diff --git a/.gitignore b/.gitignore index d9315494..c78d500d 100644 --- a/.gitignore +++ b/.gitignore @@ -39,7 +39,7 @@ src/test/check_getdns_ev src/test/scratchpad src/test/scratchpad.c src/tools/getdns_query -src/tools/stubby +src/stubby doc/*.3 src/getdns/getdns.h *.log diff --git a/.gitmodules b/.gitmodules index dacb1c18..6f120301 100644 --- a/.gitmodules +++ b/.gitmodules @@ -5,3 +5,7 @@ [submodule "src/yxml"] path = src/yxml url = git://g.blicky.net/yxml.git +[submodule "stubby"] + path = stubby + url = https://github.com/getdnsapi/stubby.git + branch = develop diff --git a/ChangeLog b/ChangeLog index bae0d547..a0226b71 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,24 @@ +* 2017-0?-??: Version 1.1.3 + * No annotations with the output of getdns_query anymore, + unless -V option is given to increase verbosity + Thanks Ollivier Robert + * getdns_query will now exit with failure status if replies are BOGUS + * Bugfix: dnssec_return_validation_chain now also works when fallback + to full recursion was needed with dnssec_roadblock_avoidance + * More clear build instructions from Paul Hoffman. Thanks. + * Bugfix #320.1: Eliminate multiple closing of file descriptors + Thanks Neil Cook + * Bugfix #320.2: Array bounds bug in upstream_select + Thanks Neil Cook + * Bugfix #318: getdnsapi/getdns/README.md links to nonexistent wiki + pages. Thanks James Raftery + * Bugfix #322: MacOS 10.10 (Yosemite) provides TCP fastopen interface + but does not have it implemented. Thanks Joel Purra + * Compile without Stubby by default. Stubby now has a git repository + of its own. The new Stubby repository is added as a submodule. + Stubby will still be build alongside getdns with the --with-stubby + configure option. + * 2017-07-03: Version 1.1.2 * Bugfix for parallel make install * Bugfix to trigger event callbacks on socket errors diff --git a/Makefile.in b/Makefile.in index 2ea9bdfc..d98bd869 100644 --- a/Makefile.in +++ b/Makefile.in @@ -44,7 +44,7 @@ libdir = @libdir@ srcdir = @srcdir@ INSTALL = @INSTALL@ -all : default @GETDNS_QUERY@ @STUBBY@ +all : default @GETDNS_QUERY@ everything: default cd src/test && $(MAKE) @@ -52,7 +52,10 @@ everything: default default: cd src && $(MAKE) $@ -install: default getdns.pc getdns_ext_event.pc @INSTALL_GETDNS_QUERY@ @INSTALL_STUBBY@ +install-lib: + cd src && $(MAKE) install + +install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@ $(INSTALL) -m 755 -d $(DESTDIR)$(docdir) $(INSTALL) -m 644 $(srcdir)/AUTHORS $(DESTDIR)$(docdir) $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(docdir) @@ -66,8 +69,7 @@ install: default getdns.pc getdns_ext_event.pc @INSTALL_GETDNS_QUERY@ @INSTALL_S $(INSTALL) -m 644 getdns_ext_event.pc $(DESTDIR)$(libdir)/pkgconfig $(INSTALL) -m 755 -d $(DESTDIR)$(docdir)/spec $(INSTALL) -m 644 $(srcdir)/spec/index.html $(DESTDIR)$(docdir)/spec - cd src && $(MAKE) $@ - cd doc && $(MAKE) $@ + cd doc && $(MAKE) install @echo "***" @echo "*** !!! IMPORTANT !!!! libgetdns needs a DNSSEC trust anchor!" @echo "***" @@ -86,7 +88,7 @@ install: default getdns.pc getdns_ext_event.pc @INSTALL_GETDNS_QUERY@ @INSTALL_S @echo "*** at package installation time from the post-install script." @echo "***" -uninstall: @UNINSTALL_GETDNS_QUERY@ @UNINSTALL_STUBBY@ +uninstall: @UNINSTALL_GETDNS_QUERY@ rm -rf $(DESTDIR)$(docdir) cd doc && $(MAKE) $@ cd src && $(MAKE) $@ @@ -103,8 +105,8 @@ test: default getdns_query: default cd src/tools && $(MAKE) $@ -stubby: getdns_query - cd src/tools && $(MAKE) $@ +stubby: + cd src && $(MAKE) $@ scratchpad: default cd src/test && $(MAKE) $@ @@ -112,17 +114,17 @@ scratchpad: default pad: scratchpad src/test/scratchpad || ./libtool exec gdb src/test/scratchpad -install-getdns_query: getdns_query +install-getdns_query: install-lib cd src/tools && $(MAKE) $@ uninstall-getdns_query: cd src/tools && $(MAKE) $@ -install-stubby: getdns_query - cd src/tools && $(MAKE) $@ +install-stubby: + cd src && $(MAKE) $@ uninstall-stubby: - cd src/tools && $(MAKE) $@ + cd src && $(MAKE) $@ clean: cd src && $(MAKE) $@ @@ -198,9 +200,10 @@ $(distdir): mkdir -p $(distdir)/src/jsmn mkdir -p $(distdir)/src/yxml mkdir -p $(distdir)/doc - mkdir -p $(distdir)/systemd mkdir -p $(distdir)/spec mkdir -p $(distdir)/spec/example + mkdir -p $(distdir)/stubby + mkdir -p $(distdir)/stubby/src cp $(srcdir)/configure.ac $(distdir) cp $(srcdir)/configure $(distdir) cp $(srcdir)/AUTHORS $(distdir) @@ -241,12 +244,13 @@ $(distdir): cp $(srcdir)/spec/*.html $(distdir)/spec cp $(srcdir)/spec/example/Makefile.in $(distdir)/spec/example cp $(srcdir)/spec/example/*.[ch] $(distdir)/spec/example - cp $(srcdir)/systemd/README.md $(distdir)/systemd - cp $(srcdir)/systemd/stubby.* $(distdir)/systemd cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools - cp $(srcdir)/src/tools/stubby.conf $(distdir)/src/tools - cp $(srcdir)/src/tools/stubby-setdns-macos.sh $(distdir)/src/tools + cp $(srcdir)/stubby/stubby.conf.example $(distdir)/stubby + cp $(srcdir)/stubby/stubby-setdns-macos.sh $(distdir)/stubby + cp $(srcdir)/stubby/src/stubby.c $(distdir)/stubby/src + cp $(srcdir)/stubby/COPYING $(distdir)/stubby + cp $(srcdir)/stubby/README.md $(distdir)/stubby cp $(srcdir)/src/jsmn/*.[ch] $(distdir)/src/jsmn cp $(srcdir)/src/jsmn/LICENSE $(distdir)/src/jsmn cp $(srcdir)/src/jsmn/README.md $(distdir)/src/jsmn diff --git a/README.md b/README.md index e866d47d..b54c8f73 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,8 @@ The following requirements were met as conditions for the present release: # Building and External Dependencies +If you are installing from packages, you have to install the library and also the library-devel (or -dev) for your package management system to get the the necessary compile time files. + External dependencies are linked outside the getdns API build tree (we rely on configure to find them). We would like to keep the dependency tree short. Please refer to section for building on Windows for separate dependency and build instructions for that platform. * [libunbound from NLnet Labs](https://unbound.net/) version 1.4.16 or later. @@ -72,23 +74,25 @@ External dependencies are linked outside the getdns API build tree (we rely on c * [libssl and libcrypto from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.1 or later is required for TLS support, version 1.0.2 or later is required for TLS hostname authentication) * Doxygen is used to generate documentation; while this is not technically necessary for the build it makes things a lot more pleasant. -If you are installing from packages, you have to install the library and also the library-devel (or -dev) for your package management system to get the the necessary compile time files. If you checked out from git you need to copy the libtool helper scripts and rebuild configure thus: +For example, to build on a