Sara Dickinson
a5a1256adc
Update Stubby to always send the `dot` ALPN when using DoT
2022-06-07 10:27:39 +01:00
Willem Toorop
01715688d7
Sync crypto funcs from Unbound
2022-02-04 16:32:54 +01:00
Willem Toorop
2a0114591a
Resolve compile warnings
Thanks Andreas!
2021-06-03 20:45:55 +02:00
Willem Toorop
ae090a29b1
Merge pull request #482 from neheb/patch-1
val_secalgo: add missing DSA header
2021-05-26 15:48:10 +02:00
Rosen Penev
80cdfb3bd0
fix compilation without deprecated OpenSSL APIs
Several cmake header checks were missing and added.
Added rsa.h include.
Remove ENGINE_load_dynamic. ENGINE_load_builtin_engines already does
this.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-08-04 19:54:18 -07:00
Renaud Allard
31031d7c57
Added checks for LibreSSL and OpenBSD
2020-03-24 14:14:39 +01:00
Vladislav Grishenko
4f4ed98112
Fix build error with gnu99 compilers
Typedefs sha256_pin_t & getdns_log_config multiple declaration in context.h,
tls.h and tls_internal.h causes build error with some gnu99 compilers, even
if the redefinition is identical.
One possible way is to protect each occurrence with ifdefs, but it seems too
brute; the other one is to keep typedef in context.h only and use struct types
in recently added tls* scope.
Error example:
../libtool --quiet --tag=CC --mode=compile arm-brcm-linux-uclibcgnueabi-gcc
-std=gnu99 -I. -I. -I./util/auxiliary -I./tls -I./openssl -I./../stubby/src
-Wall -Wextra -D_BSD_SOURCE -D_DEFAULT_SOURCE ... -c ./convert.c -o convert.lo
In file included from ./context.h:53:0,
from ./util-internal.h:42,
from ./convert.c:50:
./tls.h:45:27: error: redefinition of typedef 'sha256_pin_t'
./openssl/tls-internal.h:57:27: note: previous declaration of 'sha256_pin_t' was here
In file included from ./util-internal.h:42:0,
from ./convert.c:50:
./context.h:133:3: error: redefinition of typedef 'sha256_pin_t'
./tls.h:45:27: note: previous declaration of 'sha256_pin_t' was here
./context.h:267:3: error: redefinition of typedef 'getdns_log_config'
./openssl/tls-internal.h:58:34: note: previous declaration of 'getdns_log_config' was here
2019-04-12 01:40:51 +05:00
Willem Toorop
b6e290f42a
Fix compiling for debugging
2019-04-03 11:51:35 +02:00
Willem Toorop
324370c537
GnuTLS with Zero configuration DNSSEC
2019-03-15 16:50:10 +01:00
Willem Toorop
97ac5d3ddc
Merge branch 'develop' of github.com:getdnsapi/getdns into develop
2019-02-04 15:46:46 +01:00
Willem Toorop
0fef131e9b
bugfix #418 duplicate ,'s in Windows build
2019-02-04 15:46:10 +01:00
Willem Toorop
7c1b43b420
Fix sole pinset validation with ssl_dane library
2019-01-23 14:33:35 +00:00
Jim Hague
24774fefd6
Remove 'upstream' association with connection, now unused.
2019-01-15 11:01:58 +00:00
Jim Hague
3fe0c94357
Merge branch 'develop' into feature/abstract-tls
2019-01-14 19:09:20 +00:00
Jim Hague
51cb570809
Re-add support for OpenSSL prior to 1.1, but now require at least 1.0.2 and drop LibreSSL support.
2019-01-11 11:16:48 +00:00
Jim Hague
35b4969216
Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string().
The only OpenSSL function is decoding Base64.
2018-12-11 18:03:00 +00:00
Jim Hague
ab69a9a7da
Merge branch 'feature/abstract-tls' of https://github.com/banburybill/getdns into feature/abstract-tls
2018-12-11 15:01:44 +00:00
Willem Toorop
a6ab7ffe41
ed25519 and ecdsa support with libnettle
2018-12-11 15:05:09 +01:00
Jim Hague
ff7ffc246c
Rename TLS Interface DANE init to pinset init. That's what it's actually used for.
2018-12-11 12:46:05 +00:00
Jim Hague
fee864c25c
Implement setting cipher/curve lists.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
2018-12-07 16:55:17 +00:00
Jim Hague
64f0d6aaa8
Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify().
I managed to mislead myself about what it did, which suggests the name should be clearer.
2018-12-07 11:09:20 +00:00
Jim Hague
72d9b91a2e
Extract non-OpenSSL specific code from pubkey-pinning.c, and move it back to common source.
