1) Fix enum mapping error.

2) Also add detection of TLS 1.2 in openssl during configure and warn that it if not available then TLS will not be available. Using TLS_ONLY in stub mode will then error with BAD_CONTEXT. TLS/TCP will fallback to TCP. 3) Explicitly disallow use of TLS_ONLY in RECURSIVE mode since it isn't supported yet. TLS/TCP will fallback to TCP. 4) Fix for MAC OS X build where openssl not linked correctly
2015-04-17 18:38:13 +01:00 · 2015-04-17 18:38:13 +01:00 · 6c7ffc4e4e
parent ab4fb8d9e9
commit 6c7ffc4e4e
4 changed files with 21 additions and 10 deletions
--- a/m4/acx_openssl.m4
+++ b/m4/acx_openssl.m4
@ -48,8 +48,8 @@ AC_DEFUN([ACX_SSL_CHECKS], [
            fi
        
            AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
-            LIBS="$LIBS -lcrypto"
-            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
+            LIBS="$LIBS -lcrypto -lssl"
+            LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto -lssl"
            AC_TRY_LINK(, [
                int HMAC_CTX_init(void);
                (void)HMAC_CTX_init();
@ -105,6 +105,8 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_LIB(ssl, TLSv1_2_client_method,AC_DEFINE([HAVE_LIBTLS1_2], [1],
+    [Define if you have libssl with tls 1.2]),[AC_MSG_WARN([Cannot find TLSv1_2_client_method in libssl library. TLS will not be available.])])
 ])dnl End of ACX_SSL_CHECKS

 dnl Check for SSL, where SSL is mandatory
--- a/src/context.c
+++ b/src/context.c
@ -1134,8 +1134,8 @@ getdns_context_set_namespaces(struct getdns_context *context,
    return GETDNS_RETURN_GOOD;
 }               /* getdns_context_set_namespaces */

-getdns_transport_t
-priv_get_transport(getdns_transport_t transport, int level) {
+getdns_base_transport_t
+priv_get_base_transport(getdns_transport_t transport, int level) {
 	if (!(level == 0 || level == 1)) return GETDNS_TRANSPORT_NONE;
 	switch (transport) {
 		case GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP:
@ -1837,23 +1837,30 @@ getdns_context_prepare_for_resolution(struct getdns_context *context,
    }

 	/* Transport can in theory be set per query in stub mode */
+	/* TODO: move this transport logic to a separate functions*/
 	if (context->resolution_type == GETDNS_RESOLUTION_STUB) {
 		switch (context->dns_transport) {
 			case GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN:
 			case GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN:
 				if (context->tls_ctx == NULL) {
+#ifdef HAVE_LIBTLS1_2
 					/* Create client context, use TLS v1.2 only for now */
-					SSL_CTX* tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
-					if(!tls_ctx) {
+					context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
+#endif
+					if(!context->tls_ctx && context->dns_transport == 
+					   GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN) {
 						return GETDNS_RETURN_BAD_CONTEXT;
 					}
-					context->tls_ctx = tls_ctx;
 				}
 				break;
 			default:
 				break;
 		}
 	}
+	/* Block use of TLS ONLY in recursive mode as it won't work */
+	if (context->resolution_type == GETDNS_RESOLUTION_RECURSING
+	&& context->dns_transport == GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN)
+		return GETDNS_RETURN_BAD_CONTEXT;

 	if (context->resolution_type_set == context->resolution_type)
        	/* already set and no config changes
--- a/src/context.h
+++ b/src/context.h
@ -231,6 +231,6 @@ int filechg_check(struct getdns_context *context, struct filechg *fchg);

 void priv_getdns_context_ub_read_cb(void *userarg);

-getdns_transport_t priv_get_transport(getdns_transport_t transport, int level);
+getdns_base_transport_t priv_get_base_transport(getdns_transport_t transport, int level);

 #endif /* _GETDNS_CONTEXT_H_ */
--- a/src/stub.c
+++ b/src/stub.c
@ -663,6 +663,8 @@ do_tls_handshake(getdns_dns_req *dnsreq, getdns_upstream *upstream)
 	}

 	/* Create SSL instance */
+	if (dnsreq->context->tls_ctx == NULL)
+		return NULL;
 	SSL* ssl = SSL_new(dnsreq->context->tls_ctx);
 	if(!ssl) {
 		return NULL;
@ -1210,9 +1212,9 @@ priv_getdns_submit_stub_request(getdns_network_req *netreq)
 	    	return GETDNS_RETURN_GENERIC_ERROR;

 	// Work out the primary and fallback transport options
-	getdns_base_transport_t transport    = priv_get_transport(
+	getdns_base_transport_t transport    = priv_get_base_transport(
 	                                       dnsreq->context->dns_transport,0);
-	getdns_base_transport_t fb_transport = priv_get_transport(
+	getdns_base_transport_t fb_transport = priv_get_base_transport(
 	                                       dnsreq->context->dns_transport,1);
 	switch(transport) {
 	case GETDNS_TRANSPORT_UDP: