mirror of https://github.com/getdnsapi/getdns.git
rename GETDNS_AUTHENTICATION_HOSTNAME with GETDNS_AUTHENTICATION_REQUIRED
This commit is contained in:
Daniel Kahn Gillmor
Sara Dickinson
parent
792ecd65b8
commit
77802808ce
|
|
@ -90,7 +90,7 @@ static struct const_info consts_info[] = {
|
||||||
{ 1201, "GETDNS_TRANSPORT_TCP", GETDNS_TRANSPORT_TCP_TEXT },
|
{ 1201, "GETDNS_TRANSPORT_TCP", GETDNS_TRANSPORT_TCP_TEXT },
|
||||||
{ 1202, "GETDNS_TRANSPORT_TLS", GETDNS_TRANSPORT_TLS_TEXT },
|
{ 1202, "GETDNS_TRANSPORT_TLS", GETDNS_TRANSPORT_TLS_TEXT },
|
||||||
{ 1300, "GETDNS_AUTHENTICATION_NONE", GETDNS_AUTHENTICATION_NONE_TEXT },
|
{ 1300, "GETDNS_AUTHENTICATION_NONE", GETDNS_AUTHENTICATION_NONE_TEXT },
|
||||||
{ 1301, "GETDNS_AUTHENTICATION_HOSTNAME", GETDNS_AUTHENTICATION_HOSTNAME_TEXT },
|
{ 1301, "GETDNS_AUTHENTICATION_REQUIRED", GETDNS_AUTHENTICATION_REQUIRED_TEXT },
|
||||||
};
|
};
|
||||||
|
|
||||||
static int const_info_cmp(const void *a, const void *b)
|
static int const_info_cmp(const void *a, const void *b)
|
||||||
|
|
|
||||||
|
|
@ -1487,7 +1487,7 @@ getdns_context_set_tls_authentication(getdns_context *context,
|
||||||
{
|
{
|
||||||
RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
|
RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
|
||||||
if (value != GETDNS_AUTHENTICATION_NONE &&
|
if (value != GETDNS_AUTHENTICATION_NONE &&
|
||||||
value != GETDNS_AUTHENTICATION_HOSTNAME) {
|
value != GETDNS_AUTHENTICATION_REQUIRED) {
|
||||||
return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
|
return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
|
||||||
}
|
}
|
||||||
context->tls_auth = value;
|
context->tls_auth = value;
|
||||||
|
|
@ -2462,8 +2462,8 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
if (tls_only_is_in_transports_list(context) == 1 &&
|
if (tls_only_is_in_transports_list(context) == 1 &&
|
||||||
context->tls_auth == GETDNS_AUTHENTICATION_HOSTNAME) {
|
context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED) {
|
||||||
context->tls_auth_min = GETDNS_AUTHENTICATION_HOSTNAME;
|
context->tls_auth_min = GETDNS_AUTHENTICATION_REQUIRED;
|
||||||
/* TODO: If no auth data provided for any upstream, fail here */
|
/* TODO: If no auth data provided for any upstream, fail here */
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
|
|
||||||
|
|
@ -418,7 +418,8 @@ uint32_t getdns_get_api_version_number(void);
|
||||||
/* Authentication options used when doing TLS */
|
/* Authentication options used when doing TLS */
|
||||||
typedef enum getdns_tls_authentication_t {
|
typedef enum getdns_tls_authentication_t {
|
||||||
GETDNS_AUTHENTICATION_NONE = 1300,
|
GETDNS_AUTHENTICATION_NONE = 1300,
|
||||||
GETDNS_AUTHENTICATION_HOSTNAME = 1301,
|
GETDNS_AUTHENTICATION_REQUIRED = 1301,
|
||||||
|
GETDNS_AUTHENTICATION_HOSTNAME = 1301, /* an alias for REQUIRED */
|
||||||
} getdns_tls_authentication_t;
|
} getdns_tls_authentication_t;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -426,7 +427,7 @@ typedef enum getdns_tls_authentication_t {
|
||||||
* @{
|
* @{
|
||||||
*/
|
*/
|
||||||
#define GETDNS_AUTHENTICATION_NONE_TEXT "See getdns_context_set_tls_authentication()"
|
#define GETDNS_AUTHENTICATION_NONE_TEXT "See getdns_context_set_tls_authentication()"
|
||||||
#define GETDNS_AUTHENTICATION_HOSTNAME_TEXT "See getdns_context_set_tls_authentication()"
|
#define GETDNS_AUTHENTICATION_REQUIRED_TEXT "See getdns_context_set_tls_authentication()"
|
||||||
/** @}
|
/** @}
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -835,7 +835,7 @@ tls_failed(getdns_upstream *upstream)
|
||||||
|
|
||||||
static int
|
static int
|
||||||
tls_auth_status_ok(getdns_upstream *upstream, getdns_network_req *netreq) {
|
