openssl 1.1 support
Willem Toorop
8 years ago
222 | 222 | fi |
223 | 223 | AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) |
224 | 224 | AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) |
225 | AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode]) | |
225 | AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method]) | |
226 | 226 | AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ |
227 | 227 | AC_INCLUDES_DEFAULT |
228 | 228 | #ifdef HAVE_OPENSSL_ERR_H |
403 | 403 | ;; |
404 | 404 | esac |
405 | 405 | |
406 | AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support])) | |
407 | case "$enable_dsa" in | |
408 | no) | |
409 | ;; | |
410 | *) dnl default | |
411 | # detect if DSA is supported, and turn it off if not. | |
412 | AC_CHECK_FUNC(EVP_dss1, [ | |
413 | AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.]) | |
414 | ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.]) | |
415 | fi ]) | |
416 | ;; | |
417 | esac | |
406 | 418 | |
407 | 419 | AC_ARG_ENABLE(draft-dnssec-roadblock-avoidance, AC_HELP_STRING([--enable-draft-dnssec-roadblock-avoidance], [Enable experimental dnssec roadblock avoidance])) |
408 | 420 | AC_ARG_ENABLE(draft-edns-cookies, AC_HELP_STRING([--enable-draft-edns-cookies], [Enable experimental edns cookies])) |
46 | 46 | ACX_RUNTIME_PATH_ADD([$ssldir/lib]) |
47 | 47 | fi |
48 | 48 | |
49 | AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto]) | |
49 | AC_MSG_CHECKING([for HMAC_Update in -lcrypto]) | |
50 | 50 | LIBS="-lssl -lcrypto $LIBS" |
51 | 51 | LIBSSL_LIBS="-lssl -lcrypto $LIBSSL_LIBS" |
52 | 52 | AC_TRY_LINK(, [ |
53 | int HMAC_CTX_init(void); | |
54 | (void)HMAC_CTX_init(); | |
53 | int HMAC_Update(void); | |
54 | (void)HMAC_Update(); | |
55 | 55 | ], [ |
56 | AC_DEFINE([HAVE_HMAC_UPDATE], 1, | |
57 | [If you have HMAC_Update]) | |
56 | 58 | AC_MSG_RESULT(yes) |
57 | AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, | |
58 | [If you have HMAC_CTX_init]) | |
59 | 59 | ], [ |
60 | 60 | AC_MSG_RESULT(no) |
61 | 61 | # check if -lwsock32 or -lgdi32 are needed. |
65 | 65 | LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32" |
66 | 66 | AC_MSG_CHECKING([if -lcrypto needs -lgdi32]) |
67 | 67 | AC_TRY_LINK([], [ |
68 | int HMAC_CTX_init(void); | |
69 | (void)HMAC_CTX_init(); | |
68 | int HMAC_Update(void); | |
69 | (void)HMAC_Update(); | |
70 | 70 | ],[ |
71 | AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, | |
72 | [If you have HMAC_CTX_init]) | |
71 | AC_DEFINE([HAVE_HMAC_UPDATE], 1, | |
72 | [If you have HMAC_Update]) | |
73 | 73 | AC_MSG_RESULT(yes) |
74 | 74 | ],[ |
75 | 75 | AC_MSG_RESULT(no) |
79 | 79 | LIBSSL_LIBS="$LIBSSL_LIBS -ldl" |
80 | 80 | AC_MSG_CHECKING([if -lcrypto needs -ldl]) |
81 | 81 | AC_TRY_LINK([], [ |
82 | int HMAC_CTX_init(void); | |
83 | (void)HMAC_CTX_init(); | |
82 | int HMAC_Update(void); | |
83 | (void)HMAC_Update(); | |
84 | 84 | ],[ |
85 | AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, | |
