Jim Hague
91764fb6b0
Correct checking of connection validation result.
2018-12-06 11:04:00 +00:00
Jim Hague
c6dffa1239
Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.
...
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.
GnuTLS uses Nettle itself, so this is not adding a new dependency.
2018-12-06 10:41:58 +00:00
Jim Hague
b2312aee12
Implement hostname authentication.
2018-12-05 17:20:28 +00:00
Jim Hague
f64aa8703d
First pass at a mostly stubbed GnuTLS implementation.
...
This works enough to do a TLS lookup.
2018-12-05 11:25:32 +00:00
Willem Toorop
c80aa72725
ED25519 & ED448 support
2018-12-03 15:35:03 +01:00
Willem Toorop
ea55b12a08
getdns_query for addresses with qname but no qtype
2018-12-03 14:52:58 +01:00
Willem Toorop
30a3a6b026
Longer timeout for recursing_6 test
2018-12-03 14:33:56 +01:00
Willem Toorop
390e383a1a
ED25519 & ED448 DNSSEC validation support
2018-12-03 14:33:21 +01:00
Willem Toorop
6d066f95f9
Merge branch 'features/trust_anchors_backoff_time' into develop
2018-12-03 12:51:00 +01:00
Willem Toorop
4b688443f4
Sync with unbound
2018-12-03 12:50:37 +01:00
Willem Toorop
a1692359f3
RFE #408 : Retry fetching of TA after backoff time
2018-12-03 12:27:31 +01:00
Willem Toorop
1e7da76901
Bugfix getdnsapi/stubby#140 fallback on getentropy failure
2018-11-30 14:50:06 +01:00
Willem Toorop
c1f51815ba
RFE #408 : "dnssec" extension requiring DNSSEC
...
When this extension is set, GETDNS_DNSSEC_INDETERMINATE status will no
longer be returned.
2018-11-30 14:20:12 +01:00
Jim Hague
153e766edf
tls.h uses struct mem_funcs in types-internal.h.
2018-11-27 18:04:14 +00:00
Jim Hague
c4a3f75844
Correct make depend generation for TLS directory.
2018-11-27 18:03:27 +00:00
Jim Hague
e60d852637
Common OpenSSL digester selection.
2018-11-27 16:55:33 +00:00
Willem Toorop
e3b007a43a
Issue #410 : Document ownership with getdns_context_get_api_information()
...
+ const for extensions and namespaces
TODO: Look at other cases that are not const for no good reason.
Thanks Stefan Bühler
2018-11-27 16:59:47 +01:00
Jim Hague
c101a7a021
Abstract context DANE initialisation.
2018-11-27 15:41:23 +00:00
Jim Hague
26bcddd029
Abstract cookie SHA256 calculation.
2018-11-27 15:31:33 +00:00
Jim Hague
af962228fc
Abstract maximum digest length.
2018-11-27 15:31:05 +00:00
Jim Hague
0cdede21df
Abstract SHA1 calculation.
2018-11-27 15:29:48 +00:00
Jim Hague
5e390a4b23
Revise all TLS interfaces to pass in GetDNS memory functions where necessary.
...
This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c.
2018-11-27 14:41:46 +00:00
Jim Hague
bc3106af94
Abstract out HMAC functions in request-internal.c.
2018-11-27 11:49:12 +00:00
Jim Hague
4ec93a3df0
Add Doxygen for remaining tls.h functions.
2018-11-26 11:32:18 +00:00
Jim Hague
27a7e4e28f
Attempt minimal autoconf changes to use GnuTLS instead of OpenSSL.
...
I could waste the rest of the available time trying to turn configure.ac into something that cleanly ignores OpenSSL, uses GnuTLS instead and retains all the options. Or even better scrap the whole autoconf mess and start again.
But in the interests of prototyping, do something quick and dirty. This means GnuTLS must for now be configured thus:
$ CFLAGS="-g" ../configure --enable-stub-only --with-gnutls --disable-gost --disable-ecdsa --disable-edns-cookies
to evade other items with hardcoded OpenSSL checks in them.
2018-11-23 17:49:06 +00:00
Jim Hague
2267863a53
Attempt to improve the preprocessor horror that is util/val_secalgo.h.
...
Convert the main util/val_secalgo.h to a plain interface. Move the preprocessor redefines into validator/val_secalgo.h, and move THAT under openssl, because it is OpenSSL implementation specific at present - you can compile with NSS and Nettle if config allows.
2018-11-23 16:28:55 +00:00
Willem Toorop
2d76a5fd52
We had complaints for serving the root, so..
...
TCP only full recursion test now starting from K-root
(because other roots are unreliable TCP-wise)
2018-11-22 12:16:19 +01:00
Willem Toorop
b90ba236ae
tls_ciphersuites, tls_cipher_list, tls_curve_list,
...
tls_min_version & tls_max_version settings must cause
failure when not supported by the TLS library. Not during
configure time, but during connection setup so it doesn't
hamper alternative transports.
2018-11-22 11:37:28 +01:00
Willem Toorop
6b10570842
DNSSEC bugfix found with static analysis
...
* Fix for DNSSEC bug in finding most specific key when
trust anchor proves non-existence of one of the labels
along the authentication chain other than the non-existence
of a DS record on a zonecut.
