Release 1.5.2

-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCgAyFiEE3DTuXbJBe8wVHlEA5fj4IS93pJgFAlykwI0UHHdpbGxlbUBu
 bG5ldGxhYnMubmwACgkQ5fj4IS93pJhmUBAAhM1s6SjOHiG3vKpH+vyRfXHRTDSY
 b+VvNy1HHs+FBeCZOpg5Vw8tqlaLIWJh8uO/E1o+x4beo8j/6X39q0ebZLxhuTmZ
 jv0Ja1HBEKT/5c7qC+EFO2NjwdBYA3XJWJn+/iXqaTG9P5Wctcu9GIjAiRAXdEFB
 nGel0ZGBp0HP4ox9cIqs5WSzWmB03MX9vwxRb9Ef1E0myOmvjjGGTwoCK297kdYG
 gs063AVAKByR2cdNbJSM+nRWx4HqYe1oTY2FGxNfO2x9XdSCDpW0wyXSYsfKCZDc
 enJBNEtgeYLNljTtqNjSTqQwivejH/THplTG6ZgVyITJoe7xp/93trFzlSqL2kts
 1tr4SogY0vOCD7/x/S8THaZnSzZza70Je6dW+Low1coEDQl3K7h80sopyRweIoJd
 LyVLPrYUiTbepuYpvTfYtxuhnrIKMzafgkgAAaFZXBMuzQeh8VKtKqF+hMFpVYiv
 ojLz131gfja4qa9ecxwSrc7iEf7YHk7wJ84d5GhhCyWyoPq5EFvK15ngi6vofASd
 uqFAexM7iGPJ4iP0ZLYPiuXgr+TUJmI+Tz6DLQgZiq1HxSymKq5fdHAcz2pup0Mj
 26GrQ7zagZuirApckodDvdCE3Pc4MtPEyBvT7VwI1DwdZI/k8YdZ27YIlsvTTNhO
 Fu1WlmZ2ylSxUu4=
 =ECik
 -----END PGP SIGNATURE-----

Merge tag 'v1.5.2' into develop

Release 1.5.2
This commit is contained in:
Willem Toorop 2019-04-03 16:18:59 +02:00
commit 42ea03ef07
6 changed files with 76 additions and 37 deletions


@ -1,10 +1,15 @@
* 2019-??-??: Version 1.?.? * 2019-04-03: Version 1.5.2
* PR #424: Two small trust anchor fetcher fixes
Thanks Maciej S. Szmigiero
* Issue #422: Enable server side and update client side TCP Fast * Issue #422: Enable server side and update client side TCP Fast
Open implementation. Thanks Craig Andrews Open implementation. Thanks Craig Andrews
* Issue #423: Fix insecure delegation detection while scheduling. * Issue #423: Fix insecure delegation detection while scheduling.
Thanks Charles Milette Thanks Charles Milette
* Issue #419: Escape backslashed when printing in JSON format. * Issue #419: Escape backslashed when printing in JSON format.
Thanks boB Rudis Thanks boB Rudis
* Use GnuTLS instead of OpenSSL for TLS with the --with-gnutls
option to configure. libcrypto (from OpenSSL) still needed
for Zero configuration DNSSEC.
* DOA rr-type * DOA rr-type
* AMTRELAY rr-type * AMTRELAY rr-type


@ -37,7 +37,7 @@ sinclude(./m4/ac_lib_nettle.m4)
sinclude(./m4/ax_check_compile_flag.m4) sinclude(./m4/ax_check_compile_flag.m4)
sinclude(./m4/pkg.m4) sinclude(./m4/pkg.m4)
AC_INIT([getdns], [1.5.1], [team@getdnsapi.net], [getdns], [https://getdnsapi.net]) AC_INIT([getdns], [1.5.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
# Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian) # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
# patched to do the same, but frequently (MacOS) not. So add a with option # patched to do the same, but frequently (MacOS) not. So add a with option
@ -64,13 +64,13 @@ AC_ARG_WITH([current-date],
[CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"]) [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"]) AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050100]) AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050200])
AC_SUBST(API_VERSION, ["December 2015"]) AC_SUBST(API_VERSION, ["December 2015"])
AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00]) AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API" GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package]) AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package])
AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.5$STUBBY_RELEASE_CANDIDATE"], [Stubby package string]) AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.6$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
# Library version # Library version
# --------------- # ---------------
@ -107,9 +107,10 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.5$STUBBY_RELEASE_CANDIDATE"],
# getdns-1.4.0 had libversion 10:0:0 # getdns-1.4.0 had libversion 10:0:0
# getdns-1.4.1 had libversion 10:1:0 # getdns-1.4.1 had libversion 10:1:0
# getdns-1.4.2 had libversion 10:2:0 # getdns-1.4.2 had libversion 10:2:0
# getdns-1.5.0 has libversion 11:0:1 # getdns-1.5.0 had libversion 11:0:1
# getdns-1.5.1 has libversion 11:1:1 # getdns-1.5.1 had libversion 11:1:1
GETDNS_LIBVERSION=11:1:1 # getdns-1.5.2 has libversion 11:2:1
GETDNS_LIBVERSION=11:2:1
AC_SUBST(GETDNS_COMPILATION_COMMENT) AC_SUBST(GETDNS_COMPILATION_COMMENT)
AC_SUBST(GETDNS_LIBVERSION) AC_SUBST(GETDNS_LIBVERSION)


@ -201,12 +201,14 @@ typedef struct getdns_upstream {
getdns_network_req *write_queue_last; getdns_network_req *write_queue_last;
_getdns_rbtree_t netreq_by_query_id; _getdns_rbtree_t netreq_by_query_id;
/* TLS specific connection handling*/ /* TCP specific connection handling*/
unsigned tfo_use_sendto : 1;
/* TLS specific connection handling*/
unsigned tls_fallback_ok : 1;
_getdns_tls_connection* tls_obj; _getdns_tls_connection* tls_obj;
_getdns_tls_session* tls_session; _getdns_tls_session* tls_session;
getdns_tls_hs_state_t tls_hs_state; getdns_tls_hs_state_t tls_hs_state;
getdns_auth_state_t tls_auth_state; getdns_auth_state_t tls_auth_state;
unsigned tls_fallback_ok : 1;
/* TLS settings */ /* TLS settings */
char *tls_cipher_list; char *tls_cipher_list;
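Review bot: The new `tfo_use_sendto` bit encodes a cross-file contract that the field itself does not state: when it is set, tcp_connect() has returned the socket without calling connect() and stub_tcp_write() must open the connection with its sendto() path, so a plain send() on such an upstream would be wrong. Put that on the field so the next reader of the struct does not have to find it in stub.c, e.g. `unsigned tfo_use_sendto : 1; /* set by tcp_connect() when TCP_FASTOPEN is used (TCP only): connect() was skipped, stub_tcp_write() must use sendto() */`. The definition of struct getdns_upstream starts before this hunk.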


@ -914,7 +914,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
int osr = SSL_dane_enable(conn->ssl, *auth_name ? auth_name : NULL); int osr = SSL_dane_enable(conn->ssl, *auth_name ? auth_name : NULL);
(void) osr; (void) osr;
DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n" DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
, STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr); , STUB_DEBUG_SETUP_TLS, __FUNC__, auth_name, osr);
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
const sha256_pin_t *pin_p; const sha256_pin_t *pin_p;
size_t n_pins = 0; size_t n_pins = 0;
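Review bot: The corrected DEBUG_STUB line is now the only place the result of SSL_dane_enable() surfaces, and the `(void) osr;` just above it discards the value, so a failed enable (osr <= 0 per the OpenSSL API) is recorded only in debug builds while the function goes on to install the pin set through the DANE machinery it just failed to turn on. A failure to arm the pin check deserves at least a warning-level log, and probably an error return, since the connection would otherwise verify with `_getdns_tls_verify_always_ok` and whatever pins could not be registered: `if (osr <= 0) { /* log at GETDNS_LOG_WARNING; pinning cannot be enforced on this connection */ }`. Whether a later check in this function catches the case is not visible here; _getdns_tls_connection_set_host_pinset continues past the hunk.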


@ -385,6 +385,7 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
int fd = -1; int fd = -1;
upstream->tfo_use_sendto = 0;
DEBUG_STUB("%s %-35s: Creating TCP connection: %p\n", STUB_DEBUG_SETUP, DEBUG_STUB("%s %-35s: Creating TCP connection: %p\n", STUB_DEBUG_SETUP,
__FUNC__, (void*)upstream); __FUNC__, (void*)upstream);
if ((fd = socket(upstream->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) if ((fd = socket(upstream->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
@ -413,21 +414,50 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
doesn't start till the sendto() lack of connection is often delayed until doesn't start till the sendto() lack of connection is often delayed until
then or even the subsequent event depending on the error and platform.*/ then or even the subsequent event depending on the error and platform.*/
# if defined(HAVE_DECL_TCP_FASTOPEN_CONNECT) && HAVE_DECL_TCP_FASTOPEN_CONNECT # if defined(HAVE_DECL_TCP_FASTOPEN_CONNECT) && HAVE_DECL_TCP_FASTOPEN_CONNECT
(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT
, (void *)&enable, sizeof(enable)); , (void *)&enable, sizeof(enable)) < 0) {
/* runtime fallback to TCP_FASTOPEN option */
_getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
"%-40s : Upstream : "
"Could not setup TLS capable TFO connect\n",
upstream->addr_str);
# if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
/* TCP_FASTOPEN works for TCP only (not TLS) */
if (transport != GETDNS_TRANSPORT_TCP)
; /* This variant of TFO doesn't work with TLS */
else if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
, (void *)&enable, sizeof(enable)) >= 0) {
upstream->tfo_use_sendto = 1;
return fd;
} else
_getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
"%-40s : Upstream : "
"Could not fallback to TCP TFO\n",
upstream->addr_str);
# endif/* HAVE_DECL_TCP_FASTOPEN*/
}
/* On success regular connect is fine, TFO will happen automagically */
# else /* HAVE_DECL_TCP_FASTOPEN_CONNECT */ # else /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
# if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN # if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN /* TCP_FASTOPEN works for TCP only (not TLS) */
, (void *)&enable, sizeof(enable)); if (transport != GETDNS_TRANSPORT_TCP)
; /* This variant of TFO doesn't work with TLS */
else if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
, (void *)&enable, sizeof(enable)) >= 0) {
upstream->tfo_use_sendto = 1;
return fd;
} else
_getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
"%-40s : Upstream : Could not setup TCP TFO\n",
upstream->addr_str);
# endif/* HAVE_DECL_TCP_FASTOPEN*/ # endif/* HAVE_DECL_TCP_FASTOPEN*/
# endif /* HAVE_DECL_TCP_FASTOPEN_CONNECT */ # endif /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
# if defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
/* Leave the connect to the later call to sendto() if using TCP*/
if (transport == GETDNS_TRANSPORT_TCP)
return fd;
# else /* HAVE_DECL_MSG_FASTOPEN */
(void)transport;
# endif /* HAVE_DECL_MSG_FASTOPEN */
#endif /* USE_OSX_TCP_FASTOPEN */ #endif /* USE_OSX_TCP_FASTOPEN */
if (connect(fd, (struct sockaddr *)&upstream->addr, if (connect(fd, (struct sockaddr *)&upstream->addr,
upstream->addr_len) == -1) { upstream->addr_len) == -1) {
@ -758,22 +788,24 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq)
* Lets see how much of it we can write * Lets see how much of it we can write
*/ */
/* We use sendto() here which will do both a connect and send */ /* We use sendto() here which will do both a connect and send */
#ifdef USE_TCP_FASTOPEN if (netreq->upstream->tfo_use_sendto) {
written = sendto(fd, netreq->query - 2, pkt_len + 2, written = sendto(fd, netreq->query - 2, pkt_len + 2,
# if defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN # if defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
MSG_FASTOPEN, MSG_FASTOPEN,
# else # else
0, 0,
# endif # endif
(struct sockaddr *)&(netreq->upstream->addr), (struct sockaddr *)&(netreq->upstream->addr),
netreq->upstream->addr_len); netreq->upstream->addr_len);
/* If pipelining we will find that the connection is already up so /* If pipelining we will find that the connection is already up so
just fall back to a 'normal' write. */ just fall back to a 'normal' write. */
if (written == -1 && _getdns_socketerror() == _getdns_EISCONN) if (written == -1
written = write(fd, netreq->query - 2, pkt_len + 2); && _getdns_socketerror() == _getdns_EISCONN)
#else written = write(fd, netreq->query - 2
written = send(fd, (const char *)(netreq->query - 2), pkt_len + 2, 0); , pkt_len + 2);
#endif } else
written = send(fd, (const char *)(netreq->query - 2)
, pkt_len + 2, 0);
if ((written == -1 && _getdns_socketerror_wants_retry()) || if ((written == -1 && _getdns_socketerror_wants_retry()) ||
(size_t)written < pkt_len + 2) { (size_t)written < pkt_len + 2) {
@ -967,8 +999,7 @@ tls_do_handshake(getdns_upstream *upstream)
return STUB_TCP_RETRY; return STUB_TCP_RETRY;
default: default:
DEBUG_STUB("%s %-35s: FD: %d Handshake failed %d\n", DEBUG_STUB("%s %-35s: FD: %d Handshake failed %d\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, r);
want);
return STUB_SETUP_ERROR; return STUB_SETUP_ERROR;
} }
} }
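Review bot: In the tcp_connect() hunk the TCP_FASTOPEN fallback — the transport check, the setsockopt(TCP_FASTOPEN) call, setting `tfo_use_sendto` and returning early, plus the warning log — is written out twice, once inside the TCP_FASTOPEN_CONNECT failure branch and once in the `#else` arm, differing only in the log text, which is the kind of duplication that drifts apart on the next fix. A small static helper that takes the failure message keeps the "skip connect(), let sendto() do it" contract in one place; a sketch follows. Separately, when a kernel rejects TCP_FASTOPEN_CONNECT at runtime (newer headers, older kernel) the "Could not setup TLS capable TFO connect" warning fires on every TCP and TLS connection attempt, which is presumably noisy; a lower level, if the logger has one, or a once-per-upstream flag would be kinder. tcp_connect() begins and ends outside the hunk, and `enable` is declared above it.
```c
# if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
/* Try TFO via the TCP_FASTOPEN socket option (TCP only; this variant does
 * not work with TLS).  On success mark the upstream so stub_tcp_write()
 * performs the implicit connect with sendto() and return 1: the caller must
 * then return fd without calling connect().  On failure log failure_msg. */
static int
tcp_try_fastopen_sendto(getdns_upstream *upstream, int fd,
    getdns_transport_list_t transport, const char *failure_msg)
{
	int enable = 1;

	if (transport != GETDNS_TRANSPORT_TCP)
		return 0;
	if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
	              , (void *)&enable, sizeof(enable)) >= 0) {
		upstream->tfo_use_sendto = 1;
		return 1;
	}
	_getdns_upstream_log(upstream,
	    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
	    "%-40s : Upstream : %s\n", upstream->addr_str, failure_msg);
	return 0;
}
# endif /* HAVE_DECL_TCP_FASTOPEN */

/* … unchanged: tcp_connect() up to the TFO setup … */
# if defined(HAVE_DECL_TCP_FASTOPEN_CONNECT) && HAVE_DECL_TCP_FASTOPEN_CONNECT
	if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT
	              , (void *)&enable, sizeof(enable)) < 0) {
		/* … unchanged: "Could not setup TLS capable TFO connect" log … */
#  if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
		if (tcp_try_fastopen_sendto(upstream, fd, transport,
		    "Could not fallback to TCP TFO"))
			return fd;
#  endif /* HAVE_DECL_TCP_FASTOPEN */
	}
	/* On success regular connect is fine, TFO will happen automagically */
# else /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
#  if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
	if (tcp_try_fastopen_sendto(upstream, fd, transport,
	    "Could not setup TCP TFO"))
		return fd;
#  endif /* HAVE_DECL_TCP_FASTOPEN */
# endif /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
/* … unchanged: connect() and the rest of tcp_connect() … */
```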

2
stubby

@ -1 +1 @@
Subproject commit 108a15c63dc08b50d6fd3800cef6948f87e14c8a Subproject commit b0d3154af61e1b46a30b56d239dc074273642217