Commit Graph

2230 Commits

Author SHA1 Message Date
Vladislav Grishenko 4f4ed98112 Fix build error with gnu99 compilers
Typedefs sha256_pin_t & getdns_log_config multiple declaration in context.h,
tls.h and tls_internal.h causes build error with some gnu99 compilers, even
if the redefinition is identical.
One possible way is to protect each occurrence with ifdefs, but it seems too
brute; the other one is to keep the typedef in context.h only and use struct types
in the recently added tls* scope.

Error example:
../libtool --quiet --tag=CC --mode=compile arm-brcm-linux-uclibcgnueabi-gcc
-std=gnu99 -I. -I. -I./util/auxiliary -I./tls -I./openssl -I./../stubby/src
-Wall -Wextra -D_BSD_SOURCE -D_DEFAULT_SOURCE ... -c ./convert.c -o convert.lo
In file included from ./context.h:53:0,
                 from ./util-internal.h:42,
                 from ./convert.c:50:
./tls.h:45:27: error: redefinition of typedef 'sha256_pin_t'
./openssl/tls-internal.h:57:27: note: previous declaration of 'sha256_pin_t' was here
In file included from ./util-internal.h:42:0,
                 from ./convert.c:50:
./context.h:133:3: error: redefinition of typedef 'sha256_pin_t'
./tls.h:45:27: note: previous declaration of 'sha256_pin_t' was here
./context.h:267:3: error: redefinition of typedef 'getdns_log_config'
./openssl/tls-internal.h:58:34: note: previous declaration of 'getdns_log_config' was here
2019-04-12 01:40:51 +05:00
Willem Toorop b22768709a Runtime fallback and FreeBSD compatible TFO 2019-04-03 12:24:09 +02:00
Willem Toorop b6e290f42a Fix compiling for debugging 2019-04-03 11:51:35 +02:00
Maciej S. Szmigiero 0a1883047d Don't transmit an extra NULL byte in the anchor fetch HTTP request
When calculating HTTP request buffer size tas_connect() unnecessarily adds
an extra octet for the terminating NULL byte.
The terminating NULL was already accounted for by sizeof(fmt), however,
since sizeof("123") = 4.

The extra NULL byte at the end of the anchor fetch HTTP request resulted
in an extra "501 Not implemented" HTTP response from the trust anchor
server.
2019-03-24 00:51:20 +01:00
Maciej S. Szmigiero 99e32f1e46 Increase anchor fetch timeout in tas_doc_read()
tas_doc_read() uses a very short 50 msec network read timeout which makes
fetching trust anchors pretty much impossible on high-latency connections
like 3G.

Use a 2 second read timeout, just like the other tas_read_cb() callback
setter does.
2019-03-24 00:50:49 +01:00
Willem Toorop 342b1090f8 Declarations are always defined 2019-03-15 17:22:31 +01:00
Willem Toorop 754d65eb6d Correct dependencies 2019-03-15 16:58:10 +01:00
Willem Toorop 324370c537 GnuTLS with Zero configuration DNSSEC 2019-03-15 16:50:10 +01:00
Willem Toorop 7438de712a Issue #422: Update server & client TFO
Seems to work for TLS now too.
At least on Linux.
Thanks Craig Andrews
2019-03-15 12:13:38 +01:00
Willem Toorop 99d15b999c Issue #423: Fix insecure delegation detection while scheduling 2019-03-13 14:21:06 +01:00
Jim Hague 968e914e94 Avoid build errors if $sysconfdir or $runstatedir contain a space.
Building on Windows was failing if sysconfdir was, e.g. C:\Program Files.
2019-02-21 14:37:25 +00:00
Willem Toorop acc9b1cbd5 Typo and unused parameter warning 2019-02-15 13:46:28 +01:00
Willem Toorop 30367dada2 space needed for unit test to succeed 2019-02-15 13:43:28 +01:00
Willem Toorop 034b775e5c DOA & AMTRELAY RR types implementation 2019-02-15 13:36:39 +01:00
Willem Toorop 71b773ab2f '"' needs to be escaped too in json 2019-02-15 10:44:49 +01:00
Willem Toorop c3d0afd47d Issue #419: Escape backslashes when printing json
Thanks boB Rudis
2019-02-15 10:29:39 +01:00
Willem Toorop 97ac5d3ddc Merge branch 'develop' of github.com:getdnsapi/getdns into develop 2019-02-04 15:46:46 +01:00
Willem Toorop 0fef131e9b bugfix #418 duplicate ,'s in Windows build 2019-02-04 15:46:10 +01:00
Havard Eidnes c68f5a7a8d Fix various build warnings uncovered on NetBSD w/pkgsrc.
The isxxxx() and toxxxx() functions have a limited well-defined
input value range, namely that of "unsigned char" plus EOF.  Cast
args accordingly.

Bring strncasecmp() into scope by including <strings.h>.
2019-01-28 11:24:10 +01:00
Willem Toorop 7c1b43b420 Fix sole pinset validation with ssl_dane library 2019-01-23 14:33:35 +00:00
Willem Toorop cad7eb2461 Probably the strlcpy 2019-01-23 14:06:04 +01:00
Willem Toorop f72fe60035 Cannot reuse qname (via name) after read_line_cb..
.. returns.
2019-01-23 13:55:29 +01:00
Willem Toorop e657024531 Run all unit tests again 2019-01-23 12:50:44 +01:00
Willem Toorop 35f2ce37c0 Restore original serve delays 2019-01-23 12:49:22 +01:00
Willem Toorop c4bd91b196 Merge remote-tracking branch 'jim/feature/abstract-tls' into devel/abstract-tls 2019-01-23 12:46:07 +01:00
Willem Toorop d71dccaf2c - Nested getdns_context_runt() prevention
- Fix address query with qname and missing qtype for -I and -F too
- disable tiny delay again
2019-01-23 12:43:20 +01:00
Jim Hague cdc0d43315 Correct auth state thinko. Spotter credit to Willem. 2019-01-23 11:34:02 +00:00
Willem Toorop 8980f5f5ee Fix nested scheduling with getdns_query -F and -I
+ add 1 millisecond delay between batched queries, just because...
2019-01-23 11:41:00 +01:00
Willem Toorop 0af9a629f4 Does smaller delay make a difference? 2019-01-23 10:50:57 +01:00
Willem Toorop ac379787a2 Reassure clang static analyzer that all is OK 2019-01-23 10:29:20 +01:00
Willem Toorop 79fbef07d8 type specifier misplaced by #ifdef unclarity 2019-01-23 10:27:17 +01:00
Jim Hague 814ee2c4cf Fix more gcc 8 warnings.
As warnings, these cause builds to fail when running the test suite.
2019-01-17 11:23:39 +00:00
Jim Hague 09ca9a826b Fix gcc 8 warnings. 2019-01-15 17:13:13 +00:00
Jim Hague 9024fd7736 Fix build with INTERCEPT_COM_DS defined.
Decide that layout of handling write results is more readable, and use with read too.
2019-01-15 15:34:33 +00:00
Jim Hague 8609a35e5b GnuTLS: Add support for TLS 1.3. 2019-01-15 11:31:22 +00:00
Jim Hague ccd6c3592d GnuTLS: Can't set priority for SSL3. 2019-01-15 11:30:56 +00:00
Jim Hague 24774fefd6 Remove 'upstream' association with connection, now unused. 2019-01-15 11:01:58 +00:00
Jim Hague 3fe0c94357 Merge branch 'develop' into feature/abstract-tls 2019-01-14 19:09:20 +00:00
Jim Hague 51cb570809 Re-add support for OpenSSL prior to 1.1, but now require at least 1.0.2 and drop LibreSSL support. 2019-01-11 11:16:48 +00:00
Willem Toorop 411c5cf571 Get rid of * if in libgetdns.symbols 2019-01-07 12:08:26 +01:00
Willem Toorop a4020a6841 mk-symfiles.sh improvement
to filter out #defines as intended.
Thanks Zero King
2019-01-07 11:33:21 +01:00
Willem Toorop bbe7dff257 No TLS1.3 ciphers in cipher_list only when ...
SSL_set_ciphersuites in OpenSSL API.
2018-12-31 16:13:20 +01:00
Bruno Pagani 1962c03b79 context: remove TLS13 cipher from cipher_list
TLS 1.3 ciphers have to be set in ciphersuites instead.
2018-12-23 11:31:27 +00:00
Willem Toorop 309db67f8b RFE getdnsapi/stubby#121 log re-instantiating TLS ...
... upstreams (because they reached tls_backoff_time) at log level 4 (WARNING)
2018-12-21 16:30:46 +01:00
Willem Toorop 7c52883341 Remove truncated response from transport test 2018-12-21 12:44:51 +01:00
Willem Toorop 431f86f414 Make tests aware of NODATA == NO_NAME change 2018-12-21 12:10:19 +01:00
Willem Toorop 13e1e36ba3 RESPSTATUS_NO_NAME when no answers found
(so for NODATA answers too)
2018-12-21 11:28:00 +01:00
Willem Toorop ff1cdce6f8 s/explicitely/explicitly/g
Thanks Andreas Schulze
2018-12-20 15:06:01 +01:00
Jim Hague 65f4fbbc81 Make sure all connection deinits are only called if there is something to deinit. 2018-12-14 15:38:32 +00:00
Jim Hague c1bf12c8a2 Update default GnuTLS cipher suite priority string to one that gives the same ciphers as the OpenSSL version.
Also fix deinit segfault.

