To aid proof-of-concept work, insist on OpenSSL 1.1.1 or later.

Remove ssl_dane as now surplus to requirements.
Jim Hague 2018-11-16 17:53:08 +00:00
parent 0fd6fd4c5c
commit 5d353d9efb
8 changed files with 12 additions and 278 deletions

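--- a/.gitmodules
+++ b/.gitmodules
@@ -10,7 +10,3 @@
 path = stubby
 url = https://github.com/getdnsapi/stubby.git
 branch = develop
-[submodule "src/ssl_dane"]
-path = src/ssl_dane
-url = https://github.com/getdnsapi/ssl_dane
-branch = getdns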


@ -440,28 +440,24 @@ AC_INCLUDES_DEFAULT
]) ])
fi fi
AC_MSG_CHECKING([whether we need to compile/link DANE support]) AC_MSG_CHECKING([for OpenSSL >= 1.1.1])
DANESSL_XTRA_OBJS=""
AC_LANG_PUSH(C) AC_LANG_PUSH(C)
AC_COMPILE_IFELSE( AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([ [AC_LANG_PROGRAM([
[#include <openssl/opensslv.h>] [#include <openssl/opensslv.h>]
[#if OPENSSL_VERSION_NUMBER < 0x1000000fL] [#if OPENSSL_VERSION_NUMBER < 0x10101000L]
[#error "OpenSSL 1.0.0 or higher required for DANE library"] [#error "OpenSSL 1.1.1 or higher required"]
[#elif defined(HAVE_SSL_DANE_ENABLE)]
[#error "OpenSSL has native DANE support"]
[#elif defined(LIBRESSL_VERSION_NUMBER)] [#elif defined(LIBRESSL_VERSION_NUMBER)]
[#error "dane_ssl library does not work with LibreSSL"] [#error "LibreSSL not supported"]
[#endif] [#endif]
],[[]])], ],[[]])],
[ [
AC_MSG_RESULT([yes]) AC_MSG_RESULT([yes])
AC_DEFINE([USE_DANESSL], [1], [Define this to use DANE functions from the ssl_dane/danessl library.]) ],
DANESSL_XTRA_OBJS="danessl.lo" [
], AC_MSG_ERROR([OpenSSL 1.1.1 or later required])
[AC_MSG_RESULT([no])]) ])
AC_LANG_POP(C) AC_LANG_POP(C)
AC_SUBST(DANESSL_XTRA_OBJS)
AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support])) AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support]))
case "$enable_sha1" in case "$enable_sha1" in
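Review bot: The new threshold `#if OPENSSL_VERSION_NUMBER < 0x10101000L` also admits 1.1.1 pre-release builds, because OpenSSL's MNNFFPPS encoding reserves the last nibble for release status (0x0 dev, 0x1–0xe beta, 0xf final); if the shipped 1.1.1 API is what is meant, the comparison should be against `0x1010100fL`, which is also what `AC_MSG_ERROR([OpenSSL 1.1.1 or later required])` tells the user. The test is also a compile-only check via AC_COMPILE_IFELSE, so it validates the headers and not the library actually linked; a header/library mismatch would only surface later at link or run time. If that matters for the proof-of-concept, an `OpenSSL_version_num()` run-time check would close the gap, with the usual cross-compilation caveat for AC_RUN_IFELSE.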


@ -98,9 +98,8 @@ TLS_OBJ=tls.lo
YXML_OBJ=yxml.lo YXML_OBJ=yxml.lo
YAML_OBJ=convert_yaml_to_json.lo YAML_OBJ=convert_yaml_to_json.lo
DANESSL_OBJ=danessl.lo
GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ @DANESSL_XTRA_OBJS@ GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@
STUBBY_XTRA_OBJS=@STUBBY_XTRA_OBJS@ STUBBY_XTRA_OBJS=@STUBBY_XTRA_OBJS@
EXTENSION_OBJ=$(DEFAULT_EVENTLOOP_OBJ) libevent.lo libev.lo EXTENSION_OBJ=$(DEFAULT_EVENTLOOP_OBJ) libevent.lo libev.lo
@ -140,9 +139,6 @@ $(TLS_OBJ):
$(YAML_OBJ): $(YAML_OBJ):
$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@ $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
$(DANESSL_OBJ):
$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WNOERRORFLAG) -c $(srcdir)/ssl_dane/$(@:.lo=.c) -o $@
$(YXML_OBJ): $(YXML_OBJ):
$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -I$(srcdir)/yxml -DYXML_GETDNS -Wno-unused-parameter -c $(srcdir)/yxml/$(@:.lo=.c) -o $@ $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -I$(srcdir)/yxml -DYXML_GETDNS -Wno-unused-parameter -c $(srcdir)/yxml/$(@:.lo=.c) -o $@


@ -82,9 +82,6 @@ typedef unsigned short in_port_t;
#include "list.h" #include "list.h"
#include "dict.h" #include "dict.h"
#include "pubkey-pinning.h" #include "pubkey-pinning.h"
#ifdef USE_DANESSL
# include "ssl_dane/danessl.h"
#endif
#include "const-info.h" #include "const-info.h"
#include "tls.h" #include "tls.h"
@ -599,26 +596,6 @@ upstreams_create(getdns_context *context, size_t size)
} }
#if defined(USE_DANESSL) && defined(STUB_DEBUG) && STUB_DEBUG
static void _stub_debug_print_openssl_errors(void)
{
unsigned long err;
char buffer[1024];
const char *file;
const char *data;
int line;
int flags;
while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
ERR_error_string_n(err, buffer, sizeof(buffer));
if (flags & ERR_TXT_STRING)
DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d:%s\n", buffer, file, line, data);
else
DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d\n", buffer, file, line);
}
}
#endif
void void
_getdns_upstreams_dereference(getdns_upstreams *upstreams) _getdns_upstreams_dereference(getdns_upstreams *upstreams)
{ {
@ -660,12 +637,6 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
if (upstream->tls_obj != NULL) { if (upstream->tls_obj != NULL) {
_getdns_tls_connection_shutdown(upstream->tls_obj); _getdns_tls_connection_shutdown(upstream->tls_obj);
#ifdef USE_DANESSL
# if defined(STUB_DEBUG) && STUB_DEBUG
_stub_debug_print_openssl_errors();
# endif
DANESSL_cleanup(upstream->tls_obj->ssl);
#endif
_getdns_tls_connection_free(upstream->tls_obj); _getdns_tls_connection_free(upstream->tls_obj);
} }
if (upstream->fd != -1) if (upstream->fd != -1)
@ -779,12 +750,6 @@ _getdns_upstream_reset(getdns_upstream *upstream)
} }
if (upstream->tls_obj != NULL) { if (upstream->tls_obj != NULL) {
_getdns_tls_connection_shutdown(upstream->tls_obj); _getdns_tls_connection_shutdown(upstream->tls_obj);
#ifdef USE_DANESSL
# if defined(STUB_DEBUG) && STUB_DEBUG
_stub_debug_print_openssl_errors();
# endif
DANESSL_cleanup(upstream->tls_obj->ssl);
#endif
_getdns_tls_connection_free(upstream->tls_obj); _getdns_tls_connection_free(upstream->tls_obj);
upstream->tls_obj = NULL; upstream->tls_obj = NULL;
} }
@ -3579,7 +3544,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
} }
if (context->tls_ctx == NULL) { if (context->tls_ctx == NULL) {
#ifdef HAVE_TLS_v1_2
context->tls_ctx = _getdns_tls_context_new(); context->tls_ctx = _getdns_tls_context_new();
if (context->tls_ctx == NULL) if (context->tls_ctx == NULL)
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
@ -3608,7 +3572,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED)
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
} }
# if defined(HAVE_SSL_CTX_DANE_ENABLE)
# if defined(STUB_DEBUG) && STUB_DEBUG # if defined(STUB_DEBUG) && STUB_DEBUG
int osr = int osr =
# else # else
@ -3617,22 +3580,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
SSL_CTX_dane_enable(context->tls_ctx->ssl); SSL_CTX_dane_enable(context->tls_ctx->ssl);
DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n" DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
, STUB_DEBUG_SETUP_TLS, __FUNC__, osr); , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
# elif defined(USE_DANESSL)
# if defined(STUB_DEBUG) && STUB_DEBUG
int osr =
# else
(void)
# endif
DANESSL_CTX_init(context->tls_ctx->ssl);
DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n"
, STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
# endif
#else /* HAVE_TLS_v1_2 */
if (tls_only_is_in_transports_list(context) == 1)
return GETDNS_RETURN_BAD_CONTEXT;
/* A null tls_ctx will make TLS fail and fallback to the other
transports will kick-in.*/
#endif /* HAVE_TLS_v1_2 */
} }
} }
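Review bot: In the `@ -3608` / `@ -3617` hunks of `_getdns_context_prepare_for_resolution`, the return value of `SSL_CTX_dane_enable(context->tls_ctx->ssl)` is still only captured in `osr` under `STUB_DEBUG` and otherwise discarded through the `# else` branch, now that the `HAVE_SSL_CTX_DANE_ENABLE` and `HAVE_TLS_v1_2` guards around it are gone. With ssl_dane removed, OpenSSL's DANE support is presumably the only path that enforces a configured pinset, so a failure here would leave the later per-connection DANE setup inoperative without any signal, whereas the `context->tls_ctx == NULL` check a few lines above fails the context outright. Consider treating it the same way, e.g. `if (SSL_CTX_dane_enable(context->tls_ctx->ssl) <= 0) return GETDNS_RETURN_BAD_CONTEXT;` (OpenSSL documents a positive return as success), keeping the `DEBUG_STUB` trace off that result. As a point of style, the surviving `# if defined(STUB_DEBUG) && STUB_DEBUG` / `# else` lines keep the nested-preprocessor indent of the removed outer `#ifdef`, and can be flattened to `#if`/`#else`. The function begins outside these hunks.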


@ -232,15 +232,6 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
BN_free(Y); BN_free(Y);
return NULL; return NULL;
} }
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
#ifndef S_SPLINT_S
dsa->p = P;
dsa->q = Q;
dsa->g = G;
dsa->pub_key = Y;
#endif /* splint */
#else /* OPENSSL_VERSION_NUMBER */
if (!DSA_set0_pqg(dsa, P, Q, G)) { if (!DSA_set0_pqg(dsa, P, Q, G)) {
/* QPG not yet attached, need to free */ /* QPG not yet attached, need to free */
BN_free(Q); BN_free(Q);
@ -257,7 +248,6 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
BN_free(Y); BN_free(Y);
return NULL; return NULL;
} }
#endif
return dsa; return dsa;
} }
@ -310,20 +300,12 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
BN_free(modulus); BN_free(modulus);
return NULL; return NULL;
} }
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
#ifndef S_SPLINT_S
rsa->n = modulus;
rsa->e = exponent;
#endif /* splint */
#else /* OPENSSL_VERSION_NUMBER */
if (!RSA_set0_key(rsa, modulus, exponent, NULL)) { if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
BN_free(exponent); BN_free(exponent);
BN_free(modulus); BN_free(modulus);
RSA_free(rsa); RSA_free(rsa);
return NULL; return NULL;
} }
#endif
return rsa; return rsa;
} }


@ -44,10 +44,6 @@
#include "tls.h" #include "tls.h"
#ifdef USE_DANESSL
# include "ssl_dane/danessl.h"
#endif
static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert) static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert)
{ {
_getdns_tls_x509* res; _getdns_tls_x509* res;
@ -156,19 +152,10 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
void _getdns_tls_init() void _getdns_tls_init()
{ {
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
OpenSSL_add_all_algorithms();
SSL_library_init();
# ifdef USE_DANESSL
(void) DANESSL_library_init();
# endif
#else
OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS
| OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_ADD_ALL_DIGESTS
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
(void)OPENSSL_init_ssl(0, NULL); (void)OPENSSL_init_ssl(0, NULL);
#endif
} }
_getdns_tls_context* _getdns_tls_context_new() _getdns_tls_context* _getdns_tls_context_new()

@ -1 +0,0 @@
Subproject commit dd093e585a237e0321d303ec35e84c393ef739f4


@ -55,9 +55,6 @@
#include "platform.h" #include "platform.h"
#include "general.h" #include "general.h"
#include "pubkey-pinning.h" #include "pubkey-pinning.h"
#ifdef USE_DANESSL
# include "ssl_dane/danessl.h"
#endif
/* WSA TODO: /* WSA TODO:
* STUB_TCP_RETRY added to deal with edge triggered event loops (versus * STUB_TCP_RETRY added to deal with edge triggered event loops (versus
@ -829,9 +826,6 @@ tls_requested(getdns_network_req *netreq)
1 : 0; 1 : 0;
} }
#if defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL)
static int static int
_getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx) _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
{ {
@ -857,64 +851,6 @@ _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
return 1; return 1;
} }
#else /* defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
static int
tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
getdns_upstream *upstream;
getdns_return_t pinset_ret = GETDNS_RETURN_GOOD;
upstream = _getdns_upstream_from_x509_store(ctx);
if (!upstream)
return 0;
int err = X509_STORE_CTX_get_error(ctx);
# if defined(STUB_DEBUG) && STUB_DEBUG
DEBUG_STUB("%s %-35s: FD: %d Verify result: (%d) \"%s\"\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err,
X509_verify_cert_error_string(err));
# endif
if (!preverify_ok && !upstream->tls_fallback_ok)
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
"%-40s : Verify failed: TLS - *Failure* - (%d) \"%s\"\n",
upstream->addr_str, err,
X509_verify_cert_error_string(err));
/* No need to deal with hostname authentication, since this will be
* dealt with in the DANE preprocessor paths.
*/
/* Deal with the pinset validation */
if (upstream->tls_pubkey_pinset)
pinset_ret = _getdns_verify_pinset_match(upstream->tls_pubkey_pinset, ctx);
if (pinset_ret != GETDNS_RETURN_GOOD) {
DEBUG_STUB("%s %-35s: FD: %d, WARNING: Pinset validation failure!\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
preverify_ok = 0;
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
if (upstream->tls_fallback_ok)
DEBUG_STUB("%s %-35s: FD: %d, WARNING: Proceeding even though pinset validation failed!\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
else
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
"%-40s : Conn failed: TLS - *Failure* - Pinset validation failure\n",
upstream->addr_str);
}
/* If nothing has failed yet and we had credentials, we have successfully authenticated*/
if (preverify_ok == 0)
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
else if (upstream->tls_auth_state == GETDNS_AUTH_NONE &&
(upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]))
upstream->tls_auth_state = GETDNS_AUTH_OK;
/* If fallback is allowed, proceed regardless of what the auth error is
(might not be hostname or pinset related) */
return (upstream->tls_fallback_ok) ? 1 : preverify_ok;
}
#endif /* #else defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
static _getdns_tls_connection* static _getdns_tls_connection*
tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
{ {
@ -946,28 +882,11 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n", DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name); STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name); SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name);
#if defined(HAVE_SSL_HN_AUTH) /* Set up native OpenSSL hostname verification */
/* Set up native OpenSSL hostname verification
* ( doesn't work with USE_DANESSL, but we verify the
* name afterwards in such cases )
*/
X509_VERIFY_PARAM *param; X509_VERIFY_PARAM *param;
param = SSL_get0_param(tls->ssl); param = SSL_get0_param(tls->ssl);
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0); X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
#elif !defined(HAVE_X509_CHECK_HOST)
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
DEBUG_STUB("%s %-35s: ERROR: Hostname Authentication not available from TLS library (check library version)\n",
STUB_DEBUG_SETUP_TLS, __FUNC__);
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
"%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n",
upstream->addr_str);
upstream->tls_hs_state = GETDNS_HS_FAILED;
_getdns_tls_connection_free(tls);
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
return NULL;
}
#endif
/* Allow fallback to opportunistic if settings permit it*/ /* Allow fallback to opportunistic if settings permit it*/
if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED) if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
upstream->tls_fallback_ok = 1; upstream->tls_fallback_ok = 1;
@ -1006,7 +925,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS,
__FUNC__); __FUNC__);
} }
#if defined(HAVE_SSL_DANE_ENABLE)
int osr; int osr;
# if defined(STUB_DEBUG) && STUB_DEBUG # if defined(STUB_DEBUG) && STUB_DEBUG
osr = osr =
@ -1033,44 +952,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
if (osr > 0) if (osr > 0)
++n_pins; ++n_pins;
} }
#elif defined(USE_DANESSL)
if (upstream->tls_pubkey_pinset) {
const char *auth_names[2] = { upstream->tls_auth_name, NULL };
int osr;
# if defined(STUB_DEBUG) && STUB_DEBUG
osr =
# else
(void)
# endif
DANESSL_init(tls->ssl,
*upstream->tls_auth_name ? upstream->tls_auth_name : NULL,
*upstream->tls_auth_name ? auth_names : NULL
);
DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n"
, STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
sha256_pin_t *pin_p;
size_t n_pins = 0;
for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
osr = DANESSL_add_tlsa(tls->ssl, 3, 1, "sha256",
(unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
, STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
if (osr > 0)
++n_pins;
osr = DANESSL_add_tlsa(tls->ssl, 2, 1, "sha256",
(unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
, STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
if (osr > 0)
++n_pins;
}
} else {
SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
}
#else
SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback);
#endif
/* Session resumption. There are trade-offs here. Want to do it when /* Session resumption. There are trade-offs here. Want to do it when
possible only if we have the right type of connection. Note a change possible only if we have the right type of connection. Note a change
@ -1127,23 +1008,6 @@ tls_do_handshake(getdns_upstream *upstream)
X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl); X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl);
long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl); long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl);
/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
* we need to verify auth_name explicitely (otherwise it will not be checked,
* because this is not required with DANE with an EE match).
* This is not needed with native OpenSSL DANE, because EE name checks have
* to be disabled explicitely.
*/
#if defined(HAVE_X509_CHECK_HOST) && (defined(USE_DANESSL) || !defined(HAVE_SSL_HN_AUTH))
int xch;
if (peer_cert && verify_result == X509_V_OK
&& upstream->tls_auth_name[0]
&& (xch = X509_check_host(peer_cert,
upstream->tls_auth_name,
strlen(upstream->tls_auth_name),
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
NULL)) <= 0)
verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
#endif
upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
? GETDNS_AUTH_OK : GETDNS_AUTH_FAILED; ? GETDNS_AUTH_OK : GETDNS_AUTH_FAILED;
if (!peer_cert) if (!peer_cert)
@ -1161,7 +1025,6 @@ tls_do_handshake(getdns_upstream *upstream)
/* Since we don't have DANE validation yet, DANE validation /* Since we don't have DANE validation yet, DANE validation
* failures are always pinset validation failures * failures are always pinset validation failures
*/ */
#if defined(HAVE_SSL_DANE_ENABLE)
else if (verify_result == X509_V_ERR_DANE_NO_MATCH) else if (verify_result == X509_V_ERR_DANE_NO_MATCH)
_getdns_upstream_log(upstream, _getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_UPSTREAM_STATS,
@ -1172,21 +1035,6 @@ tls_do_handshake(getdns_upstream *upstream)
( upstream->tls_fallback_ok ( upstream->tls_fallback_ok
? "Tolerated because of Opportunistic profile" ? "Tolerated because of Opportunistic profile"
: "*Failure*" )); : "*Failure*" ));
#elif defined(USE_DANESSL)
else if (verify_result == X509_V_ERR_CERT_UNTRUSTED
&& upstream->tls_pubkey_pinset
&& !DANESSL_get_match_cert(
upstream->tls_obj->ssl, NULL, NULL, NULL))
_getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS,
( upstream->tls_fallback_ok
? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
"%-40s : Verify failed : TLS - %s - "
"Pinset validation failure\n", upstream->addr_str,
( upstream->tls_fallback_ok
? "Tolerated because of Opportunistic profile"
: "*Failure*" ));
#endif
else if (verify_result != X509_V_OK) else if (verify_result != X509_V_OK)
_getdns_upstream_log(upstream, _getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_UPSTREAM_STATS,
@ -1198,23 +1046,6 @@ tls_do_handshake(getdns_upstream *upstream)
? "Tolerated because of Opportunistic profile" ? "Tolerated because of Opportunistic profile"
: "*Failure*" ), verify_result, : "*Failure*" ), verify_result,
X509_verify_cert_error_string(verify_result)); X509_verify_cert_error_string(verify_result));
#if !defined(HAVE_SSL_HN_AUTH) && !defined(HAVE_X509_CHECK_HOST)
else if (*upstream->tls_auth_name) {
_getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS,
( upstream->tls_fallback_ok
? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
"%-40s : Verify failed : TLS - %s - "
"Hostname Authentication not available from TLS "
"library (check library version)\n",
upstream->addr_str,
( upstream->tls_fallback_ok
? "Tolerated because of Opportunistic profile"
: "*Failure*" ));
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
}
#endif
else else
_getdns_upstream_log(upstream, _getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,