2018-11-22 10:21:48 +01:00
Willem Toorop
4ff9816e39
google now supports DoT
2018-11-21 17:00:03 +01:00
Willem Toorop
73868643d2
Fix compile warnings
2018-11-21 16:07:47 +01:00
Willem Toorop
1904ee7318
Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130
...
Configurable TLS version
2018-11-21 15:02:28 +01:00
Jim Hague
4f67491971
Remove unnecessary OpenSSL include in dnssec.c.
2018-11-20 17:36:56 +00:00
Jim Hague
05f9d30e89
Move anchor.c to under openssl.
2018-11-20 16:57:48 +00:00
Jim Hague
f3e0f2b9e6
Split OpenSSL specific bits of keyraw.hc into keyraw-internal.hc.
...
All usage is internal to val_secalgo.c, which is already in openssl.
2018-11-20 16:51:17 +00:00
Jim Hague
da94b52f74
Move val_secalgo.c to openssl.
...
It contains ports other than OpenSSL (NSS and NETTLE), but we're not worrying about those for our purposes at present.
2018-11-20 16:21:06 +00:00
Jim Hague
4eb845bc58
Move internal-only functions from public pubkey-pinning interface.
...
The interface now only exposes functions used by the main getdns code.
2018-11-20 15:55:34 +00:00
Jim Hague
ff9cde2087
Remove SSL type from pubkey-pinning interface.
2018-11-20 15:49:26 +00:00
Jim Hague
756eda96d8
Remove ssl_dane dir from dependency generation search.
2018-11-20 15:47:56 +00:00
Willem Toorop
6a5e96d4e1
tls_ciphersuites + bugfix in strdup2!!
2018-11-20 16:13:57 +01:00
Jim Hague
52421be5f4
Correct error checking result of _getdns_tls_context_set_ca().
2018-11-20 15:12:10 +00:00
Jim Hague
1b0a09a23f
Wrap hostname/certificate verification.
...
This removes the last OpenSSL items from stub.c.
2018-11-20 14:53:31 +00:00
Jim Hague
fb73bcb77e
Correct return value error from _getdns_tls_connection_(read|write)().
2018-11-20 12:43:17 +00:00
Jim Hague
2e8c48544b
Move pubkey-pinning implementation under openssl/.
2018-11-19 13:55:02 +00:00
Jim Hague
aba0e2fb4c
Move non-TLS-library specific parts of tls.h to ~/src/tls.h and have it include lib-specific tls-internal.h.
...
Update dependencies.
2018-11-19 09:49:54 +00:00
Jim Hague
5d353d9efb
To aid proof-of-concept work, insist on OpenSSL 1.1.1 or later.
...
Remove ssl_dane as now surplus to requirements.
2018-11-16 17:58:29 +00:00
Jim Hague
0fd6fd4c5c
Replace (one instance of) SSL_get_peer_certificate().
2018-11-16 17:09:26 +00:00
Jim Hague
4b8c9d1bd7
Replace SSL_get_version().
2018-11-15 17:53:37 +00:00
Jim Hague
09019bee75
Replace SSL_write().
2018-11-15 17:53:29 +00:00
Jim Hague
e7453522d5
Replace SSL_read().
2018-11-15 17:51:52 +00:00
Jim Hague
e22c01e212
tls_do_handshake: move handshake and check for new session into abstraction layer.
2018-11-15 14:28:04 +00:00
Jim Hague
ffd1136e94
tls_create_object(): Move setting client state and auto-retry into connection_new and add setting connection session.
2018-11-15 13:23:00 +00:00
Jim Hague
d9fdd4c10d
Abstracting TLS; let's start with context only.
...
Change data types in context.h and fix up context.c. Do minimal fixups to stub.c.
2018-11-15 11:01:13 +00:00
Willem Toorop
12589d85c2
Wild guess at OpenSSL without engine support
2018-06-12 17:00:45 +02:00
Willem Toorop
9b4e8e9e91
X509_get_notAfter not in OpenSSL 1.1.1 anymore
2018-06-12 16:37:46 +02:00
Willem Toorop
884f6ddc5e
DS is always a delegation and never at the apex
2018-06-10 16:57:40 +02:00
Willem Toorop
25231aa686
Fix finding signer of NSEC and NSEC3s
...
Thanks Philip Homburg
2018-06-08 21:39:59 +02:00
Willem Toorop
000fa94ae2
Sync ldns & utils with unbound
2018-05-22 12:44:13 +02:00
Willem Toorop
799bd2f6b1
Bugfix #399 : Reinclude <linux/sysctl.h> in getentropy_linux.c
2018-05-15 08:11:55 +02:00
Willem Toorop
e481273ff4
Last minute update
2018-05-11 13:20:08 +02:00
wtoorop
0510fb00d3
Merge pull request #397 from ehmry/tcp_sendto
...
No TCP sendto without TCP_FASTOPEN
2018-05-11 12:04:49 +01:00
wtoorop
7fe45a7012
Merge pull request #396 from saradickinson/bugfix/windows_certs
...
Temporary fix for https://github.com/getdnsapi/stubby/issues/87 . Dete…
2018-05-11 11:51:33 +01:00
Willem Toorop
6c99e7b8a6
Bugfix getdnsapi/stubby#106 : Core dump when ...
