431f86f414
Make tests aware of NODATA == NO_NAME change
2018-12-21 12:10:19 +01:00
5247fc8de4
Mention RESPSTATUS_NO_NAME change in Changelog
2018-12-21 11:44:04 +01:00
13e1e36ba3
RESPSTATUS_NO_NAME when no answers found
...
(so for NODATA answers too)
2018-12-21 11:28:00 +01:00
ff1cdce6f8
s/explicitely/explicitly/g
...
Thanks Andreas Schulze
2018-12-20 15:06:01 +01:00
65f4fbbc81
Make sure all connection deinits are only called if there is something to deinit.
2018-12-14 15:38:32 +00:00
c1bf12c8a2
Update default GnuTLS cipher suite priority string to one that gives the same ciphers as the OpenSSL version.
...
Also fix deinit segfault.
./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"
Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
$ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
2018-12-14 15:24:13 +00:00
79459f5d1d
Merge branch 'release/1.5.0' into develop
2018-12-14 16:05:27 +01:00
36cb9b0243
We also always publish sha1 over tarballs
2018-12-14 13:45:22 +01:00
232f655663
trust_anchor_backoff_time also when appdata dir is not writable
2018-12-14 13:42:43 +01:00
e9060792dc
Merge branch 'release/1.5.0' into develop
2018-12-14 10:45:57 +01:00
990372329c
typo
2018-12-13 15:26:13 +01:00
dc6bb0fa52
Something wrong with /etc/hosts?
2018-12-13 15:24:37 +01:00
eecc18703a
Issue found with static analysis
2018-12-13 15:24:27 +01:00
154f98e321
Update consts
2018-12-13 15:24:19 +01:00
93b7cb6a01
ZONEMD rr-type
2018-12-13 14:53:41 +01:00
a4590bafcb
Implement reading CAs from file or dir.
...
I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little diggiing shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
2018-12-13 13:33:54 +00:00
41f4940072
Log messages about trust anchor fetching and installing
2018-12-13 14:23:32 +01:00
e8f34d48fb
Adjust default cipher list so required authentication works with getdnsapi.
...
The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.
So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
2018-12-13 12:04:01 +00:00
2759d727e5
Minor speeling fix.
2018-12-13 11:54:41 +00:00
fa9d8885f0
Fix problems with GnuTLS pinset handling.
...
Pinset validation now seems to work.
2018-12-13 11:03:31 +00:00
91a3a3db36
More specific return codes, more logging
2018-12-12 16:12:07 +01:00
45be26642b
Fix dane query handling and verify error reporting.
...
Verify error is flags, not values. And deiniting a dane_query that is
NULL segfaults.
2018-12-12 15:01:07 +00:00
b51c7384e6
Implement _getdns_decode_base64() for GnuTLS.
...
Use primitives in libnettle.
2018-12-12 15:00:03 +00:00
0dec4a6f21
Correct format string, fixing type error in specifier.
...
I was wondering why the error output did appear.
2018-12-12 14:59:13 +00:00
35b4969216
Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string().
...
The only OpenSSL function is decoding Base64.
2018-12-11 18:03:00 +00:00
bf011d9294
Add GnuTLS DANE library to configure detection when using GnuTLS.
2018-12-11 18:02:03 +00:00
aa49a935c7
Fixed error detection in certificate verification.
2018-12-11 17:59:44 +00:00
ab69a9a7da
Merge branch 'feature/abstract-tls' of https://github.com/banburybill/getdns into feature/abstract-tls
2018-12-11 15:01:44 +00:00
0a9f155cc9
Merge pull request #4 from wtoorop/feature/abstract-tls-willem
...
Enable ed25519, ecdsa and cookies with gnutls/libnettle
2018-12-11 15:01:12 +00:00
2c6ec5e0be
Implement setting up pinset for DANE. Verification to come.
2018-12-11 14:59:21 +00:00
ab700e70fe
DNS Cookies with libnettle too
2018-12-11 15:13:17 +01:00
a6ab7ffe41
ed25519 and ecdsa support with libnettle
2018-12-11 15:05:09 +01:00
ff7ffc246c
Rename TLS Interface DANE init to pinset init. That's what it's actually used for.
2018-12-11 12:46:05 +00:00
1acd880f26
Correct error return value from stub.
2018-12-07 17:56:12 +00:00
fee864c25c
Implement setting cipher/curve lists.
...
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
2018-12-07 16:55:17 +00:00
bb99321e57
More constness for issue #410
2018-12-07 16:34:03 +01:00
8a7226baee
Move from debugging to logging for
...
- upstream_stats & stub system
2018-12-07 14:02:17 +01:00
bdfdd99645
Anticipate different openssl versions
2018-12-07 14:00:47 +01:00
511dfc75ef
Implement _getdns_tls_context_set_min_proto_1_2().
...
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
2018-12-07 11:11:33 +00:00
64f0d6aaa8
Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify().
...
I managed to mislead myself about what it did, which suggests the name should be clearer.
2018-12-07 11:09:20 +00:00
b0c057e8ae
Update dependencies for GnuTLS.
...
In practice a 'make depend' is required before building with either OpenSSL or GnuTLS.
2018-12-06 16:35:43 +00:00
46c49cbcfe
Modify getdns_server_mon to use GnuTLS or OpenSSL.
...
Untested.
2018-12-06 16:32:20 +00:00
72d9b91a2e
Extract non-OpenSSL specific code from pubkey-pinning.c, and move it back to common source.
...
OpenSSL-specific items are in pubkey-pinning-internal.c.
2018-12-06 14:09:30 +00:00
e73ab48687
Extract non-OpenSSL specific code from anchor.c, and move it back to common source.
...
OpenSSL-specific items are in anchor-internal.c.
2018-12-06 14:07:32 +00:00
91764fb6b0
Correct checking of connection validation result.
2018-12-06 11:04:00 +00:00
c6dffa1239
Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.
...
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.
GnuTLS uses Nettle itself, so this is not adding a new dependency.
2018-12-06 10:41:58 +00:00
b2312aee12
Implement hostname authentication.
2018-12-05 17:20:28 +00:00
f64aa8703d
First pass at a mostly stubbed GnuTLS implementation.
...
This works enough to do a TLS lookup.
2018-12-05 11:25:32 +00:00
46f0b06f24
Start release processes for getdns-1.5.0
2018-12-04 14:17:20 +01:00
c80aa72725
ED25519 & ED448 support
2018-12-03 15:35:03 +01:00
Willem Toorop
Jim Hague
Jim Hague