Abstracting TLS; let's start with context only.

Change data types in context.h and fix up context.c. Do minimal fixups to stub.c.

src/Makefile.in

@@ -56,7 +56,7 @@ stubbysrcdir = $(srcdir)/../stubby
 LIBTOOL = ../libtool
 
 CC=@CC@
-CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
+CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/openssl -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
 WPEDANTICFLAG=@WPEDANTICFLAG@
 WNOERRORFLAG=@WNOERRORFLAG@
 LDFLAGS=@LDFLAGS@ @LIBS@
@@ -94,6 +94,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 UTIL_OBJ=rbtree.lo val_secalgo.lo lruhash.lo lookup3.lo locks.lo
 
 JSMN_OBJ=jsmn.lo
+TLS_OBJ=tls.lo
 YXML_OBJ=yxml.lo
 
 YAML_OBJ=convert_yaml_to_json.lo
@@ -133,6 +134,9 @@ $(UTIL_OBJ):
 $(JSMN_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -DJSMN_GETDNS -c $(srcdir)/jsmn/$(@:.lo=.c) -o $@
 
+$(TLS_OBJ):
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/openssl/$(@:.lo=.c) -o $@
+
 $(YAML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
 
@@ -194,8 +198,8 @@ libgetdns_ext_uv.la: libgetdns.la libuv.lo
 libgetdns_ext_ev.la: libgetdns.la libev.lo
 	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libev.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEV_LDFLAGS) $(EXTENSION_LIBEV_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libev.symbols
 
-libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS)
+libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS)
-	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
+	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
 
 test: default
 	cd test && $(MAKE) $@
@@ -271,13 +275,14 @@ Makefile: $(srcdir)/Makefile.in ../config.status
 depend:
 	(cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
 
-	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
+	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
 		sed -e "s? $$blddir/? ?g" \
 		    -e 's? gldns/? $$(srcdir)/gldns/?g' \
 		    -e 's? compat/? $$(srcdir)/compat/?g' \
 		    -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \
 		    -e 's? util/? $$(srcdir)/util/?g' \
 		    -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
+		    -e 's? openssl/? $$(srcdir)/openssl/?g' \
 		    -e 's? yxml/? $$(srcdir)/yxml/?g' \
 		    -e 's? ssl_dane/? $$(srcdir)/ssl_dane/?g' \
 		    -e 's? extension/? $$(srcdir)/extension/?g' \
@@ -299,137 +304,104 @@ depend:
 FORCE:
 
