Configurable TLS version
Willem Toorop 2018-11-21 15:02:28 +01:00
parent 6a5e96d4e1
commit 1904ee7318
11 changed files with 276 additions and 26 deletions


@ -1,4 +1,15 @@
* 2018-0?-??: Version 1.4.3
* Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
Configurable minimum and maximum TLS versions with
getdns_context_set_tls_min_version() and
getdns_context_set_tls_max_version() functions and
tls_min_version and tls_max_version configuration parameters
for upstreams.
* Configurable TLS1.3 ciphersuites with the
getdns_context_set_tls_ciphersuites() function and
tls_ciphersuites config parameter for upstreams.
* Bugfix in upstream string configurations: tls_cipher_list and
tls_curve_list
* Bugfix finding signer for validating NSEC and NSEC3s, which
caused trouble with the partly tracing DNSSEC from the root
up, introduced in 1.4.2. Thanks Philip Homburg


@ -417,8 +417,8 @@ fi
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_CTX_set_ciphersuites,SSL_set_ciphersuites], [], [], [
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
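Review bot: `SSL_set_min_proto_version` and `SSL_get_min_proto_version` are now probed with `AC_CHECK_DECLS`, but the code added elsewhere in this commit also calls `SSL_CTX_set_max_proto_version` and `SSL_set_max_proto_version` under the same `HAVE_DECL_SSL_SET_MIN_PROTO_VERSION` guard without a probe of their own, and `SSL_get_min_proto_version` has no caller anywhere in this commit. In OpenSSL the min and max setters were introduced together and are macros in the 1.1.x series, so the decl check is the right tool and this works in practice, but a comment next to the check such as `# SSL_*_set_min_proto_version are macros in OpenSSL 1.1.x, hence AC_CHECK_DECLS; the *_max_proto_version variants ship with them` would record both decisions. The `SSL_CTX_set_min_proto_version` entry left in `AC_CHECK_FUNCS` may now be a dead probe if nothing still tests `HAVE_SSL_CTX_SET_MIN_PROTO_VERSION` after this change; worth checking.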


@ -94,6 +94,8 @@ static struct const_info consts_info[] = {
{ 633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
{ 634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT },
{ 635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT },
{ 636, "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT },
{ 637, "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT },
{ 699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
{ 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
{ 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
@ -116,6 +118,11 @@ static struct const_info consts_info[] = {
{ 1202, "GETDNS_TRANSPORT_TLS", GETDNS_TRANSPORT_TLS_TEXT },
{ 1300, "GETDNS_AUTHENTICATION_NONE", GETDNS_AUTHENTICATION_NONE_TEXT },
{ 1301, "GETDNS_AUTHENTICATION_REQUIRED", GETDNS_AUTHENTICATION_REQUIRED_TEXT },
{ 1400, "GETDNS_SSL3", GETDNS_SSL3_TEXT },
{ 1401, "GETDNS_TLS1", GETDNS_TLS1_TEXT },
{ 1402, "GETDNS_TLS1_1", GETDNS_TLS1_1_TEXT },
{ 1403, "GETDNS_TLS1_2", GETDNS_TLS1_2_TEXT },
{ 1404, "GETDNS_TLS1_3", GETDNS_TLS1_3_TEXT },
{ 4096, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT },
};
@ -195,6 +202,8 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
{ "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", 634 },
{ "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", 637 },
{ "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", 636 },
{ "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 },
{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 },
{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", 626 },
@ -281,6 +290,7 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_RRCLASS_IN", 1 },
{ "GETDNS_RRCLASS_NONE", 254 },
{ "GETDNS_RRTYPE_A", 1 },
{ "GETDNS_RRTYPE_A6", 38 },
{ "GETDNS_RRTYPE_AAAA", 28 },
{ "GETDNS_RRTYPE_AFSDB", 18 },
{ "GETDNS_RRTYPE_ANY", 255 },
@ -301,6 +311,8 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_RRTYPE_DOA", 259 },
{ "GETDNS_RRTYPE_DS", 43 },
{ "GETDNS_RRTYPE_EID", 31 },
{ "GETDNS_RRTYPE_EUI48", 108 },
{ "GETDNS_RRTYPE_EUI64", 109 },
{ "GETDNS_RRTYPE_GID", 102 },
{ "GETDNS_RRTYPE_GPOS", 27 },
{ "GETDNS_RRTYPE_HINFO", 13 },
@ -310,6 +322,8 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_RRTYPE_IXFR", 251 },
{ "GETDNS_RRTYPE_KEY", 25 },
{ "GETDNS_RRTYPE_KX", 36 },
{ "GETDNS_RRTYPE_L32", 105 },
{ "GETDNS_RRTYPE_L64", 106 },
{ "GETDNS_RRTYPE_LOC", 29 },
{ "GETDNS_RRTYPE_LP", 107 },
{ "GETDNS_RRTYPE_MAILA", 254 },
@ -329,6 +343,8 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_RRTYPE_NSAP", 22 },
{ "GETDNS_RRTYPE_NSAP_PTR", 23 },
{ "GETDNS_RRTYPE_NSEC", 47 },
{ "GETDNS_RRTYPE_NSEC3", 50 },
{ "GETDNS_RRTYPE_NSEC3PARAM", 51 },
{ "GETDNS_RRTYPE_NULL", 10 },
{ "GETDNS_RRTYPE_NXT", 30 },
{ "GETDNS_RRTYPE_OPENPGPKEY", 61 },
@ -357,6 +373,12 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_RRTYPE_UNSPEC", 103 },
{ "GETDNS_RRTYPE_URI", 256 },
{ "GETDNS_RRTYPE_WKS", 11 },
{ "GETDNS_RRTYPE_X25", 19 },
{ "GETDNS_SSL3", 1400 },
{ "GETDNS_TLS1", 1401 },
{ "GETDNS_TLS1_1", 1402 },
{ "GETDNS_TLS1_2", 1403 },
{ "GETDNS_TLS1_3", 1404 },
{ "GETDNS_TRANSPORT_TCP", 1201 },
{ "GETDNS_TRANSPORT_TCP_ONLY", 542 },
{ "GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN", 543 },


@ -1079,6 +1079,8 @@ upstream_init(getdns_upstream *upstream,
upstream->tls_cipher_list = NULL;
upstream->tls_ciphersuites = NULL;
upstream->tls_curves_list = NULL;
upstream->tls_min_version = (getdns_tls_version_t)0;
upstream->tls_max_version = (getdns_tls_version_t)0;
upstream->transport = GETDNS_TRANSPORT_TCP;
upstream->tls_hs_state = GETDNS_HS_NONE;
upstream->tls_auth_name[0] = '\0';
@ -1597,6 +1599,8 @@ getdns_context_create_with_extended_memory_functions(
result->tls_cipher_list = NULL;
result->tls_ciphersuites = NULL;
result->tls_curves_list = NULL;
result->tls_min_version = GETDNS_TLS1_2;
result->tls_max_version = (getdns_tls_version_t)0;
(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
@ -3090,6 +3094,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
getdns_bindata *tls_cipher_list = NULL;
getdns_bindata *tls_ciphersuites = NULL;
getdns_bindata *tls_curves_list = NULL;
uint32_t tls_version;
if ((r = getdns_dict_get_bindata(
dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
@ -3137,16 +3142,17 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
(void) getdns_dict_get_bindata(
dict, "tls_curves_list", &tls_curves_list);
if (tls_curves_list) {
#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
upstream->tls_curves_list =
_getdns_strdup2(&upstreams->mf
, tls_curves_list);
#else
freeaddrinfo(ai);
goto not_implemented;
#endif
} else
upstream->tls_curves_list = NULL;
if (!getdns_dict_get_int(
dict, "tls_min_version", &tls_version))
upstream->tls_min_version = tls_version;
if (!getdns_dict_get_int(
dict, "tls_max_version", &tls_version))
upstream->tls_max_version = tls_version;
}
if ((upstream->tsig_alg = tsig_alg)) {
if (tsig_name) {
@ -3715,9 +3721,17 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
if(context->tls_ctx == NULL)
return GETDNS_RETURN_BAD_CONTEXT;
# ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
if (!SSL_CTX_set_min_proto_version(
context->tls_ctx, TLS1_2_VERSION)) {
# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
fprintf(stderr, "SSL_CTX_set_min_proto_version(%d)\n", context->tls_min_version);
if (!SSL_CTX_set_min_proto_version(context->tls_ctx,
_getdns_tls_version2openssl_version(context->tls_min_version))) {
SSL_CTX_free(context->tls_ctx);
context->tls_ctx = NULL;
return GETDNS_RETURN_BAD_CONTEXT;
}
if (context->tls_max_version
&& !SSL_CTX_set_max_proto_version(context->tls_ctx,
_getdns_tls_version2openssl_version(context->tls_max_version))) {
SSL_CTX_free(context->tls_ctx);
context->tls_ctx = NULL;
return GETDNS_RETURN_BAD_CONTEXT;
@ -3729,7 +3743,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
context->tls_cipher_list ? context->tls_cipher_list
: _getdns_default_tls_cipher_list))
return GETDNS_RETURN_BAD_CONTEXT;
# if defined(HAVE_DECL_SSL_CTX_SET_CIPHERSUITES) && HAVE_DECL_SSL_CTX_SET_CIPHERSUITES
# ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (!SSL_CTX_set_ciphersuites(context->tls_ctx,
context->tls_ciphersuites ? context->tls_ciphersuites
: _getdns_default_tls_ciphersuites))
@ -4083,6 +4097,12 @@ _get_context_settings(getdns_context* context)
(void) getdns_dict_util_set_string(result, "tls_ciphersuites", str_value);
if (!getdns_context_get_tls_curves_list(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "tls_curves_list", str_value);
if (context->tls_min_version)
(void) getdns_dict_set_int( result, "tls_min_version"
, context->tls_min_version);
if (context->tls_max_version)
(void) getdns_dict_set_int( result, "tls_max_version"
, context->tls_max_version);
/* Default settings for extensions */
(void)getdns_dict_set_int(
@ -4701,6 +4721,16 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
d, "tls_curves_list",
upstream->tls_curves_list);
}
if (upstream->tls_min_version) {
(void) getdns_dict_set_int(
d, "tls_min_version",
upstream->tls_min_version);
}
if (upstream->tls_max_version) {
(void) getdns_dict_set_int(
d, "tls_max_version",
upstream->tls_max_version);
}
}
}
if (!r)
@ -4923,6 +4953,8 @@ _getdns_context_config_setting(getdns_context *context,
CONTEXT_SETTING_STRING(tls_cipher_list)
CONTEXT_SETTING_STRING(tls_ciphersuites)
CONTEXT_SETTING_STRING(tls_curves_list)
CONTEXT_SETTING_INT(tls_min_version)
CONTEXT_SETTING_INT(tls_max_version)
/**************************************/
/**** ****/
@ -5580,4 +5612,46 @@ getdns_context_get_tls_curves_list(
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_set_tls_min_version(
getdns_context *context, getdns_tls_version_t tls_min_version)
{
if (!context)
return GETDNS_RETURN_INVALID_PARAMETER;
context->tls_min_version = tls_min_version;
dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_MIN_VERSION);
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_get_tls_min_version(
getdns_context *context, getdns_tls_version_t *tls_min_version)
{
if (!context || !tls_min_version)
return GETDNS_RETURN_INVALID_PARAMETER;
*tls_min_version = context->tls_min_version;
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_set_tls_max_version(
getdns_context *context, getdns_tls_version_t tls_max_version)
{
if (!context)
return GETDNS_RETURN_INVALID_PARAMETER;
context->tls_max_version = tls_max_version;
dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_MAX_VERSION);
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_get_tls_max_version(
getdns_context *context, getdns_tls_version_t *tls_max_version)
{
if (!context || !tls_max_version)
return GETDNS_RETURN_INVALID_PARAMETER;
*tls_max_version = context->tls_max_version;
return GETDNS_RETURN_GOOD;
}
/* context.c */
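Review bot: `_getdns_context_prepare_for_resolution` now executes `fprintf(stderr, "SSL_CTX_set_min_proto_version(%d)\n", context->tls_min_version);` on every call; that is leftover debug output in library code and the line should be removed (the function starts and ends outside this hunk). The new `getdns_context_set_tls_min_version` and `getdns_context_set_tls_max_version` store any value unchecked, yet the header added in this commit documents `GETDNS_RETURN_INVALID_PARAMETER` for an invalid value, and an unknown value is later mapped to `TLS_MAX_VERSION` by `_getdns_tls_version2openssl_version`; adding `if (tls_min_version < GETDNS_SSL3 || tls_min_version > GETDNS_TLS1_3) return GETDNS_RETURN_INVALID_PARAMETER;` (and the equivalent for max, additionally allowing 0 since the context uses 0 as "not set") would make the code match its contract. The same gap exists in `getdns_context_set_upstream_recursive_servers`, where `tls_min_version`/`tls_max_version` read via `getdns_dict_get_int` are assigned from a `uint32_t` straight into the enum fields without a range check. Nothing checks that a configured minimum does not exceed the configured maximum either; if that is left to OpenSSL, a comment saying so would help the next reader.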


@ -200,16 +200,21 @@ typedef struct getdns_upstream {
getdns_network_req *write_queue_last;
_getdns_rbtree_t netreq_by_query_id;
/* TLS specific connection handling*/
/* TLS specific connection handling */
SSL* tls_obj;
SSL_SESSION* tls_session;
getdns_tls_hs_state_t tls_hs_state;
getdns_auth_state_t tls_auth_state;
unsigned tls_fallback_ok : 1;
/* TLS settings */
char *tls_cipher_list;
char *tls_ciphersuites;
char *tls_curves_list;
/* Auth credentials*/
getdns_tls_version_t tls_min_version;
getdns_tls_version_t tls_max_version;
/* Auth credentials */
char tls_auth_name[256];
sha256_pin_t *tls_pubkey_pinset;
@ -353,6 +358,8 @@ struct getdns_context {
char *tls_cipher_list;
char *tls_ciphersuites;
char *tls_curves_list;
getdns_tls_version_t tls_min_version;
getdns_tls_version_t tls_max_version;
getdns_upstreams *upstreams;
uint16_t limit_outstanding_queries;
@ -360,7 +367,7 @@ struct getdns_context {
getdns_tls_authentication_t tls_auth; /* What user requested for TLS*/
getdns_tls_authentication_t tls_auth_min; /* Derived minimum auth allowed*/
uint8_t round_robin_upstreams;
uint16_t max_backoff_value;
uint16_t max_backoff_value;
uint16_t tls_backoff_time;
uint16_t tls_connection_retries;
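Review bot: The new `tls_min_version`/`tls_max_version` fields in both `getdns_upstream` and `getdns_context` are initialised to `(getdns_tls_version_t)0` elsewhere in this commit, but 0 is not a member of `getdns_tls_version_t` (its values start at `GETDNS_SSL3 = 1400`), so the struct should say what the zero value means. A comment such as `/* 0 = not configured; the upstream then keeps the SSL_CTX setting */` on the upstream fields and `/* 0 = no upper limit */` on the context's `tls_max_version` would make the sentinel explicit. The inheritance reading is what the stub.c guard `if (upstream->tls_min_version && ...)` appears to rely on, so confirm that before wording it that way.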


@ -1078,6 +1078,8 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent,
strcmp(item->node.key, "transport") == 0 ||
strcmp(item->node.key, "resolution_type") == 0 ||
strcmp(item->node.key, "tls_authentication") == 0 ||
strcmp(item->node.key, "tls_min_version") == 0 ||
strcmp(item->node.key, "tls_max_version") == 0 ||
/* extensions */
strcmp(item->node.key, "add_warning_for_bad_dns") == 0 ||


@ -104,6 +104,11 @@ extern "C" {
#define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES 635
#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT "Change related to getdns_context_set_tls_ciphersuites"
#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION 636
#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT "Change related to getdns_context_set_tls_min_version"
#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION 637
#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT "Change related to getdns_context_set_tls_max_version"
/** @}
@ -783,6 +788,80 @@ getdns_return_t
getdns_context_set_tls_curves_list(
getdns_context *context, const char *curves_list);
typedef enum getdns_tls_version_t {
GETDNS_SSL3 = 1400,
GETDNS_TLS1 = 1401,
GETDNS_TLS1_1 = 1402,
GETDNS_TLS1_2 = 1403,
GETDNS_TLS1_3 = 1404
} getdns_tls_version_t;
#define GETDNS_SSL3_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
#define GETDNS_TLS1_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
#define GETDNS_TLS1_1_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
#define GETDNS_TLS1_2_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
#define GETDNS_TLS1_3_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
/**
* Configure context for minimum supported TLS version.
* @see getdns_context_set_tls_max_version
* @see getdns_context_get_tls_min_version
* @param context The context to configure
* @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
* GETDNS_TLS1_2, GETDNS_TLS1_3
* @return GETDNS_RETURN_GOOD on success
* @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
* invalid value.
*/
getdns_return_t
getdns_context_set_tls_min_version(
getdns_context *context, getdns_tls_version_t min_version);
/**
* Get configured minimum supported TLS version.
* @see getdns_context_get_tls_max_version
* @see getdns_context_set_tls_min_version
* @param context The context to configure
* @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
* GETDNS_TLS1_2, GETDNS_TLS1_3
* @return GETDNS_RETURN_GOOD on success
* @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
* invalid value.
*/
getdns_return_t
getdns_context_get_tls_min_version(
getdns_context *context, getdns_tls_version_t *min_version);
/**
* Configure context for maximum supported TLS version.
* @see getdns_context_set_tls_min_version
* @see getdns_context_get_tls_max_version
* @param context The context to configure
* @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
* GETDNS_TLS1_2, GETDNS_TLS1_3
* @return GETDNS_RETURN_GOOD on success
* @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
* invalid value.
*/
getdns_return_t
getdns_context_set_tls_max_version(
getdns_context *context, getdns_tls_version_t max_version);
/**
* Get configured maximum supported TLS version.
* @see getdns_context_get_tls_min_version
* @see getdns_context_set_tls_max_version
* @param context The context to configure
* @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
* GETDNS_TLS1_2, GETDNS_TLS1_3
* @return GETDNS_RETURN_GOOD on success
* @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
* invalid value.
*/
getdns_return_t
getdns_context_get_tls_max_version(
getdns_context *context, getdns_tls_version_t *max_version);
/**
* Get the current resolution type setting from this context.
* @see getdns_context_set_resolution_type
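Review bot: The four Doxygen blocks are near-copies and the getter ones are wrong as a result: `getdns_context_get_tls_min_version` and `getdns_context_get_tls_max_version` document `@param context The context to configure` and an `INVALID_PARAMETER` return for a value with "an invalid value", whereas the implementation in this commit returns `GETDNS_RETURN_INVALID_PARAMETER` only when `context` or the output pointer is NULL; `@param min_version Receives the configured minimum version` and `@return GETDNS_RETURN_INVALID_PARAMETER if context or min_version is NULL` would describe what the code does. The setter docs should also state the defaults visible in this commit — the context initialises `tls_min_version` to `GETDNS_TLS1_2` and leaves `tls_max_version` unset — and that choosing a lower minimum re-enables older, deprecated protocol versions that the TLS 1.2 default excludes, so callers understand the impact of the setting. The header names the parameters `min_version`/`max_version` while context.c uses `tls_min_version`/`tls_max_version`; harmless in C, but aligning them keeps the generated documentation consistent with the source.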


@ -1,6 +1,7 @@
getdns_address
getdns_address_sync
getdns_cancel_callback
getdns_context_
getdns_context_config
getdns_context_create
getdns_context_create_with_extended_memory_functions
@ -36,8 +37,11 @@ getdns_context_get_tls_backoff_time
getdns_context_get_tls_ca_file
getdns_context_get_tls_ca_path
getdns_context_get_tls_cipher_list
getdns_context_get_tls_ciphersuites
getdns_context_get_tls_connection_retries
getdns_context_get_tls_curves_list
getdns_context_get_tls_max_version
getdns_context_get_tls_min_version
getdns_context_get_tls_query_padding_blocksize
getdns_context_get_trust_anchors_url
getdns_context_get_trust_anchors_verify_CA
@ -80,8 +84,11 @@ getdns_context_set_tls_backoff_time
getdns_context_set_tls_ca_file
getdns_context_set_tls_ca_path
getdns_context_set_tls_cipher_list
getdns_context_set_tls_ciphersuites
getdns_context_set_tls_connection_retries
getdns_context_set_tls_curves_list
getdns_context_set_tls_max_version
getdns_context_set_tls_min_version
getdns_context_set_tls_query_padding_blocksize
getdns_context_set_trust_anchors_url
getdns_context_set_trust_anchors_verify_CA
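Review bot: The line `getdns_context_` added at the top of the export list is a truncated symbol name; nothing in this commit defines a function by that name, so it looks like an editing leftover and should be removed before the symbols file is used to build the shared library's export map. The remaining additions match the functions declared in getdns_extra.h.in in this commit.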


@ -14,7 +14,7 @@ cat > const-info.c << END_OF_HEAD
static struct const_info consts_info[] = {
{ -1, NULL, "/* <unknown getdns value> */" },
END_OF_HEAD
gawk '/^[ ]+GETDNS_[A-Z_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z_]+[ ]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/ && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
gawk '/^[ ]+GETDNS_[A-Z0-9_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z0-9_]+[ ]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/ && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z0-9_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
cat >> const-info.c << END_OF_TAIL
};
@ -49,7 +49,7 @@ getdns_get_errorstr_by_id(uint16_t err)
static struct const_name_info consts_name_info[] = {
END_OF_TAIL
gawk '/^[ ]+GETDNS_[A-Z_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z_]+[ ]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
gawk '/^[ ]+GETDNS_[A-Z0-9_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z0-9_]+[ ]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z0-9_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
cat >> const-info.c << END_OF_TAIL
};


@ -931,8 +931,50 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
return NULL;
}
#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
if (upstream->tls_curves_list)
(void) SSL_set1_curves_list(ssl, upstream->tls_curves_list);
if (upstream->tls_curves_list
&& !SSL_set1_curves_list(ssl, upstream->tls_curves_list)) {
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
GETDNS_LOG_ERR, "%-40s : Error configuring tls_curves_list"
"\"%s\"\n", upstream->addr_str, upstream->tls_curves_list);
}
#endif
#ifdef HAVE_SSL_SET_CIPHERSUITES
if (upstream->tls_ciphersuites &&
!SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) {
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
GETDNS_LOG_ERR, "%-40s : Error configuring tls_ciphersuites "
"\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
}
#endif
#ifdef defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
if (upstream->tls_min_version && !SSL_set_min_proto_version(ssl,
_getdns_tls_version2openssl_version(upstream->tls_min_version))) {
struct const_info *ci = _getdns_get_const_info(int value);
if (ci && *ci->name)
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
GETDNS_LOG_ERR, "%-40s : Error configuring "
"tls_min_version \"%s\"\n", upstream->addr_str,
ci->name);
else
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
GETDNS_LOG_ERR, "%-40s : Error configuring "
"tls_min_version \"%d\"\n", upstream->addr_str,
upstream->tls_min_version);
}
if (upstream->tls_max_version && !SSL_set_max_proto_version(ssl,
_getdns_tls_version2openssl_version(upstream->tls_max_version))) {
struct const_info *ci = _getdns_get_const_info(int value);
if (ci && *ci->name)
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
GETDNS_LOG_ERR, "%-40s : Error configuring "
"tls_max_version \"%s\"\n", upstream->addr_str,
ci->name);
else
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
GETDNS_LOG_ERR, "%-40s : Error configuring "
"tls_max_version \"%d\"\n", upstream->addr_str,
upstream->tls_max_version);
}
#endif
/* make sure we'll be able to find the context again when we need it */
if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) {
@ -1016,14 +1058,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS,
__FUNC__);
}
#if defined(HAVE_DECL_SSL_SET_CIPHERSUITES) && HAVE_DECL_SSL_SET_CIPHERSUITES
if (upstream->tls_ciphersuites &&
!SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) {
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
GETDNS_LOG_ERR, "%-40s : Error configuring ciphersuites "
"\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
}
#endif
#if defined(HAVE_SSL_DANE_ENABLE)
int osr;
# if defined(STUB_DEBUG) && STUB_DEBUG
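Review bot: The new min/max version block in `tls_create_object` cannot compile as written: `#ifdef defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && ...` is not valid preprocessor syntax (`#ifdef` takes a single macro name and gcc/clang reject `defined` there; the sibling guards on this page use `#if defined(...) && ...`), and both `_getdns_get_const_info(int value)` calls are placeholders rather than arguments. Because the malformed `#ifdef` is a hard error rather than a silently false condition, every build is affected, not just ones with the OpenSSL feature. Separately, the tls_curves_list message `"... Error configuring tls_curves_list" "\"%s\"\n"` lacks the space before the quoted value that the ciphersuites message has. Note that when `SSL_set_min_proto_version`/`SSL_set_max_proto_version` fail the code only logs and continues, so the connection presumably proceeds with the SSL_CTX limits; that fallback is worth stating in a comment above the block. `tls_create_object` begins and ends outside this hunk.
```c
#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
	/* On failure the SSL object keeps the SSL_CTX limits; only log. */
	if (upstream->tls_min_version && !SSL_set_min_proto_version(ssl,
	    _getdns_tls_version2openssl_version(upstream->tls_min_version))) {
		struct const_info *ci = _getdns_get_const_info(upstream->tls_min_version);
		/* … unchanged: tls_min_version error logging … */
	}
	if (upstream->tls_max_version && !SSL_set_max_proto_version(ssl,
	    _getdns_tls_version2openssl_version(upstream->tls_max_version))) {
		struct const_info *ci = _getdns_get_const_info(upstream->tls_max_version);
		/* … unchanged: tls_max_version error logging … */
	}
#endif
```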


@ -218,5 +218,19 @@ INLINE uint64_t _getdns_ms_until_expiry2(uint64_t expires, uint64_t *now_ms)
return *now_ms >= expires ? 0 : expires - *now_ms;
}
# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
INLINE int _getdns_tls_version2openssl_version(getdns_tls_version_t v)
{
switch (v) {
case GETDNS_SSL3 : return SSL3_VERSION;
case GETDNS_TLS1 : return TLS1_VERSION;
case GETDNS_TLS1_1: return TLS1_1_VERSION;
case GETDNS_TLS1_2: return TLS1_2_VERSION;
case GETDNS_TLS1_3: return TLS1_3_VERSION;
default : return TLS_MAX_VERSION;
}
}
# endif
#endif
/* util-internal.h */
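Review bot: `_getdns_tls_version2openssl_version` references `TLS1_3_VERSION` unconditionally, but the guard it sits under only requires `SSL_set_min_proto_version`, which I believe OpenSSL releases without TLS 1.3 support (1.1.0) also provide, so on such a build the `GETDNS_TLS1_3` case fails to compile; wrapping it as `#ifdef TLS1_3_VERSION` / `case GETDNS_TLS1_3: return TLS1_3_VERSION;` / `#endif` keeps the helper buildable there. The `default` branch maps any out-of-range value to `TLS_MAX_VERSION`, which for a bogus `tls_min_version` pins the connection to the newest version only and for a bogus `tls_max_version` means no limit at all; a comment stating that callers are expected to validate the enum value before calling (or that this asymmetric fallback is intended) would make that contract visible. The `#endif` on the last line closes a guard that starts outside this hunk.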