Merge branch 'features/CA_verify_locations' into release/1.2.2

2017-12-13 14:49:42 +01:00 · 2017-12-13 14:49:42 +01:00 · 5f1a2f8659
parent cfeaefbe3f da3f023d8f
commit 5f1a2f8659
6 changed files with 135 additions and 3 deletions
--- a/2
+++ b/2
@ -1,4 +1,6 @@
 * 2017-12-??: Version 1.2.2
+  * Specify locations at which CA certificates for verification purposes
+    are located: getdns_context_set_CApath() getdns_context_set_CAfile()
  * getdns_context_set_resolvconf() function to initialize a context 
    upstreams and suffices with a resolv.conf file.
    getdns_context_get_resolvconf() to get the file used to initialize
--- a/src/const-info.c
+++ b/src/const-info.c
@ -89,6 +89,8 @@ static struct const_info consts_info[] = {
 	{     628, "GETDNS_CONTEXT_CODE_APPDATA_DIR", GETDNS_CONTEXT_CODE_APPDATA_DIR_TEXT },
 	{     629, "GETDNS_CONTEXT_CODE_RESOLVCONF", GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT },
 	{     630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT },
+	{     630, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT },
+	{     631, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
 	{     702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT },
@ -159,6 +161,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CALLBACK_TIMEOUT", 702 },
 	{ "GETDNS_CONTEXT_CODE_APPDATA_DIR", 628 },
 	{ "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 },
+	{ "GETDNS_CONTEXT_CODE_CAFILE", 631 },
+	{ "GETDNS_CONTEXT_CODE_CAPATH", 630 },
 	{ "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 },
 	{ "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 },
 	{ "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 },
--- a/src/context.c
+++ b/src/context.c
@ -1513,6 +1513,8 @@ getdns_context_create_with_extended_memory_functions(
 	result->trust_anchors_verify_email = NULL;
 	result->trust_anchors_verify_CA = NULL;
 	result->appdata_dir = NULL;
+	result->CApath = NULL;
+	result->CAfile = NULL;

 	(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));

@ -1777,6 +1779,11 @@ getdns_context_destroy(struct getdns_context *context)
 		           , context->trust_anchors_verify_email);
 	if (context->appdata_dir)
 		GETDNS_FREE(context->mf, context->appdata_dir);
+	if (context->CApath)
+		GETDNS_FREE(context->mf, context->CApath);
+	if (context->CAfile)
+		GETDNS_FREE(context->mf, context->CAfile);
+

 #ifdef USE_WINSOCK
 	WSACleanup();
@ -3572,10 +3579,14 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				return GETDNS_RETURN_BAD_CONTEXT;
 			/* For strict authentication, we must have local root certs available
 		       Set up is done only when the tls_ctx is created (per getdns_context)*/
+			if ((context->CAfile || context->CApath) &&
+			    SSL_CTX_load_verify_locations(context->tls_ctx
+				    , context->CAfile, context->CApath))
+				; /* pass */
 #  ifndef USE_WINSOCK
-			if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
+			else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
 #  else
-			if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) {
+			else if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) {
 #  endif /* USE_WINSOCK */
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
@ -3876,6 +3887,11 @@ _get_context_settings(getdns_context* context)
 		(void) getdns_dict_util_set_string(result, "resolvconf", str_value);
 	if (!getdns_context_get_hosts(context, &str_value) && str_value)
 		(void) getdns_dict_util_set_string(result, "hosts", str_value);
+	if (!getdns_context_get_CApath(context, &str_value) && str_value)
+		(void) getdns_dict_util_set_string(result, "CApath", str_value);
+	if (!getdns_context_get_CAfile(context, &str_value) && str_value)
+		(void) getdns_dict_util_set_string(result, "CAfile", str_value);
+
 	return result;
 error:
 	getdns_dict_destroy(result);
@ -4606,6 +4622,8 @@ _getdns_context_config_setting(getdns_context *context,
 	CONTEXT_SETTING_STRING(appdata_dir)
 	CONTEXT_SETTING_STRING(resolvconf)
 	CONTEXT_SETTING_STRING(hosts)
+	CONTEXT_SETTING_STRING(CApath)
+	CONTEXT_SETTING_STRING(CAfile)

 	/**************************************/
 	/****                              ****/
@ -5110,4 +5128,50 @@ getdns_context *_getdns_context_get_sys_ctxt(
 	return NULL;
 }

