openssl 1.1 support
Willem Toorop
8 years ago
| 222 | 222 | fi |
| 223 | 223 | AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) |
| 224 | 224 | AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) |
| 225 | AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode]) | |
| 225 | AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method]) | |
| 226 | 226 | AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ |
| 227 | 227 | AC_INCLUDES_DEFAULT |
| 228 | 228 | #ifdef HAVE_OPENSSL_ERR_H |
| 403 | 403 | ;; |
| 404 | 404 | esac |
| 405 | 405 | |
| 406 | AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support])) | |
| 407 | case "$enable_dsa" in | |
| 408 | no) | |
| 409 | ;; | |
| 410 | *) dnl default | |
| 411 | # detect if DSA is supported, and turn it off if not. | |
| 412 | AC_CHECK_FUNC(EVP_dss1, [ | |
| 413 | AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.]) | |
| 414 | ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.]) | |
| 415 | fi ]) | |
| 416 | ;; | |
| 417 | esac | |
| 406 | 418 | |
| 407 | 419 | AC_ARG_ENABLE(draft-dnssec-roadblock-avoidance, AC_HELP_STRING([--enable-draft-dnssec-roadblock-avoidance], [Enable experimental dnssec roadblock avoidance])) |
| 408 | 420 | AC_ARG_ENABLE(draft-edns-cookies, AC_HELP_STRING([--enable-draft-edns-cookies], [Enable experimental edns cookies])) |
| 46 | 46 | ACX_RUNTIME_PATH_ADD([$ssldir/lib]) |
| 47 | 47 | fi |
| 48 | 48 | |
| 49 | AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto]) | |
| 49 | AC_MSG_CHECKING([for HMAC_Update in -lcrypto]) | |
| 50 | 50 | LIBS="-lssl -lcrypto $LIBS" |
| 51 | 51 | LIBSSL_LIBS="-lssl -lcrypto $LIBSSL_LIBS" |
| 52 | 52 | AC_TRY_LINK(, [ |
| 53 | int HMAC_CTX_init(void); | |
| 54 | (void)HMAC_CTX_init(); | |
| 53 | int HMAC_Update(void); | |
| 54 | (void)HMAC_Update(); | |
| 55 | 55 | ], [ |
| 56 | AC_DEFINE([HAVE_HMAC_UPDATE], 1, | |
| 57 | [If you have HMAC_Update]) | |
| 56 | 58 | AC_MSG_RESULT(yes) |
| 57 | AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, | |
| 58 | [If you have HMAC_CTX_init]) | |
| 59 | 59 | ], [ |
| 60 | 60 | AC_MSG_RESULT(no) |
| 61 | 61 | # check if -lwsock32 or -lgdi32 are needed. |
| 65 | 65 | LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32" |
| 66 | 66 | AC_MSG_CHECKING([if -lcrypto needs -lgdi32]) |
| 67 | 67 | AC_TRY_LINK([], [ |
| 68 | int HMAC_CTX_init(void); | |
| 69 | (void)HMAC_CTX_init(); | |
| 68 | int HMAC_Update(void); | |
| 69 | (void)HMAC_Update(); | |
| 70 | 70 | ],[ |
| 71 | AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, | |
| 72 | [If you have HMAC_CTX_init]) | |
| 71 | AC_DEFINE([HAVE_HMAC_UPDATE], 1, | |
| 72 | [If you have HMAC_Update]) | |
| 73 | 73 | AC_MSG_RESULT(yes) |
| 74 | 74 | ],[ |
| 75 | 75 | AC_MSG_RESULT(no) |
| 79 | 79 | LIBSSL_LIBS="$LIBSSL_LIBS -ldl" |
| 80 | 80 | AC_MSG_CHECKING([if -lcrypto needs -ldl]) |
| 81 | 81 | AC_TRY_LINK([], [ |
| 82 | int HMAC_CTX_init(void); | |
| 83 | (void)HMAC_CTX_init(); | |
| 82 | int HMAC_Update(void); | |
| 83 | (void)HMAC_Update(); | |
| 84 | 84 | ],[ |
| 85 | AC_DEFINE([HAVE_HMAC_CTX_INIT], 1, | |
| 86 | [If you have HMAC_CTX_init]) | |
| 85 | AC_DEFINE([HAVE_HMAC_UPDATE], 1, | |
| 86 | [If you have HMAC_Update]) | |
| 87 | 87 | AC_MSG_RESULT(yes) |
| 88 | 88 | ],[ |
| 89 | 89 | AC_MSG_RESULT(no) |
| 1231 | 1231 | result->edns_do_bit = 0; |
| 1232 | 1232 | result->edns_client_subnet_private = 0; |
| 1233 | 1233 | result->tls_query_padding_blocksize = 1; /* default is to not try to pad */ |
| 1234 | result-> tls_ctx = NULL; | |
| 1234 | result->tls_ctx = NULL; | |
| 1235 | 1235 | |
| 1236 | 1236 | result->extension = &result->default_eventloop.loop; |
| 1237 | 1237 | _getdns_default_eventloop_init(&result->default_eventloop); |
| 1925 | 1925 | getdns_context_set_dns_root_servers( |
| 1926 | 1926 | getdns_context *context, getdns_list *addresses) |
| 1927 | 1927 | { |
| 1928 | #if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB) | |
| 1928 | #ifdef HAVE_LIBUNBOUND | |
| 1929 | # ifndef HAVE_UB_CTX_SET_STUB | |
| 1929 | 1930 | char tmpfn[FILENAME_MAX] = P_tmpdir "/getdns-root-dns-servers-XXXXXX"; |
| 1930 | 1931 | FILE *fh; |
| 1931 | 1932 | int fd; |
| 1932 | 1933 | size_t dst_len; |
| 1933 | #endif | |
| 1934 | # endif | |
| 1934 | 1935 | size_t i; |
| 1935 | 1936 | getdns_dict *rr_dict; |
| 1936 | 1937 | getdns_return_t r; |
| 1937 | 1938 | getdns_bindata *addr_bd; |
| 1938 | 1939 | char dst[2048]; |
| 1940 | #endif | |
| 1939 | 1941 | getdns_list *newlist; |
| 1940 | 1942 | |
| 1941 | 1943 | if (!context) |
| 2892 | 2894 | if (context->tls_ctx == NULL) { |
| 2893 | 2895 | #ifdef HAVE_TLS_v1_2 |
| 2894 | 2896 | /* Create client context, use TLS v1.2 only for now */ |
| 2897 | # ifdef HAVE_TLS_CLIENT_METHOD | |
| 2898 | context->tls_ctx = SSL_CTX_new(TLS_client_method()); | |
| 2899 | # else | |
| 2895 | 2900 | context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method()); |
| 2901 | # endif | |
| 2896 | 2902 | if(context->tls_ctx == NULL) |
| 2897 | 2903 | return GETDNS_RETURN_BAD_CONTEXT; |
| 2904 | ||
| 2905 | # ifdef HAVE_TLS_CLIENT_METHOD | |
| 2906 | if (!SSL_CTX_set_min_proto_version( | |
| 2907 | context->tls_ctx, TLS1_2_VERSION)) { | |
| 2908 | SSL_CTX_free(context->tls_ctx); | |
| 2909 | context->tls_ctx = NULL; | |
| 2910 | return GETDNS_RETURN_BAD_CONTEXT; | |
| 2911 | } | |
| 2912 | # endif | |
| 2898 | 2913 | /* Be strict and only use the cipher suites recommended in RFC7525 |
| 2899 | 2914 | Unless we later fallback to opportunistic. */ |
| 2900 | 2915 | const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM"; |
| 2902 | 2917 | return GETDNS_RETURN_BAD_CONTEXT; |
| 2903 | 2918 | /* For strict authentication, we must have local root certs available |
| 2904 | 2919 | Set up is done only when the tls_ctx is created (per getdns_context)*/ |
| 2905 | #ifndef USE_WINSOCK | |
| 2920 | # ifndef USE_WINSOCK | |
| 2906 | 2921 | if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { |
| 2907 | #else | |
| 2922 | # else | |
| 2908 | 2923 | if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { |
| 2909 | #endif /* USE_WINSOCK */ | |
| 2924 | # endif /* USE_WINSOCK */ | |
| 2910 | 2925 | if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) |
