Commit Graph

2298 Commits

Author SHA1 Message Date
Jim Hague 09ca9a826b Fix gcc 8 warnings. 2019-01-15 17:13:13 +00:00
Jim Hague 9024fd7736 Fix build with INTERCEPT_COM_DS defined.
Decide that layout of handling write results is more readable, and use with read too.
2019-01-15 15:34:33 +00:00
Jim Hague 8609a35e5b GnuTLS: Add support for TLS 1.3. 2019-01-15 11:31:22 +00:00
Jim Hague ccd6c3592d GnuTLS: Can't set priority for SSL3. 2019-01-15 11:30:56 +00:00
Jim Hague 24774fefd6 Remove 'upstream' association with connection, now unused. 2019-01-15 11:01:58 +00:00
Jim Hague 3fe0c94357 Merge branch 'develop' into feature/abstract-tls 2019-01-14 19:09:20 +00:00
Jim Hague 51cb570809 Re-add support for OpenSSL prior to 1.1, but now require at least 1.0.2 and drop LibreSSL support. 2019-01-11 11:16:48 +00:00
Willem Toorop 411c5cf571 Git rid of * if in libgetdns.symbols 2019-01-07 12:08:26 +01:00
Willem Toorop a4020a6841 mk-symfiles.sh improvement
to filter out #defines as intended.
Thanks Zero King
2019-01-07 11:33:21 +01:00
Willem Toorop bbe7dff257 No TLS1.3 ciphers in cipher_list only when ...
SSL_set_ciphersuites in OpenSSL API.
2018-12-31 16:13:20 +01:00
Bruno Pagani 1962c03b79
context: remove TLS13 cipher from cipher_list
TLS 1.3 ciphers have to be set in ciphersuites instead.
2018-12-23 11:31:27 +00:00
Willem Toorop 309db67f8b RFE getdnsapi/stubby#121 log re-instantiating TLS ...
... upstreams (because they reached tls_backoff_time) at log level 4 (WARNING)
2018-12-21 16:30:46 +01:00
Willem Toorop 7c52883341 Remove truncated response from transport test 2018-12-21 12:44:51 +01:00
Willem Toorop 431f86f414 Make tests aware of NODATA == NO_NAME change 2018-12-21 12:10:19 +01:00
Willem Toorop 13e1e36ba3 RESPSTATUS_NO_NAME when no answers found
(so for NODATA answers too)
2018-12-21 11:28:00 +01:00
Willem Toorop ff1cdce6f8 s/explicitely/explicitly/g
Thanks Andreas Schulze
2018-12-20 15:06:01 +01:00
Jim Hague 65f4fbbc81 Make sure all connection deinits are only called if there is something to deinit. 2018-12-14 15:38:32 +00:00
Jim Hague c1bf12c8a2 Update default GnuTLS cipher suite priority string to one that gives the same ciphers as the OpenSSL version.
Also fix deinit segfault.

./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"
Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL
TLS_ECDHE_RSA_AES_256_GCM_SHA384                  	0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256                  	0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                   	0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305                 0xcc, 0xa9 TLS1.2

$ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
2018-12-14 15:24:13 +00:00
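The commit above compares the two tools' output by eye. The script below is an added example, not getdns code or the commit author's, that does the same comparison mechanically: it parses the pasted gnutls-ciphers and `openssl ciphers -v` output (embedded here as strings so it runs offline; the row format of the gnutls-ciphers helper is assumed to be exactly what the paste shows), normalises the GnuTLS names to OpenSSL's short names, and reports suites present on only one side. It also checks each GnuTLS row's code point against the IANA registry, which flags the pasted ECDHE-ECDSA AES-256-GCM row: its code point reads 0xc0, 0x2 where the registry assigns 0xc0, 0x2c.

```python
"""Check that a GnuTLS priority string and an OpenSSL cipher list enable the
same suites, by normalising both tools' output to one naming scheme.

Added illustration, not getdns code.  The two outputs below are the ones
pasted in the commit message, embedded as strings so the check runs offline;
the gnutls-ciphers helper named there is assumed to print
"<suite> 0xHH, 0xHH <version>" rows as shown.
"""
from typing import List, Set, Tuple

GNUTLS_OUTPUT = """\
TLS_ECDHE_RSA_AES_256_GCM_SHA384      0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256      0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305       0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384    0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256    0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305     0xcc, 0xa9 TLS1.2
"""

OPENSSL_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
"""

# IANA TLS Cipher Suite registry code points for the six AEAD suites both lists should yield.
IANA_CODEPOINTS = {
    "TLS_ECDHE_RSA_AES_256_GCM_SHA384": "c030",
    "TLS_ECDHE_RSA_AES_128_GCM_SHA256": "c02f",
    "TLS_ECDHE_RSA_CHACHA20_POLY1305": "cca8",
    "TLS_ECDHE_ECDSA_AES_256_GCM_SHA384": "c02c",
    "TLS_ECDHE_ECDSA_AES_128_GCM_SHA256": "c02b",
    "TLS_ECDHE_ECDSA_CHACHA20_POLY1305": "cca9",
}


def parse_gnutls_ciphers(text: str) -> List[Tuple[str, str]]:
    """Return (suite name, 4-hex-digit code point) per row of gnutls-ciphers output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("TLS_"):
            continue  # skip the banner line and blanks
        hi, lo = parts[1].rstrip(","), parts[2]   # "0xc0," "0x30"
        rows.append((parts[0], f"{int(hi, 16):02x}{int(lo, 16):02x}"))
    return rows


def parse_openssl_ciphers(text: str) -> List[str]:
    """`openssl ciphers -v` prints one suite per line, OpenSSL short name first."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]


def gnutls_to_openssl_name(name: str) -> str:
    """Map a GnuTLS (IANA-style) suite name to OpenSSL's short name.

    Covers the ECDHE/AEAD suites in the lists above: drop the TLS_ prefix,
    use '-' separators, and collapse AES-256-GCM to AES256-GCM."""
    n = name[4:] if name.startswith("TLS_") else name
    n = n.replace("_", "-")
    for bits in ("128", "256"):
        n = n.replace(f"AES-{bits}-GCM", f"AES{bits}-GCM")
    return n


def compare(gnutls_text: str, openssl_text: str) -> Tuple[Set[str], Set[str]]:
    """Return (suites only GnuTLS enables, suites only OpenSSL enables); both empty means equal."""
    gnutls = {gnutls_to_openssl_name(n) for n, _ in parse_gnutls_ciphers(gnutls_text)}
    openssl = set(parse_openssl_ciphers(openssl_text))
    return gnutls - openssl, openssl - gnutls


def codepoint_mismatches(gnutls_text: str) -> List[Tuple[str, str, str]]:
    """Rows whose printed code point disagrees with IANA: (name, printed, expected)."""
    return [(n, cp, IANA_CODEPOINTS[n]) for n, cp in parse_gnutls_ciphers(gnutls_text)
            if n in IANA_CODEPOINTS and cp != IANA_CODEPOINTS[n]]


if __name__ == "__main__":
    print("only GnuTLS / only OpenSSL:", compare(GNUTLS_OUTPUT, OPENSSL_OUTPUT))
    print("code point mismatches:", codepoint_mismatches(GNUTLS_OUTPUT))
```

Both difference sets come back empty for the lists above, which is the equivalence the commit claims; a non-empty set is the signal to revisit the priority string before shipping it as a default.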
Willem Toorop 232f655663 trust_anchor_backoff_time also when appdata dir is not writable 2018-12-14 13:42:43 +01:00
Willem Toorop 990372329c typo 2018-12-13 15:26:13 +01:00
Willem Toorop dc6bb0fa52 Something wrong with /etc/hosts? 2018-12-13 15:24:37 +01:00
Willem Toorop eecc18703a Issue found with static analysis 2018-12-13 15:24:27 +01:00
Willem Toorop 154f98e321 Update consts 2018-12-13 15:24:19 +01:00
Willem Toorop 93b7cb6a01 ZONEMD rr-type 2018-12-13 14:53:41 +01:00
Jim Hague a4590bafcb Implement reading CAs from file or dir.
I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little digging shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
2018-12-13 13:33:54 +00:00
Willem Toorop 41f4940072 Log messages about trust anchor fetching and installing 2018-12-13 14:23:32 +01:00
Jim Hague e8f34d48fb Adjust default cipher list so required authentication works with getdnsapi.
The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.

So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
2018-12-13 12:04:01 +00:00
Jim Hague 2759d727e5 Minor speeling fix. 2018-12-13 11:54:41 +00:00
Jim Hague fa9d8885f0 Fix problems with GnuTLS pinset handling.
Pinset validation now seems to work.
2018-12-13 11:03:31 +00:00
Willem Toorop 91a3a3db36 More specific return codes, more logging 2018-12-12 16:12:07 +01:00
Jim Hague 45be26642b Fix dane query handling and verify error reporting.
Verify error is flags, not values. And deiniting a dane_query that is
NULL segfaults.
2018-12-12 15:01:07 +00:00
Jim Hague b51c7384e6 Implement _getdns_decode_base64() for GnuTLS.
Use primitives in libnettle.
2018-12-12 15:00:03 +00:00
Jim Hague 0dec4a6f21 Correct format string, fixing type error in specifier.
I was wondering why the error output did appear.
2018-12-12 14:59:13 +00:00
Jim Hague 35b4969216 Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string().
The only OpenSSL function is decoding Base64.
2018-12-11 18:03:00 +00:00
Jim Hague aa49a935c7 Fixed error detection in certificate verification. 2018-12-11 17:59:44 +00:00
Jim Hague ab69a9a7da Merge branch 'feature/abstract-tls' of https://github.com/banburybill/getdns into feature/abstract-tls 2018-12-11 15:01:44 +00:00
Jim Hague 2c6ec5e0be Implement setting up pinset for DANE. Verification to come. 2018-12-11 14:59:21 +00:00
Willem Toorop a6ab7ffe41 ed25519 and ecdsa support with libnettle 2018-12-11 15:05:09 +01:00
Jim Hague ff7ffc246c Rename TLS Interface DANE init to pinset init. That's what it's actually used for. 2018-12-11 12:46:05 +00:00
Jim Hague 1acd880f26 Correct error return value from stub. 2018-12-07 17:56:12 +00:00
Jim Hague fee864c25c Implement setting cipher/curve lists.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
2018-12-07 16:55:17 +00:00
Willem Toorop bb99321e57 More constness for issue #410 2018-12-07 16:34:03 +01:00
Willem Toorop 8a7226baee Move from debugging to logging for
- upstream_stats & stub system
2018-12-07 14:02:17 +01:00
Willem Toorop bdfdd99645 Anticipate different openssl versions 2018-12-07 14:00:47 +01:00
Jim Hague 511dfc75ef Implement _getdns_tls_context_set_min_proto_1_2().
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
2018-12-07 11:11:33 +00:00
Jim Hague 64f0d6aaa8 Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify().
I managed to mislead myself about what it did, which suggests the name should be clearer.
2018-12-07 11:09:20 +00:00
Jim Hague b0c057e8ae Update dependencies for GnuTLS.
In practice a 'make depend' is required before building with either OpenSSL or GnuTLS.
2018-12-06 16:35:43 +00:00
Jim Hague 46c49cbcfe Modify getdns_server_mon to use GnuTLS or OpenSSL.
Untested.
2018-12-06 16:32:20 +00:00
Jim Hague 72d9b91a2e Extract non-OpenSSL specific code from pubkey-pinning.c, and move it back to common source.
OpenSSL-specific items are in pubkey-pinning-internal.c.
2018-12-06 14:09:30 +00:00
Jim Hague e73ab48687 Extract non-OpenSSL specific code from anchor.c, and move it back to common source.
OpenSSL-specific items are in anchor-internal.c.
2018-12-06 14:07:32 +00:00
Jim Hague 91764fb6b0 Correct checking of connection validation result. 2018-12-06 11:04:00 +00:00
Jim Hague c6dffa1239 Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.

GnuTLS uses Nettle itself, so this is not adding a new dependency.
2018-12-06 10:41:58 +00:00
Jim Hague b2312aee12 Implement hostname authentication. 2018-12-05 17:20:28 +00:00
Jim Hague f64aa8703d First pass at a mostly stubbed GnuTLS implementation.
This works enough to do a TLS lookup.
2018-12-05 11:25:32 +00:00
Willem Toorop c80aa72725 ED25519 & ED448 support 2018-12-03 15:35:03 +01:00
Willem Toorop ea55b12a08 getdns_query for addresses with qname but no qtype 2018-12-03 14:52:58 +01:00
Willem Toorop 30a3a6b026 Longer timeout for recursing_6 test 2018-12-03 14:33:56 +01:00
Willem Toorop 390e383a1a ED25519 & ED448 DNSSEC validation support 2018-12-03 14:33:21 +01:00
Willem Toorop 6d066f95f9 Merge branch 'features/trust_anchors_backoff_time' into develop 2018-12-03 12:51:00 +01:00
Willem Toorop 4b688443f4 Sync with unbound 2018-12-03 12:50:37 +01:00
Willem Toorop a1692359f3 RFE #408: Retry fetching of TA after backoff time 2018-12-03 12:27:31 +01:00
Willem Toorop 1e7da76901 Bugfix getdnsapi/stubby#140 fallback on getentropy failure 2018-11-30 14:50:06 +01:00
Willem Toorop c1f51815ba RFE #408: "dnssec" extension requiring DNSSEC
When this extension is set, GETDNS_DNSSEC_INDETERMINATE status will no
longer be returned.
2018-11-30 14:20:12 +01:00
Jim Hague 153e766edf tls.h uses struct mem_funcs in types-internal.h. 2018-11-27 18:04:14 +00:00
Jim Hague c4a3f75844 Correct make depend generation for TLS directory. 2018-11-27 18:03:27 +00:00
Jim Hague e60d852637 Common OpenSSL digester selection. 2018-11-27 16:55:33 +00:00
Willem Toorop e3b007a43a Issue #410: Document ownership with getdns_context_get_api_information()
+ const for extensions and namespaces
TODO: Look at other cases that are not const for no good reason.

Thanks Stefan Bühler
2018-11-27 16:59:47 +01:00
Jim Hague c101a7a021 Abstract context DANE initialisation. 2018-11-27 15:41:23 +00:00
Jim Hague 26bcddd029 Abstract cookie SHA256 calculation. 2018-11-27 15:31:33 +00:00
Jim Hague af962228fc Abstract maximum digest length. 2018-11-27 15:31:05 +00:00
Jim Hague 0cdede21df Abstract SHA1 calculation. 2018-11-27 15:29:48 +00:00
Jim Hague 5e390a4b23 Revise all TLS interfaces to pass in GetDNS memory functions where necessary.
This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c.
2018-11-27 14:41:46 +00:00
Jim Hague bc3106af94 Abstract out HMAC functions in request-internal.c. 2018-11-27 11:49:12 +00:00
Jim Hague 4ec93a3df0 Add Doxygen for remaining tls.h functions. 2018-11-26 11:32:18 +00:00
Jim Hague 27a7e4e28f Attempt minimal autoconf changes to use GnuTLS instead of OpenSSL.
I could waste the rest of the available time trying to turn configure.ac into something that cleanly ignores OpenSSL, uses GnuTLS instead and retains all the options. Or even better scrap the whole autoconf mess and start again.

But in the interests of prototyping, do something quick and dirty. This means GnuTLS must for now be configured thus:

$ CFLAGS="-g" ../configure --enable-stub-only --with-gnutls --disable-gost --disable-ecdsa --disable-edns-cookies

to evade other items with hardcoded OpenSSL checks in them.
2018-11-23 17:49:06 +00:00
Jim Hague 2267863a53 Attempt to improve the preprocessor horror that is util/val_secalgo.h.
Convert the main util/val_secalgo.h to a plain interface. Move the preprocessor redefines into validator/val_secalgo.h, and move THAT under openssl, because it is OpenSSL implementation specific at present - you can compile with NSS and Nettle if config allows.
2018-11-23 16:28:55 +00:00
Willem Toorop 2d76a5fd52 We had complaints for serving the root, so..
TCP only full recursion test now starting from K-root
(because other roots are unreliable TCP-wise)
2018-11-22 12:16:19 +01:00
Willem Toorop b90ba236ae tls_ciphersuites, tls_cipher_list, tls_curve_list,
tls_min_version & tls_max_version settings must cause
failure when not supported by the TLS library.  Not during
configure time, but during connection setup so it doesn't
hamper alternative transports.
2018-11-22 11:37:28 +01:00
Willem Toorop 6b10570842 DNSSEC bugfix found with static analysis
* Fix for DNSSEC bug in finding most specific key when
  trust anchor proves non-existence of one of the labels
  along the authentication chain other than the non-
  existence of a DS record on a zonecut.
2018-11-22 10:21:48 +01:00
Willem Toorop 4ff9816e39 google now supports DoT 2018-11-21 17:00:03 +01:00
Willem Toorop 73868643d2 Fix compile warnings 2018-11-21 16:07:47 +01:00
Willem Toorop 1904ee7318 Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130
Configurable TLS version
2018-11-21 15:02:28 +01:00
Jim Hague 4f67491971 Remove unnecessary OpenSSL include in dnssec.c. 2018-11-20 17:36:56 +00:00
Jim Hague 05f9d30e89 Move anchor.c to under openssl. 2018-11-20 16:57:48 +00:00
Jim Hague f3e0f2b9e6 Split OpenSSL specific bits of keyraw.hc into keyraw-internal.hc.
All usage is internal to val_secalgo.c, which is already in openssl.
2018-11-20 16:51:17 +00:00
Jim Hague da94b52f74 Move val_secalgo.c to openssl.
It contains ports other than OpenSSL (NSS and NETTLE), but we're not worrying about those for our purposes at present.
2018-11-20 16:21:06 +00:00
Jim Hague 4eb845bc58 Move internal-only functions from public pubkey-pinning interface.
The interface now only exposes functions used by the main getdns code.
2018-11-20 15:55:34 +00:00
Jim Hague ff9cde2087 Remove SSL type from pubkey-pinning interface. 2018-11-20 15:49:26 +00:00
Jim Hague 756eda96d8 Remove ssl_dane dir from dependency generation search. 2018-11-20 15:47:56 +00:00
Willem Toorop 6a5e96d4e1 tls_ciphersuites + bugfix in strdup2!! 2018-11-20 16:13:57 +01:00
Jim Hague 52421be5f4 Correct error checking result of _getdns_tls_context_set_ca(). 2018-11-20 15:12:10 +00:00
Jim Hague 1b0a09a23f Wrap hostname/certificate verification.
This removes the last OpenSSL items from stub.c.
2018-11-20 14:53:31 +00:00
Jim Hague fb73bcb77e Correct return value error from _getdns_tls_connection_(read|write)(). 2018-11-20 12:43:17 +00:00
Jim Hague 2e8c48544b Move pubkey-pinning implementation under openssl/. 2018-11-19 13:55:02 +00:00
Jim Hague aba0e2fb4c Move non-TLS-library specific parts of tls.h to ~/src/tls.h and have it include lib-specific tls-internal.h.
Update dependencies.
2018-11-19 09:49:54 +00:00
Jim Hague 5d353d9efb To aid proof-of-concept work, insist on OpenSSL 1.1.1 or later.
Remove ssl_dane as now surplus to requirements.
2018-11-16 17:58:29 +00:00
Jim Hague 0fd6fd4c5c Replace (one instance of) SSL_get_peer_certificate(). 2018-11-16 17:09:26 +00:00
Jim Hague 4b8c9d1bd7 Replace SSL_get_version(). 2018-11-15 17:53:37 +00:00
Jim Hague 09019bee75 Replace SSL_write(). 2018-11-15 17:53:29 +00:00
Jim Hague e7453522d5 Replace SSL_read(). 2018-11-15 17:51:52 +00:00
Jim Hague e22c01e212 tls_do_handshake: move handshake and check for new session into abstraction layer. 2018-11-15 14:28:04 +00:00
Jim Hague ffd1136e94 tls_create_object(): Move setting client state and auto-retry into connection_new and add setting connection session. 2018-11-15 13:23:00 +00:00
Jim Hague d9fdd4c10d Abstracting TLS; let's start with context only.
Change data types in context.h and fix up context.c. Do minimal fixups to stub.c.
2018-11-15 11:01:13 +00:00
Willem Toorop 12589d85c2 Wild guess at OpenSSL without engine support 2018-06-12 17:00:45 +02:00
Willem Toorop 9b4e8e9e91 X509_get_notAfter not in OpenSSL 1.1.1 anymore 2018-06-12 16:37:46 +02:00
Willem Toorop 884f6ddc5e DS is always a delegation and never at the apex 2018-06-10 16:57:40 +02:00
Willem Toorop 25231aa686 Fix finding signer of NSEC and NSEC3s
Thanks Philip Homburg
2018-06-08 21:39:59 +02:00
Willem Toorop 000fa94ae2 Sync ldns & utils with unbound 2018-05-22 12:44:13 +02:00
Willem Toorop 799bd2f6b1 Bugfix #399: Reinclude <linux/sysctl.h> in getentropy_linux.c 2018-05-15 08:11:55 +02:00
Willem Toorop e481273ff4 Last minute update 2018-05-11 13:20:08 +02:00
wtoorop 0510fb00d3
Merge pull request #397 from ehmry/tcp_sendto
No TCP sendto without TCP_FASTOPEN
2018-05-11 12:04:49 +01:00
wtoorop 7fe45a7012
Merge pull request #396 from saradickinson/bugfix/windows_certs
Temporary fix for https://github.com/getdnsapi/stubby/issues/87. Dete…
2018-05-11 11:51:33 +01:00
Willem Toorop 6c99e7b8a6 Bugfix getdnsapi/stubby#106: Core dump when ...
printing certain configuration. Thanks Han Vinke
2018-05-11 11:28:52 +02:00
Willem Toorop 98b1ff624a Memory loss with empty string bindatas 2018-05-11 11:23:19 +02:00
Emery Hemingway a6ec2b2449 No TCP sendto without TCP_FASTOPEN 2018-05-08 14:58:17 +02:00
Willem Toorop 7331717990 Fix for Fallback to current (working) directory (for appdata_dir). 2018-05-04 15:30:27 +02:00
Willem Toorop 99bfe4a287 Fallback to current (working) directory (for appdata_dir).
To improve integration with system and service managers like systemd
See also getdnsapi/stubby#106
2018-05-04 10:40:49 +02:00
Willem Toorop 3c355d425b Warnings are errors :( 2018-05-03 12:15:48 +02:00
Willem Toorop 101d602739 Travis output showed it was a bracket issue 2018-05-03 11:48:07 +02:00
Willem Toorop de7f007bf3 Without dl_iterate_phdr for now... 2018-05-03 11:40:44 +02:00
Willem Toorop f5c588c955 Need _GNU_SOURCE before config.h 2018-05-03 11:30:28 +02:00
Willem Toorop f0f101511b _GNU_SOURCE needed for struct dl_phdr_info from link.h 2018-05-03 11:21:11 +02:00
Willem Toorop 4f050facc3 Bugfix #394: Update src/compat/getentropy_linux.c
in order to handle ENOSYS (not implemented) fallback.
Thanks Brent Blood
2018-05-02 14:32:12 +02:00
Willem Toorop 9c01968048 DS and DNSKEY lookups for tld and sld immediately
Resolves issue getdnsapi/stubby#99
2018-05-01 17:07:16 +02:00
Willem Toorop 7fecf5a93d Allow NSEC spans starting from (unexpanded) wildcards 2018-05-01 13:19:24 +02:00
Willem Toorop a834d32718 Fix negative reversed IPv4 test
which assumes 1.1.1.1.in-addr.arpa does not exist
2018-04-23 14:05:02 +02:00
Willem Toorop 1b5b0ca799 Force trailing '\0' with string config settings
Because even though it is added when parsing from JSON, it will be lost when the bindata is copied into a dict with getdns_dict_set_bindata.
2018-04-23 15:11:20 +02:00
saradickinson ced112ca74 Temporary fix for https://github.com/getdnsapi/stubby/issues/87. Detect and ignore duplicate certs in the root store. 2018-04-05 18:35:07 +01:00
Willem Toorop 7548b095bc Doxygen fixes 2018-03-05 16:12:49 +01:00
Willem Toorop 8a2fc5f5a9 max_udp_backoff should not be public
At least, not with this point release
2018-03-05 12:42:27 +01:00
Robert Groenenberg eec6ec29dd [UDP] try upstreams in round-robin fashion when all upstreams have failed 2018-03-05 12:03:20 +01:00
Robert Groenenberg f787c87137 Reset back_off on successful query 2018-03-05 12:02:01 +01:00
Robert Groenenberg a0fb2c8424 Limit back_off value to avoid very long retry interval 2018-03-05 12:01:52 +01:00
Willem Toorop fd5e0cdc02 Merge branch 'bugfix/388-endless-fallback-loop' into release/1.4.1 2018-03-05 11:52:36 +01:00
Willem Toorop e93b583a26 Merge branch 'devel/dnssec_issues' into release/1.4.1 2018-03-05 11:41:55 +01:00
Willem Toorop 0ff1839a6f Upstream reset on searchpath retry 2018-03-02 23:31:33 +01:00
Willem Toorop b178f94505 Don't retry an already tried upstream 2018-03-02 15:56:00 +01:00
Willem Toorop e29cfb6b6a Query for DS i.s.o. SOA to find zonecuts
Because of broken setups that have zonecuts without SOA:

```
$ drill -T www.gslb.kpn.com A
.	518400	IN	NS	i.root-servers.net.
com.	172800	IN	NS	a.gtld-servers.net.
kpn.com.	172800	IN	NS	ns1.kpn.net.
kpn.com.	172800	IN	NS	ns2.kpn.net.
gslb.kpn.com.	3600	IN	NS	gss1.kpn.com.
gslb.kpn.com.	3600	IN	NS	gss2.kpn.com.
www.gslb.kpn.com.	10	IN	A	145.7.170.135
```

but

```
$ drill gslb.kpn.com SOA
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 48303
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; gslb.kpn.com.	IN	SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 8 msec
;; SERVER: 185.49.140.100
;; WHEN: Fri Mar  2 14:13:21 2018
;; MSG SIZE  rcvd: 30
```
2018-03-02 14:14:28 +01:00
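To see why the DS query is the more robust zonecut probe, here is an added simulation (not getdns code) built on constructed zone data that mirrors the drill output above: gslb.kpn.com. is delegated with NS records from kpn.com., but its own apex holds no SOA, so an SOA query there gets NXDOMAIN. The SOA walk misses that cut; the DS walk, which always asks the parent, still finds it. In a real signed zone the "types present at this name" that the simulation hands back with a NODATA answer would come from the NSEC/NSEC3 type bitmap; for an unsigned parent a resolver needs another indication, which is what the unsigned-SOA rule in the following commit is about.

```python
"""Why querying DS rather than SOA finds every zonecut.

Added illustration of the commit above, not getdns code.  The data below is
constructed to mirror the drill output: gslb.kpn.com. has NS records in its
parent, but its own servers answer NXDOMAIN to an SOA query at the apex.  A
real resolver learns "types present at this name" from the NSEC/NSEC3 type
bitmap of a signed NODATA answer; the simulation hands it back directly.
"""
from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]   # owner -> rrtype -> rdata

# Constructed authoritative data, keyed by zone apex.  DS rdata is a placeholder.
ZONES: Dict[str, Zone] = {
    ".": {
        ".": {"SOA": ["a.root-servers.net. nstld.verisign-grs.com. 1 1 1 1 1"]},
        "com.": {"NS": ["a.gtld-servers.net."], "DS": ["12345 8 2 00"]},
    },
    "com.": {
        "com.": {"SOA": ["a.gtld-servers.net. nstld.verisign-grs.com. 1 1 1 1 1"]},
        "kpn.com.": {"NS": ["ns1.kpn.net.", "ns2.kpn.net."]},       # no DS: insecure delegation
    },
    "kpn.com.": {
        "kpn.com.": {"SOA": ["ns1.kpn.net. hostmaster.kpn.com. 1 1 1 1 1"]},
        "gslb.kpn.com.": {"NS": ["gss1.kpn.com.", "gss2.kpn.com."]},
    },
    "gslb.kpn.com.": {                                              # broken: no SOA/NS at apex
        "www.gslb.kpn.com.": {"A": ["145.7.170.135"]},
    },
}


def parent(name: str) -> str:
    """Drop the left-most label: 'www.example.com.' -> 'example.com.', 'com.' -> '.'."""
    return "." if name == "." else (name.split(".", 1)[1] or ".")


def ancestors(name: str) -> List[str]:
    """Root-first chain of names down to `name`: ['.', 'com.', 'kpn.com.', ...]."""
    chain = [name]
    while chain[-1] != ".":
        chain.append(parent(chain[-1]))
    return chain[::-1]


def serving_zone(qname: str, qtype: str) -> str:
    """Deepest known apex at or above qname.  DS lives in the parent, so for DS
    the answering zone must be a proper ancestor of qname."""
    candidates = ancestors(qname)
    if qtype == "DS":
        candidates = candidates[:-1]
    return [z for z in candidates if z in ZONES][-1]


def query(qname: str, qtype: str) -> Tuple[str, List[str], List[str]]:
    """(rcode, answer rdata, types present at qname in the answering zone)."""
    zone = ZONES[serving_zone(qname, qtype)]
    if qname not in zone:
        return "NXDOMAIN", [], []
    rrsets = zone[qname]
    return "NOERROR", rrsets.get(qtype, []), sorted(rrsets)


def zonecuts_by_soa(qname: str) -> List[str]:
    """Old approach: a name is an apex if an SOA query for it is answered."""
    return [n for n in ancestors(qname)[1:] if query(n, "SOA")[1]]


def zonecuts_by_ds(qname: str) -> List[str]:
    """New approach: ask the parent for DS.  A DS answer proves a signed cut;
    a NODATA whose type bitmap shows NS (and no SOA) proves an insecure cut."""
    cuts = []
    for n in ancestors(qname)[1:]:
        rcode, ds, types = query(n, "DS")
        if rcode == "NOERROR" and (ds or ("NS" in types and "SOA" not in types)):
            cuts.append(n)
    return cuts


if __name__ == "__main__":
    target = "www.gslb.kpn.com."
    print("SOA walk:", zonecuts_by_soa(target))   # misses gslb.kpn.com.
    print("DS walk: ", zonecuts_by_ds(target))
```

The SOA walk returns only com. and kpn.com., exactly the failure the drill output demonstrates; the DS walk also returns gslb.kpn.com., because the delegation is visible from the parent regardless of how the child's servers behave.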
Willem Toorop abc69f96fe Follow unsigned SOAs as insecure zonecut indication
Should resolve issue #385
2018-03-02 11:15:45 +01:00
Daniel Kahn Gillmor 9301f8970c Fix minor spelling and formatting.
These issues were found with the codespell tool.
2018-02-23 14:12:11 -08:00
Willem Toorop e705109f22 Fix tpkg dependencies 2018-02-22 15:02:11 +01:00
Willem Toorop 75297b17ae Fixes from running servers with valgrind 2018-02-22 14:45:56 +01:00
Willem Toorop 65e610f26e Unit test maintenance, to:
- remove obsolete tests
- test better for parallel installs
- run custom servers through valgrind
2018-02-22 14:44:13 +01:00
Willem Toorop 6325dae563 Run localhost unit tests on local localhost address 2018-02-21 13:40:19 +01:00
Willem Toorop a150c6d927 implied source ($<) not defined in explicit rules 2018-02-21 12:17:51 +01:00
Willem Toorop f2c531265b libidns2 doesn't detect locale that well... 2018-02-13 16:58:12 +01:00
Willem Toorop 9999907593 update Stubby + other dist tarball fixes 2018-02-13 15:05:29 +01:00
Willem Toorop 223e85bc02 Merge branch 'features/tls_curves_list' into release/1.4.0 2018-02-12 16:04:49 +01:00
Willem Toorop 0c3b6fb2f6 Symbols & constants 2018-02-12 15:57:28 +01:00
Willem Toorop 1ebd54a1de Utils from unbound update 2018-02-12 15:54:43 +01:00
Willem Toorop 31e5cd5ab6 sldns update 2018-02-12 15:54:01 +01:00
Willem Toorop 9a4e389946 Better #ifdef select when to use X509_check_host 2018-02-12 15:46:42 +01:00
Willem Toorop 401aa2e3b8 Specify the supported curves with TLS 2018-02-12 15:40:17 +01:00
Willem Toorop c3e4061fe2 hostname auth with libressl 2018-02-09 15:18:44 +01:00
Willem Toorop b914b63e18 Merge branch 'feature/monitor-tool' into release/1.4.0 2018-02-08 14:06:40 +01:00
Willem Toorop c033e3f1a3 Merge branch 'libressl' into release/1.4.0 2018-02-08 14:04:02 +01:00
Jim Hague 088d775117 In Keepalive test, send the maximum possible timeout value to the server.
The response will then show the server's value.
2018-02-08 12:35:45 +00:00
Willem Toorop f7278ca696 Make getdns_server_mon work with libressl 2018-02-08 12:38:50 +01:00
Willem Toorop bf1f01c87e Syntactic mod to minimize changes relative to before the PR
So changes are highlighted in side-by-side views.
2018-02-08 12:02:48 +01:00
Willem Toorop 7af885396f Merge branch 'release/1.4.0' into release/1.4.0-merge-PR-377 2018-02-08 11:46:28 +01:00
Willem Toorop 87fec7f9b4 Merge branch 'feature/monitor-tool' into release/1.4.0 2018-02-07 17:11:28 +01:00
Willem Toorop a72359e058 Comply to new style transport logging 2018-02-07 17:08:55 +01:00
Willem Toorop 7d4ccabc7f Merge branch 'bugfix/opportunistic_fallabck' into release/1.4.0-merge-PR-377 2018-02-07 17:00:25 +01:00
Willem Toorop 0eba73a945 LibreSSL like OpenSSL < 1.0.2 2018-02-07 16:42:11 +01:00
Willem Toorop c28a293c9f "Pinset validation failure" error when it occurred 2018-02-07 14:38:31 +01:00
Willem Toorop 9c5a93bbdf Merge branch 'develop' into devel/spki_pinset_via_tlsa_checking 2018-02-07 14:12:24 +01:00
Willem Toorop e944203e55 Merge branch 'develop' of github.com:getdnsapi/getdns into develop 2018-02-07 13:50:53 +01:00
Willem Toorop 82c00eb0a5 version.bind CH TXT for getdns_query 2018-02-07 13:50:29 +01:00
Jim Hague 13d7a730ee Further mitigate cache effects for OOOR by adding random label to delay lookup.
It turns out that delay.getdnsapi.net only pays attention to the left-most label.
2018-02-07 12:41:24 +00:00
Jim Hague a25f832d8a Remove timeout argument from keepalive test.
The client doesn't send a timeout value to the server, so there's no point having this argument.
2018-02-01 16:04:22 +00:00
Willem Toorop ec8b8ba903 One more fixing the fixes fix that slipped through 2018-01-31 14:41:13 +01:00
Willem Toorop 9bc98272a1 Fixing the fixes 2018-01-31 14:33:31 +01:00
Willem Toorop 97b056c355 Prevent an erred TCP connection from being rescheduled ...
for reading (or writing) when a reply comes in.

Thanks Maddie!
2018-01-30 15:21:46 +01:00
Willem Toorop 1f401f7253 Do not return freed netreqs! 2018-01-30 12:40:47 +01:00
Willem Toorop 2e03d3799c Memory leak on some TLS creation error cases 2018-01-30 12:23:23 +01:00
Jim Hague 3b5657e580 Reduce delay on OOOR delayed lookup.
A delay of 1000ms was causing frequent lookup timeouts e.g. on 9.9.9.9. We hypothesise that the delay causes an internal timeout in the server to fire. So reduce the delay to a smaller value that seems to leave the test working but reduces the incidence of timeouts.

We observe this still leaves timeouts on TLS connections to 9.9.9.9. These seem to occur only on TLS connections, and reducing the delay much further does not alter the observed behaviour. We guess there is something else going on there.
2018-01-29 10:17:54 +00:00
Sara Dickinson 7e3439efbc Improve handling of opportunistic back-off. If other transports are working, don’t forcibly promote failed upstreams just wait for the re-try timer.
Clean up logs.
2018-01-24 13:13:14 +00:00
Willem Toorop 4f37d2b933 No wildcard expansions allowed for RRs used in DNSSEC proofs
Signatures of DNSKEYs, DSs, NSECs and NSEC3s can not be wildcard expansions when used with DNSSEC proofs.
Only direct queries for those types are allowed to be wildcard expansions.

This in response to https://unbound.net/downloads/CVE-2017-15105.txt, although getdns was not vulnerable for this specific issue.
2018-01-23 16:50:05 +01:00
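As an added illustration of the rule in the commit above (not getdns code), the check below detects wildcard expansion the RFC 4035 way, from the RRSIG Labels field, and refuses DNSKEY, DS, NSEC and NSEC3 RRsets that are expansions unless they answer a direct query for that type. The sample chain at the bottom is constructed.

```python
"""Reject wildcard-expanded RRsets where a DNSSEC proof needs the exact owner.

Added illustration of the rule stated in the commit above, not getdns code.
Wildcard expansion is detected as in RFC 4035 section 5.3.4: an RRSIG whose
Labels field is smaller than the owner name's label count (ignoring a leading
'*' and the root) was made over a wildcard, so the RRset is an expansion.
The sample chain at the bottom is constructed.
"""
from typing import Dict, List

# Types whose signatures must never be wildcard expansions when used as proof material.
PROOF_TYPES = {"DNSKEY", "DS", "NSEC", "NSEC3"}


def label_count(owner: str) -> int:
    """Labels in an owner name, not counting the root or a leading '*'."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def is_wildcard_expansion(owner: str, rrsig_labels: int) -> bool:
    """True when the RRSIG's Labels field shows the owner was synthesised from a wildcard."""
    n = label_count(owner)
    if rrsig_labels > n:
        raise ValueError(f"RRSIG Labels {rrsig_labels} exceeds label count {n} of {owner}")
    return rrsig_labels < n


def accept_for_proof(rrtype: str, owner: str, rrsig_labels: int, direct_query: bool = False) -> bool:
    """Apply the commit's rule: proof-type RRsets may only be wildcard expansions
    when they are the answer to a direct query for that type."""
    if not is_wildcard_expansion(owner, rrsig_labels):
        return True
    if rrtype.upper() in PROOF_TYPES:
        return direct_query
    return True                       # ordinary answer data may be expanded


def filter_chain(rrsets: List[Dict]) -> List[str]:
    """Owners of the RRsets that survive the rule, in input order."""
    return [rr["owner"] for rr in rrsets
            if accept_for_proof(rr["type"], rr["owner"], rr["labels"], rr.get("direct", False))]


# Constructed sample: one NSEC that was wildcard-expanded and must not be used
# in the proof, one wildcard-expanded A record (fine), one direct DNSKEY query.
SAMPLE_CHAIN = [
    {"owner": "example.com.",   "type": "DNSKEY", "labels": 2},
    {"owner": "a.example.com.", "type": "NSEC",   "labels": 2},
    {"owner": "b.example.com.", "type": "A",      "labels": 2},
    {"owner": "c.example.com.", "type": "DNSKEY", "labels": 2, "direct": True},
]

if __name__ == "__main__":
    print(filter_chain(SAMPLE_CHAIN))   # ['example.com.', 'b.example.com.', 'c.example.com.']
```

The wildcard RR itself (owner `*.example.com.`, Labels 2) is not an expansion and passes; only synthesised names with more labels than the signature covers are caught.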
Jim Hague 037f6039c8 Improve AsciiDoc table formatting. 2018-01-23 13:53:08 +00:00
Jim Hague 01ea1d6a22 Note TLS 1.3 is experimental. At least until we find a stable test server. 2018-01-23 13:47:31 +00:00
Jim Hague b0661b9d9f Add a tool README.
Use AsciiDoc for this, as the GitHub table support in Markdown is woeful. But AsciiDoc is always better than Markdown anyway.
2018-01-23 13:45:55 +00:00
Jim Hague 8ba53f10b6 Correct RTT warning and critical default thresholds. 2018-01-23 13:45:09 +00:00
Jim Hague fcaa4f9845 Reflow usage message entry. 2018-01-23 12:37:14 +00:00
Jim Hague f3b2f83879 More output titivating. Make verbose by default in non-monitoring mode. 2018-01-23 12:14:40 +00:00
Jim Hague a4f17760ab Revise rcode_text() to get text from getdns, and add rrtype_text(). 2018-01-23 12:13:59 +00:00
Jim Hague 7e884e2cd0 Rename concurrent to OOOR (Out Of Order Responses). 2018-01-23 11:30:12 +00:00
Jim Hague bedd3a02cf Revise concurrency test to use <n>.delay.getdnsapi.net.
This gives more secure results than the previous method.
2018-01-22 17:39:25 +00:00
Jim Hague 1e774a95f5 Don't rely on GCC extensions. 2018-01-22 16:49:53 +00:00
Jim Hague 8c3047dbe0 Add 'concurrent' test
The concurrent test works by sending a known good query synchronously,
and then sending asynchronous queries for three random TLDs followed by
the known good query. The latter should be answerable from cache, and so
give a result before at least one of the random TLDs.
2018-01-22 16:49:53 +00:00
Willem Toorop d38f233a80 Track readbuf free's
As tcp_connection_destroy() might be called more than once per connection (depending on outstanding work)
2018-01-22 16:56:48 +01:00
Jim Hague f9e4c9f853 Revise output.
If in monitoring mode, make output conform to Nagios norms. This starts with the probe type and result, so we need to save output generated during the operation and print it at the end.

If not in monitoring mode, make the formatting more expansive.
2018-01-22 14:36:54 +00:00
Jim Hague 0291e205fd Add TLS 1.3 test.
Add a new item tls_version to call_reporting, containing the OpenSSL version string for the name of the protocol used for the connection.

The test does a normal lookup, but first sets the cipher list to TLS1.3 only ciphers. This will cause a Bad Context error at search time, so we can tell if the underlying OpenSSL library lacks TLS 1.3. Then check the call reporting for a TLS version of "TLSv1.3".
2018-01-19 15:56:40 +00:00
Jim Hague 62ad159f15 Update dnssec-validate. Check we can retrieve info for bogus domain, and remove must use TCP flag.
Run a second query with the CD bit set and check that succeeds.
2018-01-19 14:51:46 +00:00
Jim Hague 3fd4f7f240 Add 'dnssec-validate' test.
This test checks whether the server does DNSSEC validation. If it manages to find an A record for dnssec-failed.org, it doesn't.
2018-01-19 14:51:46 +00:00
Jim Hague 1a3025a405 If server does not return expected TXT in qname-min, return UNKNOWN not WARNING. 2018-01-18 17:17:16 +00:00
Jim Hague ea035fa82e Correct some code formatting. 2018-01-18 17:16:28 +00:00
Jim Hague add818fea2 Remove dependency on timegm() when using OpenSSL < 1.0.2.
Convert dates to Julian and diff. This is basically what ASN1_TIME_diff() does internally.

And that's quite enough near-pointless polishing here.
2018-01-18 10:55:44 +00:00
Jim Hague 00c17dca14 Add to certificate time conversion to cope with pre-1.0.2 OpenSSL. Also tag printed time with UTC.
The time parse with pre-1.0.2 is a best effort, and relies on timegm() to convert struct tm in UTC to time_t. There being no attractive alternative. Isn't C time handling grotty?
2018-01-17 18:38:28 +00:00
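The two commits above (Julian-day differencing, and the struct tm/timegm() route it replaced) describe doing certificate-date arithmetic without timegm(). Here is that technique as an added example in Python, not the getdns_server_mon code: it parses the Zulu UTCTime and GeneralizedTime forms found in certificate validity fields (applying RFC 5280's two-digit-year pivot), converts the date with the Fliegel and Van Flandern formula, and returns the difference as (days, seconds) with the same-sign convention ASN1_TIME_diff() uses. The notAfter value in the usage line is constructed.

```python
"""ASN.1 time handling without timegm(): parse UTCTime/GeneralizedTime, convert
the date to a Julian Day Number, and difference two times the way
ASN1_TIME_diff() reports it (days and seconds, same sign).

Added illustration of the two commits above, not getdns_server_mon code.  Only
the Zulu forms OpenSSL emits for certificate validity ("YYMMDDHHMMSSZ" and
"YYYYMMDDHHMMSSZ") are accepted; anything else is rejected.
"""
from typing import Tuple

SECONDS_PER_DAY = 86400
UNIX_EPOCH_JDN = 2440588            # Julian Day Number of 1970-01-01


def parse_asn1_time(s: str) -> Tuple[int, int, int, int, int, int]:
    """Return (year, month, day, hour, minute, second) for a Zulu ASN.1 time."""
    if not s.endswith("Z") or not s[:-1].isdigit():
        raise ValueError(f"unsupported ASN.1 time: {s!r}")
    digits = s[:-1]
    if len(digits) == 12:                          # UTCTime: two-digit year, RFC 5280 pivot
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:                        # GeneralizedTime: four-digit year
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError(f"unsupported ASN.1 time: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    if not (1 <= month <= 12 and 1 <= day <= 31 and hour < 24 and minute < 60 and second < 60):
        raise ValueError(f"out-of-range field in ASN.1 time: {s!r}")
    return year, month, day, hour, minute, second


def julian_day_number(year: int, month: int, day: int) -> int:
    """Proleptic Gregorian date -> Julian Day Number (Fliegel & Van Flandern)."""
    a = (14 - month) // 12
    y = year + 4800 - a
    m = month + 12 * a - 3
    return day + (153 * m + 2) // 5 + 365 * y + y // 4 - y // 100 + y // 400 - 32045


def to_seconds(s: str) -> int:
    """Seconds since the Unix epoch, computed from the JDN rather than timegm()."""
    year, month, day, hour, minute, second = parse_asn1_time(s)
    days = julian_day_number(year, month, day) - UNIX_EPOCH_JDN
    return days * SECONDS_PER_DAY + hour * 3600 + minute * 60 + second


def asn1_time_diff(frm: str, to: str) -> Tuple[int, int]:
    """(days, seconds) of `to` minus `frm`, both carrying the sign of the
    difference, matching ASN1_TIME_diff()'s convention."""
    total = to_seconds(to) - to_seconds(frm)
    sign = -1 if total < 0 else 1
    days = sign * (abs(total) // SECONDS_PER_DAY)
    return days, total - days * SECONDS_PER_DAY


if __name__ == "__main__":
    not_after = "20190115171313Z"                  # constructed notAfter value
    print("expires in (days, secs):", asn1_time_diff("181231235959Z", not_after))
```

Because everything is integer arithmetic on UTC fields, the result does not depend on the host's time zone or on whether the C library offers timegm(), which is the portability problem the commits were working around.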
Willem Toorop 155b035cd8 Forgot to surround yaml include with defines 2018-01-17 17:07:36 +01:00
Jim Hague 760269acbd Make internal types POSIX-compliant by not naming them *_t.
See: http://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xsh_chap02.html#tag_22_02_12_01

The change tacitly ignores the colossal number of coach and horses the entire world, including getdns, has stampeded through this POSIX hope for decades, but simply hopes for some small recognition when the Recording Angel tots up the damages.
2018-01-17 15:35:56 +00:00