interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

tls_ciphersuites + bugfix in strdup2!!

This commit is contained in:
Willem Toorop 2018-11-20 16:13:57 +01:00
parent e5a53fb1d2
commit 6a5e96d4e1
6 changed files with 110 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
configure.ac
View File

@ -418,7 +418,7 @@ AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list], [], [], [
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_CTX_set_ciphersuites,SSL_set_ciphersuites], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>

2
src/const-info.c
View File

@ -93,6 +93,7 @@ static struct const_info consts_info[] = {
{ 632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT },
{ 633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
{ 634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT },
{ 635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT },
{ 699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
{ 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
{ 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
@ -190,6 +191,7 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 },
{ "GETDNS_CONTEXT_CODE_TLS_CA_FILE", 632 },
{ "GETDNS_CONTEXT_CODE_TLS_CA_PATH", 631 },
{ "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", 635 },
{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
{ "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", 634 },

66
src/context.c
View File

@ -178,7 +178,7 @@ _getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s)
return NULL;
else {
r[s->size] = '\0';
return memcpy(r, s, s->size);
return memcpy(r, s->data, s->size);
}
}
@ -781,6 +781,8 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
upstream->tls_pubkey_pinset = NULL;
if (upstream->tls_cipher_list)
GETDNS_FREE(upstreams->mf, upstream->tls_cipher_list);
if (upstream->tls_ciphersuites)
GETDNS_FREE(upstreams->mf, upstream->tls_ciphersuites);
if (upstream->tls_curves_list)
GETDNS_FREE(upstreams->mf, upstream->tls_curves_list);
}
@ -1075,6 +1077,7 @@ upstream_init(getdns_upstream *upstream,
upstream->tls_obj = NULL;
upstream->tls_session = NULL;
upstream->tls_cipher_list = NULL;
upstream->tls_ciphersuites = NULL;
upstream->tls_curves_list = NULL;
upstream->transport = GETDNS_TRANSPORT_TCP;
upstream->tls_hs_state = GETDNS_HS_NONE;
@ -1478,8 +1481,11 @@ static char const * const _getdns_default_trust_anchors_verify_email =
"dnssec@iana.org";
static char const * const _getdns_default_tls_cipher_list =
"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
static char const * const _getdns_default_tls_ciphersuites =
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
/*
* getdns_context_create
@ -1589,6 +1595,7 @@ getdns_context_create_with_extended_memory_functions(
result->tls_ca_path = NULL;
result->tls_ca_file = NULL;
result->tls_cipher_list = NULL;
result->tls_ciphersuites = NULL;
result->tls_curves_list = NULL;
(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
@ -1864,6 +1871,8 @@ getdns_context_destroy(struct getdns_context *context)
GETDNS_FREE(context->mf, context->tls_ca_file);
if (context->tls_cipher_list)
GETDNS_FREE(context->mf, context->tls_cipher_list);
if (context->tls_ciphersuites)
GETDNS_FREE(context->mf, context->tls_ciphersuites);
if (context->tls_curves_list)
GETDNS_FREE(context->mf, context->tls_curves_list);
@ -3079,6 +3088,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
if (dict && getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
getdns_list *pubkey_pinset = NULL;
getdns_bindata *tls_cipher_list = NULL;
getdns_bindata *tls_ciphersuites = NULL;
getdns_bindata *tls_curves_list = NULL;
if ((r = getdns_dict_get_bindata(
@ -3118,6 +3128,12 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
? _getdns_strdup2(&upstreams->mf
, tls_cipher_list)
: NULL;
(void) getdns_dict_get_bindata(
dict, "tls_ciphersuites", &tls_ciphersuites);
upstream->tls_ciphersuites = tls_ciphersuites
? _getdns_strdup2(&upstreams->mf
, tls_ciphersuites)
: NULL;
(void) getdns_dict_get_bindata(
dict, "tls_curves_list", &tls_curves_list);
if (tls_curves_list) {
@ -3713,7 +3729,12 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
context->tls_cipher_list ? context->tls_cipher_list
: _getdns_default_tls_cipher_list))
return GETDNS_RETURN_BAD_CONTEXT;
# if defined(HAVE_DECL_SSL_CTX_SET_CIPHERSUITES) && HAVE_DECL_SSL_CTX_SET_CIPHERSUITES
if (!SSL_CTX_set_ciphersuites(context->tls_ctx,
context->tls_ciphersuites ? context->tls_ciphersuites
: _getdns_default_tls_ciphersuites))
return GETDNS_RETURN_BAD_CONTEXT;
# endif
# if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
if (context->tls_curves_list &&
!SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
@ -4058,6 +4079,8 @@ _get_context_settings(getdns_context* context)
(void) getdns_dict_util_set_string(result, "tls_ca_file", str_value);
if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value);
if (!getdns_context_get_tls_ciphersuites(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "tls_ciphersuites", str_value);
if (!getdns_context_get_tls_curves_list(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "tls_curves_list", str_value);
@ -4668,6 +4691,11 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
d, "tls_cipher_list",
upstream->tls_cipher_list);
}
if (upstream->tls_ciphersuites) {
(void) getdns_dict_util_set_string(
d, "tls_ciphersuites",
upstream->tls_ciphersuites);
}
if (upstream->tls_curves_list) {
(void) getdns_dict_util_set_string(
d, "tls_curves_list",
@ -4893,6 +4921,7 @@ _getdns_context_config_setting(getdns_context *context,
CONTEXT_SETTING_STRING(tls_ca_path)
CONTEXT_SETTING_STRING(tls_ca_file)
CONTEXT_SETTING_STRING(tls_cipher_list)
CONTEXT_SETTING_STRING(tls_ciphersuites)
CONTEXT_SETTING_STRING(tls_curves_list)
/**************************************/
@ -5491,6 +5520,35 @@ getdns_context_get_tls_cipher_list(
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_set_tls_ciphersuites(
getdns_context *context, const char *tls_ciphersuites)
{
if (!context)
return GETDNS_RETURN_INVALID_PARAMETER;
if (context->tls_ciphersuites)
GETDNS_FREE(context->mf, context->tls_ciphersuites);
context->tls_ciphersuites = tls_ciphersuites
? _getdns_strdup(&context->mf, tls_ciphersuites)
: NULL;
dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES);
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_get_tls_ciphersuites(
getdns_context *context, const char **tls_ciphersuites)
{
if (!context || !tls_ciphersuites)
return GETDNS_RETURN_INVALID_PARAMETER;
*tls_ciphersuites = context->tls_ciphersuites
? context->tls_ciphersuites
: _getdns_default_tls_ciphersuites;
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_set_tls_curves_list(
getdns_context *context, const char *tls_curves_list)

