Commit Graph

260 Commits

Author SHA1 Message Date
Willem Toorop 7bf953b2bd Merge branch 'huitema-develop' into develop 2017-01-18 12:00:33 +01:00
Christian Huitema f1b8b25afa Implementation of basic MDNS support 2016-12-22 15:51:47 -08:00
Willem Toorop 80219a4195 Merge branch 'bugfix/replace__FUNCTION__' into bugfix/1.1.0-alpha3/replace__FUNCTION__ 2016-12-12 14:20:31 +01:00
Willem Toorop 5f6b93f7f2 Use __func__ var when supported
And let debugging messages compile with -Wpedantic -Werror too
2016-12-12 13:55:10 +01:00
Sara Dickinson 83a0b944b5 Fix another stupid error.... 2016-12-11 17:10:44 +00:00
Sara Dickinson cfc7d18c85 Ug. Fix stupid mistake with string array. 2016-12-11 16:57:52 +00:00
Sara Dickinson ef12b0e764 Fix some compiler warnings on OS X 2016-12-09 17:15:28 +00:00
Sara Dickinson 7b58dc25a6 - Fix bug where a self signed cert + only a pinset would not authenticate
- Add OARC servers with pinset only to stubby.conf
- Move Authentication strings to types_internal for use in call_debugging
- Add connection counts to call_debugging
-
2016-12-09 17:03:41 +00:00
Willem Toorop 37cced78fc Merge branch 'develop' into release/1.1.0-alpha3 2016-12-09 13:27:55 +01:00
Willem Toorop 5cc67ff554 Merge branch 'develop' into merge-develops 2016-12-09 12:05:42 +01:00
Willem Toorop 6e9b1b5f53 One more unused when no TCP_FASTOPEN 2016-12-08 23:25:53 +01:00
Willem Toorop f31b2fa233 Merge branch 'develop' into release/1.1.0-alpha3 2016-12-08 15:06:25 +01:00
Willem Toorop 473da8966b Library fixed for CFLAGS=-Wextra 2016-12-08 14:05:58 +01:00
Christian Huitema 50b064a292 Fixing potential clipping of idle_timeout value in call to upstream_reschedule_events 2016-12-07 15:40:24 -08:00
Sara Dickinson 691d32cf80 Improve README entry on stubby. Add a link to dnsprivacy.org (Willem - is this set up yet?)
Add sample Strict config file into the source with a pointer from the README. Not sure about installing this yet as opportunistic seems a better default...?
2016-12-06 15:59:40 +00:00
Sara Dickinson 471e8725e2 Change the default profile for Stubby to use TLS then UDP/TCP
- this will only try over TLS a few times before backing off to clear text
  - but makes the default  for Stubby opportunistic privacy (Willem - WDYT?)
Also use padding and ECS privacy by default for Stubby.
More debugging to help users when there are failures or fallbacks.
Also remove a few help options from Stubby that don't apply
Add -v to output version on getdns_query/stubby
2016-12-06 14:44:40 +00:00
Christian Huitema dee33f53b6 Reminder of changes required by the Windows port. This solves the issues 228, 229, 230 and 232. 2016-12-05 11:38:59 -08:00
Sara Dickinson 576e38977f More logging changes to stubby to correctly report profile, transport and stats for TCP and UDP when used as fallbacks.
Reporting UDP stats every 100 responses or timeouts to give user some indication UDP is being used.
2016-12-05 18:05:04 +00:00
Sara Dickinson b0e5f87984 Minor logging updates 2016-11-13 13:14:03 +09:00
Sara Dickinson 1593129b85 Fix mishandling of auth state for name mismatch 2016-11-09 16:41:40 +00:00
Sara Dickinson a0ae9130cc Fix issue with session re-use making authentication appear to fail 2016-10-21 14:18:24 +01:00
Sara Dickinson f156f2f24a Had to change some preprocessor checks to get all the options to compile 2016-08-08 17:07:46 +01:00
Sara Dickinson 6f9bfffe9f Catch another error path for failed connections 2016-08-08 16:12:33 +01:00
Sara Dickinson fdbefa17ec Add timer for back off on upstream (use 1 hr). Reset as new upstream when re-instated. 2016-08-05 17:25:27 +01:00
Sara Dickinson a1461d51ec Add abbreviated logging mode for daemon 2016-08-05 14:10:55 +01:00
Sara Dickinson 0432fe37c4 Tinker with upstream keepalive 2016-08-04 16:10:23 +01:00
Willem Toorop 470fb7a5fb !0 is not necessarily 1 2016-07-14 11:42:21 +02:00
Willem Toorop fed4818c27 Fix idle_timeout without keepalive for TLS 2016-07-14 11:03:33 +02:00
Sara Dickinson 6c73144b50 Minor logging updates 2016-07-13 17:39:26 +01:00
Sara Dickinson 105d7acfa9 Just re-read RFC7858 and realised that TLS does support idle connections without keepalive. It is just TCP that doesn't. 2016-07-04 17:02:18 +01:00
Sara Dickinson 5e1575dabc Correct the logic for upstream back off 2016-07-04 17:02:18 +01:00
Sara Dickinson 8fa84c836a Initial re-work of stateful transport selection and timeout/error handling. Also update transport test to avoid timeout. 2016-07-04 17:02:14 +01:00
wtoorop a435932b04 Features/call reporting timeout (#1)
* Timed out and canceled netreqs are finished too

