From b74c62066c5dead0cdf976232053250fdc407906 Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Fri, 16 Oct 2015 18:31:57 +0100
Subject: [PATCH] Cleanup
---
 ChangeLog | 6 ++++++
 Makefile.in | 3 ---
 README.md | 5 +++--
 m4/acx_openssl.m4 | 2 +-
 src/Makefile.in | 3 ---
 src/context.c | 5 ++---
 src/stub.c | 4 ++--
 src/test/Makefile.in | 2 --
 src/test/getdns_query.c | 6 ++----
 src/test/tests_transports.sh | 12 +++++++-----
 10 files changed, 23 insertions(+), 25 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f31cb691..c4569813 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,12 @@
 (ldns still necessary to be able to run tests though)
 * Bugfix: DNSSEC code finding zone cut with redirects + pursuing unsigned DS answers close to the root. Thanks Theogene Bucuti!
+ * Default port for TLS changed to 853
+ * Unofficial extension to the API to allow TLS hostname verification to be
+ required for stub mode when using only TLS as a transport.
+ When required a hostname must be supplied in the
+ 'hostname' field of the upstream_list dict and the TLS cipher suites are
+ restricted to the 4 AEAD suites recommended in RFC7525.
 * 2015-09-09: Version 0.3.3
 * Fix clearing upstream events on shutdown
diff --git a/Makefile.in b/Makefile.in
index 01e04555..93ef6946 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -91,9 +91,6 @@ doc: FORCE
 example:
 cd spec/example && $(MAKE) $@
-test_code:
- cd src && $(MAKE) $@
-
 test:
 cd src && $(MAKE) $@
diff --git a/README.md b/README.md
index 175f8aaf..0353a6d0 100644
--- a/README.md
+++ b/README.md
@@ -87,7 +87,8 @@ External dependencies are linked outside the getdns API build tree (we rely on c
 * [libunbound from NLnet Labs](http://www.nlnetlabs.nl/projects/unbound/) version 1.4.16 or later
 * [libidn from the FSF](http://www.gnu.org/software/libidn/) version 1.
-* [libssl from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.2 or later is required for TLS support)
+* [libssl from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.1 or later is required for TLS support, version 1.0.2
+or later is required for TLS hostname authentication)
 * Doxygen is used to generate documentation, while this is not technically necessary for the build it makes things a lot more pleasant.
 You have to install the library and also the library-devel (or -dev) for your
@@ -226,7 +227,7 @@ To install the [event loop integration libraries](https://github.com/getdnsapi/g
 Note that in order to compile the examples, the `--with-libevent` switch is required.
-As of the 0.2.0 release, when installing via Homebrew, the trust anchor is expected to be located at `$(brew --prefix)/etc/getdns-root.key`. Additionally, the OpenSSL library installed by Homebrew is linked against. Note that the Homebrew OpenSSL installation clones the Keychain certificates to the default OpenSSL location so TLS authentication should work out of the box.
+As of the 0.2.0 release, when installing via Homebrew, the trust anchor is expected to be located at `$(brew --prefix)/etc/getdns-root.key`. Additionally, the OpenSSL library installed by Homebrew is linked against. Note that the Homebrew OpenSSL installation clones the Keychain certificates to the default OpenSSL location so TLS certificate authentication should work out of the box.
 Contributors
 ============
diff --git a/m4/acx_openssl.m4 b/m4/acx_openssl.m4
index 4a567fd2..135131fb 100644
--- a/m4/acx_openssl.m4
+++ b/m4/acx_openssl.m4
@@ -112,7 +112,7 @@ AC_CHECK_LIB(ssl, TLSv1_2_client_method,AC_DEFINE([HAVE_TLS_v1_2], [1],
 dnl Native OpenSSL hostname verification requires OpenSSL 1.0.2
 AC_CHECK_LIB(ssl, SSL_CTX_get0_param,AC_DEFINE([HAVE_SSL_HN_AUTH], [1],
- [Define if you have libssl with host name verification]),[AC_MSG_WARN([Cannot find SSL_CTX_get0_param in libssl library. Native TLS hostname verification will not be available, custom code will be used.])])
+ [Define if you have libssl with host name verification]),[AC_MSG_WARN([Cannot find SSL_CTX_get0_param in libssl library. TLS hostname verification will not be available.])])
 ])
 dnl Check for SSL, where SSL is mandatory
diff --git a/src/Makefile.in b/src/Makefile.in
index b7f81f60..d5b8badd 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -147,9 +147,6 @@ libgetdns_ext_ev.la: libgetdns.la libev.lo
 libgetdns.la: $(GETDNS_OBJ) version.lo context.lo libmini_event.lo $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ)
 $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ $(GETDNS_OBJ) version.lo context.lo libmini_event.lo $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
-test_code: FORCE
- cd test && $(MAKE) $@
-
 test: FORCE
 cd test && $(MAKE) $@
diff --git a/src/context.c b/src/context.c
index dd21e304..defe18e6 100644
--- a/src/context.c
+++ b/src/context.c
@@ -900,8 +900,8 @@ getdns_context_create_with_extended_memory_functions(
 result->edns_maximum_udp_payload_size = -1;
 if ((r = create_default_dns_transports(result))) goto error;
- result->tls_auth = GETDNS_AUTHENTICATION_HOSTNAME;
- result->tls_auth_min = GETDNS_AUTHENTICATION_HOSTNAME;
+ result->tls_auth = GETDNS_AUTHENTICATION_NONE;
+ result->tls_auth_min = GETDNS_AUTHENTICATION_NONE;
 result->limit_outstanding_queries = 0;
 result->return_dnssec_status = GETDNS_EXTENSION_FALSE;
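Review bot: The new defaults `result->tls_auth = GETDNS_AUTHENTICATION_NONE;` and `result->tls_auth_min = GETDNS_AUTHENTICATION_NONE;` switch every freshly created context to unauthenticated TLS unless the application opts in, and nothing at the assignment records that this is deliberate rather than a leftover. With tls_auth_min at NONE, tls_auth_status_ok() in stub.c (also touched by this patch) returns 1 even when upstream->tls_auth_failed is set, so a context configured with TLS alone will presumably still complete queries over an upstream whose hostname verification failed. The ChangeLog describes the opt-in, but the code that picks the default should say so too, e.g. `/* Opportunistic by default: a failed TLS hostname verification does not exclude an upstream; raise tls_auth_min to GETDNS_AUTHENTICATION_HOSTNAME to require it. */`. getdns_context_create_with_extended_memory_functions() begins and ends outside this hunk.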
@@ -1273,7 +1273,6 @@ getdns_set_base_dns_transports(
 memcpy(context->dns_transports, transports, transport_count * sizeof(getdns_transport_list_t));
 context->dns_transport_count = transport_count;
- dispatch_updated(context, GETDNS_CONTEXT_CODE_DNS_TRANSPORT);
 return GETDNS_RETURN_GOOD;
 }
diff --git a/src/stub.c b/src/stub.c
index 6b85ccf8..c26d3b95 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -79,6 +79,7 @@ static void stub_timeout_cb(void *userarg);
 /* General utility functions */
 /*****************************/
+
 static void
 rollover_secret()
 {
@@ -824,7 +825,6 @@ tls_failed(getdns_upstream *upstream)
 static int
 tls_auth_status_ok(getdns_upstream *upstream, getdns_network_req *netreq)
 {
- DEBUG_STUB("--- %s %d %d\n", __FUNCTION__, (int)netreq->tls_auth_min, (int)upstream->tls_auth_failed);
 return (netreq->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME && upstream->tls_auth_failed) ? 0 : 1;
 }
@@ -1697,7 +1697,7 @@ find_upstream_for_netreq(getdns_network_req *netreq)
 netreq->transports[i], &fd);
 if (fd == -1 || !upstream)
- continue;
+ continue;
 netreq->transport_current = i;
 netreq->upstream = upstream;
 return fd;
diff --git a/src/test/Makefile.in b/src/test/Makefile.in
index fb420392..d3fdc2c6 100644
--- a/src/test/Makefile.in
+++ b/src/test/Makefile.in
@@ -158,8 +158,6 @@ nolibldns:
 test: $(NOLIBCHECK) $(NOLIBLDNS) all
-test_code: $(NOLIBCHECK) all
- (cd $(srcdir)/../.. && find . -type f -executable -and \( -name "*.[ch]" -or -name "*.html" -or -name "*.in" -or -name "*.good" -or -name "*.ac" \) | awk 'BEGIN{e=0}{print("ERROR! Executable bit found on", $$0);e=1}END{exit(e)}')
 ./$(CHECK_GETDNS)
 if test $(have_libevent) = 1 ; then ./$(CHECK_EVENT_PROG) ; fi
diff --git a/src/test/getdns_query.c b/src/test/getdns_query.c
index 8c1b2e5e..e131b271 100644
--- a/src/test/getdns_query.c
+++ b/src/test/getdns_query.c
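Review bot: Removing `dispatch_updated(context, GETDNS_CONTEXT_CODE_DNS_TRANSPORT);` from getdns_set_base_dns_transports() means an application that registered a context update callback is no longer told when the transport list changes through this setter, and a commit titled "Cleanup" gives no reason. If GETDNS_CONTEXT_CODE_DNS_TRANSPORT is meant to be reported only by some other setter (presumably an older single-transport one, not visible here), leave a one-line comment where the call used to be saying which setter owns that code; otherwise the call should be restored so callers see a consistent notification for both setters. The opening of the function is outside the hunk, so whether an earlier return path still dispatches cannot be checked from this view.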
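Review bot: tls_auth_status_ok() now has no comment at all, yet it is the one predicate that decides whether an upstream that failed TLS hostname verification is still used, and its contract is easy to misread: it returns 0 only when both netreq->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME and upstream->tls_auth_failed hold, and 1 in every other case, including a failed verification that the request did not require. Suggest a header comment above `static int`: `/* Returns 0 only when the request requires hostname authentication and this upstream failed it; a failed verification is otherwise tolerated. */`. As a matter of style the `? 0 : 1` could simply be `return !(netreq->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME && upstream->tls_auth_failed);`.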
@@ -193,10 +193,8 @@ void my_eventloop_run_once(getdns_eventloop *loop, int blocking)
 tv.tv_sec = 0;
 tv.tv_usec = 0;
 } else {
- //tv.tv_sec = (timeout - now) / 1000000;
- tv.tv_sec = 21474836;
+ tv.tv_sec = (timeout - now) / 1000000;
 tv.tv_usec = (timeout - now) % 1000000;
- //fprintf(stdout, "Using BIG tv: %" PRIu64 " %" PRIu64 ", %lu %d \n", timeout, now, tv.tv_sec, tv.tv_usec);
 }
 if (select(max_fd + 1, &readfds, &writefds, NULL, &tv) < 0) {
 perror("select() failed");
@@ -386,7 +384,7 @@ print_usage(FILE *out, const char *progname)
 fprintf(out, "\t-I\tInteractive mode (> 1 queries on same context)\n");
 fprintf(out, "\t-j\tOutput json response dict\n");
 fprintf(out, "\t-J\tPretty print json response dict\n");
- fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default is to verify hostname)\n");
+ fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n");
 fprintf(out, "\t-m\tSet TLS authentication mode to HOSTNAME\n");
 fprintf(out, "\t-p\tPretty print response dict\n");
 fprintf(out, "\t-r\tSet recursing resolution type\n");
diff --git a/src/test/tests_transports.sh b/src/test/tests_transports.sh
index ec75e7ab..15d31341 100755
--- a/src/test/tests_transports.sh
+++ b/src/test/tests_transports.sh
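Review bot: `tv.tv_sec = (timeout - now) / 1000000;` is only correct if the `if` whose condition sits above the hunk already handles `timeout <= now`; the fprintf being removed formatted both values with PRIu64, so they appear to be unsigned, and an overdue timeout would wrap the difference into an enormous tv_sec that select() rejects with EINVAL instead of returning at once. The branch condition is outside the hunk, so this cannot be confirmed from here; if it is guaranteed, a short comment such as `/* timeout > now on this branch, so the unsigned difference cannot wrap */` documents the dependency, otherwise clamp with `tv.tv_sec = timeout > now ? (timeout - now) / 1000000 : 0;`. The hard-coded 21474836 being replaced was clearly a debugging value, so restoring the computed timeout is the right direction; my_eventloop_run_once() begins and ends outside the hunk.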
@@ -77,20 +77,22 @@ echo $TLS_SERVER_IP_NO_NAME
 GOOD_QUERIES=(
 "-s -A -q getdnsapi.net -l U @${SERVER_IP} "
 "-s -A -q getdnsapi.net -l T @${SERVER_IP} "
-"-s -A -q getdnsapi.net -l L @${TLS_SERVER_IP}"
-"-s -A -q getdnsapi.net -l S @${TLS_SERVER_IP}")
+"-s -A -q getdnsapi.net -l L @${TLS_SERVER_IP_NO_NAME}"
+"-s -A -q getdnsapi.net -l L -m @${TLS_SERVER_IP}")
+#"-s -A -q getdnsapi.net -l S @${TLS_SERVER_IP_NO_NAME}")
 GOOD_FALLBACK_QUERIES=(
 "-s -A -q getdnsapi.net -l LT @${SERVER_IP}"
 "-s -A -q getdnsapi.net -l LT @${SERVER_IP}"
 "-s -A -q getdnsapi.net -l LT @${TLS_SERVER_IP_NO_NAME}"
-"-s -A -q getdnsapi.net -l L @${SERVER_IP} @${TLS_SERVER_IP}"
+"-s -A -q getdnsapi.net -l LT -m @${TLS_SERVER_IP_NO_NAME}"
+"-s -A -q getdnsapi.net -l L @${SERVER_IP} @${TLS_SERVER_IP_NO_NAME}"
 "-s -G -q DNSKEY getdnsapi.net -l UT @${SERVER_IP} -b 512 -D")
 NOT_AVAILABLE_QUERIES=(
 "-s -A -q getdnsapi.net -l L @${SERVER_IP} "
-"-s -A -q getdnsapi.net -l S @${SERVER_IP} "
-"-s -A -q getdnsapi.net -l L @${TLS_SERVER_IP_NO_NAME} "
+#"-s -A -q getdnsapi.net -l S @${SERVER_IP} "
+"-s -A -q getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME} "
 "-s -G -q DNSKEY getdnsapi.net -l U @${SERVER_IP} -b 512 -D")
 echo "Starting transport test"
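Review bot: The two `-l S` entries are commented out rather than removed (`#"-s -A -q getdnsapi.net -l S @${TLS_SERVER_IP_NO_NAME}")` in GOOD_QUERIES and `#"-s -A -q getdnsapi.net -l S @${SERVER_IP} "` in NOT_AVAILABLE_QUERIES) with no word on why, which leaves dead test data that the next reader cannot tell apart from a temporary disable; either delete them or put a comment above each such as `# -l S cases disabled: <reason placeholder>`. The first of them also carries a trailing `)` after the array has already been closed on the previous line, harmless inside a comment but misleading. The new expectations encode the security policy of this commit, an unauthenticated `-l L @${TLS_SERVER_IP_NO_NAME}` succeeds by default while `-l L -m @${TLS_SERVER_IP_NO_NAME}` must fail, so a one-line comment on each of those entries stating that intent would make a later change of the default a deliberate test edit instead of an unexplained failure.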