Willem Toorop
9b97eb9361
Update dependencies
2015-12-30 14:18:19 +01:00
Willem Toorop
1128ebdd54
Unit test fail with unimplemented follow_redirect
2015-12-30 14:10:36 +01:00
Willem Toorop
68fbb93cd6
Release candidate 2
2015-12-30 13:56:53 +01:00
Willem Toorop
8c46e969d6
Notify for not implemented namespaces and follow_redirects.
2015-12-30 13:55:45 +01:00
Willem Toorop
2a9dd53d8d
Complement getdns_query documentation
...
+ +specify_class extension
2015-12-30 13:38:14 +01:00
Willem Toorop
11b0346ded
Miscellaneous TSIG bugfixes
2015-12-30 12:25:58 +01:00
Willem Toorop
853bc6c150
Merge branch 'features/suffix_handling' into develop
2015-12-30 10:51:37 +01:00
Willem Toorop
f84c67282d
Merge branch 'features/add_warning_for_bad_dns' into develop
2015-12-30 10:51:26 +01:00
Willem Toorop
d85d395770
Options to getdns_query to test suffix appending
2015-12-30 10:44:08 +01:00
Willem Toorop
875ef3f9d4
Successive suffix append retries
2015-12-29 23:06:02 +01:00
Willem Toorop
89b6c04d4f
First query append
2015-12-29 17:34:14 +01:00
Willem Toorop
54498cd556
Distinct between suffix and suffixes more clearly
2015-12-29 16:23:04 +01:00
Willem Toorop
ebe3d361ea
Returning strings does include the null byte
2015-12-29 16:17:17 +01:00
Willem Toorop
5a388386b4
Store suffixes in wireformat
2015-12-29 16:00:15 +01:00
Willem Toorop
f91e263f09
Simplify _set_string functions
2015-12-29 15:57:55 +01:00
Willem Toorop
f3e3e47e15
Implement bad_dns extension
2015-12-29 14:10:18 +01:00
Willem Toorop
ad23c446b6
Complement ChangeLog and bump versions
2015-12-24 16:57:48 +01:00
Willem Toorop
d79884f10a
Replace ssize_t with int in conversion funcs tpkg
2015-12-24 16:22:38 +01:00
Willem Toorop
240b34e215
Missing file removals with distclean
2015-12-24 16:22:03 +01:00
Willem Toorop
0b1e0e6d0f
Definite December 2015 version of spec
2015-12-24 16:05:04 +01:00
Willem Toorop
2fa7fbefa4
Update spec to December 2015 version
2015-12-24 15:47:55 +01:00
Willem Toorop
3e2464af6d
Changes that came out of portability tests
2015-12-24 15:28:12 +01:00
Willem Toorop
a09a051ed5
New code, new dependencies...
2015-12-24 15:01:45 +01:00
Willem Toorop
a2bdfb2f22
Merge branch 'features/windows-support' into develop
2015-12-24 14:44:18 +01:00
Willem Toorop
9d3905459e
Miscellaneous fixes to compile on windows
...
Also without warnings.
2015-12-24 14:41:50 +01:00
saradickinson
b777552f34
Merge pull request #131 from saradickinson/feature/pubkey-pinning
...
Feature/pubkey pinning
2015-12-24 10:13:53 +00:00
Willem Toorop
caba5f19d5
Merge branch 'develop' into features/windows-support
2015-12-24 11:01:26 +01:00
Sara Dickinson
f94798b237
Final mixups
2015-12-24 10:00:15 +00:00
Willem Toorop
05efbd79de
Merge branch 'features/dns_root_servers' into develop
2015-12-24 10:51:50 +01:00
Willem Toorop
8bde787703
Use mkstemp instead of tmpnam to eliminate warning
2015-12-24 10:50:58 +01:00
Willem Toorop
71b2a44945
Remove root_servers comment leftovers
2015-12-23 21:19:52 +01:00
Sara Dickinson
3afba25dad
Update test case and changeling
2015-12-23 18:00:44 +00:00
Sara Dickinson
a5027981d9
Change how the aliasing is done so the tpkg tests will pass
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
2a50f4d2ac
Set tls_auth_failed when any present authentication mechanism fails
...
We used to only have hostnames available. Now we have pubkey_pinsets
available as well.
We want upstream->tls_auth_failed to be 1 when any authentication
mechanism we've been asked for fails (and also when we haven't been
given any authentication mechanism at all).
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
57a04f61db
Allow AUTHENTICATION_REQUIRED w/o hostname when pubkey pinset is available
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
77802808ce
rename GETDNS_AUTHENTICATION_HOSTNAME with GETDNS_AUTHENTICATION_REQUIRED
2015-12-23 18:00:43 +00:00
Sara Dickinson
792ecd65b8
Add missing constant to const-info.c
2015-12-23 18:00:43 +00:00
Sara Dickinson
2ce806c05b
Tinker with debug statements/comments.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
a9eb9ccca9
Check that the pinset matches if it is configured
...
if the upstream is configured to allow fallback, this will not be a
fatal error, but it will still be checked.
Future work:
* verify any certs higher in the chain than the end-entity cert
* deal with raw public keys
* in the fallback case, report to the user whether the pinset match failed
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
d09675539e
Provide access to the pinsets during the TLS verification callback
...
We do this by associating a getdns_upstream object with the SSL object
handled by that upstream.
This allows us to collapse the verification callback code to a single
function.
Note that if we've agreed that fallback is ok, we are now willing to
accept *any* cert verification error, not just HOSTNAME_MISMATCH.
This is fine, because the alternative is falling back to cleartext,
which would be worse.
We also always set SSL_VERIFY_PEER, since we might as well try to do
so; we'll drop the verification error ourselves if we know we're OK
with falling back.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
614d317fd8
getdns_query: add -K option to attach pinsets to getdns_contexts.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
0d2256df09
set and return the pubkey_pinsets on the upstream resolvers
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
b305f073fe
add functions to translate between getdns_list and sha256_pin linked list
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
4dbe1813e4
added simple sha256 public key pinning linked list to getdns_upstream
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
5e64f1262b
add getdns_pubkey_pinset_sanity_check()
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
91f04ecd5e
add getdns_pubkey_pin_create_from_string()
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
4047bd09da
define _DEFAULT_SOURCE as well as _BSD_SOURCE for glibc version 2.20 and up
...
in recent versions of feature_test_macros(7), it says of _BSD_SOURCE:
Since glibc 2.20, this macro is deprecated. It now has the same
effect as defining _DEFAULT_SOURCE, but generates a compile-time
warning (unless _DEFAULT_SOURCE is also defined). Use
_DEFAULT_SOURCE instead. To allow code that requires
_BSD_SOURCE in glibc 2.19 and earlier and _DEFAULT_SOURCE in
glibc 2.20 and later to compile without warnings, define both
_BSD_SOURCE and _DEFAULT_SOURCE.
2015-12-23 17:57:49 +00:00
Willem Toorop
ce1185166c
Merge branch 'features/dns_root_servers' into develop
2015-12-23 17:41:40 +01:00
Willem Toorop
29b033c14c
off-by-one bugfixes
2015-12-23 17:38:36 +01:00
Willem Toorop
fbae577a54
Setting of root servers
...
test with
getdns_query -f yeti.key -R yeti.hints nlnetlabs.nl A +dnssec_return_status
where yeti.key comes from:
https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/named.cache
and yeti.hints from:
https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/KSK.pub
2015-12-23 17:15:45 +01:00