From 3a1cb30c280fe3ecc4073111bd8c5918232d8b1f Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 21 Nov 2017 15:38:49 +0100 Subject: [PATCH 01/47] BOGUS answer because unable to fetch root DNSKEY... ... should not cause segfault --- src/dnssec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/dnssec.c b/src/dnssec.c index 03e8c326..4e1fc392 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -3164,6 +3164,7 @@ static void check_chain_complete(chain_head *chain) if ((head = chain) && (node = _to_the_root(head->parent)) && node->dnskey.name && *node->dnskey.name == 0 + && node->dnskey_req && node->dnskey_req->dnssec_status == GETDNS_DNSSEC_BOGUS){ DEBUG_ANCHOR("root DNSKEY set was bogus!\n"); From a7a6240202f6e780c9828648a8fb632199d83fe4 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 22 Nov 2017 15:01:38 +0100 Subject: [PATCH 02/47] Set default resolvconf and hosts during configure --- configure.ac | 16 ++++++++++++++++ src/context.c | 18 ++++++++++++------ src/context.h | 3 --- 3 files changed, 28 insertions(+), 9 deletions(-) diff --git a/configure.ac b/configure.ac index 01dcbdb9..2337754a 100644 --- a/configure.ac +++ b/configure.ac @@ -345,6 +345,22 @@ AC_CHECK_FUNCS([strptime],[AC_CHECK_STRPTIME_WORKS],[AC_LIBOBJ([strptime])]) AC_CHECK_HEADERS([windows.h winsock.h stdio.h winsock2.h ws2tcpip.h],,, [AC_INCLUDES_DEFAULT]) ACX_CHECK_GETADDRINFO_WITH_INCLUDES +AC_ARG_WITH(resolvconf, AS_HELP_STRING([--with-resolvconf=PATH], + [Set the resolver configuration file path. Defaults to /etc/resolv.conf or values retrieved via GetNetworkParams() on Windows]), + [], [withval="/etc/resolv.conf"]) +AC_DEFINE_UNQUOTED([GETDNS_FN_RESOLVCONF], ["$withval"], [Path to resolver configuration file]) + +AC_ARG_WITH(hosts, AS_HELP_STRING([--with-hosts=PATH], + [Set the static table lookup for hostnames path. Defaults to /etc/hosts or C:\Windows\System32\Drivers\etc\hosts on Windows]), + [], [ +if test "$USE_WINSOCK" = 1; then + withval="C:\\\\Windows\\\\System32\\\\Drivers\\\\etc\\\\hosts" +else + withval="/etc/hosts" +fi +]) +AC_DEFINE_UNQUOTED([GETDNS_FN_HOSTS], ["$withval"], [Path to static table lookup for hostnames]) + AC_ARG_WITH(fd-setsize, AS_HELP_STRING([--with-fd-setsize=size], [Set maximum file descriptor number that can be used by select]), [], [withval="no"]) diff --git a/src/context.c b/src/context.c index 62678873..6db0745d 100644 --- a/src/context.c +++ b/src/context.c @@ -505,11 +505,7 @@ create_local_hosts(getdns_context *context) int start_of_line = 1; getdns_dict *address = NULL; -#ifdef USE_WINSOCK - in = fopen("c:\\WINDOWS\\system32\\drivers\\etc\\hosts", "r"); -#else - in = fopen("/etc/hosts", "r"); -#endif + in = fopen(GETDNS_FN_HOSTS, "r"); while (fgets(pos, (int)(sizeof(buf) - (pos - buf)), in)) { pos = buf; /* Break out of for to read more */ @@ -1207,7 +1203,7 @@ set_os_defaults(struct getdns_context *context) GETDNS_MALLOC(context->my_mf, struct filechg); if(context->fchg_resolvconf == NULL) return GETDNS_RETURN_MEMORY_ERROR; - context->fchg_resolvconf->fn = "/etc/resolv.conf"; + context->fchg_resolvconf->fn = GETDNS_FN_RESOLVCONF; context->fchg_resolvconf->prevstat = NULL; context->fchg_resolvconf->changes = GETDNS_FCHG_NOCHANGES; context->fchg_resolvconf->errors = GETDNS_FCHG_NOERROR; @@ -3869,6 +3865,8 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_CA", str_value); if (!getdns_context_get_trust_anchors_verify_email(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_email", str_value); + if (context->fchg_resolvconf && context->fchg_resolvconf->fn) + (void) getdns_dict_util_set_string(result, "resolvconf_file", context->fchg_resolvconf->fn); return result; error: @@ -3905,6 +3903,12 @@ getdns_context_get_api_information(getdns_context* context) && ! getdns_dict_util_set_string( result, "default_trust_anchor_location", TRUST_ANCHOR_FILE) + && ! getdns_dict_util_set_string( + result, "default_resolvconf_location", GETDNS_FN_RESOLVCONF) + + && ! getdns_dict_util_set_string( + result, "default_hosts_location", GETDNS_FN_HOSTS) + && ! getdns_dict_set_int( result, "resolution_type", context->resolution_type) @@ -4624,6 +4628,8 @@ _getdns_context_config_setting(getdns_context *context, && !_streq(setting, "api_version_number") && !_streq(setting, "trust_anchor_file") && !_streq(setting, "default_trust_anchor_location") + && !_streq(setting, "default_resolvconf_location") + && !_streq(setting, "default_hosts_location") && !_streq(setting, "compilation_comment") ) { r = GETDNS_RETURN_NOT_IMPLEMENTED; diff --git a/src/context.h b/src/context.h index 1a6d93a4..048137b5 100644 --- a/src/context.h +++ b/src/context.h @@ -54,9 +54,6 @@ struct getdns_dns_req; struct ub_ctx; -#define GETDNS_FN_RESOLVCONF "/etc/resolv.conf" -#define GETDNS_FN_HOSTS "/etc/hosts" - enum filechgs { GETDNS_FCHG_ERRORS = -1 , GETDNS_FCHG_NOERROR = 0 , GETDNS_FCHG_NOCHANGES = 0 From ed6c7a6b586c9cb5aa61013a5a7d5f1031d24391 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 22 Nov 2017 15:49:30 +0100 Subject: [PATCH 03/47] getdns_context_create2 and family that set an ... ... alternative resolvconf file --- src/context.c | 59 ++++++++++++++++++++++++++-------- src/context.h | 2 +- src/getdns/getdns_extra.h.in | 61 ++++++++++++++++++++++++++++++++++++ src/libgetdns.symbols | 3 ++ 4 files changed, 111 insertions(+), 14 deletions(-) diff --git a/src/context.c b/src/context.c index 6db0745d..e12f4c04 100644 --- a/src/context.c +++ b/src/context.c @@ -1090,7 +1090,7 @@ static int get_dns_suffix_windows(getdns_list *suffix, char* domain) static getdns_return_t -set_os_defaults_windows(struct getdns_context *context) +set_os_defaults(getdns_context *context, const char *resolvconf_file) { char domain[1024] = ""; size_t upstreams_limit = 10; @@ -1107,7 +1107,7 @@ set_os_defaults_windows(struct getdns_context *context) GETDNS_MALLOC(context->my_mf, struct filechg); if (context->fchg_resolvconf == NULL) return GETDNS_RETURN_MEMORY_ERROR; - context->fchg_resolvconf->fn = "InvalidOnWindows"; + context->fchg_resolvconf->fn = resolvconf_file; context->fchg_resolvconf->prevstat = NULL; context->fchg_resolvconf->changes = GETDNS_FCHG_NOCHANGES; context->fchg_resolvconf->errors = GETDNS_FCHG_NOERROR; @@ -1186,7 +1186,7 @@ set_os_defaults_windows(struct getdns_context *context) #else static getdns_return_t -set_os_defaults(struct getdns_context *context) +set_os_defaults(getdns_context *context, const char *resolvconf_file) { FILE *in; char line[1024], domain[1024]; @@ -1203,7 +1203,7 @@ set_os_defaults(struct getdns_context *context) GETDNS_MALLOC(context->my_mf, struct filechg); if(context->fchg_resolvconf == NULL) return GETDNS_RETURN_MEMORY_ERROR; - context->fchg_resolvconf->fn = GETDNS_FN_RESOLVCONF; + context->fchg_resolvconf->fn = resolvconf_file; context->fchg_resolvconf->prevstat = NULL; context->fchg_resolvconf->changes = GETDNS_FCHG_NOCHANGES; context->fchg_resolvconf->errors = GETDNS_FCHG_NOERROR; @@ -1395,9 +1395,9 @@ static const char *_getdns_default_trust_anchors_verify_email = * Call this to initialize the context that is used in other getdns calls. */ getdns_return_t -getdns_context_create_with_extended_memory_functions( - struct getdns_context ** context, - int set_from_os, +getdns_context_create_with_extended_memory_functions2( + getdns_context **context, + const char *resolvconf_file, void *userarg, void *(*malloc)(void *userarg, size_t), void *(*realloc)(void *userarg, void *, size_t), @@ -1571,13 +1571,8 @@ getdns_context_create_with_extended_memory_functions( result->fchg_hosts = NULL; // resolv.conf does not exist on Windows, handle differently -#ifndef USE_WINSOCK - if ((set_from_os & 1) && (r = set_os_defaults(result))) + if (resolvconf_file && (r = set_os_defaults(result, resolvconf_file))) goto error; -#else - if ((set_from_os & 1) && (r = set_os_defaults_windows(result))) - goto error; -#endif result->dnssec_allowed_skew = 0; result->edns_maximum_udp_payload_size = -1; @@ -1638,6 +1633,21 @@ error: return r; } /* getdns_context_create_with_extended_memory_functions */ +getdns_return_t +getdns_context_create_with_extended_memory_functions( + getdns_context **context, + int set_from_os, + void *userarg, + void *(*malloc)(void *userarg, size_t), + void *(*realloc)(void *userarg, void *, size_t), + void (*free)(void *userarg, void *) + ) +{ + return getdns_context_create_with_extended_memory_functions2(context, + ((set_from_os & 1) ? GETDNS_FN_RESOLVCONF : NULL), userarg, + malloc, realloc, free); +} + /* * getdns_context_create * @@ -1672,6 +1682,29 @@ getdns_context_create(struct getdns_context ** context, int set_from_os) set_from_os, malloc, realloc, free); } /* getdns_context_create */ +getdns_return_t +getdns_context_create_with_memory_functions2(getdns_context **context, + const char *resolvconf_file, + void *(*malloc)(size_t), + void *(*realloc)(void *, size_t), + void (*free)(void *) + ) +{ + mf_union mf; + mf.pln.malloc = malloc; + mf.pln.realloc = realloc; + mf.pln.free = free; + return getdns_context_create_with_extended_memory_functions2( + context, resolvconf_file, MF_PLAIN, + mf.ext.malloc, mf.ext.realloc, mf.ext.free); +} + +getdns_return_t +getdns_context_create2(getdns_context **context, const char *resolvconf_file) +{ + return getdns_context_create_with_memory_functions2(context, + resolvconf_file, malloc, realloc, free); +} /* * getdns_context_destroy diff --git a/src/context.h b/src/context.h index 048137b5..54a46306 100644 --- a/src/context.h +++ b/src/context.h @@ -69,7 +69,7 @@ typedef void (*getdns_update_callback2) (struct getdns_context *, /* internal use only for detecting changes to system files */ struct filechg { - char *fn; + const char *fn; int changes; int errors; struct stat *prevstat; diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index ca62b2fb..b2e362ee 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in @@ -377,6 +377,67 @@ getdns_context_run(getdns_context *context); * @{ */ +/** + * creates a new getdns context with default settings. + * If used multi-threaded, user must define appropriate OpenSSL callback locking functions + * (e.g. CRYPTO_THREADID_set_call) depending on the library version used. + * @param context context that can be used immediately with other API calls + * @param resolvconf is the location of the resolv.conf file from which to + * read the OS settings. When NULL, the context will not be + * initialized with the settings herein. + * @return GETDNS_RETURN_GOOD on success +*/ +getdns_return_t +getdns_context_create2(getdns_context ** context, const char *resolvconf); + + +/** + * creates a new getdns context with default settings using custom memory functions. + * If used multi-threaded, user must define appropriate OpenSSL callback locking functions + * (e.g. CRYPTO_THREADID_set_call) depending on the library version used. + * @param context context that can be used immediately with other API calls + * @param resolvconf is the location of the resolv.conf file from which to + * read the OS settings. When NULL, the context will not be + * initialized with the settings herein. + * @param malloc custom malloc function + * @param realloc custom realloc function + * @param free custom free function + * @return GETDNS_RETURN_GOOD on success +*/ +getdns_return_t +getdns_context_create_with_memory_functions2( + getdns_context ** context, + const char *resolvconf, + void *(*malloc) (size_t), + void *(*realloc) (void *, size_t), + void (*free) (void *) +); + + +/** + * creates a new getdns context with default settings using extended custom memory functions. + * If used multi-threaded, user must define appropriate OpenSSL callback locking functions + * (e.g. CRYPTO_THREADID_set_call) depending on the library version used. + * @param context context that can be used immediately with other API calls + * @param resolvconf is the location of the resolv.conf file from which to + * read the OS settings. When NULL, the context will not be + * initialized with the settings herein. + * @param userarg parameter passed to the custom malloc, realloc and free functions + * @param malloc custom malloc function + * @param realloc custom realloc function + * @param free custom free function + * @return GETDNS_RETURN_GOOD on success +*/ +getdns_return_t +getdns_context_create_with_extended_memory_functions2( + getdns_context **context, + const char *resolvconf, + void *userarg, + void *(*malloc) (void *userarg, size_t), + void *(*realloc) (void *userarg, void *, size_t), + void (*free) (void *userarg, void *) +); + /** * Register a callback function for context changes. * @see getdns_context_set_context_update_callback diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols index 3f26578a..46199c59 100644 --- a/src/libgetdns.symbols +++ b/src/libgetdns.symbols @@ -3,8 +3,11 @@ getdns_address_sync getdns_cancel_callback getdns_context_config getdns_context_create +getdns_context_create2 getdns_context_create_with_extended_memory_functions +getdns_context_create_with_extended_memory_functions2 getdns_context_create_with_memory_functions +getdns_context_create_with_memory_functions2 getdns_context_destroy getdns_context_detach_eventloop getdns_context_get_api_information From 3e1607556397145b9ecc9d70275540d4fd9998bf Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 23 Nov 2017 12:26:40 +0100 Subject: [PATCH 04/47] Test getdns_context_create2 with getdns_query --- src/sync.c | 5 +- src/tools/getdns_query.c | 118 +++++++++++++++++++++++++-------------- 2 files changed, 80 insertions(+), 43 deletions(-) diff --git a/src/sync.c b/src/sync.c index debf904b..e592e7d1 100644 --- a/src/sync.c +++ b/src/sync.c @@ -112,7 +112,10 @@ getdns_sync_data_cleanup(getdns_sync_data *data) /* If statefull upstream have events scheduled against the sync loop, * reschedule against the async loop. */ - for (i = 0; i < ctxt->upstreams->count; i++) { + if (!ctxt->upstreams) + ; /* pass */ + + else for (i = 0; i < ctxt->upstreams->count; i++) { upstream = &ctxt->upstreams->upstreams[i]; if (upstream->loop != &data->context->sync_eventloop.loop) continue; diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index a9b4b96d..8bc2c231 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -91,6 +91,8 @@ static int async = 0, interactive = 0; static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL; static int bogus_answers = 0; static int check_dnssec = 0; +static char *resolvconf = NULL; +static int print_api_info = 0, print_trust_anchors = 0; static int get_rrtype(const char *t) { @@ -252,9 +254,11 @@ print_usage(FILE *out, const char *progname) fprintf(out, "\t-k\tPrint root trust anchors\n"); fprintf(out, "\t-K \tPin a public key for TLS connections (can repeat)\n"); fprintf(out, "\t\t(should look like '" EXAMPLE_PIN "')\n"); - fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n"); fprintf(out, "\t-m\tSet TLS authentication mode to REQUIRED\n"); - fprintf(out, "\t-p\tPretty print response dict\n"); + fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n"); + fprintf(out, "\t-o \tSet resolver configuration file path\n"); + fprintf(out, "\t\t(default = %s)\n", GETDNS_FN_RESOLVCONF); + fprintf(out, "\t-p\tPretty print response dict (default)\n"); fprintf(out, "\t-P \tPad TLS queries to a multiple of blocksize\n" "\t\t(special values: 0: no padding, 1: sensible default policy)\n"); fprintf(out, "\t-q\tQuiet mode - don't print response\n"); @@ -592,7 +596,7 @@ getdns_return_t parse_args(int argc, char **argv) size_t j; int i, klass; char *arg, *c, *endptr; - int t, print_api_info = 0, print_trust_anchors = 0; + int t; getdns_list *upstream_list = NULL; getdns_list *tas = NULL, *hints = NULL; getdns_dict *pubkey_pin = NULL; @@ -820,6 +824,14 @@ getdns_return_t parse_args(int argc, char **argv) getdns_context_set_tls_authentication(context, GETDNS_AUTHENTICATION_REQUIRED); break; + case 'o': + if (c[1] != 0 || ++i >= argc || !*argv[i]) { + fprintf(stderr, "" + "expected after -o\n"); + return GETDNS_RETURN_GENERIC_ERROR; + } + resolvconf = argv[i]; + break; case 'P': if (c[1] != 0 || ++i >= argc || !*argv[i]) { fprintf(stderr, "tls_query_padding_blocksize " @@ -1102,44 +1114,6 @@ next: ; if (upstream_list) getdns_list_destroy(upstream_list); - if (print_api_info) { - getdns_dict *api_information = - getdns_context_get_api_information(context); - char *api_information_str; - - if (listen_dict && !getdns_dict_get_list( - listen_dict, "listen_list", &listen_list)) { - - (void) getdns_dict_set_list(api_information, - "listen_addresses", listen_list); - } else if (listen_list) { - (void) getdns_dict_set_list(api_information, - "listen_addresses", listen_list); - - } else if ((listen_list = getdns_list_create())) { - (void) getdns_dict_set_list(api_information, - "listen_addresses", listen_list); - getdns_list_destroy(listen_list); - listen_list = NULL; - } - api_information_str = - getdns_pretty_print_dict(api_information); - fprintf(stdout, "%s\n", api_information_str); - free(api_information_str); - getdns_dict_destroy(api_information); - return CONTINUE; - } - if (print_trust_anchors) { - if (!getdns_context_get_dnssec_trust_anchors(context, &tas)) { - /* if ((tas = getdns_root_trust_anchor(NULL))) { */ - char *tas_str = getdns_pretty_print_list(tas); - fprintf(stdout, "%s\n", tas_str); - free(tas_str); - getdns_list_destroy(tas); - return CONTINUE; - } else - return CONTINUE_ERROR; - } return r; } @@ -1757,8 +1731,68 @@ main(int argc, char **argv) (void) getdns_context_set_logfunc(context, NULL, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, stubby_log); - if ((r = parse_args(argc, argv))) + if ((r = parse_args(argc, argv)) && r != CONTINUE) goto done_destroy_context; + fprintf(stderr, "resolvconf: %s\n", resolvconf); + if (resolvconf) { + getdns_context_destroy(context); + if ((r = getdns_context_create2(&context, resolvconf))) { + fprintf(stderr, "Create context failed: %d\n", (int)r); + context = NULL; + goto done_destroy_context; + } + if ((r = parse_args(argc, argv))) + goto done_destroy_context; + } + if (print_api_info) { + getdns_dict *api_information = + getdns_context_get_api_information(context); + char *api_information_str; + + if (listen_dict && !getdns_dict_get_list( + listen_dict, "listen_list", &listen_list)) { + + (void) getdns_dict_set_list(api_information, + "listen_addresses", listen_list); + } else if (listen_list) { + (void) getdns_dict_set_list(api_information, + "listen_addresses", listen_list); + + } else if ((listen_list = getdns_list_create())) { + (void) getdns_dict_set_list(api_information, + "listen_addresses", listen_list); + getdns_list_destroy(listen_list); + listen_list = NULL; + } + api_information_str = json + ? getdns_print_json_dict(api_information, json == 1) + : getdns_pretty_print_dict(api_information); + fprintf(stdout, "%s\n", api_information_str); + free(api_information_str); + getdns_dict_destroy(api_information); + } + if (print_trust_anchors) { + getdns_list *tas = NULL; + + if (!getdns_context_get_dnssec_trust_anchors(context, &tas)) { + /* if ((tas = getdns_root_trust_anchor(NULL))) { */ + char *tas_str; + + tas_str = json + ? getdns_print_json_list(tas, json == 1) + : getdns_pretty_print_list(tas); + + fprintf(stdout, "%s\n", tas_str); + free(tas_str); + getdns_list_destroy(tas); + } + } + if (!r && (print_trust_anchors || print_api_info)) { + r = CONTINUE; + } + if (r) + goto done_destroy_context; + clear_listen_list_on_arg = 0; if (query_file) { From c0a3babe0a51580e3b1e7072fc0d7d1dd3281bc4 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 23 Nov 2017 12:39:07 +0100 Subject: [PATCH 05/47] Separate sys_ctxt for meta queries --- src/anchor.c | 32 ++++---------------------------- src/context.c | 35 +++++++++++++++++++++++++++++++++++ src/context.h | 3 +++ 3 files changed, 42 insertions(+), 28 deletions(-) diff --git a/src/anchor.c b/src/anchor.c index 006e5da4..a374ab78 100644 --- a/src/anchor.c +++ b/src/anchor.c @@ -1517,6 +1517,7 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) char tas_hostname[256]; const char *verify_CA; const char *verify_email; + getdns_context *sys_ctxt; if ((r = _getdns_get_tas_url_hostname(context, tas_hostname, NULL))) { DEBUG_ANCHOR("ERROR %s(): Could not get_tas_url_hostname" @@ -1557,32 +1558,7 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) DEBUG_ANCHOR("%s on the %ssynchronous loop\n", __FUNC__, loop == &context->sync_eventloop.loop ? "" : "a"); - while (!context->sys_ctxt) { /* Used as breakable if. Never repeats. */ - if ((r = getdns_context_create_with_extended_memory_functions( - &context->sys_ctxt, 1, context->mf.mf_arg, - context->mf.mf.ext.malloc, context->mf.mf.ext.realloc, - context->mf.mf.ext.free))) - DEBUG_ANCHOR("Could not create system context: %s\n" - , getdns_get_errorstr_by_id(r)); - - else if ((r = getdns_context_set_eventloop( - context->sys_ctxt, loop))) - DEBUG_ANCHOR("Could not configure %ssynchronous loop " - "with system context: %s\n" - , ( loop == &context->sync_eventloop.loop - ? "" : "a" ) - , getdns_get_errorstr_by_id(r)); - - else if ((r = getdns_context_set_resolution_type( - context->sys_ctxt, GETDNS_RESOLUTION_STUB))) - DEBUG_ANCHOR("Could not configure system context for " - "stub resolver: %s\n" - , getdns_get_errorstr_by_id(r)); - else - break; - - getdns_context_destroy(context->sys_ctxt); - context->sys_ctxt = NULL; + if (!