...
printing certain configuration. Thanks Han Vinke
2018-05-11 11:28:52 +02:00
Willem Toorop
98b1ff624a
Memory loss with empty string bindata's
2018-05-11 11:23:19 +02:00
Emery Hemingway
a6ec2b2449
No TCP sendto without TCP_FASTOPEN
2018-05-08 14:58:17 +02:00
Willem Toorop
7331717990
Fix for Fallback to current (working) directory (for appdata_dir).
2018-05-04 15:30:27 +02:00
Willem Toorop
99bfe4a287
Fallback to current (working) directory (for appdata_dir).
...
To improve integration with system and service managers like systemd
See also getdnsapi/stubby#106
2018-05-04 10:40:49 +02:00
Willem Toorop
3c355d425b
Warnings are errors :(
2018-05-03 12:15:48 +02:00
Willem Toorop
101d602739
Travis output showed it was a bracket issue
2018-05-03 11:48:07 +02:00
Willem Toorop
de7f007bf3
Without dl_iterate_phdr for now...
2018-05-03 11:40:44 +02:00
Willem Toorop
f5c588c955
Need _GNU_SOURCE before config.h
2018-05-03 11:30:28 +02:00
Willem Toorop
f0f101511b
_GNU_SOURCE needed for struct dl_phdr_info from link.h
2018-05-03 11:21:11 +02:00
Willem Toorop
4f050facc3
Bugfix #394 : Update src/compat/getentropy_linux.c
...
in order to handle ENOSYS (not implemented) fallback.
Thanks Brent Blood
2018-05-02 14:32:12 +02:00
Willem Toorop
9c01968048
DS and DNSKEY lookups for tld and sld immediately
...
Resolves issue getdnsapi/stubby#99
2018-05-01 17:07:16 +02:00
Willem Toorop
7fecf5a93d
Allow NSEC spans starting from (unexpanded) wildcards
2018-05-01 13:19:24 +02:00
Willem Toorop
a834d32718
Fix negative reversed IPv4 test
...
which assumes 1.1.1.1.in-addr.arpa does not exist
2018-04-23 14:05:02 +02:00
Willem Toorop
1b5b0ca799
Force trailing '\0' with string config settings
...
Because even though it is added when parsing from JSON, it will be lost when the bindata is copied into a dict with getdns_dict_set_bindata.
2018-04-23 15:11:20 +02:00
saradickinson
ced112ca74
Temporary fix for https://github.com/getdnsapi/stubby/issues/87 . Detect and ignore duplicate certs in the root store.
2018-04-05 18:35:07 +01:00
Willem Toorop
7548b095bc
Doxygen fixes
2018-03-05 16:12:49 +01:00
Willem Toorop
8a2fc5f5a9
max_udp_backoff should not be public
...
At least, not with this point release
2018-03-05 12:42:27 +01:00
Robert Groenenberg
eec6ec29dd
[UDP] try upstreams in round-robin fashion when all upstreams have failed
2018-03-05 12:03:20 +01:00
Robert Groenenberg
f787c87137
Reset back_off on successful query
2018-03-05 12:02:01 +01:00
Robert Groenenberg
a0fb2c8424
Limit back_off value to avoid very long retry interval
2018-03-05 12:01:52 +01:00
Willem Toorop
fd5e0cdc02
Merge branch 'bugfix/388-endless-fallback-loop' into release/1.4.1
2018-03-05 11:52:36 +01:00
Willem Toorop
e93b583a26
Merge branch 'devel/dnssec_issues' into release/1.4.1
2018-03-05 11:41:55 +01:00
Willem Toorop
0ff1839a6f
Upstream reset on searchpath retry
2018-03-02 23:31:33 +01:00
Willem Toorop
b178f94505
Don't retry an already tried upstream
2018-03-02 15:56:00 +01:00
Willem Toorop
e29cfb6b6a
Query for DS i.s.o. SOA to find zonecuts
...
Because of broken setups that have zonecuts without SOA:
```
$ drill -T www.gslb.kpn.com A
. 518400 IN NS i.root-servers.net.
com. 172800 IN NS a.gtld-servers.net.
kpn.com. 172800 IN NS ns1.kpn.net.
kpn.com. 172800 IN NS ns2.kpn.net.
gslb.kpn.com. 3600 IN NS gss1.kpn.com.
gslb.kpn.com. 3600 IN NS gss2.kpn.com.
www.gslb.kpn.com. 10 IN A 145.7.170.135
```
but
```
$ drill gslb.kpn.com SOA
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 48303
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; gslb.kpn.com. IN SOA
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 8 msec
;; SERVER: 185.49.140.100
;; WHEN: Fri Mar 2 14:13:21 2018
;; MSG SIZE rcvd: 30
```
2018-03-02 14:14:28 +01:00
Willem Toorop
abc69f96fe
Follow unsigned SOA's as insecure zonecut indication
...
Should resolve issue #385
2018-03-02 11:15:45 +01:00
Daniel Kahn Gillmor
9301f8970c
Fix minor spelling and formatting.
...
These issues were found with the codespell tool.
