Willem Toorop
f84c67282d
Merge branch 'features/add_warning_for_bad_dns' into develop
2015-12-30 10:51:26 +01:00
Willem Toorop
f3e3e47e15
Implement bad_dns extension
2015-12-29 14:10:18 +01:00
Willem Toorop
ad23c446b6
Complement ChangeLog and bump versions
2015-12-24 16:57:48 +01:00
Willem Toorop
d79884f10a
Replace ssize_t with int in conversion funcs tpkg
2015-12-24 16:22:38 +01:00
Willem Toorop
240b34e215
Missing file removals with distclean
2015-12-24 16:22:03 +01:00
Willem Toorop
0b1e0e6d0f
Definite December 2015 version of spec
2015-12-24 16:05:04 +01:00
Willem Toorop
2fa7fbefa4
Update spec to December 2015 version
2015-12-24 15:47:55 +01:00
Willem Toorop
3e2464af6d
Changes that came out of portability tests
2015-12-24 15:28:12 +01:00
Willem Toorop
a09a051ed5
New code, new dependencies...
2015-12-24 15:01:45 +01:00
Willem Toorop
a2bdfb2f22
Merge branch 'features/windows-support' into develop
2015-12-24 14:44:18 +01:00
Willem Toorop
9d3905459e
Miscellaneous fixes to compile on windows
...
Also without warnings.
2015-12-24 14:41:50 +01:00
saradickinson
b777552f34
Merge pull request #131 from saradickinson/feature/pubkey-pinning
...
Feature/pubkey pinning
2015-12-24 10:13:53 +00:00
Willem Toorop
caba5f19d5
Merge branch 'develop' into features/windows-support
2015-12-24 11:01:26 +01:00
Sara Dickinson
f94798b237
Final mixups
2015-12-24 10:00:15 +00:00
Willem Toorop
05efbd79de
Merge branch 'features/dns_root_servers' into develop
2015-12-24 10:51:50 +01:00
Willem Toorop
8bde787703
Use mkstemp instead of tmpnam to eliminate warning
2015-12-24 10:50:58 +01:00
Willem Toorop
71b2a44945
Remove root_servers comment leftovers
2015-12-23 21:19:52 +01:00
Sara Dickinson
3afba25dad
Update test case and changeling
2015-12-23 18:00:44 +00:00
Sara Dickinson
a5027981d9
Change how the aliasing is done so the tpkg tests will pass
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
2a50f4d2ac
Set tls_auth_failed when any present authentication mechanism fails
...
We used to only have hostnames available. now we have pubkey_pinsets
available as well.
We want upstream->tls_auth_failed to be 1 when any authentication
mechanism we've been asked for fails (and also when we haven't been
given any authentication mechanism at all).
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
57a04f61db
Allow AUTHENTICATION_REQUIRED w/o hostname when pubkey pinset is available
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
77802808ce
rename GETDNS_AUTHENTICATION_HOSTNAME with GETDNS_AUTHENTICATION_REQUIRED
2015-12-23 18:00:43 +00:00
Sara Dickinson
792ecd65b8
Add missing constant to const-info.c
2015-12-23 18:00:43 +00:00
Sara Dickinson
2ce806c05b
Tinker with debug statements/comments.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
a9eb9ccca9
Check that the pinset matches if it is configured
...
if the upstream is configured to allow fallback, this will not be a
fatal error, but it will still be checked.
Future work:
* verify any certs higher in the chain than the end-entity cert
* deal with raw public keys
* in the fallback case, report to the user whether the pinset match failed
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
d09675539e
Provide access to the pinsets during the TLS verification callback
...
We do this by associating a getdns_upstream object with the SSL object
handled by that upstream.
This allows us to collapse the verification callback code to a single
function.
Note that if we've agreed that fallback is ok, we are now willing to
accept *any* cert verification error, not just HOSTNAME_MISMATCH.
This is fine, because the alternative is falling back to cleartext,
which would be worse.
We also always set SSL_VERIFY_PEER, since we might as well try to do
so; we'll drop the verification error ourselves if we know we're OK
with falling back.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
614d317fd8
getdns_query: add -K option to attach pinsets to getdns_contexts.
2015-12-23 18:00:43 +00:00
Daniel Kahn Gillmor
0d2256df09
set and return the pubkey_pinsets on the upstream resolvers
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
b305f073fe
add functions to translate between getdns_list and sha256_pin linked list
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
4dbe1813e4
added simple sha256 public key pinning linked list to getdns_upstream
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
5e64f1262b
add getdns_pubkey_pinset_sanity_check()
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
91f04ecd5e
add getdns_pubkey_pin_create_from_string()
2015-12-23 17:59:50 +00:00
Daniel Kahn Gillmor
4047bd09da
define _DEFAULT_SOURCE as well as _BSD_SOURCE for glibc version 2.20 and up
...
in recent versions of feature_test_macros(7), it says of _BSD_SOURCE:
Since glibc 2.20, this macro is deprecated. It now has the same
effect as defining _DEFAULT_SOURCE, but generates a compile-time
warning (unless _DEFAULT_SOURCE is also defined). Use
_DEFAULT_SOURCE instead. To allow code that requires
_BSD_SOURCE in glibc 2.19 and earlier and _DEFAULT_SOURCE in
glibc 2.20 and later to compile without warnings, define both
_BSD_SOURCE and _DEFAULT_SOURCE.
2015-12-23 17:57:49 +00:00
Willem Toorop
ce1185166c
Merge branch 'features/dns_root_servers' into develop
2015-12-23 17:41:40 +01:00
Willem Toorop
29b033c14c
off-by-one bugfixes
2015-12-23 17:38:36 +01:00
Willem Toorop
fbae577a54
Setting of root servers
...
test with
getdns_query -f yeti.key -R yeti.hints nlnetlabs.nl A +dnssec_return_status
where yeti.key comes from:
https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/named.cache
and yeti.hints from:
https://raw.githubusercontent.com/BII-Lab/Yeti-Project/master/domain/KSK.pub
2015-12-23 17:15:45 +01:00
Willem Toorop
746c26dafc
Update Makefile dependencies
2015-12-23 12:26:39 +01:00
Willem Toorop
8ebb047693
Merge branch 'features/conversion_functions' into develop
2015-12-23 12:13:44 +01:00
Willem Toorop
f9c2f96996
Fixes for miscelanous little zone parse errors
...
Hopefully the tpkg test is more deterministic now too...
2015-12-23 12:06:09 +01:00
Willem Toorop
11cd892662
Clean boundries on wireformat scans
2015-12-22 19:14:18 +01:00
Willem Toorop
e4fa06a57b
getdns_fp2rr_list conversion function
...
+ private conversion functions that respect custom memory handlers
+ converage of more different example functions in 260-conversion-functions test package
2015-12-22 18:37:24 +01:00
Willem Toorop
0cb513e9b7
Doc of (|_buf|_scan) style conversion funcs
...
+ (|_buf|_scan) versions of most of the conversion directions.
+ mk-const-info handles new return_t's defines
2015-12-22 16:04:43 +01:00
Willem Toorop
6519a05780
all debug config option for broadest src coverage
...
With the 300 tpkg test
2015-12-22 11:43:06 +01:00
Willem Toorop
fe7a1e89e3
Constify new work
2015-12-22 11:32:15 +01:00
Willem Toorop
5bbcbb97a1
Merge branch 'develop' into features/conversion_functions
2015-12-22 11:28:27 +01:00
Willem Toorop
0a809cb7d8
Allow truncated answers to be returned
2015-12-22 10:56:20 +01:00
Willem Toorop
ee2a1fbfe6
Merge branch 'features/tsig' into develop
2015-12-22 01:08:25 +01:00
Willem Toorop
8a8a017fc5
Validate received TSIG reply
2015-12-22 01:03:31 +01:00
Willem Toorop
6c1e00fc3f
Send TSIG
2015-12-21 22:11:16 +01:00
wtoorop
8eeb3a6650
Merge pull request #129 from saradickinson/feature/edns-tcp-keepalive
...
Implement client side edns-tcp-keepalive
Great work! Thanks!
2015-12-21 20:20:27 +01:00