Start work on better authentication

m4/acx_openssl.m4

@@ -105,9 +105,15 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
-dnl Authentication now requires 1.0.2, which supports TLSv1.2
+
-AC_CHECK_LIB(ssl, SSL_CTX_get0_param,AC_DEFINE([HAVE_LIBSSL_102], [1],
+dnl TLS v1.2 requires OpenSSL 1.0.1
-    [Define if you have libssl 1.0.2 or later]),[AC_MSG_WARN([libssl 1.0.2 or higher is required for TLS authentication. TLS will not be available.])])
+AC_CHECK_LIB(ssl, TLSv1_2_client_method,AC_DEFINE([HAVE_LIBTLS1_2], [1],
+    [Define if you have libssl with tls 1.2]),[AC_MSG_WARN([Cannot find TLSv1_2_client_method in libssl library. TLS will not be available.])])
+])dnl End of ACX_SSL_CHECKS
+
+dnl Authentication for TLS requires 1.0.2
+AC_CHECK_LIB(ssl, SSL_CTX_get0_param, AC_DEFINE([HAVE_LIBSSL_102], [1],
+    [Define if you have libssl 1.0.2 or later]),[AC_MSG_WARN([libssl 1.0.2 or higher is required for TLS authentication. Authenticated TLS will not be available.])])
 ])dnl End of ACX_SSL_CHECKS
 
 dnl Check for SSL, where SSL is mandatory

src/context.c

@@ -2176,15 +2176,21 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
 	if (context->resolution_type == GETDNS_RESOLUTION_STUB) {
 		if (tls_is_in_transports_list(context) == 1 &&
 		    context->tls_ctx == NULL) {
-#ifdef HAVE_LIBSSL_102
+#ifdef HAVE_LIBTLS1_2
 			/* Create client context, use TLS v1.2 only for now */
 			context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
-#endif
 			if(context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
-			SSL_CTX_set_verify(context->tls_ctx, SSL_VERIFY_PEER, NULL);
+			SSL_CTX_set_verify(context->tls_ctx, SSL_VERIFY_PEER, _getdns_tls_verify_callback);
 			if (!SSL_CTX_set_default_verify_paths(context->tls_ctx))
 				return GETDNS_RETURN_BAD_CONTEXT;
+#else
+			if (tls_only_is_in_transports_list(context) == 1)
+				return GETDNS_RETURN_BAD_CONTEXT;
+			/* A null tls_ctx will make TLS fail and fallback to the other
+			   transports will kick-in.*/
+#endif
+
 		}
 	}
 	/* Block use of STARTTLS/TLS ONLY in recursive mode as it won't work */

src/stub.c

@@ -827,8 +827,13 @@ tls_create_object(getdns_context *context, int fd, const char* auth_name)
 {
 #ifdef HAVE_LIBSSL_102
 	/* Create SSL instance */
-	if (context->tls_ctx == NULL || auth_name == NULL)
+	if (context->tls_ctx == NULL)
 		return NULL;
+
+	// if (auth_name[0] == '\0') {
+	// 	DEBUG_STUB("--- %s, ERROR: No host name provided for authentication\n", __FUNCTION__);
+	// 	return NULL;
+	// }
 	SSL* ssl = SSL_new(context->tls_ctx);
 	X509_VERIFY_PARAM *param;
 
@@ -851,6 +856,16 @@ tls_create_object(getdns_context *context, int fd, const char* auth_name)
 #endif
 }
 
+int 
+_getdns_tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
+	int     err;
+	err = X509_STORE_CTX_get_error(ctx);
+	const char * err_str;
+	err_str = X509_verify_cert_error_string(err);
+	DEBUG_STUB("--- %s, ERROR: %s\n", __FUNCTION__, err_str);
+	return 1;
+}
+
 static int
 tls_do_handshake(getdns_upstream *upstream)
 {

src/stub.h

@@ -41,6 +41,8 @@ getdns_return_t _getdns_submit_stub_request(getdns_network_req *netreq);
 
 void _getdns_cancel_stub_request(getdns_network_req *netreq);
 
+int _getdns_tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
+
 #endif
 
 /* stub.h */

src/test/tests_transports.sh

@@ -55,7 +55,7 @@ usage () {
 	echo "can be specified via the command line option."
 	echo
 	echo "usage: test_transport.sh"
-	ehco "         -p   path to getdns_query binary"
+	echo "         -p   path to getdns_query binary"
 	echo "         -s   server configured for only TCP and UDP"
 	echo "         -t   server configured for TLS, STARTTLS, TCP and UDP"
 	echo "              (This must include the hostname e.g. 185.49.141.38~www.dnssec-name-and-shame.com)"