Merge pull request #13870 from irtimmer/check_ip_gnutls
resolved: validate IP address in certificate for DNS-over-TLS (GnuTLS)
This commit is contained in:
commit
b7a4129ca9
2
README
2
README
|
@ -155,7 +155,7 @@ REQUIREMENTS:
|
|||
libmicrohttpd (optional)
|
||||
libpython (optional)
|
||||
libidn2 or libidn (optional)
|
||||
gnutls >= 3.1.4 (optional, >= 3.5.3 is required to support DNS-over-TLS with gnutls)
|
||||
gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
|
||||
openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
|
||||
elfutils >= 158 (optional)
|
||||
polkit (optional)
|
||||
|
|
|
@ -1199,7 +1199,7 @@ if dns_over_tls != 'false'
|
|||
if dns_over_tls == 'openssl'
|
||||
have_gnutls = false
|
||||
else
|
||||
have_gnutls = (conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.5.3'))
|
||||
have_gnutls = (conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.6.0'))
|
||||
if dns_over_tls == 'gnutls' and not have_gnutls
|
||||
error('DNS-over-TLS support was requested with gnutls, but dependencies are not available')
|
||||
endif
|
||||
|
|
|
@ -9,11 +9,7 @@
|
|||
#include "resolved-dns-stream.h"
|
||||
#include "resolved-dnstls.h"
|
||||
|
||||
#if GNUTLS_VERSION_NUMBER >= 0x030600
|
||||
#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
|
||||
#else
|
||||
#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
|
||||
#endif
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
|
||||
|
||||
static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
|
||||
|
@ -59,8 +55,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
|
|||
server->dnstls_data.session_data.size = 0;
|
||||
}
|
||||
|
||||
if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
|
||||
gnutls_session_set_verify_cert(gs, NULL, 0);
|
||||
if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
|
||||
stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
|
||||
if (server->family == AF_INET) {
|
||||
stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
|
||||
stream->dnstls_data.validation.size = 4;
|
||||
} else {
|
||||
stream->dnstls_data.validation.data = server->address.in6.s6_addr;
|
||||
stream->dnstls_data.validation.size = 16;
|
||||
}
|
||||
gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
|
||||
}
|
||||
|
||||
gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
|
||||
|
||||
|
|
|
@ -18,6 +18,7 @@ struct DnsTlsServerData {
|
|||
|
||||
struct DnsTlsStreamData {
|
||||
gnutls_session_t session;
|
||||
gnutls_typed_vdata_st validation;
|
||||
int handshake;
|
||||
bool shutdown;
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue