interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
1,651 Commits 58 Branches 69 Tags 14 MiB
Commit Graph

1651 Commits

Author SHA1 Message Date
Willem Toorop 2fa7fbefa4 Update spec to December 2015 version 2015-12-24 15:47:55 +01:00
Willem Toorop 3e2464af6d Changes that came out of portability tests 2015-12-24 15:28:12 +01:00
Willem Toorop a09a051ed5 New code, new dependencies... 2015-12-24 15:01:45 +01:00
Willem Toorop a2bdfb2f22 Merge branch 'features/windows-support' into develop 2015-12-24 14:44:18 +01:00
Willem Toorop 9d3905459e Miscellaneous fixes to compile on windows 
Also without warnings.
 2015-12-24 14:41:50 +01:00
saradickinson b777552f34 Merge pull request #131 from saradickinson/feature/pubkey-pinning 
Feature/pubkey pinning
 2015-12-24 10:13:53 +00:00
Willem Toorop caba5f19d5 Merge branch 'develop' into features/windows-support 2015-12-24 11:01:26 +01:00
Sara Dickinson f94798b237 Final mixups 2015-12-24 10:00:15 +00:00
Willem Toorop 05efbd79de Merge branch 'features/dns_root_servers' into develop 2015-12-24 10:51:50 +01:00
Willem Toorop 8bde787703 Use mkstemp instead of tmpnam to eliminate warning 2015-12-24 10:50:58 +01:00
Willem Toorop 71b2a44945 Remove root_servers comment leftovers 2015-12-23 21:19:52 +01:00
Sara Dickinson 3afba25dad Update test case and changeling 2015-12-23 18:00:44 +00:00
Sara Dickinson a5027981d9 Change how the aliasing is done so the tpkg tests will pass 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor 2a50f4d2ac Set tls_auth_failed when any present authentication mechanism fails 
We used to only have hostnames available.  now we have pubkey_pinsets
available as well.

We want upstream->tls_auth_failed to be 1 when any authentication
mechanism we've been asked for fails (and also when we haven't been
given any authentication mechanism at all).
 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor 57a04f61db Allow AUTHENTICATION_REQUIRED w/o hostname when pubkey pinset is available 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor 77802808ce rename GETDNS_AUTHENTICATION_HOSTNAME with GETDNS_AUTHENTICATION_REQUIRED 2015-12-23 18:00:43 +00:00
Sara Dickinson 792ecd65b8 Add missing constant to const-info.c 2015-12-23 18:00:43 +00:00
Sara Dickinson 2ce806c05b Tinker with debug statements/comments. 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor a9eb9ccca9 Check that the pinset matches if it is configured 
if the upstream is configured to allow fallback, this will not be a
fatal error, but it will still be checked.

Future work:

 * verify any certs higher in the chain than the end-entity cert
 * deal with raw public keys
 * in the fallback case, report to the user whether the pinset match failed
 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor d09675539e Provide access to the pinsets during the TLS verification callback 
We do this by associating a getdns_upstream object with the SSL object
handled by that upstream.

This allows us to collapse the verification callback code to a single
function.

Note that if we've agreed that fallback is ok, we are now willing to
accept *any* cert verification error, not just HOSTNAME_MISMATCH.
This is fine, because the alternative is falling back to cleartext,
which would be worse.

We also always set SSL_VERIFY_PEER, since we might as well try to do
so; we'll drop the verification error ourselves if we know we're OK
with falling back.
 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor 614d317fd8 getdns_query: add -K option to attach pinsets to getdns_contexts. 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor 0d2256df09 set and return the pubkey_pinsets on the upstream resolvers 2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor b305f073fe add functions to translate between getdns_list and sha256_pin linked list 2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor 4dbe1813e4 added simple sha256 public key pinning linked list to getdns_upstream 2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor 5e64f1262b add getdns_pubkey_pinset_sanity_check() 2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor 91f04ecd5e add getdns_pubkey_pin_create_from_string() 2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor 4047bd09da define _DEFAULT_SOURCE as well as _BSD_SOURCE for glibc version 2.20 and up 
in recent versions of feature_test_macros(7), it says of _BSD_SOURCE:

