1. 25 Feb, 2019 3 commits
  2. 22 Feb, 2019 3 commits
    • Vladimír Čunát's avatar
      daemon: rework handling of TLS authentication params · 81b1450e
      Vladimír Čunát authored
      It's mainly about the way we parse and validate them.
      
      Almost all of the parts of validation that were being done
      in modules/policy/policy.lua and daemon/tls.c got moved
      to daemon/bindings/net.c, so it's easier to follow that.
      Also more checks are being done now, e.g. contents of .pin_sha256
      and .hostname strings.
      81b1450e
    • Vladimír Čunát's avatar
      policy.TLS_FORWARD: send SNI on wire if configured · a4284580
      Vladimír Čunát authored
      In https world it's standard to do that, and it's relied on.
      Real-life example: 8.8.8.8#853 over TLSv1.3 won't send a certificate
      if we don't send SNI (no idea why; also they do send it with TLSv1.2).
      
      As a consequence, we no longer allow multiple hostnames per
      address-port tuple, but that didn't seem useful.
      a4284580
    • Tomas Krizek's avatar
      daemon/network: avoid unused functions and variables · eae04d89
      Tomas Krizek authored
      Make sure gcc doesn't produce unused func/var warnings when using
      optional compilation. This fixes three such issues on CentOS 7.
      eae04d89
  3. 21 Feb, 2019 1 commit
  4. 08 Jan, 2019 2 commits
  5. 04 Jan, 2019 1 commit
  6. 14 Dec, 2018 1 commit
  7. 05 Dec, 2018 2 commits
  8. 28 Nov, 2018 2 commits
  9. 26 Nov, 2018 2 commits
  10. 12 Oct, 2018 5 commits
  11. 14 Sep, 2018 4 commits
    • Vladimír Čunát's avatar
      misc nitpicks · 9d05c1f0
      Vladimír Čunát authored
      - \param family, esp. don't rely on AF_UNSPEC being zero
      - kres_gnutls_vec_push(): don't uv_write() if ENOMEM
      - tls_client_params_clear(): remove unused function
      9d05c1f0
    • Grigorii Demidov's avatar
      4a8688ec
    • Grigorii Demidov's avatar
      1f1e1750
    • Marek Vavruša's avatar
      daemon/worker: fixes error handling from TLS writes · f52231b6
      Marek Vavruša authored
      The error handling loop for uncorking TLS data was wrong, as the
      underlying push function is asynchronous and there's no relationship
      between completed DNS packet writes and number of TLS message writes.
      In case of the asynchronous function, the buffered data must be valid
      until the write is complete, currently this is not guaranteed and
      loading the resolver with pipelined requests results in memory errors:
      
      ```
      $ getdns_query @127.0.0.1#853 -s -a -s -l L -B -F queries -q
      ...
      ==47111==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290040a1253 at pc 0x00010da960d3 bp 0x7ffee2628b30 sp 0x7ffee26282e0
      READ of size 499 at 0x6290040a1253 thread T0
          #0 0x10da960d2 in wrap_write (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f0d2)
          #1 0x10d855971 in uv__write (libuv.1.dylib:x86_64+0xf971)
          #2 0x10d85422e in uv__stream_io (libuv.1.dylib:x86_64+0xe22e)
          #3 0x10d85b35a in uv__io_poll (libuv.1.dylib:x86_64+0x1535a)
          #4 0x10d84c644 in uv_run (libuv.1.dylib:x86_64+0x6644)
          #5 0x10d602ddf in main main.c:422
          #6 0x7fff6a28a014 in start (libdyld.dylib:x86_64+0x1014)
      
      0x6290040a1253 is located 83 bytes inside of 16895-byte region [0x6290040a1200,0x6290040a53ff)
      freed by thread T0 here:
          #0 0x10dacdfdd in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56fdd)
          #1 0x10d913c2e in _mbuffer_head_remove_bytes (libgnutls.30.dylib:x86_64+0xbc2e)
          #2 0x10d915080 in _gnutls_io_write_flush (libgnutls.30.dylib:x86_64+0xd080)
          #3 0x10d90ca18 in _gnutls_send_tlen_int (libgnutls.30.dylib:x86_64+0x4a18)
          #4 0x10d90edde in gnutls_record_send2 (libgnutls.30.dylib:x86_64+0x6dde)
          #5 0x10d90f085 in gnutls_record_uncork (libgnutls.30.dylib:x86_64+0x7085)
          #6 0x10d5f6569 in tls_push tls.c:238
          #7 0x10d5e5b2a in qr_task_send worker.c:1002
          #8 0x10d5e2ea6 in qr_task_finalize worker.c:1562
          #9 0x10d5dab99 in qr_task_step worker.c
          #10 0x10d5e12fe in worker_process_tcp worker.c:2410
      ```
      
      The current implementation adds opportunistic uv_try_write which
      either writes the requested data, or returns UV_EAGAIN or an error,
      which then falls back to slower asynchronous write that copies the buffered data.
      
      The function signature is changed from simple write to vectorized write.
      
      This also enables TLS False Start to save 1RTT when possible.
      f52231b6
  12. 23 Jul, 2018 1 commit
  13. 13 Jun, 2018 2 commits
  14. 08 Jun, 2018 1 commit
  15. 06 Jun, 2018 2 commits
  16. 23 Apr, 2018 1 commit
    • Grigorii Demidov's avatar
      daemon/worker: adjust tcp timeouts · 2e4d4be4
      Grigorii Demidov authored
      This is an attempt to fix two problems:
      1. kresd tries to close incoming TCP connection too early. This may lead
      to multiple client reconnections. This problem primarily
      affects TCP/TLS clients who send several queries over single TCP connection.
      
      2. In certain circumstances outbound TCP connection doesn't timeout
      despite that fact that upstream doesn't send back any answers.
      This may lead to timeouts on non-problematic queries.
      2e4d4be4
  17. 13 Apr, 2018 4 commits
  18. 23 Mar, 2018 1 commit
    • Marek Vavruša's avatar
      daemon/tls: downgraded TLS logging to verbose · c1539763
      Marek Vavruša authored
      Logging handshake and connection failures should be verbose, as
      it's not really a server failure if client errors, or uses a wrong
      SPKI pin to the certificate. It is however not ideal to flood logs.
      c1539763
  19. 08 Feb, 2018 2 commits