mirror of https://github.com/getdnsapi/getdns.git
tls_ciphersuites + bugfix in strdup2!!
This commit is contained in:
Willem Toorop
parent
e5a53fb1d2
commit
6a5e96d4e1
|
|
@ -418,7 +418,7 @@ AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
|||
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter])
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list], [], [], [
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_CTX_set_ciphersuites,SSL_set_ciphersuites], [], [], [
|
||||
AC_INCLUDES_DEFAULT
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
|
|
|
|||
|
|
@ -93,6 +93,7 @@ static struct const_info consts_info[] = {
|
|||
{ 632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT },
|
||||
{ 633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
|
||||
{ 634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT },
|
||||
{ 635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT },
|
||||
{ 699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
|
||||
{ 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
|
||||
{ 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
|
||||
|
|
@ -190,6 +191,7 @@ static struct const_name_info consts_name_info[] = {
|
|||
{ "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 },
|
||||
{ "GETDNS_CONTEXT_CODE_TLS_CA_FILE", 632 },
|
||||
{ "GETDNS_CONTEXT_CODE_TLS_CA_PATH", 631 },
|
||||
{ "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", 635 },
|
||||
{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
|
||||
{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
|
||||
{ "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", 634 },
|
||||
|
|
|
|||
|
|
@ -178,7 +178,7 @@ _getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s)
|
|||
return NULL;
|
||||
else {
|
||||
r[s->size] = '\0';
|
||||
return memcpy(r, s, s->size);
|
||||
return memcpy(r, s->data, s->size);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -781,6 +781,8 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
|
|||
upstream->tls_pubkey_pinset = NULL;
|
||||
if (upstream->tls_cipher_list)
|
||||
GETDNS_FREE(upstreams->mf, upstream->tls_cipher_list);
|
||||
if (upstream->tls_ciphersuites)
|
||||
GETDNS_FREE(upstreams->mf, upstream->tls_ciphersuites);
|
||||
if (upstream->tls_curves_list)
|
||||
GETDNS_FREE(upstreams->mf, upstream->tls_curves_list);
|
||||
}
|
||||
|
|
@ -1075,6 +1077,7 @@ upstream_init(getdns_upstream *upstream,
|
|||
upstream->tls_obj = NULL;
|
||||
upstream->tls_session = NULL;
|
||||
upstream->tls_cipher_list = NULL;
|
||||
upstream->tls_ciphersuites = NULL;
|
||||
upstream->tls_curves_list = NULL;
|
||||
upstream->transport = GETDNS_TRANSPORT_TCP;
|
||||
upstream->tls_hs_state = GETDNS_HS_NONE;
|
||||
|
|
@ -1481,6 +1484,9 @@ static char const * const _getdns_default_tls_cipher_list =
|
|||
"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
|
||||
"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
|
||||
|
||||
static char const * const _getdns_default_tls_ciphersuites =
|
||||
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
|
||||
|
||||
/*
|
||||
* getdns_context_create
|
||||
*
|
||||
|
|
@ -1589,6 +1595,7 @@ getdns_context_create_with_extended_memory_functions(
|
|||
result->tls_ca_path = NULL;
|
||||
result->tls_ca_file = NULL;
|
||||
result->tls_cipher_list = NULL;
|
||||
result->tls_ciphersuites = NULL;
|
||||
result->tls_curves_list = NULL;
|
||||
|
||||
(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
|
||||
|
|
@ -1864,6 +1871,8 @@ getdns_context_destroy(struct getdns_context *context)
|
|||
GETDNS_FREE(context->mf, context->tls_ca_file);
|
||||
if (context->tls_cipher_list)
|
||||
GETDNS_FREE(context->mf, context->tls_cipher_list);
|
||||
if (context->tls_ciphersuites)
|
||||
GETDNS_FREE(context->mf, context->tls_ciphersuites);
|
||||
if (context->tls_curves_list)
|
||||
GETDNS_FREE(context->mf, context->tls_curves_list);
|
||||
|
||||
|
|
@ -3079,6 +3088,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
|
|||
if (dict && getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
