diff --git a/configure.ac b/configure.ac
index a1f5dee1..31d75a20 100644
--- a/configure.ac
+++ b/configure.ac
@@ -400,48 +400,49 @@ yes) esac USE_NSS="no" -AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path], - [use libnss instead of openssl, installed at path.]), - [ - USE_NSS="yes" - AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto]) - if test "$withval" != "" -a "$withval" != "yes"; then - CPPFLAGS="$CPPFLAGS -I$withval/include/nss3" - LDFLAGS="$LDFLAGS -L$withval/lib" - ACX_RUNTIME_PATH_ADD([$withval/lib]) - CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS" - else - CPPFLAGS="$CPPFLAGS -I/usr/include/nss3" - CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS" - fi - LIBS="$LIBS -lnss3 -lnspr4" - SSLLIB="" - ] -) +dnl AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path], +dnl [use libnss instead of openssl, installed at path.]), +dnl [ +dnl USE_NSS="yes" +dnl AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto]) +dnl if test "$withval" != "" -a "$withval" != "yes"; then +dnl CPPFLAGS="$CPPFLAGS -I$withval/include/nss3" +dnl LDFLAGS="$LDFLAGS -L$withval/lib" +dnl ACX_RUNTIME_PATH_ADD([$withval/lib]) +dnl CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS" +dnl else +dnl CPPFLAGS="$CPPFLAGS -I/usr/include/nss3" +dnl CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS" +dnl fi +dnl LIBS="$LIBS -lnss3 -lnspr4" +dnl SSLLIB="" +dnl ] +dnl ) # libnettle USE_NETTLE="no" -AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path], - [use libnettle as crypto library, installed at path.]), - [ - USE_NETTLE="yes" - AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto]) - AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT]) - if test "$withval" != "" -a "$withval" != "yes"; then - CPPFLAGS="$CPPFLAGS -I$withval/include/nettle" - LDFLAGS="$LDFLAGS -L$withval/lib" - ACX_RUNTIME_PATH_ADD([$withval/lib]) - else - CPPFLAGS="$CPPFLAGS -I/usr/include/nettle" - fi - LIBS="$LIBS -lhogweed -lnettle -lgmp" - SSLLIB="" - ] -) +dnl AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path], +dnl [use libnettle as crypto library, installed at path.]), +dnl [ +dnl USE_NETTLE="yes" +dnl AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle 
for crypto]) +dnl AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT]) +dnl if test "$withval" != "" -a "$withval" != "yes"; then +dnl CPPFLAGS="$CPPFLAGS -I$withval/include/nettle" +dnl LDFLAGS="$LDFLAGS -L$withval/lib" +dnl ACX_RUNTIME_PATH_ADD([$withval/lib]) +dnl else +dnl CPPFLAGS="$CPPFLAGS -I/usr/include/nettle" +dnl fi +dnl LIBS="$LIBS -lhogweed -lnettle -lgmp" +dnl SSLLIB="" +dnl ] +dnl ) # openssl if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then -ACX_WITH_SSL_OPTIONAL +ACX_WITH_SSL +fi ACX_LIB_SSL AC_MSG_CHECKING([for LibreSSL]) if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then @@ -453,7 +454,7 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/ else AC_MSG_RESULT([no]) fi -AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites]) @@ -477,7 +478,6 @@ AC_INCLUDES_DEFAULT #include #include ]) -fi AC_MSG_CHECKING([whether we need to compile/link DANE support]) DANESSL_XTRA_OBJS="" diff --git a/src/request-internal.c b/src/request-internal.c index c94038b7..d53f85e0 100644 --- a/src/request-internal.c +++ b/src/request-internal.c 
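Review bot: With both `--with-nss` and `--with-nettle` turned into `dnl` comments, `USE_NSS` and `USE_NETTLE` can only ever hold `"no"`, so the `if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then` guard around `ACX_WITH_SSL` (closed by the new `fi` here, after the third hunk dropped the old `fi` further down) is dead code and OpenSSL has silently become a hard requirement. Either state that intent by removing the guard and the two variables, or keep the options and reject them with an explicit `AC_MSG_ERROR`, rather than leaving some 35 lines of `dnl`-commented configure logic that still reads as if the NSS and nettle backends were selectable. Note that the `#if defined(HAVE_NSS) || defined(HAVE_NETTLE)` branch added in src/request-internal.c depends on defines nothing in this file can set any more. A one-line comment above the block, `dnl NSS and nettle backends are disabled; OpenSSL is required`, would at least document the new state.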
@@ -495,6 +495,9 @@ _getdns_network_req_add_tsig(getdns_network_req *req) void _getdns_network_validate_tsig(getdns_network_req *req) { +#if defined(HAVE_NSS) || defined(HAVE_NETTLE) + (void)req; +#else _getdns_rr_iter rr_spc, *rr; _getdns_rdf_iter rdf_spc, *rdf; const uint8_t *request_mac; @@ -668,6 +671,7 @@ _getdns_network_validate_tsig(getdns_network_req *req) gldns_write_uint16(req->response, gldns_read_uint16(req->query)); gldns_write_uint16(req->response + 10, gldns_read_uint16(req->response + 10) + 1); +#endif } void diff --git a/src/util-internal.c b/src/util-internal.c index 2deefba0..0eaf3435 100644 --- a/src/util-internal.c +++ b/src/util-internal.c @@ -1119,7 +1119,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request) int rrsigs_in_answer = 0; getdns_dict *reply; getdns_bindata *canonical_name = NULL; - int nreplies = 0, nanswers = 0, nsecure = 0, ninsecure = 0, nbogus = 0; + int nreplies = 0, nanswers = 0; + int nsecure = 0, ninsecure = 0, nindeterminate = 0, nbogus = 0; getdns_dict *netreq_debug; _srvs srvs = { 0, 0, NULL }; @@ -1193,16 +1194,18 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request) _getdns_network_validate_tsig(netreq); nreplies++; - if (netreq->dnssec_status == GETDNS_DNSSEC_SECURE) - nsecure++; - else if (netreq->dnssec_status != GETDNS_DNSSEC_BOGUS) - ninsecure++; - - if (dnssec_return_status && - netreq->dnssec_status == GETDNS_DNSSEC_BOGUS) - nbogus++; - - + switch (netreq->dnssec_status) { + case GETDNS_DNSSEC_SECURE : nsecure++; + break; + case GETDNS_DNSSEC_INSECURE : ninsecure++; + break; + case GETDNS_DNSSEC_INDETERMINATE: nindeterminate++; + ninsecure++; + break; + case GETDNS_DNSSEC_BOGUS : if (dnssec_return_status) + nbogus++; + break; + } if (! completed_request->dnssec_return_all_statuses && ! completed_request->dnssec_return_validation_chain) { if (dnssec_return_status && 
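Review bot: The NSS/nettle stub at the top of `_getdns_network_validate_tsig` returns without recording anything in `req`, so a response that carries a TSIG record is treated exactly like one that was never checked; whichever status field the full body sets (the body and the matching `#endif` from the second hunk lie outside this hunk) is left at its initial value. If that initial value is anything other than an explicit "not validated" state, callers in those builds cannot tell a verified response from an unverified one. At minimum document the gap where the stub is: `/* TSIG validation is only implemented for OpenSSL; NSS/nettle builds leave the request unvalidated. */`. Since the same commit comments out both `--with-nss` and `--with-nettle` in configure.ac, it is worth asking whether this `#if` is needed at all instead of adding a silent no-op path.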
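Review bot: The new `switch (netreq->dnssec_status)` has no `default:`, so a `dnssec_status` holding any value other than the four listed enumerators is now counted in no bucket, whereas the replaced `else if (netreq->dnssec_status != GETDNS_DNSSEC_BOGUS)` counted every non-SECURE, non-BOGUS value as insecure. A reply that is never classified then passes all of the `nsecure == 0 && n... > 0` tests in the status computation later in the function (the body continues outside this hunk), which is presumably not intended. Unless the enum really has exactly these four values and every netreq is guaranteed to be assigned one, add `default: ninsecure++; break;` to preserve the old classification, or at least a `default:` that flags the unexpected value. Putting the statement on the `case` line (`case GETDNS_DNSSEC_SECURE : nsecure++;`) also obscures the structure; one statement per line would make the `INDETERMINATE` case, which bumps two counters, easier to read.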
@@ -1291,8 +1294,11 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS,
 completed_request->request_timed_out || nreplies == 0
 ? GETDNS_RESPSTATUS_ALL_TIMEOUT :
+ ( completed_request->dnssec
+ && nsecure == 0 && nindeterminate ) > 0
+ ? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
 ( completed_request->dnssec_return_only_secure
- || completed_request->dnssec ) && nsecure == 0 && ninsecure > 0
+ && nsecure == 0 && ninsecure ) > 0
 ? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
 ( completed_request->dnssec_return_only_secure
 || completed_request->dnssec ) && nsecure == 0 && nbogus > 0
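Review bot: In the two new lines `&& nsecure == 0 && nindeterminate ) > 0` and `&& nsecure == 0 && ninsecure ) > 0`, the `> 0` sits outside the closing parenthesis, so it compares the 0-or-1 result of the whole `&&` chain with zero rather than the counter; it is a no-op that only reads as if it bounded `nindeterminate` or `ninsecure`. The outcome is correct as long as those counters never go negative, but the layout is misleading and differs from the unchanged `nbogus > 0` line two lines below. Move the comparison inside the parentheses: `&& nsecure == 0 && nindeterminate > 0 )` and `&& nsecure == 0 && ninsecure > 0 )`. The ternary chain continues past this hunk, where the remaining status outcomes are selected.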