Merge branch 'release/1.3.0' into develop

ChangeLog

@@ -1,10 +1,20 @@
-* 2017-12-??: Version 1.2.2
+* 2017-12-21: Version 1.3.0
+  * Bugfix #300: Detect dnsmasq and skip unit test that fails with it.
+    Thanks Tim Rühsen and Konomi Kitten
+  * Specify default available cipher suites for authenticated TLS
+    upstreams with getdns_context_set_tls_ciphers_list()
+    An upstream specific available cipher suite may also be given
+    with the tls_cipher_list setting in the upstream dict with
+    getdns_context_set_upstream_recursive_servers()
+  * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
+    Thanks Pascal Ernster
   * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
-    context configured upstreams.
+    context configured upstreams.  Thanks Andreas Schulze
   * Report default extension settings with
     getdns_context_get_api_information()
   * Specify locations at which CA certificates for verification purposes
-    are located: getdns_context_set_CApath() getdns_context_set_CAfile()
+    are located: getdns_context_set_tls_ca_path()
+    getdns_context_set_tls_ca_file()
   * getdns_context_set_resolvconf() function to initialize a context 
     upstreams and suffices with a resolv.conf file.
     getdns_context_get_resolvconf() to get the file used to initialize
@@ -17,7 +27,7 @@
     when available with getdns_context_get_api_information()
   * GETDNS_RETURN_IO_ERROR return error code
   * Bugfix #359: edns_client_subnet_private should set family
-    Thanks Daniel Areiza
+    Thanks Daniel Areiza & Andreas Schulze
   * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
     validation.  Thanks Bruno Pagani
 

configure.ac

@@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
-AC_INIT([getdns], [1.2.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
+AC_INIT([getdns], [1.3.0], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
 
 # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
 # patched to do the same, but frequently (MacOS) not. So add a with option
@@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Dont forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
@@ -62,7 +62,7 @@ AC_ARG_WITH([current-date],
   [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010201c1])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01030000])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@@ -98,8 +98,8 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE
 # getdns-1.1.2 had libversion 7:0:1
 # getdns-1.1.3 had libversion 7:1:1
 # getdns-1.2.0 had libversion 8:0:2
-# getdns-1.2.1 has libversion 8:1:2
+# getdns-1.2.1 had libversion 8:1:2
-# getdns-1.2.2 will have libversion 9:0:3
+# getdns-1.3.0 has libversion 9:0:3
 #
 GETDNS_LIBVERSION=9:0:3
 

src/const-info.c

@@ -89,8 +89,9 @@ static struct const_info consts_info[] = {
 	{     628, "GETDNS_CONTEXT_CODE_APPDATA_DIR", GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT },
 	{     629, "GETDNS_CONTEXT_CODE_RESOLVCONF", GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT },
 	{     630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT },
-	{     631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT },
+	{     631, "GETDNS_CONTEXT_CODE_TLS_CA_PATH", GETDNS_CONTEXT_CODE_TLS_CA_PATH_TEXT },
-	{     632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT },
+	{     632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT },
+	{     633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
 	{     702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT },
@@ -161,8 +162,6 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CALLBACK_TIMEOUT", 702 },
 	{ "GETDNS_CONTEXT_CODE_APPDATA_DIR", 628 },
 	{ "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 },
-	{ "GETDNS_CONTEXT_CODE_CAFILE", 632 },
-	{ "GETDNS_CONTEXT_CODE_CAPATH", 631 },
 	{ "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 },
 	{ "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 },
 	{ "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 },
@@ -186,6 +185,9 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_TIMEOUT", 616 },
 	{ "GETDNS_CONTEXT_CODE_TLS_AUTHENTICATION", 618 },
 	{ "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 },
+	{ "GETDNS_CONTEXT_CODE_TLS_CA_FILE", 632 },
+	{ "GETDNS_CONTEXT_CODE_TLS_CA_PATH", 631 },
+	{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
 	{ "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 },

src/context.c

@@ -165,6 +165,17 @@ static void set_ub_dnssec_allowed_skew(struct getdns_context*, uint32_t);
 /* Stuff to make it compile pedantically */
 #define RETURN_IF_NULL(ptr, code) if(ptr == NULL) return code;
 
