From 0d2256df09f6de38360752836fddafc0a5f084b5 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Mon, 21 Dec 2015 18:08:53 -0500
Subject: [PATCH] set and return the pubkey_pinsets on the upstream resolvers

---
 src/context.c | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/src/context.c b/src/context.c
index 94a88f72..5e9a0b9d 100644
--- a/src/context.c
+++ b/src/context.c
@@ -55,6 +55,7 @@
 #include "stub.h"
 #include "list.h"
 #include "dict.h"
+#include "pubkey-pinning.h"
 #define GETDNS_PORT_ZERO 0
 #define GETDNS_PORT_DNS 53
@@ -1950,6 +1951,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 			upstream_init(upstream, upstreams, ai);
 			upstream->transport = getdns_upstream_transports[j];
 			if (getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
+				getdns_list *pubkey_pinset = NULL;
 				if ((r = getdns_dict_get_bindata(
 				    dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
 					/*TODO: VALIDATE THIS STRING!*/
@@ -1958,6 +1960,16 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 					    tls_auth_name->size);
 					upstream->tls_auth_name[tls_auth_name->size] = '\0';
 				}
+				if ((r = getdns_dict_get_list(dict, "tls_pubkey_pinset",
+				    &pubkey_pinset)) == GETDNS_RETURN_GOOD) {
+					/* TODO: what if the user supplies tls_pubkey_pinset with
+					 * something other than a list? */
+					r = _getdns_get_pubkey_pinset_from_list(pubkey_pinset,
+					    &(upstreams->mf),
+					    &(upstream->tls_pubkey_pinset));
+					if (r != GETDNS_RETURN_GOOD)
+						goto invalid_parameter;
+				}
 			}
 			if ((upstream->tsig_alg = tsig_alg)) {
 				if (tsig_name) {
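Review bot: In the new `tls_pubkey_pinset` block, a value that is present but is not a list is silently skipped instead of rejected: `getdns_dict_get_list` then returns something other than `GETDNS_RETURN_GOOD`, the `if` body is not entered, and the upstream is accepted with no pins at all, which is the fail-open case the added TODO comment is asking about — the caller believes pinning is configured while the TLS upstream stays unpinned. Only an absent key should be optional; a wrong type should take the same `invalid_parameter` exit as a malformed pin, e.g. `r = getdns_dict_get_list(dict, "tls_pubkey_pinset", &pubkey_pinset);` / `if (r != GETDNS_RETURN_GOOD && r != GETDNS_RETURN_NO_SUCH_DICT_NAME) goto invalid_parameter;` / `if (r == GETDNS_RETURN_GOOD) { ... }`. Note also that `r` is left non-GOOD whenever the key is absent, exactly as the existing `tls_auth_name` lookup already does; whether a later line resets it cannot be seen from this hunk. `getdns_context_set_upstream_recursive_servers` begins and ends outside the hunk.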
@@ -3170,11 +3182,19 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
 			    (uint32_t)upstream_port(upstream))))
 				break;
-			if (upstream->transport == GETDNS_TRANSPORT_TLS &&
-			    upstream_port(upstream) != getdns_port_array[j] &&
-			    (r = getdns_dict_set_int(d, "tls_port",
-			    (uint32_t)upstream_port(upstream))))
-				break;
+			if (upstream->transport == GETDNS_TRANSPORT_TLS) {
+				if (upstream_port(upstream) == getdns_port_array[j])
+					(void) getdns_dict_set_int(d, "tls_port",
+					    (uint32_t) upstream_port(upstream));
+				if (upstream->tls_pubkey_pinset) {
+					getdns_list *pins = NULL;
+					if (_getdns_get_pubkey_pinset_list(context,
+					    upstream->tls_pubkey_pinset,
+					    &pins) == GETDNS_RETURN_GOOD)
+						(void) getdns_dict_set_list(d, "tls_pubkey_pinset", pins);
+					getdns_list_destroy(pins);
+				}
+			}
 		}
 		if (!r)
 			r = _getdns_list_append_dict(upstreams, d);
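Review bot: The rewritten `tls_port` test inverts the old condition: the removed lines emitted `tls_port` when `upstream_port(upstream) != getdns_port_array[j]`, the new line emits it only when the port is `==` the array entry, which the commit message (pinsets) does not account for and looks like an accidental flip rather than an intended change. The two `(void)`-cast `getdns_dict_set_int` / `getdns_dict_set_list` calls also depart from the loop's own convention a few lines up, where a failing `getdns_dict_set_int` sets `r` and `break`s; here a conversion or allocation failure leaves the returned dict silently without its `tls_port` / `tls_pubkey_pinset` entries, so a caller reading the configuration back cannot tell that pins were configured. Suggest restoring the `!=` test and propagating errors, e.g. `if ((r = _getdns_get_pubkey_pinset_list(context, upstream->tls_pubkey_pinset, &pins)) == GETDNS_RETURN_GOOD)` / `r = getdns_dict_set_list(d, "tls_pubkey_pinset", pins);` with the `getdns_list_destroy(pins);` kept and a `break` on non-zero `r` after it. `getdns_context_get_upstream_recursive_servers` begins and ends outside the hunk, and whether `getdns_dict_set_list` copies `pins` (so destroying it immediately is safe) cannot be confirmed from here.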