(sys_ctxt = _getdns_context_get_sys_ctxt(context, loop))) { DEBUG_ANCHOR("Fatal error fetching trust anchor: " "missing system context\n"); context->trust_anchors_source = GETDNS_TASRC_FAILED; @@ -1592,7 +1568,7 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) scheduled = 0; #if 1 context->a.state = TAS_LOOKUP_ADDRESSES; - if ((r = _getdns_general_loop(context->sys_ctxt, loop, + if ((r = _getdns_general_loop(sys_ctxt, loop, tas_hostname, GETDNS_RRTYPE_A, NULL, context, &context->a.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling A lookup for %s: %s\n" @@ -1603,7 +1579,7 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) #if 1 context->aaaa.state = TAS_LOOKUP_ADDRESSES; - if ((r = _getdns_general_loop(context->sys_ctxt, loop, + if ((r = _getdns_general_loop(sys_ctxt, loop, tas_hostname, GETDNS_RRTYPE_AAAA, NULL, context, &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling AAAA lookup for %s: %s\n" diff --git a/src/context.c b/src/context.c index e12f4c04..1fc188ff 100644 --- a/src/context.c +++ b/src/context.c @@ -5048,5 +5048,40 @@ getdns_context_set_appdata_dir( return GETDNS_RETURN_GOOD; } +getdns_context *_getdns_context_get_sys_ctxt( + getdns_context *context, getdns_eventloop *loop) +{ + getdns_return_t r; + + if (context->sys_ctxt) + return context->sys_ctxt; + + if ((r = getdns_context_create_with_extended_memory_functions( + &context->sys_ctxt, 1, context->mf.mf_arg, + context->mf.mf.ext.malloc, context->mf.mf.ext.realloc, + context->mf.mf.ext.free))) + DEBUG_ANCHOR("Could not create system context: %s\n" + , getdns_get_errorstr_by_id(r)); + + else if ((r = getdns_context_set_eventloop( + context->sys_ctxt, loop))) + DEBUG_ANCHOR("Could not configure %ssynchronous loop " + "with system context: %s\n" + , ( loop == &context->sync_eventloop.loop + ? "" : "a" ) + , getdns_get_errorstr_by_id(r)); + + else if ((r = getdns_context_set_resolution_type( + context->sys_ctxt, GETDNS_RESOLUTION_STUB))) + DEBUG_ANCHOR("Could not configure system context for " + "stub resolver: %s\n" + , getdns_get_errorstr_by_id(r)); + else + return context->sys_ctxt; + + getdns_context_destroy(context->sys_ctxt); + context->sys_ctxt = NULL; + return NULL; +} /* context.c */ diff --git a/src/context.h b/src/context.h index 54a46306..5fc0ff38 100644 --- a/src/context.h +++ b/src/context.h @@ -554,4 +554,7 @@ int _getdns_context_write_priv_file(getdns_context *context, int _getdns_context_can_write_appdata(getdns_context *context); +getdns_context *_getdns_context_get_sys_ctxt( + getdns_context *context, getdns_eventloop *loop); + #endif /* _GETDNS_CONTEXT_H_ */ From c3cdf496e3d0ce7fc2d000054492c440544d6043 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 23 Nov 2017 12:48:48 +0100 Subject: [PATCH 06/47] Meta queries to upstreams from resolvconf setting --- src/context.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/context.c b/src/context.c index 1fc188ff..a104e8cd 100644 --- a/src/context.c +++ b/src/context.c @@ -5056,10 +5056,11 @@ getdns_context *_getdns_context_get_sys_ctxt( if (context->sys_ctxt) return context->sys_ctxt; - if ((r = getdns_context_create_with_extended_memory_functions( - &context->sys_ctxt, 1, context->mf.mf_arg, - context->mf.mf.ext.malloc, context->mf.mf.ext.realloc, - context->mf.mf.ext.free))) + if ((r = getdns_context_create_with_extended_memory_functions2( + ( context->fchg_resolvconf && context->fchg_resolvconf->fn + ? context->fchg_resolvconf->fn : NULL ), + context->mf.mf_arg, context->mf.mf.ext.malloc, + context->mf.mf.ext.realloc, context->mf.mf.ext.free))) DEBUG_ANCHOR("Could not create system context: %s\n" , getdns_get_errorstr_by_id(r)); From 6afb02b2f147ab8402e3b20eee074e85b404e7f5 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 23 Nov 2017 13:20:42 +0100 Subject: [PATCH 07/47] Bugfix #359: edns_client_subnet_private should set family Thanks Daniel Areiza --- ChangeLog | 4 ++++ src/stub.c | 22 +++++++++++++--------- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 69d8872b..133ccbdb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +* 201?-??-??: Version 1.?.? + * Bugfix #359: edns_client_subnet_private should set family + Thanks Daniel Areiza + * 2017-11-11: Version 1.2.1 * Handle more I/O error cases. Also, when an I/O error does occur, never stop listening (with servers), and diff --git a/src/stub.c b/src/stub.c index 10745928..d8da9a9c 100644 --- a/src/stub.c +++ b/src/stub.c @@ -151,15 +151,19 @@ calc_new_cookie(getdns_upstream *upstream, uint8_t *cookie) static getdns_return_t attach_edns_client_subnet_private(getdns_network_req *req) { - /* see - * https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-04#section-6 */ - /* all-zeros is a request to not leak the data further: */ - /* "\x00\x00" FAMILY: 0 (because no address) */ - /* "\x00" SOURCE PREFIX-LENGTH: 0 */ - /* "\x00"; SCOPE PREFIX-LENGTH: 0 */ - return _getdns_network_req_add_upstream_option(req, - GLDNS_EDNS_CLIENT_SUBNET, - 4, NULL); + /* see https://tools.ietf.org/html/rfc7871#section-7.1.2 + * all-zeros is a request to not leak the data further: + * A two byte FAMILY field is a SHOULD even when SOURCE + * and SCOPE are 0. + * "\x00\x02" FAMILY: 2 for IPv6 upstreams in network byte order, or + * "\x00\x01" FAMILY: 1 for IPv4 upstreams in network byte order, then: + * "\x00" SOURCE PREFIX-LENGTH: 0 + * "\x00"; SCOPE PREFIX-LENGTH: 0 + */ + return _getdns_network_req_add_upstream_option( + req, GLDNS_EDNS_CLIENT_SUBNET, 4, + ( req->upstream->addr.ss_family == AF_INET6 + ? "\x00\x02\x00\x00" : "\x00\x01\x00\x00" )); } static getdns_return_t From 27847b9a0a74bc719388bc37b6604c88544f9b06 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 23 Nov 2017 13:23:00 +0100 Subject: [PATCH 08/47] Initialize context->sys_ctxt! --- src/context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/context.c b/src/context.c index a104e8cd..09718efb 100644 --- a/src/context.c +++ b/src/context.c @@ -5056,7 +5056,7 @@ getdns_context *_getdns_context_get_sys_ctxt( if (context->sys_ctxt) return context->sys_ctxt; - if ((r = getdns_context_create_with_extended_memory_functions2( + if ((r = getdns_context_create_with_extended_memory_functions2(&context->sys_ctxt, ( context->fchg_resolvconf && context->fchg_resolvconf->fn ? context->fchg_resolvconf->fn : NULL ), context->mf.mf_arg, context->mf.mf.ext.malloc, From 323239be582161c2bc26cda2cbcc0557e4aaa25d Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Mon, 27 Nov 2017 15:02:32 +0100 Subject: [PATCH 09/47] Scan valgrind logs for errors too --- .../tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.test | 6 ++++++ .../225-stub-only-valgrind-checks.test | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.test b/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.test index 0e7c4981..4ea22337 100644 --- a/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.test +++ b/src/test/tpkg/125-valgrind-checks.tpkg/125-valgrind-checks.test @@ -32,3 +32,9 @@ then cat output exit 1 fi +if ! awk '/^==.* ERROR SUMMARY/{print;if($4>0)exit(1)}' valgrind.log +then + cat valgrind.log + cat output + exit 1 +fi diff --git a/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.test b/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.test index 94bd6d2f..1c957404 100644 --- a/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.test +++ b/src/test/tpkg/225-stub-only-valgrind-checks.tpkg/225-stub-only-valgrind-checks.test @@ -11,6 +11,7 @@ qwerlkjhasdfpuiqwyerm.1234kjhrqwersv.com -G TXT bogus.nlnetlabs.nl -H 8.8.8.8 -H 2a04:b900:0:100::37 +-A _acme-challenge.getdnsapi.net EOT ( if ! "${BUILDDIR}/build-stub-only/libtool" exec valgrind -v --log-file=valgrind.log --leak-check=full --error-exitcode=1 --track-origins=yes "${GETDNS_STUB_QUERY}" -F queries -f "${TPKG_NAME}.ds" +dnssec_return_validation_chain @@ -24,3 +25,9 @@ then cat output exit 1 fi +if ! awk '/^==.* ERROR SUMMARY/{print;if($4>0)exit(1)}' valgrind.log +then + cat valgrind.log + cat output + exit 1 +fi From 30e440d35cf28ddff7c8edf6696ab67ee802a223 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Mon, 27 Nov 2017 15:26:45 +0100 Subject: [PATCH 10/47] Access of freed memory in stub DNSSEC cleanup code Should fix the latest core dump reported in getdnsapi/stubby#34 --- src/dnssec.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/dnssec.c b/src/dnssec.c index 4e1fc392..57f0ed81 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -3395,10 +3395,21 @@ void _getdns_validation_chain_timeout(getdns_dns_req *dnsreq) void _getdns_cancel_validation_chain(getdns_dns_req *dnsreq) { - chain_head *head = dnsreq->chain, *next, *dnskey_head; + chain_head *head, *next; chain_node *node; size_t node_count; + /* Clear nodes under direct DNSKEY queries. + * They share the DNSKEY lookup netreq, but _dnskey_query() can not + * be used because we're free'ing the heads. + */ + for (head = dnsreq->chain; head; head = head->next) { + if ( head->rrset.rr_type == GETDNS_RRTYPE_DNSKEY + && head->node_count + && head->netreq == head->parent->dnskey_req) + head->parent->dnskey_req = NULL; + } + head = dnsreq->chain; dnsreq->chain = NULL; while (head) { next = head->next; @@ -3407,10 +3418,7 @@ void _getdns_cancel_validation_chain(getdns_dns_req *dnsreq) ; node_count ; node_count--, node = node->parent ) { - if (node->dnskey_req && - !( (dnskey_head = _dnskey_query(node)) - && dnskey_head->netreq == node->dnskey_req)) - + if (node->dnskey_req) _getdns_context_cancel_request( node->dnskey_req->owner); From 025f1cdff35879dd09e0e547137df0024e82fc8d Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 28 Nov 2017 16:04:23 +0100 Subject: [PATCH 11/47] set_from_os last to initialize ... ... because it is initialized with values from context itself! I.e. context->tls_backoff_time, context->tls_connection_retries and context->log are used to initialize upstreams in upstreams_create() called from set_from_os --- src/context.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/src/context.c b/src/context.c index 62678873..b5b37630 100644 --- a/src/context.c +++ b/src/context.c @@ -1574,15 +1574,6 @@ getdns_context_create_with_extended_memory_functions( result->fchg_resolvconf = NULL; result->fchg_hosts = NULL; - // resolv.conf does not exist on Windows, handle differently -#ifndef USE_WINSOCK - if ((set_from_os & 1) && (r = set_os_defaults(result))) - goto error; -#else - if ((set_from_os & 1) && (r = set_os_defaults_windows(result))) - goto error; -#endif - result->dnssec_allowed_skew = 0; result->edns_maximum_udp_payload_size = -1; if ((r = create_default_dns_transports(result))) @@ -1634,6 +1625,14 @@ getdns_context_create_with_extended_memory_functions( create_local_hosts(result); + // resolv.conf does not exist on Windows, handle differently +#ifndef USE_WINSOCK + if ((set_from_os & 1) && (r = set_os_defaults(result))) + goto error; +#else + if ((set_from_os & 1) && (r = set_os_defaults_windows(result))) + goto error; +#endif *context = result; return GETDNS_RETURN_GOOD; From 543435d89d48f9911102b72f0e710a8e1cf23a05 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 28 Nov 2017 16:40:17 +0100 Subject: [PATCH 12/47] Clang bitfield issue --- .travis.yml | 4 ++-- src/general.c | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.travis.yml b/.travis.yml index 60a37347..5a95e4fa 100644 --- a/.travis.yml +++ b/.travis.yml @@ -20,5 +20,5 @@ addons: script: - mkdir tests - cd tests - - ../src/test/tpkg/run-all.sh -# - ../src/test/tpkg/run-one.sh 400-static-analysis -V +# - ../src/test/tpkg/run-all.sh + - ../src/test/tpkg/run-one.sh 225-stub-only-valgrind-checks diff --git a/src/general.c b/src/general.c index b263c0a9..80b40a2c 100644 --- a/src/general.c +++ b/src/general.c @@ -116,7 +116,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) /* Do we have to check more suffixes on nxdomain/nodata? */ - if (dns_req->is_dns_request && + if (dns_req->is_dns_request == 1 && dns_req->suffix_appended && /* Something was appended */ dns_req->suffix_len > 1 && /* Next suffix available */ no_answer(dns_req)) { @@ -153,7 +153,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) return; } } else if ( - dns_req->is_dns_request && + dns_req->is_dns_request == 1 && ( dns_req->append_name == GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE || dns_req->append_name == @@ -206,7 +206,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) } else if (! results_found) _getdns_call_user_callback(dns_req, NULL); else if ( - dns_req->is_dns_request && + dns_req->is_dns_request == 1 && (dns_req->dnssec_return_validation_chain #ifdef DNSSEC_ROADBLOCK_AVOIDANCE || ( dns_req->dnssec_roadblock_avoidance @@ -343,7 +343,7 @@ _getdns_netreq_change_state( if (!netreq) return; - if (!netreq->owner->is_dns_request) { + if (netreq->owner->is_dns_request == 0) { netreq->state = new_state; return; } From 72eb8628d0b35ec059ecdec920d8621faad43ec4 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 28 Nov 2017 16:44:08 +0100 Subject: [PATCH 13/47] Report on single unit tests too --- .travis.yml | 2 +- src/test/tpkg/run-one.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 5a95e4fa..e1143683 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,7 @@ sudo: false language: c compiler: - - gcc +# - gcc - clang addons: apt: diff --git a/src/test/tpkg/run-one.sh b/src/test/tpkg/run-one.sh index 4c2ca485..10795374 100755 --- a/src/test/tpkg/run-one.sh +++ b/src/test/tpkg/run-one.sh @@ -8,3 +8,4 @@ ONE_TEST=$1 shift "${TPKG}" $* exe ${SRCDIR}/${ONE_TEST}.tpkg +"${TPKG}" -n -1 r From 2a39b6e2e81f8b445e2e7c8d220e200cd88446eb Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 28 Nov 2017 16:51:28 +0100 Subject: [PATCH 14/47] Handle the uninitialized memory error the brutal way Because clang (or valgrind with clang) is just wrong here --- src/request-internal.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/request-internal.c b/src/request-internal.c index c9f27db0..b78c19ab 100644 --- a/src/request-internal.c +++ b/src/request-internal.c @@ -866,6 +866,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, if (! (region = GETDNS_XMALLOC(context->mf, uint8_t, dnsreq_base_sz + (a_aaaa_query ? 2 : 1) * netreq_sz))) return NULL; + (void) memset(region, 0, sizeof(getdns_dns_req)); result = (getdns_dns_req *)region; result->netreqs[0] = (getdns_network_req *)(region + dnsreq_base_sz); From 8c87028d77231424b08562fa23d9dfe885dfb88a Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 28 Nov 2017 16:58:12 +0100 Subject: [PATCH 15/47] Only get root-anchors.xml when BOGUS root dnskey... did have signatures which did not validate --- src/dnssec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/dnssec.c b/src/dnssec.c index 57f0ed81..d4c6375b 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -3160,12 +3160,19 @@ static void check_chain_complete(chain_head *chain) _getdns_context_update_root_ksk(context,&node->dnskey); } else if (_getdns_bogus(dnsreq)) { + _getdns_rrsig_iter rrsig_spc; DEBUG_ANCHOR("Request was bogus!\n"); if ((head = chain) && (node = _to_the_root(head->parent)) + /* The root DNSKEY rrset */ && node->dnskey.name && *node->dnskey.name == 0 + /* We queried it and had a response */ && node->dnskey_req - && node->dnskey_req->dnssec_status == GETDNS_DNSSEC_BOGUS){ + /* The response was bogus */ + && node->dnskey_req->dnssec_status == GETDNS_DNSSEC_BOGUS + /* The response was bogus, but not because it has no rrsigs */ + && _getdns_rrsig_iter_init(&rrsig_spc, &node->dnskey) + ){ DEBUG_ANCHOR("root DNSKEY set was bogus!\n"); if (!dnsreq->waiting_for_ta) { From 17d23ddb998ab3b65c29e08b396c95f97703f854 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 28 Nov 2017 16:58:58 +0100 Subject: [PATCH 16/47] Restore running all unit tests again --- .travis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index e1143683..2cace3f4 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,7 @@ sudo: false language: c compiler: -# - gcc + - gcc - clang addons: apt: @@ -20,5 +20,5 @@ addons: script: - mkdir tests - cd tests -# - ../src/test/tpkg/run-all.sh - - ../src/test/tpkg/run-one.sh 225-stub-only-valgrind-checks + - ../src/test/tpkg/run-all.sh +# - ../src/test/tpkg/run-one.sh 225-stub-only-valgrind-checks From 96ed06c6a96a7b00794042014abab954b6d74b51 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 12 Dec 2017 12:24:31 +0100 Subject: [PATCH 17/47] Initialize context with given resolv.conf and hosts files - getdns_context_create with set_from_os set will simply call these functions with the defaults + filechg_check is simplified somewhat (reducting memory management) + get OpenSSL version version via get_api_information() --- ChangeLog | 10 ++ configure.ac | 2 +- src/const-info.c | 6 + src/context.c | 325 +++++++++++++++++++---------------- src/context.h | 10 +- src/getdns/getdns_extra.h.in | 117 ++++++------- src/libgetdns.symbols | 7 +- src/tools/getdns_query.c | 6 +- stubby | 2 +- 9 files changed, 257 insertions(+), 228 deletions(-) diff --git a/ChangeLog b/ChangeLog index 133ccbdb..a9d48429 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,14 @@ * 201?-??-??: Version 1.?.? + * getdns_context_set_resolvconf() function to initialize a context + upstreams and suffices with a resolv.conf file. + getdns_context_get_resolvconf() to get the file used to initialize + the context's upstreams and suffixes. + getdns_context_set_hosts() function to initialize a context's + LOCALNAMES namespace. + getdns_context_get_hosts() function to get the file used to initialize + the context's LOCALNAMES namespace. + * get which version of OpenSSL was used at build time and at run time + when available with getdns_context_get_api_information() * Bugfix #359: edns_client_subnet_private should set family Thanks Daniel Areiza diff --git a/configure.ac b/configure.ac index 2337754a..ed14463f 100644 --- a/configure.ac +++ b/configure.ac @@ -407,7 +407,7 @@ fi AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version]) +AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version]) AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H diff --git a/src/const-info.c b/src/const-info.c index 2c582ed1..f1bfd891 100644 --- a/src/const-info.c +++ b/src/const-info.c @@ -30,6 +30,7 @@ static struct const_info consts_info[] = { { 310, "GETDNS_RETURN_MEMORY_ERROR", GETDNS_RETURN_MEMORY_ERROR_TEXT }, { 311, "GETDNS_RETURN_INVALID_PARAMETER", GETDNS_RETURN_INVALID_PARAMETER_TEXT }, { 312, "GETDNS_RETURN_NOT_IMPLEMENTED", GETDNS_RETURN_NOT_IMPLEMENTED_TEXT }, + { 397, "GETDNS_RETURN_IO_ERROR", GETDNS_RETURN_IO_ERROR_TEXT }, { 398, "GETDNS_RETURN_NO_UPSTREAM_AVAILABLE", GETDNS_RETURN_NO_UPSTREAM_AVAILABLE_TEXT }, { 399, "GETDNS_RETURN_NEED_MORE_SPACE", GETDNS_RETURN_NEED_MORE_SPACE_TEXT }, { 400, "GETDNS_DNSSEC_SECURE", GETDNS_DNSSEC_SECURE_TEXT }, @@ -86,6 +87,8 @@ static struct const_info consts_info[] = { { 626, "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA_TEXT }, { 627, "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL", GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL_TEXT }, { 628, "GETDNS_CONTEXT_CODE_APPDATA_DIR", GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT }, + { 629, "GETDNS_CONTEXT_CODE_RESOLVCONF", GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT }, + { 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, { 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT }, @@ -166,12 +169,14 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CONTEXT_CODE_EDNS_MAXIMUM_UDP_PAYLOAD_SIZE", 610 }, { "GETDNS_CONTEXT_CODE_EDNS_VERSION", 612 }, { "GETDNS_CONTEXT_CODE_FOLLOW_REDIRECTS", 602 }, + { "GETDNS_CONTEXT_CODE_HOSTS", 630 }, { "GETDNS_CONTEXT_CODE_IDLE_TIMEOUT", 617 }, { "GETDNS_CONTEXT_CODE_LIMIT_OUTSTANDING_QUERIES", 606 }, { "GETDNS_CONTEXT_CODE_MEMORY_FUNCTIONS", 615 }, { "GETDNS_CONTEXT_CODE_NAMESPACES", 600 }, { "GETDNS_CONTEXT_CODE_PUBKEY_PINSET", 621 }, { "GETDNS_CONTEXT_CODE_RESOLUTION_TYPE", 601 }, + { "GETDNS_CONTEXT_CODE_RESOLVCONF", 629 }, { "GETDNS_CONTEXT_CODE_ROUND_ROBIN_UPSTREAMS", 622 }, { "GETDNS_CONTEXT_CODE_SUFFIX", 608 }, { "GETDNS_CONTEXT_CODE_TIMEOUT", 616 }, @@ -248,6 +253,7 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_RETURN_GENERIC_ERROR", 1 }, { "GETDNS_RETURN_GOOD", 0 }, { "GETDNS_RETURN_INVALID_PARAMETER", 311 }, + { "GETDNS_RETURN_IO_ERROR", 397 }, { "GETDNS_RETURN_MEMORY_ERROR", 310 }, { "GETDNS_RETURN_NEED_MORE_SPACE", 399 }, { "GETDNS_RETURN_NOT_IMPLEMENTED", 312 }, diff --git a/src/context.c b/src/context.c index 9f84248a..fc33fec2 100644 --- a/src/context.c +++ b/src/context.c @@ -57,6 +57,9 @@ typedef unsigned short in_port_t; #include #endif +#include +#include + #include #include #include @@ -495,8 +498,45 @@ str_addr_dict(getdns_context *context, const char *str) return address; } -static void -create_local_hosts(getdns_context *context) +/** + * check a file for changes since the last check + * and refresh the current data if changes are detected + * @param context pointer to a previously created context to be used for this call + * @param fchg file to check + * @returns changes as OR'd list of GETDNS_FCHG_* values + * @returns GETDNS_FCHG_NONE if no changes + * @returns GETDNS_FCHG_ERRORS if problems (see fchg->errors for details) + */ +static int +_getdns_filechg_check(struct filechg *fchg) +{ + struct stat finfo; + + if(fchg == NULL) + return 0; + + fchg->errors = GETDNS_FCHG_NOERROR; + fchg->changes = GETDNS_FCHG_NOCHANGES; + + if(stat(fchg->fn, &finfo) != 0) { + fchg->errors = errno; + return GETDNS_FCHG_ERRORS; + } + + /* we want to consider a file that previously returned error for stat() as a + change */ + + if(fchg->prevstat.st_mtime != finfo.st_mtime) + fchg->changes |= GETDNS_FCHG_MTIME; + if(fchg->prevstat.st_ctime != finfo.st_ctime) + fchg->changes |= GETDNS_FCHG_CTIME; + + fchg->prevstat = finfo; + return fchg->changes; +} /* filechg */ + +getdns_return_t +getdns_context_set_hosts(getdns_context *context, const char *hosts) { /* enough space in buf for longest allowed domain name */ char buf[1024]; @@ -505,7 +545,21 @@ create_local_hosts(getdns_context *context) int start_of_line = 1; getdns_dict *address = NULL; - in = fopen(GETDNS_FN_HOSTS, "r"); + if (!context || !hosts) + return GETDNS_RETURN_INVALID_PARAMETER; + + if (!