* Minor code duplication elemination

* Blah typo

* Embarrassing logic error
2016-06-23 14:02:55 +02:00
Robert Groenenberg 60c6c8d8ca Fixed build 2016-06-21 13:19:11 +02:00
Robert Groenenberg 3634fff4dd Return call_reporting info in case of timeout, so that we can see
which server did not respond.
2016-06-20 18:39:15 +02:00
Sara Dickinson c0187a19ea Quick fix for TLS timeouts not re-using a connection. Better solution is needed.
Also minor fixes in getdns_query:
 - spurious semicolon (caused build warning)
 - build warning for initialised variable
 - have getdns_query honour the CLASS in the incoming query
2016-06-15 17:15:13 +01:00
Willem Toorop 490aac1b48 Merge branch 'develop' into features/getdns_service 2016-06-08 10:21:29 +02:00
Willem Toorop cf675a9284 Add srv_addresses when query was for SRV
Moved _getdns_rrset iterators to rr-iter.[ch] in the process
2016-06-07 16:52:10 +02:00
Willem Toorop e01211d6b4 Debug setting that keeps connections open 2016-05-25 15:57:37 +02:00
Sara Dickinson 5f225d6be3 Add TLS session resumption 2016-05-16 17:41:55 +01:00
Willem Toorop 516f211843 Fire idle timeouts immediately with sync requests 2016-04-13 12:06:51 +02:00
Willem Toorop 57954ad41e Small bugfix in checking complete requests async 2016-04-11 15:33:08 +02:00
Willem Toorop da577a463d set upstream loop to the sync loop for sync reqs
And reset to the async loop when sync request was finished, rescheduling the upstream->event.
Note that finished_event is scheduled against the async loop always.
2016-04-11 14:49:44 +02:00
Willem Toorop e4b0d08fad Minor bugfix for use with openssl 1.1.0 2016-04-05 13:15:59 -03:00
Willem Toorop b0ecda5d2e No more side effects with synchronous calls
(and upstreams that keep connections open)
2016-03-23 22:13:31 +01:00
Willem Toorop e934c100a2 Merge branch 'develop' into devel/codebase-maintenance 2016-03-22 13:22:13 +01:00
Willem Toorop e4e3dde61f Don't breakup the sync vs async schedule
to accentuate changes.
2016-03-18 13:30:49 +01:00
Sara Dickinson c1f15fc0ac Minor tweaks 2016-03-18 12:02:40 +00:00
Sara Dickinson c08371ebb0 First pass at updating DEBUG_STUB output 2016-03-18 11:34:51 +00:00
Willem Toorop ab742b34b6 Miscelaneous scheduling fixes and improvements 2016-03-17 16:49:05 +01:00
Willem Toorop 0c0868517c Remove leftover debugging printfs 2016-01-12 16:57:17 +01:00
Willem Toorop fed8cc51ed Initial TCP support for Windows 2016-01-12 16:54:42 +01:00
Willem Toorop 4fd8d3dddd Replace mini_event extension by default_eventloop
* default_eventloop was prototyped in getdns_query and is still in there as my_eventloop
  * It interfaces directly with the scheduling primitives of getdns.
  * It can operate entirely from stack and does not have to do
    any memory allocations or deallocations.

* Adapted configure.ac to allow libunbound to be linked with Windows
  (with the removal of winsock_event.c we have no symbol clashed anymore)

* Added STUB_TCP_WOULDBLOCK return code in stub_resolving helper functions,
  to anticipate dealing with edge triggered event loops (versus level triggered). (i.e. Windows)
2016-01-12 15:52:14 +01:00
Willem Toorop 6b2d9a2d70 Unused var compile warning in certain conditions 2015-12-31 11:26:29 +01:00
Willem Toorop a2bdfb2f22 Merge branch 'features/windows-support' into develop 2015-12-24 14:44:18 +01:00
Willem Toorop 9d3905459e Miscellaneous fixes to compile on windows
Also without warnings.
2015-12-24 14:41:50 +01:00
Willem Toorop caba5f19d5 Merge branch 'develop' into features/windows-support 2015-12-24 11:01:26 +01:00
Daniel Kahn Gillmor 2a50f4d2ac Set tls_auth_failed when any present authentication mechanism fails
We used to only have hostnames available.  now we have pubkey_pinsets
available as well.

We want upstream->tls_auth_failed to be 1 when any authentication
mechanism we've been asked for fails (and also when we haven't been
given any authentication mechanism at all).
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor 57a04f61db Allow AUTHENTICATION_REQUIRED w/o hostname when pubkey pinset is available 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor 77802808ce rename GETDNS_AUTHENTICATION_HOSTNAME with GETDNS_AUTHENTICATION_REQUIRED 2015-12-23 18:00:43 +00:00
Sara Dickinson 2ce806c05b Tinker with debug statements/comments. 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor a9eb9ccca9 Check that the pinset matches if it is configured
if the upstream is configured to allow fallback, this will not be a
fatal error, but it will still be checked.

Future work:

 * verify any certs higher in the chain than the end-entity cert
 * deal with raw public keys
 * in the fallback case, report to the user whether the pinset match failed
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor d09675539e Provide access to the pinsets during the TLS verification callback
We do this by associating a getdns_upstream object with the SSL object
handled by that upstream.

This allows us to collapse the verification callback code to a single
function.

Note that if we've agreed that fallback is ok, we are now willing to
accept *any* cert verification error, not just HOSTNAME_MISMATCH.
This is fine, because the alternative is falling back to cleartext,
which would be worse.

