diff --git a/src/context.c b/src/context.c
index 00c685ce..94a88f72 100644
--- a/src/context.c
+++ b/src/context.c
@@ -515,6 +515,7 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 ; upstreams->count
 ; upstreams->count--, upstream++ ) {
+ sha256_pin_t *pin = upstream->tls_pubkey_pinset;
 if (upstream->loop && ( upstream->event.read_cb
 || upstream->event.write_cb
 || upstream->event.timeout_cb) ) {
@@ -530,6 +531,12 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 }
 if (upstream->fd != -1)
 close(upstream->fd);
+ while (pin) {
+ sha256_pin_t *nextpin = pin->next;
+ GETDNS_FREE(upstreams->mf, pin);
+ pin = nextpin;
+ }
+ upstream->tls_pubkey_pinset = NULL;
 }
 GETDNS_FREE(upstreams->mf, upstreams);
 }
@@ -669,6 +676,7 @@ upstream_init(getdns_upstream *upstream,
 upstream->tls_hs_state = GETDNS_HS_NONE;
 upstream->tls_auth_failed = 0;
 upstream->tls_auth_name[0] = '\0';
+ upstream->tls_pubkey_pinset = NULL;
 upstream->tcp.write_error = 0;
 upstream->loop = NULL;
 (void) getdns_eventloop_event_init(
diff --git a/src/context.h b/src/context.h
index 264cb687..729962ac 100644
--- a/src/context.h
+++ b/src/context.h
@@ -102,6 +102,12 @@ typedef struct getdns_tsig_info {
 const getdns_tsig_info *_getdns_get_tsig_info(getdns_tsig_algo tsig_alg);
+/* for doing public key pinning of TLS-capable upstreams: */
+typedef struct sha256_pin {
+ char pin[SHA256_DIGEST_LENGTH];
+ struct sha256_pin *next;
+} sha256_pin_t;
 typedef struct getdns_upstream {
 /* backpointer to containing upstreams structure */
 struct getdns_upstreams *upstreams;
@@ -126,6 +132,7 @@ typedef struct getdns_upstream {
 getdns_tcp_state tcp;
 char tls_auth_name[256];
 size_t tls_auth_failed;
+ sha256_pin_t *tls_pubkey_pinset;
 /* Pipelining of TCP network requests */
 getdns_network_req *write_queue;
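Review bot: `pin` is declared at the top of the per-upstream loop body (the @@ -515 hunk) but is only used by the freeing loop in the @@ -530 hunk, after the event-loop cleanup and close(); declaring it next to its use keeps scope tight and stops a reader from assuming the intervening cleanup touches it: `sha256_pin_t *pin = upstream->tls_pubkey_pinset;` placed directly before `while (pin) {`, with the earlier declaration dropped. The free loop itself is sound and resets `tls_pubkey_pinset` to NULL, which prevents a later double free through this path. Whether each getdns_upstream owns a private list is not visible here; if upstream entries are ever copied (for example when the upstreams array is grown) with the pointer duplicated, two entries would free the same nodes, so the allocation and copy sites should be checked for that. _getdns_upstreams_dereference's body begins before the first hunk and the refcount logic that guards this loop is outside it.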
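Review bot: `char pin[SHA256_DIGEST_LENGTH]` in the new sha256_pin struct stores raw digest bytes in a type whose signedness is implementation-defined; raw octets are conventionally `unsigned char` (which is also what OpenSSL's digest routines write), so `unsigned char pin[SHA256_DIGEST_LENGTH];` avoids sign-extension surprises if a byte is ever printed with `%02x` or compared as an integer. The comment above the typedef should also state the stored form so a caller does not copy a base64 pin string into a 32-byte array, e.g. `/* raw SHA-256 digest (binary, not base64) of the upstream's pinned public key; */` — I am inferring that the digest is over the public key from the existing comment, so adjust if the input differs. `SHA256_DIGEST_LENGTH` is an OpenSSL macro and the hunk shows no include for it; context.h should include the header that defines it rather than rely on include order in each .c file.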
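Review bot: The new `tls_pubkey_pinset` member of getdns_upstream carries no ownership note, while the context.c hunk frees the whole list with `GETDNS_FREE(upstreams->mf, ...)` in _getdns_upstreams_dereference; documenting that here keeps the two sides in agreement: `sha256_pin_t *tls_pubkey_pinset; /* owned by this upstream; list freed in _getdns_upstreams_dereference */`. It would also be worth stating that NULL means no pins are configured, since upstream_init now sets it to NULL explicitly.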