Willem Toorop
35f2ce37c0
Restore original serve delays
2019-01-23 12:49:22 +01:00
Willem Toorop
c4bd91b196
Merge remote-tracking branch 'jim/feature/abstract-tls' into devel/abstract-tls
2019-01-23 12:46:07 +01:00
Willem Toorop
d71dccaf2c
- Nested getdns_context_runt() prevention
- Fix address query with qname and missing qtype for -I and -F too
- disable tiny delay again
2019-01-23 12:43:20 +01:00
Jim Hague
cdc0d43315
Correct auth state thinko. Spotter credit to Willem.
2019-01-23 11:34:02 +00:00
Willem Toorop
8980f5f5ee
Fix nested scheduling with getdns_query -F and -I
+ add 1 millisecond delay between batched queries, just because...
2019-01-23 11:41:00 +01:00
Willem Toorop
0af9a629f4
Does smaller delay make a difference?
2019-01-23 10:50:57 +01:00
Willem Toorop
ac379787a2
Reassure clang static analyzer that all is OK
2019-01-23 10:29:20 +01:00
Willem Toorop
79fbef07d8
type specifier misplaced by #ifdef unclarity
2019-01-23 10:27:17 +01:00
Jim Hague
814ee2c4cf
Fix more gcc 8 warnings.
As warnings, these cause builds to fail when running the test suite.
2019-01-17 11:23:39 +00:00
Jim Hague
09ca9a826b
Fix gcc 8 warnings.
2019-01-15 17:13:13 +00:00
Jim Hague
9024fd7736
Fix build with INTERCEPT_COM_DS defined.
Decide that layout of handling write results is more readable, and use with read too.
2019-01-15 15:34:33 +00:00
Jim Hague
8609a35e5b
GnuTLS: Add support for TLS 1.3.
2019-01-15 11:31:22 +00:00
Jim Hague
ccd6c3592d
GnuTLS: Can't set priority for SSL3.
2019-01-15 11:30:56 +00:00
Jim Hague
24774fefd6
Remove 'upstream' association with connection, now unused.
2019-01-15 11:01:58 +00:00
Jim Hague
3fe0c94357
Merge branch 'develop' into feature/abstract-tls
2019-01-14 19:09:20 +00:00
Jim Hague
51cb570809
Re-add support for OpenSSL prior to 1.1, but now require at least 1.0.2 and drop LibreSSL support.
2019-01-11 11:16:48 +00:00
Willem Toorop
411c5cf571
Get rid of * if in libgetdns.symbols
2019-01-07 12:08:26 +01:00
Willem Toorop
a4020a6841
mk-symfiles.sh improvement
to filter out #defines as intended.
Thanks Zero King
2019-01-07 11:33:21 +01:00
Willem Toorop
bbe7dff257
No TLS1.3 ciphers in cipher_list only when ...
SSL_set_ciphersuites in OpenSSL API.
2018-12-31 16:13:20 +01:00
Bruno Pagani
1962c03b79
context: remove TLS13 cipher from cipher_list
TLS 1.3 ciphers have to be set in ciphersuites instead.
2018-12-23 11:31:27 +00:00
Willem Toorop
309db67f8b
RFE getdnsapi/stubby#121 log re-instantiating TLS ...
... upstreams (because they reached tls_backoff_time) at log level 4 (WARNING)
2018-12-21 16:30:46 +01:00
Willem Toorop
7c52883341
Remove truncated response from transport test
2018-12-21 12:44:51 +01:00
Willem Toorop
431f86f414
Make tests aware of NODATA == NO_NAME change
2018-12-21 12:10:19 +01:00
Willem Toorop
13e1e36ba3
RESPSTATUS_NO_NAME when no answers found
(so for NODATA answers too)
2018-12-21 11:28:00 +01:00
Willem Toorop
ff1cdce6f8
s/explicitely/explicitly/g
Thanks Andreas Schulze
2018-12-20 15:06:01 +01:00
Jim Hague
65f4fbbc81
Make sure all connection deinits are only called if there is something to deinit.
2018-12-14 15:38:32 +00:00
Jim Hague
c1bf12c8a2
Update default GnuTLS cipher suite priority string to one that gives the same ciphers as the OpenSSL version.
Also fix deinit segfault.
./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"
Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
$ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
2018-12-14 15:24:13 +00:00
Willem Toorop
232f655663
trust_anchor_backoff_time also when appdata dir is not writable
2018-12-14 13:42:43 +01:00
Willem Toorop
990372329c
typo
2018-12-13 15:26:13 +01:00
Willem Toorop
dc6bb0fa52
Something wrong with /etc/hosts?
2018-12-13 15:24:37 +01:00
Willem Toorop
eecc18703a
Issue found with static analysis
2018-12-13 15:24:27 +01:00
Willem Toorop
154f98e321
Update consts
2018-12-13 15:24:19 +01:00
Willem Toorop
93b7cb6a01
ZONEMD rr-type
2018-12-13 14:53:41 +01:00
Jim Hague
a4590bafcb
Implement reading CAs from file or dir.
I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little digging shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
2018-12-13 13:33:54 +00:00
Willem Toorop
41f4940072
Log messages about trust anchor fetching and installing
2018-12-13 14:23:32 +01:00
Jim Hague
e8f34d48fb
Adjust default cipher list so required authentication works with getdnsapi.
The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.
So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
2018-12-13 12:04:01 +00:00
Jim Hague
2759d727e5
Minor speeling fix.
2018-12-13 11:54:41 +00:00
Jim Hague
fa9d8885f0
Fix problems with GnuTLS pinset handling.
Pinset validation now seems to work.
2018-12-13 11:03:31 +00:00
Willem Toorop
91a3a3db36
More specific return codes, more logging
2018-12-12 16:12:07 +01:00
Jim Hague
45be26642b
Fix dane query handling and verify error reporting.
Verify error is flags, not values. And deiniting a dane_query that is
NULL segfaults.
2018-12-12 15:01:07 +00:00
Jim Hague
b51c7384e6
Implement _getdns_decode_base64() for GnuTLS.
Use primitives in libnettle.
2018-12-12 15:00:03 +00:00
Jim Hague
0dec4a6f21
Correct format string, fixing type error in specifier.
I was wondering why the error output did appear.
2018-12-12 14:59:13 +00:00
Jim Hague
35b4969216
Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string().
The only OpenSSL function is decoding Base64.
2018-12-11 18:03:00 +00:00
Jim Hague
aa49a935c7
Fixed error detection in certificate verification.
2018-12-11 17:59:44 +00:00
Jim Hague
ab69a9a7da
Merge branch 'feature/abstract-tls' of https://github.com/banburybill/getdns into feature/abstract-tls
2018-12-11 15:01:44 +00:00
Jim Hague
2c6ec5e0be
Implement setting up pinset for DANE. Verification to come.
2018-12-11 14:59:21 +00:00
Willem Toorop
a6ab7ffe41
ed25519 and ecdsa support with libnettle
2018-12-11 15:05:09 +01:00
Jim Hague
ff7ffc246c
Rename TLS Interface DANE init to pinset init. That's what it's actually used for.
2018-12-11 12:46:05 +00:00
Jim Hague
1acd880f26
Correct error return value from stub.
2018-12-07 17:56:12 +00:00
Jim Hague
fee864c25c
Implement setting cipher/curve lists.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
2018-12-07 16:55:17 +00:00