2018-02-23 14:12:11 -08:00
Willem Toorop
e705109f22
Fix tpkg dependencies
2018-02-22 15:02:11 +01:00
Willem Toorop
75297b17ae
Fixes from running servers with valgrind
2018-02-22 14:45:56 +01:00
Willem Toorop
65e610f26e
Unit test maintenance, to:
...
- remove obsolete tests
- test better for parallel installs
- run custom servers through valgrind
2018-02-22 14:44:13 +01:00
Willem Toorop
6325dae563
Run localhost unit tests on local localhost address
2018-02-21 13:40:19 +01:00
Willem Toorop
a150c6d927
implied source ($<) not defined in explicit rules
2018-02-21 12:17:51 +01:00
Willem Toorop
f2c531265b
libidns2 doesn't detect locale that well...
2018-02-13 16:58:12 +01:00
Willem Toorop
9999907593
update Stubby + other dist tarball fixes
2018-02-13 15:05:29 +01:00
Willem Toorop
223e85bc02
Merge branch 'features/tls_curves_list' into release/1.4.0
2018-02-12 16:04:49 +01:00
Willem Toorop
0c3b6fb2f6
Symbols & constants
2018-02-12 15:57:28 +01:00
Willem Toorop
1ebd54a1de
Utils from unbound update
2018-02-12 15:54:43 +01:00
Willem Toorop
31e5cd5ab6
sldns update
2018-02-12 15:54:01 +01:00
Willem Toorop
9a4e389946
Better #ifdef select when to use X509_check_host
2018-02-12 15:46:42 +01:00
Willem Toorop
401aa2e3b8
Specify the supported curves with TLS
2018-02-12 15:40:17 +01:00
Willem Toorop
c3e4061fe2
hostname auth with libressl
2018-02-09 15:18:44 +01:00
Willem Toorop
b914b63e18
Merge branch 'feature/monitor-tool' into release/1.4.0
2018-02-08 14:06:40 +01:00
Willem Toorop
c033e3f1a3
Merge branch 'libressl' into release/1.4.0
2018-02-08 14:04:02 +01:00
Jim Hague
088d775117
In Keepalive test, send the maximum possible timeout value to the server.
...
The response will then show the server's value.
2018-02-08 12:35:45 +00:00
Willem Toorop
f7278ca696
Make getdns_server_mon work with libressl
2018-02-08 12:38:50 +01:00
Willem Toorop
bf1f01c87e
Syntactic mod to minimizing changes with before PR
...
So changes are highlighted in side-by-side views.
2018-02-08 12:02:48 +01:00
Willem Toorop
7af885396f
Merge branch 'release/1.4.0' into release/1.4.0-merge-PR-377
2018-02-08 11:46:28 +01:00
Willem Toorop
87fec7f9b4
Merge branch 'feature/monitor-tool' into release/1.4.0
2018-02-07 17:11:28 +01:00
Willem Toorop
a72359e058
Comply to new style transport logging
2018-02-07 17:08:55 +01:00
Willem Toorop
7d4ccabc7f
Merge branch 'bugfix/opportunistic_fallabck' into release/1.4.0-merge-PR-377
2018-02-07 17:00:25 +01:00
Willem Toorop
0eba73a945
LibreSSL like OpenSSL < 1.0.2
2018-02-07 16:42:11 +01:00
Willem Toorop
c28a293c9f
"Pinset validation failure" error when it occurred
2018-02-07 14:38:31 +01:00
Willem Toorop
9c5a93bbdf
Merge branch 'develop' into devel/spki_pinset_via_tlsa_checking
2018-02-07 14:12:24 +01:00
Willem Toorop
e944203e55
Merge branch 'develop' of github.com:getdnsapi/getdns into develop
2018-02-07 13:50:53 +01:00
Willem Toorop
82c00eb0a5
version.bind CH TXT for getdns_query
2018-02-07 13:50:29 +01:00
Jim Hague
13d7a730ee
Further mitigate cache effects for OOOR by adding random label to delay lookup.
...
It turns out that delay.getdnsapi.net only pays attention to the left-most label.
2018-02-07 12:41:24 +00:00
Jim Hague
a25f832d8a
Remove timeout argument from keepalive test.
...
The client doesn't send a timeout value to the server, so there's no point having this argument.
2018-02-01 16:04:22 +00:00
Willem Toorop
ec8b8ba903
One more fixing the fixes fix that slipped through
2018-01-31 14:41:13 +01:00
Willem Toorop
9bc98272a1
Fixing the fixes
2018-01-31 14:33:31 +01:00
Willem Toorop
97b056c355
Prevent erred TCP connection to be rescheduled ...
...
for reading (or writing) when a reply comes in.
Thanks Maddie!
2018-01-30 15:21:46 +01:00
Willem Toorop
1f401f7253
Do not return freed netreqs!
2018-01-30 12:40:47 +01:00
Willem Toorop
2e03d3799c
Memory leak on some TLS creation error cases
2018-01-30 12:23:23 +01:00
Jim Hague
3b5657e580
Reduce delay on OOOR delayed lookup.
...
A delay of 1000ms was causing frequent lookup timeouts e.g. on 9.9.9.9. We hypothesise that the delay causes an internal timeout in the server to fire. So reduce the delay to a smaller value that seems to leave the test working but reduces the incidence of timeouts.