tls_auth_status_ok(getdns_upstream *upstream, getdns_network_req *netreq) {
|
||||||
return (netreq->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME &&
|
return (netreq->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED &&
|
||||||
upstream->tls_auth_failed) ? 0 : 1;
|
upstream->tls_auth_failed) ? 0 : 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -909,7 +909,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||||
X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
|
X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
|
||||||
#else
|
#else
|
||||||
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME) {
|
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
|
||||||
/* TODO: Trigger post-handshake custom validation*/
|
/* TODO: Trigger post-handshake custom validation*/
|
||||||
DEBUG_STUB("--- %s, ERROR: TLS Authentication functionality not available\n", __FUNCTION__);
|
DEBUG_STUB("--- %s, ERROR: TLS Authentication functionality not available\n", __FUNCTION__);
|
||||||
upstream->tls_hs_state = GETDNS_HS_FAILED;
|
upstream->tls_hs_state = GETDNS_HS_FAILED;
|
||||||
|
|
@ -918,11 +918,11 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
/* Allow fallback to opportunistic if settings permit it*/
|
/* Allow fallback to opportunistic if settings permit it*/
|
||||||
if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_HOSTNAME)
|
if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
|
||||||
upstream->tls_fallback_ok = 1;
|
upstream->tls_fallback_ok = 1;
|
||||||
} else {
|
} else {
|
||||||
/* Lack of host name is OK unless only authenticated TLS is specified*/
|
/* Lack of host name is OK unless only authenticated TLS is specified*/
|
||||||
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME) {
|
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
|
||||||
DEBUG_STUB("--- %s, ERROR: No host name provided for TLS authentication\n", __FUNCTION__);
|
DEBUG_STUB("--- %s, ERROR: No host name provided for TLS authentication\n", __FUNCTION__);
|
||||||
upstream->tls_hs_state = GETDNS_HS_FAILED;
|
upstream->tls_hs_state = GETDNS_HS_FAILED;
|
||||||
upstream->tls_auth_failed = 1;
|
upstream->tls_auth_failed = 1;
|
||||||
|
|
|
||||||
|
|
@ -481,7 +481,7 @@ print_usage(FILE *out, const char *progname)
|
||||||
fprintf(out, "\t-K <pin>\tPin a public key for TLS connections (can repeat)\n");
|
fprintf(out, "\t-K <pin>\tPin a public key for TLS connections (can repeat)\n");
|
||||||
fprintf(out, "\t\t(should look like '" EXAMPLE_PIN "')\n");
|
fprintf(out, "\t\t(should look like '" EXAMPLE_PIN "')\n");
|
||||||
fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n");
|
fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n");
|
||||||
fprintf(out, "\t-m\tSet TLS authentication mode to HOSTNAME\n");
|
fprintf(out, "\t-m\tSet TLS authentication mode to REQUIRED\n");
|
||||||
fprintf(out, "\t-p\tPretty print response dict\n");
|
fprintf(out, "\t-p\tPretty print response dict\n");
|
||||||
fprintf(out, "\t-P <blocksize>\tPad TLS queries to a multiple of blocksize\n");
|
fprintf(out, "\t-P <blocksize>\tPad TLS queries to a multiple of blocksize\n");
|
||||||
fprintf(out, "\t-r\tSet recursing resolution type\n");
|
fprintf(out, "\t-r\tSet recursing resolution type\n");
|
||||||
|
|
@ -865,7 +865,7 @@ getdns_return_t parse_args(int argc, char **argv)
|
||||||
break;
|
break;
|
||||||
case 'm':
|
case 'm':
|
||||||
getdns_context_set_tls_authentication(context,
|
getdns_context_set_tls_authentication(context,
|
||||||
GETDNS_AUTHENTICATION_HOSTNAME);
|
GETDNS_AUTHENTICATION_REQUIRED);
|
||||||
break;
|
break;
|
||||||
case 'P':
|
case 'P':
|
||||||
if (c[1] != 0 || ++i >= argc || !*argv[i]) {
|
if (c[1] != 0 || ++i >= argc || !*argv[i]) {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue