From ad180402ea781e1209015255b3245f217f293058 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" 
Date: Wed, 5 Feb 2020 16:17:21 +0100
Subject: [PATCH] dnstap io, set tls auth name in outgoing ssl

---
 dnstap/dtstream.c | 4 ++++
 services/outside_network.c | 44 ++++++--------------------------------
 util/net_help.c | 34 +++++++++++++++++++++++++++++
 util/net_help.h | 8 +++++++
 4 files changed, 52 insertions(+), 38 deletions(-)

diff --git a/dnstap/dtstream.c b/dnstap/dtstream.c
index a33103ec1..0ea933dc9 100644
--- a/dnstap/dtstream.c
+++ b/dnstap/dtstream.c
@@ -1500,6 +1500,10 @@ static int dtio_setup_ssl(struct dt_io_thread* dtio)
 if(!dtio->ssl) return 0;
 dtio->ssl_handshake_done = 0;
 dtio->ssl_brief_read = 0;
+
+ if(!set_auth_name_on_ssl(dtio->ssl, dtio->tls_server_name)) {
+ return 0;
+ }
 return 1;
 }
 
diff --git a/services/outside_network.c b/services/outside_network.c
index 9876c2150..612767056 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
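Review bot: In the new failure branch of dtio_setup_ssl the SSL object stays attached to dtio->ssl when set_auth_name_on_ssl() returns 0, whereas the equivalent branch in services/outside_network.c frees it and clears the pointer; unless the caller of dtio_setup_ssl releases dtio->ssl on a 0 return (not visible here), a half-configured SSL object, without the verification settings applied, is left behind and could be reused. I would mirror the other call site with `SSL_free(dtio->ssl); dtio->ssl = NULL;` before the `return 0;`, guarded the same way the file's other SSL_* calls are. The function starts outside the hunk, so the caller's cleanup contract could not be checked.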
@@ -373,45 +373,13 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
 comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl);
 #endif
 pend->c->ssl_shake_state = comm_ssl_shake_write;
- if(w->tls_auth_name) {
-#ifdef HAVE_SSL
- (void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name);
-#endif
- }
-#ifdef HAVE_SSL_SET1_HOST
- if(w->tls_auth_name) {
- SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
- /* setting the hostname makes openssl verify the
- * host name in the x509 certificate in the
- * SSL connection*/
- if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
- log_err("SSL_set1_host failed");
- pend->c->fd = s;
- SSL_free(pend->c->ssl);
- pend->c->ssl = NULL;
- comm_point_close(pend->c);
- return 0;
- }
- }
-#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
- /* openssl 1.0.2 has this function that can be used for
- * set1_host like verification */
- if(w->tls_auth_name) {
- X509_VERIFY_PARAM* param = SSL_get0_param(pend->c->ssl);
- X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
- if(!X509_VERIFY_PARAM_set1_host(param, w->tls_auth_name, strlen(w->tls_auth_name))) {
- log_err("X509_VERIFY_PARAM_set1_host failed");
- pend->c->fd = s;
- SSL_free(pend->c->ssl);
- pend->c->ssl = NULL;
- comm_point_close(pend->c);
- return 0;
- }
- SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
+ if(!set_auth_name_on_ssl(pend->c->ssl, w->tls_auth_name)) {
+ pend->c->fd = s;
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
+ comm_point_close(pend->c);
+ return 0;
 }
-#else
- verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
-#endif /* HAVE_SSL_SET1_HOST */
 }
 w->pkt = NULL;
 w->next_waiting = (void*)pend;
diff --git a/util/net_help.c b/util/net_help.c
index 0869f91f9..7e0a7ac08 100644
--- a/util/net_help.c
+++ b/util/net_help.c
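Review bot: The new failure branch in outnet_tcp_take_into_use assigns `pend->c->fd = s;` immediately before `comm_point_close(pend->c);` with no explanation, and the reason (presumably handing the socket to the comm_point so that the close releases it, since the fd is otherwise not yet owned by pend->c) is now the only place in this function that still carries that sequence. A one-line comment would keep the next maintainer from "simplifying" it away: `/* hand the fd to pend->c so comm_point_close() releases it */`. The enclosing function begins and ends outside the hunk, so whether the fd is otherwise closed on this path could not be confirmed.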
@@ -1191,6 +1191,40 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
 #endif
 }
 
+/** set the authname on an SSL structure, SSL* ssl */
+int set_auth_name_on_ssl(void* ssl, char* auth_name)
+{
+ if(!auth_name) return 1;
+#ifdef HAVE_SSL
+ (void)SSL_set_tlsext_host_name(ssl, auth_name);
+#endif
+#ifdef HAVE_SSL_SET1_HOST
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+ /* setting the hostname makes openssl verify the
+ * host name in the x509 certificate in the
+ * SSL connection*/
+ if(!SSL_set1_host(ssl, auth_name)) {
+ log_err("SSL_set1_host failed");
+ return 0;
+ }
+#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+ /* openssl 1.0.2 has this function that can be used for
+ * set1_host like verification */
+ if(auth_name) {
+ X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ if(!X509_VERIFY_PARAM_set1_host(param, auth_name, strlen(auth_name))) {
+ log_err("X509_VERIFY_PARAM_set1_host failed");
+ return 0;
+ }
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+ }
+#else
+ verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
+#endif /* HAVE_SSL_SET1_HOST */
+ return 1;
+}
+
 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
 /** global lock list for openssl locks */
 static lock_basic_type *ub_openssl_locks = NULL;
diff --git a/util/net_help.h b/util/net_help.h
index 7a33a7203..b621639c0 100644
--- a/util/net_help.h
+++ b/util/net_help.h
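Review bot: In the `#else` branch of set_auth_name_on_ssl a configured auth name that this libssl cannot verify is only reported at VERB_ALGO and the function still returns 1, so both callers (outnet_tcp_take_into_use in services/outside_network.c and dtio_setup_ssl in dnstap/dtstream.c) proceed as if hostname verification were in place; this was the old inline behaviour in outside_network.c, but as the contract of a shared helper it silently downgrades an explicitly requested check. If a configured name is meant to be enforced, fail closed there with `log_err("the query has an auth_name, but libssl has no call to perform TLS authentication"); return 0;`, and otherwise state in the header comment that a return of 1 may mean "no verification available". Separately, the `if(auth_name)` inside the `#elif` branch is dead after the early `if(!auth_name) return 1;` and can be dropped. Since nothing writes through the name (SSL_set1_host and X509_VERIFY_PARAM_set1_host take const input), the parameter could be declared `const char* auth_name` in both the definition and the prototype in util/net_help.h.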
@@ -434,6 +434,14 @@ void* incoming_ssl_fd(void* sslctx, int fd);
 */
 void* outgoing_ssl_fd(void* sslctx, int fd);
 
+/**
+ * set auth name on SSL for verification
+ * @param ssl: SSL* to set
+ * @param auth_name: if NULL nothing happens, otherwise the name to check.
+ * @return 1 on success or NULL auth_name, 0 on failure.
+ */
+int set_auth_name_on_ssl(void* ssl, char* auth_name);
+
 /**
 * Initialize openssl locking for thread safety
 * @return false on failure (alloc failure).
-- 
2.47.3
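Review bot: The new doc comment for set_auth_name_on_ssl does not state that `ssl` must be a live, non-NULL SSL* (the implementation in util/net_help.c passes it straight to SSL_* calls without a check) nor that it must be called before the handshake starts, which both call sites in this patch do; SNI and the verify/hostname parameters only take effect when the handshake runs, so a later call is silently ineffective. I would change the first parameter line to `@param ssl: SSL* to set, must be non-NULL and not yet handshaking.`, and add to the `@return` line that on failure the caller is responsible for freeing the SSL object, since the helper does not.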