPLEMENTED;
 			}
 #   endif
 #  endif
-			/* Be strict and only use the cipher suites recommended in RFC7525
-			   Unless we later fallback to opportunistic. */
+			/* Be strict and only use the cipher suites recommended
+			 * in RFC7525 Unless we later fallback to opportunistic.
+			 */
 			if (!SSL_CTX_set_cipher_list(context->tls_ctx,
-			    context->tls_cipher_list ? context->tls_cipher_list
-			                             : _getdns_default_tls_cipher_list))
+			    context->tls_cipher_list
+			  ? context->tls_cipher_list
+			  : _getdns_default_tls_cipher_list)) {
+				ERR_error_string_n( ERR_get_error()
+				                  , ssl_err, sizeof(ssl_err));
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s (%s)\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "Error configuring TLS context with "
+				      "cipher list"
+				    , ssl_err);
+
 				return GETDNS_RETURN_BAD_CONTEXT;
+			}
 #  ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 			if (!SSL_CTX_set_ciphersuites(context->tls_ctx,
-			    context->tls_ciphersuites ? context->tls_ciphersuites
-			                             : _getdns_default_tls_ciphersuites))
+			    context->tls_ciphersuites
+			  ? context->tls_ciphersuites
+			  : _getdns_default_tls_ciphersuites)) {
+				ERR_error_string_n( ERR_get_error()
+				                  , ssl_err, sizeof(ssl_err));
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s (%s)\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "Error configuring TLS context with "
+				      "cipher suites"
+				    , ssl_err);
+
 				return GETDNS_RETURN_BAD_CONTEXT;
-#  else
-			if (context->tls_ciphersuites)
-				return GETDNS_RETURN_NOT_IMPLEMENTED;
-#  endif
-#  if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
-			if (context->tls_curves_list &&
-			    !SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
-				return GETDNS_RETURN_BAD_CONTEXT;
-#  else
-			if (context->tls_curves_list)
-				return GETDNS_RETURN_NOT_IMPLEMENTED;
-#  endif
-			/* For strict authentication, we must have local root certs available
-		       Set up is done only when the tls_ctx is created (per getdns_context)*/
-			if ((context->tls_ca_file || context->tls_ca_path) &&
-			    SSL_CTX_load_verify_locations(context->tls_ctx
-				    , context->tls_ca_file, context->tls_ca_path))
-				; /* pass */
-#  ifndef USE_WINSOCK
-			else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
-#  else
-			else if (!add_WIN_cacerts_to_openssl_store(context, context->tls_ctx)) {
-#  endif /* USE_WINSOCK */
-				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
-					return GETDNS_RETURN_BAD_CONTEXT;
 			}
+#  else
+			if (context->tls_ciphersuites) {
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "This version of OpenSSL does not "
+				      "support configuring cipher suites");
+				return GETDNS_RETURN_NOT_IMPLEMENTED;
+			}
+#  endif
+#  if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) \
+           && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+			if (context->tls_curves_list &&
+			    !SSL_CTX_set1_curves_list(context->tls_ctx,
+			    context->tls_curves_list)) {
+				ERR_error_string_n( ERR_get_error()
+				                  , ssl_err, sizeof(ssl_err));
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s (%s)\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "Error configuring TLS context with "
+				      "curves list"
+				    , ssl_err);
+				return GETDNS_RETURN_BAD_CONTEXT;
+			}
+#  else
+			if (context->tls_curves_list) {
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "This version of OpenSSL does not "
+				      "support configuring curves list");
+				return GETDNS_RETURN_NOT_IMPLEMENTED;
+			}
+#  endif
+			/* For strict authentication, we must have local root
+			 * certs available. Set up is done only when the tls_ctx
+			 * is created (per getdns_context)
+			 */
+			osr = 0;
+			if (context->tls_ca_file || context->tls_ca_path) {
+				osr = SSL_CTX_load_verify_locations(
+				      context->tls_ctx
+				    , context->tls_ca_file
+				    , context->tls_ca_path );
+				if (!osr) {
+					ERR_error_string_n( ERR_get_error()
+							  , ssl_err
+							  , sizeof(ssl_err));
+					_getdns_log(&context->log
+					    , GETDNS_LOG_SYS_STUB
+					    , GETDNS_LOG_WARNING
+					    , "%s: %s (%s)\n"
+					    , STUB_DEBUG_SETUP_TLS
+					    , "Could not load verify locations"
+					    , ssl_err);
+				} else {
+					_getdns_log(&context->log
+					    , GETDNS_LOG_SYS_STUB
+					    , GETDNS_LOG_DEBUG
+					    , "%s: %s\n"
+					    , STUB_DEBUG_SETUP_TLS
+					    , "Verify locations loaded");
+				}
+			}
+			if (osr)
+				; /* verify locations loaded: pass */
+#  ifndef USE_WINSOCK
+			else if (!SSL_CTX_set_default_verify_paths(
+						context->tls_ctx) &&
+#  else
+			else if (!add_WIN_cacerts_to_openssl_store(
+						context, context->tls_ctx) &&
+#  endif /* USE_WINSOCK */
+			    context->tls_auth_min
+			 == GETDNS_AUTHENTICATION_REQUIRED) {
+				ERR_error_string_n( ERR_get_error()
+						  , ssl_err, sizeof(ssl_err));
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB
+				    , GETDNS_LOG_ERR
+				    , "%s: %s (%s)\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "Authentication is needed but no default "
+				      "verify location could be loaded"
+				    , ssl_err);
+				return GETDNS_RETURN_BAD_CONTEXT;
+			}
+
 #  if defined(HAVE_SSL_CTX_DANE_ENABLE)
-			osr = SSL_CTX_dane_enable(context->tls_ctx);
-			_getdns_log(&context->log
-			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG
-			    , "%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
-			    , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+			if (!SSL_CTX_dane_enable(context->tls_ctx)) {
+				ERR_error_string_n( ERR_get_error()
+						  , ssl_err, sizeof(ssl_err));
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_WARNING
+				    , "%s: %s (%s)\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "Could not enable DANE on TLX context"
+				    , ssl_err);
+			}
 #  elif defined(USE_DANESSL)
-			osr = DANESSL_CTX_init(context->tls_ctx);
-			_getdns_log(&context->log
-			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG
-			    , "%s %-35s: DEBUG: DANESSL_CTX_init() returned "
-			      "%d\n", STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+			if (!DANESSL_CTX_init(context->tls_ctx)) {
+				ERR_error_string_n( ERR_get_error()
+						  , ssl_err, sizeof(ssl_err));
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_WARNING
+				    , "%s: %s (%s)\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "Could not enable DANE on TLX context"
+				    , ssl_err);
+			}
 #  endif
 #else /* HAVE_TLS_v1_2 */
-			if (tls_only_is_in_transports_list(context) == 1)
-				return GETDNS_RETURN_BAD_CONTEXT;
-			/* A null tls_ctx will make TLS fail and fallback to the other
-			   transports will kick-in.*/
+			if (tls_only_is_in_transports_list(context) == 1) {
+				_getdns_log(&context->log
+				    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+				    , "%s: %s\n"
+				    , STUB_DEBUG_SETUP_TLS
+				    , "This version of OpenSSL does not "
+				      "support authenticated TLS");
+				return GETDNS_RETURN_NOT_IMPLEMENTED;
+			}
+			/* A null tls_ctx will make TLS fail and fallback to
+			 * the other transports will kick-in.
+			 */
 #endif /* HAVE_TLS_v1_2 */
 		}
 	}
@@ -3780,10 +3979,16 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 	/* Block use of TLS ONLY in recursive mode as it won't work */
     /* Note: If TLS is used in recursive mode this will try TLS on port
      * 53 so it is blocked here. */
-	if (context->resolution_type == GETDNS_RESOLUTION_RECURSING &&
-		tls_only_is_in_transports_list(context) == 1)
-		return GETDNS_RETURN_BAD_CONTEXT;
-
+	if (context->resolution_type == GETDNS_RESOLUTION_RECURSING
+	&&  tls_only_is_in_transports_list(context) == 1) {
+		_getdns_log(&context->log
+		    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
+		    , "%s: %s\n"
+		    , STUB_DEBUG_SETUP_TLS
+		    , "TLS only transport is not supported for the recursing "
+		      "resolution type");
+		return GETDNS_RETURN_NOT_IMPLEMENTED;
+	}
 	if (context->resolution_type_set == context->resolution_type)
         	/* already set and no config changes
 		 * have caused this to be bad.
@@ -3794,8 +3999,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 	 * the spec calls for us to treat the namespace list as ordered
 	 * so we need to respect that order
 	 */
-
-
 	r = _getdns_ns_dns_setup(context);
 	if (r == GETDNS_RETURN_GOOD)
 		context->resolution_type_set = context->resolution_type;
@@ -4200,7 +4403,7 @@ getdns_context_get_api_information(const getdns_context* context)
 #ifdef HAVE_OPENSSL_VERSION
 	    && ! getdns_dict_util_set_string(
 	    result, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION))
-	    
+	
 	    && ! getdns_dict_util_set_string(
 	    result, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS))
 
@@ -4268,7 +4471,7 @@ _getdns_context_local_namespace_resolve(
 	getdns_context  *context = dnsreq->context;
 	host_name_addrs *hnas;
 	uint8_t lookup[256];
-	getdns_list    empty_list = { 0, 0, NULL, { NULL, {{ NULL, NULL, NULL }}}};
+	getdns_list    empty_list = { 0, 0, NULL, { NULL, {{ NULL,NULL,NULL}}}};
 	getdns_bindata bindata;
 	getdns_list   *jaa;
 	size_t         i;
@@ -4279,9 +4482,10 @@ _getdns_context_local_namespace_resolve(
 	int ipv6 = dnsreq->netreqs[0]->request_type == GETDNS_RRTYPE_AAAA ||
 	    (dnsreq->netreqs[1] &&
 	     dnsreq->netreqs[1]->request_type == GETDNS_RRTYPE_AAAA);
+	getdns_return_t r;
 
 	if (!ipv4 && !ipv6)
-		return GETDNS_RETURN_GENERIC_ERROR;
+		return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
 
 	/*Do the lookup*/
 	(void)memcpy(lookup, dnsreq->name, dnsreq->name_len);
@@ -4289,59 +4493,61 @@ _getdns_context_local_namespace_resolve(
 
 	if (!(hnas = (host_name_addrs *)
 	    _getdns_rbtree_search(&context->local_hosts, lookup)))
-		return GETDNS_RETURN_GENERIC_ERROR;
+		return GETDNS_RETURN_NO_SUCH_DICT_NAME;
 
 	if (!hnas->ipv4addrs && (!ipv6 || !hnas->ipv6addrs))
-		return GETDNS_RETURN_GENERIC_ERROR;
+		return GETDNS_RETURN_NO_SUCH_DICT_NAME;
 
 	if (!hnas->ipv6addrs && (!ipv4 || !hnas->ipv4addrs))
-		return GETDNS_RETURN_GENERIC_ERROR;
+		return GETDNS_RETURN_NO_SUCH_DICT_NAME;
 
 	if (!(*response = getdns_dict_create_with_context(context)))
-		return GETDNS_RETURN_GENERIC_ERROR;
+		return GETDNS_RETURN_MEMORY_ERROR;
 
 	bindata.size = dnsreq->name_len;
 	bindata.data = dnsreq->name;
-	if (getdns_dict_set_bindata(*response, "canonical_name", &bindata))
+	if ((r = getdns_dict_set_bindata(*response,"canonical_name",&bindata)))
 		goto error;
 
 	empty_list.mf = context->mf;
-	if (getdns_dict_set_list(*response, "replies_full", &empty_list))
+	if ((r = getdns_dict_set_list(*response, "replies_full", &empty_list)))
 		goto error;
 
-	if (getdns_dict_set_list(*response, "replies_tree", &empty_list))
+	if ((r = getdns_dict_set_list(*response, "replies_tree", &empty_list)))
 		goto error;
 
-	if (getdns_dict_set_int(*response, "status", GETDNS_RESPSTATUS_GOOD))
+	if ((r=getdns_dict_set_int(*response,"status",GETDNS_RESPSTATUS_GOOD)))
 		goto error;
 
 	if (!ipv4 || !hnas->ipv4addrs) {
-		if (getdns_dict_set_list(*response,
-		    "just_address_answers", hnas->ipv6addrs))
+		if ((r = getdns_dict_set_list(*response,
+		    "just_address_answers", hnas->ipv6addrs)))
 			goto error;
 		return GETDNS_RETURN_GOOD;
 	} else if (!ipv6 || !hnas->ipv6addrs) {
-		if (getdns_dict_set_list(*response,
-		    "just_address_answers", hnas->ipv4addrs))
+		if ((r = getdns_dict_set_list(*response,
+		    "just_address_answers", hnas->ipv4addrs)))
 			goto error;
 		return GETDNS_RETURN_GOOD;
 	}
-	if (!(jaa = getdns_list_create_with_context(context)))
+	if (!(jaa = getdns_list_create_with_context(context))) {
+		r = GETDNS_RETURN_MEMORY_ERROR;
 		goto error;
+	}
 
 	for (i = 0; !getdns_list_get_dict(hnas->ipv4addrs, i, &addr); i++)
-		if (_getdns_list_append_dict(jaa, addr))
+		if ((r = _getdns_list_append_dict(jaa, addr)))
 			break;
 	for (i = 0; !getdns_list_get_dict(hnas->ipv6addrs, i, &addr); i++)
-		if (_getdns_list_append_dict(jaa, addr))
+		if ((r = _getdns_list_append_dict(jaa, addr)))
 			break;
-	if (!_getdns_dict_set_this_list(*response, "just_address_answers", jaa))
+	if (!(r = _getdns_dict_set_this_list(*response, "just_address_answers", jaa)))
 		return GETDNS_RETURN_GOOD;
 	else
 		getdns_list_destroy(jaa);
 error:
 	getdns_dict_destroy(*response);
-	return GETDNS_RETURN_GENERIC_ERROR;
+	return r;
 }
 
 struct mem_funcs *
@@ -4394,7 +4600,7 @@ getdns_context_get_dns_transport(
 
 	/* Best effort mapping for backwards compatibility*/
 	if (context->dns_transports[0] == GETDNS_TRANSPORT_UDP) {
-		if (context->dns_transport_count == 1) 
+		if (context->dns_transport_count == 1)
 			*value = GETDNS_TRANSPORT_UDP_ONLY;
 		else if (context->dns_transport_count == 2
 		     &&  context->dns_transports[1] == GETDNS_TRANSPORT_TCP)
@@ -4403,11 +4609,11 @@ getdns_context_get_dns_transport(
 			return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
 	}
 	if (context->dns_transports[0] == GETDNS_TRANSPORT_TCP) {
-		if (context->dns_transport_count == 1) 
+		if (context->dns_transport_count == 1)
 			*value = GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN;
 	}
 	if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS) {
-		if (context->dns_transport_count == 1) 
+		if (context->dns_transport_count == 1)
 			*value = GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN;
 		else if (context->dns_transport_count == 2
 		     &&  context->dns_transports[1] == GETDNS_TRANSPORT_TCP)
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 279abce0..7182d3c4 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -557,10 +557,14 @@ typedef enum getdns_loglevel_type {
 #define GETDNS_LOG_INFO_TEXT    "Informational message"
 #define GETDNS_LOG_DEBUG_TEXT   "Debug-level message"
 
-#define GETDNS_LOG_UPSTREAM_STATS 0x1000
+#define GETDNS_LOG_UPSTREAM_STATS 0x3000
 #define GETDNS_LOG_UPSTREAM_STATS_TEXT "Log messages about upstream statistics"
-#define GETDNS_LOG_SYS_STUB       0x2000
-#define GETDNS_LOG_SYS_STUB_TEXT "Log messages involving non upstream specific stub matters"
+#define GETDNS_LOG_SYS_STUB 0x2000
+#define GETDNS_LOG_SYS_STUB_TEXT "Log messages about stub resolving"
+#define GETDNS_LOG_SYS_RECURSING 0x4000
+#define GETDNS_LOG_SYS_RECURSING_TEXT "Log messages about recursive resolving"
+#define GETDNS_LOG_SYS_RESOLVING 0x6000
+#define GETDNS_LOG_SYS_RESOLVING_TEXT "Log messages about resolving"
 
 
 typedef void (*getdns_logfunc_type) (void *userarg, uint64_t log_systems,
diff --git a/src/mk-const-info.c.sh b/src/mk-const-info.c.sh
index 5915bc85..26c2f626 100755
--- a/src/mk-const-info.c.sh
+++ b/src/mk-const-info.c.sh
@@ -14,7 +14,7 @@ cat > const-info.c << END_OF_HEAD
 static struct const_info consts_info[] = {
 	{   -1, NULL, "/* <unknown getdns value> */" },
 END_OF_HEAD
-gawk '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z0-9_]+[ 	]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
+gawk --non-decimal-data '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z0-9_]+[ 	]+(0[xX][0-9a-fA-F]+|[0-9]+)/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 
@@ -49,7 +49,7 @@ getdns_get_errorstr_by_id(uint16_t err)
 
 static struct const_name_info consts_name_info[] = {
 END_OF_TAIL
-gawk '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
+gawk --non-decimal-data '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+(0[xX][0-9a-fA-F]+|[0-9]+)/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 

From fa9d8885f0f8045dd0d5337b7d18db53dc4ace07 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim.hague@acm.org>
Date: Thu, 13 Dec 2018 11:03:31 +0000
Subject: [PATCH 225/303] Fix problems with GnuTLS pinset handling.

Pinset validation now seems to work.
---
 src/gnutls/tls.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 21c85063..adfac78c 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -255,7 +255,7 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 	if (r == GNUTLS_E_SUCCESS)
 		r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred);
 	if (r == GNUTLS_E_SUCCESS)
-		r = dane_state_init(&res->dane_state, DANE_F_INSECURE | DANE_F_IGNORE_DNSSEC);
+		r = dane_state_init(&res->dane_state, DANE_F_IGNORE_DNSSEC);
 	if (r != DANE_E_SUCCESS) {
 		_getdns_tls_connection_free(mfs, res);
 		return NULL;
@@ -434,11 +434,9 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	if (!conn || !conn->tls || !auth_name)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	size_t tlsa_len = 0;
 	size_t npins = 0;
 	for (const sha256_pin_t* pin = pinset; pin; pin = pin->next)
 		npins++;
-	tlsa_len += (SHA256_DIGEST_LENGTH + 3) * 2;
 
 	GETDNS_FREE(*conn->mfs, conn->tlsa);
 	conn->tlsa = GETDNS_XMALLOC(*conn->mfs, char, npins * (SHA256_DIGEST_LENGTH + 3) * 2);
@@ -459,18 +457,18 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	char* p = conn->tlsa;
 	for (const sha256_pin_t* pin = pinset; pin; pin = pin->next) {
 		*dane_p++ = p;
-		*dane_len_p++ = SHA_DIGEST_LENGTH + 3;
-		p[0] = 2;
-		p[1] = 1;
-		p[2] = 1;
+		*dane_len_p++ = SHA256_DIGEST_LENGTH + 3;
+		p[0] = DANE_CERT_USAGE_LOCAL_CA;
+		p[1] = DANE_CERT_PK;
+		p[2] = DANE_MATCH_SHA2_256;
 		memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH);
 		p += SHA256_DIGEST_LENGTH + 3;
 
 		*dane_p++ = p;
-		*dane_len_p++ = SHA_DIGEST_LENGTH + 3;
-		p[0] = 3;
-		p[1] = 1;
-		p[2] = 1;
+		*dane_len_p++ = SHA256_DIGEST_LENGTH + 3;
+		p[0] = DANE_CERT_USAGE_LOCAL_EE;
+		p[1] = DANE_CERT_PK;
+		p[2] = DANE_MATCH_SHA2_256;
 		memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH);
 		p += SHA256_DIGEST_LENGTH + 3;
 	}
@@ -490,6 +488,10 @@ getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection
 	if (!conn || !conn->tls)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
+	/* If no pinset, no DANE info to check. */
+	if (!conn->dane_query)
+		return GETDNS_RETURN_GOOD;
+
 	/* Most of the internals of dane_verify_session_crt() */
 
 	const gnutls_datum_t* cert_list;
@@ -570,7 +572,7 @@ failsafe:
 	if (cl == new_cert_list)
 		clsize += 1;
 
-	ret = dane_verify_crt_raw(NULL, cl, clsize, type, conn->dane_query, 0, 0, &verify);
+	ret = dane_verify_crt_raw(conn->dane_state, cl, clsize, type, conn->dane_query, 0, 0, &verify);
 
 	if (new_cert_list) {
 		gnutls_free(new_cert_list[cert_list_size].data);
@@ -583,13 +585,13 @@ failsafe:
 	if (verify != 0) {
 		if (verify & DANE_VERIFY_CERT_DIFFERS) {
 			*errnum = 3;
-			*errmsg = "Certificate differs";
+			*errmsg = "Pinset validation: Certificate differs";
 		} else if (verify &  DANE_VERIFY_CA_CONSTRAINTS_VIOLATED) {
 			*errnum = 2;
-			*errmsg = "CA constraints violated";
+			*errmsg = "Pinset validation: CA constraints violated";
 		} else {
 			*errnum = 4;
-			*errmsg = "Unknown DANE info";
+			*errmsg = "Pinset validation: Unknown DANE info";
 		}
 		return GETDNS_RETURN_GENERIC_ERROR;
 	}

From 2759d727e5a5d5192f35e8d49dccc968b6108e85 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim.hague@acm.org>
Date: Thu, 13 Dec 2018 11:54:41 +0000
Subject: [PATCH 226/303] Minor speeling fix.

---
 src/stub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/stub.c b/src/stub.c
index d110cf06..b1e3772b 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -876,7 +876,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 	}
 	if (upstream->tls_fallback_ok) {
 		_getdns_tls_connection_set_cipher_list(tls, NULL);
-		DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
+		DEBUG_STUB("%s %-35s: WARNING: Using Opportunistic TLS (fallback allowed)!\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__);
 	} else {
 		if (upstream->tls_cipher_list)

From e8f34d48fb13b3d3c9141e7f5e319757e89b9ddc Mon Sep 17 00:00:00 2001
From: Jim Hague <jim.hague@acm.org>
Date: Thu, 13 Dec 2018 12:04:01 +0000
Subject: [PATCH 227/303] Adjust default cipher list so required authentication
 works with getdnsapi.

The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.

So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
---
 src/gnutls/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index adfac78c..fe6fbc07 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -48,7 +48,7 @@
  * a known working priority string.
  */
 char const * const _getdns_tls_context_default_cipher_list =
-	"SECURE192:-VERS-ALL:+VERS-TLS1.2";
+	"SECURE128:SECURE192:-VERS-TLS1.0:-VERS-TLS1.1";
 
 static char const * const _getdns_tls_connection_opportunistic_cipher_list =
 	"NORMAL";

From 41f4940072260c98a174d83f2f43222731ba9f72 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 13 Dec 2018 14:23:32 +0100
Subject: [PATCH 228/303] Log messages about trust anchor fetching and
 installing

---
 src/anchor.c                 | 316 ++++++++++++++++++++++-------------
 src/context.c                | 173 ++++++++++---------
 src/dnssec.c                 |   5 +-
 src/general.c                |   1 -
 src/getdns/getdns_extra.h.in |   3 +
 5 files changed, 301 insertions(+), 197 deletions(-)

diff --git a/src/anchor.c b/src/anchor.c
index 950176a7..afdf1bf1 100644
--- a/src/anchor.c
+++ b/src/anchor.c
@@ -703,7 +703,7 @@ static uint8_t *tas_validate(struct mem_funcs *mf,
 					success = NULL;
 				}
 			} else
-				DEBUG_ANCHOR("Could not allocate space for "
+				DEBUG_ANCHOR("Cannot allocate space for "
 				             "trust anchors\n");
 		} else {
 			success = tas;
@@ -736,57 +736,71 @@ void _getdns_context_equip_with_anchor(
 
 	if ((r = getdns_context_get_trust_anchors_verify_CA(
 	    context, &verify_CA)))
-		DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify"
-			     " CA: \"%s\"\n", __FUNC__
-			    , getdns_get_errorstr_by_id(r));
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Cannot get trust anchor verify CA: \"%s\"\n"
+			   , getdns_get_errorstr_by_id(r));
 
 	else if (!verify_CA || !*verify_CA)
-		DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely "
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+		           , "Trust anchor verification explicitely "
 		             "disabled by empty verify CA\n");
 
 	else if ((r = getdns_context_get_trust_anchors_verify_email(
 	    context, &verify_email)))
-		DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify email "
-		             "address: \"%s\"\n", __FUNC__
-		            , getdns_get_errorstr_by_id(r));
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Cannot get trust anchor verify email address: "
+			      "\"%s\"\n", getdns_get_errorstr_by_id(r));
 
 	else if (!verify_email || !*verify_email)
-		DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely "
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+		           , "Trust anchor verification explicitely "
 		             "disabled by empty verify email\n");
 
 	else if (!(xml_data = _getdns_context_get_priv_file(context,
 	    "root-anchors.xml", xml_spc, sizeof(xml_spc), &xml_len)))
-		DEBUG_ANCHOR("DEBUG %s(): root-anchors.xml not present\n"
-		            , __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+		           , "root-anchors.xml not present\n");
 
 	else if (!(p7s_data = _getdns_context_get_priv_file(context,
 	    "root-anchors.p7s", p7s_spc, sizeof(p7s_spc), &p7s_len)))
-		DEBUG_ANCHOR("DEBUG %s(): root-anchors.p7s not present\n"
-		            , __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+		           , "root-anchors.xml not present\n");
 
 	else if (!(xml = BIO_new_mem_buf(xml_data, xml_len)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n"
-		            , __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Failed allocating xml BIO\n");
 
 	else if (!(p7s = BIO_new_mem_buf(p7s_data, p7s_len)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n"
-		            , __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Failed allocating p7s BIO\n");
 
 	else if (!(crt = BIO_new_mem_buf((void *)verify_CA, -1)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n"
-		            , __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Failed allocating crt BIO\n");
 
 	else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL)))
-		DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n"
-		            , __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Cannot parse builtin certificate\n");
 
 	else if (!(store = X509_STORE_new()))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n"
-		            , __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Failed allocating X509 store\n");
 
 	else if (!X509_STORE_add_cert(store, x))
-		DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n"
-		            , __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Cannot add certificate to X509 store\n");
 
 	else if (_getdns_verify_p7sig(xml, p7s, store, verify_email)) {
 		uint8_t ta_spc[sizeof(context->trust_anchors_spc)];
@@ -799,15 +813,21 @@ void _getdns_context_equip_with_anchor(
 
 		if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms,
 		    (char *)xml_data, xml_len))
-			DEBUG_ANCHOR("Failed to parse trust anchor XML data");
+			_getdns_log( &context->log
+			           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Failed to parse trust anchor XML data\n");
+
 		else if ((ta_len = gldns_buffer_position(&gbuf)) > sizeof(ta_spc)) {
 			if ((ta = GETDNS_XMALLOC(context->mf, uint8_t, ta_len))) {
 				gldns_buffer_init_frm_data(&gbuf, ta,
 				    gldns_buffer_position(&gbuf));
 				if (!_getdns_parse_xml_trust_anchors_buf(
 				    &gbuf, now_ms, (char *)xml_data, xml_len)) {
-					DEBUG_ANCHOR("Failed to re-parse trust"
-					             " anchor XML data");
+					_getdns_log( &context->log
+						   , GETDNS_LOG_SYS_ANCHOR
+						   , GETDNS_LOG_ERR
+						   , "Error re-parsing trust "
+						     "anchor XML data\n");
 					GETDNS_FREE(context->mf, ta);
 				} else {
 					context->trust_anchors = ta;
@@ -816,7 +836,11 @@ void _getdns_context_equip_with_anchor(
 					_getdns_ta_notify_dnsreqs(context);
 				}
 			} else
-				DEBUG_ANCHOR("Could not allocate space for XML file");
+				_getdns_log( &context->log
+					   , GETDNS_LOG_SYS_ANCHOR
+					   , GETDNS_LOG_ERR
+					   , "Cannot allocate space for "
+					     "XML file");
 		} else {
 			(void)memcpy(context->trust_anchors_spc, ta_spc, ta_len);
 			context->trust_anchors = context->trust_anchors_spc;
@@ -828,7 +852,9 @@ void _getdns_context_equip_with_anchor(
 		    (void *)context->trust_anchors, (int)context->trust_anchors_len);
 		
 	} else {
-		DEBUG_ANCHOR("Verifying trust-anchors failed!\n");
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+			   , "Verifying trust-anchors XML failed!\n");
 	}
 	if (store)	X509_STORE_free(store);
 	if (x)		X509_free(x);
@@ -855,10 +881,8 @@ static const char tas_write_xml_p7s_buf[] =
 "\r\n";
 
 
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 static inline const char * rt_str(uint16_t rt)
 { return rt == GETDNS_RRTYPE_A ? "A" : rt == GETDNS_RRTYPE_AAAA ? "AAAA" : "?"; }
-#endif
 
 static int tas_busy(tas_connection *a)
 {
@@ -905,7 +929,8 @@ static void tas_success(getdns_context *context, tas_connection *a)
 	tas_cleanup(context, a);
 	tas_cleanup(context, other);
 
-	DEBUG_ANCHOR("Successfully fetched new trust anchors\n");
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+	           , "Successfully fetched new trust anchors\n");
 	context->trust_anchors_source = GETDNS_TASRC_XML;
 	_getdns_ta_notify_dnsreqs(context);
 }
@@ -913,22 +938,26 @@ static void tas_success(getdns_context *context, tas_connection *a)
 static void tas_fail(getdns_context *context, tas_connection *a)
 {
 	tas_connection *other = &context->a == a ? &context->aaaa : &context->a;
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 	uint16_t rt = &context->a == a ? GETDNS_RRTYPE_A : GETDNS_RRTYPE_AAAA;
-	uint16_t ort = rt == GETDNS_RRTYPE_A ? GETDNS_RRTYPE_AAAA : GETDNS_RRTYPE_A;
-#endif
+
 	tas_cleanup(context, a);
 
 	if (!tas_busy(other)) {
-		DEBUG_ANCHOR("Fatal error fetching trust anchor: "
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+			   , "Fatal error fetching trust anchor: "
 		             "%s connection failed too\n", rt_str(rt));
 		context->trust_anchors_source = GETDNS_TASRC_FAILED;
 		context->trust_anchors_backoff_expiry = 
 		    _getdns_get_now_ms() + context->trust_anchors_backoff_time;
 		_getdns_ta_notify_dnsreqs(context);
 	} else
-		DEBUG_ANCHOR("%s connection failed, waiting for %s\n"
-		            , rt_str(rt), rt_str(ort));
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+			   , "%s connection failed, waiting for %s\n"
+		            , rt_str(rt)
+			    , rt_str( rt == GETDNS_RRTYPE_A 
+				    ? GETDNS_RRTYPE_AAAA : GETDNS_RRTYPE_A));
 }
 
 static void tas_connect(getdns_context *context, tas_connection *a);
@@ -960,7 +989,9 @@ static void tas_timeout_cb(void *userarg)
 		a = &context->a;
 	else	a = &context->aaaa;
 
-	DEBUG_ANCHOR("Trust anchor fetch timeout\n");
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+	           , "Trust anchor fetch timeout\n");
+
 	GETDNS_CLEAR_EVENT(a->loop, &a->event);
 	tas_next(context, a);
 }
@@ -976,7 +1007,9 @@ static void tas_reconnect_cb(void *userarg)
 		a = &context->a;
 	else	a = &context->aaaa;
 
-	DEBUG_ANCHOR("Waiting for second document timeout. Reconnecting...\n");
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+	           , "Waiting for second document timeout. Reconnecting...\n");
+
 	GETDNS_CLEAR_EVENT(a->loop, &a->event);
 	close(a->fd);
 	a->fd = -1;
@@ -991,8 +1024,6 @@ static void tas_read_cb(void *userarg);
 static void tas_write_cb(void *userarg);
 static void tas_doc_read(getdns_context *context, tas_connection *a)
 {
-	DEBUG_ANCHOR("doc (size: %d)\n", (int)a->tcp.read_buf_len);
-
 	assert(a->tcp.read_pos == a->tcp.read_buf + a->tcp.read_buf_len);
 	assert(context);
 
@@ -1021,18 +1052,20 @@ static void tas_doc_read(getdns_context *context, tas_connection *a)
 
 		if ((r = getdns_context_get_trust_anchors_verify_CA(
 		    context, (const char **)&verify_CA.data)))
-			DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify"
-				     " CA: \"%s\"\n", __FUNC__
-				    , getdns_get_errorstr_by_id(r));
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Cannot get trust anchor verify CA: "
+				     "\"%s\"\n", getdns_get_errorstr_by_id(r));
 
 		else if (!(verify_CA.size = strlen((const char *)verify_CA.data)))
 			; /* pass */
 
 		else if ((r = getdns_context_get_trust_anchors_verify_email(
 		    context, &verify_email)))
-			DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify"
-				     " email address: \"%s\"\n", __FUNC__
-				    , getdns_get_errorstr_by_id(r));
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Cannot get trust anchor verify email: "
+				     "\"%s\"\n", getdns_get_errorstr_by_id(r));
 
 		else if (!(tas = tas_validate(&context->mf, &a->xml, &p7s_bd,
 		    &verify_CA, verify_email, &now_ms, tas, &tas_len)))
@@ -1157,7 +1190,11 @@ static void tas_read_cb(void *userarg)
 			DEBUG_ANCHOR("i: %d, n: %d, doc_len: %d\n"
 			            , (int)i, (int)n, doc_len);
 			if (!doc)
-				DEBUG_ANCHOR("Memory error");
+				_getdns_log( &context->log
+					   , GETDNS_LOG_SYS_ANCHOR
+					   , GETDNS_LOG_ERR
+					   , "Memory error while reading "
+					     "trust anchor\n");
 			else {
 				ssize_t surplus = n - i;
 
@@ -1204,7 +1241,11 @@ static void tas_read_cb(void *userarg)
 	} else if (_getdns_socketerror_wants_retry())
 		return;
 
-	DEBUG_ANCHOR("Read error: %d %s\n", (int)n, _getdns_errnostr());
+	_getdns_log( &context->log
+		   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		   , "Error while receiving trust anchor: %s\n"
+		   , _getdns_errnostr());
+
 	GETDNS_CLEAR_EVENT(a->loop, &a->event);
 	tas_next(context, a);
 }
@@ -1254,7 +1295,9 @@ static void tas_write_cb(void *userarg)
 	} else if (_getdns_socketerror_wants_retry())
 		return;
 
-	DEBUG_ANCHOR("Write error: %s\n", _getdns_errnostr());
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		   , "Error while sending to trust anchor site: %s\n"
+		   , _getdns_errnostr());
 	GETDNS_CLEAR_EVENT(a->loop, &a->event);
 	tas_next(context, a);
 }
@@ -1293,9 +1336,7 @@ static getdns_return_t _getdns_get_tas_url_hostname(
 
 static void tas_connect(getdns_context *context, tas_connection *a)
 {
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 	char a_buf[40];
-#endif
 	int r;
 
