From: Wouter Wijngaards
Date: Mon, 10 Dec 2018 14:27:24 +0000 (+0000)
Subject: - Fix #4206: support openssl 1.0.2 for TLS hostname verification,
X-Git-Tag: release-1.9.0rc1~63
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71b078611f2e2bd9aa58b6b59cbbd5ef6fa41ce6;p=thirdparty%2Funbound.git
- Fix #4206: support openssl 1.0.2 for TLS hostname verification, alongside the 1.1.0 and later support that is already there.
git-svn-id: file:///svn/unbound/trunk@5018 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/config.h.in b/config.h.in
index 2f98f193c..f1853ba38 100644
--- a/config.h.in
+++ b/config.h.in
@@ -586,6 +586,9 @@
 /* Define to 1 if you have the header file. */
 #undef HAVE_WS2TCPIP_H
 
+/* Define to 1 if you have the `X509_VERIFY_PARAM_set1_host' function. */
+#undef HAVE_X509_VERIFY_PARAM_SET1_HOST
+
 /* Define to 1 if you have the `_beginthreadex' function. */
 #undef HAVE__BEGINTHREADEX
diff --git a/configure b/configure
index 9a28c76f9..21db04744 100755
--- a/configure
+++ b/configure
@@ -18008,7 +18008,7 @@ done
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername
+for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.ac b/configure.ac
index d6fb4349d..588d66e85 100644
--- a/configure.ac
+++ b/configure.ac
@@ -785,7 +785,7 @@ AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_C
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername])
+AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host])
 LIBS="$BAKLIBS"
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
diff --git a/doc/Changelog b/doc/Changelog
index aea6a776b..f20bdffc8 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -3,6 +3,8 @@
 	- ip-ratelimit-factor of 1 allows all traffic through, instead of the previous blocking everything.
 	- Fix for FreeBSD port make with dnscrypt and dnstap enabled.
+	- Fix #4206: support openssl 1.0.2 for TLS hostname verification,
+	  alongside the 1.1.0 and later support that is already there.
 
 6 December 2018: Wouter
 	- Fix dns64 allocation in wrong region for returned internal queries.
diff --git a/services/outside_network.c b/services/outside_network.c
index c3569dbbf..18385825b 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -385,6 +385,22 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
 			return 0;
 		}
 	}
+#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+	/* openssl 1.0.2 has this function that can be used for
+	 * set1_host like verification */
+	if(w->tls_auth_name) {
+		X509_VERIFY_PARAM* param = SSL_get0_param(pend->c->ssl);
+		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+		if(!X509_VERIFY_PARAM_set1_host(param, w->tls_auth_name, strlen(w->tls_auth_name))) {
+			log_err("X509_VERIFY_PARAM_set1_host failed");
+			pend->c->fd = s;
+			SSL_free(pend->c->ssl);
+			pend->c->ssl = NULL;
+			comm_point_close(pend->c);
+			return 0;
+		}
+		SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+	}
 #endif /* HAVE_SSL_SET1_HOST */
 	}
 	w->pkt = NULL;
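Review bot: `SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);` at the end of the new `#elif` branch in outnet_tcp_take_into_use names a variable `ssl` that nothing else in the hunk declares, while the SSL object is reached as `pend->c->ssl` on every other line of the branch, so this looks like it will not compile when HAVE_X509_VERIFY_PARAM_SET1_HOST is the branch selected. It should presumably read `SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);`. Because this branch is only built where SSL_set1_host is absent (OpenSSL 1.0.2), a 1.1.x build will not catch the error, so it deserves a build against 1.0.2 before merging. The function starts before the hunk, so a local named `ssl` cannot be fully ruled out from here. The closing `#endif /* HAVE_SSL_SET1_HOST */` comment now also terminates the `#elif`; `#endif /* HAVE_SSL_SET1_HOST / HAVE_X509_VERIFY_PARAM_SET1_HOST */` would keep it accurate.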
@@ -2403,6 +2419,18 @@ outnet_comm_point_for_http(struct outside_network* outnet,
 			return NULL;
 		}
 	}
+#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+	/* openssl 1.0.2 has this function that can be used for
+	 * set1_host like verification */
+	if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) {
+		X509_VERIFY_PARAM* param = SSL_get0_param(pend->c->ssl);
+		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+		if(!X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) {
+			log_err("X509_VERIFY_PARAM_set1_host failed");
+			comm_point_delete(cp);
+			return NULL;
+		}
+	}
 #endif /* HAVE_SSL_SET1_HOST */
 }
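Review bot: `SSL_get0_param(pend->c->ssl)` in the new branch of outnet_comm_point_for_http refers to `pend`, but the error path three lines later tears the connection down with `comm_point_delete(cp)`, which indicates that the comm point in this function is `cp`; the line should presumably be `X509_VERIFY_PARAM* param = SSL_get0_param(cp->ssl);`. As in the earlier hunk for outnet_tcp_take_into_use, this code only compiles against OpenSSL 1.0.2 (no SSL_set1_host), so an OpenSSL 1.1.x build will not reveal the mismatch and a 1.0.2 build is needed to confirm the fix. The start of the function is outside the hunk, so a `pend` local cannot be excluded from here, but the cleanup call is the stronger signal.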