dns_client: check whether ssl cert is loaded.

2021-01-28 01:35:26 +08:00
parent 328f44e800
commit f2fc970561
5 changed files with 27 additions and 31 deletions
--- a/src/dns.c
+++ b/src/dns.c
@@ -253,11 +253,8 @@ static int _dns_add_qr_head(struct dns_data_context *data_context, char *domain,
 		return -1;
 	}

-	*((unsigned short *)(data_context->ptr)) = qtype;
-	data_context->ptr += 2;
-
-	*((unsigned short *)(data_context->ptr)) = qclass;
-	data_context->ptr += 2;
+	_dns_write_short(&data_context->ptr, qtype);
+	_dns_write_short(&data_context->ptr, qclass);

 	return 0;
 }
@@ -266,6 +263,10 @@ static int _dns_get_qr_head(struct dns_data_context *data_context, char *domain,
 {
 	int i;
 	int is_read_all = 0;
+
+	if (domain == NULL || data_context == NULL) {
+		return -1;
+	}
 	/* question head */
 	/* |domain         |
 	 * |qtype | qclass |
@@ -296,11 +297,8 @@ static int _dns_get_qr_head(struct dns_data_context *data_context, char *domain,
 		return -1;
 	}

-	*qtype = *((unsigned short *)(data_context->ptr));
-	data_context->ptr += 2;
-
-	*qclass = *((unsigned short *)(data_context->ptr));
-	data_context->ptr += 2;
+	*qtype = _dns_read_short(&data_context->ptr);
+	*qclass = _dns_read_short(&data_context->ptr);

 	return 0;
 }
@@ -325,11 +323,8 @@ static int _dns_add_rr_head(struct dns_data_context *data_context, char *domain,
 		return -1;
 	}

-	*((unsigned int *)(data_context->ptr)) = ttl;
-	data_context->ptr += 4;
-
-	*((unsigned short *)(data_context->ptr)) = rr_len;
-	data_context->ptr += 2;
+	_dns_write_int(&data_context->ptr, ttl);
+	_dns_write_short(&data_context->ptr, rr_len);

 	return 0;
 }
@@ -351,11 +346,8 @@ static int _dns_get_rr_head(struct dns_data_context *data_context, char *domain,
 		return -1;
 	}

-	*ttl = *((unsigned int *)(data_context->ptr));
-	data_context->ptr += 4;
-
-	*rr_len = *((unsigned short *)(data_context->ptr));
-	data_context->ptr += 2;
+	*ttl = _dns_read_int(&data_context->ptr);
+	*rr_len = _dns_read_short(&data_context->ptr);

 	return len;
 }
--- a/src/dns_client.c
+++ b/src/dns_client.c
@@ -850,11 +850,15 @@ static int _dns_client_set_trusted_cert(SSL_CTX *ssl_ctx)
 	}

 	if (cafile == NULL && capath == NULL) {
-		if (SSL_CTX_set_default_verify_paths(ssl_ctx) == 0) {
+		if (SSL_CTX_set_default_verify_paths(ssl_ctx)) {
+			cert_path_set = 1;
+		}
+
+		const STACK_OF(X509_NAME) *cas = SSL_CTX_get_client_CA_list(ssl_ctx);
+		if (cas && sk_X509_NAME_num(cas) == 0) {
 			cafile = "/etc/ssl/certs/ca-certificates.crt";
 			capath = "/etc/ssl/certs";
-		} else {
-			cert_path_set = 1;
+			cert_path_set = 0;
 		}
 	}

@@ -2362,7 +2366,7 @@ static int _dns_client_tls_verify(struct dns_server_info *server_info)
 			pthread_mutex_unlock(&server_info->lock);
 			peer_CN[0] = '\0';
 			_dns_client_tls_get_cert_CN(cert, peer_CN, sizeof(peer_CN));
-			tlog(TLOG_WARN, "peer server %s certificate verify failed", server_info->ip);
+			tlog(TLOG_WARN, "peer server %s certificate verify failed, ret = %ld", server_info->ip, res);
 			tlog(TLOG_WARN, "peer CN: %s", peer_CN);
 			goto errout;
 		}
@@ -3108,6 +3112,7 @@ static void _dns_client_add_pending_servers(void)
 			if (add_success == 0) {
 				tlog(TLOG_WARN, "add pending DNS server %s failed.", pending->host);
 			}
+			list_del_init(&pending->list);
 			_dns_client_server_pending_release_lck(pending);
 		} else {
 			tlog(TLOG_DEBUG, "add pending DNS server %s failed, retry %d...", pending->host, pending->retry_cnt);
--- a/src/dns_conf.c
+++ b/src/dns_conf.c
@@ -516,6 +516,7 @@ static int _config_domain_rule_flag_set(char *domain, unsigned int flag, unsigne
 	/* add new rule to domain */
 	if (domain_rule->rules[DOMAIN_RULE_FLAGS] == NULL) {
 		rule_flags = malloc(sizeof(*rule_flags));
+		memset(rule_flags, 0, sizeof(*rule_flags));
 		rule_flags->flags = 0;
 		domain_rule->rules[DOMAIN_RULE_FLAGS] = rule_flags;
 	}
--- a/src/dns_server.c
+++ b/src/dns_server.c
@@ -2451,16 +2451,14 @@ static int _dns_server_process_cache(struct dns_request *request)
 		goto out;
 	}

-	if (request->qtype == DNS_T_A) {
-		if (dns_cache_is_soa(dns_cache)) {
-			ret = _dns_server_reply_SOA(DNS_RC_NOERROR, request);
-			goto out;
-		}
+	if (dns_cache_is_soa(dns_cache)) {
+		ret = _dns_server_reply_SOA(DNS_RC_NOERROR, request);
+		goto out;
 	}

 	if (request->dualstack_selection && request->qtype == DNS_T_AAAA) {
 		dns_cache_A = dns_cache_lookup(request->domain, DNS_T_A);
-		if (dns_cache_A && (dns_cache_A->info.speed > 0)) {
+		if (dns_cache_A && dns_cache_is_soa(dns_cache_A) == 0 && (dns_cache_A->info.speed > 0)) {
 			if ((dns_cache_A->info.speed + (dns_conf_dualstack_ip_selection_threshold * 10)) < dns_cache->info.speed ||
 				dns_cache->info.speed < 0) {
 				tlog(TLOG_DEBUG, "Force IPV4 perfered.");
--- a/src/util.c
+++ b/src/util.c
@@ -936,7 +936,7 @@ void get_compiled_time(struct tm *tm)
 	int hour, min, sec;
 	static const char *month_names = "JanFebMarAprMayJunJulAugSepOctNovDec";

-	sscanf(__DATE__, "%5s %d %d", s_month, &day, &year);
+	sscanf(__DATE__, "%4s %d %d", s_month, &day, &year);
 	month = (strstr(month_names, s_month) - month_names) / 3;
 	sscanf(__TIME__, "%d:%d:%d", &hour, &min, &sec);
 	tm->tm_year = year - 1900;