+static char *
+_getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s)
+{
+    char *r;
+    if (!s || !(r = GETDNS_XMALLOC(*mfs, char, s->size + 1)))
+        return NULL;
+    else {
+	r[s->size] = '\0';
+        return memcpy(r, s, s->size);
+    }
+}
 
 #ifdef USE_WINSOCK
 /* For windows, the CA trust store is not read by openssl. 
@@ -717,12 +728,16 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 		{
 			_getdns_closesocket(upstream->fd);
 		}
+		if (upstream->tcp.read_buf)
+			GETDNS_FREE(upstreams->mf, upstream->tcp.read_buf);
 		while (pin) {
 			sha256_pin_t *nextpin = pin->next;
 			GETDNS_FREE(upstreams->mf, pin);
 			pin = nextpin;
 		}
 		upstream->tls_pubkey_pinset = NULL;
+		if (upstream->tls_cipher_list)
+			GETDNS_FREE(upstreams->mf, upstream->tls_cipher_list);
 	}
 	GETDNS_FREE(upstreams->mf, upstreams);
 }
@@ -1006,6 +1021,7 @@ upstream_init(getdns_upstream *upstream,
 	upstream->fd       = -1;
 	upstream->tls_obj  = NULL;
 	upstream->tls_session = NULL;
+	upstream->tls_cipher_list = NULL;
 	upstream->transport = GETDNS_TRANSPORT_TCP;
 	upstream->tls_hs_state = GETDNS_HS_NONE;
 	upstream->tls_auth_name[0] = '\0';
@@ -1377,11 +1393,11 @@ static void _getdns_check_expired_pending_netreqs_cb(void *arg)
 	_getdns_check_expired_pending_netreqs((getdns_context *)arg, &now_ms);
 }
 
-static const char *_getdns_default_trust_anchors_url =
+static char const * const _getdns_default_trust_anchors_url =
     "http://data.iana.org/root-anchors/root-anchors.xml";
 
 /* The ICANN CA fetched at 24 Sep 2010.  Valid to 2028 */
-static const char *_getdns_default_trust_anchors_verify_CA =
+static char const * const _getdns_default_trust_anchors_verify_CA =
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
@@ -1404,9 +1420,12 @@ static const char *_getdns_default_trust_anchors_verify_CA =
 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
 "-----END CERTIFICATE-----\n";
 
-static const char *_getdns_default_trust_anchors_verify_email =
+static char const * const _getdns_default_trust_anchors_verify_email =
     "dnssec@iana.org";
 
+static char const * const _getdns_default_tls_cipher_list = 
+	"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
+	"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
 
 /*
  * getdns_context_create
@@ -1513,8 +1532,9 @@ getdns_context_create_with_extended_memory_functions(
 	result->trust_anchors_verify_email = NULL;
 	result->trust_anchors_verify_CA = NULL;
 	result->appdata_dir = NULL;
-	result->CApath = NULL;
+	result->tls_ca_path = NULL;
-	result->CAfile = NULL;
+	result->tls_ca_file = NULL;
+	result->tls_cipher_list = NULL;
 
 	(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
 
@@ -1779,11 +1799,12 @@ getdns_context_destroy(struct getdns_context *context)
 		           , context->trust_anchors_verify_email);
 	if (context->appdata_dir)
 		GETDNS_FREE(context->mf, context->appdata_dir);
-	if (context->CApath)
+	if (context->tls_ca_path)
-		GETDNS_FREE(context->mf, context->CApath);
+		GETDNS_FREE(context->mf, context->tls_ca_path);
-	if (context->CAfile)
+	if (context->tls_ca_file)
-		GETDNS_FREE(context->mf, context->CAfile);
+		GETDNS_FREE(context->mf, context->tls_ca_file);
-
+	if (context->tls_cipher_list)
+		GETDNS_FREE(context->mf, context->tls_cipher_list);
 
 #ifdef USE_WINSOCK
 	WSACleanup();
@@ -2972,16 +2993,19 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 			upstream->addr.ss_family = addr.ss_family;
 			upstream_init(upstream, upstreams, ai);
 			upstream->transport = getdns_upstream_transports[j];
-			if (getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
+			if (dict && getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
 				getdns_list *pubkey_pinset = NULL;
-				if (dict && (r = getdns_dict_get_bindata(
+				getdns_bindata *tls_cipher_list = NULL;
+
+				if ((r = getdns_dict_get_bindata(
 				    dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
 
 					if (tls_auth_name->size >= sizeof(upstream->tls_auth_name)) {
-						/* tls_auth_name's are just 
+						/* tls_auth_name's are 
-						 * domain names and should
+						 * domain names in presentation
-						 * thus not be larger than 256
+						 * format and, taking escaping
-						 * bytes.
+						 * into account, should not
+						 * be larger than 1024 bytes.
 						 */
 						goto invalid_parameter;
 					}
@@ -2991,7 +3015,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 					upstream->tls_auth_name
 					    [tls_auth_name->size] = '\0';
 				}
-				if (dict && (r = getdns_dict_get_list(dict, "tls_pubkey_pinset",
+				if ((r = getdns_dict_get_list(dict, "tls_pubkey_pinset",
 							      &pubkey_pinset)) == GETDNS_RETURN_GOOD) {
 			   /* TODO: what if the user supplies tls_pubkey_pinset with
 			    * something other than a list? */
@@ -3001,6 +3025,12 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 					if (r != GETDNS_RETURN_GOOD)
 						goto invalid_parameter;
 				}
+				(void) getdns_dict_get_bindata(
+				    dict, "tls_cipher_list", &tls_cipher_list);
+				upstream->tls_cipher_list = tls_cipher_list
+				    ? _getdns_strdup2(&upstreams->mf
+				                     , tls_cipher_list)
+				    : NULL;
 			}
 			if ((upstream->tsig_alg = tsig_alg)) {
 				if (tsig_name) {
@@ -3574,14 +3604,15 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 #  endif
 			/* Be strict and only use the cipher suites recommended in RFC7525
 			   Unless we later fallback to opportunistic. */
-			const char* const PREFERRED_CIPHERS = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
+			if (!SSL_CTX_set_cipher_list(context->tls_ctx,
-			if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS))
+			    context->tls_cipher_list ? context->tls_cipher_list
+			                             : _getdns_default_tls_cipher_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
 			/* For strict authentication, we must have local root certs available
 		       Set up is done only when the tls_ctx is created (per getdns_context)*/
-			if ((context->CAfile || context->CApath) &&
+			if ((context->tls_ca_file || context->tls_ca_path) &&
 			    SSL_CTX_load_verify_locations(context->tls_ctx
-				    , context->CAfile, context->CApath))
+				    , context->tls_ca_file, context->tls_ca_path))
 				; /* pass */
 #  ifndef USE_WINSOCK
 			else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
@@ -3625,7 +3656,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 	return r;
 } /* _getdns_context_prepare_for_resolution */
 
-char *
+static char *
 _getdns_strdup(const struct mem_funcs *mfs, const char *s)
 {
     size_t sz;
@@ -3887,10 +3918,12 @@ _get_context_settings(getdns_context* context)
 		(void) getdns_dict_util_set_string(result, "resolvconf", str_value);
 	if (!getdns_context_get_hosts(context, &str_value) && str_value)
 		(void) getdns_dict_util_set_string(result, "hosts", str_value);
-	if (!getdns_context_get_CApath(context, &str_value) && str_value)
+	if (!getdns_context_get_tls_ca_path(context, &str_value) && str_value)
-		(void) getdns_dict_util_set_string(result, "CApath", str_value);
+		(void) getdns_dict_util_set_string(result, "tls_ca_path", str_value);
-	if (!getdns_context_get_CAfile(context, &str_value) && str_value)
+	if (!getdns_context_get_tls_ca_file(context, &str_value) && str_value)
-		(void) getdns_dict_util_set_string(result, "CAfile", str_value);
+		(void) getdns_dict_util_set_string(result, "tls_ca_file", str_value);
+	if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value)
+		(void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value);
 
 	/* Default settings for extensions */
 	(void)getdns_dict_set_int(
@@ -4475,6 +4508,11 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
 						break;
 					}
 				}
+				if (upstream->tls_cipher_list) {
+					(void) getdns_dict_util_set_string(
+					    d, "tls_cipher_list",
+					    upstream->tls_cipher_list);
+				}
 			}
 		}
 		if (!r)
@@ -4677,10 +4715,13 @@ _getdns_context_config_setting(getdns_context *context,
 	CONTEXT_SETTING_STRING(trust_anchors_verify_CA)
 	CONTEXT_SETTING_STRING(trust_anchors_verify_email)
 	CONTEXT_SETTING_STRING(appdata_dir)
+#ifndef USE_WINSOCK
 	CONTEXT_SETTING_STRING(resolvconf)
+#endif
 	CONTEXT_SETTING_STRING(hosts)
-	CONTEXT_SETTING_STRING(CApath)
+	CONTEXT_SETTING_STRING(tls_ca_path)
-	CONTEXT_SETTING_STRING(CAfile)
+	CONTEXT_SETTING_STRING(tls_ca_file)
+	CONTEXT_SETTING_STRING(tls_cipher_list)
 
 	/**************************************/
 	/****                              ****/
@@ -5149,14 +5190,14 @@ getdns_context *_getdns_context_get_sys_ctxt(
 	    context->mf.mf.ext.free)))
 		DEBUG_ANCHOR("Could not create system context: %s\n"
 			    , getdns_get_errorstr_by_id(r));
-
+#ifndef USE_WINSOCK
 	else if (*context->fchg_resolvconf.fn &&
 	    (r = getdns_context_set_resolvconf(
 	    context->sys_ctxt, context->fchg_resolvconf.fn)))
 		DEBUG_ANCHOR("Could initialize system context with resolvconf "
 		             "\"%s\": %s\n", context->fchg_resolvconf.fn
 			    , getdns_get_errorstr_by_id(r));
-
+#endif
 	else if (*context->fchg_hosts.fn &&
 	    (r = getdns_context_set_hosts(
 	    context->sys_ctxt, context->fchg_hosts.fn)))
@@ -5186,49 +5227,79 @@ getdns_context *_getdns_context_get_sys_ctxt(
 }
 
 getdns_return_t
-getdns_context_set_CApath(getdns_context *context, const char *CApath)
+getdns_context_set_tls_ca_path(getdns_context *context, const char *tls_ca_path)
 {
-	if (!context || !CApath)
+	if (!context || !tls_ca_path)
 		return GETDNS_RETURN_INVALID_PARAMETER;
-	if (context->CApath)
+	if (context->tls_ca_path)
-		GETDNS_FREE(context->mf, context->CApath);
+		GETDNS_FREE(context->mf, context->tls_ca_path);
-	context->CApath = _getdns_strdup(&context->mf, CApath);
+	context->tls_ca_path = _getdns_strdup(&context->mf, tls_ca_path);
 
-	dispatch_updated(context, GETDNS_CONTEXT_CODE_CAPATH);
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CA_PATH);
 	return GETDNS_RETURN_GOOD;
 }
 
 getdns_return_t
-getdns_context_get_CApath(getdns_context *context, const char **CApath)
+getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path)
 {
-	if (!context || !CApath)
+	if (!context || !tls_ca_path)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	*CApath = context->CApath;
+	*tls_ca_path = context->tls_ca_path;
 	return GETDNS_RETURN_GOOD;
 }
 
 getdns_return_t
-getdns_context_set_CAfile(getdns_context *context, const char *CAfile)
+getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file)
 {
-	if (!context || !CAfile)
+	if (!context || !tls_ca_file)
 		return GETDNS_RETURN_INVALID_PARAMETER;
-	if (context->CAfile)
+	if (context->tls_ca_file)
-		GETDNS_FREE(context->mf, context->CAfile);
+		GETDNS_FREE(context->mf, context->tls_ca_file);
-	context->CAfile = _getdns_strdup(&context->mf, CAfile);
+	context->tls_ca_file = _getdns_strdup(&context->mf, tls_ca_file);
 
-	dispatch_updated(context, GETDNS_CONTEXT_CODE_CAFILE);
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CA_FILE);
 	return GETDNS_RETURN_GOOD;
 }
 
 getdns_return_t
-getdns_context_get_CAfile(getdns_context *context, const char **CAfile)
+getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file)
 {
-	if (!context || !CAfile)
+	if (!context || !tls_ca_file)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	*CAfile = context->CAfile;
+	*tls_ca_file = context->tls_ca_file;
 	return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t
+getdns_context_set_tls_cipher_list(
+    getdns_context *context, const char *tls_cipher_list)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (context->tls_cipher_list)
+		GETDNS_FREE(context->mf, context->tls_cipher_list);
+	context->tls_cipher_list = tls_cipher_list
+	                         ? _getdns_strdup(&context->mf, tls_cipher_list)
+	                         : NULL;
+
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_tls_cipher_list(
+    getdns_context *context, const char **tls_cipher_list)
+{
+	if (!context || !tls_cipher_list)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	*tls_cipher_list = context->tls_cipher_list
+	                 ? context->tls_cipher_list
+	                 : _getdns_default_tls_cipher_list;
+	return GETDNS_RETURN_GOOD;
+}
+
+
 /* context.c */

src/context.h

@@ -205,6 +205,7 @@ typedef struct getdns_upstream {
 	getdns_tls_hs_state_t    tls_hs_state;
 	getdns_auth_state_t      tls_auth_state;
 	unsigned                 tls_fallback_ok : 1;
+	char                    *tls_cipher_list;
 	/* Auth credentials*/
 	char                     tls_auth_name[256];
 	sha256_pin_t            *tls_pubkey_pinset;
@@ -343,8 +344,9 @@ struct getdns_context {
 	char                 *appdata_dir;
 	_getdns_property      can_write_appdata;
 
-	char                 *CApath;
+	char                 *tls_ca_path;
-	char                 *CAfile;
+	char                 *tls_ca_file;
+	char                 *tls_cipher_list;
 
 	getdns_upstreams     *upstreams;
 	uint16_t             limit_outstanding_queries;
@@ -527,8 +529,6 @@ void _getdns_context_cancel_request(getdns_dns_req *dnsreq);
  */
 void _getdns_context_request_timed_out(getdns_dns_req *dnsreq);
 
-char *_getdns_strdup(const struct mem_funcs *mfs, const char *str);
-
 struct getdns_bindata *_getdns_bindata_copy(
     struct mem_funcs *mfs, size_t size, const uint8_t *data);
 

src/getdns/getdns.h.in

@@ -1687,6 +1687,8 @@ getdns_context_set_dnssec_allowed_skew(getdns_context *context,
  *                        - `value` A SHA256 hash of the `SubjectPublicKeyInfo`
  *                          of the upstream, which will be used to authenticate
  *                          it.
+ *                      - `tls_cipher_list` (a bindata) that is the string
+ *                        of available ciphers specific for this upstream.
  * @return GETDNS_RETURN_GOOD when successful. 
  * @return GETDNS_RETURN_INVALID_PARAMETER when `context` or `upstream_list` was `NULL`
  * @return GETDNS_RETURN_CONTEXT_UPDATE_FAIL when there were problems parsing

src/getdns/getdns_extra.h.in

@@ -94,10 +94,12 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT "Change related to getdns_context_set_resolvconf"
 #define GETDNS_CONTEXT_CODE_HOSTS 630
 #define GETDNS_CONTEXT_CODE_HOSTS_TEXT "Change related to getdns_context_set_hosts"
-#define GETDNS_CONTEXT_CODE_CAPATH 631
+#define GETDNS_CONTEXT_CODE_TLS_CA_PATH 631
-#define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath"
+#define GETDNS_CONTEXT_CODE_TLS_CA_PATH_TEXT "Change related to getdns_context_set_tls_ca_path"
-#define GETDNS_CONTEXT_CODE_CAFILE 632
+#define GETDNS_CONTEXT_CODE_TLS_CA_FILE 632
-#define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile"
+#define GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT "Change related to getdns_context_set_tls_ca_file"
+#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST 633
+#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list"
 
 /** @}
   */
@@ -717,27 +719,39 @@ getdns_context_set_hosts(getdns_context *context, const char *hosts);
 /**
  * Specify where the location for CA certificates for verification purposes
  * are located.
- * @see getdns_context_get_CApath
+ * @see getdns_context_get_tls_ca_path
- * @see getdns_context_set_CAfile
+ * @see getdns_context_set_tls_ca_file
  * @param[in] context      The context to configure
- * @param[in] CApath       Directory with Certificate Authority certificates.
+ * @param[in] tls_ca_path       Directory with Certificate Authority certificates.
  * @return GETDNS_RETURN_GOOD when successful
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
 getdns_return_t
-getdns_context_set_CApath(getdns_context *context, const char *CApath);
+getdns_context_set_tls_ca_path(getdns_context *context, const char *tls_ca_path);
 
 /**
  * Specify the file with CA certificates for verification purposes.
- * @see getdns_context_get_CAfile
+ * @see getdns_context_get_tls_ca_file
- * @see getdns_context_set_CApath
+ * @see getdns_context_set_tls_ca_path
  * @param[in] context      The context to configure
- * @param[in] CAfile       The file with Certificate Authority certificates.
+ * @param[in] tls_ca_file       The file with Certificate Authority certificates.
  * @return GETDNS_RETURN_GOOD when successful
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
 getdns_return_t
-getdns_context_set_CAfile(getdns_context *context, const char *CAfile);
+getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file);
+
+/**
+ * Sets the list of available ciphers for authenticated TLS upstreams.
+ * @see getdns_context_get_tls_cipher_list
+ * @param[in] context      The context to configure
+ * @param[in] cipher_list  The cipher list
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_set_tls_cipher_list(
+    getdns_context *context, const char *cipher_list);
 
 /**
  * Get the current resolution type setting from this context.
@@ -1222,29 +1236,42 @@ getdns_context_get_hosts(getdns_context *context, const char **hosts);
 /**
  * Get the location of the directory for CA certificates for verification
  * purposes.
- * @see getdns_context_set_CApath
+ * @see getdns_context_set_tls_ca_path
- * @see getdns_context_get_CAfile
+ * @see getdns_context_get_tls_ca_file
  * @param[in]  context      The context to configure
- * @param[out] CApath       Directory with Certificate Authority certificates
+ * @param[out] tls_ca_path       Directory with Certificate Authority certificates
  *                          or NULL when one was not configured.
  * @return GETDNS_RETURN_GOOD when successful
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
 getdns_return_t
-getdns_context_get_CApath(getdns_context *context, const char **CApath);
+getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path);
 
 /**
  * Get the file location with CA certificates for verification purposes.
- * @see getdns_context_set_CAfile
+ * @see getdns_context_set_tls_ca_file
- * @see getdns_context_get_CApath
+ * @see getdns_context_get_tls_ca_path
  * @param[in]  context      The context to configure
- * @param[out] CAfile       The file with Certificate Authority certificates
+ * @param[out] tls_ca_file       The file with Certificate Authority certificates
  *                          or NULL when one was not configured.
  * @return GETDNS_RETURN_GOOD when successful
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
 getdns_return_t
-getdns_context_get_CAfile(getdns_context *context, const char **CAfile);
+getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file);
+
+/**
+ * Get the list of available ciphers for authenticated TLS upstreams.
+ * @see getdns_context_set_tls_cipher_list
+ * @param[in]  context      The context configure
+ * @param[out] cipher_list  The cipher list
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_get_tls_cipher_list(
+    getdns_context *context, const char **cipher_list);
+
 
