Merge pull request #261 from saradickinson/feature/stubby_updates

Feature/stubby updates
2017-02-27 14:25:15 -08:00 · 2017-02-27 14:25:15 -08:00 · 94e1f48f58
parent 4b6962cd9a 7c8605c3b1
commit 94e1f48f58
5 changed files with 27 additions and 11 deletions
--- a/src/const-info.c
+++ b/src/const-info.c
@ -24,6 +24,7 @@ static struct const_info consts_info[] = {
 	{  310, "GETDNS_RETURN_MEMORY_ERROR", GETDNS_RETURN_MEMORY_ERROR_TEXT },
 	{  311, "GETDNS_RETURN_INVALID_PARAMETER", GETDNS_RETURN_INVALID_PARAMETER_TEXT },
 	{  312, "GETDNS_RETURN_NOT_IMPLEMENTED", GETDNS_RETURN_NOT_IMPLEMENTED_TEXT },
+	{  398, "GETDNS_RETURN_NO_UPSTREAM_AVAILABLE", GETDNS_RETURN_NO_UPSTREAM_AVAILABLE_TEXT },
 	{  399, "GETDNS_RETURN_NEED_MORE_SPACE", GETDNS_RETURN_NEED_MORE_SPACE_TEXT },
 	{  400, "GETDNS_DNSSEC_SECURE", GETDNS_DNSSEC_SECURE_TEXT },
 	{  401, "GETDNS_DNSSEC_BOGUS", GETDNS_DNSSEC_BOGUS_TEXT },
@ -223,6 +224,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RETURN_NO_SUCH_DICT_NAME", 305 },
 	{ "GETDNS_RETURN_NO_SUCH_EXTENSION", 307 },
 	{ "GETDNS_RETURN_NO_SUCH_LIST_ITEM", 304 },
+	{ "GETDNS_RETURN_NO_UPSTREAM_AVAILABLE", 398 },
 	{ "GETDNS_RETURN_UNKNOWN_TRANSACTION", 303 },
 	{ "GETDNS_RETURN_WRONG_TYPE_REQUESTED", 306 },
 	{ "GETDNS_RRCLASS_ANY", 255 },
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@ -56,6 +56,8 @@ extern "C" {
 * \defgroup Ureturnvaluesandtext Additional return values and texts
 *  @{
 */
+#define GETDNS_RETURN_NO_UPSTREAM_AVAILABLE ((getdns_return_t) 398 )
+#define GETDNS_RETURN_NO_UPSTREAM_AVAILABLE_TEXT "None of the configured upstreams could be used to send queries on the specified transports"
 #define GETDNS_RETURN_NEED_MORE_SPACE ((getdns_return_t) 399 )
 #define GETDNS_RETURN_NEED_MORE_SPACE_TEXT "The buffer was too small"
 /** @}
--- a/src/stub.c
+++ b/src/stub.c
@ -520,7 +520,7 @@ stub_cleanup(getdns_network_req *netreq)
 static void
 upstream_failed(getdns_upstream *upstream, int during_setup)
 {
-	DEBUG_STUB("%s %-35s: FD:  %d During setup = %d\n",
+	DEBUG_STUB("%s %-35s: FD:  %d Failure during connection setup = %d\n",
 	           STUB_DEBUG_CLEANUP, __FUNC__, upstream->fd, during_setup);
 	/* Fallback code should take care of queue queries and then close conn
 	   when idle.*/
@ -868,13 +868,19 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err,
 	            X509_verify_cert_error_string(err));
 #endif
+#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
+	if (!preverify_ok && !upstream->tls_fallback_ok)
+			DEBUG_DAEMON("%s %s : Conn failed   : Transport=TLS - *Failure* -  (%d) \"%s\"\n",
+		                  STUB_DEBUG_DAEMON, upstream->addr_str, err,
+			              X509_verify_cert_error_string(err));
+#endif

