Merge branch 'release/1.3.0' into develop

This commit is contained in:
Willem Toorop 2017-12-22 12:42:47 +01:00
commit 2ff1bf6152
12 changed files with 254 additions and 116 deletions

View File

@ -1,10 +1,20 @@
* 2017-12-??: Version 1.2.2
* 2017-12-21: Version 1.3.0
* Bugfix #300: Detect dnsmasq and skip unit test that fails with it.
Thanks Tim Rühsen and Konomi Kitten
* Specify default available cipher suites for authenticated TLS
upstreams with getdns_context_set_tls_ciphers_list()
An upstream specific available cipher suite may also be given
with the tls_cipher_list setting in the upstream dict with
getdns_context_set_upstream_recursive_servers()
* PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
Thanks Pascal Ernster
* Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
context configured upstreams.
context configured upstreams. Thanks Andreas Schulze
* Report default extension settings with
getdns_context_get_api_information()
* Specify locations at which CA certificates for verification purposes
are located: getdns_context_set_CApath() getdns_context_set_CAfile()
are located: getdns_context_set_tls_ca_path()
getdns_context_set_tls_ca_file()
* getdns_context_set_resolvconf() function to initialize a context
upstreams and suffices with a resolv.conf file.
getdns_context_get_resolvconf() to get the file used to initialize
@ -17,7 +27,7 @@
when available with getdns_context_get_api_information()
* GETDNS_RETURN_IO_ERROR return error code
* Bugfix #359: edns_client_subnet_private should set family
Thanks Daniel Areiza
Thanks Daniel Areiza & Andreas Schulze
* Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
validation. Thanks Bruno Pagani

View File

@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4)
sinclude(./m4/ax_check_compile_flag.m4)
sinclude(./m4/pkg.m4)
AC_INIT([getdns], [1.2.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
AC_INIT([getdns], [1.3.0], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
# Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
# patched to do the same, but frequently (MacOS) not. So add a with option
@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir])
# Dont forget to put a dash in front of the release candidate!!!
# That is how it is done with semantic versioning!
#
AC_SUBST(RELEASE_CANDIDATE, [-rc1])
AC_SUBST(RELEASE_CANDIDATE, [])
# Set current date from system if not set
AC_ARG_WITH([current-date],
@ -62,7 +62,7 @@ AC_ARG_WITH([current-date],
[CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010201c1])
AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01030000])
AC_SUBST(API_VERSION, ["December 2015"])
AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@ -98,8 +98,8 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE
# getdns-1.1.2 had libversion 7:0:1
# getdns-1.1.3 had libversion 7:1:1
# getdns-1.2.0 had libversion 8:0:2
# getdns-1.2.1 has libversion 8:1:2
# getdns-1.2.2 will have libversion 9:0:3
# getdns-1.2.1 had libversion 8:1:2
# getdns-1.3.0 has libversion 9:0:3
#
GETDNS_LIBVERSION=9:0:3

View File

@ -89,8 +89,9 @@ static struct const_info consts_info[] = {
{ 628, "GETDNS_CONTEXT_CODE_APPDATA_DIR", GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT },
{ 629, "GETDNS_CONTEXT_CODE_RESOLVCONF", GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT },
{ 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT },
{ 631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT },
{ 632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT },
{ 631, "GETDNS_CONTEXT_CODE_TLS_CA_PATH", GETDNS_CONTEXT_CODE_TLS_CA_PATH_TEXT },
{ 632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT },
{ 633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
{ 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
{ 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
{ 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT },
@ -161,8 +162,6 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_CALLBACK_TIMEOUT", 702 },
{ "GETDNS_CONTEXT_CODE_APPDATA_DIR", 628 },
{ "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 },
{ "GETDNS_CONTEXT_CODE_CAFILE", 632 },
{ "GETDNS_CONTEXT_CODE_CAPATH", 631 },
{ "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 },
{ "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 },
{ "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 },
@ -186,6 +185,9 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_CONTEXT_CODE_TIMEOUT", 616 },
{ "GETDNS_CONTEXT_CODE_TLS_AUTHENTICATION", 618 },
{ "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 },
{ "GETDNS_CONTEXT_CODE_TLS_CA_FILE", 632 },
{ "GETDNS_CONTEXT_CODE_TLS_CA_PATH", 631 },
{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
{ "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 },
{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 },

View File

@ -165,6 +165,17 @@ static void set_ub_dnssec_allowed_skew(struct getdns_context*, uint32_t);
/* Stuff to make it compile pedantically */
#define RETURN_IF_NULL(ptr, code) if(ptr == NULL) return code;
static char *
_getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s)
{
char *r;
if (!s || !(r = GETDNS_XMALLOC(*mfs, char, s->size + 1)))
return NULL;
else {
r[s->size] = '\0';
return memcpy(r, s, s->size);
}
}
#ifdef USE_WINSOCK
/* For windows, the CA trust store is not read by openssl.
@ -717,12 +728,16 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
{
_getdns_closesocket(upstream->fd);
}
if (upstream->tcp.read_buf)
GETDNS_FREE(upstreams->mf, upstream->tcp.read_buf);
while (pin) {
sha256_pin_t *nextpin = pin->next;
GETDNS_FREE(upstreams->mf, pin);
pin = nextpin;
}
upstream->tls_pubkey_pinset = NULL;
if (upstream->tls_cipher_list)
GETDNS_FREE(upstreams->mf, upstream->tls_cipher_list);
}
GETDNS_FREE(upstreams->mf, upstreams);
}
@ -1006,6 +1021,7 @@ upstream_init(getdns_upstream *upstream,
upstream->fd = -1;
upstream->tls_obj = NULL;
upstream->tls_session = NULL;
upstream->tls_cipher_list = NULL;
upstream->transport = GETDNS_TRANSPORT_TCP;
upstream->tls_hs_state = GETDNS_HS_NONE;
upstream->tls_auth_name[0] = '\0';
@ -1377,11 +1393,11 @@ static void _getdns_check_expired_pending_netreqs_cb(void *arg)
_getdns_check_expired_pending_netreqs((getdns_context *)arg, &now_ms);
}
static const char *_getdns_default_trust_anchors_url =
static char const * const _getdns_default_trust_anchors_url =
"http://data.iana.org/root-anchors/root-anchors.xml";
/* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
static const char *_getdns_default_trust_anchors_verify_CA =
static char const * const _getdns_default_trust_anchors_verify_CA =
"-----BEGIN CERTIFICATE-----\n"
"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
@ -1404,9 +1420,12 @@ static const char *_getdns_default_trust_anchors_verify_CA =
"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
"-----END CERTIFICATE-----\n";
static const char *_getdns_default_trust_anchors_verify_email =
static char const * const _getdns_default_trust_anchors_verify_email =
"dnssec@iana.org";
static char const * const _getdns_default_tls_cipher_list =
"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
/*
* getdns_context_create
@ -1513,8 +1532,9 @@ getdns_context_create_with_extended_memory_functions(
result->trust_anchors_verify_email = NULL;
result->trust_anchors_verify_CA = NULL;
result->appdata_dir = NULL;
result->CApath = NULL;
result->CAfile = NULL;
result->tls_ca_path = NULL;
result->tls_ca_file = NULL;
result->tls_cipher_list = NULL;
(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
@ -1779,11 +1799,12 @@ getdns_context_destroy(struct getdns_context *context)
, context->trust_anchors_verify_email);
if (context->appdata_dir)
GETDNS_FREE(context->mf, context->appdata_dir);
if (context->CApath)
GETDNS_FREE(context->mf, context->CApath);
if (context->CAfile)
GETDNS_FREE(context->mf, context->CAfile);
if (context->tls_ca_path)
GETDNS_FREE(context->mf, context->tls_ca_path);
if (context->tls_ca_file)
GETDNS_FREE(context->mf, context->tls_ca_file);
if (context->tls_cipher_list)
GETDNS_FREE(context->mf, context->tls_cipher_list);
#ifdef USE_WINSOCK
WSACleanup();
@ -2972,16 +2993,19 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
upstream->addr.ss_family = addr.ss_family;
upstream_init(upstream, upstreams, ai);
upstream->transport = getdns_upstream_transports[j];
if (getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
if (dict && getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
getdns_list *pubkey_pinset = NULL;
