From e710286e4522454ac75c5cb18feeb0c8cab4fea9 Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Mon, 21 Sep 2015 13:02:03 +0100
Subject: [PATCH] Start work on better authentication

---
 m4/acx_openssl.m4 | 12 +++++++++---
 src/context.c | 12 +++++++++---
 src/stub.c | 17 ++++++++++++++++-
 src/stub.h | 2 ++
 src/test/tests_transports.sh | 2 +-
 5 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/m4/acx_openssl.m4 b/m4/acx_openssl.m4
index 693075c4..e3aa4586 100644
--- a/m4/acx_openssl.m4
+++ b/m4/acx_openssl.m4
@@ -105,9 +105,15 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
-dnl Authentication now requires 1.0.2, which supports TLSv1.2
-AC_CHECK_LIB(ssl, SSL_CTX_get0_param,AC_DEFINE([HAVE_LIBSSL_102], [1],
- [Define if you have libssl 1.0.2 or later]),[AC_MSG_WARN([libssl 1.0.2 or higher is required for TLS authentication. TLS will not be available.])])
+
+dnl TLS v1.2 requires OpenSSL 1.0.1
+AC_CHECK_LIB(ssl, TLSv1_2_client_method,AC_DEFINE([HAVE_LIBTLS1_2], [1],
+ [Define if you have libssl with tls 1.2]),[AC_MSG_WARN([Cannot find TLSv1_2_client_method in libssl library. TLS will not be available.])])
+])dnl End of ACX_SSL_CHECKS
+
+dnl Authentication for TLS requires 1.0.2
+AC_CHECK_LIB(ssl, SSL_CTX_get0_param, AC_DEFINE([HAVE_LIBSSL_102], [1],
+ [Define if you have libssl 1.0.2 or later]),[AC_MSG_WARN([libssl 1.0.2 or higher is required for TLS authentication. Authenticated TLS will not be available.])])
 ])dnl End of ACX_SSL_CHECKS
 
 dnl Check for SSL, where SSL is mandatory
diff --git a/src/context.c b/src/context.c
index 0a7478c4..7e46d57e 100644
--- a/src/context.c
+++ b/src/context.c
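Review bot: The added `+])dnl End of ACX_SSL_CHECKS` closes the AC_DEFUN([ACX_SSL_CHECKS]) body before the SSL_CTX_get0_param probe, so the HAVE_LIBSSL_102 check now sits outside the macro and the original ` ])dnl End of ACX_SSL_CHECKS` context line below it becomes a second, unmatched closing. The authentication probe would then be expanded when the m4 file is read rather than when ACX_SSL_CHECKS is invoked from configure.ac, and the stray `])` is likely to break aclocal/autoconf altogether. Drop the added `])dnl End of ACX_SSL_CHECKS` line and the blank added line after it so both AC_CHECK_LIB calls stay inside the macro; the existing closing line already ends it.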
@@ -2176,15 +2176,21 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
 if (context->resolution_type == GETDNS_RESOLUTION_STUB) {
 if (tls_is_in_transports_list(context) == 1 && context->tls_ctx == NULL) {
-#ifdef HAVE_LIBSSL_102
+#ifdef HAVE_LIBTLS1_2
 /* Create client context, use TLS v1.2 only for now */
 context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
-#endif
 if(context->tls_ctx == NULL)
 return GETDNS_RETURN_BAD_CONTEXT;
- SSL_CTX_set_verify(context->tls_ctx, SSL_VERIFY_PEER, NULL);
+ SSL_CTX_set_verify(context->tls_ctx, SSL_VERIFY_PEER, _getdns_tls_verify_callback);
 if (!SSL_CTX_set_default_verify_paths(context->tls_ctx))
 return GETDNS_RETURN_BAD_CONTEXT;
+#else
+ if (tls_only_is_in_transports_list(context) == 1)
+ return GETDNS_RETURN_BAD_CONTEXT;
+ /* A null tls_ctx will make TLS fail and fallback to the other
+ transports will kick-in.*/
+#endif
+ }
 }
 /* Block use of STARTTLS/TLS ONLY in recursive mode as it won't work */
diff --git a/src/stub.c b/src/stub.c
index b9da8d17..6cb5ce57 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -827,8 +827,13 @@ tls_create_object(getdns_context *context, int fd, const char* auth_name)
 {
 #ifdef HAVE_LIBSSL_102
 /* Create SSL instance */
- if (context->tls_ctx == NULL || auth_name == NULL)
+ if (context->tls_ctx == NULL)
 return NULL;
+
+ // if (auth_name[0] == '\0') {
+ // DEBUG_STUB("--- %s, ERROR: No host name provided for authentication\n", __FUNCTION__);
+ // return NULL;
+ // }
 SSL* ssl = SSL_new(context->tls_ctx);
 X509_VERIFY_PARAM *param;
@@ -851,6 +856,16 @@ tls_create_object(getdns_context *context, int fd, const char* auth_name)
 #endif
 }
 
+int
+_getdns_tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
+ int err;
+ err = X509_STORE_CTX_get_error(ctx);
+ const char * err_str;
+ err_str = X509_verify_cert_error_string(err);
+ DEBUG_STUB("--- %s, ERROR: %s\n", __FUNCTION__, err_str);
+ return 1;
+}
+
 static int
 tls_do_handshake(getdns_upstream *upstream)
 {
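Review bot: The new `#else` branch leaves tls_ctx NULL when TLS is in the transport list but libssl lacks TLSv1_2_client_method, and its comment says the fallback to the other transports will kick in; from the caller's side that is a silent downgrade of a TLS request to TCP/UDP, so the decision point deserves a debug log line rather than only a source comment, e.g. `/* TLS requested but not built in: tls_ctx stays NULL, transport falls back */` next to an actual log call. The branch also calls `tls_only_is_in_transports_list`, which this patch does not add; if it is not already defined in context.c, the build without HAVE_LIBTLS1_2 — exactly the configuration this branch exists for — will not compile. The added closing `}` changes the brace structure of the block; _getdns_context_prepare_for_resolution continues outside the hunk, so whether the outer `if` remains balanced cannot be checked from here.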
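Review bot: The `auth_name == NULL` guard in tls_create_object is dropped while its replacement (the empty-name check) is left commented out, so the function no longer rejects a missing authentication name at all; the body continues outside the hunk, so whether auth_name is dereferenced later (the `X509_VERIFY_PARAM *param;` declaration suggests a hostname is applied to it) cannot be confirmed here. If the intent is to permit TLS without a name, say so at the guard, e.g. `/* auth_name may be NULL: TLS without hostname verification */`, and make sure the code below handles NULL explicitly; otherwise restore `if (context->tls_ctx == NULL || auth_name == NULL) return NULL;`. Either way, the commented-out block with its DEBUG_STUB message should not be committed as dead code.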
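Review bot: `_getdns_tls_verify_callback` returns 1 unconditionally, so the `SSL_CTX_set_verify(context->tls_ctx, SSL_VERIFY_PEER, _getdns_tls_verify_callback)` installed in the context.c hunk accepts every certificate chain whatever the verification error; with the previous NULL callback, SSL_VERIFY_PEER actually failed the handshake on an untrusted chain, so this commit turns certificate validation into log-only. `preverify_ok` is ignored, and the DEBUG_STUB line also fires on every successful invocation, printing the "ok" string as an ERROR. Return preverify_ok and log only the failing case, as below; if always-accept is deliberate scaffolding for the authentication work named in the subject, mark it with a loud TODO at the return rather than leaving it silent.
```c
int
_getdns_tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
	/* Return value decides the handshake: 0 aborts it, non-zero continues.
	   preverify_ok already carries the result of OpenSSL's own chain
	   verification, so only the failing case is logged. */
	if (!preverify_ok) {
		int err = X509_STORE_CTX_get_error(ctx);
		DEBUG_STUB("--- %s, ERROR: %s\n", __FUNCTION__,
		           X509_verify_cert_error_string(err));
	}
	return preverify_ok;
}
```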
diff --git a/src/stub.h b/src/stub.h
index 41aa629a..e10c39be 100644
--- a/src/stub.h
+++ b/src/stub.h
@@ -41,6 +41,8 @@ getdns_return_t _getdns_submit_stub_request(getdns_network_req *netreq);
 void _getdns_cancel_stub_request(getdns_network_req *netreq);
+int _getdns_tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
+
 #endif /* stub.h */
diff --git a/src/test/tests_transports.sh b/src/test/tests_transports.sh
index 98c3aec3..ec75e7ab 100755
--- a/src/test/tests_transports.sh
+++ b/src/test/tests_transports.sh
@@ -55,7 +55,7 @@ usage () {
 echo "can be specified via the command line option."
 echo
 echo "usage: test_transport.sh"
- ehco " -p path to getdns_query binary"
+ echo " -p path to getdns_query binary"
 echo " -s server configured for only TCP and UDP"
 echo " -t server configured for TLS, STARTTLS, TCP and UDP"
 echo " (This must include the hostname e.g. 185.49.141.38~www.dnssec-name-and-shame.com)"
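Review bot: The new prototype names `X509_STORE_CTX` unconditionally, while its only caller in this patch (context.c) is compiled under `#ifdef HAVE_LIBTLS1_2`; the includes at the top of stub.h are outside the hunk, so whether the OpenSSL header providing that type is already pulled in for every translation unit that includes stub.h cannot be confirmed here. Guarding the declaration with the same conditional as its use, or ensuring the OpenSSL header is included, avoids a build break in non-TLS configurations. The callback's contract is also worth a line at the declaration, e.g. `/* SSL_CTX_set_verify() callback: return non-zero to continue the handshake, 0 to abort it */`.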