systemd/0071-backport-CVE-2018-21029-resolved-check-for-IP-in-certificate-when-using-DoT-.patch

From 7f2f4faced3fda47e6b76ab73cde747cc20cf8b8 Mon Sep 17 00:00:00 2001
From: Iwan Timmer <irtimmer@gmail.com>
Date: Tue, 29 Oct 2019 20:32:18 +0100
Subject: [PATCH] resolved: check for IP in certificate when using DoT with
 GnuTLS

Validate the IP address in the certificate for DNS-over-TLS in strict mode when GnuTLS is used. As this is not yet the case in contrast to the documentation.
---
 src/resolve/resolved-dnstls-gnutls.c | 13 +++++++++++--
 src/resolve/resolved-dnstls-gnutls.h |  1 +
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index ea276d2c20..9e5e60fcce 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -55,8 +55,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
                 server->dnstls_data.session_data.size = 0;
         }
 
-        if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
-                gnutls_session_set_verify_cert(gs, NULL, 0);
+        if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+                stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+                if (server->family == AF_INET) {
+                        stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+                        stream->dnstls_data.validation.size = 4;
+                } else {
+                        stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+                        stream->dnstls_data.validation.size = 16;
+                }
+                gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+        }
 
         gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
 
diff --git a/src/resolve/resolved-dnstls-gnutls.h b/src/resolve/resolved-dnstls-gnutls.h
index af52f04fdf..d4da2017c3 100644
--- a/src/resolve/resolved-dnstls-gnutls.h
+++ b/src/resolve/resolved-dnstls-gnutls.h
@@ -18,6 +18,7 @@ struct DnsTlsServerData {
 
 struct DnsTlsStreamData {
         gnutls_session_t session;
+        gnutls_typed_vdata_st validation;
         int handshake;
         bool shutdown;
 };
-- 
2.26.2