if (dict && (r = getdns_dict_get_bindata(
getdns_bindata *tls_cipher_list = NULL;
if ((r = getdns_dict_get_bindata(
dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
if (tls_auth_name->size >= sizeof(upstream->tls_auth_name)) {
/* tls_auth_name's are just
* domain names and should
* thus not be larger than 256
* bytes.
/* tls_auth_name's are
* domain names in presentation
* format and, taking escaping
* into account, should not
* be larger than 1024 bytes.
*/
goto invalid_parameter;
}
@ -2991,7 +3015,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
upstream->tls_auth_name
[tls_auth_name->size] = '\0';
}
if (dict && (r = getdns_dict_get_list(dict, "tls_pubkey_pinset",
if ((r = getdns_dict_get_list(dict, "tls_pubkey_pinset",
&pubkey_pinset)) == GETDNS_RETURN_GOOD) {
/* TODO: what if the user supplies tls_pubkey_pinset with
* something other than a list? */
@ -3001,6 +3025,12 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
if (r != GETDNS_RETURN_GOOD)
goto invalid_parameter;
}
(void) getdns_dict_get_bindata(
dict, "tls_cipher_list", &tls_cipher_list);
upstream->tls_cipher_list = tls_cipher_list
? _getdns_strdup2(&upstreams->mf
, tls_cipher_list)
: NULL;
}
if ((upstream->tsig_alg = tsig_alg)) {
if (tsig_name) {
@ -3574,14 +3604,15 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
# endif
/* Be strict and only use the cipher suites recommended in RFC7525
Unless we later fallback to opportunistic. */
const char* const PREFERRED_CIPHERS = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS))
if (!SSL_CTX_set_cipher_list(context->tls_ctx,
context->tls_cipher_list ? context->tls_cipher_list
: _getdns_default_tls_cipher_list))
return GETDNS_RETURN_BAD_CONTEXT;
/* For strict authentication, we must have local root certs available
Set up is done only when the tls_ctx is created (per getdns_context)*/
if ((context->CAfile || context->CApath) &&
if ((context->tls_ca_file || context->tls_ca_path) &&
SSL_CTX_load_verify_locations(context->tls_ctx
, context->CAfile, context->CApath))
, context->tls_ca_file, context->tls_ca_path))
; /* pass */
# ifndef USE_WINSOCK
else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
@ -3625,7 +3656,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
return r;
} /* _getdns_context_prepare_for_resolution */
char *
static char *
_getdns_strdup(const struct mem_funcs *mfs, const char *s)
{
size_t sz;
@ -3887,10 +3918,12 @@ _get_context_settings(getdns_context* context)
(void) getdns_dict_util_set_string(result, "resolvconf", str_value);
if (!getdns_context_get_hosts(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "hosts", str_value);
if (!getdns_context_get_CApath(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "CApath", str_value);
if (!getdns_context_get_CAfile(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "CAfile", str_value);
if (!getdns_context_get_tls_ca_path(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "tls_ca_path", str_value);
if (!getdns_context_get_tls_ca_file(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "tls_ca_file", str_value);
if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value);
/* Default settings for extensions */
(void)getdns_dict_set_int(
@ -4475,6 +4508,11 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
break;
}
}
if (upstream->tls_cipher_list) {
(void) getdns_dict_util_set_string(
d, "tls_cipher_list",
upstream->tls_cipher_list);
}
}
}
if (!r)
@ -4677,10 +4715,13 @@ _getdns_context_config_setting(getdns_context *context,
CONTEXT_SETTING_STRING(trust_anchors_verify_CA)
CONTEXT_SETTING_STRING(trust_anchors_verify_email)
CONTEXT_SETTING_STRING(appdata_dir)
#ifndef USE_WINSOCK
CONTEXT_SETTING_STRING(resolvconf)