(in = fopen(hosts, "r"))) + return GETDNS_RETURN_IO_ERROR; + + (void)strlcpy(context->fchg_hosts.fn, hosts, _GETDNS_PATH_MAX); + (void) memset(&context->fchg_hosts.prevstat, 0, sizeof(struct stat)); + context->fchg_hosts.changes = GETDNS_FCHG_NOCHANGES; + context->fchg_hosts.errors = GETDNS_FCHG_NOERROR; + (void) _getdns_filechg_check(&context->fchg_hosts); + _getdns_traverse_postorder(&context->local_hosts, + destroy_local_host, context); + _getdns_rbtree_init(&context->local_hosts, local_host_cmp); + while (fgets(pos, (int)(sizeof(buf) - (pos - buf)), in)) { pos = buf; /* Break out of for to read more */ @@ -585,59 +639,19 @@ read_more: ; address = NULL; getdns_dict_destroy(address); } + return GETDNS_RETURN_GOOD; } -/** - * check a file for changes since the last check - * and refresh the current data if changes are detected - * @param context pointer to a previously created context to be used for this call - * @param fchg file to check - * @returns changes as OR'd list of GETDNS_FCHG_* values - * @returns GETDNS_FCHG_NONE if no changes - * @returns GETDNS_FCHG_ERRORS if problems (see fchg->errors for details) - */ -int -_getdns_filechg_check(struct getdns_context *context, struct filechg *fchg) +getdns_return_t +getdns_context_get_hosts(getdns_context *context, const char **hosts) { - struct stat *finfo; + if (!context || !hosts) + return GETDNS_RETURN_INVALID_PARAMETER; - if(fchg == NULL) - return 0; + *hosts = *context->fchg_hosts.fn ? context->fchg_hosts.fn : NULL; + return GETDNS_RETURN_GOOD; +} - fchg->errors = GETDNS_FCHG_NOERROR; - fchg->changes = GETDNS_FCHG_NOCHANGES; - - finfo = GETDNS_MALLOC(context->my_mf, struct stat); - if(finfo == NULL) - { - fchg->errors = errno; - return GETDNS_FCHG_ERRORS; - } - - if(stat(fchg->fn, finfo) != 0) - { - GETDNS_FREE(context->my_mf, finfo); - fchg->errors = errno; - return GETDNS_FCHG_ERRORS; - } - - /* we want to consider a file that previously returned error for stat() as a - change */ - - if(fchg->prevstat == NULL) - fchg->changes = GETDNS_FCHG_MTIME | GETDNS_FCHG_CTIME; - else - { - if(fchg->prevstat->st_mtime != finfo->st_mtime) - fchg->changes |= GETDNS_FCHG_MTIME; - if(fchg->prevstat->st_ctime != finfo->st_ctime) - fchg->changes |= GETDNS_FCHG_CTIME; - GETDNS_FREE(context->my_mf, fchg->prevstat); - } - fchg->prevstat = finfo; - - return fchg->changes; -} /* filechg */ static getdns_upstreams * upstreams_create(getdns_context *context, size_t size) @@ -1090,7 +1104,7 @@ static int get_dns_suffix_windows(getdns_list *suffix, char* domain) static getdns_return_t -set_os_defaults(getdns_context *context, const char *resolvconf_file) +set_os_defaults_windows(getdns_context *context) { char domain[1024] = ""; size_t upstreams_limit = 10; @@ -1102,19 +1116,8 @@ set_os_defaults(getdns_context *context, const char *resolvconf_file) int s; uint32_t info_err = 0; - if (context->fchg_resolvconf == NULL) { - context->fchg_resolvconf = - GETDNS_MALLOC(context->my_mf, struct filechg); - if (context->fchg_resolvconf == NULL) - return GETDNS_RETURN_MEMORY_ERROR; - context->fchg_resolvconf->fn = resolvconf_file; - context->fchg_resolvconf->prevstat = NULL; - context->fchg_resolvconf->changes = GETDNS_FCHG_NOCHANGES; - context->fchg_resolvconf->errors = GETDNS_FCHG_NOERROR; - } - _getdns_filechg_check(context, context->fchg_resolvconf); - - context->upstreams = upstreams_create(context, upstreams_limit); + if (!(context->upstreams = upstreams_create(context, upstreams_limit))) + return GETDNS_RETURN_MEMORY_ERROR; memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ @@ -1185,8 +1188,8 @@ set_os_defaults(getdns_context *context, const char *resolvconf_file) #else -static getdns_return_t -set_os_defaults(getdns_context *context, const char *resolvconf_file) +getdns_return_t +getdns_context_set_resolvconf(getdns_context *context, const char *resolvconf) { FILE *in; char line[1024], domain[1024]; @@ -1198,21 +1201,18 @@ set_os_defaults(getdns_context *context, const char *resolvconf_file) getdns_list *suffix; int s; - if(context->fchg_resolvconf == NULL) { - context->fchg_resolvconf = - GETDNS_MALLOC(context->my_mf, struct filechg); - if(context->fchg_resolvconf == NULL) - return GETDNS_RETURN_MEMORY_ERROR; - context->fchg_resolvconf->fn = resolvconf_file; - context->fchg_resolvconf->prevstat = NULL; - context->fchg_resolvconf->changes = GETDNS_FCHG_NOCHANGES; - context->fchg_resolvconf->errors = GETDNS_FCHG_NOERROR; - } - _getdns_filechg_check(context, context->fchg_resolvconf); + if (!context || !resolvconf) + return GETDNS_RETURN_INVALID_PARAMETER; - in = fopen(context->fchg_resolvconf->fn, "r"); - if (!in) - return GETDNS_RETURN_GOOD; + + (void) strlcpy( context->fchg_resolvconf.fn, resolvconf, _GETDNS_PATH_MAX); + (void) memset(&context->fchg_resolvconf.prevstat, 0, sizeof(struct stat)); + context->fchg_resolvconf.changes = GETDNS_FCHG_NOCHANGES; + context->fchg_resolvconf.errors = GETDNS_FCHG_NOERROR; + (void) _getdns_filechg_check(&context->fchg_resolvconf); + + if (!(in = fopen(context->fchg_resolvconf.fn, "r"))) + return GETDNS_RETURN_IO_ERROR; upstream_count = 0; while (fgets(line, (int)sizeof(line), in)) @@ -1221,12 +1221,16 @@ set_os_defaults(getdns_context *context, const char *resolvconf_file) fclose(in); suffix = getdns_list_create_with_context(context); - context->upstreams = upstreams_create( - context, upstream_count * GETDNS_UPSTREAM_TRANSPORTS); - - in = fopen(context->fchg_resolvconf->fn, "r"); - if (!in) - return GETDNS_RETURN_GOOD; + if (context->upstreams) { + _getdns_upstreams_dereference(context->upstreams); + context->upstreams = NULL; + } + if (!(context->upstreams = upstreams_create( + context, upstream_count * GETDNS_UPSTREAM_TRANSPORTS))) { + return GETDNS_RETURN_MEMORY_ERROR; + } + if (!(in = fopen(context->fchg_resolvconf.fn, "r"))) + return GETDNS_RETURN_IO_ERROR; memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ @@ -1302,10 +1306,25 @@ set_os_defaults(getdns_context *context, const char *resolvconf_file) (void )getdns_context_set_suffix(context, suffix); getdns_list_destroy(suffix); + dispatch_updated(context, + GETDNS_CONTEXT_CODE_UPSTREAM_RECURSIVE_SERVERS); + return GETDNS_RETURN_GOOD; } /* set_os_defaults */ #endif +getdns_return_t +getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf) +{ + if (!context || !resolvconf) + return GETDNS_RETURN_INVALID_PARAMETER; + + *resolvconf = *context->fchg_resolvconf.fn + ? context->fchg_resolvconf.fn : NULL; + return GETDNS_RETURN_GOOD; +} + + /* compare of transaction ids in DESCENDING order so that 0 comes last */ @@ -1395,9 +1414,9 @@ static const char *_getdns_default_trust_anchors_verify_email = * Call this to initialize the context that is used in other getdns calls. */ getdns_return_t -getdns_context_create_with_extended_memory_functions2( +getdns_context_create_with_extended_memory_functions( getdns_context **context, - const char *resolvconf_file, + int set_from_os, void *userarg, void *(*malloc)(void *userarg, size_t), void *(*realloc)(void *userarg, void *, size_t), @@ -1567,8 +1586,8 @@ getdns_context_create_with_extended_memory_functions2( /* state data used to detect changes to the system config files */ - result->fchg_resolvconf = NULL; - result->fchg_hosts = NULL; + (void)memset(&result->fchg_resolvconf, 0, sizeof(struct filechg)); + (void)memset(&result->fchg_hosts , 0, sizeof(struct filechg)); result->dnssec_allowed_skew = 0; result->edns_maximum_udp_payload_size = -1; @@ -1619,12 +1638,12 @@ getdns_context_create_with_extended_memory_functions2( _getdns_mdns_context_init(result); #endif - create_local_hosts(result); - // resolv.conf does not exist on Windows, handle differently #ifndef USE_WINSOCK - if ((set_from_os & 1) && (r = set_os_defaults(result, resolvconf_file))) - goto error; + if ((set_from_os & 1)) { + (void) getdns_context_set_resolvconf(result, GETDNS_FN_RESOLVCONF); + (void) getdns_context_set_hosts(result, GETDNS_FN_HOSTS); + } #else if ((set_from_os & 1) && (r = set_os_defaults_windows(result))) goto error; @@ -1637,21 +1656,6 @@ error: return r; } /* getdns_context_create_with_extended_memory_functions */ -getdns_return_t -getdns_context_create_with_extended_memory_functions( - getdns_context **context, - int set_from_os, - void *userarg, - void *(*malloc)(void *userarg, size_t), - void *(*realloc)(void *userarg, void *, size_t), - void (*free)(void *userarg, void *) - ) -{ - return getdns_context_create_with_extended_memory_functions2(context, - ((set_from_os & 1) ? GETDNS_FN_RESOLVCONF : NULL), userarg, - malloc, realloc, free); -} - /* * getdns_context_create * @@ -1686,30 +1690,6 @@ getdns_context_create(struct getdns_context ** context, int set_from_os) set_from_os, malloc, realloc, free); } /* getdns_context_create */ -getdns_return_t -getdns_context_create_with_memory_functions2(getdns_context **context, - const char *resolvconf_file, - void *(*malloc)(size_t), - void *(*realloc)(void *, size_t), - void (*free)(void *) - ) -{ - mf_union mf; - mf.pln.malloc = malloc; - mf.pln.realloc = realloc; - mf.pln.free = free; - return getdns_context_create_with_extended_memory_functions2( - context, resolvconf_file, MF_PLAIN, - mf.ext.malloc, mf.ext.realloc, mf.ext.free); -} - -getdns_return_t -getdns_context_create2(getdns_context **context, const char *resolvconf_file) -{ - return getdns_context_create_with_memory_functions2(context, - resolvconf_file, malloc, realloc, free); -} - /* * getdns_context_destroy * @@ -1764,16 +1744,6 @@ getdns_context_destroy(struct getdns_context *context) if (context->dns_transports) GETDNS_FREE(context->my_mf, context->dns_transports); - if(context->fchg_resolvconf) { - if(context->fchg_resolvconf->prevstat) - GETDNS_FREE(context->my_mf, context->fchg_resolvconf->prevstat); - GETDNS_FREE(context->my_mf, context->fchg_resolvconf); - } - if(context->fchg_hosts) { - if(context->fchg_hosts->prevstat) - GETDNS_FREE(context->my_mf, context->fchg_hosts->prevstat); - GETDNS_FREE(context->my_mf, context->fchg_hosts); - } if (context->tls_ctx) SSL_CTX_free(context->tls_ctx); @@ -3902,9 +3872,10 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_CA", str_value); if (!getdns_context_get_trust_anchors_verify_email(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_email", str_value); - if (context->fchg_resolvconf && context->fchg_resolvconf->fn) - (void) getdns_dict_util_set_string(result, "resolvconf_file", context->fchg_resolvconf->fn); - + if (!getdns_context_get_resolvconf(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "resolvconf", str_value); + if (!getdns_context_get_hosts(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "hosts", str_value); return result; error: getdns_dict_destroy(result); @@ -3946,6 +3917,33 @@ getdns_context_get_api_information(getdns_context* context) && ! getdns_dict_util_set_string( result, "default_hosts_location", GETDNS_FN_HOSTS) + && ! getdns_dict_set_int( + result, "openssl_build_version_number", OPENSSL_VERSION_NUMBER) + +#ifdef HAVE_OPENSSL_VERSION_NUM + && ! getdns_dict_set_int( + result, "openssl_version_number", OpenSSL_version_num()) +#endif +#ifdef HAVE_OPENSSL_VERSION + && ! getdns_dict_util_set_string( + result, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION)) + + && ! getdns_dict_util_set_string( + result, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS)) + + && ! getdns_dict_util_set_string( + result, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON)) + + && ! getdns_dict_util_set_string( + result, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM)) + + && ! getdns_dict_util_set_string( + result, "openssl_dir", OpenSSL_version(OPENSSL_DIR)) + + && ! getdns_dict_util_set_string( + result, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR)) +#endif + && ! getdns_dict_set_int( result, "resolution_type", context->resolution_type) @@ -4606,6 +4604,8 @@ _getdns_context_config_setting(getdns_context *context, CONTEXT_SETTING_STRING(trust_anchors_verify_CA) CONTEXT_SETTING_STRING(trust_anchors_verify_email) CONTEXT_SETTING_STRING(appdata_dir) + CONTEXT_SETTING_STRING(resolvconf) + CONTEXT_SETTING_STRING(hosts) /**************************************/ /**** ****/ @@ -4668,6 +4668,14 @@ _getdns_context_config_setting(getdns_context *context, && !_streq(setting, "default_resolvconf_location") && !_streq(setting, "default_hosts_location") && !_streq(setting, "compilation_comment") + && !_streq(setting, "openssl_build_version_number") + && !_streq(setting, "openssl_version_number") + && !_streq(setting, "openssl_version_string") + && !_streq(setting, "openssl_cflags") + && !_streq(setting, "openssl_built_on") + && !_streq(setting, "openssl_platform") + && !_streq(setting, "openssl_dir") + && !_streq(setting, "openssl_engines_dir") ) { r = GETDNS_RETURN_NOT_IMPLEMENTED; } @@ -5060,14 +5068,27 @@ getdns_context *_getdns_context_get_sys_ctxt( if (context->sys_ctxt) return context->sys_ctxt; - if ((r = getdns_context_create_with_extended_memory_functions2(&context->sys_ctxt, - ( context->fchg_resolvconf && context->fchg_resolvconf->fn - ? context->fchg_resolvconf->fn : NULL ), - context->mf.mf_arg, context->mf.mf.ext.malloc, - context->mf.mf.ext.realloc, context->mf.mf.ext.free))) + if ((r = getdns_context_create_with_extended_memory_functions( + &context->sys_ctxt, 1, context->mf.mf_arg, + context->mf.mf.ext.malloc, context->mf.mf.ext.realloc, + context->mf.mf.ext.free))) DEBUG_ANCHOR("Could not create system context: %s\n" , getdns_get_errorstr_by_id(r)); + else if (*context->fchg_resolvconf.fn && + (r = getdns_context_set_resolvconf( + context->sys_ctxt, context->fchg_resolvconf.fn))) + DEBUG_ANCHOR("Could initialize system context with resolvconf " + "\"%s\": %s\n", context->fchg_resolvconf.fn + , getdns_get_errorstr_by_id(r)); + + else if (*context->fchg_hosts.fn && + (r = getdns_context_set_hosts( + context->sys_ctxt, context->fchg_hosts.fn))) + DEBUG_ANCHOR("Could initialize system context with hosts " + "\"%s\": %s\n", context->fchg_resolvconf.fn + , getdns_get_errorstr_by_id(r)); + else if ((r = getdns_context_set_eventloop( context->sys_ctxt, loop))) DEBUG_ANCHOR("Could not configure %ssynchronous loop " diff --git a/src/context.h b/src/context.h index 5fc0ff38..bc85d65a 100644 --- a/src/context.h +++ b/src/context.h @@ -69,10 +69,10 @@ typedef void (*getdns_update_callback2) (struct getdns_context *, /* internal use only for detecting changes to system files */ struct filechg { - const char *fn; + char fn[_GETDNS_PATH_MAX]; int changes; int errors; - struct stat *prevstat; + struct stat prevstat; }; typedef enum getdns_tls_hs_state { @@ -452,8 +452,8 @@ struct getdns_context { /* * state data used to detect changes to the system config files */ - struct filechg *fchg_resolvconf; - struct filechg *fchg_hosts; + struct filechg fchg_resolvconf; + struct filechg fchg_hosts; uint8_t trust_anchors_spc[1024]; @@ -537,8 +537,6 @@ void _getdns_bindata_destroy( getdns_return_t _getdns_context_local_namespace_resolve( getdns_dns_req* req, struct getdns_dict **response); -int _getdns_filechg_check(struct getdns_context *context, struct filechg *fchg); - void _getdns_context_ub_read_cb(void *userarg); void _getdns_upstreams_dereference(getdns_upstreams *upstreams); diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index b2e362ee..2f8fa8cd 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in @@ -53,6 +53,8 @@ extern "C" { * \addtogroup returntypestext Return values and texts * @{ */ +#define GETDNS_RETURN_IO_ERROR ((getdns_return_t) 397 ) +#define GETDNS_RETURN_IO_ERROR_TEXT "An input/output error occurred. Inspect errno for details." #define GETDNS_RETURN_NO_UPSTREAM_AVAILABLE ((getdns_return_t) 398 ) #define GETDNS_RETURN_NO_UPSTREAM_AVAILABLE_TEXT "None of the configured upstreams could be used to send queries on the specified transports" #define GETDNS_RETURN_NEED_MORE_SPACE ((getdns_return_t) 399 ) @@ -88,6 +90,11 @@ extern "C" { #define GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL_TEXT "Change related to getdns_context_set_trust_anchors_verify_email" #define GETDNS_CONTEXT_CODE_APPDATA_DIR 628 #define GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT "Change related to getdns_context_set_appdata_dir" +#define GETDNS_CONTEXT_CODE_RESOLVCONF 629 +#define GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT "Change related to getdns_context_set_resolvconf" +#define GETDNS_CONTEXT_CODE_HOSTS 630 +#define GETDNS_CONTEXT_CODE_HOSTS_TEXT "Change related to getdns_context_set_hosts" + /** @} */ @@ -377,67 +384,6 @@ getdns_context_run(getdns_context *context); * @{ */ -/** - * creates a new getdns context with default settings. - * If used multi-threaded, user must define appropriate OpenSSL callback locking functions - * (e.g. CRYPTO_THREADID_set_call) depending on the library version used. - * @param context context that can be used immediately with other API calls - * @param resolvconf is the location of the resolv.conf file from which to - * read the OS settings. When NULL, the context will not be - * initialized with the settings herein. - * @return GETDNS_RETURN_GOOD on success -*/ -getdns_return_t -getdns_context_create2(getdns_context ** context, const char *resolvconf); - - -/** - * creates a new getdns context with default settings using custom memory functions. - * If used multi-threaded, user must define appropriate OpenSSL callback locking functions - * (e.g. CRYPTO_THREADID_set_call) depending on the library version used. - * @param context context that can be used immediately with other API calls - * @param resolvconf is the location of the resolv.conf file from which to - * read the OS settings. When NULL, the context will not be - * initialized with the settings herein. - * @param malloc custom malloc function - * @param realloc custom realloc function - * @param free custom free function - * @return GETDNS_RETURN_GOOD on success -*/ -getdns_return_t -getdns_context_create_with_memory_functions2( - getdns_context ** context, - const char *resolvconf, - void *(*malloc) (size_t), - void *(*realloc) (void *, size_t), - void (*free) (void *) -); - - -/** - * creates a new getdns context with default settings using extended custom memory functions. - * If used multi-threaded, user must define appropriate OpenSSL callback locking functions - * (e.g. CRYPTO_THREADID_set_call) depending on the library version used. - * @param context context that can be used immediately with other API calls - * @param resolvconf is the location of the resolv.conf file from which to - * read the OS settings. When NULL, the context will not be - * initialized with the settings herein. - * @param userarg parameter passed to the custom malloc, realloc and free functions - * @param malloc custom malloc function - * @param realloc custom realloc function - * @param free custom free function - * @return