Commit Graph

2955 Commits

Author SHA1 Message Date
Jim Hague 1acd880f26 Correct error return value from stub. 2018-12-07 17:56:12 +00:00
Jim Hague fee864c25c Implement setting cipher/curve lists.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
2018-12-07 16:55:17 +00:00
Willem Toorop bb99321e57 More constness for issue #410 2018-12-07 16:34:03 +01:00
Willem Toorop 8a7226baee Move from debugging to logging for
- upstream_stats & stub system
2018-12-07 14:02:17 +01:00
Willem Toorop bdfdd99645 Anticipate different openssl versions 2018-12-07 14:00:47 +01:00
Jim Hague 511dfc75ef Implement _getdns_tls_context_set_min_proto_1_2().
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
2018-12-07 11:11:33 +00:00
Jim Hague 64f0d6aaa8 Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify().
I managed to mislead myself about what it did, which suggests the name should be clearer.
2018-12-07 11:09:20 +00:00
Jim Hague b0c057e8ae Update dependencies for GnuTLS.
In practice a 'make depend' is required before building with either OpenSSL or GnuTLS.
2018-12-06 16:35:43 +00:00
Jim Hague 46c49cbcfe Modify getdns_server_mon to use GnuTLS or OpenSSL.
Untested.
2018-12-06 16:32:20 +00:00
Jim Hague 72d9b91a2e Extract non-OpenSSL specific code from pubkey-pinning.c, and move it back to common source.
OpenSSL-specific items are in pubkey-pinning-internal.c.
2018-12-06 14:09:30 +00:00
Jim Hague e73ab48687 Extract non-OpenSSL specific code from anchor.c, and move it back to common source.
OpenSSL-specific items are in anchor-internal.c.
2018-12-06 14:07:32 +00:00
Jim Hague 91764fb6b0 Correct checking of connection validation result. 2018-12-06 11:04:00 +00:00
Jim Hague c6dffa1239 Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.

GnuTLS uses Nettle itself, so this is not adding a new dependency.
2018-12-06 10:41:58 +00:00
Jim Hague b2312aee12 Implement hostname authentication. 2018-12-05 17:20:28 +00:00
Jim Hague f64aa8703d First pass at a mostly stubbed GnuTLS implementation.
This works enough to do a TLS lookup.
2018-12-05 11:25:32 +00:00
Willem Toorop 46f0b06f24 Start release processes for getdns-1.5.0 2018-12-04 14:17:20 +01:00
Willem Toorop c80aa72725 ED25519 & ED448 support 2018-12-03 15:35:03 +01:00
Willem Toorop ea55b12a08 getdns_query for addresses with qname but no qtype 2018-12-03 14:52:58 +01:00
Willem Toorop 30a3a6b026 Longer timeout for recursing_6 test 2018-12-03 14:33:56 +01:00
Willem Toorop 390e383a1a ED25519 & ED448 DNSSEC validation support 2018-12-03 14:33:21 +01:00
Willem Toorop 6d066f95f9 Merge branch 'features/trust_anchors_backoff_time' into develop 2018-12-03 12:51:00 +01:00
Willem Toorop 4b688443f4 Sync with unbound 2018-12-03 12:50:37 +01:00
Willem Toorop a1692359f3 RFE #408: Retry fetching of TA after backoff time 2018-12-03 12:27:31 +01:00
Willem Toorop 1e7da76901 Bugfix getdnsapi/stubby#140 fallback on getentropy failure 2018-11-30 14:50:06 +01:00
Willem Toorop 5986d0497f Merge branch 'features/dnssec_extension' into develop 2018-11-30 14:23:49 +01:00
Willem Toorop c1f51815ba RFE #408: "dnssec" extension requiring DNSSEC
When this extension is set, GETDNS_DNSSEC_INDETERMINATE status will no
longer be returned.
2018-11-30 14:20:12 +01:00
Jim Hague 153e766edf tls.h uses struct mem_funcs in types-internal.h. 2018-11-27 18:04:14 +00:00
Jim Hague c4a3f75844 Correct make depend generation for TLS directory. 2018-11-27 18:03:27 +00:00
Jim Hague e60d852637 Common OpenSSL digester selection. 2018-11-27 16:55:33 +00:00
Willem Toorop e3b007a43a Issue #410: Document ownership with getdns_context_get_api_information()
+ const for extensions and namespaces
TODO: Look at other cases that are not const for no good reason.