recent version of Ubuntu, you would need the following packages: - # libtoolize -ci (use glibtoolize for OS X, libtool is installed as glibtool to avoid name conflict on OS X) - # autoreconf -fi + # apt install build-essential libunbound-dev libidn11-dev libssl-dev libtool m4 autoconf + +If you are building from git, you need to do the following before building: -If you want to make use of the configuration files that utilise a JSON-like format, you must do # git submodule update --init -before building. + # libtoolize -ci # (use glibtoolize for OS X, libtool is installed as glibtool to avoid name conflict on OS X) + # autoreconf -fi + As well as building the getdns library 2 other tools are installed by default by the above process: * getdns_query: a command line test script wrapper for getdns * stubby: an experimental DNS Privacy enabled client -Note: If you only want to build stubby, then use the `--enable-stub-only` and `--without-libidn` options when running 'configure'. +Note: If you only want to build stubby, then use the `--with-stubby` option when running 'configure'. ## Minimizing dependencies @@ -99,7 +103,7 @@ Note: If you only want to build stubby, then use the `--enable-stub-only` and `- ## Extensions and Event loop dependencies -The implementation works with a variety of event loops, each built as a separate shared library. See [the wiki](https://github.com/getdnsapi/getdns/wiki/Asynchronous-Support#wiki-included-event-loop-integrations) for more details. +The implementation works with a variety of event loops, each built as a separate shared library. See [this Doxygen page](https://getdnsapi.net/doxygen/group__eventloops.html) and [this man page](https://getdnsapi.net/documentation/manpages/#ASYNCHRONOUS USE) for more details. * [libevent](http://libevent.org). Note: the examples *require* this and should work with either libevent 1.x or 2.x. 2.x is preferred. * [libuv](https://github.com/joyent/libuv) @@ -170,8 +174,8 @@ Non-goals (things we will not be doing at least initially) include: ## Language Bindings In parallel, the team is actively developing bindings for various languages. -For more information, visit the -[wiki](https://github.com/getdnsapi/getdns/wiki/Language-Bindings). +For more information, visit this +[webpage](https://getdnsapi.net/bindings/). ## Unsupported getDNS Features @@ -187,10 +191,10 @@ The following minor implementation omissions are noted: Recursive mode does not support: * TLS as a transport * Non-zero connection idle timeouts or query pipelining +* Anything other than query_type and resolution_type in the return_call_reporting extension Stub mode does not support: * Non zero idle timeouts for synchronous calls -* Limit on number of outstanding queries # Known Issues @@ -264,7 +268,7 @@ build the packages; this is simply the one we chose to use. If you're using [Homebrew](http://brew.sh/), you may run `brew install getdns`. By default, this will only build the core library without any 3rd party event loop support. -To install the [event loop integration libraries](https://github.com/getdnsapi/getdns/wiki/Asynchronous-Support) that enable support for libevent, libuv, and libev, run: `brew install getdns --with-libevent --with-libuv --with-libev`. All switches are optional. +To install the [event loop integration libraries](https://getdnsapi.net/doxygen/group__eventloops.html) that enable support for libevent, libuv, and libev, run: `brew install getdns --with-libevent --with-libuv --with-libev`. All switches are optional. Note that in order to compile the examples, the `--with-libevent` switch is required. diff --git a/configure.ac b/configure.ac index 3efbe5f7..0dc52318 100644 --- a/configure.ac +++ b/configure.ac @@ -36,12 +36,12 @@ sinclude(./m4/acx_getaddrinfo.m4) sinclude(./m4/ax_check_compile_flag.m4) sinclude(./m4/pkg.m4) -AC_INIT([getdns], [1.1.2], [users@getdnsapi.net], [], [https://getdnsapi.net]) +AC_INIT([getdns], [1.1.3], [users@getdnsapi.net], [], [https://getdnsapi.net]) # Dont forget to put a dash in front of the release candidate!!! # That is how it is done with semantic versioning! # -AC_SUBST(RELEASE_CANDIDATE, []) +AC_SUBST(RELEASE_CANDIDATE, [-rc1]) # Set current date from system if not set AC_ARG_WITH([current-date], @@ -51,7 +51,7 @@ AC_ARG_WITH([current-date], [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"]) AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"]) -AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01010200]) +AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010102c1]) AC_SUBST(API_VERSION, ["December 2015"]) AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00]) GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API" @@ -85,8 +85,9 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE # getdns-1.1.0 had libversion 6:0:0 # getdns-1.1.1 had libversion 6:1:0 # getdns-1.1.2 has libversion 7:0:1 +# getdns-1.1.3 will have libversion 7:1:1 # -GETDNS_LIBVERSION=7:0:1 +GETDNS_LIBVERSION=7:1:1 AC_SUBST(GETDNS_COMPILATION_COMMENT) AC_SUBST(GETDNS_LIBVERSION) @@ -1045,17 +1046,17 @@ AC_SUBST(GETDNS_QUERY) AC_SUBST(INSTALL_GETDNS_QUERY) AC_SUBST(UNINSTALL_GETDNS_QUERY) -AC_ARG_WITH(stubby, AS_HELP_STRING([--without-stubby], - [Do not compile and install stubby, the (stub) resolver daemon]), - [], [withval="yes"]) -if test x_$withval = x_no; then - STUBBY="" - INSTALL_STUBBY="" - UNINSTALL_STUBBY="" -else +AC_ARG_WITH(stubby, AS_HELP_STRING([--with-stubby], + [Compile and install stubby, the (stub) resolver daemon]), + [], [withval="no"]) +if test x_$withval = x_yes; then STUBBY="stubby" INSTALL_STUBBY="install-stubby" UNINSTALL_STUBBY="uninstall-stubby" +else + STUBBY="" + INSTALL_STUBBY="" + UNINSTALL_STUBBY="" fi AC_SUBST(STUBBY) AC_SUBST(INSTALL_STUBBY) diff --git a/spec/index.html b/spec/index.html index a0432b4c..6888489f 100644 --- a/spec/index.html +++ b/spec/index.html @@ -875,7 +875,7 @@ names:

  • query_name (a bindata) is the name that was sent
  • query_type (an int) is the type that was queried for
  • query_to (a bindata) is the address to which the query was sent
  • -
  • run_time (a bindata) is the difference between the time the successful +
  • run_time/ms (a bindata) is the difference between the time the successful query started and ended in milliseconds, represented as a uint32_t (this does not include time taken for connection set up or transport fallback)