 # Dependencies for gldns, utils, the extensions and compat functions
-anchor.lo anchor.o: $(srcdir)/anchor.c \
+anchor.lo anchor.o: $(srcdir)/anchor.c config.h \
- config.h \
  $(srcdir)/debug.h $(srcdir)/anchor.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
- $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
 const-info.lo const-info.o: $(srcdir)/const-info.c \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/const-info.h
-context.lo context.o: $(srcdir)/context.c \
+context.lo context.o: $(srcdir)/context.c config.h \
- config.h \
+ $(srcdir)/anchor.h getdns/getdns.h \
- $(srcdir)/anchor.h \
- getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \
  $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h \
+ $(srcdir)/const-info.h
- $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h
+convert.lo convert.o: $(srcdir)/convert.c config.h \
-convert.lo convert.o: $(srcdir)/convert.c \
- config.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h \
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/wire2str.h \
+ $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h $(srcdir)/debug.h
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \
+dict.lo dict.o: $(srcdir)/dict.c config.h \
- $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h
-dict.lo dict.o: $(srcdir)/dict.c \
- config.h \
  $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h \
+dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \
- $(srcdir)/gldns/parseutil.h
+ $(srcdir)/debug.h getdns/getdns.h \
-dnssec.lo dnssec.o: $(srcdir)/dnssec.c \
- config.h \
- $(srcdir)/debug.h \
- getdns/getdns.h \
  $(srcdir)/context.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
+ $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h \
+ $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h
- $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h \
+general.lo general.o: $(srcdir)/general.c config.h \
- $(srcdir)/util/orig-headers/val_secalgo.h
+ $(srcdir)/general.h getdns/getdns.h \
-general.lo general.o: $(srcdir)/general.c \
- config.h \
- $(srcdir)/general.h \
- getdns/getdns.h \
  $(srcdir)/types-internal.h \
  getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h \
- $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/platform.h
 list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \
- config.h \
+ config.h $(srcdir)/context.h \
- $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/list.h $(srcdir)/dict.h
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+mdns.lo mdns.o: $(srcdir)/mdns.c config.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/list.h $(srcdir)/dict.h
-mdns.lo mdns.o: $(srcdir)/mdns.c \
- config.h \
  $(srcdir)/debug.h $(srcdir)/context.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h \
- $(srcdir)/platform.h $(srcdir)/mdns.h $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/lookup3.h \
- $(srcdir)/util/orig-headers/lookup3.h
 platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \
  config.h
 pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \
- config.h \
+ config.h $(srcdir)/debug.h \
- $(srcdir)/debug.h \
+ getdns/getdns.h $(srcdir)/context.h \
- getdns/getdns.h \
- $(srcdir)/context.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h
 request-internal.lo request-internal.o: $(srcdir)/request-internal.c \
- config.h \
+ config.h $(srcdir)/types-internal.h \
- $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h
 rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
  config.h \
  getdns/getdns.h \
@@ -437,26 +409,20 @@ rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/openssl/tls.h $(srcdir)/dict.h
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \
- $(srcdir)/dict.h
 rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
  config.h \
  getdns/getdns.h \
  $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h
-server.lo server.o: $(srcdir)/server.c \
+server.lo server.o: $(srcdir)/server.c config.h \
- config.h \
  getdns/getdns_extra.h \
- getdns/getdns.h \
+ getdns/getdns.h $(srcdir)/context.h \
- $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+stub.lo stub.o: $(srcdir)/stub.c config.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/platform.h
-stub.lo stub.o: $(srcdir)/stub.c \
- config.h \
  $(srcdir)/debug.h $(srcdir)/stub.h \
  getdns/getdns.h \
  $(srcdir)/types-internal.h \
@@ -464,61 +430,48 @@ stub.lo stub.o: $(srcdir)/stub.c \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
  $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \
  $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/anchor.h \
+sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \
- $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h
+ config.h $(srcdir)/context.h \
-sync.lo sync.o: $(srcdir)/sync.c \
- getdns/getdns.h \
- config.h \
- $(srcdir)/context.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
 ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \
- config.h \
+ config.h
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h
 util-internal.lo util-internal.o: $(srcdir)/util-internal.c \
  config.h \
- getdns/getdns.h \
+ getdns/getdns.h $(srcdir)/dict.h \
- $(srcdir)/dict.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
+ getdns/getdns_extra.h $(srcdir)/list.h \
- $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
+ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h
 gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
- config.h \
+ config.h $(srcdir)/gldns/gbuffer.h
- $(srcdir)/gldns/gbuffer.h
 keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
- config.h \
+ config.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/rrdef.h
+ $(srcdir)/gldns/rrdef.h
 parse.lo parse.o: $(srcdir)/gldns/parse.c \
- config.h \
+ config.h $(srcdir)/gldns/parse.h \
- $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
+ $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \
- config.h \
+ config.h $(srcdir)/gldns/parseutil.h
- $(srcdir)/gldns/parseutil.h
 rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \
- config.h \
+ config.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h
+ $(srcdir)/gldns/parseutil.h
 str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
- config.h \
+ config.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \
+ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \
- $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h
+ $(srcdir)/gldns/parseutil.h
 wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
- config.h \
+ config.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \
+ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h
 arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
  config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
@@ -547,8 +500,7 @@ strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \
  config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c \
  config.h
-locks.lo locks.o: $(srcdir)/util/locks.c \
+locks.lo locks.o: $(srcdir)/util/locks.c config.h \
- config.h \
  $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h
 lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \
  config.h \
@@ -560,10 +512,10 @@ lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \
  $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
  $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
- config.h \
+ config.h $(srcdir)/util/auxiliary/log.h \
- $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \
+ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \
- $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \
+ $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h
+ $(srcdir)/util/orig-headers/rbtree.h
 val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \
  config.h \
  $(srcdir)/util/auxiliary/util/data/packed_rrset.h \
@@ -573,40 +525,37 @@ val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \
  $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
  $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
 jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
+tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
+ $(srcdir)/openssl/tls.h getdns/getdns.h
 yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
 danessl.lo danessl.o: $(srcdir)/ssl_dane/danessl.c $(srcdir)/ssl_dane/danessl.h
 libev.lo libev.o: $(srcdir)/extension/libev.c \
- config.h \
+ config.h $(srcdir)/types-internal.h \
- $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h
 libevent.lo libevent.o: $(srcdir)/extension/libevent.c \
- config.h \
+ config.h $(srcdir)/types-internal.h \
- $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h
 libuv.lo libuv.o: $(srcdir)/extension/libuv.c \
- config.h \
+ config.h $(srcdir)/debug.h \
- $(srcdir)/debug.h $(srcdir)/types-internal.h \
+ $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h
 poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
- config.h \
+ config.h $(srcdir)/util-internal.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h \
+ $(srcdir)/context.h getdns/getdns.h \
- getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
  $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
+ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/platform.h $(srcdir)/debug.h
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/platform.h
 select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \
- config.h \
+ config.h $(srcdir)/debug.h \
- $(srcdir)/debug.h $(srcdir)/types-internal.h \
+ $(srcdir)/types-internal.h \
  getdns/getdns.h \
  getdns/getdns_extra.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \

src/context.c

@@ -47,20 +47,12 @@
 #include <iphlpapi.h>
 typedef unsigned short in_port_t;
 
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/bio.h>
-
 #include <stdio.h>
 #include <windows.h>
 #include <wincrypt.h>
 #include <shlobj.h>
 #endif
 
-#include <openssl/opensslv.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
 #include <sys/stat.h>
 #include <string.h>
 #include <stdio.h>
@@ -94,6 +86,7 @@ typedef unsigned short in_port_t;
 # include "ssl_dane/danessl.h"
 #endif
 #include "const-info.h"
+#include "tls.h"
 
 #define GETDNS_PORT_ZERO 0
 #define GETDNS_PORT_DNS 53
@@ -182,98 +175,6 @@ _getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s)
     }
 }
 