#endif
CONTEXT_SETTING_STRING(hosts)
CONTEXT_SETTING_STRING(CApath)
CONTEXT_SETTING_STRING(CAfile)
CONTEXT_SETTING_STRING(tls_ca_path)
CONTEXT_SETTING_STRING(tls_ca_file)
CONTEXT_SETTING_STRING(tls_cipher_list)
/**************************************/
/**** ****/
@ -5149,14 +5190,14 @@ getdns_context *_getdns_context_get_sys_ctxt(
context->mf.mf.ext.free)))
DEBUG_ANCHOR("Could not create system context: %s\n"
, getdns_get_errorstr_by_id(r));
#ifndef USE_WINSOCK
else if (*context->fchg_resolvconf.fn &&
(r = getdns_context_set_resolvconf(
context->sys_ctxt, context->fchg_resolvconf.fn)))
DEBUG_ANCHOR("Could initialize system context with resolvconf "
"\"%s\": %s\n", context->fchg_resolvconf.fn
, getdns_get_errorstr_by_id(r));
#endif
else if (*context->fchg_hosts.fn &&
(r = getdns_context_set_hosts(
context->sys_ctxt, context->fchg_hosts.fn)))
@ -5186,49 +5227,79 @@ getdns_context *_getdns_context_get_sys_ctxt(
}
getdns_return_t
getdns_context_set_CApath(getdns_context *context, const char *CApath)
getdns_context_set_tls_ca_path(getdns_context *context, const char *tls_ca_path)
{
if (!context || !CApath)
if (!context || !tls_ca_path)
return GETDNS_RETURN_INVALID_PARAMETER;
if (context->CApath)
GETDNS_FREE(context->mf, context->CApath);
context->CApath = _getdns_strdup(&context->mf, CApath);
if (context->tls_ca_path)
GETDNS_FREE(context->mf, context->tls_ca_path);
context->tls_ca_path = _getdns_strdup(&context->mf, tls_ca_path);
dispatch_updated(context, GETDNS_CONTEXT_CODE_CAPATH);
dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CA_PATH);
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_get_CApath(getdns_context *context, const char **CApath)
getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path)
{
if (!context || !CApath)
if (!context || !tls_ca_path)
return GETDNS_RETURN_INVALID_PARAMETER;
*CApath = context->CApath;
*tls_ca_path = context->tls_ca_path;
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_set_CAfile(getdns_context *context, const char *CAfile)
getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file)
{
if (!context || !CAfile)
if (!context || !tls_ca_file)
return GETDNS_RETURN_INVALID_PARAMETER;
if (context->CAfile)
GETDNS_FREE(context->mf, context->CAfile);
context->CAfile = _getdns_strdup(&context->mf, CAfile);
if (context->tls_ca_file)
GETDNS_FREE(context->mf, context->tls_ca_file);
context->tls_ca_file = _getdns_strdup(&context->mf, tls_ca_file);
dispatch_updated(context, GETDNS_CONTEXT_CODE_CAFILE);
dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CA_FILE);
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_get_CAfile(getdns_context *context, const char **CAfile)
getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file)
{
if (!context || !CAfile)
if (!context || !tls_ca_file)
return GETDNS_RETURN_INVALID_PARAMETER;
*CAfile = context->CAfile;
*tls_ca_file = context->tls_ca_file;
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_set_tls_cipher_list(
getdns_context *context, const char *tls_cipher_list)
{
if (!context)
return GETDNS_RETURN_INVALID_PARAMETER;
if (context->tls_cipher_list)
GETDNS_FREE(context->mf, context->tls_cipher_list);
context->tls_cipher_list = tls_cipher_list
? _getdns_strdup(&context->mf, tls_cipher_list)
: NULL;
dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST);
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_get_tls_cipher_list(
getdns_context *context, const char **tls_cipher_list)
{
if (!context || !tls_cipher_list)
return GETDNS_RETURN_INVALID_PARAMETER;
*tls_cipher_list = context->tls_cipher_list
? context->tls_cipher_list
: _getdns_default_tls_cipher_list;
return GETDNS_RETURN_GOOD;
}
/* context.c */

