From 511dfc75ef8aaf7c2b516c7a8e8ce6fb8931788e Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Fri, 7 Dec 2018 11:11:33 +0000
Subject: [PATCH] Implement _getdns_tls_context_set_min_proto_1_2().

Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake. This means we need to access the context from a connection, so add a pointer to the context to the connection.
---
 src/gnutls/tls-internal.h | 5 ++++-
 src/gnutls/tls.c | 12 ++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index 2b76d564..15115b4d 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -34,6 +34,8 @@
 #ifndef _GETDNS_TLS_INTERNAL_H
 #define _GETDNS_TLS_INTERNAL_H
+#include
+
 #include
 #include
@@ -52,13 +54,14 @@
 typedef struct _getdns_tls_context {
- int unused;
+ bool min_proto_1_2;
 } _getdns_tls_context;
 typedef struct _getdns_tls_connection {
 gnutls_session_t tls;
 gnutls_certificate_credentials_t cred;
 int shutdown;
+ _getdns_tls_context* ctx;
 } _getdns_tls_connection;
 typedef struct _getdns_tls_session {
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 2d515b3a..5a2b6c94 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -95,6 +95,7 @@ _getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
 if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context)))
 return NULL;
+ res->min_proto_1_2 = false;
 return res;
 }
@@ -113,7 +114,9 @@ void _getdns_tls_context_dane_init(_getdns_tls_context* ctx)
 getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx)
 {
- (void) ctx;
+ if (!ctx)
+ return GETDNS_RETURN_INVALID_PARAMETER;
+ ctx->min_proto_1_2 = true;
 return GETDNS_RETURN_NOT_IMPLEMENTED;
 }
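Review bot: The new `_getdns_tls_context* ctx` member of `_getdns_tls_connection` carries no ownership or lifetime statement, and nothing in this diff frees or reference-counts it, so it reads as a borrowed pointer that must outlive the connection. Add a comment on the field, `/* Borrowed, not owned: the context must outlive every connection created from it. */`, so that a later change to the context's free routine does not silently leave handshakes dereferencing a freed context. The same applies at the single assignment `res->ctx = ctx;` in `_getdns_tls_connection_new()` in tls.c.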
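Review bot: `_getdns_tls_context_set_min_proto_1_2()` now records the flag in `ctx->min_proto_1_2` but still returns `GETDNS_RETURN_NOT_IMPLEMENTED`, so a caller that checks the result will conclude the version floor was not applied and may fall back or fail, even though `_getdns_tls_connection_do_handshake()` will enforce it. Unless the not-implemented result is meant to stay until the floor is applied to the GnuTLS priority string as well, change the last line to `return GETDNS_RETURN_GOOD;`. If the current result is deliberate, say why in a comment above the return so the mismatch between the stored flag and the reported status is not mistaken for a bug.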
@@ -157,6 +160,7 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 return NULL;
 res->shutdown = 0;
+ res->ctx = ctx;
 r = gnutls_certificate_allocate_credentials(&res->cred);
 if (r == GNUTLS_E_SUCCESS)
@@ -270,8 +274,12 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
 return GETDNS_RETURN_INVALID_PARAMETER;
 r = gnutls_handshake(conn->tls);
- if (r == GNUTLS_E_SUCCESS)
+ if (r == GNUTLS_E_SUCCESS) {
+ if (conn->ctx->min_proto_1_2 &&
+ gnutls_protocol_get_version(conn->tls) < GNUTLS_TLS1_2)
+ return GETDNS_RETURN_GENERIC_ERROR;
 return GETDNS_RETURN_GOOD;
+ }
 else
 return error_may_want_read_write(conn, r);
 }
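Review bot: `res->ctx = ctx;` stores the caller's context pointer without checking it, and the handshake hunk below dereferences `conn->ctx->min_proto_1_2` unconditionally, so a NULL `ctx` passed here becomes a crash at handshake time instead of an early error. The start of `_getdns_tls_connection_new()` is outside the hunk; if it does not already validate `ctx` alongside `mfs`, add `if (!ctx) return NULL;` before the allocation. Either way the function's documentation should state that `ctx` is required and must stay valid for the connection's lifetime.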
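Review bot: The version floor is enforced only after `gnutls_handshake()` has returned `GNUTLS_E_SUCCESS`, so a peer is allowed to negotiate TLS 1.0 or 1.1 to completion, session keys and all, before the connection is rejected; the robust place to apply `min_proto_1_2` is before the handshake, by excluding the older versions from the session's GnuTLS priority string (the `-VERS-TLS1.0:-VERS-TLS1.1` priority elements) so that a lower version can never be negotiated, with this check kept as a secondary assertion. On the rejection path the function returns `GETDNS_RETURN_GENERIC_ERROR` but leaves the established session as it is, with `conn->shutdown` untouched, so the caller has to recognise the generic code and close the connection itself; a dedicated return value would let callers tell a policy failure from a transport failure. The `<` comparison also relies on the ordering of `gnutls_protocol_t`; as far as I recall, the DTLS and unknown-version enumerators sort above `GNUTLS_TLS1_2`, so the test is only meaningful for TLS sessions, which deserves a one-line comment on the condition. `_getdns_tls_connection_do_handshake()` begins outside the hunk.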