mirror of https://github.com/getdnsapi/getdns.git
openssl 1.1 support
This commit is contained in:
parent
e10e774d32
commit
fdd3992f65
14
configure.ac
14
configure.ac
|
@ -223,7 +223,7 @@ else
|
|||
fi
|
||||
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method])
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
||||
AC_INCLUDES_DEFAULT
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
|
@ -404,6 +404,18 @@ case "$enable_ecdsa" in
|
|||
;;
|
||||
esac
|
||||
|
||||
AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))
|
||||
case "$enable_dsa" in
|
||||
no)
|
||||
;;
|
||||
*) dnl default
|
||||
# detect if DSA is supported, and turn it off if not.
|
||||
AC_CHECK_FUNC(EVP_dss1, [
|
||||
AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
|
||||
], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
|
||||
fi ])
|
||||
;;
|
||||
esac
|
||||
|
||||
AC_ARG_ENABLE(draft-dnssec-roadblock-avoidance, AC_HELP_STRING([--enable-draft-dnssec-roadblock-avoidance], [Enable experimental dnssec roadblock avoidance]))
|
||||
AC_ARG_ENABLE(draft-edns-cookies, AC_HELP_STRING([--enable-draft-edns-cookies], [Enable experimental edns cookies]))
|
||||
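Review bot: The new `AC_CHECK_FUNC(EVP_dss1, …)` probe in the second hunk silently decides DSA support, and I believe EVP_dss1 is one of the functions OpenSSL 1.1.0 removed, so on the very library this commit targets DSA ends up disabled by default and `--enable-dsa` becomes a hard configure error. That may be the intended outcome for a deprecated DNSSEC algorithm, but it should be visible to the person running configure: add an `AC_MSG_NOTICE` in the failure branch and widen the help text, e.g. `AC_HELP_STRING([--disable-dsa], [Disable DSA support (DSA is also disabled automatically when OpenSSL has no EVP_dss1)])`. It would also help a reader of the first hunk to know that `HMAC_CTX_new`, `HMAC_CTX_free` and `TLS_client_method` in the extended `AC_CHECK_FUNCS` list drive `#ifdef` branches in src/stub.c and src/context.c; a one-line `dnl` comment above the call naming those consumers would do.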
|
|
|
@ -47,16 +47,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
|
|||
ACX_RUNTIME_PATH_ADD([$ssldir/lib])
|
||||
fi
|
||||
|
||||
AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
|
||||
AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
|
||||
LIBS="-lssl -lcrypto $LIBS"
|
||||
LIBSSL_LIBS="-lssl -lcrypto $LIBSSL_LIBS"
|
||||
AC_TRY_LINK(, [
|
||||
int HMAC_CTX_init(void);
|
||||
(void)HMAC_CTX_init();
|
||||
int HMAC_Update(void);
|
||||
(void)HMAC_Update();
|
||||
], [
|
||||
AC_DEFINE([HAVE_HMAC_UPDATE], 1,
|
||||
[If you have HMAC_Update])
|
||||
AC_MSG_RESULT(yes)
|
||||
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
|
||||
[If you have HMAC_CTX_init])
|
||||
], [
|
||||
AC_MSG_RESULT(no)
|
||||
# check if -lwsock32 or -lgdi32 are needed.
|
||||
|
@ -66,11 +66,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
|
|||
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
|
||||
AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
|
||||
AC_TRY_LINK([], [
|
||||
int HMAC_CTX_init(void);
|
||||
(void)HMAC_CTX_init();
|
||||
int HMAC_Update(void);
|
||||
(void)HMAC_Update();
|
||||
],[
|
||||
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
|
||||
[If you have HMAC_CTX_init])
|
||||
AC_DEFINE([HAVE_HMAC_UPDATE], 1,
|
||||
[If you have HMAC_Update])
|
||||
AC_MSG_RESULT(yes)
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
|
@ -80,11 +80,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
|
|||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
|
||||
AC_MSG_CHECKING([if -lcrypto needs -ldl])
|
||||
AC_TRY_LINK([], [
|
||||
int HMAC_CTX_init(void);
|
||||
(void)HMAC_CTX_init();
|
||||
int HMAC_Update(void);
|
||||
(void)HMAC_Update();
|
||||
],[
|
||||
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
|
||||
[If you have HMAC_CTX_init])
|
||||
AC_DEFINE([HAVE_HMAC_UPDATE], 1,
|
||||
[If you have HMAC_Update])
|
||||
AC_MSG_RESULT(yes)
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
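Review bot: The same four-line link probe (`int HMAC_Update(void); (void)HMAC_Update();` preceded by the HMAC_CTX_init pair) is now written out three times in this section, once per `-lcrypto` link variant, and each copy also repeats the two `AC_DEFINE` calls; a single m4 helper that takes the library suffix would keep the three checks from drifting apart the next time a probe function is swapped. Note also that every copy still defines `HAVE_HMAC_CTX_INIT` alongside the new `HAVE_HMAC_UPDATE`, while the `AC_MSG_CHECKING` text was changed only to mention HMAC_Update; if HMAC_CTX_init is no longer what is being probed, the define text `[If you have HMAC_CTX_init]` is now misleading and should say that it is set whenever the `-lcrypto` link test succeeds. Whether any remaining source still keys on `HAVE_HMAC_CTX_INIT` cannot be seen from this page.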
|
|
|
@ -1232,7 +1232,7 @@ getdns_context_create_with_extended_memory_functions(
|
|||
result->edns_do_bit = 0;
|
||||
result->edns_client_subnet_private = 0;
|
||||
result->tls_query_padding_blocksize = 1; /* default is to not try to pad */
|
||||
result-> tls_ctx = NULL;
|
||||
result->tls_ctx = NULL;
|
||||
|
||||
result->extension = &result->default_eventloop.loop;
|
||||
_getdns_default_eventloop_init(&result->default_eventloop);
|
||||
|
@ -1926,17 +1926,19 @@ getdns_return_t
|
|||
getdns_context_set_dns_root_servers(
|
||||
getdns_context *context, getdns_list *addresses)
|
||||
{
|
||||
#if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB)
|
||||
#ifdef HAVE_LIBUNBOUND
|
||||
# ifndef HAVE_UB_CTX_SET_STUB
|
||||
char tmpfn[FILENAME_MAX] = P_tmpdir "/getdns-root-dns-servers-XXXXXX";
|
||||
FILE *fh;
|
||||
int fd;
|
||||
size_t dst_len;
|
||||
#endif
|
||||
# endif
|
||||
size_t i;
|
||||
getdns_dict *rr_dict;
|
||||
getdns_return_t r;
|
||||
getdns_bindata *addr_bd;
|
||||
char dst[2048];
|
||||
#endif
|
||||
getdns_list *newlist;
|
||||
|
||||
if (!context)
|
||||
|
@ -2893,9 +2895,22 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
|
|||
if (context->tls_ctx == NULL) {
|
||||
#ifdef HAVE_TLS_v1_2
|
||||
/* Create client context, use TLS v1.2 only for now */
|
||||
# ifdef HAVE_TLS_CLIENT_METHOD
|
||||
context->tls_ctx = SSL_CTX_new(TLS_client_method());
|
||||
# else
|
||||
context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
|
||||
# endif
|
||||
if(context->tls_ctx == NULL)
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
|
||||
# ifdef HAVE_TLS_CLIENT_METHOD
|
||||
if (!SSL_CTX_set_min_proto_version(
|
||||
context->tls_ctx, TLS1_2_VERSION)) {
|
||||
SSL_CTX_free(context->tls_ctx);
|
||||
context->tls_ctx = NULL;
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
}
|
||||
# endif
|
||||
/* Be strict and only use the cipher suites recommended in RFC7525
|
||||
Unless we later fallback to opportunistic. */
|
||||
const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM";
|
||||
|
@ -2903,11 +2918,11 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
|
|||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
/* For strict authentication, we must have local root certs available
|
||||
Set up is done only when the tls_ctx is created (per getdns_context)*/
|
||||
#ifndef USE_WINSOCK
|
||||
# ifndef USE_WINSOCK
|
||||
if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
|
||||
#else
|
||||
# else
|
||||
if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) {
|
||||
#endif /* USE_WINSOCK */
|
||||
# endif /* USE_WINSOCK */
|
||||
if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED)
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
}
|
||||
|
|
|
@ -393,18 +393,13 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
|
|||
}
|
||||
|
||||
x = sk_X509_value(store->untrusted, i);
|
||||
if (x->cert_info == NULL)
|
||||
continue;
|
||||
#if defined(STUB_DEBUG) && STUB_DEBUG
|
||||
DEBUG_STUB("%s %-35s: Name of cert: %d ",
|
||||
STUB_DEBUG_SETUP_TLS, __FUNCTION__, i);
|
||||
if (x->cert_info->subject != NULL)
|
||||
X509_NAME_print_ex_fp(stderr, x->cert_info->subject, 1, XN_FLAG_ONELINE);
|
||||
X509_NAME_print_ex_fp(stderr, X509_get_subject_name(x), 1, XN_FLAG_ONELINE);
|
||||
fprintf(stderr, "\n");
|
||||
#endif
|
||||
if (x->cert_info->key == NULL)
|
||||
continue;
|
||||
|
||||
/* digest the cert with sha256 */
|
||||
len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), NULL);
|
||||
if (len > sizeof(raw)) {
|
||||
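Review bot: After dropping the `x->cert_info->key == NULL` guard, the only check between `len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), NULL);` and the digest is `if (len > sizeof(raw))`; i2d functions return a negative value on error, and whether that case is rejected here depends on the declared type of `len`, which is outside the hunk (a signed `len` is promoted for the comparison and would be caught only by accident). An explicit `if (len <= 0) continue;` before the size comparison would make the intent clear and not rely on the promotion. The enclosing loop and the rest of `_getdns_verify_pinset_match` start and end outside this hunk.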
|
|
|
@ -459,7 +459,10 @@ _getdns_network_validate_tsig(getdns_network_req *req)
|
|||
unsigned int result_mac_len = EVP_MAX_MD_SIZE;
|
||||
uint16_t original_id;
|
||||
const EVP_MD *digester;
|
||||
HMAC_CTX ctx;
|
||||
HMAC_CTX *ctx;
|
||||
#ifndef HAVE_HMAC_CTX_NEW
|
||||
HMAC_CTX ctx_space;
|
||||
#endif
|
||||
|
||||
DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNCTION__);
|
||||
for ( rr = _getdns_rr_iter_init(&rr_spc, req->query,
|
||||
|
@ -587,14 +590,18 @@ _getdns_network_validate_tsig(getdns_network_req *req)
|
|||
#endif
|
||||
default : return;
|
||||
}
|
||||
|
||||
HMAC_CTX_init(&ctx);
|
||||
(void) HMAC_Init_ex(&ctx, req->upstream->tsig_key,
|
||||
#ifdef HAVE_HMAC_CTX_NEW
|
||||
ctx = HMAC_CTX_new();
|
||||
#else
|
||||
ctx = &ctx_space;
|
||||
HMAC_CTX_init(ctx);
|
||||
#endif
|
||||
(void) HMAC_Init_ex(ctx, req->upstream->tsig_key,
|
||||
req->upstream->tsig_size, digester, NULL);
|
||||
(void) HMAC_Update(&ctx, request_mac - 2, request_mac_len + 2);
|
||||
(void) HMAC_Update(&ctx, req->response, rr->pos - req->response);
|
||||
(void) HMAC_Update(&ctx, tsig_vars, gldns_buffer_position(&gbuf));
|
||||
HMAC_Final(&ctx, result_mac, &result_mac_len);
|
||||
(void) HMAC_Update(ctx, request_mac - 2, request_mac_len + 2);
|
||||
(void) HMAC_Update(ctx, req->response, rr->pos - req->response);
|
||||
(void) HMAC_Update(ctx, tsig_vars, gldns_buffer_position(&gbuf));
|
||||
HMAC_Final(ctx, result_mac, &result_mac_len);
|
||||
|
||||
DEBUG_STUB("%s %-35s: Result MAC length: %d\n",
|
||||
STUB_DEBUG_TSIG, __FUNCTION__, (int)(result_mac_len));
|
||||
|
@ -602,8 +609,11 @@ _getdns_network_validate_tsig(getdns_network_req *req)
|
|||
memcmp(result_mac, response_mac, result_mac_len) == 0)
|
||||
req->tsig_status = GETDNS_DNSSEC_SECURE;
|
||||
|
||||
HMAC_CTX_cleanup(&ctx);
|
||||
|
||||
#ifdef HAVE_HMAC_CTX_FREE
|
||||
HMAC_CTX_free(ctx);
|
||||
#else
|
||||
HMAC_CTX_cleanup(ctx);
|
||||
#endif
|
||||
gldns_write_uint16(req->response, gldns_read_uint16(req->query));
|
||||
gldns_write_uint16(req->response + 10,
|
||||
gldns_read_uint16(req->response + 10) + 1);
|
||||
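Review bot: `ctx = HMAC_CTX_new();` in the second hunk is not checked for NULL before `HMAC_Init_ex(ctx, …)` and the following `HMAC_Update`/`HMAC_Final` calls, so an allocation failure turns into a NULL dereference inside libcrypto on the TSIG validation path; the stack-allocated `ctx_space` branch did not have this failure mode. Since every HMAC return value is already discarded with `(void)`, the minimal fix is `if (ctx == NULL) return;` directly after the `HMAC_CTX_new()` call, leaving `req->tsig_status` at whatever value the caller initialised it to. While touching this code it is also worth noting that the MAC comparison on the context line `memcmp(result_mac, response_mac, result_mac_len) == 0` is not constant-time; `CRYPTO_memcmp` is the usual replacement when verifying an HMAC against attacker-controlled input. `_getdns_network_validate_tsig` begins and ends outside these hunks.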
|
|
|
@ -57,7 +57,9 @@ typedef struct getdns_sync_data {
|
|||
static getdns_return_t
|
||||
getdns_sync_data_init(getdns_context *context, getdns_sync_data *data)
|
||||
{
|
||||
#ifdef HAVE_LIBUNBOUND
|
||||
getdns_eventloop *ext = &context->sync_eventloop.loop;
|
||||
#endif
|
||||
|
||||
data->context = context;
|
||||
data->to_run = 1;
|
||||
|
|