 #ifdef HAVE_FCNTL
@@ -1311,15 +1352,19 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 		tas_next(context, a);
 		return;
 	}
-	DEBUG_ANCHOR("Initiating connection to %s\n"
-		    , inet_ntop(( a->req->request_type == GETDNS_RRTYPE_A
-				? AF_INET : AF_INET6)
-	            , a->rr->rr_i.rr_type + 10, a_buf, sizeof(a_buf)));
+
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+		   , "Setting op connection to: %s\n"
+		   , inet_ntop( ( a->req->request_type == GETDNS_RRTYPE_A
+	                        ? AF_INET : AF_INET6)
+	                      , a->rr->rr_i.rr_type + 10
+	                      , a_buf, sizeof(a_buf)));
 
 	if ((a->fd = socket(( a->req->request_type == GETDNS_RRTYPE_A
 	    ? AF_INET : AF_INET6), SOCK_STREAM, IPPROTO_TCP)) == -1) {
-		DEBUG_ANCHOR("Error creating socket: %s\n",
-		             _getdns_errnostr());
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+			   , "Error creating socket: %s\n", _getdns_errnostr());
 		tas_next(context, a);
 		return;
 	}
@@ -1370,9 +1415,11 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 		}
 		if ((R = _getdns_get_tas_url_hostname(
 		    context, tas_hostname, &path))) {
-			DEBUG_ANCHOR("ERROR %s(): Could not get_tas_url_hostname"
-				     ": \"%s\"", __FUNC__
-				    , getdns_get_errorstr_by_id(r));
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Cannot get hostname from trust anchor "
+				     "url: \"%s\"\n"
+				   , getdns_get_errorstr_by_id(r));
 			goto error;
 		}
 		hostname_len = strlen(tas_hostname);
@@ -1380,8 +1427,10 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 			tas_hostname[--hostname_len] = '\0';
 		path_len = strlen(path);
 		if (path_len < 4) {
-			DEBUG_ANCHOR("ERROR %s(): path of tas_url \"%s\" too "
-			             "small\n", __FUNC__, path);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Trust anchor path \"%s\" too small\n"
+				   , path);
 			goto error;
 		}
 		if (a->state == TAS_RETRY_GET_PS7) {
@@ -1394,8 +1443,10 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 			fmt = tas_write_xml_p7s_buf;
 		}
 		if (!(write_buf = GETDNS_XMALLOC(context->mf, char, buf_sz))) {
-			DEBUG_ANCHOR("ERROR %s(): Could not allocate write "
-			             "buffer\n", __FUNC__);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Cannot allocate write buffer for "
+				     "sending to trust anchor host\n");
 			goto error;
 		}
 		if (a->state == TAS_RETRY_GET_PS7) {
@@ -1429,8 +1480,10 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 		DEBUG_ANCHOR("Scheduled write with event\n");
 		return;
 	} else
-		DEBUG_ANCHOR("Connect error: %s\n", _getdns_errnostr());
-
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+			   , "Error connecting to trust anchor host: %s\n "
+			   , _getdns_errnostr());
 error:
 	tas_next(context, a);
 }
@@ -1444,7 +1497,10 @@ static void tas_happy_eyeballs_cb(void *userarg)
 	if (tas_fetching(&context->aaaa))
 		return;
 	else {
-		DEBUG_ANCHOR("AAAA came too late, clearing Happy Eyeballs timer\n");
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+			   , "Too late reception of AAAA for trust anchor "
+			     "host for Happy Eyeballs\n");
 		GETDNS_CLEAR_EVENT(context->a.loop, &context->a.event);
 		tas_connect(context, &context->a);
 	}
@@ -1463,28 +1519,31 @@ static void _tas_hostname_lookup_cb(getdns_dns_req *dnsreq)
 	    &a->rrset_spc, a->req->response, a->req->response_len);
 
 	if (!a->rrset) {
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 		char tas_hostname[256] = "<no hostname>";
 		(void) _getdns_get_tas_url_hostname(context, tas_hostname, NULL);
-		DEBUG_ANCHOR("%s lookup for %s returned no response\n"
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+			   , "%s lookup for %s returned no response\n"
 		            , rt_str(a->req->request_type), tas_hostname);
-#endif
+
 	} else if (a->req->response_len < dnsreq->name_len + 12 ||
 	    !_getdns_dname_equal(a->req->response + 12, dnsreq->name) ||
 	    a->rrset->rr_type != a->req->request_type) {
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 		char tas_hostname[256] = "<no hostname>";
 		(void) _getdns_get_tas_url_hostname(context, tas_hostname, NULL);
-		DEBUG_ANCHOR("%s lookup for %s returned wrong response\n"
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+			   , "%s lookup for %s returned wrong response\n"
 		            , rt_str(a->req->request_type), tas_hostname);
-#endif
+
 	} else  if (!(a->rr = _getdns_rrtype_iter_init(&a->rr_spc, a->rrset))) {
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 		char tas_hostname[256] = "<no hostname>";
 		(void) _getdns_get_tas_url_hostname(context, tas_hostname, NULL);
-		DEBUG_ANCHOR("%s lookup for %s returned no addresses\n"
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+			   , "%s lookup for %s returned no addresses\n"
 		            , rt_str(a->req->request_type), tas_hostname);
-#endif
+
 	} else {
 		tas_connection *other = a == &context->a ? &context->aaaa
 		                                         : &context->a;
@@ -1494,8 +1553,9 @@ static void _tas_hostname_lookup_cb(getdns_dns_req *dnsreq)
 			; /* pass */
 
 		else if (a == &context->a && tas_busy(other)) {
-			DEBUG_ANCHOR("Postponing connection initiation: "
-			             "Happy Eyeballs\n");
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+				   , "Waiting 25ms for AAAA to arrive\n");
 			GETDNS_SCHEDULE_EVENT(a->loop, a->fd, 25,
 			    getdns_eventloop_event_init(&a->event,
 			    a->req->owner, NULL, NULL, tas_happy_eyeballs_cb));
@@ -1522,38 +1582,47 @@ void _getdns_start_fetching_ta(
 	const char *verify_email;
 
 	if ((r = _getdns_get_tas_url_hostname(context, tas_hostname, NULL))) {
-		DEBUG_ANCHOR("ERROR %s(): Could not get_tas_url_hostname"
-		             ": \"%s\"", __FUNC__
-		            , getdns_get_errorstr_by_id(r));
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+			   , "Cannot get hostname from trust anchor url: "
+			     "\"%s\"\n", getdns_get_errorstr_by_id(r));
 		return;
 
 	} else if ((r = getdns_context_get_trust_anchors_verify_CA(
 	    context, &verify_CA))) {
-		DEBUG_ANCHOR("ERROR %s(): Could not get verify CA"
-		             ": \"%s\"", __FUNC__
-		            , getdns_get_errorstr_by_id(r));
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Cannot get trust anchor verify CA: \"%s\"\n"
+			   , getdns_get_errorstr_by_id(r));
 		return;
 
 	} else if (!verify_CA || !*verify_CA) {
-		DEBUG_ANCHOR("NOTICE: Trust anchor fetching explicitely "
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+		           , "Trust anchor verification explicitely "
 		             "disabled by empty verify CA\n");
 		return;
 
 	} else if ((r = getdns_context_get_trust_anchors_verify_email(
 	    context, &verify_email))) {
-		DEBUG_ANCHOR("ERROR %s(): Could not get verify email address"
-		             ": \"%s\"", __FUNC__
-		            , getdns_get_errorstr_by_id(r));
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Cannot get trust anchor verify email: \"%s\"\n"
+			   , getdns_get_errorstr_by_id(r));
 		return;
 
 	} else if (!verify_email || !*verify_email) {
-		DEBUG_ANCHOR("NOTICE: Trust anchor fetching explicitely "
-		             "disabled by empty verify email address\n");
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+		           , "Trust anchor verification explicitely "
+		             "disabled by empty verify email\n");
 		return;
 
 	} else if (!_getdns_context_can_write_appdata(context)) {
-		DEBUG_ANCHOR("NOTICE %s(): Not fetching TA, because "
-		             "non writeable appdata directory\n", __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+		           , "Not fetching TA, because "
+		             "non writeable appdata directory\n");
 		return;
 	} 
 	DEBUG_ANCHOR("Hostname: %s\n", tas_hostname);
@@ -1561,34 +1630,36 @@ void _getdns_start_fetching_ta(
 	             loop == &context->sync_eventloop.loop ? "" : "a");
 
 	scheduled = 0;
-#if 1
 	context->a.state = TAS_LOOKUP_ADDRESSES;
 	if ((r = _getdns_general_loop(context, loop,
 	    tas_hostname, GETDNS_RRTYPE_A,
 	    no_dnssec_checking_disabled_opportunistic,
 	    context, &context->a.req, NULL, _tas_hostname_lookup_cb))) {
-		DEBUG_ANCHOR("Error scheduling A lookup for %s: %s\n"
-		            , tas_hostname, getdns_get_errorstr_by_id(r));
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+		           , "Error scheduling A lookup for %s: %s\n"
+		           , tas_hostname, getdns_get_errorstr_by_id(r));
 	} else
 		scheduled += 1;
-#endif
 
-#if 1
 	context->aaaa.state = TAS_LOOKUP_ADDRESSES;
 	if ((r = _getdns_general_loop(context, loop,
 	    tas_hostname, GETDNS_RRTYPE_AAAA,
 	    no_dnssec_checking_disabled_opportunistic,
 	    context, &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) {
-		DEBUG_ANCHOR("Error scheduling AAAA lookup for %s: %s\n"
-		            , tas_hostname, getdns_get_errorstr_by_id(r));
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+		           , "Error scheduling AAAA lookup for %s: %s\n"
+		           , tas_hostname, getdns_get_errorstr_by_id(r));
 	} else
 		scheduled += 1;
-#endif
 
 	if (!scheduled) {
-		DEBUG_ANCHOR("Fatal error fetching trust anchor: Unable to "
-		             "schedule address requests for %s\n"
-		            , tas_hostname);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+		           , "Error scheduling address lookups for %s\n"
+		           , tas_hostname);
+
 		context->trust_anchors_source = GETDNS_TASRC_FAILED;
 		if (now_ms) {
 			if (*now_ms == 0) *now_ms = _getdns_get_now_ms();
@@ -1713,7 +1784,10 @@ static void _getdns_context_read_root_ksk(getdns_context *context)
 			buf_sz *= 2;
 		}
 		if (!(buf = GETDNS_XMALLOC(context->mf, uint8_t, buf_sz))) {
-			DEBUG_ANCHOR("ERROR %s(): Memory error\n", __FUNC__);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Error allocating memory to read "
+				     "root.key\n");
 			break;;
 		}
 		ptr = buf;
@@ -1798,8 +1872,10 @@ _getdns_context_update_root_ksk(
 			break;
 		}
 		if (str_buf != str_spc) {
-			DEBUG_ANCHOR("ERROR %s(): Buffer size determination "
-			             "error\n", __FUNC__);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Error determining buffer size for root "
+				     "KSK\n");
 			if (str_buf)
 				GETDNS_FREE(context->mf, str_buf);
 
@@ -1807,11 +1883,13 @@ _getdns_context_update_root_ksk(
 		}
 		if (!(str_pos = str_buf = GETDNS_XMALLOC( context->mf, char,
 		    (str_sz = sizeof(str_spc) - remaining) + 1))) {
-			DEBUG_ANCHOR("ERROR %s(): Memory error\n", __FUNC__);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Error allocating memory to read "
+				     "root KSK\n");
 			return;
 		}
 		remaining = str_sz + 1;
-		DEBUG_ANCHOR("Retrying with buf size: %d\n", remaining);
 	};
 
 	/* Write presentation format DNSKEY rrset to "root.key" file */
@@ -1886,17 +1964,21 @@ _getdns_context_update_root_ksk(
 					break;
 			}
 			if (!ta) {
-				DEBUG_ANCHOR("NOTICE %s(): Key with id %d "
-				             "*not* found in TA.\n"
-				             "\"root-anchors.xml\" need "
-					     "updating.\n", __FUNC__
+				_getdns_log( &context->log
+					   , GETDNS_LOG_SYS_ANCHOR
+					   , GETDNS_LOG_NOTICE
+					   , "Key with id %d not found in TA; "
+				             "\"root-anchors.xml\" needs to be "
+					     "updated.\n"
 				            , context->root_ksk.ids[i]);
 				context->trust_anchors_source =
 				    GETDNS_TASRC_XML_UPDATE;
 				break;
 			}
-			DEBUG_ANCHOR("DEBUG %s(): Key with id %d found in TA\n"
-			            , __FUNC__, context->root_ksk.ids[i]);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+				   , "Key with id %d found in TA\n"
+			           , context->root_ksk.ids[i]);
 		}
 	}
 	if (str_buf && str_buf != str_spc)
diff --git a/src/context.c b/src/context.c
index 0b8e4e49..23bd0e75 100644
--- a/src/context.c
+++ b/src/context.c
@@ -5148,12 +5148,15 @@ static size_t _getdns_get_appdata(const getdns_context *context, char *path)
 
 	} else if (! SUCCEEDED(SHGetFolderPath(NULL,
 	    CSIDL_APPDATA | CSIDL_FLAG_CREATE, NULL, 0, path)))
-		DEBUG_ANCHOR("ERROR %s(): Could not get %%AppData%% directory\n"
-		            , __FUNC__);
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_NOTICE
+			   , "Could not get %%AppData%% directory\n");
 
-	else if ((len = strlen(path)) + sizeof(APPDATA_SUBDIR) + 2 >= _GETDNS_PATH_MAX)
-		DEBUG_ANCHOR("ERROR %s(): Home path too long for appdata\n"
-		            , __FUNC__);
+	else if ((len = strlen(path))
+			+ sizeof(APPDATA_SUBDIR) + 2 >= _GETDNS_PATH_MAX)
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Path name for appdata directory too long\n");
 #else
 # define SLASHTOK '/'
 # define APPDATA_SUBDIR ".getdns"
@@ -5165,12 +5168,14 @@ static size_t _getdns_get_appdata(const getdns_context *context, char *path)
 		len = strlen(path);
 
 	} else if (!(home = p ? p->pw_dir : getenv("HOME")))
-		DEBUG_ANCHOR("ERROR %s(): Could not get home directory\n"
-		            , __FUNC__);
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_NOTICE
+		           , "Unable to determine home directory location\n");
 
 	else if ((len = strlen(home)) + sizeof(APPDATA_SUBDIR) + 2 >= _GETDNS_PATH_MAX)
-		DEBUG_ANCHOR("ERROR %s(): Home path too long for appdata\n"
-		            , __FUNC__);
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Path name for appdata directory too long\n");
 
 	else if (!strcpy(path, home))
 		; /* strcpy returns path always */
@@ -5195,8 +5200,10 @@ static size_t _getdns_get_appdata(const getdns_context *context, char *path)
 		    mkdir(path, 0755)
 #endif
 		    && errno != EEXIST)
-			DEBUG_ANCHOR("ERROR %s(): Could not mkdir %s: %s\n"
-				    , __FUNC__, path, strerror(errno));
+			_getdns_log(&context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "mkdir(\"%s\") failed: %s\n"
+				   , path, _getdns_errnostr());
 		else {
 			path[len++] = SLASHTOK;
 			path[len  ] = '\0';
@@ -5214,26 +5221,20 @@ FILE *_getdns_context_get_priv_fp(
 	FILE *f = NULL;
 	size_t len = _getdns_get_appdata(context, path);
 
-	(void) context;
-/*
- * Commented out to enable fallback to current directory
- *
- *	if (!(len = _getdns_get_appdata(context, path)))
- *		DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n"
- *		            , __FUNC__);
- *
- *	else
- */
 	if (len + strlen(fn) >= sizeof(path))
-		DEBUG_ANCHOR("ERROR %s(): Application data too long\n", __FUNC__);
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Path name for appdata directory too long\n");
+
 
 	else if (!strcpy(path + len, fn))
 		; /* strcpy returns path + len always */
 
 	else if (!(f = fopen(path, "r")))
-		DEBUG_ANCHOR("ERROR %s(): Opening \"%s\": %s\n"
-		            , __FUNC__, path, strerror(errno));
-
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+		           , "Error opening \"%s\": %s\n"
+			   , path, _getdns_errnostr());
 	return f;
 }
 
@@ -5251,20 +5252,26 @@ uint8_t *_getdns_context_get_priv_file(const getdns_context *context,
 		return buf;
 	}
 	else if (fseek(f, 0, SEEK_END) < 0)
-		DEBUG_ANCHOR("ERROR %s(): Determining size of \"%s\": %s\n"
-		            , __FUNC__, fn, strerror(errno));
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Error determining size of \"%s\": %s\n"
+			   , fn, _getdns_errnostr());
 
 	else if (!(buf = GETDNS_XMALLOC(
 	    context->mf, uint8_t, (buf_len = ftell(f) + 1))))
-		DEBUG_ANCHOR("ERROR %s(): Allocating %d memory for \"%s\"\n"
-		            , __FUNC__, (int)buf_len, fn);
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Error allocating %d bytes of memory for \"%s\"\n"
+			   , (int)buf_len, fn);
 
 	else {
 		rewind(f);
 		if ((*file_sz = fread(buf, 1, buf_len, f)) >= buf_len || !feof(f)) {
 			GETDNS_FREE(context->mf, buf);
-			DEBUG_ANCHOR("ERROR %s(): Reading \"%s\": %s\n"
-				    , __FUNC__, fn, strerror(errno));
+			_getdns_log(&context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Error reding \"%s\": %s\n"
+				   , fn, _getdns_errnostr());
 		}
 		else {
 			buf[*file_sz] = 0;
@@ -5286,46 +5293,51 @@ int _getdns_context_write_priv_file(getdns_context *context,
 	FILE *f = NULL;
 	size_t len = _getdns_get_appdata(context, path);
 
-/*
- * Commented out to enable fallback to current directory
- *
- *	if (!(len = _getdns_get_appdata(context, path)))
- *		DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n"
- *		            , __FUNC__);
- *
- *	else
- */
 	if (len + 6          >= sizeof(tmpfn)
 	     ||  len + strlen(fn) >= sizeof(path))
-		DEBUG_ANCHOR("ERROR %s(): Application data too long\n", __FUNC__);
-
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Application data filename \"%s\" too long\n"
+			   , fn);
 
 	else if (snprintf(tmpfn, sizeof(tmpfn), "%sXXXXXX", path) < 0)
-		DEBUG_ANCHOR("ERROR %s(): Creating temporary filename template: \"%s\"\n"
-		            , __FUNC__, tmpfn);
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Error creating temporary file template \"%s\"\n"
+			   , tmpfn);
 
 	else if (!strcpy(path + len, fn))
 		; /* strcpy returns path + len always */
 
 	else if ((fd = mkstemp(tmpfn)) < 0)
-		DEBUG_ANCHOR("ERROR %s(): Creating temporary file \"%s\": %s\n"
-		            , __FUNC__, tmpfn, strerror(errno));
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+		           , "Could not create temporary file \"%s\": %s\n"
+			   , tmpfn, _getdns_errnostr());
 
 	else if (!(f = fdopen(fd, "w")))
-		DEBUG_ANCHOR("ERROR %s(): Opening temporary file: %s\n"
-		            , __FUNC__, strerror(errno));
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Error opening temporary file \"%s\": %s\n"
+			   , tmpfn, _getdns_errnostr());
 
 	else if (fwrite(content->data, 1, content->size, f) < content->size)
-		DEBUG_ANCHOR("ERROR %s(): Writing temporary file: %s\n"
-		            , __FUNC__, strerror(errno));
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Error writing to temporary file \"%s\": %s\n"
+			   , tmpfn, _getdns_errnostr());
 
 	else if (fclose(f) < 0)
-		DEBUG_ANCHOR("ERROR %s(): Closing temporary file: %s\n"
-		            , __FUNC__, strerror(errno));
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Error closing temporary file \"%s\": %s\n"
+			   , tmpfn, _getdns_errnostr());
 
 	else if (rename(tmpfn, path) < 0)
-		DEBUG_ANCHOR("ERROR %s(): Renaming temporary file: %s\n"
-		            , __FUNC__, strerror(errno));
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Error renaming temporary file \"%s\" to \"%s\""
+			     ": %s\n", tmpfn, path, _getdns_errnostr());
 	else {
 		context->can_write_appdata = PROP_ABLE;
 		return 1;
@@ -5359,26 +5371,21 @@ int _getdns_context_can_write_appdata(getdns_context *context)
 		return 0;
 
 	len = _getdns_get_appdata(context, path);
-/*
- * Commented out to enable fallback to current directory
- *
- *
- *	if (!(len = _getdns_get_appdata(context, path)))
- *		DEBUG_ANCHOR("ERROR %s(): Could not get application data path\n"
- *		            , __FUNC__);
- *
- *	else
- */
+
 	if (len + strlen(test_fn) >= sizeof(path))
-		DEBUG_ANCHOR("ERROR %s(): Application data too long\n", __FUNC__);
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Application data too long \"%s\" + \"%s\"\n"
+			   , path, test_fn);
 
 	else if (!strcpy(path + len, test_fn))
 		; /* strcpy returns path + len always */
 
 	else if (unlink(path) < 0)
-		DEBUG_ANCHOR("ERROR %s(): Unlinking write test file \"%s\": %s\n"
-		            , __FUNC__, path, strerror(errno));
-
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Error unlinking write test file: \"%s\": %s\n"
+			   , path, _getdns_errnostr());
 	return 1;
 }
 
@@ -5537,26 +5544,36 @@ getdns_context *_getdns_context_get_sys_ctxt(
 	   &context->sys_ctxt, 1, context->mf.mf_arg,
 	    context->mf.mf.ext.malloc, context->mf.mf.ext.realloc,
 	    context->mf.mf.ext.free)))
-		DEBUG_ANCHOR("Could not create system context: %s\n"
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Could not create system context: %s\n"
 			    , getdns_get_errorstr_by_id(r));
 #ifndef USE_WINSOCK
 	else if (*context->fchg_resolvconf.fn &&
 	    (r = getdns_context_set_resolvconf(
 	    context->sys_ctxt, context->fchg_resolvconf.fn)))
-		DEBUG_ANCHOR("Could initialize system context with resolvconf "
-		             "\"%s\": %s\n", context->fchg_resolvconf.fn
-			    , getdns_get_errorstr_by_id(r));
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Could not initialize system context with "
+			     "resolvconf \"%s\": %s\n"
+			   , context->fchg_resolvconf.fn
+			   , getdns_get_errorstr_by_id(r));
 #endif
 	else if (*context->fchg_hosts.fn &&
 	    (r = getdns_context_set_hosts(
 	    context->sys_ctxt, context->fchg_hosts.fn)))
-		DEBUG_ANCHOR("Could initialize system context with hosts "
-		             "\"%s\": %s\n", context->fchg_resolvconf.fn
-			    , getdns_get_errorstr_by_id(r));
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Could not initialize system context with "
+			     "hosts \"%s\": %s\n"
+			   , context->fchg_hosts.fn
+			   , getdns_get_errorstr_by_id(r));
 
 	else if ((r = getdns_context_set_eventloop(
 	    context->sys_ctxt, loop)))
-		DEBUG_ANCHOR("Could not configure %ssynchronous loop "
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Could not configure %ssynchronous loop "
 			     "with system context: %s\n"
 			    , ( loop == &context->sync_eventloop.loop
 			      ? "" : "a" )
@@ -5564,7 +5581,9 @@ getdns_context *_getdns_context_get_sys_ctxt(
 
 	else if ((r = getdns_context_set_resolution_type(
 	    context->sys_ctxt, GETDNS_RESOLUTION_STUB)))
-		DEBUG_ANCHOR("Could not configure system context for "
+		_getdns_log(&context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Could not configure system context for "
 			     "stub resolver: %s\n"
 			    , getdns_get_errorstr_by_id(r));
 	else
diff --git a/src/dnssec.c b/src/dnssec.c
index 0e318c7e..d4f6aff3 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3289,7 +3289,6 @@ static void check_chain_complete(chain_head *chain)
        	
 	} else if (_getdns_bogus(dnsreq)) {
 		_getdns_rrsig_iter rrsig_spc;
-		DEBUG_ANCHOR("Request was bogus!\n");
 
 		if ((head = chain) && (node = _to_the_root(head->parent))
  		    /* The root DNSKEY rrset */
@@ -3302,7 +3301,9 @@ static void check_chain_complete(chain_head *chain)
 		    && _getdns_rrsig_iter_init(&rrsig_spc, &node->dnskey)
 		    ){
 
-			DEBUG_ANCHOR("root DNSKEY set was bogus!\n");
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_NOTICE
+				   , "root DNSKEY set was bogus!\n");
 			if (!dnsreq->waiting_for_ta) {
 				uint64_t now_ms = 0;
 
diff --git a/src/general.c b/src/general.c
index f3170072..cb923187 100644
--- a/src/general.c
+++ b/src/general.c
@@ -243,7 +243,6 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
 #if defined(REQ_DEBUG) && REQ_DEBUG
 		debug_req("getting validation chain for ", *dns_req->netreqs);
 #endif
-		DEBUG_ANCHOR("Valchain lookup\n");
 		_getdns_get_validation_chain(dns_req);
 	} else
 		_getdns_call_user_callback(
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 7182d3c4..a11b52ea 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -565,6 +565,9 @@ typedef enum getdns_loglevel_type {
 #define GETDNS_LOG_SYS_RECURSING_TEXT "Log messages about recursive resolving"
 #define GETDNS_LOG_SYS_RESOLVING 0x6000
 #define GETDNS_LOG_SYS_RESOLVING_TEXT "Log messages about resolving"
+#define GETDNS_LOG_SYS_ANCHOR 0x8000
+#define GETDNS_LOG_SYS_ANCHOR_TEXT "Log messages about fetching trust anchors"
+
 
 
 typedef void (*getdns_logfunc_type) (void *userarg, uint64_t log_systems,

From a4590bafcbc3f55a44ca4cca4dff2acdbdad9ef4 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim.hague@acm.org>
Date: Thu, 13 Dec 2018 13:33:54 +0000
Subject: [PATCH 229/303] Implement reading CAs from file or dir.

I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little diggiing shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
---
 src/gnutls/tls-internal.h |  2 ++
 src/gnutls/tls.c          | 50 ++++++++++++++++++++++++++-------------
 2 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index 9186184a..1fafe550 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -59,6 +59,8 @@ typedef struct _getdns_tls_context {
 	char* cipher_list;
 	char* curve_list;
 	bool min_proto_1_2;
+	char* ca_trust_file;
+	char* ca_trust_path;
 } _getdns_tls_context;
 
 typedef struct _getdns_tls_connection {
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index fe6fbc07..e7265ee1 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -167,6 +167,9 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
 	res->mfs = mfs;
 	res->min_proto_1_2 = false;
 	res->cipher_list = res->curve_list = NULL;
+	res->ca_trust_file = NULL;
+	res->ca_trust_path = NULL;
+
 	return res;
 }
 
@@ -174,6 +177,9 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont
 {
 	if (!ctx)
 		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	GETDNS_FREE(*mfs, ctx->ca_trust_path);
+	GETDNS_FREE(*mfs, ctx->ca_trust_file);
 	GETDNS_FREE(*mfs, ctx->curve_list);
 	GETDNS_FREE(*mfs, ctx->cipher_list);
 	GETDNS_FREE(*mfs, ctx);
@@ -218,18 +224,19 @@ getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, co
 
 getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path)
 {
-	(void) file;
-	(void) path;
-
 	if (!ctx)
 		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	GETDNS_FREE(*ctx->mfs, ctx->ca_trust_file);
+	ctx->ca_trust_file = getdns_strdup(ctx->mfs, file);
+	GETDNS_FREE(*ctx->mfs, ctx->ca_trust_path);
+	ctx->ca_trust_path = getdns_strdup(ctx->mfs, path);
 	return GETDNS_RETURN_GOOD;
 }
 
 _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd)
 {
 	_getdns_tls_connection* res;
-	int r;
 
 	if (!ctx)
 		return NULL;
@@ -245,24 +252,33 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 	res->dane_query = NULL;
 	res->tlsa = NULL;
 
-	r = gnutls_certificate_allocate_credentials(&res->cred);
-	if (r == GNUTLS_E_SUCCESS)
+	if (gnutls_certificate_allocate_credentials(&res->cred) != GNUTLS_E_SUCCESS)
+		goto failed;
+
+	if (!ctx->ca_trust_file && !ctx->ca_trust_path)
 		gnutls_certificate_set_x509_system_trust(res->cred);
-	if (r == GNUTLS_E_SUCCESS)
-		r = gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK);
-	if (r == GNUTLS_E_SUCCESS)
-		r = set_connection_ciphers(res);
-	if (r == GNUTLS_E_SUCCESS)
-		r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred);
-	if (r == GNUTLS_E_SUCCESS)
-		r = dane_state_init(&res->dane_state, DANE_F_IGNORE_DNSSEC);
-	if (r != DANE_E_SUCCESS) {
-		_getdns_tls_connection_free(mfs, res);
-		return NULL;
+	else {
+		if (ctx->ca_trust_file)
+			gnutls_certificate_set_x509_trust_file(res->cred, ctx->ca_trust_file, GNUTLS_X509_FMT_PEM);
+		if (ctx->ca_trust_path)
+			gnutls_certificate_set_x509_trust_dir(res->cred, ctx->ca_trust_path, GNUTLS_X509_FMT_PEM);
 	}
 
+	if (gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK) != GNUTLS_E_SUCCESS)
+		goto failed;
+	if (set_connection_ciphers(res) != GNUTLS_E_SUCCESS)
+		goto failed;
+	if (gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred) != GNUTLS_E_SUCCESS)
+		goto failed;
+	if (dane_state_init(&res->dane_state, DANE_F_IGNORE_DNSSEC) != DANE_E_SUCCESS)
+		goto failed;
+
 	gnutls_transport_set_int(res->tls, fd);
 	return res;
+
+failed:
+	_getdns_tls_connection_free(mfs, res);
+	return NULL;
 }
 
 getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn)

From 93b7cb6a01f8541bbcc53d6628bdc41d0c8cebe9 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 13 Dec 2018 14:53:41 +0100
Subject: [PATCH 230/303] ZONEMD rr-type

---
 ChangeLog              |  1 +
 src/getdns/getdns.h.in |  1 +
 src/gldns/rrdef.c      |  6 +++++-
 src/gldns/rrdef.h      |  1 +
 src/rr-dict.c          | 11 ++++++++---
 5 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 415b35ca..5133ba7b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 * 2018-12-??: Version 1.5.0
+  * ZONEMD rr-type
   * getdns_query queries for addresses when a query name
     without a type is given.
   * RFE #408: Fetching of trust anchors will be retried
diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in
index b3ef64e1..5e4873b5 100644
--- a/src/getdns/getdns.h.in
+++ b/src/getdns/getdns.h.in
@@ -416,6 +416,7 @@ typedef enum getdns_callback_type_t {
 #define GETDNS_RRTYPE_CDNSKEY   60
 #define GETDNS_RRTYPE_OPENPGPKEY 61
 #define GETDNS_RRTYPE_CSYNC     62
+#define GETDNS_RRTYPE_ZONEMD    63
 #define GETDNS_RRTYPE_SPF       99
 #define GETDNS_RRTYPE_UINFO     100
 #define GETDNS_RRTYPE_UID       101
diff --git a/src/gldns/rrdef.c b/src/gldns/rrdef.c
index 52e9cf3b..9f27a5a1 100644
--- a/src/gldns/rrdef.c
+++ b/src/gldns/rrdef.c
@@ -150,6 +150,9 @@ static const gldns_rdf_type type_openpgpkey_wireformat[] = {
 static const gldns_rdf_type type_csync_wireformat[] = {
 	GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT16, GLDNS_RDF_TYPE_NSEC
 };
+static const gldns_rdf_type type_zonemd_wireformat[] = {
+	GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT8, GLDNS_RDF_TYPE_INT8, GLDNS_RDF_TYPE_HEX
+};
 /* nsec3 is some vars, followed by same type of data of nsec */
 static const gldns_rdf_type type_nsec3_wireformat[] = {
 /*	GLDNS_RDF_TYPE_NSEC3_VARS, GLDNS_RDF_TYPE_NSEC3_NEXT_OWNER, GLDNS_RDF_TYPE_NSEC*/
@@ -372,7 +375,8 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 {GLDNS_RR_TYPE_OPENPGPKEY, "OPENPGPKEY", 1, 1, type_openpgpkey_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 62 */
 	{GLDNS_RR_TYPE_CSYNC, "CSYNC", 3, 3, type_csync_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE63", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+	/* 63 */
+	{GLDNS_RR_TYPE_ZONEMD, "ZONEMD", 4, 4, type_zonemd_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 {GLDNS_RR_TYPE_NULL, "TYPE64", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 {GLDNS_RR_TYPE_NULL, "TYPE65", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 {GLDNS_RR_TYPE_NULL, "TYPE66", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
diff --git a/src/gldns/rrdef.h b/src/gldns/rrdef.h
index ecbf0749..a11984b3 100644
--- a/src/gldns/rrdef.h
+++ b/src/gldns/rrdef.h
@@ -195,6 +195,7 @@ enum gldns_enum_rr_type
 	GLDNS_RR_TYPE_CDNSKEY = 60, /** RFC 7344 */
 	GLDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
 	GLDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
+	GLDNS_RR_TYPE_ZONEMD = 63, /* draft-wessels-dns-zone-digest */
 
 	GLDNS_RR_TYPE_SPF = 99, /* RFC 4408 */
 
diff --git a/src/rr-dict.c b/src/rr-dict.c
index ab0c2b82..79fb7bcc 100644
--- a/src/rr-dict.c
+++ b/src/rr-dict.c
@@ -613,6 +613,11 @@ static _getdns_rdata_def        csync_rdata[] = {
 	{ "serial"                      , GETDNS_RDF_I4     , NULL },
 	{ "flags"                       , GETDNS_RDF_I2     , NULL },
 	{ "type_bit_maps"               , GETDNS_RDF_X      , NULL }};
+static _getdns_rdata_def     zonemd_rdata[] = {
+	{ "serial"                      , GETDNS_RDF_I4     , NULL },
+	{ "digest_type"                 , GETDNS_RDF_I1     , NULL },
+	{ "reserved"                    , GETDNS_RDF_I1     , NULL },
+	{ "digest"                      , GETDNS_RDF_X      , NULL }};
 static _getdns_rdata_def        spf_rdata[] = {
 	{ "text"                        , GETDNS_RDF_S_M    , NULL }};
 static _getdns_rdata_def        nid_rdata[] = {
@@ -723,9 +728,9 @@ static _getdns_rr_def _getdns_rr_defs[] = {
 	{     "TALINK",     talink_rdata, ALEN(    talink_rdata) },
 	{        "CDS",         ds_rdata, ALEN(        ds_rdata) },
 	{    "CDNSKEY",     dnskey_rdata, ALEN(    dnskey_rdata) },
-	{ "OPENPGPKEY", openpgpkey_rdata, ALEN(openpgpkey_rdata) }, /* 61 - */
-	{      "CSYNC",      csync_rdata, ALEN(     csync_rdata) }, /* - 62 */
-	{         NULL,             NULL, 0                      },
+	{ "OPENPGPKEY", openpgpkey_rdata, ALEN(openpgpkey_rdata) },
+	{      "CSYNC",      csync_rdata, ALEN(     csync_rdata) },
+	{     "ZONEMD",     zonemd_rdata, ALEN(    zonemd_rdata) }, /* - 63 */
 	{         NULL,             NULL, 0                      },
 	{         NULL,             NULL, 0                      },
 	{         NULL,             NULL, 0                      },

From 154f98e32115777201d117db482f0e4ae04d2cd3 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 13 Dec 2018 15:24:19 +0100
Subject: [PATCH 231/303] Update consts

---
 src/const-info.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/const-info.c b/src/const-info.c
index 2de662e5..ebff80a4 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -128,6 +128,7 @@ static struct const_info consts_info[] = {
 	{   12288, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT },
 	{   16384, "GETDNS_LOG_SYS_RECURSING", GETDNS_LOG_SYS_RECURSING_TEXT },
 	{   24576, "GETDNS_LOG_SYS_RESOLVING", GETDNS_LOG_SYS_RESOLVING_TEXT },
+	{   32768, "GETDNS_LOG_SYS_ANCHOR", GETDNS_LOG_SYS_ANCHOR_TEXT },
 };
 
 static int const_info_cmp(const void *a, const void *b)
@@ -228,6 +229,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_LOG_ERR", 3 },
 	{ "GETDNS_LOG_INFO", 6 },
 	{ "GETDNS_LOG_NOTICE", 5 },
+	{ "GETDNS_LOG_SYS_ANCHOR", 32768 },
 	{ "GETDNS_LOG_SYS_RECURSING", 16384 },
 	{ "GETDNS_LOG_SYS_RESOLVING", 24576 },
 	{ "GETDNS_LOG_SYS_STUB", 8192 },
@@ -382,6 +384,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_URI", 256 },
 	{ "GETDNS_RRTYPE_WKS", 11 },
 	{ "GETDNS_RRTYPE_X25", 19 },
+	{ "GETDNS_RRTYPE_ZONEMD", 63 },
 	{ "GETDNS_SSL3", 1400 },
 	{ "GETDNS_TLS1", 1401 },
 	{ "GETDNS_TLS1_1", 1402 },

From eecc18703a71ed5c00e8a9ae5e863707ad2deeac Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 13 Dec 2018 15:24:27 +0100
Subject: [PATCH 232/303] Issue found with static analysis

---
 src/context.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/context.c b/src/context.c
index 23bd0e75..aaea6d59 100644
--- a/src/context.c
+++ b/src/context.c
@@ -4637,9 +4637,9 @@ getdns_context_get_dns_transport_list(const getdns_context *context,
 	}
 	// use normal malloc here so users can do normal free
 	*transports = malloc(
-	    context->dns_transport_count * sizeof(getdns_transport_t));
+	    context->dns_transport_count * sizeof(getdns_transport_list_t));
 	memcpy(*transports, context->dns_transports,
-	    context->dns_transport_count * sizeof(getdns_transport_t));
+	    context->dns_transport_count * sizeof(getdns_transport_list_t));
 	return GETDNS_RETURN_GOOD;
 }
 

From dc6bb0fa524858ee263abe2e964817dc30a15b1a Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 13 Dec 2018 15:24:37 +0100
Subject: [PATCH 233/303] Something wrong with /etc/hosts?