| 2911 | 2926 | return GETDNS_RETURN_BAD_CONTEXT; |
| 2912 | 2927 | } |
| 392 | 392 | } |
| 393 | 393 | |
| 394 | 394 | x = sk_X509_value(store->untrusted, i); |
| 395 | if (x->cert_info == NULL) | |
| 396 | continue; | |
| 397 | 395 | #if defined(STUB_DEBUG) && STUB_DEBUG |
| 398 | 396 | DEBUG_STUB("%s %-35s: Name of cert: %d ", |
| 399 | 397 | STUB_DEBUG_SETUP_TLS, __FUNCTION__, i); |
| 400 | 398 | if (x->cert_info->subject != NULL) |
| 401 | X509_NAME_print_ex_fp(stderr, x->cert_info->subject, 1, XN_FLAG_ONELINE); | |
| 399 | X509_NAME_print_ex_fp(stderr, X509_get_subject_name(x), 1, XN_FLAG_ONELINE); | |
| 402 | 400 | fprintf(stderr, "\n"); |
| 403 | 401 | #endif |
| 404 | if (x->cert_info->key == NULL) | |
| 405 | continue; | |
| 406 | ||
| 407 | 402 | /* digest the cert with sha256 */ |
| 408 | 403 | len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), NULL); |
| 409 | 404 | if (len > sizeof(raw)) { |
| 458 | 458 | unsigned int result_mac_len = EVP_MAX_MD_SIZE; |
| 459 | 459 | uint16_t original_id; |
| 460 | 460 | const EVP_MD *digester; |
| 461 | HMAC_CTX ctx; | |
| 461 | HMAC_CTX *ctx; | |
| 462 | #ifndef HAVE_HMAC_CTX_NEW | |
| 463 | HMAC_CTX ctx_space; | |
| 464 | #endif | |
| 462 | 465 | |
| 463 | 466 | DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNCTION__); |
| 464 | 467 | for ( rr = _getdns_rr_iter_init(&rr_spc, req->query, |
| 586 | 589 | #endif |
| 587 | 590 | default : return; |
| 588 | 591 | } |
| 589 | ||
| 590 | HMAC_CTX_init(&ctx); | |
| 591 | (void) HMAC_Init_ex(&ctx, req->upstream->tsig_key, | |
| 592 | #ifdef HAVE_HMAC_CTX_NEW | |
| 593 | ctx = HMAC_CTX_new(); | |
| 594 | #else | |
| 595 | ctx = &ctx_space; | |
| 596 | HMAC_CTX_init(ctx); | |
| 597 | #endif | |
| 598 | (void) HMAC_Init_ex(ctx, req->upstream->tsig_key, | |
| 592 | 599 | req->upstream->tsig_size, digester, NULL); |
| 593 | (void) HMAC_Update(&ctx, request_mac - 2, request_mac_len + 2); | |
| 594 | (void) HMAC_Update(&ctx, req->response, rr->pos - req->response); | |
| 595 | (void) HMAC_Update(&ctx, tsig_vars, gldns_buffer_position(&gbuf)); | |
| 596 | HMAC_Final(&ctx, result_mac, &result_mac_len); | |
| 600 | (void) HMAC_Update(ctx, request_mac - 2, request_mac_len + 2); | |
| 601 | (void) HMAC_Update(ctx, req->response, rr->pos - req->response); | |
| 602 | (void) HMAC_Update(ctx, tsig_vars, gldns_buffer_position(&gbuf)); | |
| 603 | HMAC_Final(ctx, result_mac, &result_mac_len); | |
| 597 | 604 | |
| 598 | 605 | DEBUG_STUB("%s %-35s: Result MAC length: %d\n", |
| 599 | 606 | STUB_DEBUG_TSIG, __FUNCTION__, (int)(result_mac_len)); |
| 601 | 608 | memcmp(result_mac, response_mac, result_mac_len) == 0) |
| 602 | 609 | req->tsig_status = GETDNS_DNSSEC_SECURE; |
| 603 | 610 | |
| 604 | HMAC_CTX_cleanup(&ctx); | |
| 605 | ||
| 611 | #ifdef HAVE_HMAC_CTX_FREE | |
| 612 | HMAC_CTX_free(ctx); | |
| 613 | #else | |
| 614 | HMAC_CTX_cleanup(ctx); | |
| 615 | #endif | |
| 606 | 616 | gldns_write_uint16(req->response, gldns_read_uint16(req->query)); |
| 607 | 617 | gldns_write_uint16(req->response + 10, |
| 608 | 618 | gldns_read_uint16(req->response + 10) + 1); |