mirror of https://github.com/getdnsapi/getdns.git
Merge branch 'libressl' into release/1.4.0
This commit is contained in:
Willem Toorop
commit
c033e3f1a3
20
src/stub.c
20
src/stub.c
|
|
@ -945,7 +945,8 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
|
DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
|
||||||
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
|
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
|
||||||
SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
|
SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
|
||||||
#ifdef HAVE_SSL_HN_AUTH
|
#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL)
|
||||||
|
# if defined(HAVE_SSL_HN_AUTH)
|
||||||
/* Set up native OpenSSL hostname verification
|
/* Set up native OpenSSL hostname verification
|
||||||
* ( doesn't work with USE_DANESSL, but we verify the
|
* ( doesn't work with USE_DANESSL, but we verify the
|
||||||
* name afterwards in such cases )
|
* name afterwards in such cases )
|
||||||
|
|
@ -966,6 +967,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
|
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
# endif
|
||||||
#endif
|
#endif
|
||||||
/* Allow fallback to opportunistic if settings permit it*/
|
/* Allow fallback to opportunistic if settings permit it*/
|
||||||
if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
|
if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
|
||||||
|
|
@ -1128,10 +1130,10 @@ tls_do_handshake(getdns_upstream *upstream)
|
||||||
if (SSL_session_reused(upstream->tls_obj))
|
if (SSL_session_reused(upstream->tls_obj))
|
||||||
upstream->tls_auth_state = upstream->last_tls_auth_state;
|
upstream->tls_auth_state = upstream->last_tls_auth_state;
|
||||||
|
|
||||||
#if defined(USE_DANESSL) || defined(HAVE_SSL_HN_AUTH)
|
|
||||||
else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
|
else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
|
||||||
X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
|
X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
|
||||||
long verify_result = SSL_get_verify_result(upstream->tls_obj);
|
long verify_result = SSL_get_verify_result(upstream->tls_obj);
|
||||||
|
int xch;
|
||||||
|
|
||||||
/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
|
/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
|
||||||
* we need to verify auth_name explicitely (otherwise it will not be checked,
|
* we need to verify auth_name explicitely (otherwise it will not be checked,
|
||||||
|
|
@ -1139,12 +1141,17 @@ tls_do_handshake(getdns_upstream *upstream)
|
||||||
* This is not needed with native OpenSSL DANE, because EE name checks have
|
* This is not needed with native OpenSSL DANE, because EE name checks have
|
||||||
* to be disabled explicitely.
|
* to be disabled explicitely.
|
||||||
*/
|
*/
|
||||||
# if defined(USE_DANESSL) && defined(HAVE_SSL_HN_AUTH)
|
#if defined(USE_DANESSL) || OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL)
|
||||||
if (peer_cert && verify_result == X509_V_OK
|
if (peer_cert && verify_result == X509_V_OK
|
||||||
&& upstream->tls_auth_name[0]
|
&& upstream->tls_auth_name[0]
|
||||||
|
# if defined(USE_DANESSL) && !(OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL))
|
||||||
&& upstream->tls_pubkey_pinset
|
&& upstream->tls_pubkey_pinset
|
||||||
&& X509_check_host(peer_cert, upstream->tls_auth_name, 0,
|
# endif
|
||||||
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL) <= 0)
|
&& (xch = X509_check_host(peer_cert,
|
||||||
|
upstream->tls_auth_name,
|
||||||
|
strlen(upstream->tls_auth_name),
|
||||||
|
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
|
||||||
|
NULL)) <= 0)
|
||||||
verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
|
verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
|
||||||
#endif
|
#endif
|
||||||
upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
|
upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
|
||||||
|
|
@ -1201,7 +1208,7 @@ tls_do_handshake(getdns_upstream *upstream)
|
||||||
? "Tolerated because of Opportunistic profile"
|
? "Tolerated because of Opportunistic profile"
|
||||||
: "*Failure*" ), verify_result,
|
: "*Failure*" ), verify_result,
|
||||||
X509_verify_cert_error_string(verify_result));
|
X509_verify_cert_error_string(verify_result));
|
||||||
# ifndef HAVE_SSL_HN_AUTH
|
#if !defined(HAVE_SSL_HN_AUTH) && !(OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL))
|
||||||
else if (*upstream->tls_auth_name) {
|
else if (*upstream->tls_auth_name) {
|
||||||
_getdns_upstream_log(upstream,
|
_getdns_upstream_log(upstream,
|
||||||
GETDNS_LOG_UPSTREAM_STATS,
|
GETDNS_LOG_UPSTREAM_STATS,
|
||||||
|
|
@ -1229,7 +1236,6 @@ tls_do_handshake(getdns_upstream *upstream)
|
||||||
&& !upstream->tls_fallback_ok)
|
&& !upstream->tls_fallback_ok)
|
||||||
return STUB_SETUP_ERROR;
|
return STUB_SETUP_ERROR;
|
||||||
}
|
}
|
||||||
#endif /* defined(USE_DANESSL) || defined(HAVE_SSL_HN_AUTH) */
|
|
||||||
DEBUG_STUB("%s %-35s: FD: %d Handshake succeeded with auth state %s. Session is %s.\n",
|
DEBUG_STUB("%s %-35s: FD: %d Handshake succeeded with auth state %s. Session is %s.\n",
|
||||||
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd,
|
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd,
|
||||||
_getdns_auth_str(upstream->tls_auth_state),
|
_getdns_auth_str(upstream->tls_auth_state),
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue