Sara Dickinson
c0187a19ea
Quick fix for TLS timeouts not re-using a connection. Better solution is needed.
...
Also minor fixes in getdns_query:
- spurious semicolon (caused build warning)
- build warning for initialised variable
- have getdns_query honour the CLASS in the incoming query
2016-06-15 17:15:13 +01:00
Willem Toorop
490aac1b48
Merge branch 'develop' into features/getdns_service
2016-06-08 10:21:29 +02:00
Willem Toorop
cf675a9284
Add srv_addresses when query was for SRV
...
Moved _getdns_rrset iterators to rr-iter.[ch] in the process
2016-06-07 16:52:10 +02:00
Willem Toorop
e01211d6b4
Debug setting that keeps connections open
2016-05-25 15:57:37 +02:00
Sara Dickinson
5f225d6be3
Add TLS session resumption
2016-05-16 17:41:55 +01:00
Willem Toorop
516f211843
Fire idle timeouts immediately with sync requests
2016-04-13 12:06:51 +02:00
Willem Toorop
57954ad41e
Small bugfix in checking complete requests async
2016-04-11 15:33:08 +02:00
Willem Toorop
da577a463d
set upstream loop to the sync loop for sync reqs
...
And reset to the async loop when sync request was finished, rescheduling the upstream->event.
Note that finished_event is scheduled against the async loop always.
2016-04-11 14:49:44 +02:00
Willem Toorop
e4b0d08fad
Minor bugfix for use with openssl 1.1.0
2016-04-05 13:15:59 -03:00
Willem Toorop
b0ecda5d2e
No more side effects with synchronous calls
...
(and upstreams that keep connections open)
2016-03-23 22:13:31 +01:00
Willem Toorop
e934c100a2
Merge branch 'develop' into devel/codebase-maintenance
2016-03-22 13:22:13 +01:00
Willem Toorop
e4e3dde61f
Don't breakup the sync vs async schedule
...
to accentuate changes.
2016-03-18 13:30:49 +01:00
Sara Dickinson
c1f15fc0ac
Minor tweaks
2016-03-18 12:02:40 +00:00
Sara Dickinson
c08371ebb0
First pass at updating DEBUG_STUB output
2016-03-18 11:34:51 +00:00
Willem Toorop
ab742b34b6
Miscellaneous scheduling fixes and improvements
2016-03-17 16:49:05 +01:00
Willem Toorop
0c0868517c
Remove leftover debugging printfs
2016-01-12 16:57:17 +01:00
Willem Toorop
fed8cc51ed
Initial TCP support for Windows
2016-01-12 16:54:42 +01:00
Willem Toorop
4fd8d3dddd
Replace mini_event extension by default_eventloop
...
* default_eventloop was prototyped in getdns_query and is still in there as my_eventloop
* It interfaces directly with the scheduling primitives of getdns.
* It can operate entirely from stack and does not have to do
any memory allocations or deallocations.
* Adapted configure.ac to allow libunbound to be linked with Windows
(with the removal of winsock_event.c we have no symbol clashes anymore)
* Added STUB_TCP_WOULDBLOCK return code in stub_resolving helper functions,
to anticipate dealing with edge triggered event loops (versus level triggered). (i.e. Windows)
2016-01-12 15:52:14 +01:00
Willem Toorop
6b2d9a2d70
Unused var compile warning in certain conditions
2015-12-31 11:26:29 +01:00
Willem Toorop
a2bdfb2f22
Merge branch 'features/windows-support' into develop
2015-12-24 14:44:18 +01:00
Willem Toorop
9d3905459e
Miscellaneous fixes to compile on windows
...
Also without warnings.
2015-12-24 14:41:50 +01:00
Willem Toorop
caba5f19d5
Merge branch 'develop' into features/windows-support
2015-12-24 11:01:26 +01:00
Daniel Kahn Gillmor
2a50f4d2ac
Set tls_auth_failed when any present authentication mechanism fails
...
We used to only have hostnames available. now we have pubkey_pinsets
available as well.