We also always set SSL_VERIFY_PEER, since we might as well try to do
so; we'll drop the verification error ourselves if we know we're OK
with falling back.
2015-12-23 18:00:43 +00:00
Willem Toorop fe7a1e89e3 Constify new work 2015-12-22 11:32:15 +01:00
Willem Toorop 5bbcbb97a1 Merge branch 'develop' into features/conversion_functions 2015-12-22 11:28:27 +01:00
Willem Toorop 0a809cb7d8 Allow truncated answers to be returned 2015-12-22 10:56:20 +01:00
Willem Toorop ee2a1fbfe6 Merge branch 'features/tsig' into develop 2015-12-22 01:08:25 +01:00
Willem Toorop 6c1e00fc3f Send TSIG 2015-12-21 22:11:16 +01:00
Sara Dickinson 746a827baa Implement client side edns-tcp-keepalive 2015-12-21 17:05:56 +00:00
Sara Dickinson 91a73ab3d0 cleanup 2015-12-18 16:22:09 +00:00
Sara Dickinson 4165e874de Fix tests 2015-12-18 16:14:54 +00:00
Sara Dickinson c5b839bda8 remove STARTTLS 2015-12-18 16:14:54 +00:00
Willem Toorop 5663f914fb Mode debug marco's to own header
To reduce dependency location fixes in test directory.
2015-12-18 13:40:52 +01:00
Willem Toorop 5a65d2b693 Look further then you nose Willem! 2015-12-17 15:46:31 +01:00
Willem Toorop b839b97ac2 Oops... reverted syntax/style to agressively 2015-12-17 13:07:39 +01:00
Willem Toorop a2e15a169d Revert syntactic/style changes
So actual changes aren't obfuscated
2015-12-17 12:37:33 +01:00
Willem Toorop 16b62f43eb Merge branch 'develop' into features/conversion_functions 2015-12-16 13:53:25 +01:00
wtoorop 69b54be99c Merge pull request #126 from saradickinson/feature/mac_tfo
Enable TFO by default if possible, add MAC OSX TFO support
Looks good, thanks.
2015-12-16 13:45:14 +01:00
Sara Dickinson 736d9f20bf Enable TCP FastOpen by default and add support for OSX implementation of TFO. 2015-12-13 17:44:31 +00:00
Willem Toorop d67949d1e7 iterators go over const wireformat data 2015-12-07 16:43:41 +01:00
unknown 22a8550caa Bug fix in get_os_defaults, clean up code in winsock_event, add code to handle event handling differences in Winsock2 2015-12-04 16:12:43 -05:00
unknown 2d58ed465c Changes for Windows, Fix configure.ac to take in a winsock option to configure and generafigure, add ifdef's to stub out windows code for other platforms. 2015-11-22 22:38:13 -05:00
Willem Toorop 08bf613cde Prevent segfault with failed TLS handshake?
Need proper review for this patch!  Sara?
2015-11-15 12:46:21 -05:00
Sara Dickinson d75ba83013 Fix bug with call_debugging reporting of UDP and add a getter for tls_authentication 2015-11-13 13:28:43 +00:00
saradickinson 1a72454b88 Remove debug 2015-11-05 14:41:23 +09:00
saradickinson 5f60683f57 Fix seg fault on timeout 2015-11-05 14:41:23 +09:00
Willem Toorop 26566a3b00 Merge branch 'develop' of github.com:getdnsapi/getdns into develop 2015-11-04 23:25:49 +01:00
Willem Toorop 7f4bdc0868 Bumb versions 2015-11-04 23:25:38 +01:00
Willem Toorop 0c3eb08f4d Merge branch 'features/call_debug' into develop 2015-11-04 16:23:22 +09:00
Daniel Kahn Gillmor 83bf5ab08b actually implement tls_query_padding_blocksize
since no DNS OPT value has been allocated, i chose a random value in
the experimental/local range.
2015-11-01 15:49:56 +09:00
Daniel Kahn Gillmor df3725e635 added edns_client_subnet_private to getdns_context
https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-04

Using the above spec, an intermediate resolver may forward a chunk of
the client's IP address to the authoritative resolver.

Setting edns_client_subnet_private to a getdns_context in stub mode
will indicate to the next-hop recursive resolver that the client
wishes to keep their address information private.
2015-11-01 15:49:50 +09:00
Daniel Kahn Gillmor 0b388872ea clarify per-query options vs. per-upstream options
Sending DNS cookies was overwriting any existing options (DNS OPT) in
the outbound query.

Also, DNS cookies may not be the only option that gets set
per-upstream (instead of per-query).

This changeset establishes a set of per-query options (established at
the time of the query), and a buffer of additional space for adding
options based on the upstream is in use.

The size of this buffer is defined at configure time (defaults to 3000
octets).

Just before a query is sent out, we add the per-upstream options to
the query.

Note: we're also standardizing the query in tls too, even though we're
not sending any upstream options in that case at the moment
(edns_cookies are much weaker than TLS itself)
2015-11-01 15:47:22 +09:00
Daniel Kahn Gillmor 3e90795680 enable talking to servers with ECDSA certs
There is no clear reason to reject servers that don't have RSA certs.
We should accept ECDSA certs as well.

(also, clean up comments about opportunistic TLS)
2015-11-01 15:47:03 +09:00
jad 51eb2fdf55 working prototype 6 2015-11-01 12:47:49 +09:00
jad 2d20e18b8a working prototype 4 2015-11-01 11:14:45 +09:00
jad a85b17c885 working prototype 1 2015-11-01 10:24:02 +09:00
Willem Toorop 35c803208b Bit more concise and clear confusing code text 2015-10-31 18:24:24 +09:00
Willem Toorop 521e46879b Document that thing that we keep forgetting about 2015-10-31 17:15:36 +09:00
Willem Toorop 0a717f5d51 Warning with older (less intelligent) compiles 2015-10-29 16:25:07 +01:00
Sara Dickinson e397d1e020 Fix error that was not allowing cipher suite fallback for opportunistic TLS. 2015-10-25 15:28:20 +00:00