|
||||
getdns_list *pubkey_pinset = NULL;
|
||||
getdns_bindata *tls_cipher_list = NULL;
|
||||
getdns_bindata *tls_ciphersuites = NULL;
|
||||
getdns_bindata *tls_curves_list = NULL;
|
||||
|
||||
if ((r = getdns_dict_get_bindata(
|
||||
|
|
@ -3118,6 +3128,12 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
|
|||
? _getdns_strdup2(&upstreams->mf
|
||||
, tls_cipher_list)
|
||||
: NULL;
|
||||
(void) getdns_dict_get_bindata(
|
||||
dict, "tls_ciphersuites", &tls_ciphersuites);
|
||||
upstream->tls_ciphersuites = tls_ciphersuites
|
||||
? _getdns_strdup2(&upstreams->mf
|
||||
, tls_ciphersuites)
|
||||
: NULL;
|
||||
(void) getdns_dict_get_bindata(
|
||||
dict, "tls_curves_list", &tls_curves_list);
|
||||
if (tls_curves_list) {
|
||||
|
|
@ -3713,7 +3729,12 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
|
|||
context->tls_cipher_list ? context->tls_cipher_list
|
||||
: _getdns_default_tls_cipher_list))
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
|
||||
# if defined(HAVE_DECL_SSL_CTX_SET_CIPHERSUITES) && HAVE_DECL_SSL_CTX_SET_CIPHERSUITES
|
||||
if (!SSL_CTX_set_ciphersuites(context->tls_ctx,
|
||||
context->tls_ciphersuites ? context->tls_ciphersuites
|
||||
: _getdns_default_tls_ciphersuites))
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
# endif
|
||||
# if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
|
||||
if (context->tls_curves_list &&
|
||||
!SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
|
||||
|
|
@ -4058,6 +4079,8 @@ _get_context_settings(getdns_context* context)
|
|||
(void) getdns_dict_util_set_string(result, "tls_ca_file", str_value);
|
||||
if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value)
|
||||
(void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value);
|
||||
if (!getdns_context_get_tls_ciphersuites(context, &str_value) && str_value)
|
||||
(void) getdns_dict_util_set_string(result, "tls_ciphersuites", str_value);
|
||||
if (!getdns_context_get_tls_curves_list(context, &str_value) && str_value)
|
||||
(void) getdns_dict_util_set_string(result, "tls_curves_list", str_value);
|
||||
|
||||
|
|
@ -4668,6 +4691,11 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
|
|||
d, "tls_cipher_list",
|
||||
upstream->tls_cipher_list);
|
||||
}
|
||||
if (upstream->tls_ciphersuites) {
|
||||
(void) getdns_dict_util_set_string(
|
||||
d, "tls_ciphersuites",
|
||||
upstream->tls_ciphersuites);
|
||||
}
|
||||
if (upstream->tls_curves_list) {
|
||||
(void) getdns_dict_util_set_string(
|
||||
d, "tls_curves_list",
|
||||
|
|
@ -4893,6 +4921,7 @@ _getdns_context_config_setting(getdns_context *context,
|
|||
CONTEXT_SETTING_STRING(tls_ca_path)
|
||||
CONTEXT_SETTING_STRING(tls_ca_file)
|
||||
CONTEXT_SETTING_STRING(tls_cipher_list)
|
||||
CONTEXT_SETTING_STRING(tls_ciphersuites)
|
||||
CONTEXT_SETTING_STRING(tls_curves_list)
|
||||
|
||||
/**************************************/
|
||||
|
|
@ -5491,6 +5520,35 @@ getdns_context_get_tls_cipher_list(
|
|||
return GETDNS_RETURN_GOOD;
|
||||
}
|
||||
|
||||
getdns_return_t
|
||||
getdns_context_set_tls_ciphersuites(
|
||||
getdns_context *context, const char *tls_ciphersuites)
|
||||
{
|
||||
if (!context)
|
||||
return GETDNS_RETURN_INVALID_PARAMETER;
|
||||
if (context->tls_ciphersuites)
|
||||
GETDNS_FREE(context->mf, context->tls_ciphersuites);
|
||||
context->tls_ciphersuites = tls_ciphersuites
|
||||
? _getdns_strdup(&context->mf, tls_ciphersuites)
|
||||
: NULL;
|
||||
|
||||
dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES);
|
||||
return GETDNS_RETURN_GOOD;
|
||||
}
|
||||
|
||||
getdns_return_t
|
||||
getdns_context_get_tls_ciphersuites(
|
||||
getdns_context *context, const char **tls_ciphersuites)
|
||||
{
|
||||
if (!context || !tls_ciphersuites)
|
||||
return GETDNS_RETURN_INVALID_PARAMETER;
|
||||
|
||||
*tls_ciphersuites = context->tls_ciphersuites
|
||||
? context->tls_ciphersuites
|
||||
: _getdns_default_tls_ciphersuites;
|
||||
return GETDNS_RETURN_GOOD;
|
||||
}
|
||||
|
||||
