interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

openssl 1.1 support

This commit is contained in:
Willem Toorop 2016-03-24 14:02:18 +01:00
parent e10e774d32
commit fdd3992f65
6 changed files with 70 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
configure.ac
View File

@ -223,7 +223,7 @@ else
fi fi
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode]) AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
AC_INCLUDES_DEFAULT AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H #ifdef HAVE_OPENSSL_ERR_H
@ -404,6 +404,18 @@ case "$enable_ecdsa" in
;; ;;
esac esac
AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))
case "$enable_dsa" in
no)
;;
*) dnl default
# detect if DSA is supported, and turn it off if not.
AC_CHECK_FUNC(EVP_dss1, [
AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
fi ])
;;
esac
AC_ARG_ENABLE(draft-dnssec-roadblock-avoidance, AC_HELP_STRING([--enable-draft-dnssec-roadblock-avoidance], [Enable experimental dnssec roadblock avoidance])) AC_ARG_ENABLE(draft-dnssec-roadblock-avoidance, AC_HELP_STRING([--enable-draft-dnssec-roadblock-avoidance], [Enable experimental dnssec roadblock avoidance]))
AC_ARG_ENABLE(draft-edns-cookies, AC_HELP_STRING([--enable-draft-edns-cookies], [Enable experimental edns cookies])) AC_ARG_ENABLE(draft-edns-cookies, AC_HELP_STRING([--enable-draft-edns-cookies], [Enable experimental edns cookies]))

26
m4/acx_openssl.m4
View File

@ -47,16 +47,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
ACX_RUNTIME_PATH_ADD([$ssldir/lib]) ACX_RUNTIME_PATH_ADD([$ssldir/lib])
fi fi
AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto]) AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
LIBS="-lssl -lcrypto $LIBS" LIBS="-lssl -lcrypto $LIBS"
LIBSSL_LIBS="-lssl -lcrypto $LIBSSL_LIBS" LIBSSL_LIBS="-lssl -lcrypto $LIBSSL_LIBS"
AC_TRY_LINK(, [ AC_TRY_LINK(, [
int HMAC_CTX_init(void); int HMAC_Update(void);
(void)HMAC_CTX_init(); (void)HMAC_Update();
], [ ], [
AC_DEFINE([HAVE_HMAC_UPDATE], 1,
[If you have HMAC_Update])
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
[If you have HMAC_CTX_init])
], [ ], [
AC_MSG_RESULT(no) AC_MSG_RESULT(no)
# check if -lwsock32 or -lgdi32 are needed. # check if -lwsock32 or -lgdi32 are needed.
@ -66,11 +66,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32" LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
AC_MSG_CHECKING([if -lcrypto needs -lgdi32]) AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
AC_TRY_LINK([], [ AC_TRY_LINK([], [
int HMAC_CTX_init(void); int HMAC_Update(void);
(void)HMAC_CTX_init(); (void)HMAC_Update();
],[ ],[
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, AC_DEFINE([HAVE_HMAC_UPDATE], 1,
[If you have HMAC_CTX_init]) [If you have HMAC_Update])
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
],[ ],[
AC_MSG_RESULT(no) AC_MSG_RESULT(no)
@ -80,11 +80,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
LIBSSL_LIBS="$LIBSSL_LIBS -ldl" LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
AC_MSG_CHECKING([if -lcrypto needs -ldl]) AC_MSG_CHECKING([if -lcrypto needs -ldl])
AC_TRY_LINK([], [ AC_TRY_LINK([], [
int HMAC_CTX_init(void); int HMAC_Update(void);
(void)HMAC_CTX_init(); (void)HMAC_Update();
],[ ],[
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, AC_DEFINE([HAVE_HMAC_UPDATE], 1,
[If you have HMAC_CTX_init]) [If you have HMAC_Update])
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
],[ ],[
AC_MSG_RESULT(no) AC_MSG_RESULT(no)