We want upstream->tls_auth_failed to be 1 when any authentication
mechanism we've been asked for fails (and also when we haven't been
given any authentication mechanism at all).
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
57a04f61db
Allow AUTHENTICATION_REQUIRED w/o hostname when pubkey pinset is available
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
77802808ce
rename GETDNS_AUTHENTICATION_HOSTNAME with GETDNS_AUTHENTICATION_REQUIRED
2015-12-23 18:00:43 +00:00
Sara Dickinson
2ce806c05b
Tinker with debug statements/comments.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
a9eb9ccca9
Check that the pinset matches if it is configured
...
if the upstream is configured to allow fallback, this will not be a
fatal error, but it will still be checked.
Future work:
* verify any certs higher in the chain than the end-entity cert
* deal with raw public keys
* in the fallback case, report to the user whether the pinset match failed
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
d09675539e
Provide access to the pinsets during the TLS verification callback
...
We do this by associating a getdns_upstream object with the SSL object
handled by that upstream.
This allows us to collapse the verification callback code to a single
function.
Note that if we've agreed that fallback is ok, we are now willing to
accept *any* cert verification error, not just HOSTNAME_MISMATCH.
This is fine, because the alternative is falling back to cleartext,
which would be worse.
We also always set SSL_VERIFY_PEER, since we might as well try to do
so; we'll drop the verification error ourselves if we know we're OK
with falling back.
2015-12-23 18:00:43 +00:00
Willem Toorop
fe7a1e89e3
Constify new work
2015-12-22 11:32:15 +01:00
Willem Toorop
5bbcbb97a1
Merge branch 'develop' into features/conversion_functions
2015-12-22 11:28:27 +01:00
Willem Toorop
0a809cb7d8
Allow truncated answers to be returned
2015-12-22 10:56:20 +01:00
Willem Toorop
ee2a1fbfe6
Merge branch 'features/tsig' into develop
2015-12-22 01:08:25 +01:00
Willem Toorop
6c1e00fc3f
Send TSIG
2015-12-21 22:11:16 +01:00
Sara Dickinson
746a827baa
Implement client side edns-tcp-keepalive
2015-12-21 17:05:56 +00:00
Sara Dickinson
91a73ab3d0
cleanup
2015-12-18 16:22:09 +00:00
Sara Dickinson
4165e874de
Fix tests
2015-12-18 16:14:54 +00:00
Sara Dickinson
c5b839bda8
remove STARTTLS
2015-12-18 16:14:54 +00:00
Willem Toorop
5663f914fb
Move debug macros to own header
...
To reduce dependency location fixes in test directory.
2015-12-18 13:40:52 +01:00
Willem Toorop
5a65d2b693
Look further than your nose, Willem!
2015-12-17 15:46:31 +01:00
Willem Toorop
b839b97ac2
Oops... reverted syntax/style too aggressively
2015-12-17 13:07:39 +01:00
Willem Toorop
a2e15a169d
Revert syntactic/style changes
...
So actual changes aren't obfuscated
2015-12-17 12:37:33 +01:00
Willem Toorop
16b62f43eb
Merge branch 'develop' into features/conversion_functions
2015-12-16 13:53:25 +01:00
wtoorop
69b54be99c
Merge pull request #126 from saradickinson/feature/mac_tfo
...
Enable TFO by default if possible, add MAC OSX TFO support
Looks good, thanks.
2015-12-16 13:45:14 +01:00
Sara Dickinson
736d9f20bf
Enable TCP FastOpen by default and add support for OSX implementation of TFO.
2015-12-13 17:44:31 +00:00
Willem Toorop
d67949d1e7
iterators go over const wireformat data
2015-12-07 16:43:41 +01:00
unknown
22a8550caa
Bug fix in get_os_defaults, clean up code in winsock_event, add code to handle event handling differences in Winsock2
2015-12-04 16:12:43 -05:00
unknown
2d58ed465c
Changes for Windows, Fix configure.ac to take in a winsock option to configure and generafigure, add ifdef's to stub out windows code for other platforms.
2015-11-22 22:38:13 -05:00
Willem Toorop
08bf613cde
Prevent segfault with failed TLS handshake?
