Jim Hague
fa9d8885f0
Fix problems with GnuTLS pinset handling.
Pinset validation now seems to work.
2018-12-13 11:03:31 +00:00
Jim Hague
45be26642b
Fix dane query handling and verify error reporting.
Verify error is flags, not values. And deiniting a dane_query that is
NULL segfaults.
2018-12-12 15:01:07 +00:00
Jim Hague
b51c7384e6
Implement _getdns_decode_base64() for GnuTLS.
Use primitives in libnettle.
2018-12-12 15:00:03 +00:00
Jim Hague
0dec4a6f21
Correct format string, fixing type error in specifier.
I was wondering why the error output did appear.
2018-12-12 14:59:13 +00:00
Jim Hague
35b4969216
Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string().
The only OpenSSL function is decoding Base64.
2018-12-11 18:03:00 +00:00
Jim Hague
bf011d9294
Add GnuTLS DANE library to configure detection when using GnuTLS.
2018-12-11 18:02:03 +00:00
Jim Hague
aa49a935c7
Fixed error detection in certificate verification.
2018-12-11 17:59:44 +00:00
Jim Hague
ab69a9a7da
Merge branch 'feature/abstract-tls' of https://github.com/banburybill/getdns into feature/abstract-tls
2018-12-11 15:01:44 +00:00
Jim Hague
0a9f155cc9
Merge pull request #4 from wtoorop/feature/abstract-tls-willem
Enable ed25519, ecdsa and cookies with gnutls/libnettle
2018-12-11 15:01:12 +00:00
Jim Hague
2c6ec5e0be
Implement setting up pinset for DANE. Verification to come.
2018-12-11 14:59:21 +00:00
Willem Toorop
ab700e70fe
DNS Cookies with libnettle too
2018-12-11 15:13:17 +01:00
Willem Toorop
a6ab7ffe41
ed25519 and ecdsa support with libnettle
2018-12-11 15:05:09 +01:00
Jim Hague
ff7ffc246c
Rename TLS Interface DANE init to pinset init. That's what it's actually used for.
2018-12-11 12:46:05 +00:00
Jim Hague
1acd880f26
Correct error return value from stub.
2018-12-07 17:56:12 +00:00
Jim Hague
fee864c25c
Implement setting cipher/curve lists.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
2018-12-07 16:55:17 +00:00
Jim Hague
511dfc75ef
Implement _getdns_tls_context_set_min_proto_1_2().
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
2018-12-07 11:11:33 +00:00
Jim Hague
64f0d6aaa8
Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify().
I managed to mislead myself about what it did, which suggests the name should be clearer.
2018-12-07 11:09:20 +00:00
Jim Hague
b0c057e8ae
Update dependencies for GnuTLS.
In practice a 'make depend' is required before building with either OpenSSL or GnuTLS.
2018-12-06 16:35:43 +00:00
Jim Hague
46c49cbcfe
Modify getdns_server_mon to use GnuTLS or OpenSSL.
Untested.
2018-12-06 16:32:20 +00:00
Jim Hague
72d9b91a2e
Extract non-OpenSSL specific code from pubkey-pinning.c, and move it back to common source.
OpenSSL-specific items are in pubkey-pinning-internal.c.
2018-12-06 14:09:30 +00:00
Jim Hague
e73ab48687
Extract non-OpenSSL specific code from anchor.c, and move it back to common source.
OpenSSL-specific items are in anchor-internal.c.
2018-12-06 14:07:32 +00:00
Jim Hague
91764fb6b0
Correct checking of connection validation result.
2018-12-06 11:04:00 +00:00
Jim Hague
c6dffa1239
Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.
GnuTLS uses Nettle itself, so this is not adding a new dependency.
2018-12-06 10:41:58 +00:00
Jim Hague
b2312aee12
Implement hostname authentication.
2018-12-05 17:20:28 +00:00
Jim Hague
f64aa8703d
First pass at a mostly stubbed GnuTLS implementation.
This works enough to do a TLS lookup.
2018-12-05 11:25:32 +00:00
Jim Hague
153e766edf
tls.h uses struct mem_funcs in types-internal.h.
2018-11-27 18:04:14 +00:00
Jim Hague
c4a3f75844
Correct make depend generation for TLS directory.
