From 38e053c58fa139e0f546f327b5d8ce3db7cf1647 Mon Sep 17 00:00:00 2001
From: Iwan Timmer
Date: Tue, 29 Oct 2019 20:26:05 +0100
Subject: [PATCH 1/2] resolved: require at least version 3.6.0 of GnuTLS for DNS-over-TLS

Increase the required version to ensure TLS 1.3 is always supported when using GnuTLS for DNS-over-TLS and allow further changes to use recent API additions.
---
README | 2 +-
meson.build | 2 +-
src/resolve/resolved-dnstls-gnutls.c | 4 ----
3 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/README b/README
index 8aa16fe8c9..8dbf94b49c 100644
--- a/README
+++ b/README
@@ -155,7 +155,7 @@ REQUIREMENTS:
 libmicrohttpd (optional)
 libpython (optional)
 libidn2 or libidn (optional)
- gnutls >= 3.1.4 (optional, >= 3.5.3 is required to support DNS-over-TLS with gnutls)
+ gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
 openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
 elfutils >= 158 (optional)
 polkit (optional)
diff --git a/meson.build b/meson.build
index 0001504d53..a7a9222582 100644
--- a/meson.build
+++ b/meson.build
@@ -1199,7 +1199,7 @@ if dns_over_tls != 'false'
 if dns_over_tls == 'openssl'
 have_gnutls = false
 else
- have_gnutls = (conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.5.3'))
+ have_gnutls = (conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.6.0'))
 if dns_over_tls == 'gnutls' and not have_gnutls
 error('DNS-over-TLS support was requested with gnutls, but dependencies are not available')
 endif
diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index 7ad9662073..ea276d2c20 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -9,11 +9,7 @@
 #include "resolved-dns-stream.h"
 #include "resolved-dnstls.h"
-#if GNUTLS_VERSION_NUMBER >= 0x030600
 #define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
-#else
-#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2"
-#endif
 DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
 static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {

From 7f2f4faced3fda47e6b76ab73cde747cc20cf8b8 Mon Sep 17 00:00:00 2001
From: Iwan Timmer
Date: Tue, 29 Oct 2019 20:32:18 +0100
Subject: [PATCH 2/2] resolved: check for IP in certificate when using DoT with GnuTLS

Validate the IP address in the certificate for DNS-over-TLS in strict mode when GnuTLS is used. As this is not yet the case in contrast to the documentation.
---
src/resolve/resolved-dnstls-gnutls.c | 13 +++++++++++--
src/resolve/resolved-dnstls-gnutls.h | 1 +
2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index ea276d2c20..9e5e60fcce 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -55,8 +55,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
 server->dnstls_data.session_data.size = 0;
 }
- if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
- gnutls_session_set_verify_cert(gs, NULL, 0);
+ if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+ stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+ if (server->family == AF_INET) {
+ stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+ stream->dnstls_data.validation.size = 4;
+ } else {
+ stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+ stream->dnstls_data.validation.size = 16;
+ }
+ gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+ }
 gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
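Review bot: The `else` branch of the new family switch in dnstls_stream_connect_tls treats every non-AF_INET server as IPv6 and hands GnuTLS 16 bytes of `server->address.in6`, so an unexpected family would be verified against the wrong bytes instead of failing closed; add `assert(server->family == AF_INET6);` as the first line of the `else` branch, and derive the lengths with `sizeof(server->address.in.s_addr)` and `sizeof(server->address.in6.s6_addr)` instead of the literals 4 and 16. `validation.data` points into `server->address` rather than a copy, and the fact that the vdata struct is kept in `stream->dnstls_data` suggests GnuTLS retains the pointer for the session's lifetime, which is only safe if `server` outlives the stream — that ownership is not visible in this hunk and should be confirmed. The `(unsigned char*)` cast on the AF_INET branch is needed only because `s_addr` is an integer; `s6_addr` is already a byte array, so the asymmetry is fine but worth a one-line comment. dnstls_stream_connect_tls begins and ends outside the hunk.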
diff --git a/src/resolve/resolved-dnstls-gnutls.h b/src/resolve/resolved-dnstls-gnutls.h
index af52f04fdf..d4da2017c3 100644
--- a/src/resolve/resolved-dnstls-gnutls.h
+++ b/src/resolve/resolved-dnstls-gnutls.h
@@ -18,6 +18,7 @@ struct DnsTlsServerData {
 struct DnsTlsStreamData {
 gnutls_session_t session;
+ gnutls_typed_vdata_st validation;
 int handshake;
 bool shutdown;
 };
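Review bot: The new `validation` member carries no comment explaining why a handshake-time argument needs per-stream storage, so a later reader may try to turn it back into a local in dnstls_stream_connect_tls. Suggest `/* Verification data passed to gnutls_session_set_verify_cert2(); kept here because the pointer presumably must stay valid for the session's lifetime — confirm against the GnuTLS documentation. */` above the field. The declaration of struct DnsTlsStreamData is fully inside the hunk, but the surrounding header is not visible.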