---
 src/test/check_getdns_address.h      |  2 +-
 src/test/check_getdns_address_sync.h |  2 +-
 src/test/check_getdns_common.c       | 10 +++++++---
 src/test/check_getdns_common.h       |  1 +
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/test/check_getdns_address.h b/src/test/check_getdns_address.h
index f898bdd8..10e4b7b2 100644
--- a/src/test/check_getdns_address.h
+++ b/src/test/check_getdns_address.h
@@ -192,7 +192,7 @@
        CONTEXT_CREATE(TRUE);
        EVENT_BASE_CREATE;
 
-       ASSERT_RC(getdns_address(context, "localhost", NULL,
+       ASSERT_RC(getdns_address(context, "localhost.", NULL,
          &fn_ref, &transaction_id, callbackfn),
          GETDNS_RETURN_GOOD, "Return code from getdns_address()");
 
diff --git a/src/test/check_getdns_address_sync.h b/src/test/check_getdns_address_sync.h
index f9e6b97d..07f8408f 100644
--- a/src/test/check_getdns_address_sync.h
+++ b/src/test/check_getdns_address_sync.h
@@ -127,7 +127,7 @@
      
        CONTEXT_CREATE(TRUE);
 
-       ASSERT_RC(getdns_address_sync(context, "localhost", NULL, &response), 
+       ASSERT_RC(getdns_address_sync(context, "localhost.", NULL, &response), 
          GETDNS_RETURN_GOOD, "Return code from getdns_address_sync()");
 
        EXTRACT_LOCAL_RESPONSE;
diff --git a/src/test/check_getdns_common.c b/src/test/check_getdns_common.c
index af894be5..a13e671a 100644
--- a/src/test/check_getdns_common.c
+++ b/src/test/check_getdns_common.c
@@ -70,6 +70,7 @@ void extract_response(struct getdns_dict *response, struct extracted_response *e
    * If it is absent, do not try to decompose the replies_tree, because the
    * answer most likely came not from DNS.
    */
+  ex_response->reponse = response;
   have_answer_type = getdns_dict_get_int(response, "answer_type", &ex_response->top_answer_type) ==
     GETDNS_RETURN_GOOD;
 
@@ -233,11 +234,14 @@ void assert_address_in_answer(struct extracted_response *ex_response, int a, int
  */
 void assert_address_in_just_address_answers(struct extracted_response *ex_response)
 {
-  size_t length;
+  size_t length = 0;
+  char *resp_str = "";
   ASSERT_RC(getdns_list_get_length(ex_response->just_address_answers, &length),
     GETDNS_RETURN_GOOD, "Failed to extract \"just_address_answers\" length");
-
-  ck_assert_msg(length > 0, "Expected \"just_address_answers\" length > 0, got %d", length);
+  
+  if (length == 0) resp_str = getdns_pretty_print_dict(ex_response->response);
+  ck_assert_msg(length > 0, "Expected \"just_address_answers\" length > 0, got %d\n%s", length, resp_str);
+  if (length == 0) free(resp_str);
 }
 
 /*
diff --git a/src/test/check_getdns_common.h b/src/test/check_getdns_common.h
index 6fb3b555..c9691b59 100644
--- a/src/test/check_getdns_common.h
+++ b/src/test/check_getdns_common.h
@@ -41,6 +41,7 @@
 
      struct extracted_response {
        uint32_t top_answer_type;
+       struct getdns_dict *response;
        struct getdns_bindata *top_canonical_name;
        struct getdns_list *just_address_answers;
        struct getdns_list *replies_full;

From 990372329c898a7f9b4d067624adfcd74e74d32e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 13 Dec 2018 15:26:13 +0100
Subject: [PATCH 234/303] typo

---
 src/test/check_getdns_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/test/check_getdns_common.c b/src/test/check_getdns_common.c
index a13e671a..192ab661 100644
--- a/src/test/check_getdns_common.c
+++ b/src/test/check_getdns_common.c
@@ -70,7 +70,7 @@ void extract_response(struct getdns_dict *response, struct extracted_response *e
    * If it is absent, do not try to decompose the replies_tree, because the
    * answer most likely came not from DNS.
    */
-  ex_response->reponse = response;
+  ex_response->response = response;
   have_answer_type = getdns_dict_get_int(response, "answer_type", &ex_response->top_answer_type) ==
     GETDNS_RETURN_GOOD;
 

From 232f655663b3c09b1a19c8aa303917b7f9860be7 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 14 Dec 2018 13:42:43 +0100
Subject: [PATCH 235/303] trust_anchor_backoff_time also when appdata dir is
 not writable

---
 src/context.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/context.c b/src/context.c
index aaea6d59..d952d8d6 100644
--- a/src/context.c
+++ b/src/context.c
@@ -5349,6 +5349,8 @@ int _getdns_context_write_priv_file(getdns_context *context,
 		(void) close(fd);
 
 	context->can_write_appdata = PROP_UNABLE;
+	context->trust_anchors_backoff_expiry =
+	    _getdns_get_now_ms() + context->trust_anchors_backoff_time;
 	return 0;
 }
 
@@ -5361,9 +5363,12 @@ int _getdns_context_can_write_appdata(getdns_context *context)
 	if (context->can_write_appdata == PROP_ABLE)
 		return 1;
 
-	else if (context->can_write_appdata == PROP_UNABLE)
-		return 0;
-
+	else if (context->can_write_appdata == PROP_UNABLE) {
+		if (_getdns_ms_until_expiry(
+		    context->trust_anchors_backoff_expiry) > 0)
+			return 0;
+		context->can_write_appdata = PROP_UNKNOWN;
+	}
 	(void) snprintf( test_fn, sizeof(test_fn)
 	               , "write-test-%d.tmp", arc4random());
 

From 36cb9b0243a4a73b98efd79bcbe5a0b87e1b746f Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 14 Dec 2018 13:45:22 +0100
Subject: [PATCH 236/303] We also always publish sha1 over tarballs

---
 Makefile.in | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/Makefile.in b/Makefile.in
index ee6b86bb..180fc2c5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -165,7 +165,7 @@ distclean:
 	rm -f m4/ltoptions.m4
 	rm -f m4/ltsugar.m4
 	rm -f m4/ltversion.m4
-	rm -f $(distdir).tar.gz $(distdir).tar.gz.sha256
+	rm -f $(distdir).tar.gz $(distdir).tar.gz.sha256 $(distdir).tar.gz.sha1
 	rm -f $(distdir).tar.gz.md5 $(distdir).tar.gz.asc
 
 megaclean:
@@ -177,11 +177,14 @@ autoclean: megaclean
 
 dist: $(distdir).tar.gz
 
-pub: $(distdir).tar.gz.sha256 $(distdir).tar.gz.md5 $(distdir).tar.gz.asc
+pub: $(distdir).tar.gz.sha256 $(distdir).tar.gz.md5 $(distdir).tar.gz.asc $(distdir).tar.gz.sha1
 
 $(distdir).tar.gz.sha256: $(distdir).tar.gz
 	openssl sha256 $(distdir).tar.gz >$@
 
+$(distdir).tar.gz.sha1: $(distdir).tar.gz
+	openssl sha1 $(distdir).tar.gz >$@
+
 $(distdir).tar.gz.md5: $(distdir).tar.gz
 	openssl md5 $(distdir).tar.gz >$@
 

From c1bf12c8a252e7ec2c32768ca2b17a8664baa641 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 14 Dec 2018 15:23:23 +0000
Subject: [PATCH 237/303] Update default GnuTLS cipher suite priority string to
 one that gives the same ciphers as the OpenSSL version.

Also fix deinit segfault.

./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"
Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL
TLS_ECDHE_RSA_AES_256_GCM_SHA384                  	0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256                  	0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                   	0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305                 0xcc, 0xa9 TLS1.2

$ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
---
 src/gnutls/tls.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index e7265ee1..b2ea8e91 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -43,12 +43,13 @@
 /*
  * Cipher suites recommended in RFC7525.
  *
- * The GnuTLS 3.5.19 being used for this proof of concept doesn't have
- * TLS 1.3 support, as in the OpenSSL equivalent. Fall back for now to
- * a known working priority string.
+ * The following string generates a list with the same ciphers that are
+ * generated by the equivalent string in the OpenSSL version of this file.
  */
 char const * const _getdns_tls_context_default_cipher_list =
-	"SECURE128:SECURE192:-VERS-TLS1.0:-VERS-TLS1.1";
+	"NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:"
+	"+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:"
+	"+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL";
 
 static char const * const _getdns_tls_connection_opportunistic_cipher_list =
 	"NORMAL";
@@ -247,8 +248,10 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 	res->shutdown = 0;
 	res->ctx = ctx;
 	res->mfs = mfs;
+	res->tls = NULL;
 	res->cipher_list = NULL;
 	res->curve_list = NULL;
+	res->dane_state = NULL;
 	res->dane_query = NULL;
 	res->tlsa = NULL;
 
@@ -288,8 +291,10 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c
 
 	if (conn->dane_query)
 		dane_query_deinit(conn->dane_query);
-	dane_state_deinit(conn->dane_state);
-	gnutls_deinit(conn->tls);
+	if (conn->dane_state)
+		dane_state_deinit(conn->dane_state);
+	if (conn->tls)
+		gnutls_deinit(conn->tls);
 	gnutls_certificate_free_credentials(conn->cred);
 	GETDNS_FREE(*mfs, conn->tlsa);
 	GETDNS_FREE(*mfs, conn->curve_list);

From 65f4fbbc81b799d324f486b8294cd08166f92fc7 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 14 Dec 2018 15:38:32 +0000
Subject: [PATCH 238/303] Make sure all connection deinits are only called if
 there is something to deinit.

---
 src/gnutls/tls.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index b2ea8e91..a9e96241 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -248,6 +248,7 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 	res->shutdown = 0;
 	res->ctx = ctx;
 	res->mfs = mfs;
+	res->cred = NULL;
 	res->tls = NULL;
 	res->cipher_list = NULL;
 	res->curve_list = NULL;
@@ -295,7 +296,8 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c
 		dane_state_deinit(conn->dane_state);
 	if (conn->tls)
 		gnutls_deinit(conn->tls);
-	gnutls_certificate_free_credentials(conn->cred);
+	if (conn->cred)
+		gnutls_certificate_free_credentials(conn->cred);
 	GETDNS_FREE(*mfs, conn->tlsa);
 	GETDNS_FREE(*mfs, conn->curve_list);
 	GETDNS_FREE(*mfs, conn->cipher_list);

From ff1cdce6f8ddcea95a8e3fad4e56384211d882f3 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 20 Dec 2018 15:06:01 +0100
Subject: [PATCH 239/303] s/explicitely/explicitly/g

Thanks Andreas Schulze
---
 src/anchor.c        | 8 ++++----
 src/stub.c          | 4 ++--
 src/util-internal.c | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/anchor.c b/src/anchor.c
index afdf1bf1..cefa2477 100644
--- a/src/anchor.c
+++ b/src/anchor.c
@@ -744,7 +744,7 @@ void _getdns_context_equip_with_anchor(
 	else if (!verify_CA || !*verify_CA)
 		_getdns_log( &context->log
 		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
-		           , "Trust anchor verification explicitely "
+		           , "Trust anchor verification explicitly "
 		             "disabled by empty verify CA\n");
 
 	else if ((r = getdns_context_get_trust_anchors_verify_email(
@@ -757,7 +757,7 @@ void _getdns_context_equip_with_anchor(
 	else if (!verify_email || !*verify_email)
 		_getdns_log( &context->log
 		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
-		           , "Trust anchor verification explicitely "
+		           , "Trust anchor verification explicitly "
 		             "disabled by empty verify email\n");
 
 	else if (!(xml_data = _getdns_context_get_priv_file(context,
@@ -1599,7 +1599,7 @@ void _getdns_start_fetching_ta(
 	} else if (!verify_CA || !*verify_CA) {
 		_getdns_log( &context->log
 		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
-		           , "Trust anchor verification explicitely "
+		           , "Trust anchor verification explicitly "
 		             "disabled by empty verify CA\n");
 		return;
 
@@ -1614,7 +1614,7 @@ void _getdns_start_fetching_ta(
 	} else if (!verify_email || !*verify_email) {
 		_getdns_log( &context->log
 		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
-		           , "Trust anchor verification explicitely "
+		           , "Trust anchor verification explicitly "
 		             "disabled by empty verify email\n");
 		return;
 
diff --git a/src/stub.c b/src/stub.c
index d7af6eb4..ad9b0b24 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1224,10 +1224,10 @@ tls_do_handshake(getdns_upstream *upstream)
 		long verify_result = SSL_get_verify_result(upstream->tls_obj);
 
 /* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
- * we need to verify auth_name explicitely (otherwise it will not be checked,
+ * we need to verify auth_name explicitly (otherwise it will not be checked,
  * because this is not required with DANE with an EE match).
  * This is not needed with native OpenSSL DANE, because EE name checks have
- * to be disabled explicitely.
+ * to be disabled explicitly.
  */
 #if defined(HAVE_X509_CHECK_HOST) && (defined(USE_DANESSL) || !defined(HAVE_SSL_HN_AUTH))
 		int xch;
diff --git a/src/util-internal.c b/src/util-internal.c
index 45fd2fda..437a9679 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -711,7 +711,7 @@ _getdns_create_reply_dict(getdns_context *context, getdns_network_req *req,
 	else	goto error;
 
 	/* other stuff
-	 * Note that spec doesn't explicitely mention these.
+	 * Note that spec doesn't explicitly mention these.
 	 * They are only showcased in the response dict example */
 	if (getdns_dict_set_int(result, "answer_type", GETDNS_NAMETYPE_DNS))
 		goto error;

From 13e1e36ba3447810f370dfeb4d4b7c38bc01d21c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 21 Dec 2018 11:28:00 +0100
Subject: [PATCH 240/303] RESPSTATUS_NO_NAME when no answers found

(so for NODATA answers too)
---
 src/util-internal.c | 5 +++--
 stubby              | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/util-internal.c b/src/util-internal.c
index 437a9679..5b007c0b 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -1124,6 +1124,7 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 	int nsecure = 0, ninsecure = 0, nindeterminate = 0, nbogus = 0;
 	getdns_dict   *netreq_debug;
 	_srvs srvs = { 0, 0, NULL };
+	_getdns_rrset_spc answer_spc;
 
 	/* info (bools) about dns_req */
 	int dnssec_return_status;
@@ -1235,8 +1236,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 		/* TODO: Check instead if canonical_name for request_type
 		 *       is in the answer section.
 		 */
-		if (GLDNS_RCODE_NOERROR ==
-		    GLDNS_RCODE_WIRE(netreq->response))
+		if (_getdns_rrset_answer(&answer_spc, netreq->response
+		                                    , netreq->response_len))
 			nanswers++;
 
 		if (dnssec_return_status ||
diff --git a/stubby b/stubby
index 919b7d91..b04882ad 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 919b7d914ca618f4a843464d5825383f45809f3e
+Subproject commit b04882ad76cc2efdba6238f59e233844e4223908

From 5247fc8de408679b140264e4ebdd28364573a08f Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 21 Dec 2018 11:44:04 +0100
Subject: [PATCH 241/303] Mention RESPSTATUS_NO_NAME change in Changelog

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index 5133ba7b..8549d293 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 * 2018-12-??: Version 1.5.0
+  * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
   * ZONEMD rr-type
   * getdns_query queries for addresses when a query name
     without a type is given.

From 431f86f41406380d712da9cc4a23880bbb2bc916 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 21 Dec 2018 12:10:19 +0100
Subject: [PATCH 242/303] Make tests aware of NODATA == NO_NAME change

---
 src/test/check_getdns_address.h      | 2 +-
 src/test/check_getdns_address_sync.h | 3 ++-
 src/test/check_getdns_common.c       | 9 ++++++++-
 src/test/check_getdns_general.h      | 6 +++---
 src/test/check_getdns_general_sync.h | 6 +++---
 5 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/src/test/check_getdns_address.h b/src/test/check_getdns_address.h
index 10e4b7b2..a4eaad71 100644
--- a/src/test/check_getdns_address.h
+++ b/src/test/check_getdns_address.h
@@ -178,7 +178,7 @@
      {
       /*
        *  name = "localhost"   name should be resolved from host file
-       *  expect: NOERROR/NODATA response:
+       *  expect: NOERROR response:
        *    status = GETDNS_RESPSTATUS_GOOD
        *    rcode = 0
        *    ancount = 1 (number of records in ANSWER section)
diff --git a/src/test/check_getdns_address_sync.h b/src/test/check_getdns_address_sync.h
index 07f8408f..c5c4ae92 100644
--- a/src/test/check_getdns_address_sync.h
+++ b/src/test/check_getdns_address_sync.h
@@ -147,7 +147,7 @@
       /*
        *  name = "willem.getdnsapi.net"  need to replace this with domain from unbound zone
        *  expect: NOERROR/NODATA response:
-       *    status = GETDNS_RESPSTATUS_GOOD
+       *    status = GETDNS_RESPSTATUS_NO_DATA
        *    rcode = 0
        *    ancount = 0 (number of records in ANSWER section)
        */
@@ -162,6 +162,7 @@
        EXTRACT_RESPONSE;
 
        assert_noerror(&ex_response);
+       assert_nodata(&ex_response);
        //assert_soa_in_authority(&ex_response);
 
        CONTEXT_DESTROY;
diff --git a/src/test/check_getdns_common.c b/src/test/check_getdns_common.c
index 192ab661..9816f8ff 100644
--- a/src/test/check_getdns_common.c
+++ b/src/test/check_getdns_common.c
@@ -160,10 +160,15 @@ void extract_local_response(struct getdns_dict *response, struct extracted_respo
 void assert_noerror(struct extracted_response *ex_response)
 {
   uint32_t rcode;
+  uint32_t ancount = 0;
 
-  ASSERT_RC(ex_response->status, GETDNS_RESPSTATUS_GOOD, "Unexpected value for \"status\"");
   ASSERT_RC(getdns_dict_get_int(ex_response->header, "rcode", &rcode), GETDNS_RETURN_GOOD, "Failed to extract \"rcode\"");
   ck_assert_msg(rcode == 0, "Expected rcode == 0, got %d", rcode);
+
+  ASSERT_RC(getdns_dict_get_int(ex_response->header, "ancount", &ancount),
+    GETDNS_RETURN_GOOD, "Failed to extract \"ancount\"");
+
+  ASSERT_RC(ex_response->status, ((ancount > 0) ? GETDNS_RESPSTATUS_GOOD : GETDNS_RESPSTATUS_NO_NAME), "Unexpected value for \"status\"");
 }
 
 /*
@@ -182,6 +187,8 @@ void assert_nodata(struct extracted_response *ex_response)
   ASSERT_RC(getdns_list_get_length(ex_response->answer, &length),
     GETDNS_RETURN_GOOD, "Failed to extract \"answer\" length");
   ck_assert_msg(length == 0, "Expected \"answer\" length == 0, got %d", length);
+
+  ASSERT_RC(ex_response->status, GETDNS_RESPSTATUS_NO_NAME, "Unexpected value for \"status\"");
 }
 
 /*
diff --git a/src/test/check_getdns_general.h b/src/test/check_getdns_general.h
index f073cd86..23bb7e77 100644
--- a/src/test/check_getdns_general.h
+++ b/src/test/check_getdns_general.h
@@ -146,7 +146,7 @@
        *  name = "google.com"
        *  request_type = 0 (minimum valid RRTYPE)
        *  expect: NOERROR/NODATA response:
-       *    status = GETDNS_RESPSTATUS_GOOD
+       *    status = GETDNS_RESPSTATUS_NO_NAME
        *    rcode = 0
        *    ancount = 0 (number of records in ANSWER section)
        */
@@ -180,7 +180,7 @@
        *  name = "google.com"
        *  request_type = 65279 (maximum unassigned RRTYPE)
        *  expect: NOERROR/NODATA response:
-       *    status = GETDNS_RESPSTATUS_GOOD
+       *    status = GETDNS_RESPSTATUS_NO_NAME
        *    rcode = 0
        *    ancount = 0 (number of records in ANSWER section)
        */
@@ -322,7 +322,7 @@
        *  name = "willem.getdnsapi.net"  and unbound zone
        *  request_type = GETDNS_RRTYPE_MX
        *  expect: NOERROR/NODATA response:
-       *    status = GETDNS_RESPSTATUS_GOOD
+       *    status = GETDNS_RESPSTATUS_NO_NAME
        *    rcode = 0
        *    ancount = 0 (number of records in ANSWER section)
        */
diff --git a/src/test/check_getdns_general_sync.h b/src/test/check_getdns_general_sync.h
index 5386ff53..52eacaff 100644
--- a/src/test/check_getdns_general_sync.h
+++ b/src/test/check_getdns_general_sync.h
@@ -128,7 +128,7 @@
        *  name = "google.com"
        *  request_type = 0 (minimum valid RRTYPE)
        *  expect: NOERROR/NODATA response:
-       *    status = GETDNS_RESPSTATUS_GOOD
+       *    status = GETDNS_RESPSTATUS_NO_NAME
        *    rcode = 0
        *    ancount = 0 (number of records in ANSWER section)
        */
@@ -155,7 +155,7 @@
        *  name = "google.com"
        *  request_type = 65279 (maximum unassigned RRTYPE)
        *  expect: NOERROR/NODATA response:
-       *    status = GETDNS_RESPSTATUS_GOOD
+       *    status = GETDNS_RESPSTATUS_NO_NAME
        *    rcode = 0
        *    ancount = 0 (number of records in ANSWER section)
        */
@@ -269,7 +269,7 @@
        *  name = "willem.getdnsapi.net" an unbound zone (as in no MX)
        *  request_type = GETDNS_RRTYPE_MX
        *  expect: NOERROR/NODATA response:
-       *    status = GETDNS_RESPSTATUS_GOOD
+       *    status = GETDNS_RESPSTATUS_NO_NAME
        *    rcode = 0
        *    ancount = 0 (number of records in ANSWER section)
        */

From 7c52883341c626870b94c1de2de616121acf0b09 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 21 Dec 2018 12:44:51 +0100
Subject: [PATCH 243/303] Remove truncated response from transport test

---
 .../tpkg/290-transports.tpkg/290-transports.test     | 12 ++++++------
 src/test/tpkg/run-one.sh                             |  5 +++--
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/test/tpkg/290-transports.tpkg/290-transports.test b/src/test/tpkg/290-transports.tpkg/290-transports.test
index eba3abc2..c66ac5c5 100644
--- a/src/test/tpkg/290-transports.tpkg/290-transports.test
+++ b/src/test/tpkg/290-transports.tpkg/290-transports.test
@@ -134,7 +134,7 @@ for (( ii = 0; ii < 1; ii++)); do
 
 	if [[ $HAVE_SSL_HN_AUTH = 1 ]]
 	then
-		NUM_GOOD_QUERIES=9
+		NUM_GOOD_QUERIES=8
 		GOOD_QUERIES=(
 		"-s -A  getdnsapi.net -l U        @${SERVER_IP} +edns_cookies"              "U" "-"
 		"-s -A  getdnsapi.net -l T        @${SERVER_IP}"              "T" "-"
@@ -143,18 +143,18 @@ for (( ii = 0; ii < 1; ii++)); do
 		"-s -A  getdnsapi.net -l L        @${TLS_SERVER_IP_NO_NAME}"  "L" "N"
 		"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_IP}"          "L" "S"
 		"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S"
-		"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_IP} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S"
-		"-s -G DNSKEY getdnsapi.net -l U  @${SERVER_IP} -b 512 -D" "U" "-")
+		"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_IP} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S")
+# "-s -G DNSKEY getdnsapi.net -l U  @${SERVER_IP} -b 512 -D" "U" "-")
 	else
-		NUM_GOOD_QUERIES=7
+		NUM_GOOD_QUERIES=6
 		GOOD_QUERIES=(
 		"-s -A  getdnsapi.net -l U        @${SERVER_IP} +edns_cookies"              "U" "-"
 		"-s -A  getdnsapi.net -l T        @${SERVER_IP}"              "T" "-"
 		"-s -A  getdnsapi.net -l U        @${SERVER_IP_TSIG}${TSIG_ALG}:${TSIG_NAME}:${TSIG_SECRET}" "U" "-"
 		"-s -A  getdnsapi.net -l U        @${SERVER_IP_TSIG}${TSIG_NAME}:${TSIG_SECRET}" "U" "-"
 		"-s -A  getdnsapi.net -l L        @${TLS_SERVER_IP_NO_NAME}"  "L" "N"
-		"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S"
-		"-s -G DNSKEY getdnsapi.net -l U  @${SERVER_IP} -b 512 -D" "U" "-")
+		"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S")
+# "-s -G DNSKEY getdnsapi.net -l U  @${SERVER_IP} -b 512 -D" "U" "-")
 	fi
 #"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_SS_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_SS_KEY}\"" "L" "S"
 
diff --git a/src/test/tpkg/run-one.sh b/src/test/tpkg/run-one.sh
index 4791cb4a..d8032e04 100755
--- a/src/test/tpkg/run-one.sh
+++ b/src/test/tpkg/run-one.sh
@@ -3,8 +3,9 @@
 export SRCDIR=`dirname $0`
 . `dirname $0`/setup-env.sh
 
-# pass a single test name as the first parameter (without .tpgk extension)
-ONE_TEST=$1
+# pass a single test name as the first parameter
+ONE_TEST=${1%/}
+ONE_TEST=${ONE_TEST%.tpkg}
 shift
 
 "${TPKG}" $* exe ${SRCDIR}/${ONE_TEST}.tpkg

From 4be406ce1f35e8fcb53a95ff16bef083bf62def5 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 21 Dec 2018 15:40:13 +0100
Subject: [PATCH 244/303] Bump version

---
 ChangeLog    | 2 +-
 configure.ac | 8 ++++----
 stubby       | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8549d293..ce1cab78 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,4 @@
-* 2018-12-??: Version 1.5.0
+* 2018-12-21: Version 1.5.0
   * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
   * ZONEMD rr-type
   * getdns_query queries for addresses when a query name
diff --git a/configure.ac b/configure.ac
index 2c40affb..40c94977 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(RELEASE_CANDIDATE, [])
 AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
@@ -63,7 +63,7 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x0104ffc1])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050000])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@@ -105,8 +105,8 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.4$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.3.0 had libversion 9:0:3
 # getdns-1.4.0 had libversion 10:0:0
 # getdns-1.4.1 had libversion 10:1:0
-# getdns-1.4.2 has libversion 10:2:0
-# getdns-1.5.0 will have libversion 11:0:1
+# getdns-1.4.2 had libversion 10:2:0
+# getdns-1.5.0 has libversion 11:0:1
 GETDNS_LIBVERSION=11:0:1
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
diff --git a/stubby b/stubby
index b04882ad..dc019d38 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit b04882ad76cc2efdba6238f59e233844e4223908
+Subproject commit dc019d38f9ef3b68adc7bc663ea9dd6d32677d5a

From 345ed9a734b87ef115ab5df9b62c573c2456c250 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 21 Dec 2018 15:52:46 +0100
Subject: [PATCH 245/303] Final stubby update

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index dc019d38..58200cad 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit dc019d38f9ef3b68adc7bc663ea9dd6d32677d5a
+Subproject commit 58200cadec6371f95e31a7f3735225c5a46ecf75

From 309db67f8b3ea721b377f728b0389fbd769122ab Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 21 Dec 2018 16:30:46 +0100
Subject: [PATCH 246/303] RFE getdnsapi/stubby#121 log re-instantiating TLS ...

... upstreams (because they reached tls_backoff_time) at log level 4 (WARNING)
---
 ChangeLog  | 3 +++
 src/stub.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index ce1cab78..2a77898c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
 * 2018-12-21: Version 1.5.0
+  * RFE getdnsapi/stubby#121 log re-instantiating TLS
+    upstreams (because they reached tls_backoff_time) at
+    log level 4 (WARNING)
   * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
   * ZONEMD rr-type
   * getdns_query queries for addresses when a query name
diff --git a/src/stub.c b/src/stub.c
index ad9b0b24..55bd0628 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -2144,7 +2144,7 @@ upstream_select_stateful(getdns_network_req *netreq, getdns_transport_list_t tra
 		if (upstreams->upstreams[i].conn_state == GETDNS_CONN_BACKOFF &&
 		    upstreams->upstreams[i].conn_retry_time < now) {
 			upstreams->upstreams[i].conn_state = GETDNS_CONN_CLOSED;
-			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_NOTICE,
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
 			    "%-40s : Upstream   : Re-instating %s for this upstream\n",
 			     upstreams->upstreams[i].addr_str,
 			     upstreams->upstreams[i].transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP");

From 1962c03b799b9d9faac5a60c59abb059230f3c8e Mon Sep 17 00:00:00 2001
From: Bruno Pagani <bruno.n.pagani@gmail.com>
Date: Sun, 23 Dec 2018 11:31:27 +0000
Subject: [PATCH 247/303] context: remove TLS13 cipher from cipher_list

TLS 1.3 ciphers have to be set in ciphersuites instead.
---
 src/context.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/context.c b/src/context.c
index d952d8d6..1429d5e4 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1469,8 +1469,7 @@ static char const * const _getdns_default_trust_anchors_verify_email =
     "dnssec@iana.org";
 
 static char const * const _getdns_default_tls_cipher_list =
-    "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
-    "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
+    "EECDH+AESGCM:EECDH+CHACHA20";
 
 static char const * const _getdns_default_tls_ciphersuites =
   "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";

From bbe7dff25748455852128196fd7ce4fee0b4e60f Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 31 Dec 2018 16:13:20 +0100
Subject: [PATCH 248/303] No TLS1.3 ciphers in cipher_list only when ...