 /** @}
  */

src/libgetdns.symbols

@@ -7,8 +7,6 @@ getdns_context_create_with_extended_memory_functions
 getdns_context_create_with_memory_functions
 getdns_context_destroy
 getdns_context_detach_eventloop
-getdns_context_get_CAfile
-getdns_context_get_CApath
 getdns_context_get_api_information
 getdns_context_get_append_name
 getdns_context_get_dns_root_servers
@@ -35,6 +33,9 @@ getdns_context_get_suffix
 getdns_context_get_timeout
 getdns_context_get_tls_authentication
 getdns_context_get_tls_backoff_time
+getdns_context_get_tls_ca_file
+getdns_context_get_tls_ca_path
+getdns_context_get_tls_cipher_list
 getdns_context_get_tls_connection_retries
 getdns_context_get_tls_query_padding_blocksize
 getdns_context_get_trust_anchors_url
@@ -44,8 +45,6 @@ getdns_context_get_update_callback
 getdns_context_get_upstream_recursive_servers
 getdns_context_process_async
 getdns_context_run
-getdns_context_set_CAfile
-getdns_context_set_CApath
 getdns_context_set_appdata_dir
 getdns_context_set_append_name
 getdns_context_set_context_update_callback
@@ -77,6 +76,9 @@ getdns_context_set_suffix
 getdns_context_set_timeout
 getdns_context_set_tls_authentication
 getdns_context_set_tls_backoff_time
+getdns_context_set_tls_ca_file
+getdns_context_set_tls_ca_path
+getdns_context_set_tls_cipher_list
 getdns_context_set_tls_connection_retries
 getdns_context_set_tls_query_padding_blocksize
 getdns_context_set_trust_anchors_url

src/stub.c

@@ -986,9 +986,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		SSL_set_cipher_list(ssl, "DEFAULT");
 		DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__);
-	} else
+	} else {
+		if (upstream->tls_cipher_list)
+			SSL_set_cipher_list(ssl, upstream->tls_cipher_list);
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
+	}
 	SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback);
 
 	SSL_set_connect_state(ssl);

src/test/check_getdns_context_set_dns_transport.h

@@ -144,6 +144,8 @@
        uint16_t payload_size;
        uint8_t do_bit;
        getdns_transport_t trans;
+       int upstream_is_dnsmasq = 0;
+       getdns_bindata *version_str = NULL;
 
        /* Note that stricly this test just establishes that the requested transport
           and the reported transport are consistent, it does not guarentee which
@@ -156,6 +158,7 @@
        ASSERT_RC(getdns_dict_set_int(extensions,"return_call_reporting", GETDNS_EXTENSION_TRUE),
          GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()");
 
+
        /* Request a response that should be truncated over UDP */
        ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_ONLY),
          GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");
@@ -163,6 +166,15 @@
          GETDNS_RETURN_GOOD, "Return code from getdns_context_get_dns_transport()");
        ck_assert_msg(trans == 541, "dns_transport should be 541(GETDNS_TRANSPORT_UDP_ONLY) but got %d", (int)trans);
 
+       ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_CH),
+         GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()");
+       ASSERT_RC(getdns_general_sync(context, "version.bind.", GETDNS_RRTYPE_TXT, extensions, &response), 
+         GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
+       (void) getdns_dict_get_bindata(response, "/replies_tree/0/answer/0/rdata/txt_strings/0", &version_str);
+       upstream_is_dnsmasq = version_str && version_str->size > 7 &&
+                             strncmp((char *)version_str->data, "dnsmasq", 7) == 0;
+       ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_IN),
+         GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()");
 
        ASSERT_RC(getdns_context_set_edns_maximum_udp_payload_size(context, 512),
            GETDNS_RETURN_GOOD, "Return code from getdns_context_set_edns_maximum_udp_payload_size()");
@@ -187,35 +199,36 @@
        ASSERT_RC(type, GETDNS_RESOLUTION_STUB, "Query did not use stub mode");
        ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
          GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
-       ASSERT_RC(tc, 1, "Packet not trucated as expected");
+       if (!upstream_is_dnsmasq) {
+         ASSERT_RC(tc, 1, "Packet not truncated as expected");
 
-       /* Re-do over TCP */
+         /* Re-do over TCP */
-       ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY),
+         ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY),
-         GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");   
+           GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");   
   
-       ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), 
+         ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), 
-         GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
+           GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
 
