From 23daf9aac3a0da1d891887cb60407ef84d826e51 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 28 Sep 2017 22:17:36 +0200
Subject: [PATCH] Fix TLS authentication
---
 src/context.c | 34 ++++++----------------------------
 src/context.h | 4 +---
 src/dnssec.c | 2 +-
 src/general.c | 8 +++++---
 src/request-internal.c | 7 ++++++-
 5 files changed, 19 insertions(+), 36 deletions(-)
diff --git a/src/context.c b/src/context.c
index 750150d5..ada3e7bd 100644
--- a/src/context.c
+++ b/src/context.c
@@ -3521,16 +3521,13 @@ _getdns_ns_dns_setup(struct getdns_context *context)
 }
 getdns_return_t
-_getdns_context_prepare_for_resolution(struct getdns_context *context,
- int usenamespaces)
+_getdns_context_prepare_for_resolution(getdns_context *context)
 {
- size_t i;
 getdns_return_t r;
 RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
- if (context->destroying) {
- return GETDNS_RETURN_BAD_CONTEXT;
- }
+ if (context->destroying)
+ return GETDNS_RETURN_BAD_CONTEXT;
 /* Transport can in theory be set per query in stub mode */
 if (context->resolution_type == GETDNS_RESOLUTION_STUB &&
@@ -3607,28 +3604,9 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
 */
- if (! usenamespaces) {
- r = _getdns_ns_dns_setup(context);
- if (r == GETDNS_RETURN_GOOD)
- context->resolution_type_set = context->resolution_type;
- return r;
- }
-
- r = GETDNS_RETURN_GOOD;
- for (i = 0; i < context->namespace_count; i++) {
- switch (context->namespaces[i]) {
- case GETDNS_NAMESPACE_DNS:
- r = _getdns_ns_dns_setup(context);
- break;
-
- default:
- r = GETDNS_RETURN_BAD_CONTEXT;
- break;
- }
- if (r != GETDNS_RETURN_GOOD)
- return r; /* try again later (resolution_type_set) */
- }
- context->resolution_type_set = context->resolution_type;
+ r = _getdns_ns_dns_setup(context);
+ if (r == GETDNS_RETURN_GOOD)
+ context->resolution_type_set = context->resolution_type;
 return r;
 } /* _getdns_context_prepare_for_resolution */
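Review bot: The second hunk of src/context.c drops the only explanation of the retry semantics, the removed `return r; /* try again later (resolution_type_set) */`, while the new three lines keep exactly that behaviour: `resolution_type_set` is updated only when `_getdns_ns_dns_setup` succeeds, so a failed call leaves the context looking "not yet prepared" and the next caller tries again. That intent is no longer visible to a reader of the new code. Keeping a one-line comment on the new `if (r == GETDNS_RETURN_GOOD)`, e.g. `/* on failure leave resolution_type_set untouched so a later call retries the setup */`, preserves it. The function begins in the first hunk and the two hunks are separated by code outside the page.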
diff --git a/src/context.h b/src/context.h
index 1be44ed2..46f000c0 100644
--- a/src/context.h
+++ b/src/context.h
@@ -495,11 +495,9 @@ void _getdns_context_log(getdns_context *context, uint64_t system,
 * Sets up the unbound contexts with stub or recursive behavior
 * if needed.
 * @param context previously initialized getdns_context
- * @param usenamespaces if 0 then only use the DNS, else use context namespace list
 * @return GETDNS_RETURN_GOOD on success
 */
-getdns_return_t _getdns_context_prepare_for_resolution(struct getdns_context *context,
- int usenamespaces);
+getdns_return_t _getdns_context_prepare_for_resolution(getdns_context *context);
 /* Register a getdns_dns_req with context.
 * - Without pluggable unbound event API,
diff --git a/src/dnssec.c b/src/dnssec.c
index f65c654b..92282ddb 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3284,7 +3284,7 @@ void _getdns_ta_notify_dnsreqs(getdns_context *context)
 getdns_network_req *netreq, **netreq_p;
 int r = GETDNS_RETURN_GOOD;
- (void) _getdns_context_prepare_for_resolution(context, 0);
+ (void) _getdns_context_prepare_for_resolution(context);
 *dnsreq_p = dnsreq->ta_notify;
 for ( netreq_p = dnsreq->netreqs
diff --git a/src/general.c b/src/general.c
index d8a2bdf8..23d9b735 100644
--- a/src/general.c
+++ b/src/general.c
@@ -609,10 +609,11 @@ getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
 context->ta_notify = req;
 return GETDNS_RETURN_GOOD;
 }
- (void) _getdns_context_prepare_for_resolution(context, 0);
+ if ((r = _getdns_context_prepare_for_resolution(context)))
+ ; /* pass */
 /* issue all network requests */
- for ( netreq_p = req->netreqs
+ else for ( netreq_p = req->netreqs
 ; !r && (netreq = *netreq_p)
 ; netreq_p++) {
 if ((r = _getdns_submit_netreq(netreq, &now_ms))) {
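Review bot: In src/dnssec.c the result of `_getdns_context_prepare_for_resolution` is still thrown away with `(void)`, whereas both call sites in src/general.c in this same commit now check it; on a setup failure `_getdns_ta_notify_dnsreqs` goes on to the netreq loop below with `r` still at GETDNS_RETURN_GOOD. Since `r` is declared and initialised two lines above, `r = _getdns_context_prepare_for_resolution(context);` would expose the failure to whatever guard the loop has. The loop's condition and the rest of `_getdns_ta_notify_dnsreqs` are outside the hunk, so whether a `!r` test there would then skip submission, as it does in general.c, cannot be confirmed from here.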
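Review bot: The new `if ((r = _getdns_context_prepare_for_resolution(context))) ; /* pass */` has an empty body and its `else` is attached to the `for` only after an intervening comment line, which is easy to misread and easy to break by inserting a statement between them. The loop condition already contains `!r && (netreq = *netreq_p)`, so the same control flow needs no empty statement: `r = _getdns_context_prepare_for_resolution(context);` followed by the original `for ( netreq_p = req->netreqs` loop, which then simply does not run when r is non-zero. `getdns_general_ns` continues past the hunk, so what happens to r after the loop is not visible here.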
@@ -667,7 +668,8 @@ getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
 context->ta_notify = req;
 return GETDNS_RETURN_GOOD;
 }
- (void) _getdns_context_prepare_for_resolution(context, 0);
+ if ((r = _getdns_context_prepare_for_resolution(context)))
+ break;
 /* TODO: We will get a good return code here even if the name is not found (NXDOMAIN). We should consider
diff --git a/src/request-internal.c b/src/request-internal.c
index c5a5b0a9..26bd3df2 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -170,7 +170,12 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
 net_req->transport_count = owner->context->dns_transport_count;
 memcpy(net_req->transports, owner->context->dns_transports,
 net_req->transport_count * sizeof(getdns_transport_list_t));
- net_req->tls_auth_min = owner->context->tls_auth_min;
+ net_req->tls_auth_min =
+ owner->context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED
+ && owner->context->dns_transport_count == 1
+ && owner->context->dns_transports[0] == GETDNS_TRANSPORT_TLS
+ ? GETDNS_AUTHENTICATION_REQUIRED
+ : GETDNS_AUTHENTICATION_NONE;
 net_req->follow_redirects = owner->context->follow_redirects;
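Review bot: The new `break` at line 668 of src/general.c leaves a loop whose beginning and end are both outside this hunk, so it cannot be confirmed here that `r` still carries the setup failure to the caller rather than being overwritten after the loop; the earlier hunk at line 609 in the same function makes the failure visible through `r`, and this site should be checked to match. A short comment on the break, `/* setup failed: leave the loop with r set */`, would make the intent explicit for the next reader.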
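Review bot: The `: GETDNS_AUTHENTICATION_NONE` fallback of the new conditional in src/request-internal.c silently replaces a configured `GETDNS_AUTHENTICATION_REQUIRED` whenever the transport list is anything other than exactly one entry of `GETDNS_TRANSPORT_TLS`; a context configured for required authentication but with TLS followed by a fallback transport will issue every network request with `tls_auth_min` at NONE, and nothing records that the configured requirement was relaxed. The rule may well be intended (the subject line says it fixes TLS authentication), but a weakening of a caller-configured security setting should be stated at the assignment, e.g. `/* Strict TLS authentication is only honoured when TLS is the sole transport; any other transport list downgrades this request to opportunistic (NONE). */`, and ideally reported through `_getdns_context_log` (declared in src/context.h) so an operator can see that the policy did not apply. The hunk also stops reading `owner->context->tls_auth_min`; whether that context field is still maintained anywhere or is now dead is not visible here. A plain `if`/`else` assigning `net_req->tls_auth_min` would read more easily than the five-line ternary; `network_req_init` continues beyond the hunk.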