Merge branch 'libressl' into release/1.4.0

This commit is contained in:
Willem Toorop 2018-02-08 14:04:02 +01:00
commit c033e3f1a3
1 changed files with 19 additions and 13 deletions


@ -945,7 +945,8 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
#ifdef HAVE_SSL_HN_AUTH
#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL)
# if defined(HAVE_SSL_HN_AUTH)
/* Set up native OpenSSL hostname verification
* ( doesn't work with USE_DANESSL, but we verify the
* name afterwards in such cases )
@ -966,6 +967,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
return NULL;
}
# endif
#endif
/* Allow fallback to opportunistic if settings permit it*/
if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
@ -1128,10 +1130,10 @@ tls_do_handshake(getdns_upstream *upstream)
if (SSL_session_reused(upstream->tls_obj))
upstream->tls_auth_state = upstream->last_tls_auth_state;
#if defined(USE_DANESSL) || defined(HAVE_SSL_HN_AUTH)
else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
long verify_result = SSL_get_verify_result(upstream->tls_obj);
int xch;
/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
* we need to verify auth_name explicitely (otherwise it will not be checked,
@ -1139,12 +1141,17 @@ tls_do_handshake(getdns_upstream *upstream)
* This is not needed with native OpenSSL DANE, because EE name checks have
* to be disabled explicitely.
*/
# if defined(USE_DANESSL) && defined(HAVE_SSL_HN_AUTH)
#if defined(USE_DANESSL) || OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL)
if (peer_cert && verify_result == X509_V_OK
&& upstream->tls_auth_name[0]
# if defined(USE_DANESSL) && !(OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL))
&& upstream->tls_pubkey_pinset
&& X509_check_host(peer_cert, upstream->tls_auth_name, 0,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL) <= 0)
# endif
&& (xch = X509_check_host(peer_cert,
upstream->tls_auth_name,
strlen(upstream->tls_auth_name),
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
NULL)) <= 0)
verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
#endif
upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
@ -1201,7 +1208,7 @@ tls_do_handshake(getdns_upstream *upstream)
? "Tolerated because of Opportunistic profile"
: "*Failure*" ), verify_result,
X509_verify_cert_error_string(verify_result));
# ifndef HAVE_SSL_HN_AUTH
#if !defined(HAVE_SSL_HN_AUTH) && !(OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL))
else if (*upstream->tls_auth_name) {
_getdns_upstream_log(upstream,
GETDNS_LOG_UPSTREAM_STATS,
@ -1229,7 +1236,6 @@ tls_do_handshake(getdns_upstream *upstream)
&& !upstream->tls_fallback_ok)
return STUB_SETUP_ERROR;
}
#endif /* defined(USE_DANESSL) || defined(HAVE_SSL_HN_AUTH) */
DEBUG_STUB("%s %-35s: FD: %d Handshake succeeded with auth state %s. Session is %s.\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd,
_getdns_auth_str(upstream->tls_auth_state),
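Review bot: In the hunk at -1139,12 +1141,17 the comment above the guard ("In case of DANESSL use, and a tls_auth_name was given alongside a pinset ...") no longer describes the code below it, because the guard now also compiles the explicit X509_check_host() check for LibreSSL and pre-1.0.2 OpenSSL builds, and the nested `# if` drops the pinset requirement there so every configured tls_auth_name is checked on that path. Suggest extending that comment with `* With LibreSSL or OpenSSL < 1.0.2 this explicit check is the only hostname verification, so it runs whenever tls_auth_name is set; negative X509_check_host() results (internal error, malformed input) are folded into X509_V_ERR_HOSTNAME_MISMATCH by the <= 0 test on purpose.` so the fail-closed intent of the `<= 0` comparison is on record. X509_check_host() and X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS first appear in OpenSSL 1.0.2, so the `OPENSSL_VERSION_NUMBER < 0x10002000L` arm of this guard presumably relies on a compatibility implementation elsewhere in the tree; worth confirming that configuration still builds. `xch` is assigned inside the condition but not read anywhere within the visible lines; if nothing later in the function consumes it, the assignment is noise and `X509_check_host(...) <= 0` alone reads clearer. tls_do_handshake() starts and ends outside this hunk.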