View File

@ -205,6 +205,7 @@ typedef struct getdns_upstream {
getdns_tls_hs_state_t tls_hs_state;
getdns_auth_state_t tls_auth_state;
unsigned tls_fallback_ok : 1;
char *tls_cipher_list;
/* Auth credentials*/
char tls_auth_name[256];
sha256_pin_t *tls_pubkey_pinset;
@ -343,8 +344,9 @@ struct getdns_context {
char *appdata_dir;
_getdns_property can_write_appdata;
char *CApath;
char *CAfile;
char *tls_ca_path;
char *tls_ca_file;
char *tls_cipher_list;
getdns_upstreams *upstreams;
uint16_t limit_outstanding_queries;
@ -527,8 +529,6 @@ void _getdns_context_cancel_request(getdns_dns_req *dnsreq);
*/
void _getdns_context_request_timed_out(getdns_dns_req *dnsreq);
char *_getdns_strdup(const struct mem_funcs *mfs, const char *str);
struct getdns_bindata *_getdns_bindata_copy(
struct mem_funcs *mfs, size_t size, const uint8_t *data);

View File

@ -1687,6 +1687,8 @@ getdns_context_set_dnssec_allowed_skew(getdns_context *context,
* - `value` A SHA256 hash of the `SubjectPublicKeyInfo`
* of the upstream, which will be used to authenticate
* it.
* - `tls_cipher_list` (a bindata) that is the string
* of available ciphers specific for this upstream.
* @return GETDNS_RETURN_GOOD when successful.
* @return GETDNS_RETURN_INVALID_PARAMETER when `context` or `upstream_list` was `NULL`
* @return GETDNS_RETURN_CONTEXT_UPDATE_FAIL when there were problems parsing

View File

@ -94,10 +94,12 @@ extern "C" {
#define GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT "Change related to getdns_context_set_resolvconf"
#define GETDNS_CONTEXT_CODE_HOSTS 630
#define GETDNS_CONTEXT_CODE_HOSTS_TEXT "Change related to getdns_context_set_hosts"
#define GETDNS_CONTEXT_CODE_CAPATH 631
#define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath"
#define GETDNS_CONTEXT_CODE_CAFILE 632
#define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile"
#define GETDNS_CONTEXT_CODE_TLS_CA_PATH 631
#define GETDNS_CONTEXT_CODE_TLS_CA_PATH_TEXT "Change related to getdns_context_set_tls_ca_path"
#define GETDNS_CONTEXT_CODE_TLS_CA_FILE 632
#define GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT "Change related to getdns_context_set_tls_ca_file"
#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST 633
#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list"
/** @}
*/
@ -717,27 +719,39 @@ getdns_context_set_hosts(getdns_context *context, const char *hosts);
/**
* Specify where the location for CA certificates for verification purposes
* are located.
* @see getdns_context_get_CApath
* @see getdns_context_set_CAfile
* @see getdns_context_get_tls_ca_path
* @see getdns_context_set_tls_ca_file
* @param[in] context The context to configure
* @param[in] CApath Directory with Certificate Authority certificates.
* @param[in] tls_ca_path Directory with Certificate Authority certificates.
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_set_CApath(getdns_context *context, const char *CApath);
getdns_context_set_tls_ca_path(getdns_context *context, const char *tls_ca_path);
/**
* Specify the file with CA certificates for verification purposes.
* @see getdns_context_get_CAfile
* @see getdns_context_set_CApath
* @see getdns_context_get_tls_ca_file
* @see getdns_context_set_tls_ca_path
* @param[in] context The context to configure
* @param[in] CAfile The file with Certificate Authority certificates.
* @param[in] tls_ca_file The file with Certificate Authority certificates.
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_set_CAfile(getdns_context *context, const char *CAfile);
getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file);
/**
* Sets the list of available ciphers for authenticated TLS upstreams.
* @see getdns_context_get_tls_cipher_list
* @param[in] context The context to configure
* @param[in] cipher_list The cipher list
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_set_tls_cipher_list(
getdns_context *context, const char *cipher_list);
/**
* Get the current resolution type setting from this context.
@ -1222,29 +1236,42 @@ getdns_context_get_hosts(getdns_context *context, const char **hosts);
/**
* Get the location of the directory for CA certificates for verification
* purposes.
* @see getdns_context_set_CApath
* @see getdns_context_get_CAfile
* @see getdns_context_set_tls_ca_path
* @see getdns_context_get_tls_ca_file
* @param[in] context The context to configure
* @param[out] CApath Directory with Certificate Authority certificates
* @param[out] tls_ca_path Directory with Certificate Authority certificates
* or NULL when one was not configured.
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_get_CApath(getdns_context *context, const char **CApath);
getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path);
/**
* Get the file location with CA certificates for verification purposes.
* @see getdns_context_set_CAfile
* @see getdns_context_get_CApath
* @see getdns_context_set_tls_ca_file
* @see getdns_context_get_tls_ca_path
* @param[in] context The context to configure
* @param[out] CAfile The file with Certificate Authority certificates
* @param[out] tls_ca_file The file with Certificate Authority certificates
* or NULL when one was not configured.
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_get_CAfile(getdns_context *context, const char **CAfile);
getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file);
/**
* Get the list of available ciphers for authenticated TLS upstreams.
* @see getdns_context_set_tls_cipher_list
* @param[in] context The context configure
* @param[out] cipher_list The cipher list
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_get_tls_cipher_list(
getdns_context *context, const char **cipher_list);
/** @}
*/

