From: W.C.A. Wijngaards
Date: Thu, 27 Feb 2020 15:57:24 +0000 (+0100)
Subject: Fixup ssl authentication not available with check for it.
X-Git-Tag: 1.11.0rc1~120^2~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=398e2601454ec26e91a2d5119739545b4eb66054;p=thirdparty%2Funbound.git
Fixup ssl authentication not available with check for it.
---
diff --git a/dnstap/dtstream.c b/dnstap/dtstream.c
index 67ad72d61..29fc5ee59 100644
--- a/dnstap/dtstream.c
+++ b/dnstap/dtstream.c
@@ -302,6 +302,8 @@ int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
 log_err("dnstap setup: malloc failure");
 return 0;
 }
+ if(!check_auth_name_for_ssl(dtio->tls_server_name))
+ return 0;
 }
 if(cfg->dnstap_tls_client_key_file &&
 cfg->dnstap_tls_client_key_file[0]) {
diff --git a/util/net_help.c b/util/net_help.c
index 898ebc900..cc1ca7ec5 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -1217,6 +1217,19 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
 #endif
 }
 
+int check_auth_name_for_ssl(char* auth_name)
+{
+ if(!auth_name) return 1;
+#ifdef HAVE_SSL
+#if !defined(HAVE_SSL_SET1_HOST) && !defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+ log_err("the query has an auth_name %s, but libssl has no call to "
+ "perform TLS authentication. Remove that name from config "
+ "or upgrade the ssl crypto library.", auth_name);
+#endif
+#endif
+ return 1;
+}
+
 /** set the authname on an SSL structure, SSL* ssl */
 int set_auth_name_on_ssl(void* ssl, char* auth_name)
 {
diff --git a/util/net_help.h b/util/net_help.h
index 6df9f9b39..d9ee37ad0 100644
--- a/util/net_help.h
+++ b/util/net_help.h
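Review bot: `check_auth_name_for_ssl` in util/net_help.c logs the "libssl has no call to perform TLS authentication" error and then falls through to the final `return 1;`, so it reports success on every path. The new guard in dnstap/dtstream.c, `if(!check_auth_name_for_ssl(dtio->tls_server_name)) return 0;`, can therefore never fire, and a configured TLS server name is accepted even when the build has neither `HAVE_SSL_SET1_HOST` nor `HAVE_X509_VERIFY_PARAM_SET1_HOST`; presumably the dnstap connection is then set up without the peer name being verified, which is a fail-open for a setting the operator asked for. Adding `return 0;` directly after the `log_err(...)` call inside the inner `#if` makes the function behave as its header comment describes. The body of dt_io_thread_apply_cfg continues outside the hunk, so whether that early return must release `dtio->tls_server_name` cannot be judged from here.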
@@ -442,6 +442,13 @@ void* incoming_ssl_fd(void* sslctx, int fd);
 */
 void* outgoing_ssl_fd(void* sslctx, int fd);
 
+/**
+ * check if authname SSL functionality is available, false if not
+ * @param auth_name: the name for the remote server, used for error print.
+ * @return false if SSL functionality to check the SSL name is not available.
+ */
+int check_auth_name_for_ssl(char* auth_name);
+
 /**
 * set auth name on SSL for verification
 * @param ssl: SSL* to set
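Review bot: The doc comment on `check_auth_name_for_ssl` leaves out two parts of the contract that callers depend on: a NULL `auth_name` is treated as success (the definition opens with `if(!auth_name) return 1;`), and the function prints the error itself, so call sites need no log line of their own. I would extend the return line to `* @return true if auth_name is NULL or name verification is available; false, after logging an error, if it is not.` Because the name is only read for the error print, `const char* auth_name` would state that in the prototype, although the neighbouring `set_auth_name_on_ssl` takes a plain `char*` as well.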