getdns_return_t
|
||||
getdns_context_set_tls_curves_list(
|
||||
getdns_context *context, const char *tls_curves_list)
|
||||
|
|
|
|||
|
|
@ -207,6 +207,7 @@ typedef struct getdns_upstream {
|
|||
getdns_auth_state_t tls_auth_state;
|
||||
unsigned tls_fallback_ok : 1;
|
||||
char *tls_cipher_list;
|
||||
char *tls_ciphersuites;
|
||||
char *tls_curves_list;
|
||||
/* Auth credentials*/
|
||||
char tls_auth_name[256];
|
||||
|
|
@ -350,6 +351,7 @@ struct getdns_context {
|
|||
char *tls_ca_path;
|
||||
char *tls_ca_file;
|
||||
char *tls_cipher_list;
|
||||
char *tls_ciphersuites;
|
||||
char *tls_curves_list;
|
||||
|
||||
getdns_upstreams *upstreams;
|
||||
|
|
|
|||
|
|
@ -102,6 +102,9 @@ extern "C" {
|
|||
#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list"
|
||||
#define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST 634
|
||||
#define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
|
||||
#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES 635
|
||||
#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT "Change related to getdns_context_set_tls_ciphersuites"
|
||||
|
||||
|
||||
/** @}
|
||||
*/
|
||||
|
|
@ -755,6 +758,18 @@ getdns_return_t
|
|||
getdns_context_set_tls_cipher_list(
|
||||
getdns_context *context, const char *cipher_list);
|
||||
|
||||
/**
|
||||
* Configure the available TLS1.3 ciphersuites for authenticated TLS upstreams.
|
||||
* @see getdns_context_get_tls_ciphersuites
|
||||
* @param[in] context The context to configure
|
||||
* @param[in] ciphersuites The cipher list
|
||||
* @return GETDNS_RETURN_GOOD when successful
|
||||
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
|
||||
*/
|
||||
getdns_return_t
|
||||
getdns_context_set_tls_ciphersuites(
|
||||
getdns_context *context, const char *ciphersuites);
|
||||
|
||||
/**
|
||||
* Sets the supported curves TLS upstreams.
|
||||
* @see getdns_context_get_tls_curves_list
|
||||
|
|
@ -1287,6 +1302,19 @@ getdns_return_t
|
|||
getdns_context_get_tls_cipher_list(
|
||||
getdns_context *context, const char **cipher_list);
|
||||
|
||||
/**
|
||||
* Get the configured available TLS1.3 ciphersuited for authenticated TLS
|
||||
* upstreams.
|
||||
* @see getdns_context_set_tls_ciphersuites
|
||||
* @param[in] context The context configure
|
||||
* @param[out] ciphersuites The cipher list
|
||||
* @return GETDNS_RETURN_GOOD when successful
|
||||
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
|
||||
*/
|
||||
getdns_return_t
|
||||
getdns_context_get_tls_ciphersuites(
|
||||
getdns_context *context, const char **ciphersuites);
|
||||
|
||||
/**
|
||||
* Get the supported curves list if one has been set earlier.
|
||||
* @see getdns_context_set_tls_curves_list
|
||||
|
|
|
|||
17
src/stub.c
17
src/stub.c
|
|
@ -1006,11 +1006,24 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
|||
DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n",
|
||||
STUB_DEBUG_SETUP_TLS, __FUNC__);
|
||||
} else {
|
||||
if (upstream->tls_cipher_list)
|
||||
SSL_set_cipher_list(ssl, upstream->tls_cipher_list);
|
||||
if (upstream->tls_cipher_list &&
|
||||
!SSL_set_cipher_list(ssl, upstream->tls_cipher_list))
|
||||
_getdns_upstream_log(upstream,
|
||||
GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
|
||||
"%-40s : Error configuring cipher_list\"%s\"\n",
|
||||
upstream->addr_str, upstream->tls_cipher_list);
|
||||
|
||||
DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS,
|
||||
__FUNC__);
|
||||
}
|
||||
#if defined(HAVE_DECL_SSL_SET_CIPHERSUITES) && HAVE_DECL_SSL_SET_CIPHERSUITES
|
||||
if (upstream->tls_ciphersuites &&
|
||||
!SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) {
|
||||
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
|
||||
GETDNS_LOG_ERR, "%-40s : Error configuring ciphersuites "
|
||||
"\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
|
||||
}
|
||||
#endif
|
||||
#if defined(HAVE_SSL_DANE_ENABLE)
|
||||
int osr;
|
||||
# if defined(STUB_DEBUG) && STUB_DEBUG
|
||||
|
|
|
|||
Loading…
Reference in New Issue