View File

@ -7,8 +7,6 @@ getdns_context_create_with_extended_memory_functions
getdns_context_create_with_memory_functions
getdns_context_destroy
getdns_context_detach_eventloop
getdns_context_get_CAfile
getdns_context_get_CApath
getdns_context_get_api_information
getdns_context_get_append_name
getdns_context_get_dns_root_servers
@ -35,6 +33,9 @@ getdns_context_get_suffix
getdns_context_get_timeout
getdns_context_get_tls_authentication
getdns_context_get_tls_backoff_time
getdns_context_get_tls_ca_file
getdns_context_get_tls_ca_path
getdns_context_get_tls_cipher_list
getdns_context_get_tls_connection_retries
getdns_context_get_tls_query_padding_blocksize
getdns_context_get_trust_anchors_url
@ -44,8 +45,6 @@ getdns_context_get_update_callback
getdns_context_get_upstream_recursive_servers
getdns_context_process_async
getdns_context_run
getdns_context_set_CAfile
getdns_context_set_CApath
getdns_context_set_appdata_dir
getdns_context_set_append_name
getdns_context_set_context_update_callback
@ -77,6 +76,9 @@ getdns_context_set_suffix
getdns_context_set_timeout
getdns_context_set_tls_authentication
getdns_context_set_tls_backoff_time
getdns_context_set_tls_ca_file
getdns_context_set_tls_ca_path
getdns_context_set_tls_cipher_list
getdns_context_set_tls_connection_retries
getdns_context_set_tls_query_padding_blocksize
getdns_context_set_trust_anchors_url

View File

@ -986,9 +986,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
SSL_set_cipher_list(ssl, "DEFAULT");
DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
STUB_DEBUG_SETUP_TLS, __FUNC__);
} else
} else {
if (upstream->tls_cipher_list)
SSL_set_cipher_list(ssl, upstream->tls_cipher_list);
DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS,
__FUNC__);
}
SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback);
SSL_set_connect_state(ssl);