GETDNS_RETURN_GOOD on success -*/ -getdns_return_t -getdns_context_create_with_extended_memory_functions2( - getdns_context **context, - const char *resolvconf, - void *userarg, - void *(*malloc) (void *userarg, size_t), - void *(*realloc) (void *userarg, void *, size_t), - void (*free) (void *userarg, void *) -); - /** * Register a callback function for context changes. * @see getdns_context_set_context_update_callback @@ -741,6 +687,30 @@ getdns_return_t getdns_context_set_trust_anchors_verify_email( getdns_context *context, const char *verify_email); +/** + * Initialized the context's upstream recursive servers and suffixes + * with the values from the given resolv.conf file. + * @see getdns_context_get_resolvconf + * @see getdns_context_set_hosts + * @param[in] context The context to configure + * @param[in] resolvonf Defaults to /etc/resolv.conf + * @return GETDNS_RETURN_GOOD when successful and error code otherwise. + */ +getdns_return_t +getdns_context_set_resolvconf(getdns_context *context, const char *resolvconf); + +/** + * Initialized the context's GETDNS_NAMESPACE_LOCALNAMES namespace with + * values from the given hosts file. + * @see getdns_context_get_hosts + * @see getdns_context_set_resolvconf + * @param[in] context The context to configure + * @param[in] hosts Defaults to /etc/hosts + * @return GETDNS_RETURN_GOOD when successful and error code otherwise. + */ +getdns_return_t +getdns_context_set_hosts(getdns_context *context, const char *hosts); + /** * Get the current resolution type setting from this context. * @see getdns_context_set_resolution_type @@ -1195,6 +1165,31 @@ getdns_return_t getdns_context_get_trust_anchors_verify_email( getdns_context *context, const char **verify_email); +/** + * Get the value with which the context's upstream recursive servers + * and suffixes were initialized. + * @see getdns_context_set_resolvconf + * @see getdns_context_get_hosts + * @param[in] context The context to configure + * @param[out] resolvonf NULL if the context was not initialized with a + * resolv.conf file. + * @return GETDNS_RETURN_GOOD when successful and error code otherwise. + */ +getdns_return_t +getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf); + +/** + * Get the value with which the context's GETDNS_NAMESPACE_LOCALNAMES namespace + * was initialized. + * @see getdns_context_set_hosts + * @see getdns_context_get_resolvconf + * @param[in] context The context to configure + * @param[out] hosts NULL when GETDNS_NAMESPACE_LOCALNAMES namespace + * was not initialized. + * @return GETDNS_RETURN_GOOD when successful and error code otherwise. + */ +getdns_return_t +getdns_context_get_hosts(getdns_context *context, const char **hosts); /** @} */ diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols index 46199c59..d2b7900a 100644 --- a/src/libgetdns.symbols +++ b/src/libgetdns.symbols @@ -3,11 +3,8 @@ getdns_address_sync getdns_cancel_callback getdns_context_config getdns_context_create -getdns_context_create2 getdns_context_create_with_extended_memory_functions -getdns_context_create_with_extended_memory_functions2 getdns_context_create_with_memory_functions -getdns_context_create_with_memory_functions2 getdns_context_destroy getdns_context_detach_eventloop getdns_context_get_api_information @@ -24,11 +21,13 @@ getdns_context_get_edns_maximum_udp_payload_size getdns_context_get_edns_version getdns_context_get_eventloop getdns_context_get_follow_redirects +getdns_context_get_hosts getdns_context_get_idle_timeout getdns_context_get_limit_outstanding_queries getdns_context_get_namespaces getdns_context_get_num_pending_requests getdns_context_get_resolution_type +getdns_context_get_resolvconf getdns_context_get_round_robin_upstreams getdns_context_get_suffix getdns_context_get_timeout @@ -59,6 +58,7 @@ getdns_context_set_edns_version getdns_context_set_eventloop getdns_context_set_extended_memory_functions getdns_context_set_follow_redirects +getdns_context_set_hosts getdns_context_set_idle_timeout getdns_context_set_limit_outstanding_queries getdns_context_set_listen_addresses @@ -66,6 +66,7 @@ getdns_context_set_logfunc getdns_context_set_memory_functions getdns_context_set_namespaces getdns_context_set_resolution_type +getdns_context_set_resolvconf getdns_context_set_return_dnssec_status getdns_context_set_round_robin_upstreams getdns_context_set_suffix diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index 8bc2c231..4722e07f 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -1735,10 +1735,8 @@ main(int argc, char **argv) goto done_destroy_context; fprintf(stderr, "resolvconf: %s\n", resolvconf); if (resolvconf) { - getdns_context_destroy(context); - if ((r = getdns_context_create2(&context, resolvconf))) { - fprintf(stderr, "Create context failed: %d\n", (int)r); - context = NULL; + if ((r = getdns_context_set_resolvconf(context, resolvconf))) { + fprintf(stderr, "Problem initializing with resolvconf: %d\n", (int)r); goto done_destroy_context; } if ((r = parse_args(argc, argv))) diff --git a/stubby b/stubby index a43be56e..d9bba5a0 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit a43be56e28f3a802f74b7c5b19b4b4c5fbaa908a +Subproject commit d9bba5a018943abb548aa0795ef9c0529bc2c328 From 26877d44944ceb33fd9992f397382fec6b6bcc00 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 12 Dec 2017 12:38:55 +0100 Subject: [PATCH 18/47] Include sys/stat.h (from config.h) + + introduce GETDNS_RETURN_IO_ERROR return code (forgot to mention that in previous commit) --- ChangeLog | 1 + configure.ac | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a9d48429..7f5cf497 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,7 @@ the context's LOCALNAMES namespace. * get which version of OpenSSL was used at build time and at run time when available with getdns_context_get_api_information() + * GETDNS_RETURN_IO_ERROR return error code * Bugfix #359: edns_client_subnet_private should set family Thanks Daniel Areiza diff --git a/configure.ac b/configure.ac index ed14463f..dd499b90 100644 --- a/configure.ac +++ b/configure.ac @@ -265,7 +265,7 @@ esac DEFAULT_EVENTLOOP=select_eventloop -AC_CHECK_HEADERS([signal.h sys/poll.h poll.h sys/resource.h sys/types.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([signal.h sys/poll.h poll.h sys/resource.h sys/types.h sys/stat.h],,, [AC_INCLUDES_DEFAULT]) AC_ARG_ENABLE(poll-eventloop, AC_HELP_STRING([--disable-poll-eventloop], [Disable default eventloop based on poll (default=enabled if available)])) case "$enable_poll_eventloop" in no) @@ -1516,6 +1516,10 @@ static inline int _gldns_custom_vsnprintf(char *str, size_t size, const char *fo #include #endif +#ifdef HAVE_SYS_STAT_H +#include +#endif + #ifdef HAVE_NETINET_IN_H #include #endif From da3f023d8f315c4884deafc948186ca6cf435bcf Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 12 Dec 2017 15:10:37 +0100 Subject: [PATCH 19/47] set_CApath() and set_CAfile() for alt verify locs --- ChangeLog | 2 ++ src/const-info.c | 4 +++ src/context.c | 66 ++++++++++++++++++++++++++++++++++-- src/context.h | 3 ++ src/getdns/getdns_extra.h.in | 55 ++++++++++++++++++++++++++++++ src/libgetdns.symbols | 4 +++ 6 files changed, 132 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 133ccbdb..3cc44cef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ * 201?-??-??: Version 1.?.? + * Specify locations at which CA certificates for verification purposes + are located: getdns_context_set_CApath() getdns_context_set_CAfile() * Bugfix #359: edns_client_subnet_private should set family Thanks Daniel Areiza diff --git a/src/const-info.c b/src/const-info.c index 2c582ed1..b1bd4f96 100644 --- a/src/const-info.c +++ b/src/const-info.c @@ -86,6 +86,8 @@ static struct const_info consts_info[] = { { 626, "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA_TEXT }, { 627, "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL", GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL_TEXT }, { 628, "GETDNS_CONTEXT_CODE_APPDATA_DIR", GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT }, + { 630, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT }, + { 631, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, { 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT }, @@ -156,6 +158,8 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CALLBACK_TIMEOUT", 702 }, { "GETDNS_CONTEXT_CODE_APPDATA_DIR", 628 }, { "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 }, + { "GETDNS_CONTEXT_CODE_CAFILE", 631 }, + { "GETDNS_CONTEXT_CODE_CAPATH", 630 }, { "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 }, { "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 }, { "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 }, diff --git a/src/context.c b/src/context.c index b5b37630..ef5126eb 100644 --- a/src/context.c +++ b/src/context.c @@ -1498,6 +1498,8 @@ getdns_context_create_with_extended_memory_functions( result->trust_anchors_verify_email = NULL; result->trust_anchors_verify_CA = NULL; result->appdata_dir = NULL; + result->CApath = NULL; + result->CAfile = NULL; (void) memset(&result->root_ksk, 0, sizeof(result->root_ksk)); @@ -1773,6 +1775,11 @@ getdns_context_destroy(struct getdns_context *context) , context->trust_anchors_verify_email); if (context->appdata_dir) GETDNS_FREE(context->mf, context->appdata_dir); + if (context->CApath) + GETDNS_FREE(context->mf, context->CApath); + if (context->CAfile) + GETDNS_FREE(context->mf, context->CAfile); + #ifdef USE_WINSOCK WSACleanup(); @@ -3568,10 +3575,14 @@ _getdns_context_prepare_for_resolution(getdns_context *context) return GETDNS_RETURN_BAD_CONTEXT; /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/ + if ((context->CAfile || context->CApath) && + SSL_CTX_load_verify_locations(context->tls_ctx + , context->CAfile, context->CApath)) + ; /* pass */ # ifndef USE_WINSOCK - if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { + else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { # else - if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { + else if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { # endif /* USE_WINSOCK */ if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) return GETDNS_RETURN_BAD_CONTEXT; @@ -3868,6 +3879,10 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_CA", str_value); if (!getdns_context_get_trust_anchors_verify_email(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_email", str_value); + if (!getdns_context_get_CApath(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "CApath", str_value); + if (!getdns_context_get_CAfile(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "CAfile", str_value); return result; error: @@ -4564,6 +4579,8 @@ _getdns_context_config_setting(getdns_context *context, CONTEXT_SETTING_STRING(trust_anchors_verify_CA) CONTEXT_SETTING_STRING(trust_anchors_verify_email) CONTEXT_SETTING_STRING(appdata_dir) + CONTEXT_SETTING_STRING(CApath) + CONTEXT_SETTING_STRING(CAfile) /**************************************/ /**** ****/ @@ -5008,5 +5025,50 @@ getdns_context_set_appdata_dir( return GETDNS_RETURN_GOOD; } +getdns_return_t +getdns_context_set_CApath(getdns_context *context, const char *CApath) +{ + if (!context || !CApath) + return GETDNS_RETURN_INVALID_PARAMETER; + if (context->CApath) + GETDNS_FREE(context->mf, context->CApath); + context->CApath = _getdns_strdup(&context->mf, CApath); + + dispatch_updated(context, GETDNS_CONTEXT_CODE_CAPATH); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_get_CApath(getdns_context *context, const char **CApath) +{ + if (!context || !CApath) + return GETDNS_RETURN_INVALID_PARAMETER; + + *CApath = context->CApath; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_set_CAfile(getdns_context *context, const char *CAfile) +{ + if (!context || !CAfile) + return GETDNS_RETURN_INVALID_PARAMETER; + if (context->CAfile) + GETDNS_FREE(context->mf, context->CAfile); + context->CAfile = _getdns_strdup(&context->mf, CAfile); + + dispatch_updated(context, GETDNS_CONTEXT_CODE_CAFILE); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_get_CAfile(getdns_context *context, const char **CAfile) +{ + if (!context || !CAfile) + return GETDNS_RETURN_INVALID_PARAMETER; + + *CAfile = context->CAfile; + return GETDNS_RETURN_GOOD; +} /* context.c */ diff --git a/src/context.h b/src/context.h index 1a6d93a4..4d174e60 100644 --- a/src/context.h +++ b/src/context.h @@ -346,6 +346,9 @@ struct getdns_context { char *appdata_dir; _getdns_property can_write_appdata; + char *CApath; + char *CAfile; + getdns_upstreams *upstreams; uint16_t limit_outstanding_queries; uint32_t dnssec_allowed_skew; diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index ca62b2fb..f803d503 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in @@ -88,6 +88,10 @@ extern "C" { #define GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL_TEXT "Change related to getdns_context_set_trust_anchors_verify_email" #define GETDNS_CONTEXT_CODE_APPDATA_DIR 628 #define GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT "Change related to getdns_context_set_appdata_dir" +#define GETDNS_CONTEXT_CODE_CAPATH 630 +#define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath" +#define GETDNS_CONTEXT_CODE_CAFILE 631 +#define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile" /** @} */ @@ -680,6 +684,31 @@ getdns_return_t getdns_context_set_trust_anchors_verify_email( getdns_context *context, const char *verify_email); +/** + * Specify where the location for CA certificates for verification purposes + * are located. + * @see getdns_context_get_CApath + * @see getdns_context_set_CAfile + * @param[in] context The context to configure + * @param[in] CApath Directory with Certificate Authority certificates. + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_set_CApath(getdns_context *context, const char *CApath); + +/** + * Specify the file with CA certificates for verification purposes. + * @see getdns_context_get_CAfile + * @see getdns_context_set_CApath + * @param[in] context The context to configure + * @param[in] CAfile The file with Certificate Authority certificates. + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_set_CAfile(getdns_context *context, const char *CAfile); + /** * Get the current resolution type setting from this context. * @see getdns_context_set_resolution_type @@ -1134,6 +1163,32 @@ getdns_return_t getdns_context_get_trust_anchors_verify_email( getdns_context *context, const char **verify_email); +/** + * Get the location of the directory for CA certificates for verification + * purposes. + * @see getdns_context_set_CApath + * @see getdns_context_get_CAfile + * @param[in] context The context to configure + * @param[out] CApath Directory with Certificate Authority certificates + * or NULL when one was not configured. + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_get_CApath(getdns_context *context, const char **CApath); + +/** + * Get the file location with CA certificates for verification purposes. + * @see getdns_context_set_CAfile + * @see getdns_context_get_CApath + * @param[in] context The context to configure + * @param[out] CAfile The file with Certificate Authority certificates + * or NULL when one was not configured. + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_get_CAfile(getdns_context *context, const char **CAfile); /** @} */ diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols index 3f26578a..300baa70 100644 --- a/src/libgetdns.symbols +++ b/src/libgetdns.symbols @@ -7,6 +7,8 @@ getdns_context_create_with_extended_memory_functions getdns_context_create_with_memory_functions getdns_context_destroy getdns_context_detach_eventloop +getdns_context_get_CAfile +getdns_context_get_CApath getdns_context_get_api_information getdns_context_get_append_name getdns_context_get_dns_root_servers @@ -40,6 +42,8 @@ getdns_context_get_update_callback getdns_context_get_upstream_recursive_servers getdns_context_process_async getdns_context_run +getdns_context_set_CAfile +getdns_context_set_CApath getdns_context_set_appdata_dir getdns_context_set_append_name getdns_context_set_context_update_callback From d5518bad6772d7ab9a8ffcbb682b848674831cb5 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 11:12:49 +0100 Subject: [PATCH 20/47] Return which extensions are set (for programs (Stubby) to know whether a context will do native dnssec validation or not) --- src/context.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++ src/dict.c | 20 +++++++++++++++++- 2 files changed, 77 insertions(+), 1 deletion(-) diff --git a/src/context.c b/src/context.c index fc33fec2..448daa0c 100644 --- a/src/context.c +++ b/src/context.c @@ -3876,6 +3876,64 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "resolvconf", str_value); if (!getdns_context_get_hosts(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "hosts", str_value); + + /* Default settings for extensions */ + (void)getdns_dict_set_int( + result, "add_warning_for_bad_dns", + context->add_warning_for_bad_dns ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_all_statuses", + context->dnssec_return_all_statuses ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_full_validation_chain", + context->dnssec_return_full_validation_chain ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_only_secure", + context->dnssec_return_only_secure ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_status", + context->dnssec_return_status ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_validation_chain", + context->dnssec_return_validation_chain ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + +#if defined(DNSSEC_ROADBLOCK_AVOIDANCE) && defined(HAVE_LIBUNBOUND) + (void)getdns_dict_set_int( + result, "dnssec_roadblock_avoidance", + context->dnssec_roadblock_avoidance ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); +#endif +#ifdef EDNS_COOKIES + (void)getdns_dict_set_int( + result, "edns_cookies", + context->edns_cookies ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); +#endif + (void)getdns_dict_set_int( + result, "return_both_v4_and_v6", + context->return_both_v4_and_v6 ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "return_call_reporting", + context->return_call_reporting ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int(result, "specify_class", + (uint32_t)context->specify_class); + + if (context->add_opt_parameters) + (void)getdns_dict_set_dict( + result, "add_opt_parameters", context->add_opt_parameters); + + if (context->header) + (void)getdns_dict_set_dict( + result, "header", context->add_opt_parameters); + return result; error: getdns_dict_destroy(result); diff --git a/src/dict.c b/src/dict.c index 99e347ad..27ed57be 100644 --- a/src/dict.c +++ b/src/dict.c @@ -1082,7 +1082,25 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent, strcmp(item->node.key, "follow_redirects") == 0 || strcmp(item->node.key, "transport") == 0 || strcmp(item->node.key, "resolution_type") == 0 || - strcmp(item->node.key, "tls_authentication") == 0 ) && + strcmp(item->node.key, "tls_authentication") == 0 || + + /* extensions */ + strcmp(item->node.key, "add_warning_for_bad_dns") == 0 || + strcmp(item->node.key, "dnssec_return_all_statuses") == 0 || + strcmp(item->node.key, "dnssec_return_full_validation_chain") == 0 || + strcmp(item->node.key, "dnssec_return_only_secure") == 0 || + strcmp(item->node.key, "dnssec_return_status") == 0 || + strcmp(item->node.key, "dnssec_return_validation_chain") == 0 || +#if defined(DNSSEC_ROADBLOCK_AVOIDANCE) && defined(HAVE_LIBUNBOUND) + strcmp(item->node.key, "dnssec_roadblock_avoidance") == 0 || +#endif +#ifdef EDNS_COOKIES + strcmp(item->node.key, "edns_cookies") == 0 || +#endif + strcmp(item->node.key, "return_api_information") == 0 || + strcmp(item->node.key, "return_both_v4_and_v6") == 0 || + strcmp(item->node.key, "return_call_reporting") == 0 + ) && (strval = _getdns_get_const_info(item->i.data.n)->name)) { if (gldns_buffer_printf(buf, " %s", strval) < 0) From d4ec98ae6dc4a7040aa9cc7bb0109919abee100f Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 11:55:49 +0100 Subject: [PATCH 21/47] ChangeLog for previous commit --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 7f5cf497..a1f0a48d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ * 201?-??-??: Version 1.?.? + * Report default extension settings with + getdns_context_get_api_information() * getdns_context_set_resolvconf() function to initialize a context upstreams and suffices with a resolv.conf file. getdns_context_get_resolvconf() to get the file used to initialize From 362d16838008f743885b46907b953fefa522d5e2 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 12:36:02 +0100 Subject: [PATCH 22/47] no_dnssec_checking_disabled extension for internal use only --- src/request-internal.c | 32 ++++++++++++++++++++++++++------ src/types-internal.h | 1 + 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/src/request-internal.c b/src/request-internal.c index b78c19ab..a819fea0 100644 --- a/src/request-internal.c +++ b/src/request-internal.c @@ -84,6 +84,11 @@ getdns_dict dnssec_ok_checking_disabled_avoid_roadblocks_spc = { getdns_dict *dnssec_ok_checking_disabled_avoid_roadblocks = &dnssec_ok_checking_disabled_avoid_roadblocks_spc; +getdns_dict no_dnssec_checking_disabled_spc = { + { RBTREE_NULL, 0, (int (*)(const void *, const void *)) strcmp }, + { NULL, {{ NULL, NULL, NULL }}} +}; +getdns_dict *no_dnssec_checking_disabled = &no_dnssec_checking_disabled_spc; static int is_extension_set(getdns_dict *extensions, const char *name, int default_value) @@ -94,7 +99,8 @@ is_extension_set(getdns_dict *extensions, const char *name, int default_value) if ( ! extensions || extensions == dnssec_ok_checking_disabled || extensions == dnssec_ok_checking_disabled_roadblock_avoidance - || extensions == dnssec_ok_checking_disabled_avoid_roadblocks) + || extensions == dnssec_ok_checking_disabled_avoid_roadblocks + || extensions == no_dnssec_checking_disabled) return 0; r = getdns_dict_get_int(extensions, name, &value); @@ -155,7 +161,7 @@ netreq_reset(getdns_network_req *net_req) static int network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, - uint16_t request_type, int dnssec_extension_set, int with_opt, + uint16_t request_type, int checking_disabled, int with_opt, int edns_maximum_udp_payload_size, uint8_t edns_extended_rcode, uint8_t edns_version, int edns_do_bit, uint16_t opt_options_size, size_t noptions, getdns_list *options, @@ -240,7 +246,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, _getdns_reply_dict2wire(owner->context->header, &gbuf, 1); gldns_buffer_rewind(&gbuf); _getdns_reply_dict2wire(extensions, &gbuf, 1); - if (dnssec_extension_set) /* We will do validation ourselves */ + if (checking_disabled) /* We will do validation ourselves */ GLDNS_CD_SET(net_req->query); if (with_opt) { @@ -762,8 +768,22 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, */ size_t max_query_sz, max_response_sz, netreq_sz, dnsreq_base_sz; uint8_t *region, *suffixes; + int checking_disabled = dnssec_extension_set; - if (extensions == dnssec_ok_checking_disabled || + if (extensions == no_dnssec_checking_disabled) { + dnssec_return_status = 0; + dnssec_return_only_secure = 0; + dnssec_return_all_statuses = 0; + dnssec_return_full_validation_chain = 0; + dnssec_return_validation_chain = 0; + dnssec_extension_set = 0; +#ifdef DNSSEC_ROADBLOCK_AVOIDANCE + dnssec_roadblock_avoidance = 0; + avoid_dnssec_roadblocks = 0; +#endif + extensions = NULL; + checking_disabled = 1; + } else if (extensions == dnssec_ok_checking_disabled || extensions == dnssec_ok_checking_disabled_roadblock_avoidance || extensions == dnssec_ok_checking_disabled_avoid_roadblocks) extensions = NULL; @@ -973,7 +993,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, result->chain = NULL; network_req_init(result->netreqs[0], result, - request_type, dnssec_extension_set, with_opt, + request_type, checking_disabled, with_opt, edns_maximum_udp_payload_size, edns_extended_rcode, edns_version, edns_do_bit, (uint16_t) opt_options_size, noptions, options, @@ -984,7 +1004,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, network_req_init(result->netreqs[1], result, ( request_type == GETDNS_RRTYPE_A ? GETDNS_RRTYPE_AAAA : GETDNS_RRTYPE_A ), - dnssec_extension_set, with_opt, + checking_disabled, with_opt, edns_maximum_udp_payload_size, edns_extended_rcode, edns_version, edns_do_bit, (uint16_t) opt_options_size, noptions, options, diff --git a/src/types-internal.h b/src/types-internal.h index 05589f4a..6c6cf63a 100644 --- a/src/types-internal.h +++ b/src/types-internal.h @@ -425,6 +425,7 @@ typedef struct getdns_dns_req { extern getdns_dict *dnssec_ok_checking_disabled; extern getdns_dict *dnssec_ok_checking_disabled_roadblock_avoidance; extern getdns_dict *dnssec_ok_checking_disabled_avoid_roadblocks; +extern getdns_dict *no_dnssec_checking_disabled; /* dns request utils */ getdns_dns_req *_getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, From e691312a3fea46539a13aee9aefbd465e683ec13 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 12:50:03 +0100 Subject: [PATCH 23/47] Schedule DNSSEC meta queries against existing context --- src/anchor.c | 20 ++++++-------------- src/tools/getdns_query.c | 1 - 2 files changed, 6 insertions(+), 15 deletions(-) diff --git a/src/anchor.c b/src/anchor.c index a374ab78..c23320fe 100644 --- a/src/anchor.c +++ b/src/anchor.c @@ -1517,7 +1517,6 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) char tas_hostname[256]; const char *verify_CA; const char *verify_email; - getdns_context *sys_ctxt; if ((r = _getdns_get_tas_url_hostname(context, tas_hostname, NULL))) { DEBUG_ANCHOR("ERROR %s(): Could not get_tas_url_hostname" @@ -1558,19 +1557,12 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) DEBUG_ANCHOR("%s on the %ssynchronous loop\n", __FUNC__, loop == &context->sync_eventloop.loop ? "" : "a"); - if (!(sys_ctxt = _getdns_context_get_sys_ctxt(context, loop))) { - DEBUG_ANCHOR("Fatal error fetching trust anchor: " - "missing system context\n"); - context->trust_anchors_source = GETDNS_TASRC_FAILED; - _getdns_ta_notify_dnsreqs(context); - return; - } scheduled = 0; #if 1 context->a.state = TAS_LOOKUP_ADDRESSES; - if ((r = _getdns_general_loop(sys_ctxt, loop, - tas_hostname, GETDNS_RRTYPE_A, NULL, context, - &context->a.req, NULL, _tas_hostname_lookup_cb))) { + if ((r = _getdns_general_loop(context, loop, + tas_hostname, GETDNS_RRTYPE_A, no_dnssec_checking_disabled, + context, &context->a.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling A lookup for %s: %s\n" , tas_hostname, getdns_get_errorstr_by_id(r)); } else @@ -1579,9 +1571,9 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) #if 1 context->aaaa.state = TAS_LOOKUP_ADDRESSES; - if ((r = _getdns_general_loop(sys_ctxt, loop, - tas_hostname, GETDNS_RRTYPE_AAAA, NULL, context, - &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) { + if ((r = _getdns_general_loop(context, loop, + tas_hostname, GETDNS_RRTYPE_AAAA, no_dnssec_checking_disabled, + context, &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling AAAA lookup for %s: %s\n" , tas_hostname, getdns_get_errorstr_by_id(r)); } else diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index 4722e07f..4601f097 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -1733,7 +1733,6 @@ main(int argc, char **argv) if ((r = parse_args(argc, argv)) && r != CONTINUE) goto done_destroy_context; - fprintf(stderr, "resolvconf: %s\n", resolvconf); if (resolvconf) { if ((r = getdns_context_set_resolvconf(context, resolvconf))) { fprintf(stderr, "Problem initializing with resolvconf: %d\n", (int)r); From a63e5edb86a083c68daa66bcb21d7491f0b7d760 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 12:58:24 +0100 Subject: [PATCH 24/47] trust-anchor meta queries need to be done opportunistic too In anticipation of DANE authenticated upstreams --- src/anchor.c | 6 ++++-- src/request-internal.c | 22 +++++++++++++--------- src/types-internal.h | 2 +- 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/src/anchor.c b/src/anchor.c index c23320fe..31e0e6f0 100644 --- a/src/anchor.c +++ b/src/anchor.c @@ -1561,7 +1561,8 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) #if 1 context->a.state = TAS_LOOKUP_ADDRESSES; if ((r = _getdns_general_loop(context, loop, - tas_hostname, GETDNS_RRTYPE_A, no_dnssec_checking_disabled, + tas_hostname, GETDNS_RRTYPE_A, + no_dnssec_checking_disabled_opportunistic, context, &context->a.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling A lookup for %s: %s\n" , tas_hostname, getdns_get_errorstr_by_id(r)); @@ -1572,7 +1573,8 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) #if 1 context->aaaa.state = TAS_LOOKUP_ADDRESSES; if ((r = _getdns_general_loop(context, loop, - tas_hostname, GETDNS_RRTYPE_AAAA, no_dnssec_checking_disabled, + tas_hostname, GETDNS_RRTYPE_AAAA, + no_dnssec_checking_disabled_opportunistic, context, &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling AAAA lookup for %s: %s\n" , tas_hostname, getdns_get_errorstr_by_id(r)); diff --git a/src/request-internal.c b/src/request-internal.c index a819fea0..cc082039 100644 --- a/src/request-internal.c +++ b/src/request-internal.c @@ -84,11 +84,12 @@ getdns_dict dnssec_ok_checking_disabled_avoid_roadblocks_spc = { getdns_dict *dnssec_ok_checking_disabled_avoid_roadblocks = &dnssec_ok_checking_disabled_avoid_roadblocks_spc; -getdns_dict no_dnssec_checking_disabled_spc = { +getdns_dict no_dnssec_checking_disabled_opportunistic_spc = { { RBTREE_NULL, 0, (int (*)(const void *, const void *)) strcmp }, { NULL, {{ NULL, NULL, NULL }}} }; -getdns_dict *no_dnssec_checking_disabled = &no_dnssec_checking_disabled_spc; +getdns_dict *no_dnssec_checking_disabled_opportunistic + = &no_dnssec_checking_disabled_opportunistic_spc; static int is_extension_set(getdns_dict *extensions, const char *name, int default_value) @@ -100,7 +101,7 @@ is_extension_set(getdns_dict *extensions, const char *name, int default_value) || extensions == dnssec_ok_checking_disabled || extensions == dnssec_ok_checking_disabled_roadblock_avoidance || extensions == dnssec_ok_checking_disabled_avoid_roadblocks - || extensions == no_dnssec_checking_disabled) + || extensions == no_dnssec_checking_disabled_opportunistic) return 0; r = getdns_dict_get_int(extensions, name, &value); @@ -161,8 +162,8 @@ netreq_reset(getdns_network_req *net_req) static int network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, - uint16_t request_type, int checking_disabled, int with_opt, - int edns_maximum_udp_payload_size, + uint16_t request_type, int checking_disabled, int opportunistic, + int with_opt, int edns_maximum_udp_payload_size, uint8_t edns_extended_rcode, uint8_t edns_version, int edns_do_bit, uint16_t opt_options_size, size_t noptions, getdns_list *options, size_t wire_data_sz, size_t max_query_sz, getdns_dict *extensions) @@ -192,6 +193,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, owner->context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED && owner->context->dns_transport_count == 1 && owner->context->dns_transports[0] == GETDNS_TRANSPORT_TLS + && !opportunistic ? GETDNS_AUTHENTICATION_REQUIRED : GETDNS_AUTHENTICATION_NONE; @@ -769,8 +771,9 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, size_t max_query_sz, max_response_sz, netreq_sz, dnsreq_base_sz; uint8_t *region, *suffixes; int checking_disabled = dnssec_extension_set; + int opportunistic = 0; - if (extensions == no_dnssec_checking_disabled) { + if (extensions == no_dnssec_checking_disabled_opportunistic) { dnssec_return_status = 0; dnssec_return_only_secure = 0; dnssec_return_all_statuses = 0; @@ -783,6 +786,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, #endif extensions = NULL; checking_disabled = 1; + opportunistic = 1; } else if (extensions == dnssec_ok_checking_disabled || extensions == dnssec_ok_checking_disabled_roadblock_avoidance || extensions == dnssec_ok_checking_disabled_avoid_roadblocks) @@ -993,8 +997,8 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, result->chain = NULL; network_req_init(result->netreqs[0], result, - request_type, checking_disabled, with_opt, - edns_maximum_udp_payload_size, + request_type, checking_disabled, opportunistic, + with_opt, edns_maximum_udp_payload_size, edns_extended_rcode, edns_version, edns_do_bit, (uint16_t) opt_options_size, noptions, options, netreq_sz - sizeof(getdns_network_req), max_query_sz, @@ -1004,7 +1008,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, network_req_init(result->netreqs[1], result, ( request_type == GETDNS_RRTYPE_A ? GETDNS_RRTYPE_AAAA : GETDNS_RRTYPE_A ), - checking_disabled, with_opt, + checking_disabled, opportunistic, with_opt, edns_maximum_udp_payload_size, edns_extended_rcode, edns_version, edns_do_bit, (uint16_t) opt_options_size, noptions, options, diff --git a/src/types-internal.h b/src/types-internal.h index 6c6cf63a..3199b134 100644 --- a/src/types-internal.h +++ b/src/types-internal.h @@ -425,7 +425,7 @@ typedef struct getdns_dns_req { extern getdns_dict *dnssec_ok_checking_disabled; extern getdns_dict *dnssec_ok_checking_disabled_roadblock_avoidance; extern getdns_dict *dnssec_ok_checking_disabled_avoid_roadblocks; -extern getdns_dict *no_dnssec_checking_disabled; +extern getdns_dict *no_dnssec_checking_disabled_opportunistic; /* dns request utils */ getdns_dns_req *_getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, From 090b076d96e0de4533f726fbf94ed99ec8abde1e Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 13:08:24 +0100 Subject: [PATCH 25/47] Zero configuration DNSSEC meta queries on existing transports Should fix bug #356 --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index a1f0a48d..4639bcec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ * 201?-??-??: Version 1.?.? + * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the + context configured upstreams. * Report default extension settings with getdns_context_get_api_information() * getdns_context_set_resolvconf() function to initialize a context From 825e2fd15fec387a600c15d2d5731ecd831b9588 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 14:42:18 +0100 Subject: [PATCH 26/47] Bump version --- ChangeLog | 2 +- configure.ac | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 133ccbdb..e9066b9a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,4 @@ -* 201?-??-??: Version 1.?.? +* 2017-12-??: Version 1.2.2 * Bugfix #359: edns_client_subnet_private should set family Thanks Daniel Areiza diff --git a/configure.ac b/configure.ac index 01dcbdb9..c20070b0 100644 --- a/configure.ac +++ b/configure.ac @@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4) sinclude(./m4/ax_check_compile_flag.m4) sinclude(./m4/pkg.m4) -AC_INIT([getdns], [1.2.1], [team@getdnsapi.net], [getdns], [https://getdnsapi.net]) +AC_INIT([getdns], [1.2.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net]) # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian) # patched to do the same, but frequently (MacOS) not. So add a with option @@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir]) # Dont forget to put a dash in front of the release candidate!!! # That is how it is done with semantic versioning! # -AC_SUBST(RELEASE_CANDIDATE, []) +AC_SUBST(RELEASE_CANDIDATE, [-rc1]) # Set current date from system if not set AC_ARG_WITH([current-date], @@ -62,7 +62,7 @@ AC_ARG_WITH([current-date], [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"]) AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"]) -AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01020100]) +AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010201c1]) AC_SUBST(API_VERSION, ["December 2015"]) AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00]) GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API" @@ -99,8 +99,9 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE # getdns-1.1.3 had libversion 7:1:1 # getdns-1.2.0 had libversion 8:0:2 # getdns-1.2.1 has libversion 8:1:2 +# getdns-1.2.2 will have libversion 9:0:3 # -GETDNS_LIBVERSION=8:1:2 +GETDNS_LIBVERSION=9:0:3 AC_SUBST(GETDNS_COMPILATION_COMMENT) AC_SUBST(GETDNS_LIBVERSION) From d7864ee0df04665f59035ee96111bb34d531e155 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 14:52:49 +0100 Subject: [PATCH 27/47] Stubby disabling DNSSEC validation update --- stubby | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stubby b/stubby index d9bba5a0..4ad1f44a 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit d9bba5a018943abb548aa0795ef9c0529bc2c328 +Subproject commit 4ad1f44ae70044d083e36bd2fd0efb282c7d38c4 From d232353f93f1d1780b455ff55e670cbfda4cea06 Mon Sep 17 00:00:00 2001 From: Sara Dickinson Date: Wed, 13 Dec 2017 14:22:52 +0000 Subject: [PATCH 28/47] Update makefile because a file in Stubby was moved --- Makefile.in | 2 +- src/Makefile.in | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile.in b/Makefile.in index 1096dc3b..63216493 100644 --- a/Makefile.in +++ b/Makefile.in @@ -253,7 +253,7 @@ $(distdir): cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools cp $(srcdir)/stubby/stubby.yml.example $(distdir)/stubby - cp $(srcdir)/stubby/stubby-setdns-macos.sh $(distdir)/stubby + cp $(srcdir)/stubby/macos/stubby-setdns-macos.sh $(distdir)/stubby cp $(srcdir)/stubby/src/*.[ch] $(distdir)/stubby/src cp $(srcdir)/stubby/src/yaml/*.[ch] $(distdir)/stubby/src/yaml cp $(srcdir)/stubby/COPYING $(distdir)/stubby diff --git a/src/Makefile.in b/src/Makefile.in index a84dbf16..b37d296e 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -208,9 +208,9 @@ install-stubby-files-unix: $(stubbysrcdir)/stubby.yml.example test -f $(DESTDIR)$(stubbyconfdir)/stubby.yml || \ $(INSTALL_DATA) $(stubbysrcdir)/stubby.yml.example $(DESTDIR)$(stubbyconfdir)/stubby.yml -install-stubby-files-macos: $(stubbysrcdir)/stubby-setdns-macos.sh install-stubby-files-unix +install-stubby-files-macos: $(stubbysrcdir)/macos/stubby-setdns-macos.sh install-stubby-files-unix $(INSTALL) -m 755 -d $(DESTDIR)$(sbindir) - $(INSTALL) -m 755 $(stubbysrcdir)/stubby-setdns-macos.sh $(DESTDIR)$(sbindir) + $(INSTALL) -m 755 $(stubbysrcdir)/macos/stubby-setdns-macos.sh $(DESTDIR)$(sbindir) stubby.yml.windows: $(stubbysrcdir)/stubby.yml.example awk "{sub(/$$/,\"\r\")}1" $(stubbysrcdir)/stubby.yml.example > stubby.yml.windows From 9f566de65dfe7685d12925cf108abf64dfcaacb5 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 15:41:08 +0100 Subject: [PATCH 29/47] DNSSEC segfault issue --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 92ed4920..8d709265 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,8 @@ * GETDNS_RETURN_IO_ERROR return error code * Bugfix #359: edns_client_subnet_private should set family Thanks Daniel Areiza + * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC + validation. Thanks Bruno Pagani * 2017-11-11: Version 1.2.1 * Handle more I/O error cases. Also, when an I/O error does occur, From 0615457dfa57c7a79e9e584d0e2ac876679be1a6 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 15:43:36 +0100 Subject: [PATCH 30/47] Resolve constant conflict --- src/const-info.c | 8 ++++---- src/getdns/getdns_extra.h.in | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/const-info.c b/src/const-info.c index 9ffdba7c..41d1c091 100644 --- a/src/const-info.c +++ b/src/const-info.c @@ -89,8 +89,8 @@ static struct const_info consts_info[] = { { 628, "GETDNS_CONTEXT_CODE_APPDATA_DIR", GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT }, { 629, "GETDNS_CONTEXT_CODE_RESOLVCONF", GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT }, { 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT }, - { 630, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT }, - { 631, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT }, + { 631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT }, + { 632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, { 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT }, @@ -161,8 +161,8 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CALLBACK_TIMEOUT", 702 }, { "GETDNS_CONTEXT_CODE_APPDATA_DIR", 628 }, { "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 }, - { "GETDNS_CONTEXT_CODE_CAFILE", 631 }, - { "GETDNS_CONTEXT_CODE_CAPATH", 630 }, + { "GETDNS_CONTEXT_CODE_CAFILE", 632 }, + { "GETDNS_CONTEXT_CODE_CAPATH", 631 }, { "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 }, { "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 }, { "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 }, diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index 3fe0a2c3..1c88813b 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in @@ -94,9 +94,9 @@ extern "C" { #define GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT "Change related to getdns_context_set_resolvconf" #define GETDNS_CONTEXT_CODE_HOSTS 630 #define GETDNS_CONTEXT_CODE_HOSTS_TEXT "Change related to getdns_context_set_hosts" -#define GETDNS_CONTEXT_CODE_CAPATH 630 +#define GETDNS_CONTEXT_CODE_CAPATH 631 #define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath" -#define GETDNS_CONTEXT_CODE_CAFILE 631 +#define GETDNS_CONTEXT_CODE_CAFILE 632 #define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile" /** @} From fd16d7b5ebfc8018c1a1161a16e15029c527c41e Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 15:59:42 +0100 Subject: [PATCH 31/47] Bugfix in stubby.c (copy/paste error) --- stubby | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stubby b/stubby index 4ad1f44a..30403ec9 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit 4ad1f44ae70044d083e36bd2fd0efb282c7d38c4 +Subproject commit 30403ec9390aa23699cb9f0bd4dc1ca72399bccb