+getdns_return_t
+getdns_context_set_CApath(getdns_context *context, const char *CApath)
+{
+	if (!context || !CApath)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (context->CApath)
+		GETDNS_FREE(context->mf, context->CApath);
+	context->CApath = _getdns_strdup(&context->mf, CApath);
+
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_CAPATH);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_CApath(getdns_context *context, const char **CApath)
+{
+	if (!context || !CApath)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	*CApath = context->CApath;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_set_CAfile(getdns_context *context, const char *CAfile)
+{
+	if (!context || !CAfile)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (context->CAfile)
+		GETDNS_FREE(context->mf, context->CAfile);
+	context->CAfile = _getdns_strdup(&context->mf, CAfile);
+
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_CAFILE);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_CAfile(getdns_context *context, const char **CAfile)
+{
+	if (!context || !CAfile)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	*CAfile = context->CAfile;
+	return GETDNS_RETURN_GOOD;
+}
+
 /* context.c */
--- a/src/context.h
+++ b/src/context.h
@ -343,6 +343,9 @@ struct getdns_context {
 	char                 *appdata_dir;
 	_getdns_property      can_write_appdata;

+	char                 *CApath;
+	char                 *CAfile;
+
 	getdns_upstreams     *upstreams;
 	uint16_t             limit_outstanding_queries;
 	uint32_t             dnssec_allowed_skew;
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@ -94,7 +94,10 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_RESOLVCONF_TEXT "Change related to getdns_context_set_resolvconf"
 #define GETDNS_CONTEXT_CODE_HOSTS 630
 #define GETDNS_CONTEXT_CODE_HOSTS_TEXT "Change related to getdns_context_set_hosts"
-
+#define GETDNS_CONTEXT_CODE_CAPATH 630
+#define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath"
+#define GETDNS_CONTEXT_CODE_CAFILE 631
+#define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile"

 /** @}
  */
@ -711,6 +714,31 @@ getdns_context_set_resolvconf(getdns_context *context, const char *resolvconf);
 getdns_return_t
 getdns_context_set_hosts(getdns_context *context, const char *hosts);

+/**
+ * Specify where the location for CA certificates for verification purposes
+ * are located.
+ * @see getdns_context_get_CApath
+ * @see getdns_context_set_CAfile
+ * @param[in] context      The context to configure
+ * @param[in] CApath       Directory with Certificate Authority certificates.
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_set_CApath(getdns_context *context, const char *CApath);
+
+/**
+ * Specify the file with CA certificates for verification purposes.
+ * @see getdns_context_get_CAfile
+ * @see getdns_context_set_CApath
+ * @param[in] context      The context to configure
+ * @param[in] CAfile       The file with Certificate Authority certificates.
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_set_CAfile(getdns_context *context, const char *CAfile);
+
 /**
 * Get the current resolution type setting from this context.
 * @see getdns_context_set_resolution_type
@ -1191,6 +1219,33 @@ getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf);
 getdns_return_t
 getdns_context_get_hosts(getdns_context *context, const char **hosts);

+/**
+ * Get the location of the directory for CA certificates for verification
+ * purposes.
+ * @see getdns_context_set_CApath
+ * @see getdns_context_get_CAfile
+ * @param[in]  context      The context to configure
+ * @param[out] CApath       Directory with Certificate Authority certificates
+ *                          or NULL when one was not configured.
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_get_CApath(getdns_context *context, const char **CApath);
+
+/**
+ * Get the file location with CA certificates for verification purposes.
+ * @see getdns_context_set_CAfile
+ * @see getdns_context_get_CApath
+ * @param[in]  context      The context to configure
+ * @param[out] CAfile       The file with Certificate Authority certificates
+ *                          or NULL when one was not configured.
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_get_CAfile(getdns_context *context, const char **CAfile);
+
 /** @}
 */

--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@ -7,6 +7,8 @@ getdns_context_create_with_extended_memory_functions
 getdns_context_create_with_memory_functions
 getdns_context_destroy
 getdns_context_detach_eventloop
+getdns_context_get_CAfile
+getdns_context_get_CApath
 getdns_context_get_api_information
 getdns_context_get_append_name
 getdns_context_get_dns_root_servers
@ -42,6 +44,8 @@ getdns_context_get_update_callback
 getdns_context_get_upstream_recursive_servers
 getdns_context_process_async
 getdns_context_run
+getdns_context_set_CAfile
+getdns_context_set_CApath
 getdns_context_set_appdata_dir
 getdns_context_set_append_name
 getdns_context_set_context_update_callback