Willem Toorop
9a4e389946
Better #ifdef select when to use X509_check_host
2018-02-12 15:46:42 +01:00
Willem Toorop
401aa2e3b8
Specify the supported curves with TLS
2018-02-12 15:40:17 +01:00
Willem Toorop
c3e4061fe2
hostname auth with libressl
2018-02-09 15:18:44 +01:00
Willem Toorop
b914b63e18
Merge branch 'feature/monitor-tool' into release/1.4.0
2018-02-08 14:06:40 +01:00
Willem Toorop
c033e3f1a3
Merge branch 'libressl' into release/1.4.0
2018-02-08 14:04:02 +01:00
Jim Hague
088d775117
In Keepalive test, send the maximum possible timeout value to the server.
The response will then show the server's value.
2018-02-08 12:35:45 +00:00
Willem Toorop
f7278ca696
Make getdns_server_mon work with libressl
2018-02-08 12:38:50 +01:00
Willem Toorop
bf1f01c87e
Syntactic mod to minimize changes relative to before the PR
So changes are highlighted in side-by-side views.
2018-02-08 12:02:48 +01:00
Willem Toorop
7af885396f
Merge branch 'release/1.4.0' into release/1.4.0-merge-PR-377
2018-02-08 11:46:28 +01:00
Willem Toorop
87fec7f9b4
Merge branch 'feature/monitor-tool' into release/1.4.0
2018-02-07 17:11:28 +01:00
Willem Toorop
a72359e058
Comply with new-style transport logging
2018-02-07 17:08:55 +01:00
Willem Toorop
7d4ccabc7f
Merge branch 'bugfix/opportunistic_fallabck' into release/1.4.0-merge-PR-377
2018-02-07 17:00:25 +01:00
Willem Toorop
0eba73a945
LibreSSL like OpenSSL < 1.0.2
2018-02-07 16:42:11 +01:00
Willem Toorop
c28a293c9f
"Pinset validation failure" error when it occurred
2018-02-07 14:38:31 +01:00
Willem Toorop
9c5a93bbdf
Merge branch 'develop' into devel/spki_pinset_via_tlsa_checking
2018-02-07 14:12:24 +01:00
Willem Toorop
e944203e55
Merge branch 'develop' of github.com:getdnsapi/getdns into develop
2018-02-07 13:50:53 +01:00
Willem Toorop
82c00eb0a5
version.bind CH TXT for getdns_query
2018-02-07 13:50:29 +01:00
Jim Hague
13d7a730ee
Further mitigate cache effects for OOOR by adding random label to delay lookup.
It turns out that delay.getdnsapi.net only pays attention to the left-most label.
2018-02-07 12:41:24 +00:00
Jim Hague
a25f832d8a
Remove timeout argument from keepalive test.
The client doesn't send a timeout value to the server, so there's no point having this argument.
2018-02-01 16:04:22 +00:00
Willem Toorop
ec8b8ba903
One more fixing the fixes fix that slipped through
2018-01-31 14:41:13 +01:00
Willem Toorop
9bc98272a1
Fixing the fixes
2018-01-31 14:33:31 +01:00
Willem Toorop
97b056c355
Prevent erred TCP connection from being rescheduled ...
for reading (or writing) when a reply comes in.
Thanks Maddie!
2018-01-30 15:21:46 +01:00
Willem Toorop
1f401f7253
Do not return freed netreqs!
2018-01-30 12:40:47 +01:00
Willem Toorop
2e03d3799c
Memory leak on some TLS creation error cases
2018-01-30 12:23:23 +01:00
Jim Hague
3b5657e580
Reduce delay on OOOR delayed lookup.
A delay of 1000ms was causing frequent lookup timeouts e.g. on 9.9.9.9. We hypothesise that the delay causes an internal timeout in the server to fire. So reduce the delay to a smaller value that seems to leave the test working but reduces the incidence of timeouts.
We observe this still leaves timeouts on TLS connections to 9.9.9.9. These seem to occur only on TLS connections, and reducing the delay much further does not alter the observed behaviour. We guess there is something else going on there.
2018-01-29 10:17:54 +00:00
Sara Dickinson
7e3439efbc
Improve handling of opportunistic back-off. If other transports are working, don't forcibly promote failed upstreams, just wait for the re-try timer.
Clean up logs.
2018-01-24 13:13:14 +00:00
Willem Toorop
4f37d2b933
No wildcard expansions allowed for RRs used in DNSSEC proofs
Signatures of DNSKEYs, DSs, NSECs and NSEC3s can not be wildcard expansions when used with DNSSEC proofs.
Only direct queries for those types are allowed to be wildcard expansions.
This is in response to https://unbound.net/downloads/CVE-2017-15105.txt , although getdns was not vulnerable to this specific issue.
2018-01-23 16:50:05 +01:00
Jim Hague
037f6039c8
Improve AsciiDoc table formatting.
2018-01-23 13:53:08 +00:00
Jim Hague
01ea1d6a22
Note TLS 1.3 is experimental. At least until we find a stable test server.
2018-01-23 13:47:31 +00:00
Jim Hague
b0661b9d9f
Add a tool README.
Use AsciiDoc for this, as the GitHub table support in Markdown is woeful. But AsciiDoc is always better than Markdown anyway.
2018-01-23 13:45:55 +00:00
Jim Hague
8ba53f10b6
Correct RTT warning and critical default thresholds.
2018-01-23 13:45:09 +00:00
Jim Hague
fcaa4f9845
Reflow usage message entry.
2018-01-23 12:37:14 +00:00
Jim Hague
f3b2f83879
More output tittivating. Make verbose by default in non-monitoring mode.
2018-01-23 12:14:40 +00:00
Jim Hague
a4f17760ab
Revise rcode_text() to get text from getdns, and add rrtype_text().
2018-01-23 12:13:59 +00:00
Jim Hague
7e884e2cd0
Rename concurrent to OOOR (Out Of Order Responses).
2018-01-23 11:30:12 +00:00
Jim Hague
bedd3a02cf
Revise concurrency test to use <n>.delay.getdnsapi.net.
This gives more secure results than the previous method.
2018-01-22 17:39:25 +00:00
Jim Hague
1e774a95f5
Don't rely on GCC extensions.
2018-01-22 16:49:53 +00:00
Jim Hague
8c3047dbe0
Add 'concurrent' test
The concurrent test works by sending a known good query synchronously,
and then sending asynchronous queries for three random TLDs followed by
the known good query. The latter should be answerable from cache, and so
give a result before at least one of the random TLDs.
2018-01-22 16:49:53 +00:00
Willem Toorop
d38f233a80
Track readbuf free's
As tcp_connection_destroy() might be called more than once per connection (depending on outstanding work)
2018-01-22 16:56:48 +01:00
Jim Hague
f9e4c9f853
Revise output.
If in monitoring mode, make output conform to Nagios norms. This starts with the probe type and result, so we need to save output generated during the operation and print it at the end.
If not in monitoring mode, make the formatting more expansive.
2018-01-22 14:36:54 +00:00
Jim Hague
0291e205fd
Add TLS 1.3 test.
Add a new item tls_version to call_reporting, containing the OpenSSL version string for the name of the protocol used for the connection.
The test does a normal lookup, but first sets the cipher list to TLS 1.3-only ciphers. This will cause a Bad Context error at search time, so we can tell if the underlying OpenSSL library lacks TLS 1.3. Then check the call reporting for a TLS version of "TLSv1.3".
2018-01-19 15:56:40 +00:00
Jim Hague
62ad159f15
Update dnssec-validate. Check we can retrieve info for bogus domain, and remove must use TCP flag.
Run a second query with the CD bit set and check that succeeds.
2018-01-19 14:51:46 +00:00
Jim Hague
3fd4f7f240
Add 'dnssec-validate' test.
This test checks whether the server does DNSSEC validation. If it manages to find an A record for dnssec-failed.org, it doesn't.
2018-01-19 14:51:46 +00:00
Jim Hague
1a3025a405
If server does not return expected TXT in qname-min, return UNKNOWN not WARNING.
2018-01-18 17:17:16 +00:00
Jim Hague
ea035fa82e
Correct some code formatting.
2018-01-18 17:16:28 +00:00
Jim Hague
add818fea2
Remove dependency on timegm() when using OpenSSL < 1.0.2.
Convert dates to Julian and diff. This is basically what ASN1_TIME_diff() does internally.
And that's quite enough near-pointless polishing here.
2018-01-18 10:55:44 +00:00
Jim Hague
00c17dca14
Add to certificate time conversion to cope with pre-1.0.2 OpenSSL. Also tag printed time with UTC.
The time parse with pre-1.0.2 is a best effort, and relies on timegm() to convert struct tm in UTC to time_t. There being no attractive alternative. Isn't C time handling grotty?
2018-01-17 18:38:28 +00:00
Willem Toorop
155b035cd8
Forgot to surround yaml include with defines
2018-01-17 17:07:36 +01:00
Jim Hague
760269acbd
Make internal types POSIX-compliant by not naming them *_t.
See: http://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xsh_chap02.html#tag_22_02_12_01
The change tacitly ignores the colossal number of coach and horses the entire world, including getdns, has stampeded through this POSIX hope for decades, but simply hopes for some small recognition when the Recording Angel tots up the damages.
2018-01-17 15:35:56 +00:00
Jim Hague
6bd0f8b980
Encode exit status words in () to make it clear that it's not part of the sentence.
'Server validates OK' -> 'Server validates (OK)'
2018-01-17 15:24:17 +00:00
Jim Hague
3666d994a7
Add 'keepalive' test and supporting changes to getdns library.
Checking for server support for keepalive means we need to know if the server did send a keepalive option to the client. This information is not currently exposed in getdns, so add a flag 'server_keepalive_received' to call_reporting. This is 0 if not received, 1 if received. If received, the actual timeout is in 'idle timeout in ms', though watch out for the overflow alternative.
2018-01-17 15:17:20 +00:00
Jim Hague
a4ff6de985
Add 'tls-padding' test.
2018-01-16 12:59:03 +00:00
Jim Hague
fdafb458ef
Decide we don't want return_both_v4_and_v6 on queries.
2018-01-16 12:19:33 +00:00
Jim Hague
b8424e494d
Fix up some small usage typos, and don't report result if issuing test usage message.
2018-01-16 11:05:16 +00:00
Jim Hague
5ea0edf262
Update usage.
2018-01-15 17:42:57 +00:00
Jim Hague
8dc3a84735
Add options specifying transport.
2018-01-15 17:42:43 +00:00
Jim Hague
3438c68591
Prefix TLS-only options with 'tls-'.
2018-01-15 13:26:09 +00:00
Jim Hague
08b5976f9c
Decouple from getdns config. This is now a pure getdns client.
2018-01-15 13:19:48 +00:00
Jim Hague
3298b5cd50
Extract common processing into search_check() and parse_search_check().
2018-01-15 12:37:57 +00:00
Jim Hague
cb7af33488
Some tests imply TLS. Explicitly make sure these always go over TLS.
2018-01-15 11:28:11 +00:00
Jim Hague
77a5a15cdf
Minor output corrections.
2018-01-15 11:02:14 +00:00
Jim Hague
22996bf07d
If TLS auth name given, lookup is to go over TLS.
2018-01-15 11:00:12 +00:00
Jim Hague
c0d7d2c279
Print exit status at end of main output line.
2018-01-15 10:27:10 +00:00
Jim Hague
5d4bc8bc96
Add rtt test.
2018-01-15 10:16:26 +00:00
Jim Hague
b9312e790f
Correct certificate expiry custom threshold handling.
2018-01-15 10:01:01 +00:00
Jim Hague
3258fdfd5a
Tabs? Spaces? Currently both, switch to spaces only.
2018-01-14 23:28:55 +00:00
Jim Hague
379662a3f3
Add plain lookup test.
2018-01-14 13:41:44 +00:00
Jim Hague
60118e9241
Improve cert-valid argument order to most likely first.
2018-01-13 14:56:55 +00:00
Jim Hague
e7618321ce
Add cert-valid test.
2018-01-12 18:21:38 +00:00
Jim Hague
e597daa4c0
Add 'auth' test.
2018-01-12 17:23:42 +00:00
Jim Hague
305daab9aa
Add first version of getdns_server_mon.
Currently only QNAME minimisation check is working.
