Change port used for TLS to 853
parent
28ffb2fdf6
commit
689447509a
|
@ -56,10 +56,10 @@
|
||||||
|
|
||||||
#define GETDNS_PORT_ZERO 0
|
#define GETDNS_PORT_ZERO 0
|
||||||
#define GETDNS_PORT_DNS 53
|
#define GETDNS_PORT_DNS 53
|
||||||
#define GETDNS_PORT_DNS_OVER_TLS 1021
|
#define GETDNS_PORT_DNS_OVER_TLS 853
|
||||||
#define GETDNS_STR_PORT_ZERO "0"
|
#define GETDNS_STR_PORT_ZERO "0"
|
||||||
#define GETDNS_STR_PORT_DNS "53"
|
#define GETDNS_STR_PORT_DNS "53"
|
||||||
#define GETDNS_STR_PORT_DNS_OVER_TLS "1021"
|
#define GETDNS_STR_PORT_DNS_OVER_TLS "853"
|
||||||
|
|
||||||
void *plain_mem_funcs_user_arg = MF_PLAIN;
|
void *plain_mem_funcs_user_arg = MF_PLAIN;
|
||||||
|
|
||||||
|
@ -2205,13 +2205,11 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
|
||||||
context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
|
context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
|
||||||
if(context->tls_ctx == NULL)
|
if(context->tls_ctx == NULL)
|
||||||
return GETDNS_RETURN_BAD_CONTEXT;
|
return GETDNS_RETURN_BAD_CONTEXT;
|
||||||
// /* Be strict and only use the cipher suites recommended in RFC7525 */
|
/* Be strict and only use the cipher suites recommended in RFC7525
|
||||||
// const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM";
|
Unless we later fallback to oppotunistic. */
|
||||||
// if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS))
|
const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM";
|
||||||
// return GETDNS_RETURN_BAD_CONTEXT;
|
if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS))
|
||||||
/* By default cert chain will be verified, but note that per
|
return GETDNS_RETURN_BAD_CONTEXT;
|
||||||
connection management of the result and hostname verification is done.*/
|
|
||||||
SSL_CTX_set_verify(context->tls_ctx, SSL_VERIFY_PEER, _getdns_tls_verify_callback);
|
|
||||||
if (!SSL_CTX_set_default_verify_paths(context->tls_ctx))
|
if (!SSL_CTX_set_default_verify_paths(context->tls_ctx))
|
||||||
return GETDNS_RETURN_BAD_CONTEXT;
|
return GETDNS_RETURN_BAD_CONTEXT;
|
||||||
#else
|
#else
|
||||||
|
@ -2223,13 +2221,11 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
|
||||||
}
|
}
|
||||||
if (tls_only_is_in_transports_list(context) == 1 &&
|
if (tls_only_is_in_transports_list(context) == 1 &&
|
||||||
context->tls_auth == GETDNS_AUTHENTICATION_HOSTNAME) {
|
context->tls_auth == GETDNS_AUTHENTICATION_HOSTNAME) {
|
||||||
fprintf(stdout, "Setting auth min to HOSTNAME\n");
|
|
||||||
context->tls_auth_min = GETDNS_AUTHENTICATION_HOSTNAME;
|
context->tls_auth_min = GETDNS_AUTHENTICATION_HOSTNAME;
|
||||||
/* TODO: If no auth data provided for any upstream, fail here */
|
/* TODO: If no auth data provided for any upstream, fail here */
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
context->tls_auth_min = GETDNS_AUTHENTICATION_NONE;
|
context->tls_auth_min = GETDNS_AUTHENTICATION_NONE;
|
||||||
fprintf(stdout, "Setting auth min to NONE\n");
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
70
src/stub.c
70
src/stub.c
|
@ -563,7 +563,7 @@ upstream_tls_timeout_cb(void *userarg)
|
||||||
tls_cleanup(upstream);
|
tls_cleanup(upstream);
|
||||||
|
|
||||||
/* Need to handle the case where the far end doesn't respond to a
|
/* Need to handle the case where the far end doesn't respond to a
|
||||||
* TCP SYN and doesn't do a reset (as is the case with e.g. 8.8.8.8@1021).
|
* TCP SYN and doesn't do a reset (as is the case with e.g. 8.8.8.8@853).
|
||||||
* For that case the socket never becomes writable so doesn't trigger any
|
* For that case the socket never becomes writable so doesn't trigger any
|
||||||
* callbacks. If so then clear out the queue in one go.*/
|
* callbacks. If so then clear out the queue in one go.*/
|
||||||
int ret;
|
int ret;
|
||||||
|
@ -590,7 +590,7 @@ stub_tls_timeout_cb(void *userarg)
|
||||||
tls_cleanup(upstream);
|
tls_cleanup(upstream);
|
||||||
|
|
||||||
/* Need to handle the case where the far end doesn't respond to a
|
/* Need to handle the case where the far end doesn't respond to a
|
||||||
* TCP SYN and doesn't do a reset (as is the case with e.g. 8.8.8.8@1021).
|
* TCP SYN and doesn't do a reset (as is the case with e.g. 8.8.8.8@853).
|
||||||
* For that case the socket never becomes writable so doesn't trigger any
|
* For that case the socket never becomes writable so doesn't trigger any
|
||||||
* callbacks. If so then clear out the queue in one go.*/
|
* callbacks. If so then clear out the queue in one go.*/
|
||||||
int ret;
|
int ret;
|
||||||
|
@ -830,7 +830,7 @@ tls_auth_status_ok(getdns_upstream *upstream, getdns_network_req *netreq) {
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
_getdns_tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
|
tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
|
||||||
int err;
|
int err;
|
||||||
err = X509_STORE_CTX_get_error(ctx);
|
err = X509_STORE_CTX_get_error(ctx);
|
||||||
const char * err_str;
|
const char * err_str;
|
||||||
|
@ -864,7 +864,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
if (context->tls_ctx == NULL)
|
if (context->tls_ctx == NULL)
|
||||||
return NULL;
|
return NULL;
|
||||||
SSL* ssl = SSL_new(context->tls_ctx);
|
SSL* ssl = SSL_new(context->tls_ctx);
|
||||||
|
|
||||||
if(!ssl)
|
if(!ssl)
|
||||||
return NULL;
|
return NULL;
|
||||||
/* Connect the SSL object with a file descriptor */
|
/* Connect the SSL object with a file descriptor */
|
||||||
|
@ -874,11 +873,38 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* NOTE: this code will fallback on a given upstream, without trying
|
/* NOTE: this code will fallback on a given upstream, without trying
|
||||||
authentication on other upstreams first. This is non-optimal and is
|
authentication on other upstreams first. This is non-optimal and but avoids
|
||||||
an interim simplification. */
|
multiple TLS handshakes before getting a usable connection. */
|
||||||
|
|
||||||
|
/* If we have a hostname, always use it */
|
||||||
|
if (upstream->tls_auth_name[0] != '\0') {
|
||||||
|
/*Request certificate for the auth_name*/
|
||||||
|
SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
|
||||||
|
#ifdef HAVE_SSL_HN_AUTH
|
||||||
|
/* Set up native OpenSSL hostname verification*/
|
||||||
|
X509_VERIFY_PARAM *param;
|
||||||
|
param = SSL_get0_param(ssl);
|
||||||
|
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||||
|
X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
|
||||||
|
DEBUG_STUB("--- %s, HOSTNAME VERIFICATION REQUESTED \n", __FUNCTION__);
|
||||||
|
#else
|
||||||
|
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME) {
|
||||||
|
/* TODO: Trigger post-handshake custom validation*/
|
||||||
|
DEBUG_STUB("--- %s, ERROR: Authentication functionality not available\n", __FUNCTION__);
|
||||||
|
upstream->tls_hs_state = GETDNS_HS_FAILED;
|
||||||
|
upstream->tls_auth_failed = 1;
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
/* Allow fallback to oppotunisitc if settings permit it*/
|
||||||
|
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME)
|
||||||
|
SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback);
|
||||||
|
else {
|
||||||
|
SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_callback_with_fallback);
|
||||||
|
SSL_CTX_set_cipher_list(context->tls_ctx, NULL);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
/* Lack of host name is OK unless only authenticated TLS is specified*/
|
/* Lack of host name is OK unless only authenticated TLS is specified*/
|
||||||
if (upstream->tls_auth_name[0] == '\0') {
|
|
||||||
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME) {
|
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME) {
|
||||||
DEBUG_STUB("--- %s, ERROR: No host name provided for authentication\n", __FUNCTION__);
|
DEBUG_STUB("--- %s, ERROR: No host name provided for authentication\n", __FUNCTION__);
|
||||||
upstream->tls_hs_state = GETDNS_HS_FAILED;
|
upstream->tls_hs_state = GETDNS_HS_FAILED;
|
||||||
|
@ -887,31 +913,9 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
} else {
|
} else {
|
||||||
DEBUG_STUB("--- %s, PROCEEDING WITHOUT HOSTNAME VALIDATION!!\n", __FUNCTION__);
|
DEBUG_STUB("--- %s, PROCEEDING WITHOUT HOSTNAME VALIDATION!!\n", __FUNCTION__);
|
||||||
upstream->tls_auth_failed = 1;
|
upstream->tls_auth_failed = 1;
|
||||||
/* TODO: Should we always enforce validation of the cert at least??*/
|
|
||||||
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
/*Request certificate for the auth_name*/
|
|
||||||
SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
|
|
||||||
|
|
||||||
#ifdef HAVE_SSL_HN_AUTH
|
|
||||||
/* Set up native OpenSSL hostname verification*/
|
|
||||||
X509_VERIFY_PARAM *param;
|
|
||||||
param = SSL_get0_param(ssl);
|
|
||||||
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
|
||||||
X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
|
|
||||||
#else
|
|
||||||
/* TODO: Trigger post-handshake custom validation*/
|
|
||||||
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME) {
|
|
||||||
DEBUG_STUB("--- %s, ERROR: Authentication functionality not available\n", __FUNCTION__);
|
|
||||||
upstream->tls_hs_state = GETDNS_HS_FAILED;
|
|
||||||
upstream->tls_auth_failed = 1;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
/* Allow fallback from authenticated TLS if settings permit it*/
|
|
||||||
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_NONE)
|
|
||||||
SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_callback_with_fallback);
|
SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_callback_with_fallback);
|
||||||
|
SSL_CTX_set_cipher_list(context->tls_ctx, NULL);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
SSL_set_connect_state(ssl);
|
SSL_set_connect_state(ssl);
|
||||||
|
@ -976,10 +980,6 @@ tls_do_handshake(getdns_upstream *upstream)
|
||||||
r = SSL_get_verify_result(upstream->tls_obj);
|
r = SSL_get_verify_result(upstream->tls_obj);
|
||||||
if (r == X509_V_ERR_HOSTNAME_MISMATCH)
|
if (r == X509_V_ERR_HOSTNAME_MISMATCH)
|
||||||
upstream->tls_auth_failed = 1;
|
upstream->tls_auth_failed = 1;
|
||||||
//#ifndef HAVE_SSL_HN_AUTH
|
|
||||||
/*TODO: When OpenSSL 1.0.2 not available, use custom function to validate
|
|
||||||
the hostname e.g. see libcurl:openssl.c:verifyhost() */
|
|
||||||
//#endif
|
|
||||||
/* Reset timeout on success*/
|
/* Reset timeout on success*/
|
||||||
GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
|
GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
|
||||||
upstream->event.read_cb = NULL;
|
upstream->event.read_cb = NULL;
|
||||||
|
|
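Review bot: `SSL_CTX_set_cipher_list(context->tls_ctx, NULL);` in the opportunistic-fallback branch of tls_create_object (and the same call in the following hunk) mutates the shared SSL_CTX to relax the cipher policy for one upstream, so every later SSL object created from that context — including ones for upstreams that still require authenticated TLS — loses the RFC 7525 cipher restriction installed in _getdns_context_prepare_for_resolution, and the return value is never checked. As far as I recall OpenSSL rejects a NULL cipher string rather than treating it as "reset to defaults", so the call most likely fails silently and the policy never changes; either way the effect is not what the surrounding comment describes. The per-connection object should be adjusted instead, e.g. `if (!SSL_set_cipher_list(ssl, "DEFAULT")) return NULL;` (handling failure like the other error paths here), leaving the context-wide list intact; the unchecked `X509_VERIFY_PARAM_set1_host` return a few lines earlier deserves the same treatment. tls_create_object begins and ends outside this hunk.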
|
@ -41,8 +41,6 @@ getdns_return_t _getdns_submit_stub_request(getdns_network_req *netreq);
|
||||||
|
|
||||||
void _getdns_cancel_stub_request(getdns_network_req *netreq);
|
void _getdns_cancel_stub_request(getdns_network_req *netreq);
|
||||||
|
|
||||||
int _getdns_tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
|
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* stub.h */
|
/* stub.h */
|
||||||
|
|