  • diff --git a/src/Makefile.in b/src/Makefile.in index 02a93a0d..ded0c635 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -35,16 +35,23 @@ libversion = @GETDNS_LIBVERSION@ prefix = @prefix@ exec_prefix = @exec_prefix@ bindir = @bindir@ +sbindir = @sbindir@ libdir = @libdir@ includedir = @includedir@ +sysconfdir = @sysconfdir@ +localstatedir = @localstatedir@ +runstatedir = @runstatedir@ +stubbyconfdir = $(sysconfdir)/stubby have_libevent = @have_libevent@ have_libuv = @have_libuv@ have_libev = @have_libev@ # datarootdir is here to please some checkers datarootdir=@datarootdir@ INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ srcdir = @srcdir@ +stubbysrcdir = $(srcdir)/../stubby LIBTOOL = ../libtool CC=@CC@ @@ -75,6 +82,8 @@ GETDNS_OBJ=const-info.lo convert.lo dict.lo dnssec.lo general.lo \ GLDNS_OBJ=keyraw.lo gbuffer.lo wire2str.lo parse.lo parseutil.lo rrdef.lo \ str2wire.lo +PROGRAMS=@STUBBY@ + LIBOBJDIR= LIBOBJS=@LIBOBJS@ COMPAT_OBJ=$(LIBOBJS:.o=.lo) @@ -98,7 +107,7 @@ NON_C99_OBJS=libuv.lo context.lo anchor.lo default: all -all: libgetdns.la $(EXTENSION_LIBEVENT_LIB) $(EXTENSION_LIBUV_LIB) $(EXTENSION_LIBEV_LIB) +all: libgetdns.la $(EXTENSION_LIBEVENT_LIB) $(EXTENSION_LIBUV_LIB) $(EXTENSION_LIBEV_LIB) $(PROGRAMS) $(GETDNS_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/$(@:.lo=.c) -o $@ @@ -130,25 +139,35 @@ context.lo: libuv.lo: $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/extension/libuv.c -o libuv.lo -install: libgetdns.la +install-headers: getdns/getdns.h getdns/getdns_extra.h $(INSTALL) -m 755 -d $(DESTDIR)$(includedir) $(INSTALL) -m 755 -d $(DESTDIR)$(includedir)/getdns $(INSTALL) -m 644 getdns/getdns.h $(DESTDIR)$(includedir)/getdns/getdns.h $(INSTALL) -m 644 getdns/getdns_extra.h $(DESTDIR)$(includedir)/getdns/getdns_extra.h + if test $(have_libevent) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libevent.h $(DESTDIR)$(includedir)/getdns/ ; fi + if test $(have_libuv) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libuv.h $(DESTDIR)$(includedir)/getdns/ ; fi + if test $(have_libev) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libev.h $(DESTDIR)$(includedir)/getdns/ ; fi + +uninstall-headers: + rm -rf $(DESTDIR)$(includedir)/getdns + +install-libs: libgetdns.la $(INSTALL) -m 755 -d $(DESTDIR)$(libdir) $(LIBTOOL) --mode=install cp libgetdns.la $(DESTDIR)$(libdir) - if test $(have_libevent) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libevent.h $(DESTDIR)$(includedir)/getdns/ ; $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEVENT_LIB) $(DESTDIR)$(libdir) ; fi - if test $(have_libuv) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libuv.h $(DESTDIR)$(includedir)/getdns/ ; $(LIBTOOL) --mode=install cp $(EXTENSION_LIBUV_LIB) $(DESTDIR)$(libdir) ; fi - if test $(have_libev) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libev.h $(DESTDIR)$(includedir)/getdns/ ; $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEV_LIB) $(DESTDIR)$(libdir) ; fi - + if test $(have_libevent) = 1 ; then $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEVENT_LIB) $(DESTDIR)$(libdir) ; fi + if test $(have_libuv) = 1 ; then $(LIBTOOL) --mode=install cp $(EXTENSION_LIBUV_LIB) $(DESTDIR)$(libdir) ; fi + if test $(have_libev) = 1 ; then $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEV_LIB) $(DESTDIR)$(libdir) ; fi $(LIBTOOL) --mode=finish $(DESTDIR)$(libdir) -uninstall: - rm -rf $(DESTDIR)$(includedir)/getdns - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/libgetdns.la +uninstall-libs: if test $(have_libevent) = 1; then $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$(EXTENSION_LIBEVENT_LIB) ; fi if test $(have_libuv) = 1; then $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$(EXTENSION_LIBUV_LIB) ; fi if test $(have_libev) = 1; then $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$(EXTENSION_LIBEV_LIB) ; fi + $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/libgetdns.la + +install: install-libs install-headers @INSTALL_STUBBY@ + +uninstall: @UNINSTALL_STUBBY@ uninstall-headers uninstall-libs libgetdns_ext_event.la: libgetdns.la libevent.lo $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libevent.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEVENT_LDFLAGS) $(EXTENSION_LIBEVENT_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libevent.symbols @@ -170,8 +189,24 @@ test: default getdns_query: default cd tools && $(MAKE) $@ -stubby: getdns_query - cd tools && $(MAKE) $@ +stubby.lo: $(stubbysrcdir)/src/stubby.c + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $< -o $@ + +stubby: stubby.lo libgetdns.la + $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ stubby.lo $(LDFLAGS) libgetdns.la + +install-stubby: stubby $(stubbysrcdir)/stubby.conf.example $(stubbysrcdir)/stubby-setdns-macos.sh + $(INSTALL) -m 755 -d $(DESTDIR)$(bindir) + $(LIBTOOL) --mode=install cp stubby $(DESTDIR)$(bindir) + $(INSTALL) -m 755 -d $(DESTDIR)$(sbindir) + $(INSTALL) -m 755 $(stubbysrcdir)/stubby-setdns-macos.sh $(DESTDIR)$(sbindir) + $(INSTALL) -m 755 -d $(DESTDIR)$(stubbyconfdir) + test -f $(DESTDIR)$(stubbyconfdir)/stubby.conf || \ + $(INSTALL_DATA) $(stubbysrcdir)/stubby.conf.example $(DESTDIR)$(stubbyconfdir)/stubby.conf + +uninstall-stubby: + $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/stubby + rm -f $(DESTDIR)$(sbindir)/stubby-setdns-macos.sh scratchpad: default cd test && $(MAKE) $@ diff --git a/src/dnssec.c b/src/dnssec.c index 9cbde394..2a137d7d 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -551,11 +551,26 @@ static chain_head *add_rrset2val_chain(struct mem_funcs *mf, /* Also, try to prevent adding double rrsets */ if ( rrset->rr_class == head->rrset.rr_class && rrset->rr_type == head->rrset.rr_type - && rrset->pkt == head->rrset.pkt - && rrset->pkt_len == head->rrset.pkt_len - && _dname_equal(rrset->name, head->rrset.name)) - return NULL; + && _dname_equal(rrset->name, head->rrset.name)) { + if (rrset->pkt == head->rrset.pkt && + rrset->pkt_len == head->rrset.pkt_len) + return NULL; + else { + /* Anticipate resubmissions due to + * roadblock avoidance */ + head->rrset.pkt = rrset->pkt; + head->rrset.pkt_len = rrset->pkt_len; + return head; + } + } + + if ( rrset->rr_class == head->rrset.rr_class + && rrset->rr_type == head->rrset.rr_type + && rrset->pkt != head->rrset.pkt + && _dname_equal(rrset->name, head->rrset.name)) { + return NULL; + } for (label = labels; label < last_label; label++) { if (! _dname_is_parent(*label, head->rrset.name)) break; @@ -1051,6 +1066,7 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq) break; case GETDNS_RRTYPE_DNSKEY: node->dnskey.pkt = netreq->response; node->dnskey.pkt_len = netreq->response_len; + /* fallthrough */ default : check_chain_complete(node->chains); return; } @@ -2417,6 +2433,7 @@ static int key_proves_nonexistance( * ========================+ * First find the closest encloser. */ + if (*rrset->name) for ( nc_name = rrset->name, ce_name = rrset->name + *rrset->name + 1 ; *ce_name ; nc_name = ce_name, ce_name += *ce_name + 1) { @@ -2679,6 +2696,7 @@ static int chain_head_validate(struct mem_funcs *mf, time_t now, uint32_t skew, if (_getdns_rrset_has_rrs(&ds_ta)) { switch (chain_head_validate_with_ta(mf,now,skew,head,&ds_ta)) { case GETDNS_DNSSEC_SECURE : s = GETDNS_DNSSEC_SECURE; + /* fallthrough */ case GETDNS_DNSSEC_INSECURE: if (s != GETDNS_DNSSEC_SECURE) s = GETDNS_DNSSEC_INSECURE; break; @@ -3053,19 +3071,50 @@ static void check_chain_complete(chain_head *chain) && !dnsreq->avoid_dnssec_roadblocks && dnsreq->netreqs[0]->dnssec_status == GETDNS_DNSSEC_BOGUS) { - int r = GETDNS_RETURN_GOOD; getdns_network_req **netreq_p, *netreq; uint64_t now_ms = 0; dnsreq->avoid_dnssec_roadblocks = 1; + dnsreq->chain->lock += 1; for ( netreq_p = dnsreq->netreqs - ; !r && (netreq = *netreq_p) + ; (netreq = *netreq_p) ; netreq_p++) { _getdns_netreq_change_state(netreq, NET_REQ_NOT_SENT); + netreq->dnssec_status = + GETDNS_DNSSEC_INDETERMINATE; netreq->owner = dnsreq; - r = _getdns_submit_netreq(netreq, &now_ms); + (void) _getdns_submit_netreq(netreq, &now_ms); + } + if (!dnsreq->dnssec_return_validation_chain) + return; + + for ( head = chain; head ; head = next ) { + next = head->next; + for ( node_count = head->node_count + , node = head->parent + ; node_count + ; node_count--, node = node->parent ) { + + if (node->dnskey_req) { + _getdns_netreq_change_state( + node->dnskey_req, + NET_REQ_NOT_SENT); + node->dnskey_req->owner-> + avoid_dnssec_roadblocks = 1; + (void) _getdns_submit_netreq( + node->dnskey_req, &now_ms); + } + if (node->ds_req) { + _getdns_netreq_change_state( + node->ds_req, NET_REQ_NOT_SENT); + node->ds_req->owner-> + avoid_dnssec_roadblocks = 1; + (void) _getdns_submit_netreq( + node->ds_req, &now_ms); + } + } } return; } @@ -3232,11 +3281,16 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq) getdns_network_req *netreq, **netreq_p; chain_head *chain = NULL, *chain_p; - if (dnsreq->validating) + if (dnsreq->avoid_dnssec_roadblocks) { + chain = dnsreq->chain; + + } else if (dnsreq->validating) return; dnsreq->validating = 1; - for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p) ; netreq_p++) { + if (dnsreq->avoid_dnssec_roadblocks && chain->lock == 0) + ; /* pass */ + else for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p) ; netreq_p++) { if (! netreq->response || netreq->response_len < GLDNS_HEADER_SIZE || ( GLDNS_RCODE_WIRE(netreq->response) @@ -3264,6 +3318,9 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq) if (chain_p->lock) chain_p->lock--; } dnsreq->chain = chain; + if (dnsreq->avoid_dnssec_roadblocks && chain->lock) + chain->lock -= 1; + check_chain_complete(chain); } else { dnsreq->validating = 0; diff --git a/src/general.c b/src/general.c index 4374350e..13fc4190 100644 --- a/src/general.c +++ b/src/general.c @@ -60,6 +60,9 @@ void _getdns_call_user_callback(getdns_dns_req *dnsreq, getdns_dict *response) { _getdns_context_clear_outbound_request(dnsreq); +#if defined(REQ_DEBUG) && REQ_DEBUG + debug_req(__FUNC__, *dnsreq->netreqs); +#endif if (dnsreq->user_callback) { dnsreq->context->processing = 1; dnsreq->user_callback(dnsreq->context, @@ -212,6 +215,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) #ifdef STUB_NATIVE_DNSSEC || (dns_req->context->resolution_type == GETDNS_RESOLUTION_STUB + && !dns_req->avoid_dnssec_roadblocks && (dns_req->dnssec_return_status || dns_req->dnssec_return_only_secure || dns_req->dnssec_return_all_statuses @@ -229,6 +233,9 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) NULL, NULL, (getdns_eventloop_callback) _getdns_validation_chain_timeout)); +#if defined(REQ_DEBUG) && REQ_DEBUG + debug_req("getting validation chain for ", *dns_req->netreqs); +#endif _getdns_get_validation_chain(dns_req); } else _getdns_call_user_callback( diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in index b483c7ea..feba62a1 100644 --- a/src/getdns/getdns.h.in +++ b/src/getdns/getdns.h.in @@ -1101,7 +1101,6 @@ getdns_service(getdns_context *context, * (e.g. CRYPTO_THREADID_set_call) depending on the library version used. * @param context context that can be used immediately with other API calls * @param set_from_os set to 1 to initialize the context with os defaults - * the second bit set (2) prevents OpenSSL library initialization. * @return GETDNS_RETURN_GOOD on success */ getdns_return_t @@ -1114,7 +1113,6 @@ getdns_context_create(getdns_context ** context, int set_from_os); * (e.g. CRYPTO_THREADID_set_call) depending on the library version used. * @param context context that can be used immediately with other API calls * @param set_from_os set to 1 to initialize the context with os defaults - * the second bit set (2) prevents OpenSSL library initialization. * @param malloc custom malloc function * @param realloc custom realloc function * @param free custom free function @@ -1136,7 +1134,6 @@ getdns_context_create_with_memory_functions( * (e.g. CRYPTO_THREADID_set_call) depending on the library version used. * @param context context that can be used immediately with other API calls * @param set_from_os set to 1 to initialize the context with os defaults - * the second bit set (2) prevents OpenSSL library initialization. * @param userarg parameter passed to the custom malloc, realloc and free functions * @param malloc custom malloc function * @param realloc custom realloc function diff --git a/src/gldns/gbuffer.c b/src/gldns/gbuffer.c index 04c257fb..180fa631 100644 --- a/src/gldns/gbuffer.c +++ b/src/gldns/gbuffer.c @@ -50,6 +50,8 @@ gldns_buffer_new_frm_data(gldns_buffer *buffer, void *data, size_t size) buffer->_limit = buffer->_capacity = size; buffer->_fixed = 0; buffer->_vfixed = 0; + if (!buffer->_fixed && buffer->_data) + free(buffer->_data); buffer->_data = malloc(size); if(!buffer->_data) { buffer->_status_err = 1; diff --git a/src/gldns/parseutil.c b/src/gldns/parseutil.c index d68fa89c..558446cb 100644 --- a/src/gldns/parseutil.c +++ b/src/gldns/parseutil.c @@ -402,10 +402,12 @@ gldns_b32_ntop_base(const uint8_t* src, size_t src_sz, char* dst, size_t dst_sz, /* ........ ........ ....4444 4....... ........ */ c = src[3] >> 7 ; + /* fallthrough */ case 3: dst[4] = b32[(src[2] & 0x0f) << 1 | c]; /* ........ .......3 3333.... ........ ........ */ c = src[2] >> 4 ; + /* fallthrough */ case 2: dst[3] = b32[(src[1] & 0x01) << 4 | c]; /* ........ ..22222. ........ ........ ........ */ @@ -413,6 +415,7 @@ gldns_b32_ntop_base(const uint8_t* src, size_t src_sz, char* dst, size_t dst_sz, /* .....111 11...... ........ ........ ........ */ c = src[1] >> 6 ; + /* fallthrough */ case 1: dst[1] = b32[(src[0] & 0x07) << 2 | c]; /* 00000... ........ ........ ........ ........ */ @@ -423,9 +426,12 @@ gldns_b32_ntop_base(const uint8_t* src, size_t src_sz, char* dst, size_t dst_sz, switch (src_sz) { case 1: dst[2] = '='; dst[3] = '='; + /* fallthrough */ case 2: dst[4] = '='; + /* fallthrough */ case 3: dst[5] = '='; dst[6] = '='; + /* fallthrough */ case 4: dst[7] = '='; } } @@ -537,15 +543,18 @@ gldns_b32_pton_base(const char* src, size_t src_sz, uint8_t* dst, size_t dst_sz, /* ........ ........ ........ .55555.. ........ */ /* ........ ........ ....4444 4....... ........ */ dst[3] = buf[4] << 7 | buf[5] << 2 | buf[6] >> 3; + /* fallthrough */ case 5: /* ........ ........ ....4444 4....... ........ */ /* ........ .......3 3333.... ........ ........ */ dst[2] = buf[3] << 4 | buf[4] >> 1; + /* fallthrough */ case 4: /* ........ .......3 3333.... ........ ........ */ /* ........ ..22222. ........ ........ ........ */ /* .....111 11...... ........ ........ ........ */ dst[1] = buf[1] << 6 | buf[2] << 1 | buf[3] >> 4; + /* fallthrough */ case 2: /* .....111 11...... ........ ........ ........ */ /* 00000... ........ ........ ........ ........ */ diff --git a/src/gldns/str2wire.c b/src/gldns/str2wire.c index 2762aa38..ffd3d464 100644 --- a/src/gldns/str2wire.c +++ b/src/gldns/str2wire.c @@ -1190,6 +1190,10 @@ int gldns_str2wire_b64_buf(const char* str, uint8_t* rd, size_t* len) { size_t sz = gldns_b64_pton_calculate_size(strlen(str)); int n; + if(strcmp(str, "0") == 0) { + *len = 0; + return GLDNS_WIREPARSE_ERR_OK; + } if(*len < sz) return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; n = gldns_b64_pton(str, rd, *len); @@ -1223,6 +1227,10 @@ int gldns_str2wire_hex_buf(const char* str, uint8_t* rd, size_t* len) s++; continue; } + if(dlen == 0 && *s == '0' && *(s+1) == 0) { + *len = 0; + return GLDNS_WIREPARSE_ERR_OK; + } if(!isxdigit((unsigned char)*s)) return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_HEX, s-str); if(*len < dlen/2 + 1) diff --git a/src/gldns/wire2str.c b/src/gldns/wire2str.c index 245c9794..2718925e 100644 --- a/src/gldns/wire2str.c +++ b/src/gldns/wire2str.c @@ -1220,11 +1220,17 @@ static int gldns_wire2str_b64_scan_num(uint8_t** d, size_t* dl, char** s, int gldns_wire2str_b64_scan(uint8_t** d, size_t* dl, char** s, size_t* sl) { + if(*dl == 0) { + return gldns_str_print(s, sl, "0"); + } return gldns_wire2str_b64_scan_num(d, dl, s, sl, *dl); } int gldns_wire2str_hex_scan(uint8_t** d, size_t* dl, char** s, size_t* sl) { + if(*dl == 0) { + return gldns_str_print(s, sl, "0"); + } return print_remainder_hex("", d, dl, s, sl); } diff --git a/src/jsmn b/src/jsmn index 868c22e3..c831c386 160000 --- a/src/jsmn +++ b/src/jsmn @@ -1 +1 @@ -Subproject commit 868c22e35ec223fc26ddefdb9ca83901dc6e2534 +Subproject commit c831c3869f56a571a79a3cbf58e0a366e588e256 diff --git a/src/stub.c b/src/stub.c index df2465ca..1a5126bb 100644 --- a/src/stub.c +++ b/src/stub.c @@ -413,15 +413,14 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport) endpoints.sae_srcaddrlen = 0; endpoints.sae_dstaddr = (struct sockaddr *)&upstream->addr; endpoints.sae_dstaddrlen = upstream->addr_len; - if (connectx(fd, &endpoints, SAE_ASSOCID_ANY, + if (connectx(fd, &endpoints, SAE_ASSOCID_ANY, CONNECT_DATA_IDEMPOTENT | CONNECT_RESUME_ON_READ_WRITE, - NULL, 0, NULL, NULL) == -1) { - if (errno != EINPROGRESS) { - close(fd); - return -1; - } + NULL, 0, NULL, NULL) == 0) { + return fd; + } + if (errno == EINPROGRESS) { + return fd; } - return fd; #else (void)transport; #endif @@ -576,6 +575,7 @@ _getdns_cancel_stub_request(getdns_network_req *netreq) #else close(netreq->fd); #endif + netreq->fd = -1; } } @@ -594,6 +594,7 @@ stub_timeout_cb(void *userarg) #else close(netreq->fd); #endif + netreq->fd = -1; netreq->upstream->udp_timeouts++; if (netreq->upstream->udp_timeouts % 100 == 0) _getdns_upstream_log(netreq->upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, @@ -1401,6 +1402,7 @@ stub_udp_read_cb(void *userarg) #else close(netreq->fd); #endif + netreq->fd = -1; stub_next_upstream(netreq); } netreq->debug_end_time = _getdns_get_time_as_uintt64(); @@ -1423,8 +1425,8 @@ stub_udp_read_cb(void *userarg) closesocket(netreq->fd); #else close(netreq->fd); - netreq->fd = -1; #endif + netreq->fd = -1; while (GLDNS_TC_WIRE(netreq->response)) { DEBUG_STUB("%s %-35s: MSG: %p TC bit set in response \n", STUB_DEBUG_READ, __FUNC__, (void*)netreq); @@ -1521,6 +1523,7 @@ stub_udp_write_cb(void *userarg) #else close(netreq->fd); #endif + netreq->fd = -1; stub_next_upstream(netreq); } netreq->debug_end_time = _getdns_get_time_as_uintt64(); @@ -1946,7 +1949,7 @@ upstream_select(getdns_network_req *netreq) return &upstreams->upstreams[i]; } i+=GETDNS_UPSTREAM_TRANSPORTS; - if (i > upstreams->count) + if (i >= upstreams->count) i = 0; } while (i != upstreams->current_udp); diff --git a/src/test/tests_transports.sh b/src/test/tests_transports.sh index 89604038..99acfc40 100755 --- a/src/test/tests_transports.sh +++ b/src/test/tests_transports.sh @@ -174,21 +174,21 @@ for (( i = 0; i < 2; i+=1 )); do echo "*Success cases:" for (( j = 0; j < $NUM_GOOD_QUERIES; j+=1 )); do - check_good "`$DIR/getdns_query +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]} + check_good "`$DIR/getdns_query -V +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]} echo "getdns_query $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]}" (( COUNT++ )) done echo "*Success fallback cases:" for (( j = 0; j < $NUM_GOOD_FB_QUERIES; j+=1 )); do - check_good "`$DIR/getdns_query +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]} + check_good "`$DIR/getdns_query -V +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]} echo "getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} TESTS: ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}" (( COUNT++ )) done echo "*Transport not available cases:" for (( j = 0; j < ${#NOT_AVAILABLE_QUERIES[@]}; j+=1 )); do - check_bad "`$DIR/getdns_query $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`" + check_bad "`$DIR/getdns_query -V $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`" echo "getdns_query $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]}" (( COUNT++ )) done diff --git a/src/test/tpkg/290-transports.tpkg/290-transports.test b/src/test/tpkg/290-transports.tpkg/290-transports.test index 13a83c15..54f1639e 100644 --- a/src/test/tpkg/290-transports.tpkg/290-transports.test +++ b/src/test/tpkg/290-transports.tpkg/290-transports.test @@ -173,21 +173,21 @@ for (( ii = 0; ii < 1; ii++)); do fi echo "*Success cases:" for (( j = 0; j < $NUM_GOOD_QUERIES; j+=1 )); do - check_good "`"${GETDNS_QUERY}" +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} `" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]} + check_good "`"${GETDNS_QUERY}" -V +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} `" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]} echo "getdns_query $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]}" (( COUNT++ )) done echo "*Success fallback cases:" for (( j = 0; j < $NUM_GOOD_FB_QUERIES; j+=1 )); do - check_good "`"${GETDNS_QUERY}" +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]} + check_good "`"${GETDNS_QUERY}" -V +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]} echo "getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} TESTS: ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}" (( COUNT++ )) done echo "*Transport not available cases:" for (( j = 0; j < ${#NOT_AVAILABLE_QUERIES[@]}; j+=1 )); do - check_bad "`"${GETDNS_QUERY}" $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`" + check_bad "`"${GETDNS_QUERY}" -V $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`" echo "getdns_query $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]}" (( COUNT++ )) done diff --git a/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test b/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test index 5da09cd9..1169e337 100644 --- a/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test +++ b/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test @@ -7,10 +7,10 @@ rm -fr "${BUILDDIR}/build-event-loops" mkdir "${BUILDDIR}/build-event-loops" cd "${BUILDDIR}/build-event-loops" -"${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libuv +"${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libuv \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libuv diff --git a/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre b/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre index bda600f8..a79bdeed 100644 --- a/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre +++ b/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre @@ -25,11 +25,11 @@ done rm -fr "${BUILDDIR}/build-static-analysis" mkdir "${BUILDDIR}/build-static-analysis" cd "${BUILDDIR}/build-static-analysis" -"${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libuv +"${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libuv \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev \ + || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libuv diff --git a/src/tools/Dockerfile b/src/tools/Dockerfile index 9ae731a3..20bde4c5 100644 --- a/src/tools/Dockerfile +++ b/src/tools/Dockerfile @@ -24,7 +24,7 @@ RUN set -ex \ && cd /usr/src \ && git clone https://github.com/getdnsapi/getdns.git \ && cd /usr/src/getdns \ - && git checkout release/1.1.1 \ + && git checkout master \ && git submodule update --init \ && libtoolize -ci \ && autoreconf -fi \ @@ -35,7 +35,7 @@ RUN set -ex \ && cp src/tools/stubby.conf /etc \ && mkdir -p /etc/unbound \ && cd /etc/unbound \ - && wget http://www.nomountain.net/getdns-root.key + && unbound-anchor -a /etc/unbound/getdns-root.key || : EXPOSE 53 diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in index 7e291603..3cba9659 100644 --- a/src/tools/Makefile.in +++ b/src/tools/Makefile.in @@ -68,8 +68,8 @@ $(ALL_OBJS): getdns_query: getdns_query.lo $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ getdns_query.lo $(LDFLAGS) $(LDLIBS) -stubby: getdns_query.lo - $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ getdns_query.lo $(LDFLAGS) $(LDLIBS) +stubby: + cd .. && $(MAKE) $@ install-getdns_query: getdns_query $(INSTALL) -m 755 -d $(DESTDIR)$(bindir) @@ -78,15 +78,14 @@ install-getdns_query: getdns_query uninstall-getdns_query: $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/getdns_query -install-stubby: getdns_query - $(INSTALL) -m 755 -d $(DESTDIR)$(bindir) - $(LIBTOOL) --mode=install cp getdns_query $(DESTDIR)$(bindir)/stubby +install-stubby: + cd .. && $(MAKE) $@ uninstall-stubby: - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/stubby + cd .. && $(MAKE) $@ clean: - rm -f *.o *.lo $(PROGRAMS) stubby + rm -f *.o *.lo $(PROGRAMS) rm -rf .libs distclean : clean diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index a28ffe54..582f2c0c 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -48,6 +48,7 @@ typedef unsigned short in_port_t; #define EXAMPLE_PIN "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"" +static int verbosity = 0; static int i_am_stubby = 0; static const char *default_stubby_config = "{ resolution_type: GETDNS_RESOLUTION_STUB" @@ -80,6 +81,8 @@ static uint16_t request_type = GETDNS_RRTYPE_NS; static int timeout, edns0_size, padding_blocksize; static int async = 0, interactive = 0; static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL; +static int bogus_answers = 0; +static int check_dnssec = 0; static int get_rrtype(const char *t) { @@ -255,6 +258,7 @@ print_usage(FILE *out, const char *progname) fprintf(out, "\t-S\tservice lookup ( is ignored)\n"); fprintf(out, "\t-t \tSet timeout in milliseconds\n"); fprintf(out, "\t-v\tPrint getdns release version\n"); + fprintf(out, "\t-V\tIncrease verbosity (may be used more than once)\n"); fprintf(out, "\t-x\tDo not follow redirects\n"); fprintf(out, "\t-X\tFollow redirects (default)\n"); @@ -306,27 +310,28 @@ static getdns_return_t validate_chain(getdns_dict *response) response, "replies_tree", &replies_tree))) goto error; - fprintf(stdout, "replies_tree dnssec_status: "); + if (verbosity) fprintf(stdout, "replies_tree dnssec_status: "); switch ((s = getdns_validate_dnssec( replies_tree, validation_chain, trust_anchor))) { case GETDNS_DNSSEC_SECURE: - fprintf(stdout, "GETDNS_DNSSEC_SECURE\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_SECURE\n"); break; case GETDNS_DNSSEC_BOGUS: - fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n"); + bogus_answers += 1; break; case GETDNS_DNSSEC_INDETERMINATE: - fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n"); break; case GETDNS_DNSSEC_INSECURE: - fprintf(stdout, "GETDNS_DNSSEC_INSECURE\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INSECURE\n"); break; case GETDNS_DNSSEC_NOT_PERFORMED: - fprintf(stdout, "GETDNS_DNSSEC_NOT_PERFORMED\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_NOT_PERFORMED\n"); break; default: - fprintf(stdout, "%d\n", (int)s); + if (verbosity) fprintf(stdout, "%d\n", (int)s); } i = 0; @@ -335,27 +340,28 @@ static getdns_return_t validate_chain(getdns_dict *response) if ((r = getdns_list_set_dict(to_validate, 0, reply))) goto error; - printf("reply "PRIsz", dnssec_status: ", i); + if (verbosity) printf("reply "PRIsz", dnssec_status: ", i); switch ((s = getdns_validate_dnssec( to_validate, validation_chain, trust_anchor))) { case GETDNS_DNSSEC_SECURE: - fprintf(stdout, "GETDNS_DNSSEC_SECURE\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_SECURE\n"); break; case GETDNS_DNSSEC_BOGUS: - fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n"); + bogus_answers += 1; break; case GETDNS_DNSSEC_INDETERMINATE: - fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n"); break; case GETDNS_DNSSEC_INSECURE: - fprintf(stdout, "GETDNS_DNSSEC_INSECURE\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INSECURE\n"); break; case GETDNS_DNSSEC_NOT_PERFORMED: - fprintf(stdout, "GETDNS_DNSSEC_NOT_PERFORMED\n"); + if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_NOT_PERFORMED\n"); break; default: - fprintf(stdout, "%d\n", (int)s); + if (verbosity) fprintf(stdout, "%d\n", (int)s); } } if (r == GETDNS_RETURN_NO_SUCH_LIST_ITEM) @@ -378,14 +384,23 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type, getdns_print_json_dict(response, json == 1) : getdns_pretty_print_dict(response))) { - fprintf(stdout, "ASYNC response:\n%s\n", response_str); + fprintf(stdout, "%s\n", response_str); + if (verbosity) fprintf(stdout, "ASYNC call completed.