View File

@ -144,6 +144,8 @@
uint16_t payload_size;
uint8_t do_bit;
getdns_transport_t trans;
int upstream_is_dnsmasq = 0;
getdns_bindata *version_str = NULL;
/* Note that stricly this test just establishes that the requested transport
and the reported transport are consistent, it does not guarentee which
@ -156,6 +158,7 @@
ASSERT_RC(getdns_dict_set_int(extensions,"return_call_reporting", GETDNS_EXTENSION_TRUE),
GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()");
/* Request a response that should be truncated over UDP */
ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_ONLY),
GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");
@ -163,6 +166,15 @@
GETDNS_RETURN_GOOD, "Return code from getdns_context_get_dns_transport()");
ck_assert_msg(trans == 541, "dns_transport should be 541(GETDNS_TRANSPORT_UDP_ONLY) but got %d", (int)trans);
ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_CH),
GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()");
ASSERT_RC(getdns_general_sync(context, "version.bind.", GETDNS_RRTYPE_TXT, extensions, &response),
GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
(void) getdns_dict_get_bindata(response, "/replies_tree/0/answer/0/rdata/txt_strings/0", &version_str);
upstream_is_dnsmasq = version_str && version_str->size > 7 &&
strncmp((char *)version_str->data, "dnsmasq", 7) == 0;
ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_IN),
GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()");
ASSERT_RC(getdns_context_set_edns_maximum_udp_payload_size(context, 512),
GETDNS_RETURN_GOOD, "Return code from getdns_context_set_edns_maximum_udp_payload_size()");
@ -187,35 +199,36 @@
ASSERT_RC(type, GETDNS_RESOLUTION_STUB, "Query did not use stub mode");
ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
ASSERT_RC(tc, 1, "Packet not trucated as expected");
if (!upstream_is_dnsmasq) {
ASSERT_RC(tc, 1, "Packet not truncated as expected");
/* Re-do over TCP */
ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY),
GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");
/* Re-do over TCP */
ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY),
GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");
ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response),
GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response),
GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport),
GETDNS_RETURN_GOOD, "Failed to extract \"transport\"");
ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP");
ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
ASSERT_RC(tc, 0, "Packet trucated - not as expected");
ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport),
GETDNS_RETURN_GOOD, "Failed to extract \"transport\"");
ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP");
ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
ASSERT_RC(tc, 0, "Packet trucated - not as expected");
/* Now let it fall back to TCP */
ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP),
GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");
ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response),
GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport),
GETDNS_RETURN_GOOD, "Failed to extract \"transport\"");
ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP");
ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
ASSERT_RC(tc, 0, "Packet trucated - not as expected");
/* Now let it fall back to TCP */
ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP),
GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");
ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response),
GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport),
GETDNS_RETURN_GOOD, "Failed to extract \"transport\"");
ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP");
ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
ASSERT_RC(tc, 0, "Packet trucated - not as expected");
}
ASSERT_RC(getdns_context_unset_edns_maximum_udp_payload_size(context),
GETDNS_RETURN_GOOD, "Return code from getdns_context_unset_edns_maximum_udp_payload_size()");

View File

@ -91,7 +91,9 @@ static int async = 0, interactive = 0;
static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL;
static int bogus_answers = 0;
static int check_dnssec = 0;
#ifndef USE_WINSOCK
static char *resolvconf = NULL;
#endif
static int print_api_info = 0, print_trust_anchors = 0;
static int get_rrtype(const char *t)
@ -256,8 +258,10 @@ print_usage(FILE *out, const char *progname)
fprintf(out, "\t\t(should look like '" EXAMPLE_PIN "')\n");
fprintf(out, "\t-m\tSet TLS authentication mode to REQUIRED\n");
fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n");
#ifndef USE_WINSOCK
fprintf(out, "\t-o <filename>\tSet resolver configuration file path\n");
fprintf(out, "\t\t(default = %s)\n", GETDNS_FN_RESOLVCONF);
#endif
fprintf(out, "\t-p\tPretty print response dict (default)\n");
fprintf(out, "\t-P <blocksize>\tPad TLS queries to a multiple of blocksize\n"
"\t\t(special values: 0: no padding, 1: sensible default policy)\n");
@ -824,6 +828,7 @@ getdns_return_t parse_args(int argc, char **argv)
getdns_context_set_tls_authentication(context,
GETDNS_AUTHENTICATION_REQUIRED);
break;
#ifndef USE_WINSOCK
case 'o':
if (c[1] != 0 || ++i >= argc || !*argv[i]) {
fprintf(stderr, "<filename>"
@ -832,6 +837,7 @@ getdns_return_t parse_args(int argc, char **argv)
}
resolvconf = argv[i];
break;
#endif
case 'P':
if (c[1] != 0 || ++i >= argc || !*argv[i]) {
fprintf(stderr, "tls_query_padding_blocksize "
@ -1733,6 +1739,7 @@ main(int argc, char **argv)
if ((r = parse_args(argc, argv)) && r != CONTINUE)
goto done_destroy_context;
#ifndef USE_WINSOCK
if (resolvconf) {
if ((r = getdns_context_set_resolvconf(context, resolvconf))) {
fprintf(stderr, "Problem initializing with resolvconf: %d\n", (int)r);
@ -1741,6 +1748,7 @@ main(int argc, char **argv)
if ((r = parse_args(argc, argv)))
goto done_destroy_context;
}
#endif
if (print_api_info) {
getdns_dict *api_information =
getdns_context_get_api_information(context);

2
stubby

@ -1 +1 @@
Subproject commit 3d0766f832368ff249020fc5101cca1a41a98620
Subproject commit f0b330454b95a07106af33b1869b7cd18cfaebf2