Sara Dickinson
f94798b237
Final mixups
2015-12-24 10:00:15 +00:00
Willem Toorop
05efbd79de
Merge branch 'features/dns_root_servers' into develop
2015-12-24 10:51:50 +01:00
Willem Toorop
8bde787703
Use mkstemp instead of tmpnam to eliminate warning
2015-12-24 10:50:58 +01:00
Willem Toorop
71b2a44945
Remove root_servers comment leftovers
2015-12-23 21:19:52 +01:00
Sara Dickinson
3afba25dad
Update test case and changeling
2015-12-23 18:00:44 +00:00
Sara Dickinson
a5027981d9
Change how the aliasing is done so the tpkg tests will pass
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
2a50f4d2ac
Set tls_auth_failed when any present authentication mechanism fails
...
We used to only have hostnames available. now we have pubkey_pinsets
available as well.
We want upstream->tls_auth_failed to be 1 when any authentication
mechanism we've been asked for fails (and also when we haven't been
given any authentication mechanism at all).
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
57a04f61db
Allow AUTHENTICATION_REQUIRED w/o hostname when pubkey pinset is available
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
77802808ce
rename GETDNS_AUTHENTICATION_HOSTNAME with GETDNS_AUTHENTICATION_REQUIRED
2015-12-23 18:00:43 +00:00
Sara Dickinson
792ecd65b8
Add missing constant to const-info.c
2015-12-23 18:00:43 +00:00
Sara Dickinson
2ce806c05b
Tinker with debug statements/comments.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
a9eb9ccca9
Check that the pinset matches if it is configured
...
if the upstream is configured to allow fallback, this will not be a
fatal error, but it will still be checked.
Future work:
* verify any certs higher in the chain than the end-entity cert
* deal with raw public keys
* in the fallback case, report to the user whether the pinset match failed
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
d09675539e
Provide access to the pinsets during the TLS verification callback
...
We do this by associating a getdns_upstream object with the SSL object
handled by that upstream.
This allows us to collapse the verification callback code to a single
function.
Note that if we've agreed that fallback is ok, we are now willing to
accept *any* cert verification error, not just HOSTNAME_MISMATCH.
This is fine, because the alternative is falling back to cleartext,
which would be worse.
We also always set SSL_VERIFY_PEER, since we might as well try to do
so; we'll drop the verification error ourselves if we know we're OK
with falling back.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
614d317fd8
getdns_query: add -K option to attach pinsets to getdns_contexts.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
0d2256df09
set and return the pubkey_pinsets on the upstream resolvers
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
b305f073fe
add functions to translate between getdns_list and sha256_pin linked list
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
4dbe1813e4
added simple sha256 public key pinning linked list to getdns_upstream
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
5e64f1262b
add getdns_pubkey_pinset_sanity_check()
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
91f04ecd5e
add getdns_pubkey_pin_create_from_string()
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
4047bd09da
define _DEFAULT_SOURCE as well as _BSD_SOURCE for glibc version 2.20 and up
...
in recent versions of feature_test_macros(7), it says of _BSD_SOURCE:
Since glibc 2.20, this macro is deprecated. It now has the same
effect as defining _DEFAULT_SOURCE, but generates a compile-time
warning (unless _DEFAULT_SOURCE is also defined). Use
_DEFAULT_SOURCE instead. To allow code that requires
_BSD_SOURCE in glibc 2.19 and earlier and _DEFAULT_SOURCE in
glibc 2.20 and later to compile without warnings, define both
_BSD_SOURCE and _DEFAULT_SOURCE.
