From 146638ab9423f1d83bfa601f1b40cd04df29dc4c Mon Sep 17 00:00:00 2001
From: Melinda Shore
Date: Wed, 28 Jun 2017 22:11:30 -0800
Subject: [PATCH 01/26] Modified Dockerfile to check out getdns master and to
use unbound-anchor to install dnssec trust root
---
src/tools/Dockerfile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tools/Dockerfile b/src/tools/Dockerfile
index 9ae731a3..20bde4c5 100644
--- a/src/tools/Dockerfile
+++ b/src/tools/Dockerfile
@@ -24,7 +24,7 @@ RUN set -ex \
&& cd /usr/src \
&& git clone https://github.com/getdnsapi/getdns.git \
&& cd /usr/src/getdns \
- && git checkout release/1.1.1 \
+ && git checkout master \
&& git submodule update --init \
&& libtoolize -ci \
&& autoreconf -fi \
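Review bot: `git checkout master` makes the image build whatever the branch head is at build time, so two builds of the same Dockerfile can contain different getdns code, and a bad upstream commit flows straight into the image. Pin the checkout to a tag or full commit id, for example `&& git checkout "${GETDNS_REF}" \` with `ARG GETDNS_REF=<commit-or-tag>` declared above the RUN. The RUN instruction starts and ends outside this hunk.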
@@ -35,7 +35,7 @@ RUN set -ex \
&& cp src/tools/stubby.conf /etc \
&& mkdir -p /etc/unbound \
&& cd /etc/unbound \
- && wget http://www.nomountain.net/getdns-root.key
+ && unbound-anchor -a /etc/unbound/getdns-root.key || :
EXPOSE 53
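Review bot: The trailing `|| :` on the `unbound-anchor` line applies to the whole `&&` chain of this RUN, not only to unbound-anchor, because `&&` and `||` have equal precedence in sh and `set -e` does not fire inside an and-or list. A failed clone, configure or make earlier in the chain therefore still produces a successful layer. Group the tolerant step and then assert that the trust anchor was actually written: `&& { unbound-anchor -a /etc/unbound/getdns-root.key || :; } \` followed by `&& test -s /etc/unbound/getdns-root.key`. The RUN starts outside the hunk.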
From 28c41c3495c509bf584ec0da4e0c7ee20fd8fb68 Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Thu, 6 Jul 2017 12:03:35 +0200
Subject: [PATCH 02/26] Move the SYNC/ASYNC response text to after the dict so
the dict is the first thing output and can be parsed without stripping this
text (request from user).
---
src/tools/getdns_query.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index a28ffe54..2e397d02 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -378,7 +378,8 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type,
getdns_print_json_dict(response, json == 1)
: getdns_pretty_print_dict(response))) {
- fprintf(stdout, "ASYNC response:\n%s\n", response_str);
+ fprintf(stdout, "%s\n", response_str);
+ fprintf(stdout, "ASYNC call completed.\n");
validate_chain(response);
free(response_str);
}
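Review bot: The new `ASYNC call completed.` line is still written to stdout, so a consumer that reads stdout to end of file gets non-dict text after the response and has to strip it after all. Sending the status line to stderr keeps stdout parseable: `fprintf(stderr, "ASYNC call completed.\n");`. The same applies to `SYNC call completed.` in the do_the_call hunk. Both functions continue outside their hunks, and `validate_chain(response)`, whose body is not shown in this commit, may print to stdout as well.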
@@ -1188,8 +1189,8 @@ getdns_return_t do_the_call(void)
getdns_print_json_dict(response, json == 1)
: getdns_pretty_print_dict(response))) {
- fprintf( stdout, "SYNC response:\n%s\n"
- , response_str);
+ fprintf( stdout, "%s\n", response_str);
+ fprintf( stdout, "SYNC call completed.\n");
validate_chain(response);
free(response_str);
} else {
From 44787459557d86188a794c350f57eec08a36bbf9 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 6 Jul 2017 12:08:09 +0200
Subject: [PATCH 03/26] No output from getdns_query to stdout except the result
(unless -V is used)
Resolves issue #315
---
src/tools/getdns_query.c | 61 +++++++++++++++++++++++++---------------
1 file changed, 38 insertions(+), 23 deletions(-)
diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index a28ffe54..ff7537e1 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -48,6 +48,7 @@ typedef unsigned short in_port_t;
#define EXAMPLE_PIN "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\""
+static int verbosity = 0;
static int i_am_stubby = 0;
static const char *default_stubby_config =
"{ resolution_type: GETDNS_RESOLUTION_STUB"
@@ -255,6 +256,7 @@ print_usage(FILE *out, const char *progname)
fprintf(out, "\t-S\tservice lookup ( is ignored)\n");
fprintf(out, "\t-t \tSet timeout in milliseconds\n");
fprintf(out, "\t-v\tPrint getdns release version\n");
+ fprintf(out, "\t-V\tIncrease verbosity (may be used more than once)\n");
fprintf(out, "\t-x\tDo not follow redirects\n");
fprintf(out, "\t-X\tFollow redirects (default)\n");
@@ -306,27 +308,27 @@ static getdns_return_t validate_chain(getdns_dict *response)
response, "replies_tree", &replies_tree)))
goto error;
- fprintf(stdout, "replies_tree dnssec_status: ");
+ if (verbosity) fprintf(stdout, "replies_tree dnssec_status: ");
switch ((s = getdns_validate_dnssec(
replies_tree, validation_chain, trust_anchor))) {
case GETDNS_DNSSEC_SECURE:
- fprintf(stdout, "GETDNS_DNSSEC_SECURE\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_SECURE\n");
break;
case GETDNS_DNSSEC_BOGUS:
- fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n");
break;
case GETDNS_DNSSEC_INDETERMINATE:
- fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n");
break;
case GETDNS_DNSSEC_INSECURE:
- fprintf(stdout, "GETDNS_DNSSEC_INSECURE\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INSECURE\n");
break;
case GETDNS_DNSSEC_NOT_PERFORMED:
- fprintf(stdout, "GETDNS_DNSSEC_NOT_PERFORMED\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_NOT_PERFORMED\n");
break;
default:
- fprintf(stdout, "%d\n", (int)s);
+ if (verbosity) fprintf(stdout, "%d\n", (int)s);
}
i = 0;
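Review bot: With every status print behind `if (verbosity)`, a GETDNS_DNSSEC_BOGUS result from `getdns_validate_dnssec` leaves no trace in a default run; the callers visible in this patch invoke `validate_chain(response);` without using its return value. A validation failure is the one outcome worth reporting regardless of verbosity, for example `if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n"); else fprintf(stderr, "dnssec_status: GETDNS_DNSSEC_BOGUS\n");`, which still keeps stdout clean. The per-reply switch in the next hunk has the same gap. validate_chain begins and ends outside these hunks.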
@@ -335,27 +337,27 @@ static getdns_return_t validate_chain(getdns_dict *response)
if ((r = getdns_list_set_dict(to_validate, 0, reply)))
goto error;
- printf("reply "PRIsz", dnssec_status: ", i);
+ if (verbosity) printf("reply "PRIsz", dnssec_status: ", i);
switch ((s = getdns_validate_dnssec(
to_validate, validation_chain, trust_anchor))) {
case GETDNS_DNSSEC_SECURE:
- fprintf(stdout, "GETDNS_DNSSEC_SECURE\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_SECURE\n");
break;
case GETDNS_DNSSEC_BOGUS:
- fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n");
break;
case GETDNS_DNSSEC_INDETERMINATE:
- fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n");
break;
case GETDNS_DNSSEC_INSECURE:
- fprintf(stdout, "GETDNS_DNSSEC_INSECURE\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INSECURE\n");
break;
case GETDNS_DNSSEC_NOT_PERFORMED:
- fprintf(stdout, "GETDNS_DNSSEC_NOT_PERFORMED\n");
+ if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_NOT_PERFORMED\n");
break;
default:
- fprintf(stdout, "%d\n", (int)s);
+ if (verbosity) fprintf(stdout, "%d\n", (int)s);
}
}
if (r == GETDNS_RETURN_NO_SUCH_LIST_ITEM)
@@ -378,13 +380,16 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type,
getdns_print_json_dict(response, json == 1)
: getdns_pretty_print_dict(response))) {
- fprintf(stdout, "ASYNC response:\n%s\n", response_str);
+ if (verbosity)
+ fprintf(stdout, "ASYNC response:\n%s\n", response_str);
+ else
+ fprintf(stdout, "%s\n", response_str);
validate_chain(response);
free(response_str);
}
if (callback_type == GETDNS_CALLBACK_COMPLETE) {
- printf("Response code was: GOOD. Status was: Callback with ID %"PRIu64" was successful.\n",
+ if (verbosity) printf("Response code was: GOOD. Status was: Callback with ID %"PRIu64" was successful.\n",
trans_id);
} else if (callback_type == GETDNS_CALLBACK_CANCEL)
@@ -970,6 +975,9 @@ getdns_return_t parse_args(int argc, char **argv)
case 'B':
batch_mode = 1;
break;
+ case 'V':
+ verbosity += 1;
+ break;
case 'z':
if (c[1] != 0 || ++i >= argc || !*argv[i]) {
@@ -1188,8 +1196,13 @@ getdns_return_t do_the_call(void)
getdns_print_json_dict(response, json == 1)
: getdns_pretty_print_dict(response))) {
- fprintf( stdout, "SYNC response:\n%s\n"
- , response_str);
+ if (verbosity)
+ fprintf( stdout, "SYNC response:\n%s\n"
+ , response_str);
+ else
+ fprintf( stdout, "%s\n"
+ , response_str);
+
validate_chain(response);
free(response_str);
} else {
@@ -1199,7 +1212,8 @@ getdns_return_t do_the_call(void)
}
}
getdns_dict_get_int(response, "status", &status);
- fprintf(stdout, "Response code was: GOOD. Status was: %s\n",
+ if (verbosity)
+ fprintf(stdout, "Response code was: GOOD. Status was: %s\n",
getdns_get_errorstr_by_id(status));
if (response)
getdns_dict_destroy(response);
@@ -1224,7 +1238,7 @@ void read_line_cb(void *userarg)
int linec;
if (!fgets(line, 1024, fp) || !*line) {
- if (query_file)
+ if (query_file && verbosity)
fprintf(stdout,"End of file.");
loop->vmt->clear(loop, read_line_ev);
if (listen_count)
@@ -1233,7 +1247,7 @@ void read_line_cb(void *userarg)
(void) getdns_context_set_idle_timeout(context, 0);
return;
}
- if (query_file)
+ if (query_file && verbosity)
fprintf(stdout,"Found query: %s", line);
linev[0] = __FILE__;
@@ -1246,7 +1260,8 @@ void read_line_cb(void *userarg)
return;
}
if (*token == '#') {
- fprintf(stdout,"Result: Skipping comment\n");
+ if (verbosity)
+ fprintf(stdout,"Result: Skipping comment\n");
if (! query_file) {
printf("> ");
fflush(stdout);
@@ -1779,7 +1794,7 @@ done_destroy_context:
else if (r == CONTINUE_ERROR)
return 1;
- if (!i_am_stubby)
+ if (!i_am_stubby && verbosity)
fprintf(stdout, "\nAll done.\n");
return r;
From d589adf1203ec3dfe8c2c45241cdc8e24a0eaeeb Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 6 Jul 2017 12:19:14 +0200
Subject: [PATCH 04/26] Use -V option in transport tests
---
src/test/tests_transports.sh | 6 +++---
src/test/tpkg/290-transports.tpkg/290-transports.test | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/test/tests_transports.sh b/src/test/tests_transports.sh
index 89604038..99acfc40 100755
--- a/src/test/tests_transports.sh
+++ b/src/test/tests_transports.sh
@@ -174,21 +174,21 @@ for (( i = 0; i < 2; i+=1 )); do
echo "*Success cases:"
for (( j = 0; j < $NUM_GOOD_QUERIES; j+=1 )); do
- check_good "`$DIR/getdns_query +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]}
+ check_good "`$DIR/getdns_query -V +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]}
echo "getdns_query $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]}"
(( COUNT++ ))
done
echo "*Success fallback cases:"
for (( j = 0; j < $NUM_GOOD_FB_QUERIES; j+=1 )); do
- check_good "`$DIR/getdns_query +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}
+ check_good "`$DIR/getdns_query -V +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}
echo "getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} TESTS: ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}"
(( COUNT++ ))
done
echo "*Transport not available cases:"
for (( j = 0; j < ${#NOT_AVAILABLE_QUERIES[@]}; j+=1 )); do
- check_bad "`$DIR/getdns_query $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`"
+ check_bad "`$DIR/getdns_query -V $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`"
echo "getdns_query $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]}"
(( COUNT++ ))
done
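Review bot: Adding `-V` to every `getdns_query` invocation means the suite now exercises only the verbose output; the default mode introduced by the previous commit (result only on stdout) has no coverage here. A case that runs one query without `-V` and checks that stdout holds nothing but the response dict would pin that contract. The same holds for the three edits in 290-transports.test.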
diff --git a/src/test/tpkg/290-transports.tpkg/290-transports.test b/src/test/tpkg/290-transports.tpkg/290-transports.test
index 13a83c15..54f1639e 100644
--- a/src/test/tpkg/290-transports.tpkg/290-transports.test
+++ b/src/test/tpkg/290-transports.tpkg/290-transports.test
@@ -173,21 +173,21 @@ for (( ii = 0; ii < 1; ii++)); do
fi
echo "*Success cases:"
for (( j = 0; j < $NUM_GOOD_QUERIES; j+=1 )); do
- check_good "`"${GETDNS_QUERY}" +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} `" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]}
+ check_good "`"${GETDNS_QUERY}" -V +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} `" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]}
echo "getdns_query $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]}"
(( COUNT++ ))
done
echo "*Success fallback cases:"
for (( j = 0; j < $NUM_GOOD_FB_QUERIES; j+=1 )); do
- check_good "`"${GETDNS_QUERY}" +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}
+ check_good "`"${GETDNS_QUERY}" -V +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}
echo "getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} TESTS: ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}"
(( COUNT++ ))
done
echo "*Transport not available cases:"
for (( j = 0; j < ${#NOT_AVAILABLE_QUERIES[@]}; j+=1 )); do
- check_bad "`"${GETDNS_QUERY}" $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`"
+ check_bad "`"${GETDNS_QUERY}" -V $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`"
echo "getdns_query $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]}"
(( COUNT++ ))
done
From c5acb3769b3267c515b939de067189a1226f57bd Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 6 Jul 2017 21:28:34 +0200
Subject: [PATCH 05/26] Exit with error when answers were bogus
---
src/tools/getdns_query.c | 33 ++++++++++++++++++++++++++++++---
1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index 58fb70c6..f237585c 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -81,6 +81,8 @@ static uint16_t request_type = GETDNS_RRTYPE_NS;
static int timeout, edns0_size, padding_blocksize;
static int async = 0, interactive = 0;
static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL;
+static int bogus_answers = 0;
+static int check_dnssec = 0;
static int get_rrtype(const char *t)
{
@@ -317,6 +319,7 @@ static getdns_return_t validate_chain(getdns_dict *response)
break;
case GETDNS_DNSSEC_BOGUS:
if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n");
+ bogus_answers += 1;
break;
case GETDNS_DNSSEC_INDETERMINATE:
if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n");
@@ -346,6 +349,7 @@ static getdns_return_t validate_chain(getdns_dict *response)
break;
case GETDNS_DNSSEC_BOGUS:
if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n");
+ bogus_answers += 1;
break;
case GETDNS_DNSSEC_INDETERMINATE:
if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n");
@@ -389,6 +393,14 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type,
if (callback_type == GETDNS_CALLBACK_COMPLETE) {
if (verbosity) printf("Response code was: GOOD. Status was: Callback with ID %"PRIu64" was successful.\n",
trans_id);
+ if (check_dnssec) {
+ uint32_t dnssec_status = GETDNS_DNSSEC_SECURE;
+
+ (void )getdns_dict_get_int(response,
+ "/replies_tree/0/dnssec_status", &dnssec_status);
+ if (dnssec_status == GETDNS_DNSSEC_BOGUS)
+ bogus_answers += 1;
+ }
} else if (callback_type == GETDNS_CALLBACK_CANCEL)
fprintf(stderr,
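Review bot: The added check reads only `/replies_tree/0/dnssec_status`, so a bogus answer in any later reply does not increment `bogus_answers` and the process can still exit with success. The same block is repeated in the do_the_call hunk further down. A single helper that walks `replies_tree` would cover both call sites and every reply. It should carry a one-line comment that a missing status is deliberately treated as not bogus, which is what the GETDNS_DNSSEC_SECURE default and the ignored return value amount to. callback() starts and ends outside the hunk.

```c
/* Count replies whose dnssec_status is BOGUS.
 * A reply without a dnssec_status is deliberately treated as not bogus. */
static void count_bogus_replies(getdns_dict *response)
{
	getdns_list *replies_tree;
	getdns_dict *reply;
	uint32_t dnssec_status;
	size_t i;

	if (getdns_dict_get_list(response, "replies_tree", &replies_tree))
		return;
	for (i = 0; !getdns_list_get_dict(replies_tree, i, &reply); i++) {
		dnssec_status = GETDNS_DNSSEC_SECURE;
		(void) getdns_dict_get_int(reply, "dnssec_status", &dnssec_status);
		if (dnssec_status == GETDNS_DNSSEC_BOGUS)
			bogus_answers += 1;
	}
}

/* in callback() and do_the_call(), replacing the duplicated block: */
		if (check_dnssec)
			count_bogus_replies(response);
```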
@@ -403,7 +415,6 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type,
getdns_get_errorstr_by_id(callback_type));
}
getdns_dict_destroy(response);
- response = NULL;
}
#define CONTINUE ((getdns_return_t)-2)
@@ -578,6 +589,9 @@ getdns_return_t parse_args(int argc, char **argv)
continue;
} else if (arg[0] == '+') {
+ if (strncmp(arg+1, "dnssec_", 7) == 0)
+ check_dnssec = 1;
+
if (arg[1] == 's' && arg[2] == 'i' && arg[3] == 't' &&
(arg[4] == '=' || arg[4] == '\0')) {
if ((r = set_cookie(extensions, arg+4))) {
@@ -1196,6 +1210,7 @@ getdns_return_t do_the_call(void)
fprintf( stdout, "%s\n", response_str);
if (verbosity) fprintf( stdout, "SYNC call completed.\n");
+
validate_chain(response);
free(response_str);
} else {
@@ -1208,8 +1223,18 @@ getdns_return_t do_the_call(void)
if (verbosity)
fprintf(stdout, "Response code was: GOOD. Status was: %s\n",
getdns_get_errorstr_by_id(status));
- if (response)
+ if (response) {
+ if (check_dnssec) {
+ uint32_t dnssec_status = GETDNS_DNSSEC_SECURE;
+
+ (void )getdns_dict_get_int(response,
+ "/replies_tree/0/dnssec_status",
+ &dnssec_status);
+ if (dnssec_status == GETDNS_DNSSEC_BOGUS)
+ bogus_answers += 1;
+ }
getdns_dict_destroy(response);
+ }
}
getdns_dict_destroy(address);
return r;
@@ -1790,5 +1815,7 @@ done_destroy_context:
if (!i_am_stubby && verbosity)
fprintf(stdout, "\nAll done.\n");
- return r;
+ return r ? r
+ : bogus_answers ? GETDNS_DNSSEC_BOGUS
+ : GETDNS_RETURN_GOOD;
}
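Review bot: `GETDNS_DNSSEC_BOGUS` is a DNSSEC status constant rather than a `getdns_return_t`, and returning it from what appears to be main() hands the shell only the low 8 bits of its value (the DNSSEC status constants are numbered from 400). A script testing for that number will not see it. A small dedicated exit code is clearer, e.g. `#define EXIT_BOGUS_ANSWERS 2` with `return r ? r : bogus_answers ? EXIT_BOGUS_ANSWERS : GETDNS_RETURN_GOOD;`, and it should be mentioned in print_usage. The function starts outside the hunk.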
From bceb6c8c87487561bf0632ca78db29c87fe3007f Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Sat, 15 Jul 2017 11:14:35 +0200
Subject: [PATCH 06/26] Resubmit netreqs when roadblocks need to be avoided
---
src/dnssec.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/src/dnssec.c b/src/dnssec.c
index fbbc966d..0a1133dc 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3043,6 +3043,37 @@ static void check_chain_complete(chain_head *chain)
netreq->owner = dnsreq;
r = _getdns_submit_netreq(netreq, &now_ms);
}
+ if (!dnsreq->dnssec_return_validation_chain)
+ return;
+
+ for ( head = chain; head ; head = next ) {
+ next = head->next;
+ for ( node_count = head->node_count
+ , node = head->parent
+ ; node_count
+ ; node_count--, node = node->parent ) {
+
+ if (node->dnskey_req) {
+ _getdns_netreq_change_state(
+ node->dnskey_req,
+ NET_REQ_NOT_SENT);
+ node->dnskey_req->owner->
+ avoid_dnssec_roadblocks = 1;
+ r = _getdns_submit_netreq(
+ node->dnskey_req, &now_ms);
+ }
+ if (node->ds_req) {
+ _getdns_netreq_change_state(
+ node->ds_req, NET_REQ_NOT_SENT);
+ node->ds_req->owner->
+ avoid_dnssec_roadblocks = 1;
+ r = _getdns_submit_netreq(
+ node->ds_req, &now_ms);
+ }
+ }
+ }
+ DEBUG_SEC("Outstanding requests: %d\n",
+ (int)count_outstanding_requests(chain));
return;
}
#endif
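Review bot: Each `r = _getdns_submit_netreq(...)` in the new loop overwrites the previous result and `r` is never examined before the `return`, so a DNSKEY or DS resubmission that fails goes unnoticed after the request has already been reset to NET_REQ_NOT_SENT. Presumably such a request is then never completed and the validation chain keeps waiting for it; please confirm, and at least log the failure, e.g. `if (r) DEBUG_SEC("resubmitting DNSKEY request failed: %d\n", r);`. A short comment above the loop saying why the chain's requests are re-sent once `avoid_dnssec_roadblocks` is set would help too. The later commit in this series that turns these calls into `(void) _getdns_submit_netreq(...)` keeps the same gap. check_chain_complete starts outside the hunk.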
From 84430e02cdae5bae3b128351ec9ca470ad7cdb9f Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Sat, 15 Jul 2017 17:48:24 +0200
Subject: [PATCH 07/26] Actually working roadblocks and getting validation
chains
---
src/dnssec.c | 42 +++++++++++++++++++++++++++++++++++-------
src/general.c | 7 +++++++
2 files changed, 42 insertions(+), 7 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index 0a1133dc..d694775a 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -550,11 +550,26 @@ static chain_head *add_rrset2val_chain(struct mem_funcs *mf,
/* Also, try to prevent adding double rrsets */
if ( rrset->rr_class == head->rrset.rr_class
&& rrset->rr_type == head->rrset.rr_type
- && rrset->pkt == head->rrset.pkt
- && rrset->pkt_len == head->rrset.pkt_len
- && _dname_equal(rrset->name, head->rrset.name))
- return NULL;
+ && _dname_equal(rrset->name, head->rrset.name)) {
+ if (rrset->pkt == head->rrset.pkt &&
+ rrset->pkt_len == head->rrset.pkt_len)
+ return NULL;
+ else {
+ /* Anticipate resubmissions due to
+ * roadblock avoidance */
+ head->rrset.pkt = rrset->pkt;
+ head->rrset.pkt_len = rrset->pkt_len;
+ return head;
+ }
+ }
+
+ if ( rrset->rr_class == head->rrset.rr_class
+ && rrset->rr_type == head->rrset.rr_type
+ && rrset->pkt != head->rrset.pkt
+ && _dname_equal(rrset->name, head->rrset.name)) {
+ return NULL;
+ }
for (label = labels; label < last_label; label++) {
if (! _dname_is_parent(*label, head->rrset.name))
break;
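Review bot: The second added `if` can never be true: it tests the same class, type and name as the block just above it, and that block returns on both of its branches (NULL or `head`). Drop the second block, or change its condition if a different case was meant. The comment `Anticipate resubmissions due to roadblock avoidance` could also say why `head->rrset.pkt` and `pkt_len` are re-pointed at the new packet, presumably because the old response buffer is replaced on resubmission. The loop and the function continue outside the hunk.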
@@ -2416,6 +2431,7 @@ static int key_proves_nonexistance(
* ========================+
* First find the closest encloser.
*/
+ if (*rrset->name)
for ( nc_name = rrset->name, ce_name = rrset->name + *rrset->name + 1
; *ce_name ; nc_name = ce_name, ce_name += *ce_name + 1) {
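Review bot: The new `if (*rrset->name)` guards the whole `for` statement below it but is written without braces and at the same indentation, so it reads as an unrelated statement. Brace it and indent the loop, `if (*rrset->name) {` … `}`. When the name is the root label the loop initialiser no longer runs, so `nc_name` and `ce_name` keep whatever value they had before. The code after the loop is outside this hunk, so please check that both are initialised at declaration.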
@@ -3034,14 +3050,18 @@ static void check_chain_complete(chain_head *chain)
uint64_t now_ms = 0;
dnsreq->avoid_dnssec_roadblocks = 1;
+ dnsreq->chain->lock += 1;
for ( netreq_p = dnsreq->netreqs
- ; !r && (netreq = *netreq_p)
+ ; (netreq = *netreq_p)
; netreq_p++) {
_getdns_netreq_change_state(netreq, NET_REQ_NOT_SENT);
+ netreq->dnssec_status =
+ GETDNS_DNSSEC_INDETERMINATE;
netreq->owner = dnsreq;
r = _getdns_submit_netreq(netreq, &now_ms);
+ DEBUG_SEC("Resubmitting main netreq returned: %d\n", r);
}
if (!dnsreq->dnssec_return_validation_chain)
return;
@@ -3216,11 +3236,16 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq)
getdns_network_req *netreq, **netreq_p;
chain_head *chain = NULL, *chain_p;
- if (dnsreq->validating)
+ if (dnsreq->avoid_dnssec_roadblocks) {
+ chain = dnsreq->chain;
+
+ } else if (dnsreq->validating)
return;
dnsreq->validating = 1;
- for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p) ; netreq_p++) {
+ if (dnsreq->avoid_dnssec_roadblocks && chain->lock == 0)
+ ; /* pass */
+ else for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p) ; netreq_p++) {
if (! netreq->response
|| netreq->response_len < GLDNS_HEADER_SIZE
|| ( GLDNS_RCODE_WIRE(netreq->response)
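Review bot: `chain->lock` is dereferenced on the new line `if (dnsreq->avoid_dnssec_roadblocks && chain->lock == 0)` with `chain` taken from `dnsreq->chain`, and nothing in the hunk shows that pointer is non-NULL whenever `avoid_dnssec_roadblocks` is set. The empty-statement form `; /* pass */ else for (...)` is also easy to misread. `if (!dnsreq->avoid_dnssec_roadblocks || (chain && chain->lock)) for (...)` states the same condition positively and tolerates a missing chain. The function body continues outside the hunk.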
@@ -3248,6 +3273,9 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq)
if (chain_p->lock) chain_p->lock--;
}
dnsreq->chain = chain;
+ if (dnsreq->avoid_dnssec_roadblocks && chain->lock)
+ chain->lock -= 1;
+
check_chain_complete(chain);
} else {
dnsreq->validating = 0;
diff --git a/src/general.c b/src/general.c
index 280df08d..2420a47c 100644
--- a/src/general.c
+++ b/src/general.c
@@ -59,6 +59,9 @@ void _getdns_call_user_callback(getdns_dns_req *dnsreq, getdns_dict *response)
{
_getdns_context_clear_outbound_request(dnsreq);
+#if defined(REQ_DEBUG) && REQ_DEBUG
+ debug_req(__FUNC__, *dnsreq->netreqs);
+#endif
if (dnsreq->user_callback) {
dnsreq->context->processing = 1;
dnsreq->user_callback(dnsreq->context,
@@ -211,6 +214,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
#ifdef STUB_NATIVE_DNSSEC
|| (dns_req->context->resolution_type == GETDNS_RESOLUTION_STUB
+ && !dns_req->avoid_dnssec_roadblocks
&& (dns_req->dnssec_return_status ||
dns_req->dnssec_return_only_secure ||
dns_req->dnssec_return_all_statuses
@@ -228,6 +232,9 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
NULL, NULL, (getdns_eventloop_callback)
_getdns_validation_chain_timeout));
+#if defined(REQ_DEBUG) && REQ_DEBUG
+ debug_req("getting validation chain for ", *dns_req->netreqs);
+#endif
_getdns_get_validation_chain(dns_req);
} else
_getdns_call_user_callback(
From e11dc92df1d76f840a2928fbe06b253bae3abdc4 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Sat, 15 Jul 2017 18:38:31 +0200
Subject: [PATCH 08/26] Hopefully the last warning
---
src/dnssec.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index d694775a..e9962852 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3045,7 +3045,6 @@ static void check_chain_complete(chain_head *chain)
&& !dnsreq->avoid_dnssec_roadblocks
&& dnsreq->netreqs[0]->dnssec_status == GETDNS_DNSSEC_BOGUS) {
- int r = GETDNS_RETURN_GOOD;
getdns_network_req **netreq_p, *netreq;
uint64_t now_ms = 0;
@@ -3060,8 +3059,7 @@ static void check_chain_complete(chain_head *chain)
netreq->dnssec_status =
GETDNS_DNSSEC_INDETERMINATE;
netreq->owner = dnsreq;
- r = _getdns_submit_netreq(netreq, &now_ms);
- DEBUG_SEC("Resubmitting main netreq returned: %d\n", r);
+ (void) _getdns_submit_netreq(netreq, &now_ms);
}
if (!dnsreq->dnssec_return_validation_chain)
return;
@@ -3079,7 +3077,7 @@ static void check_chain_complete(chain_head *chain)
NET_REQ_NOT_SENT);
node->dnskey_req->owner->
avoid_dnssec_roadblocks = 1;
- r = _getdns_submit_netreq(
+ (void) _getdns_submit_netreq(
node->dnskey_req, &now_ms);
}
if (node->ds_req) {
@@ -3087,13 +3085,11 @@ static void check_chain_complete(chain_head *chain)
node->ds_req, NET_REQ_NOT_SENT);
node->ds_req->owner->
avoid_dnssec_roadblocks = 1;
- r = _getdns_submit_netreq(
+ (void) _getdns_submit_netreq(
node->ds_req, &now_ms);
}
}
}
- DEBUG_SEC("Outstanding requests: %d\n",
- (int)count_outstanding_requests(chain));
return;
}
#endif
From c6c1b5cfa2a2259db5fbde3ce02a4c820ac364b4 Mon Sep 17 00:00:00 2001
From: Paul Hoffman
Date: Sun, 16 Jul 2017 10:53:56 +0200
Subject: [PATCH 09/26] Make building instructions clearer
... and add packages for Ubuntu.
---
README.md | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index e866d47d..851a4134 100644
--- a/README.md
+++ b/README.md
@@ -65,23 +65,28 @@ The following requirements were met as conditions for the present release:
# Building and External Dependencies
+If you are installing from packages, you have to install the library and also the library-devel (or -dev) for your package management system to get the the necessary compile time files.
+
External dependencies are linked outside the getdns API build tree (we rely on configure to find them). We would like to keep the dependency tree short. Please refer to section for building on Windows for separate dependency and build instructions for that platform.
+Before building, you must do:
+
+ # git submodule update --init
+
* [libunbound from NLnet Labs](https://unbound.net/) version 1.4.16 or later.
* [libidn from the FSF](https://www.gnu.org/software/libidn/) version 1. (Note that the libidn version means the conversions between A-labels and U-labels may permit conversion of formally invalid labels under IDNA2008.)
* [libssl and libcrypto from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.1 or later is required for TLS support, version 1.0.2 or later is required for TLS hostname authentication)
* Doxygen is used to generate documentation; while this is not technically necessary for the build it makes things a lot more pleasant.
-If you are installing from packages, you have to install the library and also the library-devel (or -dev) for your package management system to get the the necessary compile time files. If you checked out from git you need to copy the libtool helper scripts and rebuild configure thus:
+For example, to build on a recent version of Ubuntu, you would need the following packages:
+
+ # apt install build-essential libunbound-dev libidn11-dev libssl-dev libtool m4 autoconf
+
+If you are building from git, you need to do the following before building:
# libtoolize -ci (use glibtoolize for OS X, libtool is installed as glibtool to avoid name conflict on OS X)
# autoreconf -fi
-If you want to make use of the configuration files that utilise a JSON-like format, you must do
-
- # git submodule update --init
-
-before building.
As well as building the getdns library 2 other tools are installed by default by the above process:
From 2d7d6581b4ac7d3cfaff415c1abf1dbc4027b479 Mon Sep 17 00:00:00 2001
From: Neil Cook
Date: Mon, 31 Jul 2017 22:48:09 +0100
Subject: [PATCH 10/26] Ensure netreq->fd is set to -1 after
close()/closesocket()
If netreq->fd is not set to -1, then multiple functions close the
same socket. This causes major issues in multithread code where the
socket must not be closed multiple times as it may be owned by a
different thread.
---
src/stub.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/stub.c b/src/stub.c
index c6f25c79..2bff7ae9 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -588,6 +588,7 @@ _getdns_cancel_stub_request(getdns_network_req *netreq)
#else
close(netreq->fd);
#endif
+ netreq->fd = -1;
}
}
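Review bot: The close-then-reset sequence is now written out five times (here, in stub_timeout_cb, twice in stub_udp_read_cb and in stub_udp_write_cb), which is how the reset came to be missing in four of them. A single static helper that closes only a valid descriptor and always clears the field removes that risk and makes an accidental second call harmless. Clearing the field does not by itself make concurrent closes from two threads safe; the multithreaded case in the commit message still depends on one thread owning the netreq at a time. The functions start outside their hunks.

```c
static void
stub_close_fd(getdns_network_req *netreq)
{
	if (netreq->fd == -1)
		return;
	/* … unchanged: existing closesocket()/close() #if block … */
	netreq->fd = -1;
}
```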
@@ -606,6 +607,7 @@ stub_timeout_cb(void *userarg)
#else
close(netreq->fd);
#endif
+ netreq->fd = -1;
netreq->upstream->udp_timeouts++;
if (netreq->upstream->udp_timeouts % 100 == 0)
_getdns_upstream_log(netreq->upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
@@ -1413,6 +1415,7 @@ stub_udp_read_cb(void *userarg)
#else
close(netreq->fd);
#endif
+ netreq->fd = -1;
stub_next_upstream(netreq);
}
netreq->debug_end_time = _getdns_get_time_as_uintt64();
@@ -1435,8 +1438,8 @@ stub_udp_read_cb(void *userarg)
closesocket(netreq->fd);
#else
close(netreq->fd);
- netreq->fd = -1;
#endif
+ netreq->fd = -1;
while (GLDNS_TC_WIRE(netreq->response)) {
DEBUG_STUB("%s %-35s: MSG: %p TC bit set in response \n", STUB_DEBUG_READ,
__FUNC__, (void*)netreq);
@@ -1533,6 +1536,7 @@ stub_udp_write_cb(void *userarg)
#else
close(netreq->fd);
#endif
+ netreq->fd = -1;
stub_next_upstream(netreq);
}
netreq->debug_end_time = _getdns_get_time_as_uintt64();
From 1555c432f5e637ef16b95e1ab7dd5e7adfaff13b Mon Sep 17 00:00:00 2001
From: Neil Cook
Date: Mon, 31 Jul 2017 22:51:24 +0100
Subject: [PATCH 11/26] Fix array bounds bug in upstream_select
---
src/stub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/stub.c b/src/stub.c
index 2bff7ae9..b8ac6710 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1962,7 +1962,7 @@ upstream_select(getdns_network_req *netreq)
return &upstreams->upstreams[i];
}
i+=GETDNS_UPSTREAM_TRANSPORTS;
- if (i > upstreams->count)
+ if (i >= upstreams->count)
i = 0;
} while (i != upstreams->current_udp);
From 05016e3a3abd8af9e73a0447f1739a1e1fa59371 Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Fri, 4 Aug 2017 14:17:50 +0100
Subject: [PATCH 12/26] Remove mention of using the second bit in set_from_os
to init OpenSSL as this no longer applies
---
src/getdns/getdns.h.in | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in
index b483c7ea..feba62a1 100644
--- a/src/getdns/getdns.h.in
+++ b/src/getdns/getdns.h.in
@@ -1101,7 +1101,6 @@ getdns_service(getdns_context *context,
* (e.g. CRYPTO_THREADID_set_call) depending on the library version used.
* @param context context that can be used immediately with other API calls
* @param set_from_os set to 1 to initialize the context with os defaults
- * the second bit set (2) prevents OpenSSL library initialization.
* @return GETDNS_RETURN_GOOD on success
*/
getdns_return_t
@@ -1114,7 +1113,6 @@ getdns_context_create(getdns_context ** context, int set_from_os);
* (e.g. CRYPTO_THREADID_set_call) depending on the library version used.
* @param context context that can be used immediately with other API calls
* @param set_from_os set to 1 to initialize the context with os defaults
- * the second bit set (2) prevents OpenSSL library initialization.
* @param malloc custom malloc function
* @param realloc custom realloc function
* @param free custom free function
@@ -1136,7 +1134,6 @@ getdns_context_create_with_memory_functions(
* (e.g. CRYPTO_THREADID_set_call) depending on the library version used.
* @param context context that can be used immediately with other API calls
* @param set_from_os set to 1 to initialize the context with os defaults
- * the second bit set (2) prevents OpenSSL library initialization.
* @param userarg parameter passed to the custom malloc, realloc and free functions
* @param malloc custom malloc function
* @param realloc custom realloc function
From 8311dc904984f37bd4d30af0152c9c0f65c9f038 Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Fri, 4 Aug 2017 14:31:05 +0100
Subject: [PATCH 13/26] =?UTF-8?q?Minor=20updates=20on=20return=5Fcall=5Fre?=
=?UTF-8?q?porting.=20Fix=20the=20name=20in=20the=20API=20spec=20and=20add?=
=?UTF-8?q?=20a=20know=20issue=20that=20it=20isn=E2=80=99t=20fully=20suppo?=
=?UTF-8?q?rted=20in=20recursive=20mode.=20Also=20remove=20known=20issue?=
=?UTF-8?q?=20that=20stub=20doesn=E2=80=99t=20limit=20in=20outstanding=20q?=
=?UTF-8?q?ueries=20as=20this=20is=20now=20supported.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
README.md | 2 +-
spec/index.html | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e866d47d..f8ad726c 100644
--- a/README.md
+++ b/README.md
@@ -187,10 +187,10 @@ The following minor implementation omissions are noted:
Recursive mode does not support:
* TLS as a transport
* Non-zero connection idle timeouts or query pipelining
+* Anything other than query_type and resolution_type in the return_call_reporting extension
Stub mode does not support:
* Non zero idle timeouts for synchronous calls
-* Limit on number of outstanding queries
# Known Issues
diff --git a/spec/index.html b/spec/index.html
index a0432b4c..6888489f 100644
--- a/spec/index.html
+++ b/spec/index.html
@@ -875,7 +875,7 @@ names:
query_name
(a bindata) is the name that was sent
query_type
(an int) is the type that was queried for
query_to
(a bindata) is the address to which the query was sent
-run_time
(a bindata) is the difference between the time the successful
+run_time/ms
(a bindata) is the difference between the time the successful
query started and ended in milliseconds, represented
as a uint32_t (this does not include time taken for connection set up
or transport fallback)
From 9d86928900199bebecd0ef2f5c9e9f12a48cc46c Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Fri, 4 Aug 2017 14:50:04 +0100
Subject: [PATCH 14/26] Fix all the outdated links to wiki pages in the
README.md
---
README.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index e866d47d..be70623a 100644
--- a/README.md
+++ b/README.md
@@ -99,7 +99,7 @@ Note: If you only want to build stubby, then use the `--enable-stub-only` and `-
## Extensions and Event loop dependencies
-The implementation works with a variety of event loops, each built as a separate shared library. See [the wiki](https://github.com/getdnsapi/getdns/wiki/Asynchronous-Support#wiki-included-event-loop-integrations) for more details.
+The implementation works with a variety of event loops, each built as a separate shared library. See [this Doxygen page](https://getdnsapi.net/doxygen/group__eventloops.html) and [this man page](https://getdnsapi.net/documentation/manpages/#ASYNCHRONOUS USE) for more details.
* [libevent](http://libevent.org). Note: the examples *require* this and should work with either libevent 1.x or 2.x. 2.x is preferred.
* [libuv](https://github.com/joyent/libuv)
@@ -170,8 +170,8 @@ Non-goals (things we will not be doing at least initially) include:
## Language Bindings
In parallel, the team is actively developing bindings for various languages.
-For more information, visit the
-[wiki](https://github.com/getdnsapi/getdns/wiki/Language-Bindings).
+For more information, visit this
+[webpage](https://getdnsapi.net/bindings/).
## Unsupported getDNS Features
@@ -264,7 +264,7 @@ build the packages; this is simply the one we chose to use.
If you're using [Homebrew](http://brew.sh/), you may run `brew install getdns`. By default, this will only build the core library without any 3rd party event loop support.
-To install the [event loop integration libraries](https://github.com/getdnsapi/getdns/wiki/Asynchronous-Support) that enable support for libevent, libuv, and libev, run: `brew install getdns --with-libevent --with-libuv --with-libev`. All switches are optional.
+To install the [event loop integration libraries](https://getdnsapi.net/doxygen/group__eventloops.html) that enable support for libevent, libuv, and libev, run: `brew install getdns --with-libevent --with-libuv --with-libev`. All switches are optional.
Note that in order to compile the examples, the `--with-libevent` switch is required.
From 33ff6a95acb52f29c4a2e7a8e10d99f298f2e701 Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Fri, 18 Aug 2017 17:59:49 +0100
Subject: [PATCH 15/26] Fix issue on macOX 10.10 where TCP fast open is
detected but not implemented causing TCP to fail. The fix allows fallback to
regular TCP in this case and is also more robust for cases where connectx()
fails for some reason.
---
src/stub.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/stub.c b/src/stub.c
index b8ac6710..de8121dd 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -425,15 +425,14 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
endpoints.sae_srcaddrlen = 0;
endpoints.sae_dstaddr = (struct sockaddr *)&upstream->addr;
endpoints.sae_dstaddrlen = upstream->addr_len;
- if (connectx(fd, &endpoints, SAE_ASSOCID_ANY,
+ if (connectx(fd, &endpoints, SAE_ASSOCID_ANY,
CONNECT_DATA_IDEMPOTENT | CONNECT_RESUME_ON_READ_WRITE,
- NULL, 0, NULL, NULL) == -1) {
- if (errno != EINPROGRESS) {
- close(fd);
- return -1;
- }
+ NULL, 0, NULL, NULL) == 0) {
+ return fd;
+ }
+ if (errno == EINPROGRESS) {
+ return fd;
}
- return fd;
#else
(void)transport;
#endif
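Review bot: When `connectx()` fails with anything other than `EINPROGRESS`, control now leaves the `#ifdef` block silently and continues with whatever follows `#endif`, reusing the same `fd`; nothing in the hunk says this is the intended fallback. A comment after the `EINPROGRESS` test, for example `/* connectx() failed: fall through to the regular connect() path below */`, would make that explicit. Two things should be confirmed, because `tcp_connect` begins and ends outside the hunk. One is whether a socket that has been through a failed `connectx()` can be handed to the later code unchanged. The other is whether that code closes `fd` on its own failure, now that the `close(fd)` here has been removed.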
From e57011a3ea79b662f8be0b5cd0b5674176ed9add Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 22 Aug 2017 11:25:47 +0200
Subject: [PATCH 16/26] Compile without stubby by default
And with stubby from repo (as submodule) when --with-stubby is specified
---
.gitignore | 2 +-
.gitmodules | 4 ++
Makefile.in | 34 ++++++-----
configure.ac | 16 +++---
src/Makefile.in | 57 +++++++++++++++----
src/tools/Makefile.in | 13 ++---
src/tools/stubby-setdns-macos.sh | 96 --------------------------------
src/tools/stubby.conf | 59 --------------------
stubby | 1 +
9 files changed, 86 insertions(+), 196 deletions(-)
delete mode 100755 src/tools/stubby-setdns-macos.sh
delete mode 100644 src/tools/stubby.conf
create mode 160000 stubby
diff --git a/.gitignore b/.gitignore
index d9315494..c78d500d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,7 +39,7 @@ src/test/check_getdns_ev
src/test/scratchpad
src/test/scratchpad.c
src/tools/getdns_query
-src/tools/stubby
+src/stubby
doc/*.3
src/getdns/getdns.h
*.log
diff --git a/.gitmodules b/.gitmodules
index a79d3846..aa84f96e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,3 +2,7 @@
path = src/jsmn
url = https://github.com/getdnsapi/jsmn.git
branch = getdns
+[submodule "stubby"]
+ path = stubby
+ url = https://github.com/getdnsapi/stubby.git
+ branch = master
diff --git a/Makefile.in b/Makefile.in
index 22350b55..5c46db2b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -44,7 +44,7 @@ libdir = @libdir@
srcdir = @srcdir@
INSTALL = @INSTALL@
-all : default @GETDNS_QUERY@ @STUBBY@
+all : default @GETDNS_QUERY@
everything: default
cd src/test && $(MAKE)
@@ -52,7 +52,10 @@ everything: default
default:
cd src && $(MAKE) $@
-install: default getdns.pc getdns_ext_event.pc @INSTALL_GETDNS_QUERY@ @INSTALL_STUBBY@
+install-lib:
+ cd src && $(MAKE) install
+
+install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@
$(INSTALL) -m 755 -d $(DESTDIR)$(docdir)
$(INSTALL) -m 644 $(srcdir)/AUTHORS $(DESTDIR)$(docdir)
$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(docdir)
@@ -66,8 +69,7 @@ install: default getdns.pc getdns_ext_event.pc @INSTALL_GETDNS_QUERY@ @INSTALL_S
$(INSTALL) -m 644 getdns_ext_event.pc $(DESTDIR)$(libdir)/pkgconfig
$(INSTALL) -m 755 -d $(DESTDIR)$(docdir)/spec
$(INSTALL) -m 644 $(srcdir)/spec/index.html $(DESTDIR)$(docdir)/spec
- cd src && $(MAKE) $@
- cd doc && $(MAKE) $@
+ cd doc && $(MAKE) install
@echo "***"
@echo "*** !!! IMPORTANT !!!! libgetdns needs a DNSSEC trust anchor!"
@echo "***"
@@ -86,7 +88,7 @@ install: default getdns.pc getdns_ext_event.pc @INSTALL_GETDNS_QUERY@ @INSTALL_S
@echo "*** at package installation time from the post-install script."
@echo "***"
-uninstall: @UNINSTALL_GETDNS_QUERY@ @UNINSTALL_STUBBY@
+uninstall: @UNINSTALL_GETDNS_QUERY@
rm -rf $(DESTDIR)$(docdir)
cd doc && $(MAKE) $@
cd src && $(MAKE) $@
@@ -103,8 +105,8 @@ test: default
getdns_query: default
cd src/tools && $(MAKE) $@
-stubby: getdns_query
- cd src/tools && $(MAKE) $@
+stubby:
+ cd src && $(MAKE) $@
scratchpad: default
cd src/test && $(MAKE) $@
@@ -112,17 +114,17 @@ scratchpad: default
pad: scratchpad
src/test/scratchpad || ./libtool exec gdb src/test/scratchpad
-install-getdns_query: getdns_query
+install-getdns_query: install-lib
cd src/tools && $(MAKE) $@
uninstall-getdns_query:
cd src/tools && $(MAKE) $@
-install-stubby: getdns_query
- cd src/tools && $(MAKE) $@
+install-stubby:
+ cd src && $(MAKE) $@
uninstall-stubby:
- cd src/tools && $(MAKE) $@
+ cd src && $(MAKE) $@
clean:
cd src && $(MAKE) $@
@@ -190,7 +192,6 @@ $(distdir):
mkdir -p $(distdir)/src
mkdir -p $(distdir)/src/getdns
mkdir -p $(distdir)/src/test
- mkdir -p $(distdir)/src/test/jsmn
mkdir -p $(distdir)/src/extension
mkdir -p $(distdir)/src/compat
mkdir -p $(distdir)/src/util
@@ -201,6 +202,8 @@ $(distdir):
mkdir -p $(distdir)/systemd
mkdir -p $(distdir)/spec
mkdir -p $(distdir)/spec/example
+ mkdir -p $(distdir)/stubby
+ mkdir -p $(distdir)/stubby/src
cp $(srcdir)/configure.ac $(distdir)
cp $(srcdir)/configure $(distdir)
cp $(srcdir)/AUTHORS $(distdir)
@@ -245,8 +248,11 @@ $(distdir):
cp $(srcdir)/systemd/stubby.* $(distdir)/systemd
cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools
cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools
- cp $(srcdir)/src/tools/stubby.conf $(distdir)/src/tools
- cp $(srcdir)/src/tools/stubby-setdns-macos.sh $(distdir)/src/tools
+ cp $(srcdir)/stubby/stubby.conf.example $(distdir)/stubby
+ cp $(srcdir)/stubby/stubby-setdns-macos.sh $(distdir)/stubby
+ cp $(srcdir)/stubby/src/stubby.c $(distdir)/stubby/src
+ cp $(srcdir)/stubby/COPYING $(distdir)/stubby
+ cp $(srcdir)/stubby/README.md $(distdir)/stubby
cp $(srcdir)/src/jsmn/*.[ch] $(distdir)/src/jsmn
cp $(srcdir)/src/jsmn/LICENSE $(distdir)/src/jsmn
cp $(srcdir)/src/jsmn/README.md $(distdir)/src/jsmn
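Review bot: The `cp $(srcdir)/stubby/...` lines added to `$(distdir)` run unconditionally, so `make dist` now fails on a checkout where the stubby submodule was never initialised, even though stubby itself became optional in this commit. The configure.ac hunk makes the same assumption: `--with-stubby` is accepted without checking that the sources exist, so the failure only surfaces later in `make`. A check inside the `x_yes` branch, such as `test -f "$srcdir/stubby/src/stubby.c" || AC_MSG_ERROR([stubby sources missing; run git submodule update --init])`, would report it at configure time. The `$(distdir)` rule starts outside this hunk.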
diff --git a/configure.ac b/configure.ac
index 7c445a27..a48577e4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1009,17 +1009,17 @@ AC_SUBST(GETDNS_QUERY)
AC_SUBST(INSTALL_GETDNS_QUERY)
AC_SUBST(UNINSTALL_GETDNS_QUERY)
-AC_ARG_WITH(stubby, AS_HELP_STRING([--without-stubby],
- [Do not compile and install stubby, the (stub) resolver daemon]),
- [], [withval="yes"])
-if test x_$withval = x_no; then
- STUBBY=""
- INSTALL_STUBBY=""
- UNINSTALL_STUBBY=""
-else
+AC_ARG_WITH(stubby, AS_HELP_STRING([--with-stubby],
+ [Compile and install stubby, the (stub) resolver daemon]),
+ [], [withval="no"])
+if test x_$withval = x_yes; then
STUBBY="stubby"
INSTALL_STUBBY="install-stubby"
UNINSTALL_STUBBY="uninstall-stubby"
+else
+ STUBBY=""
+ INSTALL_STUBBY=""
+ UNINSTALL_STUBBY=""
fi
AC_SUBST(STUBBY)
AC_SUBST(INSTALL_STUBBY)
diff --git a/src/Makefile.in b/src/Makefile.in
index 2342e250..22056063 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -35,16 +35,23 @@ libversion = @GETDNS_LIBVERSION@
prefix = @prefix@
exec_prefix = @exec_prefix@
bindir = @bindir@
+sbindir = @sbindir@
libdir = @libdir@
includedir = @includedir@
+sysconfdir = @sysconfdir@
+localstatedir = @localstatedir@
+runstatedir = @runstatedir@
+stubbyconfdir = $(sysconfdir)/stubby
have_libevent = @have_libevent@
have_libuv = @have_libuv@
have_libev = @have_libev@
# datarootdir is here to please some checkers
datarootdir=@datarootdir@
INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
srcdir = @srcdir@
+stubbysrcdir = $(srcdir)/../stubby
LIBTOOL = ../libtool
CC=@CC@
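Review bot: `runstatedir = @runstatedir@` relies on configure substituting that variable, which stock Autoconf only does from version 2.70 onwards. With an older Autoconf and no explicit `AC_SUBST(runstatedir)` (none appears in this commit's configure.ac hunk, though it may exist elsewhere), the literal text `@runstatedir@` would end up in the generated Makefile and in `-DRUNSTATEDIR` in the `stubby.lo` rule later in this file. A fallback in configure.ac, for example `test -n "$runstatedir" || runstatedir='${localstatedir}/run'` followed by `AC_SUBST(runstatedir)`, keeps the path well defined on both old and new toolchains.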
@@ -75,6 +82,8 @@ GETDNS_OBJ=const-info.lo convert.lo dict.lo dnssec.lo general.lo \
GLDNS_OBJ=keyraw.lo gbuffer.lo wire2str.lo parse.lo parseutil.lo rrdef.lo \
str2wire.lo
+PROGRAMS=@STUBBY@
+
LIBOBJDIR=
LIBOBJS=@LIBOBJS@
COMPAT_OBJ=$(LIBOBJS:.o=.lo)
@@ -97,7 +106,7 @@ NON_C99_OBJS=context.lo libuv.lo
default: all
-all: libgetdns.la $(EXTENSION_LIBEVENT_LIB) $(EXTENSION_LIBUV_LIB) $(EXTENSION_LIBEV_LIB)
+all: libgetdns.la $(EXTENSION_LIBEVENT_LIB) $(EXTENSION_LIBUV_LIB) $(EXTENSION_LIBEV_LIB) $(PROGRAMS)
$(GETDNS_OBJ):
$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/$(@:.lo=.c) -o $@
@@ -123,25 +132,35 @@ context.lo:
libuv.lo:
$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/extension/libuv.c -o libuv.lo
-install: libgetdns.la
+install-headers: getdns/getdns.h getdns/getdns_extra.h
$(INSTALL) -m 755 -d $(DESTDIR)$(includedir)
$(INSTALL) -m 755 -d $(DESTDIR)$(includedir)/getdns
$(INSTALL) -m 644 getdns/getdns.h $(DESTDIR)$(includedir)/getdns/getdns.h
$(INSTALL) -m 644 getdns/getdns_extra.h $(DESTDIR)$(includedir)/getdns/getdns_extra.h
+ if test $(have_libevent) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libevent.h $(DESTDIR)$(includedir)/getdns/ ; fi
+ if test $(have_libuv) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libuv.h $(DESTDIR)$(includedir)/getdns/ ; fi
+ if test $(have_libev) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libev.h $(DESTDIR)$(includedir)/getdns/ ; fi
+
+uninstall-headers:
+ rm -rf $(DESTDIR)$(includedir)/getdns
+
+install-libs: libgetdns.la
$(INSTALL) -m 755 -d $(DESTDIR)$(libdir)
$(LIBTOOL) --mode=install cp libgetdns.la $(DESTDIR)$(libdir)
- if test $(have_libevent) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libevent.h $(DESTDIR)$(includedir)/getdns/ ; $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEVENT_LIB) $(DESTDIR)$(libdir) ; fi
- if test $(have_libuv) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libuv.h $(DESTDIR)$(includedir)/getdns/ ; $(LIBTOOL) --mode=install cp $(EXTENSION_LIBUV_LIB) $(DESTDIR)$(libdir) ; fi
- if test $(have_libev) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libev.h $(DESTDIR)$(includedir)/getdns/ ; $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEV_LIB) $(DESTDIR)$(libdir) ; fi
-
+ if test $(have_libevent) = 1 ; then $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEVENT_LIB) $(DESTDIR)$(libdir) ; fi
+ if test $(have_libuv) = 1 ; then $(LIBTOOL) --mode=install cp $(EXTENSION_LIBUV_LIB) $(DESTDIR)$(libdir) ; fi
+ if test $(have_libev) = 1 ; then $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEV_LIB) $(DESTDIR)$(libdir) ; fi
$(LIBTOOL) --mode=finish $(DESTDIR)$(libdir)
-uninstall:
- rm -rf $(DESTDIR)$(includedir)/getdns
- $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/libgetdns.la
+uninstall-libs:
if test $(have_libevent) = 1; then $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$(EXTENSION_LIBEVENT_LIB) ; fi
if test $(have_libuv) = 1; then $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$(EXTENSION_LIBUV_LIB) ; fi
if test $(have_libev) = 1; then $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$(EXTENSION_LIBEV_LIB) ; fi
+ $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/libgetdns.la
+
+install: install-libs install-headers @INSTALL_STUBBY@
+
+uninstall: @UNINSTALL_STUBBY@ uninstall-headers uninstall-libs
libgetdns_ext_event.la: libgetdns.la libevent.lo
$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libevent.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEVENT_LDFLAGS) $(EXTENSION_LIBEVENT_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libevent.symbols
@@ -163,8 +182,24 @@ test: default
getdns_query: default
cd tools && $(MAKE) $@
-stubby: getdns_query
- cd tools && $(MAKE) $@
+stubby.lo: $(stubbysrcdir)/src/stubby.c
+ $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $< -o $@
+
+stubby: stubby.lo libgetdns.la
+ $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ stubby.lo $(LDFLAGS) libgetdns.la
+
+install-stubby: stubby $(stubbysrcdir)/stubby.conf.example $(stubbysrcdir)/stubby-setdns-macos.sh
+ $(INSTALL) -m 755 -d $(DESTDIR)$(bindir)
+ $(LIBTOOL) --mode=install cp stubby $(DESTDIR)$(bindir)
+ $(INSTALL) -m 755 -d $(DESTDIR)$(sbindir)
+ $(INSTALL) -m 755 $(stubbysrcdir)/stubby-setdns-macos.sh $(DESTDIR)$(sbindir)
+ $(INSTALL) -m 755 -d $(DESTDIR)$(stubbyconfdir)
+ test -f $(DESTDIR)$(stubbyconfdir)/stubby.conf || \
+ $(INSTALL_DATA) $(stubbysrcdir)/stubby.conf.example $(DESTDIR)$(stubbyconfdir)/stubby.conf
+
+uninstall-stubby:
+ $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/stubby
+ rm -f $(DESTDIR)$(sbindir)/stubby-setdns-macos.sh
scratchpad: default
cd test && $(MAKE) $@
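Review bot: `install-stubby` does not depend on `install-libs`, yet it runs `$(LIBTOOL) --mode=install cp stubby` for a program linked against the uninstalled `libgetdns.la`. The `install:` rule in the previous hunk lists both as prerequisites without any ordering between them, so under a parallel `make install` libtool may be asked to install the program before the library is in `$(libdir)`. The top-level Makefile.in in this same commit already orders the equivalent step with `install-getdns_query: install-lib`. Doing the same here, `install-stubby: install-libs stubby $(stubbysrcdir)/stubby.conf.example $(stubbysrcdir)/stubby-setdns-macos.sh`, would be consistent.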
diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in
index 7e291603..3cba9659 100644
--- a/src/tools/Makefile.in
+++ b/src/tools/Makefile.in
@@ -68,8 +68,8 @@ $(ALL_OBJS):
getdns_query: getdns_query.lo
$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ getdns_query.lo $(LDFLAGS) $(LDLIBS)
-stubby: getdns_query.lo
- $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ getdns_query.lo $(LDFLAGS) $(LDLIBS)
+stubby:
+ cd .. && $(MAKE) $@
install-getdns_query: getdns_query
$(INSTALL) -m 755 -d $(DESTDIR)$(bindir)
@@ -78,15 +78,14 @@ install-getdns_query: getdns_query
uninstall-getdns_query:
$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/getdns_query
-install-stubby: getdns_query
- $(INSTALL) -m 755 -d $(DESTDIR)$(bindir)
- $(LIBTOOL) --mode=install cp getdns_query $(DESTDIR)$(bindir)/stubby
+install-stubby:
+ cd .. && $(MAKE) $@
uninstall-stubby:
- $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/stubby
+ cd .. && $(MAKE) $@
clean:
- rm -f *.o *.lo $(PROGRAMS) stubby
+ rm -f *.o *.lo $(PROGRAMS)
rm -rf .libs
distclean : clean
diff --git a/src/tools/stubby-setdns-macos.sh b/src/tools/stubby-setdns-macos.sh
deleted file mode 100755
index 90f1e45f..00000000
--- a/src/tools/stubby-setdns-macos.sh
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) 2017, Verisign, Inc., NLnet Labs
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the names of the copyright holders nor the
-# names of its contributors may be used to endorse or promote products
-# derived from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
-# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
-# Stubby helper file to set DNS servers on macOS.
-# Note - this script doesn't detect or handle network events, simply changes the
-# current resolvers
-# Must run as root.
-
-usage () {
- echo
- echo "Update the system DNS resolvers so that Stubby is used for all DNS"
- echo "queries on macOS. (Stubby must already be running)"
- echo "This must be run as root."
- echo
- echo "Usage: $0 options"
- echo
- echo "Supported options:"
- echo " -r Reset DNS resolvers to the default ones (e.g. from DHCP)"
- echo " -l List the current DNS settings for all interfaces"
- echo " -h Show this help."
-}
-
-RESET=0
-LIST=0
-SERVERS="127.0.0.1 ::1"
-OS_X=`uname -a | grep -c 'Darwin'`
-
-while getopts ":rlh" opt; do
- case $opt in
- r ) RESET=1 ;;
- l ) LIST=1 ;;
- h ) usage
- exit 1 ;;
- \? ) usage
- exit 1 ;;
- esac
-done
-
-
-if [[ $OS_X -eq 0 ]]; then
- echo "Sorry - This script only works on macOS and you are on a different OS."
- exit 1
-fi
-
-if [[ $LIST -eq 1 ]]; then
- echo "** Current DNS settings **"
- networksetup -listallnetworkservices 2>/dev/null | grep -v '*' | while read x ; do
- RESULT=`networksetup -getdnsservers "$x"`
- RESULT=`echo $RESULT`
- printf '%-30s %s\n' "$x:" "$RESULT"
- done
- exit 1
-fi
-
-if [ "$USER" != "root" ]; then
- echo "Must be root to update system resolvers. Retry using 'sudo stubby-setdns'"
- exit 1
-fi
-
-if [[ $RESET -eq 1 ]]; then
- SERVERS="empty"
- echo "Setting DNS servers to '"$SERVERS"' - the system will use default DNS service."
-else
- echo "Setting DNS servers to '"$SERVERS"' - the system will use Stubby if it is running."
-fi
-
-### Set the DNS settings via networksetup ###
-networksetup -listallnetworkservices 2>/dev/null | grep -v '*' | while read x ; do
- networksetup -setdnsservers "$x" $SERVERS
-done
-
diff --git a/src/tools/stubby.conf b/src/tools/stubby.conf
deleted file mode 100644
index 56fffaff..00000000
--- a/src/tools/stubby.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-{ resolution_type: GETDNS_RESOLUTION_STUB
-, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
-, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
-, tls_query_padding_blocksize: 256
-, edns_client_subnet_private : 1
-, listen_addresses: [ 127.0.0.1, 0::1 ]
-, idle_timeout: 10000
-, round_robin_upstreams: 1
-, upstream_recursive_servers:
- [ { address_data: 145.100.185.15
- , tls_auth_name: "dnsovertls.sinodun.com"
- , tls_pubkey_pinset:
- [ { digest: "sha256"
- , value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- } ]
- },
- { address_data: 145.100.185.16
- , tls_auth_name: "dnsovertls1.sinodun.com"
- , tls_pubkey_pinset:
- [ { digest: "sha256"
- , value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
- } ]
- },
- { address_data: 185.49.141.37
- , tls_auth_name: "getdnsapi.net"
- , tls_pubkey_pinset:
- [ { digest: "sha256"
- , value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
- } ]
- },
- { address_data: 2001:610:1:40ba:145:100:185:15
- , tls_auth_name: "dnsovertls.sinodun.com"
- , tls_pubkey_pinset:
- [ { digest: "sha256"
- , value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- } ]
- },
- { address_data: 2001:610:1:40ba:145:100:185:16
- , tls_auth_name: "dnsovertls1.sinodun.com"
- , tls_pubkey_pinset:
- [ { digest: "sha256"
- , value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
- } ]
- },
- { address_data: 2a04:b900:0:100::37
- , tls_auth_name: "getdnsapi.net"
- , tls_pubkey_pinset:
- [ { digest: "sha256"
- , value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
- } ]
- },
- { address_data: 89.233.43.71
- , tls_auth_name: "unicast.censurfridns.dk"
- },
- { address_data: 2a01:3a0:53:53::
- , tls_auth_name: "unicast.censurfridns.dk"
- }
- ]
-}
diff --git a/stubby b/stubby
new file mode 160000
index 00000000..ac0be7b0
--- /dev/null
+++ b/stubby
@@ -0,0 +1 @@
+Subproject commit ac0be7b0549a32fc5e9e7ef11e2d120edda61368
From 2c8e7461dad4efc57494998492f3dbf359fc271d Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 22 Aug 2017 11:47:04 +0200
Subject: [PATCH 17/26] Update stubby module to develop branch
---
.gitmodules | 2 +-
stubby | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitmodules b/.gitmodules
index aa84f96e..bc0b060e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -5,4 +5,4 @@
[submodule "stubby"]
path = stubby
url = https://github.com/getdnsapi/stubby.git
- branch = master
+ branch = develop
diff --git a/stubby b/stubby
index ac0be7b0..2fa29a7b 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit ac0be7b0549a32fc5e9e7ef11e2d120edda61368
+Subproject commit 2fa29a7b040a993c045ea3e75ae25420e6807c71
From 516570e1f8a97e7566e5b0cc021a84246d5dfa65 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 22 Aug 2017 12:16:48 +0200
Subject: [PATCH 18/26] Include stubby (building) in tpkg testing
---
.../300-event-loops-configure.test | 14 +++++++-------
.../400-static-analysis.pre | 14 +++++++-------
stubby | 2 +-
3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test b/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test
index 5da09cd9..1169e337 100644
--- a/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test
+++ b/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test
@@ -7,10 +7,10 @@
rm -fr "${BUILDDIR}/build-event-loops"
mkdir "${BUILDDIR}/build-event-loops"
cd "${BUILDDIR}/build-event-loops"
-"${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libev --with-libuv \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libev \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libuv \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libev --with-libuv \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libev \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libuv
+"${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libuv \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev --with-libuv \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libuv
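Review bot: The rewritten `configure` invocations keep the unquoted `$*`, which re-splits any argument that contains whitespace (a `CFLAGS=...` value with several flags, for instance) before it reaches configure. Since all seven lines are being touched anyway, `"${SRCROOT}/configure" "$@" --enable-all-drafts --with-stubby ...` would pass the caller's arguments through unchanged. The identical block in 400-static-analysis.pre in this commit has the same form.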
diff --git a/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre b/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre
index bda600f8..a79bdeed 100644
--- a/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre
+++ b/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre
@@ -25,11 +25,11 @@ done
rm -fr "${BUILDDIR}/build-static-analysis"
mkdir "${BUILDDIR}/build-static-analysis"
cd "${BUILDDIR}/build-static-analysis"
-"${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libev --with-libuv \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libev \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent --with-libuv \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libev --with-libuv \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libevent \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libev \
- || "${SRCROOT}/configure" $* --enable-all-drafts --with-getdns_query --with-libuv
+"${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libuv \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev --with-libuv \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev \
+ || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libuv
diff --git a/stubby b/stubby
index 2fa29a7b..1e19dcb5 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 2fa29a7b040a993c045ea3e75ae25420e6807c71
+Subproject commit 1e19dcb50f662b16717040b65e3d5fec4a332bd7
From f949f4a1361ab7649d8d6bb6037a198ccbf7948c Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 22 Aug 2017 12:42:52 +0200
Subject: [PATCH 19/26] Sync with unbound
---
src/gldns/gbuffer.c | 2 ++
src/gldns/parseutil.c | 9 +++++++++
src/gldns/str2wire.c | 8 ++++++++
src/gldns/wire2str.c | 6 ++++++
src/util/lookup3.c | 14 +++++++++++++
src/util/val_secalgo.c | 45 ++++++++++++++++++++++++++++++++++++++++++
6 files changed, 84 insertions(+)
diff --git a/src/gldns/gbuffer.c b/src/gldns/gbuffer.c
index 04c257fb..180fa631 100644
--- a/src/gldns/gbuffer.c
+++ b/src/gldns/gbuffer.c
@@ -50,6 +50,8 @@ gldns_buffer_new_frm_data(gldns_buffer *buffer, void *data, size_t size)
buffer->_limit = buffer->_capacity = size;
buffer->_fixed = 0;
buffer->_vfixed = 0;
+ if (!buffer->_fixed && buffer->_data)
+ free(buffer->_data);
buffer->_data = malloc(size);
if(!buffer->_data) {
buffer->_status_err = 1;
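Review bot: The added `if (!buffer->_fixed && buffer->_data)` tests `_fixed` immediately after the context line `buffer->_fixed = 0;`, so the first half of the condition is always true and the previous value of the flag is never consulted. As written, a buffer whose `_data` was caller-owned (fixed) would have that memory passed to `free()`, and a `gldns_buffer` that was not zero-initialised before this call would free an indeterminate pointer. If releasing an earlier allocation is the intent, the test needs to run before the flag is reset, i.e. move `if (!buffer->_fixed && buffer->_data) free(buffer->_data);` above `buffer->_fixed = 0;`. The function comment should also state that `buffer` must be zero-initialised or previously valid. The function starts and ends outside the hunk, so its callers are not visible here.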
diff --git a/src/gldns/parseutil.c b/src/gldns/parseutil.c
index d68fa89c..558446cb 100644
--- a/src/gldns/parseutil.c
+++ b/src/gldns/parseutil.c
@@ -402,10 +402,12 @@ gldns_b32_ntop_base(const uint8_t* src, size_t src_sz, char* dst, size_t dst_sz,
/* ........ ........ ....4444 4....... ........ */
c = src[3] >> 7 ;
+ /* fallthrough */
case 3: dst[4] = b32[(src[2] & 0x0f) << 1 | c];
/* ........ .......3 3333.... ........ ........ */
c = src[2] >> 4 ;
+ /* fallthrough */
case 2: dst[3] = b32[(src[1] & 0x01) << 4 | c];
/* ........ ..22222. ........ ........ ........ */
@@ -413,6 +415,7 @@ gldns_b32_ntop_base(const uint8_t* src, size_t src_sz, char* dst, size_t dst_sz,
/* .....111 11...... ........ ........ ........ */
c = src[1] >> 6 ;
+ /* fallthrough */
case 1: dst[1] = b32[(src[0] & 0x07) << 2 | c];
/* 00000... ........ ........ ........ ........ */
@@ -423,9 +426,12 @@ gldns_b32_ntop_base(const uint8_t* src, size_t src_sz, char* dst, size_t dst_sz,
switch (src_sz) {
case 1: dst[2] = '=';
dst[3] = '=';
+ /* fallthrough */
case 2: dst[4] = '=';
+ /* fallthrough */
case 3: dst[5] = '=';
dst[6] = '=';
+ /* fallthrough */
case 4: dst[7] = '=';
}
}
@@ -537,15 +543,18 @@ gldns_b32_pton_base(const char* src, size_t src_sz, uint8_t* dst, size_t dst_sz,
/* ........ ........ ........ .55555.. ........ */
/* ........ ........ ....4444 4....... ........ */
dst[3] = buf[4] << 7 | buf[5] << 2 | buf[6] >> 3;
+ /* fallthrough */
case 5: /* ........ ........ ....4444 4....... ........ */
/* ........ .......3 3333.... ........ ........ */
dst[2] = buf[3] << 4 | buf[4] >> 1;
+ /* fallthrough */
case 4: /* ........ .......3 3333.... ........ ........ */
/* ........ ..22222. ........ ........ ........ */
/* .....111 11...... ........ ........ ........ */
dst[1] = buf[1] << 6 | buf[2] << 1 | buf[3] >> 4;
+ /* fallthrough */
case 2: /* .....111 11...... ........ ........ ........ */
/* 00000... ........ ........ ........ ........ */
diff --git a/src/gldns/str2wire.c b/src/gldns/str2wire.c
index 2762aa38..ffd3d464 100644
--- a/src/gldns/str2wire.c
+++ b/src/gldns/str2wire.c
@@ -1190,6 +1190,10 @@ int gldns_str2wire_b64_buf(const char* str, uint8_t* rd, size_t* len)
{
size_t sz = gldns_b64_pton_calculate_size(strlen(str));
int n;
+ if(strcmp(str, "0") == 0) {
+ *len = 0;
+ return GLDNS_WIREPARSE_ERR_OK;
+ }
if(*len < sz)
return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
n = gldns_b64_pton(str, rd, *len);
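Review bot: The new `strcmp(str, "0") == 0` branch has no comment explaining why a lone `0` is accepted and produces zero bytes of output. The hex hunk below and the two wire2str.c hunks in this commit implement the matching convention (zero-length data is printed as `0`), also without comment. A one-line comment such as `/* "0" is the text form of an empty field, as printed by gldns_wire2str_b64_scan */` would tie the parser and printer together for the next reader. The hex variant's test sits inside its scanning loop and appears to be reached after skipped characters, while this one requires the whole string to be exactly `0`; if that difference is unintended the two should be aligned.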
@@ -1223,6 +1227,10 @@ int gldns_str2wire_hex_buf(const char* str, uint8_t* rd, size_t* len)
s++;
continue;
}
+ if(dlen == 0 && *s == '0' && *(s+1) == 0) {
+ *len = 0;
+ return GLDNS_WIREPARSE_ERR_OK;
+ }
if(!isxdigit((unsigned char)*s))
return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_HEX, s-str);
if(*len < dlen/2 + 1)
diff --git a/src/gldns/wire2str.c b/src/gldns/wire2str.c
index 245c9794..2718925e 100644
--- a/src/gldns/wire2str.c
+++ b/src/gldns/wire2str.c
@@ -1220,11 +1220,17 @@ static int gldns_wire2str_b64_scan_num(uint8_t** d, size_t* dl, char** s,
int gldns_wire2str_b64_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
{
+ if(*dl == 0) {
+ return gldns_str_print(s, sl, "0");
+ }
return gldns_wire2str_b64_scan_num(d, dl, s, sl, *dl);
}
int gldns_wire2str_hex_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
{
+ if(*dl == 0) {
+ return gldns_str_print(s, sl, "0");
+ }
return print_remainder_hex("", d, dl, s, sl);
}
diff --git a/src/util/lookup3.c b/src/util/lookup3.c
index e9b05af3..cc110748 100644
--- a/src/util/lookup3.c
+++ b/src/util/lookup3.c
@@ -5,6 +5,7 @@
added #ifdef VALGRIND to remove 298,384,660 'unused variable k8' warnings.
added include of lookup3.h to check definitions match declarations.
removed include of stdint - config.h takes care of platform independence.
+ added fallthrough comments for new gcc warning suppression.
url http://burtleburtle.net/bob/hash/index.html.
*/
/*
@@ -235,7 +236,9 @@ uint32_t initval) /* the previous hash, or an arbitrary value */
switch(length) /* all the case statements fall through */
{
case 3 : c+=k[2];
+ /* fallthrough */
case 2 : b+=k[1];
+ /* fallthrough */
case 1 : a+=k[0];
final(a,b,c);
case 0: /* case 0: nothing left to add */
@@ -473,16 +476,27 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
switch(length) /* all the case statements fall through */
{
case 12: c+=((uint32_t)k[11])<<24;
+ /* fallthrough */
case 11: c+=((uint32_t)k[10])<<16;
+ /* fallthrough */
case 10: c+=((uint32_t)k[9])<<8;
+ /* fallthrough */
case 9 : c+=k[8];
+ /* fallthrough */
case 8 : b+=((uint32_t)k[7])<<24;
+ /* fallthrough */
case 7 : b+=((uint32_t)k[6])<<16;
+ /* fallthrough */
case 6 : b+=((uint32_t)k[5])<<8;
+ /* fallthrough */
case 5 : b+=k[4];
+ /* fallthrough */
case 4 : a+=((uint32_t)k[3])<<24;
+ /* fallthrough */
case 3 : a+=((uint32_t)k[2])<<16;
+ /* fallthrough */
case 2 : a+=((uint32_t)k[1])<<8;
+ /* fallthrough */
case 1 : a+=k[0];
break;
case 0 : return c;
diff --git a/src/util/val_secalgo.c b/src/util/val_secalgo.c
index 88d23472..e9ec5a5b 100644
--- a/src/util/val_secalgo.c
+++ b/src/util/val_secalgo.c
@@ -1320,6 +1320,9 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
#include "ecdsa.h"
#include "ecc-curve.h"
#endif
+#ifdef HAVE_NETTLE_EDDSA_H
+#include "eddsa.h"
+#endif
static int
_digest_nettle(int algo, uint8_t* buf, size_t len,
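Review bot: The include of `eddsa.h` is guarded by `HAVE_NETTLE_EDDSA_H`, but the code that needs it later in this patch (`_verify_nettle_ed25519` and the `LDNS_ED25519` cases) is guarded by `USE_ED25519`. Whether configure can define the second without the first is not visible here; if it can, the build fails on undeclared `ED25519_KEY_SIZE` and `ed25519_sha512_verify` with no hint about the cause. A guard next to the include would make the dependency explicit: `#if defined(USE_ED25519) && !defined(HAVE_NETTLE_EDDSA_H)`, `#error "USE_ED25519 with nettle requires eddsa.h"`, `#endif`.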
@@ -1477,6 +1480,10 @@ dnskey_algo_id_is_supported(int id)
case LDNS_ECDSAP384SHA384:
#endif
return 1;
+#ifdef USE_ED25519
+ case LDNS_ED25519:
+ return 1;
+#endif
case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
case LDNS_ECC_GOST:
default:
@@ -1718,6 +1725,30 @@ _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char*
}
#endif
+#ifdef USE_ED25519
+static char *
+_verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock,
+ unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
+{
+ int res = 0;
+
+ if(sigblock_len != ED25519_SIGNATURE_SIZE) {
+ return "wrong ED25519 signature length";
+ }
+ if(keylen != ED25519_KEY_SIZE) {
+ return "wrong ED25519 key length";
+ }
+
+ res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf),
+ sldns_buffer_begin(buf), (uint8_t*)sigblock);
+
+ if (!res)
+ return "ED25519 signature verification failed";
+ else
+ return NULL;
+}
+#endif
+
/**
* Check a canonical sig+rrset and signature against a dnskey
* @param buf: buffer with data to verify, the first rrsig part and the
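Review bot: `_verify_nettle_ed25519` is added without a comment stating its return contract, and that contract is inverted relative to the call it wraps. The `if (!res)` branch treats a zero result from `ed25519_sha512_verify` as failure, while this function returns NULL for a valid signature and a reason string otherwise. I would add above the function `/* Verify an Ed25519 signature over the buffer from begin to limit. Returns NULL if it verifies, else a static reason string. */` so a later caller does not read a non-NULL return as success. The two length checks deserve a why-comment as well, for example `/* the verify call takes no key or signature length, so reject wrong sizes here */`, since as far as this hunk shows they are the only thing bounding the reads of `key` and `sigblock`.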
@@ -1759,9 +1790,13 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
case LDNS_RSASHA1_NSEC3:
digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
#endif
+ /* double fallthrough annotation to please gcc parser */
+ /* fallthrough */
#ifdef USE_SHA2
+ /* fallthrough */
case LDNS_RSASHA256:
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+ /* fallthrough */
case LDNS_RSASHA512:
digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
@@ -1776,6 +1811,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
#ifdef USE_ECDSA
case LDNS_ECDSAP256SHA256:
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+ /* fallthrough */
case LDNS_ECDSAP384SHA384:
digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
@@ -1784,6 +1820,15 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
return sec_status_bogus;
else
return sec_status_secure;
+#endif
+#ifdef USE_ED25519
+ case LDNS_ED25519:
+ *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len,
+ key, keylen);
+ if (*reason != NULL)
+ return sec_status_bogus;
+ else
+ return sec_status_secure;
#endif
case LDNS_RSAMD5:
case LDNS_ECC_GOST:
From 3e07bb519c57c77c6eaff7d47721a5cc666e23ae Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Wed, 23 Aug 2017 16:10:47 +0200
Subject: [PATCH 20/26] Remove systemd (because it moved to stubby repo)
---
Makefile.in | 3 ---
systemd/README.md | 16 ----------------
systemd/stubby.conf | 2 --
systemd/stubby.service | 12 ------------
4 files changed, 33 deletions(-)
delete mode 100644 systemd/README.md
delete mode 100644 systemd/stubby.conf
delete mode 100644 systemd/stubby.service
diff --git a/Makefile.in b/Makefile.in
index 5c46db2b..422f6d80 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -199,7 +199,6 @@ $(distdir):
mkdir -p $(distdir)/src/tools
mkdir -p $(distdir)/src/jsmn
mkdir -p $(distdir)/doc
- mkdir -p $(distdir)/systemd
mkdir -p $(distdir)/spec
mkdir -p $(distdir)/spec/example
mkdir -p $(distdir)/stubby
@@ -244,8 +243,6 @@ $(distdir):
cp $(srcdir)/spec/*.html $(distdir)/spec
cp $(srcdir)/spec/example/Makefile.in $(distdir)/spec/example
cp $(srcdir)/spec/example/*.[ch] $(distdir)/spec/example
- cp $(srcdir)/systemd/README.md $(distdir)/systemd
- cp $(srcdir)/systemd/stubby.* $(distdir)/systemd
cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools
cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools
cp $(srcdir)/stubby/stubby.conf.example $(distdir)/stubby
diff --git a/systemd/README.md b/systemd/README.md
deleted file mode 100644
index 98cea72d..00000000
--- a/systemd/README.md
+++ /dev/null
@@ -1,16 +0,0 @@
-Stubby integration with systemd
-===============================
-
-For GNU/Linux operating systems which use systemd as a process
-manager, you might want to run stubby as a system service.
-
-This directory provides recommended systemd unit files.
-
-This setup assumes that there is a system-level user named "stubby"
-which is in group "stubby", and try to limit the privileges of the
-running daemon to that user as closely as possible.
-
-Normally, a downstream distributor will install them as:
-
- /usr/lib/tmpfiles.d/stubby.conf
- /lib/systemd/system/stubby.service
diff --git a/systemd/stubby.conf b/systemd/stubby.conf
deleted file mode 100644
index bf704927..00000000
--- a/systemd/stubby.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# tmpfiles.d (5) for use with stubby.service
-d /run/stubby 0750 root stubby - -
diff --git a/systemd/stubby.service b/systemd/stubby.service
deleted file mode 100644
index b85b8e90..00000000
--- a/systemd/stubby.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=stubby DNS resolver
-
-[Service]
-WorkingDirectory=/run/stubby
-ExecStart=/usr/bin/stubby
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-User=stubby
-
-[Install]
-WantedBy=multi-user.target
From 4ed82b65215a379ac8709ae01aa52a55ae48c903 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Wed, 23 Aug 2017 16:12:18 +0200
Subject: [PATCH 21/26] Tweak README
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c6426c29..32f1331f 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ As well as building the getdns library 2 other tools are installed by default by
* getdns_query: a command line test script wrapper for getdns
* stubby: an experimental DNS Privacy enabled client
-Note: If you only want to build stubby, then use the `--enable-stub-only` and `--without-libidn` options when running 'configure'.
+Note: If you only want to build stubby, then use the `--with-stubby` option when running 'configure'.
## Minimizing dependencies
From bef36d12f16ccc044c24d2b0fd5cfa3cf08affdd Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 24 Aug 2017 11:31:05 +0200
Subject: [PATCH 22/26] Stubby submodule on v0.1.2 release tag
---
stubby | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stubby b/stubby
index 1e19dcb5..499a82f5 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 1e19dcb50f662b16717040b65e3d5fec4a332bd7
+Subproject commit 499a82f55579bbba754cd620f88b20da6a167929
From 4ecf9ad8c6e2a39c1d658828360887937e3c49e6 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 24 Aug 2017 11:36:20 +0200
Subject: [PATCH 23/26] The submodule update --init only for git checkouts
---
README.md | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 88570502..b54c8f73 100644
--- a/README.md
+++ b/README.md
@@ -69,10 +69,6 @@ If you are installing from packages, you have to install the library and also th
External dependencies are linked outside the getdns API build tree (we rely on configure to find them). We would like to keep the dependency tree short. Please refer to section for building on Windows for separate dependency and build instructions for that platform.
-Before building, you must do:
-
- # git submodule update --init
-
* [libunbound from NLnet Labs](https://unbound.net/) version 1.4.16 or later.
* [libidn from the FSF](https://www.gnu.org/software/libidn/) version 1. (Note that the libidn version means the conversions between A-labels and U-labels may permit conversion of formally invalid labels under IDNA2008.)
* [libssl and libcrypto from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.1 or later is required for TLS support, version 1.0.2 or later is required for TLS hostname authentication)
@@ -84,7 +80,10 @@ For example, to build on a recent version of Ubuntu, you would need the followin
If you are building from git, you need to do the following before building:
- # libtoolize -ci (use glibtoolize for OS X, libtool is installed as glibtool to avoid name conflict on OS X)
+
+ # git submodule update --init
+
+ # libtoolize -ci # (use glibtoolize for OS X, libtool is installed as glibtool to avoid name conflict on OS X)
# autoreconf -fi
From 1aef5fb3e4419c7da39bd3ab7216d1085a6e2bc2 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 24 Aug 2017 13:29:16 +0200
Subject: [PATCH 24/26] Bumb version + ChangeLog
---
ChangeLog | 21 +++++++++++++++++++++
configure.ac | 9 +++++----
2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index bae0d547..a0226b71 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,24 @@
+* 2017-0?-??: Version 1.1.3
+ * No annotations with the output of getdns_query anymore,
+ unless -V option is given to increase verbosity
+ Thanks Ollivier Robert
+ * getdns_query will now exit with failure status if replies are BOGUS
+ * Bugfix: dnssec_return_validation_chain now also works when fallback
+ to full recursion was needed with dnssec_roadblock_avoidance
+ * More clear build instructions from Paul Hoffman. Thanks.
+ * Bugfix #320.1: Eliminate multiple closing of file descriptors
+ Thanks Neil Cook
+ * Bugfix #320.2: Array bounds bug in upstream_select
+ Thanks Neil Cook
+ * Bugfix #318: getdnsapi/getdns/README.md links to nonexistent wiki
+ pages. Thanks James Raftery
+ * Bugfix #322: MacOS 10.10 (Yosemite) provides TCP fastopen interface
+ but does not have it implemented. Thanks Joel Purra
+ * Compile without Stubby by default. Stubby now has a git repository
+ of its own. The new Stubby repository is added as a submodule.
+ Stubby will still be build alongside getdns with the --with-stubby
+ configure option.
+
* 2017-07-03: Version 1.1.2
* Bugfix for parallel make install
* Bugfix to trigger event callbacks on socket errors
diff --git a/configure.ac b/configure.ac
index a48577e4..2156085e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,12 +36,12 @@ sinclude(./m4/acx_getaddrinfo.m4)
sinclude(./m4/ax_check_compile_flag.m4)
sinclude(./m4/pkg.m4)
-AC_INIT([getdns], [1.1.2], [users@getdnsapi.net], [], [https://getdnsapi.net])
+AC_INIT([getdns], [1.1.3], [users@getdnsapi.net], [], [https://getdnsapi.net])
# Dont forget to put a dash in front of the release candidate!!!
# That is how it is done with semantic versioning!
#
-AC_SUBST(RELEASE_CANDIDATE, [])
+AC_SUBST(RELEASE_CANDIDATE, [-rc1])
# Set current date from system if not set
AC_ARG_WITH([current-date],
@@ -51,7 +51,7 @@ AC_ARG_WITH([current-date],
[CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01010200])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010102c1])
AC_SUBST(API_VERSION, ["December 2015"])
AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@@ -85,8 +85,9 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE
# getdns-1.1.0 had libversion 6:0:0
# getdns-1.1.1 had libversion 6:1:0
# getdns-1.1.2 has libversion 7:0:1
+# getdns-1.1.3 will have libversion 7:1:1
#
-GETDNS_LIBVERSION=7:0:1
+GETDNS_LIBVERSION=7:1:1
AC_SUBST(GETDNS_COMPILATION_COMMENT)
AC_SUBST(GETDNS_LIBVERSION)
From 5a9408163432359eff9463406dc2b6311012b9db Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 24 Aug 2017 13:51:58 +0200
Subject: [PATCH 25/26] Make switch/case fallthroughs explicit
+1 fallthrough bugfix in getdns_query
---
src/dnssec.c | 2 ++
src/jsmn | 2 +-
src/tools/getdns_query.c | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index e9962852..005604b9 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1065,6 +1065,7 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq)
break;
case GETDNS_RRTYPE_DNSKEY: node->dnskey.pkt = netreq->response;
node->dnskey.pkt_len = netreq->response_len;
+ /* fallthrough */
default : check_chain_complete(node->chains);
return;
}
@@ -2694,6 +2695,7 @@ static int chain_head_validate(struct mem_funcs *mf, time_t now, uint32_t skew,
if (_getdns_rrset_has_rrs(&ds_ta)) {
switch (chain_head_validate_with_ta(mf,now,skew,head,&ds_ta)) {
case GETDNS_DNSSEC_SECURE : s = GETDNS_DNSSEC_SECURE;
+ /* fallthrough */
case GETDNS_DNSSEC_INSECURE: if (s != GETDNS_DNSSEC_SECURE)
s = GETDNS_DNSSEC_INSECURE;
break;
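Review bot: In `chain_head_validate` the annotated fallthrough from `GETDNS_DNSSEC_SECURE` into `GETDNS_DNSSEC_INSECURE` has no effect, because the guard `if (s != GETDNS_DNSSEC_SECURE)` is false immediately after `s` was set to SECURE. Ending the SECURE case with `break;` instead of `/* fallthrough */` gives the same result from the lines visible here. It also stops the validation status from depending on a guard that lives in the next case. The switch continues outside the hunk, so this should be checked against the remaining cases before changing it.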
diff --git a/src/jsmn b/src/jsmn
index 868c22e3..a6bbcedf 160000
--- a/src/jsmn
+++ b/src/jsmn
@@ -1 +1 @@
-Subproject commit 868c22e35ec223fc26ddefdb9ca83901dc6e2534
+Subproject commit a6bbcedf43e3db38137b71edf6429467c71a9a5a
diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index f237585c..582f2c0c 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -819,6 +819,7 @@ getdns_return_t parse_args(int argc, char **argv)
goto next;
case 'p':
json = 0;
+ break;
case 'q':
quiet = 1;
break;
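Review bot: The added `break;` after `json = 0;` changes what `-p` does for users, and the ChangeLog entry for 1.1.3 in this series does not mention it. On the old side `case 'p'` ran into `case 'q'` and also set `quiet = 1`, so anything that relied on `-p` also turning on quiet mode will now behave differently. A ChangeLog line such as `* Bugfix: getdns_query -p no longer implies -q` would record that. `parse_args` starts and ends outside the hunk, so whether `quiet` is set or cleared elsewhere is not visible here.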
From fe6d2c97490aeb1036160fdde33791d3eec7323c Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 24 Aug 2017 13:58:13 +0200
Subject: [PATCH 26/26] /* fallthrough */ must be first comment before case
---
src/jsmn | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/jsmn b/src/jsmn
index a6bbcedf..c831c386 160000
--- a/src/jsmn
+++ b/src/jsmn
@@ -1 +1 @@
-Subproject commit a6bbcedf43e3db38137b71edf6429467c71a9a5a
+Subproject commit c831c3869f56a571a79a3cbf58e0a366e588e256