authorWillem Toorop <willem@NLnetLabs.nl>2012-10-16 13:59:41 +0200
committerWillem Toorop <willem@NLnetLabs.nl>2012-10-16 13:59:41 +0200
commit25b494b756647bb06755e305c6eddaf7f1819aab (patch)
treef2e5cb9d3af62f1c6fa60c62069adc84d9409c34
parent864ca5b149f6c9e8abe6293ae0b8c816d2e8914a (diff)
Merge in 1.6.14rc2 changes:
- Paul Wouter's suggestion to have a create and a verify option to ldns-dane, and a configurable CAfile, CApath and trust anchor
- Get rid of doxygen-1.8 warnings
-rw-r--r--Changelog7
-rw-r--r--configure.ac48
-rw-r--r--drill/configure.ac17
-rw-r--r--drill/drill.c4
-rw-r--r--drill/drill.h4
-rw-r--r--examples/Makefile.in7
-rw-r--r--examples/configure.ac42
-rw-r--r--examples/ldns-dane.1.in (renamed from examples/ldns-dane.1)40
-rw-r--r--examples/ldns-dane.c203
-rw-r--r--examples/ldns-test-edns.c24
-rw-r--r--examples/ldns-verify-zone.1.in (renamed from examples/ldns-verify-zone.1)13
-rw-r--r--examples/ldns-verify-zone.c27
-rw-r--r--ldns/common.h.in2
-rw-r--r--ldns/dname.h2
-rw-r--r--ldns/dnssec.h1
-rw-r--r--ldns/dnssec_verify.h1
-rw-r--r--ldns/rdata.h2
-rw-r--r--ldns/resolver.h4
-rw-r--r--libdns.doxygen187
19 files changed, 473 insertions, 162 deletions
diff --git a/Changelog b/Changelog
index 3e1a7c11..483ee09a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,9 @@
1.6.14
* DANE support (RFC6698), including ldns-dane example tool.
- * A default key for drill when none is given
+ * Configurable default CA certificate repository for ldns-dane with
+ --with-ca-file=CAFILE and --with-ca-path=CAPATH
+ * Configurable default trust anchor with --with-trust-anchor=FILE
+ for drill, ldns-verify-zone and ldns-dane
* bugfix #474: Define socklen_t when undefined (like in Win32)
* bugfix #473: Dead code removal and resource leak fix in drill
* bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too.
@@ -14,7 +17,7 @@
now documented in their own Changelog.
* bugfix: Make ldns_resolver_pop_nameserver clear the array when
there was only one.
- * bugfix #459: Export only symbols defined in ldns_symbols
+ * bugfix #459: Remove ldns_symbols and export symbols based on regex
* bugfix #458: Track all newly created signatures when signing.
* bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given.
* bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm.
diff --git a/configure.ac b/configure.ac
index 082e74a3..ee6e6858 100644
--- a/configure.ac
+++ b/configure.ac
@@ -141,12 +141,14 @@ This does not work with the --with-examples option.
Please remove the config.h from the examples subdirectory
or do not use the --with-examples option.])
fi
+ EXAMPLES_CONFIG=" examples/ldns-dane.1 examples/ldns-verify-zone.1"
else
AC_SUBST(EXAMPLES,[""])
AC_SUBST(INSTALL_EXAMPLES,[""])
AC_SUBST(UNINSTALL_EXAMPLES,[""])
AC_SUBST(CLEAN_EXAMPLES,[""])
AC_SUBST(LINT_EXAMPLES,[""])
+ EXAMPLES_CONFIG=""
fi
# add option to disable installation of ldns-config script
@@ -518,15 +520,43 @@ fi
AC_DEFINE([SYSCONFDIR], [sysconfdir], [System configuration dir])
-AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=[KEYFILE]],
-[Default location of the trust anchor file for drill. [default=SYSCONFDIR/unbound/root.key]]), [
-AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${with_trust_anchor}])
+AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=KEYFILE], [Default location of the trust anchor file for drill and ldns-dane. [default=SYSCONFDIR/unbound/root.key]]), [
+ LDNS_TRUST_ANCHOR_FILE="$withval"
],[
-if test "x$sysconfdir" = 'x${prefix}/etc' ; then
-AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${prefix}/etc/unbound/root.key])
-else
-AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${sysconfdir}/unbound/root.key])
-fi
+ if test "x$LDNS_TRUST_ANCHOR_FILE" = "x"; then
+ if test "x$sysconfdir" = 'x${prefix}/etc' ; then
+ if test "x$prefix" = 'xNONE' ; then
+ LDNS_TRUST_ANCHOR_FILE="/etc/unbound/root.key"
+ else
+ LDNS_TRUST_ANCHOR_FILE="${prefix}/etc/unbound/root.key"
+ fi
+ else
+ LDNS_TRUST_ANCHOR_FILE="${sysconfdir}/unbound/root.key"
+ fi
+ fi
+])
+AC_DEFINE_UNQUOTED([LDNS_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file])
+AC_SUBST(LDNS_TRUST_ANCHOR_FILE)
+AC_MSG_NOTICE([Default trust anchor: $LDNS_TRUST_ANCHOR_FILE])
+
+AC_ARG_WITH(ca-file, AC_HELP_STRING([--with-ca-file=CAFILE], [File containing CA certificates for ldns-dane]), [
+ AC_DEFINE([HAVE_DANE_CA_FILE], [1], [Is a CAFILE given at configure time])
+ AC_DEFINE_UNQUOTED([LDNS_DANE_CA_FILE], ["$withval"], [Is a CAFILE given at configure time])
+ AC_MSG_NOTICE([Using CAfile: $withval])
+ AC_SUBST(DEFAULT_CAFILE, ["Default is $withval"])
+],[
+ AC_DEFINE([HAVE_DANE_CA_FILE], [0], [Is a CAFILE given at configure time])
+ AC_SUBST(DEFAULT_CAFILE, [])
+])
+
+AC_ARG_WITH(ca-path, AC_HELP_STRING([--with-ca-path=CAPATH], [Directory containing CA certificate files for ldns-dane]), [
+ AC_DEFINE([HAVE_DANE_CA_PATH], [1], [Is a CAPATH given at configure time])
+ AC_DEFINE_UNQUOTED([LDNS_DANE_CA_PATH], ["$withval"], [Is a CAPATH given at configure time])
+ AC_MSG_NOTICE([Using CApath: $withval])
+ AC_SUBST(DEFAULT_CAPATH, ["Default is $withval"])
+],[
+ AC_DEFINE([HAVE_DANE_CA_PATH], [0], [Is a CAPATH given at configure time])
+ AC_SUBST(DEFAULT_CAPATH, [])
])
AH_BOTTOM([
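Review bot: The action-if-given branches of the new `--with-ca-file` and `--with-ca-path` options (and the rewritten `--with-trust-anchor`) store `$withval` unchecked, so `--without-ca-file` or a bare `--with-ca-file` define HAVE_DANE_CA_FILE to 1 with LDNS_DANE_CA_FILE set to the literal "no" or "yes", which ldns-dane.c then adopts as its default CAfile. Guard each branch with `if test "x$withval" != "xyes" -a "x$withval" != "xno"; then` and fall back to the not-given defaults otherwise. The same pattern is repeated in the examples/configure.ac and drill/configure.ac hunks. The AC_DEFINE_UNQUOTED descriptions for LDNS_DANE_CA_FILE and LDNS_DANE_CA_PATH are copies of the HAVE_ ones; `[Default CA certificate file for ldns-dane]` and `[Default CA certificate directory for ldns-dane]` describe the macros.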
@@ -685,7 +715,7 @@ else
AC_SUBST(ldns_build_config_have_attr_unused, 0)
fi
-CONFIG_FILES="Makefile ldns/common.h ldns/net.h ldns/util.h packaging/libldns.pc packaging/ldns-config $DRILL_CONFIG"
+CONFIG_FILES="Makefile ldns/common.h ldns/net.h ldns/util.h packaging/libldns.pc packaging/ldns-config $DRILL_CONFIG $EXAMPLES_CONFIG"
AC_SUBST(CONFIG_FILES)
AC_CONFIG_FILES([$CONFIG_FILES])
diff --git a/drill/configure.ac b/drill/configure.ac
index a135e173..7a3e556c 100644
--- a/drill/configure.ac
+++ b/drill/configure.ac
@@ -177,19 +177,10 @@ fi
AC_SUBST(LDNSDIR)
-if test -f $LDNSDIR/ldns/common.h && \
- grep LDNS_TRUST_ANCHOR_FILE $LDNSDIR/ldns/common.h >/dev/null; then
- LDNS_TRUST_ANCHOR_FILE=`grep LDNS_TRUST_ANCHOR_FILE $LDNSDIR/ldns/common.h | sed -e 's/^.*"\(.*\)".*$/\1/'`
-else
- LDNS_TRUST_ANCHOR_FILE=""
-fi
-
-AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=[KEYFILE]],
-[Default location of the trust anchor file. [default=LDNS_TRUST_ANCHOR_FILE or SYSCONFDIR/unbound/root.key]]), [
- AC_DEFINE([HAVE_DRILL_TRUST_ANCHOR], [1], [Is the trust anchor file explicitely given at configure time])
+AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=KEYFILE],
+[Default location of the trust anchor file. [default=SYSCONFDIR/unbound/root.key]]), [
LDNS_TRUST_ANCHOR_FILE="$withval"
],[
- AC_DEFINE([HAVE_DRILL_TRUST_ANCHOR], [0], [Is the trust anchor file explicitely given at configure time])
if test "x$LDNS_TRUST_ANCHOR_FILE" = "x"; then
if test "x$sysconfdir" = 'x${prefix}/etc' ; then
if test "x$prefix" = 'xNONE' ; then
@@ -202,9 +193,9 @@ AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=[KEYFILE]],
fi
fi
])
-
-AC_DEFINE_UNQUOTED([DRILL_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file])
+AC_DEFINE_UNQUOTED([LDNS_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file])
AC_SUBST(LDNS_TRUST_ANCHOR_FILE)
+AC_MSG_NOTICE([Default trust anchor: $LDNS_TRUST_ANCHOR_FILE])
AH_BOTTOM([
diff --git a/drill/drill.c b/drill/drill.c
index 1de72de7..f24405be 100644
--- a/drill/drill.c
+++ b/drill/drill.c
@@ -404,7 +404,9 @@ main(int argc, char *argv[])
argc -= optind;
argv += optind;
- if (qdnssec && ldns_rr_list_rr_count(key_list) == 0) {
+ if ((qdnssec || PURPOSE == DRILL_CHASE) &&
+ ldns_rr_list_rr_count(key_list) == 0) {
+
(void) read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true);
}
if (ldns_rr_list_rr_count(key_list) > 0) {
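Review bot: The status returned by read_key_file() for the default anchor is discarded, so when LDNS_TRUST_ANCHOR_FILE is missing or unreadable in chase mode nothing is reported and the chase continues with an empty key_list (main() continues outside the hunk, so what the chase does without keys is not visible here). A verbosity-gated warning after the call when `ldns_rr_list_rr_count(key_list)` is still 0, naming the file that was tried, would tell the operator why validation has no anchor. The stray blank line added between the condition and the call can also be dropped.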
diff --git a/drill/drill.h b/drill/drill.h
index e7eacbc3..0746fe7b 100644
--- a/drill/drill.h
+++ b/drill/drill.h
@@ -12,10 +12,6 @@
#include "drill_util.h"
-#ifndef LDNS_TRUST_ANCHOR_FILE
-#define LDNS_TRUST_ANCHOR_FILE DRILL_TRUST_ANCHOR_FILE
-#endif
-
#define DRILL_VERSION PACKAGE_VERSION
/* what kind of stuff do we allow */
diff --git a/examples/Makefile.in b/examples/Makefile.in
index e17f2181..4d867ca6 100644
--- a/examples/Makefile.in
+++ b/examples/Makefile.in
@@ -157,11 +157,12 @@ clean:
realclean: clean
rm -rf autom4te.cache/
- rm -f config.log config.status aclocal.m4 config.h.in configure Makefile
- rm -f config.h
+ rm -f config.log config.status aclocal.m4 config.h.in configure
+ rm -f config.h ldns-dane.1 ldns-verify-zone.1 Makefile
confclean: clean
- rm -rf config.log config.status config.h Makefile
+ rm -rf config.log config.status
+ rm -f config.h ldns-dane.1 ldns-verify-zone.1 Makefile
install: $(PROGRAMS) $(SSL_PROGRAMS)
$(INSTALL) -d -m 755 $(DESTDIR)$(bindir)
diff --git a/examples/configure.ac b/examples/configure.ac
index 0e27eecd..3fbf5bf5 100644
--- a/examples/configure.ac
+++ b/examples/configure.ac
@@ -315,13 +315,51 @@ if test -f $ldns_dev_dir/ldns/util.h && \
else
AC_MSG_RESULT([no])
AC_CHECK_LIB(ldns, ldns_rr_new,, [
- AC_MSG_ERROR([Can't find ldns library])
+ AC_MSG_ERROR([Can't find ldns library])dnl'
]
)
fi
AC_SUBST(LDNSDIR)
+AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=KEYFILE], [Default location of the trust anchor file for drill and ldns-dane. [default=SYSCONFDIR/unbound/root.key]]), [
+ LDNS_TRUST_ANCHOR_FILE="$withval"
+],[
+ if test "x$LDNS_TRUST_ANCHOR_FILE" = "x"; then
+ if test "x$sysconfdir" = 'x${prefix}/etc' ; then
+ if test "x$prefix" = 'xNONE' ; then
+ LDNS_TRUST_ANCHOR_FILE="/etc/unbound/root.key"
+ else
+ LDNS_TRUST_ANCHOR_FILE="${prefix}/etc/unbound/root.key"
+ fi
+ else
+ LDNS_TRUST_ANCHOR_FILE="${sysconfdir}/unbound/root.key"
+ fi
+ fi
+])
+AC_DEFINE_UNQUOTED([LDNS_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file])
+AC_SUBST(LDNS_TRUST_ANCHOR_FILE)
+AC_MSG_NOTICE([Default trust anchor: $LDNS_TRUST_ANCHOR_FILE])
+
+AC_ARG_WITH(ca-file, AC_HELP_STRING([--with-ca-file=CAFILE], [File containing CA certificates for ldns-dane]), [
+ AC_DEFINE([HAVE_DANE_CA_FILE], [1], [Is a CAFILE given at configure time])
+ AC_DEFINE_UNQUOTED([LDNS_DANE_CA_FILE], ["$withval"], [Is a CAFILE given at configure time])
+ AC_MSG_NOTICE([Using CAfile: $withval])
+ AC_SUBST(DEFAULT_CAFILE, ["Default is $withval"])
+],[
+ AC_DEFINE([HAVE_DANE_CA_FILE], [0], [Is a CAFILE given at configure time])
+ AC_SUBST(DEFAULT_CAFILE, [])
+])
+
+AC_ARG_WITH(ca-path, AC_HELP_STRING([--with-ca-path=CAPATH], [Directory containing CA certificate files for ldns-dane]), [
+ AC_DEFINE([HAVE_DANE_CA_PATH], [1], [Is a CAPATH given at configure time])
+ AC_DEFINE_UNQUOTED([LDNS_DANE_CA_PATH], ["$withval"], [Is a CAPATH given at configure time])
+ AC_MSG_NOTICE([Using CApath: $withval])
+ AC_SUBST(DEFAULT_CAPATH, ["Default is $withval"])
+],[
+ AC_DEFINE([HAVE_DANE_CA_PATH], [0], [Is a CAPATH given at configure time])
+ AC_SUBST(DEFAULT_CAPATH, [])
+])
AH_BOTTOM([
@@ -418,6 +456,6 @@ extern int optind, opterr;
#endif
])
-AC_CONFIG_FILES([Makefile])
+AC_CONFIG_FILES([Makefile ldns-dane.1 ldns-verify-zone.1])
AC_CONFIG_HEADER([config.h])
AC_OUTPUT
diff --git a/examples/ldns-dane.1 b/examples/ldns-dane.1.in
index 52472302..8f05d7f6 100644
--- a/examples/ldns-dane.1
+++ b/examples/ldns-dane.1.in
@@ -5,6 +5,7 @@ ldns-dane \- verify or create TLS authentication with DANE (RFC6698)
.PD 0
.B ldns-dane
.IR [OPTIONS]
+.IR verify
.IR name
.IR port
.PP
@@ -12,14 +13,21 @@ ldns-dane \- verify or create TLS authentication with DANE (RFC6698)
.IR [OPTIONS]
.IR -t
.IR tlsafile
+.IR verify
.B ldns-dane
.IR [OPTIONS]
.IR name
.IR port
+.IR create
+.PP
+ [
.IR Certificate-usage
+[
.IR Selector
+[
.IR Matching-type
+] ] ]
.B ldns-dane
.IR -h
@@ -54,13 +62,13 @@ Service certificate constraint
.IP 2
Trust anchor assertion
.IP 3
-Domain-issued certificate
+Domain-issued certificate (default)
.RE
.I Selector\fR:
.RS
.IP 0
-Full certificate
+Full certificate (default)
.IP 1
SubjectPublicKeyInfo
.RE
@@ -70,7 +78,7 @@ SubjectPublicKeyInfo
.IP 0
No hash used
.IP 1
-SHA-256
+SHA-256 (default)
.IP 2
SHA-512
.RE
@@ -98,17 +106,20 @@ TLSA records) for the certificate (chain) in \fIcertfile\fR instead.
Assume DNSSEC validity even when the TLSA records were acquired insecure
or were bogus.
.IP "-f \fICAfile\fR"
-Use CAfile to validate.
+Use CAfile to validate. @DEFAULT_CAFILE@
.IP -h
Print short usage help
.IP -i
Interact after connecting.
.IP "-k \fIkeyfile\fR"
Specify a file that contains a trusted DNSKEY or DS rr.
-Without a trusted DNSKEY, the local network is trusted to provide
-a DNSSEC resolver (i.e. AD bit is checked).
+Key(s) are used when chasing signatures (i.e. \fI-S\fR is given).
This option may be given more than once.
+
+Alternatively, if \fB-k\fR is not specified, and a default trust anchor
+(@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record,
+it will be used as the trust anchor.
.IP -n
Do \fBnot\fR verify server name in certificate.
.IP "-o \fIoffset\fR"
@@ -122,7 +133,7 @@ is used (like with 0) that MUST be self-signed. This can help to make
sure that the intended (self signed) trust anchor is actually present
in the server certificate chain (which is a DANE requirement).
.IP "-p \fICApath\fR"
-Use certificates in the \fICApath\fR directory to validate.
+Use certificates in the \fICApath\fR directory to validate. @DEFAULT_CAPATH@
.IP -s
When creating TLSA resource records with the "CA Constraint" and the
"Service Certificate Constraint" certificate usage, do not validate and
@@ -130,6 +141,11 @@ assume PKIX is valid.
For "CA Constraint" this means that verification should end with a
self-signed certificate.
+.IP -S
+Chase signature(s) to a known key.
+
+Without this option, the local network is trusted to provide
+a DNSSEC resolver (i.e. AD bit is checked).
.IP "-t \fItlsafile\fR"
Read TLSA record(s) from \fItlsafile\fR. When \fIname\fR and \fIport\fR
are also given, only TLSA records that match the \fIname\fR, \fIport\fR and
@@ -140,6 +156,16 @@ Use UDP transport instead of TCP.
.IP -v
Show version and exit.
+.SH "FILES"
+.TP
+@LDNS_TRUST_ANCHOR_FILE@
+The file from which trusted keys are loaded for signature chasing,
+when no \fB-k\fR option is given.
+
+.SH "SEE ALSO"
+.LP
+unbound-anchor(8)
+
.SH AUTHOR
Written by the ldns team as an example for ldns usage.
diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c
index 9f38c3c8..f5c86b4e 100644
--- a/examples/ldns-dane.c
+++ b/examples/ldns-dane.c
@@ -42,28 +42,28 @@
void
print_usage(const char* progname)
{
- printf("Usage: %s [OPTIONS] <name> <port>\n", progname);
- printf(" or: %s [OPTIONS] -t <tlsafile>\n", progname);
+ printf("Usage: %s [OPTIONS] verify <name> <port>\n", progname);
+ printf(" or: %s [OPTIONS] -t <tlsafile> verify\n", progname);
printf("\n\tVerify the TLS connection at <name>:<port> or"
"\n\tuse TLSA record(s) from <tlsafile> to verify the\n"
"\tTLS service they reference.\n");
- printf("\n or: %s [OPTIONS] <name> <port> <cert usage> <selector> "
- "<match type>\n", progname);
+ printf("\n or: %s [OPTIONS] create <name> <port> [<usage> "
+ "[<selector> [<type>]]]\n", progname);
printf("\n\tUse the TLS connection(s) to <name> <port> "
"to create the TLSA\n\t"
"resource record(s) that would "
"authenticate the connection.\n");
- printf("\n\t<cert usage>"
- "\t0: CA constraint\n"
+ printf("\n\t<usage>"
+ "\t\t0: CA constraint\n"
"\t\t\t1: Service certificate constraint\n"
"\t\t\t2: Trust anchor assertion\n"
- "\t\t\t3: Domain-issued certificate\n");
+ "\t\t\t3: Domain-issued certificate (default)\n");
printf("\n\t<selector>"
- "\t0: Full certificate\n"
+ "\t0: Full certificate (default)\n"
"\t\t\t1: SubjectPublicKeyInfo\n");
- printf("\n\t<match type>"
- "\t0: No hash used\n"
- "\t\t\t1: SHA-256\n"
+ printf("\n\t<type>"
+ "\t\t0: No hash used\n"
+ "\t\t\t1: SHA-256 (default)\n"
"\t\t\t2: SHA-512\n");
printf("OPTIONS:\n");
@@ -81,10 +81,15 @@ print_usage(const char* progname)
);
printf("\t-d\t\tassume DNSSEC validity even when insecure or bogus\n");
printf("\t-f <CAfile>\tuse CAfile to validate\n");
+#if HAVE_DANE_CA_FILE
+ printf("\t\t\tDefault is %s\n", LDNS_DANE_CA_FILE);
+#endif
printf("\t-i\t\tinteract after connecting\n");
printf("\t-k <keyfile>\t"
"use DNSKEY/DS rr(s) in <keyfile> to validate TLSAs\n"
+ "\t\t\twhen signature chasing (i.e. -S)\n"
);
+ printf("\t\t\tDefault is %s\n", LDNS_TRUST_ANCHOR_FILE);
printf("\t-n\t\tdo *not* verify server name in certificate\n");
printf("\t-o <offset>\t"
"select <offset>th certificate from the end of\n"
@@ -93,7 +98,11 @@ print_usage(const char* progname)
printf("\t-p <CApath>\t"
"use certificates in the <CApath> directory to validate\n"
);
+#if HAVE_DANE_CA_PATH
+ printf("\t\t\tDefaults is %s\n", LDNS_DANE_CA_PATH);
+#endif
printf("\t-s\t\tassume PKIX validity\n");
+ printf("\t-S\t\tChase signature(s) to a known key\n");
printf("\t-t <tlsafile>\tdo not use DNS, "
"but read TLSA record(s) from <tlsafile>\n"
);
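Review bot: The usage text added for -p reads `"\t\t\tDefaults is %s\n"` while the -f text in the previous hunk says "Default is"; change it to `printf("\t\t\tDefault is %s\n", LDNS_DANE_CA_PATH);`. print_usage() continues past the end of the hunk.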
@@ -501,8 +510,6 @@ read_key_file(const char *filename, ldns_rr_list *keys)
int line_nr;
if (!(fp = fopen(filename, "r"))) {
- fprintf(stderr, "Error opening %s: %s\n", filename,
- strerror(errno));
return LDNS_STATUS_FILE_ERR;
}
while (!feof(fp)) {
@@ -668,7 +675,8 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
} else if (s != LDNS_STATUS_OK) {
LDNS_ERR(s, "dane_query");
- } else if (! ldns_rr_list_push_rr_list(r, as)) {
+ }
+ if (! ldns_rr_list_push_rr_list(r, as)) {
MEMERR("ldns_rr_list_push_rr_list");
}
}
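Review bot: Splitting the `else if` into a separate `if` makes the push into `r` run after every branch of the chain, including the first branch, which lies outside the hunk (assuming LDNS_ERR exits on a non-OK status, as its use here suggests, the non-OK path never reaches it). If that first branch can leave `as` NULL, ldns_rr_list_push_rr_list() now receives a NULL list where before it was skipped; if the intent is to push in that case too, `if (as && ! ldns_rr_list_push_rr_list(r, as)) {` makes the precondition explicit. The second hunk in this function applies the same change to `aaas`. dane_lookup_addresses() continues beyond the hunk.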
@@ -685,7 +693,8 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
} else if (s != LDNS_STATUS_OK) {
LDNS_ERR(s, "dane_query");
- } else if (! ldns_rr_list_push_rr_list(r, aaas)) {
+ }
+ if (! ldns_rr_list_push_rr_list(r, aaas)) {
MEMERR("ldns_rr_list_push_rr_list");
}
}
@@ -1035,7 +1044,7 @@ dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
int
-main(int argc, char** argv)
+main(int argc, char* const* argv)
{
int c;
enum { UNDETERMINED, VERIFY, CREATE } mode = UNDETERMINED;
@@ -1049,14 +1058,23 @@ main(int argc, char** argv)
bool verify_server_name = true;
bool interact = false;
- char* CAfile = NULL;
- char* CApath = NULL;
+#if HAVE_DANE_CA_FILE
+ const char* CAfile = LDNS_DANE_CA_FILE;
+#else
+ const char* CAfile = NULL;
+#endif
+#if HAVE_DANE_CA_PATH
+ const char* CApath = LDNS_DANE_CA_PATH;
+#else
+ const char* CApath = NULL;
+#endif
char* cert_file = NULL;
X509* cert = NULL;
STACK_OF(X509)* extra_certs = NULL;
- ldns_rr_list* keys = ldns_rr_list_new();
- size_t nkeys = 0;
+ ldns_rr_list* keys = ldns_rr_list_new();
+ size_t nkeys = 0;
+ bool do_sigchase = false;
ldns_rr_list* addresses = ldns_rr_list_new();
ldns_rr* address_rr;
@@ -1102,7 +1120,7 @@ main(int argc, char** argv)
if (! keys || ! addresses) {
MEMERR("ldns_rr_list_new");
}
- while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:st:uvV:")) != -1) {
+ while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:sSt:uvV:")) != -1) {
switch(c) {
case 'h':
print_usage("ldns-dane");
@@ -1164,10 +1182,14 @@ main(int argc, char** argv)
break;
case 'k':
s = read_key_file(optarg, keys);
+ if (s == LDNS_STATUS_FILE_ERR) {
+ fprintf(stderr, "Error opening %s: %s\n",
+ optarg, strerror(errno));
+ }
LDNS_ERR(s, "Could not parse key file");
if (ldns_rr_list_rr_count(keys) == nkeys) {
- fprintf(stderr, "No keys found in file %s\n",
- optarg);
+ fprintf(stderr, "No keys found in file"
+ " %s\n", optarg);
exit(EXIT_FAILURE);
}
nkeys = ldns_rr_list_rr_count(keys);
@@ -1184,6 +1206,9 @@ main(int argc, char** argv)
case 's':
assume_pkix_validity = true;
break;
+ case 'S':
+ do_sigchase = true;
+ break;
case 't':
tlsas_file = optarg;
break;
@@ -1222,13 +1247,51 @@ main(int argc, char** argv)
}
}
+ if (do_sigchase) {
+ if (nkeys == 0) {
+ (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, keys);
+ nkeys = ldns_rr_list_rr_count(keys);
+
+ if (nkeys == 0) {
+ fprintf(stderr, "Unable to chase "
+ "signature without keys.\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+ } else {
+ keys = NULL;
+ }
+
argc -= optind;
argv += optind;
- if (argc == 0 && tlsas_file != NULL) {
+ if (argc == 0) {
+
+ print_usage("ldns-dane");
+ }
+ if (strncasecmp(*argv, "create", strlen(*argv)) == 0) {
+
+ mode = CREATE;
+ argc--;
+ argv++;
+
+ } else if (strncasecmp(*argv, "verify", strlen(*argv)) == 0) {
mode = VERIFY;
+ argc--;
+ argv++;
+
+ } else {
+ fprintf(stderr, "Specify create or verify mode\n");
+ exit(EXIT_FAILURE);
+ }
+ if (mode == VERIFY && argc == 0) {
+
+ if (! tlsas_file) {
+ fprintf(stderr, "ERROR! Nothing given to verify\n");
+ exit(EXIT_FAILURE);
+ }
s = dane_read_tlsas_from_file(&tlsas, tlsas_file, NULL);
LDNS_ERR(s, "could not read tlas from file");
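Review bot: The mode detection at the two `strncasecmp(*argv, ..., strlen(*argv))` lines accepts any prefix, and an empty first argument (strlen 0) compares equal to "create", so an empty string as the first positional argument silently selects CREATE mode; the old matching-type code guarded exactly this with a `*argv[4] &&` test. Check the first character before the prefix compare, `if (**argv && strncasecmp(*argv, "create", strlen(*argv)) == 0) {`, and likewise for "verify", or require a full match with strcasecmp. The `argc == 0` path above relies on print_usage() terminating the program; its tail is outside this page, so confirm it exits, otherwise `*argv` is NULL at the compare. main() continues beyond the hunk.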
@@ -1321,16 +1384,18 @@ main(int argc, char** argv)
MEMERR("ldns_rdf2str");
}
+
} else if (argc < 2) {
print_usage("ldns-dane");
} else {
- name_str = argv[0];
+ name_str = *argv++; argc--;
s = ldns_str2rdf_dname(&name, name_str);
LDNS_ERR(s, "could not ldns_str2rdf_dname");
- port = (uint16_t)dane_int_within_range(argv[1], 65535, "port");
+ port = (uint16_t)dane_int_within_range(*argv++, 65535, "port");
+ --argc;
s = ldns_dane_create_tlsa_owner(&tlsa_owner,
name, port, transport);
@@ -1341,10 +1406,12 @@ main(int argc, char** argv)
}
}
- if (argc == 2) {
-
- mode = VERIFY;
+ switch (mode) {
+ case VERIFY:
+ if (argc > 0) {
+ print_usage("ldns-dane");
+ }
if (tlsas_file) {
s = dane_read_tlsas_from_file(&tlsas, tlsas_file,
@@ -1391,39 +1458,57 @@ main(int argc, char** argv)
tlsas = dane_no_pkix_transform(originals);
}
- } else if (argc == 5) {
-
- mode = CREATE;
-
- tlsas = ldns_rr_list_new();
-
- certificate_usage = dane_int_within_range_table(
- argv[2], 3, "certificate usage",
- dane_certificate_usage_table);
- selector = dane_int_within_range_table(
- argv[3], 1, "selector",
- dane_selector_table);
+ break;
- if (*argv[4] && /* strlen(argv[4]) > 0 */
- (strncasecmp(argv[4], "no-hash-used",
- strlen(argv[4])) == 0 ||
- strncasecmp(argv[4], "no hash used",
- strlen(argv[4])) == 0 )) {
- matching_type = 0;
+ case CREATE:
+ if (argc > 0) {
+ certificate_usage = dane_int_within_range_table(
+ *argv++, 3, "certificate usage",
+ dane_certificate_usage_table);
+ argc--;
+ } else {
+ certificate_usage =
+ LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
+ }
+ if (argc > 0) {
+ selector = dane_int_within_range_table(
+ *argv++, 1, "selector",
+ dane_selector_table);
+ argc--;
+ } else {
+ selector = LDNS_TLSA_SELECTOR_FULL_CERTIFICATE;
+ }
+ if (argc > 0) {
+ if (*argv && /* strlen(argv) > 0 */
+ (strncasecmp(*argv, "no-hash-used",
+ strlen(*argv)) == 0 ||
+ strncasecmp(*argv, "no hash used",
+ strlen(*argv)) == 0 )) {
+ matching_type =
+ LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED;
- } else if (strcasecmp(argv[4], "sha256") == 0 ||
- strcasecmp(argv[4], "sha-256") == 0) {
+ } else if (strcasecmp(*argv, "sha256") == 0 ||
+ strcasecmp(*argv, "sha-256") == 0) {
- matching_type = 1;
+ matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
- } else if (strcasecmp(argv[4], "sha512") == 0 ||
- strcasecmp(argv[4], "sha-512") == 0) {
+ } else if (strcasecmp(*argv, "sha512") == 0 ||
+ strcasecmp(*argv, "sha-512") == 0) {
- matching_type = 2;
+ matching_type = LDNS_TLSA_MATCHING_TYPE_SHA512;
+ } else {
+ matching_type = dane_int_within_range(
+ *argv, 2, "matching type");
+ }
+ argv++;
+ argc--;
} else {
- matching_type = dane_int_within_range(argv[4], 2,
- "matching type");
+ matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
+ }
+ if (argc > 0) {
+
+ print_usage("ldns-dane");
}
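Review bot: The matching-type check `if (*argv && /* strlen(argv) > 0 */` tests the pointer, not the string, so inside `if (argc > 0)` it is always true and the comment no longer describes it; the replaced code tested `*argv[4]`, the first character. An empty matching-type argument therefore matches "no-hash-used" through the zero-length strncasecmp and selects LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED instead of being rejected. Restore the intent with `if (**argv && /* strlen(*argv) > 0 */`. main() continues beyond the hunk.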
if ((certificate_usage == LDNS_TLSA_USAGE_CA_CONSTRAINT ||
certificate_usage ==
@@ -1444,9 +1529,11 @@ main(int argc, char** argv)
exit(EXIT_FAILURE);
}
- } else if (mode == UNDETERMINED) {
-
- print_usage("ldns-dane");
+ tlsas = ldns_rr_list_new();
+ break;
+ default:
+ fprintf(stderr, "Unreachable code\n");
+ assert(0);
}
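Review bot: The new `default:` arm relies on `assert(0)` to stop, but with NDEBUG the assert is compiled out and execution falls through to the code after the switch with `tlsas` never assigned on this path; follow the message with `exit(EXIT_FAILURE);` so the arm terminates in every build. main() continues beyond the hunk.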
/* ssl inititalize */
diff --git a/examples/ldns-test-edns.c b/examples/ldns-test-edns.c
index d9d708c7..b4292a0f 100644
--- a/examples/ldns-test-edns.c
+++ b/examples/ldns-test-edns.c
@@ -15,6 +15,18 @@
/** print error details */
static int verb = 1;
+struct sockaddr_in6* cast_sockaddr_storage2sockaddr_in6(
+ struct sockaddr_storage* s)
+{
+ return (struct sockaddr_in6*)s;
+}
+
+struct sockaddr_in* cast_sockaddr_storage2sockaddr_in(
+ struct sockaddr_storage* s)
+{
+ return (struct sockaddr_in*)s;
+}
+
/** parse IP address */
static int
convert_addr(char* str, int p, struct sockaddr_storage* addr, socklen_t* len)
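Review bot: The two cast helpers are defined with external linkage and no prior prototype, in a file whose other file-scope names (`verb`, convert_addr) are `static`; declare them `static` too, e.g. `static struct sockaddr_in6* cast_sockaddr_storage2sockaddr_in6(struct sockaddr_storage* s)`, so the example binary exports no symbols and -Wmissing-prototypes stays quiet. A one-line comment stating that they exist to confine the sockaddr_storage-to-sockaddr_in casts to one place would make their purpose clear to the next reader.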
@@ -22,8 +34,10 @@ convert_addr(char* str, int p, struct sockaddr_storage* addr, socklen_t* len)
#ifdef AF_INET6
if(strchr(str, ':')) {
*len = (socklen_t)sizeof(struct sockaddr_in6);
- ((struct sockaddr_in6*)addr)->sin6_family = AF_INET6;
- ((struct sockaddr_in6*)addr)->sin6_port = htons((uint16_t)p);
+ cast_sockaddr_storage2sockaddr_in6(addr)->sin6_family =
+ AF_INET6;
+ cast_sockaddr_storage2sockaddr_in6(addr)->sin6_port =
+ htons((uint16_t)p);
if(inet_pton(AF_INET6, str,
&((struct sockaddr_in6*)addr)->sin6_addr) == 1)
return 1;
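Review bot: The inet_pton() call two lines below the rewritten assignments still uses the raw `(struct sockaddr_in6*)addr` cast, so the helper introduced in the previous hunk covers only part of the casts in convert_addr(); `&cast_sockaddr_storage2sockaddr_in6(addr)->sin6_addr` keeps them consistent. The IPv4 hunk that follows leaves the same raw cast in its inet_pton() call. convert_addr() continues beyond the hunk.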
@@ -31,9 +45,11 @@ convert_addr(char* str, int p, struct sockaddr_storage* addr, socklen_t* len)
#endif
*len = (socklen_t)sizeof(struct sockaddr_in);
#ifndef S_SPLINT_S
- ((struct sockaddr_in*)addr)->sin_family = AF_INET;
+ cast_sockaddr_storage2sockaddr_in(addr)->sin_family =
+ AF_INET;
#endif
- ((struct sockaddr_in*)addr)->sin_port = htons((uint16_t)p);
+ cast_sockaddr_storage2sockaddr_in(addr)->sin_port =
+ htons((uint16_t)p);
if(inet_pton(AF_INET, str,
&((struct sockaddr_in*)addr)->sin_addr) == 1)
return 1;
diff --git a/examples/ldns-verify-zone.1 b/examples/ldns-verify-zone.1.in
index a4cb767d..e03b7003 100644
--- a/examples/ldns-verify-zone.1
+++ b/examples/ldns-verify-zone.1.in
@@ -37,6 +37,9 @@ Default signatures should just be valid now.
A file that contains a trusted DNSKEY or DS rr.
This option may be given more than once.
+Alternatively, if \fB-k\fR is not specified, and a default trust anchor
+(@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record,
+it will be used as the trust anchor.
.TP
\fB-p\fR \fI[0-100]\fR
Only check this percentage of the zone.
@@ -77,6 +80,16 @@ P[n]Y[n]M[n]DT[n]H[n]M[n]S
.LP
If no file is given standard input is read.
+.SH "FILES"
+.TP
+@LDNS_TRUST_ANCHOR_FILE@
+The file from which trusted keys are loaded for signature chasing,
+when no \fB-k\fR option is given.
+
+.SH "SEE ALSO"
+.LP
+unbound-anchor(8)
+
.SH AUTHOR
Written by the ldns team as an example for ldns usage.
diff --git a/examples/ldns-verify-zone.c b/examples/ldns-verify-zone.c
index 9a8e13f9..0bbb97f4 100644
--- a/examples/ldns-verify-zone.c
+++ b/examples/ldns-verify-zone.c
@@ -66,10 +66,6 @@ read_key_file(const char *filename, ldns_rr_list *keys)
int line_nr;
if (!(fp = fopen(filename, "r"))) {
- if (verbosity > 0) {
- fprintf(myerr, "Error opening %s: %s\n", filename,
- strerror(errno));
- }
return LDNS_STATUS_FILE_ERR;
}
while (!feof(fp)) {
@@ -754,7 +750,8 @@ main(int argc, char **argv)
"now)\n");
printf("\t-k <file>\tspecify a file that contains a "
"trusted DNSKEY or DS rr.\n\t\t\t"
- "This option may be given more than once.\n");
+ "This option may be given more than once.\n"
+ "\t\t\tDefault is %s", LDNS_TRUST_ANCHOR_FILE);
printf("\t-p [0-100]\tonly checks this percentage of "
"the zone.\n\t\t\tDefaults to 100\n");
printf("\t-S\t\tchase signature(s) to a known key. "
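Review bot: The new usage line `"\t\t\tDefault is %s", LDNS_TRUST_ANCHOR_FILE);` has no trailing newline, so the following `-p [0-100]` entry is printed on the same line; change it to `"\t\t\tDefault is %s\n", LDNS_TRUST_ANCHOR_FILE);`. main() continues beyond the hunk.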
@@ -799,6 +796,13 @@ main(int argc, char **argv)
break;
case 'k':
s = read_key_file(optarg, keys);
+ if (s == LDNS_STATUS_FILE_ERR) {
+ if (verbosity > 0) {
+ fprintf(myerr,
+ "Error opening %s: %s\n",
+ optarg, strerror(errno));
+ }
+ }
if (s != LDNS_STATUS_OK) {
if (verbosity > 0) {
fprintf(myerr,
@@ -860,11 +864,16 @@ main(int argc, char **argv)
}
}
if (do_sigchase && nkeys == 0) {
- if (verbosity > 0) {
- fprintf(myerr,
- "Unable to chase signature without keys.\n");
+ (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, keys);
+ nkeys = ldns_rr_list_rr_count(keys);
+
+ if (nkeys == 0) {
+ if (verbosity > 0) {
+ fprintf(myerr, "Unable to chase "
+ "signature without keys.\n");
+ }
+ exit(EXIT_FAILURE);
}
- exit(EXIT_FAILURE);
}
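Review bot: When the default anchor is tried and yields no keys, the message does not say which file was attempted and the status from read_key_file() (a FILE_ERR versus a parse error) is discarded, so the operator cannot tell a missing file from a malformed one. Reporting the path, e.g. `fprintf(myerr, "Unable to chase signature without keys (no -k given, %s unusable).\n", LDNS_TRUST_ANCHOR_FILE);`, and printing strerror(errno) for a FILE_ERR as the -k branch above already does, makes the default behaviour diagnosable. The do_sigchase hunk in ldns-dane.c has the same silent fallback. main() continues beyond the hunk.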
argc -= optind;
diff --git a/ldns/common.h.in b/ldns/common.h.in
index 0813e474..aedfc96d 100644
--- a/ldns/common.h.in
+++ b/ldns/common.h.in
@@ -66,8 +66,6 @@ typedef bool _Bool;
#define ATTR_UNUSED(x) x
#endif /* !LDNS_BUILD_CONFIG_HAVE_ATTR_UNUSED */
-#define LDNS_TRUST_ANCHOR_FILE "@LDNS_TRUST_ANCHOR_FILE@"
-
#if !LDNS_BUILD_CONFIG_HAVE_SOCKLEN_T
typedef int socklen_t;
#endif
diff --git a/ldns/dname.h b/ldns/dname.h
index d4d712f3..16b45429 100644
--- a/ldns/dname.h
+++ b/ldns/dname.h
@@ -111,6 +111,7 @@ ldns_rdf *ldns_dname_new_frm_str(const char *str);
* Create a new dname rdf from a string
* \param[in] s the size of the new dname
* \param[in] *data pointer to the actual data
+ *
* \return ldns_rdf*
*/
ldns_rdf *ldns_dname_new(uint16_t s, void *data);
@@ -119,6 +120,7 @@ ldns_rdf *ldns_dname_new(uint16_t s, void *data);
* Create a new dname rdf from data (the data is copied)
* \param[in] size the size of the data
* \param[in] *data pointer to the actual data
+ *
* \return ldns_rdf*
*/
ldns_rdf *ldns_dname_new_frm_data(uint16_t size, const void *data);
diff --git a/ldns/dnssec.h b/ldns/dnssec.h
index 9e602b5b..34f63714 100644
--- a/ldns/dnssec.h
+++ b/ldns/dnssec.h
@@ -198,6 +198,7 @@ RSA *ldns_key_buf2rsa_raw(unsigned char* key, size_t len);
*
* \param[in] *key the key to convert
* \param[in] h the hash to use LDNS_SHA1/LDNS_SHA256
+ *
* \return ldns_rr* a new rr pointer to a DS
*/
ldns_rr *ldns_key_rr2ds(const ldns_rr *key, ldns_hash h);
diff --git a/ldns/dnssec_verify.h b/ldns/dnssec_verify.h
index 32036a8c..b6bdeca5 100644
--- a/ldns/dnssec_verify.h
+++ b/ldns/dnssec_verify.h
@@ -367,6 +367,7 @@ void ldns_dnssec_derive_trust_tree_no_sig_time(
*
* \param *tree The trust tree so search
* \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for
+ *
* \return LDNS_STATUS_OK if there is a trusted path to one of
* the keys, or the *first* error encountered
* if there were no paths
diff --git a/ldns/rdata.h b/ldns/rdata.h
index 90dcbf13..229a4d4c 100644
--- a/ldns/rdata.h
+++ b/ldns/rdata.h
@@ -194,6 +194,7 @@ ldns_rdf_type ldns_rdf_get_type(const ldns_rdf *rd);
/**
* returns the data of the rdf.
* \param[in] *rd the rdf to read from
+ *
* \return uint8_t* pointer to the rdf's data
*/
uint8_t *ldns_rdf_data(const ldns_rdf *rd);
@@ -303,6 +304,7 @@ ldns_rdf *ldns_native2rdf_int32(ldns_rdf_type type, uint32_t value);
* The memory is copied, and an LDNS_RDF_TYPE_INT16DATA is returned
* \param[in] size the size of the data
* \param[in] *data pointer to the actual data
+ *
* \return ldns_rd* the rdf with the data
*/
ldns_rdf *ldns_native2rdf_int16_data(size_t size, uint8_t *data);
diff --git a/ldns/resolver.h b/ldns/resolver.h
index f887aaf6..7af5d401 100644
--- a/ldns/resolver.h
+++ b/ldns/resolver.h
@@ -578,6 +578,7 @@ ldns_status ldns_resolver_push_nameserver_rr_list(ldns_resolver *r, ldns_rr_list
* \param[in] t query for this type (may be 0, defaults to A)
* \param[in] c query for this class (may be 0, default to IN)
* \param[in] flags the query flags
+ *
* \return ldns_pkt* a packet with the reply from the nameserver
*/
ldns_pkt* ldns_resolver_search(const ldns_resolver *r, const ldns_rdf *rdf, ldns_rr_type t, ldns_rr_class c, uint16_t flags);
@@ -590,6 +591,7 @@ ldns_pkt* ldns_resolver_search(const ldns_resolver *r, const ldns_rdf *rdf, ldns
* \param[in] t query for this type (may be 0, defaults to A)
* \param[in] c query for this class (may be 0, default to IN)
* \param[in] f the query flags
+ *
* \return ldns_pkt* a packet with the reply from the nameserver
*/
ldns_status ldns_resolver_prepare_query_pkt(ldns_pkt **q, ldns_resolver *r, const ldns_rdf *name, ldns_rr_type t, ldns_rr_class c, uint16_t f);
@@ -602,6 +604,7 @@ ldns_status ldns_resolver_prepare_query_pkt(ldns_pkt **q, ldns_resolver *r, cons
* \param[in] t query for this type (may be 0, defaults to A)
* \param[in] c query for this class (may be 0, default to IN)
* \param[in] flags the query flags
+ *
* \return ldns_pkt* a packet with the reply from the nameserver
*/
ldns_status ldns_resolver_send(ldns_pkt **answer, ldns_resolver *r, const ldns_rdf *name, ldns_rr_type t, ldns_rr_class c, uint16_t flags);
@@ -621,6 +624,7 @@ ldns_status ldns_resolver_send_pkt(ldns_pkt **answer, ldns_resolver *r, ldns_pkt
* \param[in] *t query for this type (may be 0, defaults to A)
* \param[in] *c query for this class (may be 0, default to IN)
* \param[in] flags the query flags
+ *
* \return ldns_pkt* a packet with the reply from the nameserver
* if _defnames is true the default domain will be added
*/
diff --git a/libdns.doxygen b/libdns.doxygen
index ef94a55b..0f84b734 100644
--- a/libdns.doxygen
+++ b/libdns.doxygen
@@ -1,4 +1,4 @@
-# Doxyfile 1.7.3
+# Doxyfile 1.7.6.1
# This file describes the settings to be used by the documentation system
# doxygen (www.doxygen.org) for a project.
@@ -22,8 +22,9 @@
DOXYFILE_ENCODING = UTF-8
-# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
-# by quotes) that should identify the project.
+# The PROJECT_NAME tag is a single word (or sequence of words) that should
+# identify the project. Note that if you do not use Doxywizard you need
+# to put quotes around the project name if it contains spaces.
PROJECT_NAME = ldns
@@ -33,7 +34,9 @@ PROJECT_NAME = ldns
PROJECT_NUMBER = 1.6.7
-# Using the PROJECT_BRIEF tag one can provide an optional one line description for a project that appears at the top of each page and should give viewer a quick idea about the purpose of the project. Keep the description short.
+# Using the PROJECT_BRIEF tag one can provide an optional one line description
+# for a project that appears at the top of each page and should give viewer
+# a quick idea about the purpose of the project. Keep the description short.
PROJECT_BRIEF =
@@ -192,6 +195,13 @@ TAB_SIZE = 8
ALIASES =
+# This tag can be used to specify a number of word-keyword mappings (TCL only).
+# A mapping has the form "name=value". For example adding
+# "class=itcl::class" will allow you to use the command class in the
+# itcl::class meaning.
+
+TCL_SUBST =
+
# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
# sources only. Doxygen will then generate output that is more tailored for C.
# For instance, some of the names that are used will be different. The list
@@ -274,6 +284,22 @@ DISTRIBUTE_GROUP_DOC = NO
SUBGROUPING = YES
+# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and
+# unions are shown inside the group in which they are included (e.g. using
+# @ingroup) instead of on a separate page (for HTML and Man pages) or
+# section (for LaTeX and RTF).
+
+INLINE_GROUPED_CLASSES = NO
+
+# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and
+# unions with only public data fields will be shown inline in the documentation
+# of the scope in which they are defined (i.e. file, namespace, or group
+# documentation), provided this scope is documented. If set to NO (the default),
+# structs, classes, and unions are shown on a separate page (for HTML and Man
+# pages) or section (for LaTeX and RTF).
+
+INLINE_SIMPLE_STRUCTS = NO
+
# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum
# is documented as struct, union, or enum with the name of the typedef. So
# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
@@ -296,10 +322,21 @@ TYPEDEF_HIDES_STRUCT = NO
# a logarithmic scale so increasing the size by one will roughly double the
# memory usage. The cache size is given by this formula:
# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0,
-# corresponding to a cache size of 2^16 = 65536 symbols
+# corresponding to a cache size of 2^16 = 65536 symbols.
SYMBOL_CACHE_SIZE = 0
+# Similar to the SYMBOL_CACHE_SIZE the size of the symbol lookup cache can be
+# set using LOOKUP_CACHE_SIZE. This cache is used to resolve symbols given
+# their name and scope. Since this can be an expensive process and often the
+# same symbol appear multiple times in the code, doxygen keeps a cache of
+# pre-resolved symbols. If the cache is too small doxygen will become slower.
+# If the cache is too large, memory is wasted. The cache size is given by this
+# formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range is 0..9, the default is 0,
+# corresponding to a cache size of 2^16 = 65536 symbols.
+
+LOOKUP_CACHE_SIZE = 0
+
#---------------------------------------------------------------------------
# Build related configuration options
#---------------------------------------------------------------------------
@@ -449,8 +486,11 @@ SORT_GROUP_NAMES = NO
SORT_BY_SCOPE_NAME = NO
-# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper type resolution of all parameters of a function it will reject a
-# match between the prototype and the implementation of a member function even if there is only one candidate or it is obvious which candidate to choose by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to
+# do proper type resolution of all parameters of a function it will reject a
+# match between the prototype and the implementation of a member function even
+# if there is only one candidate or it is obvious which candidate to choose
+# by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen
# will still accept a match between prototype and implementation in such cases.
STRICT_PROTO_MATCHING = NO
@@ -538,6 +578,16 @@ FILE_VERSION_FILTER =
LAYOUT_FILE =
+# The CITE_BIB_FILES tag can be used to specify one or more bib files
+# containing the references data. This must be a list of .bib files. The
+# .bib extension is automatically appended if omitted. Using this command
+# requires the bibtex tool to be installed. See also
+# http://en.wikipedia.org/wiki/BibTeX for more info. For LaTeX the style
+# of the bibliography can be controlled using LATEX_BIB_STYLE. To use this
+# feature you need bibtex and perl available in the search path.
+
+CITE_BIB_FILES =
+
#---------------------------------------------------------------------------
# configuration options related to warning and progress messages
#---------------------------------------------------------------------------
@@ -629,13 +679,15 @@ FILE_PATTERNS =
RECURSIVE = NO
-# The EXCLUDE tag can be used to specify files and/or directories that should
+# The EXCLUDE tag can be used to specify files and/or directories that should be
# excluded from the INPUT source files. This way you can easily exclude a
# subdirectory from a directory tree whose root is specified with the INPUT tag.
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
EXCLUDE =
-# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
# directories that are symbolic links (a Unix file system feature) are excluded
# from the input.
@@ -821,7 +873,14 @@ HTML_FILE_EXTENSION = .html
# The HTML_HEADER tag can be used to specify a personal HTML header for
# each generated HTML page. If it is left blank doxygen will generate a
-# standard header.
+# standard header. Note that when using a custom header you are responsible
+# for the proper inclusion of any scripts and style sheets that doxygen
+# needs, which is dependent on the configuration options used.
+# It is advised to generate a default header using "doxygen -w html
+# header.html footer.html stylesheet.css YourConfigFile" and then modify
+# that header. Note that the header is subject to change so you typically
+# have to redo this when upgrading to a newer version of doxygen or when
+# changing the value of configuration settings such as GENERATE_TREEVIEW!
HTML_HEADER = doc/header.html
@@ -836,12 +895,21 @@ HTML_FOOTER =
# fine-tune the look of the HTML output. If the tag is left blank doxygen
# will generate a default style sheet. Note that doxygen will try to copy
# the style sheet file to the HTML output directory, so don't put your own
-# stylesheet in the HTML output directory as well, or it will be erased!
+# style sheet in the HTML output directory as well, or it will be erased!
HTML_STYLESHEET =
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath$ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that
+# the files will be copied as-is; there are no commands or markers available.
+
+HTML_EXTRA_FILES =
+
# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output.
-# Doxygen will adjust the colors in the stylesheet and background images
+# Doxygen will adjust the colors in the style sheet and background images
# according to this color. Hue is specified as an angle on a colorwheel,
# see http://en.wikipedia.org/wiki/Hue for more information.
# For instance the value 0 represents red, 60 is yellow, 120 is green,
@@ -871,12 +939,6 @@ HTML_COLORSTYLE_GAMMA = 80
HTML_TIMESTAMP = YES
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
-# files or namespaces will be aligned in HTML using tables. If set to
-# NO a bullet list will be used.
-
-HTML_ALIGN_MEMBERS = YES
-
# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
# documentation will contain sections that can be hidden and shown after the
# page has loaded. For this to work a browser that supports
@@ -1036,18 +1098,14 @@ GENERATE_ECLIPSEHELP = NO
ECLIPSE_DOC_ID = org.doxygen.Project
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
-# top of each HTML page. The value NO (the default) enables the index and
-# the value YES disables it.
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs)
+# at top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it. Since the tabs have the same information as the
+# navigation tree you can set this option to NO if you already set
+# GENERATE_TREEVIEW to YES.
DISABLE_INDEX = NO
-# This tag can be used to set the number of enum values (range [0,1..20])
-# that doxygen will group on one line in the generated HTML documentation.
-# Note that a value of 0 will completely suppress the enum values from appearing in the overview section.
-
-ENUM_VALUES_PER_LINE = 4
-
# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
# structure should be generated to display hierarchical information.
# If the tag value is set to YES, a side panel will be generated
@@ -1055,13 +1113,17 @@ ENUM_VALUES_PER_LINE = 4
# is generated for HTML Help). For this to work a browser that supports
# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
# Windows users are probably better off using the HTML help feature.
+# Since the tree basically has the same information as the tab index you
+# could consider to set DISABLE_INDEX to NO when enabling this option.
GENERATE_TREEVIEW = NO
-# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories,
-# and Class Hierarchy pages using a tree view instead of an ordered list.
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values
+# (range [0,1..20]) that doxygen will group on one line in the generated HTML
+# documentation. Note that a value of 0 will completely suppress the enum
+# values from appearing in the overview section.
-USE_INLINE_TREES = NO
+ENUM_VALUES_PER_LINE = 4
# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
# used to set the initial width (in pixels) of the frame in which the tree
@@ -1103,12 +1165,18 @@ USE_MATHJAX = NO
# HTML output directory using the MATHJAX_RELPATH option. The destination
# directory should contain the MathJax.js script. For instance, if the mathjax
# directory is located at the same level as the HTML output directory, then
-# MATHJAX_RELPATH should be ../mathjax. The default value points to the mathjax.org site, so you can quickly see the result without installing
+# MATHJAX_RELPATH should be ../mathjax. The default value points to the
+# mathjax.org site, so you can quickly see the result without installing
# MathJax, but it is strongly recommended to install a local copy of MathJax
# before deployment.
MATHJAX_RELPATH = http://www.mathjax.org/mathjax
+# The MATHJAX_EXTENSIONS tag can be used to specify one or MathJax extension
+# names that should be enabled during MathJax rendering.
+
+MATHJAX_EXTENSIONS =
+
# When the SEARCHENGINE tag is enabled doxygen will generate a search box
# for the HTML output. The underlying search engine uses javascript
# and DHTML and should work on any modern browser. Note that when using
@@ -1182,6 +1250,13 @@ EXTRA_PACKAGES =
LATEX_HEADER =
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for
+# the generated latex document. The footer should contain everything after
+# the last chapter. If it is left blank doxygen will generate a
+# standard footer. Notice: only use this tag if you know what you are doing!
+
+LATEX_FOOTER =
+
# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
# is prepared for conversion to pdf (using ps2pdf). The pdf file will
# contain links (just like the HTML output) instead of page references
@@ -1215,6 +1290,12 @@ LATEX_HIDE_INDICES = NO
LATEX_SOURCE_CODE = NO
+# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
+# bibliography, e.g. plainnat, or ieeetr. The default style is "plain". See
+# http://en.wikipedia.org/wiki/BibTeX for more info.
+
+LATEX_BIB_STYLE = plain
+
#---------------------------------------------------------------------------
# configuration options related to the RTF output
#---------------------------------------------------------------------------
@@ -1246,7 +1327,7 @@ COMPACT_RTF = NO
RTF_HYPERLINKS = NO
-# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# Load style sheet definitions from file. Syntax is similar to doxygen's
# config file, i.e. a series of assignments. You only have to provide
# replacements, missing definitions are set to their default value.
@@ -1391,7 +1472,7 @@ MACRO_EXPANSION = YES
EXPAND_ONLY_PREDEF = NO
# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
-# in the INCLUDE_PATH (see below) will be search if a #include is found.
+# pointed to by INCLUDE_PATH will be searched when a #include is found.
SEARCH_INCLUDES = YES
@@ -1421,7 +1502,8 @@ PREDEFINED = HAVE_SSL
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
# this tag can be used to specify a list of macro names that should be expanded.
# The macro definition that is found in the sources will be used.
-# Use the PREDEFINED tag if you want to use a different macro definition that overrules the definition found in the source code.
+# Use the PREDEFINED tag if you want to use a different macro definition that
+# overrules the definition found in the source code.
EXPAND_AS_DEFINED =
@@ -1519,13 +1601,12 @@ HAVE_DOT = NO
DOT_NUM_THREADS = 0
-# By default doxygen will write a font called Helvetica to the output
-# directory and reference it in all dot files that doxygen generates.
-# When you want a differently looking font you can specify the font name
-# using DOT_FONTNAME. You need to make sure dot is able to find the font,
-# which can be done by putting it in a standard location or by setting the
-# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory
-# containing the font.
+# By default doxygen will use the Helvetica font for all dot files that
+# doxygen generates. When you want a differently looking font you can specify
+# the font name using DOT_FONTNAME. You need to make sure dot is able to find
+# the font, which can be done by putting it in a standard location or by setting
+# the DOTFONTPATH environment variable or by setting DOT_FONTPATH to the
+# directory containing the font.
DOT_FONTNAME = Helvetica
@@ -1534,17 +1615,16 @@ DOT_FONTNAME = Helvetica
DOT_FONTSIZE = 10
-# By default doxygen will tell dot to use the output directory to look for the
-# FreeSans.ttf font (which doxygen will put there itself). If you specify a
-# different font using DOT_FONTNAME you can set the path where dot
-# can find it using this tag.
+# By default doxygen will tell dot to use the Helvetica font.
+# If you specify a different font using DOT_FONTNAME you can use DOT_FONTPATH to
+# set the path where dot can find it.
DOT_FONTPATH =
# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
# will generate a graph for each documented class showing the direct and
# indirect inheritance relations. Setting this tag to YES will force the
-# the CLASS_DIAGRAMS tag to NO.
+# CLASS_DIAGRAMS tag to NO.
CLASS_GRAPH = YES
@@ -1614,11 +1694,22 @@ GRAPHICAL_HIERARCHY = YES
DIRECTORY_GRAPH = YES
# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot. Possible values are png, svg, gif or svg.
-# If left blank png will be used.
+# generated by dot. Possible values are svg, png, jpg, or gif.
+# If left blank png will be used. If you choose svg you need to set
+# HTML_FILE_EXTENSION to xhtml in order to make the SVG files
+# visible in IE 9+ (other browsers do not have this requirement).
DOT_IMAGE_FORMAT = png
+# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
+# enable generation of interactive SVG images that allow zooming and panning.
+# Note that this requires a modern browser other than Internet Explorer.
+# Tested and working are Firefox, Chrome, Safari, and Opera. For IE 9+ you
+# need to set HTML_FILE_EXTENSION to xhtml in order to make the SVG files
+# visible. Older versions of IE do not have SVG support.
+
+INTERACTIVE_SVG = NO
+
# The tag DOT_PATH can be used to specify the path where the dot tool can be
# found. If left blank, it is assumed the dot tool can be found in the path.