More auth_status in "call_reporting dict"
Key "tls_auth_pin" == 1 when a pin from a pinset is used to authenticate the tls session, 0 otherwise. Key "tls_auth_pkix" == 1 when the cert was signed with a CA in the verification location, 0 if it was not PKIX authenticated and 2 if unknown (for example when a pinset was sufficient to authenticate the session)
parent
d2967532f6
commit
c8efb19624
@ -536,6 +536,23 @@ const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
|
|||
return gnutls_protocol_get_name(gnutls_protocol_get_version(conn->tls));
|
||||
}
|
||||
|
||||
/* CBN:TODO Implement! */
|
||||
int _getdns_tls_connection_get_pkix_auth(_getdns_tls_connection* conn)
|
||||
{
|
||||
if (!conn || !conn->ssl)
|
||||
return 0;
|
||||
|
||||
return 2 /* 2 is unknown */;
|
||||
}
|
||||
|
||||
/* CBN:TODO Implement! */
|
||||
int _getdns_tls_connection_get_pin_auth(_getdns_tls_connection* conn)
|
||||
{
|
||||
if (!conn || !conn->ssl)
|
||||
return 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
|
||||
{
|
||||
int r;
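Review bot: Both new gnutls stubs test `conn->ssl`, while the existing `_getdns_tls_connection_get_version` a few lines above reads `conn->tls`; if the gnutls `_getdns_tls_connection` has no `ssl` member (it cannot be seen from the hunk) these two lines will not compile, and the guard should read `if (!conn || !conn->tls)`. In `_getdns_tls_connection_get_pin_auth` the NULL check is dead code since both paths `return 0;`. Until the TODOs are implemented every gnutls session will be reported as `tls_auth_pkix` == 2 and `tls_auth_pin` == 0 even when gnutls did verify the chain, so the stub comment should say so explicitly, e.g. `/* CBN:TODO Implement! Until then PKIX status is reported as unknown (2) for every gnutls session. */`.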
|
||||
|
|
|
@ -842,6 +842,26 @@ const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
|
|||
return SSL_get_version(conn->ssl);
|
||||
}
|
||||
|
||||
int _getdns_tls_connection_get_pkix_auth(_getdns_tls_connection* conn)
|
||||
{
|
||||
uint8_t usage = 255; /* 0 and 1 for also PKIX, 2 and 3 for DANE only */
|
||||
|
||||
if (!conn || !conn->ssl)
|
||||
return 0;
|
||||
|
||||
if (SSL_get0_dane_tlsa(conn->ssl, &usage, NULL, NULL, NULL, NULL) < 0)
|
||||
return SSL_get_verify_result(conn->ssl) == X509_V_OK ? 1 : 0;
|
||||
|
||||
return usage <= 1 ? 1 : 2 /* 2 is unknown */;
|
||||
}
|
||||
|
||||
int _getdns_tls_connection_get_pin_auth(_getdns_tls_connection* conn)
|
||||
{
|
||||
if (!conn || !conn->ssl)
|
||||
return 0;
|
||||
return SSL_get0_dane_authority(conn->ssl, NULL, NULL) >= 0;
|
||||
}
|
||||
|
||||
getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
|
||||
{
|
||||
int r;
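Review bot: The PKIX fallback on the `return SSL_get_verify_result(conn->ssl) == X509_V_OK ? 1 : 0;` line can report 1 without a chain having been checked, because OpenSSL documents X509_V_OK as the result when no peer certificate was presented. Since this value is surfaced to applications as `tls_auth_pkix`, the fallback should also require that a certificate exists, e.g. `X509 *peer = SSL_get_peer_certificate(conn->ssl); int ok = peer && SSL_get_verify_result(conn->ssl) == X509_V_OK; X509_free(peer); return ok;` (the returned reference must be freed). Whether this connection can ever complete a handshake without a peer certificate depends on the cipher configuration set elsewhere in the file, so this may be belt-and-braces. The `SSL_get0_dane_tlsa` branch is consistent with OpenSSL's return convention (negative when DANE did not match or was not enabled), and the `usage <= 1` mapping to PKIX-TA/PKIX-EE matches the comment on the `usage` declaration.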
|
||||
|
|
|
@ -218,6 +218,11 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
|
|||
net_req->debug_tls_peer_cert.size = 0;
|
||||
net_req->debug_tls_peer_cert.data = NULL;
|
||||
net_req->debug_tls_version = NULL;
|
||||
net_req->debug_pkix_auth = 0; /* 1 == authenticated with PKIX
|
||||
* 0 == not authenticated with PKIX
|
||||
* 2 == unknown
|
||||
*/
|
||||
net_req->debug_pin_auth = 0; /* == 1 if authenticated with pinset */
|
||||
net_req->debug_udp = 0;
|
||||
|
||||
/* Scheduling, touch only via _getdns_netreq_change_state!
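Review bot: `net_req->debug_pkix_auth = 0;` initialises the field to "not authenticated with PKIX", so a request that never used TLS is reported identically to one whose chain check failed; if the `tls_auth_pkix` entry in `_getdns_create_call_reporting_dict` (last hunk) is emitted for non-TLS transports too, initialising to the documented unknown value `net_req->debug_pkix_auth = 2;` would keep the two cases distinguishable. Whether that dict code is guarded by a TLS check cannot be seen, as its enclosing condition starts outside the hunk. The four-line comment after the assignment duplicates the field comment in the struct definition and could be shortened to `/* 2 == unknown, see getdns_network_req */`.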
|
||||
|
|
|
@ -1853,6 +1853,8 @@ upstream_write_cb(void *userarg)
|
|||
_getdns_tls_x509_free(&upstream->upstreams->mf, cert);
|
||||
}
|
||||
netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj);
|
||||
netreq->debug_pkix_auth = _getdns_tls_connection_get_pkix_auth(netreq->upstream->tls_obj);
|
||||
netreq->debug_pin_auth = _getdns_tls_connection_get_pin_auth(netreq->upstream->tls_obj);
|
||||
}
|
||||
/* Need this because auth status is reset on connection close */
|
||||
netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;
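Review bot: The three new assignments each re-evaluate `netreq->upstream->tls_obj`; hoisting it into a local such as `_getdns_tls_connection *tls_obj = netreq->upstream->tls_obj;` at the top of this block would make the snapshot point explicit and match the `cert` local used just above. The comment on the next line ("auth status is reset on connection close") also applies to the pkix/pin values captured here, so it is worth moving it up to cover all four assignments. upstream_write_cb starts and ends outside the hunk.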
|
||||
|
|
16
src/tls.h
16
src/tls.h
|
@ -265,6 +265,22 @@ _getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _
|
|||
*/
|
||||
const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn);
|
||||
|
||||
/**
|
||||
* Return whether or not the peer cert PKIX validated
|
||||
*
|
||||
* @param conn the connection
|
||||
* @return 1 when the peer cert PKIX validated, 0 if it did not validate, 2 otherwise
|
||||
*/
|
||||
int _getdns_tls_connection_get_pkix_auth(_getdns_tls_connection* conn);
|
||||
|
||||
/**
|
||||
* Return whether or not a pin from the pinset matched
|
||||
*
|
||||
* @param conn the connection
|
||||
* @return 1 when the peer cert matched a pinset, 0 otherwise
|
||||
*/
|
||||
int _getdns_tls_connection_get_pin_auth(_getdns_tls_connection* conn);
|
||||
|
||||
/**
|
||||
* Attempt TLS handshake.
|
||||
*
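Review bot: The `@return` line for `_getdns_tls_connection_get_pkix_auth` says "2 otherwise", but both implementations return 0 (not 2) for a NULL or closed connection, and 2 is what the commit message calls unknown; the doc should match, e.g. `@return 1 when the peer cert PKIX validated, 0 when it did not (or conn is NULL/closed), 2 when unknown, e.g. the session was authenticated by a pinset instead`. For `_getdns_tls_connection_get_pin_auth` it is worth stating that 0 is also returned for a NULL connection, so callers cannot treat 0 as "pin checked and not matched".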
|
||||
|
|
|
@ -244,6 +244,9 @@ typedef struct getdns_network_req
|
|||
const char *debug_tls_version;
|
||||
|
||||
/* Some booleans */
|
||||
unsigned debug_pkix_auth: 2; /* 1 if TLS connection is PKIX valid
|
||||
2 if this is unknown */
|
||||
unsigned debug_pin_auth : 1; /* 1 if one of the pinset's matched */
|
||||
unsigned debug_udp : 1;
|
||||
unsigned keepalive_sent : 1;
|
||||
unsigned badcookie_retry: 1;
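Review bot: The comment on `unsigned debug_pkix_auth: 2;` lists the meaning of 1 and 2 but not 0, which is the value every request starts with; `/* 0 if not PKIX valid, 1 if PKIX valid, 2 if unknown */` on one line would document the full range of the two-bit field. The spacing before the colon also differs from the neighbouring `debug_pin_auth : 1` line added in the same hunk.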
|
||||
|
|
|
@ -966,6 +966,18 @@ _getdns_create_call_reporting_dict(
|
|||
getdns_dict_destroy(netreq_debug);
|
||||
return NULL;
|
||||
}
|
||||
if (getdns_dict_set_int(netreq_debug, "tls_auth_pin",
|
||||
netreq->debug_pin_auth)) {
|
||||
|
||||
getdns_dict_destroy(netreq_debug);
|
||||
return NULL;
|
||||
}
|
||||
if (getdns_dict_set_int(netreq_debug, "tls_auth_pkix",
|
||||
netreq->debug_pkix_auth)) {
|
||||
|
||||
getdns_dict_destroy(netreq_debug);
|
||||
return NULL;
|
||||
}
|
||||
if (getdns_dict_util_set_string(netreq_debug, "tls_version",
|
||||
netreq->debug_tls_version)){
|
||||
|
||||
|
|