diff --git a/.travis.yml b/.travis.yml index 60a37347..2cace3f4 100644 --- a/.travis.yml +++ b/.travis.yml @@ -21,4 +21,4 @@ script: - mkdir tests - cd tests - ../src/test/tpkg/run-all.sh -# - ../src/test/tpkg/run-one.sh 400-static-analysis -V +# - ../src/test/tpkg/run-one.sh 225-stub-only-valgrind-checks diff --git a/ChangeLog b/ChangeLog index 69d8872b..575855cd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,36 @@ +* 2017-12-21: Version 1.3.0 + * Bugfix #300: Detect dnsmasq and skip unit test that fails with it. + Thanks Tim Rühsen and Konomi Kitten + * Specify default available cipher suites for authenticated TLS + upstreams with getdns_context_set_tls_ciphers_list() + An upstream specific available cipher suite may also be given + with the tls_cipher_list setting in the upstream dict with + getdns_context_set_upstream_recursive_servers() + * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305 + Thanks Pascal Ernster + * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the + context configured upstreams. Thanks Andreas Schulze + * Report default extension settings with + getdns_context_get_api_information() + * Specify locations at which CA certificates for verification purposes + are located: getdns_context_set_tls_ca_path() + getdns_context_set_tls_ca_file() + * getdns_context_set_resolvconf() function to initialize a context + upstreams and suffices with a resolv.conf file. + getdns_context_get_resolvconf() to get the file used to initialize + the context's upstreams and suffixes. + getdns_context_set_hosts() function to initialize a context's + LOCALNAMES namespace. + getdns_context_get_hosts() function to get the file used to initialize + the context's LOCALNAMES namespace. + * get which version of OpenSSL was used at build time and at run time + when available with getdns_context_get_api_information() + * GETDNS_RETURN_IO_ERROR return error code + * Bugfix #359: edns_client_subnet_private should set family + Thanks Daniel Areiza & Andreas Schulze + * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC + validation. Thanks Bruno Pagani + * 2017-11-11: Version 1.2.1 * Handle more I/O error cases. Also, when an I/O error does occur, never stop listening (with servers), and diff --git a/Makefile.in b/Makefile.in index 1096dc3b..63216493 100644 --- a/Makefile.in +++ b/Makefile.in @@ -253,7 +253,7 @@ $(distdir): cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools cp $(srcdir)/stubby/stubby.yml.example $(distdir)/stubby - cp $(srcdir)/stubby/stubby-setdns-macos.sh $(distdir)/stubby + cp $(srcdir)/stubby/macos/stubby-setdns-macos.sh $(distdir)/stubby cp $(srcdir)/stubby/src/*.[ch] $(distdir)/stubby/src cp $(srcdir)/stubby/src/yaml/*.[ch] $(distdir)/stubby/src/yaml cp $(srcdir)/stubby/COPYING $(distdir)/stubby diff --git a/configure.ac b/configure.ac index 01dcbdb9..9bc7f66a 100644 --- a/configure.ac +++ b/configure.ac @@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4) sinclude(./m4/ax_check_compile_flag.m4) sinclude(./m4/pkg.m4) -AC_INIT([getdns], [1.2.1], [team@getdnsapi.net], [getdns], [https://getdnsapi.net]) +AC_INIT([getdns], [1.3.0], [team@getdnsapi.net], [getdns], [https://getdnsapi.net]) # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian) # patched to do the same, but frequently (MacOS) not. So add a with option @@ -62,7 +62,7 @@ AC_ARG_WITH([current-date], [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"]) AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"]) -AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01020100]) +AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01030000]) AC_SUBST(API_VERSION, ["December 2015"]) AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00]) GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API" @@ -98,9 +98,10 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE # getdns-1.1.2 had libversion 7:0:1 # getdns-1.1.3 had libversion 7:1:1 # getdns-1.2.0 had libversion 8:0:2 -# getdns-1.2.1 has libversion 8:1:2 +# getdns-1.2.1 had libversion 8:1:2 +# getdns-1.3.0 has libversion 9:0:3 # -GETDNS_LIBVERSION=8:1:2 +GETDNS_LIBVERSION=9:0:3 AC_SUBST(GETDNS_COMPILATION_COMMENT) AC_SUBST(GETDNS_LIBVERSION) @@ -265,7 +266,7 @@ esac DEFAULT_EVENTLOOP=select_eventloop -AC_CHECK_HEADERS([signal.h sys/poll.h poll.h sys/resource.h sys/types.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([signal.h sys/poll.h poll.h sys/resource.h sys/types.h sys/stat.h],,, [AC_INCLUDES_DEFAULT]) AC_ARG_ENABLE(poll-eventloop, AC_HELP_STRING([--disable-poll-eventloop], [Disable default eventloop based on poll (default=enabled if available)])) case "$enable_poll_eventloop" in no) @@ -345,6 +346,22 @@ AC_CHECK_FUNCS([strptime],[AC_CHECK_STRPTIME_WORKS],[AC_LIBOBJ([strptime])]) AC_CHECK_HEADERS([windows.h winsock.h stdio.h winsock2.h ws2tcpip.h],,, [AC_INCLUDES_DEFAULT]) ACX_CHECK_GETADDRINFO_WITH_INCLUDES +AC_ARG_WITH(resolvconf, AS_HELP_STRING([--with-resolvconf=PATH], + [Set the resolver configuration file path. Defaults to /etc/resolv.conf or values retrieved via GetNetworkParams() on Windows]), + [], [withval="/etc/resolv.conf"]) +AC_DEFINE_UNQUOTED([GETDNS_FN_RESOLVCONF], ["$withval"], [Path to resolver configuration file]) + +AC_ARG_WITH(hosts, AS_HELP_STRING([--with-hosts=PATH], + [Set the static table lookup for hostnames path. Defaults to /etc/hosts or C:\Windows\System32\Drivers\etc\hosts on Windows]), + [], [ +if test "$USE_WINSOCK" = 1; then + withval="C:\\\\Windows\\\\System32\\\\Drivers\\\\etc\\\\hosts" +else + withval="/etc/hosts" +fi +]) +AC_DEFINE_UNQUOTED([GETDNS_FN_HOSTS], ["$withval"], [Path to static table lookup for hostnames]) + AC_ARG_WITH(fd-setsize, AS_HELP_STRING([--with-fd-setsize=size], [Set maximum file descriptor number that can be used by select]), [], [withval="no"]) @@ -391,7 +408,7 @@ fi AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version]) +AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version]) AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H @@ -1500,6 +1517,10 @@ static inline int _gldns_custom_vsnprintf(char *str, size_t size, const char *fo #include #endif +#ifdef HAVE_SYS_STAT_H +#include +#endif + #ifdef HAVE_NETINET_IN_H #include #endif diff --git a/src/Makefile.in b/src/Makefile.in index a84dbf16..b37d296e 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -208,9 +208,9 @@ install-stubby-files-unix: $(stubbysrcdir)/stubby.yml.example test -f $(DESTDIR)$(stubbyconfdir)/stubby.yml || \ $(INSTALL_DATA) $(stubbysrcdir)/stubby.yml.example $(DESTDIR)$(stubbyconfdir)/stubby.yml -install-stubby-files-macos: $(stubbysrcdir)/stubby-setdns-macos.sh install-stubby-files-unix +install-stubby-files-macos: $(stubbysrcdir)/macos/stubby-setdns-macos.sh install-stubby-files-unix $(INSTALL) -m 755 -d $(DESTDIR)$(sbindir) - $(INSTALL) -m 755 $(stubbysrcdir)/stubby-setdns-macos.sh $(DESTDIR)$(sbindir) + $(INSTALL) -m 755 $(stubbysrcdir)/macos/stubby-setdns-macos.sh $(DESTDIR)$(sbindir) stubby.yml.windows: $(stubbysrcdir)/stubby.yml.example awk "{sub(/$$/,\"\r\")}1" $(stubbysrcdir)/stubby.yml.example > stubby.yml.windows diff --git a/src/anchor.c b/src/anchor.c index 006e5da4..31e0e6f0 100644 --- a/src/anchor.c +++ b/src/anchor.c @@ -1557,44 +1557,13 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) DEBUG_ANCHOR("%s on the %ssynchronous loop\n", __FUNC__, loop == &context->sync_eventloop.loop ? "" : "a"); - while (!context->sys_ctxt) { /* Used as breakable if. Never repeats. */ - if ((r = getdns_context_create_with_extended_memory_functions( - &context->sys_ctxt, 1, context->mf.mf_arg, - context->mf.mf.ext.malloc, context->mf.mf.ext.realloc, - context->mf.mf.ext.free))) - DEBUG_ANCHOR("Could not create system context: %s\n" - , getdns_get_errorstr_by_id(r)); - - else if ((r = getdns_context_set_eventloop( - context->sys_ctxt, loop))) - DEBUG_ANCHOR("Could not configure %ssynchronous loop " - "with system context: %s\n" - , ( loop == &context->sync_eventloop.loop - ? "" : "a" ) - , getdns_get_errorstr_by_id(r)); - - else if ((r = getdns_context_set_resolution_type( - context->sys_ctxt, GETDNS_RESOLUTION_STUB))) - DEBUG_ANCHOR("Could not configure system context for " - "stub resolver: %s\n" - , getdns_get_errorstr_by_id(r)); - else - break; - - getdns_context_destroy(context->sys_ctxt); - context->sys_ctxt = NULL; - DEBUG_ANCHOR("Fatal error fetching trust anchor: " - "missing system context\n"); - context->trust_anchors_source = GETDNS_TASRC_FAILED; - _getdns_ta_notify_dnsreqs(context); - return; - } scheduled = 0; #if 1 context->a.state = TAS_LOOKUP_ADDRESSES; - if ((r = _getdns_general_loop(context->sys_ctxt, loop, - tas_hostname, GETDNS_RRTYPE_A, NULL, context, - &context->a.req, NULL, _tas_hostname_lookup_cb))) { + if ((r = _getdns_general_loop(context, loop, + tas_hostname, GETDNS_RRTYPE_A, + no_dnssec_checking_disabled_opportunistic, + context, &context->a.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling A lookup for %s: %s\n" , tas_hostname, getdns_get_errorstr_by_id(r)); } else @@ -1603,9 +1572,10 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) #if 1 context->aaaa.state = TAS_LOOKUP_ADDRESSES; - if ((r = _getdns_general_loop(context->sys_ctxt, loop, - tas_hostname, GETDNS_RRTYPE_AAAA, NULL, context, - &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) { + if ((r = _getdns_general_loop(context, loop, + tas_hostname, GETDNS_RRTYPE_AAAA, + no_dnssec_checking_disabled_opportunistic, + context, &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling AAAA lookup for %s: %s\n" , tas_hostname, getdns_get_errorstr_by_id(r)); } else diff --git a/src/const-info.c b/src/const-info.c index 2c582ed1..d8e61f47 100644 --- a/src/const-info.c +++ b/src/const-info.c @@ -30,6 +30,7 @@ static struct const_info consts_info[] = { { 310, "GETDNS_RETURN_MEMORY_ERROR", GETDNS_RETURN_MEMORY_ERROR_TEXT }, { 311, "GETDNS_RETURN_INVALID_PARAMETER", GETDNS_RETURN_INVALID_PARAMETER_TEXT }, { 312, "GETDNS_RETURN_NOT_IMPLEMENTED", GETDNS_RETURN_NOT_IMPLEMENTED_TEXT }, + { 397, "GETDNS_RETURN_IO_ERROR", GETDNS_RETURN_IO_ERROR_TEXT }, { 398, "GETDNS_RETURN_NO_UPSTREAM_AVAILABLE", GETDNS_RETURN_NO_UPSTREAM_AVAILABLE_TEXT }, { 399, "GETDNS_RETURN_NEED_MORE_SPACE", GETDNS_RETURN_NEED_MORE_SPACE_TEXT }, { 400, "GETDNS_DNSSEC_SECURE", GETDNS_DNSSEC_SECURE_TEXT }, @@ -86,6 +87,11 @@ static struct const_info consts_info[] = { { 626, "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA_TEXT }, { 627, "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL", GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL_TEXT }, { 628, "GETDNS_CONTEXT_CODE_APPDATA_DIR", GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT }, + { 629, "GETDNS_CONTEXT_CODE_RESOLVCONF", GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT }, + { 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT }, + { 631, "GETDNS_CONTEXT_CODE_TLS_CA_PATH", GETDNS_CONTEXT_CODE_TLS_CA_PATH_TEXT }, + { 632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT }, + { 633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, { 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT }, @@ -166,17 +172,22 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CONTEXT_CODE_EDNS_MAXIMUM_UDP_PAYLOAD_SIZE", 610 }, { "GETDNS_CONTEXT_CODE_EDNS_VERSION", 612 }, { "GETDNS_CONTEXT_CODE_FOLLOW_REDIRECTS", 602 }, + { "GETDNS_CONTEXT_CODE_HOSTS", 630 }, { "GETDNS_CONTEXT_CODE_IDLE_TIMEOUT", 617 }, { "GETDNS_CONTEXT_CODE_LIMIT_OUTSTANDING_QUERIES", 606 }, { "GETDNS_CONTEXT_CODE_MEMORY_FUNCTIONS", 615 }, { "GETDNS_CONTEXT_CODE_NAMESPACES", 600 }, { "GETDNS_CONTEXT_CODE_PUBKEY_PINSET", 621 }, { "GETDNS_CONTEXT_CODE_RESOLUTION_TYPE", 601 }, + { "GETDNS_CONTEXT_CODE_RESOLVCONF", 629 }, { "GETDNS_CONTEXT_CODE_ROUND_ROBIN_UPSTREAMS", 622 }, { "GETDNS_CONTEXT_CODE_SUFFIX", 608 }, { "GETDNS_CONTEXT_CODE_TIMEOUT", 616 }, { "GETDNS_CONTEXT_CODE_TLS_AUTHENTICATION", 618 }, { "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 }, + { "GETDNS_CONTEXT_CODE_TLS_CA_FILE", 632 }, + { "GETDNS_CONTEXT_CODE_TLS_CA_PATH", 631 }, + { "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 }, { "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 }, { "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 }, { "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 }, @@ -248,6 +259,7 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_RETURN_GENERIC_ERROR", 1 }, { "GETDNS_RETURN_GOOD", 0 }, { "GETDNS_RETURN_INVALID_PARAMETER", 311 }, + { "GETDNS_RETURN_IO_ERROR", 397 }, { "GETDNS_RETURN_MEMORY_ERROR", 310 }, { "GETDNS_RETURN_NEED_MORE_SPACE", 399 }, { "GETDNS_RETURN_NOT_IMPLEMENTED", 312 }, diff --git a/src/context.c b/src/context.c index 62678873..c8f14363 100644 --- a/src/context.c +++ b/src/context.c @@ -57,6 +57,9 @@ typedef unsigned short in_port_t; #include #endif +#include +#include + #include #include #include @@ -162,6 +165,17 @@ static void set_ub_dnssec_allowed_skew(struct getdns_context*, uint32_t); /* Stuff to make it compile pedantically */ #define RETURN_IF_NULL(ptr, code) if(ptr == NULL) return code; +static char * +_getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s) +{ + char *r; + if (!s || !(r = GETDNS_XMALLOC(*mfs, char, s->size + 1))) + return NULL; + else { + r[s->size] = '\0'; + return memcpy(r, s, s->size); + } +} #ifdef USE_WINSOCK /* For windows, the CA trust store is not read by openssl. @@ -495,8 +509,45 @@ str_addr_dict(getdns_context *context, const char *str) return address; } -static void -create_local_hosts(getdns_context *context) +/** + * check a file for changes since the last check + * and refresh the current data if changes are detected + * @param context pointer to a previously created context to be used for this call + * @param fchg file to check + * @returns changes as OR'd list of GETDNS_FCHG_* values + * @returns GETDNS_FCHG_NONE if no changes + * @returns GETDNS_FCHG_ERRORS if problems (see fchg->errors for details) + */ +static int +_getdns_filechg_check(struct filechg *fchg) +{ + struct stat finfo; + + if(fchg == NULL) + return 0; + + fchg->errors = GETDNS_FCHG_NOERROR; + fchg->changes = GETDNS_FCHG_NOCHANGES; + + if(stat(fchg->fn, &finfo) != 0) { + fchg->errors = errno; + return GETDNS_FCHG_ERRORS; + } + + /* we want to consider a file that previously returned error for stat() as a + change */ + + if(fchg->prevstat.st_mtime != finfo.st_mtime) + fchg->changes |= GETDNS_FCHG_MTIME; + if(fchg->prevstat.st_ctime != finfo.st_ctime) + fchg->changes |= GETDNS_FCHG_CTIME; + + fchg->prevstat = finfo; + return fchg->changes; +} /* filechg */ + +getdns_return_t +getdns_context_set_hosts(getdns_context *context, const char *hosts) { /* enough space in buf for longest allowed domain name */ char buf[1024]; @@ -505,11 +556,21 @@ create_local_hosts(getdns_context *context) int start_of_line = 1; getdns_dict *address = NULL; -#ifdef USE_WINSOCK - in = fopen("c:\\WINDOWS\\system32\\drivers\\etc\\hosts", "r"); -#else - in = fopen("/etc/hosts", "r"); -#endif + if (!context || !hosts) + return GETDNS_RETURN_INVALID_PARAMETER; + + if (!(in = fopen(hosts, "r"))) + return GETDNS_RETURN_IO_ERROR; + + (void)strlcpy(context->fchg_hosts.fn, hosts, _GETDNS_PATH_MAX); + (void) memset(&context->fchg_hosts.prevstat, 0, sizeof(struct stat)); + context->fchg_hosts.changes = GETDNS_FCHG_NOCHANGES; + context->fchg_hosts.errors = GETDNS_FCHG_NOERROR; + (void) _getdns_filechg_check(&context->fchg_hosts); + _getdns_traverse_postorder(&context->local_hosts, + destroy_local_host, context); + _getdns_rbtree_init(&context->local_hosts, local_host_cmp); + while (fgets(pos, (int)(sizeof(buf) - (pos - buf)), in)) { pos = buf; /* Break out of for to read more */ @@ -589,59 +650,19 @@ read_more: ; address = NULL; getdns_dict_destroy(address); } + return GETDNS_RETURN_GOOD; } -/** - * check a file for changes since the last check - * and refresh the current data if changes are detected - * @param context pointer to a previously created context to be used for this call - * @param fchg file to check - * @returns changes as OR'd list of GETDNS_FCHG_* values - * @returns GETDNS_FCHG_NONE if no changes - * @returns GETDNS_FCHG_ERRORS if problems (see fchg->errors for details) - */ -int -_getdns_filechg_check(struct getdns_context *context, struct filechg *fchg) +getdns_return_t +getdns_context_get_hosts(getdns_context *context, const char **hosts) { - struct stat *finfo; + if (!context || !hosts) + return GETDNS_RETURN_INVALID_PARAMETER; - if(fchg == NULL) - return 0; + *hosts = *context->fchg_hosts.fn ? context->fchg_hosts.fn : NULL; + return GETDNS_RETURN_GOOD; +} - fchg->errors = GETDNS_FCHG_NOERROR; - fchg->changes = GETDNS_FCHG_NOCHANGES; - - finfo = GETDNS_MALLOC(context->my_mf, struct stat); - if(finfo == NULL) - { - fchg->errors = errno; - return GETDNS_FCHG_ERRORS; - } - - if(stat(fchg->fn, finfo) != 0) - { - GETDNS_FREE(context->my_mf, finfo); - fchg->errors = errno; - return GETDNS_FCHG_ERRORS; - } - - /* we want to consider a file that previously returned error for stat() as a - change */ - - if(fchg->prevstat == NULL) - fchg->changes = GETDNS_FCHG_MTIME | GETDNS_FCHG_CTIME; - else - { - if(fchg->prevstat->st_mtime != finfo->st_mtime) - fchg->changes |= GETDNS_FCHG_MTIME; - if(fchg->prevstat->st_ctime != finfo->st_ctime) - fchg->changes |= GETDNS_FCHG_CTIME; - GETDNS_FREE(context->my_mf, fchg->prevstat); - } - fchg->prevstat = finfo; - - return fchg->changes; -} /* filechg */ static getdns_upstreams * upstreams_create(getdns_context *context, size_t size) @@ -707,12 +728,16 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams) { _getdns_closesocket(upstream->fd); } + if (upstream->tcp.read_buf) + GETDNS_FREE(upstreams->mf, upstream->tcp.read_buf); while (pin) { sha256_pin_t *nextpin = pin->next; GETDNS_FREE(upstreams->mf, pin); pin = nextpin; } upstream->tls_pubkey_pinset = NULL; + if (upstream->tls_cipher_list) + GETDNS_FREE(upstreams->mf, upstream->tls_cipher_list); } GETDNS_FREE(upstreams->mf, upstreams); } @@ -996,6 +1021,7 @@ upstream_init(getdns_upstream *upstream, upstream->fd = -1; upstream->tls_obj = NULL; upstream->tls_session = NULL; + upstream->tls_cipher_list = NULL; upstream->transport = GETDNS_TRANSPORT_TCP; upstream->tls_hs_state = GETDNS_HS_NONE; upstream->tls_auth_name[0] = '\0'; @@ -1094,7 +1120,7 @@ static int get_dns_suffix_windows(getdns_list *suffix, char* domain) static getdns_return_t -set_os_defaults_windows(struct getdns_context *context) +set_os_defaults_windows(getdns_context *context) { char domain[1024] = ""; size_t upstreams_limit = 10; @@ -1106,19 +1132,8 @@ set_os_defaults_windows(struct getdns_context *context) int s; uint32_t info_err = 0; - if (context->fchg_resolvconf == NULL) { - context->fchg_resolvconf = - GETDNS_MALLOC(context->my_mf, struct filechg); - if (context->fchg_resolvconf == NULL) - return GETDNS_RETURN_MEMORY_ERROR; - context->fchg_resolvconf->fn = "InvalidOnWindows"; - context->fchg_resolvconf->prevstat = NULL; - context->fchg_resolvconf->changes = GETDNS_FCHG_NOCHANGES; - context->fchg_resolvconf->errors = GETDNS_FCHG_NOERROR; - } - _getdns_filechg_check(context, context->fchg_resolvconf); - - context->upstreams = upstreams_create(context, upstreams_limit); + if (!