From: Otto Date: Wed, 3 Feb 2021 14:10:33 +0000 (+0100) Subject: Cert validation X-Git-Tag: dnsdist-1.6.0-alpha2~59^2~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ee572159a7c47067f7e726bc08ceb50d73e36f8;p=thirdparty%2Fpdns.git Cert validation --- diff --git a/m4/pdns_with_libssl.m4 b/m4/pdns_with_libssl.m4 index 8a8438854c..c42905fd1d 100644 --- a/m4/pdns_with_libssl.m4 +++ b/m4/pdns_with_libssl.m4 @@ -17,7 +17,7 @@ AC_DEFUN([PDNS_WITH_LIBSSL], [ save_LIBS=$LIBS CFLAGS="$LIBSSL_CFLAGS $CFLAGS" LIBS="$LIBSSL_LIBS -lcrypto $LIBS" - AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites OCSP_basic_sign SSL_CTX_set_num_tickets SSL_CTX_set_keylog_callback SSL_CTX_get0_privatekey SSL_CTX_set_min_proto_version]) + AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites OCSP_basic_sign SSL_CTX_set_num_tickets SSL_CTX_set_keylog_callback SSL_CTX_get0_privatekey SSL_CTX_set_min_proto_version SSL_set_hostflags]) CFLAGS=$save_CFLAGS LIBS=$save_LIBS diff --git a/pdns/sdig.cc b/pdns/sdig.cc index 82d4c16088..cb3487376a 100644 --- a/pdns/sdig.cc +++ b/pdns/sdig.cc @@ -39,7 +39,7 @@ static void usage() cerr << "sdig" << endl; cerr << "Syntax: sdig IP-ADDRESS-OR-DOH-URL PORT QNAME QTYPE " "[dnssec] [ednssubnet SUBNET/MASK] [hidesoadetails] [hidettl] " - "[recurse] [showflags] [tcp] [dot] [xpf XPFDATA] [class CLASSNUM] " + "[recurse] [showflags] [tcp] [dot] [insecure] [subjectName name][xpf XPFDATA] [class CLASSNUM] " "[proxy UDP(0)/TCP(1) SOURCE-IP-ADDRESS-AND-PORT DESTINATION-IP-ADDRESS-AND-PORT]" << endl; } @@ -218,6 +218,7 @@ try { char *xpfsrc = NULL, *xpfdst = NULL; uint16_t qclass = QClass::IN; string proxyheader; + string subjectName; for (int i = 1; i < argc; i++) { if ((string)argv[i] == "--help") { 
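Review bot: The new usage line in sdig's `usage()` lacks a space between `[subjectName name]` and `[xpf XPFDATA]`, so the help text prints them fused as `[subjectName name][xpf XPFDATA]`; change the line to `"[recurse] [showflags] [tcp] [dot] [insecure] [subjectName name] [xpf XPFDATA] [class CLASSNUM] "`. Since `insecure` and `subjectName` both decide what the DoT certificate check actually verifies, a short clause in the usage text saying that `insecure` disables certificate validation would also help users not read it as a harmless fallback. The parsing that consumes these two options is in a later hunk that is garbled in this rendering, so I could not check it against the usage text.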
@@ -242,28 +243,28 @@ try { for (int i = 5; i < argc; i++) { if (strcmp(argv[i], "dnssec") == 0) dnssec = true; - if (strcmp(argv[i], "recurse") == 0) + else if (strcmp(argv[i], "recurse") == 0) recurse = true; - if (strcmp(argv[i], "showflags") == 0) + else if (strcmp(argv[i], "showflags") == 0) showflags = true; - if (strcmp(argv[i], "hidesoadetails") == 0) + else if (strcmp(argv[i], "hidesoadetails") == 0) hidesoadetails = true; - if (strcmp(argv[i], "hidettl") == 0) + else if (strcmp(argv[i], "hidettl") == 0) hidettl = true; - if (strcmp(argv[i], "tcp") == 0) + else if (strcmp(argv[i], "tcp") == 0) tcp = true; - if (strcmp(argv[i], "dot") == 0) + else if (strcmp(argv[i], "dot") == 0) dot = true; - if (strcmp(argv[i], "insecure") == 0) + else if (strcmp(argv[i], "insecure") == 0) insecureDoT = true; - if (strcmp(argv[i], "ednssubnet") == 0) { + else if (strcmp(argv[i], "ednssubnet") == 0) { if (argc < i + 2) { cerr << "ednssubnet needs an argument" << endl; exit(EXIT_FAILURE); } ednsnm = Netmask(argv[++i]); } - if (strcmp(argv[i], "xpf") == 0) { + else if (strcmp(argv[i], "xpf") == 0) { if (argc < i + 6) { cerr << "xpf needs five arguments" << endl; exit(EXIT_FAILURE); @@ -274,14 +275,21 @@ try { xpfsrc = argv[++i]; xpfdst = argv[++i]; } - if (strcmp(argv[i], "class") == 0) { + else if (strcmp(argv[i], "class") == 0) { if (argc < i+2) { cerr << "class needs an argument"< 0 && handler.write(proxyheader.data(), proxyheader.size(), timeout) != proxyheader.size()) { diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc index 3cbebeff8c..ca4ef085d5 100644 --- a/pdns/tcpiohandler.cc +++ b/pdns/tcpiohandler.cc @@ -12,14 +12,11 @@ #ifdef HAVE_DNS_OVER_TLS #ifdef HAVE_LIBSSL -#ifdef ___OpenBSD__ -#define LIBRESSL_HAS_TLS1_3 -#endif - #include #include #include #include +#include #include "libssl.hh" 
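Review bot: The new `else if` chain has no visible fallback for an argument that matches none of the keywords, so a misspelled option such as `subjectname` would be silently ignored and the query would simply run without it. If the chain does not already end in an `else` further down (the `for` loop body continues past this hunk, and the following hunk is garbled here), consider closing it with `else { cerr << "unknown option " << argv[i] << endl; exit(EXIT_FAILURE); }`. Rejecting unknown options matters for this command line because `insecure` and `subjectName` directly control how strict the DoT certificate check is, and a typo in either should fail loudly rather than fall back to defaults.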
@@ -98,8 +95,8 @@ public: throw std::runtime_error("Error assigning socket"); } -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) - // XXX SSL_set_hostflags(d_conn.get(), X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && HAVE_SSL_SET_HOSTFLAGS // grrr libressl + SSL_set_hostflags(d_conn.get(), X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); if (SSL_set1_host(d_conn.get(), d_hostname.c_str()) != 1) { throw std::runtime_error("Error setting TLS hostname for certificate validation"); } @@ -125,9 +122,10 @@ public: return IOState::NeedWrite; } else if (error == SSL_ERROR_SYSCALL) { - throw std::runtime_error("Error while processing TLS connection: " + std::string(strerror(errno))); + throw std::runtime_error("Syscall error while processing TLS connection: " + std::string(strerror(errno))); } else { + ERR_print_errors_fp(stderr); throw std::runtime_error("Error while processing TLS connection: " + std::to_string(error)); } } @@ -431,10 +429,8 @@ public: SSL_OP_SINGLE_ECDH_USE | SSL_OP_CIPHER_SERVER_PREFERENCE; + registerOpenSSLUser(); #if 0 // XXX - if (s_users.fetch_add(1) == 0) { - registerOpenSSLUser(); - s_ticketsKeyIndex = SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr); if (s_ticketsKeyIndex == -1) { @@ -474,6 +470,11 @@ public: #endif /* HAVE_SSL_CTX_SET_CIPHERSUITES */ if (params.d_validateCertificates) { + // XXX parameter! + if (SSL_CTX_set_default_verify_paths(d_tlsCtx.get()) != 1) { + warnlog("could not load default CA store"); + } + SSL_CTX_set_verify(d_tlsCtx.get(), SSL_VERIFY_PEER, nullptr); #if (OPENSSL_VERSION_NUMBER < 0x10002000L) warnlog("TLS hostname validation requested but not supported for OpenSSL < 1.0.2"); 
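Review bot: Adding `HAVE_SSL_SET_HOSTFLAGS` to the `#if` line compiles out `SSL_set1_host` together with the flags call, so on a build where autoconf does not find `SSL_set_hostflags` (the LibreSSL case the comment refers to) no hostname is bound to the connection at all: `SSL_VERIFY_PEER` still checks the chain but accepts a certificate issued for any name, and the only warning about missing hostname validation I can see is the `OPENSSL_VERSION_NUMBER < 0x10002000L` branch in a later hunk. The two calls should be guarded separately, keeping `SSL_set1_host` under the version test and wrapping only the flags call; if the target library lacks `SSL_set1_host` as well, the connection should be refused or at least warned about when validation was requested, not silently downgraded. `HAVE_SSL_SET_HOSTFLAGS` is only defined when the function was found, so `defined(HAVE_SSL_SET_HOSTFLAGS)` also avoids a `-Wundef` warning. The enclosing function starts before this hunk, and the `#else`/`#endif` of this conditional lies after it.
```cpp
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
#if defined(HAVE_SSL_SET_HOSTFLAGS)
    SSL_set_hostflags(d_conn.get(), X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
#endif
    // binding the expected name must not depend on the flags call being available
    if (SSL_set1_host(d_conn.get(), d_hostname.c_str()) != 1) {
      throw std::runtime_error("Error setting TLS hostname for certificate validation");
    }
```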
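Review bot: The new `ERR_print_errors_fp(stderr)` in the final `else` branch writes the OpenSSL error queue straight to stderr, bypassing the logging the rest of this file uses (`warnlog` in the later hunks) and leaving the exception with only the numeric `error` code, so a caller that catches and logs it never sees the reason and a daemon with stderr redirected loses it entirely. Prefer draining the queue into the message with `ERR_get_error`/`ERR_error_string_n`, which clears the queue just as the print does. On the changed `SSL_ERROR_SYSCALL` line, `errno` is 0 when the peer closes without a close_notify (at least with OpenSSL 1.x), so the message would read "Success"; that unexpected-EOF case is exactly what a truncated DoT session looks like and deserves its own wording. The enclosing function starts and ends outside this hunk.
```cpp
      } else if (error == SSL_ERROR_SYSCALL) {
        // errno == 0 here means an unexpected EOF (no close_notify), not a failed syscall
        if (errno == 0) {
          throw std::runtime_error("Unexpected EOF while processing TLS connection");
        }
        throw std::runtime_error("Syscall error while processing TLS connection: " + std::string(strerror(errno)));
      } else {
        // fold the OpenSSL error queue into the exception instead of printing it to stderr
        std::string reason;
        char buf[256];
        for (unsigned long err = ERR_get_error(); err != 0; err = ERR_get_error()) {
          ERR_error_string_n(err, buf, sizeof(buf));
          reason += (reason.empty() ? "" : "; ");
          reason += buf;
        }
        throw std::runtime_error("Error while processing TLS connection: " + std::to_string(error) + (reason.empty() ? "" : " (" + reason + ")"));
      }
```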
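Review bot: `registerOpenSSLUser()` is now called for every `OpenSSLTLSIOCtx` constructed, and the hunk at `-484` calls `unregisterOpenSSLUser()` from every destructor, while the `s_users` counting that previously paired the two is left behind in the `#if 0 // XXX` block. Whether that is safe depends on the helpers declared in `libssl.hh` doing their own reference counting, which this diff does not show; if they do not, the first context to be destroyed tears down the shared library state while other contexts are still alive. Once confirmed, a comment at the call such as `// registerOpenSSLUser()/unregisterOpenSSLUser() keep their own use count; one pair per context is fine` would save the next reader the same question, otherwise the local counter should come back. The `#if 0` block also still disables the `s_ticketsKeyIndex` setup, so if `ticketKeyCb` (declared after the destructor) relies on that index, ticket handling is silently inactive in this build. The enclosing function starts before this hunk and continues past it.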
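Review bot: A failing `SSL_CTX_set_default_verify_paths` is only `warnlog`ged while `SSL_VERIFY_PEER` stays set on the context line below, so the context is left with an empty trust store and every handshake then fails with a verify error instead of this message, which is fail-closed but hard to diagnose; since validation was explicitly requested, `throw std::runtime_error("could not load default CA store");` gives the operator the real cause up front. The `// XXX parameter!` already records that the store location is hard-wired; it is worth adding that the default-paths call also honours the `SSL_CERT_FILE`/`SSL_CERT_DIR` environment variables, so until a ca-file/ca-path option (`SSL_CTX_load_verify_locations`) exists, the set of trust anchors depends on the process environment. The enclosing function starts before this hunk and continues past it.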
@@ -484,11 +485,7 @@ public: ~OpenSSLTLSIOCtx() override { d_tlsCtx.reset(); -#if 0 // XXX - if (s_users.fetch_sub(1) == 1) { - unregisterOpenSSLUser(); - } -#endif + unregisterOpenSSLUser(); } static int ticketKeyCb(SSL *s, unsigned char keyName[TLS_TICKETS_KEY_NAME_SIZE], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)