authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2019-10-30 14:08:26 +0100
committerGitHub <noreply@github.com>2019-10-30 14:08:26 +0100
commitb7a4129ca946ed49e161a03283faf5bbab96d110 (patch)
tree41bd36fcc121a8572c71ec952a1525b723da3411
parent8fc59b6ef1572ee68091e355c66a76ae8be32f69 (diff)
parent7f2f4faced3fda47e6b76ab73cde747cc20cf8b8 (diff)
Merge pull request #13870 from irtimmer/check_ip_gnutls
resolved: validate IP address in certificate for DNS-over-TLS (GnuTLS)
-rw-r--r--README2
-rw-r--r--meson.build2
-rw-r--r--src/resolve/resolved-dnstls-gnutls.c17
-rw-r--r--src/resolve/resolved-dnstls-gnutls.h1
4 files changed, 14 insertions, 8 deletions
diff --git a/README b/README
index 8aa16fe8c9..8dbf94b49c 100644
--- a/README
+++ b/README
@@ -155,7 +155,7 @@ REQUIREMENTS:
libmicrohttpd (optional)
libpython (optional)
libidn2 or libidn (optional)
- gnutls >= 3.1.4 (optional, >= 3.5.3 is required to support DNS-over-TLS with gnutls)
+ gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
elfutils >= 158 (optional)
polkit (optional)
diff --git a/meson.build b/meson.build
index 0001504d53..a7a9222582 100644
--- a/meson.build
+++ b/meson.build
@@ -1199,7 +1199,7 @@ if dns_over_tls != 'false'
if dns_over_tls == 'openssl'
have_gnutls = false
else
- have_gnutls = (conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.5.3'))
+ have_gnutls = (conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.6.0'))
if dns_over_tls == 'gnutls' and not have_gnutls
error('DNS-over-TLS support was requested with gnutls, but dependencies are not available')
endif
diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index 7ad9662073..9e5e60fcce 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -9,11 +9,7 @@
#include "resolved-dns-stream.h"
#include "resolved-dnstls.h"
-#if GNUTLS_VERSION_NUMBER >= 0x030600
#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
-#else
-#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
-#endif
DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
@@ -59,8 +55,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
server->dnstls_data.session_data.size = 0;
}
- if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
- gnutls_session_set_verify_cert(gs, NULL, 0);
+ if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+ stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+ if (server->family == AF_INET) {
+ stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+ stream->dnstls_data.validation.size = 4;
+ } else {
+ stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+ stream->dnstls_data.validation.size = 16;
+ }
+ gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+ }
gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
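Review bot: The else branch after the AF_INET test treats every other address family as IPv6 and hands a 16-byte `s6_addr` to GnuTLS; making it `else if (server->family == AF_INET6)` (or asserting the family, as the rest of resolved does for socket addresses) would make that assumption checkable instead of silent. The literal sizes could also be tied to the fields they describe, `stream->dnstls_data.validation.size = sizeof(server->address.in.s_addr);` and `stream->dnstls_data.validation.size = sizeof(server->address.in6.s6_addr);`, so a future change to the union cannot desynchronise them. `validation.data` is a pointer into `*server`, not a copy, and GnuTLS presumably dereferences it during the handshake, so the stream's session must not outlive the server object; a one-line comment such as `/* validation.data points into *server; GnuTLS reads it while verifying the peer certificate */` would record that lifetime requirement next to the new field use. dnstls_stream_connect_tls starts before this hunk and continues past it.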
diff --git a/src/resolve/resolved-dnstls-gnutls.h b/src/resolve/resolved-dnstls-gnutls.h
index af52f04fdf..d4da2017c3 100644
--- a/src/resolve/resolved-dnstls-gnutls.h
+++ b/src/resolve/resolved-dnstls-gnutls.h
@@ -18,6 +18,7 @@ struct DnsTlsServerData {
struct DnsTlsStreamData {
gnutls_session_t session;
+ gnutls_typed_vdata_st validation;
int handshake;
bool shutdown;
};