interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

getdns_context_set_ciphers_list()

This commit is contained in:
Willem Toorop 2017-12-20 13:13:02 +01:00
parent 2bd5df4959
commit 7fe3bd6a1f
6 changed files with 75 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@ -1,4 +1,6 @@
* 2017-12-??: Version 1.3.0 * 2017-12-??: Version 1.3.0
* Specify available cipher suites for authenticated TLS upstreams
with getdns_context_set_ciphers_list()
* PR #366: Add support for TLS 1.3 and Chacha20-Poly1305 * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
Thanks Pascal Ernster Thanks Pascal Ernster
* Bugfix #356: Do Zero configuration DNSSEC meta queries over on the * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the

2
src/const-info.c
View File

@ -91,6 +91,7 @@ static struct const_info consts_info[] = {
{ 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT }, { 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT },
{ 631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT }, { 631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT },
{ 632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT }, { 632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT },
{ 633, "GETDNS_CONTEXT_CODE_CIPHER_LIST", GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT },
{ 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
{ 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
{ 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT }, { 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT },
@ -163,6 +164,7 @@ static struct const_name_info consts_name_info[] = {
{ "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 }, { "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 },
{ "GETDNS_CONTEXT_CODE_CAFILE", 632 }, { "GETDNS_CONTEXT_CODE_CAFILE", 632 },
{ "GETDNS_CONTEXT_CODE_CAPATH", 631 }, { "GETDNS_CONTEXT_CODE_CAPATH", 631 },
{ "GETDNS_CONTEXT_CODE_CIPHER_LIST", 633 },
{ "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 }, { "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 },
{ "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 }, { "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 },
{ "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 }, { "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 },

49
src/context.c
View File

@ -1377,11 +1377,11 @@ static void _getdns_check_expired_pending_netreqs_cb(void *arg)
_getdns_check_expired_pending_netreqs((getdns_context *)arg, &now_ms); _getdns_check_expired_pending_netreqs((getdns_context *)arg, &now_ms);
} }
static const char *_getdns_default_trust_anchors_url = static char const * const _getdns_default_trust_anchors_url =
"http://data.iana.org/root-anchors/root-anchors.xml"; "http://data.iana.org/root-anchors/root-anchors.xml";
/* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */ /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
static const char *_getdns_default_trust_anchors_verify_CA = static char const * const _getdns_default_trust_anchors_verify_CA =
"-----BEGIN CERTIFICATE-----\n" "-----BEGIN CERTIFICATE-----\n"
"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n" "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n" "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
@ -1404,9 +1404,12 @@ static const char *_getdns_default_trust_anchors_verify_CA =
"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n" "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
"-----END CERTIFICATE-----\n"; "-----END CERTIFICATE-----\n";
static const char *_getdns_default_trust_anchors_verify_email = static char const * const _getdns_default_trust_anchors_verify_email =
"dnssec@iana.org"; "dnssec@iana.org";
static char const * const _getdns_default_cipher_list =
"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
/* /*
* getdns_context_create * getdns_context_create
@ -1515,6 +1518,7 @@ getdns_context_create_with_extended_memory_functions(
result->appdata_dir = NULL; result->appdata_dir = NULL;
result->CApath = NULL; result->CApath = NULL;
result->CAfile = NULL; result->CAfile = NULL;
result->cipher_list = NULL;
(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk)); (void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
@ -1783,7 +1787,8 @@ getdns_context_destroy(struct getdns_context *context)
GETDNS_FREE(context->mf, context->CApath); GETDNS_FREE(context->mf, context->CApath);
if (context->CAfile) if (context->CAfile)
GETDNS_FREE(context->mf, context->CAfile); GETDNS_FREE(context->mf, context->CAfile);
if (context->cipher_list)
GETDNS_FREE(context->mf, context->cipher_list);
#ifdef USE_WINSOCK #ifdef USE_WINSOCK
WSACleanup(); WSACleanup();
@ -3574,8 +3579,9 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
# endif # endif
/* Be strict and only use the cipher suites recommended in RFC7525 /* Be strict and only use the cipher suites recommended in RFC7525
Unless we later fallback to opportunistic. */ Unless we later fallback to opportunistic. */
const char* const PREFERRED_CIPHERS = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20"; if (!SSL_CTX_set_cipher_list(context->tls_ctx,
if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS)) context->cipher_list ? context->cipher_list
: _getdns_default_cipher_list))
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
/* For strict authentication, we must have local root certs available /* For strict authentication, we must have local root certs available
Set up is done only when the tls_ctx is created (per getdns_context)*/ Set up is done only when the tls_ctx is created (per getdns_context)*/
@ -3891,6 +3897,8 @@ _get_context_settings(getdns_context* context)
(void) getdns_dict_util_set_string(result, "CApath", str_value); (void) getdns_dict_util_set_string(result, "CApath", str_value);
if (!getdns_context_get_CAfile(context, &str_value) && str_value) if (!getdns_context_get_CAfile(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "CAfile", str_value); (void) getdns_dict_util_set_string(result, "CAfile", str_value);
if (!getdns_context_get_cipher_list(context, &str_value) && str_value)
(void) getdns_dict_util_set_string(result, "cipher_list", str_value);
/* Default settings for extensions */ /* Default settings for extensions */
(void)getdns_dict_set_int( (void)getdns_dict_set_int(
@ -4683,6 +4691,7 @@ _getdns_context_config_setting(getdns_context *context,
CONTEXT_SETTING_STRING(hosts) CONTEXT_SETTING_STRING(hosts)
CONTEXT_SETTING_STRING(CApath) CONTEXT_SETTING_STRING(CApath)
CONTEXT_SETTING_STRING(CAfile) CONTEXT_SETTING_STRING(CAfile)
CONTEXT_SETTING_STRING(cipher_list)
/**************************************/ /**************************************/
/**** ****/ /**** ****/
@ -5233,4 +5242,32 @@ getdns_context_get_CAfile(getdns_context *context, const char **CAfile)
return GETDNS_RETURN_GOOD; return GETDNS_RETURN_GOOD;
} }
getdns_return_t
getdns_context_set_cipher_list(getdns_context *context, const char *cipher_list)
{
if (!context)
return GETDNS_RETURN_INVALID_PARAMETER;
if (context->cipher_list)
GETDNS_FREE(context->mf, context->cipher_list);
context->cipher_list = cipher_list
? _getdns_strdup(&context->mf, cipher_list)
: NULL;
dispatch_updated(context, GETDNS_CONTEXT_CODE_CIPHER_LIST);
return GETDNS_RETURN_GOOD;
}
getdns_return_t
getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list)
{
if (!context || !cipher_list)
return GETDNS_RETURN_INVALID_PARAMETER;
*cipher_list = context->cipher_list
? context->cipher_list
: _getdns_default_cipher_list;
return GETDNS_RETURN_GOOD;
}
/* context.c */ /* context.c */