Thanks Stefan Bühler
2018-11-27 16:59:47 +01:00
Jim Hague c101a7a021 Abstract context DANE initialisation. 2018-11-27 15:41:23 +00:00
Jim Hague 26bcddd029 Abstract cookie SHA256 calculation. 2018-11-27 15:31:33 +00:00
Jim Hague af962228fc Abstract maximum digest length. 2018-11-27 15:31:05 +00:00
Jim Hague 0cdede21df Abstract SHA1 calculation. 2018-11-27 15:29:48 +00:00
Jim Hague 5e390a4b23 Revise all TLS interfaces to pass in GetDNS memory functions where necessary.
This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c.
2018-11-27 14:41:46 +00:00
Jim Hague bc3106af94 Abstract out HMAC functions in request-internal.c. 2018-11-27 11:49:12 +00:00
Jim Hague 4ec93a3df0 Add Doxygen for remaining tls.h functions. 2018-11-26 11:32:18 +00:00
Jim Hague 27a7e4e28f Attempt minimal autoconf changes to use GnuTLS instead of OpenSSL.
I could waste the rest of the available time trying to turn configure.ac into something that cleanly ignores OpenSSL, uses GnuTLS instead and retains all the options. Or even better scrap the whole autoconf mess and start again.

But in the interests of prototyping, do something quick and dirty. This means GnuTLS must for now be configured thus:

$ CFLAGS="-g" ../configure --enable-stub-only --with-gnutls --disable-gost --disable-ecdsa --disable-edns-cookies

to evade other items with hardcoded OpenSSL checks in them.
2018-11-23 17:49:06 +00:00
Jim Hague 2267863a53 Attempt to improve the preprocessor horror that is util/val_secalgo.h.
Convert the main util/val_secalgo.h to a plain interface. Move the preprocessor redefines into validator/val_secalgo.h, and move THAT under openssl, because it is OpenSSL implementation specific at present - you can compile with NSS and Nettle if config allows.
2018-11-23 16:28:55 +00:00
Willem Toorop 2d76a5fd52 We had complaints for serving the root, so..
TCP only full recursion test now starting from K-root
	(because other roots are unreliable TCP-wise)
2018-11-22 12:16:19 +01:00
Willem Toorop b90ba236ae tls_ciphersuites, tls_cipher_list, tls_curve_list,
tls_min_version & tls_max_version settings must cause
	failure when not supported by the TLS library.  Not during
	configure time, but during connection setup so it doesn't
	hamper alternative transports.
2018-11-22 11:37:28 +01:00
Willem Toorop 6b10570842 DNSSEC bugfix found with static analysis
* Fix for DNSSEC bug in finding most specific key when
  trust anchor proves non-existance of one of the labels
  along the authentication chain other than the non-
  existance of a DS record on a zonecut.
2018-11-22 10:21:48 +01:00
Willem Toorop 4ff9816e39 google now supports DoT 2018-11-21 17:00:03 +01:00
Willem Toorop 73868643d2 Fix compile warnings 2018-11-21 16:07:47 +01:00
Willem Toorop 1904ee7318 Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130
Configurable TLS version
2018-11-21 15:02:28 +01:00
Jim Hague e7593541ef Ensure that compat/getentropy* don't get used, and so drag in OpenSSL. 2018-11-20 17:37:46 +00:00
Jim Hague 4f67491971 Remove unnecessary OpenSSL include in dnssec.c. 2018-11-20 17:36:56 +00:00
Jim Hague 05f9d30e89 Move anchor.c to under openssl. 2018-11-20 16:57:48 +00:00
Jim Hague f3e0f2b9e6 Split OpenSSL specific bits of keyraw.hc into keyraw-internal.hc.
All usage is internal to val_secalgo.c, which is already in openssl.
2018-11-20 16:51:17 +00:00
Jim Hague da94b52f74 Move val_secalgo.c to openssl.
It contains ports other than OpenSSL (NSS and NETTLE), but we're not worrying about those for our purposes at present.
2018-11-20 16:21:06 +00:00