Support for IPv4

More auth_status in "call_reporting dict"
Key "tls_auth_pin" == 1 when a pin from a pinset is used to authenticate the tls session, 0 otherwise Key "tls_auth_pkix" == 1 when the cert was signed with a CA in the verification location, 0 if it was not PKIX authenticated and 2 if unkown (for example when a pinset was sufficient to authenticate the session)
2022-09-02 10:40:32 +02:00 · 2022-09-02 10:03:46 +02:00 · 2022-08-29 08:57:54 +02:00 · 2022-08-22 10:41:05 +02:00
10 changed files with 91 additions and 4 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -262,6 +262,7 @@ check_include_file(inttypes.h HAVE_INTTYPES_H)
 check_include_file(limits.h HAVE_LIMITS_H)
 check_include_file(sys/limits.h HAVE_SYS_LIMITS_H)
 check_include_file(stdarg.h HAVE_STDARG_H)
+check_include_file(stddef.h HAVE_STDDEF_H)
 check_include_file(stdint.h HAVE_STDINT_H)
 check_include_file(stdio.h HAVE_STDIO_H)
 check_include_file(stdlib.h HAVE_STDLIB_H)
--- a/cmake/include/cmakeconfig.h.in
+++ b/cmake/include/cmakeconfig.h.in
@ -15,6 +15,7 @@
 #cmakedefine HAVE_LIMITS_H      1
 #cmakedefine HAVE_SYS_LIMITS_H  1
 #cmakedefine HAVE_STDARG_H      1
+#cmakedefine HAVE_STDDEF_H      1
 #cmakedefine HAVE_STDINT_H      1
 #cmakedefine HAVE_STDIO_H       1
 #cmakedefine HAVE_STDLIB_H      1
@ -241,6 +242,10 @@
 #  define FD_SETSIZE 1024
 # endif

+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* the version of the windows API enabled */
 # ifndef WINVER
 #  define WINVER 0x0600 // 0x0502
@ -307,12 +312,11 @@
 #include <string.h>
 #endif

-#ifdef __cplusplus
-extern "C" {
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
 #endif

-#if STDC_HEADERS
-#include <stdlib.h>
+#ifdef HAVE_STDDEF_H
 #include <stddef.h>
 #endif

--- a/src/context.c
+++ b/src/context.c
@ -3589,6 +3589,7 @@ getdns_context_set_local_proxy_policy(getdns_context *context,
 	size_t i, j;
 	getdns_proxy_policies *policies;
 	getdns_list *resolvers;
+	struct sockaddr_in *sin4p;
 	struct sockaddr_in6 *sin6p;

 fprintf(stderr, "in getdns_context_set_local_proxy_policy\n");
@ -3677,6 +3678,12 @@ fprintf(stderr, "in getdns_context_set_local_proxy_policy\n");
 					== 0) {
 					if (addr_data->size != 4)
 						goto error;
+					sin4p= (struct sockaddr_in *)
+						&policies->policies[i].addrs[j];
+					sin4p->sin_family= AF_INET;
+					memcpy(&sin4p->sin_addr,
+						addr_data->data, 
+						sizeof(sin4p->sin_addr));
 				}
 				else if (addr_type->size == 4 &&
 					memcmp(addr_type->data, "IPv6", 4)
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@ -536,6 +536,23 @@ const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
 	return gnutls_protocol_get_name(gnutls_protocol_get_version(conn->tls));
 }

+/* CBN:TODO Implement! */
+int _getdns_tls_connection_get_pkix_auth(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return 0;
+
+	return 2 /* 2 is unknown */;
+}
+
+/* CBN:TODO Implement! */
+int _getdns_tls_connection_get_pin_auth(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return 0;
+	return 0;
+}
+
 getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
 {
 	int r;
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@ -842,6 +842,26 @@ const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
 	return SSL_get_version(conn->ssl);
 }

+int _getdns_tls_connection_get_pkix_auth(_getdns_tls_connection* conn)
+{
+	uint8_t usage = 255; /* 0 and 1 for also PKIX, 2 and 3 for DANE only */
+
+	if (!conn || !conn->ssl)
+		return 0;
+
+	if (SSL_get0_dane_tlsa(conn->ssl, &usage, NULL, NULL, NULL, NULL) < 0)
+		return SSL_get_verify_result(conn->ssl) == X509_V_OK  ? 1 : 0;
+
+	return usage <= 1 ? 1 : 2 /* 2 is unknown */;
+}
+
+int _getdns_tls_connection_get_pin_auth(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->ssl)
+		return 0;
+	return SSL_get0_dane_authority(conn->ssl, NULL, NULL) >= 0;
+}
+
 getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
 {
 	int r;
--- a/src/request-internal.c
+++ b/src/request-internal.c
@ -218,6 +218,11 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
 	net_req->debug_tls_peer_cert.size = 0;
 	net_req->debug_tls_peer_cert.data = NULL;
 	net_req->debug_tls_version = NULL;
+	net_req->debug_pkix_auth = 0; /* 1 == authenticated with PKIX
+                                       * 0 == not authenticated with PKIX
+                                       * 2 == unknown
+	                               */
+	net_req->debug_pin_auth = 0;  /* == 1 if authenticated with pinset */
 	net_req->debug_udp = 0;

 	/* Scheduling, touch only via _getdns_netreq_change_state!
--- a/src/stub.c
+++ b/src/stub.c
@ -1853,6 +1853,8 @@ upstream_write_cb(void *userarg)
 				_getdns_tls_x509_free(&upstream->upstreams->mf, cert);
 			}
 			netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj);
+			netreq->debug_pkix_auth = _getdns_tls_connection_get_pkix_auth(netreq->upstream->tls_obj);
+			netreq->debug_pin_auth = _getdns_tls_connection_get_pin_auth(netreq->upstream->tls_obj);
 		}
 		/* Need this because auth status is reset on connection close */
 		netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;
--- a/src/tls.h
+++ b/src/tls.h
@ -265,6 +265,22 @@ _getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _
 */
 const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn);

+/**
+ * Return whether or not the peer cert PKIX validated
+ *
+ * @param conn  the connection
+ * @return 1 when the peer cert PKIX validated, 0 if it did not validate, 2 otherwise
+ */
+int _getdns_tls_connection_get_pkix_auth(_getdns_tls_connection* conn);
+
+/**
+ * Return whether or not a pin from the pinset matched
+ *
+ * @param conn  the connection
+ * @return 1 when the peer cert matched a pinset, 0 otherwise
+ */
+int _getdns_tls_connection_get_pin_auth(_getdns_tls_connection* conn);
+
 /**
 * Attempt TLS handshake.
 *
--- a/src/types-internal.h
+++ b/src/types-internal.h
@ -244,6 +244,9 @@ typedef struct getdns_network_req
 	const char             *debug_tls_version;

 	/* Some booleans */
+	unsigned                debug_pkix_auth: 2; /* 1 if TLS connection is PKIX valid 
+	                                               2 if this is unknown */
+	unsigned                debug_pin_auth : 1; /* 1 if one of the pinset's matched */
 	unsigned                debug_udp      : 1;
 	unsigned                keepalive_sent : 1;
 	unsigned                badcookie_retry: 1;
--- a/src/util-internal.c
+++ b/src/util-internal.c
@ -966,6 +966,18 @@ _getdns_create_call_reporting_dict(
 		getdns_dict_destroy(netreq_debug);
 		return NULL;
 	}
+	if (getdns_dict_set_int(netreq_debug, "tls_auth_pin",
+	    netreq->debug_pin_auth)) {
+
+		getdns_dict_destroy(netreq_debug);
+		return NULL;
+	}
+	if (getdns_dict_set_int(netreq_debug, "tls_auth_pkix",
+	    netreq->debug_pkix_auth)) {
+
+		getdns_dict_destroy(netreq_debug);
+		return NULL;
+	}
 	if (getdns_dict_util_set_string(netreq_debug, "tls_version",
 	    netreq->debug_tls_version)){
Author	SHA1	Message	Date
Philip Homburg	291ecdae64	Support for IPv4	2022-09-02 10:40:32 +02:00
Willem Toorop	c8efb19624	More auth_status in "call_reporting dict" Key "tls_auth_pin" == 1 when a pin from a pinset is used to authenticate the tls session, 0 otherwise Key "tls_auth_pkix" == 1 when the cert was signed with a CA in the verification location, 0 if it was not PKIX authenticated and 2 if unkown (for example when a pinset was sufficient to authenticate the session)	2022-09-02 10:03:46 +02:00
Willem Toorop	d2967532f6	Merge branch 'develop' into philip-proxy-config	2022-08-29 08:57:54 +02:00
Willem Toorop	9c076ca34b	Issue #526 Some gldns files need stdlib	2022-08-22 10:41:05 +02:00