SSL_set_ciphersuites in OpenSSL API.
---
 src/context.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/context.c b/src/context.c
index 1429d5e4..825d6309 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1468,7 +1468,12 @@ static char const * const _getdns_default_trust_anchors_verify_CA =
 static char const * const _getdns_default_trust_anchors_verify_email =
     "dnssec@iana.org";
 
+
 static char const * const _getdns_default_tls_cipher_list =
+#ifndef HAVE_SSL_CTX_SET_CIPHERSUITES
+    "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
+    "TLS13-CHACHA20-POLY1305-SHA256:"
+#endif
     "EECDH+AESGCM:EECDH+CHACHA20";
 
 static char const * const _getdns_default_tls_ciphersuites =

From 014ac3d3680645cd1f68042ef614791966ff08a6 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 3 Jan 2019 11:19:13 +0100
Subject: [PATCH 249/303] Stubby with trust_anchors_backoff_time example config

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index 58200cad..006e43fd 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 58200cadec6371f95e31a7f3735225c5a46ecf75
+Subproject commit 006e43fdcb9ed9cbb0123914a77cc415f7765664

From a4020a6841d124a0aa69421c2b37638b54d6fa9b Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 7 Jan 2019 11:33:21 +0100
Subject: [PATCH 250/303] mk-symfiles.sh improvent

to filter out #defines as intended.
Thanks Zero King
---
 ChangeLog             | 4 ++++
 src/libgetdns.symbols | 2 +-
 src/mk-symfiles.sh    | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2a77898c..aa8a3827 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+* 2019-01-??: Version 1.5.1
+  * Issue #415: Filter out #defines etc. when creating
+    symbols file.  Thanks Zero King
+
 * 2018-12-21: Version 1.5.0
   * RFE getdnsapi/stubby#121 log re-instantiating TLS
     upstreams (because they reached tls_backoff_time) at
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index f0169761..d6dbd3d9 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@@ -1,7 +1,7 @@
+ * if 
 getdns_address
 getdns_address_sync
 getdns_cancel_callback
-getdns_context_
 getdns_context_config
 getdns_context_create
 getdns_context_create_with_extended_memory_functions
diff --git a/src/mk-symfiles.sh b/src/mk-symfiles.sh
index 099181e6..618cdb7a 100755
--- a/src/mk-symfiles.sh
+++ b/src/mk-symfiles.sh
@@ -3,7 +3,7 @@
 write_symbols() {
 	OUTPUT=$1
 	shift
-	grep 'getdns_[0-9a-zA-Z_]*(' $* | grep -v '^#' | grep -v 'INLINE' | grep -v 'getdns_extra\.h\.in: \* if' \
+	grep -h 'getdns_[0-9a-zA-Z_]*(' $* | grep -v '^#' | grep -v 'INLINE' | grep -v 'getdns_extra\.h\.in: \* if' \
 	| sed -e 's/(.*$//g' -e 's/^.*getdns_/getdns_/g' | LC_ALL=C sort | uniq > $OUTPUT
 }
 

From 411c5cf5715ee61412165b7555d33f465780cef5 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 7 Jan 2019 12:08:26 +0100
Subject: [PATCH 251/303] Git rid of * if in libgetdns.symbols

---
 src/libgetdns.symbols | 1 -
 src/mk-symfiles.sh    | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index d6dbd3d9..b8b6cffe 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@@ -1,4 +1,3 @@
- * if 
 getdns_address
 getdns_address_sync
 getdns_cancel_callback
diff --git a/src/mk-symfiles.sh b/src/mk-symfiles.sh
index 618cdb7a..26424e27 100755
--- a/src/mk-symfiles.sh
+++ b/src/mk-symfiles.sh
@@ -3,7 +3,7 @@
 write_symbols() {
 	OUTPUT=$1
 	shift
-	grep -h 'getdns_[0-9a-zA-Z_]*(' $* | grep -v '^#' | grep -v 'INLINE' | grep -v 'getdns_extra\.h\.in: \* if' \
+	grep -h 'getdns_[0-9a-zA-Z_]*(' $* | grep -v '^#' | grep -v 'INLINE' | grep -v '^ \* if' \
 	| sed -e 's/(.*$//g' -e 's/^.*getdns_/getdns_/g' | LC_ALL=C sort | uniq > $OUTPUT
 }
 

From 35077bdc6d8c80d7347891354d18ddb211c8fb45 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 11 Jan 2019 12:08:38 +0100
Subject: [PATCH 252/303] Update ChangeLog & bumb version

---
 ChangeLog    | 5 ++++-
 configure.ac | 9 +++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index aa8a3827..0eb7383c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
-* 2019-01-??: Version 1.5.1
+* 2019-01-11: Version 1.5.1
+  * PR #414: remove TLS13 ciphers from cipher_list, but
+    only when SSL_CTX_set_ciphersuites is available.
+    Thanks Bruno Pagani
   * Issue #415: Filter out #defines etc. when creating
     symbols file.  Thanks Zero King
 
diff --git a/configure.ac b/configure.ac
index 40c94977..4edd248f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
-AC_INIT([getdns], [1.5.0], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
+AC_INIT([getdns], [1.5.1], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
 
 # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
 # patched to do the same, but frequently (MacOS) not. So add a with option
@@ -63,13 +63,13 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050000])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050100])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
 
 AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package])
-AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.4$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
+AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.5$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
 
 # Library version
 # ---------------
@@ -107,7 +107,8 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.4$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.4.1 had libversion 10:1:0
 # getdns-1.4.2 had libversion 10:2:0
 # getdns-1.5.0 has libversion 11:0:1
-GETDNS_LIBVERSION=11:0:1
+# getdns-1.5.1 has libversion 11:1:1
+GETDNS_LIBVERSION=11:1:1
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
 AC_SUBST(GETDNS_LIBVERSION)

From 51cb57080961db6b5fdfa97642534e38021d446c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 11 Jan 2019 11:16:48 +0000
Subject: [PATCH 253/303] Re-add support for OpenSSL prior to 1.1, but now
 require at least 1.0.2 and drop LibreSSL support.

---
 .gitmodules                   |   4 +
 configure.ac                  |  44 ++++-----
 src/Makefile.in               |   6 +-
 src/openssl/keyraw-internal.c |  18 ++++
 src/openssl/tls-internal.h    |   8 +-
 src/openssl/tls.c             | 173 +++++++++++++++++++++++++++++++---
 src/ssl_dane                  |   1 +
 7 files changed, 213 insertions(+), 41 deletions(-)
 create mode 160000 src/ssl_dane

diff --git a/.gitmodules b/.gitmodules
index 27d60b78..26a1f354 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -10,3 +10,7 @@
 	path = stubby
 	url = https://github.com/getdnsapi/stubby.git
 	branch = develop
+[submodule "src/ssl_dane"]
+	path = src/ssl_dane
+	url = https://github.com/getdnsapi/ssl_dane
+	branch = getdns
diff --git a/configure.ac b/configure.ac
index 6fadac38..d5a7f25e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -464,6 +464,24 @@ AC_ARG_WITH([gnutls],
 	fi
         ACX_LIB_SSL
         AC_SUBST([TLSDIR], 'openssl')
+
+        # Verify OpenSSL is at least version 1.0.2.
+        # We also check it's not LibreSSL, but that's a little later, not here.
+        AC_CHECK_FUNCS([X509_check_host SSL_dane_enable])
+        if test "x$ac_cv_func_X509_check_host" != xyes; then
+           AC_MSG_ERROR([getdns requires OpenSSL version 1.0.2 or later])
+        fi
+        
+        AC_MSG_CHECKING([whether we need to compile/link DANE support])
+        DANESSL_XTRA_OBJS=""
+        if test "x$ac_cv_func_SSL_dane_enable" = xyes; then
+            AC_MSG_RESULT([no])
+        else
+            AC_MSG_RESULT([yes])
+            AC_DEFINE([USE_DANESSL], [1], [Define this to use DANE functions from the ssl_dane/danessl library.])
+            DANESSL_XTRA_OBJS="danessl.lo"
+        fi
+        AC_SUBST(DANESSL_XTRA_OBJS)
     ])
 
 
@@ -472,17 +490,14 @@ if test $USE_NSS = "no" -a $USE_NETTLE = "no" ; then
 AC_MSG_CHECKING([for LibreSSL])
 if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
 	AC_MSG_RESULT([yes])
-	AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
-	# libressl provides these compat functions, but they may also be
-	# declared by the OS in libc.  See if they have been declared.
-	AC_CHECK_DECLS([strlcpy,arc4random,arc4random_uniform])
+        AC_MSG_ERROR([getdns does not support LibreSSL])
 else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
+AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites OPENSSL_init_crypto DSA_set0_pqg DSA_set0_key RSA_set0_key])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
@@ -505,25 +520,6 @@ AC_INCLUDES_DEFAULT
 ])
 fi
 
-AC_MSG_CHECKING([for OpenSSL >= 1.1.1])
-AC_LANG_PUSH(C)
-AC_COMPILE_IFELSE(
-	[AC_LANG_PROGRAM([
-		[#include <openssl/opensslv.h>]
-		[#if OPENSSL_VERSION_NUMBER <  0x10101000L]
-		[#error "OpenSSL 1.1.1 or higher required"]
-		[#elif defined(LIBRESSL_VERSION_NUMBER)]
-		[#error "LibreSSL not supported"]
-		[#endif]
-	],[[]])],
-	[
-                AC_MSG_RESULT([yes])
-        ],
-        [
-                AC_MSG_ERROR([OpenSSL 1.1.1 or later required])
-	])
-AC_LANG_POP(C)
-
 AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support]))
 	case "$enable_sha1" in
 	no)
diff --git a/src/Makefile.in b/src/Makefile.in
index 2047ca0e..411f5874 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -99,8 +99,9 @@ TLS_OBJ=tls.lo pubkey-pinning-internal.lo keyraw-internal.lo val_secalgo.lo anch
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
+DANESSL_OBJ=danessl.lo
 
-GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@
+GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ @DANESSL_XTRA_OBJS@
 STUBBY_XTRA_OBJS=@STUBBY_XTRA_OBJS@
 
 EXTENSION_OBJ=$(DEFAULT_EVENTLOOP_OBJ) libevent.lo libev.lo
@@ -140,6 +141,9 @@ $(TLS_OBJ):
 $(YAML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
 
+$(DANESSL_OBJ):
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WNOERRORFLAG) -c $(srcdir)/ssl_dane/$(@:.lo=.c) -o $@
+
 $(YXML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -I$(srcdir)/yxml -DYXML_GETDNS -Wno-unused-parameter -c $(srcdir)/yxml/$(@:.lo=.c) -o $@
 
diff --git a/src/openssl/keyraw-internal.c b/src/openssl/keyraw-internal.c
index 75c53c00..b8077049 100644
--- a/src/openssl/keyraw-internal.c
+++ b/src/openssl/keyraw-internal.c
@@ -140,6 +140,8 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
+
+#if defined(HAVE_DSA_SET0_PQG) && defined(HAVE_DSA_SET0_KEY)
 	if (!DSA_set0_pqg(dsa, P, Q, G)) {
 		/* QPG not yet attached, need to free */
 		BN_free(Q);
@@ -156,6 +158,14 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
+#else
+#  ifndef S_SPLINT_S
+	dsa->p = P;
+	dsa->q = Q;
+	dsa->g = G;
+	dsa->pub_key = Y;
+#  endif /* splint */
+#endif
 
 	return dsa;
 }
@@ -208,12 +218,20 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 		BN_free(modulus);
 		return NULL;
 	}
+
+#if defined(HAVE_RSA_SET0_KEY)	
 	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
 		BN_free(exponent);
 		BN_free(modulus);
 		RSA_free(rsa);
 		return NULL;
 	}
+#else	
+#  ifndef S_SPLINT_S
+	rsa->n = modulus;
+	rsa->e = exponent;
+#  endif /* splint */
+#endif
 
 	return rsa;
 }
diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h
index 4b4b4b49..06f95bda 100644
--- a/src/openssl/tls-internal.h
+++ b/src/openssl/tls-internal.h
@@ -5,7 +5,7 @@
  */
 
 /*
- * Copyright (c) 2018, NLnet Labs
+ * Copyright (c) 2018-2019, NLnet Labs
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -54,12 +54,18 @@
 
 #define GETDNS_TLS_MAX_DIGEST_LENGTH	(EVP_MAX_MD_SIZE)
 
+typedef struct sha256_pin sha256_pin_t;
+
 typedef struct _getdns_tls_context {
 	SSL_CTX* ssl;
 } _getdns_tls_context;
 
 typedef struct _getdns_tls_connection {
 	SSL* ssl;
+#if defined(USE_DANESSL)
+	const char* auth_name;
+	sha256_pin_t* pinset;
+#endif
 } _getdns_tls_connection;
 
 typedef struct _getdns_tls_session {
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 111c15d0..ba1648f1 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -5,7 +5,7 @@
  */
 
 /*
- * Copyright (c) 2018, NLnet Labs
+ * Copyright (c) 2018-2019, NLnet Labs
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -47,8 +47,20 @@
 #include "debug.h"
 #include "context.h"
 
+#ifdef USE_DANESSL
+# include "ssl_dane/danessl.h"
+#endif
+
 #include "tls.h"
 
+/* Double check configure has worked as expected. */
+#if defined(USE_DANESSL) && \
+	(defined(HAVE_SSL_DANE_ENABLE) || \
+	 defined(HAVE_OPENSSL_INIT_CRYPTO) || \
+	 defined(HAVE_SSL_CTX_DANE_ENABLE))
+#error Configure error USE_DANESSL defined with OpenSSL 1.1 functions!
+#endif
+
 /* Cipher suites recommended in RFC7525. */
 char const * const _getdns_tls_context_default_cipher_list =
 	"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
@@ -57,6 +69,26 @@ char const * const _getdns_tls_context_default_cipher_list =
 static char const * const _getdns_tls_connection_opportunistic_cipher_list =
 	"DEFAULT";
 
+#if defined(USE_DANESSL) && defined(STUB_DEBUG) && STUB_DEBUG
+static void _stub_debug_print_openssl_errors(void)
+{
+    unsigned long err;
+    char buffer[1024];
+    const char *file;
+    const char *data;
+    int line;
+    int flags;
+
+    while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
+        ERR_error_string_n(err, buffer, sizeof(buffer));
+        if (flags & ERR_TXT_STRING)
+            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d:%s\n", buffer, file, line, data);
+        else
+            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d\n", buffer, file, line);
+    }
+}
+#endif
+
 static int _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
 {
 # if defined(STUB_DEBUG) && STUB_DEBUG
@@ -218,10 +250,19 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 
 void _getdns_tls_init()
 {
+#ifdef HAVE_OPENSSL_INIT_CRYPTO
 	OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS
 	                   | OPENSSL_INIT_ADD_ALL_DIGESTS
 	                   | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
 	(void)OPENSSL_init_ssl(0, NULL);
+#else
+	OpenSSL_add_all_algorithms();
+	SSL_library_init();
+
+# ifdef USE_DANESSL
+		(void) DANESSL_library_init();
+# endif
+#endif
 }
 
 _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
@@ -255,14 +296,20 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont
 
 void _getdns_tls_context_pinset_init(_getdns_tls_context* ctx)
 {
-#   if defined(STUB_DEBUG) && STUB_DEBUG
-	int osr =
-#   else
-	(void)
-#   endif
-		SSL_CTX_dane_enable(ctx->ssl);
-		DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
-		          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+	int osr;
+	(void) osr;
+
+#if defined(HAVE_SSL_CTX_DANE_ENABLE)
+	osr = SSL_CTX_dane_enable(ctx->ssl);
+	DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n",
+		   STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+#elif defined(USE_DANESSL)
+	osr = DANESSL_CTX_init(ctx->ssl);
+	DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n",
+		   STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+#else
+#error Must have either DANE SSL or OpenSSL v1.1.
+#endif
 }
 
 getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
@@ -367,6 +414,13 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn)
 	if (!conn || !conn->ssl)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
+#ifdef USE_DANESSL
+# if defined(STUB_DEBUG) && STUB_DEBUG
+	_stub_debug_print_openssl_errors();
+# endif
+	DANESSL_cleanup(conn->ssl);
+#endif
+
 	switch (SSL_shutdown(conn->ssl)) {
 	case 0:		return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
 	case 1:		return GETDNS_RETURN_GOOD;
@@ -485,12 +539,19 @@ getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connectio
 	if (!conn || !conn->ssl || !auth_name)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
+#if defined(HAVE_SSL_DANE_ENABLE)
 	SSL_set_tlsext_host_name(conn->ssl, auth_name);
 	/* Set up native OpenSSL hostname verification */
 	X509_VERIFY_PARAM *param;
 	param = SSL_get0_param(conn->ssl);
 	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 	X509_VERIFY_PARAM_set1_host(param, auth_name, 0);
+#elif defined(USE_DANESSL)
+	/* Stash auth name away for use in cert verification. */
+	conn->auth_name = auth_name;
+#else
+#error Must have either DANE SSL or OpenSSL v1.1.
+#endif
 	return GETDNS_RETURN_GOOD;
 }
 
@@ -499,6 +560,13 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	if (!conn || !conn->ssl || !auth_name)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
+#if defined(USE_DANE_SSL)
+	/* Stash auth name and pinset away for use in cert verification. */
+	conn->auth_name = auth_name;
+	conn->pinset = pinset;
+#endif
+
+#if defined(HAVE_SSL_DANE_ENABLE)
 	int osr = SSL_dane_enable(conn->ssl, *auth_name ? auth_name : NULL);
 	(void) osr;
 	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
@@ -520,6 +588,38 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 		if (osr > 0)
 			++n_pins;
 	}
+#elif defined(USE_DANESSL)
+	if (pinset) {
+		const char *auth_names[2] = { auth_name, NULL };
+		int osr = DANESSL_init(conn->ssl,
+				       *auth_name ? auth_name : NULL,
+				       *auth_name ? auth_names : NULL);
+		(void) osr;
+		DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n"
+			  , STUB_DEBUG_SETUP_TLS, __FUNC__, auth_name, osr);
+		SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+		const sha256_pin_t *pin_p;
+		size_t n_pins = 0;
+		for (pin_p = pinset; pin_p; pin_p = pin_p->next) {
+			osr = DANESSL_add_tlsa(conn->ssl, 3, 1, "sha256",
+			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
+				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+			if (osr > 0)
+				++n_pins;
+			osr = DANESSL_add_tlsa(conn->ssl, 2, 1, "sha256",
+			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
+				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+			if (osr > 0)
+				++n_pins;
+		}
+	} else {
+		SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+	}
+#else
+#error Must have either DANE SSL or OpenSSL v1.1.
+#endif
 	return GETDNS_RETURN_GOOD;
 }
 
@@ -529,10 +629,38 @@ getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
 	long verify_result = SSL_get_verify_result(conn->ssl);
+
+	/* Since we don't have DANE validation yet, DANE validation
+	 * failures are always pinset validation failures */
+
 	switch (verify_result) {
 	case X509_V_OK:
+#if defined(USE_DANESSL)
+	{
+		getdns_return_t res = GETDNS_RETURN_GOOD;
+		X509* peer_cert = SSL_get_peer_certificate(conn->ssl);
+		if (peer_cert) {
+			if (conn->auth_name[0] &&
+			    X509_check_host(peer_cert,
+					    conn->auth_name,
+					    strlen(conn->auth_name),
+					    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
+					    NULL) <= 0) {
+				if (errnum)
+					*errnum = 1;
+				if (errmsg)
+					*errmsg = "Hostname mismatch";
+				res = GETDNS_RETURN_GENERIC_ERROR;
+			}
+			X509_free(peer_cert);
+		}
+		return res;
+	}
+#else
 		return GETDNS_RETURN_GOOD;
+#endif
 
+#if defined(HAVE_SSL_DANE_ENABLE)
 	case X509_V_ERR_DANE_NO_MATCH:
 		if (errnum)
 			*errnum = 0;
@@ -540,13 +668,28 @@ getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection
 			*errmsg = "Pinset validation failure";
 		return GETDNS_RETURN_GENERIC_ERROR;
 
-	default:
-		if (errnum)
-			*errnum = verify_result;
-		if (errmsg)
-			*errmsg = X509_verify_cert_error_string(verify_result);
-		return GETDNS_RETURN_GENERIC_ERROR;
+#elif defined(USE_DANESSL)
+	case X509_V_ERR_CERT_UNTRUSTED:
+		if (conn->pinset &&
+		    !DANESSL_get_match_cert(conn->ssl, NULL, NULL, NULL)) {
+			if (errnum)
+				*errnum = 0;
+			if (errmsg)
+				*errmsg = "Pinset validation failure";
+			return GETDNS_RETURN_GENERIC_ERROR;
+		}
+		break;
+#else
+#error Must have either DANE SSL or OpenSSL v1.1.
+#endif
 	}
+
+	/* General error if we get here. */
+	if (errnum)
+		*errnum = verify_result;
+	if (errmsg)
+		*errmsg = X509_verify_cert_error_string(verify_result);
+	return GETDNS_RETURN_GENERIC_ERROR;
 }
 
 
diff --git a/src/ssl_dane b/src/ssl_dane
new file mode 160000
index 00000000..dd093e58
--- /dev/null
+++ b/src/ssl_dane
@@ -0,0 +1 @@
+Subproject commit dd093e585a237e0321d303ec35e84c393ef739f4

From 78d6bc30f5bb38d196d1392004080d483ab41b73 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 11 Jan 2019 13:04:07 +0100
Subject: [PATCH 254/303] Update stubby to 0.2.5

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index 006e43fd..85215233 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 006e43fdcb9ed9cbb0123914a77cc415f7765664
+Subproject commit 85215233ee82904fb7f2199fedd425f9336cb110

From 66f63b21bc53e13a06d1d2e1f7108b09d00578ba Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 11 Jan 2019 14:52:40 +0100
Subject: [PATCH 255/303] Stubby with dns.google in stubby.yml.example

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index 85215233..9c6e55a1 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 85215233ee82904fb7f2199fedd425f9336cb110
+Subproject commit 9c6e55a16af8f3258736b804b17eac3d35daebf3

From 24774fefd674bb230c271ede1c825856bdd56d1f Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 15 Jan 2019 11:01:58 +0000
Subject: [PATCH 256/303] Remove 'upstream' association with connection, now
 unused.

---
 src/gnutls/pubkey-pinning-internal.c  |  7 ----
 src/openssl/pubkey-pinning-internal.c | 56 ---------------------------
 src/pubkey-pinning.h                  |  4 --
 src/stub.c                            |  4 --
 4 files changed, 71 deletions(-)

diff --git a/src/gnutls/pubkey-pinning-internal.c b/src/gnutls/pubkey-pinning-internal.c
index 61d94645..41033bf3 100644
--- a/src/gnutls/pubkey-pinning-internal.c
+++ b/src/gnutls/pubkey-pinning-internal.c
@@ -42,13 +42,6 @@
  ** Interfaces from pubkey-pinning.h
  **/
 
-getdns_return_t
-_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
-					   getdns_upstream *upstream)
-{
-	return GETDNS_RETURN_GOOD;
-}
-
 getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size)
 {
 	struct base64_decode_ctx ctx;
diff --git a/src/openssl/pubkey-pinning-internal.c b/src/openssl/pubkey-pinning-internal.c
index fd8ad6fe..d18103de 100644
--- a/src/openssl/pubkey-pinning-internal.c
+++ b/src/openssl/pubkey-pinning-internal.c
@@ -58,10 +58,6 @@
 
 #include "pubkey-pinning-internal.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000 
-#define X509_STORE_CTX_get0_untrusted(store) store->untrusted
-#endif
-
 /* we only support sha256 at the moment.  adding support for another
    digest is more complex than just adding another entry here. in
    particular, you'll probably need a match for a particular cert
@@ -91,56 +87,4 @@ getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_
 	return ret;
 }
 
-/* this should only happen once ever in the life of the library. it's
-   used to associate a getdns_context_t with an SSL_CTX, to be able to
-   do custom verification.
-   
-   see doc/HOWTO/proxy_certificates.txt as an example
-*/
-static int
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-_get_ssl_getdns_upstream_idx(void)
-#else
-_get_ssl_getdns_upstream_idx(X509_STORE *store)
-#endif
-{
-	static volatile int idx = -1;
-	if (idx < 0) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-		CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-#else
-		X509_STORE_lock(store);
-#endif
-		if (idx < 0)
-			idx = SSL_get_ex_new_index(0, "associated getdns upstream",
-						   NULL,NULL,NULL);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-#else
-		X509_STORE_unlock(store);
-#endif
-	}
-	return idx;
-}
-
-getdns_return_t
-_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
-					   getdns_upstream *upstream)
-{
-	if (!conn || !conn->ssl)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-	
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-	int uidx = _get_ssl_getdns_upstream_idx();
-#else
-	int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(conn->ssl)));
-#endif
-	if (SSL_set_ex_data(conn->ssl, uidx, upstream))
-		return GETDNS_RETURN_GOOD;
-	else
-		return GETDNS_RETURN_GENERIC_ERROR;
-	/* TODO: if we want more details about errors somehow, we
-	 * might call ERR_get_error (see CRYPTO_set_ex_data(3ssl))*/
-}
-
 /* pubkey-pinning.c */
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index c60a7eca..0e2347b2 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -52,9 +52,5 @@ _getdns_get_pubkey_pinset_list(const getdns_context *ctx,
 			       const sha256_pin_t *pinset_in,
 			       getdns_list **pinset_list);
 
-getdns_return_t
-_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
-					   getdns_upstream *upstream);
-
 #endif
 /* pubkey-pinning.h */
diff --git a/src/stub.c b/src/stub.c
index 29929613..d9736288 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -843,10 +843,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			r = _getdns_tls_connection_set_cipher_list(tls, upstream->tls_cipher_list);
 	}
 	
-	/* make sure we'll be able to find the context again when we need it */
-	if (!r)
-		r = _getdns_associate_upstream_with_connection(tls, upstream);
-
 	if (r) {
 		_getdns_tls_connection_free(&upstream->upstreams->mf, tls);
 		upstream->tls_auth_state = r;

From ccd6c3592d63ffb351b9b6ff87ecd81abf6e643f Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 15 Jan 2019 11:30:56 +0000
Subject: [PATCH 257/303] GnuTLS: Can't set priority for SSL3.

---
 src/gnutls/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 304fbda9..e9863159 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -57,7 +57,7 @@ static char const * const _getdns_tls_connection_opportunistic_cipher_list =
 
 static char const * const _getdns_tls_priorities[] = {
 	NULL,			/* No protocol */
-	"+VERS-TLS1.0",	/* SSL3 */
+	NULL,		/* SSL3 - no available keyword. */
 	"+VERS-TLS1.0",	/* TLS1.0 */
 	"+VERS-TLS1.1",	/* TLS1.1 */
 	"+VERS-TLS1.2",	/* TLS1.2 */

From 8609a35e5bdf97ac74f324b62d3c907336f95268 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 15 Jan 2019 11:31:22 +0000
Subject: [PATCH 258/303] GnuTLS: Add support for TLS 1.3.

---
 src/gnutls/tls.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index e9863159..5ef1849f 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -193,6 +193,9 @@ static gnutls_protocol_t _getdns_tls_version2gnutls_version(getdns_tls_version_t
 	case GETDNS_TLS1  : return GNUTLS_TLS1;
 	case GETDNS_TLS1_1: return GNUTLS_TLS1_1;
 	case GETDNS_TLS1_2: return GNUTLS_TLS1_2;
+#if GNUTLS_VERSION_NUMBER >= 0x030605
+	case GETDNS_TLS1_3: return GNUTLS_TLS1_3;
+#endif
 	default           : return GNUTLS_TLS_VERSION_MAX;
 	}
 }

From 6553aa3aad44633242bf2f39767767229b8cc5a3 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 15 Jan 2019 12:11:13 +0000
Subject: [PATCH 259/303] The new minimum OpenSSL version means that Travis
 must switch to Xenial.

---
 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 2cace3f4..e4a2b9e6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,5 @@
 sudo: false
+dist: xenial
 language: c
 compiler:
   - gcc
@@ -6,6 +7,7 @@ compiler:
 addons:
   apt:
     packages:
+    - libssl-dev
     - libunbound-dev
     - libidn11-dev
     - libyaml-dev

From ee6bc7d978147382ad1e6134e8e437893672f0bd Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 15 Jan 2019 12:39:02 +0000
Subject: [PATCH 260/303] Remove development test erroneously checked in.

---
 configure.ac | 1 -
 1 file changed, 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 182209c6..f927ef6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1527,7 +1527,6 @@ if test "$ac_cv_func_arc4random" = "no"; then
 	    if test "$USE_WINSOCK" = 1; then
 		AC_LIBOBJ(getentropy_win)
 	    else
-                AC_MSG_ERROR([Function getentropy missing.])
 		case `uname` in
 		Darwin)
 			AC_LIBOBJ(getentropy_osx)

From 9024fd773694ee630809c9f9af293dbac6c1f957 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 15 Jan 2019 15:19:50 +0000
Subject: [PATCH 261/303] Fix build with INTERCEPT_COM_DS defined.

Decide that layout of handling write results is more readable, and use with read too.
---
 src/stub.c | 35 +++++++++++++++--------------------
 1 file changed, 15 insertions(+), 20 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index d9736288..05e48f0a 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1072,18 +1072,14 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp,
 		tcp->to_read = 2; /* Packet size */
 	}
 
-	switch ((int)_getdns_tls_connection_read(tls_obj, tcp->read_pos, tcp->to_read, &read)) {
-	case GETDNS_RETURN_GOOD:
-		break;
-
-	case GETDNS_RETURN_TLS_WANT_READ:
-			return STUB_TCP_RETRY; /* Come back later */
-
-	default:
-		/* TODO[TLS]: Handle GETDNS_RETURN_TLS_WANT_WRITE which means handshake
-		   renegotiation. Need to keep handshake state to do that.*/
+	getdns_return_t r = _getdns_tls_connection_read(tls_obj, tcp->read_pos, tcp->to_read, &read);
+	/* TODO[TLS]: Handle GETDNS_RETURN_TLS_WANT_WRITE which means handshake
+	   renegotiation. Need to keep handshake state to do that.*/
+	if (r == GETDNS_RETURN_TLS_WANT_READ)
+		return STUB_TCP_RETRY;
+	else if (r != GETDNS_RETURN_GOOD)
 		return STUB_TCP_ERROR;
-	}
+
 	tcp->to_read  -= read;
 	tcp->read_pos += read;
 
@@ -1217,6 +1213,8 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp,
 		 * Lets see how much of it we can write */
 		
 		/* TODO[TLS]: Handle error cases, partial writes, renegotiation etc. */
+		getdns_return_t r;
+		
 #if INTERCEPT_COM_DS
 		/* Intercept and do not sent out COM DS queries. For debugging
 		 * purposes only. Never commit with this turned on.
@@ -1231,19 +1229,16 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp,
 
 			debug_req("Intercepting", netreq);
 			written = pkt_len + 2;
+			r = GETDNS_RETURN_GOOD;
 		} else
 #endif
-			switch ((int)_getdns_tls_connection_write(tls_obj, netreq->query - 2, pkt_len + 2, &written)) {
-		case GETDNS_RETURN_GOOD:
-			break;
-
-		case GETDNS_RETURN_TLS_WANT_READ:
-		case GETDNS_RETURN_TLS_WANT_WRITE:
+		r = _getdns_tls_connection_write(tls_obj, netreq->query - 2, pkt_len + 2, &written);
+		if (r == GETDNS_RETURN_TLS_WANT_READ ||
+		    r == GETDNS_RETURN_TLS_WANT_WRITE)
 			return STUB_TCP_RETRY;
-
-		default:
+		else if (r != GETDNS_RETURN_GOOD)
 			return STUB_TCP_ERROR;
-		}
+
 		/* We were able to write everything!  Start reading. */
 		return (int) query_id;
 

From 09ca9a826b3446c6f63ed40e4f9eefb3416dfe3e Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Tue, 15 Jan 2019 17:13:13 +0000
Subject: [PATCH 262/303] Fix gcc 8 warnings.

---
 src/anchor.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/src/anchor.c b/src/anchor.c
index 602a0153..1d685130 100644
--- a/src/anchor.c
+++ b/src/anchor.c
@@ -68,6 +68,15 @@ typedef struct ta_iter {
 	char  digest[2048];
 } ta_iter;
 
+static void strcpytrunc(char* dst, const char* src, size_t dstsize)
+{
+	size_t to_copy = strlen(src);
+	if (to_copy >= dstsize)
+		to_copy = dstsize -1;
+	memcpy(dst, src, to_copy);
+	dst[to_copy] = '\0';
+}
+
 /**
  * XML convert DateTime element to time_t.
  * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm]
@@ -190,8 +199,8 @@ static ta_iter *ta_iter_next(ta_iter *ta)
 
 				else if (level == 0 && cur) {
 					/* <Zone> content ready */
-					(void) strncpy( ta->zone, value
-					              , sizeof(ta->zone));
+					strcpytrunc( ta->zone, value
+						     , sizeof(ta->zone));
 
 					/* Reset to start of <TrustAnchor> */
 					cur = NULL;
@@ -366,20 +375,20 @@ static ta_iter *ta_iter_next(ta_iter *ta)
 			DEBUG_ANCHOR("elem end: %s\n", value);
 			switch (elem_type) {
 			case KEYTAG:
-				(void) strncpy( ta->keytag, value
-				              , sizeof(ta->keytag));
+				strcpytrunc( ta->keytag, value
+					     , sizeof(ta->keytag));
 				break;
 			case ALGORITHM:
-				(void) strncpy( ta->algorithm, value
-				              , sizeof(ta->algorithm));
+				strcpytrunc( ta->algorithm, value
+					     , sizeof(ta->algorithm));
 				break;
 			case DIGESTTYPE:
-				(void) strncpy( ta->digesttype, value
-				              , sizeof(ta->digesttype));
+				strcpytrunc( ta->digesttype, value
+					     , sizeof(ta->digesttype));
 				break;
 			case DIGEST:
-				(void) strncpy( ta->digest, value
-				              , sizeof(ta->digest));
+				strcpytrunc( ta->digest, value
+					     , sizeof(ta->digest));
 				break;
 			}
 			break;

From 814ee2c4cf0fba8da553a1a1a275750f9375a20c Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 17 Jan 2019 11:23:39 +0000
Subject: [PATCH 263/303] Fix more gcc 8 warnings.

As warnings, these cause builds to fail when running the test suite.
---
 src/general.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/general.c b/src/general.c
index cb923187..43cc7bd0 100644
--- a/src/general.c
+++ b/src/general.c
@@ -252,9 +252,17 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
 #ifdef HAVE_LIBUNBOUND
 #ifdef HAVE_UNBOUND_EVENT_API
 static void
+#if UNBOUND_VERSION_MAJOR > 1 || (UNBOUND_VERSION_MAJOR == 1 && UNBOUND_VERSION_MINOR >= 8)
+ub_resolve_event_callback(void* arg, int rcode, void *pkt, int pkt_len,
+    int sec, char* why_bogus, int was_ratelimited)
+{
+	(void) was_ratelimited;
+#else
+static void
 ub_resolve_event_callback(void* arg, int rcode, void *pkt, int pkt_len,
     int sec, char* why_bogus)
 {
+#endif
 	getdns_network_req *netreq = (getdns_network_req *) arg;
 	getdns_dns_req *dns_req = netreq->owner;
 

From 61cae868e393a316b8327852073751eeab3eedc9 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 17 Jan 2019 11:24:40 +0000
Subject: [PATCH 264/303] Update ChangeLog to include changes in this branch.

---
 ChangeLog | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2f2023dd..234077f2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,11 +1,17 @@
 * 2019-01-11: Version 1.5.1
+  * Introduce proof of concept GnuTLS implementation. Incomplete support
+    for Trust Anchor validation. Requires GnuTLS DANE library. Currently
+    untested with GnuTLS prior to 3.5.19, so configure demands a minumum
+    version of 3.5.0.
+  * Be consistent and always fail connection setup if setting ciphers/curves/
+    TLS version/cipher suites fails.
+  * Refactor OpenSSL usage into modules under src/openssl.
+    Drop support for LibreSSL and versions of OpenSSL prior to 1.0.2.
   * PR #414: remove TLS13 ciphers from cipher_list, but
     only when SSL_CTX_set_ciphersuites is available.
     Thanks Bruno Pagani
   * Issue #415: Filter out #defines etc. when creating
     symbols file.  Thanks Zero King
-  * Be consistent and always fail connection setup if setting ciphers/curves/
-    TLS version/cipher suites fails.
 
 * 2018-12-21: Version 1.5.0
   * RFE getdnsapi/stubby#121 log re-instantiating TLS

From 79fbef07d889559da688a208d1adf06f94cf94e7 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 10:27:17 +0100
Subject: [PATCH 265/303] type specifier misplaced by #ifdef unclarity

---
 src/general.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/general.c b/src/general.c
index 43cc7bd0..3ed067ba 100644
--- a/src/general.c
+++ b/src/general.c
@@ -251,8 +251,8 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
 
 #ifdef HAVE_LIBUNBOUND
 #ifdef HAVE_UNBOUND_EVENT_API
-static void
 #if UNBOUND_VERSION_MAJOR > 1 || (UNBOUND_VERSION_MAJOR == 1 && UNBOUND_VERSION_MINOR >= 8)
+static void
 ub_resolve_event_callback(void* arg, int rcode, void *pkt, int pkt_len,
     int sec, char* why_bogus, int was_ratelimited)
 {

From ac379787a21b55c98116afb40ff447d188573684 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 10:29:20 +0100
Subject: [PATCH 266/303] Reassure clang static analyzer that all is OK

---
 src/compat/arc4random.c  | 3 +++
 src/test/tpkg/run-all.sh | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/compat/arc4random.c b/src/compat/arc4random.c
index b2159abd..3ba57dc1 100644
--- a/src/compat/arc4random.c
+++ b/src/compat/arc4random.c
@@ -171,6 +171,9 @@ _rs_init(u_char *buf, size_t n)
 		if(!rsx)
 			abort();
 #endif
+		/* Pleast older clang scan-build */
+		if (!buf)
+			buf = rsx->rs_buf;
 	}
 
 	chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8, 0);
diff --git a/src/test/tpkg/run-all.sh b/src/test/tpkg/run-all.sh
index 94a5623a..0822a159 100755
--- a/src/test/tpkg/run-all.sh
+++ b/src/test/tpkg/run-all.sh
@@ -11,7 +11,8 @@ control_c()
 }
 
 
-for TEST_PKG in ${SRCDIR}/*.tpkg
+# for TEST_PKG in ${SRCDIR}/*.tpkg
+for TEST_PKG in ${SRCDIR}/400-static-analysis.tpkg
 do
 	"${TPKG}" $* exe "${TEST_PKG}"
 	# trap keyboard interrupt (control-c)

From 0af9a629f4695d081dfec8e4b60f59bfb50bad58 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 10:50:57 +0100
Subject: [PATCH 267/303] Does smaller delay make a difference?