-#ifdef USE_WINSOCK
-/* For windows, the CA trust store is not read by openssl. 
-   Add code to open the trust store using wincrypt API and add
-   the root certs into openssl trust store */
-static int 
-add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
-{
-	HCERTSTORE      hSystemStore;
-	PCCERT_CONTEXT  pTargetCert = NULL;
-
-	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-		"Adding Windows certificates from system root store to CA store");
-
-	/* load just once per context lifetime for this version of getdns
-	   TODO: dynamically update CA trust changes as they are available */
-	if (!tls_ctx)
-		return 0;
-
-	/* Call wincrypt's CertOpenStore to open the CA root store. */
-
-	if ((hSystemStore = CertOpenStore(
-		CERT_STORE_PROV_SYSTEM,
-		0,
-		0,
-		/* NOTE: mingw does not have this const: replace with 1 << 16 from code 
-		   CERT_SYSTEM_STORE_CURRENT_USER, */
-		1 << 16,
-		L"root")) == 0)
-	{
-		return 0;
-	}
-
-	X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx);
-	if (!store)
-		return 0;
-
-	/* failure if the CA store is empty or the call fails */
-	if ((pTargetCert = CertEnumCertificatesInStore(
-		hSystemStore, pTargetCert)) == 0) {
-		DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-			"CA certificate store for Windows is empty.");
-			return 0;
-	}
-	/* iterate over the windows cert store and add to openssl store */
-	do 
-	{
-		X509 *cert1 = d2i_X509(NULL, 
-			(const unsigned char **)&pTargetCert->pbCertEncoded,
-			pTargetCert->cbCertEncoded);
-		if (!cert1) {
-			/* return error if a cert fails */
-			DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-				"Unable to parse certificate in memory",
-				ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
-			return 0;
-		}
-		else {
-			/* return error if a cert add to store fails */
-			if (X509_STORE_add_cert(store, cert1) == 0) {
-				unsigned long error = ERR_peek_last_error();
- 
-				/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
-				* certificate is already in the store.  */ 
-				if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
-				   ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
-					DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-					    "Error adding certificate", ERR_get_error(),
-					     ERR_error_string(ERR_get_error(), NULL));
-					X509_free(cert1);
-					return 0;
-				}
-			}
-			X509_free(cert1);
-		}
-	} while ((pTargetCert = CertEnumCertificatesInStore(
-		hSystemStore, pTargetCert)) != 0);
-
-	/* Clean up memory and quit. */
-	if (pTargetCert)
-		CertFreeCertificateContext(pTargetCert);
-	if (hSystemStore)
-	{
-		if (!CertCloseStore(
-			hSystemStore, 0))
-			return 0;
-	}
-	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
-		"Completed adding Windows certificates to CA store successfully");
-	return 1;
-}
-#endif
-
 static uint8_t*
 upstream_addr(getdns_upstream *upstream)
 {
@@ -755,17 +656,17 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 			}
 		}
 		if (upstream->tls_session != NULL)
-			SSL_SESSION_free(upstream->tls_session);
+			_getdns_tls_session_free(upstream->tls_session);
 
 		if (upstream->tls_obj != NULL) {
-			SSL_shutdown(upstream->tls_obj);
+			_getdns_tls_connection_shutdown(upstream->tls_obj);
 #ifdef USE_DANESSL
 # if defined(STUB_DEBUG) && STUB_DEBUG
 			_stub_debug_print_openssl_errors();
 # endif
-			DANESSL_cleanup(upstream->tls_obj);
+			DANESSL_cleanup(upstream->tls_obj->ssl);
 #endif
-			SSL_free(upstream->tls_obj);
+			_getdns_tls_connection_free(upstream->tls_obj);
 		}
 		if (upstream->fd != -1)
 		{
@@ -877,14 +778,14 @@ _getdns_upstream_reset(getdns_upstream *upstream)
 		    upstream->loop, &upstream->event);
 	}
 	if (upstream->tls_obj != NULL) {
-		SSL_shutdown(upstream->tls_obj);
+		_getdns_tls_connection_shutdown(upstream->tls_obj);
 #ifdef USE_DANESSL
 # if defined(STUB_DEBUG) && STUB_DEBUG
 		_stub_debug_print_openssl_errors();
 # endif
-		DANESSL_cleanup(upstream->tls_obj);
+		DANESSL_cleanup(upstream->tls_obj->ssl);
 #endif
-		SSL_free(upstream->tls_obj);
+		_getdns_tls_connection_free(upstream->tls_obj);
 		upstream->tls_obj = NULL;
 	}
 	if (upstream->fd != -1) {
@@ -1689,18 +1590,7 @@ getdns_context_create_with_extended_memory_functions(
 #endif
 	/* Only initialise SSL once and ideally in a thread-safe manner */
 	if (ssl_init == false) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+		_getdns_tls_init();
-		OpenSSL_add_all_algorithms();
-		SSL_library_init();
-# ifdef USE_DANESSL
-		(void) DANESSL_library_init();
-# endif
-#else
-		OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS
-		                   | OPENSSL_INIT_ADD_ALL_DIGESTS
-		                   | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-		(void)OPENSSL_init_ssl(0, NULL);
-#endif
 		ssl_init = true;
 	}
 #ifdef HAVE_PTHREAD
@@ -1826,7 +1716,7 @@ getdns_context_destroy(struct getdns_context *context)
 		GETDNS_FREE(context->my_mf, context->dns_transports);
 
 	if (context->tls_ctx)
-		SSL_CTX_free(context->tls_ctx);
+		_getdns_tls_context_free(context->tls_ctx);
 
 	getdns_list_destroy(context->dns_root_servers);
 
@@ -3121,7 +3011,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				(void) getdns_dict_get_bindata(
 				    dict, "tls_curves_list", &tls_curves_list);
 				if (tls_curves_list) {
-#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
+#if HAVE_TLS_CONN_CURVES_LIST					
 					upstream->tls_curves_list = 
 					    _getdns_strdup2(&upstreams->mf
 					                   , tls_curves_list);
@@ -3168,7 +3058,7 @@ invalid_parameter:
 error:
 	_getdns_upstreams_dereference(upstreams);
 	return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
-#if !defined(HAVE_DECL_SSL_SET1_CURVES_LIST) || !HAVE_DECL_SSL_SET1_CURVES_LIST
+#if !HAVE_TLS_CONN_CURVES_LIST
 not_implemented:
 	_getdns_upstreams_dereference(upstreams);
 	return GETDNS_RETURN_NOT_IMPLEMENTED;
@@ -3690,46 +3580,31 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 
 		if (context->tls_ctx == NULL) {
 #ifdef HAVE_TLS_v1_2
-			/* Create client context, use TLS v1.2 only for now */
+			context->tls_ctx = _getdns_tls_context_new();
-#  ifdef HAVE_TLS_CLIENT_METHOD
+			if (context->tls_ctx == NULL)
-			context->tls_ctx = SSL_CTX_new(TLS_client_method());
-#  else
-			context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
-#  endif
-			if(context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
 
-#  ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+			r = _getdns_tls_context_set_min_proto_1_2(context->tls_ctx);
-			if (!SSL_CTX_set_min_proto_version(
+			if (r && r != GETDNS_RETURN_NOT_IMPLEMENTED) {
-			    context->tls_ctx, TLS1_2_VERSION)) {
+				_getdns_tls_context_free(context->tls_ctx);
-				SSL_CTX_free(context->tls_ctx);
 				context->tls_ctx = NULL;
 				return GETDNS_RETURN_BAD_CONTEXT;
 			}
-#  endif
 			/* Be strict and only use the cipher suites recommended in RFC7525
 			   Unless we later fallback to opportunistic. */
-			if (!SSL_CTX_set_cipher_list(context->tls_ctx,
+			if (_getdns_tls_context_set_cipher_list(context->tls_ctx,
 			    context->tls_cipher_list ? context->tls_cipher_list
 			                             : _getdns_default_tls_cipher_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
 
-#  if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
 			if (context->tls_curves_list &&
-			    !SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
+			    _getdns_tls_context_set_curves_list(context->tls_ctx, context->tls_curves_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
-#  endif
+			
+			
 			/* For strict authentication, we must have local root certs available
 		       Set up is done only when the tls_ctx is created (per getdns_context)*/
-			if ((context->tls_ca_file || context->tls_ca_path) &&
+			if (!_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path)) {
-			    SSL_CTX_load_verify_locations(context->tls_ctx
-				    , context->tls_ca_file, context->tls_ca_path))
-				; /* pass */
-#  ifndef USE_WINSOCK
-			else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
-#  else
-			else if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) {
-#  endif /* USE_WINSOCK */
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}
@@ -3739,7 +3614,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 #   else
 			(void)
 #   endif
-				SSL_CTX_dane_enable(context->tls_ctx);
+				SSL_CTX_dane_enable(context->tls_ctx->ssl);
 			DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
 			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 #  elif defined(USE_DANESSL)
@@ -3748,7 +3623,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 #   else
 			(void)
 #   endif
-				DANESSL_CTX_init(context->tls_ctx);
+				DANESSL_CTX_init(context->tls_ctx->ssl);
 			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n"
 			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 #  endif
@@ -4159,32 +4034,7 @@ getdns_context_get_api_information(getdns_context* context)
 	    && ! getdns_dict_util_set_string(
 	    result, "default_hosts_location", GETDNS_FN_HOSTS)
 
-	    && ! getdns_dict_set_int(
+	    && ! _getdns_tls_get_api_information(result)
-	    result, "openssl_build_version_number", OPENSSL_VERSION_NUMBER)
-
-#ifdef HAVE_OPENSSL_VERSION_NUM
-	    && ! getdns_dict_set_int(
-	    result, "openssl_version_number", OpenSSL_version_num())
-#endif
-#ifdef HAVE_OPENSSL_VERSION
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION))
-	    
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS))
-
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON))
-
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM))
-
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_dir", OpenSSL_version(OPENSSL_DIR))
-
-	    && ! getdns_dict_util_set_string(
-	    result, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR))
-#endif
 
 	    && ! getdns_dict_set_int(
 	    result, "resolution_type", context->resolution_type)
@@ -5497,7 +5347,7 @@ getdns_context_set_tls_curves_list(
 {
 	if (!context)
 		return GETDNS_RETURN_INVALID_PARAMETER;
-#if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+#if HAVE_TLS_CTX_CURVES_LIST
 	if (context->tls_curves_list)
 		GETDNS_FREE(context->mf, context->tls_curves_list);
 	context->tls_curves_list = tls_curves_list

src/context.h

@@ -50,6 +50,7 @@
 #endif
 #include "rr-iter.h"
 #include "anchor.h"
+#include "tls.h"
 
 struct getdns_dns_req;
 struct ub_ctx;
@@ -201,8 +202,8 @@ typedef struct getdns_upstream {
 	_getdns_rbtree_t         netreq_by_query_id;
 
     /* TLS specific connection handling*/
-	SSL*                     tls_obj;
+	_getdns_tls_connection*  tls_obj;
-	SSL_SESSION*             tls_session;
+	_getdns_tls_session*     tls_session;
 	getdns_tls_hs_state_t    tls_hs_state;
 	getdns_auth_state_t      tls_auth_state;
 	unsigned                 tls_fallback_ok : 1;
@@ -371,7 +372,7 @@ struct getdns_context {
 	int edns_maximum_udp_payload_size; /* -1 is unset */
 	uint8_t edns_client_subnet_private;
 	uint16_t tls_query_padding_blocksize;
-	SSL_CTX* tls_ctx;
+	_getdns_tls_context* tls_ctx;
 
 	getdns_update_callback  update_callback;
 	getdns_update_callback2 update_callback2;

src/openssl/tls.c

@@ -0,0 +1,375 @@
+/**
+ *
+ * \file tls.c
+ * @brief getdns TLS functions
+ */
+
+/*
+ * Copyright (c) 2018, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/bio.h>
+#include <openssl/ssl.h>
+
+#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+
+#include "tls.h"
+
+#ifdef USE_DANESSL
+# include "ssl_dane/danessl.h"
+#endif
+
+#ifdef USE_WINSOCK
+/* For windows, the CA trust store is not read by openssl.
+   Add code to open the trust store using wincrypt API and add
+   the root certs into openssl trust store */
+static int
+add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
+{
+	HCERTSTORE      hSystemStore;
+	PCCERT_CONTEXT  pTargetCert = NULL;
+
+	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+		"Adding Windows certificates from system root store to CA store");
+
+	/* load just once per context lifetime for this version of getdns
+	   TODO: dynamically update CA trust changes as they are available */
+	if (!tls_ctx)
+		return 0;
+
+	/* Call wincrypt's CertOpenStore to open the CA root store. */
+
+	if ((hSystemStore = CertOpenStore(
+		CERT_STORE_PROV_SYSTEM,
+		0,
+		0,
+		/* NOTE: mingw does not have this const: replace with 1 << 16 from code
+		   CERT_SYSTEM_STORE_CURRENT_USER, */
+		1 << 16,
+		L"root")) == 0)
+	{
+		return 0;
+	}
+
+	X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx);
+	if (!store)
+		return 0;
+
+	/* failure if the CA store is empty or the call fails */
+	if ((pTargetCert = CertEnumCertificatesInStore(
+		hSystemStore, pTargetCert)) == 0) {
+		DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+			"CA certificate store for Windows is empty.");
+			return 0;
+	}
+	/* iterate over the windows cert store and add to openssl store */
+	do
+	{
+		X509 *cert1 = d2i_X509(NULL,
+			(const unsigned char **)&pTargetCert->pbCertEncoded,
+			pTargetCert->cbCertEncoded);
+		if (!cert1) {
+			/* return error if a cert fails */
+			DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+				"Unable to parse certificate in memory",
+				ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
+			return 0;
+		}
+		else {
+			/* return error if a cert add to store fails */
+			if (X509_STORE_add_cert(store, cert1) == 0) {
+				unsigned long error = ERR_peek_last_error();
+
+				/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
+				* certificate is already in the store.  */
+				if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
+				   ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+					DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+					    "Error adding certificate", ERR_get_error(),
+					     ERR_error_string(ERR_get_error(), NULL));
+					X509_free(cert1);
+					return 0;
+				}
+			}
+			X509_free(cert1);
+		}
+	} while ((pTargetCert = CertEnumCertificatesInStore(
+		hSystemStore, pTargetCert)) != 0);
+
+	/* Clean up memory and quit. */
+	if (pTargetCert)
+		CertFreeCertificateContext(pTargetCert);
+	if (hSystemStore)
+	{
+		if (!CertCloseStore(
+			hSystemStore, 0))
+			return 0;
+	}
+	DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__,
+		"Completed adding Windows certificates to CA store successfully");
+	return 1;
+}
+#endif
+
+void _getdns_tls_init()
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+	OpenSSL_add_all_algorithms();
+	SSL_library_init();
+
+# ifdef USE_DANESSL
+		(void) DANESSL_library_init();
+# endif
+#else
+	OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS
+	                   | OPENSSL_INIT_ADD_ALL_DIGESTS
+	                   | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+	(void)OPENSSL_init_ssl(0, NULL);
+#endif
+}
+
+_getdns_tls_context* _getdns_tls_context_new()
+{
+	_getdns_tls_context* res;
+
+	if (!(res = malloc(sizeof(struct _getdns_tls_context))))
+		return NULL;
+
+	/* Create client context, use TLS v1.2 only for now */
+#  ifdef HAVE_TLS_CLIENT_METHOD
+	res->ssl = SSL_CTX_new(TLS_client_method());
+#  else
+	res->ssl = SSL_CTX_new(TLSv1_2_client_method());
+#  endif
+	if(res->ssl == NULL) {
+		free(res);
+		return NULL;
+	}
+	return res;
+}
+
+getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx)
+{
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	SSL_CTX_free(ctx->ssl);
+	free(ctx);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
+{
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (!SSL_CTX_set_min_proto_version(ctx->ssl, TLS1_2_VERSION))
+		return GETDNS_RETURN_BAD_CONTEXT;
+	return GETDNS_RETURN_GOOD;
+#else
+	(void) ctx;
+	return GETDNS_RETURN_NOT_IMPLEMENTED;
+#endif
+}
+
+getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list)
+{
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (!SSL_CTX_set_cipher_list(ctx->ssl, list))
+		return GETDNS_RETURN_BAD_CONTEXT;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list)
+{
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+#if HAVE_TLS_CTX_CURVES_LIST
+	if (list &&
+	    !SSL_CTX_set1_curves_list(ctx->ssl, list))
+		return GETDNS_RETURN_BAD_CONTEXT;
+#else
+	(void) list;
+#endif
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path)
+{
+	if (!ctx || !ctx->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if ((file || path) &&
+	    SSL_CTX_load_verify_locations(ctx->ssl, file, path))
+		return GETDNS_RETURN_GOOD; /* pass */
+#ifndef USE_WINSOCK
+	else if (SSL_CTX_set_default_verify_paths(ctx->ssl))
+		return GETDNS_RETURN_GOOD;
+#else
+	else if (add_WIN_cacerts_to_openssl_store(ctx->ssl))
+		return GETDNS_RETURN_GOOD;
+#endif /* USE_WINSOCK */
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd)
+{
+	_getdns_tls_connection* res;
+
+	if (!ctx || !ctx->ssl)
+		return NULL;
+
+	if (!(res = malloc(sizeof(struct _getdns_tls_connection))))
+		return NULL;
+
+	res->ssl = SSL_new(ctx->ssl);
+	if (!res->ssl) {
+		free(res);
+		return NULL;
+	}
+
+	if (!SSL_set_fd(res->ssl, fd)) {
+		SSL_free(res->ssl);
+		free(res);
+		return NULL;
+	}
+
+	return res;
+}
+
+getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	SSL_free(conn->ssl);
+	free(conn);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	switch(SSL_shutdown(conn->ssl))
+	{
+	case 0:		return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
+	case 1:		return GETDNS_RETURN_GOOD;
+	default:	return GETDNS_RETURN_GENERIC_ERROR;
+	}
+}
+
+getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (!SSL_set_cipher_list(conn->ssl, list))
+		return GETDNS_RETURN_BAD_CONTEXT;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list)
+{
+	if (!conn || !conn->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+#if HAVE_TLS_CONN_CURVES_LIST
+	if (list &&
+	    !SSL_set1_curves_list(conn->ssl, list))
+		return GETDNS_RETURN_BAD_CONTEXT;
+#else
+	(void) list;
+#endif
+	return GETDNS_RETURN_GOOD;
+}
+
+_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn)
+{
+	_getdns_tls_session* res;
+
+	if (!conn || !conn->ssl)
+		return NULL;
+
+	if (!(res = malloc(sizeof(struct _getdns_tls_session))))
+		return NULL;
+
+	res->ssl = SSL_get1_session(conn->ssl);
+	if (!res->ssl) {
+		free(res);
+		return NULL;
+	}
+
+	return res;
+}
+
+getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s)
+{
+	if (!s || !s->ssl)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	SSL_SESSION_free(s->ssl);
+	free(s);
+	return GETDNS_RETURN_GOOD;
+}
+
+
+
+getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict)
+{
+	if (! getdns_dict_set_int(
+	    dict, "openssl_build_version_number", OPENSSL_VERSION_NUMBER)
+
+#ifdef HAVE_OPENSSL_VERSION_NUM
+	    && ! getdns_dict_set_int(
+	    dict, "openssl_version_number", OpenSSL_version_num())
+#endif
+#ifdef HAVE_OPENSSL_VERSION
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION))
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS))
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON))
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM))
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "openssl_dir", OpenSSL_version(OPENSSL_DIR))
+
+	    && ! getdns_dict_util_set_string(
+		    dict, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR))
+#endif
+		)
+		return GETDNS_RETURN_GOOD;
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+/* tls.c */