2
src/context.h
View File

@ -207,6 +207,7 @@ typedef struct getdns_upstream {
getdns_auth_state_t tls_auth_state;
unsigned tls_fallback_ok : 1;
char *tls_cipher_list;
char *tls_ciphersuites;
char *tls_curves_list;
/* Auth credentials*/
char tls_auth_name[256];
@ -350,6 +351,7 @@ struct getdns_context {
char *tls_ca_path;
char *tls_ca_file;
char *tls_cipher_list;
char *tls_ciphersuites;
char *tls_curves_list;
getdns_upstreams *upstreams;

28
src/getdns/getdns_extra.h.in
View File

@ -102,6 +102,9 @@ extern "C" {
#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list"
#define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST 634
#define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES 635
#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT "Change related to getdns_context_set_tls_ciphersuites"
/** @}
*/
@ -755,6 +758,18 @@ getdns_return_t
getdns_context_set_tls_cipher_list(
getdns_context *context, const char *cipher_list);
/**
* Configure the available TLS1.3 ciphersuites for authenticated TLS upstreams.
* @see getdns_context_get_tls_ciphersuites
* @param[in] context The context to configure
* @param[in] ciphersuites The cipher list
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_set_tls_ciphersuites(
getdns_context *context, const char *ciphersuites);
/**
* Sets the supported curves TLS upstreams.
* @see getdns_context_get_tls_curves_list
@ -1287,6 +1302,19 @@ getdns_return_t
getdns_context_get_tls_cipher_list(
getdns_context *context, const char **cipher_list);
/**
* Get the configured available TLS1.3 ciphersuited for authenticated TLS
* upstreams.
* @see getdns_context_set_tls_ciphersuites
* @param[in] context The context configure
* @param[out] ciphersuites The cipher list
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_get_tls_ciphersuites(
getdns_context *context, const char **ciphersuites);
/**
* Get the supported curves list if one has been set earlier.
* @see getdns_context_set_tls_curves_list

17
src/stub.c
View File

@ -1006,11 +1006,24 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
STUB_DEBUG_SETUP_TLS, __FUNC__);
} else {
if (upstream->tls_cipher_list)
SSL_set_cipher_list(ssl, upstream->tls_cipher_list);
if (upstream->tls_cipher_list &&
!SSL_set_cipher_list(ssl, upstream->tls_cipher_list))
_getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
"%-40s : Error configuring cipher_list\"%s\"\n",
upstream->addr_str, upstream->tls_cipher_list);
DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS,
__FUNC__);
}
#if defined(HAVE_DECL_SSL_SET_CIPHERSUITES) && HAVE_DECL_SSL_SET_CIPHERSUITES
if (upstream->tls_ciphersuites &&
!SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) {
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
GETDNS_LOG_ERR, "%-40s : Error configuring ciphersuites "
"\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
}
#endif
#if defined(HAVE_SSL_DANE_ENABLE)
int osr;
# if defined(STUB_DEBUG) && STUB_DEBUG