From: Willem Toorop Date: Tue, 16 Oct 2012 11:59:41 +0000 (+0000) Subject: Merge in 1.6.14rc2 changes: X-Git-Tag: release-1.6.17rc1~189 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25b494b756647bb06755e305c6eddaf7f1819aab;p=thirdparty%2Fldns.git Merge in 1.6.14rc2 changes: - Paul Wouter's suggestion to have a create and a verify option to ldns-dane and configurable CAfile and CApath and configurable trust anchor and - Get rid of doxygen-1.8 warnings --- diff --git a/Changelog b/Changelog index 3e1a7c11..483ee09a 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,9 @@ 1.6.14 * DANE support (RFC6698), including ldns-dane example tool. - * A default key for drill when none is given + * Configurable default CA certificate repository for ldns-dane with + --with-ca-file=CAFILE and --with-ca-path=CAPATH + * Configurable default trust anchor with --with-trust-anchor=FILE + for drill, ldns-verify-zone and ldns-dane * bugfix #474: Define socklen_t when undefined (like in Win32) * bugfix #473: Dead code removal and resource leak fix in drill * bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too. @@ -14,7 +17,7 @@ now documented in their own Changelog. * bugfix: Make ldns_resolver_pop_nameserver clear the array when there was only one. - * bugfix #459: Export only symbols defined in ldns_symbols + * bugfix #459: Remove ldns_symbols and export symbols based on regex * bugfix #458: Track all newly created signatures when signing. * bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given. * bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm. diff --git a/configure.ac b/configure.ac index 082e74a3..ee6e6858 100644 --- a/configure.ac +++ b/configure.ac 
@@ -141,12 +141,14 @@ This does not work with the --with-examples option. Please remove the config.h from the examples subdirectory or do not use the --with-examples option.]) fi + EXAMPLES_CONFIG=" examples/ldns-dane.1 examples/ldns-verify-zone.1" else AC_SUBST(EXAMPLES,[""]) AC_SUBST(INSTALL_EXAMPLES,[""]) AC_SUBST(UNINSTALL_EXAMPLES,[""]) AC_SUBST(CLEAN_EXAMPLES,[""]) AC_SUBST(LINT_EXAMPLES,[""]) + EXAMPLES_CONFIG="" fi # add option to disable installation of ldns-config script 
@@ -518,15 +520,43 @@ fi AC_DEFINE([SYSCONFDIR], [sysconfdir], [System configuration dir]) -AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=[KEYFILE]], -[Default location of the trust anchor file for drill. [default=SYSCONFDIR/unbound/root.key]]), [ -AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${with_trust_anchor}]) +AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=KEYFILE], [Default location of the trust anchor file for drill and ldns-dane. [default=SYSCONFDIR/unbound/root.key]]), [ + LDNS_TRUST_ANCHOR_FILE="$withval" ],[ -if test "x$sysconfdir" = 'x${prefix}/etc' ; then -AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${prefix}/etc/unbound/root.key]) -else -AC_SUBST(LDNS_TRUST_ANCHOR_FILE, [${sysconfdir}/unbound/root.key]) -fi + if test "x$LDNS_TRUST_ANCHOR_FILE" = "x"; then + if test "x$sysconfdir" = 'x${prefix}/etc' ; then + if test "x$prefix" = 'xNONE' ; then + LDNS_TRUST_ANCHOR_FILE="/etc/unbound/root.key" + else + LDNS_TRUST_ANCHOR_FILE="${prefix}/etc/unbound/root.key" + fi + else + LDNS_TRUST_ANCHOR_FILE="${sysconfdir}/unbound/root.key" + fi + fi +]) +AC_DEFINE_UNQUOTED([LDNS_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file]) +AC_SUBST(LDNS_TRUST_ANCHOR_FILE) +AC_MSG_NOTICE([Default trust anchor: $LDNS_TRUST_ANCHOR_FILE]) + +AC_ARG_WITH(ca-file, AC_HELP_STRING([--with-ca-file=CAFILE], [File containing CA certificates for ldns-dane]), [ + AC_DEFINE([HAVE_DANE_CA_FILE], [1], [Is a CAFILE given at configure time]) + AC_DEFINE_UNQUOTED([LDNS_DANE_CA_FILE], ["$withval"], [Is a CAFILE given at configure time]) + AC_MSG_NOTICE([Using CAfile: $withval]) + AC_SUBST(DEFAULT_CAFILE, ["Default is $withval"]) +],[ + AC_DEFINE([HAVE_DANE_CA_FILE], [0], [Is a CAFILE given at configure time]) + AC_SUBST(DEFAULT_CAFILE, []) +]) + +AC_ARG_WITH(ca-path, AC_HELP_STRING([--with-ca-path=CAPATH], [Directory containing CA certificate files for ldns-dane]), [ + AC_DEFINE([HAVE_DANE_CA_PATH], [1], [Is a CAPATH given at configure time]) + 
AC_DEFINE_UNQUOTED([LDNS_DANE_CA_PATH], ["$withval"], [Is a CAPATH given at configure time]) + AC_MSG_NOTICE([Using CApath: $withval]) + AC_SUBST(DEFAULT_CAPATH, ["Default is $withval"]) +],[ + AC_DEFINE([HAVE_DANE_CA_PATH], [0], [Is a CAPATH given at configure time]) + AC_SUBST(DEFAULT_CAPATH, []) ]) AH_BOTTOM([ @@ -685,7 +715,7 @@ else AC_SUBST(ldns_build_config_have_attr_unused, 0) fi -CONFIG_FILES="Makefile ldns/common.h ldns/net.h ldns/util.h packaging/libldns.pc packaging/ldns-config $DRILL_CONFIG" +CONFIG_FILES="Makefile ldns/common.h ldns/net.h ldns/util.h packaging/libldns.pc packaging/ldns-config $DRILL_CONFIG $EXAMPLES_CONFIG" AC_SUBST(CONFIG_FILES) AC_CONFIG_FILES([$CONFIG_FILES]) diff --git a/drill/configure.ac b/drill/configure.ac index a135e173..7a3e556c 100644 --- a/drill/configure.ac +++ b/drill/configure.ac @@ -177,19 +177,10 @@ fi AC_SUBST(LDNSDIR) -if test -f $LDNSDIR/ldns/common.h && \ - grep LDNS_TRUST_ANCHOR_FILE $LDNSDIR/ldns/common.h >/dev/null; then - LDNS_TRUST_ANCHOR_FILE=`grep LDNS_TRUST_ANCHOR_FILE $LDNSDIR/ldns/common.h | sed -e 's/^.*"\(.*\)".*$/\1/'` -else - LDNS_TRUST_ANCHOR_FILE="" -fi - -AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=[KEYFILE]], -[Default location of the trust anchor file. [default=LDNS_TRUST_ANCHOR_FILE or SYSCONFDIR/unbound/root.key]]), [ - AC_DEFINE([HAVE_DRILL_TRUST_ANCHOR], [1], [Is the trust anchor file explicitely given at configure time]) +AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=KEYFILE], +[Default location of the trust anchor file. [default=SYSCONFDIR/unbound/root.key]]), [ LDNS_TRUST_ANCHOR_FILE="$withval" ],[ - AC_DEFINE([HAVE_DRILL_TRUST_ANCHOR], [0], [Is the trust anchor file explicitely given at configure time]) if test "x$LDNS_TRUST_ANCHOR_FILE" = "x"; then if test "x$sysconfdir" = 'x${prefix}/etc' ; then if test "x$prefix" = 'xNONE' ; then 
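Review bot: `LDNS_TRUST_ANCHOR_FILE="$withval"` in the new action-if-given branch takes the value verbatim, so `--without-trust-anchor` (withval is `no`) compiles the literal path `no` into LDNS_TRUST_ANCHOR_FILE, and the `--with-ca-file`/`--with-ca-path` branches likewise define HAVE_DANE_CA_FILE/HAVE_DANE_CA_PATH as 1 with `no` as the file or directory. A guard in each branch, e.g. `if test "x$withval" = "xno"; then LDNS_TRUST_ANCHOR_FILE=""; else LDNS_TRUST_ANCHOR_FILE="$withval"; fi` (and the HAVE_* define set to 0 in the `no` case), keeps a compiled-in default sane. The same trust-anchor default block is now duplicated verbatim in drill/configure.ac (hunk at -177) and examples/configure.ac (hunk at -315); a shared m4 macro would keep the three from drifting. `AC_HELP_STRING` is the deprecated spelling; `AS_HELP_STRING` is the current one.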
@@ -202,9 +193,9 @@ AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=[KEYFILE]], fi fi ]) - -AC_DEFINE_UNQUOTED([DRILL_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file]) +AC_DEFINE_UNQUOTED([LDNS_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file]) AC_SUBST(LDNS_TRUST_ANCHOR_FILE) +AC_MSG_NOTICE([Default trust anchor: $LDNS_TRUST_ANCHOR_FILE]) AH_BOTTOM([ diff --git a/drill/drill.c b/drill/drill.c index 1de72de7..f24405be 100644 --- a/drill/drill.c +++ b/drill/drill.c @@ -404,7 +404,9 @@ main(int argc, char *argv[]) argc -= optind; argv += optind; - if (qdnssec && ldns_rr_list_rr_count(key_list) == 0) { + if ((qdnssec || PURPOSE == DRILL_CHASE) && + ldns_rr_list_rr_count(key_list) == 0) { + (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true); } if (ldns_rr_list_rr_count(key_list) > 0) { diff --git a/drill/drill.h b/drill/drill.h index e7eacbc3..0746fe7b 100644 --- a/drill/drill.h +++ b/drill/drill.h @@ -12,10 +12,6 @@ #include "drill_util.h" -#ifndef LDNS_TRUST_ANCHOR_FILE -#define LDNS_TRUST_ANCHOR_FILE DRILL_TRUST_ANCHOR_FILE -#endif - #define DRILL_VERSION PACKAGE_VERSION /* what kind of stuff do we allow */ diff --git a/examples/Makefile.in b/examples/Makefile.in index e17f2181..4d867ca6 100644 --- a/examples/Makefile.in +++ b/examples/Makefile.in @@ -157,11 +157,12 @@ clean: realclean: clean rm -rf autom4te.cache/ - rm -f config.log config.status aclocal.m4 config.h.in configure Makefile - rm -f config.h + rm -f config.log config.status aclocal.m4 config.h.in configure + rm -f config.h ldns-dane.1 ldns-verify-zone.1 Makefile confclean: clean - rm -rf config.log config.status config.h Makefile + rm -rf config.log config.status + rm -f config.h ldns-dane.1 ldns-verify-zone.1 Makefile install: $(PROGRAMS) $(SSL_PROGRAMS) $(INSTALL) -d -m 755 $(DESTDIR)$(bindir) diff --git a/examples/configure.ac b/examples/configure.ac index 0e27eecd..3fbf5bf5 100644 --- a/examples/configure.ac 
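Review bot: The status of `(void) read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true)` is discarded, so a missing or unreadable default anchor leaves no trace and, for `PURPOSE == DRILL_CHASE`, drill continues with an empty key_list; what the following branch on `ldns_rr_list_rr_count(key_list) > 0` then does is outside the hunk. If the silent fallback is intended, say so where the cast is: `/* the compiled-in anchor is optional: a failure to read it is deliberately ignored */`; otherwise report the failure at a verbose level so an operator can tell a chase that ended up with no trusted key from one anchored at the default file. The `-k` handling that would populate key_list earlier in main is also outside the hunk.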
+++ b/examples/configure.ac 
@@ -315,13 +315,51 @@ if test -f $ldns_dev_dir/ldns/util.h && \ else AC_MSG_RESULT([no]) AC_CHECK_LIB(ldns, ldns_rr_new,, [ - AC_MSG_ERROR([Can't find ldns library]) + AC_MSG_ERROR([Can't find ldns library])dnl' ] ) fi AC_SUBST(LDNSDIR) +AC_ARG_WITH(trust-anchor, AC_HELP_STRING([--with-trust-anchor=KEYFILE], [Default location of the trust anchor file for drill and ldns-dane. [default=SYSCONFDIR/unbound/root.key]]), [ + LDNS_TRUST_ANCHOR_FILE="$withval" +],[ + if test "x$LDNS_TRUST_ANCHOR_FILE" = "x"; then + if test "x$sysconfdir" = 'x${prefix}/etc' ; then + if test "x$prefix" = 'xNONE' ; then + LDNS_TRUST_ANCHOR_FILE="/etc/unbound/root.key" + else + LDNS_TRUST_ANCHOR_FILE="${prefix}/etc/unbound/root.key" + fi + else + LDNS_TRUST_ANCHOR_FILE="${sysconfdir}/unbound/root.key" + fi + fi +]) +AC_DEFINE_UNQUOTED([LDNS_TRUST_ANCHOR_FILE], ["$LDNS_TRUST_ANCHOR_FILE"], [Default trust anchor file]) +AC_SUBST(LDNS_TRUST_ANCHOR_FILE) +AC_MSG_NOTICE([Default trust anchor: $LDNS_TRUST_ANCHOR_FILE]) + +AC_ARG_WITH(ca-file, AC_HELP_STRING([--with-ca-file=CAFILE], [File containing CA certificates for ldns-dane]), [ + AC_DEFINE([HAVE_DANE_CA_FILE], [1], [Is a CAFILE given at configure time]) + AC_DEFINE_UNQUOTED([LDNS_DANE_CA_FILE], ["$withval"], [Is a CAFILE given at configure time]) + AC_MSG_NOTICE([Using CAfile: $withval]) + AC_SUBST(DEFAULT_CAFILE, ["Default is $withval"]) +],[ + AC_DEFINE([HAVE_DANE_CA_FILE], [0], [Is a CAFILE given at configure time]) + AC_SUBST(DEFAULT_CAFILE, []) +]) + +AC_ARG_WITH(ca-path, AC_HELP_STRING([--with-ca-path=CAPATH], [Directory containing CA certificate files for ldns-dane]), [ + AC_DEFINE([HAVE_DANE_CA_PATH], [1], [Is a CAPATH given at configure time]) + AC_DEFINE_UNQUOTED([LDNS_DANE_CA_PATH], ["$withval"], [Is a CAPATH given at configure time]) + AC_MSG_NOTICE([Using CApath: $withval]) + AC_SUBST(DEFAULT_CAPATH, ["Default is $withval"]) +],[ + AC_DEFINE([HAVE_DANE_CA_PATH], [0], [Is a CAPATH given at configure time]) + AC_SUBST(DEFAULT_CAPATH, 
[]) +]) AH_BOTTOM([ @@ -418,6 +456,6 @@ extern int optind, opterr; #endif ]) -AC_CONFIG_FILES([Makefile]) +AC_CONFIG_FILES([Makefile ldns-dane.1 ldns-verify-zone.1]) AC_CONFIG_HEADER([config.h]) AC_OUTPUT diff --git a/examples/ldns-dane.1 b/examples/ldns-dane.1.in similarity index 82% rename from examples/ldns-dane.1 rename to examples/ldns-dane.1.in index 52472302..8f05d7f6 100644 --- a/examples/ldns-dane.1 +++ b/examples/ldns-dane.1.in @@ -5,6 +5,7 @@ ldns-dane \- verify or create TLS authentication with DANE (RFC6698) .PD 0 .B ldns-dane .IR [OPTIONS] +.IR verify .IR name .IR port .PP @@ -12,14 +13,21 @@ ldns-dane \- verify or create TLS authentication with DANE (RFC6698) .IR [OPTIONS] .IR -t .IR tlsafile +.IR verify .B ldns-dane .IR [OPTIONS] .IR name .IR port +.IR create +.PP + [ .IR Certificate-usage +[ .IR Selector +[ .IR Matching-type +] ] ] .B ldns-dane .IR -h @@ -54,13 +62,13 @@ Service certificate constraint .IP 2 Trust anchor assertion .IP 3 -Domain-issued certificate +Domain-issued certificate (default) .RE .I Selector\fR: .RS .IP 0 -Full certificate +Full certificate (default) .IP 1 SubjectPublicKeyInfo .RE @@ -70,7 +78,7 @@ SubjectPublicKeyInfo .IP 0 No hash used .IP 1 -SHA-256 +SHA-256 (default) .IP 2 SHA-512 .RE 
@@ -98,17 +106,20 @@ TLSA records) for the certificate (chain) in \fIcertfile\fR instead. Assume DNSSEC validity even when the TLSA records were acquired insecure or were bogus. .IP "-f \fICAfile\fR" -Use CAfile to validate. +Use CAfile to validate. @DEFAULT_CAFILE@ .IP -h Print short usage help .IP -i Interact after connecting. .IP "-k \fIkeyfile\fR" Specify a file that contains a trusted DNSKEY or DS rr. -Without a trusted DNSKEY, the local network is trusted to provide -a DNSSEC resolver (i.e. AD bit is checked). +Key(s) are used when chasing signatures (i.e. \fI-S\fR is given). This option may be given more than once. + +Alternatively, if \fB-k\fR is not specified, and a default trust anchor +(@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record, +it will be used as the trust anchor. .IP -n Do \fBnot\fR verify server name in certificate. .IP "-o \fIoffset\fR" @@ -122,7 +133,7 @@ is used (like with 0) that MUST be self-signed. This can help to make sure that the intended (self signed) trust anchor is actually present in the server certificate chain (which is a DANE requirement). .IP "-p \fICApath\fR" -Use certificates in the \fICApath\fR directory to validate. +Use certificates in the \fICApath\fR directory to validate. @DEFAULT_CAPATH@ .IP -s When creating TLSA resource records with the "CA Constraint" and the "Service Certificate Constraint" certificate usage, do not validate and @@ -130,6 +141,11 @@ assume PKIX is valid. For "CA Constraint" this means that verification should end with a self-signed certificate. +.IP -S +Chase signature(s) to a known key. + +Without this option, the local network is trusted to provide +a DNSSEC resolver (i.e. AD bit is checked). .IP "-t \fItlsafile\fR" Read TLSA record(s) from \fItlsafile\fR. When \fIname\fR and \fIport\fR are also given, only TLSA records that match the \fIname\fR, \fIport\fR and 
@@ -140,6 +156,16 @@ Use UDP transport instead of TCP. .IP -v Show version and exit. +.SH "FILES" +.TP +@LDNS_TRUST_ANCHOR_FILE@ +The file from which trusted keys are loaded for signature chasing, +when no \fB-k\fR option is given. + +.SH "SEE ALSO" +.LP +unbound-anchor(8) + .SH AUTHOR Written by the ldns team as an example for ldns usage. diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c index 9f38c3c8..f5c86b4e 100644 --- a/examples/ldns-dane.c +++ b/examples/ldns-dane.c @@ -42,28 +42,28 @@ void print_usage(const char* progname) { - printf("Usage: %s [OPTIONS] \n", progname); - printf(" or: %s [OPTIONS] -t \n", progname); + printf("Usage: %s [OPTIONS] verify \n", progname); + printf(" or: %s [OPTIONS] -t verify\n", progname); printf("\n\tVerify the TLS connection at : or" "\n\tuse TLSA record(s) from to verify the\n" "\tTLS service they reference.\n"); - printf("\n or: %s [OPTIONS] " - "\n", progname); + printf("\n or: %s [OPTIONS] create [ " + "[ []]]\n", progname); printf("\n\tUse the TLS connection(s) to " "to create the TLSA\n\t" "resource record(s) that would " "authenticate the connection.\n"); - printf("\n\t" - "\t0: CA constraint\n" + printf("\n\t" + "\t\t0: CA constraint\n" "\t\t\t1: Service certificate constraint\n" "\t\t\t2: Trust anchor assertion\n" - "\t\t\t3: Domain-issued certificate\n"); + "\t\t\t3: Domain-issued certificate (default)\n"); printf("\n\t" - "\t0: Full certificate\n" + "\t0: Full certificate (default)\n" "\t\t\t1: SubjectPublicKeyInfo\n"); - printf("\n\t" - "\t0: No hash used\n" - "\t\t\t1: SHA-256\n" + printf("\n\t" + "\t\t0: No hash used\n" + "\t\t\t1: SHA-256 (default)\n" "\t\t\t2: SHA-512\n"); printf("OPTIONS:\n"); 
@@ -81,10 +81,15 @@ print_usage(const char* progname) ); printf("\t-d\t\tassume DNSSEC validity even when insecure or bogus\n"); printf("\t-f \tuse CAfile to validate\n"); +#if HAVE_DANE_CA_FILE + printf("\t\t\tDefault is %s\n", LDNS_DANE_CA_FILE); +#endif printf("\t-i\t\tinteract after connecting\n"); printf("\t-k \t" "use DNSKEY/DS rr(s) in to validate TLSAs\n" + "\t\t\twhen signature chasing (i.e. -S)\n" ); + printf("\t\t\tDefault is %s\n", LDNS_TRUST_ANCHOR_FILE); printf("\t-n\t\tdo *not* verify server name in certificate\n"); printf("\t-o \t" "select th certificate from the end of\n" @@ -93,7 +98,11 @@ print_usage(const char* progname) printf("\t-p \t" "use certificates in the directory to validate\n" ); +#if HAVE_DANE_CA_PATH + printf("\t\t\tDefaults is %s\n", LDNS_DANE_CA_PATH); +#endif printf("\t-s\t\tassume PKIX validity\n"); + printf("\t-S\t\tChase signature(s) to a known key\n"); printf("\t-t \tdo not use DNS, " "but read TLSA record(s) from \n" ); @@ -501,8 +510,6 @@ read_key_file(const char *filename, ldns_rr_list *keys) int line_nr; if (!(fp = fopen(filename, "r"))) { - fprintf(stderr, "Error opening %s: %s\n", filename, - strerror(errno)); return LDNS_STATUS_FILE_ERR; } while (!feof(fp)) { @@ -668,7 +675,8 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname, } else if (s != LDNS_STATUS_OK) { LDNS_ERR(s, "dane_query"); - } else if (! ldns_rr_list_push_rr_list(r, as)) { + } + if (! ldns_rr_list_push_rr_list(r, as)) { MEMERR("ldns_rr_list_push_rr_list"); } } @@ -685,7 +693,8 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname, } else if (s != LDNS_STATUS_OK) { LDNS_ERR(s, "dane_query"); - } else if (! ldns_rr_list_push_rr_list(r, aaas)) { + } + if (! ldns_rr_list_push_rr_list(r, aaas)) { MEMERR("ldns_rr_list_push_rr_list"); } } @@ -1035,7 +1044,7 @@ dane_verify(ldns_rr_list* tlsas, ldns_rdf* address, int -main(int argc, char** argv) +main(int argc, char* const* argv) { int c; enum { UNDETERMINED, VERIFY, CREATE } mode = UNDETERMINED; 
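Review bot: `printf("\t\t\tDefaults is %s\n", LDNS_DANE_CA_PATH);` in the new HAVE_DANE_CA_PATH block has a typo and differs from the CAfile line a few lines above; it should read `printf("\t\t\tDefault is %s\n", LDNS_DANE_CA_PATH);`. print_usage starts and ends outside the hunk.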
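Review bot: With the `fprintf(stderr, "Error opening %s: %s\n", ...)` removed, read_key_file reports only LDNS_STATUS_FILE_ERR and the `-k` handler (hunk at -1164) formats `strerror(errno)` itself; that works only because the function returns straight after the failed fopen, so the contract deserves a comment at the early return: `/* errno is left as set by fopen() so the caller can report it */`. The same comment applies to the matching removal in examples/ldns-verify-zone.c (hunk at -66). read_key_file continues outside the hunk.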
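Review bot: Splitting `} else if (! ldns_rr_list_push_rr_list(r, as))` into a separate `if` makes the push run after the `s != LDNS_STATUS_OK` branch too, which is only safe if `LDNS_ERR(s, "dane_query")` never returns for a non-OK status; if it can return, `as` holds whatever dane_query left behind on failure. Record the assumption on the push, `/* LDNS_ERR() exits on error, so as is valid here */`, or give the error branch its own exit path before the push. The aaas hunk at -685 is the same case; dane_lookup_addresses starts and ends outside the hunk.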
@@ -1049,14 +1058,23 @@ main(int argc, char** argv) bool verify_server_name = true; bool interact = false; - char* CAfile = NULL; - char* CApath = NULL; +#if HAVE_DANE_CA_FILE + const char* CAfile = LDNS_DANE_CA_FILE; +#else + const char* CAfile = NULL; +#endif +#if HAVE_DANE_CA_PATH + const char* CApath = LDNS_DANE_CA_PATH; +#else + const char* CApath = NULL; +#endif char* cert_file = NULL; X509* cert = NULL; STACK_OF(X509)* extra_certs = NULL; - ldns_rr_list* keys = ldns_rr_list_new(); - size_t nkeys = 0; + ldns_rr_list* keys = ldns_rr_list_new(); + size_t nkeys = 0; + bool do_sigchase = false; ldns_rr_list* addresses = ldns_rr_list_new(); ldns_rr* address_rr; @@ -1102,7 +1120,7 @@ main(int argc, char** argv) if (! keys || ! addresses) { MEMERR("ldns_rr_list_new"); } - while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:st:uvV:")) != -1) { + while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:sSt:uvV:")) != -1) { switch(c) { case 'h': print_usage("ldns-dane"); @@ -1164,10 +1182,14 @@ main(int argc, char** argv) break; case 'k': s = read_key_file(optarg, keys); + if (s == LDNS_STATUS_FILE_ERR) { + fprintf(stderr, "Error opening %s: %s\n", + optarg, strerror(errno)); + } LDNS_ERR(s, "Could not parse key file"); if (ldns_rr_list_rr_count(keys) == nkeys) { - fprintf(stderr, "No keys found in file %s\n", - optarg); + fprintf(stderr, "No keys found in file" + " %s\n", optarg); exit(EXIT_FAILURE); } nkeys = ldns_rr_list_rr_count(keys); @@ -1184,6 +1206,9 @@ main(int argc, char** argv) case 's': assume_pkix_validity = true; break; + case 'S': + do_sigchase = true; + break; case 't': tlsas_file = optarg; break; 
@@ -1222,13 +1247,51 @@ main(int argc, char** argv) } } + if (do_sigchase) { + if (nkeys == 0) { + (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, keys); + nkeys = ldns_rr_list_rr_count(keys); + + if (nkeys == 0) { + fprintf(stderr, "Unable to chase " + "signature without keys.\n"); + exit(EXIT_FAILURE); + } + } + } else { + keys = NULL; + } + argc -= optind; argv += optind; - if (argc == 0 && tlsas_file != NULL) { + if (argc == 0) { + + print_usage("ldns-dane"); + } + if (strncasecmp(*argv, "create", strlen(*argv)) == 0) { + + mode = CREATE; + argc--; + argv++; + + } else if (strncasecmp(*argv, "verify", strlen(*argv)) == 0) { mode = VERIFY; + argc--; + argv++; + + } else { + fprintf(stderr, "Specify create or verify mode\n"); + exit(EXIT_FAILURE); + } + if (mode == VERIFY && argc == 0) { + + if (! tlsas_file) { + fprintf(stderr, "ERROR! Nothing given to verify\n"); + exit(EXIT_FAILURE); + } s = dane_read_tlsas_from_file(&tlsas, tlsas_file, NULL); LDNS_ERR(s, "could not read tlas from file"); @@ -1321,16 +1384,18 @@ main(int argc, char** argv) MEMERR("ldns_rdf2str"); } + } else if (argc < 2) { print_usage("ldns-dane"); } else { - name_str = argv[0]; + name_str = *argv++; argc--; s = ldns_str2rdf_dname(&name, name_str); LDNS_ERR(s, "could not ldns_str2rdf_dname"); - port = (uint16_t)dane_int_within_range(argv[1], 65535, "port"); + port = (uint16_t)dane_int_within_range(*argv++, 65535, "port"); + --argc; s = ldns_dane_create_tlsa_owner(&tlsa_owner, name, port, transport); @@ -1341,10 +1406,12 @@ main(int argc, char** argv) } } - if (argc == 2) { - - mode = VERIFY; + switch (mode) { + case VERIFY: + if (argc > 0) { + print_usage("ldns-dane"); + } if (tlsas_file) { s = dane_read_tlsas_from_file(&tlsas, tlsas_file, 
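Review bot: `strncasecmp(*argv, "create", strlen(*argv)) == 0` is true for an empty first argument, because a zero-length comparison always succeeds, so `ldns-dane "" name port` silently enters CREATE mode; guard it as `if (**argv && strncasecmp(*argv, "create", strlen(*argv)) == 0) {` (and the verify branch likewise). The test also relies on `print_usage("ldns-dane")` not returning when `argc == 0`; otherwise `*argv` is the terminating NULL of argv and `strlen(*argv)` dereferences it, so a `/* print_usage() does not return */` comment at that call would record the contract. The `keys = NULL;` in the `else` branch discards any keys loaded with `-k` when `-S` is absent without a word; `if (nkeys > 0) fprintf(stderr, "Warning: -k keys are only used with -S\n");` before it would stop an operator from assuming those keys took part in validation. main continues outside the hunk.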
@@ -1391,39 +1458,57 @@ main(int argc, char** argv) tlsas = dane_no_pkix_transform(originals); } - } else if (argc == 5) { - - mode = CREATE; - - tlsas = ldns_rr_list_new(); - - certificate_usage = dane_int_within_range_table( - argv[2], 3, "certificate usage", - dane_certificate_usage_table); - selector = dane_int_within_range_table( - argv[3], 1, "selector", - dane_selector_table); + break; - if (*argv[4] && /* strlen(argv[4]) > 0 */ - (strncasecmp(argv[4], "no-hash-used", - strlen(argv[4])) == 0 || - strncasecmp(argv[4], "no hash used", - strlen(argv[4])) == 0 )) { - matching_type = 0; + case CREATE: + if (argc > 0) { + certificate_usage = dane_int_within_range_table( + *argv++, 3, "certificate usage", + dane_certificate_usage_table); + argc--; + } else { + certificate_usage = + LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE; + } + if (argc > 0) { + selector = dane_int_within_range_table( + *argv++, 1, "selector", + dane_selector_table); + argc--; + } else { + selector = LDNS_TLSA_SELECTOR_FULL_CERTIFICATE; + } + if (argc > 0) { + if (*argv && /* strlen(argv) > 0 */ + (strncasecmp(*argv, "no-hash-used", + strlen(*argv)) == 0 || + strncasecmp(*argv, "no hash used", + strlen(*argv)) == 0 )) { + matching_type = + LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED; - } else if (strcasecmp(argv[4], "sha256") == 0 || - strcasecmp(argv[4], "sha-256") == 0) { + } else if (strcasecmp(*argv, "sha256") == 0 || + strcasecmp(*argv, "sha-256") == 0) { - matching_type = 1; + matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256; - } else if (strcasecmp(argv[4], "sha512") == 0 || - strcasecmp(argv[4], "sha-512") == 0) { + } else if (strcasecmp(*argv, "sha512") == 0 || + strcasecmp(*argv, "sha-512") == 0) { - matching_type = 2; + matching_type = LDNS_TLSA_MATCHING_TYPE_SHA512; + } else { + matching_type = dane_int_within_range( + *argv, 2, "matching type"); + } + argv++; + argc--; } else { - matching_type = dane_int_within_range(argv[4], 2, - "matching type"); + matching_type = 
LDNS_TLSA_MATCHING_TYPE_SHA256; + } + if (argc > 0) { + + print_usage("ldns-dane"); } if ((certificate_usage == LDNS_TLSA_USAGE_CA_CONSTRAINT || certificate_usage == @@ -1444,9 +1529,11 @@ main(int argc, char** argv) exit(EXIT_FAILURE); } - } else if (mode == UNDETERMINED) { - - print_usage("ldns-dane"); + tlsas = ldns_rr_list_new(); + break; + default: + fprintf(stderr, "Unreachable code\n"); + assert(0); } /* ssl inititalize */ diff --git a/examples/ldns-test-edns.c b/examples/ldns-test-edns.c index d9d708c7..b4292a0f 100644 --- a/examples/ldns-test-edns.c +++ b/examples/ldns-test-edns.c @@ -15,6 +15,18 @@ /** print error details */ static int verb = 1; +struct sockaddr_in6* cast_sockaddr_storage2sockaddr_in6( + struct sockaddr_storage* s) +{ + return (struct sockaddr_in6*)s; +} + +struct sockaddr_in* cast_sockaddr_storage2sockaddr_in( + struct sockaddr_storage* s) +{ + return (struct sockaddr_in*)s; +} + /** parse IP address */ static int convert_addr(char* str, int p, struct sockaddr_storage* addr, socklen_t* len) @@ -22,8 +34,10 @@ convert_addr(char* str, int p, struct sockaddr_storage* addr, socklen_t* len) #ifdef AF_INET6 if(strchr(str, ':')) { *len = (socklen_t)sizeof(struct sockaddr_in6); - ((struct sockaddr_in6*)addr)->sin6_family = AF_INET6; - ((struct sockaddr_in6*)addr)->sin6_port = htons((uint16_t)p); + cast_sockaddr_storage2sockaddr_in6(addr)->sin6_family = + AF_INET6; + cast_sockaddr_storage2sockaddr_in6(addr)->sin6_port = + htons((uint16_t)p); if(inet_pton(AF_INET6, str, &((struct sockaddr_in6*)addr)->sin6_addr) == 1) return 1; 
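Review bot: In the CREATE branch, `if (*argv && /* strlen(argv) > 0 */` now tests the `char *` pointer rather than the first character as the old `*argv[4]` did, so the comment no longer matches the code and an empty matching-type argument passes the check; `strncasecmp(*argv, "no-hash-used", 0)` then returns 0 and the record is silently built with LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED. Restore the intent with `if (**argv && /* strlen(*argv) > 0 */`. The enclosing switch on mode continues outside the hunk.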
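Review bot: In the new `default:` arm, `assert(0)` vanishes under NDEBUG, so a build with asserts off prints "Unreachable code" and then falls into the TLS setup below without the tlsas list the other arms prepare; `exit(EXIT_FAILURE);` after the fprintf (keeping the assert for debug builds if wanted) closes that path. main continues outside the hunk.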
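Review bot: `cast_sockaddr_storage2sockaddr_in6` and `cast_sockaddr_storage2sockaddr_in` are defined with external linkage and no prior prototype, while the neighbouring `convert_addr` is `static`; make both `static` so the example does not export two symbols and `-Wmissing-prototypes` stays quiet. Presumably they exist to confine the sockaddr_storage cast to one place, but the `&((struct sockaddr_in6*)addr)->sin6_addr` argument to inet_pton in the -22 hunk (and its AF_INET twin in the -31 hunk) keeps the raw cast, so the helper should be used there too, e.g. `&cast_sockaddr_storage2sockaddr_in6(addr)->sin6_addr`. A one-line comment above the helpers stating why the cast is funnelled through a function would spare the next reader the guess.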
@@ -31,9 +45,11 @@ convert_addr(char* str, int p, struct sockaddr_storage* addr, socklen_t* len) #endif *len = (socklen_t)sizeof(struct sockaddr_in); #ifndef S_SPLINT_S - ((struct sockaddr_in*)addr)->sin_family = AF_INET; + cast_sockaddr_storage2sockaddr_in(addr)->sin_family = + AF_INET; #endif - ((struct sockaddr_in*)addr)->sin_port = htons((uint16_t)p); + cast_sockaddr_storage2sockaddr_in(addr)->sin_port = + htons((uint16_t)p); if(inet_pton(AF_INET, str, &((struct sockaddr_in*)addr)->sin_addr) == 1) return 1; diff --git a/examples/ldns-verify-zone.1 b/examples/ldns-verify-zone.1.in similarity index 84% rename from examples/ldns-verify-zone.1 rename to examples/ldns-verify-zone.1.in index a4cb767d..e03b7003 100644 --- a/examples/ldns-verify-zone.1 +++ b/examples/ldns-verify-zone.1.in @@ -37,6 +37,9 @@ Default signatures should just be valid now. A file that contains a trusted DNSKEY or DS rr. This option may be given more than once. +Alternatively, if \fB-k\fR is not specified, and a default trust anchor +(@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record, +it will be used as the trust anchor. .TP \fB-p\fR \fI[0-100]\fR Only check this percentage of the zone. @@ -77,6 +80,16 @@ P[n]Y[n]M[n]DT[n]H[n]M[n]S .LP If no file is given standard input is read. +.SH "FILES" +.TP +@LDNS_TRUST_ANCHOR_FILE@ +The file from which trusted keys are loaded for signature chasing, +when no \fB-k\fR option is given. + +.SH "SEE ALSO" +.LP +unbound-anchor(8) + .SH AUTHOR Written by the ldns team as an example for ldns usage. diff --git a/examples/ldns-verify-zone.c b/examples/ldns-verify-zone.c index 9a8e13f9..0bbb97f4 100644 --- a/examples/ldns-verify-zone.c +++ b/examples/ldns-verify-zone.c @@ -66,10 +66,6 @@ read_key_file(const char *filename, ldns_rr_list *keys) int line_nr; if (!(fp = fopen(filename, "r"))) { - if (verbosity > 0) { - fprintf(myerr, "Error opening %s: %s\n", filename, - strerror(errno)); - } return LDNS_STATUS_FILE_ERR; } while (!feof(fp)) { 
@@ -754,7 +750,8 @@ main(int argc, char **argv) "now)\n"); printf("\t-k \tspecify a file that contains a " "trusted DNSKEY or DS rr.\n\t\t\t" - "This option may be given more than once.\n"); + "This option may be given more than once.\n" + "\t\t\tDefault is %s", LDNS_TRUST_ANCHOR_FILE); printf("\t-p [0-100]\tonly checks this percentage of " "the zone.\n\t\t\tDefaults to 100\n"); printf("\t-S\t\tchase signature(s) to a known key. " @@ -799,6 +796,13 @@ main(int argc, char **argv) break; case 'k': s = read_key_file(optarg, keys); + if (s == LDNS_STATUS_FILE_ERR) { + if (verbosity > 0) { + fprintf(myerr, + "Error opening %s: %s\n", + optarg, strerror(errno)); + } + } if (s != LDNS_STATUS_OK) { if (verbosity > 0) { fprintf(myerr, @@ -860,11 +864,16 @@ main(int argc, char **argv) } } if (do_sigchase && nkeys == 0) { - if (verbosity > 0) { - fprintf(myerr, - "Unable to chase signature without keys.\n"); + (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, keys); + nkeys = ldns_rr_list_rr_count(keys); + + if (nkeys == 0) { + if (verbosity > 0) { + fprintf(myerr, "Unable to chase " + "signature without keys.\n"); + } + exit(EXIT_FAILURE); } - exit(EXIT_FAILURE); } argc -= optind; diff --git a/ldns/common.h.in b/ldns/common.h.in index 0813e474..aedfc96d 100644 --- a/ldns/common.h.in +++ b/ldns/common.h.in @@ -66,8 +66,6 @@ typedef bool _Bool; #define ATTR_UNUSED(x) x #endif /* !LDNS_BUILD_CONFIG_HAVE_ATTR_UNUSED */ -#define LDNS_TRUST_ANCHOR_FILE "@LDNS_TRUST_ANCHOR_FILE@" - #if !LDNS_BUILD_CONFIG_HAVE_SOCKLEN_T typedef int socklen_t; #endif diff --git a/ldns/dname.h b/ldns/dname.h index d4d712f3..16b45429 100644 --- a/ldns/dname.h +++ b/ldns/dname.h @@ -111,6 +111,7 @@ ldns_rdf *ldns_dname_new_frm_str(const char *str); * Create a new dname rdf from a string * \param[in] s the size of the new dname * \param[in] *data pointer to the actual data + * * \return ldns_rdf* */ ldns_rdf *ldns_dname_new(uint16_t s, void *data); 
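Review bot: The new usage line `"\t\t\tDefault is %s", LDNS_TRUST_ANCHOR_FILE);` has no trailing newline, so the following `printf("\t-p [0-100]...")` continues on the same output line; it should be `"\t\t\tDefault is %s\n", LDNS_TRUST_ANCHOR_FILE);`. main continues outside the hunk.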
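Review bot: When the default anchor cannot be read, the only output in the -860 hunk is "Unable to chase signature without keys." and, because the fopen error was removed from read_key_file in the -66 hunk, the user is never told which file was tried; naming it, e.g. `fprintf(myerr, "Unable to chase signature without keys (no -k given and %s not readable).\n", LDNS_TRUST_ANCHOR_FILE);`, makes a misplaced trust anchor diagnosable. The corresponding ldns-dane.c block in the hunk at -1222 has the same gap. main continues outside the hunk.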
@@ -119,6 +120,7 @@ ldns_rdf *ldns_dname_new(uint16_t s, void *data); * Create a new dname rdf from data (the data is copied) * \param[in] size the size of the data * \param[in] *data pointer to the actual data + * * \return ldns_rdf* */ ldns_rdf *ldns_dname_new_frm_data(uint16_t size, const void *data); diff --git a/ldns/dnssec.h b/ldns/dnssec.h index 9e602b5b..34f63714 100644 --- a/ldns/dnssec.h +++ b/ldns/dnssec.h @@ -198,6 +198,7 @@ RSA *ldns_key_buf2rsa_raw(unsigned char* key, size_t len); * * \param[in] *key the key to convert * \param[in] h the hash to use LDNS_SHA1/LDNS_SHA256 + * * \return ldns_rr* a new rr pointer to a DS */ ldns_rr *ldns_key_rr2ds(const ldns_rr *key, ldns_hash h); diff --git a/ldns/dnssec_verify.h b/ldns/dnssec_verify.h index 32036a8c..b6bdeca5 100644 --- a/ldns/dnssec_verify.h +++ b/ldns/dnssec_verify.h @@ -367,6 +367,7 @@ void ldns_dnssec_derive_trust_tree_no_sig_time( * * \param *tree The trust tree so search * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for + * * \return LDNS_STATUS_OK if there is a trusted path to one of * the keys, or the *first* error encountered * if there were no paths diff --git a/ldns/rdata.h b/ldns/rdata.h index 90dcbf13..229a4d4c 100644 --- a/ldns/rdata.h +++ b/ldns/rdata.h @@ -194,6 +194,7 @@ ldns_rdf_type ldns_rdf_get_type(const ldns_rdf *rd); /** * returns the data of the rdf. * \param[in] *rd the rdf to read from + * * \return uint8_t* pointer to the rdf's data */ uint8_t *ldns_rdf_data(const ldns_rdf *rd); @@ -303,6 +304,7 @@ ldns_rdf *ldns_native2rdf_int32(ldns_rdf_type type, uint32_t value); * The memory is copied, and an LDNS_RDF_TYPE_INT16DATA is returned * \param[in] size the size of the data * \param[in] *data pointer to the actual data + * * \return ldns_rd* the rdf with the data */ ldns_rdf *ldns_native2rdf_int16_data(size_t size, uint8_t *data); diff --git a/ldns/resolver.h b/ldns/resolver.h index f887aaf6..7af5d401 100644 --- a/ldns/resolver.h +++ b/ldns/resolver.h 
@@ -578,6 +578,7 @@ ldns_status ldns_resolver_push_nameserver_rr_list(ldns_resolver *r, ldns_rr_list * \param[in] t query for this type (may be 0, defaults to A) * \param[in] c query for this class (may be 0, default to IN) * \param[in] flags the query flags + * * \return ldns_pkt* a packet with the reply from the nameserver */ ldns_pkt* ldns_resolver_search(const ldns_resolver *r, const ldns_rdf *rdf, ldns_rr_type t, ldns_rr_class c, uint16_t flags); @@ -590,6 +591,7 @@ ldns_pkt* ldns_resolver_search(const ldns_resolver *r, const ldns_rdf *rdf, ldns * \param[in] t query for this type (may be 0, defaults to A) * \param[in] c query for this class (may be 0, default to IN) * \param[in] f the query flags + * * \return ldns_pkt* a packet with the reply from the nameserver */ ldns_status ldns_resolver_prepare_query_pkt(ldns_pkt **q, ldns_resolver *r, const ldns_rdf *name, ldns_rr_type t, ldns_rr_class c, uint16_t f); @@ -602,6 +604,7 @@ ldns_status ldns_resolver_prepare_query_pkt(ldns_pkt **q, ldns_resolver *r, cons * \param[in] t query for this type (may be 0, defaults to A) * \param[in] c query for this class (may be 0, default to IN) * \param[in] flags the query flags + * * \return ldns_pkt* a packet with the reply from the nameserver */ ldns_status ldns_resolver_send(ldns_pkt **answer, ldns_resolver *r, const ldns_rdf *name, ldns_rr_type t, ldns_rr_class c, uint16_t flags); @@ -621,6 +624,7 @@ ldns_status ldns_resolver_send_pkt(ldns_pkt **answer, ldns_resolver *r, ldns_pkt * \param[in] *t query for this type (may be 0, defaults to A) * \param[in] *c query for this class (may be 0, default to IN) * \param[in] flags the query flags + * * \return ldns_pkt* a packet with the reply from the nameserver * if _defnames is true the default domain will be added */ diff --git a/libdns.doxygen b/libdns.doxygen index ef94a55b..0f84b734 100644 --- a/libdns.doxygen +++ b/libdns.doxygen 
@@ -1,4 +1,4 @@ -# Doxyfile 1.7.3 +# Doxyfile 1.7.6.1 # This file describes the settings to be used by the documentation system # doxygen (www.doxygen.org) for a project. @@ -22,8 +22,9 @@ DOXYFILE_ENCODING = UTF-8 -# The PROJECT_NAME tag is a single word (or a sequence of words surrounded -# by quotes) that should identify the project. +# The PROJECT_NAME tag is a single word (or sequence of words) that should +# identify the project. Note that if you do not use Doxywizard you need +# to put quotes around the project name if it contains spaces. PROJECT_NAME = ldns @@ -33,7 +34,9 @@ PROJECT_NAME = ldns PROJECT_NUMBER = 1.6.7 -# Using the PROJECT_BRIEF tag one can provide an optional one line description for a project that appears at the top of each page and should give viewer a quick idea about the purpose of the project. Keep the description short. +# Using the PROJECT_BRIEF tag one can provide an optional one line description +# for a project that appears at the top of each page and should give viewer +# a quick idea about the purpose of the project. Keep the description short. PROJECT_BRIEF = @@ -192,6 +195,13 @@ TAB_SIZE = 8 ALIASES = +# This tag can be used to specify a number of word-keyword mappings (TCL only). +# A mapping has the form "name=value". For example adding +# "class=itcl::class" will allow you to use the command class in the +# itcl::class meaning. + +TCL_SUBST = + # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C # sources only. Doxygen will then generate output that is more tailored for C. # For instance, some of the names that are used will be different. The list 
@@ -274,6 +284,22 @@ DISTRIBUTE_GROUP_DOC = NO SUBGROUPING = YES +# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and +# unions are shown inside the group in which they are included (e.g. using +# @ingroup) instead of on a separate page (for HTML and Man pages) or +# section (for LaTeX and RTF). + +INLINE_GROUPED_CLASSES = NO + +# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and +# unions with only public data fields will be shown inline in the documentation +# of the scope in which they are defined (i.e. file, namespace, or group +# documentation), provided this scope is documented. If set to NO (the default), +# structs, classes, and unions are shown on a separate page (for HTML and Man +# pages) or section (for LaTeX and RTF). + +INLINE_SIMPLE_STRUCTS = NO + # When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum # is documented as struct, union, or enum with the name of the typedef. So # typedef struct TypeS {} TypeT, will appear in the documentation as a struct 
@@ -296,10 +322,21 @@ TYPEDEF_HIDES_STRUCT = NO # a logarithmic scale so increasing the size by one will roughly double the # memory usage. The cache size is given by this formula: # 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0, -# corresponding to a cache size of 2^16 = 65536 symbols +# corresponding to a cache size of 2^16 = 65536 symbols. SYMBOL_CACHE_SIZE = 0 +# Similar to the SYMBOL_CACHE_SIZE the size of the symbol lookup cache can be +# set using LOOKUP_CACHE_SIZE. This cache is used to resolve symbols given +# their name and scope. Since this can be an expensive process and often the +# same symbol appear multiple times in the code, doxygen keeps a cache of +# pre-resolved symbols. If the cache is too small doxygen will become slower. +# If the cache is too large, memory is wasted. The cache size is given by this +# formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range is 0..9, the default is 0, +# corresponding to a cache size of 2^16 = 65536 symbols. + +LOOKUP_CACHE_SIZE = 0 + #--------------------------------------------------------------------------- # Build related configuration options #--------------------------------------------------------------------------- 
@@ -449,8 +486,11 @@ SORT_GROUP_NAMES = NO SORT_BY_SCOPE_NAME = NO -# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper type resolution of all parameters of a function it will reject a -# match between the prototype and the implementation of a member function even if there is only one candidate or it is obvious which candidate to choose by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen +# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to +# do proper type resolution of all parameters of a function it will reject a +# match between the prototype and the implementation of a member function even +# if there is only one candidate or it is obvious which candidate to choose +# by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen # will still accept a match between prototype and implementation in such cases. STRICT_PROTO_MATCHING = NO @@ -538,6 +578,16 @@ FILE_VERSION_FILTER = LAYOUT_FILE = +# The CITE_BIB_FILES tag can be used to specify one or more bib files +# containing the references data. This must be a list of .bib files. The +# .bib extension is automatically appended if omitted. Using this command +# requires the bibtex tool to be installed. See also +# http://en.wikipedia.org/wiki/BibTeX for more info. For LaTeX the style +# of the bibliography can be controlled using LATEX_BIB_STYLE. To use this +# feature you need bibtex and perl available in the search path. + +CITE_BIB_FILES = + #--------------------------------------------------------------------------- # configuration options related to warning and progress messages #--------------------------------------------------------------------------- 
@@ -629,13 +679,15 @@ FILE_PATTERNS =
 RECURSIVE = NO
-# The EXCLUDE tag can be used to specify files and/or directories that should
+# The EXCLUDE tag can be used to specify files and/or directories that should be
 # excluded from the INPUT source files. This way you can easily exclude a
 # subdirectory from a directory tree whose root is specified with the INPUT tag.
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
 EXCLUDE =
-# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
 # directories that are symbolic links (a Unix file system feature) are excluded
 # from the input.
@@ -821,7 +873,14 @@ HTML_FILE_EXTENSION = .html
 # The HTML_HEADER tag can be used to specify a personal HTML header for
 # each generated HTML page. If it is left blank doxygen will generate a
-# standard header.
+# standard header. Note that when using a custom header you are responsible
+# for the proper inclusion of any scripts and style sheets that doxygen
+# needs, which is dependent on the configuration options used.
+# It is advised to generate a default header using "doxygen -w html
+# header.html footer.html stylesheet.css YourConfigFile" and then modify
+# that header. Note that the header is subject to change so you typically
+# have to redo this when upgrading to a newer version of doxygen or when
+# changing the value of configuration settings such as GENERATE_TREEVIEW!
 HTML_HEADER = doc/header.html
@@ -836,12 +895,21 @@ HTML_FOOTER = # fine-tune the look of the HTML output. If the tag is left blank doxygen # will generate a default style sheet. Note that doxygen will try to copy # the style sheet file to the HTML output directory, so don't put your own -# stylesheet in the HTML output directory as well, or it will be erased! +# style sheet in the HTML output directory as well, or it will be erased! HTML_STYLESHEET = +# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or +# other source files which should be copied to the HTML output directory. Note +# that these files will be copied to the base HTML output directory. Use the +# $relpath$ marker in the HTML_HEADER and/or HTML_FOOTER files to load these +# files. In the HTML_STYLESHEET file, use the file name only. Also note that +# the files will be copied as-is; there are no commands or markers available. + +HTML_EXTRA_FILES = + # The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. -# Doxygen will adjust the colors in the stylesheet and background images +# Doxygen will adjust the colors in the style sheet and background images # according to this color. Hue is specified as an angle on a colorwheel, # see http://en.wikipedia.org/wiki/Hue for more information. # For instance the value 0 represents red, 60 is yellow, 120 is green, @@ -871,12 +939,6 @@ HTML_COLORSTYLE_GAMMA = 80 HTML_TIMESTAMP = YES -# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, -# files or namespaces will be aligned in HTML using tables. If set to -# NO a bullet list will be used. - -HTML_ALIGN_MEMBERS = YES - # If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML # documentation will contain sections that can be hidden and shown after the # page has loaded. For this to work a browser that supports 
@@ -1036,18 +1098,14 @@ GENERATE_ECLIPSEHELP = NO ECLIPSE_DOC_ID = org.doxygen.Project -# The DISABLE_INDEX tag can be used to turn on/off the condensed index at -# top of each HTML page. The value NO (the default) enables the index and -# the value YES disables it. +# The DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) +# at top of each HTML page. The value NO (the default) enables the index and +# the value YES disables it. Since the tabs have the same information as the +# navigation tree you can set this option to NO if you already set +# GENERATE_TREEVIEW to YES. DISABLE_INDEX = NO -# This tag can be used to set the number of enum values (range [0,1..20]) -# that doxygen will group on one line in the generated HTML documentation. -# Note that a value of 0 will completely suppress the enum values from appearing in the overview section. - -ENUM_VALUES_PER_LINE = 4 - # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index # structure should be generated to display hierarchical information. # If the tag value is set to YES, a side panel will be generated 
@@ -1055,13 +1113,17 @@ ENUM_VALUES_PER_LINE = 4
 # is generated for HTML Help). For this to work a browser that supports
 # JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
 # Windows users are probably better off using the HTML help feature.
+# Since the tree basically has the same information as the tab index you
+# could consider to set DISABLE_INDEX to NO when enabling this option.
 GENERATE_TREEVIEW = NO
-# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories,
-# and Class Hierarchy pages using a tree view instead of an ordered list.
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values
+# (range [0,1..20]) that doxygen will group on one line in the generated HTML
+# documentation. Note that a value of 0 will completely suppress the enum
+# values from appearing in the overview section.
-USE_INLINE_TREES = NO
+ENUM_VALUES_PER_LINE = 4
 # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
 # used to set the initial width (in pixels) of the frame in which the tree
@@ -1103,12 +1165,18 @@ USE_MATHJAX = NO # HTML output directory using the MATHJAX_RELPATH option. The destination # directory should contain the MathJax.js script. For instance, if the mathjax # directory is located at the same level as the HTML output directory, then -# MATHJAX_RELPATH should be ../mathjax. The default value points to the mathjax.org site, so you can quickly see the result without installing +# MATHJAX_RELPATH should be ../mathjax. The default value points to the +# mathjax.org site, so you can quickly see the result without installing # MathJax, but it is strongly recommended to install a local copy of MathJax # before deployment. MATHJAX_RELPATH = http://www.mathjax.org/mathjax +# The MATHJAX_EXTENSIONS tag can be used to specify one or MathJax extension +# names that should be enabled during MathJax rendering. + +MATHJAX_EXTENSIONS = + # When the SEARCHENGINE tag is enabled doxygen will generate a search box # for the HTML output. The underlying search engine uses javascript # and DHTML and should work on any modern browser. Note that when using @@ -1182,6 +1250,13 @@ EXTRA_PACKAGES = LATEX_HEADER = +# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for +# the generated latex document. The footer should contain everything after +# the last chapter. If it is left blank doxygen will generate a +# standard footer. Notice: only use this tag if you know what you are doing! + +LATEX_FOOTER = + # If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated # is prepared for conversion to pdf (using ps2pdf). The pdf file will # contain links (just like the HTML output) instead of page references 
@@ -1215,6 +1290,12 @@ LATEX_HIDE_INDICES = NO LATEX_SOURCE_CODE = NO +# The LATEX_BIB_STYLE tag can be used to specify the style to use for the +# bibliography, e.g. plainnat, or ieeetr. The default style is "plain". See +# http://en.wikipedia.org/wiki/BibTeX for more info. + +LATEX_BIB_STYLE = plain + #--------------------------------------------------------------------------- # configuration options related to the RTF output #--------------------------------------------------------------------------- @@ -1246,7 +1327,7 @@ COMPACT_RTF = NO RTF_HYPERLINKS = NO -# Load stylesheet definitions from file. Syntax is similar to doxygen's +# Load style sheet definitions from file. Syntax is similar to doxygen's # config file, i.e. a series of assignments. You only have to provide # replacements, missing definitions are set to their default value. @@ -1391,7 +1472,7 @@ MACRO_EXPANSION = YES EXPAND_ONLY_PREDEF = NO # If the SEARCH_INCLUDES tag is set to YES (the default) the includes files -# in the INCLUDE_PATH (see below) will be search if a #include is found. +# pointed to by INCLUDE_PATH will be searched when a #include is found. SEARCH_INCLUDES = YES @@ -1421,7 +1502,8 @@ PREDEFINED = HAVE_SSL # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then # this tag can be used to specify a list of macro names that should be expanded. # The macro definition that is found in the sources will be used. -# Use the PREDEFINED tag if you want to use a different macro definition that overrules the definition found in the source code. +# Use the PREDEFINED tag if you want to use a different macro definition that +# overrules the definition found in the source code. EXPAND_AS_DEFINED = 
@@ -1519,13 +1601,12 @@ HAVE_DOT = NO
 DOT_NUM_THREADS = 0
-# By default doxygen will write a font called Helvetica to the output
-# directory and reference it in all dot files that doxygen generates.
-# When you want a differently looking font you can specify the font name
-# using DOT_FONTNAME. You need to make sure dot is able to find the font,
-# which can be done by putting it in a standard location or by setting the
-# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory
-# containing the font.
+# By default doxygen will use the Helvetica font for all dot files that
+# doxygen generates. When you want a differently looking font you can specify
+# the font name using DOT_FONTNAME. You need to make sure dot is able to find
+# the font, which can be done by putting it in a standard location or by setting
+# the DOTFONTPATH environment variable or by setting DOT_FONTPATH to the
+# directory containing the font.
 DOT_FONTNAME = Helvetica
@@ -1534,17 +1615,16 @@ DOT_FONTNAME = Helvetica
 DOT_FONTSIZE = 10
-# By default doxygen will tell dot to use the output directory to look for the
-# FreeSans.ttf font (which doxygen will put there itself). If you specify a
-# different font using DOT_FONTNAME you can set the path where dot
-# can find it using this tag.
+# By default doxygen will tell dot to use the Helvetica font.
+# If you specify a different font using DOT_FONTNAME you can use DOT_FONTPATH to
+# set the path where dot can find it.
 DOT_FONTPATH =
 # If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
 # will generate a graph for each documented class showing the direct and
 # indirect inheritance relations. Setting this tag to YES will force the
-# the CLASS_DIAGRAMS tag to NO.
+# CLASS_DIAGRAMS tag to NO.
 CLASS_GRAPH = YES
@@ -1614,11 +1694,22 @@ GRAPHICAL_HIERARCHY = YES DIRECTORY_GRAPH = YES # The DOT_IMAGE_FORMAT tag can be used to set the image format of the images -# generated by dot. Possible values are png, svg, gif or svg. -# If left blank png will be used. +# generated by dot. Possible values are svg, png, jpg, or gif. +# If left blank png will be used. If you choose svg you need to set +# HTML_FILE_EXTENSION to xhtml in order to make the SVG files +# visible in IE 9+ (other browsers do not have this requirement). DOT_IMAGE_FORMAT = png +# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to +# enable generation of interactive SVG images that allow zooming and panning. +# Note that this requires a modern browser other than Internet Explorer. +# Tested and working are Firefox, Chrome, Safari, and Opera. For IE 9+ you +# need to set HTML_FILE_EXTENSION to xhtml in order to make the SVG files +# visible. Older versions of IE do not have SVG support. + +INTERACTIVE_SVG = NO + # The tag DOT_PATH can be used to specify the path where the dot tool can be # found. If left blank, it is assumed the dot tool can be found in the path.