diff --git a/ChangeLog b/ChangeLog index 0c366782..cc3cf584 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,15 @@ * 2018-0?-??: Version 1.4.3 + * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130: + Configurable minimum and maximum TLS versions with + getdns_context_set_tls_min_version() and + getdns_context_set_tls_max_version() functions and + tls_min_version and tls_max_version configuration parameters + for upstreams. + * Configurable TLS1.3 ciphersuites with the + getdns_context_set_tls_ciphersuites() function and + tls_ciphersuites config parameter for upstreams. + * Bugfix in upstream string configurations: tls_cipher_list and + tls_curve_list * Bugfix finding signer for validating NSEC and NSEC3s, which caused trouble with the partly tracing DNSSEC from the root up, introduced in 1.4.2. Thanks Philip Homburg diff --git a/configure.ac b/configure.ac index 9ce45a81..9d12285a 100644 --- a/configure.ac +++ b/configure.ac 
@@ -417,8 +417,8 @@ fi AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter]) -AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_CTX_set_ciphersuites,SSL_set_ciphersuites], [], [], [ +AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites]) +AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H #include diff --git a/src/const-info.c b/src/const-info.c index b4dde28d..3b9918bc 100644 --- a/src/const-info.c +++ b/src/const-info.c 
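Review bot: The new AC_CHECK_DECLS entries are `SSL_set_min_proto_version` and `SSL_get_min_proto_version`, but the code this commit adds under the resulting `HAVE_DECL_SSL_SET_MIN_PROTO_VERSION` guard calls `SSL_CTX_set_min_proto_version`, `SSL_CTX_set_max_proto_version` and `SSL_set_max_proto_version` (context.c and stub.c), and `SSL_get_min_proto_version` is not used anywhere on this page. In OpenSSL 1.1.x these are macros, which is presumably why the AC_CHECK_FUNCS entry for `SSL_CTX_set_min_proto_version` kept in the same list cannot detect them, so the two checks can disagree. I would check the declarations that are actually used, e.g. `AC_CHECK_DECLS([...,SSL_CTX_set_min_proto_version,SSL_CTX_set_max_proto_version,SSL_set_min_proto_version,SSL_set_max_proto_version], [], [], [`, and drop the dead `SSL_CTX_set_min_proto_version` from AC_CHECK_FUNCS.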
@@ -94,6 +94,8 @@ static struct const_info consts_info[] = { { 633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT }, { 634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT }, { 635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT }, + { 636, "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT }, + { 637, "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT }, { 699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, @@ -116,6 +118,11 @@ static struct const_info consts_info[] = { { 1202, "GETDNS_TRANSPORT_TLS", GETDNS_TRANSPORT_TLS_TEXT }, { 1300, "GETDNS_AUTHENTICATION_NONE", GETDNS_AUTHENTICATION_NONE_TEXT }, { 1301, "GETDNS_AUTHENTICATION_REQUIRED", GETDNS_AUTHENTICATION_REQUIRED_TEXT }, + { 1400, "GETDNS_SSL3", GETDNS_SSL3_TEXT }, + { 1401, "GETDNS_TLS1", GETDNS_TLS1_TEXT }, + { 1402, "GETDNS_TLS1_1", GETDNS_TLS1_1_TEXT }, + { 1403, "GETDNS_TLS1_2", GETDNS_TLS1_2_TEXT }, + { 1404, "GETDNS_TLS1_3", GETDNS_TLS1_3_TEXT }, { 4096, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT }, }; @@ -195,6 +202,8 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 }, { "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 }, { "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", 634 }, + { "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", 637 }, + { "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", 636 }, { "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 }, { "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 }, { "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", 626 }, 
@@ -281,6 +290,7 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_RRCLASS_IN", 1 }, { "GETDNS_RRCLASS_NONE", 254 }, { "GETDNS_RRTYPE_A", 1 }, + { "GETDNS_RRTYPE_A6", 38 }, { "GETDNS_RRTYPE_AAAA", 28 }, { "GETDNS_RRTYPE_AFSDB", 18 }, { "GETDNS_RRTYPE_ANY", 255 }, @@ -301,6 +311,8 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_RRTYPE_DOA", 259 }, { "GETDNS_RRTYPE_DS", 43 }, { "GETDNS_RRTYPE_EID", 31 }, + { "GETDNS_RRTYPE_EUI48", 108 }, + { "GETDNS_RRTYPE_EUI64", 109 }, { "GETDNS_RRTYPE_GID", 102 }, { "GETDNS_RRTYPE_GPOS", 27 }, { "GETDNS_RRTYPE_HINFO", 13 }, @@ -310,6 +322,8 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_RRTYPE_IXFR", 251 }, { "GETDNS_RRTYPE_KEY", 25 }, { "GETDNS_RRTYPE_KX", 36 }, + { "GETDNS_RRTYPE_L32", 105 }, + { "GETDNS_RRTYPE_L64", 106 }, { "GETDNS_RRTYPE_LOC", 29 }, { "GETDNS_RRTYPE_LP", 107 }, { "GETDNS_RRTYPE_MAILA", 254 }, @@ -329,6 +343,8 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_RRTYPE_NSAP", 22 }, { "GETDNS_RRTYPE_NSAP_PTR", 23 }, { "GETDNS_RRTYPE_NSEC", 47 }, + { "GETDNS_RRTYPE_NSEC3", 50 }, + { "GETDNS_RRTYPE_NSEC3PARAM", 51 }, { "GETDNS_RRTYPE_NULL", 10 }, { "GETDNS_RRTYPE_NXT", 30 }, { "GETDNS_RRTYPE_OPENPGPKEY", 61 }, @@ -357,6 +373,12 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_RRTYPE_UNSPEC", 103 }, { "GETDNS_RRTYPE_URI", 256 }, { "GETDNS_RRTYPE_WKS", 11 }, + { "GETDNS_RRTYPE_X25", 19 }, + { "GETDNS_SSL3", 1400 }, + { "GETDNS_TLS1", 1401 }, + { "GETDNS_TLS1_1", 1402 }, + { "GETDNS_TLS1_2", 1403 }, + { "GETDNS_TLS1_3", 1404 }, { "GETDNS_TRANSPORT_TCP", 1201 }, { "GETDNS_TRANSPORT_TCP_ONLY", 542 }, { "GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN", 543 }, diff --git a/src/context.c b/src/context.c index 322bfb5b..d79d7876 100644 --- a/src/context.c +++ b/src/context.c 
@@ -1079,6 +1079,8 @@ upstream_init(getdns_upstream *upstream, upstream->tls_cipher_list = NULL; upstream->tls_ciphersuites = NULL; upstream->tls_curves_list = NULL; + upstream->tls_min_version = (getdns_tls_version_t)0; + upstream->tls_max_version = (getdns_tls_version_t)0; upstream->transport = GETDNS_TRANSPORT_TCP; upstream->tls_hs_state = GETDNS_HS_NONE; upstream->tls_auth_name[0] = '\0'; @@ -1597,6 +1599,8 @@ getdns_context_create_with_extended_memory_functions( result->tls_cipher_list = NULL; result->tls_ciphersuites = NULL; result->tls_curves_list = NULL; + result->tls_min_version = GETDNS_TLS1_2; + result->tls_max_version = (getdns_tls_version_t)0; (void) memset(&result->root_ksk, 0, sizeof(result->root_ksk)); @@ -3090,6 +3094,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, getdns_bindata *tls_cipher_list = NULL; getdns_bindata *tls_ciphersuites = NULL; getdns_bindata *tls_curves_list = NULL; + uint32_t tls_version; if ((r = getdns_dict_get_bindata( dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) { @@ -3137,16 +3142,17 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, (void) getdns_dict_get_bindata( dict, "tls_curves_list", &tls_curves_list); if (tls_curves_list) { -#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST upstream->tls_curves_list = _getdns_strdup2(&upstreams->mf , tls_curves_list); -#else - freeaddrinfo(ai); - goto not_implemented; -#endif } else upstream->tls_curves_list = NULL; + if (!getdns_dict_get_int( + dict, "tls_min_version", &tls_version)) + upstream->tls_min_version = tls_version; + if (!getdns_dict_get_int( + dict, "tls_max_version", &tls_version)) + upstream->tls_max_version = tls_version; } if ((upstream->tsig_alg = tsig_alg)) { if (tsig_name) { 
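Review bot: In the `tls_min_version`/`tls_max_version` branch at the end of the 3137 hunk the dict integer is stored into the enum field without a range check, so any value a caller puts in the upstream dict is accepted; `_getdns_tls_version2openssl_version()` (util-internal.h in this commit) maps everything it does not recognise to `TLS_MAX_VERSION`, so e.g. `tls_min_version: 1` silently becomes "newest protocol version only" instead of an error. Only `GETDNS_SSL3`..`GETDNS_TLS1_3` (1400–1404) are meaningful, so I would reject the rest up front with `if (tls_version < GETDNS_SSL3 || tls_version > GETDNS_TLS1_3)` for both keys and leave through the function's existing error path with `freeaddrinfo(ai)` and `GETDNS_RETURN_INVALID_PARAMETER`, the way the removed curves-list branch left via `freeaddrinfo(ai); goto not_implemented;`. The enclosing `getdns_context_set_upstream_recursive_servers()` starts before and continues past this hunk.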
@@ -3715,9 +3721,17 @@ _getdns_context_prepare_for_resolution(getdns_context *context) if(context->tls_ctx == NULL) return GETDNS_RETURN_BAD_CONTEXT; -# ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION - if (!SSL_CTX_set_min_proto_version( - context->tls_ctx, TLS1_2_VERSION)) { +# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION + fprintf(stderr, "SSL_CTX_set_min_proto_version(%d)\n", context->tls_min_version); + if (!SSL_CTX_set_min_proto_version(context->tls_ctx, + _getdns_tls_version2openssl_version(context->tls_min_version))) { + SSL_CTX_free(context->tls_ctx); + context->tls_ctx = NULL; + return GETDNS_RETURN_BAD_CONTEXT; + } + if (context->tls_max_version + && !SSL_CTX_set_max_proto_version(context->tls_ctx, + _getdns_tls_version2openssl_version(context->tls_max_version))) { SSL_CTX_free(context->tls_ctx); context->tls_ctx = NULL; return GETDNS_RETURN_BAD_CONTEXT; @@ -3729,7 +3743,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context) context->tls_cipher_list ? context->tls_cipher_list : _getdns_default_tls_cipher_list)) return GETDNS_RETURN_BAD_CONTEXT; -# if defined(HAVE_DECL_SSL_CTX_SET_CIPHERSUITES) && HAVE_DECL_SSL_CTX_SET_CIPHERSUITES +# ifdef HAVE_SSL_CTX_SET_CIPHERSUITES if (!SSL_CTX_set_ciphersuites(context->tls_ctx, context->tls_ciphersuites ? context->tls_ciphersuites : _getdns_default_tls_ciphersuites)) @@ -4083,6 +4097,12 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "tls_ciphersuites", str_value); if (!getdns_context_get_tls_curves_list(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "tls_curves_list", str_value); + if (context->tls_min_version) + (void) getdns_dict_set_int( result, "tls_min_version" + , context->tls_min_version); + if (context->tls_max_version) + (void) getdns_dict_set_int( result, "tls_max_version" + , context->tls_max_version); /* Default settings for extensions */ (void)getdns_dict_set_int( 
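Review bot: The `fprintf(stderr, "SSL_CTX_set_min_proto_version(%d)\n", context->tls_min_version);` added in the 3715 hunk is debug output written to stderr from library code on every `_getdns_context_prepare_for_resolution()` call and should be removed or moved behind the file's `DEBUG_*` macros. In the same hunk, `context->tls_min_version` is passed to `_getdns_tls_version2openssl_version()` unconditionally while the max branch is guarded by `context->tls_max_version &&`; since the helper's `default` case returns `TLS_MAX_VERSION`, a context whose minimum was set to 0 (the "unset" value `upstream_init` uses, reachable through `getdns_context_set_tls_min_version()` which does not validate) ends up accepting only the newest protocol version rather than failing. The guard `HAVE_DECL_SSL_SET_MIN_PROTO_VERSION` is also configure's check for `SSL_set_min_proto_version`, not for the `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` calls it protects, and the max variant is not checked in configure.ac at all.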
@@ -4701,6 +4721,16 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context, d, "tls_curves_list", upstream->tls_curves_list); } + if (upstream->tls_min_version) { + (void) getdns_dict_set_int( + d, "tls_min_version", + upstream->tls_min_version); + } + if (upstream->tls_max_version) { + (void) getdns_dict_set_int( + d, "tls_max_version", + upstream->tls_max_version); + } } } if (!r) @@ -4923,6 +4953,8 @@ _getdns_context_config_setting(getdns_context *context, CONTEXT_SETTING_STRING(tls_cipher_list) CONTEXT_SETTING_STRING(tls_ciphersuites) CONTEXT_SETTING_STRING(tls_curves_list) + CONTEXT_SETTING_INT(tls_min_version) + CONTEXT_SETTING_INT(tls_max_version) /**************************************/ /**** ****/ 
@@ -5580,4 +5612,46 @@ getdns_context_get_tls_curves_list( return GETDNS_RETURN_GOOD; } +getdns_return_t +getdns_context_set_tls_min_version( + getdns_context *context, getdns_tls_version_t tls_min_version) +{ + if (!context) + return GETDNS_RETURN_INVALID_PARAMETER; + context->tls_min_version = tls_min_version; + dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_MIN_VERSION); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_get_tls_min_version( + getdns_context *context, getdns_tls_version_t *tls_min_version) +{ + if (!context || !tls_min_version) + return GETDNS_RETURN_INVALID_PARAMETER; + *tls_min_version = context->tls_min_version; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_set_tls_max_version( + getdns_context *context, getdns_tls_version_t tls_max_version) +{ + if (!context) + return GETDNS_RETURN_INVALID_PARAMETER; + context->tls_max_version = tls_max_version; + dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_MAX_VERSION); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t +getdns_context_get_tls_max_version( + getdns_context *context, getdns_tls_version_t *tls_max_version) +{ + if (!context || !tls_max_version) + return GETDNS_RETURN_INVALID_PARAMETER; + *tls_max_version = context->tls_max_version; + return GETDNS_RETURN_GOOD; +} + /* context.c */ diff --git a/src/context.h b/src/context.h index 5d453c7d..29890928 100644 --- a/src/context.h +++ b/src/context.h 
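Review bot: `getdns_context_set_tls_min_version()` and `getdns_context_set_tls_max_version()` store their argument without checking it, while the Doxygen comments this commit adds in getdns_extra.h.in promise `GETDNS_RETURN_INVALID_PARAMETER` for an invalid value; because `CONTEXT_SETTING_INT(tls_min_version)`/`CONTEXT_SETTING_INT(tls_max_version)` (4923 hunk) feed arbitrary configuration integers through these setters, an out-of-range value lands in the context and is later turned into `TLS_MAX_VERSION` by `_getdns_tls_version2openssl_version()`. I would add, after the null check in each setter, `if (tls_min_version && (tls_min_version < GETDNS_SSL3 || tls_min_version > GETDNS_TLS1_3)) return GETDNS_RETURN_INVALID_PARAMETER;` (keeping 0 as the "unset" value the rest of the commit relies on), and the mirror check for `tls_max_version`. Neither setter rejects a minimum above the configured maximum either, which presumably only surfaces once a handshake fails. Since the old code pinned `TLS1_2_VERSION` and this setter now lets a caller lower the floor to `GETDNS_SSL3`, a comment on the min setter stating that the default is `GETDNS_TLS1_2` and that lowering it weakens every upstream connection would help the next reader.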
@@ -200,16 +200,21 @@ typedef struct getdns_upstream { getdns_network_req *write_queue_last; _getdns_rbtree_t netreq_by_query_id; - /* TLS specific connection handling*/ + /* TLS specific connection handling */ SSL* tls_obj; SSL_SESSION* tls_session; getdns_tls_hs_state_t tls_hs_state; getdns_auth_state_t tls_auth_state; unsigned tls_fallback_ok : 1; + + /* TLS settings */ char *tls_cipher_list; char *tls_ciphersuites; char *tls_curves_list; - /* Auth credentials*/ + getdns_tls_version_t tls_min_version; + getdns_tls_version_t tls_max_version; + + /* Auth credentials */ char tls_auth_name[256]; sha256_pin_t *tls_pubkey_pinset; @@ -353,6 +358,8 @@ struct getdns_context { char *tls_cipher_list; char *tls_ciphersuites; char *tls_curves_list; + getdns_tls_version_t tls_min_version; + getdns_tls_version_t tls_max_version; getdns_upstreams *upstreams; uint16_t limit_outstanding_queries; @@ -360,7 +367,7 @@ struct getdns_context { getdns_tls_authentication_t tls_auth; /* What user requested for TLS*/ getdns_tls_authentication_t tls_auth_min; /* Derived minimum auth allowed*/ uint8_t round_robin_upstreams; - uint16_t max_backoff_value; + uint16_t max_backoff_value; uint16_t tls_backoff_time; uint16_t tls_connection_retries; diff --git a/src/dict.c b/src/dict.c index 0c86cd0f..3a454516 100644 --- a/src/dict.c +++ b/src/dict.c @@ -1078,6 +1078,8 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent, strcmp(item->node.key, "transport") == 0 || strcmp(item->node.key, "resolution_type") == 0 || strcmp(item->node.key, "tls_authentication") == 0 || + strcmp(item->node.key, "tls_min_version") == 0 || + strcmp(item->node.key, "tls_max_version") == 0 || /* extensions */ strcmp(item->node.key, "add_warning_for_bad_dns") == 0 || diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index 83db831f..135c29bb 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in 
@@ -104,6 +104,11 @@ extern "C" { #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list" #define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES 635 #define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT "Change related to getdns_context_set_tls_ciphersuites" +#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION 636 +#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT "Change related to getdns_context_set_tls_min_version" +#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION 637 +#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT "Change related to getdns_context_set_tls_max_version" + /** @} 
@@ -783,6 +788,80 @@ getdns_return_t getdns_context_set_tls_curves_list( getdns_context *context, const char *curves_list); +typedef enum getdns_tls_version_t { + GETDNS_SSL3 = 1400, + GETDNS_TLS1 = 1401, + GETDNS_TLS1_1 = 1402, + GETDNS_TLS1_2 = 1403, + GETDNS_TLS1_3 = 1404 +} getdns_tls_version_t; + +#define GETDNS_SSL3_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()" +#define GETDNS_TLS1_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()" +#define GETDNS_TLS1_1_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()" +#define GETDNS_TLS1_2_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()" +#define GETDNS_TLS1_3_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()" + +/** + * Configure context for minimum supported TLS version. + * @see getdns_context_set_tls_max_version + * @see getdns_context_get_tls_min_version + * @param context The context to configure + * @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1, + * GETDNS_TLS1_2, GETDNS_TLS1_3 + * @return GETDNS_RETURN_GOOD on success + * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an + * invalid value. + */ +getdns_return_t +getdns_context_set_tls_min_version( + getdns_context *context, getdns_tls_version_t min_version); + +/** + * Get configured minimum supported TLS version. + * @see getdns_context_get_tls_max_version + * @see getdns_context_set_tls_min_version + * @param context The context to configure + * @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1, + * GETDNS_TLS1_2, GETDNS_TLS1_3 + * @return GETDNS_RETURN_GOOD on success + * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an + * invalid value. + */ +getdns_return_t +getdns_context_get_tls_min_version( + getdns_context *context, getdns_tls_version_t *min_version); + +/** + * Configure context for maximum supported TLS version. 
+ * @see getdns_context_set_tls_min_version + * @see getdns_context_get_tls_max_version + * @param context The context to configure + * @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1, + * GETDNS_TLS1_2, GETDNS_TLS1_3 + * @return GETDNS_RETURN_GOOD on success + * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an + * invalid value. + */ +getdns_return_t +getdns_context_set_tls_max_version( + getdns_context *context, getdns_tls_version_t max_version); + +/** + * Get configured maximum supported TLS version. + * @see getdns_context_get_tls_min_version + * @see getdns_context_set_tls_max_version + * @param context The context to configure + * @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1, + * GETDNS_TLS1_2, GETDNS_TLS1_3 + * @return GETDNS_RETURN_GOOD on success + * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an + * invalid value. + */ +getdns_return_t +getdns_context_get_tls_max_version( + getdns_context *context, getdns_tls_version_t *max_version); + /** * Get the current resolution type setting from this context. * @see getdns_context_set_resolution_type diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols index ccbff42a..5c3fb52d 100644 --- a/src/libgetdns.symbols +++ b/src/libgetdns.symbols @@ -1,6 +1,7 @@ getdns_address getdns_address_sync getdns_cancel_callback +getdns_context_ getdns_context_config getdns_context_create getdns_context_create_with_extended_memory_functions @@ -36,8 +37,11 @@ getdns_context_get_tls_backoff_time getdns_context_get_tls_ca_file getdns_context_get_tls_ca_path getdns_context_get_tls_cipher_list +getdns_context_get_tls_ciphersuites getdns_context_get_tls_connection_retries getdns_context_get_tls_curves_list +getdns_context_get_tls_max_version +getdns_context_get_tls_min_version getdns_context_get_tls_query_padding_blocksize getdns_context_get_trust_anchors_url getdns_context_get_trust_anchors_verify_CA 
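Review bot: The comment blocks for `getdns_context_get_tls_min_version()` and `getdns_context_get_tls_max_version()` are copied from the setters: `@param context The context to configure` and `@return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an invalid value` do not describe a getter, whose implementation in context.c in this commit returns `GETDNS_RETURN_INVALID_PARAMETER` when the output pointer is null. I would change them to `@param context The context to query`, `@param min_version Set to the configured minimum TLS version` and `@return GETDNS_RETURN_INVALID_PARAMETER if context or min_version is null` (and the same for the max getter). The `getdns_tls_version_t` enum also has no member meaning "no limit", while context.c initialises the maximum to `(getdns_tls_version_t)0`; if users are expected to clear the maximum through the public API, the setter's documentation needs to say how, since nothing in this header does.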
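Review bot: The line `getdns_context_` added at the top of libgetdns.symbols in the first hunk is a truncated name, not an exported function, and looks like an editing leftover. Depending on how the symbol list is consumed by the link step, an unknown symbol is either silently ignored or breaks the build, so the line should be removed. The other additions (`getdns_context_get_tls_ciphersuites`, `getdns_context_set_tls_ciphersuites` and the min/max version getters and setters) do match functions defined on this page.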
@@ -80,8 +84,11 @@ getdns_context_set_tls_backoff_time getdns_context_set_tls_ca_file getdns_context_set_tls_ca_path getdns_context_set_tls_cipher_list +getdns_context_set_tls_ciphersuites getdns_context_set_tls_connection_retries getdns_context_set_tls_curves_list +getdns_context_set_tls_max_version +getdns_context_set_tls_min_version getdns_context_set_tls_query_padding_blocksize getdns_context_set_trust_anchors_url getdns_context_set_trust_anchors_verify_CA diff --git a/src/mk-const-info.c.sh b/src/mk-const-info.c.sh index 3a47c103..5915bc85 100755 --- a/src/mk-const-info.c.sh +++ b/src/mk-const-info.c.sh 
@@ -14,7 +14,7 @@ cat > const-info.c << END_OF_HEAD static struct const_info consts_info[] = { { -1, NULL, "/* */" }, END_OF_HEAD -gawk '/^[ ]+GETDNS_[A-Z_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z_]+[ ]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/ && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c +gawk '/^[ ]+GETDNS_[A-Z0-9_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z0-9_]+[ ]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/ && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z0-9_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c cat >> const-info.c << END_OF_TAIL }; 
@@ -49,7 +49,7 @@ getdns_get_errorstr_by_id(uint16_t err) static struct const_name_info consts_name_info[] = { END_OF_TAIL -gawk '/^[ ]+GETDNS_[A-Z_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z_]+[ ]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c +gawk '/^[ ]+GETDNS_[A-Z0-9_]+[ ]+=[ ]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z0-9_]+[ ]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z0-9_]+[ ]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c cat >> const-info.c << END_OF_TAIL }; diff --git a/src/stub.c b/src/stub.c index d4861a53..f5d59750 100644 --- a/src/stub.c +++ b/src/stub.c 
@@ -931,8 +931,50 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) return NULL; } #if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST - if (upstream->tls_curves_list) - (void) SSL_set1_curves_list(ssl, upstream->tls_curves_list); + if (upstream->tls_curves_list + && !SSL_set1_curves_list(ssl, upstream->tls_curves_list)) { + _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, + GETDNS_LOG_ERR, "%-40s : Error configuring tls_curves_list" + "\"%s\"\n", upstream->addr_str, upstream->tls_curves_list); + } +#endif +#ifdef HAVE_SSL_SET_CIPHERSUITES + if (upstream->tls_ciphersuites && + !SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) { + _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, + GETDNS_LOG_ERR, "%-40s : Error configuring tls_ciphersuites " + "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites); + } +#endif +#ifdef defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION + if (upstream->tls_min_version && !SSL_set_min_proto_version(ssl, + _getdns_tls_version2openssl_version(upstream->tls_min_version))) { + struct const_info *ci = _getdns_get_const_info(int value); + if (ci && *ci->name) + _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, + GETDNS_LOG_ERR, "%-40s : Error configuring " + "tls_min_version \"%s\"\n", upstream->addr_str, + ci->name); + else + _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, + GETDNS_LOG_ERR, "%-40s : Error configuring " + "tls_min_version \"%d\"\n", upstream->addr_str, + upstream->tls_min_version); + } + if (upstream->tls_max_version && !SSL_set_max_proto_version(ssl, + _getdns_tls_version2openssl_version(upstream->tls_max_version))) { + struct const_info *ci = _getdns_get_const_info(int value); + if (ci && *ci->name) + _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, + GETDNS_LOG_ERR, "%-40s : Error configuring " + "tls_max_version \"%s\"\n", upstream->addr_str, + ci->name); + else + 
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, + GETDNS_LOG_ERR, "%-40s : Error configuring " + "tls_max_version \"%d\"\n", upstream->addr_str, + upstream->tls_max_version); + } #endif /* make sure we'll be able to find the context again when we need it */ if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) { @@ -1016,14 +1058,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, __FUNC__); } -#if defined(HAVE_DECL_SSL_SET_CIPHERSUITES) && HAVE_DECL_SSL_SET_CIPHERSUITES - if (upstream->tls_ciphersuites && - !SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) { - _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, - GETDNS_LOG_ERR, "%-40s : Error configuring ciphersuites " - "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites); - } -#endif #if defined(HAVE_SSL_DANE_ENABLE) int osr; # if defined(STUB_DEBUG) && STUB_DEBUG diff --git a/src/util-internal.h b/src/util-internal.h index 3d768de1..529ebce0 100644 --- a/src/util-internal.h +++ b/src/util-internal.h @@ -218,5 +218,19 @@ INLINE uint64_t _getdns_ms_until_expiry2(uint64_t expires, uint64_t *now_ms) return *now_ms >= expires ? 0 : expires - *now_ms; } +# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION +INLINE int _getdns_tls_version2openssl_version(getdns_tls_version_t v) +{ + switch (v) { + case GETDNS_SSL3 : return SSL3_VERSION; + case GETDNS_TLS1 : return TLS1_VERSION; + case GETDNS_TLS1_1: return TLS1_1_VERSION; + case GETDNS_TLS1_2: return TLS1_2_VERSION; + case GETDNS_TLS1_3: return TLS1_3_VERSION; + default : return TLS_MAX_VERSION; + } +} +# endif + #endif /* util-internal.h */
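Review bot: The min/max version block added in the 931 hunk of stub.c does not compile as written: `#ifdef defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION` must be `#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION` (`#ifdef` takes a single macro name), and the two `struct const_info *ci = _getdns_get_const_info(int value);` lines are placeholders that should read `_getdns_get_const_info(upstream->tls_min_version)` and `_getdns_get_const_info(upstream->tls_max_version)` respectively. `SSL_set_max_proto_version` is also used under a guard that configure.ac derives only from `SSL_set_min_proto_version`. When `SSL_set_min_proto_version()` fails the code logs and continues with the context-wide setting, the same log-and-continue pattern the curves and ciphersuites branches use; for a per-upstream minimum that means a stricter floor the operator configured is quietly not applied, so consider failing the connection the way the earlier error paths in this function `return NULL;` (the function starts before and continues past this hunk).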
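Review bot: The `default` branch of `_getdns_tls_version2openssl_version()` maps every unrecognised value — including the 0 this commit uses for "unset" and any out-of-range integer the setters accept — to `TLS_MAX_VERSION`, which for a minimum version silently turns a bad configuration into "newest protocol only" instead of an error. As far as I recall OpenSSL's `*_set_min_proto_version`/`*_set_max_proto_version` reject version numbers they do not know, so returning an out-of-range sentinel such as `default : return -1;` would make those calls fail and let the callers' existing error handling report it. Separately, `TLS1_3_VERSION` exists only from OpenSSL 1.1.1 while the surrounding guard requires only `SSL_set_min_proto_version` (available since 1.1.0), so the `GETDNS_TLS1_3` case should be wrapped in `#ifdef TLS1_3_VERSION` to keep builds against 1.1.0 compiling.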