1
src/context.h
View File

@ -345,6 +345,7 @@ struct getdns_context {
char *CApath; char *CApath;
char *CAfile; char *CAfile;
char *cipher_list;
getdns_upstreams *upstreams; getdns_upstreams *upstreams;
uint16_t limit_outstanding_queries; uint16_t limit_outstanding_queries;

25
src/getdns/getdns_extra.h.in
View File

@ -98,6 +98,8 @@ extern "C" {
#define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath" #define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath"
#define GETDNS_CONTEXT_CODE_CAFILE 632 #define GETDNS_CONTEXT_CODE_CAFILE 632
#define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile" #define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile"
#define GETDNS_CONTEXT_CODE_CIPHER_LIST 633
#define GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT "Change related to getdns_context_set_cipher_list"
/** @} /** @}
*/ */
@ -739,6 +741,17 @@ getdns_context_set_CApath(getdns_context *context, const char *CApath);
getdns_return_t getdns_return_t
getdns_context_set_CAfile(getdns_context *context, const char *CAfile); getdns_context_set_CAfile(getdns_context *context, const char *CAfile);
/**
* Sets the list of available ciphers for authenticated TLS upstreams.
* @see getdns_context_get_cipher_list
* @param[in] context The context to configure
* @param[in] cipher_list The cipher list
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_set_cipher_list(getdns_context *context, const char *CAfile);
/** /**
* Get the current resolution type setting from this context. * Get the current resolution type setting from this context.
* @see getdns_context_set_resolution_type * @see getdns_context_set_resolution_type
@ -1246,6 +1259,18 @@ getdns_context_get_CApath(getdns_context *context, const char **CApath);
getdns_return_t getdns_return_t
getdns_context_get_CAfile(getdns_context *context, const char **CAfile); getdns_context_get_CAfile(getdns_context *context, const char **CAfile);
/**
* Get the list of available ciphers for authenticated TLS upstreams.
* @see getdns_context_set_cipher_list
* @param[in] context The context configure
* @param[out] cipher_list The cipher list
* @return GETDNS_RETURN_GOOD when successful
* @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
*/
getdns_return_t
getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list);
/** @} /** @}
*/ */

2
src/libgetdns.symbols
View File

@ -11,6 +11,7 @@ getdns_context_get_CAfile
getdns_context_get_CApath getdns_context_get_CApath
getdns_context_get_api_information getdns_context_get_api_information
getdns_context_get_append_name getdns_context_get_append_name
getdns_context_get_cipher_list
getdns_context_get_dns_root_servers getdns_context_get_dns_root_servers
getdns_context_get_dns_transport getdns_context_get_dns_transport
getdns_context_get_dns_transport_list getdns_context_get_dns_transport_list
@ -48,6 +49,7 @@ getdns_context_set_CAfile
getdns_context_set_CApath getdns_context_set_CApath
getdns_context_set_appdata_dir getdns_context_set_appdata_dir
getdns_context_set_append_name getdns_context_set_append_name
getdns_context_set_cipher_list
getdns_context_set_context_update_callback getdns_context_set_context_update_callback
getdns_context_set_dns_root_servers getdns_context_set_dns_root_servers
getdns_context_set_dns_transport getdns_context_set_dns_transport