Jim Hague
1acd880f26
Correct error return value from stub.
2018-12-07 17:56:12 +00:00
Jim Hague
fee864c25c
Implement setting cipher/curve lists.
...
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
2018-12-07 16:55:17 +00:00
Willem Toorop
bb99321e57
More constness for issue #410
2018-12-07 16:34:03 +01:00
Willem Toorop
8a7226baee
Move from debugging to logging for
...
- upstream_stats & stub system
2018-12-07 14:02:17 +01:00
Willem Toorop
bdfdd99645
Anticipate different openssl versions
2018-12-07 14:00:47 +01:00
Jim Hague
511dfc75ef
Implement _getdns_tls_context_set_min_proto_1_2().
...
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
2018-12-07 11:11:33 +00:00
Jim Hague
64f0d6aaa8
Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify().
...
I managed to mislead myself about what it did, which suggests the name should be clearer.
2018-12-07 11:09:20 +00:00
Jim Hague
b0c057e8ae
Update dependencies for GnuTLS.
...
In practice a 'make depend' is required before building with either OpenSSL or GnuTLS.
2018-12-06 16:35:43 +00:00
Jim Hague
46c49cbcfe
Modify getdns_server_mon to use GnuTLS or OpenSSL.
...
Untested.
2018-12-06 16:32:20 +00:00
Jim Hague
72d9b91a2e
Extract non-OpenSSL specific code from pubkey-pinning.c, and move it back to common source.
...
OpenSSL-specific items are in pubkey-pinning-internal.c.
2018-12-06 14:09:30 +00:00
Jim Hague
e73ab48687
Extract non-OpenSSL specific code from anchor.c, and move it back to common source.
...
OpenSSL-specific items are in anchor-internal.c.
2018-12-06 14:07:32 +00:00
Jim Hague
91764fb6b0
Correct checking of connection validation result.
2018-12-06 11:04:00 +00:00
Jim Hague
c6dffa1239
Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.
...
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.
GnuTLS uses Nettle itself, so this is not adding a new dependency.
2018-12-06 10:41:58 +00:00
Jim Hague
b2312aee12
Implement hostname authentication.
2018-12-05 17:20:28 +00:00
Jim Hague
f64aa8703d
First pass at a mostly stubbed GnuTLS implementation.
...
This works enough to do a TLS lookup.
2018-12-05 11:25:32 +00:00
Willem Toorop
46f0b06f24
Start release processes for getdns-1.5.0
2018-12-04 14:17:20 +01:00
Willem Toorop
c80aa72725
ED25519 & ED448 support
2018-12-03 15:35:03 +01:00
Willem Toorop
ea55b12a08
getdns_query for addresses with qname but no qtype
2018-12-03 14:52:58 +01:00
Willem Toorop
30a3a6b026
Longer timeout for recursing_6 test
2018-12-03 14:33:56 +01:00
Willem Toorop
390e383a1a
ED25519 & ED448 DNSSEC validation support
2018-12-03 14:33:21 +01:00
Willem Toorop
6d066f95f9
Merge branch 'features/trust_anchors_backoff_time' into develop
2018-12-03 12:51:00 +01:00
Willem Toorop
4b688443f4
Sync with unbound
2018-12-03 12:50:37 +01:00
Willem Toorop
a1692359f3
RFE #408 : Retry fetching of TA after backoff time
2018-12-03 12:27:31 +01:00
Willem Toorop
1e7da76901
Bugfix getdnsapi/stubby#140 fallback on getentropy failure
2018-11-30 14:50:06 +01:00
Willem Toorop
5986d0497f
Merge branch 'features/dnssec_extension' into develop
2018-11-30 14:23:49 +01:00
Willem Toorop
c1f51815ba
RFE #408 : "dnssec" extension requiring DNSSEC
...
When this extension is set, GETDNS_DNSSEC_INDETERMINATE status will no
longer be returned.
2018-11-30 14:20:12 +01:00
Jim Hague
153e766edf
tls.h uses struct mem_funcs in types-internal.h.
2018-11-27 18:04:14 +00:00
Jim Hague
c4a3f75844
Correct make depend generation for TLS directory.
2018-11-27 18:03:27 +00:00
Jim Hague
e60d852637
Common OpenSSL digester selection.
