mirror of https://github.com/getdnsapi/getdns.git
getdns_context_set_ciphers_list()
This commit is contained in:
Willem Toorop
parent
2bd5df4959
commit
7fe3bd6a1f
|
|
@ -1,4 +1,6 @@
|
|||
* 2017-12-??: Version 1.3.0
|
||||
* Specify available cipher suites for authenticated TLS upstreams
|
||||
with getdns_context_set_ciphers_list()
|
||||
* PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
|
||||
Thanks Pascal Ernster
|
||||
* Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
|
||||
|
|
|
|||
|
|
@ -91,6 +91,7 @@ static struct const_info consts_info[] = {
|
|||
{ 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT },
|
||||
{ 631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT },
|
||||
{ 632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT },
|
||||
{ 633, "GETDNS_CONTEXT_CODE_CIPHER_LIST", GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT },
|
||||
{ 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
|
||||
{ 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
|
||||
{ 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT },
|
||||
|
|
@ -163,6 +164,7 @@ static struct const_name_info consts_name_info[] = {
|
|||
{ "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 },
|
||||
{ "GETDNS_CONTEXT_CODE_CAFILE", 632 },
|
||||
{ "GETDNS_CONTEXT_CODE_CAPATH", 631 },
|
||||
{ "GETDNS_CONTEXT_CODE_CIPHER_LIST", 633 },
|
||||
{ "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 },
|
||||
{ "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 },
|
||||
{ "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 },
|
||||
|
|
|
|||
|
|
@ -1377,11 +1377,11 @@ static void _getdns_check_expired_pending_netreqs_cb(void *arg)
|
|||
_getdns_check_expired_pending_netreqs((getdns_context *)arg, &now_ms);
|
||||
}
|
||||
|
||||
static const char *_getdns_default_trust_anchors_url =
|
||||
static char const * const _getdns_default_trust_anchors_url =
|
||||
"http://data.iana.org/root-anchors/root-anchors.xml";
|
||||
|
||||
/* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
|
||||
static const char *_getdns_default_trust_anchors_verify_CA =
|
||||
static char const * const _getdns_default_trust_anchors_verify_CA =
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
|
||||
"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
|
||||
|
|
@ -1404,9 +1404,12 @@ static const char *_getdns_default_trust_anchors_verify_CA =
|
|||
"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
|
||||
"-----END CERTIFICATE-----\n";
|
||||
|
||||
static const char *_getdns_default_trust_anchors_verify_email =
|
||||
static char const * const _getdns_default_trust_anchors_verify_email =
|
||||
"dnssec@iana.org";
|
||||
|
||||
static char const * const _getdns_default_cipher_list =
|
||||
"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
|
||||
"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
|
||||
|
||||
/*
|
||||
* getdns_context_create
|
||||
|
|
@ -1515,6 +1518,7 @@ getdns_context_create_with_extended_memory_functions(
|
|||
result->appdata_dir = NULL;
|
||||
result->CApath = NULL;
|
||||
result->CAfile = NULL;
|
||||
result->cipher_list = NULL;
|
||||
|
||||
(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
|
||||
|
||||
|
|
@ -1783,7 +1787,8 @@ getdns_context_destroy(struct getdns_context *context)
|
|||
GETDNS_FREE(context->mf, context->CApath);
|
||||
if (context->CAfile)
|
||||
GETDNS_FREE(context->mf, context->CAfile);
|
||||
|
||||
if (context->cipher_list)
|
||||
GETDNS_FREE(context->mf, context->cipher_list);
|
||||
|
||||
#ifdef USE_WINSOCK
|
||||
WSACleanup();
|
||||
|
|
@ -3574,8 +3579,9 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
|
|||
# endif
|
||||
/* Be strict and only use the cipher suites recommended in RFC7525
|
||||
Unless we later fallback to opportunistic. */
|
||||
const char* const PREFERRED_CIPHERS = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
|
||||
if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS))
|
||||
if (!SSL_CTX_set_cipher_list(context->tls_ctx,
|
||||
context->cipher_list ? context->cipher_list
|
||||
: _getdns_default_cipher_list))
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
/* For strict authentication, we must have local root certs available
|
||||
Set up is done only when the tls_ctx is created (per getdns_context)*/
|
||||
|
|
@ -3891,6 +3897,8 @@ _get_context_settings(getdns_context* context)
|
|||
(void) getdns_dict_util_set_string(result, "CApath", str_value);
|
||||
if (!getdns_context_get_CAfile(context, &str_value) && str_value)
|
||||
(void) getdns_dict_util_set_string(result, "CAfile", str_value);
|
||||
if (!getdns_context_get_cipher_list(context, &str_value) && str_value)
|
||||
(void) getdns_dict_util_set_string(result, "cipher_list", str_value);
|
||||
|
||||
/* Default settings for extensions */
|
||||
(void)getdns_dict_set_int(
|
||||
|
|
@ -4683,6 +4691,7 @@ _getdns_context_config_setting(getdns_context *context,
|
|||
CONTEXT_SETTING_STRING(hosts)
|
||||
CONTEXT_SETTING_STRING(CApath)
|
||||
CONTEXT_SETTING_STRING(CAfile)
|
||||
CONTEXT_SETTING_STRING(cipher_list)
|
||||
|
||||
/**************************************/
|
||||
/**** ****/
|
||||
|
|
@ -5233,4 +5242,32 @@ getdns_context_get_CAfile(getdns_context *context, const char **CAfile)
|
|||
return GETDNS_RETURN_GOOD;
|
||||
}
|
||||
|
||||
getdns_return_t
|
||||
getdns_context_set_cipher_list(getdns_context *context, const char *cipher_list)
|
||||
{
|
||||
if (!context)
|
||||
return GETDNS_RETURN_INVALID_PARAMETER;
|
||||
if (context->cipher_list)
|
||||
GETDNS_FREE(context->mf, context->cipher_list);
|
||||
context->cipher_list = cipher_list
|
||||
? _getdns_strdup(&context->mf, cipher_list)
|
||||
: NULL;
|
||||
|
||||
dispatch_updated(context, GETDNS_CONTEXT_CODE_CIPHER_LIST);
|
||||
return GETDNS_RETURN_GOOD;
|
||||
}
|
||||
|
||||
getdns_return_t
|
||||
getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list)
|
||||
{
|
||||
if (!context || !cipher_list)
|
||||
return GETDNS_RETURN_INVALID_PARAMETER;
|
||||
|
||||
*cipher_list = context->cipher_list
|
||||
? context->cipher_list
|
||||
: _getdns_default_cipher_list;
|
||||
return GETDNS_RETURN_GOOD;
|
||||
}
|
||||
|
||||
|
||||
/* context.c */
|
||||
|
|
|
|||
|
|
@ -345,6 +345,7 @@ struct getdns_context {
|
|||
|
||||
char *CApath;
|
||||
char *CAfile;
|
||||
char *cipher_list;
|
||||
|
||||
getdns_upstreams *upstreams;
|
||||
uint16_t limit_outstanding_queries;
|
||||
|
|
|
|||
|
|
@ -98,6 +98,8 @@ extern "C" {
|
|||
#define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath"
|
||||
#define GETDNS_CONTEXT_CODE_CAFILE 632
|
||||
#define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile"
|
||||
#define GETDNS_CONTEXT_CODE_CIPHER_LIST 633
|
||||
#define GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT "Change related to getdns_context_set_cipher_list"
|
||||
|
||||
/** @}
|
||||
*/
|
||||
|
|
@ -739,6 +741,17 @@ getdns_context_set_CApath(getdns_context *context, const char *CApath);
|
|||
getdns_return_t
|
||||
getdns_context_set_CAfile(getdns_context *context, const char *CAfile);
|
||||
|
||||
/**
|
||||
* Sets the list of available ciphers for authenticated TLS upstreams.
|
||||
* @see getdns_context_get_cipher_list
|
||||
* @param[in] context The context to configure
|
||||
* @param[in] cipher_list The cipher list
|
||||
* @return GETDNS_RETURN_GOOD when successful
|
||||
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
|
||||
*/
|
||||
getdns_return_t
|
||||
getdns_context_set_cipher_list(getdns_context *context, const char *CAfile);
|
||||
|
||||
/**
|
||||
* Get the current resolution type setting from this context.
|
||||
* @see getdns_context_set_resolution_type
|
||||
|
|
@ -1246,6 +1259,18 @@ getdns_context_get_CApath(getdns_context *context, const char **CApath);
|
|||
getdns_return_t
|
||||
getdns_context_get_CAfile(getdns_context *context, const char **CAfile);
|
||||
|
||||
/**
|
||||
* Get the list of available ciphers for authenticated TLS upstreams.
|
||||
* @see getdns_context_set_cipher_list
|
||||
* @param[in] context The context configure
|
||||
* @param[out] cipher_list The cipher list
|
||||
* @return GETDNS_RETURN_GOOD when successful
|
||||
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
|
||||
*/
|
||||
getdns_return_t
|
||||
getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list);
|
||||
|
||||
|
||||
/** @}
|
||||
*/
|
||||
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ getdns_context_get_CAfile
|
|||
getdns_context_get_CApath
|
||||
getdns_context_get_api_information
|
||||
getdns_context_get_append_name
|
||||
getdns_context_get_cipher_list
|
||||
getdns_context_get_dns_root_servers
|
||||
getdns_context_get_dns_transport
|
||||
getdns_context_get_dns_transport_list
|
||||
|
|
@ -48,6 +49,7 @@ getdns_context_set_CAfile
|
|||
getdns_context_set_CApath
|
||||
getdns_context_set_appdata_dir
|
||||
getdns_context_set_append_name
|
||||
getdns_context_set_cipher_list
|
||||
getdns_context_set_context_update_callback
|
||||
getdns_context_set_dns_root_servers
|
||||
getdns_context_set_dns_transport
|
||||
|
|
|
|||
Loading…
Reference in New Issue