Commit c22e726b authored by Daniel Salzman's avatar Daniel Salzman

utils: separate TLS code from netio

parent 15733217
......@@ -451,6 +451,8 @@ src/utils/common/resolv.c
src/utils/common/resolv.h
src/utils/common/sign.c
src/utils/common/sign.h
src/utils/common/tls.c
src/utils/common/tls.h
src/utils/common/token.c
src/utils/common/token.h
src/utils/kdig/kdig_exec.c
......@@ -574,6 +576,7 @@ tests/requestor.c
tests/rrl.c
tests/server.c
tests/test_conf.h
tests/utils/test_cert.c
tests/utils/test_lookup.c
tests/worker_pool.c
tests/worker_queue.c
......
......@@ -201,6 +201,21 @@ Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).
\fB+\fP[\fBno\fP]\fBignore\fP
Don\(aqt use TCP automatically if a truncated reply is received.
.TP
\fB+\fP[\fBno\fP]\fBtls\fP
Use TLS with the Opportunistic privacy profile.
.TP
\fB+\fP[\fBno\fP]\fBtls\-ca\fP[=\fIFILE\fP]
Use TLS with the Out\-Of\-Band privacy profile, use a specified PEM file
(default is system certificate storage if no argument is provided).
Can be specified multiple times.
.TP
\fB+\fP[\fBno\fP]\fBtls\-pin\fP=\fIBASE64\fP
Use TLS with a pinned certificate check. The PIN must be a Base64 encoded
SHA\-256 hash of the X.509 SubjectPublicKeyInfo. Can be specified multiple times.
.TP
\fB+\fP[\fBno\fP]\fBtls\-hostname\fP=\fISTR\fP
Use TLS with a remote server hostname check.
.TP
\fB+\fP[\fBno\fP]\fBnsid\fP
Request the nameserver identifier (NSID).
.TP
......@@ -276,6 +291,21 @@ $ kdig +tcp example.com \-t A @192.0.2.1 \-x 2001:DB8::1 @192.0.2.2
.fi
.UNINDENT
.UNINDENT
.IP 4. 3
Get SOA record for example.com, use TLS, use system certificates, check
for specified hostname, check for certificate pin, and print additional
debug info:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ kdig \-d @185.49.141.38 +tls\-ca +tls\-host=getdnsapi.net \e
+tls\-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.SH FILES
.sp
......
......@@ -178,6 +178,21 @@ Options
**+**\ [\ **no**\ ]\ **ignore**
Don't use TCP automatically if a truncated reply is received.
**+**\ [\ **no**\ ]\ **tls**
Use TLS with the Opportunistic privacy profile.
**+**\ [\ **no**\ ]\ **tls-ca**\[\ =\ *FILE*\]
Use TLS with the Out-Of-Band privacy profile, use a specified PEM file
(default is system certificate storage if no argument is provided).
Can be specified multiple times.
**+**\ [\ **no**\ ]\ **tls-pin**\ =\ *BASE64*
Use TLS with a pinned certificate check. The PIN must be a Base64 encoded
SHA-256 hash of the X.509 SubjectPublicKeyInfo. Can be specified multiple times.
**+**\ [\ **no**\ ]\ **tls-hostname**\ =\ *STR*
Use TLS with a remote server hostname check.
**+**\ [\ **no**\ ]\ **nsid**
Request the nameserver identifier (NSID).
......@@ -232,6 +247,13 @@ Examples
$ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2
4. Get SOA record for example.com, use TLS, use system certificates, check
for specified hostname, check for certificate pin, and print additional
debug info::
$ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
+tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
Files
-----
......
......@@ -218,6 +218,8 @@ libknotus_la_SOURCES = \
utils/common/resolv.h \
utils/common/sign.c \
utils/common/sign.h \
utils/common/tls.c \
utils/common/tls.h \
utils/common/token.c \
utils/common/token.h
......
......@@ -597,6 +597,7 @@ void print_packet(const knot_pkt_t *packet,
// Print packet information header.
if (style->show_header) {
print_tls(&net->tls);
print_header(packet, style, rcode);
}
......
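Review bot: `print_tls(&net->tls);` is reached for every header print, and if any caller of print_packet passes a NULL `net` (the signature and its callers are outside this hunk, so this is unverified), forming `&net->tls` on a null pointer is undefined behaviour before print_tls can check anything. If such a caller exists, guard the call: `if (net != NULL) { print_tls(&net->tls); }`. Otherwise a short comment that print_tls prints nothing for a context without a session, `// No-op unless a TLS session was established.`, would tell the reader why plain UDP/TCP replies are unaffected; that property of print_tls is not visible on this page and should be confirmed.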
/* Copyright (C) 2011 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -14,9 +14,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*!
* \file netio.h
*
* \author Daniel Salzman <daniel.salzman@nic.cz>
* \file
*
* \brief Networking abstraction for utilities.
*
......@@ -29,9 +27,9 @@
#include <netdb.h>
#include <stdint.h>
#include <sys/socket.h>
#include <gnutls/gnutls.h>
#include "utils/common/params.h"
#include "utils/common/tls.h"
/*! \brief Structure containing server information. */
typedef struct {
......@@ -75,13 +73,9 @@ typedef struct {
* used.
*/
struct addrinfo *local_info;
/*! TLS Privacy Profile. */
tls_profile_t tls;
/*! TLS Privacy Profile Pin. */
char *tls_pin;
/*! GnuTLS session handle */
gnutls_session_t tls_session;
gnutls_certificate_credentials_t tls_creds;
/*! TLS context. */
tls_ctx_t tls;
} net_t;
/*!
......@@ -93,7 +87,7 @@ typedef struct {
* \retval server if success.
* \retval NULL if error.
*/
srv_info_t* srv_info_create(const char *name, const char *service);
srv_info_t *srv_info_create(const char *name, const char *service);
/*!
* \brief Destroys server structure.
......@@ -129,7 +123,7 @@ int get_socktype(const protocol_t proto, const uint16_t type);
*
* \retval "TCP" or "UDP".
*/
const char* get_sockname(const int socktype);
const char *get_sockname(const int socktype);
/*!
* \brief Translates int socket type to the common string one.
......@@ -150,6 +144,7 @@ void get_addr_str(const struct sockaddr_storage *ss,
* \param iptype IP version.
* \param socktype Socket type.
* \param wait Network timeout interval.
* \param tls_params TLS parameters.
* \param net Network structure to initialize.
*
* \retval KNOT_EOK if success.
......@@ -160,8 +155,7 @@ int net_init(const srv_info_t *local,
const int iptype,
const int socktype,
const int wait,
const tls_profile_t tls,
const char *tls_pin,
const tls_params_t *tls_params,
net_t *net);
/*!
......
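Review bot: The new `\param tls_params TLS parameters.` line on the net_init prototype leaves two contract points unstated: whether NULL is accepted (knsupdate.c in this same commit passes `NULL` for it), and that net_t keeps only the pointer, not a copy — the embedded tls_ctx_t holds `const tls_params_t *params` — so the caller's object must stay alive until the net_t is torn down. Suggest `\param tls_params TLS parameters (NULL disables TLS); not copied, must outlive \a net.`, with the NULL part confirmed against tls_ctx_init, which is not on this page. The other hunks in this file are prototype pointer-spacing and header-comment cleanups that need nothing further.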
......@@ -119,10 +119,8 @@ int best_param(const char *str, const size_t str_len, const param_t *tbl,
case -1:
continue;
case 0:
best_pos = i;
best_match = 0;
matches = 1;
break;
*unique = true;
return i;
default:
if (ret < best_match) {
best_pos = i;
......
......@@ -67,16 +67,6 @@ typedef enum {
FORMAT_NSUPDATE
} format_t;
/*! \brief DNS over TLS Privacy Profiles. */
typedef enum {
/*!< No TLS */
TLS_PROFILE_NONE,
/*!< Opportunistic Privacy Profile. */
TLS_PROFILE_OPPORTUNISTIC,
/*!< Out-of-Band Key-Pinned Privacy Profile. */
TLS_PROFILE_OOB_PINNED,
} tls_profile_t;
/*! \brief Text output settings. */
typedef struct {
/*!< Output format. */
......
/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#pragma once
#include <stdint.h>
#include <gnutls/gnutls.h>
#include "contrib/ucw/lists.h"
/*! \brief TLS parameters. */
typedef struct {
/*! Use TLS indicator. */
bool enable;
/*! Import system certificates indicator. */
bool system_ca;
/*! Certificate files to import. */
list_t ca_files;
/*! Pinned certificates. */
list_t pins;
/*! Required server hostname. */
char *hostname;
} tls_params_t;
/*! \brief TLS context. */
typedef struct {
/*! TLS handshake timeout. */
int wait;
/*! TLS parameters. */
const tls_params_t *params;
/*! GnuTLS session handle. */
gnutls_session_t session;
/*! GnuTLS credentials handle. */
gnutls_certificate_credentials_t credentials;
} tls_ctx_t;
void tls_params_init(tls_params_t *params);
int tls_params_copy(tls_params_t *dst, const tls_params_t *src);
void tls_params_clean(tls_params_t *params);
int tls_ctx_init(tls_ctx_t *ctx, const tls_params_t *params, int wait);
int tls_ctx_connect(tls_ctx_t *ctx, int sockfd, const char *remote);
int tls_ctx_send(tls_ctx_t *ctx, const uint8_t *buf, const size_t buf_len);
int tls_ctx_receive(tls_ctx_t *ctx, uint8_t *buf, const size_t buf_len);
void tls_ctx_close(tls_ctx_t *ctx);
void tls_ctx_deinit(tls_ctx_t *ctx);
void print_tls(const tls_ctx_t *ctx);
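Review bot: `bool` is used for the `enable` and `system_ca` members but the header includes only stdint.h, gnutls/gnutls.h and contrib/ucw/lists.h; add `#include <stdbool.h>` so tls.h is self-contained instead of relying on whatever each translation unit included earlier. The nine prototypes carry no Doxygen comments, unlike netio.h in the same commit; they should at least state that tls_ctx_init stores the params pointer rather than copying it (the caller keeps it alive for the context's lifetime), that tls_params_clean releases ca_files, pins and hostname, what tls_ctx_connect/tls_ctx_send/tls_ctx_receive return on failure, and whether tls_ctx_close and tls_ctx_deinit are safe on a context whose connect never succeeded. For the pinned-certificate and hostname checks it is also worth documenting on tls_ctx_connect which of the params fields make a mismatch fatal, since that is the security property the new options advertise.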
......@@ -705,7 +705,7 @@ static void process_query(const query_t *query)
for (size_t i = 0; i <= query->retries; i++) {
// Initialize network structure for current server.
ret = net_init(query->local, remote, iptype, socktype,
query->wait, query->tls, query->tls_pin, &net);
query->wait, &query->tls, &net);
if (ret != KNOT_EOK) {
continue;
}
......@@ -987,8 +987,8 @@ static void process_xfr(const query_t *query)
get_sockname(socktype));
// Initialize network structure.
ret = net_init(query->local, remote, iptype, socktype,
query->wait, query->tls, query->tls_pin, &net);
ret = net_init(query->local, remote, iptype, socktype, query->wait,
&query->tls, &net);
if (ret != KNOT_EOK) {
sign_context_deinit(&sign_ctx);
knot_pkt_free(&out_packet);
......@@ -1032,7 +1032,7 @@ int kdig_exec(const kdig_params_t *params)
// Loop over query list.
WALK_LIST(n, params->queries) {
query_t *query = (query_t *)n;
switch (query->operation) {
case OPERATION_QUERY:
process_query(query);
......
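Review bot: The two net_init calls in this file are now wrapped differently: the first keeps `query->wait, &query->tls, &net);` on the continuation line while the second is re-flowed to break after `query->wait,`. The second hunk changes nothing but layout of an otherwise identical call, so keep one form in both places, e.g. `ret = net_init(query->local, remote, iptype, socktype,` / `query->wait, &query->tls, &net);`, which also keeps that hunk to a one-line change.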
......@@ -136,10 +136,8 @@ struct query {
int32_t padding;
/*!< Query alignment with EDNS0 padding (0 ~ uninitialized). */
uint16_t alignment;
/*!< TLS Privacy Profile. */
tls_profile_t tls;
/*!< TLS Privacy Profile PIN. */
char *tls_pin;
/*!< TLS parameters. */
tls_params_t tls;
#if USE_DNSTAP
/*!< Context for dnstap reader input. */
dt_reader_t *dt_reader;
......
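Review bot: `tls_params_t tls;` embeds two list heads and a heap `hostname` into query_t, so any code that duplicates or frees a query (outside this hunk) must now go through tls_params_copy/tls_params_clean; a plain struct assignment would alias the list heads and lead to a double free when both queries are cleaned. This page does not show those call sites, so treat it as a check rather than a confirmed defect. Making the ownership explicit in the field comment, `/*!< TLS parameters (owned; released by tls_params_clean). */`, would help the next maintainer.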
......@@ -434,8 +434,7 @@ static int pkt_sendrecv(knsupdate_params_t *params)
get_iptype(params->ip),
get_socktype(params->protocol, KNOT_RRTYPE_SOA),
params->wait,
TLS_PROFILE_NONE, // TLS
NULL,
NULL,
&net);
if (ret != KNOT_EOK) {
return -1;
......
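Review bot: Passing a bare `NULL` for the new tls_params argument drops the `// TLS` trailing comment the old call carried, so a reader of this seven-argument call can no longer see which feature is being disabled; keep it as `NULL, // TLS parameters (TLS disabled)`. That NULL-disables-TLS contract is not stated on the net_init prototype in netio.h (raised there), so this call currently relies on an undocumented property of tls_ctx_init.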