Commit e615a92c authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 1.6.1~rc1

parent 65090329
1.6.x
* --enable-gost : use the GOST algorithm (experimental).
* Added some missing options to drill manpage
* Some fixes to --without-ssl option
* Fixed quote parsing withing strings
* Bitmask fix in EDNS handling
* Fixed non-fqdn domain name completion for rdata field domain
names of length 1
* Fixed chain validation with SHA256 DS records
1.6.0
Additions:
* Addition of an ldns-config script which gives cflags and libs
......@@ -28,7 +28,7 @@ LIBS = @LIBS@
LIBOBJS = @LIBOBJS@
RUNTIME_PATH = @RUNTIME_PATH@
DATE = $(shell date +%Y%m%d)
LIBTOOL = $(libtool) --tag=CC
LIBTOOL = $(libtool) --tag=CC --quiet
ACLOCAL_AMFLAGS = -Im4
INSTALL_LDNS_CONFIG = @INSTALL_LDNS_CONFIG@
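Review bot: Adding `--quiet` on the new `LIBTOOL = $(libtool) --tag=CC --quiet` line stops libtool from echoing the real compiler and linker invocations, so a build log no longer shows which flags actually reached the toolchain, which is exactly what a packager or reviewer reads when confirming warning or hardening flags were applied. Consider making the silence opt-out, e.g. `LIBTOOL_QUIET = --quiet` and `LIBTOOL = $(libtool) --tag=CC $(LIBTOOL_QUIET)` so `make LIBTOOL_QUIET=` restores the verbose log, or at least a comment above the line noting that `make LIBTOOL='$(libtool) --tag=CC'` gives the full command lines.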
......@@ -3,10 +3,10 @@
AC_PREREQ(2.56)
sinclude(acx_nlnetlabs.m4)
AC_INIT(ldns, 1.6.0, libdns@nlnetlabs.nl, libdns)
AC_INIT(ldns, 1.6.1rc1, libdns@nlnetlabs.nl, libdns)
AC_CONFIG_SRCDIR([packet.c])
# needed to build correct soname
AC_SUBST(LIBTOOL_VERSION_INFO, "1:6:0")
AC_SUBST(LIBTOOL_VERSION_INFO, "1:6:1")
PACKAGE_VERSION="$PACKAGE_VERSION"
......@@ -75,7 +75,19 @@ AC_CHECK_TYPE(uint64_t, unsigned long long)
# my own checks
AC_CHECK_PROG(doxygen, doxygen, doxygen)
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--enable-sha2], [Enable SHA256 and SHA512 RRSIG support]))
ACX_WITH_SSL_OPTIONAL
AC_CHECK_FUNCS([EVP_sha256])
# Use libtool
ACX_LIBTOOL_C_ONLY
# for macosx, see if glibtool exists and use that
# BSD's need to know the version...
#AC_CHECK_PROG(glibtool, glibtool, [glibtool], )
#AC_CHECK_PROGS(libtool, [libtool15 libtool], [./libtool])
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--enable-sha2], [Enable SHA256 and SHA512 RRSIG support, experimental]))
case "$enable_sha2" in
yes)
AC_MSG_CHECKING(for SHA256 and SHA512)
......@@ -88,6 +100,17 @@ case "$enable_sha2" in
;;
esac
AC_ARG_ENABLE(gost, AC_HELP_STRING([--enable-gost], [Enable GOST support, experimental]))
case "$enable_gost" in
yes)
AC_MSG_CHECKING(for GOST)
AC_CHECK_LIB(crypto, EVP_PKEY_set_type_str,,[AC_MSG_ERROR([OpenSSL >= 1.0.0 is needed for GOST support])])
AC_DEFINE_UNQUOTED([USE_GOST], [1], [Define this to enable GOST support.])
;;
no|*)
;;
esac
# add option to disable installation of ldns-config script
AC_ARG_ENABLE(ldns-config, [ --disable-ldns-config disable installation of ldns-config (default=enabled)],
enable_ldns_config=$enableval, enable_ldns_config=yes)
......@@ -108,86 +131,6 @@ if test "x$enable_rpath" = xyes; then
RPATH_VAL="-Wl,-rpath=\${libdir}"
fi
# Checks for libraries.
# Check for SSL, original taken from
# http://www.gnu.org/software/ac-archive/htmldoc/check_ssl.html and
# modified for NSD and
# copied again for use in ldns
AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
[enable SSL (will check /usr/local/ssl
/usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
],[
withval="yes"
])
if test x_$withval != x_no; then
AC_MSG_CHECKING(for SSL)
if test x_$withval = x_ -o x_$withval = x_yes; then
withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr"
fi
for dir in $withval; do
ssldir="$dir"
if test -f "$dir/include/openssl/ssl.h"; then
found_ssl="yes"
AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
AC_SUBST(HAVE_SSL)
CPPFLAGS="$CPPFLAGS -I$ssldir/include"
break;
fi
done
if test x_$found_ssl != x_yes; then
AC_MSG_ERROR(Cannot find the SSL libraries in $withval)
else
AC_MSG_RESULT(found in $ssldir)
HAVE_SSL=yes
AC_SUBST(HAVE_SSL)
LDFLAGS="$LDFLAGS -L$ssldir/lib -lcrypto"
if test "x$enable_rpath" = xyes; then
RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib"
fi
AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
ORIGLIBS="$LIBS"
LIBS="$LIBS -lcrypto"
AC_TRY_LINK(, [
int HMAC_CTX_init(void);
(void)HMAC_CTX_init();
], [
AC_MSG_RESULT(yes)
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
[If you have HMAC_CTX_init])
], [
AC_MSG_RESULT(no)
# check if -lwsock32 or -lgdi32 are needed.
LIBS="$LIBS -lgdi32"
AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
AC_TRY_LINK([], [
int HMAC_CTX_init(void);
(void)HMAC_CTX_init();
],[
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
[If you have HMAC_CTX_init])
AC_MSG_RESULT(yes)
LDFLAGS="$LDFLAGS -lgdi32"
],[
AC_MSG_RESULT(no)
AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
])
])
fi
AC_SUBST(RUNTIME_PATH)
fi
AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
# Use libtool
ACX_LIBTOOL_C_ONLY
# for macosx, see if glibtool exists and use that
# BSD's need to know the version...
#AC_CHECK_PROG(glibtool, glibtool, [glibtool], )
#AC_CHECK_PROGS(libtool, [libtool15 libtool], [./libtool])
#AC_TRY_RUN(
#[
#int main()
......@@ -290,62 +233,9 @@ AC_REPLACE_FUNCS(strlcpy)
AC_REPLACE_FUNCS(memmove)
AC_CHECK_FUNCS([endprotoent endservent sleep random])
AC_DEFUN([AC_CHECK_GETADDRINFO_WITH_INCLUDES],
[AC_REQUIRE([AC_PROG_CC])
AC_MSG_CHECKING(for getaddrinfo)
AC_CACHE_VAL(ac_cv_func_getaddrinfo,
[ac_cv_func_getaddrinfo=no
AC_LINK_IFELSE(
[
#ifdef __cplusplus
extern "C"
{
#endif
char* getaddrinfo();
char* (*f) () = getaddrinfo;
#ifdef __cplusplus
}
#endif
int main() {
;
return 0;
}
],
dnl this case on linux, solaris, bsd
[ac_cv_func_getaddrinfo="yes"],
dnl no quick getaddrinfo, try mingw32 and winsock2 library.
ORIGLIBS="$LIBS"
LIBS="$LIBS -lws2_32"
AC_LINK_IFELSE(
AC_LANG_PROGRAM(
[
#ifdef HAVE_WS2TCPIP_H
#include <ws2tcpip.h>
#endif
],
[
(void)getaddrinfo(NULL, NULL, NULL, NULL);
]
),
[ac_cv_func_getaddrinfo="yes"
LDFLAGS="$LDFLAGS -lws2_32"
],
[ac_cv_func_getaddrinfo="no"
LIBS="$ORIGLIBS"
])
)
])
AC_MSG_RESULT($ac_cv_func_getaddrinfo)
if test $ac_cv_func_getaddrinfo = yes; then
AC_DEFINE(HAVE_GETADDRINFO, 1, [Whether getaddrinfo is available])
fi
])dnl
AC_CHECK_GETADDRINFO_WITH_INCLUDES
ACX_CHECK_GETADDRINFO_WITH_INCLUDES
if test $ac_cv_func_getaddrinfo = no; then
AC_LIBOBJ([fake-rfc2553])
AC_LIBOBJ([fake-rfc2553])
fi
#AC_SEARCH_LIBS(RSA_new, [crypto])
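Review bot: `AC_MSG_CHECKING(for GOST)` in the new `--enable-gost` block is never answered by an `AC_MSG_RESULT`; the `AC_CHECK_LIB` that follows prints its own `checking for EVP_PKEY_set_type_str in -lcrypto...` prompt, so configure output shows two prompts on one line and no result for the first (the existing `AC_MSG_CHECKING(for SHA256 and SHA512)` has the same shape). Either drop the `AC_MSG_CHECKING` or close the `yes)` branch with `AC_MSG_RESULT(yes)`. The check also only proves an OpenSSL >= 1.0.0 API is linkable, not that a GOST engine can be loaded; the C call sites in this commit load it at run time, so a comment above the case statement such as `# presence of EVP_PKEY_set_type_str only proves OpenSSL >= 1.0.0; the GOST engine itself is loaded at run time by ldns_key_EVP_load_gost_id(), which can still fail` would make that explicit. Note too that with an empty action-if-found `AC_CHECK_LIB` appends `-lcrypto` to LIBS and defines HAVE_LIBCRYPTO as a side effect, which may duplicate what `ACX_WITH_SSL_OPTIONAL` already did (that macro is not in this diff).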
......@@ -424,6 +424,24 @@ ldns_key_buf2rsa_raw(unsigned char* key, size_t len)
return rsa;
}
int
ldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
const EVP_MD* md)
{
EVP_MD_CTX* ctx;
ctx = EVP_MD_CTX_create();
if(!ctx)
return false;
if(!EVP_DigestInit_ex(ctx, md, NULL) ||
!EVP_DigestUpdate(ctx, data, len) ||
!EVP_DigestFinal_ex(ctx, dest, NULL)) {
EVP_MD_CTX_destroy(ctx);
return false;
}
EVP_MD_CTX_destroy(ctx);
return true;
}
#endif /* HAVE_SSL */
ldns_rr *
......@@ -435,6 +453,9 @@ ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
uint8_t sha1hash;
uint8_t *digest;
ldns_buffer *data_buf;
#ifdef USE_GOST
const EVP_MD* md = NULL;
#endif
if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY) {
return NULL;
......@@ -466,6 +487,25 @@ ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
return NULL;
}
break;
case LDNS_HASH_GOST94:
#ifdef USE_GOST
(void)ldns_key_EVP_load_gost_id();
md = EVP_get_digestbyname("md_gost94");
if(!md) {
ldns_rr_free(ds);
return NULL;
}
digest = LDNS_XMALLOC(uint8_t, EVP_MD_size(md));
if (!digest) {
ldns_rr_free(ds);
return NULL;
}
#else
/* not implemented */
ldns_rr_free(ds);
return NULL;
#endif
break;
}
data_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
......@@ -534,6 +574,22 @@ ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
digest);
ldns_rr_push_rdf(ds, tmp);
break;
case LDNS_HASH_GOST94:
#ifdef USE_GOST
if(!ldns_digest_evp((unsigned char *) ldns_buffer_begin(data_buf),
(unsigned int) ldns_buffer_position(data_buf),
(unsigned char *) digest, md)) {
LDNS_FREE(digest);
ldns_buffer_free(data_buf);
ldns_rr_free(ds);
return NULL;
}
tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
EVP_MD_size(md),
digest);
ldns_rr_push_rdf(ds, tmp);
#endif
break;
}
LDNS_FREE(digest);
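Review bot: `ldns_digest_evp` declares `unsigned int len` while `EVP_DigestUpdate` takes a `size_t`, so the new GOST caller in `ldns_key_rr2ds` has to narrow `ldns_buffer_position(data_buf)` with `(unsigned int)` only for the value to be widened again; declaring the parameter as `size_t len` (and `const unsigned char* data`, since the data is only read) removes the cast and the silent truncation, though the header prototype is not in this diff and would need the same change. The function also has no comment; a header such as `/* Hash len bytes of data into dest using md. dest must hold EVP_MD_size(md) bytes. Returns true on success, false if the EVP context cannot be created or any digest step fails. */` would state the contract the GOST branch relies on when it sizes `digest` with `EVP_MD_size(md)`. Since the body returns `true`/`false`, a `bool` return type would read more honestly than `int`, again subject to the header.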
......@@ -141,6 +141,14 @@ ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
EVP_sha512());
break;
#endif /* USE_SHA2 */
#ifdef USE_GOST
case LDNS_SIGN_GOST:
b64rdf = ldns_sign_public_evp(
sign_buf,
ldns_key_evp_key(current_key),
EVP_get_digestbyname("md_gost94"));
break;
#endif /* USE_GOST */
case LDNS_SIGN_RSAMD5:
b64rdf = ldns_sign_public_evp(
sign_buf,
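Review bot: In the new `LDNS_SIGN_GOST` case the result of `EVP_get_digestbyname("md_gost94")` is passed straight into `ldns_sign_public_evp` with no NULL check, and unlike the GOST paths added in dnssec.c and dnssec_verify.c there is no preceding `ldns_key_EVP_load_gost_id()` call, so if the digest has not been registered with OpenSSL the signer receives a NULL md. Unless key loading already guarantees the engine is loaded for every `LDNS_SIGN_GOST` key (not visible here), fetch the digest into a local first, e.g. `const EVP_MD *md = EVP_get_digestbyname("md_gost94");`, test it for NULL and leave the case the same way a failed `ldns_sign_public_evp` is handled (that handling is outside the hunk). Whether `ldns_sign_public_evp` tolerates a NULL md itself is not visible in this diff. The enclosing function continues beyond the hunk.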
......@@ -508,6 +508,8 @@ ldns_dnssec_trust_tree_print_sm(FILE *out,
} else if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_DS) {
fprintf(out, " keytag: ");
ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 0));
fprintf(out, " digest type: ");
ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 2));
}
if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_NSEC) {
fprintf(out, " ");
......@@ -978,15 +980,12 @@ ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys,
ldns_rr_list *good_keys)
{
uint16_t i;
bool valid;
ldns_status verify_result = LDNS_STATUS_ERR;
if (!rrset || !rrsig || !keys) {
return LDNS_STATUS_ERR;
}
valid = false;
if (ldns_rr_list_rr_count(rrset) < 1) {
return LDNS_STATUS_ERR;
}
......@@ -1014,6 +1013,44 @@ ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys,
return verify_result;
}
ldns_status
ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig,
const ldns_rr_list *keys, ldns_rr_list *good_keys)
{
uint16_t i;
ldns_status verify_result = LDNS_STATUS_ERR;
if (!rrset || !rrsig || !keys) {
return LDNS_STATUS_ERR;
}
if (ldns_rr_list_rr_count(rrset) < 1) {
return LDNS_STATUS_ERR;
}
if (ldns_rr_list_rr_count(rrsig) < 1) {
return LDNS_STATUS_CRYPTO_NO_RRSIG;
}
if (ldns_rr_list_rr_count(keys) < 1) {
verify_result = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
} else {
for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) {
ldns_status s = ldns_verify_rrsig_keylist_notime(rrset,
ldns_rr_list_rr(rrsig, i), keys, good_keys);
/* try a little to get more descriptive error */
if(s == LDNS_STATUS_OK) {
verify_result = LDNS_STATUS_OK;
} else if(verify_result == LDNS_STATUS_ERR)
verify_result = s;
else if(s != LDNS_STATUS_ERR && verify_result ==
LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY)
verify_result = s;
}
}
return verify_result;
}
ldns_rr_list *
ldns_fetch_valid_domain_keys(const ldns_resolver *res,
const ldns_rdf *domain,
......@@ -1473,6 +1510,54 @@ ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
}
#endif /* HAVE_SSL */
#ifdef USE_GOST
EVP_PKEY*
ldns_gost2pkey_raw(unsigned char* key, size_t keylen)
{
/* prefix header for X509 encoding */
uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85,
0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03,
0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40};
unsigned char encoded[37+64];
const unsigned char* pp;
if(keylen != 64) {
/* key wrong size */
return NULL;
}
/* create evp_key */
memmove(encoded, asn, 37);
memmove(encoded+37, key, 64);
pp = (unsigned char*)&encoded[0];
return d2i_PUBKEY(NULL, &pp, sizeof(encoded));
}
static ldns_status
ldns_verify_rrsig_gost_raw(unsigned char* sig, size_t siglen,
ldns_buffer* rrset, unsigned char* key, size_t keylen)
{
EVP_PKEY *evp_key;
ldns_status result;
(void) ldns_key_EVP_load_gost_id();
evp_key = ldns_gost2pkey_raw(key, keylen);
if(!evp_key) {
/* could not convert key */
return LDNS_STATUS_CRYPTO_BOGUS;
}
/* verify signature */
result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset,
evp_key, EVP_get_digestbyname("md_gost94"));
EVP_PKEY_free(evp_key);
return result;
}
#endif
ldns_status
ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf,
ldns_buffer *key_buf, uint8_t algo)
......@@ -1523,6 +1608,12 @@ ldns_verify_rrsig_buffers_raw(unsigned char* sig, size_t siglen,
key,
keylen);
break;
#endif
#ifdef USE_GOST
case LDNS_GOST:
return ldns_verify_rrsig_gost_raw(sig, siglen, verify_buf,
key, keylen);
break;
#endif
case LDNS_RSAMD5:
return ldns_verify_rrsig_rsamd5_raw(sig,
......@@ -1608,6 +1699,9 @@ ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, ldns_rr* rrsig)
#ifdef USE_SHA2
case LDNS_RSASHA256:
case LDNS_RSASHA512:
#endif
#ifdef USE_GOST
case LDNS_GOST:
#endif
if (ldns_rdf2buffer_wire(rawsig_buf,
ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
......@@ -1776,6 +1870,35 @@ ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
ldns_rr *rrsig,
const ldns_rr_list *keys,
ldns_rr_list *good_keys)
{
ldns_status result;
ldns_rr_list *valid = ldns_rr_list_new();
if (!valid)
return LDNS_STATUS_MEM_ERR;
result = ldns_verify_rrsig_keylist_notime(rrset, rrsig, keys, valid);
if(result != LDNS_STATUS_OK) {
ldns_rr_list_free(valid);
return result;
}
/* check timestamps last; its OK except time */
result = ldns_rrsig_check_timestamps(rrsig, (int32_t)time(NULL));
if(result != LDNS_STATUS_OK) {
ldns_rr_list_free(valid);
return result;
}
ldns_rr_list_cat(good_keys, valid);
ldns_rr_list_free(valid);
return LDNS_STATUS_OK;
}
ldns_status
ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
ldns_rr *rrsig,
const ldns_rr_list *keys,
ldns_rr_list *good_keys)
{
ldns_buffer *rawsig_buf;
ldns_buffer *verify_buf;
......@@ -1845,12 +1968,7 @@ ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
return result;
}
/* check timestamps last; its OK except time */
result = ldns_rrsig_check_timestamps(rrsig, (int32_t)time(NULL));
if(result != LDNS_STATUS_OK) {
ldns_rr_list_free(validkeys);
return result;
}
/* do not check timestamps */
ldns_rr_list_cat(good_keys, validkeys);
ldns_rr_list_free(validkeys);
......@@ -2074,7 +2192,6 @@ ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
}
ldns_status
ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
size_t siglen,
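Review bot: In `ldns_verify_rrsig_gost_raw` the `EVP_get_digestbyname("md_gost94")` result goes to `ldns_verify_rrsig_evp_raw` without a NULL check and the return value of `ldns_key_EVP_load_gost_id()` on the line above is discarded, so when the GOST engine is unavailable the verifier is handed a NULL digest, whereas `ldns_key_rr2ds` in this same commit tests the identical lookup for NULL. Fetch it first and bail out: `const EVP_MD *md = EVP_get_digestbyname("md_gost94");` then `if(!md) { EVP_PKEY_free(evp_key); return LDNS_STATUS_ERR; }` before the call (or `LDNS_STATUS_CRYPTO_BOGUS`, matching the unconvertible-key path, if a missing algorithm is to be reported as a failed verification rather than an error). Separately, the new public `ldns_verify_notime` and `ldns_verify_rrsig_keylist_notime` deliberately skip `ldns_rrsig_check_timestamps`, so their header comments should say that a signature outside its inception/expiration window is reported as valid and that the caller must apply the timestamp check itself, as `ldns_verify_rrsig_keylist` now does after calling the `_notime` variant. `ldns_verify_notime` also appears to duplicate the body of `ldns_verify` apart from the `_notime` call; a shared static helper parameterised on the per-rrsig function would keep the two in step.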
......@@ -70,7 +70,7 @@ ldns_verify_rrsig_dsa, ldns_verify_rrsig_rsasha1, ldns_verify_rrsig_rsamd5 | ldn
ldns_pkt_tsig_verify, ldns_pkt_tsig_sign | ldns_key
# verify
ldns_verify, ldns_verify_rrsig, ldns_verify_rrsig_keylist | ldns_verify_rrsig_evp | ldns_verify_rrsig_dsa, ldns_verify_rrsig_rsasha1, ldns_verify_rrsig_rsamd5, ldns_sign_public, ldns_zone_sign, ldns_key
ldns_verify, ldns_verify_rrsig, ldns_verify_rrsig_keylist, ldns_verify_rrsig_keylist_notime, ldns_verify_notime | ldns_verify_rrsig_evp | ldns_verify_rrsig_dsa, ldns_verify_rrsig_rsasha1, ldns_verify_rrsig_rsamd5, ldns_sign_public, ldns_zone_sign, ldns_key
# convert
ldns_key_buf2dsa, ldns_key_buf2rsa | ldns_key_rr2ds
......@@ -109,7 +109,7 @@ ldns_key_new_frm_fp_rsa, ldns_key_new_frm_fp_rsa_l | ldns_key_new_frm_fp, ldns_k
ldns_key_new_frm_fp_dsa, ldns_key_new_frm_fp_dsa_l | ldns_key_new_frm_fp, ldns_key
ldns_key_list_new | ldns_key_new, ldns_key
# access, write
ldns_key_set_algorithm, ldns_key_set_rsa_key, ldns_key_set_dsa_key, ldns_key_set_hmac_key, ldns_key_set_origttl, ldns_key_set_inception, ldns_key_set_expiration, ldns_key_set_pubkey_owner, ldns_key_set_keytag, ldns_key_set_flags, ldns_key_list_set_key_count | ldns_key_push_key, ldns_key
ldns_key_set_algorithm, ldns_key_set_rsa_key, ldns_key_set_dsa_key, ldns_key_set_hmac_key, ldns_key_set_origttl, ldns_key_set_inception, ldns_key_set_expiration, ldns_key_set_pubkey_owner, ldns_key_set_keytag, ldns_key_set_flags, ldns_key_list_set_key_count, ldns_key_algo_supported | ldns_key_push_key, ldns_key
ldns_key_list_push_key | ldns_key_list_pop_key, ldns_key
ldns_key_list_pop_key | ldns_key_list_push_key, ldns_key
# access, read
......@@ -54,6 +54,15 @@
/* Define to 1 if you have the <net/if.h> header file. */
#undef HAVE_NET_IF_H
/* Define to 1 if you have the <openssl/err.h> header file. */
#undef HAVE_OPENSSL_ERR_H
/* Define to 1 if you have the <openssl/rand.h> header file. */
#undef HAVE_OPENSSL_RAND_H
/* Define to 1 if you have the <openssl/ssl.h> header file. */
#undef HAVE_OPENSSL_SSL_H
/* Define if you have the SSL libraries installed. */
#undef HAVE_SSL
......@@ -2,8 +2,9 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.56)
AC_INIT(ldns, 1.6.0, libdns@nlnetlabs.nl,libdns)
AC_INIT(ldns, 1.6.1rc1, libdns@nlnetlabs.nl,libdns)
AC_CONFIG_SRCDIR([drill.c])
sinclude(../acx_nlnetlabs.m4)
OURCPPFLAGS=''
CPPFLAGS=${CPPFLAGS:-${OURCPPFLAGS}}
......@@ -194,71 +195,7 @@ AC_CHECK_TYPE(in_port_t, [], [AC_DEFINE([in_port_t], [uint16_t], [in_port_t])],
AC_CHECK_LIB(socket, socket)
AC_CHECK_LIB(nsl, inet_pton)
# Checks for libraries.
# Check for SSL, original taken from
# http://www.gnu.org/software/ac-archive/htmldoc/check_ssl.html and
# modified for NSD and
# copied again for use in ldns
AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
[enable SSL (will check /usr/local/ssl
/usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr/sfw /usr)]),[
],[
withval="yes"
if test x_$withval != x_no; then
AC_MSG_CHECKING(for SSL)
if test x_$withval = x_ -o x_$withval = x_yes; then
withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr/sfw /usr"
fi
for dir in $withval; do
ssldir="$dir"
if test -f "$dir/include/openssl/ssl.h"; then
found_ssl="yes";
AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
CPPFLAGS="$CPPFLAGS -I$ssldir/include";
break;
fi
done
if test x_$found_ssl != x_yes; then
AC_MSG_ERROR(Cannot find the SSL libraries in $withval)
else
AC_MSG_RESULT(found in $ssldir)
HAVE_SSL=yes
LDFLAGS="$LDFLAGS -L$ssldir/lib";
if test "x$enable_rpath" = xyes; then
RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib"
fi
AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
LIBS="$LIBS -lcrypto"
AC_TRY_LINK(, [
int HMAC_CTX_init(void);
(void)HMAC_CTX_init();
], [
AC_MSG_RESULT(yes)
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
[If you have HMAC_CTX_init])
], [
AC_MSG_RESULT(no)
# check if -lwsock32 or -lgdi32 are needed.
LIBS="$LIBS -lgdi32 -lws2_32"
AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
AC_TRY_LINK([], [
int HMAC_CTX_init(void);
(void)HMAC_CTX_init();
],[
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
[If you have HMAC_CTX_init])
AC_MSG_RESULT(yes)
],[
AC_MSG_RESULT(no)
AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or
higher is required])
])
])
fi
AC_SUBST(HAVE_SSL)
AC_SUBST(RUNTIME_PATH)
fi
])
ACX_WITH_SSL_OPTIONAL
LIBS_STC="$LIBS"
AC_SUBST(LIBS_STC)
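Review bot: The removed inline SSL check appended `-lcrypto` to LIBS before the `LIBS_STC="$LIBS"` snapshot that still follows at the end of the hunk, so whatever consumes LIBS_STC now depends on `ACX_WITH_SSL_OPTIONAL` having added the crypto library to LIBS (not only to LDFLAGS) by the time that line runs; the macro is not in this diff, so please confirm, otherwise a `--with-ssl` build could link dynamically while the LIBS_STC consumer loses `-lcrypto`. The removed block also enforced OpenSSL >= 0.9.7 via the `HMAC_CTX_init` link test and carried the `-lgdi32 -lws2_32` MinGW fallback; if the shared macro does not reproduce those, they are silently lost. A comment at the call site such as `# SSL detection, the minimum-version link test and the MinGW link fallbacks now live in ../acx_nlnetlabs.m4 (ACX_WITH_SSL_OPTIONAL)` would at least tell the next reader where to look.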
......@@ -52,11 +52,13 @@ Show the MX records of the domain miek.nl
.TP
\fBdrill -S jelte.nlnetlabs.nl\fR
Chase any signatures in the jelte.nlnetlab.nl domain.
Chase any signatures in the jelte.nlnetlab.nl domain. This option is
only available when ldns has been compiled with openssl-support.
.TP
\fBdrill -TD www.example.com\fR
Do a DNSSEC (-D) trace (-T) from the rootservers down to www.example.com.
This option only works when ldns has been compiled with openssl support.
.TP
\fBdrill -s dnskey jelte.nlnetlabs.nl\fR
......@@ -140,6 +142,14 @@ structure will fall back to TCP.
\fB\-b \fIsize\fR
Use size as the buffer size in the EDNS0 pseudo RR.
.TP
\fB\-c \fIfile\fR
Use file instead of /etc/resolv.conf for nameserver configuration.
.TP
\fB\-d \fIdomain\fR
When tracing (-T), start from this domain instead of the root.
.TP
\fB\-t
Use TCP/IP when querying a server
......@@ -173,6 +183,10 @@ cache to not validate the answers it gives out.
\fB\-p \fIport\fR
Use this port instead of the default of 53.
.TP
\fB\-r \fIfile\fR
When tracing (-T), use file as a root servers hint file.
.TP
\fB\-s
When encountering a DNSKEY print the equivalent DS also.
......@@ -194,6 +208,10 @@ Do a reverse loopup. The type argument is not used, it is preset to PTR.
\fB\-y \fI<name:key[:algo]>\fR
specify named base64 tsig key, and optional an algorithm (defaults to hmac-md5.sig-alg.reg.int)
.TP
\fB\-z \fR
don't randomize the nameserver list before sending queries.
.SH AUTHOR
Jelte Jansen and Miek Gieben. Both of NLnet Labs.
......@@ -204,7 +204,6 @@ main(int argc, char *argv[])
case 'I':
/* reserved for backward compatibility */
break;
#ifdef HAVE_SSL
case 'T':
if (PURPOSE == DRILL_CHASE) {
fprintf(stderr, "-T and -S cannot be used at the same time.\n");
......@@ -212,6 +211,7 @@ main(int argc, char *argv[])
}
PURPOSE = DRILL_TRACE;
break;
#ifdef HAVE_SSL
case 'S':
if (PURPOSE == DRILL_TRACE) {
fprintf(stderr, "-T and -S cannot be used at the same time.\n");
......@@ -389,10 +389,15 @@ main(int argc, char *argv[])
/* do a secure trace when requested */
if (PURPOSE == DRILL_TRACE && qdnssec) {
#ifdef HAVE_SSL
if (ldns_rr_list_rr_count(key_list) == 0) {
warning("%s", "No trusted keys were given. Will not be able to verify authenticity!");
}
PURPOSE = DRILL_SECTRACE;
#else
fprintf(stderr, "ldns has not been compiled with OpenSSL support. Secure trace not available\n");
exit(1);
#endif /* HAVE_SSL */
}
/* parse the arguments, with multiple arguments, the last argument
......@@ -546,7 +551,6 @@ main(int argc, char *argv[])
case DRILL_TRACE:
/* do a trace from the root down */
if (!global_dns_root) {
init_root();
}
qname = ldns_dname_new_frm_str(name);
......@@ -24,31 +24,45 @@ init_root(void)
global_dns_root = ldns_rr_list_new();
(void)ldns_rr_new_frm_str(&r, "a.root-servers.net 3600 IN A 198.41.0.4", 0, NULL, NULL);
(void)ldns_rr_new_frm_str(&r, "A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4", 0, NULL, NULL);
ldns_rr_list_push_rr(global_dns_root, r);
(void)ldns_rr_new_frm_str(&r, "b.root-servers.net 3600 IN A 192.228.79.201", 0, NULL, NULL);
(void)ldns_rr_new_frm_str(&r, "A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30", 0, NULL, NULL);
ldns_rr_list_push_rr(global_dns_root, r);
(void)ldns_rr_new_frm_str(&r, "c.root-servers.net 3600 IN A 192.33.4.12", 0, NULL, NULL);
(void)ldns_rr_new_frm_str(&r, "B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201", 0, NULL, NULL);
ldns_rr_list_push_rr(global_dns_root, r);
(void)ldns_rr_new_frm_str(&r, "d.root-servers.net 3600 IN A 128.8.10.90", 0, NULL, NULL);
(void)ldns_rr_new_frm_str(&r, "C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12", 0, NULL, NULL);
ldns_rr_list_push_rr(global_dns_root, r);
(void)ldns_rr_new_frm_str(&r, "e.root-servers.net 3600 IN A 192.203.230.10", 0, NULL, NULL);
(void)ldns_rr_new_frm_str(&r, "D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90", 0, NULL, NULL);
ldns_rr_list_push_rr(global_dns_root, r);
(void)ldns_rr_new_frm_str(&r, "f.root-servers.net 3600 IN A 192.5.5.241", 0, NULL, NULL);
(void)ldns_rr_new_frm_str(&r, "E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10", 0, NULL, NULL);