mirror of https://github.com/getdnsapi/getdns.git
hostname auth with libressl
This commit is contained in:
Willem Toorop
parent
b914b63e18
commit
c3e4061fe2
|
|
@ -408,7 +408,7 @@ fi
|
||||||
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
|
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add])
|
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host])
|
||||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
||||||
AC_INCLUDES_DEFAULT
|
AC_INCLUDES_DEFAULT
|
||||||
#ifdef HAVE_OPENSSL_ERR_H
|
#ifdef HAVE_OPENSSL_ERR_H
|
||||||
|
|
|
||||||
12
src/stub.c
12
src/stub.c
|
|
@ -945,7 +945,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
|
DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
|
||||||
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
|
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
|
||||||
SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
|
SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name);
|
||||||
#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL)
|
|
||||||
#if defined(HAVE_SSL_HN_AUTH)
|
#if defined(HAVE_SSL_HN_AUTH)
|
||||||
/* Set up native OpenSSL hostname verification
|
/* Set up native OpenSSL hostname verification
|
||||||
* ( doesn't work with USE_DANESSL, but we verify the
|
* ( doesn't work with USE_DANESSL, but we verify the
|
||||||
|
|
@ -955,7 +954,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
param = SSL_get0_param(ssl);
|
param = SSL_get0_param(ssl);
|
||||||
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||||
X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
|
X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
|
||||||
# else
|
#elif !defined(HAVE_X509_CHECK_HOST)
|
||||||
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
|
if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
|
||||||
DEBUG_STUB("%s %-35s: ERROR: Hostname Authentication not available from TLS library (check library version)\n",
|
DEBUG_STUB("%s %-35s: ERROR: Hostname Authentication not available from TLS library (check library version)\n",
|
||||||
STUB_DEBUG_SETUP_TLS, __FUNC__);
|
STUB_DEBUG_SETUP_TLS, __FUNC__);
|
||||||
|
|
@ -967,7 +966,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
||||||
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
|
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
# endif
|
|
||||||
#endif
|
#endif
|
||||||
/* Allow fallback to opportunistic if settings permit it*/
|
/* Allow fallback to opportunistic if settings permit it*/
|
||||||
if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
|
if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
|
||||||
|
|
@ -1133,7 +1131,6 @@ tls_do_handshake(getdns_upstream *upstream)
|
||||||
else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
|
else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
|
||||||
X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
|
X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj);
|
||||||
long verify_result = SSL_get_verify_result(upstream->tls_obj);
|
long verify_result = SSL_get_verify_result(upstream->tls_obj);
|
||||||
int xch;
|
|
||||||
|
|
||||||
/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
|
/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
|
||||||
* we need to verify auth_name explicitely (otherwise it will not be checked,
|
* we need to verify auth_name explicitely (otherwise it will not be checked,
|
||||||
|
|
@ -1141,10 +1138,11 @@ tls_do_handshake(getdns_upstream *upstream)
|
||||||
* This is not needed with native OpenSSL DANE, because EE name checks have
|
* This is not needed with native OpenSSL DANE, because EE name checks have
|
||||||
* to be disabled explicitely.
|
* to be disabled explicitely.
|
||||||
*/
|
*/
|
||||||
#if defined(USE_DANESSL) || OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL)
|
#if defined(USE_DANESSL) || (!defined(HAVE_SSL_HN_AUTH) && defined(HAVE_X509_CHECK_HOST))
|
||||||
|
int xch;
|
||||||
if (peer_cert && verify_result == X509_V_OK
|
if (peer_cert && verify_result == X509_V_OK
|
||||||
&& upstream->tls_auth_name[0]
|
&& upstream->tls_auth_name[0]
|
||||||
# if defined(USE_DANESSL) && !(OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL))
|
# if defined(USE_DANESSL) && defined(HAVE_SSL_HN_AUTH)
|
||||||
&& upstream->tls_pubkey_pinset
|
&& upstream->tls_pubkey_pinset
|
||||||
# endif
|
# endif
|
||||||
&& (xch = X509_check_host(peer_cert,
|
&& (xch = X509_check_host(peer_cert,
|
||||||
|
|
@ -1208,7 +1206,7 @@ tls_do_handshake(getdns_upstream *upstream)
|
||||||
? "Tolerated because of Opportunistic profile"
|
? "Tolerated because of Opportunistic profile"
|
||||||
: "*Failure*" ), verify_result,
|
: "*Failure*" ), verify_result,
|
||||||
X509_verify_cert_error_string(verify_result));
|
X509_verify_cert_error_string(verify_result));
|
||||||
#if !defined(HAVE_SSL_HN_AUTH) && !(OPENSSL_VERSION_NUMBER < 0x10002000L || defined(HAVE_LIBRESSL))
|
#if !defined(HAVE_SSL_HN_AUTH) && !defined(HAVE_X509_CHECK_HOST)
|
||||||
else if (*upstream->tls_auth_name) {
|
else if (*upstream->tls_auth_name) {
|
||||||
_getdns_upstream_log(upstream,
|
_getdns_upstream_log(upstream,
|
||||||
GETDNS_LOG_UPSTREAM_STATS,
|
GETDNS_LOG_UPSTREAM_STATS,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue