picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Merge pull request #13870 from irtimmer/check_ip_gnutls

Browse source 
resolved: validate IP address in certificate for DNS-over-TLS (GnuTLS)
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2019-10-30 14:08:26 +01:00 committed by GitHub
parent 8fc59b6ef1 7f2f4faced
commit b7a4129ca9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 14 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README
View file

@ -155,7 +155,7 @@ REQUIREMENTS:
libmicrohttpd (optional)
libpython (optional)
libidn2 or libidn (optional)
gnutls >= 3.1.4 (optional, >= 3.5.3 is required to support DNS-over-TLS with gnutls)
gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
elfutils >= 158 (optional)
polkit (optional)

2
meson.build
View file

@ -1199,7 +1199,7 @@ if dns_over_tls != 'false'
if dns_over_tls == 'openssl'
have_gnutls = false
else
have_gnutls = (conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.5.3'))
have_gnutls = (conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.6.0'))
if dns_over_tls == 'gnutls' and not have_gnutls
error('DNS-over-TLS support was requested with gnutls, but dependencies are not available')
endif

17
src/resolve/resolved-dnstls-gnutls.c
View file

@ -9,11 +9,7 @@
#include "resolved-dns-stream.h"
#include "resolved-dnstls.h"
#if GNUTLS_VERSION_NUMBER >= 0x030600
#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
#else
#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
#endif
DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
@ -59,8 +55,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
server->dnstls_data.session_data.size = 0;
}
if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
gnutls_session_set_verify_cert(gs, NULL, 0);
if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
if (server->family == AF_INET) {
stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
stream->dnstls_data.validation.size = 4;
} else {
stream->dnstls_data.validation.data = server->address.in6.s6_addr;
stream->dnstls_data.validation.size = 16;
}
gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
}
gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);

1
src/resolve/resolved-dnstls-gnutls.h
View file

@ -18,6 +18,7 @@ struct DnsTlsServerData {
struct DnsTlsStreamData {
gnutls_session_t session;
gnutls_typed_vdata_st validation;
int handshake;
bool shutdown;
};