From d9fdd4c10dfc9ce6286e948f8a23b4dfdaef5eba Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Wed, 14 Nov 2018 18:11:49 +0000
Subject: [PATCH] Abstracting TLS; let's start with context only.

Change data types in context.h and fix up context.c. Do minimal fixups to stub.c.
---
 src/Makefile.in | 273 ++++++++++++++-------------------
 src/context.c | 202 ++++--------------------
 src/context.h | 7 +-
 src/openssl/tls.c | 375 ++++++++++++++++++++++++++++++++++++++++++++++
 src/openssl/tls.h | 84 +++++++++++
 src/stub.c | 83 +++++-----
 6 files changed, 639 insertions(+), 385 deletions(-)
 create mode 100644 src/openssl/tls.c
 create mode 100644 src/openssl/tls.h

diff --git a/src/Makefile.in b/src/Makefile.in
index 1059afca..de5f3e26 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -56,7 +56,7 @@ stubbysrcdir = $(srcdir)/../stubby
 LIBTOOL = ../libtool
 CC=@CC@
-CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
+CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(srcdir)/openssl -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
 WPEDANTICFLAG=@WPEDANTICFLAG@
 WNOERRORFLAG=@WNOERRORFLAG@
 LDFLAGS=@LDFLAGS@ @LIBS@
@@ -94,6 +94,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 UTIL_OBJ=rbtree.lo val_secalgo.lo lruhash.lo lookup3.lo locks.lo
 JSMN_OBJ=jsmn.lo
+TLS_OBJ=tls.lo
 YXML_OBJ=yxml.lo
 YAML_OBJ=convert_yaml_to_json.lo
@@ -133,6 +134,9 @@ $(UTIL_OBJ):
 $(JSMN_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -DJSMN_GETDNS -c $(srcdir)/jsmn/$(@:.lo=.c) -o $@
+$(TLS_OBJ):
+	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/openssl/$(@:.lo=.c) -o $@
+
 $(YAML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
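Review bot: The OpenSSL backend directory is spelled as a literal in three places — `-I$(srcdir)/openssl` in `CFLAGS` at @@ -56, `$(srcdir)/openssl/$(@:.lo=.c)` in the `$(TLS_OBJ)` rule at @@ -133, and `-Iopenssl` plus `openssl/*.c` in the `depend` recipe at @@ -271 — although the purpose of the commit is to abstract the TLS layer. A single knob next to the `*_OBJ` definitions, e.g. `TLS_BACKEND=openssl` (a configure substitution later), used as `-I$(srcdir)/$(TLS_BACKEND)` and `$(srcdir)/$(TLS_BACKEND)/$(@:.lo=.c)`, would make a second backend a one-line switch. One hazard of the directory name itself: because `-I$(srcdir)` precedes the system include directories, any file later added under src/openssl/ whose name matches a real OpenSSL header (ssl.h, err.h, x509.h) would be picked up by an `#include <openssl/...>` anywhere in the tree instead of the system header, so the backend directory's file names need to stay disjoint from OpenSSL's. Also, like its sibling `$(JSMN_OBJ):`, the `$(TLS_OBJ):` rule declares no prerequisites, so rebuilds of tls.lo depend entirely on the generated `tls.lo tls.o:` line further down being kept current.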
@@ -194,8 +198,8 @@ libgetdns_ext_uv.la: libgetdns.la libuv.lo
 libgetdns_ext_ev.la: libgetdns.la libev.lo
 	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libev.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEV_LDFLAGS) $(EXTENSION_LIBEV_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libev.symbols
-libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS)
-	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
+libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS)
+	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(TLS_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
 test: default
 	cd test && $(MAKE) $@
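Review bot: The `libgetdns.la` rule in this hunk carries the full object list twice — once as prerequisites and once in the link recipe — and the commit had to insert `$(TLS_OBJ)` into both copies in lockstep, so the next backend object has the same exposure to the two lists drifting apart. Since the prerequisites are exactly the objects to link, the recipe could read `$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $^ $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols`, letting `$^` stand in for the list. `$^` de-duplicates prerequisites, which is harmless on a link line.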
@@ -271,13 +275,14 @@ Makefile: $(srcdir)/Makefile.in ../config.status
 depend:
 	(cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
-	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
+	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iopenssl -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c openssl/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
 	sed -e "s? $$blddir/? ?g" \
 	-e 's? gldns/? $$(srcdir)/gldns/?g' \
 	-e 's? compat/? $$(srcdir)/compat/?g' \
 	-e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \
 	-e 's? util/? $$(srcdir)/util/?g' \
 	-e 's? jsmn/? $$(srcdir)/jsmn/?g' \
+	-e 's? openssl/? $$(srcdir)/openssl/?g' \
 	-e 's? yxml/? $$(srcdir)/yxml/?g' \
 	-e 's? ssl_dane/? $$(srcdir)/ssl_dane/?g' \
 	-e 's? extension/? $$(srcdir)/extension/?g' \
@@ -299,137 +304,104 @@ depend: FORCE: # Dependencies for gldns, utils, the extensions and compat functions -anchor.lo anchor.o: $(srcdir)/anchor.c \ - config.h \ +anchor.lo anchor.o: $(srcdir)/anchor.c config.h \ $(srcdir)/debug.h $(srcdir)/anchor.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/yxml/yxml.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h const-info.lo const-info.o: $(srcdir)/const-info.c \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/const-info.h -context.lo context.o: $(srcdir)/context.c \ - config.h \ - $(srcdir)/anchor.h \ - getdns/getdns.h \ +context.lo context.o: $(srcdir)/context.c config.h \ + $(srcdir)/anchor.h getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \ $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h 
$(srcdir)/context.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h -convert.lo convert.o: $(srcdir)/convert.c \ - config.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h \ + $(srcdir)/platform.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h \ + $(srcdir)/const-info.h +convert.lo convert.o: $(srcdir)/convert.c config.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ - $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \ - $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h -dict.lo dict.o: $(srcdir)/dict.c \ - config.h \ + $(srcdir)/extension/poll_eventloop.h 
$(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ + $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h \ + $(srcdir)/const-info.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h $(srcdir)/debug.h +dict.lo dict.o: $(srcdir)/dict.c config.h \ $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h \ - $(srcdir)/gldns/parseutil.h -dnssec.lo dnssec.o: $(srcdir)/dnssec.c \ - config.h \ - $(srcdir)/debug.h \ - getdns/getdns.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h \ + $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/parseutil.h +dnssec.lo dnssec.o: $(srcdir)/dnssec.c config.h \ + $(srcdir)/debug.h getdns/getdns.h \ $(srcdir)/context.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h 
$(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h \ - $(srcdir)/util/orig-headers/val_secalgo.h -general.lo general.o: $(srcdir)/general.c \ - config.h \ - $(srcdir)/general.h \ - getdns/getdns.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \ + $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h \ + $(srcdir)/util/val_secalgo.h $(srcdir)/util/orig-headers/val_secalgo.h +general.lo general.o: $(srcdir)/general.c config.h \ + $(srcdir)/general.h getdns/getdns.h \ $(srcdir)/types-internal.h \ getdns/getdns_extra.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - 
$(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h \ - $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/platform.h + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/debug.h list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \ - config.h \ - $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/list.h $(srcdir)/dict.h -mdns.lo mdns.o: $(srcdir)/mdns.c \ - config.h \ + config.h $(srcdir)/context.h \ + $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/list.h $(srcdir)/dict.h +mdns.lo mdns.o: $(srcdir)/mdns.c config.h \ $(srcdir)/debug.h $(srcdir)/context.h \ getdns/getdns.h \ getdns/getdns_extra.h \ 
$(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h \ - $(srcdir)/platform.h $(srcdir)/mdns.h $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/lookup3.h \ - $(srcdir)/util/orig-headers/lookup3.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/mdns.h platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \ config.h pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \ - config.h \ - $(srcdir)/debug.h \ - getdns/getdns.h \ - $(srcdir)/context.h \ + config.h $(srcdir)/debug.h \ + getdns/getdns.h $(srcdir)/context.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h + $(srcdir)/types-internal.h 
$(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h request-internal.lo request-internal.o: $(srcdir)/request-internal.c \ - config.h \ - $(srcdir)/types-internal.h \ + config.h $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/dict.h $(srcdir)/debug.h $(srcdir)/convert.h $(srcdir)/general.h rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ config.h \ getdns/getdns.h \ 
@@ -437,26 +409,20 @@ rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \ - $(srcdir)/dict.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \ + $(srcdir)/openssl/tls.h $(srcdir)/dict.h rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \ config.h \ getdns/getdns.h \ $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h -server.lo server.o: $(srcdir)/server.c \ - config.h \ +server.lo server.o: $(srcdir)/server.c config.h \ getdns/getdns_extra.h \ - getdns/getdns.h \ - $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ + getdns/getdns.h $(srcdir)/context.h \ + $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/platform.h -stub.lo stub.o: $(srcdir)/stub.c \ - config.h \ + $(srcdir)/types-internal.h 
$(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h +stub.lo stub.o: $(srcdir)/stub.c config.h \ $(srcdir)/debug.h $(srcdir)/stub.h \ getdns/getdns.h \ $(srcdir)/types-internal.h \ 
@@ -464,61 +430,48 @@ stub.lo stub.o: $(srcdir)/stub.c \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \ $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \ $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h \ - $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/anchor.h \ - $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h -sync.lo sync.o: $(srcdir)/sync.c \ - getdns/getdns.h \ - config.h \ - $(srcdir)/context.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/anchor.h \ + $(srcdir)/openssl/tls.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h +sync.lo sync.o: $(srcdir)/sync.c getdns/getdns.h \ + config.h $(srcdir)/context.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \ - $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h 
$(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \ - config.h \ - getdns/getdns.h \ - getdns/getdns_extra.h \ - $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h + config.h util-internal.lo util-internal.o: $(srcdir)/util-internal.c \ config.h \ - getdns/getdns.h \ - $(srcdir)/dict.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ - getdns/getdns_extra.h \ - $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ - $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \ - $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \ - $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/str2wire.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h + getdns/getdns.h $(srcdir)/dict.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \ + getdns/getdns_extra.h $(srcdir)/list.h \ + $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \ + $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h \ + $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h 
gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \ - config.h \ - $(srcdir)/gldns/gbuffer.h + config.h $(srcdir)/gldns/gbuffer.h keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \ - config.h \ - $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/rrdef.h + config.h $(srcdir)/gldns/keyraw.h \ + $(srcdir)/gldns/rrdef.h parse.lo parse.o: $(srcdir)/gldns/parse.c \ - config.h \ - $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h + config.h $(srcdir)/gldns/parse.h \ + $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \ - config.h \ - $(srcdir)/gldns/parseutil.h + config.h $(srcdir)/gldns/parseutil.h rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \ - config.h \ - $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h + config.h $(srcdir)/gldns/rrdef.h \ + $(srcdir)/gldns/parseutil.h str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \ - config.h \ - $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h + config.h $(srcdir)/gldns/str2wire.h \ + $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/parse.h \ + $(srcdir)/gldns/parseutil.h wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \ - config.h \ - $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \ - $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h + config.h $(srcdir)/gldns/wire2str.h \ + $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/parseutil.h \ + $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \ config.h arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \ 
@@ -547,8 +500,7 @@ strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \ config.h strptime.lo strptime.o: $(srcdir)/compat/strptime.c \ config.h -locks.lo locks.o: $(srcdir)/util/locks.c \ - config.h \ +locks.lo locks.o: $(srcdir)/util/locks.c config.h \ $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \ config.h \ @@ -560,10 +512,10 @@ lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \ $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \ - config.h \ - $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \ - $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h + config.h $(srcdir)/util/auxiliary/log.h \ + $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/fptr_wlist.h \ + $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/orig-headers/rbtree.h val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \ config.h \ $(srcdir)/util/auxiliary/util/data/packed_rrset.h \ 
@@ -573,40 +525,37 @@ val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \ $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \ $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h +tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \ + $(srcdir)/openssl/tls.h getdns/getdns.h yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h danessl.lo danessl.o: $(srcdir)/ssl_dane/danessl.c $(srcdir)/ssl_dane/danessl.h libev.lo libev.o: $(srcdir)/extension/libev.c \ - config.h \ - $(srcdir)/types-internal.h \ + config.h $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h libevent.lo libevent.o: $(srcdir)/extension/libevent.c \ - config.h \ - $(srcdir)/types-internal.h \ + config.h $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h libuv.lo libuv.o: $(srcdir)/extension/libuv.c \ - config.h \ - $(srcdir)/debug.h $(srcdir)/types-internal.h \ + config.h $(srcdir)/debug.h \ + $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \ - config.h \ - $(srcdir)/util-internal.h $(srcdir)/context.h \ - getdns/getdns.h \ + config.h $(srcdir)/util-internal.h \ + $(srcdir)/context.h getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \ $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \ - $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \ - $(srcdir)/util/orig-headers/lruhash.h 
$(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \ - $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ - $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/platform.h + $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \ + $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/openssl/tls.h $(srcdir)/platform.h $(srcdir)/debug.h select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \ - config.h \ - $(srcdir)/debug.h $(srcdir)/types-internal.h \ + config.h $(srcdir)/debug.h \ + $(srcdir)/types-internal.h \ getdns/getdns.h \ getdns/getdns_extra.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \ diff --git a/src/context.c b/src/context.c index 56d827ee..c0f4f8e1 100644 --- a/src/context.c +++ b/src/context.c @@ -47,20 +47,12 @@ #include typedef unsigned short in_port_t; -#include -#include -#include - #include #include #include #include #endif -#include -#include -#include - #include #include #include @@ -94,6 +86,7 @@ typedef unsigned short in_port_t; # include "ssl_dane/danessl.h" #endif #include "const-info.h" +#include "tls.h" #define GETDNS_PORT_ZERO 0 #define GETDNS_PORT_DNS 53 
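Review bot: `#include "tls.h"` added to context.c at @@ -94 relies on `-I$(srcdir)/openssl` being the first place a `tls.h` is found, and with `-I$(srcdir) -I.` ahead of it in `CFLAGS` a file of that name appearing in src/ or the build directory would shadow the backend header silently; a name this generic for the backend-selecting header is fragile. Writing `#include "openssl/tls.h"` pins the file (the quoted form searches the including file's directory first), at the cost of naming the backend in context.c; the alternative is to keep the bare name and make the backend include directory the first `-I`. Separately, the `tls.lo tls.o:` dependency line added in this patch lists only config.h, openssl/tls.h and getdns/getdns.h; if the Windows CA-store code removed from context.c at @@ -182, which calls `DEBUG_STUB`, was moved into openssl/tls.c, I would expect `$(srcdir)/debug.h` to appear there as well, so `make depend` may need re-running after the move.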
@@ -182,98 +175,6 @@ _getdns_strdup2(const struct mem_funcs *mfs, const getdns_bindata *s) } } -#ifdef USE_WINSOCK -/* For windows, the CA trust store is not read by openssl. - Add code to open the trust store using wincrypt API and add - the root certs into openssl trust store */ -static int -add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) -{ - HCERTSTORE hSystemStore; - PCCERT_CONTEXT pTargetCert = NULL; - - DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "Adding Windows certificates from system root store to CA store"); - - /* load just once per context lifetime for this version of getdns - TODO: dynamically update CA trust changes as they are available */ - if (!tls_ctx) - return 0; - - /* Call wincrypt's CertOpenStore to open the CA root store. */ - - if ((hSystemStore = CertOpenStore( - CERT_STORE_PROV_SYSTEM, - 0, - 0, - /* NOTE: mingw does not have this const: replace with 1 << 16 from code - CERT_SYSTEM_STORE_CURRENT_USER, */ - 1 << 16, - L"root")) == 0) - { - return 0; - } - - X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx); - if (!store) - return 0; - - /* failure if the CA store is empty or the call fails */ - if ((pTargetCert = CertEnumCertificatesInStore( - hSystemStore, pTargetCert)) == 0) { - DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "CA certificate store for Windows is empty."); - return 0; - } - /* iterate over the windows cert store and add to openssl store */ - do - { - X509 *cert1 = d2i_X509(NULL, - (const unsigned char **)&pTargetCert->pbCertEncoded, - pTargetCert->cbCertEncoded); - if (!cert1) { - /* return error if a cert fails */ - DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "Unable to parse certificate in memory", - ERR_get_error(), ERR_error_string(ERR_get_error(), NULL)); - return 0; - } - else { - /* return error if a cert add to store fails */ - if (X509_STORE_add_cert(store, cert1) == 0) { - unsigned long error = ERR_peek_last_error(); - - /* Ignore error 
X509_R_CERT_ALREADY_IN_HASH_TABLE which means the - * certificate is already in the store. */ - if(ERR_GET_LIB(error) != ERR_LIB_X509 || - ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { - DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "Error adding certificate", ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); - X509_free(cert1); - return 0; - } - } - X509_free(cert1); - } - } while ((pTargetCert = CertEnumCertificatesInStore( - hSystemStore, pTargetCert)) != 0); - - /* Clean up memory and quit. */ - if (pTargetCert) - CertFreeCertificateContext(pTargetCert); - if (hSystemStore) - { - if (!CertCloseStore( - hSystemStore, 0)) - return 0; - } - DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, - "Completed adding Windows certificates to CA store successfully"); - return 1; -} -#endif - static uint8_t* upstream_addr(getdns_upstream *upstream) { @@ -755,17 +656,17 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams) } } if (upstream->tls_session != NULL) - SSL_SESSION_free(upstream->tls_session); + _getdns_tls_session_free(upstream->tls_session); if (upstream->tls_obj != NULL) { - SSL_shutdown(upstream->tls_obj); + _getdns_tls_connection_shutdown(upstream->tls_obj); #ifdef USE_DANESSL # if defined(STUB_DEBUG) && STUB_DEBUG _stub_debug_print_openssl_errors(); # endif - DANESSL_cleanup(upstream->tls_obj); + DANESSL_cleanup(upstream->tls_obj->ssl); #endif - SSL_free(upstream->tls_obj); + _getdns_tls_connection_free(upstream->tls_obj); } if (upstream->fd != -1) { 
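Review bot: `DANESSL_cleanup(upstream->tls_obj->ssl)` reaches into the new wrapper's `ssl` member, so this call site still depends on the OpenSSL backend that `_getdns_tls_connection` is meant to hide; the same `->ssl` access appears in `_getdns_upstream_reset`, in the `SSL_CTX_dane_enable`/`DANESSL_CTX_init` calls of `_getdns_context_prepare_for_resolution`, and throughout `tls_create_object`/`tls_do_handshake` in stub.c. That is presumably deliberate for a first step (the commit says context only), but a comment at the struct definition marking `ssl` as backend-private and these accesses as transitional would keep later contributors from treating the field as public API, e.g. `/* Transitional: DANE setup still needs the raw SSL handle until it moves into tls.c */`. The return values of `_getdns_tls_connection_shutdown` and `_getdns_tls_connection_free` are dropped here, matching the old `SSL_shutdown`/`SSL_free` usage, which is acceptable for teardown. The enclosing function starts outside the hunk.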
@@ -877,14 +778,14 @@ _getdns_upstream_reset(getdns_upstream *upstream) upstream->loop, &upstream->event); } if (upstream->tls_obj != NULL) { - SSL_shutdown(upstream->tls_obj); + _getdns_tls_connection_shutdown(upstream->tls_obj); #ifdef USE_DANESSL # if defined(STUB_DEBUG) && STUB_DEBUG _stub_debug_print_openssl_errors(); # endif - DANESSL_cleanup(upstream->tls_obj); + DANESSL_cleanup(upstream->tls_obj->ssl); #endif - SSL_free(upstream->tls_obj); + _getdns_tls_connection_free(upstream->tls_obj); upstream->tls_obj = NULL; } if (upstream->fd != -1) { @@ -1689,18 +1590,7 @@ getdns_context_create_with_extended_memory_functions( #endif /* Only initialise SSL once and ideally in a thread-safe manner */ if (ssl_init == false) { -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) - OpenSSL_add_all_algorithms(); - SSL_library_init(); -# ifdef USE_DANESSL - (void) DANESSL_library_init(); -# endif -#else - OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS - | OPENSSL_INIT_ADD_ALL_DIGESTS - | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); - (void)OPENSSL_init_ssl(0, NULL); -#endif + _getdns_tls_init(); ssl_init = true; } #ifdef HAVE_PTHREAD @@ -1826,7 +1716,7 @@ getdns_context_destroy(struct getdns_context *context) GETDNS_FREE(context->my_mf, context->dns_transports); if (context->tls_ctx) - SSL_CTX_free(context->tls_ctx); + _getdns_tls_context_free(context->tls_ctx); getdns_list_destroy(context->dns_root_servers); @@ -3121,7 +3011,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context, (void) getdns_dict_get_bindata( dict, "tls_curves_list", &tls_curves_list); if (tls_curves_list) { -#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST +#if HAVE_TLS_CONN_CURVES_LIST upstream->tls_curves_list = _getdns_strdup2(&upstreams->mf , tls_curves_list); 
@@ -3168,7 +3058,7 @@ invalid_parameter: error: _getdns_upstreams_dereference(upstreams); return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; -#if !defined(HAVE_DECL_SSL_SET1_CURVES_LIST) || !HAVE_DECL_SSL_SET1_CURVES_LIST +#if !HAVE_TLS_CONN_CURVES_LIST not_implemented: _getdns_upstreams_dereference(upstreams); return GETDNS_RETURN_NOT_IMPLEMENTED; 
@@ -3690,46 +3580,31 @@ _getdns_context_prepare_for_resolution(getdns_context *context) if (context->tls_ctx == NULL) { #ifdef HAVE_TLS_v1_2 - /* Create client context, use TLS v1.2 only for now */ -# ifdef HAVE_TLS_CLIENT_METHOD - context->tls_ctx = SSL_CTX_new(TLS_client_method()); -# else - context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method()); -# endif - if(context->tls_ctx == NULL) + context->tls_ctx = _getdns_tls_context_new(); + if (context->tls_ctx == NULL) return GETDNS_RETURN_BAD_CONTEXT; -# ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION - if (!SSL_CTX_set_min_proto_version( - context->tls_ctx, TLS1_2_VERSION)) { - SSL_CTX_free(context->tls_ctx); + r = _getdns_tls_context_set_min_proto_1_2(context->tls_ctx); + if (r && r != GETDNS_RETURN_NOT_IMPLEMENTED) { + _getdns_tls_context_free(context->tls_ctx); context->tls_ctx = NULL; return GETDNS_RETURN_BAD_CONTEXT; } -# endif /* Be strict and only use the cipher suites recommended in RFC7525 Unless we later fallback to opportunistic. */ - if (!SSL_CTX_set_cipher_list(context->tls_ctx, + if (_getdns_tls_context_set_cipher_list(context->tls_ctx, context->tls_cipher_list ? 
context->tls_cipher_list : _getdns_default_tls_cipher_list)) return GETDNS_RETURN_BAD_CONTEXT; -# if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST if (context->tls_curves_list && - !SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list)) + _getdns_tls_context_set_curves_list(context->tls_ctx, context->tls_curves_list)) return GETDNS_RETURN_BAD_CONTEXT; -# endif + + /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/ - if ((context->tls_ca_file || context->tls_ca_path) && - SSL_CTX_load_verify_locations(context->tls_ctx - , context->tls_ca_file, context->tls_ca_path)) - ; /* pass */ -# ifndef USE_WINSOCK - else if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { -# else - else if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { -# endif /* USE_WINSOCK */ + if (!_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path)) { if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) return GETDNS_RETURN_BAD_CONTEXT; } @@ -3739,7 +3614,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context) # else (void) # endif - SSL_CTX_dane_enable(context->tls_ctx); + SSL_CTX_dane_enable(context->tls_ctx->ssl); DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); # elif defined(USE_DANESSL) @@ -3748,7 +3623,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context) # else (void) # endif - DANESSL_CTX_init(context->tls_ctx); + DANESSL_CTX_init(context->tls_ctx->ssl); DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); # endif 
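Review bot: The CA check `if (!_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path))` is inverted: the wrapper returns `GETDNS_RETURN_GOOD` (0) on success and `GETDNS_RETURN_GENERIC_ERROR` otherwise, exactly as the neighbouring `if (_getdns_tls_context_set_cipher_list(...)) return GETDNS_RETURN_BAD_CONTEXT;` already assumes, so a successfully loaded trust store now fails the context when `tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED`, while a failure to load any CA store is silently accepted and strict authentication proceeds with no trust anchors loaded, so every later verification fails with no indication of the configuration error at setup time. The line should read `if (_getdns_tls_context_set_ca(context->tls_ctx, context->tls_ca_file, context->tls_ca_path) != GETDNS_RETURN_GOOD) {`. The `r` assigned from `_getdns_tls_context_set_min_proto_1_2` must be declared earlier in the function, which starts outside the hunk.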
@@ -4159,32 +4034,7 @@ getdns_context_get_api_information(getdns_context* context) && ! getdns_dict_util_set_string( result, "default_hosts_location", GETDNS_FN_HOSTS) - && ! getdns_dict_set_int( - result, "openssl_build_version_number", OPENSSL_VERSION_NUMBER) - -#ifdef HAVE_OPENSSL_VERSION_NUM - && ! getdns_dict_set_int( - result, "openssl_version_number", OpenSSL_version_num()) -#endif -#ifdef HAVE_OPENSSL_VERSION - && ! getdns_dict_util_set_string( - result, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION)) - - && ! getdns_dict_util_set_string( - result, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS)) - - && ! getdns_dict_util_set_string( - result, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON)) - - && ! getdns_dict_util_set_string( - result, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM)) - - && ! getdns_dict_util_set_string( - result, "openssl_dir", OpenSSL_version(OPENSSL_DIR)) - - && ! getdns_dict_util_set_string( - result, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR)) -#endif + && ! _getdns_tls_get_api_information(result) && ! getdns_dict_set_int( result, "resolution_type", context->resolution_type) @@ -5497,7 +5347,7 @@ getdns_context_set_tls_curves_list( { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; -#if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST +#if HAVE_TLS_CTX_CURVES_LIST if (context->tls_curves_list) GETDNS_FREE(context->mf, context->tls_curves_list); context->tls_curves_list = tls_curves_list diff --git a/src/context.h b/src/context.h index 27dd2bee..61e7fc5d 100644 --- a/src/context.h +++ b/src/context.h @@ -50,6 +50,7 @@ #endif #include "rr-iter.h" #include "anchor.h" +#include "tls.h" struct getdns_dns_req; struct ub_ctx; 
@@ -201,8 +202,8 @@ typedef struct getdns_upstream { _getdns_rbtree_t netreq_by_query_id; /* TLS specific connection handling*/ - SSL* tls_obj; - SSL_SESSION* tls_session; + _getdns_tls_connection* tls_obj; + _getdns_tls_session* tls_session; getdns_tls_hs_state_t tls_hs_state; getdns_auth_state_t tls_auth_state; unsigned tls_fallback_ok : 1; @@ -371,7 +372,7 @@ struct getdns_context { int edns_maximum_udp_payload_size; /* -1 is unset */ uint8_t edns_client_subnet_private; uint16_t tls_query_padding_blocksize; - SSL_CTX* tls_ctx; + _getdns_tls_context* tls_ctx; getdns_update_callback update_callback; getdns_update_callback2 update_callback2; diff --git a/src/openssl/tls.c b/src/openssl/tls.c new file mode 100644 index 00000000..f6a663a6 --- /dev/null +++ b/src/openssl/tls.c 
@@ -0,0 +1,375 @@ +/** + * + * \file tls.c + * @brief getdns TLS functions + */ + +/* + * Copyright (c) 2018, NLnet Labs + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include +#include +#include +#include + +#include +#include + +#include "tls.h" + +#ifdef USE_DANESSL +# include "ssl_dane/danessl.h" +#endif + +#ifdef USE_WINSOCK +/* For windows, the CA trust store is not read by openssl. 
+ Add code to open the trust store using wincrypt API and add + the root certs into openssl trust store */ +static int +add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) +{ + HCERTSTORE hSystemStore; + PCCERT_CONTEXT pTargetCert = NULL; + + DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "Adding Windows certificates from system root store to CA store"); + + /* load just once per context lifetime for this version of getdns + TODO: dynamically update CA trust changes as they are available */ + if (!tls_ctx) + return 0; + + /* Call wincrypt's CertOpenStore to open the CA root store. */ + + if ((hSystemStore = CertOpenStore( + CERT_STORE_PROV_SYSTEM, + 0, + 0, + /* NOTE: mingw does not have this const: replace with 1 << 16 from code + CERT_SYSTEM_STORE_CURRENT_USER, */ + 1 << 16, + L"root")) == 0) + { + return 0; + } + + X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx); + if (!store) + return 0; + + /* failure if the CA store is empty or the call fails */ + if ((pTargetCert = CertEnumCertificatesInStore( + hSystemStore, pTargetCert)) == 0) { + DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "CA certificate store for Windows is empty."); + return 0; + } + /* iterate over the windows cert store and add to openssl store */ + do + { + X509 *cert1 = d2i_X509(NULL, + (const unsigned char **)&pTargetCert->pbCertEncoded, + pTargetCert->cbCertEncoded); + if (!cert1) { + /* return error if a cert fails */ + DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "Unable to parse certificate in memory", + ERR_get_error(), ERR_error_string(ERR_get_error(), NULL)); + return 0; + } + else { + /* return error if a cert add to store fails */ + if (X509_STORE_add_cert(store, cert1) == 0) { + unsigned long error = ERR_peek_last_error(); + + /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the + * certificate is already in the store. 
*/ + if(ERR_GET_LIB(error) != ERR_LIB_X509 || + ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { + DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "Error adding certificate", ERR_get_error(), + ERR_error_string(ERR_get_error(), NULL)); + X509_free(cert1); + return 0; + } + } + X509_free(cert1); + } + } while ((pTargetCert = CertEnumCertificatesInStore( + hSystemStore, pTargetCert)) != 0); + + /* Clean up memory and quit. */ + if (pTargetCert) + CertFreeCertificateContext(pTargetCert); + if (hSystemStore) + { + if (!CertCloseStore( + hSystemStore, 0)) + return 0; + } + DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, + "Completed adding Windows certificates to CA store successfully"); + return 1; +} +#endif + +void _getdns_tls_init() +{ +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) + OpenSSL_add_all_algorithms(); + SSL_library_init(); + +# ifdef USE_DANESSL + (void) DANESSL_library_init(); +# endif +#else + OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS + | OPENSSL_INIT_ADD_ALL_DIGESTS + | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + (void)OPENSSL_init_ssl(0, NULL); +#endif +} + +_getdns_tls_context* _getdns_tls_context_new() +{ + _getdns_tls_context* res; + + if (!(res = malloc(sizeof(struct _getdns_tls_context)))) + return NULL; + + /* Create client context, use TLS v1.2 only for now */ +# ifdef HAVE_TLS_CLIENT_METHOD + res->ssl = SSL_CTX_new(TLS_client_method()); +# else + res->ssl = SSL_CTX_new(TLSv1_2_client_method()); +# endif + if(res->ssl == NULL) { + free(res); + return NULL; + } + return res; +} + +getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx) +{ + if (!ctx || !ctx->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + SSL_CTX_free(ctx->ssl); + free(ctx); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx) +{ +#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION + if (!ctx || !ctx->ssl) + return 
GETDNS_RETURN_INVALID_PARAMETER; + if (!SSL_CTX_set_min_proto_version(ctx->ssl, TLS1_2_VERSION)) + return GETDNS_RETURN_BAD_CONTEXT; + return GETDNS_RETURN_GOOD; +#else + (void) ctx; + return GETDNS_RETURN_NOT_IMPLEMENTED; +#endif +} + +getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list) +{ + if (!ctx || !ctx->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + if (!SSL_CTX_set_cipher_list(ctx->ssl, list)) + return GETDNS_RETURN_BAD_CONTEXT; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list) +{ + if (!ctx || !ctx->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; +#if HAVE_TLS_CTX_CURVES_LIST + if (list && + !SSL_CTX_set1_curves_list(ctx->ssl, list)) + return GETDNS_RETURN_BAD_CONTEXT; +#else + (void) list; +#endif + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path) +{ + if (!ctx || !ctx->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + if ((file || path) && + SSL_CTX_load_verify_locations(ctx->ssl, file, path)) + return GETDNS_RETURN_GOOD; /* pass */ +#ifndef USE_WINSOCK + else if (SSL_CTX_set_default_verify_paths(ctx->ssl)) + return GETDNS_RETURN_GOOD; +#else + else if (add_WIN_cacerts_to_openssl_store(ctx->ssl)) + return GETDNS_RETURN_GOOD; +#endif /* USE_WINSOCK */ + return GETDNS_RETURN_GENERIC_ERROR; +} + +_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd) +{ + _getdns_tls_connection* res; + + if (!ctx || !ctx->ssl) + return NULL; + + if (!(res = malloc(sizeof(struct _getdns_tls_connection)))) + return NULL; + + res->ssl = SSL_new(ctx->ssl); + if (!res->ssl) { + free(res); + return NULL; + } + + if (!SSL_set_fd(res->ssl, fd)) { + SSL_free(res->ssl); + free(res); + return NULL; + } + + return res; +} + +getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* conn) +{ + if (!conn || !conn->ssl) + return 
GETDNS_RETURN_INVALID_PARAMETER; + SSL_free(conn->ssl); + free(conn); + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn) +{ + if (!conn || !conn->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + + switch(SSL_shutdown(conn->ssl)) + { + case 0: return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; + case 1: return GETDNS_RETURN_GOOD; + default: return GETDNS_RETURN_GENERIC_ERROR; + } +} + +getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list) +{ + if (!conn || !conn->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + if (!SSL_set_cipher_list(conn->ssl, list)) + return GETDNS_RETURN_BAD_CONTEXT; + return GETDNS_RETURN_GOOD; +} + +getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list) +{ + if (!conn || !conn->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; +#if HAVE_TLS_CONN_CURVES_LIST + if (list && + !SSL_set1_curves_list(conn->ssl, list)) + return GETDNS_RETURN_BAD_CONTEXT; +#else + (void) list; +#endif + return GETDNS_RETURN_GOOD; +} + +_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn) +{ + _getdns_tls_session* res; + + if (!conn || !conn->ssl) + return NULL; + + if (!(res = malloc(sizeof(struct _getdns_tls_session)))) + return NULL; + + res->ssl = SSL_get1_session(conn->ssl); + if (!res->ssl) { + free(res); + return NULL; + } + + return res; +} + +getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s) +{ + if (!s || !s->ssl) + return GETDNS_RETURN_INVALID_PARAMETER; + SSL_SESSION_free(s->ssl); + free(s); + return GETDNS_RETURN_GOOD; +} + + + +getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict) +{ + if (! getdns_dict_set_int( + dict, "openssl_build_version_number", OPENSSL_VERSION_NUMBER) + +#ifdef HAVE_OPENSSL_VERSION_NUM + && ! getdns_dict_set_int( + dict, "openssl_version_number", OpenSSL_version_num()) +#endif +#ifdef HAVE_OPENSSL_VERSION + && ! 
getdns_dict_util_set_string( + dict, "openssl_version_string", OpenSSL_version(OPENSSL_VERSION)) + + && ! getdns_dict_util_set_string( + dict, "openssl_cflags", OpenSSL_version(OPENSSL_CFLAGS)) + + && ! getdns_dict_util_set_string( + dict, "openssl_built_on", OpenSSL_version(OPENSSL_BUILT_ON)) + + && ! getdns_dict_util_set_string( + dict, "openssl_platform", OpenSSL_version(OPENSSL_PLATFORM)) + + && ! getdns_dict_util_set_string( + dict, "openssl_dir", OpenSSL_version(OPENSSL_DIR)) + + && ! getdns_dict_util_set_string( + dict, "openssl_engines_dir", OpenSSL_version(OPENSSL_ENGINES_DIR)) +#endif + ) + return GETDNS_RETURN_GOOD; + return GETDNS_RETURN_GENERIC_ERROR; +} + +/* tls.c */ diff --git a/src/openssl/tls.h b/src/openssl/tls.h new file mode 100644 index 00000000..f86aa465 --- /dev/null +++ b/src/openssl/tls.h 
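Review bot: `_getdns_tls_context_set_ca` silently falls back to the default trust store when an explicitly configured `file`/`path` fails to load in `SSL_CTX_load_verify_locations`, so a mistyped CA path is indistinguishable from no configuration and the single GOOD/GENERIC_ERROR result cannot report it; the fall-through is inherited from the code this replaces, but now that it sits behind one function it would be cheap to return `GETDNS_RETURN_GENERIC_ERROR` as soon as an explicitly given location fails, or to state in a comment that the fallback is intended. `_getdns_tls_connection_shutdown` maps `SSL_shutdown() == 0` (close_notify sent, the peer's not yet received) to `GETDNS_RETURN_CONTEXT_UPDATE_FAIL`, which reads as a context error rather than an in-progress shutdown; a comment on the mapping, or a dedicated return value, would help callers that eventually check it. The wrappers allocate with bare `malloc`/`free` rather than the library's mem_funcs, which is presumably deliberate for an opaque layer but deserves a line in the file header. Also `void _getdns_tls_init()` and `_getdns_tls_context_new()` are unprototyped declarations in C; use `(void)`.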
@@ -0,0 +1,84 @@ +/** + * + * \file tls.h + * @brief getdns TLS functions + */ + +/* + * Copyright (c) 2018, NLnet Labs + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef _GETDNS_TLS_H +#define _GETDNS_TLS_H + +#include "getdns/getdns.h" + +#ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST +#define HAVE_TLS_CTX_CURVES_LIST 0 +#else +#define HAVE_TLS_CTX_CURVES_LIST (HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) +#endif +#ifndef HAVE_DECL_SSL_SET1_CURVES_LIST +#define HAVE_TLS_CONN_CURVES_LIST 0 +#else +#define HAVE_TLS_CONN_CURVES_LIST (HAVE_DECL_SSL_SET1_CURVES_LIST) +#endif + +typedef struct _getdns_tls_context { + SSL_CTX* ssl; +} _getdns_tls_context; + +typedef struct _getdns_tls_connection { + SSL* ssl; +} _getdns_tls_connection; + +typedef struct _getdns_tls_session { + SSL_SESSION* ssl; +} _getdns_tls_session; + +void _getdns_tls_init(); + +_getdns_tls_context* _getdns_tls_context_new(); +getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx); + +getdns_return_t _getdns_tls_context_set_min_proto_1_2(_getdns_tls_context* ctx); +getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list); +getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list); +getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path); + +_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd); +getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx); +getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn); + +getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list); +getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list); +_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn); + +getdns_return_t _getdns_tls_session_free(_getdns_tls_session* ctx); + +getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict); + +#endif /* _GETDNS_TLS_H */ diff --git a/src/stub.c b/src/stub.c index 785d9f1f..8be04fd7 100644 --- a/src/stub.c 
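Review bot: The header declares `SSL_CTX*`, `SSL*` and `SSL_SESSION*` members but only includes `getdns/getdns.h`, so it compiles only when every includer has already pulled in `<openssl/ssl.h>`; context.h now includes it, and context.c drops several OpenSSL includes in this same commit (their names are not recoverable from this rendering), so the header should include `<openssl/ssl.h>` itself rather than rely on include order. The API also lacks ownership documentation: a comment on `_getdns_tls_connection_get_session` saying the caller owns the returned wrapper and must release it with `_getdns_tls_session_free`, and one on `_getdns_tls_connection_free` saying it does not close the `fd` passed to `_getdns_tls_connection_new`, would cover the two cases callers are most likely to get wrong. Minor: `_getdns_tls_init()` and `_getdns_tls_context_new()` should be declared `(void)`, and the parameters of `_getdns_tls_connection_free` and `_getdns_tls_session_free` are named `ctx` although they take a connection and a session.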
+++ b/src/stub.c @@ -915,28 +915,23 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) #endif /* #else defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */ -static SSL* +static _getdns_tls_connection* tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) { - /* Create SSL instance */ + /* Create SSL instance and connect with a file descriptor */ getdns_context *context = dnsreq->context; if (context->tls_ctx == NULL) return NULL; - SSL* ssl = SSL_new(context->tls_ctx); - if(!ssl) + _getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd); + if(!tls) return NULL; - /* Connect the SSL object with a file descriptor */ - if(!SSL_set_fd(ssl,fd)) { - SSL_free(ssl); - return NULL; - } #if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST if (upstream->tls_curves_list) - (void) SSL_set1_curves_list(ssl, upstream->tls_curves_list); + _getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list); #endif /* make sure we'll be able to find the context again when we need it */ - if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) { - SSL_free(ssl); + if (_getdns_associate_upstream_with_SSL(tls->ssl, upstream) != GETDNS_RETURN_GOOD) { + _getdns_tls_connection_free(tls); return NULL; } 
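Review bot: The `#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST` guard around `_getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list)` is now redundant, since the wrapper already compiles to a no-op under `#if HAVE_TLS_CONN_CURVES_LIST`, and it is inconsistent with context.c, which this commit switches to `HAVE_TLS_CONN_CURVES_LIST`; dropping the guard and keeping the explicit cast the old call had, `(void) _getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);`, keeps the two files in step. `_getdns_associate_upstream_with_SSL(tls->ssl, upstream)` still takes the raw handle, which is fine for now but worth a transitional comment. `tls_create_object` continues past the hunk.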
@@ -950,14 +945,14 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) /*Request certificate for the auth_name*/ DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name); - SSL_set_tlsext_host_name(ssl, upstream->tls_auth_name); + SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name); #if defined(HAVE_SSL_HN_AUTH) /* Set up native OpenSSL hostname verification * ( doesn't work with USE_DANESSL, but we verify the * name afterwards in such cases ) */ X509_VERIFY_PARAM *param; - param = SSL_get0_param(ssl); + param = SSL_get0_param(tls->ssl); X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0); #elif !defined(HAVE_X509_CHECK_HOST) @@ -968,7 +963,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) "%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n", upstream->addr_str); upstream->tls_hs_state = GETDNS_HS_FAILED; - SSL_free(ssl); + _getdns_tls_connection_free(tls); upstream->tls_auth_state = GETDNS_AUTH_FAILED; return NULL; } @@ -990,7 +985,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) "%-40s : Verify fail: *CONFIG ERROR* - No auth name or pinset provided for this upstream for Strict TLS authentication\n", upstream->addr_str); upstream->tls_hs_state = GETDNS_HS_FAILED; - SSL_free(ssl); + _getdns_tls_connection_free(tls); upstream->tls_auth_state = GETDNS_AUTH_FAILED; return NULL; } 
@@ -1002,12 +997,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) } } if (upstream->tls_fallback_ok) { - SSL_set_cipher_list(ssl, "DEFAULT"); + _getdns_tls_connection_set_cipher_list(tls, "DEFAULT"); DEBUG_STUB("%s %-35s: WARNING: Using Oppotunistic TLS (fallback allowed)!\n", STUB_DEBUG_SETUP_TLS, __FUNC__); } else { if (upstream->tls_cipher_list) - SSL_set_cipher_list(ssl, upstream->tls_cipher_list); + _getdns_tls_connection_set_cipher_list(tls, upstream->tls_cipher_list); DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, __FUNC__); } @@ -1018,20 +1013,20 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) # else (void) # endif - SSL_dane_enable(ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL); + SSL_dane_enable(tls->ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL); DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr); - SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); + SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); sha256_pin_t *pin_p; size_t n_pins = 0; for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) { - osr = SSL_dane_tlsa_add(ssl, 2, 1, 1, + osr = SSL_dane_tlsa_add(tls->ssl, 2, 1, 1, (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); if (osr > 0) ++n_pins; - osr = SSL_dane_tlsa_add(ssl, 3, 1, 1, + osr = SSL_dane_tlsa_add(tls->ssl, 3, 1, 1, (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_tlsa_add() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); 
@@ -1047,23 +1042,23 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) # else (void) # endif - DANESSL_init(ssl, + DANESSL_init(tls->ssl, *upstream->tls_auth_name ? upstream->tls_auth_name : NULL, *upstream->tls_auth_name ? auth_names : NULL ); DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr); - SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); + SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); sha256_pin_t *pin_p; size_t n_pins = 0; for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) { - osr = DANESSL_add_tlsa(ssl, 3, 1, "sha256", + osr = DANESSL_add_tlsa(tls->ssl, 3, 1, "sha256", (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); if (osr > 0) ++n_pins; - osr = DANESSL_add_tlsa(ssl, 2, 1, "sha256", + osr = DANESSL_add_tlsa(tls->ssl, 2, 1, "sha256", (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH); DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n" , STUB_DEBUG_SETUP_TLS, __FUNC__, osr); @@ -1071,14 +1066,14 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) ++n_pins; } } else { - SSL_set_verify(ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); + SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); } #else - SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback); + SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback); #endif - SSL_set_connect_state(ssl); - (void) SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + SSL_set_connect_state(tls->ssl); + (void) SSL_set_mode(tls->ssl, SSL_MODE_AUTO_RETRY); /* Session resumption. There are trade-offs here. Want to do it when possible only if we have the right type of connection. Note a change 
@@ -1087,12 +1082,12 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) if ((upstream->tls_fallback_ok == 0 && upstream->last_tls_auth_state == GETDNS_AUTH_OK) || upstream->tls_fallback_ok == 1) { - SSL_set_session(ssl, upstream->tls_session); + SSL_set_session(tls->ssl, upstream->tls_session->ssl); DEBUG_STUB("%s %-35s: Attempting session re-use\n", STUB_DEBUG_SETUP_TLS, __FUNC__); } } - return ssl; + return tls; } static int @@ -1103,9 +1098,9 @@ tls_do_handshake(getdns_upstream *upstream) int r; int want; ERR_clear_error(); - while ((r = SSL_do_handshake(upstream->tls_obj)) != 1) + while ((r = SSL_do_handshake(upstream->tls_obj->ssl)) != 1) { - want = SSL_get_error(upstream->tls_obj, r); + want = SSL_get_error(upstream->tls_obj->ssl, r); switch (want) { case SSL_ERROR_WANT_READ: GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); @@ -1131,12 +1126,12 @@ tls_do_handshake(getdns_upstream *upstream) } } /* A re-used session is not verified so need to fix up state in that case */ - if (SSL_session_reused(upstream->tls_obj)) + if (SSL_session_reused(upstream->tls_obj->ssl)) upstream->tls_auth_state = upstream->last_tls_auth_state; else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) { - X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj); - long verify_result = SSL_get_verify_result(upstream->tls_obj); + X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl); + long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl); /* In case of DANESSL use, and a tls_auth_name was given alongside a pinset, * we need to verify auth_name explicitely (otherwise it will not be checked, 
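Review bot: `SSL_set_session(tls->ssl, upstream->tls_session->ssl)` dereferences `upstream->tls_session`, which the old call passed straight through as a pointer that `SSL_set_session` accepts as NULL; unless the enclosing condition, which starts above the hunk, already tests `upstream->tls_session != NULL`, this turns a harmless no-op into a NULL dereference on the first connection to an upstream. `SSL_set_session(tls->ssl, upstream->tls_session ? upstream->tls_session->ssl : NULL);` preserves the previous behaviour either way. `tls_create_object` ends inside the hunk at `return tls;`.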
@@ -1187,7 +1182,7 @@ tls_do_handshake(getdns_upstream *upstream) else if (verify_result == X509_V_ERR_CERT_UNTRUSTED && upstream->tls_pubkey_pinset && !DANESSL_get_match_cert( - upstream->tls_obj, NULL, NULL, NULL)) + upstream->tls_obj->ssl, NULL, NULL, NULL)) _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, ( upstream->tls_fallback_ok
@@ -1245,8 +1240,8 @@ tls_do_handshake(getdns_upstream *upstream) upstream->conn_state = GETDNS_CONN_OPEN; upstream->conn_completed++; if (upstream->tls_session != NULL) - SSL_SESSION_free(upstream->tls_session); - upstream->tls_session = SSL_get1_session(upstream->tls_obj); + _getdns_tls_session_free(upstream->tls_session); + upstream->tls_session = _getdns_tls_connection_get_session(upstream->tls_obj); /* Reset timeout on success*/ GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); upstream->event.read_cb = NULL;
@@ -1287,7 +1282,7 @@ stub_tls_read(getdns_upstream *upstream, getdns_tcp_state *tcp, ssize_t read; uint8_t *buf; size_t buf_size; - SSL* tls_obj = upstream->tls_obj; + SSL* tls_obj = upstream->tls_obj->ssl; int q = tls_connected(upstream); if (q != 0)
@@ -1370,7 +1365,7 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp, ssize_t written; uint16_t query_id; intptr_t query_id_intptr; - SSL* tls_obj = upstream->tls_obj; + SSL* tls_obj = upstream->tls_obj->ssl; uint16_t padding_sz; int q = tls_connected(upstream);
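Review bot: `SSL* tls_obj = upstream->tls_obj->ssl;` in stub_tls_read (hunk at 1282) now dereferences `upstream->tls_obj` in the declaration, before the `tls_connected(upstream)` check that follows it; the replaced line only copied the pointer, so a NULL `tls_obj` used to be harmless until the check rejected the call. If tls_connected() is what guards a missing TLS object (its body is outside the hunk), keep `SSL* tls_obj;` with the other locals and assign `tls_obj = upstream->tls_obj->ssl;` only after the `if (q != 0)` early return; the hunk at 1365 in stub_tls_write has the identical pattern. Separately, the hunk at 1240 swaps `SSL_get1_session()` for `_getdns_tls_connection_get_session()` and stores the result unchecked; if the new getter allocates a wrapper, a NULL return is now possible from that allocation as well as from OpenSSL, and a one-line `/* owns one reference; released only by _getdns_tls_session_free() */` at the assignment would record the ownership contract the old SSL_SESSION_free() call made obvious. The bodies of stub_tls_read and stub_tls_write continue past their hunks.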
@@ -1875,12 +1870,12 @@ upstream_write_cb(void *userarg) if (netreq->owner->return_call_reporting && netreq->upstream->tls_obj) { if (netreq->debug_tls_peer_cert.data == NULL && - (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj))) { + (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj->ssl))) { netreq->debug_tls_peer_cert.size = i2d_X509( cert, &netreq->debug_tls_peer_cert.data); X509_free(cert); } - netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj); + netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj->ssl); } /* Need this because auth status is reset on connection close */ netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;