27
src/context.c
View File

@ -1232,7 +1232,7 @@ getdns_context_create_with_extended_memory_functions(
result->edns_do_bit = 0; result->edns_do_bit = 0;
result->edns_client_subnet_private = 0; result->edns_client_subnet_private = 0;
result->tls_query_padding_blocksize = 1; /* default is to not try to pad */ result->tls_query_padding_blocksize = 1; /* default is to not try to pad */
result-> tls_ctx = NULL; result->tls_ctx = NULL;
result->extension = &result->default_eventloop.loop; result->extension = &result->default_eventloop.loop;
_getdns_default_eventloop_init(&result->default_eventloop); _getdns_default_eventloop_init(&result->default_eventloop);
@ -1926,17 +1926,19 @@ getdns_return_t
getdns_context_set_dns_root_servers( getdns_context_set_dns_root_servers(
getdns_context *context, getdns_list *addresses) getdns_context *context, getdns_list *addresses)
{ {
#if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB) #ifdef HAVE_LIBUNBOUND
# ifndef HAVE_UB_CTX_SET_STUB
char tmpfn[FILENAME_MAX] = P_tmpdir "/getdns-root-dns-servers-XXXXXX"; char tmpfn[FILENAME_MAX] = P_tmpdir "/getdns-root-dns-servers-XXXXXX";
FILE *fh; FILE *fh;
int fd; int fd;
size_t dst_len; size_t dst_len;
#endif # endif
size_t i; size_t i;
getdns_dict *rr_dict; getdns_dict *rr_dict;
getdns_return_t r; getdns_return_t r;
getdns_bindata *addr_bd; getdns_bindata *addr_bd;
char dst[2048]; char dst[2048];
#endif
getdns_list *newlist; getdns_list *newlist;
if (!context) if (!context)
@ -2893,9 +2895,22 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
if (context->tls_ctx == NULL) { if (context->tls_ctx == NULL) {
#ifdef HAVE_TLS_v1_2 #ifdef HAVE_TLS_v1_2
/* Create client context, use TLS v1.2 only for now */ /* Create client context, use TLS v1.2 only for now */
# ifdef HAVE_TLS_CLIENT_METHOD
context->tls_ctx = SSL_CTX_new(TLS_client_method());
# else
context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method()); context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
# endif
if(context->tls_ctx == NULL) if(context->tls_ctx == NULL)
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
# ifdef HAVE_TLS_CLIENT_METHOD
if (!SSL_CTX_set_min_proto_version(
context->tls_ctx, TLS1_2_VERSION)) {
SSL_CTX_free(context->tls_ctx);
context->tls_ctx = NULL;
return GETDNS_RETURN_BAD_CONTEXT;
}
# endif
/* Be strict and only use the cipher suites recommended in RFC7525 /* Be strict and only use the cipher suites recommended in RFC7525
Unless we later fallback to opportunistic. */ Unless we later fallback to opportunistic. */
const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM"; const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM";
@ -2903,11 +2918,11 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
/* For strict authentication, we must have local root certs available /* For strict authentication, we must have local root certs available
Set up is done only when the tls_ctx is created (per getdns_context)*/ Set up is done only when the tls_ctx is created (per getdns_context)*/
#ifndef USE_WINSOCK # ifndef USE_WINSOCK
if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
#else # else
if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) {
#endif /* USE_WINSOCK */ # endif /* USE_WINSOCK */
if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED)
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;
} }

7
src/pubkey-pinning.c
View File

@ -393,18 +393,13 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
} }
x = sk_X509_value(store->untrusted, i); x = sk_X509_value(store->untrusted, i);
if (x->cert_info == NULL)
continue;
#if defined(STUB_DEBUG) && STUB_DEBUG #if defined(STUB_DEBUG) && STUB_DEBUG
DEBUG_STUB("%s %-35s: Name of cert: %d ", DEBUG_STUB("%s %-35s: Name of cert: %d ",
STUB_DEBUG_SETUP_TLS, __FUNCTION__, i); STUB_DEBUG_SETUP_TLS, __FUNCTION__, i);
if (x->cert_info->subject != NULL) if (x->cert_info->subject != NULL)
X509_NAME_print_ex_fp(stderr, x->cert_info->subject, 1, XN_FLAG_ONELINE); X509_NAME_print_ex_fp(stderr, X509_get_subject_name(x), 1, XN_FLAG_ONELINE);
fprintf(stderr, "\n"); fprintf(stderr, "\n");
#endif #endif
if (x->cert_info->key == NULL)
continue;
/* digest the cert with sha256 */ /* digest the cert with sha256 */
len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), NULL); len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), NULL);
if (len > sizeof(raw)) { if (len > sizeof(raw)) {