---
 .../280-limit_outstanding_queries.c                             | 2 +-
 .../285-out_of_filedescriptors.c                                | 2 +-
 src/test/tpkg/run-all.sh                                        | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c
index 8337caf4..3d3f2429 100644
--- a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c
+++ b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c
@@ -98,7 +98,7 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type,
 		trans->ev.timeout_cb = delay_cb;
 
 		if (getdns_context_get_eventloop(context, &trans->loop)
-		||  trans->loop->vmt->schedule(trans->loop, -1, 300, &trans->ev))
+		||  trans->loop->vmt->schedule(trans->loop, -1, 200, &trans->ev))
 			fprintf(stderr, "Could not schedule delay\n");
 		else	return;
 	}
diff --git a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c
index 88ecaf20..4135b74a 100644
--- a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c
+++ b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c
@@ -103,7 +103,7 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type,
 		fprintf(stderr, "sched delay for query %s, n_request %d\n", fqdn, (int)n_requests);
 		free(fqdn);
 		if (getdns_context_get_eventloop(context, &trans->loop)
-		||  trans->loop->vmt->schedule(trans->loop, -1, 300, &trans->ev))
+		||  trans->loop->vmt->schedule(trans->loop, -1, 200, &trans->ev))
 			fprintf(stderr, "Could not schedule delay\n");
 		else	return;
 	}
diff --git a/src/test/tpkg/run-all.sh b/src/test/tpkg/run-all.sh
index 0822a159..cc59ed6b 100755
--- a/src/test/tpkg/run-all.sh
+++ b/src/test/tpkg/run-all.sh
@@ -12,7 +12,7 @@ control_c()
 
 
 # for TEST_PKG in ${SRCDIR}/*.tpkg
-for TEST_PKG in ${SRCDIR}/400-static-analysis.tpkg
+for TEST_PKG in ${SRCDIR}/280-limit_outstanding_queries.tpkg ${SRCDIR}/285-out_of_filedescriptors.tpkg
 do
 	"${TPKG}" $* exe "${TEST_PKG}"
 	# trap keyboard interrupt (control-c)

From 8980f5f5ee5df0f780764bdc70fbf38b57dd5ba3 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 11:41:00 +0100
Subject: [PATCH 268/303] Fix nested scheduling with getdns_query -F and -I

+ add 1 millisecond delay between batched queries, just because...
---
 src/tools/getdns_query.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index 25f27d60..7845a407 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -1181,7 +1181,7 @@ getdns_return_t do_the_call(void)
 			r = GETDNS_RETURN_GENERIC_ERROR;
 			break;
 		}
-		if (r == GETDNS_RETURN_GOOD && !batch_mode) 
+		if (r == GETDNS_RETURN_GOOD && !batch_mode && !interactive) 
 			getdns_context_run(context);
 		if (r != GETDNS_RETURN_GOOD)
 			fprintf(stderr, "An error occurred: %d '%s'\n", (int)r,
@@ -1258,6 +1258,17 @@ static void incoming_request_handler(getdns_context *context,
     void *userarg, getdns_transaction_t request_id);
 
 
+void read_line_cb(void *userarg);
+void read_line_tiny_delay_cb(void *userarg)
+{
+	getdns_eventloop_event *read_line_ev = userarg;
+
+	loop->vmt->clear(loop, read_line_ev);
+	read_line_ev->timeout_cb = NULL;
+	read_line_ev->read_cb = read_line_cb;
+	loop->vmt->schedule(loop, fileno(fp), -1, read_line_ev);
+}
+
 void read_line_cb(void *userarg)
 {
 	getdns_eventloop_event *read_line_ev = userarg;
@@ -1312,9 +1323,18 @@ void read_line_cb(void *userarg)
 	    (r != CONTINUE && r != CONTINUE_ERROR))
 		loop->vmt->clear(loop, read_line_ev);
 
-	else if (! query_file) {
-		printf("> ");
-		fflush(stdout);
+	else {
+		/* Tiny delay, to make sending queries less bursty with
+		 * -F parameter.
+		 */
+		loop->vmt->clear(loop, read_line_ev);
+		read_line_ev->read_cb = NULL;
+		read_line_ev->timeout_cb = read_line_tiny_delay_cb;
+		loop->vmt->schedule(loop, fileno(fp), 1, read_line_ev);
+		if (! query_file) {
+			printf("> ");
+			fflush(stdout);
+		}
 	}
 }
 

From cdc0d4331556993b637d0bbfad879fa34e4b840d Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 23 Jan 2019 11:34:02 +0000
Subject: [PATCH 269/303] Correct auth state thinko. Spotter credit to Willem.

---
 src/stub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/stub.c b/src/stub.c
index 05e48f0a..c5a467fe 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -845,7 +845,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 	
 	if (r) {
 		_getdns_tls_connection_free(&upstream->upstreams->mf, tls);
-		upstream->tls_auth_state = r;
+		upstream->tls_auth_state = GETDNS_AUTH_NONE;
 		return NULL;
 	}
 

From d71dccaf2cbae24d20a4cb981bd80d7c9667c1ea Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 12:43:20 +0100
Subject: [PATCH 270/303] - Nested getdns_context_runt() prevention

- Fix address query with qname and missing qtype for -I and -F too
- disable tiny delay again
---
 src/tools/getdns_query.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index 7845a407..95866587 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -74,9 +74,11 @@ static getdns_dict *listen_dict = NULL;
 static size_t pincount = 0;
 static size_t listen_count = 0;
 static uint16_t request_type = GETDNS_RRTYPE_NS;
+static int got_rrtype = 0;
 static int timeout, edns0_size, padding_blocksize;
 static int async = 0, interactive = 0;
 static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL;
+static int got_calltype = 0;
 static int bogus_answers = 0;
 static int check_dnssec = 0;
 #ifndef USE_WINSOCK
@@ -581,8 +583,6 @@ getdns_return_t parse_args(int argc, char **argv)
 	size_t upstream_count = 0;
 	FILE *fh;
 	int int_value;
-	int got_rrtype = 0;
-	int got_calltype = 0;
 	int got_qname = 0;
 
 	for (i = 1; i < argc; i++) {
@@ -1271,12 +1271,15 @@ void read_line_tiny_delay_cb(void *userarg)
 
 void read_line_cb(void *userarg)
 {
+	static int n = 0;
 	getdns_eventloop_event *read_line_ev = userarg;
 	getdns_return_t r;
 
 	char line[1024], *token, *linev[256];
 	int linec;
 
+	assert(n == 0);
+	n += 1;
 	if (!fgets(line, 1024, fp) || !*line) {
 		if (query_file && verbosity)
 			fprintf(stdout,"End of file.");
@@ -1287,6 +1290,7 @@ void read_line_cb(void *userarg)
 		if (interactive && !query_file)
 			(void) getdns_context_set_upstream_recursive_servers(
 			    context, NULL);
+		n -= 1;
 		return;
 	}
 	if (query_file && verbosity)
@@ -1299,6 +1303,7 @@ void read_line_cb(void *userarg)
 			printf("> ");
 			fflush(stdout);
 		}
+		n -= 1;
 		return;
 	}
 	if (*token == '#') {
@@ -1308,6 +1313,7 @@ void read_line_cb(void *userarg)
 			printf("> ");
 			fflush(stdout);
 		}
+		n -= 1;
 		return;
 	}
 	do linev[linec++] = token;
@@ -1324,18 +1330,22 @@ void read_line_cb(void *userarg)
 		loop->vmt->clear(loop, read_line_ev);
 
 	else {
+#if 0
 		/* Tiny delay, to make sending queries less bursty with
 		 * -F parameter.
+		 *
 		 */
 		loop->vmt->clear(loop, read_line_ev);
 		read_line_ev->read_cb = NULL;
 		read_line_ev->timeout_cb = read_line_tiny_delay_cb;
 		loop->vmt->schedule(loop, fileno(fp), 1, read_line_ev);
+#endif
 		if (! query_file) {
 			printf("> ");
 			fflush(stdout);
 		}
 	}
+	n -= 1;
 }
 
 typedef struct dns_msg {

From 35f2ce37c001e5689040d96ce29ae6cae12819cf Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 12:49:22 +0100
Subject: [PATCH 271/303] Restore original serve delays

---
 .../280-limit_outstanding_queries.c                             | 2 +-
 .../285-out_of_filedescriptors.c                                | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c
index 3d3f2429..8337caf4 100644
--- a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c
+++ b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c
@@ -98,7 +98,7 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type,
 		trans->ev.timeout_cb = delay_cb;
 
 		if (getdns_context_get_eventloop(context, &trans->loop)
-		||  trans->loop->vmt->schedule(trans->loop, -1, 200, &trans->ev))
+		||  trans->loop->vmt->schedule(trans->loop, -1, 300, &trans->ev))
 			fprintf(stderr, "Could not schedule delay\n");
 		else	return;
 	}
diff --git a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c
index 4135b74a..88ecaf20 100644
--- a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c
+++ b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c
@@ -103,7 +103,7 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type,
 		fprintf(stderr, "sched delay for query %s, n_request %d\n", fqdn, (int)n_requests);
 		free(fqdn);
 		if (getdns_context_get_eventloop(context, &trans->loop)
-		||  trans->loop->vmt->schedule(trans->loop, -1, 200, &trans->ev))
+		||  trans->loop->vmt->schedule(trans->loop, -1, 300, &trans->ev))
 			fprintf(stderr, "Could not schedule delay\n");
 		else	return;
 	}

From e657024531f66afc568d77551957ce2b43e6ea46 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 12:50:44 +0100
Subject: [PATCH 272/303] Run all unit tests again

---
 src/test/tpkg/run-all.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/test/tpkg/run-all.sh b/src/test/tpkg/run-all.sh
index cc59ed6b..94a5623a 100755
--- a/src/test/tpkg/run-all.sh
+++ b/src/test/tpkg/run-all.sh
@@ -11,8 +11,7 @@ control_c()
 }
 
 
-# for TEST_PKG in ${SRCDIR}/*.tpkg
-for TEST_PKG in ${SRCDIR}/280-limit_outstanding_queries.tpkg ${SRCDIR}/285-out_of_filedescriptors.tpkg
+for TEST_PKG in ${SRCDIR}/*.tpkg
 do
 	"${TPKG}" $* exe "${TEST_PKG}"
 	# trap keyboard interrupt (control-c)

From f72fe60035f465c1f9269ffa21acdd9de32b77b1 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 13:55:29 +0100
Subject: [PATCH 273/303] Cannot reuse qname (via name) after read_line_cb..

.. returns.
---
 src/tools/getdns_query.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index 95866587..b3dca443 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -62,8 +62,7 @@ static int quiet = 0;
 static int batch_mode = 0;
 static char *query_file = NULL;
 static int json = 0;
-static char *the_root = ".";
-static char *name;
+static char name[2048] = ".";
 static getdns_context *context;
 static getdns_dict *extensions;
 static getdns_dict *query_extensions_spc = NULL;
@@ -659,7 +658,11 @@ getdns_return_t parse_args(int argc, char **argv)
 
 		} else if (arg[0] != '-') {
 			got_qname = 1;
-			name = arg;
+			if (strlen(arg) > sizeof(name)) {
+				fprintf(stderr, "Query name too long\n");
+				return GETDNS_RETURN_BAD_DOMAIN_NAME;
+			}
+			(void) strlcpy(name, arg, sizeof(name));
 			continue;
 		}
 		for (c = arg+1; *c; c++) {
@@ -1770,7 +1773,6 @@ main(int argc, char **argv)
 {
 	getdns_return_t r;
 
-	name = the_root;
 	if ((r = getdns_context_create(&context, 1))) {
 		fprintf(stderr, "Create context failed: %d\n", (int)r);
 		return r;

From cad7eb2461e20d206436bd3968b0544d68f0640e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 14:06:04 +0100
Subject: [PATCH 274/303] Probably the strlcpy

---
 src/tools/getdns_query.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index b3dca443..dc866586 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -657,12 +657,15 @@ getdns_return_t parse_args(int argc, char **argv)
 			continue;
 
 		} else if (arg[0] != '-') {
+			size_t arg_len = strlen(arg);
+
 			got_qname = 1;
-			if (strlen(arg) > sizeof(name)) {
+			if (arg_len > sizeof(name) - 1) {
 				fprintf(stderr, "Query name too long\n");
 				return GETDNS_RETURN_BAD_DOMAIN_NAME;
 			}
-			(void) strlcpy(name, arg, sizeof(name));
+			(void) memcpy(name, arg, arg_len);
+			name[arg_len] = 0;
 			continue;
 		}
 		for (c = arg+1; *c; c++) {

From 7c1b43b4208c3bb984dae7249c0f5a34061fea3a Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 23 Jan 2019 14:33:35 +0000
Subject: [PATCH 275/303] Fix sole pinset validation with ssl_dane library

---
 src/openssl/tls-internal.h | 2 +-
 src/openssl/tls.c          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h
index e640150d..615f79e3 100644
--- a/src/openssl/tls-internal.h
+++ b/src/openssl/tls-internal.h
@@ -67,7 +67,7 @@ typedef struct _getdns_tls_connection {
 	const getdns_log_config* log;
 #if defined(USE_DANESSL)
 	const char* auth_name;
-	sha256_pin_t* pinset;
+	const sha256_pin_t* pinset;
 #endif
 } _getdns_tls_connection;
 
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 33e37a4c..3a8878ce 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -904,7 +904,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	if (!conn || !conn->ssl || !auth_name)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-#if defined(USE_DANE_SSL)
+#if defined(USE_DANESSL)
 	/* Stash auth name and pinset away for use in cert verification. */
 	conn->auth_name = auth_name;
 	conn->pinset = pinset;

From c68f5a7a8d2dcd166cea0a55e8ef1f26f7025dac Mon Sep 17 00:00:00 2001
From: Havard Eidnes <he@uninett.no>
Date: Mon, 28 Jan 2019 11:24:10 +0100
Subject: [PATCH 276/303] Fix various build warnings uncovered on NetBSD
 w/pkgsrc.

The isxxxx() and toxxxx() functions have a limited well-defined
input value range, namely that of "unsigned char" plus EOF.  Cast
args accordingly.

Bring strncasecmp() into scope by including <strings.h>.
---
 src/context.c                 | 1 +
 src/convert.c                 | 2 +-
 src/tools/getdns_query.c      | 4 ++--
 src/tools/getdns_server_mon.c | 2 +-
 src/util-internal.c           | 4 ++--
 5 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/context.c b/src/context.c
index aa0478ff..0a0e4456 100644
--- a/src/context.c
+++ b/src/context.c
@@ -55,6 +55,7 @@ typedef unsigned short in_port_t;
 
 #include <sys/stat.h>
 #include <string.h>
+#include <strings.h>
 #include <stdio.h>
 #include <stdlib.h>
 
diff --git a/src/convert.c b/src/convert.c
index 53d98e99..42365c84 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -1670,7 +1670,7 @@ getdns_str2dict(const char *str, getdns_dict **dict)
 	if (!str || !dict)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	while (*str && isspace(*str))
+	while (*str && isspace((unsigned char)*str))
 		str++;
 
 	if (*str != '{') {
diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index dc866586..80b94dbd 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -98,7 +98,7 @@ static int get_rrtype(const char *t)
 	if (strlen(t) > sizeof(buf) - 15)
 		return -1;
 	for (i = 14; *t && i < sizeof(buf) - 1; i++, t++)
-		buf[i] = *t == '-' ? '_' : toupper(*t);
+		buf[i] = *t == '-' ? '_' : toupper((unsigned char)*t);
 	buf[i] = '\0';
 
 	if (!getdns_str2int(buf, &rrtype))
@@ -123,7 +123,7 @@ static int get_rrclass(const char *t)
 	if (strlen(t) > sizeof(buf) - 16)
 		return -1;
 	for (i = 15; *t && i < sizeof(buf) - 1; i++, t++)
-		buf[i] = toupper(*t);
+		buf[i] = toupper((unsigned char)*t);
 	buf[i] = '\0';
 
 	if (!getdns_str2int(buf, &rrclass))
diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 3b2d1045..a11ed55e 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -130,7 +130,7 @@ static int get_rrtype(const char *t)
         if (strlen(t) > sizeof(buf) - 15)
                 return -1;
         for (i = 14; *t && i < sizeof(buf) - 1; i++, t++)
-                buf[i] = *t == '-' ? '_' : toupper(*t);
+                buf[i] = *t == '-' ? '_' : toupper((unsigned char)*t);
         buf[i] = '\0';
 
         if (!getdns_str2int(buf, &rrtype))
diff --git a/src/util-internal.c b/src/util-internal.c
index a592b90d..be919637 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -1428,9 +1428,9 @@ _getdns_validate_dname(const char* dname) {
                 break;
 	    case '\\':
 		s += 1;
-		if (isdigit(s[0])) {
+		if (isdigit((unsigned char)s[0])) {
 			/* octet value */
-			if (! isdigit(s[1]) && ! isdigit(s[2]))
+			if (! isdigit((unsigned char)s[1]) && ! isdigit((unsigned char)s[2]))
 				return GETDNS_RETURN_BAD_DOMAIN_NAME;
 
 			if ((s[0] - '0') * 100 +

From 0fef131e9b31593a4c4be41a9980ab52700d4d23 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Mon, 4 Feb 2019 15:46:10 +0100
Subject: [PATCH 277/303] bugfix #418 duplicate ,'s in Windows build

---
 src/openssl/tls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 33e37a4c..e53cb60b 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -194,7 +194,7 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx, const getdns_log_config* log)
 	PCCERT_CONTEXT  pTargetCert = NULL;
 
 	_getdns_log(log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG
-	    , "%s: %s\n", STUB_DEBUG_SETUP_TLS,
+	    , "%s: %s\n", STUB_DEBUG_SETUP_TLS
 	    , "Adding Windows certificates from system root store to CA store")
 	    ;
 
@@ -244,7 +244,7 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx, const getdns_log_config* log)
 		if (!cert1) {
 			/* return error if a cert fails */
 			_getdns_log(log
-			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR,
+			    , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
 			    , "%s: %s %d:%s\n"
 			    , STUB_DEBUG_SETUP_TLS
 			    , "Unable to parse certificate in memory"

From c3d0afd47d9693588b4c7d16aca3856425d07a96 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Feb 2019 10:29:39 +0100
Subject: [PATCH 278/303] Issue #419: Escape backslashes when printing json

Thanks boB Rudis
---
 ChangeLog           |  4 ++++
 src/dict.c          | 28 +++++++++++++++++++++++-----
 src/gldns/gbuffer.c |  2 ++
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 234077f2..dccc733d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+* 2019-??-??: Version 1.?.?
+  * Issue #419: Escape backslashed when printing in JSON format.
+    Thanks boB Rudis
+
 * 2019-01-11: Version 1.5.1
   * Introduce proof of concept GnuTLS implementation. Incomplete support
     for Trust Anchor validation. Requires GnuTLS DANE library. Currently
diff --git a/src/dict.c b/src/dict.c
index d2ce53a9..69c8d06d 100644
--- a/src/dict.c
+++ b/src/dict.c
@@ -782,13 +782,31 @@ getdns_pp_bindata(gldns_buffer *buf, getdns_bindata *bindata,
 
 	if (bindata->size > 0 && i == bindata->size) {     /* all printable? */
 
-		if (json)
-			(void)snprintf(spc, sizeof(spc), "\"%%.%ds\"", (int)i);
-		else
+		if (json) {
+			const uint8_t *s = bindata->data;
+			const uint8_t *e = s + bindata->size;
+			const uint8_t *b;
+
+			if (!gldns_buffer_reserve(buf, (e - s) + 2))
+				return -1;
+			gldns_buffer_write_u8(buf, '"');
+			while ((b = memchr(s, '\\', e - s))) {
+				if (!gldns_buffer_reserve(buf, (b - s) + 3))
+					return -1;
+				gldns_buffer_write(buf, s, b - s);
+				gldns_buffer_write_u8(buf, '\\');
+				gldns_buffer_write_u8(buf, '\\');
+				s = b + 1;
+			}
+			if (s < e)
+			       	gldns_buffer_write(buf, s, e - s);
+			gldns_buffer_write_u8(buf, '"');
+		} else {
 			(void)snprintf(spc, sizeof(spc), "of \"%%.%ds\"%s>",
 			    (int)(i > 32 ? 32 : i), (i > 32 ? "..." : ""));
-		if (gldns_buffer_printf(buf, spc, bindata->data) < 0)
-			return -1;
+			if (gldns_buffer_printf(buf, spc, bindata->data) < 0)
+				return -1;
+		}
 
 	} else if (bindata->size > 1 &&         /* null terminated printable */
 	    i == bindata->size - 1 && bindata->data[i] == 0) {
diff --git a/src/gldns/gbuffer.c b/src/gldns/gbuffer.c
index 180fa631..3b39f438 100644
--- a/src/gldns/gbuffer.c
+++ b/src/gldns/gbuffer.c
@@ -106,6 +106,8 @@ int
 gldns_buffer_reserve(gldns_buffer *buffer, size_t amount)
 {
 	gldns_buffer_invariant(buffer);
+	if (buffer->_vfixed)
+		return 1;
 	assert(!buffer->_fixed);
 	if (buffer->_capacity < buffer->_position + amount) {
 		size_t new_capacity = buffer->_capacity * 3 / 2;

From 71b773ab2f80bbe95463c389d683aac55c1c3dc0 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Feb 2019 10:44:49 +0100
Subject: [PATCH 279/303] '"' needs to be escaped too in json

---
 src/dict.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/dict.c b/src/dict.c
index 69c8d06d..f1ccb1a4 100644
--- a/src/dict.c
+++ b/src/dict.c
@@ -790,12 +790,18 @@ getdns_pp_bindata(gldns_buffer *buf, getdns_bindata *bindata,
 			if (!gldns_buffer_reserve(buf, (e - s) + 2))
 				return -1;
 			gldns_buffer_write_u8(buf, '"');
-			while ((b = memchr(s, '\\', e - s))) {
+			for (;;) {
+				for ( b = s
+				    ; b < e && *b != '\\' && *b != '"'
+				    ; b++)
+					; /* pass */
+				if (b == e)
+					break;
 				if (!gldns_buffer_reserve(buf, (b - s) + 3))
 					return -1;
 				gldns_buffer_write(buf, s, b - s);
 				gldns_buffer_write_u8(buf, '\\');
-				gldns_buffer_write_u8(buf, '\\');
+				gldns_buffer_write_u8(buf, *b);
 				s = b + 1;
 			}
 			if (s < e)

From 034b775e5c69d223c9b0e2101a6acae6874d327f Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Feb 2019 13:36:39 +0100
Subject: [PATCH 280/303] DOA & AMTRELAY RR types implementation

---
 ChangeLog              |   2 +
 src/const-info.c       |   1 +
 src/getdns/getdns.h.in |   1 +
 src/gldns/rrdef.c      |  15 +++
 src/gldns/rrdef.h      |   8 +-
 src/gldns/str2wire.c   |  76 ++++++++++++++
 src/gldns/str2wire.h   |   9 ++
 src/gldns/wire2str.c   |  58 +++++++++++
 src/gldns/wire2str.h   |  15 +++
 src/rr-dict.c          | 228 ++++++++++++++++++++++++++++++++++++++++-
 10 files changed, 407 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index dccc733d..b50e946c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 * 2019-??-??: Version 1.?.?
   * Issue #419: Escape backslashed when printing in JSON format.
     Thanks boB Rudis
+  * DOA rr-type
+  * AMTRELAY rr-type
 
 * 2019-01-11: Version 1.5.1
   * Introduce proof of concept GnuTLS implementation. Incomplete support
diff --git a/src/const-info.c b/src/const-info.c
index ebff80a4..6265c523 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -303,6 +303,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_A6", 38 },
 	{ "GETDNS_RRTYPE_AAAA", 28 },
 	{ "GETDNS_RRTYPE_AFSDB", 18 },
+	{ "GETDNS_RRTYPE_AMTRELAY", 260 },
 	{ "GETDNS_RRTYPE_ANY", 255 },
 	{ "GETDNS_RRTYPE_APL", 42 },
 	{ "GETDNS_RRTYPE_ATMA", 34 },
diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in
index 5e4873b5..b2702d43 100644
--- a/src/getdns/getdns.h.in
+++ b/src/getdns/getdns.h.in
@@ -439,6 +439,7 @@ typedef enum getdns_callback_type_t {
 #define GETDNS_RRTYPE_CAA       257
 #define GETDNS_RRTYPE_AVC       258
 #define GETDNS_RRTYPE_DOA       259
+#define GETDNS_RRTYPE_AMTRELAY  260
 #define GETDNS_RRTYPE_TA        32768
 #define GETDNS_RRTYPE_DLV       32769
 /** @}
diff --git a/src/gldns/rrdef.c b/src/gldns/rrdef.c
index 9f27a5a1..114f807e 100644
--- a/src/gldns/rrdef.c
+++ b/src/gldns/rrdef.c
@@ -232,6 +232,15 @@ static const gldns_rdf_type type_caa_wireformat[] = {
 	GLDNS_RDF_TYPE_TAG,
 	GLDNS_RDF_TYPE_LONG_STR
 };
+#ifdef DRAFT_RRTYPES
+static const gldns_rdf_type type_doa_wireformat[] = {
+	GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT8,
+	GLDNS_RDF_TYPE_STR, GLDNS_RDF_TYPE_B64
+};
+static const gldns_rdf_type type_amtrelay_wireformat[] = {
+	GLDNS_RDF_TYPE_AMTRELAY
+};
+#endif
 
 /* All RR's defined in 1035 are well known and can thus
  * be compressed. See RFC3597. These RR's are:
@@ -608,8 +617,14 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 #ifdef DRAFT_RRTYPES
 	/* 258 */
 	{GLDNS_RR_TYPE_AVC, "AVC", 1, 0, NULL, GLDNS_RDF_TYPE_STR, GLDNS_RR_NO_COMPRESS, 0 },
+	/* 259 */
+	{GLDNS_RR_TYPE_DOA, "DOA", 1, 0, type_doa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+	/* 260 */
+	{GLDNS_RR_TYPE_AMTRELAY, "AMTRELAY", 1, 0, type_amtrelay_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 #else
 {GLDNS_RR_TYPE_NULL, "TYPE258", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{GLDNS_RR_TYPE_NULL, "TYPE259", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{GLDNS_RR_TYPE_NULL, "TYPE260", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 #endif
 
 /* split in array, no longer contiguous */
diff --git a/src/gldns/rrdef.h b/src/gldns/rrdef.h
index a11984b3..a393dc8e 100644
--- a/src/gldns/rrdef.h
+++ b/src/gldns/rrdef.h
@@ -38,7 +38,7 @@ extern "C" {
 #define GLDNS_KEY_REVOKE_KEY 0x0080 /* used to revoke KSK, rfc 5011 */
 
 /* The first fields are contiguous and can be referenced instantly */
-#define GLDNS_RDATA_FIELD_DESCRIPTORS_COMMON 259
+#define GLDNS_RDATA_FIELD_DESCRIPTORS_COMMON 260
 
 /** lookuptable for rr classes  */
 extern struct gldns_struct_lookup_table* gldns_rr_classes;
@@ -226,7 +226,8 @@ enum gldns_enum_rr_type
 	GLDNS_RR_TYPE_URI = 256, /* RFC 7553 */
 	GLDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
 	GLDNS_RR_TYPE_AVC = 258,
-	GLDNS_RR_TYPE_DOA = 259,
+	GLDNS_RR_TYPE_DOA = 259, /* draft-durand-doa-over-dns */
+	GLDNS_RR_TYPE_AMTRELAY= 260, /* draft-ietf-mboned-driad-amt-discovery */
 
 	/** DNSSEC Trust Authorities */
 	GLDNS_RR_TYPE_TA = 32768,
@@ -351,6 +352,9 @@ enum gldns_enum_rdf_type
          */
         GLDNS_RDF_TYPE_LONG_STR,
 
+	/* draft-ietf-mboned-driad-amt-discovery */
+	GLDNS_RDF_TYPE_AMTRELAY,
+
 	/** TSIG extended 16bit error value */
 	GLDNS_RDF_TYPE_TSIGERROR,
 
diff --git a/src/gldns/str2wire.c b/src/gldns/str2wire.c
index 26c2ea6f..708df50e 100644
--- a/src/gldns/str2wire.c
+++ b/src/gldns/str2wire.c
@@ -997,6 +997,8 @@ int gldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
 		return gldns_str2wire_hip_buf(str, rd, len);
 	case GLDNS_RDF_TYPE_INT16_DATA:
 		return gldns_str2wire_int16_data_buf(str, rd, len);
+	case GLDNS_RDF_TYPE_AMTRELAY:
+		return gldns_str2wire_amtrelay_buf(str, rd, len);
 	case GLDNS_RDF_TYPE_UNKNOWN:
 	case GLDNS_RDF_TYPE_SERVICE:
 		return GLDNS_WIREPARSE_ERR_NOT_IMPL;
@@ -2118,3 +2120,77 @@ int gldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
 	*len = ((size_t)n)+2;
 	return GLDNS_WIREPARSE_ERR_OK;
 }
+
+int gldns_str2wire_amtrelay_buf(const char* str, uint8_t* rd, size_t* len)
+{
+	size_t relay_len = 0;
+	int s;
+	uint8_t relay_type;
+	char token[512];
+	gldns_buffer strbuf;
+	gldns_buffer_init_frm_data(&strbuf, (uint8_t*)str, strlen(str));
+
+	if(*len < 2)
+		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+	/* precedence */
+	if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	rd[0] = (uint8_t)atoi(token);
+	/* discovery_optional */
+	if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	if ((token[0] != '0' && token[0] != '1') || token[1] != 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+
+	rd[1] = *token == '1' ? 0x80 : 0x00;
+	/* relay_type */
+	if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	relay_type = (uint8_t)atoi(token);
+	if (relay_type > 0x7F)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	rd[1] |= relay_type;
+
+	if (relay_type == 0) {
+		*len = 2;
+		return GLDNS_WIREPARSE_ERR_OK;
+	}
+	/* relay */
+	if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	if(relay_type == 1) {
+		/* IP4 */
+		relay_len = *len - 2;
+		s = gldns_str2wire_a_buf(token, rd+2, &relay_len);
+		if(s) return RET_ERR_SHIFT(s, gldns_buffer_position(&strbuf));
+	} else if(relay_type == 2) {
+		/* IP6 */
+		relay_len = *len - 2;
+		s = gldns_str2wire_aaaa_buf(token, rd+2, &relay_len);
+		if(s) return RET_ERR_SHIFT(s, gldns_buffer_position(&strbuf));
+	} else if(relay_type == 3) {
+		/* DNAME */
+		relay_len = *len - 2;
+		s = gldns_str2wire_dname_buf(token, rd+2, &relay_len);
+		if(s) return RET_ERR_SHIFT(s, gldns_buffer_position(&strbuf));
+	} else {
+		/* unknown gateway type */
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	}
+	/* double check for size */
+	if(*len < 2 + relay_len)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
+			gldns_buffer_position(&strbuf));
+
+	*len = 2 + relay_len;
+	return GLDNS_WIREPARSE_ERR_OK;
+}
+
+
diff --git a/src/gldns/str2wire.h b/src/gldns/str2wire.h
index 2aba0e10..293a4981 100644
--- a/src/gldns/str2wire.h
+++ b/src/gldns/str2wire.h
@@ -554,6 +554,15 @@ int gldns_str2wire_hip_buf(const char* str, uint8_t* rd, size_t* len);
  */
 int gldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len);
 
+/**
+ * Convert rdf of type GLDNS_RDF_TYPE_AMTRELAY from string to wireformat.
+ * @param str: the text to convert for this rdata element.
+ * @param rd: rdata buffer for the wireformat.
+ * @param len: length of rd buffer on input, used length on output.
+ * @return 0 on success, error on failure.
+ */
+int gldns_str2wire_amtrelay_buf(const char* str, uint8_t* rd, size_t* len);
+
 /**
  * Strip whitespace from the start and the end of line.
  * @param line: modified with 0 to shorten it.
diff --git a/src/gldns/wire2str.c b/src/gldns/wire2str.c
index 54e336d8..28b7863b 100644
--- a/src/gldns/wire2str.c
+++ b/src/gldns/wire2str.c
@@ -1004,6 +1004,9 @@ int gldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 		return gldns_wire2str_tag_scan(d, dlen, s, slen);
 	case GLDNS_RDF_TYPE_LONG_STR:
 		return gldns_wire2str_long_str_scan(d, dlen, s, slen);
+	case GLDNS_RDF_TYPE_AMTRELAY:
+		return gldns_wire2str_amtrelay_scan(d, dlen, s, slen, pkt,
+			pktlen);
 	case GLDNS_RDF_TYPE_TSIGERROR:
 		return gldns_wire2str_tsigerror_scan(d, dlen, s, slen);
 	}
@@ -1707,6 +1710,61 @@ int gldns_wire2str_long_str_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	return w;
 }
 
+/* internal scan routine that can modify arguments on failure */
+static int gldns_wire2str_amtrelay_scan_internal(uint8_t** d, size_t* dl,
+	char** s, size_t* sl, uint8_t* pkt, size_t pktlen)
+{
+	/* https://www.ietf.org/id/draft-ietf-mboned-driad-amt-discovery-01.txt */
+	uint8_t precedence, discovery_optional, relay_type;
+	int w = 0;
+
+	if(*dl < 2) return -1;
+	precedence = (*d)[0];
+	discovery_optional= (*d)[1] >> 7;
+	relay_type = (*d)[1] % 0x7F;
+	if(relay_type > 3)
+		return -1; /* unknown */
+	(*d)+=2;
+	(*dl)-=2;
+	w += gldns_str_print(s, sl, "%d %d %d ",
+		(int)precedence, (int)discovery_optional, (int)relay_type);
+
+	switch(relay_type) {
+	case 0: /* no relay */
+		break;
+	case 1: /* ip4 */
+		w += gldns_wire2str_a_scan(d, dl, s, sl);
+		break;
+	case 2: /* ip6 */
+		w += gldns_wire2str_aaaa_scan(d, dl, s, sl);
+		break;
+	case 3: /* dname */
+		w += gldns_wire2str_dname_scan(d, dl, s, sl, pkt, pktlen);
+		break;
+	default: /* unknown */
+		return -1;
+	}
+	return w;
+}
+
+int gldns_wire2str_amtrelay_scan(uint8_t** d, size_t* dl, char** s, size_t* sl,
+	uint8_t* pkt, size_t pktlen)
+{
+	uint8_t* od = *d;
+	char* os = *s;
+	size_t odl = *dl, osl = *sl;
+	int w=gldns_wire2str_amtrelay_scan_internal(d, dl, s, sl, pkt, pktlen);
+	if(w == -1) {
+		*d = od;
+		*s = os;
+		*dl = odl;
+		*sl = osl;
+		return -1;
+	}
+	return w;
+}
+
+
 int gldns_wire2str_tsigerror_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 {
 	gldns_lookup_table *lt;
diff --git a/src/gldns/wire2str.h b/src/gldns/wire2str.h
index a7a7c930..99a737a1 100644
--- a/src/gldns/wire2str.h
+++ b/src/gldns/wire2str.h
@@ -916,6 +916,21 @@ int gldns_wire2str_tag_scan(uint8_t** data, size_t* data_len, char** str,
 int gldns_wire2str_long_str_scan(uint8_t** data, size_t* data_len, char** str,
 	size_t* str_len);
 
+/**
+ * Scan wireformat AMTRELAY field to string, with user buffers.
+ * It shifts the arguments to move along (see gldns_wire2str_pkt_scan).
+ * @param data: wireformat data.
+ * @param data_len: length of data buffer.
+ * @param str: string buffer.
+ * @param str_len: length of string buffer.
+ * @param pkt: packet for decompression, if NULL no decompression.
+ * @param pktlen: length of packet buffer.
+ * @return number of characters (except null) needed to print.
+ * 	Can return -1 on failure.
+ */
+int gldns_wire2str_amtrelay_scan(uint8_t** data, size_t* data_len, char** str,
+	size_t* str_len, uint8_t* pkt, size_t pktlen);
+
 /**
  * Print EDNS LLQ option data to string.  User buffers, moves string pointers.
  * @param str: string buffer.
diff --git a/src/rr-dict.c b/src/rr-dict.c
index 79fb7bcc..0ad75a43 100644
--- a/src/rr-dict.c
+++ b/src/rr-dict.c
@@ -431,6 +431,214 @@ static _getdns_rdf_special hip_public_key = {
     hip_public_key_dict2wire, NULL
 };
 
+static const uint8_t *
+amtrelay_D_rdf_end(const uint8_t *pkt, const uint8_t *pkt_end, const uint8_t *rdf)
+{
+	(void)pkt;
+	return rdf < pkt_end ? rdf + 1 : NULL;
+}
+static getdns_return_t
+amtrelay_D_wire2dict(getdns_dict *dict, const uint8_t *rdf)
+{
+	return getdns_dict_set_int(dict, "discovery_optional", (*rdf  >> 7));
+}
+static getdns_return_t
+amtrelay_D_dict2wire(const getdns_dict *dict,
+    uint8_t *rdata, uint8_t *rdf, size_t *rdf_len)
+{
+	getdns_return_t r;
+	uint32_t        value;
+	(void)rdata; /* unused parameter */
+
+	if ((r = getdns_dict_get_int(dict, "discovery_optional", &value)))
+		return r;
+
+	*rdf_len = 1;
+	if (*rdf_len < 1)
+		return GETDNS_RETURN_NEED_MORE_SPACE;
+
+	*rdf_len = 1;
+	*rdf = value ? 0x80 : 0x00;
+	return GETDNS_RETURN_GOOD;
+}
+static _getdns_rdf_special amtrelay_D = {
+    amtrelay_D_rdf_end,
+    amtrelay_D_wire2dict, NULL,
+    amtrelay_D_dict2wire, NULL 
+};
+
+static const uint8_t *
+amtrelay_rtype_rdf_end(
+    const uint8_t *pkt, const uint8_t *pkt_end, const uint8_t *rdf)
+{
+	return rdf;
+}
+static getdns_return_t
+amtrelay_rtype_wire2dict(getdns_dict *dict, const uint8_t *rdf)
+{
+	return _getdns_dict_set_int(
+	    dict, "replay_type", (rdf[-1] & 0x7F));
+}
+static getdns_return_t
+amtrelay_rtype_dict2wire(
+    const getdns_dict *dict, uint8_t *rdata, uint8_t *rdf, size_t *rdf_len)
+{
+	getdns_return_t r;
+	uint32_t value;
+
+	if ((r = getdns_dict_get_int(dict, "relay_type", &value)))
+		return r;
+
+	if (rdf - 1 < rdata)
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	*rdf_len = 0;
+	rdf[-1] |= (value & 0x7F);
+
+	return GETDNS_RETURN_GOOD;
+}
+static _getdns_rdf_special amtrelay_rtype = {
+    amtrelay_rtype_rdf_end,
+    amtrelay_rtype_wire2dict, NULL,
+    amtrelay_rtype_dict2wire, NULL 
+};
+
+static const uint8_t *
+amtrelay_relay_rdf_end(
+    const uint8_t *pkt, const uint8_t *pkt_end, const uint8_t *rdf)
+{
+	const uint8_t *end;
+
+	if (rdf - 4 < pkt)
+		return NULL;
+	switch (rdf[-1] & 0x7F) {
+	case 0:	end = rdf;
+		break;
+	case 1: end = rdf + 4;
+		break;
+	case 2: end = rdf + 16;
+		break;
+	case 3: for (end = rdf; end < pkt_end; end += *end + 1)
+			if ((*end & 0xC0) == 0xC0)
+				end  += 2;
+			else if (*end & 0xC0)
+				return NULL;
+			else if (!*end) {
+				end += 1;
+				break;
+			}
+		break;
+	default:
+		return NULL;
+	}
+	return end <= pkt_end ? end : NULL;
+}
+static getdns_return_t
+amtrelay_relay_equip_const_bindata(
+    const uint8_t *rdf, size_t *size, const uint8_t **data)
+{
+	*data = rdf;
+	switch (rdf[-1] & 0x7F) {
+	case 0:	*size = 0;
+		break;
+	case 1: *size = 4;
+		break;
+	case 2: *size = 16;
+		break;
+	case 3: while (*rdf)
+			if ((*rdf & 0xC0) == 0xC0)
+				rdf += 2;
+			else if (*rdf & 0xC0)
+				return GETDNS_RETURN_GENERIC_ERROR;
+			else
+				rdf += *rdf + 1;
+		*size = rdf + 1 - *data;
+		break;
+	default:
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+	return GETDNS_RETURN_GOOD;
+}
+
+static getdns_return_t
+amtrelay_relay_wire2dict(getdns_dict *dict, const uint8_t *rdf)
+{
+	size_t size;
+	const uint8_t *data;
+
+	if (amtrelay_relay_equip_const_bindata(rdf, &size, &data))
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	else if (! size)
+		return GETDNS_RETURN_GOOD;
+	else
+		return _getdns_dict_set_const_bindata(dict, "relay", size, data);
+}
+static getdns_return_t
+amtrelay_relay_2wire(
+    const getdns_bindata *value, uint8_t *rdata, uint8_t *rdf, size_t *rdf_len)
+{
+	assert(rdf - 1 >= rdata && (rdf[-1] & 0x7F) > 0);
+
+	switch (rdf[-1] & 0x7F) {
+	case 1: if (!value || value->size != 4)
+			return GETDNS_RETURN_INVALID_PARAMETER;
+		if (*rdf_len < 4) {
+			*rdf_len = 4;
+			return GETDNS_RETURN_NEED_MORE_SPACE;
+		}
+		*rdf_len = 4;
+		(void)memcpy(rdf, value->data, 4);
+		return GETDNS_RETURN_GOOD;
+	case 2: if (!value || value->size != 16)
+			return GETDNS_RETURN_INVALID_PARAMETER;
+		if (*rdf_len < 16) {
+			*rdf_len = 16;
+			return GETDNS_RETURN_NEED_MORE_SPACE;
+		}
+		*rdf_len = 16;
+		(void)memcpy(rdf, value->data, 16);
+		return GETDNS_RETURN_GOOD;
+	case 3: if (!value || value->size == 0)
+			return GETDNS_RETURN_INVALID_PARAMETER;
+		/* Assume bindata is a valid dname; garbage in, garbage out */
+		if (*rdf_len < value->size) {
+			*rdf_len = value->size;
+			return GETDNS_RETURN_NEED_MORE_SPACE;
+		}
+		*rdf_len = value->size;
+		(void)memcpy(rdf, value->data, value->size);
+		return GETDNS_RETURN_GOOD;
+	default:
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+	return GETDNS_RETURN_GOOD;
+}
+static getdns_return_t
+amtrelay_relay_dict2wire(
+    const getdns_dict *dict, uint8_t *rdata, uint8_t *rdf, size_t *rdf_len)
+{
+	getdns_return_t r;
+	getdns_bindata *value;
+
+	if (rdf - 1 < rdata)
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	else if ((rdf[-1] & 0x7F) == 0) {
+		*rdf_len = 0;
+		return GETDNS_RETURN_GOOD;
+	}
+	else if ((r = getdns_dict_get_bindata(dict, "relay", &value)))
+		return r;
+	else
+		return amtrelay_relay_2wire(value, rdata, rdf, rdf_len);
+}
+static _getdns_rdf_special amtrelay_relay = {
+    amtrelay_relay_rdf_end,
+    amtrelay_relay_wire2dict, NULL,
+    amtrelay_relay_dict2wire, NULL 
+};
+
 
 static _getdns_rdata_def          a_rdata[] = {
 	{ "ipv4_address"                , GETDNS_RDF_A      , NULL }};
@@ -665,6 +873,17 @@ static _getdns_rdata_def        dlv_rdata[] = {
 	{ "algorithm"                   , GETDNS_RDF_I1     , NULL },
 	{ "digest_type"                 , GETDNS_RDF_I1     , NULL },
 	{ "digest"                      , GETDNS_RDF_X      , NULL }};
+static _getdns_rdata_def        doa_rdata[] = {
+	{ "enterprise"                  , GETDNS_RDF_I4     , NULL },
+	{ "type"                        , GETDNS_RDF_I4     , NULL },
+	{ "location"                    , GETDNS_RDF_I1     , NULL },
+	{ "media_type"                  , GETDNS_RDF_S      , NULL },
+	{ "data"                        , GETDNS_RDF_B      , NULL }};
+static _getdns_rdata_def   amtrelay_rdata[] = {
+	{ "precedence"                  , GETDNS_RDF_I1     , NULL },
+	{ "discovery_optional"          , GETDNS_RDF_SPECIAL, &amtrelay_D},
+	{ "relay_type"                  , GETDNS_RDF_SPECIAL, &amtrelay_rtype },
+	{ "relay"                       , GETDNS_RDF_SPECIAL, &amtrelay_relay }};
 
 static _getdns_rr_def _getdns_rr_defs[] = {
 	{         NULL,             NULL, 0                      },
@@ -926,7 +1145,8 @@ static _getdns_rr_def _getdns_rr_defs[] = {
 	{        "URI",        uri_rdata, ALEN(       uri_rdata) }, /* 256 - */
 	{        "CAA",        caa_rdata, ALEN(       caa_rdata) },
 	{        "AVC",        txt_rdata, ALEN(       txt_rdata) },
-	{        "DOA",    UNKNOWN_RDATA, 0                      }, /* - 259 */
+	{        "DOA",        doa_rdata, ALEN(       doa_rdata) },
+	{   "AMTRELAY",   amtrelay_rdata, ALEN(  amtrelay_rdata) }, /* - 260 */
 	{         "TA",         ds_rdata, ALEN(        ds_rdata) }, /* 32768 */
 	{        "DLV",        dlv_rdata, ALEN(       dlv_rdata) }  /* 32769 */
 };
@@ -934,12 +1154,12 @@ static _getdns_rr_def _getdns_rr_defs[] = {
 const _getdns_rr_def *
 _getdns_rr_def_lookup(uint16_t rr_type)
 {
-	if (rr_type <= 259)
+	if (rr_type <= 260)
 		return &_getdns_rr_defs[rr_type];
 	else if (rr_type == 32768)
-		return &_getdns_rr_defs[260];
-	else if (rr_type == 32769)
 		return &_getdns_rr_defs[261];
+	else if (rr_type == 32769)
+		return &_getdns_rr_defs[262];
 	return _getdns_rr_defs;
 }
 

From 30367dada2a9f299011dbb999c89fe945a724434 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Feb 2019 13:43:28 +0100
Subject: [PATCH 281/303] space needed for unit test to succeed

---
 src/gldns/rrdef.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gldns/rrdef.h b/src/gldns/rrdef.h
index a393dc8e..ef3c8d9d 100644
--- a/src/gldns/rrdef.h
+++ b/src/gldns/rrdef.h
@@ -227,7 +227,7 @@ enum gldns_enum_rr_type
 	GLDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
 	GLDNS_RR_TYPE_AVC = 258,
 	GLDNS_RR_TYPE_DOA = 259, /* draft-durand-doa-over-dns */
-	GLDNS_RR_TYPE_AMTRELAY= 260, /* draft-ietf-mboned-driad-amt-discovery */
+	GLDNS_RR_TYPE_AMTRELAY = 260, /* draft-ietf-mboned-driad-amt-discovery */
 
 	/** DNSSEC Trust Authorities */
 	GLDNS_RR_TYPE_TA = 32768,

From acc9b1cbd502b4195f1d815a8b246d5688fc8362 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Feb 2019 13:46:28 +0100
Subject: [PATCH 282/303] Typo and unused parameter warning

---
 src/rr-dict.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/rr-dict.c b/src/rr-dict.c
index 0ad75a43..fc675830 100644
--- a/src/rr-dict.c
+++ b/src/rr-dict.c
@@ -471,12 +471,13 @@ static const uint8_t *
 amtrelay_rtype_rdf_end(
     const uint8_t *pkt, const uint8_t *pkt_end, const uint8_t *rdf)
 {
+	(void)pkt; (void)pkt_end;
 	return rdf;
 }
 static getdns_return_t
 amtrelay_rtype_wire2dict(getdns_dict *dict, const uint8_t *rdf)
 {
-	return _getdns_dict_set_int(
+	return getdns_dict_set_int(
 	    dict, "replay_type", (rdf[-1] & 0x7F));
 }
 static getdns_return_t

From a7a17f3725b4824b06887dfdaf5bb6ffe96e5a43 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 20 Feb 2019 11:06:21 +0000
Subject: [PATCH 283/303] Fix builds in mingw32.

On mingw64, configure does not find declarations for inet_ntop() and inet_pton(), but does find implementations, and so does not try to compile the compat versions.
On mingw32, configure find neither declarations or implementations, and so tries to compile the compat versions. However, there are declarations in ws2tcpip.h, and these do not have the same prototype as compat. The build fails, complaining about conflicting types for inet_ntop().

The declarations in ws2tcpip.h are #defines to Windows functions InetNtopA() and InetPtonA(). Which is not good, but we're stuck with it. Try to work around this by including ws2tcpip.h in the headers while checking for declarations. Unfortunately it looks like you can't do that when checking for implementations and substituting compat versions when not found. So only do that if we don't find declarations; we're already making sure that ws2tcpip.h is included via config.h in source modules.
---
 configure.ac | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index f927ef6c..0412f538 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1514,9 +1514,20 @@ CFLAGS="$CFLAGS $LIBBSD_CFLAGS"
 ],[
 AC_MSG_WARN([libbsd not found or usable; using embedded code instead])
 ])
-AC_CHECK_DECLS([inet_pton,inet_ntop,strlcpy,arc4random,arc4random_uniform])
-AC_REPLACE_FUNCS(inet_pton)
-AC_REPLACE_FUNCS(inet_ntop)
+AC_CHECK_DECLS([inet_pton,inet_ntop,strlcpy,arc4random,arc4random_uniform], [], [], [
+AC_INCLUDES_DEFAULT
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+])
+AS_IF([test "x$ac_cv_have_decl_inet_pton" = xyes],
+    [],
+    [AC_REPLACE_FUNCS(inet_pton)]
+)
+AS_IF([test "x$ac_cv_have_decl_inet_ntop" = xyes],
+    [],
+    [AC_REPLACE_FUNCS(inet_ntop)]
+)
 AC_REPLACE_FUNCS(strlcpy)
 AC_REPLACE_FUNCS(arc4random)
 AC_REPLACE_FUNCS(arc4random_uniform)

From 968e914e948d86ad38d395c9d85c94741aa3012a Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Thu, 21 Feb 2019 14:37:25 +0000
Subject: [PATCH 284/303] Avoid build errors if $sysconfdir or $runstatedir
 contain a space.

Building on Windows was failing if sysconfdir was, e.g. C:\Program Files.
---
 src/Makefile.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Makefile.in b/src/Makefile.in
index 411f5874..93a72425 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -215,7 +215,7 @@ stubby.1: $(stubbysrcdir)/doc/stubby.1.in
 	sed -e "s|@ETCDIR@|$(stubbyconfdir)|g" $(stubbysrcdir)/doc/stubby.1.in > $@
 
 stubby.lo: $(stubbysrcdir)/src/stubby.c
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $(stubbysrcdir)/src/stubby.c -o $@
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR='"$(sysconfdir)/stubby"' -DRUNSTATEDIR='"$(runstatedir)"' -c $(stubbysrcdir)/src/stubby.c -o $@
 
 stubby: stubby.lo libgetdns.la $(STUBBY_XTRA_OBJS)
 	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ stubby.lo $(STUBBY_XTRA_OBJS) $(STUBBY_LDFLAGS) libgetdns.la

From eebea43b84f64815d74289cd8ff2e5946baa1893 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Wed, 27 Feb 2019 18:28:04 +0000
Subject: [PATCH 285/303] Update README to document root anchor storage
 directory on Windows.

This fixes Stubby issue #153.
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 565310c7..c777f507 100644
--- a/README.md
+++ b/README.md
@@ -134,9 +134,9 @@ format.  Note that this is different than the format of BIND.keys.
 
 When the root trust anchor is not installed in the default location and a DNSSEC query is done, getdns will try to use the trust anchors published here: http://data.iana.org/root-anchors/root-anchors.xml .
 It will validate these anchors with the ICANN Certificate Authority certificate following the procedure described in [RFC7958].
-The `root-anchors.xml` and `root-anchors.p7s` S/MIME signature will be cached in the `$HOME/.getdns` directory.
+The `root-anchors.xml` and `root-anchors.p7s` S/MIME signature will be cached in the `$HOME/.getdns` directory on Unixes, and the `%appdata%\getdns` directory on Windows.
 
-When using trust-anchors from the `root-anchors.xml` file, getdns will track the keys in the root DNSKEY rrset and store a copy in $HOME/.getdns/root.key.
+When using trust-anchors from the `root-anchors.xml` file, getdns will track the keys in the root DNSKEY rrset and store a copy in `$HOME/.getdns/root.key` on Unixes, and `%appdata%\getdns\root.key` on Windows.
 Only when the KSK DNSKEY's change, a new version of `root-anchors.xml` is tried to be retrieved from [data.iana.org](https://data.iana.org/root-anchors/).
 
 A installed trust-anchor from the default location (`/etc/unbound/getdns-root.key`) that fails to validate the root DNSKEY RRset, will also trigger the "Zero configuration DNSSEC" procedure described above.

From 0abd2345defec5c654b3a607beaaa39f476fd13f Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 28 Feb 2019 16:07:11 +0100
Subject: [PATCH 286/303] New commits in stubby

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index 8fb853ac..14444aaf 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 8fb853ac8d6148fd9b53fdcbc107ecd375071ec5
+Subproject commit 14444aaf167ccacbfae4c618affb5a572eb719f1

From 13976cca685ae2cd6baa6699aa579c419f6724b4 Mon Sep 17 00:00:00 2001
From: Jim Hague <jim@sinodun.com>
Date: Fri, 1 Mar 2019 12:27:48 +0000
Subject: [PATCH 287/303] Update to latest Stubby develop.

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index 14444aaf..108a15c6 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 14444aaf167ccacbfae4c618affb5a572eb719f1
+Subproject commit 108a15c63dc08b50d6fd3800cef6948f87e14c8a

From 99d15b999cf0a8f37f4cacec16f68854860e2f68 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 13 Mar 2019 14:21:06 +0100
Subject: [PATCH 288/303] Issue #423: Fix insecure delegation detection while
 scheduling

---
 ChangeLog    |  1 +
 src/dnssec.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 70 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b50e946c..4764e9f4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 * 2019-??-??: Version 1.?.?
+  * Issue #423: Fix insecure delegation detection while scheduling.
   * Issue #419: Escape backslashed when printing in JSON format.
     Thanks boB Rudis
   * DOA rr-type
diff --git a/src/dnssec.c b/src/dnssec.c
index 2be6096e..ab4aa8a0 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1110,6 +1110,65 @@ static void cancel_requests_for_subdomains_of(
 		}
 		head = next;
 	}
+
+}
+
+static int nsec3_matches_name(_getdns_rrset *nsec3, const uint8_t *name);
+static int nsec3_covers_name(
+    _getdns_rrset *nsec3, const uint8_t *name, int *opt_out);
+
+static int insecure_delegation(_getdns_rrset *ds_rrset)
+{
+	_getdns_rrset        nsec_rrset;
+	_getdns_rrtype_iter *rr, rr_spc;
+	_getdns_rrsig_iter   rrsig_spc;
+	_getdns_rdf_iter     bitmap_spc, *bitmap;
+	_getdns_rrset_iter  *i, i_spc;
+
+	/* For NSEC, an insecure delegation is a NODATA proof for DS */
+	nsec_rrset = *ds_rrset;
+	nsec_rrset.rr_type = GETDNS_RRTYPE_NSEC;
+	if (!_getdns_rrsig_iter_init(&rrsig_spc, &nsec_rrset))
+		; /* pass */
+	else for ( rr = _getdns_rrtype_iter_init(&rr_spc, &nsec_rrset)
+	         ; rr ; rr = _getdns_rrtype_iter_next(rr)) {
+
+		if ((bitmap = _getdns_rdf_iter_init_at( &bitmap_spc
+		                                      , &rr->rr_i, 1))
+		    &&  bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+		    && !bitmap_has_type(bitmap, GETDNS_RRTYPE_DS)
+		    && _getdns_rrsig_iter_init(&rrsig_spc, &nsec_rrset))
+			return 1;
+	}
+
+	/* For NSEC3 it is either a NODATA proof with a delegation,
+           or a NSEC3 opt-out coverage  */
+	for ( i = _getdns_rrset_iter_init(&i_spc, ds_rrset->pkt
+	                                        , ds_rrset->pkt_len
+	                                        , SECTION_NO_ADDITIONAL)
+	    ; i ; i = _getdns_rrset_iter_next(i)) {
+		_getdns_rrset *nsec3_rrset = _getdns_rrset_iter_value(i);
+		int opt_out;
+
+		if (  !nsec3_rrset
+		    || nsec3_rrset->rr_type != GETDNS_RRTYPE_NSEC3
+		    ||!(rr = _getdns_rrtype_iter_init(&rr_spc, nsec3_rrset)))
+			continue;
+
+		if (!nsec3_covers_name(nsec3_rrset, ds_rrset->name, &opt_out))
+			continue;
+
+		if (nsec3_matches_name(nsec3_rrset, ds_rrset->name)) {
+			bitmap = _getdns_rdf_iter_init_at( &bitmap_spc
+			                                 , &rr->rr_i, 5);
+			return  bitmap
+			    &&  bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+			    && !bitmap_has_type(bitmap, GETDNS_RRTYPE_DS);
+		}
+		else if (opt_out)
+			return 1;
+	}
+	return 0;
 }
 
 static void val_chain_node_cb(getdns_dns_req *dnsreq)
@@ -1158,10 +1217,16 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq)
 	else if (n_signers) {
 		_getdns_rrtype_iter ds_spc;
 
-		if (!_getdns_rrtype_iter_init(&ds_spc, &node->ds)) {
-			debug_sec_print_rrset("A DS NX proof for ", &node->ds);
-			DEBUG_SEC("Cancel all more specific requests\n");
-			cancel_requests_for_subdomains_of(node->chains, node->ds.name);
+		if (_getdns_rrtype_iter_init(&ds_spc, &node->ds))
+			; /* pass */
+
+		else if (insecure_delegation(&node->ds)) {
+			debug_sec_print_rrset("Insecure delegation. "
+			    "Canceling requests below ", &node->ds);
+			cancel_requests_for_subdomains_of(
+			    node->chains, node->ds.name);
+		} else {
+			debug_sec_print_rrset("No DS at ", &node->ds);
 		}
 	} else {
 		/* No signed DS and no signed proof of non-existance.

From 7438de712af16995fdbf1a0c094b3b32de737a7c Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Mar 2019 12:13:38 +0100
Subject: [PATCH 289/303] Issue #422: Update server & client TFO

Seems to work for TLS now too.
At least on Linux.
Thanks Craig Andrews
---
 ChangeLog    |  3 +++
 configure.ac | 30 ++++++++++++++++++++++++++----
 src/server.c |  8 +++++++-
 src/stub.c   | 50 ++++++++++++++++++++++++++++++++++++++------------
 4 files changed, 74 insertions(+), 17 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4764e9f4..3054561f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 * 2019-??-??: Version 1.?.?
+  * Issue #422: Enable server side and update client side TCP Fast
+    Open implementation. Thanks Craig Andrews
   * Issue #423: Fix insecure delegation detection while scheduling.
+    Thanks Charles Milette
   * Issue #419: Escape backslashed when printing in JSON format.
     Thanks boB Rudis
   * DOA rr-type
diff --git a/configure.ac b/configure.ac
index 0412f538..ff837502 100644
--- a/configure.ac
+++ b/configure.ac
@@ -302,13 +302,31 @@ if test "x$enable_tcp_fastopen" = xno; then
         AC_MSG_WARN([TCP Fast Open is disabled])
 else
     case `uname` in
-        Linux) AC_CHECK_DECL([MSG_FASTOPEN], [AC_DEFINE_UNQUOTED([USE_TCP_FASTOPEN], [1], [Define this to enable TCP fast open.])],
-                          [AC_MSG_WARN([TCP Fast Open is not available, continuing without])], [#include <sys/socket.h>])
-          ;;
         Darwin) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_DEFINE_UNQUOTED([USE_OSX_TCP_FASTOPEN], [1], [Define this to enable TCP fast open.])],
                       [AC_MSG_WARN([TCP Fast Open is not available, continuing without])], [#include <sys/socket.h>])
           ;;
-        *) AC_MSG_WARN([TCP Fast Open is not available, continuing without])
+        *)
+		AC_CHECK_HEADERS([sys/socket.h netinet/tcp.h],,, [AC_INCLUDES_DEFAULT])
+		AC_CHECK_DECL([TCP_FASTOPEN], [
+			AC_DEFINE_UNQUOTED([USE_TCP_FASTOPEN], [1], [Define this to enable TCP fast open.])
+			AC_CHECK_DECLS([TCP_FASTOPEN,MSG_FASTOPEN,TCP_FASTOPEN_CONNECT], [], [], [AC_INCLUDES_DEFAULT
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_TCP_H
+# include <netinet/tcp.h>
+#endif
+])
+		], [
+			AC_MSG_WARN([TCP Fast Open is not available, continuing without])
+		], [AC_INCLUDES_DEFAULT
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_TCP_H
+# include <netinet/tcp.h>
+#endif
+])
           ;;
     esac
 fi
@@ -1731,6 +1749,10 @@ static inline int _gldns_custom_vsnprintf(char *str, size_t size, const char *fo
 #include <sys/socket.h>
 #endif
 
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+
 #ifdef HAVE_SYS_SELECT_H
 #include <sys/select.h>
 #endif
diff --git a/src/server.c b/src/server.c
index 3736a6f2..5b1edd86 100644
--- a/src/server.c
+++ b/src/server.c
@@ -860,9 +860,15 @@ static getdns_return_t add_listeners(listen_set *set)
 			break;
 
 		if (setsockopt(l->fd, SOL_SOCKET, SO_REUSEADDR,
-		    &enable, sizeof(int)) < 0) {
+		    &enable, sizeof(enable)) < 0) {
 			; /* Ignore */
 		}
+#ifdef HAVE_DECL_TCP_FASTOPEN
+		if (setsockopt(l->fd, IPPROTO_TCP, TCP_FASTOPEN,
+		    &enable, sizeof(enable)) < 0) {
+			; /* Ignore */
+		}
+#endif
 		if (bind(l->fd, (struct sockaddr *)&l->addr,
 		    l->addr_len) == -1)
 			/* IO error */
diff --git a/src/stub.c b/src/stub.c
index c5a467fe..c71ce1ca 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -375,22 +375,23 @@ getdns_sock_nonblock(int sockfd)
 static int
 tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport) 
 {
+#if defined(TCP_FASTOPEN) || defined(TCP_FASTOPEN_CONNECT)
+# ifdef USE_WINSOCK
+	static const char enable = 1;
+# else
+	static const int  enable = 1;
+# endif
+#endif
 	int fd = -1;
+
+
 	DEBUG_STUB("%s %-35s: Creating TCP connection:      %p\n", STUB_DEBUG_SETUP, 
 	           __FUNC__, (void*)upstream);
 	if ((fd = socket(upstream->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
 		return -1;
 
 	getdns_sock_nonblock(fd);
-	/* Note that error detection is different with TFO. Since the handshake
-	   doesn't start till the sendto() lack of connection is often delayed until
-	   then or even the subsequent event depending on the error and platform.*/
-#ifdef USE_TCP_FASTOPEN
-	/* Leave the connect to the later call to sendto() if using TCP*/
-	if (transport == GETDNS_TRANSPORT_TCP)
-		return fd;
-#elif USE_OSX_TCP_FASTOPEN
-	(void)transport;
+#ifdef USE_OSX_TCP_FASTOPEN
 	sa_endpoints_t endpoints;
 	endpoints.sae_srcif = 0;
 	endpoints.sae_srcaddr = NULL;
@@ -405,9 +406,29 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
 	if (_getdns_socketerror() == _getdns_EINPROGRESS ||
 	    _getdns_socketerror() == _getdns_EWOULDBLOCK)
 		return fd;
-#else
+
 	(void)transport;
-#endif
+#else	/* USE_OSX_TCP_FASTOPEN */
+	/* Note that error detection is different with TFO. Since the handshake
+	   doesn't start till the sendto() lack of connection is often delayed until
+	   then or even the subsequent event depending on the error and platform.*/
+# ifdef     HAVE_DECL_TCP_FASTOPEN_CONNECT
+	(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT
+	                , (void *)&enable, sizeof(enable));
+# else	/* HAVE_DECL_TCP_FASTOPEN_CONNECT */
+#  ifdef  HAVE_DECL_TCP_FASTOPEN
+	(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
+	                , (void *)&enable, sizeof(enable));
+#  endif/* HAVE_DECL_TCP_FASTOPEN*/
+# endif	/* HAVE_DECL_TCP_FASTOPEN_CONNECT */
+# ifdef    HAVE_DECL_MSG_FASTOPEN
+	/* Leave the connect to the later call to sendto() if using TCP*/
+	if (transport == GETDNS_TRANSPORT_TCP)
+		return fd;
+# else  /* HAVE_DECL_MSG_FASTOPEN */
+	(void)transport;
+# endif /* HAVE_DECL_MSG_FASTOPEN */
+#endif	/* USE_OSX_TCP_FASTOPEN */
 	if (connect(fd, (struct sockaddr *)&upstream->addr,
 	    upstream->addr_len) == -1) {
 		if (_getdns_socketerror() == _getdns_EINPROGRESS ||
@@ -739,7 +760,12 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq)
 		/* We use sendto() here which will do both a connect and send */
 #ifdef USE_TCP_FASTOPEN
 		written = sendto(fd, netreq->query - 2, pkt_len + 2,
-		    MSG_FASTOPEN, (struct sockaddr *)&(netreq->upstream->addr),
+# ifdef HAVE_DECL_MSG_FASTOPEN
+		    MSG_FASTOPEN,
+# else
+		    0,
+# endif
+		    (struct sockaddr *)&(netreq->upstream->addr),
 		    netreq->upstream->addr_len);
 		/* If pipelining we will find that the connection is already up so 
 		   just fall back to a 'normal' write. */

From 324370c537edaaf415f9b57545236993689d13c1 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Mar 2019 16:50:10 +0100
Subject: [PATCH 290/303] GnuTLS with Zero configuration DNSSEC

---
 configure.ac                                  |  12 +-
 spec/example/Makefile.in                      |  24 +-
 src/Makefile.in                               | 480 +++++++-----------
 src/gnutls/anchor-internal.c                  |  48 --
 src/gnutls/pubkey-pinning-internal.h          |   0
 src/gnutls/val_secalgo.c                      |   1 -
 src/gnutls/validator                          |   1 -
 src/test/Makefile.in                          |  71 +--
 src/{openssl => tls}/anchor-internal.c        |   1 +
 .../pubkey-pinning-internal.h                 |   0
 src/{openssl => tls}/val_secalgo.c            |   2 +-
 src/{openssl => tls}/validator/val_nsec3.h    |   0
 src/{openssl => tls}/validator/val_secalgo.h  |   0
 src/tools/Makefile.in                         |  11 +-
 14 files changed, 235 insertions(+), 416 deletions(-)
 delete mode 100644 src/gnutls/anchor-internal.c
 delete mode 100644 src/gnutls/pubkey-pinning-internal.h
 delete mode 120000 src/gnutls/val_secalgo.c
 delete mode 120000 src/gnutls/validator
 rename src/{openssl => tls}/anchor-internal.c (99%)
 rename src/{openssl => tls}/pubkey-pinning-internal.h (100%)
 rename src/{openssl => tls}/val_secalgo.c (99%)
 rename src/{openssl => tls}/validator/val_nsec3.h (100%)
 rename src/{openssl => tls}/validator/val_secalgo.h (100%)

diff --git a/configure.ac b/configure.ac
index ff837502..e7625f5b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -478,6 +478,14 @@ AC_ARG_WITH([gnutls],
 		AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
         	AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
 	fi
+	# Zero configuration DNSSEC we still need libcrypto
+	AC_CHECK_HEADERS([openssl/x509.h],,, [AC_INCLUDES_DEFAULT])
+	AC_CHECK_LIB([crypto], [X509_STORE_new], [
+	AC_DEFINE_UNQUOTED([HAVE_LIBCRYPTO], [2], [Define to 1 if you have the `crypto' library (-lcrypto).]) dnl
+		LIBS="-lcrypto $LIBS"
+	], [
+	AC_MSG_ERROR([libcrypto still needed for Zero configuration DNSSEC])
+	])
     ],
     [
 	if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
@@ -1773,10 +1781,6 @@ static inline int _gldns_custom_vsnprintf(char *str, size_t size, const char *fo
 #include <arpa/inet.h>
 #endif
 
-#ifdef HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#endif
-
 #ifdef HAVE_INTTYPES_H
 #include <inttypes.h>
 #endif
diff --git a/spec/example/Makefile.in b/spec/example/Makefile.in
index 8ff7f2d1..7bf5e016 100644
--- a/spec/example/Makefile.in
+++ b/spec/example/Makefile.in
@@ -149,24 +149,16 @@ depend:
 
 # Dependencies for the examples
 example-all-functions.lo example-all-functions.o: $(srcdir)/example-all-functions.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h \
- ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
- ../../src/getdns/getdns_extra.h
-example-reverse.lo example-reverse.o: $(srcdir)/example-reverse.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h \
- ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
+ ../../src/config.h ../../src/getdns/getdns.h \
+ $(srcdir)/../../src/getdns/getdns_ext_libevent.h ../../src/getdns/getdns_extra.h
+example-reverse.lo example-reverse.o: $(srcdir)/example-reverse.c $(srcdir)/getdns_libevent.h ../../src/config.h \
+ ../../src/getdns/getdns.h $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
  ../../src/getdns/getdns_extra.h
 example-simple-answers.lo example-simple-answers.o: $(srcdir)/example-simple-answers.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h \
- ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
- ../../src/getdns/getdns_extra.h
+ ../../src/config.h ../../src/getdns/getdns.h \
+ $(srcdir)/../../src/getdns/getdns_ext_libevent.h ../../src/getdns/getdns_extra.h
 example-synchronous.lo example-synchronous.o: $(srcdir)/example-synchronous.c $(srcdir)/getdns_core_only.h \
  ../../src/getdns/getdns.h
-example-tree.lo example-tree.o: $(srcdir)/example-tree.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h \
- ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
+example-tree.lo example-tree.o: $(srcdir)/example-tree.c $(srcdir)/getdns_libevent.h ../../src/config.h \
+ ../../src/getdns/getdns.h $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
  ../../src/getdns/getdns_extra.h
diff --git a/src/Makefile.in b/src/Makefile.in
index 93a72425..2632d11b 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -57,7 +57,7 @@ stubbysrcdir = $(srcdir)/../stubby
 LIBTOOL = ../libtool
 
 CC=@CC@
-CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/$(tlsdir) -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
+CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/tls -I$(srcdir)/$(tlsdir) -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
 WPEDANTICFLAG=@WPEDANTICFLAG@
 WNOERRORFLAG=@WNOERRORFLAG@
 LDFLAGS=@LDFLAGS@ @LIBS@
@@ -95,7 +95,8 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo
 
 JSMN_OBJ=jsmn.lo
-TLS_OBJ=tls.lo pubkey-pinning-internal.lo keyraw-internal.lo val_secalgo.lo anchor-internal.lo
+TLS_OBJ=tls.lo pubkey-pinning-internal.lo keyraw-internal.lo
+TLS_COMMON_OBJ=val_secalgo.lo anchor-internal.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
@@ -138,6 +139,9 @@ $(JSMN_OBJ):
 $(TLS_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/$(tlsdir)/$(@:.lo=.c) -o $@
 
+$(TLS_COMMON_OBJ):
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/tls/$(@:.lo=.c) -o $@
+
 $(YAML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
 
@@ -199,8 +203,8 @@ libgetdns_ext_uv.la: libgetdns.la libuv.lo
 libgetdns_ext_ev.la: libgetdns.la libev.lo
 	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libev.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEV_LDFLAGS) $(EXTENSION_LIBEV_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libev.symbols
 
-libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS)
-	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
+libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(TLS_COMMON_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS)
+	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(TLS_COMMON_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
 
 test: default
 	cd test && $(MAKE) $@
@@ -276,7 +280,7 @@ Makefile: $(srcdir)/Makefile.in ../config.status
 depend:
 	(cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
 
-	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -I$(tlsdir) -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c $(tlsdir)/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \
+	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Itls -I$(tlsdir) -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c $(tlsdir)/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \
 		sed -e "s? $$blddir/? ?g" \
 		    -e 's? gldns/? $$(srcdir)/gldns/?g' \
 		    -e 's? compat/? $$(srcdir)/compat/?g' \
@@ -304,307 +308,207 @@ depend:
 FORCE:
 
 # Dependencies for gldns, utils, the extensions and compat functions
-anchor.lo anchor.o: $(srcdir)/anchor.c \
- config.h $(srcdir)/debug.h \
- $(srcdir)/anchor.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dnssec.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \
+anchor.lo anchor.o: $(srcdir)/anchor.c config.h $(srcdir)/debug.h $(srcdir)/anchor.h getdns/getdns.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ config.h $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h \
  $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
-const-info.lo const-info.o: $(srcdir)/const-info.c \
- getdns/getdns.h \
- getdns/getdns_extra.h \
+const-info.lo const-info.o: $(srcdir)/const-info.c getdns/getdns.h getdns/getdns_extra.h \
+ getdns/getdns.h $(srcdir)/const-info.h
+context.lo context.o: $(srcdir)/context.c config.h $(srcdir)/anchor.h getdns/getdns.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \
  $(srcdir)/const-info.h
-context.lo context.o: $(srcdir)/context.c \
- config.h $(srcdir)/anchor.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h \
- $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h
-convert.lo convert.o: $(srcdir)/convert.c \
- config.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
- $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h \
- $(srcdir)/debug.h
-dict.lo dict.o: $(srcdir)/dict.c config.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \
- $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h
-dnssec.lo dnssec.o: $(srcdir)/dnssec.c \
- config.h $(srcdir)/debug.h \
- getdns/getdns.h \
- $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
+convert.lo convert.o: $(srcdir)/convert.c config.h getdns/getdns.h getdns/getdns_extra.h \
+ getdns/getdns.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \
+ $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h
+dict.lo dict.o: $(srcdir)/dict.c config.h $(srcdir)/types-internal.h getdns/getdns.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
+ getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
+ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h \
+ $(srcdir)/gldns/parseutil.h
+dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h $(srcdir)/debug.h getdns/getdns.h $(srcdir)/context.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
+ $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
  $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \
  $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h
-general.lo general.o: $(srcdir)/general.c \
- config.h $(srcdir)/general.h \
- getdns/getdns.h \
- $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h
-list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \
- config.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+general.lo general.o: $(srcdir)/general.c config.h $(srcdir)/general.h getdns/getdns.h $(srcdir)/types-internal.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
+ getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h
+list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h getdns/getdns.h getdns/getdns_extra.h \
+ getdns/getdns.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \
+ config.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h
-mdns.lo mdns.o: $(srcdir)/mdns.c config.h \
- $(srcdir)/debug.h $(srcdir)/context.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
-platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \
- config.h
-pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \
- config.h $(srcdir)/debug.h \
- getdns/getdns.h \
- $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+mdns.lo mdns.o: $(srcdir)/mdns.c config.h $(srcdir)/debug.h $(srcdir)/context.h getdns/getdns.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
+ $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
+platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h config.h
+pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c config.h $(srcdir)/debug.h getdns/getdns.h \
+ $(srcdir)/context.h getdns/getdns.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
+ config.h $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/$(tlsdir)/pubkey-pinning-internal.h
-request-internal.lo request-internal.o: $(srcdir)/request-internal.c \
- config.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h
-rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
- config.h \
- getdns/getdns.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- getdns/getdns_extra.h \
+ $(srcdir)/gldns/parseutil.h $(srcdir)/pubkey-pinning.h tls/pubkey-pinning-internal.h
+request-internal.lo request-internal.o: $(srcdir)/request-internal.c config.h $(srcdir)/types-internal.h \
+ getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
+ getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
+ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h
+rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h config.h getdns/getdns.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h getdns/getdns_extra.h getdns/getdns.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \
- $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h
-rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
- config.h \
- getdns/getdns.h \
+ $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
+ getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
+ $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h
+rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h config.h getdns/getdns.h \
  $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h
-server.lo server.o: $(srcdir)/server.c \
- config.h \
- getdns/getdns_extra.h \
- getdns/getdns.h \
- $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/debug.h \
- $(srcdir)/util-internal.h $(srcdir)/platform.h
-stub.lo stub.o: $(srcdir)/stub.c config.h \
- $(srcdir)/debug.h $(srcdir)/stub.h \
- getdns/getdns.h \
- $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \
- $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \
- $(srcdir)/pubkey-pinning.h
-sync.lo sync.o: $(srcdir)/sync.c \
- getdns/getdns.h \
- config.h $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+server.lo server.o: $(srcdir)/server.c config.h getdns/getdns_extra.h getdns/getdns.h \
+ $(srcdir)/context.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/platform.h
+stub.lo stub.o: $(srcdir)/stub.c config.h $(srcdir)/debug.h $(srcdir)/stub.h getdns/getdns.h $(srcdir)/types-internal.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h
+sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h config.h $(srcdir)/context.h getdns/getdns_extra.h \
+ getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \
  $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
-ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \
- config.h
-util-internal.lo util-internal.o: $(srcdir)/util-internal.c \
- config.h \
- getdns/getdns.h $(srcdir)/dict.h \
+ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h config.h getdns/getdns.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h
+util-internal.lo util-internal.o: $(srcdir)/util-internal.c config.h getdns/getdns.h $(srcdir)/dict.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
- $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
+ getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
  $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \
  $(srcdir)/gldns/rrdef.h
-gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
- config.h \
+version.lo version.o: version.c
+gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c config.h $(srcdir)/gldns/gbuffer.h
+keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c config.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
+parse.lo parse.o: $(srcdir)/gldns/parse.c config.h $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h \
  $(srcdir)/gldns/gbuffer.h
-keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
- config.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
-parse.lo parse.o: $(srcdir)/gldns/parse.c \
- config.h $(srcdir)/gldns/parse.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
-parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \
- config.h \
- $(srcdir)/gldns/parseutil.h
-rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \
- config.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/parseutil.h
-str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
- config.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h
-wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
- config.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/$(tlsdir)/keyraw-internal.h
-arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
- config.h
-arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
- config.h \
- $(srcdir)/compat/chacha_private.h
-arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c \
- config.h
-explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c \
- config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c \
- config.h
-getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c \
- config.h
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c \
- config.h
+parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c config.h $(srcdir)/gldns/parseutil.h
+rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c config.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h
+str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c config.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h
+wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c config.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h
+arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h
+arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h
+arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c config.h
+explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
+getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
 getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
-gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c \
- config.h
-inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c \
- config.h
-inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c \
- config.h
-sha512.lo sha512.o: $(srcdir)/compat/sha512.c \
- config.h
-strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \
- config.h
-strptime.lo strptime.o: $(srcdir)/compat/strptime.c \
- config.h
-locks.lo locks.o: $(srcdir)/util/locks.c \
- config.h $(srcdir)/util/locks.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h
-lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \
- config.h \
- $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \
- $(srcdir)/util/orig-headers/lookup3.h
-lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \
- config.h \
- $(srcdir)/util/auxiliary/util/storage/lruhash.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h
-rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
- config.h \
- $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \
- $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h
+gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c config.h
+inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c config.h
+inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c config.h
+sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
+strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
+strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
+locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h
+lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c config.h $(srcdir)/util/auxiliary/util/storage/lookup3.h \
+ $(srcdir)/util/lookup3.h $(srcdir)/util/orig-headers/lookup3.h
+lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c config.h $(srcdir)/util/auxiliary/util/storage/lruhash.h \
+ $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h \
+ $(srcdir)/util/auxiliary/util/fptr_wlist.h
+rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/auxiliary/log.h \
+ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h $(srcdir)/util/auxiliary/fptr_wlist.h \
+ $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
-anchor-internal.lo anchor-internal.o: $(srcdir)/$(tlsdir)/anchor-internal.c \
- config.h $(srcdir)/anchor.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h
-keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c \
- config.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
-pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c $(srcdir)/context.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- config.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/pubkey-pinning.h
-tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c \
- config.h $(srcdir)/debug.h \
- $(srcdir)/context.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/tls.h
-val_secalgo.lo val_secalgo.o: $(srcdir)/$(tlsdir)/val_secalgo.c \
- config.h \
- $(srcdir)/util/auxiliary/util/data/packed_rrset.h $(srcdir)/$(tlsdir)/validator/val_secalgo.h \
- $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h $(srcdir)/$(tlsdir)/validator/val_nsec3.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h
+keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c config.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
+pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c config.h \
+ $(srcdir)/debug.h config.h getdns/getdns.h $(srcdir)/context.h getdns/getdns.h \
+ getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/context.h tls/pubkey-pinning-internal.h
+tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c config.h $(srcdir)/debug.h config.h $(srcdir)/context.h getdns/getdns.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
+ $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/const-info.h $(srcdir)/tls.h
 yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
-libev.lo libev.o: $(srcdir)/extension/libev.c \
- config.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h
-libevent.lo libevent.o: $(srcdir)/extension/libevent.c \
- config.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h
-libuv.lo libuv.o: $(srcdir)/extension/libuv.c \
- config.h $(srcdir)/debug.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h
-poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
- config.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
+libev.lo libev.o: $(srcdir)/extension/libev.c config.h $(srcdir)/types-internal.h getdns/getdns.h \
+ getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h \
+ getdns/getdns_extra.h
+libevent.lo libevent.o: $(srcdir)/extension/libevent.c config.h $(srcdir)/types-internal.h \
+ getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h \
+ getdns/getdns_extra.h
+libuv.lo libuv.o: $(srcdir)/extension/libuv.c config.h $(srcdir)/debug.h config.h $(srcdir)/types-internal.h \
+ getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h \
+ getdns/getdns_extra.h
+poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c config.h $(srcdir)/util-internal.h \
+ config.h $(srcdir)/context.h getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h
-select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \
- config.h $(srcdir)/debug.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \
- $(srcdir)/extension/select_eventloop.h
-stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c \
- config.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h
+ getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
+ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h
+select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c config.h $(srcdir)/debug.h \
+ config.h $(srcdir)/types-internal.h getdns/getdns.h getdns/getdns_extra.h \
+ getdns/getdns.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \
+ $(srcdir)/extension/select_eventloop.h getdns/getdns_extra.h
+stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c config.h getdns/getdns.h \
+ getdns/getdns_extra.h $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h
diff --git a/src/gnutls/anchor-internal.c b/src/gnutls/anchor-internal.c
deleted file mode 100644
index 45b58d52..00000000
--- a/src/gnutls/anchor-internal.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- *
- * /brief functions for DNSSEC trust anchor management
- *
- */
-
-/*
- * Copyright (c) 2017, NLnet Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * * Redistributions of source code must retain the above copyright
- *   notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- *   notice, this list of conditions and the following disclaimer in the
- *   documentation and/or other materials provided with the distribution.
- * * Neither the names of the copyright holders nor the
- *   names of its contributors may be used to endorse or promote products
- *   derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "anchor.h"
-
-void _getdns_context_equip_with_anchor(
-        getdns_context *context, uint64_t *now_ms)
-{
-}
-
-uint8_t *_getdns_tas_validate(struct mem_funcs *mf,
-    const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd,
-    const getdns_bindata *crt_bd, const char *p7signer,
-                      uint64_t *now_ms, uint8_t *tas, size_t *tas_len)
-{
-        return NULL;
-}
diff --git a/src/gnutls/pubkey-pinning-internal.h b/src/gnutls/pubkey-pinning-internal.h
deleted file mode 100644
index e69de29b..00000000
diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c
deleted file mode 120000
index 446f8e5f..00000000
--- a/src/gnutls/val_secalgo.c
+++ /dev/null
@@ -1 +0,0 @@
-../openssl/val_secalgo.c
\ No newline at end of file
diff --git a/src/gnutls/validator b/src/gnutls/validator
deleted file mode 120000
index 3e9ba44b..00000000
--- a/src/gnutls/validator
+++ /dev/null
@@ -1 +0,0 @@
-../openssl/validator
\ No newline at end of file
diff --git a/src/test/Makefile.in b/src/test/Makefile.in
index 9d4dad00..00211237 100644
--- a/src/test/Makefile.in
+++ b/src/test/Makefile.in
@@ -231,13 +231,10 @@ depend:
 .PHONY: clean test
 
 # Dependencies for the unit tests
-check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c \
- ../getdns/getdns.h \
- $(srcdir)/check_getdns_common.h \
- ../getdns/getdns_extra.h \
- $(srcdir)/check_getdns_address.h $(srcdir)/check_getdns_address_sync.h \
- $(srcdir)/check_getdns_cancel_callback.h $(srcdir)/check_getdns_context_create.h \
- $(srcdir)/check_getdns_context_destroy.h \
+check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c ../getdns/getdns.h $(srcdir)/check_getdns_common.h \
+ ../getdns/getdns_extra.h $(srcdir)/check_getdns_address.h \
+ $(srcdir)/check_getdns_address_sync.h $(srcdir)/check_getdns_cancel_callback.h \
+ $(srcdir)/check_getdns_context_create.h $(srcdir)/check_getdns_context_destroy.h \
  $(srcdir)/check_getdns_context_set_context_update_callback.h \
  $(srcdir)/check_getdns_context_set_dns_transport.h \
  $(srcdir)/check_getdns_context_set_timeout.h \
@@ -257,58 +254,34 @@ check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c \
  $(srcdir)/check_getdns_list_get_list.h $(srcdir)/check_getdns_pretty_print_dict.h \
  $(srcdir)/check_getdns_service.h $(srcdir)/check_getdns_service_sync.h \
  $(srcdir)/check_getdns_transport.h
-check_getdns_common.lo check_getdns_common.o: $(srcdir)/check_getdns_common.c \
- ../getdns/getdns.h \
- ../config.h \
- $(srcdir)/check_getdns_common.h \
- ../getdns/getdns_extra.h \
+check_getdns_common.lo check_getdns_common.o: $(srcdir)/check_getdns_common.c ../getdns/getdns.h \
+ ../config.h $(srcdir)/check_getdns_common.h ../getdns/getdns_extra.h \
  $(srcdir)/check_getdns_eventloop.h
 check_getdns_context_set_timeout.lo check_getdns_context_set_timeout.o: $(srcdir)/check_getdns_context_set_timeout.c \
  $(srcdir)/check_getdns_context_set_timeout.h $(srcdir)/check_getdns_common.h \
- ../getdns/getdns.h \
- ../getdns/getdns_extra.h
+ ../getdns/getdns.h ../getdns/getdns_extra.h
 check_getdns_libev.lo check_getdns_libev.o: $(srcdir)/check_getdns_libev.c $(srcdir)/check_getdns_eventloop.h \
- ../config.h \
- ../getdns/getdns.h \
- $(srcdir)/../getdns/getdns_ext_libev.h \
- ../getdns/getdns_extra.h \
- $(srcdir)/check_getdns_common.h
+ ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libev.h \
+ ../getdns/getdns_extra.h $(srcdir)/check_getdns_common.h
 check_getdns_libevent.lo check_getdns_libevent.o: $(srcdir)/check_getdns_libevent.c $(srcdir)/check_getdns_eventloop.h \
- ../config.h \
- ../getdns/getdns.h \
- $(srcdir)/../getdns/getdns_ext_libevent.h \
- ../getdns/getdns_extra.h \
- $(srcdir)/check_getdns_libevent.h $(srcdir)/check_getdns_common.h
+ ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libevent.h \
+ ../getdns/getdns_extra.h $(srcdir)/check_getdns_libevent.h $(srcdir)/check_getdns_common.h
 check_getdns_libuv.lo check_getdns_libuv.o: $(srcdir)/check_getdns_libuv.c $(srcdir)/check_getdns_eventloop.h \
- ../config.h \
- ../getdns/getdns.h \
- $(srcdir)/../getdns/getdns_ext_libuv.h \
- ../getdns/getdns_extra.h \
- $(srcdir)/check_getdns_common.h
+ ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libuv.h \
+ ../getdns/getdns_extra.h $(srcdir)/check_getdns_common.h
 check_getdns_selectloop.lo check_getdns_selectloop.o: $(srcdir)/check_getdns_selectloop.c \
- $(srcdir)/check_getdns_eventloop.h \
- ../config.h \
- ../getdns/getdns.h \
+ $(srcdir)/check_getdns_eventloop.h ../config.h ../getdns/getdns.h \
  ../getdns/getdns_extra.h
 check_getdns_transport.lo check_getdns_transport.o: $(srcdir)/check_getdns_transport.c \
- $(srcdir)/check_getdns_transport.h $(srcdir)/check_getdns_common.h \
- ../getdns/getdns.h \
+ $(srcdir)/check_getdns_transport.h $(srcdir)/check_getdns_common.h ../getdns/getdns.h \
  ../getdns/getdns_extra.h
-scratchpad.template.lo scratchpad.template.o: scratchpad.template.c \
- ../getdns/getdns.h \
+scratchpad.template.lo scratchpad.template.o: scratchpad.template.c ../getdns/getdns.h \
  ../getdns/getdns_extra.h
 testmessages.lo testmessages.o: $(srcdir)/testmessages.c $(srcdir)/testmessages.h
-tests_dict.lo tests_dict.o: $(srcdir)/tests_dict.c $(srcdir)/testmessages.h \
- ../getdns/getdns.h
-tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h \
- ../getdns/getdns.h
-tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h \
- ../getdns/getdns.h
-tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c \
- ../config.h \
- $(srcdir)/testmessages.h \
- ../getdns/getdns.h \
- ../getdns/getdns_extra.h
-tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h \
- ../getdns/getdns.h \
+tests_dict.lo tests_dict.o: $(srcdir)/tests_dict.c $(srcdir)/testmessages.h ../getdns/getdns.h
+tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h ../getdns/getdns.h
+tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h ../getdns/getdns.h
+tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c ../config.h $(srcdir)/testmessages.h \
+ ../getdns/getdns.h ../getdns/getdns_extra.h
+tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h ../getdns/getdns.h \
  ../getdns/getdns_extra.h
diff --git a/src/openssl/anchor-internal.c b/src/tls/anchor-internal.c
similarity index 99%
rename from src/openssl/anchor-internal.c
rename to src/tls/anchor-internal.c
index db9e01f8..a981f556 100644
--- a/src/openssl/anchor-internal.c
+++ b/src/tls/anchor-internal.c
@@ -35,6 +35,7 @@
 #include <fcntl.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/pem.h>
 #include <openssl/err.h>
 #include <strings.h>
 #include <time.h>
diff --git a/src/openssl/pubkey-pinning-internal.h b/src/tls/pubkey-pinning-internal.h
similarity index 100%
rename from src/openssl/pubkey-pinning-internal.h
rename to src/tls/pubkey-pinning-internal.h
diff --git a/src/openssl/val_secalgo.c b/src/tls/val_secalgo.c
similarity index 99%
rename from src/openssl/val_secalgo.c
rename to src/tls/val_secalgo.c
index c7158d82..765eafa7 100644
--- a/src/openssl/val_secalgo.c
+++ b/src/tls/val_secalgo.c
@@ -55,7 +55,7 @@
 #endif
 
 /* OpenSSL implementation */
-#ifdef HAVE_SSL
+#if defined(HAVE_SSL) && !defined(HAVE_NETTLE)
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
 #endif
diff --git a/src/openssl/validator/val_nsec3.h b/src/tls/validator/val_nsec3.h
similarity index 100%
rename from src/openssl/validator/val_nsec3.h
rename to src/tls/validator/val_nsec3.h
diff --git a/src/openssl/validator/val_secalgo.h b/src/tls/validator/val_secalgo.h
similarity index 100%
rename from src/openssl/validator/val_secalgo.h
rename to src/tls/validator/val_secalgo.h
diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in
index 6cefffcd..7d94edb7 100644
--- a/src/tools/Makefile.in
+++ b/src/tools/Makefile.in
@@ -122,12 +122,7 @@ depend:
 .PHONY: clean test
 
 # Dependencies for getdns_query
-getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \
- ../config.h \
- $(srcdir)/../debug.h \
- ../getdns/getdns.h \
- ../getdns/getdns_extra.h
-getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \
- ../config.h \
- ../getdns/getdns.h \
+getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c ../config.h $(srcdir)/../debug.h ../config.h \
+ ../getdns/getdns.h ../getdns/getdns_extra.h
+getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c ../config.h ../getdns/getdns.h \
  ../getdns/getdns_extra.h

From 754d65eb6d2fa8415aaf579aa67ce526c0bd953e Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Mar 2019 16:58:10 +0100
Subject: [PATCH 291/303] Correct dependencies

---
 spec/example/Makefile.in |  24 +-
 src/Makefile.in          | 468 +++++++++++++++++++++++----------------
 src/test/Makefile.in     |  71 ++++--
 src/tools/Makefile.in    |  11 +-
 4 files changed, 356 insertions(+), 218 deletions(-)

diff --git a/spec/example/Makefile.in b/spec/example/Makefile.in
index 7bf5e016..8ff7f2d1 100644
--- a/spec/example/Makefile.in
+++ b/spec/example/Makefile.in
@@ -149,16 +149,24 @@ depend:
 
 # Dependencies for the examples
 example-all-functions.lo example-all-functions.o: $(srcdir)/example-all-functions.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h ../../src/getdns/getdns_extra.h
-example-reverse.lo example-reverse.o: $(srcdir)/example-reverse.c $(srcdir)/getdns_libevent.h ../../src/config.h \
- ../../src/getdns/getdns.h $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
+ ../../src/config.h \
+ ../../src/getdns/getdns.h \
+ $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
+ ../../src/getdns/getdns_extra.h
+example-reverse.lo example-reverse.o: $(srcdir)/example-reverse.c $(srcdir)/getdns_libevent.h \
+ ../../src/config.h \
+ ../../src/getdns/getdns.h \
+ $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
  ../../src/getdns/getdns_extra.h
 example-simple-answers.lo example-simple-answers.o: $(srcdir)/example-simple-answers.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h ../../src/getdns/getdns_extra.h
+ ../../src/config.h \
+ ../../src/getdns/getdns.h \
+ $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
+ ../../src/getdns/getdns_extra.h
 example-synchronous.lo example-synchronous.o: $(srcdir)/example-synchronous.c $(srcdir)/getdns_core_only.h \
  ../../src/getdns/getdns.h
-example-tree.lo example-tree.o: $(srcdir)/example-tree.c $(srcdir)/getdns_libevent.h ../../src/config.h \
- ../../src/getdns/getdns.h $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
+example-tree.lo example-tree.o: $(srcdir)/example-tree.c $(srcdir)/getdns_libevent.h \
+ ../../src/config.h \
+ ../../src/getdns/getdns.h \
+ $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
  ../../src/getdns/getdns_extra.h
diff --git a/src/Makefile.in b/src/Makefile.in
index 2632d11b..9b206491 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -287,6 +287,7 @@ depend:
 		    -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \
 		    -e 's? util/? $$(srcdir)/util/?g' \
 		    -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
+		    -e 's? tls/? $$(srcdir)/tls/?g' \
 		    -e 's? $(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g' \
 		    -e 's? yxml/? $$(srcdir)/yxml/?g' \
 		    -e 's? extension/? $$(srcdir)/extension/?g' \
@@ -308,207 +309,304 @@ depend:
 FORCE:
 
 # Dependencies for gldns, utils, the extensions and compat functions
-anchor.lo anchor.o: $(srcdir)/anchor.c config.h $(srcdir)/debug.h $(srcdir)/anchor.h getdns/getdns.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- config.h $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h \
+anchor.lo anchor.o: $(srcdir)/anchor.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/anchor.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
  $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h \
  $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
-const-info.lo const-info.o: $(srcdir)/const-info.c getdns/getdns.h getdns/getdns_extra.h \
- getdns/getdns.h $(srcdir)/const-info.h
-context.lo context.o: $(srcdir)/context.c config.h $(srcdir)/anchor.h getdns/getdns.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \
+const-info.lo const-info.o: $(srcdir)/const-info.c \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
  $(srcdir)/const-info.h
-convert.lo convert.o: $(srcdir)/convert.c config.h getdns/getdns.h getdns/getdns_extra.h \
- getdns/getdns.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \
- $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h
-dict.lo dict.o: $(srcdir)/dict.c config.h $(srcdir)/types-internal.h getdns/getdns.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
- getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
+context.lo context.o: $(srcdir)/context.c \
+ config.h $(srcdir)/anchor.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h \
+ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h
+convert.lo convert.o: $(srcdir)/convert.c \
+ config.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
  $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
- $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/parseutil.h
-dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h $(srcdir)/debug.h getdns/getdns.h $(srcdir)/context.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
- $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \
- $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h
-general.lo general.o: $(srcdir)/general.c config.h $(srcdir)/general.h getdns/getdns.h $(srcdir)/types-internal.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
- getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h
+dict.lo dict.o: $(srcdir)/dict.c \
+ config.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
  $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
- $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h
-list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h getdns/getdns.h getdns/getdns_extra.h \
- getdns/getdns.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \
- config.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h
-mdns.lo mdns.o: $(srcdir)/mdns.c config.h $(srcdir)/debug.h $(srcdir)/context.h getdns/getdns.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
- $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
-platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h config.h
-pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c config.h $(srcdir)/debug.h getdns/getdns.h \
- $(srcdir)/context.h getdns/getdns.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
- config.h $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h \
+ $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h
+dnssec.lo dnssec.o: $(srcdir)/dnssec.c \
+ config.h $(srcdir)/debug.h \
+ getdns/getdns.h \
+ $(srcdir)/context.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
  $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/pubkey-pinning.h tls/pubkey-pinning-internal.h
-request-internal.lo request-internal.o: $(srcdir)/request-internal.c config.h $(srcdir)/types-internal.h \
- getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
- getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
- $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h
-rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h config.h getdns/getdns.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h getdns/getdns_extra.h getdns/getdns.h \
+ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \
+ $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h
+general.lo general.o: $(srcdir)/general.c \
+ config.h $(srcdir)/general.h \
+ getdns/getdns.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h
+list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \
+ config.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/list.h $(srcdir)/dict.h
+mdns.lo mdns.o: $(srcdir)/mdns.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/context.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
- getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
- $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h
-rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h config.h getdns/getdns.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h
-server.lo server.o: $(srcdir)/server.c config.h getdns/getdns_extra.h getdns/getdns.h \
- $(srcdir)/context.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/platform.h
-stub.lo stub.o: $(srcdir)/stub.c config.h $(srcdir)/debug.h $(srcdir)/stub.h getdns/getdns.h $(srcdir)/types-internal.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
- $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h
-sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h config.h $(srcdir)/context.h getdns/getdns_extra.h \
- getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
  $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \
- $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
-ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h config.h getdns/getdns.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h
-util-internal.lo util-internal.o: $(srcdir)/util-internal.c config.h getdns/getdns.h $(srcdir)/dict.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \
- getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
+platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \
+ config.h
+pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \
+ config.h $(srcdir)/debug.h \
+ getdns/getdns.h \
+ $(srcdir)/context.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
+ $(srcdir)/gldns/parseutil.h $(srcdir)/pubkey-pinning.h $(srcdir)/tls/pubkey-pinning-internal.h
+request-internal.lo request-internal.o: $(srcdir)/request-internal.c \
+ config.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h
+rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
+ config.h \
+ getdns/getdns.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/util-internal.h $(srcdir)/context.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h \
+ $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h
+rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ config.h \
+ getdns/getdns.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h
+server.lo server.o: $(srcdir)/server.c \
+ config.h \
+ getdns/getdns_extra.h \
+ getdns/getdns.h \
+ $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/util-internal.h $(srcdir)/platform.h
+stub.lo stub.o: $(srcdir)/stub.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/stub.h \
+ getdns/getdns.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \
+ $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \
+ $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \
+ $(srcdir)/pubkey-pinning.h
+sync.lo sync.o: $(srcdir)/sync.c \
+ getdns/getdns.h \
+ config.h $(srcdir)/context.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
+ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \
+ config.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h
+util-internal.lo util-internal.o: $(srcdir)/util-internal.c \
+ config.h \
+ getdns/getdns.h \
+ $(srcdir)/dict.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
  $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
  $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \
  $(srcdir)/gldns/rrdef.h
-version.lo version.o: version.c
-gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c config.h $(srcdir)/gldns/gbuffer.h
-keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
-parse.lo parse.o: $(srcdir)/gldns/parse.c config.h $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h \
+gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
+ config.h \
  $(srcdir)/gldns/gbuffer.h
-parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c config.h $(srcdir)/gldns/parseutil.h
-rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c config.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h
-str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c config.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h
-wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c config.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h
-arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h
-arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h
-arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c config.h
-explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
-getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
+keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
+ config.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
+parse.lo parse.o: $(srcdir)/gldns/parse.c \
+ config.h \
+ $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
+parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \
+ config.h \
+ $(srcdir)/gldns/parseutil.h
+rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \
+ config.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h
+str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
+ config.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h
+wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
+ config.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \
+ $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/$(tlsdir)/keyraw-internal.h
+arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
+ config.h
+arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
+ config.h \
+ $(srcdir)/compat/chacha_private.h
+arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c \
+ config.h
+explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c \
+ config.h
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c \
+ config.h
+getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c \
+ config.h
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c \
+ config.h
 getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
-gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c config.h
-inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c config.h
-inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c config.h
-sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
-strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
-strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
-locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h
-lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c config.h $(srcdir)/util/auxiliary/util/storage/lookup3.h \
- $(srcdir)/util/lookup3.h $(srcdir)/util/orig-headers/lookup3.h
-lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c config.h $(srcdir)/util/auxiliary/util/storage/lruhash.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h \
- $(srcdir)/util/auxiliary/util/fptr_wlist.h
-rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/auxiliary/log.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h $(srcdir)/util/auxiliary/fptr_wlist.h \
- $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h
+gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c \
+ config.h
+inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c \
+ config.h
+inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c \
+ config.h
+sha512.lo sha512.o: $(srcdir)/compat/sha512.c \
+ config.h
+strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \
+ config.h
+strptime.lo strptime.o: $(srcdir)/compat/strptime.c \
+ config.h
+locks.lo locks.o: $(srcdir)/util/locks.c \
+ config.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h
+lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \
+ config.h \
+ $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \
+ $(srcdir)/util/orig-headers/lookup3.h
+lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \
+ config.h \
+ $(srcdir)/util/auxiliary/util/storage/lruhash.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h
+rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
+ config.h \
+ $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \
+ $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
-keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
-pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c config.h \
- $(srcdir)/debug.h config.h getdns/getdns.h $(srcdir)/context.h getdns/getdns.h \
- getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/context.h tls/pubkey-pinning-internal.h
-tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c config.h $(srcdir)/debug.h config.h $(srcdir)/context.h getdns/getdns.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \
- $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/const-info.h $(srcdir)/tls.h
-yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
-libev.lo libev.o: $(srcdir)/extension/libev.c config.h $(srcdir)/types-internal.h getdns/getdns.h \
- getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h \
- getdns/getdns_extra.h
-libevent.lo libevent.o: $(srcdir)/extension/libevent.c config.h $(srcdir)/types-internal.h \
- getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h \
- getdns/getdns_extra.h
-libuv.lo libuv.o: $(srcdir)/extension/libuv.c config.h $(srcdir)/debug.h config.h $(srcdir)/types-internal.h \
- getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h \
- getdns/getdns_extra.h
-poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c config.h $(srcdir)/util-internal.h \
- config.h $(srcdir)/context.h getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h \
+keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c \
+ config.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h
+pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c \
+ config.h $(srcdir)/debug.h \
+ getdns/getdns.h \
+ $(srcdir)/context.h \
+ getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \
- $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h
-select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c config.h $(srcdir)/debug.h \
- config.h $(srcdir)/types-internal.h getdns/getdns.h getdns/getdns_extra.h \
- getdns/getdns.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \
- $(srcdir)/extension/select_eventloop.h getdns/getdns_extra.h
-stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c config.h getdns/getdns.h \
- getdns/getdns_extra.h $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/tls/pubkey-pinning-internal.h
+tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/context.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/const-info.h $(srcdir)/tls.h
+yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
+libev.lo libev.o: $(srcdir)/extension/libev.c \
+ config.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h
+libevent.lo libevent.o: $(srcdir)/extension/libevent.c \
+ config.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h
+libuv.lo libuv.o: $(srcdir)/extension/libuv.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h
+poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
+ config.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/platform.h $(srcdir)/debug.h
+select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \
+ $(srcdir)/extension/select_eventloop.h
+stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c \
+ config.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h
diff --git a/src/test/Makefile.in b/src/test/Makefile.in
index 00211237..9d4dad00 100644
--- a/src/test/Makefile.in
+++ b/src/test/Makefile.in
@@ -231,10 +231,13 @@ depend:
 .PHONY: clean test
 