86 | [If you have HMAC_CTX_init]) | |
85 | AC_DEFINE([HAVE_HMAC_UPDATE], 1, | |
86 | [If you have HMAC_Update]) | |
87 | 87 | AC_MSG_RESULT(yes) |
88 | 88 | ],[ |
89 | 89 | AC_MSG_RESULT(no) |
1231 | 1231 | result->edns_do_bit = 0; |
1232 | 1232 | result->edns_client_subnet_private = 0; |
1233 | 1233 | result->tls_query_padding_blocksize = 1; /* default is to not try to pad */ |
1234 | result-> tls_ctx = NULL; | |
1234 | result->tls_ctx = NULL; | |
1235 | 1235 | |
1236 | 1236 | result->extension = &result->default_eventloop.loop; |
1237 | 1237 | _getdns_default_eventloop_init(&result->default_eventloop); |
1925 | 1925 | getdns_context_set_dns_root_servers( |
1926 | 1926 | getdns_context *context, getdns_list *addresses) |
1927 | 1927 | { |
1928 | #if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB) | |
1928 | #ifdef HAVE_LIBUNBOUND | |
1929 | # ifndef HAVE_UB_CTX_SET_STUB | |
1929 | 1930 | char tmpfn[FILENAME_MAX] = P_tmpdir "/getdns-root-dns-servers-XXXXXX"; |
1930 | 1931 | FILE *fh; |
1931 | 1932 | int fd; |
1932 | 1933 | size_t dst_len; |
1933 | #endif | |
1934 | # endif | |
1934 | 1935 | size_t i; |
1935 | 1936 | getdns_dict *rr_dict; |
1936 | 1937 | getdns_return_t r; |
1937 | 1938 | getdns_bindata *addr_bd; |
1938 | 1939 | char dst[2048]; |
1940 | #endif | |
1939 | 1941 | getdns_list *newlist; |
1940 | 1942 | |
1941 | 1943 | if (!context) |
2892 | 2894 | if (context->tls_ctx == NULL) { |
2893 | 2895 | #ifdef HAVE_TLS_v1_2 |
2894 | 2896 | /* Create client context, use TLS v1.2 only for now */ |
2897 | # ifdef HAVE_TLS_CLIENT_METHOD | |
2898 | context->tls_ctx = SSL_CTX_new(TLS_client_method()); | |
2899 | # else | |
2895 | 2900 | context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method()); |
2901 | # endif | |
2896 | 2902 | if(context->tls_ctx == NULL) |
2897 | 2903 | return GETDNS_RETURN_BAD_CONTEXT; |
2904 | ||
2905 | # ifdef HAVE_TLS_CLIENT_METHOD | |
2906 | if (!SSL_CTX_set_min_proto_version( | |
2907 | context->tls_ctx, TLS1_2_VERSION)) { | |
2908 | SSL_CTX_free(context->tls_ctx); | |
2909 | context->tls_ctx = NULL; | |
2910 | return GETDNS_RETURN_BAD_CONTEXT; | |
2911 | } | |
2912 | # endif | |
2898 | 2913 | /* Be strict and only use the cipher suites recommended in RFC7525 |
2899 | 2914 | Unless we later fallback to opportunistic. */ |
2900 | 2915 | const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM"; |
2902 | 2917 | return GETDNS_RETURN_BAD_CONTEXT; |
2903 | 2918 | /* For strict authentication, we must have local root certs available |
2904 | 2919 | Set up is done only when the tls_ctx is created (per getdns_context)*/ |
2905 | #ifndef USE_WINSOCK | |
2920 | # ifndef USE_WINSOCK | |
2906 | 2921 | if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { |
2907 | #else | |
2922 | # else | |
2908 | 2923 | if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { |
2909 | #endif /* USE_WINSOCK */ | |
2924 | # endif /* USE_WINSOCK */ | |
2910 | 2925 | if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) |