2018-11-27 16:55:33 +00:00
Willem Toorop
e3b007a43a
Issue #410 : Document ownership with getdns_context_get_api_information()
...
+ const for extensions and namespaces
TODO: Look at other cases that are not const for no good reason.
Thanks Stefan Bühler
2018-11-27 16:59:47 +01:00
Jim Hague
c101a7a021
Abstract context DANE initialisation.
2018-11-27 15:41:23 +00:00
Jim Hague
26bcddd029
Abstract cookie SHA256 calculation.
2018-11-27 15:31:33 +00:00
Jim Hague
af962228fc
Abstract maximum digest length.
2018-11-27 15:31:05 +00:00
Jim Hague
0cdede21df
Abstract SHA1 calculation.
2018-11-27 15:29:48 +00:00
Jim Hague
5e390a4b23
Revise all TLS interfaces to pass in GetDNS memory functions where necessary.
...
This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c.
2018-11-27 14:41:46 +00:00
Jim Hague
bc3106af94
Abstract out HMAC functions in request-internal.c.
2018-11-27 11:49:12 +00:00
Jim Hague
4ec93a3df0
Add Doxygen for remaining tls.h functions.
2018-11-26 11:32:18 +00:00
Jim Hague
27a7e4e28f
Attempt minimal autoconf changes to use GnuTLS instead of OpenSSL.
...
I could waste the rest of the available time trying to turn configure.ac into something that cleanly ignores OpenSSL, uses GnuTLS instead and retains all the options. Or even better scrap the whole autoconf mess and start again.
But in the interests of prototyping, do something quick and dirty. This means GnuTLS must for now be configured thus:
$ CFLAGS="-g" ../configure --enable-stub-only --with-gnutls --disable-gost --disable-ecdsa --disable-edns-cookies
to evade other items with hardcoded OpenSSL checks in them.
2018-11-23 17:49:06 +00:00
Jim Hague
2267863a53
Attempt to improve the preprocessor horror that is util/val_secalgo.h.
...
Convert the main util/val_secalgo.h to a plain interface. Move the preprocessor redefines into validator/val_secalgo.h, and move THAT under openssl, because it is OpenSSL implementation specific at present - you can compile with NSS and Nettle if config allows.
2018-11-23 16:28:55 +00:00
Willem Toorop
2d76a5fd52
We had complaints for serving the root, so..
...
TCP only full recursion test now starting from K-root
(because other roots are unreliable TCP-wise)
2018-11-22 12:16:19 +01:00
Willem Toorop
b90ba236ae
tls_ciphersuites, tls_cipher_list, tls_curve_list,
...
tls_min_version & tls_max_version settings must cause
failure when not supported by the TLS library. Not during
configure time, but during connection setup so it doesn't
hamper alternative transports.
2018-11-22 11:37:28 +01:00
Willem Toorop
6b10570842
DNSSEC bugfix found with static analysis
...
* Fix for DNSSEC bug in finding most specific key when
trust anchor proves non-existance of one of the labels
along the authentication chain other than the non-
existance of a DS record on a zonecut.
2018-11-22 10:21:48 +01:00
Willem Toorop
4ff9816e39
google now supports DoT
2018-11-21 17:00:03 +01:00
Willem Toorop
73868643d2
Fix compile warnings
2018-11-21 16:07:47 +01:00
Willem Toorop
1904ee7318
Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130
...
Configurable TLS version
2018-11-21 15:02:28 +01:00
Jim Hague
e7593541ef
Ensure that compat/getentropy* don't get used, and so drag in OpenSSL.
2018-11-20 17:37:46 +00:00
Jim Hague
4f67491971
Remove unnecessary OpenSSL include in dnssec.c.
2018-11-20 17:36:56 +00:00
Jim Hague
05f9d30e89
Move anchor.c to under openssl.
2018-11-20 16:57:48 +00:00
Jim Hague
f3e0f2b9e6
Split OpenSSL specific bits of keyraw.hc into keyraw-internal.hc.
...
All usage is internal to val_secalgo.c, which is already in openssl.
2018-11-20 16:51:17 +00:00
Jim Hague
da94b52f74
Move val_secalgo.c to openssl.
...
It contains ports other than OpenSSL (NSS and NETTLE), but we're not worrying about those for our purposes at present.
2018-11-20 16:21:06 +00:00