OpenSSL-specific items are in pubkey-pinning-internal.c.
2018-12-06 14:09:30 +00:00
Jim Hague
e73ab48687
Extract non-OpenSSL specific code from anchor.c, and move it back to common source.
OpenSSL-specific items are in anchor-internal.c.
2018-12-06 14:07:32 +00:00
Jim Hague
c6dffa1239
Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.
GnuTLS uses Nettle itself, so this is not adding a new dependency.
2018-12-06 10:41:58 +00:00
Jim Hague
e60d852637
Common OpenSSL digester selection.
2018-11-27 16:55:33 +00:00
Jim Hague
c101a7a021
Abstract context DANE initialisation.
2018-11-27 15:41:23 +00:00
Jim Hague
26bcddd029
Abstract cookie SHA256 calculation.
2018-11-27 15:31:33 +00:00
Jim Hague
af962228fc
Abstract maximum digest length.
2018-11-27 15:31:05 +00:00
Jim Hague
0cdede21df
Abstract SHA1 calculation.
2018-11-27 15:29:48 +00:00
Jim Hague
5e390a4b23
Revise all TLS interfaces to pass in GetDNS memory functions where necessary.
This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c.
2018-11-27 14:41:46 +00:00
Jim Hague
bc3106af94
Abstract out HMAC functions in request-internal.c.
2018-11-27 11:49:12 +00:00
Jim Hague
2267863a53
Attempt to improve the preprocessor horror that is util/val_secalgo.h.
Convert the main util/val_secalgo.h to a plain interface. Move the preprocessor redefines into validator/val_secalgo.h, and move THAT under openssl, because it is OpenSSL implementation specific at present - you can compile with NSS and Nettle if config allows.
2018-11-23 16:28:55 +00:00
Jim Hague
05f9d30e89
Move anchor.c to under openssl.
2018-11-20 16:57:48 +00:00
Jim Hague
f3e0f2b9e6
Split OpenSSL specific bits of keyraw.hc into keyraw-internal.hc.
All usage is internal to val_secalgo.c, which is already in openssl.
2018-11-20 16:51:17 +00:00
Jim Hague
da94b52f74
Move val_secalgo.c to openssl.
It contains ports other than OpenSSL (NSS and NETTLE), but we're not worrying about those for our purposes at present.
2018-11-20 16:21:06 +00:00
Jim Hague
4eb845bc58
Move internal-only functions from public pubkey-pinning interface.
The interface now only exposes functions used by the main getdns code.
2018-11-20 15:55:34 +00:00
Jim Hague
ff9cde2087
Remove SSL type from pubkey-pinning interface.
2018-11-20 15:49:26 +00:00
Jim Hague
1b0a09a23f
Wrap hostname/certificate verification.
This removes the last OpenSSL items from stub.c.
2018-11-20 14:53:31 +00:00
Jim Hague
fb73bcb77e
Correct return value error from _getdns_tls_connection_(read|write)().
2018-11-20 12:43:17 +00:00
Jim Hague
2e8c48544b
Move pubkey-pinning implementation under openssl/.
2018-11-19 13:55:02 +00:00
Jim Hague
aba0e2fb4c
Move non-TLS-library specific parts of tls.h to ~/src/tls.h and have it include lib-specific tls-internal.h.
Update dependencies.
2018-11-19 09:49:54 +00:00
Jim Hague
5d353d9efb
To aid proof-of-concept work, insist on OpenSSL 1.1.1 or later.
Remove ssl_dane as now surplus to requirements.
2018-11-16 17:58:29 +00:00
Jim Hague
0fd6fd4c5c
Replace (one instance of) SSL_get_peer_certificate().
2018-11-16 17:09:26 +00:00
Jim Hague
4b8c9d1bd7
Replace SSL_get_version().
2018-11-15 17:53:37 +00:00
Jim Hague
09019bee75
Replace SSL_write().
2018-11-15 17:53:29 +00:00
Jim Hague
e7453522d5
Replace SSL_read().
2018-11-15 17:51:52 +00:00
Jim Hague
e22c01e212
tls_do_handshake: move handshake and check for new session into abstraction layer.
2018-11-15 14:28:04 +00:00
Jim Hague
ffd1136e94
tls_create_object(): Move setting client state and auto-retry into connection_new and add setting connection session.
2018-11-15 13:23:00 +00:00
Jim Hague
d9fdd4c10d
Abstracting TLS; let's start with context only.
Change data types in context.h and fix up context.c. Do minimal fixups to stub.c.
2018-11-15 11:01:13 +00:00