From 2b5b59537fdf1ba75ecbd8be835a845980fbc75f Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 13 Dec 2017 16:33:37 +0100 Subject: [PATCH 32/47] Getting Stubby ready to merge PR #364 --- stubby | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stubby b/stubby index 30403ec9..3d0766f8 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit 30403ec9390aa23699cb9f0bd4dc1ca72399bccb +Subproject commit 3d0766f832368ff249020fc5101cca1a41a98620 From ac17d4ebedb10df4af3c997d38327721c7e8c623 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 14 Dec 2017 11:53:15 +0100 Subject: [PATCH 33/47] We need a specific install location for tests builds ... to not load default library --- .../200-stub-only-compile.pre | 2 +- .../300-event-loops-configure.test | 14 +++++++------- .../400-static-analysis.pre | 14 +++++++------- src/test/tpkg/clean.sh | 2 +- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre b/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre index 46686828..39b234eb 100644 --- a/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre +++ b/src/test/tpkg/200-stub-only-compile.tpkg/200-stub-only-compile.pre @@ -25,4 +25,4 @@ done rm -fr "${BUILDDIR}/build-stub-only" mkdir "${BUILDDIR}/build-stub-only" cd "${BUILDDIR}/build-stub-only" -"${SRCROOT}/configure" $* --enable-stub-only +"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install-stub-only" --enable-stub-only diff --git a/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test b/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test index 1169e337..90a6e580 100644 --- a/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test +++ b/src/test/tpkg/300-event-loops-configure.tpkg/300-event-loops-configure.test @@ -7,10 +7,10 @@ rm -fr "${BUILDDIR}/build-event-loops" mkdir "${BUILDDIR}/build-event-loops" cd "${BUILDDIR}/build-event-loops" -"${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libuv +"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libev \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libev \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libuv diff --git a/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre b/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre index a79bdeed..9a95798c 100644 --- a/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre +++ b/src/test/tpkg/400-static-analysis.tpkg/400-static-analysis.pre @@ -25,11 +25,11 @@ done rm -fr "${BUILDDIR}/build-static-analysis" mkdir "${BUILDDIR}/build-static-analysis" cd "${BUILDDIR}/build-static-analysis" -"${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev --with-libuv \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libevent \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libev \ - || "${SRCROOT}/configure" $* --enable-all-drafts --with-stubby --with-libuv +"${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libev \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libev --with-libuv \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libevent \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libev \ + || "${SRCROOT}/configure" $* --prefix "${BUILDDIR}/install" --enable-all-drafts --with-stubby --with-libuv diff --git a/src/test/tpkg/clean.sh b/src/test/tpkg/clean.sh index a405d5b0..cceccb47 100755 --- a/src/test/tpkg/clean.sh +++ b/src/test/tpkg/clean.sh @@ -3,5 +3,5 @@ export SRCDIR=`dirname $0` ( cd $SRCDIR ./tpkg clean - rm -fr build build-stub-only build-event-loops build-static-analysis install scan-build-reports .tpkg.var.master *.info Makefile + rm -fr build build-stub-only build-event-loops build-static-analysis install install-stub-only install-event-loops install-static-analysis scan-build-reports .tpkg.var.master *.info Makefile ) From 00d3232ba4d06989bb70a906d67742e5805f455b Mon Sep 17 00:00:00 2001 From: Sara Dickinson Date: Fri, 15 Dec 2017 14:12:04 +0000 Subject: [PATCH 34/47] Fix windows build --- src/context.c | 6 ++++-- src/tools/getdns_query.c | 8 ++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/context.c b/src/context.c index 959d43d0..46a89d97 100644 --- a/src/context.c +++ b/src/context.c @@ -4677,7 +4677,9 @@ _getdns_context_config_setting(getdns_context *context, CONTEXT_SETTING_STRING(trust_anchors_verify_CA) CONTEXT_SETTING_STRING(trust_anchors_verify_email) CONTEXT_SETTING_STRING(appdata_dir) +#ifndef USE_WINSOCK CONTEXT_SETTING_STRING(resolvconf) +#endif CONTEXT_SETTING_STRING(hosts) CONTEXT_SETTING_STRING(CApath) CONTEXT_SETTING_STRING(CAfile) @@ -5149,14 +5151,14 @@ getdns_context *_getdns_context_get_sys_ctxt( context->mf.mf.ext.free))) DEBUG_ANCHOR("Could not create system context: %s\n" , getdns_get_errorstr_by_id(r)); - +#ifndef USE_WINSOCK else if (*context->fchg_resolvconf.fn && (r = getdns_context_set_resolvconf( context->sys_ctxt, context->fchg_resolvconf.fn))) DEBUG_ANCHOR("Could initialize system context with resolvconf " "\"%s\": %s\n", context->fchg_resolvconf.fn , getdns_get_errorstr_by_id(r)); - +#endif else if (*context->fchg_hosts.fn && (r = getdns_context_set_hosts( context->sys_ctxt, context->fchg_hosts.fn))) diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index 4601f097..713783fc 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -91,7 +91,9 @@ static int async = 0, interactive = 0; static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL; static int bogus_answers = 0; static int check_dnssec = 0; +#ifndef USE_WINSOCK static char *resolvconf = NULL; +#endif static int print_api_info = 0, print_trust_anchors = 0; static int get_rrtype(const char *t) @@ -256,8 +258,10 @@ print_usage(FILE *out, const char *progname) fprintf(out, "\t\t(should look like '" EXAMPLE_PIN "')\n"); fprintf(out, "\t-m\tSet TLS authentication mode to REQUIRED\n"); fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n"); +#ifndef USE_WINSOCK fprintf(out, "\t-o \tSet resolver configuration file path\n"); fprintf(out, "\t\t(default = %s)\n", GETDNS_FN_RESOLVCONF); +#endif fprintf(out, "\t-p\tPretty print response dict (default)\n"); fprintf(out, "\t-P \tPad TLS queries to a multiple of blocksize\n" "\t\t(special values: 0: no padding, 1: sensible default policy)\n"); @@ -824,6 +828,7 @@ getdns_return_t parse_args(int argc, char **argv) getdns_context_set_tls_authentication(context, GETDNS_AUTHENTICATION_REQUIRED); break; +#ifndef USE_WINSOCK case 'o': if (c[1] != 0 || ++i >= argc || !*argv[i]) { fprintf(stderr, "" @@ -832,6 +837,7 @@ getdns_return_t parse_args(int argc, char **argv) } resolvconf = argv[i]; break; +#endif case 'P': if (c[1] != 0 || ++i >= argc || !*argv[i]) { fprintf(stderr, "tls_query_padding_blocksize " @@ -1733,6 +1739,7 @@ main(int argc, char **argv) if ((r = parse_args(argc, argv)) && r != CONTINUE) goto done_destroy_context; +#ifndef USE_WINSOCK if (resolvconf) { if ((r = getdns_context_set_resolvconf(context, resolvconf))) { fprintf(stderr, "Problem initializing with resolvconf: %d\n", (int)r); @@ -1741,6 +1748,7 @@ main(int argc, char **argv) if ((r = parse_args(argc, argv))) goto done_destroy_context; } +#endif if (print_api_info) { getdns_dict *api_information = getdns_context_get_api_information(context); From 65c7a738eb00d682a55e320ad43168e9baa19958 Mon Sep 17 00:00:00 2001 From: Pascal Ernster Date: Fri, 15 Dec 2017 20:01:30 +0000 Subject: [PATCH 35/47] Add support for TLS 1.3 and Chacha20-Poly1305 Add support for TLS 1.3 (requires OpenSSL 1.1.1) and Chacha20-Poly1305 (requires OpenSSL 1.1). Older OpenSSL versions will simply ignore ciphersuite specifications they don't understand and use the subset which they do unterstand. Note that "EECDH" does *not* select anonymous cipher suites (as opposed to "kECDHE"). --- src/context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/context.c b/src/context.c index 959d43d0..bf3427bb 100644 --- a/src/context.c +++ b/src/context.c @@ -3574,7 +3574,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context) # endif /* Be strict and only use the cipher suites recommended in RFC7525 Unless we later fallback to opportunistic. */ - const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM"; + const char* const PREFERRED_CIPHERS = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20"; if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS)) return GETDNS_RETURN_BAD_CONTEXT; /* For strict authentication, we must have local root certs available From d35fae50381cec8ce2df842e2e14f06db4fa2e18 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 20 Dec 2017 09:43:45 +0100 Subject: [PATCH 36/47] Bump version (to 1.3.0-rc2), update ChangeLog --- ChangeLog | 8 +++++--- configure.ac | 8 ++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8d709265..05c1d9c3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ -* 2017-12-??: Version 1.2.2 +* 2017-12-??: Version 1.3.0 + * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305 + Thanks Pascal Ernster * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the - context configured upstreams. + context configured upstreams. Thanks Andreas Schulze * Report default extension settings with getdns_context_get_api_information() * Specify locations at which CA certificates for verification purposes @@ -17,7 +19,7 @@ when available with getdns_context_get_api_information() * GETDNS_RETURN_IO_ERROR return error code * Bugfix #359: edns_client_subnet_private should set family - Thanks Daniel Areiza + Thanks Daniel Areiza & Andreas Schulze * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC validation. Thanks Bruno Pagani diff --git a/configure.ac b/configure.ac index 755f9210..4bca695d 100644 --- a/configure.ac +++ b/configure.ac @@ -36,7 +36,7 @@ sinclude(./m4/acx_getaddrinfo.m4) sinclude(./m4/ax_check_compile_flag.m4) sinclude(./m4/pkg.m4) -AC_INIT([getdns], [1.2.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net]) +AC_INIT([getdns], [1.3.0], [team@getdnsapi.net], [getdns], [https://getdnsapi.net]) # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian) # patched to do the same, but frequently (MacOS) not. So add a with option @@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir]) # Dont forget to put a dash in front of the release candidate!!! # That is how it is done with semantic versioning! # -AC_SUBST(RELEASE_CANDIDATE, [-rc1]) +AC_SUBST(RELEASE_CANDIDATE, [-rc2]) # Set current date from system if not set AC_ARG_WITH([current-date], @@ -62,7 +62,7 @@ AC_ARG_WITH([current-date], [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"]) AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"]) -AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010201c1]) +AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010201c2]) AC_SUBST(API_VERSION, ["December 2015"]) AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00]) GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API" @@ -99,7 +99,7 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE # getdns-1.1.3 had libversion 7:1:1 # getdns-1.2.0 had libversion 8:0:2 # getdns-1.2.1 has libversion 8:1:2 -# getdns-1.2.2 will have libversion 9:0:3 +# getdns-1.3.0 will have libversion 9:0:3 # GETDNS_LIBVERSION=9:0:3 From 2bd5df495973f6c94e4e366052e5e660502b3905 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 20 Dec 2017 09:53:11 +0100 Subject: [PATCH 37/47] Update to Stubby v0.2.1 --- stubby | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stubby b/stubby index 3d0766f8..f0b33045 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit 3d0766f832368ff249020fc5101cca1a41a98620 +Subproject commit f0b330454b95a07106af33b1869b7cd18cfaebf2 From 7fe3bd6a1fb5f346b99ab33ea88bc2841628429f Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Wed, 20 Dec 2017 13:13:02 +0100 Subject: [PATCH 38/47] getdns_context_set_ciphers_list() --- ChangeLog | 2 ++ src/const-info.c | 2 ++ src/context.c | 49 +++++++++++++++++++++++++++++++----- src/context.h | 1 + src/getdns/getdns_extra.h.in | 25 ++++++++++++++++++ src/libgetdns.symbols | 2 ++ 6 files changed, 75 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 05c1d9c3..503db698 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ * 2017-12-??: Version 1.3.0 + * Specify available cipher suites for authenticated TLS upstreams + with getdns_context_set_ciphers_list() * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305 Thanks Pascal Ernster * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the diff --git a/src/const-info.c b/src/const-info.c index 41d1c091..1cd30020 100644 --- a/src/const-info.c +++ b/src/const-info.c @@ -91,6 +91,7 @@ static struct const_info consts_info[] = { { 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT }, { 631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT }, { 632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT }, + { 633, "GETDNS_CONTEXT_CODE_CIPHER_LIST", GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, { 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT }, @@ -163,6 +164,7 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 }, { "GETDNS_CONTEXT_CODE_CAFILE", 632 }, { "GETDNS_CONTEXT_CODE_CAPATH", 631 }, + { "GETDNS_CONTEXT_CODE_CIPHER_LIST", 633 }, { "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 }, { "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 }, { "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 }, diff --git a/src/context.c b/src/context.c index 7f7d393a..90a35beb 100644 --- a/src/context.c +++ b/src/context.c @@ -1377,11 +1377,11 @@ static void _getdns_check_expired_pending_netreqs_cb(void *arg) _getdns_check_expired_pending_netreqs((getdns_context *)arg, &now_ms); } -static const char *_getdns_default_trust_anchors_url = +static char const * const _getdns_default_trust_anchors_url = "http://data.iana.org/root-anchors/root-anchors.xml"; /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */ -static const char *_getdns_default_trust_anchors_verify_CA = +static char const * const _getdns_default_trust_anchors_verify_CA = "-----BEGIN CERTIFICATE-----\n" "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n" "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n" @@ -1404,9 +1404,12 @@ static const char *_getdns_default_trust_anchors_verify_CA = "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n" "-----END CERTIFICATE-----\n"; -static const char *_getdns_default_trust_anchors_verify_email = +static char const * const _getdns_default_trust_anchors_verify_email = "dnssec@iana.org"; +static char const * const _getdns_default_cipher_list = + "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:" + "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20"; /* * getdns_context_create @@ -1515,6 +1518,7 @@ getdns_context_create_with_extended_memory_functions( result->appdata_dir = NULL; result->CApath = NULL; result->CAfile = NULL; + result->cipher_list = NULL; (void) memset(&result->root_ksk, 0, sizeof(result->root_ksk)); @@ -1783,7 +1787,8 @@ getdns_context_destroy(struct getdns_context *context) GETDNS_FREE(context->mf, context->CApath); if (context->CAfile) GETDNS_FREE(context->mf, context->CAfile); - + if (context->cipher_list) + GETDNS_FREE(context->mf, context->cipher_list); #ifdef USE_WINSOCK WSACleanup(); @@ -3574,8 +3579,9 @@ _getdns_context_prepare_for_resolution(getdns_context *context) # endif /* Be strict and only use the cipher suites recommended in RFC7525 Unless we later fallback to opportunistic. */ - const char* const PREFERRED_CIPHERS = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20"; - if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS)) + if (!SSL_CTX_set_cipher_list(context->tls_ctx, + context->cipher_list ? context->cipher_list + : _getdns_default_cipher_list)) return GETDNS_RETURN_BAD_CONTEXT; /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/ @@ -3891,6 +3897,8 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "CApath", str_value); if (!getdns_context_get_CAfile(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "CAfile", str_value); + if (!getdns_context_get_cipher_list(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "cipher_list", str_value); /* Default settings for extensions */ (void)getdns_dict_set_int( @@ -4683,6 +4691,7 @@ _getdns_context_config_setting(getdns_context *context, CONTEXT_SETTING_STRING(hosts) CONTEXT_SETTING_STRING(CApath) CONTEXT_SETTING_STRING(CAfile) + CONTEXT_SETTING_STRING(cipher_list) /**************************************/ /**** ****/ @@ -5233,4 +5242,32 @@ getdns_context_get_CAfile(getdns_context *context, const char **CAfile) return GETDNS_RETURN_GOOD; } +getdns_return_t +getdns_context_set_cipher_list(getdns_context *context, const char *cipher_list) +{ + if (!context) + return GETDNS_RETURN_INVALID_PARAMETER; + if (context->cipher_list) + GETDNS_FREE(context->mf, context->cipher_list); + context->cipher_list = cipher_list + ? _getdns_strdup(&context->mf, cipher_list) + : NULL; + + dispatch_updated(context, GETDNS_CONTEXT_CODE_CIPHER_LIST); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list) +{ + if (!context || !cipher_list) + return GETDNS_RETURN_INVALID_PARAMETER; + + *cipher_list = context->cipher_list + ? context->cipher_list + : _getdns_default_cipher_list; + return GETDNS_RETURN_GOOD; +} + + /* context.c */ diff --git a/src/context.h b/src/context.h index 12c29356..fe1ba18c 100644 --- a/src/context.h +++ b/src/context.h @@ -345,6 +345,7 @@ struct getdns_context { char *CApath; char *CAfile; + char *cipher_list; getdns_upstreams *upstreams; uint16_t limit_outstanding_queries; diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index 1c88813b..9f949f72 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in @@ -98,6 +98,8 @@ extern "C" { #define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath" #define GETDNS_CONTEXT_CODE_CAFILE 632 #define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile" +#define GETDNS_CONTEXT_CODE_CIPHER_LIST 633 +#define GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT "Change related to getdns_context_set_cipher_list" /** @} */ @@ -739,6 +741,17 @@ getdns_context_set_CApath(getdns_context *context, const char *CApath); getdns_return_t getdns_context_set_CAfile(getdns_context *context, const char *CAfile); +/** + * Sets the list of available ciphers for authenticated TLS upstreams. + * @see getdns_context_get_cipher_list + * @param[in] context The context to configure + * @param[in] cipher_list The cipher list + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_set_cipher_list(getdns_context *context, const char *CAfile); + /** * Get the current resolution type setting from this context. * @see getdns_context_set_resolution_type @@ -1246,6 +1259,18 @@ getdns_context_get_CApath(getdns_context *context, const char **CApath); getdns_return_t getdns_context_get_CAfile(getdns_context *context, const char **CAfile); +/** + * Get the list of available ciphers for authenticated TLS upstreams. + * @see getdns_context_set_cipher_list + * @param[in] context The context configure + * @param[out] cipher_list The cipher list + * @return GETDNS_RETURN_GOOD when successful + * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. + */ +getdns_return_t +getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list); + + /** @} */ diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols index 1dadfa45..35d2761f 100644 --- a/src/libgetdns.symbols +++ b/src/libgetdns.symbols @@ -11,6 +11,7 @@ getdns_context_get_CAfile getdns_context_get_CApath getdns_context_get_api_information getdns_context_get_append_name +getdns_context_get_cipher_list getdns_context_get_dns_root_servers getdns_context_get_dns_transport getdns_context_get_dns_transport_list @@ -48,6 +49,7 @@ getdns_context_set_CAfile getdns_context_set_CApath getdns_context_set_appdata_dir getdns_context_set_append_name +getdns_context_set_cipher_list getdns_context_set_context_update_callback getdns_context_set_dns_root_servers getdns_context_set_dns_transport From 8f88981efe16a299f9a83c7d81513058c02c8e2a Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 11:35:05 +0100 Subject: [PATCH 39/47] rename set_cipher_list() to set_tls_cipher_list() --- ChangeLog | 2 +- src/const-info.c | 4 ++-- src/context.c | 44 +++++++++++++++++++----------------- src/context.h | 2 +- src/getdns/getdns_extra.h.in | 14 +++++++----- src/libgetdns.symbols | 4 ++-- 6 files changed, 37 insertions(+), 33 deletions(-) diff --git a/ChangeLog b/ChangeLog index 503db698..94c09909 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ * 2017-12-??: Version 1.3.0 * Specify available cipher suites for authenticated TLS upstreams - with getdns_context_set_ciphers_list() + with getdns_context_set_tls_ciphers_list() * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305 Thanks Pascal Ernster * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the diff --git a/src/const-info.c b/src/const-info.c index 1cd30020..28f6ff60 100644 --- a/src/const-info.c +++ b/src/const-info.c @@ -91,7 +91,7 @@ static struct const_info consts_info[] = { { 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT }, { 631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT }, { 632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT }, - { 633, "GETDNS_CONTEXT_CODE_CIPHER_LIST", GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT }, + { 633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, { 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT }, @@ -164,7 +164,6 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 }, { "GETDNS_CONTEXT_CODE_CAFILE", 632 }, { "GETDNS_CONTEXT_CODE_CAPATH", 631 }, - { "GETDNS_CONTEXT_CODE_CIPHER_LIST", 633 }, { "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 }, { "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 }, { "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 }, @@ -188,6 +187,7 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CONTEXT_CODE_TIMEOUT", 616 }, { "GETDNS_CONTEXT_CODE_TLS_AUTHENTICATION", 618 }, { "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 }, + { "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 }, { "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 }, { "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 }, { "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 }, diff --git a/src/context.c b/src/context.c index 90a35beb..973f577b 100644 --- a/src/context.c +++ b/src/context.c @@ -1407,7 +1407,7 @@ static char const * const _getdns_default_trust_anchors_verify_CA = static char const * const _getdns_default_trust_anchors_verify_email = "dnssec@iana.org"; -static char const * const _getdns_default_cipher_list = +static char const * const _getdns_default_tls_cipher_list = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:" "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20"; @@ -1518,7 +1518,7 @@ getdns_context_create_with_extended_memory_functions( result->appdata_dir = NULL; result->CApath = NULL; result->CAfile = NULL; - result->cipher_list = NULL; + result->tls_cipher_list = NULL; (void) memset(&result->root_ksk, 0, sizeof(result->root_ksk)); @@ -1787,8 +1787,8 @@ getdns_context_destroy(struct getdns_context *context) GETDNS_FREE(context->mf, context->CApath); if (context->CAfile) GETDNS_FREE(context->mf, context->CAfile); - if (context->cipher_list) - GETDNS_FREE(context->mf, context->cipher_list); + if (context->tls_cipher_list) + GETDNS_FREE(context->mf, context->tls_cipher_list); #ifdef USE_WINSOCK WSACleanup(); @@ -3580,8 +3580,8 @@ _getdns_context_prepare_for_resolution(getdns_context *context) /* Be strict and only use the cipher suites recommended in RFC7525 Unless we later fallback to opportunistic. */ if (!SSL_CTX_set_cipher_list(context->tls_ctx, - context->cipher_list ? context->cipher_list - : _getdns_default_cipher_list)) + context->tls_cipher_list ? context->tls_cipher_list + : _getdns_default_tls_cipher_list)) return GETDNS_RETURN_BAD_CONTEXT; /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/ @@ -3897,8 +3897,8 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "CApath", str_value); if (!getdns_context_get_CAfile(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "CAfile", str_value); - if (!getdns_context_get_cipher_list(context, &str_value) && str_value) - (void) getdns_dict_util_set_string(result, "cipher_list", str_value); + if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value); /* Default settings for extensions */ (void)getdns_dict_set_int( @@ -4691,7 +4691,7 @@ _getdns_context_config_setting(getdns_context *context, CONTEXT_SETTING_STRING(hosts) CONTEXT_SETTING_STRING(CApath) CONTEXT_SETTING_STRING(CAfile) - CONTEXT_SETTING_STRING(cipher_list) + CONTEXT_SETTING_STRING(tls_cipher_list) /**************************************/ /**** ****/ @@ -5243,29 +5243,31 @@ getdns_context_get_CAfile(getdns_context *context, const char **CAfile) } getdns_return_t -getdns_context_set_cipher_list(getdns_context *context, const char *cipher_list) +getdns_context_set_tls_cipher_list( + getdns_context *context, const char *tls_cipher_list) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; - if (context->cipher_list) - GETDNS_FREE(context->mf, context->cipher_list); - context->cipher_list = cipher_list - ? _getdns_strdup(&context->mf, cipher_list) - : NULL; + if (context->tls_cipher_list) + GETDNS_FREE(context->mf, context->tls_cipher_list); + context->tls_cipher_list = tls_cipher_list + ? _getdns_strdup(&context->mf, tls_cipher_list) + : NULL; - dispatch_updated(context, GETDNS_CONTEXT_CODE_CIPHER_LIST); + dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST); return GETDNS_RETURN_GOOD; } getdns_return_t -getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list) +getdns_context_get_tls_cipher_list( + getdns_context *context, const char **tls_cipher_list) { - if (!context || !cipher_list) + if (!context || !tls_cipher_list) return GETDNS_RETURN_INVALID_PARAMETER; - *cipher_list = context->cipher_list - ? context->cipher_list - : _getdns_default_cipher_list; + *tls_cipher_list = context->tls_cipher_list + ? context->tls_cipher_list + : _getdns_default_tls_cipher_list; return GETDNS_RETURN_GOOD; } diff --git a/src/context.h b/src/context.h index fe1ba18c..beab21ac 100644 --- a/src/context.h +++ b/src/context.h @@ -345,7 +345,7 @@ struct getdns_context { char *CApath; char *CAfile; - char *cipher_list; + char *tls_cipher_list; getdns_upstreams *upstreams; uint16_t limit_outstanding_queries; diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index 9f949f72..fd353ef4 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in @@ -98,8 +98,8 @@ extern "C" { #define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath" #define GETDNS_CONTEXT_CODE_CAFILE 632 #define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile" -#define GETDNS_CONTEXT_CODE_CIPHER_LIST 633 -#define GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT "Change related to getdns_context_set_cipher_list" +#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST 633 +#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list" /** @} */ @@ -743,14 +743,15 @@ getdns_context_set_CAfile(getdns_context *context, const char *CAfile); /** * Sets the list of available ciphers for authenticated TLS upstreams. - * @see getdns_context_get_cipher_list + * @see getdns_context_get_tls_cipher_list * @param[in] context The context to configure * @param[in] cipher_list The cipher list * @return GETDNS_RETURN_GOOD when successful * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. */ getdns_return_t -getdns_context_set_cipher_list(getdns_context *context, const char *CAfile); +getdns_context_set_tls_cipher_list( + getdns_context *context, const char *cipher_list); /** * Get the current resolution type setting from this context. @@ -1261,14 +1262,15 @@ getdns_context_get_CAfile(getdns_context *context, const char **CAfile); /** * Get the list of available ciphers for authenticated TLS upstreams. - * @see getdns_context_set_cipher_list + * @see getdns_context_set_tls_cipher_list * @param[in] context The context configure * @param[out] cipher_list The cipher list * @return GETDNS_RETURN_GOOD when successful * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. */ getdns_return_t -getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list); +getdns_context_get_tls_cipher_list( + getdns_context *context, const char **cipher_list); /** @} diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols index 35d2761f..2c67564f 100644 --- a/src/libgetdns.symbols +++ b/src/libgetdns.symbols @@ -11,7 +11,6 @@ getdns_context_get_CAfile getdns_context_get_CApath getdns_context_get_api_information getdns_context_get_append_name -getdns_context_get_cipher_list getdns_context_get_dns_root_servers getdns_context_get_dns_transport getdns_context_get_dns_transport_list @@ -36,6 +35,7 @@ getdns_context_get_suffix getdns_context_get_timeout getdns_context_get_tls_authentication getdns_context_get_tls_backoff_time +getdns_context_get_tls_cipher_list getdns_context_get_tls_connection_retries getdns_context_get_tls_query_padding_blocksize getdns_context_get_trust_anchors_url @@ -49,7 +49,6 @@ getdns_context_set_CAfile getdns_context_set_CApath getdns_context_set_appdata_dir getdns_context_set_append_name -getdns_context_set_cipher_list getdns_context_set_context_update_callback getdns_context_set_dns_root_servers getdns_context_set_dns_transport @@ -79,6 +78,7 @@ getdns_context_set_suffix getdns_context_set_timeout getdns_context_set_tls_authentication getdns_context_set_tls_backoff_time +getdns_context_set_tls_cipher_list getdns_context_set_tls_connection_retries getdns_context_set_tls_query_padding_blocksize getdns_context_set_trust_anchors_url From ae38a29a5082632c8567d660bb26c0eeb7fc3751 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 12:30:15 +0100 Subject: [PATCH 40/47] Upstream specific tls_cipher_list's --- ChangeLog | 7 +++++-- src/context.c | 44 ++++++++++++++++++++++++++++++++++-------- src/context.h | 3 +-- src/getdns/getdns.h.in | 2 ++ src/stub.c | 5 ++++- 5 files changed, 48 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 94c09909..74e977dc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ * 2017-12-??: Version 1.3.0 - * Specify available cipher suites for authenticated TLS upstreams - with getdns_context_set_tls_ciphers_list() + * Specify default available cipher suites for authenticated TLS + upstreams with getdns_context_set_tls_ciphers_list() + An upstream specific available cipher suite may also be given + with the tls_cipher_list setting in the upstream dict with + getdns_context_set_upstream_recursive_servers() * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305 Thanks Pascal Ernster * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the diff --git a/src/context.c b/src/context.c index 973f577b..b50dff1a 100644 --- a/src/context.c +++ b/src/context.c @@ -165,6 +165,17 @@ static void set_ub_dnssec_allowed_skew(struct getdns_context*, uint32_t); /* Stuff to make it compile pedantically */ #define RETURN_IF_NULL(ptr, code) if(ptr == NULL) return code; +static char * +_getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s) +{ + char *r; + if (!s || !(r = GETDNS_XMALLOC(*mfs, char, s->size + 1))) + return NULL; + else { + r[s->size] = '\0'; + return memcpy(r, s, s->size); + } +} #ifdef USE_WINSOCK /* For windows, the CA trust store is not read by openssl. @@ -723,6 +734,8 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams) pin = nextpin; } upstream->tls_pubkey_pinset = NULL; + if (upstream->tls_cipher_list) + GETDNS_FREE(upstreams->mf, upstream->tls_cipher_list); } GETDNS_FREE(upstreams->mf, upstreams); } @@ -1006,6 +1019,7 @@ upstream_init(getdns_upstream *upstream, upstream->fd = -1; upstream->tls_obj = NULL; upstream->tls_session = NULL; + upstream->tls_cipher_list = NULL; upstream->transport = GETDNS_TRANSPORT_TCP; upstream->tls_hs_state = GETDNS_HS_NONE; upstream->tls_auth_name[0] = '\0'; @@ -2977,16 +2991,19 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, upstream->addr.ss_family = addr.ss_family; upstream_init(upstream, upstreams, ai); upstream->transport = getdns_upstream_transports[j]; - if (getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) { + if (dict && getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) { getdns_list *pubkey_pinset = NULL; - if (dict && (r = getdns_dict_get_bindata( + getdns_bindata *tls_cipher_list = NULL; + + if ((r = getdns_dict_get_bindata( dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) { if (tls_auth_name->size >= sizeof(upstream->tls_auth_name)) { - /* tls_auth_name's are just - * domain names and should - * thus not be larger than 256 - * bytes. + /* tls_auth_name's are + * domain names in presentation + * format and, taking escaping + * into account, should not + * be larger than 1024 bytes. */ goto invalid_parameter; } @@ -2996,7 +3013,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, upstream->tls_auth_name [tls_auth_name->size] = '\0'; } - if (dict && (r = getdns_dict_get_list(dict, "tls_pubkey_pinset", + if ((r = getdns_dict_get_list(dict, "tls_pubkey_pinset", &pubkey_pinset)) == GETDNS_RETURN_GOOD) { /* TODO: what if the user supplies tls_pubkey_pinset with * something other than a list? */ @@ -3006,6 +3023,12 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, if (r != GETDNS_RETURN_GOOD) goto invalid_parameter; } + (void) getdns_dict_get_bindata( + dict, "tls_cipher_list", &tls_cipher_list); + upstream->tls_cipher_list = tls_cipher_list + ? _getdns_strdup2(&upstreams->mf + , tls_cipher_list) + : NULL; } if ((upstream->tsig_alg = tsig_alg)) { if (tsig_name) { @@ -3631,7 +3654,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context) return r; } /* _getdns_context_prepare_for_resolution */ -char * +static char * _getdns_strdup(const struct mem_funcs *mfs, const char *s) { size_t sz; @@ -4483,6 +4506,11 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context, break; } } + if (upstream->tls_cipher_list) { + (void) getdns_dict_util_set_string( + d, "tls_cipher_list", + upstream->tls_cipher_list); + } } } if (!r) diff --git a/src/context.h b/src/context.h index beab21ac..86f40b03 100644 --- a/src/context.h +++ b/src/context.h @@ -205,6 +205,7 @@ typedef struct getdns_upstream { getdns_tls_hs_state_t tls_hs_state; getdns_auth_state_t tls_auth_state; unsigned tls_fallback_ok : 1; + char *tls_cipher_list; /* Auth credentials*/ char tls_auth_name[256]; sha256_pin_t *tls_pubkey_pinset; @@ -528,8 +529,6 @@ void _getdns_context_cancel_request(getdns_dns_req *dnsreq); */ void _getdns_context_request_timed_out(getdns_dns_req *dnsreq); -char *_getdns_strdup(const struct mem_funcs *mfs, const char *str); - struct getdns_bindata *_getdns_bindata_copy( struct mem_funcs *mfs, size_t size, const uint8_t *data); diff --git a/src/getdns/getdns.h.in b/src/getdns/getdns.h.in index 4732a4a3..788f0d94 100644 --- a/src/getdns/getdns.h.in +++ b/src/getdns/getdns.h.in @@ -1687,6 +1687,8 @@ getdns_context_set_dnssec_allowed_skew(getdns_context *context, * - `value` A SHA256 hash of the `SubjectPublicKeyInfo` * of the upstream, which will be used to authenticate * it. + * - `tls_cipher_list` (a bindata) that is the string + * of available ciphers specific for this upstream. * @return GETDNS_RETURN_GOOD when successful. * @return GETDNS_RETURN_INVALID_PARAMETER when `context` or `upstream_list` was `NULL` * @return GETDNS_RETURN_CONTEXT_UPDATE_FAIL when there were problems parsing diff --git a/src/stub.c b/src/stub.c index d8da9a9c..07f22fcd 100644 --- a/src/stub.c +++ b/src/stub.c @@ -986,9 +986,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) SSL_set_cipher_list(ssl, "DEFAULT"); DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n", STUB_DEBUG_SETUP_TLS, __FUNC__); - } else + } else { + if (upstream->tls_cipher_list) + SSL_set_cipher_list(ssl, upstream->tls_cipher_list); DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, __FUNC__); + } SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback); SSL_set_connect_state(ssl); From 97cc67d026d62bb3b4a91527adf491f553d57013 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 13:08:01 +0100 Subject: [PATCH 41/47] s/CApath/tls_ca_path/g s/CAfile/tls_ca_file/g --- ChangeLog | 3 +- src/const-info.c | 8 ++--- src/context.c | 64 ++++++++++++++++++------------------ src/context.h | 4 +-- src/getdns/getdns_extra.h.in | 40 +++++++++++----------- src/libgetdns.symbols | 8 ++--- 6 files changed, 64 insertions(+), 63 deletions(-) diff --git a/ChangeLog b/ChangeLog index 74e977dc..7f9f8eb1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,7 +11,8 @@ * Report default extension settings with getdns_context_get_api_information() * Specify locations at which CA certificates for verification purposes - are located: getdns_context_set_CApath() getdns_context_set_CAfile() + are located: getdns_context_set_tls_ca_path() + getdns_context_set_tls_ca_file() * getdns_context_set_resolvconf() function to initialize a context upstreams and suffices with a resolv.conf file. getdns_context_get_resolvconf() to get the file used to initialize diff --git a/src/const-info.c b/src/const-info.c index 28f6ff60..d8e61f47 100644 --- a/src/const-info.c +++ b/src/const-info.c @@ -89,8 +89,8 @@ static struct const_info consts_info[] = { { 628, "GETDNS_CONTEXT_CODE_APPDATA_DIR", GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT }, { 629, "GETDNS_CONTEXT_CODE_RESOLVCONF", GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT }, { 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT }, - { 631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT }, - { 632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT }, + { 631, "GETDNS_CONTEXT_CODE_TLS_CA_PATH", GETDNS_CONTEXT_CODE_TLS_CA_PATH_TEXT }, + { 632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT }, { 633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, @@ -162,8 +162,6 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CALLBACK_TIMEOUT", 702 }, { "GETDNS_CONTEXT_CODE_APPDATA_DIR", 628 }, { "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 }, - { "GETDNS_CONTEXT_CODE_CAFILE", 632 }, - { "GETDNS_CONTEXT_CODE_CAPATH", 631 }, { "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 }, { "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 }, { "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 }, @@ -187,6 +185,8 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CONTEXT_CODE_TIMEOUT", 616 }, { "GETDNS_CONTEXT_CODE_TLS_AUTHENTICATION", 618 }, { "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 }, + { "GETDNS_CONTEXT_CODE_TLS_CA_FILE", 632 }, + { "GETDNS_CONTEXT_CODE_TLS_CA_PATH", 631 }, { "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 }, { "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 }, { "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 }, diff --git a/src/context.c b/src/context.c index b50dff1a..c1e0d7c5 100644 --- a/src/context.c +++ b/src/context.c @@ -1530,8 +1530,8 @@ getdns_context_create_with_extended_memory_functions( result->trust_anchors_verify_email = NULL; result->trust_anchors_verify_CA = NULL; result->appdata_dir = NULL; - result->CApath = NULL; - result->CAfile = NULL; + result->tls_ca_path = NULL; + result->tls_ca_file = NULL; result->tls_cipher_list = NULL; (void) memset(&result->root_ksk, 0, sizeof(result->root_ksk)); @@ -1797,10 +1797,10 @@ getdns_context_destroy(struct getdns_context *context) , context->trust_anchors_verify_email); if (context->appdata_dir) GETDNS_FREE(context->mf, context->appdata_dir); - if (context->CApath) - GETDNS_FREE(context->mf, context->CApath); - if (context->CAfile) - GETDNS_FREE(context->mf, context->CAfile); + if (context->tls_ca_path) + GETDNS_FREE(context->mf, context->tls_ca_path); + if (context->tls_ca_file) + GETDNS_FREE(context->mf, context->tls_ca_file); if (context->tls_cipher_list) GETDNS_FREE(context->mf, context->tls_cipher_list); @@ -3608,9 +3608,9 @@ _getdns_context_prepare_for_resolution(getdns_context *context) return GETDNS_RETURN_BAD_CONTEXT; /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/ - if ((context->CAfile || context->CApath) && + if ((context->tls_ca_file || context->tls_ca_path) && SSL_CTX_load_verify_locations(context->tls_ctx - , context->CAfile, context->CApath)) + , context->tls_ca_file, context->tls_ca_path)) ; /* pass */ # ifndef USE_WINSOCK else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { @@ -3916,10 +3916,10 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "resolvconf", str_value); if (!getdns_context_get_hosts(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "hosts", str_value); - if (!getdns_context_get_CApath(context, &str_value) && str_value) - (void) getdns_dict_util_set_string(result, "CApath", str_value); - if (!getdns_context_get_CAfile(context, &str_value) && str_value) - (void) getdns_dict_util_set_string(result, "CAfile", str_value); + if (!getdns_context_get_tls_ca_path(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "tls_ca_path", str_value); + if (!getdns_context_get_tls_ca_file(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "tls_ca_file", str_value); if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value); @@ -4717,8 +4717,8 @@ _getdns_context_config_setting(getdns_context *context, CONTEXT_SETTING_STRING(resolvconf) #endif CONTEXT_SETTING_STRING(hosts) - CONTEXT_SETTING_STRING(CApath) - CONTEXT_SETTING_STRING(CAfile) + CONTEXT_SETTING_STRING(tls_ca_path) + CONTEXT_SETTING_STRING(tls_ca_file) CONTEXT_SETTING_STRING(tls_cipher_list) /**************************************/ @@ -5225,48 +5225,48 @@ getdns_context *_getdns_context_get_sys_ctxt( } getdns_return_t -getdns_context_set_CApath(getdns_context *context, const char *CApath) +getdns_context_set_tls_ca_path(getdns_context *context, const char *tls_ca_path) { - if (!context || !CApath) + if (!context || !tls_ca_path) return GETDNS_RETURN_INVALID_PARAMETER; - if (context->CApath) - GETDNS_FREE(context->mf, context->CApath); - context->CApath = _getdns_strdup(&context->mf, CApath); + if (context->tls_ca_path) + GETDNS_FREE(context->mf, context->tls_ca_path); + context->tls_ca_path = _getdns_strdup(&context->mf, tls_ca_path); - dispatch_updated(context, GETDNS_CONTEXT_CODE_CAPATH); + dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CA_PATH); return GETDNS_RETURN_GOOD; } getdns_return_t -getdns_context_get_CApath(getdns_context *context, const char **CApath) +getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path) { - if (!context || !CApath) + if (!context || !tls_ca_path) return GETDNS_RETURN_INVALID_PARAMETER; - *CApath = context->CApath; + *tls_ca_path = context->tls_ca_path; return GETDNS_RETURN_GOOD; } getdns_return_t -getdns_context_set_CAfile(getdns_context *context, const char *CAfile) +getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file) { - if (!context || !CAfile) + if (!context || !tls_ca_file) return GETDNS_RETURN_INVALID_PARAMETER; - if (context->CAfile) - GETDNS_FREE(context->mf, context->CAfile); - context->CAfile = _getdns_strdup(&context->mf, CAfile); + if (context->tls_ca_file) + GETDNS_FREE(context->mf, context->tls_ca_file); + context->tls_ca_file = _getdns_strdup(&context->mf, tls_ca_file); - dispatch_updated(context, GETDNS_CONTEXT_CODE_CAFILE); + dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CA_FILE); return GETDNS_RETURN_GOOD; } getdns_return_t -getdns_context_get_CAfile(getdns_context *context, const char **CAfile) +getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file) { - if (!context || !CAfile) + if (!context || !tls_ca_file) return GETDNS_RETURN_INVALID_PARAMETER; - *CAfile = context->CAfile; + *tls_ca_file = context->tls_ca_file; return GETDNS_RETURN_GOOD; } diff --git a/src/context.h b/src/context.h index 86f40b03..b4319403 100644 --- a/src/context.h +++ b/src/context.h @@ -344,8 +344,8 @@ struct getdns_context { char *appdata_dir; _getdns_property can_write_appdata; - char *CApath; - char *CAfile; + char *tls_ca_path; + char *tls_ca_file; char *tls_cipher_list; getdns_upstreams *upstreams; diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index fd353ef4..f8cec882 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in @@ -94,10 +94,10 @@ extern "C" { #define GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT "Change related to getdns_context_set_resolvconf" #define GETDNS_CONTEXT_CODE_HOSTS 630 #define GETDNS_CONTEXT_CODE_HOSTS_TEXT "Change related to getdns_context_set_hosts" -#define GETDNS_CONTEXT_CODE_CAPATH 631 -#define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath" -#define GETDNS_CONTEXT_CODE_CAFILE 632 -#define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile" +#define GETDNS_CONTEXT_CODE_TLS_CA_PATH 631 +#define GETDNS_CONTEXT_CODE_TLS_CA_PATH_TEXT "Change related to getdns_context_set_tls_ca_path" +#define GETDNS_CONTEXT_CODE_TLS_CA_FILE 632 +#define GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT "Change related to getdns_context_set_tls_ca_file" #define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST 633 #define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list" @@ -719,27 +719,27 @@ getdns_context_set_hosts(getdns_context *context, const char *hosts); /** * Specify where the location for CA certificates for verification purposes * are located. - * @see getdns_context_get_CApath - * @see getdns_context_set_CAfile + * @see getdns_context_get_tls_ca_path + * @see getdns_context_set_tls_ca_file * @param[in] context The context to configure - * @param[in] CApath Directory with Certificate Authority certificates. + * @param[in] tls_ca_path Directory with Certificate Authority certificates. * @return GETDNS_RETURN_GOOD when successful * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. */ getdns_return_t -getdns_context_set_CApath(getdns_context *context, const char *CApath); +getdns_context_set_tls_ca_path(getdns_context *context, const char *tls_ca_path); /** * Specify the file with CA certificates for verification purposes. - * @see getdns_context_get_CAfile - * @see getdns_context_set_CApath + * @see getdns_context_get_tls_ca_file + * @see getdns_context_set_tls_ca_path * @param[in] context The context to configure - * @param[in] CAfile The file with Certificate Authority certificates. + * @param[in] tls_ca_file The file with Certificate Authority certificates. * @return GETDNS_RETURN_GOOD when successful * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. */ getdns_return_t -getdns_context_set_CAfile(getdns_context *context, const char *CAfile); +getdns_context_set_tls_ca_file(getdns_context *context, const char *tls_ca_file); /** * Sets the list of available ciphers for authenticated TLS upstreams. @@ -1236,29 +1236,29 @@ getdns_context_get_hosts(getdns_context *context, const char **hosts); /** * Get the location of the directory for CA certificates for verification * purposes. - * @see getdns_context_set_CApath - * @see getdns_context_get_CAfile + * @see getdns_context_set_tls_ca_path + * @see getdns_context_get_tls_ca_file * @param[in] context The context to configure - * @param[out] CApath Directory with Certificate Authority certificates + * @param[out] tls_ca_path Directory with Certificate Authority certificates * or NULL when one was not configured. * @return GETDNS_RETURN_GOOD when successful * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. */ getdns_return_t -getdns_context_get_CApath(getdns_context *context, const char **CApath); +getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path); /** * Get the file location with CA certificates for verification purposes. - * @see getdns_context_set_CAfile - * @see getdns_context_get_CApath + * @see getdns_context_set_tls_ca_file + * @see getdns_context_get_tls_ca_path * @param[in] context The context to configure - * @param[out] CAfile The file with Certificate Authority certificates + * @param[out] tls_ca_file The file with Certificate Authority certificates * or NULL when one was not configured. * @return GETDNS_RETURN_GOOD when successful * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. */ getdns_return_t -getdns_context_get_CAfile(getdns_context *context, const char **CAfile); +getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file); /** * Get the list of available ciphers for authenticated TLS upstreams. diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols index 2c67564f..02c64b19 100644 --- a/src/libgetdns.symbols +++ b/src/libgetdns.symbols @@ -7,8 +7,6 @@ getdns_context_create_with_extended_memory_functions getdns_context_create_with_memory_functions getdns_context_destroy getdns_context_detach_eventloop -getdns_context_get_CAfile -getdns_context_get_CApath getdns_context_get_api_information getdns_context_get_append_name getdns_context_get_dns_root_servers @@ -35,6 +33,8 @@ getdns_context_get_suffix getdns_context_get_timeout getdns_context_get_tls_authentication getdns_context_get_tls_backoff_time +getdns_context_get_tls_ca_file +getdns_context_get_tls_ca_path getdns_context_get_tls_cipher_list getdns_context_get_tls_connection_retries getdns_context_get_tls_query_padding_blocksize @@ -45,8 +45,6 @@ getdns_context_get_update_callback getdns_context_get_upstream_recursive_servers getdns_context_process_async getdns_context_run -getdns_context_set_CAfile -getdns_context_set_CApath getdns_context_set_appdata_dir getdns_context_set_append_name getdns_context_set_context_update_callback @@ -78,6 +76,8 @@ getdns_context_set_suffix getdns_context_set_timeout getdns_context_set_tls_authentication getdns_context_set_tls_backoff_time +getdns_context_set_tls_ca_file +getdns_context_set_tls_ca_path getdns_context_set_tls_cipher_list getdns_context_set_tls_connection_retries getdns_context_set_tls_query_padding_blocksize From 0ef910b9ee430950551eaac2ad17525342d771a8 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 14:53:54 +0100 Subject: [PATCH 42/47] read_buf's may remain on canceled tcp requests --- src/context.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/context.c b/src/context.c index c1e0d7c5..c8f14363 100644 --- a/src/context.c +++ b/src/context.c @@ -728,6 +728,8 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams) { _getdns_closesocket(upstream->fd); } + if (upstream->tcp.read_buf) + GETDNS_FREE(upstreams->mf, upstream->tcp.read_buf); while (pin) { sha256_pin_t *nextpin = pin->next; GETDNS_FREE(upstreams->mf, pin); From 81ffa2f48db0ca1330ec158aaa7353fd85b96eee Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 15:45:58 +0100 Subject: [PATCH 43/47] Skip test that breaks with dnsmasq when SKIP_DNSMASQ_ISSUE variable is test. Helps out a little with issue #300 --- ChangeLog | 2 ++ src/test/check_getdns_context_set_dns_transport.h | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7f9f8eb1..159b00ca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ * 2017-12-??: Version 1.3.0 + * Skip unit tests that fail with dnsmasq when the SKIP_DNSMASQ_ISSUE + variable is set. Thanks Konomi Kitten * Specify default available cipher suites for authenticated TLS upstreams with getdns_context_set_tls_ciphers_list() An upstream specific available cipher suite may also be given diff --git a/src/test/check_getdns_context_set_dns_transport.h b/src/test/check_getdns_context_set_dns_transport.h index f76ee74b..15322296 100644 --- a/src/test/check_getdns_context_set_dns_transport.h +++ b/src/test/check_getdns_context_set_dns_transport.h @@ -187,8 +187,9 @@ ASSERT_RC(type, GETDNS_RESOLUTION_STUB, "Query did not use stub mode"); ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); - ASSERT_RC(tc, 1, "Packet not trucated as expected"); - + if (!getenv("SKIP_DNSMASQ_ISSUE")) { + ASSERT_RC(tc, 1, "Packet not truncated as expected"); + } /* Re-do over TCP */ ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY), GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); From aa419a88d0c716e0f9ad9d2d66ffe1717c33fade Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 16:01:48 +0100 Subject: [PATCH 44/47] Skip some more truncation issues with dnsmasq --- .../check_getdns_context_set_dns_transport.h | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/src/test/check_getdns_context_set_dns_transport.h b/src/test/check_getdns_context_set_dns_transport.h index 15322296..9fb4956c 100644 --- a/src/test/check_getdns_context_set_dns_transport.h +++ b/src/test/check_getdns_context_set_dns_transport.h @@ -189,34 +189,34 @@ GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); if (!getenv("SKIP_DNSMASQ_ISSUE")) { ASSERT_RC(tc, 1, "Packet not truncated as expected"); + + /* Re-do over TCP */ + ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY), + GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); + + ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), + GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); + + ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport), + GETDNS_RETURN_GOOD, "Failed to extract \"transport\""); + ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP"); + ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), + GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); + ASSERT_RC(tc, 0, "Packet trucated - not as expected"); + + /* Now let it fall back to TCP */ + ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP), + GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); + ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), + GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); + + ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport), + GETDNS_RETURN_GOOD, "Failed to extract \"transport\""); + ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP"); + ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), + GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); + ASSERT_RC(tc, 0, "Packet trucated - not as expected"); } - /* Re-do over TCP */ - ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_TCP_ONLY), - GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); - - ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), - GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); - - ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport), - GETDNS_RETURN_GOOD, "Failed to extract \"transport\""); - ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP"); - ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), - GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); - ASSERT_RC(tc, 0, "Packet trucated - not as expected"); - - /* Now let it fall back to TCP */ - ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP), - GETDNS_RETURN_GOOD, "Return code from getdns_context_set_dns_transport()"); - ASSERT_RC(getdns_general_sync(context, "large.getdnsapi.net", GETDNS_RRTYPE_TXT, extensions, &response), - GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); - - ASSERT_RC(getdns_dict_get_int(response, "/call_reporting/0/transport", &transport), - GETDNS_RETURN_GOOD, "Failed to extract \"transport\""); - ASSERT_RC(transport, GETDNS_TRANSPORT_TCP, "Query did not go over TCP"); - ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), - GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); - ASSERT_RC(tc, 0, "Packet trucated - not as expected"); - ASSERT_RC(getdns_context_unset_edns_maximum_udp_payload_size(context), GETDNS_RETURN_GOOD, "Return code from getdns_context_unset_edns_maximum_udp_payload_size()"); From 9aa1d067d26cfdab42dda93aef3874c28a4ec55a Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 16:21:10 +0100 Subject: [PATCH 45/47] Detect dnsmasq and skip the unit test that fails with it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This actually resolves issue #300 Thanks Tim Rühsen and Konomi Kitten --- ChangeLog | 4 ++-- src/test/check_getdns_context_set_dns_transport.h | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 159b00ca..e5431a6c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ * 2017-12-??: Version 1.3.0 - * Skip unit tests that fail with dnsmasq when the SKIP_DNSMASQ_ISSUE - variable is set. Thanks Konomi Kitten + * Bugfix #300: Detect dnsmasq and skip unit test that fails with it. + Thanks Tim Rühsen and Konomi Kitten * Specify default available cipher suites for authenticated TLS upstreams with getdns_context_set_tls_ciphers_list() An upstream specific available cipher suite may also be given diff --git a/src/test/check_getdns_context_set_dns_transport.h b/src/test/check_getdns_context_set_dns_transport.h index 9fb4956c..cecb7b47 100644 --- a/src/test/check_getdns_context_set_dns_transport.h +++ b/src/test/check_getdns_context_set_dns_transport.h @@ -144,6 +144,8 @@ uint16_t payload_size; uint8_t do_bit; getdns_transport_t trans; + int upstream_is_dnsmasq = 0; + getdns_bindata *version_str = NULL; /* Note that stricly this test just establishes that the requested transport and the reported transport are consistent, it does not guarentee which @@ -155,6 +157,17 @@ GETDNS_RETURN_GOOD, "Return code from getdns_context_set_resolution_type()"); ASSERT_RC(getdns_dict_set_int(extensions,"return_call_reporting", GETDNS_EXTENSION_TRUE), GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); + ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_CH), + GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); + + ASSERT_RC(getdns_general_sync(context, "version.bind.", GETDNS_RRTYPE_TXT, extensions, &response), + GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); + (void) getdns_dict_get_bindata(response, "/replies_tree/0/answer/0/rdata/txt_strings/0", &version_str); + upstream_is_dnsmasq = version_str && version_str->size > 7 && + strncmp((char *)version_str->data, "dnsmasq", 7) == 0; + + ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_IN), + GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); /* Request a response that should be truncated over UDP */ ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_ONLY), @@ -187,7 +200,7 @@ ASSERT_RC(type, GETDNS_RESOLUTION_STUB, "Query did not use stub mode"); ASSERT_RC(getdns_dict_get_int(response, "/replies_tree/0/header/tc", &tc), GETDNS_RETURN_GOOD, "Failed to extract \"tc\""); - if (!getenv("SKIP_DNSMASQ_ISSUE")) { + if (!upstream_is_dnsmasq) { ASSERT_RC(tc, 1, "Packet not truncated as expected"); /* Re-do over TCP */ From 03d495047093af96d7fd9ce12742b4ef68252fa2 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 16:49:19 +0100 Subject: [PATCH 46/47] We need to set transport list before first query (this needs to be reviewed...) --- .../check_getdns_context_set_dns_transport.h | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/src/test/check_getdns_context_set_dns_transport.h b/src/test/check_getdns_context_set_dns_transport.h index cecb7b47..fbd7f503 100644 --- a/src/test/check_getdns_context_set_dns_transport.h +++ b/src/test/check_getdns_context_set_dns_transport.h @@ -157,17 +157,7 @@ GETDNS_RETURN_GOOD, "Return code from getdns_context_set_resolution_type()"); ASSERT_RC(getdns_dict_set_int(extensions,"return_call_reporting", GETDNS_EXTENSION_TRUE), GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); - ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_CH), - GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); - ASSERT_RC(getdns_general_sync(context, "version.bind.", GETDNS_RRTYPE_TXT, extensions, &response), - GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); - (void) getdns_dict_get_bindata(response, "/replies_tree/0/answer/0/rdata/txt_strings/0", &version_str); - upstream_is_dnsmasq = version_str && version_str->size > 7 && - strncmp((char *)version_str->data, "dnsmasq", 7) == 0; - - ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_IN), - GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); /* Request a response that should be truncated over UDP */ ASSERT_RC(getdns_context_set_dns_transport(context, GETDNS_TRANSPORT_UDP_ONLY), @@ -176,6 +166,15 @@ GETDNS_RETURN_GOOD, "Return code from getdns_context_get_dns_transport()"); ck_assert_msg(trans == 541, "dns_transport should be 541(GETDNS_TRANSPORT_UDP_ONLY) but got %d", (int)trans); + ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_CH), + GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); + ASSERT_RC(getdns_general_sync(context, "version.bind.", GETDNS_RRTYPE_TXT, extensions, &response), + GETDNS_RETURN_GOOD, "Return code from getdns_general_sync()"); + (void) getdns_dict_get_bindata(response, "/replies_tree/0/answer/0/rdata/txt_strings/0", &version_str); + upstream_is_dnsmasq = version_str && version_str->size > 7 && + strncmp((char *)version_str->data, "dnsmasq", 7) == 0; + ASSERT_RC(getdns_dict_set_int(extensions,"specify_class", GETDNS_RRCLASS_IN), + GETDNS_RETURN_GOOD, "Return code from getdns_dict_set_int()"); ASSERT_RC(getdns_context_set_edns_maximum_udp_payload_size(context, 512), GETDNS_RETURN_GOOD, "Return code from getdns_context_set_edns_maximum_udp_payload_size()"); From 25a31e6b350c4593b5f71491c39c9e91853475c3 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 17:06:43 +0100 Subject: [PATCH 47/47] Bump version --- ChangeLog | 2 +- configure.ac | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index e5431a6c..575855cd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,4 @@ -* 2017-12-??: Version 1.3.0 +* 2017-12-21: Version 1.3.0 * Bugfix #300: Detect dnsmasq and skip unit test that fails with it. Thanks Tim Rühsen and Konomi Kitten * Specify default available cipher suites for authenticated TLS diff --git a/configure.ac b/configure.ac index 4bca695d..9bc7f66a 100644 --- a/configure.ac +++ b/configure.ac @@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir]) # Dont forget to put a dash in front of the release candidate!!! # That is how it is done with semantic versioning! # -AC_SUBST(RELEASE_CANDIDATE, [-rc2]) +AC_SUBST(RELEASE_CANDIDATE, []) # Set current date from system if not set AC_ARG_WITH([current-date], @@ -62,7 +62,7 @@ AC_ARG_WITH([current-date], [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"]) AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"]) -AC_SUBST(GETDNS_NUMERIC_VERSION, [0x010201c2]) +AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01030000]) AC_SUBST(API_VERSION, ["December 2015"]) AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00]) GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API" @@ -98,8 +98,8 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE # getdns-1.1.2 had libversion 7:0:1 # getdns-1.1.3 had libversion 7:1:1 # getdns-1.2.0 had libversion 8:0:2 -# getdns-1.2.1 has libversion 8:1:2 -# getdns-1.3.0 will have libversion 9:0:3 +# getdns-1.2.1 had libversion 8:1:2 +# getdns-1.3.0 has libversion 9:0:3 # GETDNS_LIBVERSION=9:0:3