resolved: check for IP in certificate when using DoT with GnuTLS

Validate the IP address in the certificate for DNS-over-TLS in strict mode when GnuTLS is used. As this is not yet the case in contrast to the documentation.

2 files changed, 12 insertions, 2 deletions

diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index ea276d2c20..9e5e60fcce 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -55,8 +55,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
                 server->dnstls_data.session_data.size = 0;
         }
 
-        if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
-                gnutls_session_set_verify_cert(gs, NULL, 0);
+        if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+                stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+                if (server->family == AF_INET) {
+                        stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+                        stream->dnstls_data.validation.size = 4;
+                } else {
+                        stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+                        stream->dnstls_data.validation.size = 16;
+                }
+                gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+        }
 
         gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
 
diff --git a/src/resolve/resolved-dnstls-gnutls.h b/src/resolve/resolved-dnstls-gnutls.h
index af52f04fdf..d4da2017c3 100644
--- a/src/resolve/resolved-dnstls-gnutls.h
+++ b/src/resolve/resolved-dnstls-gnutls.h
@@ -18,6 +18,7 @@ struct DnsTlsServerData {
 
 struct DnsTlsStreamData {
         gnutls_session_t session;
+        gnutls_typed_vdata_st validation;
         int handshake;
         bool shutdown;
 };