author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2019-10-30 14:08:26 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-30 14:08:26 +0100 |
commit | b7a4129ca946ed49e161a03283faf5bbab96d110 (patch) | |
tree | 41bd36fcc121a8572c71ec952a1525b723da3411 /src | |
parent | 8fc59b6ef1572ee68091e355c66a76ae8be32f69 (diff) | |
parent | 7f2f4faced3fda47e6b76ab73cde747cc20cf8b8 (diff) | |
Merge pull request #13870 from irtimmer/check_ip_gnutls
resolved: validate IP address in certificate for DNS-over-TLS (GnuTLS)
Diffstat (limited to 'src')
-rw-r--r-- | src/resolve/resolved-dnstls-gnutls.c | 17 | ||||
-rw-r--r-- | src/resolve/resolved-dnstls-gnutls.h | 1 |
2 files changed, 12 insertions, 6 deletions
diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index 7ad9662073..9e5e60fcce 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -9,11 +9,7 @@
 #include "resolved-dns-stream.h"
 #include "resolved-dnstls.h"
-#if GNUTLS_VERSION_NUMBER >= 0x030600
 #define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
-#else
-#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
-#endif
 DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
 static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
@@ -59,8 +55,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
 server->dnstls_data.session_data.size = 0;
 }
- if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
- gnutls_session_set_verify_cert(gs, NULL, 0);
+ if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+ stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+ if (server->family == AF_INET) {
+ stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+ stream->dnstls_data.validation.size = 4;
+ } else {
+ stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+ stream->dnstls_data.validation.size = 16;
+ }
+ gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+ }
 gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
diff --git a/src/resolve/resolved-dnstls-gnutls.h b/src/resolve/resolved-dnstls-gnutls.h
index af52f04fdf..d4da2017c3 100644
--- a/src/resolve/resolved-dnstls-gnutls.h
+++ b/src/resolve/resolved-dnstls-gnutls.h
@@ -18,6 +18,7 @@ struct DnsTlsServerData {
 struct DnsTlsStreamData {
 gnutls_session_t session;
+ gnutls_typed_vdata_st validation;
 int handshake;
 bool shutdown;
 };
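Review bot: Removing the `#if GNUTLS_VERSION_NUMBER >= 0x030600` fallback leaves the TLS 1.3 priority string unconditional, and the second hunk of this file additionally depends on `GNUTLS_DT_IP_ADDRESS` and `gnutls_session_set_verify_cert2()`, so the file now has a hard minimum GnuTLS version that nothing in this diff states or enforces. Presumably the 3.6.0 threshold the removed conditional used is the new floor; if it is not already checked at configure time it should be, since an older GnuTLS would otherwise fail at compile time with an unhelpful error rather than a clear version message. A one-line comment above the define would also help the next reader, e.g. `/* Assumes GnuTLS >= 3.6.0 (TLS 1.3 priority; GNUTLS_DT_IP_ADDRESS used below) */`. I have not seen the build-system side of this PR, so this may already be covered there.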
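Review bot: The `else` branch silently treats any non-`AF_INET` family as IPv6, and the sizes 4 and 16 are magic numbers that must stay in step with the union members being pointed at; both go away if the branch asserts the family and derives the size from the type: `} else { assert(server->family == AF_INET6);` with `stream->dnstls_data.validation.size = sizeof(server->address.in6.s6_addr);`, and `sizeof(server->address.in.s_addr)` in the `AF_INET` branch. Separately, `validation.data` is a borrowed pointer into `server->address` that is now stored in the stream's `DnsTlsStreamData`; if I read GnuTLS correctly, `gnutls_session_set_verify_cert2()` copies the vdata at call time, in which case the struct field could be a local, but if it does not copy then the `DnsServer` must be guaranteed to outlive the session, and a comment stating which assumption holds would prevent a future use-after-free. Minor style: `(unsigned char*)` should be `(unsigned char *)` per the file's pointer-declarator convention. `dnstls_stream_connect_tls()` begins and ends outside this hunk.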