\n"); validate_chain(response); free(response_str); } if (callback_type == GETDNS_CALLBACK_COMPLETE) { - printf("Response code was: GOOD. Status was: Callback with ID %"PRIu64" was successful.\n", + if (verbosity) printf("Response code was: GOOD. Status was: Callback with ID %"PRIu64" was successful.\n", trans_id); + if (check_dnssec) { + uint32_t dnssec_status = GETDNS_DNSSEC_SECURE; + + (void )getdns_dict_get_int(response, + "/replies_tree/0/dnssec_status", &dnssec_status); + if (dnssec_status == GETDNS_DNSSEC_BOGUS) + bogus_answers += 1; + } } else if (callback_type == GETDNS_CALLBACK_CANCEL) fprintf(stderr, @@ -400,7 +415,6 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type, getdns_get_errorstr_by_id(callback_type)); } getdns_dict_destroy(response); - response = NULL; } #define CONTINUE ((getdns_return_t)-2) @@ -575,6 +589,9 @@ getdns_return_t parse_args(int argc, char **argv) continue; } else if (arg[0] == '+') { + if (strncmp(arg+1, "dnssec_", 7) == 0) + check_dnssec = 1; + if (arg[1] == 's' && arg[2] == 'i' && arg[3] == 't' && (arg[4] == '=' || arg[4] == '\0')) { if ((r = set_cookie(extensions, arg+4))) { @@ -802,6 +819,7 @@ getdns_return_t parse_args(int argc, char **argv) goto next; case 'p': json = 0; + break; case 'q': quiet = 1; break; @@ -970,6 +988,9 @@ getdns_return_t parse_args(int argc, char **argv) case 'B': batch_mode = 1; break; + case 'V': + verbosity += 1; + break; case 'z': if (c[1] != 0 || ++i >= argc || !*argv[i]) { @@ -1188,8 +1209,9 @@ getdns_return_t do_the_call(void) getdns_print_json_dict(response, json == 1) : getdns_pretty_print_dict(response))) { - fprintf( stdout, "SYNC response:\n%s\n" - , response_str); + fprintf( stdout, "%s\n", response_str); + if (verbosity) fprintf( stdout, "SYNC call completed.\n"); + validate_chain(response); free(response_str); } else { @@ -1199,10 +1221,21 @@ getdns_return_t do_the_call(void) } } getdns_dict_get_int(response, "status", &status); - fprintf(stdout, "Response code was: GOOD. Status was: %s\n", + if (verbosity) + fprintf(stdout, "Response code was: GOOD. Status was: %s\n", getdns_get_errorstr_by_id(status)); - if (response) + if (response) { + if (check_dnssec) { + uint32_t dnssec_status = GETDNS_DNSSEC_SECURE; + + (void )getdns_dict_get_int(response, + "/replies_tree/0/dnssec_status", + &dnssec_status); + if (dnssec_status == GETDNS_DNSSEC_BOGUS) + bogus_answers += 1; + } getdns_dict_destroy(response); + } } getdns_dict_destroy(address); return r; @@ -1224,7 +1257,7 @@ void read_line_cb(void *userarg) int linec; if (!fgets(line, 1024, fp) || !*line) { - if (query_file) + if (query_file && verbosity) fprintf(stdout,"End of file."); loop->vmt->clear(loop, read_line_ev); if (listen_count) @@ -1233,7 +1266,7 @@ void read_line_cb(void *userarg) (void) getdns_context_set_idle_timeout(context, 0); return; } - if (query_file) + if (query_file && verbosity) fprintf(stdout,"Found query: %s", line); linev[0] = __FILE__; @@ -1246,7 +1279,8 @@ void read_line_cb(void *userarg) return; } if (*token == '#') { - fprintf(stdout,"Result: Skipping comment\n"); + if (verbosity) + fprintf(stdout,"Result: Skipping comment\n"); if (! query_file) { printf("> "); fflush(stdout); @@ -1779,8 +1813,10 @@ done_destroy_context: else if (r == CONTINUE_ERROR) return 1; - if (!i_am_stubby) + if (!i_am_stubby && verbosity) fprintf(stdout, "\nAll done.\n"); - return r; + return r ? r + : bogus_answers ? GETDNS_DNSSEC_BOGUS + : GETDNS_RETURN_GOOD; } diff --git a/src/tools/stubby-setdns-macos.sh b/src/tools/stubby-setdns-macos.sh deleted file mode 100755 index 90f1e45f..00000000 --- a/src/tools/stubby-setdns-macos.sh +++ /dev/null @@ -1,96 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2017, Verisign, Inc., NLnet Labs -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# * Neither the names of the copyright holders nor the -# names of its contributors may be used to endorse or promote products -# derived from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY -# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -# Stubby helper file to set DNS servers on macOS. -# Note - this script doesn't detect or handle network events, simply changes the -# current resolvers -# Must run as root. - -usage () { - echo - echo "Update the system DNS resolvers so that Stubby is used for all DNS" - echo "queries on macOS. (Stubby must already be running)" - echo "This must be run as root." - echo - echo "Usage: $0 options" - echo - echo "Supported options:" - echo " -r Reset DNS resolvers to the default ones (e.g. from DHCP)" - echo " -l List the current DNS settings for all interfaces" - echo " -h Show this help." -} - -RESET=0 -LIST=0 -SERVERS="127.0.0.1 ::1" -OS_X=`uname -a | grep -c 'Darwin'` - -while getopts ":rlh" opt; do - case $opt in - r ) RESET=1 ;; - l ) LIST=1 ;; - h ) usage - exit 1 ;; - \? ) usage - exit 1 ;; - esac -done - - -if [[ $OS_X -eq 0 ]]; then - echo "Sorry - This script only works on macOS and you are on a different OS." - exit 1 -fi - -if [[ $LIST -eq 1 ]]; then - echo "** Current DNS settings **" - networksetup -listallnetworkservices 2>/dev/null | grep -v '*' | while read x ; do - RESULT=`networksetup -getdnsservers "$x"` - RESULT=`echo $RESULT` - printf '%-30s %s\n' "$x:" "$RESULT" - done - exit 1 -fi - -if [ "$USER" != "root" ]; then - echo "Must be root to update system resolvers. Retry using 'sudo stubby-setdns'" - exit 1 -fi - -if [[ $RESET -eq 1 ]]; then - SERVERS="empty" - echo "Setting DNS servers to '"$SERVERS"' - the system will use default DNS service." -else - echo "Setting DNS servers to '"$SERVERS"' - the system will use Stubby if it is running." -fi - -### Set the DNS settings via networksetup ### -networksetup -listallnetworkservices 2>/dev/null | grep -v '*' | while read x ; do - networksetup -setdnsservers "$x" $SERVERS -done - diff --git a/src/tools/stubby.conf b/src/tools/stubby.conf deleted file mode 100644 index 56fffaff..00000000 --- a/src/tools/stubby.conf +++ /dev/null @@ -1,59 +0,0 @@ -{ resolution_type: GETDNS_RESOLUTION_STUB -, dns_transport_list: [ GETDNS_TRANSPORT_TLS ] -, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED -, tls_query_padding_blocksize: 256 -, edns_client_subnet_private : 1 -, listen_addresses: [ 127.0.0.1, 0::1 ] -, idle_timeout: 10000 -, round_robin_upstreams: 1 -, upstream_recursive_servers: - [ { address_data: 145.100.185.15 - , tls_auth_name: "dnsovertls.sinodun.com" - , tls_pubkey_pinset: - [ { digest: "sha256" - , value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= - } ] - }, - { address_data: 145.100.185.16 - , tls_auth_name: "dnsovertls1.sinodun.com" - , tls_pubkey_pinset: - [ { digest: "sha256" - , value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= - } ] - }, - { address_data: 185.49.141.37 - , tls_auth_name: "getdnsapi.net" - , tls_pubkey_pinset: - [ { digest: "sha256" - , value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= - } ] - }, - { address_data: 2001:610:1:40ba:145:100:185:15 - , tls_auth_name: "dnsovertls.sinodun.com" - , tls_pubkey_pinset: - [ { digest: "sha256" - , value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= - } ] - }, - { address_data: 2001:610:1:40ba:145:100:185:16 - , tls_auth_name: "dnsovertls1.sinodun.com" - , tls_pubkey_pinset: - [ { digest: "sha256" - , value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= - } ] - }, - { address_data: 2a04:b900:0:100::37 - , tls_auth_name: "getdnsapi.net" - , tls_pubkey_pinset: - [ { digest: "sha256" - , value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= - } ] - }, - { address_data: 89.233.43.71 - , tls_auth_name: "unicast.censurfridns.dk" - }, - { address_data: 2a01:3a0:53:53:: - , tls_auth_name: "unicast.censurfridns.dk" - } - ] -} diff --git a/src/util/lookup3.c b/src/util/lookup3.c index e9b05af3..cc110748 100644 --- a/src/util/lookup3.c +++ b/src/util/lookup3.c @@ -5,6 +5,7 @@ added #ifdef VALGRIND to remove 298,384,660 'unused variable k8' warnings. added include of lookup3.h to check definitions match declarations. removed include of stdint - config.h takes care of platform independence. + added fallthrough comments for new gcc warning suppression. url http://burtleburtle.net/bob/hash/index.html. */ /* @@ -235,7 +236,9 @@ uint32_t initval) /* the previous hash, or an arbitrary value */ switch(length) /* all the case statements fall through */ { case 3 : c+=k[2]; + /* fallthrough */ case 2 : b+=k[1]; + /* fallthrough */ case 1 : a+=k[0]; final(a,b,c); case 0: /* case 0: nothing left to add */ @@ -473,16 +476,27 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval) switch(length) /* all the case statements fall through */ { case 12: c+=((uint32_t)k[11])<<24; + /* fallthrough */ case 11: c+=((uint32_t)k[10])<<16; + /* fallthrough */ case 10: c+=((uint32_t)k[9])<<8; + /* fallthrough */ case 9 : c+=k[8]; + /* fallthrough */ case 8 : b+=((uint32_t)k[7])<<24; + /* fallthrough */ case 7 : b+=((uint32_t)k[6])<<16; + /* fallthrough */ case 6 : b+=((uint32_t)k[5])<<8; + /* fallthrough */ case 5 : b+=k[4]; + /* fallthrough */ case 4 : a+=((uint32_t)k[3])<<24; + /* fallthrough */ case 3 : a+=((uint32_t)k[2])<<16; + /* fallthrough */ case 2 : a+=((uint32_t)k[1])<<8; + /* fallthrough */ case 1 : a+=k[0]; break; case 0 : return c; diff --git a/src/util/val_secalgo.c b/src/util/val_secalgo.c index 88d23472..e9ec5a5b 100644 --- a/src/util/val_secalgo.c +++ b/src/util/val_secalgo.c @@ -1320,6 +1320,9 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, #include "ecdsa.h" #include "ecc-curve.h" #endif +#ifdef HAVE_NETTLE_EDDSA_H +#include "eddsa.h" +#endif static int _digest_nettle(int algo, uint8_t* buf, size_t len, @@ -1477,6 +1480,10 @@ dnskey_algo_id_is_supported(int id) case LDNS_ECDSAP384SHA384: #endif return 1; +#ifdef USE_ED25519 + case LDNS_ED25519: + return 1; +#endif case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ case LDNS_ECC_GOST: default: @@ -1718,6 +1725,30 @@ _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* } #endif +#ifdef USE_ED25519 +static char * +_verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock, + unsigned int sigblock_len, unsigned char* key, unsigned int keylen) +{ + int res = 0; + + if(sigblock_len != ED25519_SIGNATURE_SIZE) { + return "wrong ED25519 signature length"; + } + if(keylen != ED25519_KEY_SIZE) { + return "wrong ED25519 key length"; + } + + res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf), + sldns_buffer_begin(buf), (uint8_t*)sigblock); + + if (!res) + return "ED25519 signature verification failed"; + else + return NULL; +} +#endif + /** * Check a canonical sig+rrset and signature against a dnskey * @param buf: buffer with data to verify, the first rrsig part and the @@ -1759,9 +1790,13 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, case LDNS_RSASHA1_NSEC3: digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); #endif + /* double fallthrough annotation to please gcc parser */ + /* fallthrough */ #ifdef USE_SHA2 + /* fallthrough */ case LDNS_RSASHA256: digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); + /* fallthrough */ case LDNS_RSASHA512: digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); @@ -1776,6 +1811,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, #ifdef USE_ECDSA case LDNS_ECDSAP256SHA256: digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); + /* fallthrough */ case LDNS_ECDSAP384SHA384: digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, @@ -1784,6 +1820,15 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, return sec_status_bogus; else return sec_status_secure; +#endif +#ifdef USE_ED25519 + case LDNS_ED25519: + *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len, + key, keylen); + if (*reason != NULL) + return sec_status_bogus; + else + return sec_status_secure; #endif case LDNS_RSAMD5: case LDNS_ECC_GOST: diff --git a/stubby b/stubby new file mode 160000 index 00000000..499a82f5 --- /dev/null +++ b/stubby @@ -0,0 +1 @@ +Subproject commit 499a82f55579bbba754cd620f88b20da6a167929 diff --git a/systemd/README.md b/systemd/README.md deleted file mode 100644 index 98cea72d..00000000 --- a/systemd/README.md +++ /dev/null @@ -1,16 +0,0 @@ -Stubby integration with systemd -=============================== - -For GNU/Linux operating systems which use systemd as a process -manager, you might want to run stubby as a system service. - -This directory provides recommended systemd unit files. - -This setup assumes that there is a system-level user named "stubby" -which is in group "stubby", and try to limit the privileges of the -running daemon to that user as closely as possible. - -Normally, a downstream distributor will install them as: - - /usr/lib/tmpfiles.d/stubby.conf - /lib/systemd/system/stubby.service diff --git a/systemd/stubby.conf b/systemd/stubby.conf deleted file mode 100644 index bf704927..00000000 --- a/systemd/stubby.conf +++ /dev/null @@ -1,2 +0,0 @@ -# tmpfiles.d (5) for use with stubby.service -d /run/stubby 0750 root stubby - - diff --git a/systemd/stubby.service b/systemd/stubby.service deleted file mode 100644 index b85b8e90..00000000 --- a/systemd/stubby.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=stubby DNS resolver - -[Service] -WorkingDirectory=/run/stubby -ExecStart=/usr/bin/stubby -AmbientCapabilities=CAP_NET_BIND_SERVICE -CapabilityBoundingSet=CAP_NET_BIND_SERVICE -User=stubby - -[Install] -WantedBy=multi-user.target