dnstap io, set tls auth name in outgoing ssl
This commit is contained in:
parent
812d8f71e8
commit
ad180402ea
4 changed files with 52 additions and 38 deletions
|
|
@ -1500,6 +1500,10 @@ static int dtio_setup_ssl(struct dt_io_thread* dtio)
|
|||
if(!dtio->ssl) return 0;
|
||||
dtio->ssl_handshake_done = 0;
|
||||
dtio->ssl_brief_read = 0;
|
||||
|
||||
if(!set_auth_name_on_ssl(dtio->ssl, dtio->tls_server_name)) {
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
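Review bot: The `return 0;` inside the new `if(!set_auth_name_on_ssl(dtio->ssl, dtio->tls_server_name))` leaves `dtio->ssl` allocated and possibly half-configured (the helper may already have called SSL_set_verify before SSL_set1_host failed), whereas the sibling change in outnet_tcp_take_into_use frees the SSL and NULLs the pointer on the same failure. dtio_setup_ssl starts outside the hunk, so who owns `dtio->ssl` on a 0 return is not visible here; if the caller does not free it, add `SSL_free(dtio->ssl); dtio->ssl = NULL;` (under the file's HAVE_SSL guard) before the return. Separately, set_auth_name_on_ssl returns 1 without enabling SSL_VERIFY_PEER when the name is NULL, so the dnstap upstream is only authenticated when `tls_server_name` is configured; a comment such as `/* NULL tls_server_name: TLS without server authentication */` above the call would make that explicit.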
|
|
|||
|
|
@ -373,45 +373,13 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
|
|||
comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl);
|
||||
#endif
|
||||
pend->c->ssl_shake_state = comm_ssl_shake_write;
|
||||
if(w->tls_auth_name) {
|
||||
#ifdef HAVE_SSL
|
||||
(void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name);
|
||||
#endif
|
||||
if(!set_auth_name_on_ssl(pend->c->ssl, w->tls_auth_name)) {
|
||||
pend->c->fd = s;
|
||||
SSL_free(pend->c->ssl);
|
||||
pend->c->ssl = NULL;
|
||||
comm_point_close(pend->c);
|
||||
return 0;
|
||||
}
|
||||
#ifdef HAVE_SSL_SET1_HOST
|
||||
if(w->tls_auth_name) {
|
||||
SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
|
||||
/* setting the hostname makes openssl verify the
|
||||
* host name in the x509 certificate in the
|
||||
* SSL connection*/
|
||||
if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
|
||||
log_err("SSL_set1_host failed");
|
||||
pend->c->fd = s;
|
||||
SSL_free(pend->c->ssl);
|
||||
pend->c->ssl = NULL;
|
||||
comm_point_close(pend->c);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
|
||||
/* openssl 1.0.2 has this function that can be used for
|
||||
* set1_host like verification */
|
||||
if(w->tls_auth_name) {
|
||||
X509_VERIFY_PARAM* param = SSL_get0_param(pend->c->ssl);
|
||||
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||
if(!X509_VERIFY_PARAM_set1_host(param, w->tls_auth_name, strlen(w->tls_auth_name))) {
|
||||
log_err("X509_VERIFY_PARAM_set1_host failed");
|
||||
pend->c->fd = s;
|
||||
SSL_free(pend->c->ssl);
|
||||
pend->c->ssl = NULL;
|
||||
comm_point_close(pend->c);
|
||||
return 0;
|
||||
}
|
||||
SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
|
||||
}
|
||||
#else
|
||||
verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
|
||||
#endif /* HAVE_SSL_SET1_HOST */
|
||||
}
|
||||
w->pkt = NULL;
|
||||
w->next_waiting = (void*)pend;
|
||||
|
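Review bot: `SSL_free(pend->c->ssl);` in the new failure path sits under no `#ifdef HAVE_SSL` visible in the hunk, while the removed code only reached SSL_free inside the HAVE_SSL_SET1_HOST / HAVE_X509_VERIFY_PARAM_SET1_HOST branches, which imply libssl. Unless outnet_tcp_take_into_use (which starts and ends outside the hunk) is compiled only when libssl is present, this turns into an implicit declaration on builds without HAVE_SSL; wrap it as `#ifdef HAVE_SSL` / `SSL_free(pend->c->ssl);` / `#endif`. The enclosing `if(w->tls_auth_name)` is now redundant because set_auth_name_on_ssl returns 1 for a NULL name, which is harmless but worth a one-line comment or removal so the two checks do not drift apart later.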
|
|
|||
|
|
@ -1191,6 +1191,40 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
|
|||
#endif
|
||||
}
|
||||
|
||||
/** set the authname on an SSL structure, SSL* ssl */
|
||||
int set_auth_name_on_ssl(void* ssl, char* auth_name)
|
||||
{
|
||||
if(!auth_name) return 1;
|
||||
#ifdef HAVE_SSL
|
||||
(void)SSL_set_tlsext_host_name(ssl, auth_name);
|
||||
#endif
|
||||
#ifdef HAVE_SSL_SET1_HOST
|
||||
SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
|
||||
/* setting the hostname makes openssl verify the
|
||||
* host name in the x509 certificate in the
|
||||
* SSL connection*/
|
||||
if(!SSL_set1_host(ssl, auth_name)) {
|
||||
log_err("SSL_set1_host failed");
|
||||
return 0;
|
||||
}
|
||||
#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
|
||||
/* openssl 1.0.2 has this function that can be used for
|
||||
* set1_host like verification */
|
||||
if(auth_name) {
|
||||
X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
|
||||
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||
if(!X509_VERIFY_PARAM_set1_host(param, auth_name, strlen(auth_name))) {
|
||||
log_err("X509_VERIFY_PARAM_set1_host failed");
|
||||
return 0;
|
||||
}
|
||||
SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
|
||||
}
|
||||
#else
|
||||
verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
|
||||
#endif /* HAVE_SSL_SET1_HOST */
|
||||
return 1;
|
||||
}
|
||||
|
||||
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
/** global lock list for openssl locks */
|
||||
static lock_basic_type *ub_openssl_locks = NULL;
|
||||
|
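Review bot: In the `#else` branch set_auth_name_on_ssl only logs at VERB_ALGO and then falls through to `return 1;`, so when libssl offers neither SSL_set1_host nor X509_VERIFY_PARAM_set1_host a query that was explicitly configured with an auth name is sent over TLS with no peer verification and the caller is told setup succeeded — a silent fail-open. This mirrors the inline code the commit removes from outside_network.c, so changing it is a policy decision, but at minimum the message should be `log_err` rather than `verbose(VERB_ALGO, ...)`, and returning 0 there would let both callers tear the connection down the way they already do for the other failures. Also, `if(auth_name)` inside the HAVE_X509_VERIFY_PARAM_SET1_HOST branch is dead code after the early `if(!auth_name) return 1;` at the top of the function.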
|
|
|||
|
|
@ -434,6 +434,14 @@ void* incoming_ssl_fd(void* sslctx, int fd);
|
|||
*/
|
||||
void* outgoing_ssl_fd(void* sslctx, int fd);
|
||||
|
||||
/**
|
||||
* set auth name on SSL for verification
|
||||
* @param ssl: SSL* to set
|
||||
* @param auth_name: if NULL nothing happens, otherwise the name to check.
|
||||
* @return 1 on success or NULL auth_name, 0 on failure.
|
||||
*/
|
||||
int set_auth_name_on_ssl(void* ssl, char* auth_name);
|
||||
|
||||
/**
|
||||
* Initialize openssl locking for thread safety
|
||||
* @return false on failure (alloc failure).
|
||||
|
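Review bot: The new doc comment for set_auth_name_on_ssl does not say what the function configures or that it can report success without configuring anything: per the .c hunk it sets SNI via SSL_set_tlsext_host_name, enables SSL_VERIFY_PEER and pins the expected certificate host name, but when libssl has neither SSL_set1_host nor X509_VERIFY_PARAM_set1_host it only logs and still returns 1. Extend the comment with a sentence such as `* Also enables SSL_VERIFY_PEER and SNI; if libssl has no host-verification call this logs at VERB_ALGO and still returns 1 (no verification is performed).` Since the function never writes through auth_name, declaring it `const char* auth_name` would also document intent, and existing char* callers stay compatible.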
|
|
|||