src/openssl/tls.h

@@ -0,0 +1,84 @@
+/**
+ *
+ * \file tls.h
+ * @brief getdns TLS functions
+ */
+
+/*
+ * Copyright (c) 2018, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _GETDNS_TLS_H
+#define _GETDNS_TLS_H
+
+#include "getdns/getdns.h"
+
+#ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+#define HAVE_TLS_CTX_CURVES_LIST	0
+#else
+#define HAVE_TLS_CTX_CURVES_LIST	(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST)
+#endif
+#ifndef HAVE_DECL_SSL_SET1_CURVES_LIST
+#define HAVE_TLS_CONN_CURVES_LIST	0
+#else
+#define HAVE_TLS_CONN_CURVES_LIST	(HAVE_DECL_SSL_SET1_CURVES_LIST)
+#endif
+
+typedef struct _getdns_tls_context {
+	SSL_CTX* ssl;
+} _getdns_tls_context;
+
+typedef struct _getdns_tls_connection {
+	SSL* ssl;
+} _getdns_tls_connection;
+
+typedef struct _getdns_tls_session {
+	SSL_SESSION* ssl;
+} _getdns_tls_session;
+
+void _getdns_tls_init();
+
+_getdns_tls_context* _getdns_tls_context_new();
+getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx);
+
+getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx);
+getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list);
+getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list);
+getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path);
+
+_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd);
+getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx);
+getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn);
+
+getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list);
+getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list);
+_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
+
+getdns_return_t _getdns_tls_session_free(_getdns_tls_session* ctx);
+
+getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
+
+#endif /* _GETDNS_TLS_H */

src/stub.c

@@ -915,28 +915,23 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 
 #endif /* #else defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
 
-static SSL*
+static _getdns_tls_connection*
 tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 {
-	/* Create SSL instance */
+	/* Create SSL instance and connect with a file descriptor */
 	getdns_context *context = dnsreq->context;
 	if (context->tls_ctx == NULL)
 		return NULL;
-	SSL* ssl = SSL_new(context->tls_ctx);
+	_getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd);
-	if(!ssl) 
+	if(!tls) 
 		return NULL;
-	/* Connect the SSL object with a file descriptor */
-	if(!SSL_set_fd(ssl,fd)) {
-		SSL_free(ssl);
-		return NULL;
-	}
 #if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
 	if (upstream->tls_curves_list)
-		(void) SSL_set1_curves_list(ssl, upstream->tls_curves_list);
+		_getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);
 #endif
 	/* make sure we'll be able to find the context again when we need it */
-	if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) {
+	if (_getdns_associate_upstream_with_SSL(tls->ssl, upstream) != GETDNS_RETURN_GOOD) {
-		SSL_free(ssl);
+		_getdns_tls_connection_free(tls);
 		return NULL;
 	}
 
@@ -950,14 +945,14 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		/*Request certificate for the auth_name*/
 		DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
-		SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
+		SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name);
 #if defined(HAVE_SSL_HN_AUTH)
 		/* Set up native OpenSSL hostname verification
 		 * ( doesn't work with USE_DANESSL, but we verify the
 		 *   name afterwards in such cases )
 		 */
 		X509_VERIFY_PARAM *param;
-		param = SSL_get0_param(ssl);
+		param = SSL_get0_param(tls->ssl);
 		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 		X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
 #elif !defined(HAVE_X509_CHECK_HOST)
@@ -968,7 +963,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			    "%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n",
 			    upstream->addr_str);
 			upstream->tls_hs_state = GETDNS_HS_FAILED;
-			SSL_free(ssl);
+			_getdns_tls_connection_free(tls);
 			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 			return NULL;
 		}
@@ -990,7 +985,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 				    "%-40s : Verify fail: *CONFIG ERROR* - No auth name or pinset provided for this upstream for Strict TLS authentication\n",
 				    upstream->addr_str);
 				upstream->tls_hs_state = GETDNS_HS_FAILED;
-				SSL_free(ssl);
+				_getdns_tls_connection_free(tls);
 				upstream->tls_auth_state = GETDNS_AUTH_FAILED;
 				return NULL;
 			}
@@ -1002,12 +997,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		}
 	}
 	if (upstream->tls_fallback_ok) {
-		SSL_set_cipher_list(ssl, "DEFAULT");
+		_getdns_tls_connection_set_cipher_list(tls, "DEFAULT");
 		DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__);
 	} else {
 		if (upstream->tls_cipher_list)
-			SSL_set_cipher_list(ssl, upstream->tls_cipher_list);
+			_getdns_tls_connection_set_cipher_list(tls, upstream->tls_cipher_list);
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
 	}
@@ -1018,20 +1013,20 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 # else
 	(void)
 # endif
-		SSL_dane_enable(ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
+		SSL_dane_enable(tls->ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
 	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
 	          , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
-	SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+	SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
 	sha256_pin_t *pin_p;
 	size_t n_pins = 0;
 	for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
-		osr = SSL_dane_tlsa_add(ssl, 2, 1, 1,
+		osr = SSL_dane_tlsa_add(tls->ssl, 2, 1, 1,
 		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
 		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
 			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 		if (osr > 0)
 			++n_pins;
-		osr = SSL_dane_tlsa_add(ssl, 3, 1, 1,
+		osr = SSL_dane_tlsa_add(tls->ssl, 3, 1, 1,
 		    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
 		DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
 			  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
@@ -1047,23 +1042,23 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 # else
 		(void)
 # endif
-			DANESSL_init(ssl,
+			DANESSL_init(tls->ssl,
 		    *upstream->tls_auth_name ? upstream->tls_auth_name : NULL,
 		    *upstream->tls_auth_name ? auth_names : NULL
 		    );
 		DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n"
 			  , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
-		SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+		SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
 		sha256_pin_t *pin_p;
 		size_t n_pins = 0;
 		for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
-			osr = DANESSL_add_tlsa(ssl, 3, 1, "sha256",
+			osr = DANESSL_add_tlsa(tls->ssl, 3, 1, "sha256",
 			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
 			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
 				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
 			if (osr > 0)
 				++n_pins;
-			osr = DANESSL_add_tlsa(ssl, 2, 1, "sha256",
+			osr = DANESSL_add_tlsa(tls->ssl, 2, 1, "sha256",
 			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
 			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
 				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
@@ -1071,14 +1066,14 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 				++n_pins;
 		}
 	} else {
-		SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+		SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
 	}
 #else
-	SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback);
+	SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback);
 #endif
 
-	SSL_set_connect_state(ssl);
+	SSL_set_connect_state(tls->ssl);
-	(void) SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+	(void) SSL_set_mode(tls->ssl, SSL_MODE_AUTO_RETRY);
 
 	/* Session resumption. There are trade-offs here. Want to do it when
 	   possible only if we have the right type of connection. Note a change
@@ -1087,12 +1082,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		if ((upstream->tls_fallback_ok == 0 &&
 		     upstream->last_tls_auth_state == GETDNS_AUTH_OK) ||
 		     upstream->tls_fallback_ok == 1) {
-			SSL_set_session(ssl, upstream->tls_session);
+			SSL_set_session(tls->ssl, upstream->tls_session->ssl);
 			DEBUG_STUB("%s %-35s: Attempting session re-use\n", STUB_DEBUG_SETUP_TLS, 
 			            __FUNC__);
 			}
 	}
-	return ssl;
+	return tls;
 }
 
 static int
@@ -1103,9 +1098,9 @@ tls_do_handshake(getdns_upstream *upstream)
 	int r;
 	int want;
 	ERR_clear_error();
-	while ((r = SSL_do_handshake(upstream->tls_obj)) != 1)
+	while ((r = SSL_do_handshake(upstream->tls_obj->ssl)) != 1)
 	{
-		want = SSL_get_error(upstream->tls_obj, r);
+		want = SSL_get_error(upstream->tls_obj->ssl, r);
 		switch (want) {
 			case SSL_ERROR_WANT_READ:
 				GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
@@ -1131,12 +1126,12 @@ tls_do_handshake(getdns_upstream *upstream)
 	   }
 	}
 	/* A re-used session is not verified so need to fix up state in that case */
-	if (SSL_session_reused(upstream->tls_obj))
+	if (SSL_session_reused(upstream->tls_obj->ssl))
 		upstream->tls_auth_state = upstream->last_tls_auth_state;
 
 	else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
-		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
+		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl);
-		long verify_result = SSL_get_verify_result(upstream->tls_obj);
+		long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl);
 
 /* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
  * we need to verify auth_name explicitely (otherwise it will not be checked,
@@ -1187,7 +1182,7 @@ tls_do_handshake(getdns_upstream *upstream)
 		else if (verify_result == X509_V_ERR_CERT_UNTRUSTED
 		    && upstream->tls_pubkey_pinset
 		    && !DANESSL_get_match_cert(
-			    upstream->tls_obj, NULL, NULL, NULL))
+			    upstream->tls_obj->ssl, NULL, NULL, NULL))
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,
 			    ( upstream->tls_fallback_ok
@@ -1245,8 +1240,8 @@ tls_do_handshake(getdns_upstream *upstream)
 	upstream->conn_state = GETDNS_CONN_OPEN;
 	upstream->conn_completed++;
 	if (upstream->tls_session != NULL)
-	    SSL_SESSION_free(upstream->tls_session);
+	    _getdns_tls_session_free(upstream->tls_session);
-	upstream->tls_session = SSL_get1_session(upstream->tls_obj);
+	upstream->tls_session = _getdns_tls_connection_get_session(upstream->tls_obj);
 	/* Reset timeout on success*/
 	GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
 	upstream->event.read_cb = NULL;
@@ -1287,7 +1282,7 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp,
 	ssize_t  read;
 	uint8_t *buf;
 	size_t   buf_size;
-	SSL* tls_obj = upstream->tls_obj;
+	SSL* tls_obj = upstream->tls_obj->ssl;
 
 	int q = tls_connected(upstream);
 	if (q != 0)
@@ -1370,7 +1365,7 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp,
 	ssize_t         written;
 	uint16_t        query_id;
 	intptr_t        query_id_intptr;
-	SSL* tls_obj = upstream->tls_obj;
+	SSL* tls_obj = upstream->tls_obj->ssl;
 	uint16_t        padding_sz;
 
 	int q = tls_connected(upstream);
@@ -1875,12 +1870,12 @@ upstream_write_cb(void *userarg)
 		if (netreq->owner->return_call_reporting &&
 		    netreq->upstream->tls_obj) {
 			if (netreq->debug_tls_peer_cert.data == NULL &&
-			    (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj))) {
+			    (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj->ssl))) {
 				netreq->debug_tls_peer_cert.size = i2d_X509(
 					cert, &netreq->debug_tls_peer_cert.data);
 				X509_free(cert);
 			}
-			netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj);
+			netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj->ssl);
 		}
 		/* Need this because auth status is reset on connection close */
 		netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;