We observe this still leaves timeouts on TLS connections to 9.9.9.9. These seem to occur only on TLS connections, and reducing the delay much further does not alter the observed behaviour. We guess there is something else going on there.
2018-01-29 10:17:54 +00:00
Sara Dickinson
7e3439efbc
Improve handling of opportunistic back-off. If other transports are working, don’t forcibly promote failed upstreams; just wait for the re-try timer.
...
Clean up logs.
2018-01-24 13:13:14 +00:00
Willem Toorop
4f37d2b933
No wildcard expansions allowed for RRs used in DNSSEC proofs
...
Signatures of DNSKEYs, DSs, NSECs and NSEC3s can not be wildcard expansions when used with DNSSEC proofs.
Only direct queries for those types are allowed to be wildcard expansions.
This in response to https://unbound.net/downloads/CVE-2017-15105.txt , although getdns was not vulnerable for this specific issue.
2018-01-23 16:50:05 +01:00
Jim Hague
037f6039c8
Improve AsciiDoc table formatting.
2018-01-23 13:53:08 +00:00
Jim Hague
01ea1d6a22
Note TLS 1.3 is experimental. At least until we find a stable test server.
2018-01-23 13:47:31 +00:00
Jim Hague
b0661b9d9f
Add a tool README.
...
Use AsciiDoc for this, as the GitHub table support in Markdown is woeful. But AsciiDoc is always better than Markdown anyway.
2018-01-23 13:45:55 +00:00
Jim Hague
8ba53f10b6
Correct RTT warning and critical default thresholds.
2018-01-23 13:45:09 +00:00
Jim Hague
fcaa4f9845
Reflow usage message entry.
2018-01-23 12:37:14 +00:00
Jim Hague
f3b2f83879
More output tittivating. Make verbose by default in non-monitoring mode.
2018-01-23 12:14:40 +00:00
Jim Hague
a4f17760ab
Revise rcode_text() to get text from getdns, and add rrtype_text().
2018-01-23 12:13:59 +00:00
Jim Hague
7e884e2cd0
Rename concurrent to OOOR (Out Of Order Responses).
2018-01-23 11:30:12 +00:00
Jim Hague
bedd3a02cf
Revise concurrency test to use <n>.delay.getdnsapi.net.
...
This gives more secure results than the previous method.
2018-01-22 17:39:25 +00:00
Jim Hague
1e774a95f5
Don't rely on GCC extensions.
2018-01-22 16:49:53 +00:00
Jim Hague
8c3047dbe0
Add 'concurrent' test
...
The concurrent test works by sending a known good query synchronously,
and then sending asynchronous queries for three random TLDs followed by
the known good query. The latter should be answerable from cache, and so
give a result before at least one of the random TLDs.
2018-01-22 16:49:53 +00:00
Willem Toorop
d38f233a80
Track readbuf free's
...
As tcp_connection_destroy() might be called more than once per connection (depending on outstanding work)
2018-01-22 16:56:48 +01:00
Jim Hague
f9e4c9f853
Revise output.
...
If in monitoring mode, make output conform to Nagios norms. This starts with the probe type and result, so we need to save output generated during the operation and print it at the end.
If not in monitoring mode, make the formatting more expansive.
2018-01-22 14:36:54 +00:00
Jim Hague
0291e205fd
Add TLS 1.3 test.
...
Add a new item tls_version to call_reporting, containing the OpenSSL version string for the name of the protocol used for the connection.
The test does a normal lookup, but first sets the cipher list to TLS1.3 only ciphers. This will cause a Bad Context error at search time, so we can tell if the underlying OpenSSL library lacks TLS 1.3. Then check the call reporting for a TLS version of "TLSv1.3".
2018-01-19 15:56:40 +00:00
Jim Hague
62ad159f15
Update dnssec-validate. Check we can retrieve info for bogus domain, and remove must use TCP flag.
...
Run a second query with the CD bit set and check that succeeds.
2018-01-19 14:51:46 +00:00
Jim Hague
3fd4f7f240
Add 'dnssec-validate' test.
...
This test checks whether the server does DNSSEC validation. If it manages to find an A record for dnssec-failed.org, it doesn't.
2018-01-19 14:51:46 +00:00
Jim Hague
1a3025a405
If server does not return expected TXT in qname-min, return UNKNOWN not WARNING.
2018-01-18 17:17:16 +00:00
Jim Hague
ea035fa82e
Correct some code formatting.
2018-01-18 17:16:28 +00:00
Jim Hague
add818fea2
Remove dependency on timegm() when using OpenSSL < 1.0.2.
...
Convert dates to Julian and diff. This is basically what ASN1_TIME_diff() does internally.
And that's quite enough near-pointless polishing here.
2018-01-18 10:55:44 +00:00
Jim Hague
00c17dca14
Add to certificate time conversion to cope with pre-1.0.2 OpenSSL. Also tag printed time with UTC.
...
The time parse with pre-1.0.2 is a best effort, and relies on timegm() to convert struct tm in UTC to time_t. There being attractive alternative. Isn't C time handling grotty?
