mirror of https://github.com/getdnsapi/getdns.git
1) Fix enum mapping error.
2) Also add detection of TLS 1.2 in openssl during configure and warn that if it is not available then TLS will not be available. Using TLS_ONLY in stub mode will then error with BAD_CONTEXT. TLS/TCP will fall back to TCP. 3) Explicitly disallow use of TLS_ONLY in RECURSIVE mode since it isn't supported yet. TLS/TCP will fall back to TCP. 4) Fix for MAC OS X build where openssl was not linked correctly
This commit is contained in:
parent
ab4fb8d9e9
commit
6c7ffc4e4e
|
@ -48,8 +48,8 @@ AC_DEFUN([ACX_SSL_CHECKS], [
|
|||
fi
|
||||
|
||||
AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
|
||||
LIBS="$LIBS -lcrypto"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
|
||||
LIBS="$LIBS -lcrypto -lssl"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto -lssl"
|
||||
AC_TRY_LINK(, [
|
||||
int HMAC_CTX_init(void);
|
||||
(void)HMAC_CTX_init();
|
||||
|
@ -105,6 +105,8 @@ AC_DEFUN([ACX_SSL_CHECKS], [
|
|||
AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_LIB(ssl, TLSv1_2_client_method,AC_DEFINE([HAVE_LIBTLS1_2], [1],
|
||||
[Define if you have libssl with tls 1.2]),[AC_MSG_WARN([Cannot find TLSv1_2_client_method in libssl library. TLS will not be available.])])
|
||||
])dnl End of ACX_SSL_CHECKS
|
||||
|
||||
dnl Check for SSL, where SSL is mandatory
|
||||
|
|
|
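Review bot: `AC_CHECK_LIB(ssl, TLSv1_2_client_method, ...)` probes libssl with no other-libraries argument, so on a toolchain where libssl does not pull in libcrypto implicitly (static libraries, or linkers that do not resolve transitive dependencies) the link test can fail even though TLS 1.2 is present, HAVE_LIBTLS1_2 stays undefined, and TLS_ONLY then surfaces at runtime as BAD_CONTEXT with nothing pointing back to configure. Passing the libraries explicitly, `AC_CHECK_LIB(ssl, TLSv1_2_client_method, AC_DEFINE(...), [AC_MSG_WARN(...)], [$LIBSSL_LIBS])`, keeps the probe independent of whether the branch in the first hunk already appended `-lcrypto -lssl` to LIBS. Whether LIBS carries those flags at this point depends on which branch of the `if` above the first hunk was taken, which is outside this view.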
@ -1134,8 +1134,8 @@ getdns_context_set_namespaces(struct getdns_context *context,
|
|||
return GETDNS_RETURN_GOOD;
|
||||
} /* getdns_context_set_namespaces */
|
||||
|
||||
getdns_transport_t
|
||||
priv_get_transport(getdns_transport_t transport, int level) {
|
||||
getdns_base_transport_t
|
||||
priv_get_base_transport(getdns_transport_t transport, int level) {
|
||||
if (!(level == 0 || level == 1)) return GETDNS_TRANSPORT_NONE;
|
||||
switch (transport) {
|
||||
case GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP:
|
||||
|
@ -1837,23 +1837,30 @@ getdns_context_prepare_for_resolution(struct getdns_context *context,
|
|||
}
|
||||
|
||||
/* Transport can in theory be set per query in stub mode */
|
||||
/* TODO: move this transport logic to a separate functions*/
|
||||
if (context->resolution_type == GETDNS_RESOLUTION_STUB) {
|
||||
switch (context->dns_transport) {
|
||||
case GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN:
|
||||
case GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN:
|
||||
if (context->tls_ctx == NULL) {
|
||||
#ifdef HAVE_LIBTLS1_2
|
||||
/* Create client context, use TLS v1.2 only for now */
|
||||
SSL_CTX* tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
|
||||
if(!tls_ctx) {
|
||||
context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
|
||||
#endif
|
||||
if(!context->tls_ctx && context->dns_transport ==
|
||||
GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN) {
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
}
|
||||
context->tls_ctx = tls_ctx;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
/* Block use of TLS ONLY in recursive mode as it won't work */
|
||||
if (context->resolution_type == GETDNS_RESOLUTION_RECURSING
|
||||
&& context->dns_transport == GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN)
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
|
||||
if (context->resolution_type_set == context->resolution_type)
|
||||
/* already set and no config changes
|
||||
|
|
|
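Review bot: At `context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());` a failed SSL_CTX_new is indistinguishable from TLS 1.2 being compiled out: under TLS_FIRST_AND_FALL_BACK_TO_TCP the NULL is discarded, the OpenSSL error queue is never drained, and the query silently downgrades to TCP, so an allocation or library error loses its cause entirely. Downgrading is the documented intent for TLS_FIRST, but the branch deserves a comment making that explicit, e.g. `/* tls_ctx stays NULL on failure: TLS_ONLY is rejected below, TLS_FIRST falls back to TCP per transport policy */`, and the failure case is worth logging via `ERR_get_error()` before falling through. Nothing in this hunk sets a verify mode, cipher list or options on the new context, and this appears to be the only place it is created, so if verification is meant to be configured elsewhere that should be confirmed. Dropping the old `SSL_CTX* tls_ctx` temporary is an improvement since the BAD_CONTEXT check now also covers the `#ifdef` being false. getdns_context_prepare_for_resolution starts and ends outside this hunk.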
@ -231,6 +231,6 @@ int filechg_check(struct getdns_context *context, struct filechg *fchg);
|
|||
|
||||
void priv_getdns_context_ub_read_cb(void *userarg);
|
||||
|
||||
getdns_transport_t priv_get_transport(getdns_transport_t transport, int level);
|
||||
getdns_base_transport_t priv_get_base_transport(getdns_transport_t transport, int level);
|
||||
|
||||
#endif /* _GETDNS_CONTEXT_H_ */
|
||||
|
|
|
@ -663,6 +663,8 @@ do_tls_handshake(getdns_dns_req *dnsreq, getdns_upstream *upstream)
|
|||
}
|
||||
|
||||
/* Create SSL instance */
|
||||
if (dnsreq->context->tls_ctx == NULL)
|
||||
return NULL;
|
||||
SSL* ssl = SSL_new(dnsreq->context->tls_ctx);
|
||||
if(!ssl) {
|
||||
return NULL;
|
||||
|
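Review bot: The new guard `if (dnsreq->context->tls_ctx == NULL) return NULL;` carries no comment saying when tls_ctx is NULL, so a reader of do_tls_handshake cannot tell a deliberate "TLS unavailable" path from a programming error; SSL_new already returns NULL for a NULL context, and presumably the early return exists to avoid the error it would push onto the OpenSSL error queue. Suggest `/* tls_ctx is NULL when TLS 1.2 was unavailable at configure time or SSL_CTX_new failed; the caller falls back per the transport policy */` above the check. The caller's handling of a NULL return is outside this hunk, so confirm it is treated as a transport fallback rather than a hard failure. do_tls_handshake starts outside the hunk.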
@ -1210,9 +1212,9 @@ priv_getdns_submit_stub_request(getdns_network_req *netreq)
|
|||
return GETDNS_RETURN_GENERIC_ERROR;
|
||||
|
||||
// Work out the primary and fallback transport options
|
||||
getdns_base_transport_t transport = priv_get_transport(
|
||||
getdns_base_transport_t transport = priv_get_base_transport(
|
||||
dnsreq->context->dns_transport,0);
|
||||
getdns_base_transport_t fb_transport = priv_get_transport(
|
||||
getdns_base_transport_t fb_transport = priv_get_base_transport(
|
||||
dnsreq->context->dns_transport,1);
|
||||
switch(transport) {
|
||||
case GETDNS_TRANSPORT_UDP:
|
||||
|
|