From 8f88981efe16a299f9a83c7d81513058c02c8e2a Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 21 Dec 2017 11:35:05 +0100 Subject: [PATCH] rename set_cipher_list() to set_tls_cipher_list() --- ChangeLog | 2 +- src/const-info.c | 4 ++-- src/context.c | 44 +++++++++++++++++++----------------- src/context.h | 2 +- src/getdns/getdns_extra.h.in | 14 +++++++----- src/libgetdns.symbols | 4 ++-- 6 files changed, 37 insertions(+), 33 deletions(-) diff --git a/ChangeLog b/ChangeLog index 503db698..94c09909 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ * 2017-12-??: Version 1.3.0 * Specify available cipher suites for authenticated TLS upstreams - with getdns_context_set_ciphers_list() + with getdns_context_set_tls_ciphers_list() * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305 Thanks Pascal Ernster * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the diff --git a/src/const-info.c b/src/const-info.c index 1cd30020..28f6ff60 100644 --- a/src/const-info.c +++ b/src/const-info.c @@ -91,7 +91,7 @@ static struct const_info consts_info[] = { { 630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT }, { 631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT }, { 632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT }, - { 633, "GETDNS_CONTEXT_CODE_CIPHER_LIST", GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT }, + { 633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT }, { 700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT }, { 701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT }, { 702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT }, 
@@ -164,7 +164,6 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 }, { "GETDNS_CONTEXT_CODE_CAFILE", 632 }, { "GETDNS_CONTEXT_CODE_CAPATH", 631 }, - { "GETDNS_CONTEXT_CODE_CIPHER_LIST", 633 }, { "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 }, { "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 }, { "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 }, @@ -188,6 +187,7 @@ static struct const_name_info consts_name_info[] = { { "GETDNS_CONTEXT_CODE_TIMEOUT", 616 }, { "GETDNS_CONTEXT_CODE_TLS_AUTHENTICATION", 618 }, { "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 }, + { "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 }, { "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 }, { "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 }, { "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 }, diff --git a/src/context.c b/src/context.c index 90a35beb..973f577b 100644 --- a/src/context.c +++ b/src/context.c @@ -1407,7 +1407,7 @@ static char const * const _getdns_default_trust_anchors_verify_CA = static char const * const _getdns_default_trust_anchors_verify_email = "dnssec@iana.org"; -static char const * const _getdns_default_cipher_list = +static char const * const _getdns_default_tls_cipher_list = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:" "TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20"; @@ -1518,7 +1518,7 @@ getdns_context_create_with_extended_memory_functions( result->appdata_dir = NULL; result->CApath = NULL; result->CAfile = NULL; - result->cipher_list = NULL; + result->tls_cipher_list = NULL; (void) memset(&result->root_ksk, 0, sizeof(result->root_ksk)); 
@@ -1787,8 +1787,8 @@ getdns_context_destroy(struct getdns_context *context) GETDNS_FREE(context->mf, context->CApath); if (context->CAfile) GETDNS_FREE(context->mf, context->CAfile); - if (context->cipher_list) - GETDNS_FREE(context->mf, context->cipher_list); + if (context->tls_cipher_list) + GETDNS_FREE(context->mf, context->tls_cipher_list); #ifdef USE_WINSOCK WSACleanup(); @@ -3580,8 +3580,8 @@ _getdns_context_prepare_for_resolution(getdns_context *context) /* Be strict and only use the cipher suites recommended in RFC7525 Unless we later fallback to opportunistic. */ if (!SSL_CTX_set_cipher_list(context->tls_ctx, - context->cipher_list ? context->cipher_list - : _getdns_default_cipher_list)) + context->tls_cipher_list ? context->tls_cipher_list + : _getdns_default_tls_cipher_list)) return GETDNS_RETURN_BAD_CONTEXT; /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/ @@ -3897,8 +3897,8 @@ _get_context_settings(getdns_context* context) (void) getdns_dict_util_set_string(result, "CApath", str_value); if (!getdns_context_get_CAfile(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "CAfile", str_value); - if (!getdns_context_get_cipher_list(context, &str_value) && str_value) - (void) getdns_dict_util_set_string(result, "cipher_list", str_value); + if (!getdns_context_get_tls_cipher_list(context, &str_value) && str_value) + (void) getdns_dict_util_set_string(result, "tls_cipher_list", str_value); /* Default settings for extensions */ (void)getdns_dict_set_int( @@ -4691,7 +4691,7 @@ _getdns_context_config_setting(getdns_context *context, CONTEXT_SETTING_STRING(hosts) CONTEXT_SETTING_STRING(CApath) CONTEXT_SETTING_STRING(CAfile) - CONTEXT_SETTING_STRING(cipher_list) + CONTEXT_SETTING_STRING(tls_cipher_list) /**************************************/ /**** ****/ 
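Review bot: The comment above the SSL_CTX_set_cipher_list() call in the _getdns_context_prepare_for_resolution hunk (`Be strict and only use the cipher suites recommended in RFC7525`) now describes only the default branch; when context->tls_cipher_list is set, that string is handed to OpenSSL as-is and the only check it receives is the call's return value, so any list from which OpenSSL can select at least one cipher is accepted, strong or not. Suggest rewording it to `/* Default to the RFC7525-recommended suites; a list configured via getdns_context_set_tls_cipher_list() replaces it unchanged, and only a list from which OpenSSL can select no cipher is rejected here. */` so a reader does not take the strictness claim as covering user-supplied lists. The enclosing function starts and ends outside the hunk.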
@@ -5243,29 +5243,31 @@ getdns_context_get_CAfile(getdns_context *context, const char **CAfile) } getdns_return_t -getdns_context_set_cipher_list(getdns_context *context, const char *cipher_list) +getdns_context_set_tls_cipher_list( + getdns_context *context, const char *tls_cipher_list) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; - if (context->cipher_list) - GETDNS_FREE(context->mf, context->cipher_list); - context->cipher_list = cipher_list - ? _getdns_strdup(&context->mf, cipher_list) - : NULL; + if (context->tls_cipher_list) + GETDNS_FREE(context->mf, context->tls_cipher_list); + context->tls_cipher_list = tls_cipher_list + ? _getdns_strdup(&context->mf, tls_cipher_list) + : NULL; - dispatch_updated(context, GETDNS_CONTEXT_CODE_CIPHER_LIST); + dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST); return GETDNS_RETURN_GOOD; } getdns_return_t -getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list) +getdns_context_get_tls_cipher_list( + getdns_context *context, const char **tls_cipher_list) { - if (!context || !cipher_list) + if (!context || !tls_cipher_list) return GETDNS_RETURN_INVALID_PARAMETER; - *cipher_list = context->cipher_list - ? context->cipher_list - : _getdns_default_cipher_list; + *tls_cipher_list = context->tls_cipher_list + ? context->tls_cipher_list + : _getdns_default_tls_cipher_list; return GETDNS_RETURN_GOOD; } diff --git a/src/context.h b/src/context.h index fe1ba18c..beab21ac 100644 --- a/src/context.h +++ b/src/context.h @@ -345,7 +345,7 @@ struct getdns_context { char *CApath; char *CAfile; - char *cipher_list; + char *tls_cipher_list; getdns_upstreams *upstreams; uint16_t limit_outstanding_queries; diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in index 9f949f72..fd353ef4 100644 --- a/src/getdns/getdns_extra.h.in +++ b/src/getdns/getdns_extra.h.in 
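Review bot: getdns_context_set_tls_cipher_list() frees the current list before it knows whether the new one can be duplicated, so if _getdns_strdup() returns NULL the context is left with tls_cipher_list == NULL (silently back on the default suites) while the caller still receives GETDNS_RETURN_GOOD. Duplicating first and releasing the old value only on success lets the failure be reported as GETDNS_RETURN_MEMORY_ERROR without losing the previous setting; the ordering predates the rename, but the body is rewritten here anyway. The parameter is named tls_cipher_list in this definition and cipher_list in the getdns_extra.h.in prototype; one spelling in both places would be clearer. The getter's fallback to _getdns_default_tls_cipher_list is fine as written.
```c
getdns_return_t
getdns_context_set_tls_cipher_list(
    getdns_context *context, const char *tls_cipher_list)
{
	char *dup = NULL;

	if (!context)
		return GETDNS_RETURN_INVALID_PARAMETER;
	/* Duplicate before freeing so an allocation failure leaves the
	 * previous setting intact and can be reported to the caller. */
	if (tls_cipher_list &&
	    !(dup = _getdns_strdup(&context->mf, tls_cipher_list)))
		return GETDNS_RETURN_MEMORY_ERROR;
	if (context->tls_cipher_list)
		GETDNS_FREE(context->mf, context->tls_cipher_list);
	context->tls_cipher_list = dup;
	/* … unchanged: dispatch_updated() and return … */
```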
@@ -98,8 +98,8 @@ extern "C" { #define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath" #define GETDNS_CONTEXT_CODE_CAFILE 632 #define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile" -#define GETDNS_CONTEXT_CODE_CIPHER_LIST 633 -#define GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT "Change related to getdns_context_set_cipher_list" +#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST 633 +#define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list" /** @} */ @@ -743,14 +743,15 @@ getdns_context_set_CAfile(getdns_context *context, const char *CAfile); /** * Sets the list of available ciphers for authenticated TLS upstreams. - * @see getdns_context_get_cipher_list + * @see getdns_context_get_tls_cipher_list * @param[in] context The context to configure * @param[in] cipher_list The cipher list * @return GETDNS_RETURN_GOOD when successful * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. */ getdns_return_t -getdns_context_set_cipher_list(getdns_context *context, const char *CAfile); +getdns_context_set_tls_cipher_list( + getdns_context *context, const char *cipher_list); /** * Get the current resolution type setting from this context. @@ -1261,14 +1262,15 @@ getdns_context_get_CAfile(getdns_context *context, const char **CAfile); /** * Get the list of available ciphers for authenticated TLS upstreams. - * @see getdns_context_set_cipher_list + * @see getdns_context_set_tls_cipher_list * @param[in] context The context configure * @param[out] cipher_list The cipher list * @return GETDNS_RETURN_GOOD when successful * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL. */ getdns_return_t -getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list); +getdns_context_get_tls_cipher_list( + getdns_context *context, const char **cipher_list); /** @} diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols index 35d2761f..2c67564f 100644 
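Review bot: The Doxygen block for getdns_context_get_tls_cipher_list() in the second hunk of this file documents GETDNS_RETURN_INVALID_PARAMETER only `when context was NULL`, but the definition in src/context.c also returns it when the cipher_list out-pointer is NULL, and the block says nothing about what the getter yields before any list was set (the built-in default) or that the returned pointer is owned by the context and is freed by a later set call or by context destruction. Suggest `@param[out] cipher_list The configured cipher list, or the built-in default when none was set; owned by the context, do not free` and `@return GETDNS_RETURN_INVALID_PARAMETER when context or cipher_list was NULL.`, and fixing the context line `The context configure` to `The context to query`. The prototypes here name the parameter cipher_list while the definitions in src/context.c use tls_cipher_list; pick one spelling. The ChangeLog entry in this commit refers to `getdns_context_set_tls_ciphers_list()`, which matches neither.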
--- a/src/libgetdns.symbols +++ b/src/libgetdns.symbols @@ -11,7 +11,6 @@ getdns_context_get_CAfile getdns_context_get_CApath getdns_context_get_api_information getdns_context_get_append_name -getdns_context_get_cipher_list getdns_context_get_dns_root_servers getdns_context_get_dns_transport getdns_context_get_dns_transport_list @@ -36,6 +35,7 @@ getdns_context_get_suffix getdns_context_get_timeout getdns_context_get_tls_authentication getdns_context_get_tls_backoff_time +getdns_context_get_tls_cipher_list getdns_context_get_tls_connection_retries getdns_context_get_tls_query_padding_blocksize getdns_context_get_trust_anchors_url @@ -49,7 +49,6 @@ getdns_context_set_CAfile getdns_context_set_CApath getdns_context_set_appdata_dir getdns_context_set_append_name -getdns_context_set_cipher_list getdns_context_set_context_update_callback getdns_context_set_dns_root_servers getdns_context_set_dns_transport @@ -79,6 +78,7 @@ getdns_context_set_suffix getdns_context_set_timeout getdns_context_set_tls_authentication getdns_context_set_tls_backoff_time +getdns_context_set_tls_cipher_list getdns_context_set_tls_connection_retries getdns_context_set_tls_query_padding_blocksize getdns_context_set_trust_anchors_url