2018-01-17 18:38:28 +00:00
Willem Toorop
155b035cd8
Forgot to surround yaml include with defines
2018-01-17 17:07:36 +01:00
Jim Hague
760269acbd
Make internal types POSIX-compliant by not naming them *_t.
...
See: http://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xsh_chap02.html#tag_22_02_12_01
The change tacitly ignores the colossal number of coach and horses the entire world, including getdns, has stampeded through this POSIX hope for decades, but simply hopes for some small recognition when the Recording Angel tots up the damages.
2018-01-17 15:35:56 +00:00
Jim Hague
6bd0f8b980
Encode exit status words in () to make it clear that it's not part of the sentence.
...
'Server validates OK' -> 'Server validates (OK)'
2018-01-17 15:24:17 +00:00
Jim Hague
3666d994a7
Add 'keepalive' test and supporting changes to getdns library.
...
Checking for server support for keepalive means we need to know if the server did send a keepalive option to the client. This information is not currently exposed in getdns, so add a flag 'server_keepalive_received' to call_reporting. This is 0 if not received, 1 if received. If received, the actual timeout is in 'idle timeout in ms', though watch out for the overflow alternative.
2018-01-17 15:17:20 +00:00
Jim Hague
a4ff6de985
Add 'tls-padding' test.
2018-01-16 12:59:03 +00:00
Jim Hague
fdafb458ef
Decide we don't want return_both_v4_and_v6 on queries.
2018-01-16 12:19:33 +00:00
Jim Hague
b8424e494d
Fix up some small usage typos, and don't report result if issuing test usage message.
2018-01-16 11:05:16 +00:00
Jim Hague
5ea0edf262
Update usage.
2018-01-15 17:42:57 +00:00
Jim Hague
8dc3a84735
Add options specifying transport.
2018-01-15 17:42:43 +00:00
Jim Hague
3438c68591
Prefix TLS-only options with 'tls-'.
2018-01-15 13:26:09 +00:00
Jim Hague
08b5976f9c
Decouple from getdns config. This is now a pure getdns client.
2018-01-15 13:19:48 +00:00
Jim Hague
3298b5cd50
Extract common processing into search_check() and parse_search_check().
2018-01-15 12:37:57 +00:00
Jim Hague
cb7af33488
Some tests imply TLS. Explicitly make sure these always go over TLS.
2018-01-15 11:28:11 +00:00
Jim Hague
77a5a15cdf
Minor output corrections.
2018-01-15 11:02:14 +00:00
Jim Hague
22996bf07d
If TLS auth name given, lookup is to go over TLS.
2018-01-15 11:00:12 +00:00
Jim Hague
c0d7d2c279
Print exit status at end of main output line.
2018-01-15 10:27:10 +00:00
Jim Hague
5d4bc8bc96
Add rtt test.
2018-01-15 10:16:26 +00:00
Jim Hague
b9312e790f
Correct certificate expiry custom threshold handling.
2018-01-15 10:01:01 +00:00
Jim Hague
3258fdfd5a
Tabs? Spaces? Currently both, switch to spaces only.
2018-01-14 23:28:55 +00:00
Jim Hague
379662a3f3
Add plain lookup test.
2018-01-14 13:41:44 +00:00
Jim Hague
60118e9241
Improve cert-valid argument order to most likely first.
2018-01-13 14:56:55 +00:00
Jim Hague
e7618321ce
Add cert-valid test.
2018-01-12 18:21:38 +00:00
Jim Hague
e597daa4c0
Add 'auth' test.
2018-01-12 17:23:42 +00:00
Jim Hague
305daab9aa
Add first version of getdns_server_mon.
...
Currently only QNAME minimisation check is working.
2018-01-12 16:11:48 +00:00
Norbert Copones
0fa6d1fe2d
src/stub.c: LibreSSL has hostname verification turned on by default
2018-01-12 05:44:27 +08:00
Willem Toorop
d44237554d
No warnings from danessl allowed
2018-01-11 12:40:01 +01:00
Willem Toorop
dd433ede68
Merge branch 'develop' into devel/spki_pinset_via_tlsa_checking
2018-01-10 14:36:43 +01:00
Willem Toorop
a746ea5e08
Dependencies
2018-01-10 14:36:33 +01:00
Willem Toorop
6b4446c7cd
Suppress compiler warnings in danessl library
2018-01-10 14:34:25 +01:00
Willem Toorop
712617e568
Dead assignment (without stub debugging)
2018-01-10 13:54:18 +01:00
Willem Toorop
7c5bdd5431
Use danessl submodule when OpenSSL version between 1.0.0 and 1.1.0
2018-01-10 12:47:14 +01:00
Willem Toorop
9e34588f19
logic error
2018-01-08 16:04:40 +01:00
Willem Toorop
546b75a9b1
libidn2 support. Thanks Paul Wouters
2018-01-08 12:54:48 +01:00
Willem Toorop
a1e5cc44a0
Add https://github.com/vdukhovni/ssl_dane submodule
2018-01-08 10:33:25 +01:00
Willem Toorop
608189710c
Log printing in getdns_query
2018-01-04 16:35:22 +01:00
Willem Toorop
2471f43dea
Less logging with successful authenticated upstreams
2018-01-04 16:15:50 +01:00
Willem Toorop
540735a956
Check pins with DANE functions when available
2018-01-04 15:58:09 +01:00
Willem Toorop
03d4950470
We need to set transport list before first query
...