...
Need proper review for this patch! Sara?
2015-11-15 12:46:21 -05:00
Sara Dickinson
d75ba83013
Fix bug with call_debugging reporting of UDP and add a getter for tls_authentication
2015-11-13 13:28:43 +00:00
saradickinson
1a72454b88
Remove debug
2015-11-05 14:41:23 +09:00
saradickinson
5f60683f57
Fix seg fault on timeout
2015-11-05 14:41:23 +09:00
Willem Toorop
26566a3b00
Merge branch 'develop' of github.com:getdnsapi/getdns into develop
2015-11-04 23:25:49 +01:00
Willem Toorop
7f4bdc0868
Bump versions
2015-11-04 23:25:38 +01:00
Willem Toorop
0c3eb08f4d
Merge branch 'features/call_debug' into develop
2015-11-04 16:23:22 +09:00
Daniel Kahn Gillmor
83bf5ab08b
actually implement tls_query_padding_blocksize
...
since no DNS OPT value has been allocated, i chose a random value in
the experimental/local range.
2015-11-01 15:49:56 +09:00
Daniel Kahn Gillmor
df3725e635
added edns_client_subnet_private to getdns_context
...
https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-04
Using the above spec, an intermediate resolver may forward a chunk of
the client's IP address to the authoritative resolver.
Setting edns_client_subnet_private to a getdns_context in stub mode
will indicate to the next-hop recursive resolver that the client
wishes to keep their address information private.
2015-11-01 15:49:50 +09:00
Daniel Kahn Gillmor
0b388872ea
clarify per-query options vs. per-upstream options
...
Sending DNS cookies was overwriting any existing options (DNS OPT) in
the outbound query.
Also, DNS cookies may not be the only option that gets set
per-upstream (instead of per-query).
This changeset establishes a set of per-query options (established at
the time of the query), and a buffer of additional space for adding
options based on the upstream that is in use.
The size of this buffer is defined at configure time (defaults to 3000
octets).
Just before a query is sent out, we add the per-upstream options to
the query.
Note: we're also standardizing the query in tls too, even though we're
not sending any upstream options in that case at the moment
(edns_cookies are much weaker than TLS itself)
2015-11-01 15:47:22 +09:00
Daniel Kahn Gillmor
3e90795680
enable talking to servers with ECDSA certs
...
There is no clear reason to reject servers that don't have RSA certs.
We should accept ECDSA certs as well.
(also, clean up comments about opportunistic TLS)
2015-11-01 15:47:03 +09:00
jad
51eb2fdf55
working prototype 6
2015-11-01 12:47:49 +09:00
jad
2d20e18b8a
working prototype 4
2015-11-01 11:14:45 +09:00
jad
a85b17c885
working prototype 1
2015-11-01 10:24:02 +09:00
Willem Toorop
35c803208b
Bit more concise and clear confusing code text
2015-10-31 18:24:24 +09:00
Willem Toorop
521e46879b
Document that thing that we keep forgetting about
2015-10-31 17:15:36 +09:00
Willem Toorop
0a717f5d51
Warning with older (less intelligent) compilers
2015-10-29 16:25:07 +01:00
Sara Dickinson
e397d1e020
Fix error that was not allowing cipher suite fallback for opportunistic TLS.
2015-10-25 15:28:20 +00:00
Willem Toorop
ebd94f48cf
Anticipate missing X509_V_ERR_HOSTNAME_MISMATCH
2015-10-21 16:01:40 +02:00
Sara Dickinson
b74c62066c
Cleanup
2015-10-16 18:31:57 +01:00
Sara Dickinson
689447509a
Change port used for TLS to 853
2015-10-16 17:00:14 +01:00
Sara Dickinson
28ffb2fdf6
Add ls_authentication to API
2015-10-16 17:00:14 +01:00
Sara Dickinson
6b4ee4ed31
Block authenticated requests on unauthenticated connection
2015-10-16 17:00:14 +01:00
Sara Dickinson
af617e92a7
Implement authentication fallback on a given upstream (needs more work). Also need API option to set auth requirement.
