interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
1,541 Commits 58 Branches 69 Tags 14 MiB
Commit Graph

157 Commits

Author SHA1 Message Date
Willem Toorop 6b2d9a2d70 Unused var compile warning in certain conditions 2015-12-31 11:26:29 +01:00
Willem Toorop a2bdfb2f22 Merge branch 'features/windows-support' into develop 2015-12-24 14:44:18 +01:00
Willem Toorop 9d3905459e Miscellaneous fixes to compile on windows 
Also without warnings.
 2015-12-24 14:41:50 +01:00
Willem Toorop caba5f19d5 Merge branch 'develop' into features/windows-support 2015-12-24 11:01:26 +01:00
Daniel Kahn Gillmor 2a50f4d2ac Set tls_auth_failed when any present authentication mechanism fails 
We used to only have hostnames available.  now we have pubkey_pinsets
available as well.

We want upstream->tls_auth_failed to be 1 when any authentication
mechanism we've been asked for fails (and also when we haven't been
given any authentication mechanism at all).
 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor 57a04f61db Allow AUTHENTICATION_REQUIRED w/o hostname when pubkey pinset is available 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor 77802808ce rename GETDNS_AUTHENTICATION_HOSTNAME with GETDNS_AUTHENTICATION_REQUIRED 2015-12-23 18:00:43 +00:00
Sara Dickinson 2ce806c05b Tinker with debug statements/comments. 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor a9eb9ccca9 Check that the pinset matches if it is configured 
if the upstream is configured to allow fallback, this will not be a
fatal error, but it will still be checked.

Future work:

 * verify any certs higher in the chain than the end-entity cert
 * deal with raw public keys
 * in the fallback case, report to the user whether the pinset match failed
 2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor d09675539e Provide access to the pinsets during the TLS verification callback 
We do this by associating a getdns_upstream object with the SSL object
handled by that upstream.

This allows us to collapse the verification callback code to a single
function.

Note that if we've agreed that fallback is ok, we are now willing to
accept *any* cert verification error, not just HOSTNAME_MISMATCH.
This is fine, because the alternative is falling back to cleartext,
which would be worse.

We also always set SSL_VERIFY_PEER, since we might as well try to do
so; we'll drop the verification error ourselves if we know we're OK
with falling back.
 2015-12-23 18:00:43 +00:00
Willem Toorop fe7a1e89e3 Constify new work 2015-12-22 11:32:15 +01:00
Willem Toorop 5bbcbb97a1 Merge branch 'develop' into features/conversion_functions 2015-12-22 11:28:27 +01:00
Willem Toorop 0a809cb7d8 Allow truncated answers to be returned 2015-12-22 10:56:20 +01:00
Willem Toorop ee2a1fbfe6 Merge branch 'features/tsig' into develop 2015-12-22 01:08:25 +01:00
Willem Toorop 6c1e00fc3f Send TSIG 2015-12-21 22:11:16 +01:00
Sara Dickinson 746a827baa Implement client side edns-tcp-keepalive 2015-12-21 17:05:56 +00:00
Sara Dickinson 91a73ab3d0 cleanup 2015-12-18 16:22:09 +00:00
Sara Dickinson 4165e874de Fix tests 2015-12-18 16:14:54 +00:00
Sara Dickinson c5b839bda8 remove STARTTLS 2015-12-18 16:14:54 +00:00
Willem Toorop 5663f914fb Mode debug marco's to own header 
To reduce dependency location fixes in test directory.
 2015-12-18 13:40:52 +01:00
Willem Toorop 5a65d2b693 Look further then you nose Willem! 2015-12-17 15:46:31 +01:00
Willem Toorop b839b97ac2 Oops... reverted syntax/style to agressively 2015-12-17 13:07:39 +01:00
Willem Toorop a2e15a169d Revert syntactic/style changes 
So actual changes aren't obfuscated
 2015-12-17 12:37:33 +01:00
Willem Toorop 16b62f43eb Merge branch 'develop' into features/conversion_functions 2015-12-16 13:53:25 +01:00
wtoorop 69b54be99c Merge pull request #126 from saradickinson/feature/mac_tfo 
Enable TFO by default if possible, add MAC OSX TFO support
Looks good, thanks.
 2015-12-16 13:45:14 +01:00
Sara Dickinson 736d9f20bf Enable TCP FastOpen by default and add support for OSX implementation of TFO. 2015-12-13 17:44:31 +00:00
Willem Toorop d67949d1e7 iterators go over const wireformat data 2015-12-07 16:43:41 +01:00
unknown 22a8550caa Bug fix in get_os_defaults, clean up code in winsock_event, add code to handle event handling differences in Winsock2 2015-12-04 16:12:43 -05:00
unknown 2d58ed465c Changes for Windows, Fix configure.ac to take in a winsock option to configure and generafigure, add ifdef's to stub out windows code for other platforms. 2015-11-22 22:38:13 -05:00
Willem Toorop 08bf613cde Prevent segfault with failed TLS handshake? 
Need proper review for this patch!  Sara?
 2015-11-15 12:46:21 -05:00
Sara Dickinson d75ba83013 Fix bug with call_debugging reporting of UDP and add a getter for tls_authentication 2015-11-13 13:28:43 +00:00
saradickinson 1a72454b88 Remove debug 2015-11-05 14:41:23 +09:00
saradickinson 5f60683f57 Fix seg fault on timeout 2015-11-05 14:41:23 +09:00
Willem Toorop 26566a3b00 Merge branch 'develop' of github.com:getdnsapi/getdns into develop 2015-11-04 23:25:49 +01:00
Willem Toorop 7f4bdc0868 Bumb versions 2015-11-04 23:25:38 +01:00
Willem Toorop 0c3eb08f4d Merge branch 'features/call_debug' into develop 2015-11-04 16:23:22 +09:00
Daniel Kahn Gillmor 83bf5ab08b actually implement tls_query_padding_blocksize 
since no DNS OPT value has been allocated, i chose a random value in
the experimental/local range.
 2015-11-01 15:49:56 +09:00
Daniel Kahn Gillmor df3725e635 added edns_client_subnet_private to getdns_context 
https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-04

Using the above spec, an intermediate resolver may forward a chunk of
the client's IP address to the authoritative resolver.

Setting edns_client_subnet_private to a getdns_context in stub mode
will indicate to the next-hop recursive resolver that the client
wishes to keep their address information private.
 2015-11-01 15:49:50 +09:00
Daniel Kahn Gillmor 0b388872ea clarify per-query options vs. per-upstream options 
Sending DNS cookies was overwriting any existing options (DNS OPT) in
the outbound query.

Also, DNS cookies may not be the only option that gets set
per-upstream (instead of per-query).

This changeset establishes a set of per-query options (established at
the time of the query), and a buffer of additional space for adding
options based on the upstream is in use.

The size of this buffer is defined at configure time (defaults to 3000
octets).

Just before a query is sent out, we add the per-upstream options to
the query.

Note: we're also standardizing the query in tls too, even though we're
not sending any upstream options in that case at the moment
(edns_cookies are much weaker than TLS itself)
 2015-11-01 15:47:22 +09:00
Daniel Kahn Gillmor 3e90795680 enable talking to servers with ECDSA certs 
There is no clear reason to reject servers that don't have RSA certs.
We should accept ECDSA certs as well.

(also, clean up comments about opportunistic TLS)
 2015-11-01 15:47:03 +09:00
jad 51eb2fdf55 working prototype 6 2015-11-01 12:47:49 +09:00
jad 2d20e18b8a working prototype 4 2015-11-01 11:14:45 +09:00
jad a85b17c885 working prototype 1 2015-11-01 10:24:02 +09:00
Willem Toorop 35c803208b Bit more concise and clear confusing code text 2015-10-31 18:24:24 +09:00
Willem Toorop 521e46879b Document that thing that we keep forgetting about 2015-10-31 17:15:36 +09:00
Willem Toorop 0a717f5d51 Warning with older (less intelligent) compiles 2015-10-29 16:25:07 +01:00
Sara Dickinson e397d1e020 Fix error that was not allowing cipher suite fallback for opportunistic TLS. 2015-10-25 15:28:20 +00:00
Willem Toorop ebd94f48cf Anticipate missing X509_V_ERR_HOSTNAME_MISMATCH 2015-10-21 16:01:40 +02:00
Sara Dickinson b74c62066c Cleanup 2015-10-16 18:31:57 +01:00
Sara Dickinson 689447509a Change port used for TLS to 853 2015-10-16 17:00:14 +01:00