From 7f2f4faced3fda47e6b76ab73cde747cc20cf8b8 Mon Sep 17 00:00:00 2001 From: Iwan Timmer Date: Tue, 29 Oct 2019 20:32:18 +0100 Subject: [PATCH] resolved: check for IP in certificate when using DoT with GnuTLS Validate the IP address in the certificate for DNS-over-TLS in strict mode when GnuTLS is used. As this is not yet the case in contrast to the documentation. --- src/resolve/resolved-dnstls-gnutls.c | 13 +++++++++++-- src/resolve/resolved-dnstls-gnutls.h | 1 + 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c index ea276d2c20f..9e5e60fccee 100644 --- a/src/resolve/resolved-dnstls-gnutls.c +++ b/src/resolve/resolved-dnstls-gnutls.c @@ -55,8 +55,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { server->dnstls_data.session_data.size = 0; } - if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) - gnutls_session_set_verify_cert(gs, NULL, 0); + if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) { + stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS; + if (server->family == AF_INET) { + stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr; + stream->dnstls_data.validation.size = 4; + } else { + stream->dnstls_data.validation.data = server->address.in6.s6_addr; + stream->dnstls_data.validation.size = 16; + } + gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0); + } gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); diff --git a/src/resolve/resolved-dnstls-gnutls.h b/src/resolve/resolved-dnstls-gnutls.h index af52f04fdf2..d4da2017c3a 100644 --- a/src/resolve/resolved-dnstls-gnutls.h +++ b/src/resolve/resolved-dnstls-gnutls.h @@ -18,6 +18,7 @@ struct DnsTlsServerData { struct DnsTlsStreamData { gnutls_session_t session; + gnutls_typed_vdata_st validation; int handshake; bool shutdown; };