2015-12-23 17:57:49 +00:00
Willem Toorop
ce1185166c
Merge branch 'features/dns_root_servers' into develop
2015-12-23 17:41:40 +01:00
Willem Toorop
29b033c14c
off-by-one bugfixes
2015-12-23 17:38:36 +01:00
Willem Toorop
fbae577a54
Setting of root servers
...
test with
getdns_query -f yeti.key -R yeti.hints nlnetlabs.nl A +dnssec_return_status
where yeti.key comes from:
https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/named.cache
and yeti.hints from:
https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/KSK.pub
2015-12-23 17:15:45 +01:00
Willem Toorop
746c26dafc
Update Makefile dependencies
2015-12-23 12:26:39 +01:00
Willem Toorop
8ebb047693
Merge branch 'features/conversion_functions' into develop
2015-12-23 12:13:44 +01:00
Willem Toorop
f9c2f96996
Fixes for miscelanous little zone parse errors
...
Hopefully the tpkg test is more deterministic now too...
2015-12-23 12:06:09 +01:00
Willem Toorop
11cd892662
Clean boundries on wireformat scans
2015-12-22 19:14:18 +01:00
Willem Toorop
e4fa06a57b
getdns_fp2rr_list conversion function
...
+ private conversion functions that respect custom memory handlers
+ converage of more different example functions in 260-conversion-functions test package
2015-12-22 18:37:24 +01:00
Willem Toorop
0cb513e9b7
Doc of (|_buf|_scan) style conversion funcs
...
+ (|_buf|_scan) versions of most of the conversion directions.
+ mk-const-info handles new return_t's defines
2015-12-22 16:04:43 +01:00
Willem Toorop
6519a05780
all debug config option for broadest src coverage
...
With the 300 tpkg test
2015-12-22 11:43:06 +01:00
Willem Toorop
fe7a1e89e3
Constify new work
2015-12-22 11:32:15 +01:00
Willem Toorop
5bbcbb97a1
Merge branch 'develop' into features/conversion_functions
2015-12-22 11:28:27 +01:00
Willem Toorop
0a809cb7d8
Allow truncated answers to be returned
2015-12-22 10:56:20 +01:00
Willem Toorop
ee2a1fbfe6
Merge branch 'features/tsig' into develop
2015-12-22 01:08:25 +01:00
Willem Toorop
8a8a017fc5
Validate received TSIG reply
2015-12-22 01:03:31 +01:00
Willem Toorop
6c1e00fc3f
Send TSIG
2015-12-21 22:11:16 +01:00
wtoorop
8eeb3a6650
Merge pull request #129 from saradickinson/feature/edns-tcp-keepalive
...
Implement client side edns-tcp-keepalive
Great work! Thanks!
2015-12-21 20:20:27 +01:00
Sara Dickinson
f55721d261
Update unit test. Since 0 is the default, it can be set via the function.
2015-12-21 17:36:59 +00:00
Sara Dickinson
746a827baa
Implement client side edns-tcp-keepalive
2015-12-21 17:05:56 +00:00
wtoorop
eb6c6e3f67
Merge pull request #128 from saradickinson/feature/STARTTLS_removal2
...
Feature/starttls removal2
Excellent! Thanks!
2015-12-21 16:38:10 +01:00
Willem Toorop
98dc4018c3
Setting & getting of tsig info per upstream
2015-12-21 12:22:59 +01:00
Sara Dickinson
91a73ab3d0
cleanup
2015-12-18 16:22:09 +00:00
Sara Dickinson
4165e874de
Fix tests
2015-12-18 16:14:54 +00:00
Sara Dickinson
13ddf9ad83
Update constants
2015-12-18 16:14:54 +00:00
Sara Dickinson
3e97e1f032
Fix make file
2015-12-18 16:14:54 +00:00
Sara Dickinson
c5b839bda8
remove STARTTLS
2015-12-18 16:14:54 +00:00
gmadkat
7c766e5284
Update configure.ac
2015-12-18 10:40:12 -05:00
Willem Toorop
bc2ec7cee3
Specify TSIG parameters with getdns_query
2015-12-18 15:16:48 +01:00
Willem Toorop
95e9fa1f35
Better/shorter tpkg descriptions
2015-12-18 14:09:30 +01:00
Willem Toorop
0129550130
Dependencies
2015-12-18 14:04:16 +01:00