2911 | 2926 | return GETDNS_RETURN_BAD_CONTEXT; |
2912 | 2927 | } |
392 | 392 | } |
393 | 393 | |
394 | 394 | x = sk_X509_value(store->untrusted, i); |
395 | if (x->cert_info == NULL) | |
396 | continue; | |
397 | 395 | #if defined(STUB_DEBUG) && STUB_DEBUG |
398 | 396 | DEBUG_STUB("%s %-35s: Name of cert: %d ", |
399 | 397 | STUB_DEBUG_SETUP_TLS, __FUNCTION__, i); |
400 | 398 | if (x->cert_info->subject != NULL) |
401 | X509_NAME_print_ex_fp(stderr, x->cert_info->subject, 1, XN_FLAG_ONELINE); | |
399 | X509_NAME_print_ex_fp(stderr, X509_get_subject_name(x), 1, XN_FLAG_ONELINE); | |
402 | 400 | fprintf(stderr, "\n"); |
403 | 401 | #endif |
404 | if (x->cert_info->key == NULL) | |
405 | continue; | |
406 | ||
407 | 402 | /* digest the cert with sha256 */ |
408 | 403 | len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), NULL); |
409 | 404 | if (len > sizeof(raw)) { |
458 | 458 | unsigned int result_mac_len = EVP_MAX_MD_SIZE; |
459 | 459 | uint16_t original_id; |
460 | 460 | const EVP_MD *digester; |
461 | HMAC_CTX ctx; | |
461 | HMAC_CTX *ctx; | |
462 | #ifndef HAVE_HMAC_CTX_NEW | |
463 | HMAC_CTX ctx_space; | |
464 | #endif | |
462 | 465 | |
463 | 466 | DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNCTION__); |
464 | 467 | for ( rr = _getdns_rr_iter_init(&rr_spc, req->query, |
586 | 589 | #endif |
587 | 590 | default : return; |
588 | 591 | } |
589 | ||
590 | HMAC_CTX_init(&ctx); | |
591 | (void) HMAC_Init_ex(&ctx, req->upstream->tsig_key, | |
592 | #ifdef HAVE_HMAC_CTX_NEW | |
593 | ctx = HMAC_CTX_new(); | |
594 | #else | |
595 | ctx = &ctx_space; | |
596 | HMAC_CTX_init(ctx); | |
597 | #endif | |
598 | (void) HMAC_Init_ex(ctx, req->upstream->tsig_key, | |
592 | 599 | req->upstream->tsig_size, digester, NULL); |
593 | (void) HMAC_Update(&ctx, request_mac - 2, request_mac_len + 2); | |
594 | (void) HMAC_Update(&ctx, req->response, rr->pos - req->response); | |
595 | (void) HMAC_Update(&ctx, tsig_vars, gldns_buffer_position(&gbuf)); | |
596 | HMAC_Final(&ctx, result_mac, &result_mac_len); | |
600 | (void) HMAC_Update(ctx, request_mac - 2, request_mac_len + 2); | |
601 | (void) HMAC_Update(ctx, req->response, rr->pos - req->response); | |
602 | (void) HMAC_Update(ctx, tsig_vars, gldns_buffer_position(&gbuf)); | |
603 | HMAC_Final(ctx, result_mac, &result_mac_len); | |
597 | 604 | |
598 | 605 | DEBUG_STUB("%s %-35s: Result MAC length: %d\n", |
599 | 606 | STUB_DEBUG_TSIG, __FUNCTION__, (int)(result_mac_len)); |
601 | 608 | memcmp(result_mac, response_mac, result_mac_len) == 0) |
602 | 609 | req->tsig_status = GETDNS_DNSSEC_SECURE; |
603 | 610 | |
604 | HMAC_CTX_cleanup(&ctx); | |
605 | ||
611 | #ifdef HAVE_HMAC_CTX_FREE | |
612 | HMAC_CTX_free(ctx); | |
613 | #else | |
614 | HMAC_CTX_cleanup(ctx); | |
615 | #endif | |
606 | 616 | gldns_write_uint16(req->response, gldns_read_uint16(req->query)); |
607 | 617 | gldns_write_uint16(req->response + 10, |
608 | 618 | gldns_read_uint16(req->response + 10) + 1); |