30
src/request-internal.c
View File

@ -459,7 +459,10 @@ _getdns_network_validate_tsig(getdns_network_req *req)
unsigned int result_mac_len = EVP_MAX_MD_SIZE; unsigned int result_mac_len = EVP_MAX_MD_SIZE;
uint16_t original_id; uint16_t original_id;
const EVP_MD *digester; const EVP_MD *digester;
HMAC_CTX ctx; HMAC_CTX *ctx;
#ifndef HAVE_HMAC_CTX_NEW
HMAC_CTX ctx_space;
#endif
DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNCTION__); DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNCTION__);
for ( rr = _getdns_rr_iter_init(&rr_spc, req->query, for ( rr = _getdns_rr_iter_init(&rr_spc, req->query,
@ -587,14 +590,18 @@ _getdns_network_validate_tsig(getdns_network_req *req)
#endif #endif
default : return; default : return;
} }
#ifdef HAVE_HMAC_CTX_NEW
HMAC_CTX_init(&ctx); ctx = HMAC_CTX_new();
(void) HMAC_Init_ex(&ctx, req->upstream->tsig_key, #else
ctx = &ctx_space;
HMAC_CTX_init(ctx);
#endif
(void) HMAC_Init_ex(ctx, req->upstream->tsig_key,
req->upstream->tsig_size, digester, NULL); req->upstream->tsig_size, digester, NULL);
(void) HMAC_Update(&ctx, request_mac - 2, request_mac_len + 2); (void) HMAC_Update(ctx, request_mac - 2, request_mac_len + 2);
(void) HMAC_Update(&ctx, req->response, rr->pos - req->response); (void) HMAC_Update(ctx, req->response, rr->pos - req->response);
(void) HMAC_Update(&ctx, tsig_vars, gldns_buffer_position(&gbuf)); (void) HMAC_Update(ctx, tsig_vars, gldns_buffer_position(&gbuf));
HMAC_Final(&ctx, result_mac, &result_mac_len); HMAC_Final(ctx, result_mac, &result_mac_len);
DEBUG_STUB("%s %-35s: Result MAC length: %d\n", DEBUG_STUB("%s %-35s: Result MAC length: %d\n",
STUB_DEBUG_TSIG, __FUNCTION__, (int)(result_mac_len)); STUB_DEBUG_TSIG, __FUNCTION__, (int)(result_mac_len));
@ -602,8 +609,11 @@ _getdns_network_validate_tsig(getdns_network_req *req)
memcmp(result_mac, response_mac, result_mac_len) == 0) memcmp(result_mac, response_mac, result_mac_len) == 0)
req->tsig_status = GETDNS_DNSSEC_SECURE; req->tsig_status = GETDNS_DNSSEC_SECURE;
HMAC_CTX_cleanup(&ctx); #ifdef HAVE_HMAC_CTX_FREE
HMAC_CTX_free(ctx);
#else
HMAC_CTX_cleanup(ctx);
#endif
gldns_write_uint16(req->response, gldns_read_uint16(req->query)); gldns_write_uint16(req->response, gldns_read_uint16(req->query));
gldns_write_uint16(req->response + 10, gldns_write_uint16(req->response + 10,
gldns_read_uint16(req->response + 10) + 1); gldns_read_uint16(req->response + 10) + 1);

2
src/sync.c
View File

@ -57,7 +57,9 @@ typedef struct getdns_sync_data {
static getdns_return_t static getdns_return_t
getdns_sync_data_init(getdns_context *context, getdns_sync_data *data) getdns_sync_data_init(getdns_context *context, getdns_sync_data *data)
{ {
#ifdef HAVE_LIBUNBOUND
getdns_eventloop *ext = &context->sync_eventloop.loop; getdns_eventloop *ext = &context->sync_eventloop.loop;
#endif
data->context = context; data->context = context;
data->to_run = 1; data->to_run = 1;