2018-11-27 18:03:27 +00:00
Jim Hague
e60d852637
Common OpenSSL digester selection.
2018-11-27 16:55:33 +00:00
Jim Hague
c101a7a021
Abstract context DANE initialisation.
2018-11-27 15:41:23 +00:00
Jim Hague
26bcddd029
Abstract cookie SHA256 calculation.
2018-11-27 15:31:33 +00:00
Jim Hague
af962228fc
Abstract maximum digest length.
2018-11-27 15:31:05 +00:00
Jim Hague
0cdede21df
Abstract SHA1 calculation.
2018-11-27 15:29:48 +00:00
Jim Hague
5e390a4b23
Revise all TLS interfaces to pass in GetDNS memory functions where necessary.
This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c.
2018-11-27 14:41:46 +00:00
Jim Hague
bc3106af94
Abstract out HMAC functions in request-internal.c.
2018-11-27 11:49:12 +00:00
Jim Hague
4ec93a3df0
Add Doxygen for remaining tls.h functions.
2018-11-26 11:32:18 +00:00
Jim Hague
27a7e4e28f
Attempt minimal autoconf changes to use GnuTLS instead of OpenSSL.
I could waste the rest of the available time trying to turn configure.ac into something that cleanly ignores OpenSSL, uses GnuTLS instead and retains all the options. Or even better scrap the whole autoconf mess and start again.
But in the interests of prototyping, do something quick and dirty. This means GnuTLS must for now be configured thus:
$ CFLAGS="-g" ../configure --enable-stub-only --with-gnutls --disable-gost --disable-ecdsa --disable-edns-cookies
to evade other items with hardcoded OpenSSL checks in them.
2018-11-23 17:49:06 +00:00
Jim Hague
2267863a53
Attempt to improve the preprocessor horror that is util/val_secalgo.h.
Convert the main util/val_secalgo.h to a plain interface. Move the preprocessor redefines into validator/val_secalgo.h, and move THAT under openssl, because it is OpenSSL implementation specific at present - you can compile with NSS and Nettle if config allows.
2018-11-23 16:28:55 +00:00
Jim Hague
e7593541ef
Ensure that compat/getentropy* don't get used, and so drag in OpenSSL.
2018-11-20 17:37:46 +00:00
Jim Hague
4f67491971
Remove unnecessary OpenSSL include in dnssec.c.
2018-11-20 17:36:56 +00:00
Jim Hague
05f9d30e89
Move anchor.c to under openssl.
2018-11-20 16:57:48 +00:00
Jim Hague
f3e0f2b9e6
Split OpenSSL specific bits of keyraw.hc into keyraw-internal.hc.
All usage is internal to val_secalgo.c, which is already in openssl.
2018-11-20 16:51:17 +00:00
Jim Hague
da94b52f74
Move val_secalgo.c to openssl.
It contains ports other than OpenSSL (NSS and NETTLE), but we're not worrying about those for our purposes at present.
2018-11-20 16:21:06 +00:00
Jim Hague
4eb845bc58
Move internal-only functions from public pubkey-pinning interface.
The interface now only exposes functions used by the main getdns code.
2018-11-20 15:55:34 +00:00
Jim Hague
ff9cde2087
Remove SSL type from pubkey-pinning interface.
2018-11-20 15:49:26 +00:00
Jim Hague
756eda96d8
Remove ssl_dane dir from dependency generation search.
2018-11-20 15:47:56 +00:00
Jim Hague
cfa78707a3
Add openssl subdir to distribution.
2018-11-20 15:35:59 +00:00
Jim Hague
52421be5f4
Correct error checking result of _getdns_tls_context_set_ca().
2018-11-20 15:12:10 +00:00
Jim Hague
1b0a09a23f
Wrap hostname/certificate verification.
This removes the last OpenSSL items from stub.c.
2018-11-20 14:53:31 +00:00
Jim Hague
fb73bcb77e
Correct return value error from _getdns_tls_connection_(read|write)().
2018-11-20 12:43:17 +00:00
Jim Hague
2e8c48544b
Move pubkey-pinning implementation under openssl/.
2018-11-19 13:55:02 +00:00