2015-10-16 17:00:14 +01:00
Sara Dickinson
e710286e45
Start work on better authentication
2015-10-16 16:57:13 +01:00
Willem Toorop
53e23f1358
Revert "Revert "Merge pull request #112 from saradickinson/features/tls_auth""
...
This reverts commit 6d29e6044e.
2015-09-04 10:56:30 +02:00
Willem Toorop
6d29e6044e
Revert "Merge pull request #112 from saradickinson/features/tls_auth"
...
This reverts commit d436165a88, reversing changes made to 7c902bf73c.
2015-08-27 13:31:22 +02:00
Willem Toorop
015e387ea5
Final internal symbols rename to _getdns prefix
2015-08-19 16:33:19 +02:00
Willem Toorop
b9e8455e27
Internal symbols always prefixed with _getdns
2015-08-19 16:30:15 +02:00
Willem Toorop
fcd595298a
Rename all priv_getdns internal symbols to _getdns
2015-08-19 16:22:38 +02:00
Willem Toorop
450aabefcc
Make util symbols private (i.e. prefix _getdns)
2015-08-19 16:07:01 +02:00
wtoorop
d436165a88
Merge pull request #112 from saradickinson/features/tls_auth
...
Features/tls auth
2015-08-17 12:53:38 +02:00
Willem Toorop
7c902bf73c
Fix fallback failures fix ;)
2015-08-17 12:35:10 +02:00
Sara Dickinson
dc7d7e7689
Fix openssl dependency
2015-08-15 16:35:30 +01:00
Sara Dickinson
45de1f65b3
Update docs with details of OS X certificate handling.
2015-08-15 14:40:16 +01:00
saradickinson
cb1dff1ac7
Add ability to verify server certificate using hostname for TLS/STARTTLS
...
NOTE: This implementation will only work for OpenSSL v1.0.2 and later.
Doing it for earlier versions is totally insane:
https://wiki.openssl.org/index.php/Hostname_validation
2015-08-15 14:40:15 +01:00
Sara Dickinson
ab60211020
Fix fallback failures. Add manual regression test script.
2015-08-12 11:42:02 +01:00
Willem Toorop
9daaa1638c
One more event callback setting before clearance
2015-07-14 13:42:40 +02:00
Willem Toorop
d4e932890a
Do not reset event callbacks before clearing
2015-07-14 11:54:25 +02:00
Willem Toorop
70857ccc74
Proper handling of system stub query timeouts
2015-07-09 23:09:39 +02:00
Willem Toorop
f066d5ef73
Merge branch 'features/native-stub-dnssec' into develop
...
Conflicts:
configure.ac
src/stub.c
2015-07-02 10:27:27 +02:00
Willem Toorop
8d5ac3afde
Store dnsreq->name in wire format
2015-06-29 23:32:49 +02:00
Willem Toorop
407ecffb67
dnssec_status in netreqs
2015-06-29 22:23:01 +02:00
wtoorop
93e0237273
Merge pull request #106 from saradickinson/features/transport_fixups
...
Features/transport fixups
2015-06-29 21:09:47 +02:00
Sara Dickinson
e5a80943e2
Turn fast open on by default. Fix build warning.
2015-06-29 11:54:31 +01:00
Sara Dickinson
e20d679bc8
Improve TCP close handling and sync connection closing
2015-06-29 09:09:13 +01:00
wtoorop
9ac1ea39b8
Merge pull request #105 from saradickinson/features/transport_fallback
...
Features/transport fallback
2015-06-29 09:21:31 +02:00
Sara Dickinson
8c61ecd024
Finally fix problem with upstream walking that was causing intermittent crash. And fix sync idle timeouts. Again.
2015-06-26 16:14:04 +01:00
Sara Dickinson
8925fb22fc
More bug fixes and tidy up
2015-06-26 14:27:21 +01:00
Sara Dickinson
ddd90e29c5
Fix idle_timeout bug
2015-06-26 08:19:22 +01:00
Sara Dickinson
cb5bbac26d
Do better with unbound transport mapping and fix problems with sync fallback
2015-06-25 20:21:00 +01:00
Sara Dickinson
8819d29535
Implement TCP fallback and hack for lack of sync idle timeout.