(context->upstreams = upstreams_create(context, upstreams_limit))) + return GETDNS_RETURN_MEMORY_ERROR; memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ @@ -1189,8 +1204,8 @@ set_os_defaults_windows(struct getdns_context *context) #else -static getdns_return_t -set_os_defaults(struct getdns_context *context) +getdns_return_t +getdns_context_set_resolvconf(getdns_context *context, const char *resolvconf) { FILE *in; char line[1024], domain[1024]; @@ -1202,21 +1217,18 @@ set_os_defaults(struct getdns_context *context) getdns_list *suffix; int s; - if(context->fchg_resolvconf == NULL) { - context->fchg_resolvconf = - GETDNS_MALLOC(context->my_mf, struct filechg); - if(context->fchg_resolvconf == NULL) - return GETDNS_RETURN_MEMORY_ERROR; - context->fchg_resolvconf->fn = "/etc/resolv.conf"; - context->fchg_resolvconf->prevstat = NULL; - context->fchg_resolvconf->changes = GETDNS_FCHG_NOCHANGES; - context->fchg_resolvconf->errors = GETDNS_FCHG_NOERROR; - } - _getdns_filechg_check(context, context->fchg_resolvconf); + if (!context || !resolvconf) + return GETDNS_RETURN_INVALID_PARAMETER; - in = fopen(context->fchg_resolvconf->fn, "r"); - if (!in) - return GETDNS_RETURN_GOOD; + + (void) strlcpy( context->fchg_resolvconf.fn, resolvconf, _GETDNS_PATH_MAX); + (void) memset(&context->fchg_resolvconf.prevstat, 0, sizeof(struct stat)); + context->fchg_resolvconf.changes = GETDNS_FCHG_NOCHANGES; + context->fchg_resolvconf.errors = GETDNS_FCHG_NOERROR; + (void) _getdns_filechg_check(&context->fchg_resolvconf); + + if (!(in = fopen(context->fchg_resolvconf.fn, "r"))) + return GETDNS_RETURN_IO_ERROR; upstream_count = 0; while (fgets(line, (int)sizeof(line), in)) @@ -1225,12 +1237,16 @@ set_os_defaults(struct getdns_context *context) fclose(in); suffix = getdns_list_create_with_context(context); - context->upstreams = upstreams_create( - context, upstream_count * GETDNS_UPSTREAM_TRANSPORTS); - - in = fopen(context->fchg_resolvconf->fn, "r"); - if (!in) - return GETDNS_RETURN_GOOD; + if (context->upstreams) { + _getdns_upstreams_dereference(context->upstreams); + context->upstreams = NULL; + } + if (!(context->upstreams = upstreams_create( + context, upstream_count * GETDNS_UPSTREAM_TRANSPORTS))) { + return GETDNS_RETURN_MEMORY_ERROR; + } + if (!(in = fopen(context->fchg_resolvconf.fn, "r"))) + return GETDNS_RETURN_IO_ERROR; memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ @@ -1306,10 +1322,25 @@ set_os_defaults(struct getdns_context *context) (void )getdns_context_set_suffix(context, suffix); getdns_list_destroy(suffix); + dispatch_updated(context, + GETDNS_CONTEXT_CODE_UPSTREAM_RECURSIVE_SERVERS); + return GETDNS_RETURN_GOOD; } /* set_os_defaults */ #endif +getdns_return_t +getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf) +{ + if (!context || !resolvconf) + return GETDNS_RETURN_INVALID_PARAMETER; + + *resolvconf = *context->fchg_resolvconf.fn + ? context->fchg_resolvconf.fn : NULL; + return GETDNS_RETURN_GOOD; +} + + /* compare of transaction ids in DESCENDING order so that 0 comes last */ @@ -1362,11 +1393,11 @@ static void _getdns_check_expired_pending_netreqs_cb(void *arg) _getdns_check_expired_pending_netreqs((getdns_context *)arg, &now_ms); } -static const char *_getdns_default_trust_anchors_url = +static char const * const _getdns_default_trust_anchors_url = "http://data.iana.org/root-anchors/root-anchors.xml"; /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */ -static const char *_getdns_default_trust_anchors_verify_CA = +static char const * const _getdns_default_trust_anchors_verify_CA = "-----BEGIN CERTIFICATE-----\n" "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n" "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n" @@ -1389,9 +1420,12 @@ static const char *_getdns_default_trust_anchors_verify_CA = "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n" "-----END CERTIFICATE-----\n"; -static const char *_getdns_default_trust_anchors_verify_email = +static char const * const _getdns_default_trust_anchors_verify_email = "dnssec@iana.org"; +static char const * const _getdns_default_tls_cipher_list = + "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:" + "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20"; /* * getdns_context_create @@ -1400,7 +1434,7 @@ static const char *_getdns_default_trust_anchors_verify_email = */ getdns_return_t getdns_context_create_with_extended_memory_functions( - struct getdns_context ** context, + getdns_context **context, int set_from_os, void *userarg, void *(*malloc)(void *userarg, size_t), @@ -1498,6 +1532,9 @@ getdns_context_create_with_extended_memory_functions( result->trust_anchors_verify_email = NULL; result->trust_anchors_verify_CA = NULL; result->appdata_dir = NULL; + result->tls_ca_path = NULL; + result->tls_ca_file = NULL; + result->tls_cipher_list = NULL; (void) memset(&result->root_ksk, 0, sizeof(result->root_ksk)); @@ -1571,17 +1608,8 @@ getdns_context_create_with_extended_memory_functions( /* state data used to detect changes to the system config files */ - result->fchg_resolvconf = NULL; - result->fchg_hosts = NULL; - - // resolv.conf does not exist on Windows, handle differently -#ifndef USE_WINSOCK - if ((set_from_os & 1) && (r = set_os_defaults(result))) - goto error; -#else - if ((set_from_os & 1) && (r = set_os_defaults_windows(result))) - goto error; -#endif + (void)memset(&result->fchg_resolvconf, 0, sizeof(struct filechg)); + (void)memset(&result->fchg_hosts , 0, sizeof(struct filechg)); result->dnssec_allowed_skew = 0; result->edns_maximum_udp_payload_size = -1; @@ -1632,8 +1660,16 @@ getdns_context_create_with_extended_memory_functions( _getdns_mdns_context_init(result); #endif - create_local_hosts(result); - + // resolv.conf does not exist on Windows, handle differently +#ifndef USE_WINSOCK + if ((set_from_os & 1)) { + (void) getdns_context_set_resolvconf(result, GETDNS_FN_RESOLVCONF); + (void) getdns_context_set_hosts(result, GETDNS_FN_HOSTS); + } +#else + if ((set_from_os & 1) && (r = set_os_defaults_windows(result))) + goto error; +#endif *context = result; return GETDNS_RETURN_GOOD; @@ -1676,7 +1712,6 @@ getdns_context_create(struct getdns_context ** context, int set_from_os) set_from_os, malloc, realloc, free); } /* getdns_context_create */ - /* * getdns_context_destroy * @@ -1731,16 +1766,6 @@ getdns_context_destroy(struct getdns_context *context) if (context->dns_transports) GETDNS_FREE(context->my_mf, context->dns_transports); - if(context->fchg_resolvconf) { - if(context->fchg_resolvconf->prevstat) - GETDNS_FREE(context->my_mf, context->fchg_resolvconf->prevstat); - GETDNS_FREE(context->my_mf, context->fchg_resolvconf); - } - if(context->fchg_hosts) { - if(context->fchg_hosts->prevstat) - GETDNS_FREE(context->my_mf, context->fchg_hosts->prevstat); - GETDNS_FREE(context->my_mf, context->fchg_hosts); - } if (context->tls_ctx) SSL_CTX_free(context->tls_ctx); @@ -1774,6 +1799,12 @@ getdns_context_destroy(struct getdns_context *context) , context->trust_anchors_verify_email); if (context->appdata_dir) GETDNS_FREE(context->mf, context->appdata_dir); + if (context->tls_ca_path) + GETDNS_FREE(context->mf, context->tls_ca_path); + if (context->tls_ca_file) + GETDNS_FREE(context->mf, context->tls_ca_file); + if (context->tls_cipher_list) + GETDNS_FREE(context->mf, context->tls_cipher_list); #ifdef USE_WINSOCK WSACleanup(); @@ -2962,16 +2993,19 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, upstream->addr.ss_family = addr.ss_family; upstream_init(upstream, upstreams, ai); upstream->transport = getdns_upstream_transports[j]; - if (getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) { + if (dict && getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) { getdns_list *pubkey_pinset = NULL; - if (dict && (r = getdns_dict_get_bindata( + getdns_bindata *tls_cipher_list = NULL; + + if ((r = getdns_dict_get_bindata( dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) { if (tls_auth_name->size >= sizeof(upstream->tls_auth_name)) { - /* tls_auth_name's are just - * domain names and should - * thus not be larger than 256 - * bytes. + /* tls_auth_name's are + * domain names in presentation + * format and, taking escaping + * into account, should not + * be larger than 1024 bytes. */ goto invalid_parameter; } @@ -2981,7 +3015,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, upstream->tls_auth_name [tls_auth_name->size] = '\0'; } - if (dict && (r = getdns_dict_get_list(dict, "tls_pubkey_pinset", + if ((r = getdns_dict_get_list(dict, "tls_pubkey_pinset", &pubkey_pinset)) == GETDNS_RETURN_GOOD) { /* TODO: what if the user supplies tls_pubkey_pinset with * something other than a list? */ @@ -2991,6 +3025,12 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, if (r != GETDNS_RETURN_GOOD) goto invalid_parameter; } + (void) getdns_dict_get_bindata( + dict, "tls_cipher_list", &tls_cipher_list); + upstream->tls_cipher_list = tls_cipher_list + ? _getdns_strdup2(&upstreams->mf + , tls_cipher_list) + : NULL; } if ((upstream->tsig_alg = tsig_alg)) { if (tsig_name) { @@ -3564,15 +3604,20 @@ _getdns_context_prepare_for_resolution(getdns_context *context) # endif /* Be strict and only use the cipher suites recommended in RFC7525 Unless we later fallback to opportunistic. */ - const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM"; - if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS)) + if (!SSL_CTX_set_cipher_list(context->tls_ctx, + context->tls_cipher_list ? context->tls_cipher_list + : _getdns_default_tls_cipher_list)) return GETDNS_RETURN_BAD_CONTEXT; /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/ + if ((context->tls_ca_file || context->tls_ca_path) && + SSL_CTX_load_verify_locations(context->tls_ctx + , context->tls_ca_file, context->tls_ca_path)) + ; /* pass */ # ifndef USE_WINSOCK - if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { + else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { # else - if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { + else if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { # endif /* USE_WINSOCK */ if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) return GETDNS_RETURN_BAD_CONTEXT; @@ -3611,7 +3656,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context) return r; } /* _getdns_context_prepare_for_resolution */ -char * +static char * _getdns_strdup(const struct mem_funcs *mfs, const char *s) { size_t sz; @@ -3869,6 +3914,73 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_CA", str_value); if (!getdns_context_get_trust_anchors_verify_email(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_email", str_value); + if (!getdns_context_get_resolvconf(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "resolvconf", str_value); + if (!getdns_context_get_hosts(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "hosts", str_value); + if (!getdns_context_get_tls_ca_path(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "tls_ca_path", str_value); + if (!getdns_context_get_tls_ca_file(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "tls_ca_file", str_value); + if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value); + + /* Default settings for extensions */ + (void)getdns_dict_set_int( + result, "add_warning_for_bad_dns", + context->add_warning_for_bad_dns ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_all_statuses", + context->dnssec_return_all_statuses ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_full_validation_chain", + context->dnssec_return_full_validation_chain ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_only_secure", + context->dnssec_return_only_secure ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_status", + context->dnssec_return_status ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_validation_chain", + context->dnssec_return_validation_chain ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + +#if defined(DNSSEC_ROADBLOCK_AVOIDANCE) && defined(HAVE_LIBUNBOUND) + (void)getdns_dict_set_int( + result, "dnssec_roadblock_avoidance", + context->dnssec_roadblock_avoidance ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); +#endif +#ifdef EDNS_COOKIES + (void)getdns_dict_set_int( + result, "edns_cookies", + context->edns_cookies ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); +#endif + (void)getdns_dict_set_int( + result, "return_both_v4_and_v6", + context->return_both_v4_and_v6 ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "return_call_reporting", + context->return_call_reporting ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int(result, "specify_class", + (uint32_t)context->specify_class); + + if (context->add_opt_parameters) + (void)getdns_dict_set_dict( + result, "add_opt_parameters", context->add_opt_parameters); + + if (context->header) + (void)getdns_dict_set_dict( + result, "header", context->add_opt_parameters); return result; error: @@ -3905,6 +4017,39 @@ getdns_context_get_api_information(getdns_context* context) && ! getdns_dict_util_set_string( result, "default_trust_anchor_location", TRUST_ANCHOR_FILE) + && ! getdns_dict_util_set_string( + result, "default_resolvconf_location", GETDNS_FN_RESOLVCONF) + + && ! getdns_dict_util_set_string( + result, "default_hosts_location", GETDNS_FN_HOSTS) + + && ! getdns_dict_set_int( + result, "openssl_build_version_number", OPENSSL_VERSION_NUMBER) + +#ifdef HAVE_OPENSSL_VERSION_NUM + && ! getdns_dict_set_int( + result, "openssl_version_number", OpenSSL_version_num()) +#endif +#ifdef HAVE_OPENSSL_VERSION + && ! getdns_dict_util_set_string( + result, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION)) + + && ! getdns_dict_util_set_string( + result, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS)) + + && ! getdns_dict_util_set_string( + result, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON)) + + && ! getdns_dict_util_set_string( + result, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM)) + + && ! getdns_dict_util_set_string( + result, "openssl_dir", OpenSSL_version(OPENSSL_DIR)) + + && ! getdns_dict_util_set_string( + result, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR)) +#endif + && ! getdns_dict_set_int( result, "resolution_type", context->resolution_type) @@ -4363,6 +4508,11 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context, break; } } + if (upstream->tls_cipher_list) { + (void) getdns_dict_util_set_string( + d, "tls_cipher_list", + upstream->tls_cipher_list); + } } } if (!r) @@ -4565,6 +4715,13 @@ _getdns_context_config_setting(getdns_context *context, CONTEXT_SETTING_STRING(trust_anchors_verify_CA) CONTEXT_SETTING_STRING(trust_anchors_verify_email) CONTEXT_SETTING_STRING(appdata_dir) +#ifndef USE_WINSOCK + CONTEXT_SETTING_STRING(resolvconf) +#endif + CONTEXT_SETTING_STRING(hosts) + CONTEXT_SETTING_STRING(tls_ca_path) + CONTEXT_SETTING_STRING(tls_ca_file) + CONTEXT_SETTING_STRING(tls_cipher_list) /**************************************/ /**** ****/ @@ -4624,7 +4781,17 @@ _getdns_context_config_setting(getdns_context *context, && !_streq(setting, "api_version_number") && !_streq(setting, "trust_anchor_file") && !_streq(setting, "default_trust_anchor_location") + && !_streq(setting, "default_resolvconf_location") + && !_streq(setting, "default_hosts_location") && !_streq(setting, "compilation_comment") + && !_streq(setting, "openssl_build_version_number") + && !_streq(setting, "openssl_version_number") + && !_streq(setting, "openssl_version_string") + && !_streq(setting, "openssl_cflags") + && !_streq(setting, "openssl_built_on") + && !_streq(setting, "openssl_platform") + && !_streq(setting, "openssl_dir") + && !_streq(setting, "openssl_engines_dir") ) { r = GETDNS_RETURN_NOT_IMPLEMENTED; } @@ -5009,5 +5176,130 @@ getdns_context_set_appdata_dir( return GETDNS_RETURN_GOOD; } +getdns_context *_getdns_context_get_sys_ctxt( + getdns_context *context, getdns_eventloop *loop) +{ + getdns_return_t r; + + if (context->sys_ctxt) + return context->sys_ctxt; + + if ((r = getdns_context_create_with_extended_memory_functions( + &context->sys_ctxt, 1, context->mf.mf_arg, + context->mf.mf.ext.malloc, context->mf.mf.ext.realloc, + context->mf.mf.ext.free))) + DEBUG_ANCHOR("Could not create system context: %s\n" + , getdns_get_errorstr_by_id(r)); +#ifndef USE_WINSOCK + else if (*context->fchg_resolvconf.fn && + (r = getdns_context_set_resolvconf( + context->sys_ctxt, context->fchg_resolvconf.fn))) + DEBUG_ANCHOR("Could initialize system context with resolvconf " + "\"%s\": %s\n", context->fchg_resolvconf.fn + , getdns_get_errorstr_by_id(r)); +#endif + else if (*context->fchg_hosts.fn && + (r = getdns_context_set_hosts( + context->sys_ctxt, context->fchg_hosts.fn))) + DEBUG_ANCHOR("Could initialize system context with hosts " + "\"%s\": %s\n", context->fchg_resolvconf.fn + , getdns_get_errorstr_by_id(r)); + + else if ((r = getdns_context_set_eventloop( + context->sys_ctxt, loop))) + DEBUG_ANCHOR("Could not configure %ssynchronous loop " + "with system context: %s\n" + , ( loop == &context->sync_eventloop.loop + ? "" : "a" ) + , getdns_get_errorstr_by_id(r)); + + else if ((r = getdns_context_set_resolution_type( + context->sys_ctxt, GETDNS_RESOLUTION_STUB))) + DEBUG_ANCHOR("Could not configure system context for " + "stub resolver: %s\n" + , getdns_get_errorstr_by_id(r)); + else + return context->sys_ctxt; + + getdns_context_destroy(context->sys_ctxt); + context->sys_ctxt = NULL; + return NULL; +} + +getdns_return_t +getdns_context_set_tls_ca_path(getdns_context *context, const char *tls_ca_path) +{ + if (!context || !tls_ca_path) + return GETDNS_RETURN_INVALID_PARAMETER; + if (context->tls_ca_path) + GETDNS_FREE(context->mf, context->tls_ca_path); + context->tls_ca_path = _getdns_strdup(&context->mf, tls_ca_path); + + dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CA_PATH); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path) +{ + if (!context || !tls_ca_path) + return GETDNS_RETURN_INVALID_PARAMETER; + + *tls_ca_path = context->tls_ca_path; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file) +{ + if (!context || !tls_ca_file) + return GETDNS_RETURN_INVALID_PARAMETER; + if (context->tls_ca_file) + GETDNS_FREE(context->mf, context->tls_ca_file); + context->tls_ca_file = _getdns_strdup(&context->mf, tls_ca_file); + + dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CA_FILE); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file) +{ + if (!context || !tls_ca_file) + return GETDNS_RETURN_INVALID_PARAMETER; + + *tls_ca_file = context->tls_ca_file; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_set_tls_cipher_list( + getdns_context *context, const char *tls_cipher_list) +{ + if (!context) + return GETDNS_RETURN_INVALID_PARAMETER; + if (context->tls_cipher_list) + GETDNS_FREE(context->mf, context->tls_cipher_list); + context->tls_cipher_list = tls_cipher_list + ? _getdns_strdup(&context->mf, tls_cipher_list) + : NULL; + + dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_get_tls_cipher_list( + getdns_context *context, const char **tls_cipher_list) +{ + if (!context || !tls_cipher_list) + return GETDNS_RETURN_INVALID_PARAMETER; + + *tls_cipher_list = context->tls_cipher_list + ? context->tls_cipher_list + : _getdns_default_tls_cipher_list; + return GETDNS_RETURN_GOOD; +} + /* context.c */ diff --git a/src/context.h b/src/context.h index 1a6d93a4..b4319403 100644 --- a/src/context.h +++ b/src/context.h @@ -54,9 +54,6 @@ struct getdns_dns_req; struct ub_ctx; -#define GETDNS_FN_RESOLVCONF "/etc/resolv.conf" -#define GETDNS_FN_HOSTS "/etc/hosts" - enum filechgs { GETDNS_FCHG_ERRORS = -1 , GETDNS_FCHG_NOERROR = 0 , GETDNS_FCHG_NOCHANGES = 0 @@ -72,10 +69,10 @@ typedef void (*getdns_update_callback2) (struct getdns_context *, /* internal use only for detecting changes to system files */ struct filechg { - char *fn; + char fn[_GETDNS_PATH_MAX]; int changes; int errors; - struct stat *prevstat; + struct stat prevstat; }; typedef enum getdns_tls_hs_state { @@ -208,6 +205,7 @@ typedef struct getdns_upstream { getdns_tls_hs_state_t tls_hs_state; getdns_auth_state_t tls_auth_state; unsigned tls_fallback_ok : 1; + char *tls_cipher_list; /* Auth credentials*/ char tls_auth_name[256]; sha256_pin_t *tls_pubkey_pinset; @@ -346,6 +344,10 @@ struct getdns_context { char *appdata_dir; _getdns_property can_write_appdata; + char *tls_ca_path; + char *tls_ca_file; + char *tls_cipher_list; + getdns_upstreams *upstreams; uint16_t limit_outstanding_queries; uint32_t dnssec_allowed_skew; @@ -455,8 +457,8 @@ struct getdns_context { /* * state data used to detect changes to the system config files */ - struct filechg *fchg_resolvconf; - struct filechg *fchg_hosts; + struct filechg fchg_resolvconf; + struct filechg fchg_hosts; uint8_t trust_anchors_spc[1024]; @@ -527,8 +529,6 @@ void _getdns_context_cancel_request(getdns_dns_req *dnsreq); */ void _getdns_context_request_timed_out(getdns_dns_req *dnsreq); -char *_getdns_strdup(const struct mem_funcs *mfs, const char *str); - struct getdns_bindata *_getdns_bindata_copy( struct mem_funcs *mfs, size_t size, const uint8_t *data); @@ -540,8 +540,6 @@ void _getdns_bindata_destroy( getdns_return_t _getdns_context_local_namespace_resolve( getdns_dns_req* req, struct getdns_dict **response); -int _getdns_filechg_check(struct getdns_context *context, struct filechg *fchg); - void _getdns_context_ub_read_cb(void *userarg); void _getdns_upstreams_dereference(getdns_upstreams *upstreams); @@ -557,4 +555,7 @@ int _getdns_context_write_priv_file(getdns_context *context, int _getdns_context_can_write_appdata(getdns_context *context); +getdns_context *_getdns_context_get_sys_ctxt( + getdns_context *context, getdns_eventloop *loop); + #endif /* _GETDNS_CONTEXT_H_ */ diff --git a/src/dict.c b/src/dict.c index 99e347ad..27ed57be 100644 --- a/src/dict.c +++ b/src/dict.c @@ -1082,7 +1082,25 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent, strcmp(item->node.key, "follow_redirects") == 0 || strcmp(item->node.key, "transport") == 0 || strcmp(item->node.key, "resolution_type") == 0 || - strcmp(item->node.key, "tls_authentication") == 0 ) && + strcmp(item->node.key, "tls_authentication") == 0 || + + /* extensions */ + strcmp(item->node.key, "add_warning_for_bad_dns") == 0 || + strcmp(item->node.key, "dnssec_return_all_statuses") == 0 || + strcmp(item->node.key, "dnssec_return_full_validation_chain") == 0 || + strcmp(item->node.key, "dnssec_return_only_secure") == 0 || + strcmp(item->node.key, "dnssec_return_status") == 0 || + strcmp(item->node.key, "dnssec_return_validation_chain") == 0 || +#if defined(DNSSEC_ROADBLOCK_AVOIDANCE) && defined(HAVE_LIBUNBOUND) + strcmp(item->node.key, "dnssec_roadblock_avoidance") == 0 || +#endif +#ifdef EDNS_COOKIES + strcmp(item->node.key, "edns_cookies") == 0 || +#endif + strcmp(item->node.key, "return_api_information") == 0 || + strcmp(item->node.key, "return_both_v4_and_v6") == 0 || + strcmp(item->node.key, "return_call_reporting") == 0 + ) && (strval = _getdns_get_const_info(item->i.data.n)->name)) { if (gldns_buffer_printf(buf, " %s", strval) < 0) diff --git a/src/dnssec.c b/src/dnssec.c index 03e8c326..d4c6375b 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -3160,11 +3160,19 @@ static void check_chain_complete(chain_head *chain) _getdns_context_update_root_ksk(context,&node->dnskey); } else if (_getdns_bogus(dnsreq)) { + _getdns_rrsig_iter rrsig_spc; DEBUG_ANCHOR("Request was bogus!\n"); if ((head = chain) && (node = _to_the_root(head->parent)) + /* The root DNSKEY rrset */ && node->dnskey.name && *node->dnskey.name == 0 - && node->dnskey_req->dnssec_status == GETDNS_DNSSEC_BOGUS){ + /* We queried it and had a response */ + && node->dnskey_req + /* The response was bogus */ + && node->dnskey_req->dnssec_status == GETDNS_DNSSEC_BOGUS + /* The response was bogus, but not because it has no rrsigs */ + && _getdns_rrsig_iter_init(&rrsig_spc, &node->dnskey) + ){ DEBUG_ANCHOR("root DNSKEY set was bogus!\n"); if (!dnsreq->waiting_for_ta) { @@ -3394,10 +3402,21 @@ void _getdns_validation_chain_timeout(getdns_dns_req *dnsreq) void _getdns_cancel_validation_chain(getdns_dns_req *dnsreq) { - chain_head *head = dnsreq->chain, *next, *dnskey_head; + chain_head *head, *next; chain_node *node; size_t node_count; + /* Clear nodes under direct DNSKEY queries. + * They share the DNSKEY lookup netreq, but _dnskey_query() can not + * be used because we're free'ing the heads. + */ + for (head = dnsreq->chain; head; head = head->next) { + if ( head->rrset.rr_type == GETDNS_RRTYPE_DNSKEY + && head->node_count + && head->netreq == head->parent->dnskey_req) + head->parent->dnskey_req = NULL; + } + head = dnsreq->chain; dnsreq->chain = NULL; while (head) { next = head->next; @@ -3406,10 +3425,7 @@ void _getdns_cancel_validation_chain(getdns_dns_req *dnsreq) ; node_count ; node_count--, node = node->parent ) { - if (node->dnskey_req && - !( (dnskey_head = _dnskey_query(node)) - && dnskey_head->netreq == node->dnskey_req)) - + if (node->dnskey_req) _getdns_context_cancel_request( node->dnskey_req->owner); diff --git a/src/general.c b/src/general.c index b263c0a9..80b40a2c 100644 --- a/src/general.c +++ b/src/general.c @@ -116,7 +116,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) /* Do we have to check more suffixes on nxdomain/nodata? */ - if (dns_req->is_dns_request && + if (dns_req->is_dns_request == 1 && dns_req->suffix_appended && /* Something was appended */ dns_req->suffix_len > 1 && /* Next suffix available */ no_answer(dns_req)) { @@ -153,7 +153,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) return; } } else if ( - dns_req->is_dns_request && + dns_req->is_dns_request == 1 && ( dns_req->append_name == GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE || dns_req->append_name == @@ -206,7 +206,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) } else if (! results_found) _getdns_call_user_callback(dns_req, NULL); else if ( - dns_req->is_dns_request && + dns_req->is_dns_request == 1 && (dns_req->dnssec_return_validation_chain #ifdef DNSSEC_ROADBLOCK_AVOIDANCE || ( dns_req->dnssec_roadblock_avoidance @@ -343,7 +343,7 @@ _getdns_netreq_change_state( if (!netreq) return; - if (!netreq->owner->is_dns_request) { + if (netreq->owner->is_dns_request == 0) { netreq->state = new_state; return; } diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in index 4732a4a3..788f0d94 100644 --- a/src/getdns/getdns.h.in +++ b/src/getdns/getdns.h.in @@ -1687,6 +1687,8 @@ getdns_context_set_dnssec_allowed_skew(getdns_context *context, * - `value` A SHA256 hash of the `SubjectPublicKeyInfo` * of the upstream, which will be used to authenticate * it. + * - `tls_cipher_list` (a bindata) that is the string + * of available ciphers specific for this upstream. * @return GETDNS_RETURN_GOOD when successful. * @return GETDNS_RETURN_INVALID_PARAMETER when `context` or `upstream_list` was `NULL` * @return GETDNS_RETURN_CONTEXT_UPDATE_FAIL when there were problems parsing diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index ca62b2fb..f8cec882 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in @@ -53,6 +53,8 @@ extern "C" { * \addtogroup returntypestext Return values and texts * @{ */ +#define GETDNS_RETURN_IO_ERROR ((getdns_return_t) 397 ) +#define GETDNS_RETURN_IO_ERROR_TEXT "An input/output error occurred. Inspect errno for details." #define GETDNS_RETURN_NO_UPSTREAM_AVAILABLE ((getdns_return_t) 398 ) #define GETDNS_RETURN_NO_UPSTREAM_AVAILABLE_TEXT "None of the configured upstreams could be used to send queries on the specified transports" #define GETDNS_RETURN_NEED_MORE_SPACE ((getdns_return_t) 399 ) @@ -88,6 +90,16 @@ extern "C" { #define GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL_TEXT "Change related to getdns_context_set_trust_anchors_verify_email" #define GETDNS_CONTEXT_CODE_APPDATA_DIR 628 #define GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT "Change related to getdns_context_set_appdata_dir" +#define GETDNS_CONTEXT_CODE_RESOLVCONF 629 +#define GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT "Change related to getdns_context_set_resolvconf" +#define GETDNS_CONTEXT_CODE_HOSTS 630 +#define GETDNS_CONTEXT_CODE_HOSTS_TEXT "Change related to getdns_context_set_hosts" +#define GETDNS_CONTEXT_CODE_TLS_CA_PATH 631 +#define GETDNS_CONTEXT_CODE_TLS_CA_PATH_TEXT "Change related to getdns_context_set_tls_ca_path" +#define GETDNS_CONTEXT_CODE_TLS_CA_FILE 632 +#define GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT "Change related to getdns_context_set_tls_ca_file" +#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST 633 +#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list" /** @} */ @@ -680,6 +692,67 @@ getdns_return_t getdns_context_set_trust_anchors_verify_email( getdns_context *context, const char *verify_email); +/** + * Initialized the context's upstream recursive servers and suffixes + * with the values from the given resolv.conf file. + * @see getdns_context_get_resolvconf + * @see getdns_context_set_hosts + * @param[in] context The context to configure + * @param[in] resolvonf Defaults to /etc/resolv.conf + * @return GETDNS_RETURN_GOOD when successful and error code otherwise. + */ +getdns_return_t +getdns_context_set_resolvconf(getdns_context *context, const char *resolvconf); + +/** + * Initialized the context's GETDNS_NAMESPACE_LOCALNAMES namespace with + * values from the given hosts file. + * @see getdns_context_get_hosts + * @see getdns_context_set_resolvconf + * @param[in] context The context to configure + * @param[in] hosts Defaults to /etc/hosts + * @return GETDNS_RETURN_GOOD when successful and error code otherwise. + */ +getdns_return_t +getdns_context_set_hosts(getdns_context *context, const char *hosts); + +/** + * Specify where the location for CA certificates for verification purposes + * are located. + * @see getdns_context_get_tls_ca_path + * @see getdns_context_set_tls_ca_file + * @param[in] context The context to configure + * @param[in] tls_ca_path Directory with Certificate Authority certificates. + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_set_tls_ca_path(getdns_context *context, const char *tls_ca_path); + +/** + * Specify the file with CA certificates for verification purposes. + * @see getdns_context_get_tls_ca_file + * @see getdns_context_set_tls_ca_path + * @param[in] context The context to configure + * @param[in] tls_ca_file The file with Certificate Authority certificates. + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file); + +/** + * Sets the list of available ciphers for authenticated TLS upstreams. + * @see getdns_context_get_tls_cipher_list + * @param[in] context The context to configure + * @param[in] cipher_list The cipher list + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_set_tls_cipher_list( + getdns_context *context, const char *cipher_list); + /** * Get the current resolution type setting from this context. * @see getdns_context_set_resolution_type @@ -1134,6 +1207,71 @@ getdns_return_t getdns_context_get_trust_anchors_verify_email( getdns_context *context, const char **verify_email); +/** + * Get the value with which the context's upstream recursive servers + * and suffixes were initialized. + * @see getdns_context_set_resolvconf + * @see getdns_context_get_hosts + * @param[in] context The context to configure + * @param[out] resolvonf NULL if the context was not initialized with a + * resolv.conf file. + * @return GETDNS_RETURN_GOOD when successful and error code otherwise. + */ +getdns_return_t +getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf); + +/** + * Get the value with which the context's GETDNS_NAMESPACE_LOCALNAMES namespace + * was initialized. + * @see getdns_context_set_hosts + * @see getdns_context_get_resolvconf + * @param[in] context The context to configure + * @param[out] hosts NULL when GETDNS_NAMESPACE_LOCALNAMES namespace + * was not initialized. + * @return GETDNS_RETURN_GOOD when successful and error code otherwise. + */ +getdns_return_t +getdns_context_get_hosts(getdns_context *context, const char **hosts); + +/** + * Get the location of the directory for CA certificates for verification + * purposes. + * @see getdns_context_set_tls_ca_path + * @see getdns_context_get_tls_ca_file + * @param[in] context The context to configure + * @param[out] tls_ca_path Directory with Certificate Authority certificates + * or NULL when one was not configured. + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path); + +/** + * Get the file location with CA certificates for verification purposes. + * @see getdns_context_set_tls_ca_file + * @see getdns_context_get_tls_ca_path + * @param[in] context The context to configure + * @param[out] tls_ca_file The file with Certificate Authority certificates + * or NULL when one was not configured. + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file); + +/** + * Get the list of available ciphers for authenticated TLS upstreams. + * @see getdns_context_set_tls_cipher_list + * @param[in] context The context configure + * @param[out] cipher_list The cipher list + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_get_tls_cipher_list( + getdns_context *context, const char **cipher_list); + /** @} */ diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols index 3f26578a..02c64b19 100644 --- a/src/libgetdns.symbols +++ b/src/libgetdns.symbols @@ -21,16 +21,21 @@ getdns_context_get_edns_maximum_udp_payload_size getdns_context_get_edns_version getdns_context_get_eventloop getdns_context_get_follow_redirects +getdns_context_get_hosts getdns_context_get_idle_timeout getdns_context_get_limit_outstanding_queries getdns_context_get_namespaces getdns_context_get_num_pending_requests getdns_context_get_resolution_type +getdns_context_get_resolvconf getdns_context_get_round_robin_upstreams getdns_context_get_suffix getdns_context_get_timeout getdns_context_get_tls_authentication getdns_context_get_tls_backoff_time +getdns_context_get_tls_ca_file +getdns_context_get_tls_ca_path +getdns_context_get_tls_cipher_list getdns_context_get_tls_connection_retries getdns_context_get_tls_query_padding_blocksize getdns_context_get_trust_anchors_url @@ -56,6 +61,7 @@ getdns_context_set_edns_version getdns_context_set_eventloop getdns_context_set_extended_memory_functions getdns_context_set_follow_redirects +getdns_context_set_hosts getdns_context_set_idle_timeout getdns_context_set_limit_outstanding_queries getdns_context_set_listen_addresses @@ -63,12 +69,16 @@ getdns_context_set_logfunc getdns_context_set_memory_functions getdns_context_set_namespaces getdns_context_set_resolution_type +getdns_context_set_resolvconf getdns_context_set_return_dnssec_status getdns_context_set_round_robin_upstreams getdns_context_set_suffix getdns_context_set_timeout getdns_context_set_tls_authentication getdns_context_set_tls_backoff_time +getdns_context_set_tls_ca_file +getdns_context_set_tls_ca_path +getdns_context_set_tls_cipher_list getdns_context_set_tls_connection_retries getdns_context_set_tls_query_padding_blocksize getdns_context_set_trust_anchors_url diff --git a/src/request-internal.c b/src/request-internal.c index c9f27db0..cc082039 100644 --- a/src/request-internal.c +++ b/src/request-internal.c @@ -84,6 +84,12 @@ getdns_dict dnssec_ok_checking_disabled_avoid_roadblocks_spc = { getdns_dict *dnssec_ok_checking_disabled_avoid_roadblocks = &dnssec_ok_checking_disabled_avoid_roadblocks_spc; +getdns_dict no_dnssec_checking_disabled_opportunistic_spc = { + { RBTREE_NULL, 0, (int (*)(const void *, const void *)) strcmp }, + { NULL, {{ NULL, NULL, NULL }}} +}; +getdns_dict *no_dnssec_checking_disabled_opportunistic + = &no_dnssec_checking_disabled_opportunistic_spc; static int is_extension_set(getdns_dict *extensions, const char *name, int default_value) @@ -94,7 +100,8 @@ is_extension_set(getdns_dict *extensions, const char *name, int default_value) if ( ! extensions || extensions == dnssec_ok_checking_disabled || extensions == dnssec_ok_checking_disabled_roadblock_avoidance - || extensions == dnssec_ok_checking_disabled_avoid_roadblocks) + || extensions == dnssec_ok_checking_disabled_avoid_roadblocks + || extensions == no_dnssec_checking_disabled_opportunistic) return 0; r = getdns_dict_get_int(extensions, name, &value); @@ -155,8 +162,8 @@ netreq_reset(getdns_network_req *net_req) static int network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, - uint16_t request_type, int dnssec_extension_set, int with_opt, - int edns_maximum_udp_payload_size, + uint16_t request_type, int checking_disabled, int opportunistic, + int with_opt, int edns_maximum_udp_payload_size, uint8_t edns_extended_rcode, uint8_t edns_version, int edns_do_bit, uint16_t opt_options_size, size_t noptions, getdns_list *options, size_t wire_data_sz, size_t max_query_sz, getdns_dict *extensions) @@ -186,6 +193,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, owner->context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED && owner->context->dns_transport_count == 1 && owner->context->dns_transports[0] == GETDNS_TRANSPORT_TLS + && !opportunistic ? GETDNS_AUTHENTICATION_REQUIRED : GETDNS_AUTHENTICATION_NONE; @@ -240,7 +248,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, _getdns_reply_dict2wire(owner->context->header, &gbuf, 1); gldns_buffer_rewind(&gbuf); _getdns_reply_dict2wire(extensions, &gbuf, 1); - if (dnssec_extension_set) /* We will do validation ourselves */ + if (checking_disabled) /* We will do validation ourselves */ GLDNS_CD_SET(net_req->query); if (with_opt) { @@ -762,8 +770,24 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, */ size_t max_query_sz, max_response_sz, netreq_sz, dnsreq_base_sz; uint8_t *region, *suffixes; + int checking_disabled = dnssec_extension_set; + int opportunistic = 0; - if (extensions == dnssec_ok_checking_disabled || + if (extensions == no_dnssec_checking_disabled_opportunistic) { + dnssec_return_status = 0; + dnssec_return_only_secure = 0; + dnssec_return_all_statuses = 0; + dnssec_return_full_validation_chain = 0; + dnssec_return_validation_chain = 0; + dnssec_extension_set = 0; +#ifdef DNSSEC_ROADBLOCK_AVOIDANCE + dnssec_roadblock_avoidance = 0; + avoid_dnssec_roadblocks = 0; +#endif + extensions = NULL; + checking_disabled = 1; + opportunistic = 1; + } else if (extensions == dnssec_ok_checking_disabled || extensions == dnssec_ok_checking_disabled_roadblock_avoidance || extensions == dnssec_ok_checking_disabled_avoid_roadblocks) extensions = NULL; @@ -866,6 +890,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, if (! (region = GETDNS_XMALLOC(context->mf, uint8_t, dnsreq_base_sz + (a_aaaa_query ? 