    Since glibc 2.20, this macro is deprecated.  It now has the same
    effect as defining _DEFAULT_SOURCE, but generates a compile-time
    warning   (unless   _DEFAULT_SOURCE   is   also  defined).   Use
    _DEFAULT_SOURCE  instead.    To   allow   code   that   requires
    _BSD_SOURCE  in  glibc  2.19  and earlier and _DEFAULT_SOURCE in
    glibc 2.20 and later to compile without  warnings,  define  both
    _BSD_SOURCE and _DEFAULT_SOURCE.
 2015-12-23 17:57:49 +00:00
Willem Toorop ce1185166c Merge branch 'features/dns_root_servers' into develop 2015-12-23 17:41:40 +01:00
Willem Toorop 29b033c14c off-by-one bugfixes 2015-12-23 17:38:36 +01:00
Willem Toorop fbae577a54 Setting of root servers 
test with

	getdns_query -f yeti.key -R yeti.hints nlnetlabs.nl A +dnssec_return_status

where yeti.key comes from:

	https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/named.cache

and yeti.hints from:

	https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/KSK.pub
 2015-12-23 17:15:45 +01:00
Willem Toorop 746c26dafc Update Makefile dependencies 2015-12-23 12:26:39 +01:00
Willem Toorop 8ebb047693 Merge branch 'features/conversion_functions' into develop 2015-12-23 12:13:44 +01:00
Willem Toorop f9c2f96996 Fixes for miscelanous little zone parse errors 
Hopefully the tpkg test is more deterministic now too...
 2015-12-23 12:06:09 +01:00
Willem Toorop 11cd892662 Clean boundries on wireformat scans 2015-12-22 19:14:18 +01:00
Willem Toorop e4fa06a57b getdns_fp2rr_list conversion function 
+ private conversion functions that respect custom memory handlers
+ converage of more different example functions in 260-conversion-functions test package
 2015-12-22 18:37:24 +01:00
Willem Toorop 0cb513e9b7 Doc of (|_buf|_scan) style conversion funcs 
+ (|_buf|_scan) versions of most of the conversion directions.
+ mk-const-info handles new return_t's defines
 2015-12-22 16:04:43 +01:00
Willem Toorop 6519a05780 all debug config option for broadest src coverage 
With the 300 tpkg test
 2015-12-22 11:43:06 +01:00
Willem Toorop fe7a1e89e3 Constify new work 2015-12-22 11:32:15 +01:00
Willem Toorop 5bbcbb97a1 Merge branch 'develop' into features/conversion_functions 2015-12-22 11:28:27 +01:00
Willem Toorop 0a809cb7d8 Allow truncated answers to be returned 2015-12-22 10:56:20 +01:00
Willem Toorop ee2a1fbfe6 Merge branch 'features/tsig' into develop 2015-12-22 01:08:25 +01:00
Willem Toorop 8a8a017fc5 Validate received TSIG reply 2015-12-22 01:03:31 +01:00
Willem Toorop 6c1e00fc3f Send TSIG 2015-12-21 22:11:16 +01:00
wtoorop 8eeb3a6650 Merge pull request #129 from saradickinson/feature/edns-tcp-keepalive 
Implement client side edns-tcp-keepalive

Great work!  Thanks!
 2015-12-21 20:20:27 +01:00
Sara Dickinson f55721d261 Update unit test. Since 0 is the default, it can be set via the function. 2015-12-21 17:36:59 +00:00
Sara Dickinson 746a827baa Implement client side edns-tcp-keepalive 2015-12-21 17:05:56 +00:00
wtoorop eb6c6e3f67 Merge pull request #128 from saradickinson/feature/STARTTLS_removal2 
Feature/starttls removal2

Excellent!  Thanks!
 2015-12-21 16:38:10 +01:00
Willem Toorop 98dc4018c3 Setting & getting of tsig info per upstream 2015-12-21 12:22:59 +01:00
Sara Dickinson 91a73ab3d0 cleanup 2015-12-18 16:22:09 +00:00
Sara Dickinson 4165e874de Fix tests 2015-12-18 16:14:54 +00:00