2015-06-24 18:49:34 +01:00
Sara Dickinson
c425f96e0b
Fix TLS handshake for sync messages.
2015-06-23 15:39:56 +01:00
Willem Toorop
5c01df226c
Init netreq dnssec status at netreq init time
2015-06-23 16:39:30 +02:00
Sara Dickinson
67e282edd1
More work on transport/upstream fallback. TLS and UDP fallback not working yet.... Probably need to maintain a current upstream for each transport to get this working properly
2015-06-22 18:02:28 +01:00
Sara Dickinson
57b163c790
Fix bug in STARTTLS timeout
2015-06-22 14:31:19 +01:00
Sara Dickinson
b73b5b2792
Fix some bugs...
2015-06-21 16:55:12 +01:00
Sara Dickinson
635cf9e182
Re-factor of internal handling of transport list.
2015-06-19 18:28:29 +01:00
wtoorop
d819bc901b
Merge pull request #104 from saradickinson/features/transport_api
...
Commit addition of transport list to the API.
2015-06-18 22:02:46 +02:00
Sara Dickinson
68dfb15706
Add context idle timeout
2015-06-18 17:11:11 +01:00
Sara Dickinson
8dd8d90e74
Commit addition of transport list to the API.
...
- set and get functions are added.
- Existing transport functions retained for backwards compatibility.
- Basic combinations work as before, but underlying functional changes and cleanup are not complete yet...
- Context level options for timeouts and max_transactions_per_tcp_connection coming soon...
2015-06-17 17:18:09 +01:00
Willem Toorop
39639a86c4
Make dname_equal reusable
...
+ some symbol renames
2015-06-16 16:11:51 +02:00
Willem Toorop
97f0dddb1e
remove ldns dependency from rr-dict.c
...
Only dnssec.c left
2015-06-12 13:51:36 +02:00
Willem Toorop
e820452aaa
Rm 2 outdated ldns usage cases
2015-06-11 11:21:12 +02:00
Willem Toorop
d5f70ab904
rm spurious execute bits +unit test to detect them
...
Thanks Paul Wouters
2015-05-26 14:16:27 +02:00
Sara Dickinson
894cb1555b
Fix intermittent crash for STARTTLS
2015-05-13 17:15:56 +01:00
Willem Toorop
98b3364b65
uniform debugging method + disable stub debugging
2015-05-13 12:47:17 +02:00
saradickinson
3ac5e660f9
Address few minor bugs pointed out by willem
2015-05-11 22:01:31 +02:00
Sara Dickinson
9a7bfdd45b
Add trivial stub_debug functions.
2015-05-03 15:39:21 +01:00
Sara Dickinson
9d967317d3
Improve the timeout handling for TLS.
2015-05-03 15:11:46 +01:00
Sara Dickinson
01adce8299
Organise code in stub.c and add some utility methods.
2015-05-02 18:08:45 +01:00
Sara Dickinson
d6d83b219d
Make sure UDP only uses 1 upstream per IP address. Fix a couple of other bugs.
2015-04-30 19:07:49 +01:00
Sara Dickinson
450a3bc6ff
Fix STARTTLS fallback.
2015-04-30 14:52:16 +01:00
Sara Dickinson
7905eda8b7
Some clean up of connection handling. Still a problem with STARTTLS fallback that needs fixing.
2015-04-30 12:24:13 +01:00
Sara Dickinson
79b3412fbf
Add another transport option as proof of concept for STARTTLS.
2015-04-29 19:20:25 +01:00
Sara Dickinson
b533bc59c5
Fix bug when fallback not available
2015-04-27 16:37:16 +01:00
Sara Dickinson
4e6e66fc77
Get sync messages working with new async code.
2015-04-27 15:32:57 +01:00
Sara Dickinson
3de15ad782
Change internal transport handling to use a list, not a fixed type
2015-04-24 16:29:08 +01:00
Sara Dickinson
f2ae55858f
First pass at making handshake async. Lots of issues with this code still
...
