More specific return codes, more logging

Willem Toorop 2018-12-12 16:12:07 +01:00
parent bb99321e57
commit 91a3a3db36
4 changed files with 360 additions and 144 deletions


@ -124,7 +124,10 @@ static struct const_info consts_info[] = {
{ 1402, "GETDNS_TLS1_1", GETDNS_TLS1_1_TEXT }, { 1402, "GETDNS_TLS1_1", GETDNS_TLS1_1_TEXT },
{ 1403, "GETDNS_TLS1_2", GETDNS_TLS1_2_TEXT }, { 1403, "GETDNS_TLS1_2", GETDNS_TLS1_2_TEXT },
{ 1404, "GETDNS_TLS1_3", GETDNS_TLS1_3_TEXT }, { 1404, "GETDNS_TLS1_3", GETDNS_TLS1_3_TEXT },
{ 4096, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT }, { 8192, "GETDNS_LOG_SYS_STUB", GETDNS_LOG_SYS_STUB_TEXT },
{ 12288, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT },
{ 16384, "GETDNS_LOG_SYS_RECURSING", GETDNS_LOG_SYS_RECURSING_TEXT },
{ 24576, "GETDNS_LOG_SYS_RESOLVING", GETDNS_LOG_SYS_RESOLVING_TEXT },
}; };
static int const_info_cmp(const void *a, const void *b) static int const_info_cmp(const void *a, const void *b)
@ -225,7 +228,10 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_LOG_ERR", 3 }, { "GETDNS_LOG_ERR", 3 },
{ "GETDNS_LOG_INFO", 6 }, { "GETDNS_LOG_INFO", 6 },
{ "GETDNS_LOG_NOTICE", 5 }, { "GETDNS_LOG_NOTICE", 5 },
{ "GETDNS_LOG_UPSTREAM_STATS", 4096 }, { "GETDNS_LOG_SYS_RECURSING", 16384 },
{ "GETDNS_LOG_SYS_RESOLVING", 24576 },
{ "GETDNS_LOG_SYS_STUB", 8192 },
{ "GETDNS_LOG_UPSTREAM_STATS", 12288 },
{ "GETDNS_LOG_WARNING", 4 }, { "GETDNS_LOG_WARNING", 4 },
{ "GETDNS_NAMESPACE_DNS", 500 }, { "GETDNS_NAMESPACE_DNS", 500 },
{ "GETDNS_NAMESPACE_LOCALNAMES", 501 }, { "GETDNS_NAMESPACE_LOCALNAMES", 501 },


@ -193,7 +193,7 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
PCCERT_CONTEXT pTargetCert = NULL; PCCERT_CONTEXT pTargetCert = NULL;
_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG _getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG
, "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__ , "%s: %s\n", STUB_DEBUG_SETUP_TLS,
, "Adding Windows certificates from system root store to CA store") , "Adding Windows certificates from system root store to CA store")
; ;
@ -213,7 +213,7 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
L"root")) == 0) L"root")) == 0)
{ {
_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR _getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__ , "%s: %s\n", STUB_DEBUG_SETUP_TLS
, "Could not CertOpenStore()"); , "Could not CertOpenStore()");
return 0; return 0;
} }
@ -221,7 +221,7 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx); X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx);
if (!store) { if (!store) {
_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR _getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__ , "%s: %s\n", STUB_DEBUG_SETUP_TLS
, "Could not SSL_CTX_get_cert_store()"); , "Could not SSL_CTX_get_cert_store()");
return 0; return 0;
} }
@ -230,7 +230,7 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
if ((pTargetCert = CertEnumCertificatesInStore( if ((pTargetCert = CertEnumCertificatesInStore(
hSystemStore, pTargetCert)) == 0) { hSystemStore, pTargetCert)) == 0) {
_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_NOTICE _getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_NOTICE
, "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__ , "%s: %s\n", STUB_DEBUG_SETUP_TLS
, "CA certificate store for Windows is empty."); , "CA certificate store for Windows is empty.");
return 0; return 0;
} }
@ -244,8 +244,8 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
/* return error if a cert fails */ /* return error if a cert fails */
_getdns_log(&ctxt->log _getdns_log(&ctxt->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR, , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR,
, "%s %-35s: %s %d:%s\n" , "%s: %s %d:%s\n"
, STUB_DEBUG_SETUP_TLS, __FUNC__ , STUB_DEBUG_SETUP_TLS
, "Unable to parse certificate in memory" , "Unable to parse certificate in memory"
, ERR_get_error() , ERR_get_error()
, ERR_error_string(ERR_get_error(), NULL)); , ERR_error_string(ERR_get_error(), NULL));
@ -263,8 +263,8 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
_getdns_log(&ctxt->log _getdns_log(&ctxt->log
, GETDNS_LOG_SYS_STUB , GETDNS_LOG_SYS_STUB
, GETDNS_LOG_ERR , GETDNS_LOG_ERR
, "%s %-35s: %s %d:%s\n" , "%s: %s %d:%s\n"
, STUB_DEBUG_SETUP_TLS, __FUNC__ , STUB_DEBUG_SETUP_TLS
, "Error adding certificate" , "Error adding certificate"
, ERR_get_error() , ERR_get_error()
, ERR_error_string( ERR_get_error() , ERR_error_string( ERR_get_error()
@ -287,13 +287,13 @@ add_WIN_cacerts_to_openssl_store(getdns_context *ctxt, SSL_CTX* tls_ctx)
if (!CertCloseStore(hSystemStore, 0)) { if (!CertCloseStore(hSystemStore, 0)) {
_getdns_log(&ctxt->log _getdns_log(&ctxt->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__ , "%s: %s\n", STUB_DEBUG_SETUP_TLS
, "Could not CertCloseStore()"); , "Could not CertCloseStore()");
return 0; return 0;
} }
} }
_getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_INFO _getdns_log(&ctxt->log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_INFO
, "%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__ , "%s: %s\n", STUB_DEBUG_SETUP_TLS
, "Completed adding Windows certificates to CA store successfully") , "Completed adding Windows certificates to CA store successfully")
; ;
return 1; return 1;
@ -709,6 +709,8 @@ upstreams_create(getdns_context *context, size_t size)
getdns_upstreams *r = (void *) GETDNS_XMALLOC(context->mf, char, getdns_upstreams *r = (void *) GETDNS_XMALLOC(context->mf, char,
sizeof(getdns_upstreams) + sizeof(getdns_upstreams) +
sizeof(getdns_upstream) * size); sizeof(getdns_upstream) * size);
if (r) {
r->mf = context->mf; r->mf = context->mf;
r->referenced = 1; r->referenced = 1;
r->count = 0; r->count = 0;
@ -718,6 +720,7 @@ upstreams_create(getdns_context *context, size_t size)
r->tls_backoff_time = context->tls_backoff_time; r->tls_backoff_time = context->tls_backoff_time;
r->tls_connection_retries = context->tls_connection_retries; r->tls_connection_retries = context->tls_connection_retries;
r->log = context->log; r->log = context->log;
}
return r; return r;
} }
@ -3523,18 +3526,36 @@ ub_setup_stub(struct ub_ctx *ctx, getdns_context *context)
getdns_upstream *upstream; getdns_upstream *upstream;
char addr[1024]; char addr[1024];
getdns_upstreams *upstreams = context->upstreams; getdns_upstreams *upstreams = context->upstreams;
int r;
(void) ub_ctx_set_fwd(ctx, NULL); if ((r = ub_ctx_set_fwd(ctx, NULL))) {
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_WARNING
, "%s: %s (%s)\n"
, STUB_DEBUG_SETUP
, "Error while clearing forwarding modus on unbound context"
, ub_strerror(r));
}
for (i = 0; i < upstreams->count; i++) { for (i = 0; i < upstreams->count; i++) {
upstream = &upstreams->upstreams[i]; upstream = &upstreams->upstreams[i];
/*[TLS]: Use only the TLS subset of upstreams when TLS is the only thing /* [TLS]: Use only the TLS subset of upstreams when TLS is the
* used. All other cases must currently fallback to TCP for libunbound.*/ * only thing used. All other cases must currently fallback to
* TCP for libunbound.*/
if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS && if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS &&
context->dns_transport_count ==1 && context->dns_transport_count ==1 &&
upstream->transport != GETDNS_TRANSPORT_TLS) upstream->transport != GETDNS_TRANSPORT_TLS)
continue; continue;
upstream_ntop_buf(upstream, addr, 1024); upstream_ntop_buf(upstream, addr, 1024);
ub_ctx_set_fwd(ctx, addr); if ((r = ub_ctx_set_fwd(ctx, addr))) {
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_WARNING
, "%s: %s '%s' (%s)\n"
, STUB_DEBUG_SETUP
, "Error while setting up unbound context for "
"forwarding to"
, addr
, ub_strerror(r));
}
} }
/* Allow lookups of: /* Allow lookups of:
@ -3604,8 +3625,16 @@ ub_setup_recursing(struct ub_ctx *ctx, getdns_context *context)
{ {
_getdns_rr_iter rr_spc, *rr; _getdns_rr_iter rr_spc, *rr;
char ta_str[8192]; char ta_str[8192];
int r;
(void) ub_ctx_set_fwd(ctx, NULL); if ((r = ub_ctx_set_fwd(ctx, NULL))) {
_getdns_log(&context->log
, GETDNS_LOG_SYS_RECURSING, GETDNS_LOG_WARNING
, "%s: %s (%s)\n"
, STUB_DEBUG_SETUP
, "Error while clearing forwarding modus on unbound context"
, ub_strerror(r));
}
if (!context->unbound_ta_set && context->trust_anchors) { if (!context->unbound_ta_set && context->trust_anchors) {
for ( rr = _getdns_rr_iter_init( &rr_spc for ( rr = _getdns_rr_iter_init( &rr_spc
, context->trust_anchors , context->trust_anchors
@ -3614,7 +3643,17 @@ ub_setup_recursing(struct ub_ctx *ctx, getdns_context *context)
(void) gldns_wire2str_rr_buf((UNCONST_UINT8_p)rr->pos, (void) gldns_wire2str_rr_buf((UNCONST_UINT8_p)rr->pos,
rr->nxt - rr->pos, ta_str, sizeof(ta_str)); rr->nxt - rr->pos, ta_str, sizeof(ta_str));
(void) ub_ctx_add_ta(ctx, ta_str); if ((r = ub_ctx_add_ta(ctx, ta_str))) {
_getdns_log(&context->log
, GETDNS_LOG_SYS_RECURSING
, GETDNS_LOG_WARNING
, "%s: %s '%s' (%s)\n"
, STUB_DEBUG_SETUP
, "Error while equiping unbound context "
"with trust anchor"
, ta_str
, ub_strerror(r));
}
} }
context->unbound_ta_set = 1; context->unbound_ta_set = 1;
} }
@ -3629,8 +3668,15 @@ _getdns_ns_dns_setup(struct getdns_context *context)
switch (context->resolution_type) { switch (context->resolution_type) {
case GETDNS_RESOLUTION_STUB: case GETDNS_RESOLUTION_STUB:
if (!context->upstreams || !context->upstreams->count) if (!context->upstreams || !context->upstreams->count) {
return GETDNS_RETURN_GENERIC_ERROR; _getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s\n"
, STUB_DEBUG_SETUP
, "Stub resolution requested, but no upstreams "
"configured");
return GETDNS_RETURN_BAD_CONTEXT;
}
#ifdef STUB_NATIVE_DNSSEC #ifdef STUB_NATIVE_DNSSEC
# ifdef DNSSEC_ROADBLOCK_AVOIDANCE # ifdef DNSSEC_ROADBLOCK_AVOIDANCE
# ifdef HAVE_LIBUNBOUND # ifdef HAVE_LIBUNBOUND
@ -3655,6 +3701,12 @@ _getdns_ns_dns_setup(struct getdns_context *context)
return GETDNS_RETURN_NOT_IMPLEMENTED; return GETDNS_RETURN_NOT_IMPLEMENTED;
#endif #endif
} }
_getdns_log(&context->log
, GETDNS_LOG_SYS_RESOLVING
, GETDNS_LOG_ERR
, "%s: %s (%d)\n", STUB_DEBUG_SETUP
, "Unknown resolution type: "
, context->resolution_type);
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
} }
@ -3662,9 +3714,8 @@ getdns_return_t
_getdns_context_prepare_for_resolution(getdns_context *context) _getdns_context_prepare_for_resolution(getdns_context *context)
{ {
getdns_return_t r; getdns_return_t r;
#if defined(HAVE_SSL_CTX_DANE_ENABLE) || defined(USE_DANESSL) char ssl_err[256];
int osr; int osr;
#endif
assert(context); assert(context);
if (context->destroying) if (context->destroying)
@ -3677,7 +3728,9 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
if (tls_only_is_in_transports_list(context) == 1 && if (tls_only_is_in_transports_list(context) == 1 &&
context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED) { context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED) {
context->tls_auth_min = GETDNS_AUTHENTICATION_REQUIRED; context->tls_auth_min = GETDNS_AUTHENTICATION_REQUIRED;
/* TODO: If no auth data provided for any upstream, fail here */ /* TODO: If no auth data provided for any upstream,
* fail here
*/
} }
else { else {
context->tls_auth_min = GETDNS_AUTHENTICATION_NONE; context->tls_auth_min = GETDNS_AUTHENTICATION_NONE;
@ -3691,22 +3744,52 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
# else # else
context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method()); context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
# endif # endif
if(context->tls_ctx == NULL) if(context->tls_ctx == NULL) {
ERR_error_string_n( ERR_get_error()
, ssl_err, sizeof(ssl_err));
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s (%s)\n"
, STUB_DEBUG_SETUP_TLS
, "Error creating TLS context"
, ssl_err);
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
}
# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \ # if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \
&& HAVE_DECL_SSL_SET_MIN_PROTO_VERSION && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
if (!SSL_CTX_set_min_proto_version(context->tls_ctx, if (!SSL_CTX_set_min_proto_version(context->tls_ctx,
_getdns_tls_version2openssl_version(context->tls_min_version))) { _getdns_tls_version2openssl_version(
context->tls_min_version))) {
SSL_CTX_free(context->tls_ctx); SSL_CTX_free(context->tls_ctx);
context->tls_ctx = NULL; context->tls_ctx = NULL;
ERR_error_string_n( ERR_get_error()
, ssl_err, sizeof(ssl_err));
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s (%s)\n"
, STUB_DEBUG_SETUP_TLS
, "Error configuring TLS context with "
"minimum TLS version"
, ssl_err);
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
} }
if (context->tls_max_version if (context->tls_max_version
&& !SSL_CTX_set_max_proto_version(context->tls_ctx, && !SSL_CTX_set_max_proto_version(context->tls_ctx,
_getdns_tls_version2openssl_version(context->tls_max_version))) { _getdns_tls_version2openssl_version(
context->tls_max_version))) {
SSL_CTX_free(context->tls_ctx); SSL_CTX_free(context->tls_ctx);
context->tls_ctx = NULL; context->tls_ctx = NULL;
ERR_error_string_n( ERR_get_error()
, ssl_err, sizeof(ssl_err));
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s (%s)\n"
, STUB_DEBUG_SETUP_TLS
, "Error configuring TLS context with "
"maximum TLS version"
, ssl_err);
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
} }
# else # else
@ -3714,65 +3797,181 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
if (( context->tls_min_version if (( context->tls_min_version
&& context->tls_min_version != GETDNS_TLS1_2) && context->tls_min_version != GETDNS_TLS1_2)
|| context->tls_max_version) { || context->tls_max_version) {
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s\n"
, STUB_DEBUG_SETUP_TLS
, "This version of OpenSSL does not "
"support setting of mimum or maximum "
"TLS versions");
return GETDNS_RETURN_NOT_IMPLEMENTED; return GETDNS_RETURN_NOT_IMPLEMENTED;
} }
# endif # endif
# endif # endif
/* Be strict and only use the cipher suites recommended in RFC7525 /* Be strict and only use the cipher suites recommended
Unless we later fallback to opportunistic. */ * in RFC7525 Unless we later fallback to opportunistic.
*/
if (!SSL_CTX_set_cipher_list(context->tls_ctx, if (!SSL_CTX_set_cipher_list(context->tls_ctx,
context->tls_cipher_list ? context->tls_cipher_list context->tls_cipher_list
: _getdns_default_tls_cipher_list)) ? context->tls_cipher_list
: _getdns_default_tls_cipher_list)) {
ERR_error_string_n( ERR_get_error()
, ssl_err, sizeof(ssl_err));
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s (%s)\n"
, STUB_DEBUG_SETUP_TLS
, "Error configuring TLS context with "
"cipher list"
, ssl_err);
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
}
# ifdef HAVE_SSL_CTX_SET_CIPHERSUITES # ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (!SSL_CTX_set_ciphersuites(context->tls_ctx, if (!SSL_CTX_set_ciphersuites(context->tls_ctx,
context->tls_ciphersuites ? context->tls_ciphersuites context->tls_ciphersuites
: _getdns_default_tls_ciphersuites)) ? context->tls_ciphersuites
return GETDNS_RETURN_BAD_CONTEXT; : _getdns_default_tls_ciphersuites)) {
# else ERR_error_string_n( ERR_get_error()
if (context->tls_ciphersuites) , ssl_err, sizeof(ssl_err));
return GETDNS_RETURN_NOT_IMPLEMENTED; _getdns_log(&context->log
# endif , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
# if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST , "%s: %s (%s)\n"
if (context->tls_curves_list && , STUB_DEBUG_SETUP_TLS
!SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list)) , "Error configuring TLS context with "
return GETDNS_RETURN_BAD_CONTEXT; "cipher suites"
# else , ssl_err);
if (context->tls_curves_list)
return GETDNS_RETURN_NOT_IMPLEMENTED;
# endif
/* For strict authentication, we must have local root certs available
Set up is done only when the tls_ctx is created (per getdns_context)*/
if ((context->tls_ca_file || context->tls_ca_path) &&
SSL_CTX_load_verify_locations(context->tls_ctx
, context->tls_ca_file, context->tls_ca_path))
; /* pass */
# ifndef USE_WINSOCK
else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
# else
else if (!add_WIN_cacerts_to_openssl_store(context, context->tls_ctx)) {
# endif /* USE_WINSOCK */
if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED)
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
} }
# else
if (context->tls_ciphersuites) {
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s\n"
, STUB_DEBUG_SETUP_TLS
, "This version of OpenSSL does not "
"support configuring cipher suites");
return GETDNS_RETURN_NOT_IMPLEMENTED;
}
# endif
# if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) \
&& HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
if (context->tls_curves_list &&
!SSL_CTX_set1_curves_list(context->tls_ctx,
context->tls_curves_list)) {
ERR_error_string_n( ERR_get_error()
, ssl_err, sizeof(ssl_err));
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s (%s)\n"
, STUB_DEBUG_SETUP_TLS
, "Error configuring TLS context with "
"curves list"
, ssl_err);
return GETDNS_RETURN_BAD_CONTEXT;
}
# else
if (context->tls_curves_list) {
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s\n"
, STUB_DEBUG_SETUP_TLS
, "This version of OpenSSL does not "
"support configuring curves list");
return GETDNS_RETURN_NOT_IMPLEMENTED;
}
# endif
/* For strict authentication, we must have local root
* certs available. Set up is done only when the tls_ctx
* is created (per getdns_context)
*/
osr = 0;
if (context->tls_ca_file || context->tls_ca_path) {
osr = SSL_CTX_load_verify_locations(
context->tls_ctx
, context->tls_ca_file
, context->tls_ca_path );
if (!osr) {
ERR_error_string_n( ERR_get_error()
, ssl_err
, sizeof(ssl_err));
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB
, GETDNS_LOG_WARNING
, "%s: %s (%s)\n"
, STUB_DEBUG_SETUP_TLS
, "Could not load verify locations"
, ssl_err);
} else {
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB
, GETDNS_LOG_DEBUG
, "%s: %s\n"
, STUB_DEBUG_SETUP_TLS
, "Verify locations loaded");
}
}
if (osr)
; /* verify locations loaded: pass */
# ifndef USE_WINSOCK
else if (!SSL_CTX_set_default_verify_paths(
context->tls_ctx) &&
# else
else if (!add_WIN_cacerts_to_openssl_store(
context, context->tls_ctx) &&
# endif /* USE_WINSOCK */
context->tls_auth_min
== GETDNS_AUTHENTICATION_REQUIRED) {
ERR_error_string_n( ERR_get_error()
, ssl_err, sizeof(ssl_err));
_getdns_log(&context->log
, GETDNS_LOG_SYS_STUB
, GETDNS_LOG_ERR
, "%s: %s (%s)\n"
, STUB_DEBUG_SETUP_TLS
, "Authentication is needed but no default "
"verify location could be loaded"
, ssl_err);
return GETDNS_RETURN_BAD_CONTEXT;
}
# if defined(HAVE_SSL_CTX_DANE_ENABLE) # if defined(HAVE_SSL_CTX_DANE_ENABLE)
osr = SSL_CTX_dane_enable(context->tls_ctx); if (!SSL_CTX_dane_enable(context->tls_ctx)) {
ERR_error_string_n( ERR_get_error()
, ssl_err, sizeof(ssl_err));
_getdns_log(&context->log _getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG , GETDNS_LOG_SYS_STUB, GETDNS_LOG_WARNING
, "%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n" , "%s: %s (%s)\n"
, STUB_DEBUG_SETUP_TLS, __FUNC__, osr); , STUB_DEBUG_SETUP_TLS
, "Could not enable DANE on TLX context"
, ssl_err);
}
# elif defined(USE_DANESSL) # elif defined(USE_DANESSL)
osr = DANESSL_CTX_init(context->tls_ctx); if (!DANESSL_CTX_init(context->tls_ctx)) {
ERR_error_string_n( ERR_get_error()
, ssl_err, sizeof(ssl_err));
_getdns_log(&context->log _getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG , GETDNS_LOG_SYS_STUB, GETDNS_LOG_WARNING
, "%s %-35s: DEBUG: DANESSL_CTX_init() returned " , "%s: %s (%s)\n"
"%d\n", STUB_DEBUG_SETUP_TLS, __FUNC__, osr); , STUB_DEBUG_SETUP_TLS
, "Could not enable DANE on TLX context"
, ssl_err);
}
# endif # endif
#else /* HAVE_TLS_v1_2 */ #else /* HAVE_TLS_v1_2 */
if (tls_only_is_in_transports_list(context) == 1) if (tls_only_is_in_transports_list(context) == 1) {
return GETDNS_RETURN_BAD_CONTEXT; _getdns_log(&context->log
/* A null tls_ctx will make TLS fail and fallback to the other , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
transports will kick-in.*/ , "%s: %s\n"
, STUB_DEBUG_SETUP_TLS
, "This version of OpenSSL does not "
"support authenticated TLS");
return GETDNS_RETURN_NOT_IMPLEMENTED;
}
/* A null tls_ctx will make TLS fail and fallback to
* the other transports will kick-in.
*/
#endif /* HAVE_TLS_v1_2 */ #endif /* HAVE_TLS_v1_2 */
} }
} }
@ -3780,10 +3979,16 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
/* Block use of TLS ONLY in recursive mode as it won't work */ /* Block use of TLS ONLY in recursive mode as it won't work */
/* Note: If TLS is used in recursive mode this will try TLS on port /* Note: If TLS is used in recursive mode this will try TLS on port
* 53 so it is blocked here. */ * 53 so it is blocked here. */
if (context->resolution_type == GETDNS_RESOLUTION_RECURSING && if (context->resolution_type == GETDNS_RESOLUTION_RECURSING
tls_only_is_in_transports_list(context) == 1) && tls_only_is_in_transports_list(context) == 1) {
return GETDNS_RETURN_BAD_CONTEXT; _getdns_log(&context->log
, GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR
, "%s: %s\n"
, STUB_DEBUG_SETUP_TLS
, "TLS only transport is not supported for the recursing "
"resolution type");
return GETDNS_RETURN_NOT_IMPLEMENTED;
}
if (context->resolution_type_set == context->resolution_type) if (context->resolution_type_set == context->resolution_type)
/* already set and no config changes /* already set and no config changes
* have caused this to be bad. * have caused this to be bad.
@ -3794,8 +3999,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
* the spec calls for us to treat the namespace list as ordered * the spec calls for us to treat the namespace list as ordered
* so we need to respect that order * so we need to respect that order
*/ */
r = _getdns_ns_dns_setup(context); r = _getdns_ns_dns_setup(context);
if (r == GETDNS_RETURN_GOOD) if (r == GETDNS_RETURN_GOOD)
context->resolution_type_set = context->resolution_type; context->resolution_type_set = context->resolution_type;
@ -4268,7 +4471,7 @@ _getdns_context_local_namespace_resolve(
getdns_context *context = dnsreq->context; getdns_context *context = dnsreq->context;
host_name_addrs *hnas; host_name_addrs *hnas;
uint8_t lookup[256]; uint8_t lookup[256];
getdns_list empty_list = { 0, 0, NULL, { NULL, {{ NULL, NULL, NULL }}}}; getdns_list empty_list = { 0, 0, NULL, { NULL, {{ NULL,NULL,NULL}}}};
getdns_bindata bindata; getdns_bindata bindata;
getdns_list *jaa; getdns_list *jaa;
size_t i; size_t i;
@ -4279,9 +4482,10 @@ _getdns_context_local_namespace_resolve(
int ipv6 = dnsreq->netreqs[0]->request_type == GETDNS_RRTYPE_AAAA || int ipv6 = dnsreq->netreqs[0]->request_type == GETDNS_RRTYPE_AAAA ||
(dnsreq->netreqs[1] && (dnsreq->netreqs[1] &&
dnsreq->netreqs[1]->request_type == GETDNS_RRTYPE_AAAA); dnsreq->netreqs[1]->request_type == GETDNS_RRTYPE_AAAA);
getdns_return_t r;
if (!ipv4 && !ipv6) if (!ipv4 && !ipv6)
return GETDNS_RETURN_GENERIC_ERROR; return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
/*Do the lookup*/ /*Do the lookup*/
(void)memcpy(lookup, dnsreq->name, dnsreq->name_len); (void)memcpy(lookup, dnsreq->name, dnsreq->name_len);
@ -4289,59 +4493,61 @@ _getdns_context_local_namespace_resolve(
if (!(hnas = (host_name_addrs *) if (!(hnas = (host_name_addrs *)
_getdns_rbtree_search(&context->local_hosts, lookup))) _getdns_rbtree_search(&context->local_hosts, lookup)))
return GETDNS_RETURN_GENERIC_ERROR; return GETDNS_RETURN_NO_SUCH_DICT_NAME;
if (!hnas->ipv4addrs && (!ipv6 || !hnas->ipv6addrs)) if (!hnas->ipv4addrs && (!ipv6 || !hnas->ipv6addrs))
return GETDNS_RETURN_GENERIC_ERROR; return GETDNS_RETURN_NO_SUCH_DICT_NAME;
if (!hnas->ipv6addrs && (!ipv4 || !hnas->ipv4addrs)) if (!hnas->ipv6addrs && (!ipv4 || !hnas->ipv4addrs))
return GETDNS_RETURN_GENERIC_ERROR; return GETDNS_RETURN_NO_SUCH_DICT_NAME;
if (!(*response = getdns_dict_create_with_context(context))) if (!(*response = getdns_dict_create_with_context(context)))
return GETDNS_RETURN_GENERIC_ERROR; return GETDNS_RETURN_MEMORY_ERROR;
bindata.size = dnsreq->name_len; bindata.size = dnsreq->name_len;
bindata.data = dnsreq->name; bindata.data = dnsreq->name;
if (getdns_dict_set_bindata(*response, "canonical_name", &bindata)) if ((r = getdns_dict_set_bindata(*response,"canonical_name",&bindata)))
goto error; goto error;
empty_list.mf = context->mf; empty_list.mf = context->mf;
if (getdns_dict_set_list(*response, "replies_full", &empty_list)) if ((r = getdns_dict_set_list(*response, "replies_full", &empty_list)))
goto error; goto error;
if (getdns_dict_set_list(*response, "replies_tree", &empty_list)) if ((r = getdns_dict_set_list(*response, "replies_tree", &empty_list)))
goto error; goto error;
if (getdns_dict_set_int(*response, "status", GETDNS_RESPSTATUS_GOOD)) if ((r=getdns_dict_set_int(*response,"status",GETDNS_RESPSTATUS_GOOD)))
goto error; goto error;
if (!ipv4 || !hnas->ipv4addrs) { if (!ipv4 || !hnas->ipv4addrs) {
if (getdns_dict_set_list(*response, if ((r = getdns_dict_set_list(*response,
"just_address_answers", hnas->ipv6addrs)) "just_address_answers", hnas->ipv6addrs)))
goto error; goto error;
return GETDNS_RETURN_GOOD; return GETDNS_RETURN_GOOD;
} else if (!ipv6 || !hnas->ipv6addrs) { } else if (!ipv6 || !hnas->ipv6addrs) {
if (getdns_dict_set_list(*response, if ((r = getdns_dict_set_list(*response,
"just_address_answers", hnas->ipv4addrs)) "just_address_answers", hnas->ipv4addrs)))
goto error; goto error;
return GETDNS_RETURN_GOOD; return GETDNS_RETURN_GOOD;
} }
if (!(jaa = getdns_list_create_with_context(context))) if (!(jaa = getdns_list_create_with_context(context))) {
r = GETDNS_RETURN_MEMORY_ERROR;
goto error; goto error;
}
for (i = 0; !getdns_list_get_dict(hnas->ipv4addrs, i, &addr); i++) for (i = 0; !getdns_list_get_dict(hnas->ipv4addrs, i, &addr); i++)
if (_getdns_list_append_dict(jaa, addr)) if ((r = _getdns_list_append_dict(jaa, addr)))
break; break;
for (i = 0; !getdns_list_get_dict(hnas->ipv6addrs, i, &addr); i++) for (i = 0; !getdns_list_get_dict(hnas->ipv6addrs, i, &addr); i++)
if (_getdns_list_append_dict(jaa, addr)) if ((r = _getdns_list_append_dict(jaa, addr)))
break; break;
if (!_getdns_dict_set_this_list(*response, "just_address_answers", jaa)) if (!(r = _getdns_dict_set_this_list(*response, "just_address_answers", jaa)))
return GETDNS_RETURN_GOOD; return GETDNS_RETURN_GOOD;
else else
getdns_list_destroy(jaa); getdns_list_destroy(jaa);
error: error:
getdns_dict_destroy(*response); getdns_dict_destroy(*response);
return GETDNS_RETURN_GENERIC_ERROR; return r;
} }
struct mem_funcs * struct mem_funcs *
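Review bot: In the rewritten verify-location block (the lines from `osr = 0;` through the `Authentication is needed` error), a configured `tls_ca_file`/`tls_ca_path` that fails to load is only logged at WARNING and execution then falls through to `SSL_CTX_set_default_verify_paths()` (or the Windows store), so a context that explicitly asked for a private trust anchor together with `GETDNS_AUTHENTICATION_REQUIRED` ends up authenticating upstreams against the system CA set instead; consider refusing in that `if (!osr)` branch with `if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) return GETDNS_RETURN_BAD_CONTEXT;` after the log call, or, if the fallback is intended, state it there with `/* explicit CA location unusable: falling back to the system trust store */`. The new failure paths are also inconsistent about cleanup: the min/max protocol-version errors `SSL_CTX_free()` and NULL `context->tls_ctx` before returning, while the cipher-list, ciphersuites, curves and verify-location errors return with the half-configured `tls_ctx` still attached to the context (the old code had the same asymmetry, but every one of these paths is rewritten here). Three new log strings carry typos: `"mimum"`, `"equiping"` and `"TLX context"` (twice, in the DANE branches). `_getdns_context_prepare_for_resolution` begins and ends outside these hunks.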


@ -557,10 +557,14 @@ typedef enum getdns_loglevel_type {
#define GETDNS_LOG_INFO_TEXT "Informational message" #define GETDNS_LOG_INFO_TEXT "Informational message"
#define GETDNS_LOG_DEBUG_TEXT "Debug-level message" #define GETDNS_LOG_DEBUG_TEXT "Debug-level message"
#define GETDNS_LOG_UPSTREAM_STATS 0x1000 #define GETDNS_LOG_UPSTREAM_STATS 0x3000
#define GETDNS_LOG_UPSTREAM_STATS_TEXT "Log messages about upstream statistics" #define GETDNS_LOG_UPSTREAM_STATS_TEXT "Log messages about upstream statistics"
#define GETDNS_LOG_SYS_STUB 0x2000 #define GETDNS_LOG_SYS_STUB 0x2000
#define GETDNS_LOG_SYS_STUB_TEXT "Log messages involving non upstream specific stub matters" #define GETDNS_LOG_SYS_STUB_TEXT "Log messages about stub resolving"
#define GETDNS_LOG_SYS_RECURSING 0x4000
#define GETDNS_LOG_SYS_RECURSING_TEXT "Log messages about recursive resolving"
#define GETDNS_LOG_SYS_RESOLVING 0x6000
#define GETDNS_LOG_SYS_RESOLVING_TEXT "Log messages about resolving"
typedef void (*getdns_logfunc_type) (void *userarg, uint64_t log_systems, typedef void (*getdns_logfunc_type) (void *userarg, uint64_t log_systems,
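Review bot: The new values overlap bit-wise — `GETDNS_LOG_UPSTREAM_STATS` (0x3000) contains the `GETDNS_LOG_SYS_STUB` bit and `GETDNS_LOG_SYS_RESOLVING` (0x6000) contains both the `SYS_STUB` and `SYS_RECURSING` bits — but nothing in the header says whether `log_systems` is compared by equality or by mask, so a consumer of `getdns_logfunc_type` cannot tell which messages a subscription to 0x2000 will receive. The overlap looks intentional; if so, a comment above `GETDNS_LOG_UPSTREAM_STATS` such as `/* Log system values are bit masks; UPSTREAM_STATS and SYS_RESOLVING deliberately share bits with SYS_STUB / SYS_RECURSING */` would make the contract explicit (confirm against the dispatch code before wording it). Note also that `GETDNS_LOG_UPSTREAM_STATS` changes value in a public header (0x1000 to 0x3000), which is an ABI change for applications compiled against the previous value and deserves a mention in the commit message or changelog.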


@ -14,7 +14,7 @@ cat > const-info.c << END_OF_HEAD
static struct const_info consts_info[] = { static struct const_info consts_info[] = {
{ -1, NULL, "/* <unknown getdns value> */" }, { -1, NULL, "/* <unknown getdns value> */" },
END_OF_HEAD END_OF_HEAD
gawk '/^[ ]+GETDNS_[A-Z0-9_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z0-9_]+[ ]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/ && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z0-9_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c gawk --non-decimal-data '/^[ ]+GETDNS_[A-Z0-9_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z0-9_]+[ ]+(0[xX][0-9a-fA-F]+|[0-9]+)/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/ && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z0-9_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
cat >> const-info.c << END_OF_TAIL cat >> const-info.c << END_OF_TAIL
}; };
@ -49,7 +49,7 @@ getdns_get_errorstr_by_id(uint16_t err)
static struct const_name_info consts_name_info[] = { static struct const_name_info consts_name_info[] = {
END_OF_TAIL END_OF_TAIL
gawk '/^[ ]+GETDNS_[A-Z0-9_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z0-9_]+[ ]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z0-9_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c gawk --non-decimal-data '/^[ ]+GETDNS_[A-Z0-9_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z0-9_]+[ ]+(0[xX][0-9a-fA-F]+|[0-9]+)/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z0-9_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
cat >> const-info.c << END_OF_TAIL cat >> const-info.c << END_OF_TAIL
}; };
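Review bot: Both `gawk` invocations now rely on `--non-decimal-data` so that `sprintf("%7d", $3)` interprets the new `0x...` defines, but that option changes the numeric interpretation of every input field of the whole program, and the gawk manual discourages it for exactly that reason. Since hex handling is needed only for the captured value, a narrower fix is `key = sprintf("%7d", strtonum($3));` (and `strtonum($4)` in the `getdns_return_t` rule) with the option dropped, in both the consts_info and consts_name_info commands; `strtonum` is a gawk extension like the `asorti` the script already depends on. The enclosing shell script starts and ends outside these hunks.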