2018-01-12 16:11:48 +00:00
Norbert Copones
0fa6d1fe2d
src/stub.c: LibreSSL has hostname verification turned on by default
2018-01-12 05:44:27 +08:00
Willem Toorop
d44237554d
No warnings from danessl allowed
2018-01-11 12:40:01 +01:00
Willem Toorop
dd433ede68
Merge branch 'develop' into devel/spki_pinset_via_tlsa_checking
2018-01-10 14:36:43 +01:00
Willem Toorop
a746ea5e08
Dependencies
2018-01-10 14:36:33 +01:00
Willem Toorop
6b4446c7cd
Suppress compiler warnings in danessl library
2018-01-10 14:34:25 +01:00
Willem Toorop
712617e568
Dead assignment (without stub debugging)
2018-01-10 13:54:18 +01:00
Willem Toorop
7c5bdd5431
Use danessl submodule when OpenSSL version between 1.0.0 and 1.1.0
2018-01-10 12:47:14 +01:00
Willem Toorop
9e34588f19
logic error
2018-01-08 16:04:40 +01:00
Willem Toorop
546b75a9b1
libidn2 support. Thanks Paul Wouters
2018-01-08 12:54:48 +01:00
Willem Toorop
a1e5cc44a0
Add https://github.com/vdukhovni/ssl_dane submodule
2018-01-08 10:33:25 +01:00
Willem Toorop
608189710c
Log printing in getdns_query
2018-01-04 16:35:22 +01:00
Willem Toorop
2471f43dea
Less logging with successful authenticated upstreams
2018-01-04 16:15:50 +01:00
Willem Toorop
540735a956
Check pins with DANE functions when available
2018-01-04 15:58:09 +01:00
Willem Toorop
03d4950470
We need to set transport list before first query
(this needs to be reviewed...)
2017-12-21 16:49:19 +01:00
Willem Toorop
9aa1d067d2
Detect dnsmasq and skip the unit test that fails with it
This actually resolves issue #300
Thanks Tim Rühsen and Konomi Kitten
2017-12-21 16:21:10 +01:00
Willem Toorop
aa419a88d0
Skip some more truncation issues with dnsmasq
2017-12-21 16:01:48 +01:00
Willem Toorop
81ffa2f48d
Skip test that breaks with dnsmasq
when SKIP_DNSMASQ_ISSUE variable is set.
Helps out a little with issue #300
2017-12-21 15:45:58 +01:00
Willem Toorop
0ef910b9ee
read_buf's may remain on canceled tcp requests
2017-12-21 14:53:54 +01:00
Willem Toorop
97cc67d026
s/CApath/tls_ca_path/g s/CAfile/tls_ca_file/g
2017-12-21 13:08:01 +01:00
Willem Toorop
ae38a29a50
Upstream specific tls_cipher_list's
2017-12-21 12:30:15 +01:00
Willem Toorop
8f88981efe
rename set_cipher_list() to set_tls_cipher_list()
2017-12-21 11:35:05 +01:00
Willem Toorop
7fe3bd6a1f
getdns_context_set_ciphers_list()
2017-12-20 13:13:02 +01:00
Willem Toorop
274bc9bc4a
Merge branch 'develop' into release/1.2.2
2017-12-20 09:37:56 +01:00
Pascal Ernster
65c7a738eb
Add support for TLS 1.3 and Chacha20-Poly1305
Add support for TLS 1.3 (requires OpenSSL 1.1.1) and Chacha20-Poly1305 (requires OpenSSL 1.1).
Older OpenSSL versions will simply ignore ciphersuite specifications they don't understand and use the subset which they do understand.
Note that "EECDH" does *not* select anonymous cipher suites (as opposed to "kECDHE").
2017-12-15 20:01:30 +00:00
Sara Dickinson
00d3232ba4
Fix windows build
2017-12-15 16:53:23 +00:00
Willem Toorop
ac17d4ebed
We need a specific install location for test builds ...
to not load default library
2017-12-14 11:53:15 +01:00
wtoorop
9c35fa1643
Merge pull request #364 from saradickinson/move_macos_script
Update makefile because a file in Stubby was moved
2017-12-13 16:35:32 +01:00
Willem Toorop
0615457dfa
Resolve constant conflict
2017-12-13 15:43:36 +01:00
Sara Dickinson
d232353f93
Update makefile because a file in Stubby was moved
2017-12-13 14:22:52 +00:00