From b90ba236ae1961c4e75c795163af8a945434a2b1 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 22 Nov 2018 11:37:28 +0100
Subject: [PATCH] tls_ciphersuites, tls_cipher_list, tls_curve_list, tls_min_version & tls_max_version settings must cause failure when not supported by the TLS library. Not during configure time, but during connection setup so it doesn't hamper alternative transports.

---
 src/context.c | 26 +++++++++++++++++++-------
 src/stub.c | 38 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 55 insertions(+), 9 deletions(-)

diff --git a/src/context.c b/src/context.c
index d79d7876..7b879f60 100644
--- a/src/context.c
+++ b/src/context.c
@@ -3095,6 +3095,9 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
  getdns_bindata *tls_ciphersuites = NULL;
  getdns_bindata *tls_curves_list = NULL;
  uint32_t tls_version;
+ /* Missing support in TLS library is
+  * detected and reported during connection setup.
+  */
  if ((r = getdns_dict_get_bindata(
      dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
@@ -3190,11 +3193,6 @@ invalid_parameter:
 error:
  _getdns_upstreams_dereference(upstreams);
  return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
-#if !defined(HAVE_DECL_SSL_SET1_CURVES_LIST) || !HAVE_DECL_SSL_SET1_CURVES_LIST
-not_implemented:
- _getdns_upstreams_dereference(upstreams);
- return GETDNS_RETURN_NOT_IMPLEMENTED;
-#endif
 } /* getdns_context_set_upstream_recursive_servers */
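Review bot: The comment added after `uint32_t tls_version;` says missing library support is "detected and reported during connection setup", but this same patch also rejects the settings earlier, in _getdns_context_prepare_for_resolution() (the context.c hunks below return GETDNS_RETURN_NOT_IMPLEMENTED there), so a reader following the comment looks in only one of the two places. Suggest naming both sites: `/* Missing support for these settings in the TLS library is not checked here; it is reported from _getdns_context_prepare_for_resolution() and, per connection, from tls_create_object() in stub.c. */`. The subject line also lists tls_cipher_list, yet no hunk in this patch touches tls_cipher_list handling; if it needs no library check, saying so in this comment would save the next reader the search. The body of getdns_context_set_upstream_recursive_servers() continues outside the hunk.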
@@ -3721,8 +3719,8 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
  if(context->tls_ctx == NULL)
   return GETDNS_RETURN_BAD_CONTEXT;
-# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
- fprintf(stderr, "SSL_CTX_set_min_proto_version(%d)\n", context->tls_min_version);
+# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \
+ && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
  if (!SSL_CTX_set_min_proto_version(context->tls_ctx,
      _getdns_tls_version2openssl_version(context->tls_min_version))) {
   SSL_CTX_free(context->tls_ctx);
@@ -3736,6 +3734,14 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
   context->tls_ctx = NULL;
   return GETDNS_RETURN_BAD_CONTEXT;
  }
+# else
+# ifndef HAVE_TLS_CLIENT_METHOD
+ if (( context->tls_min_version
+     && context->tls_min_version != GETDNS_TLS1_2)
+     || context->tls_max_version) {
+  return GETDNS_RETURN_NOT_IMPLEMENTED;
+ }
+# endif
 # endif
  /* Be strict and only use the cipher suites recommended in RFC7525
     Unless we later fallback to opportunistic. */
@@ -3748,11 +3754,17 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
      context->tls_ciphersuites ? context->tls_ciphersuites
      : _getdns_default_tls_ciphersuites))
   return GETDNS_RETURN_BAD_CONTEXT;
+# else
+ if (context->tls_ciphersuites)
+  return GETDNS_RETURN_NOT_IMPLEMENTED;
 # endif
 # if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
  if (context->tls_curves_list &&
      !SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
   return GETDNS_RETURN_BAD_CONTEXT;
+# else
+ if (context->tls_curves_list)
+  return GETDNS_RETURN_NOT_IMPLEMENTED;
 # endif
  /* For strict authentication, we must have local root certs available
     Set up is done only when the tls_ctx is created (per getdns_context)*/
diff --git a/src/stub.c b/src/stub.c
index e4f764a4..7dfcf1cb 100644
--- a/src/stub.c
+++ b/src/stub.c
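Review bot: The new `return GETDNS_RETURN_NOT_IMPLEMENTED;` inside the `# ifndef HAVE_TLS_CLIENT_METHOD` branch leaves context->tls_ctx allocated and attached to the context, whereas the supported-path failure directly above it (visible as context: `SSL_CTX_free(context->tls_ctx); context->tls_ctx = NULL;`) releases it before returning; the two `# else` branches in the next hunk, for tls_ciphersuites and tls_curves_list, have the same shape. Whether this is a leak or only an inconsistent context state after an error depends on whether the context destructor frees tls_ctx, which is not visible here; either way the new branches would be safer mirroring the existing path, `SSL_CTX_free(context->tls_ctx); context->tls_ctx = NULL; return GETDNS_RETURN_NOT_IMPLEMENTED;`. Separately, the condition tolerates tls_min_version == GETDNS_TLS1_2 but rejects every non-zero tls_max_version; if the reason is that a library without TLS_client_method() only speaks TLS 1.2 (inferred, not shown in the hunk), then a tls_max_version of GETDNS_TLS1_2 is equally satisfiable and the same exception could apply to it. _getdns_context_prepare_for_resolution() starts and ends outside these hunks.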
@@ -935,8 +935,18 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
  if (upstream->tls_curves_list &&
      !SSL_set1_curves_list(ssl, upstream->tls_curves_list)) {
   _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
-     GETDNS_LOG_ERR, "%-40s : Error configuring tls_curves_list"
+     GETDNS_LOG_ERR, "%-40s : Error configuring tls_curves_list "
      "\"%s\"\n", upstream->addr_str, upstream->tls_curves_list);
+  SSL_free(ssl);
+  return NULL;
+ }
+#else
+ if (upstream->tls_curves_list) {
+  _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+     GETDNS_LOG_ERR, "%-40s : tls_curves_list not supported "
+     "in tls library\n", upstream->addr_str);
+  SSL_free(ssl);
+  return NULL;
  }
 #endif
 #ifdef HAVE_SSL_SET_CIPHERSUITES
@@ -946,8 +956,17 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
      GETDNS_LOG_ERR, "%-40s : Error configuring tls_ciphersuites "
      "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
  }
+#else
+ if (upstream->tls_ciphersuites) {
+  _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+     GETDNS_LOG_ERR, "%-40s : tls_ciphersuites not "
+     "supported in tls library\n", upstream->addr_str);
+  SSL_free(ssl);
+  return NULL;
+ }
 #endif
-#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \
+    && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
  if (upstream->tls_min_version && !SSL_set_min_proto_version(ssl,
      _getdns_tls_version2openssl_version(upstream->tls_min_version))) {
   struct const_info *ci =
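Review bot: The "log, SSL_free(ssl), return NULL" triplet introduced in the new `#else` block here is repeated with only the setting name changed in the next hunk (tls_ciphersuites) and twice more in the tls_min_version/tls_max_version hunk, five near-identical blocks in tls_create_object() in total. A small static helper that takes the setting name keeps the message text identical (the `%-40s : <name> not supported in tls library` output does not change) and makes each branch a one-liner, assuming tls_create_object() returns the SSL pointer, which its `return NULL` suggests. tls_create_object() starts before and ends after this hunk.

```c
/* Report that the TLS library cannot honour `setting` for this upstream and
 * abandon the connection attempt: ssl is released and NULL is returned for
 * the caller to hand back. */
static SSL *tls_setting_unsupported(getdns_upstream *upstream, SSL *ssl,
    const char *setting)
{
	_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
	    GETDNS_LOG_ERR, "%-40s : %s not supported in tls library\n",
	    upstream->addr_str, setting);
	SSL_free(ssl);
	return NULL;
}

/* … unchanged: supported-library branch of the curves check … */
#else
	if (upstream->tls_curves_list)
		return tls_setting_unsupported(upstream, ssl, "tls_curves_list");
#endif
```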
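Review bot: In the HAVE_SSL_SET_CIPHERSUITES branch the context lines show that a tls_ciphersuites string the library rejects is only logged and the function carries on (the `}` right after the log call has no SSL_free/return before it), so the handshake proceeds with the library's default suites instead of the ones the operator configured; that is the opposite of the hard failure this patch adds for the `#else` case and for tls_curves_list in the previous hunk, and it undercuts the commit's stated goal that these settings "must cause failure". Add `SSL_free(ssl); return NULL;` after the log, matching the curves path. The tail of the next hunk shows the same shape for tls_max_version (log call followed by `}`), so that branch likely continues after a failed SSL_set_max_proto_version as well; the start of both `if` statements is outside the hunks, so confirm against the full function.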
@@ -978,6 +997,21 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
      "tls_max_version \"%d\"\n", upstream->addr_str,
      upstream->tls_max_version);
  }
+#else
+ if (upstream->tls_min_version) {
+  _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+     GETDNS_LOG_ERR, "%-40s : tls_min_version not "
+     "supported in tls library\n", upstream->addr_str);
+  SSL_free(ssl);
+  return NULL;
+ }
+ if (upstream->tls_max_version) {
+  _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+     GETDNS_LOG_ERR, "%-40s : tls_max_version not "
+     "supported in tls library\n", upstream->addr_str);
+  SSL_free(ssl);
+  return NULL;
+ }
 #endif
  /* make sure we'll be able to find the context again when we need it */
  if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) {
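Review bot: The new `#else` branch rejects every non-zero upstream->tls_min_version, while the context-level check this patch adds in context.c (`# ifndef HAVE_TLS_CLIENT_METHOD`) accepts GETDNS_TLS1_2 as a minimum, so the two sites disagree on whether a TLS 1.2 minimum counts as supported when SSL_set_min_proto_version is absent, and the per-upstream setting gets the stricter answer with no HAVE_TLS_CLIENT_METHOD sub-case at all. If the context.c exception is intentional, the same condition should be used here, `if (upstream->tls_min_version && upstream->tls_min_version != GETDNS_TLS1_2) {` under the same `#ifndef HAVE_TLS_CLIENT_METHOD` guard; if it is not, a comment on one of the two sites explaining why they differ would stop the next reader from "fixing" it. The two new blocks differ only in the setting name and could also be folded into one test that picks the name. tls_create_object() continues outside the hunk.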