- timeouts are not being rescheduled on fallback
- several error cases are not being handled correctly (e.g. 8.8.8.8) and a user callback is not always called
- the fallback mechanism is not generic (specific to tls to tcp)
2015-04-23 17:46:31 +01:00
Sara Dickinson
6c7ffc4e4e
1) Fix enum mapping error.
...
2) Also add detection of TLS 1.2 in openssl during configure and warn that if it is not available then TLS will not be available. Using TLS_ONLY in stub mode will then error with BAD_CONTEXT. TLS/TCP will fall back to TCP.
3) Explicitly disallow use of TLS_ONLY in RECURSIVE mode since it isn't supported yet. TLS/TCP will fall back to TCP.
4) Fix for MAC OS X build where openssl not linked correctly
2015-04-17 18:38:13 +01:00
Sara Dickinson
ab4fb8d9e9
Enable GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN for libunbound. Should only be used in stub mode.
...
GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN still just does TCP.
Also some tidy up of new transport types.
2015-04-17 15:50:08 +01:00
Sara Dickinson
99c1973fae
Cleanup of TLS code
2015-04-16 18:05:51 +01:00
saradickinson
99aa79b48f
First pass at TLS implementation - needs work!
2015-04-16 18:05:27 +01:00
Willem Toorop
3c816b0c86
Embarrassing mistake (don't look)
2015-03-23 15:38:50 -05:00
Willem Toorop
19547536ac
arc4random in secret generation
2015-03-22 11:01:37 -05:00
Willem Toorop
d06d94a0c7
Merge branch 'arc4random' into release-0.1.7
...
Conflicts:
src/config.h.in
2015-03-22 10:55:03 -05:00
Willem Toorop
00f047816d
EDNS cookies processing as stub
2015-03-22 10:50:48 -05:00
Willem Toorop
4683208fd1
First go at using arc4random 4 random numbers
2015-03-21 04:41:25 -05:00
Willem Toorop
04e2d4c2c1
bugfix: on tcp read, realloc with *new* buffer sz
2015-02-12 12:05:10 +01:00
Willem Toorop
cd098f9429
bugfix: Dynamic max payload only when OPT present
2015-02-12 12:03:20 +01:00
Willem Toorop
f01ed133f5
ldns_wire2pkt at create_getdns_response time only
...
This breaks priv_get_validation_chain
2015-02-11 14:55:22 +01:00
Willem Toorop
9ed074e58d
set max_udp_payload_size 2 response size
2015-02-03 11:36:08 +01:00
Willem Toorop
b5a6fa8064
rm some obsolete includes in stub.c
2015-02-03 11:24:35 +01:00
Willem Toorop
545a83e1a6
netreq->response contains wire_data packet
2015-02-03 11:12:05 +01:00
Willem Toorop
f1b916aac8
Store wireformat queries in netreq's too
2015-02-03 10:46:44 +01:00
Willem Toorop
3f046cf573
Embed netreqs in dns_reqs and wire_data in netreqs
...
TODO: make sure the wire_data buffer is filled with the response
2015-01-29 12:30:40 +01:00
Willem Toorop
736f5ff157
No executable flags on source files
...
Thanks Paul Wouters
2015-01-20 12:16:49 +01:00
saradickinson
593670f524
Removing debug statement (blush)
2014-11-07 20:17:03 -10:00
saradickinson
0680e1144f
Add detection of TFO support during configure
2014-10-28 17:51:49 +00:00
saradickinson
9d7d9997df
TCP fast open support (linux only). Enabled with --enable-tcp-fastopen configure option.
2014-10-28 17:51:49 +00:00
Willem Toorop
d92dc8b460
edns_do_bit defaults to 0 with stub
...
And better handling of including OPT RR in stub query
2014-10-28 14:32:29 +01:00
Willem Toorop
35c58cc598
set payload size < 512 to 512 with extensions too
2014-10-27 19:26:15 +01:00
Willem Toorop
f633886cbf
recv, write and sendto return ssize_t
2014-10-24 23:12:28 +02:00