Commit Graph

2928 Commits

Author SHA1 Message Date
Willem Toorop 990372329c typo 2018-12-13 15:26:13 +01:00
Willem Toorop dc6bb0fa52 Something wrong with /etc/hosts? 2018-12-13 15:24:37 +01:00
Willem Toorop eecc18703a Issue found with static analysis 2018-12-13 15:24:27 +01:00
Willem Toorop 154f98e321 Update consts 2018-12-13 15:24:19 +01:00
Willem Toorop 93b7cb6a01 ZONEMD rr-type 2018-12-13 14:53:41 +01:00
Jim Hague a4590bafcb Implement reading CAs from file or dir.
I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little diggiing shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
2018-12-13 13:33:54 +00:00
Willem Toorop 41f4940072 Log messages about trust anchor fetching and installing 2018-12-13 14:23:32 +01:00
Jim Hague e8f34d48fb Adjust default cipher list so required authentication works with getdnsapi.
The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.

So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
2018-12-13 12:04:01 +00:00
Jim Hague 2759d727e5 Minor speeling fix. 2018-12-13 11:54:41 +00:00
Jim Hague fa9d8885f0 Fix problems with GnuTLS pinset handling.
Pinset validation now seems to work.
2018-12-13 11:03:31 +00:00
Willem Toorop 91a3a3db36 More specific return codes, more logging 2018-12-12 16:12:07 +01:00
Jim Hague 45be26642b Fix dane query handling and verify error reporting.
Verify error is flags, not values. And deiniting a dane_query that is
NULL segfaults.
2018-12-12 15:01:07 +00:00
Jim Hague b51c7384e6 Implement _getdns_decode_base64() for GnuTLS.
Use primitives in libnettle.
2018-12-12 15:00:03 +00:00
Jim Hague 0dec4a6f21 Correct format string, fixing type error in specifier.
I was wondering why the error output did appear.
2018-12-12 14:59:13 +00:00
Jim Hague 35b4969216 Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string().
The only OpenSSL function is decoding Base64.
2018-12-11 18:03:00 +00:00
Jim Hague bf011d9294 Add GnuTLS DANE library to configure detection when using GnuTLS. 2018-12-11 18:02:03 +00:00
Jim Hague aa49a935c7 Fixed error detection in certificate verification. 2018-12-11 17:59:44 +00:00
Jim Hague ab69a9a7da Merge branch 'feature/abstract-tls' of https://github.com/banburybill/getdns into feature/abstract-tls 2018-12-11 15:01:44 +00:00
Jim Hague 0a9f155cc9
Merge pull request #4 from wtoorop/feature/abstract-tls-willem
Enable ed25519, ecdsa and cookies with gnutls/libnettle
2018-12-11 15:01:12 +00:00
Jim Hague 2c6ec5e0be Implement setting up pinset for DANE. Verification to come. 2018-12-11 14:59:21 +00:00
Willem Toorop ab700e70fe DNS Cookies with libnettle too 2018-12-11 15:13:17 +01:00
Willem Toorop a6ab7ffe41 ed25519 and ecdsa support with libnettle 2018-12-11 15:05:09 +01:00
Jim Hague ff7ffc246c Rename TLS Interface DANE init to pinset init. That's what it's actually used for. 2018-12-11 12:46:05 +00:00
Jim Hague 1acd880f26 Correct error return value from stub. 2018-12-07 17:56:12 +00:00
Jim Hague fee864c25c Implement setting cipher/curve lists.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
2018-12-07 16:55:17 +00:00
Willem Toorop bb99321e57 More constness for issue #410 2018-12-07 16:34:03 +01:00
Willem Toorop 8a7226baee Move from debugging to logging for
- upstream_stats & stub system
2018-12-07 14:02:17 +01:00
Willem Toorop bdfdd99645 Anticipate different openssl versions 2018-12-07 14:00:47 +01:00
Jim Hague 511dfc75ef Implement _getdns_tls_context_set_min_proto_1_2().
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
2018-12-07 11:11:33 +00:00
Jim Hague 64f0d6aaa8 Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify().
I managed to mislead myself about what it did, which suggests the name should be clearer.
2018-12-07 11:09:20 +00:00
Jim Hague b0c057e8ae Update dependencies for GnuTLS.
In practice a 'make depend' is required before building with either OpenSSL or GnuTLS.
2018-12-06 16:35:43 +00:00
Jim Hague 46c49cbcfe Modify getdns_server_mon to use GnuTLS or OpenSSL.
Untested.
2018-12-06 16:32:20 +00:00
Jim Hague 72d9b91a2e Extract non-OpenSSL specific code from pubkey-pinning.c, and move it back to common source.
OpenSSL-specific items are in pubkey-pinning-internal.c.
2018-12-06 14:09:30 +00:00
Jim Hague e73ab48687 Extract non-OpenSSL specific code from anchor.c, and move it back to common source.
OpenSSL-specific items are in anchor-internal.c.
2018-12-06 14:07:32 +00:00
Jim Hague 91764fb6b0 Correct checking of connection validation result. 2018-12-06 11:04:00 +00:00
Jim Hague c6dffa1239 Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.

GnuTLS uses Nettle itself, so this is not adding a new dependency.
2018-12-06 10:41:58 +00:00
Jim Hague b2312aee12 Implement hostname authentication. 2018-12-05 17:20:28 +00:00
Jim Hague f64aa8703d First pass at a mostly stubbed GnuTLS implementation.
This works enough to do a TLS lookup.
2018-12-05 11:25:32 +00:00
Willem Toorop 46f0b06f24 Start release processes for getdns-1.5.0 2018-12-04 14:17:20 +01:00
Willem Toorop c80aa72725 ED25519 & ED448 support 2018-12-03 15:35:03 +01:00
Willem Toorop ea55b12a08 getdns_query for addresses with qname but no qtype 2018-12-03 14:52:58 +01:00
Willem Toorop 30a3a6b026 Longer timeout for recursing_6 test 2018-12-03 14:33:56 +01:00
Willem Toorop 390e383a1a ED25519 & ED448 DNSSEC validation support 2018-12-03 14:33:21 +01:00
Willem Toorop 6d066f95f9 Merge branch 'features/trust_anchors_backoff_time' into develop 2018-12-03 12:51:00 +01:00
Willem Toorop 4b688443f4 Sync with unbound 2018-12-03 12:50:37 +01:00
Willem Toorop a1692359f3 RFE #408: Retry fetching of TA after backoff time 2018-12-03 12:27:31 +01:00
Willem Toorop 1e7da76901 Bugfix getdnsapi/stubby#140 fallback on getentropy failure 2018-11-30 14:50:06 +01:00
Willem Toorop 5986d0497f Merge branch 'features/dnssec_extension' into develop 2018-11-30 14:23:49 +01:00
Willem Toorop c1f51815ba RFE #408: "dnssec" extension requiring DNSSEC
When this extension is set, GETDNS_DNSSEC_INDETERMINATE status will no
longer be returned.
2018-11-30 14:20:12 +01:00
Jim Hague 153e766edf tls.h uses struct mem_funcs in types-internal.h. 2018-11-27 18:04:14 +00:00