cerr << "sdig" << endl;
cerr << "Syntax: sdig IP-ADDRESS-OR-DOH-URL PORT QNAME QTYPE "
"[dnssec] [ednssubnet SUBNET/MASK] [hidesoadetails] [hidettl] "
- "[recurse] [showflags] [tcp] [dot] [xpf XPFDATA] [class CLASSNUM] "
+ "[recurse] [showflags] [tcp] [dot] [insecure] [subjectName name][xpf XPFDATA] [class CLASSNUM] "
"[proxy UDP(0)/TCP(1) SOURCE-IP-ADDRESS-AND-PORT DESTINATION-IP-ADDRESS-AND-PORT]"
<< endl;
}
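Review bot: The added usage line runs `[subjectName name]` straight into `[xpf XPFDATA]` with no separating space, so the printed syntax line shows the two options as one token; the other placeholders are upper-cased (`SUBNET/MASK`, `XPFDATA`, `CLASSNUM`), so `"[recurse] [showflags] [tcp] [dot] [insecure] [subjectName NAME] [xpf XPFDATA] [class CLASSNUM] "` fixes the spacing and keeps the convention. Nothing in the usage text says what the option does; since the value is what the handler later in this diff hands to TLS as the name the peer certificate is matched against, a short mention such as `subjectName NAME  name to validate the DoT server certificate against` would steer users to it whenever `dot` is used without `insecure`.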
char *xpfsrc = NULL, *xpfdst = NULL;
uint16_t qclass = QClass::IN;
string proxyheader;
+ string subjectName;
for (int i = 1; i < argc; i++) {
if ((string)argv[i] == "--help") {
for (int i = 5; i < argc; i++) {
if (strcmp(argv[i], "dnssec") == 0)
dnssec = true;
- if (strcmp(argv[i], "recurse") == 0)
+ else if (strcmp(argv[i], "recurse") == 0)
recurse = true;
- if (strcmp(argv[i], "showflags") == 0)
+ else if (strcmp(argv[i], "showflags") == 0)
showflags = true;
- if (strcmp(argv[i], "hidesoadetails") == 0)
+ else if (strcmp(argv[i], "hidesoadetails") == 0)
hidesoadetails = true;
- if (strcmp(argv[i], "hidettl") == 0)
+ else if (strcmp(argv[i], "hidettl") == 0)
hidettl = true;
- if (strcmp(argv[i], "tcp") == 0)
+ else if (strcmp(argv[i], "tcp") == 0)
tcp = true;
- if (strcmp(argv[i], "dot") == 0)
+ else if (strcmp(argv[i], "dot") == 0)
dot = true;
- if (strcmp(argv[i], "insecure") == 0)
+ else if (strcmp(argv[i], "insecure") == 0)
insecureDoT = true;
- if (strcmp(argv[i], "ednssubnet") == 0) {
+ else if (strcmp(argv[i], "ednssubnet") == 0) {
if (argc < i + 2) {
cerr << "ednssubnet needs an argument" << endl;
exit(EXIT_FAILURE);
}
ednsnm = Netmask(argv[++i]);
}
- if (strcmp(argv[i], "xpf") == 0) {
+ else if (strcmp(argv[i], "xpf") == 0) {
if (argc < i + 6) {
cerr << "xpf needs five arguments" << endl;
exit(EXIT_FAILURE);
xpfsrc = argv[++i];
xpfdst = argv[++i];
}
- if (strcmp(argv[i], "class") == 0) {
+ else if (strcmp(argv[i], "class") == 0) {
if (argc < i+2) {
cerr << "class needs an argument"<<endl;
exit(EXIT_FAILURE);
}
qclass = atoi(argv[++i]);
}
- if (strcmp(argv[i], "proxy") == 0) {
+ else if (strcmp(argv[i], "subjectName") == 0) {
+ if (argc < i+2) {
+ cerr << "subjectName needs an argument"<<endl;
+ exit(EXIT_FAILURE);
+ }
+ subjectName = argv[++i];
+ }
+ else if (strcmp(argv[i], "proxy") == 0) {
if(argc < i+4) {
cerr<<"proxy needs three arguments"<<endl;
exit(EXIT_FAILURE);
ComboAddress dest(argv[++i]);
proxyheader = makeProxyHeader(ptcp, src, dest, {});
}
+ else {
+ cerr << argv[i] << ": unknown argument" << endl;
+ exit(EXIT_FAILURE);
+ }
}
}
uint16_t counter = 0;
Socket sock(dest.sin4.sin_family, SOCK_STREAM);
SConnectWithTimeout(sock.getHandle(), dest, timeout);
- TCPIOHandler handler("buab", sock.getHandle(), timeout, tlsCtx, time(nullptr));
+ TCPIOHandler handler(subjectName, sock.getHandle(), timeout, tlsCtx, time(nullptr));
handler.connect(fastOpen, dest, timeout);
// we are writing the proxyheader inside the TLS connection. Is that right?
if (proxyheader.size() > 0 && handler.write(proxyheader.data(), proxyheader.size(), timeout) != proxyheader.size()) {
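Review bot: `subjectName` reaches TCPIOHandler here without any check that it was supplied, and when the option is absent the parser leaves it as the empty string; the name later goes to SSL_set1_host() (see the libssl hunk in this diff), and OpenSSL treats an empty name there as "no hostname check", so a plain `dot` query without `subjectName` appears to get a certificate that is chain-validated but never matched against a name. A guard after the argument loop makes that explicit instead of silent: `if (dot && !insecureDoT && subjectName.empty()) { cerr << "subjectName is required with dot unless insecure is given" << endl; exit(EXIT_FAILURE); }`. Whether TCPIOHandler itself rejects an empty name cannot be seen from this hunk, and the argument loop lives outside it.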
#ifdef HAVE_DNS_OVER_TLS
#ifdef HAVE_LIBSSL
-#ifdef ___OpenBSD__
-#define LIBRESSL_HAS_TLS1_3
-#endif
-
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
#include "libssl.hh"
throw std::runtime_error("Error assigning socket");
}
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
- // XXX SSL_set_hostflags(d_conn.get(), X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && HAVE_SSL_SET_HOSTFLAGS // grrr libressl
+ SSL_set_hostflags(d_conn.get(), X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
if (SSL_set1_host(d_conn.get(), d_hostname.c_str()) != 1) {
throw std::runtime_error("Error setting TLS hostname for certificate validation");
}
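Review bot: The new `&& HAVE_SSL_SET_HOSTFLAGS` on the `#if` also gates the SSL_set1_host() call two lines below it, so on a build without SSL_set_hostflags (the LibreSSL case the comment alludes to) the expected hostname is never set and certificate validation, where enabled, silently degrades to chain checking only. Only the flags call needs the feature test: keep `#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)`, wrap the single SSL_set_hostflags line in `#ifdef HAVE_SSL_SET_HOSTFLAGS` … `#endif`, and leave SSL_set1_host() under the version check alone. Testing `defined(HAVE_SSL_SET_HOSTFLAGS)` rather than the bare macro also avoids a -Wundef warning, and a parse error if the configure check ever defines the macro without a value. The enclosing function and the matching `#endif` are outside this hunk.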
return IOState::NeedWrite;
}
else if (error == SSL_ERROR_SYSCALL) {
- throw std::runtime_error("Error while processing TLS connection: " + std::string(strerror(errno)));
+ throw std::runtime_error("Syscall error while processing TLS connection: " + std::string(strerror(errno)));
}
else {
+ ERR_print_errors_fp(stderr);
throw std::runtime_error("Error while processing TLS connection: " + std::to_string(error));
}
}
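Review bot: `ERR_print_errors_fp(stderr)` on the added line writes straight to the process's stderr from inside the TLS layer and empties the OpenSSL error queue as a side effect, so the caller catching the runtime_error sees only the numeric SSL_get_error() code while the actual reason went to a stream the logging elsewhere in this diff (warnlog()) does not use. Folding the queue into the exception keeps a single channel and leaves the message prefix intact for any caller that matches on it: `char buf[256]; ERR_error_string_n(ERR_get_error(), buf, sizeof(buf)); throw std::runtime_error("Error while processing TLS connection: " + std::to_string(error) + " (" + buf + ")");`. Note that the reworded `SSL_ERROR_SYSCALL` message above does change its prefix, so any such matcher on that branch needs updating.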
SSL_OP_SINGLE_ECDH_USE |
SSL_OP_CIPHER_SERVER_PREFERENCE;
+ registerOpenSSLUser();
#if 0 // XXX
- if (s_users.fetch_add(1) == 0) {
- registerOpenSSLUser();
-
s_ticketsKeyIndex = SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
if (s_ticketsKeyIndex == -1) {
#endif /* HAVE_SSL_CTX_SET_CIPHERSUITES */
if (params.d_validateCertificates) {
+ // XXX parameter!
+ if (SSL_CTX_set_default_verify_paths(d_tlsCtx.get()) != 1) {
+ warnlog("could not load default CA store");
+ }
+
SSL_CTX_set_verify(d_tlsCtx.get(), SSL_VERIFY_PEER, nullptr);
#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
warnlog("TLS hostname validation requested but not supported for OpenSSL < 1.0.2");
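Review bot: The `// XXX parameter!` marker is left on the new SSL_CTX_set_default_verify_paths() call, so the trust store is always the library default and a caller cannot point validation at a specific CA file or directory; `params` already carries `d_validateCertificates`, so a CA file/path option beside it, fed to SSL_CTX_load_verify_locations() when set, would close that gap. When loading fails the code only warnlog()s and then still enables SSL_VERIFY_PEER, which looks fail-closed (every handshake should then fail verification), so the warning should say so rather than read like a benign notice: `warnlog("could not load default CA store, certificate validation will fail");`. The enclosing constructor continues outside this hunk.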
~OpenSSLTLSIOCtx() override
{
d_tlsCtx.reset();
-#if 0 // XXX
- if (s_users.fetch_sub(1) == 1) {
- unregisterOpenSSLUser();
- }
-#endif
+ unregisterOpenSSLUser();
}
static int ticketKeyCb(SSL *s, unsigned char keyName[TLS_TICKETS_KEY_NAME_SIZE], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)