 	/* First deal with the hostname authentication done by OpenSSL. */
 #ifdef X509_V_ERR_HOSTNAME_MISMATCH
 	/*Report if error is hostname mismatch*/
 	if (err == X509_V_ERR_HOSTNAME_MISMATCH && upstream->tls_fallback_ok)
-		DEBUG_STUB("%s %-35s: FD:  %d WARNING: Proceeding even though hostname validation failed!\n",
-		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
+			DEBUG_STUB("%s %-35s: FD:  %d WARNING: Proceeding even though hostname validation failed!\n",
+		                STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
 #else
 	/* if we weren't built against OpenSSL with hostname matching we
 	 * could not have matched the hostname, so this would be an automatic
@ -897,9 +903,15 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 		if (upstream->tls_fallback_ok)
 			DEBUG_STUB("%s %-35s: FD:  %d, WARNING: Proceeding even though pinset validation failed!\n",
 			            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
+#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
+		else
+			DEBUG_DAEMON("%s %s : Conn failed   : Transport=TLS - *Failure* - Pinset validation failure\n",
+		                  STUB_DEBUG_DAEMON, upstream->addr_str);
+#endif
 	} else {
 		/* If we _only_ had a pinset and it is good then force succesful
-		   authentication when the cert self-signed */
+		   authentication when the cert self-signed
+		   TODO: We need to check for other error cases here, not blindly accept the cert!! */
 		if ((upstream->tls_pubkey_pinset && upstream->tls_auth_name[0] == '\0') &&
 		     (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
 		      err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
@ -915,6 +927,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	else if (upstream->tls_auth_state == GETDNS_AUTH_NONE &&
 	         (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]))
 		upstream->tls_auth_state = GETDNS_AUTH_OK;
+
 	/* If fallback is allowed, proceed regardless of what the auth error is
 	   (might not be hostname or pinset related) */
 	return (upstream->tls_fallback_ok) ? 1 : preverify_ok;
@ -2023,8 +2036,7 @@ _getdns_submit_stub_request(getdns_network_req *netreq)
 	 * All other set up is done async*/
 	fd = upstream_find_for_netreq(netreq);
 	if (fd == -1)
-		/* Handle better, will give unhelpful error is some cases */
-		return GETDNS_RETURN_GENERIC_ERROR;
+		return GETDNS_RETURN_NO_UPSTREAM_AVAILABLE;

 	getdns_transport_list_t transport =
 	                             netreq->transports[netreq->transport_current];
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@ -215,7 +215,7 @@ print_usage(FILE *out, const char *progname)
 	fprintf(out, "\t\tThe file must be in json dict format.\n");
 	if (i_am_stubby) {
 		fprintf(out, "\t\tBy default, configuration is first read from");
-		fprintf(out, "\t\t\"/etc/stubby.conf\" and then from \"$HOME/.stubby.conf\"");
+		fprintf(out, "\n\t\t\"/etc/stubby.conf\" and then from \"$HOME/.stubby.conf\"\n");
 	}
 	fprintf(out, "\t-D\tSet edns0 do bit\n");
 	fprintf(out, "\t-d\tclear edns0 do bit\n");
--- a/src/tools/stubby.conf
+++ b/src/tools/stubby.conf
@ -5,14 +5,14 @@
    , tls_auth_name: "dnsovertls.sinodun.com"
    , tls_pubkey_pinset:
      [ { digest: "sha256"
-        , value: 0xA132D34D34C181765337C70B83E3697B9524DDDB05A7118B43C0284033D5A0CC
+        , value: 0xEB694ABBD1EC0D56F288F7A70299DCE2C7E64984C73957C580BDE9C81F9C04BE
      } ] 
    },
    { address_data: 145.100.185.16
    , tls_auth_name: "dnsovertls1.sinodun.com"
    , tls_pubkey_pinset:
      [ { digest: "sha256"
-        , value: 0x659B41EB08DCC70EE9D624E6219C76EE31954DA1548B0C8519EAE5228CB24150
+        , value: 0x704D9E7002DE13907EBAB2610EB26554599FDFC7092C0BEA7A438DBE3BE9A940
      } ] 
    },
    { address_data: 185.49.141.38
@ -26,14 +26,14 @@
    , tls_auth_name: "dnsovertls.sinodun.com"
    , tls_pubkey_pinset:
      [ { digest: "sha256"
-        , value: 0xA132D34D34C181765337C70B83E3697B9524DDDB05A7118B43C0284033D5A0CC
+        , value: 0xEB694ABBD1EC0D56F288F7A70299DCE2C7E64984C73957C580BDE9C81F9C04BE
      } ] 
    },
    { address_data: 2001:610:1:40ba:145:100:185:16
    , tls_auth_name: "dnsovertls1.sinodun.com"
    , tls_pubkey_pinset:
      [ { digest: "sha256"
-        , value: 0x659B41EB08DCC70EE9D624E6219C76EE31954DA1548B0C8519EAE5228CB24150
+        , value: 0x704D9E7002DE13907EBAB2610EB26554599FDFC7092C0BEA7A438DBE3BE9A940
      } ] 
    },
    { address_data: 2a04:b900:0:100::38