From 6c7ffc4e4ecbffbe148fea6e1b7d2cdf75d49104 Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Fri, 17 Apr 2015 18:38:13 +0100
Subject: [PATCH] 1) Fix enum mapping error. 2) Also add detection of TLS 1.2 in openssl during configure and warn that it if not available then TLS will not be available. Using TLS_ONLY in stub mode will then error with BAD_CONTEXT. TLS/TCP will fallback to TCP. 3) Explicitly disallow use of TLS_ONLY in RECURSIVE mode since it isn't supported yet. TLS/TCP will fallback to TCP. 4) Fix for MAC OS X build where openssl not linked correctly
---
 m4/acx_openssl.m4 | 6 ++++--
 src/context.c | 17 ++++++++++++-----
 src/context.h | 2 +-
 src/stub.c | 6 ++++--
 4 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/m4/acx_openssl.m4 b/m4/acx_openssl.m4
index 68e40f38..87507dce 100644
--- a/m4/acx_openssl.m4
+++ b/m4/acx_openssl.m4
@@ -48,8 +48,8 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 fi
 AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
- LIBS="$LIBS -lcrypto"
- LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
+ LIBS="$LIBS -lcrypto -lssl"
+ LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto -lssl"
 AC_TRY_LINK(, [
 int HMAC_CTX_init(void);
 (void)HMAC_CTX_init();
@@ -105,6 +105,8 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_LIB(ssl, TLSv1_2_client_method,AC_DEFINE([HAVE_LIBTLS1_2], [1],
+ [Define if you have libssl with tls 1.2]),[AC_MSG_WARN([Cannot find TLSv1_2_client_method in libssl library. TLS will not be available.])])
 ])dnl End of ACX_SSL_CHECKS
 dnl Check for SSL, where SSL is mandatory
diff --git a/src/context.c b/src/context.c
index 77fe07df..1c6caddd 100644
--- a/src/context.c
+++ b/src/context.c
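Review bot: Both LIBS lines append `-lssl` after `-lcrypto`, but libssl depends on libcrypto, so with static archives a single-pass linker such as GNU ld can leave libssl's references unresolved; the conventional order is `LIBS="$LIBS -lssl -lcrypto"` and `LIBSSL_LIBS="$LIBSSL_LIBS -lssl -lcrypto"` (shared-library builds, as on the macOS case the commit fixes, are indifferent to the order). The AC_MSG_CHECKING text still says "in -lcrypto" although the probe now links both libraries, so a failure report would point at the wrong library. The AC_TRY_LINK call this feeds continues outside the hunk.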
@@ -1134,8 +1134,8 @@ getdns_context_set_namespaces(struct getdns_context *context,
 return GETDNS_RETURN_GOOD;
 } /* getdns_context_set_namespaces */
-getdns_transport_t
-priv_get_transport(getdns_transport_t transport, int level) {
+getdns_base_transport_t
+priv_get_base_transport(getdns_transport_t transport, int level) {
 if (!(level == 0 || level == 1)) return GETDNS_TRANSPORT_NONE;
 switch (transport) {
 case GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP:
@@ -1837,23 +1837,30 @@ getdns_context_prepare_for_resolution(struct getdns_context *context,
 }
 /* Transport can in theory be set per query in stub mode */
+ /* TODO: move this transport logic to a separate functions*/
 if (context->resolution_type == GETDNS_RESOLUTION_STUB) {
 switch (context->dns_transport) {
 case GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN:
 case GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN:
 if (context->tls_ctx == NULL) {
+#ifdef HAVE_LIBTLS1_2
 /* Create client context, use TLS v1.2 only for now */
- SSL_CTX* tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
- if(!tls_ctx) {
+ context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
+#endif
+ if(!context->tls_ctx && context->dns_transport ==
+ GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN) {
 return GETDNS_RETURN_BAD_CONTEXT;
 }
- context->tls_ctx = tls_ctx;
 }
 break;
 default:
 break;
 }
 }
+ /* Block use of TLS ONLY in recursive mode as it won't work */
+ if (context->resolution_type == GETDNS_RESOLUTION_RECURSING
+ && context->dns_transport == GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN)
+ return GETDNS_RETURN_BAD_CONTEXT;
 if (context->resolution_type_set == context->resolution_type)
 /* already set and no config changes
diff --git a/src/context.h b/src/context.h
index a9b23317..569d42c5 100644
--- a/src/context.h
+++ b/src/context.h
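Review bot: priv_get_base_transport has no comment stating what `level` means, and with the return type now changed to getdns_base_transport_t the contract is worth writing down above the signature, e.g. `/* Map the configured transport to the base transport attempted at the given level: 0 = primary, 1 = fallback; any other level yields GETDNS_TRANSPORT_NONE. */` (the two call sites in stub.c pass 0 and 1). Since the function now returns the base enum, every value the switch returns — and GETDNS_TRANSPORT_NONE on the early-return line — should be a member of that enum; the hunk shows only the first case label, so this needs checking against the enum definition. The switch body continues outside the hunk.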
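Review bot: After the `#endif`, a context configured with GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN continues with tls_ctx still NULL whenever HAVE_LIBTLS1_2 is undefined or SSL_CTX_new() fails, and nothing records why, so every later query quietly goes over plain TCP and the OpenSSL error queue is never read — an operator cannot tell a transient allocation failure from a build without TLS 1.2. At minimum the downgrade should be stated where it is decided, e.g. `/* tls_ctx may still be NULL here: TLS_FIRST then degrades to plain TCP for every query */` next to the `#endif`, and ideally surfaced through ERR_get_error() and whatever diagnostic channel the project uses. The new recursive-mode check below rejects only TLS_ONLY, so TLS_FIRST in recursive mode is another silent downgrade to TCP that the same comment should mention. getdns_context_prepare_for_resolution starts and ends outside the hunk.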
@@ -231,6 +231,6 @@ int filechg_check(struct getdns_context *context, struct filechg *fchg);
 void priv_getdns_context_ub_read_cb(void *userarg);
-getdns_transport_t priv_get_transport(getdns_transport_t transport, int level);
+getdns_base_transport_t priv_get_base_transport(getdns_transport_t transport, int level);
 #endif /* _GETDNS_CONTEXT_H_ */
diff --git a/src/stub.c b/src/stub.c
index 72c00faf..0914aa57 100755
--- a/src/stub.c
+++ b/src/stub.c
@@ -663,6 +663,8 @@ do_tls_handshake(getdns_dns_req *dnsreq, getdns_upstream *upstream)
 }
 /* Create SSL instance */
+ if (dnsreq->context->tls_ctx == NULL)
+ return NULL;
 SSL* ssl = SSL_new(dnsreq->context->tls_ctx);
 if(!ssl) {
 return NULL;
@@ -1210,9 +1212,9 @@ priv_getdns_submit_stub_request(getdns_network_req *netreq)
 return GETDNS_RETURN_GENERIC_ERROR;
 // Work out the primary and fallback transport options
- getdns_base_transport_t transport = priv_get_transport(
+ getdns_base_transport_t transport = priv_get_base_transport(
 dnsreq->context->dns_transport,0);
- getdns_base_transport_t fb_transport = priv_get_transport(
+ getdns_base_transport_t fb_transport = priv_get_base_transport(
 dnsreq->context->dns_transport,1);
 switch(transport) {
 case GETDNS_TRANSPORT_UDP:
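Review bot: The new guard in do_tls_handshake returns NULL, the same value the SSL_new() failure branch three lines below returns, so the caller cannot distinguish "TLS deliberately unavailable for this context" from "OpenSSL failed to allocate an SSL object"; if the caller treats any NULL as "fall back to TCP" (the commit message implies this, but that code is not in the hunk) the guard is correct but deserves a comment, e.g. `/* No TLS context (TLS 1.2 absent at build time or SSL_CTX_new failed): caller falls back per transport policy */`. Moving the guard above the `/* Create SSL instance */` comment would also keep that comment adjacent to the SSL_new() call it describes. do_tls_handshake starts and ends outside the hunk.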