mirror of https://github.com/getdnsapi/getdns.git
Merge pull request #261 from saradickinson/feature/stubby_updates
Feature/stubby updates
commit
94e1f48f58
|
@ -24,6 +24,7 @@ static struct const_info consts_info[] = {
|
|||
{ 310, "GETDNS_RETURN_MEMORY_ERROR", GETDNS_RETURN_MEMORY_ERROR_TEXT },
|
||||
{ 311, "GETDNS_RETURN_INVALID_PARAMETER", GETDNS_RETURN_INVALID_PARAMETER_TEXT },
|
||||
{ 312, "GETDNS_RETURN_NOT_IMPLEMENTED", GETDNS_RETURN_NOT_IMPLEMENTED_TEXT },
|
||||
{ 398, "GETDNS_RETURN_NO_UPSTREAM_AVAILABLE", GETDNS_RETURN_NO_UPSTREAM_AVAILABLE_TEXT },
|
||||
{ 399, "GETDNS_RETURN_NEED_MORE_SPACE", GETDNS_RETURN_NEED_MORE_SPACE_TEXT },
|
||||
{ 400, "GETDNS_DNSSEC_SECURE", GETDNS_DNSSEC_SECURE_TEXT },
|
||||
{ 401, "GETDNS_DNSSEC_BOGUS", GETDNS_DNSSEC_BOGUS_TEXT },
|
||||
|
@ -223,6 +224,7 @@ static struct const_name_info consts_name_info[] = {
|
|||
{ "GETDNS_RETURN_NO_SUCH_DICT_NAME", 305 },
|
||||
{ "GETDNS_RETURN_NO_SUCH_EXTENSION", 307 },
|
||||
{ "GETDNS_RETURN_NO_SUCH_LIST_ITEM", 304 },
|
||||
{ "GETDNS_RETURN_NO_UPSTREAM_AVAILABLE", 398 },
|
||||
{ "GETDNS_RETURN_UNKNOWN_TRANSACTION", 303 },
|
||||
{ "GETDNS_RETURN_WRONG_TYPE_REQUESTED", 306 },
|
||||
{ "GETDNS_RRCLASS_ANY", 255 },
|
||||
|
|
|
@ -56,6 +56,8 @@ extern "C" {
|
|||
* \defgroup Ureturnvaluesandtext Additional return values and texts
|
||||
* @{
|
||||
*/
|
||||
#define GETDNS_RETURN_NO_UPSTREAM_AVAILABLE ((getdns_return_t) 398 )
|
||||
#define GETDNS_RETURN_NO_UPSTREAM_AVAILABLE_TEXT "None of the configured upstreams could be used to send queries on the specified transports"
|
||||
#define GETDNS_RETURN_NEED_MORE_SPACE ((getdns_return_t) 399 )
|
||||
#define GETDNS_RETURN_NEED_MORE_SPACE_TEXT "The buffer was too small"
|
||||
/** @}
|
||||
|
|
24
src/stub.c
24
src/stub.c
|
@ -520,7 +520,7 @@ stub_cleanup(getdns_network_req *netreq)
|
|||
static void
|
||||
upstream_failed(getdns_upstream *upstream, int during_setup)
|
||||
{
|
||||
DEBUG_STUB("%s %-35s: FD: %d During setup = %d\n",
|
||||
DEBUG_STUB("%s %-35s: FD: %d Failure during connection setup = %d\n",
|
||||
STUB_DEBUG_CLEANUP, __FUNC__, upstream->fd, during_setup);
|
||||
/* Fallback code should take care of queue queries and then close conn
|
||||
when idle.*/
|
||||
|
@ -868,13 +868,19 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
|||
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err,
|
||||
X509_verify_cert_error_string(err));
|
||||
#endif
|
||||
#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
|
||||
if (!preverify_ok && !upstream->tls_fallback_ok)
|
||||
DEBUG_DAEMON("%s %s : Conn failed : Transport=TLS - *Failure* - (%d) \"%s\"\n",
|
||||
STUB_DEBUG_DAEMON, upstream->addr_str, err,
|
||||
X509_verify_cert_error_string(err));
|
||||
#endif
|
||||
|
||||
/* First deal with the hostname authentication done by OpenSSL. */
|
||||
#ifdef X509_V_ERR_HOSTNAME_MISMATCH
|
||||
/*Report if error is hostname mismatch*/
|
||||
if (err == X509_V_ERR_HOSTNAME_MISMATCH && upstream->tls_fallback_ok)
|
||||
DEBUG_STUB("%s %-35s: FD: %d WARNING: Proceeding even though hostname validation failed!\n",
|
||||
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
|
||||
DEBUG_STUB("%s %-35s: FD: %d WARNING: Proceeding even though hostname validation failed!\n",
|
||||
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
|
||||
#else
|
||||
/* if we weren't built against OpenSSL with hostname matching we
|
||||
* could not have matched the hostname, so this would be an automatic
|
||||
|
@ -897,9 +903,15 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
|||
if (upstream->tls_fallback_ok)
|
||||
DEBUG_STUB("%s %-35s: FD: %d, WARNING: Proceeding even though pinset validation failed!\n",
|
||||
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
|
||||
#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
|
||||
else
|
||||
DEBUG_DAEMON("%s %s : Conn failed : Transport=TLS - *Failure* - Pinset validation failure\n",
|
||||
STUB_DEBUG_DAEMON, upstream->addr_str);
|
||||
#endif
|
||||
} else {
|
||||
/* If we _only_ had a pinset and it is good then force succesful
|
||||
authentication when the cert self-signed */
|
||||
authentication when the cert self-signed
|
||||
TODO: We need to check for other error cases here, not blindly accept the cert!! */
|
||||
if ((upstream->tls_pubkey_pinset && upstream->tls_auth_name[0] == '\0') &&
|
||||
(err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
|
||||
err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
|
||||
|
@ -915,6 +927,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
|||
else if (upstream->tls_auth_state == GETDNS_AUTH_NONE &&
|
||||
(upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]))
|
||||
upstream->tls_auth_state = GETDNS_AUTH_OK;
|
||||
|
||||
/* If fallback is allowed, proceed regardless of what the auth error is
|
||||
(might not be hostname or pinset related) */
|
||||
return (upstream->tls_fallback_ok) ? 1 : preverify_ok;
|
||||
|
@ -2023,8 +2036,7 @@ _getdns_submit_stub_request(getdns_network_req *netreq)
|
|||
* All other set up is done async*/
|
||||
fd = upstream_find_for_netreq(netreq);
|
||||
if (fd == -1)
|
||||
/* Handle better, will give unhelpful error is some cases */
|
||||
return GETDNS_RETURN_GENERIC_ERROR;
|
||||
return GETDNS_RETURN_NO_UPSTREAM_AVAILABLE;
|
||||
|
||||
getdns_transport_list_t transport =
|
||||
netreq->transports[netreq->transport_current];
|
||||
|
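Review bot: In the tls_verify_callback hunk at -897,9 the new `else` is wrapped in `#if defined(DAEMON_DEBUG) && DAEMON_DEBUG` and hangs off an unbraced `if (upstream->tls_fallback_ok)` whose only statement is the DEBUG_STUB macro, so whether the `else` pairs with that `if` depends on how DEBUG_STUB expands in each build configuration; brace both arms (`if (upstream->tls_fallback_ok) { DEBUG_STUB(...); }` and `else { DEBUG_DAEMON(...); }`) so the pairing does not rely on the macro. The rewritten comment in the same hunk, `TODO: We need to check for other error cases here, not blindly accept the cert!!`, records an open gap in the authentication path: the guard that follows only restricts the override to a pinset-only configuration and the two self-signed error codes, and the body of that branch lies outside the hunk, so I cannot tell from here what else is validated before the certificate is accepted. Since this is the OpenSSL verify callback, I would replace the bare TODO with a comment that states precisely which checks are deferred and references a tracking issue (`/* TODO(<issue-id>): ... */`), so the limitation stays visible to anyone auditing the fallback behaviour. tls_verify_callback starts and ends outside this hunk.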
|
|
@ -215,7 +215,7 @@ print_usage(FILE *out, const char *progname)
|
|||
fprintf(out, "\t\tThe file must be in json dict format.\n");
|
||||
if (i_am_stubby) {
|
||||
fprintf(out, "\t\tBy default, configuration is first read from");
|
||||
fprintf(out, "\t\t\"/etc/stubby.conf\" and then from \"$HOME/.stubby.conf\"");
|
||||
fprintf(out, "\n\t\t\"/etc/stubby.conf\" and then from \"$HOME/.stubby.conf\"\n");
|
||||
}
|
||||
fprintf(out, "\t-D\tSet edns0 do bit\n");
|
||||
fprintf(out, "\t-d\tclear edns0 do bit\n");
|
||||
|
|
|
@ -5,14 +5,14 @@
|
|||
, tls_auth_name: "dnsovertls.sinodun.com"
|
||||
, tls_pubkey_pinset:
|
||||
[ { digest: "sha256"
|
||||
, value: 0xA132D34D34C181765337C70B83E3697B9524DDDB05A7118B43C0284033D5A0CC
|
||||
, value: 0xEB694ABBD1EC0D56F288F7A70299DCE2C7E64984C73957C580BDE9C81F9C04BE
|
||||
} ]
|
||||
},
|
||||
{ address_data: 145.100.185.16
|
||||
, tls_auth_name: "dnsovertls1.sinodun.com"
|
||||
, tls_pubkey_pinset:
|
||||
[ { digest: "sha256"
|
||||
, value: 0x659B41EB08DCC70EE9D624E6219C76EE31954DA1548B0C8519EAE5228CB24150
|
||||
, value: 0x704D9E7002DE13907EBAB2610EB26554599FDFC7092C0BEA7A438DBE3BE9A940
|
||||
} ]
|
||||
},
|
||||
{ address_data: 185.49.141.38
|
||||
|
@ -26,14 +26,14 @@
|
|||
, tls_auth_name: "dnsovertls.sinodun.com"
|
||||
, tls_pubkey_pinset:
|
||||
[ { digest: "sha256"
|
||||
, value: 0xA132D34D34C181765337C70B83E3697B9524DDDB05A7118B43C0284033D5A0CC
|
||||
, value: 0xEB694ABBD1EC0D56F288F7A70299DCE2C7E64984C73957C580BDE9C81F9C04BE
|
||||
} ]
|
||||
},
|
||||
{ address_data: 2001:610:1:40ba:145:100:185:16
|
||||
, tls_auth_name: "dnsovertls1.sinodun.com"
|
||||
, tls_pubkey_pinset:
|
||||
[ { digest: "sha256"
|
||||
, value: 0x659B41EB08DCC70EE9D624E6219C76EE31954DA1548B0C8519EAE5228CB24150
|
||||
, value: 0x704D9E7002DE13907EBAB2610EB26554599FDFC7092C0BEA7A438DBE3BE9A940
|
||||
} ]
|
||||
},
|
||||
{ address_data: 2a04:b900:0:100::38
|
||||
|
|