mirror of https://github.com/getdnsapi/getdns.git
OpenSSL 1.1 support
This commit is contained in:
Willem Toorop
parent
3fa34dcfca
commit
bb3d741f7a
|
|
@ -245,6 +245,7 @@ else
|
|||
fi
|
||||
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method])
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
||||
AC_INCLUDES_DEFAULT
|
||||
|
|
|
|||
|
|
@ -672,6 +672,15 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
|
|||
GETDNS_FREE(upstreams->mf, upstreams);
|
||||
}
|
||||
|
||||
#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
|
||||
static char*
|
||||
getdns_auth_str_array[] = {
|
||||
GETDNS_STR_AUTH_NONE,
|
||||
GETDNS_STR_AUTH_FAILED,
|
||||
GETDNS_STR_AUTH_OK
|
||||
};
|
||||
#endif
|
||||
|
||||
void
|
||||
_getdns_upstream_shutdown(getdns_upstream *upstream)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -23,6 +23,15 @@
|
|||
#ifdef HAVE_OPENSSL_ENGINE_H
|
||||
# include <openssl/engine.h>
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL_BN_H
|
||||
#include <openssl/bn.h>
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL_RSA_H
|
||||
#include <openssl/rsa.h>
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL_DSA_H
|
||||
#include <openssl/dsa.h>
|
||||
#endif
|
||||
#endif /* HAVE_SSL */
|
||||
|
||||
size_t
|
||||
|
|
@ -215,6 +224,7 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
|
|||
BN_free(Y);
|
||||
return NULL;
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
|
||||
#ifndef S_SPLINT_S
|
||||
dsa->p = P;
|
||||
dsa->q = Q;
|
||||
|
|
@ -222,6 +232,25 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
|
|||
dsa->pub_key = Y;
|
||||
#endif /* splint */
|
||||
|
||||
#else /* OPENSSL_VERSION_NUMBER */
|
||||
if (!DSA_set0_pqg(dsa, P, Q, G)) {
|
||||
/* QPG not yet attached, need to free */
|
||||
BN_free(Q);
|
||||
BN_free(P);
|
||||
BN_free(G);
|
||||
|
||||
DSA_free(dsa);
|
||||
BN_free(Y);
|
||||
return NULL;
|
||||
}
|
||||
if (!DSA_set0_key(dsa, Y, NULL)) {
|
||||
/* QPG attached, cleaned up by DSA_fre() */
|
||||
DSA_free(dsa);
|
||||
BN_free(Y);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
|
||||
return dsa;
|
||||
}
|
||||
|
||||
|
|
@ -273,11 +302,21 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
|
|||
BN_free(modulus);
|
||||
return NULL;
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
|
||||
#ifndef S_SPLINT_S
|
||||
rsa->n = modulus;
|
||||
rsa->e = exponent;
|
||||
#endif /* splint */
|
||||
|
||||
#else /* OPENSSL_VERSION_NUMBER */
|
||||
if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
|
||||
BN_free(exponent);
|
||||
BN_free(modulus);
|
||||
RSA_free(rsa);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
|
||||
return rsa;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -195,7 +195,7 @@ enum gldns_enum_rr_type
|
|||
GLDNS_RR_TYPE_TALINK = 58,
|
||||
GLDNS_RR_TYPE_CDS = 59, /** RFC 7344 */
|
||||
GLDNS_RR_TYPE_CDNSKEY = 60, /** RFC 7344 */
|
||||
GLDNS_RR_TYPE_OPENPGPKEY = 61, /* draft-ietf-dane-openpgpkey */
|
||||
GLDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
|
||||
GLDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
|
||||
|
||||
GLDNS_RR_TYPE_SPF = 99, /* RFC 4408 */
|
||||
|
|
|
|||
|
|
@ -118,7 +118,7 @@ int gldns_str_print(char** str, size_t* slen, const char* format, ...)
|
|||
* @param str_len: the size of the string buffer. If more is needed, it'll
|
||||
* silently truncate the output to fit in the buffer.
|
||||
* @return the number of characters for this element, excluding zerobyte.
|
||||
* Is larger than str_len if output was truncated.
|
||||
* Is larger or equal than str_len if output was truncated.
|
||||
*/
|
||||
int gldns_wire2str_pkt_buf(uint8_t* data, size_t data_len, char* str,
|
||||
size_t str_len);
|
||||
|
|
@ -351,7 +351,7 @@ int gldns_wire2str_edns_option_code_print(char** str, size_t* str_len,
|
|||
* @param str_len: the size of the string buffer. If more is needed, it'll
|
||||
* silently truncate the output to fit in the buffer.
|
||||
* @return the number of characters for this element, excluding zerobyte.
|
||||
* Is larger than str_len if output was truncated.
|
||||
* Is larger or equal than str_len if output was truncated.
|
||||
*/
|
||||
int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
|
||||
size_t str_len);
|
||||
|
|
@ -369,7 +369,7 @@ int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
|
|||
* @param str_len: the size of the string buffer. If more is needed, it'll
|
||||
* silently truncate the output to fit in the buffer.
|
||||
* @return the number of characters for this element, excluding zerobyte.
|
||||
* Is larger than str_len if output was truncated.
|
||||
* Is larger or equal than str_len if output was truncated.
|
||||
*/
|
||||
int gldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
|
||||
size_t str_len);
|
||||
|
|
@ -389,7 +389,7 @@ int gldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
|
|||
* @param str_len: the size of the string buffer. If more is needed, it'll
|
||||
* silently truncate the output to fit in the buffer.
|
||||
* @return the number of characters for this element, excluding zerobyte.
|
||||
* Is larger than str_len if output was truncated.
|
||||
* Is larger or equal than str_len if output was truncated.
|
||||
*/
|
||||
int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
|
||||
char* str, size_t str_len);
|
||||
|
|
@ -406,7 +406,7 @@ int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
|
|||
* silently truncate the output to fit in the buffer.
|
||||
* @param rrtype: rr type of the data
|
||||
* @return the number of characters for this element, excluding zerobyte.
|
||||
* Is larger than str_len if output was truncated.
|
||||
* Is larger or equal than str_len if output was truncated.
|
||||
*/
|
||||
int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
|
||||
size_t str_len, uint16_t rrtype);
|
||||
|
|
@ -417,7 +417,7 @@ int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
|
|||
* @param str: the string to write to.
|
||||
* @param len: length of str.
|
||||
* @return the number of characters for this element, excluding zerobyte.
|
||||
* Is larger than str_len if output was truncated.
|
||||
* Is larger or equal than str_len if output was truncated.
|
||||
*/
|
||||
int gldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);
|
||||
|
||||
|
|
@ -427,7 +427,7 @@ int gldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);
|
|||
* @param str: the string to write to.
|
||||
* @param len: length of str.
|
||||
* @return the number of characters for this element, excluding zerobyte.
|
||||
* Is larger than str_len if output was truncated.
|
||||
* Is larger or equal than str_len if output was truncated.
|
||||
*/
|
||||
int gldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);
|
||||
|
||||
|
|
@ -437,7 +437,7 @@ int gldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);
|
|||
* @param str: the string to write to.
|
||||
* @param len: length of str.
|
||||
* @return the number of characters for this element, excluding zerobyte.
|
||||
* Is larger than str_len if output was truncated.
|
||||
* Is larger or equal than str_len if output was truncated.
|
||||
*/
|
||||
int gldns_wire2str_rcode_buf(int rcode, char* str, size_t len);
|
||||
|
||||
|
|
@ -448,7 +448,7 @@ int gldns_wire2str_rcode_buf(int rcode, char* str, size_t len);
|
|||
* @param str: the string to write to.
|
||||
* @param len: length of string.
|
||||
* @return the number of characters for this element, excluding zerobyte.
|
||||
* Is larger than str_len if output was truncated.
|
||||
* Is larger or equal than str_len if output was truncated.
|
||||
*/
|
||||
int gldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str,
|
||||
size_t len);
|
||||
|
|
|
|||
|
|
@ -56,6 +56,10 @@
|
|||
#include "context.h"
|
||||
#include "util-internal.h"
|
||||
|
||||
#ifndef X509_STORE_CTX_get0_untrusted
|
||||
#define X509_STORE_CTX_get0_untrusted(store) store->untrusted
|
||||
#endif
|
||||
|
||||
/* we only support sha256 at the moment. adding support for another
|
||||
digest is more complex than just adding another entry here. in
|
||||
particular, you'll probably need a match for a particular cert
|
||||
|
|
@ -314,11 +318,11 @@ _get_ssl_getdns_upstream_idx()
|
|||
{
|
||||
static volatile int idx = -1;
|
||||
if (idx < 0) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
|
||||
/* CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); */
|
||||
if (idx < 0)
|
||||
idx = SSL_get_ex_new_index(0, "associated getdns upstream",
|
||||
NULL,NULL,NULL);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
|
||||
/* CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); */
|
||||
}
|
||||
return idx;
|
||||
}
|
||||
|
|
@ -383,7 +387,7 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
|
|||
|
||||
/* TODO: how do we handle raw public keys? */
|
||||
|
||||
for (i = 0; i < sk_X509_num(store->untrusted); i++) {
|
||||
for (i = 0; i < sk_X509_num(X509_STORE_CTX_get0_untrusted(store)); i++) {
|
||||
if (i > 0) {
|
||||
/* TODO: how do we ensure that the certificates in
|
||||
* each stage appropriately sign the previous one?
|
||||
|
|
@ -392,7 +396,7 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
|
|||
return GETDNS_RETURN_GENERIC_ERROR;
|
||||
}
|
||||
|
||||
x = sk_X509_value(store->untrusted, i);
|
||||
x = sk_X509_value(X509_STORE_CTX_get0_untrusted(store), i);
|
||||
#if defined(STUB_DEBUG) && STUB_DEBUG
|
||||
DEBUG_STUB("%s %-35s: Name of cert: %d ",
|
||||
STUB_DEBUG_SETUP_TLS, __FUNCTION__, i);
|
||||
|
|
|
|||
|
|
@ -590,7 +590,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
|
|||
log_err("EVP_MD_CTX_new: malloc failure");
|
||||
EVP_PKEY_free(evp_key);
|
||||
if(dofree) free(sigblock);
|
||||
else if(docrypto_free) CRYPTO_free(sigblock);
|
||||
else if(docrypto_free) OPENSSL_free(sigblock);
|
||||
return 0;
|
||||
}
|
||||
if(EVP_VerifyInit(ctx, digest_type) == 0) {
|
||||
|
|
@ -598,7 +598,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
|
|||
EVP_MD_CTX_destroy(ctx);
|
||||
EVP_PKEY_free(evp_key);
|
||||
if(dofree) free(sigblock);
|
||||
else if(docrypto_free) CRYPTO_free(sigblock);
|
||||
else if(docrypto_free) OPENSSL_free(sigblock);
|
||||
return 0;
|
||||
}
|
||||
if(EVP_VerifyUpdate(ctx, (unsigned char*)gldns_buffer_begin(buf),
|
||||
|
|
@ -607,7 +607,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
|
|||
EVP_MD_CTX_destroy(ctx);
|
||||
EVP_PKEY_free(evp_key);
|
||||
if(dofree) free(sigblock);
|
||||
else if(docrypto_free) CRYPTO_free(sigblock);
|
||||
else if(docrypto_free) OPENSSL_free(sigblock);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -621,7 +621,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
|
|||
EVP_PKEY_free(evp_key);
|
||||
|
||||
if(dofree) free(sigblock);
|
||||
else if(docrypto_free) CRYPTO_free(sigblock);
|
||||
else if(docrypto_free) OPENSSL_free(sigblock);
|
||||
|
||||
if(res == 1) {
|
||||
return 1;
|
||||
|
|
@ -1359,6 +1359,7 @@ _getdns_dnskey_algo_id_is_supported(int id)
|
|||
}
|
||||
}
|
||||
|
||||
#ifdef USE_DSA
|
||||
static char *
|
||||
_verify_nettle_dsa(gldns_buffer* buf, unsigned char* sigblock,
|
||||
unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
|
||||
|
|
@ -1446,6 +1447,7 @@ _verify_nettle_dsa(gldns_buffer* buf, unsigned char* sigblock,
|
|||
else
|
||||
return NULL;
|
||||
}
|
||||
#endif /* USE_DSA */
|
||||
|
||||
static char *
|
||||
_verify_nettle_rsa(gldns_buffer* buf, unsigned int digest_size, char* sigblock,
|
||||
|
|
|
|||
Loading…
Reference in New Issue