2 : 1) * netreq_sz))) return NULL; + (void) memset(region, 0, sizeof(getdns_dns_req)); result = (getdns_dns_req *)region; result->netreqs[0] = (getdns_network_req *)(region + dnsreq_base_sz); @@ -972,8 +997,8 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, result->chain = NULL; network_req_init(result->netreqs[0], result, - request_type, dnssec_extension_set, with_opt, - edns_maximum_udp_payload_size, + request_type, checking_disabled, opportunistic, + with_opt, edns_maximum_udp_payload_size, edns_extended_rcode, edns_version, edns_do_bit, (uint16_t) opt_options_size, noptions, options, netreq_sz - sizeof(getdns_network_req), max_query_sz, @@ -983,7 +1008,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, network_req_init(result->netreqs[1], result, ( request_type == GETDNS_RRTYPE_A ? GETDNS_RRTYPE_AAAA : GETDNS_RRTYPE_A ), - dnssec_extension_set, with_opt, + checking_disabled, opportunistic, with_opt, edns_maximum_udp_payload_size, edns_extended_rcode, edns_version, edns_do_bit, (uint16_t) opt_options_size, noptions, options, diff --git a/src/stub.c b/src/stub.c index 10745928..07f22fcd 100644 --- a/src/stub.c +++ b/src/stub.c @@ -151,15 +151,19 @@ calc_new_cookie(getdns_upstream *upstream, uint8_t *cookie) static getdns_return_t attach_edns_client_subnet_private(getdns_network_req *req) { - /* see - * https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-04#section-6 */ - /* all-zeros is a request to not leak the data further: */ - /* "\x00\x00" FAMILY: 0 (because no address) */ - /* "\x00" SOURCE PREFIX-LENGTH: 0 */ - /* "\x00"; SCOPE PREFIX-LENGTH: 0 */ - return _getdns_network_req_add_upstream_option(req, - GLDNS_EDNS_CLIENT_SUBNET, - 4, NULL); + /* see https://tools.ietf.org/html/rfc7871#section-7.1.2 + * all-zeros is a request to not leak the data further: + * A two byte FAMILY field is a SHOULD even when SOURCE + * and SCOPE are 0. + * "\x00\x02" FAMILY: 2 for IPv6 upstreams in network byte order, or + * "\x00\x01" FAMILY: 1 for IPv4 upstreams in network byte order, then: + * "\x00" SOURCE PREFIX-LENGTH: 0 + * "\x00"; SCOPE PREFIX-LENGTH: 0 + */ + return _getdns_network_req_add_upstream_option( + req, GLDNS_EDNS_CLIENT_SUBNET, 4, + ( req->upstream->addr.ss_family == AF_INET6 + ? "\x00\x02\x00\x00" : "\x00\x01\x00\x00" )); } static getdns_return_t @@ -982,9 +986,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) SSL_set_cipher_list(ssl, "DEFAULT"); DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n", STUB_DEBUG_SETUP_TLS, __FUNC__); - } else + } else { + if (upstream->tls_cipher_list) + SSL_set_cipher_list(ssl, upstream->tls_cipher_list); DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, __FUNC__); + } SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback); SSL_set_connect_state(ssl); diff --git a/src/sync.c b/src/sync.c index debf904b..e592e7d1 100644 --- a/src/sync.c +++ b/src/sync.c @@ -112,7 +112,10 @@ getdns_sync_data_cleanup(getdns_sync_data *data) /* If statefull upstream have events scheduled against the sync loop, * reschedule against the async loop. */ - for (i = 0; i < ctxt->upstreams->count; i++) { + if (!ctxt->upstreams) + ; /* pass */ + + else for (i = 0; i < ctxt->upstreams->count; i++) { upstream = &ctxt->upstreams->upstreams[i]; if (upstream->loop != &data->context->sync_eventloop.loop) continue; diff --git a/src/test/check_getdns_context_set_dns_transport.h b/src/test/check_getdns_context_set_dns_transport.h index f76ee74b..fbd7f503 100644 --- a/src/test/check_getdns_context_set_dns_transport.h +++ b/src/test/check_getdns_context_set_dns_transport.h @@ -144,6 +144,8 @@ uint16_t payload_size; uint8_t do_bit; getdns_transport_t trans; + int upstream_is_dnsmasq = 0; + getdns_bindata *version_str = NULL; /* Note that stricly this test just establishes that the requested transport and the reported transport are consistent, it does not guarentee which @@ -156,6 +158,7 @@ ASSERT_RC(getdns_dict_set_int(extensions,"return_call_reporting", GETDNS_EXTENSION_TRUE), GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); + /* Request a response that should be truncated over UDP */ ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_ONLY), GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); @@ -163,6 +166,15 @@ GETDNS_RETURN_GOOD, "Return code from getdns_context_get_dns_transport()"); ck_assert_msg(trans == 541, "dns_transport should be 541(GETDNS_TRANSPORT_UDP_ONLY) but got %d", (int)trans); + ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_CH), + GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); + ASSERT_RC(getdns_general_sync(context, "version.bind.", GETDNS_RRTYPE_TXT, extensions, &response), + GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); + (void) getdns_dict_get_bindata(response, "/replies_tree/0/answer/0/rdata/txt_strings/0", &version_str); + upstream_is_dnsmasq = version_str && version_str->size > 7 && + strncmp((char *)version_str->data, "dnsmasq", 7) == 0; + ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_IN), + GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); ASSERT_RC(getdns_context_set_edns_maximum_udp_payload_size(context, 512), GETDNS_RETURN_GOOD, "Return code from getdns_context_set_edns_maximum_udp_payload_size()"); @@ -187,35 +199,36 @@ ASSERT_RC(type, GETDNS_RESOLUTION_STUB, "Query did not use stub mode"); ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); - ASSERT_RC(tc, 1, "Packet not trucated as expected"); + if (!upstream_is_dnsmasq) { + ASSERT_RC(tc, 1, "Packet not truncated as expected"); - /* Re-do over TCP */ - ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY), - GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); + /* Re-do over TCP */ + ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY), + GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); + + ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), + GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); - ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), - GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); + ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport), + GETDNS_RETURN_GOOD, "Failed to extract \"transport\""); + ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP"); + ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), + GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); + ASSERT_RC(tc, 0, "Packet trucated - not as expected"); - ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport), - GETDNS_RETURN_GOOD, "Failed to extract \"transport\""); - ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP"); - ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), - GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); - ASSERT_RC(tc, 0, "Packet trucated - not as expected"); - - /* Now let it fall back to TCP */ - ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP), - GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); - ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), - GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); - - ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport), - GETDNS_RETURN_GOOD, "Failed to extract \"transport\""); - ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP"); - ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), - GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); - ASSERT_RC(tc, 0, "Packet trucated - not as expected"); + /* Now let it fall back to TCP */ + ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP), + GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); + ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), + GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); + ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport), + GETDNS_RETURN_GOOD, "Failed to extract \"transport\""); + ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP"); + ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), + GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); + ASSERT_RC(tc, 0, "Packet trucated - not as expected"); + } ASSERT_RC(getdns_context_unset_edns_maximum_udp_payload_size(context), GETDNS_RETURN_GOOD, "Return code from getdns_context_unset_edns_maximum_udp_payload_size()"); diff --git a/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.test b/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.test index 0e7c4981..4ea22337 100644 --- a/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.test +++ b/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.test @@ -32,3 +32,9 @@ then cat output exit 1 fi +if ! awk '/^==.