Update readme
@@ -624,20 +624,20 @@ int dns_client_spki_decode(const char *spki, unsigned char *spki_data_out)
|
||||
return spki_data_len;
|
||||
}
|
||||
|
||||
static char *_dns_client_server_get_tls_host_check(struct dns_server_info *server_info)
|
||||
static char *_dns_client_server_get_tls_host_verify(struct dns_server_info *server_info)
|
||||
{
|
||||
char *tls_host_check = NULL;
|
||||
char *tls_host_verify = NULL;
|
||||
|
||||
switch (server_info->type) {
|
||||
case DNS_SERVER_UDP: {
|
||||
} break;
|
||||
case DNS_SERVER_HTTPS: {
|
||||
struct client_dns_server_flag_https *flag_https = &server_info->flags.https;
|
||||
tls_host_check = flag_https->tls_host_check;
|
||||
tls_host_verify = flag_https->tls_host_verify;
|
||||
} break;
|
||||
case DNS_SERVER_TLS: {
|
||||
struct client_dns_server_flag_tls *flag_tls = &server_info->flags.tls;
|
||||
tls_host_check = flag_tls->tls_host_check;
|
||||
tls_host_verify = flag_tls->tls_host_verify;
|
||||
} break;
|
||||
case DNS_SERVER_TCP:
|
||||
break;
|
||||
@@ -646,13 +646,13 @@ static char *_dns_client_server_get_tls_host_check(struct dns_server_info *serve
|
||||
break;
|
||||
}
|
||||
|
||||
if (tls_host_check) {
|
||||
if (tls_host_check[0] == '\0') {
|
||||
if (tls_host_verify) {
|
||||
if (tls_host_verify[0] == '\0') {
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
return tls_host_check;
|
||||
return tls_host_verify;
|
||||
}
|
||||
|
||||
static char *_dns_client_server_get_spki(struct dns_server_info *server_info, int *spki_len)
|
||||
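Review bot: The nested `if (tls_host_verify) { if (tls_host_verify[0] == '\0') { return NULL; } }` followed by `return tls_host_verify;` yields NULL in both the unset and the empty-string case, so a single guard reads more directly: `if (tls_host_verify == NULL || tls_host_verify[0] == '\0') { return NULL; }`. The function also has no header comment; its switch (in the previous hunk) sets the pointer only for DNS_SERVER_HTTPS and DNS_SERVER_TLS, so a one-liner above the definition such as `/* Return the configured tls-host-verify name of a TLS/HTTPS server, or NULL when the server type has none or the name is empty. */` would make that contract explicit. The function's definition starts in the previous hunk.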
@@ -691,7 +691,6 @@ static int _dns_client_server_add(char *server_ip, char *server_host, int port,
|
||||
{
|
||||
struct dns_server_info *server_info = NULL;
|
||||
struct addrinfo *gai = NULL;
|
||||
unsigned char *spki_data = NULL;
|
||||
int spki_data_len = 0;
|
||||
int ttl = 0;
|
||||
char port_s[8];
|
||||
@@ -825,10 +824,6 @@ static int _dns_client_server_add(char *server_ip, char *server_host, int port,
|
||||
|
||||
return 0;
|
||||
errout:
|
||||
if (spki_data) {
|
||||
free(spki_data);
|
||||
}
|
||||
|
||||
if (server_info) {
|
||||
if (server_info->ssl_ctx) {
|
||||
SSL_CTX_free(server_info->ssl_ctx);
|
||||
@@ -1948,7 +1943,7 @@ static int _dns_client_tls_verify(struct dns_server_info *server_info)
|
||||
unsigned char *key_sha256 = NULL;
|
||||
char *spki = NULL;
|
||||
int spki_len = 0;
|
||||
char *tls_host_check = NULL;
|
||||
char *tls_host_verify = NULL;
|
||||
|
||||
cert = SSL_get_peer_certificate(server_info->ssl);
|
||||
if (cert == NULL) {
|
||||
@@ -1960,10 +1955,10 @@ static int _dns_client_tls_verify(struct dns_server_info *server_info)
|
||||
tlog(TLOG_DEBUG, "peer CN: %s", peer_CN);
|
||||
|
||||
/* check tls host */
|
||||
tls_host_check = _dns_client_server_get_tls_host_check(server_info);
|
||||
if (tls_host_check) {
|
||||
if (_dns_client_tls_matchName(peer_CN, tls_host_check, strnlen(tls_host_check, DNS_MAX_CNAME_LEN)) != 0) {
|
||||
tlog(TLOG_INFO, "server %s CN is invalid, peer CN: %s, expect CN: %s", server_info->ip, peer_CN, tls_host_check);
|
||||
tls_host_verify = _dns_client_server_get_tls_host_verify(server_info);
|
||||
if (tls_host_verify) {
|
||||
if (_dns_client_tls_matchName(peer_CN, tls_host_verify, strnlen(tls_host_verify, DNS_MAX_CNAME_LEN)) != 0) {
|
||||
tlog(TLOG_INFO, "server %s CN is invalid, peer CN: %s, expect CN: %s", server_info->ip, peer_CN, tls_host_verify);
|
||||
goto errout;
|
||||
}
|
||||
}
|
||||
|
||||
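Review bot: The CN comparison on the new `tls_host_verify` lines runs only when `_dns_client_server_get_tls_host_verify` returns a non-NULL name, so a server entry without `tls-host-verify` gets its peer CN logged but never compared against anything, and nothing in the hunk records that the check was skipped. Adding `tlog(TLOG_DEBUG, "server %s: tls-host-verify not set, skipping CN check", server_info->ip);` in an `else` branch of `if (tls_host_verify)` would let an operator notice an entry that was meant to be bound to a hostname. The match is made against `peer_CN` only; whether subjectAltName entries are consulted elsewhere is not visible here, so if CN-only matching is intentional the `/* check tls host */` comment could state it, e.g. `/* optional hostname check: compare the peer CN against tls-host-verify when configured */`. `_dns_client_tls_verify` begins and ends outside this hunk.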
@@ -50,7 +50,7 @@ struct client_dns_server_flag_tls {
|
||||
char spki[DNS_SERVER_SPKI_LEN];
|
||||
int spi_len;
|
||||
char hostname[DNS_MAX_CNAME_LEN];
|
||||
char tls_host_check[DNS_MAX_CNAME_LEN];
|
||||
char tls_host_verify[DNS_MAX_CNAME_LEN];
|
||||
};
|
||||
|
||||
struct client_dns_server_flag_https {
|
||||
@@ -59,7 +59,7 @@ struct client_dns_server_flag_https {
|
||||
char hostname[DNS_MAX_CNAME_LEN];
|
||||
char httphost[DNS_MAX_CNAME_LEN];
|
||||
char path[DNS_MAX_CNAME_LEN];
|
||||
char tls_host_check[DNS_MAX_CNAME_LEN];
|
||||
char tls_host_verify[DNS_MAX_CNAME_LEN];
|
||||
};
|
||||
|
||||
struct client_dns_server_flags {
|
||||
|
||||
@@ -181,7 +181,7 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
|
||||
{"spki-pin", required_argument, NULL, 'p'}, /* check SPKI pin */
|
||||
{"host-name", required_argument, NULL, 'h'}, /* host name */
|
||||
{"http-host", required_argument, NULL, 'H'}, /* http host */
|
||||
{"tls-host-check", required_argument, NULL, 'V' }, /* check tls hostname */
|
||||
{"tls-host-verify", required_argument, NULL, 'V' }, /* verify tls hostname */
|
||||
{"group", required_argument, NULL, 'g'}, /* add to group */
|
||||
{"exclude-default-group", no_argument, NULL, 'E'}, /* ecluse this from default group */
|
||||
{NULL, no_argument, NULL, 0}
|
||||
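Review bot: The long-option table now accepts only `tls-host-verify`, so an existing configuration that still uses `tls-host-check` will take getopt_long's unrecognized-option path instead of being applied; how `_config_server` reacts to that is outside the hunk, but in either case the hostname check for that server is presumably no longer configured. Since both spellings would map to the same `'V'` handler, which copies into `tls_host_verify`, the old name can remain as a compatibility alias on the line before the new entry: `{"tls-host-check", required_argument, NULL, 'V'}, /* deprecated alias of tls-host-verify */`. As a style point, the new row's `'V' }` spacing differs from every other row's `'h'}` form.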
@@ -202,7 +202,7 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
|
||||
server->path[0] = '\0';
|
||||
server->hostname[0] = '\0';
|
||||
server->httphost[0] = '\0';
|
||||
server->tls_host_check[0] = '\0';
|
||||
server->tls_host_verify[0] = '\0';
|
||||
|
||||
ip = argv[1];
|
||||
|
||||
@@ -272,7 +272,7 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
|
||||
break;
|
||||
}
|
||||
case 'V': {
|
||||
safe_strncpy(server->tls_host_check, optarg, DNS_MAX_CNAME_LEN);
|
||||
safe_strncpy(server->tls_host_verify, optarg, DNS_MAX_CNAME_LEN);
|
||||
break;
|
||||
}
|
||||
default:
|
||||
|
||||
@@ -128,7 +128,7 @@ struct dns_servers {
|
||||
char spki[DNS_MAX_SPKI_LEN];
|
||||
char hostname[DNS_MAX_CNAME_LEN];
|
||||
char httphost[DNS_MAX_CNAME_LEN];
|
||||
char tls_host_check[DNS_MAX_CNAME_LEN];
|
||||
char tls_host_verify[DNS_MAX_CNAME_LEN];
|
||||
char path[DNS_MAX_URL_LEN];
|
||||
};
|
||||
|
||||
|
||||
@@ -157,13 +157,13 @@ static int _smartdns_add_servers(void)
|
||||
safe_strncpy(flag_http->hostname, dns_conf_servers[i].hostname, sizeof(flag_http->hostname));
|
||||
safe_strncpy(flag_http->path, dns_conf_servers[i].path, sizeof(flag_http->path));
|
||||
safe_strncpy(flag_http->httphost, dns_conf_servers[i].httphost, sizeof(flag_http->httphost));
|
||||
safe_strncpy(flag_http->tls_host_check, dns_conf_servers[i].tls_host_check, sizeof(flag_http->tls_host_check));
|
||||
safe_strncpy(flag_http->tls_host_verify, dns_conf_servers[i].tls_host_verify, sizeof(flag_http->tls_host_verify));
|
||||
} break;
|
||||
case DNS_SERVER_TLS: {
|
||||
struct client_dns_server_flag_tls *flag_tls = &flags.tls;
|
||||
flag_tls->spi_len = dns_client_spki_decode(dns_conf_servers[i].spki, (unsigned char *)flag_tls->spki);
|
||||
safe_strncpy(flag_tls->hostname, dns_conf_servers[i].hostname, sizeof(flag_tls->hostname));
|
||||
safe_strncpy(flag_tls->tls_host_check, dns_conf_servers[i].tls_host_check, sizeof(flag_tls->tls_host_check));
|
||||
safe_strncpy(flag_tls->tls_host_verify, dns_conf_servers[i].tls_host_verify, sizeof(flag_tls->tls_host_verify));
|
||||
} break;
|
||||
case DNS_SERVER_TCP:
|
||||
break;
|
||||
|
||||