 # Dependencies for the unit tests
-check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c ../getdns/getdns.h $(srcdir)/check_getdns_common.h \
- ../getdns/getdns_extra.h $(srcdir)/check_getdns_address.h \
- $(srcdir)/check_getdns_address_sync.h $(srcdir)/check_getdns_cancel_callback.h \
- $(srcdir)/check_getdns_context_create.h $(srcdir)/check_getdns_context_destroy.h \
+check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c \
+ ../getdns/getdns.h \
+ $(srcdir)/check_getdns_common.h \
+ ../getdns/getdns_extra.h \
+ $(srcdir)/check_getdns_address.h $(srcdir)/check_getdns_address_sync.h \
+ $(srcdir)/check_getdns_cancel_callback.h $(srcdir)/check_getdns_context_create.h \
+ $(srcdir)/check_getdns_context_destroy.h \
  $(srcdir)/check_getdns_context_set_context_update_callback.h \
  $(srcdir)/check_getdns_context_set_dns_transport.h \
  $(srcdir)/check_getdns_context_set_timeout.h \
@@ -254,34 +257,58 @@ check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c ../getdns/getdns.h $(sr
  $(srcdir)/check_getdns_list_get_list.h $(srcdir)/check_getdns_pretty_print_dict.h \
  $(srcdir)/check_getdns_service.h $(srcdir)/check_getdns_service_sync.h \
  $(srcdir)/check_getdns_transport.h
-check_getdns_common.lo check_getdns_common.o: $(srcdir)/check_getdns_common.c ../getdns/getdns.h \
- ../config.h $(srcdir)/check_getdns_common.h ../getdns/getdns_extra.h \
+check_getdns_common.lo check_getdns_common.o: $(srcdir)/check_getdns_common.c \
+ ../getdns/getdns.h \
+ ../config.h \
+ $(srcdir)/check_getdns_common.h \
+ ../getdns/getdns_extra.h \
  $(srcdir)/check_getdns_eventloop.h
 check_getdns_context_set_timeout.lo check_getdns_context_set_timeout.o: $(srcdir)/check_getdns_context_set_timeout.c \
  $(srcdir)/check_getdns_context_set_timeout.h $(srcdir)/check_getdns_common.h \
- ../getdns/getdns.h ../getdns/getdns_extra.h
+ ../getdns/getdns.h \
+ ../getdns/getdns_extra.h
 check_getdns_libev.lo check_getdns_libev.o: $(srcdir)/check_getdns_libev.c $(srcdir)/check_getdns_eventloop.h \
- ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libev.h \
- ../getdns/getdns_extra.h $(srcdir)/check_getdns_common.h
+ ../config.h \
+ ../getdns/getdns.h \
+ $(srcdir)/../getdns/getdns_ext_libev.h \
+ ../getdns/getdns_extra.h \
+ $(srcdir)/check_getdns_common.h
 check_getdns_libevent.lo check_getdns_libevent.o: $(srcdir)/check_getdns_libevent.c $(srcdir)/check_getdns_eventloop.h \
- ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libevent.h \
- ../getdns/getdns_extra.h $(srcdir)/check_getdns_libevent.h $(srcdir)/check_getdns_common.h
+ ../config.h \
+ ../getdns/getdns.h \
+ $(srcdir)/../getdns/getdns_ext_libevent.h \
+ ../getdns/getdns_extra.h \
+ $(srcdir)/check_getdns_libevent.h $(srcdir)/check_getdns_common.h
 check_getdns_libuv.lo check_getdns_libuv.o: $(srcdir)/check_getdns_libuv.c $(srcdir)/check_getdns_eventloop.h \
- ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libuv.h \
- ../getdns/getdns_extra.h $(srcdir)/check_getdns_common.h
+ ../config.h \
+ ../getdns/getdns.h \
+ $(srcdir)/../getdns/getdns_ext_libuv.h \
+ ../getdns/getdns_extra.h \
+ $(srcdir)/check_getdns_common.h
 check_getdns_selectloop.lo check_getdns_selectloop.o: $(srcdir)/check_getdns_selectloop.c \
- $(srcdir)/check_getdns_eventloop.h ../config.h ../getdns/getdns.h \
+ $(srcdir)/check_getdns_eventloop.h \
+ ../config.h \
+ ../getdns/getdns.h \
  ../getdns/getdns_extra.h
 check_getdns_transport.lo check_getdns_transport.o: $(srcdir)/check_getdns_transport.c \
- $(srcdir)/check_getdns_transport.h $(srcdir)/check_getdns_common.h ../getdns/getdns.h \
+ $(srcdir)/check_getdns_transport.h $(srcdir)/check_getdns_common.h \
+ ../getdns/getdns.h \
  ../getdns/getdns_extra.h
-scratchpad.template.lo scratchpad.template.o: scratchpad.template.c ../getdns/getdns.h \
+scratchpad.template.lo scratchpad.template.o: scratchpad.template.c \
+ ../getdns/getdns.h \
  ../getdns/getdns_extra.h
 testmessages.lo testmessages.o: $(srcdir)/testmessages.c $(srcdir)/testmessages.h
-tests_dict.lo tests_dict.o: $(srcdir)/tests_dict.c $(srcdir)/testmessages.h ../getdns/getdns.h
-tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h ../getdns/getdns.h
-tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h ../getdns/getdns.h
-tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c ../config.h $(srcdir)/testmessages.h \
- ../getdns/getdns.h ../getdns/getdns_extra.h
-tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h ../getdns/getdns.h \
+tests_dict.lo tests_dict.o: $(srcdir)/tests_dict.c $(srcdir)/testmessages.h \
+ ../getdns/getdns.h
+tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h \
+ ../getdns/getdns.h
+tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h \
+ ../getdns/getdns.h
+tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c \
+ ../config.h \
+ $(srcdir)/testmessages.h \
+ ../getdns/getdns.h \
+ ../getdns/getdns_extra.h
+tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h \
+ ../getdns/getdns.h \
  ../getdns/getdns_extra.h
diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in
index 7d94edb7..6cefffcd 100644
--- a/src/tools/Makefile.in
+++ b/src/tools/Makefile.in
@@ -122,7 +122,12 @@ depend:
 .PHONY: clean test
 
 # Dependencies for getdns_query
-getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c ../config.h $(srcdir)/../debug.h ../config.h \
- ../getdns/getdns.h ../getdns/getdns_extra.h
-getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c ../config.h ../getdns/getdns.h \
+getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \
+ ../config.h \
+ $(srcdir)/../debug.h \
+ ../getdns/getdns.h \
+ ../getdns/getdns_extra.h
+getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \
+ ../config.h \
+ ../getdns/getdns.h \
  ../getdns/getdns_extra.h

From 342b1090f8e700eaf742ee882740c6d125c93e30 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Mar 2019 17:22:31 +0100
Subject: [PATCH 292/303] Declarations are always defined

---
 src/server.c | 2 +-
 src/stub.c   | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/server.c b/src/server.c
index 5b1edd86..4339d593 100644
--- a/src/server.c
+++ b/src/server.c
@@ -863,7 +863,7 @@ static getdns_return_t add_listeners(listen_set *set)
 		    &enable, sizeof(enable)) < 0) {
 			; /* Ignore */
 		}
-#ifdef HAVE_DECL_TCP_FASTOPEN
+#if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
 		if (setsockopt(l->fd, IPPROTO_TCP, TCP_FASTOPEN,
 		    &enable, sizeof(enable)) < 0) {
 			; /* Ignore */
diff --git a/src/stub.c b/src/stub.c
index c71ce1ca..0a5b4b46 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -412,16 +412,16 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
 	/* Note that error detection is different with TFO. Since the handshake
 	   doesn't start till the sendto() lack of connection is often delayed until
 	   then or even the subsequent event depending on the error and platform.*/
-# ifdef     HAVE_DECL_TCP_FASTOPEN_CONNECT
+# if  defined(HAVE_DECL_TCP_FASTOPEN_CONNECT) && HAVE_DECL_TCP_FASTOPEN_CONNECT
 	(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT
 	                , (void *)&enable, sizeof(enable));
 # else	/* HAVE_DECL_TCP_FASTOPEN_CONNECT */
-#  ifdef  HAVE_DECL_TCP_FASTOPEN
+#  if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
 	(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
 	                , (void *)&enable, sizeof(enable));
 #  endif/* HAVE_DECL_TCP_FASTOPEN*/
 # endif	/* HAVE_DECL_TCP_FASTOPEN_CONNECT */
-# ifdef    HAVE_DECL_MSG_FASTOPEN
+# if  defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
 	/* Leave the connect to the later call to sendto() if using TCP*/
 	if (transport == GETDNS_TRANSPORT_TCP)
 		return fd;
@@ -760,7 +760,7 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq)
 		/* We use sendto() here which will do both a connect and send */
 #ifdef USE_TCP_FASTOPEN
 		written = sendto(fd, netreq->query - 2, pkt_len + 2,
-# ifdef HAVE_DECL_MSG_FASTOPEN
+# if   defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
 		    MSG_FASTOPEN,
 # else
 		    0,

From 82b9f5781e130e266e33f00ff2561e263e62c4a2 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Mar 2019 20:28:41 +0100
Subject: [PATCH 293/303] Take along new dirs in distributions

---
 Makefile.in | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Makefile.in b/Makefile.in
index f92fccdf..0532bd08 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -213,6 +213,8 @@ $(distdir):
 	mkdir -p $(distdir)/src/compat
 	mkdir -p $(distdir)/src/util
 	mkdir -p $(distdir)/src/gldns
+	mkdir -p $(distdir)/src/tls/validator
+	mkdir -p $(distdir)/src/gnutls
 	mkdir -p $(distdir)/src/openssl
 	mkdir -p $(distdir)/src/tools
 	mkdir -p $(distdir)/src/jsmn
@@ -261,13 +263,16 @@ $(distdir):
 	cp -r $(srcdir)/src/util/orig-headers $(distdir)/src/util
 	cp -r $(srcdir)/src/util/auxiliary $(distdir)/src/util
 	cp $(srcdir)/src/gldns/*.[ch] $(distdir)/src/gldns
+	cp $(srcdir)/src/tls/*.[ch] $(distdir)/src/tls
+	cp $(srcdir)/src/tls/validator/*.[ch] $(distdir)/src/tls/validator
+	cp $(srcdir)/src/gnutls/*.[ch] $(distdir)/src/gnutls
+	cp $(srcdir)/src/openssl/*.[ch] $(distdir)/src/openssl
 	cp $(srcdir)/doc/Makefile.in $(distdir)/doc
 	cp $(srcdir)/doc/*.in $(distdir)/doc
 	cp $(srcdir)/doc/manpgaltnames $(distdir)/doc
 	cp $(srcdir)/spec/*.html $(distdir)/spec
 	cp $(srcdir)/spec/example/Makefile.in $(distdir)/spec/example
 	cp $(srcdir)/spec/example/*.[ch] $(distdir)/spec/example
-	cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/openssl
 	cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools
 	cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools
 	cp $(srcdir)/stubby/stubby.yml.example $(distdir)/stubby

From 5b20971464b301a7ef862bd0096fe7a525641423 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Mar 2019 20:45:04 +0100
Subject: [PATCH 294/303] Setup branch for the 1.5.2 release process

---
 ChangeLog    |  5 ++++-
 configure.ac | 17 +++++++++--------
 stubby       |  2 +-
 3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3054561f..d319b220 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,13 @@
-* 2019-??-??: Version 1.?.?
+* 2019-03-??: Version 1.5.2
   * Issue #422: Enable server side and update client side TCP Fast
     Open implementation. Thanks Craig Andrews
   * Issue #423: Fix insecure delegation detection while scheduling.
     Thanks Charles Milette
   * Issue #419: Escape backslashed when printing in JSON format.
     Thanks boB Rudis
+  * Use GnuTLS instead of OpenSSL for TLS with the --with-gnutls
+    option to configure.  libcrypto (from OpenSSL) still needed
+    for Zero configuration DNSSEC.
   * DOA rr-type
   * AMTRELAY rr-type
 
diff --git a/configure.ac b/configure.ac
index e7625f5b..670d6035 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ sinclude(./m4/ac_lib_nettle.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
-AC_INIT([getdns], [1.5.1], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
+AC_INIT([getdns], [1.5.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
 
 # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
 # patched to do the same, but frequently (MacOS) not. So add a with option
@@ -53,8 +53,8 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [])
-AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
+AC_SUBST(RELEASE_CANDIDATE, [rc1])
+AC_SUBST(STUBBY_RELEASE_CANDIDATE, [rc1])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
@@ -64,13 +64,13 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050100])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010501c1])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
 
 AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package])
-AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.5$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
+AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.6$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
 
 # Library version
 # ---------------
@@ -107,9 +107,10 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.5$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.4.0 had libversion 10:0:0
 # getdns-1.4.1 had libversion 10:1:0
 # getdns-1.4.2 had libversion 10:2:0
-# getdns-1.5.0 has libversion 11:0:1
-# getdns-1.5.1 has libversion 11:1:1
-GETDNS_LIBVERSION=11:1:1
+# getdns-1.5.0 had libversion 11:0:1
+# getdns-1.5.1 had libversion 11:1:1
+# getdns-1.5.2 will have libversion 11:2:1
+GETDNS_LIBVERSION=11:2:1
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
 AC_SUBST(GETDNS_LIBVERSION)
diff --git a/stubby b/stubby
index 108a15c6..376a8dbc 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 108a15c63dc08b50d6fd3800cef6948f87e14c8a
+Subproject commit 376a8dbc5c4a8b1f52726182966b2ea9ff36be9d

From 1527979129a24722d988660a0e366ce731380d02 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Fri, 15 Mar 2019 21:16:13 +0100
Subject: [PATCH 295/303] Release candidate need dashes before rc

---
 configure.ac | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 670d6035..262b56fd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -53,8 +53,8 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [rc1])
-AC_SUBST(STUBBY_RELEASE_CANDIDATE, [rc1])
+AC_SUBST(RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(STUBBY_RELEASE_CANDIDATE, [-rc1])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],

From 99e32f1e46749d380edbe3c8543e847c2a010165 Mon Sep 17 00:00:00 2001
From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
Date: Sun, 24 Mar 2019 00:40:19 +0100
Subject: [PATCH 296/303] Increase anchor fetch timeout in tas_doc_read()

tas_doc_read() uses a very short 50 msec network read timeout which makes
fetching trust anchors pretty much impossible on high-latency connections
like 3G.

Use a 2 second read timeout, just like the other tas_read_cb() callback
setter does.
---
 src/anchor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/anchor.c b/src/anchor.c
index 1d685130..09f71232 100644
--- a/src/anchor.c
+++ b/src/anchor.c
@@ -750,7 +750,7 @@ static void tas_doc_read(getdns_context *context, tas_connection *a)
 		a->tcp.read_pos = a->tcp.read_buf;
 		a->tcp.to_read = sizeof(context->tas_hdr_spc);
 	}
-	GETDNS_SCHEDULE_EVENT(a->loop, a->fd, 50,
+	GETDNS_SCHEDULE_EVENT(a->loop, a->fd, 2000,
 	    getdns_eventloop_event_init(&a->event, a->req->owner,
 	    tas_read_cb, NULL, tas_reconnect_cb));
 	return;

From 0a1883047d6874857fe2848e3212fed881da695d Mon Sep 17 00:00:00 2001
From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
Date: Sun, 24 Mar 2019 00:50:19 +0100
Subject: [PATCH 297/303] Don't transmit an extra NULL byte in the anchor fetch
 HTTP request

When calculating HTTP request buffer size tas_connect() unnecessarily adds
an extra octet for the terminating NULL byte.
The terminating NULL was already accounted for by sizeof(fmt), however,
since sizeof("123") = 4.

The extra NULL byte at the end of the anchor fetch HTTP request resulted
in an extra "501 Not implemented" HTTP response from the trust anchor
server.
---
 src/anchor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/anchor.c b/src/anchor.c
index 09f71232..16fd8042 100644
--- a/src/anchor.c
+++ b/src/anchor.c
@@ -1086,11 +1086,11 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 		}
 		if (a->state == TAS_RETRY_GET_PS7) {
 			buf_sz = sizeof(tas_write_p7s_buf)
-			       + 1 * (hostname_len - 2) + 1 * (path_len - 2) + 1;
+			       + 1 * (hostname_len - 2) + 1 * (path_len - 2);
 			fmt = tas_write_p7s_buf;
 		} else {
 			buf_sz = sizeof(tas_write_xml_p7s_buf)
-			       + 2 * (hostname_len - 2) + 2 * (path_len - 2) + 1;
+			       + 2 * (hostname_len - 2) + 2 * (path_len - 2);
 			fmt = tas_write_xml_p7s_buf;
 		}
 		if (!(write_buf = GETDNS_XMALLOC(context->mf, char, buf_sz))) {

From b6e290f42a6be2cb4b596455841984377a814222 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 3 Apr 2019 11:51:35 +0200
Subject: [PATCH 298/303] Fix compiling for debugging

---
 src/openssl/tls.c | 2 +-
 src/stub.c        | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 94335848..af1c3122 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -914,7 +914,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	int osr = SSL_dane_enable(conn->ssl, *auth_name ? auth_name : NULL);
 	(void) osr;
 	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
-	          , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
+	          , STUB_DEBUG_SETUP_TLS, __FUNC__, auth_name, osr);
 	SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
 	const sha256_pin_t *pin_p;
 	size_t n_pins = 0;
diff --git a/src/stub.c b/src/stub.c
index 0a5b4b46..4bf470d8 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -967,8 +967,7 @@ tls_do_handshake(getdns_upstream *upstream)
 				return STUB_TCP_RETRY;
 			default:
 				DEBUG_STUB("%s %-35s: FD:  %d Handshake failed %d\n", 
-				            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd,
-				            want);
+				            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, r);
 				return STUB_SETUP_ERROR;
 	   }
 	}

From b22768709af464ccc3ff7281520952fbb6c5f7c6 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 3 Apr 2019 12:24:09 +0200
Subject: [PATCH 299/303] Runtime fallback and FreeBSD compatible TFO

---
 src/context.h |  6 ++--
 src/stub.c    | 80 +++++++++++++++++++++++++++++++++++----------------
 2 files changed, 60 insertions(+), 26 deletions(-)

diff --git a/src/context.h b/src/context.h
index 10031014..eb42382f 100644
--- a/src/context.h
+++ b/src/context.h
@@ -201,12 +201,14 @@ typedef struct getdns_upstream {
 	getdns_network_req      *write_queue_last;
 	_getdns_rbtree_t         netreq_by_query_id;
 
-    /* TLS specific connection handling*/
+	/* TCP specific connection handling*/
+	unsigned                 tfo_use_sendto  : 1;
+	/* TLS specific connection handling*/
+	unsigned                 tls_fallback_ok : 1;
 	_getdns_tls_connection*  tls_obj;
 	_getdns_tls_session*     tls_session;
 	getdns_tls_hs_state_t    tls_hs_state;
 	getdns_auth_state_t      tls_auth_state;
-	unsigned                 tls_fallback_ok : 1;
 
 	/* TLS settings */
 	char                    *tls_cipher_list;
diff --git a/src/stub.c b/src/stub.c
index 4bf470d8..2547d10f 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -385,6 +385,7 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
 	int fd = -1;
 
 
+	upstream->tfo_use_sendto = 0;
 	DEBUG_STUB("%s %-35s: Creating TCP connection:      %p\n", STUB_DEBUG_SETUP, 
 	           __FUNC__, (void*)upstream);
 	if ((fd = socket(upstream->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
@@ -413,21 +414,50 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
 	   doesn't start till the sendto() lack of connection is often delayed until
 	   then or even the subsequent event depending on the error and platform.*/
 # if  defined(HAVE_DECL_TCP_FASTOPEN_CONNECT) && HAVE_DECL_TCP_FASTOPEN_CONNECT
-	(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT
-	                , (void *)&enable, sizeof(enable));
+	if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT
+	              , (void *)&enable, sizeof(enable)) < 0) {
+		/* runtime fallback to TCP_FASTOPEN option */
+		_getdns_upstream_log(upstream,
+		    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
+		    "%-40s : Upstream   : "
+		    "Could not setup TLS capable TFO connect\n",
+		     upstream->addr_str);
+#  if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
+		/* TCP_FASTOPEN works for TCP only (not TLS) */
+		if (transport != GETDNS_TRANSPORT_TCP)
+			; /* This variant of TFO doesn't work with TLS */
+		else if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
+		                   , (void *)&enable, sizeof(enable)) >= 0) {
+
+			upstream->tfo_use_sendto = 1;
+			return fd;
+		} else
+			_getdns_upstream_log(upstream,
+			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
+			    "%-40s : Upstream   : "
+			    "Could not fallback to TCP TFO\n",
+			     upstream->addr_str);
+#  endif/* HAVE_DECL_TCP_FASTOPEN*/
+	}
+	/* On success regular connect is fine, TFO will happen automagically */
 # else	/* HAVE_DECL_TCP_FASTOPEN_CONNECT */
 #  if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
-	(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
-	                , (void *)&enable, sizeof(enable));
+	/* TCP_FASTOPEN works for TCP only (not TLS) */
+	if (transport != GETDNS_TRANSPORT_TCP)
+		; /* This variant of TFO doesn't work with TLS */
+	else if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
+	                  , (void *)&enable, sizeof(enable)) >= 0) {
+
+		upstream->tfo_use_sendto = 1;
+		return fd;
+	} else
+		_getdns_upstream_log(upstream,
+		    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
+		    "%-40s : Upstream   : Could not setup TCP TFO\n",
+		     upstream->addr_str);
+
 #  endif/* HAVE_DECL_TCP_FASTOPEN*/
 # endif	/* HAVE_DECL_TCP_FASTOPEN_CONNECT */
-# if  defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
-	/* Leave the connect to the later call to sendto() if using TCP*/
-	if (transport == GETDNS_TRANSPORT_TCP)
-		return fd;
-# else  /* HAVE_DECL_MSG_FASTOPEN */
-	(void)transport;
-# endif /* HAVE_DECL_MSG_FASTOPEN */
 #endif	/* USE_OSX_TCP_FASTOPEN */
 	if (connect(fd, (struct sockaddr *)&upstream->addr,
 	    upstream->addr_len) == -1) {
@@ -758,22 +788,24 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq)
 		 * Lets see how much of it we can write
 		 */
 		/* We use sendto() here which will do both a connect and send */
-#ifdef USE_TCP_FASTOPEN
-		written = sendto(fd, netreq->query - 2, pkt_len + 2,
+		if (netreq->upstream->tfo_use_sendto) {
+			written = sendto(fd, netreq->query - 2, pkt_len + 2,
 # if   defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
-		    MSG_FASTOPEN,
+			    MSG_FASTOPEN,
 # else
-		    0,
+			    0,
 # endif
-		    (struct sockaddr *)&(netreq->upstream->addr),
-		    netreq->upstream->addr_len);
-		/* If pipelining we will find that the connection is already up so 
-		   just fall back to a 'normal' write. */
-		if (written == -1 && _getdns_socketerror() == _getdns_EISCONN) 
-			written = write(fd, netreq->query - 2, pkt_len + 2);
-#else
-		written = send(fd, (const char *)(netreq->query - 2), pkt_len + 2, 0);
-#endif
+			    (struct sockaddr *)&(netreq->upstream->addr),
+			    netreq->upstream->addr_len);
+			/* If pipelining we will find that the connection is already up so 
+			   just fall back to a 'normal' write. */
+			if (written == -1
+			&&  _getdns_socketerror() == _getdns_EISCONN) 
+				written = write(fd, netreq->query - 2
+				                  , pkt_len + 2);
+		} else
+			written = send(fd, (const char *)(netreq->query - 2)
+			                 , pkt_len + 2, 0);
 		if ((written == -1 && _getdns_socketerror_wants_retry()) ||
 		    (size_t)written < pkt_len + 2) {
 

From ffe471543bd947d6d96ddd212ee987ba3787fb36 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 3 Apr 2019 12:36:04 +0200
Subject: [PATCH 300/303] Bumb versions for 1.5.2 release

---
 ChangeLog    | 4 +++-
 configure.ac | 8 ++++----
 stubby       | 2 +-
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d319b220..2fb2fce3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
-* 2019-03-??: Version 1.5.2
+* 2019-04-03: Version 1.5.2
+  * PR #424: Two small trust anchor fetcher fixes
+    Thanks Maciej S. Szmigiero
   * Issue #422: Enable server side and update client side TCP Fast
     Open implementation. Thanks Craig Andrews
   * Issue #423: Fix insecure delegation detection while scheduling.
diff --git a/configure.ac b/configure.ac
index 262b56fd..dd8ff09f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -53,8 +53,8 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [-rc1])
-AC_SUBST(STUBBY_RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(RELEASE_CANDIDATE, [])
+AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
@@ -64,7 +64,7 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010501c1])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050200])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@@ -109,7 +109,7 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.6$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.4.2 had libversion 10:2:0
 # getdns-1.5.0 had libversion 11:0:1
 # getdns-1.5.1 had libversion 11:1:1
-# getdns-1.5.2 will have libversion 11:2:1
+# getdns-1.5.2 has libversion 11:2:1
 GETDNS_LIBVERSION=11:2:1
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
diff --git a/stubby b/stubby
index 376a8dbc..b0d3154a 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 376a8dbc5c4a8b1f52726182966b2ea9ff36be9d
+Subproject commit b0d3154af61e1b46a30b56d239dc074273642217

From 4f4ed981124e720a1aa3227a693576a6ac206dd9 Mon Sep 17 00:00:00 2001
From: Vladislav Grishenko <themiron@mail.ru>
Date: Fri, 12 Apr 2019 01:40:51 +0500
Subject: [PATCH 301/303] Fix build error with gnu99 compilers

Typedefs sha256_pin_t & getdns_log_config multiple declaration in context.h,
tls.h and tls_internal.h causes build error with some gnu99 compilers, even
if the redefinition is identical.
One possible way is to protect each occurence with ifdefs, but it seems too
brute, other one is to keep typedef in context.h only and use struct types
in recently added tls* scope.

Error example:
../libtool --quiet --tag=CC --mode=compile arm-brcm-linux-uclibcgnueabi-gcc
-std=gnu99 -I. -I. -I./util/auxiliary -I./tls -I./openssl -I./../stubby/src
-Wall -Wextra -D_BSD_SOURCE -D_DEFAULT_SOURCE ... -c ./convert.c -o convert.lo
In file included from ./context.h:53:0,
                 from ./util-internal.h:42,
                 from ./convert.c:50:
./tls.h:45:27: error: redefinition of typedef 'sha256_pin_t'
./openssl/tls-internal.h:57:27: note: previous declaration of 'sha256_pin_t' was here
In file included from ./util-internal.h:42:0,
                 from ./convert.c:50:
./context.h:133:3: error: redefinition of typedef 'sha256_pin_t'
./tls.h:45:27: note: previous declaration of 'sha256_pin_t' was here
./context.h:267:3: error: redefinition of typedef 'getdns_log_config'
./openssl/tls-internal.h:58:34: note: previous declaration of 'getdns_log_config' was here
---
 src/gnutls/tls-internal.h  |  7 ++++---
 src/openssl/tls-internal.h | 11 ++++++-----
 src/tls.h                  |  8 ++++----
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index 4f7f24f8..bfc563ef 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -53,7 +53,8 @@
 #define HAVE_TLS_CTX_CURVES_LIST	0
 #define HAVE_TLS_CONN_CURVES_LIST	0
 
-typedef struct getdns_log_config getdns_log_config;
+/* Forward declare type. */
+struct getdns_log_config;
 
 typedef struct _getdns_tls_context {
 	struct mem_funcs* mfs;
@@ -64,7 +65,7 @@ typedef struct _getdns_tls_context {
 	gnutls_protocol_t max_tls;
 	char* ca_trust_file;
 	char* ca_trust_path;
-	const getdns_log_config* log;
+	const struct getdns_log_config* log;
 } _getdns_tls_context;
 
 typedef struct _getdns_tls_connection {
@@ -81,7 +82,7 @@ typedef struct _getdns_tls_connection {
 	dane_query_t dane_query;
 	dane_state_t dane_state;
 	char* tlsa;
-	const getdns_log_config* log;
+	const struct getdns_log_config* log;
 } _getdns_tls_connection;
 
 typedef struct _getdns_tls_session {
diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h
index 615f79e3..fc3d48e5 100644
--- a/src/openssl/tls-internal.h
+++ b/src/openssl/tls-internal.h
@@ -54,20 +54,21 @@
 
 #define GETDNS_TLS_MAX_DIGEST_LENGTH	(EVP_MAX_MD_SIZE)
 
-typedef struct sha256_pin sha256_pin_t;
-typedef struct getdns_log_config getdns_log_config;
+/* Forward declare type. */
+struct sha256_pin;
+struct getdns_log_config;
 
 typedef struct _getdns_tls_context {
 	SSL_CTX* ssl;
-	const getdns_log_config* log;
+	const struct getdns_log_config* log;
 } _getdns_tls_context;
 
 typedef struct _getdns_tls_connection {
 	SSL* ssl;
-	const getdns_log_config* log;
+	const struct getdns_log_config* log;
 #if defined(USE_DANESSL)
 	const char* auth_name;
-	const sha256_pin_t* pinset;
+	const struct sha256_pin* pinset;
 #endif
 } _getdns_tls_connection;
 
diff --git a/src/tls.h b/src/tls.h
index aacf4257..a9be6a16 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -42,7 +42,7 @@
 
 /* Forward declare type. */
 struct sha256_pin;
-typedef struct sha256_pin sha256_pin_t;
+struct getdns_log_config;
 
 /* Additional return codes required by TLS abstraction. Internal use only. */
 #define GETDNS_RETURN_TLS_WANT_READ		((getdns_return_t) 420)
@@ -61,7 +61,7 @@ void _getdns_tls_init();
  * @paam log	pointer to context log config.
  * @return pointer to new context or NULL on error.
  */
-_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs, const getdns_log_config* log);
+_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs, const struct getdns_log_config* log);
 
 /**
  * Free a TLS context.
@@ -166,7 +166,7 @@ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char*
  * @paam log	pointer to connection log config.
  * @return pointer to new connection or NULL on error.
  */
-_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd, const getdns_log_config* log);
+_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd, const struct getdns_log_config* log);
 
 /**
  * Free a TLS connection.
@@ -314,7 +314,7 @@ getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connectio
  * @return GETDNS_RETURN_GOOD if all OK.
  * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
  */
-getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset);
+getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const struct sha256_pin* pinset);
 
 /**
  * Get result of certificate verification.

From 416c55734b8f7e48ad51021a081fbae0df8e3847 Mon Sep 17 00:00:00 2001
From: Vladislav Grishenko <themiron@mail.ru>
Date: Thu, 25 Apr 2019 02:11:03 +0500
Subject: [PATCH 302/303] Optimize local addresses enumeration with old uClibc

uClibc 0.9.30rc1 - 0.9.32rc5 has bug - getaddrinfo() does not accept numeric
service without any hints. As the related side effect, hint struct with
ai_socktype == 0 (unspec) and ai_protocol == 0 (unpsec) gives the same
EAI_SERVICE error instead of same address with different proto enumebration.
For more details please refer https://bugs.busybox.net/show_bug.cgi?id=3841 and
https://git.uclibc.org/uClibc/commit/?id=bc3be18145e4d57e7268506f123c0f0f373a15e2

Since 0.9.3x uClibc versions are still not somewhat unique in embedded (issue
https://github.com/getdnsapi/stubby/issues/124 as example) and non-zero
ai_socktype allows to avoid address dups for each supported UDP/TCP/etc proto,
seems worth to have it specified, as a minor memory allocation optimization at
least.

SOCK_DGRAM vs SOCK_STREAM choice doesn't really matter here, both are actually
used for DNS and both are non-zero, no difference is expected on *nix. So
SOCK_DGRAM selected due original comment only.
---
 src/context.c | 4 ++--
 src/server.c  | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/context.c b/src/context.c
index 0a0e4456..395c1539 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1161,7 +1161,7 @@ getdns_context_set_resolvconf(getdns_context *context, const char *resolvconf)
 
 	memset(&hints, 0, sizeof(struct addrinfo));
 	hints.ai_family    = AF_UNSPEC;      /* Allow IPv4 or IPv6 */
-	hints.ai_socktype  = 0;              /* Datagram socket */
+	hints.ai_socktype  = SOCK_DGRAM;     /* Datagram socket */
 	hints.ai_flags     = AI_NUMERICHOST; /* No reverse name lookups */
 	hints.ai_protocol  = 0;              /* Any protocol */
 	hints.ai_canonname = NULL;
@@ -2736,7 +2736,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 	}
 	memset(&hints, 0, sizeof(struct addrinfo));
 	hints.ai_family    = AF_UNSPEC;      /* Allow IPv4 or IPv6 */
-	hints.ai_socktype  = 0;              /* Datagram socket */
+	hints.ai_socktype  = SOCK_DGRAM;     /* Datagram socket */
 	hints.ai_flags     = AI_NUMERICHOST; /* No reverse name lookups */
 	hints.ai_protocol  = 0;              /* Any protocol */
 	hints.ai_canonname = NULL;
diff --git a/src/server.c b/src/server.c
index 4339d593..7e6c1f04 100644
--- a/src/server.c
+++ b/src/server.c
@@ -978,6 +978,7 @@ getdns_return_t getdns_context_set_listen_addresses(
 
 	(void) memset(&hints, 0, sizeof(struct addrinfo));
 	hints.ai_family    = AF_UNSPEC;
+	hints.ai_socktype  = SOCK_DGRAM;
 	hints.ai_flags     = AI_NUMERICHOST;
 
 	for (i = 0; !r && i < new_set_count; i++) {

From ad8ca06c577f5f1477c8cff482c102a6ff88aca2 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Tue, 17 Sep 2019 23:24:09 +0200
Subject: [PATCH 303/303] Update libuv URL in README

I can state with some authority that the old URL hasn't been canonical
for almost five years now.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c777f507..ad8cd65f 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ Note: If you only want to build stubby, then use the `--with-stubby` option when
 The implementation works with a variety of event loops, each built as a separate shared library.  See [this Doxygen page](https://getdnsapi.net/doxygen/group__eventloops.html) and [this man page](https://getdnsapi.net/documentation/manpages/#ASYNCHRONOUS USE) for more details.
 
 * [libevent](http://libevent.org).  Note: the examples *require* this and should work with either libevent 1.x or 2.x.  2.x is preferred.
-* [libuv](https://github.com/joyent/libuv)
+* [libuv](https://libuv.org/)
 * [libev](http://software.schmorp.de/pkg/libev.html)
 
 ## Stubby