authorDag-Erling Smørgrav <des@FreeBSD.org>2017-02-03 13:01:00 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2017-02-03 13:01:00 +0000
commitc6342fe2e90510d8d2296423f2ca92818a7b3d18 (patch)
tree0cc9064980c804a7bf5cc6d96c9249950c7e56a9 /examples
parent65be028f32ed37dce84f6328d4a7172132c8c224 (diff)
Notes
Notes: svn path=/vendor/ldns/dist/; revision=313156 svn path=/vendor/ldns/1.7.0/; revision=313157; tag=vendor/ldns/1.7.0
Diffstat (limited to 'examples')
-rw-r--r--examples/config.h.in4
-rwxr-xr-xexamples/configure375
-rw-r--r--examples/configure.ac2
-rw-r--r--examples/ldns-compare-zones.19
-rw-r--r--examples/ldns-compare-zones.c13
-rw-r--r--examples/ldns-dane.1.in29
-rw-r--r--examples/ldns-dane.c422
-rw-r--r--examples/ldns-dpa.136
-rw-r--r--examples/ldns-dpa.c13
-rw-r--r--examples/ldns-gen-zone.14
-rw-r--r--examples/ldns-gen-zone.c2
-rw-r--r--examples/ldns-key2ds.17
-rw-r--r--examples/ldns-key2ds.c8
-rw-r--r--examples/ldns-keyfetcher.c5
-rw-r--r--examples/ldns-keygen.12
-rw-r--r--examples/ldns-keygen.c127
-rw-r--r--examples/ldns-mx.c19
-rw-r--r--examples/ldns-notify.12
-rw-r--r--examples/ldns-notify.c19
-rw-r--r--examples/ldns-read-zone.130
-rw-r--r--examples/ldns-read-zone.c179
-rw-r--r--examples/ldns-signzone.14
-rw-r--r--examples/ldns-signzone.c33
-rw-r--r--examples/ldns-test-edns.c4
-rw-r--r--examples/ldns-testns.c7
-rw-r--r--examples/ldns-testpkts.c8
-rw-r--r--examples/ldns-update.118
-rw-r--r--examples/ldns-update.c2
-rw-r--r--examples/ldns-verify-zone.1.in2
-rw-r--r--examples/ldns-verify-zone.c91
-rw-r--r--examples/ldns-walk.c8
-rw-r--r--examples/ldnsd.c4
32 files changed, 943 insertions, 545 deletions
diff --git a/examples/config.h.in b/examples/config.h.in
index e645acea1744..7145f80e4df8 100644
--- a/examples/config.h.in
+++ b/examples/config.h.in
@@ -36,8 +36,8 @@
/* Define to 1 if you have the <getopt.h> header file. */
#undef HAVE_GETOPT_H
-/* If you have HMAC_CTX_init */
-#undef HAVE_HMAC_CTX_INIT
+/* If you have HMAC_Update */
+#undef HAVE_HMAC_UPDATE
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
diff --git a/examples/configure b/examples/configure
index 601f6ee06a0b..07bb57bd4921 100755
--- a/examples/configure
+++ b/examples/configure
@@ -1,13 +1,11 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for ldns 1.6.17.
+# Generated by GNU Autoconf 2.69 for ldns 1.7.0.
#
# Report bugs to <libdns@nlnetlabs.nl>.
#
#
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-# Foundation, Inc.
+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
#
#
# This configure script is free software; the Free Software Foundation
@@ -136,6 +134,31 @@ export LANGUAGE
# CDPATH.
(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+# Use a proper internal environment variable to ensure we don't fall
+ # into an infinite loop, continuously re-executing ourselves.
+ if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
+ _as_can_reexec=no; export _as_can_reexec;
+ # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+ *v*x* | *x*v* ) as_opts=-vx ;;
+ *v* ) as_opts=-v ;;
+ *x* ) as_opts=-x ;;
+ * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+as_fn_exit 255
+ fi
+ # We don't want this to propagate to other subprocesses.
+ { _as_can_reexec=; unset _as_can_reexec;}
if test "x$CONFIG_SHELL" = x; then
as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
emulate sh
@@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
else
exitcode=1; echo positional parameters were not saved.
fi
-test x\$exitcode = x0 || exit 1"
+test x\$exitcode = x0 || exit 1
+test -x / || exit 1"
as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
@@ -214,21 +238,25 @@ IFS=$as_save_IFS
if test "x$CONFIG_SHELL" != x; then :
- # We cannot yet assume a decent shell, so we have to provide a
- # neutralization value for shells without unset; and this also
- # works around shells that cannot unset nonexistent variables.
- # Preserve -v and -x to the replacement shell.
- BASH_ENV=/dev/null
- ENV=/dev/null
- (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
- export CONFIG_SHELL
- case $- in # ((((
- *v*x* | *x*v* ) as_opts=-vx ;;
- *v* ) as_opts=-v ;;
- *x* ) as_opts=-x ;;
- * ) as_opts= ;;
- esac
- exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
+ export CONFIG_SHELL
+ # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+ *v*x* | *x*v* ) as_opts=-vx ;;
+ *v* ) as_opts=-v ;;
+ *x* ) as_opts=-x ;;
+ * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+exit 255
fi
if test x$as_have_required = xno; then :
@@ -331,6 +359,14 @@ $as_echo X"$as_dir" |
} # as_fn_mkdir_p
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+ test -f "$1" && test -x "$1"
+} # as_fn_executable_p
# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
@@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
chmod +x "$as_me.lineno" ||
{ $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
+ # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
+ # already done that, so ensure we don't try to do so again and fall
+ # in an infinite loop. This has already happened in practice.
+ _as_can_reexec=no; export _as_can_reexec
# Don't try to exec as it changes $[0], causing all sort of problems
# (the dirname of $[0] is not the place where we might find the
# original and so on. Autoconf is especially sensitive to this).
@@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then
# ... but there are two gotchas:
# 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
# 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
- # In both cases, we have to default to `cp -p'.
+ # In both cases, we have to default to `cp -pR'.
ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
- as_ln_s='cp -p'
+ as_ln_s='cp -pR'
elif ln conf$$.file conf$$ 2>/dev/null; then
as_ln_s=ln
else
- as_ln_s='cp -p'
+ as_ln_s='cp -pR'
fi
else
- as_ln_s='cp -p'
+ as_ln_s='cp -pR'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null
@@ -507,28 +547,8 @@ else
as_mkdir_p=false
fi
-if test -x / >/dev/null 2>&1; then
- as_test_x='test -x'
-else
- if ls -dL / >/dev/null 2>&1; then
- as_ls_L_option=L
- else
- as_ls_L_option=
- fi
- as_test_x='
- eval sh -c '\''
- if test -d "$1"; then
- test -d "$1/.";
- else
- case $1 in #(
- -*)set "./$1";;
- esac;
- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
- ???[sx]*):;;*)false;;esac;fi
- '\'' sh
- '
-fi
-as_executable_p=$as_test_x
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -560,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='ldns'
PACKAGE_TARNAME='libdns'
-PACKAGE_VERSION='1.6.17'
-PACKAGE_STRING='ldns 1.6.17'
+PACKAGE_VERSION='1.7.0'
+PACKAGE_STRING='ldns 1.7.0'
PACKAGE_BUGREPORT='libdns@nlnetlabs.nl'
PACKAGE_URL=''
@@ -646,6 +666,7 @@ infodir
docdir
oldincludedir
includedir
+runstatedir
localstatedir
sharedstatedir
sysconfdir
@@ -726,6 +747,7 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -978,6 +1000,15 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
+ -runstatedir | --runstatedir | --runstatedi | --runstated \
+ | --runstate | --runstat | --runsta | --runst | --runs \
+ | --run | --ru | --r)
+ ac_prev=runstatedir ;;
+ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+ | --run=* | --ru=* | --r=*)
+ runstatedir=$ac_optarg ;;
+
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1115,7 +1146,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir
+ libdir localedir mandir runstatedir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@@ -1143,8 +1174,6 @@ target=$target_alias
if test "x$host_alias" != x; then
if test "x$build_alias" = x; then
cross_compiling=maybe
- $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
- If a cross compiler is detected then cross compile mode will be used" >&2
elif test "x$build_alias" != "x$host_alias"; then
cross_compiling=yes
fi
@@ -1230,7 +1259,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures ldns 1.6.17 to adapt to many kinds of systems.
+\`configure' configures ldns 1.7.0 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1270,6 +1299,7 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@@ -1291,7 +1321,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of ldns 1.6.17:";;
+ short | recursive ) echo "Configuration of ldns 1.7.0:";;
esac
cat <<\_ACEOF
@@ -1397,10 +1427,10 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-ldns configure 1.6.17
-generated by GNU Autoconf 2.68
+ldns configure 1.7.0
+generated by GNU Autoconf 2.69
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it.
_ACEOF
@@ -1731,7 +1761,7 @@ $as_echo "$ac_try_echo"; } >&5
test ! -s conftest.err
} && test -s conftest$ac_exeext && {
test "$cross_compiling" = yes ||
- $as_test_x conftest$ac_exeext
+ test -x conftest$ac_exeext
}; then :
ac_retval=0
else
@@ -1866,8 +1896,8 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by ldns $as_me 1.6.17, which was
-generated by GNU Autoconf 2.68. Invocation command line was
+It was created by ldns $as_me 1.7.0, which was
+generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2219,7 +2249,15 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
-# Version 26
+# Version 34
+# 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
+# 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
+# 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
+# 2015-12-11 FLTO check for new OSX, clang.
+# 2015-11-18 spelling check fix.
+# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
+# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
+# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
# 2013-09-19 FLTO help text improved.
# 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
# 2013-06-25 FLTO has --disable-flto option.
@@ -2310,6 +2348,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
# ACX_CHECK_MEMCMP_SIGNED - check if memcmp uses signed characters.
# AHX_MEMCMP_BROKEN - replace memcmp func for CHECK_MEMCMP_SIGNED.
# ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family
+# ACX_CHECK_PIE - add --enable-pie option and check if works
+# ACX_CHECK_RELRO_NOW - add --enable-relro-now option and check it
#
@@ -2413,6 +2453,12 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+
+
+
OURCPPFLAGS=''
CPPFLAGS=${CPPFLAGS:-${OURCPPFLAGS}}
OURCFLAGS='-g'
@@ -2443,7 +2489,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_CC="${ac_tool_prefix}gcc"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -2483,7 +2529,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_ac_ct_CC="gcc"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -2536,7 +2582,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_CC="${ac_tool_prefix}cc"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -2577,7 +2623,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
ac_prog_rejected=yes
continue
@@ -2635,7 +2681,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -2679,7 +2725,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_ac_ct_CC="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -3125,8 +3171,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <stdarg.h>
#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
struct buf { int x; };
FILE * (*rcsopen) (struct buf *, struct stat *, int);
@@ -3366,7 +3411,7 @@ do
for ac_prog in grep ggrep; do
for ac_exec_ext in '' $ac_executable_extensions; do
ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
- { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+ as_fn_executable_p "$ac_path_GREP" || continue
# Check for GNU ac_path_GREP and select it if it is found.
# Check for GNU $ac_path_GREP
case `"$ac_path_GREP" --version 2>&1` in
@@ -3432,7 +3477,7 @@ do
for ac_prog in egrep; do
for ac_exec_ext in '' $ac_executable_extensions; do
ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
- { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+ as_fn_executable_p "$ac_path_EGREP" || continue
# Check for GNU ac_path_EGREP and select it if it is found.
# Check for GNU $ac_path_EGREP
case `"$ac_path_EGREP" --version 2>&1` in
@@ -3639,8 +3684,8 @@ else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-# define __EXTENSIONS__ 1
- $ac_includes_default
+# define __EXTENSIONS__ 1
+ $ac_includes_default
int
main ()
{
@@ -3694,7 +3739,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_CC="${ac_tool_prefix}gcc"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -3734,7 +3779,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_ac_ct_CC="gcc"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -3787,7 +3832,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_CC="${ac_tool_prefix}cc"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -3828,7 +3873,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
ac_prog_rejected=yes
continue
@@ -3886,7 +3931,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -3930,7 +3975,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_ac_ct_CC="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -4126,8 +4171,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <stdarg.h>
#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
struct buf { int x; };
FILE * (*rcsopen) (struct buf *, struct stat *, int);
@@ -4261,7 +4305,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_libtool="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -5060,8 +5104,8 @@ $as_echo "found in $ssldir" >&6; }
fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_CTX_init in -lcrypto" >&5
-$as_echo_n "checking for HMAC_CTX_init in -lcrypto... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_Update in -lcrypto" >&5
+$as_echo_n "checking for HMAC_Update in -lcrypto... " >&6; }
LIBS="$LIBS -lcrypto"
LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -5071,8 +5115,8 @@ int
main ()
{
- int HMAC_CTX_init(void);
- (void)HMAC_CTX_init();
+ int HMAC_Update(void);
+ (void)HMAC_Update();
;
return 0;
@@ -5083,7 +5127,7 @@ if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
-$as_echo "#define HAVE_HMAC_CTX_INIT 1" >>confdefs.h
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
else
@@ -5104,8 +5148,8 @@ int
main ()
{
- int HMAC_CTX_init(void);
- (void)HMAC_CTX_init();
+ int HMAC_Update(void);
+ (void)HMAC_Update();
;
return 0;
@@ -5114,7 +5158,7 @@ _ACEOF
if ac_fn_c_try_link "$LINENO"; then :
-$as_echo "#define HAVE_HMAC_CTX_INIT 1" >>confdefs.h
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
@@ -5136,8 +5180,8 @@ int
main ()
{
- int HMAC_CTX_init(void);
- (void)HMAC_CTX_init();
+ int HMAC_Update(void);
+ (void)HMAC_Update();
;
return 0;
@@ -5146,7 +5190,7 @@ _ACEOF
if ac_fn_c_try_link "$LINENO"; then :
-$as_echo "#define HAVE_HMAC_CTX_INIT 1" >>confdefs.h
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
@@ -5155,83 +5199,58 @@ else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
- as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
-
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
- fi
-
-
- # openssl engine functionality needs dlopen().
- BAKLIBS="$LIBS"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
-$as_echo_n "checking for library containing dlopen... " >&6; }
-if ${ac_cv_search_dlopen+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ LIBS="$BAKLIBS"
+ LIBSSL_LIBS="$BAKSSLLIBS"
+ LIBS="$LIBS -ldl -pthread"
+ LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl -pthread" >&5
+$as_echo_n "checking if -lcrypto needs -ldl -pthread... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
int
main ()
{
-return dlopen ();
+
+ int HMAC_Update(void);
+ (void)HMAC_Update();
+
;
return 0;
}
_ACEOF
-for ac_lib in '' dl; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_dlopen=$ac_res
+if ac_fn_c_try_link "$LINENO"; then :
+
+
+$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
+
fi
rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_dlopen+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_dlopen+:} false; then :
+ conftest$ac_exeext conftest.$ac_ext
-else
- ac_cv_search_dlopen=no
fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
-$as_echo "$ac_cv_search_dlopen" >&6; }
-ac_res=$ac_cv_search_dlopen
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ fi
+
- if test "$LIBS" != "$BAKLIBS"; then
- LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
- fi
fi
for ac_header in openssl/ssl.h
do :
@@ -6448,16 +6467,16 @@ if (echo >conf$$.file) 2>/dev/null; then
# ... but there are two gotchas:
# 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
# 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
- # In both cases, we have to default to `cp -p'.
+ # In both cases, we have to default to `cp -pR'.
ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
- as_ln_s='cp -p'
+ as_ln_s='cp -pR'
elif ln conf$$.file conf$$ 2>/dev/null; then
as_ln_s=ln
else
- as_ln_s='cp -p'
+ as_ln_s='cp -pR'
fi
else
- as_ln_s='cp -p'
+ as_ln_s='cp -pR'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null
@@ -6517,28 +6536,16 @@ else
as_mkdir_p=false
fi
-if test -x / >/dev/null 2>&1; then
- as_test_x='test -x'
-else
- if ls -dL / >/dev/null 2>&1; then
- as_ls_L_option=L
- else
- as_ls_L_option=
- fi
- as_test_x='
- eval sh -c '\''
- if test -d "$1"; then
- test -d "$1/.";
- else
- case $1 in #(
- -*)set "./$1";;
- esac;
- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
- ???[sx]*):;;*)false;;esac;fi
- '\'' sh
- '
-fi
-as_executable_p=$as_test_x
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+ test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -6559,8 +6566,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by ldns $as_me 1.6.17, which was
-generated by GNU Autoconf 2.68. Invocation command line was
+This file was extended by ldns $as_me 1.7.0, which was
+generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
CONFIG_HEADERS = $CONFIG_HEADERS
@@ -6621,11 +6628,11 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-ldns config.status 1.6.17
-configured by $0, generated by GNU Autoconf 2.68,
+ldns config.status 1.7.0
+configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
This config.status script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it."
@@ -6713,7 +6720,7 @@ fi
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
if \$ac_cs_recheck; then
- set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+ set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
shift
\$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
CONFIG_SHELL='$SHELL'
diff --git a/examples/configure.ac b/examples/configure.ac
index e33983e77185..f692a4dceca3 100644
--- a/examples/configure.ac
+++ b/examples/configure.ac
@@ -2,7 +2,7 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.56)
-AC_INIT(ldns, 1.6.17, libdns@nlnetlabs.nl,libdns)
+AC_INIT(ldns, 1.7.0, libdns@nlnetlabs.nl,libdns)
AC_CONFIG_SRCDIR([ldns-read-zone.c])
sinclude(../acx_nlnetlabs.m4)
diff --git a/examples/ldns-compare-zones.1 b/examples/ldns-compare-zones.1
index facccd874562..f299bb229eb8 100644
--- a/examples/ldns-compare-zones.1
+++ b/examples/ldns-compare-zones.1
@@ -14,7 +14,7 @@ ldns-compare-zones \- read and compare two zonefiles and print differences
\fBldns-compare-zones\fR reads two DNS zone files and prints number of differences.
.nf
Output is formated to:
- +NUM_INS -NUM_DEL ~NUM_CHG
+ +NUM_INS \-NUM_DEL ~NUM_CHG
.fi
The major comparison is based on the owner name. If an owner name is present in zonefile 1, but not in zonefile 2, the resource records with this owner name are considered deleted, and counted as NUM_DEL. If an owner name is present in zonefile 2, but not in zonefile 1, the resource records with this owner name are considered inserted, and counted as NUM_INS. If an owner name is present in both, but there is a difference in the amount or content of the records, these are considered changed, and counted as NUM_CHG.
@@ -30,8 +30,8 @@ Print resource records whose owner names are present only in ZONEFILE2 (a.k.a. i
Print resource records whose owner names are present only in ZONEFILE1 (a.k.a. deleted)
.TP
\fB-a\fR
-Print all changes. Specifying this option is the same as specifying -c -i
-amd -d.
+Print all changes. Specifying this option is the same as specifying \-c \-i
+amd \-d.
.TP
\fB-z\fR
Suppress zone sorting; this option is not recommended; it can cause records
@@ -42,6 +42,9 @@ Do not exclude the SOA record from the comparison. The SOA record may
then show up as changed due to a new serial number. Off by default since
you may be interested to know if (other zone apex elements) have changed.
.TP
+\fB-e\fR
+Exit with status code 2 when zones differ.
+.TP
\fB-h\fR
Show usage and exit
.TP
diff --git a/examples/ldns-compare-zones.c b/examples/ldns-compare-zones.c
index a39c4b80c607..514bcb258d84 100644
--- a/examples/ldns-compare-zones.c
+++ b/examples/ldns-compare-zones.c
@@ -25,14 +25,15 @@
static void
usage(char *prog)
{
- printf("Usage: %s [-v] [-i] [-d] [-c] [-s] <zonefile1> <zonefile2>\n",
- prog);
+ printf("Usage: %s [-v] [-i] [-d] [-c] [-s] [-e] "
+ "<zonefile1> <zonefile2>\n", prog);
printf(" -i - print inserted\n");
printf(" -d - print deleted\n");
printf(" -c - print changed\n");
printf(" -a - print all differences (-i -d -c)\n");
printf(" -s - do not exclude SOA record from comparison\n");
printf(" -z - do not sort zones\n");
+ printf(" -e - exit with status 2 on changed zones\n");
printf(" -h - show usage and exit\n");
printf(" -v - show the version and exit\n");
}
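Review bot: The new help line `printf(" -e - exit with status 2 on changed zones\n");` describes the option more narrowly than the man page entry added in this same commit ("Exit with status code 2 when zones differ") and than the tool's own vocabulary, where "changed" is one of three difference classes alongside inserted and deleted; `printf(" -e - exit with status 2 when the zones differ\n");` removes the ambiguity. The rewritten synopsis string still omits -a and -z even though both are documented in the option list directly below it; since the string is being touched anyway, `printf("Usage: %s [-v] [-i] [-d] [-c] [-a] [-s] [-z] [-e] "` would keep the synopsis complete.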
@@ -54,9 +55,10 @@ main(int argc, char **argv)
int c;
bool opt_deleted = false, opt_inserted = false, opt_changed = false;
bool sort = true, inc_soa = false;
+ bool opt_exit_status = false;
char op = 0;
- while ((c = getopt(argc, argv, "ahvdicsz")) != -1) {
+ while ((c = getopt(argc, argv, "ahvdicesz")) != -1) {
switch (c) {
case 'h':
usage(argv[0]);
@@ -69,6 +71,9 @@ main(int argc, char **argv)
ldns_version());
exit(EXIT_SUCCESS);
break;
+ case 'e':
+ opt_exit_status = true;
+ break;
case 's':
inc_soa = true;
break;
@@ -281,5 +286,5 @@ main(int argc, char **argv)
ldns_zone_deep_free(z2);
ldns_zone_deep_free(z1);
- return 0;
+ return opt_exit_status && (num_ins || num_del || num_chg) ? 2 : 0;
}
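Review bot: The new return expression relies on `&&` binding tighter than `?:`, which is correct but reads easily as `opt_exit_status && ((...) ? 2 : 0)`; parenthesizing the condition, `return (opt_exit_status && (num_ins || num_del || num_chg)) ? 2 : 0;`, makes the intent explicit. A short comment that status 2 means "zones differ" and is deliberately distinct from whatever status the error paths of main() use (presumably EXIT_FAILURE, which is outside this hunk) would also help scripted callers. main() starts outside the hunk.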
diff --git a/examples/ldns-dane.1.in b/examples/ldns-dane.1.in
index b65e64f0441f..a3d83a227fff 100644
--- a/examples/ldns-dane.1.in
+++ b/examples/ldns-dane.1.in
@@ -17,9 +17,9 @@ ldns-dane \- verify or create TLS authentication with DANE (RFC6698)
.B ldns-dane
.IR [OPTIONS]
+.IR create
.IR name
.IR port
-.IR create
.PP
[
.IR Certificate-usage
@@ -55,38 +55,35 @@ The parameters for TLSA rr creation are:
.PD 0
.I Certificate-usage\fR:
.RS
-.IP 0
+.IP "0 | PKIX-TA"
CA constraint
-.IP 1
+.IP "1 | PKIX-EE"
Service certificate constraint
-.IP 2
+.IP "2 | DANE-TA"
Trust anchor assertion
-.IP 3
+.IP "3 | DANE-EE"
Domain-issued certificate (default)
.RE
.I Selector\fR:
.RS
-.IP 0
-Full certificate (default)
-.IP 1
-SubjectPublicKeyInfo
+.IP "0 | Cert"
+Full certificate
+.IP "1 | SPKI"
+SubjectPublicKeyInfo (default)
.RE
.I Matching-type\fR:
.RS
-.IP 0
+.IP "0 | Full"
No hash used
-.IP 1
+.IP "1 | SHA2-256"
SHA-256 (default)
-.IP 2
+.IP "2 | SHA2-512"
SHA-512
.RE
.PD 1
-In stead of numbers the first few letters of the value may be used.
-Except for the hash algorithm name, where the full name must be specified.
-
.SH OPTIONS
.IP -4
TLS connect IPv4 only
@@ -128,7 +125,7 @@ select the \fIoffset\fRth certificate offset from the end
of the validation chain. 0 means the last certificate, 1 the one but last,
2 the second but last, etc.
-When \fIoffset\fR is -1 (the default), the last certificate
+When \fIoffset\fR is \-1 (the default), the last certificate
is used (like with 0) that MUST be self-signed. This can help to make
sure that the intended (self signed) trust anchor is actually present
in the server certificate chain (which is a DANE requirement).
diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c
index 93c18e548353..f22367595206 100644
--- a/examples/ldns-dane.c
+++ b/examples/ldns-dane.c
@@ -58,37 +58,45 @@
/* int verbosity = 3; */
-void
+static void
print_usage(const char* progname)
{
+#ifdef USE_DANE_VERIY
printf("Usage: %s [OPTIONS] verify <name> <port>\n", progname);
printf(" or: %s [OPTIONS] -t <tlsafile> verify\n", progname);
printf("\n\tVerify the TLS connection at <name>:<port> or"
"\n\tuse TLSA record(s) from <tlsafile> to verify the\n"
"\tTLS service they reference.\n");
printf("\n or: %s [OPTIONS] create <name> <port> [<usage> "
+#else
+ printf("Usage: %s [OPTIONS] create <name> <port> [<usage> "
+#endif
"[<selector> [<type>]]]\n", progname);
printf("\n\tUse the TLS connection(s) to <name> <port> "
"to create the TLSA\n\t"
"resource record(s) that would "
"authenticate the connection.\n");
printf("\n\t<usage>"
- "\t\t0: CA constraint\n"
- "\t\t\t1: Service certificate constraint\n"
- "\t\t\t2: Trust anchor assertion\n"
- "\t\t\t3: Domain-issued certificate (default)\n");
+ "\t\t0 | PKIX-TA : CA constraint\n"
+ "\t\t\t1 | PKIX-EE : Service certificate constraint\n"
+ "\t\t\t2 | DANE-TA : Trust anchor assertion\n"
+ "\t\t\t3 | DANE-EE : Domain-issued certificate "
+ "(default)\n");
printf("\n\t<selector>"
- "\t0: Full certificate (default)\n"
- "\t\t\t1: SubjectPublicKeyInfo\n");
+ "\t0 | Cert : Full certificate\n"
+ "\t\t\t1 | SPKI : SubjectPublicKeyInfo "
+ "(default)\n");
printf("\n\t<type>"
- "\t\t0: No hash used\n"
- "\t\t\t1: SHA-256 (default)\n"
- "\t\t\t2: SHA-512\n");
+ "\t\t0 | Full : No hash used\n"
+ "\t\t\t1 | SHA2-256 : SHA-256 (default)\n"
+ "\t\t\t2 | SHA2-512 : SHA-512\n");
printf("OPTIONS:\n");
printf("\t-h\t\tshow this text\n");
printf("\t-4\t\tTLS connect IPv4 only\n");
printf("\t-6\t\tTLS connect IPv6 only\n");
+ printf("\t-r <address>\t"
+ "use resolver at <address> instead of local resolver\n");
printf("\t-a <address>\t"
"don't resolve <name>, but connect to <address>(es)\n");
printf("\t-b\t\t"
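Review bot: The guard on the first added line reads `#ifdef USE_DANE_VERIY`, while every other guard in this file spells the macro `USE_DANE_VERIFY` (see the hunks around ssl_interact and dane_verify); as written the condition can never be true, so even builds with verify support print only the `create` synopsis and the `verify` usage lines are dead code. Change it to `#ifdef USE_DANE_VERIFY`. print_usage continues past the end of the hunk.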
@@ -133,7 +141,7 @@ print_usage(const char* progname)
exit(EXIT_SUCCESS);
}
-int
+static int
dane_int_within_range(const char* arg, int max, const char* name)
{
char* endptr; /* utility var for strtol usage */
@@ -157,30 +165,52 @@ struct dane_param_choice_struct {
typedef struct dane_param_choice_struct dane_param_choice;
dane_param_choice dane_certificate_usage_table[] = {
- { "CA constraint" , 0 },
- { "CA-constraint" , 0 },
- { "Service certificate constraint" , 1 },
- { "Service-certificate-constraint" , 1 },
- { "Trust anchor assertion" , 2 },
- { "Trust-anchor-assertion" , 2 },
- { "anchor" , 2 },
- { "Domain-issued certificate" , 3 },
- { "Domain-issued-certificate" , 3 },
+ { "PKIX-TA" , 0 },
+ { "CA constraint" , 0 },
+ { "CA-constraint" , 0 },
+ { "PKIX-EE" , 1 },
+ { "Service certificate constraint" , 1 },
+ { "Service-certificate-constraint" , 1 },
+ { "DANE-TA" , 2 },
+ { "Trust anchor assertion" , 2 },
+ { "Trust-anchor-assertion" , 2 },
+ { "anchor" , 2 },
+ { "DANE-EE" , 3 },
+ { "Domain-issued certificate" , 3 },
+ { "Domain-issued-certificate" , 3 },
+ { "PrivCert" , 255 },
{ NULL, -1 }
};
dane_param_choice dane_selector_table[] = {
- { "Full certificate" , 0 },
- { "Full-certificate" , 0 },
- { "certificate" , 0 },
- { "SubjectPublicKeyInfo", 1 },
- { "PublicKey" , 1 },
- { "pubkey" , 1 },
- { "key" , 1 },
+ { "Cert" , 0 },
+ { "Full certificate" , 0 },
+ { "Full-certificate" , 0 },
+ { "certificate" , 0 },
+ { "SPKI" , 1 },
+ { "SubjectPublicKeyInfo", 1 },
+ { "PublicKey" , 1 },
+ { "pubkey" , 1 },
+ { "key" , 1 },
+ { "PrivSel" , 255 },
{ NULL, -1 }
};
-int
+dane_param_choice dane_matching_type_table[] = {
+ { "Full" , 0 },
+ { "no-hash-used" , 0 },
+ { "no hash used" , 0 },
+ { "SHA2-256" , 1 },
+ { "sha256" , 1 },
+ { "sha-256" , 1 },
+ { "SHA2-512" , 2 },
+ { "sha512" , 2 },
+ { "sha-512" , 2 },
+ { "PrivMatch" , 255 },
+ { NULL, -1 }
+};
+
+static int
dane_int_within_range_table(const char* arg, int max, const char* name,
dane_param_choice table[])
{
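Review bot: The three lookup tables remain non-`static`, non-`const` globals even though this commit otherwise makes every file-local symbol `static`; they are only read by dane_int_within_range_table, so `static const dane_param_choice dane_matching_type_table[] = {` (and the same for the usage and selector tables, with the parameter declared `const dane_param_choice table[]`) keeps them out of the global namespace and out of writable data. The new `PrivCert`/`PrivSel`/`PrivMatch` entries map to 255, above the `max` of 3/1/2 that the numeric fallback on the next hunk enforces; if the name path returns the table value without that check (the function body is outside this hunk), private-use values are accepted by name but rejected as numbers, which deserves a comment saying it is intentional. dane_int_within_range_table's body is outside the hunk.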
@@ -196,7 +226,7 @@ dane_int_within_range_table(const char* arg, int max, const char* name,
return dane_int_within_range(arg, max, name);
}
-void
+static void
ssl_err(const char* s)
{
fprintf(stderr, "error: %s\n", s);
@@ -204,7 +234,7 @@ ssl_err(const char* s)
exit(EXIT_FAILURE);
}
-void
+static void
ldns_err(const char* s, ldns_status err)
{
if (err == LDNS_STATUS_SSL_ERR) {
@@ -215,7 +245,7 @@ ldns_err(const char* s, ldns_status err)
}
}
-ldns_status
+static ldns_status
ssl_connect_and_get_cert_chain(
X509** cert, STACK_OF(X509)** extra_certs,
SSL* ssl, const char* name_str,
@@ -296,7 +326,8 @@ ssl_connect_and_get_cert_chain(
}
-void
+#ifdef USE_DANE_VERIFY
+static void
ssl_interact(SSL* ssl)
{
fd_set rfds;
@@ -382,9 +413,10 @@ ssl_interact(SSL* ssl)
} /* for (;;) */
}
+#endif /* USE_DANE_VERIFY */
-ldns_rr_list*
+static ldns_rr_list*
rr_list_filter_rr_type(ldns_rr_list* l, ldns_rr_type t)
{
size_t i;
@@ -414,7 +446,7 @@ rr_list_filter_rr_type(ldns_rr_list* l, ldns_rr_type t)
*
* This to check what would happen if PKIX validation was successfull always.
*/
-ldns_rr_list*
+static ldns_rr_list*
dane_no_pkix_transform(const ldns_rr_list* tlas)
{
size_t i;
@@ -476,7 +508,7 @@ dane_no_pkix_transform(const ldns_rr_list* tlas)
return r;
}
-void
+static void
print_rr_as_TYPEXXX(FILE* out, ldns_rr* rr)
{
size_t i, sz;
@@ -507,7 +539,7 @@ print_rr_as_TYPEXXX(FILE* out, ldns_rr* rr)
LDNS_FREE(str);
}
-void
+static void
print_rr_list_as_TYPEXXX(FILE* out, ldns_rr_list* l)
{
size_t i;
@@ -517,7 +549,7 @@ print_rr_list_as_TYPEXXX(FILE* out, ldns_rr_list* l)
}
}
-ldns_status
+static ldns_status
read_key_file(const char *filename, ldns_rr_list *keys)
{
ldns_status status = LDNS_STATUS_ERR;
@@ -556,15 +588,24 @@ read_key_file(const char *filename, ldns_rr_list *keys)
}
-ldns_status
-dane_setup_resolver(ldns_resolver** res,
+static ldns_status
+dane_setup_resolver(ldns_resolver** res, ldns_rdf* nameserver_addr,
ldns_rr_list* keys, bool dnssec_off)
{
- ldns_status s;
+ ldns_status s = LDNS_STATUS_OK;
assert(res != NULL);
- s = ldns_resolver_new_frm_file(res, NULL);
+ if (nameserver_addr) {
+ *res = ldns_resolver_new();
+ if (*res) {
+ s = ldns_resolver_push_nameserver(*res, nameserver_addr);
+ } else {
+ s = LDNS_STATUS_MEM_ERR;
+ }
+ } else {
+ s = ldns_resolver_new_frm_file(res, NULL);
+ }
if (s == LDNS_STATUS_OK) {
ldns_resolver_set_dnssec(*res, ! dnssec_off);
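Review bot: When `ldns_resolver_push_nameserver` fails, the resolver just created by `ldns_resolver_new()` is left in `*res` while a non-OK status is returned, so the caller holds a live resolver paired with a failure; the callers in this diff exit through LDNS_ERR, so this is only a leak on the error path, but `if (s != LDNS_STATUS_OK) { ldns_resolver_free(*res); *res = NULL; }` after the push keeps the contract simple. It is also worth confirming that push_nameserver copies `nameserver_addr`, because main() deep-frees `nameserver_rdf` during cleanup while the resolver may still be referenced; a one-line ownership comment on the `nameserver_addr` parameter would settle it. The rest of the function is outside the hunk.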
@@ -578,7 +619,7 @@ dane_setup_resolver(ldns_resolver** res,
}
-ldns_status
+static ldns_status
dane_query(ldns_rr_list** rrs, ldns_resolver* r,
ldns_rdf *name, ldns_rr_type t, ldns_rr_class c,
bool insecure_is_ok)
@@ -597,7 +638,7 @@ dane_query(ldns_rr_list** rrs, ldns_resolver* r,
}
*rrs = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_ANSWER);
- if (! ldns_resolver_dnssec(r)) { /* DNSSEC explicitely disabled,
+ if (! ldns_resolver_dnssec(r)) { /* DNSSEC explicitly disabled,
anything goes */
ldns_pkt_free(p);
return LDNS_STATUS_OK;
@@ -683,7 +724,7 @@ cleanup:
}
-ldns_rr_list*
+static ldns_rr_list*
dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
int ai_family)
{
@@ -750,7 +791,7 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
return r;
}
-ldns_status
+static ldns_status
dane_read_tlsas_from_file(ldns_rr_list** tlsas,
char* filename, ldns_rdf* origin)
{
@@ -842,7 +883,7 @@ error:
return s;
}
-bool
+static bool
dane_wildcard_label_cmp(uint8_t iw, const char* w, uint8_t il, const char* l)
{
if (iw == 0) { /* End of match label */
@@ -885,7 +926,7 @@ dane_wildcard_label_cmp(uint8_t iw, const char* w, uint8_t il, const char* l)
return iw == 0 && il == 0;
}
-bool
+static bool
dane_label_matches_label(ldns_rdf* w, ldns_rdf* l)
{
uint8_t iw;
@@ -898,7 +939,7 @@ dane_label_matches_label(ldns_rdf* w, ldns_rdf* l)
il, (const char*)ldns_rdf_data(l) + 1);
}
-bool
+static bool
dane_name_matches_server_name(const char* name_str, ldns_rdf* server_name)
{
ldns_rdf* name;
@@ -938,7 +979,7 @@ dane_name_matches_server_name(const char* name_str, ldns_rdf* server_name)
return true;
}
-bool
+static bool
dane_X509_any_subject_alt_name_matches_server_name(
X509 *cert, ldns_rdf* server_name)
{
@@ -972,7 +1013,7 @@ dane_X509_any_subject_alt_name_matches_server_name(
return false;
}
-bool
+static bool
dane_X509_subject_name_matches_server_name(X509 *cert, ldns_rdf* server_name)
{
X509_NAME* subject_name;
@@ -1000,7 +1041,7 @@ dane_X509_subject_name_matches_server_name(X509 *cert, ldns_rdf* server_name)
}
}
-bool
+static bool
dane_verify_server_name(X509* cert, ldns_rdf* server_name)
{
ldns_rdf* server_name_lc;
@@ -1018,7 +1059,7 @@ dane_verify_server_name(X509* cert, ldns_rdf* server_name)
return r;
}
-void
+static void
dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
ldns_tlsa_certificate_usage certificate_usage, int offset,
ldns_tlsa_selector selector,
@@ -1047,7 +1088,7 @@ dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
selected_cert);
LDNS_ERR(s, "could not create tlsa rr");
- ldns_rr_set_owner(tlsa_rr, tlsa_owner);
+ ldns_rr_set_owner(tlsa_rr, ldns_rdf_clone(tlsa_owner));
if (! ldns_rr_list_contains_rr(tlsas, tlsa_rr)) {
if (! ldns_rr_list_push_rr(tlsas, tlsa_rr)) {
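Review bot: The `ldns_rdf_clone` result goes straight into `ldns_rr_set_owner` without a NULL check, so on allocation failure the RR silently ends up with no owner; `ldns_rdf *owner = ldns_rdf_clone(tlsa_owner); if (!owner) { MEMERR("ldns_rdf_clone"); }` before the call matches how main() handles its other allocations. Cloning also means the duplicate branch — the `else` of `ldns_rr_list_contains_rr`, which is outside this hunk — now has to free `tlsa_rr` together with its owner (presumably ldns_rr_free), or one clone leaks per repeated certificate. dane_create starts and ends outside the hunk.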
@@ -1056,7 +1097,8 @@ dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
}
}
-bool
+#if defined(USE_DANE_VERIFY) && ( OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) )
+static bool
dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
X509* cert, STACK_OF(X509)* extra_certs,
X509_STORE* validate_store,
@@ -1096,6 +1138,22 @@ dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
ldns_get_errorstr_by_id(s));
return false;
}
+#endif /* defined(USE_DANE_VERIFY) && OPENSSL_VERSION_NUMBER < 0x10100000 */
+
+/**
+ * Return either an A or AAAA rdf, based on the given
+ * string. If it it not a valid ip address, return null.
+ *
+ * Caller receives ownership of returned rdf (if not null),
+ * and must free it.
+ */
+static inline ldns_rdf* rdf_addr_frm_str(const char* str) {
+ ldns_rdf *a = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_A, str);
+ if (!a) {
+ a = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_AAAA, str);
+ }
+ return a;
+}
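Review bot: The doc comment on the new helper has a typo, "If it it not a valid ip address, return null"; suggest `* string. If it is not a valid IP address, return NULL.` so it names the actual return value. The closing `#endif` comment just above drops the `|| defined(HAVE_LIBRESSL)` half of the condition it closes, so it no longer matches its `#if`. Both are comment-only changes.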
int
@@ -1107,6 +1165,11 @@ main(int argc, char* const* argv)
ldns_status s;
size_t i;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)
+ size_t j, usable_tlsas = 0;
+ X509_STORE_CTX *store_ctx = NULL;
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
+
bool print_tlsa_as_type52 = false;
bool assume_dnssec_validity = false;
bool assume_pkix_validity = false;
@@ -1143,6 +1206,7 @@ main(int argc, char* const* argv)
uint16_t port = 0; /* supress uninitialized warning */
ldns_resolver* res = NULL;
+ ldns_rdf* nameserver_rdf = NULL;
ldns_rdf* tlsa_owner = NULL;
char* tlsa_owner_str = NULL;
ldns_rr_list* tlsas = NULL;
@@ -1178,7 +1242,7 @@ main(int argc, char* const* argv)
if (! keys || ! addresses) {
MEMERR("ldns_rr_list_new");
}
- while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:sSt:TuvV:")) != -1){
+ while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:r:sSt:TuvV:")) != -1){
switch(c) {
case 'h':
print_usage("ldns-dane");
@@ -1189,6 +1253,19 @@ main(int argc, char* const* argv)
case '6':
ai_family = AF_INET6;
break;
+ case 'r':
+ if (nameserver_rdf) {
+ fprintf(stderr, "Can only specify -r once\n");
+ exit(EXIT_FAILURE);
+ }
+ nameserver_rdf = rdf_addr_frm_str(optarg);
+ if (!nameserver_rdf) {
+ fprintf(stderr,
+ "Could not interpret address %s\n",
+ optarg);
+ exit(EXIT_FAILURE);
+ }
+ break;
case 'a':
s = ldns_str2rdf_a(&address, optarg);
if (s == LDNS_STATUS_OK) {
@@ -1336,6 +1413,7 @@ main(int argc, char* const* argv)
argc--;
argv++;
+#ifdef USE_DANE_VERIFY
} else if (strncasecmp(*argv, "verify", strlen(*argv)) == 0) {
mode = VERIFY;
@@ -1344,9 +1422,20 @@ main(int argc, char* const* argv)
} else {
fprintf(stderr, "Specify create or verify mode\n");
+#else
+ } else {
+ fprintf(stderr, "Specify create mode\n");
+#endif
exit(EXIT_FAILURE);
}
+#ifndef USE_DANE_VERIFY
+ (void)transport_str;
+ (void)transport_rdf;
+ (void)port_str;
+ (void)port_rdf;
+ (void)interact;
+#else
if (mode == VERIFY && argc == 0) {
if (! tlsas_file) {
@@ -1446,7 +1535,9 @@ main(int argc, char* const* argv)
}
- } else if (argc < 2) {
+ } else
+#endif /* USE_DANE_VERIFY */
+ if (argc < 2) {
print_usage("ldns-dane");
@@ -1480,8 +1571,8 @@ main(int argc, char* const* argv)
LDNS_ERR(s, "could not read tlas from file");
} else {
/* lookup tlsas */
- s = dane_setup_resolver(&res, keys,
- assume_dnssec_validity);
+ s = dane_setup_resolver(&res, nameserver_rdf,
+ keys, assume_dnssec_validity);
LDNS_ERR(s, "could not dane_setup_resolver");
s = dane_query(&tlsas, res, tlsa_owner,
LDNS_RR_TYPE_TLSA, LDNS_RR_CLASS_IN,
@@ -1532,8 +1623,7 @@ main(int argc, char* const* argv)
dane_certificate_usage_table);
argc--;
} else {
- certificate_usage =
- LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
+ certificate_usage = LDNS_TLSA_USAGE_DANE_EE;
}
if (argc > 0) {
selector = dane_int_within_range_table(
@@ -1541,35 +1631,16 @@ main(int argc, char* const* argv)
dane_selector_table);
argc--;
} else {
- selector = LDNS_TLSA_SELECTOR_FULL_CERTIFICATE;
+ selector = LDNS_TLSA_SELECTOR_SPKI;
}
if (argc > 0) {
- if (*argv && /* strlen(argv) > 0 */
- (strncasecmp(*argv, "no-hash-used",
- strlen(*argv)) == 0 ||
- strncasecmp(*argv, "no hash used",
- strlen(*argv)) == 0 )) {
- matching_type =
- LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED;
+ matching_type = dane_int_within_range_table(
+ *argv++, 2, "matching type",
+ dane_matching_type_table);
- } else if (strcasecmp(*argv, "sha256") == 0 ||
- strcasecmp(*argv, "sha-256") == 0) {
-
- matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
-
- } else if (strcasecmp(*argv, "sha512") == 0 ||
- strcasecmp(*argv, "sha-512") == 0) {
-
- matching_type = LDNS_TLSA_MATCHING_TYPE_SHA512;
-
- } else {
- matching_type = dane_int_within_range(
- *argv, 2, "matching type");
- }
- argv++;
argc--;
} else {
- matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
+ matching_type = LDNS_TLSA_MATCHING_TYPE_SHA2_256;
}
if (argc > 0) {
@@ -1617,7 +1688,14 @@ main(int argc, char* const* argv)
}
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+ ctx = SSL_CTX_new(TLS_client_method());
+ if (ctx && SSL_CTX_dane_enable(ctx) <= 0) {
+ ssl_err("could not SSL_CTX_dane_enable");
+ }
+#endif
if (! ctx) {
ssl_err("could not SSL_CTX_new");
}
@@ -1636,16 +1714,23 @@ main(int argc, char* const* argv)
if (! cert) {
ssl_err("could not SSL_get_certificate");
}
+#ifndef SSL_CTX_get_extra_chain_certs
#ifndef S_SPLINT_S
extra_certs = ctx->extra_certs;
+#endif /* splint */
+#else
+ if(!SSL_CTX_get_extra_chain_certs(ctx, &extra_certs)) {
+ ssl_err("could not SSL_CTX_get_extra_chain_certs");
+ }
#endif
-
switch (mode) {
case CREATE: dane_create(tlsas, tlsa_owner, certificate_usage,
offset, selector, matching_type,
cert, extra_certs, store,
verify_server_name, name);
break;
+#ifdef USE_DANE_VERIFY
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
case VERIFY: if (! dane_verify(tlsas, NULL,
cert, extra_certs, store,
verify_server_name, name,
@@ -1653,6 +1738,82 @@ main(int argc, char* const* argv)
success = false;
}
break;
+#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+ case VERIFY:
+ usable_tlsas = 0;
+ SSL_set_connect_state(ssl);
+ if (SSL_dane_enable(ssl, name_str) <= 0) {
+ ssl_err("could not SSL_dane_enable");
+ }
+ if (!verify_server_name) {
+ SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+ }
+ for (j = 0; j < ldns_rr_list_rr_count(tlsas); j++) {
+ int ret;
+ ldns_rr *tlsa_rr = ldns_rr_list_rr(tlsas, j);
+
+ if (ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA) {
+ fprintf(stderr, "Skipping non TLSA RR: ");
+ ldns_rr_print(stderr, tlsa_rr);
+ fprintf(stderr, "\n");
+ continue;
+ }
+ if (ldns_rr_rd_count(tlsa_rr) != 4) {
+ fprintf(stderr, "Skipping TLSA with wrong rdata RR: ");
+ ldns_rr_print(stderr, tlsa_rr);
+ fprintf(stderr, "\n");
+ continue;
+ }
+ ret = SSL_dane_tlsa_add(ssl,
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)),
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)),
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)),
+ ldns_rdf_data(ldns_rr_rdf(tlsa_rr, 3)),
+ ldns_rdf_size(ldns_rr_rdf(tlsa_rr, 3)));
+ if (ret < 0) {
+ ssl_err("could not SSL_dane_tlsa_add");
+ }
+ if (ret == 0) {
+ fprintf(stderr, "Skipping unusable TLSA RR: ");
+ ldns_rr_print(stderr, tlsa_rr);
+ fprintf(stderr, "\n");
+ continue;
+ }
+ usable_tlsas += 1;
+ }
+ if (!usable_tlsas) {
+ fprintf(stderr, "No usable TLSA records were found.\n"
+ "PKIX validation without DANE will be performed.\n");
+ }
+ if (!(store_ctx = X509_STORE_CTX_new())) {
+ ssl_err("could not SSL_new");
+ }
+ if (!X509_STORE_CTX_init(store_ctx, store, cert, extra_certs)) {
+ ssl_err("could not X509_STORE_CTX_init");
+ }
+ X509_STORE_CTX_set_default(store_ctx,
+ SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
+ X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
+ SSL_get0_param(ssl));
+ X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
+ X509_NAME_print_ex_fp(stdout,
+ X509_get_subject_name(cert), 0, 0);
+ if (X509_verify_cert(store_ctx)) {
+ fprintf(stdout, " %s-validated successfully\n",
+ usable_tlsas
+ ? "dane" : "PKIX");
+ } else {
+ fprintf(stdout, " did not dane-validate, because: %s\n",
+ X509_verify_cert_error_string(
+ X509_STORE_CTX_get_error(store_ctx)));
+ success = false;
+ }
+ if (store_ctx) {
+ X509_STORE_CTX_free(store_ctx);
+ }
+ break;
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+#endif /* ifdef USE_DANE_VERIFY */
default: break; /* suppress warning */
}
SSL_free(ssl);
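Review bot: The failure message at the X509_STORE_CTX_new() check is a copy-paste slip, `ssl_err("could not SSL_new");`, which should read `ssl_err("could not X509_STORE_CTX_new");`, and the `if (store_ctx)` test before X509_STORE_CTX_free is redundant because ssl_err() exits. More importantly, when no TLSA record is usable the code prints a warning and continues with `success` untouched, so a run asked to DANE-verify reports "PKIX-validated successfully" and exits zero; the same fallback is repeated in the hunk ending at L1643, and the result printer in the hunk ending at L1671 still says "did not dane-validate" when no TLSA record was in play at all. A missing or unusable TLSA set is exactly the condition a verifier should surface, so I would set `success = false` in the `!usable_tlsas` branch (or gate the PKIX fallback behind an explicit option) and have the messages say which mode actually ran. The TLSA-add loop is also duplicated verbatim between this hunk and the one ending at L1643; a static helper returning the usable count, sketched below, removes the duplication and makes the `j` declared at the top of main() unnecessary. main() starts and ends outside the hunk.
```c
/* Feed every well-formed TLSA RR in `tlsas` to OpenSSL's DANE verifier.
 * Returns how many records OpenSSL accepted as usable; RRs of the wrong
 * type or rdata count and records OpenSSL rejects are reported on stderr
 * and skipped.  Exits via ssl_err() on an OpenSSL error. */
static size_t
dane_ssl_add_tlsas(SSL *ssl, ldns_rr_list *tlsas)
{
	size_t j, usable = 0;

	for (j = 0; j < ldns_rr_list_rr_count(tlsas); j++) {
		/* … unchanged: type/rd_count checks, SSL_dane_tlsa_add call and
		 * the `continue` on skipped records, exactly as in the hunk … */
		usable += 1;
	}
	return usable;
}

/* … in main(), at both VERIFY sites: … */
usable_tlsas = dane_ssl_add_tlsas(ssl, tlsas);
if (!usable_tlsas) {
	fprintf(stderr, "No usable TLSA records were found.\n");
	success = false;
}
```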
@@ -1661,8 +1822,8 @@ main(int argc, char* const* argv)
/* We need addresses to connect to */
if (ldns_rr_list_rr_count(addresses) == 0) {
- s = dane_setup_resolver(&res, keys,
- assume_dnssec_validity);
+ s = dane_setup_resolver(&res, nameserver_rdf,
+ keys, assume_dnssec_validity);
LDNS_ERR(s, "could not dane_setup_resolver");
ldns_rr_list_free(addresses);
addresses =dane_lookup_addresses(res, name, ai_family);
@@ -1683,7 +1844,54 @@ main(int argc, char* const* argv)
address = ldns_rr_a_address(
ldns_rr_list_rr(addresses, i));
assert(address != NULL);
-
+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)
+ if (mode == VERIFY) {
+ usable_tlsas = 0;
+ if (SSL_dane_enable(ssl, name_str) <= 0) {
+ ssl_err("could not SSL_dane_enable");
+ }
+ if (!verify_server_name) {
+ SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+ }
+ for (j = 0; j < ldns_rr_list_rr_count(tlsas); j++) {
+ int ret;
+ ldns_rr *tlsa_rr = ldns_rr_list_rr(tlsas, j);
+
+ if (ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA) {
+ fprintf(stderr, "Skipping non TLSA RR: ");
+ ldns_rr_print(stderr, tlsa_rr);
+ fprintf(stderr, "\n");
+ continue;
+ }
+ if (ldns_rr_rd_count(tlsa_rr) != 4) {
+ fprintf(stderr, "Skipping TLSA with wrong rdata RR: ");
+ ldns_rr_print(stderr, tlsa_rr);
+ fprintf(stderr, "\n");
+ continue;
+ }
+ ret = SSL_dane_tlsa_add(ssl,
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)),
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)),
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)),
+ ldns_rdf_data(ldns_rr_rdf(tlsa_rr, 3)),
+ ldns_rdf_size(ldns_rr_rdf(tlsa_rr, 3)));
+ if (ret < 0) {
+ ssl_err("could not SSL_dane_tlsa_add");
+ }
+ if (ret == 0) {
+ fprintf(stderr, "Skipping unusable TLSA RR: ");
+ ldns_rr_print(stderr, tlsa_rr);
+ fprintf(stderr, "\n");
+ continue;
+ }
+ usable_tlsas += 1;
+ }
+ if (!usable_tlsas) {
+ fprintf(stderr, "No usable TLSA records were found.\n"
+ "PKIX validation without DANE will be performed.\n");
+ }
+ }
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
s = ssl_connect_and_get_cert_chain(&cert, &extra_certs,
ssl, name_str, address,port, transport);
if (s == LDNS_STATUS_NETWORK_ERR) {
@@ -1696,8 +1904,27 @@ main(int argc, char* const* argv)
continue;
}
LDNS_ERR(s, "could not get cert chain from ssl");
- switch (mode) {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)
+
+ if (mode == VERIFY) {
+ char *address_str = ldns_rdf2str(address);
+ long verify_result = SSL_get_verify_result(ssl);
+
+ fprintf(stdout, "%s", address_str ? address_str : "<address>");
+ free(address_str);
+ if (verify_result == X509_V_OK) {
+ fprintf(stdout, " %s-validated successfully\n",
+ usable_tlsas
+ ? "dane" : "PKIX");
+ } else {
+ fprintf(stdout, " did not dane-validate, because: %s\n",
+ X509_verify_cert_error_string(verify_result));
+ success = false;
+ }
+ }
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
+ switch (mode) {
case CREATE: dane_create(tlsas, tlsa_owner,
certificate_usage, offset,
selector, matching_type,
@@ -1705,16 +1932,23 @@ main(int argc, char* const* argv)
verify_server_name, name);
break;
- case VERIFY: if (! dane_verify(tlsas, address,
+#ifdef USE_DANE_VERIFY
+ case VERIFY:
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+ if (! dane_verify(tlsas, address,
cert, extra_certs, store,
verify_server_name, name,
assume_pkix_validity)) {
success = false;
- } else if (interact) {
+ }
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+ if (success && interact) {
ssl_interact(ssl);
}
break;
+#endif /* USE_DANE_VERIFY */
+
default: break; /* suppress warning */
}
while (SSL_shutdown(ssl) == 0);
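Review bot: `if (success && interact)` replaces the old `else if (interact)` that hung off this address's own dane_verify() result, but `success` accumulates across the whole address loop (which begins outside the hunk), so once any earlier address has failed, no later address gets an interactive session even if it validated. If that is intended — no interaction once the host as a whole has failed DANE — a comment such as `/* only interact while every address so far has validated */` stops the next reader from "fixing" it; otherwise keep a per-address result in a local and test that. In the OpenSSL >= 1.1 build this VERIFY case has no dane_verify() call at all, so interaction then depends solely on the result computed in the earlier `if (mode == VERIFY)` block, which is worth stating in the same comment.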
@@ -1734,6 +1968,9 @@ main(int argc, char* const* argv)
/* cleanup */
SSL_CTX_free(ctx);
+ if (nameserver_rdf) {
+ ldns_rdf_deep_free(nameserver_rdf);
+ }
if (store) {
X509_STORE_free(store);
}
@@ -1768,6 +2005,9 @@ main(int argc, char **argv)
int
main(int argc, char **argv)
{
+ (void)argc;
+ (void)argv;
+
fprintf(stderr, "dane support was disabled with this build of ldns, "
"and has not been compiled in\n");
return 1;
diff --git a/examples/ldns-dpa.1 b/examples/ldns-dpa.1
index 0b433df66179..b6688ae4c73a 100644
--- a/examples/ldns-dpa.1
+++ b/examples/ldns-dpa.1
@@ -26,17 +26,17 @@ Show usage
.TP
\fB-p\fR
-Show the total number of correct DNS packets, and percentage of -u and
--c values (of the total of matching on the -f filter. if no filter is
+Show the total number of correct DNS packets, and percentage of \-u and
+\-c values (of the total of matching on the \-f filter. if no filter is
given, percentages are on all correct dns packets)
.TP
\fB-of\fR \fIfile\fR
-Write all packets that match the -f flag to file, as pcap data.
+Write all packets that match the \-f flag to file, as pcap data.
.TP
\fB-ofh\fR \fIfile\fR
-Write all packets that match the -f flag to file, in hexadecimal format,
+Write all packets that match the \-f flag to file, in hexadecimal format,
readable by drill.
.TP
@@ -49,8 +49,8 @@ show possible match operators and values for name
.TP
\fB-sf\fR
-Only evaluate packets (in representation format) that match the -f filter.
-If no -f was given, evaluate all correct dns packets.
+Only evaluate packets (in representation format) that match the \-f filter.
+If no \-f was given, evaluate all correct dns packets.
.TP
\fB-u\fR \fImatchnamelist\fR
@@ -58,15 +58,15 @@ Count every occurence of every value of the matchname (for instance, count all p
.TP
\fB-ua\fR
-For every matchname in -u, show the average value of all matches. Behaviour for match types that do not have an integer value is undefined.
+For every matchname in \-u, show the average value of all matches. Behaviour for match types that do not have an integer value is undefined.
.TP
\fB-uac\fR
-For every matchname in -u, show the average number of times this value was encountered.
+For every matchname in \-u, show the average number of times this value was encountered.
.TP
\fB-um\fR \fInumber\fR
-Only show the results from -u for values that occurred more than <number> times.
+Only show the results from \-u for values that occurred more than <number> times.
.TP
\fB-v\fR \fIlevel\fR
@@ -86,7 +86,7 @@ Show version and exit
.SH LIST AND MATCHES
-A <matchnamelist> is a comma separated list of match names (use -s to see possible match names).
+A <matchnamelist> is a comma separated list of match names (use \-s to see possible match names).
A <expressionlist> is a comma separated list of expressions.
An expression has the following form:
@@ -106,36 +106,36 @@ An expression has the following form:
<= lesser than or equal to <value>
~= contains <value>
-See the -s option for possible matchnames, operators and values.
+See the \-s option for possible matchnames, operators and values.
.SH EXAMPLES
.TP
-ldns-dpa -u packetsize -p test.tr
+ldns-dpa \-u packetsize \-p test.tr
Count all different packetsizes in test.tr and show the precentages.
.TP
-ldns-dpa -f "edns=1&qr=0" -of edns.tr test.tr
+ldns-dpa \-f "edns=1&qr=0" \-of edns.tr test.tr
Filter out all edns enable queries in test.tr and put them in edns.tr
.TP
-ldns-dpa -f edns=1 -c tc=1 -u rcode test.tr
+ldns-dpa \-f edns=1 \-c tc=1 \-u rcode test.tr
For all edns packets, count the number of truncated packets and all their rcodes in test.tr.
.TP
-ldns-dpa -c tc=1,qr=0,qr=1,opcode=QUERY test.tr
+ldns-dpa \-c tc=1,qr=0,qr=1,opcode=QUERY test.tr
For all packets, count the number of truncated packets, the number of packets with qr=0, the number of packets with qr=1 and the number of queries in test.tr.
.TP
-ldns-dpa -u packetsize -ua test.tr
+ldns-dpa \-u packetsize \-ua test.tr
Show all packet sizes and the average packet size per packet.
.TP
-ldns-dpa -u srcaddress -uac test.tr
+ldns-dpa \-u srcaddress \-uac test.tr
Show all packet source addresses and the average number of packets sent from this address.
.TP
-sudo tcpdump -i eth0 -s 0 -U -w - port 53 | ldns-dpa -f qr=0 -sf
+sudo tcpdump \-i eth0 \-s 0 \-U \-w \- port 53 | ldns-dpa \-f qr=0 \-sf
Print all query packets seen on the specified interface.
diff --git a/examples/ldns-dpa.c b/examples/ldns-dpa.c
index 0bc8a8403296..356b7eea759d 100644
--- a/examples/ldns-dpa.c
+++ b/examples/ldns-dpa.c
@@ -920,7 +920,7 @@ match_opcode(type_operator operator,
a = lt->id;
} else {
i = atoi(value);
- if (i >= 0 && !isdigit(value[0]) == 0) {
+ if (i >= 0 && isdigit((unsigned char)value[0])) {
lt = ldns_lookup_by_id(ldns_opcodes, i);
if (lt) {
a = lt->id;
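Review bot: The corrected test only checks that the first character is a digit, so an input like "3x" still passes with `atoi` yielding 3, and `atoi` gives no overflow indication; the same pattern is in the hunks ending at L1822, L1831 and L1841. Replacing the atoi/isdigit pair with `char *end; long v = strtol(value, &end, 10);` and testing `end != value && *end == '\0' && v >= 0` (plus an `errno == ERANGE` check if very large ids matter) rejects trailing garbage in one place. match_opcode starts outside the hunk.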
@@ -941,7 +941,7 @@ match_opcode(type_operator operator,
b = lt->id;
} else {
i = atoi(mvalue);
- if (i >= 0 && !isdigit(mvalue[0]) == 0) {
+ if (i >= 0 && isdigit((unsigned char)mvalue[0])) {
lt = ldns_lookup_by_id(ldns_opcodes, i);
if (lt) {
b = lt->id;
@@ -1053,7 +1053,7 @@ match_rcode(type_operator operator,
a = lt->id;
} else {
i = atoi(value);
- if (i >= 0 && !isdigit(value[0]) == 0) {
+ if (i >= 0 && isdigit((unsigned char)value[0])) {
lt = ldns_lookup_by_id(ldns_rcodes, i);
if (lt) {
a = lt->id;
@@ -1074,8 +1074,7 @@ match_rcode(type_operator operator,
b = lt->id;
} else {
i = atoi(mvalue);
-
- if (i >= 0 && !isdigit(mvalue[0]) == 0) {
+ if (i >= 0 && isdigit((unsigned char)mvalue[0])) {
lt = ldns_lookup_by_id(ldns_rcodes, i);
if (lt) {
b = lt->id;
@@ -1663,7 +1662,7 @@ parse_match_expression(char *string)
j = 0;
for (i = 0; i < strlen(string); i++) {
- if(!isspace(string[i])) {
+ if(!isspace((unsigned char)string[i])) {
str[j] = string[i];
j++;
}
@@ -2505,7 +2504,7 @@ parse_uniques(match_id ids[], size_t *count, char *string)
str = malloc(strlen(string) + 1);
j = 0;
for (i = 0; i < strlen(string); i++) {
- if (!isspace(string[i])) {
+ if (!isspace((unsigned char)string[i])) {
str[j] = string[i];
j++;
}
diff --git a/examples/ldns-gen-zone.1 b/examples/ldns-gen-zone.1
index 5e7129b88922..0e5a0dc678d8 100644
--- a/examples/ldns-gen-zone.1
+++ b/examples/ldns-gen-zone.1
@@ -62,13 +62,13 @@ Show version and exit.
.SH EXAMPLES
.TP
-\fBldns-gen-zone -a 100000 -p 10 -s ./zonefile.txt\fR
+\fBldns-gen-zone \-a 100000 \-p 10 \-s ./zonefile.txt\fR
Read a zonefile, add 100.000 artificial NS RRSets and 10% of DS records,
print it to standard output. Don't sort (will only work well if the input
zonefile is already sorted and canonicalized).
.TP
-\fBldns-gen-zone -p 10 -s -o nl zonefile.txt | named-compilezone -s relative -i none -o zonefile_10.txt nl /dev/stdin\fR
+\fBldns-gen-zone \-p 10 \-s \-o nl zonefile.txt | named-compilezone \-s relative \-i none \-o zonefile_10.txt nl /dev/stdin\fR
This creates a nicely formatted zone file with the help of \fBnamed-compilezone\fR.
It adds 10% DS records to the .nl zone, reformats it and saves it as \fBzonefile_10.txt\fR.
diff --git a/examples/ldns-gen-zone.c b/examples/ldns-gen-zone.c
index c19d0f6dc05f..bd7111a016bb 100644
--- a/examples/ldns-gen-zone.c
+++ b/examples/ldns-gen-zone.c
@@ -28,7 +28,7 @@ usage(FILE *fp, char *prog) {
fprintf(fp, "\n\nUsage: %s [-hsv] [-ap NUM] [-o ORIGIN] [<zonefile>]\n", prog);
fprintf(fp, "\tReads a zonefile and add some artificial NS RRsets and DS records.\n");
fprintf(fp, "\tIf no zonefile is given, the zone is read from stdin.\n");
- fprintf(fp, "\t-a <NUM> add NUM artifical delegations (NS RRSets) to output.\n");
+ fprintf(fp, "\t-a <NUM> add NUM artificial delegations (NS RRSets) to output.\n");
fprintf(fp, "\t-p <NUM> add NUM percent of DS RRset's to the NS RRsets (1-%d RR's per DS RRset).\n", NUM_DS);
fprintf(fp, "\t-o ORIGIN sets an $ORIGIN, which can be handy if the one in the zonefile is set to @.\n");
fprintf(fp, "\t-s if input zone file is already sorted and canonicalized (ie all lowercase),\n\t use this option to speed things up while inserting DS records.\n");
diff --git a/examples/ldns-key2ds.1 b/examples/ldns-key2ds.1
index a20ab96fb475..5571777dbc7a 100644
--- a/examples/ldns-key2ds.1
+++ b/examples/ldns-key2ds.1
@@ -32,6 +32,13 @@ Use SHA1 as the hash function.
\fB-2\fR
Use SHA256 as the hash function
+.TP
+\fB-g\fR
+Use GOST as the hash function
+
+.TP
+\fB-4\fR
+Use SHA384 as the hash function
.SH AUTHOR
Written by the ldns team as an example for ldns usage.
diff --git a/examples/ldns-key2ds.c b/examples/ldns-key2ds.c
index 9426f685929b..be1f8c654ac1 100644
--- a/examples/ldns-key2ds.c
+++ b/examples/ldns-key2ds.c
@@ -63,6 +63,14 @@ suitable_hash(ldns_signing_algorithm algorithm)
case LDNS_SIGN_ECDSAP384SHA384:
return LDNS_SHA384;
#endif
+#ifdef USE_ED25519
+ case LDNS_SIGN_ED25519:
+ return LDNS_SHA256;
+#endif
+#ifdef USE_ED448
+ case LDNS_SIGN_ED448:
+ return LDNS_SHA256;
+#endif
default: break;
}
return LDNS_SHA1;
diff --git a/examples/ldns-keyfetcher.c b/examples/ldns-keyfetcher.c
index 4988bfbb3fb3..10a47ddc4dd9 100644
--- a/examples/ldns-keyfetcher.c
+++ b/examples/ldns-keyfetcher.c
@@ -377,7 +377,7 @@ retrieve_dnskeys(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
authority_list = NULL;
if (loop_count++ > 20) {
- /* unlikely that we are doing something usefull */
+ /* unlikely that we are doing something useful */
fprintf(stderr, "Looks like we are looping");
ldns_pkt_free(p);
return NULL;
@@ -507,7 +507,7 @@ retrieve_dnskeys(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
* for the root zone and A records for those NS RRs.
* Read them, check them, and append the a records to the rr list given.
*/
-ldns_rr_list *
+static ldns_rr_list *
read_root_hints(const char *filename)
{
FILE *fp = NULL;
@@ -725,7 +725,6 @@ main(int argc, char *argv[])
fprintf(stderr, "no answer packet received, stub resolver config:\n");
ldns_resolver_print(stderr, res);
}
- printf("\n");
ldns_rdf_deep_free(domain);
ldns_resolver_deep_free(res);
diff --git a/examples/ldns-keygen.1 b/examples/ldns-keygen.1
index 734ad6d16360..57603c7b3e8b 100644
--- a/examples/ldns-keygen.1
+++ b/examples/ldns-keygen.1
@@ -16,7 +16,7 @@ DNSKEY record.
\fBldns-keygen\fR can also be used to create symmetric keys (for TSIG) by
selecting the appropriate algorithm: \%\fIhmac-md5.sig-alg.reg.int\fR,
-\%\fIhmac-sha1\fR or \%\fIhmac-sha256\fR.
+\%\fIhmac-sha1\fR, \%\fIhmac-sha224\fR, \%\fIhmac-sha256\fR, \%\fIhmac-sha384\fR or \%\fIhmac-sha512\fR.
In that case no DS record will be created and no .ds file.
\fBldns-keygen\fR prints the basename for the key files:
diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c
index 316d60d77740..62b8d228eda6 100644
--- a/examples/ldns-keygen.c
+++ b/examples/ldns-keygen.c
@@ -10,6 +10,9 @@
#include <ldns/ldns.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
#include <errno.h>
#ifdef HAVE_SSL
@@ -28,7 +31,7 @@ usage(FILE *fp, char *prog) {
fprintf(fp, " The following files will be created:\n");
fprintf(fp, " K<name>+<alg>+<id>.key\tPublic key in RR format\n");
fprintf(fp, " K<name>+<alg>+<id>.private\tPrivate key in key format\n");
- fprintf(fp, " K<name>+<alg>+<id>.ds\tDS in RR format (only for DNSSEC keys)\n");
+ fprintf(fp, " K<name>+<alg>+<id>.ds\tDS in RR format (only for DNSSEC KSK keys)\n");
fprintf(fp, " The base name (K<name>+<alg>+<id> will be printed to stdout\n");
}
@@ -48,11 +51,13 @@ int
main(int argc, char *argv[])
{
int c;
+ int fd;
char *prog;
/* default key size */
uint16_t def_bits = 1024;
uint16_t bits = def_bits;
+ bool had_bits = false;
bool ksk;
FILE *file;
@@ -94,7 +99,8 @@ main(int argc, char *argv[])
if (bits == 0) {
fprintf(stderr, "%s: %s %d", prog, "Can not parse the -b argument, setting it to the default\n", (int) def_bits);
bits = def_bits;
- }
+ } else
+ had_bits = true;
break;
case 'k':
ksk = true;
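Review bot: The `else` arm added at L1999-2000 is unbraced while its `if` partner is braced, which is the shape that hides a later one-line addition; write it as `} else {` / `had_bits = true;` / `}`. main begins before this hunk.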
@@ -133,16 +139,20 @@ main(int argc, char *argv[])
switch (algorithm) {
case LDNS_SIGN_RSAMD5:
case LDNS_SIGN_RSASHA1:
+ case LDNS_SIGN_RSASHA1_NSEC3:
+ case LDNS_SIGN_RSASHA256:
+ case LDNS_SIGN_RSASHA512:
if (bits < 512 || bits > 4096) {
fprintf(stderr, "For RSA, the key size must be between ");
- fprintf(stderr, " 512 and 4096 bytes. Aborting.\n");
+ fprintf(stderr, " 512 and 4096 bits. Aborting.\n");
exit(1);
}
break;
case LDNS_SIGN_DSA:
- if (bits < 512 || bits > 4096) {
+ case LDNS_SIGN_DSA_NSEC3:
+ if (bits < 512 || bits > 1024) {
fprintf(stderr, "For DSA, the key size must be between ");
- fprintf(stderr, " 512 and 1024 bytes. Aborting.\n");
+ fprintf(stderr, " 512 and 1024 bits. Aborting.\n");
exit(1);
}
break;
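Review bot: The newly listed RSASHA1_NSEC3, RSASHA256 and RSASHA512 cases now inherit the `bits < 512` floor, so `ldns-keygen -a RSASHA256 -b 512` is accepted without comment even though 512-bit RSA is far below any current guidance, and the `def_bits` default of 1024 visible earlier in this function is itself at the low end. Since the commit already corrected the "bytes"/"bits" wording here, this is the place to at least warn, e.g. `if (bits < 1024) fprintf(stderr, "Warning: RSA keys below 1024 bits are considered weak\n");`, or to raise the floor outright. The DSA branch's new 1024-bit cap presumably follows the DNSSEC DSA key format and is fine. main begins before this hunk.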
@@ -157,10 +167,66 @@ main(int argc, char *argv[])
#ifdef USE_ECDSA
case LDNS_SIGN_ECDSAP256SHA256:
case LDNS_SIGN_ECDSAP384SHA384:
+ break;
#endif
case LDNS_SIGN_HMACMD5:
+ if (!had_bits) {
+ bits = 512;
+ } else if (bits < 1 || bits > 512) {
+ fprintf(stderr, "For hmac-md5, the key size must be ");
+ fprintf(stderr, "between 1 and 512 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
case LDNS_SIGN_HMACSHA1:
+ if (!had_bits) {
+ bits = 160;
+ } else if (bits < 1 || bits > 160) {
+ fprintf(stderr, "For hmac-sha1, the key size must be ");
+ fprintf(stderr, "between 1 and 160 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
+ case LDNS_SIGN_HMACSHA224:
+ if (!had_bits) {
+ bits = 224;
+ } else if (bits < 1 || bits > 224) {
+ fprintf(stderr, "For hmac-sha224, the key size must be ");
+ fprintf(stderr, "between 1 and 224 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
case LDNS_SIGN_HMACSHA256:
+ if (!had_bits) {
+ bits = 256;
+ } else if (bits < 1 || bits > 256) {
+ fprintf(stderr, "For hmac-sha256, the key size must be ");
+ fprintf(stderr, "between 1 and 256 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
+ case LDNS_SIGN_HMACSHA384:
+ if (!had_bits) {
+ bits = 384;
+ } else if (bits < 1 || bits > 384) {
+ fprintf(stderr, "For hmac-sha384, the key size must be ");
+ fprintf(stderr, "between 1 and 384 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
+ case LDNS_SIGN_HMACSHA512:
+ if (!had_bits) {
+ bits = 512;
+ } else if (bits < 1 || bits > 512) {
+ fprintf(stderr, "For hmac-sha512, the key size must be ");
+ fprintf(stderr, "between 1 and 512 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
default:
break;
}
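Review bot: The six HMAC cases at L2034-2091 differ only in the algorithm name and the maximum size, and each accepts any `bits >= 1`, so a 1-bit TSIG key passes validation; RFC 2104 strongly discourages HMAC keys shorter than the hash output. A small helper keeps the per-algorithm limits in one place and is the natural spot to warn below the digest length, after which each case reduces to one line, e.g. `case LDNS_SIGN_HMACSHA256: check_hmac_bits("hmac-sha256", 256, 256, had_bits, &bits); break;`. Whether a warning or a hard floor is appropriate depends on existing deployments, so the sketch below only warns. main begins before this hunk.
```c
/* Default the HMAC key size to max_bits when -b was not given; otherwise
 * require 1..max_bits and warn when the key is shorter than the digest
 * (RFC 2104 recommends at least the digest length). */
static void
check_hmac_bits(const char *name, uint16_t max_bits, uint16_t digest_bits,
    bool had_bits, uint16_t *bits)
{
	if (!had_bits) {
		*bits = max_bits;
	} else if (*bits < 1 || *bits > max_bits) {
		fprintf(stderr, "For %s, the key size must be between 1 and %u bits. Aborting.\n",
		    name, (unsigned) max_bits);
		exit(1);
	} else if (*bits < digest_bits) {
		fprintf(stderr, "Warning: %s key of %u bits is shorter than the digest (%u bits)\n",
		    name, (unsigned) *bits, (unsigned) digest_bits);
	}
}

/* … in main()'s switch, replacing L2034-2091: … */
		case LDNS_SIGN_HMACMD5:
			check_hmac_bits("hmac-md5", 512, 128, had_bits, &bits);
			break;
		/* … same one-liner for hmac-sha1 (160/160), sha224, sha256, sha384, sha512 … */
```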
@@ -181,6 +247,11 @@ main(int argc, char *argv[])
/* generate a new key */
key = ldns_key_new_frm_algorithm(algorithm, bits);
+ if(!key) {
+ fprintf(stderr, "cannot generate key of algorithm %s\n",
+ ldns_pkt_algorithm2str((ldns_algorithm)algorithm));
+ exit(EXIT_FAILURE);
+ }
/* set the owner name in the key - this is a /separate/ step */
ldns_key_set_pubkey_owner(key, domain);
@@ -210,6 +281,12 @@ main(int argc, char *argv[])
break;
case LDNS_SIGN_ECDSAP256SHA256:
#endif
+#ifdef USE_ED25519
+ case LDNS_SIGN_ED25519:
+#endif
+#ifdef USE_ED448
+ case LDNS_SIGN_ED448:
+#endif
case LDNS_SIGN_RSASHA256:
case LDNS_SIGN_RSASHA512:
ds = ldns_key_rr2ds(pubkey, LDNS_SHA256);
@@ -250,25 +327,28 @@ main(int argc, char *argv[])
/* print the priv key to stderr */
filename = LDNS_XMALLOC(char, strlen(owner) + 21);
snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
- file = fopen(filename, "w");
+ /* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+ if (fd < 0) {
+ goto fail;
+ }
+
+ file = fdopen(fd, "w");
if (!file) {
- fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
- ldns_key_deep_free(key);
- free(owner);
- ldns_rr_free(pubkey);
- ldns_rr_free(ds);
- LDNS_FREE(filename);
- exit(EXIT_FAILURE);
- } else {
- ldns_key_print(file, key);
- fclose(file);
- LDNS_FREE(filename);
+ goto fail;
}
+ ldns_key_print(file, key);
+ fclose(file);
+ LDNS_FREE(filename);
+
/* print the DS to .ds */
- if (algorithm != LDNS_SIGN_HMACMD5 &&
+ if (ksk && algorithm != LDNS_SIGN_HMACMD5 &&
algorithm != LDNS_SIGN_HMACSHA1 &&
- algorithm != LDNS_SIGN_HMACSHA256) {
+ algorithm != LDNS_SIGN_HMACSHA224 &&
+ algorithm != LDNS_SIGN_HMACSHA256 &&
+ algorithm != LDNS_SIGN_HMACSHA384 &&
+ algorithm != LDNS_SIGN_HMACSHA512) {
filename = LDNS_XMALLOC(char, strlen(owner) + 16);
snprintf(filename, strlen(owner) + 15, "K%s+%03u+%05u.ds", owner, algorithm, (unsigned int) ldns_key_keytag(key));
file = fopen(filename, "w");
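Review bot: `open()` with `O_WRONLY | O_CREAT | O_TRUNC` and mode 0600 only fixes the permissions of a file that does not exist yet: if `filename` is already present, or is a symlink planted in a shared working directory, the existing mode is kept and the fresh private key is written through it with whatever permissions it already had. Adding `O_EXCL` (refuse to overwrite) or `O_NOFOLLOW` together with `fchmod(fd, S_IRUSR | S_IWUSR)` after the open closes that gap; the `.ds` file below can stay on `fopen` since DS records are public. Independently, the `fclose(file)` at L2145 is unchecked, so a write error such as a full disk leaves a truncated `.private` file while the tool still reports success; `if (fclose(file) != 0) goto fail;` routes it through the new error path before `filename` is freed. main begins before this hunk.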
@@ -296,6 +376,15 @@ main(int argc, char *argv[])
ldns_rr_free(pubkey);
ldns_rr_free(ds);
exit(EXIT_SUCCESS);
+
+fail:
+ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+ ldns_key_deep_free(key);
+ free(owner);
+ ldns_rr_free(pubkey);
+ ldns_rr_free(ds);
+ LDNS_FREE(filename);
+ exit(EXIT_FAILURE);
}
#else
int
diff --git a/examples/ldns-mx.c b/examples/ldns-mx.c
index 873cf55f87de..84d27c837f89 100644
--- a/examples/ldns-mx.c
+++ b/examples/ldns-mx.c
@@ -40,6 +40,15 @@ main(int argc, char *argv[])
usage(stdout, argv[0]);
exit(EXIT_FAILURE);
}
+ if (! ldns_dname_str_absolute(argv[1]) &&
+ ldns_dname_absolute(domain)) {
+
+ /* ldns_dname_new_frm_str makes absolute dnames always!
+ * So deabsolutify domain.
+ * TODO: Create ldns_dname_new_frm_str_relative? Yuck!
+ */
+ ldns_rdf_set_size(domain, ldns_rdf_size(domain) - 1);
+ }
}
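Review bot: The de-absolutify step shrinks the rdf by one byte unconditionally, relying on `ldns_dname_new_frm_str` always having appended a root label; if `argv[1]` is the empty string, `ldns_dname_str_absolute("")` is presumably false while `domain` is the root name of size 1, so the size would drop to 0. Adding `ldns_rdf_size(domain) > 1 &&` to the condition keeps the root name intact, and the TODO above could name the helper it wants (`ldns_dname_new_frm_str_relative`) so the workaround is not forgotten once it exists. main begins before this hunk and continues after it.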
/* create a new resolver from /etc/resolv.conf */
@@ -52,11 +61,11 @@ main(int argc, char *argv[])
/* use the resolver to send a query for the mx
* records of the domain given on the command line
*/
- p = ldns_resolver_query(res,
- domain,
- LDNS_RR_TYPE_MX,
- LDNS_RR_CLASS_IN,
- LDNS_RD);
+ p = ldns_resolver_search(res,
+ domain,
+ LDNS_RR_TYPE_MX,
+ LDNS_RR_CLASS_IN,
+ LDNS_RD);
ldns_rdf_deep_free(domain);
diff --git a/examples/ldns-notify.1 b/examples/ldns-notify.1
index 7ae77ac04658..27266c1ce8f4 100644
--- a/examples/ldns-notify.1
+++ b/examples/ldns-notify.1
@@ -4,7 +4,7 @@ ldns-notify \- notify DNS servers that updates are available
.SH SYNOPSIS
.B ldns-notify
[options]
--z zone
+\-z zone
.IR servers
.SH DESCRIPTION
diff --git a/examples/ldns-notify.c b/examples/ldns-notify.c
index 50da6e606af8..ee8d817411d8 100644
--- a/examples/ldns-notify.c
+++ b/examples/ldns-notify.c
@@ -182,6 +182,7 @@ main(int argc, char **argv)
uint8_t *wire = NULL;
size_t wiresize = 0;
const char *port = "53";
+ char *keydata;
srandom(time(NULL) ^ getpid());
@@ -203,14 +204,14 @@ main(int argc, char **argv)
case 'y':
tsig_cred.algorithm = (char*)"hmac-md5.sig-alg.reg.int.";
tsig_cred.keyname = optarg;
- tsig_cred.keydata = strchr(optarg, ':');
- if (tsig_cred.keydata == NULL) {
+ keydata = strchr(optarg, ':');
+ if (keydata == NULL) {
printf("TSIG argument is not in form "
"key:data: %s\n", optarg);
exit(1);
}
- *tsig_cred.keydata = '\0';
- tsig_cred.keydata++;
+ *keydata++ = '\0';
+ tsig_cred.keydata = keydata;
printf("Sign with %s : %s\n", tsig_cred.keyname,
tsig_cred.keydata);
break;
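Review bot: The reworked `-y` parsing still echoes the TSIG shared secret: the `printf("Sign with %s : %s\n", ...)` kept at L2248-2249 prints `tsig_cred.keydata`, so the key material lands in terminal scrollback and any captured output. Print only the key name, `printf("Sign with %s\n", tsig_cred.keyname);`. The secret is also supplied on the command line, where it is visible to other local users through process listings; reading it from a file would be the longer-term fix. main begins before this hunk.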
@@ -306,7 +307,7 @@ main(int argc, char **argv)
for(i=0; i<argc; i++)
{
- struct addrinfo hints, *res0, *res;
+ struct addrinfo hints, *res0, *ai_res;
int error;
int default_family = AF_INET;
@@ -322,13 +323,13 @@ main(int argc, char **argv)
gai_strerror(error));
continue;
}
- for (res = res0; res; res = res->ai_next) {
- int s = socket(res->ai_family, res->ai_socktype,
- res->ai_protocol);
+ for (ai_res = res0; ai_res; ai_res = ai_res->ai_next) {
+ int s = socket(ai_res->ai_family, ai_res->ai_socktype,
+ ai_res->ai_protocol);
if(s == -1)
continue;
/* send the notify */
- notify_host(s, res, wire, wiresize, argv[i]);
+ notify_host(s, ai_res, wire, wiresize, argv[i]);
}
freeaddrinfo(res0);
}
diff --git a/examples/ldns-read-zone.1 b/examples/ldns-read-zone.1
index 8652fe9acd39..0d77889f49c7 100644
--- a/examples/ldns-read-zone.1
+++ b/examples/ldns-read-zone.1
@@ -12,24 +12,36 @@ resource record per line, and no pretty-printing makeup.
.SH OPTIONS
.TP
+\fB-0\fR
+Print a (null) for the RRSIG inception, expiry and key data. This option
+can be used when comparing different signing systems that use the same
+DNSKEYs for signing but would have a slightly different timings/jitter.
+
+.TP
+\fB-b\fR
+Include Bubble Babble encoding of DS's.
+
+.TP
\fB-c\fR
Canonicalize all resource records in the zone before printing
.TP
\fB-d\fR
Only print DNSSEC data from the zone. This option skips every record
-that is not of type NSEC, NSEC3, RRSIG or DNSKEY. DS records are not
+that is not of type NSEC, NSEC3 or RRSIG. DNSKEY and DS records are not
printed.
.TP
-\fB-b\fR
-Include Bubble Babble encoding of DS's.
+\fB-e\fR \fIRR type\fR
+Do not print RRs of the given \fIrr type\fR.
+This option may be given multiple times.
+\fB-e\fR is not meant to be used together with \fB-E\fR.
.TP
-\fB-0\fR
-Print a (null) for the RRSIG inception, expiry and key data. This option
-can be used when comparing different signing systems that use the same
-DNSKEYs for signing but would have a slightly different timings/jitter.
+\fB-E\fR \fIRR type\fR
+Print only RRs of the given \fIrr type\fR.
+This option may be given multiple times.
+\fB-E\fR is not meant to be used together with \fB-e\fR.
.TP
\fB-h\fR
@@ -47,7 +59,7 @@ take ten characters. This is useful for in file serial number increments.
.TP
\fB-s\fR
Strip DNSSEC data from the zone. This option skips every record
-that is of type NSEC, NSEC3, RRSIG or DNSKEY. DS records are still
+that is of type NSEC, NSEC3 or RRSIG. DNSKEY and DS records are still
printed.
.TP
@@ -86,7 +98,7 @@ Show the version and exit
.TP
\fB-z\fR
-Sort the zone before printing (this implies -c)
+Sort the zone before printing (this implies \-c)
.SH AUTHOR
diff --git a/examples/ldns-read-zone.c b/examples/ldns-read-zone.c
index 512621d3fff6..c61f80ad80b4 100644
--- a/examples/ldns-read-zone.c
+++ b/examples/ldns-read-zone.c
@@ -15,15 +15,23 @@
#include <errno.h>
-void print_usage(const char* progname)
+static void print_usage(const char* progname)
{
printf("Usage: %s [OPTIONS] <zonefile>\n", progname);
printf("\tReads the zonefile and prints it.\n");
printf("\tThe RR count of the zone is printed to stderr.\n");
- printf("\t-b include Bubble Babble encoding of DS's.\n");
printf("\t-0 zeroize timestamps and signature in RRSIG records.\n");
+ printf("\t-b include Bubble Babble encoding of DS's.\n");
printf("\t-c canonicalize all rrs in the zone.\n");
printf("\t-d only show DNSSEC data from the zone\n");
+ printf("\t-e <rr type>\n");
+ printf("\t\tDo not print RRs of the given <rr type>.\n");
+ printf("\t\tThis option may be given multiple times.\n");
+ printf("\t\t-e is not meant to be used together with -E.\n");
+ printf("\t-E <rr type>\n");
+ printf("\t\tPrint only RRs of the given <rr type>.\n");
+ printf("\t\tThis option may be given multiple times.\n");
+ printf("\t\t-E is not meant to be used together with -e.\n");
printf("\t-h show this text\n");
printf("\t-n do not print the SOA record\n");
printf("\t-p prepend SOA serial with spaces so"
@@ -61,6 +69,46 @@ void print_usage(const char* progname)
exit(EXIT_SUCCESS);
}
+static void exclude_type(ldns_rdf **show_types, ldns_rr_type t)
+{
+ ldns_status s;
+
+ assert(show_types != NULL);
+
+ if (! *show_types && LDNS_STATUS_OK !=
+ (s = ldns_rdf_bitmap_known_rr_types(show_types)))
+ goto fail;
+
+ s = ldns_nsec_bitmap_clear_type(*show_types, t);
+ if (s == LDNS_STATUS_OK)
+ return;
+fail:
+ fprintf(stderr, "Cannot exclude rr type %s: %s\n"
+ , ldns_rr_descript(t)->_name
+ , ldns_get_errorstr_by_id(s));
+ exit(EXIT_FAILURE);
+}
+
+static void include_type(ldns_rdf **show_types, ldns_rr_type t)
+{
+ ldns_status s;
+
+ assert(show_types != NULL);
+
+ if (! *show_types && LDNS_STATUS_OK !=
+ (s = ldns_rdf_bitmap_known_rr_types_space(show_types)))
+ goto fail;
+
+ s = ldns_nsec_bitmap_set_type(*show_types, t);
+ if (s == LDNS_STATUS_OK)
+ return;
+fail:
+ fprintf(stderr, "Cannot exclude all rr types except %s: %s\n"
+ , ldns_rr_descript(t)->_name
+ , ldns_get_errorstr_by_id(s));
+ exit(EXIT_FAILURE);
+}
+
int
main(int argc, char **argv)
{
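Review bot: Both new helpers print `ldns_rr_descript(t)->_name` with `%s` on the failure path; for a type number without a registered descriptor that field is presumably NULL, and `-e`/`-E` hand the helpers whatever `ldns_get_rr_type_by_name(optarg)` returns, so the error report itself can crash. Printing the numeric type, `(unsigned) t`, or guarding with `name ? name : "TYPE?"` avoids that. The two helpers also duplicate the same goto/fail shape and differ only in which bitmap constructor and which set/clear call they use; a single `static void set_type(ldns_rdf **show_types, ldns_rr_type t, bool include)` would halve the code.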
@@ -71,38 +119,43 @@ main(int argc, char **argv)
int c;
bool canonicalize = false;
bool sort = false;
- bool strip = false;
- bool only_dnssec = false;
bool print_soa = true;
ldns_status s;
size_t i;
ldns_rr_list *stripped_list;
ldns_rr *cur_rr;
- ldns_rr_type cur_rr_type;
ldns_output_format_storage fmt_storage;
ldns_output_format* fmt = ldns_output_format_init(&fmt_storage);
+ ldns_rdf *show_types = NULL;
ldns_soa_serial_increment_func_t soa_serial_increment_func = NULL;
int soa_serial_increment_func_data = 0;
- while ((c = getopt(argc, argv, "0bcdhnpsu:U:vzS:")) != -1) {
+ while ((c = getopt(argc, argv, "0bcde:E:hnpsS:u:U:vz")) != -1) {
switch(c) {
+ case '0':
+ fmt->flags |= LDNS_FMT_ZEROIZE_RRSIGS;
+ break;
case 'b':
fmt->flags |=
( LDNS_COMMENT_BUBBLEBABBLE |
LDNS_COMMENT_FLAGS );
break;
- case '0':
- fmt->flags |= LDNS_FMT_ZEROIZE_RRSIGS;
- break;
case 'c':
canonicalize = true;
break;
case 'd':
- only_dnssec = true;
- if (strip) {
- fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
- }
+ include_type(&show_types, LDNS_RR_TYPE_RRSIG);
+ include_type(&show_types, LDNS_RR_TYPE_NSEC);
+ include_type(&show_types, LDNS_RR_TYPE_NSEC3);
+ break;
+ case 'e':
+ exclude_type(&show_types,
+ ldns_get_rr_type_by_name(optarg));
+ break;
+ case 'E':
+ include_type(&show_types,
+ ldns_get_rr_type_by_name(optarg));
break;
case 'h':
print_usage("ldns-read-zone");
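Review bot: The new `-e` and `-E` cases pass `ldns_get_rr_type_by_name(optarg)` straight to the helpers without checking it; if that lookup returns 0 for an unrecognised mnemonic (to be confirmed against the library), `-e bogus` silently excludes TYPE0 instead of reporting the typo. Check the result first: `ldns_rr_type t = ldns_get_rr_type_by_name(optarg); if (t == 0) { fprintf(stderr, "Unknown RR type: %s\n", optarg); exit(EXIT_FAILURE); }`. main begins before this hunk.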
@@ -113,12 +166,37 @@ main(int argc, char **argv)
case 'p':
fmt->flags |= LDNS_FMT_PAD_SOA_SERIAL;
break;
- case 's':
- strip = true;
- if (only_dnssec) {
- fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
+ case 's':
+ case 'S':
+ exclude_type(&show_types, LDNS_RR_TYPE_RRSIG);
+ exclude_type(&show_types, LDNS_RR_TYPE_NSEC);
+ exclude_type(&show_types, LDNS_RR_TYPE_NSEC3);
+ if (c == 's') break;
+ if (*optarg == '+' || *optarg == '-') {
+ soa_serial_increment_func_data =
+ atoi(optarg);
+ soa_serial_increment_func =
+ ldns_soa_serial_increment_by;
+ } else if (! strtok(optarg, "0123456789")) {
+ soa_serial_increment_func_data =
+ atoi(optarg);
+ soa_serial_increment_func =
+ ldns_soa_serial_identity;
+ } else if (!strcasecmp(optarg, "YYYYMMDDxx")){
+ soa_serial_increment_func =
+ ldns_soa_serial_datecounter;
+ } else if (!strcasecmp(optarg, "unixtime")){
+ soa_serial_increment_func =
+ ldns_soa_serial_unixtime;
+ } else {
+ fprintf(stderr, "-S expects a number "
+ "optionally preceded by a "
+ "+ or - sign to indicate an "
+ "offset, or the text YYYYMM"
+ "DDxx or unixtime\n");
+ exit(EXIT_FAILURE);
}
- break;
+ break;
case 'u':
s = ldns_output_format_set_type(fmt,
ldns_get_rr_type_by_name(optarg));
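Review bot: `-s`/`-S` now exclude only RRSIG, NSEC and NSEC3 (L2470-2472), whereas the loop this replaces (removed at L2551-2554) also stripped NSEC3PARAM, and the old `-d` path likewise included it; a zone stripped with the new code therefore keeps a stale NSEC3PARAM next to no NSEC3 chain. If that is unintended, add `exclude_type(&show_types, LDNS_RR_TYPE_NSEC3PARAM);` here and the matching `include_type` in the `-d` case of the previous hunk; if it is intended, the updated man page already says so but a one-line comment here would stop the next reader from "fixing" it. The `-S` offset still goes through `atoi(optarg)`, which cannot report out-of-range input; `strtol` with an `errno`/end-pointer check is the usual replacement. main begins before this hunk.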
@@ -159,36 +237,8 @@ main(int argc, char **argv)
canonicalize = true;
sort = true;
break;
- case 'S':
- strip = true;
- if (*optarg == '+' || *optarg == '-') {
- soa_serial_increment_func_data =
- atoi(optarg);
- soa_serial_increment_func =
- ldns_soa_serial_increment_by;
- } else if (! strtok(optarg, "0123456789")) {
- soa_serial_increment_func_data =
- atoi(optarg);
- soa_serial_increment_func =
- ldns_soa_serial_identity;
- } else if (!strcasecmp(optarg, "YYYYMMDDxx")){
- soa_serial_increment_func =
- ldns_soa_serial_datecounter;
- } else if (!strcasecmp(optarg, "unixtime")){
- soa_serial_increment_func =
- ldns_soa_serial_unixtime;
- } else {
- fprintf(stderr, "-S expects a number "
- "optionally preceded by a "
- "+ or - sign to indicate an "
- "offset, or the text YYYYMM"
- "DDxx or unixtime\n");
- exit(EXIT_FAILURE);
- }
- break;
}
}
-
argc -= optind;
argv += optind;
@@ -214,38 +264,17 @@ main(int argc, char **argv)
exit(EXIT_FAILURE);
}
-
- if (strip) {
+ if (show_types) {
+ if (print_soa)
+ print_soa = ldns_nsec_bitmap_covers_type(show_types,
+ LDNS_RR_TYPE_SOA);
stripped_list = ldns_rr_list_new();
- while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
- cur_rr_type = ldns_rr_get_type(cur_rr);
- if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
- cur_rr_type == LDNS_RR_TYPE_NSEC ||
- cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
- cur_rr_type == LDNS_RR_TYPE_NSEC3PARAM
- ) {
- ldns_rr_free(cur_rr);
- } else {
+ while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z))))
+ if (ldns_nsec_bitmap_covers_type(show_types,
+ ldns_rr_get_type(cur_rr)))
ldns_rr_list_push_rr(stripped_list, cur_rr);
- }
- }
- ldns_rr_list_free(ldns_zone_rrs(z));
- ldns_zone_set_rrs(z, stripped_list);
- }
- if (only_dnssec) {
- stripped_list = ldns_rr_list_new();
- while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
- cur_rr_type = ldns_rr_get_type(cur_rr);
- if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
- cur_rr_type == LDNS_RR_TYPE_NSEC ||
- cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
- cur_rr_type == LDNS_RR_TYPE_NSEC3PARAM
- ) {
- ldns_rr_list_push_rr(stripped_list, cur_rr);
- } else {
+ else
ldns_rr_free(cur_rr);
- }
- }
ldns_rr_list_free(ldns_zone_rrs(z));
ldns_zone_set_rrs(z, stripped_list);
}
diff --git a/examples/ldns-signzone.1 b/examples/ldns-signzone.1
index a83da94e63d4..c33e15210f35 100644
--- a/examples/ldns-signzone.1
+++ b/examples/ldns-signzone.1
@@ -121,11 +121,11 @@ Number of hash iterations
.SH ENGINE OPTIONS
You can modify the possible engines, if supported, by setting an
OpenSSL configuration file. This is done through the environment
-variable OPENSSL_CONF. If you use -E with a non-existent engine name,
+variable OPENSSL_CONF. If you use \-E with a non-existent engine name,
ldns-signzone will print a list of engines supported by your
configuration.
-The key options (-k and -K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can be any of the following:
+The key options (\-k and \-K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can be any of the following:
<id>
<slot>:<id>
diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c
index ffdd3c03cd24..2adc94317966 100644
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@@ -39,6 +39,7 @@ usage(FILE *fp, const char *prog) {
fprintf(fp, " -o <domain>\torigin for the zone\n");
fprintf(fp, " -v\t\tprint version and exit\n");
fprintf(fp, " -A\t\tsign DNSKEY with all keys instead of minimal\n");
+ fprintf(fp, " -U\t\tSign with every unique algorithm in the provided keys\n");
fprintf(fp, " -E <name>\tuse <name> as the crypto engine for signing\n");
fprintf(fp, " \tThis can have a lot of extra options, see the manual page for more info\n");
fprintf(fp, " -k <id>,<int>\tuse key id with algorithm int from engine\n");
@@ -287,29 +288,6 @@ find_or_create_pubkey(const char *keyfile_name_base, ldns_key *key, ldns_zone *o
}
}
-void
-strip_dnssec_records(ldns_zone *zone)
-{
- ldns_rr_list *new_list;
- ldns_rr *cur_rr;
-
- new_list = ldns_rr_list_new();
-
- while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(zone)))) {
- if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_RRSIG ||
- ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_NSEC ||
- ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_NSEC3
- ) {
-
- ldns_rr_free(cur_rr);
- } else {
- ldns_rr_list_push_rr(new_list, cur_rr);
- }
- }
- ldns_rr_list_free(ldns_zone_rrs(zone));
- ldns_zone_set_rrs(zone, new_list);
-}
-
int
main(int argc, char *argv[])
{
@@ -376,9 +354,7 @@ main(int argc, char *argv[])
keys = ldns_key_list_new();
- OPENSSL_config(NULL);
-
- while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAE:K:")) != -1) {
+ while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAUE:K:")) != -1) {
switch (c) {
case 'a':
nsec3_algorithm = (uint8_t) atoi(optarg);
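Review bot: Dropping `OPENSSL_config(NULL)` means the OpenSSL configuration file named by `OPENSSL_CONF` is no longer loaded explicitly, yet the ENGINE OPTIONS section of the man page (L2591-2596 in this commit) still tells users to configure engines that way. On OpenSSL 1.1.0+ the library initialises itself and can load the config automatically, but on older releases, which this tree still appears to support given the `HAVE_ENGINE_LOAD_CRYPTODEV` guard added below, `-E` may stop finding configured engines. Keeping the call behind a version check, `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `OPENSSL_config(NULL);` / `#endif`, preserves both behaviours. main begins before this hunk.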
@@ -473,7 +449,9 @@ main(int argc, char *argv[])
case 'E':
ENGINE_load_builtin_engines();
ENGINE_load_dynamic();
+#ifdef HAVE_ENGINE_LOAD_CRYPTODEV
ENGINE_load_cryptodev();
+#endif
engine = ENGINE_by_id(optarg);
if (!engine) {
printf("No such engine: %s\n", optarg);
@@ -567,6 +545,9 @@ main(int argc, char *argv[])
printf("Not implemented yet\n");
exit(EXIT_FAILURE);
break;
+ case 'U':
+ signflags |= LDNS_SIGN_WITH_ALL_ALGORITHMS;
+ break;
case 's':
if (strlen(optarg) % 2 != 0) {
fprintf(stderr, "Salt value is not valid hex data, not a multiple of 2 characters\n");
diff --git a/examples/ldns-test-edns.c b/examples/ldns-test-edns.c
index b4292a0fa5d3..75a0f176c1cc 100644
--- a/examples/ldns-test-edns.c
+++ b/examples/ldns-test-edns.c
@@ -15,13 +15,13 @@
/** print error details */
static int verb = 1;
-struct sockaddr_in6* cast_sockaddr_storage2sockaddr_in6(
+static struct sockaddr_in6* cast_sockaddr_storage2sockaddr_in6(
struct sockaddr_storage* s)
{
return (struct sockaddr_in6*)s;
}
-struct sockaddr_in* cast_sockaddr_storage2sockaddr_in(
+static struct sockaddr_in* cast_sockaddr_storage2sockaddr_in(
struct sockaddr_storage* s)
{
return (struct sockaddr_in*)s;
diff --git a/examples/ldns-testns.c b/examples/ldns-testns.c
index f9732faaf07e..885453d3dcda 100644
--- a/examples/ldns-testns.c
+++ b/examples/ldns-testns.c
@@ -150,7 +150,7 @@ struct sockaddr_storage;
#define INBUF_SIZE 4096 /* max size for incoming queries */
#define DEFAULT_PORT 53 /* default if no -p port is specified */
-#define CONN_BACKLOG 5 /* 5 connections queued up for tcp */
+#define CONN_BACKLOG 256 /* connections queued up for tcp */
static const char* prog_name = "ldns-testns";
static FILE* logfile = 0;
static int do_verbose = 0;
@@ -188,6 +188,7 @@ static void error(const char* msg, ...)
exit(EXIT_FAILURE);
}
+void verbose(int lvl, const char* msg, ...) ATTR_FORMAT(printf, 2, 3);
void verbose(int ATTR_UNUSED(lvl), const char* msg, ...)
{
va_list args;
@@ -280,6 +281,10 @@ read_n_bytes(int sock, uint8_t* buf, size_t sz)
if(nb < 0) {
log_msg("recv(): %s\n", strerror(errno));
return;
+ } else if(nb == 0) {
+ log_msg("recv: remote end closed the channel\n");
+ memset(buf+count, 0, sz-count);
+ return;
}
count += nb;
}
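Review bot: The new `nb == 0` branch zero-fills the rest of the buffer and returns, but `read_n_bytes` is `void` (the bare `return;` confirms it), so its caller cannot tell a peer that hung up after `count` bytes from a complete read of `sz` bytes and will presumably go on to parse a zero-padded length prefix or query. Logging the condition is good; additionally returning a status (`int`, 0 on success, -1 on error or EOF) and having the caller drop the connection on failure would make the truncation visible instead of masking it. The existing `nb < 0` branch has the same problem of leaving a partially filled buffer with no signal. read_n_bytes begins before this hunk and its callers are outside it.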
diff --git a/examples/ldns-testpkts.c b/examples/ldns-testpkts.c
index ed26285c1f23..cc339790df3c 100644
--- a/examples/ldns-testpkts.c
+++ b/examples/ldns-testpkts.c
@@ -31,12 +31,8 @@ struct sockaddr_storage;
/** string to show in warnings and errors */
static const char* prog_name = "ldns-testpkts";
-#ifndef UTIL_LOG_H
-/** verbosity definition for compat */
-enum verbosity_value { NO_VERBOSE=0 };
-#endif
/** logging routine, provided by caller */
-void verbose(enum verbosity_value lvl, const char* msg, ...) ATTR_FORMAT(printf, 2, 3);
+void verbose(int lvl, const char* msg, ...) ATTR_FORMAT(printf, 2, 3);
/** print error and exit */
static void error(const char* msg, ...)
@@ -929,7 +925,7 @@ handle_query(uint8_t* inbuf, ssize_t inlen, struct entry* entries, int* count,
}
/** delete the list of reply packets */
-void delete_replylist(struct reply_packet* replist)
+static void delete_replylist(struct reply_packet* replist)
{
struct reply_packet *p=replist, *np;
while(p) {
diff --git a/examples/ldns-update.1 b/examples/ldns-update.1
index 971397ddb092..f36b2683401a 100644
--- a/examples/ldns-update.1
+++ b/examples/ldns-update.1
@@ -2,14 +2,17 @@
.SH NAME
ldns-update \- send a dynamic update packet
.SH SYNOPSIS
-.B ldns-update
+.B ldns-update
+.IR name
[
.IR zone
]
+[
.IR ip
+]
[
-.IR tsig_name
-.IR tsig_als
+.IR tsig_name
+.IR tsig_alg
.IR tsig_hmac
]
@@ -18,12 +21,17 @@ ldns-update \- send a dynamic update packet
.SH OPTIONS
.TP
+\fBname\fR
+The domainname to associate with the given \fBip\fR address.
+
+.TP
\fBzone\fR
-Use this zone instead of trying to read it from the zonefile's SOA record.
+When given uses this \fBzone\fR instead of trying to find and process \fBdomain\fR's SOA record.
.TP
\fBip\fR
-Send the update to this IP address
+Send the update to this IP address.
+Or, when the literal text \fBnone\fR is given, remove any previous addresses.
.TP
\fBtsig_name tsig_alg tsig_hmac\fR
diff --git a/examples/ldns-update.c b/examples/ldns-update.c
index af4dd02a5438..c6782036507d 100644
--- a/examples/ldns-update.c
+++ b/examples/ldns-update.c
@@ -262,7 +262,7 @@ main(int argc, char **argv)
ldns_tsig_credentials tsig_cr, *tsig_cred;
int c = 2;
uint32_t defttl = 300;
- uint32_t port = 5353;
+ uint32_t port = 53;
prog = strdup(argv[0]);
diff --git a/examples/ldns-verify-zone.1.in b/examples/ldns-verify-zone.1.in
index e03b7003eb79..2cee807f250c 100644
--- a/examples/ldns-verify-zone.1.in
+++ b/examples/ldns-verify-zone.1.in
@@ -49,7 +49,7 @@ Defaults to 100.
.TP
\fB-S\fR
Chase signature(s) to a known key.
-The network may be accessed to validate the zone's DNSKEYs. (implies -k)
+The network may be accessed to validate the zone's DNSKEYs. (implies \-k)
.TP
\fB-t\fR \fIYYYYMMDDhhmmss | [+|-]offset\fR
diff --git a/examples/ldns-verify-zone.c b/examples/ldns-verify-zone.c
index 156eb649196e..8a438cef9251 100644
--- a/examples/ldns-verify-zone.c
+++ b/examples/ldns-verify-zone.c
@@ -55,7 +55,7 @@ print_type(FILE* stream, ldns_rr_type type)
}
}
-ldns_status
+static ldns_status
read_key_file(const char *filename, ldns_rr_list *keys)
{
ldns_status status = LDNS_STATUS_ERR;
@@ -655,6 +655,46 @@ error:
return result;
}
+static void print_usage(FILE *out, const char *progname)
+{
+ fprintf(out, "Usage: %s [OPTIONS] <zonefile>\n", progname);
+ fprintf(out, "\tReads the zonefile and checks for DNSSEC errors.\n");
+ fprintf(out, "\nIt checks whether NSEC(3)s are present, "
+ "and verifies all signatures\n");
+ fprintf(out, "It also checks the NSEC(3) chain, but it "
+ "will error on opted-out delegations\n");
+ fprintf(out, "\nOPTIONS:\n");
+ fprintf(out, "\t-h\t\tshow this text\n");
+ fprintf(out, "\t-a\t\tapex only, check only the zone apex\n");
+ fprintf(out, "\t-e <period>\tsignatures may not expire "
+ "within this period.\n\t\t\t"
+ "(default no period is used)\n");
+ fprintf(out, "\t-i <period>\tsignatures must have been "
+ "valid at least this long.\n\t\t\t"
+ "(default signatures should just be valid now)\n");
+ fprintf(out, "\t-k <file>\tspecify a file that contains a "
+ "trusted DNSKEY or DS rr.\n\t\t\t"
+ "This option may be given more than once.\n"
+ "\t\t\tDefault is %s\n", LDNS_TRUST_ANCHOR_FILE);
+ fprintf(out, "\t-p [0-100]\tonly checks this percentage of "
+ "the zone.\n\t\t\tDefaults to 100\n");
+ fprintf(out, "\t-S\t\tchase signature(s) to a known key. "
+ "The network may be\n\t\t\taccessed to "
+ "validate the zone's DNSKEYs. (implies -k)\n");
+ fprintf(out, "\t-t YYYYMMDDhhmmss | [+|-]offset\n\t\t\t"
+ "set the validation time either by an "
+ "absolute time\n\t\t\tvalue or as an "
+ "offset in seconds from <now>.\n\t\t\t"
+ "For data that came from the network (while "
+ "chasing),\n\t\t\tsystem time will be used "
+ "for validating it regardless.\n");
+ fprintf(out, "\t-v\t\tshows the version and exits\n");
+ fprintf(out, "\t-V [0-5]\tset verbosity level (default 3)\n");
+ fprintf(out, "\n<period>s are given in ISO 8601 duration format: "
+ "P[n]Y[n]M[n]DT[n]H[n]M[n]S\n");
+ fprintf(out, "\nif no file is given standard input is read\n");
+}
+
int
main(int argc, char **argv)
{
@@ -671,6 +711,7 @@ main(int argc, char **argv)
ldns_duration_type *duration;
ldns_rr_list *keys = ldns_rr_list_new();
size_t nkeys = 0;
+ const char *progname = argv[0];
check_time = ldns_time(NULL);
myout = stdout;
@@ -682,48 +723,7 @@ main(int argc, char **argv)
apexonly = true;
break;
case 'h':
- printf("Usage: %s [OPTIONS] <zonefile>\n", argv[0]);
- printf("\tReads the zonefile and checks for DNSSEC "
- "errors.\n");
- printf("\nIt checks whether NSEC(3)s are present, "
- "and verifies all signatures\n");
- printf("It also checks the NSEC(3) chain, but it "
- "will error on opted-out delegations\n");
- printf("\nOPTIONS:\n");
- printf("\t-h\t\tshow this text\n");
- printf("\t-a\t\tapex only, "
- "check only the zone apex\n");
- printf("\t-e <period>\tsignatures may not expire "
- "within this period.\n\t\t\t"
- "(default no period is used)\n");
- printf("\t-i <period>\tsignatures must have been "
- "valid at least this long.\n\t\t\t"
- "(default signatures should just be valid "
- "now)\n");
- printf("\t-k <file>\tspecify a file that contains a "
- "trusted DNSKEY or DS rr.\n\t\t\t"
- "This option may be given more than once.\n"
- "\t\t\tDefault is %s", LDNS_TRUST_ANCHOR_FILE);
- printf("\t-p [0-100]\tonly checks this percentage of "
- "the zone.\n\t\t\tDefaults to 100\n");
- printf("\t-S\t\tchase signature(s) to a known key. "
- "The network may be\n\t\t\taccessed to "
- "validate the zone's DNSKEYs. (implies -k)\n");
- printf("\t-t YYYYMMDDhhmmss | [+|-]offset\n\t\t\t"
- "set the validation time either by an "
- "absolute time\n\t\t\tvalue or as an "
- "offset in seconds from <now>.\n\t\t\t"
- "For data that came from the network (while "
- "chasing),\n\t\t\tsystem time will be used "
- "for validating it regardless.\n");
- printf("\t-v\t\tshows the version and exits\n");
- printf("\t-V [0-5]\tset verbosity level (default 3)\n"
- );
- printf("\n<period>s are given "
- "in ISO 8601 duration format: "
- "P[n]Y[n]M[n]DT[n]H[n]M[n]S\n");
- printf("\nif no file is given "
- "standard input is read\n");
+ print_usage(stdout, progname);
exit(EXIT_SUCCESS);
break;
case 'e':
@@ -833,7 +833,7 @@ main(int argc, char **argv)
if (argc == 0) {
fp = stdin;
- } else {
+ } else if (argc == 1) {
filename = argv[0];
fp = fopen(filename, "r");
@@ -844,6 +844,9 @@ main(int argc, char **argv)
}
exit(EXIT_FAILURE);
}
+ } else {
+ print_usage(stderr, progname);
+ exit(EXIT_FAILURE);
}
s = ldns_dnssec_zone_new_frm_fp_l(&dnssec_zone, fp, NULL, 0,
diff --git a/examples/ldns-walk.c b/examples/ldns-walk.c
index da0f74db350c..2afe24e24aed 100644
--- a/examples/ldns-walk.c
+++ b/examples/ldns-walk.c
@@ -27,7 +27,7 @@ usage(FILE *fp, char *prog) {
return 0;
}
-ldns_rdf *
+static ldns_rdf *
create_dname_plus_1(ldns_rdf *dname)
{
uint8_t *wire;
@@ -94,7 +94,7 @@ create_dname_plus_1(ldns_rdf *dname)
return newdname;
}
-ldns_rdf *
+static ldns_rdf *
create_plus_1_dname(ldns_rdf *dname)
{
ldns_rdf *label;
@@ -120,7 +120,7 @@ create_plus_1_dname(ldns_rdf *dname)
return label;
}
-ldns_status
+static ldns_status
query_type_bitmaps(ldns_resolver *res,
uint16_t res_flags,
const ldns_rdf *name,
@@ -259,7 +259,7 @@ main(int argc, char *argv[])
full = true;
} else if (strncmp(argv[i], "-s", 3) == 0) {
if (i + 1 < argc) {
- if (!ldns_str2rdf_dname(&startpoint, argv[i + 1]) == LDNS_STATUS_OK) {
+ if (ldns_str2rdf_dname(&startpoint, argv[i + 1]) != LDNS_STATUS_OK) {
printf("Bad start point name: %s\n", argv[i + 1]);
exit(1);
}
diff --git a/examples/ldnsd.c b/examples/ldnsd.c
index 77c5dd5c628d..c742f04d9445 100644
--- a/examples/ldnsd.c
+++ b/examples/ldnsd.c
@@ -30,7 +30,7 @@
#define INBUF_SIZE 4096
-void usage(FILE *output)
+static void usage(FILE *output)
{
fprintf(output, "Usage: ldnsd <address> <port> <zone> <zonefile>\n");
fprintf(output, "Listens on the specified port and answers queries for the given zone\n");
@@ -63,7 +63,7 @@ static int udp_bind(int sock, int port, const char *my_address)
}
/* this will probably be moved to a better place in the library itself */
-ldns_rr_list *
+static ldns_rr_list *
get_rrset(const ldns_zone *zone, const ldns_rdf *owner_name, const ldns_rr_type qtype, const ldns_rr_class qclass)
{
uint16_t i;