* ERROR SUMMARY/{print;if($4>0)exit(1)}' valgrind.log +then + cat valgrind.log + cat output + exit 1 +fi diff --git a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre b/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre index 46686828..39b234eb 100644 --- a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre +++ b/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre @@ -25,4 +25,4 @@ done rm -fr "${BUILDDIR}/build-stub-only" mkdir "${BUILDDIR}/build-stub-only" cd "${BUILDDIR}/build-stub-only" -"${SRCROOT}/configure" $* --enable-stub-only +"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install-stub-only" --enable-stub-only diff --git a/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.test b/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.test index 94bd6d2f..1c957404 100644 --- a/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.test +++ b/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.test @@ -11,6 +11,7 @@ qwerlkjhasdfpuiqwyerm.1234kjhrqwersv.com -G TXT bogus.nlnetlabs.nl -H 8.8.8.8 -H 2a04:b900:0:100::37 +-A _acme-challenge.getdnsapi.net EOT ( if ! "${BUILDDIR}/build-stub-only/libtool" exec valgrind -v --log-file=valgrind.log --leak-check=full --error-exitcode=1 --track-origins=yes "${GETDNS_STUB_QUERY}" -F queries -f "${TPKG_NAME}.ds" +dnssec_return_validation_chain @@ -24,3 +25,9 @@ then cat output exit 1 fi +if ! awk '/^==.* ERROR SUMMARY/{print;if($4>0)exit(1)}' valgrind.log +then + cat valgrind.log + cat output + exit 1 +fi diff --git a/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test b/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test index 1169e337..90a6e580 100644 --- a/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test +++ b/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test @@ -7,10 +7,10 @@ rm -fr "${BUILDDIR}/build-event-loops" mkdir "${BUILDDIR}/build-event-loops" cd "${BUILDDIR}/build-event-loops" -"${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libuv +"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libev \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libev \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libuv diff --git a/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre b/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre index a79bdeed..9a95798c 100644 --- a/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre +++ b/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre @@ -25,11 +25,11 @@ done rm -fr "${BUILDDIR}/build-static-analysis" mkdir "${BUILDDIR}/build-static-analysis" cd "${BUILDDIR}/build-static-analysis" -"${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libuv +"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libev \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libev \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libuv diff --git a/src/test/tpkg/clean.sh b/src/test/tpkg/clean.sh index a405d5b0..cceccb47 100755 --- a/src/test/tpkg/clean.sh +++ b/src/test/tpkg/clean.sh @@ -3,5 +3,5 @@ export SRCDIR=`dirname $0` ( cd $SRCDIR ./tpkg clean - rm -fr build build-stub-only build-event-loops build-static-analysis install scan-build-reports .tpkg.var.master *.info Makefile + rm -fr build build-stub-only build-event-loops build-static-analysis install install-stub-only install-event-loops install-static-analysis scan-build-reports .tpkg.var.master *.info Makefile ) diff --git a/src/test/tpkg/run-one.sh b/src/test/tpkg/run-one.sh index 4c2ca485..10795374 100755 --- a/src/test/tpkg/run-one.sh +++ b/src/test/tpkg/run-one.sh @@ -8,3 +8,4 @@ ONE_TEST=$1 shift "${TPKG}" $* exe ${SRCDIR}/${ONE_TEST}.tpkg +"${TPKG}" -n -1 r diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index a9b4b96d..713783fc 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -91,6 +91,10 @@ static int async = 0, interactive = 0; static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL; static int bogus_answers = 0; static int check_dnssec = 0; +#ifndef USE_WINSOCK +static char *resolvconf = NULL; +#endif +static int print_api_info = 0, print_trust_anchors = 0; static int get_rrtype(const char *t) { @@ -252,9 +256,13 @@ print_usage(FILE *out, const char *progname) fprintf(out, "\t-k\tPrint root trust anchors\n"); fprintf(out, "\t-K \tPin a public key for TLS connections (can repeat)\n"); fprintf(out, "\t\t(should look like '" EXAMPLE_PIN "')\n"); - fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n"); fprintf(out, "\t-m\tSet TLS authentication mode to REQUIRED\n"); - fprintf(out, "\t-p\tPretty print response dict\n"); + fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n"); +#ifndef USE_WINSOCK + fprintf(out, "\t-o \tSet resolver configuration file path\n"); + fprintf(out, "\t\t(default = %s)\n", GETDNS_FN_RESOLVCONF); +#endif + fprintf(out, "\t-p\tPretty print response dict (default)\n"); fprintf(out, "\t-P \tPad TLS queries to a multiple of blocksize\n" "\t\t(special values: 0: no padding, 1: sensible default policy)\n"); fprintf(out, "\t-q\tQuiet mode - don't print response\n"); @@ -592,7 +600,7 @@ getdns_return_t parse_args(int argc, char **argv) size_t j; int i, klass; char *arg, *c, *endptr; - int t, print_api_info = 0, print_trust_anchors = 0; + int t; getdns_list *upstream_list = NULL; getdns_list *tas = NULL, *hints = NULL; getdns_dict *pubkey_pin = NULL; @@ -820,6 +828,16 @@ getdns_return_t parse_args(int argc, char **argv) getdns_context_set_tls_authentication(context, GETDNS_AUTHENTICATION_REQUIRED); break; +#ifndef USE_WINSOCK + case 'o': + if (c[1] != 0 || ++i >= argc || !*argv[i]) { + fprintf(stderr, "" + "expected after -o\n"); + return GETDNS_RETURN_GENERIC_ERROR; + } + resolvconf = argv[i]; + break; +#endif case 'P': if (c[1] != 0 || ++i >= argc || !*argv[i]) { fprintf(stderr, "tls_query_padding_blocksize " @@ -1102,44 +1120,6 @@ next: ; if (upstream_list) getdns_list_destroy(upstream_list); - if (print_api_info) { - getdns_dict *api_information = - getdns_context_get_api_information(context); - char *api_information_str; - - if (listen_dict && !getdns_dict_get_list( - listen_dict, "listen_list", &listen_list)) { - - (void) getdns_dict_set_list(api_information, - "listen_addresses", listen_list); - } else if (listen_list) { - (void) getdns_dict_set_list(api_information, - "listen_addresses", listen_list); - - } else if ((listen_list = getdns_list_create())) { - (void) getdns_dict_set_list(api_information, - "listen_addresses", listen_list); - getdns_list_destroy(listen_list); - listen_list = NULL; - } - api_information_str = - getdns_pretty_print_dict(api_information); - fprintf(stdout, "%s\n", api_information_str); - free(api_information_str); - getdns_dict_destroy(api_information); - return CONTINUE; - } - if (print_trust_anchors) { - if (!getdns_context_get_dnssec_trust_anchors(context, &tas)) { - /* if ((tas = getdns_root_trust_anchor(NULL))) { */ - char *tas_str = getdns_pretty_print_list(tas); - fprintf(stdout, "%s\n", tas_str); - free(tas_str); - getdns_list_destroy(tas); - return CONTINUE; - } else - return CONTINUE_ERROR; - } return r; } @@ -1757,8 +1737,67 @@ main(int argc, char **argv) (void) getdns_context_set_logfunc(context, NULL, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, stubby_log); - if ((r = parse_args(argc, argv))) + if ((r = parse_args(argc, argv)) && r != CONTINUE) goto done_destroy_context; +#ifndef USE_WINSOCK + if (resolvconf) { + if ((r = getdns_context_set_resolvconf(context, resolvconf))) { + fprintf(stderr, "Problem initializing with resolvconf: %d\n", (int)r); + goto done_destroy_context; + } + if ((r = parse_args(argc, argv))) + goto done_destroy_context; + } +#endif + if (print_api_info) { + getdns_dict *api_information = + getdns_context_get_api_information(context); + char *api_information_str; + + if (listen_dict && !getdns_dict_get_list( + listen_dict, "listen_list", &listen_list)) { + + (void) getdns_dict_set_list(api_information, + "listen_addresses", listen_list); + } else if (listen_list) { + (void) getdns_dict_set_list(api_information, + "listen_addresses", listen_list); + + } else if ((listen_list = getdns_list_create())) { + (void) getdns_dict_set_list(api_information, + "listen_addresses", listen_list); + getdns_list_destroy(listen_list); + listen_list = NULL; + } + api_information_str = json + ? getdns_print_json_dict(api_information, json == 1) + : getdns_pretty_print_dict(api_information); + fprintf(stdout, "%s\n", api_information_str); + free(api_information_str); + getdns_dict_destroy(api_information); + } + if (print_trust_anchors) { + getdns_list *tas = NULL; + + if (!getdns_context_get_dnssec_trust_anchors(context, &tas)) { + /* if ((tas = getdns_root_trust_anchor(NULL))) { */ + char *tas_str; + + tas_str = json + ? getdns_print_json_list(tas, json == 1) + : getdns_pretty_print_list(tas); + + fprintf(stdout, "%s\n", tas_str); + free(tas_str); + getdns_list_destroy(tas); + } + } + if (!r && (print_trust_anchors || print_api_info)) { + r = CONTINUE; + } + if (r) + goto done_destroy_context; + clear_listen_list_on_arg = 0; if (query_file) { diff --git a/src/types-internal.h b/src/types-internal.h index 05589f4a..3199b134 100644 --- a/src/types-internal.h +++ b/src/types-internal.h @@ -425,6 +425,7 @@ typedef struct getdns_dns_req { extern getdns_dict *dnssec_ok_checking_disabled; extern getdns_dict *dnssec_ok_checking_disabled_roadblock_avoidance; extern getdns_dict *dnssec_ok_checking_disabled_avoid_roadblocks; +extern getdns_dict *no_dnssec_checking_disabled_opportunistic; /* dns request utils */ getdns_dns_req *_getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, diff --git a/stubby b/stubby index a43be56e..f0b33045 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit a43be56e28f3a802f74b7c5b19b4b4c5fbaa908a +Subproject commit f0b330454b95a07106af33b1869b7cd18cfaebf2