./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"
Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL
TLS_ECDHE_RSA_AES_256_GCM_SHA384                  	0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256                  	0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                   	0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305                 0xcc, 0xa9 TLS1.2

$ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
2018-12-14 15:24:13 +00:00
Willem Toorop 232f655663 trust_anchor_backoff_time also when appdata dir is not writable 2018-12-14 13:42:43 +01:00
Willem Toorop 990372329c typo 2018-12-13 15:26:13 +01:00
Willem Toorop dc6bb0fa52 Something wrong with /etc/hosts? 2018-12-13 15:24:37 +01:00
Willem Toorop eecc18703a Issue found with static analysis 2018-12-13 15:24:27 +01:00
Willem Toorop 154f98e321 Update consts 2018-12-13 15:24:19 +01:00
Willem Toorop 93b7cb6a01 ZONEMD rr-type 2018-12-13 14:53:41 +01:00
Jim Hague a4590bafcb Implement reading CAs from file or dir.
I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little digging shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
2018-12-13 13:33:54 +00:00
Willem Toorop 41f4940072 Log messages about trust anchor fetching and installing 2018-12-13 14:23:32 +01:00
Jim Hague e8f34d48fb Adjust default cipher list so required authentication works with getdnsapi.
The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.

So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
2018-12-13 12:04:01 +00:00
Jim Hague 2759d727e5 Minor spelling fix. 2018-12-13 11:54:41 +00:00
Jim Hague fa9d8885f0 Fix problems with GnuTLS pinset handling.
Pinset validation now seems to work.
2018-12-13 11:03:31 +00:00
Willem Toorop 91a3a3db36 More specific return codes, more logging 2018-12-12 16:12:07 +01:00
Jim Hague 45be26642b Fix dane query handling and verify error reporting.
Verify error is flags, not values. And deiniting a dane_query that is
NULL segfaults.
2018-12-12 15:01:07 +00:00
Jim Hague b51c7384e6 Implement _getdns_decode_base64() for GnuTLS.
Use primitives in libnettle.
2018-12-12 15:00:03 +00:00
Jim Hague 0dec4a6f21 Correct format string, fixing type error in specifier.
I was wondering why the error output did appear.
2018-12-12 14:59:13 +00:00
Jim Hague 35b4969216 Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string().
The only OpenSSL function is decoding Base64.
2018-12-11 18:03:00 +00:00
Jim Hague aa49a935c7 Fixed error detection in certificate verification. 2018-12-11 17:59:44 +00:00
Jim Hague ab69a9a7da Merge branch 'feature/abstract-tls' of https://github.com/banburybill/getdns into feature/abstract-tls 2018-12-11 15:01:44 +00:00
Jim Hague 2c6ec5e0be Implement setting up pinset for DANE. Verification to come. 2018-12-11 14:59:21 +00:00
Willem Toorop a6ab7ffe41 ed25519 and ecdsa support with libnettle 2018-12-11 15:05:09 +01:00
Jim Hague ff7ffc246c Rename TLS Interface DANE init to pinset init. That's what it's actually used for. 2018-12-11 12:46:05 +00:00
Jim Hague 1acd880f26 Correct error return value from stub. 2018-12-07 17:56:12 +00:00
Jim Hague fee864c25c Implement setting cipher/curve lists.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
2018-12-07 16:55:17 +00:00
Willem Toorop bb99321e57 More constness for issue #410 2018-12-07 16:34:03 +01:00
Willem Toorop 8a7226baee Move from debugging to logging for
- upstream_stats & stub system
2018-12-07 14:02:17 +01:00
Willem Toorop bdfdd99645 Anticipate different openssl versions 2018-12-07 14:00:47 +01:00
Jim Hague 511dfc75ef Implement _getdns_tls_context_set_min_proto_1_2().
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
2018-12-07 11:11:33 +00:00
Jim Hague 64f0d6aaa8 Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify().
I managed to mislead myself about what it did, which suggests the name should be clearer.
2018-12-07 11:09:20 +00:00
Jim Hague b0c057e8ae Update dependencies for GnuTLS.
In practice a 'make depend' is required before building with either OpenSSL or GnuTLS.
2018-12-06 16:35:43 +00:00
Jim Hague 46c49cbcfe Modify getdns_server_mon to use GnuTLS or OpenSSL.
Untested.
2018-12-06 16:32:20 +00:00
Jim Hague 72d9b91a2e Extract non-OpenSSL specific code from pubkey-pinning.c, and move it back to common source.
OpenSSL-specific items are in pubkey-pinning-internal.c.
2018-12-06 14:09:30 +00:00
Jim Hague e73ab48687 Extract non-OpenSSL specific code from anchor.c, and move it back to common source.
OpenSSL-specific items are in anchor-internal.c.
2018-12-06 14:07:32 +00:00
Jim Hague 91764fb6b0 Correct checking of connection validation result. 2018-12-06 11:04:00 +00:00
Jim Hague c6dffa1239 Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.

GnuTLS uses Nettle itself, so this is not adding a new dependency.
2018-12-06 10:41:58 +00:00
Jim Hague b2312aee12 Implement hostname authentication. 2018-12-05 17:20:28 +00:00
Jim Hague f64aa8703d First pass at a mostly stubbed GnuTLS implementation.
This works enough to do a TLS lookup.
2018-12-05 11:25:32 +00:00
Willem Toorop c80aa72725 ED25519 & ED448 support 2018-12-03 15:35:03 +01:00
Willem Toorop ea55b12a08 getdns_query for addresses with qname but no qtype 2018-12-03 14:52:58 +01:00
Willem Toorop 30a3a6b026 Longer timeout for recursing_6 test 2018-12-03 14:33:56 +01:00
Willem Toorop 390e383a1a ED25519 & ED448 DNSSEC validation support 2018-12-03 14:33:21 +01:00
Willem Toorop 6d066f95f9 Merge branch 'features/trust_anchors_backoff_time' into develop 2018-12-03 12:51:00 +01:00
Willem Toorop 4b688443f4 Sync with unbound 2018-12-03 12:50:37 +01:00
Willem Toorop a1692359f3 RFE #408: Retry fetching of TA after backoff time 2018-12-03 12:27:31 +01:00
Willem Toorop 1e7da76901 Bugfix getdnsapi/stubby#140 fallback on getentropy failure 2018-11-30 14:50:06 +01:00
Willem Toorop c1f51815ba RFE #408: "dnssec" extension requiring DNSSEC
When this extension is set, GETDNS_DNSSEC_INDETERMINATE status will no
longer be returned.
2018-11-30 14:20:12 +01:00
Jim Hague 153e766edf tls.h uses struct mem_funcs in types-internal.h. 2018-11-27 18:04:14 +00:00
Jim Hague c4a3f75844 Correct make depend generation for TLS directory. 2018-11-27 18:03:27 +00:00
Jim Hague e60d852637 Common OpenSSL digester selection. 2018-11-27 16:55:33 +00:00
Willem Toorop e3b007a43a Issue #410: Document ownership with getdns_context_get_api_information()
+ const for extensions and namespaces
TODO: Look at other cases that are not const for no good reason.

Thanks Stefan Bühler
2018-11-27 16:59:47 +01:00
Jim Hague c101a7a021 Abstract context DANE initialisation. 2018-11-27 15:41:23 +00:00