resolved: check for IP in certificate when using DoT with GnuTLS
Validate the IP address in the server certificate for DNS-over-TLS in strict mode when GnuTLS is used. This was not yet done, contrary to what the documentation states.
This commit is contained in:
parent
38e053c58f
commit
7f2f4faced
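--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -55,8 +55,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
                 server->dnstls_data.session_data.size = 0;
         }
 
-        if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
-                gnutls_session_set_verify_cert(gs, NULL, 0);
+        if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+                stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+                if (server->family == AF_INET) {
+                        stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+                        stream->dnstls_data.validation.size = 4;
+                } else {
+                        stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+                        stream->dnstls_data.validation.size = 16;
+                }
+                gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+        }
 
         gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
 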
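Review bot: `validation.data` is made to point into `server->address` (the `&server->address.in.s_addr` and `server->address.in6.s6_addr` lines), so the identity GnuTLS compares against the peer certificate lives in the DnsServer, not in the stream, and the new `validation` member only keeps the descriptor struct alive, not the address bytes it references. If GnuTLS retains that pointer until verification runs during the handshake — which is presumably why the descriptor was moved into DnsTlsStreamData — then a server object released or re-addressed before `handshake` completes would make the check read stale memory; copying the address bytes into the stream next to the descriptor, or documenting that the stream must hold a reference on the server for the handshake's lifetime, closes that gap. The `else` branch also treats every non-AF_INET family as 16 bytes of IPv6; an explicit `assert(server->family == AF_INET6);` at the top of that branch makes the assumption checkable rather than silent. Note as well that only the IP identity is verified here, so if a server can be configured with a hostname, that name is not checked against the certificate — worth confirming against the documentation the commit message cites. dnstls_stream_connect_tls begins before and continues after this hunk.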
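--- a/src/resolve/resolved-dnstls-gnutls.h
+++ b/src/resolve/resolved-dnstls-gnutls.h
@@ -18,6 +18,7 @@ struct DnsTlsServerData {
 
 struct DnsTlsStreamData {
         gnutls_session_t session;
+        gnutls_typed_vdata_st validation;
         int handshake;
         bool shutdown;
 };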
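Review bot: The new `validation` member carries no comment, although its `data` pointer does not own what it points to (it is set to the server's address bytes in the companion .c hunk on this page), which is exactly the kind of lifetime detail a reader of the header needs. A short note such as `/* Peer identity handed to gnutls_session_set_verify_cert2(); .data borrows the server address and must outlive the handshake */` would document the contract where the field is declared. The struct is fully visible in this hunk.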