-       ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport),
+         ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport),
-         GETDNS_RETURN_GOOD, "Failed to extract \"transport\"");
+           GETDNS_RETURN_GOOD, "Failed to extract \"transport\"");
-       ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP");
+         ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP");
-       ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
+         ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
-         GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
+           GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
-       ASSERT_RC(tc, 0, "Packet trucated - not as expected");
+         ASSERT_RC(tc, 0, "Packet trucated - not as expected");
 
-       /* Now let it fall back to TCP */
+         /* Now let it fall back to TCP */
-       ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP),
+         ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP),
-         GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");   
+           GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()");   
-       ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), 
+         ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), 
-         GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
+           GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()");
-
-       ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport),
-         GETDNS_RETURN_GOOD, "Failed to extract \"transport\"");
-       ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP");
-       ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
-         GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
-       ASSERT_RC(tc, 0, "Packet trucated - not as expected");
 
+         ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport),
+           GETDNS_RETURN_GOOD, "Failed to extract \"transport\"");
+         ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP");
+         ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc),
+           GETDNS_RETURN_GOOD, "Failed to extract \"tc\"");
+         ASSERT_RC(tc, 0, "Packet trucated - not as expected");
+       }
        ASSERT_RC(getdns_context_unset_edns_maximum_udp_payload_size(context),
          GETDNS_RETURN_GOOD, "Return code from getdns_context_unset_edns_maximum_udp_payload_size()");
 

src/tools/getdns_query.c

@@ -91,7 +91,9 @@ static int async = 0, interactive = 0;
 static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL;
 static int bogus_answers = 0;
 static int check_dnssec = 0;
+#ifndef USE_WINSOCK
 static char *resolvconf = NULL;
+#endif
 static int print_api_info = 0, print_trust_anchors = 0;
 
 static int get_rrtype(const char *t)
@@ -256,8 +258,10 @@ print_usage(FILE *out, const char *progname)
 	fprintf(out, "\t\t(should look like '" EXAMPLE_PIN "')\n");
 	fprintf(out, "\t-m\tSet TLS authentication mode to REQUIRED\n");
 	fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n");
+#ifndef USE_WINSOCK
 	fprintf(out, "\t-o <filename>\tSet resolver configuration file path\n");
 	fprintf(out, "\t\t(default = %s)\n", GETDNS_FN_RESOLVCONF);
+#endif
 	fprintf(out, "\t-p\tPretty print response dict (default)\n");
 	fprintf(out, "\t-P <blocksize>\tPad TLS queries to a multiple of blocksize\n"
 		"\t\t(special values: 0: no padding, 1: sensible default policy)\n");
@@ -824,6 +828,7 @@ getdns_return_t parse_args(int argc, char **argv)
 				getdns_context_set_tls_authentication(context,
 				                 GETDNS_AUTHENTICATION_REQUIRED);
 				break;
+#ifndef USE_WINSOCK
 			case 'o':
 				if (c[1] != 0 || ++i >= argc || !*argv[i]) {
 					fprintf(stderr, "<filename>"
@@ -832,6 +837,7 @@ getdns_return_t parse_args(int argc, char **argv)
 				}
 				resolvconf = argv[i];
 				break;
+#endif
 			case 'P':
 				if (c[1] != 0 || ++i >= argc || !*argv[i]) {
 					fprintf(stderr, "tls_query_padding_blocksize "
@@ -1733,6 +1739,7 @@ main(int argc, char **argv)
 
 	if ((r = parse_args(argc, argv)) && r != CONTINUE)
 		goto done_destroy_context;
+#ifndef USE_WINSOCK
 	if (resolvconf) {
 		if ((r = getdns_context_set_resolvconf(context, resolvconf))) {
 			fprintf(stderr, "Problem initializing with resolvconf: %d\n", (int)r);
@@ -1741,6 +1748,7 @@ main(int argc, char **argv)
 		if ((r = parse_args(argc, argv)))
 			goto done_destroy_context;
 	}
+#endif
 	if (print_api_info) {
 		getdns_dict *api_information = 
 		    getdns_context_get_api_information(context);

stubby

@@ -1 +1 @@
-Subproject commit 3d0766f832368ff249020fc5101cca1a41a98620
+Subproject commit f0b330454b95a07106af33b1869b7cd18cfaebf2