(this needs to be reviewed...)
2017-12-21 16:49:19 +01:00
Willem Toorop
9aa1d067d2
Detect dnsmasq and skip the unit test that fails with it
...
This actually resolves issue #300
Thanks Tim Rühsen and Konomi Kitten
2017-12-21 16:21:10 +01:00
Willem Toorop
aa419a88d0
Skip some more truncation issues with dnsmasq
2017-12-21 16:01:48 +01:00
Willem Toorop
81ffa2f48d
Skip test that breaks with dnsmasq
...
when SKIP_DNSMASQ_ISSUE variable is set.
Helps out a little with issue #300
2017-12-21 15:45:58 +01:00
Willem Toorop
0ef910b9ee
read_buf's may remain on canceled tcp requests
2017-12-21 14:53:54 +01:00
Willem Toorop
97cc67d026
s/CApath/tls_ca_path/g s/CAfile/tls_ca_file/g
2017-12-21 13:08:01 +01:00
Willem Toorop
ae38a29a50
Upstream specific tls_cipher_list's
2017-12-21 12:30:15 +01:00
Willem Toorop
8f88981efe
rename set_cipher_list() to set_tls_cipher_list()
2017-12-21 11:35:05 +01:00
Willem Toorop
7fe3bd6a1f
getdns_context_set_ciphers_list()
2017-12-20 13:13:02 +01:00
Willem Toorop
274bc9bc4a
Merge branch 'develop' into release/1.2.2
2017-12-20 09:37:56 +01:00
Pascal Ernster
65c7a738eb
Add support for TLS 1.3 and Chacha20-Poly1305
...
Add support for TLS 1.3 (requires OpenSSL 1.1.1) and Chacha20-Poly1305 (requires OpenSSL 1.1).
Older OpenSSL versions will simply ignore ciphersuite specifications they don't understand and use the subset which they do understand.
Note that "EECDH" does *not* select anonymous cipher suites (as opposed to "kECDHE").
2017-12-15 20:01:30 +00:00
Sara Dickinson
00d3232ba4
Fix windows build
2017-12-15 16:53:23 +00:00
Willem Toorop
ac17d4ebed
We need a specific install location for tests builds ...
...
to not load default library
2017-12-14 11:53:15 +01:00
wtoorop
9c35fa1643
Merge pull request #364 from saradickinson/move_macos_script
...
Update makefile because a file in Stubby was moved
2017-12-13 16:35:32 +01:00
Willem Toorop
0615457dfa
Resolve constant conflict
2017-12-13 15:43:36 +01:00
Sara Dickinson
d232353f93
Update makefile because a file in Stubby was moved
2017-12-13 14:22:52 +00:00
Willem Toorop
2c66487635
Merge branch 'devel/dnssec_meta_queries' into release/1.2.2
2017-12-13 14:52:00 +01:00
Willem Toorop
5f1a2f8659
Merge branch 'features/CA_verify_locations' into release/1.2.2
2017-12-13 14:49:42 +01:00
Willem Toorop
a63e5edb86
trust-anchor meta queries need to be done opportunistic too
...
In anticipation of DANE authenticated upstreams
2017-12-13 12:58:24 +01:00
Willem Toorop
e691312a3f
Schedule DNSSEC meta queries against existing context
2017-12-13 12:50:03 +01:00
Willem Toorop
362d168380
no_dnssec_checking_disabled extension for internal use only
2017-12-13 12:36:02 +01:00
Willem Toorop
d5518bad67
Return which extensions are set
...
(for programs (Stubby) to know whether a context will do native dnssec validation or not)
2017-12-13 11:12:49 +01:00
Willem Toorop
da3f023d8f
set_CApath() and set_CAfile() for alt verify locs
2017-12-12 15:10:37 +01:00
Willem Toorop
96ed06c6a9
Initialize context with given resolv.conf and hosts files
...
- getdns_context_create with set_from_os set will simply call these
functions with the defaults
+ filechg_check is simplified somewhat (reducing memory management)
+ get OpenSSL version via get_api_information()
2017-12-12 12:24:31 +01:00
Willem Toorop
01197f10ff
Merge branch 'develop' into features/resolvconf
2017-11-29 15:25:50 +01:00
wtoorop
b105faad7d
Merge pull request #360 from getdnsapi/bugfix/private_ecs_with_family
...
Bugfix #359 : edns_client_subnet_private should set family
2017-11-28 16:59:37 +01:00
Willem Toorop
8c87028d77
Only get root-anchors.xml when BOGUS root dnskey...
...
did have signatures which did not validate
2017-11-28 16:58:12 +01:00
Willem Toorop
2a39b6e2e8
Handle the uninitialized memory error the brutal way
...
Because clang (or valgrind with clang) is just wrong here
2017-11-28 16:51:28 +01:00
Willem Toorop
72eb8628d0
Report on single unit tests too
2017-11-28 16:44:08 +01:00
Willem Toorop
543435d89d
Clang bitfield issue
2017-11-28 16:40:17 +01:00
Willem Toorop
025f1cdff3
set_from_os last to initialize ...
...
... because it is initialized with values from context itself!
I.e. context->tls_backoff_time, context->tls_connection_retries and context->log are used to initialize upstreams in upstreams_create() called from set_from_os
2017-11-28 16:04:23 +01:00
Willem Toorop
30e440d35c
Access of freed memory in stub DNSSEC cleanup code
...
Should fix the latest core dump reported in getdnsapi/stubby#34
2017-11-27 15:26:45 +01:00
Willem Toorop
323239be58
Scan valgrind logs for errors too
2017-11-27 15:02:32 +01:00
Willem Toorop
27847b9a0a
Initialize context->sys_ctxt!
2017-11-23 13:23:00 +01:00
Willem Toorop
6afb02b2f1
Bugfix #359 : edns_client_subnet_private should set family
...
Thanks Daniel Areiza
2017-11-23 13:20:42 +01:00
Willem Toorop
c3cdf496e3
Meta queries to upstreams from resolvconf setting
2017-11-23 12:48:48 +01:00
Willem Toorop
c0a3babe0a
Separate sys_ctxt for meta queries
2017-11-23 12:44:40 +01:00
Willem Toorop
3e16075563
Test getdns_context_create2 with getdns_query
2017-11-23 12:26:40 +01:00
Willem Toorop
ed6c7a6b58
getdns_context_create2 and family that set an ...
...
... alternative resolvconf file
2017-11-22 15:49:30 +01:00
Willem Toorop
a7a6240202
Set default resolvconf and hosts during configure
2017-11-22 15:01:38 +01:00
Willem Toorop
3a1cb30c28
BOGUS answer because unable to fetch root DNSKEY...
...
... should not cause segfault
2017-11-21 15:38:49 +01:00
Willem Toorop
8821c1c8cf
Merge branch 'release/1.2.1' into develop
2017-11-11 10:24:25 +08:00
Willem Toorop
260416a859
Ignore SIGPIPE signal (for not suddenly stopping)
2017-11-10 10:42:17 +01:00
Willem Toorop
6f20016889
default_trust_anchor_location in api_information
...
instead of trust_anchor_file
2017-11-10 10:35:41 +01:00
Sara Dickinson
26eb5b8969
Add DESTDIR to runstatedir creation path
2017-11-08 11:38:52 +00:00
wtoorop
168d83ac19
Merge pull request #353 from getdnsapi/devel/errno_handling
...
Handle more harmless I/O error cases +
2017-11-03 20:00:40 +01:00
Willem Toorop
439f41149b
Last rename + explicit EMFILE check replacement
2017-11-03 16:42:38 +01:00
Willem Toorop
9b019b8c6e
Check errno is not 0 before testing errors
2017-11-03 16:29:43 +01:00
Willem Toorop
4508ec77fb
Few more renames
2017-11-03 16:26:19 +01:00
Willem Toorop
3b7b83e309
Review comments from Jim
2017-11-03 15:41:31 +01:00
Willem Toorop
a8fac29a66
Handle more harmless I/O error cases +
...
- never exit on I/O errors
- never stop listening on I/O errors
- extended platform.[ch] with _getdns_strerror()
2017-11-03 13:50:13 +01:00
wtoorop
b683cc4870
Merge pull request #352 from saradickinson/bugfix/make_runstatedir
...
Make sure the runstatedir exists
2017-11-03 13:42:52 +01:00
Sara Dickinson
4b8ea64140
Make sure the runstatedir exists
2017-11-02 16:55:25 +00:00
Willem Toorop
2434336ead
Include all RRSIGs in validation chain
...
Because we don't know algorithm support of other validators.
But still canonicalize the RRset with the one used to validate just because we can.
2017-11-02 12:42:26 +01:00
Willem Toorop
7e103217c6
unsigned RRs in authority section with BIND
...
when +CD flag is used
2017-11-01 16:47:28 +01:00
Willem Toorop
270c3d654f
Support DNSSEC validation without support records
2017-11-01 15:28:46 +01:00
Willem Toorop
b4ae4b7121
Cannot fetch DNSKEY when in DNSKEY callback ...
...
for the same name in full recursion
2017-11-01 15:01:58 +01:00
Willem Toorop
4669956391
retry full recursion bogus answers only when...
...
dnssec validation was requested in the first place
2017-11-01 10:59:55 +01:00
Willem Toorop
09b4f6d57d
One more _getdns_perror
2017-10-31 16:22:09 +01:00
Willem Toorop
12272dda36
Merge branch 'develop' into devel/robustness
2017-10-20 16:10:35 +02:00
Willem Toorop
971d876c70
Dependencies
2017-10-20 15:59:42 +02:00
Willem Toorop
b2d32430f6
Merge branch 'develop' into features/mingw-win10-perror
2017-10-20 15:57:50 +02:00
Willem Toorop
fc073267f1
Dead assignment
2017-10-19 14:14:37 +02:00
Willem Toorop
f8e1ed78b8
Make upstream_reset static (and not shared between .c files)
2017-10-19 12:48:58 +02:00
Willem Toorop
5ce764ab70
Merge branch 'devel/robustness' into devel/robustness_bugfix
2017-10-19 12:37:53 +02:00