diff --git a/ChangeLog b/ChangeLog
index 52a04b0b..290372a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
 * 2018-05-11: Version 1.4.2
+ * Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
+ in the Windows root CA store.
+ * PR #397: No TCP sendto without TCP_FASTOPEN
+ Thanks Emery Hemingway
 * Bugfix getdnsapi/stubby#106: Core dump when printing certain configuration. Thanks Han Vinke
 * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
diff --git a/project-doc/packages.txt b/project-doc/packages.txt
index 3544c9ee..7e40a201 100644
--- a/project-doc/packages.txt
+++ b/project-doc/packages.txt
@@ -12,3 +12,6 @@ https://github.com/openwrt/packages/tree/master/net/stubby
 For AstLinux Project, created and maintained by Lonnie Abelbeck (abelbeck)
 https://github.com/astlinux-project/astlinux/tree/master/package/getdns
+
+For Genode, created and maintained by Emery Hemingway (ehmry)
+https://github.com/genodelabs/genode/blob/master/repos/ports/ports/getdns.port
diff --git a/src/context.c b/src/context.c
index 4b5a77ad..56d827ee 100644
--- a/src/context.c
+++ b/src/context.c
@@ -193,7 +193,7 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 PCCERT_CONTEXT pTargetCert = NULL;
 DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
- "Adding Windows certificates to CA store");
+ "Adding Windows certificates from system root store to CA store");
 /* load just once per context lifetime for this version of getdns TODO: dynamically update CA trust changes as they are available */
@@ -241,10 +241,18 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 else {
 /* return error if a cert add to store fails */
 if (X509_STORE_add_cert(store, cert1) == 0) {
- DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
- "Error adding certificate", ERR_get_error(),
- ERR_error_string(ERR_get_error(), NULL));
- return 0;
+ unsigned long error = ERR_peek_last_error();
+
+ /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
+ * certificate is already in the store. */
+ if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
+ ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+ DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+ "Error adding certificate", ERR_get_error(),
+ ERR_error_string(ERR_get_error(), NULL));
+ X509_free(cert1);
+ return 0;
+ }
 }
 X509_free(cert1);
 }
@@ -260,6 +268,8 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 hSystemStore, 0))
 return 0;
 }
+ DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+ "Completed adding Windows certificates to CA store successfully");
 return 1;
 }
 #endif
diff --git a/src/stub.c b/src/stub.c
index 437c19cc..785d9f1f 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -760,10 +760,7 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq)
 if (written == -1 && _getdns_socketerror() == _getdns_EISCONN)
 written = write(fd, netreq->query - 2, pkt_len + 2);
 #else
- written = sendto(fd, (const char *)(netreq->query - 2),
- pkt_len + 2, 0,
- (struct sockaddr *)&(netreq->upstream->addr),
- netreq->upstream->addr_len);
+ written = send(fd, (const char *)(netreq->query - 2), pkt_len + 2, 0);
 #endif
 if ((written == -1 && _getdns_socketerror_wants_retry()) || (size_t)written < pkt_len + 2) {
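Review bot: In src/context.c (hunk at -241), the branch that ignores `X509_R_CERT_ALREADY_IN_HASH_TABLE` leaves that entry on the thread's OpenSSL error queue, where a later `SSL_get_error()` or `ERR_get_error()` can attribute it to an unrelated TLS operation; the inner `if` should get an `else ERR_clear_error();`. The logging path calls `ERR_get_error()` twice, so the printed code and string come from two different queue entries (oldest first, not the one `ERR_peek_last_error()` inspected), and an `unsigned long` is passed to `%d`; change the format to `%lu` and pass the captured value, `"Error adding certificate", error,` and `ERR_error_string(error, NULL));`. The early `return 0` also seems to bypass the `hSystemStore` close that the next hunk shows near the end of the function, though the code in between is outside this hunk, so that needs confirming.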
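Review bot: In src/stub.c, the `#else` branch of stub_tcp_write (per the ChangeLog, the build without TCP_FASTOPEN) now relies on `fd` already being connected, because `send()` carries no destination address, and nothing at the call site records that. A comment such as `/* fd is already connect()ed here; plain send() needs no destination address */` would state the precondition; the connect itself is not visible in this hunk, so confirm where it happens. The flags argument is `0`, so on POSIX systems a write to a connection the upstream has closed raises SIGPIPE unless the process ignores it or a no-signal flag is used; this was equally true of the removed `sendto()`, but it is worth checking how the library protects the host application. The function body starts and ends outside the hunk.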