From d9fdd4c10dfc9ce6286e948f8a23b4dfdaef5eba Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Wed, 14 Nov 2018 18:11:49 +0000 Subject: [PATCH 001/108] Abstracting TLS; let's start with context only. Change data types in context.h and fix up context.c. Do minimal fixups to stub.c. --- src/Makefile.in | 273 ++++++++++++++------------------- src/context.c | 202 ++++--------------------- src/context.h | 7 +- src/openssl/tls.c | 375 ++++++++++++++++++++++++++++++++++++++++++++++ src/openssl/tls.h | 84 +++++++++++ src/stub.c | 83 +++++----- 6 files changed, 639 insertions(+), 385 deletions(-) create mode 100644 src/openssl/tls.c create mode 100644 src/openssl/tls.h diff --git a/src/Makefile.in b/src/Makefile.in index 1059afca..de5f3e26 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -56,7 +56,7 @@ stubbysrcdir = $(srcdir)/../stubby LIBTOOL = ../libtool CC=@CC@ -CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS) +CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/openssl -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS) WPEDANTICFLAG=@WPEDANTICFLAG@ WNOERRORFLAG=@WNOERRORFLAG@ LDFLAGS=@LDFLAGS@ @LIBS@ @@ -94,6 +94,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo) UTIL_OBJ=rbtree.lo val_secalgo.lo lruhash.lo lookup3.lo locks.lo JSMN_OBJ=jsmn.lo +TLS_OBJ=tls.lo YXML_OBJ=yxml.lo YAML_OBJ=convert_yaml_to_json.lo @@ -133,6 +134,9 @@ $(UTIL_OBJ): $(JSMN_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -DJSMN_GETDNS -c $(srcdir)/jsmn/$(@:.lo=.c) -o $@ +$(TLS_OBJ): + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/openssl/$(@:.lo=.c) -o $@ + $(YAML_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@ 
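Review bot: The new `-I$(srcdir)/openssl` in `CFLAGS` sits beside the existing `-I$(srcdir)`, so any header later added under `src/openssl/` whose name matches an OpenSSL header (`ssl.h`, `x509.h`, …) would be found by `#include <openssl/…>` before the system copy; today the directory holds only `tls.c`/`tls.h`, but naming it after the library makes that shadowing easy to introduce without noticing. Naming the directory after the abstraction rather than the library, or documenting the hazard next to the flag (`# NOTE: src/openssl must never contain a header named like an OpenSSL one`), avoids it. The directory name is also repeated in the `$(TLS_OBJ)` recipe at -133 and in the `depend` target at -271; a single variable (say `TLS_SRCDIR`) used in all three places would keep them in step when a second backend arrives.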
@@ -194,8 +198,8 @@ libgetdns_ext_uv.la: libgetdns.la libuv.lo libgetdns_ext_ev.la: libgetdns.la libev.lo $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libev.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEV_LDFLAGS) $(EXTENSION_LIBEV_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libev.symbols -libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) - $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols +libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) + $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols test: default cd test && $(MAKE) $@ 
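Review bot: The prerequisite list and the object list on the link line of `libgetdns.la` are the same string repeated twice, and `$(TLS_OBJ)` had to be inserted into both; since the two are in the same order, the recipe could read `$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $^ $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols`, provided no object appears twice (which `$^` would collapse). This is a style point only; the added `$(TLS_OBJ)` entries are consistent with how `$(JSMN_OBJ)` and `$(YXML_OBJ)` are handled.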
@@ -271,13 +275,14 @@ Makefile: $(srcdir)/Makefile.in ../config.status depend: (cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new ) - (blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \ + (blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \ sed -e "s? $$blddir/? ?g" \ -e 's? gldns/? $$(srcdir)/gldns/?g' \ -e 's? compat/? $$(srcdir)/compat/?g' \ -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \ -e 's? util/? $$(srcdir)/util/?g' \ -e 's? jsmn/? $$(srcdir)/jsmn/?g' \ + -e 's? openssl/? $$(srcdir)/openssl/?g' \ -e 's? yxml/? $$(srcdir)/yxml/?g' \ -e 's? ssl_dane/? $$(srcdir)/ssl_dane/?g' \ -e 's? extension/? $$(srcdir)/extension/?g' \ 
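Review bot: The modified `gcc -MM` line in `depend` still hard-codes `gcc` while every other recipe in this file goes through `$(CC)`; `$(CC) -MM` keeps dependency regeneration working with the configured compiler (clang accepts the same flags). Adding `-Iopenssl` here mirrors the CFLAGS change and carries the same caveat for any future `src/openssl/<name>.h` that matches an OpenSSL header name. The added sed rule `-e 's? openssl/? $$(srcdir)/openssl/?g'` is placed after the `util/` rules, so it cannot rewrite the `util/auxiliary/…` paths; the rest of the `depend` recipe continues past this hunk.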
@@ -299,137 +304,104 @@ depend: FORCE: # Dependencies for gldns, utils, the extensions and compat functions -anchor.lo anchor.o: $(srcdir)/anchor.c \ - config.h \ +anchor.lo anchor.o: $(srcdir)/anchor.c config.h \ $(srcdir)/debug.h $(srcdir)/anchor.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h const-info.lo const-info.o: $(srcdir)/const-info.c \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/const-info.h -context.lo context.o: $(srcdir)/context.c \ - config.h \ - $(srcdir)/anchor.h \ - getdns/getdns.h \ +context.lo context.o: $(srcdir)/context.c config.h \ + $(srcdir)/anchor.h getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h 
$(srcdir)/context.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h -convert.lo convert.o: $(srcdir)/convert.c \ - config.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h \ + $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \ + $(srcdir)/const-info.h +convert.lo convert.o: $(srcdir)/convert.c config.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ - $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \ - $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h -dict.lo dict.o: $(srcdir)/dict.c \ - config.h \ + $(srcdir)/extension/poll_eventloop.h 
$(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ + $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h \ + $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h $(srcdir)/debug.h +dict.lo dict.o: $(srcdir)/dict.c config.h \ $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/parseutil.h -dnssec.lo dnssec.o: $(srcdir)/dnssec.c \ - config.h \ - $(srcdir)/debug.h \ - getdns/getdns.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h +dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ + $(srcdir)/debug.h getdns/getdns.h \ $(srcdir)/context.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h 
$(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h \ - $(srcdir)/util/orig-headers/val_secalgo.h -general.lo general.o: $(srcdir)/general.c \ - config.h \ - $(srcdir)/general.h \ - getdns/getdns.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \ + $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h +general.lo general.o: $(srcdir)/general.c config.h \ + $(srcdir)/general.h getdns/getdns.h \ $(srcdir)/types-internal.h \ getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - 
$(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h \ - $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/platform.h + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \ - config.h \ - $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/list.h $(srcdir)/dict.h -mdns.lo mdns.o: $(srcdir)/mdns.c \ - config.h \ + config.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/list.h $(srcdir)/dict.h +mdns.lo mdns.o: $(srcdir)/mdns.c config.h \ $(srcdir)/debug.h $(srcdir)/context.h \ getdns/getdns.h \ getdns/getdns_extra.h \ 
$(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h \ - $(srcdir)/platform.h $(srcdir)/mdns.h $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/lookup3.h \ - $(srcdir)/util/orig-headers/lookup3.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \ config.h pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \ - config.h \ - $(srcdir)/debug.h \ - getdns/getdns.h \ - $(srcdir)/context.h \ + config.h $(srcdir)/debug.h \ + getdns/getdns.h $(srcdir)/context.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h + $(srcdir)/types-internal.h 
$(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h request-internal.lo request-internal.o: $(srcdir)/request-internal.c \ - config.h \ - $(srcdir)/types-internal.h \ + config.h $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ config.h \ getdns/getdns.h \ 
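Review bot: The regenerated dependency lists drop `$(srcdir)/ssl_dane/danessl.h` from `context.lo` (and from `stub.lo` in the hunk starting at -464), yet context.c still includes `ssl_dane/danessl.h` under `#ifdef USE_DANESSL` (visible as context in the context.c hunk at -94); in a DANE-enabled build, editing danessl.h will no longer rebuild those objects. `ub_loop.lo` likewise shrinks to `config.h` alone, which suggests the `depend` run used a config.h without those features enabled rather than that the includes went away, so the intended part of this hunk is presumably only the `$(srcdir)/openssl/tls.h` additions and the lruhash/locks/log removals that follow the context.h change. Regenerating with the fullest configuration, or re-adding the conditional headers by hand, keeps the lists conservative; a stale list only makes incremental rebuilds miss, it does not change the shipped library.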
@@ -437,26 +409,20 @@ rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \ - $(srcdir)/dict.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \ + $(srcdir)/openssl/tls.h $(srcdir)/dict.h rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ config.h \ getdns/getdns.h \ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h -server.lo server.o: $(srcdir)/server.c \ - config.h \ +server.lo server.o: $(srcdir)/server.c config.h \ getdns/getdns_extra.h \ - getdns/getdns.h \ - $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + getdns/getdns.h $(srcdir)/context.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/platform.h -stub.lo stub.o: $(srcdir)/stub.c \ - config.h \ + $(srcdir)/types-internal.h 
$(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h +stub.lo stub.o: $(srcdir)/stub.c config.h \ $(srcdir)/debug.h $(srcdir)/stub.h \ getdns/getdns.h \ $(srcdir)/types-internal.h \ 
@@ -464,61 +430,48 @@ stub.lo stub.o: $(srcdir)/stub.c \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \ $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h \ - $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/anchor.h \ - $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h -sync.lo sync.o: $(srcdir)/sync.c \ - getdns/getdns.h \ - config.h \ - $(srcdir)/context.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \ + $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h +sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \ + config.h $(srcdir)/context.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h 
$(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \ - config.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h + config.h util-internal.lo util-internal.o: $(srcdir)/util-internal.c \ config.h \ - getdns/getdns.h \ - $(srcdir)/dict.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ - getdns/getdns_extra.h \ - $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ - $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h + getdns/getdns.h $(srcdir)/dict.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ + getdns/getdns_extra.h $(srcdir)/list.h \ + $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ + $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h 
gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ - config.h \ - $(srcdir)/gldns/gbuffer.h + config.h $(srcdir)/gldns/gbuffer.h keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ - config.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/rrdef.h + config.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/gldns/rrdef.h parse.lo parse.o: $(srcdir)/gldns/parse.c \ - config.h \ - $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h + config.h $(srcdir)/gldns/parse.h \ + $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \ - config.h \ - $(srcdir)/gldns/parseutil.h + config.h $(srcdir)/gldns/parseutil.h rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \ - config.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h + config.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/parseutil.h str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \ - config.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h + config.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \ + $(srcdir)/gldns/parseutil.h wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \ - config.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h + config.h $(srcdir)/gldns/wire2str.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \ config.h arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \ 
@@ -547,8 +500,7 @@ strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \ config.h strptime.lo strptime.o: $(srcdir)/compat/strptime.c \ config.h -locks.lo locks.o: $(srcdir)/util/locks.c \ - config.h \ +locks.lo locks.o: $(srcdir)/util/locks.c config.h \ $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \ config.h \ @@ -560,10 +512,10 @@ lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \ $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ - config.h \ - $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \ - $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h + config.h $(srcdir)/util/auxiliary/log.h \ + $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \ + $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \ config.h \ $(srcdir)/util/auxiliary/util/data/packed_rrset.h \ 
@@ -573,40 +525,37 @@ val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \ $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h +tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \ + $(srcdir)/openssl/tls.h getdns/getdns.h yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h danessl.lo danessl.o: $(srcdir)/ssl_dane/danessl.c $(srcdir)/ssl_dane/danessl.h libev.lo libev.o: $(srcdir)/extension/libev.c \ - config.h \ - $(srcdir)/types-internal.h \ + config.h $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h libevent.lo libevent.o: $(srcdir)/extension/libevent.c \ - config.h \ - $(srcdir)/types-internal.h \ + config.h $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h libuv.lo libuv.o: $(srcdir)/extension/libuv.c \ - config.h \ - $(srcdir)/debug.h $(srcdir)/types-internal.h \ + config.h $(srcdir)/debug.h \ + $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \ - config.h \ - $(srcdir)/util-internal.h $(srcdir)/context.h \ - getdns/getdns.h \ + config.h $(srcdir)/util-internal.h \ + $(srcdir)/context.h getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h 
$(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/platform.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/platform.h $(srcdir)/debug.h select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \ - config.h \ - $(srcdir)/debug.h $(srcdir)/types-internal.h \ + config.h $(srcdir)/debug.h \ + $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \ diff --git a/src/context.c b/src/context.c index 56d827ee..c0f4f8e1 100644 --- a/src/context.c +++ b/src/context.c @@ -47,20 +47,12 @@ #include typedef unsigned short in_port_t; -#include -#include -#include - #include #include #include #include #endif -#include -#include -#include - #include #include #include @@ -94,6 +86,7 @@ typedef unsigned short in_port_t; # include "ssl_dane/danessl.h" #endif #include "const-info.h" +#include "tls.h" #define GETDNS_PORT_ZERO 0 #define GETDNS_PORT_DNS 53 
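Review bot: `#include "tls.h"` in context.c (hunk at -94) resolves only through the new `-I$(srcdir)/openssl` flag, and `tls.h` is generic enough that a same-named header earlier on the include path would be picked up instead; if the intent is to select the backend purely via `-I`, that is deliberate, but a comment on the include saying so (`/* backend header, found via -I$(srcdir)/<backend> */`) would spare the next reader the search, and contrasts with the explicit `"ssl_dane/danessl.h"` path two lines above. The three `#include` lines removed in the -47 hunk have lost their file names in this rendering, so whether anything left in context.c still needs them cannot be checked here. The new `tls.lo tls.o:` line at -573 lists only `config.h`, `tls.h` and `getdns/getdns.h`, which is consistent with `gcc -MM` omitting system headers.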
@@ -182,98 +175,6 @@ _getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s) } } -#ifdef USE_WINSOCK -/* For windows, the CA trust store is not read by openssl. - Add code to open the trust store using wincrypt API and add - the root certs into openssl trust store */ -static int -add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) -{ - HCERTSTORE hSystemStore; - PCCERT_CONTEXT pTargetCert = NULL; - - DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "Adding Windows certificates from system root store to CA store"); - - /* load just once per context lifetime for this version of getdns - TODO: dynamically update CA trust changes as they are available */ - if (!tls_ctx) - return 0; - - /* Call wincrypt's CertOpenStore to open the CA root store. */ - - if ((hSystemStore = CertOpenStore( - CERT_STORE_PROV_SYSTEM, - 0, - 0, - /* NOTE: mingw does not have this const: replace with 1 << 16 from code - CERT_SYSTEM_STORE_CURRENT_USER, */ - 1 << 16, - L"root")) == 0) - { - return 0; - } - - X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx); - if (!store) - return 0; - - /* failure if the CA store is empty or the call fails */ - if ((pTargetCert = CertEnumCertificatesInStore( - hSystemStore, pTargetCert)) == 0) { - DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "CA certificate store for Windows is empty."); - return 0; - } - /* iterate over the windows cert store and add to openssl store */ - do - { - X509 *cert1 = d2i_X509(NULL, - (const unsigned char **)&pTargetCert->pbCertEncoded, - pTargetCert->cbCertEncoded); - if (!cert1) { - /* return error if a cert fails */ - DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "Unable to parse certificate in memory", - ERR_get_error(), ERR_error_string(ERR_get_error(), NULL)); - return 0; - } - else { - /* return error if a cert add to store fails */ - if (X509_STORE_add_cert(store, cert1) == 0) { - unsigned long error = ERR_peek_last_error(); - - /* Ignore error 
X509_R_CERT_ALREADY_IN_HASH_TABLE which means the - * certificate is already in the store. */ - if(ERR_GET_LIB(error) != ERR_LIB_X509 || - ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { - DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "Error adding certificate", ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); - X509_free(cert1); - return 0; - } - } - X509_free(cert1); - } - } while ((pTargetCert = CertEnumCertificatesInStore( - hSystemStore, pTargetCert)) != 0); - - /* Clean up memory and quit. */ - if (pTargetCert) - CertFreeCertificateContext(pTargetCert); - if (hSystemStore) - { - if (!CertCloseStore( - hSystemStore, 0)) - return 0; - } - DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "Completed adding Windows certificates to CA store successfully"); - return 1; -} -#endif - static uint8_t* upstream_addr(getdns_upstream *upstream) { @@ -755,17 +656,17 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams) } } if (upstream->tls_session != NULL) - SSL_SESSION_free(upstream->tls_session); + _getdns_tls_session_free(upstream->tls_session); if (upstream->tls_obj != NULL) { - SSL_shutdown(upstream->tls_obj); + _getdns_tls_connection_shutdown(upstream->tls_obj); #ifdef USE_DANESSL # if defined(STUB_DEBUG) && STUB_DEBUG _stub_debug_print_openssl_errors(); # endif - DANESSL_cleanup(upstream->tls_obj); + DANESSL_cleanup(upstream->tls_obj->ssl); #endif - SSL_free(upstream->tls_obj); + _getdns_tls_connection_free(upstream->tls_obj); } if (upstream->fd != -1) { 
@@ -877,14 +778,14 @@ _getdns_upstream_reset(getdns_upstream *upstream) upstream->loop, &upstream->event); } if (upstream->tls_obj != NULL) { - SSL_shutdown(upstream->tls_obj); + _getdns_tls_connection_shutdown(upstream->tls_obj); #ifdef USE_DANESSL # if defined(STUB_DEBUG) && STUB_DEBUG _stub_debug_print_openssl_errors(); # endif - DANESSL_cleanup(upstream->tls_obj); + DANESSL_cleanup(upstream->tls_obj->ssl); #endif - SSL_free(upstream->tls_obj); + _getdns_tls_connection_free(upstream->tls_obj); upstream->tls_obj = NULL; } if (upstream->fd != -1) { @@ -1689,18 +1590,7 @@ getdns_context_create_with_extended_memory_functions( #endif /* Only initialise SSL once and ideally in a thread-safe manner */ if (ssl_init == false) { -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) - OpenSSL_add_all_algorithms(); - SSL_library_init(); -# ifdef USE_DANESSL - (void) DANESSL_library_init(); -# endif -#else - OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS - | OPENSSL_INIT_ADD_ALL_DIGESTS - | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); - (void)OPENSSL_init_ssl(0, NULL); -#endif + _getdns_tls_init(); ssl_init = true; } #ifdef HAVE_PTHREAD @@ -1826,7 +1716,7 @@ getdns_context_destroy(struct getdns_context *context) GETDNS_FREE(context->my_mf, context->dns_transports); if (context->tls_ctx) - SSL_CTX_free(context->tls_ctx); + _getdns_tls_context_free(context->tls_ctx); getdns_list_destroy(context->dns_root_servers); @@ -3121,7 +3011,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, (void) getdns_dict_get_bindata( dict, "tls_curves_list", &tls_curves_list); if (tls_curves_list) { -#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST +#if HAVE_TLS_CONN_CURVES_LIST upstream->tls_curves_list = _getdns_strdup2(&upstreams->mf , tls_curves_list); 
@@ -3168,7 +3058,7 @@ invalid_parameter: error: _getdns_upstreams_dereference(upstreams); return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; -#if !defined(HAVE_DECL_SSL_SET1_CURVES_LIST) || !HAVE_DECL_SSL_SET1_CURVES_LIST +#if !HAVE_TLS_CONN_CURVES_LIST not_implemented: _getdns_upstreams_dereference(upstreams); return GETDNS_RETURN_NOT_IMPLEMENTED; 
@@ -3690,46 +3580,31 @@ _getdns_context_prepare_for_resolution(getdns_context *context) if (context->tls_ctx == NULL) { #ifdef HAVE_TLS_v1_2 - /* Create client context, use TLS v1.2 only for now */ -# ifdef HAVE_TLS_CLIENT_METHOD - context->tls_ctx = SSL_CTX_new(TLS_client_method()); -# else - context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method()); -# endif - if(context->tls_ctx == NULL) + context->tls_ctx = _getdns_tls_context_new(); + if (context->tls_ctx == NULL) return GETDNS_RETURN_BAD_CONTEXT; -# ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION - if (!SSL_CTX_set_min_proto_version( - context->tls_ctx, TLS1_2_VERSION)) { - SSL_CTX_free(context->tls_ctx); + r = _getdns_tls_context_set_min_proto_1_2(context->tls_ctx); + if (r && r != GETDNS_RETURN_NOT_IMPLEMENTED) { + _getdns_tls_context_free(context->tls_ctx); context->tls_ctx = NULL; return GETDNS_RETURN_BAD_CONTEXT; } -# endif /* Be strict and only use the cipher suites recommended in RFC7525 Unless we later fallback to opportunistic. */ - if (!SSL_CTX_set_cipher_list(context->tls_ctx, + if (_getdns_tls_context_set_cipher_list(context->tls_ctx, context->tls_cipher_list ? 
context->tls_cipher_list : _getdns_default_tls_cipher_list)) return GETDNS_RETURN_BAD_CONTEXT; -# if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST if (context->tls_curves_list && - !SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list)) + _getdns_tls_context_set_curves_list(context->tls_ctx, context->tls_curves_list)) return GETDNS_RETURN_BAD_CONTEXT; -# endif + + /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/ - if ((context->tls_ca_file || context->tls_ca_path) && - SSL_CTX_load_verify_locations(context->tls_ctx - , context->tls_ca_file, context->tls_ca_path)) - ; /* pass */ -# ifndef USE_WINSOCK - else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { -# else - else if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { -# endif /* USE_WINSOCK */ + if (!_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path)) { if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) return GETDNS_RETURN_BAD_CONTEXT; } @@ -3739,7 +3614,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context) # else (void) # endif - SSL_CTX_dane_enable(context->tls_ctx); + SSL_CTX_dane_enable(context->tls_ctx->ssl); DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); # elif defined(USE_DANESSL) @@ -3748,7 +3623,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context) # else (void) # endif - DANESSL_CTX_init(context->tls_ctx); + DANESSL_CTX_init(context->tls_ctx->ssl); DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); # endif 
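Review bot: The `!` in `if (!_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path))` inverts the check: the new helper returns `GETDNS_RETURN_GOOD` on success and `GETDNS_RETURN_GENERIC_ERROR` when neither the configured locations nor the defaults load, and the same hunk's `r && r != GETDNS_RETURN_NOT_IMPLEMENTED` test and the cipher-list check already rely on `GETDNS_RETURN_GOOD` being 0, whereas the `SSL_CTX_*` calls it replaced returned 1 on success. As written, with `tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED` a successful CA load fails the context with `GETDNS_RETURN_BAD_CONTEXT` and a failed load passes silently, leaving strict authentication without a trust store. The line should read `if (_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path) != GETDNS_RETURN_GOOD) {`. Note also that the cipher-list and curves-list failure paths return while `context->tls_ctx` stays allocated, unlike the min-proto path that frees and clears it, so a later call skips reconfiguration; that was already so before this change. `r` is presumably declared earlier in `_getdns_context_prepare_for_resolution`, which starts and ends outside the hunk.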
@@ -4159,32 +4034,7 @@ getdns_context_get_api_information(getdns_context* context) && ! getdns_dict_util_set_string( result, "default_hosts_location", GETDNS_FN_HOSTS) - && ! getdns_dict_set_int( - result, "openssl_build_version_number", OPENSSL_VERSION_NUMBER) - -#ifdef HAVE_OPENSSL_VERSION_NUM - && ! getdns_dict_set_int( - result, "openssl_version_number", OpenSSL_version_num()) -#endif -#ifdef HAVE_OPENSSL_VERSION - && ! getdns_dict_util_set_string( - result, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION)) - - && ! getdns_dict_util_set_string( - result, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS)) - - && ! getdns_dict_util_set_string( - result, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON)) - - && ! getdns_dict_util_set_string( - result, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM)) - - && ! getdns_dict_util_set_string( - result, "openssl_dir", OpenSSL_version(OPENSSL_DIR)) - - && ! getdns_dict_util_set_string( - result, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR)) -#endif + && ! _getdns_tls_get_api_information(result) && ! getdns_dict_set_int( result, "resolution_type", context->resolution_type) @@ -5497,7 +5347,7 @@ getdns_context_set_tls_curves_list( { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; -#if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST +#if HAVE_TLS_CTX_CURVES_LIST if (context->tls_curves_list) GETDNS_FREE(context->mf, context->tls_curves_list); context->tls_curves_list = tls_curves_list diff --git a/src/context.h b/src/context.h index 27dd2bee..61e7fc5d 100644 --- a/src/context.h +++ b/src/context.h @@ -50,6 +50,7 @@ #endif #include "rr-iter.h" #include "anchor.h" +#include "tls.h" struct getdns_dns_req; struct ub_ctx; 
@@ -201,8 +202,8 @@ typedef struct getdns_upstream { _getdns_rbtree_t netreq_by_query_id; /* TLS specific connection handling*/ - SSL* tls_obj; - SSL_SESSION* tls_session; + _getdns_tls_connection* tls_obj; + _getdns_tls_session* tls_session; getdns_tls_hs_state_t tls_hs_state; getdns_auth_state_t tls_auth_state; unsigned tls_fallback_ok : 1; @@ -371,7 +372,7 @@ struct getdns_context { int edns_maximum_udp_payload_size; /* -1 is unset */ uint8_t edns_client_subnet_private; uint16_t tls_query_padding_blocksize; - SSL_CTX* tls_ctx; + _getdns_tls_context* tls_ctx; getdns_update_callback update_callback; getdns_update_callback2 update_callback2; diff --git a/src/openssl/tls.c b/src/openssl/tls.c new file mode 100644 index 00000000..f6a663a6 --- /dev/null +++ b/src/openssl/tls.c 
@@ -0,0 +1,375 @@ +/** + * + * \file tls.c + * @brief getdns TLS functions + */ + +/* + * Copyright (c) 2018, NLnet Labs + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include +#include +#include +#include + +#include +#include + +#include "tls.h" + +#ifdef USE_DANESSL +# include "ssl_dane/danessl.h" +#endif + +#ifdef USE_WINSOCK +/* For windows, the CA trust store is not read by openssl. 
+ Add code to open the trust store using wincrypt API and add + the root certs into openssl trust store */ +static int +add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) +{ + HCERTSTORE hSystemStore; + PCCERT_CONTEXT pTargetCert = NULL; + + DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "Adding Windows certificates from system root store to CA store"); + + /* load just once per context lifetime for this version of getdns + TODO: dynamically update CA trust changes as they are available */ + if (!tls_ctx) + return 0; + + /* Call wincrypt's CertOpenStore to open the CA root store. */ + + if ((hSystemStore = CertOpenStore( + CERT_STORE_PROV_SYSTEM, + 0, + 0, + /* NOTE: mingw does not have this const: replace with 1 << 16 from code + CERT_SYSTEM_STORE_CURRENT_USER, */ + 1 << 16, + L"root")) == 0) + { + return 0; + } + + X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx); + if (!store) + return 0; + + /* failure if the CA store is empty or the call fails */ + if ((pTargetCert = CertEnumCertificatesInStore( + hSystemStore, pTargetCert)) == 0) { + DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "CA certificate store for Windows is empty."); + return 0; + } + /* iterate over the windows cert store and add to openssl store */ + do + { + X509 *cert1 = d2i_X509(NULL, + (const unsigned char **)&pTargetCert->pbCertEncoded, + pTargetCert->cbCertEncoded); + if (!cert1) { + /* return error if a cert fails */ + DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "Unable to parse certificate in memory", + ERR_get_error(), ERR_error_string(ERR_get_error(), NULL)); + return 0; + } + else { + /* return error if a cert add to store fails */ + if (X509_STORE_add_cert(store, cert1) == 0) { + unsigned long error = ERR_peek_last_error(); + + /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the + * certificate is already in the store. 
*/ + if(ERR_GET_LIB(error) != ERR_LIB_X509 || + ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { + DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "Error adding certificate", ERR_get_error(), + ERR_error_string(ERR_get_error(), NULL)); + X509_free(cert1); + return 0; + } + } + X509_free(cert1); + } + } while ((pTargetCert = CertEnumCertificatesInStore( + hSystemStore, pTargetCert)) != 0); + + /* Clean up memory and quit. */ + if (pTargetCert) + CertFreeCertificateContext(pTargetCert); + if (hSystemStore) + { + if (!CertCloseStore( + hSystemStore, 0)) + return 0; + } + DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "Completed adding Windows certificates to CA store successfully"); + return 1; +} +#endif + +void _getdns_tls_init() +{ +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) + OpenSSL_add_all_algorithms(); + SSL_library_init(); + +# ifdef USE_DANESSL + (void) DANESSL_library_init(); +# endif +#else + OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS + | OPENSSL_INIT_ADD_ALL_DIGESTS + | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + (void)OPENSSL_init_ssl(0, NULL); +#endif +} + +_getdns_tls_context* _getdns_tls_context_new() +{ + _getdns_tls_context* res; + + if (!(res = malloc(sizeof(struct _getdns_tls_context)))) + return NULL; + + /* Create client context, use TLS v1.2 only for now */ +# ifdef HAVE_TLS_CLIENT_METHOD + res->ssl = SSL_CTX_new(TLS_client_method()); +# else + res->ssl = SSL_CTX_new(TLSv1_2_client_method()); +# endif + if(res->ssl == NULL) { + free(res); + return NULL; + } + return res; +} + +getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx) +{ + if (!ctx || !ctx->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + SSL_CTX_free(ctx->ssl); + free(ctx); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx) +{ +#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION + if (!ctx || !ctx->ssl) + return 
GETDNS_RETURN_INVALID_PARAMETER; + if (!SSL_CTX_set_min_proto_version(ctx->ssl, TLS1_2_VERSION)) + return GETDNS_RETURN_BAD_CONTEXT; + return GETDNS_RETURN_GOOD; +#else + (void) ctx; + return GETDNS_RETURN_NOT_IMPLEMENTED; +#endif +} + +getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list) +{ + if (!ctx || !ctx->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + if (!SSL_CTX_set_cipher_list(ctx->ssl, list)) + return GETDNS_RETURN_BAD_CONTEXT; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list) +{ + if (!ctx || !ctx->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; +#if HAVE_TLS_CTX_CURVES_LIST + if (list && + !SSL_CTX_set1_curves_list(ctx->ssl, list)) + return GETDNS_RETURN_BAD_CONTEXT; +#else + (void) list; +#endif + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path) +{ + if (!ctx || !ctx->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + if ((file || path) && + SSL_CTX_load_verify_locations(ctx->ssl, file, path)) + return GETDNS_RETURN_GOOD; /* pass */ +#ifndef USE_WINSOCK + else if (SSL_CTX_set_default_verify_paths(ctx->ssl)) + return GETDNS_RETURN_GOOD; +#else + else if (add_WIN_cacerts_to_openssl_store(ctx->ssl)) + return GETDNS_RETURN_GOOD; +#endif /* USE_WINSOCK */ + return GETDNS_RETURN_GENERIC_ERROR; +} + +_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd) +{ + _getdns_tls_connection* res; + + if (!ctx || !ctx->ssl) + return NULL; + + if (!(res = malloc(sizeof(struct _getdns_tls_connection)))) + return NULL; + + res->ssl = SSL_new(ctx->ssl); + if (!res->ssl) { + free(res); + return NULL; + } + + if (!SSL_set_fd(res->ssl, fd)) { + SSL_free(res->ssl); + free(res); + return NULL; + } + + return res; +} + +getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* conn) +{ + if (!conn || !conn->ssl) + return 
GETDNS_RETURN_INVALID_PARAMETER; + SSL_free(conn->ssl); + free(conn); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn) +{ + if (!conn || !conn->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + + switch(SSL_shutdown(conn->ssl)) + { + case 0: return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; + case 1: return GETDNS_RETURN_GOOD; + default: return GETDNS_RETURN_GENERIC_ERROR; + } +} + +getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list) +{ + if (!conn || !conn->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + if (!SSL_set_cipher_list(conn->ssl, list)) + return GETDNS_RETURN_BAD_CONTEXT; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list) +{ + if (!conn || !conn->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; +#if HAVE_TLS_CONN_CURVES_LIST + if (list && + !SSL_set1_curves_list(conn->ssl, list)) + return GETDNS_RETURN_BAD_CONTEXT; +#else + (void) list; +#endif + return GETDNS_RETURN_GOOD; +} + +_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn) +{ + _getdns_tls_session* res; + + if (!conn || !conn->ssl) + return NULL; + + if (!(res = malloc(sizeof(struct _getdns_tls_session)))) + return NULL; + + res->ssl = SSL_get1_session(conn->ssl); + if (!res->ssl) { + free(res); + return NULL; + } + + return res; +} + +getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s) +{ + if (!s || !s->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + SSL_SESSION_free(s->ssl); + free(s); + return GETDNS_RETURN_GOOD; +} + + + +getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict) +{ + if (! getdns_dict_set_int( + dict, "openssl_build_version_number", OPENSSL_VERSION_NUMBER) + +#ifdef HAVE_OPENSSL_VERSION_NUM + && ! getdns_dict_set_int( + dict, "openssl_version_number", OpenSSL_version_num()) +#endif +#ifdef HAVE_OPENSSL_VERSION + && ! 
getdns_dict_util_set_string( + dict, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION)) + + && ! getdns_dict_util_set_string( + dict, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS)) + + && ! getdns_dict_util_set_string( + dict, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON)) + + && ! getdns_dict_util_set_string( + dict, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM)) + + && ! getdns_dict_util_set_string( + dict, "openssl_dir", OpenSSL_version(OPENSSL_DIR)) + + && ! getdns_dict_util_set_string( + dict, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR)) +#endif + ) + return GETDNS_RETURN_GOOD; + return GETDNS_RETURN_GENERIC_ERROR; +} + +/* tls.c */ diff --git a/src/openssl/tls.h b/src/openssl/tls.h new file mode 100644 index 00000000..f86aa465 --- /dev/null +++ b/src/openssl/tls.h 
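Review bot: `_getdns_tls_context_set_min_proto_1_2` should document that its `#else` branch enforces nothing: on a build with `HAVE_TLS_CLIENT_METHOD` but without `SSL_CTX_set_min_proto_version`, the context `_getdns_tls_context_new` creates from `TLS_client_method()` keeps whatever floor the library defaults to, and the context.c caller treats `GETDNS_RETURN_NOT_IMPLEMENTED` as success; a comment such as `/* Without SSL_CTX_set_min_proto_version no floor is applied; a TLS_client_method() context may then negotiate below 1.2. */` makes that visible to the next reader. In `_getdns_tls_connection_shutdown`, `SSL_shutdown()` returning 0 means our close_notify was sent but the peer's has not been read yet, the normal outcome of a single call, so mapping it to `GETDNS_RETURN_CONTEXT_UPDATE_FAIL` is misleading, and both context.c callers discard the return value anyway; a comment or a distinct code would help. `add_WIN_cacerts_to_openssl_store` uses `DEBUG_STUB`, `STUB_DEBUG_SETUP_TLS` and `__FUNC__`, but the new `tls.lo` dependency line in Makefile.in lists only config.h, tls.h and getdns.h, so unless one of the stripped `#include` lines pulls in debug.h the `USE_WINSOCK` build presumably fails to compile. The wrappers also allocate with bare `malloc`/`free` while the rest of the library routes allocations through its mem_funcs (see `_getdns_strdup2(&upstreams->mf, …)` in the context.c hunks), which is worth either aligning or noting as deliberate.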
@@ -0,0 +1,84 @@ +/** + * + * \file tls.h + * @brief getdns TLS functions + */ + +/* + * Copyright (c) 2018, NLnet Labs + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#ifndef _GETDNS_TLS_H
+#define _GETDNS_TLS_H
+
+#include "getdns/getdns.h"
+
+#ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+#define HAVE_TLS_CTX_CURVES_LIST 0
+#else
+#define HAVE_TLS_CTX_CURVES_LIST (HAVE_DECL_SSL_CTX_SET1_CURVES_LIST)
+#endif
+#ifndef HAVE_DECL_SSL_SET1_CURVES_LIST
+#define HAVE_TLS_CONN_CURVES_LIST 0
+#else
+#define HAVE_TLS_CONN_CURVES_LIST (HAVE_DECL_SSL_SET1_CURVES_LIST)
+#endif
+
+typedef struct _getdns_tls_context {
+ SSL_CTX* ssl;
+} _getdns_tls_context;
+
+typedef struct _getdns_tls_connection {
+ SSL* ssl;
+} _getdns_tls_connection;
+
+typedef struct _getdns_tls_session {
+ SSL_SESSION* ssl;
+} _getdns_tls_session;
+
+void _getdns_tls_init();
+
+_getdns_tls_context* _getdns_tls_context_new();
+getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx);
+
+getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx);
+getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list);
+getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list);
+getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path);
+
+_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd);
+getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx);
+getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn);
+
+getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list);
+getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list);
+_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
+
+getdns_return_t _getdns_tls_session_free(_getdns_tls_session* ctx);
+
+getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
+
+#endif /* _GETDNS_TLS_H */
diff --git a/src/stub.c b/src/stub.c
index 785d9f1f..8be04fd7 100644
--- a/src/stub.c
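Review bot: `void _getdns_tls_init();` and `_getdns_tls_context* _getdns_tls_context_new();` are unprototyped declarations in C (empty parentheses mean "unspecified arguments", not "none"), so a caller passing arguments by mistake is not diagnosed; they should read `void _getdns_tls_init(void);` and `_getdns_tls_context* _getdns_tls_context_new(void);`. The header also leaves ownership undocumented, which matters for these wrappers: a comment on `_getdns_tls_connection_get_session` saying it returns a newly allocated wrapper holding a reference the caller must release with `_getdns_tls_session_free`, and one on `_getdns_tls_context_set_ca` saying it returns `GETDNS_RETURN_GOOD` only when a trust store was actually loaded, would prevent the kind of inverted check the context.c hunk contains. The parameter named `ctx` on `_getdns_tls_connection_free` and `_getdns_tls_session_free` does not match the `conn`/`s` names used in tls.c. The struct fields use `SSL_CTX`, `SSL` and `SSL_SESSION`, yet the only include visible here is getdns/getdns.h, so the header presumably depends on the includer having openssl/ssl.h in scope first; if that is intended it deserves a comment.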
+++ b/src/stub.c @@ -915,28 +915,23 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) #endif /* #else defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */ -static SSL* +static _getdns_tls_connection* tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) { - /* Create SSL instance */ + /* Create SSL instance and connect with a file descriptor */ getdns_context *context = dnsreq->context; if (context->tls_ctx == NULL) return NULL; - SSL* ssl = SSL_new(context->tls_ctx); - if(!ssl) + _getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd); + if(!tls) return NULL; - /* Connect the SSL object with a file descriptor */ - if(!SSL_set_fd(ssl,fd)) { - SSL_free(ssl); - return NULL; - } #if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST if (upstream->tls_curves_list) - (void) SSL_set1_curves_list(ssl, upstream->tls_curves_list); + _getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list); #endif /* make sure we'll be able to find the context again when we need it */ - if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) { - SSL_free(ssl); + if (_getdns_associate_upstream_with_SSL(tls->ssl, upstream) != GETDNS_RETURN_GOOD) { + _getdns_tls_connection_free(tls); return NULL; } 
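Review bot: The guard `#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST` around the new `_getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);` still tests the raw OpenSSL macro, while the context.c hunks in this same commit switched to `HAVE_TLS_CONN_CURVES_LIST`, and the wrapper already compiles to a no-op when the feature is absent, so the `#if`/`#endif` pair can go. The previous `(void)` cast on the curves call was dropped without the return value being used; either keep `(void) _getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);` or log a failure, since a per-upstream curve preference that silently does not apply is hard to notice. `_getdns_associate_upstream_with_SSL(tls->ssl, upstream)` reaches through the wrapper, which is understandable for a first step but worth a TODO if the abstraction is meant to hide the OpenSSL handle. tls_create_object continues beyond this hunk.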
@@ -950,14 +945,14 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) /*Request certificate for the auth_name*/ DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name); - SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name); + SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name); #if defined(HAVE_SSL_HN_AUTH) /* Set up native OpenSSL hostname verification * ( doesn't work with USE_DANESSL, but we verify the * name afterwards in such cases ) */ X509_VERIFY_PARAM *param; - param = SSL_get0_param(ssl); + param = SSL_get0_param(tls->ssl); X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0); #elif !defined(HAVE_X509_CHECK_HOST) @@ -968,7 +963,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) "%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n", upstream->addr_str); upstream->tls_hs_state = GETDNS_HS_FAILED; - SSL_free(ssl); + _getdns_tls_connection_free(tls); upstream->tls_auth_state = GETDNS_AUTH_FAILED; return NULL; } @@ -990,7 +985,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) "%-40s : Verify fail: *CONFIG ERROR* - No auth name or pinset provided for this upstream for Strict TLS authentication\n", upstream->addr_str); upstream->tls_hs_state = GETDNS_HS_FAILED; - SSL_free(ssl); + _getdns_tls_connection_free(tls); upstream->tls_auth_state = GETDNS_AUTH_FAILED; return NULL; } 
@@ -1002,12 +997,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) } } if (upstream->tls_fallback_ok) { - SSL_set_cipher_list(ssl, "DEFAULT"); + _getdns_tls_connection_set_cipher_list(tls, "DEFAULT"); DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n", STUB_DEBUG_SETUP_TLS, __FUNC__); } else { if (upstream->tls_cipher_list) - SSL_set_cipher_list(ssl, upstream->tls_cipher_list); + _getdns_tls_connection_set_cipher_list(tls, upstream->tls_cipher_list); DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, __FUNC__); } @@ -1018,20 +1013,20 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) # else (void) # endif - SSL_dane_enable(ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL); + SSL_dane_enable(tls->ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL); DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr); - SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); + SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); sha256_pin_t *pin_p; size_t n_pins = 0; for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) { - osr = SSL_dane_tlsa_add(ssl, 2, 1, 1, + osr = SSL_dane_tlsa_add(tls->ssl, 2, 1, 1, (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); if (osr > 0) ++n_pins; - osr = SSL_dane_tlsa_add(ssl, 3, 1, 1, + osr = SSL_dane_tlsa_add(tls->ssl, 3, 1, 1, (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); 
@@ -1047,23 +1042,23 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) # else (void) # endif - DANESSL_init(ssl, + DANESSL_init(tls->ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL, *upstream->tls_auth_name ? auth_names : NULL ); DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr); - SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); + SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); sha256_pin_t *pin_p; size_t n_pins = 0; for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) { - osr = DANESSL_add_tlsa(ssl, 3, 1, "sha256", + osr = DANESSL_add_tlsa(tls->ssl, 3, 1, "sha256", (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); if (osr > 0) ++n_pins; - osr = DANESSL_add_tlsa(ssl, 2, 1, "sha256", + osr = DANESSL_add_tlsa(tls->ssl, 2, 1, "sha256", (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); @@ -1071,14 +1066,14 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) ++n_pins; } } else { - SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); + SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); } #else - SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback); + SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback); #endif - SSL_set_connect_state(ssl); - (void) SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + SSL_set_connect_state(tls->ssl); + (void) SSL_set_mode(tls->ssl, SSL_MODE_AUTO_RETRY); /* Session resumption. There are trade-offs here. Want to do it when possible only if we have the right type of connection. Note a change 
@@ -1087,12 +1082,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) if ((upstream->tls_fallback_ok == 0 && upstream->last_tls_auth_state == GETDNS_AUTH_OK) || upstream->tls_fallback_ok == 1) { - SSL_set_session(ssl, upstream->tls_session); + SSL_set_session(tls->ssl, upstream->tls_session->ssl); DEBUG_STUB("%s %-35s: Attempting session re-use\n", STUB_DEBUG_SETUP_TLS, __FUNC__); } } - return ssl; + return tls; } static int @@ -1103,9 +1098,9 @@ tls_do_handshake(getdns_upstream *upstream) int r; int want; ERR_clear_error(); - while ((r = SSL_do_handshake(upstream->tls_obj)) != 1) + while ((r = SSL_do_handshake(upstream->tls_obj->ssl)) != 1) { - want = SSL_get_error(upstream->tls_obj, r); + want = SSL_get_error(upstream->tls_obj->ssl, r); switch (want) { case SSL_ERROR_WANT_READ: GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); @@ -1131,12 +1126,12 @@ tls_do_handshake(getdns_upstream *upstream) } } /* A re-used session is not verified so need to fix up state in that case */ - if (SSL_session_reused(upstream->tls_obj)) + if (SSL_session_reused(upstream->tls_obj->ssl)) upstream->tls_auth_state = upstream->last_tls_auth_state; else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) { - X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj); - long verify_result = SSL_get_verify_result(upstream->tls_obj); + X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl); + long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl); /* In case of DANESSL use, and a tls_auth_name was given alongside a pinset, * we need to verify auth_name explicitely (otherwise it will not be checked, 
@@ -1187,7 +1182,7 @@ tls_do_handshake(getdns_upstream *upstream) else if (verify_result == X509_V_ERR_CERT_UNTRUSTED && upstream->tls_pubkey_pinset && !DANESSL_get_match_cert( - upstream->tls_obj, NULL, NULL, NULL)) + upstream->tls_obj->ssl, NULL, NULL, NULL)) _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, ( upstream->tls_fallback_ok @@ -1245,8 +1240,8 @@ tls_do_handshake(getdns_upstream *upstream) upstream->conn_state = GETDNS_CONN_OPEN; upstream->conn_completed++; if (upstream->tls_session != NULL) - SSL_SESSION_free(upstream->tls_session); - upstream->tls_session = SSL_get1_session(upstream->tls_obj); + _getdns_tls_session_free(upstream->tls_session); + upstream->tls_session = _getdns_tls_connection_get_session(upstream->tls_obj); /* Reset timeout on success*/ GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); upstream->event.read_cb = NULL; @@ -1287,7 +1282,7 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp, ssize_t read; uint8_t *buf; size_t buf_size; - SSL* tls_obj = upstream->tls_obj; + SSL* tls_obj = upstream->tls_obj->ssl; int q = tls_connected(upstream); if (q != 0) @@ -1370,7 +1365,7 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp, ssize_t written; uint16_t query_id; intptr_t query_id_intptr; - SSL* tls_obj = upstream->tls_obj; + SSL* tls_obj = upstream->tls_obj->ssl; uint16_t padding_sz; int q = tls_connected(upstream); 
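Review bot: In the stub_tls_read and stub_tls_write hunks, `SSL* tls_obj = upstream->tls_obj->ssl;` now dereferences `upstream->tls_obj` in the declaration, before `tls_connected(upstream)` has run, whereas the old line only copied the pointer. If any path reaches these callbacks with `tls_obj == NULL` (for instance after `_getdns_upstream_reset` clears it, which I cannot confirm from this chunk), this is a NULL dereference where the previous code would have left via the `q != 0` check. Cheapest fix is to order it the other way: `int q = tls_connected(upstream); if (q != 0) return q; SSL* tls_obj = upstream->tls_obj->ssl;`. Patches 004 and 005 later in this series change the declaration to hold the wrapper pointer instead, which removes the early dereference. Both functions continue outside the hunk.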
@@ -1875,12 +1870,12 @@ upstream_write_cb(void *userarg) if (netreq->owner->return_call_reporting && netreq->upstream->tls_obj) { if (netreq->debug_tls_peer_cert.data == NULL && - (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj))) { + (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj->ssl))) { netreq->debug_tls_peer_cert.size = i2d_X509( cert, &netreq->debug_tls_peer_cert.data); X509_free(cert); } - netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj); + netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj->ssl); } /* Need this because auth status is reset on connection close */ netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state; From ffd1136e94ca82b60169a415bd19f3d0d7a3c414 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 15 Nov 2018 13:23:00 +0000 Subject: [PATCH 002/108] tls_create_object(): Move setting client state and auto-retry into connection_new and add setting connection session. --- src/openssl/tls.c | 14 ++++++++++++++ src/openssl/tls.h | 3 ++- src/stub.c | 7 ++----- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/src/openssl/tls.c b/src/openssl/tls.c index f6a663a6..c0e6338c 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -261,6 +261,11 @@ _getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int return NULL; } + /* Connection is a client. */ + SSL_set_connect_state(res->ssl); + + /* If non-application data received, retry read. */ + SSL_set_mode(res->ssl, SSL_MODE_AUTO_RETRY); return res; } 
@@ -309,6 +314,15 @@ getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* c return GETDNS_RETURN_GOOD; } +getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s) +{ + if (!conn || !conn->ssl || !s || !s->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + if (!SSL_set_session(conn->ssl, s->ssl)) + return GETDNS_RETURN_GENERIC_ERROR; + return GETDNS_RETURN_GOOD; +} + _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn) { _getdns_tls_session* res; diff --git a/src/openssl/tls.h b/src/openssl/tls.h index f86aa465..53430653 100644 --- a/src/openssl/tls.h +++ b/src/openssl/tls.h @@ -75,9 +75,10 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn); getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list); getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list); +getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s); _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn); -getdns_return_t _getdns_tls_session_free(_getdns_tls_session* ctx); +getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s); getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict); diff --git a/src/stub.c b/src/stub.c index 8be04fd7..16b49060 100644 --- a/src/stub.c +++ b/src/stub.c @@ -925,7 +925,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) _getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd); if(!tls) return NULL; -#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST +#if HAVE_TLS_CONN_CURVES_LIST if (upstream->tls_curves_list) _getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list); #endif 
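Review bot: The result of `_getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list)` is discarded, so a user-configured curve list that OpenSSL rejects silently leaves the connection on the library defaults. The old code dropped `SSL_set1_curves_list`'s result too, but the wrapper now reports failure as a getdns_return_t, so failing closed costs two lines: `if (upstream->tls_curves_list && _getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list) != GETDNS_RETURN_GOOD) { _getdns_tls_connection_free(tls); return NULL; }`. A curve restriction is a security setting, and a typo in it should surface as a setup failure rather than an unrestricted handshake. tls_create_object continues outside the hunk.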
@@ -1072,9 +1072,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback); #endif - SSL_set_connect_state(tls->ssl); - (void) SSL_set_mode(tls->ssl, SSL_MODE_AUTO_RETRY); - /* Session resumption. There are trade-offs here. Want to do it when possible only if we have the right type of connection. Note a change to the upstream auth info creates a new upstream so never re-uses.*/ @@ -1082,7 +1079,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) if ((upstream->tls_fallback_ok == 0 && upstream->last_tls_auth_state == GETDNS_AUTH_OK) || upstream->tls_fallback_ok == 1) { - SSL_set_session(tls->ssl, upstream->tls_session->ssl); + _getdns_tls_connection_set_session(tls, upstream->tls_session); DEBUG_STUB("%s %-35s: Attempting session re-use\n", STUB_DEBUG_SETUP_TLS, __FUNC__); } From e22c01e212d75c296dee28c5dc09561128d4761a Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 15 Nov 2018 14:28:04 +0000 Subject: [PATCH 003/108] tls_do_handshake: move handshake and check for new session into abstraction layer. --- src/openssl/tls.c | 38 ++++++++++++++++++++++++++++++++++++++ src/openssl/tls.h | 27 +++++++++++++++++++++++++++ src/stub.c | 15 ++++++--------- 3 files changed, 71 insertions(+), 9 deletions(-) diff --git a/src/openssl/tls.c b/src/openssl/tls.c index c0e6338c..0e0e0f93 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -33,6 +33,7 @@ #include "config.h" +#include #include #include #include 
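Review bot: `_getdns_tls_connection_set_session(tls, upstream->tls_session);` ignores its result, yet the next line logs "Attempting session re-use" unconditionally, so a failed `SSL_set_session` (which the wrapper now reports as GETDNS_RETURN_GENERIC_ERROR) is logged as a resumption attempt. Functionally this is safe, because the post-handshake reused check decides which auth state to trust, but the log misleads anyone tracing authentication state. Suggest gating the message: `if (_getdns_tls_connection_set_session(tls, upstream->tls_session) == GETDNS_RETURN_GOOD) DEBUG_STUB(...)`. The `tls_session != NULL` guard I assume encloses this block is outside the hunk.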
@@ -342,6 +343,43 @@ _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* return res; } +getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn) +{ + int r; + int err; + + if (!conn || !conn->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + + ERR_clear_error(); + r = SSL_do_handshake(conn->ssl); + if (r == 1) + return GETDNS_RETURN_GOOD; + err = SSL_get_error(conn->ssl, r); + switch(err) + { + case SSL_ERROR_WANT_READ: + return GETDNS_RETURN_TLS_WANT_READ; + + case SSL_ERROR_WANT_WRITE: + return GETDNS_RETURN_TLS_WANT_WRITE; + + default: + return GETDNS_RETURN_GENERIC_ERROR; + } +} + +getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn) +{ + if (!conn || !conn->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + + if (SSL_session_reused(conn->ssl)) + return GETDNS_RETURN_GOOD; + else + return GETDNS_RETURN_TLS_CONNECTION_FRESH; +} + getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s) { if (!s || !s->ssl) diff --git a/src/openssl/tls.h b/src/openssl/tls.h index 53430653..6dfc503d 100644 --- a/src/openssl/tls.h +++ b/src/openssl/tls.h @@ -47,6 +47,11 @@ #define HAVE_TLS_CONN_CURVES_LIST (HAVE_DECL_SSL_SET1_CURVES_LIST) #endif +/* Additional return codes required by TLS abstraction. Internal use only. */ +#define GETDNS_RETURN_TLS_WANT_READ ((getdns_return_t) 420) +#define GETDNS_RETURN_TLS_WANT_WRITE ((getdns_return_t) 421) +#define GETDNS_RETURN_TLS_CONNECTION_FRESH ((getdns_return_t) 422) + typedef struct _getdns_tls_context { SSL_CTX* ssl; } _getdns_tls_context; 
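Review bot: `_getdns_tls_connection_is_session_reused` answers a yes/no question with GETDNS_RETURN_GOOD (0) for "reused" and a non-zero code for "fresh" or "invalid", so any caller that treats the result as a C boolean reads it inverted. That answer decides whether stub.c restores a cached `last_tls_auth_state` instead of verifying the peer, so an inverted read would trust an unverified connection; the encoding should make the safe reading the natural one. Either return a plain `int` (`return conn && conn->ssl && SSL_session_reused(conn->ssl);`, so a NULL input counts as fresh and forces verification) or keep the getdns_return_t and state in the header that callers must compare against GETDNS_RETURN_GOOD explicitly. In `_getdns_tls_connection_do_handshake`, folding SSL_ERROR_SYSCALL, SSL_ERROR_SSL and SSL_ERROR_ZERO_RETURN into GETDNS_RETURN_GENERIC_ERROR throws away the only information that distinguishes a TLS failure from a peer close; a distinct code for SSL_ERROR_ZERO_RETURN would let the call site log something more useful than "handshake failed".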
@@ -78,6 +83,28 @@ getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* c getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s); _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn); +/** + * Attempt TLS handshake. + * + * @param conn the connection. + * @return GETDNS_RETURN_GOOD if handshake is complete. + * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL. + * @return GETDNS_RETURN_TLS_WANT_READ if handshake needs to read to proceed. + * @return GETDNS_RETURN_TLS_WANT_WRITE if handshake needs to write to proceed. + * @return GETDNS_RETURN_GENERIC_ERROR if handshake failed. + */ +getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn); + +/** + * See whether the connection is reusing a session. + * + * @param conn the connection. + * @return GETDNS_RETURN_GOOD if connection is being reused. + * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL. + * @return GETDNS_RETURN_TLS_CONNECTION_FRESH if connection is not being reused. + */ +getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn); + getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s); getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict); diff --git a/src/stub.c b/src/stub.c index 16b49060..3acbb2ea 100644 --- a/src/stub.c +++ b/src/stub.c 
@@ -1093,13 +1093,10 @@ tls_do_handshake(getdns_upstream *upstream) DEBUG_STUB("%s %-35s: FD: %d \n", STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd); int r; - int want; - ERR_clear_error(); - while ((r = SSL_do_handshake(upstream->tls_obj->ssl)) != 1) + while ((r = _getdns_tls_connection_do_handshake(upstream->tls_obj)) != GETDNS_RETURN_GOOD) { - want = SSL_get_error(upstream->tls_obj->ssl, r); - switch (want) { - case SSL_ERROR_WANT_READ: + switch (r) { + case GETDNS_RETURN_TLS_WANT_READ: GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); upstream->event.read_cb = upstream_read_cb; upstream->event.write_cb = NULL; @@ -1107,7 +1104,7 @@ tls_do_handshake(getdns_upstream *upstream) upstream->fd, TIMEOUT_TLS, &upstream->event); upstream->tls_hs_state = GETDNS_HS_READ; return STUB_TCP_RETRY; - case SSL_ERROR_WANT_WRITE: + case GETDNS_RETURN_TLS_WANT_WRITE: GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); upstream->event.read_cb = NULL; upstream->event.write_cb = upstream_write_cb; @@ -1123,7 +1120,7 @@ tls_do_handshake(getdns_upstream *upstream) } } /* A re-used session is not verified so need to fix up state in that case */ - if (SSL_session_reused(upstream->tls_obj->ssl)) + if (!_getdns_tls_connection_is_session_reused(upstream->tls_obj)) upstream->tls_auth_state = upstream->last_tls_auth_state; else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) { @@ -1232,7 +1229,7 @@ tls_do_handshake(getdns_upstream *upstream) DEBUG_STUB("%s %-35s: FD: %d Handshake succeeded with auth state %s. Session is %s.\n", STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, _getdns_auth_str(upstream->tls_auth_state), - SSL_session_reused(upstream->tls_obj) ?"re-used":"new"); + _getdns_tls_connection_is_session_reused(upstream->tls_obj) ? "new" : "re-used"); upstream->tls_hs_state = GETDNS_HS_DONE; upstream->conn_state = GETDNS_CONN_OPEN; upstream->conn_completed++; From e7453522d5060a07fc0f202dc8c760b28e0b7485 Mon Sep 17 00:00:00 2001 
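Review bot: `if (!_getdns_tls_connection_is_session_reused(upstream->tls_obj))` reads as "not reused" but, because GETDNS_RETURN_GOOD is 0, means "reused", and the debug line's `? "new" : "re-used"` carries the same inversion; this is the branch that restores `last_tls_auth_state` without re-verifying the peer, so its meaning should be unmistakable. Compare against the named code instead: `if (_getdns_tls_connection_is_session_reused(upstream->tls_obj) == GETDNS_RETURN_GOOD)` and `_getdns_tls_connection_is_session_reused(upstream->tls_obj) == GETDNS_RETURN_GOOD ? "re-used" : "new"`. With the explicit comparison an invalid-parameter return still falls into the verification path, which is the fail-safe direction. tls_do_handshake starts and ends outside the hunk.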
From: Jim Hague Date: Thu, 15 Nov 2018 14:50:00 +0000 Subject: [PATCH 004/108] Replace SSL_read(). --- src/openssl/tls.c | 34 ++++++++++++++++++++++++++++------ src/openssl/tls.h | 15 +++++++++++++++ src/stub.c | 41 ++++++++++++++++++++++------------------- 3 files changed, 65 insertions(+), 25 deletions(-) diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 0e0e0f93..a3267c52 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -284,8 +284,7 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn) if (!conn || !conn->ssl) return GETDNS_RETURN_INVALID_PARAMETER; - switch(SSL_shutdown(conn->ssl)) - { + switch (SSL_shutdown(conn->ssl)) { case 0: return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; case 1: return GETDNS_RETURN_GOOD; default: return GETDNS_RETURN_GENERIC_ERROR; @@ -356,8 +355,7 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn if (r == 1) return GETDNS_RETURN_GOOD; err = SSL_get_error(conn->ssl, r); - switch(err) - { + switch (err) { case SSL_ERROR_WANT_READ: return GETDNS_RETURN_TLS_WANT_READ; @@ -380,6 +378,32 @@ getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* return GETDNS_RETURN_TLS_CONNECTION_FRESH; } +getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read) +{ + int sread; + + if (!conn || !conn->ssl || !read) + return -GETDNS_RETURN_INVALID_PARAMETER; + + ERR_clear_error(); + sread = SSL_read(conn->ssl, buf, to_read); + if (sread <= 0) { + switch (SSL_get_error(conn->ssl, sread)) { + case SSL_ERROR_WANT_READ: + return GETDNS_RETURN_TLS_WANT_READ; + + case SSL_ERROR_WANT_WRITE: + return GETDNS_RETURN_TLS_WANT_WRITE; + + default: + return GETDNS_RETURN_GENERIC_ERROR; + } + } + + *read = sread; + return GETDNS_RETURN_GOOD; +} + getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s) { if (!s || !s->ssl) 
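Review bot: `return -GETDNS_RETURN_INVALID_PARAMETER;` in `_getdns_tls_connection_read` negates the return code, producing a value that is neither the GETDNS_RETURN_INVALID_PARAMETER the header documents nor what `_getdns_tls_connection_do_handshake` returns for the same condition; drop the minus: `return GETDNS_RETURN_INVALID_PARAMETER;`. Callers only get away with it because their `default:` arm treats every unrecognised value as an error. The guard should also cover `buf`, which is handed to SSL_read unchecked: `if (!conn || !conn->ssl || !buf || !read)`. `to_read` is a size_t narrowed to SSL_read's `int num`, so either clamp it or add a comment that callers only ever pass DNS-message-sized buffers.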
@@ -389,8 +413,6 @@ getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s) return GETDNS_RETURN_GOOD; } - - getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict) { if (! getdns_dict_set_int( diff --git a/src/openssl/tls.h b/src/openssl/tls.h index 6dfc503d..44a50bd2 100644 --- a/src/openssl/tls.h +++ b/src/openssl/tls.h @@ -105,6 +105,21 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn */ getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn); +/** + * Read from TLS. + * + * @param conn the connection. + * @param buf the buffer to read to. + * @param to_read the number of bytes to read. + * @param read pointer to holder for the number of bytes read. + * @return GETDNS_RETURN_GOOD if some bytes were read. + * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL. + * @return GETDNS_RETURN_TLS_WANT_READ if the read needs to be retried. + * @return GETDNS_RETURN_TLS_WANT_WRITE if handshake isn't finished. + * @return GETDNS_RETURN_GENERIC_ERROR if read failed. + */ +getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read); + getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s); getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict); diff --git a/src/stub.c b/src/stub.c index 3acbb2ea..28d2e983 100644 --- a/src/stub.c +++ b/src/stub.c @@ -1273,10 +1273,10 @@ static int stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp, struct mem_funcs *mf) { - ssize_t read; + size_t read; uint8_t *buf; size_t buf_size; - SSL* tls_obj = upstream->tls_obj->ssl; + _getdns_tls_connection* tls_obj = upstream->tls_obj; int q = tls_connected(upstream); if (q != 0) 
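Review bot: The header comment for `_getdns_tls_connection_read` says GETDNS_RETURN_TLS_WANT_WRITE means "handshake isn't finished", but the implementation maps it from SSL_ERROR_WANT_WRITE on SSL_read, which arises when the read is blocked behind a pending write (renegotiation or other handshake traffic on an established connection), not an unfinished initial handshake. Suggest `@return GETDNS_RETURN_TLS_WANT_WRITE if the read is blocked on a pending write (e.g. renegotiation); retry when the socket is writable.` It would also help callers to state that on GETDNS_RETURN_GOOD `*read` is between 1 and `to_read`, and that a clean peer close (SSL_ERROR_ZERO_RETURN) is reported as GETDNS_RETURN_GENERIC_ERROR, since nothing else in the API lets them tell the two apart.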
@@ -1292,16 +1292,17 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp, tcp->to_read = 2; /* Packet size */ } - ERR_clear_error(); - read = SSL_read(tls_obj, tcp->read_pos, tcp->to_read); - if (read <= 0) { - /* TODO[TLS]: Handle SSL_ERROR_WANT_WRITE which means handshake - renegotiation. Need to keep handshake state to do that.*/ - int want = SSL_get_error(tls_obj, read); - if (want == SSL_ERROR_WANT_READ) { + switch ((int)_getdns_tls_connection_read(tls_obj, tcp->read_pos, tcp->to_read, &read)) { + case GETDNS_RETURN_GOOD: + break; + + case GETDNS_RETURN_TLS_WANT_READ: return STUB_TCP_RETRY; /* Come back later */ - } else - return STUB_TCP_ERROR; + + default: + /* TODO[TLS]: Handle GETDNS_RETURN_TLS_WANT_WRITE which means handshake + renegotiation. Need to keep handshake state to do that.*/ + return STUB_TCP_ERROR; } tcp->to_read -= read; tcp->read_pos += read; @@ -1333,15 +1334,17 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp, /* Ready to start reading the packet */ tcp->read_pos = tcp->read_buf; - read = SSL_read(tls_obj, tcp->read_pos, tcp->to_read); - if (read <= 0) { - /* TODO[TLS]: Handle SSL_ERROR_WANT_WRITE which means handshake + switch ((int)_getdns_tls_connection_read(tls_obj, tcp->read_pos, tcp->to_read, &read)) { + case GETDNS_RETURN_GOOD: + break; + + case GETDNS_RETURN_TLS_WANT_READ: + return STUB_TCP_RETRY; /* Come back later */ + + default: + /* TODO[TLS]: Handle GETDNS_RETURN_TLS_WANT_WRITE which means handshake renegotiation. Need to keep handshake state to do that.*/ - int want = SSL_get_error(tls_obj, read); - if (want == SSL_ERROR_WANT_READ) { - return STUB_TCP_RETRY; /* read more later */ - } else - return STUB_TCP_ERROR; + return STUB_TCP_ERROR; } tcp->to_read -= read; tcp->read_pos += read; From 09019bee75239d566f716de770d9efff058067d8 Mon Sep 17 00:00:00 2001 
From: Jim Hague Date: Thu, 15 Nov 2018 15:00:19 +0000 Subject: [PATCH 005/108] Replace SSL_write(). --- src/openssl/tls.c | 33 +++++++++++++++++++++++++++++++++ src/openssl/tls.h | 15 +++++++++++++++ src/stub.c | 31 ++++++++++++------------------- 3 files changed, 60 insertions(+), 19 deletions(-) diff --git a/src/openssl/tls.c b/src/openssl/tls.c index a3267c52..ad940ef8 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -404,6 +404,39 @@ getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_ return GETDNS_RETURN_GOOD; } +getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written) +{ + int swritten; + + if (!conn || !conn->ssl || !written) + return -GETDNS_RETURN_INVALID_PARAMETER; + + ERR_clear_error(); + swritten = SSL_write(conn->ssl, buf, to_write); + if (swritten <= 0) { + switch(SSL_get_error(conn->ssl, swritten)) { + case SSL_ERROR_WANT_READ: + /* SSL_write will not do partial writes, because + * SSL_MODE_ENABLE_PARTIAL_WRITE is not default, + * but the write could fail because of renegotiation. + * In that case SSL_get_error() will return + * SSL_ERROR_WANT_READ or, SSL_ERROR_WANT_WRITE. + * Return for retry in such cases. + */ + return GETDNS_RETURN_TLS_WANT_READ; + + case SSL_ERROR_WANT_WRITE: + return GETDNS_RETURN_TLS_WANT_WRITE; + + default: + return GETDNS_RETURN_GENERIC_ERROR; + } + } + + *written = swritten; + return GETDNS_RETURN_GOOD; +} + getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s) { if (!s || !s->ssl) diff --git a/src/openssl/tls.h b/src/openssl/tls.h index 44a50bd2..dda05030 100644 --- a/src/openssl/tls.h +++ b/src/openssl/tls.h 
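Review bot: `_getdns_tls_connection_write` repeats the stray negation from the read wrapper, `return -GETDNS_RETURN_INVALID_PARAMETER;`, which should be `return GETDNS_RETURN_INVALID_PARAMETER;` to match the documented return. `buf` is never modified and is passed to SSL_write's `const void*`, so declare it `const uint8_t* buf` in both tls.c and tls.h; callers can then pass `netreq->query - 2` without a cast and the compiler can catch accidental writes. The comment about partial writes describes OpenSSL's default mode, but this function now sits behind an abstraction that other back ends may implement; add `/* Callers assume *written == to_write on GETDNS_RETURN_GOOD; a back end that can write partially must loop here. */` so the contract survives a back-end swap.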
@@ -120,6 +120,21 @@ getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* */ getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read); +/** + * Write to TLS. + * + * @param conn the connection. + * @param buf the buffer to write from. + * @param to_write the number of bytes to write. + * @param written the number of bytes written. + * @return GETDNS_RETURN_GOOD if some bytes were read. + * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL. + * @return GETDNS_RETURN_TLS_WANT_READ if handshake isn't finished. + * @return GETDNS_RETURN_TLS_WANT_WRITE if the write needs to be retried. + * @return GETDNS_RETURN_GENERIC_ERROR if write failed. + */ +getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written); + getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s); getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict); diff --git a/src/stub.c b/src/stub.c index 28d2e983..75ee576d 100644 --- a/src/stub.c +++ b/src/stub.c @@ -1359,10 +1359,10 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp, getdns_network_req *netreq) { size_t pkt_len; - ssize_t written; + size_t written; uint16_t query_id; intptr_t query_id_intptr; - SSL* tls_obj = upstream->tls_obj->ssl; + _getdns_tls_connection* tls_obj = upstream->tls_obj; uint16_t padding_sz; int q = tls_connected(upstream); @@ -1437,7 +1437,6 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp, * Lets see how much of it we can write */ /* TODO[TLS]: Handle error cases, partial writes, renegotiation etc. */ - ERR_clear_error(); #if INTERCEPT_COM_DS /* Intercept and do not sent out COM DS queries. For debugging * purposes only. Never commit with this turned on. 
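Review bot: The documentation for `_getdns_tls_connection_write` says `@return GETDNS_RETURN_GOOD if some bytes were read`, a copy-paste from the read wrapper; it should read `if some bytes were written`, and `@param written` should be `pointer to holder for the number of bytes written` to match the read wrapper's phrasing. In the stub.c hunk, dropping `ERR_clear_error()` from stub_tls_write is correct only because the wrapper now clears the error queue itself before SSL_write; a one-line comment at the call site saying so would stop someone re-adding it. stub_tls_write continues outside the hunk.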
@@ -1454,22 +1453,16 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp, written = pkt_len + 2; } else #endif - written = SSL_write(tls_obj, netreq->query - 2, pkt_len + 2); - if (written <= 0) { - /* SSL_write will not do partial writes, because - * SSL_MODE_ENABLE_PARTIAL_WRITE is not default, - * but the write could fail because of renegotiation. - * In that case SSL_get_error() will return - * SSL_ERROR_WANT_READ or, SSL_ERROR_WANT_WRITE. - * Return for retry in such cases. - */ - switch (SSL_get_error(tls_obj, written)) { - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - return STUB_TCP_RETRY; - default: - return STUB_TCP_ERROR; - } + switch ((int)_getdns_tls_connection_write(tls_obj, netreq->query - 2, pkt_len + 2, &written)) { + case GETDNS_RETURN_GOOD: + break; + + case GETDNS_RETURN_TLS_WANT_READ: + case GETDNS_RETURN_TLS_WANT_WRITE: + return STUB_TCP_RETRY; + + default: + return STUB_TCP_ERROR; } /* We were able to write everything! Start reading. */ return (int) query_id; From 4b8c9d1bd7a158054b8ba7778e9bff086f82d709 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 15 Nov 2018 15:58:19 +0000 Subject: [PATCH 006/108] Replace SSL_get_version(). --- src/openssl/tls.c | 7 +++++++ src/openssl/tls.h | 8 ++++++++ src/stub.c | 2 +- 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/openssl/tls.c b/src/openssl/tls.c index ad940ef8..635ba5ee 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -342,6 +342,13 @@ _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* return res; } +const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn) +{ + if (!conn || !conn->ssl) + return NULL; + return SSL_get_version(conn->ssl); +} + getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn) { int r; diff --git a/src/openssl/tls.h b/src/openssl/tls.h index dda05030..7e95a165 100644 --- a/src/openssl/tls.h +++ b/src/openssl/tls.h 
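Review bot: After `_getdns_tls_connection_write(...)` returns GETDNS_RETURN_GOOD the code declares "We were able to write everything!" and returns `query_id`, but `written` is never compared with `pkt_len + 2`; the wrapper's documented contract is only that some bytes were written. With OpenSSL's default (no SSL_MODE_ENABLE_PARTIAL_WRITE) the two are equal, but this abstraction layer exists so another TLS back end can be dropped in, and a short write here would desynchronise the length-prefixed DNS stream with nothing noticing. Add `if (written != pkt_len + 2) return STUB_TCP_ERROR;` before the return; it is free on OpenSSL and turns a silent framing corruption into a visible failure. stub_tls_write starts outside the hunk.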
@@ -83,6 +83,14 @@ getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* c getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s); _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn); +/** + * Report the TLS version of the connection. + * + * @param conn the connection. + * @return string with the connection description, NULL on error. + */ +const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn); + /** * Attempt TLS handshake. * diff --git a/src/stub.c b/src/stub.c index 75ee576d..fdcc9db6 100644 --- a/src/stub.c +++ b/src/stub.c @@ -1865,7 +1865,7 @@ upstream_write_cb(void *userarg) cert, &netreq->debug_tls_peer_cert.data); X509_free(cert); } - netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj->ssl); + netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj); } /* Need this because auth status is reset on connection close */ netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state; From 0fd6fd4c5cf7efb547d4fc9368846caf9c29688b Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Fri, 16 Nov 2018 17:09:26 +0000 Subject: [PATCH 007/108] Replace (one instance of) SSL_get_peer_certificate(). --- src/openssl/tls.c | 37 +++++++++++++++++++++++++++++++++++++ src/openssl/tls.h | 29 +++++++++++++++++++++++++++++ src/stub.c | 8 ++++---- 3 files changed, 70 insertions(+), 4 deletions(-) diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 635ba5ee..18a5e970 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c 
@@ -48,6 +48,20 @@ # include "ssl_dane/danessl.h" #endif +static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert) +{ + _getdns_tls_x509* res; + + if (!cert) + return NULL; + + res = malloc(sizeof(_getdns_tls_x509)); + if (res) + res->ssl = cert; + + return res; +} + #ifdef USE_WINSOCK /* For windows, the CA trust store is not read by openssl. Add code to open the trust store using wincrypt API and add @@ -374,6 +388,14 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn } } +_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn) +{ + if (!conn || !conn->ssl) + return NULL; + + return _getdns_tls_x509_new(SSL_get_peer_certificate(conn->ssl)); +} + getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn) { if (!conn || !conn->ssl) @@ -486,4 +508,19 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict) return GETDNS_RETURN_GENERIC_ERROR; } +void _getdns_tls_x509_free(_getdns_tls_x509* cert) +{ + if (cert && cert->ssl) + X509_free(cert->ssl); + free(cert); +} + +int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf) +{ + if (!cert || !cert->ssl) + return 0; + + return i2d_X509(cert->ssl, buf); +} + /* tls.c */ diff --git a/src/openssl/tls.h b/src/openssl/tls.h index 7e95a165..92e35459 100644 --- a/src/openssl/tls.h +++ b/src/openssl/tls.h @@ -64,6 +64,11 @@ typedef struct _getdns_tls_session { SSL_SESSION* ssl; } _getdns_tls_session; +typedef struct _getdns_tls_x509 +{ + X509* ssl; +} _getdns_tls_x509; + void _getdns_tls_init(); _getdns_tls_context* _getdns_tls_context_new(); 
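Review bot: `_getdns_tls_x509_new` takes ownership of `cert` but leaks it when `malloc` fails: the only caller passes the result of `SSL_get_peer_certificate`, which returns a reference the caller must release, and on the `res == NULL` path nobody does. Fix: `res = malloc(sizeof(_getdns_tls_x509)); if (res) res->ssl = cert; else X509_free(cert); return res;`, with a comment `/* Takes ownership of cert; released by _getdns_tls_x509_free, or here on allocation failure. */`. `_getdns_tls_connection_get_peer_certificate` also returns NULL both on error and when the peer presented no certificate, so callers cannot tell the two apart; worth stating where it is documented.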
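Review bot: `_getdns_tls_x509_to_der` returns `i2d_X509`'s result unchanged, but i2d_X509 signals failure with a negative value, not the 0 that the new header comment promises, and the caller in upstream_write_cb assigns the result straight into a size field. Clamp in the wrapper so the documented contract holds: `int len = i2d_X509(cert->ssl, buf); return len < 0 ? 0 : len;`. A comment that with `*buf == NULL` OpenSSL allocates the output buffer, which the caller then owns and must release with the matching OpenSSL free, would also save the next reader a trip to the man page.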
@@ -103,6 +108,14 @@ const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn); */ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn); +/** + * Get the connection peer certificate. + * + * @param conn the connection. + * @return certificate or NULL on error. + */ +_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn); + /** * See whether the connection is reusing a session. * @@ -145,6 +158,22 @@ getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8 getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s); +/** + * Free X509 certificate. + * + * @param cert the certificate. + */ +void _getdns_tls_x509_free(_getdns_tls_x509* cert); + +/** + * Convert X509 to DER. + * + * @param cert the certificate. + * @param buf buffer to receive conversion. NULL to just get the length. + * @return length of conversion, 0 on error. + */ +int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf); + getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict); #endif /* _GETDNS_TLS_H */ diff --git a/src/stub.c b/src/stub.c index fdcc9db6..d012566b 100644 --- a/src/stub.c +++ b/src/stub.c @@ -1797,7 +1797,7 @@ upstream_write_cb(void *userarg) getdns_upstream *upstream = (getdns_upstream *)userarg; getdns_network_req *netreq = upstream->write_queue; int q; - X509 *cert; + _getdns_tls_x509 *cert; if (!netreq) { GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); 
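Review bot: The comment for `_getdns_tls_connection_get_peer_certificate` says `@return certificate or NULL on error`, but the underlying `SSL_get_peer_certificate` also returns NULL when the peer sent no certificate, and the wrapper allocates, so the caller owns the result; suggest `@return the peer certificate, which the caller must release with _getdns_tls_x509_free(); NULL on error or when the peer presented no certificate.` For `_getdns_tls_x509_to_der`, the `@param buf` line should say that when `*buf` is NULL the encoder allocates the output and the caller must free it, and the `@return` line should describe what the implementation actually does on failure rather than promising 0.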
@@ -1860,10 +1860,10 @@ upstream_write_cb(void *userarg) if (netreq->owner->return_call_reporting && netreq->upstream->tls_obj) { if (netreq->debug_tls_peer_cert.data == NULL && - (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj->ssl))) { - netreq->debug_tls_peer_cert.size = i2d_X509( + (cert = _getdns_tls_connection_get_peer_certificate(netreq->upstream->tls_obj))) { + netreq->debug_tls_peer_cert.size = _getdns_tls_x509_to_der( cert, &netreq->debug_tls_peer_cert.data); - X509_free(cert); + _getdns_tls_x509_free(cert); } netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj); } From 5d353d9efbfe34d05f495988a5b3e2a47b58dd8d Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Fri, 16 Nov 2018 17:53:08 +0000 Subject: [PATCH 008/108] To aid proof-of-concept work, insist on OpenSSL 1.1.1 or later. Remove ssl_dane as now surplus to requirements. --- .gitmodules | 4 -- configure.ac | 22 +++--- src/Makefile.in | 6 +- src/context.c | 53 -------------- src/gldns/keyraw.c | 18 ----- src/openssl/tls.c | 13 ---- src/ssl_dane | 1 - src/stub.c | 173 +-------------------------------------------- 8 files changed, 12 insertions(+), 278 deletions(-) delete mode 160000 src/ssl_dane diff --git a/.gitmodules b/.gitmodules index 26a1f354..27d60b78 100644 --- a/.gitmodules +++ b/.gitmodules @@ -10,7 +10,3 @@ path = stubby url = https://github.com/getdnsapi/stubby.git branch = develop -[submodule "src/ssl_dane"] - path = src/ssl_dane - url = https://github.com/getdnsapi/ssl_dane - branch = getdns diff --git a/configure.ac b/configure.ac index 67636c57..c361848b 100644 --- a/configure.ac +++ b/configure.ac 
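Review bot: `netreq->debug_tls_peer_cert.size = _getdns_tls_x509_to_der(cert, &netreq->debug_tls_peer_cert.data);` stores the encoder's int result into the size field unchecked; `i2d_X509` underneath returns a negative value on failure, which becomes a huge size (assuming `debug_tls_peer_cert` is a size_t-sized bindata, as the field suggests) next to a NULL or stale `data` pointer for whatever consumes the call-reporting dict. Check before storing: `int len = _getdns_tls_x509_to_der(cert, &netreq->debug_tls_peer_cert.data); if (len > 0) netreq->debug_tls_peer_cert.size = len;`. The direct i2d_X509 call had the same issue, but the new wrapper now documents a 0-on-error contract its implementation does not deliver, so one of the two sides should change. upstream_write_cb continues outside the hunk.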
@@ -440,28 +440,24 @@ AC_INCLUDES_DEFAULT ]) fi -AC_MSG_CHECKING([whether we need to compile/link DANE support]) -DANESSL_XTRA_OBJS="" +AC_MSG_CHECKING([for OpenSSL >= 1.1.1]) AC_LANG_PUSH(C) AC_COMPILE_IFELSE( [AC_LANG_PROGRAM([ [#include ] - [#if OPENSSL_VERSION_NUMBER < 0x1000000fL] - [#error "OpenSSL 1.0.0 or higher required for DANE library"] - [#elif defined(HAVE_SSL_DANE_ENABLE)] - [#error "OpenSSL has native DANE support"] + [#if OPENSSL_VERSION_NUMBER < 0x10101000L] + [#error "OpenSSL 1.1.1 or higher required"] [#elif defined(LIBRESSL_VERSION_NUMBER)] - [#error "dane_ssl library does not work with LibreSSL"] + [#error "LibreSSL not supported"] [#endif] ],[[]])], [ - AC_MSG_RESULT([yes]) - AC_DEFINE([USE_DANESSL], [1], [Define this to use DANE functions from the ssl_dane/danessl library.]) - DANESSL_XTRA_OBJS="danessl.lo" - ], - [AC_MSG_RESULT([no])]) + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_ERROR([OpenSSL 1.1.1 or later required]) + ]) AC_LANG_POP(C) -AC_SUBST(DANESSL_XTRA_OBJS) AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support])) case "$enable_sha1" in diff --git a/src/Makefile.in b/src/Makefile.in index de5f3e26..d7ed0343 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -98,9 +98,8 @@ TLS_OBJ=tls.lo YXML_OBJ=yxml.lo YAML_OBJ=convert_yaml_to_json.lo -DANESSL_OBJ=danessl.lo -GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ @DANESSL_XTRA_OBJS@ +GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ STUBBY_XTRA_OBJS=@STUBBY_XTRA_OBJS@ EXTENSION_OBJ=$(DEFAULT_EVENTLOOP_OBJ) libevent.lo libev.lo 
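Review bot: The new check only compiles against `openssl/opensslv.h`, so it verifies the headers are 1.1.1 or later but not that the library actually linked is; on hosts with several OpenSSL installs it is easy to build against new headers and link an older libssl, and the first symptom would be a load-time failure on a symbol such as `SSL_CTX_dane_enable`. Add a link test alongside it, e.g. `AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <openssl/ssl.h>]],[[(void)SSL_CTX_dane_enable((SSL_CTX*)0);]])],[],[AC_MSG_ERROR([libssl lacks SSL_CTX_dane_enable; OpenSSL 1.1.1 or later required])])`. Refusing LibreSSL and pre-1.1.1 OpenSSL outright is a hard break for downstream packagers, and the commit message frames it as proof-of-concept scaffolding, so a comment in configure.ac saying the restriction is temporary would keep it from being mistaken for release policy.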
@@ -140,9 +139,6 @@ $(TLS_OBJ): $(YAML_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@ -$(DANESSL_OBJ): - $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WNOERRORFLAG) -c $(srcdir)/ssl_dane/$(@:.lo=.c) -o $@ - $(YXML_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -I$(srcdir)/yxml -DYXML_GETDNS -Wno-unused-parameter -c $(srcdir)/yxml/$(@:.lo=.c) -o $@ diff --git a/src/context.c b/src/context.c index c0f4f8e1..0729f4d8 100644 --- a/src/context.c +++ b/src/context.c @@ -82,9 +82,6 @@ typedef unsigned short in_port_t; #include "list.h" #include "dict.h" #include "pubkey-pinning.h" -#ifdef USE_DANESSL -# include "ssl_dane/danessl.h" -#endif #include "const-info.h" #include "tls.h" @@ -599,26 +596,6 @@ upstreams_create(getdns_context *context, size_t size) } -#if defined(USE_DANESSL) && defined(STUB_DEBUG) && STUB_DEBUG -static void _stub_debug_print_openssl_errors(void) -{ - unsigned long err; - char buffer[1024]; - const char *file; - const char *data; - int line; - int flags; - - while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) { - ERR_error_string_n(err, buffer, sizeof(buffer)); - if (flags & ERR_TXT_STRING) - DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d:%s\n", buffer, file, line, data); - else - DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d\n", buffer, file, line); - } -} -#endif - void _getdns_upstreams_dereference(getdns_upstreams *upstreams) { @@ -660,12 +637,6 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams) if (upstream->tls_obj != NULL) { _getdns_tls_connection_shutdown(upstream->tls_obj); -#ifdef USE_DANESSL -# if defined(STUB_DEBUG) && STUB_DEBUG - _stub_debug_print_openssl_errors(); -# endif - DANESSL_cleanup(upstream->tls_obj->ssl); -#endif _getdns_tls_connection_free(upstream->tls_obj); } if (upstream->fd != -1) 
@@ -779,12 +750,6 @@ _getdns_upstream_reset(getdns_upstream *upstream)
 }
 if (upstream->tls_obj != NULL) {
 _getdns_tls_connection_shutdown(upstream->tls_obj);
-#ifdef USE_DANESSL
-# if defined(STUB_DEBUG) && STUB_DEBUG
- _stub_debug_print_openssl_errors();
-# endif
- DANESSL_cleanup(upstream->tls_obj->ssl);
-#endif
 _getdns_tls_connection_free(upstream->tls_obj);
 upstream->tls_obj = NULL;
 }
@@ -3579,7 +3544,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 }
 if (context->tls_ctx == NULL) {
-#ifdef HAVE_TLS_v1_2
 context->tls_ctx = _getdns_tls_context_new();
 if (context->tls_ctx == NULL)
 return GETDNS_RETURN_BAD_CONTEXT;
@@ -3608,7 +3572,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED)
 return GETDNS_RETURN_BAD_CONTEXT;
 }
-# if defined(HAVE_SSL_CTX_DANE_ENABLE)
 # if defined(STUB_DEBUG) && STUB_DEBUG
 int osr =
 # else
@@ -3617,22 +3580,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 SSL_CTX_dane_enable(context->tls_ctx->ssl);
 DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
 , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-# elif defined(USE_DANESSL)
-# if defined(STUB_DEBUG) && STUB_DEBUG
- int osr =
-# else
- (void)
-# endif
- DANESSL_CTX_init(context->tls_ctx->ssl);
- DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n"
- , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-# endif
-#else /* HAVE_TLS_v1_2 */
- if (tls_only_is_in_transports_list(context) == 1)
- return GETDNS_RETURN_BAD_CONTEXT;
- /* A null tls_ctx will make TLS fail and fallback to the other
- transports will kick-in.*/
-#endif /* HAVE_TLS_v1_2 */
 }
 }
diff --git a/src/gldns/keyraw.c b/src/gldns/keyraw.c
index ed8188c8..db84743e 100644
--- a/src/gldns/keyraw.c
+++ b/src/gldns/keyraw.c
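Review bot: With the `HAVE_SSL_CTX_DANE_ENABLE` guard removed, `SSL_CTX_dane_enable(context->tls_ctx->ssl)` is the only path left, but its result is still captured only in debug builds (the `# else` branch in the -3608 hunk discards it) and is never acted on. If it fails, the TLSA/pin records that stub.c later adds cannot be enforced, yet `_getdns_context_prepare_for_resolution` still reports success; a non-positive return should fail the same way the `tls_ctx == NULL` case two hunks up does, e.g. `if (SSL_CTX_dane_enable(context->tls_ctx->ssl) <= 0) return GETDNS_RETURN_BAD_CONTEXT;` with the `DEBUG_STUB` line keeping the value for logging. The enclosing function starts and ends outside these hunks.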
@@ -232,15 +232,6 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 BN_free(Y);
 return NULL;
 }
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-#ifndef S_SPLINT_S
- dsa->p = P;
- dsa->q = Q;
- dsa->g = G;
- dsa->pub_key = Y;
-#endif /* splint */
-
-#else /* OPENSSL_VERSION_NUMBER */
 if (!DSA_set0_pqg(dsa, P, Q, G)) {
 /* QPG not yet attached, need to free */
 BN_free(Q);
@@ -257,7 +248,6 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 BN_free(Y);
 return NULL;
 }
-#endif
 return dsa;
 }
@@ -310,20 +300,12 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 BN_free(modulus);
 return NULL;
 }
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-#ifndef S_SPLINT_S
- rsa->n = modulus;
- rsa->e = exponent;
-#endif /* splint */
-
-#else /* OPENSSL_VERSION_NUMBER */
 if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
 BN_free(exponent);
 BN_free(modulus);
 RSA_free(rsa);
 return NULL;
 }
-#endif
 return rsa;
 }
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 18a5e970..0c4fd917 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -44,10 +44,6 @@
 #include "tls.h"
-#ifdef USE_DANESSL
-# include "ssl_dane/danessl.h"
-#endif
-
 static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert)
 {
 _getdns_tls_x509* res;
@@ -156,19 +152,10 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
 void
 _getdns_tls_init()
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
- OpenSSL_add_all_algorithms();
- SSL_library_init();
-
-# ifdef USE_DANESSL
- (void) DANESSL_library_init();
-# endif
-#else
 OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
 (void)OPENSSL_init_ssl(0, NULL);
-#endif
 }
 _getdns_tls_context* _getdns_tls_context_new()
diff --git a/src/ssl_dane b/src/ssl_dane
deleted file mode 160000
index dd093e58..00000000
--- a/src/ssl_dane
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit dd093e585a237e0321d303ec35e84c393ef739f4
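Review bot: In `_getdns_tls_init()` the return value of `OPENSSL_init_crypto()` is dropped silently while the adjacent `OPENSSL_init_ssl()` gets an explicit `(void)`; both return 0 on failure and the function is `void`, so an initialisation failure is never reported here and presumably only shows up when a later `_getdns_tls_context_new()` fails. Either let the function return the combined status so its caller (outside this hunk) can abort, or at least treat both calls the same way and record the decision: `/* Both initialisers return 0 on failure; failures are deliberately not reported here. */`.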
diff --git a/src/stub.c b/src/stub.c
index d012566b..52478dfb 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -55,9 +55,6 @@
 #include "platform.h"
 #include "general.h"
 #include "pubkey-pinning.h"
-#ifdef USE_DANESSL
-# include "ssl_dane/danessl.h"
-#endif
 /* WSA TODO:
 * STUB_TCP_RETRY added to deal with edge triggered event loops (versus
@@ -829,9 +826,6 @@ tls_requested(getdns_network_req *netreq)
 1 : 0;
 }
-
-#if defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL)
-
 static int
 _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
 {
@@ -857,64 +851,6 @@ _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx) return 1; } -#else /* defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */ - -static int -tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) -{ - getdns_upstream *upstream; - getdns_return_t pinset_ret = GETDNS_RETURN_GOOD; - upstream = _getdns_upstream_from_x509_store(ctx); - if (!upstream) - return 0; - - int err = X509_STORE_CTX_get_error(ctx); -# if defined(STUB_DEBUG) && STUB_DEBUG - DEBUG_STUB("%s %-35s: FD: %d Verify result: (%d) \"%s\"\n", - STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err, - X509_verify_cert_error_string(err)); -# endif - if (!preverify_ok && !upstream->tls_fallback_ok) - _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR, - "%-40s : Verify failed: TLS - *Failure* - (%d) \"%s\"\n", - upstream->addr_str, err, - X509_verify_cert_error_string(err)); - - /* No need to deal with hostname authentication, since this will be - * dealt with in the DANE preprocessor paths. 
- */ - - /* Deal with the pinset validation */ - if (upstream->tls_pubkey_pinset) - pinset_ret = _getdns_verify_pinset_match(upstream->tls_pubkey_pinset, ctx); - - if (pinset_ret != GETDNS_RETURN_GOOD) { - DEBUG_STUB("%s %-35s: FD: %d, WARNING: Pinset validation failure!\n", - STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd); - preverify_ok = 0; - upstream->tls_auth_state = GETDNS_AUTH_FAILED; - if (upstream->tls_fallback_ok) - DEBUG_STUB("%s %-35s: FD: %d, WARNING: Proceeding even though pinset validation failed!\n", - STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd); - else - _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR, - "%-40s : Conn failed: TLS - *Failure* - Pinset validation failure\n", - upstream->addr_str); - } - /* If nothing has failed yet and we had credentials, we have successfully authenticated*/ - if (preverify_ok == 0) - upstream->tls_auth_state = GETDNS_AUTH_FAILED; - else if (upstream->tls_auth_state == GETDNS_AUTH_NONE && - (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0])) - upstream->tls_auth_state = GETDNS_AUTH_OK; - - /* If fallback is allowed, proceed regardless of what the auth error is - (might not be hostname or pinset related) */ - return (upstream->tls_fallback_ok) ? 1 : preverify_ok; -} - -#endif /* #else defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */ - static _getdns_tls_connection* tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) { 
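Review bot: After this hunk `_getdns_tls_verify_always_ok` (which unconditionally returns 1, see the context at its top) is the only verify callback left, because the `tls_verify_callback` path that ran `_getdns_verify_pinset_match()` and set `tls_auth_state` is deleted here. Every authentication decision therefore moves to `tls_do_handshake()`'s `SSL_get_verify_result()` check, and that invariant is now implicit; it deserves a comment above the callback, e.g. `/* Always let the handshake complete: authentication is decided afterwards in tls_do_handshake() from SSL_get_verify_result() and tls_auth_min/tls_fallback_ok, so a verify failure must not abort the connection here. */`. The callback's definition begins in the preceding -829 hunk.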
@@ -946,28 +882,11 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
 STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
 SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name);
-#if defined(HAVE_SSL_HN_AUTH)
- /* Set up native OpenSSL hostname verification
- * ( doesn't work with USE_DANESSL, but we verify the
- * name afterwards in such cases )
- */
+ /* Set up native OpenSSL hostname verification */
 X509_VERIFY_PARAM *param;
 param = SSL_get0_param(tls->ssl);
 X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
-#elif !defined(HAVE_X509_CHECK_HOST)
- if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
- DEBUG_STUB("%s %-35s: ERROR: Hostname Authentication not available from TLS library (check library version)\n",
- STUB_DEBUG_SETUP_TLS, __FUNC__);
- _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
- "%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n",
- upstream->addr_str);
- upstream->tls_hs_state = GETDNS_HS_FAILED;
- _getdns_tls_connection_free(tls);
- upstream->tls_auth_state = GETDNS_AUTH_FAILED;
- return NULL;
- }
-#endif
 /* Allow fallback to opportunistic if settings permit it*/
 if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
 upstream->tls_fallback_ok = 1;
@@ -1006,7 +925,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, __FUNC__);
 }
-#if defined(HAVE_SSL_DANE_ENABLE)
+ int osr;
 # if defined(STUB_DEBUG) && STUB_DEBUG
 osr =
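Review bot: With the `HAVE_SSL_HN_AUTH` guard gone, `X509_VERIFY_PARAM_set1_host()` is the only hostname check, yet its return value (and that of `SSL_set_tlsext_host_name()`) is ignored. If it fails, no name is attached to the verify parameters, and `tls_do_handshake()` later derives `GETDNS_AUTH_OK` purely from `SSL_get_verify_result() == X509_V_OK`, so a PKIX-valid certificate for any name would be reported as authenticated for `tls_auth_name`. The removed `#elif` branch shows the failure handling this function already uses; apply it when `set1_host` fails, unconditionally rather than only for `GETDNS_AUTHENTICATION_REQUIRED`, because an opportunistic connection would otherwise be mis-reported as authenticated too. The enclosing function starts and ends outside the hunk.
```c
	X509_VERIFY_PARAM *param;
	param = SSL_get0_param(tls->ssl);
	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
	if (!X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0)) {
		/* No name attached: verification would pass for any PKIX-valid
		 * certificate, so this connection must not be used. */
		DEBUG_STUB("%s %-35s: ERROR: Could not set hostname for verification\n",
		           STUB_DEBUG_SETUP_TLS, __FUNC__);
		upstream->tls_hs_state = GETDNS_HS_FAILED;
		_getdns_tls_connection_free(tls);
		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
		return NULL;
	}
	/* … unchanged: opportunistic fallback handling … */
```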
@@ -1033,44 +952,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 if (osr > 0)
 ++n_pins;
 }
-#elif defined(USE_DANESSL)
- if (upstream->tls_pubkey_pinset) {
- const char *auth_names[2] = { upstream->tls_auth_name, NULL };
- int osr;
-# if defined(STUB_DEBUG) && STUB_DEBUG
- osr =
-# else
- (void)
-# endif
- DANESSL_init(tls->ssl,
- *upstream->tls_auth_name ? upstream->tls_auth_name : NULL,
- *upstream->tls_auth_name ? auth_names : NULL
- );
- DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n"
- , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
- SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
- sha256_pin_t *pin_p;
- size_t n_pins = 0;
- for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
- osr = DANESSL_add_tlsa(tls->ssl, 3, 1, "sha256",
- (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
- DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
- , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
- if (osr > 0)
- ++n_pins;
- osr = DANESSL_add_tlsa(tls->ssl, 2, 1, "sha256",
- (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
- DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
- , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
- if (osr > 0)
- ++n_pins;
- }
- } else {
- SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
- }
-#else
- SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback);
-#endif
 /* Session resumption. There are trade-offs here. Want to do it when possible only if we have the right type of connection. Note a change
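Review bot: Once the `tls_verify_callback` fallback is removed here, pins are enforced only through the TLSA records counted in `n_pins` just above, and as far as I recall OpenSSL's DANE implementation verifies with plain PKIX when no usable TLSA record was added to the connection. Unless the code after this loop (outside the hunk) treats `n_pins == 0` with a non-empty `tls_pubkey_pinset` as an authentication failure, a pinset whose entries all fail `SSL_dane_tlsa_add()` would silently stop being enforced while the certificate chain still validates. A short comment at the end of the loop would pin the requirement down: `/* n_pins == 0 with a configured pinset means no pin can ever match; it must not degrade to PKIX-only verification. */`. The enclosing function starts and ends outside the hunk.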
@@ -1127,23 +1008,6 @@ tls_do_handshake(getdns_upstream *upstream) X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl); long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl); -/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset, - * we need to verify auth_name explicitely (otherwise it will not be checked, - * because this is not required with DANE with an EE match). - * This is not needed with native OpenSSL DANE, because EE name checks have - * to be disabled explicitely. - */ -#if defined(HAVE_X509_CHECK_HOST) && (defined(USE_DANESSL) || !defined(HAVE_SSL_HN_AUTH)) - int xch; - if (peer_cert && verify_result == X509_V_OK - && upstream->tls_auth_name[0] - && (xch = X509_check_host(peer_cert, - upstream->tls_auth_name, - strlen(upstream->tls_auth_name), - X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, - NULL)) <= 0) - verify_result = X509_V_ERR_HOSTNAME_MISMATCH; -#endif upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK ? GETDNS_AUTH_OK : GETDNS_AUTH_FAILED; if (!peer_cert) @@ -1161,7 +1025,6 @@ tls_do_handshake(getdns_upstream *upstream) /* Since we don't have DANE validation yet, DANE validation * failures are always pinset validation failures */ -#if defined(HAVE_SSL_DANE_ENABLE) else if (verify_result == X509_V_ERR_DANE_NO_MATCH) _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, 
@@ -1172,21 +1035,6 @@ tls_do_handshake(getdns_upstream *upstream) ( upstream->tls_fallback_ok ? "Tolerated because of Opportunistic profile" : "*Failure*" )); -#elif defined(USE_DANESSL) - else if (verify_result == X509_V_ERR_CERT_UNTRUSTED - && upstream->tls_pubkey_pinset - && !DANESSL_get_match_cert( - upstream->tls_obj->ssl, NULL, NULL, NULL)) - _getdns_upstream_log(upstream, - GETDNS_LOG_UPSTREAM_STATS, - ( upstream->tls_fallback_ok - ? GETDNS_LOG_INFO : GETDNS_LOG_ERR), - "%-40s : Verify failed : TLS - %s - " - "Pinset validation failure\n", upstream->addr_str, - ( upstream->tls_fallback_ok - ? "Tolerated because of Opportunistic profile" - : "*Failure*" )); -#endif else if (verify_result != X509_V_OK) _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, @@ -1198,23 +1046,6 @@ tls_do_handshake(getdns_upstream *upstream) ? "Tolerated because of Opportunistic profile" : "*Failure*" ), verify_result, X509_verify_cert_error_string(verify_result)); -#if !defined(HAVE_SSL_HN_AUTH) && !defined(HAVE_X509_CHECK_HOST) - else if (*upstream->tls_auth_name) { - _getdns_upstream_log(upstream, - GETDNS_LOG_UPSTREAM_STATS, - ( upstream->tls_fallback_ok - ? GETDNS_LOG_INFO : GETDNS_LOG_ERR), - "%-40s : Verify failed : TLS - %s - " - "Hostname Authentication not available from TLS " - "library (check library version)\n", - upstream->addr_str, - ( upstream->tls_fallback_ok - ? "Tolerated because of Opportunistic profile" - : "*Failure*" )); - - upstream->tls_auth_state = GETDNS_AUTH_FAILED; - } -#endif else _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, From aba0e2fb4c7c87ce8b8619b9a89e96b8b5d1c79c Mon Sep 17 00:00:00 2001 
From: Jim Hague Date: Mon, 19 Nov 2018 09:49:54 +0000 Subject: [PATCH 009/108] Move non-TLS-library specific parts of tls.h to ~/src/tls.h and have it include lib-specific tls-internal.h. Update dependencies. --- src/Makefile.in | 261 ------------------------------------- src/openssl/tls-internal.h | 67 ++++++++++ src/test/Makefile.in | 3 +- src/{openssl => }/tls.h | 28 +--- src/tools/Makefile.in | 6 +- 5 files changed, 70 insertions(+), 295 deletions(-) create mode 100644 src/openssl/tls-internal.h rename src/{openssl => }/tls.h (91%) diff --git a/src/Makefile.in b/src/Makefile.in index d7ed0343..67a36f62 100644 --- a/src/Makefile.in +++ b/src/Makefile.in 
@@ -300,264 +300,3 @@ depend: FORCE: # Dependencies for gldns, utils, the extensions and compat functions -anchor.lo anchor.o: $(srcdir)/anchor.c config.h \ - $(srcdir)/debug.h $(srcdir)/anchor.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h -const-info.lo const-info.o: $(srcdir)/const-info.c \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/const-info.h -context.lo context.o: $(srcdir)/context.c config.h \ - $(srcdir)/anchor.h getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h \ - $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \ - $(srcdir)/const-info.h -convert.lo convert.o: $(srcdir)/convert.c config.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h 
$(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h \ - $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h $(srcdir)/debug.h -dict.lo dict.o: $(srcdir)/dict.c config.h \ - $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h -dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ - $(srcdir)/debug.h getdns/getdns.h \ - $(srcdir)/context.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \ 
- $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h -general.lo general.o: $(srcdir)/general.c config.h \ - $(srcdir)/general.h getdns/getdns.h \ - $(srcdir)/types-internal.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h -list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \ - config.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/list.h $(srcdir)/dict.h -mdns.lo mdns.o: $(srcdir)/mdns.c config.h \ - $(srcdir)/debug.h $(srcdir)/context.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h -platform.lo platform.o: $(srcdir)/platform.c 
$(srcdir)/platform.h \ - config.h -pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \ - config.h $(srcdir)/debug.h \ - getdns/getdns.h $(srcdir)/context.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h -request-internal.lo request-internal.o: $(srcdir)/request-internal.c \ - config.h $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h -rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ - config.h \ - getdns/getdns.h \ - $(srcdir)/gldns/gbuffer.h $(srcdir)/util-internal.h $(srcdir)/context.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \ - $(srcdir)/openssl/tls.h $(srcdir)/dict.h -rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ - config.h \ - getdns/getdns.h \ - 
$(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h -server.lo server.o: $(srcdir)/server.c config.h \ - getdns/getdns_extra.h \ - getdns/getdns.h $(srcdir)/context.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h -stub.lo stub.o: $(srcdir)/stub.c config.h \ - $(srcdir)/debug.h $(srcdir)/stub.h \ - getdns/getdns.h \ - $(srcdir)/types-internal.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \ - $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h -sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \ - config.h $(srcdir)/context.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h 
-ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \ - config.h -util-internal.lo util-internal.o: $(srcdir)/util-internal.c \ - config.h \ - getdns/getdns.h $(srcdir)/dict.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ - getdns/getdns_extra.h $(srcdir)/list.h \ - $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h -gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ - config.h $(srcdir)/gldns/gbuffer.h -keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ - config.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/gldns/rrdef.h -parse.lo parse.o: $(srcdir)/gldns/parse.c \ - config.h $(srcdir)/gldns/parse.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h -parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \ - config.h $(srcdir)/gldns/parseutil.h -rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \ - config.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/gldns/parseutil.h -str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \ - config.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \ - $(srcdir)/gldns/parseutil.h -wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \ - config.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \ - $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h -arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \ - config.h -arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \ - config.h \ - $(srcdir)/compat/chacha_private.h -arc4random_uniform.lo 
arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c \ - config.h -explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c \ - config.h -getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c \ - config.h -getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c \ - config.h -getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c \ - config.h -getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c -gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c \ - config.h -inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c \ - config.h -inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c \ - config.h -sha512.lo sha512.o: $(srcdir)/compat/sha512.c \ - config.h -strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \ - config.h -strptime.lo strptime.o: $(srcdir)/compat/strptime.c \ - config.h -locks.lo locks.o: $(srcdir)/util/locks.c config.h \ - $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h -lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \ - config.h \ - $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \ - $(srcdir)/util/orig-headers/lookup3.h -lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \ - config.h \ - $(srcdir)/util/auxiliary/util/storage/lruhash.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h -rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ - config.h $(srcdir)/util/auxiliary/log.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \ - $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h -val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \ - config.h \ - 
$(srcdir)/util/auxiliary/util/data/packed_rrset.h \ - $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \ - $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h -jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h -tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \ - $(srcdir)/openssl/tls.h getdns/getdns.h -yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h -danessl.lo danessl.o: $(srcdir)/ssl_dane/danessl.c $(srcdir)/ssl_dane/danessl.h -libev.lo libev.o: $(srcdir)/extension/libev.c \ - config.h $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h -libevent.lo libevent.o: $(srcdir)/extension/libevent.c \ - config.h $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h -libuv.lo libuv.o: $(srcdir)/extension/libuv.c \ - config.h $(srcdir)/debug.h \ - $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h -poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \ - config.h $(srcdir)/util-internal.h \ - $(srcdir)/context.h getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h 
$(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/platform.h $(srcdir)/debug.h -select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \ - config.h $(srcdir)/debug.h \ - $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \ - $(srcdir)/extension/select_eventloop.h -stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c \ - config.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h new file mode 100644 index 00000000..f13c8602 --- /dev/null +++ b/src/openssl/tls-internal.h 
@@ -0,0 +1,67 @@
+/**
+ *
+ * \file tls-internal.h
+ * @brief getdns TLS implementation-specific items
+ */
+
+/*
+ * Copyright (c) 2018, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _GETDNS_TLS_INTERNAL_H
+#define _GETDNS_TLS_INTERNAL_H
+
+#include "getdns/getdns.h"
+
+#ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+#define HAVE_TLS_CTX_CURVES_LIST 0
+#else
+#define HAVE_TLS_CTX_CURVES_LIST (HAVE_DECL_SSL_CTX_SET1_CURVES_LIST)
+#endif
+#ifndef HAVE_DECL_SSL_SET1_CURVES_LIST
+#define HAVE_TLS_CONN_CURVES_LIST 0
+#else
+#define HAVE_TLS_CONN_CURVES_LIST (HAVE_DECL_SSL_SET1_CURVES_LIST)
+#endif
+
+typedef struct _getdns_tls_context {
+ SSL_CTX* ssl;
+} _getdns_tls_context;
+
+typedef struct _getdns_tls_connection {
+ SSL* ssl;
+} _getdns_tls_connection;
+
+typedef struct _getdns_tls_session {
+ SSL_SESSION* ssl;
+} _getdns_tls_session;
+
+typedef struct _getdns_tls_x509
+{
+ X509* ssl;
+} _getdns_tls_x509;
+
+#endif /* _GETDNS_TLS_INTERNAL_H */
diff --git a/src/test/Makefile.in b/src/test/Makefile.in
index 9d4dad00..89f5d3af 100644
--- a/src/test/Makefile.in
+++ b/src/test/Makefile.in
@@ -305,8 +305,7 @@ tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h \
 tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h \
 ../getdns/getdns.h
 tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c \
- ../config.h \
- $(srcdir)/testmessages.h \
+ ../config.h $(srcdir)/testmessages.h \
 ../getdns/getdns.h \
 ../getdns/getdns_extra.h
 tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h \
diff --git a/src/openssl/tls.h b/src/tls.h
similarity index 91%
rename from src/openssl/tls.h
rename to src/tls.h
index 92e35459..9d0b0704 100644
--- a/src/openssl/tls.h
+++ b/src/tls.h
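Review bot: tls-internal.h declares members of type `SSL_CTX`, `SSL`, `SSL_SESSION` and `X509` but includes only getdns/getdns.h, so it compiles only when the includer has already pulled in the OpenSSL headers. Because tls.h is changed in the next file to include it, every includer of tls.h inherits that ordering requirement; the part of tls.h before its line 36 is not in the hunk, so it may already include them, which is worth confirming. Adding `#include <openssl/ssl.h>` after the getdns include removes the dependence on include order. The guard `_GETDNS_TLS_INTERNAL_H` also sits in the identifier space reserved for the implementation (leading underscore followed by an uppercase letter); `GETDNS_TLS_INTERNAL_H` avoids that.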
@@ -36,39 +36,13 @@
 #include "getdns/getdns.h"
-#ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
-#define HAVE_TLS_CTX_CURVES_LIST 0
-#else
-#define HAVE_TLS_CTX_CURVES_LIST (HAVE_DECL_SSL_CTX_SET1_CURVES_LIST)
-#endif
-#ifndef HAVE_DECL_SSL_SET1_CURVES_LIST
-#define HAVE_TLS_CONN_CURVES_LIST 0
-#else
-#define HAVE_TLS_CONN_CURVES_LIST (HAVE_DECL_SSL_SET1_CURVES_LIST)
-#endif
+#include "tls-internal.h"
 /* Additional return codes required by TLS abstraction. Internal use only. */
 #define GETDNS_RETURN_TLS_WANT_READ ((getdns_return_t) 420)
 #define GETDNS_RETURN_TLS_WANT_WRITE ((getdns_return_t) 421)
 #define GETDNS_RETURN_TLS_CONNECTION_FRESH ((getdns_return_t) 422)
-typedef struct _getdns_tls_context {
- SSL_CTX* ssl;
-} _getdns_tls_context;
-
-typedef struct _getdns_tls_connection {
- SSL* ssl;
-} _getdns_tls_connection;
-
-typedef struct _getdns_tls_session {
- SSL_SESSION* ssl;
-} _getdns_tls_session;
-
-typedef struct _getdns_tls_x509
-{
- X509* ssl;
-} _getdns_tls_x509;
-
 void _getdns_tls_init();
 _getdns_tls_context* _getdns_tls_context_new();
diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in
index 88d5f21d..c51e2daf 100644
--- a/src/tools/Makefile.in
+++ b/src/tools/Makefile.in
@@ -123,14 +123,10 @@ depend:
 # Dependencies for getdns_query
 getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \
- ../config.h \
- $(srcdir)/../debug.h \
+ ../config.h $(srcdir)/../debug.h \
 ../getdns/getdns.h \
 ../getdns/getdns_extra.h
-
-# Dependencies for getdns_server_mon
 getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \
 ../config.h \
- $(srcdir)/../debug.h \
 ../getdns/getdns.h \
 ../getdns/getdns_extra.h
From 2e8c48544b78b2644dbfff286c7df1efca4c6446 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Mon, 19 Nov 2018 13:55:02 +0000
Subject: [PATCH 010/108] Move pubkey-pinning implementation under openssl/.
---
 src/Makefile.in | 4 ++--
 src/{ => openssl}/pubkey-pinning.c | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename src/{ => openssl}/pubkey-pinning.c (100%)
diff --git a/src/Makefile.in b/src/Makefile.in
index 67a36f62..f3e253f8 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -78,7 +78,7 @@ C99COMPATFLAGS=@C99COMPATFLAGS@
 DEFAULT_EVENTLOOP_OBJ=@DEFAULT_EVENTLOOP@.lo
 GETDNS_OBJ=const-info.lo convert.lo dict.lo dnssec.lo general.lo \
- list.lo request-internal.lo platform.lo pubkey-pinning.lo rr-dict.lo \
+ list.lo request-internal.lo platform.lo rr-dict.lo \
 rr-iter.lo server.lo stub.lo sync.lo ub_loop.lo util-internal.lo \
 mdns.lo
@@ -94,7 +94,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 UTIL_OBJ=rbtree.lo val_secalgo.lo lruhash.lo lookup3.lo locks.lo
 JSMN_OBJ=jsmn.lo
-TLS_OBJ=tls.lo
+TLS_OBJ=tls.lo pubkey-pinning.lo
 YXML_OBJ=yxml.lo
 YAML_OBJ=convert_yaml_to_json.lo
diff --git a/src/pubkey-pinning.c b/src/openssl/pubkey-pinning.c
similarity index 100%
rename from src/pubkey-pinning.c
rename to src/openssl/pubkey-pinning.c
From fb73bcb77e2e938942837bc3ec738f841b1476aa Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 20 Nov 2018 12:43:17 +0000
Subject: [PATCH 011/108] Correct return value error from _getdns_tls_connection_(read|write)().
---
 src/openssl/tls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 0c4fd917..134525fd 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -399,7 +399,7 @@ getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_
 int sread;
 if (!conn || !conn->ssl || !read)
- return -GETDNS_RETURN_INVALID_PARAMETER;
+ return GETDNS_RETURN_INVALID_PARAMETER;
 ERR_clear_error();
 sread = SSL_read(conn->ssl, buf, to_read);
@@ -425,7 +425,7 @@ getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8
 int swritten;
 if (!conn || !conn->ssl || !written)
- return -GETDNS_RETURN_INVALID_PARAMETER;
+ return GETDNS_RETURN_INVALID_PARAMETER;
 ERR_clear_error();
 swritten = SSL_write(conn->ssl, buf, to_write);
From 1b0a09a23f2b306ec37addd3e564b09b8f903b00 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 20 Nov 2018 14:53:31 +0000
Subject: [PATCH 012/108] Wrap hostname/certificate verification.
This removes the last OpenSSL items from stub.c.
---
 src/openssl/tls.c | 99 ++++++++++++++++++++++++++++++++++++
 src/stub.c | 127 +++++++++++++--------------------------------
 src/tls.h | 36 +++++++++++++
 3 files changed, 170 insertions(+), 92 deletions(-)
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 134525fd..36a0f9a3 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -34,7 +34,9 @@
 #include "config.h"
 #include
+#include
 #include
+#include
 #include
 #include
 #include
@@ -42,8 +44,35 @@
 #include
 #include
+#include "debug.h"
+#include "context.h"
+
 #include "tls.h"
+static int _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
+{
+# if defined(STUB_DEBUG) && STUB_DEBUG
+ char buf[8192];
+ X509 *cert;
+ int err;
+ int depth;
+
+ cert = X509_STORE_CTX_get_current_cert(ctx);
+ err = X509_STORE_CTX_get_error(ctx);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+
+ if (cert)
+ X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
+ else
+ strcpy(buf, "");
+ DEBUG_STUB("DEBUG Cert verify: depth=%d verify=%d err=%d subject=%s errorstr=%s\n", depth, ok, err, buf, X509_verify_cert_error_string(err));
+# else /* defined(STUB_DEBUG) && STUB_DEBUG */
+ (void)ok;
+ (void)ctx;
+# endif /* #else defined(STUB_DEBUG) && STUB_DEBUG */
+ return 1;
+}
+
 static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert)
 {
 _getdns_tls_x509* res;
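Review bot: `_getdns_tls_verify_always_ok` returns 1 unconditionally, so a chain or DANE failure no longer aborts the handshake and is only observable afterwards through the stored verify result, yet nothing at the definition says so. A header comment such as `/* Verify callback that never rejects: errors stay in the verify result and must be checked after the handshake with _getdns_tls_connection_verify(). */` makes the dependency on that later check explicit, because a caller that installs this callback and skips the check ends up with an unauthenticated connection. In the debug branch `strcpy(buf, "")` can simply be `buf[0] = '\0';`.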
@@ -394,6 +423,76 @@ getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection*
 return GETDNS_RETURN_TLS_CONNECTION_FRESH;
 }
+getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connection* conn, const char* auth_name)
+{
+ if (!conn || !conn->ssl || !auth_name)
+ return GETDNS_RETURN_INVALID_PARAMETER;
+
+ SSL_set_tlsext_host_name(conn->ssl, auth_name);
+ /* Set up native OpenSSL hostname verification */
+ X509_VERIFY_PARAM *param;
+ param = SSL_get0_param(conn->ssl);
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ X509_VERIFY_PARAM_set1_host(param, auth_name, 0);
+ return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset)
+{
+ if (!conn || !conn->ssl || !auth_name)
+ return GETDNS_RETURN_INVALID_PARAMETER;
+
+ int osr = SSL_dane_enable(conn->ssl, *auth_name ? auth_name : NULL);
+ (void) osr;
+ DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
+ , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
+ SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
+ const sha256_pin_t *pin_p;
+ size_t n_pins = 0;
+ for (pin_p = pinset; pin_p; pin_p = pin_p->next) {
+ osr = SSL_dane_tlsa_add(conn->ssl, 2, 1, 1,
+ (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+ DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
+ , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+ if (osr > 0)
+ ++n_pins;
+ osr = SSL_dane_tlsa_add(conn->ssl, 3, 1, 1,
+ (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
+ DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
+ , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
+ if (osr > 0)
+ ++n_pins;
+ }
+ return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
+{
+ if (!conn || !conn->ssl)
+ return GETDNS_RETURN_INVALID_PARAMETER;
+
+ long verify_result = SSL_get_verify_result(conn->ssl);
+ switch (verify_result) {
+ case X509_V_OK:
+ return GETDNS_RETURN_GOOD;
+
+ case X509_V_ERR_DANE_NO_MATCH:
+ if (errnum)
+ *errnum = 0;
+ if (errmsg)
+ *errmsg = "Pinset validation failure";
+ return GETDNS_RETURN_GENERIC_ERROR;
+
+ default:
+ if (errnum)
+ *errnum = verify_result;
+ if (errmsg)
+ *errmsg = X509_verify_cert_error_string(verify_result);
+ return GETDNS_RETURN_GENERIC_ERROR;
+ }
+}
+
 getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read)
 {
 int sread;
diff --git a/src/stub.c b/src/stub.c
index 52478dfb..8db8a7fe 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -39,9 +39,6 @@
 #define INTERCEPT_COM_DS 0
 #include "debug.h"
-#include
-#include
-#include
 #include
 #include "stub.h"
 #include "gldns/gbuffer.h"
@@ -826,31 +823,6 @@ tls_requested(getdns_network_req *netreq)
 1 : 0;
 }
-static int
-_getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
-{
-# if defined(STUB_DEBUG) && STUB_DEBUG
- char buf[8192];
- X509 *cert;
- int err;
- int depth;
-
- cert = X509_STORE_CTX_get_current_cert(ctx);
- err = X509_STORE_CTX_get_error(ctx);
- depth = X509_STORE_CTX_get_error_depth(ctx);
-
- if (cert)
- X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
- else
- strcpy(buf, "");
- DEBUG_STUB("DEBUG Cert verify: depth=%d verify=%d err=%d subject=%s errorstr=%s\n", depth, ok, err, buf, X509_verify_cert_error_string(err));
-# else /* defined(STUB_DEBUG) && STUB_DEBUG */
- (void)ok;
- (void)ctx;
-# endif /* #else defined(STUB_DEBUG) && STUB_DEBUG */
- return 1;
-}
-
 static _getdns_tls_connection*
 tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 {
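Review bot: `_getdns_tls_connection_set_host_pinset` passes `upstream->tls_auth_name` to `DEBUG_STUB`, but this function has no `upstream` in scope, only `auth_name`; it presumably builds today only because `DEBUG_STUB` discards its arguments when STUB_DEBUG is off, and a debug build will fail, so the line should read `, STUB_DEBUG_SETUP_TLS, __FUNC__, auth_name, osr);`. The results of `SSL_dane_enable` and `SSL_dane_tlsa_add` are only tallied into `n_pins`, which is never read, and the function returns GETDNS_RETURN_GOOD regardless, so a pinset that failed to install is never reported and `_getdns_tls_connection_verify` later judges the connection on the CA chain alone; returning an error when `osr <= 0` after `SSL_dane_enable`, or when `pinset` is non-NULL and `n_pins == 0`, closes that gap. `_getdns_tls_connection_setup_hostname_auth` likewise ignores the return of `X509_VERIFY_PARAM_set1_host`, which on failure leaves no hostname check installed; `if (!X509_VERIFY_PARAM_set1_host(param, auth_name, 0)) return GETDNS_RETURN_GENERIC_ERROR;` surfaces it. `_getdns_tls_connection_verify` leaves `errnum` and `errmsg` untouched on the X509_V_OK path, which is fine but should be stated in tls.h so callers do not read them on success.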
@@ -881,12 +853,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 /*Request certificate for the auth_name*/
 DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
 STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
- SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name);
- /* Set up native OpenSSL hostname verification */
- X509_VERIFY_PARAM *param;
- param = SSL_get0_param(tls->ssl);
- X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
- X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
+ _getdns_tls_connection_setup_hostname_auth(tls, upstream->tls_auth_name);
 /* Allow fallback to opportunistic if settings permit it*/
 if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
 upstream->tls_fallback_ok = 1;
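Review bot: The return value of `_getdns_tls_connection_setup_hostname_auth` is dropped, so a GETDNS_RETURN_INVALID_PARAMETER (null connection or auth name) leaves the connection without hostname verification while the caller proceeds as if it were configured; the `_getdns_tls_connection_set_host_pinset` call in the next hunk has the same shape. When `tls_auth_min` is GETDNS_AUTHENTICATION_REQUIRED this is exactly the case where silent degradation matters, so the result should be checked and handled like the other setup failures in `tls_create_object`, whose body starts and ends outside this hunk: `if (_getdns_tls_connection_setup_hostname_auth(tls, upstream->tls_auth_name) != GETDNS_RETURN_GOOD) { /* treat as TLS setup failure */ }`. At minimum the failure should be logged through `_getdns_upstream_log` so it shows up in the upstream statistics.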
@@ -926,32 +893,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 __FUNC__);
 }
- int osr;
-# if defined(STUB_DEBUG) && STUB_DEBUG
- osr =
-# else
- (void)
-# endif
- SSL_dane_enable(tls->ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL);
- DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
- , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
- SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
- sha256_pin_t *pin_p;
- size_t n_pins = 0;
- for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
- osr = SSL_dane_tlsa_add(tls->ssl, 2, 1, 1,
- (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
- DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
- , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
- if (osr > 0)
- ++n_pins;
- osr = SSL_dane_tlsa_add(tls->ssl, 3, 1, 1,
- (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
- DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n"
- , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
- if (osr > 0)
- ++n_pins;
- }
+ _getdns_tls_connection_set_host_pinset(tls, upstream->tls_auth_name, upstream->tls_pubkey_pinset);
 /* Session resumption. There are trade-offs here. Want to do it when
 possible only if we have the right type of connection. Note a change
@@ -1005,12 +947,9 @@ tls_do_handshake(getdns_upstream *upstream)
 upstream->tls_auth_state = upstream->last_tls_auth_state;
 else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
- X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl);
- long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl);
+ _getdns_tls_x509* peer_cert = _getdns_tls_connection_get_peer_certificate(upstream->tls_obj);
- upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
- ? GETDNS_AUTH_OK : GETDNS_AUTH_FAILED;
- if (!peer_cert)
+ if (!peer_cert) {
 _getdns_upstream_log(upstream,
 GETDNS_LOG_UPSTREAM_STATS,
 ( upstream->tls_fallback_ok
@@ -1021,38 +960,42 @@ tls_do_handshake(getdns_upstream *upstream)
 ( upstream->tls_fallback_ok
 ? "Tolerated because of Opportunistic profile"
 : "*Failure*" ));
+ upstream->tls_auth_state = GETDNS_AUTH_FAILED;
+ } else {
+ long verify_errno;
+ const char* verify_errmsg;
- /* Since we don't have DANE validation yet, DANE validation
- * failures are always pinset validation failures
- */
- else if (verify_result == X509_V_ERR_DANE_NO_MATCH)
- _getdns_upstream_log(upstream,
- GETDNS_LOG_UPSTREAM_STATS,
- ( upstream->tls_fallback_ok
- ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
- "%-40s : Verify failed : TLS - %s - "
- "Pinset validation failure\n", upstream->addr_str,
- ( upstream->tls_fallback_ok
- ? "Tolerated because of Opportunistic profile"
- : "*Failure*" ));
- else if (verify_result != X509_V_OK)
- _getdns_upstream_log(upstream,
- GETDNS_LOG_UPSTREAM_STATS,
- ( upstream->tls_fallback_ok
- ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
- "%-40s : Verify failed : TLS - %s - "
- "(%d) \"%s\"\n", upstream->addr_str,
- ( upstream->tls_fallback_ok
- ? "Tolerated because of Opportunistic profile"
- : "*Failure*" ), verify_result,
- X509_verify_cert_error_string(verify_result));
- else
+ if (!_getdns_tls_connection_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) {
+ upstream->tls_auth_state = GETDNS_AUTH_OK;
+ if (verify_errno != 0) {
+ _getdns_upstream_log(upstream,
+ GETDNS_LOG_UPSTREAM_STATS,
+ ( upstream->tls_fallback_ok
+ ? GETDNS_LOG_INFO : GETDNS_LOG_ERR), "%-40s : Verify failed : TLS - %s - "
+ "(%d) \"%s\"\n", upstream->addr_str,
+ ( upstream->tls_fallback_ok
+ ? "Tolerated because of Opportunistic profile"
+ : "*Failure*" ),
+ verify_errno, verify_errmsg);
+ } else {
+ _getdns_upstream_log(upstream,
+ GETDNS_LOG_UPSTREAM_STATS,
+ ( upstream->tls_fallback_ok
+ ? GETDNS_LOG_INFO : GETDNS_LOG_ERR), "%-40s : Verify failed : TLS - %s - "
+ "%s\n", upstream->addr_str,
+ ( upstream->tls_fallback_ok
+ ? "Tolerated because of Opportunistic profile"
+ : "*Failure*" ),
+ verify_errno, verify_errmsg);
+ }
+ } else {
 _getdns_upstream_log(upstream,
 GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
 "%-40s : Verify passed : TLS\n", upstream->addr_str);
-
- X509_free(peer_cert);
+ }
+ _getdns_tls_x509_free(peer_cert);
+ }
 if (upstream->tls_auth_state == GETDNS_AUTH_FAILED && !upstream->tls_fallback_ok)
 return STUB_SETUP_ERROR;
diff --git a/src/tls.h b/src/tls.h
index 9d0b0704..295b649c 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -38,6 +38,10 @@
 #include "tls-internal.h"
+/* Forward declare type. */
+struct sha256_pin;
+typedef struct sha256_pin sha256_pin_t;
+
 /* Additional return codes required by TLS abstraction. Internal use only. */
 #define GETDNS_RETURN_TLS_WANT_READ ((getdns_return_t) 420)
 #define GETDNS_RETURN_TLS_WANT_WRITE ((getdns_return_t) 421)
@@ -100,6 +104,38 @@ _getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connec
 */
 getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn);
+/**
+ * Set up host name verification.
+ *
+ * @param conn the connection.
+ * @param auth_name the hostname.
+ * @return GETDNS_RETURN_GOOD if all OK.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ */
+getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connection* conn, const char* auth_name);
+
+/**
+ * Set host pinset.
+ *
+ * @param conn the connection.
+ * @param auth_name the hostname.
+ * @return GETDNS_RETURN_GOOD if all OK.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ */
+getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset);
+
+/**
+ * Get result of certificate verification.
+ *
+ * @param conn the connection.
+ * @param errno failure error number.
+ * @param errmsg failure error message.
+ * @return GETDNS_RETURN_GOOD if all OK.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
+ * @return GETDNS_RETURN_GENERIC_ERROR if verification failed.
+ */
+getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg);
+
 /**
 * Read from TLS.
 *
From 52421be5f428a0a3937e3c1aefff24b240d34af0 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 20 Nov 2018 15:12:10 +0000
Subject: [PATCH 013/108] Correct error checking result of _getdns_tls_context_set_ca().
---
 src/context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/context.c b/src/context.c
index 0729f4d8..4ee4b5de 100644
--- a/src/context.c
+++ b/src/context.c
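Review bot: The comment on `_getdns_tls_connection_verify` documents `@param errno`, but the parameter is `errnum`, and `errno` is the C library macro, which makes the mismatch doubly confusing. The comment also omits the contract the implementation on this page establishes: `errnum` and `errmsg` are written only when GETDNS_RETURN_GENERIC_ERROR is returned, and a DANE/pinset mismatch is reported as `errnum` 0 with the fixed message "Pinset validation failure", which callers need in order to tell the two failure kinds apart; something like `@param errnum set on GENERIC_ERROR only; 0 means a pinset mismatch, otherwise the X509 verify error.` says it. `_getdns_tls_connection_set_host_pinset` lacks `@param pinset the pins to enforce; a NULL list adds no pins.`, and both new setup functions should state that `auth_name` must be non-NULL since they return INVALID_PARAMETER otherwise.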
@@ -3568,7 +3568,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 /* For strict authentication, we must have local root certs available
 Set up is done only when the tls_ctx is created (per getdns_context)*/
- if (!_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path)) {
+ if (_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path)) {
 if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED)
 return GETDNS_RETURN_BAD_CONTEXT;
 }
From cfa78707a36a33eeaacbe1de9e62e3e3d71385a2 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 20 Nov 2018 15:35:59 +0000
Subject: [PATCH 014/108] Add openssl subdir to distribution.
---
 Makefile.in | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Makefile.in b/Makefile.in
index ee6b86bb..53ffb04a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -210,6 +210,7 @@ $(distdir):
 mkdir -p $(distdir)/src/compat
 mkdir -p $(distdir)/src/util
 mkdir -p $(distdir)/src/gldns
+ mkdir -p $(distdir)/src/openssl
 mkdir -p $(distdir)/src/tools
 mkdir -p $(distdir)/src/jsmn
 mkdir -p $(distdir)/src/yxml
@@ -263,6 +264,7 @@ $(distdir):
 cp $(srcdir)/spec/*.html $(distdir)/spec
 cp $(srcdir)/spec/example/Makefile.in $(distdir)/spec/example
 cp $(srcdir)/spec/example/*.[ch] $(distdir)/spec/example
+ cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/openssl
 cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools
 cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools
 cp $(srcdir)/stubby/stubby.yml.example $(distdir)/stubby
From 756eda96d852d6dd58ffac18e0c9b42340d254c0 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 20 Nov 2018 15:47:56 +0000
Subject: [PATCH 015/108] Remove ssl_dane dir from dependency generation search.
---
 src/Makefile.in | 275 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 273 insertions(+), 2 deletions(-)
diff --git a/src/Makefile.in b/src/Makefile.in
index f3e253f8..b17efd85 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
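Review bot: The added copy line in the second Makefile.in hunk reads `cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/openssl`, so the new distribution directory is filled with the tools sources while the openssl sources this series places there (tls.c, tls-internal.h, pubkey-pinning.c) are never copied, and a build from the tarball will not find them. The line should be `cp $(srcdir)/src/openssl/*.[ch] $(distdir)/src/openssl`. tls.h was moved up to src/ earlier on this page, so it is presumably covered by whatever copies src/*.[ch] (not visible in this hunk); the `$(distdir)` rule itself starts outside the hunk.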
@@ -271,7 +271,7 @@ Makefile: $(srcdir)/Makefile.in ../config.status
 depend:
 (cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
- (blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
+ (blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \
 sed -e "s? $$blddir/? ?g" \
 -e 's? gldns/? $$(srcdir)/gldns/?g' \
 -e 's? compat/? $$(srcdir)/compat/?g' \
@@ -280,7 +280,6 @@ depend:
 -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
 -e 's? openssl/? $$(srcdir)/openssl/?g' \
 -e 's? yxml/? $$(srcdir)/yxml/?g' \
- -e 's? ssl_dane/? $$(srcdir)/ssl_dane/?g' \
 -e 's? extension/? $$(srcdir)/extension/?g' \
 -e 's? \.\./stubby/? $$(stubbysrcdir)/?g' \
 -e 's? \([a-z_-]*\)\.\([ch]\)? $$(srcdir)/\1.\2?g' \
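Review bot: The rewritten `depend` recipe line still hard-codes `gcc -MM` rather than `$(CC) -MM`, so the header-dependency list is regenerated with whatever `gcc` happens to be on the maintainer's PATH even when the tree is configured for another compiler; `CC` is presumably set by configure elsewhere in this Makefile, as it is for the compile rules. `-MM` is understood by both GCC and Clang, so `$(CC) -MM` keeps the target usable on Clang-only setups without editing the file.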
@@ -300,3 +299,275 @@ depend: FORCE: # Dependencies for gldns, utils, the extensions and compat functions +anchor.lo anchor.o: $(srcdir)/anchor.c config.h \ + $(srcdir)/debug.h $(srcdir)/anchor.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \ + $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h \ + $(srcdir)/platform.h +const-info.lo const-info.o: $(srcdir)/const-info.c \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/const-info.h +context.lo context.o: $(srcdir)/context.c config.h \ + $(srcdir)/anchor.h getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \ + $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h \ + $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h +convert.lo convert.o: $(srcdir)/convert.c config.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util-internal.h 
$(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ + $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ + $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h \ + $(srcdir)/debug.h +dict.lo dict.o: $(srcdir)/dict.c config.h \ + $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \ + $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h +dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ + $(srcdir)/debug.h getdns/getdns.h \ + $(srcdir)/context.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h 
$(srcdir)/gldns/wire2str.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \ + $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h +general.lo general.o: $(srcdir)/general.c config.h \ + $(srcdir)/general.h getdns/getdns.h \ + $(srcdir)/types-internal.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h +list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \ + config.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h +mdns.lo mdns.o: $(srcdir)/mdns.c config.h \ + $(srcdir)/debug.h $(srcdir)/context.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h 
$(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/general.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h +platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \ + config.h +request-internal.lo request-internal.o: $(srcdir)/request-internal.c \ + config.h $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h +rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ + config.h \ + getdns/getdns.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/util-internal.h $(srcdir)/context.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \ + $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dict.h +rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + config.h \ + getdns/getdns.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h +server.lo server.o: $(srcdir)/server.c config.h \ + getdns/getdns_extra.h \ + getdns/getdns.h $(srcdir)/context.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h 
$(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/debug.h \ + $(srcdir)/util-internal.h $(srcdir)/platform.h +stub.lo stub.o: $(srcdir)/stub.c config.h \ + $(srcdir)/debug.h $(srcdir)/stub.h \ + getdns/getdns.h \ + $(srcdir)/types-internal.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \ + $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \ + $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \ + $(srcdir)/pubkey-pinning.h +sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \ + config.h $(srcdir)/context.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/general.h \ + $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h +ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \ + config.h +util-internal.lo util-internal.o: $(srcdir)/util-internal.c \ + config.h \ + getdns/getdns.h $(srcdir)/dict.h \ + $(srcdir)/util/rbtree.h 
$(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ + getdns/getdns_extra.h $(srcdir)/list.h \ + $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ + $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ + $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \ + $(srcdir)/gldns/rrdef.h +gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ + config.h $(srcdir)/gldns/gbuffer.h +keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ + config.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/gldns/rrdef.h +parse.lo parse.o: $(srcdir)/gldns/parse.c \ + config.h $(srcdir)/gldns/parse.h \ + $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h +parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \ + config.h $(srcdir)/gldns/parseutil.h +rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \ + config.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/parseutil.h +str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \ + config.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \ + $(srcdir)/gldns/parseutil.h +wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \ + config.h $(srcdir)/gldns/wire2str.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h +arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \ + config.h +arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \ + config.h \ + $(srcdir)/compat/chacha_private.h +arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c \ + config.h +explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c \ + config.h +getentropy_linux.lo getentropy_linux.o: 
$(srcdir)/compat/getentropy_linux.c \ + config.h +getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c \ + config.h +getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c \ + config.h +getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c +gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c \ + config.h +inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c \ + config.h +inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c \ + config.h +sha512.lo sha512.o: $(srcdir)/compat/sha512.c \ + config.h +strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \ + config.h +strptime.lo strptime.o: $(srcdir)/compat/strptime.c \ + config.h +locks.lo locks.o: $(srcdir)/util/locks.c config.h \ + $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h +lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \ + config.h \ + $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \ + $(srcdir)/util/orig-headers/lookup3.h +lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \ + config.h \ + $(srcdir)/util/auxiliary/util/storage/lruhash.h $(srcdir)/util/lruhash.h \ + $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ + $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h +rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ + config.h $(srcdir)/util/auxiliary/log.h \ + $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \ + $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h +val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \ + config.h \ + $(srcdir)/util/auxiliary/util/data/packed_rrset.h \ + $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \ + $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \ + 
$(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h +jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h +pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \ + config.h $(srcdir)/debug.h \ + getdns/getdns.h $(srcdir)/context.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/context.h +tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \ + $(srcdir)/debug.h $(srcdir)/context.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/tls.h +yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h +libev.lo libev.o: $(srcdir)/extension/libev.c \ + config.h $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h +libevent.lo libevent.o: $(srcdir)/extension/libevent.c \ + config.h $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h 
$(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h +libuv.lo libuv.o: $(srcdir)/extension/libuv.c \ + config.h $(srcdir)/debug.h \ + $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h +poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \ + config.h $(srcdir)/util-internal.h \ + $(srcdir)/context.h getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h +select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \ + config.h $(srcdir)/debug.h \ + $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \ + $(srcdir)/extension/select_eventloop.h +stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c \ + config.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h From ff9cde2087282b66357b9bd450fef61daf5db7cb Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 20 Nov 2018 15:49:26 +0000 Subject: [PATCH 016/108] Remove SSL type from pubkey-pinning interface. --- src/openssl/pubkey-pinning.c | 11 +++++++---- src/pubkey-pinning.h | 5 +++-- src/stub.c | 2 +- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/openssl/pubkey-pinning.c b/src/openssl/pubkey-pinning.c index 1b9674fd..09cb2c70 100644 --- a/src/openssl/pubkey-pinning.c +++ b/src/openssl/pubkey-pinning.c 
@@ -361,15 +361,18 @@ _getdns_upstream_from_x509_store(X509_STORE_CTX *store)
 }
 
 getdns_return_t
-_getdns_associate_upstream_with_SSL(SSL *ssl,
- getdns_upstream *upstream)
+_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
+ getdns_upstream *upstream)
 {
+ if (!conn || !conn->ssl)
+ return GETDNS_RETURN_INVALID_PARAMETER;
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 int uidx = _get_ssl_getdns_upstream_idx();
 #else
- int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl)));
+ int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(conn->ssl)));
 #endif
- if (SSL_set_ex_data(ssl, uidx, upstream))
+ if (SSL_set_ex_data(conn->ssl, uidx, upstream))
 return GETDNS_RETURN_GOOD;
 else
 return GETDNS_RETURN_GENERIC_ERROR;
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 894ccf00..5f0e4840 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -34,6 +34,7 @@
 #ifndef PUBKEY_PINNING_H_
 #define PUBKEY_PINNING_H_
 
+#include "tls.h"
 
 /* create and populate a pinset linked list from a getdns_list pinset */
 getdns_return_t
@@ -57,8 +58,8 @@ _getdns_upstream_from_x509_store(X509_STORE_CTX *store);
 
 
 getdns_return_t
-_getdns_associate_upstream_with_SSL(SSL *ssl,
- getdns_upstream *upstream);
+_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
+ getdns_upstream *upstream);
 
 getdns_return_t
 _getdns_verify_pinset_match(const sha256_pin_t *pinset,
diff --git a/src/stub.c b/src/stub.c
index 8db8a7fe..ca4c55d0 100644
--- a/src/stub.c
+++ b/src/stub.c
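Review bot: The new guard rejects a NULL connection but still stores `upstream` unchecked, and what it stores is a bare pointer kept in the SSL object's ex_data for as long as `conn->ssl` lives, so the function's contract should say so. `SSL_set_ex_data(conn->ssl, uidx, upstream)` neither retains nor ever clears the pointer, so whoever later retrieves it (presumably `_getdns_upstream_from_x509_store`, declared just above this hunk) dereferences freed memory if the upstream is torn down before the connection. I would extend the check to `if (!conn || !conn->ssl || !upstream) return GETDNS_RETURN_INVALID_PARAMETER;` unless a NULL upstream is intended to disassociate, and put a comment on the declaration in pubkey-pinning.h: `/* Stores a raw pointer to upstream in conn's SSL ex_data; upstream must outlive conn, since the X.509 verify path looks it up. */`. Whether `_get_ssl_getdns_upstream_idx()` can return -1 is not visible here; if it can, `uidx` should be checked before the `SSL_set_ex_data` call. The function's closing brace lies outside the hunk.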
@@ -838,7 +838,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 _getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);
 #endif
 /* make sure we'll be able to find the context again when we need it */
- if (_getdns_associate_upstream_with_SSL(tls->ssl, upstream) != GETDNS_RETURN_GOOD) {
+ if (_getdns_associate_upstream_with_connection(tls, upstream) != GETDNS_RETURN_GOOD) {
 _getdns_tls_connection_free(tls);
 return NULL;
 }
From 4eb845bc58de7d3c904804ec489dee7c71555e0d Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 20 Nov 2018 15:55:34 +0000
Subject: [PATCH 017/108] Move internal-only functions from public pubkey-pinning interface.
The interface now only exposes functions used by the main getdns code.
---
 src/Makefile.in | 2 +-
 src/openssl/pubkey-pinning-internal.h | 51 +++++++++++++++++++++++++++
 src/openssl/pubkey-pinning.c | 2 ++
 src/pubkey-pinning.h | 14 +------
 4 files changed, 55 insertions(+), 14 deletions(-)
 create mode 100644 src/openssl/pubkey-pinning-internal.h
diff --git a/src/Makefile.in b/src/Makefile.in
index b17efd85..72e5002c 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -525,7 +525,7 @@ pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \
 $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
 $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
 $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/context.h
+ $(srcdir)/context.h $(srcdir)/openssl/pubkey-pinning-internal.h
 tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
 $(srcdir)/debug.h $(srcdir)/context.h \
 getdns/getdns.h \
diff --git a/src/openssl/pubkey-pinning-internal.h b/src/openssl/pubkey-pinning-internal.h
new file mode 100644
index 00000000..3313dffd
--- /dev/null
+++ b/src/openssl/pubkey-pinning-internal.h
@@ -0,0 +1,51 @@
+/**
+ *
+ * /brief internal functions for dealing with pubkey pinsets
+ *
+ */
+
+/*
+ * Copyright (c) 2015 ACLU
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef PUBKEY_PINNING_INTERNAL_H_
+#define PUBKEY_PINNING_INTERNAL_H_
+
+#include
+
+/* internal functions for associating X.509 verification processes in
+ * OpenSSL with getdns_upstream objects.
*/
+
+getdns_upstream*
+_getdns_upstream_from_x509_store(X509_STORE_CTX *store);
+
+
+getdns_return_t
+_getdns_verify_pinset_match(const sha256_pin_t *pinset,
+ X509_STORE_CTX *store);
+
+#endif
+/* pubkey-pinning-internal.h */
diff --git a/src/openssl/pubkey-pinning.c b/src/openssl/pubkey-pinning.c
index 09cb2c70..8f10ee6f 100644
--- a/src/openssl/pubkey-pinning.c
+++ b/src/openssl/pubkey-pinning.c
@@ -56,6 +56,8 @@
 #include "context.h"
 #include "util-internal.h"
 
+#include "pubkey-pinning-internal.h"
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #define X509_STORE_CTX_get0_untrusted(store) store->untrusted
 #endif
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 5f0e4840..4e8a31e5 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -1,6 +1,6 @@
 /**
  *
- * /brief internal functions for dealing with pubkey pinsets
+ * /brief functions for dealing with pubkey pinsets
  *
  */
 
@@ -49,21 +49,9 @@ _getdns_get_pubkey_pinset_list(getdns_context *ctx,
 const sha256_pin_t *pinset_in,
 getdns_list **pinset_list);
 
-
-/* internal functions for associating X.509 verification processes in
- * OpenSSL with getdns_upstream objects. */
-
-getdns_upstream*
-_getdns_upstream_from_x509_store(X509_STORE_CTX *store);
-
-
 getdns_return_t
 _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
 getdns_upstream *upstream);
 
-getdns_return_t
-_getdns_verify_pinset_match(const sha256_pin_t *pinset,
- X509_STORE_CTX *store);
-
 #endif
 /* pubkey-pinning.h */
From da94b52f749e907eecec69df0195d2307069be7f Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 20 Nov 2018 16:21:06 +0000
Subject: [PATCH 018/108] Move val_secalgo.c to openssl.
It contains ports other than OpenSSL (NSS and NETTLE), but we're not worrying about those for our purposes at present.
---
 src/Makefile.in | 20 ++++++++++----------
 src/{util => openssl}/val_secalgo.c | 0
 2 files changed, 10 insertions(+), 10 deletions(-)
 rename src/{util => openssl}/val_secalgo.c (100%)
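Review bot: The new pubkey-pinning-internal.h is not self-contained: it declares its two functions in terms of `getdns_upstream`, `getdns_return_t`, `sha256_pin_t` and `X509_STORE_CTX`, but carries a single `#include` (its `<...>` target is lost in this rendering) and nothing for the getdns types, so it only compiles when pulled in after context.h and util-internal.h, which is exactly the order pubkey-pinning.c uses in the next hunk. Either add the headers it needs (`#include "getdns/getdns.h"` plus whichever header defines `sha256_pin_t` and `getdns_upstream`, which I cannot see from here) or state the ordering requirement at the top: `/* Must be included after context.h: relies on getdns_upstream and sha256_pin_t. */`. The declarations are also undocumented; a one-line comment on each saying where it is called from (the OpenSSL verify path, judging by the `X509_STORE_CTX *` argument) and what `_getdns_verify_pinset_match` returns on a match versus no match would spare the next reader a trip into pubkey-pinning.c. If Doxygen is intended, `/brief` should read `\brief`.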
diff --git a/src/Makefile.in b/src/Makefile.in index 72e5002c..4e1085a8 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -91,10 +91,10 @@ LIBOBJDIR= LIBOBJS=@LIBOBJS@ COMPAT_OBJ=$(LIBOBJS:.o=.lo) -UTIL_OBJ=rbtree.lo val_secalgo.lo lruhash.lo lookup3.lo locks.lo +UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo JSMN_OBJ=jsmn.lo -TLS_OBJ=tls.lo pubkey-pinning.lo +TLS_OBJ=tls.lo pubkey-pinning.lo val_secalgo.lo YXML_OBJ=yxml.lo YAML_OBJ=convert_yaml_to_json.lo @@ -508,14 +508,6 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \ $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/orig-headers/rbtree.h -val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \ - config.h \ - $(srcdir)/util/auxiliary/util/data/packed_rrset.h \ - $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \ - $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \ config.h $(srcdir)/debug.h \ 
@@ -534,6 +526,14 @@ tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/tls.h +val_secalgo.lo val_secalgo.o: $(srcdir)/openssl/val_secalgo.c \ + config.h \ + $(srcdir)/util/auxiliary/util/data/packed_rrset.h \ + $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \ + $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \ + $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h libev.lo libev.o: $(srcdir)/extension/libev.c \ config.h $(srcdir)/types-internal.h \ diff --git a/src/util/val_secalgo.c b/src/openssl/val_secalgo.c similarity index 100% rename from src/util/val_secalgo.c rename to src/openssl/val_secalgo.c From f3e0f2b9e635609e9740dcd96935e9eca007d55d Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 20 Nov 2018 16:51:17 +0000 Subject: [PATCH 019/108] Split OpenSSL specific bits of keyraw.hc into keyraw-internal.hc. All usage is internal to val_secalgo.c, which is already in openssl. --- src/Makefile.in | 19 +- src/gldns/keyraw.c | 332 -------------------------------- src/gldns/keyraw.h | 83 +------- src/openssl/keyraw-internal.c | 348 ++++++++++++++++++++++++++++++++++ src/openssl/keyraw-internal.h | 110 +++++++++++ 5 files changed, 471 insertions(+), 421 deletions(-) create mode 100644 src/openssl/keyraw-internal.c create mode 100644 src/openssl/keyraw-internal.h 
diff --git a/src/Makefile.in b/src/Makefile.in index 4e1085a8..8da886c5 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -94,7 +94,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo) UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo JSMN_OBJ=jsmn.lo -TLS_OBJ=tls.lo pubkey-pinning.lo val_secalgo.lo +TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo YXML_OBJ=yxml.lo YAML_OBJ=convert_yaml_to_json.lo @@ -308,8 +308,8 @@ anchor.lo anchor.o: $(srcdir)/anchor.c config.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h \ - $(srcdir)/platform.h + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h \ + $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h const-info.lo const-info.o: $(srcdir)/const-info.c \ getdns/getdns.h \ getdns/getdns_extra.h \ 
@@ -352,8 +352,8 @@ dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \ - $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h + $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \ + $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h general.lo general.o: $(srcdir)/general.c config.h \ $(srcdir)/general.h getdns/getdns.h \ $(srcdir)/types-internal.h \ @@ -447,7 +447,7 @@ gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ config.h $(srcdir)/gldns/gbuffer.h keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ config.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/gldns/rrdef.h + $(srcdir)/openssl/keyraw-internal.h parse.lo parse.o: $(srcdir)/gldns/parse.c \ config.h $(srcdir)/gldns/parse.h \ $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h @@ -463,7 +463,7 @@ str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \ wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \ config.h $(srcdir)/gldns/wire2str.h \ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \ - $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \ config.h arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \ 
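Review bot: In the `@@ -447,7 +447,7 @@` hunk the keyraw.lo rule loses `$(srcdir)/gldns/rrdef.h` as a prerequisite, although keyraw.c still includes it (the `#include "gldns/rrdef.h"` line survives as context in this patch's keyraw.c hunk), so edits to rrdef.h will no longer rebuild keyraw.lo. The replacement line should list both headers: `$(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h`. If these dependency lists are produced by a depend step, fix the generator's input rather than the generated text, otherwise the next regeneration will reintroduce whichever version it sees.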
@@ -509,6 +509,9 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/orig-headers/rbtree.h jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h +keyraw-internal.lo keyraw-internal.o: $(srcdir)/openssl/keyraw-internal.c \ + config.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \ config.h $(srcdir)/debug.h \ getdns/getdns.h $(srcdir)/context.h \ @@ -533,7 +536,7 @@ val_secalgo.lo val_secalgo.o: $(srcdir)/openssl/val_secalgo.c \ $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h + $(srcdir)/openssl/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h libev.lo libev.o: $(srcdir)/extension/libev.c \ config.h $(srcdir)/types-internal.h \ diff --git a/src/gldns/keyraw.c b/src/gldns/keyraw.c index db84743e..e59189e0 100644 --- a/src/gldns/keyraw.c +++ b/src/gldns/keyraw.c @@ -14,26 +14,6 @@ #include "gldns/keyraw.h" #include "gldns/rrdef.h" -#ifdef HAVE_SSL -#include -#include -#include -#include -#include -#ifdef HAVE_OPENSSL_ENGINE_H -# include -#endif -#ifdef HAVE_OPENSSL_BN_H -#include -#endif -#ifdef HAVE_OPENSSL_RSA_H -#include -#endif -#ifdef HAVE_OPENSSL_DSA_H -#include -#endif -#endif /* HAVE_SSL */ - size_t gldns_rr_dnskey_key_size_raw(const unsigned char* keydata, const size_t len, int alg) 
@@ -126,315 +106,3 @@ uint16_t gldns_calc_keytag_raw(const uint8_t* key, size_t keysize) return (uint16_t) (ac32 & 0xFFFF); } } - -#ifdef HAVE_SSL -#ifdef USE_GOST -/** store GOST engine reference loaded into OpenSSL library */ -ENGINE* gldns_gost_engine = NULL; - -int -gldns_key_EVP_load_gost_id(void) -{ - static int gost_id = 0; - const EVP_PKEY_ASN1_METHOD* meth; - ENGINE* e; - - if(gost_id) return gost_id; - - /* see if configuration loaded gost implementation from other engine*/ - meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); - if(meth) { - EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); - return gost_id; - } - - /* see if engine can be loaded already */ - e = ENGINE_by_id("gost"); - if(!e) { - /* load it ourself, in case statically linked */ - ENGINE_load_builtin_engines(); - ENGINE_load_dynamic(); - e = ENGINE_by_id("gost"); - } - if(!e) { - /* no gost engine in openssl */ - return 0; - } - if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { - ENGINE_finish(e); - ENGINE_free(e); - return 0; - } - - meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); - if(!meth) { - /* algo not found */ - ENGINE_finish(e); - ENGINE_free(e); - return 0; - } - /* Note: do not ENGINE_finish and ENGINE_free the acquired engine - * on some platforms this frees up the meth and unloads gost stuff */ - gldns_gost_engine = e; - - EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); - return gost_id; -} - -void gldns_key_EVP_unload_gost(void) -{ - if(gldns_gost_engine) { - ENGINE_finish(gldns_gost_engine); - ENGINE_free(gldns_gost_engine); - gldns_gost_engine = NULL; - } -} -#endif /* USE_GOST */ - -DSA * -gldns_key_buf2dsa_raw(unsigned char* key, size_t len) -{ - uint8_t T; - uint16_t length; - uint16_t offset; - DSA *dsa; - BIGNUM *Q; BIGNUM *P; - BIGNUM *G; BIGNUM *Y; - - if(len == 0) - return NULL; - T = (uint8_t)key[0]; - length = (64 + T * 8); - offset = 1; - - if (T > 8) { - return NULL; - } - if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length) - 
return NULL; - - Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL); - offset += SHA_DIGEST_LENGTH; - - P = BN_bin2bn(key+offset, (int)length, NULL); - offset += length; - - G = BN_bin2bn(key+offset, (int)length, NULL); - offset += length; - - Y = BN_bin2bn(key+offset, (int)length, NULL); - - /* create the key and set its properties */ - if(!Q || !P || !G || !Y || !(dsa = DSA_new())) { - BN_free(Q); - BN_free(P); - BN_free(G); - BN_free(Y); - return NULL; - } - if (!DSA_set0_pqg(dsa, P, Q, G)) { - /* QPG not yet attached, need to free */ - BN_free(Q); - BN_free(P); - BN_free(G); - - DSA_free(dsa); - BN_free(Y); - return NULL; - } - if (!DSA_set0_key(dsa, Y, NULL)) { - /* QPG attached, cleaned up by DSA_fre() */ - DSA_free(dsa); - BN_free(Y); - return NULL; - } - - return dsa; -} - -RSA * -gldns_key_buf2rsa_raw(unsigned char* key, size_t len) -{ - uint16_t offset; - uint16_t exp; - uint16_t int16; - RSA *rsa; - BIGNUM *modulus; - BIGNUM *exponent; - - if (len == 0) - return NULL; - if (key[0] == 0) { - if(len < 3) - return NULL; - memmove(&int16, key+1, 2); - exp = ntohs(int16); - offset = 3; - } else { - exp = key[0]; - offset = 1; - } - - /* key length at least one */ - if(len < (size_t)offset + exp + 1) - return NULL; - - /* Exponent */ - exponent = BN_new(); - if(!exponent) return NULL; - (void) BN_bin2bn(key+offset, (int)exp, exponent); - offset += exp; - - /* Modulus */ - modulus = BN_new(); - if(!modulus) { - BN_free(exponent); - return NULL; - } - /* length of the buffer must match the key length! 
*/ - (void) BN_bin2bn(key+offset, (int)(len - offset), modulus); - - rsa = RSA_new(); - if(!rsa) { - BN_free(exponent); - BN_free(modulus); - return NULL; - } - if (!RSA_set0_key(rsa, modulus, exponent, NULL)) { - BN_free(exponent); - BN_free(modulus); - RSA_free(rsa); - return NULL; - } - - return rsa; -} - -#ifdef USE_GOST -EVP_PKEY* -gldns_gost2pkey_raw(unsigned char* key, size_t keylen) -{ - /* prefix header for X509 encoding */ - uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, - 0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40}; - unsigned char encoded[37+64]; - const unsigned char* pp; - if(keylen != 64) { - /* key wrong size */ - return NULL; - } - - /* create evp_key */ - memmove(encoded, asn, 37); - memmove(encoded+37, key, 64); - pp = (unsigned char*)&encoded[0]; - - return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded)); -} -#endif /* USE_GOST */ - -#ifdef USE_ECDSA -EVP_PKEY* -gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo) -{ - unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ - const unsigned char* pp = buf; - EVP_PKEY *evp_key; - EC_KEY *ec; - /* check length, which uncompressed must be 2 bignums */ - if(algo == GLDNS_ECDSAP256SHA256) { - if(keylen != 2*256/8) return NULL; - ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - } else if(algo == GLDNS_ECDSAP384SHA384) { - if(keylen != 2*384/8) return NULL; - ec = EC_KEY_new_by_curve_name(NID_secp384r1); - } else ec = NULL; - if(!ec) return NULL; - if(keylen+1 > sizeof(buf)) { /* sanity check */ - EC_KEY_free(ec); - return NULL; - } - /* prepend the 0x02 (from docs) (or actually 0x04 from implementation - * of openssl) for uncompressed data */ - buf[0] = POINT_CONVERSION_UNCOMPRESSED; - memmove(buf+1, key, keylen); - if(!o2i_ECPublicKey(&ec, &pp, (int)keylen+1)) { - EC_KEY_free(ec); - return NULL; - } - evp_key = EVP_PKEY_new(); - 
if(!evp_key) { - EC_KEY_free(ec); - return NULL; - } - if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) { - EVP_PKEY_free(evp_key); - EC_KEY_free(ec); - return NULL; - } - return evp_key; -} -#endif /* USE_ECDSA */ - -#ifdef USE_ED25519 -EVP_PKEY* -gldns_ed255192pkey_raw(const unsigned char* key, size_t keylen) -{ - /* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */ - uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, - 0x70, 0x03, 0x21, 0x00}; - int pre_len = 12; - uint8_t buf[256]; - EVP_PKEY *evp_key; - /* pp gets modified by d2i() */ - const unsigned char* pp = (unsigned char*)buf; - if(keylen != 32 || keylen + pre_len > sizeof(buf)) - return NULL; /* wrong length */ - memmove(buf, pre, pre_len); - memmove(buf+pre_len, key, keylen); - evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen)); - return evp_key; -} -#endif /* USE_ED25519 */ - -#ifdef USE_ED448 -EVP_PKEY* -gldns_ed4482pkey_raw(const unsigned char* key, size_t keylen) -{ - /* ASN1 for ED448 is 3043300506032b6571033a00 <57byteskey> */ - uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, - 0x71, 0x03, 0x3a, 0x00}; - int pre_len = 12; - uint8_t buf[256]; - EVP_PKEY *evp_key; - /* pp gets modified by d2i() */ - const unsigned char* pp = (unsigned char*)buf; - if(keylen != 57 || keylen + pre_len > sizeof(buf)) - return NULL; /* wrong length */ - memmove(buf, pre, pre_len); - memmove(buf+pre_len, key, keylen); - evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen)); - return evp_key; -} -#endif /* USE_ED448 */ - -int -gldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest, - const EVP_MD* md) -{ - EVP_MD_CTX* ctx; - ctx = EVP_MD_CTX_create(); - if(!ctx) - return 0; - if(!EVP_DigestInit_ex(ctx, md, NULL) || - !EVP_DigestUpdate(ctx, data, len) || - !EVP_DigestFinal_ex(ctx, dest, NULL)) { - EVP_MD_CTX_destroy(ctx); - return 0; - } - EVP_MD_CTX_destroy(ctx); - return 1; -} -#endif /* HAVE_SSL */ 
diff --git a/src/gldns/keyraw.h b/src/gldns/keyraw.h
index a847887c..caefad01 100644
--- a/src/gldns/keyraw.h
+++ b/src/gldns/keyraw.h
@@ -20,13 +20,11 @@
 #ifndef GLDNS_KEYRAW_H
 #define GLDNS_KEYRAW_H
 
+#include "keyraw-internal.h"
+
 #ifdef __cplusplus
 extern "C" {
 #endif
-#if GLDNS_BUILD_CONFIG_HAVE_SSL
-# include
-# include
-#endif /* GLDNS_BUILD_CONFIG_HAVE_SSL */
 
 /**
  * get the length of the keydata in bits
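Review bot: `gldns/keyraw.h` now unconditionally includes `keyraw-internal.h`, a backend header reachable only through the `-I$(srcdir)/openssl` flag, which drops the old `GLDNS_BUILD_CONFIG_HAVE_SSL` guard and makes every includer of keyraw.h (anchor.c, dnssec.c and wire2str.c, per this patch's Makefile hunks) depend on the OpenSSL backend, which is the opposite of what the series sets out to do and at odds with the commit message's statement that all usage is internal to val_secalgo.c. If that statement holds, drop the include here and add `#include "keyraw-internal.h"` to val_secalgo.c (and to keyraw.c if it needs it), so the generic gldns header stays backend-neutral. If keyraw.h itself needs something from keyraw-internal.h, which I cannot tell because that file's contents fall outside this chunk, say so in a comment beside the include: `/* keyraw-internal.h: backend-specific key conversion declarations, needed here because ... */`.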
@@ -46,83 +44,6 @@ size_t gldns_rr_dnskey_key_size_raw(const unsigned char *keydata, */ uint16_t gldns_calc_keytag_raw(const uint8_t* key, size_t keysize); -#if GLDNS_BUILD_CONFIG_HAVE_SSL -/** - * Get the PKEY id for GOST, loads GOST into openssl as a side effect. - * Only available if GOST is compiled into the library and openssl. - * \return the gost id for EVP_CTX creation. - */ -int gldns_key_EVP_load_gost_id(void); - -/** Release the engine reference held for the GOST engine. */ -void gldns_key_EVP_unload_gost(void); - -/** - * Like gldns_key_buf2dsa, but uses raw buffer. - * \param[in] key the uncompressed wireformat of the key. - * \param[in] len length of key data - * \return a DSA * structure with the key material - */ -DSA *gldns_key_buf2dsa_raw(unsigned char* key, size_t len); - -/** - * Converts a holding buffer with key material to EVP PKEY in openssl. - * Only available if ldns was compiled with GOST. - * \param[in] key data to convert - * \param[in] keylen length of the key data - * \return the key or NULL on error. - */ -EVP_PKEY* gldns_gost2pkey_raw(unsigned char* key, size_t keylen); - -/** - * Converts a holding buffer with key material to EVP PKEY in openssl. - * Only available if ldns was compiled with ECDSA. - * \param[in] key data to convert - * \param[in] keylen length of the key data - * \param[in] algo precise algorithm to initialize ECC group values. - * \return the key or NULL on error. - */ -EVP_PKEY* gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo); - -/** - * Like gldns_key_buf2rsa, but uses raw buffer. - * \param[in] key the uncompressed wireformat of the key. - * \param[in] len length of key data - * \return a RSA * structure with the key material - */ -RSA *gldns_key_buf2rsa_raw(unsigned char* key, size_t len); - -/** - * Converts a holding buffer with key material to EVP PKEY in openssl. - * Only available if ldns was compiled with ED25519. - * \param[in] key the uncompressed wireformat of the key. 
- * \param[in] len length of key data - * \return the key or NULL on error. - */ -EVP_PKEY* gldns_ed255192pkey_raw(const unsigned char* key, size_t len); - -/** - * Converts a holding buffer with key material to EVP PKEY in openssl. - * Only available if ldns was compiled with ED448. - * \param[in] key the uncompressed wireformat of the key. - * \param[in] len length of key data - * \return the key or NULL on error. - */ -EVP_PKEY* gldns_ed4482pkey_raw(const unsigned char* key, size_t len); - -/** - * Utility function to calculate hash using generic EVP_MD pointer. - * \param[in] data the data to hash. - * \param[in] len length of data. - * \param[out] dest the destination of the hash, must be large enough. - * \param[in] md the message digest to use. - * \return true if worked, false on failure. - */ -int gldns_digest_evp(unsigned char* data, unsigned int len, - unsigned char* dest, const EVP_MD* md); - -#endif /* GLDNS_BUILD_CONFIG_HAVE_SSL */ - #ifdef __cplusplus } #endif diff --git a/src/openssl/keyraw-internal.c b/src/openssl/keyraw-internal.c new file mode 100644 index 00000000..75c53c00 --- /dev/null +++ b/src/openssl/keyraw-internal.c 
@@ -0,0 +1,348 @@ +/* + * keyraw.c - raw key operations and conversions - OpenSSL version + * + * (c) NLnet Labs, 2004-2008 + * + * See the file LICENSE for the license + */ +/** + * \file + * Implementation of raw DNSKEY functions (work on wire rdata). + */ + +#include "config.h" +#include "gldns/keyraw.h" +#include "gldns/rrdef.h" + +#ifdef HAVE_SSL +#include +#include +#include +#include +#include +#ifdef HAVE_OPENSSL_ENGINE_H +# include +#endif +#ifdef HAVE_OPENSSL_BN_H +#include +#endif +#ifdef HAVE_OPENSSL_RSA_H +#include +#endif +#ifdef HAVE_OPENSSL_DSA_H +#include +#endif +#endif /* HAVE_SSL */ + +#ifdef HAVE_SSL +#ifdef USE_GOST + +/** store GOST engine reference loaded into OpenSSL library */ +ENGINE* gldns_gost_engine = NULL; + +int +gldns_key_EVP_load_gost_id(void) +{ + static int gost_id = 0; + const EVP_PKEY_ASN1_METHOD* meth; + ENGINE* e; + + if(gost_id) return gost_id; + + /* see if configuration loaded gost implementation from other engine*/ + meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); + if(meth) { + EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); + return gost_id; + } + + /* see if engine can be loaded already */ + e = ENGINE_by_id("gost"); + if(!e) { + /* load it ourself, in case statically linked */ + ENGINE_load_builtin_engines(); + ENGINE_load_dynamic(); + e = ENGINE_by_id("gost"); + } + if(!e) { + /* no gost engine in openssl */ + return 0; + } + if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { + ENGINE_finish(e); + ENGINE_free(e); + return 0; + } + + meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); + if(!meth) { + /* algo not found */ + ENGINE_finish(e); + ENGINE_free(e); + return 0; + } + /* Note: do not ENGINE_finish and ENGINE_free the acquired engine + * on some platforms this frees up the meth and unloads gost stuff */ + gldns_gost_engine = e; + + EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); + return gost_id; +} + +void gldns_key_EVP_unload_gost(void) +{ + if(gldns_gost_engine) { + 
ENGINE_finish(gldns_gost_engine); + ENGINE_free(gldns_gost_engine); + gldns_gost_engine = NULL; + } +} +#endif /* USE_GOST */ + +DSA * +gldns_key_buf2dsa_raw(unsigned char* key, size_t len) +{ + uint8_t T; + uint16_t length; + uint16_t offset; + DSA *dsa; + BIGNUM *Q; BIGNUM *P; + BIGNUM *G; BIGNUM *Y; + + if(len == 0) + return NULL; + T = (uint8_t)key[0]; + length = (64 + T * 8); + offset = 1; + + if (T > 8) { + return NULL; + } + if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length) + return NULL; + + Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL); + offset += SHA_DIGEST_LENGTH; + + P = BN_bin2bn(key+offset, (int)length, NULL); + offset += length; + + G = BN_bin2bn(key+offset, (int)length, NULL); + offset += length; + + Y = BN_bin2bn(key+offset, (int)length, NULL); + + /* create the key and set its properties */ + if(!Q || !P || !G || !Y || !(dsa = DSA_new())) { + BN_free(Q); + BN_free(P); + BN_free(G); + BN_free(Y); + return NULL; + } + if (!DSA_set0_pqg(dsa, P, Q, G)) { + /* QPG not yet attached, need to free */ + BN_free(Q); + BN_free(P); + BN_free(G); + + DSA_free(dsa); + BN_free(Y); + return NULL; + } + if (!DSA_set0_key(dsa, Y, NULL)) { + /* QPG attached, cleaned up by DSA_fre() */ + DSA_free(dsa); + BN_free(Y); + return NULL; + } + + return dsa; +} + +RSA * +gldns_key_buf2rsa_raw(unsigned char* key, size_t len) +{ + uint16_t offset; + uint16_t exp; + uint16_t int16; + RSA *rsa; + BIGNUM *modulus; + BIGNUM *exponent; + + if (len == 0) + return NULL; + if (key[0] == 0) { + if(len < 3) + return NULL; + memmove(&int16, key+1, 2); + exp = ntohs(int16); + offset = 3; + } else { + exp = key[0]; + offset = 1; + } + + /* key length at least one */ + if(len < (size_t)offset + exp + 1) + return NULL; + + /* Exponent */ + exponent = BN_new(); + if(!exponent) return NULL; + (void) BN_bin2bn(key+offset, (int)exp, exponent); + offset += exp; + + /* Modulus */ + modulus = BN_new(); + if(!modulus) { + BN_free(exponent); + return NULL; + } + /* length of the buffer must 
match the key length! */ + (void) BN_bin2bn(key+offset, (int)(len - offset), modulus); + + rsa = RSA_new(); + if(!rsa) { + BN_free(exponent); + BN_free(modulus); + return NULL; + } + if (!RSA_set0_key(rsa, modulus, exponent, NULL)) { + BN_free(exponent); + BN_free(modulus); + RSA_free(rsa); + return NULL; + } + + return rsa; +} + +#ifdef USE_GOST +EVP_PKEY* +gldns_gost2pkey_raw(unsigned char* key, size_t keylen) +{ + /* prefix header for X509 encoding */ + uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, + 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85, + 0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, + 0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40}; + unsigned char encoded[37+64]; + const unsigned char* pp; + if(keylen != 64) { + /* key wrong size */ + return NULL; + } + + /* create evp_key */ + memmove(encoded, asn, 37); + memmove(encoded+37, key, 64); + pp = (unsigned char*)&encoded[0]; + + return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded)); +} +#endif /* USE_GOST */ + +#ifdef USE_ECDSA +EVP_PKEY* +gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo) +{ + unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ + const unsigned char* pp = buf; + EVP_PKEY *evp_key; + EC_KEY *ec; + /* check length, which uncompressed must be 2 bignums */ + if(algo == GLDNS_ECDSAP256SHA256) { + if(keylen != 2*256/8) return NULL; + ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + } else if(algo == GLDNS_ECDSAP384SHA384) { + if(keylen != 2*384/8) return NULL; + ec = EC_KEY_new_by_curve_name(NID_secp384r1); + } else ec = NULL; + if(!ec) return NULL; + if(keylen+1 > sizeof(buf)) { /* sanity check */ + EC_KEY_free(ec); + return NULL; + } + /* prepend the 0x02 (from docs) (or actually 0x04 from implementation + * of openssl) for uncompressed data */ + buf[0] = POINT_CONVERSION_UNCOMPRESSED; + memmove(buf+1, key, keylen); + if(!o2i_ECPublicKey(&ec, &pp, (int)keylen+1)) { + EC_KEY_free(ec); + return NULL; + } + 
evp_key = EVP_PKEY_new(); + if(!evp_key) { + EC_KEY_free(ec); + return NULL; + } + if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) { + EVP_PKEY_free(evp_key); + EC_KEY_free(ec); + return NULL; + } + return evp_key; +} +#endif /* USE_ECDSA */ + +#ifdef USE_ED25519 +EVP_PKEY* +gldns_ed255192pkey_raw(const unsigned char* key, size_t keylen) +{ + /* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */ + uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, + 0x70, 0x03, 0x21, 0x00}; + int pre_len = 12; + uint8_t buf[256]; + EVP_PKEY *evp_key; + /* pp gets modified by d2i() */ + const unsigned char* pp = (unsigned char*)buf; + if(keylen != 32 || keylen + pre_len > sizeof(buf)) + return NULL; /* wrong length */ + memmove(buf, pre, pre_len); + memmove(buf+pre_len, key, keylen); + evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen)); + return evp_key; +} +#endif /* USE_ED25519 */ + +#ifdef USE_ED448 +EVP_PKEY* +gldns_ed4482pkey_raw(const unsigned char* key, size_t keylen) +{ + /* ASN1 for ED448 is 3043300506032b6571033a00 <57byteskey> */ + uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, + 0x71, 0x03, 0x3a, 0x00}; + int pre_len = 12; + uint8_t buf[256]; + EVP_PKEY *evp_key; + /* pp gets modified by d2i() */ + const unsigned char* pp = (unsigned char*)buf; + if(keylen != 57 || keylen + pre_len > sizeof(buf)) + return NULL; /* wrong length */ + memmove(buf, pre, pre_len); + memmove(buf+pre_len, key, keylen); + evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen)); + return evp_key; +} +#endif /* USE_ED448 */ + +int +gldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest, + const EVP_MD* md) +{ + EVP_MD_CTX* ctx; + ctx = EVP_MD_CTX_create(); + if(!ctx) + return 0; + if(!EVP_DigestInit_ex(ctx, md, NULL) || + !EVP_DigestUpdate(ctx, data, len) || + !EVP_DigestFinal_ex(ctx, dest, NULL)) { + EVP_MD_CTX_destroy(ctx); + return 0; + } + EVP_MD_CTX_destroy(ctx); + return 1; +} +#endif /* HAVE_SSL */ 
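Review bot: The file header still names the file `keyraw.c` although it now lives at src/openssl/keyraw-internal.c; since the point of the commit is the split between the generic keyraw.h and the OpenSSL implementation, the first line should read ` * keyraw-internal.c - raw key operations and conversions - OpenSSL version`. In gldns_key_buf2dsa_raw the cleanup comment `/* QPG attached, cleaned up by DSA_fre() */` has a typo for `DSA_free()`, and that comment is the only place the ownership transfer after DSA_set0_pqg is explained, so it is worth getting right. The GOST path depends on the ENGINE API, which as far as I know is deprecated in OpenSSL 3; a TODO on gldns_key_EVP_load_gost_id noting that would help whoever continues the TLS abstraction.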
diff --git a/src/openssl/keyraw-internal.h b/src/openssl/keyraw-internal.h
new file mode 100644
index 00000000..92717c95
--- /dev/null
+++ b/src/openssl/keyraw-internal.h
@@ -0,0 +1,110 @@ +/* + * keyraw.h -- raw key and signature access and conversion - OpenSSL + * + * Copyright (c) 2005-2008, NLnet Labs. All rights reserved. + * + * See LICENSE for the license. + * + */ + +/** + * \file + * + * raw key and signature access and conversion + * + * Since those functions heavily rely op cryptographic operations, + * this module is dependent on openssl. + * + */ + +#ifndef GLDNS_KEYRAW_INTERNAL_H +#define GLDNS_KEYRAW_INTERNAL_H + +#ifdef __cplusplus +extern "C" { +#endif +#if GLDNS_BUILD_CONFIG_HAVE_SSL +# include +# include + +/** + * Get the PKEY id for GOST, loads GOST into openssl as a side effect. + * Only available if GOST is compiled into the library and openssl. + * \return the gost id for EVP_CTX creation. + */ +int gldns_key_EVP_load_gost_id(void); + +/** Release the engine reference held for the GOST engine. */ +void gldns_key_EVP_unload_gost(void); + +/** + * Like gldns_key_buf2dsa, but uses raw buffer. + * \param[in] key the uncompressed wireformat of the key. + * \param[in] len length of key data + * \return a DSA * structure with the key material + */ +DSA *gldns_key_buf2dsa_raw(unsigned char* key, size_t len); + +/** + * Converts a holding buffer with key material to EVP PKEY in openssl. + * Only available if ldns was compiled with GOST. + * \param[in] key data to convert + * \param[in] keylen length of the key data + * \return the key or NULL on error. + */ +EVP_PKEY* gldns_gost2pkey_raw(unsigned char* key, size_t keylen); + +/** + * Converts a holding buffer with key material to EVP PKEY in openssl. + * Only available if ldns was compiled with ECDSA. + * \param[in] key data to convert + * \param[in] keylen length of the key data + * \param[in] algo precise algorithm to initialize ECC group values. + * \return the key or NULL on error. + */ +EVP_PKEY* gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo); + +/** + * Like gldns_key_buf2rsa, but uses raw buffer. 
+ * \param[in] key the uncompressed wireformat of the key. + * \param[in] len length of key data + * \return a RSA * structure with the key material + */ +RSA *gldns_key_buf2rsa_raw(unsigned char* key, size_t len); + +/** + * Converts a holding buffer with key material to EVP PKEY in openssl. + * Only available if ldns was compiled with ED25519. + * \param[in] key the uncompressed wireformat of the key. + * \param[in] len length of key data + * \return the key or NULL on error. + */ +EVP_PKEY* gldns_ed255192pkey_raw(const unsigned char* key, size_t len); + +/** + * Converts a holding buffer with key material to EVP PKEY in openssl. + * Only available if ldns was compiled with ED448. + * \param[in] key the uncompressed wireformat of the key. + * \param[in] len length of key data + * \return the key or NULL on error. + */ +EVP_PKEY* gldns_ed4482pkey_raw(const unsigned char* key, size_t len); + +/** + * Utility function to calculate hash using generic EVP_MD pointer. + * \param[in] data the data to hash. + * \param[in] len length of data. + * \param[out] dest the destination of the hash, must be large enough. + * \param[in] md the message digest to use. + * \return true if worked, false on failure. + */ +int gldns_digest_evp(unsigned char* data, unsigned int len, + unsigned char* dest, const EVP_MD* md); + +#endif /* GLDNS_BUILD_CONFIG_HAVE_SSL */ + +#ifdef __cplusplus +} +#endif + +#endif /* GLDNS_KEYRAW_INTERNAL_H */ From 05f9d30e894bcaf7bf478d062cc44a1351223e4c Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 20 Nov 2018 16:57:48 +0000 Subject: [PATCH 020/108] Move anchor.c to under openssl. --- src/Makefile.in | 26 +++++++++++++------------- src/{ => openssl}/anchor.c | 0 2 files changed, 13 insertions(+), 13 deletions(-) rename src/{ => openssl}/anchor.c (100%) diff --git a/src/Makefile.in b/src/Makefile.in index 8da886c5..c7faf32c 100644 --- a/src/Makefile.in +++ b/src/Makefile.in 
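Review bot: The two OpenSSL `# include` lines sit inside the `extern "C" {` block opened just above them, so a C++ consumer gets the third-party headers wrapped in C linkage; the includes should be hoisted above the `#ifdef __cplusplus` guard under their own `#if GLDNS_BUILD_CONFIG_HAVE_SSL`, leaving the existing `#if` to cover only the declarations. The header comment still says ` * keyraw.h` and "rely op"; it should name keyraw-internal.h and read "rely on". Note also that every prototype here exposes OpenSSL types (`DSA *`, `RSA *`, `EVP_PKEY*`) through the backend-neutral keyraw.h that includes this file, which is presumably a deliberate interim state of the abstraction and worth saying so in the header comment.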
@@ -146,7 +146,7 @@ $(EXTENSION_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/extension/$(@:.lo=.c) -o $@ anchor.lo: - $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/anchor.c -o anchor.lo + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/openssl/anchor.c -o anchor.lo context.lo: $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/context.c -o context.lo @@ -299,17 +299,6 @@ depend: FORCE: # Dependencies for gldns, utils, the extensions and compat functions -anchor.lo anchor.o: $(srcdir)/anchor.c config.h \ - $(srcdir)/debug.h $(srcdir)/anchor.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \ - $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h \ - $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h const-info.lo const-info.o: $(srcdir)/const-info.c \ getdns/getdns.h \ getdns/getdns_extra.h \ 
@@ -447,7 +436,7 @@ gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ config.h $(srcdir)/gldns/gbuffer.h keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ config.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/openssl/keyraw-internal.h + $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h parse.lo parse.o: $(srcdir)/gldns/parse.c \ config.h $(srcdir)/gldns/parse.h \ $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h @@ -509,6 +498,17 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/orig-headers/rbtree.h jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h +anchor.lo anchor.o: $(srcdir)/openssl/anchor.c \ + config.h $(srcdir)/debug.h $(srcdir)/anchor.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/types-internal.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h $(srcdir)/ub_loop.h \ + $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/openssl/keyraw-internal.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/platform.h keyraw-internal.lo keyraw-internal.o: $(srcdir)/openssl/keyraw-internal.c \ config.h $(srcdir)/gldns/keyraw.h \ $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h diff --git a/src/anchor.c b/src/openssl/anchor.c similarity index 100% rename from src/anchor.c rename to src/openssl/anchor.c From 4f67491971d865ad879afcdee4d4ca85dc285711 Mon Sep 17 00:00:00 2001 
From: Jim Hague Date: Tue, 20 Nov 2018 17:36:56 +0000 Subject: [PATCH 021/108] Remove unnecessary OpenSSL include in dnssec.c. --- src/dnssec.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/dnssec.c b/src/dnssec.c index fd8ac932..0e0e9ba1 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -194,7 +194,6 @@ #include #include #include -#include #include "getdns/getdns.h" #include "context.h" #include "util-internal.h" From e7593541ef2bc846cfee222a1aa206f403e71fc9 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 20 Nov 2018 17:37:46 +0000 Subject: [PATCH 022/108] Ensure that compat/getentropy* don't get used, and so drag in OpenSSL. --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index c361848b..cc80080e 100644 --- a/configure.ac +++ b/configure.ac @@ -1434,6 +1434,7 @@ if test "$ac_cv_func_arc4random" = "no"; then if test "$USE_WINSOCK" = 1; then AC_LIBOBJ(getentropy_win) else + AC_MSG_ERROR([Function getentropy missing.]) case `uname` in Darwin) AC_LIBOBJ(getentropy_osx) From 2267863a53ffb6fe85ee0efd64785246895e161c Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Fri, 23 Nov 2018 16:20:48 +0000 Subject: [PATCH 023/108] Attempt to improve the preprocessor horror that is util/val_secalgo.h. Convert the main util/val_secalgo.h to a plain interface. Move the preprocessor redefines into validator/val_secalgo.h, and move THAT under openssl, because it is OpenSSL implementation specific at present - you can compile with NSS and Nettle if config allows. --- src/Makefile.in | 9 ++- .../validator/val_nsec3.h | 0 src/openssl/validator/val_secalgo.h | 48 ++++++++++++++++ src/util/auxiliary/validator/val_secalgo.h | 1 - src/util/val_secalgo.h | 56 +++++-------------- 5 files changed, 67 insertions(+), 47 deletions(-) rename src/{util/auxiliary => openssl}/validator/val_nsec3.h (100%) create mode 100644 src/openssl/validator/val_secalgo.h delete mode 100644 src/util/auxiliary/validator/val_secalgo.h 
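Review bot: The added `AC_MSG_ERROR([Function getentropy missing.])` fires unconditionally in the non-Windows `else` branch, so the `case \`uname\`` fallback beneath it (`AC_LIBOBJ(getentropy_osx)` and presumably the other compat variants further down) can never be reached and is now dead text. If the intent from the commit message is that the compat getentropy implementations must not be built because they pull in OpenSSL, remove the unreachable case block in the same change and say why in the message, e.g. `AC_MSG_ERROR([Function getentropy missing; the compat replacements depend on OpenSSL and are not built.])`. The enclosing `if`/`else` ends outside the hunk.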
diff --git a/src/Makefile.in b/src/Makefile.in index c7faf32c..ed5c95bf 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -342,7 +342,7 @@ dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \ - $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h + $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h general.lo general.o: $(srcdir)/general.c config.h \ $(srcdir)/general.h getdns/getdns.h \ $(srcdir)/types-internal.h \ 
@@ -531,12 +531,11 @@ tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/tls.h val_secalgo.lo val_secalgo.o: $(srcdir)/openssl/val_secalgo.c \ config.h \ - $(srcdir)/util/auxiliary/util/data/packed_rrset.h \ - $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \ - $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \ + $(srcdir)/util/auxiliary/util/data/packed_rrset.h $(srcdir)/openssl/validator/val_secalgo.h \ + $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h $(srcdir)/openssl/validator/val_nsec3.h \ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/openssl/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h + $(srcdir)/openssl/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h libev.lo libev.o: $(srcdir)/extension/libev.c \ config.h $(srcdir)/types-internal.h \ diff --git a/src/util/auxiliary/validator/val_nsec3.h b/src/openssl/validator/val_nsec3.h similarity index 100% rename from src/util/auxiliary/validator/val_nsec3.h rename to src/openssl/validator/val_nsec3.h diff --git a/src/openssl/validator/val_secalgo.h b/src/openssl/validator/val_secalgo.h new file mode 100644 index 00000000..e4e2a7a7 --- /dev/null +++ b/src/openssl/validator/val_secalgo.h 
@@ -0,0 +1,48 @@ +#ifndef VAL_SECALGO_H_VALIDATOR +#define VAL_SECALGO_H_VALIDATOR + +#define sldns_buffer gldns_buffer + +#define nsec3_hash_algo_size_supported _getdns_nsec3_hash_algo_size_supported +#define secalgo_nsec3_hash _getdns_secalgo_nsec3_hash +#define secalgo_hash_sha256 _getdns_secalgo_hash_sha256 +#define ds_digest_size_supported _getdns_ds_digest_size_supported +#define secalgo_ds_digest _getdns_secalgo_ds_digest +#define dnskey_algo_id_is_supported _getdns_dnskey_algo_id_is_supported +#define verify_canonrrset _getdns_verify_canonrrset +#define sec_status _getdns_sec_status +#define sec_status_secure _getdns_sec_status_secure +#define sec_status_insecure _getdns_sec_status_insecure +#define sec_status_unchecked _getdns_sec_status_unchecked +#define sec_status_bogus _getdns_sec_status_bogus +#define fake_sha1 _getdns_fake_sha1 +#define fake_dsa _getdns_fake_dsa + +#define NSEC3_HASH_SHA1 0x01 + +#define LDNS_SHA1 GLDNS_SHA1 +#define LDNS_SHA256 GLDNS_SHA256 +#define LDNS_SHA384 GLDNS_SHA384 +#define LDNS_HASH_GOST GLDNS_HASH_GOST +#define LDNS_RSAMD5 GLDNS_RSAMD5 +#define LDNS_DSA GLDNS_DSA +#define LDNS_DSA_NSEC3 GLDNS_DSA_NSEC3 +#define LDNS_RSASHA1 GLDNS_RSASHA1 +#define LDNS_RSASHA1_NSEC3 GLDNS_RSASHA1_NSEC3 +#define LDNS_RSASHA256 GLDNS_RSASHA256 +#define LDNS_RSASHA512 GLDNS_RSASHA512 +#define LDNS_ECDSAP256SHA256 GLDNS_ECDSAP256SHA256 +#define LDNS_ECDSAP384SHA384 GLDNS_ECDSAP384SHA384 +#define LDNS_ECC_GOST GLDNS_ECC_GOST +#define sldns_key_EVP_load_gost_id gldns_key_EVP_load_gost_id +#define sldns_digest_evp gldns_digest_evp +#define sldns_key_buf2dsa_raw gldns_key_buf2dsa_raw +#define sldns_key_buf2rsa_raw gldns_key_buf2rsa_raw +#define sldns_gost2pkey_raw gldns_gost2pkey_raw +#define sldns_ecdsa2pkey_raw gldns_ecdsa2pkey_raw +#define sldns_buffer_begin gldns_buffer_begin +#define sldns_buffer_limit gldns_buffer_limit + +#include "util/val_secalgo.h" + +#endif 
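Review bot: The macro renames in this header are never `#undef`'d, so after the include `sldns_buffer`, `sec_status` and the `LDNS_*` names are global textual substitutions for the rest of any translation unit that includes it; a header comment stating that the file exists only to map unbound's unprefixed identifiers onto the `_getdns_`/`gldns_` symbols before including `util/val_secalgo.h`, and that only `openssl/val_secalgo.c` is meant to include it (the Makefile dependency in this commit agrees), would make that intent explicit. The closing `+#endif` should also name its guard: `#endif /* VAL_SECALGO_H_VALIDATOR */`.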
diff --git a/src/util/auxiliary/validator/val_secalgo.h b/src/util/auxiliary/validator/val_secalgo.h deleted file mode 100644 index 1e187cba..00000000 --- a/src/util/auxiliary/validator/val_secalgo.h +++ /dev/null @@ -1 +0,0 @@ -#include "util/val_secalgo.h" diff --git a/src/util/val_secalgo.h b/src/util/val_secalgo.h index 08f40e83..3554c658 100644 --- a/src/util/val_secalgo.h +++ b/src/util/val_secalgo.h @@ -1,7 +1,7 @@ /** * - * \file rbtree.h - * /brief Alternative symbol names for unbound's rbtree.h + * \file val_secalgo.h + * /brief secalgo interface. * */ /* 
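Review bot: The corrected comment line keeps `/brief`, which Doxygen does not recognise as a command; it should read ` * \brief secalgo interface.` to match the `\file` line above it.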
@@ -32,49 +32,23 @@ */ #ifndef VAL_SECALGO_H_SYMBOLS #define VAL_SECALGO_H_SYMBOLS -#define sldns_buffer gldns_buffer -#define nsec3_hash_algo_size_supported _getdns_nsec3_hash_algo_size_supported -#define secalgo_nsec3_hash _getdns_secalgo_nsec3_hash -#define secalgo_hash_sha256 _getdns_secalgo_hash_sha256 -#define ds_digest_size_supported _getdns_ds_digest_size_supported -#define secalgo_ds_digest _getdns_secalgo_ds_digest -#define dnskey_algo_id_is_supported _getdns_dnskey_algo_id_is_supported -#define verify_canonrrset _getdns_verify_canonrrset -#define sec_status _getdns_sec_status -#define sec_status_secure _getdns_sec_status_secure -#define sec_status_insecure _getdns_sec_status_insecure -#define sec_status_unchecked _getdns_sec_status_unchecked -#define sec_status_bogus _getdns_sec_status_bogus -#define fake_sha1 _getdns_fake_sha1 -#define fake_dsa _getdns_fake_dsa + +#include "gldns/gbuffer.h" enum sec_status { sec_status_bogus = 0 , sec_status_unchecked = 0 , sec_status_insecure = 0 , sec_status_secure = 1 }; -#define NSEC3_HASH_SHA1 0x01 -#define LDNS_SHA1 GLDNS_SHA1 -#define LDNS_SHA256 GLDNS_SHA256 -#define LDNS_SHA384 GLDNS_SHA384 -#define LDNS_HASH_GOST GLDNS_HASH_GOST -#define LDNS_RSAMD5 GLDNS_RSAMD5 -#define LDNS_DSA GLDNS_DSA -#define LDNS_DSA_NSEC3 GLDNS_DSA_NSEC3 -#define LDNS_RSASHA1 GLDNS_RSASHA1 -#define LDNS_RSASHA1_NSEC3 GLDNS_RSASHA1_NSEC3 -#define LDNS_RSASHA256 GLDNS_RSASHA256 -#define LDNS_RSASHA512 GLDNS_RSASHA512 -#define LDNS_ECDSAP256SHA256 GLDNS_ECDSAP256SHA256 -#define LDNS_ECDSAP384SHA384 GLDNS_ECDSAP384SHA384 -#define LDNS_ECC_GOST GLDNS_ECC_GOST -#define sldns_key_EVP_load_gost_id gldns_key_EVP_load_gost_id -#define sldns_digest_evp gldns_digest_evp -#define sldns_key_buf2dsa_raw gldns_key_buf2dsa_raw -#define sldns_key_buf2rsa_raw gldns_key_buf2rsa_raw -#define sldns_gost2pkey_raw gldns_gost2pkey_raw -#define sldns_ecdsa2pkey_raw gldns_ecdsa2pkey_raw -#define sldns_buffer_begin gldns_buffer_begin -#define sldns_buffer_limit 
gldns_buffer_limit -#include "util/orig-headers/val_secalgo.h" +size_t _getdns_ds_digest_size_supported(int algo); + +int _getdns_secalgo_ds_digest(int algo, unsigned char* buf, size_t len, + unsigned char* res); + +int _getdns_dnskey_algo_id_is_supported(int id); + +enum sec_status _getdns_verify_canonrrset(struct gldns_buffer* buf, int algo, + unsigned char* sigblock, unsigned int sigblock_len, + unsigned char* key, unsigned int keylen, char** reason); + #endif From 27a7e4e28f12acb9f69ff2c4b087bfde39aea4dd Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Fri, 23 Nov 2018 17:42:35 +0000 Subject: [PATCH 024/108] Attempt minimal autoconf changes to use GnuTLS instead of OpenSSL. I could waste the rest of the available time trying to turn configure.ac into something that cleanly ignores OpenSSL, uses GnuTLS instead and retains all the options. Or even better scrap the whole autoconf mess and start again. But in the interests of prototyping, do something quick and dirty. This means GnuTLS must for now be configured thus: $ CFLAGS="-g" ../configure --enable-stub-only --with-gnutls --disable-gost --disable-ecdsa --disable-edns-cookies to evade other items with hardcoded OpenSSL checks in them. --- configure.ac | 19 +++++++++++++++++-- src/Makefile.in | 11 ++++++----- 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index cc80080e..a16100e3 100644 --- a/configure.ac +++ b/configure.ac 
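Review bot: The four new prototypes have no documentation, and two carry contracts a caller can get wrong: `_getdns_secalgo_ds_digest` writes into `res`, whose required size is presumably the value returned by `_getdns_ds_digest_size_supported(algo)`, and `_getdns_verify_canonrrset` sets `*reason` on failure without stating whether it points at a static string or something the caller must free. Add a Doxygen comment per function giving parameters, the meaning of the int returns (boolean or status code), and the `reason` ownership. The `enum sec_status` on the context lines above, which maps bogus, unchecked and insecure all to 0, is pre-existing but would benefit from a comment saying only secure is distinguished by this interface.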
@@ -399,11 +399,26 @@ yes) ;; esac +# Which TLS and crypto libs to use. +AC_ARG_WITH([gnutls], + [AS_HELP_STRING([--with-gnutls], + [use GnuTLS instead of OpenSSL])], + [ + PKG_CHECK_MODULES([libgnutls], [gnutls >= 3.5.0]) + LIBS="$libgnutls_LIBS $LIBS" + CFLAGS="$libgnutls_CFLAGS $CFLAGS" + AC_SUBST([TLSDIR], 'gnutls') + AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library]) + ], + [ + ACX_WITH_SSL_OPTIONAL + ACX_LIB_SSL + AC_SUBST([TLSDIR], 'openssl') + ]) + USE_NSS="no" # openssl if test $USE_NSS = "no"; then -ACX_WITH_SSL_OPTIONAL -ACX_LIB_SSL AC_MSG_CHECKING([for LibreSSL]) if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then AC_MSG_RESULT([yes]) diff --git a/src/Makefile.in b/src/Makefile.in index ed5c95bf..88a239ac 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -52,11 +52,12 @@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ srcdir = @srcdir@ +tlsdir = @TLSDIR@ stubbysrcdir = $(srcdir)/../stubby LIBTOOL = ../libtool CC=@CC@ -CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/openssl -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS) +CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/$(tlsdir) -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS) WPEDANTICFLAG=@WPEDANTICFLAG@ WNOERRORFLAG=@WNOERRORFLAG@ LDFLAGS=@LDFLAGS@ @LIBS@ @@ -134,7 +135,7 @@ $(JSMN_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -DJSMN_GETDNS -c $(srcdir)/jsmn/$(@:.lo=.c) -o $@ $(TLS_OBJ): - $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/openssl/$(@:.lo=.c) -o $@ + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/$(tlsdir)/$(@:.lo=.c) -o $@ $(YAML_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@ 
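Review bot: With `--with-gnutls` the new branch skips ACX_WITH_SSL_OPTIONAL/ACX_LIB_SSL, but the `if test $USE_NSS = "no"; then` block that follows still runs and greps `$ssldir/include/openssl/opensslv.h`; `$ssldir` is presumably set by the macros that were removed from that block, so in a GnuTLS build the LibreSSL check runs against a bogus path and merely reports "no". The commit message acknowledges that hard-coded OpenSSL checks remain; rather than relying on the check failing harmlessly, skip the OpenSSL-only block explicitly using the shell variable AC_ARG_WITH sets, e.g. `if test "x$with_gnutls" != xyes && test $USE_NSS = "no"; then`. That `if` block continues outside the hunk.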
@@ -146,7 +147,7 @@ $(EXTENSION_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/extension/$(@:.lo=.c) -o $@ anchor.lo: - $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/openssl/anchor.c -o anchor.lo + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/$(tlsdir)/anchor.c -o anchor.lo context.lo: $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/context.c -o context.lo @@ -271,14 +272,14 @@ Makefile: $(srcdir)/Makefile.in ../config.status depend: (cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new ) - (blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \ + (blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -I$(tlsdir) -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c $(tlsdir)/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \ sed -e "s? $$blddir/? ?g" \ -e 's? gldns/? $$(srcdir)/gldns/?g' \ -e 's? compat/? $$(srcdir)/compat/?g' \ -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \ -e 's? util/? $$(srcdir)/util/?g' \ -e 's? jsmn/? $$(srcdir)/jsmn/?g' \ - -e 's? openssl/? $$(srcdir)/openssl/?g' \ + -e 's? $$(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g' \ -e 's? yxml/? $$(srcdir)/yxml/?g' \ -e 's? extension/? $$(srcdir)/extension/?g' \ -e 's? \.\./stubby/? $$(stubbysrcdir)/?g' \ From 4ec93a3df025c8a1773e7ec2fb2fdbb4d2709c28 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Mon, 26 Nov 2018 11:32:03 +0000 Subject: [PATCH 025/108] Add Doxygen for remaining tls.h functions. --- src/tls.h | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) 
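Review bot: The new sed expression `-e 's? $$(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g'` cannot match anything: `$$(tlsdir)` reaches the shell as the literal text `$(tlsdir)` inside single quotes, while the `gcc -MM` output it filters contains the real directory name (`openssl/...`), because `$(tlsdir)/*.c` on the gcc line was expanded by make before the shell ran. Only the replacement half should stay literal; the search half must be make-expanded: `-e 's? $(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g'`. As written, the regenerated dependency lines for the TLS sources would keep bare relative paths, unlike every other directory handled in this recipe. The changed gcc line also still hard-codes `gcc` where `$(CC)` is used everywhere else in this Makefile.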
diff --git a/src/tls.h b/src/tls.h
index 295b649c..cc654430 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -47,23 +47,146 @@ typedef struct sha256_pin sha256_pin_t; #define GETDNS_RETURN_TLS_WANT_WRITE ((getdns_return_t) 421) #define GETDNS_RETURN_TLS_CONNECTION_FRESH ((getdns_return_t) 422) +/** + * Global initialisation of the TLS interface. + */ void _getdns_tls_init(); +/** + * Create a new TLS context. + * + * @return pointer to new context or NULL on error. + */ _getdns_tls_context* _getdns_tls_context_new(); + +/** + * Free a TLS context. + * + * @param ctx the context to free. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER if ctx is invalid. + */ getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx); +/** + * Set TLS 1.2 as minimum TLS version. + * + * @param ctx the context. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer. + * @return GETDNS_RETURN_NOT_IMPLEMENTED if not implemented. + * @return GETDNS_RETURN_BAD_CONTEXT on failure. + */ getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx); + +/** + * Set list of allowed ciphers. + * + * @param ctx the context. + * @param list the list of cipher identifiers. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer. + * @return GETDNS_RETURN_BAD_CONTEXT on failure. + */ getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list); + +/** + * Set list of allowed curves. + * + * @param ctx the context. + * @param list the list of curve identifiers. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer. + * @return GETDNS_RETURN_BAD_CONTEXT on failure. + */ getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list); + + +/** + * Set certificate authority details. + * + * Load CA from either a file or a directory. If both file + * and path are NULL, use default locations. 
+ * + * @param ctx the context. + * @param file a file of CA certificates in PEM format. + * @param path a directory containing CA certificates in PEM format. + * Files are looked up by CA subject name hash value. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer. + * @return GETDNS_RETURN_GENERIC_ERROR on failure. + */ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path); +/** + * Create a new TLS connection and associate it with a file descriptior. + * + * @param ctx the context. + * @param fd the file descriptor to associate with the connection. + * @return pointer to new connection or NULL on error. + */ _getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd); + +/** + * Free a TLS connection. + * + * @param conn the connection to free. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER if conn is invalid. + */ getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx); + +/** + * Shut down a TLS connection. + * + * @param conn the connection to shut down. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER if conn is invalid. + * @return GETDNS_RETURN_CONTEXT_UPDATE_FAIL if shutdown is not finished, + * and this routine should be called again. + * @return GETDNS_RETURN_GENERIC_ERROR on error. + */ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn); +/** + * Set list of allowed ciphers on this connection. + * + * @param conn the connection. + * @param list the list of cipher identifiers. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer. + * @return GETDNS_RETURN_BAD_CONTEXT on failure. + */ getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list); + +/** + * Set list of allowed curves on this connection. 
+ * + * @param conn the connection. + * @param list the list of curve identifiers. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer. + * @return GETDNS_RETURN_BAD_CONTEXT on failure. + */ getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list); + +/** + * Set the session for this connection. + * + * @param conn the connection. + * @param s the session. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer. + * @return GETDNS_RETURN_GENERIC_ERROR on failure. + */ getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s); + +/** + * Get the session for this connection. + * + * @param conn the connection. + * @return pointer to the session or NULL on error. + */ _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn); /** @@ -184,6 +307,13 @@ void _getdns_tls_x509_free(_getdns_tls_x509* cert); */ int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf); +/** + * Fill in dictionary with TLS API information. + * + * @param dict the dictionary to add to. + * @return GETDNS_RETURN_GOOD if some bytes were read. + * @return GETDNS_RETURN_GENERIC_ERROR if items cannot be set. + */ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict); #endif /* _GETDNS_TLS_H */ From bc3106af94d3847db6c41d5aed164ae53c10701e Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 27 Nov 2018 11:49:12 +0000 Subject: [PATCH 026/108] Abstract out HMAC functions in request-internal.c. --- src/openssl/tls-internal.h | 12 ++++ src/openssl/tls.c | 122 +++++++++++++++++++++++++++++++++++++ src/request-internal.c | 93 ++++++---------------------- src/tls.h | 44 +++++++++++++ 4 files changed, 198 insertions(+), 73 deletions(-) diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h index f13c8602..59b5b292 100644 
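Review bot: The new block above `_getdns_tls_connection_free` documents `@param conn`, but the declaration underneath still names the argument `ctx` (`getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx);`), so Doxygen will flag the mismatch and readers see two names for one parameter; renaming it to `conn` matches the other connection functions in this hunk. The `_getdns_tls_connection_new` comment has a typo, `file descriptior`. For `_getdns_tls_context_set_ca`, `use default locations` would be more useful if it named where the defaults come from (presumably the TLS library's built-in CA paths), since that decides which CAs a stub trusts when neither file nor path is configured.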
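Review bot: The new comment on `_getdns_tls_get_api_information` says `GETDNS_RETURN_GOOD if some bytes were read`, which looks copied from a read routine; nothing is read here, the function fills a dictionary. Suggest ` * @return GETDNS_RETURN_GOOD on success.` so the return documentation matches the other functions in this header.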
--- a/src/openssl/tls-internal.h
+++ b/src/openssl/tls-internal.h
@@ -34,6 +34,10 @@
 #ifndef _GETDNS_TLS_INTERNAL_H
 #define _GETDNS_TLS_INTERNAL_H
 
+#include
+#include
+#include
+
 #include "getdns/getdns.h"
 
 #ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
@@ -64,4 +68,12 @@ typedef struct _getdns_tls_x509
 X509* ssl;
 } _getdns_tls_x509;
 
+typedef struct _getdns_tls_hmac
+{
+ HMAC_CTX *ctx;
+#ifndef HAVE_HMAC_CTX_NEW
+ HMAC_CTX ctx_space;
+#endif
+} _getdns_tls_hmac;
+
 #endif /* _GETDNS_TLS_INTERNAL_H */
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 36a0f9a3..611fbf3b 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -609,4 +609,126 @@ int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf) return i2d_X509(cert->ssl, buf); } +unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size) +{ + const EVP_MD* digester; + unsigned char* res; + unsigned int md_len; + + switch (algorithm) { +#ifdef HAVE_EVP_MD5 + case GETDNS_HMAC_MD5 : digester = EVP_md5() ; break; +#endif +#ifdef HAVE_EVP_SHA1 + case GETDNS_HMAC_SHA1 : digester = EVP_sha1() ; break; +#endif +#ifdef HAVE_EVP_SHA224 + case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break; +#endif +#ifdef HAVE_EVP_SHA256 + case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break; +#endif +#ifdef HAVE_EVP_SHA384 + case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break; +#endif +#ifdef HAVE_EVP_SHA512 + case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break; +#endif + default : return NULL; + } + + res = (unsigned char*) malloc(EVP_MAX_MD_SIZE); + if (!res) + return NULL; + + (void) HMAC(digester, key, key_size, data, data_size, res, &md_len); + + if (output_size) + *output_size = md_len; + return res; +} + +_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size) +{ + const EVP_MD *digester; + _getdns_tls_hmac* res; + + switch (algorithm) { +#ifdef HAVE_EVP_MD5 + case GETDNS_HMAC_MD5 : digester = EVP_md5() ; break; +#endif +#ifdef HAVE_EVP_SHA1 + case GETDNS_HMAC_SHA1 : digester = EVP_sha1() ; break; +#endif +#ifdef HAVE_EVP_SHA224 + case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break; +#endif +#ifdef HAVE_EVP_SHA256 + case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break; +#endif +#ifdef HAVE_EVP_SHA384 + case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break; +#endif +#ifdef HAVE_EVP_SHA512 + case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break; +#endif + default : return NULL; + } + + if (!(res = malloc(sizeof(struct _getdns_tls_hmac)))) + return NULL; + +#ifdef HAVE_HMAC_CTX_NEW + res->ctx = 
HMAC_CTX_new(); + if (!res->ctx) { + free(res); + return NULL; + } +#else + res->ctx = &res->ctx_space; + HMAC_CTX_init(res->ctx); +#endif + if (!HMAC_Init_ex(res->ctx, key, key_size, digester, NULL)) { +#ifdef HAVE_HMAC_CTX_NEW + HMAC_CTX_free(res->ctx); +#endif + free(res); + return NULL; + } + + return res; +} + +getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size) +{ + if (!h || !h->ctx || !data) + return GETDNS_RETURN_INVALID_PARAMETER; + + if (!HMAC_Update(h->ctx, data, data_size)) + return GETDNS_RETURN_GENERIC_ERROR; + else + return GETDNS_RETURN_GOOD; +} + +unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size) +{ + unsigned char* res; + unsigned int md_len; + + res = (unsigned char*) malloc(EVP_MAX_MD_SIZE); + if (!res) + return NULL; + + (void) HMAC_Final(h->ctx, res, &md_len); + +#ifdef HAVE_HMAC_CTX_NEW + HMAC_CTX_free(h->ctx); +#endif + free(h); + + if (output_size) + *output_size = md_len; + return res; +} + /* tls.c */ diff --git a/src/request-internal.c b/src/request-internal.c index 89476717..1b2a7cb4 100644 --- a/src/request-internal.c +++ b/src/request-internal.c @@ -401,9 +401,8 @@ _getdns_network_req_add_tsig(getdns_network_req *req) gldns_buffer gbuf; uint16_t arcount; const getdns_tsig_info *tsig_info; - uint8_t md_buf[EVP_MAX_MD_SIZE]; - unsigned int md_len = EVP_MAX_MD_SIZE; - const EVP_MD *digester; + unsigned char* md_buf; + size_t md_len; /* Should only be called when in stub mode */ assert(req->query); 
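Review bot: `_getdns_tls_hmac_end` and the `HMAC_Init_ex` failure path in `_getdns_tls_hmac_new` release the wrapper with `free()` but never call `HMAC_CTX_cleanup()` on the embedded `ctx_space` when `HAVE_HMAC_CTX_NEW` is not defined, whereas the code this replaces (the deletion at `@@ -660,11 +612,6` in request-internal.c) did, so older OpenSSL builds now leak the digest contexts inside every TSIG validation. Both `(void) HMAC(...)` in `_getdns_tls_hmac_hash` and `(void) HMAC_Final(...)` in `_getdns_tls_hmac_end` discard failure, leaving `md_len` uninitialised and handing the caller an uninitialised buffer as the MAC — in the signing path that MAC goes on the wire; `if (!HMAC(digester, key, key_size, data, data_size, res, &md_len)) { free(res); return NULL; }` is the one-line fix for the former. `_getdns_tls_hmac_end` also lacks the NULL checks its sibling `_getdns_tls_hmac_add` has and, when `malloc` fails, returns without freeing `h`, contradicting the tls.h contract that it frees the handle. A version that releases the context on every path:
```c
unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size)
{
	unsigned char* res;
	unsigned int md_len = 0;

	if (!h || !h->ctx)
		return NULL;

	res = (unsigned char*) malloc(EVP_MAX_MD_SIZE);
	if (res && !HMAC_Final(h->ctx, res, &md_len)) {
		free(res);
		res = NULL;
	}

	/* The caller has no other way to release the context, so do it on every path. */
#ifdef HAVE_HMAC_CTX_NEW
	HMAC_CTX_free(h->ctx);
#else
	HMAC_CTX_cleanup(h->ctx);
#endif
	free(h);

	if (res && output_size)
		*output_size = md_len;
	return res;
}
```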
@@ -436,31 +435,9 @@ _getdns_network_req_add_tsig(getdns_network_req *req) gldns_buffer_write_u16(&gbuf, 0); /* Error */ gldns_buffer_write_u16(&gbuf, 0); /* Other len */ - switch (upstream->tsig_alg) { -#ifdef HAVE_EVP_MD5 - case GETDNS_HMAC_MD5 : digester = EVP_md5() ; break; -#endif -#ifdef HAVE_EVP_SHA1 - case GETDNS_HMAC_SHA1 : digester = EVP_sha1() ; break; -#endif -#ifdef HAVE_EVP_SHA224 - case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break; -#endif -#ifdef HAVE_EVP_SHA256 - case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break; -#endif -#ifdef HAVE_EVP_SHA384 - case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break; -#endif -#ifdef HAVE_EVP_SHA512 - case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break; -#endif - default : return req->response - req->query; - } - - (void) HMAC(digester, upstream->tsig_key, upstream->tsig_size, - (void *)req->query, gldns_buffer_current(&gbuf) - req->query, - md_buf, &md_len); + md_buf = _getdns_tls_hmac_hash(upstream->tsig_alg, upstream->tsig_key, upstream->tsig_size, (void *)req->query, gldns_buffer_current(&gbuf) - req->query, &md_len); + if (!md_buf) + return req->response - req->query; gldns_buffer_rewind(&gbuf); gldns_buffer_write(&gbuf, @@ -480,6 +457,8 @@ _getdns_network_req_add_tsig(getdns_network_req *req) gldns_buffer_write_u16(&gbuf, 0); /* Error */ gldns_buffer_write_u16(&gbuf, 0); /* Other len */ + free(md_buf); + if (gldns_buffer_position(&gbuf) > gldns_buffer_limit(&gbuf)) return req->response - req->query; 
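Review bot: `md_buf` is now heap memory from `_getdns_tls_hmac_hash`, and the only `free(md_buf)` is added in the next hunk (+457) after the second header block has been written; the buffer writes between the two hunks are outside this view, so if any of them return early the MAC buffer leaks, and the bounds check just after the free shows this function does use early returns. Freeing `md_buf` right after the `gldns_buffer_write` that copies it into the packet — as soon as its `md_len` bytes have been consumed — removes the need to audit every later exit. `_getdns_network_req_add_tsig`'s body continues outside both hunks.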
@@ -506,14 +485,10 @@ _getdns_network_validate_tsig(getdns_network_req *req) const uint8_t *response_mac; uint16_t response_mac_len; uint8_t other_len; - uint8_t result_mac[EVP_MAX_MD_SIZE]; - unsigned int result_mac_len = EVP_MAX_MD_SIZE; + unsigned char *result_mac; + size_t result_mac_len; uint16_t original_id; - const EVP_MD *digester; - HMAC_CTX *ctx; -#ifndef HAVE_HMAC_CTX_NEW - HMAC_CTX ctx_space; -#endif + _getdns_tls_hmac *hmac; DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNC__); for ( rr = _getdns_rr_iter_init(&rr_spc, req->query, 
@@ -620,39 +595,16 @@ _getdns_network_validate_tsig(getdns_network_req *req) gldns_read_uint16(req->response + 10) - 1); gldns_write_uint16(req->response, original_id); - switch (req->upstream->tsig_alg) { -#ifdef HAVE_EVP_MD5 - case GETDNS_HMAC_MD5 : digester = EVP_md5() ; break; -#endif -#ifdef HAVE_EVP_SHA1 - case GETDNS_HMAC_SHA1 : digester = EVP_sha1() ; break; -#endif -#ifdef HAVE_EVP_SHA224 - case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break; -#endif -#ifdef HAVE_EVP_SHA256 - case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break; -#endif -#ifdef HAVE_EVP_SHA384 - case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break; -#endif -#ifdef HAVE_EVP_SHA512 - case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break; -#endif - default : return; - } -#ifdef HAVE_HMAC_CTX_NEW - ctx = HMAC_CTX_new(); -#else - ctx = &ctx_space; - HMAC_CTX_init(ctx); -#endif - (void) HMAC_Init_ex(ctx, req->upstream->tsig_key, - req->upstream->tsig_size, digester, NULL); - (void) HMAC_Update(ctx, request_mac - 2, request_mac_len + 2); - (void) HMAC_Update(ctx, req->response, rr->pos - req->response); - (void) HMAC_Update(ctx, tsig_vars, gldns_buffer_position(&gbuf)); - HMAC_Final(ctx, result_mac, &result_mac_len); + hmac = _getdns_tls_hmac_new(req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size); + if (!hmac) + return; + + _getdns_tls_hmac_add(hmac, request_mac - 2, request_mac_len + 2); + _getdns_tls_hmac_add(hmac, req->response, rr->pos - req->response); + _getdns_tls_hmac_add(hmac, tsig_vars, gldns_buffer_position(&gbuf)); + result_mac = _getdns_tls_hmac_end(hmac, &result_mac_len); + if (!result_mac) + return; DEBUG_STUB("%s %-35s: Result MAC length: %d\n", STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len)); 
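Review bot: The three `_getdns_tls_hmac_add` calls ignore their return value, so a failed `HMAC_Update` silently yields a MAC over partial data that is then compared with the response MAC; the comparison fails closed, but the error is invisible and nothing distinguishes a library failure from a forged MAC. Check each call and bail out on error — the catch is that the only way to release `hmac` is `_getdns_tls_hmac_end`, whose digest buffer must then be discarded too, e.g. `free(_getdns_tls_hmac_end(hmac, NULL)); return;`. The `result_mac` buffer returned by `_getdns_tls_hmac_end` is never freed in this patch; the later patch 027 on this page adds the release after the comparison. `_getdns_network_validate_tsig` continues past the end of the hunk.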
@@ -660,11 +612,6 @@ _getdns_network_validate_tsig(getdns_network_req *req) memcmp(result_mac, response_mac, result_mac_len) == 0) req->tsig_status = GETDNS_DNSSEC_SECURE; -#ifdef HAVE_HMAC_CTX_FREE - HMAC_CTX_free(ctx); -#else - HMAC_CTX_cleanup(ctx); -#endif gldns_write_uint16(req->response, gldns_read_uint16(req->query)); gldns_write_uint16(req->response + 10, gldns_read_uint16(req->response + 10) + 1); diff --git a/src/tls.h b/src/tls.h index cc654430..a70ea1bb 100644 --- a/src/tls.h +++ b/src/tls.h 
@@ -316,4 +316,48 @@ int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf);
 */
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
 
+/**
+ * Return buffer with HMAC hash.
+ *
+ * @param algorithm hash algorithm to use (GETDNS_HMAC_?).
+ * @param key the key.
+ * @param key_size the key size.
+ * @param data the data to hash.
+ * @param data_size the data size.
+ * @param output_size the output size will be written here if not NULL.
+ * @return output malloc'd buffer with output, NULL on error.
+ */
+unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);
+
+/**
+ * Return a new HMAC handle.
+ *
+ * @param algorithm hash algorithm to use (GETDNS_HMAC_?).
+ * @param key the key.
+ * @param key_size the key size.
+ * @return HMAC handle or NULL on error.
+ */
+_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size);
+
+/**
+ * Add data to a HMAC.
+ *
+ * @param h the HMAC.
+ * @param data the data to add.
+ * @param data_size the size of data to add.
+ * @return GETDNS_RETURN_GOOD if added.
+ * @return GETDNS_RETURN_INVALID_PARAMETER if h is null or has no HMAC.
+ * @return GETDNS_RETURN_GENERIC_ERROR on error.
+ */
+getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size);
+
+/**
+ * Return the HMAC digest and free the handle.
+ *
+ * @param h the HMAC.
+ * @param output_size the output size will be written here if not NULL.
+ * @return output malloc'd buffer with output, NULL on error.
+ */
+unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size);
+
 #endif /* _GETDNS_TLS_H */
From 5e390a4b235643fe1af4ea478c48e521b5ddd5de Mon Sep 17 00:00:00 2001
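Review bot: The `_getdns_tls_hmac_end` comment promises to `free the handle`, but nothing in this API lets a caller discard a handle without finalising it, and the implementation in this patch returns early on allocation failure without freeing `h`; the contract should say the handle is always released, including when NULL is returned, and a discard counterpart would let callers abandon a HMAC cleanly after a failed `_getdns_tls_hmac_add`. Both `@return output malloc'd buffer` lines should also name who releases the buffer and with which free function, since mismatched allocators are easy to introduce once the memory functions are abstracted, e.g. ` * @return malloc'd buffer with the digest; the caller releases it with free(). NULL on error.`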
From: Jim Hague Date: Tue, 27 Nov 2018 14:41:46 +0000 Subject: [PATCH 027/108] Revise all TLS interfaces to pass in GetDNS memory functions where necessary. This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c. --- src/context.c | 12 +++--- src/openssl/tls.c | 84 +++++++++++++++++++++++++----------------- src/request-internal.c | 12 +++--- src/stub.c | 21 +++++------ src/tls.h | 44 +++++++++++++++------- src/util-internal.c | 2 +- 6 files changed, 105 insertions(+), 70 deletions(-) diff --git a/src/context.c b/src/context.c index 4ee4b5de..e5ddf9a6 100644 --- a/src/context.c +++ b/src/context.c @@ -633,11 +633,11 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams) } } if (upstream->tls_session != NULL) - _getdns_tls_session_free(upstream->tls_session); + _getdns_tls_session_free(&upstreams->mf, upstream->tls_session); if (upstream->tls_obj != NULL) { _getdns_tls_connection_shutdown(upstream->tls_obj); - _getdns_tls_connection_free(upstream->tls_obj); + _getdns_tls_connection_free(&upstreams->mf, upstream->tls_obj); } if (upstream->fd != -1) { @@ -750,7 +750,7 @@ _getdns_upstream_reset(getdns_upstream *upstream) } if (upstream->tls_obj != NULL) { _getdns_tls_connection_shutdown(upstream->tls_obj); - _getdns_tls_connection_free(upstream->tls_obj); + _getdns_tls_connection_free(&upstream->upstreams->mf, upstream->tls_obj); upstream->tls_obj = NULL; } if (upstream->fd != -1) { @@ -1681,7 +1681,7 @@ getdns_context_destroy(struct getdns_context *context) GETDNS_FREE(context->my_mf, context->dns_transports); if (context->tls_ctx) - _getdns_tls_context_free(context->tls_ctx); + _getdns_tls_context_free(&context->my_mf, context->tls_ctx); getdns_list_destroy(context->dns_root_servers); 
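Review bot: The TLS connection freed here with `&upstreams->mf` (and with `&upstream->upstreams->mf` in the `_getdns_upstream_reset` hunk and in stub.c's `tls_create_object` at +871) is allocated in `tls_create_object` with `&context->my_mf` (stub.c +830), so the object crosses allocators. If `upstreams->mf` is a copy of the context's `my_mf` this is harmless, but nothing in the diff shows that, and a custom allocator installed on the context would make the free undefined. Pick one memory-function set for the connection's lifetime — e.g. `_getdns_tls_connection_new(&upstream->upstreams->mf, context->tls_ctx, fd)` — and free with the same one on every path, including the +839 error path that currently uses `&context->my_mf`.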
@@ -3544,13 +3544,13 @@ _getdns_context_prepare_for_resolution(getdns_context *context) } if (context->tls_ctx == NULL) { - context->tls_ctx = _getdns_tls_context_new(); + context->tls_ctx = _getdns_tls_context_new(&context->my_mf); if (context->tls_ctx == NULL) return GETDNS_RETURN_BAD_CONTEXT; r = _getdns_tls_context_set_min_proto_1_2(context->tls_ctx); if (r && r != GETDNS_RETURN_NOT_IMPLEMENTED) { - _getdns_tls_context_free(context->tls_ctx); + _getdns_tls_context_free(&context->my_mf, context->tls_ctx); context->tls_ctx = NULL; return GETDNS_RETURN_BAD_CONTEXT; } diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 611fbf3b..f14603fb 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -73,14 +73,14 @@ static int _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx) return 1; } -static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert) +static _getdns_tls_x509* _getdns_tls_x509_new(struct mem_funcs* mfs, X509* cert) { _getdns_tls_x509* res; if (!cert) return NULL; - res = malloc(sizeof(_getdns_tls_x509)); + res = GETDNS_MALLOC(*mfs, _getdns_tls_x509); if (res) res->ssl = cert; @@ -187,11 +187,11 @@ void _getdns_tls_init() (void)OPENSSL_init_ssl(0, NULL); } -_getdns_tls_context* _getdns_tls_context_new() +_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs) { _getdns_tls_context* res; - if (!(res = malloc(sizeof(struct _getdns_tls_context)))) + if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context))) return NULL; /* Create client context, use TLS v1.2 only for now */ 
@@ -201,18 +201,18 @@ _getdns_tls_context* _getdns_tls_context_new() res->ssl = SSL_CTX_new(TLSv1_2_client_method()); # endif if(res->ssl == NULL) { - free(res); + GETDNS_FREE(*mfs, res); return NULL; } return res; } -getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx) +getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx) { if (!ctx || !ctx->ssl) return GETDNS_RETURN_INVALID_PARAMETER; SSL_CTX_free(ctx->ssl); - free(ctx); + GETDNS_FREE(*mfs, ctx); return GETDNS_RETURN_GOOD; } @@ -270,25 +270,25 @@ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* return GETDNS_RETURN_GENERIC_ERROR; } -_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd) +_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd) { _getdns_tls_connection* res; if (!ctx || !ctx->ssl) return NULL; - if (!(res = malloc(sizeof(struct _getdns_tls_connection)))) + if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_connection))) return NULL; res->ssl = SSL_new(ctx->ssl); if (!res->ssl) { - free(res); + GETDNS_FREE(*mfs, res); return NULL; } if (!SSL_set_fd(res->ssl, fd)) { SSL_free(res->ssl); - free(res); + GETDNS_FREE(*mfs, res); return NULL; } @@ -300,12 +300,12 @@ _getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int return res; } -getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* conn) +getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn) { if (!conn || !conn->ssl) return GETDNS_RETURN_INVALID_PARAMETER; SSL_free(conn->ssl); - free(conn); + GETDNS_FREE(*mfs, conn); return GETDNS_RETURN_GOOD; } 
@@ -353,19 +353,19 @@ getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, return GETDNS_RETURN_GOOD; } -_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn) +_getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _getdns_tls_connection* conn) { _getdns_tls_session* res; if (!conn || !conn->ssl) return NULL; - if (!(res = malloc(sizeof(struct _getdns_tls_session)))) + if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_session))) return NULL; res->ssl = SSL_get1_session(conn->ssl); if (!res->ssl) { - free(res); + GETDNS_FREE(*mfs, res); return NULL; } @@ -404,12 +404,12 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn } } -_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn) +_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(struct mem_funcs* mfs, _getdns_tls_connection* conn) { if (!conn || !conn->ssl) return NULL; - return _getdns_tls_x509_new(SSL_get_peer_certificate(conn->ssl)); + return _getdns_tls_x509_new(mfs, SSL_get_peer_certificate(conn->ssl)); } getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn) @@ -552,12 +552,12 @@ getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8 return GETDNS_RETURN_GOOD; } -getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s) +getdns_return_t _getdns_tls_session_free(struct mem_funcs* mfs, _getdns_tls_session* s) { if (!s || !s->ssl) return GETDNS_RETURN_INVALID_PARAMETER; SSL_SESSION_free(s->ssl); - free(s); + GETDNS_FREE(*mfs, s); return GETDNS_RETURN_GOOD; } 
@@ -594,22 +594,38 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict) return GETDNS_RETURN_GENERIC_ERROR; } -void _getdns_tls_x509_free(_getdns_tls_x509* cert) +void _getdns_tls_x509_free(struct mem_funcs* mfs, _getdns_tls_x509* cert) { if (cert && cert->ssl) X509_free(cert->ssl); - free(cert); + GETDNS_FREE(*mfs, cert); } -int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf) +int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata) { - if (!cert || !cert->ssl) + unsigned char* buf = NULL; + int len; + + if (!cert || !cert->ssl ) return 0; - return i2d_X509(cert->ssl, buf); + if (bindata == NULL) + return i2d_X509(cert->ssl, NULL); + + len = i2d_X509(cert->ssl, &buf); + if (len == 0 || (bindata->data = GETDNS_XMALLOC(*mfs, uint8_t, len)) == NULL) { + bindata->size = 0; + bindata->data = NULL; + } else { + bindata->size = len; + (void) memcpy(bindata->data, buf, len); + OPENSSL_free(buf); + } + + return len; } -unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size) +unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size) { const EVP_MD* digester; unsigned char* res; @@ -637,7 +653,7 @@ unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_ default : return NULL; } - res = (unsigned char*) malloc(EVP_MAX_MD_SIZE); + res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE); if (!res) return NULL; @@ -648,7 +664,7 @@ unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_ return res; } -_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size) +_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size) { const EVP_MD *digester; _getdns_tls_hmac* res; 
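Review bot: `_getdns_tls_x509_to_der` tests `len == 0`, but `i2d_X509()` reports failure with a negative value, so on an encoding error `GETDNS_XMALLOC(*mfs, uint8_t, len)` is called with a negative count and, should that allocation succeed, `bindata->size` is set from the negative `len` and `memcpy` reads far past `buf`. `OPENSSL_free(buf)` is also skipped on the allocation-failure branch, leaking the DER buffer OpenSSL handed back. Encoding directly into getdns-owned memory with the length-query-then-encode `i2d_X509` idiom removes the OpenSSL buffer and the copy, keeps the `bindata == NULL` length query, and reports 0 whenever `bindata` was not filled:
```c
int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata)
{
	unsigned char* p;
	int len;

	if (!cert || !cert->ssl)
		return 0;

	/* Length-only query; i2d_X509() returns a negative value on error. */
	len = i2d_X509(cert->ssl, NULL);
	if (bindata == NULL)
		return len;

	bindata->size = 0;
	bindata->data = NULL;
	if (len <= 0)
		return 0;

	/* Encode straight into getdns-owned memory: no OPENSSL_free() needed. */
	if ((bindata->data = GETDNS_XMALLOC(*mfs, uint8_t, len)) == NULL)
		return 0;
	p = bindata->data;
	if (i2d_X509(cert->ssl, &p) != len) {
		GETDNS_FREE(*mfs, bindata->data);
		bindata->data = NULL;
		return 0;
	}
	bindata->size = len;
	return len;
}
```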
@@ -675,13 +691,13 @@ _getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t ke default : return NULL; } - if (!(res = malloc(sizeof(struct _getdns_tls_hmac)))) + if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac))) return NULL; #ifdef HAVE_HMAC_CTX_NEW res->ctx = HMAC_CTX_new(); if (!res->ctx) { - free(res); + GETDNS_FREE(*mfs, res); return NULL; } #else @@ -692,7 +708,7 @@ _getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t ke #ifdef HAVE_HMAC_CTX_NEW HMAC_CTX_free(res->ctx); #endif - free(res); + GETDNS_FREE(*mfs, res); return NULL; } @@ -710,12 +726,12 @@ getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size return GETDNS_RETURN_GOOD; } -unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size) +unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size) { unsigned char* res; unsigned int md_len; - res = (unsigned char*) malloc(EVP_MAX_MD_SIZE); + res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE); if (!res) return NULL; @@ -724,7 +740,7 @@ unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size) #ifdef HAVE_HMAC_CTX_NEW HMAC_CTX_free(h->ctx); #endif - free(h); + GETDNS_FREE(*mfs, h); if (output_size) *output_size = md_len; diff --git a/src/request-internal.c b/src/request-internal.c index 1b2a7cb4..76ce6e3e 100644 --- a/src/request-internal.c +++ b/src/request-internal.c @@ -125,7 +125,7 @@ network_req_cleanup(getdns_network_req *net_req) GETDNS_FREE(net_req->owner->my_mf, net_req->response); if (net_req->debug_tls_peer_cert.size && net_req->debug_tls_peer_cert.data) - OPENSSL_free(net_req->debug_tls_peer_cert.data); + GETDNS_FREE(net_req->owner->my_mf, net_req->debug_tls_peer_cert.data); } static uint8_t * 
@@ -435,7 +435,7 @@ _getdns_network_req_add_tsig(getdns_network_req *req) gldns_buffer_write_u16(&gbuf, 0); /* Error */ gldns_buffer_write_u16(&gbuf, 0); /* Other len */ - md_buf = _getdns_tls_hmac_hash(upstream->tsig_alg, upstream->tsig_key, upstream->tsig_size, (void *)req->query, gldns_buffer_current(&gbuf) - req->query, &md_len); + md_buf = _getdns_tls_hmac_hash(&req->owner->my_mf, upstream->tsig_alg, upstream->tsig_key, upstream->tsig_size, (void *)req->query, gldns_buffer_current(&gbuf) - req->query, &md_len); if (!md_buf) return req->response - req->query; @@ -457,7 +457,7 @@ _getdns_network_req_add_tsig(getdns_network_req *req) gldns_buffer_write_u16(&gbuf, 0); /* Error */ gldns_buffer_write_u16(&gbuf, 0); /* Other len */ - free(md_buf); + GETDNS_FREE(req->owner->my_mf, md_buf); if (gldns_buffer_position(&gbuf) > gldns_buffer_limit(&gbuf)) return req->response - req->query; @@ -595,14 +595,14 @@ _getdns_network_validate_tsig(getdns_network_req *req) gldns_read_uint16(req->response + 10) - 1); gldns_write_uint16(req->response, original_id); - hmac = _getdns_tls_hmac_new(req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size); + hmac = _getdns_tls_hmac_new(&req->owner->my_mf, req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size); if (!hmac) return; _getdns_tls_hmac_add(hmac, request_mac - 2, request_mac_len + 2); _getdns_tls_hmac_add(hmac, req->response, rr->pos - req->response); _getdns_tls_hmac_add(hmac, tsig_vars, gldns_buffer_position(&gbuf)); - result_mac = _getdns_tls_hmac_end(hmac, &result_mac_len); + result_mac = _getdns_tls_hmac_end(&req->owner->my_mf, hmac, &result_mac_len); if (!result_mac) return; 
@@ -612,6 +612,8 @@ _getdns_network_validate_tsig(getdns_network_req *req) memcmp(result_mac, response_mac, result_mac_len) == 0) req->tsig_status = GETDNS_DNSSEC_SECURE; + GETDNS_FREE(req->owner->my_mf, result_mac); + gldns_write_uint16(req->response, gldns_read_uint16(req->query)); gldns_write_uint16(req->response + 10, gldns_read_uint16(req->response + 10) + 1); diff --git a/src/stub.c b/src/stub.c index ca4c55d0..3bbcc53f 100644 --- a/src/stub.c +++ b/src/stub.c @@ -830,7 +830,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) getdns_context *context = dnsreq->context; if (context->tls_ctx == NULL) return NULL; - _getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd); + _getdns_tls_connection* tls = _getdns_tls_connection_new(&context->my_mf, context->tls_ctx, fd); if(!tls) return NULL; #if HAVE_TLS_CONN_CURVES_LIST @@ -839,7 +839,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) #endif /* make sure we'll be able to find the context again when we need it */ if (_getdns_associate_upstream_with_connection(tls, upstream) != GETDNS_RETURN_GOOD) { - _getdns_tls_connection_free(tls); + _getdns_tls_connection_free(&context->my_mf, tls); return NULL; } @@ -871,7 +871,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) "%-40s : Verify fail: *CONFIG ERROR* - No auth name or pinset provided for this upstream for Strict TLS authentication\n", upstream->addr_str); upstream->tls_hs_state = GETDNS_HS_FAILED; - _getdns_tls_connection_free(tls); + _getdns_tls_connection_free(&upstream->upstreams->mf, tls); upstream->tls_auth_state = GETDNS_AUTH_FAILED; return NULL; } 
@@ -947,7 +947,7 @@ tls_do_handshake(getdns_upstream *upstream) upstream->tls_auth_state = upstream->last_tls_auth_state; else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) { - _getdns_tls_x509* peer_cert = _getdns_tls_connection_get_peer_certificate(upstream->tls_obj); + _getdns_tls_x509* peer_cert = _getdns_tls_connection_get_peer_certificate(&upstream->upstreams->mf, upstream->tls_obj); if (!peer_cert) { _getdns_upstream_log(upstream, @@ -994,7 +994,7 @@ tls_do_handshake(getdns_upstream *upstream) "%-40s : Verify passed : TLS\n", upstream->addr_str); } - _getdns_tls_x509_free(peer_cert); + _getdns_tls_x509_free(&upstream->upstreams->mf, peer_cert); } if (upstream->tls_auth_state == GETDNS_AUTH_FAILED && !upstream->tls_fallback_ok) @@ -1008,8 +1008,8 @@ tls_do_handshake(getdns_upstream *upstream) upstream->conn_state = GETDNS_CONN_OPEN; upstream->conn_completed++; if (upstream->tls_session != NULL) - _getdns_tls_session_free(upstream->tls_session); - upstream->tls_session = _getdns_tls_connection_get_session(upstream->tls_obj); + _getdns_tls_session_free(&upstream->upstreams->mf, upstream->tls_session); + upstream->tls_session = _getdns_tls_connection_get_session(&upstream->upstreams->mf, upstream->tls_obj); /* Reset timeout on success*/ GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); upstream->event.read_cb = NULL; 
@@ -1634,10 +1634,9 @@ upstream_write_cb(void *userarg) if (netreq->owner->return_call_reporting && netreq->upstream->tls_obj) { if (netreq->debug_tls_peer_cert.data == NULL && - (cert = _getdns_tls_connection_get_peer_certificate(netreq->upstream->tls_obj))) { - netreq->debug_tls_peer_cert.size = _getdns_tls_x509_to_der( - cert, &netreq->debug_tls_peer_cert.data); - _getdns_tls_x509_free(cert); + (cert = _getdns_tls_connection_get_peer_certificate(&upstream->upstreams->mf, netreq->upstream->tls_obj))) { + _getdns_tls_x509_to_der(&upstream->upstreams->mf, cert, &netreq->debug_tls_peer_cert); + _getdns_tls_x509_free(&upstream->upstreams->mf, cert); } netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj); } diff --git a/src/tls.h b/src/tls.h index a70ea1bb..8adc47e7 100644 --- a/src/tls.h +++ b/src/tls.h @@ -55,18 +55,20 @@ void _getdns_tls_init(); /** * Create a new TLS context. * + * @param mfs point to getdns memory functions. * @return pointer to new context or NULL on error. */ -_getdns_tls_context* _getdns_tls_context_new(); +_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs); /** * Free a TLS context. * + * @param mfs point to getdns memory functions. * @param ctx the context to free. * @return GETDNS_RETURN_GOOD on success. * @return GETDNS_RETURN_INVALID_PARAMETER if ctx is invalid. */ -getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx); +getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx); /** * Set TLS 1.2 as minimum TLS version. 
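Review bot: `_getdns_tls_x509_to_der` still returns a length with 0 meaning error (tls.h, -289 hunk), but the -1634 hunk discards it, so a failed conversion leaves `debug_tls_peer_cert` in whatever state the callee left it and the old `size` assignment has no replacement. Either guard the call, `if (!_getdns_tls_x509_to_der(&upstream->upstreams->mf, cert, &netreq->debug_tls_peer_cert)) netreq->debug_tls_peer_cert.size = 0;`, or have the callee guarantee a zeroed bindata on failure and document that in tls.h. The new calls also mix `upstream->upstreams->mf` with `netreq->upstream->tls_obj`; presumably `upstream` is a local equal to `netreq->upstream`, but one spelling avoids the question. `upstream_write_cb` begins before the hunk.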
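Review bot: The two new `@param mfs` lines in the -55 hunk read `point to getdns memory functions` while every later hunk in this header uses `pointer to getdns memory functions`; `* @param mfs pointer to getdns memory functions.` keeps the file consistent. Since the context is now allocated through `mfs`, the comment on `_getdns_tls_context_free` should also state that the same `mfs` used for `_getdns_tls_context_new` must be passed, which is the contract the callers in this series appear to rely on.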
@@ -121,20 +123,22 @@ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* /** * Create a new TLS connection and associate it with a file descriptior. * + * @param mfs pointer to getdns memory functions. * @param ctx the context. * @param fd the file descriptor to associate with the connection. * @return pointer to new connection or NULL on error. */ -_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd); +_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd); /** * Free a TLS connection. * + * @param mfs pointer to getdns memory functions. * @param conn the connection to free. * @return GETDNS_RETURN_GOOD on success. * @return GETDNS_RETURN_INVALID_PARAMETER if conn is invalid. */ -getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx); +getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn); /** * Shut down a TLS connection. @@ -184,10 +188,11 @@ getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, /** * Get the session for this connection. * + * @param mfs pointer to getdns memory functions. * @param conn the connection. * @return pointer to the session or NULL on error. */ -_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn); +_getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _getdns_tls_connection* conn); /** * Report the TLS version of the connection. 
@@ -212,10 +217,11 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn /** * Get the connection peer certificate. * + * @param mfs pointer to getdns memory functions. * @param conn the connection. * @return certificate or NULL on error. */ -_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn); +_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(struct mem_funcs* mfs, _getdns_tls_connection* conn); /** * See whether the connection is reusing a session. @@ -289,23 +295,32 @@ getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_ */ getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written); -getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s); +/** + * Free a session. + * + * @param mfs pointer to getdns memory functions. + * @param s the session. + * @return GETDNS_RETURN_GOOD on success. + * @return GETDNS_RETURN_INVALID_PARAMETER if s is null or has no SSL. + */ +getdns_return_t _getdns_tls_session_free(struct mem_funcs* mfs, _getdns_tls_session* s); /** * Free X509 certificate. * + * @param mfs pointer to getdns memory functions. * @param cert the certificate. */ -void _getdns_tls_x509_free(_getdns_tls_x509* cert); +void _getdns_tls_x509_free(struct mem_funcs* mfs, _getdns_tls_x509* cert); /** * Convert X509 to DER. * * @param cert the certificate. - * @param buf buffer to receive conversion. NULL to just get the length. + * @param buf buffer to receive conversion. * @return length of conversion, 0 on error. */ -int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf); +int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata); /** * Fill in dictionary with TLS API information. 
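Review bot: The doc comment for `_getdns_tls_x509_to_der` in the -289 hunk is out of date: the prototype now takes `mfs` and a `getdns_bindata* bindata`, but the comment still documents a `buf` parameter and says nothing about `mfs` or about who owns the DER bytes afterwards. Suggest `* @param mfs pointer to getdns memory functions.` and `* @param bindata receives the DER data.`, dropping the `@param buf` line, and keeping `@return` only if the function still returns the length on success and 0 on error (the tls.c side of this change is not in view). The ownership sentence should be added once confirmed against tls.c; the util-internal.c -933 hunk frees the data with `GETDNS_FREE`, which suggests the buffer is allocated with `mfs` and must be released with the same functions.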
@@ -319,6 +334,7 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict); /** * Return buffer with HMAC hash. * + * @param mfs pointer to getdns memory functions. * @param algorithm hash algorithm to use (GETDNS_HMAC_?). * @param key the key. * @param key_size the key size. @@ -327,17 +343,18 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict); * @param output_size the output size will be written here if not NULL. * @return output malloc'd buffer with output, NULL on error. */ -unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size); +unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size); /** * Return a new HMAC handle. * + * @param mfs pointer to getdns memory functions. * @param algorithm hash algorithm to use (GETDNS_HMAC_?). * @param key the key. * @param key_size the key size. * @return HMAC handle or NULL on error. */ -_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size); +_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size); /** * Add data to a HMAC. @@ -354,10 +371,11 @@ getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size /** * Return the HMAC digest and free the handle. * + * @param mfs pointer to getdns memory functions. * @param h the HMAC. * @param output_size the output size will be written here if not NULL. * @return output malloc'd buffer with output, NULL on error. */ -unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size); +unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size); #endif /* _GETDNS_TLS_H */ diff --git a/src/util-internal.c b/src/util-internal.c index 0bceb002..a1cc11c5 100644 --- a/src/util-internal.c 
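Review bot: The `@return output malloc'd buffer` lines for `_getdns_tls_hmac_hash` (-327 hunk) and `_getdns_tls_hmac_end` (-354 hunk) are now misleading: both buffers come from `GETDNS_XMALLOC(*mfs, …)` in the tls.c hunks later in this series, and the callers in request-internal.c release them with `GETDNS_FREE` and the same mem_funcs, not `free()`. Suggest `* @return buffer allocated via mfs holding the output, NULL on error; release with GETDNS_FREE and the same mfs.` in both places. `_getdns_tls_hmac_end` should also say whether the handle is freed when it returns NULL; its body is not in view, so that needs checking before the sentence is written.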
+++ b/src/util-internal.c @@ -933,7 +933,7 @@ _getdns_create_call_reporting_dict( return NULL; } netreq->debug_tls_peer_cert.size = 0; - OPENSSL_free(netreq->debug_tls_peer_cert.data); + GETDNS_FREE(context->my_mf, netreq->debug_tls_peer_cert.data); netreq->debug_tls_peer_cert.data = NULL; return netreq_debug; } From 0cdede21df0269530d5ef94b11ff5f5c2d3e1dfd Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 27 Nov 2018 15:29:48 +0000 Subject: [PATCH 028/108] Abstract SHA1 calculation. --- src/dnssec.c | 5 +++-- src/openssl/tls.c | 5 +++++ src/tls.h | 10 ++++++++++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/dnssec.c b/src/dnssec.c index 0e0e9ba1..4e0f2af3 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -209,6 +209,7 @@ #include "list.h" #include "util/val_secalgo.h" #include "anchor.h" +#include "tls.h" #define SIGNATURE_VERIFIED 0x10000 #define NSEC3_ITERATION_COUNT_HIGH 0x20000 @@ -1582,12 +1583,12 @@ static uint8_t *_getdns_nsec3_hash_label(uint8_t *label, size_t label_len, (void)memcpy(dst, salt + 1, *salt); dst += *salt; - (void)SHA1(buf, dst - buf, md); + _getdns_tls_sha1(buf, dst - buf, md); if (iterations) { (void)memcpy(buf + SHA_DIGEST_LENGTH, salt + 1, *salt); while (iterations--) { (void)memcpy(buf, md, SHA_DIGEST_LENGTH); - SHA1(buf, SHA_DIGEST_LENGTH + *salt, md); + _getdns_tls_sha1(buf, SHA_DIGEST_LENGTH + *salt, md); } } *label = gldns_b32_ntop_extended_hex( diff --git a/src/openssl/tls.c b/src/openssl/tls.c index f14603fb..d3e61e5e 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -747,4 +747,9 @@ unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, return res; } +void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf) +{ + SHA1(data, data_size, buf); +} + /* tls.c */ diff --git a/src/tls.h b/src/tls.h index 8adc47e7..fae8e939 100644 --- a/src/tls.h +++ b/src/tls.h 
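Review bot: The -1582 hunk in dnssec.c routes hashing through `_getdns_tls_sha1` but still sizes its buffers with OpenSSL's `SHA_DIGEST_LENGTH`, and the new header comment (tls.h, -378 hunk of the next file) states the minimum buffer size in terms of that same macro, so dnssec.c remains tied to the OpenSSL headers the abstraction is meant to hide. A TLS-layer constant for the SHA-1 digest length, defined next to `GETDNS_TLS_MAX_DIGEST_LENGTH` in tls-internal.h and used both in dnssec.c and in the tls.h comment, would complete the abstraction. The wrapper in tls.c has no comment of its own; `/* SHA-1 of data_size bytes at data, written to buf; contract in tls.h. */` is enough. The low-level `SHA1()` call is deprecated in OpenSSL 3.0, and this wrapper being the single call site makes it the natural place to move to the EVP interface later. `_getdns_nsec3_hash_label` begins before and ends after the hunk.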
@@ -378,4 +378,14 @@ getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size */ unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size); +/** + * Calculate a SHA1 hash. + * + * @param data the data to hash. + * @param data_size the size of the data to hash. + * @param buf the buffer to receive the hash. Must be at least + * SHA_DIGEST_LENGTH bytes. + */ +void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf); + #endif /* _GETDNS_TLS_H */ From af962228fcf25e3f1bbdceff1a857b5c3394e247 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 27 Nov 2018 15:31:05 +0000 Subject: [PATCH 029/108] Abstract maximum digest length. --- src/openssl/tls-internal.h | 3 +++ src/openssl/tls.c | 2 +- src/request-internal.c | 7 ++++--- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h index 59b5b292..4b4b4b49 100644 --- a/src/openssl/tls-internal.h +++ b/src/openssl/tls-internal.h @@ -34,6 +34,7 @@ #ifndef _GETDNS_TLS_INTERNAL_H #define _GETDNS_TLS_INTERNAL_H +#include #include #include #include @@ -51,6 +52,8 @@ #define HAVE_TLS_CONN_CURVES_LIST (HAVE_DECL_SSL_SET1_CURVES_LIST) #endif +#define GETDNS_TLS_MAX_DIGEST_LENGTH (EVP_MAX_MD_SIZE) + typedef struct _getdns_tls_context { SSL_CTX* ssl; } _getdns_tls_context; diff --git a/src/openssl/tls.c b/src/openssl/tls.c index d3e61e5e..9569fe89 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -653,7 +653,7 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const default : return NULL; } - res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE); + res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH); if (!res) return NULL; diff --git a/src/request-internal.c b/src/request-internal.c index 76ce6e3e..c0f347af 100644 --- a/src/request-internal.c +++ b/src/request-internal.c 
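Review bot: `GETDNS_TLS_MAX_DIGEST_LENGTH` is introduced in the backend-private `openssl/tls-internal.h` (-51 hunk) but consumed by backend-neutral code (`MAXIMUM_TSIG_SPACE` in request-internal.c, -54 hunk of the next file), so every future TLS backend must remember to define it and an omission surfaces only as a compile error inside a size computation. A guard in tls.h, `#ifndef GETDNS_TLS_MAX_DIGEST_LENGTH` / `#error "TLS backend must define GETDNS_TLS_MAX_DIGEST_LENGTH"` / `#endif`, states the contract explicitly. The `#include` added in the -34 hunk has lost its header name in this rendering, so it cannot be checked here.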
@@ -44,6 +44,7 @@ #include "debug.h" #include "convert.h" #include "general.h" +#include "tls.h" /* MAXIMUM_TSIG_SPACE = TSIG name (dname) : 256 * TSIG type (uint16_t) : 2 @@ -54,15 +55,15 @@ * Time Signed (uint48_t) : 6 * Fudge (uint16_t) : 2 * Mac Size (uint16_t) : 2 - * Mac (variable) : EVP_MAX_MD_SIZE + * Mac (variable) : GETDNS_TLS_MAX_DIGEST_LENGTH * Original Id (uint16_t) : 2 * Error (uint16_t) : 2 * Other Len (uint16_t) : 2 * Other Data (nothing) : 0 * ---- + - * 538 + EVP_MAX_MD_SIZE + * 538 + GETDNS_TLS_MAX_DIGEST_LENGTH */ -#define MAXIMUM_TSIG_SPACE (538 + EVP_MAX_MD_SIZE) +#define MAXIMUM_TSIG_SPACE (538 + GETDNS_TLS_MAX_DIGEST_LENGTH) getdns_dict dnssec_ok_checking_disabled_spc = { { RBTREE_NULL, 0, (int (*)(const void *, const void *)) strcmp }, From 26bcddd02916b8f5a910063c2db898be026d11b9 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 27 Nov 2018 15:31:33 +0000 Subject: [PATCH 030/108] Abstract cookie SHA256 calculation. --- src/openssl/tls.c | 19 ++++++++++++++++++- src/stub.c | 14 +++----------- src/tls.h | 11 +++++++++++ 3 files changed, 32 insertions(+), 12 deletions(-) diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 9569fe89..72e8645b 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -731,7 +731,7 @@ unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, unsigned char* res; unsigned int md_len; - res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE); + res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH); if (!res) return NULL; 
@@ -752,4 +752,21 @@ void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
 SHA1(data, data_size, buf);
 }
 
+void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen)
+{
+ const EVP_MD *md;
+ EVP_MD_CTX *mdctx;
+ unsigned int md_len;
+
+ md = EVP_sha256();
+ mdctx = EVP_MD_CTX_create();
+ EVP_DigestInit_ex(mdctx, md, NULL);
+ EVP_DigestUpdate(mdctx, &secret, sizeof(secret));
+ EVP_DigestUpdate(mdctx, addr, addrlen);
+ EVP_DigestFinal_ex(mdctx, buf, &md_len);
+ EVP_MD_CTX_destroy(mdctx);
+
+ *buflen = md_len;
+}
+
 /* tls.c */
diff --git a/src/stub.c b/src/stub.c
index 3bbcc53f..f1421edb 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -121,10 +121,8 @@ rollover_secret()
 static void
 calc_new_cookie(getdns_upstream *upstream, uint8_t *cookie)
 {
- const EVP_MD *md;
- EVP_MD_CTX *mdctx;
- unsigned char md_value[EVP_MAX_MD_SIZE];
- unsigned int md_len;
+ unsigned char md_value[GETDNS_TLS_MAX_DIGEST_LENGTH];
+ size_t md_len;
 size_t i;
 sa_family_t af = upstream->addr.ss_family;
 void *sa_addr = ((struct sockaddr*)&upstream->addr)->sa_data;
@@ -132,13 +130,7 @@ calc_new_cookie(getdns_upstream *upstream, uint8_t *cookie)
 : af == AF_INET ? sizeof(struct sockaddr_in)
 : 0 ) - sizeof(sa_family_t);
 
- md = EVP_sha256();
- mdctx = EVP_MD_CTX_create();
- EVP_DigestInit_ex(mdctx, md, NULL);
- EVP_DigestUpdate(mdctx, &secret, sizeof(secret));
- EVP_DigestUpdate(mdctx, sa_addr, addr_len);
- EVP_DigestFinal_ex(mdctx, md_value, &md_len);
- EVP_MD_CTX_destroy(mdctx);
+ _getdns_tls_cookie_sha256(secret, sa_addr, addr_len, md_value, &md_len);
 
 (void) memset(cookie, 0, 8);
 for (i = 0; i < md_len; i++)
diff --git a/src/tls.h b/src/tls.h
index fae8e939..434d79fb 100644
--- a/src/tls.h
+++ b/src/tls.h
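Review bot: `_getdns_tls_cookie_sha256` never checks `EVP_MD_CTX_create()` for NULL nor the results of `EVP_DigestInit_ex`/`EVP_DigestUpdate`/`EVP_DigestFinal_ex`, so an allocation failure dereferences NULL and a digest failure copies an uninitialised `md_len` into `*buflen`; in the caller (`calc_new_cookie`, -132 hunk) a zero or garbage `md_len` then silently produces an all-zero or out-of-bounds-read cookie. Since the function is new, returning `getdns_return_t`, writing `*buflen = 0` on every failure path, and having `calc_new_cookie` check the result before its loop keeps a failed hash from turning into a predictable cookie; the prototype in tls.h (-388 hunk of the next file) changes accordingly and its comment should state that `buf` must hold at least `GETDNS_TLS_MAX_DIGEST_LENGTH` bytes, which is what `calc_new_cookie` provides. The `secret` is hashed in host byte order, unchanged from the code being replaced.
```c
getdns_return_t _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen)
{
	const EVP_MD *md = EVP_sha256();
	EVP_MD_CTX *mdctx;
	unsigned int md_len = 0;
	int ok;

	*buflen = 0;
	mdctx = EVP_MD_CTX_create();
	if (!mdctx)
		return GETDNS_RETURN_MEMORY_ERROR;
	/* EVP_* return 1 on success; any failure leaves buf unspecified, so report it. */
	ok = EVP_DigestInit_ex(mdctx, md, NULL)
	  && EVP_DigestUpdate(mdctx, &secret, sizeof(secret))
	  && EVP_DigestUpdate(mdctx, addr, addrlen)
	  && EVP_DigestFinal_ex(mdctx, buf, &md_len);
	EVP_MD_CTX_destroy(mdctx);
	if (!ok)
		return GETDNS_RETURN_GENERIC_ERROR;
	*buflen = md_len;
	return GETDNS_RETURN_GOOD;
}
```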
@@ -388,4 +388,15 @@ unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, */ void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf); +/** + * Calculate SHA256 for cookie. + * + * @param secret the secret. + * @param addr the address. + * @param addrlen the address length. + * @param buf buffer to receive hash. + * @param buflen receive the hash length. + */ +void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen); + #endif /* _GETDNS_TLS_H */ From c101a7a0210bd0d3e287de9b7513e7fd806a5e3a Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 27 Nov 2018 15:41:23 +0000 Subject: [PATCH 031/108] Abstract context DANE initialisation. --- src/context.c | 9 +-------- src/openssl/tls.c | 12 ++++++++++++ src/tls.h | 8 +++++++- 3 files changed, 20 insertions(+), 9 deletions(-) diff --git a/src/context.c b/src/context.c index e5ddf9a6..ddda54de 100644 --- a/src/context.c +++ b/src/context.c @@ -3572,14 +3572,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context) if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) return GETDNS_RETURN_BAD_CONTEXT; } -# if defined(STUB_DEBUG) && STUB_DEBUG - int osr = -# else - (void) -# endif - SSL_CTX_dane_enable(context->tls_ctx->ssl); - DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n" - , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); + _getdns_tls_context_dane_init(context->tls_ctx); } } diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 72e8645b..2387faf4 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c 
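Review bot: `_getdns_tls_context_dane_init` (tls.c -216 hunk of the next file) is void and, outside STUB_DEBUG builds, discards the `SSL_CTX_dane_enable` result, so the call added in `_getdns_context_prepare_for_resolution` (-3572 hunk) cannot learn that DANE was not enabled; the context lines just above it return `GETDNS_RETURN_BAD_CONTEXT` when authentication is required, yet a failed DANE enable proceeds silently. Suggest returning a status from the wrapper, `return SSL_CTX_dane_enable(ctx->ssl) > 0 ? GETDNS_RETURN_GOOD : GETDNS_RETURN_GENERIC_ERROR;`, having the caller treat failure like the other TLS setup errors in that block, and adding a `@return` line to the tls.h comment in the -70 hunk. The commit only moves this behaviour, but the new abstraction boundary is the right place to stop the silent failure. `_getdns_context_prepare_for_resolution` begins before the hunk.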
@@ -216,6 +216,18 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont return GETDNS_RETURN_GOOD; } +void _getdns_tls_context_dane_init(_getdns_tls_context* ctx) +{ +# if defined(STUB_DEBUG) && STUB_DEBUG + int osr = +# else + (void) +# endif + SSL_CTX_dane_enable(ctx->ssl); + DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n" + , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); +} + getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx) { #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION diff --git a/src/tls.h b/src/tls.h index 434d79fb..7a98a140 100644 --- a/src/tls.h +++ b/src/tls.h @@ -70,6 +70,13 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs); */ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx); +/** + * Initialise any shared state for DANE checking. + * + * @param ctx the context to initialise. + */ +void _getdns_tls_context_dane_init(_getdns_tls_context* ctx); + /** * Set TLS 1.2 as minimum TLS version. * @@ -103,7 +110,6 @@ getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, co */ getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list); - /** * Set certificate authority details. * From e60d8526371424fed330e8f1f22047d7e16f8dc7 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 27 Nov 2018 16:55:33 +0000 Subject: [PATCH 032/108] Common OpenSSL digester selection. --- src/openssl/tls.c | 79 +++++++++++++++++++++-------------------------- 1 file changed, 35 insertions(+), 44 deletions(-) diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 2387faf4..de913b42 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c 
@@ -87,6 +87,35 @@ static _getdns_tls_x509* _getdns_tls_x509_new(struct mem_funcs* mfs, X509* cert)
 return res;
 }
 
+static const EVP_MD* get_digester(int algorithm)
+{
+ const EVP_MD* digester;
+
+ switch (algorithm) {
+#ifdef HAVE_EVP_MD5
+ case GETDNS_HMAC_MD5 : digester = EVP_md5() ; break;
+#endif
+#ifdef HAVE_EVP_SHA1
+ case GETDNS_HMAC_SHA1 : digester = EVP_sha1() ; break;
+#endif
+#ifdef HAVE_EVP_SHA224
+ case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break;
+#endif
+#ifdef HAVE_EVP_SHA256
+ case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break;
+#endif
+#ifdef HAVE_EVP_SHA384
+ case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break;
+#endif
+#ifdef HAVE_EVP_SHA512
+ case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break;
+#endif
+ default : digester = NULL;
+ }
+
+ return digester;
+}
+
 #ifdef USE_WINSOCK
 /* For windows, the CA trust store is not read by openssl.
 Add code to open the trust store using wincrypt API and add
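Review bot: `get_digester` carries no comment and, unlike the static helper named in the hunk header (`_getdns_tls_x509_new`), does not follow the file's `_getdns_tls_` prefix, so it reads like an unrelated public symbol when grepping. A header line such as `/* Map a GETDNS_HMAC_* id to the OpenSSL digest; NULL when the algorithm is unknown or compiled out. */` documents the NULL contract that both callers (the -639 and -678 hunks later in this patch) now rely on. An explicit `break;` after the `default` assignment would also keep the cases uniform.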
@@ -639,31 +668,12 @@ int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdn unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size) { - const EVP_MD* digester; + const EVP_MD* digester = get_digester(algorithm); unsigned char* res; unsigned int md_len; - switch (algorithm) { -#ifdef HAVE_EVP_MD5 - case GETDNS_HMAC_MD5 : digester = EVP_md5() ; break; -#endif -#ifdef HAVE_EVP_SHA1 - case GETDNS_HMAC_SHA1 : digester = EVP_sha1() ; break; -#endif -#ifdef HAVE_EVP_SHA224 - case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break; -#endif -#ifdef HAVE_EVP_SHA256 - case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break; -#endif -#ifdef HAVE_EVP_SHA384 - case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break; -#endif -#ifdef HAVE_EVP_SHA512 - case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break; -#endif - default : return NULL; - } + if (!digester) + return NULL; res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH); if (!res) 
@@ -678,30 +688,11 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const _getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size) { - const EVP_MD *digester; + const EVP_MD *digester = get_digester(algorithm); _getdns_tls_hmac* res; - switch (algorithm) { -#ifdef HAVE_EVP_MD5 - case GETDNS_HMAC_MD5 : digester = EVP_md5() ; break; -#endif -#ifdef HAVE_EVP_SHA1 - case GETDNS_HMAC_SHA1 : digester = EVP_sha1() ; break; -#endif -#ifdef HAVE_EVP_SHA224 - case GETDNS_HMAC_SHA224: digester = EVP_sha224(); break; -#endif -#ifdef HAVE_EVP_SHA256 - case GETDNS_HMAC_SHA256: digester = EVP_sha256(); break; -#endif -#ifdef HAVE_EVP_SHA384 - case GETDNS_HMAC_SHA384: digester = EVP_sha384(); break; -#endif -#ifdef HAVE_EVP_SHA512 - case GETDNS_HMAC_SHA512: digester = EVP_sha512(); break; -#endif - default : return NULL; - } + if (!digester) + return NULL; if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac))) return NULL; From c4a3f758444a97c72a1e7688d1064f9161856319 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 27 Nov 2018 18:03:27 +0000 Subject: [PATCH 033/108] Correct make depend generation for TLS directory. --- src/Makefile.in | 64 ++++++++++++++++++++++++------------------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/src/Makefile.in b/src/Makefile.in index 88a239ac..05e32b6f 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -279,7 +279,7 @@ depend: -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \ -e 's? util/? $$(srcdir)/util/?g' \ -e 's? jsmn/? $$(srcdir)/jsmn/?g' \ - -e 's? $$(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g' \ + -e 's? $(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g' \ -e 's? yxml/? $$(srcdir)/yxml/?g' \ -e 's? extension/? $$(srcdir)/extension/?g' \ -e 's? \.\./stubby/? $$(stubbysrcdir)/?g' \ 
@@ -311,7 +311,7 @@ context.lo context.o: $(srcdir)/context.c config.h \ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h \ $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h convert.lo convert.o: $(srcdir)/convert.c config.h \ @@ -321,7 +321,7 @@ convert.lo convert.o: $(srcdir)/convert.c config.h \ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ - $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h \ $(srcdir)/debug.h dict.lo dict.o: $(srcdir)/dict.c config.h \ 
@@ -331,7 +331,7 @@ dict.lo dict.o: $(srcdir)/dict.c config.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \ $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ $(srcdir)/debug.h getdns/getdns.h \ @@ -340,9 +340,9 @@ dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \ $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h general.lo general.o: $(srcdir)/general.c config.h \ $(srcdir)/general.h getdns/getdns.h \ 
@@ -351,7 +351,7 @@ general.lo general.o: $(srcdir)/general.c config.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \ getdns/getdns.h \ @@ -360,7 +360,7 @@ list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \ config.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h mdns.lo mdns.o: $(srcdir)/mdns.c config.h \ $(srcdir)/debug.h $(srcdir)/context.h \ getdns/getdns.h \ 
@@ -368,7 +368,7 @@ mdns.lo mdns.o: $(srcdir)/mdns.c config.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/general.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \ config.h @@ -379,7 +379,7 @@ request-internal.lo request-internal.o: $(srcdir)/request-internal.c \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/rrdef.h \ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ config.h \ 
@@ -389,7 +389,7 @@ rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \ - $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dict.h + $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ config.h \ getdns/getdns.h \ @@ -400,7 +400,7 @@ server.lo server.o: $(srcdir)/server.c config.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/debug.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/debug.h \ $(srcdir)/util-internal.h $(srcdir)/platform.h stub.lo stub.o: $(srcdir)/stub.c config.h \ $(srcdir)/debug.h $(srcdir)/stub.h \ 
@@ -411,7 +411,7 @@ stub.lo stub.o: $(srcdir)/stub.c config.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \ $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \ - $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \ + $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \ $(srcdir)/pubkey-pinning.h sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \ config.h $(srcdir)/context.h \ @@ -419,7 +419,7 @@ sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/general.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \ $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \ config.h 
@@ -431,13 +431,13 @@ util-internal.lo util-internal.o: $(srcdir)/util-internal.c \ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ - $(srcdir)/openssl/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \ + $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \ $(srcdir)/gldns/rrdef.h gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ config.h $(srcdir)/gldns/gbuffer.h keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ config.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h + $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h parse.lo parse.o: $(srcdir)/gldns/parse.c \ config.h $(srcdir)/gldns/parse.h \ $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h @@ -453,7 +453,7 @@ str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \ wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \ config.h $(srcdir)/gldns/wire2str.h \ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \ - $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h $(srcdir)/openssl/keyraw-internal.h + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \ config.h arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \ 
@@ -499,44 +499,44 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/orig-headers/rbtree.h jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h -anchor.lo anchor.o: $(srcdir)/openssl/anchor.c \ +anchor.lo anchor.o: $(srcdir)/$(tlsdir)/anchor.c \ config.h $(srcdir)/debug.h $(srcdir)/anchor.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/types-internal.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h $(srcdir)/ub_loop.h \ - $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/str2wire.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/openssl/keyraw-internal.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/platform.h -keyraw-internal.lo keyraw-internal.o: $(srcdir)/openssl/keyraw-internal.c \ + $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/platform.h +keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c \ config.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/openssl/keyraw-internal.h $(srcdir)/gldns/rrdef.h -pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \ + $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h +pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/$(tlsdir)/pubkey-pinning.c \ config.h $(srcdir)/debug.h \ getdns/getdns.h 
$(srcdir)/context.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/context.h $(srcdir)/openssl/pubkey-pinning-internal.h -tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/context.h $(srcdir)/$(tlsdir)/pubkey-pinning-internal.h +tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c config.h \ $(srcdir)/debug.h $(srcdir)/context.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/tls.h -val_secalgo.lo val_secalgo.o: $(srcdir)/openssl/val_secalgo.c \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/tls.h +val_secalgo.lo val_secalgo.o: $(srcdir)/$(tlsdir)/val_secalgo.c \ config.h \ - $(srcdir)/util/auxiliary/util/data/packed_rrset.h $(srcdir)/openssl/validator/val_secalgo.h \ - $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h $(srcdir)/openssl/validator/val_nsec3.h \ + $(srcdir)/util/auxiliary/util/data/packed_rrset.h $(srcdir)/$(tlsdir)/validator/val_secalgo.h \ + $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h $(srcdir)/$(tlsdir)/validator/val_nsec3.h \ 
$(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/openssl/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h + $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h libev.lo libev.o: $(srcdir)/extension/libev.c \ config.h $(srcdir)/types-internal.h \ @@ -561,7 +561,7 @@ poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \ config.h $(srcdir)/debug.h \ $(srcdir)/types-internal.h \ From 153e766edf437298688c2d1ee25990f36da08bc0 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 27 Nov 2018 18:04:14 +0000 Subject: [PATCH 034/108] tls.h uses struct mem_funcs in types-internal.h. --- src/tls.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/tls.h b/src/tls.h index 7a98a140..d475ee53 100644 --- a/src/tls.h +++ b/src/tls.h @@ -36,6 +36,8 @@ #include "getdns/getdns.h" +#include "types-internal.h" + #include "tls-internal.h" /* Forward declare type. */ From f64aa8703dde7189e3686c45e156fe2d9b78514f Mon Sep 17 00:00:00 2001 
From: Jim Hague Date: Wed, 5 Dec 2018 11:25:32 +0000 Subject: [PATCH 035/108] First pass at a mostly stubbed GnuTLS implementation. This works enough to do a TLS lookup. --- src/gnutls/anchor.c | 48 ++++ src/gnutls/keyraw-internal.c | 15 ++ src/gnutls/keyraw-internal.h | 31 +++ src/gnutls/pubkey-pinning.c | 84 ++++++ src/gnutls/tls-internal.h | 79 ++++++ src/gnutls/tls.c | 505 +++++++++++++++++++++++++++++++++++ src/gnutls/val_secalgo.c | 58 ++++ 7 files changed, 820 insertions(+) create mode 100644 src/gnutls/anchor.c create mode 100644 src/gnutls/keyraw-internal.c create mode 100644 src/gnutls/keyraw-internal.h create mode 100644 src/gnutls/pubkey-pinning.c create mode 100644 src/gnutls/tls-internal.h create mode 100644 src/gnutls/tls.c create mode 100644 src/gnutls/val_secalgo.c diff --git a/src/gnutls/anchor.c b/src/gnutls/anchor.c new file mode 100644 index 00000000..57fb60e1 --- /dev/null +++ b/src/gnutls/anchor.c 
@@ -0,0 +1,48 @@ +/** + * + * /brief functions for DNSSEC trust anchor management + * + */ + +/* + * Copyright (c) 2017, NLnet Labs + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#include "anchor.h" + +void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms) +{ +} + +void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) +{ +} + +void _getdns_context_update_root_ksk( + getdns_context *context, _getdns_rrset *dnskey_set) +{ +} 
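Review bot: The three stubs leave `context`, `now_ms`, `loop` and `dnskey_set` unused, which trips unused-parameter warnings, while the GnuTLS tls.c in this same patch handles the identical situation with `(void) ctx;`; the same `(void)` casts belong here for consistency. A one-line comment in each body, e.g. `/* Stub: installs no trust anchor on the context; GnuTLS backend not yet implemented. */`, would also tell the next reader the empty body is deliberate rather than a lost merge, and that a context built with this backend presumably has no DNSSEC trust anchor until the real implementation lands.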
diff --git a/src/gnutls/keyraw-internal.c b/src/gnutls/keyraw-internal.c new file mode 100644 index 00000000..a674033f --- /dev/null +++ b/src/gnutls/keyraw-internal.c @@ -0,0 +1,15 @@ +/* + * keyraw.c - raw key operations and conversions - OpenSSL version + * + * (c) NLnet Labs, 2004-2008 + * + * See the file LICENSE for the license + */ +/** + * \file + * Implementation of raw DNSKEY functions (work on wire rdata). + */ + +#include "config.h" +#include "gldns/keyraw.h" +#include "gldns/rrdef.h" diff --git a/src/gnutls/keyraw-internal.h b/src/gnutls/keyraw-internal.h new file mode 100644 index 00000000..eaac30c3 --- /dev/null +++ b/src/gnutls/keyraw-internal.h @@ -0,0 +1,31 @@ +/* + * keyraw.h -- raw key and signature access and conversion - OpenSSL + * + * Copyright (c) 2005-2008, NLnet Labs. All rights reserved. + * + * See LICENSE for the license. + * + */ + +/** + * \file + * + * raw key and signature access and conversion + * + * Since those functions heavily rely op cryptographic operations, + * this module is dependent on openssl. + * + */ + +#ifndef GLDNS_KEYRAW_INTERNAL_H +#define GLDNS_KEYRAW_INTERNAL_H + +#ifdef __cplusplus +extern "C" { +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* GLDNS_KEYRAW_INTERNAL_H */ diff --git a/src/gnutls/pubkey-pinning.c b/src/gnutls/pubkey-pinning.c new file mode 100644 index 00000000..c1aeedc3 --- /dev/null +++ b/src/gnutls/pubkey-pinning.c 
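Review bot: The file header still reads `keyraw.c - raw key operations and conversions - OpenSSL version` although this file lives under src/gnutls, so it misdescribes the backend to anyone auditing which crypto library a build actually uses; change it to `* keyraw-internal.c - raw key operations and conversions - GnuTLS version` (the name in the comment also differs from the actual file name). A short note that the GnuTLS version currently defines nothing would help, since the file otherwise looks like a truncated copy.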
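Review bot: The header comment describes this file as the `- OpenSSL` variant and states `this module is dependent on openssl`, which is wrong for a file under src/gnutls and will mislead anyone grepping for OpenSSL-specific code; reword to `- GnuTLS` and `this module is dependent on GnuTLS.`. The include guard `GLDNS_KEYRAW_INTERNAL_H` appears to be shared with the OpenSSL header of the same name; that is fine while only one backend directory is on the include path, which the single `$(tlsdir)` in the Makefile dependencies suggests, but a comment saying the two headers are interchangeable alternatives would make that intent explicit.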
@@ -0,0 +1,84 @@ +/** + * + * /brief functions for dealing with pubkey pinsets + * + */ + +/* + * Copyright (c) 2015 ACLU + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "context.h" +#include "types-internal.h" + +#include "pubkey-pinning.h" + +/** + ** Interfaces from pubkey-pinning.h + **/ + +/* create and populate a pinset linked list from a getdns_list pinset */ +getdns_return_t +_getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list, + struct mem_funcs *mf, + sha256_pin_t **pinset_out) +{ + return GETDNS_RETURN_GENERIC_ERROR; +} + + + +/* create a getdns_list version of the pinset */ +getdns_return_t +_getdns_get_pubkey_pinset_list(getdns_context *ctx, + const sha256_pin_t *pinset_in, + getdns_list **pinset_list) +{ + return GETDNS_RETURN_GENERIC_ERROR; +} + +getdns_return_t +_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, + getdns_upstream *upstream) +{ + return GETDNS_RETURN_GOOD; +} + +/** + ** Interfaces from getdns_extra.h. + **/ + +getdns_dict* +getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str) +{ + return GETDNS_RETURN_GENERIC_ERROR; +} + +getdns_return_t +getdns_pubkey_pinset_sanity_check(const getdns_list* pinset, getdns_list* errorlist) +{ + return GETDNS_RETURN_GENERIC_ERROR; +} diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h new file mode 100644 index 00000000..2b76d564 --- /dev/null +++ b/src/gnutls/tls-internal.h 
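Review bot: `getdns_pubkey_pin_create_from_string` is declared to return `getdns_dict*` but returns `GETDNS_RETURN_GENERIC_ERROR`, an integer error code, so a caller that tests the result against NULL sees a non-NULL bogus pointer and will dereference it; the stub should `return NULL;`. The parser stubs returning `GETDNS_RETURN_GENERIC_ERROR` are a reasonable fail-closed default, but `_getdns_associate_upstream_with_connection` reports `GETDNS_RETURN_GOOD` while recording nothing; if its caller takes that success to mean the connection is wired up for pin checking (the caller is not visible here), a configured pinset would be silently unenforced, so `return GETDNS_RETURN_NOT_IMPLEMENTED;` is the safer placeholder until pinning exists for GnuTLS. The unused parameters should get `(void)` casts as the GnuTLS tls.c in this patch does, so the stubs do not trip unused-parameter warnings.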
@@ -0,0 +1,79 @@ +/** + * + * \file tls-internal.h + * @brief getdns TLS implementation-specific items + */ + +/* + * Copyright (c) 2018, NLnet Labs + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef _GETDNS_TLS_INTERNAL_H +#define _GETDNS_TLS_INTERNAL_H + +#include +#include + +#include "getdns/getdns.h" + +#define SHA_DIGEST_LENGTH 20 +#define SHA224_DIGEST_LENGTH 28 +#define SHA256_DIGEST_LENGTH 32 +#define SHA384_DIGEST_LENGTH 48 +#define SHA512_DIGEST_LENGTH 64 + +#define GETDNS_TLS_MAX_DIGEST_LENGTH (SHA512_DIGEST_LENGTH) + +#define HAVE_TLS_CTX_CURVES_LIST 0 +#define HAVE_TLS_CONN_CURVES_LIST 0 + + +typedef struct _getdns_tls_context { + int unused; +} _getdns_tls_context; + +typedef struct _getdns_tls_connection { + gnutls_session_t tls; + gnutls_certificate_credentials_t cred; + int shutdown; +} _getdns_tls_connection; + +typedef struct _getdns_tls_session { + gnutls_datum_t tls; +} _getdns_tls_session; + +typedef struct _getdns_tls_x509 +{ + gnutls_datum_t tls; +} _getdns_tls_x509; + +typedef struct _getdns_tls_hmac +{ + gnutls_hmac_hd_t tls; + unsigned int md_len; +} _getdns_tls_hmac; + +#endif /* _GETDNS_TLS_INTERNAL_H */ diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c new file mode 100644 index 00000000..34c1d24c --- /dev/null +++ b/src/gnutls/tls.c 
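Review bot: `_getdns_tls_x509` wraps a `gnutls_datum_t` by value with nothing saying who owns `tls.data`; in this patch's tls.c the wrapper is filled straight from `gnutls_certificate_get_peers()`, whose memory belongs to the session, and `_getdns_tls_x509_free` releases only the wrapper, so the datum is a non-owning view that dangles once the session is deinitialised. A comment on the member should make that explicit, e.g. `gnutls_datum_t tls; /* Non-owning view of session-owned DER bytes; valid only while the session lives. */`, and `_getdns_tls_session.tls` deserves the opposite note, since `gnutls_session_get_data2()` allocates its data and it has to be released with `gnutls_free()`. The two `#include` directives have lost their targets in this rendering; if they are `<gnutls/gnutls.h>` and `<gnutls/crypto.h>`, it is worth confirming the latter is present, as `gnutls_hmac_hd_t` and `gnutls_hash_hd_t` are declared there.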
@@ -0,0 +1,505 @@ +/** + * + * \file tls.c + * @brief getdns TLS functions + */ + +/* + * Copyright (c) 2018, NLnet Labs + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include + +#include "config.h" + +#include "debug.h" +#include "context.h" + +#include "tls.h" + +static getdns_return_t error_may_want_read_write(_getdns_tls_connection* conn, int err) +{ + switch (err) { + case GNUTLS_E_INTERRUPTED: + case GNUTLS_E_AGAIN: + case GNUTLS_E_WARNING_ALERT_RECEIVED: + case GNUTLS_E_GOT_APPLICATION_DATA: + if (gnutls_record_get_direction(conn->tls) == 0) + return GETDNS_RETURN_TLS_WANT_READ; + else + return GETDNS_RETURN_TLS_WANT_WRITE; + + default: + return GETDNS_RETURN_GENERIC_ERROR; + } +} + +static getdns_return_t get_gnu_mac_algorithm(int algorithm, gnutls_mac_algorithm_t* gnualg) +{ + switch (algorithm) { + case GETDNS_HMAC_MD5 : *gnualg = GNUTLS_MAC_MD5 ; break; + case GETDNS_HMAC_SHA1 : *gnualg = GNUTLS_MAC_SHA1 ; break; + case GETDNS_HMAC_SHA224: *gnualg = GNUTLS_MAC_SHA224; break; + case GETDNS_HMAC_SHA256: *gnualg = GNUTLS_MAC_SHA256; break; + case GETDNS_HMAC_SHA384: *gnualg = GNUTLS_MAC_SHA384; break; + case GETDNS_HMAC_SHA512: *gnualg = GNUTLS_MAC_SHA512; break; + default : return GETDNS_RETURN_GENERIC_ERROR; + } + + return GETDNS_RETURN_GOOD; +} + +static _getdns_tls_x509* _getdns_tls_x509_new(struct mem_funcs* mfs, gnutls_datum_t cert) +{ + _getdns_tls_x509* res; + + res = GETDNS_MALLOC(*mfs, _getdns_tls_x509); + if (res) + res->tls = cert; + + return res; +} + +void _getdns_tls_init() +{ + gnutls_global_init(); +} + +_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs) +{ + _getdns_tls_context* res; + + if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context))) + return NULL; + + return res; +} + +getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx) +{ + if (!ctx) + return GETDNS_RETURN_INVALID_PARAMETER; + GETDNS_FREE(*mfs, ctx); + return GETDNS_RETURN_GOOD; +} + +void _getdns_tls_context_dane_init(_getdns_tls_context* ctx) +{ + (void) ctx; +} + +getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx) +{ + (void) ctx; + return 
GETDNS_RETURN_NOT_IMPLEMENTED; +} + +getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list) +{ + (void) list; + + if (!ctx) + return GETDNS_RETURN_INVALID_PARAMETER; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list) +{ + (void) list; + + if (!ctx) + return GETDNS_RETURN_INVALID_PARAMETER; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path) +{ + (void) file; + (void) path; + + if (!ctx) + return GETDNS_RETURN_INVALID_PARAMETER; + return GETDNS_RETURN_GOOD; +} + +_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd) +{ + _getdns_tls_connection* res; + int r; + + if (!ctx) + return NULL; + + if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_connection))) + return NULL; + + res->shutdown = 0; + + r = gnutls_certificate_allocate_credentials(&res->cred); + if (r == GNUTLS_E_SUCCESS) + gnutls_certificate_set_x509_system_trust(res->cred); + if (r == GNUTLS_E_SUCCESS) + r = gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK); + if (r == GNUTLS_E_SUCCESS) + r = gnutls_set_default_priority(res->tls); + if (r == GNUTLS_E_SUCCESS) + r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred); + if (r != GNUTLS_E_SUCCESS) { + _getdns_tls_connection_free(mfs, res); + return NULL; + } + + gnutls_transport_set_int(res->tls, fd); + return res; +} + +getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn) +{ + if (!conn || !conn->tls) + return GETDNS_RETURN_INVALID_PARAMETER; + + gnutls_deinit(conn->tls); + gnutls_certificate_free_credentials(conn->cred); + GETDNS_FREE(*mfs, conn); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn) +{ + if (!conn || !conn->tls) + return GETDNS_RETURN_INVALID_PARAMETER; + + 
if (conn->shutdown == 0) { + gnutls_bye(conn->tls, GNUTLS_SHUT_WR); + conn->shutdown++; + } else { + gnutls_bye(conn->tls, GNUTLS_SHUT_RDWR); + conn->shutdown++; + } + + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list) +{ + (void) list; + + if (!conn || !conn->tls) + return GETDNS_RETURN_INVALID_PARAMETER; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list) +{ + (void) list; + + if (!conn || !conn->tls) + return GETDNS_RETURN_INVALID_PARAMETER; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s) +{ + int r; + + if (!conn || !conn->tls || !s) + return GETDNS_RETURN_INVALID_PARAMETER; + + r = gnutls_session_set_data(conn->tls, s->tls.data, s->tls.size); + if (r != GNUTLS_E_SUCCESS) + return GETDNS_RETURN_GENERIC_ERROR; + return GETDNS_RETURN_GOOD; +} + +_getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _getdns_tls_connection* conn) +{ + _getdns_tls_session* res; + int r; + + if (!conn || !conn->tls) + return NULL; + + if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_session))) + return NULL; + + r = gnutls_session_get_data2(conn->tls, &res->tls); + if (r != GNUTLS_E_SUCCESS) { + GETDNS_FREE(*mfs, res); + return NULL; + } + + return res; +} + +const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn) +{ + if (!conn || !conn->tls) + return NULL; + + return gnutls_protocol_get_name(gnutls_protocol_get_version(conn->tls)); +} + +getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn) +{ + int r; + + if (!conn || !conn->tls) + return GETDNS_RETURN_INVALID_PARAMETER; + + r = gnutls_handshake(conn->tls); + if (r == GNUTLS_E_SUCCESS) + return GETDNS_RETURN_GOOD; + else + return error_may_want_read_write(conn, r); +} + +_getdns_tls_x509* 
_getdns_tls_connection_get_peer_certificate(struct mem_funcs* mfs, _getdns_tls_connection* conn) +{ + const gnutls_datum_t *cert_list; + unsigned int cert_list_size; + + if (!conn || !conn->tls) + return NULL; + + cert_list = gnutls_certificate_get_peers(conn->tls, &cert_list_size); + if (cert_list == NULL) + return NULL; + + return _getdns_tls_x509_new(mfs, *cert_list); +} + +getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn) +{ + if (!conn || !conn->tls) + return GETDNS_RETURN_INVALID_PARAMETER; + + if (gnutls_session_is_resumed(conn->tls) != 0) + return GETDNS_RETURN_GOOD; + else + return GETDNS_RETURN_TLS_CONNECTION_FRESH; +} + +getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connection* conn, const char* auth_name) +{ + if (!conn || !conn->tls || !auth_name) + return GETDNS_RETURN_INVALID_PARAMETER; + + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset) +{ + (void) pinset; + + if (!conn || !conn->tls || !auth_name) + return GETDNS_RETURN_INVALID_PARAMETER; + + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg) +{ + (void) errnum; + (void) errmsg; + + if (!conn || !conn->tls) + return GETDNS_RETURN_INVALID_PARAMETER; + + return GETDNS_RETURN_GOOD; +} + + +getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read) +{ + ssize_t sread; + + if (!conn || !conn->tls || !read) + return GETDNS_RETURN_INVALID_PARAMETER; + + sread = gnutls_record_recv(conn->tls, buf, to_read); + if (sread < 0) + return error_may_want_read_write(conn, sread); + + *read = sread; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written) +{ + int swritten; + + if (!conn 
|| !conn->tls || !written) + return GETDNS_RETURN_INVALID_PARAMETER; + + swritten = gnutls_record_send(conn->tls, buf, to_write); + if (swritten < 0) + return error_may_want_read_write(conn, swritten); + + *written = swritten; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_session_free(struct mem_funcs* mfs, _getdns_tls_session* s) +{ + if (!s) + return GETDNS_RETURN_INVALID_PARAMETER; + GETDNS_FREE(*mfs, s); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict) +{ + if (! getdns_dict_set_int( + dict, "gnutls_version_number", GNUTLS_VERSION_NUMBER) + + && ! getdns_dict_util_set_string( + dict, "gnutls_version_string", GNUTLS_VERSION) + ) + return GETDNS_RETURN_GOOD; + return GETDNS_RETURN_GENERIC_ERROR; +} + +void _getdns_tls_x509_free(struct mem_funcs* mfs, _getdns_tls_x509* cert) +{ + if (cert) + GETDNS_FREE(*mfs, cert); +} + +int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata) +{ + gnutls_x509_crt_t crt; + size_t s; + + if (!cert || gnutls_x509_crt_init(&crt) != GNUTLS_E_SUCCESS) + return 0; + + gnutls_x509_crt_import(crt, &cert->tls, GNUTLS_X509_FMT_DER); + gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, NULL, &s); + + if (!bindata) { + gnutls_x509_crt_deinit(crt); + return s; + } + + bindata->data = GETDNS_XMALLOC(*mfs, uint8_t, s); + if (!bindata->data) { + gnutls_x509_crt_deinit(crt); + return 0; + } + + gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, bindata->data, &s); + bindata->size = s; + gnutls_x509_crt_deinit(crt); + return s; +} + +unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size) +{ + gnutls_mac_algorithm_t alg; + unsigned int md_len; + unsigned char* res; + + if (get_gnu_mac_algorithm(algorithm, &alg) != GETDNS_RETURN_GOOD) + return NULL; + + md_len = gnutls_hmac_get_len(alg); + res = (unsigned char*) GETDNS_XMALLOC(*mfs, 
unsigned char, md_len); + if (!res) + return NULL; + + (void) gnutls_hmac_fast(alg, key, key_size, data, data_size, res); + + if (output_size) + *output_size = md_len; + return res; +} + +_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size) +{ + gnutls_mac_algorithm_t alg; + _getdns_tls_hmac* res; + + if (get_gnu_mac_algorithm(algorithm, &alg) != GETDNS_RETURN_GOOD) + return NULL; + + if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac))) + return NULL; + + if (gnutls_hmac_init(&res->tls, alg, key, key_size) < 0) { + GETDNS_FREE(*mfs, res); + return NULL; + } + res->md_len = gnutls_hmac_get_len(alg); + return res; +} + +getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size) +{ + if (!h || !h->tls || !data) + return GETDNS_RETURN_INVALID_PARAMETER; + + if (gnutls_hmac(h->tls, data, data_size) < 0) + return GETDNS_RETURN_GENERIC_ERROR; + else + return GETDNS_RETURN_GOOD; +} + +unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size) +{ + unsigned char* res; + + if (!h || !h->tls) + return NULL; + + res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, h->md_len); + if (!res) + return NULL; + + gnutls_hmac_deinit(h->tls, res); + if (output_size) + *output_size = h->md_len; + + GETDNS_FREE(*mfs, h); + return res; +} + +void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf) +{ + gnutls_hash_fast(GNUTLS_DIG_SHA1, data, data_size, buf); +} + +void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen) +{ + gnutls_hash_hd_t digest; + + gnutls_hash_init(&digest, GNUTLS_DIG_SHA256); + gnutls_hash(digest, &secret, sizeof(secret)); + gnutls_hash(digest, addr, addrlen); + gnutls_hash_deinit(digest, buf); + *buflen = gnutls_hash_get_len(GNUTLS_DIG_SHA256); +} + +/* tls.c */ 
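Review bot: `_getdns_tls_connection_verify` returns `GETDNS_RETURN_GOOD` without checking anything and `_getdns_tls_connection_set_host_pinset` discards `pinset`, so a caller that treats GOOD from these as "peer authenticated" (stub.c's use is not visible here) would accept an unverified connection and silently ignore a configured pinset; the hunk already uses the right idiom for an unfinished hook in `_getdns_tls_context_set_min_proto_1_2`, so until these are implemented they should fail closed with `return GETDNS_RETURN_NOT_IMPLEMENTED;` in verify and `if (pinset) return GETDNS_RETURN_NOT_IMPLEMENTED;` in set_host_pinset. Separately, `_getdns_tls_connection_new` never initialises `res->tls` and `res->cred` before the setup chain, so when `gnutls_certificate_allocate_credentials` or `gnutls_init` fails the error path hands a struct with indeterminate handles to `_getdns_tls_connection_free`, which then calls `gnutls_deinit` on garbage (or, if the garbage happens to be NULL, returns INVALID_PARAMETER and leaks `res` and `res->cred`). The rewrite below NULLs both handles up front and makes free release only what exists. In the same spirit, `_getdns_tls_session_free` frees the wrapper but not `s->tls.data`, which `gnutls_session_get_data2` allocated with gnutls_malloc, so `gnutls_free(s->tls.data);` belongs before the `GETDNS_FREE`, and the `(void)` on `gnutls_hmac_fast` in `_getdns_tls_hmac_hash` means a failed MAC computation hands back an uninitialised buffer as the digest; test for `< 0`, free `res` and return NULL instead.
```c
_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd)
{
	/* … unchanged: parameter check and allocation of res … */
	res->shutdown = 0;
	res->tls = NULL;   /* let the error path below tell what was actually created */
	res->cred = NULL;
	/* … unchanged: credentials / gnutls_init / priority / transport setup … */
}

getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn)
{
	if (!conn)
		return GETDNS_RETURN_INVALID_PARAMETER;

	/* Partially constructed connections may have either handle unset. */
	if (conn->tls)
		gnutls_deinit(conn->tls);
	if (conn->cred)
		gnutls_certificate_free_credentials(conn->cred);
	GETDNS_FREE(*mfs, conn);
	return GETDNS_RETURN_GOOD;
}
```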
diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c new file mode 100644 index 00000000..2290eb4c --- /dev/null +++ b/src/gnutls/val_secalgo.c 
@@ -0,0 +1,58 @@ +/** + * + * /brief secalgo interface. + * + */ +/* + * Copyright (c) 2017, NLnet Labs, the getdns team + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include "util/val_secalgo.h" + +size_t _getdns_ds_digest_size_supported(int algo) +{ + return 0; +} + +int _getdns_secalgo_ds_digest(int algo, unsigned char* buf, size_t len, + unsigned char* res) +{ + return 0; +} + +int _getdns_dnskey_algo_id_is_supported(int id) +{ + return 0; +} + +enum sec_status _getdns_verify_canonrrset(struct gldns_buffer* buf, int algo, + unsigned char* sigblock, unsigned int sigblock_len, + unsigned char* key, unsigned int keylen, char** reason) +{ + return sec_status_bogus; +} From b2312aee12e32e3eae1ef9e8a6c33ce4a5f36ff6 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Wed, 5 Dec 2018 17:20:28 +0000 Subject: [PATCH 036/108] Implement hostname authentication. --- src/gnutls/tls.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index 34c1d24c..8588670c 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c @@ -304,9 +304,16 @@ getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connection* conn, const char* auth_name) { + int r; + if (!conn || !conn->tls || !auth_name) return GETDNS_RETURN_INVALID_PARAMETER; + r = gnutls_server_name_set(conn->tls, GNUTLS_NAME_DNS, auth_name, strlen(auth_name)); + if (r != GNUTLS_E_SUCCESS) + return GETDNS_RETURN_GENERIC_ERROR; + + gnutls_session_set_verify_cert(conn->tls, auth_name, 0); return GETDNS_RETURN_GOOD; } From c6dffa1239bf362577a7c8b8430ce5911b512560 Mon Sep 17 00:00:00 2001 
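Review bot: The four stubs in the new `src/gnutls/val_secalgo.c` fail closed (`sec_status_bogus`, algorithm and digest-size probes returning 0), which is the right default, but nothing in the file says this is intentional, and every parameter is unused, which the `$(WPEDANTICFLAG)` builds in this tree are likely to warn about. I would add a file comment such as `/* GnuTLS build placeholder: no DNSSEC algorithms are supported yet, so every DS digest is unsupported and every RRset verifies as bogus (fail closed, never secure). */` plus a `(void)algo;` / `(void)id;` line per stub. `reason` is left untouched by `_getdns_verify_canonrrset`; if callers print it, set `*reason = "no DNSSEC support in this build";`, otherwise document that it is passed through unchanged.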
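Review bot: An empty `auth_name` passes the guard in `_getdns_tls_connection_setup_hostname_auth` and is then handed to `gnutls_server_name_set` with length 0 and to `gnutls_session_set_verify_cert` as the name to match; the guard should read `if (!conn || !conn->tls || !auth_name || !*auth_name)`. RFC 6066 also forbids IP literals in SNI, so if `auth_name` can be an address (not visible in this hunk) the `gnutls_server_name_set` call should be skipped for literals while the certificate name check is kept. As I understand GnuTLS, `gnutls_session_set_verify_cert` makes verification run inside the handshake, so the handshake call elsewhere can now fail with a verification error instead of succeeding and leaving a status to query; a comment above the call, e.g. `/* Verification runs inside the handshake; a mismatch surfaces as a handshake error. */`, would save the next reader a surprise.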
From: Jim Hague Date: Thu, 6 Dec 2018 10:41:58 +0000 Subject: [PATCH 037/108] Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation. Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes. GnuTLS uses Nettle itself, so this is not adding a new dependency. --- configure.ac | 2 + m4/ax_lib_nettle.m4 | 80 +++++++++++++++++++++++++++++++++++++++ src/gnutls/val_secalgo.c | 59 +---------------------------- src/gnutls/validator | 1 + src/openssl/val_secalgo.c | 20 +++++----- 5 files changed, 94 insertions(+), 68 deletions(-) create mode 100644 m4/ax_lib_nettle.m4 mode change 100644 => 120000 src/gnutls/val_secalgo.c create mode 120000 src/gnutls/validator diff --git a/configure.ac b/configure.ac index a16100e3..865e21b4 100644 --- a/configure.ac +++ b/configure.ac @@ -33,6 +33,7 @@ AC_PREREQ([2.68]) AC_CONFIG_MACRO_DIRS([m4]) sinclude(./m4/acx_openssl.m4) sinclude(./m4/acx_getaddrinfo.m4) +sinclude(./m4/ac_lib_nettle.m4) sinclude(./m4/ax_check_compile_flag.m4) sinclude(./m4/pkg.m4) @@ -409,6 +410,7 @@ AC_ARG_WITH([gnutls], CFLAGS="$libgnutls_CFLAGS $CFLAGS" AC_SUBST([TLSDIR], 'gnutls') AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library]) + AX_LIB_NETTLE(yes) ], [ ACX_WITH_SSL_OPTIONAL diff --git a/m4/ax_lib_nettle.m4 b/m4/ax_lib_nettle.m4 new file mode 100644 index 00000000..e0ba1eac --- /dev/null +++ b/m4/ax_lib_nettle.m4 
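Review bot: The added `sinclude(./m4/ac_lib_nettle.m4)` names a file that does not exist; the macro file this patch creates is `m4/ax_lib_nettle.m4`. Because `sinclude` silently ignores a missing file, `AX_LIB_NETTLE` is only defined if aclocal happens to pick the file up through `AC_CONFIG_MACRO_DIRS([m4])`; otherwise the later `AX_LIB_NETTLE(yes)` is copied verbatim into `configure`, where the shell fails on it. Change the line to `sinclude(./m4/ax_lib_nettle.m4)`.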
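Review bot: `AX_LIB_NETTLE(yes)` publishes the library only through `AC_SUBST([NETTLE_LIBS])` — every `AC_CHECK_LIB` in the macro supplies an action-if-found, so none of them appends `-lnettle` to `LIBS` — yet nothing in this hunk or in the Makefile.in hunks of the series references `NETTLE_LIBS`. Unless it is consumed somewhere outside this view, the Nettle-backed `val_secalgo.c` links only by accident (e.g. through GnuTLS's own transitive dependency), which is fragile under `--as-needed` or static linking. Add `LIBS="$NETTLE_LIBS $LIBS"` right after the call, or reference `@NETTLE_LIBS@` on the libgetdns link line.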
@@ -0,0 +1,80 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_lib_nettle.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_LIB_NETTLE([yes|no|auto]) +# +# DESCRIPTION +# +# Searches for the 'nettle' library with the --with... option. +# +# If found, define HAVE_NETTLE and macro NETTLE_LIBS. Also defines +# NETTLE_WITH_ for the algorithms found available. Possible +# algorithms: AES ARCTWO BLOWFISH CAST128 DES DES3 SERPENT TWOFISH MD2 MD4 +# MD5 SHA1 SHA256. +# +# The argument is used if no --with...-nettle option is set. Value "yes" +# requires the configuration by default. Value "no" does not require it by +# default. Value "auto" configures the library only if available. +# +# See also AX_LIB_BEECRYPT, AX_LIB_CRYPTO, and AX_LIB_GCRYPT. +# +# LICENSE +# +# Copyright (c) 2009 Fabien Coelho +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. 
+ +#serial 10 + +# AX_CHECK_NETTLE_ALGO([name],[function]) +AC_DEFUN([AX_CHECK_NETTLE_ALGO],[ + AC_CHECK_LIB([nettle], [nettle_$2], + AC_DEFINE([NETTLE_WITH_$1],[1],[Algorithm $1 in nettle library])) +]) + +# AX_LIB_NETTLE([yes|no|auto]) +AC_DEFUN([AX_LIB_NETTLE],[ + AC_MSG_CHECKING([whether nettle is enabled]) + AC_ARG_WITH([nettle], + AC_HELP_STRING([--with-nettle], [Require nettle library (required with GnuTLS)]),[ + AC_MSG_RESULT([$withval]) + ax_with_nettle=$withval + ],[ + AC_MSG_RESULT([$1]) + ax_with_nettle=$1 + ]) + if test "$ax_with_nettle" = "yes" -o "$ax_with_nettle" = "auto" ; then + AC_CHECK_HEADERS([nettle/nettle-meta.h],[ + AC_CHECK_LIB([nettle],[nettle_base64_encode_final],[ + AC_DEFINE([HAVE_NETTLE],[1],[Nettle library is available]) + HAVE_NETTLE=1 + AC_SUBST([NETTLE_LIBS],[-lnettle]) + # ciphers + AX_CHECK_NETTLE_ALGO([AES],[aes_encrypt]) + AX_CHECK_NETTLE_ALGO([ARCTWO],[arctwo_encrypt]) + AX_CHECK_NETTLE_ALGO([BLOWFISH],[blowfish_encrypt]) + AX_CHECK_NETTLE_ALGO([CAST128],[cast128_encrypt]) + AX_CHECK_NETTLE_ALGO([DES],[des_encrypt]) + AX_CHECK_NETTLE_ALGO([DES3],[des3_encrypt]) + AX_CHECK_NETTLE_ALGO([SERPENT],[serpent_encrypt]) + AX_CHECK_NETTLE_ALGO([TWOFISH],[twofish_encrypt]) + # digests + AX_CHECK_NETTLE_ALGO([MD2],[md2_digest]) + AX_CHECK_NETTLE_ALGO([MD4],[md4_digest]) + AX_CHECK_NETTLE_ALGO([MD5],[md5_digest]) + AX_CHECK_NETTLE_ALGO([SHA1],[sha1_digest]) + AX_CHECK_NETTLE_ALGO([SHA256],[sha256_digest]) + ]) + ]) + # complain only if explicitly required + if test "$ax_with_nettle" = "yes" -a "x$HAVE_NETTLE" = "x" ; then + AC_MSG_ERROR([cannot configure required nettle library]) + fi + fi +]) diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c deleted file mode 100644 index 2290eb4c..00000000 --- a/src/gnutls/val_secalgo.c +++ /dev/null 
@@ -1,58 +0,0 @@ -/** - * - * /brief secalgo interface. - * - */ -/* - * Copyright (c) 2017, NLnet Labs, the getdns team - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of the copyright holders nor the - * names of its contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY - * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND - * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "config.h" - -#include "util/val_secalgo.h" - -size_t _getdns_ds_digest_size_supported(int algo) -{ - return 0; -} - -int _getdns_secalgo_ds_digest(int algo, unsigned char* buf, size_t len, - unsigned char* res) -{ - return 0; -} - -int _getdns_dnskey_algo_id_is_supported(int id) -{ - return 0; -} - -enum sec_status _getdns_verify_canonrrset(struct gldns_buffer* buf, int algo, - unsigned char* sigblock, unsigned int sigblock_len, - unsigned char* key, unsigned int keylen, char** reason) -{ - return sec_status_bogus; -} diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c new file mode 120000 index 00000000..446f8e5f --- /dev/null +++ b/src/gnutls/val_secalgo.c @@ -0,0 +1 @@ +../openssl/val_secalgo.c \ No newline at end of file diff --git a/src/gnutls/validator b/src/gnutls/validator new file mode 120000 index 00000000..3e9ba44b --- /dev/null +++ b/src/gnutls/validator @@ -0,0 +1 @@ +../openssl/validator \ No newline at end of file diff --git a/src/openssl/val_secalgo.c b/src/openssl/val_secalgo.c index 95200a48..03fc96f2 100644 --- a/src/openssl/val_secalgo.c +++ b/src/openssl/val_secalgo.c @@ -1321,21 +1321,21 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, #elif defined(HAVE_NETTLE) -#include "sha.h" -#include "bignum.h" -#include "macros.h" -#include "rsa.h" -#include "dsa.h" +#include +#include +#include +#include +#include #ifdef HAVE_NETTLE_DSA_COMPAT_H -#include "dsa-compat.h" +#include #endif -#include "asn1.h" +#include #ifdef USE_ECDSA -#include "ecdsa.h" -#include "ecc-curve.h" +#include +#include #endif #ifdef HAVE_NETTLE_EDDSA_H -#include "eddsa.h" +#include #endif static int From 91764fb6b0bda5c523f93d3e1cca05c0690303f6 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 6 Dec 2018 11:04:00 +0000 Subject: [PATCH 038/108] Correct checking of connection validation result. --- src/stub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
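Review bot: Once `src/gnutls/val_secalgo.c` is a symlink to this file, the `#elif defined(HAVE_NETTLE)` branch is reached only when the preceding `#if` (outside this hunk) is false; if that guard tests for OpenSSL headers rather than the configured backend, a host with both OpenSSL and GnuTLS development files installed will compile the OpenSSL validator into a GnuTLS build and drag in a second crypto library. Keying the first branch on `!defined(USE_GNUTLS)`, the macro `configure.ac` now defines, would make the selection follow the chosen backend. The include targets were lost in the page rendering, so I could not check the new `<nettle/...>` paths themselves. Note also that a tracked symlink (mode 120000) is a portability caveat: Windows checkouts and some archive tools materialise it as a one-line text file containing the path.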
diff --git a/src/stub.c b/src/stub.c index f1421edb..723bd149 100644 --- a/src/stub.c +++ b/src/stub.c @@ -957,7 +957,7 @@ tls_do_handshake(getdns_upstream *upstream) long verify_errno; const char* verify_errmsg; - if (!_getdns_tls_connection_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) { + if (_getdns_tls_connection_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) { upstream->tls_auth_state = GETDNS_AUTH_OK; if (verify_errno != 0) { _getdns_upstream_log(upstream, From e73ab48687fc8d929c64714a852db41bea9b58a9 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 6 Dec 2018 13:40:07 +0000 Subject: [PATCH 039/108] Extract non-OpenSSL specific code from anchor.c, and move it back to common source. OpenSSL-specific items are in anchor-internal.c. --- src/Makefile.in | 4 +- src/{openssl => }/anchor.c | 338 +----------------- src/anchor.h | 23 ++ src/gnutls/{anchor.c => anchor-internal.c} | 14 +- src/openssl/anchor-internal.c | 382 +++++++++++++++++++++ 5 files changed, 417 insertions(+), 344 deletions(-) rename src/{openssl => }/anchor.c (80%) rename src/gnutls/{anchor.c => anchor-internal.c} (82%) create mode 100644 src/openssl/anchor-internal.c diff --git a/src/Makefile.in b/src/Makefile.in index 05e32b6f..48e8da3e 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -95,7 +95,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo) UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo JSMN_OBJ=jsmn.lo -TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo +TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo anchor-internal.lo YXML_OBJ=yxml.lo YAML_OBJ=convert_yaml_to_json.lo 
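Review bot: After the flip, any non-zero result from `_getdns_tls_connection_verify` marks the upstream `GETDNS_AUTH_OK`; the convention elsewhere in getdns is `getdns_return_t` with `GETDNS_RETURN_GOOD == 0`, so if that helper ever follows it, this line authenticates exactly the connections whose verification failed. Whatever the helper's contract is, compare against the named value rather than truthiness — `if (_getdns_tls_connection_verify(upstream->tls_obj, &verify_errno, &verify_errmsg) == GETDNS_RETURN_GOOD)` or a documented `1`-on-success — and state the contract in `tls.h`, since the OpenSSL and GnuTLS backends must agree on it. The following `if (verify_errno != 0)` inside the success branch suggests the helper reports success while still handing back an error code, presumably for the opportunistic mode; a one-line comment saying so would help. `tls_do_handshake` starts and ends outside the hunk.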
@@ -147,7 +147,7 @@ $(EXTENSION_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/extension/$(@:.lo=.c) -o $@ anchor.lo: - $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/$(tlsdir)/anchor.c -o anchor.lo + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/anchor.c -o anchor.lo context.lo: $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/context.c -o context.lo diff --git a/src/openssl/anchor.c b/src/anchor.c similarity index 80% rename from src/openssl/anchor.c rename to src/anchor.c index 31e0e6f0..12f16841 100644 --- a/src/openssl/anchor.c +++ b/src/anchor.c @@ -33,9 +33,6 @@ #include "debug.h" #include "anchor.h" #include -#include -#include -#include #include #include #include "types-internal.h" 
@@ -52,141 +49,6 @@ #include "util-internal.h" #include "platform.h" -/* get key usage out of its extension, returns 0 if no key_usage extension */ -static unsigned long -_getdns_get_usage_of_ex(X509* cert) -{ - unsigned long val = 0; - ASN1_BIT_STRING* s; - - if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) { - if(s->length > 0) { - val = s->data[0]; - if(s->length > 1) - val |= s->data[1] << 8; - } - ASN1_BIT_STRING_free(s); - } - return val; -} - -/** get valid signers from the list of signers in the signature */ -static STACK_OF(X509)* -_getdns_get_valid_signers(PKCS7* p7, const char* p7signer) -{ - int i; - STACK_OF(X509)* validsigners = sk_X509_new_null(); - STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0); - unsigned long usage = 0; - if(!validsigners) { - DEBUG_ANCHOR("ERROR %s(): Failed to allocated validsigners\n" - , __FUNC__); - sk_X509_free(signers); - return NULL; - } - if(!signers) { - DEBUG_ANCHOR("ERROR %s(): Failed to allocated signers\n" - , __FUNC__); - sk_X509_free(validsigners); - return NULL; - } - for(i=0; idata, xml_bd->size))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n" - , __FUNC__); - - else if (!(p7s = BIO_new_mem_buf(p7s_bd->data, p7s_bd->size))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n" - , __FUNC__); - - else if (!(crt = BIO_new_mem_buf(crt_bd->data, crt_bd->size))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n" - , __FUNC__); - - else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL))) - DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n" - , __FUNC__); - - else if (!(store = X509_STORE_new())) - DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n" - , __FUNC__); - - else if (!X509_STORE_add_cert(store, x)) - DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n" - , __FUNC__); - - else if (_getdns_verify_p7sig(xml, p7s, store, p7signer)) { - gldns_buffer gbuf; - - gldns_buffer_init_vfixed_frm_data(&gbuf, tas, *tas_len); - - if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, 
now_ms, - (char *)xml_bd->data, xml_bd->size)) - DEBUG_ANCHOR("Failed to parse trust anchor XML data"); - - else if (gldns_buffer_position(&gbuf) > *tas_len) { - *tas_len = gldns_buffer_position(&gbuf); - if ((success = GETDNS_XMALLOC(*mf, uint8_t, *tas_len))) { - gldns_buffer_init_frm_data(&gbuf, success, *tas_len); - if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, - now_ms, (char *)xml_bd->data, xml_bd->size)) { - - DEBUG_ANCHOR("Failed to re-parse trust" - " anchor XML data\n"); - GETDNS_FREE(*mf, success); - success = NULL; - } - } else - DEBUG_ANCHOR("Could not allocate space for " - "trust anchors\n"); - } else { - success = tas; - *tas_len = gldns_buffer_position(&gbuf); - } - } else { - DEBUG_ANCHOR("Verifying trust-anchors failed!\n"); - } - if (store) X509_STORE_free(store); - if (x) X509_free(x); - if (crt) BIO_free(crt); - if (xml) BIO_free(xml); - if (p7s) BIO_free(p7s); - return success; -} - -void _getdns_context_equip_with_anchor( - getdns_context *context, uint64_t *now_ms) -{ - uint8_t xml_spc[4096], *xml_data = NULL; - uint8_t p7s_spc[4096], *p7s_data = NULL; - size_t xml_len, p7s_len; - const char *verify_email = NULL; - const char *verify_CA = NULL; - getdns_return_t r; - - BIO *xml = NULL, *p7s = NULL, *crt = NULL; - X509 *x = NULL; - X509_STORE *store = NULL; - - if ((r = getdns_context_get_trust_anchors_verify_CA( - context, &verify_CA))) - DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify" - " CA: \"%s\"\n", __FUNC__ - , getdns_get_errorstr_by_id(r)); - - else if (!verify_CA || !*verify_CA) - DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely " - "disabled by empty verify CA\n"); - - else if ((r = getdns_context_get_trust_anchors_verify_email( - context, &verify_email))) - DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify email " - "address: \"%s\"\n", __FUNC__ - , getdns_get_errorstr_by_id(r)); - - else if (!verify_email || !*verify_email) - DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely " - "disabled by empty 
verify email\n"); - - else if (!(xml_data = _getdns_context_get_priv_file(context, - "root-anchors.xml", xml_spc, sizeof(xml_spc), &xml_len))) - DEBUG_ANCHOR("DEBUG %s(): root-anchors.xml not present\n" - , __FUNC__); - - else if (!(p7s_data = _getdns_context_get_priv_file(context, - "root-anchors.p7s", p7s_spc, sizeof(p7s_spc), &p7s_len))) - DEBUG_ANCHOR("DEBUG %s(): root-anchors.p7s not present\n" - , __FUNC__); - - else if (!(xml = BIO_new_mem_buf(xml_data, xml_len))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n" - , __FUNC__); - - else if (!(p7s = BIO_new_mem_buf(p7s_data, p7s_len))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n" - , __FUNC__); - - else if (!(crt = BIO_new_mem_buf((void *)verify_CA, -1))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n" - , __FUNC__); - - else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL))) - DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n" - , __FUNC__); - - else if (!(store = X509_STORE_new())) - DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n" - , __FUNC__); - - else if (!X509_STORE_add_cert(store, x)) - DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n" - , __FUNC__); - - else if (_getdns_verify_p7sig(xml, p7s, store, verify_email)) { - uint8_t ta_spc[sizeof(context->trust_anchors_spc)]; - size_t ta_len; - uint8_t *ta = NULL; - gldns_buffer gbuf; - - gldns_buffer_init_vfixed_frm_data( - &gbuf, ta_spc, sizeof(ta_spc)); - - if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms, - (char *)xml_data, xml_len)) - DEBUG_ANCHOR("Failed to parse trust anchor XML data"); - else if ((ta_len = gldns_buffer_position(&gbuf)) > sizeof(ta_spc)) { - if ((ta = GETDNS_XMALLOC(context->mf, uint8_t, ta_len))) { - gldns_buffer_init_frm_data(&gbuf, ta, - gldns_buffer_position(&gbuf)); - if (!_getdns_parse_xml_trust_anchors_buf( - &gbuf, now_ms, (char *)xml_data, xml_len)) { - DEBUG_ANCHOR("Failed to re-parse trust" - " anchor XML data"); - GETDNS_FREE(context->mf, ta); - } else { - 
context->trust_anchors = ta; - context->trust_anchors_len = ta_len; - context->trust_anchors_source = GETDNS_TASRC_XML; - _getdns_ta_notify_dnsreqs(context); - } - } else - DEBUG_ANCHOR("Could not allocate space for XML file"); - } else { - (void)memcpy(context->trust_anchors_spc, ta_spc, ta_len); - context->trust_anchors = context->trust_anchors_spc; - context->trust_anchors_len = ta_len; - context->trust_anchors_source = GETDNS_TASRC_XML; - _getdns_ta_notify_dnsreqs(context); - } - DEBUG_ANCHOR("ta: %p, ta_len: %d\n", - (void *)context->trust_anchors, (int)context->trust_anchors_len); - - } else { - DEBUG_ANCHOR("Verifying trust-anchors failed!\n"); - } - if (store) X509_STORE_free(store); - if (x) X509_free(x); - if (crt) BIO_free(crt); - if (xml) BIO_free(xml); - if (p7s) BIO_free(p7s); - if (xml_data && xml_data != xml_spc) - GETDNS_FREE(context->mf, xml_data); - if (p7s_data && p7s_data != p7s_spc) - GETDNS_FREE(context->mf, p7s_data); -} - static const char tas_write_p7s_buf[] = "GET %s HTTP/1.1\r\n" "Host: %s\r\n" @@ -1032,7 +700,7 @@ static void tas_doc_read(getdns_context *context, tas_connection *a) " email address: \"%s\"\n", __FUNC__ , getdns_get_errorstr_by_id(r)); - else if (!(tas = tas_validate(&context->mf, &a->xml, &p7s_bd, + else if (!(tas = _getdns_tas_validate(&context->mf, &a->xml, &p7s_bd, &verify_CA, verify_email, &now_ms, tas, &tas_len))) ; /* pass */ diff --git a/src/anchor.h b/src/anchor.h index 3c826384..139dd341 100644 --- a/src/anchor.h +++ b/src/anchor.h 
@@ -39,6 +39,29 @@ #include #include "rr-iter.h" +#include "types-internal.h" + +/** + ** Internal functions, implemented in anchor-internal.c. + **/ +void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms); + +uint8_t *_getdns_tas_validate(struct mem_funcs *mf, + const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd, + const getdns_bindata *crt_bd, const char *p7signer, + uint64_t *now_ms, uint8_t *tas, size_t *tas_len); + + +/** + ** anchor.c functions used by anchor-internal.c. + **/ +time_t _getdns_xml_convertdate(const char* str); + +uint16_t _getdns_parse_xml_trust_anchors_buf(gldns_buffer *gbuf, uint64_t *now_ms, char *xml_data, size_t xml_len); + +/** + ** Public interface. + **/ void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms); void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop); diff --git a/src/gnutls/anchor.c b/src/gnutls/anchor-internal.c similarity index 82% rename from src/gnutls/anchor.c rename to src/gnutls/anchor-internal.c index 57fb60e1..45b58d52 100644 --- a/src/gnutls/anchor.c +++ b/src/gnutls/anchor-internal.c @@ -34,15 +34,15 @@ #include "config.h" #include "anchor.h" -void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms) +void _getdns_context_equip_with_anchor( + getdns_context *context, uint64_t *now_ms) { } -void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) -{ -} - -void _getdns_context_update_root_ksk( - getdns_context *context, _getdns_rrset *dnskey_set) +uint8_t *_getdns_tas_validate(struct mem_funcs *mf, + const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd, + const getdns_bindata *crt_bd, const char *p7signer, + uint64_t *now_ms, uint8_t *tas, size_t *tas_len) { + return NULL; } diff --git a/src/openssl/anchor-internal.c b/src/openssl/anchor-internal.c new file mode 100644 index 00000000..db9e01f8 --- /dev/null +++ b/src/openssl/anchor-internal.c 
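Review bot: `_getdns_context_equip_with_anchor` is declared twice in the new header — once under "Internal functions, implemented in anchor-internal.c" and again under "Public interface" — which compiles but leaves a reader unsure which file owns it; drop the second declaration. The `_getdns_tas_validate` prototype should also say what it returns: from the OpenSSL body in this series it returns `tas` itself when the parsed anchors fit in `*tas_len`, otherwise a fresh `GETDNS_XMALLOC`'d buffer the caller must free with `mf`, and `NULL` on any verification or parse failure. Suggested comment above it: `/* Returns tas (when the anchors fit) or a newly allocated buffer; NULL if the p7s signature or the XML does not verify. */`.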
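Review bot: The GnuTLS `_getdns_tas_validate` returns NULL unconditionally and `_getdns_context_equip_with_anchor` is empty, so on this backend neither a stored nor a freshly fetched `root-anchors.xml` can ever be verified — fail closed, which is correct, but nothing marks the stubs as placeholders and every parameter is unused. I would add a comment on each, e.g. `/* TODO(gnutls): PKCS#7 verification of root-anchors.xml not implemented; reject so no unverified anchors are trusted. */`, plus `(void)` casts for the parameters. It is worth confirming that the common `anchor.c` fetch path treats the NULL return as "keep the built-in anchors" rather than retrying in a loop; that caller is outside this hunk.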
@@ -0,0 +1,382 @@ +/** + * + * /brief functions for DNSSEC trust anchor management + */ +/* + * Copyright (c) 2017, NLnet Labs, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" +#include "debug.h" +#include "anchor.h" +#include +#include +#include +#include +#include +#include +#include "types-internal.h" +#include "context.h" +#include "dnssec.h" +#include "yxml/yxml.h" +#include "gldns/parseutil.h" +#include "gldns/gbuffer.h" +#include "gldns/str2wire.h" +#include "gldns/wire2str.h" +#include "gldns/pkthdr.h" +#include "gldns/keyraw.h" +#include "general.h" +#include "util-internal.h" +#include "platform.h" + +/* get key usage out of its extension, returns 0 if no key_usage extension */ +static unsigned long +_getdns_get_usage_of_ex(X509* cert) +{ + unsigned long val = 0; + ASN1_BIT_STRING* s; + + if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) { + if(s->length > 0) { + val = s->data[0]; + if(s->length > 1) + val |= s->data[1] << 8; + } + ASN1_BIT_STRING_free(s); + } + return val; +} + +/** get valid signers from the list of signers in the signature */ +static STACK_OF(X509)* +_getdns_get_valid_signers(PKCS7* p7, const char* p7signer) +{ + int i; + STACK_OF(X509)* validsigners = sk_X509_new_null(); + STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0); + unsigned long usage = 0; + if(!validsigners) { + DEBUG_ANCHOR("ERROR %s(): Failed to allocated validsigners\n" + , __FUNC__); + sk_X509_free(signers); + return NULL; + } + if(!signers) { + DEBUG_ANCHOR("ERROR %s(): Failed to allocated signers\n" + , __FUNC__); + sk_X509_free(validsigners); + return NULL; + } + for(i=0; idata, xml_bd->size))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n" + , __FUNC__); + + else if (!(p7s = BIO_new_mem_buf(p7s_bd->data, p7s_bd->size))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n" + , __FUNC__); + + else if (!(crt = BIO_new_mem_buf(crt_bd->data, crt_bd->size))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n" + , __FUNC__); + + else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL))) + DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n" + , __FUNC__); + + else if (!(store = 
X509_STORE_new())) + DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n" + , __FUNC__); + + else if (!X509_STORE_add_cert(store, x)) + DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n" + , __FUNC__); + + else if (_getdns_verify_p7sig(xml, p7s, store, p7signer)) { + gldns_buffer gbuf; + + gldns_buffer_init_vfixed_frm_data(&gbuf, tas, *tas_len); + + if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms, + (char *)xml_bd->data, xml_bd->size)) + DEBUG_ANCHOR("Failed to parse trust anchor XML data"); + + else if (gldns_buffer_position(&gbuf) > *tas_len) { + *tas_len = gldns_buffer_position(&gbuf); + if ((success = GETDNS_XMALLOC(*mf, uint8_t, *tas_len))) { + gldns_buffer_init_frm_data(&gbuf, success, *tas_len); + if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, + now_ms, (char *)xml_bd->data, xml_bd->size)) { + + DEBUG_ANCHOR("Failed to re-parse trust" + " anchor XML data\n"); + GETDNS_FREE(*mf, success); + success = NULL; + } + } else + DEBUG_ANCHOR("Could not allocate space for " + "trust anchors\n"); + } else { + success = tas; + *tas_len = gldns_buffer_position(&gbuf); + } + } else { + DEBUG_ANCHOR("Verifying trust-anchors failed!\n"); + } + if (store) X509_STORE_free(store); + if (x) X509_free(x); + if (crt) BIO_free(crt); + if (xml) BIO_free(xml); + if (p7s) BIO_free(p7s); + return success; +} + +void _getdns_context_equip_with_anchor( + getdns_context *context, uint64_t *now_ms) +{ + uint8_t xml_spc[4096], *xml_data = NULL; + uint8_t p7s_spc[4096], *p7s_data = NULL; + size_t xml_len, p7s_len; + const char *verify_email = NULL; + const char *verify_CA = NULL; + getdns_return_t r; + + BIO *xml = NULL, *p7s = NULL, *crt = NULL; + X509 *x = NULL; + X509_STORE *store = NULL; + + if ((r = getdns_context_get_trust_anchors_verify_CA( + context, &verify_CA))) + DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify" + " CA: \"%s\"\n", __FUNC__ + , getdns_get_errorstr_by_id(r)); + + else if (!verify_CA || !*verify_CA) + DEBUG_ANCHOR("NOTICE: Trust anchor 
verification explicitely " + "disabled by empty verify CA\n"); + + else if ((r = getdns_context_get_trust_anchors_verify_email( + context, &verify_email))) + DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify email " + "address: \"%s\"\n", __FUNC__ + , getdns_get_errorstr_by_id(r)); + + else if (!verify_email || !*verify_email) + DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely " + "disabled by empty verify email\n"); + + else if (!(xml_data = _getdns_context_get_priv_file(context, + "root-anchors.xml", xml_spc, sizeof(xml_spc), &xml_len))) + DEBUG_ANCHOR("DEBUG %s(): root-anchors.xml not present\n" + , __FUNC__); + + else if (!(p7s_data = _getdns_context_get_priv_file(context, + "root-anchors.p7s", p7s_spc, sizeof(p7s_spc), &p7s_len))) + DEBUG_ANCHOR("DEBUG %s(): root-anchors.p7s not present\n" + , __FUNC__); + + else if (!(xml = BIO_new_mem_buf(xml_data, xml_len))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n" + , __FUNC__); + + else if (!(p7s = BIO_new_mem_buf(p7s_data, p7s_len))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n" + , __FUNC__); + + else if (!(crt = BIO_new_mem_buf((void *)verify_CA, -1))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n" + , __FUNC__); + + else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL))) + DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n" + , __FUNC__); + + else if (!(store = X509_STORE_new())) + DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n" + , __FUNC__); + + else if (!X509_STORE_add_cert(store, x)) + DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n" + , __FUNC__); + + else if (_getdns_verify_p7sig(xml, p7s, store, verify_email)) { + uint8_t ta_spc[sizeof(context->trust_anchors_spc)]; + size_t ta_len; + uint8_t *ta = NULL; + gldns_buffer gbuf; + + gldns_buffer_init_vfixed_frm_data( + &gbuf, ta_spc, sizeof(ta_spc)); + + if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms, + (char *)xml_data, xml_len)) + DEBUG_ANCHOR("Failed to parse trust anchor XML data"); + 
else if ((ta_len = gldns_buffer_position(&gbuf)) > sizeof(ta_spc)) { + if ((ta = GETDNS_XMALLOC(context->mf, uint8_t, ta_len))) { + gldns_buffer_init_frm_data(&gbuf, ta, + gldns_buffer_position(&gbuf)); + if (!_getdns_parse_xml_trust_anchors_buf( + &gbuf, now_ms, (char *)xml_data, xml_len)) { + DEBUG_ANCHOR("Failed to re-parse trust" + " anchor XML data"); + GETDNS_FREE(context->mf, ta); + } else { + context->trust_anchors = ta; + context->trust_anchors_len = ta_len; + context->trust_anchors_source = GETDNS_TASRC_XML; + _getdns_ta_notify_dnsreqs(context); + } + } else + DEBUG_ANCHOR("Could not allocate space for XML file"); + } else { + (void)memcpy(context->trust_anchors_spc, ta_spc, ta_len); + context->trust_anchors = context->trust_anchors_spc; + context->trust_anchors_len = ta_len; + context->trust_anchors_source = GETDNS_TASRC_XML; + _getdns_ta_notify_dnsreqs(context); + } + DEBUG_ANCHOR("ta: %p, ta_len: %d\n", + (void *)context->trust_anchors, (int)context->trust_anchors_len); + + } else { + DEBUG_ANCHOR("Verifying trust-anchors failed!\n"); + } + if (store) X509_STORE_free(store); + if (x) X509_free(x); + if (crt) BIO_free(crt); + if (xml) BIO_free(xml); + if (p7s) BIO_free(p7s); + if (xml_data && xml_data != xml_spc) + GETDNS_FREE(context->mf, xml_data); + if (p7s_data && p7s_data != p7s_spc) + GETDNS_FREE(context->mf, p7s_data); +} From 72d9b91a2e44ec5a3a74214a334b5f4c61a9184d Mon Sep 17 00:00:00 2001 
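Review bot: `_getdns_tas_validate` and `_getdns_context_equip_with_anchor` carry two copies of the same pipeline — three `BIO_new_mem_buf`, `PEM_read_bio_X509`, `X509_STORE_new`/`X509_STORE_add_cert`, `_getdns_verify_p7sig`, then the parse/re-parse dance — and they already differ in small ways (the "Parsing builtin certificate" message is used for the user-supplied `verify_CA`, and the re-parse message ends with a newline in one copy but not the other). A single static helper that builds the store from a PEM blob and verifies the XML against the p7s would keep the two from drifting. Separately, the "explicitely disabled by empty verify CA/email" notices are misleading: an empty value does not skip verification, it ends the chain before `root-anchors.xml` is read, so the file is simply never loaded (fail closed); `"NOTICE: root-anchors.xml not loaded: trust anchor verify CA is empty\n"` says what actually happens and fixes the spelling. Parts of this file are garbled in the page rendering, so I could not review `_getdns_verify_p7sig` itself.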
From: Jim Hague Date: Thu, 6 Dec 2018 14:09:30 +0000 Subject: [PATCH 040/108] Extract non-OpenSSL specific code from pubkey-pinning.c, and move it back to common source. OpenSSL-specific items are in pubkey-pinning-internal.c. --- src/Makefile.in | 4 +- ...ey-pinning.c => pubkey-pinning-internal.c} | 26 -- src/gnutls/pubkey-pinning-internal.h | 0 ...ey-pinning.c => pubkey-pinning-internal.c} | 161 ------------ src/pubkey-pinning.c | 231 ++++++++++++++++++ src/pubkey-pinning.h | 9 + 6 files changed, 242 insertions(+), 189 deletions(-) rename src/gnutls/{pubkey-pinning.c => pubkey-pinning-internal.c} (76%) create mode 100644 src/gnutls/pubkey-pinning-internal.h rename src/openssl/{pubkey-pinning.c => pubkey-pinning-internal.c} (71%) create mode 100644 src/pubkey-pinning.c diff --git a/src/Makefile.in b/src/Makefile.in index 48e8da3e..cfec9a47 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -81,7 +81,7 @@ DEFAULT_EVENTLOOP_OBJ=@DEFAULT_EVENTLOOP@.lo GETDNS_OBJ=const-info.lo convert.lo dict.lo dnssec.lo general.lo \ list.lo request-internal.lo platform.lo rr-dict.lo \ rr-iter.lo server.lo stub.lo sync.lo ub_loop.lo util-internal.lo \ - mdns.lo + mdns.lo pubkey-pinning.lo GLDNS_OBJ=keyraw.lo gbuffer.lo wire2str.lo parse.lo parseutil.lo rrdef.lo \ str2wire.lo @@ -95,7 +95,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo) UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo JSMN_OBJ=jsmn.lo -TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo anchor-internal.lo +TLS_OBJ=tls.lo pubkey-pinning-internal.lo keyraw-internal.lo val_secalgo.lo anchor-internal.lo YXML_OBJ=yxml.lo YAML_OBJ=convert_yaml_to_json.lo diff --git a/src/gnutls/pubkey-pinning.c b/src/gnutls/pubkey-pinning-internal.c similarity index 76% rename from src/gnutls/pubkey-pinning.c rename to src/gnutls/pubkey-pinning-internal.c index c1aeedc3..0d58712c 100644 --- a/src/gnutls/pubkey-pinning.c +++ b/src/gnutls/pubkey-pinning-internal.c 
@@ -40,26 +40,6 @@ ** Interfaces from pubkey-pinning.h **/ -/* create and populate a pinset linked list from a getdns_list pinset */ -getdns_return_t -_getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list, - struct mem_funcs *mf, - sha256_pin_t **pinset_out) -{ - return GETDNS_RETURN_GENERIC_ERROR; -} - - - -/* create a getdns_list version of the pinset */ -getdns_return_t -_getdns_get_pubkey_pinset_list(getdns_context *ctx, - const sha256_pin_t *pinset_in, - getdns_list **pinset_list) -{ - return GETDNS_RETURN_GENERIC_ERROR; -} - getdns_return_t _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, getdns_upstream *upstream) @@ -76,9 +56,3 @@ getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str) { return GETDNS_RETURN_GENERIC_ERROR; } - -getdns_return_t -getdns_pubkey_pinset_sanity_check(const getdns_list* pinset, getdns_list* errorlist) -{ - return GETDNS_RETURN_GENERIC_ERROR; -} diff --git a/src/gnutls/pubkey-pinning-internal.h b/src/gnutls/pubkey-pinning-internal.h new file mode 100644 index 00000000..e69de29b diff --git a/src/openssl/pubkey-pinning.c b/src/openssl/pubkey-pinning-internal.c similarity index 71% rename from src/openssl/pubkey-pinning.c rename to src/openssl/pubkey-pinning-internal.c index 8f10ee6f..ab2d7c08 100644 --- a/src/openssl/pubkey-pinning.c +++ b/src/openssl/pubkey-pinning-internal.c 
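Review bot: The surviving GnuTLS stub of getdns_pubkey_pin_create_from_string still does `return GETDNS_RETURN_GENERIC_ERROR;`, but pubkey-pinning.h in this same patch declares the function as returning getdns_dict*, and the OpenSSL version returns NULL on failure; the return-type line sits above this hunk, so I am inferring it from the header. A non-zero enum converted to a pointer is non-NULL, so a caller that checks `if (pin)` would treat the failure as a valid dict and dereference it, assuming the int-to-pointer conversion is not already promoted to a build error. Change it to `return NULL;` so the stub fails the way callers expect. The function's opening line is outside the hunk.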
@@ -148,167 +148,6 @@ getdns_dict* getdns_pubkey_pin_create_from_string( return NULL; } - -/* Test whether a given pinset is reasonable, including: - - * is it well-formed? - * are there at least two pins? - * are the digests used sane? - - if errorlist is NULL, the sanity check just returns success or - failure. - - if errorlist is not NULL, we append human-readable strings to - report the errors. -*/ - -#define PKP_SC_ERR(e) { \ - if (errorlist) \ - _getdns_list_append_const_bindata(errorlist, \ - sizeof(e), e); \ - errorcount++; \ - } -#define PKP_SC_HARDERR(e, val) { \ - PKP_SC_ERR(e); return val; \ - } -getdns_return_t getdns_pubkey_pinset_sanity_check( - const getdns_list* pinset, - getdns_list* errorlist) -{ - size_t errorcount = 0, pins = 0, i; - getdns_dict * pin; - getdns_bindata * data; - - if (getdns_list_get_length(pinset, &pins)) - PKP_SC_HARDERR("Can't get length of pinset", - GETDNS_RETURN_INVALID_PARAMETER); - if (pins < 2) - PKP_SC_ERR("This pinset has fewer than 2 pins"); - for (i = 0; i < pins; i++) - { - /* is it a dict? */ - if (getdns_list_get_dict(pinset, i, &pin)) { - PKP_SC_ERR("Could not retrieve a pin"); - } else { - /* does the pin have the right digest type? */ - if (getdns_dict_get_bindata(pin, "digest", &data)) { - PKP_SC_ERR("Pin has no 'digest' entry"); - } else { - if (data->size != sha256.size || - memcmp(data->data, sha256.data, sha256.size)) - PKP_SC_ERR("Pin has 'digest' other than sha256"); - } - /* if it does, is the value the right length? */ - if (getdns_dict_get_bindata(pin, "value", &data)) { - PKP_SC_ERR("Pin has no 'value' entry"); - } else { - if (data->size != SHA256_DIGEST_LENGTH) - PKP_SC_ERR("Pin has the wrong size 'value' (should be 32 octets for sha256)"); - } - - /* should we choke if it has some other key? 
for - * extensibility, we will not treat this as an - * error.*/ - } - } - - if (errorcount > 0) - return GETDNS_RETURN_GENERIC_ERROR; - return GETDNS_RETURN_GOOD; -} - -getdns_return_t -_getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list, - struct mem_funcs *mf, - sha256_pin_t **pinset_out) -{ - getdns_return_t r; - size_t pins, i; - sha256_pin_t *out = NULL, *onext = NULL; - getdns_dict * pin; - getdns_bindata * data = NULL; - - if (r = getdns_list_get_length(pinset_list, &pins), r) - return r; - for (i = 0; i < pins; i++) - { - if (r = getdns_list_get_dict(pinset_list, i, &pin), r) - goto fail; - /* does the pin have the right digest type? */ - if (r = getdns_dict_get_bindata(pin, "digest", &data), r) - goto fail; - if (data->size != sha256.size || - memcmp(data->data, sha256.data, sha256.size)) { - r = GETDNS_RETURN_INVALID_PARAMETER; - goto fail; - } - /* if it does, is the value the right length? */ - if (r = getdns_dict_get_bindata(pin, "value", &data), r) - goto fail; - if (data->size != SHA256_DIGEST_LENGTH) { - r = GETDNS_RETURN_INVALID_PARAMETER; - goto fail; - } - /* make a new pin */ - onext = GETDNS_MALLOC(*mf, sha256_pin_t); - if (onext == NULL) { - r = GETDNS_RETURN_MEMORY_ERROR; - goto fail; - } - onext->next = out; - memcpy(onext->pin, data->data, SHA256_DIGEST_LENGTH); - out = onext; - } - - *pinset_out = out; - return GETDNS_RETURN_GOOD; - fail: - while (out) { - onext = out->next; - GETDNS_FREE(*mf, out); - out = onext; - } - return r; -} - -getdns_return_t -_getdns_get_pubkey_pinset_list(getdns_context *ctx, - const sha256_pin_t *pinset_in, - getdns_list **pinset_list) -{ - getdns_list *out = getdns_list_create_with_context(ctx); - getdns_return_t r; - uint8_t buf[SHA256_DIGEST_LENGTH]; - getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf }; - getdns_dict *pin = NULL; - - if (out == NULL) - return GETDNS_RETURN_MEMORY_ERROR; - while (pinset_in) { - pin = getdns_dict_create_with_context(ctx); - if (pin == NULL) { 
- r = GETDNS_RETURN_MEMORY_ERROR; - goto fail; - } - if (r = getdns_dict_set_bindata(pin, "digest", &sha256), r) - goto fail; - memcpy(buf, pinset_in->pin, sizeof(buf)); - if (r = getdns_dict_set_bindata(pin, "value", &value), r) - goto fail; - if (r = _getdns_list_append_this_dict(out, pin), r) - goto fail; - pin = NULL; - pinset_in = pinset_in->next; - } - - *pinset_list = out; - return GETDNS_RETURN_GOOD; - fail: - getdns_dict_destroy(pin); - getdns_list_destroy(out); - return r; -} - /* this should only happen once ever in the life of the library. it's used to associate a getdns_context_t with an SSL_CTX, to be able to do custom verification. diff --git a/src/pubkey-pinning.c b/src/pubkey-pinning.c new file mode 100644 index 00000000..aaff6eb3 --- /dev/null +++ b/src/pubkey-pinning.c 
@@ -0,0 +1,231 @@ +/** + * + * /brief functions for Public Key Pinning + * + */ + +/* + * Copyright (c) 2015, Daniel Kahn Gillmor + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * getdns Public Key Pinning + * + * a public key pinset is a list of dicts. each dict should have a + * "digest" and a "value". + * + * "digest": a string indicating the type of digest. at the moment, we + * only support a "digest" of "sha256". + * + * "value": a binary representation of the digest provided. 
+ * + * given a such a pinset, we should be able to validate a chain + * properly according to section 2.6 of RFC 7469. + */ +#include "config.h" +#include "debug.h" +#include +#include +#include "context.h" +#include "util-internal.h" + +#include "pubkey-pinning-internal.h" + +/* we only support sha256 at the moment. adding support for another + digest is more complex than just adding another entry here. in + particular, you'll probably need a match for a particular cert + against all supported algorithms. better to wait on doing that + until it is a better-understood problem (i.e. wait until hpkp is + updated and follow the guidance in rfc7469bis) +*/ + +static const getdns_bindata sha256 = { + .size = sizeof("sha256") - 1, + .data = (uint8_t*)"sha256" +}; + + +/* Test whether a given pinset is reasonable, including: + + * is it well-formed? + * are there at least two pins? + * are the digests used sane? + + if errorlist is NULL, the sanity check just returns success or + failure. + + if errorlist is not NULL, we append human-readable strings to + report the errors. +*/ + +#define PKP_SC_ERR(e) { \ + if (errorlist) \ + _getdns_list_append_const_bindata(errorlist, \ + sizeof(e), e); \ + errorcount++; \ + } +#define PKP_SC_HARDERR(e, val) { \ + PKP_SC_ERR(e); return val; \ + } +getdns_return_t getdns_pubkey_pinset_sanity_check( + const getdns_list* pinset, + getdns_list* errorlist) +{ + size_t errorcount = 0, pins = 0, i; + getdns_dict * pin; + getdns_bindata * data; + + if (getdns_list_get_length(pinset, &pins)) + PKP_SC_HARDERR("Can't get length of pinset", + GETDNS_RETURN_INVALID_PARAMETER); + if (pins < 2) + PKP_SC_ERR("This pinset has fewer than 2 pins"); + for (i = 0; i < pins; i++) + { + /* is it a dict? */ + if (getdns_list_get_dict(pinset, i, &pin)) { + PKP_SC_ERR("Could not retrieve a pin"); + } else { + /* does the pin have the right digest type? 
*/ + if (getdns_dict_get_bindata(pin, "digest", &data)) { + PKP_SC_ERR("Pin has no 'digest' entry"); + } else { + if (data->size != sha256.size || + memcmp(data->data, sha256.data, sha256.size)) + PKP_SC_ERR("Pin has 'digest' other than sha256"); + } + /* if it does, is the value the right length? */ + if (getdns_dict_get_bindata(pin, "value", &data)) { + PKP_SC_ERR("Pin has no 'value' entry"); + } else { + if (data->size != SHA256_DIGEST_LENGTH) + PKP_SC_ERR("Pin has the wrong size 'value' (should be 32 octets for sha256)"); + } + + /* should we choke if it has some other key? for + * extensibility, we will not treat this as an + * error.*/ + } + } + + if (errorcount > 0) + return GETDNS_RETURN_GENERIC_ERROR; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +_getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list, + struct mem_funcs *mf, + sha256_pin_t **pinset_out) +{ + getdns_return_t r; + size_t pins, i; + sha256_pin_t *out = NULL, *onext = NULL; + getdns_dict * pin; + getdns_bindata * data = NULL; + + if (r = getdns_list_get_length(pinset_list, &pins), r) + return r; + for (i = 0; i < pins; i++) + { + if (r = getdns_list_get_dict(pinset_list, i, &pin), r) + goto fail; + /* does the pin have the right digest type? */ + if (r = getdns_dict_get_bindata(pin, "digest", &data), r) + goto fail; + if (data->size != sha256.size || + memcmp(data->data, sha256.data, sha256.size)) { + r = GETDNS_RETURN_INVALID_PARAMETER; + goto fail; + } + /* if it does, is the value the right length? 
*/ + if (r = getdns_dict_get_bindata(pin, "value", &data), r) + goto fail; + if (data->size != SHA256_DIGEST_LENGTH) { + r = GETDNS_RETURN_INVALID_PARAMETER; + goto fail; + } + /* make a new pin */ + onext = GETDNS_MALLOC(*mf, sha256_pin_t); + if (onext == NULL) { + r = GETDNS_RETURN_MEMORY_ERROR; + goto fail; + } + onext->next = out; + memcpy(onext->pin, data->data, SHA256_DIGEST_LENGTH); + out = onext; + } + + *pinset_out = out; + return GETDNS_RETURN_GOOD; + fail: + while (out) { + onext = out->next; + GETDNS_FREE(*mf, out); + out = onext; + } + return r; +} + +getdns_return_t +_getdns_get_pubkey_pinset_list(getdns_context *ctx, + const sha256_pin_t *pinset_in, + getdns_list **pinset_list) +{ + getdns_list *out = getdns_list_create_with_context(ctx); + getdns_return_t r; + uint8_t buf[SHA256_DIGEST_LENGTH]; + getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf }; + getdns_dict *pin = NULL; + + if (out == NULL) + return GETDNS_RETURN_MEMORY_ERROR; + while (pinset_in) { + pin = getdns_dict_create_with_context(ctx); + if (pin == NULL) { + r = GETDNS_RETURN_MEMORY_ERROR; + goto fail; + } + if (r = getdns_dict_set_bindata(pin, "digest", &sha256), r) + goto fail; + memcpy(buf, pinset_in->pin, sizeof(buf)); + if (r = getdns_dict_set_bindata(pin, "value", &value), r) + goto fail; + if (r = _getdns_list_append_this_dict(out, pin), r) + goto fail; + pin = NULL; + pinset_in = pinset_in->next; + } + + *pinset_list = out; + return GETDNS_RETURN_GOOD; + fail: + getdns_dict_destroy(pin); + getdns_list_destroy(out); + return r; +} + +/* pubkey-pinning.c */ diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h index 4e8a31e5..5f12baf2 100644 --- a/src/pubkey-pinning.h +++ b/src/pubkey-pinning.h 
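Review bot: This file is meant to be the TLS-library-neutral half of the pinning code, yet the "value" length checks and the `buf` array in _getdns_get_pubkey_pinset_list use SHA256_DIGEST_LENGTH, which is OpenSSL's macro from openssl/sha.h; the two angle-bracket includes at the top lost their names in this rendering, so I cannot tell whether one of them is that header. If it is, the split has not removed the OpenSSL dependency; if it is not, the GnuTLS build (whose pubkey-pinning-internal.h is created empty in this patch) fails unless tls.h happens to define the macro. A library-neutral constant in pubkey-pinning.h, `#define GETDNS_SHA256_PIN_LEN 32`, used here for the size checks and the `buf` array, would settle it either way. Separately, the file never includes pubkey-pinning.h, so the compiler cannot check these definitions against the prototypes it exports; adding `#include "pubkey-pinning.h"` is cheap insurance.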
@@ -36,6 +36,15 @@
 #include "tls.h"
+/**
+ ** Internal functions, implemented in pubkey-pinning-internal.c.
+ **/
+getdns_dict* getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str);
+
+/**
+ ** Public interface.
+ **/
+
 /* create and populate a pinset linked list from a getdns_list pinset */
 getdns_return_t
 _getdns_get_pubkey_pinset_from_list(const getdns_list *pinset_list,
From 46c49cbcfe1f385161381fe7ba6687515753d513 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Thu, 6 Dec 2018 16:32:20 +0000
Subject: [PATCH 041/108] Modify getdns_server_mon to use GnuTLS or OpenSSL. Untested.
---
 src/tools/getdns_server_mon.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 360bf520..3b2d1045 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -36,9 +36,13 @@
 #include
 #include
+#ifdef USE_GNUTLS
+#include
+#else
 #include
 #include
 #include
+#endif
 #include
 #include
@@ -181,7 +185,7 @@ static const char *rcode_text(int rcode)
 return getdns_intval_text(rcode, "rcode", "GETDNS_RCODE_");
 }
-#if OPENSSL_VERSION_NUMBER < 0x10002000 || defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(USE_GNUTLS) && (OPENSSL_VERSION_NUMBER < 0x10002000 || defined(LIBRESSL_VERSION_NUMBER))
 /*
 * Convert date to Julian day.
 * See https://en.wikipedia.org/wiki/Julian_day
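Review bot: The two new section headings in pubkey-pinning.h invert the library's naming convention: getdns_pubkey_pin_create_from_string, which carries the public `getdns_` prefix, is filed under "Internal functions", while the underscore-prefixed `_getdns_get_pubkey_pinset_*` helpers land under "Public interface". What the comments actually distinguish is where each function is implemented, so say that instead: `** Implemented in the TLS-library-specific pubkey-pinning-internal.c.` and `** Implemented in the library-neutral pubkey-pinning.c.` That keeps the header honest about what is API and what is not, which matters for a file whose declarations decide who may call the pin-verification code.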
@@ -212,6 +216,27 @@ static long secs_in_day(const struct tm *tm)
 */
 static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t)
 {
+#ifdef USE_GNUTLS
+ gnutls_x509_crt_t cert;
+ gnutls_datum_t datum;
+ bool res = false;
+
+ datum.data = (unsigned char*) data;
+ datum.size = len;
+
+ if (gnutls_x509_crt_init(&cert) != GNUTLS_E_SUCCESS)
+ return false;
+
+ if (gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER) == GNUTLS_E_SUCCESS) {
+ time_t expiry = gnutls_x509_crt_get_expiration_time(cert);
+ if (expiry != GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION) {
+ res = true;
+ *t = expiry;
+ }
+ }
+ gnutls_x509_crt_deinit(cert);
+ return res;
+#else
 X509 *cert = d2i_X509(NULL, &data, len);
 if (!cert)
 return false;
@@ -299,6 +324,7 @@ static bool extract_cert_expiry(const unsigned char *data, size_t len, time_t *t
 X509_free(cert);
 #endif
 *t += day_diff * SECS_IN_DAY + sec_diff;
+#endif /* USE_GNUTLS */
 return true;
 }
From b0c057e8ae62ede13973943b2a21eb3226fabcb8 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Thu, 6 Dec 2018 16:35:43 +0000
Subject: [PATCH 042/108] Update dependencies for GnuTLS. In practice a 'make depend' is required before building with either OpenSSL or GnuTLS.
---
 src/Makefile.in | 146 +++++++++++++++++++++++++-----------------
 src/test/Makefile.in | 3 +-
 src/tools/Makefile.in | 3 +-
 3 files changed, 92 insertions(+), 60 deletions(-)
diff --git a/src/Makefile.in b/src/Makefile.in
index cfec9a47..2047ca0e 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
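Review bot: In the new GnuTLS branch, gnutls_x509_crt_get_expiration_time() reports failure by returning (time_t)-1, and the code only screens out GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION, so an error return would be handed back as a valid expiry of one second before the epoch and the monitor would report the certificate as long expired rather than as unparsable. Guard both sentinels: `if (expiry != (time_t)-1 && expiry != GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION) {`. A smaller point: `datum.size = len;` silently narrows a size_t into gnutls_datum_t's unsigned int; a DER certificate will never approach that limit, but an explicit cast documents that the narrowing is deliberate. The OpenSSL branch and the function's tail lie outside this hunk.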
@@ -300,21 +300,34 @@ depend: FORCE: # Dependencies for gldns, utils, the extensions and compat functions +anchor.lo anchor.o: $(srcdir)/anchor.c \ + config.h $(srcdir)/debug.h \ + $(srcdir)/anchor.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dnssec.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h \ + $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h const-info.lo const-info.o: $(srcdir)/const-info.c \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/const-info.h -context.lo context.o: $(srcdir)/context.c config.h \ - $(srcdir)/anchor.h getdns/getdns.h \ +context.lo context.o: $(srcdir)/context.c \ + config.h $(srcdir)/anchor.h \ + getdns/getdns.h \ getdns/getdns_extra.h \ - $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ - $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h \ - $(srcdir)/pubkey-pinning.h 
$(srcdir)/const-info.h -convert.lo convert.o: $(srcdir)/convert.c config.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h \ + $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h +convert.lo convert.o: $(srcdir)/convert.c \ + config.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ @@ -333,8 +346,9 @@ dict.lo dict.o: $(srcdir)/dict.c config.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \ $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h -dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ - $(srcdir)/debug.h getdns/getdns.h \ +dnssec.lo dnssec.o: $(srcdir)/dnssec.c \ + config.h $(srcdir)/debug.h \ + getdns/getdns.h \ $(srcdir)/context.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ 
@@ -344,8 +358,9 @@ dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \ $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h -general.lo general.o: $(srcdir)/general.c config.h \ - $(srcdir)/general.h getdns/getdns.h \ +general.lo general.o: $(srcdir)/general.c \ + config.h $(srcdir)/general.h \ + getdns/getdns.h \ $(srcdir)/types-internal.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ @@ -372,8 +387,19 @@ mdns.lo mdns.o: $(srcdir)/mdns.c config.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \ config.h +pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \ + config.h $(srcdir)/debug.h \ + getdns/getdns.h \ + $(srcdir)/context.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/$(tlsdir)/pubkey-pinning-internal.h request-internal.lo request-internal.o: $(srcdir)/request-internal.c \ - config.h $(srcdir)/types-internal.h \ + config.h \ + $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ 
@@ -394,10 +420,11 @@ rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict. config.h \ getdns/getdns.h \ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h -server.lo server.o: $(srcdir)/server.c config.h \ +server.lo server.o: $(srcdir)/server.c \ + config.h \ getdns/getdns_extra.h \ - getdns/getdns.h $(srcdir)/context.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + getdns/getdns.h \ + $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/debug.h \ @@ -413,7 +440,8 @@ stub.lo stub.o: $(srcdir)/stub.c config.h \ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \ $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \ $(srcdir)/pubkey-pinning.h -sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \ +sync.lo sync.o: $(srcdir)/sync.c \ + getdns/getdns.h \ config.h $(srcdir)/context.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ 
@@ -427,33 +455,36 @@ util-internal.lo util-internal.o: $(srcdir)/util-internal.c \ config.h \ getdns/getdns.h $(srcdir)/dict.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ - getdns/getdns_extra.h $(srcdir)/list.h \ - $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + getdns/getdns_extra.h \ + $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \ $(srcdir)/gldns/rrdef.h gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ - config.h $(srcdir)/gldns/gbuffer.h + config.h \ + $(srcdir)/gldns/gbuffer.h keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ - config.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h + config.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h parse.lo parse.o: $(srcdir)/gldns/parse.c \ config.h $(srcdir)/gldns/parse.h \ $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \ - config.h $(srcdir)/gldns/parseutil.h + config.h \ + $(srcdir)/gldns/parseutil.h rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \ config.h $(srcdir)/gldns/rrdef.h \ $(srcdir)/gldns/parseutil.h str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \ - config.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \ - $(srcdir)/gldns/parseutil.h + config.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/parse.h 
$(srcdir)/gldns/parseutil.h wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \ - config.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \ - $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h + config.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \ + $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/$(tlsdir)/keyraw-internal.h arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \ config.h arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \ @@ -482,8 +513,9 @@ strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \ config.h strptime.lo strptime.o: $(srcdir)/compat/strptime.c \ config.h -locks.lo locks.o: $(srcdir)/util/locks.c config.h \ - $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h +locks.lo locks.o: $(srcdir)/util/locks.c \ + config.h $(srcdir)/util/locks.h \ + $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \ config.h \ $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \ 
@@ -494,36 +526,31 @@ lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \ $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ - config.h $(srcdir)/util/auxiliary/log.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \ - $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h + config.h \ + $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \ + $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h -anchor.lo anchor.o: $(srcdir)/$(tlsdir)/anchor.c \ - config.h $(srcdir)/debug.h $(srcdir)/anchor.h \ +anchor-internal.lo anchor-internal.o: $(srcdir)/$(tlsdir)/anchor-internal.c \ + config.h $(srcdir)/anchor.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/types-internal.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h $(srcdir)/ub_loop.h \ - $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/platform.h + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h 
keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c \ - config.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h -pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/$(tlsdir)/pubkey-pinning.c \ - config.h $(srcdir)/debug.h \ - getdns/getdns.h $(srcdir)/context.h \ + config.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h +pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c $(srcdir)/context.h \ + getdns/getdns.h \ getdns/getdns_extra.h \ + config.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/context.h $(srcdir)/$(tlsdir)/pubkey-pinning-internal.h -tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c config.h \ - $(srcdir)/debug.h $(srcdir)/context.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/pubkey-pinning.h +tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c \ + config.h $(srcdir)/debug.h \ + $(srcdir)/context.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ 
@@ -539,12 +566,14 @@ val_secalgo.lo val_secalgo.o: $(srcdir)/$(tlsdir)/val_secalgo.c \ $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h libev.lo libev.o: $(srcdir)/extension/libev.c \ - config.h $(srcdir)/types-internal.h \ + config.h \ + $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h libevent.lo libevent.o: $(srcdir)/extension/libevent.c \ - config.h $(srcdir)/types-internal.h \ + config.h \ + $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h @@ -555,8 +584,9 @@ libuv.lo libuv.o: $(srcdir)/extension/libuv.c \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \ - config.h $(srcdir)/util-internal.h \ - $(srcdir)/context.h getdns/getdns.h \ + config.h \ + $(srcdir)/util-internal.h $(srcdir)/context.h \ + getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ diff --git a/src/test/Makefile.in b/src/test/Makefile.in index 89f5d3af..9d4dad00 100644 --- a/src/test/Makefile.in +++ b/src/test/Makefile.in 
@@ -305,7 +305,8 @@ tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h \ tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h \ ../getdns/getdns.h tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c \ - ../config.h $(srcdir)/testmessages.h \ + ../config.h \ + $(srcdir)/testmessages.h \ ../getdns/getdns.h \ ../getdns/getdns_extra.h tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h \ diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in index c51e2daf..6cefffcd 100644 --- a/src/tools/Makefile.in +++ b/src/tools/Makefile.in @@ -123,7 +123,8 @@ depend: # Dependencies for getdns_query getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \ - ../config.h $(srcdir)/../debug.h \ + ../config.h \ + $(srcdir)/../debug.h \ ../getdns/getdns.h \ ../getdns/getdns_extra.h getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \ From 64f0d6aaa81ffd4fc38e8473d221318c55d89352 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Fri, 7 Dec 2018 11:09:20 +0000 Subject: [PATCH 043/108] Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify(). I managed to mislead myself about what it did, which suggests the name should be clearer. --- src/gnutls/tls.c | 2 +- src/openssl/tls.c | 2 +- src/stub.c | 2 +- src/tls.h | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index 8588670c..2d515b3a 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c @@ -327,7 +327,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c return GETDNS_RETURN_GOOD; } -getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg) +getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg) { (void) errnum; (void) errmsg; 
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index de913b42..dcc68494 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -507,7 +507,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 return GETDNS_RETURN_GOOD;
 }
 
-getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
+getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
 {
 if (!conn || !conn->ssl)
 return GETDNS_RETURN_INVALID_PARAMETER;
diff --git a/src/stub.c b/src/stub.c
index 723bd149..b6a9cdf1 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -957,7 +957,7 @@ tls_do_handshake(getdns_upstream *upstream)
 long verify_errno;
 const char* verify_errmsg;
 
- if (_getdns_tls_connection_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) {
+ if (_getdns_tls_connection_certificate_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) {
 upstream->tls_auth_state = GETDNS_AUTH_OK;
 if (verify_errno != 0) {
 _getdns_upstream_log(upstream,
diff --git a/src/tls.h b/src/tls.h
index d475ee53..fe05dc52 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -271,7 +271,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 * @return GETDNS_RETURN_INVALID_PARAMETER if conn is null or has no SSL.
 * @return GETDNS_RETURN_GENERIC_ERROR if verification failed.
 */
-getdns_return_t _getdns_tls_connection_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg);
+getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg);
 
 /**
 * Read from TLS.
From 511dfc75ef8aaf7c2b516c7a8e8ce6fb8931788e Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Fri, 7 Dec 2018 11:11:33 +0000
Subject: [PATCH 044/108] Implement _getdns_tls_context_set_min_proto_1_2().
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake. This means we need to access the context from a connection, so add a pointer to the context to the connection.
---
 src/gnutls/tls-internal.h | 5 ++++-
 src/gnutls/tls.c | 12 ++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index 2b76d564..15115b4d 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -34,6 +34,8 @@
 #ifndef _GETDNS_TLS_INTERNAL_H
 #define _GETDNS_TLS_INTERNAL_H
 
+#include
+
 #include
 #include
@@ -52,13 +54,14 @@
 typedef struct _getdns_tls_context {
- int unused;
+ bool min_proto_1_2;
 } _getdns_tls_context;
 
 typedef struct _getdns_tls_connection {
 gnutls_session_t tls;
 gnutls_certificate_credentials_t cred;
 int shutdown;
+ _getdns_tls_context* ctx;
 } _getdns_tls_connection;
 
 typedef struct _getdns_tls_session {
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 2d515b3a..5a2b6c94 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -95,6 +95,7 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
 if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context)))
 return NULL;
+ res->min_proto_1_2 = false;
 return res;
 }
 
@@ -113,7 +114,9 @@ void _getdns_tls_context_dane_init(_getdns_tls_context* ctx)
 getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
 {
- (void) ctx;
+ if (!ctx)
+ return GETDNS_RETURN_INVALID_PARAMETER;
+ ctx->min_proto_1_2 = true;
 return GETDNS_RETURN_NOT_IMPLEMENTED;
 }
 
@@ -157,6 +160,7 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 return NULL;
 res->shutdown = 0;
+ res->ctx = ctx;
 r = gnutls_certificate_allocate_credentials(&res->cred);
 if (r == GNUTLS_E_SUCCESS)
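Review bot: `_getdns_tls_context_set_min_proto_1_2` now records the request in `ctx->min_proto_1_2` but still ends with `return GETDNS_RETURN_NOT_IMPLEMENTED;`, so any caller that checks the result (context.c is not visible here) will treat the strict setting as having failed even though it is now honoured at handshake time. The last line should become `return GETDNS_RETURN_GOOD;`. In the `_getdns_tls_connection_new` hunk `res->ctx = ctx;` is stored without a NULL check while later code dereferences `conn->ctx`; rejecting a NULL `ctx` up front (returning NULL as the other failure paths do) would keep that dereference safe.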
@@ -270,8 +274,12 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
 return GETDNS_RETURN_INVALID_PARAMETER;
 
 r = gnutls_handshake(conn->tls);
- if (r == GNUTLS_E_SUCCESS)
+ if (r == GNUTLS_E_SUCCESS) {
+ if (conn->ctx->min_proto_1_2 &&
+ gnutls_protocol_get_version(conn->tls) < GNUTLS_TLS1_2)
+ return GETDNS_RETURN_GENERIC_ERROR;
 return GETDNS_RETURN_GOOD;
+ }
 else
 return error_may_want_read_write(conn, r);
 }
From fee864c25cc8537803796daeb14b9b36a9ebf59b Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Fri, 7 Dec 2018 12:38:17 +0000
Subject: [PATCH 045/108] Implement setting cipher/curve lists.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
---
 src/context.c | 10 +---
 src/gnutls/tls-internal.h | 6 ++
 src/gnutls/tls.c | 116 ++++++++++++++++++++++++++++++++++----
 src/openssl/tls.c | 16 ++++++
 src/stub.c | 2 +-
 src/tls.h | 13 +++--
 6 files changed, 139 insertions(+), 24 deletions(-)
diff --git a/src/context.c b/src/context.c
index ddda54de..6e919114 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1343,10 +1343,6 @@ static char const * const _getdns_default_trust_anchors_verify_CA =
 static char const * const _getdns_default_trust_anchors_verify_email =
 "dnssec@iana.org";
 
-static char const * const _getdns_default_tls_cipher_list =
- "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
- "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
-
 /*
 * getdns_context_create
 *
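Review bot: The TLS 1.2 floor is checked only after `gnutls_handshake` has completed, so a peer is still allowed to finish a TLS 1.0/1.1 handshake before the connection is rejected, and the established session is left open when `GETDNS_RETURN_GENERIC_ERROR` is returned. The minimum version belongs in the priority string handed to `gnutls_priority_set_direct` (for example appending `:-VERS-TLS1.0:-VERS-TLS1.1` when `min_proto_1_2` is set), so that an old version is never negotiated; the post-handshake check can then stay as defence in depth. `conn->ctx` is dereferenced here with no NULL check, which is only safe if `_getdns_tls_connection_new` is never passed a NULL context — worth a comment or a guard. The enclosing function starts outside the hunk.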
@@ -3556,9 +3552,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 }
 /* Be strict and only use the cipher suites recommended in RFC7525
 Unless we later fallback to opportunistic. */
- if (_getdns_tls_context_set_cipher_list(context->tls_ctx,
- context->tls_cipher_list ? context->tls_cipher_list
- : _getdns_default_tls_cipher_list))
+ if (_getdns_tls_context_set_cipher_list(context->tls_ctx, context->tls_cipher_list))
 return GETDNS_RETURN_BAD_CONTEXT;
 
 if (context->tls_curves_list &&
@@ -5277,7 +5271,7 @@ getdns_context_get_tls_cipher_list(
 
 *tls_cipher_list = context->tls_cipher_list
 ? context->tls_cipher_list
- : _getdns_default_tls_cipher_list;
+ : _getdns_tls_context_default_cipher_list;
 
 return GETDNS_RETURN_GOOD;
 }
diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index 15115b4d..d9ac1974 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -54,6 +54,9 @@
 typedef struct _getdns_tls_context {
+ struct mem_funcs* mfs;
+ char* cipher_list;
+ char* curve_list;
 bool min_proto_1_2;
 } _getdns_tls_context;
 
@@ -62,6 +65,9 @@ typedef struct _getdns_tls_connection {
 gnutls_certificate_credentials_t cred;
 int shutdown;
 _getdns_tls_context* ctx;
+ struct mem_funcs* mfs;
+ char* cipher_list;
+ char* curve_list;
 } _getdns_tls_connection;
 
 typedef struct _getdns_tls_session {
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 5a2b6c94..a60dcddf 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -40,6 +40,75 @@
 #include "tls.h"
 
+/*
+ * Cipher suites recommended in RFC7525.
+ *
+ * The GnuTLS 3.5.19 being used for this proof of concept doesn't have
+ * TLS 1.3 support, as in the OpenSSL equivalent. Fall back for now to
+ * a known working priority string.
+ */
+char const * const _getdns_tls_context_default_cipher_list =
+ "SECURE192:-VERS-ALL:+VERS-TLS1.2";
+
+static char const * const _getdns_tls_connection_opportunistic_cipher_list =
+ "NORMAL";
+
+static char* getdns_strdup(struct mem_funcs* mfs, const char* s)
+{
+ char* res;
+
+ if (!s)
+ return NULL;
+
+ res = GETDNS_XMALLOC(*mfs, char, strlen(s) + 1);
+ if (!res)
+ return NULL;
+ strcpy(res, s);
+ return res;
+}
+
+static char* getdns_priappend(struct mem_funcs* mfs, char* s1, const char* s2)
+{
+ char* res;
+
+ if (!s1)
+ return getdns_strdup(mfs, s2);
+ if (!s2)
+ return s1;
+
+ res = GETDNS_XMALLOC(*mfs, char, strlen(s1) + strlen(s2) + 2);
+ if (!res)
+ return NULL;
+ strcpy(res, s1);
+ strcat(res, ":");
+ strcat(res, s2);
+ GETDNS_FREE(*mfs, s1);
+ return res;
+}
+
+static int set_connection_ciphers(_getdns_tls_connection* conn)
+{
+ char* pri = NULL;
+ int res;
+
+ if (conn->cipher_list)
+ pri = getdns_priappend(conn->mfs, pri, conn->cipher_list);
+ else if (conn->ctx->cipher_list)
+ pri = getdns_priappend(conn->mfs, pri, conn->ctx->cipher_list);
+
+ if (conn->curve_list)
+ pri = getdns_priappend(conn->mfs, pri, conn->curve_list);
+ else if (conn->ctx->curve_list)
+ pri = getdns_priappend(conn->mfs, pri, conn->ctx->curve_list);
+
+ if (pri)
+ res = gnutls_priority_set_direct(conn->tls, pri, NULL);
+ else
+ res = gnutls_set_default_priority(conn->tls);
+ GETDNS_FREE(*conn->mfs, pri);
+ return res;
+}
+
 static getdns_return_t error_may_want_read_write(_getdns_tls_connection* conn, int err)
 {
 switch (err) {
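Review bot: In `set_connection_ciphers` an allocation failure inside `getdns_priappend` leaves `pri` NULL and the function silently falls through to `gnutls_set_default_priority`, so the strict cipher/curve policy that was configured is replaced by the library default instead of being reported as an error; `getdns_priappend` also leaks `s1` when its `GETDNS_XMALLOC` fails, and a failed first append followed by a successful second one yields a priority string containing only the curves. Separate "nothing configured" from "failed to build" by returning `GNUTLS_E_MEMORY_ERROR` on the first allocation failure, and free `s1` on the failure path of `getdns_priappend`. The default list's comment could also note that `-VERS-ALL:+VERS-TLS1.2` is what actually pins the protocol floor for this backend.

```c
static char* getdns_priappend(struct mem_funcs* mfs, char* s1, const char* s2)
{
	/* … unchanged: NULL handling for s1 / s2 … */
	res = GETDNS_XMALLOC(*mfs, char, strlen(s1) + strlen(s2) + 2);
	if (!res) {
		GETDNS_FREE(*mfs, s1);
		return NULL;
	}
	/* … unchanged: copy, ':' join, free s1, return res … */
}

static int set_connection_ciphers(_getdns_tls_connection* conn)
{
	const char* ciphers = conn->cipher_list ? conn->cipher_list : conn->ctx->cipher_list;
	const char* curves = conn->curve_list ? conn->curve_list : conn->ctx->curve_list;
	char* pri = NULL;
	int res;

	/* No explicit policy at either level: library default. */
	if (!ciphers && !curves)
		return gnutls_set_default_priority(conn->tls);
	/* A failed build must not silently degrade to the default. */
	if (ciphers && !(pri = getdns_strdup(conn->mfs, ciphers)))
		return GNUTLS_E_MEMORY_ERROR;
	if (curves && !(pri = getdns_priappend(conn->mfs, pri, curves)))
		return GNUTLS_E_MEMORY_ERROR;
	res = gnutls_priority_set_direct(conn->tls, pri, NULL);
	GETDNS_FREE(*conn->mfs, pri);
	return res;
}
```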
@@ -95,7 +164,9 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
 if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context)))
 return NULL;
+ res->mfs = mfs;
 res->min_proto_1_2 = false;
+ res->cipher_list = res->curve_list = NULL;
 return res;
 }
 
@@ -103,6 +174,8 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont
 {
 if (!ctx)
 return GETDNS_RETURN_INVALID_PARAMETER;
+ GETDNS_FREE(*mfs, ctx->curve_list);
+ GETDNS_FREE(*mfs, ctx->cipher_list);
 GETDNS_FREE(*mfs, ctx);
 return GETDNS_RETURN_GOOD;
 }
@@ -122,19 +195,24 @@ getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
 getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list)
 {
- (void) list;
-
 if (!ctx)
 return GETDNS_RETURN_INVALID_PARAMETER;
+
+ if (!list)
+ list = _getdns_tls_context_default_cipher_list;
+
+ GETDNS_FREE(*ctx->mfs, ctx->cipher_list);
+ ctx->cipher_list = getdns_strdup(ctx->mfs, list);
 return GETDNS_RETURN_GOOD;
 }
 
 getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list)
 {
- (void) list;
-
 if (!ctx)
 return GETDNS_RETURN_INVALID_PARAMETER;
+
+ GETDNS_FREE(*ctx->mfs, ctx->curve_list);
+ ctx->curve_list = getdns_strdup(ctx->mfs, list);
 return GETDNS_RETURN_GOOD;
 }
 
@@ -161,6 +239,9 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 res->shutdown = 0;
 res->ctx = ctx;
+ res->mfs = mfs;
+ res->cipher_list = NULL;
+ res->curve_list = NULL;
 r = gnutls_certificate_allocate_credentials(&res->cred);
 if (r == GNUTLS_E_SUCCESS)
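Review bot: `_getdns_tls_context_set_cipher_list` returns `GETDNS_RETURN_GOOD` even when `getdns_strdup` returns NULL, which leaves `ctx->cipher_list` NULL and makes `set_connection_ciphers` fall back to the GnuTLS default priority instead of the RFC 7525 list that was requested — a silent policy downgrade on an allocation failure. Report it as tls.h documents: `if (!ctx->cipher_list) return GETDNS_RETURN_BAD_CONTEXT;` after the strdup, and in `_getdns_tls_context_set_curves_list` the same check only when `list` was non-NULL, since NULL legitimately clears the curve list. The connection-level setters in the next hunk (`_getdns_tls_connection_set_cipher_list` / `_set_curves_list`) have the same pattern, and they return `GETDNS_RETURN_GENERIC_ERROR` where tls.h documents `GETDNS_RETURN_BAD_CONTEXT`. Note also that `list` is spliced verbatim into a GnuTLS priority string, so if callers can still pass a curve list in OpenSSL syntax the priority set will fail later rather than here; if that is known, a comment on the accepted syntax would help.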
@@ -168,7 +249,7 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 if (r == GNUTLS_E_SUCCESS)
 r = gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK);
 if (r == GNUTLS_E_SUCCESS)
- r = gnutls_set_default_priority(res->tls);
+ r = set_connection_ciphers(res);
 if (r == GNUTLS_E_SUCCESS)
 r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred);
 if (r != GNUTLS_E_SUCCESS) {
@@ -187,6 +268,8 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c
 gnutls_deinit(conn->tls);
 gnutls_certificate_free_credentials(conn->cred);
+ GETDNS_FREE(*mfs, conn->curve_list);
+ GETDNS_FREE(*mfs, conn->cipher_list);
 GETDNS_FREE(*mfs, conn);
 return GETDNS_RETURN_GOOD;
 }
@@ -209,20 +292,31 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn)
 getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list)
 {
- (void) list;
-
 if (!conn || !conn->tls)
 return GETDNS_RETURN_INVALID_PARAMETER;
- return GETDNS_RETURN_GOOD;
+
+ if (!list)
+ list = _getdns_tls_connection_opportunistic_cipher_list;
+
+ GETDNS_FREE(*conn->mfs, conn->cipher_list);
+ conn->cipher_list = getdns_strdup(conn->mfs, list);
+ if (set_connection_ciphers(conn) == GNUTLS_E_SUCCESS)
+ return GETDNS_RETURN_GOOD;
+ else
+ return GETDNS_RETURN_GENERIC_ERROR;
 }
 
 getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list)
 {
- (void) list;
-
 if (!conn || !conn->tls)
 return GETDNS_RETURN_INVALID_PARAMETER;
- return GETDNS_RETURN_GOOD;
+
+ GETDNS_FREE(*conn->mfs, conn->curve_list);
+ conn->curve_list = getdns_strdup(conn->mfs, list);
+ if (set_connection_ciphers(conn) == GNUTLS_E_SUCCESS)
+ return GETDNS_RETURN_GOOD;
+ else
+ return GETDNS_RETURN_GENERIC_ERROR;
 }
 
 getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s)
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index dcc68494..82fa0870 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -49,6 +49,14 @@
 #include "tls.h"
 
+/* Cipher suites recommended in RFC7525. */
+char const * const _getdns_tls_context_default_cipher_list =
+ "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
+ "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
+
+static char const * const _getdns_tls_connection_opportunistic_cipher_list =
+ "DEFAULT";
+
 static int _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
 {
 # if defined(STUB_DEBUG) && STUB_DEBUG
@@ -275,6 +283,10 @@ getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, co
 {
 if (!ctx || !ctx->ssl)
 return GETDNS_RETURN_INVALID_PARAMETER;
+
+ if (!list)
+ list = _getdns_tls_context_default_cipher_list;
+
 if (!SSL_CTX_set_cipher_list(ctx->ssl, list))
 return GETDNS_RETURN_BAD_CONTEXT;
 return GETDNS_RETURN_GOOD;
@@ -366,6 +378,10 @@ getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* c
 {
 if (!conn || !conn->ssl)
 return GETDNS_RETURN_INVALID_PARAMETER;
+
+ if (!list)
+ list = _getdns_tls_connection_opportunistic_cipher_list;
+
 if (!SSL_set_cipher_list(conn->ssl, list))
 return GETDNS_RETURN_BAD_CONTEXT;
 return GETDNS_RETURN_GOOD;
diff --git a/src/stub.c b/src/stub.c
index b6a9cdf1..7cbfe9a2 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -875,7 +875,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 }
 }
 if (upstream->tls_fallback_ok) {
- _getdns_tls_connection_set_cipher_list(tls, "DEFAULT");
+ _getdns_tls_connection_set_cipher_list(tls, NULL);
 DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
 STUB_DEBUG_SETUP_TLS, __FUNC__);
 } else {
diff --git a/src/tls.h b/src/tls.h
index fe05dc52..e58d4ce3 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -94,7 +94,7 @@ getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx);
 * Set list of allowed ciphers.
 *
 * @param ctx the context.
- * @param list the list of cipher identifiers.
+ * @param list the list of cipher identifiers. NULL for default setting.
 * @return GETDNS_RETURN_GOOD on success.
 * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer.
 * @return GETDNS_RETURN_BAD_CONTEXT on failure.
@@ -105,7 +105,7 @@ getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, co
 * Set list of allowed curves.
 *
 * @param ctx the context.
- * @param list the list of curve identifiers.
+ * @param list the list of curve identifiers. NULL for default setting.
 * @return GETDNS_RETURN_GOOD on success.
 * @return GETDNS_RETURN_INVALID_PARAMETER on bad context pointer.
 * @return GETDNS_RETURN_BAD_CONTEXT on failure.
@@ -164,7 +164,7 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn);
 * Set list of allowed ciphers on this connection.
 *
 * @param conn the connection.
- * @param list the list of cipher identifiers.
+ * @param list the list of cipher identifiers. NULL for opportunistic setting.
 * @return GETDNS_RETURN_GOOD on success.
 * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer.
 * @return GETDNS_RETURN_BAD_CONTEXT on failure.
@@ -175,7 +175,7 @@ getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* c
 * Set list of allowed curves on this connection.
 *
 * @param conn the connection.
- * @param list the list of curve identifiers.
+ * @param list the list of curve identifiers. NULL for default setting.
 * @return GETDNS_RETURN_GOOD on success.
 * @return GETDNS_RETURN_INVALID_PARAMETER on bad connection pointer.
 * @return GETDNS_RETURN_BAD_CONTEXT on failure.
@@ -407,4 +407,9 @@ void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf);
 */
 void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen);
 
+/**
+ * Default context cipher list.
+ */
+const char* const _getdns_tls_context_default_cipher_list;
+
 #endif /* _GETDNS_TLS_H */
From 1acd880f268846974e00bd457a39444e3876b0d4 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Fri, 7 Dec 2018 17:56:12 +0000
Subject: [PATCH 046/108] Correct error return value from stub.
---
 src/gnutls/pubkey-pinning-internal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gnutls/pubkey-pinning-internal.c b/src/gnutls/pubkey-pinning-internal.c
index 0d58712c..6568f52a 100644
--- a/src/gnutls/pubkey-pinning-internal.c
+++ b/src/gnutls/pubkey-pinning-internal.c
@@ -54,5 +54,5 @@ _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
 getdns_dict* getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str)
 {
- return GETDNS_RETURN_GENERIC_ERROR;
+ return NULL;
 }
From ff7ffc246c1340e8420764e855286a297f949159 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 11 Dec 2018 12:46:05 +0000
Subject: [PATCH 047/108] Rename TLS Interface DANE init to pinset init.
That's what it's actually used for.
---
 src/context.c | 2 +-
 src/gnutls/tls.c | 2 +-
 src/openssl/tls.c | 2 +-
 src/tls.h | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/context.c b/src/context.c
index 6e919114..5c40f2e3 100644
--- a/src/context.c
+++ b/src/context.c
@@ -3566,7 +3566,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED)
 return GETDNS_RETURN_BAD_CONTEXT;
 }
- _getdns_tls_context_dane_init(context->tls_ctx);
+ _getdns_tls_context_pinset_init(context->tls_ctx);
 }
 }
 
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index a60dcddf..f0555289 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
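Review bot: `const char* const _getdns_tls_context_default_cipher_list;` in tls.h is a tentative definition, not a declaration: every translation unit that includes the header (context.c, stub.c and both backend tls.c files) then defines the object, so with `-fno-common` (the default since GCC 10) the link fails with a duplicate symbol, and with common symbols it only works by accident of the backend's initialised definition winning. It should read `extern const char* const _getdns_tls_context_default_cipher_list;`. The doc comment would also benefit from saying that the value is backend-specific syntax (an OpenSSL cipher string or a GnuTLS priority string), since `getdns_context_get_tls_cipher_list` now hands it back to API users.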
@@ -180,7 +180,7 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont
 return GETDNS_RETURN_GOOD;
 }
 
-void _getdns_tls_context_dane_init(_getdns_tls_context* ctx)
+void _getdns_tls_context_pinset_init(_getdns_tls_context* ctx)
 {
 (void) ctx;
 }
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 82fa0870..111c15d0 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -253,7 +253,7 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont
 return GETDNS_RETURN_GOOD;
 }
 
-void _getdns_tls_context_dane_init(_getdns_tls_context* ctx)
+void _getdns_tls_context_pinset_init(_getdns_tls_context* ctx)
 {
 # if defined(STUB_DEBUG) && STUB_DEBUG
 int osr =
diff --git a/src/tls.h b/src/tls.h
index e58d4ce3..4f65bf64 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -73,11 +73,11 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs);
 getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx);
 
 /**
- * Initialise any shared state for DANE checking.
+ * Initialise any shared state for pinset checking.
 *
 * @param ctx the context to initialise.
 */
-void _getdns_tls_context_dane_init(_getdns_tls_context* ctx);
+void _getdns_tls_context_pinset_init(_getdns_tls_context* ctx);
 
 /**
 * Set TLS 1.2 as minimum TLS version.
From a6ab7ffe416279f114b14c7c46f0f5107fbea405 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 11 Dec 2018 15:05:09 +0100
Subject: [PATCH 048/108] ed25519 and ecdsa support with libnettle
---
 configure.ac | 100 ++++++++++++++++++++++++----
 src/openssl/validator/val_secalgo.h | 5 ++
 2 files changed, 93 insertions(+), 12 deletions(-)
diff --git a/configure.ac b/configure.ac
index 865e21b4..77f9b091 100644
--- a/configure.ac
+++ b/configure.ac
@@ -400,6 +400,45 @@ yes) ;; esac +USE_NSS="no" +AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path], + [use libnss instead of openssl, installed at path.]), + [ + USE_NSS="yes" + AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto]) + if test "$withval" != "" -a "$withval" != "yes"; then + CPPFLAGS="$CPPFLAGS -I$withval/include/nss3" + LDFLAGS="$LDFLAGS -L$withval/lib" + ACX_RUNTIME_PATH_ADD([$withval/lib]) + CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS" + else + CPPFLAGS="$CPPFLAGS -I/usr/include/nss3" + CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS" + fi + LIBS="$LIBS -lnss3 -lnspr4" + SSLLIB="" + ] +) + +# libnettle +USE_NETTLE="no" +AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path], + [use libnettle as crypto library, installed at path.]), + [ + USE_NETTLE="yes" + AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto]) + AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT]) + if test "$withval" != "" -a "$withval" != "yes"; then + CPPFLAGS="$CPPFLAGS -I$withval/include/nettle" + LDFLAGS="$LDFLAGS -L$withval/lib" + ACX_RUNTIME_PATH_ADD([$withval/lib]) + else + CPPFLAGS="$CPPFLAGS -I/usr/include/nettle" + fi + LIBS="$LIBS -lhogweed -lnettle -lgmp" + SSLLIB="" + ] +) # Which TLS and crypto libs to use. AC_ARG_WITH([gnutls], [AS_HELP_STRING([--with-gnutls], 
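Review bot: In the new `--with-nettle` block, `AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])` runs before `CPPFLAGS` is extended with `-I$withval/include/nettle`, so for a nettle installed under a non-default `path` the header is probed without its include directory and the check will report it missing. Move that `AC_CHECK_HEADERS` line after the `if … else … fi` that sets `CPPFLAGS`. Both new blocks also clear `SSLLIB=""` and append to `LIBS` unconditionally, with no `AC_CHECK_LIB` confirming that `-lnss3`/`-lnspr4` or `-lhogweed -lnettle -lgmp` actually link; a library probe here would turn a late link failure into a clear configure-time error.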
@@ -410,17 +449,25 @@ AC_ARG_WITH([gnutls], CFLAGS="$libgnutls_CFLAGS $CFLAGS" AC_SUBST([TLSDIR], 'gnutls') AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library]) - AX_LIB_NETTLE(yes) + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then + + AX_LIB_NETTLE(yes) + USE_NETTLE="yes" + AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto]) + AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT]) + fi ], [ - ACX_WITH_SSL_OPTIONAL + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then + ACX_WITH_SSL + fi ACX_LIB_SSL AC_SUBST([TLSDIR], 'openssl') ]) -USE_NSS="no" + # openssl -if test $USE_NSS = "no"; then +if test $USE_NSS = "no" -a $USE_NETTLE = "no" ; then AC_MSG_CHECKING([for LibreSSL]) if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then AC_MSG_RESULT([yes]) 
@@ -431,11 +478,11 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/ else AC_MSG_RESULT([no]) fi -AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter]) -AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list], [], [], [ +AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites]) +AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H #include 
@@ -594,7 +641,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works) AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support])) use_gost="no" -if test $USE_NSS = "no"; then +if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then case "$enable_gost" in no) ;; @@ -608,7 +655,7 @@ case "$enable_gost" in fi ;; esac -fi dnl !USE_NSS +fi dnl !USE_NSS && !USE_NETTLE AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support])) use_ecdsa="no" @@ -616,7 +663,7 @@ case "$enable_ecdsa" in no) ;; *) - if test $USE_NSS = "no"; then + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])]) AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])]) AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT @@ -648,6 +695,7 @@ case "$enable_dsa" in ;; *) dnl default # detect if DSA is supported, and turn it off if not. + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then AC_CHECK_FUNC(DSA_SIG_new, [ AC_CHECK_TYPE(DSA_SIG*, [ AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.]) @@ -672,6 +720,9 @@ AC_INCLUDES_DEFAULT ]) ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.]) fi ]) + else + AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.]) + fi ;; esac 
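Review bot: The new `else` branch of the DSA case defines `USE_DSA` unconditionally whenever NSS or nettle is selected, although the comment directly above says DSA is detected and turned off when unsupported, and the `nettle/dsa-compat.h` probe added in the earlier hunk is never consulted. Gate it on the probe result, e.g. `if test "x$ac_cv_header_nettle_dsa_compat_h" = "xyes"; then AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.]); fi`, and leave it off for NSS until an equivalent check exists. DSA is a legacy DNSSEC algorithm, so defaulting it off when support is not confirmed is the safer choice.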
@@ -681,15 +732,40 @@ case "$enable_ed25519" in no) ;; *) - if test "$USE_NSS" = "no" -a "$USE_NETTLE" = "no"; then + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then AC_CHECK_DECLS([NID_ED25519], [ - AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.]) use_ed25519="yes" ], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.]) fi ], [AC_INCLUDES_DEFAULT #include ]) fi + if test $USE_NETTLE = "yes"; then + AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes",, [AC_INCLUDES_DEFAULT]) + fi + if test $use_ed25519 = "yes"; then + AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.]) + fi + ;; +esac + +AC_ARG_ENABLE(ed448, AC_HELP_STRING([--disable-ed448], [Disable ED448 support])) +use_ed448="no" +case "$enable_ed448" in + no) + ;; + *) + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then + AC_CHECK_DECLS([NID_ED448], [ + use_ed448="yes" + ], [ if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED448 and you used --enable-ed448.]) + fi ], [AC_INCLUDES_DEFAULT +#include + ]) + fi + if test $use_ed448 = "yes"; then + AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.]) + fi ;; esac diff --git a/src/openssl/validator/val_secalgo.h b/src/openssl/validator/val_secalgo.h index e4e2a7a7..ef26cf34 100644 --- a/src/openssl/validator/val_secalgo.h +++ b/src/openssl/validator/val_secalgo.h @@ -18,6 +18,7 @@ #define fake_sha1 _getdns_fake_sha1 #define fake_dsa _getdns_fake_dsa + #define NSEC3_HASH_SHA1 0x01 #define LDNS_SHA1 GLDNS_SHA1 
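Review bot: The ed25519 hunk replaces the quoted `"$USE_NSS" = "no" -a "$USE_NETTLE" = "no"` with an unquoted form and the new ed448 case copies it; `test` then fails with a syntax error if either variable is ever empty (for instance if the block that initialises it is skipped or reordered). Both are set to "no" earlier, so it works today, but the quoted form was the robust one and costs nothing. The ed448 case also has no nettle probe corresponding to the `nettle/eddsa.h` check for ed25519, so `--with-nettle` builds never enable ED448; if that is intentional a one-line comment saying so would save the next reader a search.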
@@ -34,6 +35,10 @@
 #define LDNS_ECDSAP256SHA256 GLDNS_ECDSAP256SHA256
 #define LDNS_ECDSAP384SHA384 GLDNS_ECDSAP384SHA384
 #define LDNS_ECC_GOST GLDNS_ECC_GOST
+#define LDNS_ED25519 GLDNS_ED25519
+#define LDNS_ED448 GLDNS_ED448
+#define sldns_ed255192pkey_raw gldns_ed255192pkey_raw
+#define sldns_ed4482pkey_raw gldns_ed4482pkey_raw
 #define sldns_key_EVP_load_gost_id gldns_key_EVP_load_gost_id
 #define sldns_digest_evp gldns_digest_evp
 #define sldns_key_buf2dsa_raw gldns_key_buf2dsa_raw
From ab700e70fe1b9c41f141070eaaf874914a9c9a27 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 11 Dec 2018 15:13:17 +0100
Subject: [PATCH 049/108] DNS Cookies with libnettle too
---
 configure.ac | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 77f9b091..21f386e5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -791,8 +791,8 @@ case "$enable_edns_cookies" in
 no)
 ;;
 yes|*)
- if test "x_$HAVE_SSL" != "x_yes"; then
- AC_MSG_ERROR([edns cookies need openssl libcrypto which is not available, please rerun with --disable-edns-cookies])
+ if test "x_$HAVE_SSL" != "x_yes" -a $USE_NETTLE = "no"; then
+ AC_MSG_ERROR([edns cookies needs crypto library which is not available, please rerun with --disable-edns-cookies])
 fi
 AC_DEFINE_UNQUOTED([EDNS_COOKIES], [1], [Define this to enable the experimental edns cookies.])
 ;;
From 2c6ec5e0be8ed2bfe93241880eba34c87bf72aa2 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 11 Dec 2018 14:59:21 +0000
Subject: [PATCH 050/108] Implement setting up pinset for DANE.
Verification to come.
---
 src/gnutls/tls-internal.h | 4 +++
 src/gnutls/tls.c | 60 +++++++++++++++++++++++++++++++++++++--
 2 files changed, 61 insertions(+), 3 deletions(-)
diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index d9ac1974..9186184a 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -38,6 +38,7 @@
 #include
 #include
+#include
 
 #include "getdns/getdns.h"
@@ -68,6 +69,9 @@ typedef struct _getdns_tls_connection {
 struct mem_funcs* mfs;
 char* cipher_list;
 char* curve_list;
+ dane_query_t dane_query;
+ dane_state_t dane_state;
+ char* tlsa;
 } _getdns_tls_connection;
 
 typedef struct _getdns_tls_session {
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index f0555289..c4d48bd1 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -242,6 +242,8 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 res->mfs = mfs;
 res->cipher_list = NULL;
 res->curve_list = NULL;
+ res->dane_query = NULL;
+ res->tlsa = NULL;
 r = gnutls_certificate_allocate_credentials(&res->cred);
 if (r == GNUTLS_E_SUCCESS)
@@ -252,7 +254,9 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 r = set_connection_ciphers(res);
 if (r == GNUTLS_E_SUCCESS)
 r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred);
- if (r != GNUTLS_E_SUCCESS) {
+ if (r == GNUTLS_E_SUCCESS)
+ r = dane_state_init(&res->dane_state, DANE_F_INSECURE | DANE_F_IGNORE_DNSSEC);
+ if (r != DANE_E_SUCCESS) {
 _getdns_tls_connection_free(mfs, res);
 return NULL;
 }
@@ -266,8 +270,11 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c
 if (!conn || !conn->tls)
 return GETDNS_RETURN_INVALID_PARAMETER;
 
+ dane_query_deinit(conn->dane_query);
+ dane_state_deinit(conn->dane_state);
 gnutls_deinit(conn->tls);
 gnutls_certificate_free_credentials(conn->cred);
+ GETDNS_FREE(*mfs, conn->tlsa);
 GETDNS_FREE(*mfs, conn->curve_list);
 GETDNS_FREE(*mfs, conn->cipher_list);
 GETDNS_FREE(*mfs, conn);
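Review bot: `_getdns_tls_connection_new` initialises `dane_query` and `tlsa` but not `dane_state`, yet the failure path calls `_getdns_tls_connection_free`, which now runs `dane_state_deinit(conn->dane_state)` unconditionally; when the credentials, `gnutls_init` or priority step fails, `dane_state_init` never ran and deinit receives an indeterminate pointer. Add `res->dane_state = NULL;` beside the other initialisers and guard the teardown with `if (conn->dane_state) dane_state_deinit(conn->dane_state);` (and the same for `dane_query_deinit` unless libdane is documented to accept NULL — I would confirm rather than assume). The `DANE_F_INSECURE | DANE_F_IGNORE_DNSSEC` flags deserve a one-line comment such as `/* TLSA data is synthesised locally from the pinset, not fetched from DNS, so DNSSEC status does not apply */`, since read cold they look like a deliberate weakening of DANE.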
@@ -421,12 +428,59 @@ getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connectio getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset) { - (void) pinset; + int r; if (!conn || !conn->tls || !auth_name) return GETDNS_RETURN_INVALID_PARAMETER; - return GETDNS_RETURN_GOOD; + size_t tlsa_len = 0; + size_t npins = 0; + for (const sha256_pin_t* pin = pinset; pin; pin = pin->next) + npins++; + tlsa_len += (SHA256_DIGEST_LENGTH + 3) * 2; + + GETDNS_FREE(*conn->mfs, conn->tlsa); + conn->tlsa = GETDNS_XMALLOC(*conn->mfs, char, npins * (SHA256_DIGEST_LENGTH + 3) * 2); + if (!conn->tlsa) + return GETDNS_RETURN_GENERIC_ERROR; + + char** dane_data = GETDNS_XMALLOC(*conn->mfs, char*, npins * 2 + 1); + if (!dane_data) + return GETDNS_RETURN_GENERIC_ERROR; + int* dane_data_len = GETDNS_XMALLOC(*conn->mfs, int, npins * 2 + 1); + if (!dane_data_len) { + GETDNS_FREE(*conn->mfs, dane_data); + return GETDNS_RETURN_GENERIC_ERROR; + } + + char** dane_p = dane_data; + int* dane_len_p = dane_data_len; + char* p = conn->tlsa; + for (const sha256_pin_t* pin = pinset; pin; pin = pin->next) { + *dane_p++ = p; + *dane_len_p++ = SHA_DIGEST_LENGTH + 3; + p[0] = 2; + p[1] = 1; + p[2] = 1; + memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH); + p += SHA256_DIGEST_LENGTH + 3; + + *dane_p++ = p; + *dane_len_p++ = SHA_DIGEST_LENGTH + 3; + p[0] = 3; + p[1] = 1; + p[2] = 1; + memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH); + p += SHA256_DIGEST_LENGTH + 3; + } + *dane_p = NULL; + + dane_query_deinit(conn->dane_query); + r = dane_raw_tlsa(conn->dane_state, &conn->dane_query, dane_data, dane_data_len, 0, 0); + GETDNS_FREE(*conn->mfs, dane_data_len); + GETDNS_FREE(*conn->mfs, dane_data); + + return (r == DANE_E_SUCCESS) ? GETDNS_RETURN_GOOD : GETDNS_RETURN_GENERIC_ERROR; } getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg) 
From aa49a935c7b37d88fd94edd59322099801b7b300 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 11 Dec 2018 17:56:14 +0000 Subject: [PATCH 051/108] Fixed error detection in certificate verification. --- src/stub.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/stub.c b/src/stub.c index 7cbfe9a2..66de58fe 100644 --- a/src/stub.c +++ b/src/stub.c @@ -958,7 +958,7 @@ tls_do_handshake(getdns_upstream *upstream) const char* verify_errmsg; if (_getdns_tls_connection_certificate_verify(upstream->tls_obj, &verify_errno, &verify_errmsg)) { - upstream->tls_auth_state = GETDNS_AUTH_OK; + upstream->tls_auth_state = GETDNS_AUTH_FAILED; if (verify_errno != 0) { _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, @@ -978,13 +978,14 @@ tls_do_handshake(getdns_upstream *upstream) ( upstream->tls_fallback_ok ? "Tolerated because of Opportunistic profile" : "*Failure*" ), - verify_errno, verify_errmsg); + verify_errmsg); } } else { - _getdns_upstream_log(upstream, - GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, - "%-40s : Verify passed : TLS\n", - upstream->addr_str); + upstream->tls_auth_state = GETDNS_AUTH_OK; + _getdns_upstream_log(upstream, + GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, + "%-40s : Verify passed : TLS\n", + upstream->addr_str); } _getdns_tls_x509_free(&upstream->upstreams->mf, peer_cert); } From bf011d929441ff406adaf7fce6a50200b26a01eb Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 11 Dec 2018 18:02:03 +0000 Subject: [PATCH 052/108] Add GnuTLS DANE library to configure detection when using GnuTLS. --- configure.ac | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 21f386e5..6fadac38 100644 --- a/configure.ac +++ b/configure.ac 
@@ -445,8 +445,9 @@ AC_ARG_WITH([gnutls], [use GnuTLS instead of OpenSSL])], [ PKG_CHECK_MODULES([libgnutls], [gnutls >= 3.5.0]) - LIBS="$libgnutls_LIBS $LIBS" - CFLAGS="$libgnutls_CFLAGS $CFLAGS" + PKG_CHECK_MODULES([libgnutlsdane], [gnutls-dane >= 3.5.0]) + LIBS="$libgnutls_LIBS $libgnutlsdane_LIBS $LIBS" + CFLAGS="$libgnutls_CFLAGS $libgnutlsdane_CFLAGS $CFLAGS" AC_SUBST([TLSDIR], 'gnutls') AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library]) if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then From 35b4969216322ca9baf03f009bc198f78c66b2a1 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 11 Dec 2018 18:03:00 +0000 Subject: [PATCH 053/108] Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string(). The only OpenSSL function is decoding Base64. --- src/gnutls/pubkey-pinning-internal.c | 9 +-- src/gnutls/tls.c | 110 +++++++++++++++++++++++++- src/openssl/pubkey-pinning-internal.c | 69 ++-------------- src/pubkey-pinning.c | 62 +++++++++++++++ src/pubkey-pinning.h | 4 +- 5 files changed, 180 insertions(+), 74 deletions(-) diff --git a/src/gnutls/pubkey-pinning-internal.c b/src/gnutls/pubkey-pinning-internal.c index 6568f52a..2ae97bf7 100644 --- a/src/gnutls/pubkey-pinning-internal.c +++ b/src/gnutls/pubkey-pinning-internal.c @@ -47,12 +47,7 @@ _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, return GETDNS_RETURN_GOOD; } -/** - ** Interfaces from getdns_extra.h. - **/ - -getdns_dict* -getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str) +getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size) { - return NULL; + return GETDNS_RETURN_GENERIC_ERROR; } diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index c4d48bd1..33d0047a 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c 
@@ -485,12 +485,116 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg) { - (void) errnum; - (void) errmsg; - if (!conn || !conn->tls) return GETDNS_RETURN_INVALID_PARAMETER; + /* Most of the internals of dane_verify_session_crt() */ + + const gnutls_datum_t* cert_list; + unsigned int cert_list_size = 0; + unsigned int type; + int ret; + const gnutls_datum_t* cl; + gnutls_datum_t* new_cert_list = NULL; + int clsize; + unsigned int verify; + + cert_list = gnutls_certificate_get_peers(conn->tls, &cert_list_size); + if (cert_list_size == 0) { + *errnum = 1; + *errmsg = "No peer certificate"; + return GETDNS_RETURN_GENERIC_ERROR; + } + cl = cert_list; + + type = gnutls_certificate_type_get(conn->tls); + + /* this list may be incomplete, try to get the self-signed CA if any */ + if (cert_list_size > 0) { + gnutls_x509_crt_t crt, ca; + gnutls_certificate_credentials_t sc; + + ret = gnutls_x509_crt_init(&crt); + if (ret < 0) + goto failsafe; + + ret = gnutls_x509_crt_import(crt, &cert_list[cert_list_size-1], GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_x509_crt_deinit(crt); + goto failsafe; + } + + /* if it is already self signed continue normally */ + ret = gnutls_x509_crt_check_issuer(crt, crt); + if (ret != 0) { + gnutls_x509_crt_deinit(crt); + goto failsafe; + } + + /* chain does not finish in a self signed cert, try to obtain the issuer */ + ret = gnutls_credentials_get(conn->tls, GNUTLS_CRD_CERTIFICATE, (void**)&sc); + if (ret < 0) { + gnutls_x509_crt_deinit(crt); + goto failsafe; + } + + ret = gnutls_certificate_get_issuer(sc, crt, &ca, 0); + if (ret < 0) { + gnutls_x509_crt_deinit(crt); + goto failsafe; + } + + /* make the new list */ + new_cert_list = GETDNS_XMALLOC(*conn->mfs, gnutls_datum_t, cert_list_size + 1); + if (new_cert_list == NULL) { + gnutls_x509_crt_deinit(crt); + goto failsafe; + } + + 
memcpy(new_cert_list, cert_list, cert_list_size*sizeof(gnutls_datum_t)); + cl = new_cert_list; + + ret = gnutls_x509_crt_export2(ca, GNUTLS_X509_FMT_DER, &new_cert_list[cert_list_size]); + if (ret < 0) { + GETDNS_FREE(*conn->mfs, new_cert_list); + gnutls_x509_crt_deinit(crt); + goto failsafe; + } + } + +failsafe: + + clsize = cert_list_size; + if (cl == new_cert_list) + clsize += 1; + + ret = dane_verify_crt_raw(NULL, cl, clsize, type, conn->dane_query, 0, 0, &verify); + + if (new_cert_list) { + gnutls_free(new_cert_list[cert_list_size].data); + GETDNS_FREE(*conn->mfs, new_cert_list); + } + + if (ret != DANE_E_SUCCESS) + return GETDNS_RETURN_GENERIC_ERROR; + + switch (verify) { + case DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: + *errnum = 2; + *errmsg = "CA constraints violated"; + return GETDNS_RETURN_GENERIC_ERROR; + + case DANE_VERIFY_CERT_DIFFERS: + *errnum = 3; + *errmsg = "Certificate differs"; + return GETDNS_RETURN_GENERIC_ERROR; + + case DANE_VERIFY_UNKNOWN_DANE_INFO: + *errnum = 4; + *errmsg = "Unknown DANE info"; + return GETDNS_RETURN_GENERIC_ERROR; + } + return GETDNS_RETURN_GOOD; } diff --git a/src/openssl/pubkey-pinning-internal.c b/src/openssl/pubkey-pinning-internal.c index ab2d7c08..5ef02db2 100644 --- a/src/openssl/pubkey-pinning-internal.c +++ b/src/openssl/pubkey-pinning-internal.c 
@@ -70,82 +70,25 @@ updated and follow the guidance in rfc7469bis) */ -static const getdns_bindata sha256 = { - .size = sizeof("sha256") - 1, - .data = (uint8_t*)"sha256" -}; - - -#define PIN_PREFIX "pin-sha256=\"" -#define PIN_PREFIX_LENGTH (sizeof(PIN_PREFIX) - 1) /* b64 turns every 3 octets (or fraction thereof) into 4 octets */ #define B64_ENCODED_SHA256_LENGTH (((SHA256_DIGEST_LENGTH + 2)/3) * 4) - -/* convert an HPKP-style pin description to an appropriate getdns data - structure. An example string is: (with the quotes, without any - leading or trailing whitespace): - - pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" - - getdns_build_pin_from_string returns a dict created from ctx, or - NULL if the string did not match. If ctx is NULL, the dict is - created via getdns_dict_create(). - - It is the caller's responsibility to call getdns_dict_destroy when - it is no longer needed. - */ -getdns_dict* getdns_pubkey_pin_create_from_string( - getdns_context* context, - const char* str) +getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size) { BIO *bio = NULL; - size_t i; - uint8_t buf[SHA256_DIGEST_LENGTH]; char inbuf[B64_ENCODED_SHA256_LENGTH + 1]; - getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf }; - getdns_dict* out = NULL; - - /* we only do sha256 right now, make sure this is well-formed */ - if (!str || strncmp(PIN_PREFIX, str, PIN_PREFIX_LENGTH)) - return NULL; - for (i = PIN_PREFIX_LENGTH; i < PIN_PREFIX_LENGTH + B64_ENCODED_SHA256_LENGTH - 1; i++) - if (!((str[i] >= 'a' && str[i] <= 'z') || - (str[i] >= 'A' && str[i] <= 'Z') || - (str[i] >= '0' && str[i] <= '9') || - (str[i] == '+') || (str[i] == '/'))) - return NULL; - if (str[i++] != '=') - return NULL; - if (str[i++] != '"') - return NULL; - if (str[i++] != '\0') - return NULL; + getdns_return_t ret = GETDNS_RETURN_GOOD; /* openssl needs a trailing newline to base64 decode */ - memcpy(inbuf, str + PIN_PREFIX_LENGTH, B64_ENCODED_SHA256_LENGTH); + 
memcpy(inbuf, str, B64_ENCODED_SHA256_LENGTH); inbuf[B64_ENCODED_SHA256_LENGTH] = '\n'; bio = BIO_push(BIO_new(BIO_f_base64()), BIO_new_mem_buf(inbuf, sizeof(inbuf))); - if (BIO_read(bio, buf, sizeof(buf)) != sizeof(buf)) - goto fail; - - if (context) - out = getdns_dict_create_with_context(context); - else - out = getdns_dict_create(); - if (out == NULL) - goto fail; - if (getdns_dict_set_bindata(out, "digest", &sha256)) - goto fail; - if (getdns_dict_set_bindata(out, "value", &value)) - goto fail; - return out; + if (BIO_read(bio, res, res_size) != (int) res_size) + ret = GETDNS_RETURN_GENERIC_ERROR; - fail: BIO_free_all(bio); - getdns_dict_destroy(out); - return NULL; + return ret; } /* this should only happen once ever in the life of the library. it's diff --git a/src/pubkey-pinning.c b/src/pubkey-pinning.c index aaff6eb3..983888fa 100644 --- a/src/pubkey-pinning.c +++ b/src/pubkey-pinning.c @@ -52,6 +52,7 @@ #include "context.h" #include "util-internal.h" +#include "pubkey-pinning.h" #include "pubkey-pinning-internal.h" /* we only support sha256 at the moment. adding support for another 
@@ -67,6 +68,67 @@ static const getdns_bindata sha256 = { .data = (uint8_t*)"sha256" }; +#define PIN_PREFIX "pin-sha256=\"" +#define PIN_PREFIX_LENGTH (sizeof(PIN_PREFIX) - 1) +/* b64 turns every 3 octets (or fraction thereof) into 4 octets */ +#define B64_ENCODED_SHA256_LENGTH (((SHA256_DIGEST_LENGTH + 2)/3) * 4) +/* convert an HPKP-style pin description to an appropriate getdns data + structure. An example string is: (with the quotes, without any + leading or trailing whitespace): + + pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" + + getdns_build_pin_from_string returns a dict created from ctx, or + NULL if the string did not match. If ctx is NULL, the dict is + created via getdns_dict_create(). + + It is the caller's responsibility to call getdns_dict_destroy when + it is no longer needed. + */ +getdns_dict* getdns_pubkey_pin_create_from_string( + getdns_context* context, + const char* str) +{ + size_t i; + uint8_t buf[SHA256_DIGEST_LENGTH]; + getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf }; + getdns_dict* out = NULL; + + /* we only do sha256 right now, make sure this is well-formed */ + if (!str || strncmp(PIN_PREFIX, str, PIN_PREFIX_LENGTH)) + return NULL; + for (i = PIN_PREFIX_LENGTH; i < PIN_PREFIX_LENGTH + B64_ENCODED_SHA256_LENGTH - 1; i++) + if (!((str[i] >= 'a' && str[i] <= 'z') || + (str[i] >= 'A' && str[i] <= 'Z') || + (str[i] >= '0' && str[i] <= '9') || + (str[i] == '+') || (str[i] == '/'))) + return NULL; + if (str[i++] != '=') + return NULL; + if (str[i++] != '"') + return NULL; + if (str[i++] != '\0') + return NULL; + + if (_getdns_decode_base64(str + PIN_PREFIX_LENGTH, buf, sizeof(buf)) != GETDNS_RETURN_GOOD) + goto fail; + + if (context) + out = getdns_dict_create_with_context(context); + else + out = getdns_dict_create(); + if (out == NULL) + goto fail; + if (getdns_dict_set_bindata(out, "digest", &sha256)) + goto fail; + if (getdns_dict_set_bindata(out, "value", &value)) + goto fail; + return out; + + fail: + 
getdns_dict_destroy(out); + return NULL; +} /* Test whether a given pinset is reasonable, including: diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h index 5f12baf2..b94f58af 100644 --- a/src/pubkey-pinning.h +++ b/src/pubkey-pinning.h @@ -39,7 +39,7 @@ /** ** Internal functions, implemented in pubkey-pinning-internal.c. **/ -getdns_dict* getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str); +getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size); /** ** Public interface. @@ -62,5 +62,7 @@ getdns_return_t _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, getdns_upstream *upstream); +getdns_dict* getdns_pubkey_pin_create_from_string(getdns_context* context, const char* str); + #endif /* pubkey-pinning.h */ From 0dec4a6f2170517122e436c866d0e1ead8316dcb Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Wed, 12 Dec 2018 14:59:13 +0000 Subject: [PATCH 054/108] Correct format string, fixing type error in specifier. I was wondering why the error output did appear. --- src/stub.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/stub.c b/src/stub.c index 66de58fe..d110cf06 100644 --- a/src/stub.c +++ b/src/stub.c @@ -963,8 +963,9 @@ tls_do_handshake(getdns_upstream *upstream) _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, ( upstream->tls_fallback_ok - ? GETDNS_LOG_INFO : GETDNS_LOG_ERR), "%-40s : Verify failed : TLS - %s - " - "(%d) \"%s\"\n", upstream->addr_str, + ? GETDNS_LOG_INFO : GETDNS_LOG_ERR), + "%-40s : Verify failed : TLS - %s - " + "(%ld) \"%s\"\n", upstream->addr_str, ( upstream->tls_fallback_ok ? "Tolerated because of Opportunistic profile" : "*Failure*" ), From b51c7384e6891c8c0df0b65d31ea131d74cd4b76 Mon Sep 17 00:00:00 2001 
From: Jim Hague Date: Wed, 12 Dec 2018 15:00:03 +0000 Subject: [PATCH 055/108] Implement _getdns_decode_base64() for GnuTLS. Use primitives in libnettle. --- src/gnutls/pubkey-pinning-internal.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/gnutls/pubkey-pinning-internal.c b/src/gnutls/pubkey-pinning-internal.c index 2ae97bf7..61d94645 100644 --- a/src/gnutls/pubkey-pinning-internal.c +++ b/src/gnutls/pubkey-pinning-internal.c @@ -32,6 +32,8 @@ */ #include "context.h" +#include + #include "types-internal.h" #include "pubkey-pinning.h" @@ -49,5 +51,16 @@ _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size) { - return GETDNS_RETURN_GENERIC_ERROR; + struct base64_decode_ctx ctx; + uint8_t* lim = res + res_size; + + base64_decode_init(&ctx); + + for(; *str != '\0' && res < lim; ++str) { + int r = base64_decode_single(&ctx, res, *str); + if (r == -1 ) + return GETDNS_RETURN_GENERIC_ERROR; + res += r; + } + return (res == lim) ? GETDNS_RETURN_GOOD : GETDNS_RETURN_GENERIC_ERROR; } From 45be26642b1770377277d464e97fb94e2be43ca1 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Wed, 12 Dec 2018 15:01:07 +0000 Subject: [PATCH 056/108] Fix dane query handling and verify error reporting. Verify error is flags, not values. And deiniting a dane_query that is NULL segfaults. --- src/gnutls/tls.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index 33d0047a..21c85063 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c 
@@ -270,7 +270,8 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c if (!conn || !conn->tls) return GETDNS_RETURN_INVALID_PARAMETER; - dane_query_deinit(conn->dane_query); + if (conn->dane_query) + dane_query_deinit(conn->dane_query); dane_state_deinit(conn->dane_state); gnutls_deinit(conn->tls); gnutls_certificate_free_credentials(conn->cred); @@ -475,7 +476,8 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c } *dane_p = NULL; - dane_query_deinit(conn->dane_query); + if (conn->dane_query) + dane_query_deinit(conn->dane_query); r = dane_raw_tlsa(conn->dane_state, &conn->dane_query, dane_data, dane_data_len, 0, 0); GETDNS_FREE(*conn->mfs, dane_data_len); GETDNS_FREE(*conn->mfs, dane_data); @@ -578,20 +580,17 @@ failsafe: if (ret != DANE_E_SUCCESS) return GETDNS_RETURN_GENERIC_ERROR; - switch (verify) { - case DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: - *errnum = 2; - *errmsg = "CA constraints violated"; - return GETDNS_RETURN_GENERIC_ERROR; - - case DANE_VERIFY_CERT_DIFFERS: - *errnum = 3; - *errmsg = "Certificate differs"; - return GETDNS_RETURN_GENERIC_ERROR; - - case DANE_VERIFY_UNKNOWN_DANE_INFO: - *errnum = 4; - *errmsg = "Unknown DANE info"; + if (verify != 0) { + if (verify & DANE_VERIFY_CERT_DIFFERS) { + *errnum = 3; + *errmsg = "Certificate differs"; + } else if (verify & DANE_VERIFY_CA_CONSTRAINTS_VIOLATED) { + *errnum = 2; + *errmsg = "CA constraints violated"; + } else { + *errnum = 4; + *errmsg = "Unknown DANE info"; + } return GETDNS_RETURN_GENERIC_ERROR; } From fa9d8885f0f8045dd0d5337b7d18db53dc4ace07 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 13 Dec 2018 11:03:31 +0000 Subject: [PATCH 057/108] Fix problems with GnuTLS pinset handling. Pinset validation now seems to work. --- src/gnutls/tls.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index 21c85063..adfac78c 100644 --- a/src/gnutls/tls.c 
+++ b/src/gnutls/tls.c @@ -255,7 +255,7 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn if (r == GNUTLS_E_SUCCESS) r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred); if (r == GNUTLS_E_SUCCESS) - r = dane_state_init(&res->dane_state, DANE_F_INSECURE | DANE_F_IGNORE_DNSSEC); + r = dane_state_init(&res->dane_state, DANE_F_IGNORE_DNSSEC); if (r != DANE_E_SUCCESS) { _getdns_tls_connection_free(mfs, res); return NULL; @@ -434,11 +434,9 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c if (!conn || !conn->tls || !auth_name) return GETDNS_RETURN_INVALID_PARAMETER; - size_t tlsa_len = 0; size_t npins = 0; for (const sha256_pin_t* pin = pinset; pin; pin = pin->next) npins++; - tlsa_len += (SHA256_DIGEST_LENGTH + 3) * 2; GETDNS_FREE(*conn->mfs, conn->tlsa); conn->tlsa = GETDNS_XMALLOC(*conn->mfs, char, npins * (SHA256_DIGEST_LENGTH + 3) * 2); @@ -459,18 +457,18 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c char* p = conn->tlsa; for (const sha256_pin_t* pin = pinset; pin; pin = pin->next) { *dane_p++ = p; - *dane_len_p++ = SHA_DIGEST_LENGTH + 3; - p[0] = 2; - p[1] = 1; - p[2] = 1; + *dane_len_p++ = SHA256_DIGEST_LENGTH + 3; + p[0] = DANE_CERT_USAGE_LOCAL_CA; + p[1] = DANE_CERT_PK; + p[2] = DANE_MATCH_SHA2_256; memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH); p += SHA256_DIGEST_LENGTH + 3; *dane_p++ = p; - *dane_len_p++ = SHA_DIGEST_LENGTH + 3; - p[0] = 3; - p[1] = 1; - p[2] = 1; + *dane_len_p++ = SHA256_DIGEST_LENGTH + 3; + p[0] = DANE_CERT_USAGE_LOCAL_EE; + p[1] = DANE_CERT_PK; + p[2] = DANE_MATCH_SHA2_256; memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH); p += SHA256_DIGEST_LENGTH + 3; } 
@@ -490,6 +488,10 @@ getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection if (!conn || !conn->tls) return GETDNS_RETURN_INVALID_PARAMETER; + /* If no pinset, no DANE info to check. */ + if (!conn->dane_query) + return GETDNS_RETURN_GOOD; + /* Most of the internals of dane_verify_session_crt() */ const gnutls_datum_t* cert_list; @@ -570,7 +572,7 @@ failsafe: if (cl == new_cert_list) clsize += 1; - ret = dane_verify_crt_raw(NULL, cl, clsize, type, conn->dane_query, 0, 0, &verify); + ret = dane_verify_crt_raw(conn->dane_state, cl, clsize, type, conn->dane_query, 0, 0, &verify); if (new_cert_list) { gnutls_free(new_cert_list[cert_list_size].data); @@ -583,13 +585,13 @@ failsafe: if (verify != 0) { if (verify & DANE_VERIFY_CERT_DIFFERS) { *errnum = 3; - *errmsg = "Certificate differs"; + *errmsg = "Pinset validation: Certificate differs"; } else if (verify & DANE_VERIFY_CA_CONSTRAINTS_VIOLATED) { *errnum = 2; - *errmsg = "CA constraints violated"; + *errmsg = "Pinset validation: CA constraints violated"; } else { *errnum = 4; - *errmsg = "Unknown DANE info"; + *errmsg = "Pinset validation: Unknown DANE info"; } return GETDNS_RETURN_GENERIC_ERROR; } From 2759d727e5a5d5192f35e8d49dccc968b6108e85 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 13 Dec 2018 11:54:41 +0000 Subject: [PATCH 058/108] Minor speeling fix. --- src/stub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/stub.c b/src/stub.c index d110cf06..b1e3772b 100644 --- a/src/stub.c +++ b/src/stub.c @@ -876,7 +876,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) } if (upstream->tls_fallback_ok) { _getdns_tls_connection_set_cipher_list(tls, NULL); - DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n", + DEBUG_STUB("%s %-35s: WARNING: Using Opportunistic TLS (fallback allowed)!\n", STUB_DEBUG_SETUP_TLS, __FUNC__); } else { if (upstream->tls_cipher_list) 
From e8f34d48fb13b3d3c9141e7f5e319757e89b9ddc Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 13 Dec 2018 12:04:01 +0000 Subject: [PATCH 059/108] Adjust default cipher list so required authentication works with getdnsapi. The previous default cipher string wouldn't connect with getdnsapi. Selection of cipher strings requires some deep study, I think. So, taking working with getdnsapi.net as our target, discover that we need SECURE128 as well as SECURE192. And rather than disable everything except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects to TLS1.3. --- src/gnutls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index adfac78c..fe6fbc07 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c @@ -48,7 +48,7 @@ * a known working priority string. */ char const * const _getdns_tls_context_default_cipher_list = - "SECURE192:-VERS-ALL:+VERS-TLS1.2"; + "SECURE128:SECURE192:-VERS-TLS1.0:-VERS-TLS1.1"; static char const * const _getdns_tls_connection_opportunistic_cipher_list = "NORMAL"; From a4590bafcbc3f55a44ca4cca4dff2acdbdad9ef4 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 13 Dec 2018 13:33:54 +0000 Subject: [PATCH 060/108] Implement reading CAs from file or dir. I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot easier than I feared. Plus a little diggiing shows that if you're loading the system defaults, GnuTLS on Windows does load them from the Windows certificate store. --- src/gnutls/tls-internal.h | 2 ++ src/gnutls/tls.c | 50 ++++++++++++++++++++++++++------------- 2 files changed, 35 insertions(+), 17 deletions(-) diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h index 9186184a..1fafe550 100644 --- a/src/gnutls/tls-internal.h +++ b/src/gnutls/tls-internal.h 
@@ -59,6 +59,8 @@ typedef struct _getdns_tls_context { char* cipher_list; char* curve_list; bool min_proto_1_2; + char* ca_trust_file; + char* ca_trust_path; } _getdns_tls_context; typedef struct _getdns_tls_connection { diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index fe6fbc07..e7265ee1 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c @@ -167,6 +167,9 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs) res->mfs = mfs; res->min_proto_1_2 = false; res->cipher_list = res->curve_list = NULL; + res->ca_trust_file = NULL; + res->ca_trust_path = NULL; + return res; } @@ -174,6 +177,9 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont { if (!ctx) return GETDNS_RETURN_INVALID_PARAMETER; + + GETDNS_FREE(*mfs, ctx->ca_trust_path); + GETDNS_FREE(*mfs, ctx->ca_trust_file); GETDNS_FREE(*mfs, ctx->curve_list); GETDNS_FREE(*mfs, ctx->cipher_list); GETDNS_FREE(*mfs, ctx); @@ -218,18 +224,19 @@ getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, co getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path) { - (void) file; - (void) path; - if (!ctx) return GETDNS_RETURN_INVALID_PARAMETER; + + GETDNS_FREE(*ctx->mfs, ctx->ca_trust_file); + ctx->ca_trust_file = getdns_strdup(ctx->mfs, file); + GETDNS_FREE(*ctx->mfs, ctx->ca_trust_path); + ctx->ca_trust_path = getdns_strdup(ctx->mfs, path); return GETDNS_RETURN_GOOD; } _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd) { _getdns_tls_connection* res; - int r; if (!ctx) return NULL; 
@@ -245,24 +252,33 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn res->dane_query = NULL; res->tlsa = NULL; - r = gnutls_certificate_allocate_credentials(&res->cred); - if (r == GNUTLS_E_SUCCESS) + if (gnutls_certificate_allocate_credentials(&res->cred) != GNUTLS_E_SUCCESS) + goto failed; + + if (!ctx->ca_trust_file && !ctx->ca_trust_path) gnutls_certificate_set_x509_system_trust(res->cred); - if (r == GNUTLS_E_SUCCESS) - r = gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK); - if (r == GNUTLS_E_SUCCESS) - r = set_connection_ciphers(res); - if (r == GNUTLS_E_SUCCESS) - r = gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred); - if (r == GNUTLS_E_SUCCESS) - r = dane_state_init(&res->dane_state, DANE_F_IGNORE_DNSSEC); - if (r != DANE_E_SUCCESS) { - _getdns_tls_connection_free(mfs, res); - return NULL; + else { + if (ctx->ca_trust_file) + gnutls_certificate_set_x509_trust_file(res->cred, ctx->ca_trust_file, GNUTLS_X509_FMT_PEM); + if (ctx->ca_trust_path) + gnutls_certificate_set_x509_trust_dir(res->cred, ctx->ca_trust_path, GNUTLS_X509_FMT_PEM); } + if (gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK) != GNUTLS_E_SUCCESS) + goto failed; + if (set_connection_ciphers(res) != GNUTLS_E_SUCCESS) + goto failed; + if (gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred) != GNUTLS_E_SUCCESS) + goto failed; + if (dane_state_init(&res->dane_state, DANE_F_IGNORE_DNSSEC) != DANE_E_SUCCESS) + goto failed; + gnutls_transport_set_int(res->tls, fd); return res; + +failed: + _getdns_tls_connection_free(mfs, res); + return NULL; } getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn) From c1bf12c8a252e7ec2c32768ca2b17a8664baa641 Mon Sep 17 00:00:00 2001 
From: Jim Hague Date: Fri, 14 Dec 2018 15:23:23 +0000 Subject: [PATCH 061/108] Update default GnuTLS cipher suite priority string to one that gives the same ciphers as the OpenSSL version. Also fix deinit segfault. ./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL" Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2 TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2 TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2 TLS1.2 TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2 TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2 $ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD --- src/gnutls/tls.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index e7265ee1..b2ea8e91 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c 
@@ -43,12 +43,13 @@ /* * Cipher suites recommended in RFC7525. * - * The GnuTLS 3.5.19 being used for this proof of concept doesn't have - * TLS 1.3 support, as in the OpenSSL equivalent. Fall back for now to - * a known working priority string. + * The following string generates a list with the same ciphers that are + * generated by the equivalent string in the OpenSSL version of this file. */ char const * const _getdns_tls_context_default_cipher_list = - "SECURE128:SECURE192:-VERS-TLS1.0:-VERS-TLS1.1"; + "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:" + "+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:" + "+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"; static char const * const _getdns_tls_connection_opportunistic_cipher_list = "NORMAL"; @@ -247,8 +248,10 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn res->shutdown = 0; res->ctx = ctx; res->mfs = mfs; + res->tls = NULL; res->cipher_list = NULL; res->curve_list = NULL; + res->dane_state = NULL; res->dane_query = NULL; res->tlsa = NULL; @@ -288,8 +291,10 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c if (conn->dane_query) dane_query_deinit(conn->dane_query); - dane_state_deinit(conn->dane_state); - gnutls_deinit(conn->tls); + if (conn->dane_state) + dane_state_deinit(conn->dane_state); + if (conn->tls) + gnutls_deinit(conn->tls); gnutls_certificate_free_credentials(conn->cred); GETDNS_FREE(*mfs, conn->tlsa); GETDNS_FREE(*mfs, conn->curve_list); From 65f4fbbc81b799d324f486b8294cd08166f92fc7 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Fri, 14 Dec 2018 15:38:32 +0000 Subject: [PATCH 062/108] Make sure all connection deinits are only called if there is something to deinit. --- src/gnutls/tls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index b2ea8e91..a9e96241 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c 
@@ -248,6 +248,7 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn res->shutdown = 0; res->ctx = ctx; res->mfs = mfs; + res->cred = NULL; res->tls = NULL; res->cipher_list = NULL; res->curve_list = NULL; @@ -295,7 +296,8 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c dane_state_deinit(conn->dane_state); if (conn->tls) gnutls_deinit(conn->tls); - gnutls_certificate_free_credentials(conn->cred); + if (conn->cred) + gnutls_certificate_free_credentials(conn->cred); GETDNS_FREE(*mfs, conn->tlsa); GETDNS_FREE(*mfs, conn->curve_list); GETDNS_FREE(*mfs, conn->cipher_list); From 51cb57080961db6b5fdfa97642534e38021d446c Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Fri, 11 Jan 2019 11:16:48 +0000 Subject: [PATCH 063/108] Re-add support for OpenSSL prior to 1.1, but now require at least 1.0.2 and drop LibreSSL support. --- .gitmodules | 4 + configure.ac | 44 ++++----- src/Makefile.in | 6 +- src/openssl/keyraw-internal.c | 18 ++++ src/openssl/tls-internal.h | 8 +- src/openssl/tls.c | 173 +++++++++++++++++++++++++++++++--- src/ssl_dane | 1 + 7 files changed, 213 insertions(+), 41 deletions(-) create mode 160000 src/ssl_dane diff --git a/.gitmodules b/.gitmodules index 27d60b78..26a1f354 100644 --- a/.gitmodules +++ b/.gitmodules @@ -10,3 +10,7 @@ path = stubby url = https://github.com/getdnsapi/stubby.git branch = develop +[submodule "src/ssl_dane"] + path = src/ssl_dane + url = https://github.com/getdnsapi/ssl_dane + branch = getdns diff --git a/configure.ac b/configure.ac index 6fadac38..d5a7f25e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -464,6 +464,24 @@ AC_ARG_WITH([gnutls], fi ACX_LIB_SSL AC_SUBST([TLSDIR], 'openssl') + + # Verify OpenSSL is at least version 1.0.2. + # We also check it's not LibreSSL, but that's a little later, not here. + AC_CHECK_FUNCS([X509_check_host SSL_dane_enable]) + if test "x$ac_cv_func_X509_check_host" != xyes; then + AC_MSG_ERROR([getdns requires OpenSSL version 1.0.2 or later]) + fi + + AC_MSG_CHECKING([whether we need to compile/link DANE support]) + DANESSL_XTRA_OBJS="" + if test "x$ac_cv_func_SSL_dane_enable" = xyes; then + AC_MSG_RESULT([no]) + else + AC_MSG_RESULT([yes]) + AC_DEFINE([USE_DANESSL], [1], [Define this to use DANE functions from the ssl_dane/danessl library.]) + DANESSL_XTRA_OBJS="danessl.lo" + fi + AC_SUBST(DANESSL_XTRA_OBJS) ]) 
@@ -472,17 +490,14 @@ if test $USE_NSS = "no" -a $USE_NETTLE = "no" ; then AC_MSG_CHECKING([for LibreSSL]) if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then AC_MSG_RESULT([yes]) - AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL]) - # libressl provides these compat functions, but they may also be - # declared by the OS in libc. See if they have been declared. - AC_CHECK_DECLS([strlcpy,arc4random,arc4random_uniform]) + AC_MSG_ERROR([getdns does not support LibreSSL]) else AC_MSG_RESULT([no]) fi AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites]) +AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites OPENSSL_init_crypto DSA_set0_pqg DSA_set0_key RSA_set0_key]) 
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H @@ -505,25 +520,6 @@ AC_INCLUDES_DEFAULT ]) fi -AC_MSG_CHECKING([for OpenSSL >= 1.1.1]) -AC_LANG_PUSH(C) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM([ - [#include ] - [#if OPENSSL_VERSION_NUMBER < 0x10101000L] - [#error "OpenSSL 1.1.1 or higher required"] - [#elif defined(LIBRESSL_VERSION_NUMBER)] - [#error "LibreSSL not supported"] - [#endif] - ],[[]])], - [ - AC_MSG_RESULT([yes]) - ], - [ - AC_MSG_ERROR([OpenSSL 1.1.1 or later required]) - ]) -AC_LANG_POP(C) - AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support])) case "$enable_sha1" in no) diff --git a/src/Makefile.in b/src/Makefile.in index 2047ca0e..411f5874 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -99,8 +99,9 @@ TLS_OBJ=tls.lo pubkey-pinning-internal.lo keyraw-internal.lo val_secalgo.lo anch YXML_OBJ=yxml.lo YAML_OBJ=convert_yaml_to_json.lo +DANESSL_OBJ=danessl.lo -GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ +GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ @DANESSL_XTRA_OBJS@ STUBBY_XTRA_OBJS=@STUBBY_XTRA_OBJS@ EXTENSION_OBJ=$(DEFAULT_EVENTLOOP_OBJ) libevent.lo libev.lo @@ -140,6 +141,9 @@ $(TLS_OBJ): $(YAML_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@ +$(DANESSL_OBJ): + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WNOERRORFLAG) -c $(srcdir)/ssl_dane/$(@:.lo=.c) -o $@ + $(YXML_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -I$(srcdir)/yxml -DYXML_GETDNS -Wno-unused-parameter -c $(srcdir)/yxml/$(@:.lo=.c) -o $@ diff --git a/src/openssl/keyraw-internal.c b/src/openssl/keyraw-internal.c index 75c53c00..b8077049 100644 --- a/src/openssl/keyraw-internal.c +++ b/src/openssl/keyraw-internal.c 
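Review bot: Removing the `AC_COMPILE_IFELSE` block takes away the only check that looked at `OPENSSL_VERSION_NUMBER` in the headers; after this hunk the 1.0.2 floor rests on `AC_CHECK_FUNCS([X509_check_host ...])` in the earlier hunk, which probes the library the linker finds, so a header/library mismatch (new headers, old libssl or the reverse) is no longer caught at configure time. The LibreSSL test that survives is the `grep VERSION_TEXT $ssldir/include/openssl/opensslv.h` in the previous hunk, which reads the headers but not the library. A small `AC_COMPILE_IFELSE` that keeps `#if OPENSSL_VERSION_NUMBER < 0x10002000L` / `#error` would restore the header-side check at little cost.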
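Review bot: The `$(DANESSL_OBJ)` rule is the only compile rule in this file that adds `$(WNOERRORFLAG)`, and nothing says why; a comment such as `# ssl_dane is vendored third-party code: do not let its warnings fail the build` would keep the next reader from "fixing" it. Like the sibling `$(TLS_OBJ)`/`$(YAML_OBJ)` rules it lists no source prerequisite, so `danessl.lo` is not rebuilt when `src/ssl_dane/danessl.c` changes unless dependencies are tracked elsewhere in the build. `DANESSL_OBJ=danessl.lo` is also kept separate from the `@DANESSL_XTRA_OBJS@` substitution that actually adds it to the link; if the two ever disagree the rule silently stops matching, which is worth a one-line comment too.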
@@ -140,6 +140,8 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len) BN_free(Y); return NULL; } + +#if defined(HAVE_DSA_SET0_PQG) && defined(HAVE_DSA_SET0_KEY) if (!DSA_set0_pqg(dsa, P, Q, G)) { /* QPG not yet attached, need to free */ BN_free(Q); @@ -156,6 +158,14 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len) BN_free(Y); return NULL; } +#else +# ifndef S_SPLINT_S + dsa->p = P; + dsa->q = Q; + dsa->g = G; + dsa->pub_key = Y; +# endif /* splint */ +#endif return dsa; } @@ -208,12 +218,20 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len) BN_free(modulus); return NULL; } + +#if defined(HAVE_RSA_SET0_KEY) if (!RSA_set0_key(rsa, modulus, exponent, NULL)) { BN_free(exponent); BN_free(modulus); RSA_free(rsa); return NULL; } +#else +# ifndef S_SPLINT_S + rsa->n = modulus; + rsa->e = exponent; +# endif /* splint */ +#endif return rsa; } diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h index 4b4b4b49..06f95bda 100644 --- a/src/openssl/tls-internal.h +++ b/src/openssl/tls-internal.h @@ -5,7 +5,7 @@ */ /* - * Copyright (c) 2018, NLnet Labs + * Copyright (c) 2018-2019, NLnet Labs * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -54,12 +54,18 @@ #define GETDNS_TLS_MAX_DIGEST_LENGTH (EVP_MAX_MD_SIZE) +typedef struct sha256_pin sha256_pin_t; + typedef struct _getdns_tls_context { SSL_CTX* ssl; } _getdns_tls_context; typedef struct _getdns_tls_connection { SSL* ssl; +#if defined(USE_DANESSL) + const char* auth_name; + sha256_pin_t* pinset; +#endif } _getdns_tls_connection; typedef struct _getdns_tls_session { diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 111c15d0..ba1648f1 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -5,7 +5,7 @@ */ /* - * Copyright (c) 2018, NLnet Labs + * Copyright (c) 2018-2019, NLnet Labs * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
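Review bot: `auth_name` and `pinset`, added to `_getdns_tls_connection` under `USE_DANESSL`, are raw pointers to caller-owned data, and nothing in this patch initialises them in `_getdns_tls_connection_new` (outside these hunks); `_getdns_tls_connection_certificate_verify` later reads `conn->auth_name[0]` unconditionally, so a connection that never went through `_getdns_tls_connection_setup_hostname_auth` would dereference an unset pointer. Initialising both to NULL in the constructor, guarding the read, and a comment on the fields such as `/* Borrowed from the upstream; must outlive the connection. */` would pin the ownership down. The `#if defined(HAVE_DSA_SET0_PQG) && defined(HAVE_DSA_SET0_KEY)` opened in the first keyraw hunk is closed by the `#else`/`#endif` in the second, with the OpenSSL 1.1 code between them outside this view.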
@@ -47,8 +47,20 @@ #include "debug.h" #include "context.h" +#ifdef USE_DANESSL +# include "ssl_dane/danessl.h" +#endif + #include "tls.h" +/* Double check configure has worked as expected. */ +#if defined(USE_DANESSL) && \ + (defined(HAVE_SSL_DANE_ENABLE) || \ + defined(HAVE_OPENSSL_INIT_CRYPTO) || \ + defined(HAVE_SSL_CTX_DANE_ENABLE)) +#error Configure error USE_DANESSL defined with OpenSSL 1.1 functions! +#endif + /* Cipher suites recommended in RFC7525. */ char const * const _getdns_tls_context_default_cipher_list = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:" @@ -57,6 +69,26 @@ char const * const _getdns_tls_context_default_cipher_list = static char const * const _getdns_tls_connection_opportunistic_cipher_list = "DEFAULT"; +#if defined(USE_DANESSL) && defined(STUB_DEBUG) && STUB_DEBUG +static void _stub_debug_print_openssl_errors(void) +{ + unsigned long err; + char buffer[1024]; + const char *file; + const char *data; + int line; + int flags; + + while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) { + ERR_error_string_n(err, buffer, sizeof(buffer)); + if (flags & ERR_TXT_STRING) + DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d:%s\n", buffer, file, line, data); + else + DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d\n", buffer, file, line); + } +} +#endif + static int _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx) { # if defined(STUB_DEBUG) && STUB_DEBUG @@ -218,10 +250,19 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) void _getdns_tls_init() { +#ifdef HAVE_OPENSSL_INIT_CRYPTO OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); (void)OPENSSL_init_ssl(0, NULL); +#else + OpenSSL_add_all_algorithms(); + SSL_library_init(); + +# ifdef USE_DANESSL + (void) DANESSL_library_init(); +# endif +#endif } _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs) 
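Review bot: The pre-1.1 branch of `_getdns_tls_init` calls `OpenSSL_add_all_algorithms()` and `SSL_library_init()` but never loads error strings, whereas the 1.1 branch passes `OPENSSL_INIT_LOAD_CRYPTO_STRINGS`, so the `_stub_debug_print_openssl_errors` helper added above will print only numeric codes on 1.0.2; adding `SSL_load_error_strings();` keeps the two branches equivalent. More importantly, OpenSSL before 1.1.0 is not thread-safe unless the application installs locking callbacks via `CRYPTO_set_locking_callback()`; if getdns contexts may be used from several threads and nothing outside this hunk installs them, this fallback reintroduces data races inside libcrypto, which deserves either the callbacks or a documented single-thread restriction for that build.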
@@ -255,14 +296,20 @@ getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_cont void _getdns_tls_context_pinset_init(_getdns_tls_context* ctx) { -# if defined(STUB_DEBUG) && STUB_DEBUG - int osr = -# else - (void) -# endif - SSL_CTX_dane_enable(ctx->ssl); - DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n" - , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); + int osr; + (void) osr; + +#if defined(HAVE_SSL_CTX_DANE_ENABLE) + osr = SSL_CTX_dane_enable(ctx->ssl); + DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n", + STUB_DEBUG_SETUP_TLS, __FUNC__, osr); +#elif defined(USE_DANESSL) + osr = DANESSL_CTX_init(ctx->ssl); + DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n", + STUB_DEBUG_SETUP_TLS, __FUNC__, osr); +#else +#error Must have either DANE SSL or OpenSSL v1.1. +#endif } getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx) @@ -367,6 +414,13 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn) if (!conn || !conn->ssl) return GETDNS_RETURN_INVALID_PARAMETER; +#ifdef USE_DANESSL +# if defined(STUB_DEBUG) && STUB_DEBUG + _stub_debug_print_openssl_errors(); +# endif + DANESSL_cleanup(conn->ssl); +#endif + switch (SSL_shutdown(conn->ssl)) { case 0: return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; case 1: return GETDNS_RETURN_GOOD; 
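Review bot: `DANESSL_cleanup(conn->ssl)` is only reached through `_getdns_tls_connection_shutdown`; if a connection can be freed without a prior shutdown (`_getdns_tls_connection_free` is outside this hunk), the per-SSL DANE state set up by `DANESSL_init` would leak under `USE_DANESSL`. Calling the cleanup from the free path as well, or a comment stating that free always follows shutdown, would settle it. In `_getdns_tls_context_pinset_init` the `(void) osr;` ahead of the assignments reads as a leftover of the removed `#if` dance; `/* osr is only consumed by DEBUG_STUB */` says what it is for.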
@@ -485,12 +539,19 @@ getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connectio if (!conn || !conn->ssl || !auth_name) return GETDNS_RETURN_INVALID_PARAMETER; +#if defined(HAVE_SSL_DANE_ENABLE) SSL_set_tlsext_host_name(conn->ssl, auth_name); /* Set up native OpenSSL hostname verification */ X509_VERIFY_PARAM *param; param = SSL_get0_param(conn->ssl); X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); X509_VERIFY_PARAM_set1_host(param, auth_name, 0); +#elif defined(USE_DANESSL) + /* Stash auth name away for use in cert verification. */ + conn->auth_name = auth_name; +#else +#error Must have either DANE SSL or OpenSSL v1.1. +#endif return GETDNS_RETURN_GOOD; } @@ -499,6 +560,13 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c if (!conn || !conn->ssl || !auth_name) return GETDNS_RETURN_INVALID_PARAMETER; +#if defined(USE_DANE_SSL) + /* Stash auth name and pinset away for use in cert verification. */ + conn->auth_name = auth_name; + conn->pinset = pinset; +#endif + +#if defined(HAVE_SSL_DANE_ENABLE) int osr = SSL_dane_enable(conn->ssl, *auth_name ? auth_name : NULL); (void) osr; DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n" 
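Review bot: `#if defined(USE_DANE_SSL)` in `_getdns_tls_connection_set_host_pinset` tests a macro nothing defines — configure and every other guard in this file spell it `USE_DANESSL` — so in the ssl_dane build `conn->auth_name` and `conn->pinset` are never stored here and the `conn->pinset &&` test in `_getdns_tls_connection_certificate_verify` is always false; the fix is `#if defined(USE_DANESSL)`. Separately, the `USE_DANESSL` branch of `_getdns_tls_connection_setup_hostname_auth` only stashes the name: the `SSL_set_tlsext_host_name()` call, which exists on 1.0.2, stays inside the `HAVE_SSL_DANE_ENABLE` branch, so no SNI is sent on that path unless something outside the hunk does it, which breaks name-based virtual hosting and changes which certificate ends up being verified. Moving that call above the `#if` would serve both builds.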
@@ -520,6 +588,38 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c if (osr > 0) ++n_pins; } +#elif defined(USE_DANESSL) + if (pinset) { + const char *auth_names[2] = { auth_name, NULL }; + int osr = DANESSL_init(conn->ssl, + *auth_name ? auth_name : NULL, + *auth_name ? auth_names : NULL); + (void) osr; + DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n" + , STUB_DEBUG_SETUP_TLS, __FUNC__, auth_name, osr); + SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); + const sha256_pin_t *pin_p; + size_t n_pins = 0; + for (pin_p = pinset; pin_p; pin_p = pin_p->next) { + osr = DANESSL_add_tlsa(conn->ssl, 3, 1, "sha256", + (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); + DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n" + , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); + if (osr > 0) + ++n_pins; + osr = DANESSL_add_tlsa(conn->ssl, 2, 1, "sha256", + (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); + DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n" + , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); + if (osr > 0) + ++n_pins; + } + } else { + SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); + } +#else +#error Must have either DANE SSL or OpenSSL v1.1. +#endif return GETDNS_RETURN_GOOD; } 
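Review bot: In the `USE_DANESSL` branch `n_pins` is incremented but not consulted within the hunk (the function's tail is outside it); if it is unused there as it appears to be in the native branch, a pinset for which every `DANESSL_add_tlsa()` call fails still returns `GETDNS_RETURN_GOOD`, leaving a connection whose verify callback is `_getdns_tls_verify_always_ok` while the caller believes pins are enforced. Returning an error when `pinset` is non-NULL and `n_pins == 0` closes that gap. The `(unsigned char *)pin_p->pin` cast discards const; a comment `/* DANESSL_add_tlsa takes a non-const buffer; it does not modify it. */` (if that is indeed its contract) keeps the next reader from worrying.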
@@ -529,10 +629,38 @@ getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection return GETDNS_RETURN_INVALID_PARAMETER; long verify_result = SSL_get_verify_result(conn->ssl); + + /* Since we don't have DANE validation yet, DANE validation + * failures are always pinset validation failures */ + switch (verify_result) { case X509_V_OK: +#if defined(USE_DANESSL) + { + getdns_return_t res = GETDNS_RETURN_GOOD; + X509* peer_cert = SSL_get_peer_certificate(conn->ssl); + if (peer_cert) { + if (conn->auth_name[0] && + X509_check_host(peer_cert, + conn->auth_name, + strlen(conn->auth_name), + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, + NULL) <= 0) { + if (errnum) + *errnum = 1; + if (errmsg) + *errmsg = "Hostname mismatch"; + res = GETDNS_RETURN_GENERIC_ERROR; + } + X509_free(peer_cert); + } + return res; + } +#else return GETDNS_RETURN_GOOD; +#endif +#if defined(HAVE_SSL_DANE_ENABLE) case X509_V_ERR_DANE_NO_MATCH: if (errnum) *errnum = 0; @@ -540,13 +668,28 @@ getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection *errmsg = "Pinset validation failure"; return GETDNS_RETURN_GENERIC_ERROR; - default: - if (errnum) - *errnum = verify_result; - if (errmsg) - *errmsg = X509_verify_cert_error_string(verify_result); - return GETDNS_RETURN_GENERIC_ERROR; +#elif defined(USE_DANESSL) + case X509_V_ERR_CERT_UNTRUSTED: + if (conn->pinset && + !DANESSL_get_match_cert(conn->ssl, NULL, NULL, NULL)) { + if (errnum) + *errnum = 0; + if (errmsg) + *errmsg = "Pinset validation failure"; + return GETDNS_RETURN_GENERIC_ERROR; + } + break; +#else +#error Must have either DANE SSL or OpenSSL v1.1. +#endif } + + /* General error if we get here. */ + if (errnum) + *errnum = verify_result; + if (errmsg) + *errmsg = X509_verify_cert_error_string(verify_result); + return GETDNS_RETURN_GENERIC_ERROR; } diff --git a/src/ssl_dane b/src/ssl_dane new file mode 160000 index 00000000..dd093e58 --- /dev/null +++ b/src/ssl_dane 
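Review bot: In the `USE_DANESSL` `X509_V_OK` arm, `conn->auth_name[0]` is read unconditionally, but `auth_name` is only assigned by `_getdns_tls_connection_setup_hostname_auth`, so a connection verified without that call (and with the field left uninitialised in the constructor, which this patch does not touch) dereferences an unset pointer; `conn->auth_name && conn->auth_name[0]` keeps the hostname check optional the way the `*auth_name ? auth_name : NULL` idiom elsewhere in this file intends. The relocated comment `Since we don't have DANE validation yet, DANE validation failures are always pinset validation failures` now sits above the whole `switch` although it only explains the `X509_V_ERR_DANE_NO_MATCH` / `X509_V_ERR_CERT_UNTRUSTED` arms; keeping it next to those arms avoids reading it as applying to the `X509_V_OK` path.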
@@ -0,0 +1 @@ +Subproject commit dd093e585a237e0321d303ec35e84c393ef739f4 From 24774fefd674bb230c271ede1c825856bdd56d1f Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 15 Jan 2019 11:01:58 +0000 Subject: [PATCH 064/108] Remove 'upstream' association with connection, now unused. --- src/gnutls/pubkey-pinning-internal.c | 7 ---- src/openssl/pubkey-pinning-internal.c | 56 --------------------------- src/pubkey-pinning.h | 4 -- src/stub.c | 4 -- 4 files changed, 71 deletions(-) diff --git a/src/gnutls/pubkey-pinning-internal.c b/src/gnutls/pubkey-pinning-internal.c index 61d94645..41033bf3 100644 --- a/src/gnutls/pubkey-pinning-internal.c +++ b/src/gnutls/pubkey-pinning-internal.c @@ -42,13 +42,6 @@ ** Interfaces from pubkey-pinning.h **/ -getdns_return_t -_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, - getdns_upstream *upstream) -{ - return GETDNS_RETURN_GOOD; -} - getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size) { struct base64_decode_ctx ctx; diff --git a/src/openssl/pubkey-pinning-internal.c b/src/openssl/pubkey-pinning-internal.c index fd8ad6fe..d18103de 100644 --- a/src/openssl/pubkey-pinning-internal.c +++ b/src/openssl/pubkey-pinning-internal.c @@ -58,10 +58,6 @@ #include "pubkey-pinning-internal.h" -#if OPENSSL_VERSION_NUMBER < 0x10100000 -#define X509_STORE_CTX_get0_untrusted(store) store->untrusted -#endif - /* we only support sha256 at the moment. adding support for another digest is more complex than just adding another entry here. in particular, you'll probably need a match for a particular cert 
@@ -91,56 +87,4 @@ getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_ return ret; } -/* this should only happen once ever in the life of the library. it's - used to associate a getdns_context_t with an SSL_CTX, to be able to - do custom verification. - - see doc/HOWTO/proxy_certificates.txt as an example -*/ -static int -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) -_get_ssl_getdns_upstream_idx(void) -#else -_get_ssl_getdns_upstream_idx(X509_STORE *store) -#endif -{ - static volatile int idx = -1; - if (idx < 0) { -#if OPENSSL_VERSION_NUMBER < 0x10100000 - CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); -#else - X509_STORE_lock(store); -#endif - if (idx < 0) - idx = SSL_get_ex_new_index(0, "associated getdns upstream", - NULL,NULL,NULL); -#if OPENSSL_VERSION_NUMBER < 0x10100000 - CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); -#else - X509_STORE_unlock(store); -#endif - } - return idx; -} - -getdns_return_t -_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, - getdns_upstream *upstream) -{ - if (!conn || !conn->ssl) - return GETDNS_RETURN_INVALID_PARAMETER; - -#if OPENSSL_VERSION_NUMBER < 0x10100000 - int uidx = _get_ssl_getdns_upstream_idx(); -#else - int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(conn->ssl))); -#endif - if (SSL_set_ex_data(conn->ssl, uidx, upstream)) - return GETDNS_RETURN_GOOD; - else - return GETDNS_RETURN_GENERIC_ERROR; - /* TODO: if we want more details about errors somehow, we - * might call ERR_get_error (see CRYPTO_set_ex_data(3ssl))*/ -} - /* pubkey-pinning.c */ diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h index c60a7eca..0e2347b2 100644 --- a/src/pubkey-pinning.h +++ b/src/pubkey-pinning.h 
@@ -52,9 +52,5 @@ _getdns_get_pubkey_pinset_list(const getdns_context *ctx, const sha256_pin_t *pinset_in, getdns_list **pinset_list); -getdns_return_t -_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, - getdns_upstream *upstream); - #endif /* pubkey-pinning.h */ diff --git a/src/stub.c b/src/stub.c index 29929613..d9736288 100644 --- a/src/stub.c +++ b/src/stub.c @@ -843,10 +843,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) r = _getdns_tls_connection_set_cipher_list(tls, upstream->tls_cipher_list); } - /* make sure we'll be able to find the context again when we need it */ - if (!r) - r = _getdns_associate_upstream_with_connection(tls, upstream); - if (r) { _getdns_tls_connection_free(&upstream->upstreams->mf, tls); upstream->tls_auth_state = r; From ccd6c3592d63ffb351b9b6ff87ecd81abf6e643f Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 15 Jan 2019 11:30:56 +0000 Subject: [PATCH 065/108] GnuTLS: Can't set priority for SSL3. --- src/gnutls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index 304fbda9..e9863159 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c @@ -57,7 +57,7 @@ static char const * const _getdns_tls_connection_opportunistic_cipher_list = static char const * const _getdns_tls_priorities[] = { NULL, /* No protocol */ - "+VERS-TLS1.0", /* SSL3 */ + NULL, /* SSL3 - no available keyword. */ "+VERS-TLS1.0", /* TLS1.0 */ "+VERS-TLS1.1", /* TLS1.1 */ "+VERS-TLS1.2", /* TLS1.2 */ From 8609a35e5bdf97ac74f324b62d3c907336f95268 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 15 Jan 2019 11:31:22 +0000 Subject: [PATCH 066/108] GnuTLS: Add support for TLS 1.3. --- src/gnutls/tls.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c index e9863159..5ef1849f 100644 --- a/src/gnutls/tls.c +++ b/src/gnutls/tls.c 
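Review bot: Replacing the SSL3 entry of `_getdns_tls_priorities[]` with NULL is right, but the array is indexed by version elsewhere and any consumer that concatenates the entry into a priority string (outside this hunk) now has a NULL to cope with; if it does not already check, a caller selecting SSL3 would crash rather than get an error. A comment on the entry such as `/* Callers must treat NULL as "version not expressible"; see the lookup below. */`, or a quick check that every use handles NULL, would close that.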
@@ -193,6 +193,9 @@ static gnutls_protocol_t _getdns_tls_version2gnutls_version(getdns_tls_version_t
 case GETDNS_TLS1 : return GNUTLS_TLS1;
 case GETDNS_TLS1_1: return GNUTLS_TLS1_1;
 case GETDNS_TLS1_2: return GNUTLS_TLS1_2;
+#if GNUTLS_VERSION_NUMBER >= 0x030605
+ case GETDNS_TLS1_3: return GNUTLS_TLS1_3;
+#endif
 default : return GNUTLS_TLS_VERSION_MAX;
 }
 }
From 6553aa3aad44633242bf2f39767767229b8cc5a3 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 15 Jan 2019 12:11:13 +0000
Subject: [PATCH 067/108] The new minimum OpenSSL version means that Travis must switch to Xenial.

---
 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 2cace3f4..e4a2b9e6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,5 @@
 sudo: false
+dist: xenial
 language: c
 compiler:
 - gcc
@@ -6,6 +7,7 @@ compiler:
 addons:
 apt:
 packages:
+ - libssl-dev
 - libunbound-dev
 - libidn11-dev
 - libyaml-dev
From ee6bc7d978147382ad1e6134e8e437893672f0bd Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 15 Jan 2019 12:39:02 +0000
Subject: [PATCH 068/108] Remove development test erroneously checked in.

---
 configure.ac | 1 -
 1 file changed, 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 182209c6..f927ef6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1527,7 +1527,6 @@ if test "$ac_cv_func_arc4random" = "no"; then
 if test "$USE_WINSOCK" = 1; then
 AC_LIBOBJ(getentropy_win)
 else
- AC_MSG_ERROR([Function getentropy missing.])
 case `uname` in
 Darwin)
 AC_LIBOBJ(getentropy_osx)
From 9024fd773694ee630809c9f9af293dbac6c1f957 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 15 Jan 2019 15:19:50 +0000
Subject: [PATCH 069/108] Fix build with INTERCEPT_COM_DS defined.

Decide that layout of handling write results is more readable, and use with read too.
---
 src/stub.c | 35 +++++++++++++++--------------------
 1 file changed, 15 insertions(+), 20 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index d9736288..05e48f0a 100644
--- a/src/stub.c
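Review bot: On GnuTLS older than 3.6.5 the new `case GETDNS_TLS1_3` is compiled out and the request falls into `default: return GNUTLS_TLS_VERSION_MAX;`, so a caller that asked for TLS 1.3 as a version bound is silently handed whatever the library's maximum is — on those versions TLS 1.2 — instead of an error. If this value feeds a minimum-version setting (the caller is outside the hunk), the weaker floor passes unnoticed. Returning a marker the caller can reject, or at least an `#else` arm with a comment `/* TLS 1.3 unsupported by this GnuTLS; falls back to library maximum */`, makes the downgrade visible.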
+++ b/src/stub.c @@ -1072,18 +1072,14 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp, tcp->to_read = 2; /* Packet size */ } - switch ((int)_getdns_tls_connection_read(tls_obj, tcp->read_pos, tcp->to_read, &read)) { - case GETDNS_RETURN_GOOD: - break; - - case GETDNS_RETURN_TLS_WANT_READ: - return STUB_TCP_RETRY; /* Come back later */ - - default: - /* TODO[TLS]: Handle GETDNS_RETURN_TLS_WANT_WRITE which means handshake - renegotiation. Need to keep handshake state to do that.*/ + getdns_return_t r = _getdns_tls_connection_read(tls_obj, tcp->read_pos, tcp->to_read, &read); + /* TODO[TLS]: Handle GETDNS_RETURN_TLS_WANT_WRITE which means handshake + renegotiation. Need to keep handshake state to do that.*/ + if (r == GETDNS_RETURN_TLS_WANT_READ) + return STUB_TCP_RETRY; + else if (r != GETDNS_RETURN_GOOD) return STUB_TCP_ERROR; - } + tcp->to_read -= read; tcp->read_pos += read; @@ -1217,6 +1213,8 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp, * Lets see how much of it we can write */ /* TODO[TLS]: Handle error cases, partial writes, renegotiation etc. */ + getdns_return_t r; + #if INTERCEPT_COM_DS /* Intercept and do not sent out COM DS queries. For debugging * purposes only. Never commit with this turned on. 
@@ -1231,19 +1229,16 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp, debug_req("Intercepting", netreq); written = pkt_len + 2; + r = GETDNS_RETURN_GOOD; } else #endif - switch ((int)_getdns_tls_connection_write(tls_obj, netreq->query - 2, pkt_len + 2, &written)) { - case GETDNS_RETURN_GOOD: - break; - - case GETDNS_RETURN_TLS_WANT_READ: - case GETDNS_RETURN_TLS_WANT_WRITE: + r = _getdns_tls_connection_write(tls_obj, netreq->query - 2, pkt_len + 2, &written); + if (r == GETDNS_RETURN_TLS_WANT_READ || + r == GETDNS_RETURN_TLS_WANT_WRITE) return STUB_TCP_RETRY; - - default: + else if (r != GETDNS_RETURN_GOOD) return STUB_TCP_ERROR; - } + /* We were able to write everything! Start reading. */ return (int) query_id; From 09ca9a826b3446c6f63ed40e4f9eefb3416dfe3e Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 15 Jan 2019 17:13:13 +0000 Subject: [PATCH 070/108] Fix gcc 8 warnings. --- src/anchor.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/src/anchor.c b/src/anchor.c index 602a0153..1d685130 100644 --- a/src/anchor.c +++ b/src/anchor.c @@ -68,6 +68,15 @@ typedef struct ta_iter { char digest[2048]; } ta_iter; +static void strcpytrunc(char* dst, const char* src, size_t dstsize) +{ + size_t to_copy = strlen(src); + if (to_copy >= dstsize) + to_copy = dstsize -1; + memcpy(dst, src, to_copy); + dst[to_copy] = '\0'; +} + /** * XML convert DateTime element to time_t. * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] @@ -190,8 +199,8 @@ static ta_iter *ta_iter_next(ta_iter *ta) else if (level == 0 && cur) { /* content ready */ - (void) strncpy( ta->zone, value - , sizeof(ta->zone)); + strcpytrunc( ta->zone, value + , sizeof(ta->zone)); /* Reset to start of */ cur = NULL; 
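Review bot: With `INTERCEPT_COM_DS` defined, the `else` on the line before `#endif` governs only the single `r = _getdns_tls_connection_write(...)` statement, and the `if (r == ...)` checks that follow run for both paths — which is exactly what the `r = GETDNS_RETURN_GOOD;` added in the intercept branch relies on. That coupling is invisible without the `#if` block in view; braces around the write call, or a one-line comment `/* r is set by both the intercept path and the real write path */`, would stop a later edit from slipping a second statement outside the `else`. `stub_tls_write` continues past the end of the hunk.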
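Review bot: `strcpytrunc` in the anchor.c hunk assumes `dstsize >= 1`: with `dstsize == 0` the `dstsize - 1` underflows, `to_copy` stays at `SIZE_MAX` and `memcpy` overruns; every caller in these hunks passes `sizeof` of a fixed array, so it is latent, but a leading `if (dstsize == 0) return;` costs nothing. Since `value` comes from the parsed trust-anchor XML, an over-long field is now truncated to a NUL-terminated but wrong value, the same truncation `strncpy` did minus the missing terminator; a short comment on the helper saying that truncation is deliberate and callers must cope with a shortened field would document the intent. The same helper is used by the call sites in the next hunk.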
@@ -366,20 +375,20 @@ static ta_iter *ta_iter_next(ta_iter *ta) DEBUG_ANCHOR("elem end: %s\n", value); switch (elem_type) { case KEYTAG: - (void) strncpy( ta->keytag, value - , sizeof(ta->keytag)); + strcpytrunc( ta->keytag, value + , sizeof(ta->keytag)); break; case ALGORITHM: - (void) strncpy( ta->algorithm, value - , sizeof(ta->algorithm)); + strcpytrunc( ta->algorithm, value + , sizeof(ta->algorithm)); break; case DIGESTTYPE: - (void) strncpy( ta->digesttype, value - , sizeof(ta->digesttype)); + strcpytrunc( ta->digesttype, value + , sizeof(ta->digesttype)); break; case DIGEST: - (void) strncpy( ta->digest, value - , sizeof(ta->digest)); + strcpytrunc( ta->digest, value + , sizeof(ta->digest)); break; } break; From 814ee2c4cf0fba8da553a1a1a275750f9375a20c Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 17 Jan 2019 11:23:39 +0000 Subject: [PATCH 071/108] Fix more gcc 8 warnings. As warnings, these cause builds to fail when running the test suite. --- src/general.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/general.c b/src/general.c index cb923187..43cc7bd0 100644 --- a/src/general.c +++ b/src/general.c @@ -252,9 +252,17 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) #ifdef HAVE_LIBUNBOUND #ifdef HAVE_UNBOUND_EVENT_API static void +#if UNBOUND_VERSION_MAJOR > 1 || (UNBOUND_VERSION_MAJOR == 1 && UNBOUND_VERSION_MINOR >= 8) +ub_resolve_event_callback(void* arg, int rcode, void *pkt, int pkt_len, + int sec, char* why_bogus, int was_ratelimited) +{ + (void) was_ratelimited; +#else +static void ub_resolve_event_callback(void* arg, int rcode, void *pkt, int pkt_len, int sec, char* why_bogus) { +#endif getdns_network_req *netreq = (getdns_network_req *) arg; getdns_dns_req *dns_req = netreq->owner; From 61cae868e393a316b8327852073751eeab3eedc9 Mon Sep 17 00:00:00 2001 
From: Jim Hague Date: Thu, 17 Jan 2019 11:24:40 +0000 Subject: [PATCH 072/108] Update ChangeLog to include changes in this branch. --- ChangeLog | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2f2023dd..234077f2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,11 +1,17 @@ * 2019-01-11: Version 1.5.1 + * Introduce proof of concept GnuTLS implementation. Incomplete support + for Trust Anchor validation. Requires GnuTLS DANE library. Currently + untested with GnuTLS prior to 3.5.19, so configure demands a minumum + version of 3.5.0. + * Be consistent and always fail connection setup if setting ciphers/curves/ + TLS version/cipher suites fails. + * Refactor OpenSSL usage into modules under src/openssl. + Drop support for LibreSSL and versions of OpenSSL prior to 1.0.2. * PR #414: remove TLS13 ciphers from cipher_list, but only when SSL_CTX_set_ciphersuites is available. Thanks Bruno Pagani * Issue #415: Filter out #defines etc. when creating symbols file. Thanks Zero King - * Be consistent and always fail connection setup if setting ciphers/curves/ - TLS version/cipher suites fails. * 2018-12-21: Version 1.5.0 * RFE getdnsapi/stubby#121 log re-instantiating TLS From 79fbef07d889559da688a208d1adf06f94cf94e7 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 23 Jan 2019 10:27:17 +0100 Subject: [PATCH 073/108] type specifier misplaced by #ifdef unclarity --- src/general.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/general.c b/src/general.c index 43cc7bd0..3ed067ba 100644 --- a/src/general.c +++ b/src/general.c @@ -251,8 +251,8 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) #ifdef HAVE_LIBUNBOUND #ifdef HAVE_UNBOUND_EVENT_API -static void #if UNBOUND_VERSION_MAJOR > 1 || (UNBOUND_VERSION_MAJOR == 1 && UNBOUND_VERSION_MINOR >= 8) +static void ub_resolve_event_callback(void* arg, int rcode, void *pkt, int pkt_len, int sec, char* why_bogus, int was_ratelimited) { 
From ac379787a21b55c98116afb40ff447d188573684 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 23 Jan 2019 10:29:20 +0100 Subject: [PATCH 074/108] Reassure clang static analyzer that all is OK --- src/compat/arc4random.c | 3 +++ src/test/tpkg/run-all.sh | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/compat/arc4random.c b/src/compat/arc4random.c index b2159abd..3ba57dc1 100644 --- a/src/compat/arc4random.c +++ b/src/compat/arc4random.c @@ -171,6 +171,9 @@ _rs_init(u_char *buf, size_t n) if(!rsx) abort(); #endif + /* Pleast older clang scan-build */ + if (!buf) + buf = rsx->rs_buf; } chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8, 0); diff --git a/src/test/tpkg/run-all.sh b/src/test/tpkg/run-all.sh index 94a5623a..0822a159 100755 --- a/src/test/tpkg/run-all.sh +++ b/src/test/tpkg/run-all.sh @@ -11,7 +11,8 @@ control_c() } -for TEST_PKG in ${SRCDIR}/*.tpkg +# for TEST_PKG in ${SRCDIR}/*.tpkg +for TEST_PKG in ${SRCDIR}/400-static-analysis.tpkg do "${TPKG}" $* exe "${TEST_PKG}" # trap keyboard interrupt (control-c) From 0af9a629f4695d081dfec8e4b60f59bfb50bad58 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 23 Jan 2019 10:50:57 +0100 Subject: [PATCH 075/108] Does smaller delay make a difference? --- .../280-limit_outstanding_queries.c | 2 +- .../285-out_of_filedescriptors.c | 2 +- src/test/tpkg/run-all.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c index 8337caf4..3d3f2429 100644 --- a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c +++ b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c 
@@ -98,7 +98,7 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type, trans->ev.timeout_cb = delay_cb; if (getdns_context_get_eventloop(context, &trans->loop) - || trans->loop->vmt->schedule(trans->loop, -1, 300, &trans->ev)) + || trans->loop->vmt->schedule(trans->loop, -1, 200, &trans->ev)) fprintf(stderr, "Could not schedule delay\n"); else return; } diff --git a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c index 88ecaf20..4135b74a 100644 --- a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c +++ b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c @@ -103,7 +103,7 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type, fprintf(stderr, "sched delay for query %s, n_request %d\n", fqdn, (int)n_requests); free(fqdn); if (getdns_context_get_eventloop(context, &trans->loop) - || trans->loop->vmt->schedule(trans->loop, -1, 300, &trans->ev)) + || trans->loop->vmt->schedule(trans->loop, -1, 200, &trans->ev)) fprintf(stderr, "Could not schedule delay\n"); else return; } diff --git a/src/test/tpkg/run-all.sh b/src/test/tpkg/run-all.sh index 0822a159..cc59ed6b 100755 --- a/src/test/tpkg/run-all.sh +++ b/src/test/tpkg/run-all.sh @@ -12,7 +12,7 @@ control_c() # for TEST_PKG in ${SRCDIR}/*.tpkg -for TEST_PKG in ${SRCDIR}/400-static-analysis.tpkg +for TEST_PKG in ${SRCDIR}/280-limit_outstanding_queries.tpkg ${SRCDIR}/285-out_of_filedescriptors.tpkg do "${TPKG}" $* exe "${TEST_PKG}" # trap keyboard interrupt (control-c) From 8980f5f5ee5df0f780764bdc70fbf38b57dd5ba3 Mon Sep 17 00:00:00 2001 
From: Willem Toorop Date: Wed, 23 Jan 2019 11:41:00 +0100 Subject: [PATCH 076/108] Fix nested scheduling with getdns_query -F and -I + add 1 millisecond delay between batched queries, just because... --- src/tools/getdns_query.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index 25f27d60..7845a407 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -1181,7 +1181,7 @@ getdns_return_t do_the_call(void) r = GETDNS_RETURN_GENERIC_ERROR; break; } - if (r == GETDNS_RETURN_GOOD && !batch_mode) + if (r == GETDNS_RETURN_GOOD && !batch_mode && !interactive) getdns_context_run(context); if (r != GETDNS_RETURN_GOOD) fprintf(stderr, "An error occurred: %d '%s'\n", (int)r, @@ -1258,6 +1258,17 @@ static void incoming_request_handler(getdns_context *context, void *userarg, getdns_transaction_t request_id); +void read_line_cb(void *userarg); +void read_line_tiny_delay_cb(void *userarg) +{ + getdns_eventloop_event *read_line_ev = userarg; + + loop->vmt->clear(loop, read_line_ev); + read_line_ev->timeout_cb = NULL; + read_line_ev->read_cb = read_line_cb; + loop->vmt->schedule(loop, fileno(fp), -1, read_line_ev); +} + void read_line_cb(void *userarg) { getdns_eventloop_event *read_line_ev = userarg; @@ -1312,9 +1323,18 @@ void read_line_cb(void *userarg) (r != CONTINUE && r != CONTINUE_ERROR)) loop->vmt->clear(loop, read_line_ev); - else if (! query_file) { - printf("> "); - fflush(stdout); + else { + /* Tiny delay, to make sending queries less bursty with + * -F parameter. + */ + loop->vmt->clear(loop, read_line_ev); + read_line_ev->read_cb = NULL; + read_line_ev->timeout_cb = read_line_tiny_delay_cb; + loop->vmt->schedule(loop, fileno(fp), 1, read_line_ev); + if (! query_file) { + printf("> "); + fflush(stdout); + } } } From cdc0d4331556993b637d0bbfad879fa34e4b840d Mon Sep 17 00:00:00 2001 
From: Jim Hague Date: Wed, 23 Jan 2019 11:34:02 +0000 Subject: [PATCH 077/108] Correct auth state thinko. Spotter credit to Willem. --- src/stub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/stub.c b/src/stub.c index 05e48f0a..c5a467fe 100644 --- a/src/stub.c +++ b/src/stub.c @@ -845,7 +845,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) if (r) { _getdns_tls_connection_free(&upstream->upstreams->mf, tls); - upstream->tls_auth_state = r; + upstream->tls_auth_state = GETDNS_AUTH_NONE; return NULL; } From d71dccaf2cbae24d20a4cb981bd80d7c9667c1ea Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 23 Jan 2019 12:43:20 +0100 Subject: [PATCH 078/108] - Nested getdns_context_runt() prevention - Fix address query with qname and missing qtype for -I and -F too - disable tiny delay again --- src/tools/getdns_query.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index 7845a407..95866587 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -74,9 +74,11 @@ static getdns_dict *listen_dict = NULL; static size_t pincount = 0; static size_t listen_count = 0; static uint16_t request_type = GETDNS_RRTYPE_NS; +static int got_rrtype = 0; static int timeout, edns0_size, padding_blocksize; static int async = 0, interactive = 0; static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL; +static int got_calltype = 0; static int bogus_answers = 0; static int check_dnssec = 0; #ifndef USE_WINSOCK @@ -581,8 +583,6 @@ getdns_return_t parse_args(int argc, char **argv) size_t upstream_count = 0; FILE *fh; int int_value; - int got_rrtype = 0; - int got_calltype = 0; int got_qname = 0; for (i = 1; i < argc; i++) { 
@@ -1271,12 +1271,15 @@ void read_line_tiny_delay_cb(void *userarg) void read_line_cb(void *userarg) { + static int n = 0; getdns_eventloop_event *read_line_ev = userarg; getdns_return_t r; char line[1024], *token, *linev[256]; int linec; + assert(n == 0); + n += 1; if (!fgets(line, 1024, fp) || !*line) { if (query_file && verbosity) fprintf(stdout,"End of file."); @@ -1287,6 +1290,7 @@ void read_line_cb(void *userarg) if (interactive && !query_file) (void) getdns_context_set_upstream_recursive_servers( context, NULL); + n -= 1; return; } if (query_file && verbosity) @@ -1299,6 +1303,7 @@ void read_line_cb(void *userarg) printf("> "); fflush(stdout); } + n -= 1; return; } if (*token == '#') { @@ -1308,6 +1313,7 @@ void read_line_cb(void *userarg) printf("> "); fflush(stdout); } + n -= 1; return; } do linev[linec++] = token; @@ -1324,18 +1330,22 @@ void read_line_cb(void *userarg) loop->vmt->clear(loop, read_line_ev); else { +#if 0 /* Tiny delay, to make sending queries less bursty with * -F parameter. + * */ loop->vmt->clear(loop, read_line_ev); read_line_ev->read_cb = NULL; read_line_ev->timeout_cb = read_line_tiny_delay_cb; loop->vmt->schedule(loop, fileno(fp), 1, read_line_ev); +#endif if (! query_file) { printf("> "); fflush(stdout); } } + n -= 1; } typedef struct dns_msg { From 35f2ce37c001e5689040d96ce29ae6cae12819cf Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 23 Jan 2019 12:49:22 +0100 Subject: [PATCH 079/108] Restore original serve delays --- .../280-limit_outstanding_queries.c | 2 +- .../285-out_of_filedescriptors.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c index 3d3f2429..8337caf4 100644 --- a/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c 
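Review bot: The re-entrancy guard added to read_line_cb (`static int n`, `assert(n == 0)`) exists only in builds compiled without NDEBUG; in a release build a nested getdns_context_run() reaches the body unnoticed, since these hunks show nothing but the assert acting on `n`. An explicit check that also returns, e.g. `if (n) { fprintf(stderr, "read_line_cb re-entered\n"); return; }`, keeps the protection in every build, and `n` could then be a plain flag. The `#if 0` block in the last hunk is dead code with no comment saying why it is kept; either delete it or leave a one-line note on the reason. read_line_cb's body extends beyond these hunks, so any return path outside them also needs the `n -= 1`.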
+++ b/src/test/tpkg/280-limit_outstanding_queries.tpkg/280-limit_outstanding_queries.c @@ -98,7 +98,7 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type, trans->ev.timeout_cb = delay_cb; if (getdns_context_get_eventloop(context, &trans->loop) - || trans->loop->vmt->schedule(trans->loop, -1, 200, &trans->ev)) + || trans->loop->vmt->schedule(trans->loop, -1, 300, &trans->ev)) fprintf(stderr, "Could not schedule delay\n"); else return; } diff --git a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c index 4135b74a..88ecaf20 100644 --- a/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c +++ b/src/test/tpkg/285-out_of_filedescriptors.tpkg/285-out_of_filedescriptors.c @@ -103,7 +103,7 @@ void handler(getdns_context *context, getdns_callback_type_t callback_type, fprintf(stderr, "sched delay for query %s, n_request %d\n", fqdn, (int)n_requests); free(fqdn); if (getdns_context_get_eventloop(context, &trans->loop) - || trans->loop->vmt->schedule(trans->loop, -1, 200, &trans->ev)) + || trans->loop->vmt->schedule(trans->loop, -1, 300, &trans->ev)) fprintf(stderr, "Could not schedule delay\n"); else return; } From e657024531f66afc568d77551957ce2b43e6ea46 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 23 Jan 2019 12:50:44 +0100 Subject: [PATCH 080/108] Run all unit tests again --- src/test/tpkg/run-all.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/test/tpkg/run-all.sh b/src/test/tpkg/run-all.sh index cc59ed6b..94a5623a 100755 --- a/src/test/tpkg/run-all.sh +++ b/src/test/tpkg/run-all.sh @@ -11,8 +11,7 @@ control_c() } -# for TEST_PKG in ${SRCDIR}/*.tpkg -for TEST_PKG in ${SRCDIR}/280-limit_outstanding_queries.tpkg ${SRCDIR}/285-out_of_filedescriptors.tpkg +for TEST_PKG in ${SRCDIR}/*.tpkg do "${TPKG}" $* exe "${TEST_PKG}" # trap keyboard interrupt (control-c) 
From f72fe60035f465c1f9269ffa21acdd9de32b77b1 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 23 Jan 2019 13:55:29 +0100 Subject: [PATCH 081/108] Cannot reuse qname (via name) after read_line_cb.. .. returns. --- src/tools/getdns_query.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index 95866587..b3dca443 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -62,8 +62,7 @@ static int quiet = 0; static int batch_mode = 0; static char *query_file = NULL; static int json = 0; -static char *the_root = "."; -static char *name; +static char name[2048] = "."; static getdns_context *context; static getdns_dict *extensions; static getdns_dict *query_extensions_spc = NULL; @@ -659,7 +658,11 @@ getdns_return_t parse_args(int argc, char **argv) } else if (arg[0] != '-') { got_qname = 1; - name = arg; + if (strlen(arg) > sizeof(name)) { + fprintf(stderr, "Query name too long\n"); + return GETDNS_RETURN_BAD_DOMAIN_NAME; + } + (void) strlcpy(name, arg, sizeof(name)); continue; } for (c = arg+1; *c; c++) { @@ -1770,7 +1773,6 @@ main(int argc, char **argv) { getdns_return_t r; - name = the_root; if ((r = getdns_context_create(&context, 1))) { fprintf(stderr, "Create context failed: %d\n", (int)r); return r; From cad7eb2461e20d206436bd3968b0544d68f0640e Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 23 Jan 2019 14:06:04 +0100 Subject: [PATCH 082/108] Probably the strlcpy --- src/tools/getdns_query.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index b3dca443..dc866586 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c 
@@ -657,12 +657,15 @@ getdns_return_t parse_args(int argc, char **argv) continue; } else if (arg[0] != '-') { + size_t arg_len = strlen(arg); + got_qname = 1; - if (strlen(arg) > sizeof(name)) { + if (arg_len > sizeof(name) - 1) { fprintf(stderr, "Query name too long\n"); return GETDNS_RETURN_BAD_DOMAIN_NAME; } - (void) strlcpy(name, arg, sizeof(name)); + (void) memcpy(name, arg, arg_len); + name[arg_len] = 0; continue; } for (c = arg+1; *c; c++) { From 7c1b43b4208c3bb984dae7249c0f5a34061fea3a Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 23 Jan 2019 14:33:35 +0000 Subject: [PATCH 083/108] Fix sole pinset validation with ssl_dane library --- src/openssl/tls-internal.h | 2 +- src/openssl/tls.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h index e640150d..615f79e3 100644 --- a/src/openssl/tls-internal.h +++ b/src/openssl/tls-internal.h @@ -67,7 +67,7 @@ typedef struct _getdns_tls_connection { const getdns_log_config* log; #if defined(USE_DANESSL) const char* auth_name; - sha256_pin_t* pinset; + const sha256_pin_t* pinset; #endif } _getdns_tls_connection; diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 33e37a4c..3a8878ce 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -904,7 +904,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c if (!conn || !conn->ssl || !auth_name) return GETDNS_RETURN_INVALID_PARAMETER; -#if defined(USE_DANE_SSL) +#if defined(USE_DANESSL) /* Stash auth name and pinset away for use in cert verification. */ conn->auth_name = auth_name; conn->pinset = pinset; From c68f5a7a8d2dcd166cea0a55e8ef1f26f7025dac Mon Sep 17 00:00:00 2001 
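Review bot: The `USE_DANE_SSL` → `USE_DANESSL` correction implies that, until now, _getdns_tls_connection_set_host_pinset never stashed `auth_name` and `pinset`, so pin-only authentication silently did nothing while the call presumably still succeeded; a misspelled macro compiles cleanly, which is why nothing caught it. Consider making the configuration without DANE-SSL fail loudly when a non-NULL `pinset` is passed (in the `#else` path, outside this hunk) rather than accepting it, and adding a regression test that expects a pin mismatch to fail the connection. The `const sha256_pin_t*` change in tls-internal.h matches the parameter's constness and needs nothing further.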
From: Havard Eidnes Date: Mon, 28 Jan 2019 11:24:10 +0100 Subject: [PATCH 084/108] Fix various build warnings uncovered on NetBSD w/pkgsrc. The isxxxx() and toxxxx() functions have a limited well-defined input value range, namely that of "unsigned char" plus EOF. Cast args accordingly. Bring strncasecmp() into scope by including . --- src/context.c | 1 + src/convert.c | 2 +- src/tools/getdns_query.c | 4 ++-- src/tools/getdns_server_mon.c | 2 +- src/util-internal.c | 4 ++-- 5 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/context.c b/src/context.c index aa0478ff..0a0e4456 100644 --- a/src/context.c +++ b/src/context.c @@ -55,6 +55,7 @@ typedef unsigned short in_port_t; #include #include +#include #include #include diff --git a/src/convert.c b/src/convert.c index 53d98e99..42365c84 100644 --- a/src/convert.c +++ b/src/convert.c @@ -1670,7 +1670,7 @@ getdns_str2dict(const char *str, getdns_dict **dict) if (!str || !dict) return GETDNS_RETURN_INVALID_PARAMETER; - while (*str && isspace(*str)) + while (*str && isspace((unsigned char)*str)) str++; if (*str != '{') { diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index dc866586..80b94dbd 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -98,7 +98,7 @@ static int get_rrtype(const char *t) if (strlen(t) > sizeof(buf) - 15) return -1; for (i = 14; *t && i < sizeof(buf) - 1; i++, t++) - buf[i] = *t == '-' ? '_' : toupper(*t); + buf[i] = *t == '-' ? '_' : toupper((unsigned char)*t); buf[i] = '\0'; if (!getdns_str2int(buf, &rrtype)) @@ -123,7 +123,7 @@ static int get_rrclass(const char *t) if (strlen(t) > sizeof(buf) - 16) return -1; for (i = 15; *t && i < sizeof(buf) - 1; i++, t++) - buf[i] = toupper(*t); + buf[i] = toupper((unsigned char)*t); buf[i] = '\0'; if (!getdns_str2int(buf, &rrclass)) diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c index 3b2d1045..a11ed55e 100644 --- a/src/tools/getdns_server_mon.c +++ b/src/tools/getdns_server_mon.c 
@@ -130,7 +130,7 @@ static int get_rrtype(const char *t) if (strlen(t) > sizeof(buf) - 15) return -1; for (i = 14; *t && i < sizeof(buf) - 1; i++, t++) - buf[i] = *t == '-' ? '_' : toupper(*t); + buf[i] = *t == '-' ? '_' : toupper((unsigned char)*t); buf[i] = '\0'; if (!getdns_str2int(buf, &rrtype)) diff --git a/src/util-internal.c b/src/util-internal.c index a592b90d..be919637 100644 --- a/src/util-internal.c +++ b/src/util-internal.c @@ -1428,9 +1428,9 @@ _getdns_validate_dname(const char* dname) { break; case '\\': s += 1; - if (isdigit(s[0])) { + if (isdigit((unsigned char)s[0])) { /* octet value */ - if (! isdigit(s[1]) && ! isdigit(s[2])) + if (! isdigit((unsigned char)s[1]) && ! isdigit((unsigned char)s[2])) return GETDNS_RETURN_BAD_DOMAIN_NAME; if ((s[0] - '0') * 100 + From 0fef131e9b31593a4c4be41a9980ab52700d4d23 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Mon, 4 Feb 2019 15:46:10 +0100 Subject: [PATCH 085/108] bugfix #418 duplicate ,'s in Windows build --- src/openssl/tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 33e37a4c..e53cb60b 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -194,7 +194,7 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx, const getdns_log_config* log) PCCERT_CONTEXT pTargetCert = NULL; _getdns_log(log, GETDNS_LOG_SYS_STUB, GETDNS_LOG_DEBUG - , "%s: %s\n", STUB_DEBUG_SETUP_TLS, + , "%s: %s\n", STUB_DEBUG_SETUP_TLS , "Adding Windows certificates from system root store to CA store") ; @@ -244,7 +244,7 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx, const getdns_log_config* log) if (!cert1) { /* return error if a cert fails */ _getdns_log(log - , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR, + , GETDNS_LOG_SYS_STUB, GETDNS_LOG_ERR , "%s: %s %d:%s\n" , STUB_DEBUG_SETUP_TLS , "Unable to parse certificate in memory" From c3d0afd47d9693588b4c7d16aca3856425d07a96 Mon Sep 17 00:00:00 2001 
From: Willem Toorop Date: Fri, 15 Feb 2019 10:29:39 +0100 Subject: [PATCH 086/108] Issue #419: Escape backslashes when printing json Thanks boB Rudis --- ChangeLog | 4 ++++ src/dict.c | 28 +++++++++++++++++++++++----- src/gldns/gbuffer.c | 2 ++ 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 234077f2..dccc733d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +* 2019-??-??: Version 1.?.? + * Issue #419: Escape backslashed when printing in JSON format. + Thanks boB Rudis + * 2019-01-11: Version 1.5.1 * Introduce proof of concept GnuTLS implementation. Incomplete support for Trust Anchor validation. Requires GnuTLS DANE library. Currently diff --git a/src/dict.c b/src/dict.c index d2ce53a9..69c8d06d 100644 --- a/src/dict.c +++ b/src/dict.c @@ -782,13 +782,31 @@ getdns_pp_bindata(gldns_buffer *buf, getdns_bindata *bindata, if (bindata->size > 0 && i == bindata->size) { /* all printable? */ - if (json) - (void)snprintf(spc, sizeof(spc), "\"%%.%ds\"", (int)i); - else + if (json) { + const uint8_t *s = bindata->data; + const uint8_t *e = s + bindata->size; + const uint8_t *b; + + if (!gldns_buffer_reserve(buf, (e - s) + 2)) + return -1; + gldns_buffer_write_u8(buf, '"'); + while ((b = memchr(s, '\\', e - s))) { + if (!gldns_buffer_reserve(buf, (b - s) + 3)) + return -1; + gldns_buffer_write(buf, s, b - s); + gldns_buffer_write_u8(buf, '\\'); + gldns_buffer_write_u8(buf, '\\'); + s = b + 1; + } + if (s < e) + gldns_buffer_write(buf, s, e - s); + gldns_buffer_write_u8(buf, '"'); + } else { (void)snprintf(spc, sizeof(spc), "of \"%%.%ds\"%s>", (int)(i > 32 ? 32 : i), (i > 32 ? "..." : "")); - if (gldns_buffer_printf(buf, spc, bindata->data) < 0) - return -1; + if (gldns_buffer_printf(buf, spc, bindata->data) < 0) + return -1; + } } else if (bindata->size > 1 && /* null terminated printable */ i == bindata->size - 1 && bindata->data[i] == 0) { diff --git a/src/gldns/gbuffer.c b/src/gldns/gbuffer.c index 180fa631..3b39f438 100644 
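Review bot: The escaping loop reserves `(b - s) + 3` bytes per escape, but the trailing `gldns_buffer_write(buf, s, e - s)` and the closing quote are not covered by any reservation: the initial `(e - s) + 2` budget is exceeded by one byte per escape written, and each loop reservation only guarantees one spare byte after its own writes. Unless gldns_buffer_write grows the buffer on its own (which the gbuffer.c hunk does not show), reserving for the remainder of the input inside the loop, `if (!gldns_buffer_reserve(buf, (e - s) + 3)) return -1;`, keeps the tail write within capacity. The same pattern is kept by the follow-up hunk in PATCH 087 that also escapes `"`, so the change applies there too.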
--- a/src/gldns/gbuffer.c +++ b/src/gldns/gbuffer.c @@ -106,6 +106,8 @@ int gldns_buffer_reserve(gldns_buffer *buffer, size_t amount) { gldns_buffer_invariant(buffer); + if (buffer->_vfixed) + return 1; assert(!buffer->_fixed); if (buffer->_capacity < buffer->_position + amount) { size_t new_capacity = buffer->_capacity * 3 / 2; From 71b773ab2f80bbe95463c389d683aac55c1c3dc0 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Fri, 15 Feb 2019 10:44:49 +0100 Subject: [PATCH 087/108] '"' needs to be escaped too in json --- src/dict.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/dict.c b/src/dict.c index 69c8d06d..f1ccb1a4 100644 --- a/src/dict.c +++ b/src/dict.c @@ -790,12 +790,18 @@ getdns_pp_bindata(gldns_buffer *buf, getdns_bindata *bindata, if (!gldns_buffer_reserve(buf, (e - s) + 2)) return -1; gldns_buffer_write_u8(buf, '"'); - while ((b = memchr(s, '\\', e - s))) { + for (;;) { + for ( b = s + ; b < e && *b != '\\' && *b != '"' + ; b++) + ; /* pass */ + if (b == e) + break; if (!gldns_buffer_reserve(buf, (b - s) + 3)) return -1; gldns_buffer_write(buf, s, b - s); gldns_buffer_write_u8(buf, '\\'); - gldns_buffer_write_u8(buf, '\\'); + gldns_buffer_write_u8(buf, *b); s = b + 1; } if (s < e) From 034b775e5c69d223c9b0e2101a6acae6874d327f Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Fri, 15 Feb 2019 13:36:39 +0100 Subject: [PATCH 088/108] DOA & AMTRELAY RR types implementation --- ChangeLog | 2 + src/const-info.c | 1 + src/getdns/getdns.h.in | 1 + src/gldns/rrdef.c | 15 +++ src/gldns/rrdef.h | 8 +- src/gldns/str2wire.c | 76 ++++++++++++++ src/gldns/str2wire.h | 9 ++ src/gldns/wire2str.c | 58 +++++++++++ src/gldns/wire2str.h | 15 +++ src/rr-dict.c | 228 ++++++++++++++++++++++++++++++++++++++++- 10 files changed, 407 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index dccc733d..b50e946c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,8 @@ * 2019-??-??: Version 1.?.? * Issue #419: Escape backslashed when printing in JSON format. Thanks boB Rudis + * DOA rr-type + * AMTRELAY rr-type * 2019-01-11: Version 1.5.1 * Introduce proof of concept GnuTLS implementation. Incomplete support diff --git a/src/const-info.c b/src/const-info.c index ebff80a4..6265c523 100644 --- a/src/const-info.c +++ b/src/const-info.c @@ -303,6 +303,7 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_RRTYPE_A6", 38 }, { "GETDNS_RRTYPE_AAAA", 28 }, { "GETDNS_RRTYPE_AFSDB", 18 }, + { "GETDNS_RRTYPE_AMTRELAY", 260 }, { "GETDNS_RRTYPE_ANY", 255 }, { "GETDNS_RRTYPE_APL", 42 }, { "GETDNS_RRTYPE_ATMA", 34 }, diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in index 5e4873b5..b2702d43 100644 --- a/src/getdns/getdns.h.in +++ b/src/getdns/getdns.h.in @@ -439,6 +439,7 @@ typedef enum getdns_callback_type_t { #define GETDNS_RRTYPE_CAA 257 #define GETDNS_RRTYPE_AVC 258 #define GETDNS_RRTYPE_DOA 259 +#define GETDNS_RRTYPE_AMTRELAY 260 #define GETDNS_RRTYPE_TA 32768 #define GETDNS_RRTYPE_DLV 32769 /** @} diff --git a/src/gldns/rrdef.c b/src/gldns/rrdef.c index 9f27a5a1..114f807e 100644 --- a/src/gldns/rrdef.c +++ b/src/gldns/rrdef.c @@ -232,6 +232,15 @@ static const gldns_rdf_type type_caa_wireformat[] = { GLDNS_RDF_TYPE_TAG, GLDNS_RDF_TYPE_LONG_STR }; +#ifdef DRAFT_RRTYPES +static const gldns_rdf_type type_doa_wireformat[] = { + GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT8, + GLDNS_RDF_TYPE_STR, GLDNS_RDF_TYPE_B64 +}; +static const gldns_rdf_type type_amtrelay_wireformat[] = { + GLDNS_RDF_TYPE_AMTRELAY +}; +#endif /* All RR's defined in 1035 are well known and can thus * be compressed. See RFC3597. These RR's are: 
@@ -608,8 +617,14 @@ static gldns_rr_descriptor rdata_field_descriptors[] = { #ifdef DRAFT_RRTYPES /* 258 */ {GLDNS_RR_TYPE_AVC, "AVC", 1, 0, NULL, GLDNS_RDF_TYPE_STR, GLDNS_RR_NO_COMPRESS, 0 }, + /* 259 */ + {GLDNS_RR_TYPE_DOA, "DOA", 1, 0, type_doa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 }, + /* 260 */ + {GLDNS_RR_TYPE_AMTRELAY, "AMTRELAY", 1, 0, type_amtrelay_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 }, #else {GLDNS_RR_TYPE_NULL, "TYPE258", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 }, +{GLDNS_RR_TYPE_NULL, "TYPE259", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 }, +{GLDNS_RR_TYPE_NULL, "TYPE260", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 }, #endif /* split in array, no longer contiguous */ diff --git a/src/gldns/rrdef.h b/src/gldns/rrdef.h index a11984b3..a393dc8e 100644 --- a/src/gldns/rrdef.h +++ b/src/gldns/rrdef.h @@ -38,7 +38,7 @@ extern "C" { #define GLDNS_KEY_REVOKE_KEY 0x0080 /* used to revoke KSK, rfc 5011 */ /* The first fields are contiguous and can be referenced instantly */ -#define GLDNS_RDATA_FIELD_DESCRIPTORS_COMMON 259 +#define GLDNS_RDATA_FIELD_DESCRIPTORS_COMMON 260 /** lookuptable for rr classes */ extern struct gldns_struct_lookup_table* gldns_rr_classes; @@ -226,7 +226,8 @@ enum gldns_enum_rr_type GLDNS_RR_TYPE_URI = 256, /* RFC 7553 */ GLDNS_RR_TYPE_CAA = 257, /* RFC 6844 */ GLDNS_RR_TYPE_AVC = 258, - GLDNS_RR_TYPE_DOA = 259, + GLDNS_RR_TYPE_DOA = 259, /* draft-durand-doa-over-dns */ + GLDNS_RR_TYPE_AMTRELAY= 260, /* draft-ietf-mboned-driad-amt-discovery */ /** DNSSEC Trust Authorities */ GLDNS_RR_TYPE_TA = 32768, @@ -351,6 +352,9 @@ enum gldns_enum_rdf_type */ GLDNS_RDF_TYPE_LONG_STR, + /* draft-ietf-mboned-driad-amt-discovery */ + GLDNS_RDF_TYPE_AMTRELAY, + /** TSIG extended 16bit error value */ GLDNS_RDF_TYPE_TSIGERROR, diff --git a/src/gldns/str2wire.c b/src/gldns/str2wire.c index 26c2ea6f..708df50e 100644 
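Review bot: `GLDNS_RDATA_FIELD_DESCRIPTORS_COMMON` moves from 259 to 260 while the rrdef.c hunk appends two contiguous entries (259 DOA and 260 AMTRELAY, or their TYPE259/TYPE260 placeholders), so the type-indexable prefix of the table now has 261 entries. If the macro is the length of that prefix, as its comment "The first fields are contiguous and can be referenced instantly" suggests, AMTRELAY at index 260 is reachable only through whatever fallback search follows, and a lookup that trusts the macro would miss it; `#define GLDNS_RDATA_FIELD_DESCRIPTORS_COMMON 261` keeps the macro equal to the contiguous count. The rr-dict.c hunk later on this page uses `rr_type <= 260` for the same boundary, i.e. 261 entries, which is the consistent figure.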
--- a/src/gldns/str2wire.c
+++ b/src/gldns/str2wire.c
@@ -997,6 +997,8 @@ int gldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
 return gldns_str2wire_hip_buf(str, rd, len);
 case GLDNS_RDF_TYPE_INT16_DATA:
 return gldns_str2wire_int16_data_buf(str, rd, len);
+ case GLDNS_RDF_TYPE_AMTRELAY:
+ return gldns_str2wire_amtrelay_buf(str, rd, len);
 case GLDNS_RDF_TYPE_UNKNOWN:
 case GLDNS_RDF_TYPE_SERVICE:
 return GLDNS_WIREPARSE_ERR_NOT_IMPL;
@@ -2118,3 +2120,77 @@ int gldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len) *len = ((size_t)n)+2; return GLDNS_WIREPARSE_ERR_OK; } + +int gldns_str2wire_amtrelay_buf(const char* str, uint8_t* rd, size_t* len) +{ + size_t relay_len = 0; + int s; + uint8_t relay_type; + char token[512]; + gldns_buffer strbuf; + gldns_buffer_init_frm_data(&strbuf, (uint8_t*)str, strlen(str)); + + if(*len < 2) + return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; + /* precedence */ + if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0) + return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR, + gldns_buffer_position(&strbuf)); + rd[0] = (uint8_t)atoi(token); + /* discovery_optional */ + if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0) + return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR, + gldns_buffer_position(&strbuf)); + if ((token[0] != '0' && token[0] != '1') || token[1] != 0) + return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR, + gldns_buffer_position(&strbuf)); + + rd[1] = *token == '1' ? 
0x80 : 0x00; + /* relay_type */ + if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0) + return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR, + gldns_buffer_position(&strbuf)); + relay_type = (uint8_t)atoi(token); + if (relay_type > 0x7F) + return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR, + gldns_buffer_position(&strbuf)); + rd[1] |= relay_type; + + if (relay_type == 0) { + *len = 2; + return GLDNS_WIREPARSE_ERR_OK; + } + /* relay */ + if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0) + return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR, + gldns_buffer_position(&strbuf)); + if(relay_type == 1) { + /* IP4 */ + relay_len = *len - 2; + s = gldns_str2wire_a_buf(token, rd+2, &relay_len); + if(s) return RET_ERR_SHIFT(s, gldns_buffer_position(&strbuf)); + } else if(relay_type == 2) { + /* IP6 */ + relay_len = *len - 2; + s = gldns_str2wire_aaaa_buf(token, rd+2, &relay_len); + if(s) return RET_ERR_SHIFT(s, gldns_buffer_position(&strbuf)); + } else if(relay_type == 3) { + /* DNAME */ + relay_len = *len - 2; + s = gldns_str2wire_dname_buf(token, rd+2, &relay_len); + if(s) return RET_ERR_SHIFT(s, gldns_buffer_position(&strbuf)); + } else { + /* unknown gateway type */ + return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR, + gldns_buffer_position(&strbuf)); + } + /* double check for size */ + if(*len < 2 + relay_len) + return RET_ERR(GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL, + gldns_buffer_position(&strbuf)); + + *len = 2 + relay_len; + return GLDNS_WIREPARSE_ERR_OK; +} + + diff --git a/src/gldns/str2wire.h b/src/gldns/str2wire.h index 2aba0e10..293a4981 100644 --- a/src/gldns/str2wire.h +++ b/src/gldns/str2wire.h 
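Review bot: `precedence` and `relay_type` are read with `atoi(token)` and truncated to uint8_t, so presentation text such as `300` or `abc` is accepted silently (as 44 and 0) instead of being rejected the way the `discovery_optional` token is. Parsing with strtol and rejecting leftovers or out-of-range values, `char *ep; long v = strtol(token, &ep, 10);` followed by `if (*ep || v < 0 || v > 255) return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR, gldns_buffer_position(&strbuf));` (with 0x7F as the bound for the relay type), would report the error consistently with the other fields. The final `*len < 2 + relay_len` check is good defensive practice given that the helpers already received `*len - 2`.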
@@ -554,6 +554,15 @@ int gldns_str2wire_hip_buf(const char* str, uint8_t* rd, size_t* len); */ int gldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len); +/** + * Convert rdf of type GLDNS_RDF_TYPE_AMTRELAY from string to wireformat. + * @param str: the text to convert for this rdata element. + * @param rd: rdata buffer for the wireformat. + * @param len: length of rd buffer on input, used length on output. + * @return 0 on success, error on failure. + */ +int gldns_str2wire_amtrelay_buf(const char* str, uint8_t* rd, size_t* len); + /** * Strip whitespace from the start and the end of line. * @param line: modified with 0 to shorten it. diff --git a/src/gldns/wire2str.c b/src/gldns/wire2str.c index 54e336d8..28b7863b 100644 --- a/src/gldns/wire2str.c +++ b/src/gldns/wire2str.c @@ -1004,6 +1004,9 @@ int gldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen, return gldns_wire2str_tag_scan(d, dlen, s, slen); case GLDNS_RDF_TYPE_LONG_STR: return gldns_wire2str_long_str_scan(d, dlen, s, slen); + case GLDNS_RDF_TYPE_AMTRELAY: + return gldns_wire2str_amtrelay_scan(d, dlen, s, slen, pkt, + pktlen); case GLDNS_RDF_TYPE_TSIGERROR: return gldns_wire2str_tsigerror_scan(d, dlen, s, slen); } 
@@ -1707,6 +1710,61 @@ int gldns_wire2str_long_str_scan(uint8_t** d, size_t* dl, char** s, size_t* sl) return w; } +/* internal scan routine that can modify arguments on failure */ +static int gldns_wire2str_amtrelay_scan_internal(uint8_t** d, size_t* dl, + char** s, size_t* sl, uint8_t* pkt, size_t pktlen) +{ + /* https://www.ietf.org/id/draft-ietf-mboned-driad-amt-discovery-01.txt */ + uint8_t precedence, discovery_optional, relay_type; + int w = 0; + + if(*dl < 2) return -1; + precedence = (*d)[0]; + discovery_optional= (*d)[1] >> 7; + relay_type = (*d)[1] % 0x7F; + if(relay_type > 3) + return -1; /* unknown */ + (*d)+=2; + (*dl)-=2; + w += gldns_str_print(s, sl, "%d %d %d ", + (int)precedence, (int)discovery_optional, (int)relay_type); + + switch(relay_type) { + case 0: /* no relay */ + break; + case 1: /* ip4 */ + w += gldns_wire2str_a_scan(d, dl, s, sl); + break; + case 2: /* ip6 */ + w += gldns_wire2str_aaaa_scan(d, dl, s, sl); + break; + case 3: /* dname */ + w += gldns_wire2str_dname_scan(d, dl, s, sl, pkt, pktlen); + break; + default: /* unknown */ + return -1; + } + return w; +} + +int gldns_wire2str_amtrelay_scan(uint8_t** d, size_t* dl, char** s, size_t* sl, + uint8_t* pkt, size_t pktlen) +{ + uint8_t* od = *d; + char* os = *s; + size_t odl = *dl, osl = *sl; + int w=gldns_wire2str_amtrelay_scan_internal(d, dl, s, sl, pkt, pktlen); + if(w == -1) { + *d = od; + *s = os; + *dl = odl; + *sl = osl; + return -1; + } + return w; +} + + int gldns_wire2str_tsigerror_scan(uint8_t** d, size_t* dl, char** s, size_t* sl) { gldns_lookup_table *lt; diff --git a/src/gldns/wire2str.h b/src/gldns/wire2str.h index a7a7c930..99a737a1 100644 --- a/src/gldns/wire2str.h +++ b/src/gldns/wire2str.h 
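Review bot: `relay_type = (*d)[1] % 0x7F;` uses modulo where the layout calls for a mask: the D bit is the high bit, so the type is the low seven bits, `(*d)[1] & 0x7F`. With modulo, a byte of 0x81 (D=1, type 1, an IPv4 relay) yields 129 % 127 = 2 and the relay is scanned as 16 bytes of IPv6, while 0x7F yields 0 and is accepted as "no relay" instead of being rejected as unknown. The str2wire side of the same patch builds the byte as `rd[1] |= relay_type` on top of a 0x80 D bit, so wire produced there is misread here for every D=1 record; the fix is `relay_type = (*d)[1] & 0x7F;`.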
@@ -916,6 +916,21 @@ int gldns_wire2str_tag_scan(uint8_t** data, size_t* data_len, char** str, int gldns_wire2str_long_str_scan(uint8_t** data, size_t* data_len, char** str, size_t* str_len); +/** + * Scan wireformat AMTRELAY field to string, with user buffers. + * It shifts the arguments to move along (see gldns_wire2str_pkt_scan). + * @param data: wireformat data. + * @param data_len: length of data buffer. + * @param str: string buffer. + * @param str_len: length of string buffer. + * @param pkt: packet for decompression, if NULL no decompression. + * @param pktlen: length of packet buffer. + * @return number of characters (except null) needed to print. + * Can return -1 on failure. + */ +int gldns_wire2str_amtrelay_scan(uint8_t** data, size_t* data_len, char** str, + size_t* str_len, uint8_t* pkt, size_t pktlen); + /** * Print EDNS LLQ option data to string. User buffers, moves string pointers. * @param str: string buffer. diff --git a/src/rr-dict.c b/src/rr-dict.c index 79fb7bcc..0ad75a43 100644 --- a/src/rr-dict.c +++ b/src/rr-dict.c 
@@ -431,6 +431,214 @@ static _getdns_rdf_special hip_public_key = { hip_public_key_dict2wire, NULL }; +static const uint8_t * +amtrelay_D_rdf_end(const uint8_t *pkt, const uint8_t *pkt_end, const uint8_t *rdf) +{ + (void)pkt; + return rdf < pkt_end ? rdf + 1 : NULL; +} +static getdns_return_t +amtrelay_D_wire2dict(getdns_dict *dict, const uint8_t *rdf) +{ + return getdns_dict_set_int(dict, "discovery_optional", (*rdf >> 7)); +} +static getdns_return_t +amtrelay_D_dict2wire(const getdns_dict *dict, + uint8_t *rdata, uint8_t *rdf, size_t *rdf_len) +{ + getdns_return_t r; + uint32_t value; + (void)rdata; /* unused parameter */ + + if ((r = getdns_dict_get_int(dict, "discovery_optional", &value))) + return r; + + *rdf_len = 1; + if (*rdf_len < 1) + return GETDNS_RETURN_NEED_MORE_SPACE; + + *rdf_len = 1; + *rdf = value ? 0x80 : 0x00; + return GETDNS_RETURN_GOOD; +} +static _getdns_rdf_special amtrelay_D = { + amtrelay_D_rdf_end, + amtrelay_D_wire2dict, NULL, + amtrelay_D_dict2wire, NULL +}; + +static const uint8_t * +amtrelay_rtype_rdf_end( + const uint8_t *pkt, const uint8_t *pkt_end, const uint8_t *rdf) +{ + return rdf; +} +static getdns_return_t +amtrelay_rtype_wire2dict(getdns_dict *dict, const uint8_t *rdf) +{ + return _getdns_dict_set_int( + dict, "replay_type", (rdf[-1] & 0x7F)); +} +static getdns_return_t +amtrelay_rtype_dict2wire( + const getdns_dict *dict, uint8_t *rdata, uint8_t *rdf, size_t *rdf_len) +{ + getdns_return_t r; + uint32_t value; + + if ((r = getdns_dict_get_int(dict, "relay_type", &value))) + return r; + + if (rdf - 1 < rdata) + return GETDNS_RETURN_GENERIC_ERROR; + + *rdf_len = 0; + rdf[-1] |= (value & 0x7F); + + return GETDNS_RETURN_GOOD; +} +static _getdns_rdf_special amtrelay_rtype = { + amtrelay_rtype_rdf_end, + amtrelay_rtype_wire2dict, NULL, + amtrelay_rtype_dict2wire, NULL +}; + +static const uint8_t * +amtrelay_relay_rdf_end( + const uint8_t *pkt, const uint8_t *pkt_end, const uint8_t *rdf) +{ + const uint8_t *end; + + if (rdf - 4 < 
pkt) + return NULL; + switch (rdf[-1] & 0x7F) { + case 0: end = rdf; + break; + case 1: end = rdf + 4; + break; + case 2: end = rdf + 16; + break; + case 3: for (end = rdf; end < pkt_end; end += *end + 1) + if ((*end & 0xC0) == 0xC0) + end += 2; + else if (*end & 0xC0) + return NULL; + else if (!*end) { + end += 1; + break; + } + break; + default: + return NULL; + } + return end <= pkt_end ? end : NULL; +} +static getdns_return_t +amtrelay_relay_equip_const_bindata( + const uint8_t *rdf, size_t *size, const uint8_t **data) +{ + *data = rdf; + switch (rdf[-1] & 0x7F) { + case 0: *size = 0; + break; + case 1: *size = 4; + break; + case 2: *size = 16; + break; + case 3: while (*rdf) + if ((*rdf & 0xC0) == 0xC0) + rdf += 2; + else if (*rdf & 0xC0) + return GETDNS_RETURN_GENERIC_ERROR; + else + rdf += *rdf + 1; + *size = rdf + 1 - *data; + break; + default: + return GETDNS_RETURN_GENERIC_ERROR; + } + return GETDNS_RETURN_GOOD; +} + +static getdns_return_t +amtrelay_relay_wire2dict(getdns_dict *dict, const uint8_t *rdf) +{ + size_t size; + const uint8_t *data; + + if (amtrelay_relay_equip_const_bindata(rdf, &size, &data)) + return GETDNS_RETURN_GENERIC_ERROR; + + else if (! 
size) + return GETDNS_RETURN_GOOD; + else + return _getdns_dict_set_const_bindata(dict, "relay", size, data); +} +static getdns_return_t +amtrelay_relay_2wire( + const getdns_bindata *value, uint8_t *rdata, uint8_t *rdf, size_t *rdf_len) +{ + assert(rdf - 1 >= rdata && (rdf[-1] & 0x7F) > 0); + + switch (rdf[-1] & 0x7F) { + case 1: if (!value || value->size != 4) + return GETDNS_RETURN_INVALID_PARAMETER; + if (*rdf_len < 4) { + *rdf_len = 4; + return GETDNS_RETURN_NEED_MORE_SPACE; + } + *rdf_len = 4; + (void)memcpy(rdf, value->data, 4); + return GETDNS_RETURN_GOOD; + case 2: if (!value || value->size != 16) + return GETDNS_RETURN_INVALID_PARAMETER; + if (*rdf_len < 16) { + *rdf_len = 16; + return GETDNS_RETURN_NEED_MORE_SPACE; + } + *rdf_len = 16; + (void)memcpy(rdf, value->data, 16); + return GETDNS_RETURN_GOOD; + case 3: if (!value || value->size == 0) + return GETDNS_RETURN_INVALID_PARAMETER; + /* Assume bindata is a valid dname; garbage in, garbage out */ + if (*rdf_len < value->size) { + *rdf_len = value->size; + return GETDNS_RETURN_NEED_MORE_SPACE; + } + *rdf_len = value->size; + (void)memcpy(rdf, value->data, value->size); + return GETDNS_RETURN_GOOD; + default: + return GETDNS_RETURN_GENERIC_ERROR; + } + return GETDNS_RETURN_GOOD; +} +static getdns_return_t +amtrelay_relay_dict2wire( + const getdns_dict *dict, uint8_t *rdata, uint8_t *rdf, size_t *rdf_len) +{ + getdns_return_t r; + getdns_bindata *value; + + if (rdf - 1 < rdata) + return GETDNS_RETURN_GENERIC_ERROR; + + else if ((rdf[-1] & 0x7F) == 0) { + *rdf_len = 0; + return GETDNS_RETURN_GOOD; + } + else if ((r = getdns_dict_get_bindata(dict, "relay", &value))) + return r; + else + return amtrelay_relay_2wire(value, rdata, rdf, rdf_len); +} +static _getdns_rdf_special amtrelay_relay = { + amtrelay_relay_rdf_end, + amtrelay_relay_wire2dict, NULL, + amtrelay_relay_dict2wire, NULL +}; + static _getdns_rdata_def a_rdata[] = { { "ipv4_address" , GETDNS_RDF_A , NULL }}; 
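Review bot: amtrelay_rtype_wire2dict stores the field under the key `"replay_type"` while amtrelay_rtype_dict2wire reads `"relay_type"` and amtrelay_rdata names it `"relay_type"` too, so a dict produced from wire cannot be converted back (the get fails on the missing key); the line should read `dict, "relay_type", (rdf[-1] & 0x7F));`, and PATCH 090's hunk at the end of this page keeps the typo. In amtrelay_D_dict2wire the assignment `*rdf_len = 1;` precedes `if (*rdf_len < 1)`, so the space check can never fire; test the caller's length first: `if (*rdf_len < 1) { *rdf_len = 1; return GETDNS_RETURN_NEED_MORE_SPACE; }`. In amtrelay_relay_rdf_end's case 3, after a compression pointer advances `end += 2` the for-increment dereferences `*end` without re-checking `end < pkt_end`, so a pointer in the last two bytes of the packet reads one byte past it; since a pointer terminates a name, `{ end += 2; break; }` is both correct and bounded. amtrelay_relay_equip_const_bindata walks the same name with `while (*rdf)` and no packet bound, which is safe only if it always runs after amtrelay_relay_rdf_end has validated the field, an assumption worth stating in a comment.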
@@ -665,6 +873,17 @@ static _getdns_rdata_def dlv_rdata[] = { { "algorithm" , GETDNS_RDF_I1 , NULL }, { "digest_type" , GETDNS_RDF_I1 , NULL }, { "digest" , GETDNS_RDF_X , NULL }}; +static _getdns_rdata_def doa_rdata[] = { + { "enterprise" , GETDNS_RDF_I4 , NULL }, + { "type" , GETDNS_RDF_I4 , NULL }, + { "location" , GETDNS_RDF_I1 , NULL }, + { "media_type" , GETDNS_RDF_S , NULL }, + { "data" , GETDNS_RDF_B , NULL }}; +static _getdns_rdata_def amtrelay_rdata[] = { + { "precedence" , GETDNS_RDF_I1 , NULL }, + { "discovery_optional" , GETDNS_RDF_SPECIAL, &amtrelay_D}, + { "relay_type" , GETDNS_RDF_SPECIAL, &amtrelay_rtype }, + { "relay" , GETDNS_RDF_SPECIAL, &amtrelay_relay }}; static _getdns_rr_def _getdns_rr_defs[] = { { NULL, NULL, 0 }, @@ -926,7 +1145,8 @@ static _getdns_rr_def _getdns_rr_defs[] = { { "URI", uri_rdata, ALEN( uri_rdata) }, /* 256 - */ { "CAA", caa_rdata, ALEN( caa_rdata) }, { "AVC", txt_rdata, ALEN( txt_rdata) }, - { "DOA", UNKNOWN_RDATA, 0 }, /* - 259 */ + { "DOA", doa_rdata, ALEN( doa_rdata) }, + { "AMTRELAY", amtrelay_rdata, ALEN( amtrelay_rdata) }, /* - 260 */ { "TA", ds_rdata, ALEN( ds_rdata) }, /* 32768 */ { "DLV", dlv_rdata, ALEN( dlv_rdata) } /* 32769 */ }; @@ -934,12 +1154,12 @@ static _getdns_rr_def _getdns_rr_defs[] = { const _getdns_rr_def * _getdns_rr_def_lookup(uint16_t rr_type) { - if (rr_type <= 259) + if (rr_type <= 260) return &_getdns_rr_defs[rr_type]; else if (rr_type == 32768) - return &_getdns_rr_defs[260]; - else if (rr_type == 32769) return &_getdns_rr_defs[261]; + else if (rr_type == 32769) + return &_getdns_rr_defs[262]; return _getdns_rr_defs; } From 30367dada2a9f299011dbb999c89fe945a724434 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Fri, 15 Feb 2019 13:43:28 +0100 Subject: [PATCH 089/108] space needed for unit test to succeed --- src/gldns/rrdef.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/gldns/rrdef.h b/src/gldns/rrdef.h index a393dc8e..ef3c8d9d 100644 --- a/src/gldns/rrdef.h 
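Review bot: `_getdns_rr_def_lookup` still hard-codes the table positions 260, 261 and 262, and this hunk shows how brittle that is — adding one RR type meant editing three literals plus the `/* - 260 */` comment in the table hunk above. Deriving the positions from the array size keeps them in step automatically: `if (rr_type < ALEN(_getdns_rr_defs) - 2)`, `else if (rr_type == 32768) return &_getdns_rr_defs[ALEN(_getdns_rr_defs) - 2];` and `else if (rr_type == 32769) return &_getdns_rr_defs[ALEN(_getdns_rr_defs) - 1];`, with ALEN already in use for the rdata tables. This assumes, as the table's layout suggests, that entries 0..260 are contiguous and TA/DLV are the last two; a comment on `_getdns_rr_defs` stating that invariant would make the arithmetic safe to maintain.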
+++ b/src/gldns/rrdef.h @@ -227,7 +227,7 @@ enum gldns_enum_rr_type GLDNS_RR_TYPE_CAA = 257, /* RFC 6844 */ GLDNS_RR_TYPE_AVC = 258, GLDNS_RR_TYPE_DOA = 259, /* draft-durand-doa-over-dns */ - GLDNS_RR_TYPE_AMTRELAY= 260, /* draft-ietf-mboned-driad-amt-discovery */ + GLDNS_RR_TYPE_AMTRELAY = 260, /* draft-ietf-mboned-driad-amt-discovery */ /** DNSSEC Trust Authorities */ GLDNS_RR_TYPE_TA = 32768, From acc9b1cbd502b4195f1d815a8b246d5688fc8362 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Fri, 15 Feb 2019 13:46:28 +0100 Subject: [PATCH 090/108] Typo and unused parameter warning --- src/rr-dict.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/rr-dict.c b/src/rr-dict.c index 0ad75a43..fc675830 100644 --- a/src/rr-dict.c +++ b/src/rr-dict.c @@ -471,12 +471,13 @@ static const uint8_t * amtrelay_rtype_rdf_end( const uint8_t *pkt, const uint8_t *pkt_end, const uint8_t *rdf) { + (void)pkt; (void)pkt_end; return rdf; } static getdns_return_t amtrelay_rtype_wire2dict(getdns_dict *dict, const uint8_t *rdf) { - return _getdns_dict_set_int( + return getdns_dict_set_int( dict, "replay_type", (rdf[-1] & 0x7F)); } static getdns_return_t From a7a17f3725b4824b06887dfdaf5bb6ffe96e5a43 Mon Sep 17 00:00:00 2001 
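Review bot: The dict key written by `amtrelay_rtype_wire2dict` is still `"replay_type"`, while the amtrelay rdata definition added earlier in this series names the field `"relay_type"`; the dict2wire side, which is outside this hunk, will presumably look the value up under the definition's name, so a dict produced from wire data would not round-trip. The commit title mentions a typo, but this one survives the fix: `dict, "relay_type", (rdf[-1] & 0x7F));`. Both functions begin before the hunk.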
From: Jim Hague Date: Wed, 20 Feb 2019 11:06:21 +0000 Subject: [PATCH 091/108] Fix builds in mingw32. On mingw64, configure does not find declarations for inet_ntop() and inet_pton(), but does find implementations, and so does not try to compile the compat versions. On mingw32, configure find neither declarations or implementations, and so tries to compile the compat versions. However, there are declarations in ws2tcpip.h, and these do not have the same prototype as compat. The build fails, complaining about conflicting types for inet_ntop(). The declarations in ws2tcpip.h are #defines to Windows functions InetNtopA() and InetPtonA(). Which is not good, but we're stuck with it. Try to work around this by including ws2tcpip.h in the headers while checking for declarations. Unfortunately it looks like you can't do that when checking for implementations and substituting compat versions when not found. So only do that if we don't find declarations; we're already making sure that ws2tcpip.h is included via config.h in source modules. --- configure.ac | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index f927ef6c..0412f538 100644 --- a/configure.ac +++ b/configure.ac @@ -1514,9 +1514,20 @@ CFLAGS="$CFLAGS $LIBBSD_CFLAGS" ],[ AC_MSG_WARN([libbsd not found or usable; using embedded code instead]) ]) -AC_CHECK_DECLS([inet_pton,inet_ntop,strlcpy,arc4random,arc4random_uniform]) -AC_REPLACE_FUNCS(inet_pton) -AC_REPLACE_FUNCS(inet_ntop) +AC_CHECK_DECLS([inet_pton,inet_ntop,strlcpy,arc4random,arc4random_uniform], [], [], [ +AC_INCLUDES_DEFAULT +#ifdef HAVE_WS2TCPIP_H +#include +#endif +]) +AS_IF([test "x$ac_cv_have_decl_inet_pton" = xyes], + [], + [AC_REPLACE_FUNCS(inet_pton)] +) +AS_IF([test "x$ac_cv_have_decl_inet_ntop" = xyes], + [], + [AC_REPLACE_FUNCS(inet_ntop)] +) AC_REPLACE_FUNCS(strlcpy) AC_REPLACE_FUNCS(arc4random) AC_REPLACE_FUNCS(arc4random_uniform) 
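Review bot: The reason the declaration check now pulls in ws2tcpip.h, and why the AC_REPLACE_FUNCS calls are skipped once a declaration is found, exists only in the commit message; a reader of configure.ac sees an includes argument and two AS_IF guards with empty first branches. A `dnl` comment above the AC_CHECK_DECLS call along the lines of `dnl MinGW declares inet_ntop/inet_pton in ws2tcpip.h with prototypes that conflict with the compat versions; substitute compat only when no declaration is found` would keep that rationale next to the code. The placeholder `[]` branches can also go by inverting the test: `AS_IF([test "x$ac_cv_have_decl_inet_pton" != xyes], [AC_REPLACE_FUNCS(inet_pton)])`, and likewise for inet_ntop.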
From 968e914e948d86ad38d395c9d85c94741aa3012a Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 21 Feb 2019 14:37:25 +0000 Subject: [PATCH 092/108] Avoid build errors if $sysconfdir or $runstatedir contain a space. Building on Windows was failing if sysconfdir was, e.g. C:\Program Files. --- src/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Makefile.in b/src/Makefile.in index 411f5874..93a72425 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -215,7 +215,7 @@ stubby.1: $(stubbysrcdir)/doc/stubby.1.in sed -e "s|@ETCDIR@|$(stubbyconfdir)|g" $(stubbysrcdir)/doc/stubby.1.in > $@ stubby.lo: $(stubbysrcdir)/src/stubby.c - $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $(stubbysrcdir)/src/stubby.c -o $@ + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR='"$(sysconfdir)/stubby"' -DRUNSTATEDIR='"$(runstatedir)"' -c $(stubbysrcdir)/src/stubby.c -o $@ stubby: stubby.lo libgetdns.la $(STUBBY_XTRA_OBJS) $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ stubby.lo $(STUBBY_XTRA_OBJS) $(STUBBY_LDFLAGS) libgetdns.la From eebea43b84f64815d74289cd8ff2e5946baa1893 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Wed, 27 Feb 2019 18:28:04 +0000 Subject: [PATCH 093/108] Update README to document root anchor storage directory on Windows. This fixes Stubby issue #153. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 565310c7..c777f507 100644 --- a/README.md +++ b/README.md 
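Review bot: Single quotes stop the shell from splitting the value on spaces, but the text still ends up inside a C string literal, so a path containing backslashes — the commit message's own example, `C:\Program Files` — would be read by the compiler as escape sequences (`\P`, `\s`, …), giving a warning and a silently corrupted directory string rather than a build error. If backslashed paths are expected, escape them before quoting, e.g. `-DSTUBBYCONFDIR='"$(subst \,\\,$(sysconfdir))/stubby"'` and the same for `$(runstatedir)`, or document that these directories must be given with forward slashes. A value containing a single quote would also break the new quoting, though that is far less likely than a backslash on Windows.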
@@ -134,9 +134,9 @@ format. Note that this is different than the format of BIND.keys. When the root trust anchor is not installed in the default location and a DNSSEC query is done, getdns will try to use the trust anchors published here: http://data.iana.org/root-anchors/root-anchors.xml . It will validate these anchors with the ICANN Certificate Authority certificate following the procedure described in [RFC7958]. -The `root-anchors.xml` and `root-anchors.p7s` S/MIME signature will be cached in the `$HOME/.getdns` directory. +The `root-anchors.xml` and `root-anchors.p7s` S/MIME signature will be cached in the `$HOME/.getdns` directory on Unixes, and the `%appdata%\getdns` directory on Windows. -When using trust-anchors from the `root-anchors.xml` file, getdns will track the keys in the root DNSKEY rrset and store a copy in $HOME/.getdns/root.key. +When using trust-anchors from the `root-anchors.xml` file, getdns will track the keys in the root DNSKEY rrset and store a copy in `$HOME/.getdns/root.key` on Unixes, and `%appdata%\getdns\root.key` on Windows. Only when the KSK DNSKEY's change, a new version of `root-anchors.xml` is tried to be retrieved from [data.iana.org](https://data.iana.org/root-anchors/). A installed trust-anchor from the default location (`/etc/unbound/getdns-root.key`) that fails to validate the root DNSKEY RRset, will also trigger the "Zero configuration DNSSEC" procedure described above. From 0abd2345defec5c654b3a607beaaa39f476fd13f Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 28 Feb 2019 16:07:11 +0100 Subject: [PATCH 094/108] New commits in stubby --- stubby | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stubby b/stubby index 8fb853ac..14444aaf 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit 8fb853ac8d6148fd9b53fdcbc107ecd375071ec5 +Subproject commit 14444aaf167ccacbfae4c618affb5a572eb719f1 From 13976cca685ae2cd6baa6699aa579c419f6724b4 Mon Sep 17 00:00:00 2001 
From: Jim Hague Date: Fri, 1 Mar 2019 12:27:48 +0000 Subject: [PATCH 095/108] Update to latest Stubby develop. --- stubby | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stubby b/stubby index 14444aaf..108a15c6 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit 14444aaf167ccacbfae4c618affb5a572eb719f1 +Subproject commit 108a15c63dc08b50d6fd3800cef6948f87e14c8a From 99d15b999cf0a8f37f4cacec16f68854860e2f68 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Mar 2019 14:21:06 +0100 Subject: [PATCH 096/108] Issue #423: Fix insecure delegation detection while scheduling --- ChangeLog | 1 + src/dnssec.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 70 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index b50e946c..4764e9f4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,5 @@ * 2019-??-??: Version 1.?.? + * Issue #423: Fix insecure delegation detection while scheduling. * Issue #419: Escape backslashed when printing in JSON format. Thanks boB Rudis * DOA rr-type diff --git a/src/dnssec.c b/src/dnssec.c index 2be6096e..ab4aa8a0 100644 --- a/src/dnssec.c +++ b/src/dnssec.c 
@@ -1110,6 +1110,65 @@ static void cancel_requests_for_subdomains_of( } head = next; } + +} + +static int nsec3_matches_name(_getdns_rrset *nsec3, const uint8_t *name); +static int nsec3_covers_name( + _getdns_rrset *nsec3, const uint8_t *name, int *opt_out); + +static int insecure_delegation(_getdns_rrset *ds_rrset) +{ + _getdns_rrset nsec_rrset; + _getdns_rrtype_iter *rr, rr_spc; + _getdns_rrsig_iter rrsig_spc; + _getdns_rdf_iter bitmap_spc, *bitmap; + _getdns_rrset_iter *i, i_spc; + + /* For NSEC, an insecure delegation is a NODATA proof for DS */ + nsec_rrset = *ds_rrset; + nsec_rrset.rr_type = GETDNS_RRTYPE_NSEC; + if (!_getdns_rrsig_iter_init(&rrsig_spc, &nsec_rrset)) + ; /* pass */ + else for ( rr = _getdns_rrtype_iter_init(&rr_spc, &nsec_rrset) + ; rr ; rr = _getdns_rrtype_iter_next(rr)) { + + if ((bitmap = _getdns_rdf_iter_init_at( &bitmap_spc + , &rr->rr_i, 1)) + && bitmap_has_type(bitmap, GETDNS_RRTYPE_NS) + && !bitmap_has_type(bitmap, GETDNS_RRTYPE_DS) + && _getdns_rrsig_iter_init(&rrsig_spc, &nsec_rrset)) + return 1; + } + + /* For NSEC3 it is either a NODATA proof with a delegation, + or a NSEC3 opt-out coverage */ + for ( i = _getdns_rrset_iter_init(&i_spc, ds_rrset->pkt + , ds_rrset->pkt_len + , SECTION_NO_ADDITIONAL) + ; i ; i = _getdns_rrset_iter_next(i)) { + _getdns_rrset *nsec3_rrset = _getdns_rrset_iter_value(i); + int opt_out; + + if ( !nsec3_rrset + || nsec3_rrset->rr_type != GETDNS_RRTYPE_NSEC3 + ||!(rr = _getdns_rrtype_iter_init(&rr_spc, nsec3_rrset))) + continue; + + if (!nsec3_covers_name(nsec3_rrset, ds_rrset->name, &opt_out)) + continue; + + if (nsec3_matches_name(nsec3_rrset, ds_rrset->name)) { + bitmap = _getdns_rdf_iter_init_at( &bitmap_spc + , &rr->rr_i, 5); + return bitmap + && bitmap_has_type(bitmap, GETDNS_RRTYPE_NS) + && !bitmap_has_type(bitmap, GETDNS_RRTYPE_DS); + } + else if (opt_out) + return 1; + } + return 0; } static void val_chain_node_cb(getdns_dns_req *dnsreq) 
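Review bot: The NSEC branch of `insecure_delegation` accepts a NODATA proof only when `_getdns_rrsig_iter_init` succeeds on the NSEC RRset (presumably: an RRSIG is present), but the NSEC3 branch returns 1 from an opt-out cover or an NS-without-DS bitmap without any such check on the NSEC3 RRset; if this verdict alone drives `cancel_requests_for_subdomains_of` in the following hunk, an unsigned NSEC3 in a response would be enough to stop DS chasing below the name. Mirroring the NSEC branch closes the asymmetry: add `|| !_getdns_rrsig_iter_init(&rrsig_spc, nsec3_rrset)` to the `continue` condition in the NSEC3 loop. Separately, the NSEC loop re-runs `_getdns_rrsig_iter_init` inside the `for`, although the `if` guarding the loop already established it, so one of the two calls can go. `opt_out` is read only after `nsec3_covers_name` returned non-zero, which is fine provided that function always sets it on success — worth a one-line comment at the call.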
@@ -1158,10 +1217,16 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq) else if (n_signers) { _getdns_rrtype_iter ds_spc; - if (!_getdns_rrtype_iter_init(&ds_spc, &node->ds)) { - debug_sec_print_rrset("A DS NX proof for ", &node->ds); - DEBUG_SEC("Cancel all more specific requests\n"); - cancel_requests_for_subdomains_of(node->chains, node->ds.name); + if (_getdns_rrtype_iter_init(&ds_spc, &node->ds)) + ; /* pass */ + + else if (insecure_delegation(&node->ds)) { + debug_sec_print_rrset("Insecure delegation. " + "Canceling requests below ", &node->ds); + cancel_requests_for_subdomains_of( + node->chains, node->ds.name); + } else { + debug_sec_print_rrset("No DS at ", &node->ds); } } else { /* No signed DS and no signed proof of non-existance. From 7438de712af16995fdbf1a0c094b3b32de737a7c Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Fri, 15 Mar 2019 12:13:38 +0100 Subject: [PATCH 097/108] Issue #422: Update server & client TFO Seems to work for TLS now too. At least on Linux. Thanks Craig Andrews --- ChangeLog | 3 +++ configure.ac | 30 ++++++++++++++++++++++++++---- src/server.c | 8 +++++++- src/stub.c | 50 ++++++++++++++++++++++++++++++++++++++------------ 4 files changed, 74 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4764e9f4..3054561f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ * 2019-??-??: Version 1.?.? + * Issue #422: Enable server side and update client side TCP Fast + Open implementation. Thanks Craig Andrews * Issue #423: Fix insecure delegation detection while scheduling. + Thanks Charles Milette * Issue #419: Escape backslashed when printing in JSON format. Thanks boB Rudis * DOA rr-type diff --git a/configure.ac b/configure.ac index 0412f538..ff837502 100644 --- a/configure.ac +++ b/configure.ac 
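Review bot: The new `else` branch only emits the "No DS at" debug line and leaves the more-specific requests scheduled; that looks deliberate (an unproven DS absence should not be treated as an insecure delegation, which appears to be what the commit fixes), but nothing in the code says so, and the next reader may well "restore" the cancel call that the removed lines had. A comment there such as `/* DS absent but not proven absent: keep chasing the subtree rather than cut the chain on an unauthenticated answer */` would lock the intent in. The enclosing `val_chain_node_cb` starts and ends outside the hunk.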
@@ -302,13 +302,31 @@ if test "x$enable_tcp_fastopen" = xno; then AC_MSG_WARN([TCP Fast Open is disabled]) else case `uname` in - Linux) AC_CHECK_DECL([MSG_FASTOPEN], [AC_DEFINE_UNQUOTED([USE_TCP_FASTOPEN], [1], [Define this to enable TCP fast open.])], - [AC_MSG_WARN([TCP Fast Open is not available, continuing without])], [#include ]) - ;; Darwin) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_DEFINE_UNQUOTED([USE_OSX_TCP_FASTOPEN], [1], [Define this to enable TCP fast open.])], [AC_MSG_WARN([TCP Fast Open is not available, continuing without])], [#include ]) ;; - *) AC_MSG_WARN([TCP Fast Open is not available, continuing without]) + *) + AC_CHECK_HEADERS([sys/socket.h netinet/tcp.h],,, [AC_INCLUDES_DEFAULT]) + AC_CHECK_DECL([TCP_FASTOPEN], [ + AC_DEFINE_UNQUOTED([USE_TCP_FASTOPEN], [1], [Define this to enable TCP fast open.]) + AC_CHECK_DECLS([TCP_FASTOPEN,MSG_FASTOPEN,TCP_FASTOPEN_CONNECT], [], [], [AC_INCLUDES_DEFAULT +#ifdef HAVE_SYS_SOCKET_H +# include +#endif +#ifdef HAVE_NETINET_TCP_H +# include +#endif +]) + ], [ + AC_MSG_WARN([TCP Fast Open is not available, continuing without]) + ], [AC_INCLUDES_DEFAULT +#ifdef HAVE_SYS_SOCKET_H +# include +#endif +#ifdef HAVE_NETINET_TCP_H +# include +#endif +]) ;; esac fi @@ -1731,6 +1749,10 @@ static inline int _gldns_custom_vsnprintf(char *str, size_t size, const char *fo #include #endif +#ifdef HAVE_NETINET_TCP_H +#include +#endif + #ifdef HAVE_SYS_SELECT_H #include #endif diff --git a/src/server.c b/src/server.c index 3736a6f2..5b1edd86 100644 --- a/src/server.c +++ b/src/server.c @@ -860,9 +860,15 @@ static getdns_return_t add_listeners(listen_set *set) break; if (setsockopt(l->fd, SOL_SOCKET, SO_REUSEADDR, - &enable, sizeof(int)) < 0) { + &enable, sizeof(enable)) < 0) { ; /* Ignore */ } +#ifdef HAVE_DECL_TCP_FASTOPEN + if (setsockopt(l->fd, IPPROTO_TCP, TCP_FASTOPEN, + &enable, sizeof(enable)) < 0) { + ; /* Ignore */ + } +#endif if (bind(l->fd, (struct sockaddr *)&l->addr, l->addr_len) == -1) /* IO error */ 
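Review bot: The AC_CHECK_HEADERS for sys/socket.h and netinet/tcp.h runs only inside the `*)` arm of the `uname` case, yet the second configure.ac hunk adds an unconditional `#ifdef HAVE_NETINET_TCP_H` include to the config.h template; with `--disable-tcp-fastopen`, or on Darwin, the header is never probed, so that include silently does nothing in those builds. If netinet/tcp.h is wanted in general, move the AC_CHECK_HEADERS call out of the case to where the other header checks live. The includes block handed to AC_CHECK_DECL and AC_CHECK_DECLS is also written out twice verbatim; a shell variable or m4 macro holding it would keep the two copies from drifting.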
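Review bot: `#ifdef HAVE_DECL_TCP_FASTOPEN` tests the wrong thing for an AC_CHECK_DECLS result: autoconf defines `HAVE_DECL_<sym>` to 1 or to 0 once the check has run, so the conditional should be `#if HAVE_DECL_TCP_FASTOPEN`. Here it is harmless, because configure only runs that AC_CHECK_DECLS after AC_CHECK_DECL found TCP_FASTOPEN, but the same `#ifdef` form is used in the stub.c hunks at -405 and -739 for `HAVE_DECL_TCP_FASTOPEN_CONNECT` and `HAVE_DECL_MSG_FASTOPEN`, which are in the same AC_CHECK_DECLS list and are therefore defined to 0 on a platform that lacks them — there the `#ifdef` is true and `TCP_FASTOPEN_CONNECT`/`MSG_FASTOPEN` reach the compiler undeclared. Change all of them to the `#if HAVE_DECL_...` form. As far as I know, on Linux the value passed with TCP_FASTOPEN on a listening socket is the length of the pending fast-open queue rather than a boolean, so reusing `enable` (1) caps it at a single pending TFO request; a separately named constant would make the intent visible. `add_listeners` begins before this hunk.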
diff --git a/src/stub.c b/src/stub.c index c5a467fe..c71ce1ca 100644 --- a/src/stub.c +++ b/src/stub.c @@ -375,22 +375,23 @@ getdns_sock_nonblock(int sockfd) static int tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport) { +#if defined(TCP_FASTOPEN) || defined(TCP_FASTOPEN_CONNECT) +# ifdef USE_WINSOCK + static const char enable = 1; +# else + static const int enable = 1; +# endif +#endif int fd = -1; + + DEBUG_STUB("%s %-35s: Creating TCP connection: %p\n", STUB_DEBUG_SETUP, __FUNC__, (void*)upstream); if ((fd = socket(upstream->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) return -1; getdns_sock_nonblock(fd); - /* Note that error detection is different with TFO. Since the handshake - doesn't start till the sendto() lack of connection is often delayed until - then or even the subsequent event depending on the error and platform.*/ -#ifdef USE_TCP_FASTOPEN - /* Leave the connect to the later call to sendto() if using TCP*/ - if (transport == GETDNS_TRANSPORT_TCP) - return fd; -#elif USE_OSX_TCP_FASTOPEN - (void)transport; +#ifdef USE_OSX_TCP_FASTOPEN sa_endpoints_t endpoints; endpoints.sae_srcif = 0; endpoints.sae_srcaddr = NULL; 
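Review bot: The `enable` constant is declared under `#if defined(TCP_FASTOPEN) || defined(TCP_FASTOPEN_CONNECT)`, while its only uses, in the next hunk, are guarded by `HAVE_DECL_TCP_FASTOPEN_CONNECT` and `HAVE_DECL_TCP_FASTOPEN`; two different tests for the same facility can drift apart and then fail as either an unused variable or an undeclared identifier depending on which way they differ. Pick one form — the configure-derived macros, since they also gate the setsockopt calls — and use it for the declaration as well. `tcp_connect` continues past the end of this hunk.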
@@ -405,9 +406,29 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport) if (_getdns_socketerror() == _getdns_EINPROGRESS || _getdns_socketerror() == _getdns_EWOULDBLOCK) return fd; -#else + (void)transport; -#endif +#else /* USE_OSX_TCP_FASTOPEN */ + /* Note that error detection is different with TFO. Since the handshake + doesn't start till the sendto() lack of connection is often delayed until + then or even the subsequent event depending on the error and platform.*/ +# ifdef HAVE_DECL_TCP_FASTOPEN_CONNECT + (void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT + , (void *)&enable, sizeof(enable)); +# else /* HAVE_DECL_TCP_FASTOPEN_CONNECT */ +# ifdef HAVE_DECL_TCP_FASTOPEN + (void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN + , (void *)&enable, sizeof(enable)); +# endif/* HAVE_DECL_TCP_FASTOPEN*/ +# endif /* HAVE_DECL_TCP_FASTOPEN_CONNECT */ +# ifdef HAVE_DECL_MSG_FASTOPEN + /* Leave the connect to the later call to sendto() if using TCP*/ + if (transport == GETDNS_TRANSPORT_TCP) + return fd; +# else /* HAVE_DECL_MSG_FASTOPEN */ + (void)transport; +# endif /* HAVE_DECL_MSG_FASTOPEN */ +#endif /* USE_OSX_TCP_FASTOPEN */ if (connect(fd, (struct sockaddr *)&upstream->addr, upstream->addr_len) == -1) { if (_getdns_socketerror() == _getdns_EINPROGRESS || @@ -739,7 +760,12 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq) /* We use sendto() here which will do both a connect and send */ #ifdef USE_TCP_FASTOPEN written = sendto(fd, netreq->query - 2, pkt_len + 2, - MSG_FASTOPEN, (struct sockaddr *)&(netreq->upstream->addr), +# ifdef HAVE_DECL_MSG_FASTOPEN + MSG_FASTOPEN, +# else + 0, +# endif + (struct sockaddr *)&(netreq->upstream->addr), netreq->upstream->addr_len); /* If pipelining we will find that the connection is already up so just fall back to a 'normal' write. */ From 324370c537edaaf415f9b57545236993689d13c1 Mon Sep 17 00:00:00 2001 
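Review bot: Both `setsockopt()` results are discarded with `(void)`, so when fast open silently stays off there is no trace of why; the function already reports connection setup through DEBUG_STUB, and a `DEBUG_STUB(...)` on the failure path of each call would cost nothing outside debug builds. The `(void *)&enable` cast also strips the `const` from `enable`: `setsockopt()` takes a `const void *` (a `const char *` under Winsock, where `enable` is declared `const char`), so plain `&enable` is correct and keeps `-Wcast-qual` quiet. `tcp_connect` begins before this hunk.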
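Review bot: When MSG_FASTOPEN is unavailable the flags argument becomes 0, but the call is still a `sendto()` carrying a destination address on a socket that, per the -405 hunk, `tcp_connect()` has already `connect()`ed; some platforms reject that on a connected stream socket with EISCONN while others ignore the address, so this path presumably relies on the "connection is already up" fallback described in the comment after the hunk rather than on a fast-open send. A comment making that explicit, e.g. `/* no MSG_FASTOPEN: the socket is already connected, so this either sends normally or fails with EISCONN and falls back to the plain write below */`, would document that the `0` branch is intentional and not a lost flag. `stub_tcp_write` starts before the hunk.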
From: Willem Toorop Date: Fri, 15 Mar 2019 16:50:10 +0100 Subject: [PATCH 098/108] GnuTLS with Zero configuration DNSSEC --- configure.ac | 12 +- spec/example/Makefile.in | 24 +- src/Makefile.in | 480 +++++++----------- src/gnutls/anchor-internal.c | 48 -- src/gnutls/pubkey-pinning-internal.h | 0 src/gnutls/val_secalgo.c | 1 - src/gnutls/validator | 1 - src/test/Makefile.in | 71 +-- src/{openssl => tls}/anchor-internal.c | 1 + .../pubkey-pinning-internal.h | 0 src/{openssl => tls}/val_secalgo.c | 2 +- src/{openssl => tls}/validator/val_nsec3.h | 0 src/{openssl => tls}/validator/val_secalgo.h | 0 src/tools/Makefile.in | 11 +- 14 files changed, 235 insertions(+), 416 deletions(-) delete mode 100644 src/gnutls/anchor-internal.c delete mode 100644 src/gnutls/pubkey-pinning-internal.h delete mode 120000 src/gnutls/val_secalgo.c delete mode 120000 src/gnutls/validator rename src/{openssl => tls}/anchor-internal.c (99%) rename src/{openssl => tls}/pubkey-pinning-internal.h (100%) rename src/{openssl => tls}/val_secalgo.c (99%) rename src/{openssl => tls}/validator/val_nsec3.h (100%) rename src/{openssl => tls}/validator/val_secalgo.h (100%) diff --git a/configure.ac b/configure.ac index ff837502..e7625f5b 100644 --- a/configure.ac +++ b/configure.ac @@ -478,6 +478,14 @@ AC_ARG_WITH([gnutls], AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto]) AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT]) fi + # Zero configuration DNSSEC we still need libcrypto + AC_CHECK_HEADERS([openssl/x509.h],,, [AC_INCLUDES_DEFAULT]) + AC_CHECK_LIB([crypto], [X509_STORE_new], [ + AC_DEFINE_UNQUOTED([HAVE_LIBCRYPTO], [2], [Define to 1 if you have the `crypto' library (-lcrypto).]) dnl + LIBS="-lcrypto $LIBS" + ], [ + AC_MSG_ERROR([libcrypto still needed for Zero configuration DNSSEC]) + ]) ], [ if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then 
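Review bot: `HAVE_LIBCRYPTO` is defined to 2 while the description string passed to AC_DEFINE_UNQUOTED still says "Define to 1 if you have the crypto library", so the generated config.h documents a value the macro never takes in this branch. If 2 is meant to distinguish "libcrypto linked only for Zero configuration DNSSEC" from a full OpenSSL build, say so in that string, e.g. `[Define to 1 if you have the crypto library (-lcrypto), 2 if it is linked only for Zero configuration DNSSEC.]`, and confirm that every `#if`/`#ifdef HAVE_LIBCRYPTO` consumer copes with 2; otherwise define it to 1. Note that AC_CHECK_LIB's default action already defines HAVE_LIBCRYPTO and prepends -lcrypto to LIBS, so the explicit action-if-found only earns its keep for the non-default value.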
@@ -1773,10 +1781,6 @@ static inline int _gldns_custom_vsnprintf(char *str, size_t size, const char *fo #include #endif -#ifdef HAVE_OPENSSL_SSL_H -#include -#endif - #ifdef HAVE_INTTYPES_H #include #endif diff --git a/spec/example/Makefile.in b/spec/example/Makefile.in index 8ff7f2d1..7bf5e016 100644 --- a/spec/example/Makefile.in +++ b/spec/example/Makefile.in 
@@ -149,24 +149,16 @@ depend: # Dependencies for the examples example-all-functions.lo example-all-functions.o: $(srcdir)/example-all-functions.c $(srcdir)/getdns_libevent.h \ - ../../src/config.h \ - ../../src/getdns/getdns.h \ - $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ - ../../src/getdns/getdns_extra.h -example-reverse.lo example-reverse.o: $(srcdir)/example-reverse.c $(srcdir)/getdns_libevent.h \ - ../../src/config.h \ - ../../src/getdns/getdns.h \ - $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ + ../../src/config.h ../../src/getdns/getdns.h \ + $(srcdir)/../../src/getdns/getdns_ext_libevent.h ../../src/getdns/getdns_extra.h +example-reverse.lo example-reverse.o: $(srcdir)/example-reverse.c $(srcdir)/getdns_libevent.h ../../src/config.h \ + ../../src/getdns/getdns.h $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ ../../src/getdns/getdns_extra.h example-simple-answers.lo example-simple-answers.o: $(srcdir)/example-simple-answers.c $(srcdir)/getdns_libevent.h \ - ../../src/config.h \ - ../../src/getdns/getdns.h \ - $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ - ../../src/getdns/getdns_extra.h + ../../src/config.h ../../src/getdns/getdns.h \ + $(srcdir)/../../src/getdns/getdns_ext_libevent.h ../../src/getdns/getdns_extra.h example-synchronous.lo example-synchronous.o: $(srcdir)/example-synchronous.c $(srcdir)/getdns_core_only.h \ ../../src/getdns/getdns.h -example-tree.lo example-tree.o: $(srcdir)/example-tree.c $(srcdir)/getdns_libevent.h \ - ../../src/config.h \ - ../../src/getdns/getdns.h \ - $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ +example-tree.lo example-tree.o: $(srcdir)/example-tree.c $(srcdir)/getdns_libevent.h ../../src/config.h \ + ../../src/getdns/getdns.h $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ ../../src/getdns/getdns_extra.h diff --git a/src/Makefile.in b/src/Makefile.in index 93a72425..2632d11b 100644 --- a/src/Makefile.in +++ b/src/Makefile.in 
@@ -57,7 +57,7 @@ stubbysrcdir = $(srcdir)/../stubby LIBTOOL = ../libtool CC=@CC@ -CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/$(tlsdir) -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS) +CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/tls -I$(srcdir)/$(tlsdir) -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS) WPEDANTICFLAG=@WPEDANTICFLAG@ WNOERRORFLAG=@WNOERRORFLAG@ LDFLAGS=@LDFLAGS@ @LIBS@ @@ -95,7 +95,8 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo) UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo JSMN_OBJ=jsmn.lo -TLS_OBJ=tls.lo pubkey-pinning-internal.lo keyraw-internal.lo val_secalgo.lo anchor-internal.lo +TLS_OBJ=tls.lo pubkey-pinning-internal.lo keyraw-internal.lo +TLS_COMMON_OBJ=val_secalgo.lo anchor-internal.lo YXML_OBJ=yxml.lo YAML_OBJ=convert_yaml_to_json.lo @@ -138,6 +139,9 @@ $(JSMN_OBJ): $(TLS_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/$(tlsdir)/$(@:.lo=.c) -o $@ +$(TLS_COMMON_OBJ): + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/tls/$(@:.lo=.c) -o $@ + $(YAML_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@ 
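Review bot: The new `$(TLS_COMMON_OBJ):` rule names no prerequisite, so Make only learns about `$(srcdir)/tls/$(@:.lo=.c)` if the generated `# Dependencies` block lists it; a static pattern rule carries the source explicitly and lets the recipe use `$<`: `$(TLS_COMMON_OBJ): %.lo: $(srcdir)/tls/%.c` followed by `$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $< -o $@`. The `$(TLS_OBJ):` rule just above has the same shape and could get the same treatment. In the -57 hunk, `-I$(srcdir)/tls` now precedes `-I$(srcdir)/$(tlsdir)`, so a header present under both directories resolves to tls/ first; if that precedence is intended (the rename list shows files moving from openssl/ to tls/), a short comment next to CFLAGS would record it.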
@@ -199,8 +203,8 @@ libgetdns_ext_uv.la: libgetdns.la libuv.lo libgetdns_ext_ev.la: libgetdns.la libev.lo $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libev.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEV_LDFLAGS) $(EXTENSION_LIBEV_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libev.symbols -libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) - $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols +libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(TLS_COMMON_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) + $(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(TLS_COMMON_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols test: default cd test && $(MAKE) $@ 
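Review bot: The link recipe repeats the whole prerequisite list verbatim, and this commit had to edit both copies to add `$(TLS_COMMON_OBJ)`; since every prerequisite of `libgetdns.la` is also a link input, `$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $^ $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols` keeps the two in step automatically. `$^` drops duplicate words, which should be harmless for a list of distinct object files but is worth a glance if any of the `_OBJ` variables overlap.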
@@ -276,7 +280,7 @@ Makefile: $(srcdir)/Makefile.in ../config.status depend: (cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new ) - (blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -I$(tlsdir) -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c $(tlsdir)/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \ + (blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Itls -I$(tlsdir) -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c $(tlsdir)/*.c yxml/*.c extension/*.c ../stubby/src/*.c | \ sed -e "s? $$blddir/? ?g" \ -e 's? gldns/? $$(srcdir)/gldns/?g' \ -e 's? compat/? $$(srcdir)/compat/?g' \ 
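Review bot: `-Itls` is added to the include path, but the file list handed to `gcc -MM` still enumerates `$(tlsdir)/*.c` only, not `tls/*.c`, so no dependency lines are generated for the sources that the new `$(TLS_COMMON_OBJ)` rule compiles from `$(srcdir)/tls/` (val_secalgo.c and anchor-internal.c per the rename list); combined with that rule having no prerequisite of its own, those objects would, as far as I can see, never be rebuilt after their sources change once they exist. Add `tls/*.c` after `$(tlsdir)/*.c` in the glob list, and check that the sed rewrites following the hunk (cut off here) also map ` tls/` to ` $$(srcdir)/tls/` as they do for gldns/ and compat/. The recipe also calls `gcc` literally rather than `$(CC)`; that predates this change but is worth fixing while the line is being touched.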
@@ -304,307 +308,207 @@ depend: FORCE: # Dependencies for gldns, utils, the extensions and compat functions -anchor.lo anchor.o: $(srcdir)/anchor.c \ - config.h $(srcdir)/debug.h \ - $(srcdir)/anchor.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dnssec.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \ +anchor.lo anchor.o: $(srcdir)/anchor.c config.h $(srcdir)/debug.h $(srcdir)/anchor.h getdns/getdns.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + config.h $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ + $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h \ $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h -const-info.lo const-info.o: $(srcdir)/const-info.c \ - getdns/getdns.h \ - getdns/getdns_extra.h \ +const-info.lo const-info.o: $(srcdir)/const-info.c getdns/getdns.h getdns/getdns_extra.h \ + getdns/getdns.h $(srcdir)/const-info.h +context.lo context.o: $(srcdir)/context.c config.h $(srcdir)/anchor.h getdns/getdns.h \ + 
getdns/getdns_extra.h getdns/getdns.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \ $(srcdir)/const-info.h -context.lo context.o: $(srcdir)/context.c \ - config.h $(srcdir)/anchor.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h \ - $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h -convert.lo convert.o: $(srcdir)/convert.c \ - config.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h 
$(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ - $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h \ - $(srcdir)/debug.h -dict.lo dict.o: $(srcdir)/dict.c config.h \ - $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h \ - $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h -dnssec.lo dnssec.o: $(srcdir)/dnssec.c \ - config.h $(srcdir)/debug.h \ - getdns/getdns.h \ - $(srcdir)/context.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ +convert.lo convert.o: $(srcdir)/convert.c config.h getdns/getdns.h getdns/getdns_extra.h \ + getdns/getdns.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + 
$(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \ + $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h +dict.lo dict.o: $(srcdir)/dict.c config.h $(srcdir)/types-internal.h getdns/getdns.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ + getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ + $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h \ + $(srcdir)/gldns/parseutil.h +dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h $(srcdir)/debug.h getdns/getdns.h $(srcdir)/context.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ + $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ + $(srcdir)/gldns/rrdef.h 
$(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \ $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h -general.lo general.o: $(srcdir)/general.c \ - config.h $(srcdir)/general.h \ - getdns/getdns.h \ - $(srcdir)/types-internal.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h -list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \ - config.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ +general.lo general.o: $(srcdir)/general.c config.h $(srcdir)/general.h getdns/getdns.h $(srcdir)/types-internal.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ + getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h 
$(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ + $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h +list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h getdns/getdns.h getdns/getdns_extra.h \ + getdns/getdns.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \ + config.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h -mdns.lo mdns.o: $(srcdir)/mdns.c config.h \ - $(srcdir)/debug.h $(srcdir)/context.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h -platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \ - config.h -pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \ - config.h $(srcdir)/debug.h \ - getdns/getdns.h \ - $(srcdir)/context.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ +mdns.lo mdns.o: $(srcdir)/mdns.c config.h $(srcdir)/debug.h 
$(srcdir)/context.h getdns/getdns.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ + $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h +platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h config.h +pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c config.h $(srcdir)/debug.h getdns/getdns.h \ + $(srcdir)/context.h getdns/getdns.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ + config.h $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/$(tlsdir)/pubkey-pinning-internal.h -request-internal.lo request-internal.o: $(srcdir)/request-internal.c \ - config.h \ - $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/rrdef.h \ - 
$(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h -rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ - config.h \ - getdns/getdns.h \ - $(srcdir)/gldns/gbuffer.h $(srcdir)/util-internal.h $(srcdir)/context.h \ - getdns/getdns_extra.h \ + $(srcdir)/gldns/parseutil.h $(srcdir)/pubkey-pinning.h tls/pubkey-pinning-internal.h +request-internal.lo request-internal.o: $(srcdir)/request-internal.c config.h $(srcdir)/types-internal.h \ + getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ + getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ + $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h +rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h config.h getdns/getdns.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/util-internal.h $(srcdir)/context.h getdns/getdns_extra.h getdns/getdns.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \ - $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h -rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ - config.h \ - getdns/getdns.h \ + $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ + 
getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ + $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h +rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h config.h getdns/getdns.h \ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h -server.lo server.o: $(srcdir)/server.c \ - config.h \ - getdns/getdns_extra.h \ - getdns/getdns.h \ - $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/debug.h \ - $(srcdir)/util-internal.h $(srcdir)/platform.h -stub.lo stub.o: $(srcdir)/stub.c config.h \ - $(srcdir)/debug.h $(srcdir)/stub.h \ - getdns/getdns.h \ - $(srcdir)/types-internal.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \ - $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \ - $(srcdir)/pubkey-pinning.h -sync.lo sync.o: $(srcdir)/sync.c \ - getdns/getdns.h \ - config.h $(srcdir)/context.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - 
$(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ +server.lo server.o: $(srcdir)/server.c config.h getdns/getdns_extra.h getdns/getdns.h \ + $(srcdir)/context.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/platform.h +stub.lo stub.o: $(srcdir)/stub.c config.h $(srcdir)/debug.h $(srcdir)/stub.h getdns/getdns.h $(srcdir)/types-internal.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h +sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h config.h $(srcdir)/context.h getdns/getdns_extra.h \ + getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h 
$(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \ $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h -ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \ - config.h -util-internal.lo util-internal.o: $(srcdir)/util-internal.c \ - config.h \ - getdns/getdns.h $(srcdir)/dict.h \ +ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h config.h getdns/getdns.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h +util-internal.lo util-internal.o: $(srcdir)/util-internal.c config.h getdns/getdns.h $(srcdir)/dict.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ - getdns/getdns_extra.h \ - $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ + getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \ $(srcdir)/gldns/rrdef.h -gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ - 
config.h \ +version.lo version.o: version.c +gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c config.h $(srcdir)/gldns/gbuffer.h +keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c config.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h +parse.lo parse.o: $(srcdir)/gldns/parse.c config.h $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h \ $(srcdir)/gldns/gbuffer.h -keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ - config.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h -parse.lo parse.o: $(srcdir)/gldns/parse.c \ - config.h $(srcdir)/gldns/parse.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h -parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \ - config.h \ - $(srcdir)/gldns/parseutil.h -rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \ - config.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/gldns/parseutil.h -str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \ - config.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h -wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \ - config.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/$(tlsdir)/keyraw-internal.h -arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \ - config.h -arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \ - config.h \ - $(srcdir)/compat/chacha_private.h -arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c \ - config.h -explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c \ - config.h -getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c \ - config.h -getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c \ - config.h -getentropy_solaris.lo 
getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c \ - config.h +parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c config.h $(srcdir)/gldns/parseutil.h +rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c config.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h +str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c config.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h +wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c config.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h +arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h +arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h +arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c config.h +explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h +getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h +getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h +getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c -gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c \ - config.h -inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c \ - config.h -inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c \ - config.h -sha512.lo sha512.o: $(srcdir)/compat/sha512.c \ - config.h -strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \ - config.h -strptime.lo strptime.o: $(srcdir)/compat/strptime.c \ - config.h -locks.lo locks.o: $(srcdir)/util/locks.c \ - config.h $(srcdir)/util/locks.h \ - $(srcdir)/util/orig-headers/locks.h 
$(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h -lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \ - config.h \ - $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \ - $(srcdir)/util/orig-headers/lookup3.h -lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \ - config.h \ - $(srcdir)/util/auxiliary/util/storage/lruhash.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h -rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ - config.h \ - $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \ - $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h +gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c config.h +inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c config.h +inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c config.h +sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h +strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h +strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h +locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ + $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h +lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c config.h $(srcdir)/util/auxiliary/util/storage/lookup3.h \ + $(srcdir)/util/lookup3.h $(srcdir)/util/orig-headers/lookup3.h +lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c config.h $(srcdir)/util/auxiliary/util/storage/lruhash.h \ + $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h \ + $(srcdir)/util/auxiliary/util/fptr_wlist.h +rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h 
$(srcdir)/util/auxiliary/log.h \ + $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h $(srcdir)/util/auxiliary/fptr_wlist.h \ + $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h -anchor-internal.lo anchor-internal.o: $(srcdir)/$(tlsdir)/anchor-internal.c \ - config.h $(srcdir)/anchor.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h -keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c \ - config.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h -pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c $(srcdir)/context.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - config.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/pubkey-pinning.h -tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c \ - config.h $(srcdir)/debug.h \ - $(srcdir)/context.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h 
$(srcdir)/tls.h -val_secalgo.lo val_secalgo.o: $(srcdir)/$(tlsdir)/val_secalgo.c \ - config.h \ - $(srcdir)/util/auxiliary/util/data/packed_rrset.h $(srcdir)/$(tlsdir)/validator/val_secalgo.h \ - $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h $(srcdir)/$(tlsdir)/validator/val_nsec3.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/util/auxiliary/sldns/sbuffer.h +keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c config.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h +pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c config.h \ + $(srcdir)/debug.h config.h getdns/getdns.h $(srcdir)/context.h getdns/getdns.h \ + getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/context.h tls/pubkey-pinning-internal.h +tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c config.h $(srcdir)/debug.h config.h $(srcdir)/context.h getdns/getdns.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ + $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + 
$(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/const-info.h $(srcdir)/tls.h yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h -libev.lo libev.o: $(srcdir)/extension/libev.c \ - config.h \ - $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h -libevent.lo libevent.o: $(srcdir)/extension/libevent.c \ - config.h \ - $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h -libuv.lo libuv.o: $(srcdir)/extension/libuv.c \ - config.h $(srcdir)/debug.h \ - $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h -poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \ - config.h \ - $(srcdir)/util-internal.h $(srcdir)/context.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ +libev.lo libev.o: $(srcdir)/extension/libev.c config.h $(srcdir)/types-internal.h getdns/getdns.h \ + getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h \ + getdns/getdns_extra.h +libevent.lo libevent.o: $(srcdir)/extension/libevent.c config.h $(srcdir)/types-internal.h \ + getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h \ + getdns/getdns_extra.h +libuv.lo libuv.o: $(srcdir)/extension/libuv.c config.h $(srcdir)/debug.h config.h $(srcdir)/types-internal.h \ + getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h \ + getdns/getdns_extra.h +poll_eventloop.lo 
poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c config.h $(srcdir)/util-internal.h \ + config.h $(srcdir)/context.h getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h -select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \ - config.h $(srcdir)/debug.h \ - $(srcdir)/types-internal.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \ - $(srcdir)/extension/select_eventloop.h -stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c \ - config.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h + getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ + $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h +select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c config.h $(srcdir)/debug.h \ + config.h $(srcdir)/types-internal.h getdns/getdns.h getdns/getdns_extra.h \ + getdns/getdns.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \ + $(srcdir)/extension/select_eventloop.h getdns/getdns_extra.h +stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c config.h getdns/getdns.h \ + getdns/getdns_extra.h $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h 
diff --git a/src/gnutls/anchor-internal.c b/src/gnutls/anchor-internal.c
deleted file mode 100644
index 45b58d52..00000000
--- a/src/gnutls/anchor-internal.c
+++ /dev/null
@@ -1,48 +0,0 @@ -/** - * - * /brief functions for DNSSEC trust anchor management - * - */ - -/* - * Copyright (c) 2017, NLnet Labs - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of the copyright holders nor the - * names of its contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY - * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND - * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "config.h" -#include "anchor.h" - -void _getdns_context_equip_with_anchor( - getdns_context *context, uint64_t *now_ms) -{ -} - -uint8_t *_getdns_tas_validate(struct mem_funcs *mf, - const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd, - const getdns_bindata *crt_bd, const char *p7signer, - uint64_t *now_ms, uint8_t *tas, size_t *tas_len) -{ - return NULL; -} diff --git a/src/gnutls/pubkey-pinning-internal.h b/src/gnutls/pubkey-pinning-internal.h deleted file mode 100644 index e69de29b..00000000 diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c deleted file mode 120000 index 446f8e5f..00000000 --- a/src/gnutls/val_secalgo.c +++ /dev/null @@ -1 +0,0 @@ -../openssl/val_secalgo.c \ No newline at end of file diff --git a/src/gnutls/validator b/src/gnutls/validator deleted file mode 120000 index 3e9ba44b..00000000 --- a/src/gnutls/validator +++ /dev/null @@ -1 +0,0 @@ -../openssl/validator \ No newline at end of file diff --git a/src/test/Makefile.in b/src/test/Makefile.in index 9d4dad00..00211237 100644 --- a/src/test/Makefile.in +++ b/src/test/Makefile.in 
@@ -231,13 +231,10 @@ depend: .PHONY: clean test # Dependencies for the unit tests -check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c \ - ../getdns/getdns.h \ - $(srcdir)/check_getdns_common.h \ - ../getdns/getdns_extra.h \ - $(srcdir)/check_getdns_address.h $(srcdir)/check_getdns_address_sync.h \ - $(srcdir)/check_getdns_cancel_callback.h $(srcdir)/check_getdns_context_create.h \ - $(srcdir)/check_getdns_context_destroy.h \ +check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c ../getdns/getdns.h $(srcdir)/check_getdns_common.h \ + ../getdns/getdns_extra.h $(srcdir)/check_getdns_address.h \ + $(srcdir)/check_getdns_address_sync.h $(srcdir)/check_getdns_cancel_callback.h \ + $(srcdir)/check_getdns_context_create.h $(srcdir)/check_getdns_context_destroy.h \ $(srcdir)/check_getdns_context_set_context_update_callback.h \ $(srcdir)/check_getdns_context_set_dns_transport.h \ $(srcdir)/check_getdns_context_set_timeout.h \ 
@@ -257,58 +254,34 @@ check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c \ $(srcdir)/check_getdns_list_get_list.h $(srcdir)/check_getdns_pretty_print_dict.h \ $(srcdir)/check_getdns_service.h $(srcdir)/check_getdns_service_sync.h \ $(srcdir)/check_getdns_transport.h -check_getdns_common.lo check_getdns_common.o: $(srcdir)/check_getdns_common.c \ - ../getdns/getdns.h \ - ../config.h \ - $(srcdir)/check_getdns_common.h \ - ../getdns/getdns_extra.h \ +check_getdns_common.lo check_getdns_common.o: $(srcdir)/check_getdns_common.c ../getdns/getdns.h \ + ../config.h $(srcdir)/check_getdns_common.h ../getdns/getdns_extra.h \ $(srcdir)/check_getdns_eventloop.h check_getdns_context_set_timeout.lo check_getdns_context_set_timeout.o: $(srcdir)/check_getdns_context_set_timeout.c \ $(srcdir)/check_getdns_context_set_timeout.h $(srcdir)/check_getdns_common.h \ - ../getdns/getdns.h \ - ../getdns/getdns_extra.h + ../getdns/getdns.h ../getdns/getdns_extra.h check_getdns_libev.lo check_getdns_libev.o: $(srcdir)/check_getdns_libev.c $(srcdir)/check_getdns_eventloop.h \ - ../config.h \ - ../getdns/getdns.h \ - $(srcdir)/../getdns/getdns_ext_libev.h \ - ../getdns/getdns_extra.h \ - $(srcdir)/check_getdns_common.h + ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libev.h \ + ../getdns/getdns_extra.h $(srcdir)/check_getdns_common.h check_getdns_libevent.lo check_getdns_libevent.o: $(srcdir)/check_getdns_libevent.c $(srcdir)/check_getdns_eventloop.h \ - ../config.h \ - ../getdns/getdns.h \ - $(srcdir)/../getdns/getdns_ext_libevent.h \ - ../getdns/getdns_extra.h \ - $(srcdir)/check_getdns_libevent.h $(srcdir)/check_getdns_common.h + ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libevent.h \ + ../getdns/getdns_extra.h $(srcdir)/check_getdns_libevent.h $(srcdir)/check_getdns_common.h check_getdns_libuv.lo check_getdns_libuv.o: $(srcdir)/check_getdns_libuv.c $(srcdir)/check_getdns_eventloop.h \ - ../config.h \ - ../getdns/getdns.h \ - 
$(srcdir)/../getdns/getdns_ext_libuv.h \ - ../getdns/getdns_extra.h \ - $(srcdir)/check_getdns_common.h + ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libuv.h \ + ../getdns/getdns_extra.h $(srcdir)/check_getdns_common.h check_getdns_selectloop.lo check_getdns_selectloop.o: $(srcdir)/check_getdns_selectloop.c \ - $(srcdir)/check_getdns_eventloop.h \ - ../config.h \ - ../getdns/getdns.h \ + $(srcdir)/check_getdns_eventloop.h ../config.h ../getdns/getdns.h \ ../getdns/getdns_extra.h check_getdns_transport.lo check_getdns_transport.o: $(srcdir)/check_getdns_transport.c \ - $(srcdir)/check_getdns_transport.h $(srcdir)/check_getdns_common.h \ - ../getdns/getdns.h \ + $(srcdir)/check_getdns_transport.h $(srcdir)/check_getdns_common.h ../getdns/getdns.h \ ../getdns/getdns_extra.h -scratchpad.template.lo scratchpad.template.o: scratchpad.template.c \ - ../getdns/getdns.h \ +scratchpad.template.lo scratchpad.template.o: scratchpad.template.c ../getdns/getdns.h \ ../getdns/getdns_extra.h testmessages.lo testmessages.o: $(srcdir)/testmessages.c $(srcdir)/testmessages.h -tests_dict.lo tests_dict.o: $(srcdir)/tests_dict.c $(srcdir)/testmessages.h \ - ../getdns/getdns.h -tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h \ - ../getdns/getdns.h -tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h \ - ../getdns/getdns.h -tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c \ - ../config.h \ - $(srcdir)/testmessages.h \ - ../getdns/getdns.h \ - ../getdns/getdns_extra.h -tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h \ - ../getdns/getdns.h \ +tests_dict.lo tests_dict.o: $(srcdir)/tests_dict.c $(srcdir)/testmessages.h ../getdns/getdns.h +tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h ../getdns/getdns.h +tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h ../getdns/getdns.h 
+tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c ../config.h $(srcdir)/testmessages.h \
+ ../getdns/getdns.h ../getdns/getdns_extra.h
+tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h ../getdns/getdns.h \
 ../getdns/getdns_extra.h
diff --git a/src/openssl/anchor-internal.c b/src/tls/anchor-internal.c
similarity index 99%
rename from src/openssl/anchor-internal.c
rename to src/tls/anchor-internal.c
index db9e01f8..a981f556 100644
--- a/src/openssl/anchor-internal.c
+++ b/src/tls/anchor-internal.c
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
diff --git a/src/openssl/pubkey-pinning-internal.h b/src/tls/pubkey-pinning-internal.h
similarity index 100%
rename from src/openssl/pubkey-pinning-internal.h
rename to src/tls/pubkey-pinning-internal.h
diff --git a/src/openssl/val_secalgo.c b/src/tls/val_secalgo.c
similarity index 99%
rename from src/openssl/val_secalgo.c
rename to src/tls/val_secalgo.c
index c7158d82..765eafa7 100644
--- a/src/openssl/val_secalgo.c
+++ b/src/tls/val_secalgo.c
@@ -55,7 +55,7 @@
 #endif
 /* OpenSSL implementation */
-#ifdef HAVE_SSL
+#if defined(HAVE_SSL) && !defined(HAVE_NETTLE)
 #ifdef HAVE_OPENSSL_ERR_H
 #include
 #endif
diff --git a/src/openssl/validator/val_nsec3.h b/src/tls/validator/val_nsec3.h
similarity index 100%
rename from src/openssl/validator/val_nsec3.h
rename to src/tls/validator/val_nsec3.h
diff --git a/src/openssl/validator/val_secalgo.h b/src/tls/validator/val_secalgo.h
similarity index 100%
rename from src/openssl/validator/val_secalgo.h
rename to src/tls/validator/val_secalgo.h
diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in
index 6cefffcd..7d94edb7 100644
--- a/src/tools/Makefile.in
+++ b/src/tools/Makefile.in
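Review bot: The new guard `#if defined(HAVE_SSL) && !defined(HAVE_NETTLE)` in the val_secalgo.c hunk decides which crypto backend compiles the DNSSEC signature-verification code when a build has both OpenSSL and Nettle available, but nothing in the hunk records that Nettle is meant to win; the `/* OpenSSL implementation */` comment directly above it should say so, e.g. `/* OpenSSL implementation (not used when the Nettle backend is configured) */`. Since the file now lives in src/tls/ and is shared by every backend, it is worth confirming that a matching `HAVE_NETTLE` branch exists further down in this file, otherwise a Nettle-only build would compile no verification routines at all; the rest of the preprocessor chain is outside the hunk. The header names in both C hunks appear to have been stripped by rendering, so the include added to anchor-internal.c cannot be checked from this page.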
@@ -122,12 +122,7 @@ depend: .PHONY: clean test # Dependencies for getdns_query -getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \ - ../config.h \ - $(srcdir)/../debug.h \ - ../getdns/getdns.h \ - ../getdns/getdns_extra.h -getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \ - ../config.h \ - ../getdns/getdns.h \ +getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c ../config.h $(srcdir)/../debug.h ../config.h \ + ../getdns/getdns.h ../getdns/getdns_extra.h +getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c ../config.h ../getdns/getdns.h \ ../getdns/getdns_extra.h From 754d65eb6d2fa8415aaf579aa67ce526c0bd953e Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Fri, 15 Mar 2019 16:58:10 +0100 Subject: [PATCH 099/108] Correct dependencies --- spec/example/Makefile.in | 24 +- src/Makefile.in | 468 +++++++++++++++++++++++---------------- src/test/Makefile.in | 71 ++++-- src/tools/Makefile.in | 11 +- 4 files changed, 356 insertions(+), 218 deletions(-) diff --git a/spec/example/Makefile.in b/spec/example/Makefile.in index 7bf5e016..8ff7f2d1 100644 --- a/spec/example/Makefile.in +++ b/spec/example/Makefile.in 
@@ -149,16 +149,24 @@ depend: # Dependencies for the examples example-all-functions.lo example-all-functions.o: $(srcdir)/example-all-functions.c $(srcdir)/getdns_libevent.h \ - ../../src/config.h ../../src/getdns/getdns.h \ - $(srcdir)/../../src/getdns/getdns_ext_libevent.h ../../src/getdns/getdns_extra.h -example-reverse.lo example-reverse.o: $(srcdir)/example-reverse.c $(srcdir)/getdns_libevent.h ../../src/config.h \ - ../../src/getdns/getdns.h $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ + ../../src/config.h \ + ../../src/getdns/getdns.h \ + $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ + ../../src/getdns/getdns_extra.h +example-reverse.lo example-reverse.o: $(srcdir)/example-reverse.c $(srcdir)/getdns_libevent.h \ + ../../src/config.h \ + ../../src/getdns/getdns.h \ + $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ ../../src/getdns/getdns_extra.h example-simple-answers.lo example-simple-answers.o: $(srcdir)/example-simple-answers.c $(srcdir)/getdns_libevent.h \ - ../../src/config.h ../../src/getdns/getdns.h \ - $(srcdir)/../../src/getdns/getdns_ext_libevent.h ../../src/getdns/getdns_extra.h + ../../src/config.h \ + ../../src/getdns/getdns.h \ + $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ + ../../src/getdns/getdns_extra.h example-synchronous.lo example-synchronous.o: $(srcdir)/example-synchronous.c $(srcdir)/getdns_core_only.h \ ../../src/getdns/getdns.h -example-tree.lo example-tree.o: $(srcdir)/example-tree.c $(srcdir)/getdns_libevent.h ../../src/config.h \ - ../../src/getdns/getdns.h $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ +example-tree.lo example-tree.o: $(srcdir)/example-tree.c $(srcdir)/getdns_libevent.h \ + ../../src/config.h \ + ../../src/getdns/getdns.h \ + $(srcdir)/../../src/getdns/getdns_ext_libevent.h \ ../../src/getdns/getdns_extra.h diff --git a/src/Makefile.in b/src/Makefile.in index 2632d11b..9b206491 100644 --- a/src/Makefile.in +++ b/src/Makefile.in 
@@ -287,6 +287,7 @@ depend:
 -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \
 -e 's? util/? $$(srcdir)/util/?g' \
 -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
+ -e 's? tls/? $$(srcdir)/tls/?g' \
 -e 's? $(tlsdir)/? $$(srcdir)/$$(tlsdir)/?g' \
 -e 's? yxml/? $$(srcdir)/yxml/?g' \
 -e 's? extension/? $$(srcdir)/extension/?g' \
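Review bot: The added `-e 's? tls/? $$(srcdir)/tls/?g'` depends on the leading-space anchor to avoid rewriting paths that merely contain `tls/`, such as the `$(tlsdir)/` entries handled by the expression right after it, and that ordering and anchoring constraint is stated nowhere; a comment above the sed list, e.g. `# Map the relative include dirs printed by the compiler back onto $(srcdir); each pattern is anchored on the preceding space, so keep specific paths before general ones`, would stop the next addition from breaking it. The same anchoring means a bare `tls/...` prerequisite printed at the very start of a continuation line, with no preceding space, would be left unrewritten; that is a guess, since how the compiler output reaches sed is part of the depend: recipe outside the hunk. The effect of this line is visible later in the same patch, where `tls/pubkey-pinning-internal.h` in the regenerated pubkey-pinning.o rule becomes `$(srcdir)/tls/pubkey-pinning-internal.h`.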
@@ -308,207 +309,304 @@ depend: FORCE: # Dependencies for gldns, utils, the extensions and compat functions -anchor.lo anchor.o: $(srcdir)/anchor.c config.h $(srcdir)/debug.h $(srcdir)/anchor.h getdns/getdns.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ - $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - config.h $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h \ +anchor.lo anchor.o: $(srcdir)/anchor.c \ + config.h $(srcdir)/debug.h \ + $(srcdir)/anchor.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h \ $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h -const-info.lo const-info.o: $(srcdir)/const-info.c getdns/getdns.h getdns/getdns_extra.h \ - getdns/getdns.h $(srcdir)/const-info.h -context.lo context.o: $(srcdir)/context.c config.h $(srcdir)/anchor.h getdns/getdns.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ - $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/context.h 
$(srcdir)/extension/default_eventloop.h config.h \ - $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \ +const-info.lo const-info.o: $(srcdir)/const-info.c \ + getdns/getdns.h \ + getdns/getdns_extra.h \ $(srcdir)/const-info.h -convert.lo convert.o: $(srcdir)/convert.c config.h getdns/getdns.h getdns/getdns_extra.h \ - getdns/getdns.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ - $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \ - $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h -dict.lo dict.o: $(srcdir)/dict.c config.h $(srcdir)/types-internal.h getdns/getdns.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ - getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ +context.lo context.o: $(srcdir)/context.c \ + config.h $(srcdir)/anchor.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h 
$(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/tls.h \ + $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/const-info.h +convert.lo convert.o: $(srcdir)/convert.c \ + config.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ - $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/parseutil.h -dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h $(srcdir)/debug.h getdns/getdns.h $(srcdir)/context.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ - $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ - $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ - $(srcdir)/gldns/rrdef.h 
$(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \ - $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h -general.lo general.o: $(srcdir)/general.c config.h $(srcdir)/general.h getdns/getdns.h $(srcdir)/types-internal.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ - getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h +dict.lo dict.o: $(srcdir)/dict.c \ + config.h \ + $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ - $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h -list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h getdns/getdns.h getdns/getdns_extra.h \ - getdns/getdns.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \ - config.h $(srcdir)/context.h 
$(srcdir)/extension/default_eventloop.h config.h \ - $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/list.h $(srcdir)/dict.h -mdns.lo mdns.o: $(srcdir)/mdns.c config.h $(srcdir)/debug.h $(srcdir)/context.h getdns/getdns.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ - $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ - $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h -platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h config.h -pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c config.h $(srcdir)/debug.h getdns/getdns.h \ - $(srcdir)/context.h getdns/getdns.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ - config.h $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h \ + $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h +dnssec.lo dnssec.o: $(srcdir)/dnssec.c \ + config.h $(srcdir)/debug.h \ + getdns/getdns.h \ + $(srcdir)/context.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ $(srcdir)/types-internal.h 
$(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/pubkey-pinning.h tls/pubkey-pinning-internal.h -request-internal.lo request-internal.o: $(srcdir)/request-internal.c config.h $(srcdir)/types-internal.h \ - getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ - getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ - $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ - $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h -rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h config.h getdns/getdns.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/util-internal.h $(srcdir)/context.h getdns/getdns_extra.h getdns/getdns.h \ + $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h \ + $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h $(srcdir)/gldns/gbuffer.h +general.lo general.o: $(srcdir)/general.c \ + config.h $(srcdir)/general.h \ + getdns/getdns.h \ + $(srcdir)/types-internal.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + 
$(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ + $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h +list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \ + config.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ + $(srcdir)/list.h $(srcdir)/dict.h +mdns.lo mdns.o: $(srcdir)/mdns.c \ + config.h $(srcdir)/debug.h \ + $(srcdir)/context.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ - $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ - getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ - $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h -rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h config.h getdns/getdns.h \ - $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h -server.lo server.o: $(srcdir)/server.c config.h getdns/getdns_extra.h getdns/getdns.h \ - $(srcdir)/context.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ - 
$(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/platform.h -stub.lo stub.o: $(srcdir)/stub.c config.h $(srcdir)/debug.h $(srcdir)/stub.h getdns/getdns.h $(srcdir)/types-internal.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ - $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h config.h \ - $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h -sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h config.h $(srcdir)/context.h getdns/getdns_extra.h \ - getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h config.h \ - $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/general.h \ - 
$(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h -ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h config.h getdns/getdns.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h -util-internal.lo util-internal.o: $(srcdir)/util-internal.c config.h getdns/getdns.h $(srcdir)/dict.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h \ - $(srcdir)/extension/default_eventloop.h config.h $(srcdir)/extension/poll_eventloop.h \ - getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h +platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \ + config.h +pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \ + config.h $(srcdir)/debug.h \ + getdns/getdns.h \ + $(srcdir)/context.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ + $(srcdir)/gldns/parseutil.h $(srcdir)/pubkey-pinning.h $(srcdir)/tls/pubkey-pinning-internal.h +request-internal.lo request-internal.o: $(srcdir)/request-internal.c \ + config.h \ + $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ + 
$(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h +rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ + config.h \ + getdns/getdns.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/util-internal.h $(srcdir)/context.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h \ + $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/dict.h +rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + config.h \ + getdns/getdns.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h +server.lo server.o: $(srcdir)/server.c \ + config.h \ + getdns/getdns_extra.h \ + getdns/getdns.h \ + $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ + $(srcdir)/util-internal.h $(srcdir)/platform.h +stub.lo stub.o: $(srcdir)/stub.c \ + config.h $(srcdir)/debug.h \ + $(srcdir)/stub.h \ + getdns/getdns.h \ + $(srcdir)/types-internal.h \ + 
getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \ + $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \ + $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h \ + $(srcdir)/pubkey-pinning.h +sync.lo sync.o: $(srcdir)/sync.c \ + getdns/getdns.h \ + config.h $(srcdir)/context.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ + $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h +ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \ + config.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h +util-internal.lo util-internal.o: $(srcdir)/util-internal.c \ + config.h \ + getdns/getdns.h \ + $(srcdir)/dict.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ + getdns/getdns_extra.h \ + $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ 
$(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h \ $(srcdir)/gldns/rrdef.h -version.lo version.o: version.c -gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c config.h $(srcdir)/gldns/gbuffer.h -keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c config.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h -parse.lo parse.o: $(srcdir)/gldns/parse.c config.h $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h \ +gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ + config.h \ $(srcdir)/gldns/gbuffer.h -parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c config.h $(srcdir)/gldns/parseutil.h -rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c config.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h -str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c config.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h -wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c config.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h -arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h -arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h -arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c config.h -explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h -getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h -getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h -getentropy_solaris.lo getentropy_solaris.o: 
$(srcdir)/compat/getentropy_solaris.c config.h +keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ + config.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h +parse.lo parse.o: $(srcdir)/gldns/parse.c \ + config.h \ + $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h +parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \ + config.h \ + $(srcdir)/gldns/parseutil.h +rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \ + config.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h +str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \ + config.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h +wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \ + config.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \ + $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/$(tlsdir)/keyraw-internal.h +arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \ + config.h +arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \ + config.h \ + $(srcdir)/compat/chacha_private.h +arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c \ + config.h +explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c \ + config.h +getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c \ + config.h +getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c \ + config.h +getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c \ + config.h getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c -gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c config.h -inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c config.h -inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c config.h -sha512.lo sha512.o: 
$(srcdir)/compat/sha512.c config.h -strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h -strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h -locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h -lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c config.h $(srcdir)/util/auxiliary/util/storage/lookup3.h \ - $(srcdir)/util/lookup3.h $(srcdir)/util/orig-headers/lookup3.h -lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c config.h $(srcdir)/util/auxiliary/util/storage/lruhash.h \ - $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h \ - $(srcdir)/util/auxiliary/util/fptr_wlist.h -rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/auxiliary/log.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h config.h $(srcdir)/util/auxiliary/fptr_wlist.h \ - $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h +gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c \ + config.h +inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c \ + config.h +inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c \ + config.h +sha512.lo sha512.o: $(srcdir)/compat/sha512.c \ + config.h +strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \ + config.h +strptime.lo strptime.o: $(srcdir)/compat/strptime.c \ + config.h +locks.lo locks.o: $(srcdir)/util/locks.c \ + config.h $(srcdir)/util/locks.h \ + $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h +lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \ + config.h \ + $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \ + $(srcdir)/util/orig-headers/lookup3.h +lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \ + config.h \ + 
$(srcdir)/util/auxiliary/util/storage/lruhash.h $(srcdir)/util/lruhash.h \ + $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ + $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h +rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ + config.h \ + $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \ + $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h -keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c config.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h -pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c config.h \ - $(srcdir)/debug.h config.h getdns/getdns.h $(srcdir)/context.h getdns/getdns.h \ - getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/util-internal.h \ - $(srcdir)/context.h tls/pubkey-pinning-internal.h -tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c config.h $(srcdir)/debug.h config.h $(srcdir)/context.h getdns/getdns.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h getdns/getdns_extra.h $(srcdir)/types-internal.h \ - $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h 
$(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/const-info.h $(srcdir)/tls.h -yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h -libev.lo libev.o: $(srcdir)/extension/libev.c config.h $(srcdir)/types-internal.h getdns/getdns.h \ - getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h \ - getdns/getdns_extra.h -libevent.lo libevent.o: $(srcdir)/extension/libevent.c config.h $(srcdir)/types-internal.h \ - getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h \ - getdns/getdns_extra.h -libuv.lo libuv.o: $(srcdir)/extension/libuv.c config.h $(srcdir)/debug.h config.h $(srcdir)/types-internal.h \ - getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h \ - getdns/getdns_extra.h -poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c config.h $(srcdir)/util-internal.h \ - config.h $(srcdir)/context.h getdns/getdns.h getdns/getdns_extra.h getdns/getdns.h \ +keyraw-internal.lo keyraw-internal.o: $(srcdir)/$(tlsdir)/keyraw-internal.c \ + config.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/$(tlsdir)/keyraw-internal.h $(srcdir)/gldns/rrdef.h +pubkey-pinning-internal.lo pubkey-pinning-internal.o: $(srcdir)/$(tlsdir)/pubkey-pinning-internal.c \ + config.h $(srcdir)/debug.h \ + getdns/getdns.h \ + $(srcdir)/context.h \ + getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - getdns/getdns_extra.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ - $(srcdir)/rr-iter.h 
$(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h \ - $(srcdir)/$(tlsdir)/tls-internal.h $(srcdir)/platform.h $(srcdir)/debug.h -select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c config.h $(srcdir)/debug.h \ - config.h $(srcdir)/types-internal.h getdns/getdns.h getdns/getdns_extra.h \ - getdns/getdns.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \ - $(srcdir)/extension/select_eventloop.h getdns/getdns_extra.h -stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c config.h getdns/getdns.h \ - getdns/getdns_extra.h $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ + $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/tls/pubkey-pinning-internal.h +tls.lo tls.o: $(srcdir)/$(tlsdir)/tls.c \ + config.h $(srcdir)/debug.h \ + $(srcdir)/context.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \ + $(srcdir)/const-info.h $(srcdir)/tls.h +yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h +libev.lo libev.o: $(srcdir)/extension/libev.c \ + config.h \ + $(srcdir)/types-internal.h \ + getdns/getdns.h \ + getdns/getdns_extra.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h +libevent.lo libevent.o: $(srcdir)/extension/libevent.c \ + 
config.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h
+libuv.lo libuv.o: $(srcdir)/extension/libuv.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h
+poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
+ config.h \
+ $(srcdir)/util-internal.h $(srcdir)/context.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
+ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
+ $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
+ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/$(tlsdir)/tls-internal.h \
+ $(srcdir)/platform.h $(srcdir)/debug.h
+select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \
+ config.h $(srcdir)/debug.h \
+ $(srcdir)/types-internal.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \
+ $(srcdir)/extension/select_eventloop.h
+stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c \
+ config.h \
+ getdns/getdns.h \
+ getdns/getdns_extra.h \
+ $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h
diff --git a/src/test/Makefile.in b/src/test/Makefile.in
index 00211237..9d4dad00 100644
--- a/src/test/Makefile.in
+++ b/src/test/Makefile.in
@@ -231,10 +231,13 @@ depend:
 .PHONY: clean test
 # Dependencies for the unit tests
-check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c ../getdns/getdns.h $(srcdir)/check_getdns_common.h \
- ../getdns/getdns_extra.h $(srcdir)/check_getdns_address.h \
- $(srcdir)/check_getdns_address_sync.h $(srcdir)/check_getdns_cancel_callback.h \
- $(srcdir)/check_getdns_context_create.h $(srcdir)/check_getdns_context_destroy.h \
+check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c \
+ ../getdns/getdns.h \
+ $(srcdir)/check_getdns_common.h \
+ ../getdns/getdns_extra.h \
+ $(srcdir)/check_getdns_address.h $(srcdir)/check_getdns_address_sync.h \
+ $(srcdir)/check_getdns_cancel_callback.h $(srcdir)/check_getdns_context_create.h \
+ $(srcdir)/check_getdns_context_destroy.h \
 $(srcdir)/check_getdns_context_set_context_update_callback.h \
 $(srcdir)/check_getdns_context_set_dns_transport.h \
 $(srcdir)/check_getdns_context_set_timeout.h \
@@ -254,34 +257,58 @@ check_getdns.lo check_getdns.o: $(srcdir)/check_getdns.c ../getdns/getdns.h $(sr
 $(srcdir)/check_getdns_list_get_list.h $(srcdir)/check_getdns_pretty_print_dict.h \
 $(srcdir)/check_getdns_service.h $(srcdir)/check_getdns_service_sync.h \
 $(srcdir)/check_getdns_transport.h
-check_getdns_common.lo check_getdns_common.o: $(srcdir)/check_getdns_common.c ../getdns/getdns.h \
- ../config.h $(srcdir)/check_getdns_common.h ../getdns/getdns_extra.h \
+check_getdns_common.lo check_getdns_common.o: $(srcdir)/check_getdns_common.c \
+ ../getdns/getdns.h \
+ ../config.h \
+ $(srcdir)/check_getdns_common.h \
+ ../getdns/getdns_extra.h \
 $(srcdir)/check_getdns_eventloop.h
 check_getdns_context_set_timeout.lo check_getdns_context_set_timeout.o: $(srcdir)/check_getdns_context_set_timeout.c \
 $(srcdir)/check_getdns_context_set_timeout.h $(srcdir)/check_getdns_common.h \
- ../getdns/getdns.h ../getdns/getdns_extra.h
+ ../getdns/getdns.h \
+ ../getdns/getdns_extra.h
 check_getdns_libev.lo check_getdns_libev.o: $(srcdir)/check_getdns_libev.c $(srcdir)/check_getdns_eventloop.h \
- ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libev.h \
- ../getdns/getdns_extra.h $(srcdir)/check_getdns_common.h
+ ../config.h \
+ ../getdns/getdns.h \
+ $(srcdir)/../getdns/getdns_ext_libev.h \
+ ../getdns/getdns_extra.h \
+ $(srcdir)/check_getdns_common.h
 check_getdns_libevent.lo check_getdns_libevent.o: $(srcdir)/check_getdns_libevent.c $(srcdir)/check_getdns_eventloop.h \
- ../config.h ../getdns/getdns.h $(srcdir)/../getdns/getdns_ext_libevent.h \
- ../getdns/getdns_extra.h $(srcdir)/check_getdns_libevent.h $(srcdir)/check_getdns_common.h
+ ../config.h \
+ ../getdns/getdns.h \
+ $(srcdir)/../getdns/getdns_ext_libevent.h \
+ ../getdns/getdns_extra.h \
+ $(srcdir)/check_getdns_libevent.h $(srcdir)/check_getdns_common.h
 check_getdns_libuv.lo check_getdns_libuv.o: $(srcdir)/check_getdns_libuv.c $(srcdir)/check_getdns_eventloop.h \
- ../config.h ../getdns/getdns.h
$(srcdir)/../getdns/getdns_ext_libuv.h \
- ../getdns/getdns_extra.h $(srcdir)/check_getdns_common.h
+ ../config.h \
+ ../getdns/getdns.h \
+ $(srcdir)/../getdns/getdns_ext_libuv.h \
+ ../getdns/getdns_extra.h \
+ $(srcdir)/check_getdns_common.h
 check_getdns_selectloop.lo check_getdns_selectloop.o: $(srcdir)/check_getdns_selectloop.c \
- $(srcdir)/check_getdns_eventloop.h ../config.h ../getdns/getdns.h \
+ $(srcdir)/check_getdns_eventloop.h \
+ ../config.h \
+ ../getdns/getdns.h \
 ../getdns/getdns_extra.h
 check_getdns_transport.lo check_getdns_transport.o: $(srcdir)/check_getdns_transport.c \
- $(srcdir)/check_getdns_transport.h $(srcdir)/check_getdns_common.h ../getdns/getdns.h \
+ $(srcdir)/check_getdns_transport.h $(srcdir)/check_getdns_common.h \
+ ../getdns/getdns.h \
 ../getdns/getdns_extra.h
-scratchpad.template.lo scratchpad.template.o: scratchpad.template.c ../getdns/getdns.h \
+scratchpad.template.lo scratchpad.template.o: scratchpad.template.c \
+ ../getdns/getdns.h \
 ../getdns/getdns_extra.h
 testmessages.lo testmessages.o: $(srcdir)/testmessages.c $(srcdir)/testmessages.h
-tests_dict.lo tests_dict.o: $(srcdir)/tests_dict.c $(srcdir)/testmessages.h ../getdns/getdns.h
-tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h ../getdns/getdns.h
-tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h ../getdns/getdns.h
-tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c ../config.h $(srcdir)/testmessages.h \
- ../getdns/getdns.h ../getdns/getdns_extra.h
-tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h ../getdns/getdns.h \
+tests_dict.lo tests_dict.o: $(srcdir)/tests_dict.c $(srcdir)/testmessages.h \
+ ../getdns/getdns.h
+tests_list.lo tests_list.o: $(srcdir)/tests_list.c $(srcdir)/testmessages.h \
+ ../getdns/getdns.h
+tests_namespaces.lo tests_namespaces.o: $(srcdir)/tests_namespaces.c $(srcdir)/testmessages.h \
+ ../getdns/getdns.h
+tests_stub_async.lo tests_stub_async.o: $(srcdir)/tests_stub_async.c \
+ ../config.h \
+ $(srcdir)/testmessages.h \
+ ../getdns/getdns.h \
+ ../getdns/getdns_extra.h
+tests_stub_sync.lo tests_stub_sync.o: $(srcdir)/tests_stub_sync.c $(srcdir)/testmessages.h \
+ ../getdns/getdns.h \
 ../getdns/getdns_extra.h
diff --git a/src/tools/Makefile.in b/src/tools/Makefile.in
index 7d94edb7..6cefffcd 100644
--- a/src/tools/Makefile.in
+++ b/src/tools/Makefile.in
@@ -122,7 +122,12 @@ depend:
 .PHONY: clean test
 # Dependencies for getdns_query
-getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c ../config.h $(srcdir)/../debug.h ../config.h \
- ../getdns/getdns.h ../getdns/getdns_extra.h
-getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c ../config.h ../getdns/getdns.h \
+getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \
+ ../config.h \
+ $(srcdir)/../debug.h \
+ ../getdns/getdns.h \
+ ../getdns/getdns_extra.h
+getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \
+ ../config.h \
+ ../getdns/getdns.h \
 ../getdns/getdns_extra.h
From 342b1090f8e700eaf742ee882740c6d125c93e30 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Fri, 15 Mar 2019 17:22:31 +0100
Subject: [PATCH 100/108] Declarations are always defined
---
 src/server.c | 2 +-
 src/stub.c | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/server.c b/src/server.c
index 5b1edd86..4339d593 100644
--- a/src/server.c
+++ b/src/server.c
@@ -863,7 +863,7 @@ static getdns_return_t add_listeners(listen_set *set)
 &enable, sizeof(enable)) < 0) {
 ; /* Ignore */
 }
-#ifdef HAVE_DECL_TCP_FASTOPEN
+#if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
 if (setsockopt(l->fd, IPPROTO_TCP, TCP_FASTOPEN,
 &enable, sizeof(enable)) < 0) {
 ; /* Ignore */
diff --git a/src/stub.c b/src/stub.c
index c71ce1ca..0a5b4b46 100644
--- a/src/stub.c
+++ b/src/stub.c
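Review bot: The guarded call `setsockopt(l->fd, IPPROTO_TCP, TCP_FASTOPEN, &enable, sizeof(enable))` passes the same `enable` buffer the preceding boolean option uses, but on Linux the TCP_FASTOPEN value on a listening socket is the maximum number of pending TFO handshakes (the queue length), not an on/off flag; if `enable` is 1, as its name suggests, the listener accepts a single outstanding TFO connection at a time. A dedicated value with a comment, e.g. `int tfo_qlen = 16; /* TCP_FASTOPEN on a listener is a queue length, not a boolean */`, would make the intent explicit; the declaration of `enable` is outside this hunk, so confirm its value. add_listeners() starts and ends outside this hunk.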
@@ -412,16 +412,16 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
 /* Note that error detection is different with TFO. Since the handshake doesn't start till the sendto() lack of connection is often delayed until then or even the subsequent event depending on the error and platform.*/
-# ifdef HAVE_DECL_TCP_FASTOPEN_CONNECT
+# if defined(HAVE_DECL_TCP_FASTOPEN_CONNECT) && HAVE_DECL_TCP_FASTOPEN_CONNECT
 (void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT , (void *)&enable, sizeof(enable));
 # else /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
-# ifdef HAVE_DECL_TCP_FASTOPEN
+# if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
 (void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN , (void *)&enable, sizeof(enable));
 # endif/* HAVE_DECL_TCP_FASTOPEN*/
 # endif /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
-# ifdef HAVE_DECL_MSG_FASTOPEN
+# if defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
 /* Leave the connect to the later call to sendto() if using TCP*/
 if (transport == GETDNS_TRANSPORT_TCP)
 return fd;
@@ -760,7 +760,7 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq)
 /* We use sendto() here which will do both a connect and send */
 #ifdef USE_TCP_FASTOPEN
 written = sendto(fd, netreq->query - 2, pkt_len + 2,
-# ifdef HAVE_DECL_MSG_FASTOPEN
+# if defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
 MSG_FASTOPEN,
 # else
 0,
From 82b9f5781e130e266e33f00ff2561e263e62c4a2 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Fri, 15 Mar 2019 20:28:41 +0100
Subject: [PATCH 101/108] Take along new dirs in distributions
---
 Makefile.in | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index f92fccdf..0532bd08 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -213,6 +213,8 @@ $(distdir):
 mkdir -p $(distdir)/src/compat
 mkdir -p $(distdir)/src/util
 mkdir -p $(distdir)/src/gldns
+ mkdir -p $(distdir)/src/tls/validator
+ mkdir -p $(distdir)/src/gnutls
 mkdir -p $(distdir)/src/openssl
 mkdir -p $(distdir)/src/tools
 mkdir -p $(distdir)/src/jsmn
@@ -261,13 +263,16 @@ $(distdir):
 cp -r $(srcdir)/src/util/orig-headers $(distdir)/src/util
 cp -r $(srcdir)/src/util/auxiliary $(distdir)/src/util
 cp $(srcdir)/src/gldns/*.[ch] $(distdir)/src/gldns
+ cp $(srcdir)/src/tls/*.[ch] $(distdir)/src/tls
+ cp $(srcdir)/src/tls/validator/*.[ch] $(distdir)/src/tls/validator
+ cp $(srcdir)/src/gnutls/*.[ch] $(distdir)/src/gnutls
+ cp $(srcdir)/src/openssl/*.[ch] $(distdir)/src/openssl
 cp $(srcdir)/doc/Makefile.in $(distdir)/doc
 cp $(srcdir)/doc/*.in $(distdir)/doc
 cp $(srcdir)/doc/manpgaltnames $(distdir)/doc
 cp $(srcdir)/spec/*.html $(distdir)/spec
 cp $(srcdir)/spec/example/Makefile.in $(distdir)/spec/example
 cp $(srcdir)/spec/example/*.[ch] $(distdir)/spec/example
- cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/openssl
 cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools
 cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools
 cp $(srcdir)/stubby/stubby.yml.example $(distdir)/stubby
From 5b20971464b301a7ef862bd0096fe7a525641423 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Fri, 15 Mar 2019 20:45:04 +0100
Subject: [PATCH 102/108] Setup branch for the 1.5.2 release process
---
 ChangeLog | 5 ++++-
 configure.ac | 17 +++++++++--------
 stubby | 2 +-
 3 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3054561f..d319b220 100644
--- a/ChangeLog
+++ b/ChangeLog
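Review bot: The new `cp $(srcdir)/src/tls/*.[ch] $(distdir)/src/tls` line in the second hunk depends on `mkdir -p $(distdir)/src/tls/validator` in the first hunk having created `src/tls` as a side effect; nothing creates `$(distdir)/src/tls` on its own. Adding an explicit `mkdir -p $(distdir)/src/tls` before the validator line makes that dependency visible and keeps the copy working if the validator directory is ever removed from the list. The `$(distdir)` recipe starts and ends outside both hunks.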
@@ -1,10 +1,13 @@
-* 2019-??-??: Version 1.?.?
+* 2019-03-??: Version 1.5.2
 * Issue #422: Enable server side and update client side TCP Fast Open implementation. Thanks Craig Andrews
 * Issue #423: Fix insecure delegation detection while scheduling. Thanks Charles Milette
 * Issue #419: Escape backslashed when printing in JSON format. Thanks boB Rudis
+ * Use GnuTLS instead of OpenSSL for TLS with the --with-gnutls
+ option to configure. libcrypto (from OpenSSL) still needed
+ for Zero configuration DNSSEC.
 * DOA rr-type
 * AMTRELAY rr-type
diff --git a/configure.ac b/configure.ac
index e7625f5b..670d6035 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ sinclude(./m4/ac_lib_nettle.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
-AC_INIT([getdns], [1.5.1], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
+AC_INIT([getdns], [1.5.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net])
 # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian)
 # patched to do the same, but frequently (MacOS) not. So add a with option
@@ -53,8 +53,8 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [])
-AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
+AC_SUBST(RELEASE_CANDIDATE, [rc1])
+AC_SUBST(STUBBY_RELEASE_CANDIDATE, [rc1])
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
@@ -64,13 +64,13 @@ AC_ARG_WITH([current-date],
 [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050100])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010501c1])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
 AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package])
-AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.5$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
+AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.6$STUBBY_RELEASE_CANDIDATE"], [Stubby package string])
 # Library version
 # ---------------
@@ -107,9 +107,10 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.5$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.4.0 had libversion 10:0:0
 # getdns-1.4.1 had libversion 10:1:0
 # getdns-1.4.2 had libversion 10:2:0
-# getdns-1.5.0 has libversion 11:0:1
-# getdns-1.5.1 has libversion 11:1:1
-GETDNS_LIBVERSION=11:1:1
+# getdns-1.5.0 had libversion 11:0:1
+# getdns-1.5.1 had libversion 11:1:1
+# getdns-1.5.2 will have libversion 11:2:1
+GETDNS_LIBVERSION=11:2:1
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
 AC_SUBST(GETDNS_LIBVERSION)
diff --git a/stubby b/stubby
index 108a15c6..376a8dbc 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 108a15c63dc08b50d6fd3800cef6948f87e14c8a
+Subproject commit 376a8dbc5c4a8b1f52726182966b2ea9ff36be9d
From 1527979129a24722d988660a0e366ce731380d02 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Fri, 15 Mar 2019 21:16:13 +0100
Subject: [PATCH 103/108] Release candidate need dashes before rc
---
 configure.ac | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 670d6035..262b56fd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -53,8 +53,8 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [rc1])
-AC_SUBST(STUBBY_RELEASE_CANDIDATE, [rc1])
+AC_SUBST(RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(STUBBY_RELEASE_CANDIDATE, [-rc1])
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
From 99e32f1e46749d380edbe3c8543e847c2a010165 Mon Sep 17 00:00:00 2001
From: "Maciej S. Szmigiero"
Date: Sun, 24 Mar 2019 00:40:19 +0100
Subject: [PATCH 104/108] Increase anchor fetch timeout in tas_doc_read()
tas_doc_read() uses a very short 50 msec network read timeout which makes fetching trust anchors pretty much impossible on high-latency connections like 3G.
Use a 2 second read timeout, just like the other tas_read_cb() callback setter does.
---
 src/anchor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/anchor.c b/src/anchor.c
index 1d685130..09f71232 100644
--- a/src/anchor.c
+++ b/src/anchor.c
@@ -750,7 +750,7 @@ static void tas_doc_read(getdns_context *context, tas_connection *a)
 a->tcp.read_pos = a->tcp.read_buf;
 a->tcp.to_read = sizeof(context->tas_hdr_spc);
 }
- GETDNS_SCHEDULE_EVENT(a->loop, a->fd, 50,
+ GETDNS_SCHEDULE_EVENT(a->loop, a->fd, 2000,
 getdns_eventloop_event_init(&a->event, a->req->owner, tas_read_cb, NULL, tas_reconnect_cb));
 return;
From 0a1883047d6874857fe2848e3212fed881da695d Mon Sep 17 00:00:00 2001
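Review bot: The read timeout remains a bare magic number: `GETDNS_SCHEDULE_EVENT(a->loop, a->fd, 2000,` now matches, per the commit message, the other tas_read_cb() scheduling site, but the two values are coupled only by convention and can drift apart again exactly as they did before this fix. A single shared constant, e.g. `#define TAS_READ_TIMEOUT_MS 2000 /* anchor fetch read timeout; generous for high-latency links */`, used at both call sites would make the coupling explicit. tas_doc_read() starts and ends outside this hunk, and the second call site is not visible here.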
From: "Maciej S. Szmigiero"
Date: Sun, 24 Mar 2019 00:50:19 +0100
Subject: [PATCH 105/108] Don't transmit an extra NULL byte in the anchor fetch HTTP request
When calculating HTTP request buffer size tas_connect() unnecessarily adds an extra octet for the terminating NULL byte.
The terminating NULL was already accounted for by sizeof(fmt), however, since sizeof("123") = 4.
The extra NULL byte at the end of the anchor fetch HTTP request resulted in an extra "501 Not implemented" HTTP response from the trust anchor server.
---
 src/anchor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/anchor.c b/src/anchor.c
index 09f71232..16fd8042 100644
--- a/src/anchor.c
+++ b/src/anchor.c
@@ -1086,11 +1086,11 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 }
 if (a->state == TAS_RETRY_GET_PS7) {
 buf_sz = sizeof(tas_write_p7s_buf) + 1 * (hostname_len - 2) + 1 * (path_len - 2) + 1;
+ + 1 * (hostname_len - 2) + 1 * (path_len - 2);
 fmt = tas_write_p7s_buf;
 } else {
 buf_sz = sizeof(tas_write_xml_p7s_buf) + 2 * (hostname_len - 2) + 2 * (path_len - 2) + 1;
+ + 2 * (hostname_len - 2) + 2 * (path_len - 2);
 fmt = tas_write_xml_p7s_buf;
 }
 if (!(write_buf = GETDNS_XMALLOC(context->mf, char, buf_sz))) {
From b6e290f42a6be2cb4b596455841984377a814222 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Wed, 3 Apr 2019 11:51:35 +0200
Subject: [PATCH 106/108] Fix compiling for debugging
---
 src/openssl/tls.c | 2 +-
 src/stub.c | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 94335848..af1c3122 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
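Review bot: The corrected sizing `+ 1 * (hostname_len - 2) + 1 * (path_len - 2);` still relies on two facts a reader cannot see at the call site — that `sizeof` of the format buffer already counts the NUL terminator, and that each `- 2` presumably removes a two-character placeholder that the hostname or path replaces — and the missing comment is how the stray `+ 1` got in and went unnoticed. A short comment above `if (a->state == TAS_RETRY_GET_PS7)` stating both facts, plus a check after the formatting call (outside this hunk) that the number of bytes produced equals `buf_sz - 1`, would pin the arithmetic so a future edit cannot silently reintroduce an over- or under-allocation. tas_connect() starts and ends outside this hunk.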
@@ -914,7 +914,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	int osr = SSL_dane_enable(conn->ssl, *auth_name ? auth_name : NULL);
 	(void) osr;
 	DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n"
-	           , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
+	           , STUB_DEBUG_SETUP_TLS, __FUNC__, auth_name, osr);
 	SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
 	const sha256_pin_t *pin_p;
 	size_t n_pins = 0;
diff --git a/src/stub.c b/src/stub.c
index 0a5b4b46..4bf470d8 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -967,8 +967,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			return STUB_TCP_RETRY;
 		default:
 			DEBUG_STUB("%s %-35s: FD: %d Handshake failed %d\n",
-			           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd,
-			           want);
+			           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, r);
 			return STUB_SETUP_ERROR;
 		}
 	}

From b22768709af464ccc3ff7281520952fbb6c5f7c6 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Wed, 3 Apr 2019 12:24:09 +0200
Subject: [PATCH 107/108] Runtime fallback and FreeBSD compatible TFO

---
 src/context.h |  6 ++--
 src/stub.c    | 80 +++++++++++++++++++++++++++++++++++----------------
 2 files changed, 60 insertions(+), 26 deletions(-)

diff --git a/src/context.h b/src/context.h
index 10031014..eb42382f 100644
--- a/src/context.h
+++ b/src/context.h
@@ -201,12 +201,14 @@ typedef struct getdns_upstream {
 	getdns_network_req *write_queue_last;
 	_getdns_rbtree_t netreq_by_query_id;
 
-	/* TLS specific connection handling*/
+	/* TCP specific connection handling*/
+	unsigned tfo_use_sendto : 1;
+	/* TLS specific connection handling*/
+	unsigned tls_fallback_ok : 1;
 	_getdns_tls_connection* tls_obj;
 	_getdns_tls_session* tls_session;
 	getdns_tls_hs_state_t tls_hs_state;
 	getdns_auth_state_t tls_auth_state;
-	unsigned tls_fallback_ok : 1;
 
 	/* TLS settings */
 	char *tls_cipher_list;
diff --git a/src/stub.c b/src/stub.c
index 4bf470d8..2547d10f 100644
--- a/src/stub.c
+++ b/src/stub.c
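Review bot: The result of SSL_dane_enable() is discarded with `(void) osr;` and then only printed by the corrected DEBUG_STUB line, so a failing call (OpenSSL returns <= 0) is never reported to the caller and, as far as this hunk shows, execution continues to SSL_set_verify() with _getdns_tls_verify_always_ok and to adding the pins. If the pinset verification depends on DANE having been enabled on the SSL object, a failure here would presumably weaken verification silently; consider checking `osr` and returning a getdns_return_t error before SSL_set_verify(), and documenting why `(void) osr;` is still needed for non-debug builds if it is kept. The enclosing function's body starts and ends outside the hunk.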
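Review bot: The new `tfo_use_sendto` bit carries no comment describing what it controls, although it changes connection behaviour: the stub.c hunks in this commit set it when the TCP_FASTOPEN socket option succeeds, skip the connect() in tcp_connect(), and switch stub_tcp_write() to sendto(). A one-line comment on the field, `unsigned tfo_use_sendto : 1; /* TCP only: connect() is deferred to the first sendto() (TCP_FASTOPEN variant) */`, would tell readers of the struct why a "connected" upstream may not have been connect()ed yet. It may also be worth noting next to it where the bit is reset, since that happens far away in tcp_connect().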
@@ -385,6 +385,7 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
 	int fd = -1;
 
+	upstream->tfo_use_sendto = 0;
 	DEBUG_STUB("%s %-35s: Creating TCP connection: %p\n", STUB_DEBUG_SETUP,
 	           __FUNC__, (void*)upstream);
 	if ((fd = socket(upstream->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
@@ -413,21 +414,50 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
 	   doesn't start till the sendto() lack of connection is often delayed until then or even the subsequent event depending on the error and platform.*/
 # if defined(HAVE_DECL_TCP_FASTOPEN_CONNECT) && HAVE_DECL_TCP_FASTOPEN_CONNECT
-	(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT
-	                , (void *)&enable, sizeof(enable));
+	if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT
+	              , (void *)&enable, sizeof(enable)) < 0) {
+		/* runtime fallback to TCP_FASTOPEN option */
+		_getdns_upstream_log(upstream,
+		    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
+		    "%-40s : Upstream : "
+		    "Could not setup TLS capable TFO connect\n",
+		    upstream->addr_str);
+# if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
+		/* TCP_FASTOPEN works for TCP only (not TLS) */
+		if (transport != GETDNS_TRANSPORT_TCP)
+			; /* This variant of TFO doesn't work with TLS */
+		else if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
+		                   , (void *)&enable, sizeof(enable)) >= 0) {
+
+			upstream->tfo_use_sendto = 1;
+			return fd;
+		} else
+			_getdns_upstream_log(upstream,
+			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
+			    "%-40s : Upstream : "
+			    "Could not fallback to TCP TFO\n",
+			    upstream->addr_str);
+# endif/* HAVE_DECL_TCP_FASTOPEN*/
+	}
+	/* On success regular connect is fine, TFO will happen automagically */
 # else /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
 # if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
-	(void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
-	                , (void *)&enable, sizeof(enable));
+	/* TCP_FASTOPEN works for TCP only (not TLS) */
+	if (transport != GETDNS_TRANSPORT_TCP)
+		; /* This variant of TFO doesn't work with TLS */
+	else if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
+	                   , (void *)&enable, sizeof(enable)) >= 0) {
+
+		upstream->tfo_use_sendto = 1;
+		return fd;
+	} else
+		_getdns_upstream_log(upstream,
+		    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
+		    "%-40s : Upstream : Could not setup TCP TFO\n",
+		    upstream->addr_str);
+
 # endif/* HAVE_DECL_TCP_FASTOPEN*/
 # endif /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
-# if defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
-	/* Leave the connect to the later call to sendto() if using TCP*/
-	if (transport == GETDNS_TRANSPORT_TCP)
-		return fd;
-# else /* HAVE_DECL_MSG_FASTOPEN */
-	(void)transport;
-# endif /* HAVE_DECL_MSG_FASTOPEN */
 #endif /* USE_OSX_TCP_FASTOPEN */
 	if (connect(fd, (struct sockaddr *)&upstream->addr,
 	    upstream->addr_len) == -1) {
@@ -758,22 +788,24 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq)
 		 * Lets see how much of it we can write */
 		/* We use sendto() here which will do both a connect and send */
-#ifdef USE_TCP_FASTOPEN
-		written = sendto(fd, netreq->query - 2, pkt_len + 2,
+		if (netreq->upstream->tfo_use_sendto) {
+			written = sendto(fd, netreq->query - 2, pkt_len + 2,
 # if defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN
-		    MSG_FASTOPEN,
+			    MSG_FASTOPEN,
 # else
-		    0,
+			    0,
 # endif
-		    (struct sockaddr *)&(netreq->upstream->addr),
-		    netreq->upstream->addr_len);
-		/* If pipelining we will find that the connection is already up so
-		   just fall back to a 'normal' write. */
-		if (written == -1 && _getdns_socketerror() == _getdns_EISCONN)
-			written = write(fd, netreq->query - 2, pkt_len + 2);
-#else
-		written = send(fd, (const char *)(netreq->query - 2), pkt_len + 2, 0);
-#endif
+			    (struct sockaddr *)&(netreq->upstream->addr),
+			    netreq->upstream->addr_len);
+			/* If pipelining we will find that the connection is already up so
+			   just fall back to a 'normal' write. */
+			if (written == -1
+			&&  _getdns_socketerror() == _getdns_EISCONN)
+				written = write(fd, netreq->query - 2
+				              , pkt_len + 2);
+		} else
+			written = send(fd, (const char *)(netreq->query - 2)
+			             , pkt_len + 2, 0);
 		if ((written == -1 && _getdns_socketerror_wants_retry())
 		||  (size_t)written < pkt_len + 2) {

From ffe471543bd947d6d96ddd212ee987ba3787fb36 Mon Sep 17 00:00:00 2001
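Review bot: The TCP_FASTOPEN fallback (transport check, setsockopt, setting tfo_use_sendto and returning early, warning on failure) is written out twice, once inside the TCP_FASTOPEN_CONNECT failure branch and once in its `# else`, so a later fix to one copy will presumably be missed in the other; a small static helper called from both places removes the duplication, as sketched below (the type of `enable` is assumed to be int — adjust to its declaration). The WARNING emitted before the fallback fires on every tcp_connect() when the headers declare TCP_FASTOPEN_CONNECT but the running kernel rejects it, which is exactly the runtime case this commit targets, so it is worth logging it once per upstream or at a lower level. Dropping `(void)transport;` leaves `transport` referenced only under the HAVE_DECL_* guards here; on a build where neither is declared the parameter may become unused again, which is worth checking with -Wunused-parameter. tcp_connect()'s body starts and ends outside the hunk.
```c
/* TCP_FASTOPEN variant of TFO: the connect is left to the later sendto()
 * in stub_tcp_write(), so it is usable for plain TCP only (not TLS).
 * Returns 1 when the socket was set up for that path, 0 otherwise. */
static int
tfo_setup_sendto(int fd, getdns_upstream *upstream,
    getdns_transport_list_t transport, int enable)
{
# if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN
	if (transport != GETDNS_TRANSPORT_TCP)
		return 0; /* This variant of TFO doesn't work with TLS */
	if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN
	              , (void *)&enable, sizeof(enable)) >= 0)
		return 1;
	_getdns_upstream_log(upstream,
	    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
	    "%-40s : Upstream : Could not setup TCP TFO\n",
	    upstream->addr_str);
# else
	(void)fd; (void)upstream; (void)transport; (void)enable;
# endif /* HAVE_DECL_TCP_FASTOPEN */
	return 0;
}

/* … in tcp_connect(), replacing both hand-expanded copies … */
# if defined(HAVE_DECL_TCP_FASTOPEN_CONNECT) && HAVE_DECL_TCP_FASTOPEN_CONNECT
	if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT
	              , (void *)&enable, sizeof(enable)) < 0) {
		/* runtime fallback to TCP_FASTOPEN option */
		_getdns_upstream_log(upstream,
		    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,
		    "%-40s : Upstream : "
		    "Could not setup TLS capable TFO connect\n",
		    upstream->addr_str);
		if (tfo_setup_sendto(fd, upstream, transport, enable)) {
			upstream->tfo_use_sendto = 1;
			return fd;
		}
	}
	/* On success regular connect is fine, TFO will happen automagically */
# else /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
	if (tfo_setup_sendto(fd, upstream, transport, enable)) {
		upstream->tfo_use_sendto = 1;
		return fd;
	}
# endif /* HAVE_DECL_TCP_FASTOPEN_CONNECT */
```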
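Review bot: The pipelining fallback on the EISCONN path still calls `write()` while the non-TFO branch a few lines below uses `send()` with a `(const char *)` cast, which reads as a portability concession that the fallback does not share; using the same call in both places, `written = send(fd, (const char *)(netreq->query - 2), pkt_len + 2, 0);`, keeps the two paths consistent. When sendto() fails with an error that is neither EISCONN nor one _getdns_socketerror_wants_retry() accepts, the socket was never connect()ed (tcp_connect() returned early with tfo_use_sendto set), so it is worth confirming that the generic error path below tears the upstream down rather than leaving an unconnected socket for later writes to retry. stub_tcp_write()'s body starts and ends outside the hunk.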
From: Willem Toorop
Date: Wed, 3 Apr 2019 12:36:04 +0200
Subject: [PATCH 108/108] Bumb versions for 1.5.2 release

---
 ChangeLog    | 4 +++-
 configure.ac | 8 ++++----
 stubby       | 2 +-
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d319b220..2fb2fce3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
-* 2019-03-??: Version 1.5.2
+* 2019-04-03: Version 1.5.2
+  * PR #424: Two small trust anchor fetcher fixes
+    Thanks Maciej S. Szmigiero
   * Issue #422: Enable server side and update client side TCP Fast Open
     implementation. Thanks Craig Andrews
   * Issue #423: Fix insecure delegation detection while scheduling.
diff --git a/configure.ac b/configure.ac
index 262b56fd..dd8ff09f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -53,8 +53,8 @@ AC_SUBST([runstatedir], [$with_piddir])
 # Don't forget to put a dash in front of the release candidate!!!
 # That is how it is done with semantic versioning!
 #
-AC_SUBST(RELEASE_CANDIDATE, [-rc1])
-AC_SUBST(STUBBY_RELEASE_CANDIDATE, [-rc1])
+AC_SUBST(RELEASE_CANDIDATE, [])
+AC_SUBST(STUBBY_RELEASE_CANDIDATE, [])
 
 # Set current date from system if not set
 AC_ARG_WITH([current-date],
@@ -64,7 +64,7 @@ AC_ARG_WITH([current-date],
 	[CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"])
 
 AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"])
-AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010501c1])
+AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050200])
 AC_SUBST(API_VERSION, ["December 2015"])
 AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00])
 GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API"
@@ -109,7 +109,7 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.6$STUBBY_RELEASE_CANDIDATE"],
 # getdns-1.4.2 had libversion 10:2:0
 # getdns-1.5.0 had libversion 11:0:1
 # getdns-1.5.1 had libversion 11:1:1
-# getdns-1.5.2 will have libversion 11:2:1
+# getdns-1.5.2 has libversion 11:2:1
 GETDNS_LIBVERSION=11:2:1
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
diff --git a/stubby b/stubby
index 376a8dbc..b0d3154a 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 376a8dbc5c4a8b1f52726182966b2ea9ff36be9d
+Subproject commit b0d3154af61e1b46a30b56d239dc074273642217